Modern Device Management

  Microsoft recently released next version of  Windows 11 known as 22H2. This feature update comes with many new security capabilities and one of such capability is Enhanced Phishing Protection. As part of Microsoft Defender SmartScreen, Enhanced Phishing Protection helps in protecting Microsoft school or work passwords against phishing and unsafe usage on sites and apps. It currently supports the following 3 scenarios: 1. If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account. 2. Reusing work or school passwords on sites and apps will prompt them to change their password. 3. Storing plaintext passwords in text editors such as Notepad or Office applications like Word, will result in a warning and a recommendation for removing the password from the file. If yo...

A large number of my customers are implementing Autopilot device provisioning process in an effort to move away from traditional imaging solutions like ConfigMgr and adopt cloud first strategy, whilst retaining their investment in ConfigMgr. This normally results in a mixed workload management through Co-management which can be setup and configured easily. For devices being provisioned using Autopilot, there is actually more than 1 way to achieve a co-managed state for the endpoints. If you are looking for a native solution, then Microsoft recently introduced Co-management settings right in MEM Console which can be used to apply the settings automatically during ESP phase. However, this method doesn't support all scenarios and there are some limitations, namely - - Hybrid Azure AD-joined devices are not supported. - Autopilot pre-provisioning, also known as white glove provisioning is not supported. - Workloads switched to Pilot Intune with pilot collections are not supported. - Cl...

Are you deploying OneDrive configuration including Known folder move using Settings Catalog and wondering why your known folders Documents and Pictures are not synching like Desktop , then you are not alone. Ever since settings catalog was introduced, I have practically moved all my device policies over, where ever possible of course. Naturally, I moved OneDrive settings as well, but soon realized that this may not be such a good idea. At least not until Microsoft addresses the issue. As of writing this blog, it is not possible to configure all known folder move configuration in settings catalog. Currently the following settings are available under Settings Catalog - When you configure these settings and assign them, only the Desktop known folder will get enabled for sync, leaving the other 2 known folders Documents and Pictures un-managed. To fix this natively in Intune, the only option is to use built Administrative template. This is because the built-in administrative templates...

I recently dealt with an Autopilot issue which prompted me to capture my experience in this blog. Now issues during Autopilot provisioning is fairly common. Especially when Microsoft introduces changes in the backend that affects the Autopilot provisioning process. Now I am not sure if the issue I experienced was a result of some changes made by Microsoft or not, but it certainly affected some tenants as many others reported similar issues on Twitter . Let me explain the issue in detail. In my case it started with AP timing out with the infamous 0x800705b4 error. Running Get-AutopilotDiagnostics led me to believe that something was wrong with how policies were getting evaluated as ESP showed as not assigned. This is odd. Why would ESP not show assigned when the very same policy had been running for weeks without any issues? What is even more strange that the diagnostics showed ESP as blocking. That would explain the timeout error I was seeing. To test my theory of a possible issue wit...