Windows 11 – All about Microsoft Intune

Working with support approved elevations

July 15, 2024 by Peter van der Woude

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions. The same experience as already known for executables. Besides that, there is more new functionality within EPM that might even be more powerful. That functionality is support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context that the user is prompted to submit an elevation request. That request is sent to Intune for a …

Understanding enrollment restrictions for Windows devices

July 8, 2024 by Peter van der Woude

This week is a follow up to the post of last week. That post was focused on understanding corporate identifiers for Windows devices. A method to identify specific devices as corporate Windows devices, which is especially useful in combination with Windows Autopilot device preparation. This post will actually add-on to those corporate identifiers, by focusing on enrollment restrictions for Windows devices. Enrollment restrictions for Windows devices can be used to restrict devices from enrolling in Microsoft Intune. The main differentiators so far, however, were the ownership and OS version of the devices. But something changed in that area as well. With the assignment of device enrollment restrictions for Windows devices it’s now also possible to use specific filters. Using those filters provides more granularity in …

Understanding corporate identifiers for Windows devices

July 1, 2024 by Peter van der Woude

This week is sort of a follow up to the post of last week. That post was focused on understanding enrollment time grouping in Windows Autopilot device preparation. This post will focus on corporate identifiers for Windows devices. Corporate device identifiers are an important, but not required, addition to the Windows Autopilot device preparation experience. As the concept of Windows Autopilot device preparation is slightly different compared to the Windows Autopilot deployment profiles, there are also different requirements to still register a device as a corporate device. There is no longer the requirement to register devices with the Windows Autopilot deployment service. That, however, also means that there must be something different to make sure that only trusted devices can go through the Windows Autopilot …

Understanding enrollment time grouping

June 24, 2024 by Peter van der Woude

This week is all about one of the key features of Windows Autopilot device preparation. That feature is enrollment time grouping. Windows Autopilot device preparation itself is a new iteration of Windows Autopilot and is used to quickly set up and configure new Windows devices. So far, nothing new. The focus, however, of Windows Autopilot device preparation is to further simplify the deployment of Windows devices, by delivering consistent configurations, enhancing the overall setup speed, and improving the troubleshooting capabilities. Besides that, it also takes away the requirement of first registering Windows devices with the Windows Autopilot service. Instead the Windows Autopilot device preparation profile is assigned to users and applied after user authentication during the out-of-box experience (OOBE). That provides a much more flexible …

Managing Windows AI features

June 17, 2024 by Peter van der Woude

This week is all about managing the different Windows AI features that are becoming available on Window 11. Main reason to look at those configurations is triggered by the recent introduction of Windows Recall. Recall is a feature that makes snapshots of the screen and puts that in a timeline. Those snapshots are locally stored on the device. The analyses provided by Recall enables the user to search through those snapshots by using natural language. A potentially really strong feature, but also feature that an organization might want to investigate before using. Something similar is also applicable to another Windows AI feature that was introduced a bit earlier, being Windows Copilot. Besides that, another interesting Windows AI feature is Image Creator in Windows Paint. That’s …

Getting started with the Remote Help web app

June 10, 2024 by Peter van der Woude

This week is all about the Remote Help web app. Remote Help on itself is nothing new, but it does have an often overlooked feature that can be useful in multiple occasions. That feature is the Remote Help web app. The Remote Help web app can be used to help users on managed and unmanaged devices, without installing the Remote Help app, and in some scenarios even on Linux devices. The former might sound a little bit weird, but due to the nature of the web app, it does technically work in some scenarios to provide support on Linux. Together that makes the Remote Help web app an interesting feature to be familiar with. It is good to know that the web app only supports …

Smoothly introducing new feature updates for Windows 11 as optional updates

June 3, 2024 by Peter van der Woude

This week is all about a new method to smoothly introduce a new feature update within the organization. That new method is the ability to create a feature update deployment policy with the option to make the new feature update available as an optional update. By making the latest feature update, or any other feature update that eventually must be deployed, available as an optional update, the user is still in control of actually installing the update. That leaves the IT administrator in control of making the feature update available and the user in control of the installation. Doing that, adds an easy step to smoothly introducing a new feature update in the organization. Besides a smooth process, this also provides an easy start when …

Combining the different layers of data security on personal Windows devices

May 20, 2024 by Peter van der Woude

This week is a continuation of my previous blog post about working with personal Windows devices. That post was focussed on the different options available for providing secure access to corporate data on personal Windows devices. This post is focussed on providing more details around using those different options actually as different layers in a single solution. All with the focus on providing secure access to corporate data on personal Windows devices, while still providing the user with as much flexibility and options to be productive. Besides that, using different layers of data security also enables the IT administrators to add more granularity to the solution. That makes the total solution less black-and-white. So, for example, not just block the ability of the user to …

Working with personal Windows devices

May 13, 2024 by Peter van der Woude

This week is kind of a follow up on my post of a couple of weeks ago about why enrolling personal Windows devices might be a really bad idea. That post was focussed on advising against allowing enrolling personal Windows devices into Microsoft Intune (or any other MDM provider). The logic follow up question would be: what are the alternatives? And that’s of course a fair question. This post will be about answering that specific question. And to be quite honest, the answer might come very close to a blog post of about four years around supporting unsupported platforms. The main difference will be what Microsoft has provided over the years. And that’s a lot, especially for the Windows platform. This post will focus on …

Getting started with Personal Data Encryption

April 29, 2024 by Peter van der Woude

This week is all about a nice feature that has been introduced over a year ago, but that didn’t receive a lot of attention yet. That feature is Personal Data Encryption (PDE). PDE was introduced with Windows 11, version 22H2, as a security feature that provides file-based data encryption functionalities to Windows. Not as an alternative to BitLocker, but to work alongside BitLocker. Were the decryption key of BitLocker is released during the boot of the device, the decryption key of PDE is released during the sign-in of the user by using Windows Hello for Business. That makes sure that PDE is basically an additional layer of security, on top of BitLocker, that can focus on providing an additional layer of security for specific apps …

S	M	T	W	T	F	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31