Managing browser extensions in Edge with Intune

This series of posts is an approach to implementing Intune inside a business. So far, I have covered off:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

4. Setting the default search engine in Edge with Intune

The goal we are trying to achieve is to move all users from third party browsers to using Microsoft Edge. The next step in this process will be deploying and managing a constrained set of extensions in Microsoft Edge.

The first step is to visit the Microsoft Edge Add-ons store and grab the unique ID for each extension you want to use. You find this at the end of the extension’s store URL as shown above: a 32-character string of lowercase letters. Note that the Edge Add-ons store assigns its own IDs, which differ from the Chrome Web Store IDs for the same extensions, so take the ID from the Edge store if that is where you want the extension installed from. Here are three common extensions I will use for this example:

Lastpass – bbcinlkgjjkejfdpemiealijmmooekmp

DuckDuckGo Privacy – caoacbimdbbljakfhgikoodekdnlcgpk

Save to Pocket – jicacccodjjgmghnmekophahpmddeemd

Once we have these we need to login to the Intune management portal.

In the last article I created a generic device configuration profile called ‘Edge configuration’ that I’ll be extending here. Select the policy name to view its settings.

Scroll down the policy until you locate the heading Configuration settings as shown above, and then select the Edit hyperlink to the right of this.

Select the + Add Settings link as shown above.

Expand the Microsoft Edge option in the top part of the blade that appears and then select Extensions as shown above. In the options that appear in the lower part of the screen select:

Allow specific extensions to be installed

Control which extensions are installed silently

Control which extensions cannot be installed

Close the blade.

You should now see the ability to customise these options in the policy as shown above.

Under Control which extensions are installed silently, add the IDs of the extensions you want force-installed and ensure each is ticked as shown. A force-installed extension cannot be disabled or uninstalled by the user, so keep this list to what everyone genuinely needs.

Under Control which extensions cannot be installed, add ‘*’ (i.e. all) and ensure it is ticked as shown. With the wildcard in place no other extension can be installed, and any extension a user has already installed that is not on the allow list will be disabled.

Under Allow specific extensions to be installed, add the IDs of the extensions you want exempted from that block and ensure each is ticked as shown. In practice this is the same list as the silent-install list.

Save the policy changes and allow it to be propagated to all groups included in the policy.

Once the policy has rolled out, you should find the extensions you entered in the policy have been added to Microsoft Edge as shown above, marked as managed by your organisation on the edge://extensions page. The policies Edge has actually received are listed at edge://policy, which is the first place to look if an extension does not appear.

You should also find that users cannot add additional extensions to their Microsoft Edge browser as shown above.
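As an added check (this script is mine, not from the original post or from Microsoft), the following PowerShell, run elevated on a managed device after it has synced with Intune, reads the three Edge extension policies from the registry keys they land in and confirms they match what the policy above is meant to enforce. It assumes the three extension IDs from this post; the registry locations are the standard Microsoft Edge policy keys, and the same values are visible at edge://policy.

```powershell
# Added example, not from the original post: verify the Edge extension policy on a device.
# Run in an elevated PowerShell on a managed device after it has synced with Intune.
# Assumptions: the expected IDs are the three from this post; policies live under the
# standard Microsoft Edge policy key (the same values are listed at edge://policy).

$expectedForce = @(
    'bbcinlkgjjkejfdpemiealijmmooekmp',   # LastPass
    'caoacbimdbbljakfhgikoodekdnlcgpk',   # DuckDuckGo Privacy Essentials
    'jicacccodjjgmghnmekophahpmddeemd'    # Save to Pocket
)
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyList {
    # Edge stores list policies as numbered string values ("1", "2", ...) under a subkey.
    param([string]$Name)
    $key = Join-Path $base $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { [string]$item.GetValue($_) }
}

# Force-list entries may be "id" or "id;update_url"; keep only the ID part.
$force = @(Get-EdgePolicyList 'ExtensionInstallForcelist' | ForEach-Object { ($_ -split ';')[0].Trim().ToLower() })
$allow = @(Get-EdgePolicyList 'ExtensionInstallAllowlist' | ForEach-Object { $_.Trim().ToLower() })
$block = @(Get-EdgePolicyList 'ExtensionInstallBlocklist')

$problems = @()

# Extension IDs are 32 lowercase letters in the range a-p; anything else is a typo.
foreach ($id in ($force + $allow)) {
    if ($id -notmatch '^[a-p]{32}$') { $problems += "Malformed extension ID in policy: '$id'" }
}

foreach ($id in $expectedForce) {
    if ($force -notcontains $id) { $problems += "Not force-installed: $id" }
    if ($allow -notcontains $id) { $problems += "Not on the allow list, so blocked by '*': $id" }
}

if ($block -notcontains '*') {
    $problems += "Blocklist does not contain '*'; users can still install other extensions"
}

foreach ($id in $force) {
    if ($expectedForce -notcontains $id) { $problems += "Unexpected force-installed extension: $id" }
}

if ($problems.Count -eq 0) {
    Write-Output 'Edge extension policy on this device matches the expected configuration.'
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1   # non-zero exit = "issue found" if this is used as an Intune detection script
```

The exit code convention (0 = as expected, 1 = issue found) is what Intune remediation detection scripts use, so the same script can be assigned to the fleet to report drift rather than run by hand.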

The aim of this exercise was to automatically configure a number of ‘standard’ extensions for Microsoft Edge and block everything else. We have been able to achieve this by extending the original ‘Edge configuration’ policy that was created earlier.

The next step in the process will be to lock down the Microsoft Edge browser using a baseline policy. Stay tuned.

Controlling local user group membership with Intune

I recently outlined how to

Control local admin on a device with LAPS and Intune

Once you have LAPS in place, I suggested that you eliminate any other local device administrators as a best practice. You can achieve this via a policy in Intune.

The first step in the process is going to be to determine any local administrator accounts and what they are doing in your environment. A good starting point is this KQL query (run in Defender for Endpoint advanced hunting or in Microsoft Sentinel) to look for logons by local admin accounts across your device fleet:

// Logons in the last 7 days by accounts that are local administrators on the device.
// TimeGenerated is the Sentinel column name; in Defender advanced hunting use Timestamp.
DeviceLogonEvents
| where TimeGenerated >= ago(7d)
| where IsLocalAdmin == true
| summarize LogonCount = count() by DeviceName, AccountName, LogonType
| sort by AccountName asc

That will, of course, only show you logon activity by accounts that are local administrators. Dormant local admin accounts, which never log on, will not appear at all; to flush those out you need to enumerate the local Administrators group on the devices themselves. However, the query will at least show you the active local admin accounts that may be impacted by any changes made using something like LAPS.

To set a policy to control local groups on Windows devices, log in to the Intune management portal and select Endpoint security and then Account protection, as shown above. Create a new policy for Windows 10 and later and select Local user group membership as the profile.

Give your policy a meaningful name and continue.

Select the local group (here Administrators), select the action (here Remove) and Manual for the User selection type.

When you select the Add users hyperlink in the Selected users/groups field you will see the above blade appear. In here you’ll find a number of different methods of identifying users: you can pick Entra ID users or groups from the directory, or enter an account manually by name or by SID, which is how you target local accounts. If you have a list of local device admins then you can add them here.

Once you have entered all the users you wish to remove from the local device administrators group, complete the policy and assign it to the audience you wish.

The policy will then roll out to your environment and the changes will be made to the local group membership. In this case it will remove the listed users from the local Administrators group so they can no longer administer the device.

Remember, there are lots of options here. You could create different policies for different users and/or devices. You could create policies that not only remove but also add. An example may be where you wish an Entra ID user to be a local administrator of a device. In that case, simply select the option to Add the user from Entra ID to the local Administrators group. There is a lot of flexibility here with this policy.

Typically, once your policy has completed and there are no more local administrators you could remove the policy, as hopefully no more local admin accounts will be created with devices being joined directly to Entra ID. However, you may wish to retain it in case new devices are joined to your environment, especially if you don’t use Autopilot: the user who joins a device to Entra ID is made a local administrator of it by default, and a retained Remove policy cleans that up. Also remember that members of the Entra ID Global Administrator and Microsoft Entra Joined Device Local Administrator roles are granted local admin on every Entra-joined device through the device settings; this policy does not change that, so keep those roles tightly held.
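Both the dormant-account problem raised above under the KQL query and verifying that this policy actually removed everyone call for the same on-device check. The following PowerShell is an added example (mine, not from the original post): run elevated on a device, it lists every member of the local Administrators group, classifies each by SID, pulls enabled/last-logon details for local accounts, and exits 1 if anything other than the built-in Administrator account is present. The $KeepAdmins list is an assumed placeholder for any Entra accounts you deliberately leave as local admins.

```powershell
# Added example, not from the original post: inventory the local Administrators group.
# Run elevated on the device (e.g. as an Intune detection script). Exit 1 means that
# accounts other than the built-in Administrator still hold local admin.
# Assumption: $KeepAdmins is a placeholder for Entra accounts you deliberately leave in place.

$KeepAdmins = @()   # e.g. 'AzureAD\helpdesk@contoso.com'; empty = only the built-in account is allowed

# Note: on some builds Get-LocalGroupMember throws if a member's SID can no longer be resolved
# (typically a deleted Entra account); "net localgroup Administrators" will still list it.
$members    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$localUsers = Get-LocalUser

$report = foreach ($m in $members) {
    $sid  = $m.SID.Value
    $kind = switch -Regex ($sid) {
        # RID 500 is the built-in Administrator (the account LAPS manages); on a
        # domain-joined device the domain Administrator also carries RID 500.
        '-500$'       { 'Built-in Administrator (RID 500)' }
        '^S-1-12-1-'  { 'Entra ID user or group' }      # cloud identities use the S-1-12-1 prefix
        default       { "$($m.PrincipalSource) $($m.ObjectClass)" }
    }
    $lu = $localUsers | Where-Object { $_.SID.Value -eq $sid }   # only matches local accounts
    [pscustomobject]@{
        Name      = $m.Name
        SID       = $sid
        Kind      = $kind
        Enabled   = if ($lu) { $lu.Enabled } else { $null }
        LastLogon = if ($lu) { $lu.LastLogon } else { $null }
        Keep      = ($sid -like '*-500') -or ($KeepAdmins -contains $m.Name)
    }
}

$report | Format-Table Name, Kind, Enabled, LastLogon, Keep -AutoSize

$extra = @($report | Where-Object { -not $_.Keep })
if ($extra.Count -gt 0) {
    Write-Warning "$($extra.Count) account(s) besides the built-in Administrator hold local admin:"
    foreach ($e in $extra) {
        $seen = if ($e.LastLogon) { $e.LastLogon } else { 'never / not a local account' }
        Write-Warning "  $($e.Name) [$($e.Kind)] last logon: $seen"
    }
    exit 1
}
Write-Output 'Only the built-in Administrator remains in the local Administrators group.'
```

Run it before assigning the policy to build the list of accounts to remove (a local account with no LastLogon is exactly the dormant admin the logon query cannot see), and again afterwards: once the policy has applied, the only row left with Keep = True should be the RID 500 account.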

In summary then, the process so far is:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

Typically, these steps will have no impact on users working with their devices, and they commence the process of implementing a consistent and more secure environment.

You can read more about this particular policy here:

Manage local groups on Windows devices


Controlling local admin with LAPS and Intune

I recently suggested that Compliance policies were the place to start with Intune device management.

Start with Intune policies

From there, I would suggest that configuring the Local Administrator Password Solution (Windows LAPS) policy is a good follow-on option. This will automatically rotate the password for the local administrator account on each Windows device and back it up to Entra ID, so there is no longer a single static local admin password shared across the fleet for an attacker to harvest and reuse.

In the Intune console select Endpoint Security and then Account protection. Create a new policy for Windows 10 and later and select Local admin password solution (Windows LAPS) as shown above.

Give the policy a meaningful name and description.

Make the appropriate settings as shown above. You want to ensure that Backup directory is set to Backup the password to Azure AD only (Entra ID). The other settings worth deciding on deliberately are Password age days (how often the password is rotated), Password complexity and Password length, and the Post authentication actions, which determine what happens after the managed account has been used (for example resetting the password and logging the account off after a delay, so a password handed to a technician does not stay valid).

Assign the policy and save it.

Once the policy has been assigned to the device, a random password meeting the specifications set in the policy will be applied to the account and a copy will be saved against the device in Entra ID, visible in the device details within Intune at the location shown above.

In general it is best practice to have no other local admin accounts on devices except the built-in one provided by Windows that cannot be removed. Per the FAQs, Windows LAPS manages only one account on a device. You can specify that account by name in the policy, but it is best practice to leave the name blank and allow LAPS to manage the built-in administrator account, which it identifies by its well-known SID (RID 500) even if the account has been renamed. Note that the built-in Administrator account is disabled by default on Windows client editions; LAPS rotates its password but does not enable it, so if you intend to log on with it you need to enable the account separately.

Once the LAPS policy has been applied you will see the following for the Windows devices as shown above.

Selecting the Show local administrator password hyperlink will display a blade with the above information. Selecting the Show button here will display the current password and allow you to take a copy. Only accounts holding a role that includes the deviceLocalCredentials/password/read permission (for example Cloud Device Administrator, Intune Administrator or Global Administrator) can do this, and each retrieval is recorded in the Entra ID audit log, so treat that audit trail as part of your controls.

Best practice is to take control of the built-in local admin account using the LAPS policy deployed via Intune as shown. The next step would then be to eliminate every other local admin account from the devices, so the only one left is the built-in account which has its password rotated regularly thanks to LAPS.
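As an added example (my script, not from the original post or from Microsoft’s documentation), the following PowerShell uses the Windows LAPS module’s Get-LapsAADPassword cmdlet over Microsoft Graph to confirm that a password has actually been backed up for each device and that rotation is keeping up, only revealing the clear-text password when explicitly asked. It assumes the Windows LAPS and Microsoft Graph PowerShell modules are installed and that the caller holds a role able to read device local credentials; the device names and the -MaxAgeDays value are placeholders to set from your own policy.

```powershell
# Added example, not from the original post: check LAPS backup and rotation state via Graph.
# Needs the Windows LAPS module (part of Windows 11 / Server 2022 with the Windows LAPS
# update) and the Microsoft.Graph modules. The caller needs a role that can read device
# local credentials (e.g. Cloud Device Administrator or Intune Administrator).
# Assumptions: device names are placeholders; -MaxAgeDays should match your policy's
# "Password age days" setting (30 here is an assumed value).

param(
    [Parameter(Mandatory)] [string[]] $DeviceName,
    [switch] $Reveal,           # print the clear-text password only when explicitly requested
    [int]    $MaxAgeDays = 30   # the policy's Password age days; older than this means rotation is not happening
)

Import-Module LAPS -ErrorAction Stop
Import-Module Microsoft.Graph.Identity.DirectoryManagement -ErrorAction Stop
Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceLocalCredential.Read.All' -NoWelcome

$now = Get-Date
foreach ($name in $DeviceName) {
    $dev = Get-MgDevice -Filter "displayName eq '$name'" | Select-Object -First 1
    if (-not $dev) { Write-Warning "${name}: no Entra ID device object found"; continue }

    # Get-LapsAADPassword keys on the Entra *device ID*, not the directory object ID.
    $cred = Get-LapsAADPassword -DeviceIds $dev.DeviceId -IncludePasswords -AsPlainText -ErrorAction SilentlyContinue
    if (-not $cred) {
        Write-Warning "${name}: no LAPS password backed up yet (policy not applied, or device has not checked in)"
        continue
    }

    $ageDays = [int]($now - $cred.PasswordUpdateTime).TotalDays
    $status  = 'ok'
    if ($ageDays -gt $MaxAgeDays)              { $status = "stale: $ageDays days since last update, rotation not happening" }
    if ($cred.PasswordExpirationTime -lt $now) { $status = 'EXPIRED: rotation is overdue' }

    [pscustomobject]@{
        Device   = $name
        Account  = $cred.Account
        Updated  = $cred.PasswordUpdateTime
        Expires  = $cred.PasswordExpirationTime
        Status   = $status
        Password = if ($Reveal) { $cred.Password } else { '********' }
    }
}
```

Without -Reveal the script is safe to run across the whole fleet as a health check; every call to Get-LapsAADPassword with -IncludePasswords is still a credential read and shows up in the Entra ID audit log, so use -Reveal only for the one device you are about to work on.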

Further information on LAPS with Intune can be found here:

Microsoft Intune support for Windows LAPS


Start with Intune Compliance policies

I see many people struggle to get started with Intune and Device Management in Microsoft 365. My recommendation is always to start with configuring Compliance policies. Doing so will give you:

1. A device inventory

2. A list of devices that fail to meet the minimum standards set for connection to corporate data

However, the major benefit is that, by default, Intune Compliance Policies make no change to the device and do not impact user productivity. In effect, Compliance Policies simply READ the status of a device and make NO changes. The one thing to check first is Conditional Access: if you already have a policy that requires a compliant device, a device being marked non compliant will lose access to whatever that policy protects, so be aware of that before assigning a Compliance Policy widely.

You’ll find Compliance Policies under Devices in the Intune portal as shown above.

Typically, you’ll create at least one Compliance Policy for each different operating system you have in your environment (i.e. for Windows, iOS, Android, etc). You can, of course, have as many different Compliance Policies as you desire, potentially targeted at different users and/or devices. However, the more policies you have, the more maintenance and troubleshooting will be required. It is therefore recommended to stick with a single Compliance Policy for each operating system.

During the policy creation you’ll see a screen as shown above in which you can set actions for devices that fail compliance. You will note that, by default, the only action taken is to mark the device as non compliant. You can add more actions if you want (send an email or push notification to the user, remotely lock the device, retire it), but importantly, by default, marking the device non compliant is all that happens. You can also give that action a grace period in days; a failing device inside its grace period is reported as in grace period and is still treated as compliant by Conditional Access.

Once you have created and assigned the Compliance Policy, the machines covered by that policy will be evaluated and the results reported back to Intune.

If devices are found that are not compliant, then you can take action to make them compliant before allowing them to access corporate data.

Above all, using compliance policies is a great way to get an inventory of all the devices in your environment and report their configuration. Of course, these Compliance Policies will continue to be evaluated regularly in case anything changes on the device, although a device’s result is only as current as its last check-in with Intune. Also check the tenant-wide Compliance policy settings, where Mark devices with no compliance policy assigned as decides whether a device that no policy targets is reported as compliant or not.
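As an added example (mine, not from the original post), the following PowerShell uses the Microsoft Graph PowerShell SDK to pull the inventory that Compliance Policies produce: a count of devices per operating system and compliance state, the list of devices failing the minimum standard with their user and last sync time, and the devices that have not checked in recently, whose compliance result is stale. It assumes the Microsoft.Graph.DeviceManagement module is installed; the 30-day check-in threshold is a placeholder.

```powershell
# Added example, not from the original post: device inventory and non-compliance report.
# Requires the Microsoft.Graph.DeviceManagement module and the
# DeviceManagementManagedDevices.Read.All scope. Assumption: 30 days is a placeholder
# for "has not checked in recently".

Import-Module Microsoft.Graph.DeviceManagement -ErrorAction Stop
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$devices = Get-MgDeviceManagementManagedDevice -All
$cutoff  = (Get-Date).AddDays(-30)

# 1. The inventory: how many devices per operating system and compliance state.
$devices |
    Group-Object OperatingSystem, ComplianceState |
    Sort-Object Name |
    Format-Table Name, Count -AutoSize

# 2. Devices that fail the minimum standard, with the user and last sync time so you
#    can follow up. Devices in grace period are not listed: Conditional Access still
#    treats them as compliant until the grace period runs out.
$devices |
    Where-Object { $_.ComplianceState -in 'noncompliant', 'error', 'conflict' } |
    Select-Object DeviceName, OperatingSystem, UserPrincipalName, ComplianceState, LastSyncDateTime |
    Sort-Object LastSyncDateTime |
    Format-Table -AutoSize

# 3. Devices that have not synced in 30 days: their compliance result is only as fresh
#    as their last check-in, so treat "compliant" here as unknown rather than trusted.
$devices |
    Where-Object { $_.LastSyncDateTime -lt $cutoff } |
    Select-Object DeviceName, UserPrincipalName, ComplianceState, LastSyncDateTime |
    Sort-Object LastSyncDateTime |
    Format-Table -AutoSize
```

The third list is the one people forget: a device that last synced two months ago is still reported with whatever state it had then, which is why compliance alone does not prove a device is in a good state today.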

The recommendation then is to start with Compliance Policies to take an inventory of your device fleet before proceeding further with Device management. If you want to read more about Modern Device Management then read my series of blog posts starting here:

https://blog.ciaops.com/2020/09/26/modern-device-management-with-microsoft-365-business-premium-part-1/

Need to Know podcast–Episode 309

All the latest news and updates from the Microsoft Cloud with a focus on SMB. Inside this episode are also some thoughts around incident response: why you should have an incident response plan and why you should be reviewing and updating it regularly.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-309-incident-response/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

Copilot in Teams: August 2023 Updates

Microsoft announces 2023 Surface event taking place next month in New York

Microsoft Defender data can now be hosted locally in Australia

Frontline updates in Microsoft Teams, Windows 365, Copilot & Dynamics 365 Field Service

Remote Help for Android coming soon to public preview

Day zero support for Android 14 with Microsoft Intune

SharePoint Roadmap Pitstop: July 2023

View and edit shape data in Visio for the web

Conditional Access for Protected Actions is Now Generally Available!

Intro to AI, AI for SMBs

Incident response overview

CIAOPS M365 Incident response online training course

Need to Know podcast–Episode 307

All the news and announcements from Microsoft Inspire plus Azure AD getting renamed to Entra as well as some recent security news you should be across. Lots in this episode so listen along and let me know what you think.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-307-news-from-inspire/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

Microsoft inspire

Furthering our AI ambitions – Announcing Bing Chat Enterprise and Microsoft 365 Copilot pricing – The Official Microsoft Blog

Welcome to Microsoft Inspire 2023: Introducing Microsoft 365 Backup and Microsoft 365 Archive – Microsoft Community Hub

Microsoft Inspire: Accelerating AI transformation through partnership – The Official Microsoft Blog

Microsoft Inspire: Prepare for the future of security with AI | Microsoft Security Blog

Microsoft Sales Copilot, Dynamics 365 Customer Insights, and cloud migration reshape the future of business – Microsoft Dynamics 365 Blog

SMB security New innovations from Microsoft Inspire 2023

Introducing a new SharePoint Web UI kit! – Microsoft Community Hub

Security Copilot – How it works

Azure AD is Becoming Microsoft Entra ID – Microsoft Community Hub

Microsoft Entra Expands into Security Service Edge with Two New Offerings – Microsoft Community Hub

Get started with Global Secure Access (preview) | Microsoft Learn

How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog

Basic event capture in Microsoft 365

If you want to be able to find out what has happened in Microsoft 365 you’ll need to ensure that you have enabled the appropriate logs, and know where to view that information when needed. This video shows you the basic locations for logs in Microsoft 365 as well as the different services that can be used to query and report on them. It is important to have all your logging enabled well in advance of when you’ll need it. This video should get you started.

Video link – https://www.youtube.com/watch?v=-YSHlo4Cvgo

Need to Know podcast–Episode 305

Join me for the latest news and updates from the Microsoft Cloud, some thoughts around the importance of managing logs in Microsoft Cloud services and how to approach it, and then a look at Application Control and how to consider implementing it.

This episode was recorded using Microsoft Teams and produced with Camtasia 2023.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-305-logs/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

New CIAOPS Power Automate course

PowerShell connection to M365 Compliance center no longer uses WinRM

Basic Windows Application Control using Intune policies

Change in the share to specific users process in SharePoint Online and OneDrive for Business

Microsoft Inspire – July 18-19

Microsoft Confirms Recent Cloud Outages Caused By Storm-1359 DDoS Attacks

MAM for Microsoft Edge for Business on Windows

New home experience in OneNote on iPhone

Forrester names Microsoft a Leader in the 2023 Enterprise Email Security Wave

Defender Application control in Endpoint Security

Unified Audit logs

Email logs