Posts

Windows 10 ESU license and November Update

What is Windows 10 ESU? It stands for Extended Security Updates. Microsoft introduced this license when Windows 10 reached end of support on October 14th, 2025, to give the many companies and individuals who are still running Windows 10 for whatever reason more time to migrate their work to Windows 11. Commercial ESU is sold one year at a time for up to three years; consumer ESU covers one year. For home users the license is free when the device is enrolled through Windows Backup settings sync or with Microsoft Rewards points (otherwise it is a one-time $30 fee); for companies it costs $61 per device for the first year and doubles for each following year.

If you want a commercial license, you can buy it from one of Microsoft's partners and deploy the ESU MAK via Intune or any other method you use.

If you deployed the ESU key and it is installed, but you did not receive the November updates, no worries, you are not alone. I have the issue, and after deploying my license, I did not get the update on Tuesday, November 11th, 2025. I did all the troubleshooting you can imagine to see when the update would come, but I get the message that the version has reached the end of support. ...
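Before chasing a missing update it is worth confirming that the ESU add-on is really activated and that the device meets the prerequisite. The following PowerShell is an added example written for this page, not code from the original post: it installs the MAK, activates the ESU add-on and reports the licensing state. It assumes you run it elevated on the Windows 10 device, that you supply the ESU activation ID for the year you bought (taken from Microsoft's ESU deployment documentation; nothing is hardcoded here), and that the product-name match used to pick out the ESU entry from the licensing data is my guess, so inspect the raw Get-CimInstance output if it returns nothing.

```powershell
# Added example, not from the original post. Run elevated on the Windows 10 device.
# Assumptions: $EsuActivationId comes from Microsoft's ESU deployment docs (not
# hardcoded here); the Name match for the ESU add-on is a guess, check the raw
# SoftwareLicensingProduct output if nothing is returned.

$Slmgr = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Install-EsuKey {
    param(
        [Parameter(Mandatory)] [string] $EsuKey,          # ESU MAK from your Microsoft partner
        [Parameter(Mandatory)] [string] $EsuActivationId  # GUID of the ESU add-on (year) to activate
    )
    # /ipk installs the key; /ato <activation id> activates that specific add-on online.
    & cscript.exe //nologo $Slmgr /ipk $EsuKey
    & cscript.exe //nologo $Slmgr /ato $EsuActivationId
}

function Get-EsuLicenseStatus {
    # LicenseStatus 1 = Licensed; anything else means the add-on is not active yet.
    $statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                      4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL" |
        Where-Object { $_.Name -match 'ESU|Extended Security' } |   # assumption: how the add-on is named
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                ActivationId      = $_.ID
                PartialProductKey = $_.PartialProductKey
                LicenseStatus     = $statusNames[[int]$_.LicenseStatus]
            }
        }
}

function Test-EsuPrerequisites {
    # ESU is only offered to Windows 10 version 22H2; an older feature version keeps
    # reporting "end of support" regardless of the key.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        Is22H2         = ($cv.DisplayVersion -eq '22H2')
    }
}

# Usage:
# Install-EsuKey -EsuKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX' -EsuActivationId '<activation id from the docs>'
# Test-EsuPrerequisites
# Get-EsuLicenseStatus
```

If the add-on shows Licensed and the device is on 22H2 but the update is still not offered, the problem is on the update side (scan source, deployment rings, the Intune update policy), not the license, and that is where to continue troubleshooting.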

Legacy Vulnerabilities Still Hiding in Modern Endpoints

Defender – Intune

Modern management and old problems. I typically review the vulnerabilities and examine the recommendations in Microsoft Defender. I know it is a long list. However, it never came to mind that I would still see some legacy vulnerabilities there.

Even in a modern Intune and Microsoft Defender environment, legacy software configurations can persist quietly and lower your Threat & Vulnerability Management (for easier identification, I call it TVM) score more than expected. Recently, while reviewing Defender TVM reports, I noticed three vulnerabilities that stood out:

- Disable Flash on Adobe Acrobat Pro XI
- Disable Flash on Adobe Reader DC
- Block outdated ActiveX controls for Internet Explorer
- Block webpages from automatically running...
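Each of the three recommendations above maps to a single registry value, so it is easy to check (and, if you must, fix) a device by hand while the Intune policy is still rolling out. The script below is an added example for this page, not the author's code: the registry locations are the ones I use for these Defender recommendations, so confirm them against the remediation details shown for each recommendation in Defender before applying them at scale, and prefer delivering the values through an Intune policy rather than running the remediation switch on devices one by one.

```powershell
# Added example, not from the original post. Assumption: these registry paths are
# the ones behind the three Defender recommendations; verify against the
# recommendation's remediation details before remediating broadly.

$LegacyChecks = @(
    @{ Name = 'Disable Flash on Adobe Acrobat Pro XI'
       Path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\11.0\FeatureLockDown'
       Value = 'bEnableFlash'; Expected = 0 }
    @{ Name = 'Disable Flash on Adobe Reader DC'
       Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
       Value = 'bEnableFlash'; Expected = 0 }
    @{ Name = 'Block outdated ActiveX controls for Internet Explorer'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
       Value = 'VersionCheckEnabled'; Expected = 1 }
)

function Test-LegacyHardening {
    # Reports each setting's current vs expected value; -Remediate writes the
    # expected DWORD where it is missing or wrong (needs an elevated session).
    param([switch] $Remediate)

    foreach ($c in $LegacyChecks) {
        $current   = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $compliant = ($null -ne $current) -and ([int]$current -eq $c.Expected)

        if ($Remediate -and -not $compliant) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                -Value $c.Expected -Force | Out-Null
            $current = $c.Expected
            $compliant = $true
        }

        [pscustomobject]@{
            Recommendation = $c.Name
            Key            = "$($c.Path)\$($c.Value)"
            Current        = $current      # $null when the value does not exist
            Expected       = $c.Expected
            Compliant      = $compliant
        }
    }
}

# Usage: read-only audit first, then remediate only where needed.
Test-LegacyHardening | Format-Table -AutoSize
# Test-LegacyHardening -Remediate
```

Defender only raises the Adobe recommendations on devices where that product is actually installed, so a missing value on a device without Acrobat is not a finding; on those devices the script still reports the value as absent, which is expected.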

Update firewall configurations to include new Intune network endpoints

This morning, I noticed this notification in Microsoft Intune started showing.

If you click on the link, it takes you to the M365 Admin Center. I reviewed the document to ensure I understood everything before applying it. So, what do we need to do? According to the Microsoft document, there are changes in IP ranges and service tags for both the Public and Government clouds. These changes are part of the Secure Future Initiative (SFI) and must be completed before December 2nd, 2025. Organizations (companies and government) need to configure their outbound firewall traffic for Intune or Azure to match Microsoft's new ranges. This must be done at the firewall, router, proxy, and NSG levels, by adding the new ranges without removing any existing network or firewall configuration, and by including the new Azure Front Door service tag, 'AzureFrontDoor.MicrosoftSecurity'. To download the JSON document for the Government and Public clouds, click the links below. Public clouds: ...
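The practical step is to pull the prefixes of the new tag out of the downloaded JSON and add only what your firewall does not already allow. The PowerShell below is an added example for this page, not Microsoft's or the author's code. It assumes the download follows the Azure Service Tags JSON schema (a top-level "values" array whose entries carry properties.addressPrefixes); the embedded sample is constructed with RFC 5737/3849 documentation ranges and is not Microsoft's data, and the "existing allow list" is likewise made up for the demonstration.

```powershell
# Added example, not from the original post. Assumption: Service Tags JSON schema.
# The sample document and the allow list below are constructed, not real data.

$SampleServiceTagsJson = @'
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {
      "name": "AzureFrontDoor.MicrosoftSecurity",
      "id": "AzureFrontDoor.MicrosoftSecurity",
      "properties": {
        "changeNumber": 1,
        "region": "",
        "platform": "Azure",
        "systemService": "AzureFrontDoor",
        "addressPrefixes": [ "203.0.113.0/24", "198.51.100.0/25", "2001:db8:10::/48" ],
        "networkFeatures": [ "API", "NSG", "UDR", "FW" ]
      }
    }
  ]
}
'@

function Get-ServiceTagPrefixes {
    # Returns the address prefixes of one service tag from a Service Tags JSON document.
    param(
        [Parameter(Mandatory)] [string] $Json,     # file content: Get-Content -Raw on the download
        [Parameter(Mandatory)] [string] $TagName
    )
    $doc = $Json | ConvertFrom-Json
    $tag = $doc.values | Where-Object { $_.name -eq $TagName }
    if (-not $tag) {
        throw "Service tag '$TagName' not found in this '$($doc.cloud)' file (changeNumber $($doc.changeNumber))."
    }
    $tag.properties.addressPrefixes
}

function Get-MissingPrefixes {
    # Only ranges not already allowed: the guidance is to add, never remove.
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        [string[]] $Allowed = @()
    )
    $Required | Where-Object { $_ -notin $Allowed }
}

# Usage against the constructed sample:
$existingAllowList = @('203.0.113.0/24')      # constructed: what the firewall allows today
$required = Get-ServiceTagPrefixes -Json $SampleServiceTagsJson -TagName 'AzureFrontDoor.MicrosoftSecurity'
Get-MissingPrefixes -Required $required -Allowed $existingAllowList   # 198.51.100.0/25, 2001:db8:10::/48

# Against the real download:
# $json = Get-Content -Raw -Path .\ServiceTags_Public.json
# Get-ServiceTagPrefixes -Json $json -TagName 'AzureFrontDoor.MicrosoftSecurity'
```

The comparison is string-based, so a required prefix that is already covered by a broader CIDR on the firewall still shows up as missing; treat the output as a worklist to review, not a list to paste blindly. On Azure NSGs you can reference the service tag itself instead of the individual ranges, which is the option that keeps tracking Microsoft's changes automatically.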

Intune Security Policies – E2

Security – Audit

After my first episode, I was busy working on different projects. Today, I decided to continue the security journey and recommendations. After "Administrative Templates Personalization," I realized I should discuss another security aspect: Audit. In the Intune settings catalog there are 59 settings related to "Auditing," and in this blog I selected some of the most important ones, which are also recommended by most security baselines and the CIS Benchmark.

Audit Process Creation: Include command line in process creation events (Enabled): This policy setting determines what information is logged in security audit events when a new process is created. It only applies if the Audit Process Creation subcategory is enabled. When enabled, the command line of every new process is logged in plain text in the Security event log as part of the Audit Process Creation event 4688, 'A new process has been created', on the workstations and servers where this policy is applied. If this policy setting is disa...
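The setting is only useful when both halves are on: the Process Creation audit subcategory (which produces 4688 at all) and the command-line flag (which fills in the CommandLine field). The PowerShell below is an added example for this page, not the author's code: it enables both the way the Intune setting does on a single machine, verifies them, and reads recent 4688 events back so you can see the command lines. It assumes an elevated session and that the registry value shown is the one the "Include command line in process creation events" policy writes.

```powershell
# Added example, not from the original post. Run elevated. Assumption: the
# policy writes ProcessCreationIncludeCmdLine_Enabled under the Audit policy key below.

$CmdLinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'

function Enable-ProcessCommandLineAuditing {
    # Without the subcategory no 4688 is written; without the flag CommandLine stays empty.
    auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    if (-not (Test-Path $CmdLinePolicyKey)) { New-Item -Path $CmdLinePolicyKey -Force | Out-Null }
    New-ItemProperty -Path $CmdLinePolicyKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-ProcessCommandLineAuditing {
    # $true only when the subcategory audits successes and the command-line flag is 1.
    $sub   = auditpol.exe /get /subcategory:"Process Creation" /r | Where-Object { $_ } | ConvertFrom-Csv
    $subOn = [bool]($sub.'Inclusion Setting' -match 'Success')
    $flag  = (Get-ItemProperty -Path $CmdLinePolicyKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
                 -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    return ($subOn -and ($flag -eq 1))
}

function Get-ProcessCreationEvents {
    # Parses the EventData of recent 4688 events into objects, flagging command
    # lines that look like they carry a secret (the price of plain-text logging).
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process        = $data.NewProcessName
                Parent         = $data.ParentProcessName
                CommandLine    = $data.CommandLine   # empty until the policy is on
                LooksSensitive = [bool]($data.CommandLine -match '(?i)(pass(word)?|pwd|secret|token)[=:\s]')
            }
        }
}

# Usage:
# Enable-ProcessCommandLineAuditing
# Test-ProcessCommandLineAuditing            # $true when both pieces are in place
# Get-ProcessCreationEvents -MaxEvents 20 | Format-Table Time, User, Process, CommandLine -Wrap
```

The LooksSensitive column is the caveat that comes with this setting: once enabled, anyone who can read the Security log (or the SIEM it forwards to) can read every argument, including passwords passed on a command line. That is a reason to fix the scripts that do so, not a reason to leave the setting off, because 4688 with the command line is the single most useful event for detecting living-off-the-land activity.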

How to create a BitLocker policy to exclude a specific USB model from encryption

BitLocker is one of Microsoft's best-known features for securing drives by encrypting them, using different encryption methods. It is not new: it has been manageable through SCCM for years, and when Intune was introduced it became available on the cloud side as well. The current policy focuses on TPM 2.0, which is mandatory for Windows 11. There are many fantastic blogs in our community about BitLocker details, and Microsoft has documented it well, so I will go over the configuration quickly, because this blog is about USB encryption.

How to configure a BitLocker policy: you can do it in different ways, by creating a new policy under 'Devices', or from 'Endpoint security'. I personally prefer the second way: Endpoint security > Disk encryption > Create a new policy, then select Windows and BitLocker.

Configuration settings: these settings have many submenus (I am doing Entra join here; if you have a different setup, AD or both, as I also have, select accordingly). BitLocker: BitL...
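To exclude one USB model rather than one particular stick, you need the model-level hardware ID of the device, not the instance ID that embeds the serial number, and you want to know which removable volumes BitLocker currently protects. The PowerShell below is an added example for this page, not the author's code: it lists the hardware IDs of the USB disks currently plugged in and the BitLocker state of removable volumes. My assumption is that the exclusion policy in the BitLocker CSP (RemovableDrivesExcludedFromEncryption) is keyed on these USBSTOR hardware ID strings; confirm the setting name and the exact string format against Microsoft's BitLocker CSP reference before building the policy.

```powershell
# Added example, not from the original post. Assumption: the exclusion policy
# expects the USBSTOR hardware ID (model level); confirm against the BitLocker CSP docs.

function Get-UsbDiskHardwareId {
    # Present USB disks with the IDs a policy could match on.
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId   # ends with the serial: unique per stick, not per model
                HardwareIds  = $hwIds          # vendor/product/revision: identifies the model
            }
        }
}

function Get-RemovableBitLockerState {
    # BitLocker status of every mounted removable volume (BitLocker To Go).
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $bl = Get-BitLockerVolume -MountPoint "$($_.DriveLetter):" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = "$($_.DriveLetter):"
                Label            = $_.FileSystemLabel
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'n/a' }
                EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'n/a' }
                VolumeStatus     = if ($bl) { $bl.VolumeStatus }     else { 'n/a' }
            }
        }
}

# Usage: plug in one stick of the model you want to exclude, then
Get-UsbDiskHardwareId | Format-List
Get-RemovableBitLockerState | Format-Table -AutoSize
```

Pick the most specific hardware ID that still covers the whole model (the one without the revision suffix if you expect firmware revisions to vary), and test the policy with a second stick of the same model and one of a different model before assigning it broadly: an exclusion that is too broad silently turns off encryption for drives you meant to protect.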

New LAPS for Windows 11 24H2

Windows LAPS automatically manages and backs up the password of a local administrator account on devices joined to Microsoft Entra ID (formerly Azure AD) or Windows Server Active Directory. This feature helps protect against pass-the-hash and lateral-movement attacks, enhances security for remote help desk scenarios, and facilitates device recovery when devices become inaccessible.

As many of you know, LAPS for Entra joined devices was announced around 2023 and has worked perfectly since then on Entra joined, hybrid joined, and on-premises AD joined devices. One of the big challenges we all know is that the first version (if I can call it that) of LAPS did not allow you to create a new custom admin account or change the existing admin account, which meant we had to use custom configuration or scripts to do that.

Microsoft announced the new LAPS about 3 weeks ago via Arnab Mitra, Sr. Program Manager at Microsoft, and it was a great announcement. Let us go ahead and co...
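Once a policy that lets LAPS create its own managed account is assigned, the thing to verify on a device is that the managed account exists, that the built-in Administrator is in the state you intended, and that the last policy run succeeded. The PowerShell below is an added example for this page, not the author's or Microsoft's code. It assumes that Intune-delivered LAPS policy lands under HKLM\SOFTWARE\Microsoft\Policies\LAPS and that the account-management settings use the AutomaticAccountManagement* names from the LAPS CSP; both are my assumptions, so if the first function returns nothing, check where the policy landed on your device.

```powershell
# Added example, not from the original post. Assumptions: policy registry location
# and the AutomaticAccountManagement* value names; verify on your own device.

function Get-LapsPolicyOnDevice {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    if (-not $p) { return $null }
    [pscustomobject]@{
        BackupDirectory          = $p.BackupDirectory                         # 1 = Entra ID, 2 = AD
        AdministratorAccountName = $p.AdministratorAccountName
        AutoManageEnabled        = $p.AutomaticAccountManagementEnabled
        AutoManageTarget         = $p.AutomaticAccountManagementTarget        # built-in vs new custom account
        AutoManageNameOrPrefix   = $p.AutomaticAccountManagementNameOrPrefix
        AutoManageRandomizeName  = $p.AutomaticAccountManagementRandomizeName
        AutoManageEnableAccount  = $p.AutomaticAccountManagementEnableAccount
    }
}

function Get-LocalAdminInventory {
    # Every member of Administrators and whether it is enabled. Once LAPS manages a
    # custom account, the RID 500 account should normally be disabled.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $u = if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
                 Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
             }
        [pscustomobject]@{
            Name     = $_.Name
            Source   = $_.PrincipalSource
            Enabled  = if ($u) { $u.Enabled } else { 'n/a' }
            IsRid500 = ($_.SID.Value -like 'S-1-5-21-*-500')
        }
    }
}

function Get-LapsRecentEvents {
    # Windows LAPS logs every policy run here; errors and warnings show what failed.
    param([int] $MaxEvents = 25)
    Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage (elevated):
# Invoke-LapsPolicyProcessing          # force a policy run instead of waiting for the schedule
# Get-LapsPolicyOnDevice
# Get-LocalAdminInventory | Format-Table -AutoSize
# Get-LapsRecentEvents | Where-Object LevelDisplayName -ne 'Information'
```

Invoke-LapsPolicyProcessing and the LAPS event log are part of the Windows LAPS module shipped in the OS, so nothing needs to be installed. Keep the inventory function in your toolkit: a second enabled local admin that LAPS does not manage is exactly the lateral-movement path LAPS exists to close.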