AMA: Windows security and best practices
Wednesday, Jun 05, 2024, 07:30 AM PDT
Have questions about the latest security features and updates for Windows 11? Learn how to better protect your data and identities. Explore defaults, customization, and best practices that enable you to “lock down” Windows in your environment. Our product and engineering teams are here to help you stay ahead of evolving threats with Windows. Ask us anything!
This session is part of Tech Community Live: Windows edition.
Heather_Poulsen
Updated Dec 27, 2024
- Char_Cheesman (Bronze Contributor)
That concludes this AMA! Thanks for joining us and we hope you enjoyed this session.
If you missed the live broadcast, don’t worry – you can watch it on demand.
Stay up to date on the latest in Windows! Bookmark the Windows IT Pro Blog and follow MSWindowsITPro on X and LinkedIn. Want more tips, tricks, and insights from the experts? Tune in to Windows Office Hours each month here on the Tech Community.

In addition to the questions posted on this page, we also answer questions posted in reply to the event on LinkedIn and X (Twitter). Here are the questions we answered today:
From LinkedIn -- What's the difference between Windows Hello and Windows Hello ESS? - answered at 3:25
From X -- Is Win32 app isolation integrated with Visual Studio? - answered at 6:35
From X -- (Referring to Pluton for servers) Is this something we should be looking at for our on-prem 2022 servers? - answered at 25:50
From LinkedIn -- Is the Secure Future Initiative different than Trustworthy Computing - or just an evolution? - answered at 39:35
From LinkedIn -- How is PDE different than BitLocker? Where should it be used? - answered at 47:10
- lexcyn (Steel Contributor)
It would be really nice if in the Intune built-in compliance settings we had a Windows Hello for Business setting natively so we could ensure users have it registered, since our business requires it to be registered (we are currently relying on custom compliance scripts that are a bit wonky).
- Jason_Sandys
Microsoft
Thank you for the feedback. There are aspirations for this but nothing to share at this time. An alternate approach here is to remove the password credential provider from the Windows login screen, ensuring that users can only use WHfB to sign in: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-passwordless-experience-expands/ba-p/3962005
- lexcyn (Steel Contributor)
Thanks! This would be something that we'd look at a bit farther along in the future since we are not quite there to support a true passwordless environment yet 🙂
- TG (Copper Contributor)
- Kevin1575 (Occasional Reader)
Just saw that as well. I feel like it should be the other way around.
- Jason_Sandys
Microsoft
I'll note this for the team and follow up.
- Char_Cheesman (Bronze Contributor)
We're halfway through the AMA: Windows security and best practices! Keep your questions coming. Thanks!
- Sal_INC2 (Occasional Reader)
Hi, I heard that Microsoft is introducing new configurations in Windows Firewall. Can you talk about the enhanced management and capabilities for the built-in Windows Firewall to help IT provide better overall protection? Would love your feedback. One example: Application Control for Business (also known as Windows Defender Application Control) app ID tagging with Windows Firewall rules through Intune. This enables IT to target Windows Firewall rules to specific applications without an absolute file path.
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows security and best practices! For reference, the panel covered your question at 27:40.
- Kevin1575 (Occasional Reader)
When will Config Refresh be GA?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows security and best practices! For reference, the panel covered your question at 32:40.
- Joe_Lurie
Microsoft
Kevin1575 When we GA a new feature from a preview status, that GA date is based on quality, not on the calendar. Today we do not have a GA date to share. Please keep an eye on the https://aka.ms/IntuneNew page for any updates to Config Refresh.
- Jason_Sandys
Microsoft
Kevin Sheehan addressed this on camera a few minutes ago (somewhere around the 18 minute mark). It's already GA today but requires the 5D update (May out of band quality update which will be rolled into the June monthly cumulative update). To my knowledge, there is a blog in coordination that will discuss this as well.
- SimonHalpin (Copper Contributor)
We are looking at using Security Baselines in Intune and moving away from the CIS hardening policy we currently apply via GPO as part of our migration away from GPOs. Is there an already documented process that can easily identify each setting in the security baseline and where it maps against CIS policy?
- Jason_Sandys
Microsoft
Hi Simon. I'm not sure if I follow the intent here. If you are moving away from CIS, why do you need to have a mapping between the Windows security baseline and CIS? Ultimately, to answer the question though, no, CIS is the product of a third party and thus we don't provide any direct collateral or guidance on how to use or implement it. Our recommendation and guidance is that the Windows security baseline is sufficient to begin your journey for locking down Windows.
- Joe_Lurie
Microsoft
SimonHalpin There is no one to one mapping between Security Baselines and CIS Benchmarks. See FAQ here: Learn about Intune security baselines for Windows devices | Microsoft Learn
- SimonHalpin (Copper Contributor)
OK, my scenario is I need to justify to our IT security team why I believe Intune Baselines would be better for us as an organisation over the CIS policy. My main reason is to get away from GPO and eventually move devices to Entra joined rather than hybrid. When we scan a machine with the CIS SAT checker tool, the CIS policies make it 64% compliant, whereas a security baseline-only built machine is 43% compliant. Now, I did try to explain that the CIS tool is marking its own homework so it wasn't a fair comparison, but I need to show that baselines will secure us better and make it easier to make changes moving forward.
- RuanITCJ (Brass Contributor)
We remove Quick Assist from our devices because there are no policies that provide us with security and control over who can send or receive requests. Will there be any policies coming for Enterprises to control Quick Assist?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows security and best practices! For reference, the panel covered your question at 20:10.
- Jason_Sandys
Microsoft
I don't know of anything specific planned for Quick Assist itself, as central management requires a management tool like Intune, and thus this is the entire purpose of Remote Help in Intune.
- RuanITCJ (Brass Contributor)
The problem with Remote Help in Intune is that it requires an additional license. Not sure why it's not included as part of the normal Intune license.
- bdoknack (Brass Contributor)
What is the roadmap for Defender and ARM and feature parity with x64 processors?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows security and best practices! For reference, the panel covered your question at 26:50.
- Joe_Lurie
Microsoft
bdoknack Thanks for the question. We can't really give roadmap info here, but generally speaking, we are looking throughout the Intune admin center at any place where Arm management does not have feature parity with x64, and looking to add that parity. Keep an eye on the https://aka.ms/IntuneInDev and https://aka.ms/IntuneNew pages for features under development or newly released.
- Saxe1234 (Occasional Reader)
How about Microsoft Recall? We have a Citrix Farm and we offer SSH/RDP access for Windows clients which are not under our control. And we don't like the idea that Windows is automatically taking screenshots, even if they are stored locally (for now).
From which apps will screenshots be taken? Only Microsoft-owned apps or any?
- Char_Cheesman (Bronze Contributor)
Thanks for participating in today's session of AMA: Windows security and best practices! For reference, the panel covered your question at 29:40.