James Robinson | MVP (@SkipToEndpoint)
1.5K posts
Microsoft MVP - Intune and Windows | Cloud-Native Endpoint Advocate | Neurodivergent Loudmouth | All thoughts my own
Brighton, England. Joined April 2022
230 Following, 1.9K Followers

James Robinson | MVP (@SkipToEndpoint):
I'm going to go against the grain here and say that the knee-jerk reaction happening after the #Stryker incident is stupid. All of a sudden I'm seeing tons of security people now shouting that #Intune Multi Admin Approval needs to be deployed, yet for years they've not even considered that a device management platform is a core part of an org's security posture. What's worse is from my personal experience presenting topics on this exact issue, they've been actively gatekeeping security from your endpoint management teams, creating a horrible siloed culture. Stryker wasn't a critical failure in the endpoint management platform, it was just another Identity-driven attack where the proper attention to controls around least privilege, Conditional Access and authentication enforcement had been poorly implemented. Intune RBAC and Multi Admin Approval provide strong additional layers of security, but both come at a significant cost to day-to-day operational overhead that many orgs are just NOT prepared or set up to deal with. While I'm glad that it's making security folk realise that Device Management IS Security (something I've been banging on about for years at this point), you don't get to suddenly demand implementation of a thing just because you read something on the internet when you haven't done your part in shoring up security gaps. Stop living in a silo, collaborate, engage. Security is everyone's responsibility, and only working together will provide positive outcomes.

James Robinson | MVP (@SkipToEndpoint):
@RustySowers That's such dated thinking. The "all eggs in one basket" isn't a problem. It's the siloed nature of properly implementing the tools available that causes breaches. Good luck adequately reducing security gaps in a bunch of products that struggle to talk to each other properly.

James Robinson | MVP (@SkipToEndpoint):
@deepthought161 Then you may be surprised to know how many orgs are massively siloed, or security teams that gatekeep "security".

deepthought16 (@deepthought161):
@SkipToEndpoint They have always been part of security. At least when I talk to my clients I place them as a risk if not given the proper attention.

James Robinson | MVP (@SkipToEndpoint):
An employer making a decision that you have to enrol BYOD is clueless that BYOD is a service they're providing. If anyone tried to force me to enrol a device for the pleasure of getting bugged in my own time, I'd tell them where to swivel. Everyone else should too.

BlackRoomSec (@blackroomsec):
The last time I discussed BYOD I got TROUNCED in the comments 😂 so maybe now that hacker MG is saying it, it'll make a difference? I carry two phones if I have to. The company is never getting access to any personal device of mine because aside from it being a security risk for me it's also security risk for them given all the toxic shit I have on my computers. Also in lawsuits they get to keep your personal devices so that's never happening.
Quoting MG (@_MG_):

If you use a personal phone/laptop for your work, pay very close attention to this little detail. Iran attackers wipe 200k devices at a company called Stryker. Within those devices appears to be employees' PERSONAL devices. The attackers used the company’s MDM software, which is basically IT management software running on everything. It’s an incredibly attractive backdoor to an attacker. I successfully targeted MDM software for several Red Team engagements. It’s… lots of fun :) Anyway, a lot of companies require you to install their MDM software on your personal devices before you can access resources like Corp email. It’s used to keep devices updated, lock things down if they get stolen, etc. The company often promises that they won’t access personal data, erase any personal data, etc. But this is often ONLY POLICY. If a bad actor gains access to the MDM tool, as was the case here, then anything can happen. People should be aware of these risks. I refused to run MDM software on any of my personal devices. The company needs to provide me with hardware if they want that. I personally isolate all corp devices to their own network too. If an adversary can get into the corp laptop, they can then get inside my network… there have been cases of it happening in the past.

James Robinson | MVP (@SkipToEndpoint):
@UK_Daniel_Card @cyber_scrutiny So I've been reliably informed that's actually not the case and personal iOS devices can just be wiped if enrolled. Madness. More fuel on the fire that BYOD should be secured via App Protection without forcing enrolment.

Haroon (@cyber_scrutiny):
I've played with MDMs. MDMs cannot access/wipe anything outside Work Profile in the case of a BYOD (both Android & iOS). So in this case devices must have been enrolled as "fully managed" devices in the MDM. This is pretty bad if they were BYODs. Often employees don't know what level of permissions they've granted to their employer's MDM, simply because setting up Work Profiles on each device by the device owner is a bit of a geeky work for noobs. I'll be interested to know if Stryker faces a lawsuit by their employees if BYODs were wiped via their MDMs @Alph4betSoup
Quoting MG (@_MG_): the same post quoted above.

James Robinson | MVP (@SkipToEndpoint):
@UK_Daniel_Card @cyber_scrutiny I just managed to actually wipe my test iPhone that I'd enrolled as personal, but it required one key step: Changing the ownership from Personal to Corporate. Their admins were doing something they shouldn't have been doing, and the users would have been notified, too.

mRr3b00t (@UK_Daniel_Card):
@cyber_scrutiny Yeah it would be odd to enroll a personal device as a corporate one. Especially as that requires wiping the device to start with before it’s enrolled.

Stephen Devlin (@TheITCloudGuy):
Microsoft Connected Cache is a fantastic addition to any large network for Windows, Office, Edge updates as well as Intune App deployments. Really reduces the bandwidth requirements across the organisation. It's just a real shame that Microsoft still has not included Visual Studio updates! Is this on the roadmap @MicrosoftHelps? learn.microsoft.com/en-us/windows/…

James Robinson | MVP (@SkipToEndpoint):
@zsattler @ariaupdated Oh for sure, and it wasn't pointed at you. I just can't stand it when security products actively make you less secure, or security teams who don't understand when something is better 😉

Zach Sattler (@zsattler):
@SkipToEndpoint @ariaupdated Yep, have tried, and will continue to do so. Would like to use Autopatch and I said I liked the change, this wasn't a complaint against it, just noting an obstacle I've had trying to do so.

James Robinson | MVP (@SkipToEndpoint):
@zsattler @ariaupdated I'd argue that's something to take up with your vendor product rather than Autopatch. That seems like a pretty poor show from them.

Zach Sattler (@zsattler):
@ariaupdated I like this Aria, but we've had issues with a security vendor not respecting the Hotpatch build number as a valid fix for certain vulns. All they care about is the build number in the registry and if it doesn't meet that it throws red flags into our alerting, while protected.

James Robinson | MVP (@SkipToEndpoint):
@Centit Thanks! Yeah. I mean lots of it is there with the policies that still exist, but they haven't been kept up-to-date. My intention to begin with was to just apply the same across both.

Scott McDonnell (@Centit):
@SkipToEndpoint looking at your amazing openintune baselines, I had a question on the Chrome removal. I understand you want to direct to Edge but if Chrome was required would you suggest following Edge baselines as they are both Chromium based?

James Robinson | MVP (@SkipToEndpoint):
@FrankLesniak It's funny that MS publishes security recommendations for WSL (disable it all - learn.microsoft.com/en-us/windows/… under #recommended-settings) but hasn't integrated this into its own security baselines. AFAIK my OIB is the only one that follows that guidance.

James Robinson | MVP (@SkipToEndpoint):
@cnik80 Gotcha. I did have this thought and I ended up just assuming if you had that requirement you could just run two versions of the script targeted to different policies. I'll have a think. Warn/Block should be relatively simple.

Con N (@cnik80):
@SkipToEndpoint Thanks James! So basically we have a global policy where we might have a 10-day cadence, and a separate more aggressive policy (eg NHS) for a certain region where it's only a couple of days' cadence. Realise you have separate policies, though some users are fussy about notifications..

James Robinson | MVP (@SkipToEndpoint):
Keeping Intune compliance-related policies current shouldn’t be a manual chore, so I'm releasing IntuneComplianceMaintainer! ICM is a PowerShell tool that automatically keeps Intune compliance & app-protection policies aligned with supported OS versions across Windows, macOS, iOS/iPadOS, and Android! stte.me/automatecompli…

James Robinson | MVP (@SkipToEndpoint):
@cnik80 Can I ask what scenario a second parameter would be for? APP warn/block, I did think about that in a sort of "n-1" approach so I'll take a look at how I can implement. Thanks!

Con N (@cnik80):
@SkipToEndpoint This looks amazing James - something we will definitely be looking to use. Two potential 'feature requests' that would be super useful for us not sure if in pipeline - 1. Having a second 'cadenceDays' parameter if needing a bit more flexibility. 2. For APP can we have a value
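The cadence-per-policy and APP warn/block ("n-1") ideas discussed in this thread, worked through as an added PowerShell example. This is editor-written illustration, not IntuneComplianceMaintainer's code or anything from the page. The release list and dates are constructed sample data, the two cadence values (10 and 2 days) come from the thread, and the Graph property names in the request bodies (osMinimumVersion, minimumWarningOsVersion, minimumRequiredOsVersion) are from my reading of the Graph schema rather than from the page, so verify them against the Graph reference; nothing is sent to Graph here.

```powershell
# Added example (not IntuneComplianceMaintainer's code): derive compliance and
# app-protection OS floors from a release list plus a grace period in days.
# The release list is constructed sample data; the dates are not real.
$releases = @(
    [pscustomobject]@{ Version = [version]'17.6.1'; Released = [datetime]'2025-08-01' },
    [pscustomobject]@{ Version = [version]'18.0';   Released = [datetime]'2025-09-15' },
    [pscustomobject]@{ Version = [version]'18.0.1'; Released = [datetime]'2025-09-29' },
    [pscustomobject]@{ Version = [version]'18.1';   Released = [datetime]'2025-10-20' }
)

function Get-MinimumVersion {
    param(
        [Parameter(Mandatory)] [object[]] $Releases,
        [Parameter(Mandatory)] [int] $CadenceDays,
        [datetime] $AsOf = (Get-Date).Date
    )
    # A release becomes the enforced floor only once it has been out for
    # $CadenceDays, so users get that long to update before going non-compliant.
    $eligible = @($Releases |
        Where-Object { $_.Released.AddDays($CadenceDays) -le $AsOf } |
        Sort-Object -Property Version -Descending)
    if ($eligible.Count -eq 0) {
        # Nothing has aged past the cadence yet: fall back to the oldest
        # release rather than raising the floor to something just shipped.
        return @($Releases | Sort-Object -Property Version)[0].Version
    }
    return $eligible[0].Version
}

function Get-AppProtectionThresholds {
    param(
        [Parameter(Mandatory)] [object[]] $Releases,
        [Parameter(Mandatory)] [int] $CadenceDays,
        [datetime] $AsOf = (Get-Date).Date
    )
    # "n-1": warn on the current floor, block one release further behind.
    $warn  = Get-MinimumVersion -Releases $Releases -CadenceDays $CadenceDays -AsOf $AsOf
    $older = @($Releases | Where-Object { $_.Version -lt $warn } |
        Sort-Object -Property Version -Descending)
    $block = if ($older.Count -gt 0) { $older[0].Version } else { $warn }
    [pscustomobject]@{ Warn = $warn; Block = $block }
}

# Two cadences from the thread: a 10-day global policy and a 2-day policy for
# a more aggressive region. Evaluated at a fixed date so the result is stable.
$asOf   = [datetime]'2025-10-25'
$global = Get-MinimumVersion -Releases $releases -CadenceDays 10 -AsOf $asOf
$urgent = Get-MinimumVersion -Releases $releases -CadenceDays 2  -AsOf $asOf
$app    = Get-AppProtectionThresholds -Releases $releases -CadenceDays 10 -AsOf $asOf

# Request bodies the values would be patched into. Property names are from my
# reading of the Graph schema, not from the page: verify them in the Graph
# reference before use. Nothing is sent; this only shapes the JSON.
$compliancePatch = @{
    '@odata.type'    = '#microsoft.graph.iosCompliancePolicy'
    osMinimumVersion = $global.ToString()
} | ConvertTo-Json

$appProtectionPatch = @{
    '@odata.type'            = '#microsoft.graph.iosManagedAppProtection'
    minimumWarningOsVersion  = $app.Warn.ToString()
    minimumRequiredOsVersion = $app.Block.ToString()
} | ConvertTo-Json

"Global floor: $global`nUrgent floor: $urgent`nAPP warn/block: $($app.Warn) / $($app.Block)"
$compliancePatch
$appProtectionPatch
```

With the constructed dates, the 10-day cadence settles on 18.0.1 because 18.1 has only been out for five days, while the 2-day cadence moves straight to 18.1; the APP pair on the 10-day cadence warns at 18.0.1 and blocks at 18.0. Running the same function twice with different cadence values against the same release list is the "two versions of the script targeted to different policies" approach described above; a second cadence parameter would just be a second call with the result written to a second policy body.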

James Robinson | MVP (@SkipToEndpoint):
@Mister_MDM And if your organisation is using a proxy then it's probably broken WNS so this is unlikely to work at all 🫠

Rudy Ooms (@Mister_MDM):
Remote Sync in Intune behaves very differently than most people think. Let me explain... Pressing the Sync button in Intune doesn’t directly send policies to the device. It delivers a push signal (wake-up call), and the device decides whether to start the management session immediately or schedule it, based on how deviceenroller classifies the request. The flow moves through WNS, WNF, PushLaunch, deviceenroller, and only then the policies come down. This post builds on the earlier blog about how Intune syncs policies vs apps and zooms in on what really happens behind the Remote Sync button. #Intune #MSIntune #Windows #Windows11 patchmypc.com/blog/what-real…

James Robinson | MVP (@SkipToEndpoint):
@acjuelich That's expected behaviour now. They no longer merge the objects. I imagine it was computationally expensive or something.

Adam Juelich (@acjuelich):
In this environment, the Autopilot record is separate from the Hybrid-joined Intune-enrolled record on almost all devices for some reason. We need to assign about a dozen profiles to some assigned groups. Trying to think how I can make this easier. #MSIntune

James Robinson | MVP (@SkipToEndpoint):
@NathanMcNulty Yeah this one caught me a while back. Totally unsurprisingly given this is the timeline we're stuck in...

Nathan McNulty (@NathanMcNulty):
I hereby apologise to CISSPs, or NIST, or I don't even know... 🤷‍♂️