Author Archives: Thomas.Marcussen

About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

Understanding Device Enrollment and Visibility in Microsoft Intune and Entra ID

Posted on by
Reply

Troubleshooting Errors Like 0x80180014 and Navigating Device Records in the Admin Portals

Introduction

Managing devices in a modern enterprise requires a clear understanding of how devices enroll into your organization’s management ecosystem, particularly in Microsoft Intune and Microsoft Entra ID (formerly Azure Active Directory). With the increasing adoption of mobile device management (MDM) and the demand for secure cloud identity integration, IT administrators frequently encounter various behaviors—and sometimes, errors—that can be confusing.

One of the more common challenges occurs when a device fails to enroll correctly, presenting cryptic error codes such as 0x80180014. This blog post provides a deep dive into how device registration and visibility work across Microsoft Intune and Entra ID. We’ll also unpack typical issues, explain where devices appear in each admin center, and how to cleanly troubleshoot enrollment errors.

This issue was thoroughly explored during a troubleshooting session with Carsten Lund Meilbak, the go-to expert for everything Microsoft Teams and Teams Meeting Room environments, where we investigated problems with a Microsoft Teams Room (MTR) device. During the session, we discovered how certain Autopilot scenarios could result in orphaned device records in Entra ID, preventing re-enrollment.

What Is Microsoft Intune?

Microsoft Intune is a cloud-based endpoint management solution that helps organizations manage user access, enforce compliance, and deploy apps and configurations to devices. Whether the devices are Windows, Android, iOS, or macOS, Intune serves as the command center for policy enforcement and inventory tracking.

What Is Microsoft Entra ID?

Microsoft Entra ID (previously known as Azure Active Directory) is Microsoft’s cloud-based identity and access management service. Devices can be registered, joined, or hybrid joined to Entra ID, and the identity status of these devices is critical for secure access, Conditional Access policies, and MDM enrollment flows.

Section 1: Device Lifecycle – From Registration to Management

Step 1: Device Registration in Entra ID

When a device first connects with a corporate identity, it can take one of several paths:

  1. Azure AD Registered (Workplace Join):
    • Typical for BYOD (Bring Your Own Device).
    • Appears under the user’s profile in Entra ID.
    • Usually paired with manual or conditional enrollment in Intune.
  2. Azure AD Joined:
    • Common for corporate-owned devices.
    • Full control over the device by the organization.
    • Required for Autopilot provisioning and device-based Conditional Access.
  3. Hybrid Azure AD Joined:
    • Devices are joined to on-prem Active Directory and then synced to Entra ID via Azure AD Connect.
    • Offers compatibility for legacy environments still using GPOs or SCCM.

Step 2: Device Enrollment in Intune

After a device is registered in Entra ID, it may also become enrolled in Intune:

  • Automatic Enrollment via group policies or Autopilot.
  • Manual Enrollment by end-users through “Access Work or School” in Windows settings.
  • Co-management Scenarios where both Intune and ConfigMgr (SCCM) share responsibilities.

This enrollment is what allows policies, apps, and configurations to be deployed to the device.

Section 2: How Devices Appear in Admin Portals

2.1 Microsoft Entra Admin Center

Link: https://entra.microsoft.com

Navigate to:

Microsoft Entra Admin Center → Devices → All Devices

Here, you’ll see all devices that are registered or joined to your Entra tenant.

Each record provides the following key information:

  • Device Name
  • Join Type (Azure AD Registered, Azure AD Joined, or Hybrid)
  • OS Type and Version
  • MDM Enrolled (Yes/No)
  • Compliant (Yes/No)
  • Owner (User Principal Name)

If a device shows up here but not in Intune, it might not be enrolled in MDM. You can confirm this via the MDM Enrolled column or by selecting the device and checking details.

2.2 Microsoft Intune Admin Center

Link: https://intune.microsoft.com

Navigate to:

Devices → All Devices

This view shows all devices that are successfully enrolled in Intune, either through automatic enrollment or manual addition.

Important fields include:

  • Compliance Status
  • Enrollment Type (Corporate, BYOD, Autopilot)
  • Primary User
  • Managed By
  • Last Check-In
  • Device Category

If a device is listed here but shows a warning or non-compliance, the issue often relates to Conditional Access, configuration profiles, or missing required apps.

Cross-Referencing Between Portals

It’s not uncommon for admins to find a device in one portal and not the other. Here’s what it typically means:

Found in Entra OnlyFound in Intune OnlyFound in Both
Device is only registered, not MDM-enrolled.Rare; usually due to stale objects or migration.Device is properly joined and managed.

A properly managed device should show up in both portals, and any inconsistency is a sign of an enrollment issue.

Section 3: Common Error – 0x80180014

What Does 0x80180014 Mean?

This error appears most often during the enrollment phase of a Windows 10/11 device. It typically means:

“The device is already enrolled.”

In other words, Windows believes the device is already managed, either because of a previous enrollment or residual data from a prior configuration.

Resolution Steps

  1. Check Admin Portals: Remove the device from both Intune and Entra if it still exists.
  2. Remove MDM Profile: Disconnect the work or school account in Settings.
  3. Use PowerShell: Run dsregcmd /leave to unjoin from Entra ID.
  4. Retry Enrollment: After cleanup, re-enroll the device manually or through Autopilot.

Section 4: Unable to Delete Device from Entra ID

If the device does not appear in Intune but is still stuck in Entra ID and can’t be deleted, follow these steps:

Step 1: Confirm Your Permissions

Ensure your account has one of the following roles:

  • Global Administrator
  • Cloud Device Administrator

You can verify your roles here: https://entra.microsoft.com → My Roles

Step 2: Check the Join Type

In the Entra Admin Center → Devices → All Devices, look at the device’s join type:

Join TypeDescriptionDeletion Method
Azure AD JoinedCloud-joined deviceCan be deleted directly if permissions allow
Azure AD RegisteredBYOD registrationCan be deleted directly
Hybrid Azure AD JoinedSynced from ADMust be deleted from on-prem AD first

If the device is Hybrid Azure AD Joined, delete it from Active Directory Users and Computers on-prem, then let Azure AD Connect sync the deletion.

Step 3: Graph PowerShell Method (Cloud-only Devices)

A. Install Microsoft Graph PowerShell SDK

Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber -Force

B. Connect to Microsoft Graph

Connect-MgGraph -Scopes "Device.ReadWrite.All"

C. Find and Remove Device

# Replace 'DEVICE-NAME' with the actual name
$device = Get-MgDevice -Filter "displayName eq 'DEVICE-NAME'"
Remove-MgDevice -DeviceId $device.Id

If you already have the Object ID, skip the lookup and run:

Remove-MgDevice -DeviceId "<device-object-id>"

Note on Autopilot Devices

In some scenarios, Autopilot devices can lose their connection to the Entra device object, especially if the device has been reset outside of Autopilot flows (e.g., manually or using third-party imaging). This causes:

  • The Autopilot object to remain in the Autopilot portal
  • The Entra ID device to become orphaned
  • Intune showing no matching device

This was exactly the case during a troubleshooting session with Carsten Lund Meilbak, where we were diagnosing an enrollment failure on a Microsoft Teams Room (MTR) device. The Entra ID device had become orphaned, preventing the MTR from successfully enrolling. Manual deletion of the Entra device object was required to resolve the issue.

In these cases, the orphaned Entra ID device must be deleted manually as described above.

Conclusion

Understanding how devices register and appear in Microsoft Intune and Entra ID is crucial for device management. Cross-portal visibility, proper cleanup, and the ability to handle errors like 0x80180014 efficiently ensure a secure and manageable environment for both users and administrators.

If device records are left stale or orphaned, they can interfere with future enrollment attempts, Autopilot deployments, and compliance policies. Always keep your portals clean and verify device join and MDM status regularly.

Mastering Indicators in Microsoft Defender for Endpoint

Posted on by
Reply

As hackers get more daring and attacks more sophisticated, organizations need to continuously look at how they can enhance their security protocols. Concerning statistics show that the cost of cybercrime, already well into the trillions, could surpass $23 trillion by 2027.

Faced with the reality that cybercrime is unquestionably on the rise, a proactive approach is now necessary to lessen the risk of attack. One of the best ways to achieve that is by utilizing the indicators that Microsoft Defender for Endpoint has.

By using these, IT admins can preemptively block malicious entities and prevent them from accessing the organization’s resources. With this in mind, the focus for this blog will be to provide you with detailed information concerning indicators.

Explaining Microsoft Defender for Endpoint Indicators

Indicators provide IT administrators with certain data that can help identify individuals with nefarious intentions. This data can enable organizations to pinpoint malicious IP addresses, untrusted certificates, suspicious URLs, and more. Moreover, an organization can then set up its indicators accordingly thereby enabling a proactive approach to dealing with threats.

In Microsoft Defender for Endpoint, the indicators operate by applying specific rules to endpoint devices. These rules will use predetermined criteria to govern whether or not devices allow or block certain types of activity. A good example of this would be blocking all traffic to and from IP addresses that have been determined to be carrying out malicious activities.

Importance of Indicators

Indicators play a major role in improving organizational security by enabling businesses to take a proactive approach and block malicious actors before they can do any damage. And if an incident does occur, indicators will help you to quickly identify threats and implement a swift response. Additionally, using indicators allows you to customize your security to effectively meet the specific needs of your organization.

These tools are invaluable for intercepting attacks. Once it has been determined that an attack is ongoing, the malicious entities can be immediately blocked therefore limiting the impact from affecting the entire organization.

Types of Indicators with Microsoft Defender for Endpoint

In this section, we’re going to look at four types of indicators that Microsoft Defender for Endpoint supports. These indicators are essential for responding to different threats.

IP ADDRESS INDICATORS

This type is used for preventing access to IP addresses suspected of malicious activities. Once a specific IP address has been determined, an action is implemented that blocks all devices within an organization from connecting to that IP address. To do this, you need to navigate to Microsoft 365 Defender portal > Settings > Indicators. Next, you’ll need to add a new indicator and then select IP Address. With this done, you can now set up the action as Block and specify devices affected.

URL AND DOMAIN INDICATORS

These indicators are used to block access to malicious domains and phishing sites. After you’ve specified the URL concerned, you can then implement an action blocking all devices within your organization from connecting to that particular URL. Microsoft Defender for DNS is recommended if you want to have DNS-level protection.

FILE HASH INDICATORS

These will enable you to block access to known malicious files based on their hash (MD5, SHA-1, or SHA-256). You can use Advanced Hunting in Microsoft Defender or third-party threat intelligence sources to get the necessary file hashes.

CERTIFICATE INDICATORS

With this fourth type, you can block executables signed by untrusted certificates.

How to Set Up Microsoft Defender for Endpoint Indicators

The process of setting up indicators is not an overly complicated one. You start by navigating to the Microsoft 365 Defender portal where you need to sign in with your administrator account. Following this, you can then begin creating an indicator.

CREATION PROCESS

  • Head over to Settings > Indicators.
  • Click on Add Indicator.
  • Select the type of indicator required.
  • Provide the necessary information:
  • Indicator Type: IP Address, URL, File Hash, or Certificate.
  • Action: Block or Allow
  • Scope: Specify which devices/groups will be affected by the action to be performed.
  • Expiration Date: Provide an expiration date for temporary indicators (this is optional).
  • Description: For documentation purposes, a description will be required.

COMPLETING THE PROCESS

After you’ve completed the creation process, you can click Create to save the indicator. You’ll also have the capability to monitor the indicator’s impact by taking advantage of Reports and Advanced Hunting. Advanced Hunting offers a powerful, query-based tool that helps you track threats and evaluate how effectively the indicators are working. Hunting works best if you use filters to get more specific results, as well as if you save and reuse queries during the monitoring processes.

Using Indicators Effectively

Like most other apps and services, you can’t set up indicators once and forget about them. You need to constantly review them and update them when necessary so your security remains strong.

As already mentioned, some indicators are temporary and so you need to remember to set expiration dates for these so that you avoid cluttering your environment. Not only that, but you should ensure that indicators are targeting the specific devices or groups they are created for.

Furthermore, IT admins should continuously evaluate the information obtained from Advanced Hunting and reports so that they are always aware of whether or not the indicators are performing to expectations. And then to enhance your security posture even more, you can combine indicators with Conditional Access policies for better results.

Wrap up

The staggering figures that we hear being thrown around when discussing cybercrime are almost beyond belief. But, the reports about cybercrime provide a lot of insights that enable organizations to take the necessary steps to improve their security. Leveraging the indicators available in Microsoft Defender for Endpoint goes a long way in securing your network and reducing the risk of attack. If applied correctly and used as recommended, indicators can be some of the best tools in an organization’s cybersecurity arsenal.

Resolving the Microsoft ODBC Driver 18 Prerequisite Error During Configuration Manager 2503 Upgrade

Posted on by
Reply

Upgrading to Microsoft Configuration Manager (ConfigMgr) version 2503 is a critical step for IT administrators aiming to leverage the latest security enhancements and bug fixes. However, many have encountered a recurring issue during the prerequisite check

[Failed]: Install the Microsoft ODBC driver 18 for SQL setup from https://go.microsoft.com/fwlink/?linkid=2220989.

This error often appears even when the ODBC Driver 18 is already installed. This article delves into the root cause of this problem and provides a comprehensive solution.

Understanding the Issue

The Configuration Manager 2503 prerequisite checker mandates the installation of the Microsoft ODBC Driver 18 for SQL Server. However, the link provided in the error message (https://go.microsoft.com/fwlink/?linkid=2220989) directs users to an outdated version of the driver. Consequently, even if a version of the driver is installed, the prerequisite check may fail if it’s not the expected version.

Administrators have reported that installing the driver from the provided link results in a message indicating that a newer version is already present, yet the prerequisite check continues to fail. This inconsistency stems from the prerequisite checker not recognizing newer versions of the driver – Reddit – System Center Dudes

To resolve this issue, it’s essential to ensure that the correct version of the Microsoft ODBC Driver 18 for SQL Server is installed. The recommended version is 18.5.1.1 or later.

Step 1: Uninstall Existing ODBC Driver 18 Versions

Before installing the correct version, remove any existing installations of the ODBC Driver 18:

  1. Open Control Panel.
  2. Navigate to Programs and Features.
  3. Locate Microsoft ODBC Driver 18 for SQL Server.
  4. Right-click and select Uninstall.

Step 2: Download and Install the Correct Version

Download the latest version of the ODBC Driver 18 for SQL Server (version 18.5.1.1 or later) from the official Microsoft website:

Choose the appropriate installer based on your system architecture (e.g., x64).

Step 3: Re-run the Prerequisite Check

After installing the correct version:

  1. Open the Configuration Manager Console.
  2. Navigate to Administration > Updates and Servicing.
  3. Right-click on the Configuration Manager 2503 update and select Run prerequisite check.

The check should now pass without errors related to the ODBC driver.

Additional Considerations

  • Multiple ODBC Versions: Some administrators have multiple versions of the ODBC driver installed (e.g., versions 17, 18, and 19). While multiple versions can coexist, ensure that version 18.5.1.1 or later is present, as it’s the one recognized by the prerequisite checker.
  • Silent Installation: For automated deployments, the ODBC driver can be installed silently using the following command: bashCopyEditmsiexec /i msodbcsql18.msi /quiet /norestart

Replace msodbcsql18.msi with the actual filename of the downloaded installer.

  • Verify Installation: After installation, verify the driver version:
    1. Open ODBC Data Source Administrator.
    2. Navigate to the Drivers tab.
    3. Ensure that ODBC Driver 18 for SQL Server is listed with version 18.5.1.1 or later.

Conclusion

The prerequisite check failure during the Configuration Manager 2503 upgrade, related to the Microsoft ODBC Driver 18 for SQL Server, is primarily due to version discrepancies. By uninstalling outdated versions and installing the recommended version 18.5.1.1 or later, administrators can ensure a smooth upgrade process.

References

Benefits of Windows 365 Link

Posted on by
1

Since its launch in 2021, Windows 365 has benefited from countless new features and updates that have enhanced the Cloud PC experience. And 2024 has not been an exception. But, arguably the biggest Windows 365 announcement comes right as the year is coming to an end. Microsoft is introducing a purpose-built device that has been specifically designed to enable users to quickly and securely connect to their Windows 365 Cloud PCs. As the first Cloud PC device, Windows 365 Link is generating a lot of interest. And it’s looking to be the the high-fidelity experience Microsoft promises.

Unboxing

Once you receive your Windows 365 Link device, you can expect to find the following:

HardwareWindows 365 Link device.Power adaptor.Quick start guide.
PortsOn the front panel, you’ll find a USB-A port, a 3.5 mm audio jack, as well as a power button and LED indicator. On the back panel, you’ll find 2 USB-A ports, 1 USB-C port, 1 Display Port, 1 ethernet port, 1 HDMI port, and the power supply port.
Side PanelThe side panel has a Kensington lock to physically secure the device.
Monitor SupportBoth the HDMI and Display Port support one monitor each, up to 4k in resolution.
Peripheral SupportUsers will get USB and Bluetooth support for their keyboards, mice, headphones, and cameras.
SoftwareThe device comes pre-installed with a small, Windows-based OS called Windows CPC. To add to the convenience, updates are downloaded in the background and then installed during off hours. However, to ensure these updates occur, verify that the device is plugged in and powered on (in standby or sleep mode).
Wireless SupportHere you get Wi-Fi 6E as well as Bluetooth 5.3.

Why would I need this?

Understandably, whenever a new device comes on the market, businesses want to know how purchasing the product can benefit them. After all, the Windows 365 Link device will set you back US$349.

According to Microsoft, this new device aims to resolve some of the problems that Cloud PC users encounter. These include, but are not limited to, latency issues, security challenges, and complicated sign in processes. From what we’ve heard so far, the biggest positives of using the Link device will be:

CLOUD-POWERED PERFORMANCE

Users can harness the full power of the cloud to increase their efficiency and enjoy a more seamless experience. With the ability to connect to their Windows 365 Cloud PCs in seconds, users can maximize productivity. This ensures that businesses get full value for their investment. Additionally, users will benefit from responsive, high-fidelity experiences with access to all their favorite Microsoft 365 productivity apps.

SECURE BY DESIGN

The Windows 365 Link devices comes with security measures that will address the concerns about endpoint vulnerability that IT professionals have raised. Because of these concerns, the Link device has a locked-down operating system with no local data or apps, and no local admin users. By designing it this way, Microsoft has significantly reduced the potential attack surface thus making the task of compromising devices much harder.

Furthermore, the availability of passwordless authentication using Microsoft Entra ID means that users can sign in with MFA using the Microsoft Authenticator app, a cross-device passkey using a QR code, or a FIDO USB security key. Consequently, the use of all these security measures will serve to improve overall device protection.

SIMPLIFY IT MANAGEMENT

Another key issue that Windows 365 Link wants to resolve is complex management. I’m sure that we’ve all at one point or another been frustrated about just not seeming to have enough time to complete all the tasks at hand.

Fortunately, Windows 365 Link gives us a possible solution by enabling admins to configure and manage devices using Intune. By allowing admins to leverage the knowledge and policies they already have, the Link device helps improve IT management efficiency.

ALIGNMENT WITH SUSTAINABILITY GOALS

Many organizations are looking for ways that can help them make a positive environmental impact while simultaneously enhancing business operations. With this in mind, Microsoft has built the Windows 365 Link device to be a sustainable product.

The device is built with 90% post-consumer recycled aluminum alloy in its top shield, 100% pre-consumer recycled aluminum alloy in its bottom plate, and its motherboard contains 100% recycled copper and 96% recycled tin solder.

In addition, when in operation, Windows 365 Link consumes less energy than your average desktop with external monitors and peripherals connecting to Windows 365. And as a device that has been designed to have a long life, the lack of moving parts means that frequent replacements will not be an issue with this gadget.

Get an early look

As mentioned before, Windows 365 will become generally available as of April 2025. In the interim, those who want to get an early look may be able to participate in the public preview.

Anyone interested in getting Windows 365 Link devices for their organization should get in touch with their Microsoft account team. Additionally, you could also join the Customer Connections Program and Office hours for the latest updates as part of your participation.

Wrap up

The new purpose-built device that Microsoft is introducing will make accessing Cloud PCs much simpler for users. With the ability to wake quickly and connect you to your Cloud PC in seconds, this device has the potential to be an excellent productivity tool. Announced at Microsoft’s Ignite 2024 tech conference in Chicago, Windows 365 Link will provide users with a high-fidelity experience with access to all the familiar Microsoft 365 apps.

The public preview period should provide us with a lot more information in the coming months. But, as something that Microsoft hopes will bring positive change to the future of virtualization, the lightweight Link device will have a lot riding on its petite frame.

Mastering Flow Dynamics Calibration on the Bambu Lab X1 Carbon

Posted on by
Reply

Flow dynamics calibration is critical to achieving high-quality 3D prints, especially when using the Bambu Lab X1 Carbon (X1C). Proper calibration ensures precise material extrusion, improved surface quality, and optimal dimensional accuracy. In this detailed guide, we’ll dive into everything you need to know about flow dynamics calibration for the X1C, including why it’s important, when you should do it, how the printer handles calibration, and how to perform and save a manual calibration properly.

1. Understanding Flow Dynamics Calibration

Flow dynamics calibration is the process of tuning how the printer compensates for the behavior of melted filament as it moves through the nozzle and onto the print bed. Factors such as filament type, viscosity, print speed, and temperature all impact flow characteristics.

Flow dynamics calibration helps determine the optimal “pressure advance” (K value), which corrects for the lag between extrusion start/stop and nozzle pressure buildup/release.

Without proper calibration, you might experience issues like:

  • Over-extrusion at corners
  • Blobs and zits on surfaces
  • Inconsistent line widths
  • Dimensional inaccuracies

Thus, a good flow dynamics calibration is essential for high-fidelity prints.

2. How Bambu Lab X1C Handles Flow Dynamics Calibration

The X1C offers two primary ways to calibrate flow dynamics:

2.1 Automatic Flow Dynamics Calibration Before a Print

When you enable “Flow Dynamics Calibration” in the print settings before a print, the printer will perform a calibration sequence. However:

  • The result is used only for that specific print.
  • It is not saved to any filament profile or memory for future prints.

This method is quick and convenient but not optimal for consistent results across multiple prints.

2.2 Manual Calibration via Bambu Studio

Performing a manual calibration through Bambu Studio allows you to:

  • Calibrate flow dynamics accurately
  • Save the resulting K value directly into a filament profile
  • Apply this calibration automatically every time you use the filament

This ensures consistent quality without the need to recalibrate every print.

3. When Should You Perform Flow Dynamics Calibration?

Calibration isn’t necessary before every single print, but there are several situations where you should perform it manually:

  • Using a new brand or type of filament (e.g., switching from PLA to PETG)
  • Changing nozzle sizes (e.g., from 0.4mm to 0.6mm)
  • After significant nozzle wear
  • Changing maximum volumetric speeds
  • Noticing under- or over-extrusion artifacts
  • Filament moisture exposure

Remember: better calibration means fewer failed prints and higher part quality.

4. How to Manually Calibrate Flow Dynamics (and Save It)

Let’s walk through the manual calibration process in detail.

4.1 Preparation

Before you begin, make sure:

  • Your printer is clean and the nozzle is not partially clogged.
  • You are using dry filament.
  • Your AMS system is correctly loaded (if used).
  • Bambu Studio is updated to the latest version.

4.2 Step-by-Step Manual Calibration

Step 1: Open Bambu Studio

Launch Bambu Studio and connect your X1C printer.

Step 2: Select Calibration Menu

  • Navigate to Device > Calibration.
  • Select Flow Dynamics Calibration (Pressure Advance).

Step 3: Choose Filament and Profile

  • Select the filament you want to calibrate.
  • Choose the correct nozzle size (if applicable).

Tip: If you’re unsure about the nozzle size, you can find it in your printer’s configuration or by physical inspection.

Step 4: Start the Calibration Process

  • Click Start Calibration.
  • The printer will print a special pattern designed to measure pressure advance.

This process usually takes around 5-10 minutes.

Step 5: Analyze Results

Once the test print is complete:

  • Bambu Studio will automatically analyze the printed lines.
  • It will suggest an optimal K value.
  • Accept the suggested value if it looks good, or manually adjust based on visual inspection.

Step 6: Save the Calibration

After accepting the K value:

  • Save it directly into the filament profile.
  • The K value will now automatically apply every time you use this filament with this profile.

Congratulations! You’ve now successfully saved your flow dynamics calibration for ongoing use.

5. Important Tips for Successful Calibration

  • Calibrate at typical print temperatures: If you normally print PETG at 240°C, calibrate at that temperature.
  • Use default speed settings: Don’t alter speed drastically during calibration unless necessary.
  • Keep environmental factors constant: Big changes in ambient temperature (cold garage vs warm room) can affect extrusion behavior.
  • Dry your filament: Especially important for hygroscopic materials like nylon and PETG.

6. Troubleshooting Calibration Problems

Problem 1: Inconsistent calibration results

  • Check nozzle for partial clogging.
  • Make sure filament is dry.

Problem 2: K value seems too high or too low

  • Double-check filament diameter consistency.
  • Look for under/over-extrusion or strange surface artifacts.

Problem 3: Calibration pattern looks messy

  • Level your bed.
  • Ensure proper first layer adhesion before starting.

7. Expert Tips for Advanced Users

  • Tune Flow Rate Afterwards: After setting pressure advance, consider tuning “flow rate” or “extrusion multiplier” for perfect walls.
  • Multiple Calibrations: Some experts recommend doing calibration at both slow and fast speeds and averaging the K value.
  • Custom G-code Scripts: Advanced users can embed calibration K values into startup G-code scripts if they want different K values for different speeds automatically.

8. FAQs About Flow Dynamics Calibration on Bambu Lab X1CQ1: Can I use the same calibration across different filament colors?

Sometimes yes, but darker pigments (like black) and translucent filaments often behave slightly differently.

Q2: Do I need to recalibrate if I switch from PLA to PLA+?

It’s recommended, because even minor changes in formulation affect flow.

Q3: Will nozzle wear affect calibration?

Definitely. A worn-out nozzle has larger internal diameter, affecting pressure buildup and release.

Q4: What’s the default K value if I never calibrate?

Bambu Lab sets conservative defaults, but they’re not optimized for every filament.

Q5: Can I copy calibration profiles between filaments?

You can, but performance may degrade. It’s better to calibrate each filament.

9. Conclusion

Flow dynamics calibration is a cornerstone of achieving professional-level results with your Bambu Lab X1 Carbon. While the automatic on-the-fly calibration is convenient for quick prints, for serious or repeatable results, manual calibration is the way to go.

By taking the time to manually calibrate and save your pressure advance values into filament profiles, you’ll:

  • Save time on reprints
  • Improve surface finishes
  • Ensure accurate dimensions
  • Reduce mechanical stresses in parts

Remember, every filament is unique. Treat your printer and materials with care, and they will reward you with stunning prints every time.

10. Resources and Further Reading

From Anet A8 Plus to Bambu Lab X1 Carbon – My Journey into Effortless 3D Printing

Posted on by
Reply

When I think back to how my 3D printing journey started, it all began with a big box of parts and a manual that felt like it was translated by an AI still in beta. That was the Anet A8 Plus—my very first printer. It was as DIY as it gets. You didn’t just build the prints—you practically built the printer itself.

The A8 Plus was a fantastic learning tool. I learned what a stepper driver was, how to flash firmware, how to fix a failed thermistor, and that fire hazards were very real if you weren’t careful with your wiring.

Later, I upgraded to the Creality Ender-5 Pro, which felt like a huge step up. It was sturdier, more consistent, and less prone to spontaneous meltdowns. But even that required regular tinkering—manual bed leveling, frequent nozzle changes, and more “printer babysitting” than I liked to admit.

Then came the Bambu Lab X1 Carbon.

If the A8 Plus was the equivalent of building your own race car and the Ender-5 Pro was a dependable but clunky commuter, the X1C is a Tesla Model S of printers: sleek, fast, nearly autonomous, and kind of magical.

The Evolution of Setup: Screws, Springs, and… Silence?

The Anet A8 Plus was where I learned patience. Assembly took hours. Wiring felt like a bomb defusal mission. Firmware? Let’s just say I bricked it once and learned to never skip backups again.

The Ender-5 Pro was pre-assembled to an extent, but still required manual leveling and tuning. Every time I moved the printer, I had to redo everything. Good prints were possible—but they weren’t guaranteed.

Then the Bambu Lab X1C showed up.

Fully assembled. No Z-bracing hacks needed. No fiddling with springs and wheels. It booted up with a clean interface, and after a few taps on the touchscreen, that was easly mounted, it auto-calibrated everything from bed leveling to flow rate compensation.

It felt like jumping into a self-driving car after years of clutch-kicking old stick shifts.

Unboxing: From Cardboard Chaos to Premium Packaging

The Ender-5 Pro came in a box filled with foam blocks, mystery screws, and semi-labeled bags. Not quite chaos, but you definitely needed a good table and some spare time.

Unboxing the Bambu Lab X1 Carbon was a totally different experience. Think “Apple product”. Everything was labeled, secured, and neatly packed. The AMS (Automatic Material System) had its own box, clearly organized with guides and quick-start instructions.

In 20 minutes, I had it powered on and connected to Wi-Fi. No zip ties. No half-translated instructions. Just plug-and-play. And it felt luxurious.

First Print: A Benchmark Benchy, But Make it Beautiful

We all do it. The first print is always a Benchy. But with the X1C, it wasn’t just to test the printer—it was to witness what modern hardware could do with zero tinkering.

This Benchy came out faster, cleaner, and more detailed than any print I’d ever done on my Ender-5 Pro or Anet A8 Plus. The hull was smooth, the portholes were crisp, and the layers? Practically invisible.

No first layer anxiety. No extrusion hiccups. Just hit “print” and watch it go.

AMS: The Game-Changer I Didn’t Know I Needed

Back on the A8 and Ender, multi-color printing was a manual mess. Pause the print, swap the filament, purge, hope the printer doesn’t blob up the nozzle, and repeat.

With the AMS, that whole drama vanished. I loaded four filaments, selected colors in Bambu Studio, and let it run. The AMS handled filament switching, detection, and purging all on its own.

Watching it print a multicolor model—with seamless transitions—felt like magic.

Speed and Precision: CoreXY Muscle

On the Ender-5 Pro, I had to balance speed with quality. Push too fast, and the prints got sloppy. Stick to 50mm/s and you’d wait overnight.

The X1C prints at up to 500mm/s thanks to its CoreXY motion system. That’s not a typo. And somehow, it doesn’t shake, doesn’t wobble, and doesn’t lose accuracy.

A model that took 7 hours on the Ender now finishes in under 3. And with better quality.

Noise and Smell: Office Friendly at Last

Both the Anet and Ender were noisy. Stepper motor whine, fans, open-frame echoing… not something you want running next to your desk.

The X1C is enclosed and well-insulated. The AMS adds some clicking during filament changes, but overall it’s just a soft hum. No PLA smell. No ABS fumes. Finally, a printer that doesn’t dominate the room it’s in.

Slicer Experience: From Cura Tuning to Bambu Smoothness

Cura served me well, especially on the Ender. But getting prints dialed in took work—adjusting profiles, testing retraction, tuning speeds.

Bambu Studio is built for the X1C. It has presets that just work, but also allows deep customization. It connects directly to the printer, offers real-time monitoring, and even supports remote starts.

I send models from my laptop and start prints from my phone. No SD card shuffle. No hassle.

Downsides? A Few.

  • Cost: It’s a premium machine, and the AMS adds to the price. Not for budget tinkerers.
  • Filament Drying: AMS isn’t a dryer. You still need dry storage for hygroscopic filaments.
  • Ecosystem Lock-In: It works best with Bambu gear and software. You can go open-source, but it takes more effort.

Still, these are minor trade-offs compared to the value and time it saves.

What I Still Use the Ender For

Believe it or not, the Ender-5 Pro still gets some use. It’s great for rough prototypes, quick PETG brackets, or experimental filaments I don’t want to risk clogging the AMS.

The A8 Plus? It retired with honors. It taught me everything I needed to know about 3D printing—the hard way.

Final Thoughts: Worth the Hype

The Bambu Lab X1 Carbon changed how I think about 3D printing. It’s no longer a technical project—it’s a creative tool. It’s fast, reliable, versatile, and smart.

For anyone coming from the tinker-heavy days of Anet or Creality machines, the X1C feels like stepping into the future.

Would I recommend it? 100%. If you want to focus on printing instead of troubleshooting, the X1C is the printer you’ve been waiting for.

And once you try it, there’s no going back.

Bambu Lab X1C 3D Printer
Bambu Lab AMS 2 Pro – Automatic Material System

Windows Autopilot Device Preparation – Overcoming the Win32 App Deployment Challenge

Posted on by
Reply

Windows Autopilot is a set of technologies that is built to simplify the process of deploying, setting up, and configuring new devices. By using this technology, users can avoid going through the traditional imaging process and save countless productive hours.

However, Autopilot is not without its faults. One of the more common instances of running into problems occurs when using Managed Installer policies with Win32 app deployment during the Autopilot device preparation phase. As an issue that can cause quite a headache, this blog will help you better understand this problem as well as provide you with solutions for addressing it.

Windows Autopilot Explained

Windows Autopilot gives organizations a solution that eliminates the challenges that come with building, maintaining, and generally applying custom images. IT admins can use this service to set up new desktops to join pre-existing configuration groups and apply profiles to the desktops. What this does is give users the opportunity to access fully functional desktops from their first login.

Importance of Managed Installer Policies

Managed Installer policies are useful for dictating which applications can be installed on your organization’s devices. Once enabled, Managed Installer uses a special rule collection in AppLocker to designate binaries. These are trusted by your organization as an authorized source for application installation.

The problem IT admins will run into is that currently Windows Autopilot device preparation doesn’t guarantee the delivery of the Managed Installer policy before trying to install Win32 apps. Because of this, you may end up with deployment failures during the App Installation phase of Autopilot.

INVESTIGATING THE PROBLEM

A regular deployment scenario follows a series of steps that begins with the launch of the Autopilot Device Preparation process. Following this, Win32 apps are then scheduled for installation as part of the device preparation policy.

At this point, the Managed Installer policy won’t yet have been installed. The reason why you may see the Win32 app installations failing is because the policy is set up to block apps from unverified sources.

WHAT TO EXPECT With Windows Autopilot

One of the things you can expect to see because of this issue is the Autopilot deployment process stopping at the app installation phase. You will also get error messages showing application deployment failures. Another thing to expect is that deployment reports will show failed Win32 app installations. Lastly, end-users may receive incomplete or improperly configured devices.

How has Microsoft addressed the issue?

Microsoft is fully aware of the issue at hand and has offered some recommendations that provide a temporary solution. IT admins can start by removing Win32 apps from all Autopilot device preparation policies.

Also, devices should be left to complete Autopilot and reach the desktop. Furthermore, Win32 apps and Managed Installer policies need to be applied after the user gets to the desktop.

In October 2024, Microsoft announced service release 2410 that introduced some new changes that will see Win32 and Microsoft Store apps being automatically skipped during device preparation and instead continuing to the desktop. To implement these solutions, you’ll need to follow the steps below:

AUDIT YOUR EXISTING Windows AUTOPILOT DEVICE PREPARATION POLICIES

For this process, organizations need to identify all device preparation policies configured in Intune. You’ll also need to verify any Win32 apps included in these policies. With all this done, make sure to document these apps as well as their purpose.

REMOVE WIN32 APPS FROM DEVICE PREPARATION POLICIES

Navigate to Microsoft Intune and edit your existing device preparation policies. Then, proceed to remove all Win32 apps from these policies. Once these tasks are complete, save and apply the updated policies.

MONITOR DEPLOYMENT STATUS

Use the updated policies to deploy your devices. You can track the progress of this process using the Autopilot Deployment Report. Make sure that you check that devices reach the desktop without app installation failures.

DEPLOY WIN32 APPS POST-ENROLLMENT

Once a device has reached the desktop, you can reassign your Win32 apps to deploy. You’ll need to use Required or Available for enrolled devices deployment settings in Intune. The success of app installation can be monitored using Intune’s reporting tools.

Alternative Options

In addition to the recommendations by Microsoft, there are other options that organizations can consider to address the above-mentioned issue. These include:

PRE-STAGE CRITICAL APPLICATIONS

One thing that organizations can consider doing is pre-staging key apps that are required to be on the device at deployment. This can be done using offline methods such as:

  • Injecting apps into the Windows image using tools like OSDCloud or Configuration Manager.
  • App deployment using PowerShell scripts post-Autopilot.

CONDITIONAL ACCESS AND APP PROTECTION POLICIES

If your organization is worried about security, then using Conditional Access policies will help block access to corporate resources until the necessary apps have been installed. An example of this would be enforcing Conditional Access policies to ensure that non-compliant devices are prevented from accessing the organization’s resources.

Optimize Enrollment Status Page (ESP) Configuration

The Enrollment Status Page plays a key role in controlling app deployment during Windows Autopilot. This is done by dividing the deployment into several stages, thus allowing you to prioritize the apps you consider more important.

USER VS DEVICE ASSIGNMENTS

With device-based deployments, there is a greater likelihood of encountering problems with Managed Installer policies. Because of this, it’s worth considering changing your app deployment from device-based to user-based assignments.

PILOT AND TEST NEW CONFIGURATIONS

Before rolling out new deployment configurations to the entire organization, it’s always wise to test them on a small pilot group. Doing it this way gives you the opportunity to identify problems and address them early.

Monitoring and Troubleshooting

The availability of Autopilot Deployment Reports in Microsoft will provide organizations with key information concerning the deployment process. This allows them to evaluate skipped apps, failed deployments, and device readiness status.

Additionally, organizations should also use Intune Diagnostics and Event Viewer to analyze deployment logs. By evaluating these logs, IT admins can pinpoint specific app failures and then determine whether they’re related to the Managed Installer policy.

If all else fails and your deployment issues are still yet to be resolved, you’ll have the option of reaching out to Microsoft Support for any help you need. Alternatively, engaging with the Intune community on X may yield assistance from those who have dealt with the issues you may be confronting.

Wrap Up

Windows Autopilot offers organizations a powerful tool to help simplify the process of deploying and setting up devices. Processes are made simpler and faster, thus helping businesses operate more efficiently. And although there may be issues with Wind32 app deployment during device preparation, there are ways to deal with it.

But, in addition to the workaround, we can look forward to Microsoft developing a more permanent solution to this challenge. Updates are sure to be forthcoming and we will be keeping an eye on what Autopilot will bring us next.

Advanced Security and Compliance Strategies for Cloud PCs: Windows 365 and Azure Virtual Desktop Integration

Posted on by
2

The evolution of powerful cloud computing has resulted in the development of platforms like Windows 365 and Azure Virtual Desktop (AVD). These services can offer numerous benefits to businesses including greater degrees of flexibility and efficiency.

Additionally, employees can get better computing performance by leveraging the resources that Windows 365 and AVD can offer. However, the key to getting the most from these solutions is implementing effective security and compliance strategies. Below, we’ll be looking at some of the strategies you can use to enhance organizational security and improve operations.

Introducing Windows 365 and Azure Virtual Desktop

WHAT IS WINDOWS 365?

Windows 365 is a cloud-based solution that offers users Windows virtual machines (Cloud PCs). Each of these Cloud PCs will be assigned to an individual user and this becomes their dedicated Windows device. Simply put, Windows 365 is your PC in the cloud accessible from anywhere.

WHAT IS AZURE VIRTUAL DESKTOP?

With Azure Virtual Desktop, Microsoft offers clients a desktop and app virtualization service that runs on Azure. By using this service, businesses get a virtual desktop infrastructure that provides multi-session Windows experiences. AVD is generally considered more technical than Windows 365 and this allows for more customization.

DIFFERENCES BETWEEN WINDOWS 365 AND Azure Virtual Desktop

 Identity ManagementSecurity PoliciesMulti-sessionBuilt-in Security
Windows 365Azure ADIntune and Endpoint securitySingle user Cloud PCFully Microsoft managed
Azure Virtual DesktopHybrid Azure AD or AD DS integration Group Policies, Intune, and NSGsOffers multi-session Windows experiencesCan be customized but this would require hands-on security setup

Why is Security and Compliance So Important?

Every organization needs to put in place strong security measures to minimize the risks of any data breaches or loss. Without advanced security and compliance strategies, malicious actors can take advantage and attempt to compromise your network. This is why it’s vital for organizations that are adopting cloud-based computing solutions to enhance their cybersecurity so that remote access does become a vulnerability.

Moreover, most industries such as finance and healthcare will have certain strict regulations that businesses must adhere to. Such regulations have been put in place to not only safeguard businesses but to ensure that sensitive client data remains protected. Some of the risks to protect against include Identity theft, unsecured endpoints, and malware attacks among others.

Utilizing Zero Trust Security with Windows 365 and Azure Virtual Desktop

Zero Trust security employs a system that strictly verifies the identity of every individual and device attempting to access the resources of an organization’s network. This security model is essential for providing a high standard of protection for Windows 365 and Azure Virtual Desktop.

By using Zero Trust, no one is trusted by default whether in or outside the organization’s network. This means that everyone needs to be authenticated and authorized before being granted access.

In addition to the above, those verified will only be provided the minimum level of access necessary for whatever tasks they may need to carry out. But, even with such a strategy in place, breaches may still occasionally occur. Fortunately, the Zero Trust model was built with this in mind and is designed to minimize the impact of a network breach.

Effective Advanced Security Strategies

CONDITIONAL ACCESS AND MULTI-FACTOR AUTHENTICATION

Conditional Access enforces security policies that determine who gets access to which resources and under what conditions. As an integral element of Azure AD security, Conditional Access can help organizations control access to Cloud PCs. To get the best from Conditional Access, organizations need to force all external connections to perform multi-factor authentication (MFA).

But, even with this in place, access from high risk locations still needs to be blocked. Furthermore, as an organization, you need to have strict compliance regulations governing which devices will be considered compliant and thus granted access to corporate resources.

ENDPOINT SECURITY POLICIES

Endpoint Security policies aim to help you improve the security of your endpoints and mitigate the risk of malicious attacks. One of the main Endpoint Security policies is Antivirus Protection which is responsible for ensuring that Microsoft Defender is functioning properly and regularly updated.

Another key policy is Disk Encryption which implements BitLocker on all Windows 365 devices. Furthermore, organizations also benefit from Firewall Rules that establish firewall policies designed to reduce attack surfaces.

MICROSOFT DEFENDER FOR CLOUD AND ADVANCED THREAT PROTECTION

These solutions will ensure that your organization gets high level security for both Windows 365 and AVD environments. With the availability of Threat Detection capabilities, you can rest assured that all suspicious activity will be identified and dealt with accordingly.

Moreover, you also have Compliance Monitoring which assesses security configurations before making the appropriate recommendations. In addition, integration with Azure Sentinel means centralized incidence response and monitoring.

Compliance Strategies

As mentioned earlier, different industries, including government departments, have certain regulations that they need to adhere to. For instance, there is the well known General Data Protection Regulation (GDPR), HIPAA for the healthcare sector, and PCI-DSS for the finance sector, among others. To ensure that these compliance regulations are met, organizations need to:

  • Put in place Data Loss Protection policies that safeguard sensitive data
  • Leverage Azure Policy to enforce regulatory requirements at the infrastructure level.
  • Conduct regular reviews of security strategies and baselines enabling you to make the appropriate changes when necessary.

Monitoring, Auditing, and Incident Response

The monitoring tools available include Azure Monitor which gives you insights into resource health and performance. Another tool is Microsoft Defender for Endpoint responsible for detecting and acting on endpoint threats. Additionally, Azure Sentinel is available to offer centralized logging and threat detection for Windows 365 and AVD environments.

To get the best incidence response, you can start by configuring Automated Playbooks in Azure Sentinel for swift responses. Furthermore, you should regularly test security policies and run tabletop exercises.

Managing Security and Compliance with Windows 365 & Azure Virtual Desktop

To effectively manage security and compliance, you need a complete understanding of an organization’s compliance requirements. With that done you can implement a Zero Trust model so that all policies align with Zero Trust principles. Then, you should select a small group of users to pilot and test security policies before expanding.

Additionally, you should also enable automated security updates and use Intune and Microsoft Defender for updates and patches. Another good practice would be using Azure Sentinel and Microsoft Defender to help you continuously monitor your environments. And then arguably the most important tool available to an organization is ensuring that end users have a comprehensive understanding of security policies.

Wrap up

Virtual computing environments offer countless benefits to organizations. Increased flexibility, potentially lowering hardware costs, and excellent computing performance, among others immediately come to mind. However, to get the most from solutions like Windows 365 and Azure Virtual Desktop, effective advanced security and compliance strategies are necessary. Without such strategies, organizations leave themselves open to malicious attacks.

The Go-To Guide for Setting Up SFTP Access with Azure Blob Storage and Microsoft Entra ID

Posted on by
1

Introduction

In today’s business environment, securely exchanging data with external partners is essential. Azure Blob Storage with native SFTP support offers a scalable, secure solution, while Microsoft Entra ID provides robust identity management. Together, these tools help organizations share data with external users while ensuring security and compliance.

This go-to guide will walk you through configuring Azure Blob Storage for SFTP, managing user access with Entra ID, and showcase three real-world use cases—payment reconciliation, logistics data sharing, and healthcare data exchange.

Why Use Azure Blob Storage with SFTP and Entra ID?

Azure Blob Storage with native SFTP support simplifies secure file transfers without the need for third-party SFTP servers. Integrating Microsoft Entra ID enhances security by enforcing multi-factor authentication (MFA), conditional access, and role-based access control (RBAC).

Benefits at a Glance

  • Scalable and Cost-Effective: Pay only for the storage you use.
  • Secure File Transfer: Use the SFTP protocol for encrypted data transfer.
  • Centralized Access Management: Use Entra ID to control and monitor external access.
  • Automation and Integration: Seamless integration with tools like Azure Logic Apps and Power Automate.

Step 1: Setting Up Azure Blob Storage with SFTP Support

Follow these steps to set up Azure Blob Storage for SFTP access.

1.1 Create an Azure Storage Account

  1. Sign in to the Azure Portal.
  2. Go to Create a Resource and select Storage Account.
  3. Configure the storage account:
    • Subscription and Resource Group: Choose your existing or create new ones.
    • Storage Account Name: Must be globally unique.
    • Region: Select the region closest to your users.
    • Performance: Choose Standard for general use or Premium for high-performance workloads.
    • Replication: Choose Locally Redundant Storage (LRS) or Geo-Redundant Storage (GRS) based on your redundancy needs.
  4. Under the Advanced tab, enable SFTP Support (Preview).
  5. Click Review + Create, then Create the storage account.

Step 2: Configuring SFTP Access for External Partners

  1. Navigate to your newly created storage account.
  2. Under Data Transfer, select SFTP Settings.
  3. Click Add Local User to create an SFTP user:
    • Username: Use a descriptive name like partner1.
    • Authentication: Choose SSH Key-based authentication for enhanced security.
    • Home Directory: Assign a specific container (e.g., /transactions).
    • Permissions: Grant appropriate permissions (Read, Write, List).
  4. Generate an SSH Key if you don’t have one:
    • Use ssh-keygen (Linux/Mac) or PuTTYgen (Windows).
  5. Save the configuration and take note of the SFTP endpoint.

Step 3: Integrating Microsoft Entra ID for Access Control

To ensure only authorized users access your SFTP service, use Microsoft Entra ID to manage identity and access.

3.1 Conditional Access Policies

  1. Go to the Azure AD Portal.
  2. Create a new Conditional Access Policy to enforce MFA and restrict access based on location.

3.2 Role-Based Access Control (RBAC)

Assign roles to external users to limit their access to only the relevant Azure Blob containers.

Step 4: Real-World Use Cases

Case 1: Payment Reconciliation – Mastercard Data Exchange

A retail company needs to securely exchange Mastercard transaction data with an external payment processor for daily reconciliation.

Workflow:

  1. The payment processor uploads transaction data to the SFTP endpoint.
  2. Azure Blob Storage receives and stores the files.
  3. Business Central or an ERP system processes the data for reporting and reconciliation.

Security Measures:

  • Use MFA and Conditional Access for external user authentication.
  • Configure audit logging to monitor access and activity.

Case 2: Logistics Data Sharing – Real-Time Inventory Updates

A manufacturing company needs to share real-time inventory data with its logistics partner.

Workflow:

  1. The logistics partner downloads inventory files and uploads shipping updates to the SFTP server.
  2. An Azure Function processes these updates and integrates them into the company’s ERP.

Security Measures:

  • RBAC ensures the logistics partner only accesses relevant files.
  • Data encryption protects information in transit and at rest.

Case 3: Healthcare Data Exchange – Secure File Transfers with External ClinicsA hospital exchanges patient data with external clinics, ensuring compliance with GDPR and HIPAA regulations.

Workflow:

  1. Clinics upload test results and patient data to the hospital’s SFTP endpoint.
  2. An Azure Logic App validates and integrates the data into the hospital’s EMR system.
  3. Doctors receive automatic notifications for new updates.

Security Measures:

  • Conditional Access restricts access by IP and enforces MFA.
  • Data masking during processing protects sensitive information.

Step 5: Automating Data Processing

Azure Logic Apps

Automate file processing with Logic Apps to trigger workflows when a file is uploaded.

Azure Functions

Run custom code to process files and integrate them with external systems.

Power Automate

Create simple automation workflows for notifications and approvals.

Step 6: Security Best Practices

  1. Enforce Multi-Factor Authentication for all external users.
  2. Use Conditional Access Policies to limit access by device and location.
  3. Encrypt Data at Rest and in Transit.
  4. Rotate SSH Keys Regularly.
  5. Audit and Monitor Access Logs for unusual activity.

Conclusion

Azure Blob Storage with SFTP support and Microsoft Entra ID provides a powerful and secure platform for exchanging data with external partners. Whether you are exchanging financial data, inventory files, or healthcare records, this setup ensures security, compliance, and scalability.

By following this step-by-step guide and using the real-world use cases as inspiration, you can create a secure, reliable solution for your organization’s external data exchange needs.

Further Reading:

Windows 365 Link Device Onboarding – All You Need to Know

Posted on by
2

The business environment today is constantly evolving and organizations that fail to adapt can quickly find themselves falling behind. And in this era of rapid technology changes, it can sometimes prove impossible to catch up. If we look back at just the last five years, for instance, we have witnessed significant change in hybrid work acceptance. Services such as Windows 365 have given organizations a secure, reliable platform that enables employees to remain productive anywhere.

With this kind of flexibility as well as the capability to access Cloud PCs from any device, business productivity can soar. By introducing Windows 365 Link, the advantages will be even greater.

Having gone over the process for setting up Windows 365 Link in a previous post, today we’ll be looking at how you can onboard Windows 365 Link devices to your organization’s environment. As you get started with this process, it’s important to remember that Windows 365 Link devices have been designed to be shared.

After unboxing and turning on your Link device, the first time it boots it will load the Out of Box Experience to guide you through a straightforward process. This process joins the device to Entra ID and enrolls into Intune management. With this complete, the device will display a sign-in screen from where any user can authenticate and connect to their own Cloud PC.

Any standard user can onboard Windows 365 Link devices using the OOBE process as long as they have the requisite permissions. However, organizations can also decide to have admins onboard Windows 365 Link devices and complete the onboarding before delivering the devices to users. Another option would be to split the tasks with admins onboarding some devices and users onboarding others. To help you decide, you can consider the following information:

ConsiderationsAdmin-driven OnboardingUser-driven onboarding
Device will be availed to multiple, different users.Yes. 
Device will be availed to one specific user. Yes.
Users will not be allowed to join or register devices.Yes. 
Users will get their devices shipped directly to them. Yes.

Admin-driven Onboarding

An account with the designation of a Device Enrollment Manager (DEM) can onboard devices shared by multiple users. Although this account doesn’t require admin privileges in the tenant, it can still enroll up to 1000 devices in Intune. DEMs remain subject to the limit on the number of devices allowed to join to Entra ID. With this in mind, you may want to consider increasing the maximum number of devices per user to a value you expect a DEM to enroll.

By using this DEM account to onboard Link devices, this will:

  • Enroll the Windows 365 Link devices in a shared device mode.
  • Bypass any Intune enrollment restrictions for platforms as well as any device limits that may be in place.
  • Eliminate the need for any changes to allow personal Windows devices.
  • Not require designating a primary user of the device. And with no primary user of the device, Windows 365 Link will not appear in a user’s list of devices in Intune, Entra, Company Portal, or other places.

This requires you to follow the steps below:

  • Create the account you’ll be using for Windows 365 Link device onboarding.
  • Assign the required licensing (Microsoft Entra Premium, Intune, Windows, etc ).
  • Verify that the user has the requisite permissions to join devices to Microsoft Entra ID.
  • The user will then need to be added to the list of Device Enrollment Managers.
  • Lastly, you need to provision a Cloud PC for this DEM account so that you can validate connectivity.

This requires you to follow the steps below:

  • Turn on the Windows 365 Link device.
  • Sign in with the DEM account. You can only join the device to Microsoft Entra and enroll in Intune by completing all the authentication steps.
  • After you’ve connected to the Cloud PC, you’ll need to then disconnect and restart Windows 365 so that any available updates can properly install.
  • Shut down Windows 365 Link.
  • Once the above steps have are complete, the Windows 365 Link device is now ready for use by anyone in the organization with a Cloud PC.

User-driven Onboarding

Organizations don’t need to have IT admins onboard each Windows Link and can instead have users complete the OOBE to join them to Microsoft Entra and enroll them in Intune. By using this method:

  • A user will need to be designated as the primary user of the device.
  • The Windows 365 Link will subsequently appear in their list of devices.
  • All users within the organization can then use the device to access their own Cloud PCs.

THINGS TO VERIFY

  • All users should have the necessary licenses.
  • All users need to have permissions to join devices to Microsoft Entra IP.
  • Users must not exceed the maximum number of devices that can be joined.
  • Users must not be blocked from Intune enrollment by any restrictions or device limits.
  • Each user should have a Cloud PC provisioned and consented to single sign-on.
  • Provide users with the Windows 365 Link devices.
  • Turn the device on.
  • Sign in with the user’s account. You can only join the device to Microsoft Entra and enroll in Intune by completing all the authentication steps.
  • After you’ve connected to the Cloud PC, you’ll then disconnect and restart Windows 365 so that any available updates can install properly.
  • Shut down Windows 365 Link.
  • Once the above steps have been successfully completed, the Windows 365 Link device is now ready for use by anyone in the organization with a Cloud PC.

Wrap up

Windows 365 Link is designed to make accessing Cloud PCs a faster and more secure process. It does this by addressing latency issues and complicated sign in processes to name but two problems. Windows 365 is all about being easy to use so it’s not surprising that onboarding Link devices to your organization’s environment is a relatively straightforward process. Whether you give the task to admins or the users do it themselves, getting your Windows Link devices up and running should be quick and hassle-free.