It's been a while, and because there was a fair bit of interest in version 1 of my Autopilot Quick Links document I thought it was time to make some updates. Thanks so much to all the great blogs and articles community members have produced. If you are researching or learning about Microsoft Autopilot, life is made so much easier when you have a quick reference guide, right? These are blogs and videos I've come across and also include resources others have requested to be added to IQL. They have helped me in my learning experience so I wanted to share this for you to benefit from. As always, if you find this useful then please provide some feedback or send me your links to articles and I will continue to maintain this list. In the meantime feel free to download the PDF document. Happy learning.
One of the great benefits of using PowerShell and the Microsoft Graph is the flexibility it introduces when quickly updating your Intune tenant. In this blog I'm going to show how to use both of these to configure a Wi-Fi configuration profile for your Windows 10 and later devices. If you want to learn the basics and full capability of MS Graph, take a look at the Microsoft Learn module here: What is Microsoft Graph? - Training | Microsoft Learn. Note that Wi-Fi profiles can also be configured specifically for iOS, macOS and Android devices.
So on to Wi-Fi profiles within Intune. Wi-Fi is a wireless network used by mobile devices to gain network access. Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and devices in your organization. So this scenario could be useful to your company when making Wi-Fi available to your employees or guests. This might be to either or both corporate or personally owned devices when on company sites. All Wi-Fi network connections are identified with a specific SSID or Service Set Identifier, so if you choose to not broadcast your SSID but you still want employees to automatically have access this could be a great option. It certainly stops the need to publish the information, which could land in the hands of unwanted users and devices, and means they don't need to know the password.
Steps to deployment.
I will show two options for creating the Wi-Fi profile to use here. First using the Intune portal and a configuration template for 'Windows 10 and later' and then using the Graph API route to show you the comparison.
1. Deployment using an Intune Configuration profile
So let's get into it. Log in to your Intune tenant endpoint.microsoft.com and navigate to
Home > Devices > Device Profiles
Author: Andy Jones
Filters were introduced to Intune around mid 2021 and for some reason have mainly escaped me up to this point. I, like many, have used Dynamic groups as the default approach when needing to narrow down the assignment of compliance policies, configuration profiles and applications. Filters however bring a number of welcome improvements to the table, which we will go through in this blog.
Filters introduce a way of applying advanced targeting and, in some scenarios, performance benefits to help you replace the use of dynamic group assignment. When it comes to defining and applying Filters you typically need to make the right architectural decisions for your own Intune deployments, but filters add a new layer of targeting definitely worth considering. The natural way of structuring your users and devices, by creating Azure Active Directory 'Groups', hasn't changed. By creating these you are defining a hierarchy and structure that reflects your organisation, which may be through specific teams of people such as the 'Sales team' or device types such as 'Windows 11 devices'. These are still relevant and provide the baseline for assignment to your applications, policies and profiles. For each of these groups where Microsoft have added the option for filters, you now have the ability to narrow the assignment scope to best fit your needs.
We do need to mention 'Virtual Groups', as these include 'All users' and 'All devices' and by default they don't have any management overhead, meaning there is no need to first create or make changes for these. It's worth noting that every time you create a new group (one that has never been used before in an Intune assignment) it goes through a first-time setup process together with a membership sync. This first sync will always take longer than subsequent (incremental) syncs. The upside to these virtual groups is that they are stable and highly optimized for assignment. The use of these may be few and far between, so most admins will break down all users and all devices into subgroups. As a result the groups you create need to be synchronized from Azure AD and evaluated for assignment. And therein lies the major benefit for me, the performance of assignment. I have seen technical community requests for information when it comes to dynamic group assignment, for example. The underlying issue is that it sometimes takes longer than expected, especially on larger group assignments, to verify the members that apply to the dynamic groups, which can then delay an app or policy being deployed or even delay an enrolment.
Author: Andy Jones Date Published: 09/08/2022
Expedite built from Windows Update for Business (WUfB)
I first want to provide some background to this blog topic. If you're familiar with the Windows Update for Business (WUfB) service you'll know this is the main channel for updating your Windows 10 or later devices with the latest security defenses, bug fixes and Windows features. Once you switch from Configuration Manager workloads to WUfB your devices can be updated with policies defined with cloud-based management using Intune. There are four key management policies provided by WUfB which include:
So what is Expedite for Quality updates?
Expedite for quality updates was introduced to quickly maintain the productivity of devices. Originally released in May 2021, this option is still in preview at the time of writing, so please be aware of this when deploying on your production platform.
PLEASE NOTE: It's important to know also that Expedite only includes security updates right now, but I could see this being expanded in the future.
July 8th, 2022 by Andrew Jones
I’m sure you will agree that using passwords is on a road to extinction. Hi there, in this blog post I'm going to cover the topic of security and going Password-less using FIDO2 Security keys. If you would prefer to watch the video version of this, head over to YouTube: https://youtu.be/Kq74imD6KPY
In this blog I will cover setting up Azure AD, Microsoft Intune and registering a hardware security key for a single test user.
Let me start by saying a special thanks to Feitian, who kindly provided me with three of their FIDO2 security keys. I’ll be using one of these, the K26, to demonstrate how it works in a Password-less experience.
Before we dive into the detail, we first need to look at some of the background and put some context around this topic. Recent statistics show around 81% of cyberattacks are due to compromised usernames or passwords. So, when we look at the use of passwords, old security approaches in the enterprise simply no longer apply. When we think about it, the only people who like passwords are hackers. We have to create and remember them, which is why help desks get so many calls, and not only are they expensive to manage but they are easy for hackers to guess.
So the first approach, and one quickly becoming a standard, is to turn on multi-factor authentication, which reduces the risk considerably. We won’t go into setting this up or configuring this here, but take a look at the Microsoft article on how to achieve this: Enable Azure AD Multi-Factor Authentication - Microsoft Entra | Microsoft Docs
It is important to highlight that 2-factor authentication using passwords is not the most convenient and secure method we can use. The diagram below shows a representation of the current guidance on this.
When you're looking to migrate your infrastructure into the cloud there are generally two areas of concern that pop up time and time again: your applications and group policy objects (GPOs). So in this blog I'm going to look at how you collect your group policy objects, analyse them within Microsoft Intune, and deploy available settings to Windows devices.
When examining a GPO policy within Intune, you'll first require a GPO report file. You can either create this directly or create a backup of an existing Group Policy object; what is required is a report .xml file. To achieve this, launch Group Policy Management within your own environment (domain) and navigate to the group policy objects. Select a specific GPO for examining and then right-click that GPO to make a backup. You will need to select your destination and then take a copy of the gpreport.xml file. This will then be the report file you can use to import into your Intune environment.
With your gpreport file saved, log in to Microsoft Endpoint Manager admin center using an Intune administrator or Global Admin account and navigate to: Devices > Group Policy analytics.
Please note: this is currently still in preview at the time of doing this blog but I'm hoping it will become GA fairly soon (fingers crossed).
Import your GPO into Intune
The next step is to hit the import option and select the report file you backed up previously. After you have imported the gpreport.xml file it will first show that it's being processed and then that it has been imported. Go ahead and close that option, after which the page will start showing details straight away.
If we take a look at my actual imported gpreport.xml in more detail you will notice that basically what it has imported is a computer GPO which has a number of settings. The setting types contained within this group policy include things like clear text password, lockout bad count and minimum password age.
So I'm a little late to the game on this, I know, but when it comes to proactive remediations with Intune it is a bit of a waiting game. I'm obviously referring to that short time frame before you start seeing some great examples appearing within the community. There are now probably 100s of great blogs and PR packages created which address real-life issues and help simplify an admin's role. We can all learn by example, but also why reinvent the wheel?
On my own path to understanding what Proactive Remediations are and how they can be applied I have used many of these to better my knowledge, so I thought I'd create a Quick Links on these for you guys. A big thanks to all early adopters and especially those willing to share their experience and hard work.
Watch out for my forthcoming YouTube video where I introduce and test out Proactive Remediations for myself and even develop my own to share. Meanwhile take a look and download my 10 getting started links provided by community members.