Posts

Showing posts from 2020

Intune: Windows Hello for Business

Windows Hello for Business has been around for some time as an alternative sign-in method; it allows a user gesture to sign in instead of just using a password. There are many sign-in gestures available and, depending on what the hardware supports, one can configure a PIN, biometrics or a fingerprint. For corporate devices, PIN is the most suitable method and it is easily configurable on Intune managed devices. However, I will cover other settings in this blog as well. Windows Hello for Business is Not Configured by default. So, in case you do not want to enable it for all your users (remember this setting is a tenant wide setting), you will need to at least configure it to Disable for Intune to be able to manage the feature. Once in place, one can then deploy a Windows Identity protection profile policy to devices of your choice to enable the feature along with the desired configuration. Let’s begin. Browse to Devices – Windows – Configuration profile.

Intune - Manage Google Chrome Settings

Not so long ago, I covered the management of Edge browser settings in my blog here. To continue blogging on MDM management capabilities using Intune, I wanted to cover the settings for managing Google Chrome as well. Managing Google Chrome consists of two parts:

a. Deploying the Chrome ADMX file to the Intune managed device using a custom policy.
b. Deploying the actual set of settings using custom policies.

Let’s begin.

1. Download the Chrome ADMX template in order to ingest it in Intune.
2. Sign in to https://endpoint.microsoft.com.
3. Browse to Devices – Windows – Configuration profiles.
4. Click Create Profile.
5. Choose Windows 10 and later as Platform.
6. Choose Custom as Profile type.
7. Click Create.
8. Give a name.
9. Add OMA-URI settings as covered below.

Name: Chrome ADMX
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data Type: String
Value: Copy the entire content of the ADMX file.

Name: HomepageLo

MEMCM: Fixing MS15-011 Vulnerability in Group Policy that could allow remote code execution, using Compliance Settings in ConfigMgr

For the past couple of months, I have been working on a vulnerability assessment project and, as part of the exercise, I came across a vulnerability related to MS15-011: Vulnerability in Group Policy could allow remote code execution, that was flagged up on many servers. Nothing unusual about it, and it is easily fixable as long as you dot all the i’s and cross all the t’s. Nonetheless, I wanted to blog my experience in an endeavor to make it easier for others to implement this, should you choose to follow the method as documented below. What is ‘MS15-011: Vulnerability in Group Policy could allow remote code execution’ all about? According to official documentation by MS, a remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, could

Intune - Microsoft Edge browser settings & extensions

In this blog I will cover some of the settings of the Microsoft Edge browser configured using the built-in administrative templates in Intune. Using Intune to manage and enforce policies is equivalent to using Active Directory Group Policy or configuring local Group Policy Object (GPO) settings on user devices. For a complete list of Microsoft Edge policies, you can check the link here. Let’s begin.

1. Sign in to https://endpoint.microsoft.com.
2. Browse to Devices – Windows – Configuration profiles.
3. Click Create Profile.
4. Choose Windows 10 and later as Platform.
5. Choose Administrative Templates as Profile type.
6. Click Create.
7. Give a name.
8. Use the search field ("Search to filter items ...") to find a specific setting you want to configure, as shown below.

Configure the home page URL
Enable the default search provider
Hide the First-run experience and splash screen
Default search provider URL fo

Intune - BitLocker silent and automatic Encryption Settings for Lenovo Thinkpads

A while ago, I was working on an endpoint management project and one of the key requirements was to roll out BitLocker policies to the Windows 10 MDM enrolled devices. As much as this may seem routine, what made things interesting was that the customer only had Lenovo devices and apparently it required some additional bits and pieces to be put in place alongside the Intune BitLocker encryption settings. I will cover the details and my experience through this blog. Before going into the details, please make a note of the requirements for automatic BitLocker device encryption:

1. Device should be running 1903 with the latest CU or a newer build.
2. TPM 1.2 or 2.0.
3. UEFI Secure Boot should be enabled.
4. DMA protection should be enabled.

As far as my project requirements for enabling BitLocker encryption are concerned, they are as follows:

1. Enable BitLocker on the OS drive.
2. Configure BitLocker automatically and silently without any kind of user interaction.
3. Disable Startup PIN.
4. Escrow