Win32 Content Prep tool doesn't work with FIPS mode


This issue on GitHub has been languishing unacknowledged for the past three years.


Since the elder days of yore, the Win32 Content Prep tool - the only option for deploying non-MSI applications through Intune - has been unable to operate on an endpoint which has been FIPSed.


This process has caused much consternation among those of us who must, by reason of government directive, FIPS ourselves and our endpoints for the security of the nation.


I would humbly beseech those who create the great and powerful content prep tool to update it with support for FIPS so that those of us who wish to use it can do so.

GitHub reference: Error for Windows Platform FIPS · Issue #33 · microsoft/Microsoft-Win32-Content-Prep-Tool (github.co...

7 Replies
I am running into the same issue with quite a few clients that are required to use FIPS mode. Any help on this would be greatly appreciated.
Hello,

Unfortunately this is 'by design' as we don't have plans on fixing the tool. The workaround for this is to run the tool on a machine/VM that is not in FIPS mode. I know for some customers this can be a pain (I am in the Intune PG and work only with Gov customers)... but at this time, this is the only option available.

Thanks,

Pat
We have been doing that in the meantime with some customers and it's not an ideal solution, especially for the smaller ones that don't have crazy amounts of extra hardware lying around. But it would be really nice in the future if this could get fixed so that there are fewer usability issues for small defense contractors struggling to get set up on GCC High Intune/Endpoint Manager for their Windows endpoints.
Totally understand. Customers can use a VM to run the tool, which isn't an additional cost and shouldn't be too much of a burden, but I totally hear your feedback. It's a matter of priorities and resources for our Gov work, and right now, getting parity with commercial is a very high priority for us at the moment!
Running a management system running out of FIPS mode would come up as a violation on a security audit. Having a management tool, like Intune, is required. What you are saying is that the only way to use Intune is in a non-compliant way, which is to say that Intune should not be used in a GCC-High environment. Instead of using multiple tools for the same job, this forces government customers to look for other MDM solutions for managing baseline configuration.
Not sure it would meet everyone's compliance requirements, but if allowable, the content prep tool should work in the Windows Sandbox feature that's enabled on a machine with FIPS enabled.

I think what's frustrating is that changing the hash library is a quick fix that has been ignored for years. There is a GitHub repo with no source. If the source was there, customers could patch the problem themselves and that wouldn't take your resources away from other efforts.

https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool/issues/120
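One way to carry out the Windows Sandbox workaround suggested in the reply above, as an added example that is not from the thread or the tool's repository: it assumes the tool's executable is IntuneWinAppUtil.exe with -c/-s/-o/-q switches, that the Windows Sandbox feature is enabled on the host, and the folder paths shown, which are constructed for the example. The host's FIPS policy is left untouched; only the packaging step runs inside the sandbox.

```powershell
# Added example (not the tool's own code): package a Win32 app inside Windows Sandbox
# while the host stays in FIPS mode. Paths and the installer name are constructed.
$ToolDir   = 'C:\IntuneTool'          # assumed to contain IntuneWinAppUtil.exe
$SourceDir = 'C:\Packages\MyAppSrc'   # contains the installer, e.g. setup.exe
$SetupFile = 'setup.exe'
$OutDir    = 'C:\Packages\MyAppOut'   # receives the .intunewin file

# Record the host's FIPS policy state for the change record; it is not modified here.
$fipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips     = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
$hostFips = ($fips.Enabled -eq 1)
Write-Host "Host FIPS policy enabled: $hostFips (packaging runs in the sandbox, host policy unchanged)"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Paths under which the mapped host folders appear inside the sandbox.
$sbTool = 'C:\Tool'; $sbSrc = 'C:\Src'; $sbOut = 'C:\Out'

# Logon command run inside the sandbox: the packager reads the read-only source
# mapping and writes the .intunewin to the read-write output mapping.
$cmd = "cmd.exe /c $sbTool\IntuneWinAppUtil.exe -c $sbSrc -s $SetupFile -o $sbOut -q"

$wsb = @"
<Configuration>
  <MappedFolders>
    <MappedFolder><HostFolder>$ToolDir</HostFolder><SandboxFolder>$sbTool</SandboxFolder><ReadOnly>true</ReadOnly></MappedFolder>
    <MappedFolder><HostFolder>$SourceDir</HostFolder><SandboxFolder>$sbSrc</SandboxFolder><ReadOnly>true</ReadOnly></MappedFolder>
    <MappedFolder><HostFolder>$OutDir</HostFolder><SandboxFolder>$sbOut</SandboxFolder><ReadOnly>false</ReadOnly></MappedFolder>
  </MappedFolders>
  <LogonCommand><Command>$cmd</Command></LogonCommand>
</Configuration>
"@

$wsbPath = Join-Path $env:TEMP 'intune-package.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8
Start-Process -FilePath $wsbPath   # launches Windows Sandbox with this configuration

# Wait for the packager output, then record a SHA-256 (a FIPS-approved algorithm,
# so Get-FileHash works on the FIPS-mode host) before the file is uploaded to Intune.
$expected = Join-Path $OutDir ([IO.Path]::GetFileNameWithoutExtension($SetupFile) + '.intunewin')
while (-not (Test-Path $expected)) { Start-Sleep -Seconds 5 }
Start-Sleep -Seconds 5   # allow the sandbox to finish writing the file
Get-FileHash -Path $expected -Algorithm SHA256
```

Close the sandbox window once the hash has been recorded; the mapped output folder keeps the .intunewin on the host.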