How do you get smarter in MDM & Group Policy?
With Jeremy Moskowitz
Intune Makes it Easier to Deploy Microsoft Store Apps
You can use Intune to manage and deploy apps from the Microsoft Store to your managed devices. These include default store apps as well as apps that you upload to your Microsoft Store for Business or Education. While it has always been relatively easy to deploy apps in this manner, Intune just made it even easier.
To deploy Microsoft Store apps in Intune you go to Apps > All apps > Add and select the desired App type. In this example, I will select “Microsoft Store app (legacy)” to demonstrate the former way of configuring app deployment. This gets you to the following screen:
Here you need to supply the required app details such as Name, Description, Publisher and Appstore URL. So how do you find the publisher and Appstore URL?
Let’s say I want to deploy Python 3.11 to a team of developers or a student group. To find the Appstore URL I will go to the Microsoft Store and search for Python as shown below, where I will choose Python 3.11.
As you can see below, the app category is listed in the top left-hand corner. In the bottom right I will click the link for “Endpoint Manager” to get the Appstore URL.
Then simply copy the link as shown in the screenshot below.
I then paste the URL into the App Information page. Then assign the app to the designated groups and complete the creation wizard.
Now let’s add it again but this time I will choose “Microsoft Store app (new)” as the App type. That will bring me to the wizard screen once again as is shown below. Now in App information you need only click the Search hyperlink. I did a search for “Python” and selected Python 3.11.
There is no need to surf the store itself or copy/paste links anymore. Again, finish out the creation wizard by assigning the app to your designated groups and you are done.
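Once the assignment has been delivered, the question an Intune admin usually has next is whether the Store app actually landed on the device, and in which context. The following PowerShell is an added example and not code from the original post; it assumes the Python 3.11 Store package name begins with `PythonSoftwareFoundation.Python.3.11` (the Python Software Foundation's Store package family) and that `Get-AppxPackage` / `Get-AppxProvisionedPackage` are available, as they are on Windows 10 and 11.

```powershell
# Added example (not from the original post): confirm that a Microsoft Store app deployed
# through Intune is present on a managed device, distinguishing a per-user install from a
# device-wide (provisioned) install. Assumption: the Store package name for Python 3.11
# starts with "PythonSoftwareFoundation.Python.3.11"; change the pattern for other apps.

function Test-StoreAppDeployment {
    [CmdletBinding()]
    param(
        [string]$PackageNamePattern = 'PythonSoftwareFoundation.Python.3.11*'
    )

    # Per-user registration: this is what the signed-in user sees in Start.
    $userPkgs = Get-AppxPackage -Name $PackageNamePattern -ErrorAction SilentlyContinue

    # Provisioned (system-context) install: staged for every user who signs in later.
    # Querying it needs an elevated session, so report "unknown" rather than failing.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin   = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    $provState = 'unknown (run elevated to check)'
    if ($isAdmin) {
        $provisioned = Get-AppxProvisionedPackage -Online |
            Where-Object { $_.DisplayName -like $PackageNamePattern }
        $provState = [bool]$provisioned
    }

    [pscustomobject]@{
        Pattern              = $PackageNamePattern
        InstalledForUser     = [bool]$userPkgs
        UserVersions         = @($userPkgs | Select-Object -ExpandProperty Version)
        Publisher            = @($userPkgs | Select-Object -ExpandProperty Publisher -Unique)
        ProvisionedForDevice = $provState
    }
}

# Usage: run in the user's session to see the per-user view, elevated to see both.
Test-StoreAppDeployment | Format-List
```

Comparing the `Publisher` field against the publisher you entered in the App Information page is a cheap way to catch a lookalike package that happens to share a display name.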
Use Intune to Restrict Access to the Advanced Startup Menu
Some users will always try to get around the Windows setting restrictions you implement using Intune or Group Policy. A few will even attempt to reset their device. Denying standard users local admin rights is one way to prevent them from doing so through the Recovery settings. That doesn’t prevent them from resetting their device using the Advanced Startup menu, however. There are several ways to access the Advanced Startup menu, such as pressing the F8 key as the computer is booting up. From there you navigate to Troubleshoot > Reset this PC and select the desired options such as “Keep my files” or choosing to remove everything. Besides the reset option, the Advanced Startup Menu gives users access to System Restore, Startup Repair, Command Prompt, and a few other things.
Fortunately, Intune provides a way to keep standard users out of this area. In Intune go to Devices > Configuration profiles > Create profile and select Windows 10 and later as the platform and Settings catalog as the profile type. Name the profile and go to Configuration Settings. Using the Settings picker do a search for “recovery” and choose the Security category and select both available options as shown in the screenshot below.
- Recovery Environment Authentication
- Recovery Environment Authentication (User)
Then assign the profile to your desired group(s) and wait for the profile to be delivered. Now when a user accesses the Advanced Startup Menu to do something such as resetting their device, they will be prompted to select a local admin account as shown in the picture below. In this case I am choosing the Tech Admin account.
The user is then prompted for the credentials of that account as shown here.
Unless the correct credentials are typed in, further access to the advanced startup options is not available.
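Because the Settings catalog hides the underlying policy, it helps to have a device-side check that the setting arrived before relying on it. The PowerShell below is an added example, not code from the original post. It assumes the two catalog items above correspond to the Policy CSP setting `Security/RecoveryEnvironmentAuthentication`, that the MDM client mirrors delivered Policy CSP values under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>`, and that a value of 1 means admin authentication is always required (0 being the default behaviour and 2 never requiring it); WinRE status is read from the real `reagentc /info` tool.

```powershell
# Added example (not from the original post): audit whether the Intune-delivered
# Recovery Environment Authentication policy is present and whether WinRE is enabled.
# Assumptions: the catalog setting maps to Policy CSP Security/RecoveryEnvironmentAuthentication,
# mirrored by the MDM client at HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Security;
# value meanings assumed: 0 = default behaviour, 1 = always require admin auth, 2 = never.

function Get-RecoveryAuthPolicyState {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Security'
    $valueName = 'RecoveryEnvironmentAuthentication'

    $raw = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

    if ($null -eq $raw)   { $meaning = 'not configured by MDM (Windows default applies)' }
    elseif ($raw -eq 0)   { $meaning = 'default behaviour' }
    elseif ($raw -eq 1)   { $meaning = 'always require local admin authentication in WinRE' }
    elseif ($raw -eq 2)   { $meaning = 'never require authentication in WinRE' }
    else                  { $meaning = "unexpected value $raw" }

    # reagentc /info prints a "Windows RE status: Enabled/Disabled" line; needs elevation.
    $winReStatus = 'unknown (run elevated)'
    try {
        $info = & reagentc.exe /info 2>$null
        $line = $info | Where-Object { $_ -match 'Windows RE status' } | Select-Object -First 1
        if ($line) { $winReStatus = ($line -split ':', 2)[1].Trim() }
    } catch { }

    [pscustomobject]@{
        PolicyValue = $raw
        Meaning     = $meaning
        WinREStatus = $winReStatus
        # True only when the restrictive value has been delivered (assumed 1 = always require).
        Hardened    = ($raw -eq 1)
    }
}

Get-RecoveryAuthPolicyState
```

A device that reports `Hardened = False` after the sync interval has passed is the one to look at in the profile's per-device status in Intune; `WinREStatus` of `Disabled` means the recovery environment itself is absent, which is a different problem from an unprotected one.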
How to Enable Alternative Authentication Methods using Group Policy and Intune
We know the vulnerabilities of passwords today. User accounts are constantly under siege by credential stuffing attacks and by malicious code and tools like key loggers that aim to capture passwords as users type them in. That’s why it is essential to supplement password authentication with some type of multifactor authentication such as text messaging, authenticator apps or FIDO keys.
For Windows 10 and Windows 11, there are alternative sign-in methods available. For instance, biometric logons might be a good choice for those users that have laptops with built-in fingerprint sensors. Picture passwords may appeal to some organizations as an alternative. The Windows picture password sign-in requires a user to duplicate several gestures on a selected picture. Then again, those organizations that want to enforce a standard desktop for all users may not want this option to be available. For users that always log onto the same computer, a PIN may be attractive, as a PIN is local to a specific device, so a compromised PIN is only good for its assigned device.
The point of this blog is just to show you how to enable/disable these alternatives using Group Policy or Intune. Let’s start with picture passwords. If you want to disable this option using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Logon and enable “Turn off picture password sign-in” as shown below. The PIN setting is in the same location. In the screenshot below, I have disabled both options.
You use the same Administrative Template path for Intune as well. Create a configuration profile and select Windows 10 and later as the platform and Templates > Administrative templates as the profile. Then navigate to Computer Configuration > Administrative Templates > System > Logon and enable “Turn off picture password sign-in” as shown in the screenshot below. Once again, the PIN setting is there as well.
For fingerprint scanning or other biometric authentication options, create a GPO and go to Computer Configuration > Windows Components > Biometrics and select “Allow the use of biometrics” and “Allow users to log on using biometrics.” In the screenshot below I have enabled both of these.
To manage biometric settings using Intune, create a configuration profile and select Windows 10 and later as the platform and Templates > Identity protection as shown below.
After naming the profile, go and enable “Configure Windows Hello for Business.” This will then provide access to all of its category settings. Then select “Allow biometric authentication”, with the result looking like the screenshot below.
How to Disable Nearby Sharing with Group Policy and Intune
Nearby Sharing is a feature in Windows 10 and Windows 11 that allows you to transfer documents, pictures, and links to other compatible devices that are near each other using a combination of Bluetooth and wireless communication. It’s a great feature that fosters collaboration between team members. Maybe. There are certainly instances in which you don’t want to allow this feature, such as an educational environment where students are taking an online exam. We will look at a couple of ways to disable this feature.
Nearby Sharing is found under Shared experiences in your system settings as shown below.
To manage Nearby Sharing using Group Policy, create a GPO and go to Computer Configuration > Policies > Administrative Templates > System\Group Policy > and disable “Continue experiences on this device” as shown in the screenshot below. When disabled, the Windows device will not be discoverable by other devices and cannot participate in cross-device experiences.
If you want to use Intune, create a configuration profile, and select Windows 10 and later as the platform and choose Templates > Administrative templates as the profile. Then follow the same template path - Computer Configuration > Policies > Administrative Templates > System\Group Policy > and disable “Continue experiences on this device” as shown below.
Users will no longer be able to transfer files amongst each other on their enterprise devices.
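The sign-in settings in the previous post and the Nearby Sharing setting here are all ADMX-backed policies, so whether they arrive from a GPO or from an Intune Administrative templates profile they end up as values under `HKLM\SOFTWARE\Policies`, which is where a device-side audit should look. The PowerShell below is an added example covering both posts and is not code from the original page. Its registry mappings are assumptions based on the ADMX definitions: “Turn off picture password sign-in” as `BlockDomainPicturePassword`, “Turn on convenience PIN sign-in” as `AllowDomainPINLogon` and “Continue experiences on this device” as `EnableCdp` (all under `...\Windows\System`), “Allow the use of biometrics” as `Biometrics\Enabled` and “Allow users to log on using biometrics” as `Biometrics\Credential Provider\Enabled`; the per-user Nearby Sharing preference under `HKCU\...\CDP\NearShareChannelUserAuthzPolicy` is likewise an assumed value name.

```powershell
# Added example (not from the original page): report the effective state of the
# sign-in alternatives and Nearby Sharing policies discussed above, as written to the
# registry by Group Policy or by an Intune Administrative templates profile.
# All registry value names below are assumptions taken from the ADMX definitions.

function Get-SignInAndSharingPolicyState {
    [CmdletBinding()]
    param()

    $system = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $bio    = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'

    # Meaning maps a stored DWORD to what the user actually experiences.
    $checks = @(
        [pscustomobject]@{ Setting = 'Turn off picture password sign-in'; Key = $system
                           Name = 'BlockDomainPicturePassword'
                           Meaning = @{ 1 = 'picture password blocked'; 0 = 'picture password allowed' } }
        [pscustomobject]@{ Setting = 'Turn on convenience PIN sign-in'; Key = $system
                           Name = 'AllowDomainPINLogon'
                           Meaning = @{ 1 = 'PIN sign-in allowed'; 0 = 'PIN sign-in blocked' } }
        [pscustomobject]@{ Setting = 'Allow the use of biometrics'; Key = $bio
                           Name = 'Enabled'
                           Meaning = @{ 1 = 'biometrics allowed'; 0 = 'biometrics blocked' } }
        [pscustomobject]@{ Setting = 'Allow users to log on using biometrics'
                           Key = "$bio\Credential Provider"; Name = 'Enabled'
                           Meaning = @{ 1 = 'biometric logon allowed'; 0 = 'biometric logon blocked' } }
        [pscustomobject]@{ Setting = 'Continue experiences on this device'; Key = $system
                           Name = 'EnableCdp'
                           Meaning = @{ 1 = 'cross-device / Nearby Sharing allowed'; 0 = 'Nearby Sharing blocked' } }
    )

    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $value) {
            $state = 'not configured (Windows default applies)'
        } elseif ($c.Meaning.ContainsKey([int]$value)) {
            $state = $c.Meaning[[int]$value]
        } else {
            $state = "unexpected value $value"
        }
        [pscustomobject]@{ Setting = $c.Setting; RegistryValue = $value; State = $state }
    }

    # The user's own Nearby Sharing preference (assumed: 0 = off, 1 = my devices, 2 = everyone).
    # It is irrelevant once EnableCdp is 0, which is the point of pushing the policy.
    $cdpKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CDP'
    $pref   = (Get-ItemProperty -Path $cdpKey -Name 'NearShareChannelUserAuthzPolicy' -ErrorAction SilentlyContinue).NearShareChannelUserAuthzPolicy
    [pscustomobject]@{
        Setting       = 'User preference: Nearby Sharing (not a policy)'
        RegistryValue = $pref
        State         = if ($null -eq $pref) { 'not set' } else { @{0='off';1='my devices only';2='everyone nearby'}[[int]$pref] }
    }
}

Get-SignInAndSharingPolicyState | Format-Table -AutoSize
```

Running this from an elevated prompt is not required because the `Policies` hive is readable by standard users, which also makes it a convenient check to run in the user's session when someone reports that a PIN or fingerprint option has disappeared from Sign-in options.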