MDM & GP Tips Blog

Nov 2022

Managing Windows Package Manage with Group Policy

Microsoft made an announcement back in 2021 that Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. Microsoft wants organizations to transition to Windows Package Manager (WPM) instead. WPM is a command-line tool that utilizes either PowerShell or the Widows Package Manager Client terminal, also referred to as Winget-cli. If you are running Windows 10 version 1809 or greater, it should be installed on your computer through a prior update. You can also install it with the App Installer from the Microsoft Store.

There are two primary components when it comes to WPM. The first is the package, which represents an ap, application or program. The other is the manifest file, which contains metadata used by the Windows Package Manager to install and upgrade software on the Windows operating system. WPM functions similarly to Linux package manager as it doesn’t actually host the packages. What is does is let you create manifests that form a script to download your desired apps from central repositories such as GitHub or the Microsoft Store.

The point of this brief article isn’t to get into the details of WPM but to show how you can manage it with Group Policy. To do this, you will first need the Desktop App Installer Policies” Group Policy Administrative Template files, which you can download from the Microsoft Download Center. You will need to copy these files over to your central store. The create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer. You will then see a variety of available settings as shown in the screenshot below.

Let’s look at some of the most important settings here.

  1. Enable App Installer: Enable this policy so that users can use WPM. This and many of the WPM policy settings only require you to enable or disable them as shown in the screenshot below.

  2. Enable App Installer settings: Enabling this setting will allow users to change settings for WPM
  3. Enable App Installer Default Source. Note that the default source for Windows Package Manager is an open-source repository of packages located at Disabling the policy will make the default source unavailable.
  4. Enable App Installer Microsoft Store Source: When enabled, the Microsoft Store becomes available as a source.
  5. Enable App Installer Additional Sources: When enabled, additional sources will be available. Note that once additional sources are added here, they cannot be removed. You must specify the source location as shown in the screenshot below.

  6. Enable Windows Package Manager Allowed Sources: This policy is somewhat like the previous one. When enabled, users will be able to choose a source from a list of approved user sources. Here, you must also specify the approved source locations

    You can refer to this site for the latest information regarding Windows Package Manager.


Nov 2022

How To Set Time Zones using Intune

If you’re using Intune as your endpoint management solution, there’s a good chance you are managing devices dispersed over a wide geographical area. That may include multiple time zones. So how do you go about ensuring that each machine is matched with its correct time zone?

There are a variety of ways to assign time zones to a Windows 10 computer.

  1. You can configure it within the registry by navigating to


Then create GPO using Group Policy Preference to deploy the registry settings.

  1. In Windows 10/11 you can use the Windows Time Zone Utility. This is a command-line tool that you run using an Administrator command prompt. The command is tzutil.exe. You can use the question mark to see the available commands.

    To see the list of time zones supported by Windows 10, you can use the /l switch. Keep this command in mind for future reference later in the article.
  2. You can also use PowerShell. The screenshot below shows a couple of available commands. The second command is used to assign the desired time zone. Note that I am using “Hawaiian Standard Time” that appeared using the tzutil /l command above.

  3. While you could deploy the PowerShell using Intune, there is a simpler way using the settings catalog.  Log onto the Intune portal and go to Devices > Configuration Profiles and create a profile. Choose Windows 10 as the platform and Settings catalog as the Profile type. Name the profile and then click the “Add Settings” link. Using the Settings picker, do a search for “time zone” and choose “Time Language Settings” as the category. Then select “Configure Time Zone” as shown in the screenshot below.

    Then input the desired time zone as shown below. These are the same time zone names we saw using the tzutil command utility earlier. In the example below I am assigning Eastern Standard Time. Other possible assignments could be Central America Standard Time, Central Brazilian Standard Time, GMT Standard Time, Pacific Standard Time, etc.

    Then like any configuration profile, select any optional scope tags, and assign the profile to the desired group or users.

Nov 2022

Should You Delete or Retire Computers from Intune?

We often talk about adding devices to the Intune environment, but what about deleting them. What’s the best way to do it? There are several options. One option is to have inactive devices automatically removed from Intune using a cleanup rule. An inactive device means it hasn’t checked into Intune for a set number of days. You can configure the time window by going to Devices > Device clean-up rules and configuring the two required settings. You can input a number between 30 and 270. In the example below I have chosen 120 days as the cutoff. This means that day any device that has been inactive for 121 days or more will be deleted from Intune immediately. By clicking on the “View affected devices” link you can see the list of devices that will be deleted once the rule is saved. Device clean-up rules do not affect Android devices.


To Delete or Retire?

You can choose to delete or retire a computer from Intune at any time. What’s the difference? The answer is not much. Let’s outline what happens when a computer is retired.

  • The device is removed from the company Intune portal
  • Intune Endpoint Protection is removed
  • Intune deployed certificates are removed
  • Device configuration settings are no longer enforced or required so users can override them
  • The computer will no longer received its updates from the Intune service
  • Apps can no longer be installed from the portal and any Intune client software is removed
  • WiFi and VPN profile settings are removed

When you retire a device, the retire process will begin the next time the device checks in and it will be removed from Intune once the steps outlined above in the list are completed. Delete means that the computer is removed from the Intune “All devices” list immediately. However, the retire process will begin the first time the device checks in. In other words, Delete performs the same tasks that Retire does. It just hastens the removal of the device from the listings page. The exception is cleanup rules that do delete devices immediately but do not retire them.

To retire or delete a device, go to Devices > All devices and select the computer you want to delete. Then choose the appropriate action you want as shown in the screenshot below.


Oct 2022

How to Import ADMX and ADML Templates into Intune

Both Group Policy and Intune offer multiple Administrative Templates out of the box that provide settings for Microsoft operating systems and applications. Some third-party vendors provide ADMX and ADML templates that you can use to deploy settings for their products as well, but you must obtain them from the vendor and import them.  

Importing Administrative Templates into Group Policy

Importing third-party administrative templates into Group Policy simply requires that you paste the templates into the SYSVOL. Let’s say I wanted to manage settings for Zoom. I downloaded the templates and then placed them in the SYSVOL of one of my domain controllers as shown in the screenshot below. Note that you must also place the corresponding ADML templates into the appropriate language folder as well.

Then I use Group Policy Manager to create a GPO and the Zoom ADMX templates settings will appear automatically.

The Intune Importing Process

The process for importing ADMX and ADML templates into Intune is of course completely different. First off there are few limitations at present to keep in mind.

  • You can upload a maximum of 10 ADMX files
  • You can only upload one ADML file for each ADMX file
  • Only en-us ADML files are supported currently
  • Each file must be 1 MB or smaller
  • Some ADMX files may have dependencies that must be uploaded first

After the matching ADMX and ADML templates are downloaded, go to Devices > Configuration profiles and select “Import ADMX.”

Click the Import link and navigate to the matching ADMX and ADML files as shown in the screenshot below.

Once completed, the imported ADMX template will now be listed. You must allot ample time for the templates to upload before using them as shown below.

In this case, the upload failed. In the screenshot below I clicked on the link to find out the details of the error.

It says that an ADMX file reference file called NamespaceMissing: Microsoft.Policies.Windows. was not found. This is one of the gotchas I mentioned above. To fix this, you must first click the ellipsis to the right and delete it. Then you need to upload the Windows ADMX and ADML files. These files are in your SYSVOL folder by default.  Upload them the same way you did the Zoom template files.

Once you complete the import wizard, click refresh until you see that the Windows.admx is available. Then upload the Zoom template once again. This time the upload process shouldn’t fail, and you will see both ADMX files available as shown below.

Now you can create Configuration profiles that use your imported ADMX files. Go to Profiles > Create profile and choose Windows 10 and later as the platform and Templates as the profile type. Then select “Imported Administrative templates (Preview)“as shown below.

Then you can select and configure the settings you want in your policy.

Then complete the profile configuration process by assigning the profile to your designated users.


Oct 2022

How to Setup Printing in the Cloud Using Universal Print (Part 3)

So, in our last article, we talked about registering printers with the Universal Print portal. We registered a couple of printers using the Universal Print Connector and then shared them to designated users through group assignment. Users can then browse the list of shared printers that they have access to and pick the appropriate printer according to factors such as location or printing capabilities. While this is fine for users needing to send something to a printer they normally don’t use, it’s easier for users to directly install printers on client machines. This is done by creating an Intune policy.

Creating a Printer Policy

All users that will be receiving the printer policy must be assigned a universal print license as mentioned in Part 1 of this series.  You also need the Printer Administrator role to create the policies and the target computers must have Windows 10 or Windows 11.

Using MEM go to Intune > Devices > Configuration profiles and create a new profile. Choose Windows 10 and later as the platform and Settings catalog as the Profile type. Name the policy, click “Add settings” and do a search for the word “printer” as shown below. Scroll down and select Printer Provisioning and select Printer Shared ID User.

You will need three bits of information about each printer you want to install. You can access this information from the overview section of each printer in the Universal Print portal as shown below.

Next, Input the Printer ID, Printer Share Name and Share Id in their designated boxes as shown below.

The final step is to assign the profile to the designated users.  You can then monitor the status of the policy using Intune as shown below.

While Universal Print may not be a viable choice for large enterprises yet, it may be a good solution for SMBs that have moved to Azure AD in pursuit of a native cloud solution and want to deprecate their on-prem printing infrastructure.

Sep 2022

How to Setup Printing in the Cloud Using Universal Print (Part 2)

In my previous article I outlined the prerequisites for Universal Print, a Microsoft 365 subscription-based service that you can use to centrally mange your printers using Azure. As mentioned, most printers require the Universal Print Connector to be registered in Azure for universal printing. You can download the UP Connector here.

The prerequisites for the UP Connector are shown below.

  • You can install it on Windows Server 2016 64-bit but Windows Server 2019 is recommended.
  • You may also install it on Windows 10 64-bit Pro or Enterprise, version 1809 or later.
  • The host computer will also need .NET Framework 4.7.2 or later.
  • The host computer should have a permanent internet connection and have sleep/hibernate disabled

Once downloaded, simply run the installer

Once installed you will see the screen below. Here will need to sign onto your Azure portal using an Azure AD account that is assigned to the Printer Administrator role.

Once you are signed in, you will need to create a Connector Name as shown in the screenshot below. This could be the name of a building, a department, a site, or just about anything that has significance within your organization.

In this example I chose Central_Office. You will then register the Connector name.

Once registered, you will be able to see the connector in your Azure Universal Printer portal. If you can’t readily find the UP portal in Azure, you can do a search for “Universal Print” to navigate to it as shown below.

Then click connectors to see your newly registered connector.

Now it’s time to register for the printers. You need to install the printers onto the computer hosting your connector.  These printers will then be shown as available printers within the UP Connector admin console. Select the printer or printers you want from the list and click register.  The printer(s) will now move to the registered printer list as shown below. The printer is now registered in Azure.

Now we need to share the printer. Go to the Universal Print Portal and you will see that your printer is registered and ready but not shared.

To share, select the printer’s checkbox and click Share as shown below.

Now you will give the printer a share name and select the groups or users that can access the share as shown below.

You can then select Printer properties and provide descriptors so that users know where the printer is located within your enterprise. This allows them to search for printers according to location. I have filled out some of the properties in the screenshot below.

Now the printer is shared and ready and will show all green as shown in the screenshot below.

Registering Universal Printers Directly

Printers that natively support Universal Print can be registered with Azure without going through the UP Connector. Simply access the printer’s admin console through a web browser. Every vendor’s admin portal is different but essentially you will need to name the printer and configure its network properties so it can access the Internet. Usually in the advanced settings, there will be a way to register the printer. The registration process will require you to logon to Azure with the proper credentials. The printer will then be registered and assigned a registration code. Once registered, you will then log onto Azure in the same manner I did earlier and share the printer.

Next: Creating Intune Policies

In our third and final segment on Universal Print, we will review the process of installing registered universal printers on computers across the network.

Sep 2022

How to Setup Printing in the Cloud Using Universal Print (Part 1)

So, you’ve migrated your enterprise’s on prem AD presence to Azure AD and now and are thinking that everything will be native cloud from here on out. There’s just one problem. Your users are still printing stuff and those printers rely on on-prem infrastructure. While many consider printing to be a legacy technology, organizations still depend on it. The problem is that printer management can be a time consuming and manually intensive ordeal having to deal with so many different types of printers, associated drivers, and spoolers. What’s more, assigning printers using Intune can be challenging at best.

Fortunately, there is an option available from Microsoft that allows you to upgrade your printer environment to a cloud-based print solution. It’s called Universal Print, a subscription-based service that runs on Microsoft Azure, providing a centralized print management for print administrators. Some of the benefits of Universal Print include the following:

  • No need to install printer drivers on PCs as printing takes place using the Internet Printing Protocol (IPP). There’s also no need for print servers for supported printers.
  • Provides remote users the ability to print at the corporate office and integrates with Windows 365 virtual PCs.
  • Printers can be assigned end-user locations at a granular level so users can easily find the right printer for their location whether it be a country, town, site, building, floor, etc. You can also assign printers using Intune.
  • Extensive reporting is available to monitor your print capacity as well as obtain a daily aggregated job count for each printer or user, giving you the visibility to understand what is happening in your print environment each month.
  • Enhanced security as machines must be joined to Azure AD to print and printing takes place over encrypted connections while all print data is contained in the same secure platforms that Online Exchange and Teams utilizes.

There’s obviously a lot of benefits to Universal Print so let’s look at how to implement it.

Prerequisites for Universal Print

Let’s start with the printers themselves. Some printers can integrate directly with Universal Print out of the box. Here’s a list from Microsoft of Universal Print ready printers. Chances are, most of your printers don’t support Universal print. In that case, you need to download the Universal Print Connector to an on-prem machine and add your printers to it. The Connector will serve as the intermediary between Azure and legacy printers.

Next you will need the right subscription. Universal Print is included with multiple commercial and educational Windows 365 and Windows 10 subscriptions. You can also purchase a standalone subscription as well. Applicable licenses include the following:

  • Windows 365 Enterprise F3, E3, E5, A3, A5
  • Windows 10 Enterprise E3, E5, A3, A5
  • Microsoft 365 Business Premium
  • Universal Print (standalone)

You can confirm whether your current license provides Universal Print access by going to your Azure portal and navigating to Azure Active Directory > Licenses > All products. Select a product from your list and click on “Service plan details.”

Each print user will need an assigned license. A Universal Print license is also required for all print administrators regardless of whether they print or not. Keep in mind that the designated license doesn’t allot you unlimited printing. Universal Print uses the same OPEX model that is characteristic of cloud computing services in that you only pay for the resources that you use. Universal Print comes with a pool of print jobs that equates to 5 print jobs per user per month. That means that 100 licensed users will be able to print 500 print jobs each month. A print job constitutes a single printed document regardless of how many pages or the number of copies printed. A colored printed document counts the same as a standard print job and attributes such as single vs. double sided do not matter either. Note that there is currently no way to enforce a print quota on individual users. While the license allots 5 print jobs per user, one user can consume all the print jobs over the course of a month. It is believed that quota management will be introduced down the road.

To configure or manage Universal Print, an admin must be a global administrator or be assigned the Printer Administrator role. I had to assign myself the print administrator role even though I was a global administrator to complete the configuration steps for this article series.

Finally, client devices must be running Windows client OS, version 1903 or greater.

Next: Installation and Configuration

In the next article, I will show how to install the Universal Print Connector to an on-prem machine and configure the Universal Print service. We will then assign the printers using Intune.


Aug 2022

A Closer Look at Safeguard Holds

There are no guarantees in life. That’s certainly the case with software updates. Sometimes an update that offers a new operating system version just doesn’t’ work out due to compatibility issues with a particular device. This can cause the update to either fail or rollback. Even worse, it could result in data loss or a loss of connectivity or key functionality.  That’s why Microsoft monitors quality and compatibility data to identify issues before they can affect too many machines. Issues may also be reported from Microsoft partners and customers as well. Once these issues are identified, Microsoft enacts a Safeguard Hold to prevent other devices with this known compatibility issue from being offered the designated feature update. The safeguard hold is enforced long enough to give Microsoft ample time to address the issue. Once a fix is derived and verified, the hold is lifted, and the Windows update will once again be readily offered to devices.

Disabling Safeguards

While its not necessarily recommended, you can disable safeguards so that devices will ignore them. Keep in mind that the update may likely fail. If you want to take the chance, however, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business and enable the “Disable safeguards for Feature Updates” setting as shown below.


You can also do this using an MDM such as Microsoft Endpoint Manager with the DisableWUfBSafeguards CSP. The required custom OMA-URI settings are as follows:

  • OMA-URI: ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards
  • Data type: Select Integer
  • Value: 1

Safeguards for Two Types of Issues

New Windows feature updates that are deployed using either Windows Update service or Windows Update for Business are subject to Safeguard holds for a known issue.  A “known issue” is a confirmed problem that may occur after an upgrade for a specific set of devices. In addition to known issues, there are also “likely issues.” A likely issue means that the problem has not been confirmed by Microsoft but has been discovered through machine learning out in the ecosphere. Issues could involve rollbacks, connectivity issues, app or driver malfunction as well as problems with graphics and audio. Once identified, a temporary safeguard hold is enabled on the designated update until either the issue has been confirmed and upgraded to a known issue (in which the safeguard hold is continued) or it has been identified as a false positive, in which case the hold is removed.

The Windows Update for Business Deployment Service

The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides a next level of control concerning the approval, scheduling, and safeguarding of Windows updates. Here you can use safeguard holds against likely updates issues. You can also do things such as bypass preconfigured Windows Update for Business policies to manually deploy a security update on command across your organization should an emergency arise. To utilize this service, you must have one of the following subscriptions:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

You can then do a search for it in MEM and configure as you need to.

To see if you are affected by a Safeguard hold you can use Update Compliance in MEM to run a Safeguard Holds report that can provide insights into existing holds that are preventing devices from updating or upgrading. You can get more information about these reports here.



Aug 2022

12 New Policies and Security Baseline for Microsoft Edge v104

Microsoft just released a security baseline for Microsoft Edge version 104.  Be aware that when you go to download it you won’t see version 104 listed because it still utilizes version 98 as none of the security policies have changed yet. Microsoft v104 introduced 12 new settings that can be used within Computer and User policies. The new setting policies are as follows:

  • Allow import of data from other browsers on each Microsoft Edge launch
  • Configure browser process code integrity guard setting
  • Define domains allowed to access Google Workspace
  • Double Click feature in Microsoft Edge enabled (only available in China)
  • Enable Drop feature in Microsoft Edge
  • Get user confirmation before closing a browser window with multiple tabs
  • Text prediction enabled by default
  • XFA support in native PDF reader enabled
  • Enables Microsoft Edge mini menu *
  • Get user confirmation before closing a browser window with multiple tabs *
  • Restrict the length of passwords that can be saved in the Password Manager

* These policies are available as both mandatory and user override settings

You can download the three ADMX templates new for Edge version 104 here as shown below.

One of these settings, “Configure browser process code integrity guard setting” restricts the ability to load non-Microsoft signed binaries. When enabled, there are three mode options:

  • Disabled (0) = Do not enable code integrity guard in the browser process.
  • Audit (1) = Enable code integrity guard audit mode in the browser process.
  • Enabled (2) = Enable code integrity guard enforcement in the browser process.

Administrators are encouraged to run this setting in Audit mode (1) early on for compatibility purposes. Audit mode is currently the default but a future security baseline will change this to Enabled (2) once Microsoft has enough data to proceed.  The setting options are shown in the screenshot below:

If you haven’t yet imported the secruity baseline, you can do so by running the Baseline-ADImport.ps1 script as shown below.

You can refer to my blog on the Security Baseline for Edge v95 for more information about how to use security baselines for Microsoft Edge.



Jul 2022

Use Group Policy or Intune to Reclaim Disk Space with Storage Sense

Storage Sense is a disk cleanup feature found in Windows 10 and Windows 11 to free up drive space. When enabled, it serves as a silent assistant that automatically gets rid of items that you no longer need such as temporary files and items in your Recycle Bin. When enabled with its default settings it will run whenever the device is low on disk space. It can also delete neglected cloud backed content; a process referred to as Cloud Content Dehydration. This is especially valuable for users whose cloud storage far exceeds their local drives.

Using Group Policy to Manage Storage Sense

You can enable Storage Sense and configure settings using either Group Policy or Intune/MEM.  To enable it using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Storage Sense and enable “Allow Storage Sense” as shown below.

Once enabled, Storage Sense will delete files from the Recycle Bin by default after 30 days. You can modify this period by enabling “Configure Storage Sense Recycle Bin cleanup threshold” and choose any digit between 0 and 365. A value of zero means that the files will never be deleted. You would do this if you wanted to enable Storage Sense but disable its Recycle Bin capabilities. The screenshot below shows the available policy settings.

Storage Sense also deletes Temporary files by default as well so there is no need to enable the “Allow Storage Sense Temporary Files cleanup” but you do need to specifically disable it if you don’t want it utilized.

One folder that Storage Sense doesn’t clean up by default is the Downloads folder. All those downloads become forgotten over time and can quickly add up, especially if it includes large ISO files. You can turn on this feature by enabling the “Configure Storage Storage Downloads Cleanup Threshold” and once again choosing 0 to 365 days. (BTW that isn’t a typo, the setting does repeat the world storage).

Next, lets enable the “Configure Storage Sense Cloud Content Dehydration Threshold” setting. Here you will input the minimum number of days you want a cloud-backed file to be unopened before being deleted. I chose 90 days in the screenshot below.

Finally, there is the “Configure Storage Sense Cadence” setting. By default, Storage Sense will run whenever it detects low disk space, but you can force it to run on a scheduled cadence using this setting as shown in the screenshot below.

Intune/Endpoint Manager and Storage Sense

You can also manage Storage Sense using Intune/MEM as well.  Create a Configuration Profile and select Windows 10 and later as the platform and Settings as the Profile type. After naming the configuration profile, do a search for Storage Sense and select Storage as the category once found. Then choose the desired settings you want to configure. The process is illustrated in the screenshot below.

Once the settings are configured, complete the wizard, and assign to the group your designated group(s). Now you won’t have to worry about forgotten files taking up footprints across your PC fleet.