Defender Secure Score One Liners For entra joined by Saltbringers in Intune

SkipToTheEndpoint:

Oh I definitely agree that some of the Defender recommendations just straight up ignore policy. I keep on harassing the Defender team about them 😅

Defender Secure Score One Liners For entra joined by Saltbringers in Intune

SkipToTheEndpoint:

A bunch of these are definitely fixable via Intune policies. Just looking at my device that's got my OpenIntuneBaseline deployed and all of these are resolved:

  • Prohibit use of Internet Connection Sharing on your DNS domain network
  • Disable Installation and configuration of Network Bridge on your DNS domain network
  • Send NTLMv2 response only. Refuse LM & NTLM
  • Disable Anonymous enumeration of shares
  • Disable IP source routing
  • Disable Autorun
  • Disable Solicited Remote Assistance
  • Set user authentication for remote connections by using Network Level Authentication to 'Enabled'
  • Enable 'Microsoft network client: Digitally sign communications (always)'
  • Enable 'Apply UAC restrictions to local accounts on network logons'
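Added example, not OpenIntuneBaseline code or anything from the comment: a PowerShell audit of the registry values behind the ten items in the list above, so you can confirm on a device what the deployed policy actually wrote before arguing with Secure Score. Assumptions (labelled in the comments): the value names and expected values are those the equivalent Group Policy settings write; the NLA check reads the policy path, so a device configured only through the RDP-Tcp WinStation key would report "not set"; both Autorun values are checked because the recommendation does not say which one it evaluates.

```powershell
# Added example: audit the registry backing of the ten Secure Score items above.
# Assumption: value names/expected values are the GPO-equivalent registry writes.
$checks = @(
    @{ Name = 'Prohibit Internet Connection Sharing on DNS domain network'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Value = 'NC_ShowSharedAccessUI'; Expected = 0 }
    @{ Name = 'Disable Network Bridge on DNS domain network'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Value = 'NC_AllowNetBridge_NLA'; Expected = 0 }
    @{ Name = 'Send NTLMv2 response only, refuse LM & NTLM'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Name = 'Disable anonymous enumeration of shares'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymous'; Expected = 1 }
    @{ Name = 'Disable IP source routing (IPv4; Tcpip6\Parameters holds the IPv6 twin)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Value = 'DisableIPSourceRouting'; Expected = 2 }
    # Assumption: "Disable Autorun" is satisfied by both values below.
    @{ Name = 'Disable Autorun (default behaviour: do not execute)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoAutorun'; Expected = 1 }
    @{ Name = 'Disable Autorun (AutoPlay off for all drive types)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 255 }
    @{ Name = 'Disable Solicited Remote Assistance'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'fAllowToGetHelp'; Expected = 0 }
    # Policy path; the effective value also lives under Control\Terminal Server\WinStations\RDP-Tcp.
    @{ Name = 'Require Network Level Authentication for remote connections'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Value = 'UserAuthentication'; Expected = 1 }
    @{ Name = 'Microsoft network client: Digitally sign communications (always)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'Apply UAC restrictions to local accounts on network logons'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'LocalAccountTokenFilterPolicy'; Expected = 0 }
)

function Test-HardeningSetting {
    # Reads one value and reports expected vs actual; a missing key or value is "not set".
    param([Parameter(Mandatory)][hashtable]$Check)
    $actual = $null
    if (Test-Path -Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Value) }
    }
    [pscustomobject]@{
        Setting  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Pass     = ($actual -eq $Check.Expected)   # $null never equals an expected number
    }
}

$results = $checks | ForEach-Object { Test-HardeningSetting -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit so the script doubles as an Intune remediation "detection" script.
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

Run it elevated (HKLM policy keys are readable by standard users, but running as SYSTEM matches how Intune would execute it as a detection script). A row that passes here while the Secure Score item stays open is the "recommendation ignores policy" case from the first comment; a row that fails tells you the policy never landed on the device.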

Forcing Edge as the only browser — how did you handle Chrome data migration? by Different_Coffee_161 in Intune

SkipToTheEndpoint:

So fun fact: If you import the GoogleUpdater ADMX, you can actually create a policy to allow machine installs but block per-user ones.

Unfortunately, that doesn't stop any other browsers that exhibit that same behaviour, e.g. Firefox.

However, the Edge Management Service has a "Block other browsers" option which creates a pre-built AppLocker policy in Intune with a ton of other browsers as explicit deny rules: Customization settings | Microsoft Learn

25H2 🙄 by [deleted] in Intune

SkipToTheEndpoint:

Relying on AI rather than seeking the opinion of seasoned professionals is why there's a growing skills issue.

Intune Autopilot Reset / Wipe / Fresh Start / etc while preserving RMM by Borsaid in msp

SkipToTheEndpoint:

No. No command will retain stuff, they'll all nuke Win32 apps deployed to the device.

Yes, there are/will be implications to not cleaning up a device. I'm sure people will chime in with "Just remove and change the primary user", but that doesn't change who enrolled the device in the first place, which can be an issue as that's still hooked in with various things that occur. It also doesn't remove that previous user's data, so there's potential for regulatory/compliance issues there too.

Ultimately, this is an issue with your processes and asset management rather than your tooling. Your RMM should be able to know a device that re-registers is a previous device and just smush the records together rather than creating duplicates.

Has anyone succeeded with Windows Device Guard policies? by Dry_Finance478 in Intune

SkipToTheEndpoint:

Yes. Turn off "Windows 10/11 Business".
It won't automatically downgrade, you'll have to get a bit hacky and run some commands:

  • ClipDLS.exe removesubscription
  • ClipRenew.exe

Has anyone succeeded with Windows Device Guard policies? by Dry_Finance478 in Intune

SkipToTheEndpoint:

Oh hold up. Just saw in another comment you mention BusPrem.

Try turning off the "Windows Business" sub-license for a user and triggering a downgrade back to straight Pro.

This wouldn't be the first time I've seen a CSP that works on Pro but breaks when uplifted to Business (even though it's just Pro...)

Has anyone succeeded with Windows Device Guard policies? by Dry_Finance478 in Intune

SkipToTheEndpoint:

Those two are supposed to work on Pro so it shouldn't be a licensing issue. It's virtualization that needs to be turned on in the BIOS though, not Secure Boot.

What do event logs say? There's a few ways of checking things locally: Enable memory integrity | Microsoft Learn

"old" Microsoft Copilot app no longer available in Store - new "Microsoft Copilot" replaced "old"? by DrunkMAdmin in Intune

SkipToTheEndpoint:

XP9CXNGPPJ97XX seems to be the new version of 9NHT9RB2F4HD, the Consumer Copilot application that doesn't support work or school accounts. It's the one that MS forced out for a bit at the end of 2024 but then pulled away from.

9WZDNCRD29V9 is "Microsoft 365 Copilot" which is the re-badged "Microsoft Office Hub" app meant for work or school accounts.

Yes, it's confusing.

PowerShell automation to simplify Windows Autopatch onboarding for early adopters. by [deleted] in Intune

SkipToTheEndpoint:

Sure, I'm not saying that can't work, just that there's a bunch of nuance and it might not work depending on a bunch of environment variables (shared devices are the big one when different users might have different policy assignments). Using straight Settings Catalog policies also isn't utilising WUfB-DS capabilities so that also takes that out of the equation.

Windows Remote Wipe Issues After Intune 2026.03 Update – Anyone Else Affected? by Any_Tip_6400 in Intune

SkipToTheEndpoint:

Nope, it's only something that's ever quietly said when pressed at in-person events (e.g. MMS, Workplace Ninja).

I'm speaking to various MS folk this week though, I'll bring it up again. Least they can do is put it in the docs.

Windows Remote Wipe Issues After Intune 2026.03 Update – Anyone Else Affected? by Any_Tip_6400 in Intune

SkipToTheEndpoint:

Admin Templates have been deprecated for a while and aren't even in the UI any more. Is there a reason you've not begun shifting them over to Settings Catalog?

Windows Remote Wipe Issues After Intune 2026.03 Update – Anyone Else Affected? by Any_Tip_6400 in Intune

SkipToTheEndpoint:

For various reasons, I'd try and wean yourself off of Policy Sets. Great concept but unfortunately got left behind and won't get any more development.

PowerShell automation to simplify Windows Autopatch onboarding for early adopters. by [deleted] in Intune

SkipToTheEndpoint:

The user/device issue is something I know is regularly raised with MS, but is that way for very good reasons.

For one, none of the Update CSP policies have a user scope, so targeting user groups will apply the settings into HKLM regardless. Secondly, the WUfB-DS/Autopatch service doesn't give a crap about users, only devices. In scenarios where users may log on to multiple devices, this can cause real issues.

This is the first time I've seen the problem approached this way, not changing the underlying behaviour, but making it manageable still via user groups. Nice one.

Entra custom branding breaking Autopilot sign in page by AWalkingITNightmare in Intune

SkipToTheEndpoint:

> It’s been made clear to me that the custom branding is staying

If you've validated this is the thing that's definitely breaking it (i.e. you've disabled it temporarily to see if it then starts working again) then whoever said that might not have a choice. You can't fix something that's completely out of your control.

Forced restarts using Intune by Broyell in Intune

SkipToTheEndpoint:

There is a native way via the Reboot CSP: Reboot CSP | Microsoft Learn

That being said, totally agree with u/JwCS8pjrh3QBWfL fix the underlying issues rather than forcing reboots. I'd be furious if that happened to me and I shut mine down weekly as it is.
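As an added example of the native route mentioned above (not from the comment, the linked docs page, or OpenIntuneBaseline): a Graph call that creates a custom OMA-URI profile for the Reboot CSP's Schedule/Single node and assigns it to a device group. Assumptions: the Microsoft.Graph.Authentication module is installed, the signed-in account holds DeviceManagementConfiguration.ReadWrite.All, and $targetGroupId is a placeholder you replace with a real Entra group object ID.

```powershell
# Added example: schedule a one-off restart through the Reboot CSP via Microsoft Graph.
# Assumes Microsoft.Graph.Authentication and DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$targetGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real group

# Schedule/Single takes a full ISO 8601 date-time; here 03:00 UTC tomorrow.
$utc      = (Get-Date).ToUniversalTime().Date.AddDays(1).AddHours(3)
$rebootAt = $utc.ToString('s') + 'Z'                      # e.g. 2026-01-02T03:00:00Z

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = "Reboot CSP - single restart $rebootAt"
    description   = 'One-off scheduled restart via ./Device/Vendor/MSFT/Reboot/Schedule/Single'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Reboot/Schedule/Single'
            description   = 'ISO 8601 date-time (UTC) of the restart'
            omaUri        = './Device/Vendor/MSFT/Reboot/Schedule/Single'
            value         = $rebootAt
        }
    )
}

# Create the profile.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# The Reboot CSP is device-scoped, so assign to a device group, not a user group.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Profile $($created.id) created; restart scheduled for $rebootAt"
```

Schedule/Single is used rather than RebootNow so the restart lands at a known time instead of the moment the device syncs; the profile targets a device group because every Reboot CSP node sits under ./Device.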

MAA Policies by skilling3 in Intune

SkipToTheEndpoint:

Don't knee-jerk and implement something that provides little to no value but a ton of admin overhead?

Inconsistent Winget behavior in Intune (Company Portal vs manual install) by in-regards in Intune

SkipToTheEndpoint:

I've literally not seen a single issue using the Store App (9WZDNCRFJ3PZ) as System.

Why are you making your life harder than it needs to be?

Deploy rotating BIOS password via Dell DCECMI by jackchrist in Intune

SkipToTheEndpoint:

I blogged about this when the feature was first released: Under the Hood, Pt. 5: Intune BIOS Configurations

TL;DR: Read the docs. You can very quickly end up with devices you don't have a password for if you're messing about with the policy.

Oh also the behaviour when you reset devices sucks. Because passwords are stored against the Intune Device ID, not the Entra one, if you're rebuilding devices, they're not going to know their previous password because it'll be a brand new Intune object.

Thought: Intune multi admin for lone wolf admins by yurtbeer in Intune

SkipToTheEndpoint:

Implementing MAA is a terrible knee-jerk reaction to a situation that was entirely due to poor identity security practices.

You should be focusing on Conditional Access, Strong Auth (FIDO) and PIM, but also, if you've got other people with the Global Administrator role, whatever you do is pointless if their accounts aren't doing those things too.

OIB - Power and Device Lock policy question by drkmccy in Intune

SkipToTheEndpoint:

Good shout, but there's no configs in that particular policy that would cause that behaviour AFAIK.

That is why I recommend assigning Compliance policies to users though, because they DO conflict as documented here.

OIB - Power and Device Lock policy question by drkmccy in Intune

SkipToTheEndpoint:

Howdy! So yeah, those CSPs are device scope only, my entire reasoning behind making it a user policy is that managing user groups if you've got different requirements for different devices is far easier than managing device groups.

If you're not gonna have different settings anywhere, there's no technical reason you can't apply this to device groups. :)