windows
5 Topics

Using Windows LAPS alongside legacy LAPS
Good afternoon folks, I am trying to figure out a thing or two for using Windows LAPS in our domain. First, we do have legacy LAPS configured and used in our domain. We still have servers with Windows Server 2k12R2 and 2k16. They both need to use the legacy LAPS because they are not supported for using Windows LAPS. I was planning on using emulation mode so that we do not introduce new ways to do things while some legacy configurations are around. So until we get rid of the older OSes, legacy emulation mode should remain.

I was planning to make two policies applied using WMI filters and only for LAPS: one for the Windows LAPS config and the other for the legacy LAPS config, both targeted to the proper OS. Am I right in my configuration? The way I am seeing it is: using two policies, no servers should receive configurations that are not set for them. I can uninstall the legacy client on the newer servers and leave the old client on the older OSes. Helpdesk will continue to use the LAPS tool to retrieve the password. We still target the same account using both policies.

To achieve that config I will need to:
- Extend the schema for Windows LAPS.
- Configure two policies using WMI filters and configure the right options: on the newer OS, I need both legacy and Windows LAPS policies set (emulation mode only for the Windows LAPS). On the older OS policy, only the legacy one.
- Remove the legacy client on the new OSes.

Any idea or suggestion? Am I missing something about the requirements of both modes or any incompatibility with what I am planning? Thanks a lot for any comments. Mathieu

1.1K Views, 0 likes, 0 comments

WDAC Managed Installer and Applocker Audit logs
Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices. In testing I have followed guidance (link below) to create the required supporting Applocker ManagedInstaller rule: Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn

In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the Applocker log Microsoft-Windows-AppLocker/EXE and DLL, i.e. an 8003 audit event for pretty much every DLL execution. Does anyone know if this is expected? Seems an obvious question as I see how the configuration of the Applocker ManagedInstaller rule collection in audit mode could cause this. Just looking for some clarification that this is expected, as I had not anticipated the use of this (MDAC) option to result in such aggressive logging by Applocker (which I am otherwise not looking to use). I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something? Does anyone else have this configured and if so, do you see the same? Many thanks, Phil

1.1K Views, 0 likes, 0 comments

Fast Microsoft recommended driver block rules update with automatic scheduled task
Microsoft recommended driver block rules in Windows are automatically updated starting with Windows 11 22H2, twice per year, but the list itself is updated more often. Microsoft provides ways to update them faster and out of the schedule. I've created a PowerShell script that does this automatically and you only need to run the script once, then it will create a scheduled task in Windows that runs every 7 days and renews the recommended drivers block list.

# create a scheduled task that runs every 7 days
if (-NOT (Get-ScheduledTask -TaskName "MSFT Driver Block list update" -ErrorAction SilentlyContinue)) {
    # action: download the latest block list, stage it as SiPolicy.p7b under CodeIntegrity and ask CiTool to refresh the policy
    $action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
        -Argument '-NoProfile -WindowStyle Hidden -command "& {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip;Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";$job = Start-Job -Name "Job1" -ScriptBlock { CiTool.exe -r };Start-Sleep -s 15;Stop-Job $job;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"'

    # run as the current user, elevated, without a stored password (S4U logon)
    $TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $env:USERNAME -RunLevel Highest

    # trigger: first run in 3 hours, then every 7 days
    $Time = New-ScheduledTaskTrigger `
        -Once -At (Get-Date).AddHours(3) `
        -RepetitionInterval (New-TimeSpan -Days 7)

    # register the task
    Register-ScheduledTask -Action $action -Trigger $Time -Principal $TaskPrincipal -TaskPath "MSFT Driver Block list update" -TaskName "MSFT Driver Block list update" -Description "Microsoft Recommended Driver Block List update"

    # define advanced settings for the task
    $TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility Win8 -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3)

    # add advanced settings we defined to the task
    Set-ScheduledTask -TaskPath "MSFT Driver Block list update" -TaskName "MSFT Driver Block list update" -Settings $TaskSettings
}

https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates

2K Views, 0 likes, 0 comments

Prevent User folders from caching locally
Hi @all, I do IT work for a company that uses profile redirection on all their workers' machines, which stores on a server. However, I noticed that user folders are being cached locally on every device and are accessible when not connected to the domain (i.e., going into C:\Users and seeing the local folders and files of every user that has logged into a machine). How do I go about preventing the data from being cached so that if someone walks in and steals a computer there isn't any sensitive data being accessed? Or do I have to enable BitLocker on all devices? Thank you for your time.

928 Views, 0 likes, 0 comments

Prohibit standard users from adding exclusions to Windows Defender (Windows Security)
Hello there, how can I prohibit standard users from adding exclusions in Windows Defender? I would like to only control the Defender exclusions from a central point, and the standard users should not be able to add exclusions themselves. I've searched through GPOs and settings in Intune but can't seem to find the correct setting. Does anyone know if this is possible? If it is, where is the setting then? Windows 10 Enterprise, 1903 and 2004. Devices are Hybrid Azure AD Joined.

Solved. 1.8K Views, 0 likes, 2 comments
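As an added example (not from this thread), the PowerShell below checks a device's Defender exclusions against a centrally approved baseline and pulls recent exclusion-related configuration changes from the Defender operational log, so exclusions added outside the central configuration can be spotted; the baseline path is a constructed placeholder and the 5007 message filter on the word 'Exclusions' is an assumption about the event text.

```powershell
# Added example: detect Defender exclusions that drift from a central baseline.
function Get-DefenderExclusionDrift {
    param(
        [string[]]$ApprovedPaths      = @('C:\ProgramData\ExampleApp\'),  # constructed placeholder baseline
        [string[]]$ApprovedExtensions = @(),
        [string[]]$ApprovedProcesses  = @(),
        [int]$Hours = 24
    )
    # Current effective exclusions as Defender reports them on this device.
    $pref = Get-MpPreference

    # Anything present locally but absent from the approved lists is drift.
    $drift = @(
        foreach ($p in $pref.ExclusionPath)      { if ($ApprovedPaths      -notcontains $p) { [pscustomobject]@{ Type = 'Path';      Value = $p } } }
        foreach ($e in $pref.ExclusionExtension) { if ($ApprovedExtensions -notcontains $e) { [pscustomobject]@{ Type = 'Extension'; Value = $e } } }
        foreach ($x in $pref.ExclusionProcess)   { if ($ApprovedProcesses  -notcontains $x) { [pscustomobject]@{ Type = 'Process';   Value = $x } } }
    )

    # Event 5007 in the Defender operational log records platform configuration changes
    # (old value / new value). Keeping only messages that mention 'Exclusions' narrows it to
    # exclusion edits; this match is an assumption about the message text.
    $changes = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        UnapprovedExclusions = $drift
        RecentExclusionEdits = $changes
    }
}

# Usage: run elevated, then review what is not in the baseline and when it changed.
$report = Get-DefenderExclusionDrift -Hours 24
$report.UnapprovedExclusions | Format-Table -AutoSize
$report.RecentExclusionEdits | Format-List
```

Run it from a central script or RMM to compare every device against the same approved lists; non-empty UnapprovedExclusions is the signal that the local configuration has diverged from the central one.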