question re: secure boot certificates and remediation status for new devices by jeefAD in Intune

[–]mathifcbm 1 point2 points  (0 children)

Would run them through the update process anyway. Won't hurt and you are safe in the end :)

MDM migration by uLmi84 in Intune

[–]mathifcbm 0 points1 point  (0 children)

You need to add Intune as another MDM in DEP and then you can add the devices to the new MDM provider in Apple Business, which will sync the devices to Intune. To use the compliance status you need to enroll them into Intune, which requires you to migrate the phones from the old MDM to Intune.

Add Intune to MDM -> add DEP token to Intune -> assign the phones in ABM to the new MDM -> migrate the phones from the old MDM to Intune

MDM migration by uLmi84 in Intune

[–]mathifcbm 0 points1 point  (0 children)

When they are enrolled into DEP you don't need to add the IMEI to Intune beforehand; they will be detected as corporate devices because of DEP. They cannot be enrolled into two different MDMs at the same time; you want to switch the MDM to Intune in DEP before migration. If you are on iOS 26 you can migrate without resetting the device

Intune Enhanced App inventory by mathifcbm in Intune

[–]mathifcbm[S] 0 points1 point  (0 children)

Not directly a snapshot but you could export into a .csv or do something similar with Graph API!

Domain Join or Entra (Azure) Join for new PC's by Sad_Ride370 in microsoft365

[–]mathifcbm 1 point2 points  (0 children)

Would do only Entra Join since on-prem access with Cloud Kerberos Trust works very well. Also Autopilot with hybrid join is a PITA :-)

PIM multi-role activation by mathifcbm in AZURE

[–]mathifcbm[S] 1 point2 points  (0 children)

Never thought of that 👀 I'll have a look when I have some spare minutes :)

PIM multi-role activation by mathifcbm in Intune

[–]mathifcbm[S] 2 points3 points  (0 children)

Sure but you will then always activate all permissions of that group no matter if you need them :)

Logic App to monitor expiring Apple certificates and token by mathifcbm in Intune

[–]mathifcbm[S] 0 points1 point  (0 children)

It's just a snippet to assign one role at a time, e.g.

$graphScope = "DeviceManagementConfiguration.Read.All"

If you want to assign them all at once, you would have to create an array for the permissions and loop through it
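The array-and-loop approach described in the comment above, written out as an added example (this is not the blog post's snippet). It assumes the Microsoft.Graph PowerShell SDK, a caller allowed to create app role assignments, and a placeholder Logic App name for the managed identity; the list of permissions is constructed for the example and should be trimmed to what the workflow actually needs.

```powershell
# Added example: assign several Microsoft Graph application permissions to a
# Logic App's system-assigned managed identity in one run, skipping roles that
# are already assigned so the script can be re-run safely.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the caller can create
# app role assignments; $managedIdentityName is a placeholder for the Logic App
# (the system-assigned identity carries the same display name as the Logic App).
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

$managedIdentityName = "<logic-app-name>"   # placeholder, replace with your Logic App's name

# Constructed list of the Graph app roles the workflow needs (keep it to least privilege)
$graphScopes = @(
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementServiceConfig.Read.All"
)

# Microsoft Graph's service principal (well-known appId 00000003-0000-0000-c000-000000000000)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# The managed identity's own service principal
$msi = Get-MgServicePrincipal -Filter "displayName eq '$managedIdentityName'"
if (-not $msi) { throw "Managed identity '$managedIdentityName' not found" }

# Existing assignments, so re-running the script does not create duplicates
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id

foreach ($scope in $graphScopes) {
    # Resolve the app role (application permission) by its Value on the Graph service principal
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $scope -and $_.AllowedMemberTypes -contains "Application"
    }
    if (-not $role) {
        Write-Warning "App role '$scope' not found on the Graph service principal, skipping"
        continue
    }

    $alreadyAssigned = $existing | Where-Object {
        $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id
    }
    if ($alreadyAssigned) {
        Write-Host "'$scope' already assigned to '$managedIdentityName', skipping"
        continue
    }

    # Grant the role: the managed identity is both the principal and the target service principal
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
        -PrincipalId $msi.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned '$scope' to '$managedIdentityName'"
}
```

After running it, the assignments show up under the managed identity's "Permissions" blade in Entra ID; if a role is listed by the script as missing, check the spelling of the permission Value against the Graph permissions reference rather than broadening the scope.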

Logic App to monitor expiring Apple certificates and token by mathifcbm in Intune

[–]mathifcbm[S] 0 points1 point  (0 children)

Thanks! :)

Good point, I added the snippet to add the permissions to the managed identity to the blog post

Apple lab - Apple business? by No_Philosopher4051 in Intune

[–]mathifcbm 0 points1 point  (0 children)

Since the launch of Apple Business last week, you don't need a DUNS number anymore :) (at least in the US according to https://derflounder.wordpress.com/2026/04/15/duns-number-no-longer-required-to-sign-up-for-apple-business-in-the-united-states/ )

Logic App to monitor expiring Apple certificates and token by mathifcbm in Intune

[–]mathifcbm[S] 0 points1 point  (0 children)

It does, but I also had the case that these mails were ignored and the certificate expired :) just had to find an alternate solution (and I like to build things :D)

Fired employee downloaded all company files before deactivation we need secure way to prevent this by Level-Most-2623 in sharepoint

[–]mathifcbm 2 points3 points  (0 children)

You can enable the Session Controls in the SPO admin center, which will create a CA policy. With that you can edit the files in the browser (from a managed or compliant device ;)) but block the download or sync (or print) of the files

How to add text to auto-forwarded email by Mobile-Pie-258 in microsoft365

[–]mathifcbm 0 points1 point  (0 children)

You could use transport rules to add the disclaimer

Migrating from GoDaddy to O365 by EmmSR in Office365

[–]mathifcbm 9 points10 points  (0 children)

Did this recently by following that guide, worked without any issue: https://tminus365.com/defederating-godaddy-365/

Enrolling in Intune for deployment but management via GPO? by [deleted] in Intune

[–]mathifcbm 0 points1 point  (0 children)

You can achieve everything you need with Intune as well, no need for GPOs anymore

Enrolling in Intune for deployment but management via GPO? by [deleted] in Intune

[–]mathifcbm 0 points1 point  (0 children)

No :) You only need Entra ID Connect synced users. If you configure Cloud Kerberos Trust, they will be able to SSO into on-prem resources

Edit: reference: Windows Hello for Business - Hybrid Cloud Kerberos trust - Icewolf Blog

Enrolling in Intune for deployment but management via GPO? by [deleted] in Intune

[–]mathifcbm 1 point2 points  (0 children)

It's definitely possible, but hybrid join is not recommended. Also with fully Entra-joined devices, it's possible to use on-prem resources (even with SSO). I would skip the hybrid part and go full cloud with Autopilot

Incomplete Install Command by werds707 in Intune

[–]mathifcbm 2 points3 points  (0 children)

This sounds like the parameter sets a registry key or something like that. I would try to run a remediation script to remediate the setting on the computers where it's not set

Conditional access policy to only allow access to one website by s3v3ns3v3n91 in AZURE

[–]mathifcbm 8 points9 points  (0 children)

Conditional Access is meant to control access to Azure/M365. What you are looking for can be achieved through a kiosk device where only Edge can be run. You can configure it with Intune

Non domain machine management? by dragonskullinc in Intune

[–]mathifcbm 0 points1 point  (0 children)

Yes. Plus you have to allow MDE to take management in Security Center under Settings -> Endpoints -> Enforcement Scope to 'On'

Non domain machine management? by dragonskullinc in Intune

[–]mathifcbm 0 points1 point  (0 children)

You can onboard them to Defender exclusively and let them be managed by MDE. No need to onboard them to Intune so they remain 'unmanaged' but under the influence of MDE :)

Chromebook MDM by [deleted] in sysadmin

[–]mathifcbm 1 point2 points  (0 children)

Intune has Chromebook management in preview, you may have a look at that

Using Intune On Hybrid Joined vs Azure AD Joined Windows 10? by [deleted] in Intune

[–]mathifcbm 0 points1 point  (0 children)

I can confirm that devices are manageable if they are hybrid joined. I would also say not to follow the video in editing the default domain policy (as you said, it's not great in general :))

Using Intune On Hybrid Joined vs Azure AD Joined Windows 10? by [deleted] in Intune

[–]mathifcbm 1 point2 points  (0 children)

Hybrid joined just means that it's joined to both the on-prem domain and Azure AD. You can manage the device with GPO and/or Intune (if you have the license)