How to Enable Windows 11 Config Lock on Secured-Core PCs
Windows 11 Secured-core configuration lock (config lock) is a system-level feature introduced in the Windows 11 2022 Update that protects Secured-core PCs from unintended misconfiguration. When enabled, config lock is designed to keep a Secured-core PC from being affected by configuration drift. In this article, I’ll detail how config lock works and how you can configure it in the Intune admin center.
Table of Contents
- How Windows 11 config lock works
- How to configure Windows 11 config lock
When Microsoft revealed the minimum hardware requirements for Windows 11, the software giant made its security focus very clear. By dropping support for processors and chipsets that cannot support Windows 11’s performance, reliability, and security features, the company took a deliberate step toward a security-first product.
How Windows 11 config lock works
To understand how Windows 11 config lock works, you’ll first need to understand what a “secured-core PC” is. It sounds a little like a marketing term, and it is one, but it also describes a concrete set of hardware, firmware, and driver requirements that a device must meet.
What is a secured-core PC?
A secured-core PC is a device that meets a set of requirements designed to protect against sophisticated firmware-level and kernel-level attacks. With secured-core PCs, Microsoft has begun to address one of the more common attack vectors in modern operating systems – the kernel.
Recent malware has used vulnerable but legitimately signed kernel drivers (a “bring your own vulnerable driver” attack) to gain kernel-level access to the operating system, bypassing the security controls that are designed to protect the computer. Because this type of attack can go undetected and can disable security tooling such as Microsoft Defender, it is a particularly big deal when it comes to threat protection.
While improving security is always a good thing, it’s still important that it doesn’t impact the user experience too much. Overall, IT pros should make sure that the right level of security is applied for the use case or role of the computer.
For mission-critical data in highly regulated industries such as banking and healthcare, it is generally accepted that security will be tight and that the user experience may suffer as a consequence. These are the devices that should be configured as secured-core PCs.
For general-purpose computers and workstations used for data entry and customer support, Microsoft recommends applying the Windows security baselines available in Intune instead. These baselines build on Secure Boot, BitLocker encryption, Microsoft Defender, Windows Hello biometric authentication, and a TPM 2.0 chip, with the TPM providing the hardware root of trust for measured boot and key protection.
Secured-core PC specific features
While there is a lot of overlap between the Windows security baselines (for general-purpose computers) and secured-core PCs, some secured-core security features really stand out. These include:
- Dynamic Root of Trust for Measurement (DRTM): This feature is part of Windows Defender System Guard Secure Launch. Early boot still runs UEFI firmware, which Windows cannot fully trust, so DRTM uses the CPU’s own measured-launch capability (Intel TXT or AMD SKINIT) to start the hypervisor and kernel from a fresh, CPU-measured launch point, recording the measurements in the TPM. Even if the firmware has been tampered with, the OS starts from a trusted root.
- System Management Mode (SMM) protection: SMM is a firmware execution mode that runs with higher privilege than the hypervisor and the kernel, so compromised SMM code can read or modify OS memory. SMM protection is part of Windows Defender System Guard and builds on (and requires) Secure Launch: the platform isolates SMM handlers so they cannot access OS-owned memory, and that state is measured so the device can attest to it.
Microsoft makes the configuration of these security features pretty simple to deploy via Intune or Configuration Manager.
How Windows 11 config lock works on secured-core PCs
Once a device is configured with secured-core PC features, it’s always possible that this configuration is subject to change over time. A device that is part of many security groups may be subject to a number of Intune configuration policies during its lifetime.
What happens if one of these policies disables a secured-core PC feature? Well, that’s where Windows 11 config lock comes in.
Configuration Lock is a secured-core PC feature that is designed to prevent configuration drift, which is a situation where the configuration of a device changes from its original set state. This is done by quickly detecting an incorrect configuration and remediating the setting that has changed almost instantly.
While most Intune-managed settings will automatically revert to their configured state if changed, that detection and remediation happens on the regular MDM sync, which by default occurs roughly every 8 hours. In the meantime, a computer could be left in a vulnerable state for hours.
Windows 11 config lock on secured-core PCs aims for near-immediate detection and remediation of configuration drift. It does this by actively monitoring the specific registry entries that back each secured-core feature. If a value departs from the intended state, the OS remediates the setting immediately instead of waiting for the next MDM sync.
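The compare-and-remediate idea behind config lock, and the secured-core features it protects (Secure Launch/DRTM and SMM protection, described above), can be audited locally. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the device’s Secure Boot, TPM, VBS, and System Guard state, compares it with a declared intent, and optionally re-asserts the Secure Launch policy key. The value encodings of `Win32_DeviceGuard` and the `SystemGuard` registry path come from Microsoft’s VBS/System Guard documentation; the intent table and the `-Remediate` behaviour are this example’s own assumptions. Run it from an elevated PowerShell session on the device.

```powershell
# Added example (not from the original article): audit Secured-core feature state on a
# Windows 11 device and flag drift against a declared intent, mirroring the
# compare-and-remediate loop that config lock runs in-OS. Requires an elevated session.

# Codes used by Win32_DeviceGuard.SecurityServicesRunning / SecurityServicesConfigured.
$script:SecurityServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch (DRTM)'
    4 = 'SMM Firmware Measurement'
}

# Policy key written by the DeviceGuard CSP / Group Policy for Secure Launch; Enabled = 1.
$script:SystemGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-SecuredCoreState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $secureLaunchPolicy = 0
    if (Test-Path $script:SystemGuardKey) {
        $secureLaunchPolicy = [int](Get-ItemProperty -Path $script:SystemGuardKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    }

    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }   # throws on non-UEFI firmware

    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBoot         = [bool]$secureBoot
        TpmPresentAndReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 2 = enabled and running
        SecureLaunchPolicy = $secureLaunchPolicy
        ServicesConfigured = @($dg.SecurityServicesConfigured | ForEach-Object { $script:SecurityServiceNames[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning    | ForEach-Object { $script:SecurityServiceNames[[int]$_] })
    }
}

# Declared intent for a Secured-core device. This table is the example's assumption, not a Microsoft baseline.
$script:SecuredCoreIntent = @{
    SecureBoot         = $true
    TpmPresentAndReady = $true
    VbsRunning         = $true
    SecureLaunchPolicy = 1
    ServicesRunning    = @('Hypervisor-protected Code Integrity (HVCI)',
                           'System Guard Secure Launch (DRTM)',
                           'SMM Firmware Measurement')
}

function Test-SecuredCoreDrift {
    [CmdletBinding()]
    param(
        [hashtable]$Intent = $script:SecuredCoreIntent,
        [switch]$Remediate   # only the registry-backed Secure Launch policy can be re-asserted from here
    )
    $state = Get-SecuredCoreState
    $drift = foreach ($name in $Intent.Keys) {
        $expected = $Intent[$name]
        $actual   = $state.$name
        if ($expected -is [array]) {
            $missing = $expected | Where-Object { $_ -notin $actual }
            if ($missing) { [pscustomobject]@{ Setting = $name; Expected = ($expected -join ', '); Actual = ($actual -join ', ') } }
        } elseif ($actual -ne $expected) {
            [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
        }
    }
    if ($Remediate -and ($drift | Where-Object Setting -eq 'SecureLaunchPolicy')) {
        # Re-assert the policy value; Secure Launch itself only re-engages after a reboot.
        New-Item -Path $script:SystemGuardKey -Force | Out-Null
        Set-ItemProperty -Path $script:SystemGuardKey -Name 'Enabled' -Value 1 -Type DWord
    }
    $drift
}

# Usage:
#   Test-SecuredCoreDrift             -> no output means no drift from the declared intent
#   Test-SecuredCoreDrift -Remediate  -> also re-writes the Secure Launch policy key if it changed
Test-SecuredCoreDrift | Format-Table -AutoSize
```

The important difference from config lock is timing: this script only sees drift when you run it, whereas config lock watches the same class of registry values continuously and reverts them within seconds. A scheduled run of a script like this is still useful on hardware that is not Secured-core, where config lock is unavailable.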
How to configure Windows 11 config lock
As you should know by now, the Windows 11 config lock capability is only available for computers designated as Secured-core PCs; on other hardware the setting won’t take effect. To configure Windows 11 config lock, you’ll need to go to the Intune admin center.
Creating a profile in the Microsoft Endpoint Manager admin center
In the Microsoft Endpoint Manager admin center (now branded the Microsoft Intune admin center), go to Devices, then click Configuration profiles under the Policy section.
After clicking on Create profile, choose the following settings:
- Platform: Windows 10 and later
- Profile type: Templates
- Template: Custom
At the Basics step, give the Profile a name. I’ve gone for “Enable Configuration Lock”. It’s a good idea to give a meaningful description at this stage.
Click Next when you’re ready to configure the settings for Windows 11 config lock.
Windows 11 config lock configuration settings
On the Configuration Settings screen, click Add and enter the following information for the OMA-URI setting:
- Name: a meaningful label, for example “Config lock”
- OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
- Data type: Integer
- Value: 1 (0 turns off config lock)
Click Next when you’re done.
On the Assignments tab, you’ll need to enter a target group for your profile. Choose Next when you’re done.
On the Applicability Rules screen, you can specify different rules for applying your profile within an assigned group, but you don’t need to do that for testing purposes. Click Next when you’re done.
Once you reach the Review + create screen, you can double-check the configuration settings for your config lock profile. Click Create if everything looks good.
Once complete, the Enable Configuration Lock profile will appear in the list of configuration profiles in the Microsoft Endpoint Manager admin center. Once your devices have synced with the Microsoft Intune service, the profile’s Device status report will show whether config lock has been successfully applied to each device.
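The same profile can be created and assigned from PowerShell through Microsoft Graph, which is handy when config lock has to be rolled out across several tenants or tracked in source control. The script below is an added example, not code from the article or from Microsoft. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account can consent to DeviceManagementConfiguration.ReadWrite.All; the target group ID is a placeholder you must supply, and the profile name and description are this example’s own choices. The OMA-URI and value are exactly those entered in the admin center steps above.

```powershell
# Added example (not from the original article): create the "Enable Configuration Lock"
# custom profile and assign it to a group via Microsoft Graph. A custom OMA-URI profile is a
# windows10CustomConfiguration resource whose omaSettings carry the OMA-URI rows.
#Requires -Modules Microsoft.Graph.Authentication

param(
    [Parameter(Mandatory)] [string]$TargetGroupId,   # Entra ID group containing the Secured-core PCs (placeholder)
    [ValidateSet(0, 1)]    [int]$LockValue = 1,      # 1 = enable config lock, 0 = disable it
    [string]$ProfileName = 'Enable Configuration Lock'
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# The config lock node in the DMClient CSP (same OMA-URI as the admin center steps).
$configLockUri = './Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock'

$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Enables Secured-core PC configuration lock (near-real-time drift remediation).'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Config lock'
            omaUri        = $configLockUri
            value         = $LockValue
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($profileBody | ConvertTo-Json -Depth 5) -ContentType 'application/json'

Write-Host "Created profile '$($created.displayName)' with id $($created.id)"

# Without an assignment the profile never reaches a device.
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = $TargetGroupId
            }
        }
    )
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

# Read the profile back so the stored OMA-URI and value can be checked before devices sync.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)"
$check.omaSettings | ForEach-Object { '{0} = {1}' -f $_.omaUri, $_.value }
```

Run it as `.\New-ConfigLockProfile.ps1 -TargetGroupId <group-object-id>`; re-running with `-LockValue 0` creates a second profile that turns config lock off, which is the supported way to make changes to a locked secured-core setting before re-enabling the lock. Assign the profile only to a group of known Secured-core devices, since the setting has no effect elsewhere and would just clutter the device status report.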
Windows 11 config lock gives administrators a way to declare that certain high-security computers, or groups of computers, are so sensitive that their configuration must not change. This gives organizations that operate in highly secure or regulated environments assurance that their devices are, and will remain, in the intended configuration.
Dec 2, 2022 | Dean Ellerby