Setting up and managing device configurations using Intune
To Enable Kernel-mode Hardware-enforced Stack Protection in the Intune configuration policy
Hi Team,
I am trying to enable both Memory Integrity (HVCI) and Kernel-mode Hardware-enforced Stack Protection on Windows 11 devices using Intune.
Currently, I have configured the following Intune policy:
Devices > Configuration Profiles > Settings Catalog > Virtualization Based Technology > Hypervisor Enforced Code Integrity = Enabled
As expected, Memory Integrity is enabled and the toggle is greyed out with the message "This setting is managed by your administrator."
However, Kernel-mode Hardware-enforced Stack Protection remains disabled on all tested devices.
Tested on:
- Windows 11 23H2 and 24H2
- Lenovo ThinkPad T14 Gen 3
- Dell Latitude 7440
According to Microsoft documentation, Kernel-mode Hardware-enforced Stack Protection requires:
- VBS enabled
- HVCI enabled
- Supported hardware (Intel CET / AMD Shadow Stack)
- Compatible drivers
All prerequisites appear to be met. I have also tested on multiple modern devices with the same result.
My questions are:
- Is there currently a supported Intune Settings Catalog policy or CSP to enable Kernel-mode Hardware-enforced Stack Protection?
- Can this setting be enforced and greyed out for users in the same way as Memory Integrity?
- If Intune does not currently support this setting, is the recommended approach to use Group Policy, OMA-URI, or a remediation script?
- Are there any known limitations or dependencies that would prevent the feature from enabling even when VBS and HVCI are active?
Any guidance or Microsoft-recommended approach would be appreciated.
Thank you.
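As an added example that is not part of the original post and does not claim to be the Microsoft-recommended approach, the following PowerShell script is shaped like an Intune remediation check: it reports whether VBS, HVCI and Kernel-mode Hardware-enforced Stack Protection are actually running on a device, distinguishes a missing prerequisite from the feature itself being off, and can optionally write the policy values. The `Win32_DeviceGuard` WMI class with its `VirtualizationBasedSecurityStatus` and `SecurityServicesRunning` properties is real; the service codes 5 (enforced) and 6 (audit mode) for stack protection, and the `KernelShadowStacks` registry key with `Enabled`/`Locked` DWORD values, are assumptions recalled from Microsoft's documentation and should be verified against the current docs before relying on them.

```powershell
<#
  Added example, not from the original post.
  Assumptions to verify against current Microsoft documentation:
   - Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (memory
     integrity) runs, 5 when Kernel-mode Hardware-enforced Stack Protection
     is enforced, and 6 when it runs in audit mode.
   - The feature is configured under
     HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks
     with DWORD values Enabled (1 = on) and Locked (1 = toggle greyed out).
  Intune remediation packages expect separate detection and remediation scripts;
  this file keeps both behind one switch so the logic reads in one place.
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

$KssKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'

function Get-StackProtectionState {
    # Query the same DeviceGuard class the Windows Security app reads.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $running = @($dg.SecurityServicesRunning)

    $regEnabled = $null
    $regLocked  = $null
    if (Test-Path $KssKey) {
        $props = Get-ItemProperty -Path $KssKey
        $regEnabled = $props.Enabled
        $regLocked  = $props.Locked
    }

    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning     = ($running -contains 2)
        KmhspRunning    = ($running -contains 5)   # assumption: 5 = enforced
        KmhspAudit      = ($running -contains 6)   # assumption: 6 = audit mode
        RegistryEnabled = $regEnabled
        RegistryLocked  = $regLocked
    }
}

function Test-StackProtectionPrereqs {
    param([Parameter(Mandatory)] $State)
    # The feature depends on VBS and HVCI; if either is not running, that
    # missing layer is what to fix, not the stack-protection value.
    $missing = @()
    if (-not $State.VbsRunning)  { $missing += 'VBS not running' }
    if (-not $State.HvciRunning) { $missing += 'HVCI (memory integrity) not running' }
    return $missing
}

$state   = Get-StackProtectionState
$missing = Test-StackProtectionPrereqs -State $state

if ($state.KmhspRunning) {
    Write-Output "Kernel-mode Hardware-enforced Stack Protection is running (registry Enabled=$($state.RegistryEnabled), Locked=$($state.RegistryLocked))."
    exit 0   # Intune detection: compliant, no remediation needed
}

$reason = if ($missing.Count -gt 0) { $missing -join '; ' } else { 'prerequisites met but feature not running' }
Write-Output "Kernel-mode Hardware-enforced Stack Protection NOT running: $reason (audit mode: $($state.KmhspAudit))."

if ($Remediate -and $missing.Count -eq 0) {
    # Remediation: write the policy values; they take effect after a restart.
    if (-not (Test-Path $KssKey)) { New-Item -Path $KssKey -Force | Out-Null }
    New-ItemProperty -Path $KssKey -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $KssKey -Name 'Locked'  -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output 'Registry values set; a restart is required before the running state changes.'
}

exit 1   # Intune detection: non-compliant, trigger remediation
```

Run it without the switch as the detection script (exit 0 = compliant, 1 = needs remediation) and with `-Remediate` as the remediation script; a device that reports a missing prerequisite is left untouched on purpose, because writing the stack-protection value on a machine where VBS or HVCI is not running would change nothing and hide the real cause. Unsupported hardware (no Intel CET / AMD Shadow Stack) or an incompatible driver will also keep the feature off after a restart, so a device that stays non-compliant with the registry values in place points at those prerequisites rather than at the policy.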