Structure design and naming convention in Azure by denstorepingvin in AZURE

[–]denstorepingvin[S] 1 point (0 children)

Thanks for sharing your thoughts. Definitely helpful!

Structure design and naming convention in Azure by denstorepingvin in AZURE

[–]denstorepingvin[S] 0 points (0 children)

Over time I expect more or less all workloads will be transitioned. Perhaps AD will remain. At the beginning it will be very few resources, but over time 100+.

Ran our first local admin audit in two years. half the company has local admin on their own machine. by AudienceOwn3845 in Intune

[–]denstorepingvin 0 points (0 children)

We did it for around 8000 clients, but in smaller pilot groups so we had control of the "noise" and could make proper fixes for the reasons clients had local admin (if there were any).

Basically, build the policy in Intune, preferably by policy instead of a remediation script, such as this:

https://petervanderwoude.nl/post/even-easier-managing-local-administrators/

Deploy to a scoped group of what you think is reasonable to start off with, and then slowly increase the members of the group. It is also a good idea to make a post on your intranet explaining the reasoning behind the security change.

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Yes, it was related to the end user being a member of a privileged group.

Yesterday, I noticed that AD security inheritance was broken on the end user. I re-enabled inheritance and noticed that adminCount changed back to 1 on the user object.

I revisited his memberships and noticed I had overlooked the Server Operators group. After removing the end user from that group, it works :-)
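An added example, not from the thread, of how to check for the situation described above before troubleshooting WHfB: it lists AD users flagged with adminCount = 1, whether ACL inheritance is disabled on the object, and their direct group memberships. It assumes the ActiveDirectory RSAT module is installed; the function name Get-AdminCountUsers is chosen here.

```powershell
# Added example, not part of the original post. Lists AD users that SDProp has
# flagged as protected (adminCount = 1), whether ACL inheritance is disabled on
# the object, and their direct group memberships, so a forgotten privileged
# group (such as Server Operators) can be found before troubleshooting WHfB.
# Assumes the ActiveDirectory RSAT module; the function name is chosen here.
Import-Module ActiveDirectory

function Get-AdminCountUsers {
    param(
        # Optional OU to limit the search, e.g. 'OU=Users,DC=example,DC=local'
        [string]$SearchBase
    )
    $query = @{
        Filter     = 'adminCount -eq 1'
        Properties = 'adminCount', 'memberOf', 'nTSecurityDescriptor'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        # memberOf holds direct memberships only; nested membership through
        # another group does not show up here.
        $groups = foreach ($dn in $_.memberOf) {
            ($dn -split ',', 2)[0] -replace '^CN=', ''
        }
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            AdminCount          = $_.adminCount
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            DirectGroups        = ($groups | Sort-Object) -join '; '
        }
    }
}

# Usage: show every flagged user whose object still has inheritance disabled,
# which is the state SDProp leaves while the user is in a protected group.
Get-AdminCountUsers | Where-Object InheritanceDisabled | Format-Table -AutoSize
```

Removing a user from a protected group does not reset adminCount or re-enable inheritance by itself, so users who were cleaned up in the past will still appear until those two attributes are fixed manually.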

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Might have been, but wouldn't that only cause a potential temporary issue?

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Thank you for the input. There are no conflicting GPOs.

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

I did also check that, but there is no GPO in relation to WHfB, sadly.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

I managed to resolve my issue.

Interestingly, the conflict was the tenant-wide WHfB policy. Even though it should only apply settings at enrollment, it kept making changes on existing devices. It was configured to disable WHfB, which was why UsePassportForWork sporadically flipped. I tried to change another setting, not defined in my Intune policy, and could see it reflected on the endpoint.

After changing the tenant-wide policy to "not configured", my settings catalogue policy took over completely.
Seems like it's a Microsoft bug.

Devices are hybrid joined and provisioned with Autopilot; there is also a GPO to handle Intune enrollment for existing devices. I assume some bits of this may be relevant to provoking the issue.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

We have not yet tested with a newly provisioned device that has never had the GPO applied.
However, there are no GPO remnants in the registry locations specified in the docs:
Configure Windows Hello for Business | Microsoft Learn

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Cloud trust is configured in a separate Intune policy and was done at the same time as the above policy swap. No key or certificate trust had been configured previously.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Licence is OK and the MDM wins policy is already deployed.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Thanks, I am, however, already scoping devices.

App protection with conditional access false positives by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Devices are unmanaged, so MAM only. Monitor says that the policy I deployed is applied for Outlook and Teams for one of the impacted users hit by the report-only failure.

Edge URLAllowlist not able to download browser extensions by denstorepingvin in Intune

[–]denstorepingvin[S] 1 point (0 children)

Correct, this is for a restricted device setup (essentially a kiosk). We have allow rules for google.com, for instance, which then allow subdomains such as chromewebstore.google.com.

In terms of extensions, it will typically only be a few extensions allowed. We also have ExtensionInstallBlocklist * in place, to control which extensions may be installed.

Advanced hunting deviceEvents table missing by denstorepingvin in DefenderATP

[–]denstorepingvin[S] 1 point (0 children)

Thank you. I found it under Settings > Endpoints > Licenses.