
Katy's Tech Blog
Katy's Tech Blog is a personal blog that covers a range of technology-related topics, including hardware reviews, software tutorials, and news about the latest tech products and trends. The blog is authored by Katy, who is a tech enthusiast and shares her passion for technology through her writing.
The blog's content includes product reviews and comparisons, tutorials on software and..
7M ago
Device certificate authentication to NPS (e.g. an 802.1x wireless network) requires the device to have a computer object in the on-premises Active Directory. This can be done using a script to get all Autopilot registered devices and create an account in the local AD (see [SysManSquad - Working around NPS limitations for AADJ Windows Devices](https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/)); however, the thumbprint of the device certificate needs to be added to the computer object's altSecurityIdentities attribute. While this can be run as an hourly ..
7M ago
Newer Promethean screens can be fitted with compute devices, OPS-M (Windows) and OPS-A (Android). There is very little documentation around configuring these Android devices with Intune in order to restrict access to settings. In this post I go through how enrolling these as corporate-owned dedicated devices, and retaining the pre-installed Promethean apps ..
1y ago
Device Control Printer Restriction has been around for a while and can be configured using a couple of CSP entries to block the use of "non-corporate printers", and a list of USB hardware IDs can be specified to be allowed through the block. This has been a good solution for locking down printing on devices which leave the office; however, the definition of "corporate printers" does not include Universal Print. Luckily there is a new version of this policy; confusingly, it has the same name but uses Defender's device restriction mechanism. Using this new method we can define groups of devices ..
2y ago
BitLocker is Microsoft's disk encryption system and the only supported silent configuration involves the TPM only. There are other options such as also requiring a start-up PIN or a physical key (USB drive containing the key), or both - whether you think you need the extra security at the risk of PIN re-use/being written down is an exercise left to the reader. However I wanted to find a way to enable BitLocker with a PIN required at start-up on a device deployed through Autopilot, without the user having to do anything to enable the protection. While there are configuration profiles which can ..
2y ago
Windows Autopatch is a service which takes care of updates to Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams across your devices. It is marketed as taking the mundane tasks of managing updates away from IT staff, leaving them free to work on other things. Autopatch uses various policies and profiles through Intune to set the update configuration on the client devices, Windows Update for Business to deliver the updates, and reporting is also done through Intune (or the Update Compliance Log Analytics solution). Autopatch uses four rings to phase updates across y ..
2y ago
Corporate devices can be fully managed and secured using Mobile Device Management (MDM) such as Intune. But what about securing personally owned devices? This is where Mobile Application Management (MAM) steps in. For iOS and Android devices, MAM in Intune is implemented through App Protection Policies. With these policies, we can segregate corporate data on personal devices and also put restrictions in place - for example, don't allow copy/paste between the corporate apps and the rest of the device, or requiring PIN or biometric unlock before the data can be accessed. In this post I'm going t ..
2y ago
Azure AD's terms of use feature allows us to present information to users which they need to accept/acknowledge before being permitted access to a service. The feature supports multiple languages and essentially you upload a PDF for each supported language for your Terms of Use policy. You can create multiple policies if needed. Possible use cases for this include for users enrolling their personal Windows device through *Access work or school*, where they can be presented with some rules before their device will give them access, or even when accessing specific services such as Microsoft Form ..
2y ago
Surely by now everyone has turned on Multi-Factor Authentication (MFA) as part of their identity protection strategy. Not necessarily - I regularly come across people who have not enabled this crucial feature, usually through the company/institution's management thinking it is not necessary or not worth the hassle. Usually this is followed up with a compromised account sending thousands of emails in an attempt to gather credentials from contacts of the compromised user. I've [previously written about Azure Conditional Access and MFA](/azure/azure-conditional-access-and-mfa), this post is a mor ..
2y ago
This has to be one of the most requested features for Intune - importing Group Policy Objects. It's now a feature! Currently in public preview, so should be available on most tenants. The way this works is that you export your GPOs from Group Policy Management Console, import them into the Group Policy Analytics and it will determine whether they will work as Intune configuration profiles - by trying to map the GPO settings to the corresponding Configuration Service Provider (CSP) setting, if one exists. You'll be shown a report detailing how much of your policies will be transferable, and whic ..
2y ago
I recently moved this blog from WordPress to its current form - a custom PHP site running on Azure App Service. At the back end I decided to store the blog posts as Markdown, as it's relatively easy to edit in any text editor, and I did not want to re-create a rich editor like WordPress has. I also wanted the site to be easy to deploy, if I need to move it or scale up multiple servers, so I decided it should be a (private, for now) GitHub repository. I've already created a template site which is used with my [Redirect Tool](/projects/project-short-link-creator) and [Certificate Expiry Tool](/p ..