Getting started with Azure Monitor agent on Windows client devices

This week is about something totally different compared to the last weeks and maybe even months. There have been examples before about gathering additional data of Windows devices and using that information for dashboards and more. Those examples were mainly focused on existing data and custom scripting. This time the focus is on the Azure Monitor agent for Windows client devices. A few months ago Microsoft introduced the Windows client installer that can be used to collect data from desktops, workstations and laptops, in addition to the already existing options for servers and virtual machines. It enables the collection of Event Logs, Performance Counters and more. That could be useful with for example the introduction of AppLocker, to gather events about the behavior of apps. …

Read more

Easily installing Progressive Web Apps

This week is not something completely new, but more something nice to be aware of. This week is all around Progressive Web Apps (PWAs) and easily and automatically installing them on Windows devices. The great thing about a PWAs is that they’re basically websites that are enhanced to function like installed, native apps on supporting platforms, while functioning like regular websites on other browsers. That provides a great cross-platform experience. On Windows devices, PWAs can actually be installed like a native app and in some ways even behave like native apps. That provides a really powerful experience. With Microsoft Edge basically any website can be installed as an app. The behavior depends on the capabilities of the website. A nice add-on to that is that the …

Read more

Verifying installed applications as part of the compliance of Windows devices

This week is focused on the installed applications on Windows devices. More specifically, this week is focused on making sure that Windows devices are compliant with a list of unapproved apps. There are many methods for making sure that users won’t or can’t install specific apps on their Windows device. That could be by simply making sure that users don’t have the permissions to install apps and lock down their Windows devices, but that could also be by verifying the installed apps on their Windows devices. This post will focus on the latter, by comparing the installed apps with a list of unapproved apps. That can be achieved by using custom compliance settings. A few months ago I wrote about working with custom compliance settings. That …

Read more

Protecting important folders with controlled folder access

This week is all about controlled folder access. Not something particular new, but something important to be familiar with. Controlled folder access is a great addition to further minimize the attack surface of Windows devices. It helps protect the data in the controlled folders from malicious apps and threats, by checking apps against a list of known, trusted apps. That makes it a perfect addition to further protect the (corporate) data on Windows devices. That also makes it mainly a local security feature. To get detailed reporting information, it can be used with Microsoft Defender for Endpoint. This post will mainly focus on the local configuration of controlled folder access and the user experience. Introducing controlled folder access Controlled folder access is a great method …

Read more

Further simplifying management of the Google Chrome browser on Windows devices

This week is all about further simplifying management of the Google Chrome browser on Windows devices. The configuration of the Google Chrome browser was already possible by ingesting ADMX-files, by using PowerShell, or by using Chrome Browser Cloud Manager, but the IT administrator was always in for a sub-optimal experience. It was either a lot of work (when looking at ADMX-files), or it provided limited reporting capabilities (when using PowerShell), or it was a completely separate solution (Chrome Browser Cloud Manager). Non of those were optimal. The great thing is that with the latest service release of Microsoft Intune (2203), the Settings Catalog (and the Administrative Templates) now also include settings for the Google Chrome browser. That enables the IT administrator to simply use the …

Read more

Excluding removable USB-drives from automatic encryption

This week a short blog post to address a scenario that’s been challenging for a while. That scenario is around removable USB-drives and automatic encryption. When organizations have configured that removable drives require encryption, that introduces challenges with storage built into specialized devices like video cameras, voice recorders, conferencing systems, medical devices and many more. That would also require that type of storage to be required, when read access wasn’t sufficient. That, however, would often cause more problems than solutions. To address that challenge, Microsoft has introduced a new policy. That policy can be used to create an exclusion list of devices for which the user will not be prompted for encryption. Even when encryption of removable drives is required. This post will introduce that …

Read more

Allowing users to opt-in for Windows Insider Preview Builds

This week is all about providing users with a method to deliberately opt-in for running Windows Insider Preview Builds. That option to opt-in is created by using an access package. That makes this post basically a combination between an earlier post about allowing users to opt-in for Windows 11 and an earlier post about managing Windows Insider Preview Builds. By default, many organizations prevent users from simply enabling and using Windows Insider Preview Builds. Often the main reason is to prevent unpredicted and unwanted issues from happening on the devices of users. Using an access package makes sure that the user consciously chooses to use Windows Insider Preview Builds, possibly in combination with the approval of a manager and in combination with sharing information in …

Read more

Using update status as part of the compliance of Windows devices

This week is focused on the update status of Windows devices. More specifically, this week is focused on making sure that Windows devices can only be compliant when running the latest cumulative update. Within a device compliance policy, it was already possible to specify a specific Windows version. That, however, is a manual action. Over and over again. That can be achieved easier nowadays. A few months ago I wrote about working with custom compliance settings. That enables the ability to add custom scripting to device compliance policies. Custom scripting basically means that anything is possible. Including the check on the update status. This post will show how to leverage that functionality with a small custom script to check for the update status of the …

Read more

Translating Windows Defender Application Control Policy Wizard sliders to Windows Defender Application Control policy options

This week is a short post focussed on Windows Defender Application Control (WDAC). More specifically, this short post is focussed on the different policy rules that can be configured by using the Windows Defender Application Control Policy Wizard. That policy wizard is an an open-source Windows desktop application written in C# and bundled as an MSIX package. It provides IT administrators with a user-friendly method for creating, edditing and merging WDAC policies. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets and that makes sure that the output of the policy wizard is identical to using the cmdlets manually. WDAC is genarally used to control what runs on Windows 10 and Windows 11 devices. That is achieved by setting policies that specify whether a …

Read more

Getting familiar with the Windows Update for Business deployment service

This week is a follow-up on last week. Last week the focus was on getting started with the Windows Update for Business deployment service and this week is about getting more familiar with the Windows Update for Business deployment service. Last week the focus was on getting information and this week the focus is on adding information. More specifically, this week is about enrolling devices, creating groups, adding devices to groups, creating feature update deployments and assigning groups to feature update deployments. In other words, this week is about creating custom feature update deployments. For the basics of the Windows Update for Business deployment service have a look at last weeks post, this post will continue on that information. This post will go through the …

Read more