Category: Windows 11

Recommendations for moving away from deprecated enterprise features in Windows 10 and 11

Microsoft are deprecating features in the Windows client at a quicker pace than ever, and some of these are more or less broadly used in organizations. Some of the most common ones that are now deprecated are WMIC, VBscript, TLS 1.0 and 1.1, PSR, Update Compliance and WebDAV. Some great although less used features that are deprecated lately are Defender Application Guard for Edge and Office and Windows Information Protection. Let’s have a look at what this means and what possible replacements there are!

No need to panic!

Before going into alternative solutions, keep in mind that the definition of deprecated means that the feature is no longer developed and might be removed from a future Windows version. Thus, there is absolutely no need to panic. My recommendation is to start planning for moving away from features that are deprecated, and with that communicating this information to all relevant stakeholders.

Common features in organizations that are now deprecated

This is a table of the more or less commonly used features within organizations, with potential alternative solutions.

Deprecated featureOrganizational impact from my personal viewAlternative solutions
WMICHave you ever used or still use for instance “wmic csproduct get name” or “wmic bios get serialnumber“? Those classic commands are still very much used by some and will soon be removed from out of the box in Windows.Use PowerShell is the alternative solution! More at WMI command line (WMIC) utility deprecation: Next steps | Windows IT Pro blog (microsoft.com).
Microsoft Defender Application Guard for OfficeOnly a few organizations have implemented App Guard for Office unfortunately. As it has also been a Microsoft 365 E5/E5 security add-on feature this has not had the best basis for broad use. Microsoft recommends Attack Surface Reduction (ASR) and I agree with that. I would add to that to use Defender for Endpoints which means extra scanning of documents coming from emails or internet through web browsing. See Safe Documents for more info.
Microsoft Defender Application Guard for EdgeAlthough this s a super secure browsing experience, I do not know a single organization that used this. It adds significant administration and high end-user impact so the feature never made it out into organizations.Use Edge security recommendations found in Microsoft Edge for Business security whitepaper.
Problem Steps Recorder (PSR.exe)A few organizations use this and have instructed end-users to record problems and attach to service desk. Some organizations (have) use(d) PSR to create guides.Snipping Tools which not only offers creating an image of the desktop now also offers video recording possibilities is a personal favorite and I strongly recommend everyone to use this. In the new release you can also add shapes to highlight your screen shots!
WebDAV ClientWebDAV is very much still used in many organizations. I last came in contact with this just before Xmas last year where users have the need to map on-premises SharePoint document libraries to Windows Explorer.Possible alternative solutions:
1. Moving to SharePoint Online is obvious but currently many organizations cannot do that for confidential information.
2. Enable and use Map SharePoint on-premises using OneDrive for Business.
VBscriptI have not come across any organization that do not use VBscript at all, but to be honest on more recent years most VBscripts are replaced by other means. The popular MDT (Microsoft Deployment Toolkit) which has been used by thousands or organizations over the years is still much in use and contains thousands of lines of code in VBscript.For those VBscript solutions that are still there, consider migrating them to other languages such as PowerShell. Also note that VBscript is still available as a Feature on Demand.

If you are using MDT, see this eminent guide from my fellow MVP and former colleague Johan Arwidmark.
TLS 1.0 and 1.1I think most know that TLS 1.0 and 1.1 are considered unsecure, and that anything using TLS 1.0 or 1.1 should have moved to using TLS 1.2 a long time ago. However, this is far from the case as TLS 1.0 and 1.1 are still requirements in several Line of business applications and other critical systems in organizations.Windows clients and servers will have no problems with disabling TLS 1.0 and 1.1. Line of business applications are the problem area.

Handle this with basic Application Lifecycle Management, and make sure application owners and vendors become aware of the problem and make a plan for moving to TLS 1.2 or later.
TroubleshootersTo be honest, the built-in troubleshooters in Windows that has been around since Windows 7 are not used that much in my experience. It is sad though because they offer some basic troubleshooting stuff.What I will miss are the PowerShell scripts behind the troubleshooters, which have proven to be very valuable when doing “automated troubleshooting”. Retain whatever you can from C:\Windows\diagnostics\system before these are removed.
Windows Information ProtectionBeing able to protect your company data is essential and I think a lot of organizations use Intune App Protection for iOS and Android. Under that same section was Intune App Protection for Windows, which is essentially “Windows Information Protection”.

However, although a good feature not many, to say no organizations, deployed this feature in production.
If you are looking to protect company data on your Windows devices, you should have a look at and implement Endpoint Data Loss Prevention as part of Purview.
Update ComplianceI have helped numerous customers over the years to implement Update Compliance to keep track of Windows quality and feature updates, even as a compliment if the customer is already using Configuration Manager or WSUS.Anyone using Update Compliance or want more insights into patching as a compliment should enable Windows Update for Business Reports as this adds additional value!

Sources for deprecated features and more information:

Enable the passwordless experience in Windows 11 to enhance identity security

Going passwordless should be the goal for anyone who cares about security and preventing identity and cyber attacks. It is possible to be almost 100% passwordless using Microsoft passwordless technologies. However, even if you have moved to not using your password, the password options are still available at Windows sign-in and also within Windows when signed in. It is now possible to reduce the password use in Windows.

New passwordless experience options available in Windows 11

One big step towards truer passwordless experience is to set the policy named EnablePasswordlessExperience. This will give you the following benefits:

  • No password sign-in option on the default Windows sign-in screen.
  • The primary user of the device sees only non-password sign-in options, and can only sign into the device using:
    • Windows Hello for Business.
    • FIDO2 security keys.
    • Web sign-in, which in turn uses either Temporary Access Pass (TAP) or the Authenticator app.
    • Smart cards.
  • No password options within Windows, when for instance elevating as administrator (UAC prompts).
    Note: You can still use runas to elevate with password as well as use the password for a local admin account (such as when using Windows LAPS).
  • The password setting option is removed from Settings > Accounts > Sign-in options.

This will mean that once this new setting is enabled, any user who used to use passwords is now much more likely to sign into Windows with anything else than the password. You can find more about this CSP setting at learn.microsoft.com: Authentication Policy CSP – Windows Client Management | Microsoft Learn.

Password credential provider is hidden from certain UI part of Windows

The reason why I say much more likely to sign in with anything else other than password is that the EnablePasswordlessExperience setting means that the password credential provider is only hidden on the Windows “primary user” sign-in screen.

That means that there are a number of ways to still use passwords in Windows, which is for example required to make sure for instance remote support through help desk is still a viable option:

  • Clicking Other users on the sign-in screen will allow the user to sign in using a password, as the password credential provider is enabled there.
  • Password use is available in Remote Desktop Connections and for web sites in Microsoft Edge.
  • Password can be used with runas to elevate with password as well as use the password for local admin accounts (such as when using Windows LAPS
  • Password change can still be accessed from Ctrl+Alt+Delete prompt.

Pre-reqs:

Currently, the following operating systems support the new setting EnablePasswordlessExperience:

Configuration

The Enable Passwordless Experience settings are configured via Intune and are available in the Settings Catalog and this is how I recommend that you configure this new feature:

  • Enable Passwordless Experience is set to Enabled. This will in practice remove the password credential provider from the aforementioned parts of the Windows UI.
  • Enable Web Sign In is set to Enabled. This will show the “globe” as a sign-in option on the sign-in screen and acts as fallback for logging in if Windows Hello for Business sign-in fails, or if an administrator needs to sign into the device.

UI changed when passwordless is enabled

When these two settings are enabled, the password credential provider is removed from some UI elements, as well as introducing the web sign-in “globe” on the sign-in screen.

Sign-in screen

At the sign in screen, this is where we have maybe the most benefit of enabling the passwordless experience. The reason is that the option to sign in using password is gone! This will certainly reduce the use of password to sign in. At the same time you see the globe which can be used to sign in when or if Windows Hello for Business fails.

UAC Elevation Prompt

When trying to elevate as admin, UAC kicks in. With the passwordless experience enabled, you will only see passwordless options + the ability to use any local admin account (with password). This is to make sure that help desk for instance can still help via remote connections. The important thing is that the typical end users cannot choose any password options. Basically, this means that there is no option “Use a different account”.

Extra #1 – Interactive logon: Require Windows Hello for Business or smart card policy

Just to get this new passwordless experience one step further, I tried the good old policy setting Interactive logon: Require Windows Hello for Business or smart card policy to Enabled. The idea was to also prevent circumventing the “Other users” trick and disable password use even there, as well as completely in Windows.

But no, that setting will not allow you to sign in with Web Sign-in (which is working by design) so that means the setting is useless unless you can live with having no “back door” into your computers if authentication fails or there are problems.

Extra #2 – Excluding the password credential provider all together

To really go passwordless already, you can enable the more hardcore passwordless option that has been in Windows 10 and 11 for some time. It is the ExcludedCredentialProvider setting ADMX_CredentialProviders Policy CSP – Windows Client Management | Microsoft Learn.

This means that you can disable the password credential provider all together in Windows, leaving no room to use a password anywhere within Windows. This might sound good at first thought but will likely mean trouble for remote help for instance by help desk staff, as they will not be able to elevate as admin when needed.

Extra #3 – KQL Kusto Query to find out who are signing into Windows using passwords

The following query is something I use all the time, and it lists how many times your users sign into a Windows device using password. This is useful for “smoking out” password use at Windows sign-in but also in general in Microsoft 365, with a slight modification.

Kusto
SigninLogs
| where Resource == "Microsoft.aadiam" and AppDisplayName == "Windows Sign In"
| extend authenticationMethod_ = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend succeeded_ = tostring(parse_json(AuthenticationDetails)[0].succeeded)
| where authenticationMethod_== "Password" and succeeded_ == "true"
| extend authenticationStepDateTime_ = todatetime(tostring(parse_json(AuthenticationDetails)[0].authenticationStepDateTime))
| extend displayName_ = tostring(DeviceDetail.displayName)
| extend trustType_ = tostring(DeviceDetail.trustType)
| extend deviceId_ = tostring(DeviceDetail.deviceId)
| summarize Count = count() by displayName_, Identity

Thanks to Michael Hildebrand for this blog for being a good inspiration on KQL and dashboards in this topic: Azure AD Sign-in Logs + Workbooks = Know Who is Using Windows Hello for Business – Microsoft Community Hub

Extra #4 – Single Sign-On to on-premises resources

When signing into Windows with Windows Hello for Business or security keys, you do not have single-sign on to on-premises resources such as file shares, printers or applications. By enabling Azure AD Kerberos you enable single sign-on using security keys and by settings an Intune setting to use Windows Hello for Business Cloud Trust, you enable single sign-on using Windows Hello for Business.

Summary

The Enable Passwordless Experience that has been added to Windows 11 is a great step in the right direction of becoming fully passwordless, at the same time as not interfering with remote help and support. Anything that can be done to reduce the use of passwords is simply great!

Sidenote: If you use security keys with multiple identities, you have probably learned that when trying to sign into Windows it will sign you in with the last written identity on the security key. If you like me want to be able to choose which identity to sign in with, please upvote this Windows Feedback item!

Troubleshooting an application that crashes in Windows – a few tools, tips and tricks

This blog post is an example of a problem I encountered the other day in a project I am in. An application that is used by a part of the business is installed properly but crashes. I thought I’d share some tips and tricks based on this troubleshooting, a troubleshooting which turned out to be a true sunshine story.

Problem

A ClickOnce application is installed in Windows 10 and 11 but when trying to start the application it never starts and instead silently crashes.

Investigation

As always when something crashes, more details can be found in the Event Viewer. The event ID 1000 lists some very general information:

Faulting application name: X.Y.Client.WpfClient.exe, version: 1.0.0.0, time stamp: 0x565f048b
Faulting module name: KERNELBASE.dll, version: 10.0.25357.1, time stamp: 0xc0dc8053
Exception code: 0xe0434352
Fault offset: 0x0014e0a4
Faulting process id: 0x0x473C
Faulting application start time: 0x0x1D9824B72D664C7
Faulting application path: C:\Users\andre\AppData\Local\Apps\2.0\KP6YOQBZ.QBT\10VX2RL2.D3R\X...tion_ae3633e36a16d69b_0004.0000_6d9d02277ead5c24\X.Y.Client.WpfClient.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll

This in turn gives me nothing more to go on so next thing to do to get more information is to enable crash dump file generation for application crashes (or any other crashes apart from Windows crashes which already have dump files generated each time Windows crashes).

Enable crash dumps

Go to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting

First Create a key named LocalDumps so that you end up with this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

Then in the LocalDumps registry key create these three registry values:

Name: DumpFolder
Type: REG_SZ
Value: C:\CrashTemp

Name: DumpCount
Type: REG_DWORD (32-bit)
Value: 10

Name: DumpType
Type: REG_DWORD (32-bit)
Value: 2

Restart the service named “Windows Error Reporting Service” and then start the application and note the DMP file created in the location that you specified above.

Analyze crash with WinDbg

Now we can analyze the DMP file with the classic tool Windows Debugging Tools. This is available in Windows ADK and SDK but the easiest way is to install WinDbg (Preview) via Store (or publish to Company portal). You can also use the winget command to install WinDbg by using “winget install 9PGJGD53TN86“.

Start WinDbg and then open the DMP file and choose:

!analyze -v

We can then clearly see some interesting exceptions:

Key  : CLR.Exception.System.ArgumentException._message
Value: Source property was not set before writing to the event log.
Key  : CLR.Exception.System.Security.SecurityException._message
Value: The source was not found, but some or all event logs could not be searched.  Inaccessible logs: Security.

This, plus the below entries also found as a result of analyzing the DMP file, clearly points toward event logs and specifically the security event log.

STACK_TEXT:
00f8eedc 64b54041 System_ni!System.Diagnostics.EventLogInternal.WriteEntry+0x16bc4d
00f8ef0c 649e53f9 System_ni!System.Diagnostics.EventLog.WriteEntry+0x19
00f8ef18 0314223b X_Y_Client_Business!X.Y.Client.Business.Logger.WriteToLog+0x103
00f8f034 0314211d X_Y_Client_Business!X.Y.Client.Business.Logger.WriteToLog+0x25

Process Monitor for the win!

To figure out what is going on I turn to my personal favorite tool named Process Monitor, a tool that has helped me troubleshoot and learn stuff about Windows for many years.

In Process Monitor, I did a simple recording and filtered on “Access denied”. The application process showed one access denied entry.

The application need read permissions on the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\security 

Said and done, I set users to “Read” on the registry key and started the application again. It crashed still.

I did another trace with Process Monitor and this time it showed that read/write permissions was required on the registry key above security. Strange, but I set Users to Full Control on the registry key referenced:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

I once again tried to start the application and after that, the application started! Note: The good(?) thing is that after first start, one can revert the permissions to default permissions and the application still work. More investigation is needed in this area.

Summary

A few tools, tips and tricks were involved in this troubleshooting, and I hope to inspire others to use these tools and methods in their own troubleshooting in day-to-day work. My next step now is to contact the developers of the application and point out the rather strange problem, and hopefully get the problem fixed.

Field report: 3 years with an ARM based Windows 10 / Windows 11 device

It is now exactly 3 years since I got my current device, the ARM based Surface Pro X SQ1 device. I’ve been using it as my primary work device since then, although much work has also been conducted on other devices for the customers I work with. Still, I’ve used my Surface Pro X almost every day.

This report is meant to help shed some light on the ARM platform, and aid in hopefully clearing out some questions marks for users or organizations looking to purchase for instance the Surface Pro 9 which comes both with an Intel processor as well as a Microsoft SQ3 (ARM) processor.

Windows 10 and ARM

When I got my Surface Pro X device Windows 11 was not available, so I started out with Windows 10 on ARM. Back then, there were to be honest quite a few things that did not work, which hindered me in performing my work.

The biggest problem was that x64 applications did not run at all! That included the 64-bit Microsoft 365 Apps for Enterprise as well as 64-bi compiled PowerShell modules which is used to manage Microsoft 365 and Azure resources. Thankfully, these obstacles are now a memory of the past!

Windows 11 bring ARM devices to a useable level

As soon as I upgraded to Windows 11 on my Surface Pro X it was a new world opening – and the obstacles I previously had was long gone. With Windows 11, there is x64 emulation meaning basically any application will run without problems, including the PowerShell modules I previously had problems running and also running Microsoft 365 Apps for Enterprise on 64-bit.

Since the release of Windows 11, more and more features have been enabled over time, bringing Windows 11 on ARM to an almost feature-complete Windows if you compare it to Windows 11 the 64-bit edition that is used on some 99%+ devices globally.

Limitations of Windows 11 on ARM

So, while there are no blockers for me to do my daily work, there are some limitations that you might want to be aware of.

Windows feature / componentLimitation / problemComments from the field
Drivers (hardware and software)Drivers for both hardware as well as software needs to have a driver compiled for the ARM64 platform. This might include printers, VPN software, antimalware applications and such.The only application I have encountered problems with is Camtasia screen recorder application. However, there used to be some manual work needed to get Adobe Photoshop installed, manually uninstalling Visual C++ runtimes, and then installing the ARM based Visual C++ runtimes. For hardware, the printers I have used have had ARM64 drivers.
Update March 14, 2023: For some more information on compatibility with antimalware and VPN solutions, scroll down to “A growing Arm ecosystem…” in this blog post Available today: Windows Dev Kit 2023 aka Project Volterra – Windows Developer Blog
Microsoft Defender Application GuardThis virtualization based feature of Windows is not available on Windows on ARM.This is too bad as I really like having the Application Guard feature protecting Office documents that come from the internet zone.
Update March 14, 2023: Since the blog post was written, David Weston announced on Twitter that Application Guard for ARM is here (unclear though what build you need to be on).
Hyper-V VMsYou can create and run Hyper-V virtual machines on Windows on ARM. However, you cannot run the x64 versions of Windows as guest OS in the VMs and are limited to Windows on ARM.This is a limitation for me – but although the Surface Pro X can run not only Hyper-V but also Android apps via Android Subsystem, the performance of the devices is just not fitted for running all these performance-demanding virtualization stuff.
Games, Windows Fax and Scan and moreMicrosoft has an official list of what could pose problems on ARM, see Windows Arm-based PCs FAQ – Microsoft SupportExcept the limitations I mention above, I have not seen any of the other problem that Microsoft describe in the article over the three years that I have used my ARM device.

ARM platform is expanding

Over the last year or so we have seen ARM compiled versions of Microsoft Teams and then also Company Portal app appearing. There are probably more examples, but these are what comes to mind.

Also, the number of devices based on ARM have increased over the years and most major computer manufacturers have ARM devices to choose from.

Management, ISO files, installation and recovery of the devices

One the biggest limitations is the lack of installation media (ISOs) for Windows on ARM. That means, every time I need to wipe my Surface Pro X I will have to download the 10GB recovery file, put in on a USB stick and recover.

After that I will be on Windows 10 1803 which means to get to Windows 11 22H2 I will have to run a number of Windows Update passes, with hours and hours to go until I am on the latest Windows release. This is the area where Microsoft can do a lot better! There are ISOs for Insider builds however.

When it comes to management of ARM based devices, there are some things to take into consideration, for instance regarding application deployment. Apart from that management of ARM devices are more or less the same as any Windows device, at least if you are managing them using Intune. If you are using Configuration Manager, have a look at this article.

If you want to have a great summary of what management and deployment of ARM (Surface devices) mean, read Deploy, manage, and service ARM-based Surface devices.

Does not make a sound

One of the biggest advantages which I have not mentioned yet is that the device is completely silent, and it has not given away one slightest sound over these three years. Fan-less, yet still enough powerful to do information work and being very mobile with the built in support for 4G/LTE.

Although the “no noise” thing is true for my Surface Pro X (SQ1) I recommend you look this up for the particular model you potentially will be purchasing.

ARM based devices generally use little energy and thereby produce little heat and with that often do not need any fans that generate noise.

Summary and recommendation

As I see it, the ARM platform is mature enough to put in hands of end-users. The security features of Windows are there (except for Application Guard which very few use) and basically all applications work, especially if you are using the Microsoft 365 suite.

Would/will I choose an ARM based device when the Surface Pro X support come to an end? The answer to that question is “yes, absolutely!”. Do I recommend end-users or organizations to try or evaluate ARM based devices? Yes, you should start today! As always, you need to test and make sure everything the end-users needs is working, before you do any broader deployments of ARM based devices.

Smart App Control vs Application Control in a cloud-native world

Smart App Control is a new feature in Windows 11 22H2 that allows only certain trusted, verified and reputable executables, DLL files and MSI installers to run. Anything not trusted will be blocked from running. This leaves us with a very high security posture.

Microsoft says this feature is intended for consumers and small businesses – and recommends larger organizations and enterprises to use Defender Application Control, which uses the same technology in the background, and has been available since the launch of Windows 10.

This blog post covers Smart App Control versus Defender Application Control in a cloud-native world, where Windows devices are connected only to Azure AD and Intune.

Background

One thing to start with – forget AppLocker as it is too weak and has too many flaws. We need something more secure that also includes anything running on the machine, regardless of user space vs kernel space and also applies to local administrators. At the same time, it must be hard to circumvent which is true for both Smart App Control and Application Control. AppLocker is too easy to circumvent, for instance by using a trusted process by AppLocker to load a malicious DLL file. See a number of examples on AppLocker bypasses here.

High-level overview

Smart App ControlApplication Control
Target audienceConsumers and small businesses.Organizations and enterprises.
ModesOn (Block), Evaluation (Audit), Off.Audit or Block mode.
ExceptionsNo exceptions possible – you are 100% in hands of Microsoft control and deciding what is trusted and reputable.You can create exceptions; however, it involves a certain amount of administration and manual work.
EnablementOnly for fresh deployment/installations, or resets of Windows 11 22H2.Any given time – whenever you choose to deploy it.

Goal is to set On (Block) mode, but first Evaluation (Audit) mode

Whenever enabling a technology that will effectively block stuff, it is highly recommended to first assess the situation obtaining intel about what would happen if we set a feature like this in On or Block mode.

So, our goal is without a doubt to first audit and collect information that we can use to evaluate how enabling either Smart App Control or Application Control in block would work. This is the focus to come, when we look at options on enabling audit/evaluation mode.

At the same time, we need to weigh in that running in audit mode gives us no raised security, it will only collect information. The sooner we can enable Block or On mode, the better.

Options to enable via Intune

Smart App ControlApplication Control (AppLocker CSP)Application Control (ApplicationControl CSP)
TechnologyRegistry value1.Endpoint Protection configuration profile (uses AppLocker CSP in background).Using Custom OMA-URI configuration profile using ApplicationControl CSP.
Mode of allow control featuresDefault Allow Microsoft binaries + Intelligent Security Graph (reputable binaries) + Microsoft recommended driver block rules + Microsoft recommended block rules (with exception of what is noted here)Default Allow policy in Audit or Block mode. “Optional” to use Intelligent Security Graph (reputable binaries), but if you want it to work and not block you from working you MUST use Intelligent Security Graph. Custom policy which might contain any number and type of rules, including Intelligent Security Graph.
Managed installerNo, not available.No, not available.Yes, this is possible. You can set Intune agent as Managed Installer to trust everything that comes through Intune. However, Managed Installer can only be applied via a custom created AppLocker XML file which must be applied with an AppLocker PowerShell command, plus the Application Control must use option 13 which is the “Managed Installer” enable switch.
RebootNo, not when applied but requires a reboot to take effect.When applied it forces a reboot of the computer, both in audit and block mode. This breaks ESP (Enrollment Status Page) when using Autopilot. No, not when applied, but needs a restart to take effect (unless you specify option 16 when creating the policy).

1 Registry value to configure Smart App Control is found in HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy. The DWORD value named VerifiedAndReputablePolicyState can be set to 0 = Off, 1 = On or 2 = Evaluation.

AppLocker CSP vs ApplicationControl CSP

The big difference is that the AppLocker CSP always requires a forced reboot, which means we cannot use it in practice when doing Autopilot and using the Enrollment Status Page. That leaves us with manual configuration of Application Control via ApplicationControl CSP, which is the most secure option where you are in total control. The only problem is that this involves many manual steps, and this surely needs a user interface (in Intune).

“WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only”

https://learn.microsoft.com/en-us/windows/client-management/mdm/applicationcontrol-csp?source=recommendations

Example policies and check if policy is applied

You can check what policies are applied, if any on your computers, by looking at two places in the file system. If only one single policy is applied, which is the case if using Application Control with AppLocker CSP, it will be found in the below directory and names SIPolicy.p7b:

C:\Windows\System32\CodeIntegrity\CIPolicies

However, if multiple policies are applied, which is the case if you applied Smart App Control or using ApplicationControl CSP with base and supplemental policies, they will be found in:

C:\Windows\System32\CodeIntegrity\CIPolicies\Active

You can also start msinfo32.exe and see the current configuration.

Caption from msinfo32.exe

Analyzing potential impact of Smart App Control or Application Control

Regardless of if you enable Smart App Control in Evaluation mode or Application Control in audit mode, you can and must follow-up in Microsoft 365 Defender portal (https://security.microsoft.com). This is where you find everything you need to get an overview of the current situation.

Timeline

If you go to a specific device in the Defender portal (https://security.microsoft.com), you can explicitly see the actions by Application Control (and Smart App Control).

Device timeline showing block actions for this particular device.

KQL – Advanced hunting

To be able to get the big picture in a larger organization we need to use advanced hunting to get all the information we can about the audit events.

Smart App Control or Application Control in Evaluation / Audit mode

Use the following KQL query to list everything that would be blocked if switching the Smart App Control to On or Application Control policy to Block mode.

DeviceEvents
| where ActionType == "AppControlCodeIntegrityPolicyAudited"

Smart App Control or Application Control in On / Block mode

Use the following KQL query to list everything that is noticed by users that is blocked when running in On or Block mode.

DeviceEvents
| where ActionType == "AppControlCodeIntegrityPolicyBlocked"

To execute these KQL queries, head over to security.microsoft.com and go to Hunting > Advanced hunting and run the query and note the results, see below example:

Blocked actions, i.e. files that were prevented from being executed.

Getting from audit / evaluation mode to Block / On

Getting from Evaluation mode to On when using Smart App Control is technically easy – but the limitation is that you cannot create any exceptions if necessary. This basically means that you will be forced to live with some things being blocked, provide other means of delivering that app such as via Cloud PC, or simply disabling Smart App Control. In the best of worlds, having Smart App Control in On mode from day 1, let it be only for some or almost all devices is a huge security gain.

Getting from Audit mode to Block for Application Control requires some work as you will have to create the baseline policies and test, test and test before deploying full scale.

Something to note here as well is that when using Application Control, it is a strong recommendation to have the policies signed with a code signing certificate to provide the best security, i.e. protect the policy or policies from tampering by users or administrators. The code signing recommendation also adds some complexity to the process and routines around handling the signing itself.

Summary

I agree with Microsoft that Smart App Control is limited when it comes to exceptions and that Application Control is the superior technology to use. However, as it looks right now, there are no shortcuts to using Application Control and for most organizations, the threshold to pass to get to a block mode today is extensive and very time-consuming. At the same time, there are technical implementations that break most Autopilot scenarios which is not OK to step aside from.

What I really like about Smart App Control is that you get it for free when fresh installing or obtaining Windows 11 22H2 machines, having the ability to easily turn on the protection mechanism that will truly protect your devices. And you can start monitoring from day 1, and with minimum effort easily enable the protection mechanism.

The big drawback of Smart App Control is that you cannot make any exceptions if something is blocked and you want to allow it, that is very obvious. In this scenario you would have to disable Smart App Control or present the application to the users in another way, via for instance Azure Virtual Desktop where you could publish the application as a remote application.

So, what Microsoft should provide are the tools that will help IT departments to enable Application Control. There must be an easy way via Intune to 1) making sure we have an easy way of defining the Intune agent to become a managed installer and 2) making it easy to create a great baseline policy, and 3) making it easy to create supplemental policies whenever something needs to be allowed (as an option to deploying the binary via the Intune agent).

Enrolling shared Hybrid Azure AD Joined Windows devices to Intune

I think this is a really interesting case and although Hybrid Azure AD Join is something I am not recommending over Azure AD Join, sometimes there are circumstances that leads to no other choice but to adjust and make the best out of the situation and plan for a better solution more long-term.

Current situation and scenario goal

The mission is to enroll all Windows devices (shared and Hybrid Azure AD Joined) to Intune and the specifications are as below:

  • Windows 10 and 11 Enterprise 21H2 (or 22H2) computers which are Hybrid Azure AD Joined.
  • The devices are used as shared computers, so there are no primary users of these devices.
  • Intune licenses are device based, not user based which is the typical and most common scenario.
  • Microsoft Endpoint Manager Configuration Manager is NOT used.

The million-dollar question is how these shared computers can be enrolled into Intune automatically? The scenario must cover both enrolling newly deployed computers as well as existing computers. The solution must be fully automated i.e., no manual steps must exist in the process.

Note: The typical GPO to enable MDM automatic enrollment via user credential cannot be used as the users do not have Intune licenses.

Potential solutions

My thoughts on how to come to a solution came pretty much in this order, and turns out to be a real challenge

1. Use “Device Credential” in the GPO “Enable automatic MDM enrollment…”

The GPO “Enable automatic MDM enrollment using default Azure AD credentials” got a new option some years ago and can be set to “device credential” instead of the default “user credential”. Sounds like the perfect solution!

Problem: Error code 0x80180001 in the event logs “Device based token is not supported to enrollment type OnPremiseGroup PolicyCoManaged”. It turns out that this setting is only supported using MEMCM/SCCM or Azure Virtual Desktop, and obviously blocked or not meeting the technical requirements on other machines.

2. Autopilot self-deploying mode profile

That was a good idea although self-deploying profiles cannot be used as it supports only Azure AD Join and not Hybrid Azure AD Join.

3. Provisioning package – Only enrollment

Using a provisioning package (PPKG) you could potentially enroll into an MDM solution (such as Intune) using Workplace/Enrollment settings as noted in Bulk enrollment – Windows Client Management | Microsoft Docs. However, “username and password security type not supported”. However, this enrollment seems to primarily be targeted and intended for third party MDM solutions or the now long gong feature to enroll into on-premises MDM in Configuration Manager, not Intune. Or did anyone succeed in enrolling into Intune this way? If so, please ping me!

4. Provisioning package – Using bulk enrollment token

Although this way is typically used for performing Azure AD Join + automatic Intune enrollment using a Device Enrollment Manager (DEM) account, I thought I’d try it out to see what happens as I never tried this on a Hybrid Azure AD Joined computer.

Well after obtaining the bulk enrollment token through the simple wizard in Windows Imaging and Configuration Designer, I switched to advanced mode and got rid of everything from the provisioning package apart from the Azure/bulk enrollment token parts.

I then ran the provisioning package on my target test machine and the enrollment seem to have worked. Although, it resulted in another device object in Azure AD, and it successfully enrolled into Intune.

Running a PPKG using Bulk Enrollment token on an already Hybrid Azure AD Joined Windows device – this is the result in Azure AD!

Hmm, not ideal but a big step in the right direction. Another question or thought is that even though this works technically, how far from being a supported is this scenario? Intune-device based licensing supports DEM accounts as enrollment type as per Licenses available for Microsoft Intune | Microsoft Docs, and the bulk enrollment is supported as well as per Enroll devices using a device enrollment manager account – Microsoft Intune | Microsoft Docs.

Next steps and summary

Well, automating the application of PPKG from step 4 above as part of the deployment process is easy, it needs some additional checks though as the provisioning package must only be run after the successful Hybrid Azure AD Join has taken place, otherwise I see this will fail. Not optimal and requires more testing, and even if this would work the scenario is a true corner-case!

Going back to Autopilot self-deploying mode seems a lot easier, so let’s evaluate what needs to be in place for this to become reality, overcoming the hurdles!

A modern Windows client platform connected to Azure AD and Intune only is the future – here is why you should start testing today!

By connecting your Windows devices solely to Azure AD and Intune you will improve the work lives of for your users and make it easier for you in IT to manage the platform during the device lifecycle.

Windows devices in the future are no longer connected to a traditional Active Directory, and they are not managed by Configuration Manager or other on-premises management tools, and not with Group Policies. The Windows devices of the future are independent of your datacenter which means IT can focus on improving availability of the resources the end users are dependent on in their daily work, which are applications, tools, and information.

End user experience and challenges today

Are you and your end users sick and tired of the fact that starting and logging into Windows takes several minutes? One common cause for this is a legacy of many years of GPOs and scripts that are executed at start and logon.

Do your end users still need to come into the office network to get all updates, configuration or changing password? This is something that becomes a non-issue in the cloud-only world. Even though these types of needs have decreased because of the pandemic I still see and hear about this too often.

Improving end user experience and simplifying are the keywords

The reasons of going cloud-only on your Windows devices are very much about significantly improving your end user experience, and at the same time making it easier to manage for you in IT. To continue doing what many organizations are doing today, i.e., managing Windows with existing on-premises AD and GPOs, running devices in Hybrid Azure AD Join state plus adding co-management and Intune just makes your life in IT more complex and harder, and give your end-users very few benefits to be honest. Everyone would gain from letting go of on-prem AD and traditional managing software such as Configuration Manager.

Microsoft recommends going cloud-only and not staying in hybrid mode

The fact is that Microsoft is recommending the hybrid scenario only as an interim solution for existing devices. For new devices Microsoft are very clear that they recommend cloud-only devices.

Keep in mind that while Microsoft fully supports hybrid Azure AD join, we designed this capability as an interim solution for existing endpoints. We strongly encourage customers to begin their planning and implementation of full Azure AD-joined systems as soon as possible.

Source(s): Success with remote Windows Autopilot and hybrid Azure Active Directory join – Microsoft Tech Community and Planning for cloud-native Windows endpoints and modern management – Microsoft Tech Community

The most common myth killed once and for all – access to on-premises resources

The fact is that most organizations still have, and will have for many years to come, user resources in their datacenter on-premises. How do users get access to file share, printers, and applications on-premises when the Windows device is only in the cloud? With Windows Hello for Business Cloud Trust or FIDO2 security keys, this has never been easier to setup and enable!

Pros for cloud-only Windows devices

  • Performance and user experience. Microsoft’s former corporate vice president for Microsoft 365, Brad Anderson, compared his iPhone to a cloud-only Windows device s few years ago. The Windows device started and became usable faster than an iPhone. That is a notable example that still is valid. Mobility, speed, and battery life is something the users really appreciate.
  • Reduced complexity. What I see is that customers that are running in the hybrid scenario has a complex day-to-day life in IT, in terms of managing and troubleshooting. You have two environments to take into consideration all the time which makes things sometimes twice as hard or take more time than it should to achieve the goal at hand.
  • More time for valuable work. How much time do IT spend on keeping the basic infrastructure working? By that I mean specially Configuration Manager which always have had problems with agents, driver packages becoming corrupt after working for years etc. I have through my years spent too much time on just keeping things at a working level, it is time to bury Configuration Manager and spend this time on more valuable work such as follow-up and proactiveness.
  • Get rid of your legacy. Most organizations have over the years migrated to a number of Windows client platforms, from Windows 2000, XP, Windows 7, to Windows 10 and soon Windows 11. What most organizations have in common is that the same GPOs and scripts are still being applied although first configured 15 years ago, even though some policies have been cleaned out through all migrations. Switching to cloud-only is the perfect fresh start of getting rid of all your legacy stuff and start building on something new!

Cons for cloud-only Windows devices

  • Not for everyone. Being able to utilize Microsoft cloud services is a pre-req of course. To be honest, there are more challenges that could block an organization from going cloud-only. Things such as 802.1x can be a challenge and specific requirements around security another. The point is, if you do not even try you will not know what to solve or what Microsoft will eventually deliver in their product and services to solve your blocker. Adding cloud-only Windows devices to your roadmap and work on dependencies is essential in making progress.

How to get started?

So how do you get started? In its simplest form, start with Autopiloting (Azure AD Join + Intune) the device and then perform all your day-to-day work on a cloud-only Windows PC. After that start solving the challenges that you face, creating a configuration baseline and deploying applications that you need. Some challenges will be harder to pass than others, and some might be blockers. The point is, without starting your journey toward a future cloud-only future Windows device you will not know what to fix and what to talk to for instance the network team about.

Microsoft has a good starting point at Get started with cloud native Windows endpoints – Microsoft Endpoint Manager | Microsoft Docs.

Summary

To summarize, the future is to have your Windows devices connected cloud-only Azure AD and Intune. That has great advantages for end-users as well as IT. The fact that Microsoft themselves are living by this already, and the fact that they point customers towards this direction and in combination with all benefits should make this decision easy.

Profile management overview in Windows – how to get back to a working state after a reinstall or reset (or renewal of device)

This is a high-level summary of the specific needs, business impact and listing of current profile management options for your physical and virtual Windows 10 and 11 devices. The focus is how to get back to a state which can make you productive as soon as possible after a device reinstall or reset. This scenario of course also covers when you get a new device that replaces an older one.

Business impact

Most organizations have a policy that “we will troubleshoot a problem on a Windows device for X number of minutes, if we can’t solve it, let’s do a reinstall or reset”.

This might seem like a great policy that saves time for the service desk. But the numbers the management do not see is how much time have service desk have to spend on helping the user get back on track after the reinstall or reset? The same goes when user needs help transferring from one device to another as part of regular renewal of device. The potential time-saver here is enormous. If the user can get to a state that has everything the user needs available instantly, the user can become productive much quicker.

A consequence of having everything brought back quickly is that not only can the user be productive quicker, but the user will much more likely agree to a reinstall or reset when knowing the user can start working without hazzle again. It might also mean that you can reduce troubleshooting time from say 60 minutes down to 15 before you do a reinstall or reset. Overall a real time-saver and money-saver!

Needs and goals

High-level goals:

  • Getting back to a state where a user can start working as soon as possible after re-install or reset of the device, or even when switching device as part of hardware renewal.
  • “Everything back as it was” (more details on this below). I.e., the time the user needs to spend on getting back to a state that just works as before needs to be minimized.

Expanded description of goals:

  • All files and documents back as they were and accessible by user.
  • All required applications back as they were. (This is out of scope for this blog post as most organizations use ConfigMgr, Intune or a third-party software to deploy applications).
  • All relevant settings back:
    • Specific settings for line of business applications.
    • Outlook signatures and calendar settings etc.
    • Printers and printer settings.
    • Browser related settings, favorites, and history, including saved passwords.
    • Mapped SharePoint sites (Teams files) in File Explorer.
    • Settings for apps.

Solutions

Let’s have a look at what Microsoft technologies are available to solve the needs.

Personal files and documents

  • OneDrive for Business with Known Folder Move.
    If you have the possibility to use OneDrive for Business this is the best solution out there. Make sure to set the GPO or MDM setting to silently configure OneDrive to automatically have your OneDrive folder available after re-install or reset. Also set the policy setting “Enable Known Folder Move” to make sure that Desktop, Documents and Pictures folders are redirected to your OneDrive Folder. Reality check, do you know anyone who do NOT save stuff they need on the desktop? :)
  • Work Folders (which I typically call the internal OneDrive).
    Setting up Work Folders is easy, the role has existed in Windows Server since 2012 R2, thus requires a Windows File Server to setup and enable. Once you’ve setup Work Folders, use good old redirection of Documents and Desktop folders (and maybe Pictures as well) pointing to the local Work Folders directory just like it is done with Known Folder Move for OneDrive for Business.
  • Folder Redirection + offline files.
    Only two words: Stay away! (And migrate as soon as possible to OneDrive for Business or Work Folders if you are already using it). For some organizations I have worked with I have made it opt-in to use offline files, clearly stating the potential risks when opting in. Offline files cause user problems and have very high risk of user data loss.

Common or shared files and documents

  • SharePoint Sites (Teams files directories).
    Many users prefer to work with SharePoint sites and Teams files by syncing them to work with the files in File Explorer. There is no official way of having these remapped automatically after a reinstall or reset of a Windows device.

Settings

  • User Experience Virtualization (UE-V).
    I have many times referred to UE-V as the best thing since sliced bread. It is a technology that was released for about 10 years ago, with the intent to provide roaming of settings for Windows and applications (both Microsoft and any third party), using on-premises file shares. It also roams printers if you are not deploying those through other means.

    Since Windows 10 version 1607 UE-V is integrated in the operating system. I’ve used UE-V quite a lot and this is a really good technology to get many settings back after a reinstall. In one case I could do a F12 reinstall of a Windows 10 device before going to lunch and after lunch I logged in and started working instantly, with all settings back. Those were the days!

    Over time as applications are moving to the app’s world, UE-V has basically become less effective in its job. Also, after adding UE-V to Windows version 1607, UE-V has not gotten much love from Microsoft and as no development has been made for almost six years this is still something that most will benefit from, but sad to see that Microsoft do not care for this.
  • Enterprise State Roaming.
    About the same time that UE-V was integrated into Windows 10 we also saw the introduction of Enterprise State Roaming. This is a technology that use the cloud (a private protected and untouchable area) in Azure to store profile settings that roams with the user. For instance, background image, Windows theme settings and some other stuff is being roamed when enabling this through Azure AD. Sad to say, this feature is facing the same destiny as UE-V, with no new features or changes for the last six years or so.

    Actually with Windows 11 the number of settings that roam using Enterprise State Roaming have decreased, now only roaming passwords, some Windows settings, and language preferences.
  • FSLogix profiles.
    Microsoft bought FSLogix and with that obtained their profile technology. This is a container-based profile solution used primarily in remote Windows solutions, such as Azure Virtual Desktop. Although the technology should be possible to use on physical machines as well, I haven’t many details regarding this and haven’t tried it our myself. One reason for this is that FSLogix profiles requires an Active Directory and is not yet (per January 2022) supported for Azure Active Directory, although this is announced in the future.
  • Edge profile sync.
    The new and lovely Edge has profile sync with roaming built-in which is very much appreciated. Sign in with your school or work account and off you go! You’ll also find some additional information on Configure Microsoft Edge enterprise sync | Microsoft Docs.
  • Outlook settings roaming.
    Finally you can roam your email signature and a bunch of other settings to the cloud – without doing anything other than making sure this option is enabled. Take a look at Outlook roaming options to get more information about this one.

Note 1: Roaming profiles take care of both files and settings but like with folder redirection and offline files: Stay away from roaming profiles to make your life happier.

Note 2: As apps in Windows always store their configuration and user specific data in a standardized location. That is C:\Users\%username%\AppData\Local\Packages\%AppName%\ which means Microsoft should be able to provide a supported way of roaming these settings.

What settings can you use?

Depending on how your Windows devices are managed you can use some or all these technologies. This is applicable for Windows 10, Windows 11, Windows 365 as well as Azure Virtual Desktop. Note: All technologies below are not necessarily supported for all physical and virtual use cases.

Active Directory JoinedHybrid Azure AD JoinedAzure AD Joined
User Experience Virtualization (UE-V)Yes, pointing to file shareYes, pointing to file shareYes, pointing to OneDrive
for Business local folder*
Enterprise State RoamingNoYesYes
FSLogix profilesYesYesNo (not supported yet)
Edge profile syncYesYesYes
Outlook settings roamingYesYesYes
Summary of what profile technologies are available for various Windows device join types.

* For configuration, this is a great start: Manage User Experience Virtualization on the Modern Desktop | Aaron Parker (stealthpuppy.com)

Support matrix

Windows 10/11 – PhysicalWindows 10/11 – VDIWindows 365Azure Virtual Desktop
User Experience Virtualization (UE-V)YesYes**
Enterprise State RoamingYesYesYesNot supported**
FSLogix profilesNot supportedYesNot supportedYes***
Edge profile syncYesYesYesYes
Outlook settings roamingYesYesYesYes
Summary of what profile technologies are supported officially by Microsoft.

* Technically it will work, but likely not supported by Microsoft for Windows 365 nor Azure Virtual Desktop.
** Supported only for personal pools – not multi-session Windows 10 or 11, nor Windows Server.
*** For Azure Virtual Desktop, currently there is no support for Azure AD Joined devices.

Summary

With the existing Microsoft tools and technologies, you can reach a state where most of the stuff you want back actually is configured and brought back automatically. Getting the files and documents back is easy. Edge profile sync and Outlook settings roaming are a no-brainer and should be used by everyone.

UE-V and Enterprise State Roaming are not developed anymore but they still fill a purpose and can be very useful to save time, starting today, as they are very easy to get started with and has a very low implementation cost. FSLogix profiles are primarily intended for datacenter hosted solutions.

With those facts, there is a strong need for Microsoft to strengthen profile management to make it the true time-saver it can be. IT management would very much appreciate it I can assure. But the ones that would appreciate this the most are the end users!

Problem with “New User” being the only account on the sign-in screen after reboot

This is one of the most mysterious problems I’ve encountered! Anyone who can provide input is more than welcome to ping me on Twitter or Teams, or help by entering some basic information in this form.

UPDATE September 6, 2022: Update the problem description as the Web sign-in setting is also causing problems using Cloud PC (Windows 365): “Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?”. See more below under “Problem #2”.

UPDATE July 6, 2022: A response from Microsoft leads to the root cause being Web sign-in being enabled, which is in preview (and has been for quite a few years) and is also unsupported. Still does not explain the extreme intermittent occurrence of the problem but at least a great indicator and something to validate.

UPDATE July 5, 2022: Added this form to gather and hopefully be able to get to the root cause. Also, I’ve gotten indications on a potential causes leading to the New user state, more below.

Problem #1

You restart your Windows 10 or Windows 11 device (Azure AD Joined + MEM/Intune enrolled) and after the restart, instead of displaying the last logged on user, the only account on the sign-in screen is an account named “New User”.

This happens extremely rarely, but I’ve seen it a few times. The “New User” comes from nowhere and if you click Switch user it just returns to the same view as below.

I have seen the problem a few times for multiple Windows 10 versions back to at least Windows 10 v1909, and on multiple devices from multiple vendors. Unfortunately I’ve seen it once on a Windows 11 device as well. The other day this problem hit a colleague of mine as well so it’s not just me :) .

Problem #2

Cloud PCs established as part of Windows 365, in Azure AD Joined mode, experience the sign-in message that Other user is already logged in, every time when logging in (and even after restart):

Another user is signed in. If you continue, they’ll be disconnected. Do you want to sign in anyway?

Cause

I’ve gotten reports (thanks to the community) with a response from Microsoft leads to the root cause being Web sign-in being enabled, which is in preview (and has been for quite a few years) and is also unsupported.

This is also true for the environments where I have seen this problem occur so this is the most likely cause of the “New user” phenomena causing Problem #1!

For Problem #2 this setting is confirmed to be the problem – as that problem was very easy to reproduce!

Solution

Disable Web sign-in!

Summary

The Web sign-in setting is really treacherous, causing a lof of head ache. I suppose this is the reason Microsoft is not recommending this setting.