Restrict users desktop on AVD-Hosts (local user-profiles)
Greetings, I have a query regarding restricting user desktops to only allow read permissions. Our team attempted to achieve this goal by utilizing Group Policy Objects (GPOs) and adjusting the rights on the folder "%UserProfile%\Desktop". Regrettably, our efforts did not produce the desired outcome. Hence, we would appreciate your guidance and insights on whether it is possible to realize this restriction using local user profiles. If so, we would be grateful for any recommended approaches or best practices to accomplish this effectively. Thank you all for your time and expertise. Your assistance will be greatly valued.Personal devices enrolled into Intune despite being blocked?
I'm still fairly new to modern device management so please forgive me in advance! I've currently got several hundred devices enrolled via Autopilot successfully into MEM, but found a dozen or so that popped up as personal, despite that option having been restricted. Am I missing something that is allowing the occasional one to slip through the cracks? I did a quick search here and didn't come across a similar issue so figured I would ask.
Breaking Inheriting Permissions and creating groups
Hello everyone, I am trying to control access to folders from specific user. So I created a library and "stopped inheriting permissions", my plan was to create groups with different access levels and add different users within. But as I was about to do this, I ran into an issue, I realized that groups are created at the site level and because of this, the groups will also have access to the other Libraries I have within the same site...which is something I do not want and is risky. The only option I see so far is to add individual users into the Library and then restrict each folder to each user individually. But the issue is that this will not work in the long run. Is there any other way to do this that anyone is aware of? Thank you all. The image below shows I am only able to aMicrosoft Teams with Teams, Calendar, Calls but no Chat and Files
We are rolling out Teams pretty slowly and right now we provide our users with the following functions: - Calls - Calendar The first step was the replacement of WebEx as video conference software. Now we want to take the next step and provide the users with Teams. But since we haven't established a rights management system yet, we have to disable the usage of SharePoint Online files usage. So what we want to provide is: - Calls - Calendar - Teams - OneNote - Planner I know that the OneNotes and Planner are located within SharePoint online or other online services. And I know that Teams don't work with any other data storage besides SharePoint Online. So is there any way to activate Teams with channels but don't use the files? OneDrive for Business is already disabled for all users. The only idea that comes to my mind is to revoke all Team members the rights for the underlying SharePoint site. Since we established a Power Automate process to create a new Team it would just be another step to do that programmatically. I know that it would be a far better user experience to provide all the amazing features of Teams. It's just the way it is.
OneDrive sync restriction not working properly - some legit machines blocked.
We've recently deployed OneDrive for Business for a customer and we set up the client sync restriction to the domain GUID. There seem to be some HUGE issues with the feature to make me think it's buggy. Issue #1 - Random computers on the "allowed" domain are not recognised as such and clients are denied sync. The error thrown is "Sorry, OneDrive can't add your folder right now." Furthermore, Fiddler shows an HTTP response "X-ClientErrorCode: MachineIsNotAllowedToSync". Issue #2 - Users randomly get a problem in Office ProPlus when opening OneDrive files. For example, in Excel, going to the "Open" menu item and select OneDrive as the storage location, they are prompted for credentials to sign-in. When they enter correct credentials, the error thrown is "That Microsoft account doesn't exist. Enter a different account or get a new one." For both of these issues, disabling the OneDrive for Business client restriction fixes the problem immediately. I've also tested affected client computers both on the local network (which has a proxy) and direct Internet access. Anyone seen this behaviour? I'd love to see some documentation on how the domain GUID is confirmed at the client-side to point me in the right direction.
