[German]A brief tip for administrators who are so slowly introducing Windows 11 into corporate environments. In the default settings of the operating system, the Winlogon credentials can be read out in plain text using a simple DLL. The new group policy "Enable MPR notifications" is now supposed to prevent this. The whole thing has finally been implemented (after 20 years) in Windows 11 22H2.
Advertising
A note on Twitter
The topic passed me by a bit until I came across the following hint from Grzegorz Tworek on Twitter. He gives administrators responsible for the Windows 11 Security Baseline the tip to look at the group policy "Enable MPR notifications".
By default, Windows sends an MPR notification to the system when the user logs on via Winlogon. From Microsoft there is for example this support article (is a bit older) about it. The default settings allow reading plain text credentials from Winlogon with a simple DLL.
In the new Windows 11 22H2 security baselines, there is now a policy "Enable MPR notification for the system" under:
Windows Components\Windows Logon Options
Advertising
If the policy "Enable MPR notification for the system" is set to Disabled, WinLogon does not send MPR notification to the system. If the policy is set to Enabled or not configured, MPR notifications are sent.
Introduced with Windows 11 22H2
The colleagues from Bleeping Computer pointed out the new policy in the security baseline of Windows 11 22H2 in the article Windows 11 22H2 adds kernel exploit protection to security baseline in September 2022 (the operating system was then generally released in early October 2022).
The Windows 11 22H2 security baseline also includes credential theft protection via the 'Allow Custom SSPs and APs to be loaded into LSASS,' 'Configure LSASS to run as a protected process,' and 'Enable MPR notifications for the system' to restrict the loading of custom security packages and block password disclosure to providers.
Apparently, however, there are differences in the ADMX group policies of Windows 10 22H2 and Windows 11 22H2. Helmut Wagensonner from Microsoft has published some details in a post Windows 10 or Windows 11 GPO ADMX – An Update in the Techcommunity.
