Local Security Policy - FIPS Compliant Algorithms

  • Question

  • I am trying to disable this security setting. I've done it through the Local Security Policy GUI and through the registry.

    Each time I make this change and then reboot, it's back enabled again. I can't find why it keeps getting enabled.

    Is there anything that will cause this to be re-enabled? Already verified that it's not through group policy.

    Thursday, June 18, 2015 6:12 PM

All replies

  • Hi,

    Is your computer joined to a domain environment? If it is, this might be a domain group policy setting.

    Next time, when you have disabled the policy, run the gpupdate /force command, then restart the computer and check the policy status. If the problem persists, open Event Viewer to check whether it identifies any related events.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, June 19, 2015 7:37 AM
    Moderator
  • It's not group policy. I've already looked at it and done tests like you've described.

    I've looked at 5 other domain member computers and none of them have this setting enabled, which also points to something besides group policy.

    Monday, June 22, 2015 4:00 PM
  • I created a GPO that specifically disables the setting. When I run gpupdate, it changes the setting to disabled and it's grayed-out as expected when GPO is controlling a setting.

    But, when I reboot the computer, the setting is set to enabled and is grayed-out. So something is changing it and I can't figure out what's doing it.

    Monday, June 22, 2015 11:05 PM
  • Hi,

    Have you checked the Event Log to see if it identifies this problem?

    On the other hand, please follow the steps below to collect the GPO log for further troubleshooting:

    http://blogs.technet.com/b/askds/archive/2015/04/17/a-treatise-on-group-policy-troubleshooting-now-with-gpsvc-log-analysis.aspx

    http://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx



    Tuesday, June 23, 2015 5:35 AM
    Moderator
  • The machine thinks the policy was applied correctly. When I run the RSoP snap-in, it says "The policy Disable FIPS Cryptography was correctly applied"

    When I run gpupdate after a reboot, it does apply correctly.

    The GPO log doesn't show anything that would disable it.

    Tuesday, June 23, 2015 5:12 PM
  • Hi,

    Maybe you can try removing the PC from the domain to check the status of this problem, then join the domain again to test.



    Wednesday, June 24, 2015 5:19 AM
    Moderator
  • Here are the steps taken.

    Left the domain, rebooted.

    In the local policy, disabled FIPS compliance and rebooted.

    After the reboot, it was enabled, just as before.

    Joined the domain, rebooted.

    After the initial reboot to join the domain, the policy was disabled. Rebooted again.

    After the second reboot, it was back enabled again.

    So, removing and re-adding to the domain did not make any difference.

    Wednesday, June 24, 2015 8:17 PM
  • Hi,

    How about disabling this setting by modifying the Registry:

    1. Click Start, type regedit in the Start search box and press Enter.
    2. In the Registry Editor, navigate to
       HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
    3. This registry value reflects the current FIPS setting. If the setting is enabled, the value is 1. If the setting is disabled, the value is 0.
    4. To disable it, double-click the value and set it to 0.
    5. Restart the computer and check.

    Note: Please back up the Registry key you are going to modify, in case the change harms the system.

    If there is any progress, please feel free to let us know.

    Thursday, June 25, 2015 6:54 AM
    I had to dig on this one, because we had users running into the same issue that you describe: no matter what we changed on the local PC, and even if Group Policy was not enforcing FIPS to be enabled, following a reboot the FIPS entry was set to enabled again under the Local Security Policy.

    The issue ended up being Cisco AnyConnect...

    AnyConnect can have FIPS enforcement turned on. If that is the case, AnyConnect overrides the Windows policy FIPS setting and will always re-enable it following a reboot, like we see. To disable FIPS enforcement, you need to change a parameter in the AnyConnect Local Policy XML file.

    To permanently stop AnyConnect from automatically re-enabling FIPS after reboots:

    1. Go here: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
    2. In Notepad, edit the AnyConnect Local Policy file "AnyConnectLocalPolicy.xml"
    3. Set the "FipsMode" element to false, i.e. "<FipsMode>false</FipsMode>"

    You can read more about this in the Cisco AnyConnect Secure Mobility Client Administrator Guide; find the section "Enabling FIPS and Additional Security in the Local Policy".

    Wednesday, April 6, 2016 8:47 PM
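The following PowerShell script is an added diagnostic, not code from this thread or from Microsoft or Cisco. It ties together the two checks the replies above describe: it reads the FIPSAlgorithmPolicy\Enabled value from the registry and, if the AnyConnect local policy file exists at the path given in the last reply, parses its FipsMode element, so an administrator can tell in one run whether the Windows setting is enabled and whether an installed AnyConnect client is configured to re-enforce it. The registry path, the file path and the FipsMode element name come from the posts; the function names and the output wording are my own. The script only reads and reports; it changes nothing.

```powershell
# Added diagnostic (not from the thread): report the Windows FIPS policy value and
# whether Cisco AnyConnect's local policy is configured to re-enforce FIPS mode.
# Run from an elevated PowerShell prompt; the script is read-only.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy'
$acFile = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml'

function Get-WindowsFipsState {
    # Returns 1 if "Use FIPS compliant algorithms" is enabled, 0 if disabled,
    # or $null if the Enabled value is not present under the key.
    $props = Get-ItemProperty -Path $lsaKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.Enabled
}

function Get-AnyConnectFipsMode {
    # Returns $true or $false from the <FipsMode> element of the AnyConnect local policy,
    # or $null if the file is missing, unparsable, or has no such element.
    if (-not (Test-Path -LiteralPath $acFile)) { return $null }
    try {
        [xml]$doc = Get-Content -LiteralPath $acFile -Raw
    } catch {
        Write-Warning "Could not parse $acFile : $_"
        return $null
    }
    # Property access ignores the XML namespace, so the root element's FipsMode child is reached directly.
    $value = $doc.AnyConnectLocalPolicy.FipsMode
    if ([string]::IsNullOrWhiteSpace($value)) { return $null }
    return ($value.Trim() -ieq 'true')
}

$winFips = Get-WindowsFipsState
$acFips  = Get-AnyConnectFipsMode

'Windows FIPSAlgorithmPolicy\Enabled : {0}' -f $(if ($null -eq $winFips) { 'not set' } else { $winFips })
'AnyConnect local policy FipsMode    : {0}' -f $(if ($null -eq $acFips) { 'no policy file or element' } else { $acFips })

if ($acFips -eq $true) {
    Write-Host 'AnyConnect FipsMode is true: expect the client to re-enable the Windows FIPS policy at each reboot.' -ForegroundColor Yellow
    Write-Host "Change <FipsMode> in $acFile as described in the thread, reboot, then re-run this check."
} elseif ($winFips -eq 1) {
    Write-Host 'Windows FIPS policy is enabled and AnyConnect is not enforcing it; check RSoP and any other endpoint agents.'
} else {
    Write-Host 'Windows FIPS policy is disabled.'
}
```

If the script reports FipsMode as true while Group Policy and RSoP say the setting should be disabled, that matches the behaviour described in the thread: the client rewrites the registry value during startup, so the GPO result looks correct until the next reboot.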