Endpoint Manager Newsletter – 19th August 2022

Community Content

We start this week with an excellent look at Autopatch from Katy Nicholson, not only looking at implementing it, but also the requirements and the various groups and policies it creates.

https://katystech.blog/mem/windows-autopatch


Next, we have two posts from Michael Niehaus, the first looking at different TPM firmware version numbers and why they vary across devices.

https://oofhours.com/2022/08/12/fun-with-tpm-firmware-version-numbers/

For any macOS users, the second post will show you how to create a Windows 11 ISO for booting into Parallels.

https://oofhours.com/2022/08/15/want-your-own-windows-11-21h2-arm64-isos/


A question I hear a lot is how to force the time to update on an Intune device. Fortunately, Niall Brady has done some investigation and come up with a PowerShell script to solve the problem.

https://www.windows-noob.com/forums/topic/22645-forcing-a-time-sync-during-windows-autopilot-oobe-to-combat-time-related-issues/


Device Guard is an excellent feature for extra security, but it’s Windows Enterprise only. If you deploy a machine with a Pro license and then uplift, you may find that it’s refusing to apply the config profile. Simon Håkansson has created a Proactive Remediation script in this post to give it a nudge in the right direction.

https://www.simonhakansson.com/cloud-endpoint-blog/credential-guard-not-applicable


We have a new application from Jannik Reinhard; this one will create an Intunewin application for a Chocolatey application to take the hard work away from you.

https://jannikreinhard.com/2022/08/01/introduction-of-the-chocolatey-intune-app-creator/

In Jannik’s second post, we can see how to activate macOS FileVault via Intune to encrypt Apple devices.

https://jannikreinhard.com/2022/08/17/activate-mac-filevault-using-intune/


Self-service is a wonderful thing, but there are times when you would rather users call IT for help, and from a security aspect this is definitely one of them. This post from Jan Bakker will show you how to disable the feature.


It’s no secret that I’m a massive fan of Proactive Remediations, but sometimes a scheduled task just works better, and that functionality is not built into Intune natively. This post from Gannon Novak will show you how to deploy a scheduled task as a Win32 application.

A second post from Gannon this week, this one showing how to use Intune and Win32 apps to back up additional files to OneDrive via scheduled tasks.

https://smbtothecloud.com/sync-users-teams-backgrounds-or-other-files-with-onedrive-using-intune/


This application from Florian Salzmann will take Winget/Chocolatey apps and package them as Intunewin. It will also keep a current inventory of apps for you and upload it to the portal!


This post from Dean Ellerby gives a quick run-down on three of my favourite tools, WimWitch, OSDCloud and PSADT. I’m looking forward to seeing the content that follows!

https://www.linkedin.com/pulse/some-awesome-community-tools-part-1-dean-ellerby?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_all%3BFruCkP1bRBiIVQ3%2Fe0bg3w%3D%3D


If you’ve recently switched to Windows 11, have a look at this post from Christopher Mogis on how to install Hyper-V for your all-important labs!

https://www.ccmtune.fr/2022/08/how-to-install-hyper-v-feature-on.html

A second post from Christopher, this one showing how to set the time zone via Intune.

https://www.ccmtune.fr/2022/08/how-to-set-time-zone-on-windows-device.html

Christopher has been busy this week; the third post looks at configuring and deploying Autopatch.

https://www.ccmtune.fr/2022/08/windows-autopatch-service-activation.html


Next up, Andy Jones gives an excellent run-down on expedited updates within Windows Update for Business.

https://move2modern.weebly.com/blog-posts/how-to-expedite-windows-quality-updates-in-microsoft-intune

Andy’s second post this week looks at the extremely useful device filters and how to use them.

https://move2modern.weebly.com/blog-posts/filters-what-are-they-and-how-do-they-work


This post from Anoop Nair has an in-depth look at the OneDrive policy settings in the Settings Catalog, what they do and why you should use them.

https://www.anoopcnair.com/silently-move-known-folders-to-onedrive-intune/


Whilst the Intune portal now has Locate Device functionality for Windows devices, sometimes it’s quicker to grab the information via PowerShell (if you want to map the location of all devices, for example). This post from Damien Van Robaeys will show you how to use PowerShell and Graph to find a device’s location.

https://www.systanddeploy.com/2021/04/use-powershell-and-ms-graph-to-locate.html


In this post, James Robinson has done a deep dive into Autopatch, looking at what exactly it is doing at the Graph level.

https://skiptotheendpoint.co.uk/diving-under-the-hood-of-autopatch/


If you use device enrollment restrictions, check out this post from Noel Fairclough to clarify what the manufacturer field does (hint: it blocks, it does not allow).

https://www.linkedin.com/pulse/android-enrollment-device-restrictions-manufacturer-noel-fairclough?lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_all%3BHE7Ygk2bR6m3lH1%2B3UX7gg%3D%3D


For those with security baselines deployed, you will be aware that when an update is released, it’s a manual job to update your policies or they go read-only. If you have multiple customers, checking for updates is a very manual task. Fortunately, Peter Klapwijk has created a logic app here to alert you of changes.

In Peter’s second post, the monitoring is extended to Autopilot profiles to look for any devices which aren’t assigned an Autopilot profile.

Peter’s third post (busy week) shows how to create a Managed Identity and assign permissions to it.


If you’ve wanted to look at using FIDO2 authentication, this post from Joost Gelijsteen will show you how to configure and use it.


This post from Lars Lohmann demonstrates the difference between a destructive and non-destructive PIN reset and how to enable the non-destructive approach.


The first of two posts this week from Rudy Ooms looks at what may cause Edge to hang on first login after Autopilot and how to fix it.

Grab a comfy seat before starting on this next one. It’s a long and complex dive into the murky world of TPM Attestation…

With the new custom ADMX import, Rudy has updated his post on mapping drives; it’s worth re-reading to get the latest.


For those looking for a remote tool, but without the cost of the big names, this post from Ľuboš Nikolíni shows how to deploy Remote Desktop Services Shadowing via Intune and Proactive Remediations.

https://github.com/najki78/publicStuff/wiki/Remote-desktop-shadowing-is-Microsoft’s-free-alternative-to-VNC,-TeamViewer,-DameWare-etc.-(well,-sort-of-and-only-sometimes)


This post from Somesh Pathak looks at issues with Android Enterprise devices rebooting themselves and how to resolve them.

https://intuneirl.se/home/f/android-enterprise-device-reboots-on-its-own


Now onto the video content this week: the first, from Roy Esteves, shows how to configure Apple VPP and link it to Intune.


This video from Matt Soseman demonstrates how to use a security key to onboard new users without needing to provide them a password. Time to go passwordless!


Next, we have a video from Manish Bangia on configuring Azure AD Connect and then configuring Hybrid Azure AD Join.


With the new custom ADMX ingestion, Jakub Piesik has recorded a video on doing so, using Firefox as an example.


To complete the community content this week, we have a video from Dean Ellerby showing how to add a custom Azure AD domain in the new Entra portal.

Microsoft Content

A lot of Microsoft news this week as well!

Edge Security Baseline v104 has been released with 12 new settings; it’s worth having a look before implementing/updating!

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v104/ba-p/3593826


Prerequisites for Update Rings have been documented.

https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings#prerequisites


Some tips on how to make dynamic membership rules more efficient in AAD groups.

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-rule-more-efficient


TLS 1.0 and TLS 1.1 will soon be disabled by default; read what that means for you here.

https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/


Tamper Protection in Defender for Endpoint on macOS is now out of preview and generally available.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-on-macos-is-now-generally-available/ba-p/3595422#


Dev Box is now in preview (and free for 15 hours for now).

https://azure.microsoft.com/en-us/blog/announcing-microsoft-dev-box-preview/


A list of the supported CSPs when using Group Policy Analytics and importing the settings.

https://docs.microsoft.com/en-us/mem/intune/configuration/group-policy-analytics#supported-csps-and-group-policies


Time-based One-Time Passcode (TOTP) MFA is now out of preview and generally available (and something worth applying).

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/totp-based-mfa-for-azure-ad-b2c-is-now-generally-available/ba-p/3600448


An update on the driver updates preview functionality has been posted at the bottom of this article.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/deployment-service-for-driver-updates-public-preview-coming-soon/ba-p/2914212#:~:text=Roadmap%20


Universal Print is now included in Windows 11.

https://techcommunity.microsoft.com/t5/universal-print-blog/universal-print-capabilities-in-windows-11-now-available-in/ba-p/3590531


Azure Workbooks for Update Compliance are now in preview (if you haven’t deployed Update Compliance yet, read my guide here).

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/public-preview-of-azure-workbooks-for-update-compliance/ba-p/3601310


Day-zero support for Android 13.

https://techcommunity.microsoft.com/t5/intune-customer-success/day-zero-support-for-android-13-with-microsoft-endpoint-manager/ba-p/3601760


Custom ADMX template import (this is a big one).

https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom


Microsoft 365 Defender APIs are now in Graph in public preview.

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099


And finally, Office 2016 and 2019 won’t connect to Exchange Online after October 2023; watch this video to look at your update options.


Congratulations! You have reached the end for this week! Have a great weekend.
