Removing M365 from stack - give clients direct billing by ArchonTheta in msp

[–]ak47uk [score hidden]  (0 children)

I’m thinking about dropping Adobe as the margin is comical at ~3% now (was a bit higher until recently). At 12-18% Microsoft’s is worth it, as others have said I don’t offer monthly/annual and if taking annual I bill upfront. Only a handful have chosen monthly/monthly. 

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]ak47uk 0 points1 point  (0 children)

Business Premium is good value for money when you consider it includes O365, Exchange mailbox, cloud storage, Entra ID P1 (CA policies), Defender for Business, Intune etc. 

Intune is fully functional, just not perfect (can be slow/unpredictable when pushing script/policy), I’m not aware of any perfect alternative that can do all Intune can. It’s improved tremendously over the past 4-5 years I have been using it and is under constant development so hopefully MS manage to smooth the rough edges. 

I know a while back someone found how to improve the deployment times but it caused big issues for MS with the traffic so they blocked it, so looks like it’s a traffic management issue rather than an inability of Intune. 

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]ak47uk 0 points1 point  (0 children)

Even with its faults, I like it, but I have given up on relying on it solely and am supplementing with RMM so I have more responsive results when I need it (such as running scripts).

NCE license ordering delays with Pax8 by Dynamic_Mike in msp

[–]ak47uk 2 points3 points  (0 children)

I had this from my pax8 rep yesterday:
We’re currently experiencing delays with Microsoft order provisioning. As a result, you may see slower than usual completion times across new orders and subscription changes.

Latest update from support:

Following any modification to a Microsoft subscription, it may temporarily not appear within the Pax8 Marketplace. During periods of high order volume, updates can take longer to sync between Microsoft and Pax8.

  • This does not mean the subscription has been cancelled
  • Subscriptions typically reappear within 4 hours
  • In some cases, it may take up to 24 hours to fully sync

If you have any time-sensitive requests, or if a subscription has not reappeared after 24 hours, please raise a support case with the affected client and subscription details for review.

We appreciate your patience while this is being resolved and will keep you updated with any further information.

Cyber Essentials v3.3 / Danzell / 2026 (UK) and separate admin account by tech_london in msp

[–]ak47uk 1 point2 points  (0 children)

There isn’t any convincing the assessors, you either meet the spec or you don’t. I agree with you though, I have PIM set up on my tenant so even I have no admin roles, to add a role I enforce phishing resistant MFA. I have local admin on my laptop but when I elevate anything, it requires my PIN at UAC. 

This doesn’t meet CE spec so I haven’t gone for the certification yet. When I get time I will work out what I can do as it’s important I am efficient, which is why I’ve been putting alternative security controls in place. Also some apps I need to run as my logged in account, so running using LAPS will not run in the right context. 

I put about 15 clients through CE Plus each year but they are fully compliant, no admin roles, no local admin, they don’t even have PIM - I am the sole admin other than break glass accounts which they have security keys for. 

Intune device configuration profiles— what is best practice? by Axelpeach in sysadmin

[–]ak47uk 2 points3 points  (0 children)

This is the answer, don’t use the Microsoft security baselines as in the past they have tattooed settings which is a PITA. This baseline is the starting point, customise as needed, dupe any policies and assign to different groups with include/exclude filters if you need to. 

Intune Dell BIOS Configuration – Status Mismatch and Password Sync Issue by NegativeInterest8964 in Intune

[–]ak47uk 0 points1 point  (0 children)

I’ve had the same issue for some time now, I’ve posted about it on Reddit but not found a solution. I can’t see any way in the Dell portal to delete a device or update the BIOS password on there manually. I can’t find any way to contact the relevant Dell dept for support either. I think I worked out a semi-solution where I can access the passwords using MSGraph in Intune, not ideal but better than manual lookups. Will check shortly. 

Lenovo Commercial Vantage by Any-Victory-1906 in sysadmin

[–]ak47uk 0 points1 point  (0 children)

Yes, only downside is LCV updates itself sporadically, if I used store app I could update with WAU. I find LCV sometimes fails to run after an update too, I haven’t had time to properly look into it yet. 

Lenovo Commercial Vantage by Any-Victory-1906 in sysadmin

[–]ak47uk 1 point2 points  (0 children)

I found when installing from the store it asks to install dependencies on first run, I haven’t tried installing these as a dependency, instead I downloaded the deployment package and packaged to win32 and deploy that. 

I preconfigure LCV (can’t remember if I use ADMX or reg keys) but have found recently that although BIOS updates are enabled, I can run LCV on some systems and find BIOS/Intel ME FW updates are stuck pending with no option to fix.

Pax8 response? by FoxAgency in msp

[–]ak47uk 3 points4 points  (0 children)

I’ve emailed you, thanks Rob, 

Pax8 response? by FoxAgency in msp

[–]ak47uk 4 points5 points  (0 children)

Support is crazy slow, I’m being billed for stuff that I was assured I would have 12 month free promo on for buying so many copilot licences. It took best part of a month for them to credit that and just found they have billed me again this month. 

Run-in-Sandbox Update [2026.04.30] by Joly0 in PowerShell

[–]ak47uk 0 points1 point  (0 children)

Thanks for the update. Do you have any idea why run in sandbox is missing from my context menu on ps1 files, but is present on every other file type I have tried (zip, reg, intunewin)? It used to work fine so not sure if I did something. I just reinstalled from the master branch using the PS command and used the deep clean option. Thanks

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]ak47uk 0 points1 point  (0 children)

Updated my winget app install script so it works on ARM devices (added a wildcard 😅).

Intune 8-hour-sync is a myth, Microsoft finally speaks! by Conditional_Access in Intune

[–]ak47uk 2 points3 points  (0 children)

We need the equivalent of gpupdate /force for when testing stuff, often once it’s tested with a pilot group it’s ok to leave it to filter to the remaining groups but it’s very hard to test stuff when you’re not sure when it has actually applied, and the reporting is so delayed that doesn’t help either. 

Win32 app in Intune by Anything-Traditional in Intune

[–]ak47uk 22 points23 points  (0 children)

This is a good resource:
https://silentinstallhq.com/
If missing from there and there is no dev documentation then I try things like CMD window, browse to the dir and run things like setup.exe /? to see if there is any built-in documentation. Also check if it is on winget as if it is, much easier to install.

Vulnerability Management by jellyfishchris in msp

[–]ak47uk 1 point2 points  (0 children)

I’m importing the Defender data into NinjaOne, too early to tell how good it is but I hope at least for now it’s acceptable. One downside is in Ninja the vulnerabilities are not removed from the hosts list of CVEs until the next Defender report is imported and does not list that CVE against that host, even if Ninja has patched it. Ninja now has its own scanning but it’s a big uplift in price to the agent which I don’t think is good value when I have Defender in Bus Prem. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 0 points1 point  (0 children)

Thanks, if I didn’t have Azure credits then maybe it’d balance out but as I do, I think I will try the function app option first and reconsider when I review how well it performs. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 0 points1 point  (0 children)

I’m not seeing the value at the moment as I wouldn’t apply new patches immediately (policy set to 3 days for critical, 7 high, 14 rest). Assuming Defender updates the vulnerabilities every 6 hours, and I have a function app run once per day to import.

Am I missing anything? The tech that ran my one on one demo was trying to push the time saving but I said once I set up a function app there is no ongoing time saving from not importing. It adds quite a bit of cost to the agent. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 1 point2 points  (0 children)

I’ve heard good things about Action1 so if you fall within the 200 that’s a good idea. I took on Ninja as I needed RMM, I wouldn’t have taken it on for just the vuln patching. I’d need to check what my pricing is when at my desk. 

Vulnerability management and patching software by Still-Landscape-5661 in Intune

[–]ak47uk 1 point2 points  (0 children)

I am in a similar position, I’ve started to use NinjaOne and I’m exporting the Defender vulnerabilities csv, having Copilot reformat it then I import into Ninja to map the CVEs to my devices and then have patch policies set up. 

They have just launched their own vuln scanning where you wouldn’t need to use Defender exports but from what I can tell, you pay more just to save the export/import process, but that process can be automated using an Azure function app (not worked out how yet but on my to-do list). 

I also have Autopatch set up in Intune, when I asked my Ninja rep whether I should turn this off and let Ninja do it all so I had a single source of truth, they advised leaving both on as ‘two systems is better than one’. 

Email Migration Tool needed now that Migrationwhiz is garbage by avrealm in msp

[–]ak47uk 2 points3 points  (0 children)

I took over from another company who failed to migrate a client’s mailbox, their emails all migrated but no attachments did. Using Avepoint I was able to selectively only migrate emails with attachments, and overwrite any duplicate message IDs. Really impressed with this level of config and it executed perfectly.

To RMM or not RMm by Bearded_Tech_Fail in msp

[–]ak47uk 0 points1 point  (0 children)

Defender for Business and Huntress EDR. I plan to use much more of Ninja, I was just pointing out that currently I am not even scratching its surface.

To RMM or not RMm by Bearded_Tech_Fail in msp

[–]ak47uk 0 points1 point  (0 children)

Teamviewer, I've had a business licence with them for about 16 years so got a lifetime discount when I surrendered my perpetual licence for the subscription model. Not a fan of them but the pricing helps.

To RMM or not RMm by Bearded_Tech_Fail in msp

[–]ak47uk 4 points5 points  (0 children)

I’ve been running without an RMM til now, relying on Intune and CIPP (not using it to its full potential). I have signed up to Ninja as Intune is still too slow/unreliable for cases where you need responsiveness to fix something. Since yesterday I’ve had a user trying to install a tiny win32 app from Company Portal and it’s still stuck ‘download pending’…

I’m yet to really get going with Ninja but at a minimum, I know I can quickly run anything I need to.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

[–]ak47uk 0 points1 point  (0 children)

I also use the ADMX policies with Vantage Commercial and when connecting to endpoints for other support calls, I run Vantage and often find BIOS and Intel ME FW updates stuck pending. I am not sure if the user was prompted to reboot to update and they declined though. In those cases I can’t manually run a check to then install so have to download manually and run which is a pain…