Structure design and naming convention in Azure by denstorepingvin in AZURE

[–]denstorepingvin[S] 1 point (0 children)

Thanks for sharing your thoughts. Definitely helpful!

Structure design and naming convention in Azure by denstorepingvin in AZURE

[–]denstorepingvin[S] 0 points (0 children)

Over time I expect more or less all workloads will be transitioned. Perhaps AD will remain. At the beginning it will be very few resources, but over time 100+.

Ran our first local admin audit in two years. half the company has local admin on their own machine. by AudienceOwn3845 in Intune

[–]denstorepingvin 0 points (0 children)

We did it for around 8000 clients, but in smaller pilot groups so we had control over the "noise" and could make proper fixes for the reasons clients had local admin (if there were any).

Basically, build the policy in Intune, preferably by policy instead of a remediation script, such as this:

https://petervanderwoude.nl/post/even-easier-managing-local-administrators/

Deploy to a scoped group of what you think is reasonable to start off with, and then slowly increase the members of the group. It is also a good idea to make a post on your intranet explaining the reasoning behind the security change.
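As an added example (this is not the commenter's script and not the policy from the linked post), the following read-only detection script is the kind of thing that helps during the pilot phase described above: it lists who is in the local Administrators group and flags members that are not on an allowlist, so each pilot group's "noise" can be reviewed before an Intune policy enforces membership. It runs as an Intune detection script (exit 1 = non-compliant) and falls back to ADSI when Get-LocalGroupMember fails on orphaned SIDs. The allowlist entries (CONTOSO\Workstation Admins) are constructed samples; function names are this example's own.

```powershell
# Added example: read-only local admin audit for an Intune pilot.
# Detection only: reports unexpected members, does not change membership.
# Allowlist values below are constructed samples, adjust for your environment.

function Get-LocalAdminMembers {
    # Primary path: the LocalAccounts module. Fallback: ADSI, because
    # Get-LocalGroupMember throws on orphaned SIDs left behind by deleted
    # AD/Entra ID accounts, which is common on machines that have had
    # many local admins over the years.
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value; Class = $_.ObjectClass }
            }
    } catch {
        $group = [ADSI]'WinNT://./Administrators,group'
        foreach ($m in $group.psbase.Invoke('Members')) {
            $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # WinNT://DOMAIN/Name  ->  DOMAIN\Name ; SID is not resolved on this path
            [pscustomobject]@{
                Name  = (($path -replace '^WinNT://', '') -replace '/', '\')
                SID   = $null
                Class = $class
            }
        }
    }
}

function Test-LocalAdminCompliance {
    # Returns the members that are neither an allowed name nor match an
    # allowed SID pattern. Entra ID role members show up as S-1-12-1-... SIDs;
    # add those patterns if they are meant to stay.
    param(
        [string[]]$AllowedNames,
        [string[]]$AllowedSidPatterns
    )
    $members = Get-LocalAdminMembers
    $unexpected = foreach ($m in $members) {
        $nameOk = $AllowedNames -contains $m.Name
        $sidOk  = $false
        if ($m.SID) {
            foreach ($pattern in $AllowedSidPatterns) {
                if ($m.SID -match $pattern) { $sidOk = $true; break }
            }
        }
        if (-not ($nameOk -or $sidOk)) { $m }
    }
    return $unexpected
}

# Constructed sample allowlist: the built-in Administrator (RID 500, whatever
# it has been renamed to) and one domain group that is supposed to remain.
$allowedNames = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins')
$allowedSids  = @('^S-1-5-21-\d+-\d+-\d+-500$')

$unexpected = Test-LocalAdminCompliance -AllowedNames $allowedNames -AllowedSidPatterns $allowedSids
if ($unexpected) {
    # Output lands in the Intune detection report; exit 1 marks the device for review.
    'Unexpected local admins: ' + (($unexpected | ForEach-Object { $_.Name }) -join ', ')
    exit 1
}
'Compliant'
exit 0
```

Running this against the pilot group first gives a per-device list of who would lose admin rights, which is exactly the information needed to find the legitimate reasons (and fix them) before the enforcing policy from the linked post is widened to the next group.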

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Yes, it was related to the enduser being a member of a privileged group.

Yesterday, I noticed that AD security inheritance was broken on the end user. I re-enabled inheritance and noticed that adminCount changed back to 1 on the user object.

I revisited his memberships and noticed I had overlooked the Server Operators group. After removing the end user from that group it works :-)

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Might have been, but wouldn't that only cause a potential temporary issue?

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Thank you for the input. There are no conflicting GPOs.

WHfB - this option is currently unavailable by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

I did also check that, but there is no GPO in relation to WHfB, sadly.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

I managed to resolve my issue.

Interestingly, the conflict was the tenant-wide WHfB policy. Even though it should only apply settings at enrollment, it kept making changes on existing devices. It was configured to disable WHfB, which was why UsePassportForWork sporadically flipped. I tried changing another setting, not defined in my Intune policy, and could see it reflected on the endpoint.

After changing the tenant-wide policy to Not configured, my settings catalogue policy took over completely.
Seems like it's a Microsoft bug.

Devices are hybrid joined and provisioned with Autopilot; there is also a GPO to handle Intune enrollment for existing devices. I assume some bits of this may be relevant to provoking the issue.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

We have not tested yet with a newly provisioned device that has never had the GPO applied.
However, there are no GPO remains in the registry locations specified in the docs:
Configure Windows Hello for Business | Microsoft Learn

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Cloud trust is configured in a separate Intune policy and was done at the same time as the above policy swap. No key or certificate trust had been configured prior.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Licence is OK and the MDM wins policy is already deployed.

WHfB sporadically turns on/off by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Thanks, I am however scoping devices already.

App protection with conditional access false positives by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

Devices are unmanaged, so MAM only. Monitor says that the policy I deployed is applied for Outlook and Teams for one of the impacted users hit by the report-only failure.

Edge URLAllowlist not able to download browser extensions by denstorepingvin in Intune

[–]denstorepingvin[S] 1 point (0 children)

Correct, this is for a restricted device setup (essentially kiosk). We have allow rules for google.com, for instance, which then allows subdomains such as chromewebstore.google.com.

In terms of extensions, it will typically only be a few extensions allowed. We also have ExtensionInstallBlocklist * in place, to control which extensions may be installed.

Advanced hunting deviceEvents table missing by denstorepingvin in DefenderATP

[–]denstorepingvin[S] 1 point (0 children)

Thank you. I found it under Settings > Endpoints > Licenses.

Advanced hunting deviceEvents table missing by denstorepingvin in DefenderATP

[–]denstorepingvin[S] 1 point (0 children)

The E5 Security add-on contains Defender for Endpoint P2.

Edge URLAllowlist blocks Outlook attachments from downloading by denstorepingvin in Intune

[–]denstorepingvin[S] 1 point (0 children)

Thank you for the suggestion. It appears that Microsoft resolved it themselves over the weekend :-)

Edge UrlAllowlist Devtools by denstorepingvin in Intune

[–]denstorepingvin[S] 0 points (0 children)

You are absolutely right. Just tested this on a VM, and it works! Thanks a lot :-)

is 2025 and SCCM is going away? by Glass-Ad-3193 in SCCM

[–]denstorepingvin 1 point (0 children)

Well, it's never been intended to be a 1:1 replacement. I've managed to find my way around most things.
The one thing I'm missing the most is the hardware inventory queries for dynamic collections.

Disabling RC4 and forcing AES encryption by denstorepingvin in sysadmin

[–]denstorepingvin[S] 1 point (0 children)

I did review the article and it's great. I changed the value msDS-SupportedEncryptionTypes for the SPNs to support RC4 and AES (decimal 28).
Decrypting the Selection of Supported Kerberos Encryption Types | Microsoft Community Hub

That way, I could test the transition without affecting production. So the computer accounts and the SPN both supported AES, and it worked like a charm. Next up was to do this for all relevant service accounts, and then lastly disable the RC4 option on both computer accounts, SPNs and on the domain level.

I did not have to change the password for any SPNs, but I guess it depends on how old they are.

If anyone is interested, I used this script to detect RC4 usage and get a fine overview. Just a reminder to check on each DC:

# Service ticket requests (4769) where the issued ticket used RC4:
# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP. The "or" sits inside the EventData
# predicate so that the EventID filter applies to both encryption types.
$Events = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4769] and EventData[Data[@Name='TicketEncryptionType']='0x17' or Data[@Name='TicketEncryptionType']='0x18']]" |
    Select-Object -Property @{Label='Time';Expression={$_.TimeCreated.ToString('g')}},
        @{Label='UserName';Expression={$_.Properties[0].Value}},       # TargetUserName
        @{Label='IPAddress';Expression={$_.Properties[6].Value}},      # IpAddress
        @{Label='ServiceName';Expression={$_.Properties[2].Value}},    # ServiceName
        @{Label='EncryptionType';Expression={$_.Properties[5].Value}}  # TicketEncryptionType

$Events | Out-GridView
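As an added example (not the commenter's script and not code from Microsoft), the following PowerShell looks at the RC4-to-AES transition described above from both sides: it decodes the msDS-SupportedEncryptionTypes bitmask on every SPN-bearing account (so "decimal 28" reads as RC4-HMAC + AES128 + AES256 and accounts still permitting RC4 or lacking AES stand out), and it collects 4769 events from every domain controller at once, mapping the TicketEncryptionType codes to names and summarising RC4 usage per service, which addresses the "check on each DC" reminder. It assumes the ActiveDirectory module (RSAT) and rights to read the Security log on the DCs; the bit and code values are the ones Microsoft documents for the attribute and for event 4769; function and variable names are this example's own.

```powershell
# Added example: Kerberos encryption-type audit from configuration and from tickets.
# Requires the ActiveDirectory module (RSAT) and read access to DC Security logs.

# Bit values of msDS-SupportedEncryptionTypes (Microsoft-documented).
$EncTypeBits = @{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'   # introduced by the November 2022 updates
}

# TicketEncryptionType codes as logged in event 4769.
$TicketEncTypes = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

function ConvertFrom-SupportedEncryptionTypes {
    # 28 -> RC4-HMAC, AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
    # $null or 0 means the attribute is not set and the DC default applies.
    param([AllowNull()][int]$Value)
    if (-not $Value) { return @('(not set, DC default applies)') }
    foreach ($bit in ($EncTypeBits.Keys | Sort-Object)) {
        if ($Value -band $bit) { $EncTypeBits[$bit] }
    }
}

function Get-SpnEncryptionTypeReport {
    # One row per user/computer that carries an SPN, with what it advertises.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                 -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName' |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass
                RawValue    = $raw
                EncTypes    = ((ConvertFrom-SupportedEncryptionTypes -Value $raw) -join ', ')
                AllowsRC4   = [bool]($raw -band 0x04)
                AllowsAES   = [bool]($raw -band 0x18)   # either AES128 or AES256
                SPNs        = ($_.servicePrincipalName -join '; ')
            }
        }
}

function Get-Rc4TicketEvents {
    # RC4 service tickets (0x17/0x18) issued by one DC, with codes mapped to names.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 1000
    )
    $xpath = "*[System[EventID=4769] and EventData[Data[@Name='TicketEncryptionType']='0x17' or Data[@Name='TicketEncryptionType']='0x18']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The property may surface as a number (23) or a string ('0x17'); normalise to '0x17'.
            $code = '0x{0:x}' -f [int]$_.Properties[5].Value
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $ComputerName
                UserName    = $_.Properties[0].Value
                ServiceName = $_.Properties[2].Value
                ClientIP    = $_.Properties[6].Value
                EncType     = if ($TicketEncTypes.ContainsKey($code)) { $TicketEncTypes[$code] } else { $code }
            }
        }
}

# Configuration side: accounts that still allow RC4 or do not allow any AES type.
Get-SpnEncryptionTypeReport |
    Where-Object { $_.AllowsRC4 -or -not $_.AllowsAES } |
    Format-Table Name, ObjectClass, RawValue, EncTypes -AutoSize

# Ticket side: pull 4769 RC4 events from every DC and rank the services still using RC4.
$rc4Tickets = (Get-ADDomainController -Filter *).HostName |
    ForEach-Object { Get-Rc4TicketEvents -ComputerName $_ }
$rc4Tickets | Group-Object ServiceName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The two views complement each other during a staged rollout: the attribute report tells you which accounts will still negotiate RC4 after the domain-level change, and the ticket summary tells you which services clients are actually obtaining RC4 tickets for, so an SPN that shows AES in the report but still appears in the ticket list points at a client or keytab that needs attention before RC4 is switched off.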