Community Content
We start this week with an excellent look at Autopatch from Katy Nicholson, covering not only the implementation but also the requirements and the various groups and policies it creates.
https://katystech.blog/mem/windows-autopatch
Next, we have two posts from Michael Niehaus, the first looking at different firmware versions and why they vary across devices.
https://oofhours.com/2022/08/12/fun-with-tpm-firmware-version-numbers/
For any macOS users, the second post will show you how to create a Windows 11 ISO for booting into Parallels.
https://oofhours.com/2022/08/15/want-your-own-windows-11-21h2-arm64-isos/
A question I hear a lot is how to force the time to update on an Intune device. Fortunately, Niall Brady has done some investigation and come up with a PowerShell script to solve the problem.
Device Guard is an excellent feature for extra security, but it’s Windows Enterprise only. If you deploy a machine with a Pro license and then uplift, you may find that it’s refusing to apply the config profile. Simon Håkansson has created a Proactive Remediation script in this post to give it a nudge in the right direction.
https://www.simonhakansson.com/cloud-endpoint-blog/credential-guard-not-applicable
We have a new application from Jannik Reinhard. This one will create an Intunewin application for a Chocolatey application to take the hard work away from you.
https://jannikreinhard.com/2022/08/01/introduction-of-the-chocolatey-intune-app-creator/
In Jannik’s second post, we can see how to activate macOS FileVault via Intune to encrypt Apple devices.
https://jannikreinhard.com/2022/08/17/activate-mac-filevault-using-intune/
Self-service is a wonderful thing, but there are times when you would rather users call IT for help, and from a security aspect, this is definitely one of them. This post from Jan Bakker will show you how to disable the feature.
It’s no secret that I’m a massive fan of Proactive Remediations, but sometimes a scheduled task just works better, and that functionality is not built into Intune natively. This post from Gannon Novak will show you how to deploy a scheduled task as a Win32 application.
A second post from Gannon this week, this one showing how to use Intune and Win32 apps to back up additional files to OneDrive via Scheduled Tasks.
https://smbtothecloud.com/sync-users-teams-backgrounds-or-other-files-with-onedrive-using-intune/
This application from Florian Salzmann will take Winget/Chocolatey apps and package them as Intunewin. It will also keep a current inventory of apps for you and upload to the portal!
This post from Dean Ellerby gives a quick run-down on three of my favourite tools, WimWitch, OSDCloud and PSADT. I’m looking forward to seeing the content that follows!
If you’ve recently switched to Windows 11, have a look at this post from Christopher Mogis on how to install Hyper-V for your all-important labs!
https://www.ccmtune.fr/2022/08/how-to-install-hyper-v-feature-on.html
A second post from Christopher, this one showing how to set the time zone via Intune.
https://www.ccmtune.fr/2022/08/how-to-set-time-zone-on-windows-device.html
Christopher has been busy this week; the third post looks at configuring and deploying Autopatch.
https://www.ccmtune.fr/2022/08/windows-autopatch-service-activation.html
Next up, Andy Jones gives an excellent run-down on Expedited updates within Windows Update for Business
Andy’s second post this week looks at the extremely useful device filters and how to use them
https://move2modern.weebly.com/blog-posts/filters-what-are-they-and-how-do-they-work
This post from Anoop Nair has an in-depth look at the OneDrive policy settings in Settings Catalog, what they do and why you should use them
https://www.anoopcnair.com/silently-move-known-folders-to-onedrive-intune/
Whilst the Intune portal now has Locate Device functionality for Windows devices, sometimes it’s quicker to grab information via PowerShell (if you want to map the location of all devices, for example). This post from Damien Van Robaeys will show you how to use PowerShell and Graph to find a device’s location.
https://www.systanddeploy.com/2021/04/use-powershell-and-ms-graph-to-locate.html
In this post, James Robinson has done a deep dive into Autopatch, looking at what exactly it is doing at the Graph level
https://skiptotheendpoint.co.uk/diving-under-the-hood-of-autopatch/
If you use Device Enrollment restrictions, check out this post from Noel Fairclough to clarify what the manufacturer field does (hint: it blocks, not allows).
For those with security baselines deployed, you will be aware that when an update is released, it’s a manual job to update your policies or they go read-only. If you have multiple customers, this is a very manual task to check for updates. Fortunately, Peter Klapwijk has created a logic app here to alert you of changes.
In Peter’s second post, monitoring is extended to Autopilot profiles to look for any devices which aren’t assigned an Autopilot profile
Peter’s third post (busy week) shows how to create a Managed Identity and assign permissions to it
If you’ve wanted to look at using FIDO2 authentication, this post from Joost Gelijsteen will show you how to configure and use it
This post from Lars Lohmann demonstrates the difference between a destructive and non-destructive PIN reset and how to enable the non-destructive approach.
The first of two posts this week from Rudy Ooms looks at what may cause Edge to hang on first login after Autopilot and how to fix it.
Grab a comfy seat before starting on this next one. It’s a long and complex dive into the murky world of TPM Attestation…
With the new ADMX custom import, Rudy has updated the post on mapping drives. It’s worth re-reading to get the latest.
For those looking for a remote tool, but without the cost of the big names, this post from Ľuboš Nikolíni shows how to deploy Remote Desktop Services Shadowing via Intune and Proactive Remediations
This post from Somesh Pathak looks at issues with Android Enterprise devices rebooting themselves and how to resolve them.
https://intuneirl.se/home/f/android-enterprise-device-reboots-on-its-own
Now onto the video content this week. The first one, from Roy Esteves, shows how to configure Apple VPP and link it to Intune.
This video from Matt Soseman demonstrates how to use a security key to onboard new users without needing to provide them a password, time to go passwordless!!
Next, we have a video from Manish Bangia on configuring Azure AD Connect and then configuring Hybrid AD Join.
With the new custom ADMX ingestion, Jakub Piesik has recorded a video on doing so using Firefox as an example
To complete the community content this week, we have a video from Dean Ellerby showing how to add a custom Azure AD Domain in the new Entra portal
Microsoft Content
A lot of Microsoft news this week as well!
Edge Security Baseline v104 has been released with 12 new settings, it’s worth having a look before implementing/updating!
Pre-Requisites for Update Rings have been documented
https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings#prerequisites
Some tips on how to make Dynamic Rules more efficient in AAD groups
TLS 1.0 and TLS 1.1 will soon be disabled by default, read what that means to you here
https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/
Tamper Protection in Defender for Endpoint on macOS is now out of preview and into GA
Dev Box is now in preview (and free for 15 hours for now)
https://azure.microsoft.com/en-us/blog/announcing-microsoft-dev-box-preview/
A list of the supported CSPs when using Group Policy Analytics and importing the settings
Time-Based One Time Passcode (TOTP) is now out of preview and GA (and something worth applying)
An update to the drivers preview functionality has been posted at the bottom of this article
Universal print is now included in Windows 11
Azure Workbooks for Update Compliance now in preview (if you haven’t deployed Update Compliance yet, read my guide here)
Zero-day support for Android
Custom import ADMX Templates (this is a big one)
https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom
Defender APIs now in Graph in Public Preview
And finally, Office 2016 and 2019 won’t connect to Exchange Online after October 2023. Watch this video to look at your update options.
Congratulations! You have reached the end for this week! Have a great weekend.