Forum Discussion
gtwood
Apr 04, 2023, Copper Contributor
Win32 Content Prep tool doesn't work with FIPS mode
This issue on GitHub has been languishing unacknowledged for the past three years. Since the elder days of yore, the Win32 Content Prep tool - the only option for deploying non-MSI applications t...
matt-defcert
Apr 04, 2023, Copper Contributor
I am running into the same issue with quite a few clients that are required to use FIPS mode. Any help on this would be greatly appreciated.
- Pat_Fetty, Apr 04, 2023, Microsoft
Hello,
Unfortunately this is 'by design' as we don't have plans on fixing the tool. The workaround for this is to run the tool on a machine/VM that is not in FIPS mode. I know for some customers this can be a pain (I am in the Intune PG and work only with Gov customers)... but at this time, this is the only option available.
Thanks,
Pat
- matt-defcert, Apr 04, 2023, Copper Contributor
We have been doing that in the meantime with some customers and it's not an ideal solution, especially for the smaller ones that don't have crazy amounts of extra hardware lying around. But it would be really nice in the future if this could get fixed so that there are fewer usability issues for small defense contractors struggling to get set up on GCC High Intune/Endpoint Manager for their Windows endpoints.
- Pat_Fetty, Apr 04, 2023, Microsoft
Totally understand. Customers can use a VM to run the tool, which isn't an additional cost and shouldn't be too much of a burden, but I totally hear your feedback. It's a matter of priorities and resources for our Gov work, and right now, getting parity with commercial is a very high priority for us at the moment!
- A9G-Data-Droid, Jul 19, 2023, Copper Contributor
Running a management system running out of FIPS mode would come up as a violation on a security audit. Having a management tool, like InTune, is required. What you are saying is that the only way to use InTune is in a non-compliant way. Which is to say that InTune should not be used in a GCC-High environment. Instead of using multiple tools for the same job this forces government customers to look for other MDM solutions for managing baseline configuration.
- nittajef, Aug 10, 2023, Copper Contributor
Not sure it would meet everyone's compliance requirements, but if allowable, the content prep tool should work in the Windows Sandbox feature that's enabled on a machine with FIPS enabled.