Deploying Microsoft Defender Application Guard for Office

This week is all about Microsoft Defender Application Guard (Application Guard) for Office. It’s a follow up on this post of almost 2 years ago. That time the focus was simply on getting started with Application Guard and it slightly missed out on Application Guard for Office. This time Application Guard for Office will be the main focus. Application Guard for Office uses hardware isolation to isolate untrusted Office files, by running the Office application in an isolated Hyper-V container. That isolation makes sure that anything potentially harmful in those untrusted Office files, happens within that isolated Hyper-V container and is isolated from the host operating system. That isolation provides a nice, but resource intensive, additional security layer. This post will start with a quick …

Read more

Configuring search on Windows 11 taskbar

This week a short blog post about a small new setting that became available within Windows 11. That setting is the ability to configure search on the taskbar. With the latest version of Windows 11, Microsoft added a search box to the taskbar that enables users to easily find almost anything. It searches across Windows, OneDrive, SharePoint, and more. And it can find apps, files, settings, help, people ,and more. That makes it a very versatile search option for daily Windows users. Very powerful. The new setting enables users to configure the availability of search on the Windows 11 taskbar. From hidden till icon and label. That new setting can also be configured by the administrator, to enforce specific behavior. It could, for example, be …

Read more

Using Smart App Control as starting point for Windows Defender Application Control

This week is all about Smart App Control and Windows Defender Application Control (WDAC). Starting with Windows 11, version 22H2, Microsoft introduced Smart App Control for additional protection for consumers against threats by blocking apps that are malicious, untrusted, or potentially unwanted. Smart App Control is based on WDAC and works in a similar way. It provides basic protection rules that can also be reused within an enterprise environment. Smart App Control on itself is only available on a fresh installation of Windows 11, version 22H2, and not after an upgrade. On enterprise managed devices, Smart App Control is automatically turned off. That doesn’t mean, however, that Smart App Control doesn’t provide any useful standard configurations. Smart App Control can be an excellent starting point, …

Read more

Informing users of newly enrolled devices

This week is all about a nice small new feature that became general available with the latest service release of Microsoft Intune (2301). That feature is enrollment notification. Enrollment notifications provide organizations with an easy method to notify users when a new device is enrolled. That provides organizations with more grip on the devices that are enrolled within the environment, as users will be informed when a new device was enrolled using their credentials. Besides that, it also provides organizations with an alternative method to welcome employees. In other words, a great way to trigger users. Enrollment notifications can be used for Windows, Android, iOS/iPadOS, and MacOS devices that are enrolled by using the user-driven enrollment methods. The notifications can be email notifications and push …

Read more

Managing privacy controls for Office products

This week is all about managing privacy controls for Office products. That includes Office on Android devices, Office on iOS devices, Office for Mac devices, Office for the web, and Microsoft 365 apps for enterprise on Windows devices. Most organizations often already have a good look at the required configurations options for the privacy controls on Windows devices. Office for other platforms, however, are often forgotten. Just like Office for the web. Good thing, though, is that there are nowadays multiple privacy controls available that can be configured for Office on all platforms. For some platforms there are even multiple configurations options. Best part of those configuration options is that there is also an option to configure the privacy controls cross platforms. This post will …

Read more

Getting started with multiple administrative approvals

This week is all about a nice new feature of Microsoft Intune. That new feature is multiple administrative approval (MAA). MAA enables organizations to require a second administrative user to approve a change before the change is actually applied. That limits the chance of accidental mistakes and even helps with the protection against compromised administrative accounts. With MAA, the most breaking and impactful changes can be protected. At this moment that includes specific resources, like apps and scripts. Changes to those resources can protected with MAA. That protection can be created by using Access policies. Access policies can be configured to protect specific resources with MAA. This post will go through the steps to configure those policies, followed with the behavior that those policies introduce. …

Read more

Configuring Shared PC mode with OneDrive sync enabled and configured

This week another short blog post about another nice configuration addition to Windows. This time itโ€™s about configuring Shared PC mode with OneDrive sync. Shared PC mode on itself is nothing new, or special, but there was something missing. That something was the OneDrive sync, as there are scenarios in which it’s still required to use OneDrive on a Shared PC. The default behavior of Windows, however, was to prevent the usage of OneDrive, once Shared PC mode was enabled. That’s still the case but starting with Windows 11 version 22H2 a new setting is introduced that enables IT administrators to enable Shared PC mode with OneDrive sync enabled. A new setting to enabled Shared PC mode. This post will start with a short introduction …

Read more

Easier configuring additional LSA protection

This week another short blog post about another nice configuration addition to Windows. This time it’s about configuring additional Local Security Authority (LSA) protection for credentials. LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. Starting with Windows 8.1 and later, additional protection is provided for the LSA, to prevent reading memory and code injection by non-protected processes. That provides added security for the credentials that LSA stores and manages. Not really something new, but it’s good to know that something has changed from a configuration perspective. The protected process setting for LSA can also be configured in Windows 8.1 and later. That would, however, always require the manual creation of a …

Read more

Automatically switching the Windows Firewall profile on Azure AD joined devices

This new year starts with short blog post about another nice configuration addition to Windows. Starting with the latest release of Windows 11, it’s now possible to make the Windows Firewall aware of the location of the device. That maybe sounds a bit more than what it actually is. The idea is that it enables Windows to check if it’s on a domain connected network, based on the accessibility of one or more URLs. When one of the URLs is available, Windows will switch the Windows Firewall profile to domain. When none of the URLs are available, Windows will work how it always worked and in general simply rely on the public profile. That behavior enables IT administrators to configure specific firewall exclusions, only when …

Read more

Configuring Windows Package Manager

This week is all about configuring Windows Package Manager. With the ability of standard users installing apps by using winget and with release of the new Microsoft Store apps within Microsoft Intune, the configuration of Windows Package Manager gets more and more important. Of course, it was already important to have a solid configuration, but with Windows Package Manager getting a more prominent role, a good configuration is required. The good thing is that with the introduction of Windows 11, version 22H2, Microsoft also introduced new configuration options for Windows Package Manager. Before, the configuration was limited to Group Policy settings and the settings.json file. Now there are also Configuration Service Provider (CSP) settings. The Policy CSP now contains nodes for the configuration of the …

Read more