Posts

Showing posts from 2023

Enabling Edge Workspaces on Windows 11 with Microsoft Intune

Presentation

Edge Workspaces provides an incredible way for customers to organize their browsing tasks into dedicated windows. Each Edge Workspace contains its own sets of tabs and favorites, all created and curated by the user and their collaborators. Edge Workspaces are automatically saved and kept up to date. Workspaces are accessible anywhere customers use Microsoft Edge with their Microsoft Entra accounts.

Prerequisites

- Users must have a Microsoft Entra tenant and Microsoft Edge version 114 or later installed, or Microsoft Edge for Business version 116.
- To manage via group policy, admins must have Microsoft Edge version 114 or later installed and version 114 of the policy files.
- Users must have access to a OneDrive for Business license to create an Edge Workspace.

Enable feature with Microsoft Intune

1. Go to intune.microsoft.com
2. Select Devices / Windows / Configuration Profiles and click Create
3. Create profile:
   Platform: Windows 10 and later
   Profile type: Settings catalog
4. Complete

Allow Windows 365 users to reset their Cloud PC

A new option for Windows 365 Cloud PC users has just appeared. It allows you to delegate to users the right to reset their Cloud PC. In this blog post, we can see how to configure this option and

Reset option's configuration

1. Go to Intune.microsoft.com
2. Navigate to Devices / Windows 365
3. Click on the User settings tab
4. Click Add to create a new rule, or select an existing rule to modify its configuration
5. Tick the box: Enable users to reset their Cloud PC
6. Click Next
7. On Assignment, select the user group and click Next
8. On Review + create, click Create

Launch reset from Windows 365 client

1. Open the Windows 365 client
2. Click on the three small dots
3. Select Reset
4. Tick the box "Yes, I am sure I want to reset this Cloud PC" and click Reset

The reset takes about 20 to 30 minutes. As soon as provisioning is complete, the Cloud PC reappears in the Windows 365 client.

Windows 365, disable local drive redirection using Microsoft Intune

In the interests of securing AVD and Windows 365 environments, it is worth questioning whether local drives or folders should be redirected to the remote session. Often, Windows 365 users use a personal and potentially insecure computer to access a customer's Windows 365/AVD services. It is therefore essential to guard against the dangers that this type of scenario may entail. To avoid this, it is possible to prohibit the mounting of local drives in a remote session. To do this, I invite you to follow the procedure below.

Configuration profile creation

1. Go to intune.microsoft.com
2. Go to Devices / Windows / Configuration Profiles
3. Click Create Profile
4. Select:
   Platform: Windows 10 and later
   Profile Type: Settings Catalog
5. Complete the Name field and click Next
6. Click Add settings
7. Go to Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Device and Resource Redirection
8. Select Do not allow drive redirection
9. Close the pane

Microsoft Intune, Uninstall Win32 app with the company portal

With the arrival of build 2307 of Microsoft Intune, Microsoft provides a new option in the Applications part.

Source: What's new in Microsoft Intune | Microsoft Learn

This option allows us to offer users the possibility of uninstalling a Win32 application via the Company Portal. Below you will find the procedure to activate the option in the Microsoft Intune console.

Prerequisites

- Intune tenant up to date
- Win32 app available in the Company Portal
- A valid uninstall command line

Enabling the Uninstall option

1. Go to Intune.microsoft.com
2. Navigate to Apps / Windows
3. Select a Win32 app and click Properties
4. On Program, click Edit
5. Activate the option Allow available uninstall by switching the option to Yes
6. Click Review + Save for all sections and click Save

User side

Open the Company Portal, then select an available Win32 application. After updating, you should see the mention Uninstall. Click Uninstall to remove the application.

How to disable access to removable storage devices with Microsoft Intune

Your computer's USB ports are an obvious gateway for attempts to compromise your security. You must therefore limit their use and thus prevent a user from connecting a storage device that could contain a virus or other malware that could affect your security. Microsoft Intune provides the ability to address this vulnerability by creating a CSP. Setting it up will prevent access to the following elements:

- External USB storage
- SD card

To do this, I invite you to follow the procedure below.

Create the Configuration Profile

1. Go to Intune.microsoft.com
2. Navigate to Devices / Windows / Configuration Profiles
3. Click Create Profile
4. In Create a Profile, select:
   Platform: Windows 10 and later
   Profile Type: Template
   Template Name: Device Restriction
5. Click Create
6. Enter the profile name in the name field and click Next
7. In Configuration Settings, navigate to General
8. For Removable Storage, switch the parameter to Block
9. Click Next
10. In Assignments, select Devices group or All devices

How to resize Windows 365 cloud PC

Microsoft recently added a function in the Microsoft Intune management console to resize a Windows 365 Cloud PC. Small clarification: this option is currently available in Preview. With this new feature, we have the possibility to adjust the following elements:

- CPU
- Memory
- Hard drive

The desired changes must match the configurations offered in the Windows 365 license program.

Prerequisites

Admin rights

Here is the list of prerequisites necessary to perform the resizing of a Cloud PC:

For a Cloud PC provisioned with a direct assigned license, at least one of the following roles:

- Global Admin
- Intune Service Admin
- Intune Reader + Cloud PC Admin roles
- Intune Reader + Windows 365 Admin

For a Cloud PC provisioned with a group-based license, at least one of the following roles:

- Global Admin
- Intune Service Admin
- Intune Reader + Windows 365 Admin

In addition to one of the previous three roles, a role with Azure AD group read/write membership and licensing permissions, like the Windows 365 Admi

How to limit rights on C drive for Authenticated Users

In some cases, it can be useful to control the level of permissions that we leave to users on the C: drive. With this in mind, and to respond to certain customer requests, I made a PowerShell script to limit write rights for authenticated users using the icacls command.

The script is available on GitHub: https://github.com/ChrisMogis/DriveC_RightsModification

Script details

<#
.DESCRIPTION
This script allows you to revoke user rights in C: and thus prevent creating folders or files anywhere on the hard disk system.
.NOTES
  Version:        1.0
  Author:         Christopher Mogis
  Creation Date:  07/11/2023
#>

#Script Parameters
Param
(
    [Parameter(Mandatory=$true)]
    [ValidateSet("Remove", "Add")]
    [String[]]
    $Param
)

#Variables
$Date = Get-Date

#Log Folder
Function CreateLogsFolder
{
    If (!(Test-Path "C:\CCMTune\Logs\"))
    {
        Write-Host "$($Date) : Create logs folder C:\CCMTune\Logs"
        New-Item -Force -Pa

How to customize Windows 365 device name

Since its release, Windows 365 has not offered the possibility of naming devices. It was necessary to go through either a script or a CSP. Microsoft has just made available a feature that finally allows you to name a Cloud PC as you can do with an Autopilot PC.

1. Process for an existing Provisioning Policy

To do this, simply perform the actions below:

- Go to the Microsoft Intune console
- Click Devices \ Windows 365
- Select your Windows 365 Provisioning Policy
- In the Configuration section, click Edit
- Tick "Apply device name template"
- Complete the field "Enter a name Template" with the appropriate value for your context
- Check the summary of changes and click Update at the bottom of the page.

To be active on existing Cloud PCs, it will be necessary to launch a device reprovisioning.

2. Process for a new Provisioning Policy

To do this, in the creation of a provisioning rule, simply check the Cloud PC Naming box and add a naming rule in step 3.

Windows LAPS, secure your local admin accounts using Microsoft Intune

LAPS lets you manage local account passwords on Windows devices. The solution allows you to control and securely recover the built-in local administrator password. Limited until now to on-premises integration, this solution represented an obstacle to the migration of certain customers to full cloud management of their IT equipment. With the availability of the cloud version of LAPS, customers can now secure the local admin accounts of their Azure AD joined and Hybrid Azure AD joined devices from the Microsoft Intune or Microsoft Entra console.

1. Prerequisites for Windows LAPS

- Microsoft Intune and Azure subscription
- Windows 10/11 licenses, Pro, Enterprise or Education edition
- Hybrid Azure AD or Azure AD joined devices
- An administration account with the necessary rights to perform the different steps

2. Service activation

We have two possibilities: go through the Azure console or Microsoft Entra. In my case, I opt for activation via Microsoft Entra.

- Go to Microsoft Ent