Secure Boot certificate updates won’t flip Secure Boot ON for you. This post shows how to safely enable Secure Boot at scale using Intune orchestration + PowerShell execution, with BitLocker readiness gates, and OEM-supported tooling for Lenovo and Dell. [Read More]
WinCsFlags.exe doesn’t write Secure Boot certificates into firmware — it sets intent.
This deep‑dive explains how WinCS works behind the scenes, how the Secure Boot 2023 CA update actually flows from Windows to UEFI firmware, why two reboots are expected, and how to validate success using UEFICA2023Status. A practical, engine‑room explanation bridging Part 2 (0x5944) and Part 3 (validation) of the Secure Boot series—without vibes, myths, or guesswork. [Read More]
Deploying the Secure Boot 2023 certificate update is the easy part. Proving it actually worked is where things get uncomfortable. In Part 3, the spotlight shifts from execution to evidence—where dashboards stop being trusted, reboots start to matter, and firmware finally gets a vote. This is the phase where Windows claims success, devices boot happily, and yet half your fleet may still be clinging to the 2011 trust chain like it’s a security blanket. Validation is where assumptions die, receipts are demanded, and “updated” stops being a feeling and starts being something you can prove. [Read More]
The Claude / Terraform incident wasn’t AI going rogue—it was automation executing perfectly without governance. This post breaks down why agentic AI is a Zero Trust problem, not an intelligence one, and how Microsoft Agent 365 signals a shift toward scoped, observable, and approval‑gated agents designed to limit blast radius before damage happens. [Read More]
There are some security lessons that arrive as a whitepaper, and then there are the ones that arrive like a brick through the server room window. This post explores why Intune Multi-Admin Approval is no longer just a nice governance feature, but a critical security control for preventing destructive remote actions like wipe, retire, and delete from being abused at scale. [Read More]
Part 2 of the Secure Boot 2023 CA Update series dives into the actual rollout: how Windows applies the new KEK/DB certificates, why automatic updates aren’t guaranteed, and how Intune admins can safely trigger and manage the update workflow using registry‑based signals and proactive remediations. [Read More]
Before you roll out the Secure Boot 2023 certificates, map your fleet. This guide shows how to inventory posture with Intune—reports, proactive remediations, JSON outputs, and OEM gotchas. [Read More]
Behind the first OOBE screen, Windows launches a dense chain of provisioning tasks that never surface in the UI. As soon as the device comes online, CloudExperienceHost and the provisioning engine begin executing ZDP update checks, initializing and validating the TPM (EK, SRK, AIK), and activating hardware attestation. In parallel, Autopilot performs token‑based device discovery, retrieves its deployment profile, and drives the consumer‑vs‑enterprise pivot that determines the rest of setup. This part of the series breaks down those hidden flows — the CEH pipelines, TPM trust establishment, Autopilot token exchanges, and the orchestration logic that shapes modern Windows provisioning. [Read More]
There are many perfectly valid, intentional ways a Windows device can end up enrolled into Intune. All of these make sense. They involve planning. They involve intent. And then there was… the most popular method of [Read More]
Today let’s have a look at Behind-The-Scenes activities that take place during the Android Enterprise Work Profile provisioning process with Microsoft Intune a.k.a Microsoft Endpoint Manager. So without wasting any time, let’s get started. The previous [Read More]
This blog post helps you to get started with Registration Campaign in Azure AD to nudge users to set up MS Authenticator for MFA. [Read More]
This blog post is to help beginners with the fundamentals of Intune RBAC and how it plays a critical role as part of the Zero-Trust model. [Read More]
This blog post is a follow-up to the recent post that I made on the Office Update channel topic. But in there, I talked about the change of the Office update channel due to Cloud Policy [Read More]
This post is a catalog for all the blog posts related to Android management with MEM Intune by me that can be found at either anoopcnair.com or here at joymalya.com [Read More]
Modern Windows management has undergone a significant transformation over the past decade. What was once considered cutting-edge—OMA-DM and MDM-based workflows—has now become legacy as enterprises demand greater scalability, resilience, and efficiency. The shift from an imperative model, where servers orchestrate every configuration step, to a declarative model powered by MMP-C and WinDC marks a new era in device management. This evolution reduces complexity, minimizes network chatter, and enables self-healing capabilities, making it ideal for large-scale environments. In this post, we explore why OMA-DM is now seen as traditional, how MMP-C redefines “modern,” and what this means for the future of Windows management. [Read More]
This blog post is all about sharing my experience of trying out the new Multi Admin Approval (MAA) feature introduced in Intune with the November service release. [Read More]
Are you aware of Windows 10 running on ARM processors? If you want to know more about Windows 10 on ARM, then this post is for you. [Read More]
As the title suggests, this post is all about brushing up our knowledge about the basics of Intune MAM (App Protection policy) for the iOS/iPadOS platform. [Read More]
Copyright © 2022, MDM Tech Space - Joymalya Basu Roy