Easier managing local administrators via Windows 10 MDM on Windows 10 20H2 and later

This week back to the Windows platform. This week is again about managing local administrators on Windows 10 devices. Even in a modern world, there can still be a need for managing the local administrators on a Windows 10 devices and often that still requires more flexibility than provided with the default Azure AD functionality. I’ve also discussed managing local administrators already multiple times – either by using a Windows 10 MDM policy setting or by using proactive remediations – and this time it’s about a new method that became available in Windows 10, version 20H2 and later. That method is a new Windows 10 MDM policy setting. In this post, I’ll provide an introduction to that new policy setting and I’ll show how to …

Read moreEasier managing local administrators via Windows 10 MDM on Windows 10 20H2 and later

Windows 10 MDM Bridge WMI Provider: Settings template

This week my post is a few days later, as my post is an extension of my session at the Workplace Ninja Virtual Summit 2020. At the virtual summit I did a session about Getting to know the Windows 10 MDM WMI Bridge provider and during my session I shared how to easily work with the Windows 10 MDM Bridge WMI provider. Similar to using Microsoft Intune to address the different CSPs, we can also use PowerShell via the WMI bridge. The main thing that I’ve showed at the end of that session was a setting template, basically a PowerShell-function, that can be used to set, adjust and remove nearly all settings via the MDM WMI Bridge provider. That PowerShell-script is available below and I’ve …

Read moreWindows 10 MDM Bridge WMI Provider: Settings template

Quick tip: Easy method for constructing settings of ingested ADMX-files

This week a quick extra blog post, just before the start of my vacation, about an easy method for construction settings of ingested ADMX-files. A few years ago I did a post about a deep dive for ingesting third-party ADMX-files and until today I still receive questions on that post that are related to constructing settings of ingested ADMX-files. Even though the described method is still available, there is an easier method for constructing the settings of ingested ADMX-files. A method that is less sensitive to errors. The following four steps walk through that easy method by again using chrome.admx as an example. The first step is ingesting the ADMX-file. That can be achieved by following the same steps as provided in my earlier post. …

Read moreQuick tip: Easy method for constructing settings of ingested ADMX-files

Configuring the usage of Bluetooth encryption via Windows 10 MDM

This week a short blog post about configuring Bluetooth on Windows 10 devices that are managed via Microsoft Intune. More specifically, about configuring the Bluetooth encryption strength that is required for pairing Bluetooth devices. Last year there was a vulnerability regarding the Bluetooth encryption key negotiation that was addressed with an update to Windows and a specific configuration that should be performed to required a specific encryption strength. By default Windows allows all Bluetooth traffic, but with this vulnerability in mind some organizations might want to enforce a minimal encryption key size to be required for Bluetooth traffic. Even if that means that some Bluetooth devices won’t work, or stop working. In this post I’ll start with showing how to configure the Bluetooth encryption key …

Read moreConfiguring the usage of Bluetooth encryption via Windows 10 MDM

Prevent non-administrator users from installing Windows app packages via Windows 10 MDM

This week a short new blog post about a new introduced Windows 10 MDM policy setting, in Windows 10, version 2004, to address new default behavior. That policy setting is related to the installation of Windows app packages. More specifically, that policy setting can be used to prevent non-administrator users from initiating the installation of (signed) Windows app packages. Starting with Windows 10, version 2004, every user – administrator and non-administrator – can initiate the installation of (signed) Windows app packages. On previous versions of Windows 10 that would require the administrator to at least enable the ability to sideload apps (part of the developer settings), for users to be able to initiate the installation of (signed) Windows app packages. This policy setting can be …

Read morePrevent non-administrator users from installing Windows app packages via Windows 10 MDM

Managing local administrators via Windows 10 MDM

This week is all about managing local administrators via Windows 10 MDM by using restricted groups. There has been many requests for a post like this after I wrote this post about creating local user accounts. And I have to admit that this post has been on my backlog for a long time. Better late than never, I think. Also, I’m definitely not the first to write about this subject, but I do think that I have some new insights that can be really helpfull. In this post I’ll start with an overview of the options for configuring local administrators on Azure AD joined (and Microsoft Inune managed) devices and reasons for using restricted groups, followed by the steps for configuring restricted groups. I’ll end …

Read moreManaging local administrators via Windows 10 MDM

Windows 10 MDM (PowerShell) scripting

A long, long time ago, I wrote about the MDM WMI Bridge provider. Nowadays I notice that the MDM WMI Bridge provider is still an unknown configuration layer for many IT admins. That’s why I’ve decided to do another post about the MDM WMI Bridge provider. A quick reminder: the MDM WMI Bridge provider is used to map the CSPs to WMI. This time my post is more focused on providing some examples and guidance. Besides that it’s also a nice addition on my latest posts about Windows 10 MDM configurations, policy refresh and troubleshooting. I’ll start this post by showing how to configure device settings and I’ll end this post by showing how to trigger device actions. Keep in mind that this post is …

Read moreWindows 10 MDM (PowerShell) scripting

Scheduling a reboot via Windows 10 MDM

This week is also about configuring Windows 10 devices. This week is all about scheduling a reboot on a Windows 10 device by using Microsoft Intune and Windows 10 MDM. That can be useful for scheduling reboots on for example shared devices. Simply making sure that even those type of devices get a reboot every now and then, or making sure that specific configurations or installations are getting fully applied. This can be achieved by using the Reboot CSP. In this post I’ll have a look at the available policy settings and the configuration of those policy settings. I’ll end this post by having a look at the results of the configuration. Available policy settings The Reboot CSP can be used to configure reboot settings. …

Read moreScheduling a reboot via Windows 10 MDM

Windows 10 MDM troubleshooting

This week another new blog post related to Windows 10 MDM. In the recent weeks I’ve discussed policy refresh, some configurations and now some troubleshooting. This post is also triggered by my previous as I used the MDM Diagnostics Tool (MdmDiagnosticsTool.exe) as an example. Based on that example I’ve received some requests for more information. There are more useful tools like dsregcmd, but this post will focus on the MDM Diagnostics Tool, as there’s not that much information available. In this post I’ll provide information about the usage and results of the MDM Diagnostics Tool as having the right information is really useful for troubleshooting Windows 10 MDM managed devices. Introduction of the MDM Diagnostics Tool The MDM Diagnostics Tool is a command line tool …

Read moreWindows 10 MDM troubleshooting

Triggering devices to upload (diagnostic) files to cloud storage

This week is all about triggering Windows 10 devices to upload (diagnostic) files to cloud storage. That can be very useful for gathering information and diagnosing potential issues. Starting with Windows 10, version 1903, Microsoft added additional functionality to the DiagnosticLog CSP. The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device and the additional functionality enables triggering devices to upload existing event logs, log files, and registry values to cloud storage. That actually opens the route to some really nice scenarios regarding the collection of information on MDM managed Windows 10 devices. I’ll start this post by providing some information about the required setting, followed by going through the steps of configuring that setting. I’ll end this post by showing …

Read moreTriggering devices to upload (diagnostic) files to cloud storage