Default hardening in Windows 11, version 22H2
Event details
Explore the ins and outs of two security features enabled by default in Windows 11, version 22H2: Windows Defender Credential Guard and LSA protection. Explore the criteria for enablement, security benefits, and management capabilities plus get details on our new security baseline.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after the conclusion of the live event.
- matthewrhodes (Brass Contributor)
Our organization is trying to transition from ConfigManager/SCCM to Intune. We are currently using Hybrid with a large (many-domain) ADFS AAD setup. We currently harden via GPO on each domain. My goal is to be able to deploy policy via Intune instead of domain GPO, but it seems Intune is still in Preview and lacking policy support in MDM. As an example, CIS is our organization's security standard, and 70-90 policies are not supported in Intune MDM when importing a CIS benchmark. Word is you can set up custom OMA-URI settings manually. Is there a way to confirm the accuracy of these strings? Is Intune still being expanded for MDM to cover all of the unsupported/missing policies? Thanks!
- gatewood502 (Brass Contributor)
Intune has Group Policy Analytics that lets you upload your GPO, compare it to Intune policy, and even convert it to an Intune policy
- UniverseCitiz3n (Copper Contributor)
I've heard from the Customer Success Team that we can provide a list of settings from GPO that are not yet supported via MDM, and it should be covered at some unknown point in the future. On the other hand, when I raised a support ticket I ended up with a recommendation to deploy a PowerShell script that implements the part of CIS which had the issue. The last thing is reporting of the CIS implementation on the endpoint. In the GPO recommendation document there are reg keys for policies from GPO, and Intune MDM caches settings in the PolicyManager key, so if there is an automated/semi-automated audit that checks for reg keys based on the GPO doc you will probably fail.
- RickClark2 (Copper Contributor)
This is our biggest blocker to moving to AADJ. It would be great if MSFT had an official response. Joe_Lurie or Matthew_Palko, any help?
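The audit mismatch described a few posts up (GPO-based audits look at the GPO registry locations, while Intune caches Policy CSP values under the PolicyManager key) can be checked for directly. The script below is an added example for this thread, not Microsoft's tooling and not the CIS benchmark's own audit content. It assumes that MDM-delivered Policy CSP values are cached under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<PolicyName>, and the two GPO-to-CSP pairs in $Checks are illustrative; verify each pair against the Policy CSP reference before relying on it.

```powershell
# Added example (not Microsoft's tooling): check one hardening setting at both the
# registry location a GPO-based audit expects and the location where Intune/MDM
# caches Policy CSP values, and report which source actually carries the value.
#
# Assumptions:
#  - Policy CSP values are cached under
#    HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<PolicyName>.
#  - The GPO<->CSP pairs in $Checks are illustrative.
#  - On conflict, Group Policy wins over MDM unless ControlPolicyConflict/MDMWinsOverGP
#    is enabled; this script reports both values and does not resolve precedence.

function Get-EffectivePolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $GpoPath,
        [Parameter(Mandatory)] [string] $GpoValueName,
        [Parameter(Mandatory)] [string] $MdmArea,
        [Parameter(Mandatory)] [string] $MdmPolicyName,
        [Parameter(Mandatory)] [int]    $Expected
    )
    $mdmPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$MdmArea"

    # Either lookup returns $null when the key or value is absent.
    $gpo = (Get-ItemProperty -Path $GpoPath -Name $GpoValueName -ErrorAction SilentlyContinue).$GpoValueName
    $mdm = (Get-ItemProperty -Path $mdmPath -Name $MdmPolicyName -ErrorAction SilentlyContinue).$MdmPolicyName

    [pscustomobject]@{
        Setting      = $Name
        Expected     = $Expected
        GpoValue     = $gpo
        MdmValue     = $mdm
        # A GPO-only audit reports a failure for the MDM-only case even though the
        # policy is applied; showing both columns makes that visible.
        GpoAuditPass = ($null -ne $gpo -and [int]$gpo -eq $Expected)
        MdmAuditPass = ($null -ne $mdm -and [int]$mdm -eq $Expected)
    }
}

# Illustrative pairs (assumption: these are the matching GPO registry value and CSP policy).
$Checks = @(
    @{ Name          = 'Do not require CTRL+ALT+DEL = Disabled'
       GpoPath       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       GpoValueName  = 'DisableCAD'
       MdmArea       = 'LocalPoliciesSecurityOptions'
       MdmPolicyName = 'InteractiveLogon_DoNotRequireCTRLALTDEL'
       Expected      = 0 },
    @{ Name          = 'Limit blank passwords to console logon = Enabled'
       GpoPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       GpoValueName  = 'LimitBlankPasswordUse'
       MdmArea       = 'LocalPoliciesSecurityOptions'
       MdmPolicyName = 'Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly'
       Expected      = 1 }
)

$results = foreach ($c in $Checks) { Get-EffectivePolicyValue @c }
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on a device that is enrolled in Intune; a row with GpoAuditPass false and MdmAuditPass true is exactly the case where a GPO-based scanner would flag a setting that MDM has in fact applied.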
- SeMeDe (Iron Contributor)
Hello everybody,
really looking forward to this technical after-Ignite Intune event! 🙂
One question about something that confused me a little at Ignite.
In "Securing hybrid work with Windows, Devices, Desktops and Cloud" at around 3:03,
Wangui McKelvey speaks about Secured-core PC (advanced security enabled by default) and/or Pluton (OS hardware root of trust), and it was not clear to me what was meant by it. Because of the title of this session, "Default hardening in Windows 11, version 22H2", I hope I will get a clearer view of what is meant by Secured-core PC. Thanks in advance.
- Matthew_Palko (Microsoft)
Hi Sebastian, Secured-core PCs are required to have a set of security features enabled by default by the OEM. Not all of these features are enabled by default in the OS. For more information on the features included as part of Secured-core, see: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11 Credential Guard and LSA protection, which are in this talk, are not included as part of Secured-core at this time.
- jirenugo (Microsoft)
This talk will not address Secured-core PCs. It only covers two hardening features that will be enabled by default for eligible devices starting from 22H2.
- Deleted
Hello Heather_Poulsen, can you tell me if this is a kind of AMA executed in chat only, or rather a Teams meeting?
- Heather_Poulsen (Community Manager)
All the Q&A will take place here in the chat. Our SMEs will be here live during the session and will monitor throughout the week.
- Kiran2150 (Copper Contributor)
Will on-demand recordings be available?
- Heather_Poulsen (Community Manager)
Yes, sessions will be recorded and available on demand shortly after the live stream concludes.
- Joe_Lurie (Microsoft)
Yes, recordings will be available on demand.
- cjohnston (Brass Contributor)
Why would we want to use LSA protection without UEFI lock? Isn't that less secure?
- Matthew_Palko (Microsoft)
LSA protection without UEFI lock gives you more flexibility for testing and rolling back in case there is an issue with compatibility. Disabling the feature with UEFI lock requires special scripts and user interaction on the local device. For default enablement, we've enabled it without UEFI lock so if you do need to disable the feature for compatibility purposes it is easier to do so. If you do not have any issues with LSA protection and you want better protection, you can enable UEFI lock with policy.
- cjohnston (Brass Contributor)
Thanks, Matthew, that makes a lot of sense. It's almost like a 1.5 step between Audit Mode and Enable Mode with UEFI.
- cjohnston (Brass Contributor)
Or rather, why would we want to disable LSA Protection?
- Greg_C_Gilbert (Iron Contributor)
You have to be very careful with the HVCI settings. If the PC doesn't support the setting, it will cause extreme performance issues on the PC. In my experience at a previous company, we turned this on in a GPO with UEFI lock thinking that if the PC didn't support it, it just wouldn't apply. That was a huge mistake. PCs that didn't support it could barely run Excel afterwards. And to reverse the setting when UEFI lock is turned on, you have to physically touch the device. It cannot be turned off remotely.
- jirenugo (Microsoft)
You might want to disable LSA protection as a stopgap if you have to use an application or scenario that requires being loaded into LSA.
- UniverseCitiz3n (Copper Contributor)
How do I thoroughly check whether a device can support System Guard (Secure Launch), or why it hasn't started when configured? The docs article, https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows, is overcomplicated.
- Frank_Maxwitat (Copper Contributor)
As far as I know, you would find Secure Launch listed in msinfo32 under Virtualization-based security, Available security properties, in case it's a Secured-core PC.
- Greg_C_Gilbert (Iron Contributor)
Is there a recommended method for creating filters in Intune or collections in ConfigMgr that can contain only PCs that include all the hardware requirements for enabling HVCI? I got bit several years ago when we enabled HVCI with UEFI lock on many PCs that didn't support it and it caused severe performance issues.
- jirenugo (Microsoft)
We don't have any recommendations right now. Thanks for the feedback! We will look into documenting the hardware requirements or providing a scripted mechanism to identify devices that can support VBS features. This is a good place to start Virtualization-based Security (VBS) | Microsoft Learn
- Greg_C_Gilbert (Iron Contributor)
Follow-up. Is there a way for companies to implement these settings in a scripted way that does the same checks that a fresh install of W11 22H2 does? It would be great if the product team could provide that.
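The questions above about checking VBS/HVCI hardware support before enabling it, about whether Secure Launch is available, and about how LSA protection is configured (with or without UEFI lock) can all be answered from one device-side query. The script below is an added example for this thread; it is not Microsoft's tooling and it is not the set of checks a fresh 22H2 install runs. It assumes the code values documented for the Win32_DeviceGuard WMI class, and the "HVCI candidate" rule at the end is this example's own heuristic, not a Microsoft requirement.

```powershell
# Added example (not Microsoft's tooling): report the VBS-related hardware
# properties a device exposes, which security services are configured and running,
# and how LSA protection is configured and whether LSASS actually started protected.
# Code values follow the Win32_DeviceGuard class documentation (assumption).

$AvailableProperty = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code readonly'
    6 = 'SMM security mitigations'
    7 = 'Mode-based execution control (MBEC)'
    8 = 'APIC virtualization'
}
$SecurityService = @{
    1 = 'Credential Guard'
    2 = 'HVCI'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
    5 = 'Kernel-mode hardware-enforced stack protection'
}
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# Maps a list of numeric codes to names, keeping unknown codes visible.
$CodesToNames = {
    param($codes, $map)
    @($codes | ForEach-Object {
        if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "Unknown($_)" }
    }) -join ', '
}

function Get-HardeningPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # LSA protection policy: RunAsPPL = 1 enables it with UEFI lock,
    # RunAsPPL = 2 (22H2 and later) enables it without UEFI lock.
    $runAsPpl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                  -ErrorAction SilentlyContinue).RunAsPPL
    $lsaConfig = if ($runAsPpl -eq 1)     { 'Enabled with UEFI lock' }
                 elseif ($runAsPpl -eq 2) { 'Enabled without UEFI lock' }
                 else                     { 'Not configured' }

    # Wininit logs event 12 in the System log when LSASS starts as a protected process.
    # Event ID 12 is shared with other providers, so filter on the provider name too.
    $lsaEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process' } |
        Select-Object -First 1

    $props = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })

    [pscustomobject]@{
        VbsStatus             = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties   = & $CodesToNames $props $AvailableProperty
        ServicesConfigured    = & $CodesToNames @($dg.SecurityServicesConfigured) $SecurityService
        ServicesRunning       = & $CodesToNames @($dg.SecurityServicesRunning) $SecurityService
        # Heuristic (assumption): base VBS + Secure Boot + MBEC before turning HVCI on.
        # Hardware without MBEC is the usual source of the HVCI performance complaints
        # described in this thread, because HVCI then falls back to a slower software path.
        HvciCandidate         = ($props -contains 1) -and ($props -contains 2) -and ($props -contains 7)
        LsaProtectionPolicy   = $lsaConfig
        LsassStartedProtected = [bool]$lsaEvent
    }
}

Get-HardeningPosture | Format-List
```

Because the result is a single object per device, the same function can be used to feed an Intune custom compliance script, a ConfigMgr configuration item, or a collection query: devices with HvciCandidate true are the ones to target first, and LsaProtectionPolicy together with LsassStartedProtected distinguishes "policy set" from "actually running as PPL".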
- Heather_PoulsenCommunity Manager
We’re happy you joined us at the Microsoft Technical Takeoff! Whether you are attending one session or many, please take this 2-minute survey and let us know your thoughts on this event.
- DaneaGalbraith (Brass Contributor)
With MDM, do you have filter recommendations for sending them out to specific machines?
- JEngel05 (Brass Contributor)
Is there an Intune Settings Catalog option for enabling LSA protection for Windows 10 systems?
- Matthew_Palko (Microsoft)
LSA Protection currently does not have an Intune Settings Catalog option.