This blog will be about the Bitlocker recovery key and some proactive remediation (and some background information about how it works) Bitlocker is one of the many security measures you will need to implement to make sure the data is safe when a device is stolen. One of the downsides are the support tickets that could be created when a user simply does not remember their password anymore and tried it too many times. Luckily in a normal situation, you…
This blog will be about a weird MFA problem when we were enrolling devices and at the same time configuring MFA. The user in question already had the company and Authenticator app installed on their IPhone. We were very glad, because it can really save some time. It’s obvious MFA needs to be required when devices need to join Azure Ad. We handed out the surface, so the user could complete the steps to configure Windows Hello and setting up…
Using Autopilot will give you a lot of benefits, especially when combining it with White Glove. When you have got new devices, you are good to go but when you want to enroll existing “older” devices into Autopilot White Glove you can run into some problems. When we were enrolling a lot of new devices at a customer site no problems were encountered, because we previously enrolled them with Autopilot White glove. After our work was done, the customer asked…
This blog will be about what kind of problems you can run into when you have multiple customers inside one active directory and you want to provide them SSO with Office 365. Making use of modern authentication in combination with SSO can provide you with a very good user experience, except when you don’t have the option to use single sign-on. Take a look at this scenario: You are a hosting provider You have one big multi-Tenant Active Directory You…
In this blog I will give you my opinion on how I prefer apps to be deployed. When deploying a zero-trust modern workplace you need to make sure your users are not member of the local admin group. Take a look at my blogs if you want to make sure a user is never a local admin. When your users are no local admin anymore, you can implement an AppLocker policy to make sure your devices are secure. But here…
This blog will be about some weird RunOnce behavior when installing applications. This week, a customer asked me to push their Nuance Dragon speech software to some specific devices. I guess I am a nice person, so I immediately created a new Win32 App with some parameters. To start testing, it’s always recommended to have a dedicated M365 test tenant for testing purposes with some test virtual machines. I enrolled a new virtual Windows 10 and waited until the application…
Starting with Microsoft 365 business is an excellent idea. It contains almost everything you need for a secure modern workplace. With almost everything I mean you’ll be missing out on some great features contained within the Microsoft E5 license. The biggest example would be Microsoft Defender for endpoints, it also has some addons like web content filtering. I can imagine for the SMB, Microsoft E5 might be too expensive for now. The price difference between a Microsoft 365 Business premium…
In this blog, I will show you how to remove the OOBE stage when NOT using autopilot. When using autopilot you can configure the OOBE experience like this. When NOT using autopilot, you have got some challenges. One of them is skipping this kind of questions: Configuring the user account type, is the second challenge. You really want to have a standard user and not an admin! Luckily I already blogged about it, how you can prevent users from becoming…
This blog will be about my experience with dynamic group membership within Azure AD. Waiting for dynamic group membership to be updated can be a pain, certainly when combining dynamic groups with Autopilot. Imagine you have a Windows 10 device that’s not imported in autopilot, you’ll need to upload the hardware hash and wait for the device to change the autopilot device status to assigned. Waiting…waiting…waiting. But still, the profile status is not assigned. So, what to do now? Grab…
The power of remote wiping your device is great to have. When your devices are configured with Autopilot, a remote wipe will make sure your devices will return to factory defaults and will begin to enroll your device with all that’s configured in Intune. Transforming to a zero-trust modern workplace will require some work. You’ll need to setup Autopilot, collect the hardware hashes, remote wipe, and reset the device to let it enroll in Azure Ad with autopilot. But how…