Modern Device Management

Windows Hello for Business has been aroun d for some time as an alternative sign-in method and it allows a user gesture to sign-in instead of just using a password. There are many sign-in gestures available and depending on what is supported based on the hardware, one can configure a PIN, biometric or a fingerprint. For corporate devices, PIN is the most suited method and it is easily configurable on Intune managed devices. However, I will cover other settings in this blog as well. Now Windows Hello for Business is Not Configured by default. So, in case you do not want to enable it for all your users (Remember this setting is a tenant wide setting) then you will need to atleast configure it to Disable for Intune to be able to manage the feature.   Once in place, one can then deploy a Windows Identity protection profile policy to devices of your choice to enable the feature along with the desired configuration. Let’s begin Browse to Devices – Windows – Configuration profile.

Not so while ago, I covered the management of Edge browser settings in my blog here . To continue blogging on MDM management capabilities using Intune, I wanted to cover the settings for managing Google Chrome as well.  Managing Google Chrome consists of two parts  - a. Deploying of Chrome ADMX file to the Intune managed device using a custom policy. b. Deploying the actual set of settings using custom policies . Let’s begin. 1. Download the Chrome ADMX template in order to ingest in Intune. 2. Sign-in to the  https://endpoint.microsoft.com . 3. Browse to Devices – Windows – Configuration profiles 4. Click Create Profile 5. Choose Windows 10 and later as Platform 6. Choose Custom as Profile type 7. Click Create 8. Give a name 9. Add OMA-URI settings as covered below Name: Chrome ADMX OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx Data Type: String Value: Copy the entire content of the ADMX file. Name: HomepageLo

For past couple of months, I have been working on a vulnerability assessment project and as part of the exercise, I came across a vulnerability related to MS15-011: Vulnerability in Group Policy could allow remote code execution , that was flagged up on many servers. Nothing unusual about it and is easily fixable as long as you dot all the i’s and cross all the t’s. Nonetheless, I wanted to blog my experience in an endeavor to make it easier for others to implement this, should you choose to follow the method as documented below. What is ‘ MS15-011: Vulnerability in Group Policy could allow remote code execution’ all about? According to official documentation by MS , A remote code execution vulnerability exists in how Group Policy receives and applies connection data when a domain-joined system connects to a domain controller. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, could