AMA: Windows security, chip to cloud
Event details
Let’s talk resiliency, security hardening, and recovery tools! We’re kicking off Tech Community Live: Windows edition, with a one-hour Ask Microsoft Anything (AMA) on all things Windows security. Identity protection, application safeguards, device health, access control: this is an open forum designed to get you the answers you need to help ensure that hardware and software work together to protect your sensitive data, from the core of the device all the way to the cloud.
On the panel: Katharine Holdsworth, Jeffrey Sutherland, Abhijat Singh, Kevin Sheehan
- Pearl-Angeles
Community Manager
In addition to the questions posted on this page, we also answer questions posted in reply to the event on LinkedIn and X (Twitter). Here are the questions we answered:
Question -- Windows security discussion board on Tech Community -- I’ve read a few mentions of the Secure Future Initiative. And during Ignite I heard about something called the Windows resiliency initiative. Are these the same thing? Related? - answered at 4:27.
Question from the Tech Community -- Is there a way to enable Smart app control when provisioning a device with OSD? The docs say that it can only be used when enabled at device installation, but I don't see ways to enable it for hybrid joined devices. This would be great to start our app hardening journey. Thanks in advance. - answered at 7:10.
Follow-up question -- How does Smart App Control work in the scenario where you have an unsigned app? - answered at 10:48.
Question from LinkedIn -- Can you help me understand the distinction between User Account Control and admin protection? (Is there some sort of comparison graphic?) - answered at 14:44.
Question from X (formerly Twitter) - On Config Refresh - is there a min or max time frame? Can I set it different for certain groups of devices? - answered at 20:08.
Follow up question: What happens with Config Refresh if the PC goes offline? - answered at 23:01.
Question from Tech Community -- How does admin protection work if you remote into a user’s laptop? For example, if the user is working from home and you as IT support need to use a domain admin account on the remote computer e.g. need to remove some faulty software. - answered at 24:04.
Question from X -- How does Personal Data Encryption select what files to encrypt? - answered at 27:30.
Question from Tech Community - Going back to admin protection -- What about the hidden, system generated accounts and profiles? Is it only one always and preserved—or is there one generated per process and the whole profile deleted afterwards—or is it per user elevating things and the profiles deleted/kept around or ...? - answered at 29:38.
Question -- Your team has done a lot of work making sure more devices have access to device encryption by default, can you share more about what your team is focused on and what it means for users? - answered at 31:46.
Question from X -- Sorry if this is simple, but how do App Control and App Locker fit together? - answered at 33:22.
Question sent to our Windows Community Manager in a private message -- I am having SUCH a hard time getting our IT team to move past traditional Group Policy and into MDM or, seems far for us, Config Refresh. How do I convince them it's time to move forward and modernize some things? - answered at 38:23.
Question from Tech Community -- Is there a way to test Administrator protection with Windows 11, version 24H2 or do we need to use insider builds? - answered at 43:13.
Question from LinkedIn -- When should we use EFS vs. Personal Data Encryption? Can we use both? - answered at 44:31.
Question -- Do any Windows apps have Personal Data Encryption on by default if it's enabled on the device? Or do we always have to set it? - answered at 47:02. For demos on personal data encryption go to https://aka.ms/Ignite2024/BRK290 & https://aka.ms/ignite2024/OD811
Question -- Will it just prompt for a password instead of Windows Hello authentication which (from my understanding) is tied to the machine? - answered at 48:51.
- Heather_Poulsen
Community Manager
Thank you for joining today's AMA at Tech Community Live! We'll leave the Q&A open here through 12pm PST Friday for those catching up on demand. Make sure to visit https://aka.ms/TCL/Windows for more great sessions.
- jeddy_
Iron Contributor
This is more of a comment than a question - I just wanted to call out that the Intune Policy CSP documentation still has large gaps when compared to traditional Group Policy documentation, especially for newly updated settings. I recently had an issue where the DeviceLock CSP documentation at https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock did not have any documented formatting for AccountLockoutPolicy, and I had to go find it in a Microsoft GitHub repo at https://github.com/microsoft/osconfig/blob/main/security/SecurityBaseline_WindowsServer_2025-2409.csv . This has been the case for some other CSP settings also.
- Kevin_Sheehan
Microsoft
Great question! Not all settings in GP were originally brought to MDM. We added around 70 or so including new DeviceLock policies in 24H2, and will be backporting in the first quarter of '25 to all in service Win11 releases. Most of the new batch are local security policies, system services, user rights, etc. We'll update the docs when the backport is done, as we don't want to confuse people until they are available and in Settings Catalog.
- lalanc01
Iron Contributor
Is there a way to test Administrator protection with 24h2 or we need to use insider builds?
If it's only on insider builds, do you know if it will be available later in 24h2 or only on 25h2?
Thanks
- Per-Larsen
Microsoft
It is currently only for insider builds:
Administrator protection on Windows 11 | Microsoft Community Hub
- genaromayeles
Copper Contributor
When I have an MAA policy set in my tenant, I noticed that while building an application for deployment, the dependency and supersedence options are not editable after the detection rules step. Instead, it skips directly to scope tags and then to review and submit for approval. Could you explain why this happens and how to address it?
- Jason_Sandys
Microsoft
This does not sound like expected behavior to me and could be an anomaly somewhere. I suggest opening a support case to investigate further, determine root cause, and pass on to the product team if action is required to address this.
- lalanc01
Iron Contributor
Is there a way to have a consolidated view of which Defender settings/exclusions are set for a specific device in the Intune portal, so as to avoid having to connect directly to the device to get the info from the registry and via PowerShell?
Thanks
- Per-Larsen
Microsoft
No, only by looking into each policy assigned to a device.
But thanks for the feedback.
- genaromayeles
Copper Contributor
Is there a way to streamline the Multi-Admin Approval (MAA) process by automatically notifying other admins when a script or app requires approval?
- Joe_Lurie
Microsoft
genaromayeles Today Intune doesn't notify admins about these requests, but it's great feedback! You could probably configure this in your tenant using PowerAutomate or Graph. I'll bring this to the PM working on this feature 😊
- lalanc01
Iron Contributor
Is there a way to set AppLocker rules like we can with the GPO UI, but with Intune?
Asking because it seems that the only way is to generate an XML file and upload it, which can easily create issues/errors.
Thanks
- Per-Larsen
Microsoft
No, you need to use a custom policy in Intune to configure AppLocker.
Support Tip: Using AppLocker to create custom Intune policies for Windows 10 apps | Microsoft Community Hub
We have it on our roadmap to make it easier to create policies for Application Control for Business in Intune.
- Joe_Lurie
Microsoft
Here's the roadmap item so you can keep track!
https://www.microsoft.com/en-us/microsoft-365/roadmap?featureid=397885
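As an added example (not code from the thread, from Microsoft or from the support tip linked above), the following PowerShell script does the "generate an XML file" step from a reference install of the application, so that the fragment pasted into the Intune custom policy is produced by the AppLocker cmdlets rather than by hand. The folder path, the grouping name and the output file names are placeholders; the OMA-URI is the AppLocker CSP's ApplicationLaunchRestrictions node, and the "default rules" are the two path rules the GPO wizard would add.

```powershell
# Added example, not from the original thread. Builds an AppLocker EXE rule
# collection from a reference install and writes the <RuleCollection> fragment that
# a custom Intune (OMA-URI) policy expects. Run elevated in Windows PowerShell 5.1.
# Assumptions: $ReferenceFolder and $Grouping are placeholders; the OMA-URI follows
#   ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/EXE/Policy
param(
    [string]$ReferenceFolder = 'C:\Program Files\Contoso\LobApp',   # assumption: example path
    [string]$Grouping        = 'ContosoLob',                        # assumption: any stable label
    [string]$OutDir          = $env:TEMP
)

Import-Module AppLocker

# 1. Inventory the executables (publisher certificate chain and file hash per binary).
$fileInfo = Get-AppLockerFileInformation -Directory $ReferenceFolder -Recurse -FileType Exe
if (-not $fileInfo) { throw "No executables found under $ReferenceFolder" }

# 2. Generate rules: Publisher where the binary is signed, Hash where it is not.
#    Hash rules break on every update, so they are a stopgap for unsigned apps only.
[xml]$doc = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Xml
$exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'The generated policy contains no Exe rule collection' }

# 3. Add the two path rules the GPO wizard calls "default rules". Without them the
#    implicit deny that applies once any EXE rule exists also blocks Windows itself.
$defaults = @(
    @{ Path = '%WINDIR%\*';       Name = '(Default Rule) All files located in the Windows folder' },
    @{ Path = '%PROGRAMFILES%\*'; Name = '(Default Rule) All files located in the Program Files folder' }
)
foreach ($d in $defaults) {
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', $d.Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # Everyone
    $rule.SetAttribute('Action', 'Allow')
    $conditions = $doc.CreateElement('Conditions')
    $condition  = $doc.CreateElement('FilePathCondition')
    $condition.SetAttribute('Path', $d.Path)
    [void]$conditions.AppendChild($condition)
    [void]$rule.AppendChild($conditions)
    [void]$exe.AppendChild($rule)
}

# 4. Ship in audit mode first. Event ID 8003 in the AppLocker "EXE and DLL" log shows
#    what would have been blocked; switch to 'Enabled' only when that log is quiet.
$exe.SetAttribute('EnforcementMode', 'AuditOnly')

# 5. Test the complete policy locally before it goes near the tenant. The wrapper
#    document is what Test-AppLockerPolicy wants; the bare collection is what the CSP wants.
$fullPolicy = Join-Path $OutDir 'AppLocker-full-policy.xml'
$doc.Save($fullPolicy)
$samples = @("$env:WINDIR\System32\notepad.exe", "$env:WINDIR\System32\cmd.exe")
Test-AppLockerPolicy -XmlPolicy $fullPolicy -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Emit the fragment to paste into the Intune custom policy (data type: String).
$fragment = Join-Path $OutDir 'AppLocker-EXE-RuleCollection.xml'
$exe.OuterXml | Set-Content -Path $fragment -Encoding UTF8
"OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/EXE/Policy"
"Value   : contents of $fragment"
```

The check in step 5 is the one that catches the classic mistake: a collection that allows the line-of-business app but nothing else, which enforces fine in the lab and then blocks Windows on the first device that gets it. Keep the collection in AuditOnly until the 8003 events stop, then change the single attribute and redeploy the same policy.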
- Anikpal123
Copper Contributor
How can I see Ransomware in Windows Security?
- Per-Larsen
Microsoft
Anikpal123 Can you elaborate on your question??
- Anikpal123
Copper Contributor
To detect any type of malware on the PC. In the Windows Defender security system, the ransomware feature is not found. How can I find this?
- lalanc01
Iron Contributor
Hi, are there other options than Network Unlock to prevent users from having to enter their BitLocker PIN?
Thanks
- Joe_Lurie
Microsoft
Hey Stefane lalanc01 good to see you here! Network Unlock is handy when devices are being updated and rebooted overnight, so the device is ready for the end user when they come in in the morning, instead of stuck at the PIN screen. You really have two choices here:
- Use Network Unlock
- Remove the PIN requirement
Fortunately, we added hotpatching to Windows 11 Enterprise, version 24H2. Make sure you join that AMA as well, as it will allow the updates to install and be active even without a reboot:
AMA: Hotpatching Windows - client and server - December 11, 2024 - Microsoft Event
- lalanc01
Iron Contributor
Thanks Joe, yes hotpatch is good, but since BitLocker is suspended during patching with Autopatch it's less of a concern.
It's more about when we need to reboot devices for whatever reason, or when there's a power outage and the user is working remotely from home and IT just powers on the machine.
- Jason_Sandys
Microsoft
Hi Lalanc01. No. The options are extremely limited -- mostly by design and the limitations of the platform at the time it was designed. This is one of the reasons many recommend not using a PIN at all. This is not a universal recommendation, but is something to consider when choosing whether or not to enforce a PIN. If your organization feels that they need a PIN, I'd first suggest revisiting this as there's a lot of unfounded and outdated FUD floating around out there on this. If you still come to the conclusion that you need to enforce a PIN, then you should look at Personal Device Encryption (PDE) instead of or on top of BitLocker (without a PIN), as PDE implements a layer of file system encryption that is gated by Windows Hello for Business, thus actually being more secure and easier to use for end users.
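As an added example, not from the thread, here is a PowerShell script that shows what the two choices in Joe's reply (Network Unlock, or drop the PIN) and the TPM-only suggestion in Jason's reply look like on an actual device: it reads the key protectors on the OS volume, reports whether the user will see a PIN prompt and whether a Network Unlock protector could suppress it, and, only when run with -RemovePin, replaces a TPM+PIN protector with a TPM-only one. The -RemovePin switch, the Get-BootUnlockPosture helper and its wording are this example's own; the cmdlets and the KeyProtectorType names are the BitLocker module's.

```powershell
# Added example, not from the original thread. Inventories BitLocker protectors on the
# OS volume, explains the boot-time unlock experience and, on request, swaps TPM+PIN for
# TPM-only. Run elevated; supports -WhatIf. Get-BootUnlockPosture and -RemovePin are
# this example's own names; cmdlets and KeyProtectorType values are the BitLocker module's.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$RemovePin
)

function Get-BootUnlockPosture {
    # Maps the protector types present on a volume to what the user experiences at boot.
    param([string[]]$ProtectorTypes)
    $pin = ($ProtectorTypes -contains 'TpmPin') -or ($ProtectorTypes -contains 'TpmPinStartupKey')
    $net = $ProtectorTypes -contains 'TpmNetworkKey'
    if ($pin -and $net) { return 'PIN at boot, except on a wired LAN where the Network Unlock server answers' }
    if ($pin)           { return 'PIN at every cold boot and restart' }
    if ($ProtectorTypes -contains 'Tpm') { return 'Unattended: the TPM releases the key after a healthy measured boot' }
    return 'No TPM-bound protector; review the configuration'
}

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

'{0}: {1}, protection {2}, protectors: {3}' -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, ($types -join ', ')
'Boot experience: ' + (Get-BootUnlockPosture -ProtectorTypes $types)

if ($RemovePin) {
    # Never change protectors without an escrowed recovery password. The TPM-only add also
    # fails while the "Require additional authentication at startup" policy still mandates
    # a PIN, so the policy has to change before the device does.
    if ($types -notcontains 'RecoveryPassword') {
        throw 'Add and back up a recovery password before changing protectors.'
    }
    $pinProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType.ToString() -in 'TpmPin', 'TpmPinStartupKey' }
    foreach ($p in $pinProtectors) {
        $action = "Replace $($p.KeyProtectorType) protector $($p.KeyProtectorId) with TPM-only"
        if ($PSCmdlet.ShouldProcess($MountPoint, $action)) {
            # BitLocker allows one TPM-based protector per volume, so the PIN protector has
            # to go before the TPM-only one can be added. The volume stays unlocked meanwhile.
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmProtector | Out-Null
        }
    }
    $after = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })
    'Boot experience now: ' + (Get-BootUnlockPosture -ProtectorTypes $after)
}
```

Run it with -RemovePin -WhatIf first to see which protector would be replaced without touching the volume. PDE, which Jason suggests on top of TPM-only BitLocker, is a per-user policy setting rather than a volume protector, so it does not appear in this inventory; the point of the pairing is that the disk unlocks unattended for the reboot and power-outage cases in the question above, while the user's files stay sealed until Windows Hello for Business releases them.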
- lalanc01
Iron Contributor
Yes, PDE will surely help once we move to 24H2, since it supports a broader scope of documents/places.
Could you elaborate a bit more on the 'lot of unfounded and outdated FUD floating around'? This could help in our discussions with our security team about the need for the PIN.
Thanks