Customizing only the initial Start menu layout

This week is all about customizing only the initial Start menu layout on Windows 11. That on itself is nothing new, as customizing the Start menu layout has been possible since the early days of Windows 11. The main configurations related to customizing the Start menu layout are described in this post. That also means that the ideas around customizing the Start menu layout have not changed. Customizing the Start menu layout enables organizations to create a standardized layout for their users by pinning apps, removing default apps, ordering apps and more. To create a standardized layout for Windows 11, the IT administrator should use a JSON-file that contains the configuration of the Start menu layout. What makes it extra interesting is the added functionality …

Read more

Configuring the visibility of the Settings pages

This week is not about something new, this week is about configuring the visibility of the different Settings pages. The Settings app is the Windows application that provides a unified interface to manage the different system settings. Almost everything that was configurable in the old days via Control Panel, is now configurable via the Settings app. With some exceptions of course. The main reasons to make adjustments to the visibility of the different Settings pages, are to create a more controlled and secure environment. That can be especially useful for specific types of devices, such as kiosk devices and student devices. In those cases, limiting the access to different Settings pages can help with preventing unauthorized changes and maintaining a consistent user experience. The good …

Read more

Removing preinstalled Microsoft Store apps using native functionality

This week is all about the native functionality to remove preinstalled Microsoft Store apps. Very useful. When working with Windows devices in an enterprise environment, a common request is to control the preinstalled Microsoft Store apps. These default apps, which ship as part of the Windows image, often include consumer-oriented or redundant functionality that does not align with corporate standards. Removing these apps often requires custom scripting, or other creative solutions. Starting with Windows 11 version 25H2, however, there will be native functionality available to facilitate the removal of most preinstalled Microsoft Store apps. That enables the IT administrator to easily remove those preinstalled Microsoft Store apps. Those configurations are available via Group Policy and via Configuration Service Provider (CSP), enabling basically any deployment scenario. …

Read more

Easily getting started with Intune Management Extension as managed installer

This week is all about the latest addition to the ability to easily configure the Intune Management Extension as a managed installer on Windows devices. That addition is the ability to easily configure the Intune Management Extension as a managed installer for a specific group of Windows devices. Before it was already really easy to get started with the Intune Management Extension as a managed installer, but that was a tenant-wide configuration, meaning that it was immediately applicable to all Windows devices within the environment. And that now changed. That configuration can now be assigned to specific group of Windows devices. That assignment provides a lot more flexibility with introducing and testing the Intune Management Extension as managed installer. Eventually, that will make the introduction …

Read more

Using offline mode and app access without signing in on Android Enterprise dedicated devices

This week is all about the recently introduced functionalities of offline mode and app access without signing in. Those functionalities are specifically created for Android Enterprise dedicated devices that are enrolled into Microsoft Entra shared device mode and that are using the Managed Home Screen as launcher for other approved apps. Both of these functionalities are focused on scenarios in which the user is required to sign in to the device before the apps on the device can be used. With these functionalities, however, the IT administrator can enable specific apps to be available even when the device is offline, and even before signing in to the device. That makes sure that the user can still be productive when the device is offline, and can …

Read more

Installing Windows security updates during the Windows out-of-box-experience

Important: While writing this post the news came that this capability got delayed again to help ensure delivery of the best possible experience. As the configuration is still available in Microsoft Intune, this post can still provide value. This week is all about the new functionality to install Windows security updates during the Windows out-of-box-experience (OOBE). That functionality is focused on making sure that Windows devices are secure and up-to-date at the moment that the user will actually start using the device. At this moment, one of the main challenges is that organizations have to rely on the preinstalled Windows version on the device. That might not – and often does not – include the latest Windows security updates. This new functionality can help with …

Read more

Preventing accidental device wipe with multiple administrative approval in Microsoft Intune

This week is all about the preventing accidental device wipes by using multiple administrative approval in Microsoft Intune. Multiple administrative approval on itself is nothing new, but the latest addition to that functionality makes it a lot more powerful. Before, multiple administrative approval was mainly focused adding apps and scripts to Microsoft Intune. Nowadays, multiple administrative approval can also be used for Intune roles and the most critical device actions. Those device actions include device wipe, device retire, and device delete. With those device actions, there will be a little safety net for IT administrators when performing impactful device actions without really giving in on security. Multiple administrative approval will help with preventing accidentally wiping a device. Every device wipe will require an approval from …

Read more

Getting started with Windows Backup for Organizations

This week is all about the new Windows Backup for Organizations feature that has become available. The Windows Backup for Organizations feature is initially aimed at making it easier to transition from Windows 10 to Windows 11. Besides that, it also makes it easier to switch towards new Windows 11 devices and versions. At this point in time Windows Backup for Organizations can be used to preserve user settings and Microsoft Store app configurations. Especially the first part seems to have a lot of similarities with the already existing Enterprise State Roaming functionality. One might consider Windows Backup for Organizations as the on steroids version of Enterprise State Roaming. Where Enterprise State Roaming is really focused on the basics of the user experience, Windows Backup …

Read more

Managing the usage of personal Microsoft accounts in the OneDrive app

This week is all around managing and containing the usage of personal accounts with the OneDrive app on managed Windows devices. That is definitely not something new, but a recent change in notifications did trigger this post around the usage of personal accounts. Actually, it all started with an item on the public roadmap (490064). That roadmap item is about a new feature that will prompt users for using their personal Microsoft accounts with the OneDrive app, but only when a personal account is already signed in on the device. Of course, one might wonder if that’s a really good approach, but especially the latter part is important; the user will only be prompted when a personal account is already signed in on the device. …

Read more

Using device clean-up rules in Microsoft Intune

This week is a relatively short post about the updated device clean-up rules in Microsoft Intune. There can be many reasons why it is important to clean-up devices in Microsoft Intune (and Microsoft Entra). That can be security related by preventing access to resources, that can be cost savings by preventing device licenses from being used, and that can often even be as simple as preventing clutter in the Microsoft Intune admin center portal and keeping reports accurate. The standard functionality within Microsoft Intune to automatically clean-up devices, got a nice update with the latest service release (2507). It is now possible to create device clean-up rules per platform. And, with that, differentiate per platform. The main concept remains the same. Device clean-up rules are …

Read more