Posts

Showing posts from 2025

Fixing Windows Update installation errors and why enabling Windows Telemetry is a good idea.

While attempting to upgrade my Surface device to 25H2 in my tenant, I constantly encountered issues. The error in the default Windows Update report was not really helpful. The error just indicated that the installation was being cancelled by the user and that it needed attention. This is quite bizarre, because I had kept the device switched on and connected to the internet for a long period of time, so the error didn't make sense to me. I started investigating this and realized that I needed more information to get to the bottom of the error. That is when I realized that I hadn't configured the collection of Windows diagnostic (telemetry) data correctly. While this is not a necessity, it is nonetheless highly recommended. Here is why. Windows telemetry helps in improving security and compatibility, identifying and troubleshooting issues, and monitoring device performance and reliability through the collection of specific data points. These are classified across - Service-based data fro...

Enable compliant network compliance using conditional access & Global Secure Access client for macOS - Putting it all together!

Back in January 2024, when I first wrote about my experience working with Global Secure Access (GSA) for Android OS, GSA was still in preview. Since then, most of the configuration in GSA has moved into GA, including support for macOS, and this is what I will be covering in this blog. First, a quick refresher on what GSA is really all about. Global Secure Access (GSA) is Microsoft’s unified Security Service Edge (SSE) solution that combines Microsoft Entra Internet Access and Microsoft Entra Private Access, giving identity-aware access control (for internet, SaaS, and private resources) without relying solely on VPNs. Using GSA, one can guard against threats like token replay by leveraging a combination of compliant network and conditional access policies. A compliant network check is a conditional access control that one can configure so that access to resources is only allowed when the client is connected via the Global Secure Access infrastructure (i.e. traffic is routed throug...

Defender Offboarding using Intune - The EDR way!

Every now and then, I get asked by customers for ways of offboarding devices from Defender for Endpoint for various reasons. Most of the time it involves troubleshooting of some sort, which requires going off MDE altogether. While I normally recommend putting the device in troubleshooting mode, sometimes it is just not the way to go, and therefore one finds oneself offboarding the devices. Until now, I had been using the OMA-URI way of offboarding a device in Intune, but recently I stumbled upon another way which I had no idea ever existed. Did you know that you can use EDR to offboard a device? Surprise, surprise. I had always used EDR under endpoint security in Intune to use the blob connector to onboard a device. However, the same EDR profile also allows offboarding devices using the value from the WindowsDefenderATP offboarding package. Here is how you can go about it - 1. Head over to the Microsoft Defender admin portal. 2. Navigate to Settings > Endpoints > Offboardin...

Microsoft Edge Secure Password Deployment

I recently had a conversation with a customer around the configuration of shared Windows devices, and as part of the discussion, the customer showed interest in having multiple users log in to web applications in Edge in a secure manner. It immediately struck me that Microsoft had recently released the Secure Password Deployment feature for enterprise customers. It had recently moved into GA, and I thought it was a legitimate option and possibly the right fit considering their specific requirement. Microsoft Edge's Secure Password Deployment feature is a new enterprise-grade solution designed to enhance password security and simplify access for organizations. It allows administrators to securely share encrypted passwords with specific users or groups within an organization using Microsoft Edge for Business. This is especially useful in environments where shared credentials are needed but must be tightly controlled. These passwords are encrypted using Microsoft Information Protect...