Merge branch 'master' into v-smandalika-5494946-B3

2025-05-12 13:27:23 +00:00 · 2021-10-22 11:00:39 +05:30 · 2021-10-22 11:00:39 +05:30 · 016d15f069
commit 016d15f069
parent 8d336e6f54 8546c04ec9
12 changed files with 273 additions and 265 deletions
--- a/windows/client-management/mdm/config-lock.md
+++ b/windows/client-management/mdm/config-lock.md
@ -0,0 +1,133 @@
+---
+title: Secured-Core Configuration Lock
+description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. 
+manager: dansimp
+keywords: mdm,management,administrator,config lock
+ms.author: v-lsaldanha
+ms.topic: article
+ms.prod: w11
+ms.technology: windows
+author: lovina-saldanha
+ms.date: 10/07/2021
+---
+
+# Secured-Core PC Configuration Lock 
+
+**Applies to**
+
+-   Windows 11
+
+In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
+
+Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
+
+To summarize, Config Lock:
+
+- Enables IT to “lock” Secured-Core PC features when managed through MDM
+- Detects drift remediates within seconds
+- DOES NOT prevent malicious attacks
+
+## Configuration Flow
+
+After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies).
+
+## System Requirements
+
+Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).  
+
+## Enabling Config Lock using Microsoft Intune
+
+Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
+ 
+The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
+
+1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
+1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**.
+1. Select the following and press **Create**:
+    - **Platform**: Windows 10 and later
+    - **Profile type**: Templates
+    - **Template name**: Custom
+
+    :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::
+
+1. Name your profile.
+1. When you reach the Configuration Settings step, select “Add” and add the following information:
+    - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
+    - **Data type**: Integer
+    - **Value**: 1 </br>
+    To turn off Config Lock. Change value to 0.
+
+    :::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::
+
+1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
+1. You'll not need to set any applicability rules for test purposes.
+1. Review the Configuration and select “Create” if everything is correct.
+1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
+
+    :::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::
+
+    :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::
+
+## Disabling
+
+Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured.  IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
+
+:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::
+ 
+## FAQ
+
+**Can an IT admins disable Config Lock ?** </br>
+	Yes. IT admins can use MDM to turn off Config Lock.</br>
+
+### List of locked policies
+
+|**CSPs**     |
+|-----|
+|[BitLocker ](bitlocker-csp.md)      |
+|[PassportForWork](passportforwork-csp.md)       |
+|[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md)       |
+|[ApplicationControl](applicationcontrol-csp.md) 
+
+
+|**MDM policies**     |
+|-----|
+|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md)      |
+|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md)      |
+|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md)      |
+|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md)      |
+|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md)      |
+|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md)      |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md)      |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md)      |
+|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) |
+|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) |
+|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) |
+|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)|
+|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) |
+|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) |
+|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)|
+|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) |
+|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) |
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@ -22,7 +22,7 @@ The following shows the DMClient CSP in tree format.
 ./Vendor/MSFT
 DMClient
 ----Provider
--------
+--------ProviderID
 ------------EntDeviceName
 ------------ExchangeID
 ------------EntDMID
@ -45,6 +45,10 @@ DMClient
 ------------HWDevID
 ------------ManagementServerAddressList
 ------------CommercialID
+------------ConfigLock
+----------------Lock
+----------------UnlockDuration
+----------------SecureCore
 ------------Push
 ----------------PFN
 ----------------ChannelURI
@ -598,6 +602,33 @@ Optional. Boolean value that allows the IT admin to require the device to start

 Supported operations are Add, Get, and Replace.

+<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
+
+Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
+
+Default = Locked
+
+> [!Note]
+>If the device is not a Secured-core PC, then this feature will not work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
+
+<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
+
+The supported values for this node are 0-unlock, 1-lock.
+
+Supported operations are Add, Delete, Get.
+
+<a href="" id="provider-providerid-configlock-unlockduration"></a>**Provider/*ProviderID*/ConfigLock/UnlockDuration**
+
+The supported values for this node are 1 to 480 (in min).
+
+Supported operations are Add, Delete, Get.
+
+<a href="" id="provider-providerid-configlock-securecore"></a>**Provider/*ProviderID*/ConfigLock/SecureCore**
+
+The supported values for this node are false or true.
+
+Supported operation is Get only.
+
 <a href="" id="provider-providerid-push"></a>**Provider/*ProviderID*/Push**  
 Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.

--- a/windows/client-management/mdm/images/configlock-mem-createprofile.png
+++ b/windows/client-management/mdm/images/configlock-mem-createprofile.png
--- a/windows/client-management/mdm/images/configlock-mem-dev.png
+++ b/windows/client-management/mdm/images/configlock-mem-dev.png
--- a/windows/client-management/mdm/images/configlock-mem-devstatus.png
+++ b/windows/client-management/mdm/images/configlock-mem-devstatus.png
--- a/windows/client-management/mdm/images/configlock-mem-editrow.png
+++ b/windows/client-management/mdm/images/configlock-mem-editrow.png
--- a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png
+++ b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png
--- a/windows/client-management/mdm/images/faq-max-devices.png
+++ b/windows/client-management/mdm/images/faq-max-devices.png
--- a/windows/client-management/mdm/images/flow-configlock.png
+++ b/windows/client-management/mdm/images/flow-configlock.png
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@ -517,7 +517,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res
 <!--/Scope-->
 <!--Description-->
 > [!Warning]
-> This policy is in preview mode only and therefore not meant or recommended for production purposes.
+> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.

 This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.

@ -596,7 +596,7 @@ Value type is integer. Supported values:
 <!--/Scope-->
 <!--Description-->
 > [!Warning]
-> This policy is in preview mode only and therefore not meant or recommended for production purposes.
+> The Web Sign-in feature is in preview mode only and therefore not meant or recommended for production purposes.

 "Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.

--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@ -48,6 +48,8 @@ items:
      href: device-update-management.md
    - name: Bulk enrollment
      href: bulk-enrollment-using-windows-provisioning-tool.md
+    - name: Secured-Core PC Configuration Lock
+      href: config-lock.md
    - name: Management tool for the Microsoft Store for Business
      href: management-tool-for-windows-store-for-business.md
      items: