Welcome everyone to this weeks Endpoint Manager newsletter with another feast of content for you to enjoy.
Community Content
We start this week with a post from Manish Bangia with a thorough look at the difference between MDM and MAM enrollment.
https://www.manishbangia.com/mdm-user-scope-vs-mam-user-scope/
Next, we have two posts from Jannik Reinhard, the first uses Automation runbooks to create a Teams alert with the top-5 failed apps in the estate, an excellent way to spot any faulty win32 packages.
Jannik’s second post is a useful script to quickly check if a device meets the pre-requisites for Autopilot, well worth running to avoid a deployment failing.
https://jannikreinhard.com/2022/08/24/check-autopilot-enrollment-prerequisite/
This post from Niklas Tinner shows how to use the browser developer tools and Graph Explorer to export policies and scripts directly from Intune.
https://oceanleaf.ch/get-started-with-graph-explorer-and-intune/
If you haven’t looked at PIM (and have AAD P2 licensing), read this from Gaurav Pandey on why just-in-time access is so important, especially on your AAD joined device admins, this role is across the estate!
If you haven’t read the announcement from Microsoft (linked below), Intune is now a leader in the Gartner Magic Quadrant for Unified Endpoint Management. But what is UEM? Read this post from Anoop Nair to find out…
https://www.anoopcnair.com/what-microsoft-unified-endpoint-management-uem/
Now we have a double bill from Jitesh Kumar, the first demonstrating how to add Managed Google Play Store apps into Intune
https://www.anoopcnair.com/add-android-managed-google-play-app-in-intune/
The second post shows a magic button in Company Portal to bulk install multiple applications (I’ll be using this a lot when testing new packages!)
https://www.anoopcnair.com/bulk-install-windows-apps-intune-company-portal/
If you have ever looked at the Attack Surface Reduction rules in Intune, you will have noticed there are a LOT of them. This post from Prajwal Desai gives a great break-down of what they do and how they work.
https://www.prajwaldesai.com/attack-surface-reduction-rules-in-intune-mem/
This post from Michael Niehaus looks at the different ways to assign Autopilot profiles onto devices
https://oofhours.com/2022/08/24/how-many-ways-are-there-to-manage-autopilot-devices-and-profiles/
Another excellent monitoring Power Automate config here from Peter Klapwijk, this one gives an easy to read email with a list of any policies which are sitting unassigned to keep your environment neat!
When deploying apps and scripts you have the choice of System or User context, but with some apps it can be difficult to work out which to use. This post from Gannon Novak looks at the differences between them.
If you have Conditional Access policies deployed, they have no doubt been carefully considered and run past multiple departments, but what if someone just starts changing them? Follow this guide from Bilal el Haddouchi to setup monitoring alerts when someone changes your CA policies.
Now we have 4 updated posts from Rudy Ooms which are well worth refreshing to catch the updates.
The first looks at the recent changes to how ESP handles required applications and those specified specifically in the ESP config
The second update confirms a Windows update fixes one of the issues around rebooting during Autopilot
This post looks at why when wiping a device the Company Portal app will become unresponsive after rebuilding
The fourth update covers resetting an Autopilot device via PowerShell
Basic Authentication is being disabled shortly which is fine for anything recently configured, but what if you have an iOS device which was configured a while ago? This post from Somesh Pathak shows how to deploy a policy to nudge these devices into the modern world.
https://intuneirl.se/home/f/its-time-to-move-to-modern-authentication
This post from Jonas Bøgvad looks at the importance of carefully selecting your devices and what to look for
https://blog.skymadesimple.io/secure-supply-chain/
Now we have a 2-parter from Shehan Perera around Azure AD Device Registration. The first part looks at troubleshooting and fixing any devices stuck in Pending.
https://shehanperera.com/2022/08/17/aad-drs-pending-1/
Expanding on that, the second part uses Azure Automation to alert you when a device enters the pending state so you can fix it accordingly
https://shehanperera.com/2022/08/19/aad-drs-pending-2/
If you are using Windows 365 you might have encountered an issue with ESP causing a device to hang and require re-provisioning. This post from Ola Ström will show you how to configure a custom policy to disable it.
With the introduction of importing custom ADMX templates, it is now much easier to manage 3rd party software. This post from Joost Gelijsteen looks at importing the Adobe ADMX templates to cloud manage your Adobe apps.
The next part of Mattias Melkersen Kalvåg‘s excellent vlog on PSADT is now live and well worth watching, this part takes a look at the functions and how the script works.
Microsoft have announced GA of Custom Compliance Scripts (you can read my post on how to use them here) and also custom shell scripts for MacOS. Ramya Chitrakar has given us more information here:
A new script from Ugur Koc, this gives a nice GUI to the get-windowsautopilotinfo script and also some additional features to do some autopilot pre-requisite checks
I’m sure like me, most of you are using Hyper-V virtual machines in your test labs which often need creating and destroying (the best way to learn is by breaking things). Luckily for all of us, Harm Veenstra has released a script to build a PowerShell VM AND register it for Autopilot!
If you still have Windows 10 device in the estate and want to remove Internet Explorer from them, follow this guide from Christopher Mogis
https://www.ccmtune.fr/2022/08/how-to-disable-internet-explorer-on.html
Now onto the video content for this week and we start with this video from Matt Soseman on how to use Temporary Access pass, conditional access, compliance policies and Autopilot for a secure passwordless first login experience.
If you work in Education, this video from the Intune for Education Customer Acceleration Team will show how to enrol a device running Windows 11 SE into Autopilot
The Intune Training Team have released a new video, this one from Adam Gross and Steven Hosking looking at configuring Local Admins on devices via the Endpoint Security settings
If you missed the excellent Autopilot AMA, fear not, it is still available on Youtube with contribution from Steven Hosking, Ben Reader, Jóhannes Geir Kristjansson, Jake Shackelford, Dean Ellerby, Andy Jones, Simon Lee, Dan Stradling and Lexi Burroughs
Microsoft Content
Now onto the Microsoft announcements for this week
First, as mentioned above, basic authentication is being deprecated in exchange online.
Microsoft have been announced as a leader in the Gartner Magic Quadrant for UEM, well done to everyone involved!
Following on from Ramya’s post above, if you want to look at everything in the 2208 edition of Endpoint Manager, here is the full release information
Defender for Endpoint now supports network and web protection for MacOs and Linux!
That’s it for this week, put your feet up and enjoy the weekend!
