Jan 30 2019 02:20 PM - last edited on May 24 2021 02:05 PM by TechCommunityAP
Hi all,
we are facing the problem that when Google Chrome is installed by Intune via the Company Portal it gets blocked by Exploit Guard.
In Intune there is an Endpoint Protection Profile with Attack Surface Reduction rules: Flag credential stealing from the Windows local security authority subsystem = Enabled
If Chrome is now installed, exactly this rule blocks the installation.
Did someone face the same problem?
I don't want to disable this setting.... is the only way to use a Mitigation XML to allow GoogleUpdater.exe access to lsass so the installation completes?
Regards
Miguel
Jan 31 2019 02:36 AM
Hi,
Did you try installing Chrome for Enterprise?
https://cloud.google.com/chrome-enterprise/browser/download/
Jan 31 2019 04:03 AM
Yes, that is what I tried.
Mar 22 2019 05:24 AM
Solution
Hi all,
I found a solution. If anyone is also interested in installing Google Chrome Enterprise with Intune as an MSI and also has Windows Defender fully activated
-------
especially Exploit Guard & Credential Guard, or at least the option in the Intune Endpoint Protection Profile >> Endpoint protection > Windows Defender Exploit Guard > Attack Surface Reduction > Flag credential stealing from the Windows local security authority subsystem = Enable
-------
Here is the Mitigation.xml which is working (working - not perfect). It is imported under:
Intune Endpoint Protection Profile >> Endpoint protection > Windows Defender Exploit Guard > Exploit protection
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <!-- Per-process Exploit Protection settings; one AppConfig block per executable name -->
  <AppConfig Executable="GoogleUpdate.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="false" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="false" />
    <SystemCalls DisableWin32kSystemCalls="false" />
    <ExtensionPoints DisableExtensionPoints="false" />
    <DynamicCode BlockDynamicCode="false" AllowThreadsToOptOut="false" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries MicrosoftSignedOnly="false" AllowStoreSignedBinaries="false" EnforceModuleDependencySigning="false" />
    <Fonts DisableNonSystemFonts="false" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="false" BlockLowLabelImageLoads="false" />
    <Payload EnableExportAddressFilter="false" EnableExportAddressFilterPlus="false" EnableImportAddressFilter="false" EnableRopStackPivot="false" EnableRopCallerCheck="false" EnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
    <ChildProcess DisallowChildProcessCreation="false" />
  </AppConfig>
</MitigationPolicy>
If anyone knows which option allows the access to lsass.exe, please reply.
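The thread leaves open which Defender component is actually doing the blocking and whether the XML took effect on the device. The following script is an added example, not code from the thread or from Microsoft; it queries the Defender operational log for Attack Surface Reduction block (event 1121) and audit (event 1122) events that mention the updater, reports the configured mode of the LSASS credential-stealing ASR rule (whose documented GUID is 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2), applies the posted Mitigation.xml with Set-ProcessMitigation and reads the result back. The executable name is taken from the post; the policy file path and the field labels parsed out of the event message are assumptions. Run it elevated on a test device.

```powershell
# Added example: check what blocked GoogleUpdate.exe and verify the Exploit Protection policy.
# Not part of the thread; $PolicyFile and the "ID:" / "Path:" message labels are assumptions.

$Exe        = 'GoogleUpdate.exe'                 # executable named in the posted XML
$PolicyFile = 'C:\ProgramData\Mitigation.xml'   # assumed location of the posted XML

# Documented GUID of the ASR rule "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# 1. Report how the rule is configured on this device (0 = Off, 1 = Block, 2 = Audit).
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$index = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $LsassRuleId) { $index = $i; break }   # -eq is case-insensitive
}
$mode = if ($index -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$index] } else { 'not configured' }
"LSASS ASR rule mode on this device: $mode"

# 2. List ASR block/audit events that name the updater, with the rule ID and path the
#    engine recorded, so the block can be attributed to a specific rule.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Exe) }

foreach ($e in $events) {
    $lines = $e.Message -split "`r?`n"
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = if ($e.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        Rule   = ($lines | Where-Object { $_ -match '^\s*ID:' }   | Select-Object -First 1).Trim()
        Path   = ($lines | Where-Object { $_ -match '^\s*Path:' } | Select-Object -First 1).Trim()
    }
}

# 3. Apply the posted per-process mitigation XML and read back what is now set for the exe.
if (Test-Path $PolicyFile) {
    Set-ProcessMitigation -PolicyFilePath $PolicyFile
    Get-ProcessMitigation -Name $Exe
} else {
    "Policy file $PolicyFile not found; skipping Set-ProcessMitigation"
}
```

Step 3 writes Exploit Protection (per-process mitigation) settings, which is a separate engine from the ASR rule reported in step 1, so step 2 is the check that tells you whether the ASR rule is still firing after the XML has been applied. If the 1121 events persist, switching the rule to audit mode on a pilot group first shows what it would block without lowering protection for everyone, and the narrowest change is a path-scoped ASR-only exclusion (Add-MpPreference -AttackSurfaceReductionOnlyExclusions) for the updater binary rather than disabling the rule.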
Dec 13 2019 05:46 AM
It seems the same starts happening with MicrosoftEdgeUpdate.
Jan 27 2020 05:29 AM
@Kazzan Did you deploy this manually or via the Intune native deployment option? In our environment it worked with the native Intune deployment.
Regards
Jan 27 2020 02:17 PM
@m_krone Installed by users. The Enterprise installer does not seem (up to now) to do this. But with Intune it is the same.