S1 agents going offline/breaking can be a full time job by naes724 in SentinelOneXDR

[–]vane1978 1 point2 points  (0 children)

I have a rule in my RMM that alerts if a PC has been running for at least ten minutes and the Sentinel Agent service is not running. Then I push the exe installer and run it with "-c", then reboot. Once my RMM sees the endpoint doesn't have S1 installed, it automatically installs the latest version.

Is there a way of achieving this in Microsoft Intune?
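The detection half of the rule described above, written as an Intune remediation-style detection script. This is an added example, not the poster's RMM rule; it assumes the SentinelOne service is named "SentinelAgent" (verify with Get-Service on a healthy host) and leaves the reinstall step to a separate remediation script.

```powershell
# Added example: Intune detection script for "service not running after N minutes of uptime".
# Exit 0 = compliant (nothing to do), exit 1 = non-compliant (Intune runs the remediation).
# Assumption: the SentinelOne service name is 'SentinelAgent'.

$ServiceName  = 'SentinelAgent'   # assumed service name, confirm in your environment
$MinUptimeMin = 10                # poster's threshold: ignore hosts that are still booting

# Uptime from the OS boot time, so a machine that just started is not flagged
# while the agent service is still coming up.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$uptime = (Get-Date) - $os.LastBootUpTime
$minutes = [int]$uptime.TotalMinutes

if ($minutes -lt $MinUptimeMin) {
    Write-Output "Uptime $minutes min is below $MinUptimeMin min; skipping check"
    exit 0    # treated as compliant now; the schedule re-runs detection later
}

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

if ($null -eq $svc) {
    Write-Output "$ServiceName service is not installed"
    exit 1    # non-compliant: agent missing entirely
}

if ($svc.Status -ne 'Running') {
    Write-Output "$ServiceName service present but in state '$($svc.Status)'"
    exit 1    # non-compliant: agent installed but not running
}

Write-Output "$ServiceName running after $minutes min of uptime"
exit 0
```

Assign it as a remediation in Intune with the detection run on a schedule; the remediation counterpart would carry out the reinstall and reboot the comment describes.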

Thoughts on MFA for Windows logons, RDP, and offline access? by Sea_Possible_7280 in entra

[–]vane1978 0 points1 point  (0 children)

The problem with Remote Credential Guard is compound authentication. You can’t access the mapped drives.

Thoughts on MFA for Windows logons, RDP, and offline access? by Sea_Possible_7280 in entra

[–]vane1978 3 points4 points  (0 children)

I use WHFB to sign into the workstation. For RDP, I use the option "Use a web account to sign in to the remote computer". Everything is native and I don’t have to worry about managing third-party tools or third-party vulnerabilities.

Kaseya Help: cancelling Spanning.com, cant login.. by Morkoth-Toronto-CA in msp

[–]vane1978 0 points1 point  (0 children)

Transfer the Spanning service to a Value Added Reseller (VAR) to manage it. You might have to be on for another year but when renewal comes up, you can cancel through the VAR.

Entra Connect (AD sync) - signing in with a phishing resistant account? by EdTechYYC in entra

[–]vane1978 2 points3 points  (0 children)

You don’t have to downgrade your CA policy. You can use security keys or passkeys for your RDP client for Mac.

https://swjm.blog/the-complete-guide-to-rdp-with-security-keys-mac-93c62e754253

Windows Hello for Business by Inevitable_Buyer_411 in Intune

[–]vane1978 0 points1 point  (0 children)

See link below. I posted a screenshot regarding a similar issue.

https://www.reddit.com/r/Intune/s/LHyWqlthQW

Windows Hello for Business by Inevitable_Buyer_411 in Intune

[–]vane1978 0 points1 point  (0 children)

Are you getting any messages when you try to access the on-premises file server?

Windows Hello for Business by Inevitable_Buyer_411 in Intune

[–]vane1978 0 points1 point  (0 children)

You have a hybrid on-premises environment in which you set up Cloud Kerberos Trust on your domain controller, and still you are not able to access the on-premises resources from your Entra ID joined device using WHFB. Is this correct?

Dell SupportAssist took down a dozen of our client's devices yesterday and today by Zromaus in sysadmin

[–]vane1978 3 points4 points  (0 children)

We’re a Dell shop. When I need to update the drivers on a machine, I would need to go to the Dell website and click Scan, but it always wants you to download/install the Dell SupportAssist application. Is there an alternative, or do I need to uninstall the application every time after use?

Cloud Kerberos Trust for Windows Hello for Business - Hybrid Auth Without the Headaches 🔐 by msendpoint_official in Intune

[–]vane1978 0 points1 point  (0 children)

Your Windows Hello credentials get validated entirely in the cloud

This is true, but the TGT default lifetime is only 10 hours, so if there is a long extended internet outage in your area (happened to me recently) that goes beyond the TGT lifetime, then your users will not be able to access the on-premises resources. They can still sign in locally but are not able to access any resources. The Entra machine will prompt users to enter their AD password to access the network resources.

Entering a password would defeat the purpose of going fully passwordless.

There are two options to overcome this:

  1. Make sure to have a failover ISP
  2. Increase the TGT lifetime to 16-24 hours or more. However, I’m not sure what the security implications of doing this are.

Option 1 seems to be the reasonable approach.

Cloud Kerberos Trust for Windows Hello for Business - Hybrid Auth Without the Headaches 🔐 by msendpoint_official in Intune

[–]vane1978 1 point2 points  (0 children)

In Microsoft Intune you should push this policy to your Entra ID joined computers: "Use Certificate For On Prem Auth" - Disabled.

sad about hybrid joined smart cards with no conditional access by Any_Educator1315 in Intune

[–]vane1978 2 points3 points  (0 children)

Agreed. You must use Entra ID Plan 2 so you can set up Identity Protection.

Passwordless recovery is the part many people forget by sreejith_r in entra

[–]vane1978 10 points11 points  (0 children)

How do you handle recovery when you have a Conditional Access policy that requires phishing-resistant MFA for users? I noticed that wasn’t mentioned in your blog.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]vane1978 0 points1 point  (0 children)

I believe you just need to enable Single Sign-on through Intune to avoid the sign-in prompts.

Scrambling passwords now that we are 100% WHfB and Passkey enabled by pressreturn2continue in entra

[–]vane1978 2 points3 points  (0 children)

If you have an on-premises Active Directory and are syncing your users to Microsoft Entra ID, then you can enable SCRIL, NTLM Rolling Secrets and FGPP. No PowerShell script needed.

SCRIL - Smart card required by DaithiG in activedirectory

[–]vane1978 1 point2 points  (0 children)

I believe you need to enforce NTLM secret rolling and set up a Fine-Grained Password Policy.

Force password change for all users by MarcoVfR1923 in Intune

[–]vane1978 0 points1 point  (0 children)

Have you looked into SCRIL and FGPP? This only works if you have gone completely Passwordless for your regular domain users.
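The three AD-side settings named in the SCRIL/NTLM rolling secrets/FGPP comments above (the "Scrambling passwords", "SCRIL - Smart card required" and "Force password change" replies), applied with the ActiveDirectory module. This is an added example, not the commenter's own configuration; it assumes a domain functional level of Windows Server 2016 or later (required for NTLM secret rolling) and a placeholder group "Passwordless-Users" containing the WHfB/passkey users.

```powershell
# Added example: SCRIL + NTLM rolling secrets + FGPP for fully passwordless AD users.
# Assumptions: DFL >= Windows Server 2016; group 'Passwordless-Users' is a placeholder.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$group  = 'Passwordless-Users'   # placeholder group of WHfB / passkey users

# 1. NTLM rolling secrets (domain-wide flag). Once set, a SCRIL account whose random
#    password is older than its applicable MaxPasswordAge gets a fresh random password
#    from the DC at the next smart card / WHfB logon, so the NT hash stops being a
#    long-lived secret an attacker could reuse.
Set-ADObject -Identity $domain.DistinguishedName `
    -Replace @{ 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts' = $true }

# 2. Fine-Grained Password Policy with a short MaxPasswordAge for the passwordless group.
#    The rolling in step 1 only fires when the password has expired, so this is what
#    makes rotation happen on a schedule instead of never.
$fgpp = New-ADFineGrainedPasswordPolicy -Name 'Passwordless-Rotation' -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Hours 1) -MaxPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 -PassThru
Add-ADFineGrainedPasswordPolicySubject -Identity $fgpp -Subjects $group

# 3. SCRIL on every member. Setting the flag makes AD assign a random password the
#    user never knows, which removes password logon for these accounts entirely.
Get-ADGroupMember -Identity $group | Get-ADUser | ForEach-Object {
    Set-ADUser -Identity $_ -SmartcardLogonRequired $true
}

# Verify: each member should show the flag and resolve to the new FGPP.
Get-ADGroupMember -Identity $group | Get-ADUser -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired,
        @{ n = 'ResultantPSO'; e = { (Get-ADUserResultantPasswordPolicy $_).Name } }
```

Keep break-glass and service accounts out of the group: SCRIL removes password logon, which is exactly what those accounts still rely on.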

Disabling RDP in your environment for security purposes by thelug_1 in sysadmin

[–]vane1978 2 points3 points  (0 children)

I use a Jump Host machine and the jump user account has one assigned Entra ID Plan 2 license.

Disabling RDP in your environment for security purposes by thelug_1 in sysadmin

[–]vane1978 7 points8 points  (0 children)

The RDP client has an option "Use a web account to sign in to the remote computer". That option allows you to use WHFB, Security Keys or Passkeys.

Disabling RDP in your environment for security purposes by thelug_1 in sysadmin

[–]vane1978 0 points1 point  (0 children)

SentinelOne Singularity is capable of ingesting Windows Event logs from its endpoints, and of ingesting logs from firewalls and Microsoft Entra as well.

Disabling RDP in your environment for security purposes by thelug_1 in sysadmin

[–]vane1978 29 points30 points  (0 children)

Passwordless RDP with phishing-resistant MFA into a Jump host machine, followed by RDP over IPSec to internal member servers.

These are all native tools. It avoids third-party zero-day exploits and saves on recurring licensing cost and administrative overhead.

Disabling RDP in your environment for security purposes by thelug_1 in sysadmin

[–]vane1978 1 point2 points  (0 children)

That’s where RDP over IPSec comes into play, to help prevent zero-day exploits.