Introducing cross-tenant support for MAM on Windows devices

by

This week is basically sort of a follow-up on last week. This week is all about introducing cross-tenant support for Mobile Application Management (MAM) on Windows devices. That functionality was already briefly mentioned during the previous blog post about protecting downloads in MAM enrolled profiles on managed Windows devices. This week will be more about that functionality specifically. MAM on itself is nothing new, not even for Windows devices. The challenge, however, has been around mixing and matching different environments. That is also often referred to the contractor scenario, in which the user already has a managed device from their own employer and wants to combine that with access to the productivity tools of the customer. For Windows devices that functionality is coming! That is …

Read more

Protecting downloads in MAM enrolled profiles on managed Windows devices

by

This week is all about a combination of new features. That combination of features is allowing MAM enrollment on managed Windows devices and protecting downloads in Microsoft Edge. Both features are relatively new features in Microsoft Edge, that are both currently still behind experimental feature flags. The first feature enables MAM enrollment on managed devices (also known as cross-tenant support) and the second feature protects the downloads in Microsoft Edge in that scenario. That feature makes sure that downloads are always redirected to a folder that is managed within the home tenant of the user account and that enforces organizational compliance. In practice that means that when the user downloads files, in that MAM enrolled profile on a device that is already managed by another …

Read more

Working with the automatic enablement of Windows hotpatch security updates

by

This week is all about the recently introduced configuration that will enable Windows hotpatch security updates by default. The configuration to enable the usage of hotpatch security updates has been available since the introduction of Windows 11 version 24H2, and can be configured relatively as shown in this post. Starting with the Windows security update of May 2026, Windows Autopatch will enable hotpatch security updates by default. That should help organizations with easier getting more secure. The configuration is achieved via a tenant-wide configuration via Windows Autopatch that is only applied when no quality update policies are applied to the device. That configuration is available in Microsoft Intune and will be enabled by default. This post will provide a closer look at that new tenant-wide …

Read more

Managing geolocation access for websites in Microsoft Edge

by

This week is all about managing (geo)location access for websites in Microsoft Edge. When apps are allowed access to the location of the user, that also includes the Microsoft Edge browser. That means that – depending on the configuration in Microsoft Edge – every website could potentially access the location of the user, or at least ask the user for access. Within Microsoft Edge there are, however, controls available that can be used for controlling the access of websites to the location of the user. Those controls enable the organization to define the default behavior, and also the behavior for specific websites. That enables a layered level of control over the location access in Microsoft Edge. The first layer is the access of apps in …

Read more

Restoring Windows during first sign-in

by

This week is all about the recently introduced Windows Restore functionality during first sign-in. That functionality is part of the Windows Backup for Organizations feature. That feature on itself not new, but the ability to restore during first sign-in is. Before, the ability to restore the configuration was only available as a tenant-wide configuration that would be available during out-of-box-experience (OOBE). For the basics to get started with Windows Backup for Organizations have a look at this previous post. This post will look at the new functionality to restore during the first sign-in. That functionality does not rely on a tenant-wide configuration, and can be assigned to specific groups of users or devices. The scope of the restore, however, remains the same. This post will …

Read more

Understanding the profile assignment of multi-app kiosk mode on Windows 11

by

This week is all about multi-app kiosk mode on Windows 11. That on itself is not something really new and to get started with that, have a look at this post around configuring multi-app kiosk mode on Windows 11. The documentation, however, is getting better and better, by describing more and more capabilities for multi-app kiosk mode on Windows 11. One of the challenges used to be the profile assignment of the multi-app kiosk mode configuration. Especially when looking at an autologon scenario. There are now configurations available to address basically all of the different scenarios that could be required. From autologon, to global assignment, to individual assignments, to group assignments. And from local accounts to Entra accounts. This post will provide a closer look …

Read more

Blocking the Microsoft Store Web Installer using Entra Internet Access

by

This week is all about addressing a really specific scenario and that scenario is related to the Microsoft Store. Many organizations are preventing access to the Microsoft Store app by using the policy setting Turn off the Store application. That policy setting, however, does literally what the name implies, it turns off the Store application. That does not prevent users from navigating to apps.microsoft.com, downloading an app and installing it directly. In the early days that download option did not exist, meaning that this scenario did not exist. That all changed with the Microsoft Store Web Installer. The Microsoft Store Web Installer is a standalone installer for Store apps that helps with downloading and installing apps from apps.microsoft.com. It basically creates a stub .exe-based installer …

Read more

Disabling MDM enrollment when adding work or school account

by

This week is all about a recently introduced setting in the automatic enrollment configuration of Windows devices, and that setting is Disable MDM enrollment when adding work or school account. That is a setting that many IT administrators have been waiting for, as it addresses that terrible experience when adding a work or school account to an app. That was the fantastic checkbox experience in which the user had to uncheck Allow my organization to manage my device to prevent a (personal) device from being enrolled into Microsoft Intune. Luckily, that has changed for the better. That whole experience got a whole lot better, as the new recently introduced experience differentiates with two screens between app sign-in and device management. Best part of it, with …

Read more

Managing Copilot in Microsoft Edge

by

This week is all about managing Copilot within Microsoft Edge. There were already some nice configurations available for a while and recently an additional configuration was added around sharing tenant-approved browser history with Copilot search. That was a nice trigger for this post, focused on managing those available configurations. Working with Copilot in Microsoft Edge, does often require the organization to make that functionality available to the users. The good part is that it is often already disabled by default when using an organizational account. Especially in the EU, Copilot in Microsoft Edge has some default constraints that can be adjusted when needed. That is for example applicable to configuration around accessing Microsoft Edge page content for Entra accounts. This post will provide a closer …

Read more

Getting started with point-in-time restore in Windows

by

This week is all about another restore capability in Windows, and that capability is point-in-time restore. Recently, Microsoft has introduced many new features related to the backup, restore and recovery of Windows. That started with Quick Machine Recovery, which is focused on recovering Windows devices when encountering critical errors that prevent the device from booting, and that was quickly followed by Windows Backup for Organizations, which is focused on making it easier to switch towards new Windows devices. Now, the next addition is point-in-time restore, which is focused on restoring a Windows device to the exact state of that earlier point in time. Point-in-time restore relies on restore points that are stored locally on the device and that are captured by using Volume Shadow Copy …

Read more