Posts covering Microsoft Endpoint Manager/Intune and related features.
Katy Nicholson, 13 October, 2023
Device Control Printer Restriction has been around for a while and can be configured using a couple of CSP entries to block the use of "non-corporate printers", with a list of USB hardware IDs that are allowed through the block. This has been a good solution for locking down printing on devices which leave the office; however, the definition of "corporate printers" does not include Universal Print. Luckily there is a new version of this policy. Confusingly it has the same name, but it uses Defender's device control mechanism. Using this new method we can define groups of printers and create a list of rules to apply to each group.
Katy Nicholson, 24 September, 2022
BitLocker is Microsoft's full-volume encryption system, and the only configuration Intune can enable silently is TPM-only protection. There are other options such as also requiring a start-up PIN or a physical key (a USB drive containing the key), or both - whether you think you need the extra security at the risk of PIN re-use or PINs being written down is an exercise left to the reader. However I wanted to find a way to enable BitLocker with a PIN required at start-up on a device deployed through Autopilot, without the user having to do anything to enable the protection. While there are configuration profiles which can configure BitLocker to require a PIN and to require device encryption, this won't actually prompt the user to encrypt the device if you're requiring additional authentication to unlock the drive. Looking forward it would be nice to see this supported - as a step in the OOBE process or on the Enrolment Status Page, asking the user for a PIN and enabling the encryption. But for now, we have to come up with our own solutions - my solution involves a PowerShell script which enables the encryption using the device serial number as the initial PIN. The user can then be given instructions to change this once logged on.
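As an added example (not the script from the original post), the following PowerShell does the job described above: it adds a TPM+PIN protector using the device serial number as a placeholder PIN, starts encryption, and escrows the recovery password to Azure AD. It assumes the OS volume is C:, that the Intune BitLocker policy permits TPM+PIN start-up authentication with a minimum PIN length of 6, and that the script runs as SYSTEM from Intune. The padding character and the enhanced-PIN registry check are assumptions chosen here, not something the post specifies.

```powershell
# Added example: silently enable BitLocker (TPM + start-up PIN) during Autopilot.
# Assumptions: OS drive is C:, policy allows TPM+PIN, minimum PIN length is 6,
# script runs as SYSTEM. Not the script from the original post.
$MountPoint   = 'C:'
$MinPinLength = 6      # assumption: must match the minimum set in the BitLocker policy

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -eq 'On') {
    Write-Output "BitLocker protection already on for $MountPoint"
    exit 0
}

# A TPM+PIN protector cannot be added unless the TPM is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Error 'TPM is not present or not ready; cannot add TPM+PIN protector.'
    exit 1
}

# Build the placeholder PIN from the serial number. Letters are only valid if the
# policy enables enhanced PINs (UseEnhancedPin = 1), so fall back to digits otherwise.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$enhanced = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
             -Name 'UseEnhancedPin' -ErrorAction SilentlyContinue).UseEnhancedPin -eq 1
$pin = if ($enhanced) { $serial -replace '[^A-Za-z0-9]', '' } else { $serial -replace '[^0-9]', '' }
if ($pin.Length -lt $MinPinLength) {
    # Short serials are padded so the protector is accepted; user changes it later anyway.
    $pin = $pin.PadRight($MinPinLength, '0')
}
$securePin = ConvertTo-SecureString -String $pin -AsPlainText -Force

# Enable encryption with the TPM+PIN protector. -SkipHardwareTest avoids the
# reboot-and-verify step so encryption starts immediately.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $securePin -SkipHardwareTest | Out-Null

# Add a recovery password and escrow it to Azure AD so helpdesk can recover the drive.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
Write-Output "BitLocker enabled on $MountPoint with TPM+PIN; recovery key escrowed to Azure AD."
exit 0
```

Because the serial number is printed on the chassis and readable from the BIOS, this PIN is only a placeholder: the user instructions must have them run `manage-bde -changepin C:` (or use the Control Panel applet) at first logon, and the recovery-key escrow is what lets you recover a device where that never happens.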
Katy Nicholson, 12 August, 2022
Windows Autopatch is a service which takes care of updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams across your devices. It is marketed as taking the mundane tasks of managing updates away from IT staff, leaving them free to work on other things. Autopatch uses various policies and profiles in Intune to set the update configuration on the client devices, Windows Update for Business to deliver the updates, and reporting is also done through Intune (or the Update Compliance Log Analytics solution). Autopatch uses four rings to phase updates across your devices - test, first, fast and broad - where test receives updates as soon as they become available and broad receives them after a 9-day deferral, so that any issues are caught in the test or first rings and further deployment can be paused.
Katy Nicholson, 31 July, 2022
Corporate devices can be fully managed and secured using Mobile Device Management (MDM) such as Intune. But what about securing personally owned devices? This is where Mobile Application Management (MAM) steps in. For iOS and Android devices, MAM in Intune is implemented through App Protection Policies. With these policies, we can segregate corporate data on personal devices and also put restrictions in place - for example, don't allow copy/paste between the corporate apps and the rest of the device, or requiring PIN or biometric unlock before the data can be accessed. In this post I'm going to go through how to create an App Protection Policy and cover the differences between iOS and Android.
Katy Nicholson, 23 July, 2022
Katy Nicholson, 23 April, 2022
This has to be one of the most requested features for Intune - importing Group Policy Objects. It's now a feature! Currently in public preview, so it should be available on most tenants. The way this works is that you export your GPOs from Group Policy Management Console and import them into Group Policy analytics, which determines whether they will work as Intune configuration profiles by trying to map each GPO setting to the corresponding Configuration Service Provider (CSP) setting, if one exists. You'll be shown a report detailing how much of each policy is transferable, and which individual settings will or won't work.
Katy Nicholson, 21 February, 2022
Remote Help is a new feature of Intune which allows you to remotely assist a user. It is based on the Quick Assist tool found in Windows 10 and 11, but with several improvements - both parties need to be signed in with an Azure AD account in your tenant, and the helper can run elevated commands. There is also an RBAC role for controlling what level of access helpers have - e.g. view only or full control, and whether they can interact with elevated windows.
Katy Nicholson, 6 January, 2022
Occasionally while working with MDM and iOS devices you'll reset a device and discover the user left an activation lock. I look at how to bypass that for devices which have, at one point in their life, been attached to MDM.
Katy Nicholson, 9 December, 2021
Traditionally you would use something like Group Policy Preferences or Configuration Manager to set registry keys on a client device. In this post I look at a way to do this using Intune.
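As an added example (not the script from the post), here is the shape of an Intune PowerShell script that sets registry values idempotently and reports compliance through its exit code. The key paths, value names and values are illustrative assumptions; the helper function is the part worth keeping.

```powershell
# Added example: set registry values from an Intune PowerShell script running as SYSTEM.
# The entries below are assumptions for illustration; replace with the keys you need.
$Desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'EnableSmartScreen'; Type = 'DWord';  Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Contoso\Config';                     Name = 'Region';           Type = 'String'; Value = 'UK' }
)

function Set-RegistryValueIfNeeded {
    # Creates the key if missing and writes the value only when type or data differ.
    # Returns $true if a change was made, $false if already compliant.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Type,   # DWord, QWord, String, ExpandString, MultiString, Binary
        [Parameter(Mandatory)]$Value
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $key = Get-Item -LiteralPath $Path
    $currentKind = $null
    try { $currentKind = $key.GetValueKind($Name) } catch { }   # throws if value absent
    if ($null -ne $currentKind) {
        $currentValue = $key.GetValue($Name)
        if ("$currentKind" -eq $Type -and "$currentValue" -eq "$Value") {
            return $false
        }
    }
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
    return $true
}

$changed = 0
$failed  = 0
foreach ($entry in $Desired) {
    try {
        if (Set-RegistryValueIfNeeded @entry) {
            Write-Output "Set $($entry.Path)\$($entry.Name) = $($entry.Value)"
            $changed++
        }
    } catch {
        Write-Error "Failed on $($entry.Path)\$($entry.Name): $_"
        $failed++
    }
}
Write-Output "Changed: $changed, failed: $failed"
# Non-zero exit marks the script as failed in the Intune report so you can spot drift.
if ($failed -gt 0) { exit 1 } else { exit 0 }
```

Two things to check when deploying this: Intune runs scripts in a 32-bit PowerShell host unless "Run script in 64 bit PowerShell host" is set, so writes to HKLM:\SOFTWARE are silently redirected to Wow6432Node and appear not to take effect; and because the script runs as SYSTEM, HKCU refers to the SYSTEM profile, so per-user values need either the "Run this script using the logged on credentials" option or explicit loading of each user's hive.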
Katy Nicholson, 4 December, 2021
A look at how we can force our devices to update to Windows 11 using Intune.
Katy Nicholson, 31 October, 2021
Love them or hate them, you will probably have to manage Android devices at some point. In this post I look at the enrolment profile types for Android devices on Intune.
Katy Nicholson, 23 September, 2021
It's annoying having to enter your credentials whenever you connect to an 802.1x wireless network. We can use Intune to push out certificates to enable password-free network connection. This post looks at Intune managed Azure AD joined devices, an 802.1x wireless network using NPS for authentication, and Active Directory Certificate Services to issue the certificates to the users.
Katy Nicholson, 4 August, 2021
Windows 365 Cloud PC is an exciting new product from Microsoft. Split into two SKUs, Business and Enterprise, I have a look at the differences and how to configure Windows 365.
Katy Nicholson, 23 June, 2021
Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKUs of Windows 10 - Pro, Enterprise, Education and Pro for Workstations - basically everything except Home edition. You can select which types of updates you would like - feature updates, quality (security) updates, driver updates and Microsoft product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.
Katy Nicholson, 9 June, 2021
Endpoint Manager/Intune Filters is a new feature which gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.
Katy Nicholson, 19 May, 2021
Endpoint Analytics is a component of Intune and is used to provide you with insights as to how your devices are performing. Which take forever to log on? Which apps crash frequently? You can also run proactive remediation scripts to enforce settings or fix issues.
Katy Nicholson, 31 March, 2021
Sometimes you may be given iOS devices which have been purchased by another department - or ad-hoc - and thus you do not have the details to have the supplier add these to DEP/Apple School/Business Manager. In this post I look at how we can add these devices using Apple Configurator 2, and pull these into Intune.
Katy Nicholson, 12 March, 2021
Windows Hello is Windows 10's device-bound sign-in system which allows users to sign into their device using facial recognition (if the device has an IR camera), fingerprint (if the device has a fingerprint reader) or a PIN. The data for these is stored on the device itself rather than transmitted to the authentication provider (i.e. Azure AD), so it is more secure than a password: an attacker would need the device as well as the face, finger or PIN of the person they are trying to impersonate. The PIN is configured much like a password, as we can define the minimum and maximum length, and allow, forbid or require lower case, upper case and special characters. The default setting permits numbers and lower and upper case letters but does not allow special characters.
Katy Nicholson, 26 February, 2021
Whilst Endpoint Protection can be suitably managed for traditional Active Directory-joined devices using Group Policies, you'll need an alternative to protect your Azure AD joined devices. Luckily Intune can do this for us by way of a device configuration profile.
Katy Nicholson, 5 February, 2021
Sometimes you have no option but to use a wireless network with a username and password, which you want to set on devices with a Configuration Profile. While there is no option to do this with the built in Wi-Fi profile, you can create a custom one on Apple Configurator 2 and import this into Intune.
Katy Nicholson, 13 January, 2021
In this part of the Intune series of posts I'm looking at getting iPads enrolled and managed, and deploying apps. In my case I'm looking to migrate some iPads from an existing MDM into Intune, so I'm assuming you already have an Apple ID set up to create the push certificates and already have Apple School Manager (or Business Manager) set up.
Katy Nicholson, 6 January, 2021
In this post I cover deploying applications to devices through Intune - Microsoft 365 Apps, Microsoft Store apps, Web Apps and Win32 Applications.
Katy Nicholson, 20 December, 2020
In this post I take a first look at Intune and Autopilot and go through importing devices, creating enrolment profiles, configuration profiles and deploying the device.