Configuring Google Chrome for usage with device-based Conditional Access

This week is sort of a follow-up on last week. Last week the focus was on configuring Mozilla Firefox for usage with device-based Conditional Access, while this week the focus is on configuring Google Chrome for usage with device-based Conditional Access. That is already a supported scenario for many years, but in the early days that would require the Windows Accounts extension. That, however, has changed, making it easier to configure without installing a specific extension in the browser. Nowadays, there is a setting available that can be configured to automatically sign-in user accounts backed by a Microsoft Cloud identity provider. So, that’s even easier to configure. Especially when knowing that Microsoft Intune has Google Chrome configuration options directly available via the Settings Catalog. Minor …

Read more

Configuring Mozilla Firefox for usage with device-based Conditional Access

This week is all about managing and configuring Mozilla Firefox, with the main focus on using it with device-based Conditional Access. When looking specifically at Conditional Access, Mozilla Firefox is nowadays a supported browser for device-based Conditional Access scenarios on devices running Windows 10 and later. That is of course a really good thing, but it does require a specific configuration that should be in place within the browser. A single configuration that could be a real lifesaver on managed devices. Even better, on managed devices that configuration can also be set by using Microsoft Intune. To facilitate that, Mozilla provides easy configuration options via Group Policy templates. This blog post will provide a brief overview of importing those settings, followed with the steps to …

Read more

Updating Enterprise App Catalog apps

This week is all about creating awareness about the recently introduced functionality to easily update apps from the Enterprise App Catalog. The Enterprise App Catalog is part of Enterprise App Management and provides a collection of apps that are prepared by Microsoft for usage within Microsoft Intune. This new functionality provides IT administrators with a guided experience for updates that are available for apps within the catalog. That starts with a brief overview of the available updates for apps that are used from the catalog, and that overview results in to a pretty straight forward guided experience for updating a specific app. That guided experience eventually creates a new Win32 app that supersedes the current version of the app, and that can be deployed towards …

Read more

Limiting access to apps during non-working time

This week is all about a relatively new functionality for limiting access to apps on iOS and Android devices during non-working time. Working time settings allow organizations to enforce policies that limit access to apps and to mute notification messages from apps during non-working time. Muting notifications is something that was already possible by using global quiet time, as described in this earlier post. Limiting access, however, is something relatively new that can be used for limiting access to specific apps during non-working time. That can be achieved by using app protection policies to block or warn users from using Microsoft Teams and Microsoft Edge on their iOS and Android devices, during non-working time. For that, a new setting is introduced in the conditional launch …

Read more

Enabling optional Windows updates

This week is all about enabling optional Windows updates. Enabling optional updates is all related to the Get the latest updates as soon as they’re available slider in the Settings app. That slider can be used to enable optional updates on a Windows device. Optional updates provide new features and non-security changes. Besides that, optional updates can also include features that are gradually rolled out. Those rollouts are also known as controlled feature rollouts (CFRs). Most of those optional updates are released on the fourth Tuesday of the month and are also known as non-security preview releases, while regular updates are released on the second Tuesday of the month. Nowadays, regular updates are also known as B week releases, while optional updates are also known as …

Read more

Getting started with Windows protected print mode

This week is all about another new feature within Windows 11, version 24H2. Mainly to create awareness. That new feature is Windows protected print mode. Windows protected print mode builds on top of the existing IPP print stack. Main enhancement is that only Mopria certified printers are supported and that it disables the ability to load third-party print drivers. Securing the printing stack has always been, and still remains, challenging. Mainly because it has to deal with compatibility of legacy drivers and high effective permissions of the printer drivers. That’s not all that easy to address. Windows protected print mode, however, is a step into the right direction. That adds some long-awaited improvements to the print security in Windows that should make the impact smaller of challenges …

Read more

Easily managing Personal Data Encryption for known Windows folders

This week is a follow up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post was really focused on the early introduction of PDE and the functionality that it brings to the table, while this post will basically add-on to that functionality and knowledge. PDE is still a pretty unknown feature that is now actually growing in useful functionalities and could become a very welcome addition to the available data protection capabilities on Windows. With the latest version of Windows 11, version 24H2, PDE now also contains the ability to protect personal data in known Windows folders. Those known Windows folders are Documents, Desktop, and Pictures. That provides organizations with more protection capabilities for personal data, …

Read more

Getting started with Windows enrollment attestation

This week is all about adding an additional layer of protection to the enrollment of Windows devices. That additional layer of protection is Windows enrollment attestation. Windows enrollment attestation is focused on making the process of enrolling into Microsoft Intune more secure and trustworthy for Windows devices. It relies on using the Trusted Platform Module (TPM) to store the private keys of the MDM certificate from Microsoft Intune and the access token from Microsoft Entra. That information is attested during the enrollment of Windows devices, making it less prone to tampering. That should provide better protection against attackers that for example steal an Intune MDM certificate. This blog post will start with a brief introduction about Windows enrollment attestation, followed with the central insights and …

Read more

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module is available to be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed the steps and examples for …

Read more

Connecting Microsoft Intune with Managed Google Play – The new and easy way

This week is all about connecting Microsoft Intune with Managed Google Play. There has been multiple post already on this blog describing all the different management options available to Android devices. The biggest part being focused on Android Enterprise. Not really strange as Android Enterprise is the most common used program by organizations to integrate support for their Android devices into their management solution. That includes Microsoft Intune. The availability of the APIs belonging to Android Enterprise make sure that the management of Android devices can be standardized and contains many configuration capabilities cross vendor. To get that integration between Microsoft Intune and Android Enterprise, it’s important to connect Microsoft Intune with a Managed Google Play account. Creating that connection has never really been a …

Read more