Forum Discussion
edwardwest
Jul 30, 2021, Copper Contributor
MSI Elevated privilege request
Hi, I have been using Intune to try and stop staff being able to install without entering Admin Credentials, it is working for .exe as each user is a standard user, but whatever I try for .msi fi...
edwardwest
Jul 31, 2021, Copper Contributor
Hi,
These are the settings I have currently. I have tried various combinations and they either stop everything and don't prompt for Admin Credentials, don't block anything, or they work but stop Intune pushing apps on install. They are set to system installations, so I'm not sure what the issue is: all of Office installs but not Teams; disable this policy and Teams installs, but .msi files can run.

Microsoft Defender Exploit Guard
Flag credential stealing from the Windows local security authority subsystem: Enable
Process creation from Adobe Reader (beta): Enable
Office apps injecting into other processes (no exceptions): Block
Office apps/macros creating executable content: Block
Office apps launching child processes: Block
Win32 imports from Office macro code: Block
Process creation from Office communication products (beta): Enable
Obfuscated js/vbs/ps/macro code: Block
js/vbs executing payload downloaded from Internet (no exceptions): Block
Process creation from PSExec and WMI commands: Block
Untrusted and unsigned processes that run from USB: Block
Executables that don't meet a prevalence, age, or trusted list criteria: Block
Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions): Block
Advanced ransomware protection: Enable
Network protection: Disable

Microsoft Defender Application Control
Application control code integrity policies: Enforce
Trust apps with good reputation: Enable
Because we are only a small organisation, I have set the policies on the machines individually in the past using the local admin account. But since we now need to be Cyber Essentials Plus certified, this is going to be a nightmare next year when we renew, as any change will mean calling all the machines in and adjusting the policies individually. So I thought Endpoint would be a nice way of setting things up, but it has been a while since I have done server/network stuff at this level.
My end goal is, first off, making sure all the machines are protected and secure. After that I want to be able to push the required apps through Company Portal, prompt all other installations for Admin Credentials, stop any .exe file from running from the desktop/downloads etc., and set the default apps for Mail and PDF. After that I will look into what else can be applied and managed, but for now I don't want to overcomplicate things.
So far I have managed to stop autorun/autoplay, set the default apps, stop .exe installation, and prompt for Admin Credentials when trying to run CMD/PowerShell, so some bits are done.
Jul 31, 2021
Hi.
The ASR rules look pretty good... please beware of this one: Executables that don't meet a prevalence, age, or trusted list criteria.
It can sometimes screw some things up!
And just enabling application guard with this setting:

Microsoft Defender Application Control
Application control code integrity policies: Enforce
Trust apps with good reputation: Enable

is not my cup of tea... I would rather start with AppLocker. I have done a blog series about endpoint protection... WDAC/MDAC is of course one of them! When you have configured it like you did.... a lot of stuff, and I mean a lot of stuff, will be blocked.
https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/
- edwardwest, Jul 31, 2021, Copper Contributor: I will have a read of your blogs. I guess Endpoint/Intune as it is now is pretty new, as there are a lot of settings you can't do from its preselected options and have to make custom policies and import them.
- Jul 31, 2021: Hi.
Yes, totally true... You can simply enable it in the Endpoint Security settings, but that doesn't mean it is configured like you wanted it to be... So you end up adding some other settings manually with a CSP or a PowerShell script :).