(127) Windows Autopilot - "Required" Reboots

  • Writer: Mr B SOE way
  • May 30, 2024
  • 2 min read

Updated: Mar 5

As part of the CIS Windows 11 Benchmark 3.0.0, there are 9 settings that cause reboots during Autopilot.

Five of them come from the 'Device Lock' category. You can see which settings required a reboot in the registry under HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs (the "RequiredReboots" list).

CIS Control   Description
1.1.1         (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
1.1.2         (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
1.1.3         (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
1.1.4         (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
1.1.5         (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'

As well as the 4 settings from 'Device Guard':

  • Configure System Guard Launch = Unmanaged Enables Secure Launch if supported by hardware

  • Enable Virtualization Based Security = enable virtualization based security.

  • Credential Guard = (Enabled without lock) Turns on Credential Guard without UEFI lock.

  • Require Platform Security Features = Turns on VBS with Secure Boot.
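To see which of these settings actually forced a restart on a given device, the registry key named above can be read back after enrollment. The following is an added example, not code from the original post; it assumes the entries under RebootRequiredURIs are stored as values or subkeys named after the OMA-URI and shows their data verbatim rather than interpreting it.

```powershell
# Added example, not the post's own code: list what the Provisioning/SyncML
# engine recorded as reboot-required during enrollment, grouped by the CSP
# area (Device Lock, Device Guard, ...) that appears in the URI.
# Assumption: entries are values and/or subkeys named after the OMA-URI;
# the data is shown as stored, not interpreted.
$RebootUriKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs'

function Get-RebootRequiredUri {
    param([string]$Path = $RebootUriKey)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not present: $Path (no reboot-required URIs recorded)"
        return
    }

    $key = Get-Item -Path $Path
    $valueNames = @($key.GetValueNames())
    # Collect both value names and subkey names, drop the empty "(Default)" name
    $entries = ($valueNames + @($key.GetSubKeyNames())) | Where-Object { $_ } | Sort-Object -Unique

    foreach ($name in $entries) {
        # Classify by the CSP node that appears in the URI
        $area = if ($name -match 'DeviceLock')      { 'Device Lock' }
                elseif ($name -match 'DeviceGuard') { 'Device Guard' }
                else                                { 'Other' }

        $data = if ($valueNames -contains $name) { $key.GetValue($name) } else { '<subkey>' }

        [pscustomobject]@{
            Area = $area
            Uri  = $name
            Data = $data
        }
    }
}

# Run as an administrator on an enrolled device (the key lives under HKLM)
Get-RebootRequiredUri | Sort-Object Area, Uri | Format-Table -AutoSize
```

Anything that shows up under 'Device Lock' or 'Device Guard' here is a candidate for moving out of the device-targeted baseline and into one of the solutions below.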



Solutions:

Settings Catalog:

Create a separate Settings Catalog policy for these settings and assign it in the user context, to a user group.

Win32 App:

Package these settings as a Win32 app, with an install script that applies them through secedit:

secedit /export /cfg secedit.cfg /areas securitypolicy user_rights
$secedit = Get-Content secedit.cfg
$secedit = $secedit -replace "PasswordHistorySize.*", "PasswordHistorySize = 24" <# Enforce password history #> `
    -replace "MaximumPasswordAge.*", "MaximumPasswordAge = 365" <# Maximum password age #> `
    -replace "MinimumPasswordAge.*", "MinimumPasswordAge = 1" <# Minimum password age #> `
    -replace "MinimumPasswordLength.*", "MinimumPasswordLength = 14" <# Minimum password length #> `
    -replace "PasswordComplexity.*", "PasswordComplexity = 1" <# Password complexity #>

# secedit expects a Unicode (UTF-16) template; Windows PowerShell 5.1 writes that by default,
# PowerShell 7 writes UTF-8, so set the encoding explicitly
$secedit | Out-File seceditnew.cfg -Encoding unicode
secedit /configure /cfg seceditnew.cfg /db seceditnew.sdb /areas securitypolicy user_rights
gpupdate /force

The detection script (detect.ps1) exports the current policy and checks it for the expected lines, for example:

secedit /export /cfg secedit.cfg
$secedit = (Get-Content secedit.cfg).Trim()
# NOTE: these literals must be exactly what the install script writes
# (the comments give the CIS minimum for each control)
$settings = @(
  "PasswordHistorySize = 30",   # Enforce password history: 24
  "MaximumPasswordAge = 5",     # Maximum password age: 365
  "MinimumPasswordAge = 1",     # Minimum password age: 1
  "MinimumPasswordLength = 15", # Minimum password length: 14
  "PasswordComplexity = 1"      # Password complexity: Enabled
)
Remove-Item secedit.cfg -ErrorAction SilentlyContinue
$missing = $settings | Where-Object { $secedit -notcontains $_ }
if ($missing) { exit 1 }      # not detected: Intune runs the install script
Write-Output "Detected"       # exit 0 plus STDOUT output = detected
exit 0
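Exact string matching breaks as soon as a device carries a stricter value than the one in the list, so a threshold check against the CIS rule itself is more robust. The script below is an added example, not the post's detect.ps1: it parses the secedit export into name/value pairs and evaluates each of the five Device Lock controls against its benchmark threshold, failing closed when a value is missing or non-numeric. It assumes the export lines have the form "PasswordHistorySize = 24".

```powershell
# Added example, not the post's own code: threshold-based detect.ps1 for the
# five Device Lock controls. A stricter local value (e.g. history 30 instead
# of 24) still counts as compliant; a missing or non-numeric value fails.
# Assumption: secedit export lines look like "PasswordHistorySize = 24".
$cfg = Join-Path $env:TEMP 'devicelock-detect.cfg'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse "Name = Value" lines into a lookup table
$policy = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# One rule per CIS control: secedit key, the test it must pass, and text for the log
$rules = @(
    @{ Id = '1.1.1'; Key = 'PasswordHistorySize';   Expect = '24 or more';     Test = { param($v) $v -ge 24 } }
    @{ Id = '1.1.2'; Key = 'MaximumPasswordAge';    Expect = '1..365 (not 0)'; Test = { param($v) $v -ge 1 -and $v -le 365 } }
    @{ Id = '1.1.3'; Key = 'MinimumPasswordAge';    Expect = '1 or more';      Test = { param($v) $v -ge 1 } }
    @{ Id = '1.1.4'; Key = 'MinimumPasswordLength'; Expect = '14 or more';     Test = { param($v) $v -ge 14 } }
    @{ Id = '1.1.5'; Key = 'PasswordComplexity';    Expect = '1 (Enabled)';    Test = { param($v) $v -eq 1 } }
)

$failed = foreach ($r in $rules) {
    $raw = $policy[$r.Key]
    $value = 0
    $parsed = [int]::TryParse($raw, [ref]$value)
    # Missing or non-numeric value fails closed
    if (-not $parsed -or -not (& $r.Test $value)) {
        "$($r.Id) $($r.Key)='$raw' (expected $($r.Expect))"
    }
}

if (-not $failed) {
    # Intune Win32 detection: exit 0 AND something on STDOUT = detected
    Write-Output 'Device Lock settings compliant'
    exit 0
}
# Anything else = not detected, so the install script runs; reasons go to the log
Write-Output ($failed -join '; ')
exit 1
```

Because the rules encode the benchmark thresholds rather than the exact values the install script writes, the same detection script can be reused across baselines that choose different (stricter) values.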

Because this Win32 app is deployed to "All Devices", set "Only fail selected blocking apps in technician phase" to No in the Enrollment Status Page (ESP) profile.


To cover both 'Device Guard' and 'Device Lock', create a policy with the following settings and target a user group or 'All Users'.
