Modern Device Management

  It's pretty normal for enterprise users contacting support team for password resets\recovery or perhaps doing it themselves using Self service password reset. However, in a passwordless environment, this can become a bit of a challenge because password will not normally be shared with the end users. If the organization is using Temporary access pass then it can be used for account recovery in general. I wrote a blog about this which you can refer to over here . This in turn should allow the end users to reset the PIN as well. It can be done right from the lockscreen, but the feature needs to be enabled first. If your devices are enrolled in Intune, then you can enable the feature using either the Identity Protection template or Account Protection Endpoint security policy. I am using Identity Protection policy to enable the feature as part of my overall Windows Hello for business configuration. Here is how you can do it. 1. Head over to Microsoft Endpoint Manager admin center . 2....

If you are managing Microsoft Defender AV and Microsoft Defender for Endpoint policies using Intune, then chances are that you may come across an issue where Windows Defender Real-Time Protection doesn't enable after a device has been provisioned using Autopilot. I started experiencing this issue lately which also resulted in device reporting as non-compliant.  On further investigation, I found out that Windows Defender Antimalware Real-Time Protection was not getting enabled because of the missing of Antimalware Engine. This is clearly evident under Windows Security > Settings > About section. It appears that the check for security intelligence updates was not getting initiated during and post provisioning and the updates were not coming down automatically. This is odd because I have got the policies for automatic update of Defender AV updates enabled as part of my policies in Intune. I must state that in my case the operating system is Windows 11 Enterprise and the devices ...

As part of an ongoing Autopilot project, I am installing ConfigMgr agent on devices with Azure AD identity to support Co-management. Workloads for patching Windows updates and Office 365 sit with ConfigMgr so it is important for me to have this working to support an existing monthly patching process in the customer's environment. Since I implemented CMG for the customer as part of another project last year, I was aware of the configuration, but when security patching didn't work using CMG on AAD devices, it came as a little surprise to me. I immediately put on my troubleshooting hat and started looking into the issue. Now update scan failures in the world of ConfigMgr is a common occurrence. Since I have dealt with such issues many times in the past during my career, I knew what and where to look for. I wanted to share some of my troubleshooting steps through this blog post which may help others in the future. The first thing I did was to check whether the client had installed ...

The default configuration for user sign-in frequency in Azure Active Directory is a rolling window of 90 days. But there are scenarios where organizations may require a fresh authentication every time a user performs specific actions. Based on customer feedback, Microsoft have introduced Sign-in frequency option Every time in addition to existing periodic frequency of hours and days. With this new capability, organization can now re-verify identity, device, and any other Conditional Access conditions for high-risk scenarios like - User risk  Session risk  Microsoft Intune device enrollment  I wanted to test this new feature for Intune enrollment and shall be covering my experience in this blog. Let's get started. 1. Head over to Microsoft Endpoint Manager admin center . 2. Select Endpoint Security > Conditional Access > New Policy. 3. Provide a Name. 4. Under Users and groups, choose Specific users included and select the users or groups that you want to targe...