Enabling hotpatch for Windows 11 Enterprise

This week is all about the latest changes in updating Windows 11 devices. That change is the introduction of hotpatch updates for Windows 11 Enterprise. Hotpatching helps organizations with keeping Windows secure, while minimizing the disruptions for the user. A significant step in keeping Windows more secure and productive. Hotpatching removes the requirement for Windows devices to reboot after every update installation, while still providing a complete set of security fixes. That’s exactly the point of importance for the user experience, as the device has less required reboots. This post will start with a brief introduction about Windows hotpatch, followed with the configuration steps. This post will end with experiencing the configuration. Note: The hotpatch technology is already being used for two years on Windows …

Read more

Working with device compliance for Windows Subsystem for Linux

This week is all about the device compliance capabilities for Windows Subsystem for Linux (WSL). WSL is a feature of Windows that allows the user to run a Linux environment on their Windows device, without needing a separate VM or a dual boot. It’s designed to provide a seamless experience for users that want to use Windows and Linux at the same time. By default, Ubuntu is used as the Linux distribution. There are, however, more options such as Debian, Kali, and SUSE. For the IT administrator it’s good to have the ability to be able to check the Linux distribution and version that is used. That can be achieved by using device compliance policies, as there is now a section specifically focused on adding …

Read more

Configuring Google Chrome for usage with device-based Conditional Access

This week is sort of a follow-up on last week. Last week the focus was on configuring Mozilla Firefox for usage with device-based Conditional Access, while this week the focus is on configuring Google Chrome for usage with device-based Conditional Access. That is already a supported scenario for many years, but in the early days that would require the Windows Accounts extension. That, however, has changed, making it easier to configure without installing a specific extension in the browser. Nowadays, there is a setting available that can be configured to automatically sign-in user accounts backed by a Microsoft Cloud identity provider. So, that’s even easier to configure. Especially when knowing that Microsoft Intune has Google Chrome configuration options directly available via the Settings Catalog. Minor …

Read more

Configuring Mozilla Firefox for usage with device-based Conditional Access

This week is all about managing and configuring Mozilla Firefox, with the main focus on using it with device-based Conditional Access. When looking specifically at Conditional Access, Mozilla Firefox is nowadays a supported browser for device-based Conditional Access scenarios on devices running Windows 10 and later. That is of course a really good thing, but it does require a specific configuration that should be in place within the browser. A single configuration that could be a real lifesaver on managed devices. Even better, on managed devices that configuration can also be set by using Microsoft Intune. To facilitate that, Mozilla provides easy configuration options via Group Policy templates. This blog post will provide a brief overview of importing those settings, followed with the steps to …

Read more

Updating Enterprise App Catalog apps

This week is all about creating awareness about the recently introduced functionality to easily update apps from the Enterprise App Catalog. The Enterprise App Catalog is part of Enterprise App Management and provides a collection of apps that are prepared by Microsoft for usage within Microsoft Intune. This new functionality provides IT administrators with a guided experience for updates that are available for apps within the catalog. That starts with a brief overview of the available updates for apps that are used from the catalog, and that overview results in to a pretty straight forward guided experience for updating a specific app. That guided experience eventually creates a new Win32 app that supersedes the current version of the app, and that can be deployed towards …

Read more

Enabling optional Windows updates

This week is all about enabling optional Windows updates. Enabling optional updates is all related to the Get the latest updates as soon as they’re available slider in the Settings app. That slider can be used to enable optional updates on a Windows device. Optional updates provide new features and non-security changes. Besides that, optional updates can also include features that are gradually rolled out. Those rollouts are also known as controlled feature rollouts (CFRs). Most of those optional updates are released on the fourth Tuesday of the month and are also known as non-security preview releases, while regular updates are released on the second Tuesday of the month. Nowadays, regular updates are also known as B week releases, while optional updates are also known as …

Read more

Getting started with Windows protected print mode

This week is all about another new feature within Windows 11, version 24H2. Mainly to create awareness. That new feature is Windows protected print mode. Windows protected print mode builds on top of the existing IPP print stack. Main enhancement is that only Mopria certified printers are supported and that it disables the ability to load third-party print drivers. Securing the printing stack has always been, and still remains, challenging. Mainly because it has to deal with compatibility of legacy drivers and high effective permissions of the printer drivers. That’s not all that easy to address. Windows protected print mode, however, is a step into the right direction. That adds some long-awaited improvements to the print security in Windows that should make the impact smaller of challenges …

Read more

Easily managing Personal Data Encryption for known Windows folders

This week is a follow up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post was really focused on the early introduction of PDE and the functionality that it brings to the table, while this post will basically add-on to that functionality and knowledge. PDE is still a pretty unknown feature that is now actually growing in useful functionalities and could become a very welcome addition to the available data protection capabilities on Windows. With the latest version of Windows 11, version 24H2, PDE now also contains the ability to protect personal data in known Windows folders. Those known Windows folders are Documents, Desktop, and Pictures. That provides organizations with more protection capabilities for personal data, …

Read more

Getting started with Windows enrollment attestation

This week is all about adding an additional layer of protection to the enrollment of Windows devices. That additional layer of protection is Windows enrollment attestation. Windows enrollment attestation is focused on making the process of enrolling into Microsoft Intune more secure and trustworthy for Windows devices. It relies on using the Trusted Platform Module (TPM) to store the private keys of the MDM certificate from Microsoft Intune and the access token from Microsoft Entra. That information is attested during the enrollment of Windows devices, making it less prone to tampering. That should provide better protection against attackers that for example steal an Intune MDM certificate. This blog post will start with a brief introduction about Windows enrollment attestation, followed with the central insights and …

Read more

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module is available to be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed the steps and examples for …

Read more