Wednesday, 30 April 2025

What's new in Microsoft Intune: April 2025

Microsoft Intune's April 2025 release introduces several enhancements aimed at improving device management and security:

Custom Naming for Android Enterprise Devices - Administrators can now create custom naming templates during Android Enterprise device enrollment. This feature allows the inclusion of fixed text and device-specific variables (like serial numbers), promoting consistency and reducing post-enrollment renaming efforts.




Enhanced Controls for Apple Devices - Intune expands its Mobile Application Management (MAM) capabilities for unmanaged iOS devices. New Application Protection Policies (APP) now allow administrators to:
  • Block screen captures within the Apple Intelligence app.
  • Control access to AI-driven tools like Writing Tools and Genmojis. These controls help balance user productivity with data security.

Tuesday, 29 April 2025

Microsoft Intune: Customization of app installs with Enterprise Application Management (Sep 2025 Rollout Update)

The script installer gives you more control over Win32 app installations, including apps from the Enterprise App Management (EAM) catalog: you can now supply a PowerShell script in place of the install command line, so pre-checks, custom parameters and post-install steps run as part of the install itself.



Wednesday, 9 April 2025

Step-by-Step Guide to Changing the Microsoft 365 Apps Update Channel | Microsoft Configuration Manager


Managing the update channels for Microsoft 365 Apps is crucial for IT administrators aiming to control the deployment of new features and updates within their organizations. Microsoft Configuration Manager (ConfigMgr) offers a robust platform to facilitate this process, ensuring devices receive updates in alignment with organizational policies. This guide provides a comprehensive walkthrough on changing the Microsoft 365 Apps update channel using ConfigMgr.

Prerequisites

Before proceeding, ensure the following conditions are met:

  1. Configuration Manager Management: ConfigMgr should be configured to manage the "Click-to-Run" workload for Office applications.

  2. Scheduled Task Activation: The "Office Automatic Updates 2.0" scheduled task must be enabled on all client devices so that the Click-to-Run client can detect and apply updates.

  3. Update Deployment Configuration: ConfigMgr should be set up to deploy Microsoft 365 Apps updates. Detailed instructions are available in Microsoft's documentation on managing updates to Microsoft 365 Apps with Configuration Manager.

  4. Administrative Access: Ensure you have the necessary permissions to create applications and device collections within ConfigMgr.

Step-by-Step Guide to Changing the Update Channel

Step 1: Remove Conflicting Group Policies

If there are existing Group Policies that define the Office update channel, they will override settings configured via the Office Deployment Tool (ODT). To prevent conflicts, remove any such Group Policies before proceeding.

Step 2: Deploy Updates for the Target Channel

Create dynamic collections in ConfigMgr to deploy Microsoft 365 Apps updates corresponding to the desired channel. For guidance on setting up these collections, refer to Microsoft's article on switching to Monthly Enterprise Channel with Configuration Manager.

Step 3: Prepare the Office Deployment Tool (ODT)

  1. Download the Latest ODT: Obtain the newest version of the Office Deployment Tool from the Microsoft Download Center.

  2. Extract ODT Files: After downloading, extract the contents of the ODT package. Retain only the setup.exe file and remove other files to avoid confusion.

  3. Create Configuration XML: Craft a configuration XML file (e.g., Configure.xml) specifying the desired update channel. Save this XML in the same directory as setup.exe.

    • For Monthly Enterprise Channel:

      <Configuration>
        <Updates Channel="MonthlyEnterprise" />
      </Configuration>

    • For Current Channel:

      <Configuration>
        <Updates Channel="Current" />
      </Configuration>

Step 4: Develop a Deployment Script

Create a PowerShell script to automate the channel change process. The script should execute the following actions:

  1. Run ODT with the Configuration XML: This rewrites the CDNBaseUrl registry value to point at the new channel.

  2. Remove the Update Detection Timestamp: Delete the UpdateDetectionLastRunTime registry value so the client runs update detection immediately instead of waiting for its next scheduled check.

  3. Trigger Scheduled Tasks and ConfigMgr Actions: Start the "Office Automatic Updates 2.0" scheduled task and trigger ConfigMgr client actions such as the Hardware Inventory Cycle and the Software Updates Deployment Evaluation Cycle, so the new channel is reported and the matching update deployment is evaluated without delay.

    Sample PowerShell Script (run as SYSTEM by the ConfigMgr application; setup.exe and Configure.xml sit next to the script):

    $root = $PSScriptRoot

    # 1. Run the ODT with the channel configuration; this rewrites CDNBaseUrl
    Start-Process -FilePath (Join-Path $root 'Setup.exe') -ArgumentList "/configure `"$(Join-Path $root 'Configure.xml')`"" -Wait

    # 2. Drop the last-detection timestamp so the client re-detects immediately
    Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Updates' -Name UpdateDetectionLastRunTime -Force -ErrorAction SilentlyContinue

    # 3a. Start the Office update task
    Get-ScheduledTask -TaskName 'Office Automatic Updates*' | Start-ScheduledTask

    # 3b. Trigger ConfigMgr client actions (TriggerSchedule IDs from the ConfigMgr client schedule table)
    $schedules = @{
        '{00000000-0000-0000-0000-000000000001}' = 'Hardware Inventory Cycle'
        '{00000000-0000-0000-0000-000000000108}' = 'Software Updates Deployment Evaluation Cycle'
        '{00000000-0000-0000-0000-000000000114}' = 'Update Store Policy'
    }
    foreach ($id in $schedules.Keys) {
        Write-Verbose "Triggering $($schedules[$id])"
        Invoke-WmiMethod -ComputerName $env:COMPUTERNAME -Namespace root\ccm -Class SMS_CLIENT -Name TriggerSchedule -ArgumentList $id | Out-Null
    }


Step 5: Create and Deploy the Application in ConfigMgr

  1. Application Creation: In ConfigMgr, create a new application that utilizes the prepared PowerShell script for installation.

  2. Deployment: Deploy this application to the device collection targeted for the channel change.

Step 6: Verification

After deployment, verify the update channel change by:

  • Registry Inspection: Check the UpdateChannel and UpdateChannelChanged values in the HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration registry path.

  • Office Application: Open any Office application, navigate to the Account menu, and confirm the displayed update channel.

Note: If the Office version remains the same across channels during the transition, the channel description in the Office application may not immediately reflect the change.
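The verification in Step 6 can be scripted for a whole collection rather than opened by hand on each device. The function below is an added example, not code from the original post: it reads the Click-to-Run Configuration key named above, maps the channel GUID at the end of CDNBaseUrl to a channel name, and compares it with the channel requested in Configure.xml. The GUID-to-channel table is taken from Microsoft's update channel documentation; verify it against the current documentation before relying on it, since it is an assumption of this example.

```powershell
# Added example: verify the Microsoft 365 Apps update channel after the ODT run.
# The GUID table is reproduced from Microsoft's channel documentation (assumption:
# check it against the current doc; Microsoft occasionally adds channels).
$ChannelByCdnId = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current'
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'CurrentPreview'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'MonthlyEnterprise'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'SemiAnnual'
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'SemiAnnualPreview'
    '5440fd1f-7ecb-4221-8110-145efaa6372f' = 'BetaChannel'
}

function Get-M365AppsChannel {
    [CmdletBinding()]
    param(
        # Channel name exactly as written in Configure.xml (Updates Channel="...")
        [string]$ExpectedChannel
    )

    $cfgPath = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path $cfgPath)) {
        throw 'Click-to-Run Configuration key not found; Microsoft 365 Apps may not be installed.'
    }
    $cfg = Get-ItemProperty -Path $cfgPath
    if (-not $cfg.CDNBaseUrl) {
        throw 'CDNBaseUrl is not set; the ODT run in Step 4 did not complete.'
    }

    # CDNBaseUrl ends with the channel GUID, e.g. http://officecdn.microsoft.com/pr/<guid>
    $cdnId    = ([string]$cfg.CDNBaseUrl -split '/')[-1].ToLowerInvariant()
    $resolved = if ($ChannelByCdnId.ContainsKey($cdnId)) { $ChannelByCdnId[$cdnId] } else { "Unknown ($cdnId)" }

    $result = [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        VersionToReport      = $cfg.VersionToReport
        ResolvedChannel      = $resolved
        CDNBaseUrl           = $cfg.CDNBaseUrl
        UpdateChannel        = $cfg.UpdateChannel          # also a CDN URL on the Configuration key
        UpdateChannelChanged = $cfg.UpdateChannelChanged   # 'True' once the ODT has switched the channel
        Compliant            = $null
    }
    if ($ExpectedChannel) {
        $result.Compliant = ($resolved -eq $ExpectedChannel)
    }
    return $result
}

# Usage on a device targeted by the Monthly Enterprise Channel deployment:
Get-M365AppsChannel -ExpectedChannel 'MonthlyEnterprise' | Format-List
```

Because the Office Account page may keep showing the old channel description until a build from the new channel is installed (the note above), the CDNBaseUrl value is the authoritative signal that the switch took effect; Compliant is derived from it alone.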

By meticulously following these steps, IT administrators can effectively manage and change the Microsoft 365 Apps update channels using Microsoft Configuration Manager, ensuring that devices within the organization receive updates in accordance with specified policies.

Tuesday, 8 April 2025

How to enable Windows Recovery Environment (WinRE) on Windows 11 and 10


The Windows Recovery Environment (WinRE) is an essential feature in Windows 11 and Windows 10, providing tools like automatic repair, system reset, and command prompt access to troubleshoot and resolve system issues. While WinRE is typically enabled by default, there are scenarios where it might be disabled, either intentionally or due to system modifications. This guide will walk you through the steps to enable or disable WinRE on your Windows device.

How to Enable Windows Recovery Environment (WinRE)

If you find that WinRE is disabled on your system, you can enable it using the Command Prompt with administrative privileges. Here's how:​

  1. Open Command Prompt as Administrator:

    • Click on the Start menu.

    • Type "Command Prompt" in the search bar.

    • Right-click on the Command Prompt app and select Run as administrator.

  2. Check the Status of WinRE:

    • In the Command Prompt window, type the following command and press Enter: reagentc /info

    • This command displays the current status of WinRE. Look for the "Windows RE status" line to see if it's enabled or disabled.

  3. Enable WinRE:

    • To enable WinRE, type the following command and press Enter: reagentc /enable

    • After executing this command, you should see a confirmation message indicating that WinRE has been enabled.​

  4. Verify WinRE is Enabled:

    • To confirm that WinRE is now enabled, you can re-run the reagentc /info command. The "Windows RE status" should now display as "Enabled".​

Once enabled, you can reach WinRE by holding Shift while choosing Restart, by running shutdown /r /o from an elevated prompt, or through Settings (Windows 11: System > Recovery > Advanced startup; Windows 10: Update & Security > Recovery > Advanced startup). Windows also boots into WinRE on its own after repeated failed startups. The legacy F8 key is not reliable on modern UEFI systems with fast startup enabled.

How to Disable Windows Recovery Environment (WinRE)

If, for security or administrative reasons, you need to disable WinRE, follow these steps:​

  1. Open Command Prompt as Administrator:

    • Click on the Start menu.​

    • Type Command Prompt in the search bar.​

    • Right-click on the Command Prompt app and select Run as administrator.​

  2. Check the Status of WinRE:

    • In the Command Prompt window, type the following command and press Enter:​ reagentc /info

    • This will show the current status of WinRE.​

  3. Disable WinRE:

    • To disable WinRE, type the following command and press Enter:​ reagentc /disable

    • You should receive a confirmation message indicating that WinRE has been disabled.​

  4. Verify WinRE is Disabled:

    • To ensure that WinRE is disabled, re-run the reagentc /info command. The "Windows RE status" should now display as "Disabled".​

Disabling WinRE prevents access to the recovery tools during boot and also moves winre.wim out of the recovery partition back into %SystemRoot%\System32\Recovery, so updates that service the recovery image will not be applied while it is disabled. Make sure this action aligns with your system management policies, and prefer BitLocker with TPM protection over disabling WinRE if the concern is offline access to the disk through the recovery command prompt.​

By managing the state of the Windows Recovery Environment appropriately, you can maintain control over the troubleshooting tools available on your Windows 11 or Windows 10 system, ensuring they align with your usage and security requirements.
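For fleet use, the reagentc steps above can be wrapped so that the status is returned as an object and the enable step fails loudly instead of silently. The functions below are an added example, not part of the original post; they assume English reagentc output (the "Windows RE status:" label is localized on non-English installs, so the regular expressions would need adjusting) and an elevated PowerShell session.

```powershell
# Added example: script the reagentc /info and /enable steps from the guide.
# Assumptions: elevated session; English reagentc output.

function Get-WinREStatus {
    $lines = & "$env:SystemRoot\System32\reagentc.exe" /info 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc /info failed (exit $LASTEXITCODE): $($lines -join ' ')"
    }
    $text     = $lines -join "`n"
    $status   = if ($text -match 'Windows RE status:\s+(\S+)')  { $Matches[1] }        else { 'Unknown' }
    $location = if ($text -match 'Windows RE location:\s+(.+)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        Enabled  = ($status -eq 'Enabled')
        Status   = $status
        Location = $location   # e.g. \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
        RawInfo  = $text
    }
}

function Enable-WinRE {
    $before = Get-WinREStatus
    if ($before.Enabled) { return $before }

    # /enable fails (non-zero exit) when no winre.wim is available, either in
    # %SystemRoot%\System32\Recovery or on an existing recovery partition.
    $null = & "$env:SystemRoot\System32\reagentc.exe" /enable 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "reagentc /enable failed with exit code $LASTEXITCODE"
    }

    # Re-read the status rather than trusting the confirmation message.
    $after = Get-WinREStatus
    if (-not $after.Enabled) {
        throw "WinRE still reports '$($after.Status)' after /enable"
    }
    return $after
}

# Run from an elevated PowerShell prompt:
Enable-WinRE | Select-Object Enabled, Status, Location
```

Get-WinREStatus on its own is the check to run in a compliance script or a ConfigMgr/Intune remediation detection step; Enable-WinRE is the remediation half.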

Troubleshooting Windows Feature updates in Microsoft Intune


Managing Windows feature updates through Microsoft Intune is crucial for maintaining device security and performance. However, administrators may encounter challenges during deployment. This guide outlines essential troubleshooting steps to address common issues with feature update policies in Intune.

Prerequisites for Feature Update Deployment

Before deploying feature updates, ensure the following prerequisites are met:

  • Licensing Requirements: Devices must have appropriate licenses that include access to the Windows Update for Business deployment service, such as:

    • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

    • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)

    • Windows Virtual Desktop Access E3 or E5

    • Microsoft 365 Business Premium

    These licenses enable features like gradual rollout and optional feature updates.

  • Telemetry Configuration: Deploy a device restriction policy to all targeted devices, setting the "Share usage data" option to "Required." This ensures accurate reporting and telemetry.

  • Diagnostic Data Collection: Configure diagnostic data collection tenant-wide in the Intune admin center under Tenant administration > Connectors and tokens > Windows data. Proper configuration is vital for accurate feature update reporting.

  • Service Status:

    • Microsoft Account Sign-in Assistant: Ensure this service is not disabled; it should be set to "Manual" by default.

    • Connected User Experiences and Telemetry: Confirm this service is set to "Automatic" and is running.

  • Supported Windows Versions: Devices should be running supported editions such as Professional, Enterprise, or Education.

  • Network Connectivity: Verify that devices can access necessary Intune and Windows Update endpoints.

Configuring Update Rings with Feature Update Policies

When deploying update rings alongside feature update policies, consider the following:

  • Feature Update Deferral Period: Set this to '0' days to avoid delaying feature updates.

  • Upgrade to Latest Windows 11 Release: If enabled, eligible Windows 10 devices will upgrade to the latest Windows 11 feature update, potentially overriding specific feature update policies.

Common Troubleshooting Steps

If devices are not receiving or installing feature updates as expected:

  1. Policy Assignment Verification: Ensure that the feature update policy is correctly assigned to the intended device groups.

  2. Update Compliance Monitoring: Utilize Intune's reporting features to monitor update compliance and identify devices that are not updating.

  3. Windows Update Service Checks: Confirm that the Windows Update service is running and not disabled on the devices.

  4. Registry Configuration: Verify that registry settings align with the deployed policies.

  5. Safeguard Holds: Be aware of any safeguard holds that might prevent the update from being offered to certain devices due to known compatibility issues.

  6. Manual Update Attempts: Attempt to manually initiate the update on a device to determine if the issue is with policy deployment or the update process itself.
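Most of the prerequisites and checks above can be gathered from a device in one pass before escalating. The function below is an added example, not code from the original post or from Microsoft: it reports the service states, the telemetry level, the Update CSP values Intune writes, the Windows edition, any recorded safeguard hold, and reachability of two Windows Update endpoints. The registry paths for the PolicyManager (Update CSP) values and for the safeguard-hold indicators, and the two endpoint names, are assumptions to confirm against your own build and Microsoft's endpoint list.

```powershell
# Added example: device-side triage for Intune feature update policies.
# Assumptions (verify on your build): Intune-delivered Update CSP values live under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update; safeguard holds are
# recorded as GatedBlockId under ...\AppCompatFlags\TargetVersionUpgradeExperienceIndicators.
function Test-IntuneFeatureUpdatePrereqs {
    [CmdletBinding()]
    param([switch]$SkipNetworkChecks)

    $results = @()
    $add = { param($Name, $Pass, $Detail)
        [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = [string]$Detail } }

    # 1. Services: wlidsvc must not be Disabled; DiagTrack Automatic and Running; wuauserv not Disabled
    foreach ($svc in 'wlidsvc', 'DiagTrack', 'wuauserv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if (-not $s) { $results += & $add "Service $svc" $false 'not found'; continue }
        $ok = switch ($svc) {
            'DiagTrack' { $s.StartType -eq 'Automatic' -and $s.Status -eq 'Running' }
            default     { $s.StartType -ne 'Disabled' }
        }
        $results += & $add "Service $svc" $ok "StartType=$($s.StartType) Status=$($s.Status)"
    }

    # 2. Telemetry: "Share usage data = Required" corresponds to AllowTelemetry >= 1
    $level = $null; $source = $null
    foreach ($p in 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System',
                   'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection') {
        $v = (Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
        if ($null -ne $v) { $level = $v; $source = $p; break }
    }
    $results += & $add 'AllowTelemetry >= 1' ($null -ne $level -and $level -ge 1) "value=$level source=$source"

    # 3. Update ring values as written by the Update CSP (deferral should be 0 days)
    $upd   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' -ErrorAction SilentlyContinue
    $defer = $upd.DeferFeatureUpdatesPeriodInDays
    $results += & $add 'Feature update deferral is 0 days' ($null -eq $defer -or $defer -eq 0) `
        "DeferFeatureUpdatesPeriodInDays=$defer TargetReleaseVersion=$($upd.TargetReleaseVersion) ProductVersion=$($upd.ProductVersion)"

    # 4. Edition: Professional, Enterprise or Education (Home/Core editions are not supported)
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $results += & $add 'Supported edition' ($edition -match '^(Professional|Enterprise|Education)') "EditionID=$edition"

    # 5. Safeguard hold recorded by the compatibility appraiser
    $indPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators'
    $holds = Get-ChildItem -Path $indPath -ErrorAction SilentlyContinue |
        ForEach-Object { $_ | Get-ItemProperty } |
        Where-Object { $_.GatedBlockId -and $_.GatedBlockId -ne 'None' } |
        ForEach-Object { "$($_.PSChildName): $($_.GatedBlockId)" }
    $results += & $add 'No safeguard hold recorded' (-not $holds) ($holds -join '; ')

    # 6. Sample Windows Update endpoints (two of many; see Microsoft's full endpoint list)
    if (-not $SkipNetworkChecks) {
        foreach ($endpoint in 'fe3cr.delivery.mp.microsoft.com', 'sls.update.microsoft.com') {
            $reach = Test-NetConnection -ComputerName $endpoint -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
            $results += & $add "TCP 443 to $endpoint" $reach ''
        }
    }
    return $results
}

Test-IntuneFeatureUpdatePrereqs | Format-Table -AutoSize
```

A device that passes every row but still does not receive the update points to the policy side (assignment, group membership, or the update ring's "Upgrade to latest Windows 11 release" setting) rather than to the client, which is the split the manual update attempt in step 6 is meant to establish.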

By systematically verifying prerequisites, configuring policies correctly, and utilizing Intune's monitoring tools, administrators can effectively troubleshoot and resolve issues related to Windows feature updates in Microsoft Intune.

Strengthening Email Ecosystem: Outlook’s New Requirements for High‐Volume Senders

In an era where email remains a cornerstone of both personal and business communication, ensuring the security and reliability of email ecosystems is paramount. To bolster trust and protect users, Outlook.com is introducing new requirements for domains that send over 5,000 emails per day. These measures aim to enhance email authentication and reduce malicious activities such as spoofing, phishing, and spam.

New Authentication Requirements for High-Volume Senders

Effective May 5, 2025, domains dispatching more than 5,000 emails daily to Outlook.com addresses must comply with the following authentication protocols:

  1. Sender Policy Framework (SPF):

    • Ensure that your domain's DNS records accurately list all authorized IP addresses and hosts permitted to send emails on behalf of your domain.

    • SPF records must pass validation to confirm the legitimacy of the sending source.

  2. DomainKeys Identified Mail (DKIM):

    • Implement DKIM to attach a digital signature to your emails, verifying that the message content remains unaltered during transit.

    • DKIM signatures must pass verification to authenticate the integrity and origin of the emails.

  3. Domain-based Message Authentication, Reporting, and Conformance (DMARC):

    • Configure a DMARC policy with at least a p=none setting, aligning with either SPF or DKIM (preferably both).

    • DMARC enables domain owners to specify how unauthenticated messages should be handled, providing reports on email authentication status.

For detailed guidance on setting up these authentication methods, refer to Microsoft's documentation on email authentication.

Additional Email Hygiene Best Practices

Beyond authentication, high-volume senders are encouraged to adopt the following practices to maintain email quality and user trust:

  • Valid P2 (Primary) Sender Addresses:

    • Ensure that the "From" or "Reply-To" addresses are valid, accurately reflect the sending domain, and are capable of receiving replies.

  • Functional Unsubscribe Mechanisms:

    • Provide clear and accessible options for recipients to opt out of future communications, especially in marketing or bulk emails.

  • Regular List Maintenance and Bounce Management:

    • Periodically cleanse mailing lists to remove invalid or inactive addresses, thereby reducing bounce rates and spam complaints.

  • Transparent Mailing Practices:

    • Use honest subject lines, avoid misleading headers, and ensure that all recipients have explicitly consented to receive your emails.

Adhering to these practices not only enhances deliverability but also fortifies the sender's reputation within the email ecosystem.

Enforcement Timeline and Actions

Starting May 5, 2025, Outlook.com will begin routing emails from non-compliant high-volume senders to recipients' Junk folders. This initial phase serves as a grace period, allowing senders to address and rectify any authentication issues. Future enforcement actions may escalate to outright rejection of non-compliant emails, with specific dates to be announced subsequently.

Outlook.com reserves the right to take negative actions, including filtering or blocking, against senders who fail to meet these standards, particularly in cases of significant authentication breaches or poor email hygiene.

Steps to Prepare

To align with these new requirements and ensure uninterrupted email delivery:

  1. Audit Your DNS Records:

    • Review and update your SPF, DKIM, and DMARC records to ensure they meet the specified standards.

  2. Monitor Authentication Headers:

    • Regularly inspect email headers to verify authentication status. Guidance on viewing and interpreting these headers is available through Microsoft's support resources.

  3. Stay Updated:

    • Keep abreast of further announcements regarding enforcement timelines and additional requirements by following official communications from Outlook.com.
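The DNS audit in step 1 can be scripted. The functions below are an added example, not code from the original post or from Microsoft: Test-DmarcRecord and Test-SpfRecord parse a record string offline (so they run against constructed samples), and Get-SenderAuthRecords resolves the live SPF, DKIM and DMARC records with Resolve-DnsName from the Windows DnsClient module. example.com and the selector name are placeholders, not real sender configuration.

```powershell
# Added example: audit SPF, DKIM and DMARC records against the Outlook.com baseline.
# Assumptions: Windows DnsClient module (Resolve-DnsName); example.com and 'selector1'
# are placeholders for your own domain and the selector your mail platform publishes.

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # Tags are name=value pairs separated by semicolons; v=DMARC1 must be first.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        if ($part -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1].ToLower()] = $Matches[2] }
    }
    $policy = $tags['p']
    [pscustomobject]@{
        Record           = $Record
        HasVersionTag    = ($tags['v'] -eq 'DMARC1')
        Policy           = $policy
        SubdomainPolicy  = $tags['sp']
        Percent          = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }
        AggregateReports = [bool]$tags['rua']
        # Outlook.com baseline from May 5, 2025: a published record with at least p=none
        MeetsOutlook     = ($tags['v'] -eq 'DMARC1') -and ($policy -in @('none', 'quarantine', 'reject'))
    }
}

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record -split '\s+'
    # RFC 7208 caps DNS-querying terms (include, a, mx, ptr, exists, redirect) at 10;
    # exceeding it yields permerror, which counts as an SPF failure.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)' }).Count
    $all     = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    [pscustomobject]@{
        Record            = $Record
        IsSpf             = ($terms[0] -eq 'v=spf1')
        LookupTerms       = $lookups
        WithinLookupLimit = ($lookups -le 10)
        AllQualifier      = $all            # '+all' authorizes everyone and defeats the point
    }
}

function Get-SenderAuthRecords {
    param([Parameter(Mandatory)][string]$Domain, [string]$DkimSelector)
    $txt = {
        param($Name)
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    }
    $spf   = & $txt $Domain          | Where-Object { $_ -like 'v=spf1*' }  | Select-Object -First 1
    $dmarc = & $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dkim  = if ($DkimSelector) { & $txt "$DkimSelector._domainkey.$Domain" | Select-Object -First 1 }
    [pscustomobject]@{
        Domain = $Domain
        Spf    = if ($spf)   { Test-SpfRecord $spf }     else { 'MISSING' }
        Dkim   = if ($dkim)  { $dkim }                   else { 'MISSING or no selector given' }
        Dmarc  = if ($dmarc) { Test-DmarcRecord $dmarc } else { 'MISSING' }
    }
}

# Offline check on a constructed record (sample data, not a real domain's record):
Test-DmarcRecord 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100'

# Live check (needs DNS); use the selector your sending platform publishes:
Get-SenderAuthRecords -Domain 'example.com' -DkimSelector 'selector1' | Format-List
```

A DKIM selector cannot be discovered from DNS, so the live check needs the selector name from your sending platform; the DMARC and SPF checks work from the domain alone.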

By proactively implementing these measures, high-volume senders can contribute to a more secure and trustworthy email environment, benefiting both senders and recipients alike.

Must-Know CMD Commands for System Administrators

📌 User & Group Management

🔹 Check all users: net user

🔹 Check user details: net user username

🔹 Add a new user (the * prompts for the password instead of leaving it in the console history and process command line): net user NewUser * /add

🔹 Add user to local admin group: net localgroup Administrators NewUser /add

🔹 Remove user from a group: net localgroup Administrators NewUser /delete

🔹 Delete a user account: net user NewUser /delete


📌 System Information & Performance

🔹 Check system info: systeminfo

🔹 View running processes: tasklist

🔹 Kill a process by name: taskkill /IM processname.exe /F

🔹 Check disk usage (wmic is deprecated and missing from recent Windows 11 builds; Get-CimInstance Win32_LogicalDisk is the PowerShell equivalent): wmic logicaldisk get name, freespace, size, description

🔹 Check RAM details: wmic MEMORYCHIP get BankLabel, Capacity, Speed

🔹 Check network configuration:ipconfig /all

🔹 Flush DNS cache: ipconfig /flushdns


📌 Network & Remote Management

🔹 Ping a server: ping google.com

🔹 Check listening ports with the owning process ID: netstat -ano | find "LISTENING"

🔹 Test remote connection (RDP): mstsc /v:RemotePCName

🔹 Enable RDP on the local host: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f (then allow the firewall rule group: netsh advfirewall firewall set rule group="remote desktop" new enable=Yes; for a remote host, prefix the key with \\RemotePCName\ and run it with credentials that are administrators there)


📌 File & Disk Management

🔹 List all drives: wmic logicaldisk get name

🔹 Check disk health (SMART): wmic diskdrive get status

🔹 Check file size in a folder: dir /s /a C:\YourFolder

🔹 Find large files (over 1GB): forfiles /S /M *.* /C "cmd /c if @fsize GEQ 1073741824 echo @path @fsize"


📌 Active Directory & Domain Management

🔹 Check domain details: nltest /dsgetdc:yourdomain.com

🔹 List all domain users: net user /domain

🔹 Force Group Policy update: gpupdate /force

🔹 Check AD replication status: repadmin /replsummary


📌 Security & Event Logs

🔹 Check the 10 most recent failed logon attempts (newest first): wevtutil qe Security /c:10 /rd:true /f:text /q:"*[System[(EventID=4625)]]"

🔹 Enable BitLocker on drive C (adds a recovery password protector; record the 48-digit key it prints or back it up with manage-bde -protectors -adbackup before rebooting): manage-bde -on C: -RecoveryPassword

🔹 Check Windows Defender status: sc query windefend
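The wevtutil one-liner dumps raw 4625 events. To see the pattern behind them (which accounts, from which source addresses, over which logon type) it helps to parse the EventData fields by name. The function below is an added example, not part of the original list: it reads the same events with Get-WinEvent, takes the fields from the event XML so it does not depend on message localization, and groups them so password-spray or brute-force activity stands out. It needs an elevated prompt to read the Security log.

```powershell
# Added example: summarize Security event 4625 (failed logon) by account, source and logon type.
# Requires an elevated session; reads the local Security log.
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param([int]$Hours = 24, [int]$MaxEvents = 5000)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull EventData fields by name from the XML rather than parsing the message text
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            TargetAccount = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType     = $d.LogonType        # 2 interactive, 3 network (SMB/RPC), 10 RDP
            SourceIp      = $d.IpAddress
            Workstation   = $d.WorkstationName
            Status        = $d.Status           # usually 0xC000006D (logon failure)
            SubStatus     = $d.SubStatus        # 0xC000006A bad password, 0xC0000064 unknown user
        }
    } | Group-Object TargetAccount, SourceIp, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'TargetAccount'; e = { $_.Group[0].TargetAccount } },
            @{ n = 'SourceIp';      e = { $_.Group[0].SourceIp } },
            @{ n = 'LogonType';     e = { $_.Group[0].LogonType } },
            @{ n = 'SubStatus';     e = { ($_.Group.SubStatus | Sort-Object -Unique) -join ',' } },
            @{ n = 'First';         e = { ($_.Group.Time | Sort-Object)[0] } },
            @{ n = 'Last';          e = { ($_.Group.Time | Sort-Object)[-1] } }
}

# Accounts with five or more failures in the last 24 hours
Get-FailedLogonSummary -Hours 24 | Where-Object Count -ge 5 | Format-Table -AutoSize
```

Many distinct accounts with a handful of failures each from one SourceIp is the password-spray shape; one account with many failures is the brute-force shape. SubStatus 0xC0000064 across many accounts means the attacker is guessing usernames that do not exist, which is worth alerting on even at low counts.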



🚀 Why Every System Admin Should Use These Commands


✅ Saves time – No need to navigate through GUI

✅ Troubleshoot quickly – Identify & fix issues in seconds

✅ More control – Perform advanced tasks efficiently

The future of Mac device management is with Microsoft Intune

Managing Mac devices in the enterprise has traditionally been a complex task, often requiring multiple tools and platforms. However, Microsoft Intune is transforming this landscape by offering a unified, efficient, and secure solution for macOS management.

Key Advantages of Using Microsoft Intune for Mac Management:

  • Unified Device Management: Intune allows organizations to manage all devices—Windows, macOS, iOS, and Android—through a single platform, simplifying administration and ensuring consistent policies across different operating systems.

  • Enhanced Security and Compliance: With robust security features like encryption enforcement, password requirements, and remote wipe capabilities, Intune helps protect corporate data on Mac devices. Administrators can enforce compliance policies to ensure devices adhere to organizational standards.

  • Seamless Application Deployment: Intune simplifies the deployment and management of applications on Mac devices, supporting both DMG and PKG app package types. This ensures users have access to necessary software without complex procedures. 

  • Declarative Device Management (DDM): Intune supports Apple's DDM protocol, enhancing policy delivery performance and enabling more robust device compliance and app inventory capabilities.

  • Integration with Microsoft Ecosystem: Intune integrates seamlessly with Microsoft Entra ID (formerly Azure Active Directory) and other Microsoft services, providing a cohesive and secure environment for device management.

By leveraging Microsoft Intune, organizations can streamline their Mac management processes, enhance security, and provide a better experience for both IT administrators and end-users.

For a more in-depth look at how Intune is changing macOS management, see the Microsoft Mechanics episode on the topic.

Note: This post is inspired by insights from the Microsoft Tech Community blog on macOS management with Intune.
