security
WDAC Managed Installer and Applocker Audit logs
Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices. In testing I have followed the guidance (link below) to create the required supporting AppLocker ManagedInstaller rule: Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn. In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the AppLocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution. Does anyone know if this is expected? It seems an obvious question, as I see how the configuration of the AppLocker ManagedInstaller rule collection in audit mode could cause this. I am just looking for some clarification that this is expected, as I had not anticipated the use of this (MDAC) option to result in such aggressive logging by AppLocker (which I am otherwise not looking to use). I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something? Does anyone else have this configured and, if so, do you see the same? Many thanks, Phil

Hacked and unable to clean PCs
Good morning. Approx. 8 PCs have been hacked. I have tried to restore them, but the worm or whatever is installed/affecting them is still on the PC. Large amounts of data are shown downloaded via the router (PC to bad guy internet address). It started infecting PCs at one site and, over a VPN connection, then downloaded itself to another site, affecting all of these PCs. I have been working with Norton to eradicate this, but they cannot find any sort of a virus, so they recommended coming here! User admin credentials changed, large downloads, remote access shut off but they still connect, nefarious bad guy IPs are set to connect (netstat -abn shows them connecting at various times and places; data lost). I know they have gotten in and are somehow rewriting, possibly by PowerShell, changes that affect the users and other areas! I put most of the collected troubleshooting data/info I could up on the Norton forums (https://community.norton.com/en/comment/8538567#comment-8538567). I have been working on this for a few months now and after several restores whatever is on the PC does not get removed! Built firewalls and they work around it, blocked remote services (tons of tasks etc. shut off) and they work around it. On my wife's laptop I set up an admin and a user account after a restore, and they removed the admin account and now we cannot log in, only on the standard account. It seems to have something to do with Office, Click-to-Run, Edge, Outlook, as I see activity here but am unable to pinpoint it. HS TXCR? but unable to ID this file, nor has antivirus ever picked it up. Security logs in Event Viewer show changes, I think by PowerShell. No idea how they get in.
I am going crazy trying to ID this, but more importantly, after a restore/remove all files, whatever is on the PC does not get removed and they never go away, still downloading and rewriting PC data. What I found was that the restore/remove does NOT rebuild the code; it just removes possibly user data and a few other areas (not a major rebuild). Without a disk I am stuck, as I cannot reset to factory. I am learning as I go! 5 HP laptops and desktops, 1 Lenovo gaming PC and one other type of PC (2 gaming PCs that support video and security cameras). Ran ALL sorts of antivirus/scans etc. from Norton and a couple of recommended Microsoft scans from the tools page and found nothing. HUGE amount of time working on this to resolve, but reaching out for help! Reaching out as I am unable to move forward, desperate! Any help would be seriously appreciated! Thx. Regards, Rich

Prevent User folders from caching locally
Hi @all, I do IT work for a company that uses profile redirection on all their workers' machines, which stores profiles on a server. However, I noticed that user folders are being cached locally on every device and are accessible when not connected to the domain (i.e., going into C:\Users and seeing the local folders and files of every user that has logged into a machine). How do I go about preventing the data from being cached so that if someone walks in and steals a computer there isn't any sensitive data being accessed? Or do I have to enable BitLocker on all devices? Thank you for your time.

🔒How to deal with multiple passwords cross-device [Password Manager]
NEW VIDEO N. 209. In this video tutorial, I'll show how to deal with multiple passwords on the web cross-device. Today Microsoft Edge has the same functionality as Google Chrome, plus it offers the ability to manage passwords; by combining Edge with the smartphone app Microsoft Authenticator you are able to sync all passwords across devices. The Microsoft Authenticator app helps you sign in to your accounts when you're using two-factor verification. Two-factor verification helps you to use your accounts more securely because passwords can be forgotten, stolen, or compromised. Two-factor verification uses a second factor like your phone to make it harder for other people to break into your account. Moreover, the Microsoft Authenticator app stores and encrypts all passwords.

Intune BitLocker for USB/external drive (Missing policy for Azure AD Join scenario)
When we enable the Intune policy "Block write access to devices configured in another organization" in the Intune BitLocker policy, we also need to deploy an on-prem GPO policy: "Provide unique identifier for your organization". This will allow the PC to differentiate the Org it belongs to. The GPO policy "Provide unique identifier for your organization" is missing in Intune. Because of this we cannot use the Intune policy "Block write access to devices configured in another organization". Looking for suggestions on how we implement "Block write access to devices configured in another organization" in Intune for Azure AD Join (not hybrid domain join)?

KB4592438 GPO - what does it do?
Hi all, at the bottom of this KB article https://support.microsoft.com/en-us/help/4592438/windows-10-update-kb4592438 is a link to a group policy. I've installed the policy, but the policy has no details about what it does. It displays the details below, so what does this GPO actually do to "fix" the potential chkdsk issue? The reason I'm asking is that I would like to push this out to my machines, but I'll never get this past the change committee without knowing what the GPO actually does. The wording is rather poor in that regard. Thanks.

Prohibit standard users from adding exclusions to Windows Defender (Windows Security)
Hello there, how can I prohibit standard users from adding exclusions in Windows Defender? I would like to control the Defender exclusions only from a central point, and the standard users should not be able to add exclusions themselves. I've searched through GPOs and settings in Intune but can't seem to find the correct setting. Does anyone know if this is possible? If it is, where is the setting? Windows 10 Enterprise, 1903 and 2004. Devices are Hybrid Azure AD Joined.

Windows Security alerts?
So apparently this is trending: https://www.forbes.com/sites/daveywinder/2020/01/14/windows-10-extraordinarily-serious-security-warning-for-900-million-users/#592b6ac690ca If you check the linked Twitter accounts in the article, they do seem credible and this does seem like a real thing. There used to be a place to sign up and receive alerts from Microsoft, but I can't seem to find it anymore. Does anyone have any intel on this?

Windows Defender and how it performs against malware
I recently watched this video https://www.youtube.com/watch?v=sE-xdb9hTqY testing how Windows Defender (+ Sandbox mode) performs against real malware. It made me kind of worried. I really hope Microsoft improves it so that installing 3rd party AV software won't be the first thing a user should do after Windows installation. Obviously I still use and will keep using Windows Defender because I'm aware of the files I download, but for the majority of people, that's unfortunately not the case. I think Microsoft should put Windows Defender ATP inside the normal Windows 10 Pro editions by default for everyone. It's not a bad thing to make your OS a safe environment for your users. https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp?ocid=cx-blog-mmpc