Modern Device Management

For the last couple of days, I have been working on securing my own tenant and as a result of this, I wanted to enable passkeys for all my test accounts. Passkeys (FIDO2) not only improves productivity and provide better security, but also make the authentication process seamless by eliminating the need for entering a username or password. This can be achieved through both FIDO2 security key and Microsoft Authenticator. Due to this fact, Microsoft and its partners are investing in both synced and device bound passkeys for work accounts. However, and during my own testing, enabling passkey on the user's side can go into a loop when trying to add a passkey in Microsoft Authenticator application. This may not be a case for every tenant, but if you have conditional access policies created that specifically leverage phishing-resistant authentication strength, then you will most likely run into this issue. Luckily there are some work arounds available and require further actions. In this...

If you provision devices using Autopilot, then you may have dealt with situations like delaying installation of certain applications to address provisioning requirements or simply get the process over the line. I recently had to deal with a something similar involving Zscaler in a customer's tenant. Installation of the application would halt the provisioning process, regardless of whether it installed in device or account setup phase. This is because the way Zscaler policy was configured in the customer's tenant which required user credentials before allowing access to internet.  Back in the day, if you were using ConfigMgr, then this could be addressed by creating a dynamic collection that would populate with the devices based on the completion status of an imaging task sequence. You would then target the same collection with such apps or scripts as post installation tasks. With Intune, the same isn't really possible using the native functionality and one has to come up wi...

Back in the day when Windows 10 OS was launched, it came with a lot of built-in apps that most enterprise customers didn't want to offer to their end users. This obviously created an additional task for the administrators to find a way to remove such apps during the build process. The method of choice was using a PowerShell script to remove the apps which you could simply put in a imaging process and work away. When the management of the devices moved to the modern solutions like Intune, so did this removal process. Nothing much changed in this aspect, other than how they were setup in the Intune admin portal. I personally used this method for a long time, even when the OS moved to Windows 11, but then eventually dropped the method in favor of using the Microsoft Store app type, built into Intune. I would just import the store app, create an uninstall assignment and be done with it. It was simple and elegant. Then Microsoft replaced it with the new store experience and segregated t...