Posts

Microsoft Defender for... Everything?

How to set up a NAT network with subnets in Hyper-V

Using Graph to Manage Intune Devices

I manage Intune for a living. Clicking through the portal works fine when you're dealing with a handful of devices, but once you're past a few hundred, you start writing scripts. And once you start writing scripts against Microsoft 365, you end up at Microsoft Graph whether you planned to or not.

Mimikatz vs. Credential Guard

I started writing a post about Credential Guard. Then I started testing Mimikatz in a lab to see what Credential Guard actually stops. Then I fell down a rabbit hole and this turned into something bigger than I planned. So here's the deal: I'm going to show you what Mimikatz does to an unprotected domain controller, then show you how Credential Guard shuts it down, and then tell you about all the stuff that breaks when you flip the switch. Because nobody warns you about that last part until it's too late.

The attack: what Mimikatz actually does

So Mimikatz. Benjamin Delpy wrote it in 2011 as a research project. He found a flaw in how Windows handles authentication and tried to report it to Microsoft. They blew him off. So he published the tool instead. It's been used in basically every major Windows credential theft since, including NotPetya and Bad Rabbit. What makes it dangerous is simple: Windows caches credential hashes in LSASS memory so you don't h...

Intune Log on Rights

I locked myself out of a test machine last week. Not in a fun way. Not in a "forgot my password" way. In a "the sign-in method you're trying to use isn't allowed" way, where no account on the device could log in at all. Not the admin. Not the test user. Nobody. Ok. Probably just something to do with Windows Hello. No worries. Lemme just log in with the password. 😒 Thanks for giving me the benefit of the doubt, but I DID not mean to do this on purpose. I've deployed this exact policy before in production environments. I know how it works. And I still managed to brick the logon on my test device. I had to wipe the machine. Completely.

What happened? I forgot the #!&%?! USERS group.

The trap with AADJ devices

On AADJ-only devices, local group memberships are still evaluated for user rights assignments. Your Entra ID groups don't just float freely. They need to be nested inside one of the local BUILTIN groups on the ma...

Intune Security Baselines - What are they and how to use them?
