Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings. In this blog, we'll look at what that change is, why it was necessary, initial impressions, and what you might want to do next. Historic management architecture needed simplifying MDE (and it's Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint…
Deploying Office 365 with Intune as a Win32 App (and Why You’d Want To)

Deploying Office 365 with Intune as a Win32 App (and Why You’d Want To)

Office 365, or Microsoft 365 Apps for Enterprise, or whatever it's called this month, can be deployed by Intune to Windows 10 devices using a built-in wizard.  The advantage of this is you don't need to package anything: you fill out some nice drop-downs and options in a GUI, assign it like any other app, and Microsoft takes care of the rest. In the background, this is using the Office CSP to deploy the…
Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

Troubleshooting Hybrid Azure AD Intune Automatic Enrollment

As I have blogged about a lot, there are a bunch of hoops to be jumped through and prerequisites to be met for a successful hybrid Azure AD join and automatic, GPO-invoked Intune enrollment. But sometimes, you have to go back to the basics when you're banging your head off the table, and laugh off the embarrassment of not checking the fundamentals. I was recently setting up hybrid Azure AD join and Intune enrollment,…
Update BitLocker Unique Identifiers with Intune

Update BitLocker Unique Identifiers with Intune

BitLocker unique identifiers are values used to identify the ownership of an encrypted volume.  The device that performs the encryption holds the unique identifier and as encryption begins, it also records this against the metadata of that encrypted volume. The identifiers are typically used in tandem with the BitLocker removable data-drive setting write access to devices configured in another organisation which, if set to block, will prevent write operations on devices where the unique…
Microsoft Defender Network Protection – Not Enabling via Intune – Troubleshooting & Fix

Microsoft Defender Network Protection – Not Enabling via Intune – Troubleshooting & Fix

When configuring Defender for Endpoint (MDE) customer recently, I ran into a problem when trying to enable network protection.  Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic.  It is a prerequisite for things such as MDE's web content filtering and URL/domain indicators of compromise. This blog details the specific problem I had enabling it with Intune…
Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group.  Device groups (previously machine groups), are used to assign devices different rules and administrative ownership.  A device can only belong to one group and controls settings such as auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it. While you can assign tags,…
Turn Existing Azure AD Devices into Windows Autopilot Devices

Turn Existing Azure AD Devices into Windows Autopilot Devices

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service.  When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID (ZTDID) - a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number,…
Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe.  You can store those keys either in on-premises Active Directory or in the cloud with Azure AD. The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is…
Hybrid Azure AD Join + Intune Enrollment – Prerequisites Checklist and Process Flow

Hybrid Azure AD Join + Intune Enrollment – Prerequisites Checklist and Process Flow

I'm a simple person, and sometimes it just helps to have a checklist to refer to when you're troubleshooting rather than navigating the sparse pages of docs.microsoft.com.  In this blog, I  explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!)  There are no screenshots and it's not a click-by-click:…
Connect a Work or School Account – MDM vs. MAM in Self Enrolment

Connect a Work or School Account – MDM vs. MAM in Self Enrolment

A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect. What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and device ownership.  For a personal device, if user scope for both MDM and MAM overlaps for the enrolling user, MAM will win.  The opposite is true of corporate devices. Intune devices are considered personal by default…