Enhance inventory reporting with local administrator information

This week is all about enhancing inventory reporting with information about the local administrators on the managed Windows 10 devices. This time is not about managing the different local administrators on those Windows 10 devices, but this time is about creating a report that provides insights to the different local administrators that are configured on those Windows 10 devices. The solution to enhance the inventory reporting, relies on PowerShell, Log analytics, Workbooks and the Azure Monitor HTTP Data Collector API. PowerShell is used to gather the information on the local device and uses the Azure Monitor HTTP Data Collector API to write the gathered information to Log analytics. Workbooks are used to visualize the gathered data from Log analytics. This solution is inspired and based …

Read more

Locating lost or stolen Windows 10 devices

This week is all about a small new feature for Windows 10 devices that was introduced with the latest service release of Microsoft Intune. That new feature is the ability to find lost or stolen Windows 10 devices. Starting with the 2104 service release of Microsoft Intune, the Locate device remote device action – already available for supervised iOS and iPadOs device – also becomes available for Windows 10 devices. That enables IT administrators to find lost or stolen Windows 10 devices. This post will start by going through the information about the new remote action, including the implications, followed with the steps for configuring the privacy settings. This post will end by showing the IT administrator and user experience. Introduction to the location service …

Read more

Conditional access and registering or joining devices to Azure AD

This week is all about registering and joining devices to Azure Active Directory (Azure AD). More specifically, about requiring multi-factor authentication (MFA) when registering or joining devices to Azure AD. Starting with March 2021, Azure AD contains a new feature in Conditional Access (CA) that provides more flexibility for requiring MFA when registering or joining devices to Azure AD. That new feature is the Register or join devices user action. This post will start with a short introduction about that new user action, followed with the steps to configure that user action. This post will end with a look at sign-in logs. Important: The Register or join devices user action is also the new recommended method for enforcing MFA when registering or joining a device …

Read more

Using Setup Assistant with modern authentication

This week is all about the support for a new authentication method when using Automated Device Enrollment (ADE). That new authentication method is Setup Assistant with modern authentication and is available for iOS/iPadOS devices running version 13.0 and later and for macOS devices running version 10.15 and later. Setup Assistant with modern authentication enables organizations to require authentication with Azure AD, including the ability to require MFA, and enables users to immediately use their device. This post provides an introduction to this new authentication method, followed with the steps to configure an enrollment profile with this new authentication method. This post ends with a quick look at the enrollment experience when using Setup Assistant with modern authentication. Note: At the moment of writing Setup Assistant …

Read more

Working with supersedence relationships for Win32 apps

This week is all about Win32 apps in Microsoft Intune. Last year I’ve written a lot about the different features of Win32 apps and now, starting with the 2102 service release of Microsoft Intune, there is a new feature for Win32 apps. That feature is the ability to create supersendence relationships between different Win32 apps. That relationship can be used to update a Win32 app to a newer version of the Win32 app, or to replace a Win32 app with a different version of the Win32 app. Actually, it can even be used to replace a Win32 app with a completely different Win32 app. This post will start with the theory of supersedence relationships for Win32 apps, followed with the steps to configure a supersedence …

Read more

Working with Exploit Protection to protect devices from being exploited

This week is all about Exploit Protection. An often overlooked security feature that is available in the Windows Security app, screaming for more awareness. Exploit Protection was originally introduced as one of the four main components of Windows Defender Exploit Guard (Exploit Guard). Exploit Guard itself was introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709, and was the successor of Enhance Mitigation Experience Toolkit (EMET). Actually, the Exploit Protection component contains the actual replacement functionality of EMET, and more. Nowadays Exploit Protection is part of the App & browser control section in the Windows Security app, but many configuration paths still refer to Exploit Guard. In this post I’ll start with an introduction about Exploit protection, followed with the …

Read more

Standardizing and simplifying management with Windows 10 in cloud configuration

This week is al about Windows 10 in cloud configuration (also known as cloud config). Cloud config is focused on standardizing and simplifying management for users with focused workflow needs and initially started as a documented set of recommended configuration settings. At that point in time, it was already known that eventually it would evolve to be more than just documentation. And it really did evolved. With the latest service updates to Microsoft Intune (2103), a new guided scenario is introduced that will walk the IT administrator through a few important variables and that will create all the earlier mentioned recommended configuration settings. This post will start with a quick introduction about cloud config, followed with the steps to walk through the guided scenario. This post …

Read more

Getting started with Windows Defender Credential Guard

This week is again back to Windows. This week is all about Windows Defender Credential Guard (Credential Guard). Credential Guard is definitely not something new, it’s actually available since the beginning of Windows 10, but it’s still a little unknown and still not always used. A little awareness is on its place. Credential Guard uses virtualization-based security to isolate secrets and to make sure that only privileged access is allowed. That helps with preventing unauthorized access that can lead to known credential theft attacks, like Pass-the-Hash and Pass-the-Ticket. Besides awareness, there is also another new configuration location within Microsoft Intune that might be interesting. This post will start with a quick introduction about Credential Guard, followed with the steps to configure Credential Guard by using …

Read more

Getting started with Shared iPad devices

This week is all around Shared iPad devices with Microsoft Intune. Shared iPad is an iPadOS configuration that easily lets multiple user share the same iPad. That configuration enables a personal experience for a user, on a device that is shared between multiple users. That personal experience enables users to be more productive, as users can simply pick-up where they left off previously. This post will start with a short introduction to Shared iPad devices, followed with the configuration steps for those devices. This post will end by describing and showing the user experience with Shared iPad devices. Introduction to Shared iPad devices With shared devices, this post is referring to company-owned multi-user devices that can be used – depending on the use case – …

Read more

Using Microsoft Defender for Endpoint in app protection policies for Android and iOS

This week is all about some new and exiting functionality related to Microsoft Defender for Endpoint (MDE) that was announced around Microsoft Ignite. That new and exiting functionality is that MDE risk signals can now be used in app protection policies for Android and iOS. Those signals are based on the protection against phishing, unsafe network connections (on Android and iOS), and malicious apps (on Android only). That enables the usage of MDE on unmanaged devices for even better protection of work data. This behavior can be achieved by configuring an integration between MDE and Microsoft Intune, to send the required signals to Microsoft Intune, and by configuring an app protection policy, to create a conditional launch for the app, based on the signals provided …

Read more