Using temporary enterprise feature control for early testing new features in Windows

This week is all about creating awareness around a relatively new feature for controlling the availability of new features in Windows 11. That new feature is temporary enterprise feature control. Temporary enterprise feature control is introduced – together with permanent enterprise feature control – to manage the introduction of new features within the enterprise. With the continuous innovation that was recently introduced by Microsoft, new features are no longer only introduced with the latest feature update. New features are now already introduced with the Latest Cumulative Update (LCU), but are off by default. And new features with impact (like new experiences, new in-box applications, removing existing capabilities, or overriding previously configured settings) are behind that new feature, temporary enterprise feature control. New features behind that …

Scheduling automatic policy refreshes for Windows devices without requiring a check-in

This week is sort of a follow-up on a blog post from about four (!) years ago. That post was focussed on the policy refresh on Windows devices. Since very recently, there is now something new available to refresh the applied configurations. That something new is: Config Refresh. Config Refresh can be used to configure a refresh cadence in which the already received configuration policies will be refreshed, no matter if the device is online or offline. A great addition to at least make sure that the received configuration is applied. Config Refresh became available as a configuration option in Microsoft Intune, with the latest service release (2309). Besides that, it relies on an addition in the DMClient CSP that became available just recently in …

Enabling remote access for specific users on Azure AD joined devices

This week is sort of a follow-up on my previous posts about restricting the local log on to specific users. While those posts were focused on restricting the local log on, this post will be focused on enabling remote access for specific users. More specifically, remote access for specific users on Azure AD joined devices. That’s not something too exciting, but definitely something that comes in useful every now and then. Besides that, this was already possible – for a long time – but would often require the device to be joined to the same tenant and take out some security configurations (like Network Level Authentication). That’s no longer required – already for almost a year – as it can now rely on Azure …

Fixing self-service when restricting the local log on

This week is a quick follow-up on the post of last week. That post was focussed on restricting the local log on to Windows devices. Part of that post was also the broken self-service password reset and self-service PIN reset functionalities. When using the most restrictive option of a whitelist, for configuring the users that are allowed to log on locally, that will break those functionalities. This week will be all about a follow-up on that behavior. When it’s required to restrict the local log on to Windows devices, and users should still be able to use the different self-service functionalities, this post will provide a solid starting point. Of course, that’s not applicable to every scenario. Only scenarios in which there are actual users logging …

Restricting the local log on to specific users

This week is about restricting the local logon on Windows devices to specific users. Not because it is something particularly new, but simply because it has been an ask every now and then. Think about further locking down a kiosk device, for example. Restricting the local logon can be achieved by either only allowing specific users to log on, or by denying specific users to log on. In other words, whitelisting versus blacklisting. The allow-option is basically a whitelist and the deny-option is basically a blacklist. When looking at restricting the local logon, a whitelist is the easiest method to quickly get really restrictive, as only the users on the list are allowed to log on locally. Luckily, nowadays there is an easy method for configuring …

Easily removing access to the Microsoft Store

This week is all about access to the Microsoft Store. And more specifically, about a single policy setting to potentially turn off access to the Microsoft Store. Many organizations struggle with the Microsoft Store on Windows devices, because the Microsoft Store enables users to install apps in their profile that aren’t necessarily work related. That brings organizations to a crossroads. When an organization decides to block access to the Microsoft Store, there were already different options available. So far, the most effective methods were to either configure Windows to show the private store only, or to use AppLocker. None of those methods, however, would be complete and simple. Often it was still possible to use winget to install apps, or the configuration would get …

Getting started with Remote Help for Android

This week is back to the Android platform. More specifically, Remote Help for Android. Remote Help in itself is nothing new, as it was already introduced a while ago for Windows devices, but it is new for Android devices. Starting with the latest service release of Microsoft Intune (service release 2308), Microsoft introduced support for Remote Help on Android devices. More specifically, support for Remote Help on Android Enterprise dedicated devices. And even more specifically, only Samsung and Zebra devices. That enables IT administrators to provide remote support to users on Android Enterprise dedicated devices, by simply starting a screen sharing session or asking for full control. This post will start with a short introduction, followed by the steps to get Remote Help working for …

Getting started with Windows 365 Switch

This week is a follow-up on a blog post of a couple of months ago about a new feature for Windows 365 Enterprise. That post was focused on Windows 365 Boot and that post mentioned that last year Microsoft announced many nice upcoming features with Windows 365 App, Windows 365 Boot, Windows 365 Offline and Windows 365 Switch and more recently even a great licensing enhancement with Windows 365 Frontline. This time it’s about Windows 365 Switch, which is another new feature that was announced and recently released in public preview. Windows 365 Switch provides users with the ability to easily switch between the local desktop and a Windows 365 Cloud PC. That provides a seamless experience via the Task View feature on Windows 11. …

Quick tip: App inventory for corporate-owned Android Enterprise devices

This week another short post. Not just because I missed blogging during my vacation, but mainly to create awareness for a very interesting and often requested feature. That feature is the app inventory for corporate-owned Android Enterprise devices. Until recently the app inventory was not available for corporate-owned Android Enterprise devices, but that has changed. With the recent Microsoft Intune service release (2307), Microsoft has now made some changes to app management and app inventory. Those changes are actually triggered by Google, as Google has started deprecating features and methods of the Google Play EMM API. And even though there are alternatives within that API available, the general advice is to move to the modern Android Management API. That’s exactly what Microsoft is doing and …
