Blog about Microsoft Intune, Windows and Co.

  • Update: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1

    Update: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1

    Today I want to show you some updates, that I made to the Azure DevOps Project for Config as a Code for Intune since publishing the initial blog post: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1 – Mike’s MDM Blog You will find the Updated Version on GitHub:…

  • Intune custom compliance scripts

    Intune custom compliance scripts

    Did you know that you can leverage custom PowerShell scripts in Intune to determine if a device should be considered as compliant or not? You can use custom compliance scripts to check for a lot of cool things, like is your company vpn software actually installed and running, or block access of devices that have…

  • Standalone Microsoft Connected Cache available in preview

    Standalone Microsoft Connected Cache available in preview

    Finally, after years of waiting the standalone version of the Microsoft Connected Cache (MCC) is now finally available in public preview. This means, we no longer need to deploy MECM / SCCM Distribution Points if we only need the Connected Cache part of it since we are already cloud native. Let’s start with what the…

  • Enroll Ubuntu Linux devices in Intune

    Enroll Ubuntu Linux devices in Intune

    Did you know that you can also manage Linux devices in Intune? Currently Intune supports the following distributions: Check out the official docs for the most up to date information: aka.ms/enrollmylinux Let’s start Since I have no access to REHL, we will use Ubuntu 22.04.5 desktop for the demo. Let’s start by installing Ubuntu as…

  • Windows 11 24H2 is finally available

    Windows 11 24H2 is finally available

    This week Microsoft finally announced Windows 11 24H2 is now available for all, not just Copilot+ PCs, so let’s have a look at what’s new. Microsoft added a lot of new feature, explained in this IT Pro Blog: Windows 11, version 24H2: What’s new for IT pros – Windows IT Pro Blog (microsoft.com) Windows LAPS…

  • Using LGPO.exe to apply GPOs to test clients easily OnDemand via Intune

    Using LGPO.exe to apply GPOs to test clients easily OnDemand via Intune

    From time to time, I wanted to have a way to set Policies (GPOs) on my test clients in a non-enforced way, which allows me to locally modify the settings to troubleshoot something, while still having an easy way to re-apply the settings. While this is definitely an edge case and does not apply to…

  • Troubleshooting Intune Endpoint Privilege Management

    Troubleshooting Intune Endpoint Privilege Management

    Today I want to show you how you can troubleshoot issues with Intune Endpoint Privilege Management (EPM) and will try a little deep dive in how it works. Policies Let’s start with the basics, in order to get Intune EPM started, we need to assign at least an EPM Settings policy from Intune to the…

  • Prevent sign-in consent prompt on AVD or Windows 365 Single Sign On (SSO)

    Prevent sign-in consent prompt on AVD or Windows 365 Single Sign On (SSO)

    If you enabled Entra SSO on your AVD or Windows 365 Machines, you are probably familiar with the sign in consent prompt that asks you to allow the RDP connection to your Cloud PC / AVD Host. Your response is saved for up to 15 devices and for 30 days until you have to accept…

  • Intune Endpoint Privilege Management Companion

    Intune Endpoint Privilege Management Companion

    Today I want to introduce you to my Intune EPM Companion Power App. In my first blog post about Intune EPM (Intune Endpoint Privilege Management – Mike’s MDM Blog (mikemdm.de)), I showed you how the then new support approved flow allows your users and admins to get admin rights for a specific application on demand…

  • Automatically assign Intune Scope Tags based on User location using Entra ID Groups

    Automatically assign Intune Scope Tags based on User location using Entra ID Groups

    A while ago I wrote a blog post, about how you can automatically assign Intune Scope Tags based on Entra ID User information: Set Intune Device ScopeTags based on User Locations – Mike’s MDM Blog (mikemdm.de) This script directly assigned the Scope Tag to the Intune object. While this script worked flawlessly for us for…

  • New Autopilot Companion App for Corporate Identifiers

    New Autopilot Companion App for Corporate Identifiers

    If you played with the new Autopilot V2 Autopilot device preparation profiles in Intune, you pretty fast noticed there is no “registration” with a hardware hash or similar is needed, and it just works with all devices. If you want to limit it, to only allow corporate owned devices using enrollment restrictions, you can now…

  • Collect local logfiles using an Azure Storage Account and Remediations in Intune

    Collect local logfiles using an Azure Storage Account and Remediations in Intune

    Intune has an integrated function to collect Logs that can really be helpful to troubleshoot issues on Windows Clients, but what to do, if the desired log is not part of this? Well, we can collect them pretty easily our self, using a custom OnDemand Remediation script in Intune and an Azure Blob Storage to…

  • Power Bi – Intune Endpoint Analytics – Reporting Series Part 7

    Power Bi – Intune Endpoint Analytics – Reporting Series Part 7

    The new advanced endpoint analytics, available as add-on to Intune or available in Intune Suite allows us to get a really deep dive into the health of our devices with a lot of fresh data. However, the visual representation in the portal is in my opinion currently a little bit limited and can be enhanced…

  • Automatically set Intune Device Categories based on Inventory data

    Automatically set Intune Device Categories based on Inventory data

    Today I want to show you, how you can automatically set Intune Device Categories based on data already available in Intune / Entra, like Device Name, Device Model, Enrollment Profile Name, Join Type, etc. I found a few articles that will try to do similar, but most of what I found did not scale well…

  • Read, Write, Query data from Azure Cosmos DB in PowerShell

    Read, Write, Query data from Azure Cosmos DB in PowerShell

    For a lot of my projects, I needed to read or write Azure Cosmos DB data from a PowerShell script. However, most PowerShell samples only cover creating and modifying the database itself, but not much about interacting with the data itself. So, I want to show you a few sample scripts, that I used in…

  • Time based Group membership for Entra devices – Part 2

    Time based Group membership for Entra devices – Part 2

    As promised last week, here is part 2 of my time-based group membership. In this part, I will show you, how you can use the backend from part 1 to allow admins to add Intune managed devices to the group using a PowerApp. PowerApp Let’s start with importing the PowerApp: You can find the sources…

  • Time based Group membership for Entra devices

    Time based Group membership for Entra devices

    Who don’t know these annoying assigned device groups in Entra used for example in Intune to exclude assignments for specific policies? Once created and assigned we tend to forget to remove the devices. This can lead to issues and security risks, if for example an excluded security policy needed to install a software, stays excluded…

  • Create App Control for Business Policies in Azure DevOPs – Config as a Code – Part 3(.1)

    Create App Control for Business Policies in Azure DevOPs – Config as a Code – Part 3(.1)

    Last week I wrote a blog post about how you can create a WDAC Policy fully automated from DevOps, knowing there will be the ask, why not use the more modern implementation of App Control for Business in Intune, well now here we are. If you already build the project, you can simply update the…

  • Create WDAC Policy in Azure DevOPs – Config as a Code – Part 3

    Create WDAC Policy in Azure DevOPs – Config as a Code – Part 3

    If you have evaluated WDAC as binary control based on signer rules, you know you have to adjust the policy every time a new application should be allowed. To make this process easier and more reliable, I wanted a fully automated process based on Azure DevOPs to create the policy and deploy it to a…

  • Create or set Registry Keys using Intune Remediation scripts – Part 2

    Create or set Registry Keys using Intune Remediation scripts – Part 2

    Today in Part 2 on how to create or set Registry Keys using Intune Remediation scripts, I want to show you how easy you can modify Regkeys for all users or keys that need additional permissions for the currently logged on User. In Part 1: I covered, how you can set a specific Regkey for…

  • Power Bi – Enterprise Privilege Management – Reporting Series Part 6

    Power Bi – Enterprise Privilege Management – Reporting Series Part 6

    Today I want to show you, how you can export the elevation request data from Intune Enterprise Privilege Management into our Power Bi Reports. With this data, we can for example build reports to see, which EPM Rules are still in use, or which files are requested via support approved, to maybe build a managed…

  • Assign Device Tags in MDE using information from Intune and Entra ID

    Assign Device Tags in MDE using information from Intune and Entra ID

    Today I want to show you, how you can automatically assign Tags in Microsoft Defender for Endpoint based on information from Intune and Entra ID. The goal was to assign Tags containing the Company Name of the user from Entra ID of all Intune managed devices in MDE. If a device that had a Tag…

  • Configure Dell UEFI Settings using Intune Configuration Profiles

    Configure Dell UEFI Settings using Intune Configuration Profiles

    Today I want to show you, that you can now configure Dell UEFI Settings directly in Intune, using the new “BIOS configurations and other settings” Template. Dell provides a really good guide for this: https://www.dell.com/support/kbdoc/en-us/000214308/dell-command-endpoint-configure-for-microsoft-intune Dell Command Configure Before we can deploy the wanted setting changes to our clients, we have to prepare the UEFI…

  • Intune Endpoint Privilege Management

    Intune Endpoint Privilege Management

    Today I want to give you a first look at the Intune Endpoint Privilege Management that is part of Intune Suite for one year with the March 2023 Intune release. Additionally, I want to show you the new support approved flow, which was added recently and allows for example the Helpdesk approving elevation requests for…

  • Update: Autopilot Companion based on Power Apps

    Update: Autopilot Companion based on Power Apps

    Today I want to show you the updated Autopilot Companion Power App. Check out my initial post to learn about the basics of the Companion App, how it works and how it started: https://mikemdm.de/2023/04/08/autopilot-companion-app/ What has changed since the last version? The biggest change is the possibility to pre-assign a user the Autopilot Device. For…

  • First look at Intune Cloud PKI

    First look at Intune Cloud PKI

    With the Service Release 2402, the Intune Suite got one more exciting feature, Cloud PKI. With Cloud PKI, you can now use Client Authentication certificates on all Intune managed devices without needing to deploy your own PKI Infrastructure or having to deploy the Intune SCEP Connector, everything can be managed within Intune. You basically have…

  • Deploy a WPA3 Enterprise Wi-Fi Profile to Windows Endpoints using Intune

    Deploy a WPA3 Enterprise Wi-Fi Profile to Windows Endpoints using Intune

    If you ever tried to deploy a W-Fi Profile that is secured by WPA3 Enterprise to Windows Clients in Intune, you probably noticed, that this is not possible using the built-in Wi-Fi Template. Don’t worry, the solution is really simple, you can configure the Wi-Fi Profile on a Client, export it and then deploy it…

  • Entra ID Group for Intune Devices enrolled after a given date

    Entra ID Group for Intune Devices enrolled after a given date

    Today I want to show you a little script that allows you to dynamically populate a Entra ID group with Intune Devices that are enrolled after a given date. This can be useful in scenarios, where you want to rollout a new feature to newly enrolled devices, but not touch existing devices. Unfortunately, this is…

  • Enterprise App catalog now available in Intune Suite

    Enterprise App catalog now available in Intune Suite

    As announced in October last year: Introducing Microsoft Intune Enterprise App Management | Microsoft Intune Blog, the Intune Suite got a really cool new feature today, the Enterprise App catalog. The Enterprise App catalog allows you to search for your desired apps so you can easily add them in Intune. It will also allow you…

  • New Windows 365 Boot Features available for Windows Insiders

    New Windows 365 Boot Features available for Windows Insiders

    Compared to my blog post from last year about Windows 365 Boot: Windows 365 – Boot directly to your CloudPC – Mike’s MDM Blog (mikemdm.de) Windows 365 is now available in two different modes for Windows Insiders. A shared PC mode which is similar to the existing Windows 365 Boot Feature and a new personal…

  • Awarded as Microsoft Intune MVP

    Awarded as Microsoft Intune MVP

    I am thrilled to share that this week, I have been recognized as an MVP for Microsoft Intune. This is a great honor and I am humbled to be recognized for my contributions to the community. I am grateful for the opportunity to share my knowledge and expertise with others. I would like to thank…

  • Custom MacOS Client Inventory Data – Reporting Series Part 5

    Custom MacOS Client Inventory Data – Reporting Series Part 5

    Inspired by the cool blog article about collecting custom MacOS inventory data to an Log Analytics Workspace:https://ugurkoc.de/collecting-customized-inventory-data-on-macos-devices-using-intune/I modified his script to upload the data using our Azure Function App from Part 1 of our Reporting Series to our existing Cosmos DB. If you haven’t seen it, check it out now: Part 1 Architecture As a…

  • Audit changes in GPOs using Azure DevOps – Config as Code Part 2

    Audit changes in GPOs using Azure DevOps – Config as Code Part 2

    In part 1 of our Config as a Code series, we monitored changes in Intune. Since we still have machines that are managed via GPOs like Servers and some VDI, in part 2 now I want to show you how you can monitor these Group Policies as well in the same DevOps project. DevOps Project…

  • Audit changes in Intune configs using Azure DevOps – Config as Code Part 1

    Audit changes in Intune configs using Azure DevOps – Config as Code Part 1

    Today I want to show you, how you can monitor changes in Intune configs using Azure DevOps. This will be part one of a multiple part series about Config as a Code with Azure DevOps. Azure DevOps project Let’s start with creating the DevOps project, that we will use for the whole series. I’m assuming…

  • Windows 11 23H2 is finally here

    Windows 11 23H2 is finally here

    Windows 11 finally got its well-deserved annual update 23H2. Windows Update History The update comes with a lot of long-awaited new features, like the new windows explorer user interface or the “never group” option for the taskbar. New features One little new option is the setting to disable the grouping of Apps in the Taskbar,…

  • Windows passwordless experience and Web Sign-in

    Windows passwordless experience and Web Sign-in

    Today I want to show you the new Windows passwordless experience and the new Web sign-in feature, which came with the latest Windows Update for Window 11 22H2. The passwordless experience will hide the password credential provider in the logon screen, to make it easier for the user to select a passwordless logon provider like…

  • Enhance PowerBi Report with UEFI / BIOS Settings – Part 4

    Enhance PowerBi Report with UEFI / BIOS Settings – Part 4

    Today I want to show you, how you can enhance our Inventory data that we created in our reporting series with UEFI Setting for Dell, HP and Lenovo Client devices. If you haven’t seen the reporting series, check it out here: Part 1, Part 2, Part 3 Cosmos DB First thing we do, is to…

  • Intune Remediation to verify BitLocker keys are uploaded to Entra ID

    Intune Remediation to verify BitLocker keys are uploaded to Entra ID

    Today I want to show you how you can check if the BitLocker Key Backup to Entra ID (AzureAD) was successfully done. We have configured BitLocker encryption in Intune to silently encrypt the system drive and automatically upload the recovery key. Usually these Settings should ensure, that the device is only encrypted if the Recovery…

  • Modern OS Provisioning for Windows Autopilot using OSDCloud

    Modern OS Provisioning for Windows Autopilot using OSDCloud

    Today I want to talk about modern OS Deployment for Windows Autopilot Enrollments using OSDCloud. Also, I will show you where we came from with regards of OS Provisioning and which customizations we made to OSDCloud to make it fit our needs even more. OSD using a SCCM Task Sequence When we started using Windows…

  • Windows 365 – Switch to your CloudPC via TaskView

    Windows 365 – Switch to your CloudPC via TaskView

    Today I want to talk about Windows 365 Switch, which is now available as public preview to Windows Insiders. With Windows 365 Switch you can access your CloudPC just like a second Desktop in Task View. Let’s start with the Prerequisites to start testing and I will go over, how it looks and my personal…

  • Windows 365 – Boot directly to your CloudPC

    Windows 365 – Boot directly to your CloudPC

    Today I want to talk about a cool new feature that Microsoft recently released as public preview, Windows 365 Boot. With Windows 365 Boot, you can convert every Windows 11 Client into a Thin Client like experience, that let you access your Windows 365 CloudPC super easy. Prerequisites Configuring the Guided scenario in Intune To…

  • Using Intune driver and firmware management to update your devices

    Using Intune driver and firmware management to update your devices

    Today I want to talk about a really cool feature, which came with Intune Release 2306, driver and firmware management in Intune. While the backend service using Windows Update for Business Deployment Services (WUfB-DS) was available earlier, you had to create the policy’s manually via Graph API. Now with the seamless integration in Intune, it’s…

  • Run Applications in Intune Company Portal on Demand

    Run Applications in Intune Company Portal on Demand

    Have you ever wondered, if you can run an application or script on Demand with Intune Company Portal, like you could do in SCCM / ConfigMgr when choosing Packages instead of Applications? Currently this is not possible out of the Box with Intune, but today I want to show you, what you can do to…

  • Organizational messages in Microsoft Intune and custom messages via Powershell

    Organizational messages in Microsoft Intune and custom messages via Powershell

    Today I want to talk about Organizational messages in Microsoft Intune, what you can do with them and what you can do, if you need a more customizable notification area message, than what is currently possible in Intune. Organizational messages Let’s start with what are Organizational messages. They are a really cool new feature, that…

  • Deploy a basic WDAC Policy with Intune as managed Installer

    Deploy a basic WDAC Policy with Intune as managed Installer

    Today I want to show you, how you can deploy a basic WDAC (Windows Defender Application Control) Policy that uses the Intune Management Extension (IME) as managed Installer to allow only Apps that are deployed via Intune. WDAC Policy At first we start creating a basic WDAC Policy, using the officia WDAC Wizard from: https://webapp-wdac-wizard.azurewebsites.netWe…

  • Create or set Registry Keys in Intune using (Proactive) Remediations

    Create or set Registry Keys in Intune using (Proactive) Remediations

    Today I will show you, how you can create or set Registry Keys using Intune (Proactive) Remediations. For (Hybrid) Domain joined Clients we used Group Policy Preferences to set these RegKeys, but as there is no such thing for Azure AD joined Clients, we will use a small remediation script for this. As an example,…

  • Verify and replace Files with Proactive Remediations in Intune

    Verify and replace Files with Proactive Remediations in Intune

    Today I will show you how you can verify (small) files like configuration files with (Proactive) Remediations in Microsoft Intune. We can use this to replace Group Policy Preferences File rules, as long as the files are smaller then 200KB, if they are bigger i would suggest to wrap it in a Win32 Application, then…

  • Update Intune Win32 Apps using Applicability Rules

    Update Intune Win32 Apps using Applicability Rules

    today I want to show you how to update Win32 Apps using Applicability Rules in Intune. Let’s pretend all Apps are brought to the User as an Available assignment via Company Portal. This way every user can install all Apps that he needs by himself and still has only the Apps installed that he wants.…

  • PowerBi Report for Intune and Client Data – Part 3

    PowerBi Report for Intune and Client Data – Part 3

    In the final Part 3 of the Reporting Series, I will show you a sample Power Bi Report, that uses the collected Data from Part 1 and 2. We will start by importing the Template File, that I uploaded to my GitHub: Scripts/Inventory Report.pbit at main · mmeierm/Scripts · GitHub At the first Import, you…

  • Enhance PowerBi Report with Intune Inventory Data – Part 2

    Enhance PowerBi Report with Intune Inventory Data – Part 2

    In Part 2 of the Reporting Series, we will add Intune and AAD User Data to our Cosmos DB created in Part 1 PowerBi Reports for Advanced Windows Client Inventory Data – Part 1 – Mike’s MDM Blog (mikemdm.de) Architecture In Part 2 we will go into details in the lower half of the Architecture,…