Getting started with Remote help for Windows devices

This week is all about getting started with Remote help for Windows devices. Remote help is recently introduced as a new feature in Microsoft Intune that can be used for providing remote assistance to users on Windows devices. It looks a lot like the existing Quick Assist app on Windows, but it has a few big advantages. It integrates with Microsoft Endpoint Manager for providing remote assistance to managed devices, it integrates with Azure Active Directory for providing authentication and compliance information, and it provides a better administrator experience. There are communication options with the user and there is the ability to work with elevated permissions. This post will go through the steps for configuring Remote help in the tenant and through the steps for …

Read more

Working with custom compliance settings

This week is all about the latest capabilities that are available within compliance policies. Those capabilities are custom compliance settings. Custom compliance settings enable the IT administrator to basically check for anything and to use that for the compliance state of the device. The IT administrator can use PowerShell script in the custom compliance setting, to verify the status of anything that is available on the device. The results can be compared to rules and values that are configured in a JSON file. The result of that comparision can be used as part of the compliance policy. This post will proivde a quick introduction to custom compliance settings, followed with the steps to create the require PowerShell script and JSON file. This post will end …

Read more

Getting started with Security Management for Microsoft Defender for Endpoint

This week is all about Security Management for Microsoft Defender for Endpoint. Security Management for Microsoft Defender for Endpoint is the new configuration channel that can be used for managing the security configuration for Microsoft Defender for Endpoint (MDE) on devices that are not enrolled into Microsoft Endpoint Manager (MEM). Not in Microsoft Intune, nor in Configuration Manager. With that new configuration channel, MDE retrieves, enforces, and reports on the policies that are assigned via MEM. After onboarding to MDE, the devices are automatically joined to Azure AD and become visible in the MEM (and Azure AD and Microsoft 365 Defender). Within MEM those devices are marked as managed by MDE. This post will go through the steps to configure the required tenant configurations, the …

Read more

Different options for upgrading devices to Windows 11

This week is again all about upgrading devices to Windows 11, by using Microsoft Intune. When discussing the upgrade to Windows 11, the first and foremost thing to mention is that managed devices won’t automatically upgrade to Windows 11. There is always an action required by the IT administrator to make sure that managed devices are allowed to upgrade to Windows 11. The options to configure those managed devices, however, were limited when using Microsoft Intune. That has changed with the latest service release (2111) of Microsoft Intune. That service release introduced a few more options for managing and controlling the upgrade to Windows 11. This post will go through those different methods for upgrading devices to Windows 11, followed the configuration options for those …

Read more

Managing Windows Insider Preview Builds within the organization

This week is al around managing Windows Insider Preview Builds. Even though it’s not a new subject, it’s good to at least get a refresher. Especially when mentioning the Windows Insider Preview for Business program, as it’s often still unknown. The fun part, however, is that it’s actually pretty simple to get started. For organizations, the Windows Insider Preview for Business program enables them not having to register each device or user in the program and to easily set important policies around preview builds. The only requirement is to register an Azure AD tenant, so it can be used for authentication.This post walks through that requirement and more, as prequisites for configuring Windows Insider Preview Builds within the organization, followed with the steps for creating …

Read more

Allowing users to opt-in for Windows 11 by using access packages

This week is all about providing users with an easy method to opt-in for using Windows 11. That easy method can be created by using standard functionality that is provided by Azure AD entitlement management – an identity governance feature – and that can be used to automate access request workflows, access assignments, reviews, and expiration. More specifically, entitlement management introduces the concept of an access package and those packages provide an easy method to govern access. In a way, an access package can be used to create a simple automated flow to allow users to opt-in for Windows 11. That can be achieved adding the user to an Azure AD group and using that group for the assignment of a feature update deployment. This …

Read more

Controlling devices connected to Windows devices

This week is all about device control. Device control is often referred to as a feature of Microsoft Defender for Endpoint and is focused on preventing data leakage. That is achieved by limiting the devices that can be connected to a Windows device. The idea is also pretty straight forward: control which devices can connect to a Windows device. That can be achieved by looking at the hardware device installation, at the removable storage and at the bluetooth connections. Besides that it’s even possible to get creative with printers. Most of these settings – with exception of the printer settings – are configurable via the endpoint security options, but most settings are actually configured via different CSPs on the Windows device. This post will walk …

Read more

Getting started with Test Base for Microsoft 365

This week is about something relatively new, but especially something rather unknown. And that is Test Base for Microsoft 365 (Test Base). Test Base is a validation service based in a secure Azure environment, that enables Software Vendors (SVs) and System Integrators (SIs) to validate their applications against pre-released Windows security and feature updates. The best part is that it also enables customers and partners to do the same. That enables organizations to automatically test their critical business app with the upcoming Windows security and feature updates. A sort of automated testing. That helps organizations to be even better prepared for the upcoming Windows security and feature updates. This post is to create more awareness for Test Base and to make sure that organization are …

Read more

Configuring Windows Hello for Business dynamic lock

The last few weeks – before my vacation – were all around Windows Hello for Business. And especially around unlocking devices by using Windows Hello for Business functionalities. This week, however, is a little different. This week is around the automatic lock functionality of Windows Hello for Business. That functionality is Windows Hello for Business dynamic lock. Dynamic lock enables organizations to automatically lock devices when users step away from their device. That automatic lock can be achieved by using the bluetooth signal of a paired phone. The device will automatically lock when the signal of that paired phone falls below the configured minimum value. Of course, automatically locking the device doesn’t prevent users from forgetting to lock their device, but it does prevent the …

Read more