{"id":28295,"date":"2023-01-08T00:01:17","date_gmt":"2023-01-07T23:01:17","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=28295"},"modified":"2023-01-06T18:53:13","modified_gmt":"2023-01-06T17:53:13","slug":"set-windows-11-gpo-enable-mpr-notifications-for-your-security","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/01\/08\/set-windows-11-gpo-enable-mpr-notifications-for-your-security\/","title":{"rendered":"Set Windows 11 GPO \"Enable MPR notifications &#8230;\" for your security"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/?p=276604\" target=\"_blank\" rel=\"noopener\">German<\/a>]A brief tip for administrators who are gradually introducing Windows 11 into corporate environments. In the default settings of the operating system, the Winlogon credentials can be read out in plain text using a simple DLL. The new group policy \"Enable MPR notifications\" is now supposed to prevent this. The protection has finally been implemented (after 20 years) in Windows 11 22H2.<\/p>\n<p><!--more--><\/p>\n<h2>A note on Twitter<\/h2>\n<p>The topic passed me by a bit until I came across the following hint from Grzegorz Tworek on Twitter. 
He gives administrators responsible for the Windows 11 Security Baseline the tip to look at the group policy \"Enable MPR notifications\".<\/p>\n<p><img decoding=\"async\" title=\" GPO &quot;Enable MPR notifications&quot;\" src=\"https:\/\/i.imgur.com\/cEq6dZ6.png\" alt=\" GPO &quot;Enable MPR notifications&quot;\" \/><\/p>\n<p>By default, Windows sends an MPR notification to the system when the user logs on via Winlogon. Microsoft has, for example, <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/the-mpr-still-calls-the-nppasswordchangenotify-function-to-notify-a-password-change-event-in-windows-7-or-in-windows-server-2008-r2-even-though-the-password-change-is-unsuccessful-f77c413c-9b39-e807-8fc1-f0b9b5433d38\" target=\"_blank\" rel=\"noopener\">this support article<\/a> (a somewhat older one) on the topic. The default settings allow reading plain text credentials from Winlogon with a simple DLL.<\/p>\n<p>In the new Windows 11 22H2 security baselines, there is now a policy \"Enable MPR notification for the system\" under:<\/p>\n<p>Windows Components\\Windows Logon Options<\/p>\n<p>If the policy \"Enable MPR notification for the system\" is set to Disabled, Winlogon does not send MPR notifications to the system. 
If the policy is set to Enabled or not configured, MPR notifications are sent.<\/p>\n<h2>Introduced with Windows 11 22H2<\/h2>\n<p>The colleagues from Bleeping Computer pointed out the new policy in the security baseline of Windows 11 22H2 in the article <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-11-22h2-adds-kernel-exploit-protection-to-security-baseline\/\" target=\"_blank\" rel=\"noopener\">Windows 11 22H2 adds kernel exploit protection to security baseline<\/a> in September 2022 (the operating system was then made generally available in early October 2022).<\/p>\n<blockquote><p>The Windows 11 22H2 security baseline also includes credential theft protection via the 'Allow Custom SSPs and APs to be loaded into LSASS,' 'Configure LSASS to run as a protected process,' and 'Enable MPR notifications for the system' to restrict the loading of custom security packages and block password disclosure to providers.<\/p><\/blockquote>\n<p>Apparently, however, there are differences in the ADMX group policies of Windows 10 22H2 and Windows 11 22H2. Helmut Wagensonner from Microsoft has published some details in the post <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/windows-10-or-windows-11-gpo-admx-an-update\/ba-p\/3703548\" target=\"_blank\" rel=\"noopener\">Windows 10 or Windows 11 GPO ADMX \u2013 An Update<\/a> in the Microsoft Tech Community.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]A brief tip for administrators who are gradually introducing Windows 11 into corporate environments. In the default settings of the operating system, the Winlogon credentials can be read out in plain text using a simple DLL. 
The new group &hellip; <a href=\"https:\/\/borncity.com\/win\/2023\/01\/08\/set-windows-11-gpo-enable-mpr-notifications-for-your-security\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,2643],"class_list":["post-28295","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows-11"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/28295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=28295"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/28295\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=28295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=28295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=28295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}