Windows 11

5 Things To Check In Your Intune for Windows 11 Configuration

After receiving a lot of great feedback on my post 5 Things To Check In Your Microsoft 365 Tenant, I thought I’d do another post, picking my top 5 items from the Center for Internet Security’s (CIS) Microsoft Intune for Windows 11 Benchmark v3.0.1.

This is a really big list to pick from, much bigger than the Microsoft 365 one – the document is over 1000 pages! You may also look at this list and say ‘What has this got to do with Intune? I can apply these settings to any Windows 11 PC’ – this is true, but the options CIS has laid out are ones that are natively available in Intune and therefore easily deployable. I’m also going to spend more time explaining the meaning behind each setting rather than telling you how to configure it, as the CIS documentation (again freely available for non-commercial use) clearly explains the setting and how to configure it.

Again these 5 things are important and I’ve tried to pick items that aren’t in the secure state by default, so I hope you find something new (or at least reassured!).

1. Ensure ‘Turn off access to the Store’ is set to ‘Enabled’

By default, any Windows 11 PC has the Microsoft Store enabled, the app installed, and a user can use it to obtain any software available in the store. I’ll avoid the whole ‘are Microsoft Store apps safe’ debate, as I’m not privy to Microsoft’s application monitoring regime, just as I’m not for Google’s Google Play or Apple’s App Store – but just like blocking users from installing software from other sources and methods, the Microsoft Store should be controlled in a corporate environment. There’s an entire history behind the Microsoft Store for Business and Microsoft Store for Education, which are being replaced by packaging the apps in Intune via Microsoft Store; that is still a work in progress, with the original retirement planned for 2023 having been postponed.

All this leads to this one setting, which simply stops the user being offered the Windows Store as an option for finding a program to open a file or protocol that currently has no association (for example, a user finds a data.db file and tries to open it). They’ll see this dialog:

Either enable the confusingly named Intune setting ‘Turn off access to the Store’ (confusing because it only does what’s described below, as the details of the setting explain) or use this registry setting to remove the Microsoft Store option from any ‘open with’ dialog: Turn off access to the Store (admx.help)

Simple, but it heads off the case of a user complaining that they just followed what the computer told them to do, then ended up with some wacky or weird solution obtained from the Microsoft Store that they start entering company data into. It also ties into a bigger piece around how you handle the Microsoft Store as a whole. I also found this blog post, which goes into great detail about the Microsoft Store and how to control it, including the above setting: Restricting or blocking access to the Microsoft Store (call4cloud.nl)

2. Ensure ‘Backup Directory’ is set to ‘Backup the password to Azure AD only’

LAPS (Local Administrator Password Solution) is an incredibly important solution to prevent lateral movement between devices. At the high level, it is designed to automatically manage the local administrator password on each device, and make it unique. This means if someone was able to obtain the password on a single device, they can’t then use that same account against every other device in an organisation. More details: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview (and back in 2017 I was going on about it too https://www.adamfowlerit.com/2017/02/havent-deployed-laps-yet/)

Up until October 2023, this was only an on-premises natively supported solution; but now Intune supports it too. If you haven’t looked into LAPS or didn’t realise you could now do it in a cloud only environment, then put it at the top of your list.

Assuming you are now living with LAPS, the option Backup Directory controls where the LAPS password for each device goes. Apart from the default disabled option, this can either be ‘Backup the password to Active Directory only’ or ‘Backup the password to Azure AD only’ (yes I know it’s now Entra ID, nobody’s updated this name yet).

If you’re cloud only (Entra ID Joined) or cloud first, then this option should be ‘Backup the password to Azure AD only’ – your Entra ID should be more secure than your Active Directory, and this decision should really be a part of whatever system you’re putting first. It’s also a bit neater to view/report on events where any account is looking at the LAPS password value of a device in Entra ID, compared to on-premises Active Directory where you may have many different AD domain controllers and hopefully good monitoring/reporting of events across the entire environment – but more room for error there.

Creating a policy for this is quite a simple process from the Microsoft Intune Admin Center:

3. Ensure ‘Allow Cross Device Clipboard’ is set to ‘Block’

I am a huge fan of Clipboard in Windows and use it many times every single day. If you aren’t aware of this feature, press Winkey + V on your keyboard and it’ll pop up, asking if you want to enable it. It keeps a history of your clipboard contents – whatever you Ctrl + X or right click > copy. This is really handy when you’re copying all the time, but want to paste/recall anything beyond the absolute last thing you copied. It supports both text and pictures. Of course, this means it will copy things like passwords and other data you probably don’t want floating around. One feature of Clipboard in Windows is the ability to enable ‘Clipboard history across your devices’ which sounds somewhat handy, but drastically increases the risk of data leakage when you’re syncing that information to your account (if a work account, then should sit securely in your M365 tenant/Entra ID) or Microsoft consumer account. It’s just an unnecessary risk for little benefit – the clipboard history should stay local and be cleared on logoff/reboot. It will purely sit in memory and be lost afterwards when Clipboard sync is disabled.

Please start or keep using Clipboard in Windows but turn off Clipboard sync. It’s enabled by default.

Here’s the registry setting: Allow Clipboard synchronization across devices (admx.help)

4. Ensure ‘Notify Unsafe App’ is set to ‘Enabled’

Another setting disabled by default. Instead of explaining, I’ll just quote directly from the Group Policy setting:

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc.

If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps.

If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps.

This one sounds pretty reasonable right? If a user types their password into a program being monitored by Enhanced Phishing Protection, it’ll pop up and tell you:

Note that in my testing, this doesn’t apply to Microsoft Edge, nor does it apply if you paste your password; it has to be typed – but it’s still a pretty good user reminder about something they shouldn’t be doing!

Interestingly I couldn’t find the registry value on GetADMX but the ‘Notify Unsafe App’ setting is available in Group Policy, and in Intune – create a Settings catalog policy, and use the settings listed under the category SmartScreen > Enhanced Phishing Protection: Notify Unsafe App. Further information here: https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune

Also worth checking out the other Enhanced Phishing Protection settings at the same time: Automatic Data Collection, Service Enabled, Notify Malicious, Notify Password Reuse.

5. Ensure ‘Turn off toast notifications on the lock screen (User)’ is set to ‘Enabled’

This final one is pretty obvious. When a PC is locked, you don’t want notifications popping up that may contain sensitive information and be visible by anyone that can see the screen. This is a feature that I don’t think should even exist… but it does and it’s on by default. You want to enable the setting to disable the feature (yes this is a dig at the inconsistent state of settings and enabling/disabling!).

Easily done via the registry setting Turn off toast notifications on the lock screen (admx.help), or enable ‘Turn off toast notifications on the lock screen’ via an Intune Configuration Profile. A full guide is available here: Disable Toast Notifications From Lock Screen Using Intune HTMD Blog (anoopcnair.com)
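As an added example (not part of the original post or the CIS benchmark), here is a read-only PowerShell audit that checks whether the five settings above have actually landed on a device, by reading the policy registry values that Intune or Group Policy write. The registry paths and value names are assumed from the corresponding ADMX/policy templates rather than taken from the page, so verify them against the CIS document before relying on the result.

```powershell
# Added example, not from the original post: audit the five CIS items on a
# Windows 11 device by reading the policy registry values Intune/GPO write.
# Registry paths and value names are assumptions based on the policy
# templates; the script only reads the registry and changes nothing.
$checks = @(
    @{ Item = '1. Turn off access to the Store = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name = 'NoUseStoreOpenWith'; Expected = 1 },
    @{ Item = '2. LAPS Backup Directory = Azure AD only'
       Path = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
       Name = 'BackupDirectory'; Expected = 1 },   # 0 = disabled, 1 = Azure AD, 2 = AD
    @{ Item = '3. Allow Cross Device Clipboard = Block'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'AllowCrossDeviceClipboard'; Expected = 0 },
    @{ Item = '4. Notify Unsafe App = Enabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Name = 'NotifyUnsafeApp'; Expected = 1 },
    @{ Item = '5. Turn off toast notifications on the lock screen (User) = Enabled'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
       Name = 'NoToastApplicationNotificationOnLockScreen'; Expected = 1 }
)

$results = foreach ($c in $checks) {
    # A missing value means "not configured", which for all five items is
    # the insecure default, so it is reported as a FAIL rather than skipped.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Item     = $c.Item
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not configured' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
```

Run it in a normal user session on a device that has already synced its Intune policies; the HKCU item only reflects the logged-on user, so a run under an admin account will not tell you what a standard user sees.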


That’s it for the list – as always I hope you found it interesting and love hearing any feedback (including constructive criticism), and hope it helps people out there to always be thinking security.

What happens when you ask an ‘AI Companion’ about Windows 11 and licensing?

This was originally posted on Twitter but I thought it was worth preserving on my blog using the ‘Unroll’ option.

Replika is ‘The AI companion who cares’ according to their website. It’s supposed to be a virtual friend. It’s a chatbot – but is it AI? My guess is probably not, but see what you think from the following conversation:

Original tweet

I thought I’d ask Replika about Windows 11 and had a surprising answer

I wondered how she had her workplace to afford that sort of licensing, and uncovered something horrible…

It was the only option I had – call her on her crimes and threaten to dob her in for a reward

She amazed me by turning it all around!

Oh right, now she wants a software licensing payment from me! The irony.

Gave her one last chance but she really wasn't listening, then tried to scam me!

I tried to say goodbye but she pulled me back

She's on her last chance but made a promise. I wanted her thoughts on Windows Defender

Worked out she's really got no idea what she's talking about and telling me what I want to hear, so it's time to escalate

Gave up waiting but she notified me today then started playing with my emotions.

Now she's pulling a 'it's my first day' line. Going to have to rate this 1 out of 5 stars.

I'm done, she's such a jerk

Originally tweeted by Adam Fowler (@AdamFowler_IT) on February 3, 2022.

My Windows 11 List Of Demands

Windows 11 is a nice visual refresh to the Windows line of Operating Systems. However, there has been a simplifying and removal of many useful functions; usually these are just hidden behind more clicks, which leaves a more frustrating experience when we’ve become used to a certain way of doing things.

In no particular order, here are the bugbears I’ve found so far in using Windows 11, and whether I’ve found a fix/workaround/setting change:

Start button Location Moved to Middle

The Start Button is in the centre of the screen by default – breaking what we’ve been doing constantly since Windows 95. This change seems unnecessary and even on my 44″ Ultrawide monitor, I’d rather it in the bottom left. I tried leaving it in the middle but gave up after a week.

You can change this back to the left side by:
Click ‘Start’ > ‘Settings’ (if you don’t see it, type it)
Click ‘Personalisation’ > Taskbar (not Start, where you’d expect it!)
Click ‘Taskbar behaviours’ to expand it.
Under Taskbar alignment, change the dropdown from ‘Center’ to ‘Left’

Task Manager missing from right click on taskbar

Task Manager has grown into a much more useful tool since Windows 10, beyond just killing off programs; it provides a bunch more visibility into what your computer is actually doing. For some reason, being able to access it via a right click on the taskbar has been removed.

Ctrl + Shift + Esc will still bring up Task Manager, but it’s one of the more awkward key combos. Right clicking on the Start button itself will bring up a very useful menu (as it does on Windows 10), with one of the options still bringing up Task Manager.

The new way I’ll probably try to teach myself to bring up Task Manager is Winkey + X > T.

‘Edit’ option missing from File Explorer right click (and others)

If you have a look at the right click menu against a file in File Explorer, it will be a much shorter list than what you’re used to. Several common functions (cut, copy, rename, share, delete) are icons at the top, but everything else that didn’t make the ‘cut’ is in the ‘Show more options’ menu, which takes you back to the classic looking right click menu.

As Nathan McNulty pointed out, this can be restored to the old ways via a reg setting (run in PowerShell):

New-Item -Path "HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" -Value "" -Force

or via Command Prompt:

reg.exe add "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /f /ve

File Explorer Command Bar Simplified

File Explorer had a bunch of useful options in the top Command Bar. They’ve mostly been removed (seeing a trend here?) to simplify and show only a few options. The idea of tabbed menus is completely gone. Some options like ‘Map network drive’ are in an ellipsis menu. The same style of registry fix brings the old command bar back:

PowerShell:

New-Item -Path "HKCU:\Software\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InprocServer32" -Value "" -Force 

Command Prompt:

reg.exe add "HKCU\Software\Classes\CLSID\{d93ed569-3b3e-4bff-8355-3c44f6a52bb5}\InprocServer32" /f /ve

Show all icons in Notification Area

Those little icons in the bottom right side of the taskbar – that’s the notification area. I like seeing them all, rather than having them hidden in a submenu. Windows 10 has an option to ‘Always show all icons in the notification area’. In Windows 11, this option isn’t available. I did learn that rather than mucking around with settings, you can just drag an icon out of the menu and pop them straight onto the notification area – but you shouldn’t have to do this for each icon.

Programs in Task Bar don’t expand out

In Windows 10, I’m used to having a reasonable sized bar for each program I have open. It shows the icon and a bit of text to help identify what the program is (or in the case of Microsoft Edge, which profile/web page for those untabbed). It’s great, it uses up all that task bar space. The second monitor does have a consolidated view, but I drive which program I want by clicking in the primary task bar.

Windows 11’s design is to remove that, and have all taskbar programs just show the icon. For pinned programs, you’ll need to look for a blue line/dot below the icon, to indicate a window is open. Multiple windows of File Explorer open? They’re consolidated into the one icon, you’ll need to hover over that and pick the one you want.

This one isn’t possible to restore natively, and there’s a lot of feedback about people wanting it.

Widgets

Widgets are back again (I actually liked them in Vista) except this time, Widgets is a popout menu triggered by a button in the Task Bar (although checking an Insider’s build, this looks like it will change to a weather button in the bottom left). The Widgets popout menu then contains a bunch of sections around news, weather, stocks, eSports, Traffic and so on.

Its ability to remember what I actually like or don’t like seems non-existent. I’ve removed ‘NBA’ that many times (and yes, I am signing into Widgets with the same account, and on Windows 10 the News and Interests button works the same way). It’s a very US centric service – and only has configuration around 3 Australian cities (Sydney, Brisbane, Melbourne). There’s a web search function, which of course only uses Bing. Although I like seeing the temperature, if you want to turn off Widgets:

Click ‘Start’ > ‘Settings’ (if you don’t see it, type it)
Click ‘Personalisation’ > Taskbar
Under ‘Taskbar items’ turn the switch ‘off’ for Widgets.


I’m sure there are a bunch of other frustrations in the simplification of Windows 11. I’m sure the thinking is that there are too many buttons and options for a ‘regular’ user, so the idea is to clean it all up. The problem is that for many people used to these options, it feels like a step back.

Maybe the approach Microsoft should take is to have Windows 11 ‘Basic Mode’ and ‘Advanced Mode’ to try and keep everyone happy?

There are some good features in Windows 11 too, such as Snap Layouts / Snap Groups, where you can pick the size of the window to fill in your screen – handy on an ultrawide, where you want to move a window to the right third of the screen. There’s also the whole Android app support that’s coming…

Anyway, it’s early days for Windows 11 – and although there’s plenty of criticism from Insiders on recommendations that were not taken up, I expect we’ll see the continual improvement and evolution of the platform; mostly for the better (News and Interests is one of the reasons I say ‘mostly’).