Secured-core PC configuration lock

In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.

Secured-core configuration lock (config lock) is a new secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.

To summarize, config lock:

  • Enables IT to "lock" secured-core PC features when managed through MDM
  • Detects drift remediates within seconds
  • Doesn't prevent malicious attacks

Windows edition and licensing requirements

The following table lists the Windows editions that support Secured-core configuration lock:

Windows Pro Windows Enterprise Windows Pro Education/SE Windows Education
Yes Yes Yes Yes

Secured-core configuration lock license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE Windows Enterprise E3 Windows Enterprise E5 Windows Education A3 Windows Education A5
Yes Yes Yes Yes Yes

For more information about Windows licensing, see Windows licensing overview.

Configuration Flow

After a secured-core PCs reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock doesn't apply. If the device is a secured-core PC, config lock locks the policies listed under List of locked policies.

Enabling config lock using Microsoft Intune

Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on.

The steps to turn on config lock using Microsoft Intune are as follows:

  1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune.

  2. In the Intune admin center, select Devices > Configuration Profiles > Create a profile.

  3. Select the following and press Create:

    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Custom

    In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates.

  4. Name your profile.

  5. When you reach the Configuration Settings step, select "Add" and add the following information:

    • OMA-URI: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock
    • Data type: Integer
    • Value: 1

    To turn off config lock, change the value to 0.

    In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn-on config lock and the OMA-URI set, along with a Data type of Integer set to a Value of 1.

  6. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices".

  7. You don't need to set any applicability rules for test purposes.

  8. Review the Configuration and select "Create" if everything is correct.

  9. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled.

    The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied.

    The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending.

Configuring secured-core PC features

Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune.

The Defender Firmware protection setting, with a description of System Guard protects your device from compromised firmware. The setting is set to Off.

FAQ

  • Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities.

List of locked policies

CSPs
BitLocker
PassportForWork
WindowsDefenderApplicationGuard
ApplicationControl
MDM policies Supported by Group Policy
DataProtection/AllowDirectMemoryAccess No
DataProtection/LegacySelectiveWipeID No
DeviceGuard/ConfigureSystemGuardLaunch Yes
DeviceGuard/EnableVirtualizationBasedSecurity Yes
DeviceGuard/LsaCfgFlags Yes
DeviceGuard/RequirePlatformSecurityFeatures Yes
DeviceInstallation/AllowInstallationOfMatchingDeviceIDs Yes
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs Yes
DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses Yes
DeviceInstallation/PreventDeviceMetadataFromNetwork Yes
DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings Yes
DeviceInstallation/PreventInstallationOfMatchingDeviceIDs Yes
DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs Yes
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses Yes
DmaGuard/DeviceEnumerationPolicy Yes
WindowsDefenderSecurityCenter/CompanyName Yes
WindowsDefenderSecurityCenter/DisableAccountProtectionUI Yes
WindowsDefenderSecurityCenter/DisableAppBrowserUI Yes
WindowsDefenderSecurityCenter/DisableClearTpmButton Yes
WindowsDefenderSecurityCenter/DisableDeviceSecurityUI Yes
WindowsDefenderSecurityCenter/DisableEnhancedNotifications Yes
WindowsDefenderSecurityCenter/DisableFamilyUI Yes
WindowsDefenderSecurityCenter/DisableHealthUI Yes
WindowsDefenderSecurityCenter/DisableNetworkUI Yes
WindowsDefenderSecurityCenter/DisableNotifications Yes
WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning Yes
WindowsDefenderSecurityCenter/DisableVirusUI Yes
WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride Yes
WindowsDefenderSecurityCenter/Email Yes
WindowsDefenderSecurityCenter/EnableCustomizedToasts Yes
WindowsDefenderSecurityCenter/EnableInAppCustomization Yes
WindowsDefenderSecurityCenter/HideRansomwareDataRecovery Yes
WindowsDefenderSecurityCenter/HideSecureBoot Yes
WindowsDefenderSecurityCenter/HideTPMTroubleshooting Yes
WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl Yes
WindowsDefenderSecurityCenter/Phone Yes
WindowsDefenderSecurityCenter/URL Yes
SmartScreen/EnableAppInstallControl Yes
SmartScreen/EnableSmartScreenInShell Yes
SmartScreen/PreventOverrideForFilesInShell Yes