Enabling remote access for specific users on Azure AD joined devices

This week is sort of a follow-up on my previous posts about restricting the local log on to specific users. While those posts were focused on restricting the local log on, this post will be focused on enabling remote access for specific users. More specifically, remote access for specific users on Azure AD joined devices. That’s not something to exciting, but definitely something that comes in useful every now and then. Besides that, this was already possible – for a long time – but would often require the device to be joined to the same tenant and take out some security configurations (like Network Level Authentication). That’s no longer required – already for almost a year – as it it can now rely on Azure …

Read more

Fixing self-service when restricting the local log on

This week is a quick follow-up on the post of last week. That post was focussed on restricting the local log on to Windows devices. Part of that post was also the broken self-service password reset and self-service PIN reset functionalities. When using the most restrictive option of a whitelist, for configuring the users that are allowed to log on locally, that will break those functionalities. This week will be all about a follow-up on that behavior. When it’s required to restrict the local log on Windows devices, and users should still be able to use the different self-service functionalities, this post will provide a solid starting point. Of course, that’s not applicable to every scenario. Only scenarios in which there are actual users logging …

Read more

Restricting the local log on to specific users

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it is been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved by either only allowing specific users to log on, or by denying specific users to log on. In other words, whitelisting versus blacklisting. The allow-option is basically a whitelist and the deny-option is basically a blacklist. When looking at restricting the local logon, a whitelist is the easiest method to get quickly really restrictive, as only the users on the list are allowed to log on locally. Luckily, nowadays there is easy method for configuring …

Read more

Getting started with Windows driver update management

This week is about a very recent introduced feature around updating Windows devices and that feature is driver updates. Driver update management on itself is not that new, as that was introduced a few months ago as a part of the Windows Update for Business deployment service. However, being able to use Microsoft Intune to manage driver updates via that deployment service is definitely something new. That makes it a lot easier to use the driver management functionality. Microsoft Intune introduced a new Driver updates for Windows 10 and later profile that does all the heavy lifting for managing driver updates on Windows devices. This post will start with an introduction about Windows driver update management, followed with the steps for creating and assigning the profiles. …

Read more

Creating supplemental Application Control policies for the base Application Control policies created with the built-in controls

This week is a follow-up on the post of last week about easily configuring the Intune Management Extension as managed installer for Windows Defender Application Control. That post already had a note regarding supplemental Application Control policies. This week, the focus will be on adding supplemental Application Control policies on top of the base Application Control policies that are created when using the built-in controls in the creation of an Application Control policy. The great thing is that those base Application Control policies all have standard configurations and can easily be reused. This post will focus on those base Application Control policies and using those with supplemental Application Control policies. This post will finish with the distribution of such supplemental Application Control policies and the …

Read more

Easily configuring the Intune Management Extension as managed installer for Windows Defender Application Control

This week is all about a great feature that has been introduced with the latest service release of Microsoft Intune (2306). That feature is the ability to easily configure the Intune Management Extension as a managed installer on Windows devices. Until this new ability, it’s always been challenging to work with the Intune Management Extension in combination with Windows Defender Application Control (WDAC). The main challenge was to configure the Intune Management Extension as a managed installer, to simplify the acceptance of applications that were installed via that extension. With this new feature, it’s now possible to configure the Intune Management Extension as a managed installer, by using a tenant-wide configuration. So, that will take away any challenging configuration to configure a managed installer. This …

Read more

Managing updates for Visual Studio

This week is all about something relatively new with Microsoft Intune and that is managing Visual Studio settings. Many settings for managing Visual Studio were already available via registry keys and ADMX-files. Those ADMX-files could already be imported within Microsoft Intune, but are now also directly available within the Settings Catalog with the latest service release (2305). That enables organizations to easily manage the most important configuration settings that are required to at least make sure that the basics of the Visual Studio installation are compliant with the company policies. An important part of that is managing the updates for Visual Studio. That can make sure that the installations of Visual Studio within the organization, at least have the latest security updates installed. This post …

Read more

Configuring the default credential provider

This week is a short post about configuring the default credential provider and this is basically a small addition to the blog posts of about two years ago around configuring credential providers. That time the focus was around actually making it impossible to use specific credential providers. This time the focus is around configuring the default credential provider. That can be a powerful combination, but that can also be a step in the direction of guiding users away from using username-password. So, guiding users instead of forcing users. From a technical perspective that could make it a bit easier, as it doesn’t involve removing functionalities. In this case, it simply provides the configured credential provider as the default credential provider. That default credential provider will …

Read more

Using Conditional Access for Remote Help

This week is a short post about a small nice addition to Remote Help. That small nice addition, however, can be an important piece towards the solid zero trust implementation within the organization. That addition is the ability to use Conditional Access specifically for Remote Help. That doesn’t mean, however, that Conditional Access was not applicable towards Remote Help before. When assigning a Conditional Access to all cloud apps that would (and will always) also include Remote Help. The main change is that it’s now possible to create a service principal for the Remote Assistance Service that can be used as a cloud app in the assignment of a Conditional Access policy. That enables organizations to create a custom Conditional Access policy specifically for Remote …

Read more

Understanding Windows Autopatch groups

This week something completely different, but maybe even more intriguing at some level. That something is Windows Autopach groups. Windows Autopatch groups are logical containers, or units, that can group several Azure AD groups and different software update policies, within Windows Autopatch. That’s a really nice addition to Windows Autopatch that is available starting with the latest service update of May 2023. Windows Autopatch groups enable organizations to create different selections of devices with as many as 15 unique deployment rings, custom cadences and content. And a tenant can contain up to 50 Windows Autopatch groups. That enables IT administrator to create nearly any structure for patching their devices within Windows Autopatch. This post will start with some more details for understanding Windows Autopatch groups, …

Read more