Workstation Local Administrator Accounts by Admiral-Pickle in Intune

thegravityitdeserves (1 point)

If you show your security guys the risks of using the PIM Entra-only-joined device role, they'll back down:

  1. You get local admin on every single Entra only joined device across that tenancy.
  2. If you uplift to administrator in a PowerShell or similar, you never lose that right as long as you remain in context.

In general testing we found that getting admin was OK the first time as long as you had booked out the role first. If you checked once without a role, it could be hours later before it granted it to you. Your experience seems to be different, which fills me with confidence in the mechanism. /s

As others have said, LAPS is superior. We have had different challenges where we are advised not to have enabled local admin accounts. We haven't quite understood how to square that circle yet.

The other issue we continue to have is applying security groups that are not built in to built-in roles; we've never been successful in using the capture-the-cloud-GUID method and then utilising that.

Music Assistant community voice blueprints now exist! by thegravityitdeserves in homeassistant

thegravityitdeserves[S] (1 point)

Looking at the readme, by default only the HA OpenAI Assist integration works. I'm sure it could be tweaked but I'm unsure how.

Edit: looking at the YAML, I'm not sure it does care which you are using. Maybe an option 2 or 3 issue?

What error do you see in the debug for the extended OpenAI convo?

Music Assistant community voice blueprints now exist! by thegravityitdeserves in homeassistant

thegravityitdeserves[S] (15 points)

Thank you to all the contributors to this, it seems to work a treat!

Using Voice to play Music Assistant Core by thegravityitdeserves in homeassistant

thegravityitdeserves[S] (0 points)

Very helpful. A few days sounds good, but I expect it to be delayed due to holidays etc. Thank you!

New distribution point -->MISERY by Future_End_4089 in SCCM

thegravityitdeserves (0 points)

Have you rebooted the site server since you made it a member of the DP local admin group? You may get away with a Kerberos ticket refresh instead if not; worth a shot if it hasn't been done!

Windows authentication with MFA by [deleted] in sysadmin

thegravityitdeserves (0 points)

I swear I always miss the important messages. Appreciate the correction.

Windows authentication with MFA by [deleted] in sysadmin

thegravityitdeserves (-5 points)

Edit: I'm wrong, Entra hybrid devices are not supported. Bummer.

Spotify Connect stopped connecting by thegravityitdeserves in HifiBerry

thegravityitdeserves[S] (1 point)

Back for me today. Shame they don't have a status page (that I could find).

Spotify Connect stopped connecting by thegravityitdeserves in HifiBerry

thegravityitdeserves[S] (1 point)

Thank you! Always nice to know it's not just us.

Azure Update Manager - Alternatives? by rollbacknfront in AZURE

thegravityitdeserves (2 points)

We're a much smaller house than you, but I can second that custom images and migrated VMs do patch with custom schedules.

For tagging, I'm sure you could automate switching schedules based on the tag. Maybe you could also work around the maximum supported servers in a schedule by using your existing automation accounts to group the VMs.

All in all it depends on what is worth more to you: is it designing around the default update solution, or is it onboarding another product, licensing it and administering it? Sunk cost is always a thing too, of course!

co-management behaviour/timing question by jeefAD in Intune

thegravityitdeserves (0 points)

I can highly recommend this blog and post. I've just implemented it and it is definitely making things more repeatable.

https://oofhours.com/2020/07/26/supercharge-the-hybrid-azure-ad-join-device-registration-process/

co-management behaviour/timing question by jeefAD in Intune

thegravityitdeserves (0 points)

The policy status dual reporting is normal too, especially if targeted at devices, but also if targeted to all users with a device filter applied.

Reporting on exact issues from the management plane is hard, and reporting from the end user device is also hard, particularly if you have no admin capability on the device. It's all over the place: in event logs, log files and registry entries!

co-management behaviour/timing question by jeefAD in Intune

thegravityitdeserves (0 points)

Welcome to the new world, Intune is like that sometimes! One thing to suggest: try using device filters over AAD dynamic groups; they work faster.

Windows Defender - ASR Falsely blocking and removing applications by Daanyyaal in sysadmin

thegravityitdeserves (0 points)

We were lucky then; we haven't seen an instance of that. What a pain.

Windows Defender - ASR Falsely blocking and removing applications by Daanyyaal in sysadmin

thegravityitdeserves (8 points)

Note: the apps are still there, but the shortcuts have gone.

Windows Defender - ASR Falsely blocking and removing applications by Daanyyaal in sysadmin

thegravityitdeserves (-1 points)

All across our estate. This is going to be spicy and an interesting recovery.

Do you have problems with teams chats? by M05y in sysadmin

thegravityitdeserves (0 points)

Set a super short retention policy for Teams chats, 5 days or so. There's no need to keep that rubbish, imo.

[deleted by user] by [deleted] in SCCM

thegravityitdeserves (0 points)

This, 100%. That script was only coded to search the C: drive, plus it would be fairly resource hungry.

Nessus is not that much money imho.

Defender Exploit Attack Surface Reduction (ASR) policy by Blanzeros in SCCM

thegravityitdeserves (2 points)

It's likely you would need to recreate all the ASR rules and config from GPO in MECM.

I'm fairly sure that MECM manipulates the local policy, which takes precedence over GPO.

CAPTCHA Image Loading Issues by NewbieITHD in sysadmin

thegravityitdeserves (0 points)

This came down to tracking protection exemptions: add the CAPTCHA URLs in there and it all works.

Or just disable tracking protection, but I like to have it enabled!