User Profile
StuartK73
Iron Contributor
Joined Mar 26, 2018
Recent Discussions
Re: Separate APP policies
Hi Buddy

Many thanks for your reply although I don't think I really understand what you are saying. Anyway, I think I have it working with the following filters:

BYOD APP policy > Assigned to E3 / F3 groups > EXCLUDE (app.deviceManagementType -eq "Android Enterprise")
Corp Owned / Intune Enrolled COBO APP policy > EXCLUDE (app.deviceManagementType -eq "Unmanaged")

In APP Monitor, I can see:
BYOD APP policy going to my test BYOD device
COBO APP policy going to my test COBO device

This is the desired outcome 😎🌲

Separate APP policies
Hi All

I hope you are well and have a Merry Christmas and a Happy New Year. Anyway, trying to get my head around APP policies for both BYOD and Corp (COBO) Android devices. I'd like nothing more than a single APP policy for Android, but there are certain settings, such as block screenshots, that I would like to include in the BYOD APP policy but not include in the Corp (COBO) APP policy.

So, my thinking is:
BYOD APP policy > Assigned to E3 / F3 groups > Filter on EXCLUDE corp devices
Corp Owned / Intune Enrolled COBO APP policy > Filter on EXCLUDE personal devices

Could someone advise on the best way to achieve this? What's the best Device / App filter syntax to use?

Info appreciated

Remed Script to delete Reg Value
Hi All

I hope you are well. Anyway, pulling hair out on this one, so could someone help me compile a Detect and Remed script to delete the following Reg key please:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Value I need removed is the SetActiveHours one as below.

Any help would be greatly appreciated.
Re: Restrict some devices
Hi Buddy

Unfortunately, these devices are not yet enrolled in Defender for Endpoint; I am and have been pressing for this for a while now.

Could you elaborate on "Alternatively, if you have list of devices already identified, then you can block access to them using conditional access device filters."? I'm struggling to get my head around the Include filtered devices in the policy / Exclude filtered devices from the policy.

Let's say we do:
CA Policy - Filtered Devices
All users
All resources
Access = BLOCK
Include filtered devices in the policy
Property: DeviceID / Operator: Equals / Value: Device ID from Intune

Does that policy work out as any user accessing any cloud resource on that deviceID is blocked?

SK

Block All Software Installs
Hi All

Is there a way to block all software installs on Windows devices except for those we push out via Intune? I have had a look in the Device Config settings, but there seem to be some confusing settings in there, some stating set as "Disabled" when disabled isn't an option.

Info appreciated.

Restrict some devices
Hi All

I hope you are well. Anyway, I'm looking for some advice. We have identified some Intune enrolled, Entra ID joined devices that may be security risks (malware) and would like to restrict these devices from accessing things like M365 apps, Azure VPN etc etc. What's the best way to achieve this? Conditional Access and target a group with the devices as members?

Info appreciated

TAP Question
Hi All

I hope you are well. Anyway, I'm looking for some clarification over Temporary Access Passes (TAP), as our testing seems to reveal some different results from those listed in the MS documentation. Here are the scenarios.

My understanding:
Require MFA policy deployed via Conditional Access
New user F3 user starts
Issue TAP to user where they can then setup MFA themselves via My Security Info etc

Testing results:
Require MFA policy deployed via Conditional Access
New user F3 user starts
User can setup MFA themselves via MS Auth app on a mobile device or via My Security Info in a browser

MS TAP Info page: "The most common use for a TAP is for a user to register authentication details during the first sign-in or device setup, without the need to complete extra security prompts."
Ref: Configure a Temporary Access Pass in Microsoft Entra ID to register passwordless authentication methods - Microsoft Entra ID | Microsoft Learn

Have I misunderstood something here, and if a new user can indeed still setup MFA, is there any real need for a TAP for a first time user?

Info appreciated.

SK
Re: Password reset via InTunes takes up to 30 minutes
Hi Buddy

Yeah defo more information is required here, and I'm not aware of any password reset mechanism within Intune itself. A lot of people seem to be confused with the different Microsoft portals and end up labeling them all as "Intune" or "Azure". Here's a brief summary of some of them:

Infrastructure - Virtual Machines, Networks etc etc: https://portal.azure.com
Identity - User and Group management etc etc: https://entra.microsoft.com
M365 Applications - Office apps etc etc: http://admin.microsoft.com
Device Management - MDM, MAM, Application deployment, Device Security etc etc: http://endpoint.microsoft.com
Compliance - As it says: https://purview.microsoft.com

Please note that there is a lot of "overlap" between portals.

To address your original question, I think you have some sort of on-premise infrastructure which is syncing your users from Active Directory (AD) to Microsoft Entra, but you'd need to confirm this. If so, you can force a Delta sync on your sync server via PowerShell by: Start-ADSyncSyncCycle -PolicyType Delta. You can also alter your sync intervals (30 mins?), all info here: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler#custom-scheduler

I hope this is correct and helps.

Stuart

MGP Keep apps on certain version
Hi All

I hope you are well. Anyway, a wee urgent one here. Is there any way to keep apps from the Managed Google Play to a certain version number? Apparently, the latest version of one of our apps is flawed. This is an app that is available publicly and not an LOB / APK etc.

Info appreciated.

Stuart

MHS Permissions / Samsung OEMConfig
Hi All

I hope you are well. Anyway, we are rolling out Android Enterprise ZTE tablets in Entra Shared Device Mode and all seems well. The only thing is the MHS app permissions deployed via the Device config profile just don't seem to have worked, and also I can't see anywhere in the OEMConfig file to set Power / Sleep options. Does anyone have the correct working settings for these 2 things?

Info appreciated.

SK