Getting started with Windows driver update management

This week is about a very recent introduced feature around updating Windows devices and that feature is driver updates. Driver update management on itself is not that new, as that was introduced a few months ago as a part of the Windows Update for Business deployment service. However, being able to use Microsoft Intune to manage driver updates via that deployment service is definitely something new. That makes it a lot easier to use the driver management functionality. Microsoft Intune introduced a new Driver updates for Windows 10 and later profile that does all the heavy lifting for managing driver updates on Windows devices. This post will start with an introduction about Windows driver update management, followed with the steps for creating and assigning the profiles. …

Read more

Creating supplemental Application Control policies for the base Application Control policies created with the built-in controls

This week is a follow-up on the post of last week about easily configuring the Intune Management Extension as managed installer for Windows Defender Application Control. That post already had a note regarding supplemental Application Control policies. This week, the focus will be on adding supplemental Application Control policies on top of the base Application Control policies that are created when using the built-in controls in the creation of an Application Control policy. The great thing is that those base Application Control policies all have standard configurations and can easily be reused. This post will focus on those base Application Control policies and using those with supplemental Application Control policies. This post will finish with the distribution of such supplemental Application Control policies and the …

Read more

Easily configuring the Intune Management Extension as managed installer for Windows Defender Application Control

This week is all about a great feature that has been introduced with the latest service release of Microsoft Intune (2306). That feature is the ability to easily configure the Intune Management Extension as a managed installer on Windows devices. Until this new ability, it’s always been challenging to work with the Intune Management Extension in combination with Windows Defender Application Control (WDAC). The main challenge was to configure the Intune Management Extension as a managed installer, to simplify the acceptance of applications that were installed via that extension. With this new feature, it’s now possible to configure the Intune Management Extension as a managed installer, by using a tenant-wide configuration. So, that will take away any challenging configuration to configure a managed installer. This …

Read more

Getting started with Windows 365 Boot

This week is a follow-up on a series of blog post of last year about Windows 365 Enterprise that started here. In the meantime, Microsoft announced many nice upcoming features with Windows 365 App, Windows 365 Boot, Windows 365 Offline and Windows 365 Switch and even a great licensing enhancement with Windows 365 Frontline. In other words, definitely time for a new blog post. This week is all about the introduction of Windows 365 Boot. Windows 365 Boot enables administrators to simplify the sign-in process for users on Windows 11 devices, by taking away the sign-in to their physical device and enabling the sign-in directly to their Windows 365 Cloud PC. So, basically turning the physical device into some sort of a thin client. Signing …

Read more

Managing updates for Visual Studio

This week is all about something relatively new with Microsoft Intune and that is managing Visual Studio settings. Many settings for managing Visual Studio were already available via registry keys and ADMX-files. Those ADMX-files could already be imported within Microsoft Intune, but are now also directly available within the Settings Catalog with the latest service release (2305). That enables organizations to easily manage the most important configuration settings that are required to at least make sure that the basics of the Visual Studio installation are compliant with the company policies. An important part of that is managing the updates for Visual Studio. That can make sure that the installations of Visual Studio within the organization, at least have the latest security updates installed. This post …

Read more

Configuring the default credential provider

This week is a short post about configuring the default credential provider and this is basically a small addition to the blog posts of about two years ago around configuring credential providers. That time the focus was around actually making it impossible to use specific credential providers. This time the focus is around configuring the default credential provider. That can be a powerful combination, but that can also be a step in the direction of guiding users away from using username-password. So, guiding users instead of forcing users. From a technical perspective that could make it a bit easier, as it doesn’t involve removing functionalities. In this case, it simply provides the configured credential provider as the default credential provider. That default credential provider will …

Read more

Providing users with global quiet times for notifications on their mobile devices

This week is a short post about a small nice feature that might be really useful for some users and organizations. That feature is the ability to schedule global quiet time settings for end users within the organization. Those settings make it possible to automatically mute Outlook email and Teams messages notifications on Android and iOS/iPadOS devices. These settings are available within new policies that can be used to limit end user notifications received outside work hours. That’s not something that’s applicable to every organization, but it does provide a great starting point when it is applicable. Besides that, it actually should be applicable to a lot of organizations, simply to provide users with a better balance between work and personal life. And, sometimes the …

Read more

Using authentication strengths in Conditional Access policies

This week is all about a nice feature of Conditional Access. Not a particular new feature, but an important feature for a solid passwordless implementation. That feature is authentication strengths. Authentication strengths is a Conditional Access control that enables IT administrators to specify which combination of authentication methods should be used to access the assigned cloud apps. Before authentication strengths, it was not possible to differentiate between the different authentication methods that can be used as a second factor. Now with authentication strengths, it enables organizations to differentiate the available authentication methods between apps, or to simply prevent the usage of less secure MFA combinations (like password + SMS). With that, it opens a whole new world of potential scenarios that can be easily addressed. …

Read more

Using Conditional Access for Remote Help

This week is a short post about a small nice addition to Remote Help. That small nice addition, however, can be an important piece towards the solid zero trust implementation within the organization. That addition is the ability to use Conditional Access specifically for Remote Help. That doesn’t mean, however, that Conditional Access was not applicable towards Remote Help before. When assigning a Conditional Access to all cloud apps that would (and will always) also include Remote Help. The main change is that it’s now possible to create a service principal for the Remote Assistance Service that can be used as a cloud app in the assignment of a Conditional Access policy. That enables organizations to create a custom Conditional Access policy specifically for Remote …

Read more

Understanding Windows Autopatch groups

This week something completely different, but maybe even more intriguing at some level. That something is Windows Autopach groups. Windows Autopatch groups are logical containers, or units, that can group several Azure AD groups and different software update policies, within Windows Autopatch. That’s a really nice addition to Windows Autopatch that is available starting with the latest service update of May 2023. Windows Autopatch groups enable organizations to create different selections of devices with as many as 15 unique deployment rings, custom cadences and content. And a tenant can contain up to 50 Windows Autopatch groups. That enables IT administrator to create nearly any structure for patching their devices within Windows Autopatch. This post will start with some more details for understanding Windows Autopatch groups, …

Read more