management
677 Topics

Microsoft Technical Takeoff: Windows + Intune
Welcome to the third installment of the Microsoft Technical Takeoff for Windows and Microsoft Intune! This free, virtual skilling event offers prescriptive, technical deep dives and panel-based discussions to help you feel prepared and confident in deploying and managing devices, apps, and experiences from client to cloud! Experts from the Windows, Windows 365, Intune, Azure Virtual Desktop, and security teams answer your questions live during the sessions and throughout the week. This event is all about getting you the information and skills you need to be successful!

Monday, March 3, 2025 - now on demand!
- Let's talk Windows and Intune: 2025 edition
- Enhance and supercharge IT management with Copilot in Intune
- The hottest way to update Windows 11 and Windows Server 2025
- The path ahead: The roadmap for Windows in the cloud
- Achieving update harmony through unified update management
- Intune 'fast lane' - Let's talk about all things latency
- Untangling this thing called AI in a Windows ecosystem
- Understanding security and management on Windows 365 Link
- Unlocking productivity on the frontline with Windows 365
- From admin to standard user with Endpoint Privilege Management

Tuesday, March 4, 2025 - now on demand!
- Managing macOS updates in Intune
- Windows Autopatch: Your playbook for advanced update management
- Unified security: Intune + Microsoft Defender for Endpoint
- AMA: Microsoft Application Management for Windows
- Effective prompt engineering for IT pros
- Utilize, configure, and manage Cloud PKI like a pro
- Skill up! Cloud PC management and reporting
- Get to know Windows security and resiliency in the cloud
- Windows 11 kiosks: Cloud management for the win

Wednesday, March 5, 2025 - now on demand!
- Enabling accessible Windows 11 experiences: an IT pro's guide
- Never trust, always verify: Tips for Zero Trust with Intune
- Data protection with hardware-based security and Windows 11
- Best practices for Windows Autopilot and device preparation
- Intune data platform and Advanced Analytics
- Enhancing resiliency with Windows 365
- How to protect your administrator users on the device
- Delivering like-local Windows experiences from the cloud
- Deploying Microsoft Connected Cache for Enterprise at scale
- Secure corporate data and privacy with Win32 app isolation

Thursday, March 6, 2025 - now on demand!
- Azure Virtual Desktop app management
- Azure Virtual Desktop hostpool management at scale
- Device management for the frontline: Intune to the rescue
- The latest and greatest in the world of Windows LAPS
- AMA: Cloud native with Microsoft Intune
- Secure helpdesk support using Intune Remote Help
- Enterprise Application Management with Microsoft Graph
- Windows cloud migration and deployment best practices
- Windows 10 EOS: Myths, misconceptions, and FAQs

The full agenda
Here is a day-by-day look at the 2025 session grid, which was available for download.

Azure Monitor Baseline Alerts (Preview)
We are pleased to announce the public preview of Azure Monitor Baseline Alerts for Azure and Azure landing zone customers built by the Azure landing zone product group. The Baseline alerts 'framework' is built using Azure Policy with a predefined list of platform / infrastructure alerts that provides a flexible, scalable and consistent way to deploy alerts into your Azure environment.

A New Platform Management Group & Subscription for Security in Azure landing zone (ALZ)
At the start of 2025, during the January 2025 ALZ Community Call, we asked everyone for their feedback, via these discussions on our GitHub repo: 1898 & 1978, on the future of Microsoft Sentinel in the Azure landing zone (ALZ) architecture as we were receiving feedback that it needed some changes and additional clarity from what ALZ was deploying and advising then. We have now worked with customers, partners, and internal teams to figure out what we should update in ALZ around Microsoft Sentinel and Security tooling and have updated the ALZ conceptual architecture to show this.

What did ALZ advise and deploy before, by default?

Prior to these updates ALZ advised the following:
- The central Log Analytics Workspace (LAW) in the Management Subscription should be used to capture all logs, including security/SIEM logs
- The Microsoft Sentinel solution (called Security) should be installed upon this LAW also

And in the accelerators and tooling it deployed, by default:
- The central Log Analytics Workspace (LAW) in the Management Subscription with the Microsoft Sentinel solution installed
- Microsoft Sentinel had no additional configuration apart from being installed as a solution on the central LAW

What are the changes being made to ALZ from today?

Based on the feedback from the GitHub discussions and working with customers, partners and internal teams we are making the following changes:
- A new dedicated Security Management Group beneath the Platform Management Group
- A new dedicated Security Subscription placed in the new Security Management Group
  - Nothing will be deployed into this subscription by ALZ by default. This allows:
    - Customers & partners to deploy and manage the Microsoft Sentinel deployment how they wish to
    - The 31-day 10GB/day free trial can be started when the customer or partner is ready to utilise it
- No longer deploy the Microsoft Sentinel solution (called Security) on the central LAW in the Management Subscription
  - This allows for separating of operational/platform logs from security logs, as per considerations documented in Design a Log Analytics workspace architecture

The changes have only been made to our ALZ CAF/MS Learn guidance as of now, and the changes to the accelerators and implementation tools will be made over the coming months 👍

These changes can be seen in the latest ALZ conceptual architecture snippet below

The full ALZ conceptual architecture can be seen here on MS Learn. You can also download a Visio or PDF copy of all the ALZ diagrams.

What if we have already deployed ALZ?

If you have already deployed ALZ and haven't tailored the ALZ default Management Group hierarchy to create a Security Management Group then you can now review and decide whether this is something you'd like to create and align with. While not mandatory, this enhancement to the ALZ architecture is recommended for new customers. The previous approach remains valid; however, feedback from customers, partners, and internal teams indicates that using a dedicated Microsoft Sentinel and Log Analytics Workspace within a separate security-focused Subscription and Management Group is a common real-world practice. To reflect these real-world implementations and feedback, we’re evolving the ALZ conceptual architecture accordingly 👍

Closing

We hope you benefit from this update to the ALZ conceptual architecture. As always we welcome any feedback via our GitHub Issues

Azure Update Manager to support CIS hardened images among other images
What’s coming in by the first week of August: Azure Update Manager will add support for 35 CIS hardened images. This is the first time that an Update Management product in Azure is supporting CIS hardened images. Apart from CIS hardened images, Azure Update Manager will also add support for 59 other images to unblock Automation Update Management migrations to Azure Update Manager.

What’s coming in September: After this release, support will be added for another batch of 30 images.

Please refer to the article below to check the details of which images will be supported.

The 35 CIS images below will be supported by Azure Update Manager by the first week of August. Please note the Publisher for all these images is center-for-internet-security-inc.

Offer | Plan
cis-windows-server | cis-windows-server2016-l1-gen1, cis-windows-server2019-l1-gen1, cis-windows-server2019-l1-gen2, cis-windows-server2019-l2-gen1, cis-windows-server2022-l1-gen2, cis-windows-server2022-l2-gen2, cis-windows-server2022-l1-gen1
cis-windows-server-2022-l1 | cis-windows-server-2022-l1, cis-windows-server-2022-l1-gen2
cis-windows-server-2022-l2 | cis-windows-server-2022-l2, cis-windows-server-2022-l2-gen2
cis-windows-server-2019-v1-0-0-l1 | cis-ws2019-l1
cis-windows-server-2019-v1-0-0-l2 | cis-ws2019-l2
cis-windows-server-2016-v1-0-0-l1 | cis--l1
cis-windows-server-2016-v1-0-0-l2 | cis-ws2016-l2
cis-windows-server-2012-r2-v2-2-1-l2 | cis-ws2012-r2-l2
cis-rhel9-l1 | cis-rhel9-l1, cis-rhel9-l1-gen2
cis-rhel-8-l1 |
cis-rhel-8-l2 | cis-rhel8-l2
cis-rhel-7-l2 | cis-rhel7-l2
cis-rhel | cis-redhat7-l1-gen1, cis-redhat8-l1-gen1, cis-redhat8-l2-gen1, cis-redhat9-l1-gen1, cis-redhat9-l1-gen2
cis-ubuntu-linux-2204-l1 | cis-ubuntu-linux-2204-l1, cis-ubuntu-linux-2204-l1-gen2
cis-ubuntu-linux-2004-l1 | cis-ubuntu2004-l1
cis-ubuntu-linux-1804-l1 | cis-ubuntu1804-l1
cis-ubuntu | cis-ubuntu1804-l1, cis-ubuntulinux2004-l1-gen1, cis-ubuntulinux2204-l1-gen1, cis-ubuntulinux2204-l1-gen2
cis-oracle-linux-8-l1 | cis-oracle8-l1

Apart from CIS hardened images, below are the other 59 images which will be supported by Azure Update Manager by the first week of August:

Publisher | Offer | Plan
almalinux | almalinux-x86_64 | 8_7-gen2
belindaczsro1588885355210 | belvmsrv01 | belvmsrv003
cloudera | cloudera-centos-os | 7_5
cloud-infrastructure-services | rds-farm-2019 | rds-farm-2019
cloud-infrastructure-services | ad-dc-2019 | ad-dc-2019
cloud-infrastructure-services | sftp-2016 | sftp-2016
cloud-infrastructure-services | ad-dc-2016 | ad-dc-2016
cloud-infrastructure-services | hpc2019-windows-server-2019 | hpc2019-windows-server-2019
cloud-infrastructure-services | dns-ubuntu-2004 | dns-ubuntu-2004
cloud-infrastructure-services | servercore-2019 | servercore-2019
cloud-infrastructure-services | ad-dc-2022 | ad-dc-2022
cloud-infrastructure-services | squid-ubuntu-2004 | squid-ubuntu-2004
cognosys | sql-server-2016-sp2-std-win2016-debug-utilities | sql-server-2016-sp2-std-win2016-debug-utilities
esri | arcgis-enterprise | byol-108, byol-109, byol-111, byol-1081, byol-1091
esri | arcgis-enterprise-106 | byol-1061
esri | arcgis-enterprise-107 | byol-1071
esri | pro-byol | pro-byol-29
filemagellc | filemage-gateway-vm-win | filemage-gateway-vm-win-001, filemage-gateway-vm-win-002
github | github-enterprise | github-enterprise
matillion | matillion | matillion-etl-for-snowflake
microsoft-ads | windows-data-science-vm | windows2016, windows2016byol
microsoft-dsvm | ubuntu-1804 | 1804-gen2
netapp | netapp-oncommand-cloud-manager | occm-byol
nginxinc | nginx-plus-ent-v1 | nginx-plus-ent-centos7
ntegralinc1586961136942 | ntg_oracle_8_7 | ntg_oracle_8_7
procomputers | almalinux-8-7 | almalinux-8-7
procomputers | rhel-8-2 | rhel-8-2
RedHat | rhel | 8_9
redhat | rhel-byos | rhel-lvm79, rhel-lvm79-gen2, rhel-lvm8, rhel-lvm82-gen2, rhel-lvm83, rhel-lvm84, rhel-lvm84-gen2, rhel-lvm85-gen2, rhel-lvm86, rhel-lvm86-gen2, rhel-lvm87-gen2, rhel-raw76
redhat | rhel | 8.1
redhat | rhel-sap | 7.4
redhat | rhel-sap | 7.7
redhat | rhel | 89-gen2
southrivertech1586314123192 | tn-ent-payg | Tnentpayg
southrivertech1586314123192 | tn-sftp-payg | Tnsftppayg
suse | sles-sap-15-sp2-byos | gen2
suse | sles-15-sp5 | gen2
talend | talend_re_image | tlnd_re
thorntechnologiesllc | sftpgateway | Sftpgateway
veeam | office365backup | veeamoffice365backup
veeam | veeam-backup-replication | veeam-backup-replication-v11
zscaler | zscaler-private-access | zpa-con-azure

The images below will be supported in September:

Publisher | Offer | Plan
aod | win2019azpolicy | win2019azpolicy
belindaczsro1588885355210 | belvmsrv03 | belvmsrv001
center-for-internet-security-inc | cis-rhel-7-v2-2-0-l1 | cis-rhel7-l1
center-for-internet-security-inc | cis-rhel-7-stig | cis-rhel-7-stig
center-for-internet-security-inc | cis-win-2016-stig | cis-win-2016-stig
center-for-internet-security-inc | cis-windows-server-2012-r2-v2-2-1-l1 | cis-ws2012-r2-l1
cloudrichness | rockey_linux_image | rockylinux86
Credativ | Debian | 8
microsoftdynamicsnav | dynamicsnav | 2017
microsoftwindowsserver | windowsserver-hub | 2012-r2-datacenter-hub, 2016-datacenter-hub
MicrosoftWindowsServer | WindowsServer-HUB | 2016-Datacenter-HUB
ntegralinc1586961136942 | ntg_cbl_mariner_2 | ntg_cbl_mariner_2_gen2
openvpn | openvpnas | access_server_byol
rapid7 | nexpose-scan-engine | nexpose-scan-engine
rapid7 | rapid7-vm-console | rapid7-vm-console
suse | sles | 12-sp3
suse | sles-15-sp1-basic | gen1
suse | sles-15-sp2-basic | gen1
suse | sles-15-sp3-basic | gen1, gen2
suse | sles-15-sp4-basic | gen2
suse | sles-sap | 12-sp3, 15, gen2-15
suse | sles-sap-byos | 15
suse | SLES-SAP-BYOS | 15
suse | sles-sap-15-sp1-byos | gen1
Tenable | tenablecorenessus | tenablecorenessusbyol

HOW-TO: Import Out of Band Updates to WSUS using Microsoft Edge Chromium IE Mode and PowerShell
-----
I recommend using https://www.powershellgallery.com/packages/Import-WSUSUpdate
Full instructions to install the module are located here - https://www.ajtek.ca/blog/the-new-way-to-import-updates-into-wsus/
-----

History:
09/12/2023 - adding PowerShell method to the OP
07/30/2023 - please follow the latest comments for the updated approach using PowerShell. The method in the OP has become obsolete
01/13/2022 - update links and clarification to prevent an error "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS", added Troubleshooting and Q&A section.
02/11/2021 - initial version

PREREQUISITES:
- Windows 10 / 11 / Windows Server 2016 or later with WSUS RSAT Tool installed.
- Latest Microsoft Edge installed, version 97 as of time of writing.
- Internet Explorer (mode) is installed in Settings > Apps > Optional Features or equivalent location in Windows 11

HOW-TO:
- Open Edge 97 or later
- Open Microsoft Edge Options > Default Browser
- Change "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow'
- Add links to add to Microsoft Edge IE Mode
- Remove all other links in the scope of *.catalog.update.microsoft.com, only these shall remain for the catalog.update.microsoft.com page.
  https://catalog.update.microsoft.com/
  https://catalog.update.microsoft.com/v7/site/Home.aspx
  See screenshots below for better illustration.
- Close Edge and all catalog tabs if there were any open, especially if you use the "Open tabs from the previous session" feature
- Open WSUS MMC and right click Updates from the tree > Import Updates
- The link in Edge should open in IE mode; there are several indicators of this. The open tab should point to https://catalog.update.microsoft.com/v7/site/Home.aspx?SKU=WSUS&Version=10.0.xxxxx.xxxx&ServerName=YOURSERVER.CONTOSO.LOCAL&PortNumber=8531&Ssl=True&Protocol=1.20

NOTES
1. When the link opened by importing updates from WSUS MMC does not contain the "v7/site/" part, or does contain https://www.update instead of https://catalog.update, your configuration is wrong.
2. The "Default" setting will not be sufficient to allow the installation and use of the ActiveX plugin. Go back to your update catalog tab and install the ActiveX if you have not done so on this box already. Check that you have not set up restrictions to execute or install ActiveX plugins in IE directly or via group policy.
3. Edge now has the ability to show an IE Mode button. It also has a new feature to automatically add pages to the exception list. Do not use this ability as shown in the picture for this use case, as it might add wrong exceptions to the list.
4. When there are wrong exceptions in the exception list for IE mode it might not work correctly and cause a missing but very important redirection, which ultimately causes the import to fail. More troubleshooting assistance below.

LINKS STARTING FROM DECEMBER 2021 / JANUARY 2022:
Links to add to Microsoft Edge IE Mode
https://catalog.update.microsoft.com/
https://catalog.update.microsoft.com/v7/site/Home.aspx

TROUBLESHOOTING:

Q 1: Microsoft Edge does not allow me to configure any IE Site Mode links (greyed out).
A: Either you have not set "Allow Sites to be reloaded in Internet Explorer Mode" to 'Allow', or your enterprise has set policies to prevent that. This should be clearly indicated by a lock and message in the Edge settings tab.

Q 2: I have followed this guide or a previous version. I can see the cart to import into WSUS but cannot import any or just specific updates. Others fail with a message "This update cannot be imported into Windows Server Update Services, because it is not compatible with your version of WSUS".
A: This is a "known" issue and the guide has been updated to reflect this issue and a potential change on the server-side. Please make sure only the two links are included in your IE mode list. They may not include www in the link name. You need to include both links, not just one or the other as in the previous version of this guide.

Q 3: May I use the new Edge feature in Settings > Appearance > Internet Explorer Mode button?
A: I would recommend refraining from using this feature, as the mechanism between WSUS update import and the browser is extremely picky. It would not work if you just copy the same link into a browser tab. The feature of the cart to import into WSUS will likely be missing and you can just download to the Download folder instead.

Q 4: Edge offers me to restart this tab in IE mode next time.
A: You should not receive this message, otherwise the exceptions as stated in the guide are invalid or you have more than the stated links in place. Go through the guide again and double-check. Do not use this otherwise nice feature. It will cause more catalog links to be added to the exception list, which will cause an issue when importing updates to WSUS, as described in Q #2.

Thanks for the hint Eric_VanAelstyn, thanks to abbodi1406 for additional hints after this guide got invalid due to a redirection change in December 2021 / January 2022.

cc AriaUpdated MissyQ cc for the other teams as I did not want to repost it in Edge and Servicing communities, unless you insist 🙂