Allowing users to opt-in for Windows Insider Preview Builds

This week is all about providing users with a method to deliberately opt-in for running Windows Insider Preview Builds. That option to opt-in is created by using an access package. That makes this post basically a combination between an earlier post about allowing users to opt-in for Windows 11 and an earlier post about managing Windows Insider Preview Builds. By default, many organizations prevent users from simply enabling and using Windows Insider Preview Builds. Often the main reason is to prevent unpredicted and unwanted issues from happening on the devices of users. Using an access package makes sure that the user consciously chooses to use Windows Insider Preview Builds, possibly in combination with the approval of a manager and in combination with sharing information in …

Read more

Using update status as part of the compliance of Windows devices

This week is focused on the update status of Windows devices. More specifically, this week is focused on making sure that Windows devices can only be compliant when running the latest cumulative update. Within a device compliance policy, it was already possible to specify a specific Windows version. That, however, is a manual action. Over and over again. That can be achieved easier nowadays. A few months ago I wrote about working with custom compliance settings. That enables the ability to add custom scripting to device compliance policies. Custom scripting basically means that anything is possible. Including the check on the update status. This post will show how to leverage that functionality with a small custom script to check for the update status of the …

Read more

Translating Windows Defender Application Control Policy Wizard sliders to Windows Defender Application Control policy options

This week is a short post focussed on Windows Defender Application Control (WDAC). More specifically, this short post is focussed on the different policy rules that can be configured by using the Windows Defender Application Control Policy Wizard. That policy wizard is an an open-source Windows desktop application written in C# and bundled as an MSIX package. It provides IT administrators with a user-friendly method for creating, edditing and merging WDAC policies. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets and that makes sure that the output of the policy wizard is identical to using the cmdlets manually. WDAC is genarally used to control what runs on Windows 10 and Windows 11 devices. That is achieved by setting policies that specify whether a …

Read more

Getting familiar with the Windows Update for Business deployment service

This week is a follow-up on last week. Last week the focus was on getting started with the Windows Update for Business deployment service and this week is about getting more familiar with the Windows Update for Business deployment service. Last week the focus was on getting information and this week the focus is on adding information. More specifically, this week is about enrolling devices, creating groups, adding devices to groups, creating feature update deployments and assigning groups to feature update deployments. In other words, this week is about creating custom feature update deployments. For the basics of the Windows Update for Business deployment service have a look at last weeks post, this post will continue on that information. This post will go through the …

Read more

Getting started with the Windows Update for Business deployment service

This week is about the Windows Update for Business deployment service. That subject has been touched recently when discussing the different options for upgrading devices to Windows 11, but that subject never got the attention that it deserves. The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the often still unknown part is that it’s actually actively used already within Microsoft Intune. The Feature updates for Windows 10 and later profile and the Quality updates for Windows 10 and later profile, both rely on that deployment service. This post will start with a quick introduction of the Windows Update for Business deployment service, followed with the basics of the deployment service APIs. Introduction to the Windows …

Read more

Even easier managing local administrators

This week is back in the Windows platform. This week is another time about managing local administrators on Windows 10 devices and later. That subject has been discussed multiple times before – either by using custom device configuration profiles or by using proactive remediations – and this time it’s about a new configuration option within Microsoft Intune that provides a friendly configuration experience for the IT administrator around the custom device configuration profile option. That configuration relies on the LocalUsersAndGroups policy that is available with Windows 10 20H2 or later, or Windows 11. This blog post will provide an introduction to a new profile type and will show how to use that new profile type to easily manage local administrators. This blog post will end by …

Read more

Retiring non-compliant devices with Azure Logic Apps and Adaptive Cards for Teams

This week is another follow-up on the first few weeks of this year. Those weeks the focus was on monitoring the status of the different connectors, certificates, tokens and deployments, while this week the focus is on more than just monitoring. This week will be about non-compliant devices marked to retire. That means querying information and actually performing an action. When looking at device compliance policies, the IT administrator can configure the actions for non-compliance. One of those actions is to configure Retire the noncompliant device. That action, however, won’t actually retire the device and will only add the device to the Retire Noncompliant Devices view. Once added to that view, there is still a manual action required by the IT administrator to actually retire …

Read more

Getting started with Remote help for Windows devices

This week is all about getting started with Remote help for Windows devices. Remote help is recently introduced as a new feature in Microsoft Intune that can be used for providing remote assistance to users on Windows devices. It looks a lot like the existing Quick Assist app on Windows, but it has a few big advantages. It integrates with Microsoft Endpoint Manager for providing remote assistance to managed devices, it integrates with Azure Active Directory for providing authentication and compliance information, and it provides a better administrator experience. There are communication options with the user and there is the ability to work with elevated permissions. This post will go through the steps for configuring Remote help in the tenant and through the steps for …

Read more

Working with custom compliance settings

This week is all about the latest capabilities that are available within compliance policies. Those capabilities are custom compliance settings. Custom compliance settings enable the IT administrator to basically check for anything and to use that for the compliance state of the device. The IT administrator can use PowerShell script in the custom compliance setting, to verify the status of anything that is available on the device. The results can be compared to rules and values that are configured in a JSON file. The result of that comparision can be used as part of the compliance policy. This post will proivde a quick introduction to custom compliance settings, followed with the steps to create the require PowerShell script and JSON file. This post will end …

Read more

Getting started with Security Management for Microsoft Defender for Endpoint

This week is all about Security Management for Microsoft Defender for Endpoint. Security Management for Microsoft Defender for Endpoint is the new configuration channel that can be used for managing the security configuration for Microsoft Defender for Endpoint (MDE) on devices that are not enrolled into Microsoft Endpoint Manager (MEM). Not in Microsoft Intune, nor in Configuration Manager. With that new configuration channel, MDE retrieves, enforces, and reports on the policies that are assigned via MEM. After onboarding to MDE, the devices are automatically joined to Azure AD and become visible in the MEM (and Azure AD and Microsoft 365 Defender). Within MEM those devices are marked as managed by MDE. This post will go through the steps to configure the required tenant configurations, the …

Read more