Posts

OneDrive for Business sync issues on EntraID devices - When "sorry" just doesn't cut it..

While working on a customer's Azure tenant, I came across an issue that I hadn't seen before. I was configuring the Intune tenant to provision Windows 11 devices using Autopilot. As part of the configuration, OneDrive for Business was also included to manage and secure user data. However, after provisioning a device, I soon started seeing issues with OneDrive failing to sync. I would only see a pop-up window displaying the message 'Sorry, OneDrive can't add your folder right now. Please contact support.'. Not really helpful. There was nothing in the Entra sign-in logs, so I ruled out conditional access policies as the root cause. I also had the relevant licenses assigned, so I ruled that out as well. Then I recalled that there was something similar in relation to the Outlook mailbox device management setting, which could interfere with Intune device management policies. Something that I also blogged about which you can check out over here. Not really like for like, but ...

Passkeys for macOS and addressing the phishing resistant authentication registration loop

For the last couple of days, I have been working on securing my own tenant and, as a result, I wanted to enable passkeys for all my test accounts. Passkeys (FIDO2) not only improve productivity and provide better security, but also make the authentication process seamless by eliminating the need for entering a username or password. This can be achieved through both a FIDO2 security key and Microsoft Authenticator. Due to this fact, Microsoft and its partners are investing in both synced and device-bound passkeys for work accounts. However, during my own testing, enabling a passkey on the user's side can go into a loop when trying to add a passkey in the Microsoft Authenticator application. This may not be the case for every tenant, but if you have conditional access policies created that specifically leverage phishing-resistant authentication strength, then you will most likely run into this issue. Luckily, there are some workarounds available, though they require further actions. In this...

Delaying installation of applications during Autopilot provisioning

If you provision devices using Autopilot, then you may have dealt with situations like delaying installation of certain applications to address provisioning requirements or simply get the process over the line. I recently had to deal with something similar involving Zscaler in a customer's tenant. Installation of the application would halt the provisioning process, regardless of whether it installed in the device or account setup phase. This is because of the way the Zscaler policy was configured in the customer's tenant, which required user credentials before allowing access to the internet. Back in the day, if you were using ConfigMgr, then this could be addressed by creating a dynamic collection that would populate with the devices based on the completion status of an imaging task sequence. You would then target the same collection with such apps or scripts as post-installation tasks. With Intune, the same isn't really possible using the native functionality and one has to come up wi...

Intune: Microsoft Store app (new) and built-in apps - Not super obvious!

Back in the day when the Windows 10 OS was launched, it came with a lot of built-in apps that most enterprise customers didn't want to offer to their end users. This obviously created an additional task for the administrators to find a way to remove such apps during the build process. The method of choice was using a PowerShell script to remove the apps, which you could simply put in an imaging process and work away. When the management of the devices moved to modern solutions like Intune, so did this removal process. Nothing much changed in this aspect, other than how they were set up in the Intune admin portal. I personally used this method for a long time, even when the OS moved to Windows 11, but then eventually dropped the method in favor of using the Microsoft Store app type, built into Intune. I would just import the store app, create an uninstall assignment and be done with it. It was simple and elegant. Then Microsoft replaced it with the new store experience and segregated t...