Mobile Device Managment

Blocking the Microsoft Store (App) with AppLocker

15/06/202615/06/2026 by Remy Kuster

If you want to stop users from installing apps from the Microsoft Store and apps.microsoft.com, while still letting built-in Store apps like Photos, Paint, and Snipping Tool run and update automatically in the background, this post will show you how I pulled it off using AppLocker deployed through a Custom OMA-URI policy in Microsoft Intune. … Read more

Building a Secure LAPS Password Portal with Azure and Microsoft Graph

04/06/202607/04/2026 by Remy Kuster

We are planning to implement Local Administrator Password Solution, but the first thing I wondered was how inconvenient it would be for support engineers and helpdesk staff to retrieve LAPS account and password. Log into the Intune portal, navigate to the devices tab, search for the device, and dig through the properties to find the LAPS password — every single time they need an admin account. That had to be faster.

So (with some help of a good friend) I built the LAPS Portal: an Azure Web App with an Azure Function App as the backend, secured by two app registrations for authentication and Graph API calls. It runs at no extra cost and works on any device. Especially useful when you’re standing next to a device in the field and need the LAPS account and password right then and there — just open the portal on your phone, type the device name, and you’re done.

Here is exactly how you can set this up.

Soft‑Deleted Entra ID Group Broke an Intune Role

11/03/2026 by Remy Kuster

Recently, I ran into a confusing Intune issue that looked like a permissions problem… but turned out to be something completely different and far more subtle.
If you work with Intune RBAC, custom roles and scope tags, this story may save you a lot of troubleshooting.

Create a Custom Entra ID Role to View LAPS Passwords in Microsoft Intune

04/02/202626/01/2026 by Remy Kuster

We’re planning to roll out Windows Local Administrator Password Solution (LAPS), and a key requirement is that our helpdesk staff and workplace admins can access the LAPS password. This post shows how to view LAPS passwords in Intune without granting to much permissions. I will explain how to create a custom Microsoft Entra ID role that allows controlled visibility of LAPS passwords, and how to integrate this role seamlessly with existing Privileged Identity Management (PIM) group.

Assign Intune device category based on users department property

05/04/202414/02/2024 by Remy Kuster

macOS devices enrolled via Apple Business Manager don’t have the option to be enrolled to Intune with a group tag like Windows devices. With a group tag you can create a dynamic device group and then auto assign a scope tag to those devices. So it would be nice to think of something so macOS devices also could be added to a dynamic group and then auto assign a scope tag to those devices. In order to achieve this I created a PowerShell script with Intune Graph to auto assign a (department) category to the macOS Intune managed devices based on the users department property. You can read my post to find out how you can achieve this.