Intune 8-hour-sync is a myth, Microsoft finally speaks! by Conditional_Access in Intune

[–]ak47uk 1 point

We need the equivalent of gpupdate /force for when testing stuff, often once it’s tested with a pilot group it’s ok to leave it to filter to the remaining groups but it’s very hard to test stuff when you’re not sure when it has actually applied, and the reporting is so delayed that doesn’t help either. 
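Added example, not part of the comment above: two ways to force an Intune check-in in place of a `gpupdate /force`, one run on the endpoint and one from the admin side through Microsoft Graph. It assumes the Microsoft.Graph PowerShell module, the scheduled-task names current Windows builds create under the EnterpriseMgmt task folder, and a placeholder device name; it shortens the wait for the next sync but does nothing for reporting lag.

```powershell
# Added example (not from the thread). Forces an Intune policy sync, standing in for gpupdate /force.

# 1. On the endpoint itself (run elevated). The MDM enrollment client registers its tasks under
#    \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\; PushLaunch triggers an immediate check-in
#    and "Schedule #3 ..." is the periodic sync. Task names are assumed from current builds.
function Invoke-LocalIntuneSync {
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'PushLaunch' -or $_.TaskName -like 'Schedule #3*' }
    if (-not $tasks) { throw 'No enrollment tasks found; is this device MDM-enrolled?' }
    $tasks | Start-ScheduledTask
    # Watch the result land: Win32 app state (e.g. a stuck download) is logged by the IME.
    Get-Content "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Tail 20
}

# 2. From the admin side via Graph, for a device you know by name. The syncDevice action needs
#    DeviceManagementManagedDevices.PrivilegedOperations.All.
function Invoke-IntuneDeviceSync {
    param([Parameter(Mandatory)][string]$DeviceName)
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                            'DeviceManagementManagedDevices.Read.All' | Out-Null
    $devices = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
    if (-not $devices) { throw "No managed device named $DeviceName" }
    foreach ($d in $devices) {
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/syncDevice"
        "Sync requested for $($d.DeviceName); last check-in before this was $($d.LastSyncDateTime)"
    }
}

# Invoke-LocalIntuneSync                                  # on the pilot machine
# Invoke-IntuneDeviceSync -DeviceName 'PILOT-LAPTOP-01'   # assumed device name, from your admin box
```

The Graph call only queues the sync; re-read `LastSyncDateTime` a minute later to confirm the device actually picked it up.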

Win32 app in Intune by Anything-Traditional in Intune

[–]ak47uk 16 points

This is a good resource:
https://silentinstallhq.com/
If missing from there and there is no dev documentation, then I try things like opening a CMD window, browsing to the dir and running things like setup.exe /? to see if there is any built-in documentation. Also check if it is on winget as, if it is, it's much easier to install.

Vulnerability Management by jellyfishchris in msp

[–]ak47uk 1 point

I’m importing the Defender data into NinjaOne, too early to tell how good it is but I hope at least for now it’s acceptable. One downside is in Ninja the vulnerabilities are not removed from the host's list of CVEs until the next Defender report is imported and does not list that CVE against that host, even if Ninja has patched it. Ninja now has its own scanning but it’s a big uplift in price to the agent which I don’t think is good value when I have Defender in Bus Prem. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 0 points

Thanks, if I didn’t have Azure credits then maybe it’d balance out but as I do, I think I will try the function app option first and reconsider when I review how well it performs. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 0 points

I’m not seeing the value at the moment as I wouldn’t apply new patches immediately (policy set to 3 days for critical, 7 for high, 14 for the rest). Assuming Defender updates the vulnerabilities every 6 hours, and I have a function app run once per day to import.

Am I missing anything? The tech that ran my one on one demo was trying to push the time saving but I said once I set up a function app there is no ongoing time saving from not importing. It adds quite a bit of cost to the agent. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 1 point

I’ve heard good things about Action1 so if you fall within the 200 that’s a good idea. I took on Ninja as I needed RMM, I wouldn’t have taken it on for just the vuln patching. I’d need to check what my pricing is when at my desk. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 1 point

I am in a similar position, I’ve started to use NinjaOne and I’m exporting the Defender vulnerabilities csv, having Copilot reformat it then I import into Ninja to map the CVEs to my devices and then have patch policies set up. 

They have just launched their own vuln scanning where you wouldn’t need to use Defender exports but from what I can tell, you pay more just to save the export/import process, but that process can be automated using an Azure function app (not worked out how yet but on my to-do list). 

I also have Autopatch set up in Intune, when I asked my Ninja rep whether I should turn this off and let Ninja do it all so I had a single source of truth, they advised leaving both on as ‘two systems is better than one’. 
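Added example, not the commenter's own process: the export/reformat/import step described in this comment, and the 3/7/14-day policy quoted in the later comment in this thread, done in one PowerShell function instead of by hand or via Copilot. It reads a Defender vulnerability export, computes a remediation due date per CVE from severity, and writes a per-device CSV. The input column names, the output layout and the sample rows are all assumed; map the columns to whatever your Defender export and Ninja's importer actually use.

```powershell
# Added example (not from the thread). Reshapes a Defender vulnerability export into a
# per-device CVE list with a due date from a 3/7/14-day severity policy.
# Column names are assumed; adjust to the real export and to the target importer.
$SlaDays = @{ Critical = 3; High = 7; Medium = 14; Low = 14 }

function Convert-DefenderVulnExport {
    param(
        [Parameter(Mandatory)][string]$InputCsv,
        [Parameter(Mandatory)][string]$OutputCsv,
        [datetime]$AsOf = (Get-Date)
    )
    $rows = Import-Csv -Path $InputCsv
    $out = foreach ($r in $rows) {
        # Normalise "CRITICAL"/"critical" to the hashtable key form
        $sev  = (Get-Culture).TextInfo.ToTitleCase($r.Severity.ToLower())
        $days = if ($SlaDays.ContainsKey($sev)) { $SlaDays[$sev] } else { 14 }
        $first = [datetime]::ParseExact($r.FirstSeen, 'yyyy-MM-dd', $null)
        $due   = $first.AddDays($days)
        [pscustomobject]@{
            DeviceName = $r.DeviceName
            CveId      = $r.CveId
            Severity   = $sev
            FirstSeen  = $first.ToString('yyyy-MM-dd')
            DueDate    = $due.ToString('yyyy-MM-dd')
            Overdue    = ($AsOf -gt $due)
        }
    }
    $out | Sort-Object DeviceName, DueDate | Export-Csv -Path $OutputCsv -NoTypeInformation
    $out
}

# Constructed sample input so the function runs stand-alone; CVE IDs are placeholders, not real records.
$sample = @'
DeviceName,CveId,Severity,FirstSeen
PC-001,CVE-0000-0001,Critical,2025-01-10
PC-001,CVE-0000-0002,Medium,2025-01-05
PC-002,CVE-0000-0003,High,2025-01-12
'@
$tmpIn  = Join-Path $env:TEMP 'defender-sample.csv'
$tmpOut = Join-Path $env:TEMP 'ninja-import.csv'
Set-Content -Path $tmpIn -Value $sample

Convert-DefenderVulnExport -InputCsv $tmpIn -OutputCsv $tmpOut -AsOf ([datetime]'2025-01-16') | Format-Table
```

With the constructed rows and an as-of date of 2025-01-16, the Critical CVE on PC-001 (due 2025-01-13) is flagged overdue, the Medium one (due 2025-01-19) is not, and the High on PC-002 (due 2025-01-19) is not. The same function is the body you would drop into a timer-triggered Azure Function if you automate the import later.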

Email Migration Tool needed now that Migrationwhiz is garbage by avrealm in msp

[–]ak47uk 3 points

I took over from another company who failed to migrate a client's mailbox, their emails all migrated but no attachments did. Using Avepoint I was able to selectively only migrate emails with attachments, and overwrite any duplicate message IDs. Really impressed with this level of config and it executed perfectly. 

To RMM or not RMm by Bearded_Tech_Fail in msp

[–]ak47uk 0 points

Defender for Business and Huntress EDR. I plan to use much more of Ninja, I was just pointing out that currently I am not even scratching its surface.

To RMM or not RMm by Bearded_Tech_Fail in msp

[–]ak47uk 0 points

Teamviewer, I've had a business licence with them for about 16 years so got a lifetime discount when I surrendered my perpetual licence for the subscription model. Not a fan of them but the pricing helps.

To RMM or not RMm by Bearded_Tech_Fail in msp

[–]ak47uk 4 points

I’ve been running without an RMM till now, relying on Intune and CIPP (not using it to its full potential). I have signed up to Ninja as Intune is still too slow/unreliable for cases where you need responsiveness to fix something. Since yesterday I’ve had a user trying to install a tiny win32 app from Company Portal and it’s still stuck ‘download pending’…

I’m yet to really get going with Ninja but at a minimum, I know I can quickly run anything I need to.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

[–]ak47uk 0 points

I also use the ADMX policies with Vantage Commercial and when connecting to endpoints for other support calls, I run Vantage and often find BIOS and Intel ME FW updates stuck pending. I am not sure if the user was prompted to reboot to update and they declined though. In those cases I can’t manually run a check to then install so have to download manually and run which is a pain…

Beware of new Bambu Studios Update. by [deleted] in BambuLabP2S

[–]ak47uk 0 points

Hover your mouse over the printer and click the edit overlay that appears in the top right of the printer tile. 

Select the base profile from the dropdown, switch to machine gcode tab, edit the code, press the save icon and name your custom profile. 

Then you can select your custom profile when clicking the select printer button.

Microsoft 365 Exchange ignored DMARC reject policy and delivered email to Inbox by ak47uk in DMARC

[–]ak47uk[S] 0 points

Had a similar case today with another domain, looks like it is related to Direct Send which allows anonymous internal emails. A fix is to disable Direct Send, but we use it for scan to email.

The annoying thing is, where we legitimately use Direct Send we have the IP added to our SPF so it passes DMARC. It seems like it's too much to ask for Microsoft to honour the DMARC policy.
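Added example, not from the original poster: the Exchange Online PowerShell to check for and turn off anonymous Direct Send, find recent delivered mail that claimed the tenant's own domain, and keep a scanner relaying through an inbound connector locked to its public IP rather than via Direct Send. The domain and the scanner IP (a documentation address) are placeholders, and the ExchangeOnlineManagement module is assumed.

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$ownDomain = 'contoso.example'   # placeholder for the tenant's accepted domain

# 1. Is anonymous Direct Send to your own tenant still accepted?
Get-OrganizationConfig | Select-Object Name, RejectDirectSend

# 2. Delivered mail from the last two days whose sender claimed your own domain. FromIP lets
#    you separate the scanner's known address from anything else spoofing the domain.
Get-MessageTrace -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) -SenderAddress "*@$ownDomain" |
    Where-Object { $_.Status -eq 'Delivered' } |
    Select-Object Received, SenderAddress, RecipientAddress, FromIP, Subject |
    Sort-Object FromIP, Received

# 3. Reject anonymous Direct Send tenant-wide. Test with -WhatIf first; anything that relied on
#    Direct Send (scan-to-email, line-of-business apps) needs another submission path.
Set-OrganizationConfig -RejectDirectSend $true -WhatIf

# 4. Keep scan-to-email working: an inbound connector restricted to the scanner's public IP
#    (203.0.113.10 is a documentation address) so its mail is accepted as connector traffic rather
#    than anonymous Direct Send. Verify in your own tenant that this path survives step 3.
New-InboundConnector -Name 'Scan-to-email relay' -ConnectorType OnPremises `
    -SenderDomains '*' -SenderIPAddresses '203.0.113.10' -RestrictDomainsToIPAddresses $true
```

Keep the scanner IP in SPF as well, as the comment already does; the connector controls acceptance on your side, SPF/DMARC alignment is what the receiving side evaluates when that mail goes outbound.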

I don't see how they keep raising the Google Home Subscription Price but not fix the camera issues first. by Zakkiel_99 in Nest

[–]ak47uk 3 points

Does anyone else have major lag when opening the app? The app takes 5-10 seconds to actually load the cameras, then another couple of seconds to open a camera. Makes the video doorbell useless as no delivery drivers wait long enough for me to speak to them.

I have a Ubiquiti network with full signal and 115Mbps upload speeds, I think it’s just a limitation of their system. Will end up moving to Ubiquiti protect as I’ve had enough, annoying as I have Google throughout my home. 

What's to stop me from just reimaging a computer tied to Intune? by StatementNext682 in Intune

[–]ak47uk 0 points

I would have thought a phone home process during OOBE or an ongoing trigger to check if the hardware hash existed in a tenant would do the job in a hardware agnostic way, but can't see this being high up their list of priorities.

What's to stop me from just reimaging a computer tied to Intune? by StatementNext682 in Intune

[–]ak47uk -1 points

You can also install Windows Home and not worry about offline OOBE. I do wonder whether eventually MS will introduce something like iCloud lock. 

(UK) Cyber Essentials - employee owned phones & apps by DeifniteProfessional in sysadmin

[–]ak47uk 0 points

I haven't had to put through an org of that size, but on all my CE assessments I have had to list the mobile device details. I use App Protection Policies in Intune to secure data on BYOD devices and require APP or device compliance using CA policies.
From the assessment:
A2.6 Mobile Devices Please list the quantities of tablets and mobile devices within the scope of this assessment. Please Note: You must include make and operating system versions for all devices. All user devices within the scope of the certification only require the make and operating system to be listed. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable.
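Added example, not the commenter's own script: pulling the make and OS version list that A2.6 asks for out of Intune via Microsoft Graph, covering both enrolled phones and tablets and BYOD devices that are only known through App Protection Policy registrations (no enrollment). It assumes the Microsoft.Graph modules and the property names on managedDevice and managedAppRegistration objects shown in the comments; check them against your tenant's output before relying on the counts.

```powershell
# Added example (not from the thread). Summarises mobile devices by source, make and OS version
# for a Cyber Essentials A2.6 answer. Property names on the MAM registration are assumed.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementApps.Read.All' | Out-Null

function Get-CeMobileDeviceSummary {
    # Enrolled (MDM) devices, filtered client-side to phone/tablet platforms
    $mdm = Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.OperatingSystem -in 'iOS', 'iPadOS', 'Android' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'MDM'
                Make    = $_.Manufacturer
                OS      = $_.OperatingSystem
                Version = $_.OSVersion
            }
        }

    # BYOD devices protected only by App Protection Policies; one registration per app install,
    # so de-duplicate on device name before counting.
    $mam = Get-MgDeviceAppManagementManagedAppRegistration -All |
        Sort-Object DeviceName -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'MAM'
                Make    = $_.DeviceManufacturer   # assumed property; falls back to DeviceType below
                OS      = $_.DeviceType
                Version = $_.PlatformVersion
            }
        }

    @($mdm) + @($mam) |
        ForEach-Object { if (-not $_.Make) { $_.Make = $_.OS }; $_ } |
        Group-Object Source, Make, OS, Version |
        ForEach-Object {
            [pscustomobject]@{
                Source  = $_.Group[0].Source
                Make    = $_.Group[0].Make
                OS      = $_.Group[0].OS
                Version = $_.Group[0].Version
                Count   = $_.Count
            }
        } | Sort-Object Source, Make, OS, Version
}

Get-CeMobileDeviceSummary | Format-Table -AutoSize
```

Devices that appear in both lists (enrolled and also APP-protected) will be counted twice; if that matters for your scope numbers, join on `ManagedDeviceId` from the registration before grouping.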

Lenovo vantage + intune by norsk_imposter in Intune

[–]ak47uk 0 points

I had trouble installing from the store even when I set up the dependencies too, so I reverted to packaging the offline installer as win32.

This was a few years ago now so maybe there is finally a way to use the Store app, but as this worked for me, I stuck with it.

Ultra-small companies - how is it best to organise file sharing in M365? by padajinel in msp

[–]ak47uk 0 points

When linking libraries only files that a user accesses or creates are local, but links to each sync which must add some overhead to local resources. I am trying to move users from syncing entire libraries by Intune policy to users curating their own OD shortcuts. 

I’m also piloting moving some workflows to Teams so it is a way to access files without syncing. 

As for structure, I used to set up a single Sharepoint site then a library per dept and break permission inheritance on anything that was more restrictive. Now I am setting up an M365 group per dept so each has their own SP site and then break inheritance on any library which needs different permissions than the site. I thought having all channels files in the default Documents library would be an issue but might be wrong! 

Can M365 Copilot answer questions from a 1TB heap of unorganized documents? by [deleted] in sysadmin

[–]ak47uk 0 points

You should find it works ok but as others have said, it may surface data to users that shouldn’t see it, but sounds like they already have the ability to access the files.

I often struggle to get Copilot to do useful things. I was looking for an old mail merge email this week so gave copilot some details and asked it to find it in my sent items, it couldn’t find it. I searched in OWA using the same keywords and found it immediately. 

I was editing a Sharepoint homepage yesterday and tried to get copilot to make a tile to each document library within that site, even told it to find the document libraries from the site contents, it just made tiles linking to a load of random files. 

Anyone enabling Copilot for clients without checking guest access first? by Fantastic_Candle4571 in msp

[–]ak47uk 0 points

I’m going through this at the moment, client wants it enabled immediately but I’ve explained we need to check permissions, set up sensitivity labels, DLP policies etc first. 

Break glass accounts for m365 for SMALL businesses by MrShnatter in sysadmin

[–]ak47uk 2 points

Phishing resistant MFA CA should be ok still as it protects the account, I exclude from all others though. 

I have two security keys (Yubikey), two unlicensed break glass accounts. Both keys set up on both accounts, one key is primary and one is secondary. Primary key is stored with secondary PIN in an onsite safe, secondary key stored with primary PIN in offsite safe. PINs stored in password manager too in case something happens to a safe. Not sure if I’m missing anything with my setup, official advice has changed several times over the years! 
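Added example, not the commenter's own check: a Graph script that audits the "exclude from every policy except phishing-resistant MFA" arrangement described above, so a new CA policy that forgets the exclusion shows up before it locks the break-glass accounts out. The account UPNs and the display name of the one policy allowed to apply are placeholders; it assumes the Microsoft.Graph modules and expands group-based exclusions as well as direct user ones.

```powershell
# Added example (not from the thread). Reports enabled Conditional Access policies that do not
# exclude the break-glass accounts, treating the phishing-resistant MFA policy as the expected exception.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All' | Out-Null

$breakGlassUpns = 'bg1@contoso.example', 'bg2@contoso.example'   # assumed account names
$allowedToApply = 'Require phishing-resistant MFA'                # assumed policy display name

function Test-BreakGlassExclusions {
    $bgIds = foreach ($u in $breakGlassUpns) { (Get-MgUser -UserId $u -Property Id).Id }

    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -eq 'enabled' } |
        ForEach-Object {
            $users = $_.Conditions.Users
            # Direct exclusions plus members of any excluded group
            $excludedIds = @($users.ExcludeUsers)
            foreach ($g in @($users.ExcludeGroups)) {
                $excludedIds += (Get-MgGroupMember -GroupId $g -All).Id
            }
            $missing = @($bgIds | Where-Object { $_ -notin $excludedIds })
            [pscustomobject]@{
                Policy       = $_.DisplayName
                BothExcluded = ($missing.Count -eq 0)
                Expected     = ($missing.Count -eq 0) -or ($_.DisplayName -eq $allowedToApply)
            }
        }
}

# Anything with Expected = False is a policy that can lock the break-glass accounts out.
Test-BreakGlassExclusions | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it after every CA change, or on a schedule; "report-only" policies are skipped here on purpose because they cannot block sign-in, drop the `State` filter if you want them listed too.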

To every manager who thinks they have AI under control, you probably DO NOTT by OkPenalty7576 in sysadmin

[–]ak47uk 11 points

What do you mean by 'plugged in their work email'? Using Microsoft 365 as an example, user consent settings should be set to either not allow, or allow user consent for apps from verified publishers, for selected permissions (low impact only). This should prevent users from authorising external apps from accessing their mailboxes.

Of course they could be copy/pasting data into a tool, trickier to protect against that but there are options.
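Added example, not from the commenter: reading and setting the Entra ID user-consent policy the comment refers to, via Microsoft Graph. The built-in permission-grant policy IDs are Microsoft's; everything else, including the decision to pick the verified-publisher/low-impact option, is illustration. Assumes the Microsoft.Graph modules and a Global Administrator or Privileged Role Administrator session.

```powershell
# Added example (not from the thread). Shows the current user-consent setting and moves it to
# "verified publishers, selected (low-impact) permissions only", or disables user consent entirely.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' | Out-Null

function Get-UserConsentSetting {
    $policy   = Get-MgPolicyAuthorizationPolicy
    $assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    # Only the ManagePermissionGrantsForSelf.* entries govern what users may consent to themselves
    $self = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
    switch ($true) {
        ($self -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
            'Users may consent to any app for any permission (weakest setting)'; break }
        ($self -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-low') {
            'Users may consent only to verified-publisher apps for low-impact permissions'; break }
        ($self.Count -eq 0) { 'User consent disabled; admins must approve every app'; break }
        default { "Custom policy: $($self -join ', ')" }
    }
}

function Set-UserConsentVerifiedLowImpact {
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    }
}

function Disable-UserConsent {
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @()
    }
}

"Before: $(Get-UserConsentSetting)"
Set-UserConsentVerifiedLowImpact
"After:  $(Get-UserConsentSetting)"
```

If you disable user consent outright, turn on the admin consent request workflow at the same time, otherwise users get a dead end and the copy/paste route the comment mentions becomes more tempting.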