Forum Discussion
MSI Elevated privilege request
I would go for the option to publish all of the apps necessary in the Company Portal and create a baseline. When the apps are published inside the Company Portal, every user can install them. Combine this with a strict AppLocker configuration and educate the users to install apps from the Company Portal.
If you want to know more, please visit my site, call4cloud.nl; it has all the information you need.
Rudy_Ooms_MVP Hi, no, this is the problem: I am trying to lock it down so they can't install anything without Admin Credentials unless it's in the portal, but when I turn on the settings it stops the installation of Microsoft Teams and Adobe Reader when re-installing machines using Autopilot and Intune to deploy them.
I have Autopilot set to create users as standard accounts when the machine is set up, so .exe installs are asking for Credentials when run, but .msi files aren't.
- Jul 31, 2021
Hi.. Ah good, nice to hear!.. Can you tell me which setting you are configuring to make sure your users can't install anything? Or are you referring to the Autopilot? Normally when you push down an installation from Intune and it's configured to run as system there would be no problem at all.
- edwardwest, Jul 31, 2021 (Copper Contributor)
Hi,
These are the settings I have currently. I have tried various combinations and they either stop everything and don't prompt for Admin Credentials, don't block anything, or they work but stop Intune pushing apps on install. They are set to system installations so I'm not sure what the issue is; all of Office installs, but not Teams. Disable this policy and Teams installs, but .msi files can run.

Microsoft Defender Exploit Guard
- Flag credential stealing from the Windows local security authority subsystem: Enable
- Process creation from Adobe Reader (beta): Enable
- Office apps injecting into other processes (no exceptions): Block
- Office apps/macros creating executable content: Block
- Office apps launching child processes: Block
- Win32 imports from Office macro code: Block
- Process creation from Office communication products (beta): Enable
- Obfuscated js/vbs/ps/macro code: Block
- js/vbs executing payload downloaded from Internet (no exceptions): Block
- Process creation from PSExec and WMI commands: Block
- Untrusted and unsigned processes that run from USB: Block
- Executables that don't meet a prevalence, age, or trusted list criteria: Block
- Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions): Block
- Advanced ransomware protection: Enable
- Network protection: Disable

Microsoft Defender Application Control
- Application control code integrity policies: Enforce
- Trust apps with good reputation: Enable

Because we are only a small organisation I have set the policies on the machines individually in the past using the local admin account, but due to us now requiring to be Cyber Essentials Plus certified this is going to be a nightmare next year when we renew it, as for any changes I will have to call all the machines in and adjust the policies individually. So I thought Endpoint would be a nice way of setting things up, but it has been a while since I have done server/network stuff of this level.

My end goal is first off making sure all the machines are protected and secure. After that I want to be able to push the apps required through Company Portal, prompt all other installations to require Admin Credentials, stop any .exe file from running from the desktop/downloads etc., and set the default apps for Mail and PDF.
After that I will look into what else can be applied and managed, but for now I don't want to over complicate things. So far I have managed to stop autorun/autoplay, set the default apps, stop .exe installation, and prompt for Admin Credentials when trying to run CMD/PowerShell, so some bits are done.
- Jul 31, 2021
Hi.
The ASR rules look pretty good... please beware of this one: Executables that don't meet a prevalence, age, or trusted list criteria
It can sometimes screw some things up!
And just enabling application guard with this setting:
Microsoft Defender Application Control
- Application control code integrity policies: Enforce
- Trust apps with good reputation: Enable
is not my cup of tea... I would rather start with AppLocker. I have done a blog series about endpoint protection... WDAC/MDAC is of course one of them! When you have configured it like you did.... a lot of stuff, and I mean a lot of stuff, will be blocked.
https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/
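The caveat above about the "prevalence, age, or trusted list" rule is easiest to act on if you can see what a device is actually enforcing and flip that one rule to audit before trusting it in block mode. The following PowerShell is an added example written for this thread; it is not code from either participant or from call4cloud.nl. It assumes the Defender cmdlets are present (any Windows 10/11 with Microsoft Defender Antivirus) and that the GUID shown is the published ID of that rule, which you should verify against Microsoft's ASR rule reference before relying on it.

```powershell
# Added example (not from the thread): list the ASR rules applied on this
# device with their effective action, and move the "executables that don't
# meet a prevalence, age, or trusted list criterion" rule to audit mode.
# ASSUMPTION: this GUID is the published ID for that rule; verify it against
# Microsoft's ASR rule reference before use.
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Numeric action codes returned by Get-MpPreference
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one object per configured ASR rule with its effective action.
    # The two arrays are positionally paired: Ids[i] uses Actions[i].
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $ActionNames[[int]$acts[$i]]
        }
    }
}

Get-AsrRuleState | Sort-Object RuleId | Format-Table -AutoSize

# Locally switch just the noisy rule to audit. On an Intune-managed device
# the Endpoint Security profile re-applies its own value at the next sync,
# so use this to reproduce a problem; the lasting change belongs in the
# profile (set that rule to Audit there and re-evaluate after a few weeks).
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# What the rules are hitting: block-mode events are ID 1121 and audit-mode
# events are ID 1122 in the Defender operational log. The message names the
# rule GUID and the file, which is what you need to decide on exclusions.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running the first part on a machine where Teams or Adobe Reader failed to install during Autopilot tells you whether the failure coincides with an ASR 1121 event for that rule, or whether the block came from somewhere else (for example the WDAC policy), before you start loosening anything.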
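The original question was that .msi packages run for standard users without any prompt, and the advice above is to start with AppLocker rather than WDAC. AppLocker has a dedicated Windows Installer rule collection, and it denies rather than prompts, so the practical pattern is: no blanket "any signed MSI" rule for standard users, allow only the packages you publish through Company Portal (by publisher), keep admins unrestricted, and run in audit mode first. The script below is an added example for this thread, not code from the participants or from call4cloud.nl; the MSI paths are placeholders for your own packages, and it assumes the AppLocker PowerShell module, which ships with Windows 10/11 Pro, Enterprise and Education.

```powershell
# Added example (not from the thread): build an AppLocker Windows Installer
# (MSI) policy in AuditOnly mode, allow-list approved packages by publisher,
# dry-run it, and read the audit events before enforcing.
# PLACEHOLDERS: replace with the MSI packages you publish via Company Portal.
$approvedMsis = @('C:\Deploy\Teams.msi', 'C:\Deploy\AcroRead.msi')
$policyPath   = "$env:TEMP\msi-applocker.xml"

# Base rule collection. Deliberately NO "any digitally signed MSI" rule (the
# AppLocker default), because that is what lets a standard user run a
# per-user install of any signed package without a UAC prompt.
#  - Administrators (S-1-5-32-544) may run any MSI
#  - Everyone (S-1-1-0) may run packages cached under %WINDIR%\Installer,
#    which repair/uninstall of already-installed products needs
$base = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Admins: all MSI" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone: Windows Installer cache" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policy = [xml]$base

# Generate one Allow rule per approved package. Publisher rules survive
# version bumps and cannot be satisfied by renaming a file the way path rules
# can; unsigned packages fall back to a hash rule, which must be regenerated
# on every new version.
$existing = $approvedMsis | Where-Object { Test-Path $_ }
if ($existing) {
    $infos     = Get-AppLockerFileInformation -Path $existing
    $generated = [xml](New-AppLockerPolicy -FileInformation $infos `
                       -RuleType Publisher, Hash -User Everyone `
                       -RuleNamePrefix 'CompanyPortal' -Xml)
    $target = $policy.AppLockerPolicy.RuleCollection           # the Msi collection
    foreach ($rule in $generated.AppLockerPolicy.RuleCollection.ChildNodes) {
        [void]$target.AppendChild($policy.ImportNode($rule, $true))
    }
}
$policy.Save($policyPath)

# Dry-run: what would a standard user (member of Everyone) be allowed to run?
# Add any ad-hoc MSI you want to see denied to -Path to confirm the decision.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $existing -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit mode. AppLocker evaluates nothing unless the
# Application Identity service is running.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# In AuditOnly mode, "would have been blocked" lands as event 8006 in the
# MSI and Script log (8007 once enforced). Review these for a few weeks,
# then change EnforcementMode to "Enabled".
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8006, 8007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

For Intune the same `<RuleCollection Type="Msi" ...>` element (without the outer `AppLockerPolicy` wrapper) is what goes into a custom OMA-URI profile under the AppLocker CSP, `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<grouping>/MSI/Policy`, so the XML you validated locally is the XML you deploy. Apps installed by the Intune Management Extension run as SYSTEM rather than as the logged-on standard user, which is why the audit pass matters: it shows whether your Company Portal deployments are hitting a deny before you ever enforce.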