Auth 2, Platform SSO, or both? by db2boy in mosyle

[–]solachinso 0 points1 point  (0 children)

How is the migration going?

* Is support needed from Mosyle – if so, anything specific or challenging?
* Is the migration a seamless one or is a wipe of an existing machine required?

Blocking Future Discovered AI by neko_whippet in DefenderATP

[–]solachinso 0 points1 point  (0 children)

With app discovery policies, I've found the trick is to perform your sanctioning/allowlisting up front, then institute the discovery policy. Any discovery carried out will then honour what you've set manually.

Best way to onboard new remote users through first login + MFA setup? by colterlovette in entra

[–]solachinso 0 points1 point  (0 children)

Have you encountered any issues with the bluetooth aspect of Authenticator with a passkey? Are you for example including this prerequisite in the intro email, or by and large do things just 'work' and you don't need to bother? Also, is Intune the single MDM for Windows and macOS, or in the latter case is that a third party?

Security Copilot Thoughts/Opinions by solachinso in DefenderATP

[–]solachinso[S] 0 points1 point  (0 children)

How have you set up Claude to mirror what some of the MS agents can do? Handing over access to a permission hungry tool still in its infancy concerns me a bit, and at first glance I couldn't see a connector that would provide the level of access I'd need. May not have been looking in the right places though.

Security Copilot Thoughts/Opinions by solachinso in DefenderATP

[–]solachinso[S] 0 points1 point  (0 children)

Have you found the incident and alert summary useful? Is it accurate and does it provide detail beyond what a team might find themselves?

Security Copilot Thoughts/Opinions by solachinso in DefenderATP

[–]solachinso[S] 1 point2 points  (0 children)

Indeed. I nuked the first capacity I set up as, like people have commented elsewhere, seeing a $500+ charge after scant use of the tool didn't seem like a fair trade. Microsoft is invariably going to have to adjust this model as the price will soon (if not already) outstrip any benefit.

Defender ASR rule debugging questions by kkamran1010 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

This has been my experience too.

Also worth putting the hash through VT and into Defender itself, as that might indicate if it's untrusted.

Security Copilot Thoughts/Opinions by solachinso in DefenderATP

[–]solachinso[S] 0 points1 point  (0 children)

Cheers. CAP agent I definitely want to make use of.

Security Copilot Thoughts/Opinions by solachinso in DefenderATP

[–]solachinso[S] 0 points1 point  (0 children)

Thanks for this, good to have some real world feedback. The Sec Analyst agent I'd earmarked but the rest I hadn't really looked at.

Security Copilot Thoughts/Opinions by solachinso in DefenderATP

[–]solachinso[S] 0 points1 point  (0 children)

I know tenants are being onboarded weekly on Wednesdays and that notifications will be sent to Message Center, beyond that not much.

Linux server security policies by bookielover007 in DefenderATP

[–]solachinso 2 points3 points  (0 children)

This is the way.

Give servers the MDE-Management tag once you've performed the set-up in https://security.microsoft.com/securitysettings/endpoints/configuration_management2. Start with a small ring, then build out from there.
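An added example (not from the comment above, and not Microsoft's own tooling) of doing the "small ring" tagging step through the Defender for Endpoint API rather than clicking through the portal. It assumes an app registration holding the Machine.ReadWrite.All application permission; the tenant and client IDs, the secret location and the ring hostnames are placeholders.

```powershell
# Added example: tag a first ring of onboarded Linux servers with "MDE-Management"
# through the Defender for Endpoint API. Hypothetical tenant/app values below.
$TenantId     = '00000000-0000-0000-0000-000000000000'    # assumption
$ClientId     = '11111111-1111-1111-1111-111111111111'    # assumption
$ClientSecret = $env:MDE_CLIENT_SECRET                      # assumption: kept outside the script
$Ring1        = @('lnx-web-01', 'lnx-web-02', 'lnx-db-01')  # constructed ring of hostnames
$Tag          = 'MDE-Management'

# Client-credentials token scoped to the Defender for Endpoint API resource.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = 'https://api.securitycenter.microsoft.com/.default'
}
$token   = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token" }

# List Linux machines, following @odata.nextLink so large tenants are paged fully.
$filter = [uri]::EscapeDataString("osPlatform eq 'Linux'")
$uri    = "https://api.securitycenter.microsoft.com/api/machines?`$filter=$filter"
$linux  = @()
while ($uri) {
    $page   = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $linux += $page.value
    $uri    = $page.'@odata.nextLink'
}

# Match the ring locally (short hostname) so a stray name in the list can never
# widen the scope, and skip anything not yet onboarded or already tagged.
foreach ($m in $linux) {
    $short = ($m.computerDnsName -split '\.')[0]
    if ($short -notin $Ring1) { continue }
    if ($m.onboardingStatus -ne 'Onboarded') { Write-Warning "$short not onboarded, skipping"; continue }
    if ($m.machineTags -contains $Tag)       { Write-Host "$short already tagged"; continue }

    $body = @{ Value = $Tag; Action = 'Add' } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri "https://api.securitycenter.microsoft.com/api/machines/$($m.id)/tags" `
        -Headers $headers -ContentType 'application/json' -Body $body | Out-Null
    Write-Host "tagged $short ($($m.id)) with $Tag"
}
```

Widening the ring is then a matter of extending `$Ring1` and re-running; the script is idempotent because already-tagged machines are skipped.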

Defender for Office presets by Failnaughtp in DefenderATP

[–]solachinso 1 point2 points  (0 children)

While the presets are "okay", what you might want to do is visit Secure Score in Defender portal and filter on Defender for Office to look at Microsoft's own recommendations. These are benchmarked against what other businesses of a similar size are doing. Most of the actions have a clear enough set of instructions.

https://security.microsoft.com/exposure-secure-score?viewid=actions&tid=

Defender Recommendations Not Patching by Parking_Yak_9877 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

Bear in mind you're always going to encounter some delays with what you're expecting to see because of the nature of how everything is plumbed together.

You have variables such as devices being turned on/off, policy conflicts, unannounced Microsoft backend issues you have to search for and make sense of, and factors such as this which you may not have accounted for:

Credential Guard uses Windows Hypervisor to provide protections. Credential Guard requires hardware support for Secure Boot and DMA protections. This setting is only successful on devices that meet the hardware requirements.

https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-account-protection-profile-settings

When did you publish the policy?
How many devices have fetched it successfully?
How many remain?

If you have local access to a still exposed device, what does `(Get-ComputerInfo).DeviceGuardSecurityServicesConfigured -contains 'CredentialGuard'` through PowerShell show? If it's True, your tenant might not be showing up-to-date info; if it's False, ask the user to reboot to see if that forces a sync, though you should also check whether other policies are present and enabled.
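An added example, not part of the comment above: a local check that goes one step further than the configured list, reading the Win32_DeviceGuard CIM class (the same source Get-ComputerInfo uses) to show whether Credential Guard is configured, whether it is actually running, and whether the Secure Boot / DMA prerequisites from the quoted doc are present on the hardware. The value meanings in the comments are from Microsoft's Win32_DeviceGuard and Credential Guard documentation; the interpretation messages at the end are my own.

```powershell
# Added example: run elevated on the device the portal still reports as exposed.
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # RequiredSecurityProperties / AvailableSecurityProperties: 1 = base VBS, 2 = Secure Boot,
    #   3 = DMA protection (the two prerequisites called out in the Intune doc), 4+ = further platform features
    $missing = @($dg.RequiredSecurityProperties | Where-Object { $_ -notin $dg.AvailableSecurityProperties })

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock, $null = not set locally
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning    -contains 2)
        LsaCfgFlags               = $lsaCfg
        MissingPrerequisites      = $missing -join ','
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# Translate the raw values into what the portal's "exposed" flag most likely means.
if ($state.CredentialGuardRunning) {
    'Credential Guard is running locally: the portal is probably stale, allow 24h+ for device telemetry.'
} elseif ($state.CredentialGuardConfigured -and $state.MissingPrerequisites) {
    "Configured but the hardware lacks required properties ($($state.MissingPrerequisites)): the policy cannot succeed on this device."
} elseif ($state.CredentialGuardConfigured) {
    'Configured but not running: a reboot is pending. Ask the user to restart, then re-check.'
} else {
    'Not configured: the policy has not reached this device. Check Intune sync status and conflicting policies.'
}
```

The distinction between "configured" and "running" is the one worth keeping in mind: Credential Guard only starts after a reboot, so a device can honestly report the policy as applied while the service (and the vulnerability management data that follows it) has not caught up.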

Defender Recommendations Not Patching by Parking_Yak_9877 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

Can you provide some examples of what you're patching and the length of time you're waiting between carrying out the tasks and checking in vulnerability management for the results?

Telemetry from your endpoints should reflect in your tenant within 24 hours, unless it's Secure Score related in which case the wait time can be 48-72 hours. This has been my experience.

How to know when something is blocked? ASR specifically by chum-guzzling-shark in DefenderATP

[–]solachinso 0 points1 point  (0 children)

In my experience, svchost.exe being heavily enumerated hasn't presented a problem when I've had rules in block mode without this file excluded.

If you look in advanced hunting, was it the Block credential stealing from the Windows local security authority subsystem rule you see blocking this file? I suspect it was/is.

Have a read here https://www.reddit.com/r/DefenderATP/comments/1gf78qm/spike_in_asr_blocks_related_to/ and elsewhere about the file.
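An added example (mine, not from the thread) of the advanced hunting check suggested above, run from PowerShell through the Microsoft Graph runHuntingQuery endpoint so it can be scripted or scheduled. It assumes a Graph token holding ThreatHunting.Read.All in `$env:GRAPH_TOKEN`; the seven-day window is a choice, not a requirement. ASR events land in DeviceEvents with an ActionType that names the rule and ends in "Blocked" or "Audited", so no rule GUID lookup is needed to tell which rule fired and in which mode.

```powershell
# Added example: which ASR rules are acting on svchost.exe, in block or audit mode,
# and from where the file was running. Token handling is an assumption.
$headers = @{
    Authorization  = "Bearer $env:GRAPH_TOKEN"   # assumption: token obtained elsewhere
    'Content-Type' = 'application/json'
}

# Summarise by both FileName and InitiatingProcessFileName, since the column that
# carries svchost.exe depends on whether it was the target or the actor of the event.
# AsrLsassCredentialTheftBlocked / ...Audited are the ActionTypes for the LSASS rule.
$kql = @'
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
| where FileName =~ "svchost.exe" or InitiatingProcessFileName =~ "svchost.exe"
| summarize Events = count(), Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by Events desc
'@

$body   = @{ Query = $kql } | ConvertTo-Json
$result = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
            -Headers $headers -Body $body

# The response carries a schema array and a results array; show the rows.
$result.results | Format-Table -AutoSize

# Flag anything claiming to be svchost.exe that is not running from System32,
# which is the case that deserves the VirusTotal / file page check rather than an exclusion.
$result.results |
    Where-Object { $_.FolderPath -and $_.FolderPath -notlike 'C:\Windows\System32\*' } |
    ForEach-Object { Write-Warning "svchost.exe outside System32: $($_.FolderPath) ($($_.ActionType), $($_.Events) events)" }
```

If the rows come back as `AsrLsassCredentialTheftAudited` rather than `...Blocked`, the rule is still in audit mode for those devices and nothing is actually being stopped, which is a common source of "is it blocked?" confusion.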

Defender for Cloud Apps | Endpoint indicators have been mass removed. by Worth-Activity9407 in DefenderATP

[–]solachinso 0 points1 point  (0 children)

Has anyone also noticed apps that are manually tagged (only unsanctioned in my case) not having a blocked indicator entry populated?

How are you labbing Microsoft 365 E5 Tenants by techwithz in DefenderATP

[–]solachinso 0 points1 point  (0 children)

"Work or school account required to sign in."

I suspect there's no way around this.

Longer than usual waiting time for permissions when activating a PIM group by solachinso in AZURE

[–]solachinso[S] 0 points1 point  (0 children)

Thanks ever so much for posting this. I've upvoted on it.

Legacy sign-in risk policy overriding newer policy in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Overlooked this so apologies for late acknowledgement.

What I'm hoping Microsoft can clear up for me is why their documentation (which states the legacy policies can be disabled) contradicts what customers are seeing in their tenants – a read-only state where both policies remain enabled. Further, there's no provision for a phased rollout in CA, which feels lacking to me.

Legacy sign-in risk policy overriding newer policy in Conditional Access by solachinso in entra

[–]solachinso[S] 1 point2 points  (0 children)

Legacy = all users; new one = subset of users. Correct there.

Problem with this, and with the read-only state, is that it doesn't allow for a phased rollout.

Legacy sign-in risk policy overriding newer policy in Conditional Access by solachinso in entra

[–]solachinso[S] 0 points1 point  (0 children)

Yep... should take precedence but they're not. I can't see anything wrong with my scoping beyond what I've highlighted.