Windows 11

Using temporary enterprise feature control for early testing new features in Windows

by

This week is all about creating awareness around a recently new feature for controlling the availability of new features in Windows 11. That new feature is temporary enterprise feature control. Temporary enterprise feature control is introduced – together with permanent enterprise feature control – to manage the introduction of new features within the enterprise. With the continuous innovation that was recently introduced by Microsoft, new features are no longer only introduced with the latest feature update. New features are now already introduced with the Latest Cumulative Update (LCU), but are off by default. And new features with impact (like new experiences, new in-box applications, removing existing capabilities, or overriding previously configured settings) are behind that new feature, temporary enterprise feature control. New features behind that …

Read more

Scheduling automatic policy refreshes for Windows devices without requiring a check-in

by

This week is sort of a follow-up on a blog post of about four (!) years ago. That post was focussed on the policy refresh on Windows devices. Since very recently, there is now something new available to refresh the applied configurations. That something new is: Config Refresh. Config Refresh can be used to configure a refresh cadence in which the already received configuration policies will be refreshed. No matter if the device is online, or offline. A great addition to at least make sure that the received configuration is applied. Config Refresh became available as a configuration option in Microsoft Intune, with the latest service release (2309). Besides that, it relies on an addition in the DMClient CSP that became available just recently in …

Read more

Enabling remote access for specific users on Azure AD joined devices

by

This week is sort of a follow-up on my previous posts about restricting the local log on to specific users. While those posts were focused on restricting the local log on, this post will be focused on enabling remote access for specific users. More specifically, remote access for specific users on Azure AD joined devices. That’s not something to exciting, but definitely something that comes in useful every now and then. Besides that, this was already possible – for a long time – but would often require the device to be joined to the same tenant and take out some security configurations (like Network Level Authentication). That’s no longer required – already for almost a year – as it it can now rely on Azure …

Read more

Fixing self-service when restricting the local log on

by

This week is a quick follow-up on the post of last week. That post was focussed on restricting the local log on to Windows devices. Part of that post was also the broken self-service password reset and self-service PIN reset functionalities. When using the most restrictive option of a whitelist, for configuring the users that are allowed to log on locally, that will break those functionalities. This week will be all about a follow-up on that behavior. When it’s required to restrict the local log on Windows devices, and users should still be able to use the different self-service functionalities, this post will provide a solid starting point. Of course, that’s not applicable to every scenario. Only scenarios in which there are actual users logging …

Read more

Restricting the local log on to specific users

by

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it is been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved by either only allowing specific users to log on, or by denying specific users to log on. In other words, whitelisting versus blacklisting. The allow-option is basically a whitelist and the deny-option is basically a blacklist. When looking at restricting the local logon, a whitelist is the easiest method to get quickly really restrictive, as only the users on the list are allowed to log on locally. Luckily, nowadays there is easy method for configuring …

Read more

Easily removing access to the Microsoft Store

by

This week is all about access to the Microsoft Store. And more specifically, about a single policy setting to potentially turn of access to the Microsoft Store. Many organizations struggle with the Microsoft Store on Windows devices, because the Microsoft Store enables users to install apps in their profile that aren’t necessarily work related. That brings organization on a crossroad. When an organization decides to block access to the Microsoft Store, there were already different options available. So far, the most effective methods were to either configure Windows to show the private store only, or to use AppLocker. None of those methods, however, would be complete and simple. Often it was still possible to use winget to still install apps, or the configuration would get …

Read more

Getting started with Windows 365 Switch

by

This week is a follow-up on a blog post of a couple of months ago about a new feature for Windows 365 Enterprise. That post was focused on Windows 365 Boot and that post mentioned that last year Microsoft announced many nice upcoming features with Windows 365 App, Windows 365 Boot, Windows 365 Offline and Windows 365 Switch and more recently even a great licensing enhancement with Windows 365 Frontline. This time it’s about Windows 365 Switch, which is another new feature that was announced and recently released in public preview. Windows 365 Switch provides users with the ability to easily switch between the local desktop and a Windows 365 Cloud PC. That provides a seamless experience via the Task View feature on Windows 11. …

Read more

Getting started with Mobile Application Management for Windows

by

This week is all about Mobile Application Management (MAM) for Windows. A long awaited feature that will be a big help with addressing unmanaged Windows devices. MAM for Windows enables organizations to manage the app in a similar way as already possible on mobile platforms. So, making sure that there is a separation between personal and work data, and making sure that the chances of accidental data leakages getting slimmer. In some areas, especially when looking at browser access, it might feel similar to what could already be achieved by using app enforced restrictions in Conditional Access, or by using Microsoft Defender for Cloud Apps in combination with Conditional Access. Big difference, however, is that MAM for Windows also includes the ability to use app …

Read more

Getting started with Windows driver update management

by

This week is about a very recent introduced feature around updating Windows devices and that feature is driver updates. Driver update management on itself is not that new, as that was introduced a few months ago as a part of the Windows Update for Business deployment service. However, being able to use Microsoft Intune to manage driver updates via that deployment service is definitely something new. That makes it a lot easier to use the driver management functionality. Microsoft Intune introduced a new Driver updates for Windows 10 and later profile that does all the heavy lifting for managing driver updates on Windows devices. This post will start with an introduction about Windows driver update management, followed with the steps for creating and assigning the profiles. …

Read more