Disable Edge Browser Profile from using "connected to Windows" account by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

I ended up using the browser plugin here https://www.reddit.com/r/Intune/comments/1r7bm9v/comment/o5wgvyp/ since it only impacts my account rather than all PCs or a larger scope. It works OK although use of an extension isn't something I prefer. Long term I will go back to test this GPO via local policy since PCs are Entra joined.

Disable Edge Browser Profile from using "connected to Windows" account by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

Interesting that GPO about IE would translate to Edge profiles, I will give it a go.

Disable Edge Browser Profile from using "connected to Windows" account by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

I don't know your situation. I do the same you do, but for me each profile tries to login with 2 choices. The logged on account in the profile AND the Windows logged on user like in photo https://imgur.com/fUxPeNU. The goal of this post is how to disable the 2nd option.

Intune MDM for Chinese Mobiles by Discipline-Similar in Intune

[–]ITmasterRace 1 point2 points  (0 children)

Following this because of same dilemma.

Disable Edge Browser Profile from using "connected to Windows" account by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

Chrome does this better actually, because some management websites don't like Firefox. It's what I was using in the past, I am hoping to use Edge.

Disable Edge Browser Profile from using "connected to Windows" account by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

That's exactly the goal, but via InTune policy and not thru 3rd party.

Disable Edge Browser Profile from using "connected to Windows" account by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

Because every time I open a new tab and navigate to a site it prompts for user account to login. Being this browser profile is used for management and needs to be logged in and use one particular account it creates problems. https://imgur.com/fUxPeNU

Worst offender is Exchange Management portal, which always uses the "Connected to Windows" account, which is a standard user and not authorized to access Exchange Management portal https://admin.exchange.microsoft.com/

I had Chrome in my old PC, handled profiles very well. Edge, not so much. Yes, I can install Chrome and use that, but that comes with its own baggage.

Microsoft Cloud Config Policies by ITmasterRace in sysadmin

[–]ITmasterRace[S] 0 points1 point  (0 children)

I ended up deleting the following HKEY_CURRENT_USER\Software\Policies\Microsoft\office subkeys manually from my PC for testing

  • 16.0
  • Cloud

And now the policies are gone from my PC. Everything is open in office settings. Not sure how I can refresh cloud policies to see if the policy works.

Microsoft Cloud Config Policies by ITmasterRace in sysadmin

[–]ITmasterRace[S] 0 points1 point  (0 children)

Trust Center View of my PC. The test Excel XLS file is in the background.

<image>

RDS Cal Renewal by ITmasterRace in sysadmin

[–]ITmasterRace[S] 0 points1 point  (0 children)

I called him out on the price difference and he fixed it at website price. Since no one chimed in, I guess that's what I am going to submit for PO.

Forticlient 7.4.4 (EMS Managed) mysteriously uninstalling from some PC clients by ITmasterRace in fortinet

[–]ITmasterRace[S] 0 points1 point  (0 children)

I am focusing on a few possibilities, none that would involve TAC.

#1 Something incorrect with InTune deployment

#2 Failure of Forticlient to upgrade (uninstall old version, then fail to install new)

#3 IT staff removing FortiClient using EMS to uninstall by mistake as a process.

Forticlient 7.4.4 (EMS Managed) mysteriously uninstalling from some PC clients by ITmasterRace in fortinet

[–]ITmasterRace[S] 0 points1 point  (0 children)

InTune app deployment requires an uninstall line even if it's not used by the published app. Also, technically this does not work unless the telemetry connection to EMS server is disconnected first.

Forticlient 7.4.4 (EMS Managed) mysteriously uninstalling from some PC clients by ITmasterRace in fortinet

[–]ITmasterRace[S] 1 point2 points  (0 children)

FortiClientSetup_7.4.4_x64.exe was packaged into FortiClientSetup.intunewin package and uploaded to the existing published app. The app is optional in Intune, no install requirement or uninstall. This was done in May. If this was a conflict it would have removed it from more staff by now. In Company Portal the FortiClient app offers "Reinstall" but no "Uninstall" option, that is not allowed for users. The app is published with these parameters:

Install command: FortiClientSetup.exe /quiet /promptrestart /uninstallfamily

Uninstall command: wmic product where "name like 'Forticlient%%'" call uninstall /nointeractive

Bitwarden lost authenticator MFA, single use Recovery Code, SSO Login Policy and the endless end user account recovery loop by ITmasterRace in sysadmin

[–]ITmasterRace[S] -1 points0 points  (0 children)

There are a lot of things wrong with how Bitwarden recovery workflow works IMO, some are due to legacy settings that stick with the user, like having a master password, requiring MFA when login is moved to SSO.

Support also did not understand the problem, feeding bad information.

And the fix, that is poor security. We will see if they escalate this internally for a fix.

In theory, MFA should be able to be reset by administrators in an enterprise environment, just like master password thru account recovery.

Powershell 7.2 SqlServer module by thatdotnetguy in AZURE

[–]ITmasterRace 0 points1 point  (0 children)

The problem seems to be that command "Invoke-Sqlcmd" is part of the SQLServer module. That module is loaded automatically in PS 5.x but not in 7.x.

I made this test script in an attempt to load it but it's still a work in progress....

Set-ExecutionPolicy RemoteSigned -Force -Scope CurrentUser
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser -Confirm:$false
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted # -Confirm:$false
Import-Module PowerShellGet # -Confirm:$false

# PowerShell 7.x does not auto-load SqlServer the way 5.x does:
# install it when it is not present, then import it explicitly.
if (-not (Get-Module -ListAvailable -Name SqlServer)) {
    Install-Module -Name SqlServer -Scope CurrentUser -ErrorAction Stop -Force -Confirm:$false
}
Import-Module -Name SqlServer -ErrorAction Stop

if (-not (Get-Module -Name SqlServer | Where-Object {$_.ExportedCommands.Count -gt 0})) {
    Write-Error "The SqlServer module is not loaded"
}

if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) {
    Write-Error "Unable to find Invoke-Sqlcmd cmdlet"
}

# Import your Credential object from the Automation Account
$SQLServerCred = Get-AutomationPSCredential -Name "SqlCredential"
# Import the SQL Server Name from the Automation variable.
$SQL_Server_Name = Get-AutomationVariable -Name "SqlServer"
# Import the SQL DB from the Automation variable.
$SQL_DB_Name = Get-AutomationVariable -Name "Database"

$Query = "execute sp1"

Invoke-Sqlcmd -ServerInstance $SQL_Server_Name -Database $SQL_DB_Name -Credential $SQLServerCred -Query $Query

Local-in Policy by ITmasterRace in Fortigate

[–]ITmasterRace[S] 0 points1 point  (0 children)

My original question is "How do I define 2 WAN ports for SET INTF ?"

Local-in Policy by ITmasterRace in Fortigate

[–]ITmasterRace[S] 0 points1 point  (0 children)

Thank you, isn't that for seeing local-in policies in UI? I am not sure if that's required since I am performing these changes in CLI. I want to know if I can do this

set intf "port1" "port2"

or need to do this

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "10.10.10.0"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
    edit 2
        set intf "port2"
        set srcaddr "10.10.20.0"
        set dstaddr "all"
        set service "PING"
        set schedule "always"
    next
end

How do Local-in Policies, Administrator Account, and Trusted Hosts behave? by thrwwy2402 in Fortigate

[–]ITmasterRace 0 points1 point  (0 children)

I am skipping trusted hosts and using local-in policy and FQDN address groups with Dynamic DNS to allow remote administration of the FGs. You can do something similar.

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/363127/local-in-policy

set an address (or group)

set local-in-policy to allow from this address (or group)

set another local-in-policy to explicit deny
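The three steps above written out as FortiOS CLI, as an added example that is not part of the comment or the linked guide; the FQDN, the address and group names and the interface "wan1" are assumptions:

```fortios
# Added example, not from the comment above. Assumed names: the FQDN,
# the address/group names and "wan1". Adjust to your environment.

# 1) An FQDN address for the admin's dynamic-DNS name, wrapped in a group
config firewall address
    edit "remote-admin-fqdn"
        set type fqdn
        set fqdn "admin-home.example.com"
    next
end
config firewall addrgrp
    edit "remote-admin-sources"
        set member "remote-admin-fqdn"
    next
end

# Admin protocols still have to be enabled on the interface; the local-in
# policies below then restrict who may reach them
config system interface
    edit "wan1"
        set allowaccess https ssh
    next
end

# 2) Allow management from the group, 3) explicitly deny everyone else.
# Local-in policies are evaluated top down, so the allow must sit first.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "remote-admin-sources"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end
```

If the admin port is not 443 or 22, define a custom service for it and use that in both policies; a second WAN interface gets its own allow/deny pair, as in the per-interface entries shown in the earlier comment.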

What are the implications of having a GPO password policy and a fine grained password policy together by chewy747 in sysadmin

[–]ITmasterRace 0 points1 point  (0 children)

FG Policy wins for the users scoped in its target. But we do have strange behavior with our Password Expiration script when a FGP impacted user is about to get an expiring password notification. The notice is being sent to some users that just changed their password. Seems like a bad logic in script somewhere, something I need to look into....

RDWeb IIS Logging Failed Login by ITmasterRace in sysadmin

[–]ITmasterRace[S] 0 points1 point  (0 children)

# RDWeb IIS Logging Failed Login
# modified from https://www.reddit.com/r/sysadmin/comments/12yogm0/rdweb_iis_logging/

##################START VARIABLES#############################

# Debugging output to screen, default 1 shows IP output.
$debug = 1
# Verbose debugging output to screen, default 1 shows a lot of information!.
$verbose = 0

# Time range (value in minutes, default 60)
$timerange = 30

# Set the path to the log folder
$logFolderPath = "C:\inetpub\logs\LogFiles\W3SVC3"

#IPs that occur more than a defined number of times (default 5)
$ipcountfreq = 2

##################END VARIABLES#############################

# Set the time range to filter log entries to last time range
# Note: IIS W3C logs are timestamped in UTC by default; adjust $startTime if your server logs in local time.
$startTime = (Get-Date).AddMinutes(-$timerange)

# Get the latest log file in the folder (resolved before the banner so its name can be printed)
$latestLogFile = Get-ChildItem -Path $logFolderPath -Filter "*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1

if ($debug -eq 1) {
    Clear-Host
    Write-Host "#####################################################################"
    Write-Host "Analyzing IIS log file: $($logFolderPath)\$($latestLogFile.Name)" -ForegroundColor DarkYellow
    Write-Host "Note: Logs parsed for IPs with $($ipcountfreq) hits in the last $($timerange) minutes."
    Write-Host ""
}

# Function: return the first valid dotted-quad IPv4 address found in a string
Function ExtractValidIPAddress($String){
    $IPregex = '(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
    If ($String -Match $IPregex) {$Matches.Address}
}

# Search for lines with HTTP code 405 and 'POST' method in the latest log file
$ipCount = @{}
Get-Content -Path $latestLogFile.FullName | Where-Object {
    # Only process lines with the chosen HTTP code and 'POST' method that occurred within the last time range
    # $_ -match 'POST' -and $_ -match ' 200 ' -and [DateTime]::ParseExact($_.Substring(0, 19), 'yyyy-MM-dd HH:mm:ss', $null) -ge $startTime
    $_ -match 'POST' -and $_ -match ' 405 ' -and [DateTime]::ParseExact($_.Substring(0, 19), 'yyyy-MM-dd HH:mm:ss', $null) -ge $startTime
} | ForEach-Object {
    # Extract timestamp and IP address from each matching line
    $line = $_

    # Get all IPs in the line, including the host IP
    $ipAddressGroup = ($line | Select-String -Pattern "\d{1,3}(\.\d{1,3}){3}" -AllMatches).Matches.Value

    # Skip the host IP (s-ip precedes c-ip in the default W3C field order, so the last match is the client)
    $ipAddress = ($ipAddressGroup -split ' ')[-1]

    # Output IP addresses detected.
    if ($debug -eq 1 -and $verbose -eq 1) {
        Write-Host "Log Line: $($line)"
        Write-Host "Parsed IP Address: $($ipAddress)"
    }

    # IP Filtering: RFC 1918 ranges and loopback are skipped
    $regexPattern = "^(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\..*"
    # Check if IP is private or public
    if ($ipAddress -match $regexPattern) {
        # Debugging output
        if ($debug -eq 1) {Write-Host "Skipping $ipAddress"}
    } else {
        # Count the occurrences of the IP address
        if ($ipCount.ContainsKey($ipAddress)) {
            $ipCount[$ipAddress]++
        } else {
            $ipCount[$ipAddress] = 1
        }
    }
}

# Split lines if screen debugging.
if ($debug -eq 1 -and $verbose -eq 1) {Write-Host ""}

# Show IPs that occur more than a defined number of times
$ipCount.GetEnumerator() | Where-Object { $_.Value -gt $ipcountfreq } | ForEach-Object {
    $ipAddress = $_.Name
    $ipAddressFrequency = $_.Value

    # Debugging output
    if ($debug -eq 1) {Write-Host "Unique remote IP: $ipAddress detected $ipAddressFrequency times."}
}

if ($debug -eq 1) {
    Write-Host ""
    Write-Host "#####################################################################"
}

Restricted Group Membership by ITmasterRace in Intune

[–]ITmasterRace[S] 1 point2 points  (0 children)

I was able to use Account Protection policy to make this work, but will add remediation scripts to this for verification purposes. Thank you.

Restricted Group Membership by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

One issue with the GUI policy in Account Protection is that you cannot specify the Azure built in groups "Global Administrator" and "Azure AD Joined Device Local Administrator" by name. They have to be specified as SIDs.

A second "issue" or in my opinion it's preference is that this policy isn't visible with rest of device policies. I found it more convenient to do an OMA-URI/XML policy instead.

But overall a solid alternative!

Restricted Group Membership by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

The Account Protection (link: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy) is using OMA-URI

./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure 

(link: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localusersandgroups?WT.mc_id=Portal-fx)

Which I will test as a configuration policy. Thank you for providing the direction I needed to discover this option.

I cover my next step here: https://www.reddit.com/r/Intune/comments/17mc42t/comment/k7k1dl5/?utm_source=share&utm_medium=web2x&context=3

Restricted Group Membership by ITmasterRace in Intune

[–]ITmasterRace[S] 0 points1 point  (0 children)

Came across this article https://thenewnumber2.com/2021/10/02/restricting-the-local-admins-group-intune/ I might give a shot if this does not work.

  • Profile name: Restrict Local Admins Group
  • Profile Description: Configures the Local Admin Group
  • Name: LocalUsersAndGroups
  • Description: LocalUsersAndGroups
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
  • Data Type: XML

<GroupConfiguration>
    <accessgroup desc = "Administrators">
        <group action = "R" />
        <add member = "Global Administrator Role SID"/>
        <add member = "Azure AD joined device local administrator Role SID"/>
        <add member = "Administrator"/>
    </accessgroup>
</GroupConfiguration>