Preventing users from shutting down specific devices

This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might also be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices the user right to shutdown that device, should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the …

Read more

Discouraging data leakage on Windows 365

This week is all about a few newly introduced features to discourage data leakage specifically for Windows 365. Within the Microsoft 365 solution there are many different options for protecting data. On the data itself as well as platform specific options. Windows 365 is the latest platform that can be added to that list with platform specific solutions. Windows 365 recently introduced screen capture protection that can be used to discourage leaking data by preventing it from being captured. Besides that, it also introduced watermarking that can be used to discourage leaking data by adding a watermark to the desktop that can be traced to the session or desktop of the user. Different solutions, for different scenarios. This post will start by briefly introducing both …

Read more

Managing security policies for Dev Drive

This week is all about another new Windows 11 features and that feature is Dev Drive. Dev Drive is a new form of a storage volume that is aimed at improving performance for key developer workloads. It enables users to create a separate volume on their device that will improve the performance for disk-bound operations such as cloning, building, copying files, and package restore. To gain that performance, Dev Drive builds on ReFS technology. That technology provides file system optimizations and more control over storage volume settings and security. That includes trust designation, antivirus configuration, and administrative control over what filters are attached. All of that, could also be a reason to make sure that some security-minded Dev Drive configurations are in place. To make sure …

Read more

Working with web sign-in on Windows 11

This week is a bit of a follow-up on a post of about two years ago and is mainly focussed on creating some awareness. That post was specifically about enabling web sign-in to Windows for usage with Temporary Access Pass. That web sign-in functionality provides a web-based sign-in experience on Microsoft Entra joined devices. At that time, that web-based sign-in experience was limited to Temporary Access Pass (TAP). Starting with Windows 11 version 22H2 with KB5030310 and later, that has changed. The supported scenarios and capabilities of web sign-in are now expanded. Besides TAP, it can now also be used for a passwordless sign-in experience with the Microsoft Authenticator app, a seamless Windows Hello for Business PIN reset experience, and even a federated identity with …

Read more

Deploying and configuring the Azure VPN Client app on Windows devices

This week is all about deploying and configuring the Azure VPN Client app on Windows devices. The Azure VPN Client app can be used to connect to any Azure VPN gateway. That provides access to specific Azure virtual networks, even when working from a remote location. That can useful in many different situations. The great part is that, nowadays, the Azure VPN Client app can be deployed and configured by using Microsoft Intune. At least, when using Microsoft Entra ID for authentication. In that case, it’s possible to make it all automatically available to user. The only action left for the user is to authenticate. To achieve that, there are a few specific configurations required. This post will walk through the main configurations regarding the …

Read more

Configuring Windows Hello for Business cloud Kerberos trust

This week is all about Windows Hello for Business. More specifically, about Windows Hello for Business cloud Kerberos trust. Not something really new, but definitely something that should be part of the default toolset. Hopefully familiar nowadays, Windows Hello for Business can be used to replace password sign-in with strong authentication on Windows. On top of that, Windows Hello for Business cloud Kerberos trust brings a simplified deployment experience for hybrid authentication with Windows Hello for Business. To provide that functionality, it relies on Microsoft Entra Kerberos for requesting Kerberos ticket-granting-tickets (TGTs). And those TGTs can then be used for on-premises authentication. A bing difference with other deployment models is the simplicity. No dependency on a public key infrastructure (PKI) and no need to synchronize …

Read more

Configuring multi-app kiosk mode on Windows 11

This week is all about multi-app kiosk mode on Windows 11 devices. Kiosk mode on itself is nothing new, nor is the configuration of kiosk mode. However, until a few months ago, it was not possible to configure multi-app kiosk mode on Windows 11. That’s possible now, except the configuration options via Microsoft Intune are not that straight forward yet. As in, it’s not available via a standardized configuration profile yet. It is, however, already possible to configure multi-app kiosk mode via the MDM WMI Bridge Provider. That provider relies on configuration capabilities within the MDM channel, which means that the configuration can also be achieved directly via Microsoft Intune. Multi-app kiosk mode relies on assigned access to run one or more apps from the …

Read more

Getting started with web-based device enrollment for iOS devices

This week is all about a new enrollment feature for iOS/iPadOS devices. That feature is web-based device enrollment. Web-based device enrollment is now one of the two device enrollment methods that is available for personal iOS/iPadOS devices. The other method is the already existing device enrollment with the Company Portal app. The main differentiator for web-based device enrollment is that it provides a faster and more user-friendly enrollment experience. It’s no longer required to first download the Company Portal app. Instead the user can just go to the Company Portal website, or start the new enrollment experience via an app that requires a compliant device. More user-friendly and accessible via the favorite browser of the user. Besides that, web-based device enrollment can be used in …

Read more

Using temporary enterprise feature control for early testing new features in Windows

This week is all about creating awareness around a recently new feature for controlling the availability of new features in Windows 11. That new feature is temporary enterprise feature control. Temporary enterprise feature control is introduced – together with permanent enterprise feature control – to manage the introduction of new features within the enterprise. With the continuous innovation that was recently introduced by Microsoft, new features are no longer only introduced with the latest feature update. New features are now already introduced with the Latest Cumulative Update (LCU), but are off by default. And new features with impact (like new experiences, new in-box applications, removing existing capabilities, or overriding previously configured settings) are behind that new feature, temporary enterprise feature control. New features behind that …

Read more

Scheduling automatic policy refreshes for Windows devices without requiring a check-in

This week is sort of a follow-up on a blog post of about four (!) years ago. That post was focussed on the policy refresh on Windows devices. Since very recently, there is now something new available to refresh the applied configurations. That something new is: Config Refresh. Config Refresh can be used to configure a refresh cadence in which the already received configuration policies will be refreshed. No matter if the device is online, or offline. A great addition to at least make sure that the received configuration is applied. Config Refresh became available as a configuration option in Microsoft Intune, with the latest service release (2309). Besides that, it relies on an addition in the DMClient CSP that became available just recently in …

Read more