Imagine this utopian scenario…
- You join your mobile/roaming devices to Azure AD only (no on-premises domain join)
- You use EMS to enrol these devices automatically into Intune
- You are running Windows 10 Creators Update (version 1703)
By default, the user who joins a device to Azure AD is made a local administrator on it. They can then download and install anything they like, including malware, ransomware or potentially unwanted applications (PUA).
The Creators Update adds an option, which will presumably also be configurable via MDM, to “Allow apps from the Store only”. This blocks the installation of Win32 apps that do not originate from the Windows Store.
It is also possible via the MDM channel to block the public Windows Store and allow only your organisation's Windows Store for Business (WSfB).
You can do this via a “Custom Configuration” policy for Windows 10.
Use whatever names you like; the important part is the OMA-URI:
Set this to an integer value of 1.
Assign this policy to a USER group (rather than a device group) to enforce the setting.
At this point, if you also enable “Allow apps from the Store only”, you have a machine that can only install apps via the WSfB. Any app you need from the public store can be added to your private WSfB store, for installation either by the user or pushed via Intune.
The device, despite being used with admin permissions, is now at least protected from externally introduced application installations. Setting “Allow apps from the Store only” does not conflict with Intune delivery of traditional MSI-based Win32 apps: with the setting on it is still possible to install an MSI via the Company Portal or push it to the device.
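To confirm a device actually ended up in the state described above, the following PowerShell audit script reads the policy-managed registry values behind the two settings. This is an added example and not part of the original post; it assumes the registry values are the ones written by the equivalent Group Policy settings (“Configure App Install Control” under Windows Defender SmartScreen, and “Only display the private store within the Windows Store app”) and that the MDM-delivered policies land in the same values. A choice made by hand in the Settings app is not policy and is not read here.

```powershell
# Added example, not from the original post: audit whether a Windows 10 (1703+) device is
# in the "store-only + private store" state the steps above aim for.
# Assumptions: the registry values below are the ones written by the equivalent Group Policy
# settings ("Configure App Install Control" under Windows Defender SmartScreen, and "Only display
# the private store within the Windows Store app"); it is assumed here that the MDM-delivered
# policies land in the same values. A choice made by hand in the Settings app is not policy
# and is not read by this script.

function Get-AppInstallControlState {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enabled = $props.ConfigureAppInstallControlEnabled   # DWORD, 1 = policy in effect
    $mode    = $props.ConfigureAppInstallControl          # Anywhere | Recommendations | PreferStore | StoreOnly
    [pscustomobject]@{
        Setting   = 'Allow apps from the Store only'
        Scope     = 'HKLM'
        Value     = if ($mode) { $mode } else { '(not set)' }
        Compliant = ($enabled -eq 1 -and $mode -eq 'StoreOnly')
    }
}

function Get-PrivateStoreOnlyState {
    # RequirePrivateStoreOnly is delivered per user (hence the user-group assignment above),
    # so the current user's hive is checked first and the machine hive second.
    foreach ($key in 'HKCU:\SOFTWARE\Policies\Microsoft\WindowsStore',
                     'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore') {
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RequirePrivateStoreOnly
        if ($null -ne $v) {
            return [pscustomobject]@{
                Setting   = 'Private store only (WSfB)'
                Scope     = $key.Split(':')[0]
                Value     = $v
                Compliant = ($v -eq 1)
            }
        }
    }
    [pscustomobject]@{ Setting = 'Private store only (WSfB)'; Scope = 'none'; Value = '(not set)'; Compliant = $false }
}

$results = @(Get-AppInstallControlState; Get-PrivateStoreOnlyState)
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'Device is NOT in the store-only + private-store state; users can still install from anywhere.'
    exit 1
}
```

Run it in the context of an affected user (the private-store policy is user-scoped, so a check run as a different account or as SYSTEM will only see the HKLM fallback). The non-zero exit code makes it usable as a compliance check from a scheduled task or a management agent.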
All of the above is good stuff: we don't want users installing additional applications on their systems, as we don't know what they are and they could introduce vulnerabilities.
Here's the important bit: the “Allow apps from the Store only” setting does not appear to stop all portable Win32 apps from running, so it does not stop every .exe that may be executed as part of a malware or ransomware attack. I tried a few portable apps and got mixed results: putty.exe was blocked but bginfo was not. It would be interesting to understand how the logic decides that an .exe is trying to install.
With that in mind, you've got a machine with some protection, but not quite enough for some security scenarios. For now at least you'll still need AppLocker or another third-party tool for application whitelisting, but it is a step in the right direction.
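Since the post concludes that AppLocker is still needed to stop a portable .exe from running, here is what the minimal version of that looks like. This is an added example, not code from the original post: it writes an AppLocker executable policy whose three path rules mirror AppLocker's own default executable rules, then uses Test-AppLockerPolicy to evaluate a stand-in “portable” tool (constructed here by copying notepad.exe into the user's Downloads folder) without touching the live policy.

```powershell
# Added example, not from the original post: build a minimal AppLocker executable policy of the
# kind the post says is still needed, and test it offline against a "portable" exe dropped into
# the user's profile. Assumptions: the three path rules mirror AppLocker's own default executable
# rules; the portable app is simulated (constructed here) by copying notepad.exe into Downloads.

function New-StarterAppLockerPolicy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'   # start in audit, enforce later
    )
    $rules = @(
        @{ Name = 'Allow Windows folder';  Sid = 'S-1-1-0';      Path = '%WINDIR%\*' }        # Everyone
        @{ Name = 'Allow Program Files';   Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*' }  # Everyone
        @{ Name = 'Allow administrators';  Sid = 'S-1-5-32-544'; Path = '*' }                 # BUILTIN\Administrators
    )
    $ruleXml = foreach ($r in $rules) {
        $id = [guid]::NewGuid()
        @"
    <FilePathRule Id="$id" Name="$($r.Name)" Description="" UserOrGroupSid="$($r.Sid)" Action="Allow">
      <Conditions><FilePathCondition Path="$($r.Path)"/></Conditions>
    </FilePathRule>
"@
    }
    $body = $ruleXml -join "`n"
    $policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$body
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $Path -Value $policyXml -Encoding UTF8
    return $Path
}

# Write the policy and stage a stand-in portable tool in the user's Downloads folder.
$policy   = New-StarterAppLockerPolicy -Path (Join-Path $env:TEMP 'starter-applocker.xml')
$portable = Join-Path $env:USERPROFILE 'Downloads\portable-tool.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $portable -Force

# Evaluate both copies as a standard (non-admin) user without changing the live policy.
Test-AppLockerPolicy -XmlPolicy $policy -Path $portable, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To enforce for real, once the AppLocker event log shows no unexpected 8003 (would-have-blocked) events:
#   call New-StarterAppLockerPolicy with -Mode Enabled, make sure the Application Identity (AppIDSvc)
#   service is running, then:  Set-AppLockerPolicy -XmlPolicy $policy -Merge
```

Only path conditions are in play, so the copy in Downloads matches no rule while the identical bytes in System32 match the Windows folder rule; unlike the Store-only setting, the decision does not depend on whether the binary looks like an installer. Two caveats a practitioner should keep in mind: path rules are only as strong as the ACLs on the allowed directories (user-writable locations under %WINDIR% are a well-known way around them, which is why publisher or hash rules are preferred where possible), and the administrators rule means the default Azure AD join behaviour of making the user a local admin would still leave that user unrestricted.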