Translating Windows Defender Application Control Policy Wizard sliders to Windows Defender Application Control policy options

This week is a short post focussed on Windows Defender Application Control (WDAC). More specifically, this short post is focussed on the different policy rules that can be configured by using the Windows Defender Application Control Policy Wizard. That policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It provides IT administrators with a user-friendly method for creating, editing and merging WDAC policies. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets, which makes sure that the output of the policy wizard is identical to using the cmdlets manually. WDAC is generally used to control what runs on Windows 10 and Windows 11 devices. That is achieved by setting policies that specify whether a …


Using the Microsoft Defender for Endpoint app for connecting to Microsoft Tunnel Gateway

This week is something completely different, compared to the last couple of weeks. This week is back to Microsoft Tunnel. Microsoft Tunnel is the VPN gateway solution for Microsoft Intune that fully integrates with Azure AD (and Conditional Access) for providing access to on-premises resources on iOS and Android devices. In the early stages of Microsoft Tunnel, there used to be a separate Microsoft Tunnel app for iOS and Android devices. One of the challenges with those devices is that there can only be one active VPN at the same time. That’s especially challenging when using it in combination with Microsoft Defender for Endpoint. That makes combining both products into a single app a logical move. That’s been the case for Android already …


Getting familiar with the Windows Update for Business deployment service

This week is a follow-up on last week. Last week the focus was on getting started with the Windows Update for Business deployment service and this week is about getting more familiar with the Windows Update for Business deployment service. Last week the focus was on getting information and this week the focus is on adding information. More specifically, this week is about enrolling devices, creating groups, adding devices to groups, creating feature update deployments and assigning groups to feature update deployments. In other words, this week is about creating custom feature update deployments. For the basics of the Windows Update for Business deployment service, have a look at last week’s post; this post will continue on that information. This post will go through the …


Getting started with the Windows Update for Business deployment service

This week is about the Windows Update for Business deployment service. That subject was touched on recently when discussing the different options for upgrading devices to Windows 11, but it never got the attention that it deserves. The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the often still unknown part is that it’s actually actively used already within Microsoft Intune. The Feature updates for Windows 10 and later profile and the Quality updates for Windows 10 and later profile both rely on that deployment service. This post will start with a quick introduction of the Windows Update for Business deployment service, followed by the basics of the deployment service APIs. Introduction to the Windows …


Even easier managing local administrators

This week is back on the Windows platform. This week is once again about managing local administrators on Windows 10 devices and later. That subject has been discussed multiple times before – either by using custom device configuration profiles or by using proactive remediations – and this time it’s about a new configuration option within Microsoft Intune that provides a friendly configuration experience for the IT administrator around the custom device configuration profile option. That configuration relies on the LocalUsersAndGroups policy that is available with Windows 10 20H2 or later, or Windows 11. This blog post will provide an introduction to a new profile type and will show how to use that new profile type to easily manage local administrators. This blog post will end by …


Retiring non-compliant devices with Azure Logic Apps and Adaptive Cards for Teams

This week is another follow-up on the first few weeks of this year. Those weeks the focus was on monitoring the status of the different connectors, certificates, tokens and deployments, while this week the focus is on more than just monitoring. This week will be about non-compliant devices marked to retire. That means querying information and actually performing an action. When looking at device compliance policies, the IT administrator can configure the actions for non-compliance. One of those actions is to configure Retire the noncompliant device. That action, however, won’t actually retire the device and will only add the device to the Retire Noncompliant Devices view. Once added to that view, there is still a manual action required by the IT administrator to actually retire …


Getting started with filtering and selecting Microsoft Intune data via Microsoft Graph

This week is another week focussed on retrieving data of Microsoft Intune via Microsoft Graph. This week, however, is not focussed on creating a solution, but on providing some guidance on getting started with filtering and selecting specific data. It’s relatively simple to retrieve a bulk of data, but in many cases it might be more efficient and better performing to immediately filter the data and only select specific objects and properties. This post will provide a closer look at the basics of the main query parameters and show how to use them to filter data immediately in the request. The examples provided in this post use the managedDevice objects as an example and are all tested by using Microsoft Graph Explorer. Important: The Microsoft …


Monitoring Windows Autopilot deployments with Azure Logic Apps and Adaptive Cards for Teams

This week is another follow-up on the last couple of weeks. The last couple of weeks the focus was on monitoring the status of the different connectors, certificates and tokens, while this week the focus is on monitoring deployments. More specifically, on monitoring Windows Autopilot deployments. Especially when dealing with many (remote) Windows Autopilot deployments, it can be useful to retrieve some deployment triggers without constantly having to check the Microsoft Endpoint Manager admin center. That can help with getting a good feeling about the stability and with getting triggered when users deal with failed Windows Autopilot deployments (as not all users call IT about failures). This post walks through the main components that are required to query Windows Autopilot deployment status information in Microsoft …


Collection of information for monitoring the status of connectors, certificates and tokens

This week is a follow-up on last week. Last week the focus was on providing an example for monitoring the Apple MDM push certificate with Azure Logic Apps and Adaptive Cards for Teams and this week the focus is on providing more endpoints in Microsoft Graph that can be used for monitoring all different connectors, certificates and tokens. This blog post will provide a collection of the different endpoints, the properties to verify and example queries to use. All summarized in tables, including links to the documentation. The following connectors, certificates and tokens are addressed within this post. Note: This list of connectors, certificates and tokens is made based on the information available within Microsoft Endpoint Manager admin center (Tenant administration > Connectors and tokens). …


Monitoring Apple MDM push certificate with Azure Logic Apps and Adaptive Cards for Teams

This new year starts again with something completely new. That means that some of the technology hasn’t been part of any of the posts on this blog before. This post will provide a look at using Azure Logic Apps for querying Microsoft Intune (via Microsoft Graph) and posting the results in Microsoft Teams. That’s an awesome combination for automating administrative tasks and triggering IT administrators to perform actions. The idea of this post is to show the power of that combination and to show how simple it is to automate administrative tasks. This post provides a simple example that will query status information about the Apple MDM push certificate in Microsoft Intune and posts that information in an adaptive card in a Microsoft Teams chat, when action is …
