Windows 11 Deployment FFU
OuttaTune — The Microsoft Intune Conditional Access bypass I reported is now officially closed by MSRC (again).
It began as “By Design”… then was reclassified as a Moderate severity vulnerability… led to a product group meeting… and ultimately forced Microsoft to revise their official Conditional Access guidance.
Yet now it’s closed - with no fix timeline, no CVE, and no researcher credit.
Let’s unpack it.
⸻
The Issue
Intune lets you apply Conditional Access policies using device filters - say, “block access to Office 365 from DevBox VMs.”
But that device model? It’s just a registry key.
A local admin can change one line, sync the device, and suddenly it’s not a DevBox anymore. It’s “Compliant.” It’s trusted. It’s in.
⸻
Microsoft’s Initial Response
“This is by design.”
“Assignment filters should be used sparingly.”
“Intune cannot accurately lock down a device if an admin on the machine is actively working against management.”
Wait - imagine Microsoft saying that about Defender for Endpoint:
“Sorry, if someone has admin, Defender just gives up.”
Of course they wouldn’t say that. Because security controls must assume hostile actors. Why should Intune be any different?
⸻
The Outcome
• I pushed back, published my findings, and spoke directly with Microsoft’s product teams.
• They reclassified the issue as a Moderate security vulnerability.
• They changed official documentation to warn against using properties like device.model in isolation.
“Microsoft recommends using at least one system defined or admin configurable device property…”
That change exists because of this research.
⸻
But the Case Is Now Closed
MSRC insists that:
“This requires admin and knowledge of policy filters, so it remains Moderate.”
But attackers don’t need to know your exact filters - they can just trial different registry values and sync until they’re in. No alerts. No resistance. No risk of detection unless you’ve layered in custom EDR rules.
And admin access is table stakes. We can’t keep pretending that post-exploitation scenarios don’t matter.
⸻
Conditional Access isn’t just about who you are - it’s supposed to account for where and what you’re accessing from.
But when enforcement relies on unverified local data, the door isn’t locked. It’s not even shut.
We’ve just convinced ourselves that it is.
Trust nothing. Validate everything.
Even the registry keys your policies depend on.
⸻
Blog link: https://cirriustech.co.uk/blog/outtatune-vulnerability

I'm really angry right now… being forced to install Microsoft software on my secure Mac… to improve security.
I want to set something on fire right now…
New blog post before MMSMOA 2025. I wanted to write something before then. I went into some details on how we randomize our rollouts of #Intune policies with a #Powershell function to randomize an #Entra group.
Any #Intune connoisseur here?
I would like to know if I can create an Intune package from a computer on my workplace tenant and push it to a customer tenant?
Or should I be connected to the customer tenant to do that?
Just spent like 3 days trying to figure out why another Azure tenant's Intune RBAC roles weren't applying... it was caused by the Intune license group being nested under another group. Nested groups are a wonderful concept, but the number of times they have been the root of random issues is very high. #azure #intune #entraID
Hey Mastodon, question for my #sysadmin and #DevOps types. Has anyone used #Pester and #PSScriptAnalyzer to set up unit testing for test-driven development, particularly on (relatively) simple scripts like you might use for application detection, installation, and uninstallation from a system like #SCCM, #Intune or #ManageEngine?
Apologies for the buzzword bingo, but I’m trying to reach folks who may be following the hashtags, but not necessarily have a connection otherwise.
Hey if you happen to have access to BBC Radio 3, you might want to point your ears towards In Tune starting IMMINENTLY where we'll be in the studio doing some songs!
Two days later, two full reinstalls and now I'm in Intune sync error territory. The next colleague who boasts the idea of moving to cloud_only gets a smack in the face.
Forcing a mac onto our network might not have been the greatest idea after all...
#intune
Today I'm in macOS platformSSO hell. Active Directory password out of sync on my Mac... No clue what it's supposed to be then. I can, however, just log on to my device without any issue. Everything else that requires authorization - BAM - wrong password.
@vvelox @SecurityWriter +9001%
Also the fact that #Windows gave birth to an entire cottage industry of #Scareware producers is already an indictment of its shortcomings for any serious #IT.
#LivePouet my #Ubuntu in my #AD and soon in #Intune
so yes, I had to go and add a nasty Dutch repo, but there it is, Intune is installed on my Linux
it's very ugly, but it's beautiful!
@GossiTheDog So basically #Recall makes #Windows11 that is managed via #InTune illegal in #Germany, AFAICT...
How to disable ads in Windows
By default, Windows includes ads for other Microsoft products and services, such as using your Microsoft account or backing up your data to OneDrive, and it also shows users various tips and recommendations.
Some of these recommendations may be appropriate for the average end user. However, they are probably inappropriate for a corporate environment, as corporate IT usually handles these things centrally and the end user usually has no way to interfere anyway.
https://www.cswrld.com/2024/05/how-to-turn-off-windows-ads-via-microsoft-intune/
OK, there is apparently a bug with slightly outdated admin apps used by companies that set up #Android work profiles. With the December update for Android 14 and installations such as Google #Family, #Intune or #Unternehmensportal (Company Portal), the permission to install from unknown sources is apparently locked to an unchangeable setting for the main account. It is then no longer possible to install an APK. Only via USB debugging and #ADB install does it still work.
Annoying.
Today is a day full of pranks. This time I almost installed Intune...
Looking for other ways...
#InTune
- Thomas Gould, Fergus McCreadie Trio
Violinist Thomas Gould and the Fergus McCreadie Trio join Sean Rafferty.
Relisten now
https://www.bbc.co.uk/programmes/m001nh5n
@eljefedsecurit Or I thought I had. After SanFW)Tool disabled Knox, I was able to set up the phone, go into "Device admin apps" and delete the #VMWare Hub Work Profile, BUT... when I set up the #Intune Company Portal I got an error that it could not complete. Re-enabled Knox through a factory reset, and on booting back up VMWare Hub downloaded to the phone and kicked in. I thought I had deleted that from the phone completely. The phone will be returned, as it is not usable like this, and I will pay a little more for a phone that is not wrapped around the axle.
This does seem to be, IMHO, an #Infosec issue: a way for an attacker not only to maintain persistence but to download an executable from the internet and run it. Even after a factory reset.
Also #Skype, #Intune, #WLAN, #Kaltura, #Powershell, and what have you come into contact with this morning?
I don't want to swear #Intune