Category: Adminless

Windows 10: The Sands of time

This short blog will be about some Windows 10 time sync issues. It’s summertime again, time to set your clock one hour forward. Windows 10 has a built-in mechanism to configure the clock/time automatically for you. If it’s working, it’s great, but yesterday some customers called. Their Windows 10 devices did not automatically change the system time. When you have admin privileges you can manually sync the time, but you don’t have this luxury if you’re a user without admin…

AppLocker on the Company portal Express

This short blog will be about why baselines are very important and why you need to keep them up to date. I am not talking about security baselines this time. What I will be talking about is the app baseline you need to deploy to your users’ Windows 10 devices to make sure users can install apps on their own. It’s best practice to implement adminless. *Source: Microsoft Vulnerabilities Report 2021 | BeyondTrust (great report!!) Of course, nowadays users are…

Public Desktop icons and Adminless: The far side of Intune

This short blog will be about why users don’t need admin permissions to delete the public desktop icons. There are not a lot of reasons why your Azure AD users need to be local admins on their devices. You can do a lot even without admin permissions. To name a few:
- Restarting services can be done without local admin permissions: The non admin user: The battle of restarting services – Call4Cloud
- Installing applications: The PowerShell Win32 App Express – Call4Cloud
- Installing…

The non admin user: The battle of restarting services

Some time ago, Oliver Kieselbach discovered a great new method to start the IME sync process with just a simple command: “intunemanagementextension://syncapp”. You could push a shortcut with this command to all your users’ desktops. An excellent new approach. As Oliver mentioned, you could also restart the Microsoft Intune management service, which triggers the sync as well. But when your users have no admin privileges, this is not possible. This got me thinking, shouldn’t it be possible to restart some…

Company App: Unchained

In this blog I will give you my opinion on how I prefer apps to be deployed. When deploying a zero-trust modern workplace you need to make sure your users are not members of the local admin group. Take a look at my blogs if you want to make sure a user is never a local admin. When your users are no longer local admins, you can implement an AppLocker policy to make sure your devices are secure. But here…

The chronicles of Win32 App installations: The RunOnce key, OneDrive and Adminless

This blog will be about some weird RunOnce behavior when installing applications. This week, a customer asked me to push their Nuance Dragon speech software to some specific devices. I guess I am a nice person, so I immediately created a new Win32 App with some parameters. For testing, it’s always recommended to have a dedicated M365 test tenant with some test virtual machines. I enrolled a new virtual Windows 10 machine and waited until the application…

Birds of Printer drivers

Implementing adminless can be hard, especially when users are accustomed to installing printers on their own. To take away some of the trouble of introducing adminless, you can give your end users the possibility to install printer drivers on their own. Of course, Printix or Microsoft Universal Printer are better solutions when you have some “static” printers. But for the frontline workers, who suddenly may need to use a printer somewhere, this solution can come in handy…

Guardians of the Local Admin rights

Granting your users local admin permissions when deploying Windows 10 is really, really best practice… I’m joking, no it’s not! I must be saying this a lot lately. You need to be certain all of your endpoints are managed, so you can make sure your users don’t have local admin permissions. You don’t believe me that your endpoints need to be managed? Take a look at these two examples (Alex Fields): Removing local admin permissions mitigates a lot of critical Microsoft…

Remove all Local Admins!!

A while ago I posted a linked message to ask for the differences between a normal Azure AD join and the famous Autopilot function. Of course I know the differences… but I wanted to start a conversation. Because I think you can get most of the benefits of Autopilot with a regular Azure AD join as well. To start with one of the benefits: Removing the local admin. This is certainly a thing you have to make sure of this is…
