Easily enforcing specific Windows Sandbox configurations

This week is all about Windows Sandbox. About two years ago I wrote a post about simply enabling Windows Sandbox, by using a simple PowerShell script and distributing that script by using Microsoft Intune. Windows Sandbox is a really nice feature for running applications in an isolated environment. That isolated environment supports simple configuration files, which provide a minimal set of customization parameters. With the latest version of Windows 10, the administrator receives some controls for enforcing specific customization parameters. That won’t prevent the user from creating a configuration file, but that does prevent specific customization parameters from applying to the Windows Sandbox. In this post I’ll briefly go through the currently available policies, followed with the steps of configuring those policies. I’ll end this …

Read moreEasily enforcing specific Windows Sandbox configurations

Easier managing local administrators via Windows 10 MDM on Windows 10 20H2 and later

This week back to the Windows platform. This week is again about managing local administrators on Windows 10 devices. Even in a modern world, there can still be a need for managing the local administrators on a Windows 10 devices and often that still requires more flexibility than provided with the default Azure AD functionality. I’ve also discussed managing local administrators already multiple times – either by using a Windows 10 MDM policy setting or by using proactive remediations – and this time it’s about a new method that became available in Windows 10, version 20H2 and later. That method is a new Windows 10 MDM policy setting. In this post, I’ll provide an introduction to that new policy setting and I’ll show how to …

Read moreEasier managing local administrators via Windows 10 MDM on Windows 10 20H2 and later

Opting out of safeguard holds

This week is all about safeguard holds. More specifically, the ability of opting out of safeguard holds. Safeguard holds prevents devices with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. That protects the device and user from a failed or poor experience with the Windows 10 feature update. Starting with the October 2020 security update, devices running Windows 10, version 1809 and above, receive a new setting that can be used for opting out of safeguard holds. In this post I’ll start with an introduction to safeguard holds, followed with the steps of creating a device configuration profile for opting out of safeguard holds. Important: Opting out of a safeguard hold can put devices at risk …

Read moreOpting out of safeguard holds

Remediating local administrators with proactive remediations

Like last week, this week is all about proactive remediations, a feature of Endpoint Analytics. As mentioned last week, proactive remediations are script packages that can detect common issues and remediate those issues if needed. All of that before the user even realizes that there is an issue. Those remediations can help with reducing support calls. The strength is that the remediations can be anything to address potential issues, as long as it can be addressed by using PowerShell. Each script package contains a detection script and a remediation script and that script package is deployed through Microsoft Intune. For deploying script packages, Microsoft Intune relies on the Intune Management Extension (IME). To show the real power of proactive remediations, I’ll further develop the local …

Read moreRemediating local administrators with proactive remediations

Detecting local administrators with proactive remediations

This week is all about proactive remediations, which is a feature of Endpoint Analytics. Proactive remediations are script packages that can detect common issues and remediate those issues if needed. All of that before the user even realizes that there is an issue. Those remediations can help with reducing support calls. The strength is that the remediations can be anything to address potential issues, as long as it can be addressed by using PowerShell. Each script package contains a detection script and a remediation script and that script package is deployed through Microsoft Intune. For deploying script packages, Microsoft Intune relies on the Intune Management Extension (IME). To show the power of proactive remediations, I’ll use local administrators as an example. I’ve did something similar …

Read moreDetecting local administrators with proactive remediations

Deploy Microsoft Defender Application Control policies without forcing a reboot

This week is all about Microsoft Defender Application Control (MDAC). More specifically, about configuring MDAC policies on Windows 10 devices by using Microsoft Intune without forcing a reboot. MDAC, often still referred to as Windows Defender Application Control (WDAC), restricts application usage by using a feature that was previously already known as configurable Code Integrity (CI) policies. To make the history lesson complete, configurable CI policies was one of the two main components of Windows Defender Device Guard (WDDG). History aside, CI policies help with protecting Windows 10 devices by checking apps based on the attributes of the code signing certificates and the app binaries, the reputation of the app, the identity of the process that initiated the installation (managed installer) and the path from …

Read moreDeploy Microsoft Defender Application Control policies without forcing a reboot

Windows 10 MDM Bridge WMI Provider: Settings template

This week my post is a few days later, as my post is an extension of my session at the Workplace Ninja Virtual Summit 2020. At the virtual summit I did a session about Getting to know the Windows 10 MDM WMI Bridge provider and during my session I shared how to easily work with the Windows 10 MDM Bridge WMI provider. Similar to using Microsoft Intune to address the different CSPs, we can also use PowerShell via the WMI bridge. The main thing that I’ve showed at the end of that session was a setting template, basically a PowerShell-function, that can be used to set, adjust and remove nearly all settings via the MDM WMI Bridge provider. That PowerShell-script is available below and I’ve …

Read moreWindows 10 MDM Bridge WMI Provider: Settings template

Getting started with Endpoint Data Loss Prevention

Completely fresh after my vacation I thought it would be awesome to have a look at Endpoint Data Loss Prevention (DLP), which was announced during Microsoft Inspire. Endpoint DLP extends the activity monitoring and protection capabilities of DLP to sensitive content on Windows 10 devices. The best part of it is that the actual functionality is built-in to Windows 10 (and the Edge Chromium browser). No additional agent is required, just the onboarding of the device. In this post I want to start with a short introduction about Endpoint DLP, followed by the actions to onboard devices and to configure DLP policies and settings. I want to end this post by having a quick look at the end-user experience. Introduction to Endpoint DLP Let’s start …

Read moreGetting started with Endpoint Data Loss Prevention

Quick tip: Easy method for constructing settings of ingested ADMX-files

This week a quick extra blog post, just before the start of my vacation, about an easy method for construction settings of ingested ADMX-files. A few years ago I did a post about a deep dive for ingesting third-party ADMX-files and until today I still receive questions on that post that are related to constructing settings of ingested ADMX-files. Even though the described method is still available, there is an easier method for constructing the settings of ingested ADMX-files. A method that is less sensitive to errors. The following four steps walk through that easy method by again using chrome.admx as an example. The first step is ingesting the ADMX-file. That can be achieved by following the same steps as provided in my earlier post. …

Read moreQuick tip: Easy method for constructing settings of ingested ADMX-files

Working with Attack Surface Reduction rules to reduce the attack surface of applications

This week is al about Attack Surface Reduction (ASR) rules. ASR rules are originally introduced as one of the four main features of Windows Defender Exploit Guard. Windows Defender Exploit Guard was introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709, and was the successor of Enhance Mitigation Experience Toolkit (EMET). Nowadays ASR rules are just part of the attack surface reduction controls of Microsoft Defender, but many configuration paths will still refer to Windows Defender Exploit Guard. In this post I’ll have a closer look at configuring ASR rules by using Microsoft Intune. I’ll start with a short introduction about licensing and the different configuration options, followed by the steps for configuring ASR rules and showing the actual configuration. …

Read moreWorking with Attack Surface Reduction rules to reduce the attack surface of applications