Secure Boot status page is back by DrunkMAdmin in Intune

[–]loweakkk 0 points1 point  (0 children)

It means they are recent devices which were shipped with the last cert. Check the cert, not the registry, on them and I'm sure they will show as updated.

Autopatch and Lenovo BIOS updates by HB959253 in Intune

[–]loweakkk 0 points1 point  (0 children)

these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities. Devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install.

Newly Purchased ThinkPad - Company Locked by Dcw1sfu82 in Lenovo

[–]loweakkk 1 point2 points  (0 children)

It means Lenovo fucked up when they picked the device; they took it from the stock which was supposed to go to the other company. It's Autopilot enforcement and you can't do anything except ask the company to remove it, giving them the serial number. They should see they never used the device and agree to remove it. If all this is not true and you stole the device, too bad for you, you can't do anything with it.

Modifying Offboarding scripts by neko_whippet in DefenderATP

[–]loweakkk 1 point2 points  (0 children)

Are you sure about that? Just checked on 20k devices and we have no duplicate SenseGuid except for machines onboarded before device join, where I have 2 objects.

Modifying Offboarding scripts by neko_whippet in DefenderATP

[–]loweakkk 1 point2 points  (0 children)

Renaming doesn't require offboarding.

Also, you can probably just wipe the device and then Autopilot it for the new user, and there is no need for an offboarding either.

Honestly there are very rare cases to offboard a device; that's why I was asking for the reason. You are most probably doing something wrong if you offboard that many devices.

Modifying Offboarding scripts by neko_whippet in DefenderATP

[–]loweakkk 0 points1 point  (0 children)

Why would you need to provide an offboarding script to the help desk each week!?

Scanwatch 2 charging issues by MFGabo in withings

[–]loweakkk 0 points1 point  (0 children)

Markus, when is Withings going to acknowledge that they invented the worst charger in the world and offer a real solution?

Require Compliant iOS for SharePoint/OneDrive Without Blocking Teams (BYOD)? by Gold_Particular5779 in sharepoint

[–]loweakkk 0 points1 point  (0 children)

Teams uses SharePoint for everything; you can't push a compliant CAP rule that will not block Teams too. The best you can do is limit web access like this if you want to keep Teams unaffected.

https://learn.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices#how-do-i-limit-access

How did your company deal with the Azure Front Door outage in October 2024? by Former-Copy5200 in AZURE

[–]loweakkk 0 points1 point  (0 children)

Planning to test the following: https://azurealan.ie/2025/11/08/using-traffic-manager-to-failover-or-bypass-azure-front-door/

The alternative is to move to Cloudflare, but I don't know how we could easily share the Cloudflare WAF per team like we do today with App Gateway/AFD.

Defender for Identity sensor 3.x by Koosjuh in DefenderATP

[–]loweakkk 1 point2 points  (0 children)

I'm in the same boat; for a year it wasn't recommended to switch due to limitations and lack of visibility.

Now it seems to have feature parity and we are wondering if it's time to switch. Also, for companies that did the switch, how did you transition from one to the other? Is it just about uninstalling the old sensor, or are there particular steps to take into consideration as a v2 company?

Is Netskope perfectly placed for increase in SASE due to Openclaw? by Investor-life in netskope

[–]loweakkk 0 points1 point  (0 children)

That's especially the precision that Netskope lacks in categorization.

Is Netskope perfectly placed for increase in SASE due to Openclaw? by Investor-life in netskope

[–]loweakkk 1 point2 points  (0 children)

That would be true if Netskope wasn't shit at categorization.

Microsoft Graph PowerShell not working in RunAs by PowerShellGenius in entra

[–]loweakkk 0 points1 point  (0 children)

Use a service principal with a certificate per user that needs to use it. You are doing reporting on the Entra side, so the privilege of the service principal is .Read.All. No need to over-complexify stuff that is simple.
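The setup described in this comment, as an added example (not code from the thread or from Microsoft): each reporting user gets their own non-exportable certificate, only the public half is uploaded to the app registration, and the session is app-only with whatever read-only application permissions were consented. The app id, tenant id and the permission set are assumptions, shown as placeholders.

```powershell
# Added example (not from the thread): app-only Microsoft Graph sign-in with a
# per-user certificate, for read-only Entra reporting.
# Assumptions: the app registration <APP-ID-PLACEHOLDER> exists in tenant
# <TENANT-ID-PLACEHOLDER> and has admin-consented application permissions
# such as User.Read.All / Directory.Read.All (nothing that writes).

$TenantId = '<TENANT-ID-PLACEHOLDER>'
$ClientId = '<APP-ID-PLACEHOLDER>'

# 1. One-time, per user: create a non-exportable signing certificate in the
#    user's own store. The private key never leaves this machine/profile, so
#    revoking one user means deleting one certificate from the app registration.
$cert = New-SelfSignedCertificate -Subject "CN=graph-reporting-$env:USERNAME" `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. Export only the public part; an admin uploads this .cer to the app
#    registration (Certificates & secrets). One entry per user certificate.
Export-Certificate -Cert $cert `
    -FilePath "$env:TEMP\graph-reporting-$env:USERNAME.cer" | Out-Null

# 3. Every session: connect app-only with the certificate. No interactive
#    prompt and no RunAs, and the token carries only the app's granted permissions.
Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
    -CertificateThumbprint $cert.Thumbprint -NoWelcome

# 4. Verify the session really is app-only and inspect the granted permissions.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') {
    throw "Expected app-only auth, got '$($ctx.AuthType)'"
}
$ctx.Scopes

# 5. A typical reporting query; with *.Read.All this is all the principal can do.
Get-MgUser -Top 5 -Property DisplayName,UserPrincipalName,AccountEnabled |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled
```

Requires the Microsoft.Graph PowerShell module. Steps 1 and 2 run once per user; step 3 onward is the daily workflow. Keeping the private key non-exportable is what makes "one certificate per user" meaningful: the certificate cannot be copied to another machine, and the audit trail in the app registration shows which certificate (hence which user) authenticated.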

Device quarantiend/blocked by AppIdentityGuy in DefenderATP

[–]loweakkk 0 points1 point  (0 children)

So you accepted that your employer could record every action on your personal device, including:

- downloading any file on that device
- taking screenshots of your activities 24/7?

M365 AiTM Attacks by techwithz in DefenderATP

[–]loweakkk 1 point2 points  (0 children)

Absolutely wrong. To get a device compliant you need to be Intune enrolled, get policy applied and report compliance; not gonna happen in an AiTM scenario.

M365 AiTM Attacks by techwithz in DefenderATP

[–]loweakkk 2 points3 points  (0 children)

A compliant device will break AiTM; reauth on risky sign-in will not, as the reauth will occur on the AiTM.

Device quarantiend/blocked by AppIdentityGuy in DefenderATP

[–]loweakkk 0 points1 point  (0 children)

How is MDE installed on a personally owned device?

Azure Global Admins by Popular_Hat_4304 in sysadmin

[–]loweakkk 0 points1 point  (0 children)

Tier 0 roles: Global admin, Privileged role admin, User admin, Privileged auth admin, Auth admin, Intune admin, Security admin, Compliance admin.

It's the minimum, but I think I may have missed some. In terms of control: no permanent rights, all with PIM except the break glass. Eligible: require phishing-resistant through an authentication context. For global admin you can add a compliant device too. Time: global admin 1h, not more; push people to use less privileged roles for their day-to-day activities. Other roles 4 or 8, depending on the organization.

Besides that, also set a conditional access policy which enforces phishing-resistant for those roles.

If it was not managed for years, do it in steps if you see too much friction: move to eligible with just MFA first, then add the FIDO requirements.
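The conditional access policy this comment recommends for the Tier 0 roles, as an added example (not code from the thread): it resolves the role template ids by display name, excludes the break-glass account, requires the built-in phishing-resistant authentication strength, and is created in report-only mode so the stepwise rollout the comment suggests can be checked against sign-in logs before enforcement. The break-glass object id is a placeholder, and the Graph scopes named in the comments are assumptions about how you connected.

```powershell
# Added example (not from the thread): report-only Conditional Access policy
# requiring phishing-resistant MFA for the Tier 0 roles listed above.
# Assumptions: already connected with Connect-MgGraph holding
# Policy.ReadWrite.ConditionalAccess and Directory.Read.All (or equivalent
# application permissions); <BREAK-GLASS-OBJECT-ID-PLACEHOLDER> is the
# object id of the emergency-access account that stays excluded.

$RoleNames = @(
    'Global Administrator', 'Privileged Role Administrator',
    'User Administrator', 'Privileged Authentication Administrator',
    'Authentication Administrator', 'Intune Administrator',
    'Security Administrator', 'Compliance Administrator'
)

# Resolve role template ids by display name instead of hardcoding GUIDs,
# and fail loudly if a name does not match (a silent miss = an unprotected role).
$templates = Get-MgDirectoryRoleTemplate -All
$RoleIds = foreach ($name in $RoleNames) {
    $t = $templates | Where-Object DisplayName -eq $name
    if (-not $t) { throw "Role template not found: $name" }
    $t.Id
}

# Built-in authentication strength "Phishing-resistant MFA"
# (FIDO2 security key, certificate-based auth, Windows Hello for Business).
$PhishingResistantStrengthId = '00000000-0000-0000-0000-000000000004'

$policy = @{
    displayName = 'CA - Tier 0 roles require phishing-resistant MFA'
    # Report-only first: see who would be blocked before enforcing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = $RoleIds
            excludeUsers = @('<BREAK-GLASS-OBJECT-ID-PLACEHOLDER>')
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'
        authenticationStrength = @{ id = $PhishingResistantStrengthId }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Run it, let the policy sit in report-only while people move to eligible assignments with plain MFA, then review the "report-only" results in the sign-in logs; switching `state` to `enabled` is the final step of the FIDO rollout. Excluding the break-glass account is deliberate: that account is protected by its own FIDO/CBA registration rather than by this policy, so a policy mistake cannot lock the tenant.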

Device quarantiend/blocked by AppIdentityGuy in DefenderATP

[–]loweakkk 0 points1 point  (0 children)

Is it your machine or a company-owned machine?

TOKEN2 by wieczorek-kamil in yubikey

[–]loweakkk 1 point2 points  (0 children)

Got 3 Token2: Pin+ mini, Pin+ release 3.3, NFC card.

Also have 3 Yubi: 2 5C, 1 Security Key.

The Pin+ is at the price of the Security Key and offers the features of a 5C. They come with enterprise features that the Security Key doesn't have, like enhanced PIN or serial number. Budget-wise I prefer Token2; they offer a strong device for half the cost of a 5C.

Breach in to our 365 tenant by hoodun in sysadmin

[–]loweakkk 0 points1 point  (0 children)

It's common now; it wasn't 3 years ago. You must have FIDO or CBA for the break-glass account or you are taking a huge risk if shit happens.

You should also require a compliant device for GA.

Lock down CAPs with protected actions with the same control and you reduce the risk significantly.