MDM Tech Space Joy blogs about MIcrosoft Intune (MEM) and other Digital Workplace technologies

Microsoft Intune: Secure Boot 2023 CA Certificate Update Rollout - Part 3

Secure Boot Certificate Update Rollout at 50,000 Feet (and Devices): A Field Guide for the Sleep‑Deprived IT Admin – Part 3

March 24, 2026 1

Deploying the Secure Boot 2023 certificate update is the easy part. Proving it actually worked is where things get uncomfortable. In Part 3, the spotlight shifts from execution to evidence—where dashboards stop being trusted, reboots start to matter, and firmware finally gets a vote. This is the phase where Windows claims success, devices boot happily, and yet half your fleet may still be clinging to the 2011 trust chain like it’s a security blanket. Validation is where assumptions die, receipts are demanded, and “updated” stops being a feeling and starts being something you can prove. [Read More]

Why Agentic AI Needs Guardrails: A Zero Trust Take on Microsoft Agent 365

March 16, 2026 0

The Claude / Terraform incident wasn’t AI going rogue—it was automation executing perfectly without governance. This post breaks down why agentic AI is a Zero Trust problem, not an intelligence one, and how Microsoft Agent 365 signals a shift toward scoped, observable, and approval‑gated agents designed to limit blast radius before damage happens. [Read More]

Intune Multi-Admin Approval: The Security Feature You’ll Wish You Enabled Before Someone Presses “Wipe All”

Intune Multi-Admin Approval: The Security Feature You Wish You’d Enabled Before Someone Pressed “Wipe All”!

March 13, 2026 0

There are some security lessons that arrive as a whitepaper, and then there are the ones that arrive like a brick through the server room window. This post explores why Intune Multi-Admin Approval is no longer just a nice governance feature, but a critical security control for preventing destructive remote actions like wipe, retire, and delete from being abused at scale. [Read More]

Secure Boot 2023 CA Certificate Update Rollout - Part 2

Secure Boot Certificate Update Rollout at 50,000 Feet (and Devices): A Field Guide for the Sleep‑Deprived IT Admin – Part 2

March 11, 2026 4

Part 2 of the Secure Boot 2023 CA Update series dives into the actual rollout: how Windows applies the new KEK/DB certificates, why automatic updates aren’t guaranteed, and how Intune admins can safely trigger and manage the update workflow using registry‑based signals and proactive remediations. [Read More]

Secure Boot 2023 Certificate Update Rollout

Secure Boot Certificate Update Rollout at 50,000 Feet (and Devices): A Field Guide for the Sleep‑Deprived IT Admin – Part 1

March 9, 2026 11

Before you roll out the Secure Boot 2023 certificates, map your fleet. This guide shows how to inventory posture with Intune—reports, proactive remediations, JSON outputs, and OEM gotchas. [Read More]

Modern Windows Provisioning - Autopilot Internals - Part 2

Modern Windows Provisioning Internals – Part 2

March 3, 2026 0

Behind the first OOBE screen, Windows launches a dense chain of provisioning tasks that never surface in the UI. As soon as the device comes online, CloudExperienceHost and the provisioning engine begin executing ZDP update checks, initializing and validating the TPM (EK, SRK, AIK), and activating hardware attestation. In parallel, Autopilot performs token‑based device discovery, retrieves its deployment profile, and drives the consumer‑vs‑enterprise pivot that determines the rest of setup. This part of the series breaks down those hidden flows — the CEH pipelines, TPM trust establishment, Autopilot token exchanges, and the orchestration logic that shapes modern Windows provisioning. [Read More]

The Day Intune Finally Stopped Kidnapping Personal Laptops

February 27, 2026 0

There are many perfectly valid, intentional ways a Windows device can end up enrolled into Intune. All of these make sense. They involve planning. They involve intent. And then there was… the most popular method of [Read More]

Hybrid Entra Join Continues To Exist — Not Because Anyone Wants It, But Because Reality Is Inconvenient.

February 20, 2026 Comments Off

Hybrid Entra Join was never meant to be a permanent destination — yet for many organisations, it quietly became one.
As businesses push toward modern identity models, they find themselves tangled between on‑prem dependencies, device provisioning challenges, and the politics of re‑imaging at scale. But with Microsoft’s new Hybrid Entra Join powered by Entra Kerberos (Preview), the old sync‑and‑wait pain finally meets its match. This article breaks down why Hybrid became a long‑term tenant, what the new Kerberos-based model changes, and how organisations can finally reclaim their cloud‑native roadmap. [Read More]

Autopilot v1 or Autopilot v2? A Strategic Guide to Modern Windows Provisioning

February 18, 2026 Comments Off

Windows Autopilot has evolved—but not in a way that makes the choice obvious. With the introduction of Autopilot v2 (Device Preparation), organizations now have a faster, cloud‑first provisioning model alongside the classic Autopilot experience. This article breaks down Autopilot v1 vs v2 through real‑world scenarios, helping you decide which model fits your identity strategy, device mix, and Windows 11 modernization goals. [Read More]

Want to Learn Intune? Get yourself a M365 Dev Test Tenant

Want to Learn Intune? Get an M365 Dev Tenant

July 9, 2021 Comments Off

Want to Learn Intune? It’s important to have a lab tenant for you to test and build your experience.

Do you know that you can sign-up with the M365 Developer Program and get a fully functional tenant with 25 M365 E5 licenses for your lab use. [Read More]

Multi Admin Approval in Intune

December 16, 2022 Comments Off

This blog post is all about sharing my experience of trying out the new Multi Admin Approval (MAA) feature introduced in Intune with the November service release. [Read More]

The Day Intune Finally Stopped Kidnapping Personal Laptops

February 27, 2026 0

Zebra management options with MEM Intune

December 20, 2021 Comments Off

This post is about managing Android rugged devices in an enterprise environment, especially, Zebra device management options with MEM Intune. [Read More]

MS Intune new feature? Importing 3rd-party ADMX into MEM

August 23, 2022 Comments Off

Intune service release 2208 saw a new public preview feature surfacing, the ability to import 3rd-party ADMX directly to MEM Admin center. This blog post walks you through the new development. [Read More]

Android Enterprise Multi-App KIOSK deployment with MEM Intune

Android Enterprise Dedicated device Multi-App KIOSK deployment with MEM Intune

December 15, 2021 3

This blog post is walkthrough of minimum configuration for Android Enterprise Dedicated device Multi-App KIOSK deployment with MEM Intune. [Read More]

Move to Windows 11 with Intune

October 5, 2021 Comments Off

This short blog post helps you with how you can get Windows 11 deployed to your managed Windows 10 endpoints with Intune and WUfB. [Read More]

How to Blacklist/Whitelist Extensions in Chrome with Intune

March 5, 2025 Comments Off

Chrome extensions are small software programs that customize and enhance the functionality of the Google Chrome browser. They can perform a variety of tasks, such as blocking ads, managing passwords, translating web pages, and integrating with [Read More]

Disable Browser Toast Notification with Intune

Disable browser toast notifications with Intune

March 4, 2024 2

This blog post shows how you can disable browsers (Chrome/Edge) from generating toast notifications on managed-Windows endpoint with Intune. [Read More]

Random Posts