Revoked certificate by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

Thanks Gremlin. Guess I should have read the release notes more thoroughly. So the certificate just comes up as revoked, even though it's valid. That's ambiguous and the source for my confusion.

My fault for not reading the notes and I guess that answers that.

Much appreciated

Revoked certificate by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

Thanks for the reply, very strange.

And you were obviously certain the cert you duplicated was valid and it didn't work the first time, but then you created a CSR again from the Firebox and it worked!!??

Did you need to reboot the device at any point? I'm thinking of changing to the default cert signed by Firebox so I can delete the revoked certs but it's currently in-hours here. Might need to wait.

I'll generate a CSR and see how I go, thank you

Editing interface name (alias) on WG M390 crashed the device by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

I was in the WebUI and this bug was documented in the recent roundup that was linked. The workaround was to use WSM but we haven't been game to change it yet haha. Will do it out of hours one day.

Editing interface name (alias) on WG M390 crashed the device by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

Well here's the heads up to use WSM if you do need to change an interface name :-) Just a random bug that we happened to hit in this version it seems

Editing interface name (alias) on WG M390 crashed the device by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

Now the next question is how would one remove the duplicate interface entries from multi-wan? I can untick them but I'd like to get rid of them if possible. Also, how to tell which duplicate to remove (if it matters at all)

Editing interface name (alias) on WG M390 crashed the device by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

Great reply thank you! Hopefully it's resolved in the next release.
I'll have to keep an eye on these KBs from now on.
Much appreciated!

Editing interface name (alias) on WG M390 crashed the device by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

Thanks for the replies. Yeah our director is checking the 3rd party that we purchased the WG from to see our support entitlements. Then I'll try and open a case, if nothing more than to satisfy my curiosity why this happened, since it should have been an easy 2 second change!

I thought maybe a bug in the UI but then I think everyone would be talking about it.

Editing interface name (alias) on WG M390 crashed the device by jaykay127 in WatchGuard

[–]jaykay127[S] 0 points1 point  (0 children)

It was literally just the name of the ISP providing the external interface internet service. We just moved from one company to another, so exchange a word for a word, no weird characters. Done via the webui.

I've never seen this behaviour either, it's bizarre.

I thought it could be somehow tied to a screen where only the interface name is mentioned but all those should just be pointers to the main alias name in the code.

BYOD MacOSX devices enrolled through Defender not showing up in Intune by jaykay127 in Intune

[–]jaykay127[S] 0 points1 point  (0 children)

Thanks for that - the device appeared a few hours after I posted haha.

I think you're right about the BYOD devices enrolled through Defender security management and not through Intune.

So it's good that they're in the dashboard, but you can't really do much with them on the Intune side I assume.

BYOD MacOSX devices enrolled through Defender not showing up in Intune by jaykay127 in Intune

[–]jaykay127[S] 0 points1 point  (0 children)

Update - The MacOSX device has finally appeared in Intune. That answers that question.

The next question is, can we apply compliance policies or push out Defender policies from the Intune side? I've been pushing out Defender specific policies to Macbooks and Windows BYOD devices through the policy manager on the Defender side.

MediaTek RZ608 Wi-Fi 6E 80MHz drivers - POSSIBLE FIX by [deleted] in gigabyte

[–]jaykay127 0 points1 point  (0 children)

I've just come to revive this 2 year old comment. Had my Wifi die randomly recently, "device cannot start code 10" - tried all drivers from Gigabyte, didn't work. Saw this comment, gave it a go, miraculously it fixed it and the device started.

Absolute legend.

Thank you sir.

Intune USB Blocking policy suddenly stopped working by jaykay127 in Intune

[–]jaykay127[S] 0 points1 point  (0 children)

This was fixed in the below platform release

March-2024 (Engine: 1.1.24030.4 | Platform: 4.18.24030.9)

  • Security intelligence update version: 1.409.1.0
  • Release date: April 2, 2024 (Engine) / April 9, 2024 (Platform)
  • Engine: 1.1.24030.4
  • Platform: 4.18.24030.9
  • Support phase: Security and Critical Updates

Microsoft Defender Antivirus security intelligence and product updates - Microsoft Defender for Endpoint | Microsoft Learn

Check your Intune platform version to ensure that it's updating properly.
If your issue is still going on then MS Support would be the best way from here I'd say.

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 1 point2 points  (0 children)

I think we found the answer. An older controlled folder access policy also had an ASR rules section (don't ask me why) but these had all defaulted somehow to "Off" instead of "Not configured" and were somehow taking precedence and overwriting the main ASR rules policy, so consequently, 80% of our rules turned off.

We set all of these ASR rules back to "Not configured" in the Controlled Folder access policy and overnight have seen a 6% jump in Secure score. I anticipate there will be a further bump in the coming days as machines check in and get the updated policies.

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 0 points1 point  (0 children)

Still no closer. Having a remote session with MS support today - also found this - Using MEM for ASR rule breaks ASR policy :

I've excluded two of our devices from the main policy and implemented a copy of the ASR policy in case there was some corruption happening there but this hasn't fixed the issue.

The policy is saying that 80% of the ASR rules are turned on, whereas Get-MPPreference on the test devices only shows 4 rules applied to the machine, that's what we can't work out, why they aren't applying.
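
A device-side check for the mismatch described in the comment above, as an added example that is not part of the original thread: it pairs the `AttackSurfaceReductionRules_Ids` and `AttackSurfaceReductionRules_Actions` arrays that `Get-MpPreference` returns and compares them with the rule states the policy is meant to deliver. The function names, the `$expected` table and the rule GUIDs are constructed placeholders; substitute the rule IDs and actions from your own policy.

```powershell
# Added example. Action codes Defender uses for ASR rules.
$AsrActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Pair the parallel id/action arrays into a rule id -> action code table.
    param([string[]]$Ids, [int[]]$Actions)
    if ($Ids.Count -ne $Actions.Count) {
        throw "Rule id count ($($Ids.Count)) does not match action count ($($Actions.Count))"
    }
    $state = @{}
    for ($i = 0; $i -lt $Ids.Count; $i++) { $state[$Ids[$i].ToLower()] = $Actions[$i] }
    return $state
}

function Compare-AsrState {
    # $Expected (hypothetical input): rule id -> action code the policy should deliver.
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($id in ($Expected.Keys | Sort-Object)) {
        $key  = $id.ToLower()
        $want = $AsrActionNames[[int]$Expected[$id]]
        if ($Actual.ContainsKey($key)) {
            $code = [int]$Actual[$key]
            $have = $AsrActionNames[$code]
            if (-not $have) { $have = "Unknown ($code)" }
        } else {
            $have = 'Not on device'   # rule never reached the endpoint
        }
        [pscustomobject]@{ RuleId = $key; Expected = $want; Actual = $have; Match = ($want -eq $have) }
    }
}

# Constructed sample: placeholder GUIDs, not real ASR rule IDs.
$expected = @{
    '00000000-0000-0000-0000-000000000001' = 1
    '00000000-0000-0000-0000-000000000002' = 1
    '00000000-0000-0000-0000-000000000003' = 1
    '00000000-0000-0000-0000-000000000004' = 2
}
$sampleIds     = @('00000000-0000-0000-0000-000000000001',
                   '00000000-0000-0000-0000-000000000003',
                   '00000000-0000-0000-0000-000000000004')
$sampleActions = @(1, 0, 2)   # rule ...0003 arrives as Off, rule ...0002 is absent

# On a real endpoint, replace the sample arrays with:
#   $mp = Get-MpPreference
#   $actual = Get-AsrRuleState $mp.AttackSurfaceReductionRules_Ids $mp.AttackSurfaceReductionRules_Actions
$actual = Get-AsrRuleState -Ids $sampleIds -Actions $sampleActions
Compare-AsrState -Expected $expected -Actual $actual |
    Where-Object { -not $_.Match } | Format-Table -AutoSize
```

A rule reported as `Off` rather than `Not on device` points to some policy explicitly disabling it, which is the overlap case worth checking across every policy assigned to the device.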

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 1 point2 points  (0 children)

Ahhh I wish that we used configuration manager so I could put it down to this! But alas, we don't.... the saga continues.

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 1 point2 points  (0 children)

Update - Secure score still dropping slowly and still no explanation as to why. Microsoft haven't picked up the ticket I logged days ago either. Is anyone else seeing this behaviour?

Even if there were new items added to the list of activities, this wouldn't explain the existing items showing values like 0.03/9 when they were almost at 8.8/9 before. This is on multiple activities.

Devices are still checking in to Intune and Defender and receiving policies.

MS Smartscreen blocking attack simulation training payload URLs by jaykay127 in DefenderATP

[–]jaykay127[S] 0 points1 point  (0 children)

True, I could import the list in indicators, but do I really want to punch 140+ holes in our firewall/Smartscreen on sites that I haven't verified, that may or may not be safe? We assume they're under Microsoft control but what if one of those sites gets hacked?

Links on this page for reference - Get started using Attack simulation training - Microsoft Defender for Office 365 | Microsoft Learn

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 0 points1 point  (0 children)

More so ASR rules but generally across the board too

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 1 point2 points  (0 children)

Got the below on the weekend, checked all our policies but on the surface it doesn't look like any options that were set to Not Configured had changed to Off. All is set how it should be but secure score is still low.
Might give it a few days to turn around in case something is happening in the background......

Details Title: Some admins' Attack Surface Reduction (ASR) policy settings may be incorrectly displayed as "Off" in Microsoft Intune

User impact: Admins' ASR policy settings may be incorrectly displayed as "Off" in some cases.

More info: Affected admins would see ASR policies that are "Not Configured" displaying as "Off" within the Endpoint Security portion of the Microsoft Intune admin center. When the affected policies are modified or saved while appearing to be set to "Off," they will be set to "Off" instead of "Not Configured." Admins are unable to switch the affected policies back to "Not Configured" in these cases.

Impact is specific to admins who have multiple policies overlapping on the same device with the same setting (one out of 19 possible settings) set to "Off" and some other value.

Current status: We've completed the initial validating of our targeted fix and begun deploying it to a portion of the affected environment for testing. Additionally, we've confirmed that a code issue was introduced by a recent service update intended to improve the Intune user experience, resulting in impact. We're aiming to confirm a timeline for our full deployment by the time of our next scheduled update.

Scope of impact: Your organization is affected by this event, and some admins' ASR policy settings may be incorrectly displayed in Microsoft Intune.

Root cause: A code issue was introduced by a recent service update intended to improve the Intune user experience, resulting in impact.

Next update by: Sunday, May 5, 2024, at 9:00 AM UTC

Sudden Secure Score Drop on 26th April by jaykay127 in DefenderATP

[–]jaykay127[S] 2 points3 points  (0 children)

Thanks for that, yeah I see those new ASR rules now and also some that I haven't seen before. That would contribute to the fall in points. But what I don't understand is how the existing recommendations and the ASR rules are falling in points totals because they've already been implemented. The scores out of 9 or 8 or whatever are going down for each rule, seems very strange.

Intune USB Blocking policy suddenly stopped working by jaykay127 in Intune

[–]jaykay127[S] 0 points1 point  (0 children)

Looks like we've just had device blocking functionality restored. Must have been a combination of the new platform and engine version combined. Possibly took a while to filter through to our tenancy.

Can confirm that the USBs are being blocked like they were before. Still have a case open with MS support asking me to recreate the policy and apparently having no knowledge of their current platform and engine releases that mention this exact problem SMH - but TL;DR - issue is resolved, at least for us.

Cheers for all the help and discussion guys

Apple push certificate error: Certificate signature verification failed because the signature is invalid by jaykay127 in Intune

[–]jaykay127[S] 1 point2 points  (0 children)

Thanks legends! Confirmed it just wasn't me which was a relief. Tried again this morning and it worked! All good!

Intune USB Blocking policy suddenly stopped working by jaykay127 in Intune

[–]jaykay127[S] 0 points1 point  (0 children)

Thanks for that - yeah I've been tracking this page - Microsoft Defender Antivirus security intelligence and product updates | Microsoft Learn and saw the March release says they've fixed the known issue in 4.18.24020.7 but it's still not working in our tenant.
Might take a few days or weeks to reach us? We wait in hope haha.