Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice - Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more

Adam Stasiniewicz

My feedback

  1. 337 votes
    Vote

    We're glad you're here

    Please sign in to leave feedback

    Signed in as (Sign out)
    You have left! (?) (thinking…)
    14 comments  ·  Ideas » Site deployment and infrastructure  ·  Flag idea as inappropriate…  ·  Admin →
    An error occurred while saving the comment
    Adam Stasiniewicz commented  · 

    @Joe: Yes, I was commenting on the current state. Forgot to mention, that I like your solution.

    I do wish LAPS be built into the OS though; but that's feedback for a different team. :)

    An error occurred while saving the comment
    Adam Stasiniewicz commented  · 

    Using a Client Push is well understood to be the least secure option for deploying ConfigMgr. As this results in a theft-able credential being left behind. If this credential is highly privileged, it offers an attacker a very easy avenue to compromise the environment.

    A simply attack scenario could be as easy as this: Attacker gains control of a single system (maybe a phished user's workstation, a poorly protected DMZ server, etc). They uninstall the ConfigMgr client, wait for the admin to re-push the agent, then capture the Client Push credential. From there, they now have a credential that has administrative rights to every system in the environment.

    For more information, I highly recommend reading the Pass-The-Hash whitepapers: https://aka.ms/pth At minimum, guidance around Client Push should be updated to discourage its use.

    Adam Stasiniewicz supported this idea  · 

Feedback and Knowledge Base