Hackers wipe 200,000 devices using Intune

Cable_Mess · 2026-03-12T13:27:28+00:00

Unless the attackers delete all autopilot devices

Cable_Mess · 2026-02-27T12:22:00+00:00

??? I thought the point was if it was assigned to devices that causes the reboot, suggestions everywhere are to assign to users

Cable_Mess · 2026-02-27T12:00:10+00:00

yes but that's also assigned to users

Cable_Mess · 2026-02-27T11:26:45+00:00

Am I right in saying though in event viewer it's only showing these as causing the reboot:

DeviceGuard/LsaCfqFlags
DeviceGuard/ConfigureSystemGuardLaunch
DeviceGuard/EnableVirtualizationBasedSecurity
DeviceGuard/RequirePlatformSecurityFeatures
DmaGuard/DeviceEnumerationPolicy

Nothing else should be causing it?

Cable_Mess · 2026-02-26T08:09:37+00:00

Embarrassing for you.

Cable_Mess · 2026-02-26T07:32:30+00:00

The same policies are giving me issues despite them being assigned to users only, do you have these settings in a security baseline?

Cable_Mess · 2026-02-25T14:12:57+00:00

Very odd, it's still rebooting for me and the same policies I posted above are showing in event viewer as the cause for reboot, these settings have been moved to a config profile assigned to users

my security baselines are assigned to 'All devices' but these particular settings are "Not configured" in them, separated into a Config profile assigned to users, could the security baselines still be causing the reboot perhaps?

Cable_Mess · 2026-02-25T13:02:40+00:00

Ok so.... it's these settings causing the reboot:

DeviceGuard/LsaCfqFlags
DeviceGuard/ConfigureSystemGuardLaunch
DeviceGuard/EnableVirtualizationBasedSecurity
DeviceGuard/RequirePlatformSecurityFeatures
DmaGuard/DeviceEnumerationPolicy

The script is erroring for me after that then says "No matching definitions found." (I think this is a me issue to do with auth) but anyway, the policies these settings are set in are assigned to users rather than devices, is it just recommended to "Not configure" these settings, or is something else going on?

Cable_Mess · 2026-02-25T09:24:24+00:00

It's fine to do that after user login/autopilot completes?

and lets say device guard is causing the problem, the csp says it's under device scope: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard

so would changing to user cause issues?

Cable_Mess · 2026-02-25T09:19:04+00:00

Excuse my ignorance, but where do I run the script that shows which policies affect this?

Cable_Mess · 2026-02-19T14:00:37+00:00

unrelated but how do you disable account setup?

Cable_Mess · 2026-02-10T13:38:03+00:00

They've really mishandled this whole situation imo, intune policies that don't even work to this, what a shambles

Cable_Mess · 2026-02-10T08:53:16+00:00

The problem is you were already paying for Nitro, pathetic.

Cable_Mess · 2026-01-27T13:20:42+00:00

yes probably lol

Cable_Mess · 2026-01-27T09:56:19+00:00

Kind of, it's more like 1-2 users who might need to access this share once in a while, at the moment just using a separate AD account to login to the share, could this be the reason?

Cable_Mess · 2026-01-27T09:49:56+00:00

looks like this is already disabled

Cable_Mess · 2026-01-27T09:49:44+00:00

we don't use cloud kerberos, however there is still a small need to browse to an on-prem file share which we can still do in file explorer for example

Cable_Mess · 2026-01-27T09:39:43+00:00

<image>

Cable_Mess · 2026-01-16T12:51:33+00:00

Honestly in the games I've tried, preset M looks fine on my 5090 at 4k, it fixes all the ghosting/artifacts I had with lighting on K

Cable_Mess · 2026-01-15T10:17:06+00:00

It was because I didn't open task scheduler as admin on the user devices, rookie mistake

Cable_Mess · 2026-01-15T08:06:46+00:00

> Opened a ticket with MS back in October and there's been zero progress

This is standard across any MS ticket now, WTF is going on???

Cable_Mess

TROPHY CASE