To Enable Kernel-mode Hardware-enforced Stack Protection in the Intune configuration policy

Vinayak Kanavimath 20 Reputation points
2026-06-25T06:48:37.6933333+00:00

Hi Team,

I am trying to enable both Memory Integrity (HVCI) and Kernel-mode Hardware-enforced Stack Protection on Windows 11 devices using Intune.

Currently, I have configured the following Intune policy:

Devices > Configuration Profiles > Settings Catalog > Virtualization Based Technology > Hypervisor Enforced Code Integrity = Enabled

As expected, Memory Integrity is enabled and the toggle is greyed out with the message "This setting is managed by your administrator."

However, Kernel-mode Hardware-enforced Stack Protection remains disabled on all tested devices.

Tested on:

  • Windows 11 23H2 and 24H2
  • Lenovo ThinkPad T14 Gen 3
  • Dell Latitude 7440

According to Microsoft documentation, Kernel-mode Hardware-enforced Stack Protection requires:

  • VBS enabled
  • HVCI enabled
  • Supported hardware (Intel CET / AMD Shadow Stack)
  • Compatible drivers

All prerequisites appear to be met. I have also tested on multiple modern devices with the same result.

My questions are:

  1. Is there currently a supported Intune Settings Catalog policy or CSP to enable Kernel-mode Hardware-enforced Stack Protection?
  2. Can this setting be enforced and greyed out for users in the same way as Memory Integrity?
  3. If Intune does not currently support this setting, is the recommended approach to use Group Policy, OMA-URI, or a remediation script?
  4. Are there any known limitations or dependencies that would prevent the feature from enabling even when VBS and HVCI are active?

Any guidance or Microsoft-recommended approach would be appreciated.

Thank you.
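One way to see on an enrolled device which VBS services the Intune policy actually got running (and whether Kernel-mode Hardware-enforced Stack Protection is configured at all), as an added PowerShell example that is not part of the original post. The Win32_DeviceGuard class and its service IDs are Microsoft's documented ones; the KernelShadowStacks registry key name is an assumption and should be confirmed on a device.

```powershell
# Added example (not from the original post): compare what Device Guard reports as
# configured against what is actually running, per VBS security service.
# Service IDs follow Microsoft's documentation of Win32_DeviceGuard.SecurityServicesRunning.
$services = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI / Memory Integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
}

$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

# VBS itself must be running (status 2) before any of the services above can run.
$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled but not running' }
    2       { 'running' }
    default { "unknown ($_)" }
}
"VBS: $vbsState"

# "configured" = a policy asked for it; "running" = the kernel actually enabled it.
# A service that is configured but not running points at a hardware or driver blocker.
foreach ($id in ($services.Keys | Sort-Object)) {
    $configured = $dg.SecurityServicesConfigured -contains $id
    $running    = $dg.SecurityServicesRunning    -contains $id
    '{0,-62} configured={1,-5} running={2}' -f $services[$id], $configured, $running
}

# Assumed key name, following the naming of the other DeviceGuard\Scenarios keys:
# if it is absent, no policy on the device is requesting kernel shadow stacks, which
# is a different problem from the feature being requested and then refused.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
if (Test-Path $key) {
    'KernelShadowStacks policy value: ' + (Get-ItemProperty -Path $key).Enabled
} else {
    'No KernelShadowStacks scenario key present: nothing is requesting the feature.'
}
```

Run it in an elevated PowerShell on one of the tested devices; "configured=False" for ID 5 means the HVCI policy alone is not requesting the feature, while "configured=True running=False" means the request is being refused on that hardware or driver set.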

Microsoft Security | Intune | Configuration