Tag: Intune
-
Windows 365 Frontline Shared and Autopilot device preparation
Did you know, you can use Autopilot device preparation to add applications to your Windows 365 Frontline shared machines before your user has the chance to connect? With this relatively new feature, it gets even easier to prepare your W365 Frontline Shared CloudPCs, no need to create a custom windows image anymore, just to get…
-
Windows Autopatch Groups user opt-in
Windows Autopatch Groups allows for easy staged rollouts of Windows Updates, Driver and Firmware updates and Office updates. You can create your deployment rings in your Autopatch Group dynamically or static assigned to a group of your choice: Both options are great to have, and can make it pretty easy to manage your monthly update…
-
Windows 365 – Task Scheduler and Time zones
Today I want to talk a little bit about the Windows Task Scheduler in Windows 365 Cloud PCs and how RDP Time zone redirection can result in interesting issues. User complaint How did this all started? Well a User complained, that his software that relied on the Windows Task Scheduler failed to schedule jobs on…
-
Windows Hotpatch
Today I want to talk a little bit about Hotpatch updates, what they are, how you can enable them and how they have the potential to change the way we look at security updates. What are Hotpatch Updates? Hotpatch updates allow you for the first time in Windows to install security updates without needing to…
-
Getting started with Intune Copilot
Today I want to show you how to set up Copilot in Intune. Since Copilot for Intune is based on Microsoft Security Copilot, we technically will need to set up Security Copilot, even if we are not using it for that. Prerequisites To get started with Copilot, you need to have access to at least…
-
Intune Device Query now allows queries for multiple devices as part of Advanced Analytics
A long-awaited feature is now finally available as part of Intune Advanced Analytics (part of Intune Suite). The KQL based device query feature, allows now to write queries for multiple devices. Device Query for Multiple Devices Single device Query As a recap, what was the “normal” single device query all about? If you went to…
-
Automatically create corporate device identifiers for local running VMs
If you need to deploy local Hyper-V or VMWare VMs that are enrolling in Intune with native Entra join, we now have a nice modern method to do so by utilizing Autopilot device preparation. The only thing is, we need to create corporate device identifiers for all these VMs in Intune or otherwise our users…
-
Enable RemoteFX USB Redirection for AVD or Windows 365 using Intune
If you need to redirect USB device to your AVD or Windows 365 Machines like a 3D Mouse or similar devices, that are not just a flash drive, you will need to enable RemoteFX USB Redirection. While the AVD / W365 side is easy in Intune, the client side is actually not so easy… But…
-
Intune finally supports Ubuntu 24.04 LTS
Now that Ubuntu 24.04 LTS is a supported version, I want to take the chance to show you how you can install and enroll such a device step by step. OS Installation Let’s start with the installation itself, I will use Hyper-V as a basis. Once you booted from the iso image, you will be…
-
Intune hardware inventory is now available
As announced at Microsoft Ignite this year, Intune now comes with an advanced hardware inventory. This new feature is available in Intune Core (P1) and does not need any addon as Intune Suite. The rollout to all tenants seems to have been started a few days ago as I see it arriving on out tenants.…
-
Update: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1
Today I want to show you some updates, that I made to the Azure DevOps Project for Config as a Code for Intune since publishing the initial blog post: Audit changes in Intune configs using Azure DevOps – Config as Code Part 1 – Mike’s MDM Blog You will find the Updated Version on GitHub:…
-
Intune custom compliance scripts
Did you know that you can leverage custom PowerShell scripts in Intune to determine if a device should be considered as compliant or not? You can use custom compliance scripts to check for a lot of cool things, like is your company vpn software actually installed and running, or block access of devices that have…
-
Standalone Microsoft Connected Cache available in preview
Finally, after years of waiting the standalone version of the Microsoft Connected Cache (MCC) is now finally available in public preview. This means, we no longer need to deploy MECM / SCCM Distribution Points if we only need the Connected Cache part of it since we are already cloud native. Let’s start with what the…
-
Enroll Ubuntu Linux devices in Intune
Did you know that you can also manage Linux devices in Intune? Currently Intune supports the following distributions: Check out the official docs for the most up to date information: aka.ms/enrollmylinux Let’s start Since I have no access to REHL, we will use Ubuntu 22.04.5 desktop for the demo. Let’s start by installing Ubuntu as…
-
Windows 11 24H2 is finally available
This week Microsoft finally announced Windows 11 24H2 is now available for all, not just Copilot+ PCs, so let’s have a look at what’s new. Microsoft added a lot of new feature, explained in this IT Pro Blog: Windows 11, version 24H2: What’s new for IT pros – Windows IT Pro Blog (microsoft.com) Windows LAPS…
-
Using LGPO.exe to apply GPOs to test clients easily OnDemand via Intune
From time to time, I wanted to have a way to set Policies (GPOs) on my test clients in a non-enforced way, which allows me to locally modify the settings to troubleshoot something, while still having an easy way to re-apply the settings. While this is definitely an edge case and does not apply to…
-
Troubleshooting Intune Endpoint Privilege Management
Today I want to show you how you can troubleshoot issues with Intune Endpoint Privilege Management (EPM) and will try a little deep dive in how it works. Policies Let’s start with the basics, in order to get Intune EPM started, we need to assign at least an EPM Settings policy from Intune to the…
-
Intune Endpoint Privilege Management Companion
Today I want to introduce you to my Intune EPM Companion Power App. In my first blog post about Intune EPM (Intune Endpoint Privilege Management – Mike’s MDM Blog (mikemdm.de)), I showed you how the then new support approved flow allows your users and admins to get admin rights for a specific application on demand…
-
New Autopilot Companion App for Corporate Identifiers
If you played with the new Autopilot V2 Autopilot device preparation profiles in Intune, you pretty fast noticed there is no “registration” with a hardware hash or similar is needed, and it just works with all devices. If you want to limit it, to only allow corporate owned devices using enrollment restrictions, you can now…
-
Collect local logfiles using an Azure Storage Account and Remediations in Intune
Intune has an integrated function to collect Logs that can really be helpful to troubleshoot issues on Windows Clients, but what to do, if the desired log is not part of this? Well, we can collect them pretty easily our self, using a custom OnDemand Remediation script in Intune and an Azure Blob Storage to…
-
Power Bi – Intune Endpoint Analytics – Reporting Series Part 7
The new advanced endpoint analytics, available as add-on to Intune or available in Intune Suite allows us to get a really deep dive into the health of our devices with a lot of fresh data. However, the visual representation in the portal is in my opinion currently a little bit limited and can be enhanced…
-
Automatically set Intune Device Categories based on Inventory data
Today I want to show you, how you can automatically set Intune Device Categories based on data already available in Intune / Entra, like Device Name, Device Model, Enrollment Profile Name, Join Type, etc. I found a few articles that will try to do similar, but most of what I found did not scale well…
-
Time based Group membership for Entra devices – Part 2
As promised last week, here is part 2 of my time-based group membership. In this part, I will show you, how you can use the backend from part 1 to allow admins to add Intune managed devices to the group using a PowerApp. PowerApp Let’s start with importing the PowerApp: You can find the sources…
-
Time based Group membership for Entra devices
Who don’t know these annoying assigned device groups in Entra used for example in Intune to exclude assignments for specific policies? Once created and assigned we tend to forget to remove the devices. This can lead to issues and security risks, if for example an excluded security policy needed to install a software, stays excluded…
-
Create App Control for Business Policies in Azure DevOPs – Config as a Code – Part 3(.1)
Last week I wrote a blog post about how you can create a WDAC Policy fully automated from DevOps, knowing there will be the ask, why not use the more modern implementation of App Control for Business in Intune, well now here we are. If you already build the project, you can simply update the…
-
Create WDAC Policy in Azure DevOPs – Config as a Code – Part 3
If you have evaluated WDAC as binary control based on signer rules, you know you have to adjust the policy every time a new application should be allowed. To make this process easier and more reliable, I wanted a fully automated process based on Azure DevOPs to create the policy and deploy it to a…
-
Create or set Registry Keys using Intune Remediation scripts – Part 2
Today in Part 2 on how to create or set Registry Keys using Intune Remediation scripts, I want to show you how easy you can modify Regkeys for all users or keys that need additional permissions for the currently logged on User. In Part 1: I covered, how you can set a specific Regkey for…
-
Power Bi – Enterprise Privilege Management – Reporting Series Part 6
Today I want to show you, how you can export the elevation request data from Intune Enterprise Privilege Management into our Power Bi Reports. With this data, we can for example build reports to see, which EPM Rules are still in use, or which files are requested via support approved, to maybe build a managed…
-
Assign Device Tags in MDE using information from Intune and Entra ID
Today I want to show you, how you can automatically assign Tags in Microsoft Defender for Endpoint based on information from Intune and Entra ID. The goal was to assign Tags containing the Company Name of the user from Entra ID of all Intune managed devices in MDE. If a device that had a Tag…
-
Configure Dell UEFI Settings using Intune Configuration Profiles
Today I want to show you, that you can now configure Dell UEFI Settings directly in Intune, using the new “BIOS configurations and other settings” Template. Dell provides a really good guide for this: https://www.dell.com/support/kbdoc/en-us/000214308/dell-command-endpoint-configure-for-microsoft-intune Dell Command Configure Before we can deploy the wanted setting changes to our clients, we have to prepare the UEFI…
-
Intune Endpoint Privilege Management
Today I want to give you a first look at the Intune Endpoint Privilege Management that is part of Intune Suite for one year with the March 2023 Intune release. Additionally, I want to show you the new support approved flow, which was added recently and allows for example the Helpdesk approving elevation requests for…
-
Update: Autopilot Companion based on Power Apps
Today I want to show you the updated Autopilot Companion Power App. Check out my initial post to learn about the basics of the Companion App, how it works and how it started: https://mikemdm.de/2023/04/08/autopilot-companion-app/ What has changed since the last version? The biggest change is the possibility to pre-assign a user the Autopilot Device. For…
-
First look at Intune Cloud PKI
With the Service Release 2402, the Intune Suite got one more exciting feature, Cloud PKI. With Cloud PKI, you can now use Client Authentication certificates on all Intune managed devices without needing to deploy your own PKI Infrastructure or having to deploy the Intune SCEP Connector, everything can be managed within Intune. You basically have…
-
Deploy a WPA3 Enterprise Wi-Fi Profile to Windows Endpoints using Intune
If you ever tried to deploy a W-Fi Profile that is secured by WPA3 Enterprise to Windows Clients in Intune, you probably noticed, that this is not possible using the built-in Wi-Fi Template. Don’t worry, the solution is really simple, you can configure the Wi-Fi Profile on a Client, export it and then deploy it…
-
Enterprise App catalog now available in Intune Suite
As announced in October last year: Introducing Microsoft Intune Enterprise App Management | Microsoft Intune Blog, the Intune Suite got a really cool new feature today, the Enterprise App catalog. The Enterprise App catalog allows you to search for your desired apps so you can easily add them in Intune. It will also allow you…
-
New Windows 365 Boot Features available for Windows Insiders
Compared to my blog post from last year about Windows 365 Boot: Windows 365 – Boot directly to your CloudPC – Mike’s MDM Blog (mikemdm.de) Windows 365 is now available in two different modes for Windows Insiders. A shared PC mode which is similar to the existing Windows 365 Boot Feature and a new personal…
-
Custom MacOS Client Inventory Data – Reporting Series Part 5
Inspired by the cool blog article about collecting custom MacOS inventory data to an Log Analytics Workspace:https://ugurkoc.de/collecting-customized-inventory-data-on-macos-devices-using-intune/I modified his script to upload the data using our Azure Function App from Part 1 of our Reporting Series to our existing Cosmos DB. If you haven’t seen it, check it out now: Part 1 Architecture As a…
-
Audit changes in Intune configs using Azure DevOps – Config as Code Part 1
Today I want to show you, how you can monitor changes in Intune configs using Azure DevOps. This will be part one of a multiple part series about Config as a Code with Azure DevOps. Azure DevOps project Let’s start with creating the DevOps project, that we will use for the whole series. I’m assuming…
-
Windows 11 23H2 is finally here
Windows 11 finally got its well-deserved annual update 23H2. Windows Update History The update comes with a lot of long-awaited new features, like the new windows explorer user interface or the “never group” option for the taskbar. New features One little new option is the setting to disable the grouping of Apps in the Taskbar,…
-
Windows passwordless experience and Web Sign-in
Today I want to show you the new Windows passwordless experience and the new Web sign-in feature, which came with the latest Windows Update for Window 11 22H2. The passwordless experience will hide the password credential provider in the logon screen, to make it easier for the user to select a passwordless logon provider like…
-
Enhance PowerBi Report with UEFI / BIOS Settings – Part 4
Today I want to show you, how you can enhance our Inventory data that we created in our reporting series with UEFI Setting for Dell, HP and Lenovo Client devices. If you haven’t seen the reporting series, check it out here: Part 1, Part 2, Part 3 Cosmos DB First thing we do, is to…
-
Intune Remediation to verify BitLocker keys are uploaded to Entra ID
Today I want to show you how you can check if the BitLocker Key Backup to Entra ID (AzureAD) was successfully done. We have configured BitLocker encryption in Intune to silently encrypt the system drive and automatically upload the recovery key. Usually these Settings should ensure, that the device is only encrypted if the Recovery…
-
Windows 365 – Boot directly to your CloudPC
Today I want to talk about a cool new feature that Microsoft recently released as public preview, Windows 365 Boot. With Windows 365 Boot, you can convert every Windows 11 Client into a Thin Client like experience, that let you access your Windows 365 CloudPC super easy. Prerequisites Configuring the Guided scenario in Intune To…
-
Using Intune driver and firmware management to update your devices
Today I want to talk about a really cool feature, which came with Intune Release 2306, driver and firmware management in Intune. While the backend service using Windows Update for Business Deployment Services (WUfB-DS) was available earlier, you had to create the policy’s manually via Graph API. Now with the seamless integration in Intune, it’s…
-
Run Applications in Intune Company Portal on Demand
Have you ever wondered, if you can run an application or script on Demand with Intune Company Portal, like you could do in SCCM / ConfigMgr when choosing Packages instead of Applications? Currently this is not possible out of the Box with Intune, but today I want to show you, what you can do to…
-
Organizational messages in Microsoft Intune and custom messages via Powershell
Today I want to talk about Organizational messages in Microsoft Intune, what you can do with them and what you can do, if you need a more customizable notification area message, than what is currently possible in Intune. Organizational messages Let’s start with what are Organizational messages. They are a really cool new feature, that…
-
Deploy a basic WDAC Policy with Intune as managed Installer
Today I want to show you, how you can deploy a basic WDAC (Windows Defender Application Control) Policy that uses the Intune Management Extension (IME) as managed Installer to allow only Apps that are deployed via Intune. WDAC Policy At first we start creating a basic WDAC Policy, using the officia WDAC Wizard from: https://webapp-wdac-wizard.azurewebsites.netWe…
-
Create or set Registry Keys in Intune using (Proactive) Remediations
Today I will show you, how you can create or set Registry Keys using Intune (Proactive) Remediations. For (Hybrid) Domain joined Clients we used Group Policy Preferences to set these RegKeys, but as there is no such thing for Azure AD joined Clients, we will use a small remediation script for this. As an example,…
-
Verify and replace Files with Proactive Remediations in Intune
Today I will show you how you can verify (small) files like configuration files with (Proactive) Remediations in Microsoft Intune. We can use this to replace Group Policy Preferences File rules, as long as the files are smaller then 200KB, if they are bigger i would suggest to wrap it in a Win32 Application, then…