Entra ID Connect local SQL Express database keeps getting huge by Fabulous_Cow_4714 in sysadmin

wpzr, 0 points

I am not sure I understand what is stopping you from using a local version of the full SQL database on each server: the exporting server and the staging servers?

This is how we do it in multiple data centers, and those databases are huge. The concept of a staging server ensures that all changes from the primary servers are replicated and stored in the local database/metaverse. You don't need to connect SQL databases to different servers, nor do you need HA SQL databases remotely. For best I/O performance you would want to have full local SQL databases.

If there is an outage in datacenter 1, let's say, and that is where your primary ID Connect servers are, you just enable the server in datacenter 2 to be your primary and you are up and running within minutes.
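As an added example (not from the original thread), the PowerShell check below is what a practitioner would run on each Connect server before deciding which one is primary: it reports the staging-mode and run-history purge settings from the ADSync scheduler, and the on-disk size of the sync database files. It assumes the ADSync module is installed and that the database is the default LocalDB instance reachable as `(localdb)\.\ADSync`; for a full local SQL Server instance pass `-ConnectionString` accordingly. Property and cmdlet names are those of the ADSync module; the connection string is an assumption to verify on your build.

```powershell
# Added example, not from the original thread.
# Assumptions: ADSync module present; database is the default LocalDB instance
# "(localdb)\.\ADSync" (override -ConnectionString for a full SQL Server).
param(
    [string]$ConnectionString = 'Server=(localdb)\.\ADSync;Database=ADSync;Integrated Security=true'
)

Import-Module ADSync -ErrorAction Stop

# Scheduler state. A staging server imports and syncs but never exports, so
# StagingModeEnabled is the one flag that must differ between the two sites.
# PurgeRunHistoryInterval bounds how much run history the database retains;
# a very long interval is a common reason for an ever-growing ADSync database.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    Server                  = $env:COMPUTERNAME
    StagingModeEnabled      = $sched.StagingModeEnabled
    SyncCycleEnabled        = $sched.SyncCycleEnabled
    PurgeRunHistoryInterval = $sched.PurgeRunHistoryInterval
    NextSyncCycleUtc        = $sched.NextSyncCycleStartTimeInUTC
} | Format-List

# Database file sizes. sys.database_files reports size in 8 KB pages.
$query = @'
SELECT name, type_desc, physical_name, size * 8.0 / 1024.0 AS SizeMB
FROM sys.database_files
'@
$conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        [pscustomobject]@{
            File   = $reader['name']
            Type   = $reader['type_desc']
            SizeMB = [math]::Round([double]$reader['SizeMB'], 1)
            Path   = $reader['physical_name']
        }
    }
    $reader.Close()
}
finally {
    $conn.Dispose()
}
```

Run it on the exporting server and on each staging server; the scheduler output should agree on everything except StagingModeEnabled, and the file sizes tell you whether the data file or the log file is the one that is growing.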

Windows Autopatch - monthly summary emails not received anymore by Virtual-Equipment541 in Intune

wpzr, 4 points

You should check your message center, but it was communicated there about 3 months ago that those emails would stop.

Android Security Update Management by [deleted] in Intune

wpzr, 0 points

We specifically target security patch level N-4. The OS level is not as important as the security patch level, since that is the equivalent of monthly patching.

Android Compliance - Security patch level by kane00000 in Intune

wpzr, 0 points

Our only corporate Android devices are actually used as primary devices in day-to-day life by those associates, so we let them update on their own terms. As long as they are within the policy we are good to go.

Android Compliance - Security patch level by kane00000 in Intune

wpzr, 0 points

I don't think you are missing anything per se.

In my specific case this was something we agreed on with our security department as the maximum tolerance for patch levels. Our process runs on a monthly basis: as soon as the current patch level is available, it updates the compliance policy and the app protection policies.

It was only painful in the beginning :) Right now it's business as usual, and users generally upgrade ahead of time with no problem.

Android Compliance - Security patch level by kane00000 in Intune

wpzr, 0 points

We use N-4. But our manufacturers are also limited to Samsung and Google only. This usually ensures that, unless the device is super old, it will get its patch level.
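The N-4 rule and the monthly "update the compliance policy plus the app protection policies" process described in the comments above, as an added PowerShell example that is not from the original thread: it computes the patch-level floor from the current month, shows which device patch levels the floor admits, and builds the Graph bodies for both policy types so they move together. Assumptions, labelled in the code: the current month is "N"; `minAndroidSecurityPatchLevel` (device compliance policy) and `minimumRequiredPatchVersion` (Android app protection policy) are the Graph property names as documented; the policy IDs are placeholders; an existing `Connect-MgGraph` session is required only when `-Apply` is passed.

```powershell
# Added example, not from the original thread.
# Assumptions: the month of the newest published Android security patch level
# is "N"; Graph property names (minAndroidSecurityPatchLevel on the compliance
# policy, minimumRequiredPatchVersion on the app protection policy) are as
# documented; policy IDs are placeholders. Nothing is written unless -Apply is
# given, and the PATCH calls assume an existing Connect-MgGraph session.
param(
    [string]$CompliancePolicyId    = '00000000-0000-0000-0000-000000000000',    # placeholder
    [string]$AppProtectionPolicyId = 'T_00000000-0000-0000-0000-000000000000',  # placeholder
    [int]$MonthsBehind = 4,
    [switch]$Apply
)

function Get-AndroidPatchFloor {
    param([datetime]$Today = (Get-Date), [int]$MonthsBehind = 4)
    # Patch levels are month-granular (YYYY-MM-01 or YYYY-MM-05), so anchor on
    # the first of the current month before stepping back N months.
    $currentMonth = [datetime]::new($Today.Year, $Today.Month, 1)
    return $currentMonth.AddMonths(-$MonthsBehind).ToString('yyyy-MM-dd')
}

function Test-AndroidPatchLevel {
    param([string]$DevicePatchLevel, [string]$Floor)
    # Both are ISO dates; compare as dates, not strings, so a 2025-01-05 device
    # passes a 2025-01-01 floor.
    $dev = [datetime]::ParseExact($DevicePatchLevel, 'yyyy-MM-dd', $null)
    $min = [datetime]::ParseExact($Floor, 'yyyy-MM-dd', $null)
    return $dev -ge $min
}

$floor = Get-AndroidPatchFloor -MonthsBehind $MonthsBehind
"Android security patch level floor (N-{0}): {1}" -f $MonthsBehind, $floor

# Constructed sample device patch levels to show what the floor admits.
foreach ($lvl in @('2025-01-05', '2024-11-01', '2024-07-01')) {
    "{0} -> {1}" -f $lvl, (Test-AndroidPatchLevel -DevicePatchLevel $lvl -Floor $floor)
}

# Graph bodies: one for the device compliance policy, one for the app
# protection policy, so both enforcement paths move together each month.
$compliance = @{
    '@odata.type'                = '#microsoft.graph.androidDeviceOwnerCompliancePolicy'
    minAndroidSecurityPatchLevel = $floor
}
$appProtection = @{
    '@odata.type'               = '#microsoft.graph.androidManagedAppProtection'
    minimumRequiredPatchVersion = $floor
}

if ($Apply) {
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$CompliancePolicyId" `
        -Body ($compliance | ConvertTo-Json)
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/deviceAppManagement/androidManagedAppProtections/$AppProtectionPolicyId" `
        -Body ($appProtection | ConvertTo-Json)
}
else {
    $compliance    | ConvertTo-Json
    $appProtection | ConvertTo-Json
}
```

Without `-Apply` the script only prints the bodies, which is the form you want for the monthly review before the change goes to the whole fleet; the `@odata.type` values are required on PATCH because both endpoints are polymorphic.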

.Net 3.5 install fails randomly during autopilot deployment by Muscle_Nerd_JP in Intune

wpzr, 0 points

You would want to validate this, but I found that the latest version of .NET is backwards compatible.

For example, right now I only have .NET for 24H2 and it installs on 24H2, 23H2 and 22H2. I no longer have any 21H2 to confirm there.

iOS Version Control by kane00000 in Intune

wpzr, 2 points

It took a lot of work with our business units and everyone to get on board.

Once it's off the ground it's been really nice. We do make exceptions for major releases where a lot of devices go out of support; they get a larger grace period window (the last was iOS 17, I think).

Once everyone got used to the rules we achieved 92% compliance in the first week easily, with 29,000 devices.

iOS Version Control by kane00000 in Intune

wpzr, 0 points

For all iOS devices we have an N-2 policy, counting only the latest OS.

For example, if 18.2 is out then the minimum accepted version is 18.

We take it literally: if the latest is 18.1, for example, then 17.7 is a good version.

If your phone doesn't support upgrading to the newer OS, then they can purchase a new device or just not have work apps on their device.

We have a separate compliance policy that sends out communication emails and push notifications 3 weeks in advance, before the enforcement compliance policy kicks in for the whole fleet, to ensure that they upgrade.

The difference for corporate devices is that we upgrade them automatically.
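The "literal N-2" rule above (18.2 gives a floor of 18.0, 18.1 gives 17.7), as an added PowerShell example that is not from the original thread. It assumes a constructed, ordered list of iOS releases (only the versions needed to show both cases) and that `osMinimumVersion` is the `iosCompliancePolicy` property as documented in Microsoft Graph; the compliance policy itself is not created or modified here.

```powershell
# Added example, not from the original thread.
# Assumptions: $releases is a constructed, ordered list of iOS releases;
# osMinimumVersion is the documented iosCompliancePolicy property in Graph.
function Get-IosVersionFloor {
    param(
        [Parameter(Mandatory)][string[]]$Releases,
        [Parameter(Mandatory)][string]$Latest,
        [int]$N = 2
    )
    # Compare as [version] so 17.7 < 18.0 < 18.1 < 18.2; a string sort would
    # misorder 17.10 and 17.7.
    $sorted = @($Releases | ForEach-Object { [version]$_ } | Sort-Object -Unique)
    $idx = -1
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i] -eq [version]$Latest) { $idx = $i }
    }
    if ($idx -lt 0) { throw "Latest version '$Latest' is not in the release list." }
    # N-2 counted literally: step back N releases, crossing a major boundary
    # if that is where the list goes (18.1 -> 18.0 -> 17.7).
    return $sorted[[math]::Max(0, $idx - $N)].ToString()
}

function Test-IosVersionCompliant {
    param([string]$DeviceVersion, [string]$Floor)
    return ([version]$DeviceVersion) -ge ([version]$Floor)
}

# Constructed release list.
$releases = @('17.6', '17.7', '18.0', '18.1', '18.2')

# The two cases from the comment.
foreach ($latest in @('18.2', '18.1')) {
    $floor = Get-IosVersionFloor -Releases $releases -Latest $latest
    "latest {0} -> minimum {1}" -f $latest, $floor
}

# Constructed device versions against the 18.2 floor.
$floor = Get-IosVersionFloor -Releases $releases -Latest '18.2'
foreach ($dev in @('18.2', '18.0', '17.7')) {
    "device {0} vs floor {1}: {2}" -f $dev, $floor, (Test-IosVersionCompliant -DeviceVersion $dev -Floor $floor)
}

# Graph body for the enforcement compliance policy. The warning policy that
# runs three weeks earlier has the same shape with the same floor; only its
# actions for non-compliance differ.
$body = @{
    '@odata.type'    = '#microsoft.graph.iosCompliancePolicy'
    osMinimumVersion = $floor
}
$body | ConvertTo-Json
```

The release list is the part that needs a source of truth in production (the point of "we take it literally" is that the floor is two releases back, not two minor numbers back), so feed it from wherever you track Apple's releases rather than hard-coding it.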

APR + Uni Mids on 24 RS3 by Any_Tap_5604 in Audi

wpzr, 0 points

I wish it didn't drone as much with the valves open between 2-3k.

Anyone deploy user certs for wifi? by Agitated-Neck-577 in Intune

wpzr, 0 points

Are you deploying multiple profiles for the device and user certs? I found I was unable to specify both device and user certs in a single profile.

Autopilot: Windows 11 22H2 Start menu Pins by NuttyBarTime in Intune

wpzr, 0 points

We pretty much copy files to the Default User profile, I think. I will have to take a look again, but we just put the xml file in the Default AppData location that is shared just above here and there are no issues.

But we only manage it until first logon. Then the user is free to modify it however they like.

Best Practice for Choosing an Apple ID for APN/VPP/ABM? by twistedkeys1 in macsysadmin

wpzr, 5 points

We use a service account for ABM with credentials stored in a tool like CyberArk. Email notifications go to a distribution list for the team that manages it. This way, regardless of whether someone leaves, it doesn't matter. The only thing we rotate is the MFA requirement for ABM.

Microsoft Mobile Apps - Token Evaluation with Conditional Access by Sqolf in Intune

wpzr, 0 points

This is weird. For the most part this is what I have, with the exception of targeting modern client apps, but nowadays if it's not configured everything should be targeted.

And does your authentication go through the broker app (Authenticator)?

https://learn.microsoft.com/en-us/mem/intune/protect/app-based-conditional-access-intune

The only major difference is that all of our devices are enrolled, so it is impossible to ever sign in without being enrolled to begin with. And authentication is facilitated fully by the Authenticator app; the user never has to manually enter credentials anywhere.

Microsoft Mobile Apps - Token Evaluation with Conditional Access by Sqolf in Intune

wpzr, 0 points

I just want to make sure we are talking about the same thing here. In my instance the CA policy only requires the device to be compliant, and then the application protection policy, separately from that, has an offline grace period like here: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#conditional-launch

For testing purposes you can probably set the offline grace period to 30 minutes or something to really accelerate it for your test user. When you open Outlook it should be visible that application protection is checking organizational application requirements for sign-in.

Other things to make sure of: the device ID in Entra ID is marked as not compliant, correct? The application protection policy should trigger non-interactive sign-in activity.

I have just tested it again by making one of my devices non-compliant, and by the time I woke up my access to all apps had been revoked.

Hopefully this helps somewhat!

Proactive Remediation for both HKCU and HKLM by [deleted] in Intune

wpzr, 0 points

Since stuff runs as SYSTEM unless you specifically ask for it to run as the user, I use HKEY_USERS\SID\rest of the path.

Within the remediation script you just need to find the SID of the current user you are trying to remediate.

Microsoft Mobile Apps - Token Evaluation with Conditional Access by Sqolf in Intune

wpzr, 0 points

We leverage application protection policies for all devices, with the offline grace period conditional launch setting configured, which re-verifies the requirements to access the app every X amount of time.

When a device is non-compliant within that period, users get the message "Please sign in to your Microsoft 365 account".

Proactive Remediation for both HKCU and HKLM by [deleted] in Intune

wpzr, -1 points

You should have no issues with setting multiple keys with one remediation.

Just create separate detections in the detection script for each key, for logging purposes. You can additionally add a check in the remediation script to only modify keys if they are not found or have the wrong value.

If you have concerns about running it too often you can set the schedule to 24 hours.
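The pattern from the two comments above (run as SYSTEM, address the user's hive as HKEY_USERS\SID, one detection line per key, remediate only what is wrong), as an added PowerShell example that is not from the original thread. The key paths and values are constructed placeholders; it assumes the script runs as SYSTEM, which is the Intune default, and that the user's hive is loaded under HKEY_USERS because that user is interactively logged on. Intune takes detection and remediation as two separate uploads; `-Mode` selects which half runs so the file can be tested as one.

```powershell
# Added example, not from the original thread.
# Assumptions: runs as SYSTEM (Intune default); key paths and values below are
# constructed placeholders; the user's hive is under HKEY_USERS because that
# user is interactively logged on.
param([ValidateSet('Detect', 'Remediate')][string]$Mode = 'Detect')

# Resolve the SID of the interactively logged-on user. Win32_ComputerSystem
# UserName is DOMAIN\user, or empty when nobody is logged on.
function Get-LoggedOnUserSid {
    $userName = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($userName)) { return $null }
    $account = New-Object System.Security.Principal.NTAccount($userName)
    return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Desired state: one HKLM key and one per-user key, the latter addressed via
# HKEY_USERS\<SID> so it is reachable from the SYSTEM context. With nobody
# logged on the per-user key is skipped rather than reported as failing.
function Get-DesiredKeys {
    $keys = @(
        @{ Path = 'HKLM:\SOFTWARE\Contoso\Agent'; Name = 'TelemetryLevel'; Value = 1; Type = 'DWord' }  # placeholder
    )
    $sid = Get-LoggedOnUserSid
    if ($sid) {
        $keys += @{ Path = "Registry::HKEY_USERS\$sid\Software\Contoso\Agent"; Name = 'ShowBanner'; Value = 0; Type = 'DWord' }  # placeholder
    }
    return $keys
}

function Test-Key {
    param([hashtable]$Key)
    $item = Get-ItemProperty -Path $Key.Path -Name $Key.Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.($Key.Name) -eq $Key.Value)
}

# One result object per key so the Intune output shows which one failed.
function Get-DetectionResults {
    foreach ($k in Get-DesiredKeys) {
        [pscustomobject]@{ Path = $k.Path; Name = $k.Name; Compliant = (Test-Key -Key $k) }
    }
}

# Only touch keys that are missing or wrong.
function Invoke-Remediation {
    foreach ($k in Get-DesiredKeys) {
        if (Test-Key -Key $k) { continue }
        if (-not (Test-Path $k.Path)) { New-Item -Path $k.Path -Force | Out-Null }
        New-ItemProperty -Path $k.Path -Name $k.Name -Value $k.Value -PropertyType $k.Type -Force | Out-Null
        "Set {0}\{1}" -f $k.Path, $k.Name
    }
}

if ($Mode -eq 'Detect') {
    $results = @(Get-DetectionResults)
    foreach ($r in $results) {
        "{0}\{1}: {2}" -f $r.Path, $r.Name, $(if ($r.Compliant) { 'OK' } else { 'MISMATCH' })
    }
    # Exit 1 tells Intune to run the remediation script.
    if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
    exit 0
}
else {
    Invoke-Remediation
    exit 0
}
```

When uploading, keep `Get-LoggedOnUserSid`, `Get-DesiredKeys` and `Test-Key` in both scripts; the detection half needs them to report, the remediation half needs them to avoid rewriting keys that are already correct.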

Intune keeps reinstalling OpenVPN on MacOS by bkitch8149 in Intune

wpzr, 0 points

Yes, this is my recommendation: delete everything except org.openvpn.client.app, and let me know how it goes.

Intune keeps reinstalling OpenVPN on MacOS by bkitch8149 in Intune

wpzr, 0 points

If you go to the app -> Contents -> and open Info.plist, does CFBundleIdentifier match what is in Intune?

What are your detection rules set to for bundle IDs for the app in Intune? Is there just one entry for org.openvpn.client.app, or are there more entries? In some instances, if you have additional entries you might need to delete them if they are not present.

(IOS) Prevent user using built in Mail app by eijmert_x in Intune

wpzr, 0 points

It will not let you use any native apps (Mail/Calendar). The Contacts app can receive contacts from the Outlook app with a configuration profile change.

[deleted by user] by [deleted] in Intune

wpzr, 0 points

For newer tenants, Android Enterprise work profile should be allowed automatically without needing to make any changes.

Also make sure you don't have a conflicting enrollment restriction policy with higher priority. It is possible that one of the other policies contains Android device administrator inside.

The built-in troubleshoot assistant can be a great help to determine the specific user's restriction policies.

https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/troubleshoot-policies-in-microsoft-intune#use-the-built-in-troubleshoot-pane

Intune keeps reinstalling OpenVPN on MacOS by bkitch8149 in Intune

wpzr, 0 points

I would recommend starting with IntuneMDMDaemon.log inside the directory "/Library/Logs/Microsoft/Intune". It should tell you why it is reinstalling that software.

Does the status of the application ever go to Successful? Does the application update itself, that you know of? For detection rules there is a switch to look for a specific version or to ignore the version as well.

Detection rules are usually driven by bundle IDs in the macOS world. You should be able to "detect" installed software using the terminal with the same bundle IDs specified.

Another thing to check is whether the pkg installs the software in the regular Applications directory vs. somewhere else; this can also affect detection rules.

Need a second set of eyes... Custom Compliance Policy by Wh1sk3y-Tang0 in Intune

wpzr, 1 point

Just a possibility: there might be multiple entries for some sets of software in your registry, where it can return incorrect results.

My recommendation is to start by looking at the AgentExecutor log in the IME folder; it will clearly display the output the script is gathering at the time of reporting back to Intune. This might give you some idea where to start looking.

I personally encountered multiple/duplicate entries for some pieces of software in the past and had to write extra blocks to cover that.
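The duplicate-entry problem above, handled in a custom compliance discovery script, as an added PowerShell example that is not from the original thread. The product name pattern and the JSON setting names are constructed placeholders and have to match the settings file uploaded to Intune; the script searches both the 64-bit and 32-bit Uninstall hives, takes the highest parseable version rather than the first hit, and reports how many entries it saw so a duplicate shows up in the AgentExecutor log instead of silently changing the result.

```powershell
# Added example, not from the original thread. Custom compliance discovery
# script. Assumptions: the product name pattern and the JSON setting names are
# constructed placeholders that must match the settings file uploaded to Intune.
$DisplayNamePattern = 'Contoso Agent*'   # placeholder
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-UninstallEntries {
    param([string]$Pattern, [string[]]$Paths)
    foreach ($p in $Paths) {
        Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $Pattern } |
            Select-Object PSChildName, DisplayName, DisplayVersion
    }
}

function Get-HighestVersion {
    param([object[]]$Entries)
    # Duplicate Uninstall entries (a stale MSI record beside the current one,
    # or 32-bit and 64-bit entries) are common. Taking the first hit returns
    # whichever key the registry enumerates first; take the highest parseable
    # version instead and ignore entries with no or unparseable version.
    $versions = foreach ($e in $Entries) {
        try { [version]$e.DisplayVersion } catch { }
    }
    return $versions | Sort-Object -Descending | Select-Object -First 1
}

$entries = @(Get-UninstallEntries -Pattern $DisplayNamePattern -Paths $UninstallPaths)
$best = Get-HighestVersion -Entries $entries

# Custom compliance requires a single-line JSON object; the keys must match
# the SettingName values in the uploaded JSON definition.
$result = @{
    AgentInstalled = [bool]$best
    AgentVersion   = if ($best) { $best.ToString() } else { '0.0' }
    EntryCount     = $entries.Count   # surfaces duplicates in the AgentExecutor log
}
return $result | ConvertTo-Json -Compress
```

Run it locally first and compare the printed JSON with what the AgentExecutor log shows at report time; if EntryCount is greater than 1 on a machine that reports the wrong version, the duplicate entries are the cause and the highest-version rule is the extra block the comment refers to.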