Hardening: Using LGPO to enforce non-Intune supported settings on AAD devices. ACSC example.

There are a number of security baselines out there for Windows clients: Microsoft, CIS, NIST and ACSC to name a few. These baselines focus mainly on domain-joined Windows clients; however, Microsoft do also release security baselines targeted at Intune/AAD-only clients through their Intune Security Baselines. The reason Microsoft release separate baselines for AAD vs. AD …

Defense in Depth: Hardening clients against malware deployment by disabling unused Group Policy CSEs

This is an idea that came off the back of a customer being hit with ransomware. The deployment method used by the attackers was simple: They got domain admin and then proceeded to create a GPO that deployed the ransomware over a weekend using Group Policy Software installation. By Monday morning, over 10k clients and …

Disable SCCM Automatic Client Remediation during Windows 10 In-Place Upgrades

I ran into an issue the other day during a W10 1703 to 1709 in-place upgrade where the upgrade task sequence bombed after Windows setup had completed. The OS had upgraded successfully to 1709 and SetupDiag also reported all was well in that area, however the remainder of the task sequence never ran, not a …

How to fix “Windows failed to apply MitigationOptions settings” GPUpdate error on W10 1709

This error occurs when applying the Microsoft W10 1709 security baseline to a W10 1709 device. The error will show when running GPUpdate on the command line as shown below, and in a GPResults report. Cause: Since W10 1703, Microsoft has removed the Untrusted Font Blocking setting from its security baseline. As expected, the …

OSD Pro Tip: How to stop your OSD task sequences from causing mass destruction

There have been improvements over the years within SCCM to help prevent OSD admins from deploying career-changing task sequences to entire environments and wiping out thousands of systems. Namely, the ability to limit within the console which collections you are able to deploy an OSD task sequence to, based on the number of members of that …