Modern Device Management

In Windows 10 and 11, the operating system can provide protection from malicious code by isolating certain processes in the PC’s memory using virtualization on supported hardware. This protection runs under Memory Integrity under Core Isolation feature. With Windows 11 22H2, Microsoft made this feature default. However, as of writing this post, Memory Integrity will only turn on new devices by default. For existing devices upgrading to Windows 11 22H2, the feature will need to be managed separately. Memory integrity is also known as Hypervisor-protected Code Integrity (HVCI). Being a device guard feature, it hasn't made to the dedicated security profiles under Endpoint Security Attack Surface Rules in Intune as a standalone policy. Official documentation by Microsoft suggests that it can be enabled as part of Applocker Code Integrity CSP .  Alternatively, one can also enable it through the Applocker policy in Application control ASR, if you want to enable Applocker policy as a w...

I recently had a requirement for setting up policies for Adobe Acrobat Reader DC to lockdown and configure some features against Autopilot provisioned AAD devices. Adobe does provide GPO templates, but what's astonishing is that these templates do not support all the settings. According to Adobe, the templates are basic starter templates containing the most important setting and are broadly spread across the following categories: 1. General enterprise settings: Features such as disabling updates and setting the default PDF handler. 2. Security: Application security features such as enhanced security, sandboxing, and JS controls. 3. TrustManager: Trusting Windows OS security zones as defined in Internet Explorer. 4. Digital Signatures: Adobe Acrobat Trust List integration. I imported the templates in Intune to check what all policies are supported in Intune and there were only a handful settings. According to Adobe, one can use Preference Reference to extend the templates, but this...

Working on a project led me to the requirement of targeting some Intune policies on devices that are both Intune and Co-managed. In case of Co-managed, I would normally use Cloud sync to assign the policies on a Microsoft Configuration Manager collection synched with Azure AD and in case of Intune, I would just create a Dynamic Azure AD group containing Autopilot devices or use some basic AAD group attributes in conjunction with device filters in Intune. But this time, I wanted to simplify the grouping and decided to explore the idea of using a single Azure AD dynamic group for all my policy assignments in Intune.  Enter deviceManagementAppid attribute for dynamic grouping of devices in Azure AD. Microsoft have provided Appids for Intune and Co-managed devices that can be used for dynamic grouping. For a complete list of supported device attributes, you can refer to the official link over here . In order to use the Microsoft Intune value ("0000000a-0000-0000-c000-000000000000...

  Microsoft recently released next version of  Windows 11 known as 22H2. This feature update comes with many new security capabilities and one of such capability is Enhanced Phishing Protection. As part of Microsoft Defender SmartScreen, Enhanced Phishing Protection helps in protecting Microsoft school or work passwords against phishing and unsafe usage on sites and apps. It currently supports the following 3 scenarios: 1. If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account. 2. Reusing work or school passwords on sites and apps will prompt them to change their password. 3. Storing plaintext passwords in text editors such as Notepad or Office applications like Word, will result in a warning and a recommendation for removing the password from the file. If yo...

A large number of my customers are implementing Autopilot device provisioning process in an effort to move away from traditional imaging solutions like ConfigMgr and adopt cloud first strategy, whilst retaining their investment in ConfigMgr. This normally results in a mixed workload management through Co-management which can be setup and configured easily. For devices being provisioned using Autopilot, there is actually more than 1 way to achieve a co-managed state for the endpoints. If you are looking for a native solution, then Microsoft recently introduced Co-management settings right in MEM Console which can be used to apply the settings automatically during ESP phase. However, this method doesn't support all scenarios and there are some limitations, namely - - Hybrid Azure AD-joined devices are not supported. - Autopilot pre-provisioning, also known as white glove provisioning is not supported. - Workloads switched to Pilot Intune with pilot collections are not supported. - Cl...