Blog about Microsoft Intune, Windows and Co.
-

Intune Endpoint Privilege Management now supports elevation in user context
One of the most requested features just arrived in Intune Endpoint Privilege Management: the option to not only elevate a process using the virtual account, but also allow it within the current user session, eliminating challenges with network access due to missing Kerberos tickets, but it now also allows elevating programs that try to…
-

First steps with Windows 365 Link
If you are new to Windows 365 Link or are still in the process of evaluating if it can fit your needs, I want to give you some insights on how to get started and what and how you can manage them. Enrollment There are plenty of unboxing videos / blogs out there, so I…
-

Robopack, how to get started
I’ve gotten the chance to play around with Robopack in my lab environment and wanted to give you the chance to follow along, what were my first impressions and what it can do for you. Getting started First thing you will want to do once signed in, is to connect Robopack to your Intune instance.…
-

16 Bit Applications on Windows 11?
With the EOL for Windows 10 in about a month not only does Windows 10 go EOL but with it also the last 32-bit Windows as there is no 32-bit version of Windows 11. Yes, I know there are ESU options and Windows 10 (IOT) LTSC is still around for a while, but let’s ignore…
-

Intune Endpoint Privilege Management tips and tricks
Intune Endpoint Privilege Management got more and more features in the last months (child process behavior, argument support, etc.), converting it from a relatively basic EPM solution to a competitive product. However, even with all these improvements, there are still a few things that are not as intuitive as they could be, so I wanted…
-

Enable HTTPS Support for Microsoft Connected Cache for Enterprise – Part 2
With the GA of the Microsoft Connected Cache for Enterprise it now also supports HTTPS content, which allows it to also support Teams and future Intune content which will move from HTTP to HTTPS. In this part, I will show you how you can enable HTTPS support for your Connected Cache nodes. It is not…
-

Standalone Microsoft Connected Cache for Enterprise is now GA – Part 1
Around two weeks ago, Microsoft announced the Connected Cache for Enterprise is now finally generally available: Microsoft Connected Cache is now generally available – Windows IT Pro Blog In Part 1 I will cover how you can migrate your preview nodes to GA. Migration from public preview If you already have your Connected Cache servers…
-

Security Copilot in Intune is now GA and brings an exciting new feature
A while ago, I took a look at what Security Copilot could do for you in Intune and how you can set it up, while it still was in public preview: Getting started with Intune Copilot – Mike’s MDM Blog Today I want to focus on, how it looks now and also highlight the new…
-

Intune Win32 App Requirement rules now support ARM64 architecture
In one of the last service releases Intune got a long-awaited addition to the Win32 App requirement rules: it now supports selecting ARM64 as an architecture. Requirement Rule Until then, the only options we had to target specific apps to ARM64-based Copilot+ PCs were either writing our own custom applicability rule script for each…
-

Windows 365 Frontline Shared and Autopilot device preparation
Did you know you can use Autopilot device preparation to add applications to your Windows 365 Frontline shared machines before your user has the chance to connect? With this relatively new feature, it gets even easier to prepare your W365 Frontline Shared Cloud PCs; no need to create a custom Windows image anymore, just to get…
-

Windows Autopatch Groups user opt-in
Windows Autopatch Groups allow for easy staged rollouts of Windows updates, driver and firmware updates and Office updates. You can create your deployment rings in your Autopatch Group dynamically or statically assigned to a group of your choice: Both options are great to have, and can make it pretty easy to manage your monthly update…
-

Use Power Automate to show Power BI Reports on a digital signage display
Today I want to show you something a little bit different from my usual content. I want to show you how you can use Power Automate to get a Power BI Report displayed on a digital signage screen. The challenge basically was, as most digital signage solutions do not have any good way of authenticating…
-

Windows 365 – Task Scheduler and Time zones
Today I want to talk a little bit about the Windows Task Scheduler in Windows 365 Cloud PCs and how RDP time zone redirection can result in interesting issues. User complaint How did this all start? Well, a user complained that his software that relied on the Windows Task Scheduler failed to schedule jobs on…
-

Windows Hotpatch
Today I want to talk a little bit about Hotpatch updates, what they are, how you can enable them and how they have the potential to change the way we look at security updates. What are Hotpatch Updates? Hotpatch updates allow you for the first time in Windows to install security updates without needing to…
-

Getting started with Intune Copilot
Today I want to show you how to set up Copilot in Intune. Since Copilot for Intune is based on Microsoft Security Copilot, we technically will need to set up Security Copilot, even if we are not using it for that. Prerequisites To get started with Copilot, you need to have access to at least…
-

Intune Device Query now allows queries for multiple devices as part of Advanced Analytics
A long-awaited feature is now finally available as part of Intune Advanced Analytics (part of Intune Suite). The KQL-based device query feature now allows writing queries for multiple devices. Device Query for Multiple Devices Single device Query As a recap, what was the “normal” single device query all about? If you went to…
-

Automatically create corporate device identifiers for local running VMs
If you need to deploy local Hyper-V or VMWare VMs that are enrolling in Intune with native Entra join, we now have a nice modern method to do so by utilizing Autopilot device preparation. The only thing is, we need to create corporate device identifiers for all these VMs in Intune or otherwise our users…
-

Setup AVD on Azure Local (Azure Stack HCI) in your (Home)Lab – Part 2
In the first part of this series, we successfully deployed our Azure Local into our (Home)Lab. In this part, we will deploy the first AVD Hosts onto our Azure Local. Prerequisites VM IMAGES First thing, we will add to our Azure Local are some Images, that we will use later in our Host Pool(s). To…
-

Setup AVD on Azure Local (Azure Stack HCI) in your (Home)Lab – Part 1
In this blog, I want to show you, how you can set up Azure Virtual Desktop (AVD) on Azure Local (former Azure Stack HCI) in your (Home) Lab to get a feeling about how it works. Hardware Requirements We can find the official Hardware requirements: https://learn.microsoft.com/azure/azure-local/concepts/system-requirements-23h2?WT.mc_id=MVP_317638#machine-and-storage-requirements For me it boils down, I need a relatively…
-

Enable RemoteFX USB Redirection for AVD or Windows 365 using Intune
If you need to redirect USB devices to your AVD or Windows 365 machines, like a 3D mouse or similar devices that are not just a flash drive, you will need to enable RemoteFX USB Redirection. While the AVD / W365 side is easy in Intune, the client side is actually not so easy… But…
-

Intune finally supports Ubuntu 24.04 LTS
Now that Ubuntu 24.04 LTS is a supported version, I want to take the chance to show you how you can install and enroll such a device step by step. OS Installation Let’s start with the installation itself, I will use Hyper-V as a basis. Once you booted from the iso image, you will be…
-

Intune hardware inventory is now available
As announced at Microsoft Ignite this year, Intune now comes with an advanced hardware inventory. This new feature is available in Intune Core (P1) and does not need any add-on such as Intune Suite. The rollout to all tenants seems to have started a few days ago, as I see it arriving on our tenants.…
-

Update: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1
Today I want to show you some updates, that I made to the Azure DevOps Project for Config as a Code for Intune since publishing the initial blog post: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1 – Mike’s MDM Blog You will find the Updated Version on GitHub:…
-

Intune custom compliance scripts
Did you know that you can leverage custom PowerShell scripts in Intune to determine if a device should be considered compliant or not? You can use custom compliance scripts to check for a lot of cool things, like whether your company VPN software is actually installed and running, or block access of devices that have…
-

Standalone Microsoft Connected Cache available in preview
Finally, after years of waiting the standalone version of the Microsoft Connected Cache (MCC) is now finally available in public preview. This means, we no longer need to deploy MECM / SCCM Distribution Points if we only need the Connected Cache part of it since we are already cloud native. Let’s start with what the…
-

Enroll Ubuntu Linux devices in Intune
Did you know that you can also manage Linux devices in Intune? Currently Intune supports the following distributions: Check out the official docs for the most up-to-date information: aka.ms/enrollmylinux Let’s start Since I have no access to RHEL, we will use Ubuntu 22.04.5 desktop for the demo. Let’s start by installing Ubuntu as…
-

Windows 11 24H2 is finally available
This week Microsoft finally announced Windows 11 24H2 is now available for all, not just Copilot+ PCs, so let’s have a look at what’s new. Microsoft added a lot of new features, explained in this IT Pro Blog: Windows 11, version 24H2: What’s new for IT pros – Windows IT Pro Blog (microsoft.com) Windows LAPS…
-

Using LGPO.exe to apply GPOs to test clients easily OnDemand via Intune
From time to time, I wanted to have a way to set Policies (GPOs) on my test clients in a non-enforced way, which allows me to locally modify the settings to troubleshoot something, while still having an easy way to re-apply the settings. While this is definitely an edge case and does not apply to…
-

Troubleshooting Intune Endpoint Privilege Management
Today I want to show you how you can troubleshoot issues with Intune Endpoint Privilege Management (EPM) and will try a little deep dive in how it works. Policies Let’s start with the basics, in order to get Intune EPM started, we need to assign at least an EPM Settings policy from Intune to the…
-

Prevent sign-in consent prompt on AVD or Windows 365 Single Sign On (SSO)
If you enabled Entra SSO on your AVD or Windows 365 Machines, you are probably familiar with the sign in consent prompt that asks you to allow the RDP connection to your Cloud PC / AVD Host. Your response is saved for up to 15 devices and for 30 days until you have to accept…
-

Intune Endpoint Privilege Management Companion
Today I want to introduce you to my Intune EPM Companion Power App. In my first blog post about Intune EPM (Intune Endpoint Privilege Management – Mike’s MDM Blog (mikemdm.de)), I showed you how the then new support approved flow allows your users and admins to get admin rights for a specific application on demand…
-

New Autopilot Companion App for Corporate Identifiers
If you played with the new Autopilot V2 Autopilot device preparation profiles in Intune, you quickly noticed that no “registration” with a hardware hash or similar is needed, and it just works with all devices. If you want to limit it to only allow corporate-owned devices using enrollment restrictions, you can now…
-

Collect local logfiles using an Azure Storage Account and Remediations in Intune
Intune has an integrated function to collect logs that can really be helpful to troubleshoot issues on Windows clients, but what to do if the desired log is not part of this? Well, we can collect them pretty easily ourselves, using a custom OnDemand Remediation script in Intune and Azure Blob Storage to…
-

Power BI – Intune Endpoint Analytics – Reporting Series Part 7
The new advanced endpoint analytics, available as add-on to Intune or available in Intune Suite allows us to get a really deep dive into the health of our devices with a lot of fresh data. However, the visual representation in the portal is in my opinion currently a little bit limited and can be enhanced…
-

Automatically set Intune Device Categories based on Inventory data
Today I want to show you, how you can automatically set Intune Device Categories based on data already available in Intune / Entra, like Device Name, Device Model, Enrollment Profile Name, Join Type, etc. I found a few articles that will try to do similar, but most of what I found did not scale well…
-

Read, Write, Query data from Azure Cosmos DB in PowerShell
For a lot of my projects, I needed to read or write Azure Cosmos DB data from a PowerShell script. However, most PowerShell samples only cover creating and modifying the database itself, but not much about interacting with the data itself. So, I want to show you a few sample scripts, that I used in…
-

Time based Group membership for Entra devices – Part 2
As promised last week, here is part 2 of my time-based group membership. In this part, I will show you, how you can use the backend from part 1 to allow admins to add Intune managed devices to the group using a PowerApp. PowerApp Let’s start with importing the PowerApp: You can find the sources…
-

Time based Group membership for Entra devices
Who doesn’t know these annoying assigned device groups in Entra, used for example in Intune to exclude assignments for specific policies? Once created and assigned, we tend to forget to remove the devices. This can lead to issues and security risks if, for example, a device excluded from a security policy in order to install a software stays excluded…
-

Create App Control for Business Policies in Azure DevOPs – Config as a Code – Part 3(.1)
Last week I wrote a blog post about how you can create a WDAC Policy fully automated from DevOps, knowing there will be the ask, why not use the more modern implementation of App Control for Business in Intune, well now here we are. If you already build the project, you can simply update the…
-

Create WDAC Policy in Azure DevOPs – Config as a Code – Part 3
If you have evaluated WDAC as binary control based on signer rules, you know you have to adjust the policy every time a new application should be allowed. To make this process easier and more reliable, I wanted a fully automated process based on Azure DevOPs to create the policy and deploy it to a…
-

Create or set Registry Keys using Intune Remediation scripts – Part 2
Today in Part 2 on how to create or set Registry Keys using Intune Remediation scripts, I want to show you how easily you can modify Regkeys for all users or keys that need additional permissions for the currently logged on user. In Part 1: I covered how you can set a specific Regkey for…
-

Power BI – Enterprise Privilege Management – Reporting Series Part 6
Today I want to show you how you can export the elevation request data from Intune Enterprise Privilege Management into our Power BI Reports. With this data, we can for example build reports to see which EPM rules are still in use, or which files are requested via support approved, to maybe build a managed…
-

Assign Device Tags in MDE using information from Intune and Entra ID
Today I want to show you, how you can automatically assign Tags in Microsoft Defender for Endpoint based on information from Intune and Entra ID. The goal was to assign Tags containing the Company Name of the user from Entra ID of all Intune managed devices in MDE. If a device that had a Tag…
-

Configure Dell UEFI Settings using Intune Configuration Profiles
Today I want to show you, that you can now configure Dell UEFI Settings directly in Intune, using the new “BIOS configurations and other settings” Template. Dell provides a really good guide for this: https://www.dell.com/support/kbdoc/en-us/000214308/dell-command-endpoint-configure-for-microsoft-intune Dell Command Configure Before we can deploy the wanted setting changes to our clients, we have to prepare the UEFI…
-

Intune Endpoint Privilege Management
Today I want to give you a first look at the Intune Endpoint Privilege Management that is part of Intune Suite for one year with the March 2023 Intune release. Additionally, I want to show you the new support approved flow, which was added recently and allows for example the Helpdesk approving elevation requests for…
-

Update: Autopilot Companion based on Power Apps
Today I want to show you the updated Autopilot Companion Power App. Check out my initial post to learn about the basics of the Companion App, how it works and how it started: https://mikemdm.de/2023/04/08/autopilot-companion-app/ What has changed since the last version? The biggest change is the possibility to pre-assign a user the Autopilot Device. For…
-

First look at Intune Cloud PKI
With the Service Release 2402, the Intune Suite got one more exciting feature, Cloud PKI. With Cloud PKI, you can now use Client Authentication certificates on all Intune managed devices without needing to deploy your own PKI Infrastructure or having to deploy the Intune SCEP Connector, everything can be managed within Intune. You basically have…
-

Deploy a WPA3 Enterprise Wi-Fi Profile to Windows Endpoints using Intune
If you ever tried to deploy a Wi-Fi Profile that is secured by WPA3 Enterprise to Windows clients in Intune, you probably noticed that this is not possible using the built-in Wi-Fi Template. Don’t worry, the solution is really simple: you can configure the Wi-Fi Profile on a client, export it and then deploy it…
-

Entra ID Group for Intune Devices enrolled after a given date
Today I want to show you a little script that allows you to dynamically populate an Entra ID group with Intune devices that are enrolled after a given date. This can be useful in scenarios where you want to roll out a new feature to newly enrolled devices, but not touch existing devices. Unfortunately, this is…
