Every couple of years a familiar incident pattern surfaces in environments that use Microsoft Intune with on-premises Active Directory Certificate Services: SCEP enrollment quietly stops working. Wi-Fi profiles fail to renew. VPN connections drop. Devices fall out of compliance. The cause, almost always, is that one of several certificates in the NDES + Intune Certificate
Last year I wrote that IT/OT convergence is a control plane problem, not a network problem. Two months on, I want to put down what we have actually learned by doing the work, across active Azure Local deployments running at OT network level. This post is what I would say to a customer asking me,
Microsoft’s Windows UEFI CA 2011 and Microsoft Corporation KEK CA 2011 expire in June 2026. Every Windows device with Secure Boot enabled needs the 2023 replacement certificates installed in firmware before that, or it will eventually stop receiving boot-level security updates. The deadline is real, the deployment is straightforward, and the inventory across a mixed
During an Azure governance review last month, a customer asked a simple question. Who has Owner role assignments in their tenant, and at which level of the management group hierarchy? The Azure portal answered the first half, then asked us to click into every Management Group and Subscription one by one to finish the answer.
An app registration in a tenant I reviewed recently had no configured permissions in its manifest. The service principal behind it had been granted Directory.ReadWrite.All anyway, eight months earlier. Nobody on the operations team knew. The grant did not show up in any of the dashboards they checked. That gap, configured permissions versus granted permissions,
Reviewing a tenant for an access governance project, I noticed something odd. A senior consultant had three MFA phone numbers registered in Entra ID. Two of them belonged to a guest account from a project two years earlier, created during onboarding and never cleaned up. The account everyone actually used for daily work had none
Autopilot makes the first-boot experience for a new Windows device almost magical — until Windows Update kicks in. Then the device sits on the Enrollment Status Page for fifteen, twenty, sometimes forty minutes with no real signal to the user about what is happening. Behind the scenes, PSWindowsUpdate is doing its job under SYSTEM context,
IT/OT convergence is one of those phrases that gets used without anyone agreeing what it means. For some, it’s a vendor pitch. For others, it’s a Wednesday morning meeting where one team explains for the fifth time why the engineering workstation on a plant floor cannot just join Entra ID. After running a few of
If you live in Microsoft Entra PIM, you click. A lot. Every workday starts the same way — open the portal, find the right role, type a justification, pick a duration, activate, repeat for the next role. After about the fourth click I started looking for a PowerShell shortcut. When I couldn’t find one that
Get an inside look at the exclusive Microsoft Security Engineering Airlift 2025 in Redmond—where elite partners strategized, networked, and provided direct product group feedback to shape the future of security.
