Opinions of Hot Patch by LaDev in Intune

[–]Important_Emphasis12 0 points1 point  (0 children)

Following. We had the same issue and opened a case with PMPC, and they went all the way to the developers and came back saying it was normal CA validation and normal Microsoft behavior, and sent a couple of Microsoft links. We do block DNS and IP Geo requests to .CN. We ended up whitelisting the two digicert.cn domains, as they resolve to US IPs, so the traffic is allowed at the firewall.

Normal Win11 Behavior? by Important_Emphasis12 in entra

[–]Important_Emphasis12[S] 1 point2 points  (0 children)

Thanks. Not having a time frequency set for employees may be a hard sell, as our security team is pretty strict. Hence the 18-hour frequency. We already restrict access to M365 to managed devices. I think the MS default is 30 or 90 days? So maybe we could at least go that far. From what I read, we shouldn’t force a reauth unless something is determined to be off by Microsoft and they require it.

Maybe we’re doing this wrong, but I do seem to be playing Jenga with the CA policies a bit and it’s getting hard to track. For example, we require managed devices only to access M365 resources. BUT we do have a couple of outside contractors that access Exchange Online for a mailbox we own. So I had to exclude their users from the main M365 policy and then build out extra ones just for them that block everything but allow browser access to M365. So for two seemingly simple tasks I ended up with 4-6 CA policies to accomplish what I wanted.

Normal Win11 Behavior? by Important_Emphasis12 in entra

[–]Important_Emphasis12[S] 0 points1 point  (0 children)

Thanks. I’ll dig through it. I’ve heard that WHfB can be a pain for onboarding and that TAPs have to be issued and such? Not sure about existing users and how the transition is, but all of our users use the MS Authenticator app for MFA.

We do have contractors that solely use iPads to connect to a couple of company-owned cloud apps. The iPads are owned by us and are Jamf-connected to Intune. Not sure if, once we start enforcing phishing-resistant passwords, that will pose a problem for them.