MSI Elevated privilege request

Hi,

I have been using Intune to try to stop staff from being able to install software without entering admin credentials. It is working for .exe files, as each user is a standard user, but whatever I try for .msi files either does nothing, or it blocks the install completely and also stops the Intune apps from installing when setting up the machines.

Does anyone have any tips for me?

I don't know if I am reading it correctly, but do you allow every user to install "stuff" on their own without admin prompts? I hope I am reading it wrong, because that's not the way to go! :)

I would go for the option to publish all of the apps necessary in the company in the Company Portal and create a baseline. When the apps are published inside the Company Portal, every user can install them. Combine this with a strict AppLocker configuration and educate the users to install apps from the Company Portal.

If you want to know more, please visit my site, call4cloud.nl; it has all the information you need.

@Rudy_Ooms_MVP Hi, no, this is the problem. I am trying to lock it down so they can't install anything without admin credentials unless it's in the portal, but when I turn on the settings it stops the installation of Microsoft Teams and Adobe Reader when reinstalling machines using Autopilot and Intune to deploy them.

I have Autopilot set to create users as standard accounts when the machine is set up, so .exe installs are asking for credentials when run, but .msi files aren't.
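The behaviour described in this post has a well-known cause: most .exe setups carry a requireAdministrator manifest or trip UAC's installer detection, so a standard user gets a credential prompt, while an .msi that installs per-user runs under the user's own token and never asks. The settings that change this are the Windows Installer policies, not the ASR or WDAC settings discussed later in the thread. The script below is an added example, not code from any poster; it reads the documented Windows Installer policy registry values and reports what a standard user can do. The interpretation of DisableMSI=1 (user-launched installs refused, administrator- or SYSTEM-context installs such as Intune's still allowed) follows the Windows Installer documentation but should be verified on a test device before rolling out.

```powershell
# Added example, not code from the thread. Reads the Windows Installer policy values that
# decide whether a standard user can run an .msi without an elevation prompt and reports the
# effective state. The registry paths are the documented targets of the
# "Windows Components > Windows Installer" ADMX policies. Run in an elevated PowerShell.
function Get-MsiInstallPolicyReport {
    $machinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $userPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

    # Returns $null when the key or value is absent (policy "Not configured").
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    $disableMsi      = Read-Value $machinePolicy 'DisableMSI'             # absent/0 never, 1 non-managed only, 2 always
    $noUserInstalls  = Read-Value $machinePolicy 'DisableUserInstalls'    # 1 = prohibit per-user installs
    $elevatedMachine = Read-Value $machinePolicy 'AlwaysInstallElevated'  # must be 0 or absent
    $elevatedUser    = Read-Value $userPolicy    'AlwaysInstallElevated'  # must be 0 or absent

    $findings = [System.Collections.Generic.List[string]]::new()

    switch ($disableMsi) {
        2 { $findings.Add('DisableMSI=2 (Always): msiexec refuses every install, including the SYSTEM-context installs Intune pushes.') }
        1 { $findings.Add('DisableMSI=1 (Non-managed only): user-launched .msi files are refused; installs run by an administrator or by SYSTEM (Intune) still proceed.') }
        default { $findings.Add('DisableMSI not set: a standard user can run a per-user .msi install with no admin prompt.') }
    }
    if ($noUserInstalls -eq 1) {
        $findings.Add('DisableUserInstalls=1: per-user installs are blocked, so only per-machine (elevated) installs can run.')
    }
    # AlwaysInstallElevated takes effect only when set in both hives; it lets any user install any .msi as SYSTEM.
    if ($elevatedMachine -eq 1 -and $elevatedUser -eq 1) {
        $findings.Add('AlwaysInstallElevated is set in HKLM and HKCU: any .msi a user runs installs as SYSTEM. Remove this first.')
    }

    [pscustomobject]@{
        DisableMSI            = $disableMsi
        DisableUserInstalls   = $noUserInstalls
        AlwaysInstallElevated = ($elevatedMachine -eq 1 -and $elevatedUser -eq 1)
        Findings              = $findings
    }
}

$report = Get-MsiInstallPolicyReport
$report.Findings | ForEach-Object { Write-Output $_ }
```

In Intune these values are set through the Settings Catalog under Administrative Templates > Windows Components > Windows Installer ("Turn off Windows Installer" set to "For non-managed applications only", "Prohibit User Installs" enabled, and "Always install with elevated privileges" disabled); the script is for confirming on a device what actually landed after a policy sync.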

Hi. Ah, good :) nice to hear! Can you tell me which setting you are configuring to make sure your users can't install anything? Or are you referring to the Autopilot setting? Normally, when you push down an installation from Intune and it's configured to run as system, there would be no problem at all.

@Rudy_Ooms_MVP 

Hi,

These are the settings I have currently. I have tried various combinations, and they either stop everything and don't prompt for admin credentials, don't block anything, or they work but stop Intune pushing apps on install. They are set to system installations, so I'm not sure what the issue is. All of Office installs except Teams; disable this policy and Teams installs, but .msi files can run.


Microsoft Defender Exploit Guard
Flag credential stealing from the Windows local security authority subsystem: Enable
Process creation from Adobe Reader (beta): Enable
Office apps injecting into other processes (no exceptions): Block
Office apps/macros creating executable content: Block
Office apps launching child processes: Block
Win32 imports from Office macro code: Block
Process creation from Office communication products (beta): Enable
Obfuscated js/vbs/ps/macro code: Block
js/vbs executing payload downloaded from Internet (no exceptions): Block
Process creation from PSExec and WMI commands: Block
Untrusted and unsigned processes that run from USB: Block
Executables that don't meet a prevalence, age, or trusted list criteria: Block
Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions): Block
Advanced ransomware protection: Enable
Network protection: Disable

Microsoft Defender Application Control
Application control code integrity policies: Enforce
Trust apps with good reputation: Enable

Because we are only a small organisation, I have set the policies on the machines individually in the past using the local admin account. But as we now need to be Cyber Essentials Plus certified, this is going to be a nightmare next year when we renew, as for any changes I will have to call all the machines in and adjust the policies individually. So I thought Endpoint would be a nice way of setting things up, but it has been a while since I have done server/network work at this level.
My end goal is, first off, making sure all the machines are protected and secure. After that I want to be able to push the required apps through Company Portal, prompt all other installations to require admin credentials, stop any .exe file from running from the desktop/downloads etc., and set the default apps for mail and PDF. After that I will look into what else can be applied and managed, but for now I don't want to overcomplicate things.
So far I have managed to stop autorun/autoplay, set the default apps, stop .exe installation, and prompt for admin credentials when trying to run CMD/PowerShell, so some bits are done.
Hi.

The ASR rules look pretty good. Please beware of this one: "Executables that don't meet a prevalence, age, or trusted list criteria". It can sometimes screw some things up!

And just enabling Application Guard with this setting

Microsoft Defender Application Control
Application control code integrity policies: Enforce
Trust apps with good reputation: Enable

is not my cup of tea. I would rather start with AppLocker. I have done a blog series about endpoint protection, and WDAC/MDAC is of course one of the topics. When you have configured it like you did, a lot of stuff, and I mean a lot of stuff, will be blocked.

https://call4cloud.nl/2021/06/wdac-or-the-unexpected-virtue-of-ignorance/
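The warning above about the prevalence/age/trusted-list rule is the usual reason to run a new ASR rule in audit mode before blocking: audit mode logs what the rule would have stopped without stopping it. The script below is an added example, not code from the thread or from call4cloud.nl; it moves that one rule to Audit on a test device, lists the configured action for every ASR rule, and reads the Defender events that record blocks (1121) and audit hits (1122). The rule GUID is the one in Microsoft's ASR rules reference and should be checked against the current list; the regexes that pull the rule ID and path out of the event message are an assumption about the event text and may need adjusting.

```powershell
# Added example, not code from the thread. Moves the "prevalence, age, or trusted list" ASR
# rule from Block to Audit on a test device, shows the action configured for every ASR rule,
# and pulls the events that say what the rule blocked or would have blocked. Run elevated.
# Intune reasserts its profile at the next sync, so the lasting change belongs in the profile.

# GUID from Microsoft's ASR rules reference for "Block executable files from running unless
# they meet a prevalence, age, or trusted list criterion". Check it against the current list.
$PrevalenceRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Add-MpPreference adds or updates this one rule; Set-MpPreference would replace the whole list.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Action codes as stored by Defender: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $name = if ($actions.ContainsKey($code)) { $actions[$code] } else { "Unknown($code)" }
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $name
        }
    }
}

# Event IDs in Microsoft-Windows-Windows Defender/Operational: 1121 = rule blocked,
# 1122 = rule matched in audit mode. Rule ID and path are parsed from the message text
# (assumed "ID:" and "Path:" lines); adjust the patterns if the event template differs.
function Get-AsrEvents {
    param([int]$Days = 7, [string]$RuleId)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg  = $_.Message
        $id   = if ($msg -match '(?m)^\s*ID:\s*(\S+)')   { $Matches[1] } else { '' }
        $path = if ($msg -match '(?m)^\s*Path:\s*(.+)$') { $Matches[1].Trim() } else { '' }
        $mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = $mode
            RuleId = $id
            Path   = $path
        }
    } | Where-Object { -not $RuleId -or $_.RuleId -eq $RuleId }
}

Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -RuleId $PrevalenceRuleId | Format-Table -AutoSize
```

Leave the rule in Audit for a week or two of normal use, review the paths Get-AsrEvents returns, add exclusions for the line-of-business binaries it would have blocked, and only then switch the Intune profile to Block.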
I will have a read of your blogs. I guess Endpoint/Intune as it is now is pretty new, as there are a lot of settings you can't do from its preselected options and have to make custom policies and import them.
Hi

Yes, totally true. You can simply enable it in the Endpoint Security settings, but that doesn't mean it is configured the way you wanted it to be, so you end up adding some other settings manually with a CSP or a PowerShell script :).