Microsoft Improves and Simplifies Defender for Endpoint Management Capabilities

In one of the biggest changes to Microsoft Defender for Endpoint (MDE) in its product history, you no longer need a separate management engine to configure endpoint settings. In this blog, we'll look at what that change is, why it was necessary, initial impressions, and what you might want to do next. Historic management architecture needed simplifying: MDE (and its Windows client, Microsoft Defender Antivirus (MDAV)) always stood out from the crowd of endpoint…
Update BitLocker Unique Identifiers with Intune

BitLocker unique identifiers are values used to identify the ownership of an encrypted volume. The device that performs the encryption holds the unique identifier and, as encryption begins, it also records this against the metadata of that encrypted volume. The identifiers are typically used in tandem with the BitLocker removable data-drive setting "write access to devices configured in another organisation" which, if set to block, will prevent write operations on devices where the unique…
Microsoft Defender Network Protection – Not Enabling via Intune – Troubleshooting & Fix

When configuring Defender for Endpoint (MDE) for a customer recently, I ran into a problem when trying to enable network protection. Network protection is a feature of MDE and Microsoft Defender Antivirus (MDAV) that takes the filtering capabilities of SmartScreen and applies them to all network traffic. It is a prerequisite for things such as MDE's web content filtering and URL/domain indicators of compromise. This blog details the specific problem I had enabling it with Intune…
Use Intune to Manage Microsoft Defender for Endpoint Tags and Device Groups

In Microsoft Defender for Endpoint (MDE), tags can be attached to a device for reporting, filtering, and as a dynamic attribute for membership of a device group. Device groups (previously machine groups) are used to assign devices different rules and administrative ownership. A device can belong to only one group, and that group controls settings such as the auto-remediation level and which Role-Based Access Control (RBAC) roles have administrative permissions over it. While you can assign tags,…
Turn Existing Azure AD Devices into Windows Autopilot Devices

To provision Windows 10 PCs using Autopilot and Intune, they must first be registered as Windows Autopilot devices in the Device Directory Service, which is really the cloud Autopilot service. When a device is registered to the Autopilot service, its hardware hash is used to generate a Zero Touch Device ID (ZTDID), a globally unique identifier for that device based on hardware information such as (but not only) MAC address, disk serial number,…
Store BitLocker Recovery Keys in Azure AD for Devices Already Encrypted

As you move from on-premises or third-party infrastructure to Microsoft 365 and Azure AD, you will want to keep those BitLocker recovery keys safe. You can store those keys either in on-premises Active Directory or in the cloud with Azure AD. The behavior of the BitLocker / Azure AD relationship is that the recovery keys will only be stored against the device object in Azure AD if the encryption happens when the device is…
Hybrid Azure AD Join + Intune Enrollment – Prerequisites Checklist and Process Flow

I'm a simple person, and sometimes it just helps to have a checklist to refer to when you're troubleshooting rather than navigating the sparse pages of docs.microsoft.com. In this blog, I explain the prerequisites for the Hybrid Azure AD Join (HAADJ) + automatic (GPO controlled) Intune MDM enrollment scenario and the process from start to end, as simply and concisely as I can (not easy!). There are no screenshots and it's not a click-by-click:…
Connect a Work or School Account – MDM vs. MAM in Self Enrolment

A Windows 10 user can self-enrol in MDM or MAM from Settings > Accounts > Access work or school > Connect. What happens next depends on how Mobility (MDM and MAM) is configured in Azure Active Directory and on device ownership. For a personal device, if the user scope for both MDM and MAM overlaps for the enrolling user, MAM will win. The opposite is true of corporate devices. Intune devices are considered personal by default…
Using Intune to Deploy the Azure Information Protection (AIP) Unified Labeling Client (Win32 MSI)

Unified labels refer to a movement whereby Azure Information Protection (AIP) labels are being replaced by sensitivity labels. Sensitivity labels offer encryption, watermarks, etc., as AIP labels did before them, but are now managed in the new Microsoft 365 Security Centre, with several other benefits beyond the scope of this post. With this change comes a new AIP client, called the unified labeling client, that replaces the old one, now called the classic…
Deploy Microsoft Store Apps using Intune with Configuration Manager (SCCM) Co-Management (Fix ‘Not Applicable’ Status)

Intune provides an interface to easily deploy apps from the Microsoft Store to your registered users and devices, but even if you have SCCM (Config Manager) Co-Management enabled with the default workloads shifted to Intune in the Co-Management properties, there is more to be done. If you don't follow these steps, you will receive the status of Not applicable in the Intune client apps user and device install status pages. Prerequisite: This only works with…