Updating the Endpoint Security Baseline



Introduction - 
This is part 3 of a four part series on 'How to remotely assist Azure AD Joined devices'.
Remotely assisting Intune managed devices poses challenges for MSPs as MSP technicians don't normally have Global Admin rights to the tenant and usually perform admin tasks via the Microsoft Partner Portal. 

MSP technicians face several challenges including - 
- The MSP technician account is not a local admin of the Azure AD Joined / Intune Managed device
- The end user is a standard user and has no local admin rights
- Windows 10 blacks out the screen during UAC prompts when clients are being assisted via TeamViewer or Microsoft QuickAssist.
- The Intune Security Baseline denies user elevation prompts with the message - This app has been blocked by your system administrator.

To solve these issues I have designed a three stage solution which includes the following
- Add users or groups as local admins to all Azure AD Joined devices
- Deploy a PowerShell script to disable the prompt on the secure desktop
- Update the Endpoint Security Baseline

======================================================================

This is Part 3 of a 4 part series

Remote Administration and Assistance - Four part tutorial
1. Add users or groups as local admins to all Azure AD Joined devices - Link 
2. PowerShell script to disable the prompt on secure desktop - Link
3. Updating the Endpoint Security Baseline - This article
4. How to remotely connect and assist - Link


=======================================================================

3. Updating the Endpoint Security Baseline

As discussed in the Introduction, one of the challenges with providing remote assistance is that the Endpoint Security Baseline, by default, denies user elevation prompts with the message - This app has been blocked by your system administrator.



To remove this restriction and enable the UAC prompt, we need to update the existing Security Baseline. 

You can review my tutorial on configuring and enabling the Security Baseline -
Configure and apply the Security Baseline - Link 


Updating the existing Security Baseline - 

Endpoint Security - Security Baselines


Select - Windows 10 Security Baseline


Here we can see the Security Baseline we created earlier (if you followed this tutorial - Link )
Select the Baseline


Select - Properties


Next to Configuration settings - Select - Edit


In the search box, enter the word - elevation - and search
Select - Local Policies Security Options


Scroll down to - Standard user elevation prompt behavior -
Note that this is currently set to - Automatically deny elevation requests - (this is the default)


Use the drop down arrow and select - Prompt for credentials


This should now show - Prompt for credentials


Select - Review and Save

Select - Save
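
To confirm on a device that the updated baseline has applied, the check below reads the UAC values from the registry. It is an added example, not part of the original tutorial; the function name Get-UacElevationState is made up for illustration, and it assumes the device has already synced with Intune.

```powershell
# Added example (not from the original article): report the UAC elevation
# settings in effect on this device after the baseline has synced.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows values for ConsentPromptBehaviorUser, the registry value behind
# "Standard user elevation prompt behavior".
$StandardUserBehavior = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Hypothetical helper name, chosen for this example.
function Get-UacElevationState {
    param([string]$Path = $UacKey)

    $values = Get-ItemProperty -Path $Path -ErrorAction Stop
    $raw    = $values.ConsentPromptBehaviorUser

    if ($null -eq $raw) {
        $meaning = 'Not set in the registry'
    } elseif ($StandardUserBehavior.ContainsKey([int]$raw)) {
        $meaning = $StandardUserBehavior[[int]$raw]
    } else {
        $meaning = "Unrecognised value $raw"
    }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        ConsentPromptBehaviorUser = $raw
        StandardUserBehavior      = $meaning
        # Windows value for "switch to the secure desktop when prompting for elevation"
        PromptOnSecureDesktop     = $values.PromptOnSecureDesktop
        # True only when the device shows "Prompt for credentials" (value 3)
        BaselineChangeApplied     = ($raw -eq 3)
    }
}

$state = Get-UacElevationState
$state | Format-List
if (-not $state.BaselineChangeApplied) {
    Write-Warning 'Standard user elevation is not set to "Prompt for credentials". Sync the device and check again.'
}
```

A value of 0 after a sync means the device is still receiving the default "Automatically deny elevation requests" setting, for example from another baseline profile assigned to it.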

=====================================================================


 
About the author -

Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years experience designing and delivering technical solutions to a variety of enterprise clients in the private, Government and Education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
