Welcome to this week's newsletter, and for those of you returning (or back) from MMS, I hope you enjoyed the conference!
Quite a lot of content this week and of course the big news of the week is the end of life of Windows 10!
Community Content
We start this week with Patrick Seltmann answering the question as to whether you need to exclude Intune Enrollment from your CA policies with this very thorough post
Should you exclude “Microsoft Intune Enrollment” from your compliance CAP or not?
Managing guest users is always a challenge, especially if they need to access internal resources. Kenneth van Surksum looks at how to use Conditional Access to manage them here
Configuring Conditional Access for Guest Users: Allowing Only Office 365 and Essential Apps
If you’re looking at getting started with Windows 365 Link, check out this guide from Michael Meier
Now that WMI has been removed from 25H2, this script from Jorge Suarez will check your scripts and flag up any which need fixing
https://www.jorgeasaur.us/finding-wmi-usage-before-microsoft-finds-it-for-you/
Next, Joymalya Basu Roy looks at Hotpatch, including the all-important patching calendar
Windows Hotpatch: Reboot-Free Security Updates for Windows 11 with Intune
One thing to watch with Autopatch is build numbers, especially if used with compliance policies or filters, as covered here in a second post from Joymalya
The Autopatch client broker can now be deployed via Win32 application instead of a PowerShell script. Jan Mulder covers the steps to migrate it here
If you are rapidly deploying Windows 11, this script from Florian Salzmann should be top of your list to deploy; it will ensure your devices have the required disk space to complete the update
https://scloud.work/free-up-space-for-windows-11-upgrades-with-intune-remediation/
If you don’t want to use a Debloat script (I’ve heard one is quite good), you can now remove the built-in Microsoft apps natively as covered here by Peter van der Woude
Removing preinstalled Microsoft Store apps using native functionality
For the ultimate in phased deployments, check out this script from Nick Benton which will create dynamic groups for you, no matter what size your estate
https://www.oddsandendpoints.co.uk/posts/tuning-phased-deployment-groups/
I still prefer AppLocker to WDAC (maybe I’m getting old). If you want to automate the creation of configuration files for use in Intune, check out this post from Niels Kok
If you are running HP devices and are struggling to install Windows because the drive is not appearing, Peter Klapwijk has the fix here
Hard drive and partitions are not shown while installing Windows
Now that AVD and Windows 365 support external identities, follow this guide from Dieter Kempeneers to get started using the new functionality
How External Identities Improve Security and Collaboration in AVD and Windows 365
Another deep dive here from Anders Ahl, this one looking at the first layer of defence on your tenant, Conditional Access: how to configure it properly and some things to look out for
Microsoft Conditional Access: Implementation Considerations and Common Mistakes
Desperately trying to keep those Win10 machines running? Learn how to enable ESU for them in this post from Jose Schenardie
Enable Windows 10 ESU (Extended Security Updates) with Intune
If you have been following the previous posts from Ewelina Paczkowska, you will probably have a solid set of Conditional Access policies ready (and hopefully in report-only mode). Now it’s time to take the leap and throw them into production. Follow this final post in the series to learn how and to report on them fully.
Damien Van Robaeys has another extremely useful dashboard for you, this one showing the Windows authentication methods used across your estate
https://www.systanddeploy.com/2025/10/dashboard-of-windows-authentication.html
Following on from the excellent first part covering personal Android devices, Nicky De Westelinck has posted the second part which looks at your corporate Android Enterprise devices
If you don’t have Windows Enterprise licensing, but want to deploy custom backgrounds and lockscreens, check out this script from James Vincent
Deploy and Apply Desktop Wallpaper & Lockscreen using Intune
Considering a Windows 365 Link? Niklas Tinner has you covered here with things to note
https://www.oceanleaf.ch/windows-365-link-experience/
You may have noticed the Windows cumulative updates have recently jumped in size. If you want to learn what’s inside them and what it means to you, check out this post from Michael Niehaus
Windows 11 cumulative updates: How can they possibly be that big?
Gannon Novak has updated the excellent script for automating the creation of MAM policies, groups and filters, well worth checking out
https://smbtothecloud.com/configure-mam-for-ios-android-with-one-script/
Video Content
Now for this week's video content, where Christiaan Brinkhoff chats to Megan Gremmell about the importance of community in Microsoft
The latest podcast is here from Shady Khorshed, discussing the fleetly tool with Somesh Pathak
Next, John Savill covers the ins and outs of hotpatch
Microsoft Content
Now for the Microsoft content, starting with more information around the ever-popular hotpatch from Sakshi Monga
If you need ESU for Windows 10, see how Windows 365 might help you here with Ivaylo Ivanov
If you need to deploy DISA STIGs, Chris Vetter runs through the different options here
That’s it for this week, have a great weekend!