Controlling devices connected to Windows devices

This week is all about device control. Device control is often referred to as a feature of Microsoft Defender for Endpoint and is focused on preventing data leakage. That is achieved by limiting the devices that can be connected to a Windows device. The idea is also pretty straight forward: control which devices can connect to a Windows device. That can be achieved by looking at the hardware device installation, at the removable storage and at the bluetooth connections. Besides that it’s even possible to get creative with printers. Most of these settings – with exception of the printer settings – are configurable via the endpoint security options, but most settings are actually configured via different CSPs on the Windows device. This post will walk …

Read more

Getting started with Test Base for Microsoft 365

This week is about something relatively new, but especially something rather unknown. And that is Test Base for Microsoft 365 (Test Base). Test Base is a validation service based in a secure Azure environment, that enables Software Vendors (SVs) and System Integrators (SIs) to validate their applications against pre-released Windows security and feature updates. The best part is that it also enables customers and partners to do the same. That enables organizations to automatically test their critical business app with the upcoming Windows security and feature updates. A sort of automated testing. That helps organizations to be even better prepared for the upcoming Windows security and feature updates. This post is to create more awareness for Test Base and to make sure that organization are …

Read more

Configuring Windows Hello for Business dynamic lock

The last few weeks – before my vacation – were all around Windows Hello for Business. And especially around unlocking devices by using Windows Hello for Business functionalities. This week, however, is a little different. This week is around the automatic lock functionality of Windows Hello for Business. That functionality is Windows Hello for Business dynamic lock. Dynamic lock enables organizations to automatically lock devices when users step away from their device. That automatic lock can be achieved by using the bluetooth signal of a paired phone. The device will automatically lock when the signal of that paired phone falls below the configured minimum value. Of course, automatically locking the device doesn’t prevent users from forgetting to lock their device, but it does prevent the …

Read more

Configuring Windows Hello for Business multi-factor unlock

This week continues the journey through Windows Hello for Business. The last weeks were all about requiring the use of Windows Hello for Business, while this week is all about requiring the use of something extra with Windows Hello for Business. That something extra is a second unlock factor. By default, Windows requires the use of a single authentication factor to verify the identity of a user and to unlock the device. And even though the construction of Windows Hello for Business can be considered multi-factor authentication, as it combines something that you have (e.g. a device with a hardware TPM) with something that you know (e.g. a PIN) or with something that you are (e.g. a fingerprint), the unlock factor of the device with …

Read more

Excluding the password credential provider

This week is a follow up on the post of last week. In that post there was a reference to the option to completely exclude the password credential provider to force the user in to using Windows Hello for Business. This week is all about that option to exclude the password credential provider – and basically any other credential provider – from use during authentication. Credential providers are the primary mechanism for authenticating users in Windows and to verify their identity. Those credential providers are shown as different small tiles to the user as different options to authenticate in Windows. With Windows 10 and later, credential providers are also used for authenticating users in apps, websites, and more. By installation default, Windows already provides a …

Read more

Requiring the use of Windows Hello for Business for interactive logons

This week is all about Windows Hello for Business. Windows Hello for Business provides a really convenient and user-friendly method to authenticate in Windows, as it enables users to verify their identity by using a gesture (face, fingerprint or PIN). More importantly, however, Windows Hello for Business is also an important step in the transition to a passwordless environment, as it replaces the need for the traditional username-password authentication with a strong two-factor authentication on Windows devices. By default, Windows Hello for Business will be an additional method to get authenticated in Windows. When working towards a passwordless environment, it’s important to also take further actions for Windows devices, by preventing the use of the traditional username-password and by requiring the use of Windows Hello …

Read more

Alternatives for querying and visualizing Update Compliance data

This week is follow-up on the post of last week about enhancing Update Compliance with a custom Workbook in Microsoft Endpoint Manager admin center. There were multiple questions on that post regarding alternatives for querying and visualizing the Update Compliance data. The good news is that there are actually multiple alternatives for querying Update Compliance data, but, in all fairness, all the alternatives rely on the same API. The Azure Log Analytics REST API. That API can be called by specifying the workspace, providing a token and running the required query. Pretty straight forward. Also, that API is an important part of most other methods that are used for querying Update Compliance data. This post will provide a quick introduction to the Azure Log Analytics …

Read more

Enhance Update Compliance with a custom Workbook in Microsoft Endpoint Manager admin center

This week is all about enhancing Update Compliance by using a custom Workbook within the Microsoft Endpoint Manager admin console. The Update Compliance Workbook. That Update Compliance Workbook enables the IT administrator to get a quick view on the most important details. Besides that, adding that Update Compliance Workbook in the Microsoft Endpoint Manager admin center enables the IT administrator to pin the different queries of that Update Compliance Workbook to the dashboard. That provides the IT administrator with a dashboard that contains all the status information about the Microsoft Intune environment and a quick overview of the update status of the Windows 10 devices within that environment. This post provides that Update Compliance Workbook with the most important status information coming from the Update …

Read more

Using filters for assigning apps, policies and profiles to specific devices

This week is all about filters. Filters are basically a super-set of the functionalities of applicability rules – already available for a while for Windows 10 – and are a great new addition to assigning apps policies and profiles to specific devices. Those specific devices are only the devices that meet the specific properties that are configured in the filters. A great method for specifically targeting apps, policies and profiles. This post starts with a short introduction about filters, followed with information about creating and using filters (including the steps for using and creating filters). This post ends with the administrator experience with filters. Introducing filters For device configuration profiles for Windows 10 devices it was already possible to use applicability rules. Applicability rules would …

Read more