Endpoint Manager Newsletter – 1st July 2022

Welcome to another bumper roundup of community and Microsoft content for Microsoft Endpoint Manager (and if you are working for Microsoft, happy new financial year)

There have been a lot of updates from Microsoft this week so I have split this newsletter into two sections, one for community, one for Microsoft to make it a little easier to digest. I’ll always start with community content because I couldn’t do this without them!

For all MVPs reading this, good luck with the renewals!

Community Content

We’ll start this week with two posts from Florian Salzmann with scripts/applications to deploy Office templates via Intune, especially useful if you are going for a full cloud environment.


If you happen to be looking after an envrionment with fast startup enabled, you will know the effort to find out how long it has actually been since a reboot. Fortunately Damien Van Robaeys has a Proactive Remediation script to tell you just that.

https://www.systanddeploy.com/2022/06/using-powershell-to-get-real-device.html


This post from Joost Gelijsteen uses Settings Catalog to configure policies for securing devices when they enter sleep mode, well worth a read!


The big Microsoft rebranding continues, this one with Purview. For anyone who has lost track, this post by Niels Scheffers runs through the details


This post from Timmy Andersson is one I will find useful. Sometimes you want to restrict devices to users like in the Logon To option in old on-prem AD. Here you can find out how to replicate that functionality in Intune.


A very clever post from Ben Whitmore for those of you fighting bloatware (and the never-ending changing apps). Rather than a static one-off script, this uses a cloud based file to define which apps are to be removed so you can constantly keep on top of things.


If you haven’t come across IntuneCD from Tobias Almén, please go and check it out now. It can take policies from your Dev environment and automatically push them into Prod via pipelines. Incredible work!

https://github.com/almenscorner/IntuneCD


Conditional Access policies are incredibly important when dealing with anything in M365 or Azure, it is literally your first line of defence. Shehan Perera does any excellent job of giving a full run-down of them here.

https://shehanperera.com/2022/05/03/aad-cap101/

A second, last minute entry from Shehan showing how to use the same Tag in both Intune and Defender for Endpoint rather than manually creating in each

https://shehanperera.com/2022/07/01/mde-mem-device-tagging/


If you are having issues with MS Store apps failing during Autopilot (and aren’t we all), check out this excellent post from Anoop Nair


I am sure everyone reading this has a home lab for testing new apps, policies, scripts etc. and I know I’m constantly destroying and building new machines. This script from Gannon Novak automates the creation of new machines to make things so much quicker.


For anyone starting out (or trying to explain to a customer), Niklas Tinner has a very good overview of MDM vs MAM and the differences between them

https://oceanleaf.ch/mdm-mam-with-intune/


Next we have two posts from Thomas Martin Grome, the first of which is one I hadn’t seen before. CIS have a tool to run a security assessment which can then be used to harden your environment!

https://blog.grome.dev/2022/06/running-cis-cat-assessments-for.html?m=1

The second post gives a very thorough run-through on importing Active Directory group policies into Settings catalog

https://blog.grome.dev/2022/06/importing-active-directory-group.html


This post from Simon Skotheimsvik shows how to deploy a custom start menu to Windows 11 machines via Custom OMA-URI policy

https://skotheimsvik.blogspot.com/2022/06/windows-11-customize-start-menu-layout.html


If you are licensed for Defender for Endpoint and not currently using it, read this post from Anand P to deploy it to your environment, it is an excellent product and improves constantly.

https://www.cloudtekspace.com/post/onboard-windows-devices-to-mde-using-intune


Now Settings Catalog has entered GA, I would recommend everyone starts using it. Follow this guide from Jitesh Kumar to set up your first policy


If you are often configuring new Intune environments, I would recommend using this script from Alex Durrant to automate the creation of the most commonly used Azure AD groups


The newsletter wouldn’t be complete without at least one post from Rudy Ooms and this week we have three!

The first is troubleshooting enrollment for non-Autopilot machines (Hybrid joined or just AAD)

The second has features here before, but has further updates. If you are one of many of us experiencing issues with Microsoft Store apps, go and check this one out!

Rudy’s third post troubleshoots enrollment errors and the joys of DNS


If you manage Lenovo devices, this script from Martin Bengtsson shows how to manipulate the BIOS to set passwords amongst other things. Whilst the post shows how to do so in MEMCM, it could easily be adapted for Intune.

https://www.imab.dk/configure-and-use-lenovo-bios-supervisor-password-during-osd-using-powershell-and-configuration-manager/


I’m a massive PowerShell fan (if you hadn’t noticed), but if you aren’t as comfortable, this post from Johan Arwidmark will quickly get you up and running!


Following on from his excellent post looking at the Autopilot Hash, Michael Niehaus has done it again, this time digging deep into UEFI BIOS and the settings inside it.

https://oofhours.com/2022/06/29/geeking-out-with-the-uefi-boot-manager/


If you find some of your machines not activating Windows, try this script from Peter Klapwijk


A new preview feature worth checking out if you are a PIM user. You can now get alerts if anyone makes an assignment without using PIM (so you can remove it and tell them off). Jan Bakker tells us how to configure it here.


Another newly added feature, this one within Intune which shows group membership for devices. Read this post from Trevor Jones to find out more.

https://smsagent.blog/2022/06/30/get-group-membership-for-intune-managed-devices-with-powershell/


Christopher Mogis has developed an excellent script to quickly check if a computer is Windows 11 compliant. This could be incorporated nicely into a Proactive Remediation!

https://www.ccmtune.fr/2022/06/check-if-your-computer-is-windows-11.html


Another script, this one from Tristan Tyson to quick grab Azure AD group SIDs which is always useful!

https://github.com/tristantyson/Get-AzureADGroupSID


In this next post, Jannik Reinhard shows how to output discovered apps into Log Analytics so you can ensure devices have the apps they should (or shouldn’t) have

https://jannikreinhard.com/2022/07/01/copy-intune-discovered-apps-in-log-analytics-workspace/


This amazing script/application from Jeroen Burgerhout allows users to reset their devices without needing admin rights! Obviously deploy with caution

https://www.burgerhout.org/reset-your-device-with-a-simple-app/


The last of the community content this week comes from Jonas Bøgvad with a run-through of zero touch deployment across platforms.

https://www.linkedin.com/pulse/what-zero-touch-deployment-intune-jonas-b%C3%B8gvad/


Microsoft Content

Now for the many Microsoft announcements

First up, you can now use Defender for Endpoint to prevent lateral movement

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/prevent-compromised-unmanaged-devices-from-moving-laterally-in/ba-p/3482134

For PowerShell users, have a look at predictive intellisense, it will amaze you!

https://devblogs.microsoft.com/powershell/psreadline-2-2-6-enables-predictive-intellisense-by-default/

One to bookmark, the roadmap for Azure AD and Intune

https://www.microsoft.com/en-gb/microsoft-365/roadmap?filters=Microsoft%20Intune%2CAzure%20Active%20Directory

A new MacOS feature to remotely restart and shut down devices

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#remotely-restart-and-shut-down-macos-device

For AVD users, there have been additional configuration policies and support for PowerShell scripts from Intune to your multi-session devices

https://techcommunity.microsoft.com/t5/azure-virtual-desktop/public-preview-intune-user-configuration-for-windows-11-multi/m-p/3562093

As covered above by Trevor Jones, you can now view group membership of managed devices

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#view-a-managed-devices-group-membership

And finally, some additional MacOS settings to manage Microsoft Office

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#new-microsoft-office-and-microsoft-outlook-preference-settings-in-the-macos-settings-catalog-


I think that may be a record newsletter, now you have earned yourself a cup of coffee/tea/something stronger

Posted in Newsletter