Browsed by
Category: Device Enrollment

B for Bitlocker

This blog will be about the BitLocker recovery key and some proactive remediation (and some background information about how it works). BitLocker is one of the many security measures you will need to implement to make sure the data is safe when a device is stolen. One of the downsides is the support tickets that could be created when a user simply does not remember their password anymore and has tried it too many times. Luckily in a normal situation, you…

Natural Born MFA Killers

This blog will be about a weird MFA problem when we were enrolling devices and at the same time configuring MFA. The user in question already had the company  and Authenticator app installed on their iPhone. We were very glad, because it can really save some time. It’s obvious MFA needs to be required when devices need to join Azure AD. We handed out the Surface, so the user could complete the steps to configure Windows Hello and setting up…

The red screen before Christmas

Using Autopilot will give you a lot of benefits, especially when combining it with White Glove. When you have new devices, you are good to go, but when you want to enroll existing “older” devices into Autopilot White Glove you can run into some problems. When we were enrolling a lot of new devices at a customer site no problems were encountered, because we previously enrolled them with Autopilot White Glove. After our work was done, the customer asked…

Fantastic MR. SSO

This blog will be about what kind of problems you can run into when you have multiple customers inside one Active Directory and you want to provide them SSO with Office 365. Making use of modern authentication in combination with SSO can provide you with a very good user experience, except when you don’t have the option to use single sign-on. Take a look at this scenario: You are a hosting provider. You have one big multi-tenant Active Directory. You…

Company App: Unchained

In this blog I will give you my opinion on how I prefer apps to be deployed. When deploying a zero-trust modern workplace you need to make sure your users are not members of the local admin group. Take a look at my blogs if you want to make sure a user is never a local admin. When your users are no longer local admins, you can implement an AppLocker policy to make sure your devices are secure. But here…

The chronicles of Win32 App installations: The RunOnce key, OneDrive and Adminless

This blog will be about some weird RunOnce behavior when installing applications. This week, a customer asked me to push their Nuance Dragon speech software to some specific devices. I guess I am a nice person, so I immediately created a new Win32 App with some parameters. To start testing, it’s always recommended to have a dedicated M365 test tenant for testing purposes with some test virtual machines. I enrolled a new virtual Windows 10 and waited until the application…

Web Content filtering: The final chapter

Starting with Microsoft 365 Business is an excellent idea. It contains almost everything you need for a secure modern workplace. With almost everything I mean you’ll be missing out on some great features contained within the Microsoft E5 license. The biggest example would be Microsoft Defender for Endpoint, which also has some add-ons like web content filtering. I can imagine for the SMB, Microsoft E5 might be too expensive for now. The price difference between a Microsoft 365 Business Premium…

The curious cage of hiding the OOBE stage

In this blog, I will show you how to remove the OOBE stage when NOT using Autopilot. When using Autopilot you can configure the OOBE experience like this. When NOT using Autopilot, you have got some challenges. One of them is skipping this kind of question. Configuring the user account type is the second challenge. You really want to have a standard user and not an admin! Luckily I already blogged about it, how you can prevent users from becoming…

Autopilot: The group membership war

This blog will be about my experience with dynamic group membership within Azure AD. Waiting for dynamic group membership to be updated can be a pain, certainly when combining dynamic groups with Autopilot. Imagine you have a Windows 10 device that’s not imported in Autopilot, you’ll need to upload the hardware hash and wait for the device to change the Autopilot device status to assigned. Waiting…waiting…waiting. But still, the profile status is not assigned. So, what to do now? Grab…

Remote Wipe: The Next level

The power of remote wiping your device is great to have. When your devices are configured with Autopilot, a remote wipe will make sure your devices will return to factory defaults and will begin to enroll your device with all that’s configured in Intune. Transforming to a zero-trust modern workplace will require some work. You’ll need to set up Autopilot, collect the hardware hashes, remote wipe, and reset the device to let it enroll in Azure AD with Autopilot. But how…
