User Profile
Matthias_VDB
Iron Contributor
Joined 7 years ago
Recent Discussions
Re: "sign-in frequency" every time not working as expected and described.
Update after some more testing.

Recap: We have the following setup in a test tenant with standard settings and the required P2 licenses:
- PIM-managed groups with only eligible memberships; the configuration requires an "Authentication context".
- The authentication context is custom-made for this use case and linked with, for now, one Conditional Access policy.
- The Conditional Access policy is configured to require phishing-resistant MFA, and Sign-in Frequency is set to "Every time". The policy is scoped to "all users".

The goal is to require MFA every time a user activates membership of one of those PIM-managed groups, as those provide access to administrative permissions. The expected behaviour, based on the Microsoft description, is that a user is required to provide MFA for the activation if there is more than 5 minutes between those activations.

Updated experience after more testing: the actual experience is very unpredictable:
- Sometimes no MFA is requested, even with the first logon, if the user activates their membership within 5 min after logging on to the Azure portal.
- Sometimes re-authentication with MFA is requested as expected.
- Most of the time MFA is requested the first time, but subsequent activations don't require re-authentication. It can happen that after 1 hour they do, or 20 min, or...

In addition, the behaviour is very different from browser to browser.

The Authentication Context is only used for this purpose. The tests were done in a tenant with no other active CA policies in place. The device is not joined to the tenant. The account which is logged on to the device is not the account used to log on to the tenant.

Due to the unpredictability, we can't provide steps for the reproduction of the issue, as it is also still not clear in which circumstances the behaviour is not as expected or described. I also assume this behaviour we experience is not "as designed".

Thanks for the advice and feedback!

"sign-in frequency" every time not working as expected and described.
We have several PIM-managed groups in an Entra ID tenant. Members are added as eligible. For the activation of the memberships an Authentication Context is created which is linked to a Conditional Access policy. The Conditional Access policy requires MFA with phishing-resistant authentication factors, and "sign-in frequency" is set to "every time". When activating membership, authentication is required. When activating membership to another group (>5 min between activations) one would expect an authentication prompt, as described in the Microsoft documentation. In Firefox this works as expected. In Edge and Chrome no re-authentication is required every time, and sometimes not even for the first activation, not even in an InPrivate session. The device is not joined to this tenant, and the account used to log on is different from the one used to log on to the Entra ID portal. This is a test tenant with only those CA rules configured; no other policies or rules are in place. Anyone experiencing the same, or knowing the cause?

Re: Manage eligibility for PIM managed groups using Access Packages
Added the following UserVoice entry, so everyone who is also missing this functionality, please upvote: https://feedback.azure.com/d365community/idea/6fce8514-6c0f-ee11-a81c-000d3a0d3715 Thanks a lot already!! 🙏🙏🙏🙏

Re: AAD sync creating on prem groups
You can use the option to write back the group distinguished name by using the cloud display name, as explained here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-group-writeback-enable#optional-configuration This should change the name which is written back and use the more human-readable form 🙂

Re: Manage eligibility for PIM managed groups using Access Packages
Hi, Creating the access package is not the issue, neither is adding the PIM-managed groups as a resource. The problem is that the role "Member - eligible" is not available. You can only assign the role "Member" or "Owner", which adds the user as an active member or owner of the PIM-managed group, not as eligible. Which renders the complete point of having PIM-managed groups useless.

Manage eligibility for PIM managed groups using Access Packages
Hi, I would like to use Catalogs and Access Packages to manage eligible membership of PIM-managed groups. I've created the AAD security groups and brought them under PIM management, I've built the catalog and added the groups as a resource, and I've created the access packages. When creating the access packages I can select the PIM-managed groups, but the only roles I can choose are "Owner" and "Member"; there is no option to select whether this role is to be assigned as "Active" or "Eligible". Since the whole point of using PIM-managed groups is to be able to use Eligible assignments, it seems a bit stupid that I can't assign users as eligible using access packages. So, two questions: Is there a way to assign the Group Membership role as eligible using access packages? If not, is it on the roadmap? If anyone has the link to vote this up, this is more than welcome! Thanks for your input already!

Re: Turning On Bing/Discovery in Edge via Intune
Hi DavidWanderer, Not sure about the "discover" functionality, but you can check the following: Manage the sidebar in Microsoft Edge | Microsoft Learn. The policies explained there will match the ones available in Intune (or at least you know what to look for, if not added in Intune 🙂): Configure Microsoft Edge policy settings for Windows using Microsoft Intune | Microsoft Learn. If the setting is not available in the default set of policies, you could always use ProcMon (Process Monitor - Sysinternals | Microsoft Learn) to figure out the registry location for this, but I assume this will be stored as a binary value.

Re: system crashes with green screen constantly in use or after use and when playing a game please fix
haemish110 Hi, More information is needed about the issue you are experiencing for someone to be able to fix this. The green screen is the same as a blue screen, but it is green because you are running a preview version of Windows. Probably this will be an issue with your graphics card drivers, but not sure without more information. When you get a Blue Screen (Green in your case), a memory dump is created (C:\Windows\xxxx.dmp). This memory dump can be analysed using tools such as DBGviewer. This can give an indication of the issue. (Don't send the dump to someone you don't trust, as this can contain confidential information.) On the green screen, you also get an error message and/or a QR code. This can already be helpful in analysing the issue. Further:
- what version of Windows are you running (type winver in a cmd prompt)
- what is the system information (hardware, drivers, system configuration, ...)
- ...
All in all, this is probably not an issue in Windows itself... Hope this helps you a bit on the way to fixing this issue. Don't forget to mark the question as resolved, and to mark the "Best Solution". This helps others with the same issue quickly find an answer, and helps supporting people quickly find unanswered topics.

Re: Unable to Disable the "Add Profile" Feature in Edge on Windows 365
Intune can use ADMX files: https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows or if you use the Intune "native" configuration profiles, the Intune management extension sets reg keys as well... You don't need Group Policy ADMX files per se... https://learn.microsoft.com/en-us/windows/client-management/understanding-admx-backed-policies

Re: Suspected brute-force attack and None of the passwords attempted where previously used passwords
Sure is worth investigating. So, I guess this one you already figured out: it was a script, or similar, using the wrong password... which for an AI system looks like a brute-force attack... So, this one is a benign positive then. Guess "Suspected" is key in this case.... Microsoft Defender for Identity security alert guide - Microsoft Defender for Identity | Microsoft Learn; Microsoft Defender for Identity compromised credentials phase security alerts - Microsoft Defender for Identity | Microsoft Learn. So, it is based on authentication attempts... but I guess it doesn't compare the hashes. But then again, how would it detect a password spray, or know the password wasn't used? Probably the underlying detection algorithms will not be shared for security reasons. So let's just go with what we know: get an alert, investigate.

Re: Unable to Disable the "Add Profile" Feature in Edge on Windows 365
Hi, Think you have to combine it with the setting to enforce work-profile logon in Edge... so there is at least one profile... Then you can further restrict what to sync to this profile... Don't know what other settings you are using, which might conflict... like maybe Enterprise State Roaming... Think you should be using the following, in addition to "BrowserAddProfileEnabled"... But it has been a long time since I configured this myself and played around with this...

Windows information and settings
Group Policy (ADMX) info
- GP unique name: EdgeDefaultProfileEnabled
- GP name: Default Profile Setting Enabled
- GP path (Mandatory): Administrative Templates/Microsoft Edge/Identity and sign-in
- GP path (Recommended): N/A
- GP ADMX file name: MSEdge.admx
Windows Registry Settings
- Path (Mandatory): SOFTWARE\Policies\Microsoft\Edge
- Path (Recommended): N/A
- Value Name: EdgeDefaultProfileEnabled
- Value Type: REG_SZ

Re: Blackscreen after log in - Explorer.exe not started
Hi, Seems a strange issue... I would think in the direction of AppLocker or WDAC... Don't know if you have some scripts running at start-up or logon? Further, if all machines have the same patch level and configuration, but only this machine has the issue, I would start looking at differences... which software and so on, when did it start, etc. I would also start investigating for malicious infections... You could restage the machine, but then you would lose all "evidence" and you didn't really solve the cause of the issue, so if it happened again you wouldn't be any wiser 🙂 Things you can check are for example also the Shell, if this is still explorer.exe... maybe some software or installation changed this. You can check in the registry (also check the user hive...): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon You can also run the System File Checker to check for corrupted files in the OS: run sfc /scannow

Re: Suspected brute-force attack and None of the passwords attempted where previously used passwords
Hi, Seems logical this is 100 attempts with 100 different passwords. If it was 100 times the same password against the same account, this is probably not considered a brute-force attack... This wouldn't make any sense... If the password doesn't work the first time, no attacker will try the same password 99 more times on the same account. If it were a password-spray attack, then an attacker might use the same password against 100 accounts. Your message also says: "none of the passwordS"... So it is fair to assume we are talking about a real brute-force attack where an attacker is trying 100 different passwords against the same account.

Re: Windows defender for business icon
Hi, If you open the Windows Security Center, you will see which parts are configured and how they are configured. The icon will show if there are actions or not, but not to which degree Defender for Endpoint is configured and which features are activated.

Re: I've turned on two-step verification, but my phone got stolen
Hi, Some options:
- Recovery e-mail (but this wasn't possible)
- A trusted device, still logged on somewhere
- If it is a business account, your admin can trigger a re-registration for you (SSPR)
- Maybe you have configured recovery questions?
- An old phone where you had Authenticator configured
- SMS or voice as authentication (the SIM card can be recovered from your operator)
Don't think I know about any other option... Even Microsoft support will require one of those things, I guess...

Windows Defender Application Control - Intune Management DLL's
Hi, I'm busy deploying WDAC via Intune, and I was curious about the options and settings in the "Endpoint Security - Attack Surface Reduction - Application Control" profile. This to check if it would offer some basic protection without having to implement additional profiles using XML files, and to keep management simple. Of course I started in Audit mode to see the results. After applying it and using my machine, I notice some logs which don't seem to be normal... You would expect the Intune Management Components to be trusted, since, if you put it in block mode, you would still want to be able to manage your machine. Apparently, this isn't the case. For example, OSExtentions.dll would be blocked because the file is not correctly signed. (Same for the GAC...) When checking the signature of the DLL, it seems to be correctly signed.... So I don't know if this is by design or not... (This was tested on Windows 10 Enterprise v21H1 - OS Build 19043.1052)

M365 security recommendations on Block-Listed domain
Don't know if this is the correct place to post my question, but here we go. I'm busy baselining some tenants for customers and I'm struggling with the allow-listing and block-listing of domains to allow sharing and collaborating. Allow-listing all the domains is quite impossible due to the nature of the business, but at least we should be able to block-list certain domains. To do so, I'm trying to find a list of domains which are untrustworthy and which should definitely be blocked. This as an alternative solution.... In the meantime I'm also building the allow-list, as I know this should be the way to go, of course. Any help is welcome, or some feedback from peers who went through the same experience. Thanks already!
Recent Blog Articles
Re: Deploy Hybrid Azure AD-joined devices by using Intune and Windows Autopilot - Admins Experience
Mingzhe_Li, thanks. Currently we are also testing this and already ran into some problems. Like we have several types of devices, ones only joined via Intune and already installed with Autopilot, and...

Re: Deploy Hybrid Azure AD-joined devices by using Intune and Windows Autopilot - Admins Experience
Nice article. Could you extend this to a scenario where you have both hybrid AD-joined and cloud-native enrolled devices in the same tenant? And how does this affect the co-management setup for the hydr...