Steve Prentice | SWB

46.7K posts


@steveprentice

Somerset Whisky Blog | https://t.co/4SCJmzOojk | IAM Architect, Somerset Council | FB/IG/Threads: @steveprentice | Bluesky: @steveprentice.uk

Somerset, UK, joined January 2009
1.9K Following, 3.6K Followers
Steve Prentice | SWB (@steveprentice):
@Anavem_ Haha, totally. Then you try to do something that’d have taken you 5 seconds in GPP only to find you’re forced to write remediation scripts to achieve the same thing but is a slower more clunky way.
Anavem.com (@Anavem_):
Intune vs GPO. I LOVE Intune. Seriously. But let's be real: we traded total control (GPO) for cloud dependency that flakes out sometimes. No internet? Good luck. Slow portal? Restart everything. We gained flexibility… but lost reliability when it hits the fan. You rage sometimes too, or is it just me? #sysadmin #intune #gpo #cloudmanagement
Clint Rutkas (@ClintRutkas):
Hey @JenMsft, check your email, sent you something you may be interested in 😄
Adam G (@AdamGell):
Had a small meeting with Microsoft today, where I asked about hybrid autopilot. I’ll let you guess how that went.
Richard Hicks (@richardhicks):
Had a great time talking about #Microsoft #Entra Private Access with @merill last week. We compared Global Secure Access (GSA) with traditional VPN technologies and discussed #VPN migration strategies. Check it out! #mobility #security #DirectAccess #aovpn #ztna #identity
Quoted post from Merill Fernando (@merill):
Most VPN migrations fail before they even start. Not because of technology. Because of approach. In our latest podcast, remote access expert @richardhicks shares something interesting: He’s helped organizations transition away from legacy VPNs multiple times and the successful migrations all follow a similar pattern. One of the biggest secrets? 👉 Don’t rip out the VPN first. Instead:
🔹 Deploy Microsoft Entra Private Access alongside the existing VPN
🔹 Let the new client intercept traffic before the tunnel
🔹 Gradually move apps over
🔹 Then retire the VPN
This reduces risk dramatically and gives teams time to understand how identity-based access changes the model. The shift is bigger than most teams expect:
🔰 Legacy VPN → network access
🔰 Modern Zero Trust → application access
If you're considering moving to Microsoft Entra Private Access, this episode is full of practical lessons from someone who has already done it several times. 🎧 Watch the full conversation at entra.news/p/how-to-migra…

Steve Prentice | SWB (@steveprentice):
@richardhicks @merill Cool, that's basically exactly what I mean and what I'll probably try. I've created a new AO VPN profile with split routes reduced as far as possible to just DC ranges to allow for logins, then plan to GSA for users after login, with any luck.
Richard Hicks (@richardhicks):
GSA/Entra Private Access doesn't support device connection. It's user only. With that, the solution is better suited to native Entra joined deployments. If you have hybrid-join you can always continue to use the Always On VPN device tunnel for machine connectivity and transition to GSA/EPA for user access. I have a PoC going with a customer now for that setup.
Steve Prentice | SWB (@steveprentice):
@richardhicks @merill Exactly that, it's split. Ok cool, no worries, was just interested as I'd only just noticed. Makes sense it can't dial after GSA has grabbed the stack. I tried to see if the VPN URL could be excluded but there's no way to do that.
Steve Prentice | SWB (@steveprentice):
@richardhicks @merill Thinking Hybrid Join devices that need line of sight to a DC pre login, how would you do that? My plan is device tunnel AOVPN for the DC comms, then GSA connects after user login? Any other way seems to end me up needing to blat devices and Entra Join them, which is painful.
Steve Prentice | SWB (@steveprentice):
@richardhicks @merill Enjoying this, watching at the mo! Great timing as I'm evaluating AOVPN->GSA at the moment and looking at coexistence. I find you have to dial VPN first before GSA is enabled and it works, but not the other way around, can't dial the IKEv2 VPN if GSA is enabled, is that expected?
Steve Prentice | SWB (@steveprentice):
@beamex78 @fabian_bader Exactly what I’ve done. Still wasn’t working yesterday when I tried, so hopefully it’ll be rolled out to our tenant soon.
Alex Mærsk (@beamex78):
@fabian_bader So creating a dynamic group with our cloud only admins and target for this would be a great idea?
Fabian Bader (@fabian_bader):
Microsoft just announced official support to store device bound Passkeys for Entra ID in the Windows Hello container. No app, no external hardware key but built in support. Sadly no attestation while in preview. mc.merill.net/message/MC1247… #Passkey #EntraID
Steve Prentice | SWB (@steveprentice):
@NathanMcNulty @fabian_bader I guess, reading between the lines, that it's a work in progress, which at least I suppose is good to know. Passkeys are great, but they just feel a bit more clunky than an Authenticator push, whereas WHfB would fix that: no need to get the phone out, connect, etc. Maybe.
Steve Prentice | SWB (@steveprentice):
@NathanMcNulty Hello! :-) You're a man who knows things, any idea around passkeys and windows hello? I thought I'd be clever and try to register a passkey and use face from my device, but no joy. I've tried adding some WHfB AAGUIDs into Fido 2 Auth method. To qualify...
Steve Prentice | SWB (@steveprentice):
@kaidja Sounds good… I do indeed run KQL against Log Analytics and generally have a 20 minute lag… how would I do what you suggest instead?
Kaido Järvemets (@kaidja):
If you're building PIM activation alerting with Logic Apps + KQL against Log Analytics - check Microsoft's own docs first. Entra ID AuditLogs routed to Log Analytics: up to 3 days latency. No SLA. Your "real-time PIM alert" fires hours after someone already has Global Admin. For actual real-time: use native PIM role activation notifications.
Steve Prentice | SWB (@steveprentice):
@acjuelich I know, right? I get automated emails from MS nagging me to use multiple DCs for redundancy.
GWR (@GWRHelp):
I’m very sorry for the frustration this caused. I understand how upsetting this must have been, particularly as you’ve previously travelled with your e-bike on other services, including with GWR and SWR, without any issues. Station supervisors make decisions based on local conditions and safety considerations, which can sometimes lead to different outcomes at different locations. To raise a formal complaint for investigation, please fill in our complaints form at railhelp.co.uk/gwr/make-a-com…. The customer support team will be in touch as soon as they can - Cece
Pandora Midnight (@pandorakernow):
Hey @GWRHelp, after taking my bike safely on your trains several times I suddenly find myself being denied entry to Exeter Central station to continue my journey home. Could you please explain the sudden change which means my legal e-bike is now denied?
Steve Prentice | SWB (@steveprentice):
@richardhicks I was wondering if something like this might shed any light… learn.microsoft.com/en-us/windows/… (section "troubleshoot a safeguard hold manually")
Richard Hicks (@richardhicks):
My workstation is stuck at Windows 11 23H2. Recently updated to TPM 2.0. PC health check tool shows it meets all requirements. However, it isn't updated to 25H2. All of my other devices have. Thoughts, anyone?
Dave Alcock (@whiskyrepublic):
Well hello 2026! Emerging from a few “challenged health” weeks. Lined up a few recent auction purchases from 1 of my favourite distilleries - Tobermory/Ledaig. One already opened but which one is next? Have a great w/e folks 😀👍🏼
Craig (@CraigStoneUK):
Today I share the heartbreaking news of my sister Sarah’s passing. My big brave sister 🕊️🫶🏻❤️🫶🏻🕊️
Steve Prentice | SWB (@steveprentice):
@Mister_MDM Great deep dive! But the short answer is: just use a remediation (until one day maybe the Windows team will fix it, but I don't want to wait)?
Rudy Ooms (@Mister_MDM):
Secure Boot policies failing with Error 65000 in Intune? Like everyone else, we now have to deal with Secure Boot certificates that are going to expire. Microsoft made it sound simple by providing a built-in Intune policy to trigger the Certificate update. In reality, the policy deploys, and Intune reports the most generic error of them all: Error 65000. When you look at the device itself, the real reason shows up immediately: policy is rejected by licensing. What makes this even more confusing is that it does not stop at Windows Pro. The same rejected by licensing error appears on Enterprise devices as well. Especially those upgraded through subscription activation, where Enterprise is effectively layered on top of Pro. At that point, this is no longer an Intune question. It becomes a Windows question. The decision is made by the licensing engine (SLAPI), all based on an internal MDM policy allow list. LicensingDiag is the only tool that actually exposes that evaluated result. I followed that path to see where the policy really fails. The full story is in the blog. patchmypc.com/blog/intune-po… #SecureBoot #Intune #MSIntune #Windows #Windows11