Configuring Mozilla Firefox for usage with device-based Conditional Access

This week is all about managing and configuring Mozilla Firefox, with the main focus on using it with device-based Conditional Access. When looking specifically at Conditional Access, Mozilla Firefox is nowadays a supported browser for device-based Conditional Access scenarios on devices running Windows 10 and later. That is of course a really good thing, but it does require a specific configuration that should be in place within the browser. A single configuration that could be a real lifesaver on managed devices. Even better, on managed devices that configuration can also be set by using Microsoft Intune. To facilitate that, Mozilla provides easy configuration options via Group Policy templates. This blog post will provide a brief overview of importing those settings, followed with the steps to …

Read more

Updating Enterprise App Catalog apps

This week is all about creating awareness about the recently introduced functionality to easily update apps from the Enterprise App Catalog. The Enterprise App Catalog is part of Enterprise App Management and provides a collection of apps that are prepared by Microsoft for usage within Microsoft Intune. This new functionality provides IT administrators with a guided experience for updates that are available for apps within the catalog. That starts with a brief overview of the available updates for apps that are used from the catalog, and that overview results in to a pretty straight forward guided experience for updating a specific app. That guided experience eventually creates a new Win32 app that supersedes the current version of the app, and that can be deployed towards …

Read more

Enabling optional Windows updates

This week is all about enabling optional Windows updates. Enabling optional updates is all related to the Get the latest updates as soon as they’re available slider in the Settings app. That slider can be used to enable optional updates on a Windows device. Optional updates provide new features and non-security changes. Besides that, optional updates can also include features that are gradually rolled out. Those rollouts are also known as controlled feature rollouts (CFRs). Most of those optional updates are released on the fourth Tuesday of the month and are also known as non-security preview releases, while regular updates are released on the second Tuesday of the month. Nowadays, regular updates are also known as B week releases, while optional updates are also known as …

Read more

Getting started with Windows protected print mode

This week is all about another new feature within Windows 11, version 24H2. Mainly to create awareness. That new feature is Windows protected print mode. Windows protected print mode builds on top of the existing IPP print stack. Main enhancement is that only Mopria certified printers are supported and that it disables the ability to load third-party print drivers. Securing the printing stack has always been, and still remains, challenging. Mainly because it has to deal with compatibility of legacy drivers and high effective permissions of the printer drivers. That’s not all that easy to address. Windows protected print mode, however, is a step into the right direction. That adds some long-awaited improvements to the print security in Windows that should make the impact smaller of challenges …

Read more

Easily managing Personal Data Encryption for known Windows folders

This week is a follow up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post was really focused on the early introduction of PDE and the functionality that it brings to the table, while this post will basically add-on to that functionality and knowledge. PDE is still a pretty unknown feature that is now actually growing in useful functionalities and could become a very welcome addition to the available data protection capabilities on Windows. With the latest version of Windows 11, version 24H2, PDE now also contains the ability to protect personal data in known Windows folders. Those known Windows folders are Documents, Desktop, and Pictures. That provides organizations with more protection capabilities for personal data, …

Read more

Getting started with Windows enrollment attestation

This week is all about adding an additional layer of protection to the enrollment of Windows devices. That additional layer of protection is Windows enrollment attestation. Windows enrollment attestation is focused on making the process of enrolling into Microsoft Intune more secure and trustworthy for Windows devices. It relies on using the Trusted Platform Module (TPM) to store the private keys of the MDM certificate from Microsoft Intune and the access token from Microsoft Entra. That information is attested during the enrollment of Windows devices, making it less prone to tampering. That should provide better protection against attackers that for example steal an Intune MDM certificate. This blog post will start with a brief introduction about Windows enrollment attestation, followed with the central insights and …

Read more

Understanding the local diagnosing and troubleshooting options for Endpoint Privilege Management

This week is focused on creating some awareness around the EpmTools PowerShell module. That PowerShell module is available to be used to diagnose and troubleshoot issues with Endpoint Privilege Management (EPM). Besides that, it can also be used to get the required attributes directly from a file or application. The best part is that the EpmTools PowerShell module is included by default with the installation of the Microsoft EPM agent. That provides IT administrators with a set of cmdlets to easily retrieve information about the actual local configuration of the Microsoft EPM agent, including the received policies, the applied client settings, and more. This blog post will provide an overview of the available cmdlets in the EpmTools PowerShell module, followed the steps and examples for …

Read more

Understanding the pause config refresh remote action for Windows devices

This week is sort of a follow up on a post of almost a year ago about scheduling automatic policy refreshes for Windows devices without requiring a check-in. While that post was focused on actually scheduling automatic policy refreshes for Windows devices, by using Config Refresh, this post will be focused on temporarily pausing that scheduled policy refresh. Temporarily pausing the scheduled policy refreshes provides the IT administrator with a window for troubleshooting the device. Without pausing the scheduled policy refreshes, the supported configurations will automatically refresh their policies. That can be pretty disturbing when verifying specific behavior with specific configurations. So, pausing the automatic policy refreshes is an important piece of the scheduled policy refresh. Automatic policy refresh relies on Config Refresh that is …

Read more

Managing recommended security settings for Windows Subsystem for Linux

This week is all about Windows Subsystem for Linux (WSL) and managing the recommended settings. WSL is a feature of Windows that allows users to run a Linux environment directly on their Windows machine. All without the need of running a separate VM. It’s designed to provide a seamless and productive experience for users who want to use both Windows and Linux at the same time. Of course, it’s important to address that level of productivity with the right level of security. Luckily, Microsoft also provides a guidance around enabling the secure use of Linux with WSL in an enterprise environment. All focused on using Microsoft Intune and Microsoft Defender. This post will have a brief look at the recommended security settings for WSL, followed …

Read more

Working with support approved elevations

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions. The same experience as already known for executables. Besides that, there is more new functionality within EPM that might even be more powerful. That functionality is support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context that the user is prompted to submit an elevation request. That request is sent to Intune for a …

Read more