Martin Himken | MVP
@intune.best
#MVP #Intune, plus #ITSec #EMS #Azure and #ConfigMgr - Managing your endpoints with Microsoft since 2012. Posts are my own and do not represent my employer.
Blog: https://manima.de
Blog: https://manima.de
#MSIgnite listening to BRK1700 right now. So the „cloud restore“ will use WinRE to download and reinstall Windows. 👌🏻 This is exactly what I wanted for years! Early Christmas if you ask me ❤️
November 19, 2025 at 5:40 PM
#MSIgnite listening to BRK1700 right now. So the „cloud restore“ will use WinRE to download and reinstall Windows. 👌🏻 This is exactly what I wanted for years! Early Christmas if you ask me ❤️
"Microsoft Ignite 2025 Book of News" is out and _man_ there is a lot to unpack. Go read about it!
Keywords to look for:
* Security Copilot
* Windows Resiliency Initiative
* Maintenance Window
and many more!
news.microsoft.com/ignite-2025-...
Keywords to look for:
* Security Copilot
* Windows Resiliency Initiative
* Maintenance Window
and many more!
news.microsoft.com/ignite-2025-...
November 18, 2025 at 4:34 PM
"Microsoft Ignite 2025 Book of News" is out and _man_ there is a lot to unpack. Go read about it!
Keywords to look for:
* Security Copilot
* Windows Resiliency Initiative
* Maintenance Window
and many more!
news.microsoft.com/ignite-2025-...
Keywords to look for:
* Security Copilot
* Windows Resiliency Initiative
* Maintenance Window
and many more!
news.microsoft.com/ignite-2025-...
#PowerShell #Windows I just found one of the weirdest thing. Remember reagentc? If you /disable while using a x86 PowerShell the WinRE.wim will be put into a different folder than when you do it from x64. This is wild.
github.com/MHimken/WinR...
github.com/MHimken/WinR...
November 16, 2025 at 8:48 PM
#PowerShell #Windows I just found one of the weirdest thing. Remember reagentc? If you /disable while using a x86 PowerShell the WinRE.wim will be put into a different folder than when you do it from x64. This is wild.
github.com/MHimken/WinR...
github.com/MHimken/WinR...
#Intune network requirements page got a huge update! There is now a consolidated list for the network endpoints. Rejoice!
However, it's still not fully complete 😭 But updating _that_ list should be much easier than the JSON 😊.
learn.microsoft.com/intune/intun...
However, it's still not fully complete 😭 But updating _that_ list should be much easier than the JSON 😊.
learn.microsoft.com/intune/intun...
Network endpoints for Microsoft Intune - Microsoft Intune
Review endpoints for Intune. This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.
learn.microsoft.com
November 13, 2025 at 6:04 PM
#Intune network requirements page got a huge update! There is now a consolidated list for the network endpoints. Rejoice!
However, it's still not fully complete 😭 But updating _that_ list should be much easier than the JSON 😊.
learn.microsoft.com/intune/intun...
However, it's still not fully complete 😭 But updating _that_ list should be much easier than the JSON 😊.
learn.microsoft.com/intune/intun...
#Entra will have "soft delete" for _cloud_ security groups. I wonder if this would also restore access to things like Teams private channels and SharePoint.
deltapulse.app/message/MC11...
I wish I had this feature a couple moons ago...💀
deltapulse.app/message/MC11...
I wish I had this feature a couple moons ago...💀
Microsoft Entra: Soft deletion and restoration for cloud security groups
Microsoft Entra introduces soft deletion and restoration for cloud security groups, allowing recovery within 30 days while preserving settings, ownership, and m
deltapulse.app
November 6, 2025 at 9:16 PM
#Entra will have "soft delete" for _cloud_ security groups. I wonder if this would also restore access to things like Teams private channels and SharePoint.
deltapulse.app/message/MC11...
I wish I had this feature a couple moons ago...💀
deltapulse.app/message/MC11...
I wish I had this feature a couple moons ago...💀
📰🆕: The #INR script v1.4 to test #Intune and related network services just got its first big update in a bit. Here's what changed in the latest version.
- ID-to-Service list is now available.
- Test MCC
- Test NuGet
- ...
Go grab the new version here:
github.com/MHimken/Intu...
- ID-to-Service list is now available.
- Test MCC
- Test NuGet
- ...
Go grab the new version here:
github.com/MHimken/Intu...
Release Version 1.4 (Community-Is-Key) released · MHimken/IntuneNetworkRequirements
A handful of updates (full changelog here) are finally implemented:
ID-to-Service-List list is now available. This will show you which custom ID is related to which service.
Test MCC endpoints
Tes...
github.com
November 3, 2025 at 11:03 PM
📰🆕: The #INR script v1.4 to test #Intune and related network services just got its first big update in a bit. Here's what changed in the latest version.
- ID-to-Service list is now available.
- Test MCC
- Test NuGet
- ...
Go grab the new version here:
github.com/MHimken/Intu...
- ID-to-Service list is now available.
- Test MCC
- Test NuGet
- ...
Go grab the new version here:
github.com/MHimken/Intu...
PSA: If you're running WSUS you will want to look at MC1178653 in your Message Center. The only workaround to CVE-2025-59287 is denying access to the service. If you haven't patched your Server 2025 yet (and as that update apparently was pulled) this is the replacement fix.
October 24, 2025 at 6:23 AM
PSA: If you're running WSUS you will want to look at MC1178653 in your Message Center. The only workaround to CVE-2025-59287 is denying access to the service. If you haven't patched your Server 2025 yet (and as that update apparently was pulled) this is the replacement fix.
Reposted by Martin Himken | MVP
Hey #Intune peeps, @skiptotheendpoint.co.uk released a new version of his awesome #OpenIntuneBaseline #OIB today for 25H2! stte.me/oib25h2
Release windows-v3.7 · SkipToTheEndpoint/OpenIntuneBaseline
Windows v3.7 - 2025-10-15 - 25H2 Edition
Added 🆕
Settings Catalog
🆕Win - OIB - SC - Device Security - D - Administrator Protection - v3.7
Added configuration to enable the new Administrator Protec...
stte.me
October 15, 2025 at 1:31 PM
Hey #Intune peeps, @skiptotheendpoint.co.uk released a new version of his awesome #OpenIntuneBaseline #OIB today for 25H2! stte.me/oib25h2
💡New docs on #Intune "remote device actions". Apparently it was updated this month and while it looks much cleaner now, I think its missing crucial information (like what each action actually does?) I liked the old table more 🙈. learn.microsoft.com/intune/intun...
web.archive.org/web/20250328...
web.archive.org/web/20250328...
Remote Device Actions – Wipe, Lock, Locate, and More - Microsoft Intune
Discover how to use Microsoft Intune to remotely manage, wipe, lock, restart, and secure Android, iOS/iPadOS, macOS, Windows, and ChromeOS devices. Learn about available remote actions, prerequisites,...
learn.microsoft.com
October 14, 2025 at 10:20 AM
💡New docs on #Intune "remote device actions". Apparently it was updated this month and while it looks much cleaner now, I think its missing crucial information (like what each action actually does?) I liked the old table more 🙈. learn.microsoft.com/intune/intun...
web.archive.org/web/20250328...
web.archive.org/web/20250328...
Using #WindowsAutopatch in #Intune? You should go here and Migrate to the Win32 App. This will create an application for you "Windows Autopatch Client Broker" that you can use to deploy the AP service instead of the script.
intune.microsoft.com#view/Microso...
learn.microsoft.com/en-us/window...
intune.microsoft.com#view/Microso...
learn.microsoft.com/en-us/window...
October 10, 2025 at 10:56 AM
Using #WindowsAutopatch in #Intune? You should go here and Migrate to the Win32 App. This will create an application for you "Windows Autopatch Client Broker" that you can use to deploy the AP service instead of the script.
intune.microsoft.com#view/Microso...
learn.microsoft.com/en-us/window...
intune.microsoft.com#view/Microso...
learn.microsoft.com/en-us/window...
TIL: Is it #Office ADMX x86 or x64 right for me? They're identical except for a minor version number string in the Lync16.adml files. Just use whichever download you prefer.
September 30, 2025 at 10:05 PM
TIL: Is it #Office ADMX x86 or x64 right for me? They're identical except for a minor version number string in the Lync16.adml files. Just use whichever download you prefer.
Ok, Citrix really?
First of all, Intune has been able to do this for years. So, you've figured that out, and you've even got a working template? Oh, wait a minute - your new ADMX doesn't work too, because you forgot to include EXPLAIN strings in 2 spots.
github.com/MHimken/FixM...
First of all, Intune has been able to do this for years. So, you've figured that out, and you've even got a working template? Oh, wait a minute - your new ADMX doesn't work too, because you forgot to include EXPLAIN strings in 2 spots.
github.com/MHimken/FixM...
September 10, 2025 at 3:21 PM
Ok, Citrix really?
First of all, Intune has been able to do this for years. So, you've figured that out, and you've even got a working template? Oh, wait a minute - your new ADMX doesn't work too, because you forgot to include EXPLAIN strings in 2 spots.
github.com/MHimken/FixM...
First of all, Intune has been able to do this for years. So, you've figured that out, and you've even got a working template? Oh, wait a minute - your new ADMX doesn't work too, because you forgot to include EXPLAIN strings in 2 spots.
github.com/MHimken/FixM...
Reposted by Martin Himken | MVP
Reminder! - "The option to move back to Compatibility mode will remain until September 2025. After this date, the StrongCertificateBindingEnforcement registry key will no longer be supported" - support.microsoft.com/en-us/topic/... #ADCS #InfoSec
KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support
support.microsoft.com
September 8, 2025 at 9:23 PM
Reminder! - "The option to move back to Compatibility mode will remain until September 2025. After this date, the StrongCertificateBindingEnforcement registry key will no longer be supported" - support.microsoft.com/en-us/topic/... #ADCS #InfoSec
🖨️💡Have you switched your #Windows printer drivers to v4 or IPP with PSAs yet? Don't know I'm talking about? It's time to read up on this apparently forgotten topic. Out of the five customers I had today, none of them knew about the change. To busy w/ W11.
learn.microsoft.com/en-us/window...
learn.microsoft.com/en-us/window...
End of Servicing Plan for Third-Party Printer Drivers on Windows - Windows drivers
This article provides information on the end of servicing plan for third-party printer drivers on Windows.
learn.microsoft.com
September 1, 2025 at 7:03 PM
🖨️💡Have you switched your #Windows printer drivers to v4 or IPP with PSAs yet? Don't know I'm talking about? It's time to read up on this apparently forgotten topic. Out of the five customers I had today, none of them knew about the change. To busy w/ W11.
learn.microsoft.com/en-us/window...
learn.microsoft.com/en-us/window...
#INR aka #Intune Network Requirements script just got an update and a new home. Update your bookmarks! Also, new ASAs added:
* Microsoft Defender for Endpoint
* Visual Studio
github.com/MHimken/Intu...
#MVPBuzz
* Microsoft Defender for Endpoint
* Visual Studio
github.com/MHimken/Intu...
#MVPBuzz
GitHub - MHimken/IntuneNetworkRequirements: This tool provides a way to verify Intune network requirements automatically
This tool provides a way to verify Intune network requirements automatically - MHimken/IntuneNetworkRequirements
github.com
August 29, 2025 at 10:41 PM
#INR aka #Intune Network Requirements script just got an update and a new home. Update your bookmarks! Also, new ASAs added:
* Microsoft Defender for Endpoint
* Visual Studio
github.com/MHimken/Intu...
#MVPBuzz
* Microsoft Defender for Endpoint
* Visual Studio
github.com/MHimken/Intu...
#MVPBuzz
#Intune "Windows Quality Update management policies" just dropped on the roadmap. This will allow you to control non-security and OOB updates more granular.
www.microsoft.com/en-us/micros...
www.microsoft.com/en-us/micros...
Microsoft 365 Roadmap | Microsoft 365
www.microsoft.com
August 29, 2025 at 9:44 AM
#Intune "Windows Quality Update management policies" just dropped on the roadmap. This will allow you to control non-security and OOB updates more granular.
www.microsoft.com/en-us/micros...
www.microsoft.com/en-us/micros...
You can now specify whether an #ADDS group is an #EntraID group or on-premises. This is called a 'change of SOA'. However, be aware that, since @ajf8729.com and I have only just tried this out, the documentation is incomplete for now. Let me explain...🧵
learn.microsoft.com/en-us/entra/...
learn.microsoft.com/en-us/entra/...
Embrace cloud-first posture and convert Group Source of Authority (SOA) to the cloud (Preview) - Microsoft Entra ID
Learn about Source of Authority (SOA), including prerequisites, supported scenarios, and step-by-step guidance for IT Architects and Administrators.
learn.microsoft.com
August 1, 2025 at 10:26 PM
You can now specify whether an #ADDS group is an #EntraID group or on-premises. This is called a 'change of SOA'. However, be aware that, since @ajf8729.com and I have only just tried this out, the documentation is incomplete for now. Let me explain...🧵
learn.microsoft.com/en-us/entra/...
learn.microsoft.com/en-us/entra/...
#WindowsUpdate: Thinking of moving to #Intune and/or #Autopatch? Used GPOs or any RMM tool (yes CM too) to adjust the update settings? This cleanup script is for you. I recently received some requests for this again, so I'll share it once more.
github.com/MHimken/tool...
#MVPBuzz
github.com/MHimken/tool...
#MVPBuzz
toolbox/Intune/Platform Scripts/Reset-WindowsUpdateSettings.ps1 at main · MHimken/toolbox
This is my toolbox. Watch where you step. Contribute to MHimken/toolbox development by creating an account on GitHub.
github.com
July 31, 2025 at 12:02 PM
#WindowsUpdate: Thinking of moving to #Intune and/or #Autopatch? Used GPOs or any RMM tool (yes CM too) to adjust the update settings? This cleanup script is for you. I recently received some requests for this again, so I'll share it once more.
github.com/MHimken/tool...
#MVPBuzz
github.com/MHimken/tool...
#MVPBuzz
'Windows 11 cloud-native migration with Microsoft Intune'.
There's a great article from @onpremcloudguy.com with lots of useful information in the links. Afterwards, you can read my blog to find out about other relevant technologies 😉
techcommunity.microsoft.com/blog/windows...
There's a great article from @onpremcloudguy.com with lots of useful information in the links. Afterwards, you can read my blog to find out about other relevant technologies 😉
techcommunity.microsoft.com/blog/windows...
Windows 11 cloud-native migration with Microsoft Intune - Windows IT Pro Blog
Learn how to migrate domain-joined, co-managed Windows 10 devices to Microsoft Intune managed Windows 11.
techcommunity.microsoft.com
July 29, 2025 at 9:49 AM
'Windows 11 cloud-native migration with Microsoft Intune'.
There's a great article from @onpremcloudguy.com with lots of useful information in the links. Afterwards, you can read my blog to find out about other relevant technologies 😉
techcommunity.microsoft.com/blog/windows...
There's a great article from @onpremcloudguy.com with lots of useful information in the links. Afterwards, you can read my blog to find out about other relevant technologies 😉
techcommunity.microsoft.com/blog/windows...
Unattended access with Remote Help is on its way!
Bear in mind that this is the GA date, so there may be a (private) preview available to join. I still highly recommend checking out the MMCCP to participate in early previews. techcommunity.microsoft.com/blog/windows...
#MVPBuzz
Bear in mind that this is the GA date, so there may be a (private) preview available to join. I still highly recommend checking out the MMCCP to participate in early previews. techcommunity.microsoft.com/blog/windows...
#MVPBuzz
July 29, 2025 at 9:12 AM
Unattended access with Remote Help is on its way!
Bear in mind that this is the GA date, so there may be a (private) preview available to join. I still highly recommend checking out the MMCCP to participate in early previews. techcommunity.microsoft.com/blog/windows...
#MVPBuzz
Bear in mind that this is the GA date, so there may be a (private) preview available to join. I still highly recommend checking out the MMCCP to participate in early previews. techcommunity.microsoft.com/blog/windows...
#MVPBuzz
Reposted by Martin Himken | MVP
Internet-facing file servers, using SMB over QUIC, and secured using Entra authentication! This turned out to be really easy to get up and running. ajf.one/entrafs #Entra #EntraID
Internet-facing File Servers, with a dash of Entra Authentication!
Now that the the “Azure AD based Windows Login” extension is available (docs here), a Windows server running in Azure or that is Arc-enabled can now be signed into via Entra ID. When I …
ajf.one
July 27, 2025 at 9:23 PM
Internet-facing file servers, using SMB over QUIC, and secured using Entra authentication! This turned out to be really easy to get up and running. ajf.one/entrafs #Entra #EntraID
Since I don't do a lot of macOS administration I completely missed this (thanks Andreas!). LAPS for macOS is here :)
learn.microsoft.com/en-us/intune...
#MVPBuzz
learn.microsoft.com/en-us/intune...
#MVPBuzz
Set up local admin account creation and password management for macOS devices - Microsoft Intune
Set up macOS account configuration with LAPS through automatic device enrollment for macOS devices in Intune.
learn.microsoft.com
July 25, 2025 at 6:50 AM
Since I don't do a lot of macOS administration I completely missed this (thanks Andreas!). LAPS for macOS is here :)
learn.microsoft.com/en-us/intune...
#MVPBuzz
learn.microsoft.com/en-us/intune...
#MVPBuzz
⚠️⚠️The preview update for #Windows 24H2 allows you to pin apps to the start menu ONCE (aka boolean). No mention of how yet though 🙈Finally, no more playing around with start2.bin
Also: Quick Machine Recovery and many more things - go read now!
support.microsoft.com/en-us/topic/...
#MVPbuzz
Also: Quick Machine Recovery and many more things - go read now!
support.microsoft.com/en-us/topic/...
#MVPbuzz
July 22, 2025—KB5062660 (OS Build 26100.4770) Preview - Microsoft Support
support.microsoft.com
July 23, 2025 at 8:45 PM
⚠️⚠️The preview update for #Windows 24H2 allows you to pin apps to the start menu ONCE (aka boolean). No mention of how yet though 🙈Finally, no more playing around with start2.bin
Also: Quick Machine Recovery and many more things - go read now!
support.microsoft.com/en-us/topic/...
#MVPbuzz
Also: Quick Machine Recovery and many more things - go read now!
support.microsoft.com/en-us/topic/...
#MVPbuzz
This post does not have enough attention yet. 2.29.1 seems to finally solve the authentication issues that existed in Microsoft.Graph.Authentication for a good while now. Run your Update-Module now!
The Microsoft Graph SDK and Microsoft.Graph #PowerShell module version 2.29.1 are now available.
No known significant issues since the 2.27 and 2.26 releases. I am able to connect with the Microsoft.Entra module and with Maester. 👍
No known significant issues since the 2.27 and 2.26 releases. I am able to connect with the Microsoft.Entra module and with Maester. 👍
July 22, 2025 at 8:00 AM
This post does not have enough attention yet. 2.29.1 seems to finally solve the authentication issues that existed in Microsoft.Graph.Authentication for a good while now. Run your Update-Module now!
In case you're using a Windows 11 IoT version and it isn't a Microsoft Teams Room device, here's a reminder that (since may actually) Autopilot is _not_ supported.
learn.microsoft.com/en-us/autopi...
I can only assume that's because it - by default - skips the OOBE.
learn.microsoft.com/en-us/autopi...
I can only assume that's because it - by default - skips the OOBE.
Windows Autopilot requirements
Software, Networking, Licensing, and Configuration requirements for Windows Autopilot.
learn.microsoft.com
July 21, 2025 at 2:56 PM
In case you're using a Windows 11 IoT version and it isn't a Microsoft Teams Room device, here's a reminder that (since may actually) Autopilot is _not_ supported.
learn.microsoft.com/en-us/autopi...
I can only assume that's because it - by default - skips the OOBE.
learn.microsoft.com/en-us/autopi...
I can only assume that's because it - by default - skips the OOBE.