How to Enable Windows 11 Config Lock on Secured-Core PCs

Security

Windows 11 Secured-core configuration lock (config lock) is a new system-level feature on the Windows 11 2022 Update to protect secured-core PCs from unintentional misconfiguration. When enabled, Windows 11 config lock should guarantee that secured-core PCs won’t be affected by configuration drift. In this article, I’ll be detailing how config lock works and how you can configure it in the Intune Admin Center.

When Microsoft revealed the minimum supported hardware requirements for Windows 11, the software giant made its security focus very clear. By removing support for chips and chipsets that do not support Windows 11’s improved performance, reliability, and security features, the company made purposeful strides toward a security-first product.

How Windows 11 config lock works

To understand how Windows 11 config lock works, you’ll first need to understand what is a “secured-core PC,” which sounds a little bit like a marketing term – and it is.

What is a secured-core PC?

A secured-core PC is a device that conforms to a series of best practices that provide protection against sophisticated attacks. With secured-core PCs, Microsoft has begun to address one of the more common attack vectors in modern operating systems – the kernel.

Recent malware has leveraged vulnerable kernel drivers to gain direct access to the operating system itself, bypassing the usual security controls that are designed to protect computers. As this type of attack can go undetected and disable security protections such as Microsoft Defender, it is a particularly big deal when it comes to threat protection.

While improving security is always a good thing, it’s still important that it doesn’t impact the user experience too much. Overall, IT pros should make sure that the right level of security is applied for the use case or role of the computer.

For mission-critical data in highly sensitive industries such as banking and healthcare, it is generally accepted that security will be tight and that the user experience might suffer as a consequence. It’s this type of device that would need to be configured as a secured-core PC.

For general-purpose computers and workstations used for data entry and customer support, Microsoft recommends applying the Windows security baselines available in Intune instead. These baselines, supported by Secure Boot, Bitlocker encryption, Microsoft Defender, Windows Hello biometric authentication, and a TPM 2.0 chip provide a hardware root of trust for the OS itself.

Secured-core PC specific features

While there is a lot of overlap between the Windows security baselines (for general-purpose computers) and secured-core PCs, there are some specific secured-core security features that really stand out. These include:

Microsoft makes the configuration of these security features pretty simple to deploy via Intune or Configuration Manager.

How Windows 11 config lock works on secured-core PCs

Once a device is configured with secured-core PC features, it’s always possible that this configuration is subject to change over time. A device that is part of many security groups may be subject to a number of Intune configuration policies during its lifetime.

What happens if one of these policies disables a secured-core PC feature? Well, that’s where Windows 11 config lock comes in.

Configuration Lock is a secured-core PC feature that is designed to prevent configuration drift, which is a situation where the configuration of a device changes from its original set state. This is done by quickly detecting an incorrect configuration and remediating the setting that has changed almost instantly.

While most Intune-managed configurations will automatically revert back to their configured state if changed, this detection and remediation process is based on a regular MDM sync, typically every 8 hours. During that period, computers could still be left in a vulnerable state for quite some time.

Windows 11 config lock on secured-core PCs aims for near-immediate detection and remediation of configuration drift. It achieves this by actively monitoring specific registry entries for the target value. If the value changes from its intent, the OS immediately remediates the setting.

How to configure Windows 11 config lock

As you should know by now, the Windows 11 config lock capability is only available for computers designated as Secured-core PCs. To configure Windows 11 config lock, you’ll need to go to the Intune Admin Center.

Creating a profile in the Microsoft Endpoint Manager admin center

In the Microsoft Endpoint Manager admin center, head to Devices, then click on Configuration profiles under the Policy section.

After clicking on Create profile, choose the following settings:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template: Custom
Create a profile in the Microsoft Endpoint Manager admin center
Creating your profile in the Microsoft Endpoint manager admin center

At the Basics step, give the Profile a name. I’ve gone for “Enable Configuration Lock”. It’s a good idea to give a meaningful description at this stage.

the profile is named "enable configuration lock"
Give your profile a name

Click Next when you’re ready to configure settings for Windows 11 config lock

Windows 11 config lock configuration settings

On the Configuration Settings screen, enter the following information:

  • OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
  • Data type: Integer
  • Value: 1 (0 turns off config lock)

Click Next when you’re done.

Configuration Settings for config lock
Configuration Settings

On the Assignments tab, you’ll need to enter a target group for your profile. Choose Next when you’re done

you'll need to enter a target group for your config lock profile
Assignments – intune.microsoft.com

On the Applicability Rules screen, you can specify different rules for applying your profile within an assigned group, but you don’t need to do that for testing purposes. Click Next when you’re done.

image 45
Applicability Rules – intune.microsoft.com

Once you reach the Review + create screen, you can double-check your configuration settings for your config lock profile. Click Create if everything looks good.

image 46
Review & Create – intune.microsoft.com

At the Review + create screen, click Create.

The Enable Configuration Lock profile now appears in the list of configuration profiles
Configuration Profiles – intune.microsoft.com

Once complete, the Enable Configuration Lock profile will appear in the list of configuration profiles in the Microsoft Endpoint Manager admin center. Once your devices have synced with the Microsoft Intune server, you’ll be able to see if config lock has been successfully enabled.

Conclusion

Windows 11 config lock gives administrators the capability to specify that high-security computers, or groups of computers, are so sensitive that it is vital their config does not change. This gives assurance to organizations that operate in highly secure or regulated environments that their devices are, and will remain, secure.