endpoint management
42 Topics

GIA - Get Intune Assignments Application
Hello Everyone,

Some time ago I was struggling to get all Intune assignments for a specific Azure AD group. This option does not exist in the console, and we need to run a lot of queries against MS Graph and/or use PowerShell to retrieve them. So, to help the community, I started to create PowerShell scripts to help query some of the assignments, but I still had a lot of scripts, each one retrieving a specific type of item (like profiles, conditional access, apps, etc.). After a while I decided to develop a C# .NET application to facilitate the process.

Today I want to share with all of you my GIA App (Get Intune Assignments). It's available on my GitHub page: https://github.com/sibranda/GetIntuneAssignments

I hope this app can help you guys the same way it is helping me and my customers.

Regards

Windows office hours: June 17, 2021
Post your questions for our next office hours session, which will take place here in the Windows servicing community on Thursday, June 17th from 9:00-10:00 a.m. Pacific Time.

Join us to get answers to any questions you may have around managing updates for the remote and onsite devices in your organization, help with specific issues, and tips on how to increase update velocity. We'll have members of the Windows and Microsoft Endpoint Manager product and engineering teams on hand, as well as the FastTrack team.

Save the date and see the Windows IT Pro Blog for full details. Let's get started!

Securing Windows devices away from the corporate network
During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption.

Learn more

Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below.

OSHA COVID19 guidance
Configure and Deploy Security Baselines
Setup/Configure Azure AD Connect
Set up a Cloud Management Gateway
Enable OneDrive for Business
Switch to Split-Tunnel VPN Policies
Enable ConfigMgr Co-Management
Shift update and servicing workloads to the cloud (Windows Update for Business, Office 365 CDN)
Begin OneDrive for Business Known Folder Migration
Configure and Enable Azure AD Conditional Access
Set up Azure App Proxy
Replace Perimeter trust with Zero Trust
Enhance MFA by issuing FIDO2 Keys
Consider Further Advanced Cloud Security Solutions
Leverage the power of Analytics: User Experience & Productivity Score
Shift line of business (LOB) application workloads
Configure and Deploy Security Baselines
Begin piloting and shifting Policy, Compliance, and EP to the cloud
Enable asset protection through Office ATP and MCAS
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Azure Multi-Factor Authentication
Conditional Access
Data Leak Prevention
Intune Migration Guide
Zero Trust strategy—what good looks like
How to implement Multi-Factor Authentication (MFA)
Microsoft Cloud Security solutions provide comprehensive cross-cloud protection
Blog: Brad Anderson
Blog: Jared Spataro

While not mentioned specifically in this session, here are some additional resources you might find helpful:

Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we’ve learned about remote work

Frequently asked questions

Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren’t clearly published)?
A: We are seeing customers move all Internet traffic away from VPN and that’s what we do internally as well. There are a couple resources on this for WSUS (see 2.1.1) and Windows Update.

Q: Are there instructions to shift Office updates from Configuration Manager to the cloud?
A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager.

Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team?
A: Here are some resources that are available on the topic:
https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.microsoft.com/en-us/security/business/identity/passwordless

Q: Do you have any formal statements endorsing Split-Tunnel VPN?
A: Statement below from: https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile
Split tunneling
Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default.

Q: How can we evaluate the potential cost of the cloud management gateway (CMG)?
A: Refer to the Configuration Manager documentation here: https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#cost

Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance?
A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP. Specifically, the Endpoint Detection and Response (EDR) component.

Feedback

We hope you find this first session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

Office hours are closed: December 17, 2020
Office hours are now closed. We hope we were able to answer your questions and provide tips and resources to help you more easily manage Windows 10 updates and your Windows device estate.

The experts and engineers who supported today's session were:

Windows as a service strategies, tactics, best practices: Dave Backman and James Bell
Windows 10 deployment: Steve Thomas
Cloud-based update management, Windows Update for Business: Aria Carley
Microsoft Endpoint Manager: Joe Lurie
Microsoft Endpoint Manager (public sector, CMG, etc.): Danny Guillory
Configuration Manager: Rob York, Bruno Yoshioka
Product feedback: Kevin Mineweaser
FastTrack: Sean McLaren

Save the date for future events

We'll be back in 2021 every third Thursday. Save the date for our next office hours event -- Thursday, January 21st, 9:00-10:00 a.m. Pacific Time -- and see the Windows IT Pro Blog for an up-to-date list of future events. See you next time!

Enterprise Security Assessment: A Strategic Lens for Mission Critical Environments
Understanding Enterprise Security at Scale

Understanding security posture at scale requires more than isolated control reviews or point‑in‑time assessments. The Enterprise Security Assessment (ESA) helps organizations understand their security posture across Azure, Microsoft 365, and hybrid environments from a true enterprise perspective. Instead of assessing individual services or workloads in isolation, ESA provides a single, enterprise‑wide view of security. By examining identity, data security, endpoints, threat protection, and cloud infrastructure together, ESA helps uncover gaps that often span multiple teams and platforms. This broader perspective enables clearer prioritization, stronger alignment across security teams, and a more resilient foundation for long‑term security improvement. ESA complements other Microsoft assessments, such as workload‑specific reviews, by connecting the bigger picture - to align security priorities across teams and platforms, fostering a more cohesive and resilient security approach.

From Standard Engagement to Strategic Partnership

An Enterprise Security Assessment is typically delivered as a focused engagement designed to establish an enterprise‑wide view of security posture. At Microsoft, we begin by reviewing Secure Score insights, analyzing a defined set of core security datasets, and correlating those signals across Azure and Microsoft 365. For many organizations, this approach works well. Collecting and evaluating these datasets provides a high‑level understanding of security posture, highlights common gaps, and identifies priority improvement areas. In standard enterprise environments, ESA delivers actionable insights with minimal disruption and sets a solid foundation for security improvements.

How ESA Evolves in Mission‑Critical Environments

In large or mission‑critical environments, security is often distributed across multiple teams and tools. Operational constraints, regulatory requirements, and business dependencies introduce complexity that standard assessments cannot fully capture. For mission‑critical customers, ESA goes beyond a baseline review and becomes more consultative. This typically includes:

📝 Structured discovery sessions across multiple security domains
🤝 Deep‑dive workshops with specialized teams
🎯 Validation of findings against real‑world operating models
🔄 Iterative analysis to validate findings against real operational conditions

This ensures recommendations reflect how security is actually managed, not just how it is documented.

Why Going Deeper Matters to Customers

For organizations operating at scale, this consultative ESA approach delivers significantly more than a standard readout:

A realistic, enterprise‑wide understanding of security posture, grounded in actual configurations and operating models
Clear visibility into cross‑team dependencies and systemic risks
Prioritized recommendations aligned to existing licenses, third‑party tools, and regulatory requirements
A realistic, phased security roadmap focused on adoption, not theory

The result is a clear starting point for security improvements that teams can execute with confidence.

A Continuous Improvement Model

ESA is not a one‑time exercise. For most customers, it becomes the foundation for ongoing security maturity. Once a baseline is established, future ESAs are faster and more efficient, allowing organizations to track progress, validate improvements, and maintain alignment as environments evolve. Over time, ESA functions as an annual enterprise security health check, supported by follow‑up reviews and continuous improvement.

In mission‑critical environments, this means:

The first ESA requires deeper engagement investment
Building cross-team alignment takes time
Future assessments become smoother and more efficient once a baseline is established

Over time, ESA functions as an enterprise security health check that supports continuous improvement. It works best when treated as a starting point for continuous improvement and Enterprise Security Alignment.

What Customers Gain from an Enterprise Security Assessment

A true enterprise view
Visibility across identity, data, devices, cloud workloads, and threat signals - without losing sight of critical details.

A customized security roadmap
Recommendations aligned to existing licenses, third‑party tools, hybrid footprints, and regulatory requirements - making adoption realistic, not aspirational.

Momentum and measurability
Many organizations track progress using dashboards or scorecards to measure improvement and sustain focus over time.

Repeatability
Once a baseline is established, future ESAs become easier and more efficient - serving as a regular health check rather than a brand‑new effort.

A consultative model
ESA delivers far more value than a one‑time assessment by fostering collaboration, shared understanding, and long‑term alignment.

A Foundation for Continuous Improvement

Enterprise security is complex, especially at scale. In mission‑critical environments, security success depends on embracing complexity, aligning teams, and moving beyond a standard assessment playbook. An Enterprise Security Assessment is more than a snapshot. It’s an opportunity to build alignment, inform strategy, and create a resilient security foundation that evolves with the organization.

Compliance licenses at tenant level
Hi,

We are a small organization of about 200 employees, and we have the following requirements:

DLP policies configuration at Exchange, OneDrive, SharePoint
BYOD security
Users should not be able to send files outside the org
And so on as we evaluate

We already have M365 Business Premium. However, after researching, we figured out that M365 Business Premium alone will not solve our requirements. Maybe a compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses, as this will be expensive for us and there is no requirement at all for our users.

The question is: is there a way to solve the above scenario?

Microsoft 365 networking - Proxy Endpoints
[New Blog Post] In my latest article, I have summarized the endpoints for #Microsoft365. These endpoints are relevant for proxy settings and for routing with direct breakout. #M365 #EXO #SPO #Azure #MSIntune #MVPbuzz https://www.msb365.blog/?p=5549498Views1like0Comments

Defender for macOS onboarding issue
I am trying to onboard macOS devices in my organization with Microsoft Defender via Intune, and I am facing multiple issues with it: the configuration profiles are applied successfully on only a few devices, only the first (manually installed) macOS is properly onboarded in Defender, and all of the other ones are complaining about a missing license. Could someone answer a few questions and maybe give some tips on how I can troubleshoot and resolve this:

We have a Microsoft 365 Business Premium license, and according to the Defender documentation this is a sufficient license to use it on any endpoint device. However, the error message on macOS devices states that there is a missing Microsoft Enterprise license. Is there a special license needed, or is this just a payload configuration profile issue?

The kernel extension and onboarding profiles are generated in the Microsoft Defender Admin Center; however, I did notice that the OrgID in the onboarding profile file does not match my TenantID. Does that mean that those files are premade and I should adjust them to my organization's details, or is it simply a different ID assigned?

The onboarding profile gets successfully applied on all devices; however, the kernel extension profile fails on almost every device, and the successful applications do not follow any pattern or macOS version. I can't really find any suggestions on the possible root cause of this issue. Did anyone have similar problems with the kext profile?

The Microsoft Defender Admin Center does provide an installation package PKG file. However, according to the Defender documentation, I should use the Microsoft Defender for Endpoint (macOS) application that is ready to be applied directly from the Intune Management Portal. Which is it? Or maybe both?

Thank you in advance for any tips and/or answers 🙂