deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/mdm/config-lock.md
Lovina Saldanha 3956c25ebc Update config-lock.md 
Updated CSP links
2021-10-18 11:44:05 +05:30

9.6 KiB
Raw Blame History

title, description, manager, keywords, ms.author, ms.topic, ms.prod, ms.technology, author, ms.date
title description manager keywords ms.author ms.topic ms.prod ms.technology author ms.date
Secured-Core Configuration Lock A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. dansimp mdm,management,administrator,config lock v-lsaldanha article w11 windows lovina-saldanha 10/07/2021

Secured-Core PC Configuration Lock

Applies to

  • Windows 11

In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.

Secured-Core Configuration Lock (Config Lock) is a new Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.

:::image type="content" source="../images/config-lock-mdsl.png" alt-text="mdsl":::

To summarize, Config Lock:

  • Enables IT to “lock” Secured-Core PC features when managed through MDM
  • Detects drift remediates within seconds
  • DOES NOT prevent malicious attacks

Configuration Flow

After a Secured-Core PC reaches the desktop, Config lock will prevent configuration drift as follows:

Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device is not a Secured-Core PC, the lock will not apply. If the device is a Secured-Core PC, config lock will lock the policies listed here.

List of locked policies

Policies
CSPs
BitLocker
PassportForWork
WindowsDefenderApplicationGuard
ApplicationControl
MDM policies
DataProtection/AllowDirectMemoryAccess
DataProtection/LegacySelectiveWipeID
DeviceGuard/ConfigureSystemGuardLaunch
DeviceGuard/EnableVirtualizationBasedSecurity
DeviceGuard/LsaCfgFlags
DeviceGuard/RequirePlatformSecurityFeatures
DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
DeviceInstallation/PreventDeviceMetadataFromNetwork
DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
DmaGuard/DeviceEnumerationPolicy
WindowsDefenderSecurityCenter/CompanyName
WindowsDefenderSecurityCenter/DisableAccountProtectionUI
WindowsDefenderSecurityCenter/DisableAppBrowserUI
WindowsDefenderSecurityCenter/DisableClearTpmButton
WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
WindowsDefenderSecurityCenter/DisableEnhancedNotifications
WindowsDefenderSecurityCenter/DisableFamilyUI
WindowsDefenderSecurityCenter/DisableHealthUI
WindowsDefenderSecurityCenter/DisableNetworkUI
WindowsDefenderSecurityCenter/DisableNotifications
WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
WindowsDefenderSecurityCenter/DisableVirusUI
WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
WindowsDefenderSecurityCenter/Email
WindowsDefenderSecurityCenter/EnableCustomizedToasts
WindowsDefenderSecurityCenter/EnableInAppCustomization
WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
WindowsDefenderSecurityCenter/HideSecureBoot
WindowsDefenderSecurityCenter/HideTPMTroubleshooting
WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
WindowsDefenderSecurityCenter/Phone
WindowsDefenderSecurityCenter/URL
SmartScreen/EnableAppInstallControl
SmartScreen/EnableSmartScreenInShell
SmartScreen/PreventOverrideForFilesInShell
  • If so, prevent the following Secured-Core PC features from being disabled without IT Admin permission:
    • Memory Access Protection (kDMA)
    • Memory Integrity (HVCI)
    • System Guard
      • DRTM
      • SMM

:::image type="content" source="images/flow_configlock.png" alt-text="config lock flow.":::

IT Admin scenario:

  1. IT Admin use MDM to enable Config Lock
  2. IT Admin use MDM service to set policies
  3. Policies are targeted to user/device
  4. Policies come down to device and get set
  5. Configurations are locked
  6. A local admin user attempts to override the policy
  7. System quickly remediates policy to the desired SCPC state

Helpdesk scenario:

  1. Helpdesk support engineer investigates the device
  2. Helpdesk support engineer contacts the IT Admin to unlock the device
  3. IT Admin unlocks the device to make configuration changes
  4. Device returns to locked state after a defined time (default 30 minutes)

System Requirements

Config Lock will be available for all Windows Professional and Enterprise Editions.

Enabling Config Lock using Microsoft Intune

Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.

The steps to turn on Config Lock using Microsoft Endpoint Manager (MEM) are as follows:

  1. Ensure that the device to turn on Config Lock is enrolled in MEM.

  2. From the MEM portal main page, select Devices > Configuration Profiles > Create a profile.

  3. Select the following and press Create:

    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Custom

    :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="create profile":::

  4. Name your profile.

  5. When you reach the Configuration Settings step, select “Add” and add the following information:

    • OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
    • Data type: Integer
    • Value: 1
      To turn off Config Lock. Change value to 0.

    :::image type="content" source="images/configlock-mem-editrow.png" alt-text="edit row":::

  6. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.

  7. You'll not need to set any applicability rules for test purposes.

  8. Review the Configuration and select “Create” if everything is correct.

  9. After the device syncs with the MEM server, you can confirm if the Config Lock was successfully enabled.

    :::image type="content" source="images/configlock-mem-dev.png" alt-text="status":::

    :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="device status":::

Disabling

Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as MEM.

:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="firmware protect":::

FAQ

Can an IT Admin disable Config Lock ?
Yes. IT Admin can use MDM to turn off Config Lock.

Could an end-user run the BuiltAsSecuredCorePC PowerShell command to disable Config Lock?
The PowerShell script is accessible, but the BuiltAsSecuredCorePC becomes read-only after boot, so the command will fail when run from the OS.