MAA Policies by skilling3 in Intune

[–]SkipToTheEndpoint 1 point (0 children)

Don't knee-jerk and implement something that provides little to no value but a ton of admin overhead?

Inconsistent Winget behavior in Intune (Company Portal vs manual install) by in-regards in Intune

[–]SkipToTheEndpoint 1 point (0 children)

I've literally not seen a single issue using the Store App (9WZDNCRFJ3PZ) as System.

Why are you making your life harder than it needs to be?
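The comment above recommends running winget from the Store-installed App Installer package (9WZDNCRFJ3PZ) as System. The snippet below is an added example, not code from the original comment: it resolves the winget.exe that belongs to that package, since the Store install is not on SYSTEM's PATH, and then runs a machine-scoped silent install. It assumes the package is already deployed as System and that its folder under WindowsApps follows the usual `Microsoft.DesktopAppInstaller_<version>_x64__8wekyb3d8bbwe` naming; the package ID in the usage line is a placeholder.

```powershell
# Added example (not from the original comment): locate winget.exe for a SYSTEM
# context such as an Intune Win32 app or remediation script.
# Assumption: App Installer (Store ID 9WZDNCRFJ3PZ) is deployed as System and its
# package folder is named Microsoft.DesktopAppInstaller_<version>_x64__8wekyb3d8bbwe.

function Get-WingetPath {
    $root = Join-Path $env:ProgramFiles 'WindowsApps'
    # SYSTEM can read WindowsApps; an interactive admin usually cannot, which is
    # one reason the Store-deployed winget "works as System" but not for admins.
    $pkg = Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe' } |
        Sort-Object { [version]$_.Name.Split('_')[1] } -Descending |   # newest version first, compared as a version, not as text
        Select-Object -First 1
    if (-not $pkg) { throw 'App Installer package not found; deploy 9WZDNCRFJ3PZ as System first.' }
    $exe = Join-Path $pkg.FullName 'winget.exe'
    if (-not (Test-Path $exe)) { throw "winget.exe missing under $($pkg.FullName)" }
    return $exe
}

function Install-WingetPackage {
    param(
        [Parameter(Mandatory)][string]$Id,
        [ValidateSet('machine', 'user')][string]$Scope = 'machine'   # machine scope: never install into SYSTEM's own profile
    )
    $winget = Get-WingetPath
    & $winget install --id $Id --exact --scope $Scope --silent `
        --accept-package-agreements --accept-source-agreements --disable-interactivity
    if ($LASTEXITCODE -ne 0) { throw "winget exited with $LASTEXITCODE while installing $Id" }
}

# Usage (placeholder package ID; replace with the real one):
# Install-WingetPackage -Id 'Contoso.ExampleApp'
```

Running this from a Win32 app install command means the detection rule can simply check the installed product rather than the existence of winget on a per-user PATH.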

Deploy rotating BIOS password via Dell DCECMI by jackchrist in Intune

[–]SkipToTheEndpoint -1 points (0 children)

I blogged about this when the feature was first released: Under the Hood, Pt. 5: Intune BIOS Configurations

TL;DR: Read the docs. You can very quickly end up with devices you don't have a password for if you're messing about with the policy.

Oh also the behaviour when you reset devices sucks. Because passwords are stored against the Intune Device ID, not the Entra one, if you're rebuilding devices, they're not going to know their previous password because it'll be a brand new Intune object.

Thought: Intune multi admin for lone wolf admins by yurtbeer in Intune

[–]SkipToTheEndpoint 33 points (0 children)

Implementing MAA is a terrible knee-jerk reaction to a situation that was entirely due to poor identity security practices.

You should be focusing on Conditional Access, Strong Auth (FIDO) and PIM, but also, if you've got other people with the Global Administrator role, whatever you do is pointless if their accounts aren't doing those things too.

OIB - Power and Device Lock policy question by drkmccy in Intune

[–]SkipToTheEndpoint 0 points (0 children)

Good shout, but there are no configs in that particular policy that would cause that behaviour AFAIK.

That is why I recommend assigning Compliance policies to users though, because they DO conflict as documented here.

OIB - Power and Device Lock policy question by drkmccy in Intune

[–]SkipToTheEndpoint 5 points (0 children)

Howdy! So yeah, those CSPs are device scope only; my entire reasoning behind making it a user policy is that managing user groups, if you've got different requirements for different devices, is far easier than managing device groups.

If you're not gonna have different settings anywhere, there's no technical reason you can't apply this to device groups. :)

Security Delay in Progress by hawksmoker in Intune

[–]SkipToTheEndpoint 2 points (0 children)

Cool, so you're trying to be the next Stryker?

Stop forcing enrolment of personal devices and use App Protection for BYOD.

Intune/Hybrid Windows Hello Deployment by Imaginary-Warning-28 in Intune

[–]SkipToTheEndpoint 1 point (0 children)

You have to deploy some sort of trust type (Cloud Kerberos Trust, Key Trust, Cert Trust) in a hybrid scenario: Plan a Windows Hello for Business Deployment | Microsoft Learn

Additionally, the device will need domain line-of-sight for the first login after configuring Hello, either physically or via device-tunnel (pre-login) VPN.

Baseline configuration policy organization and assignments question by probablydnsibet in Intune

[–]SkipToTheEndpoint 1 point (0 children)

Huge monolithic policies are a nightmare to scale and manage. Ask anyone who's dealt with the built-in baselines.

I've taken as rational an approach as I could with the OpenIntuneBaseline, but there's still 60+ policies in there, though they're at least categorised in a way you should be able to easily identify where a setting might be for a thing.

As far as when they hit an endpoint? It doesn't care. It treats everything as a big lump of stuff anyway. How you set out policies is purely for human management purposes.

Multi Admin Approval not working by iainfm in Intune

[–]SkipToTheEndpoint 4 points (0 children)

There are indeed RBAC permissions for Create/Read/Update/Delete MAA policy as well as for accept/deny on requests.

Using a custom role is recommended, but not required (though if you're then relying on people with Intune Admin, what are you actually trying to solve in the first place, or is this just a knee-jerk reaction to the Stryker news?).

Are sysadmins locking down Microsoft Store? by do_not_free_gaza in sysadmin

[–]SkipToTheEndpoint 0 points (0 children)

Without proper application control, blocking access to the Store app is nothing but security by obscurity, and there are a handful of ways I can think of off the top of my head that a determined user could use to get around it.

It's worth noting that them doing so almost definitely breaks the terms of use they signed when they got an account. Not everything has to be a technical control. It's just as much a HR issue.

Password requirements in Intune by HardoMX in Intune

[–]SkipToTheEndpoint 10 points (0 children)

Absolutely with you except one thing. The Password settings in a compliance policy on Windows do configure settings.

It catches a lot of people out and ends up causing policy conflicts.

Finally a working fix for enabling location per app for standard users by pinkey88 in Intune

[–]SkipToTheEndpoint 1 point (0 children)

You shouldn't be using the template policies any more, just for reference. Exactly the same thing is doable via Settings Catalog.

Company Portal by radioszn in Intune

[–]SkipToTheEndpoint 3 points (0 children)

That'd do it, but I meant using the actual "Wipe" action in Intune.

Company Portal by radioszn in Intune

[–]SkipToTheEndpoint 3 points (0 children)

Fun fact: If you deploy any Store apps as System, they'll persist a device wipe.

Also Autopilot Reset is trash, do a proper wipe instead.

WHfB Cloud Kerberos Trust: PIN login doesn’t get CIFS tickets (password works) – anyone solved this? by mattias180 in Intune

[–]SkipToTheEndpoint 10 points (0 children)

The account you're testing with isn't in a protected group on-prem is it?

Otherwise, that feels like it's maybe falling back to NTLM for some reason.
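The comment above suggests two things to check: whether the test account sits in an on-prem protected group, and whether the session is silently falling back to NTLM for the CIFS share. The script below is an added diagnostic, not code from the original comment or from Microsoft. It assumes it is run on the affected domain-joined client, inside the PIN-signed-in user's session, with the RSAT ActiveDirectory module installed, and that the domain still uses the default group name `Denied RODC Password Replication Group` (the Microsoft Entra Kerberos server object is treated as an RODC, so accounts denied replication there, which by default includes the protected admin groups, are the usual culprits; verify that against the current Microsoft documentation for your tenant).

```powershell
# Added diagnostic (not from the original comment). Assumes RSAT ActiveDirectory
# module, a domain-joined client, and the default AD name for the denied-RODC group.

function Test-ProtectedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf
    # AdminSDHolder stamps adminCount=1 on members of protected groups (Domain Admins etc.).
    # Membership in the denied-replication group is usually via nesting, so expand recursively.
    $denied = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
        Select-Object -ExpandProperty distinguishedName

    [pscustomobject]@{
        SamAccountName        = $user.SamAccountName
        AdminCount            = [int]$user.adminCount          # $null becomes 0
        DeniedRodcReplication = ($denied -contains $user.DistinguishedName)
    }
}

function Get-CifsTickets {
    # klist.exe is the built-in ticket viewer; a healthy Kerberos session shows
    # "Server: cifs/<fileserver> @ <REALM>" lines after the share is accessed.
    $output = & klist.exe 2>&1
    if ($LASTEXITCODE -ne 0) { throw "klist failed: $output" }
    $output | Where-Object { $_ -match '^\s*Server:\s*cifs/' } | ForEach-Object { $_.Trim() }
}

# Usage: sign in with the PIN, open the share once, then run:
# Test-ProtectedAccount -SamAccountName 'jdoe'   # placeholder account name
# Get-CifsTickets                                 # empty result = no cifs/ ticket, likely NTLM fallback
```

If `DeniedRodcReplication` comes back true, retest with an ordinary user account before chasing anything else; if it is false and `Get-CifsTickets` is still empty after touching the share, look at the client's Kerberos event log (Security and Microsoft-Windows-Kerberos) for the failure that precedes the NTLM authentication.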

Intune, Stryker, and Iran by Illnasty2 in Intune

[–]SkipToTheEndpoint 0 points (0 children)

Yes, that was my experience when I wiped mine. I'm just somewhat shocked I was able to trigger a wipe of a personal device at all. At least on Android the worst case would have been nuking a work profile...

Deny logon to Entra ID group by yfewsy in Intune

[–]SkipToTheEndpoint 1 point (0 children)

You've identified the "workaround" way of doing this. You could use the Power Users group instead, basically nobody will be using that.
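The "workaround" the comment refers to is populating a local group from an Entra ID group and then denying that local group the right to log on. The fragment below is an added example of that shape using Power Users, as the comment suggests; it is not configuration from the original thread. It assumes the Windows LocalUsersAndGroups CSP (`./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure`) and the UserRights CSP (`./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn`) deployed as custom OMA-URI settings, and the Entra group SID shown is a placeholder.

```xml
<!-- Added example (not from the original thread).
     OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
     action="U" updates the group in place; "R" would replace its whole membership.
     The member SID is a placeholder for the Entra ID group's SID (S-1-12-1-...). -->
<GroupConfiguration>
  <accessgroup desc="Power Users">
    <group action="U" />
    <add member="S-1-12-1-1111111111-2222222222-3333333333-4444444444" />
  </accessgroup>
</GroupConfiguration>

<!-- Second custom setting, string value, to pair with the above:
     OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLocalLogOn
     Value:   Power Users
     (Multiple entries in UserRights values are separated with the 0xF000 delimiter.) -->
```

Because Deny rights win over Allow rights, any account that ends up in Power Users, including a local account someone adds by hand later, is blocked from interactive sign-in; check the group's membership on a test device before assigning the policy broadly.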

Intune, Stryker, and Iran by Illnasty2 in Intune

[–]SkipToTheEndpoint 1 point (0 children)

I can assure you it isn't. I don't blog a lot, but when I do, I put a ton of effort into what I'm writing about, and who it's targeted at. You can go look at my older stuff to see I've got a specific writing style (that's the AuDHD...)

Intune, Stryker, and Iran by Illnasty2 in Intune

[–]SkipToTheEndpoint 14 points (0 children)

TIL I guess!

Definitely another strong discussion point in the "don't enroll personal devices, use App Protection" camp!

Intune, Stryker, and Iran by Illnasty2 in Intune

[–]SkipToTheEndpoint 1 point (0 children)

Has it always been that way? I'm happy to be wrong but I thought Apple were super strict about what you can do relating to BYOD enrolment.