
We don't give users admin rights but obviously most things these days can run in the user's local context and don't need those rights. We are running into issues with people loading programs on their computers that they shouldn't be (recently found Roblox on a computer).

So I started looking at Windows Defender Application Control. AppLocker isn't an option for us since we're running Windows 10 Pro and not Enterprise, unless that's changed recently.

My plan is to roll out the Microsoft signed template in audit mode on a standard domain computer and see what it catches. Then use their wizard to create a profile on that. We use AD to manage computers so would roll it out using Group Policy or the scripting option.

We don't have any developers and most of our software is pretty standard (MS Office, Acrobat, etc). I am worried about how much management this will cause, especially when things need to be regularly patched.

Have any of you attempted using WDAC? If so, how was it? Are you actively using it or were there just too many issues/overhead?


You could take a look at Endpoint Privilege Management (EPM) solutions. Typically, they would remove the local admin rights on all user computers and endpoints. Now to make the process hassle-free, it lets you define application control policies - you can whitelist trusted applications and block restricted ones. This would mean they cannot install or run applications they do not need. For users who require admin access - you can grant them time-restricted and fully audited admin access so they can carry out any tasks that may include changing certain system settings. Now for new applications - they can always request temporary access, and as an admin, you will be able to approve/deny their request based on their reason. If you feel the application is useful, it can be made permanently available to them.

You may take a look at Securden Windows Privilege Manager, which achieves this (disclosure: I work for Securden). Securden integrates with your AD/Azure AD so you can easily import your users and grant them access to resources in your organization.


On Windows 11, I made a WDAC policy with WDAC Wizard and added it to Group Policy, restarted the PC and still the policy isn't being enforced.
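For both the audit-mode rollout discussed above and the "policy isn't being enforced" comment, the first thing to establish on a test machine is whether a policy was actually loaded and what it has logged. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the client and that the CodeIntegrity 3076/3077 events carry a `File Name` field (it falls back to the raw message if not).

```powershell
# Added example: report WDAC policy state on this machine and summarise audit/enforce events.
# Run elevated. Enforcement values for both Win32_DeviceGuard properties: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$label = @{ 0 = 'Off (no policy loaded)'; 1 = 'Audit mode'; 2 = 'Enforced' }
"Kernel-mode CI policy : $($label[[int]$dg.CodeIntegrityPolicyEnforcementStatus])"
"User-mode CI policy   : $($label[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus])"

# Policy binaries the kernel loads at boot. The Group Policy "Deploy Windows Defender Application
# Control" setting only supports the single-policy format, which lands here as SiPolicy.p7b;
# multiple-policy format files (.cip) live under CiPolicies\Active. If neither exists after a
# reboot, the GPO never delivered a policy and there is nothing to enforce.
$ci = "$env:SystemRoot\System32\CodeIntegrity"
Get-ChildItem -Path (Join-Path $ci 'SiPolicy.p7b'), (Join-Path $ci 'CiPolicies\Active\*.cip') `
    -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime

# Windows 11 22H2+ ships citool.exe, which lists loaded policies and their mode directly.
if (Get-Command citool.exe -ErrorAction SilentlyContinue) { citool.exe --list-policies }

# Event log: 3099 = policy loaded/refreshed, 3076 = would have been blocked (audit mode),
# 3077 = blocked (enforced). No 3099 after a reboot means the policy was not applied.
$log = 'Microsoft-Windows-CodeIntegrity/Operational'
$loaded = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3099 } -MaxEvents 5 -ErrorAction SilentlyContinue)
"Policy load events (3099) seen: $($loaded.Count)"

# Group audit/enforce events by file so the allow-list review is a short, ranked list.
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 3076, 3077 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        # Assumption: the blocked path is in the 'File Name' data field; otherwise use the message.
        $file = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'File Name' }).'#text'
        if (-not $file) { $file = ($_.Message -split "`n")[0] }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; File = $file }
    } |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Running this on the audit-mode pilot machine after a day of normal use gives the list of binaries the Microsoft signed template would have blocked, which is the input for the wizard's supplemental rules.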
