Microsoft Tech Community
SOLVED

Chrome installation failed due to ExploitGuard block

Brass Contributor

Hi all,

We are facing the problem that when Google Chrome is installed by Intune via the Company Portal, it gets blocked by Exploit Guard.

In Intune there is an Endpoint Protection Profile with Attack Surface Reduction rules: Flag credential stealing from the Windows local security authority subsystem = Enabled

 

If Chrome is now installed, exactly this rule blocks the installation.

Is someone else facing the same problem?

I don't want to disable this setting... Is the only way to use a Mitigation XML that allows GoogleUpdater.exe access to lsass, so that the installation completes?

 

Regards

Miguel

6 Replies

Hi,

 

Did you try installing Chrome for Enterprise?

 

https://cloud.google.com/chrome-enterprise/browser/download/

 

Yes, that is what I tried.

best response confirmed by m_krone (Brass Contributor)
Solution

Hi all,

 

I found a solution, in case anyone else is also interested in installing Google Chrome Enterprise with Intune as an MSI while also having Windows Defender fully activated

-------

especially Exploit Guard & Credential Guard, or at least the option in the Intune Endpoint Protection Profile >> Endpoint protection > Windows Defender Exploit Guard > Attack Surface Reduction > Flag credential stealing from the Windows local security authority subsystem = Enable

-------

Here is the Mitigation.xml which is working (working, not perfect):

Intune Endpoint Protection Profile >> Endpoint protection > Windows Defender Exploit Guard > Exploit protection

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="GoogleUpdate.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="false" />
    <SystemCalls DisableWin32kSystemCalls="false" />
    <ExtensionPoints DisableExtensionPoints="false" />
    <DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries MicrosoftSignedOnly="false" AllowStoreSignedBinaries="false" EnforceModuleDependencySigning="false" />
    <Fonts DisableNonSystemFonts="false" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="false" BlockLowLabelImageLoads="false" />
    <Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="false" EnableRopCallerCheck="false" EnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
    <ChildProcess DisallowChildProcessCreation="false" />
  </AppConfig>
</MitigationPolicy>

If anyone knows which option allows the access to lsass.exe, please reply.
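The following PowerShell is an added example for readers of this thread; it is not code from the poster or from Microsoft. It shows the two checks an administrator would want before reaching for a per-app Exploit Protection XML: first, reading the Defender operational log to confirm which Attack Surface Reduction rule fired and against which process (ASR block events are ID 1121, audit events 1122), and second, scoping the relief to that one rule and that one binary with Defender's ASR-only exclusions rather than changing the app's exploit mitigations. The rule GUID for the LSASS credential-stealing rule is Microsoft's published value; the updater path and the assumption that the event's rule GUID field is named "ID" are assumptions marked in the comments and should be checked against the event text on your own client.

```powershell
# Added example (not from the thread or from Microsoft). Run in an elevated PowerShell
# on an affected client. The relief is scoped to one rule and one binary so the ASR
# rule stays in Block mode for every other process.

# Published GUID of "Block credential stealing from the Windows local security authority subsystem".
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# ASSUMPTION: typical install location of the updater named in the thread; use the
# path reported by the ASR event on your device instead if it differs.
$UpdaterPath = 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'

function Get-AsrEvents {
    # Returns ASR block (1121) and audit (1122) events from Defender's operational log.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Collect every named EventData field generically so the script does not
        # depend on exact field names beyond the one assumption below.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = $data['ID']   # ASSUMPTION: the rule GUID is carried in the field named 'ID'
            Fields = $data
        }
    }
}

# 1. Confirm it really is the LSASS rule, and see which process path it reported.
$hits = Get-AsrEvents | Where-Object { $_.RuleId -eq $LsassAsrRuleId }
foreach ($h in $hits) {
    "{0} [{1}]" -f $h.Time, $h.Mode
    $h.Fields.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}

# 2. Narrowest relief: exclude only this binary from ASR evaluation.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $UpdaterPath

# Wider relief for troubleshooting only: put just this rule into Audit mode.
# Set-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId -AttackSurfaceReductionRules_Actions AuditMode

# 3. Verify the effective state (action codes: 0=Off, 1=Block, 2=Audit, 6=Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $LsassAsrRuleId) {
        "LSASS rule action: " + $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
"ASR-only exclusions: " + ($pref.AttackSurfaceReductionOnlyExclusions -join '; ')

# 4. If you did apply the thread's Exploit Protection XML, show what is in effect for the app.
Get-ProcessMitigation -Name GoogleUpdate.exe
```

On an Intune-managed device the Set-MpPreference/Add-MpPreference changes are only a local test: the ASR policy from Intune will reconcile them on the next sync, so once the exclusion is confirmed to work it belongs in the Intune ASR rules profile (the rule's per-rule or ASR-only exclusion setting) rather than on the client. Step 4 is worth running because the Exploit Protection settings in the thread's XML are a different control from ASR rules; seeing them side by side makes clear which of the two changes actually unblocked the installer.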

It seems that MicrosoftEdgeUpdate has started doing the same.

@Petr Vlk Did you deploy this manually or with the Intune native deployment option? In our environment it worked with the native Intune deployment.

 

Regards

@m_krone Installed by users. The Enterprise installer does not seem (so far) to do this. But with Intune it is the same.
