MDM & GP Tips Blog

Sep 04, 2023

Creating Mapped Drives with Group Policy and Intune

Group Policy admins have been mapping drives for years, while mapping network drives with an MDM has proved challenging. The good news is that you can use both Group Policy Preferences and Microsoft Intune to map network drives for your users. It's just a lot easier with Group Policy.

Mapping Drives with Group Policy Preferences

Let’s start with Group Policy. Create a GPO using the Group Policy Management Console and go to User Configuration > Preferences > Windows Settings > Drive Maps. As this is a brand-new mapping I will select Create as the Action. Then type in the UNC path of the shared folder you want users to access. Check the Reconnect box to make it a persistent connection that will appear every time they log on. Under Drive Letter, I assigned a specific drive letter as shown below.

Because I am using Group Policy Preferences I can take advantage of Item-level Targeting to target the GPO more specifically at the exact users I want. Item-level Targeting is a feature not available in traditional Group Policy or Intune. In this case I want to target it to members of the managers group, but only have the mapping applied to desktop computers running Windows 10. The screenshot below shows how I did this after clicking on the Common tab.

Mapping Network Drives with Intune

For users who solely use their laptops for mobile or remote functions, mapping a network drive to a laptop managed by an MDM may not be logical. However, if all your computers are Azure AD joined and you wish to map drives, Intune doesn't provide a straightforward menu-driven method. You'll need to rely on PowerShell. Begin by creating a PowerShell script containing a New-PSDrive command, structured as follows:

New-PSDrive -Name "M" -PSProvider FileSystem -Root "ADDRESSOFTHEFILESHARE" -Persist

In this instance, the command looks like this:

New-PSDrive -Name "M" -PSProvider FileSystem -Root "\\Fileserver1\Marketing" -Persist

BTW, if you wanted to use PowerShell to map a local drive, it would look like the following:

New-PSDrive -Name "Document" -PSProvider "FileSystem" -Root "C:\Users\susan\Documents"

Save your PS script and now go to the Microsoft Intune Admin Center. Go to Devices > Scripts and Add a Windows 10 Script. Name the script and then configure the following settings as shown in the screenshot below.

Then assign the script to the designated users and finish out the wizard. For those who don’t want to use PowerShell, there are third-party solutions out there such as custom ADMX templates that you can download and then import into Intune.
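The one-line New-PSDrive command above is enough to create the mapping, but a script that Intune runs on hundreds of machines should also cope with the share being unreachable, the drive letter already being taken, and the script being run in the wrong context. The following script is an added example written for this page, not the post author's script. It assumes the drive letter M and the share \\Fileserver1\Marketing from the post; the log file location is this example's own choice.

```powershell
<#
 Added example (not the blog author's script): maps a file share as a persistent
 drive for the signed-in user and handles the common failure cases, an unreachable
 share and a drive letter that is already in use.
 Assumed values: drive letter M and share \\Fileserver1\Marketing from the post;
 the log file path is constructed for this example.
#>
$DriveLetter = 'M'
$SharePath   = '\\Fileserver1\Marketing'
$LogFile     = Join-Path $env:LOCALAPPDATA 'Intune-MapDrive.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# A mapped drive lives in the user's logon session, so the script only makes sense
# when Intune runs it "using the logged on credentials". Running as SYSTEM would map
# the drive for the SYSTEM account rather than the user, so bail out explicitly.
if ([System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    Write-Log 'Running as SYSTEM; set the Intune script to run in the user context.'
    exit 1
}

# Confirm the share answers before changing anything; a non-zero exit code makes
# Intune report the failure instead of recording a success that mapped nothing.
if (-not (Test-Path -LiteralPath $SharePath)) {
    Write-Log "Share $SharePath is not reachable; no mapping created."
    exit 1
}

# Leave an existing mapping alone unless it already points at the same share.
$existing = Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue
if ($existing) {
    if ($existing.DisplayRoot -ieq $SharePath) {
        Write-Log "${DriveLetter}: already mapped to $SharePath; nothing to do."
        exit 0
    }
    $current = if ($existing.DisplayRoot) { $existing.DisplayRoot } else { $existing.Root }
    Write-Log "${DriveLetter}: is already in use ($current); not overwriting."
    exit 1
}

# -Persist turns the PSDrive into a real Windows mapped drive that survives the
# PowerShell session and shows up in File Explorer; -Scope Global keeps it out of
# the script's local scope so it is not torn down when the script ends.
try {
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $SharePath `
        -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Log "Mapped ${DriveLetter}: to $SharePath."
    exit 0
}
catch {
    Write-Log "Failed to map ${DriveLetter}: $($_.Exception.Message)"
    exit 1
}
```

When you upload this in Devices > Scripts, set "Run this script using the logged on credentials" to Yes; otherwise the SYSTEM check at the top fails on purpose and the Intune console shows the script as failed rather than silently mapping a drive nobody can see.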

Aug 21, 2023

Use Intune to Enforce Edge Typosquatting Protection

Typosquatting, often referred to as URL hijacking or domain mimicking, involves registering domain names strikingly similar to well-known websites. It preys on users who mistype web addresses, leading them to imitation websites instead of their intended destinations. Once there, users might unknowingly enter sensitive information or inadvertently download malware.

Major browsers like Microsoft Edge have built-in typosquatting protection. If users enter a potentially harmful site address by mistake, Edge alerts them. Though this feature is typically active by default, it's wise to verify its status. You can do this with Intune by creating a Configuration Profile.

Create a new Configuration Profile and select ‘Windows 10 and later’ as the Platform and choose the Settings catalog as the Profile. Click ‘Add settings’ > search for the word ‘typo’ and select:

Microsoft Edge \ Typosquatting Checker Settings

You can then choose either of the Configure Edge TyposquattingChecker options as shown in the example below. I chose both just to illustrate. Once selected you can enable the settings to the left. Then click Next and assign the policy to your designated groups and save it.

Aug 07, 2023

How to Create Path Exclusion Policies for Windows Defender Using Intune

You’ve just deployed a new application or client-side extension to your Windows laptops and suddenly their system performance and battery life begin to crater. The culprit could be Windows Defender. Windows Defender automatically scans new software and its activities for potential threats as part of its real-time scanning feature. Naturally, this scanning process will manifest as higher CPU usage. If the new software handles a lot of data, such as in the case of a web filter client app, it could create perpetual CPU spikes that can degrade system performance and consume battery power.

If you trust the new software you've installed and don't want Windows Defender to continuously monitor it (and thereby use up CPU resources), you can set an exclusion path for it. An exclusion path tells Windows Defender to skip scanning the files and activities associated with a specific directory where trusted applications are installed. You can create an exclusion path policy using either Group Policy or an MDM such as Intune. Exclusions should always be used judiciously to maintain a strong security posture so only use them when you need to.

Creating Path Exclusions with Group Policy

Let’s use a scenario in which I need to create an exclusion path for a web filter client application simply called WebFilter. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions and enable “Path Exclusions.” Once enabled you must then add the path(s) to be excluded. In this case there are two paths.

C:\Program Files (x86)\WebFilter\AuthenticationAgent\bin

C:\Program Files (x86)\WebFilter\MobileZoneAgent\bin

The policy configuration is shown below.


Another option is to create a process exclusion which would exclude a designated process or executable from being scanned. In this case the process path might be C:\ProgramFiles\WebFilter\WebFilter.exe. You can also use wildcards in a process exclusion list such as C:\ProgramFiles\WebFilter\*

Creating Path Exclusions with Intune

Using the Microsoft Intune Center, go to Devices > Configuration Profiles > and create a new profile using Windows 10 and later as the Platform and Administrative Templates for the Profile type. Name the policy and then navigate to Computer Configuration > Windows Components > Microsoft Defender Antivirus and Enable “Path Exclusions” as I did earlier with Group Policy as shown below.

You will then be prompted to provide the exclusion paths as shown below. Process Exclusions are also available if you want to go that way.

After implementing these path exclusions, you should witness a notable decrease in CPU utilization, effectively resolving the issue of CPU spikes and battery depletion.
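Because an excluded directory is a place where anything dropped there runs without real-time scanning, it is worth checking, on a client, what exclusions actually ended up in effect and whether any are broader than the single vendor directory you intended. The following script is an added example for this page, not code from the post: it reads the merged policy and local exclusions through Get-MpPreference, compares them to the two WebFilter paths from the post, and flags patterns that cover whole volumes or user-writable locations. The list of risky patterns is this example's own.

```powershell
<#
 Added example, not from the post: reports the Windows Defender exclusions in
 effect on a client and flags ones broad enough to undermine real-time scanning.
 Get-MpPreference shows policy-delivered and locally added exclusions merged.
 The two WebFilter paths from the post are the expected set.
#>
$ExpectedPaths = @(
    'C:\Program Files (x86)\WebFilter\AuthenticationAgent\bin',
    'C:\Program Files (x86)\WebFilter\MobileZoneAgent\bin'
)

# Patterns far broader than a single vendor directory: an entire volume, a
# whole-volume wildcard, user profiles, temp folders and common drop locations.
$RiskyPatterns = @(
    '^[A-Za-z]:\\?$',                   # C:\  (an entire volume)
    '^[A-Za-z]:\\\*',                   # C:\* (everything on the volume)
    '^[A-Za-z]:\\Users\\',              # anything under user profiles
    '\\Temp\\',                         # temp directories
    '\\(Downloads|Desktop|AppData)\\',  # common malware drop locations
    '^%'                                # environment-variable roots such as %TEMP%
)

function Test-RiskyExclusion {
    param([string]$Path)
    foreach ($p in $RiskyPatterns) { if ($Path -match $p) { return $true } }
    return $false
}

function Get-DefenderExclusionReport {
    $pref      = Get-MpPreference
    # Filter out $null so an empty exclusion list does not become a one-element array
    $effective = @($pref.ExclusionPath    | Where-Object { $_ })
    $processes = @($pref.ExclusionProcess | Where-Object { $_ })

    $missing   = $ExpectedPaths | Where-Object { $_ -notin $effective }   # policy did not land
    $extra     = $effective     | Where-Object { $_ -notin $ExpectedPaths } # beyond the expected set
    $risky     = $effective     | Where-Object { Test-RiskyExclusion $_ }
    $riskyProc = $processes     | Where-Object { Test-RiskyExclusion $_ }

    [pscustomobject]@{
        RealTimeMonitoringOff = $pref.DisableRealtimeMonitoring
        EffectivePaths        = $effective
        EffectiveProcesses    = $processes
        MissingExpected       = @($missing)
        UnexpectedPaths       = @($extra)
        RiskyPaths            = @($risky)
        RiskyProcesses        = @($riskyProc)
    }
}

$report = Get-DefenderExclusionReport
$report | Format-List
if ($report.RiskyPaths.Count -or $report.RiskyProcesses.Count) {
    Write-Warning 'Broad exclusions found; narrow them to the vendor directory or executable.'
}
```

Run it in an elevated session on a machine in the policy's target group after a policy refresh. A non-empty MissingExpected means the CPU problem will not go away because the exclusion never applied; a non-empty RiskyPaths means someone has traded far more protection than the two vendor folders required.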

Jul 31, 2023

Redirect to OneDrive for Business with Intune and Group Policy

Group Policy veterans will recall when it was common practice to redirect user files from the Windows known folders (like Desktop, Documents, and Pictures) to a central shared directory on an on-prem server. This allowed for roaming profiles, easier backups, and kept files off client devices. Well, you can also redirect those same files to OneDrive for Business to accommodate real-time collaboration and accessibility, compliance, and control.

If you aren’t currently utilizing OneDrive, you should, as it offers a list of great features. First off, it maintains user familiarity with file locations, so folder navigation is the same. Because OneDrive is cloud based, your users can access their files from anywhere on any device. It also offers file versioning and deleted-items capabilities that allow users to perform self-service file recovery. Here I will show you how to redirect the Windows known folders to OneDrive as well as a couple of other tips.

Using Group Policy to Manage OneDrive

If you have any existing Folder Redirection Group Policies, you will need to disable those before moving forward. Then make sure you have the necessary administrative template files. If you have OneDrive installed on your management machine you can get them using this file path.

%localappdata%\Microsoft\OneDrive\BuildNumber\adm

This path will look something like this in Windows Explorer.

Copy both template files to your central store and then create a GPO. In the Group Policy Management Editor, go to Computer Configuration > Administrative Templates > OneDrive. If you don’t see OneDrive, then you are missing the template files. The screenshot below shows the available settings.

To redirect files from the Windows Known folders, enable the “Silently move Windows known folders to OneDrive” and provide the Tenant ID for your enterprise. By default, all three known folders are selected but you can choose to only redirect specific ones as shown in the screenshot below.

Before implementing this, you may want to alert users of your intention for them to transition to OneDrive for Business by enabling the “Prompt user to move Windows Known folders to OneDrive.” Once enabled, your tenant users that sync their OneDrive will see a popup message that reads “Your IT department wants you to protect your important folders" the next time they sign in. A reminder notification will then appear in the activity center until all three known folders are moved.

Users also may have more than one OneDrive account so you may want to prevent them from uploading files to other organizations. You can do this by enabling the “Allow syncing OneDrive accounts to only specific organizations” and then list the allowed tenant IDs as is shown below.

Using Intune to Redirect Known Folders to OneDrive

Let’s do the same thing using Intune now. Using the Microsoft Intune Admin Center, navigate to Devices > Configuration profile > Create profile and select Windows 10 and later as the Platform and Administrative templates as the Profile type. Give a name to the profile and go to Computer Configuration > OneDrive and enable the “Silently move Windows known folders to OneDrive” setting as shown in the screenshot below.

To discourage users from uploading excessively large files or questionable file types, you can enable “Exclude specific kinds of files from being uploaded” and input keywords for the designated file types as shown below.
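Whether the settings above arrive through the GPO or through the Intune Administrative Templates profile, the OneDrive client reads them from the same policy registry location on the client, so one check verifies either deployment. The following script is an added example for this page, not code from the post or from Microsoft: it reads the known folder move, prompt and allowed-tenant settings and reports the problems that most often stop the redirection from happening, a tenant ID that is not a GUID, a tenant that differs from the one expected, or an allowed-tenant list that omits your own tenant. The tenant ID in the script is a placeholder to replace with yours.

```powershell
<#
 Added example, not from the post: checks the OneDrive known folder move policy
 as applied to a managed client. Group Policy and the Intune Administrative
 Templates profile both write to HKLM\SOFTWARE\Policies\Microsoft\OneDrive.
 The expected tenant ID is a placeholder, not a real tenant.
#>
$PolicyKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID
$GuidPattern      = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Return $null instead of throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-OneDriveKfmPolicy {
    $silent = Get-PolicyValue $PolicyKey 'KFMSilentOptIn'      # "Silently move Windows known folders to OneDrive"
    $prompt = Get-PolicyValue $PolicyKey 'KFMOptInWithWizard'  # "Prompt user to move Windows known folders to OneDrive"

    # Per-folder options of the silent policy; an absent value means the folder is included
    $folders = foreach ($f in 'Desktop', 'Documents', 'Pictures') {
        $v = Get-PolicyValue $PolicyKey "KFMSilentOptIn$f"
        if ($null -eq $v -or $v -eq 1) { $f }
    }

    # "Allow syncing OneDrive accounts to only specific organizations" stores each
    # permitted tenant ID as a value name under the AllowTenantList subkey
    $allowed  = @()
    $allowKey = Join-Path $PolicyKey 'AllowTenantList'
    if (Test-Path $allowKey) {
        $allowed = @((Get-Item $allowKey).GetValueNames() | Where-Object { $_ })
    }

    $problems = @()
    if ($null -eq $silent -and $null -eq $prompt) {
        $problems += 'No known folder move policy is applied to this machine.'
    }
    if ($silent -and $silent -notmatch $GuidPattern) {
        $problems += "KFMSilentOptIn is not a tenant GUID: '$silent'"
    }
    if ($silent -and $silent -ne $ExpectedTenantId) {
        $problems += 'KFMSilentOptIn points at a different tenant than expected.'
    }
    if ($allowed.Count -and $ExpectedTenantId -notin $allowed) {
        $problems += 'Own tenant is missing from AllowTenantList; the client will refuse to sync it.'
    }

    [pscustomobject]@{
        SilentMoveTenant  = $silent
        PromptTenant      = $prompt
        FoldersRedirected = @($folders)
        AllowedTenants    = $allowed
        Problems          = $problems
    }
}

Get-OneDriveKfmPolicy | Format-List
```

Run it after a policy refresh on a device in the target group. The AllowTenantList check matters because the restriction in the post is absolute: if you list other tenants but forget your own, users cannot sync their work OneDrive at all.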

Jul 17, 2023

Use Intune to Block Access to the C Drive

Blocking the C drive has always been one of the common restrictions that Group Policy admins enforced for standard user accounts. There are multiple reasons for restricting access to the C drive for non-admin users.

  • The first is system stability because it prevents basic users from accessing, altering, or deleting critical system files on their computers, thus minimizing potential issues that disrupt desktop operations and initiate a help desk ticket.
  • It reduces the chances of malware being introduced into the system and prevents users from installing unauthorized applications, opening suspicious files or clicking on malicious executables.
  • Blocking the C drive in some cases may be required by compliance regulations to restrict user access to certain system resources.
  • Keeping users out of the C drive can potentially simplify troubleshooting as it eliminates user file tampering.
  • For shared desktop computers it can help protect the data of other users who have logged onto the device.

Because Intune uses many of the same Windows Administrative Templates, it is easy to block C Drive access with Intune as well. Using the Microsoft Intune admin center, go to Devices > Configuration Profiles and click “Create profile.”  Select “Windows 10 and later” as the Platform and Administrative Templates as the profile. Name the configuration profile and go to User Configuration > Windows Components > File Explorer as shown in the screenshot below.

Scroll down through the settings and select “Prevent access to drives from My Computer” and choose Enabled. You can then select the drives you wish to block access to as shown below.

Click OK and click next. Then assign the configuration profile to the designated groups and you are done.
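Under the hood, "Prevent access to drives from My Computer" is stored as a single bitmask, the NoViewOnDrive DWORD under the user's Policies\Explorer key, with one bit per drive letter (A is bit 0, B bit 1, C bit 2, and so on; 0x3FFFFFF is the "restrict all drives" option). Knowing the layout lets you verify on a client which drives a user is actually blocked from. The following functions are an added example for this page, not code from the post: they encode a set of letters into the mask, decode a mask back into letters, and read what is currently applied to the signed-in user. One caveat a practitioner should keep in mind: this policy is enforced by the Explorer shell, not by NTFS, so it complements file permissions rather than replacing them.

```powershell
<#
 Added example, not from the post: encode, decode and read the NoViewOnDrive
 bitmask that "Prevent access to drives from My Computer" writes for the user.
 Bit layout: A = bit 0, B = bit 1, C = bit 2 ... Z = bit 25; 0x3FFFFFF = all drives.
#>
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-DriveMask {
    param([Parameter(Mandatory)][string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $c = $l.Trim().TrimEnd(':').ToUpper()
        if ($c -notmatch '^[A-Z]$') { throw "Not a drive letter: '$l'" }
        $mask = $mask -bor (1 -shl ([int][char]$c - [int][char]'A'))
    }
    return $mask
}

function ConvertFrom-DriveMask {
    param([Parameter(Mandatory)][int]$Mask)
    # Walk the 26 possible bits and emit the letter for each one that is set
    0..25 | Where-Object { $Mask -band (1 -shl $_) } | ForEach-Object { [char]([int][char]'A' + $_) }
}

function Get-RestrictedDrives {
    # Reads the value the policy (Group Policy or the Intune ADMX profile) applied to this user
    $item = Get-ItemProperty -Path $PolicyKey -Name NoViewOnDrive -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }   # policy not applied to this user
    ConvertFrom-DriveMask -Mask $item.NoViewOnDrive
}

# Usage: build the mask for the drives you intend to block, then compare with what is applied
$intended = ConvertTo-DriveMask -Letters 'C'
$applied  = @(Get-RestrictedDrives)
"Intended mask: $intended (0x{0:X})" -f $intended
"Restricted for this user: $(if ($applied) { $applied -join ', ' } else { 'none' })"
```

If the applied list is empty on a device that should be restricted, the usual causes are a profile assigned to a device group rather than a user group (the setting lives under User Configuration) or a policy refresh that has not yet run.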

Jul 03, 2023

How to Enable Personal Data Encryption Using Intune

Personal Data Encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides an additional encryption capability to Windows. PDE is different from BitLocker in that it encrypts individual files while BitLocker encrypts entire volumes. PDE utilizes Windows Hello for Business to link encryption keys with user credentials. This means you need only log on a single time, while BitLocker requires a separate PIN to be entered. Another difference is that unlike BitLocker, which releases data encryption keys at boot, PDE releases them once a user signs in using Windows Hello for Business. Until then, users cannot access the protected file content.

There are 3 prerequisites for PDE:

  1. The computer must be Azure AD joined
  2. It must be running the Enterprise or Education edition of Windows 11, version 22H2 or later
  3. Windows Hello for Business

Windows Hello provides fully integrated biometric authentication based on either facial recognition or fingerprint matching. Many laptops today have fingerprint readers or integrated compatible cameras to support it.

You should consider PDE as just another encryption layer for Windows on top of BitLocker that administrators can use to safeguard sensitive data. Don’t be confused by its name, because standard users cannot initiate PDE, nor can they protect personal files with it. When you stop to think about it, it makes sense, as you wouldn’t want malicious insiders to use it to hide data they shouldn’t have on their corporate devices. PDE can only be implemented by administrators, who also selectively choose which files to encrypt. PDE is ideal for business applications that work with sensitive files and should be heavily considered by those organizations that must adhere to compliance requirements.

You can enable PDE through Intune. By default, PDE on Windows 11 devices in the Intune settings catalog is disabled. There are two ways to enable PDE in the Microsoft Intune Admin Center. The easiest way is to navigate to Devices > Configuration profiles and choose the Settings catalog as the profile. Using the Settings picker, search for personal data encryption and select the PDE category. Then enable “Personal Data Encryption” as shown below.

Assign the policy to the designated groups or users and save it. You can also use OMA-URI settings to create the policy using:

./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption

as the OMA-URI path. Then choose Integer as the data type with an assigned value of 1. The final configuration should look like the screenshot below.

While support for PDE is limited currently, more applications will utilize it in the future.  


Jun 22, 2023

Simple Policy Assignments with Azure Dynamic Groups

If you have ever worked with Windows Group Policy, you may have used WMI filtering to target the application of your GPOs to a specific set of computers or users based on their characteristics. You could, for instance, create a WMI filter to apply a policy only to computers running a specific version of Windows, systems with a set amount of RAM, or a given IP subnet.

Microsoft Intune doesn’t utilize WMI filtering, but it does use Azure Dynamic Groups, which have a similar outcome. Dynamic groups automatically manage group membership based on user or device attributes in Azure AD. The membership of a dynamic group will automatically update when the designated attributes of a device or user change. Automated group management relieves administrators from the task of manually adding or removing users or devices from groups as their attributes change. Imagine your company had a lot of employee turnover or recently implemented a laptop refresh. Dynamic groups can then be used to assign policies to a set of users or devices.

Let’s start with a basic example. Let’s say you manage a fleet of corporate laptops running either Windows 10 or Windows 11 and you want to create policies that will specifically target each operating system. To create a Windows 11 dynamic group, use the Microsoft Intune admin center and go to Groups and click on New Group. Select “Security” as the Group type, give a group name and optional description and select Dynamic Device as the Membership type as shown in the screenshot below. Then click Add dynamic query.

Here you will add the expression(s) that will govern the group’s membership. As shown in the screenshot below, I selected “deviceOSType” as the Property, “Starts With” as the Operator and typed 10.0.2 as the value. Notice that the input values automatically appeared in the Rule syntax underneath.

Before clicking Save to create the group, you can first validate the rule(s) to ensure that they will apply the desired result. Copy the Rule syntax and click on “Validate Rules.” Paste the text into the Rules syntax box and select a device to run the validation with.

Once validated and saved, you can apply configuration policies to the new dynamic group. Let’s do another example where I want to create a dynamic group for three models of Dell laptops. In the example below I chose “deviceModel” from the Property drop down menu as well as the “Contains” Operator and then made an expression for each Dell model as shown below.

Note that you cannot add more than 5 expressions using the rule builder. If you need to work with more than 5 expressions, you need to add them directly into the rule syntax box. Here is an example below in which the rule builder is no longer available to edit the rule.

You can create dynamic groups for users as well. Simply create a new group and select “Dynamic User” as the Membership type and click “Add dynamic query” as shown below.

Here you will see a separate set of properties available for users. In the example below I chose “department” and “city” as the two Property attributes and assigned them values so that only salespeople in the Atlanta office will be added to the group. Should someone be transferred to a different office, that account will be automatically removed from the group.

As you can see, dynamic groups can simplify group management in large, dynamic organizations. They are a great way to ensure that policies, access rights and licenses are delivered according to real-time user and device attributes.
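The rule builder shows the rule syntax it generates, and the same syntax can be written directly, which is also the only way past the five-expression limit of the builder. The following script is an added example for this page, not code from the post or from Microsoft: it builds the rule text for the three groups described above (Windows 11 devices, three Dell models, sales staff in Atlanta), validates a rule against one object the same way the portal's "Validate Rules" does through the Graph evaluateDynamicMembership action, and creates the groups with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Groups modules are installed and the account has Group.ReadWrite.All; the group names, Dell model strings, department and city are sample values. The Windows 11 rule uses deviceOSVersion, the device attribute that carries the 10.0.x build string.

```powershell
<#
 Added example, not from the post: build, validate and create dynamic-membership
 rules with the Microsoft Graph PowerShell SDK.
 Assumes Microsoft.Graph.Authentication and Microsoft.Graph.Groups are installed.
 Group names, device models, department and city below are sample values.
#>
function New-MembershipRule {
    param(
        [Parameter(Mandatory)][ValidateSet('device', 'user')][string]$Scope,
        [Parameter(Mandatory)][string]$Property,
        [Parameter(Mandatory)][ValidateSet('-eq', '-ne', '-startsWith', '-contains', '-match')][string]$Operator,
        [Parameter(Mandatory)][string[]]$Values,
        [ValidateSet('and', 'or')][string]$Join = 'or'
    )
    # One parenthesised expression per value. The portal's rule builder stops at five
    # expressions; the rule text itself is only bound by its 3072-character maximum.
    $expressions = foreach ($v in $Values) {
        if ($v -match '"') { throw "Value contains a double quote, which the rule syntax cannot carry: $v" }
        "($Scope.$Property $Operator `"$v`")"
    }
    $rule = $expressions -join " $Join "
    if ($rule.Length -gt 3072) { throw 'Membership rule exceeds the 3072-character limit.' }
    return $rule
}

function Test-MembershipRule {
    param([Parameter(Mandatory)][string]$Rule, [Parameter(Mandatory)][string]$MemberId)
    # Same check as "Validate Rules" in the portal: evaluate one user or device object
    # (by object ID) against a rule before any group exists.
    $body   = @{ memberId = $MemberId; membershipRule = $Rule }
    $result = Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/groups/evaluateDynamicMembership'
    return $result.membershipRuleEvaluationResult   # $true when the object would be a member
}

function New-DynamicSecurityGroup {
    param([Parameter(Mandatory)][string]$DisplayName, [Parameter(Mandatory)][string]$Rule)
    # MailNickname is required even for security groups and cannot contain spaces
    $nick = $DisplayName -replace '[^A-Za-z0-9]', ''
    New-MgGroup -DisplayName $DisplayName -MailEnabled:$false -MailNickname $nick -SecurityEnabled `
        -GroupTypes @('DynamicMembership') -MembershipRule $Rule -MembershipRuleProcessingState 'On'
}

# Windows 11 devices: build numbers start with 10.0.2 (Windows 10 builds start with 10.0.1)
$win11Rule = New-MembershipRule -Scope device -Property deviceOSVersion -Operator '-startsWith' -Values '10.0.2'

# Three Dell models, joined with "or" so a device matching any one of them is a member
$dellRule = New-MembershipRule -Scope device -Property deviceModel -Operator '-contains' `
    -Values 'Latitude 5430', 'Latitude 7430', 'Precision 3570'

# Sales staff in Atlanta: two single-value rules combined with "and"
$salesRule = New-MembershipRule -Scope user -Property department -Operator '-eq' -Values 'Sales'
$cityRule  = New-MembershipRule -Scope user -Property city -Operator '-eq' -Values 'Atlanta'
$salesAtlantaRule = "$salesRule and $cityRule"

Connect-MgGraph -Scopes 'Group.ReadWrite.All'
New-DynamicSecurityGroup -DisplayName 'Windows 11 Devices' -Rule $win11Rule
New-DynamicSecurityGroup -DisplayName 'Dell Latitude and Precision Laptops' -Rule $dellRule
New-DynamicSecurityGroup -DisplayName 'Sales - Atlanta' -Rule $salesAtlantaRule
```

Call Test-MembershipRule with the object ID of a known Windows 11 device and of a known Windows 10 device before creating the group; getting $true for the first and $false for the second is the same confidence the portal's validation gives you, and it catches a typo in the build prefix before a policy lands on the wrong fleet.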

Jun 05, 2023

How to Make a Basic Edge Browser Policy using Group Policy or Intune

From websites to email and SaaS applications, the web browser is now the go-to app for your users. Optimizing the user digital experience often starts with optimizing their browser environment. Whether you implement Group Policy or Intune, you need to create a policy for your organization’s preferred browser, and we are going to do just that. I have chosen Edge because it is generally easier to secure with these two management tools. There are so many settings in Edge that GP and Intune can manage. We are just going to outline some of the basics that serve as a good start.

Enforce Bing and Google SafeSearch

Most organizations want to filter out explicit or inappropriate content from search results. If you don’t have an enterprise web filter or just want to create a backup policy in case your filter goes down, you can enforce Bing SafeSearch and Google SafeSearch. For Intune, go to Devices > Configuration profiles > Create profile. Select Windows 10 and later as the platform and Templates > Administrative Templates as the Profile type. Then go to User Configuration > Microsoft Edge and find the settings “Enforce Bing SafeSearch” and “Enforce Google SafeSearch.” In the example below I chose moderate search restrictions which will filter adult images and videos but not text.

You can do the same using Group Policy by following the same Administrative Template path as shown in the screenshot below.

Restrict Access to Developer Tools

In our previous example, you had to sift through multiple pages of settings until you could access the Enforce SafeSearch settings. For instance, the first page of settings for Microsoft Edge only contains two settings as shown here.

This time we will restrict user access to the developer tools in the Edge browser. To make it easier to find the desired setting, let’s use the Settings catalog for the profile type rather than the Administrative templates. Using the Settings Catalog, do a search for the word “developer” and then click on Microsoft Edge in the results as shown below.

Then enable the “Control where developer tools can be used (User)” setting and select “Don’t allow using the developer tools” in the drop-down menu as I have done in the example below.

In Group Policy, you can use the Filter to quickly find the exact setting you need. Simply filter the word developer as shown in the screenshot below.

Then navigate to User Configuration > Microsoft Edge and configure the “Control where developer tools can be used” setting as shown in the screenshot below.

Managing Installed Web Extensions

You want to have control over what browser extensions your users will have. Let’s start with which extensions will be allowed. Using Intune, use Administrative Templates once again as your profile type and navigate to Microsoft Edge > Extensions and enable “Allow specific extensions to be installed.” You will then have to input the ID for each web extension. In the example below I have added the ID for Microsoft Translator (gjknjjomckknofjidppipffbpoekiipm), followed by Adobe Acrobat (klcieihbeepdihlppjcammejcejholkl). Note that the extension IDs are different for each web browser.

We can do the same thing using Group Policy for the LastPass web extension ID (nngceckbapebfimnlniiiahkandclblb).

You would then follow this up by enabling the “Blocks external extensions from being installed” setting to prevent all other extensions from installing as shown in the screenshot below.

Configuring the Home Page

We will wrap up this discussion by assigning a mandatory home page for all users. You can find this setting in Group Policy by going to Administrative Templates > Microsoft Edge > Startup and enabling the “Configure the home page URL” setting and inputting the desired home page.

You can do the same with Intune as shown in the screenshot below.

Of course, there are many other settings you can add to your Edge policy. Always test your setting configurations first before implementing them in a production environment.
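Testing, as the post recommends, is easiest when you can see on a client exactly which Edge policies landed. Whether they arrive through Group Policy, an Intune Administrative Templates profile or the Settings catalog, Edge reads them from HKLM\SOFTWARE\Policies\Microsoft\Edge (device scope, which takes precedence) or the same path under HKCU (user scope). The following script is an added example for this page, not code from either post: it audits the settings from this post (SafeSearch, developer tools, extension allow and block lists, home page) together with the typosquatting checker from the earlier post, and reports findings in defender terms. The expected values are this example's own. One addition a practitioner wants here: an allowlist only restricts what it lists if the ExtensionInstallBlocklist also carries a "*" entry, since that entry is what Edge uses to deny every extension not on the allowlist, so the audit checks for it.

```powershell
<#
 Added example, not from the posts: audits the Edge policies discussed above as
 they are applied on a managed Windows client. Device-scope policy (HKLM) takes
 precedence over user-scope policy (HKCU) for the same setting.
#>
$Hives = @{
    Device = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    User   = 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
}

function Get-EdgePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($scope in 'Device', 'User') {
        $v = (Get-ItemProperty -Path $Hives[$scope] -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return [pscustomobject]@{ Scope = $scope; Value = $v } }
    }
    return $null
}

function Get-EdgePolicyList {
    param([Parameter(Mandatory)][string]$Name)
    # List policies are a subkey whose values are named "1", "2", ... in order
    foreach ($scope in 'Device', 'User') {
        $key = Join-Path $Hives[$scope] $Name
        if (Test-Path $key) {
            $item = Get-Item $key
            return $item.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
        }
    }
    return @()
}

function Get-EdgePolicyReport {
    $allow = @(Get-EdgePolicyList 'ExtensionInstallAllowlist')
    $block = @(Get-EdgePolicyList 'ExtensionInstallBlocklist')
    $badIds = $allow | Where-Object { $_ -notmatch '^[a-p]{32}$' }  # Chromium IDs are 32 letters a-p

    $typo = Get-EdgePolicyValue 'TyposquattingCheckerEnabled'  # 1 = on
    $bing = Get-EdgePolicyValue 'ForceBingSafeSearch'          # 0 off, 1 moderate, 2 strict
    $goog = Get-EdgePolicyValue 'ForceGoogleSafeSearch'        # 0 off, 1 on
    $dev  = Get-EdgePolicyValue 'DeveloperToolsAvailability'   # 2 = do not allow
    $ext  = Get-EdgePolicyValue 'BlockExternalExtensions'      # 1 = block sideloaded extensions
    $home = Get-EdgePolicyValue 'HomepageLocation'

    $findings = @()
    if ($null -eq $typo) { $findings += 'TyposquattingCheckerEnabled is not enforced; users can change it in Settings.' }
    elseif ($typo.Value -ne 1) { $findings += 'Typosquatting checker is explicitly disabled by policy.' }
    if ($null -eq $bing -or $bing.Value -eq 0) { $findings += 'Bing SafeSearch is not enforced.' }
    if ($null -eq $goog -or $goog.Value -ne 1) { $findings += 'Google SafeSearch is not enforced.' }
    if ($null -eq $dev -or $dev.Value -ne 2) { $findings += 'Developer tools are still available to users.' }
    if ($allow.Count -and -not ($block -contains '*')) {
        $findings += 'Allowlist is set but the blocklist has no "*" entry; other store extensions can still be installed.'
    }
    if ($badIds) { $findings += "Malformed extension IDs in allowlist: $($badIds -join ', ')" }
    if ($null -eq $home) { $findings += 'No home page is enforced.' }

    [pscustomobject]@{
        Typosquatting     = $typo
        BingSafeSearch    = $bing
        GoogleSafeSearch  = $goog
        DeveloperTools    = $dev
        BlockExternal     = $ext
        Homepage          = $home
        AllowedExtensions = $allow
        BlockedExtensions = $block
        Findings          = $findings
    }
}

Get-EdgePolicyReport | Format-List
```

Run it as the user on a device in the target group after a policy refresh; an empty Findings list means everything from the post is in force in the scope you expected.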


May 29, 2023

Enable Auditing for Privilege Escalation with Group Policy

A cyberattack isn’t a sudden single event, but a storyline composed of multiple stages. First is the initial compromise, followed by the establishment of a foothold or beachhead that the attackers will base operations from. From there the attackers move laterally across the network to perform reconnaissance. The objectives here are to escalate privilege and identify high-value data to target. The final stage is the actual attack itself.

The initial compromise is usually conducted using a compromised standard user account that was captured using a credential stuffing attack or phishing email. To achieve their mission, attackers must work to escalate their privilege to gain access to all areas of the network. This means targeting a privileged user next, such as a domain administrator or senior executive, and may involve taking over multiple accounts along the way.

This is why you should enable auditing that will target privilege escalation activities. One option is to enable “Audit Directory Service Changes,” which will alert you when a change is made to an AD object. This could be adding a user account to a privileged group, for instance, or resetting a password. Any alert will provide information about the old and new properties of the changed objects.

To do so, create a GPO and navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration as shown below.

You can also enable auditing for “Privilege Use,” which will alert you when a security principal is exercising a user right or privilege. You can do so by creating a GPO and going to Computer Configuration > Windows Settings > Local Policies > Audit Policy as shown in the screenshot below.
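Two things a practitioner wants after setting these policies: confirmation that they are actually in effect on the domain controllers, and a way to turn the resulting events into the alert the post describes. The following script is an added example for this page, not code from the post: run on a DC in an elevated session, it reads the effective state of the two subcategories with auditpol, then scans the Security log for Directory Service Changes events (ID 5136) that alter the member attribute of the built-in privileged groups, and summarizes Privilege Use events (IDs 4673 and 4674) by user and privilege. The watched group list and the 24-hour window are this example's choices. Two caveats worth knowing: once any Advanced Audit Policy setting is applied, the legacy category settings under Local Policies > Audit Policy are overridden, so the effective state is what auditpol shows, not what the GPO editor shows; and Directory Service Changes events are generated only for objects whose SACL requests them.

```powershell
<#
 Added example, not from the post: verify the effective audit policy on a domain
 controller and surface the events the two subcategories above produce.
 Watched groups and the time window are this example's own choices.
#>
$WatchedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$Since = (Get-Date).AddHours(-24)

function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # auditpol /r emits CSV; "Inclusion Setting" is the effective policy for the subcategory
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv | Select-Object -First 1
    [pscustomobject]@{ Subcategory = $Subcategory; Setting = $row.'Inclusion Setting' }
}

function ConvertFrom-EventData {
    param([Parameter(Mandatory)]$Event)
    # Flatten the EventData section of the event XML into a name/value hashtable
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-PrivilegedGroupChanges {
    # 5136 = directory object attribute modified; membership changes modify "member"
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if ($d['AttributeLDAPDisplayName'] -ne 'member') { continue }
        $cn = (($d['ObjectDN'] -split ',')[0]) -replace '^CN=', ''
        if ($cn -notin $WatchedGroups) { continue }
        # OperationType %%14674 = value added, %%14675 = value deleted
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Group     = $cn
            Change    = if ($d['OperationType'] -eq '%%14674') { 'Added' } else { 'Removed' }
            Member    = $d['AttributeValue']          # DN of the account added or removed
            ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

function Get-PrivilegeUseSummary {
    # 4673 = privileged service called, 4674 = operation attempted on a privileged object.
    # These are high volume, so they are grouped rather than listed one by one.
    $filter = @{ LogName = 'Security'; Id = 4673, 4674; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ User = $d['SubjectUserName']; Privileges = $d['PrivilegeList']; Process = $d['ProcessName'] }
        } |
        Group-Object User, Privileges | Sort-Object Count -Descending | Select-Object Count, Name -First 20
}

'Directory Service Changes', 'Sensitive Privilege Use' | ForEach-Object { Get-AuditSetting $_ } | Format-Table -AutoSize
Get-PrivilegedGroupChanges | Format-Table -AutoSize
Get-PrivilegeUseSummary    | Format-Table -AutoSize
```

Any row from Get-PrivilegedGroupChanges that was not raised through your change process is the privilege escalation signal the post is after; schedule the script, or feed the same 5136 filter to your SIEM, rather than relying on someone reading the Security log by hand.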


May 15, 2023

Use Intune to Deploy Microsoft Take a Test

Many K12 school districts are concerned about providing a secure environment for online testing. The integrity of online testing relies on the ability to prevent students from opening a new browser tab to google for answers or copy exam question text to an archive. Take a Test is a secure browser provided by Microsoft that can be set up to only provide access to a single URL or a list of URLs. Students cannot perform the following actions when taking an exam using Microsoft Take a Test:

  • Access other applications
  • Open another browser tab
  • Print or use screen capture
  • Change system settings
  • Access Cortana
  • Access content copied to the clipboard

Microsoft Take a Test is a secured instance of Intune, not an application. There are 2 modes for Microsoft Take a Test. The first is intended for a brief test or quiz that a teacher might wish to administer. By creating a secure assessment URL and sending it to students via email or OneNote, teachers may accomplish this task quickly and easily. The assessment link is constructed in three stages using Microsoft's secure link generator.

  • Paste the link to the assessment URL
  • Select the options you want to allow during the test
  • Generate the link by selecting the button Create link

Below is a screenshot of the secure generator page.

When the students click on the link, Edge will open a secure test taking session for the student to take the exam. Keep in mind that the student must be logged on to a Windows machine already. This deployment method would be a challenge for a large-scale exam such as a high school proficiency or college entrance exam. This is where the Take a Test in Kiosk Mode is better suited. This mode can be deployed using either regular Intune or Intune Education edition.

Intune Education edition is specifically designed to meet the needs of schools and provides a simpler interface than regular Intune. Intune Education edition is the easiest way to deploy Take a Test in kiosk mode as the settings are available in the menu interface. To configure devices for Take a Test, go to Groups and select a group to configure Take a Test for. Then go to Windows device settings > Take a Test profiles and select “Assign a new Take a Test profile.” Here you will specify a Profile Name, Account Name, Assessment URL, and an optional Description. Finish it by selecting Create and assign profile as shown in the screenshot below.

Once deployed, test takers can log on to a Windows machine using the test taker profile. They will only be able to access the test in a single browser session.

You can also deploy this mode using regular Intune as well although it is a little messier because you must provide the following OMA-URI settings as shown below.

OMA-URI: ./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn
Data type: Integer
Value: 1

OMA-URI: ./Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching
Data type: Integer
Value: 1

OMA-URI: ./Vendor/MSFT/SharedPC/AccountModel
Data type: Integer
Value: 1

OMA-URI: ./Vendor/MSFT/SharedPC/EnableAccountManager
Data type: Boolean
Value: True

OMA-URI: ./Vendor/MSFT/SharedPC/KioskModeAUMID
Data type: String
Value: Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App

OMA-URI: ./Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText
Data type: String
Value: Take a Test (or a string of your choice to display on the sign-in screen)

OMA-URI: ./Vendor/MSFT/SecureAssessment/LaunchURI
Data type: String
Value:

The screenshot below shows all OMA-URIs fully inputted.

Finish the creation wizard out by assigning the configuration profile to a group and you are done. Students will again only have access to the active test session in a locked down desktop environment.
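Typing seven OMA-URI rows into the wizard is where the "messier" part of this method comes from, and it is also where mistakes happen (a wrong data type, a URI that does not start with ./Vendor, ./Device or ./User). The following script is an added example for this page, not code from the post or from Microsoft: it builds the same custom profile from the list above through the Microsoft Graph PowerShell SDK, choosing the Graph omaSetting type from the value's PowerShell type exactly as the portal's "Data type" drop-down would, and applies the same builder to the PDE OMA-URI from the earlier post on Personal Data Encryption. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement modules are installed and the account holds DeviceManagementConfiguration.ReadWrite.All. The assessment URL is a placeholder, since the post does not state one; the profile names and descriptions are sample values, and assignment to groups is still done afterwards, in the portal or through Graph.

```powershell
<#
 Added example, not from the post: create custom OMA-URI profiles in Intune with
 the Microsoft Graph PowerShell SDK. Covers the kiosk-mode Take a Test profile
 from this post and the PDE setting from the earlier post.
 Assumes Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement.
#>
function New-OmaSetting {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)]$Value
    )
    # The Graph omaSetting type follows the value's type, mirroring the portal's "Data type" choice
    $type = switch ($Value.GetType().Name) {
        'Int32'   { '#microsoft.graph.omaSettingInteger' }
        'Boolean' { '#microsoft.graph.omaSettingBoolean' }
        'String'  { '#microsoft.graph.omaSettingString' }
        default   { throw "Unsupported value type '$($Value.GetType().Name)' for $Name" }
    }
    if ($Uri -notmatch '^\./(Device/|User/)?Vendor/MSFT/') {
        throw "OMA-URI must start with ./Vendor/MSFT, ./Device/Vendor/MSFT or ./User/Vendor/MSFT: $Uri"
    }
    @{ '@odata.type' = $type; displayName = $Name; omaUri = $Uri; value = $Value }
}

function New-CustomWindowsProfile {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable[]]$Settings,
        [string]$Description = ''
    )
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = $Description
        omaSettings   = $Settings
    }
    New-MgDeviceManagementDeviceConfiguration -BodyParameter $body
}

$AssessmentUrl = 'https://assessment.example.com/REPLACE-ME'   # placeholder; the post does not state it

# The seven settings from the post, typed as the wizard expects them
$takeATest = @(
    New-OmaSetting 'Do not display last signed-in user' './Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn' 1
    New-OmaSetting 'Hide fast user switching' './Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching' 1
    New-OmaSetting 'Shared PC account model' './Vendor/MSFT/SharedPC/AccountModel' 1
    New-OmaSetting 'Enable account manager' './Vendor/MSFT/SharedPC/EnableAccountManager' $true
    New-OmaSetting 'Kiosk app AUMID' './Vendor/MSFT/SharedPC/KioskModeAUMID' 'Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App'
    New-OmaSetting 'Kiosk tile text' './Vendor/MSFT/SharedPC/KioskModeUserTileDisplayText' 'Take a Test'
    New-OmaSetting 'Assessment URL' './Vendor/MSFT/SecureAssessment/LaunchURI' $AssessmentUrl
)

# The single user-scoped setting from the Personal Data Encryption post
$pde = @(
    New-OmaSetting 'Enable Personal Data Encryption' './User/Vendor/MSFT/PDE/EnablePersonalDataEncryption' 1
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
New-CustomWindowsProfile -DisplayName 'Take a Test - Kiosk Mode' -Settings $takeATest -Description 'Secure assessment browser in kiosk mode'
New-CustomWindowsProfile -DisplayName 'Personal Data Encryption' -Settings $pde -Description 'Enable PDE for assigned users'
```

Keeping the OMA-URI list in a script also gives you something to diff and review: the AUMID and the URI paths are easy to mistype in the wizard and hard to spot afterwards, whereas a failed New-OmaSetting call tells you immediately which row is wrong.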