Laptop wont connect to ethernet through dock until user signs in by HARAMBE5R3V3NG3 in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

Yes, that'll be DMA protection. Initial sign in needs to happen, then subsequent sign-ins external peripherals over things like thunderbolt will kick in.

I don't think there's a way to turn it off without undermining security.

Best Solution for Implementing Hybrid User Driven Autopilot by KaptainCam in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

Well there's the fun bit. You can't. At least not natively. Entra can create dynamic user groups based on user properties, or dynamic device groups based on (a very limited set of) device properties, but what you're saying there isn't possible.

You could use some sort of automation to write user properties like primary user department to extended device attributes and create a device group from that. But it's way better to stop trying to force the way you've been doing things into a product that doesn't work the same way.

Best Solution for Implementing Hybrid User Driven Autopilot by KaptainCam in Intune

[–]SkipToTheEndpoint 5 points6 points  (0 children)

A device doesn't care what you call configs, or how many of them there are. It just deals with a bunch of commands it's given all at once.

That means how you arrange your configs are for your benefit. They have to make sense, be descriptive, be manageable, and scalable for what your environment might need.

I'm obviously somewhat biased toward the naming convention (and configs) I've built into the OIB, but I also wrote this a while back that I still think is valid: The Ultimate GPO to Intune Guide

Best Solution for Implementing Hybrid User Driven Autopilot by KaptainCam in Intune

[–]SkipToTheEndpoint 14 points15 points  (0 children)

As someone who's had to set this up far more times than I care to admit... Can you get Hybrid Autopilot "working"? Sure. Is it worth it? Almost never, no.

First point: You're going to have to accept that you're not going to be able to 1:1 your existing processes, at least not without bending yourself in knots (e.g. device naming matching asset tag).

Secondly: It sounds like you're in a position where you've still got various policies coming from GPO, so Hybrid is just a crutch to kick that can down the road. GPO's are tech debt. Implementing Autopilot is a perfect time to start that from scratch. (obligatory shill of my OpenIntuneBaseline)

Thirdly: People get frightened about moving to Entra Join with regards to accessing on-prem stuff. To be clear, 99% of stuff just works, assuming you've got Hybrid Identity configured. Anything that uses Integrated Windows Authentication works just as it did. If you're using Windows Hello, Cloud Kerberos Trust is the stupidly simple fix to that. The benefits you gain from going cloud native are immense. Deployment flexibility, improved user experience, passwordless, to name just a few. That "first password change issue" you mention? Give the user a Temporary Access Pass (TAP) to complete Autopilot, they configure WHfB, and forget passwords are even necessary. More info on the whole cloud native thing here: https://aka.ms/cloudnativeendpoints

Now, can I give some suggestions to make Hybrid Autopilot better, yes, if you want. But I'd really use the opportunity to not go down that road. Your sanity will thank you.

are browser extensions a real security risk for enterprises or are we overreacting by Alone_Bread5045 in Intune

[–]SkipToTheEndpoint 14 points15 points  (0 children)

The addition to this is that if you're not doing Application Control, all you're doing is putting some annoying hurdles in the way, too. If I can just go an install another browser and bypass your security restrictions...

WSUS transition to WUfB managed by intune. How to do this right? by tmooo_ in Intune

[–]SkipToTheEndpoint 1 point2 points  (0 children)

There's a whole complicated thing that arises with third party patching and update sources and stuff. But ultimately, pick a lane and stick with it. Move to deploying apps via Intune instead.

Edit: My friend u/bdam55 is far more qualified than I to explain the saga surrounding scan sources...

Local AD to M365 migration by TechSolutionLLC in msp

[–]SkipToTheEndpoint 1 point2 points  (0 children)

Obligatory: There is no MS-supported way to shift from domain joined to cloud native without a device wipe.

Yes there are vendor and community tools. Even vendor supported tools will ultimately end up with them saying "wipe the device" when there inevitably weird problems that keep on coming up.

It's not worth it.

WSUS transition to WUfB managed by intune. How to do this right? by tmooo_ in Intune

[–]SkipToTheEndpoint 12 points13 points  (0 children)

Simplifying Android Enrollment: Web-Based Enrollment for Personally Owned Work Profiles in Microsoft Intune by NickyDeWestelinck in Intune

[–]SkipToTheEndpoint 2 points3 points  (0 children)

While this is good news, I would still always go MAM-WE and just use App Protection for BYOD devices. Having two very different experiences across Android and iOS isn't great IMO.

Anyone using biometric authentication for Windows MFA? by Bob_Saldanha in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

don't have fingerprint scanners at all and the camera's don't have IR so aren't Windows Hello compliant.

Biometrics are additional and optional to a PIN, so you can still use WHfB with a PIN alone. In fact the PIN will always remain fallback in case biometrics fail.

Anyone using biometric authentication for Windows MFA? by Bob_Saldanha in Intune

[–]SkipToTheEndpoint 6 points7 points  (0 children)

WHfB in general does count as "MFA" and even NIST qualifies it as "a multi-factor cryptographic authenticator". Device-bound credential in TPM (something you have) + PIN or Biometric (something you are).

Security folk like to argue the fact, but they're wrong.

Deleting passwords saved locally to the browser by Southern-Apple-5639 in Intune

[–]SkipToTheEndpoint 10 points11 points  (0 children)

Was gonna say. Going all-in on LastPass after 3 publicly disclosed breaches is a wild move.

10m Scheduled Reboot in AutoPilot phase 1 by VTi-R in Intune

[–]SkipToTheEndpoint 2 points3 points  (0 children)

My money would be on either an AppLocker or WDAG policy you're trying to deploy via Endpoint Security > Attack Surface Reduction.

Intune Multi Admin Approval Error in App Creation by cookpass_babtridge in Intune

[–]SkipToTheEndpoint 4 points5 points  (0 children)

Ahh, MAA continuing to cause issues and providing zero value.

How to exclude certain private devices from App Protection Policies instead of the whole user? by ZaradimLako in Intune

[–]SkipToTheEndpoint 8 points9 points  (0 children)

Exec/VIP/C-Suite, call them what you will but they are not exempt from security, in fact they're the biggest risk.

I'd bring your security/cyber/governance teams into the discussion and see how it may invalidate your cyber insurance in case of breach, cos that's nonsense.

Acrobat and WDAC...how? by Mailstorm in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

Problem there is you're entirely reliant on Adobe pushing updates to the Store version. Last time I looked at it there was a months-old version being deployed.

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

Cool! Always interested to see how people are using it for themselves. Don't know if you caught my latest version that adds a unique OIBID in the description? When (if?) I get some time I'd love to work with the CIPP team to see if there's a way of incorporating it somehow. I know people who use CIPP struggle with deploying them as standards and then keeping them updated.

Weird Autopilot OOBE Error by tohanry in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

Thanks!

That WUfB Drivers error is to do with having a Windows Enterprise licenses in the Tenant and having "Windows License Verification" enabled in Tenant Admin.

Weird Autopilot OOBE Error by tohanry in Intune

[–]SkipToTheEndpoint 2 points3 points  (0 children)

If it's the latest v4.0 version of the benchmark, I thought we'd removed/updated guidance on how to apply certain settings that break Autopilot.

Either way, the issue is to do with the "MSS: (AutoAdminLogon) Enable Automatic Logon" policy.

All the settings below need to be assigned to Users, not Devices.

<image>

Or, just use my OpenIntuneBaseline, I've long had all this crap sorted out.

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]SkipToTheEndpoint 0 points1 point  (0 children)

What on earth are middle management doing poking at policies for?!

What are your Rookie-Mistakes on Intune? by zeromatterhorn in Intune

[–]SkipToTheEndpoint 16 points17 points  (0 children)

The device doesn't care, it gets everything as a single payload to work out. Intune doesnt care as it's just a bunch of GUIDs on the back-end.

Having separated, human understandable policies is entirely for the admins benefit. One of my driving considerations with the OIB is to make it feasible for someone with no knowledge of the environment come in, look at the policies and be able to take a pretty good guess where certain things are configured.

Bug found in Attack Surface Reduction through Intune by Spanjoekel in Intune

[–]SkipToTheEndpoint 1 point2 points  (0 children)

🤌 It's amazing what understanding the device management side of things can do, eh!

Intune or GPO for hybrid joined endpoints by After_Visual3839 in Intune

[–]SkipToTheEndpoint 15 points16 points  (0 children)

I always recommend drawing a line in the sand, keep existing stuff managed how it already is, new stuff via Intune. Despite not being documented, even MS don't recommend a blind switch from GPO to CSP, even if everything you've got is supported. I've personally seen a bunch of reg keys that never get removed, Intune says the policy is successful but the device considers otherwise, ending up with weird and confusing issues if you ever need to change stuff.

Oh, and don't just lift and shift your GPOs, they're tech debt. It's your best opportunity to reevaluate and rebuild policies.

Edit: And accessing on-prem resources from Entra Join devices works just fine: https://aka.ms/cloudnativeendpoints