
Blocking Co-Installers in Windows with Intune Remediations

On Windows 10/11, Plug and Play drivers can automatically install applications (unsecured, dangerous or both) on your computer. This feature is called co-installers.

This behaviour, convenient at first, can be undesirable for most of us. For example, a bug in Razer's Synapse software allowed standard users to gain admin access to the machines.

At BoucheCousue, we offer managed services to our customers and are therefore looking to reduce the attack surface of the machines used by end users.

How to block CoInstallers?

You can manually edit your registry by adding or changing a key in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer

Modify or create the value DisableCoInstallers as a DWORD (32-bit) with a value of 1.

Source: BleepingComputer

How to block CoInstallers using Intune Remediations

For Intune, you can use Remediation Scripts to change registry settings automatically.

Here is the detection script to upload:

## DetectCoInstallers - BoucheCousue
## Detection script for Intune Remediation

# Parameters
$regkey="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer"
$name="DisableCoInstallers"
$value=1

# Registry Detection Template
# Exit code 1 tells Intune to run the remediation script, exit code 0 means compliant
If (!(Test-Path $regkey))
{
    Write-Output 'RegKey not available - remediate'
    Exit 1
}

# Read the current value; $check is $null when the value does not exist
$check=(Get-ItemProperty -path $regkey -name $name -ErrorAction SilentlyContinue).$name
if ($check -eq $value){
    write-output 'setting ok - no remediation required'
    Exit 0
} Else {
    write-output 'value not ok, no value or could not read - go and remediate'
    Exit 1
}

And the remediation one:

## DetectCoInstallers - BoucheCousue
## Remediation script for Intune Remediation

# Parameters
$regkey="HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer"
$name="DisableCoInstallers"
$value=1

# Registry Template
# Create the key if it does not exist yet
If (!(Test-Path $regkey))
{
    New-Item -Path $regkey -ErrorAction stop
}

# Create the value as a DWORD if it is missing
if (!(Get-ItemProperty -Path $regkey -Name $name -ErrorAction SilentlyContinue))
{
    New-ItemProperty -Path $regkey -Name $name -Value $value -PropertyType DWORD -ErrorAction stop
    write-output "remediation complete"
    exit 0
}

# The value already exists: overwrite its data
set-ItemProperty -Path $regkey -Name $name -Value $value -ErrorAction stop
write-output "remediation complete"
exit 0

Base script by MikeMDM, customized for the needs of this registry key.
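
A stricter variant of the detection script, added here as an example (it is not the original author's or MikeMDM's code): it opens the 64-bit registry view explicitly, so the result does not depend on whether the script runs in 32-bit or 64-bit PowerShell, and it also checks that the value is a DWORD. The function name Test-CoInstallersDisabled and the status strings are made up for this example.

```powershell
## Added example: stricter detection for Intune Remediations (not the original script)
# Reads the 64-bit registry view explicitly and checks both the data and its type.

$subKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
$name     = 'DisableCoInstallers'
$expected = 1

# Hypothetical helper: returns 'ok' or a short reason why the setting is not compliant
function Test-CoInstallersDisabled {
    param([string]$SubKey, [string]$Name, [int]$Expected)

    # Open HKLM in the 64-bit view so a 32-bit host is not redirected to WOW6432Node
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $hklm.OpenSubKey($SubKey)   # read-only; $null when the key is missing
        if ($null -eq $key) { return 'key missing' }
        try {
            if ($key.GetValueNames() -notcontains $Name) { return 'value missing' }
            $kind = $key.GetValueKind($Name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return "wrong type ($kind)" }
            $data = $key.GetValue($Name)
            if ($data -ne $Expected) { return "wrong data ($data)" }
            return 'ok'
        }
        finally { $key.Dispose() }
    }
    finally { $hklm.Dispose() }
}

try {
    $result = Test-CoInstallersDisabled -SubKey $subKey -Name $name -Expected $expected
}
catch {
    # Any read failure is treated as non-compliant so that Intune runs the remediation
    Write-Output "could not read registry: $($_.Exception.Message) - remediate"
    exit 1
}

if ($result -eq 'ok') {
    Write-Output 'setting ok - no remediation required'
    exit 0
}
Write-Output "$result - remediate"
exit 1
```

When pairing this with the remediation script above, enable "Run script in 64-bit PowerShell" on the remediation so that both scripts work on the same registry view. Set-ItemProperty keeps the type of an existing value, so a value reported as "wrong type" has to be recreated with New-ItemProperty -PropertyType DWORD -Force.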

Thanks: Big up to Mattias Melkersen for bringing up this topic on X and to Nathan McNulty for sharing the fix that Will Dormann offered.


Deploying the Slack token on macOS with JAMF

Slack has a Windows/macOS compatible feature that uses a file called Signin.slacktoken to redirect users to the right workspace to sign in.


Indexing Google Drive in Spotlight for Mac OS

If you use Google Drive on Mac OS (formerly named Drive File Stream), you might be having a hard time finding documents and folders in Spotlight. It is quite an easy problem to solve.


Update script for PCEngines APU2 from PFSense

You want to update the BIOS of a PCEngines APU2 box from Pfsense? It is rather easy.


Linux: Delete empty directories

You have loads of empty directories to delete in Linux? There is a command for that!


2 ways to disable Office’s invite for file format

Looking for the registry key or PowerShell script that will help you get rid of the Office invite asking for a default file type? The solution is as follows...

Default password for EpsonNet Config

You’ve just set up a kitchen printer or receipt printer from Epson and have to access the admin panel to adjust some settings? The EpsonNet Config utility sometimes requires a password.


Run Speedtests from a PfSense router

If you need to quickly check how well the Internet connection of one of your pfSense routers is doing, why not use Speedtest? This just requires installing a small package on the machine.


List of IPs and networks for Youtube

If you need to apply QoS rules to traffic coming from or going to Youtube, the best thing to do is to have the list of IPs of their network.


PfSense and Intel fiber card

If you use or plan to use a fiber network card such as the Intel E10G42BTDA – Intel X520-DA2 with a PfSense firewall (such as our SolidRouters), you need to adjust the /boot/loader.conf.local file with settings such as:


vm.kmem_size="435544320"
vm.kmem_size_max="535544320"
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
hw.igb.fc_setting=0
hw.ixgbe.num_queues="4"

Values are to be adjusted according to your setup. The last line relates to quad Ethernet network cards from Intel.