On another note, Italian-language articles from members of the Italian community are finally coming in more often (I was starting to get tired of always having to hunt down content from the usual foreign names).

Happy reading!

⚠️ Important!

The ITSpecialist.News editorial offering has just expanded with a new English section, featuring a curated selection of my main articles.

Since most of these are the same contents available in both languages, you might prefer not to receive them twice.

If you’d like to receive updates only in your preferred language:
→ Go to itspecialistnews.substack.com/account
→ Open the “Notifications” section
→ If you’re an English reader, keep only “ITSpecialist.News – Same Content, in English” enabled and disable the others.
→ If you’re an Italian reader, keep only “ITSpecialist.News | Riccardo Corna” enabled.

📌 In this issue

• FAQ… with style: “Intune error event codes can be a bit cryptic at times. Where can I find a quick and easy reference list of Intune configuration profile error codes?”

• Microsoft News Radar: the latest straight from Microsoft sources.

• Community Picks: the most interesting community-created content this month.

• Events: Global Azure everywhere, plus the usual appointments and, even if we’re getting ahead of ourselves, AperiTeams Conference 2026.

• On a personal note: that’s it, I’ve made up my mind!

❓ FAQ… with style

Question

”Intune error event codes can be a bit cryptic at times. Where can I find a quick and easy reference list of Intune configuration profile error codes?”

Answer

Microsoft maintains official documentation dedicated to exactly this:

📎 Error and status codes in Microsoft Intune.

Here you’ll find a complete table of MDM error codes (iOS/iPadOS, Android, Windows) with descriptions and common causes — very handy when you’re staring at cryptic hex codes in device reports.

For errors specific to app installation (VPP, LOB), there’s also a dedicated page:

📎 App installation error codes for Microsoft Intune.

Bookmark both pages: they’re the first ones to check whenever a profile or app fails without a clear message!

🛰️ Microsoft Radar

A curated selection of content straight from Microsoft sources.

• Microsoft Intune

  • Windows 365 + Intune Advanced Endpoint Management Capabilities: Better Together

  • What’s new in Microsoft Intune – March

  • Secure apps: Where people, data, and AI intersect

• Surface IT Pro

  • Vibe Coding for the NPU

• Microsoft Defender for Endpoint

  • Introducing effective settings: See security configurations enforced on your device

• Microsoft Entra

  • Evolving identity security: How the Conditional Access Optimization Agent helps you adapt

  • Strengthen identity resilience: Recover with confidence using Microsoft Entra Backup and Recovery

  • External MFA in Microsoft Entra ID is now generally available

🌐 Community Picks

The most useful community content I've come across these past few weeks.

• 🔗 WinGet: building evergreen Win32 apps with Microsoft Intune
  👤 Simone Termine
  In the Intune world, WinGet and PowerShell come together to turn classic Win32 apps into evergreen objects that install, update, and uninstall based on the actual software state on the client. A concrete pattern, with scripts and logging included, to cut repetitive work without giving up enterprise-grade governance.

• 🔗 Windows Autopatch: a practical guide to reporting for monitoring updates, readiness, and anomalies
  👤 Davide Salsi
  A structured map of all Windows Autopatch reports in Intune: how to read dashboards, trends, and alerts to truly understand what’s happening with Quality and Feature Updates, measure readiness, spot anomalies, and turn patching from a technical task into a risk management tool.

• 🔗 Windows Autopatch Quick Start: updates take care of themselves (including saying goodbye to Windows 10)
  👤 Francesco Facco
  A practical guide to turning update chaos into an automated flow managed by Intune and Windows Autopatch, from assessing eligibility for Windows 11 all the way to test, pilot, and production rings, with real-world advice on risk, timelines, monitoring, and user management.

🎭 Eventi e Call for Speaker

Community and Microsoft events, plus the main open Calls for Speakers.

• 🌐 Global Azure 2026
  📅 13, 16–18 April 2026 – 💻 Online and/or 🌍 In person
  Global Azure 2026 is back: special days in April 2026 to share our passion for Microsoft Azure through technical sessions, inspiration, and networking. Here’s the list of Italian editions with links to their websites so you can find all the details you need.

  • Global Azure Torino 2026 (I’ll be there, as an attendee)

  • Global Azure Veneto 2026 (I’ll be there, as an attendee)

  • Global Azure Pordenone 2026

  • Global Azure Puglia 2026

  • Global Azure Ticino 2026 (Switzerland) (I’ll be there, as a speaker)!

  • Global Azure Milano 2026

Details of my session at Global Azure Ticino 2026:

💻 SCEP It Easy With Intune Cloud PKI
In this session, we’ll explore best practices for implementing the Simple Certificate Enrollment Protocol (SCEP) and integrating it with Intune to ensure secure, automated certificate deployment, comparing the pros and cons of an on-premises SCEP infrastructure versus an Intune Cloud PKI solution.

• ⌚ BeConnected Hour
  📅 30 April 2026 – 💻 Online
  Monthly update on what’s new in Microsoft 365, Teams, MTR, Purview, MDO, and Copilot, together with Luca Vitali, Fabrizio Volpe, and Raffaele Colavecchi.

• AperiTeams Conference 2026
  📅 24 June 2026 – 💻 Online and 🌍 In person
  A free one-day conference at the Microsoft House in Milan for IT professionals, focused on infrastructure, hybrid cloud, modern workplace, cybersecurity, and artificial intelligence, with technical sessions, demos, and networking, organized by Inside Technologies.

Call for Speaker

Here are a few interesting Calls for Speakers.

• BeConnected Day 14

Disclaimer

The events I highlight in “Have you tried turning it off and on again?” are not meant to be a complete list: I only share those I personally come across and consider useful for the community. If an event is missing, it simply slipped past me or I wasn’t aware of it. If you’d like to flag yours, feel free to reach out. Publication is for informational purposes only and does not imply endorsement, approval, sponsorship, or partnership, unless explicitly stated otherwise.

🎧 On a personal note

Outside the IT world, here’s what’s been inspiring me lately.

📖 What I’m reading (books, newsletters, and more)

• Non aprite quella parentesi

• Il mercato del tradimento

• Stamattina 8 miliardi di persone si sono svegliate volendo essere te. Tu ti sei svegliato vergognandoti

🎵 What I’m listening to (this month’s musical obsessions)

• Ephemeral / What We All Come to Need / Pelican

• Luminance / Creative Eclipses / Cave-In

• Wasting Time / Vhs / Castlebeat

✍️ Random thoughts

Folks, after years of fascination and binge-watching vanlife videos, I’ve decided: I’m renting a van for a weekend to see what it’s really like. I still need to pick the dates but, I swear, this time I’m actually doing it.

See you soon!

Riccardo

Some of the links on this site point to products or books sold by third parties. If you choose to make a purchase through these links, I may earn a commission as an affiliate, at no additional cost to you. This helps support the work I do and allows me to keep providing quality content.

Short story.​

Regarding the Italian language, I’ve always chosen to use it as the main (and essentially only) language for my publications because I believe that, when you share knowledge, it’s right to do it “here and now” for the local community. There isn’t much more to add: I’ve been doing it since 2011 (the year of my very first blog) and I still do it today.​

Now let’s talk about English. I started publishing in English too in 2023, after my first MVP Summit. The idea was to connect somehow with the community outside of Italy as well. It didn’t work out because my main effort was still focused on Italian content: social posts, talks, events, and so on. English was just something extra that I had added in a rush of enthusiasm, but without any solid foundation behind it. After some time, I realized it was a pointless effort that only ate up time and energy. Today on Substack there is an English section with a few selected pieces of content and, above all, AI gives me a big hand with translations, saving me a lot of time. Has anything changed? No, pretty much nothing, apart from the effort I put into translating, which is definitely lower thanks to AI.​

So what? Maybe it’s a bit of a simple and “naively enthusiastic” thought, but every time I come back from an event like the recent Tech Connect 2026 in Seattle, where there are literally people from all over the world... I remember that there is a whole world out there. 😃​

You might think: “Well, no kidding!”. And you’d be right, but sometimes you need to have things right in front of your eyes to really become aware of them.​

So? All of this to say that I have this idea stuck in my head. The problem is that, in terms of effort, focus, time, and so on, I definitely wouldn’t be able to produce content in two languages with the same quality and intensity. Besides my job at Microsoft and the “IT Specialist” project (driven purely by passion and from which I don’t make a single euro), let’s just say I also like to have a life. 😅​

What would a new project in English mean, according to what this idea is suggesting to me? It would definitely mean choosing just one of the two languages, not both.​

And this is where things become extremely difficult.​

I’ll think about it; in the meantime, I wanted to share this doubt that’s been nagging at me.​

Maybe this idea is just the beginning of something new… or maybe it will just go away on its own, like many other late‑night ideas. 😄​

And probably even these kinds of ideas are born around that time.​

But there’s one question that really matters to me: if one day ITSpecialist.News used another language, would that change the way you follow it?​

Having some points of view on this would be important.​

Vote in the poll, and feel free to write to me here or in private to talk about it!​

See you soon,​

Rick

Anyway, moving on: the next big event is Global Azure, you'll find all the details below. As for the rest, you'll find the usual tasty FAQs and plenty of useful official Microsoft resources.

📌 In this issue

• FAQ… but with style: “How can I find the Bundle ID of an iOS app available on the App Store?”

• Microsoft News Radar: updates directly from Microsoft sources.

• Community Picks: the most interesting content created by the community this month.

• Events: Global Azure everywhere, plus the other usual appointments.

• On a personal note: winter restlessness as soon as the days get nicer and warmer.

❓ FAQ… but with style

Question

“How can I find the Bundle ID of an iOS app available on the App Store?”

Answer

It’s not possible to search directly for Bundle IDs within the Apple App Store. However, you can find it by accessing a specific file associated with your app or by using an online method.

If the app is already published on the App Store, proceed as follows:

1. Find the app’s web page on the App Store (for example, by searching for the corresponding link).

   1. Example: Apple Pages, whose URL is https://apps.apple.com/us/app/pages-crea-documenti/id361309726

2. Copy the number following the letters id in the URL. In the example given, the number is 361309726.

3. Open the address https://itunes.apple.com/lookup?id=361309726 in your browser, replacing the number with the one for your app.

4. In the displayed output, look for the bundleId field. In the example, it appears like this: “bundleId”:”com.apple.Pages”. Therefore, the app’s Bundle ID is com.apple.Pages.

📎 Get App Bundle ID - Microsoft Intune

📎 Bundle IDs for iPhone and iPad Apple apps

🛰️ Microsoft Radar

A selection of content directly from Microsoft sources.

• Microsoft Intune

  • What’s New in Microsoft Intune – February

  • Protect browser-based work on agency-managed Windows PCs

  • Admin tasks in Microsoft Intune: Centralized control today, AI-ready for tomorrow

• Windows IT Pro

  • What to know about Windows 11, version 26H1

  • Plan for Windows Server 2016 and Windows 10 2016 LTSB end of support

  • Windows first sign-in restore experience now available

• Microsoft Defender for Endpoint

  • Introducing library management in Microsoft Defender

🌐 Community Picks

The most useful community content I stumbled upon in recent weeks.

• 🔗 Microsoft Intune: dynamic groups with Microsoft Graph and PowerShell
  👤 Simone Termine
  The article explains how to use PowerShell and Microsoft Graph to create custom Dynamic Groups using extensionAttributes. It also includes a demo showing step-by-step how to intervene on Entra, Intune, and PowerShell, as well as how to rollback custom attributes and troubleshooting procedures.

• 🔗 The Unexpected Enrollment: How Personal Windows Home Devices Slipped into Intune and How You Can Finally Block Them
  👤 T-Bone Granheden
  In this piece, T-Bone shows how personal Windows Home PCs still manage to end up in Intune via the “Allow my organization to manage my device” flow when the user adds their work account in apps like Outlook/Teams. He also explains how to plug the hole using the new “Disable MDM enrollment when adding work or school account on Windows” setting, with practical details on the portal, Graph, limits, and impact on BYOD and SSO. It’s very useful if you need to tidy up personal and corporate devices without breaking the user experience.

• 🔗 Intune Administrator Is the New Domain Admin
  👤 James Robinson
  An Intune Administrator can cause damage comparable to a Domain Admin. The article addresses real risks (mass code execution, insecure configurations, loss of segregation of duties) and how to mitigate them with RBAC, scope tags, and MAA.

🎭 Events and Call for Speakers

Community and Microsoft events, plus the main open Call 4 Speakers.

• ⌚ BeConnected Hour
  📅 March 25, 2026 - 💻 Online
  Monthly update on news from the world of Microsoft 365, Teams, MTR, Purview, MDO, and Copilot, together with Luca Vitali, Fabrizio Volpe, and Raffaele Colavecchi.

• 🌐 Global Azure 2026
  📅 April 13, 16-18, 2026 - 💻 Online and/or 🌍 In-person
  Global Azure 2026 returns: special days in April 2026 to experience together the passion for Microsoft Azure through technical sessions, inspiration, and networking. Here is the list of the Italian instances with the relative link to each website, so you can get all the necessary information. The list is partial and I will update it as the websites become available.

  • Global Azure Torino 2026

  • Global Azure Veneto 2026

  • Global Azure Pordenone 2026

  • Global Azure Puglia 2026

  • Global Azure Ticino 2026 (Switzerland)

  • Global Azure Milano 2026

Disclaimer
The events I point out in “Have you tried restarting?” are not an exhaustive list: I share the ones I personally intercept and find useful for the community. If an event is missing, it simply slipped by me or I wasn’t aware of it: if you want to point yours out to me, write me. The publication is for informational purposes and does not imply endorsement, approval, sponsorship, or partnership, unless explicitly stated otherwise.

🎧 On a personal note

Outside the IT world, here is what’s been inspiring me lately.

📖 What I’m reading (books, newsletters, and various things)

• Il patetico spezzone delle papere AI di Sanremo

• Il lento suicidio della Russia in Ucraina

• Sui social non devi essere te stesso

🎵 What I’m listening to (musical fixations of the month)

• Dumb / Nirvana / Nirvana

• Descending / Fear Inoculum / Tool

• Heliotrope / Vaya / At The Drive-In

✍️ Random thoughts

Craving the sun, spring, the sea, craving to be outside the walls of my home and office, craving to travel.

See you soon!

Riccardo

Some of the links on this site point to products or books sold by third parties. If you decide to purchase through these links, I may receive an affiliate commission at no extra cost to you. This supports the work I do and allows me to continue offering quality content.

📰 What do you prefer? Video or article?

A few notes to help you get the most out of this content.

If you prefer to watch the full video, easy: you’ll find it right above in the header.

If you prefer reading, that’s just as easy: keep scrolling here. For each step I’ve embedded the specific video segment, so you’ll only see the screens you care about, without my talking head in the way.

Either way, subscribe to the newsletter to make sure you never miss a new tutorial.

Iscriviti ora

OK, let’s go!

Disclaimer

Before we dive into the actual configuration, a key disclaimer: this policy only works on Supervised devices.
This means devices must be enrolled in Intune via Apple Business Manager (ABM) using an Automatic Device Enrollment (ADE) profile. If you are managing manually enrolled devices or a BYOD scenario, this procedure will have no effect.

With that out of the way, let’s jump into the Intune portal and start “operating”! 😆

Retrieving Bundle IDs for System Apps

To hide an app, Intune needs its Bundle ID, a unique string that identifies the application within the operating system. In this article we’ll focus on two native apps that IT admins often want to remove from users’ view: Freeform and Games.

Fortunately, Apple gives us an official resource. There is an Apple Support page that’s a real gold mine for us admins: it lists all the Bundle IDs of the native apps preinstalled on iOS and iPadOS, ready to be copied.

Here’s the link to the support page:

• ID pacchetto per app Apple per iPhone e iPad

Creating the Policy in Intune

Once you have collected the required IDs, move over to the Microsoft Intune portal to create the actual configuration. To achieve the result, we’ll use an iOS/iPadOS-specific Device Restrictions profile (or alternatively the Settings Catalog).

One small but important technical detail: even though the Intune portal lets you hide apps by simply entering the App Store URL, I personally always prefer to use the Bundle ID.

So let’s go ahead and paste in the strings we gathered in the previous step.

The trick for third‑party app Bundle IDs

We’ve seen how to handle Apple’s native apps, but what if you want to hide a third‑party app (for example a social network or a messaging app)?
In this case Apple does not provide a handy list like it does for system apps. However, there is a very quick “trick” to get the Bundle ID starting from the App Store web page.

The method is to search for the desired app on the web version of the App Store, identify the numeric ID in the page URL, and use it (via a specific query or free online tools) to obtain the exact Bundle ID to add to your policy.

Here is the link where you “append” the app’s numeric code so you can retrieve the text file and extract the Bundle ID (you can see the exact procedure in the video below).

• https://itunes.apple.com/lookup?id=<qui il codice>

Final Result on the Device

After applying the policy and waiting for the device to sync, it’s time to verify the result.
As you can see in the video below, when scrolling through the App Library and the Home Screen on our test iPhone, the Freeform and Games icons have disappeared. It’s important to note that the apps are still technically installed on the system, but they’ve been made completely inaccessible and invisible to the user.

Documentation

For anyone who wants to dig into every single technical detail, below you’ll find what I’d call an absurd amount of documentation (yes, mandatory quote 😆).

• iOS/iPadOS device restrictions in Intune

• iOS/iPadOS Bundle IDs for built-in apps

• iOS/iPadOS supervised mode with Intune

• iOS/iPadOS device feature settings in Intune

• Get App Bundle ID from Intune admin center

Make sure you study it.

Conclusions

We’ve seen how to clean up the interface of our corporate devices by hiding everything that isn’t strictly necessary for day‑to‑day work.

If you found this article useful, subscribe to the ITSpecialist.News newsletter so you don’t miss upcoming deep dives into the Microsoft Enterprise world.

See you next time!

Rick

As soon as I’ve decided how to plan this “spring season” of events, you’ll of course hear about it here. I hope to see you there and, as always, happy reading!

Rick

📌 In this issue

• FAQ… with style: “When an Intune admin is limited by a specific scope tag and reviews Endpoint Privilege Management elevation requests, what do they see? Only requests within their scope tag or all tenant requests?”

• Microsoft News Radar: updates straight from official Microsoft sources.

• Community Picks: the most interesting community content from this month.

• Events: things are starting to move again for the upcoming event season.

• On a personal note: I’m a Seattleite.

❓ FAQ… with style

Question

“When an Intune admin is limited by a specific scope tag and reviews Endpoint Privilege Management elevation requests, what do they see? Only requests within their scope tag or all tenant requests?”

Answer

With the update released in the week of November 10, 2025 (Service Release 2511), Microsoft implemented scope tag enforcement for Endpoint Privilege Management elevation requests.

Before this update

Admins with permissions to manage elevation requests could see all tenant requests, regardless of the scope tags assigned.

After the update

Scope tag enforcement is now active: admins can view and manage only the requests related to devices and users that fall within the scope of their assigned scope tag. This change helps maintain administrative boundaries and strengthens security by aligning Endpoint Privilege Management with Zero Trust principles and reducing unnecessary visibility into devices and users outside their area of responsibility.

In short: if an admin is assigned the “Italy” scope tag, they will only see elevation requests coming from devices and users tagged with “Italy”, ensuring more granular and secure permission management.

As always, I’ll leave you with the comfort of the official documentation for further reading.

📎 Scope tag enforcement for Endpoint Privilege Management elevation requests

📎 About support approved elevations

📎 What’s new in Microsoft Intune: December 2025

📎 Use role-based access control (RBAC) and scope tags for distributed IT

🛰️ Microsoft Radar

A selection of content directly from official Microsoft sources: tons of new features were announced at Ignite.

• Microsoft Intune

  • What's new in Microsoft Intune

  • Microsoft Intune - Important Notices

  • Microsoft Intune servicing information and details

• Windows IT Pro

  • Announcing hardware-accelerated BitLocker

  • Windows news you can use: December 2025

  • Windows skilling snacks: bite-sized learning for IT pros

• Microsoft Entra

  • Road to the cloud - Case studies to reduce your dependency on traditional on-premises Active Directory services - Microsoft Entra

🌐 Community Picks

The most useful community content I’ve come across over the past few weeks.

• 🔗 Active Directory: le best practice da seguire
  👤 Silvio Di Benedetto
  A practical guide to making Active Directory resilient: least‑privilege access, clear role separation, a well‑disciplined Tier Model, local passwords managed with LAPS, and thoughtful KRBTGT key rotation. It’s well worth reading because it provides concrete criteria to prevent compromise and strengthen your entire infrastructure.
  

• 🔗 Come utilizzare uno script PowerShell come installer type per le app Win32 in Microsoft Intune
  👤 Simone Termine
  The article explains a new feature from January 2026: how to use PowerShell as an “installer type” to handle prerequisites, logging and post-config, without repackaging .intunewin every time. It includes examples and practical tips on detection, return codes and troubleshooting.
  

• 🔗 Automated Windows Autopilot Weekly Reporting with Azure Logic Apps 📊
  👤 Simone Colella
  How to automate a weekly Windows Autopilot report with Azure Logic Apps and Microsoft Graph, sending the Service Desk emails with KPIs and detailed CSVs. It’s interesting because it turns raw logs into ready-to-use metrics, enabling proactive monitoring, failure analysis and optimization of Autopilot deployments.
  

🎭 Events and Call for Speaker

Community and Microsoft events, plus the main open Calls for Speakers.

• 🌐 Global Azure 2026
  📅 13, 16-18 April 2026 - 💻 Online e/o 🌍 In presence
  Global Azure 2026 is back: special days in April 2026 to share a passion for Microsoft Azure through technical sessions, inspiration and networking. Here’s a list of the Italian events with links to their websites so you can find all the details you need. The list is partial and I’ll update it as new sites go live.

  • Global Azure Torino 2026

  • Global Azure Veneto 2026

  • Global Azure Puglia 2026

Even though there’s still some time to go (the event will take place in April), most of the Calls for Speakers are already closed. Below are the ones still open as of today (11 February 2026).

• 🌐 Call for Speaker: Global Azure Pordenone 2026

Disclaimer

The events I feature in “Have you tried restarting?” are not meant to be a complete list: I share the ones I personally come across and consider useful for the community. If an event is missing, it simply slipped past me or I wasn’t aware of it; if you’d like to highlight yours, just reach out. Publication is for informational purposes only and does not imply endorsement, approval, sponsorship or partnership, unless explicitly stated otherwise.

🎧 On a personal note

Outside the IT world, here’s what’s been inspiring me lately.

📖 What I’m reading (books, newsletters)

Books

• This month, no books on my list yet, but I’m on the hunt for inspiration—if you have any recommendations, I’m all ears!

Newsletter

• Crans Montana e il gioco dei 26 Cantoni / Daniela Amenta

• Fatturi, fai utili e fallisci lo stesso / Frank Merenda

• French -Touch! / Mattia Ravanelli

🎵 What I’m listening to (this month’s earworms).

• ‎Ex Lion Tamer / Pink Flag / Wire

• Stay / Diving For A Prize / Sea Lemon

• Crystals (feat. Benjamin Gibbard) / Diving For A prize / Sea Lemon

✍️ Scattered thoughts.

Seattle here we go! This month I’ll be visiting Seattle, a city I’m returning to for the fourth time: at this point I can almost call myself a “Seattleite” and I’m really starting to grow fond of the place. A little trip to break up the routine (which has been exactly the same for the past few months) was just what I needed.

See you soon!

Riccardo

Some of the links on this site point to products or books sold by third parties. If you decide to purchase through these links, I may earn a commission as an affiliate, at no additional cost to you. This supports the work I do and allows me to keep offering quality content.

📰 Video or article? What do you prefer?

Some notes to make the most of this content.

If you prefer watching the full video, easy: find it above in the header.

If you prefer reading, also easy: keep reading here. For each step, I’ve inserted the specific video clip, so you’ll only see the screens that interest you, without my face talking.

Either way, subscribe to the newsletter to make sure you don’t miss any new tutorial releases.

Iscriviti ora

Perfect, let’s get started!

What are preinstalled apps?

When talking about “preinstalled apps,” we mean the Microsoft Store in-box apps that Windows 11 provides by default (those you already find ready in Start and the Installed apps list).

They’re convenient in consumer scenarios, but in enterprise environments they’re often just noise: they increase user confusion, generate avoidable tickets, and complicate base image standardization.

Approach

The approach is: create a configuration profile in Intune’s Settings Catalog, enable “Remove default Microsoft Store packages from the system,” and set to True the apps you want to remove.

Enforcement happens during specific events like OOBE/provisioning or user sign-in after upgrade/policy update, so it’s normal not to see “instant” results.

Requirements

To use the RemoveDefaultMicrosoftStorePackages setting, you need precise OS/edition prerequisites:

• The feature is designed for Windows 11 Enterprise/Education

• Requires Windows 11 version 25H2 (or later)

• The PC must be managed by Microsoft Intune

• Does not support multi-session environments

Important note 1: not a “universal” anti-bloatware

With this configuration, you remove only the Microsoft “in-box” default apps listed in the policy, not any third-party bloatware (OEM, trials, “exotic” stuff).

For those, continue using custom scripts (PowerShell) or Remediations/Proactive Remediations via Intune, as per tradition.

Important note 2: policy application timing and scenarios

The policy activates in specific situations, so if you expect apps to disappear instantly on an existing machine with an already-created user profile, listen carefully to what I’m about to say.

Here are the situations where the policy activates:

• Out-of-box experience (OOBE)

• User login after an OS upgrade

• User login after a policy change

This means removal is guaranteed on new user profiles created on the machine after policy application, while for existing ones, you need at least logoff-logon a few hours after policy creation.

Perfect, now we’re ready to start!

Initial situation verification

Before touching Intune, it’s best to check the “out of the box” situation: standard Windows 11 PC with default apps present, so you have a clean and measurable before/after.

You can do this verification from Settings → Apps → Installed apps (or searching “Xbox,” “Camera,” etc. in Start).

Removal configuration

In Microsoft Intune admin center, create a Configuration profile for “Windows 10 and later” using “Settings catalog,” then search for the setting Remove default Microsoft Store packages from the system.

If you want to navigate the tree manually, find everything under the node:

Administrative Templates → Windows Components → App Package Deployment

Policy application verification

Now log into a machine targeted by our policy and verify that the selected apps are no longer installed.

Microsoft describes policy application in scenarios like OOBE/provisioning and sign-in after upgrade or policy update, so correct verification timing is crucial.

For an “admin” verification, you can also check that the policy has written the registry keys in HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\RemoveDefaultMicrosoftStorePackages.

Deep dives (generous like extra pounds)

Here’s the usual dump of official Microsoft documentation (yes: it needs to be STUDIED).

• Policy-based in-box app removal (Microsoft Learn)

• Windows IT Pro official blog

Conclusions

Finally, a supported and “clean” method to manage default apps on Windows 11 Enterprise/Education without relying solely on scripts that eventually bill you during Autopilot or after an upgrade!

If you liked the article, leave a like, reshare everywhere on your favorite socials, and subscribe to the ITSpecialist.News newsletter: it’s the best way not to miss practical guides on Intune, Windows, and security.

See you in the next video! Talk soon… LEGENDARY!

Rick

If you’d like to chat about it, just reply to this email with your feedback on the newsletter: I read and respond to everyone!

Perfect, let’s begin!

📌 In this issue

• FAQ... but with style: “In my environment I have Azure Virtual Desktop machines in multi-session mode, managed with Intune. Some policies I created on these machines don’t work. Why? Are there any limitations on the types of policies and settings applicable to AVD multi-session session hosts?”

• Microsoft News Radar: news directly from Microsoft sources.

• Community Picks: community creators never stop, not even during the holiday season: fortunately they’re there.

• Events: new year, new events, new calls for speakers!

• On a personal note: the keyword is...

❓ FAQ... but with style

Question

“In my environment I have Azure Virtual Desktop machines in multi-session mode, managed with Intune. Some policies I created on these machines don’t work. Why? Are there any limitations on the types of policies and settings applicable to AVD multi-session session hosts?”

Answer

Yes, and what you’re experiencing is completely normal. Intune has limitations when it comes to managing multi-session AVD hosts. Not all settings and policies that work perfectly on traditional desktop endpoints are supported on Windows Enterprise multi-session.

The specific limitations

Microsoft officially supports multi-session in Intune, but only a few configuration templates are truly supported: trusted certificates (Trusted, SCEP, PKCS) and VPN (Device Tunnel only). All other traditional templates are not supported and will appear as “Not applicable” in your compliance reports.

The device vs. user constraint

There’s a critical aspect that many don’t know: while on a classic endpoint this wouldn’t be a problem, on AVD multi-session device-level configurations cannot be assigned to users, and vice versa. In a multi-session environment, where dozens of users access the same physical host, most policies must be assigned at the device level through device groups. If you assign a policy to a user thinking it will work, you’ll get errors.

Okay, so how do you know which settings will work?

Few people know this simple trick: start filtering the Settings Catalog using “OS edition = Enterprise multi-session” to display only the configurations actually supported.

After applying the filter, the available settings will be those truly compatible with AVD multi-session.

Then assign all policies at the device level, not to users. And most importantly, always test your configurations by checking compliance reports: if a policy shows “Not applicable”, it’s because it’s not supported on multi-session.

As always, I’ll leave you with the comfort of official documentation for further insights.

📎 Using Azure Virtual Desktop multi-session with Microsoft Intune

📎 Assign device profiles in Microsoft Intune

🛰️ Microsoft Radar

A selection of content directly from Microsoft sources: lots of news announced at Ignite.

• Microsoft Intune

  • What’s new in Microsoft Intune: December 2025

• Microsoft Defender for Endpoint

  • Sensor Disconnection Notifications with Microsoft Defender for IoT and Microsoft Sentinel

• Surface IT Pro

  • Improved address management in service orders on Surface Portals

• Microsoft Entra

  • Securing the AI era starts with identity

• Microsoft 365 copilot

  • New capabilities for AI admins from Ignite 2025

🌐 Community Picks

The most useful community content I’ve come across in these weeks.

• 🔗 Surface Management Portal: complete technical analysis for IT Administrator
  👤 Francesco Cantoni
  An article that explores the Surface Management Portal in depth in Intune, illustrating its functions, advantages, limitations and ideal scenarios for enterprise Surface management.
  

• 🔗 Windows Admin Center v2511

  👤 Silvio Di Benedetto
  The article presents the news in Windows Admin Center v2511, including high availability, advanced security for Windows Server 2025 and migration tools from VMware to Hyper-V, offering practical insights for modernizing infrastructure management, auditing and automation.

• 🔗 Updated My Script To “Cleanup Entra ID Devices”, Faster and better logging👤 Mr T-Bone
  The updated version of a very useful PowerShell script for cleaning up obsolete devices on Entra: faster, more robust, with advanced logging/reporting. Useful for security, accurate inventory and automation.

🎭 Events and Call for Speakers

Community and Microsoft events, plus the main open Call 4 Speakers. Here’s my selection.

• 🔋 #POWERCON2026

  📅 January 23, 2026 - 💻 Online

  POWERCON2026 is a free online event that brings together innovation, security and modern IT governance, with concrete technical sessions on cloud, AI, Microsoft 365 and hybrid infrastructures, led by top experts and MVPs, with full recordings available.
  

• ⌚ Be Connected Hour

  📅 January 30, 2026 - 💻 Online

  Monthly update on news from the Microsoft 365, Teams, MTR, Purview, MDO, Copilot world, together with Luca Vitali, Fabrizio Volpe, Raffaele Colavecchi.
  

• 🌐 Global Azure 2026

  📅 April 13, 16-18, 2026 - 💻 Online and/or 🌍 In person

  Global Azure 2026 returns: special days in April 2026 to share the passion for Microsoft Azure together through technical sessions, inspiration and networking.

Since Global Azure will be in April (there’s still time) and there are several Italian instances, more than the event itself I’d like to highlight the calls for speakers. Here they are.

• 🌐 Call for Speaker: Global Azure Torino 2026

• 🌐 Call for Speaker: Global Azure Pordenone 2026

• 🌐 Call for Speaker: Global Azure Veneto 2026

• 🌐 Call for Speaker: Global Azure Milano 2026

I’m certain that there will also be an instance in Italian at Lugano (Switzerland) but, at the time I’m writing this newsletter issue, the C4S is not yet available. You’ll definitely find it in the next February issue!

Disclaimer

The events I highlight in “Have you tried restarting?” do not constitute a complete list: I share the ones I personally pick up and that I think are useful to the community. If an event is missing, I simply missed it or didn’t become aware of it: if you want to let me know about yours, write to me. Publication is for informational purposes only and does not imply endorsement, approval, sponsorship or partnership unless explicitly stated otherwise.

🎧 On a personal note

Outside the IT world, here’s what’s been inspiring me lately.

📖 What I’m reading (books, newsletters and more)

Books

• The Scortese Method: A contrarian guide to making it in everyday life (Ilaria Albano / Solferino Publisher)

Newsletters

• Barron’s Top 10 Stocks for 2026

• Il 2026 sarà l’anno dei porno

• What remains if no one is watching you

🎵 What I’m listening to (monthly musical monkeys)

• Plimsoll Punks / Artist: Alvvays / Album: Antisocialities

• Believe / Artist: Staind / Album The Illusion of Progress

• Zelda / Artist: TOLEDO / EP: Inertia

✍️ Random thoughts

I expected different holiday vacations: more active, less “lazy” and during which I could re-knot some things left hanging, resume habits frozen after a decidedly strange and exceptional period. Instead, they were decidedly “lazy”, perhaps too much. The keyword now is “shock”.

See you soon!

Riccardo

Some of the links on this site redirect to products or books sold by third parties. If you decide to purchase through these links, I may receive a commission as an affiliate, at no additional cost to you. This supports the work I do and allows me to continue to provide quality content.

What Does “Reducing AD” Mean?

In the Microsoft document (you’ll find the link at the end of the article), the concept refers to reducing reliance on traditional AD services (domain join, GPO, infrastructure, and operational overhead) by shifting identity and device management toward the cloud.
The stated benefits are clear: lower infrastructure costs, modern security (e.g., Conditional Access), improved user experience, and simpler, centralized management.

Do You Have to Go Full Cloud?

No: case studies show different paths, and that’s the interesting part.
Practical example: you can start with devices (provisioning and management) without “turning off AD tomorrow morning,” and even that significantly reduces domain dependency.

3 Practical Insights from Case Studies

1. Chugai Pharmaceutical: transition from domain-joined devices to cloud-managed endpoints, using Windows Autopilot for “cloud-first” provisioning.

2. NTT Communications: evolution from hybrid to “100% cloud” device management with Microsoft Intune, reducing AD dependencies and simplifying operations.

3. We Are Era: on-prem AD decommissioning with a focus on modern authentication and Zero Trust principles, including integration between cloud identities and on-prem resources where necessary.

Want to Learn More?

Here’s the full article 👉🏻 Active Directory Minimization Case Studies

I’m heading into 2026 knowing I’ll definitely simplify my online presence even more, and I’ll also cut back on events (without disappearing altogether). In the meantime, there’s still plenty to read over the holidays this month, especially after Microsoft Ignite 2025!

But you know what? Put this issue aside. Just send me a quick Christmas hello by replying to this email (if you feel like it), and then go do something else entirely. You can always catch up later, the holiday break is meant to be enjoyed.

No long speech: whatever your take is on the holidays (and everything that comes with them), I simply hope they’re a good one and that you get to enjoy them at your best. See you in 2026! Byyyyyye!

📌 In this issue

• FAQ… but make it stylish: “What’s this about Intune Suite now being included with Microsoft 365 licenses? 😱”

• Microsoft News Radar: post-Ignite 2025 updates straight from Microsoft sources.

• Community Picks: I haven’t been very active on LinkedIn lately, but the hunt for great community content never stopped. Here’s a selection of the most interesting finds this month.

• Events: yep, after WPC we’re not slowing down, and the events keep coming, with a techy Christmas twist!

• On a personal note: a year that… honestly, I don’t even know.

❓ FAQ… with style

Question

“What’s this about Intune Suite now being included with Microsoft 365 licenses? 😱”

Answer

In early December, Lior Bela (Director @ Microsoft Intune) dropped a bomb on LinkedIn one evening.

All Microsoft Intune Suite capabilities will be included and redistributed within EMS E3, Microsoft 365 E3, and E5.

All hell broke loose.

“What do you mean? When? Which features go into E3 and which into E5? TELL ME RIGHT NOW… AAAARGHHHH”

Let’s bring some order with a Q&A on the key points.

Which Intune features are included in the different Microsoft 365 plans?

The answer is in the table in the image.

What does Intune Plan 2 include?

The Intune Plan 2 features, included in EMS E3, include:

• Microsoft Tunnel for Mobile Application Management (MAM): provides secure VPN connectivity for individual apps, enabling access to corporate resources without requiring full device enrollment.

• Specialty device management: helps secure specialized devices such as AR/VR headsets, smart displays, and meeting room systems.

• Firmware over-the-air (FOTA) updates: firmware updates for supported Zebra devices.

When will these changes take effect?

A common question is, of course, about timing. The changes will take effect in 2026, and the process will be largely automatic:

• All eligible tenants with Enterprise Mobility and Security E3 and Microsoft 365 E5 will automatically receive provisioning of Intune Suite capabilities.

• Microsoft will notify administrators of eligible organizations 30 days before the change is applied via the Microsoft 365 admin center.

• There’s no need to change plans to take advantage of these new capabilities.

As always, here are some verifiable sources where you can dive deeper into your licensing considerations.

📎 Microsoft 365 adds advanced Microsoft Intune solutions at scale

🛰️ Microsoft Radar

A selection of content straight from Microsoft sources: a ton of new announcements from Ignite.

• Microsoft Ignite 2025 Book of News

• Microsoft Intune

  • What’s new in Microsoft Intune at Ignite

  • What’s new in Microsoft Intune

  • Debunking the myth: Cloud-native Windows devices and access to on-premises resources

  • Essential Intune reading list: MVP community content for 2025

• Windows IT Pro

  • Experience next-gen productivity with Windows 365 AI-enabled Cloud PCs

  • Windows 365 and Azure Virtual Desktop support external identities, now generally available

• Microsoft Entra

  • ICYMI: Watch replays of Microsoft Entra sessions at Microsoft Ignite 2025

🌐 Community Picks

he most useful community content I came across over the past few weeks.

• 🔗 Intune and Secure Boot Certificate Updates: What You Must Fix Before the 2026 Expiry
  👤 Florian Salzmann
  How to manage Secure Boot certificate updates on devices managed with Microsoft Intune, with practical guidance to keep Windows systems secure. A hands-on approach to avoid issues in June 2026.

• 🔗 Windows Backup for Organizations: a modern approach with Microsoft Intune
  👤 Nicky De Westelinck
  This article explains how to use Windows Backup for Organizations with Microsoft Intune to protect and easily restore settings and Microsoft Store apps on Windows 11 devices, simplifying IT management and improving the user experience in case of a reset or device replacement.
  

• 🔗 Troubleshoot configured Defender AV settings with effective settings in Defender
  👤 Jeffrey Appel
  This article explains how to use the Effective Settings feature in Microsoft Defender to analyze which Defender AV antivirus configurations are actually applied on devices when policies come from multiple sources (Intune, GPO, MECM, scripts, etc.), helping identify conflicts that can disable or weaken protection.

🎭 Events and Call for Speaker

Eventi di community e Microsoft, oltre alle principali Call 4 Speaker aperte.

• ⌚ Be Connected Hour
  📅 19 December 2025 - 💻 Online
  Monthly update on what’s new across Microsoft 365, Teams, MTR, Purview, MDO, and Copilot, together with Luca Vitali, Fabrizio Volpe, and Raffaele Colavecchi.
  

• 🎅🏻 Santa Cloud Day
  📅 20 December 2025 - 🌍 Meetup (Lecce)
  A day dedicated to Generative AI, Cloud, and Security, organized together with Global AI Lecce, plus talks, hands-on demos, and plenty of networking among enthusiasts and industry professionals.

🎧 On a personal note

Outside the IT world, here’s what’s been inspiring me lately.

📖 What I’m reading (books, newsletters)

• Books

  • Sommersi: Resistere nellʼera delle notifiche e dellʼinfodemia social / Mattia Marangon / Apogeo

🎵 What I’m Listening To (my musical obsessions)

• ‎Smash (Remastered) / The Offspring

• Gimme / Artist: Hazel English / Singolo: Gimme

• Breakdown / Artist: Sea Lemon / Album: Stop at Nothing - EP
  (this one in particular has been obsessing me)

✍️ Random Thoughts

I’m not usually one to have thoughts like this, but 2025 is a year I’m more than happy to file away and move on from. Even so, I’ve got a feeling that 2026 will mean rolling up our sleeves to tackle a few things.

See you soon!

Riccardo

Some links on this site point to products or books sold by third parties. If you choose to purchase through these links, I may earn an affiliate commission at no additional cost to you. This supports the work I do and helps me continue to provide high-quality content.

📰 What’s your preference? Video or article?

A few notes to help you get the most out of this content:

• If you prefer watching the full video, easy: you’ll find it right above in the header.

• If you prefer reading, also easy: just keep scrolling. For each section, I’ve included the relevant video snippet so you’ll only see the screens that matter — no talking head in the way.

Iscriviti ora

Either way, make sure to subscribe to the newsletter so you won’t miss any future tutorials.

Let’s get started!

What are Device Cleanup Rules?

Device Cleanup Rules let you hide devices from the Intune console if they haven’t checked in for a certain number of days.
They’re not deleted, just removed from view, helping you avoid an endless list of zombie devices.

This feature is essential for:

• Keeping the console tidy

• Improving readability and manageability

• Reducing noise in reports and policies

Two things to know before using them

1. Devices can reappear

If a device was hidden due to inactivity but is turned back on and still has a valid Intune management certificate, it will reappear in the console.
So this isn’t permanent cleanup, it’s more like temporary archiving.

2. Cleanup applies only to Intune, not Entra

Device Cleanup Rules only affect Intune. If you want to keep Entra ID clean as well, you’ll need to implement a separate cleanup flow.

Here’s what to do:

• For Entra Joined devices: check the ApproximateLastSignInDateTime attribute

• For Hybrid Joined devices: clean up in Active Directory by deleting stale computer objects or moving them to an OU that’s not synced with Entra Connect

How to configure Device Cleanup Rules

You can set up these rules from the Intune portal and even differentiate them by platform (Windows, iOS, Android, macOS).
This is handy if you have different policies for mobile and desktop devices.

How to check the Intune management certificate expiration

There are two ways to verify if a device still has a valid certificate:

1. On the client

You can check the certificate directly on the device.

2. In the Intune portal

In the device’s section of the Intune portal, you’ll find the certificate expiration date.

Useful documentation

For those who want to dig deeper, here’s a selection of official resources and helpful scripts:

• Automatically Hide Devices With Cleanup Rules

• How to manage stale devices in Microsoft Entra ID

Conclusion

Cleaning up your tenant isn’t just about aesthetics, it’s a solid governance practice.
Intune’s Device Cleanup Rules are a great starting point, but remember: Entra and AD need separate management.

Thanks for reading all the way through!
If you found this helpful, share the article and subscribe to the ITSpecialist.News newsletter so you won’t miss future updates.

Until next time, and keep those tenants clean 💪

Riccardo

🛠️ Enabling Remote Help on the Tenant

Let’s start with the first step: enabling Remote Help in the Intune tenant. This is necessary to make the feature available globally.

📦 Deploying the Remote Help App

Download the Remote Help PKG app from the following URL:

https://aka.ms/downloadremotehelpmacos

Then upload it to Intune to deploy it to macOS devices.
This is a Managed PKG! If you’re not sure what the difference is between Managed and Unmanaged PKGs, no worries, I’ve included the usual bucketload of documentation at the end of the article or in the description. 😊

👥 Required Permissions for Help Desk Operators

Anyone providing support must have the correct permissions.
The Help Desk Operators role in Intune is sufficient to use Remote Help.

✅ Requirements for a Smooth macOS Experience

To avoid issues during support sessions, the Mac must have:

• Enterprise SSO configured (even better if using Platform SSO).
  If you want to see how to configure PSSO, check out my video linked in this article.

• Company Portal open and user signed in

🔐 Configuring Accessibility and Screen Capture Permissions

Create an Intune policy to configure Accessibility and Screen Capture permissions.

⚠️ Important: Screen Capture still needs to be manually authorized by the user, as macOS doesn’t allow MDM to force the “Allow” setting.
With Intune, the best we can do is allow even standard users to change this permission, no admin rights required.

💻 Verifying Permissions on macOS

Launch the Remote Help app on macOS and check that permissions are correctly set.
The user will only see the manual prompt for screen capture.

👩🏻‍💻 User Experience (IT Specialist and End User)

With some incredible special effects (I definitely need to improve my video editing skills) 😊 we’ll explore the user experience from both perspectives: the support provider and the end user.

In full screen, I’ve shown your experience as the IT Specialist providing support.
In a small overlay at the bottom right, I’ve also recorded what’s happening simultaneously on the end user’s side, so you can fully understand the experience from both points of view.

📄 Attached Documentation

Here are some useful links to dive deeper into Remote Help and macOS permissions management.
As always, freshly baked and delightfully crisp documentation:

• Use Remote Help to Assist Users Authenticated by your Organization

• Plan for Remote Help with Microsoft Intune

• Deploy Remote Help with Microsoft Intune

• Using Remote Help on Windows to Assist Authenticated Users

• Troubleshoot and monitor Remote Help for Microsoft Intune

• How to Add macOS Line-of-Business Apps to Microsoft Intune

• Add an Unmanaged macOS PKG App to Microsoft Intune

📩 Conclusion

Awesome! Remote Help is now correctly configured on macOS via Intune.
Thanks for sticking with me this far!
If you found this video helpful, subscribe to my newsletter at ITSpecialist.News to stay up to date on all things Microsoft Intune, Entra, and Security.

To you and all IT Specialists, see you soon… you legends!

Riccardo

Let’s start with AperiTeams Conference: it took place on October 8, 2025, and I was there as a speaker. It’s always fun to attend and a great opportunity to chat with other speakers and, most importantly, to connect with the people who actually use the technologies we talk about: our customers.

I owe a double thank-you to Silvio Di Benedetto and Irene Bugatti: the first “thank you” is for inviting me and trusting me, the second because, unintentionally, I… “stole” something. Yes, really… let me explain. 😆

When I started this newsletter, I already had in mind that, editorially, there would be two sections: a technical video tutorial and a more “chatty” column, the one you’re reading now: “Have you tried restarting?” Back then, though, I hadn’t decided on the title yet, so I posted a poll on LinkedIn with several options.

One of those options was exactly “Have you tried restarting?” The rest is history. Too bad that… deep in the dark corners of Silvio and Irene’s data centers, without us talking to each other, they were also planning a column with the same title. 😅

How did it end? With a few (joking) curses from Silvio and Irene and an awesome T-shirt! 👇🏻

Thanks again and see you at the next AperiTeams! I owe you the title of a column. 😜

Now let’s talk about WPC 2025! This year, besides being a speaker, I’ll also be the agenda lead for the Security & Compliance and Infrastructure & Devices tracks. What does that mean? It means I helped Overnet select the sessions and speakers for WPC. I still can’t believe it: a few years ago I almost “envied” (constructively, of course 😅) those who stepped on that stage and thought I’d never make it there. Today, in 2025, I’ve been speaking at WPC for some time, and this year I even contributed a little during the planning phase. I’m thrilled and super happy. This WPC will be special! Thanks to Overnet and Michele Sensalari for the trust and the opportunity. 🙏🏻
You’ll find all the WPC details later in this email, including the full agenda and my session.

Thanks and talk soon!

📌 In this issue

• FAQ… with style: “I’ve set up an Intune remediation to run every day at 2:00 PM. Today is November 5, and when I created and assigned the remediation it was 5:00 PM. When will the first execution happen? Today, November 5, right after the client receives the policy, or tomorrow, November 6 at 2:00 PM?”

• Microsoft News Radar: updates straight from Microsoft sources.

• Community Picks: the best content from the IT Specialist community in Italy and beyond. This month, a special mention for the AperiTeams Conference held on October 8, 2025.

• Events: I’ll just say… WPC 2025! The Italian event dedicated to Microsoft technologies. Less than a month to go…

• On a personal note: cats named after Star Wars princesses.

❓ FAQ… with style

Question

“I’ve set up an Intune remediation to run every day at 2:00 PM. Today is November 5, and when I created and assigned the remediation it was 5:00 PM. When will the first execution happen? Today, November 5, right after the client receives the policy, or tomorrow, November 6 at 2:00 PM?”

Answer

This is one of those real-world cases where I thought I knew how a feature behaved. Turns out… I didn’t.

Logic suggests that if I create and assign a remediation at 5:00 PM on November 5 to run daily at 2:00 PM, the first execution should happen on November 6 at 2:00 PM. But no.

Here’s the actual behavior:

• Once created and assigned, the remediation policy “lands” on the client as soon as it checks in with Intune.

• As soon as the policy is received, the detection runs immediately for the first time, regardless of the scheduled time.

• The usual mechanism doesn’t change: if exit = 1, remediation is triggered; otherwise, nothing happens.

• Future executions will follow the schedule set in the portal. So, in our case, the second run will actually happen on November 6 at 2:00 PM.

Here’s an example: a remediation created and assigned in my lab on October 16 in the late afternoon (around 5:45 PM), definitely after 2:00 PM. The policy is clear: I want it to run daily at 2:00 PM.

The test detection I wrote was designed to trigger the remediation. The remediation was supposed to write a text file to C:\.

My expectation was that no file would be written until October 17 at 2:00 PM.

And yet… the image speaks for itself: the remediation ran on October 16, 2025, at 6:25 PM.

So, detection and remediation were executed immediately upon policy receipt, regardless of the fact that I had set 2:00 PM.

The moral of the story? If you plan remediations, remember that the first execution will always happen as soon as the policy is received. Subsequent runs will follow the schedule you set, whether that’s “once every hour” or at a specific time.

As I mentioned, this behavior isn’t documented, but if you want to dive deeper into Intune remediations, here are the usual links that survived Halloween night, plus a few examples! 🎃

📎 Use Remediations to Detect and Fix Support Issues - Microsoft Intune

📎 PowerShell Scripts for Remediations - Microsoft Intune

🛰️ Microsoft Radar

Top picks from official Microsoft sources.

• Microsoft Intune

  • What’s new in Microsoft Intune - Microsoft Intune | Microsoft Learn

  • Microsoft Intune Advanced Analytics in action: Real-world scenarios for IT teams

  • Deep dive into Windows Autopilot device preparation: How to deploy and when to use it

• Windows IT Pro

  • An IT pro’s guide to Windows 11, version 25H2

  • Windows 10 Extended Security Updates for Windows 365

  • Hotpatch efficiency unlocked: Smaller update size

• Microsoft Entra

  • Learn about the latest features and change announcements across Microsoft Entra

  • The Conditional Access Optimization Agent keeps getting better—and making your life easier

🌐 Community Picks

The most useful community content I’ve come across in recent weeks. This month, a special mention goes to the resources from AperiTeams Conference, the event organized by Inside Technologies for CIOs, IT Managers, and decision makers, where key IT topics are explored: Cloud, Security, Modern Work, and Infrastructure.

• 🔗 AperiTeams Conference - Security Day 2025
  👤 Silvio Di Benedetto, Vito Francavilla, Michele Sensalari, Simone Frigerio, Mario Serra, Nino Crudele, Francesco Castano
  The full playlist of all conference sessions: the main theme of the day was Identity and its security. Tons of must-watch content and, best of all, it’s free.
  

• 🔗 Getting Windows Kiosks to work in Intune whilst avoiding InPrivate browsing
  👤 Andrew Taylor
  A practical guide to configuring Windows Kiosks in Intune while avoiding InPrivate mode, which causes issues with conditional access policies.
  

• 🔗 Balancing Control and Convenience: Preventing Edge Password Sync on Unmanaged Devices
  👤 Kenneth van Surksum
  This guide explains how to block password sync in Microsoft Edge on unmanaged devices, protecting corporate data. Perfect for those looking to balance security and convenience in browser management.

🎭 Events and Call for Speaker

Eventi di community e Microsoft, oltre alle principali Call 4 Speaker aperte.

• ⌚ Be Connected Hour
  📅 28 November 2025 - 💻 Online
  Monthly update on what’s new in Microsoft 365, Teams, MTR, Purview, MDO, and Copilot, together with Luca Vitali, Fabrizio Volpe, and Raffaele Colavecchi.
  

• 🔴 WPC 2025 - 30a edizione
  📅 2, 3, 4 December 2025 - 🌍 On site
  WPC is Italy’s #1 ICT conference dedicated to Microsoft technologies, featuring over 100 brand-new technical sessions. It brings together MVPs, experts, and decision makers for three days of training, networking, and innovation. A must-attend event to stay up to date, exchange ideas, and bring new solutions to your team. Spoiler: I’ll be there with my own session!

All the details about my session: what, where, when.

🧑🏻‍💻 Windows Autopilot Device Preparation: provisioning cloud‑ready… in every sense
With Windows Autopilot Device Preparation, provisioning becomes truly cloud-ready. After covering prerequisites and comparing it with Autopilot v1, we’ll dive into practice: configuring Device Preparation, optimizing Microsoft 365 app deployment, various script-based automations, creating Intune profiles for physical PCs and (plot twist!) Windows 365 Frontline Cloud PCs. As promised… cloud in every sense!

📅 Tuesday December 2 at 12:00 PM
📍 NH Milano Congress Centre - Assago (MI)
⚫ Black Room

📑 Here’s the full WPC agenda with all sessions and speakers.

🎧 On a personal note

Beyond Tech: what’s inspiring me right now.

📖 What I’m Reading (Books, Newsletters & More)

I’ve realized that a good part of the time I dedicate to reading is spent on newsletters as well as books. So, why not share some interesting newsletters too?

• Newsletter

  • Non siate coerenti - by Carmela Giglio - OraBuca

  • Come Schiantare 130 Milioni Vendendo Occhiali di Velluto: Il Capolavoro Involontario di Lapo Elkann

  • Studia tutto, tranne l’AI. - by Mizio Ratti

• Books

  • No books this month, even though I already have a few in my sights. If you have any suggestions, reply to this email with your recommendation! 😉

🎵 What I’m Listening To (a.k.a. This Month’s Musical Obsessions)

• ‎Tennis / Artist: CASTLEBEAT / Album: Vhs

• Calgary / Artist: Hazel English / Singolo: Calgary

• Tenderness / Artist: Jay Som / Album: Anak Ko

✍️ Random Thoughts

Soft and purring news: a little furry princess named Padmé has joined our home. The Force is strong with her, and we’re already head over heels in love. 🤩 Plus, she seems to have a certain IT Specialist vibe… 😄

Talk to tou soon!

Riccardo

Some of the links on this site point to products or books sold by third parties. If you decide to purchase through these links, I may earn a commission as an affiliate, at no additional cost to you. This helps support the work I do and allows me to keep providing quality content.

📰 What do you prefer? Video or article?

Some notes to make the most of this content.

If you prefer to watch the full video, easy: you’ll find it right above in the header.

If you prefer reading, that’s easy too: just keep going here. For each step I’ve included the specific video snippet, so you’ll only see the screens that matter, without my face talking.

In any case, subscribe to the newsletter to make sure you don’t miss any new tutorials.

Iscriviti ora

Perfect, let’s get started!

Will being a Help Desk Operator through Intune RBAC be enough?

Our main character is Hazel, a help desk operator, who already has the Help Desk Operator role assigned via Intune RBAC. But… will that be sufficient?

Even though Hazel has the correct role in Intune, she won’t be able to view the BitLocker keys. Why? Because this permission is not managed by Intune, but by Microsoft Entra.

With a Zero Trust Security approach, let’s see how to grant the minimum permissions needed to allow Hazel to read the BitLocker recovery keys of devices managed by Intune.

🛠️ Create a group assignable to Entra roles

First, we need to create a security group that can be assigned to Entra roles.

⚠️ Attention: this option can only be enabled at the moment of group creation and cannot be modified later.

Once the group is created, we add Hazel as a member.

🧩 Create the custom role in Entra

Now let’s create a custom role in Entra. The permissions we need are:

microsoft.directory/deviceBitLockerKeys/read
microsoft.directory/bitlockerKeys/metadata/read

This allows reading the BitLocker recovery keys associated with devices registered in Entra.

🔗 Assign the role to the group

With the role ready and the group created, we can proceed with assigning the custom role to the group that contains Hazel. This is the step that effectively enables the visualization of the keys.

✅ Verification: can Hazel see the keys now?

Let’s go back to Intune and log in with Hazel’s account. This time, thanks to the Entra role, she will be able to correctly view the BitLocker keys of the devices.

📚 Attached documentation and useful links

To explore the topic further, here are some official documents with a hint pumpkin cake:

• 📎 Create a custom role in Microsoft Entra ID

• 📎 Overview of role-based access control in Microsoft Entra ID

• 📎 Assign Microsoft Entra roles

📬 Conclusions

We’ve seen how a simple Intune role is not enough to access BitLocker keys, and how to solve the problem with a custom role in Entra.

If you found this useful, subscribe to the ITSpecialist.News newsletter to receive more practical content, guides, and updates from the Microsoft 365 world.

As always, thank you for following me this far!

See you soon… LEGENDS!

Riccardo

🧭 Objective

Disable synchronization with Active Directory and remove on-premises attributes from synchronized users, making everything cloud-only.

⚠️ Disclaimer

You should not use this method for any kind of troubleshooting. Disabling synchronization between AD and Entra is an action to be taken only if you intend to permanently convert your users to cloud-only.

If you’re doing this in a production environment, make sure you’ve completed all the necessary preparatory steps to do it safely.

The information and procedures described in this document are provided for informational purposes only and must be executed with the utmost caution. I take no responsibility for any damage, service interruptions, or data loss resulting from the application of the instructions provided, especially if implemented in production environments.
It is strongly recommended to always test these procedures in a development or staging environment before applying them in production, and to perform full backups of all involved systems.

Furthermore:

📎 Source: Turn off directory synchronization for Microsoft 365 - Microsoft 365 Enterprise | Microsoft Learn

🛠️ Method 1: Microsoft Graph Explorer

1. Sign in to Microsoft Graph Explorer
   Go to Microsoft Graph Explorer and sign in with a Global Administrator account.

2. Modify permissions
   In the Modify Permissions section, grant the Organization.ReadWrite.All permission.

3. Run the PATCH request
   Enter the following request, replacing {organization-id} with your Tenant ID:

PATCH https://graph.microsoft.com/beta/organization/{organization-id}

4. Request body (JSON)

{
  "onPremisesSyncEnabled": false
}

5. Execute the query
   Click Run Query. Changes may take anywhere from 4–5 minutes up to 72 hours to reflect in the Azure portal, depending on the size of the objects.

🛠️ Method 2: Microsoft Graph PowerShell

1. Install the PowerShell modules

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

2. Connect with the administrator account

Connect-MgGraph -Scopes “Organization.ReadWrite.All,Directory.ReadWrite.All”

3. Check the current synchronization status

Get-MgOrganization | Select OnPremisesSyncEnabled

4. Store the Tenant ID and parameters

$organizationId = (Get-MgOrganization).Id
$params = @{ onPremisesSyncEnabled = $false }

5. Update the configuration

Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params

6. Verify the change

Get-MgOrganization | Select OnPremisesSyncEnabled

Below is the full script:

# Install v1.0 and beta Microsoft Graph PowerShell modules 
  Install-Module Microsoft.Graph -Force
  Install-Module Microsoft.Graph.Beta -AllowClobber -Force 
  
  # Connect With Hybrid Identity Administrator Account
  Connect-MgGraph -scopes “Organization.ReadWrite.All,Directory.ReadWrite.All” 
  
  # Verify the current status of the DirSync Type
  Get-MgOrganization | Select OnPremisesSyncEnabled 
  
  # Store the Tenant ID in a variable named organizationId
  $organizationId = (Get-MgOrganization).Id 
  
  # Store the False value for the DirSyncEnabled Attribute
  $params = @{
  	onPremisesSyncEnabled = $false
  }
  
  # Perform the update
  Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params 
  
  # Check that the command worked
  Get-MgOrganization | Select OnPremisesSyncEnabled

📎 Source: Turn off directory synchronization for Microsoft 365 - Microsoft 365 Enterprise | Microsoft Learn

✅ Final Result and Conclusions

Once the procedure is completed, previously synchronized users will be converted into cloud-only users.

Enjoy!

Riccardo

📰 What do you prefer? Video or article?

Here are a few notes to help you get the most out of this content.

• If you’d rather watch the full video, easy: you’ll find it right above in the header.

• If you prefer reading, that’s just as easy: keep scrolling here. For each step, I’ve included the exact video snippet, so you’ll only see the screens that matter—without my face talking in between.

Either way, make sure to subscribe to the newsletter so you won’t miss any of my upcoming tutorials.

Iscriviti ora

Perfect, let’s get started!

What is LAPS

LAPS, short for Local Administrator Password Solution, is a technology that allows you to securely and automatically manage the local administrator account password on a device.

What is it for? Its purpose is to prevent the same password from being reused across multiple devices, reducing the risk of lateral movement and improving the overall security of your infrastructure.

Things to consider before implementing LAPS for macOS

Before you start configuring LAPS for macOS, here are three key points to keep in mind:

• You cannot choose the length or complexity of the password: it is defined by Microsoft and will always be 15 characters long, including uppercase and lowercase letters, numbers, and special characters.

• Password rotation is fixed: it occurs every 6 months, with no customization options.

• Configuration takes place in the enrollment profile associated with the Enrollment Token Program: therefore, the Mac must be supervised, enrolled via ADE, and registered in Apple Business Manager.

Note: Points 1 and 2 represent a major difference compared to the configuration options available with LAPS for Windows. At the time of writing this article (September 2025), this is the current state of the technology. It may change in the future, but for now, this is how it works.

Configurazione del LAPS nel profilo di enrollment

Now let’s go into Intune to see how to configure LAPS for macOS. In the following example, I used a mix of static text and variables for the local administrator username, choosing the format admin-. I also chose to hide the administrative account in the Users & Groups panel as an additional measure to obscure the presence of the admin account.

These configurations are just an example to illustrate the customization possibilities: it’s important to select the most appropriate settings for your own infrastructure. Remember that this option is only available if the Mac has been properly enrolled via ADE and is supervised.

Final Result

Once everything is configured, here’s what happens on the Mac at the time of enrollment: the local administrator account password is generated automatically, it is unique for each device, and you can view it directly in Intune whenever you need it for technical interventions.

Configuring LAPS by modifying an existing enrollment profile has no effect on Macs that are already associated with that profile and enrolled. The configuration will only take effect once the Mac is reset and re-enrolled.

Role Based Access Control for the new macOS LAPS

With the release of the new feature, the corresponding RBAC controls have also been introduced, allowing you to grant permissions to rotate the local Mac admin password without necessarily being an Intune Administrator.

The settings can be found under the Enrollment programs category:

• Rotate macOS admin password

• View macOS admin password

Attached Documentation

To explore further, here are some links to Microsoft’s official documentation:

• Set up local admin account creation and password management for macOS devices

• Create a custom role in Intune

• Set up automated device enrollment (ADE) for macOS

• Create an Apple enrollment profile

Takeaways

Thank you for reading this article! I hope it helped you understand how LAPS for macOS works and how you can start using it right away in your infrastructure.

If you’d like to support my work and stay up to date with the latest IT news, subscribe to ITSpecialist.News, your support is essential to keep creating content like this.

Iscriviti ora

See you soon… LEGENDARY!

Riccardo

This video is a bit longer than usual, but it’s absolutely worth it. So sit back, spritz in hand, and let’s get started!

📰 What do you prefer? Video or article?

Some notes to help you get the most out of this content.

• If you’d rather watch the full video, easy: you’ll find it right above in the header.

• If you’d rather read, that’s just as easy: simply keep scrolling here. For each step, I’ve included the specific video clip, so you’ll only see the screens that matter—without my face talking at you.

Either way, make sure to subscribe to the newsletter so you don’t miss any of my upcoming tutorials.

Iscriviti ora

Ok, let’s get started!

What is Windows Autopilot Device Preparation?

Windows Autopilot Device Preparation is a Microsoft solution that automates and standardizes the process of configuring corporate PCs. Each device is prepared quickly, securely, and in compliance with company policies—without any manual intervention from IT administrators.

In short? A magic wand for anyone who wants to simplify deployment.

Key Differences Compared to Autopilot v1

• No more hardware hash: the PC’s serial number is enough.

• Entra Join only: no hybrid mode (with Active Directory domain join). For those who still need it, the classic version of Autopilot remains available.

• No PC name templates: but this can be worked around with a script.

A more detailed comparison table between Autopilot v1 and v2 follows below.

🔨 Requirements

Make sure you have all the necessary requirements in place.
As per my usual style, here’s some summer-flavored documentation, with just a hint of sunscreen. 😊

📎 Windows Autopilot device preparation requirements | Microsoft Learn

🪪 Verify Autoenrollment and Entra Join Permissions

To make Autopilot Device Preparation work, make sure that:

• Users have the necessary permissions for autoenrollment in Intune.

• Users must be able to perform Entra Join.

🖥️ Create a Static Device Group

Create a static group in Intune and set as owner a specific Service Principal called Intune Provisioning Client, which has the following AppId:

f1346770-5b25-470b-88bd-d5744ab7952c

This service principal has an AppId that is the same across all tenants.

If you don’t find any service principal corresponding to this Id in your tenant, you’ll need to create it. No worries, it only takes a few PowerShell commands.

Install-Module Microsoft.Graph.Authentication
Install-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.ReadWrite.All"
New-MgServicePrincipal -AppID f1346770-5b25-470b-88bd-d5744ab7952c

This group will be automatically populated with the devices registered in the Corporate Identifiers (we’ll get to that shortly). That’s right, you won’t need to populate it yourself, it will be filled automatically!

In the meantime, create the group and remember to set the service principal as the Owner: this step is essential!

👯 Create a Static User Group

Create a static user group and add the people you want to include in the Autopilot scope.
In this case, unlike the device group, you’ll be the one populating it manually.

🔢 Serial Number Registration in Corporate Device Identifiers

Enter the serial numbers of your PCs into the Corporate Device Identifiers.
This allows the device to immediately recognize that it’s managed by Autopilot.

🪄 Creating the Autopilot Policy

We’ve finally reached the heart of the process: the Autopilot Device Preparation policy. This is where you’ll configure:

• Deployment settings

• Security configurations

• Apps or scripts to install during the initial phase

Let’s just say that with this policy, we’re tying together all the configurations we’ve made so far.

💻 Hands-On Test on a PC (Shortened OOBE Phase)

Let’s power on a PC and walk through the OOBE (Out-Of-Box Experience) phase.
The video is sped up to show you the entire process from A to Z.

📃 Attached Documentation

You wouldn’t want to miss this truckload of documentation while lounging under your beach umbrella, would you? 😄

📎 What's new in Windows Autopilot device preparation | Microsoft Learn

📎 Overview of Windows Autopilot device preparation | Microsoft Learn

📎 Windows Autopilot device preparation scenarios | Microsoft Learn

📎 Windows Autopilot device preparation FAQ | Microsoft Learn

📎 Windows Autopilot troubleshooting FAQ | Microsoft Learn

📎 Windows Autopilot device preparation known issues | Microsoft Learn

📫 Wrap-Up

In short:

• Automation

• Speed

• Fewer errors

• Less manual work

• More focus on the user

Windows Autopilot Device Preparation makes device onboarding easier—for both IT and end users. And finally… no more hash calculations! 🥳

I hope you enjoyed this video, even if it was a bit longer and more intense than usual—thank you!

Subscribe to the ITSpecialist.News newsletter to stay up to date with all the latest from the Microsoft world. It means a lot to me and really shows your support.

Iscriviti ora

See you soon… LEGENDARY!

Hi! A quick intro before we start the article: I'm publishing here on the newsletter the first technical content, starting with a video/article that I had actually already published. I'm doing this for two reasons:

1. To get familiar with the Substack platform

2. Because on LinkedIn, thanks to the magic of the algorithm, nobody (and when I say nobody, this is very close to the literal meaning of the word) had seen this content.

I’ve almost decided that I’ll follow an “alternating” editorial plan: when there’s new and specific technical content (like today’s, for example), the newsletter will be a kind of “text” version of the video.
In other newsletter issues, I’ll collect some useful info, highlighting interesting community articles, events, official Microsoft news, and so on.

What do you think?

Ok, let's really get started…

In this article, we'll explore how to simplify the daily experience of using Microsoft 365 Copilot on macOS, through a wepclip.

What is a web clip in macOS?

A webclip is a quick way to reach our favorite websites, by pinning an icon on the macOS dock. Through Intune we can natively manage webclips, simplifying access to Microsoft 365 Copilot. I used a web clip because, at the time I'm publishing this article, there is no official app yet on the Mac App Store for Microsoft 365 Copilot.

This is the URL the web clip will point to:

https://m365.cloud.microsoft/chat

Let's see right away how to create the policy and deploy the web clip."

Verifying the webclip on the Mac

After deploying the webclip, let's verify that it has been correctly placed on our Mac's dock. The webclip should appear at the bottom right, in a specific area of the dock.

Attached documentation

As always, here is some useful documentation:

📎 Add web apps to Microsoft Intune

Conclusions

We've seen how to use Intune to create and deploy a webclip that points to Microsoft 365 Copilot, simplifying access to Copilot on macOS. This workaround allows us to replicate a behavior similar to pinning on the Windows taskbar, improving the Microsoft 365 Copilot user experience. Thank you for following this article all the way to the end.

See you soon, you legend!
Riccardo

Please note: the video is narrated in Italian. English subtitles are available for non-Italian speakers.

Mapping the physical Copilot key

Today we focus on mapping the physical Copilot key, available on newer PCs. This key lets you launch the Microsoft 365 Copilot app with a single tap, further simplifying the user experience. To achieve this, we use a custom Microsoft Intune OMA-URI.

Let’s see right away how to create the policy and deploy this setting.

Creating a custom OMA-URI

Creating a custom OMA-URI is a quick and simple process: the specific details of the OMA-URI used are available below, right after the video snippet.

➡️ Name: SetCopilotHardwareKey
➡️ OMA-URI: ./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
➡️ Data type: String
➡️ Value: Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub

Verification of policy application

Let’s see what happens on the Windows client in the personalization panel.

Test with the Copilot key

It’s time to press the key and see if everything works!

Perfect, everything works! 😊

Attached documentation

As always, here is some useful documentation:

📌 SetCopilotHardwareKey
📌 How to find the AUMID

Conclusions

Thank you for following this article all the way to the end! Implementing these policies is an effective way to streamline the Microsoft 365 Copilot user experience. If you already have PCs with the physical Copilot key in your device fleet, this policy is simple to implement and offers great benefits.

Let me know what you think in the comments of the video or on my social profiles!

See you soon, legends!

Your IT Specialist,
Riccardo

As always, before diving headfirst into this “risky” journey (pun intended 🤣), we need to introduce another concept: you need to understand what signals are.

What is a signal?

In Entra ID, a signal is defined as a property or a particular condition that a user and an authentication have. Here are some examples:

• User’s IP address

• IP and user geolocation

• Application they are trying to access.

• The operating system of the device they are using (Windows, Linux, macOS, iOS, Android?)

• What type of client the user is using to access M365 services? An app that supports Modern Authentication, a browser, or an app that only supports legacy authentication?

• If it’s a browser, which browser?

• Which Azure AD groups does their account belong to?

• And so on…

These are all signals, and as you can see, Entra ID is capable of detecting many of them.

You might be wondering: ”Rick, why are you bothering me with this signal stuff?”

I’ll answer that without too much beating around the bush: because “risk” is a signal!

And so, how does risk fit in among the signals, and what is it?

What is risk in Entra ID Protection?

In Entra ID Protection, risk is an assessment of user actions, authentications, and their properties. Cross-analysis of user properties and actions provides an assessment of how clean or suspicious the authentication is and how secure or insecure the user is.

Risk can be:

• Calculated in real-time (evaluations available in 5/10 minutes)

• Calculated by Microsoft cloud intelligence based on an analysis of authentication events in your tenant, which happens in the background (evaluations available in a few hours)

It is further divided into two types:

• User Risk

• Sign-in Risk

User Risk

Here are the risk signals associated with a user.

These signals are constantly updated and improved. The ones listed above are those available at the time of writing this article. If you want to ensure you are always up to date, I recommend referring to the official documentation:

• What are risk detections? | Microsoft Docs

Sign-in Risk

Here are the risk signals associated with a single authentication.

These signals are constantly updated and improved. The ones listed above are those available at the time of writing this article. If you want to ensure you are always up to date, I recommend referring to the official documentation:

• What are risk detections? | Microsoft Docs

How can risk in Entra ID Protection be useful?

The concept of risk is extremely useful when used in combination with Conditional Access and Multi-Factor Authentication! Even more so if you have access to Azure Sentinel and want to automate automatic responses.

Concrete examples? Here they are:

• If two authentications from Italy and Spain are detected within 5 minutes (impossible travel), I request Multi-Factor Authentication for access (Conditional Access + MFA).

• If it’s detected that the user’s password matches one found in public lists of compromised credentials (risk), I block the authentication (Conditional Access), raise an incident, and lock the user account (Azure Sentinel).

Where can you find risk assessments and events?

You can simply navigate to the Entra ID portal under

Microsoft Entra ID -> Security -> Identity Protection.

License requirements for Entra ID Protection

Here’s an official Microsoft document that will clarify which licenses are required to take advantage of these features:

• License Requirements | Microsoft Docs

Conclusions on risk and Entra ID Protection

As you can see, the limit to securing your identities in a simple and automated way is only your imagination and, of course, a careful analysis of your needs and environment.

Are you already using Entra ID Protection? Have you automated reactions in case of high risk? Let’s discuss it in the comments or on my social media channels; I’m here!

Your IT Specialist,

Riccardo