Microsoft Endpoint Configuration Manager: Latest Improvements to the Product Lifestyle Dashboard

Information is key for any business to function optimally. That is why there has been such a massive increase in the use of big data during the last decade. But, this information is not only that which you can obtain externally, it’s also information concerning your internal operations. And this is where Microsoft’s Product Lifecycle Dashboard enters the fray.

It simplifies the way your organization functions by providing you with information concerning all the products that you have installed on devices that are managed by Microsoft Endpoint Configuration Manager. This is a fantastic feature that has had some improvements added to it and that is what we’ll be going over below.

Getting started

Microsoft has made a few changes over the years and from version 1806 you’ll now be able to use the Configuration Manager product lifecycle dashboard to view the Microsoft Lifecycle Policy. So what exactly does this ‘dashboard’ do?

The Product Lifecycle Dashboard is a tool that shows you the state of the Microsoft Lifecycle Policy for Microsoft products installed on devices managed with Microsoft Endpoint Configuration Manager.

Not only that, but you also receive data concerning the various Microsoft products in your environment, supportability state, and support end dates. Therefore by using both Asset Intelligence and the Asset Intelligence Synchronization Point, the dashboard can give you a clear overview of the lifecycle of each product.

By using the dashboard, you can easily find out what support is available for each product. With this information in hand, it will allow you to plan accordingly and update all products before their support expires. And then from version 1810, the dashboard also adds information for System Center 2012 Configuration Manager and later.

What are the requirements?

As a product continues to improve, the requirements to use that product will also expectedly change. For you to see data in the product lifecycle dashboard, you need the following:

  • Internet Explorer 9 or later
  • You need to install and configure a service connection point role. And the latter must be online or synchronized regularly if offline.
  • For hyperlink functionality in the dashboard, you need a reporting services point.
  • You need to configure and synchronize the asset intelligence synchronization point.

Using the dashboard

This tool is designed to make it easier for your organization to have access to up-to-date data about the products that you are using. And by leveraging the inventory data that the site collects from managed devices, the dashboard displays information about all current products. However, not all versions are supported. Only Windows Server 2008 and later, Windows XP and later, SQL Server 2008 and later, will have information displayed for OSs and SQL Server. To access the lifecycle dashboard in the Microsoft Endpoint Configuration Manager console:

1) Go to the Assets and Compliance workspace,

2) Expand Asset Intelligence,

3) Select the Product Lifecycle node.

What else do you get?

Clients will find that from the newer version of SCCM 1902, they’ll get information for installed versions of Office 2003 through Office 2016. And this data is available after the site runs the lifecycle summarization task, which is something that occurs every 24 hours. In addition, you can also benefit from using the dashboard even if you don’t have Configuration Manager. You can use Azure Monitor Logs to provide a Dashboard to help with managing the supportability of your environment.

Upgrading products

Taking a simple look at your dashboard will allow you to see any products that need to be updated urgently. When you have several computers to deal with and you need to know which ones need upgrades, all you need to do is click on the hyperlinks found in the Number in environment column and that will show you a report.

And doing this will direct you to the Lifecycle 01A – Computers with a specific software product report. This is a huge improvement when you consider that in the past you had to investigate problem clients individually to find out whether or not an upgrade was needed.

Reports in the product lifecycle set

In addition to the dashboard, you have additional reports that are available as well. These you’ll find in the Microsoft Endpoint Configuration Manager console, where you then go to Monitoring workspace and you expand Reporting. The new reports, which are found under the Asset Intelligence category are as follows:

  • Lifecycle 01A – Computers with a specific software product: You can see a list of computers on which a specified product is detected.
  • Lifecycle 02A – List of machines with expired products in the organization: This report, which you can filter by product name, shows you all the computers which have expired products on them.
  • Lifecycle 03A – List of expired products found in the organization: View details for products in your environment that have expired lifecycle dates.
  • Lifecycle 04A – General Product Lifecycle overview: Here you can see a list of product lifecycles and filter the list by product name and days to expiration.
  • Lifecycle 05A – Product lifecycle dashboard: From version 1810, this report will have similar information as the in-console dashboard. All you have to do is choose a category to view the count of products in your environment as well as the days of support remaining.

Wrap up

Every organization needs products that will help them to optimize their time. And as the number of available products increases, the choice of which product to go for becomes harder. Microsoft’s Product Lifecycle Dashboard gives your business many benefits that businesses have needed for a long time.

Reduce the time you spend trying to keep track of all the products you have installed on countless devices with a simple, easy to use dashboard. If you’re looking for a tool that gives you a more efficient way of device management, then the Product Lifecycle Dashboard is one that is certainly worth a look.

Reconsidering Certifications for Digital Transformation

The way that IT departments have worked for years is by having your IT professionals take up specific responsibilities to cater for. Now, however, as technology continues to evolve, you’ll find the responsibilities overlapping from one role to another. And it’s because of situations like these that we need to be reconsidering certifications across the board.

As a business, you should be looking at what changes you can make. How can you equip your IT team to become more efficient at what they do? Are there any tech companies offering potential solutions to these challenges?

Understanding key concepts

The first thing we need to do is to clear up the confusion surrounding some of these concepts so that we’re on the same page. When we talk of certification, this refers to an independent evaluation of knowledge and/or skills.

Essentially, what this means is assessing an individual to see if they have the necessary skills, and how they got them doesn’t matter. Because of this, an individual that has acquired certain knowledge and skills should be able to get certification without the need to undergo training. And quality certification is demonstrated only when:

  • The identity of the individual can be verified beyond any doubt,
  • The work has been checked to ensure that it was done by the person that submitted it,
  • Taking a prescribed learning path is not necessary to pass the exam,
  • The evaluation process has been proven to be psychometrically sound.

The difference between certification and a certificate is that the latter is what you receive on completion of a training program. Therefore, in this instance, you’ll need to take part in training after which an assessment will be carried out.

Microsoft is making changes

As already mentioned above, the complex nature of the responsibilities facing IT professionals is rapidly increasing. So to better equip your IT teams and have them operate effectively, Microsoft has made some rather significant changes. By now, most people are aware that Microsoft Technology Associate (MTA) certifications and exams are reaching the end of the road.

The reason that Microsoft has given for retiring these is that this change will help students build the technical skills they need to keep pace and succeed in emerging jobs. How? By redesigning the certifications in such a way as to align with industry and hiring trends. The recommendation is for people to start moving to the new certifications in anticipation of the retiring of MTA certifications by June 2022.

The exams listed below are the ones that will be retired:

  • Database Administration Fundamentals
  • HTML5 Application Development Fundamentals
  • Introduction to Programming Using HTML and CSS
  • Introduction to Programming Using Java
  • Introduction to Programming Using JavaScript
  • Introduction to Programming Using Python
  • Mobility and Devices Fundamentals
  • Networking Fundamentals
  • Security Fundamentals
  • Software Development Fundamentals
  • Windows Operating System Fundamentals
  • And Windows Server Administration Fundamentals.

What is an MTA certificate?

An MTA certificate is an entry-level certification for anybody who wants to start a career in the IT industry or is thinking about changing their career to one in the IT industry.

The targets for this certification are beginners, IT generalists, and students lacking technical experience or specialization. The certification is an online-based program where people can learn new material and demonstrate their skills.

The MTA exams, which are part of the MCP program, can help beginners to boost their career progression and function as a springboard to getting advanced certifications such as MCSD, MCSE, and MCSA. 

The way forward

With the above changes coming into place, students and educators alike will be wondering where they go from here. And Microsoft offers us fundamentals certifications as the place to start. The certifications you’ll find are the ones below:

  • Microsoft Certified: Power Platform Fundamentals
  • Microsoft Certified: Azure AI Fundamentals
  • Microsoft Certified: Dynamics 365 Fundamentals Customer Engagement Apps (CRM)
  • Microsoft Certified: Dynamics 365 Fundamentals Finance and Operations Apps (ERP)
  • Microsoft 365 Certified: Fundamentals
  • Microsoft Certified: Azure Fundamentals
  • Microsoft Certified: Azure Data Fundamentals
  • Microsoft Certified: Dynamics 365 Fundamentals
  • Microsoft Certified: Security, Compliance, and Identity Fundamentals

The above certifications should enable students to validate foundation understanding with mixed concepts and applied learning of Microsoft technologies. With these certifications, you can easily proceed to role-based training and certifications across emerging and in-demand career areas. These include but are not limited to Microsoft 365 and Dynamics, Power Platform, and Microsoft Azure.  

Reasons for these changes

The modern business environment and its various problems are making greater demands on IT professionals. Because of this, it’s now very common to find responsibilities completely ignoring traditional role boundaries.

For example, when looking at the roles at Microsoft, you can often find Azure solutions architects performing some of the responsibilities of Azure data engineers, enterprise admins, and Azure admins. And this overlapping of responsibilities is visible in many different roles.

Consequently, if you’re a security administrator, for instance, you also need to be familiar with the responsibilities of enterprise admins, Azure solutions architects, and messaging administrators. Furthermore, roles work with various technologies so you’ll also need to familiarize yourself with a broad range of technologies to operate successfully in these roles.

Transitioning to role-based certifications

From the reasons stated above, it is becoming clearer as time goes on that changes need to be made. The current approach has worked well for decades but now the industry is evolving, and it is doing so at a very fast pace. And according to Microsoft, there has been plenty of feedback from its customers and other partners that have inspired this shift from product-centric certifications.

With role-based certifications, you’ll get a program that covers many different technologies instead of focusing on technologies in general.

Therefore, the new certification program is designed to offer credentials and skills that are tailor-made for jobs and areas of responsibility that are in-demand. So these role-based certifications will validate the skills that technical professionals at beginner, intermediate, and advanced level learn in any of the following job roles:

  • Developer
  • Administrator
  • Solutions Architect
  • Data Engineer
  • Data Scientist
  • AI Engineer
  • DevOps Engineer
  • Security Engineer
  • Functional Consultant

Taking your business forward

All businesses need to put themselves in a position to carry out digital transformation. And you need to be able to do this effectively. But, without the necessary skills to carry out the process, most organizations will face great difficulty when it comes to ensuring their IT infrastructure can meet their business needs.

This is why it’s crucial to reconsider the training of your IT personnel and in particular their certifications. The current way of training your IT personnel is beginning to lag behind and that could have huge repercussions in the future. With the right sets of skills available to you in-house, you can vastly simplify tasks such as digitally transforming your data centers, migrating workloads to the cloud, app development, and data integration.   

New skills development methods

The changes that Microsoft is bringing in should enable the certifications program to remain current. By doing this, it will fully equip IT professionals with the knowledge and skills they need for the latest Microsoft technologies as well as those technologies that Microsoft Certified Professionals use every day.

Leveraging up-to-date certifications from technology vendors is extremely important if your organization is to retain IT professionals with the skill set to build a successful IT organization.

When considering certification programs you’ll need to look at a few things such as whether the skills on offer are evolving with technology, whether the program is relevant to your business’ needs, and whether the program will include performance-based testing among other things.

What does this mean for other certifications?

Microsoft will stop offering MTA licenses for purchase on June 30, 2021 and you’ll have until June 30, 2022 to register and take the exam. So if you pass the exam by the deadline date then you’ll earn the certification.

However, if you need to retake a failed exam after the deadline for purchasing passes, you may not be able to do so unless you have an additional purchased voucher. And for those that are pursuing exams that are retiring, you can still earn your certification provided that you pass the required exam before it expires.

Also, Microsoft won’t allow you to trade in your MTA voucher for another exam so you’ll have to make sure that you make use of it before it expires.

Furthermore, you don’t need to worry about the MTA certification that you already have because they will remain on your certification transcript and will be printable even after the exams retire. Two years after the retirement of the certifications, they will be moved to the Certification History section of your transcript.

Steps to take

Now that you know what role-based certifications are, what steps will you need to take in order to start?

  1. Choose a learning path depending on your current role or the one you aspire to. Then, prepare for the exams with a series of courses through online learning, books, instructor-led training, etc. To check your progress, there are practice tests that you can take to assess your strengths and weaknesses.
  2. Plan for the exam. You’ll need about 3 hours, including 30 minutes for the introduction, instructions, and comments. You can expect 40–60 questions, and, since your job is hands-on, the exams will be, too. The idea is to test you on real-world situations that you will potentially face in your day-to-day activities.

When all is said and done, you should be able to fully demonstrate the knowledge and skills you have that you have learned for you to attain your certification.

Why Microsoft certifications?

A lot of people will understandably not be too thrilled about all these changes that are taking place. So the question they will need answers to is why should they be concerned about Microsoft certifications anyway?

Well, with Microsoft certification, you can easily demonstrate your expertise, prove your skills, and thus place yourself at a great advantage as an IT professional. As a Microsoft certified professional, you can expect to receive higher recognition of your skills due to validation.

Also, 23% of IT professionals that are certified by Microsoft will earn 20% more. And if that’s not enough, up to 49% believe that having cloud certifications will increase your employability. Therefore, if the knowledge and skills alone are not enough to get you to consider Microsoft certifications, then the other potential benefits should.         

For an organization to grow, you need to perform consistently at a high level. And this is what Microsoft’s role-based certifications aim to offer. You need to have IT professionals that will consistently outperform other colleagues across all roles.

As the cliché goes, time is money. So if you can have highly-skilled IT professionals, they can save you plenty of time on tasks such as setting up infrastructure, determining the scope of impact of security issues, and designing and implementing Microsoft 365 services to name a few.

Therefore it’s easy to see how certifications that focus on the broad responsibilities of the various IT roles can be of immense value to your organization.

Wrap up

The success of your organization may very well hinge on the skill and expertise of your IT department. In a fast-paced business environment, you need IT professionals that are capable of leveraging new technologies to boost productivity. And this is what Microsoft role-based certifications are all about.

The goal is to equip your IT professionals with all the knowledge and capabilities required to execute their day-to-day tasks. So rather than having individuals who are great with specific technologies, you can now get a group of people who are experts at performing across a wide range of responsibilities and technologies. 

Top 10 Benefits of Windows Autopilot

Gaining even the slightest advantage over your competitors can make a massive difference to the success of your business.

With so much technology available, you need to choose the right solutions for the growth of your organization. Windows Autopilot is a collection of technologies that helps you to make better use of your time. It does this by helping you to pre-configure new devices and thus reducing the time to productivity.

So, not only is this going to simplify the operations of your IT department, but it will also empower your employees. Below we’ll go over the top 10 benefits of Windows Autopilot to your business.

1.    Self-deployment

There are few better ways to enhance your productivity than by having new devices ready for business straight off the shelf. Any new Windows 10 devices that have been pre-enrolled in the Windows Autopilot program will be ready to use on arrival with zero-touch and no involvement from your IT team. When a user takes possession of such a device, all they’ll need to do is turn it on, connect to a network, and then wait a little.

2.    No OS re-imaging

This part of setting up new devices is one that has always taken up a significant amount of time. With IT departments having to manually install apps and drivers, manage infrastructure, and set policies, the process took relatively long. But, Windows Autopilot does away with all that. By using a smart and easy pre-configuration, all of this becomes an automatic process. Once you have set up an Autopilot profile in Microsoft Intune, all the Windows devices that you have under that profile will have these settings applied.

3.    Customize OOB experience

To save time, Autopilot allows you to customize the out-of-the-box experience (OOBE) in advance. All you need to do is set your organization’s preferences. And this will simplify things for end-users by eliminating entire sections during setup that previously required manual input. So now they’ll be able to get through the setup process much faster and with a lot less hassle. With this kind of capability, you can ship devices directly to end-users and they’ll be up and running in no time.

4.    Enrollment status

Bypassing IT when setting up devices is something that will understandably concern some people. However, Autopilot has an enrollment status feature to alleviate those concerns. What this feature does is to ensure that a device is fully configured, compliant, and secure before the end-user gains access. That way, IT still gets to assess devices, make sure that they are properly set up, and resolve any errors when issues arise.

5.    Independent of MDM

Can you use Autopilot if your organization doesn’t use Microsoft Endpoint Manager/Microsoft Intune? The answer is yes you can. Any MDM will work with Autopilot but for an optimum experience with all the features then Intune would be best. So for any business that prefers other non-Microsoft technologies, you can still reap the benefits that Autopilot offers. You may be missing out on using this fantastic technology because of some of the misconceptions that people have.

6.    Available for existing devices

This is another area that often requires clarification as some existing devices can qualify. To be specific, users with Windows 1809 and above can also benefit from Windows Autopilot for existing devices. IT people can now facilitate processes like Windows 7 to Windows 10 migration through Autopilot. They can do this by using a ConfigMgr task sequence and then followed by an Autopilot user-driven mode.

7.    Simple redeployment

Occasionally, certain devices will need to be given to new users or repurposed entirely. Autopilot makes wiping a device a simple process that you can do in minutes. And once that is done, you’ll have a device back in OOBE status and ready to be handed over to someone else. This new user will receive the device with the specific configurations that they need already in place. By making resetting devices this easy, Autopilot further empowers IT teams and enhances their productivity.

8.    Avails latest technology

By pre-configuring devices, Autopilot enables end-users to immediately gain access to the latest versions of essential tools. These include Microsoft technologies such as Teams, Word, PowerPoint, Excel, etc. And so without the need to wait on IT, end-users will have all the essential apps they need with all the necessary settings already applied. Furthermore, you no longer need to worry about third-party bloatware that is often a nightmare to deal with. 

9.    No maintenance of images and drivers

Custom images require a significant time investment to create and maintain. And they will need you to wipe every single device that your organization acquires. Undoubtedly, they place a lot of work on the schedules of your IT people. With Autopilot, however, these custom images become unnecessary. All you have to do during provisioning is to get in touch with the manufacturer to get the device ID.

What’s New with Windows Autopilot for HoloLens 2

Billedresultat for hololens 2

In early 2020, Microsoft announced that it was going to bring Windows Autopilot to the HoloLens platform. Initially, it was only in private preview on HoloLens 2. However, later on that year, Microsoft made it available for public preview. Windows Autopilot plays a key role in simplifying deployments and reducing the time required to productivity.

As a result, it helps your organization to cut down on costs and enhance efficiency. So if your business needs to introduce new devices, then Autopilot offers you a great solution for that. This announcement from Microsoft expectedly aroused significant interest so we’re going to take a look at what all this could mean for you.

HoloLens 2 overview

HoloLens 2 is the next step in the evolution of Microsoft’s revolutionary mixed reality headset. This device is one that you place over your head and has a visor that goes over your eyes offering users a new way to interact with information.

The technology provides apps and solutions that will enhance communication, learning, collaboration, and much more through the use of mixed reality. The challenge that organizations have had to face is that as this technology has grown in popularity and use, its deployment at scale has become a laborious and costly affair. Hence the need for Windows Autopilot to provide a simpler, more effective, and more streamlined deployment solution.

Device set up

To get started, you’ll need to go through the process of device set up. Fortunately, setting up your devices will only involve a few simple steps. Once a user has started the self-deployment process, Autopilot then proceeds with the following steps:

  • Join the device to Azure AD. However, it’s important to remember that Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join.
  • Enroll the device in Microsoft Endpoint Manager (or another MDM) using Azure AD.
  • Download certificates, apps, device-targeted policies, and networking profiles and then apply them.
  • Provision the device.
  • Present the sign-in screen to the user.

With the public preview, Windows Autopilot for HoloLens devices can be configured using Microsoft Endpoint Manager (MEM) controls. And this applies to all customer tenants. To get started, you’ll have to log into the MEM admin center. Once there, select Devices > Windows > Windows enrollment. And then under Windows Autopilot Deployment Program, select Deployment Profiles > Create profile > HoloLens (preview).

Requirements

To use Windows Autopilot, you’ll need to have Windows Holographic, version 2004 (released May 2020) or newer. However, Microsoft only began shipping devices with this version pre-installed in late September 2020.

Fortunately, though, Microsoft allows you to use the Advanced Recovery Companion (ARC) to re-flash your devices to the latest operating system. Using ARC, you can also check the build version that is currently installed on your devices.

The process is not overly complicated and you can find instructions here. Ideally, it would be best to request from your distributor that they supply you with Autopilot-ready devices.

Tenant Lock for HoloLens 2

This feature allows organizations to permanently bind devices to their Tenants and keep them under management after initial enrollment. With this feature, your device will always be deployed by Autopilot and managed by MEM. Even in the event of OS updates, accidental or intentional resets, or wipes.

If your organization deploys HoloLens 2 devices with Autopilot, you can set up a specific policy. This policy which is deployed post-enrollment enforces:

  • the permanent enforcement of Autopilot deployment,
  • the prevention of local user creation during device setup,
  • mandatory network connection,
  • the prevention of all other escape hatches during device setup, and
  • the prevention of device ownership during the device setup process except for the organization Tenant it is registered to with Windows Autopilot.

Using Autopilot with Wi-Fi connection

Microsoft will also allow you to use Windows Autopilot Deployment for HoloLens 2 with a Wi-Fi connection in addition to the regular Ethernet-based connection. This is something that you can get as part of Insider Preview (Build 19041.1364 or above).

What this means is that you do not need to use ethernet to USB C or Wi-Fi to USB C adapter. Instead, all you simply need to do is to connect the device to your available Wi-Fi internet network and deploy the device with Windows Autopilot.

User experience

After the process of configuring Autopilot for HoloLens 2 is complete, you then move on to the provisioning of the HoloLens devices. The Autopilot experience needs internet access and you have several options to choose from. You can connect your device to a Wi-Fi network in OOBE and then let it detect Autopilot experience automatically.

Alternatively, you can use “USB-C to Ethernet” adapters for wired internet connectivity and let HoloLens 2 complete Autopilot experience automatically. And with the third option, you can connect your device with “USB-C to Wifi” adapters for wireless internet connectivity and let HoloLens 2 complete Autopilot experience automatically.

During the next step in the provisioning process, the device will automatically start OOBE and all that is required of you is to let HoloLens 2 detect network connectivity and leave it to complete OOBE automatically. And when the OOBE process is complete, you can then sign in to the device using your user name and password.

Simplifying deployments

Windows Autopilot has provided countless benefits to a lot of organizations by reducing the complex nature of deployments at scale. This cloud-based platform significantly reduces time to productivity and empowers end-users. And so it only makes sense that HoloLens 2 is now able to leverage the capabilities of this fantastic technology. Organizations cannot afford to spend vast amounts of time dealing with deployment scenarios for which fast, cost-effective solutions are available. From medical institutions to academic ones, HoloLens 2 gives you an amazing new way of interacting with information and Autopilot enhances that experience.

Philips Hue Bridge POE

IOT, Smart Home, Intelligent home; Meaning a lot of connected devices (and power adapters & cables!)
I have been using the Philips Hue system from the very beginning, recently upgraded to the Philips Hue Bridge 2.1 Square-shape bridge (supports Apple HomeKit)

After my last upgrade to the home infrastructure. with the new and improved UniFi Switch PRO 24 PoE I wanted to get the most out of the switch with POE (Power-Over-Ethernet)

I would have loved to see the Philips Hue Bridge with build-in POE, but unfortunately that was not the case of the 2.1 release. Luckily with a bit of creativeness this can be achieved with the correct equiptment and cables.

The bridge comes with a regular DC barrel plug adapter

Parts list for the items you will need:

Barrel adapter to USB – NOTE: The V2 bridge barrel is 5.5 x 2.5 mm
Direct link: 5.5 x 2.5 mm DC USB
If you buy a barrel adapter to USB, you will be able to use any POE adapter.
Ubiquiti Instant 802.3AF to USB adaptor requires not configuration plug and play!

NOTE: 2 Networking cables will be needed with this solution, 1 for POE, and 1 for the actual device connection.
If you do not want to use 2 ports, go for a POE splitter with barrel adapters (802.3af POE splitter with 5 volts DC)

Amazon.com: 802.3af PoE Splitter with 5 Volts DC Plug | PLUSPOE Power Over  Ethernet for 5v Devices Like Foscam, Amcrest, Dropcam and More, 3.5x1.35mm DC  Barrel: Kindle Store

The wall mounts used printed on the Ender-5 Pro
– Philips Hue wall mount: https://www.thingiverse.com/thing:2458638
– Ubiquiti Instant wall mount: https://www.thingiverse.com/thing:4497478

Latest Updates for Windows 10 Driver Management

Microsoft has claimed that the main cause of Windows 10 or hardware failures has been the hardware drivers themselves. And this happens to be an area in which Microsoft has had no control.

In the past, Microsoft has given the driver update authority to the various hardware manufacturers. As a result of that, these manufacturers have retained the ability to directly push drivers to their users through the system update.

Given the number of issues that users have been facing, Microsoft has decided to make some adjustments to their driver update management policy. These updates will likely have a significant impact so let’s take a look and see what this means for us all.

Addressing the issues

In early 2020, Microsoft quietly went about the process of starting to address the driver issues that have been plaguing users. It started with the announcement that there was going to be an introduction of rolling out drivers in phases.

And this would differ from the past where all Windows 10 computers were receiving major and minor updates automatically via Windows Updates that were released on the same day for everyone. The idea with the phase system is to allow the pushing of updates to highly active devices from where Microsoft can then collect diagnostic data that helps to assess compatibility issues.

Also, Microsoft mentioned implementing a new policy where their hardware partners can now ask them to block Windows 10 feature upgrades on a PC running an incompatible driver. The widespread problems that arose from Microsoft being the only one doing the assessing and blocking necessitated this change in approach. By doing all of this, Microsoft can begin the process of resolving the countless headaches that we have been facing.

Driver installation

So to bring an answer to this issue, Microsoft made another announcement to the effect that they would be adjusting the automatic driver installation strategy for Windows 10 20H2 from November 2020.

This update is meant to provide users with a greater degree of control over the driver update and in this way you will have better stability. This new driver management model is going to give hardware manufacturers options, either automatic or manual.

This is what Microsoft has said regarding the adjustments that came in to effect on the 5th of November last year:

1. Automatic driver updates will automatically be installed on your machine either when you plug-in a peripheral device for the first time, or when a device manufacturer publishes a driver to Windows Update. In other words, there will be no change to the plug-and-play scenario when an automatic driver is available on Windows Update.

2. Manual driver updates can be installed manually on your machine if you specifically request them by navigating to Settings > Update & Security > Windows Update > View optional updates.

However, these changes will only affect devices that receive updates directly from Windows Update. So if you’re an IT professional who manages drivers for a business, then these adjustments won’t affect the way you operate.

Manual driver updates

According to Microsoft, the abovementioned adjustments should now enable you to see a clear distinction between automatic and manual updates in Windows Update. With the end goal being to create a total transformation of the management of drivers, something that began earlier in the year with the rolling out of updates in phases.

All this should give users greater control by redefining the servicing of manual drivers for machines running Windows 10, version 2004 and later. Previously, when a user would connect a peripheral device with an optional driver such as a camera to their machine for the first time, there would be an automatic installation of that driver. Instead, with the changes that Microsoft has implemented, you now have control over how you proceed.

Driver distribution

When you submit a driver to Windows Update, the Driver Delivery Options section will present you with two radio buttons: Automatic and Manual. Under the Automatic option, there are two further options:

  • Automatically delivered during Windows Upgrades – under this option, drivers are classified as a Dynamic Update. When upgrading the OS, this is where Windows will automatically preload drivers.
  • Automatically delivered to all applicable systems – when you select this option, the drivers will be downloaded and installed automatically on all applicable systems once they are released.

How to submit a driver to Windows Update

Publishing a driver to Windows Update will require the creation of a hardware submission. Once that is done you can then proceed with the steps given below:

1) Find the hardware submission with the driver that you want to distribute.

2) Head over to Distribution and select New shipping label.

3) Under shipping label, go to Details and enter a name for the shipping label in the space provided. It’s this name that will allow you to search for and organize your shipping labels.

4) In the Properties section you will need to fill in the following fields: Destination, Specify the partner (if any) that is allowed visibility into this request, and Driver Delivery Options.

5) Go to Targeting and choose the driver package that you want to publish.

6) At this point, Select PNPs is now available so you can go ahead and choose the hardware IDs that you want to target.

7) Enter each CHID into the text box and select Add CHID(s) if you would like to add them.

8) You can limit public disclosure of your Shipping Label in the Windows Update Catalog and WSUS Catalog, by checking the Limit Public Disclosure of this Shipping Label information box.

9) If your driver targets Windows 10 in S mode, then you will need to select both boxes.

10) Select Publish to send your request to Windows Update or Save if you don’t want to publish as yet.

Optional installation

The optional updates feature is now available to users that have upgraded to Windows 10 20H2. With this feature, the system will let you know of the availability of device drivers other than the ones that the PC is currently using. If you go to the View optional updates section, you’ll see where it says Driver updates. And if you click on it, it will display a list of all the device drivers that are available for the target PC. Essentially what you get with this feature is the ability to install specific drivers if and when necessary. Otherwise, automatic updates will keep your drivers updated.

To install any of these drivers, simply follow the steps below:

1) Press WinKey + I to launch the Settings app.

2) Go to Update & Security and click on Windows Update.

3) Over on the right side, you’ll see View Optional updates just under the Check for updates button. Click on it.

4) Under the Driver Updates section, you’re going to find a list with all of the available updates for the computer.

5) Check all the boxes corresponding to the device drivers that you want to install. Click Download and install.

Windows 10 October 2020 Update common problems — and the fixes | Windows  Central

Windows 10 will then immediately start downloading the chosen driver updates. Once the process is complete, the system will install the updates and prompt the users to Restart Windows.

Should you install optional updates?

As mentioned above, you can install optional device drivers if the need for them arises. For instance, when doing a clean install of Windows 10, some may find it preferable to manually install graphic drivers that you download from Intel and NVIDIA.

However, it’s important to note that Windows will still automatically install all mandatory updates, including security updates and non-optional cumulative updates. Therefore you don’t need to worry about automatic driver updates because this new approach won’t affect them. This is because they will continue to be installed via Windows Update when they are published by the manufacturer or when you connect the device.

So with optional updates, Microsoft has changed the system such that driver updates are no longer forced on you. You can select those that you want and block any that give you problems. Most users will probably be leveraging this functionality for those times when compatibility issues arise.

Potential issues

Microsoft’s new model for driver management aims at resolving the multitude of problems that users have been grappling with. However, this new model is not without its potential issues. As much as it may give users more control, it’s also going to present challenges for peripherals that don’t have automatic drivers readily available.

This is because not everyone may be aware that they need to go to Windows Update and manually download the necessary driver for the hardware to work. Without this, Windows will return a Driver Not Found error that may leave more than a few people stuck.

Since Microsoft is also going to be blocking users from applying OEM or manufacturer drivers if Windows can’t verify software publisher, this will probably lead to a few driver errors when Microsoft is unable to verify the drivers. If verification fails, there are two error messages that you’ll likely see with the first being “Windows can’t verify the publisher of this driver software” and the second “No signature was present in the subject”. Microsoft’s advice in these scenarios is that you contact the manufacturer and ask them to upload the driver with appropriate fixes.

Key differences

Under the View Optional updates link, users get to view the optional updates that they won’t receive automatically. Using this link will replace having to use Windows 10’s Device Manager controls to find optional updates.

With Microsoft making minor adjustments to how Windows 10 drivers arrive for Windows Update service users, it’s important to note that this change is more than just a simple user-interface modification.

Those using the newer version of Windows 10 will get updated drivers only when they search for them using the View optional update command. And they’ll be getting only the drivers that are already on the device without searching for new ones via the Windows Update service.

In Windows 10, version 1909 and earlier, Windows Update automatically distributes manual drivers when:

a) a device has no applicable drivers available in the Driver Store (raising a “driver not found” error), and there is no applicable Automatic driver

b) a device has only a generic driver in the Driver Store, which provides only basic device functionality, and there is no applicable Automatic driver

But for users of Windows 10, version 2004, Windows Update distributes only Automatic drivers for a system’s devices. When Manual drivers are available for devices on the computer, the Windows Update page in the Settings app displays View optional updates.

Time to enhance driver management

The challenges that we have all witnessed in recent years were in dire need of a solution. And a major one at that. The countless incompatibility issues that saw the trashing of Windows 10 were slowly but surely eroding the confidence that users have in the operating system.

Problems such as audio not working, system crashes, slow performance, etc, are significant issues that can severely hinder the productivity of a business. So it’s not really a surprise when we look at all the updates that Microsoft made to its driver management policy in 2020.

Security has improved and the new driver management model is a more stable platform that gives users greater control. And all of this you’ll get without having to worry about key updates being affected. Those are still performed automatically to ensure that your system remains as secure as possible. Undoubtedly, there are still a few bugs to iron out here and there, but the rapidly improving system is certainly enhancing the Windows 10 experience.

Modernize Your Business With Azure Active Directory

The capabilities of the cloud have literally changed the way organizations view remote work. Because it is designed to simplify access from anywhere, the cloud allows organizations to efficiently manage their remote workforce by handling more typical in-house IT tasks. Azure Active Directory (Azure AD) is one of the key technologies that can improve how your business operates. So what is it and how can it help you?

What is Azure AD?

Plenty of office networks utilize Microsoft’s Active Directory to manage policies and permissions. What Azure AD does is to put that capability on the cloud. In short, it’s a cloud-based directory and identity management system. This infrastructure will enable your employees to sign in and access external resources in Office 365 as well as other SaaS applications. Being entirely cloud-based means that Azure AD can serve as your only directory or use Azure AD Connect to sync up with your on-premises directory.

 Transforming your business

Azure AD gives IT complete control over access to apps and resources. This is because of security protocols such as conditional access and MFA. By using built-in governance controls, IT can also apply automated lifecycle management and privileged access limitations. For end-users, they are going to benefit from faster and easier access to corporate resources using various devices and from just about anywhere. And with support for other virtual tools and operating systems, Azure AD enables you to leverage the technologies that are best for you.

Business security will improve

Azure AD has a wide range of security protocols to safeguard your organization from malicious or accidental issues. These include multi-factor authentication (MFA), privileged identity management (PIM), conditional access, and threat detection. Using MFA and conditional access will give you improved application security and management control. And then you also have advanced threat protection that gives you access to comprehensive reporting that monitors application usage. With this, you can apply enhanced security measures to protect your business.

Improving customer security

Customers need hassle-free solutions with robust security to optimize their experiences. And with Azure AD B2C you get a product that fully delivers. It uses reliable, proactive security measures to ensure world-class protection. Customers will get highly secure access across your web and mobile apps through MFA. Add threat detection to that and customers can have peace of mind knowing that their identities are very secure. Because the platform is based on Microsoft Azure, you’ll also retain the significant potential to scale according to your needs.

Adapting to innovation

Trying to hold on to legacy systems can prove very costly to a business. Not only are they costly to maintain but the complexity of running them is hardly worth it. Technology such as Azure Active Directory offers you incredible benefits for modernizing your infrastructure. With increased security and customer satisfaction, reduced overhead, and more streamlined operations, it’s worth signing up for or at least reading up on these technologies.

Building a Modernizing Infrastructure Using Microsoft Technologies

If what you have is working great, then why change it? While that may very well be true, every business needs to adapt to the times and modernize if they want to maintain their success. Otherwise, your rivals won’t hesitate to take advantage if they can. Take Nokia for instance.

During the 90s, it dominated the smartphone market and at its peak in late 2007, it had a 50.9% share of the smartphone market. Yet, just 6 years later that number had plummeted to just 3.1%. Other companies came in with new technologies, the market changed, and Nokia has never fully recovered.

Modernizing helps you to expand your capabilities while reducing operational costs. And by leveraging cloud capabilities, you can unlock the limitless potential that can take your business to the next level. Microsoft Technologies provide you with the ideal platform to transform your IT infrastructure. And in this blog, we’ll show you just what these solutions can add to your business.   

Created for evolving businesses

Technology has changed the way businesses operate. The various solutions that are available to us have created new markets as well as exciting ways to serve clients. Whether it’s the scalability that Azure gives you, the flexibility provided by Endpoint Manager, or the security you get with Microsoft Defender ATP. The benefits are plenty. Evolving businesses can put themselves in a position where they reduce their overhead, streamline their operations, and market themselves better. Microsoft has recognized the needs that businesses have regarding effective IT solutions. 

Overview of Microsoft Technologies

The Microsoft Technologies that we’ll be going over consist of brilliant tools that will modernize your IT infrastructure. Rather than being individual entities that operate completely apart, Microsoft has designed these technologies such that they can function together. This will enhance your overall IT management and bring greater efficiency to your organization. The following technologies are going to be the focus of this blog:

1) Azure Active Directory

Microsoft’s cloud-based multi-tenant identity and access management service enables employees to sign in and access services from anywhere. Azure Active Directory (Azure AD) has plenty of features that help modernize your infrastructure, among which:

  • Application management: manages all apps, both cloud and on-premises, using Application Proxy, single sign-on, the MyApps portal, and any SaaS apps.
  • Authentication: manages Azure AD self-service password reset, MFA, smart lockout, and custom banned password list.
  • Conditional access: enforces and maintains control over access to your cloud apps.
  • Device management: controls the access that cloud and on-premises devices get to corporate data.
  • Business-to-business: helps you to maintain control over corporate data by managing guest users and external partners.
  • Reports and monitoring: allows you to receive insights concerning the security and usage patterns in your environment.

Key benefits

The advantage you’ll get from features like single sign-on is that employees won’t need multiple sign-ons for all their apps so password compliance issues are reduced. Simplified collaboration with guest users is possible because Azure AD allows you to invite these users into your directory to assign access. Also, the availability of real-time monitoring in conjunction with MFA and conditional access provides your organization with excellent application security and management control. And if you have productivity solutions that aren’t Microsoft products, you can still use them because Azure AD supports other OS and virtual tools.

2) Windows Autopilot

Windows Autopilot is Microsoft’s solution for transforming the provisioning of devices into an automated and friendly process. It aims to eliminate the countless, painful hours spent manually setting up devices. Undoubtedly, this is a product that will be a big hit with IT teams and it should please most employees as well. Its features include:

  • User-driven mode: provides a simple do-it-yourself approach to setting up new devices. This enables end-users to quickly get up and running without needing IT.
  • Self-deploying mode: allows you to deploy a Windows 10 device as a kiosk, digital signage device, or a shared device with minimal user interaction.
  • Support for existing devices: makes the process of deploying the latest version of Windows 10 to your existing devices quick and painless. In addition, whatever apps you need will be installed automatically and you’ll get your work profile synched as well.
  • Pre-provisioned deployment: partners and IT can pre-provision Windows 10 devices and have them business-ready for companies and their end-users.
  • Windows Autopilot reset: allows you to easily repurpose a device by wiping personal files, apps, and settings then restoring the device’s original settings.
  • Enrollment Status Page (ESP): the ESP tracks the setting up of the device to ensure that the device is fully configured correctly before the end-user can gain access.

Key benefits

As the saying goes, time is money. Hence the importance of the customized out-of-the-box experience (OOBE). It gets devices set up according to an organization’s preferences so that when the end-user receives it, they can immediately start using it. And they’ll have all the collaboration and productivity apps they need already installed. You’ll also gain time by not having to do any OS re-imaging because it’s done automatically. All of this will help to create an environment that empowers the user thereby increasing productivity rather than the restrictive nature of legacy IT.

3) Microsoft Endpoint Manager

Announced at Ignite 2019, Microsoft Endpoint Manager (MEM) is a brilliant development that merges ConfigMgr and Intune into a unified management platform. And you’ll get a lot of services with the product including co-management, Desktop Analytics, and the above-mentioned Windows Autopilot. MEM plays a key role in demonstrating the integration of Microsoft Technologies. Moreover, clients who already have Microsoft 365 licensing can benefit from the majority of the technologies that are within Microsoft Endpoint Manager.

What can MEM do for you?

According to Brad Anderson, Microsoft corporate vice president for Microsoft 365, MEM came about as a way to resolve the confusion surrounding modern management. It offered simplicity. And this simplicity should ease the way of doing business. For clients with ConfigMgr licenses, they automatically get Intune licenses thus enabling them to co-manage their devices.

With up to 190 million devices currently under ConfigMgr or Intune management, IT will get incredible insights that you can use for problem-solving and device deployment. MEM allows you to utilize the cloud where all data is stored in Azure thus eliminating data centers. This gives you the mobility advantages of the cloud as well as the security of Azure. However, some organizations prefer mixed environments so you can still use the cloud while retaining your on-premises infrastructure.

4) MSIX

The endless packaging and repackaging of applications has been the source of constant headaches over the years. Whenever you’d purchase new software, the problems would begin. Someone had to come up with a solution, and thus MSIX came to the fore.

MSIX is a universal package format designed for Windows 10 apps and has support for desktop, mobile, and all other Windows 10 devices. It’s an improvement on AppX and aims to resolve app packaging issues. The UWP features, app customization, and support for all Windows applications make MSIX a massive improvement on the currently available installers. Key features include:

  • Reliability: MSIX can just about guarantee installs with a success rate standing at a very impressive 99.96%.
  • Network bandwidth optimization: MSIX only downloads the 64k block and this allows for a reduction in impact to network bandwidth. It does this by leveraging the AppxBlockMap.xml file that’s in the MSIX app package.  
  • Disk space optimizations: MSIX doesn’t duplicate files across apps and Windows will manage the shared files across apps. Because apps remain independent, updates won’t affect other apps that share the file.

What you stand to gain

Microsoft has created a product that gives you the advantages of both MSI and AppX while eliminating their limitations. And it doesn’t just work on Windows only. You can use it on Linux, OSX, iOS, and Android. MSIX enables you to take a huge step towards modern management. Instead of the previous uncertainties, it offers you safety, reliability, and predictability of deployment. Security is enhanced as well with Windows giving you integrity for apps through tamper protection and policy controls.

5) Microsoft Defender ATP

As amazing as the above technologies are, you cannot successfully modernize your IT infrastructure without effective cybersecurity. In fact, all your efforts would probably be futile. But, with Microsoft Defender Advanced Threat Protection (MDATP), you get an enterprise endpoint security platform that enables your enterprise networks to prevent, detect, investigate, and remediate advanced threats.

Main capabilities

  • Endpoint behavioral sensors: these are sensors that are embedded in Windows 10 that collect and process behavioral signals from the OS. This data is then sent to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
  • Threat and vulnerability management: MDATP has an overview of all the software on a device and can detect security vulnerabilities. It can then provide security recommendations for remediating endpoint vulnerabilities and misconfigurations.
  • Attack surface reduction: this capability enables you to put in place controls that reduce areas that are vulnerable to cyberattacks. With proper configuration settings and application of exploit mitigation techniques, this capability will resist attacks and exploitation.
  • Next-generation protection: MDATP offers you next-generation protection to catch all types of emerging threats.
  • Endpoint detection and response (EDR): EDR is designed to target advanced threats that make it past the first two security pillars.
  • Automated investigation and remediation: these capabilities help to create a reduction in the volume of alerts in minutes at scale.  
  • Microsoft secure score for devices: this tool will help you to carry out an assessment of the security status of your enterprise network and identify unprotected systems. After which, you can apply recommended actions to improve the overall security of your organization.

6) Windows Virtual Desktop

The advances that are happening in the field of technology not only enhance the modern workplace but can also completely change it. And with the internet creating “one global village”, the popularity of remote work has grown significantly. But for this to work, you need effective solutions. Enter Windows Virtual Desktop (WVD).

WVD is a desktop and app virtualization service that leverages the power of Microsoft Azure and runs on the cloud. So it can deliver a virtual desktop as well as remote apps to any device. Depending on your needs, you can configure WVD to run Windows 10 Enterprise, Windows 7 Enterprise, or Windows Server 2012 R2, 2016, 2019.

Benefits to your organization:

  • WVD gives you the ability to deliver Windows 10 desktops on any device, anywhere. By extension, you’ll give your employees an optimum virtual experience.
  • Cybersecurity is crucial and WVD has in-built intelligent security that is fully capable of proactive threat detection and remediation. Security protocols such as Azure Firewall, Azure Security Center, Azure Sentinel, and Microsoft Defender ATP ensure that corporate data is highly secure.
  • Your organization can become more efficient and productive because deployment and scaling can be carried out easily and quickly.
  • Utilizing the modern cloud-based virtual desktop infrastructure (VDI) is a great way to save costs. You’ll only pay for what you use.
  • Another way in which you’ll save costs is licensing. WVD is a free service so it comes with your Microsoft 365 or Windows per-user license.

Maximizing potential

By now most organizations are starting to appreciate just how legacy technology can hold them back. Instead of holding on to what has worked in the past, it’s important to know that technology can expire. Therefore, transformation is a must. Modern infrastructure will help you to reduce your costs, improve your cybersecurity, and provide easy and convenient access to corporate resources from anywhere. Microsoft has a vast array of technologies that can take your organization to the next level. The powerful and flexible hybrid-cloud architecture is something that we can all benefit from.

Microsoft Intune – New Updates in PowerShell Scripts

Microsoft Intune is one of those brilliant products that has helped to optimize IT infrastructure for many businesses. It’s a platform that can transform your business into a modern workplace. And its capabilities are almost without limit. If you want to upload PowerShell scripts in Intune, there is the Microsoft Intune management extension (IME) that you can use for that. This management extension can enhance Mobile Device Management (MDM) resulting in a simpler move to modern management. With all this done, you can then run these scripts on Windows 10 devices. PowerShell scripts are important in a lot of different use cases and this blog is going to take a look at what this technology can do.

What is PowerShell?

PowerShell is a scripting and automation platform belonging to Microsoft. It’s an amazing product that is both a scripting language as well as an interactive command environment that is built on the .NET framework. Released back in 2006, PowerShell was basically a replacement for Command Prompt as the default method for automation of batch processes and creation of customized system management tools. PowerShell can easily automate laborious admin tasks by combining commands known as cmdlets and creating scripts. Available in all Windows OS starting with Windows 2008R2, PowerShell plays a huge role in helping IT professionals configure systems.

Adopting modern management

Modern workplaces now have plenty of user and business-owned platforms allowing users to work from anywhere. With MDM services like Microsoft Intune, you can manage devices that are running Windows 10. The Windows 10 management client will communicate with Intune to run enterprise management tasks. Windows 10 MDM features will be supplemented by IME. With this in place, you can create PowerShell scripts to run on Windows 10 devices e.g, creating a PowerShell script that does advanced device configurations. Having done this, you can upload the script to Intune and assign the script to an Azure AD group. Then run the script. Moreover, you can monitor the run status of the script from start to finish.

Latest updates from Microsoft

In November 2020, Microsoft announced the general availability of PowerShell 7.1 which is built on the foundation of PowerShell 7.0. The goal was to bring about improvements and fixes to the existing technology. Some of these features, updates, and breaking changes include:

  • PSReadLine 2.1.0, including Predictive IntelliSense
  • PowerShell 7.1 has been published to the Microsoft Store
  • Installer packages have been updated for new operating system versions with support for ARM64
  • 4 new experimental features and 2 experimental features promoted to mainstream
  • A number of breaking changes that improve usability

Using scripts in Intune

Before IME can automatically install when a PowerShell script or Win32 app is assigned to the user or device, a few prerequisites should be met:

  • Windows 10 version 1607 or later, Windows 10 version 1709 or later for devices enrolled using bulk auto-enrollment.
  • Devices joined to Azure AD including Hybrid Azure AD-joined which consists of devices that are joined to Azure AD, and are also joined to on-premises Active Directory (AD).
  • Devices enrolled in Intune namely devices enrolled in a group policy, devices that are manually enrolled in Intune, and co-managed devices that use both Configuration Manager and Intune.

Script policy creation

Start by signing in to the Microsoft Endpoint Manager admin center. From there you’ll select Devices then PowerShell scripts then add. Under Basics, you will then have to provide a name and a description for the PowerShell script. Next, you go to Script settings and you’ll have to enter the required properties. After that, you select Scope tags, however, these are optional. And then select Assignments > Select groups to include and an existing list of Azure AD groups will be shown. Lastly, in Review + add, you’ll see a summary of the settings you configured. Select Add to save the script. When you have done so, the policy is deployed to the groups you chose.

Important considerations

If you have scripts that are set to user context with the end-user having admin rights, by default, the PowerShell script runs under the administrator privilege. Also, end-users don’t need to sign in to the device to execute PowerShell scripts. The IME agent checks with Intune once per hour and after every reboot for any new scripts or changes. In the event of a script failing, the agent attempts to retry the script three times for the next 3 consecutive IME agent check-ins. And as far as shared devices are concerned, the PowerShell script runs for every new user that signs in.

PowerShell scripts limitations

Although with Microsoft Intune you can deploy PowerShell scripts to Windows 10 devices, there are a few limitations worth noting. These include: 

  • You won’t get support for running PowerShell scripts on a scheduled basis.
  • Although you can see whether the PowerShell script execution succeeded or failed, the output generated is only available on the endpoint that executes it and is not returned to the MEM Admin Portal.
  • Since executed PowerShell scripts are visible in the Intune Management Extension log file as plain text, credentials can’t be passed securely.
  • The Intune Management Extension agent responsible for executing PowerShell scripts on the endpoints only checks once an hour for new scripts so there is a delay with execution.

Wrap up

Maximizing the time we have is increasingly a massive concern for most organizations. Technological innovation has made it such that we can have more productive time on our hands. PowerShell is a product that is very useful to IT professionals for overall system management. By being able to automate the administration of Windows OS and other applications, organizations can operate more efficiently. The evolution of this platform since its release fourteen years ago has seen it grow from strength to strength. Undoubtedly, this is a product that can easily boost your productivity.        

How AppLocker Improves Security and Compliance

The security of your organization is not something that you can afford to leave to chance. The wave of cybercrime over the last few years has been unrelenting. This is why you need to take advantage of platforms such as AppLocker. By leveraging its application whitelisting feature, you’ll get a very powerful way of stopping a multitude of attacks. And if you configure it correctly, you can massively increase the amount of time it would require for a cyberattacker to get around the system. This is the kind of technology that can enhance the security of your organization. Hence why we need to discuss just how AppLocker will help you with security and compliance measures.

Securing your organization

Arguably the biggest security risk for most organizations comes from employees simply running applications. As long as users can run executables or have access to files that can potentially contain malicious code, your organization is at risk. Such incidents could compromise the entire network and not just a single device. So by helping you to determine which files and applications users can run, AppLocker immediately improves your security. These files can include DLLs, scripts, Windows Installer files, and packaged app installers. Giving system admins greater control in these particular areas will shore up your business’ defenses.

Control allowed software

To maintain high-level security for corporate data and your business as a whole, system admins need to be strict about which softwares and applications are allowed to run. Otherwise, you risk giving access to software that can create vulnerabilities in your network. AppLocker is fully capable of denying applications from running when you exclude them from the list of allowed apps. And in the production environment, when AppLocker rules are enforced any apps that are not in the allowed rules are blocked from running. Therefore, users can’t intentionally or accidentally run software that is explicitly excluded from the allowed list.

AppLocker rules

AppLocker has several different types of files that it can block. This makes it extremely efficient in its whitelisting capabilities because it’s highly unlikely that anything that you want to block will make it through. The types of files that AppLocker can block include the following:

  • Executable files such as .exe, and .com
  • Windows installer files such as .mst, .msi and .msp
  • Executable files such as .bat, .ps1, .cmd, .js and .vbs
  • DLL executables
  • Packaged app installers such as .appx

The organization of the above into rule collections is something that will help you to easily differentiate the rules for different types of apps.

Default rules

In addition to the above, AppLocker also gives you default rules for each rule collection. These rules are allowed in an AppLocker rule collection and they are necessary if Windows is to function correctly. To start, you’ll have to go and open the AppLocker console. Having done that, right-click the appropriate rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules, and packaged application rules. Lastly, click on Create Default Rules.

Monitoring app usage

After you set your rules and deploy the AppLocker policies, monitoring app usage can help you assess whether policy implementation is per your expectations. To understand what application controls are currently enforced through AppLocker rules, you can:

  • Analyze the AppLocker logs in Event Viewer.
  • Enable the Audit-only AppLocker enforcement setting to ensure that the AppLocker rules are properly configured for your organization.
  • Review AppLocker events with Get-AppLocker File Information.
  • Review AppLocker events with Test-AppLocker Policy Windows PowerShell cmdlet to see whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.

Main advantages

Several benefits come with AppLocker that help to make it a more attractive option for any business looking to enhance security and compliance. The first thing is the cost. How much you ask? Well, if you already have the enterprise edition of Windows Server, then there is no extra cost to talk about. Moreover, AppLocker comes as an integrated part of Group Policy, which most Windows Admins are already familiar with. Because of that, this can simplify the AppLocker user experience and make it a seamless one. Also, any AppLocker policy can be imported into Intune as an XML file giving you a similar level of control of apps for MDM-enrolled devices as you would for on-premises, domain-joined devices. And to further save you productive time, Windows internal apps are automatically whitelisted.

Why consider AppLocker?

Even with all the security benefits available, as an organization, you still have to determine whether or not you actually need AppLocker. And for most, the answer will probably be a resounding yes. If your organization needs the ability to verify which apps are allowed to run on your corporate network, then you need AppLocker. Furthermore, if you want to check which users are allowed to use the licensed program, then you probably also need it. To these, you can also add organizations that need to provide audit logs containing the type of apps that clients have been running. And of course, wherever there is a need to prevent overzealous users from running random software, AppLocker can play a significant role.

Wrap up

Only the best technology will do for any organization that seeks to keep cybercriminals away. Attacks are being orchestrated from all around and the degree of sophistication is constantly changing. Therefore, organizations need to take proactive measures to stay ahead of hackers. And platforms such as AppLocker can enable you to do that. By setting up blocks for different types of files and software, you instantly reduce your surface area of attack. It’s time to leverage all available technology to fight back against cybercrime.