Posts

Showing posts from November, 2022

Enabling Windows 11 22H2 Core Isolation Memory Integrity feature using Intune

In Windows 10 and 11, the operating system can provide protection from malicious code by isolating certain processes in the PC’s memory using virtualization on supported hardware. This protection is provided by the Memory Integrity setting under the Core Isolation feature. With Windows 11 22H2, Microsoft made this feature the default. However, as of writing this post, Memory Integrity is only turned on by default on new devices. For existing devices upgrading to Windows 11 22H2, the feature needs to be managed separately. Memory Integrity is also known as Hypervisor-protected Code Integrity (HVCI). Being a Device Guard feature, it hasn't made it to the dedicated security profiles under Endpoint Security Attack Surface Rules in Intune as a standalone policy. Official documentation by Microsoft suggests that it can be enabled as part of the AppLocker Code Integrity CSP. Alternatively, one can also enable it through the AppLocker policy in Application control ASR, if you want to enable AppLocker policy as a w...

Configuring Adobe Acrobat Reader DC policy settings using Intune for AAD devices

I recently had a requirement for setting up policies for Adobe Acrobat Reader DC to lock down and configure some features on Autopilot-provisioned AAD devices. Adobe does provide GPO templates, but what's astonishing is that these templates do not support all the settings. According to Adobe, the templates are basic starter templates containing the most important settings and are broadly spread across the following categories: 1. General enterprise settings: Features such as disabling updates and setting the default PDF handler. 2. Security: Application security features such as enhanced security, sandboxing, and JS controls. 3. TrustManager: Trusting Windows OS security zones as defined in Internet Explorer. 4. Digital Signatures: Adobe Acrobat Trust List integration. I imported the templates into Intune to check which policies are supported in Intune, and there were only a handful of settings. According to Adobe, one can use Preference Reference to extend the templates, but this...