Microsoft-Intune on Ru Campbell MVP

Microsoft 365: The Essential 10 Security Considerations

Fri, 28 Nov 2025 13:42:07 +0000

When we talk about Microsoft 365 security, we are talking about two things:

Securing Microsoft 365 the platform, such as Exchange Online, SharePoint Online, Microsoft 365 Copilot; ensuring they are hardened and monitored in proportion to risk appetite.
Using Microsoft 365 security tooling, such as Defender, Purview, Entra, and Intune; ensuring they are deployed, well configured, and you’re not paying for capabilities gathering dust.

The latter can be used to achieve the former, as well as other (non-Microsoft 365) platforms. For example, using Defender for Endpoint on a Linux server in AWS, or using Entra for single sign on to Salesforce.

Deploying Office 365 with Intune as a Win32 App (and Why You'd Want To)

Tue, 15 Jun 2021 15:26:14 +0000

Office 365, or Microsoft 365 Apps for Enterprise, or whatever it’s called this month, can be deployed by Intune to Windows 10 devices using a built-in wizard. The advantage of this is you don’t need to package anything: you fill out some nice drop-downs and options in a GUI, assign it like any other app, and Microsoft takes care of the rest.

In the background, this is using the Office CSP to deploy the client, which makes it quite unique compared to the deployment of other apps, which are best done with Win32 packaging. I wrote a general guide about that for Petri.com, available here.

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

Mon, 19 Apr 2021 20:02:44 +0000

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you’re banging your head off the table, and laugh off the embarrassment of not checking the fundamentals.

I was recently setting up hybrid Azure AD join and Intune enrollment, as I’ve done hundreds of times before, but this time I was hitting a strange problem. Hybrid Azure AD join went fine, but for the Intune MDM enrollment, I was getting nowhere. Devices showed in the Azure AD admin centre, but never showed an MDM, and therefore never showed in Endpoint Manager.

Update BitLocker Unique Identifiers with Intune

Mon, 22 Mar 2021 18:01:18 +0000

BitLocker unique identifiers are values used to identify the ownership of an encrypted volume. The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume.

The identifiers are typically used in tandem with the BitLocker removable data-drive setting write access to devices configured in another organisation which, if set to block, will prevent write operations on devices where the unique identifier of the removable drive doesn’t match a list of unique identifiers managed on the device. The idea here is you want to enforce BitLocker on removable drives to improve data loss (encrypted drives, if found, are unreadable without the means to decrypt them), but you only want them to be encrypted within your organisation: someone can’t encrypt their device elsewhere and then copy data to it. You may want to do this because it means you, as an administrator, would not be able to decrypt it if required.

Microsoft Defender Network Protection - Not Enabling via Intune - Troubleshooting & Fix

Sun, 07 Mar 2021 13:27:29 +0000

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE’s web content filtering and URL/domain indicators of compromise.

This blog details the specific problem I had enabling it with Intune (Microsoft Endpoint Manager), and general troubleshooting steps to follow that will help for that problem and hopefully others you may experience.

Turn Existing Azure AD Devices into Windows Autopilot Devices

Sat, 06 Feb 2021 09:19:13 +0000

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID(ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number, and system serial number.

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

Fri, 15 Jan 2021 18:18:36 +0000

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe. You can store those keys either in on-premises Active Directory or in the cloud with Azure AD.

The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is already Azure AD or Hybrid Azure AD Joined. You can then retrieve the recovery keys from the Azure AD portal or Microsoft Endpoint Manager (which really just takes you back to Azure AD’s properties for the device).

Microsoft Defender for Endpoint Web Content Filtering - Administration, Limitations, and User Experience

Sun, 28 Jun 2020 16:37:29 +0000

Historically, one of the big features missing “out of the box” with MDATP was web content filtering. Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it. They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering. Higher lever stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you’d be looking at other solutions too. This took away from Defender ATP’s “single pane of glass” selling point.

Connect a Work or School Account - MDM vs. MAM in Self Enrolment

Sat, 16 May 2020 06:13:47 +0000

A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect.

What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership. For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win. The opposite is true of corporate devices. [wptb id=277]

Windows Information Protection (WIP) App Protection Policies: Protected and Exempt; Denied and Allowed - What Do They Mean?

Thu, 14 May 2020 21:05:30 +0000

One of things that strikes me as vague in Windows Information Protection (WIP) policies in Intune is configuring targeted apps: what’s the exact difference between a protected app and an exempt app; and what does allow or deny exactly do for both of those?

A recap on some terminology before explaining what-does-what.

Targeted apps are ones the WIP service will implement controls over.
Unenlightened apps cannot differentiate between work and personal data. They have no idea what WIP is as the developer has not incorporated it. They can only implement controls if the device is MDM enrolled.
Enlightened apps have incorporated WIP into the design and can differentiate between work and personal data. For example, Outlook knows if the email account is tenant one or not. They can implement controls even if it’s just using MAM. Such a scenario is called WIP Without Enrollment or WIP-WE.
Enterprise context is the ownership of data in the application. You can review this by adding the column in Task Manager. Data will either belong to the tenant (work) or personal (not work). It can also be exempt, which means waived from rules.

In the example below, every app you see - protected and exempt - will be controlled if an MDM scenario, but only enlightened ones can be in a MAM scenario.

Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)

Sat, 18 Jan 2020 22:47:50 +0000

Unified labels refer to a movement whereby Azure Information Protection (AIP) labels are now being replaced by sensitivity labels. Sensitivity labels offer encryption, watermarks, etc as AIP labels did before them, but are now managed in the new Microsoft 365 Security Centre, with several other benefits beyond the scope of this post.

With this change comes a new AIP client, called the unified labeling client, that replaces the old one, now called the classic client. The AIP unified labeling client will refer to the M365 Security Centre to download labels, but note that (and ‘unified’ gives this away) labels created on either the old Azure AIP dashboard or new M365 Security Centre will sync to each other after you have enabled unified labeling. Current guidelines from Microsoft are that, unless you have a use case that isn’t a feature of the unified labeling client, this is what you should be installing. This post holds your hand through a deployment of the client using Intune.

Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix 'Not Applicable' Status)

Fri, 10 Jan 2020 21:00:30 +0000

Intune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Mangement enabled with the default workloads shifted to Intune in Co-Management properties, there is more to be done. If you don’t follow these steps, you will receive the status of Not applicable in the Intune client apps user and device install status pages.

Prerequisite: This only works with SCCM 1806+.