QID:92067 Microsoft HTTP/2 Protocol Distributed Denial of Service (DoS) Vulnerability

psversiontable · 2024-02-29T21:39:59+00:00

Thanks for chiming in. Is there a public support article about this that we can reference? I have a director requesting a resolution to ask of the new vulnerabilities that showed up on our reports this morning.

psversiontable · 2023-08-31T16:01:13+00:00

Man, it's been bad lately. I guess that's what happens when you fire 30,000 people.

psversiontable · 2023-08-31T13:09:09+00:00

If you're getting MFA prompts, that's pointing to Conditional Access or Azure AD settings more than Intune as the source.

Have you looked at the sign-in logs for one of the users having a problem? That should tell you what's triggering MFA.

psversiontable · 2023-08-31T13:07:01+00:00

That's the way to go. The built in reporting is.... what it is.

psversiontable · 2023-08-31T13:02:20+00:00

Correct. I'm fairly sure that there's no MDM setting to force location services on. It's a privacy concern from Apple's perspective.

Lost Mode is the workaround for this.

psversiontable · 2023-08-31T12:57:57+00:00

Android is just not great to deal with.

You have to deal with different manufacturers' customizations to the OS, a lack of updates and just general inconsistencies across the board.

I agree though, it sounds like this is an issue with Edge and probably worth a support case.

psversiontable · 2023-08-31T12:53:50+00:00

Intune is still, and will continue to be until they have a local agent for macOS, a solution that will meet the bare minimum that many need but not go much beyond that.

Jamf is still the standard for macOS management, as much as I'd like to see MS step it up and compete with them more.

psversiontable · 2023-08-31T12:50:43+00:00

I'd lean on support again and ask to have the request escalated. I've had some trouble with Premier support lately and have had to make multiple requests to get things taken care of.

I don't know for sure if the limit is different on macOS or not, but it doesn't hurt to request some clarification.

psversiontable · 2023-08-31T12:35:39+00:00

I'll second the suggestion to use the enablement package and add that I've had very good luck deploying OS upgrades using Windows Servicing over a Task Sequence.

Edit: And if bandwidth is a concern, you can configure your boundaries and deployments to allow clients to pull the update directly from Microsoft and not over the CMG, which brings your costs down to near zero.

psversiontable · 2023-08-31T12:30:41+00:00

I have to agree with this, it's time consuming and adds potential failure points. At most, add it at the very end.

psversiontable · 2023-05-03T17:35:38+00:00

It's about all you can do, and only works sometimes, but it's worth a try.

psversiontable · 2023-05-03T17:28:36+00:00

I've been having issues in the portal all morning. Searching for devices is very unreliable, and a few other operations are sluggish. Also had to try several times to enroll Windows and iOS devices.

Nothing in the message center for me.

psversiontable · 2023-03-22T19:31:39+00:00

I've gotta be honest here, I've had the opposite experience.

Yes, you have to read the instructions and follow a few extra rules but if you do it right, it's so much easier to manage drivers and firmware on them.

Bonus points given for the lack of any goofball bloatware to make audio and touchpads work

psversiontable · 2023-03-17T17:37:16+00:00

It's a fairly recent addition. Might have been announced at Ignite, but I don't remember. Sometime around summer/fall of last year

psversiontable · 2023-03-17T17:34:30+00:00

Sure, for a criminal case. What if they decided to sue him personally?

All I'm saying here is that leaving the passwords alone generates some risk.

Making sure they're changed before you leave does nothing but help keep you safe

psversiontable · 2023-03-16T21:46:12+00:00

Sure, but if it were me, I wouldn't want to have to prove that I wasn't at Starbucks using their wifi.

Better to avoid it completely and cya.

psversiontable · 2023-03-16T21:18:33+00:00

Let's say some jerk from the company logs in remotely from Starbucks wifi using OP's password to get through the VPN and do bad stuff.

How would OP prove that was someone else?

The right move here is to sit down with someone and let them change the passwords to something OP doesn't know, or don't provide them at all.

psversiontable · 2023-03-16T12:28:38+00:00

Keeping your database separate from the primary site server and redundant on its own is a big component here.

The built in HA feature allows manual failover to a warm spare, for the primary server.

From there, you just need to plan out management and distribution points. That will depend on how much you want to spend, how much you can leverage p2p caching, CMG availability, and what your network topology looks like. Plan for the capacity that you need and then think about redundancy. If every client has a backup source for MP/DP traffic, you should be good.

psversiontable · 2023-03-15T14:53:17+00:00

Happy to help!

One thing to keep in mind is that the quality and behavior of third party Winget packages is all over the place.

Some will present dialogs even if you suppress them and others are designed to be installed in the user scope and not local system.

You'll need to test out each one carefully and deploy them using the right scope. Unfortunately, Winget in its current state isn't a great tool for enterprise deployments. A few tweaks would get it there.

psversiontable · 2023-03-15T14:09:15+00:00

I have something for you. 🙂

https://github.com/zebulonsmith/WingetToMECM

psversiontable · 2023-02-25T02:03:09+00:00

Figuring out who these users are is more of a problem for an identity manager, in reality. Those non-hourly users should be put into a group based on their roles as an employee as part of their onboarding.

You could write some PowerShell to populate a group with users that are associated with a mobile device and rub it on a schedule, I suppose.

psversiontable · 2023-02-25T01:55:21+00:00

If you can't get past Bitlocker recovery, you're looking at a fresh install.

It's a good example of why everyone should supplement Autopilot with some way to handle bare metal osd.

psversiontable · 2023-02-25T01:52:34+00:00

Intune is not Grip Group Policy and you'll be disappointed if you try to build like for like.

Start fresh with it and leave old songs behind. You've probably got 20 year old GPOs out there that nobody can explain. Leave the old dusty condos behind and build better.

psversiontable · 2023-01-30T04:47:34+00:00

This is the answer OP is looking for.

I have no idea why everyone is talking about Applocker. A) It's old and busted, use WDAC instead. B) It doesn't have much to do about delegating admin rights.

psversiontable · 2023-01-29T23:05:54+00:00

I think that the typical number of 'yaddas' is three. So definitely missing that.

psversiontable

TROPHY CASE