In this blog, I will show you how to remove the OOBE stage when NOT using autopilot. When using autopilot you can configure the OOBE experience like this. When NOT using autopilot, you have got some challenges. One of them is skipping this kind of questions: Configuring the user account type, is the second challenge. You really want to have a standard user and not an admin! Luckily I already blogged about it, how you can prevent users from becoming…
Granting your users local admin permissions when deploying Windows 10 is really really best practice…I’m joking, no it’s not! I must be saying this a lot lately. You need to be certain all of your endpoints are managed, so you can make sure your users don’t have local admin permissions. You don’t believe me that your endpoints need to be managed? Take a look at these two examples (Alex Fields): Removing local admin permissions mitigates a lot of critical Microsoft…
Some time ago I showed you the options you have to block the administrative tools like CMD and Regedit. Within the latest insider preview 20185 I noticed a new ADMX file So? We can block cmd and regedit by configuring a CSP, right? I enrolled a new Window 10 Enterprise VM and updated to the last insider preview update. After my new VM was configured, I tried to configure this CSP by creating a new device configuration profile like this:…
Protecting your devices with Windows Defender ASR rules is best practice but… make sure you’re aware of the caveats. The sun was probably shining when you configured your ASR rules! And after you decided you wanted to use Solarwinds for monitoring your devices, you pushed the agent to your endpoints. Then suddenly the weather changed… If like me, you configured a new Solarwinds Win32 with the packaging tool. After you start deploying it to some test devices. You’ll notice a…
Making sure your devices are up to date with the latest Microsoft updates is one of the key pillars of hardening your endpoints. Updating your devices through Intune is a piece of cake. Setting up your Windows 10 update rings can be done within a few seconds. Setting up the Windows update rings can be done manually, or you can automate the whole process. I personally like to automate the whole tenant deployment process. But that’s not the main reason of this blog. You need to ask yourself; how can I monitor my…
Nowadays everyone should be securing their Microsoft 365 Tenant, their identity and the endpoints. Also, hardening your Office 365 apps is necessary because your devices are often targeted by malicious emails/websites. In one of my latest blogs (the forgotten fruits of securing your Windows 10 endpoint), I pointed out the DIF and Sylk extensions. There is more, much more. Today I’ll show you how to this in Intune: Open Intune and create a new Administrative Template. There are about 60…
In this blog, we’ll be talking about how to make sure your team site sync automatically to all your devices within a few minutes. Microsoft offers this option as well, only their solution might take up to 8 hours! Today I’ll show you how to speed up this process. For anyone who wants to sync the team site libraries automatically, you can configure it in Intune. Okay, not my cup of tea. I feel users should be able to decide which team sites are important for them. Also, It’s…
Step 1: Least Privilege (No local admin) *ONLY using Autopilot? You also denied the registering personal devices? Good, if not… You need a solution to make sure your users are not admins. Step 2: Applocker *Nice… users are no longer admins. Why not implement an Applocker policy? Step 3: Bitlocker *Make sure you enable Bitlocker. You can do this through the Intune portal or with a custom made Intunewin app based on a PowerShell script. Your choice… Step 4: Windows Defender with ASR rules (Got money? Enable Windows Defender ATP) *Please turn on Windows Defender and configure the ASR Rules. You can automate the deployment like I did with the Applocker policy. Step 5: Baseline policies *Take a look at…
In one of my last blogs, I explained how to make sure access to Administrative Tools can be restricted using a GUI. It’s really simple to implement. But… you can do more, much more. What if I tell you, you can deploy a complete Applocker policy just within a few seconds? It only requires two scripts; a deployment script which makes the connection to Graph and another script which contains the JSON (config) itself Links to the Scripts (in a…
Unfortunately there is no simple GUI option to block the Command Prompt/Windows Powershell and Regedit in intune. Guess what? That’s wrong. You can make sure these apps can be denied. To do so, open the education Intune portal instead of the normal Intune portal. https://intuneeducation.portal.azure.com/ Groups –> All Devices (or create a custom group) –> Settings –> Apps –> Block Access to administrative apps Guess what it does? It just creates a custom Applocker policy in your normal Intune Portal….