Endpoint Manager Newsletter – 7th October 2022

Welcome everyone to this week’s newsletter, grab a drink, pull up a comfy chair, maybe even a pair of slippers if that’s your thing and read on…

Community Content

We start with this post from Niklas Tinner with an excellent high-level view of moving to a cloud-only Intune environment, looking at configuration, FAQs and also the security aspects.

https://oceanleaf.ch/endpoint-management-transition-to-the-cloud/


Filters are a very powerful feature in Intune and one which is often overlooked. This guide from Jitesh Kumar will show you how to create a filter for devices running Windows 11-22H2.

https://www.anoopcnair.com/filter-windows-11-22h2-devices-in-intune-mem/


As I’ve mentioned before, Azure AD is the front-door to your entire environment and it should be secured accordingly. To implement CIS Foundation Level 1 in your environment, follow this post from Jonas Bøgvad.

https://blog.skymadesimple.io/cis-ms-365-foundation-level-1-azure-active-directory/


Uplifting a device from Windows 10/11 Pro to Enterprise is seamless in a cloud-only world, but for your hybrid devices, there is a bit more involved. In this post from Ben Owens, you can find out what is involved and how to make sure your environment is fully configured.

https://www.teamas.co.uk/2022/06/assigning-windows-1011-enterprise.html


Sometimes you find yourself with an application which you need to have on all devices, but which requires some interaction from the user, ruling out deployment during Autopilot ESP. For those applications, have a look at this guide from Jannik Reinhard on using an application Custom Requirements script to detect when ESP has completed.

https://jannikreinhard.com/2022/10/02/how-to-skip-the-esp-for-a-single-app-installation/


For anyone starting out on the exciting Autopilot journey, this in-depth post from Devraj Mukherjee will run you through setting it up and testing in a Hyper-V lab.

https://www.myintunespace.com/forum/infrastructure/windows-11-autopilot-how-much-easy-is-it?origin=business_manager


Driver updates, whilst improving, are still one of the more tricky parts to manage on an Intune joined device and you’re largely given the option of “yes, update them” or “no, don’t”. If you run a Dell estate, have a look at this Proactive Remediation from Florian Salzmann then sit back and relax.

https://scloud.work/en/dell-driver-intune/


The Microsoft Store for Business retirement seems to have caused a lot of confusion amongst many people. If you want an idea of what’s happening, have a look at this post from James Robinson.

https://skiptotheendpoint.co.uk/the-troubled-situation-with-the-store/


In a bizarre twist of GPOness, we have moved from on-prem AD to Intune configuration profiles, but now have the option to ingest old-school ADMX files to pick up anything not currently built-in. In a typically thorough post from Rudy Ooms, you can find out how to create your own ADMX policies and see how they work.


If you have a website which doesn’t behave well as a shortcut, or have another requirement, have a look at this post from Somesh Pathak (congratulations on the MVP award) to deploy it as a Webview application.

https://intuneirl.com/2022/10/create-a-webview-app-for-ios-ipad-os-or-macos/

A new feature recently added to Intune covers alerts on Windows 365 machines. To find out more and how to configure them, read this guide from Ola Ström.

https://www.olastrom.com/2022/alerts-in-windows-365


Temporary Access Pass (TAP) combines excellently with Autopilot, letting you ship devices to new users without having to share a password with them prior to first login. This post from Bilal el Haddouchi covers using and configuring them nicely.

https://www.bilalelhaddouchi.nl/index.php/2022/10/05/temporary-access-pass/


If you are yet to set up Autopatch, follow this excellent guide from Prajwal Desai.

https://www.prajwaldesai.com/windows-autopatch-setup-implementation-guide/

With so many excellent new features in Windows 11-22H2 (and not many bugs from what I’ve seen), now is a good time to start updating your machines. Joey Verlinden shows you how to deploy via Intune in this guide.

https://www.joeyverlinden.com/upgrade-to-windows-11-22h2/


Microsoft Graph and PowerShell scripts, two of my favourite parts of Intune. Niels Kok spotted a gap in the Microsoft documentation around assigning PowerShell scripts within Intune via Graph and has put together these instructions to fill the void.


Next up, anyone who has upgraded to 22H2 may have noticed an issue with virtual switches in a Hyper-V environment. Sune Thomsen has looked at what’s causing the issue and how to fix it in this post.


If you are seeing an error when installing a new Config Manager distribution point, have a look at this post from Timmy Andersson with a fix.


Another new MVP (congrats) Shehan Perera has released an excellent guide on using the Microsoft Graph Intune PowerShell modules which are extremely powerful.

https://shehanperera.com/2022/10/06/ms-graph-powershell-1/


Mattias Melkersen Kalvåg has released a new version 2.0 of the Intune Debug Toolkit, which is a collection of community tools for troubleshooting and debugging Intune and Autopilot issues. Highly recommended for anyone working in Intune.


I always prefer to use a sandbox for app packaging so I can check the installers work ok, get detection requirements etc. This post from Tim Hermie will get you started with a sandbox and the intunewin packaging tool.

https://cloud-boy.com/2022/02/enable-sandbox-and-use-it-for-intunewin-packaging/

Taking TAP a step further, Jan Bakker shows how to use a Logic App to fully automate the starters and leavers process in this thorough guide.


This post from Harm Veenstra lists some excellent PowerShell modules which are definitely worth checking out!


Ákos Bakos has released the second part of the series looking at OSDCloud. This part looks at image deployment, drivers and custom image management. If you’re new to OSDCloud, this and part 1 will get you set up without too much effort.


If you use MDT for bare-metal deployments, you may have noticed an issue with Windows 11-22H2. There is now a workaround listed on the MS Docs GitHub repo. Thanks to Johan Arwidmark for the fix.

https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/configmgr/mdt/known-issues.md


Michael Niehaus has also looked at the impact of 22H2 on MDT deployments including the removal of x86 and Johan’s fix above.

https://oofhours.com/2022/10/06/get-ready-and-get-mdt-ready-to-deploy-windows-11-22h2/


This post from Moe Kinani looks at iOS app protection policies for managed apps and lists the application IDs for some of the main apps you may wish to protect.

https://cloudbymoe.com/f/ios-app-protection-policy—manage-exceptions


For anyone stuck with Hybrid managed devices, my sympathies! One of the (potentially many) issues you may encounter is with devices stuck as Pending. To troubleshoot and resolve the issue, have a look at this post from Gannon Novak.


One of the exciting new features in Windows 11 22H2 is Smart App Control. To find out what it is, how it works and how to use it, follow this guide from Dean Ellerby.


If you want to filter policies to just W365 cloud machines (or just those which aren’t), have a look at this post from Aresh Sarkari.


Conditional Access Authentication Strength is a new feature in AAD (be careful with it, don’t lock yourself out!). If you want to automate the deployment of it, and why wouldn’t you, follow this guide from Sander Rozemuller.

https://www.rozemuller.com/deploy-monitor-conditional-access-require-authentication-strength/


The last of the community content (and only video content this week unless I’ve missed something) comes from Jóhannes Kristjansson, Jake Shackelford and Sean Bulger looking at using Graph to manage your users.

Microsoft Content

Now onto the Microsoft news and announcements this week.

This post looks at your options to prepare for a DR situation across your M365 environment and the importance of backups (something I’ve mentioned before here).

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/prepare-for-cloud-service-disaster-recovery-export-key-m365/ba-p/3641966


You can now use RBAC with Tenant Attached machines!

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/new-rbac-capabilities-with-configuration-manager-and-intune/ba-p/3640477


Updates on using SCEP with Intune

https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep#create-a-scep-certificate-profile


Autopilot will soon automatically detect diagnostics when a machine fails to complete

https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-whats-new#autopilot-automatic-device-diagnostics-collection


Many improvements for managing Android Open Source Project (AOSP) devices

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-expands-device-management-for-android/ba-p/3645407


A guide to the Endpoint Management sessions at Ignite

https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/your-guide-to-endpoint-management-at-microsoft-ignite-2022/ba-p/3646286


And finally, an excellent video from Microsoft Mechanics looking at all things Autopilot.


I hope you’ve found these as useful as I have! Have a great weekend.
