Device compliance for Windows 365 Enterprise Cloud PCs

This week is a short follow-up on my posts of the last couple of weeks about getting started with Windows 365 Enterprise. One of the items that was not specifically addressed is device compliance. In general it would be great to address Cloud PCs like any other laptop or desktop within the organization. There are, however, some differences to keep in mind that might require organizations to use a slightly adjusted configuration for Cloud PCs. One of the main reasons for that could be disk encryption. This post will address how disk encryption is different for Cloud PCs and also how other hardening features are similar for Cloud PCs. Besides that, this post will provide an easy method to work with exceptions for Cloud …

Getting started with Windows 365 Enterprise using a custom image

The last couple of weeks were mainly focused on getting started with Windows 365 Enterprise, and in particular on the networking configurations and join types of Cloud PCs. This week the focus will go to the more advanced imaging options. When looking specifically at Windows 11, the available Gallery image only contains the Microsoft 365 apps for enterprise. In some scenarios that might not be sufficient and some tuning and additional apps are required. In those cases, it’s always possible to rely on a custom image: an image that is based on the same starting point, but tuned to be a better fit for that specific scenario. This post will go through a simple process for creating an image based on an Azure Virtual Machine (VM), …

Getting started with Windows 365 Enterprise using an Azure Network Connection

This week is a follow-up on last week. Last week was about Windows 365 Enterprise in its simplest form, while this week will be about the more advanced networking forms of Windows 365 Enterprise. In other words, the different options of the Azure network connections and what they bring to Cloud PCs. For a quick introduction to Cloud PCs in their simplest form, with a Microsoft hosted network connection, have a look at that previous post. The more advanced networking connections enable organizations to create a connection with an on-premises environment. That on-premises environment can be an environment running in Azure, or an environment running in any datacenter, as long as it’s connected. The idea of this post is to provide the basics around the …

Getting started with Windows 365 Enterprise using a Microsoft Hosted Network

This week is not about something totally new, but it is about something that really deserves a place on this blog. It’s all about Windows 365 Enterprise. More specifically, Windows 365 Enterprise in its simplest form, in a Microsoft Hosted Network. Windows 365 Enterprise is a cloud service provided by Microsoft that will automatically create Windows virtual machines (a.k.a. Cloud PCs) for licensed users. It is a very straightforward method to provide users with a personal PC from the cloud (a.k.a. Cloud PC). It combines the strengths of different Microsoft products by relying on Microsoft Endpoint Manager for management, by relying on Azure AD for identity and access control and by relying on Azure Virtual Desktop for remote connectivity. The idea of this post is to provide …

Easily managing Universal Print printers on Windows 11 devices

This week is all about Microsoft Universal Print. Not, however, about the concept, the connectors, the printers, or the printer shares. Just about the configuration, via Microsoft Intune, on Windows devices. And in particular, at this moment, Windows 11 devices. Windows 11 devices now contain the UniversalPrint CSP that can be used to easily configure Universal Print printers on Windows devices. That replaces the existing Universal Print printer provisioning tool and provides a direct configuration (and integration) option with Microsoft Intune. Based on the provided configurations it retrieves the required printer information from the Universal Print service and installs the printer on the Windows device. This post will go through the available settings in the UniversalPrint CSP and the configuration via Microsoft Intune. Important [Updated: 16-08-22]: Eventually …

Getting started with Device Control Printer Protection

This week is a follow-up on an earlier post about controlling devices connected to Windows devices. That post was focussed on device control as a feature of Microsoft Defender for Endpoint, in general. This post will specifically focus on Device Control Printer Protection. Device Control Printer Protection is the printer protection feature that can be used to prevent users from printing via non-corporate network printers or non-approved USB-printers. That adds an additional layer of data protection and security. This post will look in more detail at the printer protection configuration options, at applying printer protection and at the experience with printer protection enabled (the user experience and the administrator experience). Note: The configuration options (protect) are available within a Microsoft 365 E3 license and the …

Using the software updates page in the Microsoft 365 admin center for a high-level overview

This week is all about creating some awareness for a newly introduced page within the Microsoft 365 admin center portal. That new page is the Software updates page and that page provides a high-level overview – in the Windows tab – of the installation status of Windows updates within the organization. It literally provides a high-level overview, as it currently only shows the most important pieces of information. Those pieces of information are the Windows update status information and the End of servicing information. That information provides key insights into the status of devices within the organization. That includes a quick look at the status of the latest security updates on the devices within the organization, to make sure that the devices are protected from …

Getting started with Azure Monitor agent on Windows client devices

This week is about something totally different compared to the last weeks and maybe even months. There have been examples before about gathering additional data of Windows devices and using that information for dashboards and more. Those examples were mainly focused on existing data and custom scripting. This time the focus is on the Azure Monitor agent for Windows client devices. A few months ago Microsoft introduced the Windows client installer that can be used to collect data from desktops, workstations and laptops, in addition to the already existing options for servers and virtual machines. It enables the collection of Event Logs, Performance Counters and more. That could be useful with, for example, the introduction of AppLocker, to gather events about the behavior of apps. …

Easily installing Progressive Web Apps

This week is not something completely new, but more something nice to be aware of. This week is all around Progressive Web Apps (PWAs) and easily and automatically installing them on Windows devices. The great thing about PWAs is that they’re basically websites that are enhanced to function like installed, native apps on supporting platforms, while functioning like regular websites on other browsers. That provides a great cross-platform experience. On Windows devices, PWAs can actually be installed like a native app and in some ways even behave like native apps. That provides a really powerful experience. With Microsoft Edge basically any website can be installed as an app. The behavior depends on the capabilities of the website. A nice add-on to that is that the …

Verifying installed applications as part of the compliance of Windows devices

This week is focused on the installed applications on Windows devices. More specifically, this week is focused on making sure that Windows devices are compliant with a list of unapproved apps. There are many methods for making sure that users won’t or can’t install specific apps on their Windows device. That could be by simply making sure that users don’t have the permissions to install apps and locking down their Windows devices, but that could also be by verifying the installed apps on their Windows devices. This post will focus on the latter, by comparing the installed apps with a list of unapproved apps. That can be achieved by using custom compliance settings. A few months ago I wrote about working with custom compliance settings. That …
