Microsoft Intune Suite

Explicitly denying elevation of specified files using Endpoint Privilege Management

by

This week is all about a new feature that was recently introduced in Endpoint Privilege Management (EPM), and that feature is the ability to explicitly deny elevation. Explicitly denying the elevation blocks the specified file from running in elevated context. That enables organizations to work the other way around. Instead of configuring which file elevations are allowed, this enables organizations to allow every elevation with the exception of the elevations of those specifically specified files. Of course, the recommendation is to tightly control which files are allowed to elevate. That is, however, not always the situation that every organization is in. Often simply getting insights into what users are installing is already a huge step forward. Especially in combination with no local administrator privileges. As …

Read more

Understanding Device query for multiple devices

by

This week is all about Device query for multiple devices. A long awaited feature. With that, this will also be a follow up on this post about getting started with Device query and this post adding additional hardware properties to the device inventory. Especially the latter might be a little bit surprising, but will be explained throughout this post. Device query for multiple devices provides IT administrators with the ability to easily query for devices with specific properties and values (e.g. all Windows devices with specific application crash events) and the ability to easily summarize data about devices (e.g. count all devices with a specific CPU). Those queries, however, are not performed in real-time on the Windows devices within the environment, but are relying on …

Read more

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

by

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module is available to be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed the steps and examples for …

Read more

Working with support approved elevations

by

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions. The same experience as already known for executables. Besides that, there is more new functionality within EPM that might even be more powerful. That functionality is support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context that the user is prompted to submit an elevation request. That request is sent to Intune for a …

Read more

Getting started with the Remote Help web app

by

This week is all about the Remote Help web app. Remote Help on itself is nothing new, but it does have an often overlooked feature that can be useful in multiple occasions. That feature is the Remote Help web app. The Remote Help web app can be used to help users on managed and unmanaged devices, without installing the Remote Help app, and in some scenarios even on Linux devices. The former might sound a little bit weird, but due to the nature of the web app, it does technically work in some scenarios to provide support on Linux. Together that makes the Remote Help web app an interesting feature to be familiar with. It is good to know that the web app only supports …

Read more

Quick tip: Only turn off notifications network usage when there is a direct requirement

by

This week is a relatively short post, mainly focused on providing a warning around turning off notifications network usage on Windows devices. Turning off notifications network usage can be used to prevent applications from using the notifications network the send notifications. No matter if that notification is a tile update, tile badge, toast, or any raw updates. It basically turns off the connection between Windows and the Windows Push Notification Services (WNS). WNS enables third-party developers to send those notifications. It provides a mechanism to deliver updates to users and devices in a power-efficient and dependable way. The important thing, however, is to keep in mind that WNS is not only used by third-party developers. It’s also used by many different Microsoft products, including Microsoft …

Read more

Looking closer at enabling Endpoint analytics

by

This week is all about Endpoint analytics and indirectly Advanced Analytics. More specifically, about enabling Endpoint Analytics and what happens after enabling Endpoint analytics. The process of enabling Endpoint analytics is not that special and can only be performed once per tenant. It is, however, good to be familiar with what happens after enabling Endpoint analytics. To understand the settings that become available and the impact of adjusting those settings. Especially the impact for the Windows devices within the environment. Besides that, it’s also important to be familiar with configurations that are not directly part of Endpoint analytics, but that do influence the results provided by Endpoint analytics. This post will focus on exactly those subjects! This post will provide an overview of what enabling …

Read more

Using a BYOCA with Microsoft Cloud PKI

by

This week is a follow-up on the post of last week about getting started with Microsoft Cloud PKI (Cloud PKI). This time it’s all about using a bring your own certificate authority (BYOCA) with Cloud PKI. BYOCA is focused on providing organizations with the ability to rely on an existing private CA. That can for example be an existing on-premises PKI infrastructure based on Active Directory Certificate Services (ADCS). BYOCA enables the IT administrator to create an issuing CA in Cloud PKI that is anchored to that existing private CA. By doing that, the issuing CA becomes an extension of the already existing (on-premises) PKI infrastructure. That might take some of the previously mentioned benefits away, as this won’t takeaway all the need to maintain …

Read more

Getting started with Microsoft Cloud PKI

by

This week is sort of another follow-up on the earlier posts about new Microsoft Intune Suite add-on capabilities. This time it’s all about the latest addition, Microsoft Cloud PKI (Cloud PKI). Cloud PKI provides organizations with a cloud-based service that simplifies and automates the certificate lifecycle management for Intune managed devices. It literally provides a public key infrastructure (PKI) from the cloud. That PKI environment can be built within a few minutes, by simply going through a couple of wizards. Even when relying on at least a two-tier hierarchy, with a root certificate authority (CA) and an issuing CA. There is no longer a need to maintain on-premises servers, connectors, or hardware. Cloud PKI handles the certificate issuance, renewal, and revocation for Intune managed devices. …

Read more

Getting started with Device query

by

This week is basically a follow-up on an earlier post about Advanced Analytics. At that time, it was all still in preview and still listening to the name of Advanced Endpoint Analytics. Advanced Analytics is also one of the latest additions to the Microsoft Intune Suite and it builds on top of those earlier previewed functionalities. On top of those features from the preview, Microsoft now also added Battery Health and Device query to the mix of features of Advanced Analytics. Even more insights and more options to actual query devices for information. Battery Health is a report that provides insights into the health of the batteries of the devices within the environment and how it influences the user experience. An interesting report, for even …

Read more