Endpoint Manager Newsletter – 17th June 2022

Welcome everyone to another roundup of the exciting content coming from the Endpoint Manager community.

Before starting, I feel it’s only fair to bid farewell to Internet Explorer. Whilst it was a bit geriatric towards the end, it has ultimately served us well for all of these years.

Now, on with the show…

First up, we have this thorough post from Gannon Novak showing how to use a filter to exclude devices from conditional access (or include them if you have a particularly troublesome user).


Next, Ugur Koc uses Proactive Remediations and Log Analytics to take device location one step further and generates a map to show exactly where a device was last seen.


Now we have two posts from Peter Klapwijk. The first uses the new Dynamic Group membership rules to create different groups for Co-Managed and Intune Managed devices, which is especially useful if you have a mixed estate.

The second post shows how to use application rules to update those pesky Available apps in Intune which are tricky to update centrally. If you use Available apps, I would definitely suggest reading and implementing!


We also have three posts from Rudy Ooms this week, all of which are well worth a read.

I’m sure everyone now knows about Store for Business going end-of-life. Hopefully this post will put your minds at ease: it’s not going to be a Mission Impossible style self-destruct!

For the second post, anyone who uses Quick Assist will notice the old app now prompts you to install the new Store one, which helpfully has a habit of prompting for user input which breaks Autopilot. Have a read to find out how to resolve the issue!

A last-minute addition looking at why the Reset button doesn’t work in Company Portal and how to fix it.


This excellent post from René Laas runs through the importance of RBAC and how to create role-assignable groups to use for Intune management.

https://endpointcave.com/configure-rbac-for-intune-in-a-secure-way/


Fast Boot is an IT admin’s nightmare. It may speed up boot time by 0.0001 seconds, but sometimes your computer just needs a proper reboot, and then you end up arguing with users who claim they have shut down every night. If you have this enabled, have a look at this script from Damien Van Robaeys which looks at the actual boot time.

https://www.systanddeploy.com/2022/02/a-toast-notification-to-display-warning.html

A second (last-minute) post, also from Damien, shows how to configure a Dynamic AAD group to automatically populate when Autopilot completes. This is very useful for any required apps which are a bit large to have in the initial build, but which you want installed ASAP.

https://www.systanddeploy.com/2022/03/automatically-adding-devices-to-azure.html?m=0


Another dynamic AAD group based post (can you see how excited we all are for it!). In this one, Anoop Nair creates dynamic groups to split your Hybrid Joined and AAD joined devices. I can see this being very useful when deploying scripts, apps and policies which use an AD object.


This very comprehensive post from Moe Kinani sets up an alert if someone accesses the tenant from an unfamiliar location, especially useful if you want to catch anyone outsourcing their work. I’ll be testing this one myself!

https://cloudbymoe.com/f/get-notified-when-someone-access-from-unfamiliar-location


If you have Lenovo devices in your fleet, check out this post from Philip Jorgensen where he shares proactive remediation scripts to set the asset tag on devices.

https://blog.lenovocdrt.com/#/2022/intune_asset_tag


This post from Joymalya Basu Roy demonstrates how to expand the event log size via Settings Catalog for the main event logs and also how to tweak the registry to increase any other event log on Windows.


With the demise of Internet Explorer, Manish Bangia shows how to fully disable IE using a Custom OMA-URI policy and have the URLs open in Edge instead.

https://www.manishbangia.com/disable-internet-explorer-and-redirect-to-microsoft-edge/


This post from Johan Arwidmark runs through an alternative way of enrolling devices into Azure AD without using Autopilot (or if it’s being temperamental).


We all love a bit of automation and MS Store apps have always been a pain. Fortunately Niels Kok has a solution using MS Graph and JSON. This will definitely help with the deployment of Company Portal on a scripted build!


This post from Joost Gelijsteen shows how to display the last logged-in user via Settings Catalog.


Another busy week from Microsoft as well.

Firstly, you can now review sync reports for OneDrive in the M365 admin centre. Might be a good thing to keep an eye on before rebuilding any machines!

https://docs.microsoft.com/en-us/onedrive/sync-health?tabs=windows

New security baselines released for M365 apps

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714

For anyone dealing with developers, rather than caving in and giving admin access, check out the Dev-Box

https://techcommunity.microsoft.com/t5/azure-developer-community-blog/introducing-microsoft-dev-box/ba-p/3412063

Bookmark this one, it shows everything currently in development for Intune

https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development

Use Defender for Endpoint to isolate compromised devices, even if they are unmanaged!

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/prevent-compromised-unmanaged-devices-from-moving-laterally-in/ba-p/3482134

And finally a video looking at integrating Windows 365 with Windows 11

That’s it for this week, have a great weekend!
