• Methods to reset an autopilot device

    There are a few different ways to remotely reset a Windows 10/11 device from Intune: wipe, fresh start, reset.

    The following table summarises the behaviours of each method.

    MethodUsageOOBEUser dataIntune managementAzure AD enrollment
    Retire/DeleteGet rid of outdated devicesYesKeepremoveremove
    Wipe (keep enrollment)Reset device to default. Remove AppsNoKeepkeepkeep
    WipeReset OS to default.
    Good for lost stolen device and device handover
    Fresh Start (keep user data)Reset device to Signature Edition, remove Apps.
    Update to latest Windows version
    Fresh StartReset device to latest Windows Signature Edition.
    Update to latest Windows version
    Autopilot ResetReuse a device.
    Does not support Hybrid Azure AD joined devices

  • Different Azure AD Join Types

    It can take some research and tests to understand the difference between different Azure AD join types.

    I summarised some key differences in the following.

    Difference betweenAzure AD registeredAzure AD joinedHybrid Azure AD joined
    Primary audience        Bring your own device (BYOD) Mobile devicesOrganizational computerOrganizational computer
    OSWindows 10, iOS, Android, and MacOSWindows 10 devices (except Windows 10 Home) Windows Server 2019 Virtual Machines running in Azure (except Server core)Windows 10, 8.1 and 7 Windows Server 2008/R2, 2012/R2, 2016 and 2019
    Device sign in optionsLocal account Windows HelloOrganizational account in Azure AD Windows Hello for BusinessOrganizational account in on-prem AD Windows Hello for Business
    Sign in authenticate toLocal computerAzure ADOn-prem domain controller
    Device managementMDM (Intune)MDM (Intune)MDM (Intune) and Group policy
    SSOSSO to cloud resourcesSSO to both cloud and on-premises resourcesSSO to both cloud and on-premises resources
    Self-service Password ResetOnly for local accountFor Organizational account at login/lock screenFor Organizational account at login/lock screen

    As more and more staff work from home, IT starts to consider solutions to allow remote identity management without relying on line-of-sight to domain controllers. so:

    • If you want to login to a computer by authenticating to Azure AD, you will need to unbind the computer from on-prem AD then bind to Azure AD. A hybrid Azure AD joined computer will still authenticate to your domain controller
    • Microsoft recommends to use the MDM-only approach to manage all Azure AD joined devices, instead of co-management with SCCM.
  • Auto-create Default Outbound NSG for Servers in Azure


    In Azure, Network Security Group (NSG) is a basic firewall containing a list of security rules.

    NSG can be associated to subnets, individual NICs or both.

    By default the outbound NSG for a subnet allows all outbound traffic, which is not secure for servers.

    There are discussions [1] [2] on how to limit the outbound traffic while allowing traffic to Azure infrastructures required by different services like Windows updates.

    I found that existing methods created hundreds of rules which are difficult to maintain. This post introduces a method to create a single rule the allows the outbound traffic to all Azure IP ranges.


    Code – new

    The following script uses Azure Powershell az.

    As it doesn’t support GUI yet so there are more parameters to set before running it.

    Code – old

    The following script uses Azure Powershell.

    Adjust the 3 parameters before running it.

    After running the code

    After defining these Azure-related outbound rules, you may need to add some additional rules to permit outbound access to other legitimate non-Azure services, such as

    • public DNS servers
    • email services
    • APIs,
    • etc, that your applications may also need to access

    Then, you can create a rule at the end of the NSG to block all outbound traffic.




  • Exchange – “send as” and “send on behalf” records

    In Exchange 2010 and 2013, when you configure “send as” and “send on behalf” for a mailbox or shared mailbox, by default the sent emails are only copied to sender’s sent box but not from’s mailbox.

    If multiple persons have access to the same mailbox or shared mailbox, they may want to see the email/reply sent by other persons so that they are aware of the status/conversation.

    To copy sent emails to both sender and from mailbox: