Kenneth van Surksum - MVP

🚀 New Conditional Access Baseline (v2025-10) is now live on GitHub! 👉 github.com/kennethvs/caba… It includes: ✅ JSON export of all CA policies 📄 PDF overview via Merill’s CA Documenter 🧰 Export tooling by Mikael Karlsson Based on my earlier Conditional Access Demystified whitepaper still updated regularly with the latest Microsoft Entra ID practices. Full post 👉 vansurksum.com/2025/10/18/con…

Registration for AppManagEvent 2026 recently opened! Join speakers like Brian Madden, @Timothymangan , @Samilaiho , @Paulacqure, @Mikael_nystrom @ronnipedersen @Jimmoyle , @Tim_Dk , @kennethvs , @pdaalmans and many more. We look forward to welcome you coming fall.

Identity attacks continue to evolve, and so must our defenses. Session : What’s Next After You Mitigated AITM? Speakers ⭐️ Erik Loef @erikloef ⭐️ Kenneth van Surksum @kennethvs Over the last decade we moved from passwords to MFA, and more recently to phishing-resistant MFA to mitigate adversary-in-the-middle attacks. But attackers continue to adapt, and new threats are emerging. In this session, Erik and Kenneth will explore what comes next in protecting identities, including risks such as token theft and session hijacking, and what organizations should consider as the next step in strengthening their identity security strategy. What you will learn • How identity attacks have evolved from passwords to AITM attacks • Why phishing resistant MFA is only part of the solution • What new threats such as token theft mean for modern identity security Discover the full agenda and all sessions at endpointsummit.com #MEMSummit #Endpointmanagement

On February 5th, we’re excited to have @pdaalmans and @kennethvs take the stage at MC2MC Connect. Their session, “Essential Tips and Tricks for Today’s Workplace Admin,” is packed with actionable, real-world insights. 🎟️ connect.mc2mc.be #MC2MC #ConnectMC2MC2026

🚀 Speaker Announcement! Excited to welcome Ugur Koc, well-known community contributor and Senior Product Manager at glueckkanja, to WP Ninja Connect on 4 Feb 2026! Creator of many tools that truly help the community move forward. 🔗 nl.wpninjas.global/wpninjas-conne… 🥷🏼 #WPNinjasNL

@MihaPecnik That is unintentionally, let me fix that

@kennethvs Just going through this, considering it for a project. I see that CAU005 is missing, is that on purpose?

🚀 New Conditional Access Baseline (v2025-10) is now live on GitHub! 👉 github.com/kennethvs/caba… It includes: ✅ JSON export of all CA policies 📄 PDF overview via Merill’s CA Documenter 🧰 Export tooling by Mikael Karlsson Based on my earlier Conditional Access Demystified whitepaper still updated regularly with the latest Microsoft Entra ID practices. Full post 👉 vansurksum.com/2025/10/18/con…

RT @Mister_MDM: The Intune MDM Device Certificate and its renewal… Next year (around 03/04 of 2025) every single Intune MDM certificate wi…

Microsoft keeps rolling out new #Copilot features at lightning speed, great for innovation, but risky without #governance. In my new blog I share how to bring order to this fast-moving rollout in Microsoft 365 👇 vansurksum.com/2025/10/29/bri…

Ever feel like Intune takes its time to apply a policy? That behavior isn’t something new…. it goes back to the original “get, set, get” model Microsoft built nearly twenty years ago. The same OMA DM Protocol that once powered Windows Phone became the blueprint for every Intune policy still running today. Even now, you can still spot WindowsPhoneProvider references buried inside the OMA DM client code. This blog looks at where Intune all started: patchmypc.com/blog/the-histo… #Intune #MSIntune #Windows #Windows11

Balancing Control & Convenience — Preventing Edge Password Sync on Unmanaged Devices 🖥️ How to secure Microsoft Edge with: ✔️ Conditional Access ✔️ Edge Management Service ✔️ Smart sign-in restrictions Learn how to block password sync safely 👉 vansurksum.com/2025/10/20/bal… #MicrosoftEdge #Intune #ConditionalAccess #EntraID #Security #M365

.@Office365 #Entra and #Microsoft365 are formed from many apps. A recent update exposes additional Microsoft 1st party apps for Conditional Access policies. Most are linked to the My Sign-Ins portal. Here's what's happening: office365itpros.com/2025/10/15/my-…

Ever wondered what those S 1 12 1 entries in your Administrators group actually represent With the new AADSidToNameV2Support feature, Entra group and role SIDs are automatically translated into real names and stored on the device (cached) Here is the blog that explains how it works patchmypc.com/blog/windows-f… #Intune #MSIntune #Windows #Entra #Windows11 #Azure

When “Block All” in Conditional Access blocks too much… 🔒 Until recently, guest users couldn’t change their MFA methods when you blocked all cloud apps. The My Sign-ins app is now selectable in Conditional Access 🎉 Finally possible: ✅ Limit guests to M365 resources ✅ Keep self-service (MFA, profile) working 🧩 Read how to configure it: vansurksum.com/2025/10/12/con… #EntraID #ConditionalAccess #Microsoft365 #Intune

@wpninjasummit is kicking off soon. All paths lead to Baden.

@Mister_MDM 🙈

Heads up!! Quality Updates During OOBE is been pulled back (again) Microsoft announced it. The Enrollment Status Page finally got a new toggle to enforce updates (or prevent) after Autopilot. I traced how it runs in Autopilot. Now the rollout is again paused. The ESP toggle stays. The Update screen??? That is gone! #Intune #MSIntune #WindowsAutopilot #Windows11 #Windows call4cloud.nl/windows-autopi…

@Mister_MDM 🙈

🚨 KB5065848: The ZDP Update That broke Autopilot and Broke the BitLocker Policies! First, BitLocker policies started failing silently. The event logs showed “applied,” but devices didn't accept the 256-bit encryption. Then, Windows Autopilot devices were stuck on the "Identifying" stage during ESP. Same week. Same Windows image. Same assignments. Same Policies The trail led us to KB5065848, a Zero Day Patching (ZDP) update dropped during OOBE. This ZDP quietly introduced the restore functionality for Windows Backup for organizations, but also updated the PolicyManager.dll. Combining Application Guard and Edge policies will break the omadmclient.exe. Microsoft has since pulled the ZDP update, which fixed BitLocker and Autopilot but it also means the restore functionality for Windows Backup for Organizations, the very thing KB5065848 was meant to enable, is now gone again. Two problems, one ZDP package, and one feature quietly disappearing. 🔗BitLocker ISSUE: patchmypc.com/blog/bitlocker… 🔗Autopilot ISSUE and FIX: patchmypc.com/blog/windows-a… #Intune #MSIntune #Windows #WindowsAutopilot

🛡️ Identity #Security at its Best🛡️ Our #IdentitySecurity Track dives deep into the challenges & innovations shaping secure identity infrastructures. From token theft protection to Conditional Access. 👉identitysummit.cloud #IdentitySummit #MicrosoftEntra #ConditionalAccess

🧠 Deep Dive into Identity Management 🧠 Our #IdentityManagement Track brings together top experts to explore the future of identity in the cloud. From Entra ID to external identities and automation. 👉identitysummit.cloud #IdentitySummit #MicrosoftEntra #IAM #CloudSecurity

Join @Kennethvs & @ErikLoef at AppManagEvent on Oct 11 for “Fighting Adversary in the Middle” — a deep dive into detecting & defending against AiTM attacks. Don’t miss it! #AppmanagEvent #CyberSecurity #MicrosoftSecurity #IdentityProtection

When productivity meets flexibility, security must keep up. In this session, Kenneth van Surksum shows how to protect your data in Microsoft 365 and other SaaS apps, without blocking collaboration. Real-world experience, demos, and practical strategies to secure your workplace.