Working with the automatic enablement of Windows hotpatch security updates

This week is all about the recently introduced configuration that will enable Windows hotpatch security updates by default. The configuration to enable the usage of hotpatch security updates has been available since the introduction of Windows 11 version 24H2, and can be configured as shown in this post. Starting with the Windows security update of May 2026, Windows Autopatch will enable hotpatch security updates by default. That should help organizations get more secure with less effort. The configuration is achieved via a tenant-wide setting in Windows Autopatch that is only applied when no quality update policies are applied to the device. That configuration is available in Microsoft Intune and will be enabled by default. This post will provide a closer look at that new tenant-wide …

Managing geolocation access for websites in Microsoft Edge

This week is all about managing (geo)location access for websites in Microsoft Edge. When apps are allowed access to the location of the user, that also includes the Microsoft Edge browser. That means that – depending on the configuration in Microsoft Edge – every website could potentially access the location of the user, or at least ask the user for access. Within Microsoft Edge there are, however, controls available that can be used for controlling the access of websites to the location of the user. Those controls enable the organization to define the default behavior, and also the behavior for specific websites. That enables a layered level of control over the location access in Microsoft Edge. The first layer is the access of apps in …

Restoring Windows during first sign-in

This week is all about the recently introduced Windows Restore functionality during first sign-in. That functionality is part of the Windows Backup for Organizations feature. That feature on itself is not new, but the ability to restore during first sign-in is. Before, the ability to restore the configuration was only available as a tenant-wide configuration that would be available during the out-of-box experience (OOBE). For the basics to get started with Windows Backup for Organizations, have a look at this previous post. This post will look at the new functionality to restore during the first sign-in. That functionality does not rely on a tenant-wide configuration, and can be assigned to specific groups of users or devices. The scope of the restore, however, remains the same. This post will …

Understanding the profile assignment of multi-app kiosk mode on Windows 11

This week is all about multi-app kiosk mode on Windows 11. That on itself is not something really new, and to get started with that, have a look at this post around configuring multi-app kiosk mode on Windows 11. The documentation, however, is getting better and better, by describing more and more capabilities for multi-app kiosk mode on Windows 11. One of the challenges used to be the profile assignment of the multi-app kiosk mode configuration, especially when looking at an autologon scenario. There are now configurations available to address basically all of the different scenarios that could be required: from autologon, to global assignment, to individual assignments, to group assignments, and from local accounts to Entra accounts. This post will provide a closer look …

Blocking the Microsoft Store Web Installer using Entra Internet Access

This week is all about addressing a really specific scenario, and that scenario is related to the Microsoft Store. Many organizations are preventing access to the Microsoft Store app by using the policy setting Turn off the Store application. That policy setting, however, does literally what the name implies: it turns off the Store application. That does not prevent users from navigating to apps.microsoft.com, downloading an app and installing it directly. In the early days that download option did not exist, meaning that this scenario did not exist. That all changed with the Microsoft Store Web Installer. The Microsoft Store Web Installer is a standalone installer for Store apps that helps with downloading and installing apps from apps.microsoft.com. It basically creates a stub .exe-based installer …

Disabling MDM enrollment when adding work or school account

This week is all about a recently introduced setting in the automatic enrollment configuration of Windows devices, and that setting is Disable MDM enrollment when adding work or school account. That is a setting that many IT administrators have been waiting for, as it addresses that terrible experience when adding a work or school account to an app. That was the fantastic checkbox experience in which the user had to uncheck Allow my organization to manage my device to prevent a (personal) device from being enrolled into Microsoft Intune. Luckily, that has changed for the better. That whole experience got a whole lot better, as the recently introduced experience uses two separate screens to differentiate between app sign-in and device management. Best part of it, with …

Getting started with point-in-time restore in Windows

This week is all about another restore capability in Windows, and that capability is point-in-time restore. Recently, Microsoft has introduced many new features related to the backup, restore and recovery of Windows. That started with Quick Machine Recovery, which is focused on recovering Windows devices when encountering critical errors that prevent the device from booting, and that was quickly followed by Windows Backup for Organizations, which is focused on making it easier to switch towards new Windows devices. Now, the next addition is point-in-time restore, which is focused on restoring a Windows device to the exact state of that earlier point in time. Point-in-time restore relies on restore points that are stored locally on the device and that are captured by using Volume Shadow Copy …

Being careful with the ability to configure the preferred Entra tenant domain name

This week will be a relatively short blog post about a relatively often seen challenge with the configuration to set the preferred Entra tenant domain name. More specifically, this post will be about the PreferredAadTenantDomainName policy setting. That setting can be used by an IT administrator to basically preconfigure the tenant domain name for the user. Practically that would mean that when the organization uses the @petervanderwoude.nl tenant domain name, this policy setting would be configured with petervanderwoude.nl and would make sure that the user only has to specify their username without the tenant domain name to actually sign in to the device. That can provide a much easier experience. It does, however, come with some drawbacks that should be taken into consideration. The main …

Getting started with the PowerShell script installer for Win32 apps

This week is all about the recently introduced functionality to use PowerShell scripts for installing and uninstalling Win32 apps. That functionality enables IT administrators to use a PowerShell script as the installer type for Win32 apps. To make that a little bit more concrete: it enables the IT administrator to select a PowerShell script that should be used for installing a Win32 app. Before, it was already possible to use a PowerShell script within the command line for the installation of a Win32 app, but that always had to be a script that existed within the Win32 app content. The major challenge with that approach was that every adjustment to that PowerShell script would require building a new Win32 app. That was far from ideal, …

Getting started with secure password deployment in Microsoft Edge

This week is still about Microsoft Edge. More specifically, this week is all about the secure password deployment feature of Microsoft Edge. Secure password deployment enables IT administrators to securely deploy encrypted shared passwords to users. That can be useful with shared credentials for specific user accounts and applications, for example for easily getting access to a specific dashboard, or to specific social media accounts. There are many possible use cases. With secure password deployment, users will receive the deployed passwords in their work profile in Microsoft Edge on their managed device. That will help with reducing the risk of (over)sharing passwords with the wrong audience, and with that it helps with enhancing the overall security posture of the organization. This post will look closer …
