Getting started with Windows protected print mode

This week is all about another new feature within Windows 11, version 24H2, mainly to create awareness. That new feature is Windows protected print mode. Windows protected print mode builds on top of the existing IPP print stack. The main enhancement is that only Mopria-certified printers are supported and that the ability to load third-party print drivers is disabled. Securing the printing stack has always been, and still remains, challenging, mainly because it has to deal with the compatibility of legacy drivers and the high effective permissions of printer drivers. That is not all that easy to address. Windows protected print mode, however, is a step in the right direction. It adds some long-awaited improvements to print security in Windows that should reduce the impact of challenges …

Read more

Easily managing Personal Data Encryption for known Windows folders

This week is a follow-up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post was really focused on the early introduction of PDE and the functionality that it brings to the table, while this post will basically build on that functionality and knowledge. PDE is still a pretty unknown feature that is now gaining useful functionality and could become a very welcome addition to the available data protection capabilities on Windows. With the latest version of Windows 11, version 24H2, PDE now also contains the ability to protect personal data in known Windows folders. Those known Windows folders are Documents, Desktop, and Pictures. That provides organizations with more protection capabilities for personal data, …

Read more

Getting started with Windows enrollment attestation

This week is all about adding an additional layer of protection to the enrollment of Windows devices. That additional layer of protection is Windows enrollment attestation. Windows enrollment attestation is focused on making the process of enrolling into Microsoft Intune more secure and trustworthy for Windows devices. It relies on the Trusted Platform Module (TPM) to store the private keys of the MDM certificate from Microsoft Intune and the access token from Microsoft Entra. That information is attested during the enrollment of Windows devices, making it less prone to tampering. That should provide better protection against attackers that, for example, steal an Intune MDM certificate. This blog post will start with a brief introduction to Windows enrollment attestation, followed by the central insights and …

Read more

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module can be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed by the steps and examples for …

Read more

Connecting Microsoft Intune with Managed Google Play – The new and easy way

This week is all about connecting Microsoft Intune with Managed Google Play. There have already been multiple posts on this blog describing all the different management options available for Android devices, the biggest part being focused on Android Enterprise. That is not really strange, as Android Enterprise is the most commonly used program by organizations to integrate support for their Android devices into their management solution. That includes Microsoft Intune. The availability of the APIs belonging to Android Enterprise makes sure that the management of Android devices can be standardized and contains many configuration capabilities across vendors. To get that integration between Microsoft Intune and Android Enterprise, it’s important to connect Microsoft Intune with a Managed Google Play account. Creating that connection has never really been a …

Read more

Understanding the pause config refresh remote action for Windows devices

This week is sort of a follow-up on a post of almost a year ago about scheduling automatic policy refreshes for Windows devices without requiring a check-in. While that post was focused on actually scheduling automatic policy refreshes for Windows devices by using Config Refresh, this post will be focused on temporarily pausing that scheduled policy refresh. Temporarily pausing the scheduled policy refreshes provides the IT administrator with a window for troubleshooting the device. Without pausing the scheduled policy refreshes, the supported configurations will automatically refresh their policies. That can be pretty disruptive when verifying specific behavior with specific configurations. So, pausing the automatic policy refreshes is an important piece of the scheduled policy refresh. Automatic policy refresh relies on Config Refresh that is …

Read more

Getting started with just-in-time registration and compliance remediation

This week is all about just-in-time (JIT) registration and compliance remediation. Not something completely new, but it’s new that it’s now available for all iOS and iPadOS enrollments. In a way this post is a follow-up to, or deeper dive into, this post about getting started with web-based device enrollment. While that post was really focused on the web-based device enrollment, this post is focused more on a specific feature that’s also used for web-based device enrollment. That feature is JIT registration. JIT registration, however, can be used for more than just the registration of the device. It can also be used for the compliance remediation of the device. This post will start with a short introduction to JIT registration and JIT compliance remediation, followed by …

Read more

Managing recommended security settings for Windows Subsystem for Linux

This week is all about Windows Subsystem for Linux (WSL) and managing the recommended settings. WSL is a feature of Windows that allows users to run a Linux environment directly on their Windows machine, without the need to run a separate VM. It’s designed to provide a seamless and productive experience for users who want to use both Windows and Linux at the same time. Of course, it’s important to match that level of productivity with the right level of security. Luckily, Microsoft also provides guidance around enabling the secure use of Linux with WSL in an enterprise environment, all focused on using Microsoft Intune and Microsoft Defender. This post will have a brief look at the recommended security settings for WSL, followed …

Read more

Temporarily removing apps and configurations from mobile devices

This week is all about a new feature that is specifically for mobile devices, and that feature is the ability to remove, reinstall, and re-apply specific configuration policies, configuration profiles, and apps. The best part is that it can be achieved without changing the assignments of those apps and configurations. That can be really useful for resolving specific challenges and for quickly restoring the productivity of the user. The apps and configurations that were removed will automatically be restored within 8-24 hours. Alternatively, the IT administrator can also manually initiate an action to restore the removed apps and configurations earlier. So, in the end, the focus remains on ensuring that the devices remain consistent with the assigned apps and configurations. This post will …

Read more

Working with support approved elevations

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions, with the same experience as already known for executables. Besides that, there is more new functionality within EPM that might be even more powerful. That functionality is support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context, the user is prompted to submit an elevation request. That request is sent to Intune for a …

Read more