James Robinson | MVP

1.5K posts

@SkipToEndpoint

Microsoft MVP - Intune and Windows | Cloud-Native Endpoint Advocate | Neurodivergent Loudmouth | All thoughts my own

Brighton, England. Joined April 2022
231 Following, 1.9K Followers
James Robinson | MVP reposted
Micke Karlsson @Micke_K_72
3.10.3 Released. Added Win32 app Install/Uninstall script support and Windows Quality Update Policies. Fixed category import, JSON property order for Git tracking + multiple documentation fixes. See github.com/Micke-K/Intune… for more info
James Robinson | MVP @SkipToEndpoint
So that's basically the entire point of the OIBID I've added. If the GUID in the description matches, it doesn't matter what the policy name is (which was my first crude implementation). The only thing I'm not doing (cos it's much harder to do) is per-policy settings checks.
Adam Juelich @acjuelich
This is really an awesome solution and it has gotten so easy to implement and support. One thing I'd like to see (unless I missed it) is to specify your own naming convention template so it can match your current structure.
Quoting James Robinson | MVP @SkipToEndpoint:
🚨#OIB #Windows v3.8 & #OIBDeployer updates! I've just released v3.8 of the Windows OIB, which adds some cool things, as well as squashing a bunch of #community submitted bugs! Most importantly, I'm adding policy tracking through unique "OIBID"s, meaning much more flexible options when it comes to policy management through my OIB Deployer tool! Speaking of which, I've updated that too! A small face-lift (including dark mode!), API call improvements, and the functionality to support the new OIBID checks. Full Windows v3.8 Changelog here: stte.me/oibwin3dot8 Deploy or Update it in your tenant here: stte.me/deployoib To everyone that continues to provide support, feedback, and trust in this little project that's gotten way bigger than I ever thought it would - Thank you. 💛
James Robinson | MVP @SkipToEndpoint
@marrrkkkuuu @Mister_MDM Much easier to just deploy a Local Group Management policy to remove anything you don't specifically want in that group out of it anyway rather than relying on compliance.
Markku Ikäheimo @marrrkkkuuu
@Mister_MDM Great post, never considered this scenario. I’m thinking a custom compliance script to mark non-compliant if any user is detected as a member of the local Administrators group.
Rudy Ooms @Mister_MDM
Autopilot Profile Missing: Why Didn’t Enrollment Restrictions Block It? We all have seen it. A device registered with the Autopilot service still ends up with a random computer name and the user being a local admin. The first reaction is usually simple... The Autopilot profile did not apply, so this must be a personal device now. And if personal devices are blocked with MDM enrollment restrictions, it should have blocked the enrollment. Well… not always. Read the @PatchMyPC blog for all the details! #Intune #PatchMyPC #MSIntune #Windows11 patchmypc.com/blog/the-autop…
James Robinson | MVP @SkipToEndpoint
@snr_boost @JenMsft I mean there's plenty of awful things I've seen IT teams do... That's definitely not the behaviour I'd expect to get though. Any colleagues seeing the same thing?
James Robinson | MVP @SkipToEndpoint
@snr_boost @JenMsft Have you run a debloat tool or something, cos "display" should absolutely bring up exactly what you want immediately
James Robinson | MVP @SkipToEndpoint
@SwiftOnSecurity So you're saying it's not normal that I know every single setting I've put in my OpenIntuneBaseline? Huh...
James Robinson | MVP @SkipToEndpoint
I'm going to go against the grain here and say that the knee-jerk reaction happening after the #Stryker incident is stupid. All of a sudden I'm seeing tons of security people now shouting that #Intune Multi Admin Approval needs to be deployed, yet for years they've not even considered that a device management platform is a core part of an org's security posture. What's worse is from my personal experience presenting topics on this exact issue, they've been actively gatekeeping security from your endpoint management teams, creating a horrible siloed culture. Stryker wasn't a critical failure in the endpoint management platform, it was just another Identity-driven attack where the proper attention to controls around least privilege, Conditional Access and authentication enforcement had been poorly implemented. Intune RBAC and Multi Admin Approval provide strong additional layers of security, but both come at a significant cost to day-to-day operational overhead that many orgs are just NOT prepared or set up to deal with. While I'm glad that it's making security folk realise that Device Management IS Security (something I've been banging on about for years at this point), you don't get to suddenly demand implementation of a thing just because you read something on the internet when you haven't done your part in shoring up security gaps. Stop living in a silo, collaborate, engage. Security is everyone's responsibility, and only working together will provide positive outcomes.
James Robinson | MVP @SkipToEndpoint
@RustySowers That's such dated thinking. The "all eggs in one basket" isn't a problem. It's the siloed nature of properly implementing the tools available that causes breaches. Good luck adequately reducing security gaps in a bunch of products that struggle to talk to each other properly.
James Robinson | MVP @SkipToEndpoint
@deepthought161 Then you may be surprised to know how many orgs are massively siloed, or security teams that gatekeep "security".
deepthought16 @deepthought161
@SkipToEndpoint They have always been part of security. At least when I talk to my clients I place them as a risk if not given the proper attention.
James Robinson | MVP @SkipToEndpoint
An employer making a decision that you have to enrol BYOD is clueless that BYOD is a service they're providing. If anyone tried to force me to enrol a device for the pleasure of getting bugged in my own time, I'd tell them where to swivel. Everyone else should too.
BlackRoomSec @blackroomsec
The last time I discussed BYOD I got TROUNCED in the comments 😂 so maybe now that hacker MG is saying it, it'll make a difference? I carry two phones if I have to. The company is never getting access to any personal device of mine because aside from it being a security risk for me it's also security risk for them given all the toxic shit I have on my computers. Also in lawsuits they get to keep your personal devices so that's never happening.
Quoting MG @_MG_:
If you use a personal phone/laptop for your work, pay very close attention to this little detail. Iran attackers wipe 200k devices at a company called Stryker. Within those devices appears to be employees' PERSONAL devices. The attackers used the company's MDM software, which is basically IT management software running on everything. It's an incredibly attractive backdoor to an attacker. I successfully targeted MDM software for several Red Team engagements. It's… lots of fun :) Anyway, a lot of companies require you to install their MDM software on your personal devices before you can access resources like Corp email. It's used to keep devices updated, lock things down if they get stolen, etc. The company often promises that they won't access personal data, erase any personal data, etc. But this is often ONLY POLICY. If a bad actor gains access to the MDM tool, as was the case here, then anything can happen. People should be aware of these risks. I refused to run MDM software on any of my personal devices. The company needs to provide me with hardware if they want that. I personally isolate all corp devices to their own network too. If an adversary can get into the corp laptop, they can then get inside my network… there have been cases of it happening in the past.
James Robinson | MVP @SkipToEndpoint
@UK_Daniel_Card @cyber_scrutiny So I've been reliably informed that's actually not the case and personal iOS devices can just be wiped if enrolled. Madness. More fuel on the fire that BYOD should be secured via App Protection without forcing enrolment.
Haroon @cyber_scrutiny
I've played with MDMs. MDMs cannot access/wipe anything outside Work Profile in the case of a BYOD (both Android & iOS). So in this case devices must have been enrolled as "fully managed" devices in the MDM. This is pretty bad if they were BYODs. Often employees don't know what level of permissions they've granted to their employer's MDM, simply because setting up Work Profiles on each device by the device owner is a bit of geeky work for noobs. I'll be interested to know if Stryker faces a lawsuit by their employees if BYODs were wiped via their MDMs @Alph4betSoup
Quoting MG @_MG_ (the same tweet quoted in full above).
James Robinson | MVP @SkipToEndpoint
@UK_Daniel_Card @cyber_scrutiny I just managed to actually wipe my test iPhone that I'd enrolled as personal, but it required one key step: Changing the ownership from Personal to Corporate. Their admins were doing something they shouldn't have been doing, and the users would have been notified, too.
mRr3b00t @UK_Daniel_Card
@cyber_scrutiny Yeah it would be odd to enroll a personal device as a corporate one. Especially as that requires wiping the device to start with before it’s enrolled.
Stephen Devlin @TheITCloudGuy
Microsoft Connected Cache is a fantastic addition to any large network for Windows, Office, Edge updates as well as Intune App deployments. Really reduces the bandwidth requirements across the organisation. It's just a real shame that Microsoft still have not included Visual Studio updates! Is this on the roadmap @MicrosoftHelps? learn.microsoft.com/en-us/windows/…
James Robinson | MVP @SkipToEndpoint
@zsattler @ariaupdated Oh for sure, and it wasn't pointed at you. I just can't stand it when security products actively make you less secure, or security teams who don't understand when something is better 😉
Zach Sattler @zsattler
@SkipToEndpoint @ariaupdated Yep, have tried, and will continue to do so. Would like to use Autopatch and I said I liked the change, this wasn't a complaint against it, just noting an obstacle I've had trying to do so.
James Robinson | MVP @SkipToEndpoint
@zsattler @ariaupdated I'd argue that's something to take up with your vendor product rather than Autopatch. That seems like a pretty poor show from them.
Zach Sattler @zsattler
@ariaupdated I like this Aria, but we've had issues with a security vendor not respecting the Hotpatch build number as a valid fix for certain vulns. All they care about is the build number in the registry and if it doesn't meet that it throws red flags into our alerting, while protected.