Ghost Policy stopping Windows Updates


Josh Weiss joins us to share his experience with a ghost policy. About two months ago, Josh installed some Intune files that set up a bunch of baseline policies, including an AppLocker policy (a Software Restriction Policy). After realizing this was too much for his company, he deleted it from his tenant. He then spent two months trying to figure out why he couldn't install any software once he signed in to Intune. Recently he spoke with a Microsoft engineer who explained something called a ghost policy. In Intune, policies are Device Configuration profiles. If you delete a device configuration profile, before assigning it, it will remain locked to any users who had it. To remove this lock, there is a process for going through the Microsoft Graph, confirming that the policy still exists, and then deleting it. Watch as Harry and Josh discuss ghost policies.


Video Transcription

Harry Brelsford  0:03 

Hey Nation Nation, back with Josh at LA Creative, someone I really miss. Man, I really enjoyed going to the Continuum conferences with you and heckling you from the audience. It's not been two years in Pittsburgh.

Josh Weiss  0:17 

It was Vegas and Pittsburgh. Yeah.

Harry Brelsford  0:20 

Yeah. I saw you in the one in Pittsburgh. Last year. omegas. Two? Oh, yep. Yeah. Yeah. So hopefully they're coming back. You know, I think there's pent-up demand for events. I know I'm, I'm chomping at the bit to get out and get off these virtual backgrounds, although yours is a real background. So yeah, sir. What's, what's news, man? What's, what's going on? You've been doing some bizdev. And you also have some insights into a Microsoft product.

Josh Weiss  0:49 

Yeah, I mean, I guess on the biz dev side, I mean, I'm gonna, I'm gonna, I'm gonna guess and hope that I'm not the only one watching here where it certainly seems like the projects are coming back. The interest is coming back. And I think something, one of my oldest clients, I've been with them for about a decade, they're, you know, they're a startup that I've overseen IT for from 15 people to 1000. And something really interesting happened. And, and I think it speaks to something that everyone here would do get to focus on. You know, so we went through a time. You know, when I met them 10 years ago, I didn't know a cybersecurity from a printer. Hardly. But you know, certainly over the years, I've had to learn a lot, any, any MSP in me, basically, we've all become cybersecurity practitioners, whether we want, yeah, at this point, one way or another. Yep. Something that I worked on with them is, you know, we, we put up a spec for security for them back in 2016. That was firewalls and, you know, somewhat of a next-gen antivirus, I guess. But that's, that's so far, you know, removed now from what is a real cybersecurity program. And, you know, starting three and a half years ago, I have been begging and pleading and educating and doing whatever possible to get them to say, hey, maybe we need some more security right there. They are in an industry which is really prone to business email compromise, wire fraud, and reputation damage. And, you know, I went in and did a cybersecurity awareness training for their staff. We've done things here and there. But mostly, it's been me bringing stuff up and then saying sounds great, no, but, and the nice part about that is I set myself up as someone who understands security. So now, you know, 1000-person company, national footprint, international, really. And they hired a new president, who's sitting between operations and management. And she came from a company which had seen a devastating ransomware attack. 
And she said, we need to talk about security right now. And, and this is the, this is the point I want to make for the nation here. If I hadn't been bugging them about that, they would have thought I didn't know about it, and looked somewhere else. And because I had sort of set myself up as that resource, they had us perform a pen test on their infrastructure, and we found a lot of issues. And, um, you know, something that I was able to do was present that in a very educational way to them, not in a scare tactic way. But here's what I found. And here's stories that sort of have come up in other environments or in the news, or because I've known them for a decade, in your environment. Right. And they were really impressed. And so we're, you know, we're looking at some security packages. Now, you can cross your fingers for me, but just even being invited as that resource to present to a company of that size and stature, and to sort of have them engaged, listening, asking questions, learning. It was a really great experience. And, you know, anyone out there, I think it's really time to move from network assessments to, like, actionable, relatable, understandable security assessments. Yeah.

Harry Brelsford  4:13 

I'll come back at you with your consistency and bizdev. And I've been preaching that since the beginning. And that's the one thing I am, I'm a good base hitter. And then every now and then we get home runs. Right. But I'd rather be that base hitter where you're just really consistent. You don't miss any games, and Ty Cobb or whoever had the record, but, but the point is your LinkedIn profile, here we are, you're still consistently posting up and staying visible. And my question is with some of the writing you've done, anything, have you, have you printed that out and made it part of your sales slick? Do you sometimes on a biz dev call the ADR brochure? Do you have some that you leave behind or do you stay more in the digital realm and stuff?

Josh Weiss  5:00 

Oh, I did have all of that I had this sort of, you know, lumpy mail well kit that we used to use and all that content is five years old right now. Yeah, of course. You know, and I think, you know, I love that stuff. And I think what you're asking is really helpful. It's not something that we have right now, I've been working on the new content, I mean, on this call, I was able to present a really, really refined security package flyer that we have now. And okay, that's fresh content. And I think, you know, I work with a designer, I love going on Upwork, and finding resources to work with there. And my favorite are my graphic design resources that I have on Upwork. And so, you know, I'll go ahead and find some flyer, I like somewhere or I'll just literally write up a bunch of stuff with bullet points in a Word doc. And, you know, usually it takes us about three revisions and like, she's got my brand down, she's got my color down, she's got the whole thing. And it's nice when you're presenting, you know, some sort of solution, especially to a slick modern startup to say, look, these are the packages. This is how they work. And yeah, yeah. So I might leave behind Kit. We'll come back together.

Harry Brelsford  6:15 

Yeah, yeah. And they'll also be in person meeting. Hey, with the time we have left, so you had a Microsoft update, talk to me.

Josh Weiss  6:24 

So I've been chasing this problem for a couple months. I had anyone out there who hasn't seen it. There's a guy named Alex Fields.

Harry Brelsford  6:33 

Oh, yeah. Yeah, he's one of our analysts. Oh, yeah.

Josh Weiss  6:36 

I bought Alex Fields' kit for five expertise. And he includes some Intune JSON files that you can import to Intune to set up a bunch of baseline policies. They all come into Intune unassigned, and they'll cause no problems in that state. But I assigned his enhanced security baseline to my whole company. And it includes, I think it's AppLocker policies or some kind of Software Restriction Policies. So you can't install anything without expressly allowing it. And I was like, oh, this was, this was too much for my company. So what did I do with before assigning it, I deleted it from my tenant. I then spent two months trying to figure out why I couldn't install any software once I signed in Intune. And I just got off a call with a Microsoft engineer who explained to me something called a ghost policy. In Intune policy is, you know, these are Device Configuration profiles. If you delete a device configuration profile, before assigning it, it will remain locked to any users who had had it. And so I was shown today a process for going through the Microsoft Graph, confirming the existence of that and then deleting it. I'm actually looking at my computer, maybe reset right now, my test computer. And so you can all cross your fingers. I close my big deal on Friday. And then when I reboot this thing, Intune installs my RMM and we're in automation.

Harry Brelsford  8:19 

All right, well, we'll check in with enough next month. Hopefully we'll be popping champagne bottles and not drinking beer with getting that one across the finish line, but glad you're doing well. And appreciate you sticking with us, man.

Josh Weiss  8:33 

Good to see you, Harry.