Updating Enterprise App Catalog apps

This week is all about creating awareness about the recently introduced functionality to easily update apps from the Enterprise App Catalog. The Enterprise App Catalog is part of Enterprise App Management and provides a collection of apps that are prepared by Microsoft for usage within Microsoft Intune. This new functionality provides IT administrators with a guided experience for updates that are available for apps within the catalog. That starts with a brief overview of the available updates for apps that are used from the catalog, and that overview results in to a pretty straight forward guided experience for updating a specific app. That guided experience eventually creates a new Win32 app that supersedes the current version of the app, and that can be deployed towards …

Read more

Limiting access to apps during non-working time

This week is all about a relatively new functionality for limiting access to apps on iOS and Android devices during non-working time. Working time settings allow organizations to enforce policies that limit access to apps and to mute notification messages from apps during non-working time. Muting notifications is something that was already possible by using global quiet time, as described in this earlier post. Limiting access, however, is something relatively new that can be used for limiting access to specific apps during non-working time. That can be achieved by using app protection policies to block or warn users from using Microsoft Teams and Microsoft Edge on their iOS and Android devices, during non-working time. For that, a new setting is introduced in the conditional launch …

Read more

Enabling optional Windows updates

This week is all about enabling optional Windows updates. Enabling optional updates is all related to the Get the latest updates as soon as they’re available slider in the Settings app. That slider can be used to enable optional updates on a Windows device. Optional updates provide new features and non-security changes. Besides that, optional updates can also include features that are gradually rolled out. Those rollouts are also known as controlled feature rollouts (CFRs). Most of those optional updates are released on the fourth Tuesday of the month and are also known as non-security preview releases, while regular updates are released on the second Tuesday of the month. Nowadays, regular updates are also known as B week releases, while optional updates are also known as …

Read more

Getting started with Windows protected print mode

This week is all about another new feature within Windows 11, version 24H2. Mainly to create awareness. That new feature is Windows protected print mode. Windows protected print mode builds on top of the existing IPP print stack. Main enhancement is that only Mopria certified printers are supported and that it disables the ability to load third-party print drivers. Securing the printing stack has always been, and still remains, challenging. Mainly because it has to deal with compatibility of legacy drivers and high effective permissions of the printer drivers. That’s not all that easy to address. Windows protected print mode, however, is a step into the right direction. That adds some long-awaited improvements to the print security in Windows that should make the impact smaller of challenges …

Read more

Easily managing Personal Data Encryption for known Windows folders

This week is a follow up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post was really focused on the early introduction of PDE and the functionality that it brings to the table, while this post will basically add-on to that functionality and knowledge. PDE is still a pretty unknown feature that is now actually growing in useful functionalities and could become a very welcome addition to the available data protection capabilities on Windows. With the latest version of Windows 11, version 24H2, PDE now also contains the ability to protect personal data in known Windows folders. Those known Windows folders are Documents, Desktop, and Pictures. That provides organizations with more protection capabilities for personal data, …

Read more

Getting started with Windows enrollment attestation

This week is all about adding an additional layer of protection to the enrollment of Windows devices. That additional layer of protection is Windows enrollment attestation. Windows enrollment attestation is focused on making the process of enrolling into Microsoft Intune more secure and trustworthy for Windows devices. It relies on using the Trusted Platform Module (TPM) to store the private keys of the MDM certificate from Microsoft Intune and the access token from Microsoft Entra. That information is attested during the enrollment of Windows devices, making it less prone to tampering. That should provide better protection against attackers that for example steal an Intune MDM certificate. This blog post will start with a brief introduction about Windows enrollment attestation, followed with the central insights and …

Read more

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module is available to be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed the steps and examples for …

Read more

Connecting Microsoft Intune with Managed Google Play – The new and easy way

This week is all about connecting Microsoft Intune with Managed Google Play. There has been multiple post already on this blog describing all the different management options available to Android devices. The biggest part being focused on Android Enterprise. Not really strange as Android Enterprise is the most common used program by organizations to integrate support for their Android devices into their management solution. That includes Microsoft Intune. The availability of the APIs belonging to Android Enterprise make sure that the management of Android devices can be standardized and contains many configuration capabilities cross vendor. To get that integration between Microsoft Intune and Android Enterprise, it’s important to connect Microsoft Intune with a Managed Google Play account. Creating that connection has never really been a …

Read more

Understanding the pause config refresh remote action for Windows devices

This week is sort of a follow up on a post of almost a year ago about scheduling automatic policy refreshes for Windows devices without requiring a check-in. While that post was focused on actually scheduling automatic policy refreshes for Windows devices, by using Config Refresh, this post will be focused on temporarily pausing that scheduled policy refresh. Temporarily pausing the scheduled policy refreshes provides the IT administrator with a window for troubleshooting the device. Without pausing the scheduled policy refreshes, the supported configurations will automatically refresh their policies. That can be pretty disturbing when verifying specific behavior with specific configurations. So, pausing the automatic policy refreshes is an important piece of the scheduled policy refresh. Automatic policy refresh relies on Config Refresh that is …

Read more

Getting started with just-in-time registration and compliance remediation

This week is all about just-in-time (JIT) registration and compliance remediation. Not something completely new, but it’s new that it’s now available for all iOS and iPadOS enrollments. In a way this post is a follow-up, or deeper dive, to this post about getting started with web-based device enrollment. While that post was really focused on the web-based device enrollment, this post is focused more on a specific feature that’s also used for web-based device enrollment. That feature is JIT registration. JIT registration, however, can be used for more than just the registration of the device. It can also be used for the compliance remediation of the device. This post will start with a short introduction to JIT registration and JIT compliance remediation, followed with …

Read more