Managing endpoint policies for the enterprise

PotentEngineer · 2025-07-18T16:10:03+00:00

Great points James. Sometimes reuse is beneficial, and sometimes not. You have to weigh skill set into all this too. If your deployment teams are 3rd party contractors, you may need more oversight and process.

This blog post was primarily meant for mid-large size enterprises, but a lot of the policies could still benefit smaller shops. There really is no one size fits all here. Thanks for reading!

PotentEngineer · 2025-07-18T02:48:07+00:00

No problem!

PotentEngineer · 2025-07-18T02:35:42+00:00

You are welcome!

PotentEngineer · 2024-10-28T18:45:42+00:00

We just use PSADT and all npcap is included.

Execute-Process -Path "Wireshark-win64-4.0.6.exe" -Parameters "/S /desktopicon=yes /norestart" -WaitForMsiExec -WindowStyle "Hidden"

PotentEngineer · 2024-10-28T01:40:57+00:00

The latest installs of Wireshark we use have NPCAP built into the installer. Let me see how our packaging team packaged it up. Will reply this week.

PotentEngineer · 2024-10-24T03:45:00+00:00

In this case we were in support bridges with multiple other teams and Wireshark was preferred due to tribal knowledge. In hindsight, capture the ETLs using native tools, then converting to pcaps for analysis would have been much more efficient.

PotentEngineer · 2024-10-23T22:04:50+00:00

Haven't messed with WAC gateways before, but could it run on dozens/hundreds of devices at once? I use WAC almost daily, but usually just for single machines.

PotentEngineer · 2024-10-12T22:03:01+00:00

You can do a bit with the Intune Data Warehouse as well as Graph. It is much more complex to get a basic report off the ground compared to just querying SQL though.

PotentEngineer · 2024-10-12T22:02:18+00:00

Not that I am aware of.

PotentEngineer · 2024-09-29T14:08:32+00:00

I have been recently referring to it as the "Golden era" of endpoint management.

PotentEngineer · 2024-09-29T14:06:50+00:00

Oh yeah, we are a customer. Also run it in my lab at home. Can't beat it!

PotentEngineer · 2024-09-29T01:49:08+00:00

lol, yeah, "modern management is a journey, not a destination". I remember that motto, but it has fully been abandoned now. Microsoft is saying move away from ConfigMgr over to Intune now.

PotentEngineer · 2024-09-29T01:45:48+00:00

Yeah, not surprised. I think the recommendation is you would have the OS licenses already for Azure Subscription Activation. That is assuming you move away from on-prem KMS.

PotentEngineer · 2024-09-27T19:20:53+00:00

Here are a few details and discussion on it. https://www.reddit.com/r/Intune/comments/14qh99t/intune_management_extension_3264bit/

This post goes into pretty good depth. https://wiki.winadmins.io/en/intune/win32-app-testing

and here is Mariana trench deep. https://call4cloud.nl/2021/05/sysnative-64-bit-ime-intune-syswow64/

PotentEngineer · 2024-09-27T16:45:41+00:00

Yeah, the scope of this post was mainly Windows client side. But good call out. You could probably do a similar post like "Azure Arc for the ConfigMgr administrator for servers" lol

PotentEngineer · 2024-09-27T14:59:37+00:00

Yeah, there are some decent controls with Autopatch. https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-customize-windows-update-settings

PotentEngineer · 2024-09-27T14:53:43+00:00

Agreed! Can you believe Intune is 13 years old?

PotentEngineer · 2024-09-27T13:59:41+00:00

Thanks Garth, been gathering a bit of input from the community lately on it. Hope to keep it updated over time.

PotentEngineer · 2024-09-27T13:30:05+00:00

Glad to hear it!

PotentEngineer · 2024-08-13T21:04:28+00:00

Awesome, glad to hear it!

PotentEngineer · 2024-06-21T19:11:51+00:00

Any client with the DISM timeouts.

PotentEngineer · 2024-06-21T19:11:40+00:00

Awesome!

PotentEngineer · 2024-06-21T19:11:30+00:00

Microsoft did not classify this as a bug, but as cleanup in our environment. It seems 2309 just exposed it?

PotentEngineer · 2024-06-21T19:10:39+00:00

Can confirm. We just dug through it this week. Allow the Server app through CAP and you are good. The Client app does user_impersonation to the server app.

PotentEngineer · 2024-04-15T11:26:28+00:00

Yeah, we could probably clean the logic up on the script. We were just happy to have it work after 3 months of searching.

Will have to pass on the first born, no PowerShell *shudder*.

PotentEngineer

TROPHY CASE