Massive Security win! You can now manage policies for #VSCode in #Intune! As of the #Windows June Preview Update (26200.8524), MS have unblocked the VSCode ADMX registry path, meaning that uploading the ADMX shipped with a VSCode install allows you to create a policy to deploy allowed extensions (either by publisher or individually), as well as things like controlling chat capabilities and MCP servers - all of which have been proven to be serious supply chain attack or data exfiltration risks! VSCode policy docs: code.visualstudio.com/docs/e…
James Robinson | MVP retweeted
3.10.3 Released. Added Win32 app Install/Uninstall script support and Windows Quality Update Policies. Fixed category import, JSON property order for Git tracking, and multiple documentation fixes. See github.com/Micke-K/IntuneMan… for more info
🚨#OIB #Windows v3.8 & #OIBDeployer updates! I've just released v3.8 of the Windows OIB, which adds some cool things, as well as squashing a bunch of #community submitted bugs! Most importantly, I'm adding policy tracking through unique "OIBID"s, meaning much more flexible options when it comes to policy management through my OIB Deployer tool! Speaking of which, I've updated that too! A small face-lift (including dark mode!), API call improvements, and the functionality to support the new OIBID checks. Full Windows v3.8 Changelog here: stte.me/oibwin3dot8 Deploy or Update it in your tenant here: stte.me/deployoib To everyone that continues to provide support, feedback, and trust in this little project that's gotten way bigger than I ever thought it would - Thank you. 💛
See also: Things that "Pwn Defender". OOTB Consumer Defender and Defender for Endpoint configured properly are very different things.
>headline: “critical vulnerability unveiled” >body: “requires local admin”
I'm going to go against the grain here and say that the knee-jerk reaction happening after the #Stryker incident is stupid. All of a sudden I'm seeing tons of security people now shouting that #Intune Multi Admin Approval needs to be deployed, yet for years they've not even considered that a device management platform is a core part of an org's security posture. What's worse is, from my personal experience presenting topics on this exact issue, they've been actively gatekeeping security from your endpoint management teams, creating a horrible siloed culture. Stryker wasn't a critical failure in the endpoint management platform; it was just another Identity-driven attack where the proper attention to controls around least privilege, Conditional Access and authentication enforcement had been poorly implemented. Intune RBAC and Multi Admin Approval provide strong additional layers of security, but both come at a significant cost to day-to-day operational overhead that many orgs are just NOT prepared or set up to deal with. While I'm glad that it's making security folk realise that Device Management IS Security (something I've been banging on about for years at this point), you don't get to suddenly demand implementation of a thing just because you read something on the internet when you haven't done your part in shoring up security gaps. Stop living in a silo, collaborate, engage. Security is everyone's responsibility, and only working together will provide positive outcomes.
Security folk - You starting to realise that Device Management needs to be part of Security, yet?
Reduce your Intune Admins and use Intune RBAC and restricted admin units. Segregate device management into groups to decrease the blast radius. Treat Intune Admins like Global Admins. Require PIM with approvals. I've been saying this since before it was popular. As unpopular as this may sound right now, Microsoft is not to blame. They wrote about how to do all this in their documentation, but nobody does it. You have to keep in mind that it could have been a Global Admin too. In that case, the situation is even more dire. The vast majority of orgs are still hybrid. If the compromise was of the on-prem AD, there's not much you can do, because you can pivot to an Intune Admin's device and use the APIs. This is why your EDR should be throwing high alerts when admin machines stop checking in, and you should validate visibility on those machines. Managing admin machines is really, really hard. Admins write code, run scripts, and look like they are compromised all the time when they're not.
Keeping Intune compliance-related policies current shouldn’t be a manual chore, so I'm releasing IntuneComplianceMaintainer! ICM is a PowerShell tool that automatically keeps Intune compliance & app-protection policies aligned with supported OS versions across Windows, macOS, iOS/iPadOS, and Android! stte.me/automatecompliance
🚨#Windows #OIB v3.7 - 25H2 Edition is live! Try out the OIB Deployer at deploy.openintunebaseline.co… to get a neat view of new and updated policies and an easy way to get them imported! Full change notes at stte.me/oib25h2
So after 10 years, 2 months, 15 days, #Windows10 reaches end of support. For those having to keep it around, I hope you've got ESU, because they're going to be a perfect target. It wouldn't surprise me if we saw some juicy 0-Days crop up that have just been waiting for this moment. If you don't... Well, to quote my clickbait blog title from Jan 2023: Windows 10 is Dead! Migrate to 11 immediately!
It's both an honour and a privilege to not only sit down and talk #OIB with @rucam365, but also be a part of the incredible Microsoft Practice at @Threatscape. AND, as if Friday couldn't get any better, I've also just published a preview change log of the 25H2 release! Check them out at: stte.me/oib25h2 youtube.com/watch?v=Xe32TzHg…
🚨Huge #OpenIntuneBaseline News! I've been busy working on a web-based, user-friendly tool to be able to deploy and version-check existing #OIB deployments, and it's finally ready!
Features:
- New Deployments: Allows granular control over policy deployment. Import as much or as little as you want!
- Existing Deployments: Validate your OIB policies against the latest version, allowing quick and easy views on what's outdated or new.
- Completely browser-based, using MSAL Authentication.
- MIT Licensed: Not comfortable using my Enterprise App? No problem! Grab the code and host it yourself or run it locally!
Website: deploy.openintunebaseline.co…
GitHub: github.com/SkipToTheEndpoint…
Huge thanks to the various people who have provided feedback, input and testing while I've been putting this together. Even bigger thanks to everyone in the community who use, and provide feedback, bugs and requests for the OIB. I don't think it's possible to even estimate how many hours the project has been able to save Intune admins around the world. Also, we're closing in on 1k Stars on GitHub! #MayTheCapybaraBeWithYou
Seeing lots of "Are you Windows 11 ready" posts both here and elsewhere, and I have to ask: Why are you leaving it so late? This change isn't a surprise. It's been communicated for YEARS. I wrote the below blog in January of *2023*, mostly off the back of the conversations with customers I was having at the time, so there's more of the "why move" stuff. But now you don't have a choice. There are now only 47 working days before it's unsupported. So, my blunt but genuine question: Why has it taken a near-dangerous amount of time to make a change which shouldn't have been that big of a deal? skiptotheendpoint.co.uk/wind…
James Robinson | MVP retweeted
In case you've been living under a rock... OpenIntuneBaselines (OIB) are probably a better starting point for most orgs than other benchmarks (including paid ones). This is the value of design and feedback by a community of passionate practitioners. github.com/SkipToTheEndpoint…
Security is always going to be a balance between that and user experience. That being said, the OIB does a TON of stuff that they wouldn't even touch because they don't understand endpoint management (or user experience 😅)
There's some companion apps coming to #Windows11 via the M365 Desktop Apps that might catch admins or users off-guard, so I've put some thoughts and information together in a mini-blog. skiptotheendpoint.co.uk/m365…
#Intune environments with Windows ARM64 devices! Have you had an absolute nightmare with apps meant for x64 being installed? Rejoice! New Win32 Requirements allows you to specifically choose ARM64 as an architecture!
"There's no value in this Copilot stuff!" Just because YOU don't see it, doesn't mean all your users wouldn't benefit in their day-to-day. Don't believe me? How about the findings of the UK Gov across 20,000 employees? gov.uk/government/publicatio…
➡️"...saved an average of 26 minutes a day..." ➡️"Over 70% of users agreed that M365 Copilot reduced time spent searching for information, performing mundane tasks, and increased time spent on more strategic activities."
➡️"...82% expressing they would not want to return to their pre-Copilot working conditions..." ➡️"...positive impact on users with accessibility needs..."