Why are PolicyManger settings getting applied during windows setup?

Question

Why are PolicyManger settings getting applied during windows setup?

Cestra, Joe 25

I am trying to track down how and why settings under HKLM\Software\Microsoft\PolicyManager get applied. From what I have read this is supposed to be used strictly for MDM managed policies but that does not seem to be the case. I am seeing these settings get laid down during windows setup on first boot into the OS. We use standard wipe and load methods to provision machines and a thin unaltered image pulled directly from Microsoft. Those PolicyManager setting do not exist in the WIM but after the windows setup runs and by the time you first see the desktop some of those settings will exist. The interesting part is that different sets of configurations are laid down for different models of devices, i.e. Lenovo, Dell, Hyper-V using an identical imaging process. Can anyone explain why these cloud managed settings are getting laid down at this stage of an OS deployment? There is no cloud presence at this stage, it’s not an Autopilot build, no Intune enrollment yet. Thank you.

User's image

Answer accepted by question author

0 additional answers

Your answer

Answer 1

HarryPhan-2691 8,170 Independent Advisor

Hi Cestra,

What you’re observing with the PolicyManager settings being applied during Windows setup is actually by design, even in the absence of MDM or Autopilot enrollment. During the initial boot phase, Windows retrieves configuration assists specific to the device model or hardware from a Microsoft service. This process helps apply optimizations or baseline policies tailored to the manufacturer, such as Lenovo, Dell, or Hyper-V.

These settings aren’t part of the base WIM file but are dynamically applied as the device completes the Out-of-Box Experience (OOBE). Think of it as a lightweight provisioning step to align the device with recommended configurations for stability or performance, depending on the hardware.

While PolicyManager is indeed a key component for MDM policies, it also supports this pre-enrollment configuration layer to ensure a consistent experience across diverse hardware. Rest assured, this isn’t tied to cloud management or Intune at this stage.

I hope this clarifies what you’re seeing in your deployment process! If you have any follow-up questions, feel free to ask. And if this answer helps, don’t forget to hit “Accept Answer” 😊.

Cestra, Joe 25 Reputation points

2025-10-03T02:08:13.1033333+00:00

Thank you that is very enlightening. Is this documented anywhere? I understand it but I think this design can present at least minor problems and one I have already verified. Once a device is enrolled for MDM it will reapply those PolicyManger settings on syncs. So now we have policies you are not even aware of and never deployed from Intune getting applied. Ill summarize quickly just to get this out there I don't need any further assistance.

Provision a new Lenovo PC

OOBE lays down PolicyManager - EnableVirtualziationBasedSecurity = 1

Device is Hybrid Joined and MDM Enrolled

You apply legacy GPO to set EnbableVirtualizationBasedSecurity to disabled

The effect is: Software\Policies...\DeviceGuard - EnbableVirtualizationBasedSecurity = 0

Now because the device is MDM enrolled and that OOBE installed PolicyManager enableVBS setting exists, the 8-hour MDM sync flips Software\Policies...\DeviceGuard - EnbableVirtualizationBasedSecurity to 1

Then a Group Policy refresh will flip it back to 0 because that's how the policy is configured. Now its flipping back and forth. It may not cause an observable issue, but I expect this is happening to others. The issue here is I explicitly configured a policy to turn it off but because some other policy laid down by OOBE unbeknownst to me its flipping back on.

Share via

Why are PolicyManger settings getting applied during windows setup?

0 additional answers

Your answer