Intune Newsletter – 17th February 2023

Welcome to your non-stop-shop for Intune content. This week is so full of content, I started writing it the day after I published last week's!

Community Content

First up this week, Somesh Pathak has a look at the Factory Reset Protection functionality built in to Android devices

https://www.intuneirl.com/factory-reset-protection/

A second post from Somesh, also on the Android theme, looks at the Device Administrator app, what it does and why it’s there

https://www.intuneirl.com/device-admin-app/


I’m sure you’ve noticed the new sidebar in Edge (love it or hate it?). This post from Nicklas Ahlberg shows how to show it, hide it and add custom links to it


Trevor Jones has put together an excellent script to grab the data on all feature update rings and export to Log Analytics where you can use PowerBi to make charts and exec-friendly displays. Well worth checking out!

https://smsagent.blog/2023/02/10/consolidated-feature-update-reporting-for-microsoft-intune/


Now we have two posts from Tom Machado, the first using Graph to locate a device and plot it on a map

https://poemtomdm.fr/2023/02/10/locate-device-using-microsoft-graph-and-invoke-restmethod-with-intune/

Tom’s second post looks at Device Diagnostics and how to use them effectively

https://poemtomdm.fr/2023/02/09/how-to-remotely-get-any-local-files-from-microsoft-intune/


If you are deploying bare metal images with Config Manager, I’d recommend reading this post from Michael Niehaus with a potential issue you may see when domain joining

https://oofhours.com/2023/02/10/the-mysterious-case-of-the-failed-ad-domain-join/

In Michael’s second post you can find a script to create a provisioning package for bulk enrollment, but more reliably than using the ICD Tooling

https://oofhours.com/2023/02/14/simplify-the-process-of-generating-an-aad-bulk-enrollment-provisioning-package/


Another troubleshooting post, this one from Ramal Abeysekera looking at the “Account Not Onboarded” error with macOS devices

http://ratech.cloud/2023/02/12/fix-accountnotonboarded-error-while-adding-macbook-to-microsoft-endpoint-manager-intune-using-company-portal/


Next up, Jannik Reinhard looks at one of my favourite things, Microsoft Graph including how to get started using it (managing Intune gets easier when you’ve mastered Graph)

https://jannikreinhard.com/2023/02/12/how-to-create-powershell-script-to-automate-tasks-in-intune/


Now for two posts from Nico Wyss, the first of which has some tips and scripts to harden Chrome with Intune and Defender

https://cloudfil.ch/intune-and-defender-365-google-chrome-hardening/

Nico’s second post runs through how to retrieve and deploy the certificate required for Fortigate SSL deep inspection via Intune

https://cloudfil.ch/how-to-deploy-fortigate-ssl-deep-inspection-certificate-with-microsoft-intune/


The next part of Paul Winstanley and Michael Marable’s excellent look at conditional access is now available, this time enforcing MFA for admins. If you don’t have this set up already, please do so!

https://sccmentor.com/2023/02/12/just-dropped-in-to-see-what-condition-my-conditional-access-rule-was-in-part-3-require-multifactor-authentication-for-admins/


Now for two posts from Jitesh Kumar, starting with a look at user-driven enrollment on iOS devices

https://www.anoopcnair.com/account-driven-user-enrollment-for-ios-ipados/

And this one covers how to monitor the status of the firewall on your Intune managed devices

https://www.anoopcnair.com/check-firewall-policy-reports-from-intune/


If you are in a co-managed setup, this post from Benoit Hamet will show you how to get Config Manager recommendations from within the Intune portal

https://blog.hametbenoit.info/2023/02/14/intune-get-recommendations-for-your-configuration-manager/


One of the more annoying parts of setting up a new environment is having to go and assign all of the apps added from Apple VPP, Google Play etc. Fortunately Nick Benton has put together a very useful script to automate bulk assignment

https://memv.ennbee.uk/posts/assigning-intune-applications/


Damien Van Robaeys has put together another excellent script which leverages log analytics to provide a useful dashboard displaying devices with BSOD

https://www.systanddeploy.com/2023/02/devices-bsod-blue-screen-dashboard-with.html


An exciting new announcement (official one below): driver management is now publicly available (but not yet in the Intune console). Fortunately David Brook has been quick off the mark with the Graph commands to manage it all. David has also released a video version in the content below.

Driver Management via Graph API and PowerShell (euc365.com)

In a follow-up post you can find a script to also set deferrals

https://euc365.com/post/add-offer-deferrals-driver-firmware-policies/

If you want to see which devices are applicable for driver deployments, you need this post

https://euc365.com/post/view-applicable-devices-driver-deployments/


Next, Florian Salzmann looks at the Defender for Endpoint web filtering capabilities, how to enable in Intune and what the end-user experience is like

https://scloud.work/defender-for-endpoint-webfilter/


Rudy Ooms has again been digging around in Procmon and Wireshark, this time looking at the importance of MSA Tickets in device communication with Intune


A new feature in W11 22H2 is Smart App Control, this post from Peter van der Woude looks at how it works as well as WDAC including configuring the policies


Knowledge of Azure AD/identity management is crucial when working with any of the Microsoft cloud tools. As Eric Woodruff covers here, it’s also critical to most Microsoft exams!


Whilst on the subject of identity, if you don’t currently use PIM, have a read of this post from Mike van den Brandt and find out why you should be using it!


This post from Prajwal Desai runs you through the complete end-to-end steps to deploy Zoom via Intune

A second post from Prajwal, this time thoroughly running through the steps to configure Bitlocker via Intune

Prajwal’s third post looks at the different ways of getting cloud PC connection details


On a similar note, if you need Zoom on a cloud VDI machine, Gannon Novak explains how to obtain and install the VDI-specific version here


Mattias Melkersen Kalvåg has released part 4 of the series on PSADT, this time looking at getting, setting and removing registry keys


Some weekly knowledge nuggets from Niclas Andersson, this week looking at Winget, Logic apps and Microsoft Graph


In the first of two posts from Brad Wyatt you can find a PowerShell script to amend permissions on the Public desktop to let users manage their own icons

Brad’s second post uses ADMX Ingestion to enable SSO within Firefox


Following on from a previous post re-creating the Edge baseline, Jörgen Nilsson has now re-created the Windows Security Baseline using the Settings Catalog only


Dynamic AAD Groups and Filters take a lot of the effort out of managing an estate. This post from Priscilla Leon takes a good look at both of them!

https://patchtuesday.com/tech-blog/dynamic-azure-ad-groups/


Jeffrey Appel has released part 10 of the Defender for Endpoint Series, this part covers some useful tips and tricks as well as what to watch out for.


An updated post from Simon Skotheimsvik showing how to deploy FortiClient VPN, not including PMPC and Scappman


If you want to restrict access to just upload Autopilot hashes, this post from Niklas Tinner will show you how to create a custom role with the required permissions

https://niklastinner.medium.com/permissions-to-manage-and-upload-an-autopilot-identity-415817f4b0ff

A second post from Niklas, looking at the wider Intune RBAC permissions

https://oceanleaf.ch/intune-rbac-permissions/


Number match for MFA is soon to be the default, in this post Moe Kinani looks at the PowerShell commands to switch authentication method

https://cloudbymoe.com/f/number-match-and-changing-the-default-mfa-method


This thorough post from Pim Jacobs looks at Azure AD Access Packages and some excellent features you may not know existed

https://identity-man.eu/2023/02/15/using-the-hidden-gems-in-azure-ad-access-packages-all-you-need-to-know-part-1/


Niels Kok and Stefan Dingemanse have put together an excellent PS Module for managing W365 machines. In this latest post, you can see how it restores and reprovisions a cloud PC


This guide from Aresh Sarkari shows you how to get started with Defender for Endpoint and W365/AVD machines


On the subject of cloud PCs, this post from Doug Petrole looks at the secondary monitoring metrics available

https://www.desktopsforeveryone.com/blog/monitoring-month-secondary-metrics


If you are building machines using SCCM/MDT or simply having IT staff log in to a machine prior to deployment, you may find the primary user does not match the actual end-user and causes havoc with Company Portal. Fortunately Torbjorn (Mr T-Bone) Granheden has a script that can run in an Azure Runbook to sort it for you

https://www.tbone.se/2023/02/16/update-intune-primary-user-with-powershell-or-azure-automation/


Will Francillette has released part 3 of the Graph SDK series (and we all know how much I love Graph), this one looking at Graph permissions. If you haven’t read the previous parts, check those out too!

https://www.french365connection.co.uk/post/graph-sdk-permissions


Defender for Endpoint is an incredibly useful part of the M365 suite. This post from René Laas runs through the steps to onboard via Intune

https://endpointcave.com/onboard-devices-to-defender-for-endpoint-via-intune-connector/


If you haven’t yet set up Windows Hello for Business, this post from Manish Bangia will walk you through it step by step

https://www.manishbangia.com/configure-windows-hello-for-business-using-intune/


This article from Roy Apalnes demonstrates some of the use cases for leveraging Windows 365

https://www.linkedin.com/pulse/windows-365-6-personas-your-company-can-better-support-roy-apalnes/


Microsoft now officially support Windows 11 on ARM-based macOS devices using Parallels; you can read more in this post from Michael Niehaus

https://oofhours.com/2023/02/16/microsoft-supports-windows-11-on-arm-for-m1-m2-based-macs-with-parallels/


Next, an introduction to Winget (and the interesting history behind package managers) from Kevin Kaminski

https://www.checkyourlogs.net/introducing-winget/


Video Content

Now onto the video content, this week starting with a new video from Peter Kay showing how to create a message template for non-compliant devices


Next, Dean Ellerby demonstrates how to import your on-prem GPOs into Intune using GPO Analytics as well as home tips


This episode of the 425 show is a deep dive into Conditional Access featuring Caleb Baker and Shannon Kuehn


The latest Namaste Techies episode is now live with Harjit Dhaliwal and Anoop Nair looking at and discussing Chat GPO and Bing


This video featuring Mattias Melkersen Kalvåg and Chris Gerke shows how to leverage VS Code, Git and PSADT to make building and deploying your Win32 apps much easier!


Managing your security baselines in Intune can be a lengthy process, even more so if you are managing multiple tenants. This video from Nick Ross looks at Microsoft365 DSC and Simeon Cloud to do the hard work for you.


To make logins easier for your end users, you can set a default domain in Intune as demonstrated in this video from Craig Camacho


This video from Chander Mani Pandey shows how to use a PowerShell script and Azure automation to bulk sync Windows devices


As mentioned earlier, David Brook has put together a video covering the new driver integration functionality


If you haven’t tried Winget yet, this video from Dean Cefola will set you well on your way


The latest what’s new in Intune video is now out featuring Mattias Melkersen Kalvåg and Nickolaj Andersen looking at the new features in 2301


The first of a new set of videos from Andrew Jones looking at managing iOS and macOS with Intune, starting with enrolling personal macOS devices


The final video from this week comes from Jóhannes Geir Kristjansson, Jake Shackelford and Sean Bulger looking at the cause of many sleepless nights for me, Graph Pagination. Fortunately the script is shared for you to use in your scripts!


Microsoft Content

Now onto the Microsoft content, starting with a look at the expansion of ASR to MDE managed devices (and how to exclude them) from Laura Arrizza and Amit Ghodke

Expanding support for Attack surface reduction rules with Microsoft Intune – Microsoft Community Hub


As covered earlier, here is the official announcement of the driver integration from Nir Froimovici

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/commercial-driver-and-firmware-servicing-is-publicly-available/ba-p/3741194


If you are reading this, you must have some interest in Windows and Intune. Join the Office Hour to discuss any questions and speak with the experts. Heather Poulsen has more information here

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-pros-join-us-every-month-for-windows-office-hours/ba-p/3737783


The latest Skilling Snack has been released, this one comes from Danny Guillory and covers transitioning from on-prem to cloud on your end-user devices, looking at your various options

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/skilling-snack-from-on-premises-to-the-cloud/ba-p/3744927


The final content from this week comes from Anton Fontanov looking at improvements to the updating of .Net framework in Windows 11 22H2

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/improving-net-framework-updates-for-windows-11-version-22h2/ba-p/3741184


If you’re still reading at this point, congratulations! That’s it for this week, go and enjoy your weekend
