MDM Tech Space Joy blogs about MIcrosoft Intune (MEM) and other Digital Workplace technologies

WinCsFlags.exe for Secure Boot 2023 CA Certificate Updates: What It Really Does and the OS → Firmware Flow.

WinCsFlags.exe and Secure Boot 2023 CA Updates – A Bridge Between Part 2 & Part 3

March 27, 2026 0

WinCsFlags.exe doesn’t write Secure Boot certificates into firmware — it sets intent.
This deep‑dive explains how WinCS works behind the scenes, how the Secure Boot 2023 CA update actually flows from Windows to UEFI firmware, why two reboots are expected, and how to validate success using UEFICA2023Status. A practical, engine‑room explanation bridging Part 2 (0x5944) and Part 3 (validation) of the Secure Boot series—without vibes, myths, or guesswork. [Read More]

Microsoft Intune: Secure Boot 2023 CA Certificate Update Rollout - Part 3

Secure Boot Certificate Update Rollout at 50,000 Feet (and Devices): A Field Guide for the Sleep‑Deprived IT Admin – Part 3

March 24, 2026 1

Deploying the Secure Boot 2023 certificate update is the easy part. Proving it actually worked is where things get uncomfortable. In Part 3, the spotlight shifts from execution to evidence—where dashboards stop being trusted, reboots start to matter, and firmware finally gets a vote. This is the phase where Windows claims success, devices boot happily, and yet half your fleet may still be clinging to the 2011 trust chain like it’s a security blanket. Validation is where assumptions die, receipts are demanded, and “updated” stops being a feeling and starts being something you can prove. [Read More]

Why Agentic AI Needs Guardrails: A Zero Trust Take on Microsoft Agent 365

March 16, 2026 0

The Claude / Terraform incident wasn’t AI going rogue—it was automation executing perfectly without governance. This post breaks down why agentic AI is a Zero Trust problem, not an intelligence one, and how Microsoft Agent 365 signals a shift toward scoped, observable, and approval‑gated agents designed to limit blast radius before damage happens. [Read More]

Intune Multi-Admin Approval: The Security Feature You’ll Wish You Enabled Before Someone Presses “Wipe All”

Intune Multi-Admin Approval: The Security Feature You Wish You’d Enabled Before Someone Pressed “Wipe All”!

March 13, 2026 0

There are some security lessons that arrive as a whitepaper, and then there are the ones that arrive like a brick through the server room window. This post explores why Intune Multi-Admin Approval is no longer just a nice governance feature, but a critical security control for preventing destructive remote actions like wipe, retire, and delete from being abused at scale. [Read More]

Secure Boot 2023 CA Certificate Update Rollout - Part 2

Secure Boot Certificate Update Rollout at 50,000 Feet (and Devices): A Field Guide for the Sleep‑Deprived IT Admin – Part 2

March 11, 2026 7

Part 2 of the Secure Boot 2023 CA Update series dives into the actual rollout: how Windows applies the new KEK/DB certificates, why automatic updates aren’t guaranteed, and how Intune admins can safely trigger and manage the update workflow using registry‑based signals and proactive remediations. [Read More]

Secure Boot 2023 Certificate Update Rollout

Secure Boot Certificate Update Rollout at 50,000 Feet (and Devices): A Field Guide for the Sleep‑Deprived IT Admin – Part 1

March 9, 2026 11

Before you roll out the Secure Boot 2023 certificates, map your fleet. This guide shows how to inventory posture with Intune—reports, proactive remediations, JSON outputs, and OEM gotchas. [Read More]

Modern Windows Provisioning - Autopilot Internals - Part 2

Modern Windows Provisioning Internals – Part 2

March 3, 2026 0

Behind the first OOBE screen, Windows launches a dense chain of provisioning tasks that never surface in the UI. As soon as the device comes online, CloudExperienceHost and the provisioning engine begin executing ZDP update checks, initializing and validating the TPM (EK, SRK, AIK), and activating hardware attestation. In parallel, Autopilot performs token‑based device discovery, retrieves its deployment profile, and drives the consumer‑vs‑enterprise pivot that determines the rest of setup. This part of the series breaks down those hidden flows — the CEH pipelines, TPM trust establishment, Autopilot token exchanges, and the orchestration logic that shapes modern Windows provisioning. [Read More]

The Day Intune Finally Stopped Kidnapping Personal Laptops

February 27, 2026 Comments Off

There are many perfectly valid, intentional ways a Windows device can end up enrolled into Intune. All of these make sense. They involve planning. They involve intent. And then there was… the most popular method of [Read More]

Hybrid Entra Join Continues To Exist — Not Because Anyone Wants It, But Because Reality Is Inconvenient.

February 20, 2026 Comments Off

Hybrid Entra Join was never meant to be a permanent destination — yet for many organisations, it quietly became one.
As businesses push toward modern identity models, they find themselves tangled between on‑prem dependencies, device provisioning challenges, and the politics of re‑imaging at scale. But with Microsoft’s new Hybrid Entra Join powered by Entra Kerberos (Preview), the old sync‑and‑wait pain finally meets its match. This article breaks down why Hybrid became a long‑term tenant, what the new Kerberos-based model changes, and how organisations can finally reclaim their cloud‑native roadmap. [Read More]

Get started with PowerShell to run MS Graph API queries – Part 1

April 20, 2021 Comments Off

This blog post helps you to learn how to implement MSAL auth flows in PowerShell to obtain an Access Token to work with Microsoft Graph API. [Read More]

Generate AAD TAP using PowerShell and MS Graph API

Generate Azure AD Temporary Access Pass using PowerShell and MS Graph API

May 4, 2021 Comments Off

Learn how you can easily generate Azure AD Temporary Access Pass for bulk users utilizing the power of Microsoft Graph API and PowerShell. [Read More]

Troubleshooting Intune NDES Certificate Connector expired certificate

Intune Certificate Connector certificate expired

May 13, 2024 3

On April 22, 2024, multiple Windows corporate enrolment failure report led to the discovery of a broken internet connection affecting the NDES server, which hindered certificate validation. Even after restoring connectivity and troubleshooting based on previous successful methods, issues persisted due to an expired Intune Certificate Connector, last successful on April 20, 2024. The resolution involved re-enrolling the connector without full reinstallation, ultimately restoring service and marking the resolution of the enrolment issue. [Read More]

Opt-in for Windows 11 with Intune and Azure AD (Without Approval Flows)

December 5, 2021 1

How you can use the Access Package feature of Azure Active Directory (Azure AD) entitlement management along with the Feature Update deployment policy from Intune to let end-users opt-in to get Windows 11 on their managed device. [Read More]

Modern Windows Provisioning Internals – Part 2

March 3, 2026 0

Intune RBAC for Noobs

January 7, 2022 5

This blog post is to help beginners with the fundamentals of Intune RBAC and how it plays a critical role as part of the Zero-Trust model. [Read More]

Use Filters for Policy Assignments in MEM Intune

Use Filters (in Preview!) for Policy Assignments in MEM Intune

May 13, 2021 Comments Off

A quick look at the new preview feature “Filters” in Intune that enables an Intune Admin to have better control over policy assignments. [Read More]

From OMA-DM to MMP-C: The Evolution of Modern Windows Management

October 29, 2025 Comments Off

Modern Windows management has undergone a significant transformation over the past decade. What was once considered cutting-edge—OMA-DM and MDM-based workflows—has now become legacy as enterprises demand greater scalability, resilience, and efficiency. The shift from an imperative model, where servers orchestrate every configuration step, to a declarative model powered by MMP-C and WinDC marks a new era in device management. This evolution reduces complexity, minimizes network chatter, and enables self-healing capabilities, making it ideal for large-scale environments. In this post, we explore why OMA-DM is now seen as traditional, how MMP-C redefines “modern,” and what this means for the future of Windows management. [Read More]

Start preparing for the upcoming Intune NAC Service deprecation!

September 8, 2022 Comments Off

This blog post is to make you aware of the upcoming major Intune change – Intune NAC service API deprecation as on Dec 31, 2022. [Read More]

Random Posts