Bikash Shrestha

Stale Devices Are Killing Your Secure Score

Thu, 04 Jun 2026 00:00:00 +1000

Most tenants accumulate device inventory debt over time. Decommissioned VMs, test machines someone joined to Entra ID and never cleaned up, Windows 365 devices from a trial that ended months ago. They sit in Defender doing nothing except skewing your Secure Score.

I ran into this recently with a client. They had 200+ stale end-user devices that hadn’t checked in for months, plus a pile of ad-hoc VMs joined to Entra ID and then discarded. The interesting one was the AVD environment. An autoscale misconfiguration had been spinning up session host VMs and then deleting them without offboarding them from Defender first. The VMs were gone, but Defender still listed 30 to 40 of them as active devices.

Migrating Sentinel to Defender XDR: What to Avoid and What to Confirm

Tue, 12 May 2026 00:00:00 +0000

I’ve run this migration in tenants from single-workspace SMB through to multi-region MSSP delivery. The data plane stays put, in your Log Analytics workspace. The operator surface moves to security.microsoft.com, and the friction sits in RBAC, KQL scope, and incident schema. This is written for SOC engineers and platform owners who own the cutover, not the people who approve it.

What Actually Changes

The Azure portal Microsoft Sentinel blade gives way to security.microsoft.com. Onboarding is per-tenant via Microsoft Sentinel → Settings → Defender XDR, and selects one primary workspace. Sentinel surfaces as a left-rail node beside Investigation, Email & Collaboration, Endpoints, and Identities. Authoring still uses the Sentinel pages. The chrome around them is unified.

Intune vs GPO: Making the Case for Modern Endpoint Management Internally

Sat, 09 May 2026 00:00:00 +0000

Your GPOs have been quietly running the show for fifteen years. They work. But they were designed for a world where every device is on-premises, domain-joined, and within reach of a domain controller. That world is shrinking fast.

This isn’t a post about ripping out Group Policy tomorrow. It’s about understanding where Intune genuinely replaces it, where it doesn’t, and how to walk into that internal conversation without getting destroyed by the first engineer who’s actually done a migration.

Microsoft Secure Score: From the 30s to 90+

Thu, 01 May 2025 00:00:00 +0000

Most inherited tenants sit somewhere between 28 and 45. The controls are there, they’ve just never been touched. Getting above 90 is achievable in most environments, but the path there isn’t obvious. Here’s what works, what doesn’t, and where to start.

What Secure Score Actually Measures

Secure Score is a prioritised recommendation list with a number attached. That number is a ratio: current points divided by the maximum achievable points in your tenant. Controls are weighted, with some worth 2 points and others 16. Some are free to implement; others require licences you may not have.

About

Mon, 01 Jan 0001 00:00:00 +0000

Microsoft Cloud Security Engineer based in Warragul, Victoria. 18+ years across security, infrastructure, and cloud — currently specialising in Microsoft Sentinel, Defender XDR, Zero Trust, and the ASD Essential Eight.

This blog is where I write about the technical problems I run into and the approaches that actually work. No fluff, no vendor talking points.