

Hi,

Thanks, it was a general problem. Solved by MS today.


Ref:
Title: Admins can't sync Autopilot devices

User Impact: Admins may be unable to sync Autopilot devices in the Microsoft Intune service.

Current status: We've received reports of an issue which is preventing admins from syncing Autopilot devices in the Microsoft Intune service. We're analyzing the corresponding Azure Active Directory (AAD) service telemetry to help us determine why these attempted syncs have been failing. We're also initiating a full sync for devices, which we expect will mitigate the impact.

Scope of impact: Impact is specific to admins attempting to sync Autopilot devices.

Next update by: Wednesday, February 10, 2021, at 11:00 PM UTC


/R
Andy

Hi,

I tried searching but found no good explanation, so could you please provide documentation around this, or comments?

Thanks

/R
Andy

Hi,

Hehe, I didn't scroll down to the bottom... :)
I was not able to switch it to corporate.

But what is actually the difference?

Is it only so I can deploy different configuration if it's a personal or a company device, and from the monitor point of view I can see the complete phone number?
Is there anything else specific?

Hi,

Thanks for the reply.

So we can use SCCM to monitor these, do you have some links to screenshots of how this is monitored? I did google it, but I'm not sure if I found the right pictures.

We have another customer that uses MS Defender and M365 ATP, I guess these cannot be compared? I must say with M365 ATP and MS Endpoint protection you get very good information, and a good overview of what happens if you for example get a ransomware attack etc. Do you have the same visibility with SCCM and MS Endpoint Manager?

Rgs
Andy

Hi again @Jason-MSFT

One more comment.
What I have noticed is that if I have applied a baseline, and then do small changes to that one, then the sync goes pretty fast. But if I remove the link to the group, so that everything is supposed to be removed, then it takes a very long time before every setting is back to default.

Comments?

/R
Andy

Hi,

Thanks for your reply.

I have done some more testing, and here is the scenario.

  • First I deploy MS default baseline, and this works great

  • Then I try to for example change settings under Event Log Service > Application log maximum file size in KB to 99999 and this applies after a couple of minutes, so everything is good.

  • Then I try to undo several things under Internet Explorer from the baseline, for example I change Internet Explorer encryption support from TLS 1.1 and 1.2 to Not Configured. Then I save the changes and wait for it to apply... no changes... try sync, do reboot, but nothing happens.

  • Then I removed the whole baseline from the User Group I have assigned it to, waited around 30 minutes, IE settings still there, did a sync, reboot, still there... The next day it was gone.


So to me it seems like Internet Explorer settings either take a very long time to apply? I have now tested it again, and will wait 24 hours to see if the changes apply. Comments?





Hi,

Update: it has now been between 6-10 hours since I reconfigured the IE settings, and now I can see that these have changed.
So to me it seems like IE settings do not care if you click sync; this one just waits for the interval it has. But other settings work when you click sync.

Comments?

/Andy


Hi,

Thanks for your answer.

Some of them are local admin and some are not.
So if you are a local admin, how would the users go ahead and do this? Would it be like this...
1. Click Settings > Accounts > Access work or school
2. Then select Enroll only in device management
(When they do this, will the users notice anything? We have not yet assigned any profiles ++)
3. or... could they download the Company Portal and it will automatically register in Intune?

I can see that they have one device that is also in Intune, so I guess I could convert this device to Autopilot?

Another thing, I can also see that the device is marked as Ownership=Personal and not Corporate. I can see that I can change this. If I do that, what impact will that have on the user?

Thanks for answers.

Hi,

As long as we are using conditional access, "security defaults" is off (they cannot be combined).

Yes, the "breakglass" accounts have the Global administrator role. There are 3 users that are part of Global Administrator, and I want to drop MFA for two of those accounts.

I looked at the link, but no answer there.

Reference here: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
- You should make the Global Administrator role assignment permanent for your emergency access accounts.
- During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies.

Not able to exclude as they say, or am I missing the point here?




Hi,

Thanks for confirmation. I will leave it another 24 hours, then check again. If not I will create a ticket.