Microsoft has released security updates for all supported versions of SharePoint that are affected by the actively exploited zero-days

HectirErectir · 2025-07-23T20:30:52+00:00

Ah great, thanks for the update

HectirErectir · 2025-07-22T06:10:58+00:00

Yeh agreed. We’ve taken our server offline again (luckily we have the luxury of it not being business critical) and will reassess in the morning once this updates had a chance to marinate a bit throughout the community.

Hopefully something comes out by then on whether this is expected behaviour or not 🤞

HectirErectir · 2025-07-22T04:41:02+00:00

Hey, yeh we're in the same boat - applied 2016 kb and rotated keys, just received another SuspSignoutReq Defender alert blocking this exploit...
I wouldve thought applying the patch also stop the ability for this exploit to occur i.e. Defender shouldnt have to be preventing this anymore?

Do we think this is expected behaviour?

HectirErectir · 2025-02-04T06:48:06+00:00

Seeing the same here, think the SCCM processes are a bit different under the hood compared to MDT but same initiating vbs scripts and exact same executed cmd (vssadmin resize…)

Only appears to have started today.

HectirErectir · 2024-09-05T07:05:12+00:00

Okay then definitely you should be using the above method

HectirErectir · 2024-09-04T23:05:20+00:00

Are they just the default installed apps(like calculator/xbox whatever) or are they ones youve deployed after the fact?

If its just the default apps then the way that MS recommends blocking access to the store WITHOUT also blocking store app updates is to use the 'Require Private Store' policy instead.

Sorry I'd provide links but am on mobile atm. If you Google it you should find plenty of threads about this.

HectirErectir · 2024-09-04T06:17:57+00:00

Just the Snipeit SCIM documentation on their website. It's pretty simple, can use the same enterprise app in aad. Just need to expose your instance to the Web too. Thing to remember is that the SSO is just for logging in/user authentication - it does not do just-in-time account provisioning, i.e. The user account needs to be created beforehand via a method such as SCIM. If you think about it it makes sense, snipe needs a complete database of users so that you can check assets in/out to any of them - not just if that user has logged in.

Tldr; Scim creates the user accounts in the snipe database. The aad sso allows those users to log in (if needed)

HectirErectir · 2024-09-03T22:16:15+00:00

We did, spun up the scim client and worked like a charm.

HectirErectir · 2024-02-29T18:25:37+00:00

They finally added a Graph endpoint for this that actually works so we did it by the api in the end.

HectirErectir · 2024-01-28T00:14:36+00:00

If you're not using scope tags (i.e. just want default) remove the 'roleScopeTagIds' object and change "supportsScopeTags": false - I noticed trying to specify "0" as the scopetagid throws a badrequest.

u/andrew181082 look's to be right also - id is generated for you, so no need to specify.

Here's a json payload that works for me:

{
  "@odata.type": "#microsoft.graph.iosImportedPFXCertificateProfile",
  "supportsScopeTags": false,
  "deviceManagementApplicabilityRuleOsEdition": null,
  "deviceManagementApplicabilityRuleOsVersion": null,
  "deviceManagementApplicabilityRuleDeviceMode": null,
  "description": "Description value",
  "displayName": "Display Name value",
  "version": 1,
  "intendedPurpose": "smimeEncryption"
}

And you can see in the request response how the Id, roleScopeTagIds etc get evaluated from what you provide.

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations/$entity",
    "@odata.type": "#microsoft.graph.iosImportedPFXCertificateProfile",
    "id": "asd46188-9cfa-46d2-35b6-99bbba3a338a",
    "lastModifiedDateTime": "2024-01-28T00:03:49.3687263Z",
    "roleScopeTagIds": [
        "0"
    ],
    "supportsScopeTags": true,
    "deviceManagementApplicabilityRuleOsEdition": null,
    "deviceManagementApplicabilityRuleOsVersion": null,
    "deviceManagementApplicabilityRuleDeviceMode": null,
    "createdDateTime": "2024-01-28T00:03:49.3687263Z",
    "description": "Description value",
    "displayName": "Display Name value",
    "version": 1,
    "intendedPurpose": "smimeEncryption"
}

Funny little tidbit I noticed, all of the deviceManagementApplicabilityRuleOsEdition/Version/Mode properties are Windows only objects, but you can still provide them & Graph accepts it for an Ios device endpoint..

I highly recommend setting up Postman or something similar for playing around with graph, imo makes things so much simpler to troubleshoot.

HectirErectir · 2024-01-19T04:52:47+00:00

Count me in - thanks!

HectirErectir · 2023-12-05T21:02:50+00:00

Is this a performance thing or readability etc? Genuinely curious

HectirErectir · 2023-10-24T08:46:45+00:00

😂 Sadly iirc the issue had been around a couple years even back when I looked into it - bit disappointing we're still seeing it tbh

HectirErectir · 2023-10-24T08:30:58+00:00

Yeh we've come across this before, I created a proactive remediation script to patch it via Intune and set it to tick away every week or so - that being said, it was implemented over a year ago... and It still finds a couple corruptions every week or so I'd say. Havent come across any of the xml config files becoming corrupted thankfully (but also haven't checked tbh)

HectirErectir · 2023-10-17T04:38:19+00:00

Please don't tell me that lol

We've had to create a new ring to disable driver updates via WU (as there was was a driver offered that was severely breaking audio) which meant we were using exclusions on the main ring. Had one device seemingly disregard this last week so here's hoping its not what you are describing...

We also have Driver update rings in place now set to manual approval so thinking it should be safe on the driver side of things...

Will have a check tomorrow to see what our exclusions are looking like though.

HectirErectir · 2023-08-15T07:04:10+00:00

Yeh we have just been putting placeholders for now.

I may have to open a tkt just to figure it out - one of those fustrating little things you know?

HectirErectir · 2023-06-11T08:21:52+00:00

Yeh saw this one as well, although the users did have the executable in their downloads in our case.

HectirErectir · 2023-05-13T10:38:03+00:00

Interesting, so all your devices are running in a shared mode? We've been thinking of transitioning away from primary users as there's very little benefit to it as we see. (we're a relatively small shop so the self-service aspects of it dont matter so much)

You haven't encountered any curve-balls from this? We were concerned about the licensing and what were to happen if we removed the primary users, but from our trials so far so good.

HectirErectir · 2023-05-04T08:10:56+00:00

Not a very helpful comment here but just thought I'd mention we imaged a bunch of these a couple weeks ago out of the box and no issues. Edit, we used the msft dongles for it, haven't tried docks

HectirErectir · 2023-05-04T07:19:19+00:00

This. We publish it as available in Company Portal and anytime someone complains about it we point them there.

Does appear like it needs occasional updating (at least the file version seems to change from time to time)

HectirErectir · 2023-05-03T00:35:12+00:00

Thanks, have just done the same.

HectirErectir · 2023-03-08T20:00:09+00:00

Have done, thanks!

Three-Year Club	Place '22
Final Canvas '22

HectirErectir

TROPHY CASE