In order for a user to connect to a work computer, that computer must be a primary device of the user. For more information, see Link users and devices with user device affinity.

To manage remote connection profiles, your user account needs specific permissions in Configuration Manager. The Compliance Settings Manager built-in role includes the permissions required to manage these profiles. For more information, see Configure role-based administration.

If clients run a different host-based firewall, manually configure this firewall dependency. Group Policy settings to configure Windows Firewall can override the configuration that you set in Configuration Manager. If you use Group Policy to configure Windows Firewall, make sure that Group Policy settings don't block mstsc.exe.

Security and privacy considerations

Security considerations

- Manually specify user device affinity instead of allowing users to identify their primary device. Don't enable usage-based configuration. Before you can deploy a remote connection profile, you need to enable the option to Allow all primary users of the work computer to remotely connect. Don't consider the information that Configuration Manager collects from users or from the device to be authoritative. If you deploy a profile, and a trusted administrative user doesn't specify user device affinity, unauthorized users might receive elevated privileges and can remotely connect to computers. With this configuration, you should always manually specify user device affinity. Configuration Manager collects usage-based information through state messages, which is a fast but insecure communication channel. To help mitigate this threat, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between client computers and the management point.
- Restrict local administrative rights on the site server computer.

I'm working with a customer to enable RDP on some AAD joined, Intune managed devices in the company. This is the configuration I'm testing at the moment:

Enable RDP on device: Configuration Profile, Administrative template:
- Allow users to connect remotely by using Remote Desktop Services - Enabled
- Require user authentication for remote connections by using Network Level Authentication - Disabled

Allow RDP/3389 through Windows Firewall: Device Configuration Profiles - Endpoint protection

Add users in local "Remote Desktop Users" group: Endpoint security - Account protection - Local user group membership. Add users (not AAD groups) in "Remote Desktop Users" group.

There are a couple of drawbacks from this configuration.

Management - I don't want this configuration on all Windows clients in the company. An AAD group with devices must be maintained.

In my testing, adding an AAD group in the Endpoint security - Account protection - Local user group membership policy is not working; only users can be added. All users added in the policy "Local user group membership" are added in the local group "Remote Desktop Users" on all devices assigned to this.

I would suggest the following:

Particularly if you have any Security / Defender Baseline policies set, there is a setting called Policy rules from group policy not merged, which I set to 'Not Configured' for the Private Firewall Profile.

Use the Scripts policy tool (or just do it manually) in Intune to deploy the following settings (PowerShell):

```powershell
Enable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"
Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -Profile "Private"
```

Check your network adaptor is using the Private Network Profile Type (Settings > Network & Internet - Properties).

Within Intune, create a Configuration Profile and enable the following settings:
- Allow users to connect remotely by using Remote Desktop Services
- Require user authentication for remote connections by using Network Level Authentication

In the Windows 11 settings (System > Remote Desktop) it will show RDC as being OFF, but within the RDC options found in Control Panel, it will be turned on.

I believe that setting the Policy rules from group policy not merged to 'Not Configured' does open some doors in terms of security, but I've had no luck using Intune FW rules. I'd be interested if anyone has been able to do this recently with all the security baselines enabled.
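As an added example (not code from the thread above or from Microsoft's documentation), the following PowerShell audit reads the effective Remote Desktop state of a device directly instead of trusting either the Settings app or Control Panel, which the reply notes can disagree. It reports whether RDP is enabled and from which source (policy key or local key), whether Network Level Authentication is required, which firewall profiles the "Remote Desktop - User Mode (TCP-In)" rule is open on, and who is in the local Remote Desktop Users group. The registry paths, cmdlets and rule name are standard Windows ones; the choice of what counts as a finding (RDP without NLA, the rule open on the Public profile, broad built-in principals in the group) and the function name Get-RdpExposureReport are this example's own assumptions.

```powershell
# Added example: audit the effective Remote Desktop exposure of a Windows
# device after Intune / Group Policy changes. Not code from the thread or
# from Microsoft documentation. Run in an elevated PowerShell session.
# Registry paths, cmdlets and the rule name are standard Windows ones; the
# "findings" rules below are this example's own choices.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = Join-Path $LocalKey 'WinStations\RDP-Tcp'
$RuleName  = 'Remote Desktop - User Mode (TCP-In)'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RdpExposureReport {
    # Values under the Policies key (written by the Administrative Template
    # settings used in the thread) take precedence over the local values that
    # Control Panel edits, so a UI reading only one of them can disagree
    # with the other. Prefer the policy value when it exists.
    $policyDeny = Get-RegValueOrNull $PolicyKey 'fDenyTSConnections'
    $localDeny  = Get-RegValueOrNull $LocalKey  'fDenyTSConnections'
    $denyTs     = if ($null -ne $policyDeny) { $policyDeny } else { $localDeny }

    $policyNla = Get-RegValueOrNull $PolicyKey 'UserAuthentication'
    $localNla  = Get-RegValueOrNull $RdpTcpKey 'UserAuthentication'
    $nla       = if ($null -ne $policyNla) { $policyNla } else { $localNla }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    $ruleEnabled  = [bool]$rule -and ("$($rule.Enabled)" -eq 'True')
    $ruleProfiles = if ($rule) { "$($rule.Profile)" } else { 'rule not found' }

    # Get-LocalGroupMember can throw on orphaned SIDs; treat that as "unknown".
    try   { $members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction Stop) }
    catch { $members = @() }

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($denyTs -eq 0 -and $nla -ne 1) {
        $findings.Add('RDP is enabled but Network Level Authentication is not required')
    }
    if ($ruleEnabled -and $ruleProfiles -match 'Public|Any') {
        $findings.Add("'$RuleName' is enabled on the Public profile")
    }
    foreach ($m in $members) {
        # Broad built-in principals in this group widen who may log on remotely.
        if ($m.Name -match 'Everyone|Authenticated Users|Domain Users$') {
            $findings.Add("Broad principal in Remote Desktop Users: $($m.Name)")
        }
    }

    [pscustomobject]@{
        RdpEnabled          = ($denyTs -eq 0)
        RdpSource           = if ($null -ne $policyDeny) { 'policy' } else { 'local' }
        NlaRequired         = ($nla -eq 1)
        FirewallRuleEnabled = $ruleEnabled
        FirewallProfiles    = $ruleProfiles
        RemoteDesktopUsers  = @($members | ForEach-Object { $_.Name })
        Findings            = $findings.ToArray()
    }
}

# Usage: print the report and exit non-zero when anything needs attention,
# which is the contract an Intune remediation detection script expects.
$report = Get-RdpExposureReport
$report | Format-List
if ($report.Findings.Count -gt 0) { exit 1 }
```

Because the report distinguishes the policy key from the local key, it also explains the "Settings says OFF, Control Panel says ON" observation in the reply: the two UIs do not read the same value, and the policy value is the one that applies. Deployed as a detection script, the non-zero exit lets a remediation re-apply the intended firewall profile or NLA setting on devices where a baseline has overridden it.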