In this blog I will give you my opinion on how I prefer apps to be deployed. When deploying a zero-trust modern workplace you need to make sure your users are not member of the local admin group. Take a look at my blogs if you want to make sure a user is never a local admin. When your users are no local admin anymore, you can implement an AppLocker policy to make sure your devices are secure. But here…
In this blog, I will show you how to remove the OOBE stage when NOT using autopilot. When using autopilot you can configure the OOBE experience like this. When NOT using autopilot, you have got some challenges. One of them is skipping this kind of questions: Configuring the user account type, is the second challenge. You really want to have a standard user and not an admin! Luckily I already blogged about it, how you can prevent users from becoming…
The Microsoft Store. An ideal place to download Spotify/Netflix on a Company Owned device. Of course, you want to block this. There are several ways to block the Microsoft Store so it can’t be accessed at all. But why not only allowing certain Apps, so only Microsoft Apps or Company apps can be installed/opened. The best option is to make sure only your Private store is available. It only requires a CSP to do so. ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly But, looking at the…
Today I spend some time to enrol existing azure ad joined devices into Intune. These devices were azure ad joined without Intune enabled/configured. There are 2 ways to make sure the device will be registered in intune Group Policy: Computer Configuration > Administrative Templates > Windows Components > MDM. 2. Registry: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]“AutoEnrollMDM”=dword:00000001“UseAADCredentialType”=dword:00000001 When you apply these changes. You will notice a new Task is being created in the task scheduler. Give it some time… and…
Microsoft just released an update to Intune. The old GPO’s structure is back. But it is still missing settings… Sometimes you really want to push a simple hkey_current_user setting. Normally that is not a problem when you are NOT blocking PowerShell π . But my opinion.. not blocking PowerShell for the non-admins is a no go. Because malware/cryptoware/privilege escalation uses most of the time Powershell. And a normal user.. does not need access to PowerShell (except for loading scripts π…
A while ago i posted a linked message to ask for the differences between a normal Azure Ad join and the famous Autopilot function. Of course I know the differences… but I wanted to start a conversation. Because most of the benefits of autopilot, I think you can the same with a regular Azure Ad join. To start with one of the benefits: Removing the local admin. This is certainly a thing you have to make sure of this is…
I have been thinking a lot about creating a website and to start blogging. The time is now. This a video (in dutch…) how I configured one of my test office365 tenants. The setup of this tenant took about a half-hour. Below the video are some details of what I have done in about a half-hour (after waiting a long time for the Microsoft 365 Business License to be activated on the tenant) Some stuff I had to do manually….