Set Windows 11 GPO "Enable MPR notifications …" for your security

Posted on 2023-01-08 by guenni

Windows[German]A brief tip for administrators who are so slowly introducing Windows 11 into corporate environments. In the default settings of the operating system, the Winlogon credentials can be read out in plain text using a simple DLL. The new group policy "Enable MPR notifications" is now supposed to prevent this. The whole thing has finally been implemented (after 20 years) in Windows 11 22H2.

Advertising

A note on Twitter

The topic passed me by a bit until I came across the following hint from Grzegorz Tworek on Twitter. He gives administrators responsible for the Windows 11 Security Baseline the tip to look at the group policy "Enable MPR notifications".

GPO "Enable MPR notifications"

By default, Windows sends an MPR notification to the system when the user logs on via Winlogon. From Microsoft there is for example this support article (is a bit older) about it. The default settings allow reading plain text credentials from Winlogon with a simple DLL.

In the new Windows 11 22H2 security baselines, there is now a policy "Enable MPR notification for the system" under:

Windows Components\Windows Logon Options

Advertising

If the policy "Enable MPR notification for the system" is set to Disabled, WinLogon does not send MPR notification to the system. If the policy is set to Enabled or not configured, MPR notifications are sent.

Introduced with Windows 11 22H2

The colleagues from Bleeping Computer pointed out the new policy in the security baseline of Windows 11 22H2 in the article Windows 11 22H2 adds kernel exploit protection to security baseline in September 2022 (the operating system was then generally released in early October 2022).

The Windows 11 22H2 security baseline also includes credential theft protection via the 'Allow Custom SSPs and APs to be loaded into LSASS,' 'Configure LSASS to run as a protected process,' and 'Enable MPR notifications for the system' to restrict the loading of custom security packages and block password disclosure to providers.

Apparently, however, there are differences in the ADMX group policies of Windows 10 22H2 and Windows 11 22H2. Helmut Wagensonner from Microsoft has published  some details in a post Windows 10 or Windows 11 GPO ADMX – An Update in the Techcommunity.

Advertising
This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).