Event details
Explore the ins and outs of two security features enabled by default in Windows 11, version 22H2: Windows Defender Credential Guard and LSA protection. Explore the criteria for enablement, security benefits, and management capabilities plus get details on our new security baseline.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
52 Comments
- UniverseCitiz3n (Copper Contributor): How do I thoroughly check whether a device can support System Guard (Secure Launch), or why it hasn't started when configured? The docs article - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows - is overcomplicated.
- Frank_Maxwitat (Copper Contributor): As far as I know, you would find Secure Launch listed in msinfo32 under Virtualization-based security - Available security properties, in case it's a Secured-core PC.
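The msinfo32 fields mentioned above are backed by the Win32_DeviceGuard WMI class, so the same check can be scripted across a fleet. The following is an added PowerShell example (written for this page, not Microsoft's code or anything posted in the thread) that reads that class and decodes the documented codes for the available/required security properties and the configured/running services; when Secure Launch is configured but not running, it lists which required properties the hardware is missing. Run it in an elevated PowerShell; any code not in the lookup tables is printed raw rather than guessed.

```powershell
# Added example: decode Win32_DeviceGuard so you can see whether Secure Launch,
# Credential Guard and HVCI are available, configured and actually running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Documented code meanings for AvailableSecurityProperties / RequiredSecurityProperties
# (the same list msinfo32 shows under "Available security properties").
$propertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI Code Readonly'
    6 = 'SMM Security Mitigations 1.0'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}
# Documented code meanings for SecurityServicesConfigured / SecurityServicesRunning.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

function Decode([int[]]$codes, [hashtable]$names) {
    # Unknown codes are shown as Unknown(n) instead of being silently dropped.
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object { if ($names.ContainsKey($_)) { $names[$_] } else { "Unknown($_)" } }) -join ', '
}

[pscustomobject]@{
    VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableProperties = Decode $dg.AvailableSecurityProperties $propertyNames
    RequiredProperties  = Decode $dg.RequiredSecurityProperties  $propertyNames
    ServicesConfigured  = Decode $dg.SecurityServicesConfigured  $serviceNames
    ServicesRunning     = Decode $dg.SecurityServicesRunning     $serviceNames
} | Format-List

# Secure Launch (code 3) configured but not running: show what the platform lacks.
$secureLaunch = 3
if ($dg.SecurityServicesConfigured -contains $secureLaunch -and
    $dg.SecurityServicesRunning -notcontains $secureLaunch) {
    $missing = $dg.RequiredSecurityProperties | Where-Object { $dg.AvailableSecurityProperties -notcontains $_ }
    "Secure Launch is configured but not running; required properties not available: $(Decode $missing $propertyNames)"
}
```

ServicesConfigured tells you what policy asked for; ServicesRunning tells you what the hypervisor actually started, so a service present in the first list and absent from the second is the case the original question is about.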
- KarelPelckWortell (Copper Contributor): Will these security features be activated when doing an in-place upgrade, or only when clean installing this version?
- Matthew_Palko (Microsoft): Hi Karel, Credential Guard will be enabled when doing an in-place upgrade to Windows 11, 22H2. LSA Protection will only be activated on a clean install of Windows 11, 22H2.
- Deleted: Hi Matthew, you are speaking about an in-place upgrade, so this means every device coming from Windows 11 21H2 to 22H2 with the more feasible enablement package won't gain the same protection in terms of Credential Guard? If so, this would make sense to roll out all devices again - what a pain for early adopters, because the new App Control feature also does not create a baseline, not even on in-place upgrades.
- cjohnston (Brass Contributor): Why would we want to use LSA protection without UEFI lock? Isn't that less secure?
- jirenugo (Microsoft): You might want to disable LSA protection as a stopgap if you have to use an application or scenario that requires being loaded into LSA.
- Matthew_Palko (Microsoft): LSA protection without UEFI lock gives you more flexibility for testing and rolling back in case there is an issue with compatibility. Disabling the feature with UEFI lock requires special scripts and user interaction on the local device. For default enablement, we've enabled it without UEFI lock, so if you do need to disable the feature for compatibility purposes it is easier to do so. If you do not have any issues with LSA protection and you want better protection, you can enable UEFI lock with policy.
- cjohnston (Brass Contributor): Thanks, Matthew, that makes a lot of sense. It's almost like a 1.5 step between Audit Mode and Enable Mode with UEFI.
- cjohnston (Brass Contributor): Or rather, why would we want to disable LSA Protection?
- Greg_C_Gilbert (Iron Contributor): You have to be very careful with the HVCI settings. If the PC doesn't support the setting, it will cause extreme performance issues on the PC. In my experience at a previous company, we turned this on in a GPO with UEFI lock thinking if the PC didn't support it, it just wouldn't apply. That was a huge mistake. PCs that didn't support it could barely run Excel afterwards. And to reverse the setting when UEFI lock is turned on, you have to physically touch the device. It cannot be turned off remotely.
- Paul_Woodward (Iron Contributor): Why do we see lots and lots of attempts to access LSA from legitimate processes (e.g. Chrome) filling up the logs? Are there just a lot of badly written apps, or do they have good reason to do this?
- Matthew_Palko (Microsoft): There are legitimate reasons for a process to load into LSA, but we prefer that LSA APIs are used if possible. For example, the auth packages mentioned in the talk are a legitimate reason. We have seen processes (for example some AVs) which will inject into all sorts of processes on the system, including LSA. In the specific case of Chrome, I do not know.
- Paul_Woodward (Iron Contributor): Thanks. It just creates an incredible amount of noise; we wouldn't see an LSA block that should concern us in the sea of seemingly benign blocks. This then becomes a support issue: how can the Service Desk know a fault is related to this security policy or to some other problem?
- Kiran2150 (Copper Contributor): Will on-demand recordings be available?
- Joe_Lurie (Microsoft): Yes, recordings will be available on demand.
- Heather_Poulsen (Community Manager): Yes, sessions will be recorded and available on demand shortly after the live stream concludes.
- matthewrhodes (Brass Contributor): Our organization is trying to transition from ConfigManager/SCCM to Intune. We are currently using Hybrid with a large (many-domain) ADFS AAD setup. We currently harden via GPO on each domain. My goal is to be able to deploy policy via Intune instead of domain GPO, but it seems Intune is still in Preview and lacking policy support in MDM. As an example, CIS is our organization's security standard, and 70-90 policies are not supported in Intune MDM when importing a CIS benchmark. Word is you can set up custom, manual OMA-URI settings. Is there a way to confirm the accuracy of these strings? Is Intune still being expanded for MDM to cover all of the unsupported/missing policies? Thanks!
- Joe_Lurie (Microsoft): Without knowing what the 70-90 settings are, I can't give a recommendation on using OMA-URI to set them. But Settings Catalog is in GA (no Preview), and we are constantly adding settings to it. But again, without knowing what settings you're looking for, I can't really give more advice. Note that some of those settings may never be translated to Intune - settings that include the word "Domain" or "Kerberos", as these are on-prem domain terms, and cloud-only devices are managed differently. Or some may be in a different spot in Intune - Firewall settings are not in Settings Catalog, but are in the Security node; Password policies are in Azure, since that's where user accounts live. So, it's possible that at least some of these settings are there but in a different spot than you'd expect, or aren't necessary on a cloud-first device.
- RickClark2 (Copper Contributor): This is our biggest blocker to moving to AADJ. Would be great if MSFT has an official response. Joe_Lurie or Matthew_Palko, any help?
- UniverseCitiz3n (Copper Contributor): I've heard from the Customer Success Team that we can provide a list of settings from GPO that are not yet supported via MDM, and it should be covered at some unknown point in the future. On the other hand, when I raised a support ticket I ended up with a recommendation to deploy a PowerShell script that would implement the part of CIS which had the issue. The last thing is reporting of the CIS implementation on the endpoint. In the GPO recommendation document there are reg keys for policies from GPO, and Intune MDM caches settings in the PolicyManager key, so if there is an automated/semi-automated audit that checks for reg keys based on the GPO doc, you will probably fail.
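The audit gap described here, and the UEFI-lock discussion earlier in the thread (Matthew_Palko's point that 22H2 enables LSA protection without the lock and that the lock can be added by policy), are both about the same two registry values, so one added PowerShell example covers both. It is written for this page and is not Microsoft's code or anything posted in the thread. For LSA protection (RunAsPPL) and Credential Guard (LsaCfgFlags) it reads the effective value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, decodes the 0/1/2 lock state, and reports whether a matching value was delivered through the domain GPO registry path or is present in Intune's PolicyManager cache, so an audit does not report a false failure on an MDM-managed device just because the GPO key is absent. The DeviceGuard policy path and the Lsa values are documented; the PolicyManager cache paths and the GPO path for LSA protection are assumptions about registry layout and are marked ASSUMED in the code. Because 22H2 default enablement can leave RunAsPPL unset while LSASS still runs protected, the script also checks for Wininit event 12 in the System log, which is written at boot when LSASS starts as a protected process.

```powershell
# Added example: show where an LSA protection / Credential Guard setting comes from
# (domain GPO vs Intune MDM cache) and what the effective value is.
$effectiveKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$settings = @(
    @{
        Name      = 'LSA protection (RunAsPPL)'
        Effective = @{ Key = $effectiveKey; Value = 'RunAsPPL' }
        # ASSUMED: registry target of the "Configure LSASS to run as a protected process" ADMX policy.
        Gpo       = @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Value = 'RunAsPPL' }
        # ASSUMED: PolicyManager cache location for the LocalSecurityAuthority CSP area.
        Mdm       = @{ Key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalSecurityAuthority'; Value = 'ConfigureLsaProtectedProcess' }
    },
    @{
        Name      = 'Credential Guard (LsaCfgFlags)'
        Effective = @{ Key = $effectiveKey; Value = 'LsaCfgFlags' }
        Gpo       = @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Value = 'LsaCfgFlags' }
        # ASSUMED: PolicyManager cache location for the DeviceGuard CSP area.
        Mdm       = @{ Key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceGuard'; Value = 'LsaCfgFlags' }
    }
)

# Value meaning shared by RunAsPPL and LsaCfgFlags on Windows 11 22H2.
$meaning = @{ 0 = 'disabled'; 1 = 'enabled WITH UEFI lock'; 2 = 'enabled WITHOUT UEFI lock' }

function Read-Dword([hashtable]$loc) {
    # Returns $null when the key or the value does not exist.
    $v = Get-ItemProperty -Path $loc.Key -Name $loc.Value -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    [int]$v.($loc.Value)
}

function Describe($v) {
    if ($null -eq $v) { return 'not set' }
    if ($meaning.ContainsKey($v)) { "$v ($($meaning[$v]))" } else { "$v (unrecognised)" }
}

foreach ($s in $settings) {
    $gpo = Read-Dword $s.Gpo
    $mdm = Read-Dword $s.Mdm
    $eff = Read-Dword $s.Effective
    $source = if ($null -ne $gpo) { 'Domain GPO' }
              elseif ($null -ne $mdm) { 'Intune MDM' }
              elseif ($null -ne $eff) { 'Local / OS default' }
              else { 'Unset' }
    [pscustomobject]@{
        Setting   = $s.Name
        Source    = $source
        GpoValue  = Describe $gpo
        MdmValue  = Describe $mdm
        Effective = Describe $eff
    }
}

# Default enablement can leave RunAsPPL unset while LSASS still runs protected;
# Wininit logs System event 12 at boot when LSASS started as a protected process.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } `
       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) { "LSASS ran as a protected process at last boot ($($evt.TimeCreated))" }
else      { 'No Wininit event 12 found in the System log' }
```

The point for a CIS-style audit is the Source column: a device that reports "Intune MDM" or "Local / OS default" with an Effective value of 1 or 2 is compliant even though the GPO key the benchmark document lists is empty.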
- Deleted: Hello Heather_Poulsen, can you tell whether this is a kind of AMA executed in chat only, or rather a Teams meeting?
- Heather_Poulsen (Community Manager): All the Q&A will take place here in the chat. Our SMEs will be here live during the session and will monitor throughout the week.
- SeMeDe (Iron Contributor): Hello everybody, really looking forward to this technical after-Ignite Intune event! 🙂 One question, which confused me a little at Ignite. In https://ignite.microsoft.com/de-DE/sessions/2c334d3c-0886-4b98-8f02-ee0c8e4691d3 at around 3:03, https://ignite.microsoft.com/de-DE/speakers/c465abd3-62b4-4fe0-ac8d-be0746a67665?source=/sessions/2c334d3c-0886-4b98-8f02-ee0c8e4691d3 speaks about Secured-core PC (Advanced security enabled by default) and/or Pluton (OS hardware root-of-trust), and it was not clear to me what was meant by it. Because of the title of this session, "Default hardening in Windows 11, version 22H2", I hope I will have a clearer view of what is meant by Secured-core PC. Thanks in advance.
- jirenugo (Microsoft): This talk will not address Secured-core PCs. It only covers the 2 hardening features that will be enabled by default for eligible devices starting from 22H2.
- Matthew_Palko (Microsoft): Hi Sebastian, Secured-core PCs are required to have a set of security features enabled by default by the OEM. Not all of these features are enabled by default in the OS. For more information on the features included as a part of Secured-core, see https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure-11 - Credential Guard and LSA protection, which are in this talk, are not included as a part of Secured-core at this time.