Open nathanaelad opened 4 years ago
Getting the same error, and I have tried on 4 different computers. Still can't get a resolution. I even tried the registry hack, still a no go. I have used this when it just came out and it worked perfectly, now it does not work any more.
I had success, in my testing, using this tool to compile a package inside of Windows Sandbox. Some AzureAD Policy on my workstation has enabled FIPS and used the Sandbox to compile my one app using the tool successfully.
Any updates on validating this app?
Found a workable solution:
1) open Local Security Policy ; navigate to Security Settings > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing ; Disable it
2) open regedit ; Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy ; change both values "Enabled" and "MDMEnabled" to 0
worked for me after making the above changes
This worked for me too, although the only thing I had to disable was MDMEnabled, as it was the only setting set to enabled. Thank you for the fix.
For those of us who can't "just disable" FIPS mode, this is an ongoing issue. Can this be updated to use FIPS crypto?
I'm currently disabling FIPS mode enforcement in `machine.config` each time I run this. I hope it's obvious that having to do that isn't optimal.
This fix shouldn't be much more trouble than replacing manual construction of `SHA256Managed` with `SHA256.Create()`, please make this one-line change so your customers can meet their compliance requirements.
Found a workable solution:
- open Local Security Policy ; navigate to Security Settings > Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing ; Disable it
- open regedit ; Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy ; change both values "Enabled" and "MDMEnabled" to 0
worked for me after making the above changes
Setting "MDMEnabled" to 0 is enough. No need to reboot.
This really needs the correct fix. Our policies require FIPS and I shouldn't need to disable that just to add apps to Intune, even temporarily. If it's really a single line that needs changing can we get an update?
Ran into this today. With more and more people moving to CIS and other standards that require FIPS this is going to be coming up more often. Would love to see a fix ASAP.
I had been using the workaround to change Enabled and MDMEnabled in the registry to 0. That was working just fine until installing Bitlocker with FIPS mode enabled. After Bitlocker has been installed, even with that registry change, the utility still squawks about not being FIPS compliant. So, it is 100% useless to me at this point. Please release a FIPS-compliant version.
Any updates on this issue? Still struggling with the Bitlocker FIPS..
If Microsoft aren't going to support this tool enough to change a single line of code they should release the source here in this repository. Let the community change the line and compile our own FIPS compliant version.
Hello @A9G-Data-Droid. I'm an engineer at a company named Simeon Cloud. Our team has created an open source tool http://github.com/simeoncloud/IntuneAppBuilder/ which has the same functionality as this tool (plus the ability to publish apps). Maybe it could be a viable alternative for you.
@ashek-simeon I appreciate that but at the same time, I don't want you to have to do Microsoft's job for them. If they would release their source it would be much better for the community so we wouldn't have to rewrite the whole thing. People like you could contribute, which would be more efficient for all parties.
Ah the irony of Microsoft requiring use of a tool they won't even support to make a single line change and then having the nerve to put the download on GitHub without also posting the source code for the tool. It's almost as if they only pay lip service to open source initiatives...
Anyway, here to say I just ran into this same issue. Thankfully, I do have the option to override the policy, but still not ideal.
A new version was released without source code, so I had to test it to find if this was fixed. Same error. They didn't change the one line of code needed to close this issue. It's not even a breaking change. They are using SHA256, which is fine! If you use the FIPS compatible version of SHA256 you will get the same hash values. It will "just work".
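The point made in the comment above, as an added example that is not part of the thread and is not the tool's source (which is not published). It assumes .NET Framework on Windows; the class name `FipsHashDemo` and the sample input are constructed for illustration. It reads the two policy values discussed in this thread without changing them, then computes the same SHA-256 digest through each construction path.

```csharp
// Added example: assumes .NET Framework on Windows. FipsHashDemo is a hypothetical name.
using System;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using Microsoft.Win32;

static class FipsHashDemo
{
    const string PolicyKey =
        @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy";

    static string Hex(byte[] digest)
    {
        return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
    }

    // Builds the hash object, hashes the data, and reports the digest or the refusal.
    static string TryHash(string label, Func<HashAlgorithm> create, byte[] data)
    {
        try
        {
            using (HashAlgorithm h = create())
                return label + ": " + Hex(h.ComputeHash(data));
        }
        catch (InvalidOperationException ex)
        {
            // Thrown by the SHA256Managed constructor when FIPS enforcement is on.
            return label + ": blocked (" + ex.Message + ")";
        }
        catch (TargetInvocationException ex)
        {
            // Same refusal, surfaced through a reflection-based factory.
            return label + ": blocked (" + ex.InnerException?.Message + ")";
        }
    }

    static void Main()
    {
        // Read-only view of the two registry values named in the workaround.
        Console.WriteLine("Enabled    = " + (Registry.GetValue(PolicyKey, "Enabled", null) ?? "(not set)"));
        Console.WriteLine("MDMEnabled = " + (Registry.GetValue(PolicyKey, "MDMEnabled", null) ?? "(not set)"));
        Console.WriteLine("AllowOnlyFipsAlgorithms = " + CryptoConfig.AllowOnlyFipsAlgorithms);

        byte[] data = Encoding.UTF8.GetBytes("constructed sample input");
        Console.WriteLine(TryHash("new SHA256Managed()", () => new SHA256Managed(), data));
        Console.WriteLine(TryHash("SHA256.Create()    ", () => SHA256.Create(), data));
        Console.WriteLine(TryHash("new SHA256Cng()    ", () => new SHA256Cng(), data));
    }
}
```

Every path that succeeds prints the same digest, because SHA-256 output does not depend on which implementation computes it.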
I don't have FIPS enabled. But did have the same symptoms. Running the tool totally crashed my Terminal window. Took a video and saw the exception flashing by just before the window closing.
Added Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled DWord (32 bit) = 0 registry entry and it worked...miraculously.
@TonnyWildeman Do you work for the federal government or a contractor bound to comply with FIPS?
If so, turning off that setting is a policy violation. You should speak with your security team to find out why that setting is enabled and ask if it's safe to turn it off. Your PC will begin to show up on audit reports. If you have a regular IT process that requires a security violation to function you'll never be compliant.
Microsoft's approach to FIPS 140-2 validation
Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
@A9G-Data-Droid I do not work for or in the USA. Most people don't.
And people may be compliant in the USA, if they use the prep tool in a Windows Sandbox as suggested by @nathank1989.
@TonnyWildeman Then you absolutely should not be using FIPS mode. The next question is then about how that setting got applied to your computer. You wouldn't want that being pushed to your organization.
Still having this issue as of Feb 2024.
We are also facing this issue. Since it is not an option for us to customize policies or registry keys we searched for another workaround.
When you add an IntuneWinAppUtil.exe.config file next to the IntuneWinAppUtil.exe you can disable the FIPS checks just for this executable. Content for the .config file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <!-- Turns off .NET Framework FIPS enforcement for this executable only -->
    <enforceFIPSPolicy enabled="false"/>
  </runtime>
</configuration>
```
How are you adding the config file next to the exe?
Never mind, you just put the IntuneWinAppUtil.exe.config in the same folder as the IntuneWinAppUtil.exe file.
No matter how I run this application I keep getting the below error.
The most related issue I can find so far is this post on Stack Overflow. The suggested registry changes do not seem to work, unfortunately.