
Showing posts with the label Microsoft Intune

How to configure LAPS for MacOS in Microsoft Intune

The July 2025 update to Microsoft Intune introduces an intriguing new feature: the Local Administrator Password Solution (LAPS) for macOS (What's new in Microsoft Intune: July 2025 - Microsoft Intune Blog). Below, I'll go through all the prerequisites and actions you'll need to activate this option in Microsoft Intune. 🛠️ Prerequisites: macOS version 12 or later; devices must be synced with Apple Business Manager or Apple School Manager; enrollment must use Automated Device Enrollment (ADE) via Intune; the admin must have appropriate RBAC permissions in Intune to view or rotate the password (Category: Enrollment programs; set Rotate macOS admin password to Yes; set View macOS admin password to Yes). 📋 Step-by-Step Configuration Guide: 1. Create an ADE Enrollment Profile. Go to Microsoft Intune Admin Center. Navigate to: Devices > macOS > Enrollment > Enrollment Program Tokens. Select your token and create a new ADE profile. Enable "Create a local admin account" and confi...

Manage Apple Intelligence on MacOS using Microsoft Intune

Apple Intelligence arrived in France with the update to macOS 15 and adds many AI-based features. For the moment, the features available with Apple Intelligence are: proofreading, rewriting and summarizing text with Writing Tools; correcting photos and reliving unique moments with a smarter Photos app; creating fun and original images with Image Playground; creating Genmoji to express yourself in any situation; adding a new dimension to Notes with Image Wand; setting priorities and staying focused; improved interaction with Siri; one-click access to local information with visual intelligence; using ChatGPT with Siri and Writing Tools. Apple mentions that this solution respects privacy and confidentiality rules, but certain tasks linked to the use of the ChatGPT layer can be quite intrusive, and it is therefore preferable to limit or even block access to these functions. Manage Apple Intelligence using Microsoft Intune: Go to intune.microsoft.com. Select Devices / macOS / Configuration and select Crea...

Run remediation on-demand on Windows Client using Microsoft Intune

In this new article, we will focus on an option that has been available in Preview for a few months now: Remediation on-demand. Proactive remediations are script packages available in the Microsoft Intune administration console. They detect and resolve common support issues on a user's device before the user even realizes there is a problem. We will see below what the necessary prerequisites are and how to use this new functionality. Prerequisites: Whether enrolling devices via Intune or Configuration Manager, Remediation scripting has the following requirements: Devices must be Microsoft Entra joined or Microsoft Entra hybrid joined and meet one of the following conditions: Is managed by Intune and runs an Enterprise, Professional, or Education edition of Windows 10 or later. A co-managed device running Windows 10, version 1903 or later. Co-managed devices on preceding versions of Windows 10 will need the Client apps workload pointed to Intune (only applicable up to version 1607...

How to disable Copilot on Windows using Microsoft Intune

In this article, we will see how to disable Copilot on Windows using Microsoft Intune. As a reminder, Windows Copilot is an artificial intelligence feature introduced by Microsoft in Windows 11 that acts as a personal assistant, providing personalized recommendations, information and streamlined workflows to improve productivity and user experience. In some cases, it may be necessary to consider deactivating Windows Copilot, and there are several ways to do so: GPO, OMA-URI, Settings Catalog. Here, we will see the method via Settings Catalog. Disable Copilot for Windows with Settings Catalog: Go to the Intune.microsoft.com console, then perform the following actions: Go to Devices, Windows, Configuration Profiles and click on Create and New Policy. In the Create Profile section, choose the following options: Platform: Windows 10 and later; Profile Type: Settings catalog. Click Create. In the Create a profile section, complete the fields...

Block access to the Microsoft Store using Microsoft Intune

A secure work environment involves the implementation of processes, particularly those related to packaging, to allow the user to access reliable applications that have been tested and validated by the IT team. As soon as this first step is completed, it is necessary to restrict access to the Microsoft Store so that users can only install software provided through the corporate catalog. We'll see below how to block access to the Store through Microsoft Intune, while still allowing apps that come from it to continue receiving updates. Block access to the Microsoft Store: Log on to Intune.microsoft.com and perform the following steps: Click on Devices / Windows and select Configuration Profiles. Click on Create and New Policy. When creating, select the following parameters: Platform: Windows 10 and later; Profile Type: Settings Catalog. Click Create. Complete the Name field and click Next. Then click Add Settings. In the Search box, find, add and configure the followin...

Enabling Edge Workspaces on Windows 11 with Microsoft Intune

Overview: Edge Workspaces provides an incredible way for customers to organize their browsing tasks into dedicated windows. Each Edge Workspace contains its own sets of tabs and favorites, all created and curated by the user and their collaborators. Edge Workspaces are automatically saved and kept up to date. Workspaces are accessible anywhere customers use Microsoft Edge with their Microsoft Entra accounts. Prerequisites: Users must have a Microsoft Entra tenant and Microsoft Edge version 114 or later installed, or Microsoft Edge for Business version 116. To manage via group policy, admins must have Microsoft Edge version 114 or later installed and version 114 of the policy files. Users must have access to a OneDrive for Business license to create an Edge Workspace. Enable the feature with Microsoft Intune: Go to intune.microsoft.com. Select Devices / Windows / Configuration Profiles and click Create. Create profile: Platform: Windows 10 and later; Profile type: Settings catalog. Compl...

Windows 365, disable local drive redirection using Microsoft Intune

When securing AVD and Windows 365 environments, it is worth considering whether local drives or folders should be redirected to the remote session. Often, Windows 365 users use a personal and potentially insecure computer to access a customer's Windows 365/AVD services. It is therefore essential to guard against the dangers that this type of scenario may entail. To avoid this, it is possible to prohibit the mounting of local drives in a remote session. To do this, I invite you to follow the procedure below. Configuration profile creation: Go to intune.microsoft.com. Go to Devices / Windows / Configuration Profiles. Click Create Profile. Select: Platform: Windows 10 and later; Profile Type: Settings Catalog. Complete the Name field and click Next. Click Add settings. Go to Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Device and Resource Redirection. Select Do not all...

Microsoft Intune, Uninstall Win32 app with the company portal

With the arrival of build 2307 of Microsoft Intune, Microsoft provides a new option in the Applications area. Source: What's new in Microsoft Intune | Microsoft Learn. This option allows us to offer users the possibility of uninstalling a Win32 application via the Company Portal. Below you will find the procedure to activate the option in the Microsoft Intune console. Prerequisites: Intune tenant up to date; Win32 app available in the Company Portal; a valid Uninstall command line. Enabling the Uninstall option: Go to Intune.microsoft.com. Navigate to Apps / Windows. Select a Win32 App and click Properties. On Program, click Edit. Activate the option Allow available uninstall by switching the option to Yes. Click Review + Save for all sections and click Save. User side: Open the Company Portal, then select an available Win32 application. After updating, you should see the mention Uninstall. Click Uninstall to remove the application.

How to disable access to removable storage devices with Microsoft Intune

Your computer's USB ports are an obvious entry point for attempts to compromise your security. You should therefore limit their use and prevent users from connecting a storage device that could contain a virus or other malware. Microsoft Intune provides the ability to address this vulnerability by creating a CSP. Setting it up will prevent access to the following elements: External USB Storage; SD Card. To do this, I invite you to follow the procedure below. Create the Configuration Profile: Go to Intune.microsoft.com. Navigate to Devices / Windows / Configuration Profiles. Click Create Profile. In Create a Profile, select: Platform: Windows 10 and later; Profile Type: Template; Template Name: Device Restriction. Click Create. Enter the profile name in the name field and click Next. In Configuration Settings, navigate to General. For Removable Storage,...

How to limit rights on C drive for Authenticated Users

In some cases, it can be useful to control the level of authorization that we leave to users on the C: drive. With this in mind, and to respond to certain customer requests, I made a PowerShell script to limit write rights for authenticated users using the icacls command. The script is available on GitHub: https://github.com/ChrisMogis/DriveC_RightsModification

Script details:

    <#
    .DESCRIPTION
    This script allows you to revoke user rights in C: and thus prevent creating folders or files anywhere on the hard disk system.
    .NOTES
      Version:        1.0
      Author:         Christopher Mogis
      Creation Date:  07/11/2023
    #>
    #Script Parameters
    Param (
    [Parameter(Mandatory=$true)]
    [ValidateSet("Remove", "Add")]
    [String[]]
    $Param
    )
    #Variables
    $Date = Get-Date
    #Log Folder
    Function CreateLogsFolder
      {
        If (!(Test-Path "C:\CCMTune\Logs\"))
        {
        Write-Host "$( $...