Getting familiar with the Intune Management Extension log files

This week is another post about the Intune Management Extension (IME). This week the focus is on the log files of the IME. Probably not the most interesting subject, but definitely an important subject. Especially as an IT administrator, it’s important to be familiar with the available log files of the IME and to understand the usage of those log files. Besides that, it can also be interesting to be familiar with the configuration options for those log files. Together that will help with a better understanding of the logging capabilities of the IME and the log files that should be used to find the information related to a specific problem. This post will have a closer look at the IME log files and the …

Understanding the Intune Management Extension client health check

This week is sort of a follow-up on the posts of the last couple of weeks about Win32 apps. This week, however, the focus is more on the process that is in place to make sure that everything around the Intune Management Extension (IME) keeps functioning. The IME contains many important components for installing Win32 apps, for running PowerShell scripts, for running inventories, and more. That makes it important that the IME is running successfully. To make sure that the IME is running successfully, the Intune Management Extension Health Evaluation was introduced. That evaluation is focused on performing checks on the service of the IME. This post will have a closer look at the IME client health check and the actions that it performs. Starting …

Understanding Win32 app inventory

This week is another week about apps on Windows devices. The major difference with last week is that this week is all about the discovered apps on Windows devices. In other words, the app inventory on Windows devices. Within Microsoft Intune that inventory always used to be a huge challenge. It was often not complete and simply missing pieces. Nowadays, it’s getting more and more mature. It contains nearly all application types, is structurally inventoried, and is displayed in a (basic) report. Within Microsoft Intune that report is the Discovered apps report. That report contains an aggregated list of the discovered apps on the devices within the tenant. So, it acts as the software inventory within the tenant. This post will look at the process …

Working with the restart grace period of Win32 apps

This week is sort of a follow-up on a post of years ago about working with the restart behavior of Win32 apps. That post was focussed on the behavior of Win32 apps, based on the return codes and the configured restart behavior. This post will add the restart grace period to that mix. The restart grace period can be used to determine after which time the device will actually require a restart, when required by the successful installation of a Win32 app. The configuration for the restart grace period has already been available for some time, but recently it also became possible for non-administrator users to snooze that restart. This post will have a closer look at the configuration options for the restart grace …

Getting started with the Global Secure Access client for Windows

This first week is all about the Global Secure Access client for Windows. Global Secure Access is the Security Service Edge (SSE) solution of Microsoft. Gartner defines SSE as a solution that secures access to the web, cloud services and private applications regardless of the location of the user or the device they are using or where that application is hosted. Within Global Secure Access, Microsoft introduced the (Microsoft Entra) Internet Access and (Microsoft Entra) Private Access products to provide that functionality. Of these products Internet Access is focused on secured access to Microsoft 365, SaaS, and public apps, while Private Access is focused on secured access to private or internal resources. The Global Secure Access client can be used to connect to the Global …

Preventing users from shutting down specific devices

This week is a short post about the ability to prevent users from shutting down, or restarting, specific devices. That is something already often used for specific servers, like domain controllers, to prevent users from shutting them down. There are, however, also good reasons why that might also be very useful and beneficial on specific devices. Think about devices that host critical business processes that can only be turned off, or restarted, during specific windows. For those devices the user right to shut down that device should only be provided to a few trusted users, or administrators. So, not just removing the shutdown, or restart, button, but actually removing the user right to perform a shutdown. Luckily, nowadays there is an easy method for configuring the …

Discouraging data leakage on Windows 365

This week is all about a few newly introduced features to discourage data leakage specifically for Windows 365. Within the Microsoft 365 solution there are many different options for protecting data. On the data itself as well as platform specific options. Windows 365 is the latest platform that can be added to that list with platform specific solutions. Windows 365 recently introduced screen capture protection that can be used to discourage leaking data by preventing it from being captured. Besides that, it also introduced watermarking that can be used to discourage leaking data by adding a watermark to the desktop that can be traced to the session or desktop of the user. Different solutions, for different scenarios. This post will start by briefly introducing both …

Managing security policies for Dev Drive

This week is all about another new Windows 11 feature, and that feature is Dev Drive. Dev Drive is a new form of a storage volume that is aimed at improving performance for key developer workloads. It enables users to create a separate volume on their device that will improve the performance for disk-bound operations such as cloning, building, copying files, and package restore. To gain that performance, Dev Drive builds on ReFS technology. That technology provides file system optimizations and more control over storage volume settings and security. That includes trust designation, antivirus configuration, and administrative control over what filters are attached. All of that could also be a reason to make sure that some security-minded Dev Drive configurations are in place. To make sure …

Working with web sign-in on Windows 11

This week is a bit of a follow-up on a post of about two years ago and is mainly focussed on creating some awareness. That post was specifically about enabling web sign-in to Windows for usage with Temporary Access Pass. That web sign-in functionality provides a web-based sign-in experience on Microsoft Entra joined devices. At that time, that web-based sign-in experience was limited to Temporary Access Pass (TAP). Starting with Windows 11 version 22H2 with KB5030310 and later, that has changed. The supported scenarios and capabilities of web sign-in are now expanded. Besides TAP, it can now also be used for a passwordless sign-in experience with the Microsoft Authenticator app, a seamless Windows Hello for Business PIN reset experience, and even a federated identity with …

Deploying and configuring the Azure VPN Client app on Windows devices

This week is all about deploying and configuring the Azure VPN Client app on Windows devices. The Azure VPN Client app can be used to connect to any Azure VPN gateway. That provides access to specific Azure virtual networks, even when working from a remote location. That can be useful in many different situations. The great part is that, nowadays, the Azure VPN Client app can be deployed and configured by using Microsoft Intune. At least, when using Microsoft Entra ID for authentication. In that case, it’s possible to make it all automatically available to the user. The only action left for the user is to authenticate. To achieve that, there are a few specific configurations required. This post will walk through the main configurations regarding the …
