MDM & GP Tips Blog

Jul 2022

4 Group Policy Settings That Can Help Prevent Ransomware

We all know how serious the ransomware threat is today and that unfortunately, there is no one magical solution to stop it. Protecting against ransomware requires a multilayer cybersecurity strategy, also referred to as defense in depth. This includes steps such as ensuring that all systems are up to date in their patching, enforcing MFA for email access, and not allowing local admin rights for standard users. There are also some group policy settings that you can use to incorporate into your strategy as well. Below are four that can help in different ways.

1. Enabling Network Protection

Network protection is a Windows features that helps prevent users from using an application inadvertently to access dangerous domains that may host phishing scams, exploits, ransomware payloads and other malicious content.  It’s a component of Microsoft Defender for Endpoint and requires Windows 10 or 11 Pro (Pro and Enterprise) and Windows Server 2019+. The list of domains is supplied by Microsoft. Network protection blocks all HTTP and HTTPS traffic that attempts to connect to these contains. Think of it as web protection for non-browser applications.

To enable this feature, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection. There there are two policies for you to configure. The first step is to enable “This setting controls whether Network Protection is allowed to be configured into blog or audit mode” as shown below.

You then need to choose between Block and Audit. Block is self-explanatory in that users will not be able to access the domains in question. Audit mode allows users to still connect to the flagged domains but records the event into a log file. This allows you to get a read on what sites your users are utilizing before blocking them entirely. The screen shot below shows how to select between the two options.

2. Enable Controlled Folder Access

Controlled folder access was made available in Windows 10 and is supported in Window 11 as well as Server 2019 and 2022. It’s a component of Windows Defender Exploit Guard that prevents the data hosted in designated folders from being altered. In other words, if malware attempts to modify (encrypt) the files in these protected folders without authorization, the attempt is blocked, and an alert is generated. By default, certain system folders are protected such as a user’s Documents folder, Pictures, Desktop, etc. but you can also add folders as well. Note that the controlled folder access feature does not function if a third-party antivirus application is installed on the targeted system.

To configure Controlled folder access simply create a GPO and go to Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access. Start by enabling “Configure controlled folder access” as shown below. You can choose to disable it, block it or choose Audit mode, both of which in the same fashion as Network Protection. You can also choose to only block or audit disk modifications which involve the writing to disk sectors by untrusted apps.

You can add additional folders to the list by clicking “Configure Protected Folders” and add the folders you want protected.

The end result will look like the example below. Note that you can also choose “Configure allowed application” to specify applications that are allowed to alter the data contained in the protected folders.

3. Disable Remote Desktop

Once a ransomware variant takes hold in your network, it then works to spread laterally across your IT estate. One of the ways is through remote desktop connection. That’s one of the reasons why Windows 11 has an account lockout policy enabled that only allows for 10 failed sign-in attempts over a 10-minute period. This blocks RDP brute-force attacks. Because some ransomware variants utilize RDP connection to spread, it’s a good idea just to disable it unless required.

Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host and disable “Allow users to connect remotely by using Remote Desktop Services” as shown in the screenshot below.

4. Show Hidden File Extensions

Cybercriminals use multiple nefarious tactics to get users to click on a malicious file. One of these methods includes the use of double file extensions. An example may be “letter.doc.exe” in which a user mistakes the file for a Word document if the executable extension is hidden. To ensure that file extensions are visible you can create a GPO and go to User Configuration > Group Policy Preferences > Control Panel Settings > Folder Options and make sure that “Hide extensions for known file types” is unchecked as shown in the screenshot below.

We’ve only touched the surface here. There are many other group policy settings available that can aid in preventing ransomware from bringing down your systems and we will cover more in the future.



Jun 2022

Managing Removable Disks and Devices Using Group Policy and MEM

Your organization can invest in an entire portfolio of cybersecurity tools including email and web filtering, next generation firewall appliances and endpoint security solutions to protect your Windows computing devices. But deploying all those tools can still leave your machines vulnerable to zero-day attacks and malware infestations. That’s because all the filtering and firewall policies in the world won’t stop malicious code from being transferred from an insertable USB stick. The USB port remains a viable attack avenue for hackers and their malicious code creations to infiltrate computers thanks to users sharing USB drives. Fortunately, there are easy ways to manage removable storage access for your fleet of enterprise Windows devices.

Using Group Policy

Let’s start with Group Policy. You can manage removable storage settings on the Computer or User side. A Computer policy would prevent IT personnel with admin privileges from using USB sticks, thus preventing them from performing some of their everyday tasks. The purpose of this policy is to prevent standard users from transferring malicious code, so a User Configuration policy makes the most sense. Create a GPO and go to User Configuration > Administrative Templates > System > Removable Storage Access as shown below.

Let’s clear up any confusion concerning the various removable storage options listed. If you are younger than age 30 you probably don’t know what a floppy disk is and that’s a good thing. For most modern computers today, you need only worry about Removable Disks (USB sticks and external drives) and Windows Portable Devices which include things such as smart phones, cameras, etc. An example would be transferring pictures from a smart phone to a laptop. In the screenshot above I have enabled settings to deny read and write access to removable disks and denied write access to WPD devices.

Another option is to prevent users from installing removable devices onto their machines. You can only do this on the Computer side but there is a setting called “Prevent installation of devices not described by other policy settings” that is perfect for this situation. You can find it by going to Computer Configuration > Administrative Templates > System > Device Installation Restrictions. The enabled policy is shown below.

Using MEM

You can also configure removable storage policies using Microsoft Endpoint Manager. There are a couple of ways to do it. The first is to go to Devices > Configuration profiles and create a profile. Select “Windows 10 and later” as the platform and Templates as the Profile > then choose Administrative Templates from the list of available templates.  Name the policy and then drill down to System. Here you will find both groups of desired settings as shown below.

Drilling down into Device Installation we can enable the “Prevent installation of devices not described by other policy settings” policy for MDM enrolled devices.

You can then go up one level and scroll over to the Removable Storage Access settings. Below I have enabled the “Removable Disks: Deny execute access” setting.

You can also configure these settings using the Settings picker.  Rather than choosing Templates as the profile type, select Settings. Then use the Settings picker to search for “Removable Storage” and select the correct category. Then choose the desired settings in the section below and configure them as shown in the screenshot below. You can do the same then for Device Installation settings.

Jun 2022

Microsoft Endpoint Manager Offers Built-in Settings for Google Chrome

Microsoft Endpoint Manager (Intune) has given admins the ability to manage and deliver Google Chrome settings for some time now.  Until recently however, one had to create a custom OMA-URI device configuration policy to do so, which no one considers a very fun thing to do.  For instance, if you wanted to enforce the home page in Chrome you would need to know the OMA-URI path which most people have to look up.


You would then configure the string value for the policy:

Data type: String


Well good news, MEM now supports built in settings for Google Chrome and there are two ways to do this.  In MEM go to Devices > Configuration profiles > Create profile.  Choose “Windows 10 and later” as the platform and under profile type select either Settings catalog or Templates. 

Let’s first use the Settings catalog to set the home page.  Hit the Create button, name the profile, and click Next.  Here you need to click Add settings as shown in the screenshot below.

This takes you to the Settings picker. While built in settings are preferable to configuring OMA-URI configuration profiles, it isn’t always easy to find the setting you want.  Rather than browsing through all the included settings, you should do a search to locate the settings as efficiently as possible. This is much like doing a Google search so the more specific you are the better.  For instance, you could do a search for “Chrome” and choose the Chrome Administrative Templates that users cannot override, but this would still narrow it down to only 516 setting results as shown below.

Therefore, it’s good to know the name of the setting to find it quickly.  In the example below I searched “configure home page”.  Then I clicked on the “Home page and New Tab page” category and chose “Configure the home page URL” on the user side.

After finding the correct setting, I then configured it as shown in the screenshot below by enabling it and typing in the designated home page.  Click next and assign the profile to one or more groups and finish out the wizard to save it.

We can accomplish the same thing using Administrative Templates option. Once again you will name the profile using the Wizard and click Next.  This time let’s make it a computer side policy setting so expand Computer Configuration > Google > Google Chrome > Startup, Home page and New Tab page > Configure the home page URL.  Then enable and input the desired URL as last time.  The process is shown in the example below.

There are many setting options available in the Administrative Templates.  For instance, the screenshot below shows how to enforce Google SafeSearch for users.

In another example, I have specified the minimum SSL version for Google Chrome under User Configuration as well.

While you still must know where to go to find the desired settings you want, managing Google Chrome settings is a lot easier now under MEM.

May 2022

Use Intune or GPOs to Move the Windows 11 Taskbar to the Traditional Left

Users are creatures of habit. They expect things a certain way and when they aren’t, they often call the help desk. For years, users have been accustomed to the Windows taskbar and Start button tucked in the left-hand corner of the screen. Thus, the default position of the Windows 11 start menu in the center may throw some for a loop. There is an easy way to fix this as an individual user using the Personalization tab in the Settings menu. To do this for all your users requires a policy and here are two ways to do it.  Each involves making a change to the registry.

Group Policy Preferences

We need to add a value called "TaskbarAl" that will reside in the following registry key path:


It will be assigned a value “0”.

Using the Group Policy Management Editor go to User Configuration > Preferences > Registry.  Right click and choose New > Registry Item.  Then fill out the property fields as shown in the screenshot below.

If you want to deploy the setting using Microsoft Endpoint Manager you will have to do it using a PowerShell script.  There are multiple ways to write the necessary script but below is one approach. This script format makes it easy to add other Start Menu and Taskbar values to the same registry location.

# Move the Windows 11 Taskbar to left


$registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

$Al = "TaskbarAl" # Shift Start Menu Left

$value = "0"

New-ItemProperty -Path $registryPath -Name $Al -Value $value -PropertyType DWORD -Force -ErrorAction Ignore


Paste the script into PowerShell ISE and save it. Using Microsoft Endpoint Manager go to Devices > Scripts.  Click Add and select Windows 10 and later.  Name the policy and upload the script in the next screen as shown in the screenshot below.

Now assign the script to the designated group(s) and complete the wizard.  Be patient because it can take a little while for the script to force the bar to move over. It may seem like a trivial matter but it may save you some support calls.

May 2022

How to Filter Windows 11 Machines with Intune

Unless you are an SMB, you are probably going to phase in your Windows 11 upgrade over time.  That means that you will have to manage both versions until the upgrade is complete, which might require you to manage their settings or application deployments differently.  If you are using Intune to manage your Windows machines, you can use filtering to reduce the complexity of doing so. 

You can use Intune filters to target configurations, policies, and applications to specific device attributes such as Manufacturer, Model and OS version.  In this case we will create two filters that each target a different OS version.  Using Microsoft Endpoint Manager go to Intune > Tenant administration > Filters and create a new filter and name it as shown below.

Create a rule and select osVersion as the property, StartsWith as the operator and 10.0.2 as the value which I did myself in the screenshot below.  Then finish out the wizard to complete the filter.

Now create a second filter.  There are a couple of options when creating these filters.  You could use the same approach as the previous filter and match it with the Windows 10 value.  In this example, we chose a different approach and instead used the NotEquals operator, typing in 10.0.2 as the value.  This means that any Windows version other than Windows 11 will be included in this filter.

Now that you have the filters created, you can start applying them when needed.  In the example below, I have created a configuration profile that I have assigned to a computer group.  The group is made up of both Windows 10 and Windows 11 machines.  Because I want this profile to only apply to Windows 11 machines, I will click the filter link and choose “include filtered devices in assignment” and select the Windows 11 filter I created earlier.

Finish out the wizard and the configuration profile will now only target Windows 11 devices.  Those familiar with Group Policy will note the similarity to WMI filtering.  Once you upgrade all your Windows 10 devices, simply delete its designated filter.   


May 2022

How to Prevent Users from Resetting Windows 10 Devices with Applocker and MEM

Anyone who has been a Windows device admin for a school system that implements a student laptop program is aware of the constant battle to keep students in check when it comes to their devices.  A common ploy by the students is to reset their devices to factory default to bypass enforced security policies.  Even if students can’t get to system settings, they can always hold down the shift key while they use the mouse to select the Restart option from the Windows Start button.  This gets them to the Advanced Startup screen where they can then reset the device.  This of course starts the computer with a clean slate, giving students time to make local accounts on their device.  It also gives them access to the command prompt screen and other things.  For computers that are managed byGroup Policy, students that reset their devices off premise will enjoy a newfound freedom until the computer returns to campus and receives its assigned policies once again.  What’s more, a PC tech may have to manually deploy a package file to install the required applications, consuming precious time from both the student and the technician.  For those computers managed by an MDM provider, policies and applications will be deployed once the computer connects to the Internet, making any acquired freedom brief, but perhaps meaningful enough to be worth the effort to the student.

Even if you don’t work for a school system, you still might want to stop your users from resetting their devices.  Fortunately, there is an easy way to do it using AppLocker to create a policy that can be deployed using Group Policy or your preferred MDM solution that will prevent standard users from implementing a factory reset. 

Create an AppLocker Executable Rule

Using Windows Group Policy Management Editor, create a GPO and go to Computer Configuration > Security Settings > Application Control Policies > AppLocker > Executable Rules.  Right-click and select Create New Rule as shown in the screenshot below.

Using the wizard, choose Deny as the action.  You can target a specific group or just go with the default Everyone group as shown below.

In the next screen choose “Path” as the primary condition.  There are two path executables we need to block.  Each will require their own rule.  For this rule let’s choose:


as shown in the following screenshot.

Continue with the Wizard.  Name the rule and click Create.  Now create another executable rule using the same process.  This time we will use environmental variables for the file path which is %SYSTEM32\ReAgentc.exe.  Now you will have two rules as shown below.

Now assign the GPO to the targeted computers.  But what about Windows 10 devices that are managed by Microsoft Endpoint Manager or similar MDM provider?  In that instance, you can export the AppLocker rules by right-clicking on AppLocker and exporting the policy as shown below.

Name the policy and save it as an XML file.

Now import that XML file into MEM by going to Devices > Configuration profiles > Create policy > Windows 10 and later > Templates and choose Custom and click the Create button.

Now open the saved XML file with a text editor and highlight and copy all the content within the AppLocker tags as shown in the screenshot below.

Using the wizard, name the policy and go to configuration settings.  Here you will need to add the OMA-URI settings.  In the OMA-URI textbox you will input the following path:


Choose String as the Data type and then paste the XML code you copied into the Value box as shown below.  Then click next until you finish out the wizard and create the policy.

You will then assign the policy to your targeted users.  The next time a student or user attempts a factory reset, they will receive a message informing them that the action is not allowed for their organization. 


Apr 2022

Managing Compliance Deadlines for Windows

Keeping your Windows devices updated is critical today, not only from a security point of view, but a productivity one as Microsoft continues to deliver new features that spawn greater user innovation.  Deploying these updates is only part of the equation when it.  A computer can download a feature update for instance, but unless the computer is rebooted, it won’t be fully installed.  Often, users will delay the rebooting process, thus prolonging the pending start status and preventing it from attaining compliance.  That’s why you must enforce compliance.  Both Group Policy and Microsoft Endpoint Manager (MEM) give admins the ability to create an enforceable compliance window to ensure that Windows update processes are fully completed.

Deadlines and Grace Periods

These compliance policies allow you to configure a deadline that defines the number of days until a device is forced to restart to ensure compliance.  You can also configure an additional grace period to give users a little extra window if needed.  Note that you are restricted to defined ranges when assigning these time windows.  For Group Policy the ranges are as follows:

  • For quality updates the deadline can be between 0 and 7 days.
  • For feature updates the deadline can be between 0 and 14 days
  • Grace periods are limited to 0 to 3 days regardless of the type of update

MEM provides longer durations to accommodate mobile devices.

  • For quality updates the deadline can be between 2 and 30 days.
  • For feature updates the deadline can be between 2 and 30 days
  • Grace periods are limited to 0 to 7 days regardless of the type of update

For quality updates, the deadline and grace period start once the update is offered to the computer.  In the case of feature updates, both start once the update has been installed and the computer reaches a pending restart state.

Configuring Compliance Policies

To enforce a compliance policy using the Group Policy Administrative Console, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience and choose “Specify deadlines for automatic updates and restarts.”  You can then configure the deadline and grace periods for both quality and feature updates as shown below.

Note that you have other settings available concerning the restarting process that you can assign as well.

To configure deadline and grace period durations using the Microsoft Endpoint Manager admin center and go to Devices > Create Update ring for Windows 10 and later.  Turn on the Allow button to enable deadlines and then assign the deadline and grace period for each update category.    Note that the deadlines and grace periods are appended to any configured deferral period.  The process is shown in the screenshot below.

By enforcing update compliance for your Windows machines through GP or MDM, you can ensure that required update processes are completed, keeping your computers secure and maximizing user productivity. 

Apr 2022

Analyze your GPOs with Group Policy Analytics

Many organizations are choosing to use some type of MDM provider to manage their mobile devices.  Some organizations are even turning to MDM for all of their client devices.  If you have been relying on Group Policy to deliver configuration and security settings to these your Windows devices, you should know that there is still a disparity gap between between Group Policy and an MDM such as Microsoft Endpiont Manager (MEM) when it comes to setting coverage.  While Microsoft has closed this gap considerably over the past couple of years, there are still a number of Group Policy settings that MEM and other MDM solutions don’t accommodate.   Obviously, you need to know what settings can’t be replicated when considering a move to MDM.

MEM now provides an easy to use tool called Group Policy Analytics (Preview) that will analyze your on-premise GPOs and determine how they will translate into the cloud.  It will analyze a specific GPO and identify which settings are supported in the MDM, which ones have been deprecated and which ones are simply not available.  The first step is to select the GPO you want to test out in the Group Policy Management Console.  As shown in the screenshot below, simply right click on your selected GPO and choose “Save Report.”  Save it as an XML file.

The next step is to import the XML file into MEM.  Using the MEM admin center, go to Devices > Group Policy analytics (preview).  Select Import and point to the saved XML file as shown in the screenshot below.  Note that the saved XML cannot be larger than 4 MB. 

Click the X in the upper righthand corner and wait for the analyzation process to complete.  You will then see the percentage of settings are supported by the MDM.

Now click on the stated percentage and review the status of all your settings.  The supported settings will list the corresponding CSP mapping in the righthand column as shown below.

Group Policy analytics is a great tool to determine the MDM setting coverage of your GPOs.  If any of the non-supported settings are critical to your management or security policies, you may want to continue using Group Policy for a while longer or utilize a third-party settings management solution.


Mar 2022

Everything you Want to Know about Managing Windows Updates (Part 4)

In our final segment of this series, we are going to wrap up our discussion concerning Windows update management.  So now that you’ve configured your update rings and settings, you can create a compliance policy to reinforce them using Microsoft Endpoint Manager and going to the
“Devices |Overview” section and selecting Compliance policies near the bottom of the menu as shown below.  Here you can also click on Compliance status and view the compliance status of your enterprise fleet

Create a new policy and choose Windows 10 and later as the platform.  Name your policy and then go to Compliance settings > Device Properties.  Here you can set the minimum OS version to be compliant.  You can also set a maximum if desired.  In the example below I have assigned 21H1 as the minimum OS version with 21H2 as the max. 

You can then determine what your action will be for non-compliant status.  You can choose to either send an email to the user of the device or choose the hard-core action of retiring the device for noncompliance as shown in the screenshot below.  A grace period of 3 days has also been configured.

The final step is to assign the compliancy policy to your designated group(s). 

Managing Updates in a Co-managed Environment

Those enterprises that use Microsoft Endpoint Manager Configuration Manager can utilize either WSUS or Windows Update as their update source.  Here’s a good example of the flexibility this offers.  Let’s create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Server Update Service.   Here you would configure settings to specify the IP address of the WSUS server.  The settings we want to focus on is “Specify source service for specific classes of Windows Updates” as is shown in the screenshot below.

Enable the policy and then choose the source service for each update class.  In the example below I am assigning the WSUS server as the feature update source and Windows Update for quality updates.

While we are in Group Policy, let’s look at some other useful settings.  If you are fully managing the update environment for your end user devices, there is no need to perpetually send Windows update notifications to users.  In the screenshot below I enabled the Display options for update notifications.  Note that I have also enabled “Speficy deadlines to use Windows Updates and restarts” where just as I demonstrated in MEM earlier, you can assign a deferral period and grace period for Quality updates and Feature updates.  I also chose to remove access to all Windows update features for good measure by enabling that policy.

Here I chose to disable all update notifications other than restart warnings in order to give them a heads up about pending restarts.


Ensuring that all your Windows machines receive the latest quality updates is one of the most important steps you can do to secure your devices.  Quality updates fix bugs and improve the reliability of your machines so that they run optimally for users.  While feature updates are not as imperative, they cannot be ignored either as you need to make sure that users have access to new features that can help stimulate innovation and improve productivity.  It’s a big job, but Microsoft provides the management tools to ensure that your machines remain update accordingly. 

Mar 2022

Turn Back Time with Windows Known Issue Rollback

There are times when we all wish we had the ability to turn back time to undo a mistake.  This is certainly the case for Windows support teams that have had to deal with a sudden surge of help desk calls due to the havoc created by a recent non-security bug fix in a recent Windows update.  The traditional way to remediate such an issue has been to uninstall the update, a time-consuming process that overstretched IT personnel don’t have time for.  How great it would be if there were a way to simply roll back to the prior state up the update by implementing a single policy.

Known Issue Rollback (KIR)

Microsoft released Known Issue Rollback (KIR) beginning with Windows 10, version 2004.  Its purpose is to improve support for non-security bug fixes and make life a little easier for internal IT by rolling back the undesired changes of an update.  KIR starts at the code level as every non-security bug fix retains the old code while adding the fix on top of that.  Fixes are enabled by default, thus disabling the old code.  A KIR policy, however, can disable the fix however and revert the OS back to the old code-path, problem averted.

Now, when Microsoft determines that a non-security update has an issue, it generates a KIR to roll it back.  Microsoft’s goal is to deploy a KIR within 24 hours of identifying the root cause of a reported problem so that most users are never exposed to the bug.  For non-enterprise users, the process is completely automated, requiring them to do nothing.  In many cases the KIR will be implemented prior to the download being installed.  End users that have installed the update will be prompted to reboot their machines.

KIR and the Enterprise

The process is a little more involved for enterprise customers.  In this case, Microsoft releases a policy definition MSI file that admin teams can deploy using Group Policy (an Intune solution reportedly on its way).  These KIR policy definitions have a limited lifespan of only a few months as the aim for Microsoft is to quickly address the issue through a new update.  KIRs are announced by Microsoft through Windows Update KB articles and listed on the Known Issues list located on the Windows Health Release Dashboard where you can find a link to download the MSI.

Creating a KIR Group Policy

Once downloaded, simply run the MSI which will install the ADMX/ADM template files into the local store at C:\Windows\PolicyDefinitions as is shown in the screenshot below:

You can use the Local Group Policy editor to create a KIR policy for the local machine.  To deploy the policy to multiple machines across your domain, you will need to copy the files to your central store located in your SYSVOL folder.  Be sure to include the ADML template file located in the EN-US folder.

In this example I am using a KIR that was released last year for Windows 10 version 2004.  I first made a GPO using the Group Policy Management Console and named it KIR Issue 001.  Then go to Computer Configuration > Administrative Templates > and select the KB rollback issue listed as shown below.

Then open the policy setting and choose Disabled.

You can create a WMI filter to specifically target machines running the designated Windows version. This is done in the Group Policy Management Console by right-clicking WMI Filters and selecting New.  Name the filter something like “Apply to all Windows 10, version 2004 devices.”   Then insert the following string:

SELECT version, producttype from Win32_OperatingSystem WHERE Version = "10.0.19041"

The screenshot below shows the newly created WMI.  You can find out the build number of your Windows version here

Now go back and highlight the GPO you just created and look for the WMI Filtering section at the bottom where you will select the appropriate filter.  You can also use a third-party solution such as PolicyPak to for granular filtering as well.


KIR is a recent Windows servicing technology that can help you escape from the nightmare of a Windows update bug-fix gone bad.  This is also a good example of why you should manage your Windows updates using Windows Update for Business that gives you greater management control over when and how updates are implemented throughout your enterprise.