Score:0

How to detect when someone customizes a managed PC?

tr flag

As we have moved to Intune, we have "managed" nearly everything, making Intune the only local administrator needed on most of our PCs.

Reaching the edges of this policy, I would like to make it possible for a technician to customize a PC, while somehow knowing which PCs may have been customized. The assumption is that any PC found to have had an administrator log on and/or elevate should be considered "customized".

I am aware of enabling Sensitive Privilege Use auditing, then watching for Security log event ID 4673. For my purposes, an Azure AD SID (starting S-1-12-1-) is likely a human. However, I only need to find one entry to know this has happened. Besides, the added audit entries are noisy, scanning the Security log is slow and prone to failure due to logs rolling, and the entries are not useful, in that they do not capture the information you would expect.

Is there any other way to detect when a human has elevated on a PC?
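The approach described in the question, as an added example that is not part of the original post: scan for event 4673 with an Azure AD subject SID, stop at the first match, and persist a marker so later log rollover cannot erase the finding. The registry path and value names are hypothetical, and reading the Security log requires an elevated context.

```powershell
# Added example. The marker location is a hypothetical choice, not an Intune convention.
$MarkerKey    = 'HKLM:\SOFTWARE\Contoso\ElevationMarker'  # hypothetical path
$AadSidPrefix = 'S-1-12-1-'                               # Azure AD SIDs, per the post

function Get-EventField {
    # Return the text of one named <Data> element from an event's XML.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-AadElevation {
    # True when the event's subject SID belongs to an Azure AD account.
    param([xml]$EventXml)
    $sid = Get-EventField -EventXml $EventXml -Name 'SubjectUserSid'
    return [bool]($sid -and $sid.StartsWith($AadSidPrefix))
}

# Once the marker exists the answer is already known, so skip the slow scan.
if (Test-Path $MarkerKey) { return }

# Get-WinEvent returns newest events first; Select-Object -First 1 stops the
# pipeline at the first match instead of reading the whole log.
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673 } `
                    -ErrorAction SilentlyContinue |
    Where-Object { Test-AadElevation -EventXml $_.ToXml() } |
    Select-Object -First 1

if ($hit) {
    $xml = [xml]$hit.ToXml()
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name 'EventTime' `
        -Value $hit.TimeCreated.ToString('o')
    Set-ItemProperty -Path $MarkerKey -Name 'SubjectSid' `
        -Value (Get-EventField $xml 'SubjectUserSid')
    Set-ItemProperty -Path $MarkerKey -Name 'Process' `
        -Value (Get-EventField $xml 'ProcessName')
}
```

Run on a schedule shorter than the Security log's retention window, the marker survives even after the originating event has rolled off.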

Score:0
ng flag

DSC (Desired State Configuration) might be overkill for what you want, but I believe it might do the trick. It depends on the configured parameters. Configuration as code: https://learn.microsoft.com/en-us/powershell/dsc/getting-started/wingettingstarted?view=dsc-1.1

tr flag
I like the way you are thinking. If only the Intune team had used Desired State Configuration (DSC). Even then, someone granted local admin would have a wide-open playground available to them. My end goal is to give a different level of support to any PC that someone has elevated their credentials on, as it is difficult to know exactly what they did after that. They don't even know. "I ran suchnsuch.exe"