That original script – Download-OD4BAccount.ps1 – quickly became one of my go-to tools for off-boarding and archiving user data. It let administrators export an entire OneDrive for Business library directly to on-premises storage without paying Microsoft to keep the data around.
Since then, the script has seen heavy real-world usage, and thanks to some great community feedback it just got a serious upgrade.
Why the Update
A reader recently reached out after running the script against a very large OneDrive. They noticed that not every file was exported.
After some digging, we discovered the root cause:
The Microsoft Graph PowerShell cmdlets Get-MgUserDriveRootChild and Get-MgUserDriveItemChild return only the first page of results unless they are told to follow the paging links.
Without explicit pagination (the -All switch), any folder holding more items than fit in one page could quietly drop files from the export.
This was a subtle but critical issue: the export looked fine at first glance, but some files never made it to disk, and nothing in the output said so.
What’s New in the Updated Script
The refreshed script keeps the original simplicity and speed but addresses these limitations and more.
– Full Pagination Support
Both Get-MgUserDriveRootChild and Get-MgUserDriveItemChild now run with the -All switch, which follows every @odata.nextLink until the listing is exhausted, so every item is fetched even in massive libraries.
– Reliable Folder Traversal
Recursive folder expansion now preserves the full path, so deep folder hierarchies are exported exactly as they appear in OneDrive.
– Broader Microsoft Graph Scopes
The connection now requests:
Files.Read.All, User.Read.All, Directory.Read.All
These scopes let an admin read other users' OneDrive libraries, which is what a cross-user export needs. Bear in mind that delegated Files.Read.All lets the signed-in admin read every file that account can reach across the tenant, so run the script from a dedicated, audited admin account rather than a day-to-day one.
– Cleaner Reports
Removed an undefined $Job field from the file report, preventing runtime errors.
– More Robust Downloads
The script now checks and creates destination directories before writing each file, so missing folder paths won’t break the download process.
– Improved Batching and Multi-Threading
Thread batching logic is more resilient when splitting large file lists, while keeping the same multi-threaded performance boost that made the original so fast.
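The following is an added example, not the Download-OD4BAccount.ps1 script itself, showing the three fixes described above in one place: recursive enumeration with -All so every page is fetched, the relative path carried through each level of recursion, and the destination directory created before each download. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Files modules are installed; the user principal name and destination path are placeholders.

```powershell
# Added example (not the original script). Assumes Microsoft.Graph.Authentication
# and Microsoft.Graph.Files are installed; names below are placeholders.

function Get-DriveItemsRecursive {
    param(
        [Parameter(Mandatory)] [string]$UserId,
        [Parameter(Mandatory)] [string]$DriveId,
        [string]$ParentItemId,          # empty means the drive root
        [string]$RelativePath = ''
    )

    # -All follows every @odata.nextLink; without it only the first page is returned,
    # which is exactly how files went missing from large folders.
    $children = if ($ParentItemId) {
        Get-MgUserDriveItemChild -UserId $UserId -DriveId $DriveId -DriveItemId $ParentItemId -All
    } else {
        Get-MgUserDriveRootChild -UserId $UserId -DriveId $DriveId -All
    }

    foreach ($child in $children) {
        # Carry the full relative path down so deep hierarchies are reproduced on disk.
        $childPath = if ($RelativePath) { Join-Path $RelativePath $child.Name } else { $child.Name }
        if ($child.Folder) {
            Get-DriveItemsRecursive -UserId $UserId -DriveId $DriveId -ParentItemId $child.Id -RelativePath $childPath
        } else {
            [pscustomobject]@{ Id = $child.Id; Path = $childPath; Size = $child.Size }
        }
    }
}

function Export-UserOneDrive {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$Destination
    )

    Connect-MgGraph -Scopes 'Files.Read.All', 'User.Read.All', 'Directory.Read.All' -NoWelcome
    $drive = Get-MgUserDefaultDrive -UserId $UserPrincipalName
    $items = @(Get-DriveItemsRecursive -UserId $UserPrincipalName -DriveId $drive.Id)

    foreach ($item in $items) {
        $target = Join-Path $Destination $item.Path
        $dir    = Split-Path -Path $target -Parent
        # Create the folder before writing so a missing path never aborts the run.
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        Get-MgUserDriveItemContent -UserId $UserPrincipalName -DriveId $drive.Id -DriveItemId $item.Id -OutFile $target
    }

    # Completeness check: what was enumerated versus what actually landed on disk.
    $onDisk = @(Get-ChildItem -LiteralPath $Destination -File -Recurse).Count
    [pscustomobject]@{
        Enumerated = $items.Count
        Downloaded = $onDisk
        Complete   = ($onDisk -eq $items.Count)
    }
}

# Example call (placeholder values):
# Export-UserOneDrive -UserPrincipalName 'alice@contoso.com' -Destination 'D:\Archive\alice'
```

The final object is the check worth keeping in any off-boarding run: if Enumerated and Downloaded differ, the archive is not a one-to-one copy and should not be treated as one for legal hold.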
Prerequisites
– Microsoft Graph PowerShell module (the script will auto-install it if missing).
– An Azure AD (Microsoft Entra ID) user able to grant admin consent for:
Organization.Read.All
User.Read.All
Directory.Read.All
Files.Read.All (new requirement)
When to Use This Script
Off-boarding – export a departing employee’s OneDrive to a secure archive before disabling their account.
Legal hold or compliance – capture a one-to-one copy of a user’s OneDrive library for audit purposes.
Bulk migration scenarios – move large OneDrive libraries to on-prem or a different tenant without relying on paid retention.
Community-Driven Improvement
This update wouldn’t have happened without feedback from the community. Real-world use exposed a change in the Microsoft Graph SDK behaviour, and the fix – adding -All – was simple but critical.
If you’ve used the original version, I highly recommend updating your copy with the new script to guarantee complete and reliable exports.
Organizations need to constantly re-evaluate their virtual environments to ensure that they are operating as productively as possible. Admins need to check that end-users have Cloud PCs capable of handling the workloads they need to deal with.
At the same time, they need to verify that there are no under-utilized Cloud PCs that could be repurposed. Needs like these are why Microsoft keeps adding features that help admins run their Cloud PC environments, and the ‘Resize’ feature for Frontline Cloud PCs is one such tool.
Introducing the Resize Feature
Since its introduction a few years ago, the Windows 365 Cloud PC has provided organizations with an exceptional service that delivers high-powered virtual PCs to employees anywhere. End-users can stream their desktops to their multiple devices and work remotely with ease.
Understandably, IT admins are constantly seeking ways to run these virtual environments more efficiently. With the Resize feature added to the management tools already available, organizations can make resource adjustments across all the Cloud PCs in a specific group or assignment at once.
The adjustments can take place among resources such as CPU, storage, and RAM among others. A simple example of this could be a business with a group of Cloud PCs with allocated 4 GB of RAM and moderate computing power.
If a situation arises where end-users have more demanding workloads, admins can now quickly and easily perform a few steps that will deliver 8 GB of RAM. They can also increase processing power to every virtual device in that group. Having such a feature could potentially increase productivity with IT admins no longer having to dedicate significant time and effort to adjusting Cloud PCs individually.
Benefits
From the introduction, it’s not difficult to see why the Resize feature would be gladly welcomed by administrators. Organizations get to benefit from an upgrade that is perfectly in line with Windows 365’s goal of delivering streamlined operations that are highly efficient.
With the Resize feature, Microsoft is not simply looking to add another upgrade. Instead, it offers something that will also enhance the great features that Cloud PCs have become known for. Features such as flexibility, ease of working remotely, and scalability, among others, can be enhanced by the Resize feature. Organizations can look forward to:
STANDARDIZED RESOURCE ALLOCATION
One of the things that could previously hinder the effectiveness of a group was having varying Cloud PC configurations within a particular group. Unsurprisingly, without access to the same resources, the quality of work done is bound to suffer.
Fortunately, by using the new Resize feature, IT admins can ensure that all end-users within assignments or teams share a standard configuration for their Cloud PCs. This means that during the more demanding tasks, every user will have access to the same powerful resources. Because of this, every team member will have the capabilities to produce at the same level.
INCREASED EFFICIENCY
As one can imagine, manually adjusting every single Cloud PC that needs attention can be a difficult and time-consuming task. And that’s before we even mention the potential risk of administrative errors that can occur. IT admins will surely be thrilled with a tool that helps them make bulk adjustments swiftly and without hassle. All the time saved can then be dedicated toward more productive tasks.
FLEXIBLE SCALABILITY
Windows 365 is designed to deliver the resources that organizations need when they need them. This flexibility enables businesses to scale up or down as necessary. It also provides businesses another reason to choose the Cloud PC. Most businesses have periods during the year when they know that workloads will spike and greater resources will be required.
By leveraging the Resize feature, IT can quickly scale up resources. And they can do so without end-users facing downtime or the organization needing new virtual instances. This scaled up environment only requires maintenance for the duration of the workload spike. After which, admins can adjust resources back to normal status.
BETTER END-USER EXPERIENCE
To keep end-users happy and productive, having Cloud PCs that function as flawlessly as possible is a must. When teams are dealing with more demanding workloads, they need their computing resources adjusted quickly and accordingly. Busy frontline workers don’t want to be stuck with a sluggish device right when the pressure is on.
So, this gives end-users the resources they need exactly when they need them. It makes the Resize feature immensely valuable to more than just the individuals in the IT department.
How Does It Work?
The Resize feature operates by utilizing the Microsoft provisioning policies that you get in Windows 365. The process works as follows:
Provisioning assignments – whenever businesses create provisioning policies for their Cloud PCs, this is what defines the specifications (RAM, CPU, Disk Space, or GPU) of those virtual devices.
Group-Based Control – all the Cloud PCs that are linked to a particular assignment will be operating with the same configurations.
Resizing on command – IT admins can leverage the Resize feature to select a new predefined Cloud PC size from a dropdown list within the Windows 365 Admin Center. After the new size has been set, all the Cloud PCs that share this particular provisioning policy will be immediately modified.
Deployment with minimal disruption – key to this feature is keeping end-user disruption as low as possible, and the change is carried out on Azure infrastructure rather than by rebuilding devices. Admins should still plan resizes outside shift hours, since a Cloud PC is briefly unavailable while it is resized.
Resizing Windows 365 Frontline Cloud PCs
Windows 365 Frontline as the name suggests, is a version of Microsoft’s Cloud PC solution. It’s also a game-changer for frontline workers. This particular service aims to be a cost-effective version that allows businesses to provision a single Cloud PC, sharable by multiple users with a single license.
Not surprisingly, Windows 365 Frontline provides a great solution for shift workers. They can easily sign in to Windows 365 from the web or via the Windows App. And at the end of their shift, all one has to do is sign out. From there, the Cloud PC becomes once again available for someone else.
To make the use of these virtual devices even more efficient, Microsoft now enables clients to use provisioning policies to resize Windows 365 Frontline Cloud PCs in dedicated mode. This means that for now, you cannot resize Windows 365 Frontline Cloud PCs in shared mode. The requirements for resizing are as follows:
ROLE REQUIREMENTS
IT admins need to have certain built-in Microsoft Entra roles before they can start resizing Cloud PCs.
They must have at least one of the roles below for Cloud PCs provisioned with a directly assigned license:
Intune Service Administrator
Intune Reader + Cloud PC admin roles
Intune Reader + Windows 365 Administrator
Similarly, IT admins must have at least one of the roles below for Cloud PCs provisioned with a group-based license:
Intune Service Administrator
Intune Reader + Windows 365 Administrator
Additionally, IT admins need a role with Microsoft Entra group read/write membership and licensing permissions, such as the Windows 365 Administrator role.
Note: Alternatively, a custom role that includes the permissions of these built-in roles can be assigned.
IP ADDRESS REQUIREMENTS
In some situations, organizations may want to resize a Microsoft Entra hybrid join, bring-your-own-network Cloud PC. In these cases a second IP address must be free in the subnet for the Cloud PC to complete a resize; it is used while the Cloud PC transitions to the new size.
The second address exists so that, if something goes wrong, the affected Cloud PC can be rolled back to the original. It also means resize failures will occur if the subnet has too few free addresses. Organizations should therefore verify that:
Adequate IP addresses are available in the vNet so that every Cloud PC being resized can hold a second address at the same time.
Alternatively, stagger the resizing process in batches so that the address space is never exhausted.
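The following added example (not from the original post) turns the IP address check above into a script: it reads the subnet's prefix and the number of addresses already in use, subtracts the five addresses Azure reserves in every subnet, and reports whether all the Cloud PCs you intend to resize can each take a second address, or how large a batch the subnet can safely handle. It assumes the Az.Accounts and Az.Network modules and an existing Connect-AzAccount session; the resource names are placeholders.

```powershell
# Added example (not from the original post). Assumes Az.Network is installed and
# Connect-AzAccount has been run; resource names are placeholders.

function Get-SubnetResizeCapacity {
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$VNetName,
        [Parameter(Mandatory)] [string]$SubnetName,
        [Parameter(Mandatory)] [int]$CloudPCsToResize
    )

    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet

    # AddressPrefix is a list in current Az.Network; take the first (IPv4) prefix.
    $prefix = @($subnet.AddressPrefix)[0]
    $bits   = [int]($prefix.Split('/')[1])
    $total  = [int][math]::Pow(2, 32 - $bits)

    # Azure reserves the first four and the last address of every subnet.
    $azureReserved = 5
    # Each NIC/IP configuration bound to the subnet consumes one address.
    $used = @($subnet.IpConfigurations).Count
    $free = $total - $azureReserved - $used

    # A resize holds a second address per Cloud PC until the old one is released,
    # so the number of free addresses is the largest batch that can be resized at once.
    [pscustomobject]@{
        Subnet          = $prefix
        TotalAddresses  = $total
        InUse           = $used
        FreeAddresses   = $free
        NeededForResize = $CloudPCsToResize
        SafeToResizeAll = ($free -ge $CloudPCsToResize)
        MaxPerBatch     = [math]::Max(0, $free)
    }
}

# Example call (placeholder values):
# Get-SubnetResizeCapacity -ResourceGroupName 'rg-w365' -VNetName 'vnet-w365' -SubnetName 'snet-cloudpc' -CloudPCsToResize 120
```

If SafeToResizeAll comes back false, resize in batches no larger than MaxPerBatch and wait for each batch to finish (and release its original address) before starting the next.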
ADDITIONAL REQUIREMENTS
Before using the Resize feature, IT admins should check that they have the appropriate licenses in the inventory for the resized Cloud PC configuration. Furthermore, any Cloud PC that you want to Resize must have a status of Provisioned in the Windows 365 provisioning node.
Resizing Cloud PCs in Dedicated Mode
The process of using a provisioning policy to resize Windows 365 Frontline Cloud PCs in dedicated mode is performed as follows:
Sign in to the Microsoft Intune admin center, select Devices > Windows 365 > Provisioning policies.
The provisioning policy you choose must include an assignment with the Windows 365 Frontline Cloud PCs in dedicated mode that you want to resize.
Next, you’ll need to select Edit next to Assignments on the policy page.
On the Assignments tab, in the Cloud PC size column, select the Frontline entry for the assignment you want to resize. Every Cloud PC in that assignment will be resized.
Head over to Available sizes and then in the Select Cloud PC size pane, choose the new Cloud PC size > Next.
Select Next on the Assignments page.
Finally, go to the Review + save tab. Selecting Update initiates the resize.
You can get all the information you need and track the progress of the resize on the All Cloud PCs page. You can also track from the Cloud PC actions Report.
Cloud PC Size Recommendations
Microsoft gives Windows 365 customers tools to estimate the Cloud PC resources their organization will need. In addition, the recommendations below give a rough starting point for sizing.
Each entry below lists the Cloud PC size, example situations it suits, and the recommended apps for it.

Cloud PC: 2vCPU/4GB/256GB, 2vCPU/4GB/128GB, 2vCPU/4GB/64GB
Example situations: Firstline workers, call centers, education/training/CRM access, mergers and acquisitions, short-term and seasonal, customer services.
Recommended apps: Microsoft 365 Apps, Microsoft Teams (audio only), OneDrive, Adobe Reader, Microsoft Edge, line-of-business apps, Defender support.

Cloud PC: 2vCPU/8GB/256GB, 2vCPU/8GB/128GB
Example situations: BYOD scenarios, employees working from home, market researchers, government, consultants.
Recommended apps: Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, PowerPoint, OneDrive, Adobe Reader, Microsoft Edge, line-of-business apps, Defender support.

Cloud PC: (size not given)
Example situations: Software developers, engineers, content creators, design and engineering workstations.
Recommended apps: Microsoft 365 Apps, Microsoft Teams, Outlook, Access, OneDrive, Adobe Reader, Microsoft Edge, Power BI, Visual Studio Code, virtualization-based workloads (Hyper-V, Windows Subsystem for Linux (WSL)), line-of-business apps, Defender support.

Cloud PC: GPU Standard 4vCPU/16GB/4GB vRAM/512GB, GPU Super 8vCPU/56GB/12GB vRAM/1TB, GPU Max 16vCPU/110GB/16GB vRAM/1TB
Example situations: Graphic design, image and video rendering, 3D modeling, gaming, data processing, and visualization.
Recommended apps: Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, Adobe, Figma, Autodesk, Revit, Illustrator, Blender, Unity, ArcGIS, Microsoft Edge, Power BI, Visual Studio Code, line-of-business apps, Defender support.

Cloud PC: 16vCPU/64GB/512GB, 16vCPU/64GB/1TB
Example situations: Software development, engineering, data analysis and visualization, financial services and wealth management.
Recommended apps: Microsoft 365 Apps, Microsoft Teams, Outlook, Excel, Access, Adobe Reader, Microsoft Edge, Power BI, Tableau, Visual Studio Code, BlackRock Aladdin, Bloomberg, Eclipse, line-of-business apps, Defender support.
Wrap Up
The needs of an organization cannot be expected to remain the same at all times throughout the year. Sometimes employees will require greater computing resources and other times they will require less. To ensure that Windows 365 Frontline end-users always have the processing power they need when they need it, Microsoft has introduced the Resize feature. By leveraging this tool, IT admins can now ensure that Cloud PCs are constantly operating at optimum levels.
Much as technology has evolved over the decades, plenty of threats can still cause massive damage to organizations, and attackers keep refining their methods. For Microsoft, shipping regular security upgrades across its products and services is one way to reduce the risk its customers are exposed to. Enabling Credential Guard and HVCI by default on Windows 11 is a significant step in that direction: both features put a formidable barrier in front of the credential-theft and kernel-tampering techniques most intrusions rely on.
What is Credential Guard?
Credential Guard is a security feature that aims to block credential theft attacks. It protects NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials that applications store as domain credentials. It relies on Virtualization-based security (VBS) to isolate these secrets so that only privileged system software can access them. Because of this isolation, malware running in the normal operating system cannot simply read the secrets out of memory, which is the basis of credential theft attacks such as pass-the-hash and pass-the-ticket.
How Does It Work?
With Credential Guard enabled, the Local Security Authority (LSA) process in the operating system (lsass.exe) communicates with a component known as the isolated LSA process (LSAIso.exe), which stores and protects the secrets. All data held by the isolated LSA process is protected using VBS, and the rest of the operating system has no access to it. LSA talks to the isolated LSA process through remote procedure calls.
To keep security tight and minimize any issues, the isolated LSA process won’t host any device drivers. What it does, instead, is host a small subset of operating system binaries. These are required for security and nothing else. All the binaries must be signed with a certificate that is trusted by VBS. And the signatures require validation before launching the file in the protected environment.
Benefits of Credential Guard
Credential Guard has several benefits that can help improve the security status of Windows 11 users. Once Credential Guard is enabled, organizations can look forward to:
Hardware security – NTLM, Kerberos, and Credential Manager operate by leveraging platform security features such as Secure Boot and virtualization, to protect credentials.
Virtualization-based security – NTLM, Kerberos derived credentials, and other secrets run in a protected environment that is isolated from the running operating system.
Protection against advanced persistent threats – using VBS to protect credentials significantly enhances an organization’s network security, because it renders ineffective many of the credential theft techniques and tools used in targeted attacks. Secrets protected by VBS are isolated even from malware running in the operating system with administrative privileges.
Default Enablement
To ensure that Windows 11 clients get all the benefits discussed above, going forward Microsoft will be enabling VBS and Credential Guard by default in Windows 11, 22H2 and Windows Server 2025. This will only apply to devices that meet the requirements. However, IT admins will still have the flexibility to disable Credential Guard remotely if the need arises because the default enablement is without UEFI Lock. Once Credential Guard is enabled, VBS will be automatically enabled as well.
IT admins should also be aware that if they have Credential Guard explicitly disabled before updating a device to Windows 11 (version 22H2/ Windows Server 2025 or later), default enablement will not apply. Also, the existing settings will remain in place. As a result, even after updating to a version of Windows that has Credential Guard enabled by default, all such devices will continue to have Credential Guard disabled.
WINDOWS
All devices running Windows 11, 22H2 or later will have Credential Guard enabled by default if they meet the licensing, hardware, and software requirements. Additionally, these devices should not have Credential Guard explicitly disabled. Furthermore, all devices running Windows 11 Pro/Pro Edu 22H2 or later may have VBS and/or Credential Guard automatically enabled. This is if they meet the other requirements for default enablement, and have previously run Credential Guard. A good example would be if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
WINDOWS SERVER
All devices running Windows Server 2025 or later will have Credential Guard enabled by default if they meet the licensing, hardware, and software requirements. Additionally, these devices should not have Credential Guard explicitly disabled, should be joined to a domain, and should not be a domain controller.
What If You Need To Disable Credential Guard?
IT admins may need to disable Credential Guard for any number of reasons and fortunately ‘enabled by default’ does not mean can’t be disabled. You’ll be happy to know that there are several different options available to disable Credential Guard. The best option for you will depend on how Credential Guard is configured:
When running in a virtual machine, the host can disable Credential Guard.
If Credential Guard has been enabled without UEFI lock, or as part of the default enablement update, you can disable it using any one of Microsoft Intune/MDM, Group Policy, or Registry.
System Requirements
Credential Guard can only provide the protection it offers if the device meets certain hardware, firmware, and software requirements. It’s also important to note that all devices that exceed the minimum hardware and firmware requirements will benefit from additional protections. They will, as a result, offer better protection against certain threats.
HARDWARE AND SOFTWARE REQUIREMENTS
Credential Guard requires Virtualization-based security and Secure Boot. And although the following features are not required, they are highly recommended for the provision of additional protections:
Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware.
UEFI lock is crucial for blocking attackers from disabling Credential Guard with a registry key change.
CREDENTIAL GUARD IN VIRTUAL MACHINES
One of the biggest benefits of Credential Guard is that it is capable of protecting secrets in Hyper-V virtual machines. It does so the same way as it would on a physical machine. Enabling Credential Guard on a virtual machine means that all secrets will be protected from attacks inside the virtual machine.
However, Credential Guard does not protect against privileged attacks originating from the host. To run Credential Guard in Hyper-V virtual machines, the Hyper-V host needs an IOMMU and the virtual machine must be generation 2; it is not supported on generation 1 VMs, whether on Hyper-V or in Azure.
Credential Guard Application Requirements
After Credential Guard is enabled, there are certain authentication capabilities that will be blocked. Consequently, any applications that need these capabilities will break. For this reason, these requirements are referred to as application requirements. IT admins need to ensure that they test applications before deployment to check compatibility with the reduced functionality.
Admins are also advised against enabling Credential Guard on domain controllers: it offers no added security there, and it can cause application compatibility issues on them.
In the same vein, Credential Guard offers no protection for the Active Directory database or the Security Accounts Manager (SAM). The Kerberos and NTLM credentials it protects inside LSA are still stored in the Active Directory database (on domain controllers) and in the SAM (for local accounts), and those stores need their own protection.
You should expect applications to break if any of the following are needed:
Kerberos DES encryption support
Kerberos unconstrained delegation
Kerberos TGT extraction
NTLMv1
Applications will also prompt for and expose credentials, bypassing the protection, if any of the following are needed:
Digest authentication
Credential delegation
MS-CHAPv2
CredSSP
IT admins should note that apps may cause performance issues when they attempt to hook the isolated Credential Guard process LSAIso.exe. However, any services or protocols that are reliant on Kerberos will still work and are not affected by Credential Guard. These include services or protocols such as remote desktop or file shares.
Hypervisor-Protected Code Integrity
Coupled with Credential Guard, Hypervisor-Protected Code Integrity (HVCI) is now also enabled by default in Windows 11, 22H2 and Windows Server 2025. HVCI is a virtualization-based security (VBS) feature that is also known as memory integrity and is available in Windows 10, Windows 11, and Windows Server 2016 and later. HVCI and VBS are key elements in the threat model of Windows. And they ensure that the defenses against malware trying to exploit the Windows kernel are greatly enhanced.
VBS leverages the Windows hypervisor to build an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is an integral element of the security system and is responsible for protecting and fortifying Windows. It achieves this by running kernel mode code integrity within the isolated virtual environment of VBS.
Memory integrity will further strengthen security by restricting kernel memory allocations that can be used to compromise the system. Imposing this restriction ensures that kernel memory pages can only become executable after passing code integrity checks inside the secure runtime environment. Additionally, this also guarantees that executable pages themselves will never become writable.
Functionality
IT admins should know that HVCI performs best on Intel Kaby Lake and later processors with Mode-Based Execution Control (MBEC), and on AMD Zen 2 and later processors with Guest Mode Execute Trap (GMET). Older processors rely on software emulation of these features (Restricted User Mode), which typically has a larger performance impact. With nested virtualization, memory integrity performs better when the VM configuration version is 9.3 or higher.
Also note that Azure VMs do not support HVCI when Secure Boot with DMA protection is selected; in that case VBS reports as enabled but not running. The main protections memory integrity provides are:
Protecting the Control Flow Guard (CFG) bitmap for kernel-mode drivers from modification.
Protecting the kernel-mode code integrity process, which verifies that other trusted kernel components carry a valid certificate.
How Can You Disable HVCI?
As we discussed for Credential Guard, scenarios may sometimes arise where IT admins may need to disable HVCI. In such cases, what you can do is:
Navigate to the Core Isolation Settings – in the Windows search bar, search for Core Isolation. Then, select the Core Isolation settings page .
Find the Memory Integrity setting and turn it to the off position.
To apply the changes you’ve made, you’ll be prompted to restart your device.
In addition to the above option, if need be you may also disable VBS via Registry as follows:
Similar to the above option, head over to the Windows search bar and search for regedit. Proceed to open the Registry Editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
Double-click on EnableVirtualizationBasedSecurity and change its value to 0. Click Ok.
After completing these steps, close the Registry Editor and then restart your computer to apply the changes.
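Before or after changing any of these settings, it is worth knowing what is actually running rather than what is configured, since VBS can be "enabled but not running" and a UEFI lock makes a registry-only disable ineffective. The following added example (not from the original post) reads the live state from the Win32_DeviceGuard WMI class together with the registry values discussed above (EnableVirtualizationBasedSecurity, the HVCI Enabled value, and LsaCfgFlags for Credential Guard) and reports whether Credential Guard and HVCI are running and whether a registry change plus reboot is enough to disable them. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run elevated on Windows 11 / Server 2025.

function Get-VbsSecurityState {
    # Win32_DeviceGuard reports the live state established by the hypervisor at boot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # SecurityServicesConfigured / SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI.
    $configured = [int[]]$dg.SecurityServicesConfigured
    $running    = [int[]]$dg.SecurityServicesRunning

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    # The value is absent when Credential Guard came on through default enablement
    # rather than explicit policy.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaCfgFlags = if ($null -ne $lsa) { [int]$lsa.LsaCfgFlags } else { $null }

    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $vbsReg  = (Get-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity `
                                 -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $hvciReg = (Get-ItemProperty -Path "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" `
                                 -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]@{
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = ($configured -contains 1)
        CredentialGuardRunning    = ($running    -contains 1)
        HvciConfigured            = ($configured -contains 2)
        HvciRunning               = ($running    -contains 2)
        LsaCfgFlags               = $lsaCfgFlags
        CredentialGuardUefiLocked = ($lsaCfgFlags -eq 1)
        EnableVbsRegistry         = $vbsReg
        HvciEnabledRegistry       = $hvciReg
        # Default enablement is without UEFI lock, so only an explicit lock (LsaCfgFlags = 1)
        # stops a registry change plus reboot from disabling Credential Guard.
        RegistryDisableSufficient = ($lsaCfgFlags -ne 1)
    }
}

Get-VbsSecurityState | Format-List
```

Two results are worth watching for: VbsStatus of "Enabled, not running" with HvciConfigured true means the hardware or VM configuration is not delivering the protection the policy asks for, and CredentialGuardUefiLocked true means the registry steps above will not take effect until the lock is cleared through the firmware.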
Wrap Up
The enablement by default of Credential Guard and Hypervisor-Protected Code Integrity in Windows 11 is part of Microsoft’s ongoing effort to enhance security for its customers. For all devices that meet the requirements, this change will mean a more protected and fortified Windows 11 environment. It also allows organizations to improve their overall network security.
Persistent threat attacks continue to change in search of even the slightest of vulnerabilities. Upgrades like these offer a powerful mitigating solution. Coupled with the other security measures, this change will help keep malicious actors at bay.
When it comes to Windows 365 Cloud PC, there are different options available to cater to the different needs of various businesses. As one can imagine, a massive corporation operating in countless countries across different continents will have significantly different needs to those of a smaller organization with a handful of offices.
However, the need for Cloud PC Usage insights is something that all these businesses have in common. It’s important to have up-to-date information regarding usage patterns of Cloud PCs, how many Cloud PCs are required, correct size of Cloud PCs, and more. Having this data can help businesses operate much more efficiently.
Utilization Report
With the Cloud PC Utilization Report, Microsoft is offering clients a tool that will help them monitor and optimize Cloud PC usage. The data available shows you not only the amount of time that users are spending on their Cloud PCs but when they were last connected as well.
After noting Cloud PCs with low usage, businesses can then reduce operating costs by reassigning under-used Cloud PC licenses to other users who might use them more often. Another cost-cutting measure that organizations can implement is to identify and deprovision Cloud PCs that remain inactive for extended periods of time. To access this Cloud PC Utilization Report, you need to sign in to the Microsoft Intune admin center, select Devices > Cloud PC performance > Cloud PC utilization.
Tenant Data
On the Cloud PC Utilization Report page, you’ll find information with tenant data aggregated for the chosen timespan (28, 60, or 90 days):
This histogram gives you the number of Cloud PCs connected for each range:
High time connected: More than 80 hours.
Average time connected: 40-80 hours.
Low time connected: Less than 40 hours.
None: Zero hours.
List of individual Cloud PCs with the following columns:
Device name
User UPN: The user’s identifier in Active Directory in the form of an email address.
PC type
Time connected: The total hours that the user has been connected to the Cloud PC over the last four weeks.
Date last connected: The date when the user most recently connected to their Cloud PC (within the last 60 days). If the user isn’t currently connected to the Cloud PC, this date is the sign out time. If the user is connected to the Cloud PC, this date is the most recent connection time.
Date created: The date the Cloud PC was created.
Device type: The type of Cloud PC based on the offering (Enterprise, Frontline dedicated, Frontline shared).
FILTERS
Clients also have an Add filters option that filters the table by PC type, time connected, and date last connected. Filters are a key tool for understanding usage patterns, and with that information decisions about whether to deprovision or downgrade underused Cloud PCs become much easier to make.
Device Level Data
If you want to see the same usage data but on a per Cloud PC basis, you can:
Sign in to the Microsoft Intune admin center, select Reports > Cloud PC overview > Cloud PC utilization.
Select a device and then select Performance (preview).
The Time connected section shows usage data for this Cloud PC. For more detail, in this section, select View report.
Recommendations
Organizations using Windows 365 Cloud PCs will not only get usage insights but Cloud PC recommendations as well. The objective, in this case, is to provide businesses with an AI-powered tool that helps admins with determining the correct size of Cloud PC. This feature is designed to assess end-user Cloud PC usage patterns, platform level resource utilization data, and performance needs to help businesses come up with the optimal configuration for their Cloud PCs.
An evolving model will then analyze the data provided to find out how an organization’s Cloud PCs are working. It can also determine correct size and utilization capabilities. To access this Cloud PC Recommendations Report, you need to sign in to Microsoft Intune admin center, select Reports > Cloud PC Overview > Cloud PC recommendations.
OVERVIEW TAB
Cloud PC Insights
Details
Rightsized
These are Cloud PCs that are used regularly and whose size correctly matches the workload that they are being used for.
Undersized
These are Cloud PCs that are not powerful enough for the workload they are dealing with. As a result, end-users are probably getting a poor experience and need to increase the device’s resources by re-sizing to a larger SKU.
Oversized
In this, the Cloud PCs have far too much power for the workload they are supporting. End-users can still get the same quality experience with fewer resources. Businesses can free up resources by re-sizing these Cloud PCs to a smaller SKU.
Underutilized
These Cloud PCs are used infrequently or not at all. Businesses should consider them as potentially not needed. Any Cloud PC with less than 40 hours of active connected time over a 28 day period falls into this category.
Wrap Up
Windows 365 Cloud PCs offer businesses a powerful virtualization service that empowers employees to work from anywhere. Being able to access one’s desktop using multiple devices, regardless of location, can be a massive benefit for productivity. Not to mention the fact that Cloud PCs can provide significant computing resources.
With all this in mind, however, organizations need accurate usage insights to ensure that the resources they are paying for match their needs. And this is precisely what they get with the Cloud PC Utilization Report.
This feature enables administrators to have a clearer picture of the resources at their disposal along with usage. Having this up-to-date data will help businesses better manage their costs by increasing or decreasing Cloud PC resources as necessary.
Introduction: The Challenge of Managing Microsoft Teams Rooms
Microsoft Teams Rooms (MTR) are purpose-built devices that bring seamless Teams meetings into physical conference rooms. However, if you’re an IT admin or consultant trying to manage these devices with Microsoft Intune, you may have already hit a major wall: you can’t deploy standard applications like Win32 or MSI packages.
In this post, I’ll walk you through:
Why app deployment fails on MTRs
How to use Intune Proactive Remediation Scripts to install apps anyway
A real-world script-based workaround you can implement today
This article is especially useful for IT administrators, Microsoft 365 consultants, and organizations managing MTR on Windows devices using Microsoft Intune.
What Are Microsoft Teams Rooms (MTR) Devices?
Microsoft Teams Rooms are specialized endpoints running Windows or Android, designed to facilitate video conferencing in meeting spaces.
This article focuses on MTR on Windows, which:
Boots into a kiosk-like shell
Uses a locked-down local user account (usually “Skype”)
Automatically launches the Teams Rooms app
Is managed differently from typical Windows endpoints
Why Are MTRs So Locked Down?
Because they’re designed to do one thing very well: run meetings reliably and securely. That means:
Minimal background processes
No user distractions
Reduced vulnerability footprint
Unfortunately, this also means limited support for app deployment using traditional Microsoft Intune methods.
Why Standard App Deployment Doesn’t Work on MTR
Let’s quickly review how app deployment in Intune normally works:
You upload a Win32 or MSI app
Intune pushes it to the device
The app installs silently in the background
But MTRs are a special case:
Kiosk Shell: MTR devices run a locked-down shell that prevents user interaction.
Limited Admin Access: The logged-in “Skype” user doesn’t have full local admin rights.
Silent Installs Often Fail: Even SYSTEM-context installs can hang or fail silently.
Win32 App Deployment Not Supported: MTRs are excluded from full app deployment via Intune.
TL;DR: Intune treats MTRs like they’re manageable—but for apps, they’re basically off-limits.
What Can You Manage on MTR with Intune?
Feature: MTR Support?
Enroll in Intune: ✅ Yes
Configuration Profiles (Wi-Fi, Certificates): ✅ Yes
Compliance Policies: ✅ Yes
PowerShell Scripts: ⚠️ Limited
Win32/MSI App Deployment: ❌ Not Supported
Store App Deployment: ❌ Not Supported
Remediation Scripts: ✅ Yes — this is our workaround!
The Workaround: Use Proactive Remediation Scripts
What Are Proactive Remediations in Intune?
Proactive Remediations are part of Endpoint Analytics in Microsoft Intune. They allow you to:
Detect issues on endpoints (e.g., missing apps or settings)
Run scripts in the SYSTEM context to remediate them
And because these scripts run as SYSTEM, they can bypass the user restrictions imposed by the MTR shell. That’s the secret sauce here.
Step-by-Step: Deploy Apps to MTR Devices Using Remediation Scripts
Step 1: Choose an Application
Pick an application with a silent installer. Examples include:
Zoom Rooms Plugin
Custom certificate tools
Remote support agents
Pro tip: Avoid apps that require UI interaction or restart the system.
Step 2: Host the Installer
Since you can’t upload Win32 apps, host the installer externally:
Azure Blob Storage with SAS token
SharePoint Online
A secure HTTPS server
Step 3: Write the Detection Script
This script checks whether the app is already installed.
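As an added example (not the post's own scripts), here is a detection/remediation pair for a hypothetical application named 'Contoso Support Agent', hosted as an MSI behind a placeholder blob URL; the SHA-256 value is a placeholder you replace with the hash of your known-good installer. The remediation verifies that hash before calling msiexec, so a swapped or tampered download on the external host is never executed on the room system.

```powershell
# ---------- Detect-ContosoAgent.ps1 (Proactive Remediation: detection script) ----------
# Exit code 0 = compliant (app present); exit code 1 = Intune runs the remediation script.
# 'Contoso Support Agent' is a hypothetical app name used only for this example.
$AppDisplayName = 'Contoso Support Agent'

function Test-AppInstalled {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Check both 64-bit and 32-bit uninstall hives; the script runs as SYSTEM, so HKLM is readable.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName }
    return [bool]$found
}

if (Test-AppInstalled -DisplayName $AppDisplayName) {
    Write-Output "$AppDisplayName present"
    exit 0
}
Write-Output "$AppDisplayName missing"
exit 1

# ---------- Remediate-ContosoAgent.ps1 (Proactive Remediation: remediation script) ----------
# Runs as SYSTEM only when detection exited 1. Every value below is a placeholder.
$InstallerUrl   = 'https://<storage-account>.blob.core.windows.net/installers/ContosoAgent.msi?<sas-token>'
$ExpectedSha256 = '<SHA256-OF-KNOWN-GOOD-INSTALLER>'
$WorkDir        = Join-Path $env:ProgramData 'MtrRemediation'
$LogFile        = Join-Path $WorkDir 'ContosoAgent-install.log'

function Write-Log {
    param([string]$Message)
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line   # also surfaces in the Intune remediation output column
}

function Get-VerifiedInstaller {
    param([string]$Url, [string]$Sha256, [string]$Destination)
    # Download over HTTPS, then refuse to continue unless the hash matches the known-good value.
    Invoke-WebRequest -Uri $Url -OutFile $Destination -UseBasicParsing
    $actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        Remove-Item -Path $Destination -Force -ErrorAction SilentlyContinue
        throw "Hash mismatch for $Destination (got $actual)"
    }
    return $Destination
}

function Install-MsiSilently {
    param([string]$MsiPath, [string]$MsiLog)
    # /qn suppresses all UI and /norestart prevents a reboot; both matter on a kiosk-mode MTR.
    $msiArgs = "/i `"$MsiPath`" /qn /norestart /l*v `"$MsiLog`""
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

try {
    New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null
    $msi  = Get-VerifiedInstaller -Url $InstallerUrl -Sha256 $ExpectedSha256 `
                -Destination (Join-Path $WorkDir 'ContosoAgent.msi')
    $code = Install-MsiSilently -MsiPath $msi -MsiLog (Join-Path $WorkDir 'msiexec.log')
    # 0 = success, 3010 = success with reboot pending; anything else is a failure.
    if ($code -notin 0, 3010) { throw "msiexec returned $code" }
    Write-Log "Install finished with exit code $code"
    exit 0
}
catch {
    Write-Log "Remediation failed: $_"
    exit 1
}
```

Upload the two halves as separate detection and remediation files in the Proactive Remediation, and scope the SAS token on the blob to read-only with a short expiry so the URL embedded in the script is of limited use if it leaks.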
For complex applications, consider a manual install window, or coordinate with the OEM.
Alternatives to Intune Remediation Scripts
Method: Notes
Manual Deployment: Good for one-off fixes
OEM Management Tools: Logitech Sync, Poly Lens, etc.
Group Policy: Works for Hybrid AAD Join MTRs
Teams Pro Management: Useful for Teams config, not apps
Conclusion: MTR App Deployment is Possible—With the Right Tools
Deploying applications to Microsoft Teams Rooms using Intune isn’t supported natively—but that doesn’t mean it’s impossible. With a bit of scripting and smart use of Proactive Remediation, you can achieve automated, scalable, and relatively safe application installs.
This method:
Uses supported Intune features (Endpoint Analytics)
Microsoft is offering clients an updated Intune Connector for Active Directory and this connector is what Intune will be using starting from Intune 2501. This connector uses Windows Autopilot to deploy devices that are Microsoft Entra hybrid joined.
The updated version of the connector aims to enhance security and will be using a Managed Service Account (MSA) instead of a SYSTEM account. Customers currently using the old version of the Intune Connector for Active Directory (that uses the local SYSTEM account) should know that this connector will no longer have support, starting in late June 2025.
Therefore, it’s important to start planning for the update, because once support ends, enrollments from the old connector build will no longer be accepted.
Key Features of the Intune Connector
The main role of the Intune Connector for Active Directory is to join computers to an on-premises domain and add them to an organizational unit (OU) allowing for central management and policies.
The Intune Connector also places joined computers within a specific OU, something that helps establish granular control over device configurations and settings. Furthermore, customers will also benefit from hybrid enrollment of devices which offers the convenience of device management by both on-premises AD and Intune.
The Intune Connector plays a key role in leveraging Windows Autopilot to set up and deploy devices. And for all those already using Autopilot, they will know that this feature will have a huge impact in making life easier for customers by simplifying deployment processes.
In addition to all the above, the Intune Connector ensures that the policies defined in both AD and Intune continue to be enforced, thus offering compliance and consistency.
Why Switch to Managed Service Accounts?
As the new version of the Intune Connector for Active Directory makes the change to using Managed Service Accounts, it’s important to understand why they are important. The use of MSAs will enable the new connector to follow least privilege principles and thereby strengthen security.
With MSAs, clients get managed domain accounts with automatic password management. They are also granted only the privileges they need to perform their duties. With such measures in place, the risk of compromise, intentional or otherwise, is reduced.
You can only use standalone MSAs on one domain-joined machine and can thus only access resources within that domain. MSAs can easily and securely run services on a computer while simultaneously maintaining the capability to connect to network resources as a specific user principal. When taking all of this into account, it’s not difficult to see why Microsoft views the use of MSAs as better for the Intune Connector moving forward.
Securing The Future
The security update to the Intune Connector for Active Directory fits in seamlessly with Microsoft’s Secure Future Initiative. Microsoft is uniquely positioned within the tech industry to play a key role in safeguarding the future for all its clients.
As such, the tech giant is taking a comprehensive approach to cybersecurity with a key focus on certain areas that are critical to enhancing security across the board. There continues to be substantial progress in these areas:
Identity and secret protection
Updates to Entra ID and Microsoft Account (MSA) are live for both public and U.S. government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service.
Microsoft has continued to drive broad adoption of its standard identity SDKs, which provide consistent validation of security tokens. As a result, we now see this standardized validation covering more than 73% of tokens issued by Microsoft Entra ID for Microsoft owned applications.
Tenant Protection and Isolation of Production Systems
A full iteration of app lifecycle management for all production and productivity tenants has been performed. This has resulted in the elimination of 730,000 unused apps. Additionally, because of the elimination of 5.75 million inactive tenants, the potential cyberattack surface has become significantly smaller.
Not only that, but a new system to streamline the creation of testing and experimentation tenants with secure defaults is available. It also enforces a strict lifetime management.
Protect networks
More than 99% of physical assets on the production network are recorded in a central inventory system, which enriches the asset inventory with ownership and firmware compliance tracking. Virtual networks with backend connectivity are isolated from the Microsoft corporate network as well, and are subject to complete security reviews to reduce lateral movement.
With the expansion of platform capabilities such as Admin Rules to ease the network isolation of platform as a service (PaaS) resources such as Azure Storage, SQL, Cosmos DB, and Key Vault, Microsoft has made it easier for customers to secure their own deployments.
Protection of engineering systems
We are now experiencing more consistent, efficient, and trustworthy deployments because 85% of production build pipelines for the commercial cloud are now using centrally governed pipeline templates.
Other notable changes include shortening the lifespan of Personal Access Tokens to seven days, disabling Secure Shell (SSH) protocol access for all Microsoft internal engineering repos, and massively reducing the number of elevated roles with access to engineering systems.
Moreover, proof of presence checks for critical chokepoints in software development code flow are now available.
THREAT DETECTION AND MONITORING
A lot of progress continues toward the goal of pushing all Microsoft production infrastructure and services to adopt standard libraries for security audit logs. Additional efforts include those to emit relevant telemetry and to retain logs for a minimum of two years.
A good example is the establishment of central management and a two-year retention period for identity infrastructure security audit logs, including all security audit events throughout the lifecycle of current signing keys. Add to this the fact that no less than 99% of network devices are now enabled for centralized security log collection and retention.
Accelerate response and remediation
Recent process updates across Microsoft have improved the time to mitigate critical cloud vulnerabilities. Customers will also appreciate the greater transparency provided by publishing critical cloud vulnerabilities as Common Vulnerabilities and Exposures (CVEs), which is helpful even when no direct customer action is required.
In addition to this, the establishment of the Customer Security Management Office (CSMO) will go a long way to improve public messaging and customer engagement for security incidents.
Required Permissions
As we look at the new version of the Intune Connector for Active Directory, one of the key areas that can help us distinguish this new connector from its previous version is doing a comparison of account permissions:
Create Computer Object Rights (required for hybrid Autopilot scenario)
Previous connector (SYSTEM account): Unlimited if the connector is on the same machine as a domain controller. Delegation is required if the connector is not on the domain controller.
New connector (MSA): Explicit delegation required.
Pre-requisites
As with any product or application, there are certain requirements that all customers intending to use the Intune Connector for Active Directory will need to meet. So, before proceeding with the set up of the new Intune Connector, you need to verify that you can meet all the pre-requisites. These requirements include:
The computer you’re installing Intune Connector for Active Directory to must be running Windows Server 2016 or later.
You should also verify that you have .NET Framework version 4.7.2 or later installed.
To facilitate communication with Microsoft’s Intune service, the server hosting the Intune Connector should have internet access.
The Intune Connector will need standard domain client access to domain controllers.
Customers must verify that they have a Microsoft Entra account with Intune Service Administrator permissions, as this is a requirement to download and manage the connector.
Also needed will be a domain account with local administrator privileges and the ability to create msDS-ManagedServiceAccount objects.
Verify that the Windows Server configuration aligns with the Desktop Experience and, for versions 2019 or earlier, install the Microsoft Edge browser manually before connector setup.
The Microsoft Entra account should have an Intune license assigned to it.
For those that will be using Hybrid Azure AD Join, they should check that it’s configured via Azure AD Connect tool.
Lastly, the Intune Connector machine must have the appropriate delegated permissions to create computer objects in the target OU.
Setting Up The Connector
To set up the new Intune Connector for Active Directory, you need to start by uninstalling the existing connector. You can do this from the Settings app on Windows and then by running ODJConnectorBootstrapper.exe (select Uninstall). With that done, you can download the connector build from Intune and then perform the installation (as described in detail in my previous blog).
Configuring organizational units (OUs) for domain join
Customers should be aware that by default MSAs won’t have access to create computer objects in any Organizational Unit (OU). Thus, if you intend to use a custom OU for domain join, you’ll need to update the ODJConnectorEnrollmentWizard.exe.config file. Fortunately, this is something you can do before or after connector enrollment:
Update ODJConnectorEnrollmentWizard.exe.config:
Default location is “C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard”
Add all the OUs required in OrganizationalUnitsUsedForOfflineDomainJoin
OU name should be the distinguished name.
You need to be aware that the MSA is only granted access to the OUs configured in this file (and the default Computers container). This means that if any OUs are removed from this list, completing the rest of the steps will revoke access.
Open ODJConnectorEnrollmentWizard (or restart it if it was open) and select the “Configure Managed Service Account” button.
If successful, a pop up will appear showing success.
Using the Intune Connector with multiple domains
For those who are already using the connector with more than one domain, they will be able to use the new connector by setting up a separate server per domain and installing a separate connector build for each domain.
Configuring the connector
Customers should install the Intune Connector for Active Directory in each of the domains that they want to use for domain join. If redundancy with a second account is required, customers must install the connector on a different server (in the same domain).
Go through the connector configuration steps meticulously and verify that everything has been done correctly. Also check that the MSA has the appropriate permissions on the desired OUs.
Verify that all connectors are present in the Microsoft Intune admin center (Devices > Enrollment > Windows > under Windows Autopilot, select Intune Connector for Active Directory) and that the version is greater than 6.2501.2000.5.
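To back the OU configuration steps above and the "check that the MSA has the appropriate permissions on the desired OUs" advice, here is an added example (not Microsoft's or the connector's own code) that reads each OU's ACL and reports whether the MSA holds an explicit Create Child right for computer objects. It assumes the RSAT ActiveDirectory module is present on the connector server; the MSA name and OU distinguished names are placeholders.

```powershell
# Added example: confirm the connector's MSA can create computer objects in every OU you listed
# in OrganizationalUnitsUsedForOfflineDomainJoin. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Schema class GUID of 'computer'; an ACE scoped to this object type grants CreateChild for computers only.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Test-OuDistinguishedName {
    param([string]$Dn)
    # The config file expects distinguished names such as OU=Autopilot,DC=contoso,DC=com,
    # not canonical or friendly names, so reject anything else before touching the directory.
    return $Dn -match '^(OU|CN)=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$'
}

function Test-MsaCanCreateComputers {
    param(
        [Parameter(Mandatory)][string]$MsaSamAccountName,   # e.g. 'msa_intune$' (placeholder)
        [Parameter(Mandatory)][string[]]$OuDistinguishedName
    )
    $domain   = (Get-ADDomain).NetBIOSName
    $identity = "$domain\$MsaSamAccountName"
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    foreach ($dn in $OuDistinguishedName) {
        if (-not (Test-OuDistinguishedName $dn)) {
            [pscustomobject]@{ OU = $dn; CanCreateComputer = $false; Reason = 'Not a distinguished name' }
            continue
        }
        $acl = Get-Acl -Path "AD:\$dn"
        # Only ACEs granted directly to the MSA are considered; rights inherited via group
        # membership are not resolved here, so a $false result means "no explicit delegation".
        $ace = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
            ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq [guid]::Empty)
        }
        if ($ace) { $reason = 'Explicit Allow CreateChild (computer) ACE present' }
        else      { $reason = 'No matching ACE: delegate the right or remove the OU from the config list' }
        [pscustomobject]@{ OU = $dn; CanCreateComputer = [bool]$ace; Reason = $reason }
    }
}

# Usage with placeholder names; the OUs mirror what you put in OrganizationalUnitsUsedForOfflineDomainJoin.
Test-MsaCanCreateComputers -MsaSamAccountName 'msa_intune$' -OuDistinguishedName @(
    'OU=Autopilot,OU=Workstations,DC=contoso,DC=com',
    'OU=Kiosks,DC=contoso,DC=com'
) | Format-Table -AutoSize
```

Run it after the "Configure Managed Service Account" step and again whenever the OU list changes, since removing an OU from the config file revokes the MSA's access to it.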
Configure Domain Join profile
Follow the steps given below.
Start by creating a domain join profile for each domain that you want to use for hybrid joining devices during Autopilot.
Target the domain join profile to the appropriate device groups.
Wrap Up
The Intune Connector for Active Directory provides an essential tool for managing hybrid devices in an Intune environment. With its many available features, customers will get centralized management capabilities for their environments thus allowing businesses to operate more efficiently.
But, with security having been a big concern for many, Microsoft has made the switch to using a Managed Service Account instead of a SYSTEM account. This action has effectively tightened security in customers’ environments. Going forward, the previous version of the Intune Connector will no longer be supported. Therefore, if you are yet to download and set up the new Intune Connector for Active Directory, the sooner you do the better.
Troubleshooting Errors Like 0x80180014 and Navigating Device Records in the Admin Portals
Introduction
Managing devices in a modern enterprise requires a clear understanding of how devices enroll into your organization’s management ecosystem, particularly in Microsoft Intune and Microsoft Entra ID (formerly Azure Active Directory). With the increasing adoption of mobile device management (MDM) and the demand for secure cloud identity integration, IT administrators frequently encounter various behaviors—and sometimes, errors—that can be confusing.
One of the more common challenges occurs when a device fails to enroll correctly, presenting cryptic error codes such as 0x80180014. This blog post provides a deep dive into how device registration and visibility work across Microsoft Intune and Entra ID. We’ll also unpack typical issues, explain where devices appear in each admin center, and how to cleanly troubleshoot enrollment errors.
This issue was thoroughly explored during a troubleshooting session with Carsten Lund Meilbak, the go-to expert for everything Microsoft Teams and Teams Meeting Room environments, where we investigated problems with a Microsoft Teams Room (MTR) device. During the session, we discovered how certain Autopilot scenarios could result in orphaned device records in Entra ID, preventing re-enrollment.
What Is Microsoft Intune?
Microsoft Intune is a cloud-based endpoint management solution that helps organizations manage user access, enforce compliance, and deploy apps and configurations to devices. Whether the devices are Windows, Android, iOS, or macOS, Intune serves as the command center for policy enforcement and inventory tracking.
What Is Microsoft Entra ID?
Microsoft Entra ID (previously known as Azure Active Directory) is Microsoft’s cloud-based identity and access management service. Devices can be registered, joined, or hybrid joined to Entra ID, and the identity status of these devices is critical for secure access, Conditional Access policies, and MDM enrollment flows.
Section 1: Device Lifecycle – From Registration to Management
Step 1: Device Registration in Entra ID
When a device first connects with a corporate identity, it can take one of several paths:
Azure AD Registered (Workplace Join):
Typical for BYOD (Bring Your Own Device).
Appears under the user’s profile in Entra ID.
Usually paired with manual or conditional enrollment in Intune.
Azure AD Joined:
Common for corporate-owned devices.
Full control over the device by the organization.
Required for Autopilot provisioning and device-based Conditional Access.
Hybrid Azure AD Joined:
Devices are joined to on-prem Active Directory and then synced to Entra ID via Azure AD Connect.
Offers compatibility for legacy environments still using GPOs or SCCM.
Step 2: Device Enrollment in Intune
After a device is registered in Entra ID, it may also become enrolled in Intune:
Automatic Enrollment via group policies or Autopilot.
Manual Enrollment by end-users through “Access Work or School” in Windows settings.
Co-management Scenarios where both Intune and ConfigMgr (SCCM) share responsibilities.
This enrollment is what allows policies, apps, and configurations to be deployed to the device.
Microsoft Entra Admin Center → Devices → All Devices
Here, you’ll see all devices that are registered or joined to your Entra tenant.
Each record provides the following key information:
Device Name
Join Type (Azure AD Registered, Azure AD Joined, or Hybrid)
OS Type and Version
MDM Enrolled (Yes/No)
Compliant (Yes/No)
Owner (User Principal Name)
If a device shows up here but not in Intune, it might not be enrolled in MDM. You can confirm this via the MDM Enrolled column or by selecting the device and checking details.
This view shows all devices that are successfully enrolled in Intune, either through automatic enrollment or manual addition.
Important fields include:
Compliance Status
Enrollment Type (Corporate, BYOD, Autopilot)
Primary User
Managed By
Last Check-In
Device Category
If a device is listed here but shows a warning or non-compliance, the issue often relates to Conditional Access, configuration profiles, or missing required apps.
Cross-Referencing Between Portals
It’s not uncommon for admins to find a device in one portal and not the other. Here’s what it typically means:
Found in Entra only: Device is only registered, not MDM-enrolled.
Found in Intune only: Rare; usually due to stale objects or migration.
Found in both: Device is properly joined and managed.
A properly managed device should show up in both portals, and any inconsistency is a sign of an enrollment issue.
Section 3: Common Error – 0x80180014
What Does 0x80180014 Mean?
This error appears most often during the enrollment phase of a Windows 10/11 device. It typically means:
“The device is already enrolled.”
In other words, Windows believes the device is already managed, either because of a previous enrollment or residual data from a prior configuration.
Resolution Steps
Check Admin Portals: Remove the device from both Intune and Entra if it still exists.
Remove MDM Profile: Disconnect the work or school account in Settings.
Use PowerShell: Run dsregcmd /leave to unjoin from Entra ID.
Retry Enrollment: After cleanup, re-enroll the device manually or through Autopilot.
Section 4: Unable to Delete Device from Entra ID
If the device does not appear in Intune but is still stuck in Entra ID and can’t be deleted, follow these steps:
Step 1: Confirm Your Permissions
Ensure your account has one of the following roles:
# Requires the Microsoft.Graph PowerShell SDK; Device.ReadWrite.All is needed to delete device objects
Connect-MgGraph -Scopes "Device.ReadWrite.All"
# Replace 'DEVICE-NAME' with the actual name
$device = Get-MgDevice -Filter "displayName eq 'DEVICE-NAME'"
# Stop if the name matches zero or several objects so the wrong device is never removed
if (@($device).Count -ne 1) { throw "Expected exactly one device named DEVICE-NAME, found $(@($device).Count)" }
Remove-MgDevice -DeviceId $device.Id
If you already have the Object ID, skip the lookup and run:
Remove-MgDevice -DeviceId "<device-object-id>"
Note on Autopilot Devices
In some scenarios, Autopilot devices can lose their connection to the Entra device object, especially if the device has been reset outside of Autopilot flows (e.g., manually or using third-party imaging). This causes:
The Autopilot object to remain in the Autopilot portal
The Entra ID device to become orphaned
Intune showing no matching device
This was exactly the case during a troubleshooting session with Carsten Lund Meilbak, where we were diagnosing an enrollment failure on a Microsoft Teams Room (MTR) device. The Entra ID device had become orphaned, preventing the MTR from successfully enrolling. Manual deletion of the Entra device object was required to resolve the issue.
In these cases, the orphaned Entra ID device must be deleted manually as described above.
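The cross-referencing table above and the orphaned-Autopilot case just described can be checked in one pass; the following is an added example (not from the post) that classifies records from the three sources and flags the orphan pattern. Property names follow the Microsoft Graph PowerShell SDK objects returned by Get-MgDevice, Get-MgDeviceManagementManagedDevice and Get-MgDeviceManagementWindowsAutopilotDeviceIdentity, and the sample data at the bottom is constructed, not from a real tenant.

```powershell
# Added example: classify device records across Entra ID, Intune and Autopilot so stale or
# orphaned objects stand out before they block an enrollment with 0x80180014.
# Entra objects need DisplayName, Id (object id) and DeviceId (device GUID); Intune objects need
# AzureAdDeviceId and DeviceName; Autopilot identities need AzureActiveDirectoryDeviceId.

function Get-DeviceRecordStatus {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$EntraDevices,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$IntuneDevices,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$AutopilotDevices
    )
    # Index the Intune and Autopilot sides by the Entra device GUID (not the Entra object id).
    $intuneByAadId = @{}
    foreach ($d in $IntuneDevices) { if ($d.AzureAdDeviceId) { $intuneByAadId[$d.AzureAdDeviceId] = $d } }
    $autopilotByAadId = @{}
    foreach ($d in $AutopilotDevices) { if ($d.AzureActiveDirectoryDeviceId) { $autopilotByAadId[$d.AzureActiveDirectoryDeviceId] = $d } }
    $entraIds = @{}
    foreach ($e in $EntraDevices) { $entraIds[$e.DeviceId] = $true }

    foreach ($e in $EntraDevices) {
        $inIntune    = $intuneByAadId.ContainsKey($e.DeviceId)
        $inAutopilot = $autopilotByAadId.ContainsKey($e.DeviceId)
        if ($inIntune) {
            $status = 'Found in both: properly joined and managed'
        } elseif ($inAutopilot) {
            # The Autopilot identity still points at this Entra object but Intune has no record:
            # the orphaned case that blocks re-enrollment until the Entra object is deleted.
            $status = 'Orphaned: Autopilot identity references it, no Intune record; delete and re-enroll'
        } else {
            $status = 'Found in Entra only: registered, not MDM-enrolled'
        }
        [pscustomobject]@{
            Name          = $e.DisplayName
            EntraObjectId = $e.Id
            EntraDeviceId = $e.DeviceId
            InIntune      = $inIntune
            InAutopilot   = $inAutopilot
            Status        = $status
        }
    }
    # The rare reverse case from the table: an Intune record whose Entra object no longer exists.
    foreach ($d in $IntuneDevices) {
        if ($d.AzureAdDeviceId -and -not $entraIds.ContainsKey($d.AzureAdDeviceId)) {
            [pscustomobject]@{
                Name          = $d.DeviceName
                EntraObjectId = $null
                EntraDeviceId = $d.AzureAdDeviceId
                InIntune      = $true
                InAutopilot   = $autopilotByAadId.ContainsKey($d.AzureAdDeviceId)
                Status        = 'Found in Intune only: stale object or migration leftover'
            }
        }
    }
}

# Constructed sample: a healthy laptop, an orphaned MTR, a BYOD registration and a stale Intune record.
$entra = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-01';   Id = 'obj-0001'; DeviceId = '11111111-1111-1111-1111-111111111111' },
    [pscustomobject]@{ DisplayName = 'MTR-ROOM-01'; Id = 'obj-0002'; DeviceId = '22222222-2222-2222-2222-222222222222' },
    [pscustomobject]@{ DisplayName = 'BYOD-PHONE';  Id = 'obj-0003'; DeviceId = '33333333-3333-3333-3333-333333333333' }
)
$intune = @(
    [pscustomobject]@{ DeviceName = 'LAPTOP-01'; AzureAdDeviceId = '11111111-1111-1111-1111-111111111111' },
    [pscustomobject]@{ DeviceName = 'OLD-PC-99'; AzureAdDeviceId = '99999999-9999-9999-9999-999999999999' }
)
$autopilot = @(
    [pscustomobject]@{ SerialNumber = 'SN-LAPTOP-01'; AzureActiveDirectoryDeviceId = '11111111-1111-1111-1111-111111111111' },
    [pscustomobject]@{ SerialNumber = 'SN-MTR-01';    AzureActiveDirectoryDeviceId = '22222222-2222-2222-2222-222222222222' }
)

Get-DeviceRecordStatus -EntraDevices $entra -IntuneDevices $intune -AutopilotDevices $autopilot |
    Format-Table Name, InIntune, InAutopilot, Status -AutoSize
```

Against a live tenant, replace the three sample arrays with the output of Get-MgDevice -All, Get-MgDeviceManagementManagedDevice -All and Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All after connecting with the corresponding read scopes.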
Conclusion
Understanding how devices register and appear in Microsoft Intune and Entra ID is crucial for device management. Cross-portal visibility, proper cleanup, and the ability to handle errors like 0x80180014 efficiently ensure a secure and manageable environment for both users and administrators.
If device records are left stale or orphaned, they can interfere with future enrollment attempts, Autopilot deployments, and compliance policies. Always keep your portals clean and verify device join and MDM status regularly.
As hackers get more daring and attacks more sophisticated, organizations need to continuously look at how they can enhance their security protocols. Concerning statistics show that the cost of cybercrime, already well into the trillions, could surpass $23 trillion by 2027.
Faced with the reality that cybercrime is unquestionably on the rise, a proactive approach is now necessary to lessen the risk of attack. One of the best ways to achieve that is by utilizing the indicators that Microsoft Defender for Endpoint has.
By using these, IT admins can preemptively block malicious entities and prevent them from accessing the organization’s resources. With this in mind, the focus for this blog will be to provide you with detailed information concerning indicators.
Explaining Microsoft Defender for Endpoint Indicators
Indicators provide IT administrators with certain data that can help identify individuals with nefarious intentions. This data can enable organizations to pinpoint malicious IP addresses, untrusted certificates, suspicious URLs, and more. Moreover, an organization can then set up its indicators accordingly thereby enabling a proactive approach to dealing with threats.
In Microsoft Defender for Endpoint, the indicators operate by applying specific rules to endpoint devices. These rules will use predetermined criteria to govern whether or not devices allow or block certain types of activity. A good example of this would be blocking all traffic to and from IP addresses that have been determined to be carrying out malicious activities.
Importance of Indicators
Indicators play a major role in improving organizational security by enabling businesses to take a proactive approach and block malicious actors before they can do any damage. And if an incident does occur, indicators will help you to quickly identify threats and implement a swift response. Additionally, using indicators allows you to customize your security to effectively meet the specific needs of your organization.
These tools are invaluable for intercepting attacks. Once it has been determined that an attack is ongoing, the malicious entities can be immediately blocked therefore limiting the impact from affecting the entire organization.
Types of Indicators with Microsoft Defender for Endpoint
In this section, we’re going to look at four types of indicators that Microsoft Defender for Endpoint supports. These indicators are essential for responding to different threats.
IP ADDRESS INDICATORS
This type is used for preventing access to IP addresses suspected of malicious activities. Once a specific IP address has been determined, an action is implemented that blocks all devices within an organization from connecting to that IP address. To do this, you need to navigate to Microsoft 365 Defender portal > Settings > Indicators. Next, you’ll need to add a new indicator and then select IP Address. With this done, you can now set up the action as Block and specify devices affected.
URL AND DOMAIN INDICATORS
These indicators are used to block access to malicious domains and phishing sites. After you’ve specified the URL concerned, you can then implement an action blocking all devices within your organization from connecting to that particular URL. Microsoft Defender for DNS is recommended if you want to have DNS-level protection.
FILE HASH INDICATORS
These will enable you to block access to known malicious files based on their hash (MD5, SHA-1, or SHA-256). You can use Advanced Hunting in Microsoft Defender or third-party threat intelligence sources to get the necessary file hashes.
CERTIFICATE INDICATORS
With this fourth type, you can block executables signed by untrusted certificates.
How to Set Up Microsoft Defender for Endpoint Indicators
The process of setting up indicators is not an overly complicated one. You start by navigating to the Microsoft 365 Defender portal where you need to sign in with your administrator account. Following this, you can then begin creating an indicator.
CREATION PROCESS
Head over to Settings > Indicators.
Click on Add Indicator.
Select the type of indicator required.
Provide the necessary information:
Indicator Type: IP Address, URL, File Hash, or Certificate.
Action: Block or Allow
Scope: Specify which devices/groups will be affected by the action to be performed.
Expiration Date: Provide an expiration date for temporary indicators (this is optional).
Description: For documentation purposes, a description will be required.
COMPLETING THE PROCESS
After you’ve completed the creation process, you can click Create to save the indicator. You’ll also have the capability to monitor the indicator’s impact by taking advantage of Reports and Advanced Hunting. Advanced Hunting offers a powerful, query-based tool that helps you track threats and evaluate how effectively the indicators are working. Hunting works best if you use filters to get more specific results, as well as if you save and reuse queries during the monitoring processes.
Using Indicators Effectively
Like most other apps and services, you can’t set up indicators once and forget about them. You need to constantly review them and update them when necessary so your security remains strong.
As already mentioned, some indicators are temporary and so you need to remember to set expiration dates for these so that you avoid cluttering your environment. Not only that, but you should ensure that indicators are targeting the specific devices or groups they are created for.
Furthermore, IT admins should continuously evaluate the information obtained from Advanced Hunting and reports so that they are always aware of whether or not the indicators are performing to expectations. And then to enhance your security posture even more, you can combine indicators with Conditional Access policies for better results.
Wrap up
The staggering figures that we hear being thrown around when discussing cybercrime are almost beyond belief. But, the reports about cybercrime provide a lot of insights that enable organizations to take the necessary steps to improve their security. Leveraging the indicators available in Microsoft Defender for Endpoint goes a long way in securing your network and reducing the risk of attack. If applied correctly and used as recommended, indicators can be some of the best tools in an organization’s cybersecurity arsenal.
Upgrading to Microsoft Configuration Manager (ConfigMgr) version 2503 is a critical step for IT administrators aiming to leverage the latest security enhancements and bug fixes. However, many have encountered a recurring issue during the prerequisite check
This error often appears even when the ODBC Driver 18 is already installed. This article delves into the root cause of this problem and provides a comprehensive solution.
Understanding the Issue
The Configuration Manager 2503 prerequisite checker mandates the installation of the Microsoft ODBC Driver 18 for SQL Server. However, the link provided in the error message (https://go.microsoft.com/fwlink/?linkid=2220989) directs users to an outdated version of the driver. Consequently, even if a version of the driver is installed, the prerequisite check may fail if it’s not the expected version.
Administrators have reported that installing the driver from the provided link results in a message indicating that a newer version is already present, yet the prerequisite check continues to fail. This inconsistency stems from the prerequisite checker not recognizing newer versions of the driver (as reported on Reddit and by System Center Dudes).
Recommended Solution
To resolve this issue, it’s essential to ensure that the correct version of the Microsoft ODBC Driver 18 for SQL Server is installed. The recommended version is 18.5.1.1 or later.
Choose the appropriate installer based on your system architecture (e.g., x64).
Step 3: Re-run the Prerequisite Check
After installing the correct version:
Open the Configuration Manager Console.
Navigate to Administration > Updates and Servicing.
Right-click on the Configuration Manager 2503 update and select Run prerequisite check.
The check should now pass without errors related to the ODBC driver.
Additional Considerations
Multiple ODBC Versions: Some administrators have multiple versions of the ODBC driver installed (e.g., versions 17, 18, and 19). While multiple versions can coexist, ensure that version 18.5.1.1 or later is present, as it’s the one recognized by the prerequisite checker.
Silent Installation: For automated deployments, the ODBC driver can be installed silently using the following command:
msiexec /i msodbcsql18.msi /quiet /norestart
Replace msodbcsql18.msi with the actual filename of the downloaded installer.
Verify Installation: After installation, verify the driver version:
Open ODBC Data Source Administrator.
Navigate to the Drivers tab.
Ensure that ODBC Driver 18 for SQL Server is listed with version 18.5.1.1 or later.
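The version check and silent install described above, as an added PowerShell example that is not part of the original article. It assumes the driver’s MSI registers an Uninstall entry whose DisplayName contains “ODBC Driver 18 for SQL Server” and whose DisplayVersion uses the 18.x.y.z form; the function names and the MSI path are hypothetical.

```powershell
# Added example: check the installed Microsoft ODBC Driver 18 for SQL Server against the
# minimum version the ConfigMgr 2503 prerequisite check expects (18.5.1.1).
# Assumption: the driver's MSI writes an Uninstall entry (DisplayName/DisplayVersion) under
# the usual registry locations; DisplayVersion is assumed to parse as 18.x.y.z.
function Get-OdbcDriver18Install {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ODBC Driver 18 for SQL Server*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-OdbcDriver18Version {
    param([version]$MinimumVersion = [version]'18.5.1.1')
    $installs = Get-OdbcDriver18Install
    if (-not $installs) {
        Write-Warning 'ODBC Driver 18 for SQL Server is not installed.'
        return $false
    }
    foreach ($install in $installs) {
        $installed = $null
        # Skip entries whose DisplayVersion is not a parseable version string
        if (-not [version]::TryParse($install.DisplayVersion, [ref]$installed)) { continue }
        if ($installed -ge $MinimumVersion) {
            Write-Host "OK: $($install.DisplayName) $installed meets the minimum $MinimumVersion"
            return $true
        }
        Write-Warning "$($install.DisplayName) $installed is older than the required $MinimumVersion"
    }
    return $false
}

# Silent install of a downloaded MSI (the path is a placeholder). Unattended installs of this
# MSI require the license-acceptance property; 3010 means success with a pending reboot.
function Install-OdbcDriver18 {
    param([Parameter(Mandatory)][string]$MsiPath)
    $msiArgs = "/i `"$MsiPath`" /quiet /norestart IACCEPTMSODBCSQLLICENSETERMS=YES"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($proc.ExitCode)" }
}

if (-not (Test-OdbcDriver18Version)) {
    Write-Host 'Install version 18.5.1.1 or later (e.g. Install-OdbcDriver18 -MsiPath C:\path\to\msodbcsql18.msi), then re-run the prerequisite check.'
}
```

Run it in an elevated session on the site server before launching the prerequisite check; a return of $false means the check will still fail on the ODBC requirement.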
Conclusion
The prerequisite check failure during the Configuration Manager 2503 upgrade, related to the Microsoft ODBC Driver 18 for SQL Server, is primarily due to version discrepancies. By uninstalling outdated versions and installing the recommended version 18.5.1.1 or later, administrators can ensure a smooth upgrade process.
Since its launch in 2021, Windows 365 has benefited from countless new features and updates that have enhanced the Cloud PC experience. And 2024 has not been an exception. But, arguably the biggest Windows 365 announcement comes right as the year is coming to an end. Microsoft is introducing a purpose-built device that has been specifically designed to enable users to quickly and securely connect to their Windows 365 Cloud PCs. As the first Cloud PC device, Windows 365 Link is generating a lot of interest. And it’s looking to be the high-fidelity experience Microsoft promises.
Unboxing
Once you receive your Windows 365 Link device, you can expect to find the following:
Hardware
Windows 365 Link device.
Power adaptor.
Quick start guide.
Ports
On the front panel, you’ll find a USB-A port, a 3.5 mm audio jack, as well as a power button and LED indicator. On the back panel, you’ll find 2 USB-A ports, 1 USB-C port, 1 DisplayPort, 1 Ethernet port, 1 HDMI port, and the power supply port.
Side Panel
The side panel has a Kensington lock to physically secure the device.
Monitor Support
Both the HDMI and DisplayPort outputs support one monitor each, up to 4K in resolution.
Peripheral Support
Users will get USB and Bluetooth support for their keyboards, mice, headphones, and cameras.
Software
The device comes pre-installed with a small, Windows-based OS called Windows CPC. To add to the convenience, updates are downloaded in the background and then installed during off hours. However, to ensure these updates occur, verify that the device is plugged in and powered on (in standby or sleep mode).
Wireless Support
Here you get Wi-Fi 6E as well as Bluetooth 5.3.
Why would I need this?
Understandably, whenever a new device comes on the market, businesses want to know how purchasing the product can benefit them. After all, the Windows 365 Link device will set you back US$349.
According to Microsoft, this new device aims to resolve some of the problems that Cloud PC users encounter. These include, but are not limited to, latency issues, security challenges, and complicated sign in processes. From what we’ve heard so far, the biggest positives of using the Link device will be:
CLOUD-POWERED PERFORMANCE
Users can harness the full power of the cloud to increase their efficiency and enjoy a more seamless experience. With the ability to connect to their Windows 365 Cloud PCs in seconds, users can maximize productivity. This ensures that businesses get full value for their investment. Additionally, users will benefit from responsive, high-fidelity experiences with access to all their favorite Microsoft 365 productivity apps.
SECURE BY DESIGN
The Windows 365 Link device comes with security measures that address the concerns about endpoint vulnerability that IT professionals have raised. Because of these concerns, the Link device has a locked-down operating system with no local data or apps, and no local admin users. By designing it this way, Microsoft has significantly reduced the potential attack surface, thus making the task of compromising devices much harder.
Furthermore, the availability of passwordless authentication using Microsoft Entra ID means that users can sign in with MFA using the Microsoft Authenticator app, a cross-device passkey using a QR code, or a FIDO USB security key. Consequently, the use of all these security measures will serve to improve overall device protection.
SIMPLIFY IT MANAGEMENT
Another key issue that Windows 365 Link wants to resolve is complex management. I’m sure that we’ve all at one point or another been frustrated about just not seeming to have enough time to complete all the tasks at hand.
Fortunately, Windows 365 Link gives us a possible solution by enabling admins to configure and manage devices using Intune. By allowing admins to leverage the knowledge and policies they already have, the Link device helps improve IT management efficiency.
ALIGNMENT WITH SUSTAINABILITY GOALS
Many organizations are looking for ways that can help them make a positive environmental impact while simultaneously enhancing business operations. With this in mind, Microsoft has built the Windows 365 Link device to be a sustainable product.
The device is built with 90% post-consumer recycled aluminum alloy in its top shield, 100% pre-consumer recycled aluminum alloy in its bottom plate, and its motherboard contains 100% recycled copper and 96% recycled tin solder.
In addition, when in operation, Windows 365 Link consumes less energy than your average desktop with external monitors and peripherals connecting to Windows 365. And as a device that has been designed to have a long life, the lack of moving parts means that frequent replacements will not be an issue with this gadget.
Get an early look
As mentioned before, Windows 365 will become generally available as of April 2025. In the interim, those who want to get an early look may be able to participate in the public preview.
Anyone interested in getting Windows 365 Link devices for their organization should get in touch with their Microsoft account team. Additionally, you could also join the Customer Connections Program and Office hours for the latest updates as part of your participation.
Wrap up
The new purpose-built device that Microsoft is introducing will make accessing Cloud PCs much simpler for users. With the ability to wake quickly and connect you to your Cloud PC in seconds, this device has the potential to be an excellent productivity tool. Announced at Microsoft’s Ignite 2024 tech conference in Chicago, Windows 365 Link will provide users with a high-fidelity experience with access to all the familiar Microsoft 365 apps.
The public preview period should provide us with a lot more information in the coming months. But, as something that Microsoft hopes will bring positive change to the future of virtualization, the lightweight Link device will have a lot riding on its petite frame.