The Twelve Days of Blog-mas: No.11 – The Kitchen Sink

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

Hi folks!

I am running out of days for my “Twelve Days” timeframe, so I’m dropping a pile of topics here that I feel are important/helpful but less-known.

Apologies in advance for the brevity and link-breadcrumbs.

On-prem App Provisioning + MIM Connector Re-use

• For a loooong time, we have been waiting for the ability to provision on-prem users/apps as well as re-use existing MIM connectors.  There are some caveats (a big one is no support for AD provisioning at this time) but there is good progress here.
  • Microsoft Entra on-premises application provisioning architecture | Microsoft Learn
  • Microsoft Entra provisioning to applications using custom connectors | Microsoft Learn

Apps in Intune

• Manage and secure apps in Intune - Microsoft Intune | Microsoft Learn

• Use the Company Portal app for your private app repo on Windows 11 devices - Windows Application Management | Microsoft Learn
  • TIP: If apps are mysteriously not showing up in the Company Portal, check your app assignments.  If you assign an app to devices/device groups (instead of users/user groups), the app won’t show up in the Company Portal.
    • This is because the Company Portal is a based on the user sign-in – not the context of the device.
  • TIP: Wanna see your Config Manager apps in the Company Portal along with your Intune apps (CMPivot in the example below)? 

 Enable Company Portal to be the ‘user portal’ option for the Software Center option in Configuration Manager Client Settings

NOTE: Enabling that integration of CM apps into Company Portal does NOT break or disable Software Center, though – that still works fine:

• Below is a visual collage of the various ‘Application’ elements for a given Co-managed device from within the Intune portal:
  • Discovered apps – A list of detected apps on a device.
    • Discovered apps - Microsoft Intune | Microsoft Learn
  • Applications – SCCM-based apps on a Co-managed device.
  • Managed Apps – Intune deployed apps on a device.
    • Add apps to Microsoft Intune | Microsoft Learn

• Coming in early 2024 - Intune Suite - Enterprise App Management
  • Event | Navigate the future of Enterprise Application Management with Intune | Microsoft Technical Takeoff
• Use our services and cloud infrastructure to test/re-test your Windows apps, even with your own OS image – take a close look at Test Base
  • What’s new: Test Base for Microsoft 365 at Microsoft Ignite 2023 | Windows IT Pro Blog
• App Control for Business - makes it easier to control the apps that are allowed to run on Windows devices in your environment.
  • Manage approved apps for Windows devices with App Control for Business policy and Managed Installers in Microsoft Intune | Microsoft Learn

Surface Management Portal

• Overview of Microsoft Surface Management Portal | Microsoft Learn

Patch Windows.  Better.  From the Cloud.

• We’re bringing more and more capability and flexibility to cloud-based patching for Windows
  • Overview of the deployment service - Windows Update for Business deployment service | Microsoft Learn
• Autopatch – I’ll admit that I initially kicked this one aside.  However, it’s feature set has expanded VERY quickly and it can be a viable way to off-load the lion’s share of the mundane patching efforts for your Windows clients.  We have large enterprises succeeding with this.  
  • A brief video I took part in back in April
  • A lot of improvements came out in August, including a deployment guide.
• Soon, all the WUFB ‘stuff’ will fall under the ‘Autopatch’ brand (which is expanding)
  • What’s New in Windows Autopatch: Microsoft Ignite 2023 Edition | Windows IT Pro Blog

Protect.  Detect.  Respond.

Defender for Identity is an amazing product.  If you have it going in your enviro, you already know this.  If you don't have it going yet, get to it - you'll sleep better.  It proactively monitors network traffic/patterns and event logs for Active Directory (and ADFS and now ADCS/PKI). 

• One example is watching for sensitive group changes. 
• The portal will pop Incidents and/or Alerts details for monitored activities VERY quickly.
• But it can send you daily reports, too - Manage reports - Microsoft Defender for Identity | Microsoft Learn

• The 'usual suspects' like Domain Admins are tagged as sensitive, but of course, you can tag your own, too:

• The "Report" is a multi-tabbed XLS with all the ‘who/what/where/when’ glory. 

"Happy little clouds"

This Visio evolved from an ad-hoc whiteboard drawing during a customer discussion about endpoint and server management - enjoy the Bob Ross (RIP)

A series recap (so far):

1. The Twelve Days of Blog-mas: No.1 - A Creative Use for Intune Remediations - Microsoft Community Hub
2. The Twelve Days of Blog-mas: No.2 - Windows Web Sign in and Passwordless - Microsoft Community Hub
3. The Twelve Days of Blog-mas: No.3 - Windows Local Admin Password Solution (LAPS) - Microsoft Communi...
4. The Twelve Days of Blog-mas: No.4 - Sync Cloud Groups from AAD/Entra ID back to Active Directory - M...
5. The Twelve Days of Blog-mas: No.5 - The Endpoint Management Jigsaw - Microsoft Community Hub
6. The Twelve Days of Blog-mas: No.6 - The Reporting Edition - Microsoft Community Hub
7. The Twelve Days of Blog-mas: No.7 - Architecture Visuals - for Your Reference or Your Own Docs - Mic...
8. The Twelve Days of Blog-mas: No.8 - The Evolution of Windows Server Management - Microsoft Community Hub
9. The Twelve Days of Blog-mas: No.9 - It’s a Multi-Tenant and Cross-Platform World: Part I - Microsoft Community Hub
10. The Twelve Days of Blog-mas: No.10 - It’s a Multi-Tenant and Cross-Platform World: Part II - Microsoft Community Hub

See ya tomorrow!

Hilde