How do you get smarter in MDM & Group Policy?

Upcoming Training Classes

With Jeremy Moskowitz

To consult about an on-site (Private) Group Policy class or the Group Policy Health Check, please call Laura Rubinstein at (720) 693-8144 or email laura[[att]]policypak.com

To purchase seats in a LIVE or ONLINE training class, contact Laura Rubinstein at (720) 693-8144 or email laura[[att]]policypak.com

Get serious, and perform “Best Practices” around Group Policy management. Take back control and get your IT life back!

Dates Class Actions
No Public Classes Scheduled

Call if you have 3 or more people to help us get started! In the meantime, click here to checkout our Online Class

How do you get smarter in MDM & Group Policy?

Feb 2023
02

Go and Get Rid of those Old Group Policies that are no Longer Used

Many people have a hard time parting with stuff. That’s why the self-storage industry is so successful regardless of the what the economy is doing. Just as a lot of the stuff contained in storage units will never be used again, there are probably some unused group policies that are still lingering on your servers taking up space and creating unnecessary clutter. A couple good examples are GPOs that have settings disabled or are no longer linked to anything.

You can disable/enable settings for any GPO in the Details tab in Group Policy Management Console. As shown below, you can disable computer configuration settings, user configuration settings, or all settings configured within the GPO.

Keep in mind that its best practice to only configure settings for one side or the other. A GPO that is configured on both sides should be split into two separate GPOs in the first place. Therefore, there’s no need to have one side disabled as shown below.

Disabling both sides of a GPO means that the GPO is essentially doing nothing. If these settings are no longer required, then they should be decommissioned entirely by deleting the GPO.

If you have a well-designed AD with a well-defined OU structure, you need only link your GPOs to an applicable OU and assign it to the Authenticated Users group. This makes security filtering easy and straight forward. Unlinking a GPO is the same as turning it off for a designated OU. A GPO that isn’t linked anywhere is probably one that is no longer needed such as the GPO shown in the screenshot below. In this case, this GPO could probably be decommissioned entirely.

There are some exceptions, however. For instance, you may use some GPOs for testing purposes that are only used for brief periods. You also may have some GPOs you only want turned on at various times of the year. An example might be a school system that enacts certain policies at the start or close of the school year only.

Remember that you must delete a GPO you must do so from the Group Policy Objects node where you can view all your GPOs in alphabetical order. Right clicking on a GPO link will only delete the link itself, not the GPO. Before you delete any GPO, make sure you have a backup of them just in case you find out down the road that you really do need that policy for something.

 

Jan 2023
24

How to Verify Your Current Intune Service Release Version

Anyone that works with Microsoft Intune has experienced this. You read about a newly released Intune preview feature that sounds enticing. You then logon to your Intune portal only to find its not there. What’s the deal?

Microsoft regularly releases new updates to the Intune platform at least once a month. Each service release includes new features, capabilities and bug fixes. Like regular Windows updates, these service releases are deployed using a phased approach. Not all tenants receive these service releases simultaneously, however. For instance, government related tenants are updated last. Some geographcial parts of the world receive them before others as well. This methodical approach is done to identify issues before being released to all Intune customers. If your Intune portal lacks a new feature you just read about, chances are it’s because you’re not running the latest Intune service release version yet.

The Tenant Status Page

There’s an easy way to find which service release version your Intune portal is currently running. Navigate to Tenant Administration and select Tenant Status. Here you will see the Service release version as shown in the screenshot below.

Here you will also find other information such as your Tenant name, Tenant Location, the number of licensed users present and the number of Intune enrolled devices. If you find that your Service release version doesn’t match up with the latest one you read about, just be patient and check back in a week.

Jan 2023
12

3 Ways to Enable/Disable LSA on Windows 10 and 11

Microsoft introduced a process called Local Security Authority (LSA) a while back for Windows 8.1. LSA performs security related tasks such as the verification of logon attempts and password changes. It also creates access tokens, enforces local security policies, and protects and adds security protection for stored credentials. With the growing threat landscape out there, it’s a good thing to enable for your Windows desktops and servers.

The good news is that LSA protection is enabled by default for devices running Windows 11, 22H2 that meet the following conditions:

  • Windows 11, 22H2 was newly installed on the device and not upgraded from a previous release
  • The device is enterprise joined be it AD domain joined, Azure AD domain joined or a hybrid configuration.

While Microsoft advocates enabling LSA across your enterprise, they recommend that you first identify all LSA plug-ins and drivers that are in use within your organization and ensure that they are digitally signed with a Microsoft certificate and perform as expected. You can refer to this document for more information.

As of right now, there is no way to enable/disable LSA using Intune. Your three available management options for now are Windows Security, the registry, and Group Policy.

Enabling LSA on a Local Device

If you just have a few computers to manage, you can enable them locally on the desktops themselves by going to Windows Security > Device security > Core isolation details and enable the toggle under the Local Security Authority protection section. In the screenshot below, LSA is currently disabled.

Registry

You can manage LSA through the registry, either using the local registry editor or a GPO using Group Policy Preferences. The required key path is as follows:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe.

If you want to enable LSA using Auditing mode, click on the LSA key and create a value called AuditLevel. Select REG_DWORD as the value type and type 00000008 in the value data box. This is a good option to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode.

To fully enable LSA, create a value key called RunAsPPL, choose REG_DWORD and type 00000001 as shown in the screenshot below.

You can create a GPO and use Group Policy Preferences to push out these registry values. Go to Computer Configuration > Preferences > Registry > right click and choose “New registry item” and input the required values as shown below.

Group Policy ADMX

You can enable/disable LSA using Group Policy as well. In Group Policy Management Editor go to Computer Configuration > Administrative Templates > System > Local Security Authority. The setting you want is “Configure LSASS to run as a protected process.” In the screenshot below you will notice a down arrow beside the setting title. The down arrow indicates that the setting is a preference setting and not stored in the typical group policy location in the registry.

Group Policy ADMX

You can enable/disable LSA using Group Policy as well. In Group Policy Management Editor go to Computer Configuration > Administrative Templates > System > Local Security Authority. The setting you want is “Configure LSASS to run as a protected process.” In the screenshot below you will notice a down arrow beside the setting title. The down arrow indicates that the setting is a preference setting and not stored in the typical group policy location in the registry.

Conclusion

Hackers are constantly trying to subvert the Windows logon process which is why you need to protect it from hackers as much as possible. LSA is a great out-of-the-box utility to help you achieve that.

 

 

 

 

 

Dec 2022
29

New Intune Feature - Multiple Admin Approval Process

A new feature update was released in the 2211 November update for Intune. The feature is called, Multiple Admin Approval Process (MAA). The premise for the new feature is to protect against a possible compromised administrative account using something called Intune access policies. These access policies require that a change be approved by a second administrative account before being applied.  An access policy states what resource will be protected and which group of accounts are permitted to approve the changes to those resources.

Currently, MAA is supported for the following resources

  • Apps deployments
  • Script deployments to devices running Windows of macOS

Anytime any admin goes to create or edit an object that involves a resource that is protected by an access policy, it must be approved by an approver without exception.

Let’s use a scenario to demonstrate how MAA works. First let’s create an access policy. To create an access policy, you must be assigned one of the following roles:

  • Intune Service Administrator
  • Azure Global Administrator

In the Microsoft Endpoint Management admin center, go to Tenant Administration > Multi Admin Approval > Access policies and click “Create” as shown in the screenshot below.

Name the policy and then choose the resource you want to protect.

The final step is to choose an Approver group. Any user that is a member of this group can approve requests.  Now I have created my first MAA access policy as shown below.

For this demonstration, I created a temporary Intune administrator account.  When creating temporary accounts for testing purposes, it is good to define an active time window for these accounts so that they are deactivated automatically if forgotten. As shown in the example below, I created an account called testadmin and I defined a start and ending time for its active state.

Now, I will log on to Intune using the account I just created. I go to Apps > All apps and click Add. I then create a policy to deploy Windows 365 apps to Windows machines. In the final Review + Create screen of the wizard, there is a Business Justification section at the bottom, prompting the requester to state the justification for doing this. Also note the outlined banner alerting requester that they must enter a business justification and that the request must be approved before being implemented. Once the business justification has been entered, click “Submit for approval” and the request is now sent to Received requests where it can be reviewed.

In a separate session, I have logged into Intune using an account that is a member of the approver group. As shown in the screenshot below, the request now appears (in this example, I created two requests). To approve or deny the request, click the URL in the Business justification column.

After clicking on the URL, the approver is shown the requested resource changes. The request can be approved or denied and the approver can add notes for feedback as shown in the screenshot below.  

Switching back to the testadmin account, I can see the status of the requests made by that account. As shown below, one is approved while one still waits approval.

Note that any individual who submits a request and is also a member of the approval group can see their own requests, however, they cannot approve their own requests. Should no action be taken on a request for 30 days, it becomes expired and must be resubmitted.

 

Testimonials