SOLVED

Chrome installation failed due to ExploitGuard block


Hi all,

we are facing the problem that if Google Chrome is installed by Intune via the Company Portal, it gets blocked by ExploitGuard.

In Intune there's an Endpoint Protection Profile with Attack Surface Reduction rules: Flag credential stealing from the Windows local security authority subsystem = Enabled

If now Chrome should be installed, exactly this rule will block the installation.

Did someone face the same problem?

I don't want to disable this setting.... Is the only way to use a Mitigation XML to allow GoogleUpdater.exe access to lsass to have a complete installation?

Regards

Miguel

6 Replies

Hi,

Did you try installing Chrome for Enterprise?

https://cloud.google.com/chrome-enterprise/browser/download/


Yes, that is what I tried.

Best Response confirmed by m_krone (Contributor)
Solution

Hi all,

I found a solution, if anyone is also interested in installing Google Chrome Enterprise with Intune as an MSI and also has Windows Defender fully activated

-------

especially ExploitGuard & CredentialGuard, or at least the option in the Intune Endpoint Protection Profile >> Endpoint protection > Windows Defender Exploit Guard > Attack Surface Reduction > Flag credential stealing from the Windows local security authority subsystem = Enable

-------

Here is the Mitigation.xml which is working (working, not perfect):

Intune Endpoint Protection Profile >> Endpoint protection > Windows Defender Exploit Guard > Exploit protection

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
<AppConfig Executable="GoogleUpdate.exe">
<DEP Enable="true" EmulateAtlThunks="false" />
<ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="true" />
<StrictHandle Enable="false" />
<SystemCalls DisableWin32kSystemCalls="false" />
<ExtensionPoints DisableExtensionPoints="false" />
<DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" />
<ControlFlowGuard Enable="true" SuppressExports="false" />
<SignedBinaries MicrosoftSignedOnly="false" AllowStoreSignedBinaries="false" EnforceModuleDependencySigning="false" />
<Fonts DisableNonSystemFonts="false" AuditOnly="false" Audit="false" />
<ImageLoad BlockRemoteImageLoads="false" BlockLowLabelImageLoads="false" />
<Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="false" EnableRopCallerCheck="false" EnableRopSimExec="false" />
<SEHOP Enable="true" TelemetryOnly="false" />
<Heap TerminateOnError="true" />
<ChildProcess DisallowChildProcessCreation="false" />
</AppConfig>
</MitigationPolicy>

If anyone knows which option allows access to lsass.exe, please reply.
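An added diagnostic script, not from the thread, for checking on an affected device which ASR rule produced the block, how that rule is currently configured, and whether the Exploit Protection XML from the post is applied to the process; it also lists the settings that belong to the ASR rule itself, which is configured separately from the per-process Exploit Protection mitigations in the XML. The rule GUID, the event IDs and the installer path are assumptions stated in the comments.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on an affected device.
# Assumptions: the GUID below is the ASR rule "Block credential stealing from the Windows
# local security authority subsystem (lsass.exe)"; ASR blocks are logged as event 1121 and
# audit hits as 1122 in the Defender operational log; the installer path is the usual one.
$LsassRule     = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$InstallerName = 'GoogleUpdate.exe'
$InstallerPath = 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'   # assumed path

# 1. How is the LSASS rule configured right now? (0 = off, 1 = block, 2 = audit, 6 = warn)
$pref  = Get-MpPreference
$index = -1
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $LsassRule) { $index = $i }
}
if ($index -ge 0) {
    "LSASS ASR rule action code: $($pref.AttackSurfaceReductionRules_Actions[$index])"
} else {
    "LSASS ASR rule is not configured on this device."
}

# 2. ASR events that name the installer: which rule fired, and in block or audit mode?
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$InstallerName*" } |
    ForEach-Object {
        # Flatten the EventData name/value pairs so the rule GUID and paths are readable.
        $x = [xml]$_.ToXml()
        $pairs = foreach ($d in $x.Event.EventData.Data) { "$($d.Name)=$($d.'#text')" }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Fields = $pairs -join '; '
        }
    } | Format-List

# 3. Is the Exploit Protection XML from the post actually applied to the process?
Get-ProcessMitigation -Name $InstallerName

# 4. Settings that belong to the ASR rule itself. Either audit instead of block during
#    the rollout, or exempt only this binary from ASR rules. An exemption means the rule no
#    longer inspects that binary, so keep it to the single installer path, and expect an
#    Intune-managed value to overwrite a local change at the next policy sync.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions AuditMode
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions $InstallerPath
```

Step 2 is the check to run first: the rule GUID in the event fields tells you whether it was the LSASS rule or a different ASR rule that stopped the installer.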


Seems that MicrosoftEdgeUpdate is starting to do the same.


@Petr Vlk Did you deploy this manually or via the Intune native deployment option? In our environment it worked with the native Intune deployment.

Regards


@m_krone Installed by users. The Enterprise installer does not seem (up to now) to do this. But Intune is the same.