Using Smart App Control as starting point for Windows Defender Application Control

This week is all about Smart App Control and Windows Defender Application Control (WDAC). Starting with Windows 11, version 22H2, Microsoft introduced Smart App Control to provide consumers with additional protection against threats by blocking apps that are malicious, untrusted, or potentially unwanted. Smart App Control is based on WDAC and works in a similar way. It provides basic protection rules that can also be reused within an enterprise environment. Smart App Control by itself is only available on a fresh installation of Windows 11, version 22H2, and not after an upgrade. On enterprise-managed devices, Smart App Control is automatically turned off. That doesn’t mean, however, that Smart App Control doesn’t provide any useful standard configurations. Smart App Control can be an excellent starting point, …

Informing users of newly enrolled devices

This week is all about a nice small new feature that became generally available with the latest service release of Microsoft Intune (2301). That feature is enrollment notification. Enrollment notifications provide organizations with an easy method to notify users when a new device is enrolled. That provides organizations with more grip on the devices that are enrolled within the environment, as users will be informed when a new device was enrolled using their credentials. Besides that, it also provides organizations with an alternative method to welcome employees. In other words, a great way to trigger users. Enrollment notifications can be used for Windows, Android, iOS/iPadOS, and macOS devices that are enrolled by using the user-driven enrollment methods. The notifications can be email notifications and push …

Managing privacy controls for Office products

This week is all about managing privacy controls for Office products. That includes Office on Android devices, Office on iOS devices, Office for Mac devices, Office for the web, and Microsoft 365 apps for enterprise on Windows devices. Most organizations often already have a good look at the required configuration options for the privacy controls on Windows devices. Office for other platforms, however, is often forgotten. Just like Office for the web. The good thing, though, is that there are nowadays multiple privacy controls available that can be configured for Office on all platforms. For some platforms there are even multiple configuration options. The best part of those configuration options is that there is also an option to configure the privacy controls across platforms. This post will …

Configuring Shared PC mode with OneDrive sync enabled and configured

This week another short blog post about another nice configuration addition to Windows. This time it’s about configuring Shared PC mode with OneDrive sync. Shared PC mode by itself is nothing new, or special, but there was something missing. That something was the OneDrive sync, as there are scenarios in which it’s still required to use OneDrive on a Shared PC. The default behavior of Windows, however, was to prevent the usage of OneDrive, once Shared PC mode was enabled. That’s still the case, but starting with Windows 11 version 22H2 a new setting is introduced that enables IT administrators to enable Shared PC mode with OneDrive sync enabled. A new setting to enable Shared PC mode. This post will start with a short introduction …

Easier configuring additional LSA protection

This week another short blog post about another nice configuration addition to Windows. This time it’s about configuring additional Local Security Authority (LSA) protection for credentials. LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. Starting with Windows 8.1 and later, additional protection is provided for the LSA, to prevent reading memory and code injection by non-protected processes. That provides added security for the credentials that LSA stores and manages. Not really something new, but it’s good to know that something has changed from a configuration perspective. The protected process setting for LSA can also be configured in Windows 8.1 and later. That would, however, always require the manual creation of a …

Automatically switching the Windows Firewall profile on Azure AD joined devices

This new year starts with a short blog post about another nice configuration addition to Windows. Starting with the latest release of Windows 11, it’s now possible to make the Windows Firewall aware of the location of the device. That may sound like a bit more than what it actually is. The idea is that it enables Windows to check if it’s on a domain connected network, based on the accessibility of one or more URLs. When one of the URLs is available, Windows will switch the Windows Firewall profile to domain. When none of the URLs are available, Windows will work how it always worked and in general simply rely on the public profile. That behavior enables IT administrators to configure specific firewall exclusions, only when …

Configuring Windows Package Manager

This week is all about configuring Windows Package Manager. With the ability of standard users to install apps by using winget and with the release of the new Microsoft Store apps within Microsoft Intune, the configuration of Windows Package Manager gets more and more important. Of course, it was already important to have a solid configuration, but with Windows Package Manager getting a more prominent role, a good configuration is required. The good thing is that with the introduction of Windows 11, version 22H2, Microsoft also introduced new configuration options for Windows Package Manager. Before, the configuration was limited to Group Policy settings and the settings.json file. Now there are also Configuration Service Provider (CSP) settings. The Policy CSP now contains nodes for the configuration of the …

Test Base for Microsoft 365 integration with Microsoft Intune

This week is all about the Test Base for Microsoft 365 (Test Base) integration with Microsoft Intune. About a year ago Test Base was also a subject on this blog. Back then it was focused on getting started with Test Base. In the meantime, a lot has changed. And changed in a good way. Some really nice features were added, and one of those features is the integration with Microsoft Intune. As one of the focus areas of Test Base is on IT professionals who want to validate their applications, that integration will make their lives a lot easier. That integration will simplify the creation of a package within the Test Base account. It will preconfigure values during the creation of a package. Of those …

Simplifying the management and configuration of your favorite browser

This week is all about simplifying the management and configuration of your favorite browsers, by using Microsoft Intune. That’s definitely not the sexiest subject, but it’s important to be familiar with the easy options that are available nowadays. With the latest additions to Microsoft Intune, the management and configuration of the different browsers became more of a native functionality. Native functionality was already available for Microsoft Edge, and recently became available for Google Chrome. And now, with the recent addition of importing third-party administrative templates, it became available for every browser that could be easily managed within an on-premises environment, by using Group Policies. Besides that, there are even alternatives when really needed. This post will provide an overview of the different options for managing …

Excluding Azure file shares from Conditional Access policies requiring MFA

This week is another short follow-up on the last couple of weeks. While the last couple of weeks were all about configuring the authentication on Azure file shares and on mapping Azure file shares, this week is all about the exclusion for multi-factor authentication (MFA). During the initial post, about using Azure AD Kerberos authentication for Azure file shares, it was mentioned that Azure AD Kerberos doesn’t support using MFA for accessing Azure file shares. The steps to prevent that just weren’t described. And based on comments and feedback, it’s good to still walk through the steps for configuring that exclusion. This post will briefly discuss the challenge, followed by the steps to create the exclusion for Azure file shares. This post will end with the …
