Secured-Core Configuration Lock - Windows Client Management | Microsoft Docs
source link: https://docs.microsoft.com/en-us/windows/client-management/mdm/config-lock
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Secured-Core PC Configuration Lock
- 10/25/2021
- 2 minutes to read
Applies to
- Windows 11
In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.
Secured-Core Configuration Lock (Config Lock) is a new Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC.
To summarize, Config Lock:
- Enables IT to “lock” Secured-Core PC features when managed through MDM
- Detects drift remediates within seconds
- DOES NOT prevent malicious attacks
Configuration Flow
After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under List of locked policies.
System Requirements
Config Lock will be available for all Windows Professional and Enterprise Editions running on Secured-Core PCs.
Enabling Config Lock using Microsoft Intune
Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on.
The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows:
Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune.
From the Microsoft Intune portal main page, select Devices > Configuration Profiles > Create a profile.
Select the following and press Create:
- Platform: Windows 10 and later
- Profile type: Templates
- Template name: Custom
Name your profile.
When you reach the Configuration Settings step, select “Add” and add the following information:
- OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- Data type: Integer
- Value: 1
To turn off Config Lock. Change value to 0.
Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”.
You'll not need to set any applicability rules for test purposes.
Review the Configuration and select “Create” if everything is correct.
After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled.
Disabling
Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enabled/disable) SCPC features via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune.
Can an IT admins disable Config Lock ?
Yes. IT admins can use MDM to turn off Config Lock.
List of locked policies
Is this page helpful?
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK