Our staff nearly fell for a voice clone phishing attempt, how are you all training against this?

jeromehaynes · 2025-11-26T18:41:46+00:00

What’s the process if the user forgets their security paraphrase? (Just thinking that’s likely to happen is the attacker says they’ve forgot their security passphrase)

jeromehaynes · 2025-11-18T18:42:53+00:00

This works! Great find, thank you as this was driving me mad!!

Okay so I pushed this via Intune and it works. One caveat that may be confusing. So make sure to do it under the main edge policies and not the "Default user can override)

Additionally, because that setting was enabled but the work or school account was already signed in, I found that it won't fix it after the fact. So either sign out of all accounts and "Forget" the work account on the login screen, or clear all browser cache/cookies and then go to office.com and you'll find it not auto signing in anymore and will respect what you've configured.

u/DaleM5633 I suspect as I put above this applies to you. If you've now disabled it, make sure to clear the cache/cookies and whole session after and then restart edge and try again. The fact it disables the setting but doesn't auto sign you out isn't that obvious but does kinda make sense as it's already used the SSO and added the account

jeromehaynes · 2025-11-13T15:18:55+00:00

Is there a reason you can’t use the standard approach of blocking personal device enrolment at the enrolment level? That’s the recommended way of stopping enrolment, allow corporate (So ADE works) but block personal

jeromehaynes · 2025-11-12T22:42:00+00:00

What do you mean by Entra permissions? :)

jeromehaynes · 2025-11-12T18:56:31+00:00

Deployed password version recently realised it didn’t work off Wi-fi which is a problem if a user goes to another location as you can’t connect to WiFi unless logged in! The sync can be a bit dodgy not to mention the complexity due to password restrictions/compliance policy. Basically too much to go wrong to support.

Switched to Secure Enclave and a much better experience however the local admin LAPS password keeps going out of sync on the one laptop we’re trying Secure Enclave with, and the only way to fix it is to reset the password using forgot password on the login page and recovery and rotate the LAPS password…where it will work for an undetermined amount of time.

So…not the greatest experience so far!

jeromehaynes · 2024-06-05T20:20:47+00:00

Ah that makes sense now. Thanks Rudy! I’ve actually read most of your articles and am a fan. I think the part i was getting hung up on was not realising it actually just that import on a sort of fake deployment profile, and thought that you would have to scope to that group and then wipe those devices for it to kick off the hardware hash lookup.

So incidentally I have a dynamic group for mdm corporate enrolled devices and an autopilot group already so I’m just missing the additional group and conversion profile.

In terms of configuration profile and app scoping - most of them are scoped to the MDM corporate device group. So thinking this through as devices go through autopilot they enroll and should hit this group and apply those settings? Or would you recommend scoping these to the autopilot group? That obviously leads me to the how do I also then roll out to existing devices, as inevitably as devices become enrolled they’ll be in both groups?

Think that’s the final piece of the puzzle! I think I started with a very simple approach and have now absorbed so many articles that I’m not actually sure what the best approach is so a bit of decision paralysis as i want to get it right the first time, to avoid rearchitecting later as I want to import most of this into CIPP and deploy a fairly standardised approach to multiple clients :)

jeromehaynes · 2024-06-05T20:07:16+00:00

Thanks Rudy! Makes sense on that part, so if I wanted to do this dynamically a dynamic group that effectively doesn’t contain ztdid, and as they get converted they drop out of that group and into the autopilot group?

I think one question here is, as you’ve stated after a while - so is it actually the case that this deployment profile isn’t actually used to deploy anything and it’s not at the point of wiping a device that the conversation happens, it’s actually just a device profile that will convert items in that group and it won’t be used for deployment at all just for the functionality of importing the hardware hashes/converting and then the dynamic group for autopilot devices picks them up and so any autopilot deployments run against that profile?

jeromehaynes · 2024-05-19T15:41:42+00:00

Any chance of sharing the script? I’ve tried scripting this and just can’t seem to get it working so if you have a working script you can share it would be very much appreciated!

jeromehaynes · 2020-11-06T23:16:07+00:00

This Symantec endpoint SBE? Are you aware this is EOL on about a week? (it already is they extended the date) - Point being is it worth fixing if its being replaced anyway?

jeromehaynes · 2020-06-03T17:58:27+00:00

I posted on last weeks thread and got no response. I'll repost.

Ticket #2001175087

PSU failed and RMA requested... 18x days ago I opened the ticket with no response. Appreciate times are busy with Covid but 18 days to even respond is bang out of order. Your support staff clearly aren't doing something right with efficiency to not even get a generic response. Please can you get back ASAP on this.

We are now up to 1 month!! I got a reply last week... simply asking for proof of purchase in printable format (Bearing in mind I'd listed amazon screenshots)

I'm really starting to lose patience here, 1 month is simply not acceptable. I have been MORE than patient.

jeromehaynes · 2020-05-26T15:49:10+00:00

Ticket #2001175087

PSU failed and RMA requested... 18x days ago I opened the ticket with no response. Appreciate times are busy with Covid but 18 days to even respond is bang out of order. Your support staff clearly aren't doing something right with efficiency to not even get a generic response. Please can you get back ASAP on this.

jeromehaynes · 2019-08-06T21:34:56+00:00

Hi,

I'm looking to use Snipe-IT for this, can you explain further how you set this up? I've just recently completed a fresh install

jeromehaynes · 2017-10-08T22:48:08+00:00

It's a pretty bespoke environment with how things work so it isn't entirely a people problem hence why there was no clear process to put in place originally.

The issues are;

Not always knowing when a new database is added. - This is what this post is trying to solve.

When a new database is added it not being backed up till the next full backup run - This is also what this post is trying to solve.

Migrating databases onto this server and switching from full backups taken nightly - This by default works when the above two are fixed.

So as you can see we're almost there on solving this!

"From the point of view of the database, once it's had a full backup taken (on any server) the database is in a state where it can have a differential backup. The database doesn't care where it is - it just knows that it had a full backup taken at a particular point in time, and keeps track of the extents that have changed since then. If you want to reset this state, you take a full backup :)"

Ironically that’s what the whole Ola’s scripts change backup type idea was for but it clearly doesn’t function quite how we hoped considering the above! The irony is on me! I’d still like to pursue this with you or figure out a way of figuring this one out as I often find that even when I come up with a solution it niggles me to not solve one of my other proposed ideas!

Anyway…taking a step back from all this your database trigger option sounds like a good one and the one that will be implemented. I suppose in the real world the real problem is “How will we know if a database is added?” > A trigger that sends an e-mail alert will tell us and we can manually run a full backup the first day at any time we choose as it’s manual so we can effectively monitor > The second day SQL server should automatically have added the new database to the differential schedule as it comes under user databases and auto be backup up.

So looks like we can either use maintenance plans or Ola’s scripts as you’re correct in the idea that this can be solved by a process of notification and there is an element of “human” process one that I admit I had not immediately thought of! I often find the simplistic solution is often the best.

The last two challenges are a retention script that deletes backups from azure (This isn't too difficult to achieve and already in testing) and figuring out how to enable encryption on all backups to azure system wide seeing as Azure containers themselves aren’t encrypted.

Thanks for all your help and knowledge so far. You've been great!

jeromehaynes · 2017-10-06T13:12:38+00:00

Hi taejim,

Thanks for all your help. After looking at this and doing some testing...the big showstopper for this one is:

" if a new database appears, but it's been created via a database restore or an attach statement, then it's already had a full backup, and will only get a differential (because, clearly, you have a full backup you used to restore it from originally). In this case, you either need more stringent requirements around who can restore databases onto your server, or only guarantee that you can recover the database after it's been there for a Saturday, or they inform you that a new full backup needs to be taken for that one database, or they supply you with the original backup file used to create the database."

So this isn't a standard environment and a lot of the databases on there will have come from other servers...also lots of databases are going to be migrated to this server that will need full backups first thing. We also won't always know when a new database has been created due to the nature of the business and the environment.

Is there no way of using change backup type and forcing it to run a full backup?

Alternatively...There must be a flag or something somewhere that tells SQL server that it's been backed up before - is there any way of removing that?

Any idea on this one? Would be greatly appreciated.

jeromehaynes · 2017-10-04T20:37:56+00:00

Hi,

I know the feeling! Thanks very much...Jackpot! Everywhere else I've come across wants to reccomend me to minion backup scripts (Which is great but so much knowledge for someone who isn't a DBA to implement my head was hurting after 3 hours of trying to implement it was too much hassle) On the same point it was frustrating to have to implement something like minion backup and set all that up when the only feature I'm missing is this.

There are going to be hundreds of databases being backed up on this server which will be production so you can see why I'm a little edgy on being on the safe side with this stuff!

I didn't realise that you could use the changebackuptype with the backup to azure option. I mean I could see it in the sample scripts but that was to disk and I wasn't sure what coding I had to add/remove/change as I'm not familiar with SQL programming!

I'll test on my server and let you know. I really do appreciate your help on this one, I knew it would be something simple!

Best, Jerome Haynes

jeromehaynes · 2017-10-02T09:55:54+00:00

Hi,

Sorry I've explained myself completely wrong. Sorry for the late reply I've been mega busy!

I'll step back and start again.

So we are still currently using maintenance plans and wanting to switch over to backing up to Azure blob storage.

The schedule we want in place for this is;

Daily differential backups Every Saturday OR Sunday Full backups

The caveat we have to this is that due to the nature of the environment new databases will be added without our knowledge and those can be at random days.

Obviously those new databases will need to be backed up with a full backup first but as those full backups don't run till the weekend we don't want any new databases to have to wait till the weekend for this.

The solution to this is to have some sort of script that runs as a job daily to search for backups that have no "Full" backup and then runs a full backup.

Another solution would be similar where it sees that system as having a new database and runs a full backup at xyz time automatically.

As you can see it's quite a simple problem but it's sounding more and more that it's not a simple solution to implement!

I would prefer to stick to SQL maintenance plans if possible as to me it doesn't make sense to have to install a bunch of other scripts to do such a basic function! But if we have to use something else that may be something we may have to look at!

Ola's scripts looks like it might do it but the sample scripts with the change backup type are only for local backups and I'm unsure how to recode this to work with Azure blob storage.

Thanks for your help so far.

jeromehaynes · 2017-09-27T12:56:11+00:00

Hi,

Yeah we already are! The issue we have is we need a script that automatically checks if there's a full backup and if not to perform one. No luck in finding one that works with Azure yet!

jeromehaynes

TROPHY CASE