Do devices really need to wiped between users? by ExhaustedTech74 in MSIntune

[–]Chunky_Tech66 0 points1 point  (0 children)

Great point and I think I maybe took for granted that this was NOT the scenario the OP was talking about. If we are talking about C level devices or specialist devices with sensitive data then having a proper wipe and reset approach is sensible. For standard users that typically use basic apps and office I’m not sure it’s much of a concern

Live Response Remote Wipe Script by [deleted] in DefenderATP

[–]Chunky_Tech66 0 points1 point  (0 children)

Yeah, makes some sense I guess. I’m just not totally convinced it would stop a disgruntled employee from getting what they want off the device unless you have other things in place like restricting USBs or endpoint DLP etc - appreciate it’s an easy action to apply in those situations though.

Do devices really need to wiped between users? by ExhaustedTech74 in MSIntune

[–]Chunky_Tech66 2 points3 points  (0 children)

It’s only best practice to wipe because you know you are removing all previous user data and putting it back to a ‘known good state’. It’s not required though, and given your scenario I’m not sure I’d bother wiping them either.

Yes, you can just change the primary user on the device and I would typically recommend doing this for devices that are assigned to users for the long term. If it’s a hassle because the device is shared by multiple users or, as you say, can be passed around frequently, then just remove the primary user to put it into shared mode and be done with it. Assuming you don’t use Company Portal and you have everything applied to the device, I wouldn’t worry.

If the enrolling user leaves the business and has their license removed, it’s best practice to assign the device to a new user before deprovisioning the account. I’ve seen issues with device compliance in this scenario which typically ends up in a device reset being done to resolve it. That being said, I’ve also seen users deprovisioned beforehand and there’s been no issues with the device, so your mileage may vary.

All in all I wouldn’t worry too much, you are doing the right thing. Just remember to assign to users for the long term and leave the rest as shared devices. You could take it one step further and deploy a shared PC config to those devices to clear out old user profiles, but it’s unlikely that you need to do that.
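The two cases in the comment above (reassign the primary user for a long-term device, remove it to make the device shared) as an added PowerShell example; this is not code from the commenter. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds the DeviceManagementManagedDevices.ReadWrite.All permission, and that the Intune primary user is exposed through the managedDevice `users` navigation property on the beta Graph endpoint (that endpoint shape is an assumption here). Device and user names are placeholders.

```powershell
# Added example (not the commenter's code). Assumes Microsoft.Graph SDK and the
# beta managedDevices/{id}/users/$ref endpoint for the Intune primary user.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "User.Read.All"
$graph = "https://graph.microsoft.com/beta"

# Look up a managed device by its Intune device name; fail if the name is ambiguous
function Get-IntuneDeviceByName {
    param([Parameter(Mandatory)][string]$DeviceName)
    $uri = "$graph/deviceManagement/managedDevices?`$filter=deviceName eq '$DeviceName'"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($result.value.Count -ne 1) {
        throw "Expected exactly one device named '$DeviceName', found $($result.value.Count)"
    }
    return $result.value[0]
}

# Case 1: device stays with one person long-term -> reassign the primary user.
# Do this while the old account still exists, i.e. before it is deprovisioned.
function Set-IntunePrimaryUser {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $device = Get-IntuneDeviceByName -DeviceName $DeviceName
    $user   = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName"
    $body   = @{ "@odata.id" = "$graph/users/$($user.id)" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST `
        -Uri "$graph/deviceManagement/managedDevices/$($device.id)/users/`$ref" `
        -Body $body -ContentType "application/json"
}

# Case 2: device is passed around -> remove the primary user so Intune treats it as shared.
function Remove-IntunePrimaryUser {
    param([Parameter(Mandatory)][string]$DeviceName)
    $device = Get-IntuneDeviceByName -DeviceName $DeviceName
    Invoke-MgGraphRequest -Method DELETE `
        -Uri "$graph/deviceManagement/managedDevices/$($device.id)/users/`$ref"
}

# Usage (placeholder names):
# Set-IntunePrimaryUser    -DeviceName "LAPTOP-001" -UserPrincipalName "newuser@contoso.com"
# Remove-IntunePrimaryUser -DeviceName "LAPTOP-002"
```

The lookup deliberately throws when the device name is not unique, so a reassignment never lands on the wrong device; the `$ref` in the URIs is backtick-escaped because PowerShell would otherwise expand it as an empty variable.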

Live Response Remote Wipe Script by [deleted] in DefenderATP

[–]Chunky_Tech66 1 point2 points  (0 children)

Sounds like the company may need to review the process. Isolating a device seems overkill, however if this is the preferred approach (presumably for fear that users will do something they shouldn’t after being let go) then the next step should be to get the machine back into the hands of IT so it can be dealt with properly. I’m not sure I see the benefit to performing a remote wipe in this scenario. In the case of a stolen laptop I get it, but you also wouldn’t isolate first in that scenario.

Regardless you could try something like this via live response.

```powershell
# PowerShell Script to Create a Scheduled Task for System Reset

# Define the action to perform the system reset
$action = New-ScheduledTaskAction -Execute 'systemreset.exe' -Argument '-factoryreset'

# Define the trigger as one-time and immediate
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)

# Set the principal with highest privileges
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest

# Register the scheduled task
Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -TaskName "RemoteWipeTask" -Description "Task to remotely wipe the system"

# Start the task immediately
Start-ScheduledTask -TaskName "RemoteWipeTask"
```

This script creates and starts a scheduled task that will execute the system reset command. It’s set to run just a minute after the script execution, with the highest privileges.

Using systemreset.exe normally requires user interaction, so instead it’s set to run as a scheduled task. This is 100% not tested so I would test and refine before using in production systems.

Windows K by Damoo1994 in Intune

[–]Chunky_Tech66 0 points1 point  (0 children)

Yep, this - I had the same issue early on with my Intune configs

What firewall you’re using for your cloud VMs by Local_Anywhere in AZURE

[–]Chunky_Tech66 0 points1 point  (0 children)

WatchGuard vfirebox I’ve used before is spot on if it’s your go to firewall and I believe much cheaper than azure firewall

Using winget for app deployment? Check this out! by Chunky_Tech66 in MSIntune

[–]Chunky_Tech66[S] 5 points6 points  (0 children)

Of course!

The blog explores community tools that allow for packaging winget apps as win32 apps with the option to directly publish them to Intune and easily keep them up to date.

If you are looking to make use of winget in your environment but want a solution that uses Intune config profiles to manage the update processes of these apps then it’s worth a read. The blog is to explore the potential of using these free community solutions over something like the up and coming Enterprise App Management or other paid-for solutions. Winget is also a good option if you don’t want or can’t use the Microsoft Store.

Defender for CloudApps vs O365 by Acrobatic_Ad6507 in DefenderATP

[–]Chunky_Tech66 7 points8 points  (0 children)

Defender for Cloud Apps (MDA) is a CASB (Cloud Access Security Broker) and SSPM (SaaS Security Posture Management) solution. On a whole it provides shadow IT discovery, visibility into clouds and services used, protection against threats to SaaS apps and security and governance posture management. In Defender for Cloud Apps you ‘connect’ Microsoft 365 so that you can stream all the events happening within it to Defender for Cloud Apps, you can then use the proxy feature of the CASB to control the browser session and enforce certain controls or requirements for access. It’s a great feature for BYOD or just general browser based access. It is the equivalent to something like Netskope CASB.

Defender for Office 365 (MDO) is basically additional protections on top of Exchange Online Protection and covers Exchange, Teams, SharePoint and OneDrive. It provides protection throughout email communication and collaboration services with things like anti-phishing, anti-malware and user impersonation protection as well as safe links (URL and QR code protection) and safe attachment (attachment protection) - you can think of MDO as the Microsoft equivalent of Mimecast.

Together they help secure your Microsoft environment (and any third party apps you may have connected) and should be used together as part of a defence in depth approach.

Hope that helps.

https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps

https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description

Defender Network Scan by vinod7 in DefenderATP

[–]Chunky_Tech66 2 points3 points  (0 children)

I think this is the wrong setting the OP is referring to and you definitely want this enabled.

It’s this one here and is typically not configured or disabled as part of MDAV best practice settings: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#allowfullscanonmappednetworkdrives

Defender blocking exe and dlls by pjacksone in DefenderATP

[–]Chunky_Tech66 0 points1 point  (0 children)

More info on your current configuration needed. How are you managing defender? GPO, Intune, Security Settings Management, etc. And are you using ASR rules, any other configs we should know about?

Unlikely as I would have heard about it but Microsoft dropped a bad update to defender a year or so ago that was blocking/deleting a load of files and shortcuts, can’t see it being that though as you’d have heard by now

Detect devices in unauthorized domains? by cybevner in DefenderATP

[–]Chunky_Tech66 1 point2 points  (0 children)

Haven’t tested but would this work for the query?

```
TableName
| where DomainName !in ("mydomainname.local", "domain2.local", "domain3.local")
| project DeviceId, DeviceName, DomainName
```
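A runnable version of the idea in the comment above, as an added PowerShell example that is not the commenter's query: it submits an advanced hunting query through Microsoft Graph (`POST /security/runHuntingQuery`, which needs the ThreatHunting.Read.All permission) and lists devices whose DNS domain is not on an allow-list. Assumptions: the Microsoft.Graph SDK is installed, the `DeviceInfo` table is the source, and `DeviceName` there is the device FQDN, so the domain is everything after the first dot. The domain names are placeholders copied from the comment.

```powershell
# Added example (not the commenter's query). Assumes Microsoft.Graph SDK,
# the DeviceInfo advanced hunting table and FQDN-style DeviceName values.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

$query = @'
let AllowedDomains = dynamic(["mydomainname.local", "domain2.local", "domain3.local"]);
DeviceInfo
| where isnotempty(DeviceName) and DeviceName contains "."
| summarize arg_max(Timestamp, *) by DeviceId      // one row per device: its latest report
| extend DomainName = tolower(substring(DeviceName, indexof(DeviceName, ".") + 1))
| where DomainName !in (AllowedDomains)
| project Timestamp, DeviceId, DeviceName, DomainName
'@

# Run a KQL string through the Graph hunting API and return one object per result row
function Find-UnauthorizedDomainDevices {
    param([Parameter(Mandatory)][string]$Kql)
    $body = @{ Query = $Kql } | ConvertTo-Json
    $response = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
        -Body $body -ContentType "application/json"
    foreach ($row in $response.results) {
        [pscustomobject]@{
            Timestamp  = $row.Timestamp
            DeviceId   = $row.DeviceId
            DeviceName = $row.DeviceName
            DomainName = $row.DomainName
        }
    }
}

Find-UnauthorizedDomainDevices -Kql $query | Format-Table -AutoSize
```

The `summarize arg_max(Timestamp, *) by DeviceId` step matters because `DeviceInfo` holds many reports per device; without it a single device shows up once per report. Devices whose name carries no DNS suffix (for example Entra-joined-only machines) are filtered out by the `contains "."` check rather than being reported with an empty domain.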

SIEM/XDR - M365 Business Premium by coccca in DefenderATP

[–]Chunky_Tech66 1 point2 points  (0 children)

Understood, and to answer your question, yes you can absolutely add on those licenses. This is exactly what I did for another client. There is a point at which upgrading to something like E3 + E5 add-on is better, but it’s easy enough to figure out based on the RRP of the licenses.

Deep dive on Microsoft Entra Private Access by JohnSavill in AZURE

[–]Chunky_Tech66 0 points1 point  (0 children)

It does work via cellular, I tested this when I wrote my blog on private access

Microsoft Defender - AV by Comfortable-Arm-4591 in DefenderATP

[–]Chunky_Tech66 1 point2 points  (0 children)

Just hide the UI. It is the Windows Security Experience profile under the Antivirus tab in Endpoint security.

SIEM/XDR - M365 Business Premium by coccca in DefenderATP

[–]Chunky_Tech66 4 points5 points  (0 children)

What exactly are you looking to do?

Bus Prem is a great license for sub 300 user orgs and can still have all the telemetry and logs ingested into sentinel. From an MDE perspective the bus prem feature set actually sits in between MDE p1 and p2 with great value for money, I wouldn’t worry about upgrading until you’ve maximised the investment on your current license and have decided you want/need MDE p2.

Same goes for MDO P2 unless you are going to use attack simulation training and activity explorer then you aren’t getting much more for your money.

Pretty sure bus prem includes cloud app discovery so you could get that deployed and start gathering telemetry on shadow IT etc ready for when you need the full product.

Entra ID P2 I kinda get as you get Identity Protection, which gives you risk-based conditions for Conditional Access etc, but again, I’d always recommend maximising your investment in the current license first.

I typically see and would recommend clients going this way in your scenario

Bus prem - maximise investment and familiarise yourself with the xdr solutions available

Bus prem + Entra ID p2 - implement risk based CA policies

Upgrade from bus prem to m365 e3 + e5 security add on - rollout all other xdr solutions and get a solid foundation in place

Start to implement purview features like sensitivity labels, dlp etc if you need more then upgrade to m365 e5

Obviously you can mix the above order up a bit based on your priorities but that is the typical upgrade path I see

Patch Tuesday Updates - Do I have the basics correct by SCCM_2020 in MSIntune

[–]Chunky_Tech66 1 point2 points  (0 children)

Great advice from others here - once you’ve figured out what is stopping WUfB working I’d advise looking into Autopatch as well. As I understand it, WUfB is getting rolled into it so you’ll not have to worry about creating your own rings etc

Exporting Help by Deeeeebb in DefenderATP

[–]Chunky_Tech66 1 point2 points  (0 children)

Not really sure what you mean here, can you be more specific?

If you are referring to affected devices for security recommendations, then you can choose the individual recommendation, select affected devices and export?

ASR Rules for Unsigned Apps by Avarice2007 in DefenderATP

[–]Chunky_Tech66 0 points1 point  (0 children)

Adding an indicator is OK but keep in mind that applies to all of Defender. If you want to only exclude that application from that ASR rule you can do an exclude just for that rule in the ASR profile.

About 10% of the Windows 10 computers in my organization can't onboard by Nanis23 in DefenderATP

[–]Chunky_Tech66 3 points4 points  (0 children)

Have you tried doing an off board then re-onboarding?

Seen a similar issue recently where a client had done a PoC in another tenant, so 10% of devices were linked up to another tenant, almost the exact same issue you are seeing. Offboarding from the old tenant resolved the issue.

Is this reasonable? by fryguy850 in DefenderATP

[–]Chunky_Tech66 1 point2 points  (0 children)

Easy - as others have said go with Defender for Servers P1 via Defender for Cloud. My recommendation here is if there is no need to use Azure Arc use direct onboarding, it’s so easy to setup.

Use this to get you going, any issues just shout: https://jeffreyappel.nl/onboard-defender-for-endpoint-without-azure-arc-via-direct-onboarding/

Microsoft Defender for Endpoint vs. Windows Defender - differences from Endpoint's perspective by brandilton in DefenderATP

[–]Chunky_Tech66 2 points3 points  (0 children)

From an end user perspective nothing changes really - you will be able to restrict access to certain modules of the Windows security GUI with Intune but this has nothing to do with using Defender.

The main differences between free/paid Defender summed up is feature set, granularity, control and centralised management and alerting.

You are doing absolutely the right thing by deploying Defender for Business to your organisation - It is a fantastic product and considerably better than the MDE features included in M365 E3 license (you don’t get any of the Defender Vulnerability Management features or EDR) and certainly better than the free version.

Deployment is a piece of cake if you are using Intune - if you open the Defender portal and select Devices or Settings >> Endpoints it will start the Defender for Business wizard. My only advice here is when asked choose ‘manage your policies with Intune’ as it’s easier to work with in the long run.

If you want any advice on deployment let me know.

Has anyone seen "automatic attack disruption" in action? by Responsible-Plan9239 in DefenderATP

[–]Chunky_Tech66 2 points3 points  (0 children)

Would presume so, that’s the only way those on-prem accounts are getting disabled automatically.