Browsed by
Category: Security

App Protection: Attack of the third-party apps

App Protection: Attack of the third-party apps

In one of my last blogs, I showed how you can set up multiple App protection profiles to make sure your managed and unmanaged IOS devices could receive the correct app protection policy. In my opinion, you need to make sure you lower the security bar for the managed devices app protection policies. You really don’t want well-behaved employees who enrolled their own devices, become angry about the security barriers, and finding another way to share the data. Here is…

Read More Read More

Applocker on the Company portal Express

Applocker on the Company portal Express

This short blog will be about why baselines are very important and why you need to keep them up to date. I am not talking about security baselines this time. What I will be talking about, is the app baseline you need to deploy to your users Windows 10 devices to make sure users can install apps on their own. It’s best practice to implement adminless. *Source: Microsoft Vulnerabilities Report 2021 | BeyondTrust (great report!!) Of course, nowadays users are…

Read More Read More

Public Desktop icons and Adminless: The far side of Intune

Public Desktop icons and Adminless: The far side of Intune

This short blog will be about, why users don’t need admin permissions to delete the public desktop icons. There are not a lot of reasons why your Azure Ad users need to be local admins on their devices. You can do a lot even without admin permissions. To summon a few: -Restarting services can be done without local admin permissions The non admin user: The battle of restarting services – Call4Cloud -Installing applications The PowerShell Win32 App Express – Call4Cloud -Installing…

Read More Read More

Zero Trust Security Flow

Zero Trust Security Flow

Everything is about Zero trust security, you will need to implement it.  There are a lot of articles written about zero-trust security the last few months. Some examples: Zero Trust Security (microsoft.com) Take the Zero Trust Assessment (microsoft.com) How to best explain zero trust? It’s like the quote of Ronald Reagan but just with one additional word: Never trust, but verify Zero trust ensures, identities are verified and devices are safe before you can access your corporate apps and data….

Read More Read More

The Applocker Games: Catching the events

The Applocker Games: Catching the events

The past year I blogged a lot about securing and monitoring your devices. Of course, Microsoft 365 E5 is the way to go when you want to maximize your security, but for the SMB the license can be too expensive. For these customers, Microsoft 365 business premium is the best choice. But when you choose Microsoft 365 Business premium you can’t make use of the advanced security features. Of course, by now you have implemented adminless and AppLocker on your…

Read More Read More

Applocker: The Meltdown

Applocker: The Meltdown

This short blog will be about what to do when you have locked yourself out of your device when implementing Intune Applocker device configuration policies. Some time ago I blogged about how a not configured DLL rule can break your devices. The Appocker Dilemma – Call4Cloud At that time, just changing the Applocker device config inside Intune did the job. But what if the new Applocker policy just won’t sync to the device and the old policies still apply. At…

Read More Read More

The non admin user: The battle of restarting services

The non admin user: The battle of restarting services

Some time ago, Oliver Kieselbach discovered a very great new method to start the IME sync process with just a simple command: “intunemanagementextension://syncapp”.  You could push a shortcut to with command to all your user desktops. An excellent new approach. Like Oliver was mentioning, you could restart the Microsoft intune management service, which also triggers the sync. But when your users have no admin privileges, this is not possible. This got me thinking, shouldn’t it be possible to restart some…

Read More Read More

Not yet another AppLocker Blog.

Not yet another AppLocker Blog.

Provisioning your non (for now) Azure ad enrolled Windows 10 Pro devices with AppLocker can be very hard because AppLocker won’t work on Windows 10 Pro devices without Intune… at least that’s what I thought.  When configuring AppLocker on a Windows 10 pro device, you will notice this message inside the event log: component not available on this SKU.  Take a look at the operating system requirements… Some time ago I created a blog about how you can automatically wipe and reset your domain joined devices to enroll them with autopilot.  In this PowerShell script…

Read More Read More

The chronicals of Win32 App installations: The RunOnce key, Onedrive and Adminless

The chronicals of Win32 App installations: The RunOnce key, Onedrive and Adminless

This blog will be about some weird RunOnce behavior when installing applications. This week, a customer asked me to push their Nuance Dragon speech software to some specific devices. I guess I am a nice person, so I immediately created a new Win32 App with some parameters. To start testing, it’s always recommended to have a dedicated M365 test tenant for testing purposes with some test virtual machines. I enrolled a new virtual Windows 10 and waited until the application…

Read More Read More

The book of Non-Managed Shared Devices

The book of Non-Managed Shared Devices

This blog will be about what options you have when you got a lot of non-managed shared devices that need to run the Teams desktop app. Imagine the next scenario:  Just right before the first Covid19 wave, a company made the decision to transform their organization to a modern zero trust company. Before this decision was made, everyone was working on a remote desktop cluster which was placed inside a datacentre and none of their (shared) on-premise devices were managed….

Read More Read More