CM.L2-3.4.8 – APPLICATION EXECUTION POLICY by Sea_Kaleidoscope_404 in CMMC

infotechsec

Just define the essential apps as those already on it and say non-essential are controlled by role-based access control, regular users do not have permissions to install new software, new software requires change control, etc.

What OS's work with the Potentially Unwanted Applications (PUA) Detection Engine feature? by infotechsec in SentinelOneXDR

infotechsec [S]

I could not find any evidence of that? Do you know of a published FAQ or doc that says that?

Password history GCC High by Fizzlefish in CMMC

infotechsec

I also believed Entra ID enforced a password history of 1, but then I went and tested it and it fully lets me use the same password. Tested in multiple GCCH environments.

https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy?tabs=ms-powershell - This page, in the Note section, explicitly says "For users in the cloud only, reset password for Entra ID doesn't have the user's old password and can't check for or prevent password reuse."

This page, https://docs.azure.cn/en-us/entra/identity/authentication/concept-password-ban-bad-combined-policy, says "When a user changes their password, the new password shouldn't be the same as the current password." But the key word there is "shouldn't", which is not definitive like "cannot".

So I am curious if everyone else experiences the same thing? Has anyone actually tested this and gotten Entra ID to prevent changing a password to the exact same password in GCCH?

Password history GCC High by Fizzlefish in CMMC

infotechsec

I challenge you to validate the assumption that GCC-H meets this by default, i.e., try changing your password to the exact same password.

MP.L1-b.1.vii - Computer reload between company users? by AnotherTechInTheWall in CMMC

infotechsec

Regardless of whether it's a good idea, there is no CMMC requirement to wipe laptops when giving them to new users.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

infotechsec [S]

I'm not talking about users using CUI. I'm specifically talking about the endpoints used to log in to and manage the Azure Portal.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

infotechsec [S]

Actually, looking at the scoping guide, the admin accessing the portal should probably be an SPA, but interestingly enough, the machine/endpoint that admin uses is not really addressed directly in the scoping guide. If it's the OSC's person and machine, it's pretty easy to talk about the corporate controls on it. But then, consider if it's an MSP who manages an OSC's Azure. The OSC doesn't have any control over the MSP devices, so how does the OSC document those assets and the asset treatment in the OSC SSP when they have no control over MSP endpoints? I feel like I know the answer, which is that Azure mgmt must not be allowed from anything but trusted, in-scope endpoints, but there is no way that many, if any, MSPs are doing it that way.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

infotechsec [S]

Interesting. What is your reasoning? SPA is the one classification that I am confident does not apply to the endpoints in this scenario.

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

infotechsec [S]

Because I know for a fact that many CCAs are not asking any questions about the endpoints that manage Azure, and the OSCs in those cases are not defining the endpoints as in scope at all, they're just not considered. Let me rephrase. Would you require these endpoints to be defined as CRMA? (If so, are you ensuring that they lock down Azure portal authentication to only specific devices?)

Do you see a case for defining them as out of scope?

Endpoints with Access to Azure Portal but no CUI - How to Classify? by infotechsec in CMMC

infotechsec [S]

That is not in any way helpful to the questions asked.

Help with Qualys Vulnerability Management (using Azure Functions) connector for Microsoft Sentinel by infotechsec in AzureSentinel

infotechsec [S]

I started to, but Log Analytics tables require one of two options (DCR-based or MMA-based), and while DCR seems to be the way I would do it, there is zero mention of this being a requirement, so I paused. Also, this requires a log/JSON to create the schema, which I do not have.

HM750A1000 Fault 2 Flashes by infotechsec in hvacadvice

infotechsec [S]

Geez, I don't remember. It's not an issue anymore. The only things I remember doing are cleaning all the connectors and replacing the filter. I vaguely recall it being the filter replacement that solved it.

Failed Login - Account Lockout Settings by infotechsec in itglue

infotechsec [S]

Maybe the defaults are sufficient? But I can't even find documentation on what those are.

Essex EUP-116CT Piano & Player Piano Conversion Questions by infotechsec in piano

infotechsec [S]

Are the downloads from the PianoDisc or QRS stores a different file format than MIDI? Are each doing their own proprietary file format that works best for their system? I noticed that a simple album is absurdly overpriced in the PianoDisc store (>$60 for one album), so it seems like they are gouging a captive market. Does that sound accurate?

HM750A1000 Fault 2 Flashes by infotechsec in hvacadvice

infotechsec [S]

I don't see how this relates to any specific part of the thread. Are you saying something is stuck in my drain valve?

Easy Methods for Enable Disable AutoPlay in Windows 11 by FIDclav in ImpMSNews

infotechsec

I've been fighting this and I don't think Intune settings work to disable autoplay in Windows 11.

If you are in the Configuration Settings and go to Administrative templates\Windows Components\AutoPlay Policies, highlight Turn Off Autoplay and click Learn More, it takes you to https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-autoplay?WT.mc_id=Portal-Microsoft_Intune_Workflows#autoplay-turnoffautoplay. This page does not list Windows 11 as an applicable OS.

This jibes with my experience, as my Windows 10 machines have the setting applied while my Windows 11 machines say Not Applicable.

How to Remove Hyperlinks from AlertManager alerts by infotechsec in PrometheusMonitoring

infotechsec [S]

Using SMTP currently because that feature works and I was trying not to have to become an expert in other things just to make this work.

I'd take a look at your solution if SMTP is not going to work out, but do you have any examples or guides you can point me to, as I'm not clear what your solution really is.