Remotely collecting diagnostic logs for managed Microsoft 365 apps

This week is sort of a follow-up on a post of more then 5 years ago, about checking diagnostic logs for managed apps on iOS and Android devices. That post was focussed on how to achieve that locally on the device. Since recently, a lot has changed. The local option is still available, but it’s now also possible to remotely collect those diagnostic logs for managed Microsoft 365 apps. That make the troubleshooting of app protection and app configuration policies a lot easier. Without really difficult, or challenging, activities from an user perspective. The main thing that is left for the user, is accepting the remote collections of the diagnostics logs. There are, however, some other details to keep in mind. This post will focus …

Read more

Getting started with Personal Data Encryption

This week is all about a nice feature that has been introduced over a year ago, but that didn’t receive a lot of attention yet. That feature is Personal Data Encryption (PDE). PDE was introduced with Windows 11, version 22H2, as a security feature that provides file-based data encryption functionalities to Windows. Not as an alternative to BitLocker, but to work alongside BitLocker. Were the decryption key of BitLocker is released during the boot of the device, the decryption key of PDE is released during the sign-in of the user by using Windows Hello for Business. That makes sure that PDE is basically an additional layer of security, on top of BitLocker, that can focus on providing an additional layer of security for specific apps …

Read more

Why enrolling personal Windows devices might be a really bad idea

This week is basically a brief follow-up on one of my sessions at the Modern Endpoint Management Summit 2024. More specifically, my session about Protecting corporate data on personal Windows devices – Your options. During that session I went into a bit more detail about the discussion that I started earlier on Twitter/X around enrolling personal Windows devices. My opinion around that might be lightly biased from what I’ve seen over the years, but I do think that I can provide some insights into why I think that it’s not a good idea to enroll personal Windows devices. In this blog post, I’ll provide a short summary of what I’ve shared during my session. It’s good to have an opinion, but it’s even better to …

Read more

Quick tip: Only turn off notifications network usage when there is a direct requirement

This week is a relatively short post, mainly focused on providing a warning around turning off notifications network usage on Windows devices. Turning off notifications network usage can be used to prevent applications from using the notifications network the send notifications. No matter if that notification is a tile update, tile badge, toast, or any raw updates. It basically turns off the connection between Windows and the Windows Push Notification Services (WNS). WNS enables third-party developers to send those notifications. It provides a mechanism to deliver updates to users and devices in a power-efficient and dependable way. The important thing, however, is to keep in mind that WNS is not only used by third-party developers. It’s also used by many different Microsoft products, including Microsoft …

Read more

Troubleshooting MAM for Windows

This week is a short follow-up on a post of a few months ago about getting started with Mobile Application Management (MAM) for Windows. That post was really focused on getting started with MAM for Windows, while this post will be more focused on what’s coming after that. The concept and the basic configuration of MAM for Windows is pretty straight forward, once being familiar with the available configuration options. However, it gets more challenging when verifying the configuration and the behavior. Especially when there is not that much information available. The (location of the) log file is not really well documented, as is the process to verify the applied configuration. This post will provide answers to those questions. It will described were to find …

Read more

Looking closer at enabling Endpoint analytics

This week is all about Endpoint analytics and indirectly Advanced Analytics. More specifically, about enabling Endpoint Analytics and what happens after enabling Endpoint analytics. The process of enabling Endpoint analytics is not that special and can only be performed once per tenant. It is, however, good to be familiar with what happens after enabling Endpoint analytics. To understand the settings that become available and the impact of adjusting those settings. Especially the impact for the Windows devices within the environment. Besides that, it’s also important to be familiar with configurations that are not directly part of Endpoint analytics, but that do influence the results provided by Endpoint analytics. This post will focus on exactly those subjects! This post will provide an overview of what enabling …

Read more

Using a BYOCA with Microsoft Cloud PKI

This week is a follow-up on the post of last week about getting started with Microsoft Cloud PKI (Cloud PKI). This time it’s all about using a bring your own certificate authority (BYOCA) with Cloud PKI. BYOCA is focused on providing organizations with the ability to rely on an existing private CA. That can for example be an existing on-premises PKI infrastructure based on Active Directory Certificate Services (ADCS). BYOCA enables the IT administrator to create an issuing CA in Cloud PKI that is anchored to that existing private CA. By doing that, the issuing CA becomes an extension of the already existing (on-premises) PKI infrastructure. That might take some of the previously mentioned benefits away, as this won’t takeaway all the need to maintain …

Read more

Getting started with Microsoft Cloud PKI

This week is sort of another follow-up on the earlier posts about new Microsoft Intune Suite add-on capabilities. This time it’s all about the latest addition, Microsoft Cloud PKI (Cloud PKI). Cloud PKI provides organizations with a cloud-based service that simplifies and automates the certificate lifecycle management for Intune managed devices. It literally provides a public key infrastructure (PKI) from the cloud. That PKI environment can be built within a few minutes, by simply going through a couple of wizards. Even when relying on at least a two-tier hierarchy, with a root certificate authority (CA) and an issuing CA. There is no longer a need to maintain on-premises servers, connectors, or hardware. Cloud PKI handles the certificate issuance, renewal, and revocation for Intune managed devices. …

Read more

Adding company branding to Microsoft Edge for Business

This week is all about Microsoft Edge for Business and the new ability to add company branding. Microsoft Edge for Business is the new dedicated Microsoft Edge experience that is created for work accounts. It provides IT administrators with the capabilities to provide users with a productive and secure browsing experience across managed and unmanaged devices. That includes the ability to add company branding to the work account in Microsoft Edge for Business. Adding company branding can be especially useful for differentiating between multiple profiles in the browser. The company branding includes organization details like the company name in the profile pill, and the company color and logo in the profile flyout. Besides that, it’s even possible to add a logo to overlay the Microsoft …

Read more

Remotely locating corporate-owned Android Enterprise devices

This week is all about remotely locating corporate-owned Android Enterprise devices. More specifically, about the configurations that are related to remotely locating those devices. With one of the latest service updates of Microsoft Intune (2401) a new configuration was introduced to specifically block the location on corporate-owned Android Enterprise devices. That configuration, however, has a direct impact on the ability to locate those devices. Besides that, the availability of remotely locating the device depends on the Android Enterprise deployment method. So, multiple reasons why the ability of remotely locating devices could be unavailable. This post will focus on the available settings related to the location of Android Enterprise devices, followed with the steps to configure those settings. This post will end with the user experience. …

Read more