Endpoint Manager Newsletter – 23rd July 2022

Hello and welcome to another weekly Intune newsletter with a load of cracking content from the MEM community and a good number of announcements from Microsoft.

Community Content

We’ll start this week with this post from Martin Bengtsson demonstrating how to use device control Custom OMA-URI policies to block any non-approved removable storage devices. This adds an extra layer of management over the default block/unblock everything from the security blade.

https://www.imab.dk/prevent-write-and-execute-access-to-non-approved-removable-storage-using-device-control-and-microsoft-intune/


Next up, there has been an update to the excellent Microsoft 365 DSC tool and it now supports Intune policies. This is an excellent way to monitor environments and compare them to a baseline in Powershell. Thanks to William Francillette for pointing this one out.

https://github.com/microsoft/Microsoft365DSC


We have two posts from Rudy Ooms this week, this first one looks at how a device knows which tenant it belongs to. If you ever have to troubleshoot end-user devices, this is definitely worth a read.

Rudy’s second post looks at how you can allow users to update their own apps, in this case Autocad, using powershell scripts, ServiceUI and toast notifications.


We also have two posts from Jonas Bøgvad, starting with a quick look at the recent Microsoft AMA on Autopilot and a link to the video for those who missed it (guilty)

https://blog.skymadesimple.io/read-my-notes-from-microsofts-ama-with-a-focus-on-autopilot/

The second post explains what Android AOSP is and how you can manage these devices using Intune

https://blog.skymadesimple.io/what-is-android-aosp/


This post from Manish Bangia shows how to use Log Analytics and Intune auditing to alert if any changes are made to your environment

https://www.manishbangia.com/keep-track-who-modified-wufb-intune-policies-using-email-alert/


We also have two posts from Jannik Reinhard this week, this first one has a Powershell script and Proactive Remediation to control disk cleanup activities on devices.

https://jannikreinhard.com/2022/07/17/use-endpoint-analytics-to-clean-up-the-disk/

If you package and deploy apps regularly, you’ll know that creating AAD groups can take longer than doing the packaging in some cases. This Powershell script running in an Azure Automation runbook will remove the headache and sort the groups for you!

https://jannikreinhard.com/2022/07/21/automatically-create-assignment-groups-when-a-app-is-created/


This post from Octavio Rodríguez shows how to enrol devices into Defender for Endpoint using Intune (link will translate from Spanish to English)

https://www-deployment-mx.translate.goog/seguridad-para-equipos-con-microsoft-defender-for-endpoint/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp


Here we have an excellent tool from Ugur Koc to push MDE updates directly on devices. If you run MDE, this is well worth deploying to your devices.


We all love Procmon, but sometimes it can be tricky trying to find the information you need amongst everything running on a standard Windows device. This post from Anand P will show how to use Procmon to look at issues being caused by Defender anti-virus.

https://www.cloudtekspace.com/post/use-procmon-for-defender-av-performance-issues


If you have websites which use IE mode in Edge, you may have noticed that the Save Page option has disappeared. This post from Anoop Nair will show you how to re-enable it.

https://www.anoopcnair.com/enable-the-save-page-as-option-ie-mode-ms-edge/


This post from Oliver Kieselbach gives another way to monitor changes to Intune environments, this one uses Azure Automation runbooks.

https://oliverkieselbach.com/2022/07/19/monitoring-intune-policy-configuration-changes/


For a deep-dive into the Intune Device Health Attestation report (something always worth monitoring), have a read of this post from Jitesh Kumar

https://www.anoopcnair.com/intune-device-health-attestation-report-mem/


If you don’t have a test lab for Intune changes, features and general playing about, Peter Klapwijk has you covered with this excellent guide.


Now Chrome can finally be managed using Settings Catalog, Joost Gelijsteen has re-created the Edge baseline for Chrome in a Settings Catalog policy


For any of those annoying apps which MUST have admin access to run, have a look at the RunAsRob tool which Florian Salzmann runs through how to use and deploy via Intune in this post.


I try not to cover too much Windows 365 or AVD content on here as they already have excellent newsletters of their own, but this post from Peter van der Woude gives an excellent insight into Windows 365 and how to deploy it.

Peter’s second post this week shows the easiest way to deploy Universal Print devices with Intune

https://www.petervanderwoude.nl/post/easily-managing-universal-print-printers-on-windows-11-devices/


Whether you support multiple customers, or even just have a test, UAT and live tenancy, it’s a chore having to manually re-created policies in the GUI. Fortunately, Gannon Novak has done some digging around in MS Graph and demonstrates how to export and import using Powershell.


Is there anything more annoying than having meeting invitations declined without sending a response and then sitting waiting for someone who is never going to show? This post from Simon Skotheimsvik shows how to use Intune to disable that option.

https://skotheimsvik.blogspot.com/2022/07/disable-do-not-send-response-option-in.html


If you are a Defender for Endpoint user, I’d strongly recommend reading this from Shehan Perera with a run-through on how to use threat hunting and in particular, using KQL which underpins all reports.

https://shehanperera.com/2022/07/17/defender-threat-hunting-1/


Now we have a two-part post from Joymalya Basu Roy with a full end-end walkthrough for deploying Windows Autopatch.


Microsoft Content

Another busy week at Microsoft HQ! First we have an interactive guide on deploying Intune and Autopilot which is well worth checking out.

https://regale.cloud/Microsoft/viewer/1339/index.html#/0/0

If you haven’t already heard, WIP is no-longer under development, read about that here.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-the-sunset-of-windows-information-protection-wip/ba-p/3579282

I’ve included this for the excellent AVD landing zone diagram. If you are currently, or will be working with AVD, it’s worth checking out

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/wvd/enterprise-scale-landing-zone

There are some exciting new features on the authenticator app, read about them here:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone

A new version of one of my favourite selection of tools has been released, find out more and grab the latest versions here:

https://techcommunity.microsoft.com/t5/sysinternals-blog/bg-p/Sysinternals-Blog

You can now use M365 Lighthouse to deploy Edge settings to multiple tenants at once, read how:

https://techcommunity.microsoft.com/t5/microsoft-365-blog/managing-browser-security-easily-with-microsoft-365-lighthouse/ba-p/3572366

And last, but not least, Microsoft have a lot of updates for MacOS and iOS management, read about those below.

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-simplifies-endpoint-manager-enrollment-for-apple/ba-p/3570319

That’s it for this week, I hope you found these as useful as I have!

Posted in Newsletter