GIA - Get Intune Assignments Application
Hello Everyone, Some time ago I was struggling to get all Assignments Intune for a Specific Azure AD Group. This option does not exist at console, and we need to run a lot of queries at MS Graph and/or use PowerShell to retrieve. So, to help the community I started to create PowerShell scripts to help to query some of the Assignments but, still, I had a lot of scripts each one to retrieve a specific type of items (like profiles, conditional access, apps, etc). After a while I decide to develop a C# .NET Application to facilitate the process. Today I want to share with all you my GIA App (Get Intune Assignments). It's available on my gitHub page: https://github.com/sibranda/GetIntuneAssignments I hope this app can help you guys the same way is helping me and my customers. RegardsWindows office hours: June 17, 2021
Post your questions for our next office hours session, which will take place here in the Windows servicing community on Thursday, June 17th from 9:00-10:00 a.m. Pacific Time. Join us to get answers to any questions you may have around managing updates for the remote and onsite devices in your organization, help with specific issues, and tips on how to increase update velocity. We'll have members of the Windows and Microsoft Endpoint Manager product and engineering teams on hand, as well as the FastTrack team. Save the date and see the Windows IT Pro Blog for full details. Let's get started!Securing Windows devices away from the corporate network
During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption. Learn more Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below. OSHA COVID19 guidance Configure and Deploy Security Baselines Setup/Configure Azure AD Connect Set up a Cloud Management Gateway Enable OneDrive for Business Switch to Split-Tunnel VPN Policies Enable ConfigMgr Co-Management Shift update and servicing workloads to the cloud (Windows Update for Business, Office 365 CDN) Begin OneDrive for Business Known Folder Migration Configure and Enable Azure AD Conditional Access Set up Azure App Proxy Replace Perimeter trust with Zero Trust Enhance MFA by issuing FIDO2 Keys Consider Further Advanced Cloud Security Solutions Leverage the power of Analytics: User Experience & Productivity Score Shift line of business (LOB) application workloads Configure and Deploy Security Baselines Begin piloting and shifting Policy, Compliance, and EP to the cloud Enable asset protection through Office ATP and MCAS Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager Azure Multi-Factor Authentication Conditional Access Data Leak Prevention Intune Migration Guide Zero Trust strategy—what good looks like How to implement Multi-Factor Authentication (MFA) Microsoft Cloud Security solutions provide comprehensive cross-cloud protection Blog: Brad Anderson Blog: Jared Spataro While not mentioned specifically in this session, here are some additional resources you might find helpful: Microsoft COVID-19 response site Enabling Remote Work Microsoft Endpoint Manager remote work blog Work remotely, stay secure 2 weeks in: what we’ve learned about remote work Frequently asked questions Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren’t clearly published)? A: We are seeing customers move all Internet traffic away from VPN and that’s what we do internally as well. There are a couple resources on this for WSUS (see 2.1.1) and Windows Update. Q: Are there instructions to shift Office updates from Configuration Manager to the cloud? A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager. Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team? A: Here are some resources that are available on the topic: https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/ https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 https://www.microsoft.com/en-us/security/business/identity/passwordless Q: Do you have any formal statements endorsing Split-Tunnel VPN? A: Statement below from: https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile Split tunneling Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default. Q: How can we evaluate the potential cost of the cloud management gateway (CMG)? A: Refer to the Configuration Manager documentation here: https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#cost Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance? A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP. Specifically, the Endpoint Detection and Response (EDR) component. Feedback We hope you find this first session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!Office hours are closed: December 17, 2020
Office hours are now closed. We hope we were able to answer your questions and provide tips and resources to help you more easily manage Windows 10 updates and your Windows device estate. The experts and engineers who supported today's session were: Windows as a service strategies, tactics, best practices: Dave Backman and James Bell Windows 10 deployment: Steve Thomas Cloud-based update management, Windows Update for Business: Aria Carley Microsoft Endpoint Manager: Joe Lurie Microsoft Endpoint Manager (public sector, CMG, etc.): Danny Guillory Configuration Manager: Rob York, Bruno Yoshioka Product feedback: Kevin Mineweaser FastTrack: Sean McLaren Save the date for future events We'll be back in 2021 every third Thursday. Save the date for our next office hours event -- Thursday, January 21st, 9:00-10:00 a.m. Pacific Time -- and see the Windows IT Pro Blog for an up-to-date list of future events. See you next time!
Compliance licenses at tenant level
Hi, We are a small organization of about 200 employees, and we have following requirements. DLP policies configuration at Exchange, OneDrive, SharePoint BYOD security Users should not be able to send files outside the org And so on as we evaluate We already have M365 Business Premium. However, after researching we figured out that M365 Business premium will alone not solve our requirements. May be compliance license will. We want to apply security policies at tenant level in our organization but definitely do not want every user to get licenses as this will be expensive for us and there is no requirement at all for our users. The question is, Is there a way to solve the above scenario?Defender for macOS onboarding issue
I am trying to onboard macOS devices in my organization with Microsoft Defender via Intune, and facing multiple issues with it, the configuration profiles are applied successfully only on few devices, only the first (manually installed) macOS is properly onboarded in Defender, and all of the other ones are complaining about missing license. Could someone answer few questions and maybe give some tips on how can I troubleshoot and resolve this: We have Microsoft 365 Business Premium license, and according to Defender documentation this is a sufficient license to use it on any endpoint device. However the error message on macOS devices states that there is a missing Microsoft Enterprise license. Is there a special license needed or is this just the payload configuration profile issue? The kernel extension and onboarding profiles are generated in the Microsoft Defender Admin Center, however I did noticed that the OrgID in the onboarding profile file does not match my TenantID. Does that mean that those files are premade and I should adjust them to my organization details or it is simply a different ID assigned? The onboarding profile gets successfully applied on all devices however the kernel extension profile fails on almost every device, and the successful applications do not follow any pattern or macOS version. Can't really find any suggestions on the possible root cause of this issue. Did anyone had similar problems with the kext profile? The Microsoft Defender Admin Center does provide a installation package PKG file. However according to the Defender documentation I should use Microsoft Defender for Endpoint (macOS) application that is ready to be applied directly from Intune Management Portal. Which is it? Or maybe both? Thank you in advance for any tips and / or answers 🙂Mobile Application Management for Windows (NEW)
This newly released product is now available in Public Preview, and I'm excited to share my initial impressions. MAM enables users to stay productive on any device while ensuring the security of our data. Mobile Application Management for Windows enables us to; Apply policies to corporate applications on personal devices. No enrollment required, just an Azure AD (or MEID) registration. Place restrictions such as cut/copy/print and blocking incoming or outgoing data. Integration with the Mobile Threat Defense connector to detect local health threats. Block access or wipe corporate data based on specific conditions. In this blog post, I provide a first look at the configuration and user experience of MAM for Windows. https://myronhelgering.com/first-look-at-mam-for-windows/
