MDM & GP Tips Blog

Feb 2023

Use Intune to Restrict Access to the Advanced Startup Menu

Some users will always try to get around the Windows setting restrictions you implement using Intune or Group Policy. A few will even attempt to reset their device. Denying standard users local admin rights is one way to prevent them from doing so using Recovery settings. That doesn’t prevent them from resetting their device using the Advanced Startup menu, however. There are several ways to access the Advanced Startup menu such as pressing the F8 key as the computer is booting up. From there you navigate to Troubleshoot > Reset this PC and make select the desired options such as “Keep my files” or choosing to remove everything. Besides the reset option, the Advanced Startup Menu gives users access to System Restore, Startup Repair, Command Prompt, and a few other things.

Fortunately, Intune provides a way to keep standard users out of this area. In Intune go to Devices > Configuration profiles > Create profile and select Windows 10 and later as the platform and Settings catalog as the profile type. Name the profile and go to Configuration Settings. Using the Settings picker do a search for “recovery” and choose the Security category and select both available options as shown in the screenshot below.

  • Recovery Environment Authentication
  • Recovery Environment Authentication (User)

Then assign the profile to your desired group(s) and wait for the profile to be delivered. Now when a user accesses the Advanced Startup Menu to do something such as resetting their device, they will be prompted to select a local admin account as shown in the picture below. In this case I am choosing the Tech Admin account.

The user is then prompted for the credentials of that account as shown here.

Unless the correct credentials are typed in, further access to the advanced startup options is not available.


Feb 2023

How to Enable Alternative Authentication Methods using Group Policy and Intune

We know the vulnerabilities of passwords today. User accounts are constantly under siege by credential stuffing attacks and malicious code and tools like key loggers that aim to capture passwords as users type them in. That’s why it is essential to support password authentication with some type of multifactor authentication such as a text messaging, authenticator apps or FIDO keys.

For Windows 10 and Windows 11, there are alternative sign-in methods available. For instance, biometric logons might be a good choice for those users that have laptops with built-in fingerprint sensors. Picture passwords may appeal to some organizations as an alternative. The Windows picture password sign-in requires a user to duplicate several gestures on a selected picture. Then again, those organizations that want to enforce standard desktop for all users may not want this option to be available. For users that always log onto the same computer, a PIN may be lucrative as a PIN is local to a specific device so a compromised pin is only good for its assigned device.

The point of this blog is just to show you how to enable/disable these alternatives using Group Policy or Intune. Let’s start with picture passwords. If you want to disable this option using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Logon and enable “Turn off picture password sign-in” as shown below. The PIN setting is in the same location. In the screenshot below, I have disabled both options.

You use the same Administrative Template path in for Intune as well. Create a configuration profile and select Windows 10 and later as the platform and Templates > Administrative templates as the profile. Then navigate to Computer Configuration > Administrative Templates > System > and enable Turn off picture password sign-in as shown in the screenshot below. Once again, the PIN setting is there as well.

For fingerprint scanning or other biometric authentication options, create a GPO and go to Computer Configuration > Windows Components > Biometrics and select “Allow the use of biometrics” and “Allow users to log on using biometrics.” In the screenshot below I have enabled both of these.

To manage biometric settings using Intune, create a configuration profile and select Windows 10 and later as the platform and Templates > Identity protection as shown below.

After naming the profile, go an enable “Configure Windows Hello for Business. This will then provide access to all of its category settings. Then select, “Allow biometric authentication” with the result looking like the screenshot below.

Jan 2023

How to Verify Your Current Intune Service Release Version

Anyone that works with Microsoft Intune has experienced this. You read about a newly released Intune preview feature that sounds enticing. You then logon to your Intune portal only to find its not there. What’s the deal?

Microsoft regularly releases new updates to the Intune platform at least once a month. Each service release includes new features, capabilities and bug fixes. Like regular Windows updates, these service releases are deployed using a phased approach. Not all tenants receive these service releases simultaneously, however. For instance, government related tenants are updated last. Some geographcial parts of the world receive them before others as well. This methodical approach is done to identify issues before being released to all Intune customers. If your Intune portal lacks a new feature you just read about, chances are it’s because you’re not running the latest Intune service release version yet.

The Tenant Status Page

There’s an easy way to find which service release version your Intune portal is currently running. Navigate to Tenant Administration and select Tenant Status. Here you will see the Service release version as shown in the screenshot below.

Here you will also find other information such as your Tenant name, Tenant Location, the number of licensed users present and the number of Intune enrolled devices. If you find that your Service release version doesn’t match up with the latest one you read about, just be patient and check back in a week.

Dec 2022

New Intune Feature - Multiple Admin Approval Process

A new feature update was released in the 2211 November update for Intune. The feature is called, Multiple Admin Approval Process (MAA). The premise for the new feature is to protect against a possible compromised administrative account using something called Intune access policies. These access policies require that a change be approved by a second administrative account before being applied.  An access policy states what resource will be protected and which group of accounts are permitted to approve the changes to those resources.

Currently, MAA is supported for the following resources

  • Apps deployments
  • Script deployments to devices running Windows of macOS

Anytime any admin goes to create or edit an object that involves a resource that is protected by an access policy, it must be approved by an approver without exception.

Let’s use a scenario to demonstrate how MAA works. First let’s create an access policy. To create an access policy, you must be assigned one of the following roles:

  • Intune Service Administrator
  • Azure Global Administrator

In the Microsoft Endpoint Management admin center, go to Tenant Administration > Multi Admin Approval > Access policies and click “Create” as shown in the screenshot below.

Name the policy and then choose the resource you want to protect.

The final step is to choose an Approver group. Any user that is a member of this group can approve requests.  Now I have created my first MAA access policy as shown below.

For this demonstration, I created a temporary Intune administrator account.  When creating temporary accounts for testing purposes, it is good to define an active time window for these accounts so that they are deactivated automatically if forgotten. As shown in the example below, I created an account called testadmin and I defined a start and ending time for its active state.

Now, I will log on to Intune using the account I just created. I go to Apps > All apps and click Add. I then create a policy to deploy Windows 365 apps to Windows machines. In the final Review + Create screen of the wizard, there is a Business Justification section at the bottom, prompting the requester to state the justification for doing this. Also note the outlined banner alerting requester that they must enter a business justification and that the request must be approved before being implemented. Once the business justification has been entered, click “Submit for approval” and the request is now sent to Received requests where it can be reviewed.

In a separate session, I have logged into Intune using an account that is a member of the approver group. As shown in the screenshot below, the request now appears (in this example, I created two requests). To approve or deny the request, click the URL in the Business justification column.

After clicking on the URL, the approver is shown the requested resource changes. The request can be approved or denied and the approver can add notes for feedback as shown in the screenshot below.  

Switching back to the testadmin account, I can see the status of the requests made by that account. As shown below, one is approved while one still waits approval.

Note that any individual who submits a request and is also a member of the approval group can see their own requests, however, they cannot approve their own requests. Should no action be taken on a request for 30 days, it becomes expired and must be resubmitted.


Dec 2022

New Feature: Send Organizational Messages to Your Users with Intune

Intune has a new feature called Organizational Messages. It’s a way to send branded messages directly to Windows 11 devices using Intune. These messages notify and update users about key important information updates or provide onboarding information for employees.  This can be especially handy for organizations that utilize hybrid work strategies. There are three types of messaging to choose from.

  • Taskbar messages appear just above the taskbar and remain viewable until the user acts on them. Taskbar messages can be used to alert users about things like a critical Windows update that will be installed at the end of the week that will disrupt desktop operations.
  • Notification messages appear in the Notification Center as a popup before disappearing. Notification messages are good for informational messages such as a future training session.
  •  Get Started app messages appear in the Get Started app the first time a user initiates it once the device has been enrolled in Intune. These messages are good for sending welcome messages, device tips, company policy changes and new employee information.

To access the Organizational Messages feature, go to Tenant Administration in Microsoft Endpoint Manager and select Organizational Messages (preview) as shown below in the screenshot.

To configure Organizational Messages, you must be assigned one of the following roles.

  • Azure AD Global Administrator
  • Intune Administrator
  • Organizational messages manager (Microsoft Intune role)
  • Organizational messages writer (Azure AD role)


Organization messages are only supported on devices running Windows 11, versions 22H2 or later. You must also have one of the following licenses for your users.

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Endpoint Management + Security E3 and Windows Enterprise E3
  • Endpoint Management + Security E5 and Windows Enterprise E5

Each message type requires a logo for branding and identification purposes. This is usually the company logo. Only PNG files are supported, and each message type has a different dimensions requirement.

  • Taskbar messages must be 64 x 64 pixels
  • Notification area messages must be 48 x 48 pixels
  • Get Started app messages must be 50 pixels long and 50 – 100 pixels wide.

PNG files that don’t meet the exact dimension specifications will cause an error, preventing you from proceeding further in the message creation process as shown below.

You can include custom URLs in your messages, but they must be added to your list of verified Azure AD custom domain names.

Enabling Organizational Messages

Before creating your messages, you must enable the policy that allows the delivery of organizational messages. To do this, go to Devices > Configuration profiles and click “Create profile.” Select “Windows 10 and later” as the platform and “Settings catalog” as the profile type. Using the Settings picker, do a search for “experience” and then select it from the list of viewable categories. Then select “Enable delivery of organizational messages (User)” as shown in the screenshot below and complete the wizard by adding scope tags and user/group assignments.

Now you are ready to create your messaging.

Creating Organizational Messages

Go to Tenant Administration > Organizational messages (preview) and click on Message. You can then select the type of message you want to create as shown in the screenshot below. In this example we are creating a taskbar message.

Next you will upload your logo, which is required. You will also select which domain you want to apply the messages to and choose your preferred language. You can then preview what the message will look like.

Next you will configure a schedule for the message as shown below.

Complete the creation wizard by assigning the message to your targeted groups or users. Then review your created message.

The created message will then appear as part of your list of messages.

As mentioned previously, each of the three message types include different message templates. Below are some of the options for Notification messaging.

Some Limitations Concerning Organizational Messages

There are some limitations and issues concerning organizational messages that you should be aware of.

  • You cannot send messages to devices or mixed groups. An organizational message sent to both users and devices will only be sent to the users.
  • Users that belong to more than 200 groups are not supported by organizational messages (who knows why?)
  • You can’t assign priority levels to organizational messages so they will be received by users in random order.
  • Scope groups and scope tags aren't available in organizational messages.
Nov 2022

How To Set Time Zones using Intune

If you’re using Intune as your endpoint management solution, there’s a good chance you are managing devices dispersed over a wide geographical area. That may include multiple time zones. So how do you go about ensuring that each machine is matched with its correct time zone?

There are a variety of ways to assign time zones to a Windows 10 computer.

  1. You can configure it within the registry by navigating to


Then create GPO using Group Policy Preference to deploy the registry settings.

  1. In Windows 10/11 you can use the Windows Time Zone Utility. This is a command-line tool that you run using an Administrator command prompt. The command is tzutil.exe. You can use the question mark to see the available commands.

    To see the list of time zones supported by Windows 10, you can use the /l switch. Keep this command in mind for future reference later in the article.
  2. You can also use PowerShell. The screenshot below shows a couple of available commands. The second command is used to assign the desired time zone. Note that I am using “Hawaiian Standard Time” that appeared using the tzutil /l command above.

  3. While you could deploy the PowerShell using Intune, there is a simpler way using the settings catalog.  Log onto the Intune portal and go to Devices > Configuration Profiles and create a profile. Choose Windows 10 as the platform and Settings catalog as the Profile type. Name the profile and then click the “Add Settings” link. Using the Settings picker, do a search for “time zone” and choose “Time Language Settings” as the category. Then select “Configure Time Zone” as shown in the screenshot below.

    Then input the desired time zone as shown below. These are the same time zone names we saw using the tzutil command utility earlier. In the example below I am assigning Eastern Standard Time. Other possible assignments could be Central America Standard Time, Central Brazilian Standard Time, GMT Standard Time, Pacific Standard Time, etc.

    Then like any configuration profile, select any optional scope tags, and assign the profile to the desired group or users.

Nov 2022

Should You Delete or Retire Computers from Intune?

We often talk about adding devices to the Intune environment, but what about deleting them. What’s the best way to do it? There are several options. One option is to have inactive devices automatically removed from Intune using a cleanup rule. An inactive device means it hasn’t checked into Intune for a set number of days. You can configure the time window by going to Devices > Device clean-up rules and configuring the two required settings. You can input a number between 30 and 270. In the example below I have chosen 120 days as the cutoff. This means that day any device that has been inactive for 121 days or more will be deleted from Intune immediately. By clicking on the “View affected devices” link you can see the list of devices that will be deleted once the rule is saved. Device clean-up rules do not affect Android devices.


To Delete or Retire?

You can choose to delete or retire a computer from Intune at any time. What’s the difference? The answer is not much. Let’s outline what happens when a computer is retired.

  • The device is removed from the company Intune portal
  • Intune Endpoint Protection is removed
  • Intune deployed certificates are removed
  • Device configuration settings are no longer enforced or required so users can override them
  • The computer will no longer received its updates from the Intune service
  • Apps can no longer be installed from the portal and any Intune client software is removed
  • WiFi and VPN profile settings are removed

When you retire a device, the retire process will begin the next time the device checks in and it will be removed from Intune once the steps outlined above in the list are completed. Delete means that the computer is removed from the Intune “All devices” list immediately. However, the retire process will begin the first time the device checks in. In other words, Delete performs the same tasks that Retire does. It just hastens the removal of the device from the listings page. The exception is cleanup rules that do delete devices immediately but do not retire them.

To retire or delete a device, go to Devices > All devices and select the computer you want to delete. Then choose the appropriate action you want as shown in the screenshot below.


Oct 2022

How to Import ADMX and ADML Templates into Intune

Both Group Policy and Intune offer multiple Administrative Templates out of the box that provide settings for Microsoft operating systems and applications. Some third-party vendors provide ADMX and ADML templates that you can use to deploy settings for their products as well, but you must obtain them from the vendor and import them.  

Importing Administrative Templates into Group Policy

Importing third-party administrative templates into Group Policy simply requires that you paste the templates into the SYSVOL. Let’s say I wanted to manage settings for Zoom. I downloaded the templates and then placed them in the SYSVOL of one of my domain controllers as shown in the screenshot below. Note that you must also place the corresponding ADML templates into the appropriate language folder as well.

Then I use Group Policy Manager to create a GPO and the Zoom ADMX templates settings will appear automatically.

The Intune Importing Process

The process for importing ADMX and ADML templates into Intune is of course completely different. First off there are few limitations at present to keep in mind.

  • You can upload a maximum of 10 ADMX files
  • You can only upload one ADML file for each ADMX file
  • Only en-us ADML files are supported currently
  • Each file must be 1 MB or smaller
  • Some ADMX files may have dependencies that must be uploaded first

After the matching ADMX and ADML templates are downloaded, go to Devices > Configuration profiles and select “Import ADMX.”

Click the Import link and navigate to the matching ADMX and ADML files as shown in the screenshot below.

Once completed, the imported ADMX template will now be listed. You must allot ample time for the templates to upload before using them as shown below.

In this case, the upload failed. In the screenshot below I clicked on the link to find out the details of the error.

It says that an ADMX file reference file called NamespaceMissing: Microsoft.Policies.Windows. was not found. This is one of the gotchas I mentioned above. To fix this, you must first click the ellipsis to the right and delete it. Then you need to upload the Windows ADMX and ADML files. These files are in your SYSVOL folder by default.  Upload them the same way you did the Zoom template files.

Once you complete the import wizard, click refresh until you see that the Windows.admx is available. Then upload the Zoom template once again. This time the upload process shouldn’t fail, and you will see both ADMX files available as shown below.

Now you can create Configuration profiles that use your imported ADMX files. Go to Profiles > Create profile and choose Windows 10 and later as the platform and Templates as the profile type. Then select “Imported Administrative templates (Preview)“as shown below.

Then you can select and configure the settings you want in your policy.

Then complete the profile configuration process by assigning the profile to your designated users.


Jul 2022

Use Group Policy or Intune to Reclaim Disk Space with Storage Sense

Storage Sense is a disk cleanup feature found in Windows 10 and Windows 11 to free up drive space. When enabled, it serves as a silent assistant that automatically gets rid of items that you no longer need such as temporary files and items in your Recycle Bin. When enabled with its default settings it will run whenever the device is low on disk space. It can also delete neglected cloud backed content; a process referred to as Cloud Content Dehydration. This is especially valuable for users whose cloud storage far exceeds their local drives.

Using Group Policy to Manage Storage Sense

You can enable Storage Sense and configure settings using either Group Policy or Intune/MEM.  To enable it using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Storage Sense and enable “Allow Storage Sense” as shown below.

Once enabled, Storage Sense will delete files from the Recycle Bin by default after 30 days. You can modify this period by enabling “Configure Storage Sense Recycle Bin cleanup threshold” and choose any digit between 0 and 365. A value of zero means that the files will never be deleted. You would do this if you wanted to enable Storage Sense but disable its Recycle Bin capabilities. The screenshot below shows the available policy settings.

Storage Sense also deletes Temporary files by default as well so there is no need to enable the “Allow Storage Sense Temporary Files cleanup” but you do need to specifically disable it if you don’t want it utilized.

One folder that Storage Sense doesn’t clean up by default is the Downloads folder. All those downloads become forgotten over time and can quickly add up, especially if it includes large ISO files. You can turn on this feature by enabling the “Configure Storage Storage Downloads Cleanup Threshold” and once again choosing 0 to 365 days. (BTW that isn’t a typo, the setting does repeat the world storage).

Next, lets enable the “Configure Storage Sense Cloud Content Dehydration Threshold” setting. Here you will input the minimum number of days you want a cloud-backed file to be unopened before being deleted. I chose 90 days in the screenshot below.

Finally, there is the “Configure Storage Sense Cadence” setting. By default, Storage Sense will run whenever it detects low disk space, but you can force it to run on a scheduled cadence using this setting as shown in the screenshot below.

Intune/Endpoint Manager and Storage Sense

You can also manage Storage Sense using Intune/MEM as well.  Create a Configuration Profile and select Windows 10 and later as the platform and Settings as the Profile type. After naming the configuration profile, do a search for Storage Sense and select Storage as the category once found. Then choose the desired settings you want to configure. The process is illustrated in the screenshot below.

Once the settings are configured, complete the wizard, and assign to the group your designated group(s). Now you won’t have to worry about forgotten files taking up footprints across your PC fleet.



Jun 2022

Microsoft Endpoint Manager Offers Built-in Settings for Google Chrome

Microsoft Endpoint Manager (Intune) has given admins the ability to manage and deliver Google Chrome settings for some time now.  Until recently however, one had to create a custom OMA-URI device configuration policy to do so, which no one considers a very fun thing to do.  For instance, if you wanted to enforce the home page in Chrome you would need to know the OMA-URI path which most people have to look up.


You would then configure the string value for the policy:

Data type: String


Well good news, MEM now supports built in settings for Google Chrome and there are two ways to do this.  In MEM go to Devices > Configuration profiles > Create profile.  Choose “Windows 10 and later” as the platform and under profile type select either Settings catalog or Templates. 

Let’s first use the Settings catalog to set the home page.  Hit the Create button, name the profile, and click Next.  Here you need to click Add settings as shown in the screenshot below.

This takes you to the Settings picker. While built in settings are preferable to configuring OMA-URI configuration profiles, it isn’t always easy to find the setting you want.  Rather than browsing through all the included settings, you should do a search to locate the settings as efficiently as possible. This is much like doing a Google search so the more specific you are the better.  For instance, you could do a search for “Chrome” and choose the Chrome Administrative Templates that users cannot override, but this would still narrow it down to only 516 setting results as shown below.

Therefore, it’s good to know the name of the setting to find it quickly.  In the example below I searched “configure home page”.  Then I clicked on the “Home page and New Tab page” category and chose “Configure the home page URL” on the user side.

After finding the correct setting, I then configured it as shown in the screenshot below by enabling it and typing in the designated home page.  Click next and assign the profile to one or more groups and finish out the wizard to save it.

We can accomplish the same thing using Administrative Templates option. Once again you will name the profile using the Wizard and click Next.  This time let’s make it a computer side policy setting so expand Computer Configuration > Google > Google Chrome > Startup, Home page and New Tab page > Configure the home page URL.  Then enable and input the desired URL as last time.  The process is shown in the example below.

There are many setting options available in the Administrative Templates.  For instance, the screenshot below shows how to enforce Google SafeSearch for users.

In another example, I have specified the minimum SSL version for Google Chrome under User Configuration as well.

While you still must know where to go to find the desired settings you want, managing Google Chrome settings is a lot easier now under MEM.