Endpoint Manager/Intune

Posts covering Microsoft Endpoint Manager/Intune and related features.

Restricting printing to specific devices or device types

Katy Nicholson, 13 October, 2023

Device Control Printer Restriction has been around for a while and can be configured using a couple of CSP entries to block the use of "non-corporate printers", and a list of USB hardware IDs can be specified to be allowed through the block. This has been a good solution for locking down printing on devices which leave the office, however the definition of "corporate printers" does not include Universal Print. Luckily there is a new version of this policy, confusingly it's got the same name but uses Defender's device restriction mechanism. Using this new method we can define groups of devices and create a list of rules to apply.

Silently enable BitLocker with PIN during Autopilot

Katy Nicholson, 24 September, 2022

BitLocker is Microsoft's disk encryption system and the only supported silent configuration involves the TPM only. There are other options such as also requiring a start-up PIN or a physical key (USB drive containing the key), or both - whether you think you need the extra security at the risk of PIN re-use/being written down is an exercise left to the reader. However I wanted to find a way to enable BitLocker with a PIN required at start-up on a device deployed through Autopilot, without the user having to do anything to enable the protection. While there are configuration profiles which can configure BitLocker to require a PIN and to require the device encryption, this won't actually prompt the user to encrypt the device if you're requiring additional authentication to unlock the drive. Looking forward it would be nice to see this supported - as a step in the OOBE process or on the Enrolment Status Page, asking the user for a PIN and enabling the encryption. But for now, we have to come up with our own solutions - my solution involves a PowerShell script which enables the encryption using the device serial as the key. The user can then be given instructions to change this once logged on.

Windows Autopatch

Katy Nicholson, 12 August, 2022

Windows Autopatch is a service which takes care of updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams across your devices. It is marketed as taking the mundane tasks of managing updates away from IT staff, leaving them free to work on other things. Autopatch uses various policies and profiles through Intune to set the update configuration on the client devices, Windows Update for Business to deliver the updates, and reporting is also done through Intune (or the Update Compliance Log Analytics solution). Autopatch uses four rings to phase updates across your devices - test, first, fast and broad - where test gets the updates as soon as they become available, broad gets them with a 9 day delay, so that any issues are caught in the test or first rings and further deployment can be paused.

App Protection Policies

Katy Nicholson, 31 July, 2022

Corporate devices can be fully managed and secured using Mobile Device Management (MDM) such as Intune. But what about securing personally owned devices? This is where Mobile Application Management (MAM) steps in. For iOS and Android devices, MAM in Intune is implemented through App Protection Policies. With these policies, we can segregate corporate data on personal devices and also put restrictions in place - for example, don't allow copy/paste between the corporate apps and the rest of the device, or requiring PIN or biometric unlock before the data can be accessed. In this post I'm going to go through how to create an App Protection Policy and cover the differences between iOS and Android.

Azure AD Terms of Use

Katy Nicholson, 23 July, 2022

Azure AD's terms of use feature allows us to present information to users which they need to accept/acknowledge before being permitted access to a service. The feature supports multiple languages and essentially you upload a PDF for each supported language for your Terms of Use policy. You can create multiple policies if needed. Possible use cases for this include for users enrolling their personal Windows device through Access work or school, where they can be presented with some rules before their device will give them access, or even when accessing specific services such as Microsoft Forms in the browser, if you wanted to display some usage guidance for using Forms in your organisation.

Importing Group Policy Objects into Intune

Katy Nicholson, 23 April, 2022

This has to be one of the most requested features for Intune - importing Group Policy Objects. It's now a feature! Currently in public preview, so should be available on most tenants. The way this works is that you export your GPOs from Group Policy Management Console, import them into the Group Policy Analytics and it will determine whether they will work as Intune configuration profiles - by trying to map the GPO settings to the corresponding Configuration Service Provier (CSP) setting, if one exists. You'll be shown a report detailing how much of your policies will be transferable, and which individual settings will or won't work.

Intune Remote Help

Katy Nicholson, 21 February, 2022

Remote Help is a new feature of Intune which allows you to remotely help a user. It is based on the Quick Assist tool found in Windows 10 and 11, but with several improvements - both parties need to be logged in with an Azure AD account in your tenant, and the helper can run elevated commands. There is also a RBAC role for controlling what level of access helpers have - e.g. view only or full control, whether they can interact with elevated windows.

MEM: Bypassing iOS activation lock on supervised devices

Katy Nicholson, 6 January, 2022

Occasionally while working with MDM and iOS devices you'll reset a device and discover the user left an activation lock. I look at how to bypass that for devices which have, at one point in their life, been attached to MDM.

MEM: Setting Client Registry Keys

Katy Nicholson, 9 December, 2021

Traditionally you would use something like Group Policy Preferences or use Config Mgr to set registry keys on a client device. In this post I look at a way to do this using Intune.

MEM: Updating to Windows 11

Katy Nicholson, 4 December, 2021

A look at how we can force our devices to update to Windows 11 using Intune.

MEM: Managing Android Devices

Katy Nicholson, 31 October, 2021

Love them or hate them, you will probably have to manage Android devices at some point. In this post I look at the enrolment profile types for Anrdoid devices on Intune.

Intune: 802.1x Wi-Fi, NPS and user PKCS certificates

Katy Nicholson, 23 September, 2021

It's annoying having to enter your credentials whenever you connect to an 802.1x wireless network. We can use Intune to push out certificates to enable password-free network connection. This post looks at Intune managed Azure AD joined devices, an 802.1x wireless network using NPS for authentication, and Active Directory Certificate Services to issue the certificates to the users.

Windows 365 Cloud PC

Katy Nicholson, 4 August, 2021

Windows 365 Cloud PC is an exciting new product from Microsoft. Split into two SKUs, Business and Enterprise, I have a look at the differences and how to configure Windows 365.

Windows Update for Business (WUfB) and Update Compliance

Katy Nicholson, 23 June, 2021

Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKU of Windows 10 - Pro/Enterprise/Education/Pro for Workstation - basically everything except Home edition. You can select which types of updates you would like - Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.

Intune: Introducing Filters

Katy Nicholson, 9 June, 2021

Endpoint Manager/Intune Filters is a new feature which gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.

Endpoint Analytics

Katy Nicholson, 19 May, 2021

Endpoint Analytics is a component of Intune and is used to provide you with insights as to how your devices are performing. Which take forever to log on? Which apps crash frequently? You can also run proactive remediation scripts to enforce settings or fix issues.

Intune: Manage non-DEP iOS devices via AC2 DEP enrolment

Katy Nicholson, 31 March, 2021

Sometimes you may be given iOS devices which have been purchased by another department - or ad-hoc - and thus you do not have the details to have the supplier add these to DEP/Apple School/Business Manager. In this post I look at how we can add these devices using Apple Configurator 2, and pull these into Intune.

Intune: Windows Hello for Business

Katy Nicholson, 12 March, 2021

Windows Hello is Windows 10's biometric authentication system which allows users to sign into their device using facial recognition (if the device has an IR camera), fingerprint (if the device has a fingerprint reader) and PIN. The data for these is stored on the device itself rather than transmitted to the authentication provider (i.e. Azure AD) so is more secure than a password as an attacker would need the device as well as the face/finger/PIN of the person they are trying to impersonate. In this case a PIN is more like a password, as we can define the minimum and maximum length, and allow/forbid/require lower case, upper case and special characters. The default setting permits numbers, lower and upper case letters but does not allow special characters.

Intune: Endpoint Protection

Katy Nicholson, 26 February, 2021

Whilst Endpoint Protection can be suitably managed for traditional Active Directory-joined devices using Group Policies, you'll need an alternative to protect your Azure AD joined devices. Luckily Intune can do this for us by way of a device configuration profile.

MEM: iOS Wireless Profile with embedded credentials

Katy Nicholson, 5 February, 2021

Sometimes you have no option but to use a wireless network with a username and password, which you want to set on devices with a Configuration Profile. While there is no option to do this with the built in Wi-Fi profile, you can create a custom one on Apple Configurator 2 and import this into Intune.

Intune: Managing iOS devices

Katy Nicholson, 13 January, 2021

In this part of the Intune series of posts I'm looking at getting iPads enrolled and managed, and deploying apps. In my case I'm looking to migrate some iPads from an existing MDM into Intune, so I'm assuming you already have an Apple ID set up to create the push certificates and already have Apple School Manager (or Business Manager) set up.

Intune: Deploying Applications

Katy Nicholson, 6 January, 2021

In this post I cover deploying applications to devices through Intune - Microsoft 365 Apps, Microsoft Store apps, Web Apps and Win32 Applications.

Intune: Getting Started with Autopilot

Katy Nicholson, 20 December, 2020

In this post I take a first look at Intune and Autopilot and go through importing devices, creating enrolment profiles, configuration profiles and deploying the device.