Windows apps/VPN unable to connect after pushing FIPS policy in Intune

Chris Dahler 0 Reputation points
2024-05-08T20:50:14.4933333+00:00

Applied the Allow Fips Algorithm Policy w/ FIPS-199 cipher suite in an Intune configuration profile, assigned it to my pilot group. Once the settings applied to workstations, we noticed Outlook/TEAMS would no longer connect, our MotionPro VPN would no longer work, etc. I rolled the setting back, but at that point the boxes would no longer connect to Intune. I noticed the policy had set the registry values Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled and MDMEnabled to '1', so I reset them back to '0' and rebooted, to no avail. I've also ensured the FIPS policy is disabled in local security settings. I opened a ticket with Intune; they reproduced the issue in a test env. and were also unable to roll it back. Intune then said it was a Windows tattooing issue, and no longer in scope with Intune, so closed the ticket. I understand that, but I have several boxes in this condition and would like to resolve this without defaulting the boxes. Interesting that browsers can still set up TLS connections, it's just apps that seem broken.

Any help appreciated, thank you.


1 answer

  1. Chris Dahler 0 Reputation points
    2024-05-11T20:41:02.41+00:00

    FIXED. After the config policy is pushed and the 'Allow Fips Algorithm Policy' and the cipher suite are set in the settings config (cryptography), the PC is no longer able to pick up the new settings in order to roll back. So you have to dig into the PC. I found the settings in the registries \Computer Config\Admin Templates\Network\SSL Configuration Setting\SSL

    Cipher Suite Order Not configured No

    ECC Curve Order Not configured No

    I enabled the Cipher Suite Order, which immediately populates the cipher suites. Gpupdate /force and the issue was resolved. This setting is not set by pushing the settings policy from Intune, but should be. This was a sticky one.

    Note: At all times, the browsers were able to set up TLS 1.2 connection without incident.

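As an added, read-only diagnostic (not posted by anyone in the thread), the script below reports the FipsAlgorithmPolicy values the question mentions, whether the SSL Cipher Suite Order policy the answer enabled is present, and the cipher suites Schannel currently has enabled. It assumes the "SSL Cipher Suite Order" Group Policy setting stores its list in the `Functions` value under `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, and that `Get-TlsCipherSuite` is available (Windows 10 / Server 2016 and later).

```powershell
# Added diagnostic, not from the thread. Read-only: changes nothing on the machine.
# Run in an elevated PowerShell session on an affected workstation.

$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
# Assumption: the "SSL Cipher Suite Order" policy writes its comma-separated list
# to the 'Functions' value under this key.
$sslPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

Write-Host "== FIPS algorithm policy ($fipsKey) =="
foreach ($name in 'Enabled', 'MDMEnabled') {
    $value = Get-RegValueOrNull -Path $fipsKey -Name $name
    $state = if ($null -eq $value) { 'absent' } else { $value }
    Write-Host ("  {0,-11}: {1}" -f $name, $state)
    # A value still at 1 after the Intune profile was removed is the "tattoo"
    # described in the question: the policy was rolled back, the registry was not.
    if ($value -eq 1) { Write-Host "  -> $name is still 1 (FIPS mode remains enforced)" }
}

Write-Host "`n== SSL Cipher Suite Order policy ($sslPolicy) =="
$functions = Get-RegValueOrNull -Path $sslPolicy -Name 'Functions'
if ([string]::IsNullOrEmpty($functions)) {
    Write-Host '  Not configured: no Functions value present.'
} else {
    $suites = $functions -split ','
    Write-Host "  Configured with $($suites.Count) suite(s):"
    $suites | ForEach-Object { Write-Host "    $_" }
}

Write-Host "`n== Cipher suites currently enabled in Schannel (Get-TlsCipherSuite) =="
$enabled = @(Get-TlsCipherSuite)
Write-Host "  $($enabled.Count) suite(s) enabled"
$enabled | ForEach-Object { Write-Host "    $($_.Name)" }
if ($enabled.Count -eq 0) {
    # No enabled suites explains why non-browser TLS clients fail to connect.
    Write-Host '  -> Schannel has no enabled cipher suites; TLS clients using it will fail.'
}
```

Compare the output from a broken workstation with one that never received the profile; the difference in the second and third sections shows what the Cipher Suite Order setting restored.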