Welcome to this coast! Learn everything on Endpoint Management with Microsoft Intune to deploy, manage, secure and monitor endpoints from all platforms through the cloud.


Introduction, experience and thoughts

Introduction to the Microsoft Intune product family
Introduction This post is recommended for any reader who is new to Intune or would like to get a high-level overview of the Intune product family. It will contain the product, feature and service names and a description of their purpose, as well as references to my dedicated blog posts
A touch on Intune
This blog is mostly about Intune Endpoint Management. Modern Workplace and Mobile Device Management (MDM), with a special focus on security. This post will treat a high-level introduction to Microsoft Intune. The audience are people that are new to specifically Intune. You don’t need to have a high…
Unboxing the Intune Suite
IntroductionHere we go - the full Microsoft Intune Suite is released in February 2024 🥳 We now got Microsoft Cloud PKI, Advanced Analytics and Enterprise Application Management in the portfolio. This blog post shows a first look at the features, their benefits and how to get started. These features…
What you need to know about Intune
Ever wondered what Autopilot or Intune is? Read here more about this topic!
Intune best practices
Introduction This post is a summary of brief descriptions to technical Intune best practices. To deliver a true modern workplace these topics may be considered. You may also be interested in one of my other posts: Tranisition to modern Endpoint Management Intune challenges A full series on everythi…
Transition to modern Endpoint Management
This is an updated post, here you will find information about: Endpoint Management design (legacy vs. modern) Reasons for Hybrid or Cloud-only Configuration challenges and approaches Security aspects This post is intended to give an engineering overview on the journey to Modern Endpoint Management…
Autopilot identities and assignments
Introduction Every modern Windows (10/11) device can be setup and managed through Intune and enabled for organizational use. There are two types of ownership, one is personal and the other corporate. If a device is fully corporate-owned, the hard- and software should be registered for an organizatio…

Troubleshooting

Autopilot Troubleshooting
Introduction I have already created a post about Autopilot Troubleshooting nearly 2 years ago, but I wanted to update it and make it a little more structured and straight-forward. What is Microsoft Intune Endpoint Management? Essentially Microsoft Intune uses the capability of Windows Autopilot to…
Troubleshooting Intune policies and apps
Introduction This post aims to explain a standard procedure when investigating for unexpected behavior or errors between Intune and an endpoint. This means, when the IT admin configures anything in the Intune admin portal and the device should apply the setting, but encounters issues. Things could g…

Start of the journey

Upload hardware hash to Intune, made easy
This script was made as an addition to “Get-WindowsAutoPilotInfo” for registering the individual hardware hash id from a device into a Microsoft 365 Intune tenant for device enrollment to be super simple & reusable.
Intune operations par excellence
💡Learn about how to align organizational operations, to deliver technology with excellence!Introduction Im my daily work as engineer and consultant I accompany organizations from several industries on their way to modern endpoint management with Microsoft Intune. Beside the technical challenges, I…

Design and solution concepts

Enforce device compliance
Introduction Most organizations have compliance requirements for dozens of topics, spanning both technical and non-technical domains, as they are in a complex landscape of regulations, standards, and best practices to ensure the integrity, security, and conduct of their operations. This post is jus…
Intune certificate deployment overview
💡Microsoft announced “cloud certification management” capabilities for the Intune suite to come in the second half of 2023. This could significantly simplify Intune certificate management.Introduction Authentication with certificates is considered as very secure and seamless for the user. Simply pu…
Enable network authentication with Azure AD only joined devices & Intune
Introduction This post is a brief summary of establishing network connection (wired or wireless network) on Intune managed devices, from my experience. Challenges -Azure AD only joined devices are not present in Active Directory and therefore certificates can not be issued by the PKI, resulting tha…
Windows updates - write up
Introduction Windows update is seen on all Windows operating systems (OS) so that endpoints stay up to date with the newest features, run high-performing, without bugs and stay secure. This post aims to clarify different update methods, release channels, update types, support durations and focus on…
Summarized: Windows Update for Business reports (former Update Compliance)
Introduction So, Windows Update for Business houses a lot of components, including: Receive update services: Windows end device Configuration: through GPO, CSP or Graph API and PowerShell SDK Reporting: Windows Update for Business reports (now generall available) - what this post is about, along wi…
Intune + driver update management - concept summary
Introduction Here it is! Windows driver and firmware updates with Intune 🥳 This post will be a brief kick-off and concept summary of this new feature. Previously, Windows Update for Business only allowed for a all-or-nothing setting. Driver updates could be blocked or allowed. Now we have the capa…
The bridge from Intune to Defender for Endpoint
Introduction This post is a straightforward tutorial to enable Defender for Endpoint with Intune. These two products live in the Microsoft ecosystem and can be natively integrated. It is a major advantage to connect your endpoint management product (Intune) with your XDR and security product (Defend…
Intune - a reference to Kiosk/shared PC mode
Introduction Windows is an open platform that allows users to install applications, customize settings and work on files of several different types. At the same time there are some use cases where a limited or restricted app or Windows platform environment is needed. These are called single-use, Kio…

Security

Dive into Microsoft Security Baselines
ℹ️This is not a pure security post, it is focusing on high-level topics around endpoint security and baselines. Please be aware that security configuration and operation should be performed on the highest level of professionality.Introduction In my blog posts I often mention the Microsoft Security B…
Windows Hello for Business - summary and a focus to the modern way
Windows Hello for Business (WHfB) is a modern attempt to go passwordless, reinforce security and increase end user usability. It leverages Windows account authentication services to get access to resources, or in the simplest scenario: login to your device. Key facts WHfB is an authentication metho…
Local admin/privilege management with Intune
Introduction Most operating system know two levels of user interactions. Standard or elevated, also known as administrator. For Windows in the enterprise segment, the users most often work with standard permissions. The IT has access to administrator accounts that can modify the system, install appl…
Windows LAPS: the comprehensive guide
Introduction This post features Windows LAPS with its most important specifications and what you need to know high-level. Both Active Directory and Azure AD scenarios are described. Overview Windows LAPS is now in public preview! The Local Administrator Password Solution is a familiar Microsoft pr…
Endpoint Privilege Management deployment guide
IntroductionMicrosoft Endpoint Privilege Management (EPM) is a part of the Intune Suite offering. It allows standard users to run applications with privilege rights, without the need to be local administrators. This is a massive security improvement and supports your zero-trust strategy. At core, wi…
Device Control with Intune
Introduction This post will walk you through Device Control with Microsoft Intune. It is all about controlling access to certain devices or peripherals of Windows. Background Device Control can bring the benefit for these requirements: Security: Peripherals connected to your device and operating s…

RBAC

Intune RBAC permissions
Introduction Intune role-based access control allows administrators to control the level of access to the Intune portal and its resources. It works by assigning roles to users or groups of users. Each role defines a set of permissions throughout Intune or device management such as Device configurat…
Device management RBAC design (Intune & Azure AD)
Introduction This post is the part 2 of my initial writing on RBAC in Intune. My intention is to explain a real world example on RBAC design with Intune and Azure AD, since device operations can be made on the Intune device object, but also on the Azure AD device

Graph API

Get started with Graph API + Explorer and Powershell - how to import/export Intune profiles
Introduction The Microsoft Graph Microsoft Graph enables you to access all your data and intelligence in Microsoft 365, Windows, and Enterprise Mobility + Security. Available under one single endpoint: https://graph.microsoft.com you can call Microsoft Graph from your REST APIs or SDKs. Through Grap…
Azure Managed Identity - access to Graph API and Azure resources
Introduction Nowadays and with Azure, many resources interact with each other and therefore need some type of authentication. As credentials through passwords is no longer considered as safe, we need other secrets to provide authorized access. This is where Managed Identities come to play - they al…
Intune automation enlightenment - Azure Logic App + Graph API + Managed Identity
Introduction In this post we are going to delve into automation for Endpoint Management with Intune. The idea is to give you a powerful and secure tool that you can then use to develop solutions for any use case. Make sure to understand Graph API and Managed Identity in advance
Intune event based automation with alert rules
Introduction In my last post I talked about Intune automation enlightenment with Azure Logic Apps. This time we will take a look on event based triggering to notify for alerting purposes or run Logic apps or other automation tools. Components Azure Log Analytics Workspace provides the ability to st…

Miscellaneous

Intune change tracking (Azure Workbook)
What is it? Intune offers a variety of configurations and functionalities, namely talking about configuration profiles, applications, scripts and also operational tasks like managing a device. (enroll, sync, delete etc.) It can be quite a challenge to keep track of all the changes and operations, a…
Intune challenges (community edition)
What to expect I wanted to hear from you on Reddit and Twitter about which challenges you are facing with Intune. This post concentrates on a summary writeup on the most intense challenges and I want to bring in some of my advice and experience. This post was written in
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.