Forum Discussion
Disabling Core Isolation Memory Integrity via Group Policy (creating a new group policy)
My organization is currently trying to set a group policy to apply to a set of devices or groups where the Core Isolation / Memory Integrity is switched off so that specific apps can run on specified devices. However, we're having a heck of a time locating this option in Azure. Could someone point me in the right direction to create this group policy in Azure?
4 Replies
- So, quick update: We were able to go into the Registry and turn off the Memory Integrity in Core Isolation for Win 11, but looks like we'll have to do this manually on each machine. I was hoping to find a setting in Azure so that I could create a group policy for all the machines that we need to make the changes on and then push that policy out, but looks like my research is coming up empty.
You should not have to set the registry value manually.
But going back a step, are you actually talking about group policy - which is a mechanic used by Windows clients (workgroup-, domain- or hybrid-joined) or mobile device management (MDM) policy, such as that found within InTune?
Group policy is not found in Azure. MDM policy is found in Azure (via InTune).
InTune's MDM implementation can leverage Windows' group policy client through locally injecting policy data into the Windows group policy client engine.
Given I'm unsure as to which approach you're looking to use, here's some information on both.
Memory integrity can be managed natively by both group policy and MDM policy as noted below:
- Group policy: Enable memory integrity - Windows Security | Microsoft Learn
- InTune policy: Enable memory integrity - Windows Security | Microsoft Learn
If you're using an MDM that isn't InTune, you'd want to look for a native setting that deals with memory integrity. Should that not exist, then you're back to the approach of deploying something like a PowerShell script as an application to perform the task. You should be able to run a search on this approach and find many examples that cover the setting of a registry key.
Cheers,
Lain
No, create one that sets Memory Integrity to "disabled" or "off" in Core Isolation. When you use the Registry Editor to do this per machine, it will either get overriden by the current Azure policy for the Group the device is in or it just will not go through at all.
Hope that makes sense.
