Endpoint Manager Newsletter – 3rd June 2022

Welcome to a bumper newsletter, I think this is probably the longest read yet, it’s been a busy week in the community!

First up we have a post from Oktay Sari looking at using Conditional Access device filters to block access to M365 apps when not using the Android for Work profile on a non-corporate owned device

https://allthingscloud.blog/blocking-access-to-microsoft-365-outside-the-android-for-work-profile-with-endpoint-manager/


Next we have two posts from Damien Van Robaeys. The first is a useful script to display not only the size consumed by a OneDrive account, but also how much size it is using on the hard disk. Always nice to know if you need to press the Free up Space button!

https://www.systanddeploy.com/2021/04/onedrive-and-powershell-get-size-and.html

For those of you using Proactive Remediations, the second script will remove any content from devices after the script has completed, useful if you have content you would rather the users did not see.

https://www.systanddeploy.com/2022/05/removing-automatically-proactive.html


We also have two posts from Rudy Ooms. The first gives a useful way of grabbing your Win32 apps from an environment without needing the encryption key. If you have inherited an environment, lost the original files, or doing a tenant migration, this is well worth a read.

For his second post, Rudy has put on his Sherlock Holmes hat and done some digging into Autopilot errors with the latest Windows 11 insider build.


This post from Peter van der Woude looks at a method of transferring data from an Android device to a new Samsung one, something I am sure we have all come up against!


We now have two posts from Peter Klapwijk. First, if any of you don’t have a lab tenant, please read this excellent post and go and grab a developer subscription. Never test in production!!

The second post uses configuration profiles to deny logon rights to accounts or groups on Azure AD joined devices.


It’s a week of double posts! These two are from Gannon Novak.

First up, we have a script to grab Autopilot hashes and upload them to Azure Blob storage for retrieval later

The second post runs through a script to quickly package Win32 apps from just the installer URL. If you are packaging many apps, or finding yourself always updating them, this is a quick way to quickly package up the latest versions.


The next two posts from Sean Bulger dig into Microsoft PowerApps and linking them into day-to-day Intune tasks. I’m looking forward to watching how these posts develop!

https://www.modernendpoint.com/managed/MMS-Intune-Management-PowerApp-Demo-Part-1-Creating-the-PowerAutomate-flows/

https://www.modernendpoint.com/managed/MMS-Intune-Management-PowerApp-Demo-Part-2-Creating-the-PowerApp-user-lookup-controls/


This post from Sander Rozemuller digs into the Graph API (we all love a bit of Graph!) to look at the MS security score and the outstanding improvements

https://rozemuller.com/monitor-identity-secure-score-security-improvement-action-status/


This post from Manish Bangia covers how to distinguish devices based on their location using Group Tags and dynamic groups

https://www.manishbangia.com/autopilot-apply-computer-name-based-upon-country-location/


Next up, Moe Kinani runs through using Conditional Access to restrict access to ONLY managed devices

https://cloudbymoe.com/f/enable-access-to-your-tenant-from-managed-devices-only-using-ca


This very thorough post from Anoop Nair runs through the process of creating an Intune policy using the MS Graph API. It’s well worth checking out if you want to start down the automation route.


It’s been a busy week at Microsoft as well with a number of accouncements!

Let’s start with one closest to my heart, why we should be joining devices to Azure Active Directory and not traditional on-prem Active Directory

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/to-aad-join-or-not-that-is-the-question/ba-p/3435768

We also have the public preview of Access Reviews for AAD to review and remove any inactive users.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/review-and-remove-aad-inactive-users-in-public-preview/ba-p/3290632?WT.mc_id=EM-MVP-5003580

Windows Autopatch has also entered preview (currently by request only), I’m excited to try this one

https://docs.microsoft.com/en-us/windows/deployment/windows-autopatch/

For anyone using Azure AD without Conditional Access policies, it’s worth noting that Azure Security Defaults will soon be applied to your tenancy. If this may impact you or any customers, I suggest reading about it now.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/raising-the-baseline-security-for-all-organizations-in-the-world/ba-p/3299048


And finally, we have three videos from Dean Ellerby (and his cat).

The first video looks at trying to fix a previous issue enrolling a device into a hybrid domain joined config via autopilot (all the more reason to ditch the domain)

This next very brief video deploys Office 365 apps via the GUI in Intune in less than 60 seconds (although I think I can deploy quicker using Powershell and Graph)

The final video looks at using Defender for Endpoint to manage devices which have not been enrolled into Intune, something definitely worth checking out!

That’s it for this week and what a week it’s been!

In the famous words of Arnold Schwarzenegger, “Hasta La Vista Baby”

Leave a Comment