
Latest Posts

Certificate mapping for AAD Devices with AD accounts

Katy Nicholson, 31 August, 2024

Device certificate authentication to NPS (e.g. for an 802.1x wireless network) requires the device to have a computer object in the on-premises Active Directory. This can be done using a script to get all Autopilot registered devices and create an account for each in the local AD (see SysManSquad - Working around NPS limitations for AADJ Windows Devices); however, the thumbprint of the device certificate also needs to be added to the computer object's altSecurityIdentities attribute. While this can be run as an hourly task, there is the risk of a device being unable to connect for up to an hour. Luckily, by configuring auditing and a scheduled task triggered by an event being raised, we can perform this mapping immediately after the certificate is issued.

Intune: Managing Promethean OPS-A (Android) Devices

Katy Nicholson, 28 August, 2024

Newer Promethean screens can be fitted with compute devices, OPS-M (Windows) and OPS-A (Android). There is very little documentation around configuring these Android devices with Intune in order to restrict access to settings. In this post I go through how to enrol these as corporate-owned dedicated devices while retaining the pre-installed Promethean apps.

Restricting printing to specific devices or device types

Katy Nicholson, 13 October, 2023

Device Control Printer Restriction has been around for a while and can be configured using a couple of CSP entries to block the use of "non-corporate printers", with a list of USB hardware IDs that are allowed through the block. This has been a good solution for locking down printing on devices which leave the office; however, the definition of "corporate printers" does not include Universal Print. Luckily there is a new version of this policy. Confusingly, it has the same name, but it uses Defender's device restriction mechanism. Using this new method we can define groups of devices and create a list of rules to apply.

Silently enable BitLocker with PIN during Autopilot

Katy Nicholson, 24 September, 2022

BitLocker is Microsoft's disk encryption system, and the only supported silent configuration involves the TPM only. There are other options, such as also requiring a start-up PIN or a physical key (a USB drive containing the key), or both; whether you think you need the extra security at the risk of PIN re-use or PINs being written down is an exercise left to the reader. However, I wanted to find a way to enable BitLocker with a PIN required at start-up on a device deployed through Autopilot, without the user having to do anything to enable the protection. While there are configuration profiles which can configure BitLocker to require a PIN and to require device encryption, these won't actually prompt the user to encrypt the device if you're requiring additional authentication to unlock the drive. Looking forward, it would be nice to see this supported, as a step in the OOBE process or on the Enrolment Status Page, asking the user for a PIN and enabling the encryption. But for now we have to come up with our own solutions. My solution involves a PowerShell script which enables the encryption using the device serial as the PIN. The user can then be given instructions to change this once logged on.

Windows Autopatch

Katy Nicholson, 12 August, 2022

Windows Autopatch is a service which takes care of updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams across your devices. It is marketed as taking the mundane tasks of managing updates away from IT staff, leaving them free to work on other things. Autopatch uses various policies and profiles through Intune to set the update configuration on the client devices, Windows Update for Business to deliver the updates, and reporting is also done through Intune (or the Update Compliance Log Analytics solution). Autopatch uses four rings to phase updates across your devices: test, first, fast and broad. The test ring gets the updates as soon as they become available, while broad gets them with a 9-day delay, so that any issues are caught in the test or first rings and further deployment can be paused.
