There are no guarantees in life. That’s certainly the case with software updates. Sometimes an update that offers a new operating system version just doesn’t’ work out due to compatibility issues with a particular device. This can cause the update to either fail or rollback. Even worse, it could result in data loss or a loss of connectivity or key functionality.  That’s why Microsoft monitors quality and compatibility data to identify issues before they can affect too many machines. Issues may also be reported from Microsoft partners and customers as well. Once these issues are identified, Microsoft enacts a Safeguard Hold to prevent other devices with this known compatibility issue from being offered the designated feature update. The safeguard hold is enforced long enough to give Microsoft ample time to address the issue. Once a fix is derived and verified, the hold is lifted, and the Windows update will once again be readily offered to devices.

Disabling Safeguards

While its not necessarily recommended, you can disable safeguards so that devices will ignore them. Keep in mind that the update may likely fail. If you want to take the chance, however, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business and enable the “Disable safeguards for Feature Updates” setting as shown below.

You can also do this using an MDM such as Microsoft Endpoint Manager with the DisableWUfBSafeguards CSP. The required custom OMA-URI settings are as follows:

• OMA-URI: ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards
• Data type: Select Integer
• Value: 1

Safeguards for Two Types of Issues

New Windows feature updates that are deployed using either Windows Update service or Windows Update for Business are subject to Safeguard holds for a known issue.  A “known issue” is a confirmed problem that may occur after an upgrade for a specific set of devices. In addition to known issues, there are also “likely issues.” A likely issue means that the problem has not been confirmed by Microsoft but has been discovered through machine learning out in the ecosphere. Issues could involve rollbacks, connectivity issues, app or driver malfunction as well as problems with graphics and audio. Once identified, a temporary safeguard hold is enabled on the designated update until either the issue has been confirmed and upgraded to a known issue (in which the safeguard hold is continued) or it has been identified as a false positive, in which case the hold is removed.

The Windows Update for Business Deployment Service

The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides a next level of control concerning the approval, scheduling, and safeguarding of Windows updates. Here you can use safeguard holds against likely updates issues. You can also do things such as bypass preconfigured Windows Update for Business policies to manually deploy a security update on command across your organization should an emergency arise. To utilize this service, you must have one of the following subscriptions:

• Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
• Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
• Windows Virtual Desktop Access E3 or E5
• Microsoft 365 Business Premium

You can then do a search for it in MEM and configure as you need to.

To see if you are affected by a Safeguard hold you can use Update Compliance in MEM to run a Safeguard Holds report that can provide insights into existing holds that are preventing devices from updating or upgrading. You can get more information about these reports here.

Microsoft just released a security baseline for Microsoft Edge version 104.  Be aware that when you go to download it you won’t see version 104 listed because it still utilizes version 98 as none of the security policies have changed yet. Microsoft v104 introduced 12 new settings that can be used within Computer and User policies. The new setting policies are as follows:

• Allow import of data from other browsers on each Microsoft Edge launch
• Configure browser process code integrity guard setting
• Define domains allowed to access Google Workspace
• Double Click feature in Microsoft Edge enabled (only available in China)
• Enable Drop feature in Microsoft Edge
• Get user confirmation before closing a browser window with multiple tabs
• Text prediction enabled by default
• XFA support in native PDF reader enabled
• Enables Microsoft Edge mini menu *
• Get user confirmation before closing a browser window with multiple tabs *
• Restrict the length of passwords that can be saved in the Password Manager

* These policies are available as both mandatory and user override settings

You can download the three ADMX templates new for Edge version 104 here as shown below.

One of these settings, “Configure browser process code integrity guard setting” restricts the ability to load non-Microsoft signed binaries. When enabled, there are three mode options:

• Disabled (0) = Do not enable code integrity guard in the browser process.
• Audit (1) = Enable code integrity guard audit mode in the browser process.
• Enabled (2) = Enable code integrity guard enforcement in the browser process.

Administrators are encouraged to run this setting in Audit mode (1) early on for compatibility purposes. Audit mode is currently the default but a future security baseline will change this to Enabled (2) once Microsoft has enough data to proceed.  The setting options are shown in the screenshot below:

If you haven’t yet imported the secruity baseline, you can do so by running the Baseline-ADImport.ps1 script as shown below.

You can refer to my blog on the Security Baseline for Edge v95 for more information about how to use security baselines for Microsoft Edge.

Storage Sense is a disk cleanup feature found in Windows 10 and Windows 11 to free up drive space. When enabled, it serves as a silent assistant that automatically gets rid of items that you no longer need such as temporary files and items in your Recycle Bin. When enabled with its default settings it will run whenever the device is low on disk space. It can also delete neglected cloud backed content; a process referred to as Cloud Content Dehydration. This is especially valuable for users whose cloud storage far exceeds their local drives.

Using Group Policy to Manage Storage Sense

You can enable Storage Sense and configure settings using either Group Policy or Intune/MEM.  To enable it using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Storage Sense and enable “Allow Storage Sense” as shown below.

Once enabled, Storage Sense will delete files from the Recycle Bin by default after 30 days. You can modify this period by enabling “Configure Storage Sense Recycle Bin cleanup threshold” and choose any digit between 0 and 365. A value of zero means that the files will never be deleted. You would do this if you wanted to enable Storage Sense but disable its Recycle Bin capabilities. The screenshot below shows the available policy settings.

Storage Sense also deletes Temporary files by default as well so there is no need to enable the “Allow Storage Sense Temporary Files cleanup” but you do need to specifically disable it if you don’t want it utilized.

One folder that Storage Sense doesn’t clean up by default is the Downloads folder. All those downloads become forgotten over time and can quickly add up, especially if it includes large ISO files. You can turn on this feature by enabling the “Configure Storage Storage Downloads Cleanup Threshold” and once again choosing 0 to 365 days. (BTW that isn’t a typo, the setting does repeat the world storage).

Next, lets enable the “Configure Storage Sense Cloud Content Dehydration Threshold” setting. Here you will input the minimum number of days you want a cloud-backed file to be unopened before being deleted. I chose 90 days in the screenshot below.

Finally, there is the “Configure Storage Sense Cadence” setting. By default, Storage Sense will run whenever it detects low disk space, but you can force it to run on a scheduled cadence using this setting as shown in the screenshot below.

Intune/Endpoint Manager and Storage Sense

You can also manage Storage Sense using Intune/MEM as well.  Create a Configuration Profile and select Windows 10 and later as the platform and Settings as the Profile type. After naming the configuration profile, do a search for Storage Sense and select Storage as the category once found. Then choose the desired settings you want to configure. The process is illustrated in the screenshot below.

Once the settings are configured, complete the wizard, and assign to the group your designated group(s). Now you won’t have to worry about forgotten files taking up footprints across your PC fleet.

We all know how serious the ransomware threat is today and that unfortunately, there is no one magical solution to stop it. Protecting against ransomware requires a multilayer cybersecurity strategy, also referred to as defense in depth. This includes steps such as ensuring that all systems are up to date in their patching, enforcing MFA for email access, and not allowing local admin rights for standard users. There are also some group policy settings that you can use to incorporate into your strategy as well. Below are four that can help in different ways.

1. Enabling Network Protection

Network protection is a Windows features that helps prevent users from using an application inadvertently to access dangerous domains that may host phishing scams, exploits, ransomware payloads and other malicious content.  It’s a component of Microsoft Defender for Endpoint and requires Windows 10 or 11 Pro (Pro and Enterprise) and Windows Server 2019+. The list of domains is supplied by Microsoft. Network protection blocks all HTTP and HTTPS traffic that attempts to connect to these contains. Think of it as web protection for non-browser applications.

To enable this feature, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection. There there are two policies for you to configure. The first step is to enable “This setting controls whether Network Protection is allowed to be configured into blog or audit mode” as shown below.

You then need to choose between Block and Audit. Block is self-explanatory in that users will not be able to access the domains in question. Audit mode allows users to still connect to the flagged domains but records the event into a log file. This allows you to get a read on what sites your users are utilizing before blocking them entirely. The screen shot below shows how to select between the two options.

2. Enable Controlled Folder Access

Controlled folder access was made available in Windows 10 and is supported in Window 11 as well as Server 2019 and 2022. It’s a component of Windows Defender Exploit Guard that prevents the data hosted in designated folders from being altered. In other words, if malware attempts to modify (encrypt) the files in these protected folders without authorization, the attempt is blocked, and an alert is generated. By default, certain system folders are protected such as a user’s Documents folder, Pictures, Desktop, etc. but you can also add folders as well. Note that the controlled folder access feature does not function if a third-party antivirus application is installed on the targeted system.

To configure Controlled folder access simply create a GPO and go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Start by enabling “Configure controlled folder access” as shown below. You can choose to disable it, block it or choose Audit mode, both of which in the same fashion as Network Protection. You can also choose to only block or audit disk modifications which involve the writing to disk sectors by untrusted apps.

You can add additional folders to the list by clicking “Configure Protected Folders” and add the folders you want protected.

The end result will look like the example below. Note that you can also choose “Configure allowed application” to specify applications that are allowed to alter the data contained in the protected folders.

3. Disable Remote Desktop

Once a ransomware variant takes hold in your network, it then works to spread laterally across your IT estate. One of the ways is through remote desktop connection. That’s one of the reasons why Windows 11 has an account lockout policy enabled that only allows for 10 failed sign-in attempts over a 10-minute period. This blocks RDP brute-force attacks. Because some ransomware variants utilize RDP connection to spread, it’s a good idea just to disable it unless required.

Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host and disable “Allow users to connect remotely by using Remote Desktop Services” as shown in the screenshot below.

4. Show Hidden File Extensions

Cybercriminals use multiple nefarious tactics to get users to click on a malicious file. One of these methods includes the use of double file extensions. An example may be “letter.doc.exe” in which a user mistakes the file for a Word document if the executable extension is hidden. To ensure that file extensions are visible you can create a GPO and go to User Configuration > Group Policy Preferences > Control Panel Settings > Folder Options and make sure that “Hide extensions for known file types” is unchecked as shown in the screenshot below.

We’ve only touched the surface here. There are many other group policy settings available that can aid in preventing ransomware from bringing down your systems and we will cover more in the future.