Create blob files with SHA-256 hashing enabled instead of MD5

I'm requesting that Nerdio be made able to create blob files with SHA-256 hashing enabled instead of the weaker MD5 algorithm. This is an urgent matter.

I manage an AVD environment in the Azure U.S. Government Cloud that requires that all VMs comply with FIPS 140-2. FIPS 140-2 compliant hashing algorithms do not include MD5. Currently, MD5 is the default hashing algorithm used when creating Nerdio scripted actions. This causes a huge problem when building new VMs or running scripted actions on existing VMs. The scripted action, and even winget app installs, will fail with a download error. Drilling into this error will reveal this error message: “This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.”

We will soon be required to enable FIPS on all our VMs, but with the FIPS settings configured on the VMs, we cannot provision new VMs to the AVD pools or modify existing VMs until the hashing issue is resolved.

5

Comments (13 comments)

0
Carl Long
Thank you for submitting your feature request—we truly value input from our community.

Next steps:
• We will review your request and update its status as it progresses through our evaluation process.
• If any clarification is needed, we'll follow up with you directly in the comments.

We also encourage the community to influence our decision through comments, votes, and feedback.
1
Nerdio Product Support

Collin Harrison, thank you for submitting this request. We will capture and discuss with our development team.

0
Toby Skerritt
(Edited)

Hi Collin Harrison, we have been investigating your request, but we don't see a clear path to resolve this.

The actual blob contents are stored as SHA-256 encryption by default (and optionally customers can use CMK instead), however the hashing (which correlates to the 'Content-MD5' field that's displayed on the blob object properties) appears to be a native Azure property which doesn't have any options to customize beyond disabling the hashing entirely.

Example:

Here is the Microsoft KB document we have used to research this property.

https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.storage.blob.blobrequestoptions.storeblobcontentmd5

If we are misunderstanding the request, please let me know so that we can investigate further. If this specific property is causing you issues, please raise a support request with Azure support, we would be happy to work with them and you to reach the required outcome, but we don't see any options at this point.

0
John Bart
(Edited)

I also just experienced this issue and I'm not sure what the way forward is. Did you ever find a way forward on this? I'm coming up on audits and this looks like it will be a significant issue for all Government users of Nerdio.

0
Collin Harrison

John,

We're still dealing with this issue, unfortunately. I was told Nerdio does not support FIPS-enabled machines, and it does not look like they plan to change that. As a workaround, we are running our own automations from a separate storage account. It would be nice to be able to leverage Nerdio for that, but it's not possible at this point.

0
Steven Billig
(Edited)

I would like to bump this for review as well, as this is a huge issue for our environment right now.

Our POTENTIAL workaround is that we're going to see if Nerdio can deploy the registry key that enables that setting AFTER deployment, but it is highly inconvenient to have to do it this way. We are looking for any potential option to delay FIPS until after a VM is deployed at this time.

0
David Sain
(Edited)

Adding to this. Case 136149 for scripted actions failing in NMM 7.0.2 with FIPS cryptography algorithms enforced via Intune policy for CMMC compliance.

The combined observed sequence is:
1. Custom Script Extension installs.
2. Script files successfully downloaded from Azure storage account.
3. Custom Script Extension attempts integrity validation.
4. Validation step fails to produce any hashes.
5. Script file is not committed/finalized on disk.
6. PowerShell invocation fails due to missing file.
7. Extension reports execution failure after attempting to run.

We have an application for handling CUI and it requires individual, assigned Session Hosts. Every time it is re-imaged, users have to add their account back into the application, which is somewhat painful.

I understood that the MD5 hash is in Microsoft's CSE; given your CMMC/GCC High customer base, do you have or plan a FIPS-safe execution path that doesn't route through it? Perhaps an alternate execution path such as a different extension or agent-based delivery?
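The observed sequence above (download, integrity validation, commit) and the Content-MD5 property Toby Skerritt describes earlier can be reproduced in a small script. This is an added example, not Nerdio's or Microsoft's code: the script body and its blob headers are constructed, the FIPS refusal of MD5 is emulated with a flag, and the SHA-256 metadata value is a hypothetical convention, not a native Azure property.

```python
import base64
import hashlib

# Constructed sample: a scripted-action body as the Custom Script Extension
# would download it from a storage account blob.
SCRIPT_BODY = b"Write-Host 'scripted action ran'\r\n"


def content_md5(data: bytes) -> str:
    """Content-MD5 as Azure stores it: base64 of the raw 16-byte MD5 digest
    (not the hex string most tools print)."""
    digest = hashlib.md5(data, usedforsecurity=False).digest()
    return base64.b64encode(digest).decode()


def md5_under_policy(data: bytes, fips_enforced: bool) -> str:
    """Emulate the platform: with the FIPS policy enforced the crypto
    provider refuses MD5 outright, which is why the validation step in the
    observed sequence produces no hash at all."""
    if fips_enforced:
        raise ValueError("MD5 is not among the FIPS validated algorithms")
    return content_md5(data)


def verify_download(data: bytes, blob_md5: str, meta_sha256, fips_enforced: bool):
    """Integrity check for a downloaded script file.

    Returns (algorithm_used, ok). The SHA-256 branch checks a hypothetical
    blob metadata value (e.g. x-ms-meta-sha256) that a FIPS-safe delivery
    path could publish alongside the blob; Azure does not provide this natively.
    """
    try:
        return ("md5", md5_under_policy(data, fips_enforced) == blob_md5)
    except ValueError:
        if meta_sha256 is None:
            # Nothing FIPS-approved to check against: do not commit the file.
            return ("none", False)
        return ("sha256", hashlib.sha256(data).hexdigest() == meta_sha256)


# Headers/metadata the constructed blob would carry.
BLOB_MD5 = content_md5(SCRIPT_BODY)
META_SHA256 = hashlib.sha256(SCRIPT_BODY).hexdigest()

if __name__ == "__main__":
    print(verify_download(SCRIPT_BODY, BLOB_MD5, None, fips_enforced=False))
    print(verify_download(SCRIPT_BODY, BLOB_MD5, None, fips_enforced=True))
    print(verify_download(SCRIPT_BODY, BLOB_MD5, META_SHA256, fips_enforced=True))
```

The second call reproduces step 4 of the sequence (no hash produced, file not committed); the third shows what a SHA-256 side channel would need to provide for the same file to pass under FIPS.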

0
Steven Billig

Our temporary solution was to grant the Nerdio Scripted Actions automation account permissions to add devices to groups via an Azure Runbook. The Azure Runbook adds the device via Nerdio to a specific Azure FIPS group that once membership is detected, Intune deploys the FIPS policy.

It is set to run as a Scripted Action on each host pool at the “These scripted actions will run after VM is joined to AVD host pool” section.

Feature request was submitted to allow reordering of certain VM deployment functions. E.G. under the Virtual Machines section, the option to add the device to an Entra Group is ran fairly early on in the deployment process. It would be helpful to have this done later in the process. Until then, the above is what has gotten us through a little.

1
David Sain

Thank you, Steven Billig. My solution is to replace my scripted actions with scheduled tasks baked into the image. For regular W11 updates, I'm going to use AUM. With all the manual work (work-arounds), I'm not really sure what I'm getting out of NMM for building enclaves for CMMC (yes, I know I'm posting in NME but have a post in NMM also). Most of this, if not all, I can, and have to, manage by hand.

0
Steven Billig

Hey John, did you happen to get this verified from your compliance team? Our internal security team mentioned that that was not enough for a GCCH environment and required the FIPS Compliance policy to still be deployed. If we didn't have to deploy the FIPS Compliance setting, it would make life a heck of a lot easier for sure.

0
John Bart

Steven Billig, you saw my comment before I deleted it :). I posted and then didn't want to fully commit to it.

0
Steven Billig

Hahahah no worries at all. Appreciate it, sir!

0
David Sain

Steven Billig,

Your post came in via email, even though you deleted it ;-)

How would you handle a regularly running scripted action for something like running Windows Updates? Seems you would need to remove the machine from the group applying the FIPS policy, run updates and then add it back.

One thing I noted is when I removed the FIPS policy, scripted actions still would not run until I reimaged the session host. As if some setting is tattooed to the session host.

So the update would have to be something like:
1: remove SH from group
2: reimage SH
3: Run Win update scripted action
4: add SH to group.

I wouldn't want to document in the SSP for CMMC compliance, that I'm removing FIPS requirement every two weeks with automation, for a patch window. But that might be okay, I haven't gone through a C3PAO audit yet.