Forum Discussion

RossEarnheart
Copper Contributor
Oct 20, 2023

Disabling Core Isolation Memory Integrity via Group Policy (creating a new group policy)

My organization is currently trying to set a group policy to apply to a set of devices or groups where the Core Isolation / Memory Integrity is switched off so that specific apps can run on specified devices. However, we're having a heck of a time locating this option in Azure. Could someone point me in the right direction to create this group policy in Azure?

    • RossEarnheart
      Copper Contributor

      Kidd_Ip

      No, create one that sets Memory Integrity to "disabled" or "off" in Core Isolation. When you use the Registry Editor to do this per machine, it will either get overridden by the current Azure policy for the group the device is in, or it just will not go through at all.

      Hope that makes sense.

  • RossEarnheart
    Copper Contributor
    So, quick update: We were able to go into the Registry and turn off the Memory Integrity in Core Isolation for Win 11, but looks like we'll have to do this manually on each machine. I was hoping to find a setting in Azure so that I could create a group policy for all the machines that we need to make the changes on and then push that policy out, but looks like my research is coming up empty.
    • LainRobertson
      Silver Contributor

      RossEarnheart

      You should not have to set the registry value manually.

      But going back a step, are you actually talking about group policy, which is a mechanism used by Windows clients (workgroup-, domain- or hybrid-joined), or mobile device management (MDM) policy, such as that found within Intune?

      Group policy is not found in Azure. MDM policy is found in Azure (via Intune).

      Intune's MDM implementation can leverage Windows' group policy client by locally injecting policy data into the Windows group policy client engine.

      Given I'm unsure as to which approach you're looking to use, here's some information on both.

      Memory integrity can be managed natively by both group policy and MDM policy as noted below:

      If you're using an MDM that isn't Intune, you'd want to look for a native setting that deals with memory integrity. Should that not exist, then you're back to the approach of deploying something like a PowerShell script as an application to perform the task. You should be able to run a search on this approach and find many examples that cover the setting of a registry key.

      Cheers,

      Lain
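Before deploying anything, it helps to know which of the three places the thread touches on actually holds the memory integrity state on a given device: the policy key that group policy or Intune writes, the local key the Windows Security UI (or a manual registry edit) writes, and what the hypervisor is really running. The audit script below is an added example written for this thread, not code from either poster; the registry paths and the Win32_DeviceGuard WMI class are from my own knowledge of Windows, and the compare logic (a policy value present means the local key loses) is the behaviour RossEarnheart describes.

```powershell
# Audit memory integrity (HVCI) on the local machine. Run elevated.
# Added example for this thread, not code from the original posts.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

function Get-MemoryIntegrityState {
    # Policy-delivered value (GPO / Intune). 0 = off, 1 = on with UEFI lock,
    # 2 = on without lock. $null means the device is not managed for this setting.
    $policy = Get-RegValueOrNull -Path $policyKey -Name 'HypervisorEnforcedCodeIntegrity'
    # Local value behind the Core Isolation toggle / manual Registry Editor change (1 = on).
    $local  = Get-RegValueOrNull -Path $localKey -Name 'Enabled'
    # Runtime view from Device Guard; service id 2 in SecurityServicesRunning is HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PolicyValue     = $policy
        PolicyWantsOn   = ($policy -in 1, 2)
        UefiLocked      = ($policy -eq 1)
        LocalValue      = $local
        LocalWantsOn    = ([int]$local -eq 1)
        HvciRunning     = ($dg.SecurityServicesRunning -contains 2)
        ManagedByPolicy = ($null -ne $policy)
    }
}

$state = Get-MemoryIntegrityState
$state | Format-List

# Explain the two situations the thread ran into.
if ($state.ManagedByPolicy -and ($state.LocalWantsOn -ne $state.PolicyWantsOn)) {
    Write-Warning 'Policy value present: the local key is overridden on the next policy refresh.'
}
if ($state.ManagedByPolicy -and ($state.HvciRunning -ne $state.PolicyWantsOn)) {
    Write-Warning 'Running state differs from policy: a reboot is needed before the change applies.'
}
if ($state.UefiLocked -and -not $state.PolicyWantsOn) {
    Write-Warning 'Policy was 1 (UEFI lock) earlier: disabling needs the lock cleared at the console.'
}
```

Run it on one of the devices where the manual change "did not go through": a non-null PolicyValue confirms the override, and a HvciRunning that disagrees with PolicyWantsOn points at a pending reboot rather than a policy problem.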
