What's better on a Friday afternoon than dropping a blog about the use of HAADJ and how it fits into "Modern Management"?
https://t.co/GRouba3jET
#MSIntune #HAADJ #Autopilot #CloudNative
Massive Security win! You can now manage policies for #VSCode in #Intune!
As of the #Windows June Preview Update (26200.8524), MS have unblocked the VSCode ADMX registry path, meaning that uploading the ADMX shipped with a VSCode install allows you to create a policy to deploy allowed extensions (either by publisher or individually), as well as things like controlling chat capabilities and MCP servers - all of which have been proven to be serious supply chain attack or data exfiltration risks!
VSCode policy docs: https://t.co/A2Ceq6etFE
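As an added illustration (not code from the post or from the VS Code project), this small evaluator applies an allowed-extensions policy value of the kind described above to an inventory of extension IDs, showing how publisher-level and per-extension entries interact. The policy and the installed-extension list are constructed, and the matching rules are an assumption modelled on the documented setting: a per-extension entry overrides its publisher's entry, and anything not covered is blocked.

```python
import json

# Constructed sample policy value, in the JSON-object shape the
# allowed-extensions setting uses (assumed shape, constructed content).
ALLOWED_EXTENSIONS_POLICY = json.dumps({
    "microsoft": True,          # allow every extension from this publisher
    "ms-python.python": True,   # allow one specific extension ...
    "ms-python": False,         # ... but block the rest of that publisher
    "rust-lang.rust": False,    # explicit per-extension block
})


def evaluate_policy(policy_json: str, extension_ids: list[str]) -> dict[str, bool]:
    """Return {extension_id: allowed} for each ID under the given policy.

    Matching rules (assumed, modelled on the documented setting):
      1. an entry keyed by the full 'publisher.name' ID wins,
      2. otherwise an entry keyed by the publisher alone applies,
      3. an optional '*' entry sets the default for everything else,
      4. with no '*' entry, unlisted extensions are blocked.
    Keys are compared case-insensitively, as extension IDs are.
    Version pins (string values) are simplified to 'allowed'.
    """
    policy = {k.lower(): bool(v) for k, v in json.loads(policy_json).items()}
    default = policy.get("*", False)
    verdicts: dict[str, bool] = {}
    for ext_id in extension_ids:
        key = ext_id.lower()
        publisher = key.split(".", 1)[0]
        if key in policy:
            verdicts[ext_id] = policy[key]
        elif publisher in policy:
            verdicts[ext_id] = policy[publisher]
        else:
            verdicts[ext_id] = default
    return verdicts


def blocked_extensions(policy_json: str, extension_ids: list[str]) -> list[str]:
    """Sorted list of the IDs the policy would block; handy for a compliance report."""
    return sorted(e for e, ok in evaluate_policy(policy_json, extension_ids).items() if not ok)


if __name__ == "__main__":
    # Constructed inventory of extensions found on an endpoint (hypothetical IDs).
    installed = ["ms-python.python", "ms-python.debugpy", "Microsoft.example-ext",
                 "rust-lang.rust", "some-publisher.mcp-helper"]
    for ext, allowed in evaluate_policy(ALLOWED_EXTENSIONS_POLICY, installed).items():
        print(f"{ext}: {'allowed' if allowed else 'BLOCKED'}")
```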
@AdamGell Nah. First it's imported ADMX which adds all sorts of nightmares. Even if it were in Settings Catalog, it's an additional app install, and who am I to say what extensions your company should trust?
@KiPos_info I agree the next step is having these just native in Settings Catalog and will be moaning ad nauseam to this effect... But you gotta start somewhere!
@SasStu @NathanMcNulty Also this.
I tried to update my OIB M365 Apps policies to the latest baseline with my latest release but noticed some settings were still MIA. Frustrating indeed.
3.10.3 Released. Added Win32 app Install/Uninstall script support and Windows Quality Update Policies. Fixed category import, JSON property order for Git tracking + multiple documentation fixes. See https://t.co/fFctA4XZkj for more info
So that's basically the entire point of the OIBID I've added. If the GUID in the description matches, it doesn't matter what the policy name is (which was my first crude implementation).
The only thing I'm not doing (cos it's much harder to do) is per-policy settings checks.
🚨 #OIB #Windows v3.8 & #OIBDeployer updates!
I've just released v3.8 of the Windows OIB, which adds some cool things, as well as squashing a bunch of #community submitted bugs! Most importantly, I'm adding policy tracking through unique "OIBID"s, meaning much more flexible options when it comes to policy management through my OIB Deployer tool!
Speaking of which, I've updated that too! A small face-lift (including dark mode!), API call improvements, and the functionality to support the new OIBID checks.
Full Windows v3.8 Changelog here: https://t.co/Y6XDkjCNJy
Deploy or Update it in your tenant here: https://t.co/UIOdOJhO9g
To everyone that continues to provide support, feedback, and trust in this little project that's gotten way bigger than I ever thought it would - Thank you. 💛
@marrrkkkuuu @Mister_MDM Much easier to just deploy a Local Group Management policy to remove anything you don't specifically want in that group out of it anyway rather than relying on compliance.
@snr_boost @JenMsft I mean there's plenty of awful things I've seen IT teams do...
That's definitely not the behaviour I'd expect to get though. Any colleagues seeing the same thing?
I'm going to go against the grain here and say that the knee-jerk reaction happening after the #Stryker incident is stupid.
All of a sudden I'm seeing tons of security people now shouting that #Intune Multi Admin Approval needs to be deployed, yet for years they've not even considered that a device management platform is a core part of an org's security posture.
What's worse is from my personal experience presenting topics on this exact issue, they've been actively gatekeeping security from your endpoint management teams, creating a horrible siloed culture.
Stryker wasn't a critical failure in the endpoint management platform, it was just another Identity-driven attack where the proper attention to controls around least privilege, Conditional Access and authentication enforcement had been poorly implemented.
Intune RBAC and Multi Admin Approval provide strong additional layers of security, but both come at a significant cost to day-to-day operational overhead that many orgs are just NOT prepared or set up to deal with.
While I'm glad that it's making security folk realise that Device Management IS Security (something I've been banging on about for years at this point), you don't get to suddenly demand implementation of a thing just because you read something on the internet when you haven't done your part in shoring up security gaps.
Stop living in a silo, collaborate, engage. Security is everyone's responsibility, and only working together will provide positive outcomes.
@RustySowers That's such dated thinking. The "all eggs in one basket" isn't a problem. It's the siloed nature of properly implementing the tools available that causes breaches.
Good luck adequately reducing security gaps in a bunch of products that struggle to talk to each other properly.
Reduce your Intune Admins and use Intune RBAC and restricted admin units. Segregate device management into groups to decrease the blast radius. Treat Intune Admins like Global Admins. Require PIM with approvals. I've been saying this since before it was popular.
As unpopular as this may sound right now, Microsoft is not to blame. They wrote about how to do all this in their documentation, but nobody does it.
You have to keep in mind that it could have been a Global Admin too. In that case, the situation is even more dire.
The vast majority of orgs are still hybrid. If the compromise was of the on-prem AD, not much you can do because you can pivot to an Intune Admin's device and use the APIs. This is why your EDR should be throwing high alerts when admin machines stop checking in and you should validate visibility on those machines. Managing admin machines is really really hard. Admins write code, run scripts, and look like they are compromised all the time when they're not.
An employer making a decision that you have to enrol BYOD is clueless that BYOD is a service they're providing.
If anyone tried to force me to enrol a device for the pleasure of getting bugged in my own time, I'd tell them where to swivel. Everyone else should too.