One of the security issues that domain joined/Active Directory Joined (ADJ) devices bring with them is the tight network connectivity that they require to Domain Controllers (DCs). ADJ and likewise Hybrid Azure AD Joined (HAADJ) devices require 1000s of ports open to DCs in order to function, and these same ports are also used for … Continue reading Zero Trust, Secure Administration and ADJ/HAADJ vs. AADJ
Author: cford79
Hardening: Using LGPO to enforce non-Intune supported settings on AAD devices. ACSC example.
There are a number of security baselines out there for Windows clients: Microsoft, CIS, NIST and ACSC to name a few. These baselines focus mainly on domain-joined Windows clients, however Microsoft do also release security baselines targeted at Intune/AAD-only clients through their Intune Security Baselines. The reason Microsoft release separate baselines for AAD vs. AD … Continue reading Hardening: Using LGPO to enforce non-Intune supported settings on AAD devices. ACSC example.
Defense in Depth: Hardening clients against malware deployment by disabling unused Group Policy CSEs
This is an idea that came off the back of a customer being hit with ransomware. The deployment method used by the attackers was simple: They got domain admin and then proceeded to create a GPO that deployed the ransomware over a weekend using Group Policy Software installation. By Monday morning, over 10k clients and … Continue reading Defense in Depth: Hardening clients against malware deployment by disabling unused Group Policy CSEs
Microsoft/Intune/ACSC Security Baseline Comparison for Windows 10 21H2
If you have ever wanted to know the difference between these baselines, the attached spreadsheet contains a comparison between all three for Windows 10 21H1. The Microsoft baseline was used as the base with columns added for the others with some colour-coding for easy sorting / filtering. Update 17/06/2022: … Continue reading Microsoft/Intune/ACSC Security Baseline Comparison for Windows 10 21H2
ServiceUI.exe and Windows Defender Exploit Guard
In February I briefly tweeted about an issue I ran into at a customer that could not launch an HTA during their OSD task sequence using ServiceUI.exe. I looked for some obvious things and after quickly coming up empty-handed started looking deeper. Cause: The customer used Windows Defender Exploit Guard, but not … Continue reading ServiceUI.exe and Windows Defender Exploit Guard
Disable SCCM Automatic Client Remediation during Windows 10 In-Place Upgrades
I ran into an issue the other day during a W10 1703 to 1709 in-place upgrade where the upgrade task sequence bombed after Windows setup had completed. The OS had upgraded successfully to 1709 and SetupDiag also reported all was well in that area, however the remainder of the task sequence never ran, not a … Continue reading Disable SCCM Automatic Client Remediation during Windows 10 In-Place Upgrades
How to fix “Windows failed to apply MitigationOptions settings” GPUpdate error on W10 1709
This error occurs when applying the Microsoft W10 1709 security baseline to a W10 1709 device. The error will show when running GPUpdate on the command line as shown below, and in a GPResults report. Cause: Since the W10 1703, Microsoft has removed the Untrusted Font Blocking setting from its security baseline. As expected, the … Continue reading How to fix “Windows failed to apply MitigationOptions settings” GPUpdate error on W10 1709
OSD Pro Tip: How to stop your OSD task sequences from causing mass destruction
There have been improvements over the years within SCCM to help prevent OSD admins from deploying career-changing task sequences to entire environments and wiping out thousands of systems. Namely, the ability to limit within the console which collections you are able to deploy an OSD task sequence to, based on the number of members of that … Continue reading OSD Pro Tip: How to stop your OSD task sequences from causing mass destruction
All Group Policy Settings for Windows 10 1703, aka Creators Update
This is a follow up to my previous post New Group Policy Settings for Windows 10 1703, aka Creators Update. My previous post contained the small list of group policy settings that only apply to Windows 10 1703 and Edge in 1703. New group policies were also exposed in 1703 that apply to various operating systems and browsers which I will … Continue reading All Group Policy Settings for Windows 10 1703, aka Creators Update
New Group Policy Settings for Windows 10 1703, aka Creators Update
