Martin Himken | MVP

Windows first sign-in restore experience now available - Windows IT Pro Blog With Windows Backup for Organizations, you can now restore Windows on even more devices.  

#Windows Backup for Organizations now has First Sign-In Restore! This means you can now have people sign in and select a backup even if the device wasn't enrolled.
aka.ms/FirstSignInR...

People will be so mad if they already packaged the #OOB KB5077744 or KB5077797 to be deployed in #Intune manually...

Secure Boot, Certificates and BlackLotus – mAnimA.de Microsoft wants you to update your Secure Boot certificates as soon as possible. Join me as I explain the situation and take action now!

What do #Certificates, #SecureBoot, and #BlackLotus have in common? Read my new blog post for more context on what's actually happening and why you need to do more than just flip a few settings in the long run. Enjoy reading!

manima.de/2026/01/secu...

Using #PowerShell Graph modules for #Intune or #EntraID administration? Well, the interactive sign in for Connect-MGGraph has finally been fixed! All you need is to update your module(s)!
Happy Holidays!
github.com/microsoftgra...

The disconnected Entra double computer object problem - Part 1 – mAnimA.de Are there Entra devices in your tenant that you cannot delete? Is your Autopilot device pointing to the wrong Entra device? Read more here!

📰 New blog post dropped!
In this long due blog post, we explore the "split device" issue in your #Entra tenant a bit more. Don't think you have this? Run the script and find out!
manima.de/2025/12/the-...

It's even worse if you use the "meeting ended" timestamp to track how long you were in the meeting...

Beyond RC4 for Windows authentication As organizations face an evolving threat landscape, strengthening Windows authentication is more critical than ever.

Oh hey, we're [finally] killing RC4 everywhere officially. www.microsoft.com/en-us/window...

📰🤯 #Microsoft just announced the biggest #Intune license update since 2023 (release of the first Intune Suite Feature "Remote help").
aka.ms/M365-PIBlog
aka.ms/M365Governme...
aka.ms/IntuneM365Blog

Update intune-endpoints.md by FadiJo · Pull Request #4841 · MicrosoftDocs/memdocs As per ICM (675845676) SSL inspection is not supported for Microsoft store API and may cause reporting issues so we need to add the note that SSL inspection not supported for Microsoft Store API si...

📰 Reminder that TLS inspection is unsupported for many of the endpoints required for #Intune services. In this case its the Store endpoints, that are required for things like license validation.
github.com/MicrosoftDoc...

#MSIgnite listening to BRK1700 right now. So the „cloud restore“ will use WinRE to download and reinstall Windows. 👌🏻 This is exactly what I wanted for years! Early Christmas if you ask me ❤️

"Microsoft Ignite 2025 Book of News" is out and _man_ there is a lot to unpack. Go read about it!
Keywords to look for:
* Security Copilot
* Windows Resiliency Initiative
* Maintenance Window
and many more!

news.microsoft.com/ignite-2025-...

Oh, I know about that. That's a file with a "system" attribute flag for a reason. The file is sometimes pretty well-defined in the ReAgent.xml, including a fixed path. This is one of the rare cases where it really shouldn't be _anywhere_ else. For context, I wrote this: github.com/MHimken/WinR....

#PowerShell #Windows I just found one of the weirdest thing. Remember reagentc? If you /disable while using a x86 PowerShell the WinRE.wim will be put into a different folder than when you do it from x64. This is wild.
github.com/MHimken/WinR...

Network endpoints for Microsoft Intune - Microsoft Intune Review endpoints for Intune. This page lists IP addresses and port settings needed for proxy settings in your Intune deployments.

#Intune network requirements page got a huge update! There is now a consolidated list for the network endpoints. Rejoice!
However, it's still not fully complete 😭 But updating _that_ list should be much easier than the JSON 😊.

learn.microsoft.com/intune/intun...

Microsoft Entra: Soft deletion and restoration for cloud security groups Microsoft Entra introduces soft deletion and restoration for cloud security groups, allowing recovery within 30 days while preserving settings, ownership, and m

#Entra will have "soft delete" for _cloud_ security groups. I wonder if this would also restore access to things like Teams private channels and SharePoint.
deltapulse.app/message/MC11...
I wish I had this feature a couple moons ago...💀

Release Version 1.4 (Community-Is-Key) released · MHimken/IntuneNetworkRequirements A handful of updates (full changelog here) are finally implemented: ID-to-Service-List list is now available. This will show you which custom ID is related to which service. Test MCC endpoints Tes...

📰🆕: The #INR script v1.4 to test #Intune and related network services just got its first big update in a bit. Here's what changed in the latest version.

- ID-to-Service list is now available.
- Test MCC
- Test NuGet
- ...

Go grab the new version here:
github.com/MHimken/Intu...

PSA: If you're running WSUS you will want to look at MC1178653 in your Message Center. The only workaround to CVE-2025-59287 is denying access to the service. If you haven't patched your Server 2025 yet (and as that update apparently was pulled) this is the replacement fix.

Release windows-v3.7 · SkipToTheEndpoint/OpenIntuneBaseline Windows v3.7 - 2025-10-15 - 25H2 Edition Added 🆕 Settings Catalog 🆕Win - OIB - SC - Device Security - D - Administrator Protection - v3.7 Added configuration to enable the new Administrator Protec...

Hey #Intune peeps, @skiptotheendpoint.co.uk released a new version of his awesome #OpenIntuneBaseline #OIB today for 25H2! stte.me/oib25h2

Remote Device Actions – Wipe, Lock, Locate, and More - Microsoft Intune Discover how to use Microsoft Intune to remotely manage, wipe, lock, restart, and secure Android, iOS/iPadOS, macOS, Windows, and ChromeOS devices. Learn about available remote actions, prerequisites,...

💡New docs on #Intune "remote device actions". Apparently it was updated this month and while it looks much cleaner now, I think its missing crucial information (like what each action actually does?) I liked the old table more 🙈. learn.microsoft.com/intune/intun...

web.archive.org/web/20250328...

Using #WindowsAutopatch in #Intune? You should go here and Migrate to the Win32 App. This will create an application for you "Windows Autopatch Client Broker" that you can use to deploy the AP service instead of the script.

intune.microsoft.com#view/Microso...

learn.microsoft.com/en-us/window...

TIL: Is it #Office ADMX x86 or x64 right for me? They're identical except for a minor version number string in the Lync16.adml files. Just use whichever download you prefer.

Ok, Citrix really?
First of all, Intune has been able to do this for years. So, you've figured that out, and you've even got a working template? Oh, wait a minute - your new ADMX doesn't work too, because you forgot to include EXPLAIN strings in 2 spots.
github.com/MHimken/FixM...

Reminder! - "The option to move back to Compatibility mode will remain until September 2025. After this date, the StrongCertificateBindingEnforcement registry key will no longer be supported" - support.microsoft.com/en-us/topic/... #ADCS #InfoSec

End of Servicing Plan for Third-Party Printer Drivers on Windows - Windows drivers This article provides information on the end of servicing plan for third-party printer drivers on Windows.

🖨️💡Have you switched your #Windows printer drivers to v4 or IPP with PSAs yet? Don't know I'm talking about? It's time to read up on this apparently forgotten topic. Out of the five customers I had today, none of them knew about the change. To busy w/ W11.
learn.microsoft.com/en-us/window...

GitHub - MHimken/IntuneNetworkRequirements: This tool provides a way to verify Intune network requirements automatically This tool provides a way to verify Intune network requirements automatically - MHimken/IntuneNetworkRequirements

#INR aka #Intune Network Requirements script just got an update and a new home. Update your bookmarks! Also, new ASAs added:

* Microsoft Defender for Endpoint
* Visual Studio

github.com/MHimken/Intu...

#MVPBuzz

#Intune "Windows Quality Update management policies" just dropped on the roadmap. This will allow you to control non-security and OOB updates more granular.
www.microsoft.com/en-us/micros...

Although it's possible to migrate a cloud group from on-premises to Entra and sync group members managed in the cloud back to AD, the documentation omits crucial steps. I hope this helps you experiment with this process.

Firstly, yes, this is reversible.
Secondly, the SID stays the same.
Thirdly, your groups need to be universal in order to sync back from Entra to ADDS. This isn't documented properly.
Fourthly, Cloud Sync is a prerequisite but doesn't explain how to set it up properly.

Embrace cloud-first posture and convert Group Source of Authority (SOA) to the cloud (Preview) - Microsoft Entra ID Learn about Source of Authority (SOA), including prerequisites, supported scenarios, and step-by-step guidance for IT Architects and Administrators.

You can now specify whether an #ADDS group is an #EntraID group or on-premises. This is called a 'change of SOA'. However, be aware that, since @ajf8729.com and I have only just tried this out, the documentation is incomplete for now. Let me explain...🧵
learn.microsoft.com/en-us/entra/...

toolbox/Intune/Platform Scripts/Reset-WindowsUpdateSettings.ps1 at main · MHimken/toolbox This is my toolbox. Watch where you step. Contribute to MHimken/toolbox development by creating an account on GitHub.

#WindowsUpdate: Thinking of moving to #Intune and/or #Autopatch? Used GPOs or any RMM tool (yes CM too) to adjust the update settings? This cleanup script is for you. I recently received some requests for this again, so I'll share it once more.
github.com/MHimken/tool...
#MVPBuzz