Microsoft Intune: Customization of app installs with Enterprise Application Management

🚨 The Signal: Intune now allows PowerShell scripts for Win32 app installations, including Enterprise Application Management (EAM) catalog apps. This provides greater customization but introduces new avenues for script-based attacks if not managed securely.

The Impact

Intune administrators are directly affected: if deployment processes are not secured, the risk of malicious script execution increases.

  • Intune Admins: Risk of deploying insecure scripts leading to system compromise.
  • Security Teams: Increased attack surface for script-based malware and privilege escalation.
  • End Users: Potential for compromised applications or systems if scripts are malicious.

The Action

  1. Review and approve all PowerShell scripts used for app installations in Intune.
  2. Implement least privilege for Intune administrators deploying scripts.
  3. Utilize script signing to ensure integrity and authenticity of deployment scripts.
  4. Configure Intune to monitor script execution and report anomalies.
  5. Regularly audit script deployment configurations and permissions in Intune.
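
One way to support steps 1 and 3 before a script is uploaded, as an added example (not Microsoft's or Intune's own code): a local gate that checks each install script's Authenticode signature against an approved signer and lists constructs worth a manual look. The staging folder, the thumbprint placeholder and the review pattern list are assumptions to replace with your own values.

```powershell
# Added example: pre-upload gate for Intune Win32 app install scripts.
# Assumptions (not from the page): the staging folder and the approved signer
# thumbprint are placeholders; the review patterns are constructed samples.
[CmdletBinding()]
param(
    [string]$ScriptFolder = 'C:\IntuneStaging\Scripts',                 # hypothetical path
    [string[]]$ApprovedThumbprints = @('<APPROVED-SIGNER-THUMBPRINT>')  # placeholder
)

# Non-exhaustive patterns that should send a script to manual review.
$reviewPatterns = 'Invoke-Expression', '\biex\b', '-EncodedCommand',
                  'DownloadString', 'FromBase64String', 'Set-ExecutionPolicy'

$results = foreach ($file in Get-ChildItem -Path $ScriptFolder -Filter *.ps1 -File -Recurse) {
    # Signature status is Valid only if the file is unmodified and the chain is trusted.
    $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    # Collect line numbers of constructs a reviewer should read in context.
    $hits = Select-String -Path $file.FullName -Pattern $reviewPatterns |
            ForEach-Object { "line $($_.LineNumber): $($_.Matches[0].Value)" }

    [pscustomobject]@{
        Script         = $file.FullName
        SHA256         = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        SignatureState = $sig.Status
        SignerApproved = [bool]($thumb -and ($ApprovedThumbprints -contains $thumb))
        ReviewFlags    = $hits -join '; '
    }
}

$results | Format-List

# Block the upload if any script is unsigned, tampered with, or signed by an unapproved cert.
$blocked = @($results | Where-Object { $_.SignatureState -ne 'Valid' -or -not $_.SignerApproved })
if ($blocked.Count -gt 0) {
    Write-Error "$($blocked.Count) script(s) failed the signature gate; do not upload."
    exit 1
}
```

Recording the SHA256 value alongside the approval gives the audit in step 5 something to compare deployed scripts against.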

Domain: Intune · Impact: high · Workload: Intune · Essential Eight: Application Control, Restrict Administrative Privileges · ISM: ISM-0445, ISM-0843, ISM-1175, ISM-1380, ISM-1490, ISM-1507, ISM-1508, ISM-1509, ISM-1544, ISM-1582, ISM-1647, ISM-1648, ISM-1650, ISM-1656, ISM-1657, ISM-1658, ISM-1659, ISM-1660, ISM-1686, ISM-1688, ISM-1689, ISM-1870, ISM-1871, ISM-1883, ISM-1897, ISM-1898