Endpoint Manager Newsletter – 8th July 2022

Welcome to another bumper weekly newsletter! There is so much excellent content coming out of this wonderful community of late, thank you all! If I have missed anything, please add it in the comments below for everyone to see (or message me on here or LinkedIn and I’ll add it on).

Before starting on the content, a congratulations from me to all of the MVPs who have been renewed for another year, all fully deserved.

Community Content

This week we start with a post from Johan Arwidmark with an excellent script to inject PowerShell 7 into a Windows PE image. I can see this being useful for so many things!


Now for two posts from Jitesh Kumar

First up, should you find Cloud Protection has become disabled in your environment, this will show you how to use Settings Catalog to re-enable it.

This second post answers a question I often hear from Security Teams, Execs and SDMs alike: "how many of our devices are encrypted?". Well worth a read!


For anyone starting out in Intune, or looking for a guide to send to IT support teams, this walkthrough from Anoop Nair should be at the top of your list!

A second post from Anoop, this one demonstrating how to remove an application from Intune after deployment.


This article from Alex Semibratov gives an excellent run-through of the Intune Management Extension logs when using nested application deployments.

https://www.linkedin.com/pulse/troubleshooting-intune-management-extension-log-when-apps-semibratov/


We’ve all been in the position where we have deployed a policy or app to a Device Group and want to switch it for a User group, but then find the group now has hundreds of devices in it! Fortunately this excellent script from Jannik Reinhard has you covered and will automate the process for you.

https://jannikreinhard.com/2022/07/03/migrate-an-aad-user-group-to-a-device-group-and-vice-versa/

A second post this week from Jannik, this one a script to remove any old Applicability Rules you have left in the estate.

https://jannikreinhard.com/2022/07/03/applicability-rule-gone-but-still-there/

A third post this week from Jannik, this one the release of a new application to perform common Azure AD and Intune tasks in a quick and easy tool. One to add to your app library!

https://jannikreinhard.com/2022/07/07/intune-tool-box-rebuild-of-intune-in-powershell/


If your Conditional Access sign-in frequency is left at the default rolling 90 days, a user who has satisfied MFA recently can enrol a new device inside that window without ever being prompted again. This post from Rahul Jindal shows how to tweak a Conditional Access policy so that device enrollment always prompts for MFA.

https://rahuljindalmyit.blogspot.com/2022/07/enabling-reauthentication-with-mfa.html
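As an added illustration of the kind of policy Rahul describes (this is my own example, not the policy from his post, so check his walkthrough for the exact settings he uses), the snippet below uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy that targets the "Register or join devices" user action, requires MFA, and sets a short sign-in frequency so the 90 day window no longer applies to enrollment. The group ID for your break-glass accounts is a placeholder you must supply, and the policy is created in report-only mode so you can review the sign-in logs before enforcing it.

```powershell
# Added example, not from the linked post. Needs the Microsoft.Graph module
# (Install-Module Microsoft.Graph) and consent to the scope below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Assumption: replace with the object ID of your break-glass / emergency access group.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require fresh MFA when registering or joining a device"
    # Report-only first: watch the sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # Target the device registration user action rather than a cloud app.
        applications   = @{ includeUserActions = @("urn:user:registerdevice") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
    sessionControls = @{
        # A 1 hour sign-in frequency on this action means the user must have
        # authenticated within the last hour, not the last 90 days, to enrol.
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 1
        }
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two caveats a security team will want covered: always exclude the break-glass accounts so a misconfigured policy cannot lock everyone out of device registration, and leave the policy in report-only long enough to confirm it catches Autopilot and manual enrollments without breaking anything else that registers devices.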


Whilst not strictly Endpoint Manager related, I use Logic Apps for a few of my automated tasks so felt this would be useful. Here René Laas shows how we can use multiple triggers on a logic app.

https://endpointcave.com/logic-app-with-multiple-triggers/


Local admin rights are a pain for any Intune administrator, especially for users who need elevated access to one machine only. Tristan Tyson has a script and policy here showing how to add users or groups to the local Administrators group on a device.

https://tech.tristantyson.com/managelocaladministrators


This post from Oktay Sari runs through your options for passwordless login to your machines and why you should consider switching to a complex non-expiring password and then use one of these methods to access devices. Your security team will love it!

https://allthingscloud.blog/what-is-your-excuse-for-passwords/


This is one of my favourites this week! Damien Van Robaeys has created an application which will not only create an IntuneWin package, but will also extract the contents of one. Ideal for those apps whose source installer files you lost years ago and finally need to update.

https://www.systanddeploy.com/2022/07/win32app-build-and-extract-tool-tool-to.html


If you’ve ever deployed SSO for WHfB via the Key Trust config, you will understand how time consuming it was. Fortunately Microsoft have released Cloud Trust in preview which is so much quicker! Check out this excellent guide from Timmy Andersson on how to deploy it yourself.


If you’re using a Wired Network profile and are having issues with it, check out this post from Tyler Reilly


If you (or your customers) have Business Premium licensing, you will notice that, among other features, Proactive Remediations isn't included. Fortunately, Florian Salzmann has created an excellent script package which gives you the same Detect/Remediate functionality via a deployed Scheduled Task.

https://scloud.work/en/proactive-remediation-for-business/
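To show the pattern Florian's package is built around, here is an added example of my own (not his code): a small runner that executes a detection script, only runs the remediation script when detection exits non-zero (the same convention Proactive Remediations uses), logs both results, and can register itself as a daily SYSTEM scheduled task. The folder layout under ProgramData and the 09:00 schedule are assumptions for the example.

```powershell
# Added example, not Florian's package. Expected layout (assumption):
#   C:\ProgramData\Remediation\<Name>\detect.ps1     exit 0 = compliant, 1 = needs remediation
#   C:\ProgramData\Remediation\<Name>\remediate.ps1  exit 0 = remediation succeeded
param(
    [Parameter(Mandatory)] [string] $Name,
    [switch] $Register
)

$Root   = Join-Path $env:ProgramData "Remediation\$Name"
$Detect = Join-Path $Root 'detect.ps1'
$Remed  = Join-Path $Root 'remediate.ps1'
$Log    = Join-Path $Root 'run.log'

function Write-Log([string] $Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $Log
}

function Invoke-Script([string] $Path) {
    # Run in a child process so the script's own exit code is captured cleanly.
    $p = Start-Process -FilePath 'powershell.exe' `
        -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$Path`"") `
        -Wait -PassThru -WindowStyle Hidden
    return $p.ExitCode
}

if ($Register) {
    # Daily at 09:00 as SYSTEM, the same context Proactive Remediations would run in.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Name $Name"
    $trigger   = New-ScheduledTaskTrigger -Daily -At 9am
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "Remediation-$Name" -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
    Write-Log "registered task Remediation-$Name"
    return
}

$rc = Invoke-Script $Detect
Write-Log "detect exit $rc"
if ($rc -ne 0) {
    $rc2 = Invoke-Script $Remed
    Write-Log "remediate exit $rc2"
    # Re-run detection so the log records whether remediation actually fixed the issue.
    Write-Log "post-remediation detect exit $(Invoke-Script $Detect)"
}
```

One security point worth checking before you deploy anything like this: the task runs as SYSTEM, so the script folder must be created by the deployment (SYSTEM or an admin), never by a standard user, and must not be writable by standard users. A user-writable detect.ps1 under a SYSTEM scheduled task is a straightforward local privilege escalation.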

Endpoint Analytics is a hugely useful tool for any cloud managed device and automation is the future so why not combine them both? That’s exactly what Sander Rozemuller has done here!

https://rozemuller.com/enable-endpoint-analytics-automated-in-microsoft-endpoint-manager/

Data protection is critical in any environment and should not be restricted to corporate owned devices only. For your BYOD, App Protection Policies are the answer and this excellent post from James Yip runs through why you need them and how to configure them.


If you have Update Compliance configured (and if you don’t, set it up now!), have a look at this from Peter van der Woude demonstrating the new functionality within the O365 Portal to quickly view update status.


Following on from Part 1, Dujon Walsham has written another excellent article, this one looking at Windows 11 readiness via both Intune and SCCM and then looking at your upgrade options.

https://windowsmanagementexperts.com/leveraging-windows-11-management-part-2-readiness-assessment/leveraging-windows-11-management-part-2-readiness-assessment.htm

A second post from Dujon this week and another continuation of the posts about Application Management. This part looks at application approval and digs into MS Graph with PowerShell.


Now we have two posts from Simon Skotheimsvik. If you use HP devices, the first is a must-read, looking at the HP Connect portal to manage BIOS settings centrally, leveraging Proactive Remediations.

https://skotheimsvik.blogspot.com/2022/07/hp-connect-for-microsoft-endpoint.html

The second post is one I personally have been fighting with recently. If you have deployed a VPN config in Intune, you will have noticed that Fortinet is not one of the options. This post covers how to deploy Fortinet config via PowerShell and Proactive Remediations.

https://skotheimsvik.blogspot.com/2022/07/fortinet-vpn-profile-distribution-with.html


Some exciting new Azure AD functionality, Group Writeback is now in preview. Read all about it in this excellent post from Pim Jacobs.

https://identity-man.eu/2022/07/05/using-the-new-group-writeback-functionality-in-azure-ad/


With the announcement of Temporary Access Passes for Autopilot enrollment, Rudy Ooms has done some testing and found some things worth considering. If you are looking to use TAP, have a read of this first to make sure you secure the environment fully.


This thorough post from Gannon Novak digs into App Protection, what it does, how it works and how to configure it.


This excellent post from Matt Tinney shows how to enable SSPR and add a link to the Login Screen for users to be able to reset their own passwords. Your Service Desk will thank you for deploying this one!!


If you use Palo Alto VPN, check out this post from Jeroen Burgerhout to see how to stop the GlobalProtect client from appearing as one of the sign-in options on the login screen.

https://www.burgerhout.org/hide-global-protect-vpn-client-as-default-sign-in-option/


This post from Niklas Tinner looks at Session policies in Azure AD Conditional Access and Defender for Cloud Apps

https://oceanleaf.ch/ca-dfca-session-policies/


If you find yourself in the situation where you need to get 32-bit office onto a machine you’ve built with 64-bit, have a read of this post from Sharath Raj

https://intunecloudarchitect.blogspot.com/2022/07/how-can-we-install-32-bit-office-in.html


This video from Harvansh Singh is an excellent overview of Windows Defender and all of the features within it


A new video from Andy Jones, this one demonstrating the use of FIDO2 security keys to authenticate to your devices. I find these particularly useful for any shared devices, to avoid having to share passwords or PINs.

Microsoft News and Announcements

Now for the announcements from Microsoft for this week.

First up, add this into your calendar for 21st July, these events are highly recommended

https://techcommunity.microsoft.com/t5/tech-community-live/tech-community-live-endpoint-manager-edition/ev-p/3394931

This support post runs through some issues you may be experiencing with compliance policies and why (and how to resolve)

https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-known-issues-in-reporting-and-viewing-compliance/ba-p/3562824?WT.mc_id=EM-MVP-5003580

App Protection policies now available for Android Open Source Project (AOSP) devices

https://techcommunity.microsoft.com/t5/intune-customer-success/intune-app-now-available-for-android-enterprise-dedicated/ba-p/3562046?WT.mc_id=EM-MVP-5003580


I wish you all an amazing weekend
