Further simplifying management of the Google Chrome browser on Windows devices

by

This week is all about further simplifying management of the Google Chrome browser on Windows devices. The configuration of the Google Chrome browser was already possible by ingesting ADMX-files, by using PowerShell, or by using Chrome Browser Cloud Manager, but the IT administrator was always in for a sub-optimal experience. It was either a lot of work (when looking at ADMX-files), or it provided limited reporting capabilities (when using PowerShell), or it was a completely separate solution (Chrome Browser Cloud Manager). Non of those were optimal. The great thing is that with the latest service release of Microsoft Intune (2203), the Settings Catalog (and the Administrative Templates) now also include settings for the Google Chrome browser. That enables the IT administrator to simply use the …

Read more

Freezing the install of system updates on Android Enterprise corporate-owned devices

by

This week is all about a very recent new introduced feature for Android Enterprise corporate-owned devices. That feature is the ability to freeze the install of system updates for a period of time. Freezing system updates on Android Enterprise corporate-owned devices enables organizations to stick to a specific version of Android for the specified period of time. That can be usefull to get the right support of the vendor of an app, or to make sure that a specific app works with the latest verison of Android. That level of control makes Android more and more enterprise ready, without the need of additional management tooling (OEMConfig). This post will start with a quick introduction to the freeze period for system updates, followed with the steps …

Read more

Excluding removable USB-drives from automatic encryption

by

This week a short blog post to address a scenario that’s been challenging for a while. That scenario is around removable USB-drives and automatic encryption. When organizations have configured that removable drives require encryption, that introduces challenges with storage built into specialized devices like video cameras, voice recorders, conferencing systems, medical devices and many more. That would also require that type of storage to be required, when read access wasn’t sufficient. That, however, would often cause more problems than solutions. To address that challenge, Microsoft has introduced a new policy. That policy can be used to create an exclusion list of devices for which the user will not be prompted for encryption. Even when encryption of removable drives is required. This post will introduce that …

Read more

Allowing users to opt-in for Windows Insider Preview Builds

by

This week is all about providing users with a method to deliberately opt-in for running Windows Insider Preview Builds. That option to opt-in is created by using an access package. That makes this post basically a combination between an earlier post about allowing users to opt-in for Windows 11 and an earlier post about managing Windows Insider Preview Builds. By default, many organizations prevent users from simply enabling and using Windows Insider Preview Builds. Often the main reason is to prevent unpredicted and unwanted issues from happening on the devices of users. Using an access package makes sure that the user consciously chooses to use Windows Insider Preview Builds, possibly in combination with the approval of a manager and in combination with sharing information in …

Read more

Using update status as part of the compliance of Windows devices

by

This week is focused on the update status of Windows devices. More specifically, this week is focused on making sure that Windows devices can only be compliant when running the latest cumulative update. Within a device compliance policy, it was already possible to specify a specific Windows version. That, however, is a manual action. Over and over again. That can be achieved easier nowadays. A few months ago I wrote about working with custom compliance settings. That enables the ability to add custom scripting to device compliance policies. Custom scripting basically means that anything is possible. Including the check on the update status. This post will show how to leverage that functionality with a small custom script to check for the update status of the …

Read more

Simplifying repetitive administrative tasks by using low-code solutions: An overview

by

This week my post is a few days later, as my post is an extension of the session of me and Pim Jacobs at the Nordic Virtual Summit Third Edition. At the virtual summit we did a session about Simplifying repetitive administrative tasks by using low-code solutions​. During that session we shared information around the basics of low-code solutions and we provided some nice examples around Microsoft Intune and Azure AD. This post will provide a quick summary of that session. The slides (PDF) of that session are available for download here. Closing notes and summary It might sound a bit weird to start with the closing notes and summary. That, however, is the best summary of our session, as the biggest part of the session was demo. Besides the difference in what classifies …

Read more

Translating Windows Defender Application Control Policy Wizard sliders to Windows Defender Application Control policy options

by

This week is a short post focussed on Windows Defender Application Control (WDAC). More specifically, this short post is focussed on the different policy rules that can be configured by using the Windows Defender Application Control Policy Wizard. That policy wizard is an an open-source Windows desktop application written in C# and bundled as an MSIX package. It provides IT administrators with a user-friendly method for creating, edditing and merging WDAC policies. The WDAC policy wizard relies on the ConfigCI PowerShell cmdlets and that makes sure that the output of the policy wizard is identical to using the cmdlets manually. WDAC is genarally used to control what runs on Windows 10 and Windows 11 devices. That is achieved by setting policies that specify whether a …

Read more

Using the Microsoft Defender for Endpoint app for connecting to Microsoft Tunnel Gateway

by

This week is something completely different, compared to the last couple of weeks. This week is back to Microsoft Tunnel. Microsoft Tunnel is the VPN gateway solution for Microsoft Intune that fully integrates with Azure AD (and Conditional Access) for providing access to on-premises resources on iOS and Android devices. In the early stages of Microsoft Tunnel, there used to be a separate Microsoft Tunnel app for iOS and Android devices. One of the challenges with those devices is that there can only be one active VPN at the same time. That’s especially challenging when using it in combination with Microsoft Defender for Endpoint. That makes the combination of both products into a single app, a logic move. That’s been the case for Android already …

Read more

Getting familiar with the Windows Update for Business deployment service

by

This week is a follow-up on last week. Last week the focus was on getting started with the Windows Update for Business deployment service and this week is about getting more familiar with the Windows Update for Business deployment service. Last week the focus was on getting information and this week the focus is on adding information. More specifically, this week is about enrolling devices, creating groups, adding devices to groups, creating feature update deployments and assigning groups to feature update deployments. In other words, this week is about creating custom feature update deployments. For the basics of the Windows Update for Business deployment service have a look at last weeks post, this post will continue on that information. This post will go through the …

Read more

Getting started with the Windows Update for Business deployment service

by

This week is about the Windows Update for Business deployment service. That subject has been touched recently when discussing the different options for upgrading devices to Windows 11, but that subject never got the attention that it deserves. The deployment service provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the often still unknown part is that it’s actually actively used already within Microsoft Intune. The Feature updates for Windows 10 and later profile and the Quality updates for Windows 10 and later profile, both rely on that deployment service. This post will start with a quick introduction of the Windows Update for Business deployment service, followed with the basics of the deployment service APIs. Introduction to the Windows …

Read more