Configuring the visibility of the Settings pages

This week is not about something new; this week is about configuring the visibility of the different Settings pages. The Settings app is the Windows application that provides a unified interface to manage the different system settings. Almost everything that was configurable in the old days via Control Panel is now configurable via the Settings app, with some exceptions of course. The main reason to make adjustments to the visibility of the different Settings pages is to create a more controlled and secure environment. That can be especially useful for specific types of devices, such as kiosk devices and student devices. In those cases, limiting the access to different Settings pages can help with preventing unauthorized changes and maintaining a consistent user experience. The good …

Removing preinstalled Microsoft Store apps using native functionality

This week is all about the native functionality to remove preinstalled Microsoft Store apps. Very useful. When working with Windows devices in an enterprise environment, a common request is to control the preinstalled Microsoft Store apps. These default apps, which ship as part of the Windows image, often include consumer-oriented or redundant functionality that does not align with corporate standards. Removing these apps often requires custom scripting, or other creative solutions. Starting with Windows 11 version 25H2, however, there will be native functionality available to facilitate the removal of most preinstalled Microsoft Store apps. That enables the IT administrator to easily remove those preinstalled Microsoft Store apps. Those configurations are available via Group Policy and via Configuration Service Provider (CSP), enabling basically any deployment scenario. …

Getting started with the Microsoft Defender Browser Protection extension for Google Chrome

This week is sort of a follow-up on the last couple of weeks. The last couple of weeks the focus was on getting started with the different Microsoft Purview extensions for Google Chrome and Mozilla Firefox, while this week the focus is on getting started with the Microsoft Defender Browser Protection extension for Google Chrome. The Microsoft Defender Browser Protection extension brings protection against online threats, like phishing and malicious websites, to the Google Chrome browser. That functionality is known from SmartScreen in Microsoft Edge. With that functionality it protects users against threats such as clicking on links in phishing emails and websites that are designed to trick users into downloading and installing malicious software. Of course, Google Chrome also provides similar built-in functionality, but that will not …

Getting started with Administrator protection

This week is all about the new functionality on Windows devices to help protect administrator users. That new functionality is Administrator protection. Administrator protection is aimed at protecting the users while still allowing them to perform their required elevated actions with just-in-time administrator privileges. For users that have local administrator privileges, Administrator protection makes sure that, instead of always having those high privileges, those users must consent to actually activate them. That makes sure that, by default, the user is now operating according to the least privilege concept and only gets those higher privileges when actually needed. In the end that reduces the attack surface for those users and makes sure that nothing happens without …

Managing recommended security settings for Windows Subsystem for Linux

This week is all about Windows Subsystem for Linux (WSL) and managing the recommended settings. WSL is a feature of Windows that allows users to run a Linux environment directly on their Windows machine, all without the need to run a separate VM. It’s designed to provide a seamless and productive experience for users who want to use both Windows and Linux at the same time. Of course, it’s important to address that level of productivity with the right level of security. Luckily, Microsoft also provides guidance around enabling the secure use of Linux with WSL in an enterprise environment, all focused on using Microsoft Intune and Microsoft Defender. This post will have a brief look at the recommended security settings for WSL, followed …

Fixing self-service when restricting the local log on

This week is a quick follow-up on the post of last week. That post was focussed on restricting the local log on to Windows devices. Part of that post was also the broken self-service password reset and self-service PIN reset functionalities. Using the most restrictive option of a whitelist, for configuring the users that are allowed to log on locally, will break those functionalities. This week will be all about a follow-up on that behavior. When it’s required to restrict the local log on to Windows devices, and users should still be able to use the different self-service functionalities, this post will provide a solid starting point. Of course, that’s not applicable to every scenario. Only scenarios in which there are actual users logging …

Managing updates for Visual Studio

This week is all about something relatively new with Microsoft Intune and that is managing Visual Studio settings. Many settings for managing Visual Studio were already available via registry keys and ADMX-files. Those ADMX-files could already be imported within Microsoft Intune, but are now also directly available within the Settings Catalog with the latest service release (2305). That enables organizations to easily manage the most important configuration settings that are required to at least make sure that the basics of the Visual Studio installation are compliant with the company policies. An important part of that is managing the updates for Visual Studio. That can make sure that the installations of Visual Studio within the organization at least have the latest security updates installed. This post …

Simplifying the management and configuration of your favorite browser

This week is all about simplifying the management and configuration of your favorite browsers, by using Microsoft Intune. That’s definitely not the sexiest subject, but it’s important to be familiar with the easy options that are available nowadays. With the latest additions to Microsoft Intune, the management and configuration of the different browsers became more of a native functionality. Native functionality was already available for Microsoft Edge, and recently became available for Google Chrome. And now, with the recent addition of importing third-party administrative templates, it became available for every browser that could be easily managed within an on-premises environment, by using Group Policies. Besides that, there are even alternatives when really needed. This post will provide an overview of the different options for managing …

Working with enhanced phishing protection in Microsoft Defender SmartScreen

This week is all about a new security feature that is part of Microsoft Defender SmartScreen and that was introduced with Windows 11, version 22H2. That feature is enhanced phishing protection. Enhanced phishing protection helps with protecting work accounts against phishing and unsafe usage on sites and apps. It works alongside existing Windows security features and alerts about typed work passwords in any Chromium browser, warns about reused work passwords on sites and apps, and warns when storing plaintext work passwords in Notepad, Word, or any Microsoft 365 Office app. That makes enhanced phishing protection an important addition to the Microsoft Defender SmartScreen security functionalities. This post will go through the available settings, the easy configuration, and the user experience with the enabled notifications. Note: …

Further simplifying management of the Google Chrome browser on Windows devices

This week is all about further simplifying management of the Google Chrome browser on Windows devices. The configuration of the Google Chrome browser was already possible by ingesting ADMX-files, by using PowerShell, or by using Chrome Browser Cloud Manager, but the IT administrator was always in for a sub-optimal experience. It was either a lot of work (when looking at ADMX-files), or it provided limited reporting capabilities (when using PowerShell), or it was a completely separate solution (Chrome Browser Cloud Manager). None of those were optimal. The great thing is that with the latest service release of Microsoft Intune (2203), the Settings Catalog (and the Administrative Templates) now also include settings for the Google Chrome browser. That enables the IT administrator to simply use the …
