Posts

Showing posts from February, 2023

Deny all access to Removable Storage using Intune

The Removable Storage Access Control feature enables you to apply policy by using OMA-URI or by using the Intune user interface, targeting either users or devices, or both. Until now, I have been using Endpoint security profiles to implement device control settings to manage write access to removable drives such as USB. However, recently I needed to block access to removable storage altogether and I couldn't make it work using the Endpoint security ASR Device control profile. As of writing this blog, these are the relevant settings that are available in the Device control profile. I expected Block Removable storage to work, but it didn't. I couldn't find any obvious errors, so I decided to do some research. One way is to use OMA-URI CSPs, which are broadly broken down into the following categories. Using Default Enforcement, you can set the default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices). Another way is to use device sto...

Removing OEM configured bookmarks from Edge

I believe most will agree when I say that OEM branded configuration on Windows devices can be both unwanted and frustrating to remove, especially when you are provisioning devices using Autopilot and want to apply the organization's configuration policies. I recently encountered an issue with Lenovo Windows 11 devices that came pre-installed and configured with things that the customer didn't want. While the procurement process gets worked out with the supplier to provide a clean image, I still needed to address these unwanted items. One of the items was pre-configured Edge bookmarks that had no place in the bookmarks I was putting in place. It was obvious that they had to go. The bookmarks are located under C:\Users\<Userprofile>\AppData\Local\Microsoft\Edge\User Data\Default. If you open it, you can match the contents with what shows up in the favorites in Edge. Solution: I created a simple one-line script to delete the Bookmarks file as part of the Autopilot provisioning ...

Conundrum around Network Protection Toast Notifications

Network protection utilizes functions in SmartScreen to block phishing activities from malicious command and control sites. When an end user attempts to visit a website in an environment in which network protection is enabled, a toast notification may be presented based on the reputation of the URL. What if you don't want to give the user the ability to circumvent the blocked action at all? This is where the challenge lies, but luckily there is a way. First, let's look at the scenarios under which NP operates.

1. The URL has a known good reputation - In this case the user is permitted access without obstruction, and there is no toast notification presented on the endpoint. In effect, the domain or URL is set to Allowed.
2. The URL has an unknown or uncertain reputation - The user's access is blocked, but with the ability to circumvent (unblock) the block. In effect, the domain or URL is set to Audit. The user will have access to the site for 24 hours; at which point th...