Hardening: Using LGPO to enforce non-Intune supported settings on AAD devices. ACSC example.
There are a number of security baselines out there for Windows clients: Microsoft, CIS, NIST and ACSC to name a few. These baselines focus mainly on domain-joined Windows clients; however, Microsoft do also release security baselines targeted at Intune/AAD-only clients through their Intune Security Baselines. The reason Microsoft release separate baselines for AAD vs. AD …
Category: Windows 10
ServiceUI.exe and Windows Defender Exploit Guard
In February I briefly tweeted about an issue I ran into at a customer that could not launch an HTA during their OSD task sequence using ServiceUI.exe. I looked for some obvious things and after quickly coming up empty-handed started looking deeper. Cause: The customer used Windows Defender Exploit Guard, but not …
Disable SCCM Automatic Client Remediation during Windows 10 In-Place Upgrades
I ran into an issue the other day during a W10 1703 to 1709 in-place upgrade where the upgrade task sequence bombed after Windows setup had completed. The OS had upgraded successfully to 1709 and SetupDiag also reported all was well in that area, however the remainder of the task sequence never ran, not a …
How to fix “Windows failed to apply MitigationOptions settings” GPUpdate error on W10 1709
This error occurs when applying the Microsoft W10 1709 security baseline to a W10 1709 device. The error will show when running GPUpdate on the command line as shown below, and in a GPResults report. Cause: Since W10 1703, Microsoft has removed the Untrusted Font Blocking setting from its security baseline. As expected, the …
OSD Pro Tip: How to stop your OSD task sequences from causing mass destruction
There have been improvements over the years within SCCM to help prevent OSD admins from deploying career-changing task sequences to entire environments and wiping out thousands of systems. Namely, the ability to limit within the console which collections you are able to deploy an OSD task sequence to, based on the number of members of that …
All Group Policy Settings for Windows 10 1703, aka Creators Update
This is a follow-up to my previous post New Group Policy Settings for Windows 10 1703, aka Creators Update. My previous post contained the small list of group policy settings that only apply to Windows 10 1703 and Edge in 1703. New group policies were also exposed in 1703 that apply to various operating systems and browsers which I will …
New Group Policy Settings for Windows 10 1703, aka Creators Update
