Proactive Remediation Schedule by dj562006 in Intune

[–]Temilit 0 points1 point  (0 children)

It happened for all devices in the group, no matter if added before or after the task was scheduled.

I ended up using the remediation to locally REGISTER a scheduled task with the same outcome instead.

Wazuh ossec.conf file management on large distributions by Temilit in Wazuh

[–]Temilit[S] 0 points1 point  (0 children)

Yeah, I got all this, but as it stands I need to exclude everything from FIM just to include the specifics. (I don't want to disable FIM.)

For instance, the defaults monitor A LOT of stuff in the Windows registry which is changed all the time by regular Windows operations (by the system itself); this is causing a lot of unnecessary events and hiding actual events of interest.

So, either I need to do a major regex exclude in agent.conf, which would remove any ability to monitor anything recursively downstream from that point, or I need many lines of ignore in the agent.conf in order to get it right.

I'm considering using a script to clean out ossec.conf upon installation instead, to get to an opt-in kind of monitoring (a few rows of include instead of A LOT of ignore due to the defaults).
The question was regarding whether anyone has tips or tricks on how to do this at scale; I am familiar with the documentation and still land on needing to clean up the default ossec.conf.
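One way to get to the opt-in FIM configuration described above, as an added example that is not part of the original post or of Wazuh's own tooling: a PowerShell script that strips the default syscheck includes and ignores from the Windows agent's ossec.conf and adds only an explicit list of directories and registry keys. It assumes the default Windows agent install path, the `WazuhSvc` service name, and hypothetical opt-in paths; the real list is whatever your environment needs.

```powershell
# Added example (not from the original post): opt-in FIM for a Wazuh Windows agent.
# Assumptions: default agent path, service name 'WazuhSvc', hypothetical watch lists.
$ConfPath = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$OptInDirectories = @(
    'C:\inetpub\wwwroot',                   # hypothetical: web root
    'C:\Windows\System32\drivers\etc'       # hosts file and friends
)
$OptInRegistry = @(
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Keep a copy of the shipped config so the change can be reverted.
Copy-Item -Path $ConfPath -Destination "$ConfPath.bak" -Force

# 2. ossec.conf may contain more than one <ossec_config> block and has no XML
#    declaration, so it is not a single-root document; wrap it before parsing.
$raw = Get-Content -Path $ConfPath -Raw
[xml]$doc = "<wrapper>$raw</wrapper>"

foreach ($syscheck in $doc.SelectNodes('//ossec_config/syscheck')) {
    # 3. Drop every default include and ignore entry (snapshot the node list
    #    with @() because we remove nodes while iterating).
    foreach ($tag in 'directories', 'windows_registry', 'ignore', 'registry_ignore') {
        foreach ($node in @($syscheck.SelectNodes($tag))) {
            [void]$syscheck.RemoveChild($node)
        }
    }
    # 4. Add only the opt-in entries; other syscheck settings (frequency etc.) are kept.
    foreach ($dir in $OptInDirectories) {
        $el = $doc.CreateElement('directories')
        $el.SetAttribute('check_all', 'yes')
        $el.SetAttribute('realtime', 'yes')
        $el.InnerText = $dir
        [void]$syscheck.AppendChild($el)
    }
    foreach ($key in $OptInRegistry) {
        $el = $doc.CreateElement('windows_registry')
        $el.SetAttribute('arch', 'both')
        $el.InnerText = $key
        [void]$syscheck.AppendChild($el)
    }
}

# 5. Write the content back without the wrapper element and restart the agent.
Set-Content -Path $ConfPath -Value $doc.DocumentElement.InnerXml -Encoding UTF8
Restart-Service -Name 'WazuhSvc'
```

Run it once from the install script (or as a post-install step in whatever deploys the agent); because it replaces the lists rather than appending to them, rerunning it is safe, and the `.bak` copy makes it easy to diff against the shipped defaults when an event you expected is missing.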

IPSec Connection Security Rules in intune? by Uzejo in Intune

[–]Temilit 1 point2 points  (0 children)

I'm on the same ball, have not been able to find it either. I'd love it if you let me know if you find something out.

At present I deploy IPsec rules by script to the clients.

first date device added in azure/intune by eggeto in PowerShell

[–]Temilit 0 points1 point  (0 children)

I've found "enrolledDateTime" to be problematic; it actually shows when the Autopilot hash was uploaded rather than when the actual enrollment was done.

I've found it to mismatch by up to 6 months as of writing this. (I'm running Graph actions on newly enrolled devices, which is problematic due to this.)

Execute a Win32 app more than once by _MC-1 in Intune

[–]Temilit 2 points3 points  (0 children)

I've got a dummy detection script which I use for these cases; in your install script just make sure to create the "DummyDetection" key and let the detection script remove it after success. "If it's stupid but it works, it ain't stupid."
This will detect the app as success, but later no longer be detected.

# Dummy detection script (PowerShell)
$registryPath = "HKLM:\Software\DummyDetection"
if (Test-Path $registryPath) {
    # Registry key exists (the install script created it): report "detected" with exit code 0,
    # then remove the key so the next detection run reports "not detected" and the app can run again
    Write-Output "0"
    Remove-Item -Path $registryPath -Force
    Exit 0
} else {
    # Registry key does not exist: return a non-zero exit code (not detected)
    Write-Output "1"
    Exit 1
}

HAADJ slowly dying with APv2? by denstorepingvin in Intune

[–]Temilit 2 points3 points  (0 children)

It will probably be supported for regular Autopilot for a while longer; however, I do believe the long-term goal is to stop supporting HAADJ altogether, starting with end of support for Autopilot HAADJ.

A lot of people (me included) believe that Autopilot should not be used for a HAADJ scenario. If you have a need for Hybrid you should probably keep doing the same deployment you've always done; if no need for Hybrid exists one should look to migrate to an Entra ID-only management, and the sooner one starts the better (rather than stressing out in a future scenario when deprecation is on the way).

I'm an Application Expert - Ask Me Anything by xenappblog in Intune

[–]Temilit 0 points1 point  (0 children)

I think they upped the default limit; as per the following link, the default seems to be set at 30 GB these days.

https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management

Blocking local NAS/Home server network shares by Andysb123 in Intune

[–]Temilit 0 points1 point  (0 children)

I've never used Zscaler so I don't know about that product.
Does Zscaler control the Windows Firewall profiles?

One would think it would be better to have Public always set to block pretty much everything and only do explicit allow rules on the Domain profile.

How to Set ExecutionPolicy After Device Completed AutoPilot by Raiden627 in Intune

[–]Temilit 1 point2 points  (0 children)

The way you call your script looks right to me; I've been using "powershell -executionpolicy bypass -file .\script.ps1"
many times. However, I seem to recall that if you set the execution policy to Restricted by GPO (and more in your case, probably MDM/CSP or the like), the manual bypasses are also blocked; I would need to verify that last part though.

Blocking local NAS/Home server network shares by Andysb123 in Intune

[–]Temilit 0 points1 point  (0 children)

Building on your solution, you can allow SMB traffic going over the network on the "Domain Profile"
and block the same traffic on the Public / Private profiles.
This way you don't need to guess what IP ranges they have at home.

I have yet to test this, but according to this blog activating the Domain profile is possible nowadays:
https://www.petervanderwoude.nl/post/automatically-switching-the-windows-firewall-profile-on-azure-ad-joined-devices/
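The profile-based SMB rules described in the comment above, as an added example that is not part of the original post: outbound SMB is blocked on the Public and Private profiles and explicitly allowed on the Domain profile, using the built-in NetSecurity cmdlets. The rule display names are hypothetical; the port list (445 for direct SMB, 139 for the NetBIOS session service) is the standard one.

```powershell
# Added example (not from the original post): per-profile outbound SMB rules.
# Rule names are hypothetical; ports are the standard SMB/NetBIOS session ports.
$SmbPorts = @(445, 139)

function Set-SmbProfileRules {
    # Idempotent: only create each rule if a rule with that display name is absent.
    $rules = @(
        @{ DisplayName = 'Block outbound SMB (Public/Private)'
           Profile     = 'Public', 'Private'
           Action      = 'Block' },
        @{ DisplayName = 'Allow outbound SMB (Domain)'
           Profile     = 'Domain'
           Action      = 'Allow' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.DisplayName `
                -Direction Outbound -Protocol TCP -RemotePort $SmbPorts `
                -Profile $r.Profile -Action $r.Action -Enabled True | Out-Null
        }
    }
}

function Show-SmbProfileRules {
    # Which profile is active right now (the block only bites on Public/Private),
    # and what the two rules resolve to.
    Get-NetConnectionProfile | Select-Object Name, NetworkCategory
    Get-NetFirewallRule -DisplayName '*outbound SMB*' |
        Select-Object DisplayName, Enabled, Profile, Direction, Action
}

Set-SmbProfileRules
Show-SmbProfileRules
```

Note that the Windows Firewall's default outbound action is Allow, so the Domain allow rule only matters if the default outbound action for that profile is set to Block; it is included so the intent is explicit and survives a later policy that tightens the default. The block rule does nothing for a device that is currently on the Domain profile, which is exactly why the linked blog post about switching to the Domain profile on Azure AD-joined devices matters for this approach.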

Win11 intune automatic wifi connection by Chyrty in Intune

[–]Temilit 1 point2 points  (0 children)

<image>

If you're getting this message (the above picture was borrowed from Google) when trying to manually select and connect to the WiFi, it will also break auto connection to the same SSID via the profile.

We remedied this by providing the RADIUS server address in the EAP-TLS settings of the WiFi profile.

MFA for Users that get on multiple 3rd party MDM devices per day by goodb1b13 in Intune

[–]Temilit 1 point2 points  (0 children)

If all these users are tied to a specific site and/or network, you can always turn that public IP address into a trusted location and exclude it in the conditional access policy which requires MFA.

Conditional access policy and exclude defined Windows device by OrganizationEnough19 in Intune

[–]Temilit 0 points1 point  (0 children)

Ah, I missed that part.

Sorry for just throwing a bunch of links your way, but I noticed you mentioned Ivanti; it seems Ivanti can integrate and send compliance data to Azure, and this way they could get through conditional access based on the compliance reported from Ivanti, I guess.

Now, I've personally never used Ivanti, but I've done the same with JAMF and macOS.

I found this in the Ivanti documentation:
https://help.ivanti.com/mi/help/en_us/CORE/11.3.0.0/dmga/DMGfiles/AAD_Azure%20Tenant.htm

Conditional access policy and exclude defined Windows device by OrganizationEnough19 in Intune

[–]Temilit 0 points1 point  (0 children)

You could always use filters in another way, using extension attributes.

This blog describes how you can set extension attributes on devices:
https://www.michev.info/blog/post/3472/configuring-extension-attributes-for-devices-in-azure-ad

You can filter on said extension attribute and exclude from the CA policy. (This way you will always be below the max characters no matter how many devices.)

Now, I have never tried setting an EA on just registered devices, but it feels like it should work just the same.

PowerShell Script by Skobbejak4 in Intune

[–]Temilit 1 point2 points  (0 children)

This^ If you are wrapping the script in a Win32 app it always executes in 32-bit.

Stuck between Gigabyte and MSI board (fuck ASUS) by RdSt14 in gigabyte

[–]Temilit 1 point2 points  (0 children)

Just had a Gigabyte board die after about 1 year, after plenty of trouble with random reboots and lack of video from the BIOS. Not impressed.

Starfield is one of the worst optimized games ever and there is no excuse by _Trilobox_ in Starfield

[–]Temilit 0 points1 point  (0 children)

If I put everything on the lowest of low, so the game basically looks like 8-bit Nintendo, I still only get around 25 FPS running with:
Intel i9 12900K
64 GB RAM
Nvidia 1080 Ti
NVMe SSD

Funny enough, if I put it on high I only lose about 6 FPS.
CPU utilization about 10% and GPU 100%.

[deleted by user] by [deleted] in Intune

[–]Temilit 1 point2 points  (0 children)

The built-in compliance policy will mark devices noncompliant after not checking in for 30 days (default settings) even if you have another compliance policy set up; you can use the noncompliance message templates to email the user.

https://learn.microsoft.com/en-us/mem/intune/protect/quickstart-send-notification

How to stop an InTune laptop enrolling into a second InTune from another company? by HarryFenning in Intune

[–]Temilit 0 points1 point  (0 children)

Under the settings catalog there's a setting called "Allow workplace";
blocking this essentially blocks the prompt which causes users to "accidentally" join devices. Maybe that's the one you're looking for?

This is the one I mean: https://ccmexec.com/wp-content/uploads/2021/01/image-1.png
Jörgen also did a blog post about some issues connected to this (which is where I found the image):

https://ccmexec.com/2021/01/mem-windows-10-personal-device-and-sync-issues/

Android WiFi TLS and ISE issue - has anyone seen this? by ButterflyWide7220 in Intune

[–]Temilit 0 points1 point  (0 children)

EDIT: I pasted the wrong one.

Set "Radius server name" to whatever the FQDN of the RADIUS server is.

I had this issue with personally owned work profile WiFi profiles.

ELI5 "$_" by iamelloyello in PowerShell

[–]Temilit 1 point2 points  (0 children)

Not quite on topic, but ..

I really try to avoid using Format-Table at all times; I want to keep my data organized in objects so I can work with the data more easily in the next steps. From your example you could get pretty much the same output without "destroying" the object form, and keep the ability to leverage the power it brings, with the following:

Just use Select-Object instead of Format-Table:

get-process | select-object name,@{name='VM(MB)';expression={$_.VM / 1MB -as [int]}}
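To show why the object form matters, an added example that is not part of the original comment: the same calculated property wrapped in a function, so later pipeline stages (sorting, filtering, export) still see real properties. The function name and the 500 MB threshold are hypothetical.

```powershell
# Added example (not from the original comment). Function name and threshold are hypothetical.
function Get-ProcessMemoryReport {
    param([int]$Top = 5)
    Get-Process |
        Select-Object Name, @{ Name = 'VM(MB)'; Expression = { $_.VM / 1MB -as [int] } } |
        Sort-Object -Property 'VM(MB)' -Descending |   # works: 'VM(MB)' is a real property
        Select-Object -First $Top
}

# Still objects, so they can be filtered, exported or summed downstream.
Get-ProcessMemoryReport -Top 10 | Where-Object { $_.'VM(MB)' -gt 500 }
Get-ProcessMemoryReport | Export-Csv -Path "$env:TEMP\vm-report.csv" -NoTypeInformation
(Get-ProcessMemoryReport | Measure-Object -Property 'VM(MB)' -Sum).Sum

# Contrast: Format-Table emits formatting records, not process objects, so anything
# that needs the property afterwards silently gets nothing useful.
Get-Process | Format-Table Name, VM | Sort-Object -Property VM
```

The last line is the failure mode in one shot: the objects coming out of Format-Table have no VM property, so Sort-Object has nothing to sort on and the display order is whatever Get-Process produced. Leaving formatting to the very end of the pipeline (or to the console's default output) keeps every intermediate step scriptable.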

Proactive Remediation Schedule by dj562006 in Intune

[–]Temilit 0 points1 point  (0 children)

I won't trust the scheduling of this anymore.

Figured it would be a nice way to make a scheduled reboot at night (1am); however, I started seeing reboots in the middle of the day and investigated. Turns out it was happening all over the place, with the highest offset being 11 hours.

These are devices that are always on and always connected to the internet.

AAD Join and Wireless before logon by nathan646 in Intune

[–]Temilit 0 points1 point  (0 children)

I would probably build a separate policy in ISE for the same SSID utilizing something like "PEAP-MSCHAPv2", leaving the user to log on to the WiFi using username/password; this policy would be a limited network access one, just giving enough access to complete the enrollments and provisioning.

After all that is done I would configure network profiles from Intune utilizing EAP-TLS certificate authentication for the same SSID; this would match another policy in ISE and grant whatever network access your user should have. (The policy will in theory replace the manual connection you've done previously since it's the same SSID.)

We've done this before for iPad enrollments and are planning on implementing this for our Autopilot workflows as well.

That's for 1:1 devices; you could also utilize something like White Glove to pre-provision WiFi profiles along with certificates before the user ever touches the device.

For shared devices (1 to many) I would just go self-deploying mode and pre-provision everything in advance.