TL;DR: Azure Local 2604 now configures the "Interactive logon" message text and title via the security baseline with drift control, so the legal notice is compliant by default — to customize it, disable drift control first.

Recommended action:

If you are on Azure Local 2604 or later and just want default compliance — do nothing. The baseline sets a default legal notice and protects it with drift control.

If you need to customize the legal notice (for example, to match your organization's wording for DISA STIG or CIS alignment):

  1. Disable drift control on the node or cluster:

    Disable-AzsSecurity -FeatureName DriftControl -Scope <Local | Cluster>

  2. Set your custom legal notice:

    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LegalNoticeCaption" -Value "Legal Notice"

    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LegalNoticeText" -Value "Your custom legal notice text here"

  3. Re-enable drift control to lock in your customized values:

    Enable-AzsSecurity -FeatureName DriftControl -Scope <Local | Cluster>

Why:

Prior to 2604, the Interactive logon "Message text" and "Message title" settings were not managed by the Azure Local security baseline. They surfaced as non-compliant in the Microsoft Cloud Security Benchmark (MCSB) report until an administrator manually configured them. Starting in 2604, the baseline applies default values for both settings and brings them under drift control, satisfying DISA STIG and CIS requirements out of the box.

Because the values are now protected, any direct registry change made while drift control is enabled will be overwritten. Disabling drift control before editing — then re-enabling it — is the supported customization path.

Going forward:

  • On 2604 and later, treat the legal notice as a baseline-managed setting, not a freeform admin task.

  • If you previously had a custom legal notice in place before updating to 2604, verify it after the update. Drift control enforcement may have replaced it with the baseline default.

  • Re-enabling drift control after customization is what locks your values in — skipping that step leaves the setting unprotected.
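
One way to run the post-update verification described above across every node. This is an added example, not part of the original page or Microsoft's documentation. It assumes it is run from a cluster node with the FailoverClusters module and PowerShell remoting available; the expected caption and text are placeholders to replace with your organization's wording, and `Compare-LegalNotice` is a helper name made up for this example.

```powershell
# Added example: report whether each node still carries the legal notice you expect.
# Assumption: the values in $Expected are placeholders for your approved wording.
$Expected = @{
    LegalNoticeCaption = 'Legal Notice'
    LegalNoticeText    = 'Your custom legal notice text here'
}
$PolicyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: classify each setting on one node as Match, Differs or Missing.
function Compare-LegalNotice {
    param([string]$Node, [hashtable]$Actual, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $value = [string]$Actual[$name]
        if ([string]::IsNullOrWhiteSpace($value)) {
            $state = 'Missing'      # value absent or empty: no banner is shown at logon
        } elseif ($value.Trim() -ceq $Expected[$name].Trim()) {
            $state = 'Match'        # case-sensitive comparison, legal wording must be exact
        } else {
            $state = 'Differs'      # e.g. replaced by the baseline default after the update
        }
        [pscustomobject]@{ Node = $Node; Setting = $name; State = $state; Actual = $value }
    }
}

# Read both registry values on every cluster node and compare them locally.
$report = foreach ($node in (Get-ClusterNode).Name) {
    $actual = Invoke-Command -ComputerName $node -ArgumentList $PolicyPath -ScriptBlock {
        param($Path)
        $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        @{
            LegalNoticeCaption = $props.LegalNoticeCaption
            LegalNoticeText    = $props.LegalNoticeText
        }
    }
    Compare-LegalNotice -Node $node -Actual $actual -Expected $Expected
}

$report | Sort-Object Node, Setting | Format-Table -AutoSize -Wrap

if ($report | Where-Object { $_.State -ne 'Match' }) {
    Write-Warning ('One or more nodes do not carry the expected legal notice. ' +
        'On 2604 and later, change it only while drift control is disabled, then re-enable drift control.')
}
```

A `Differs` result after updating to 2604 is the case the second bullet warns about: compare the `Actual` column with your approved wording before deciding whether to re-apply the customization.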

Reference: https://learn.microsoft.com/en-us/azure/azure-local/manage/manage-secure-baseline