AMA: Windows security, chip to cloud
Event details
Let’s talk resiliency, security hardening, and recovery tools! We’re kicking off Tech Community Live: Windows edition, with a one-hour Ask Microsoft Anything (AMA) on all things Windows security. Identity protection, application safeguards, device health, access control: this is an open forum designed to get you the answers you need to help ensure that hardware and software work together to protect your sensitive data, from the core of the device all the way to the cloud.
On the panel: Katharine Holdsworth, Jeffrey Sutherland, Abhijat Singh, Kevin Sheehan
Post your questions now! 😊 There's no registration necessary. Scroll to the bottom of this page and start typing where you see “Leave a comment”. All sessions will be recorded and available on demand after we conclude. We'll leave the Q&A open until 12pm Pacific Time, Friday, December 13 as well to make sure you get the answers you need.
- Heather_Poulsen (Community Manager)
Welcome to Tech Community Live: Windows edition - and today's Windows 11 security AMA! Post your questions here. Experts will be answering on camera and in the chat.
- lalanc01 (Iron Contributor)
Is there a way to set AppLocker rules like we can with the GPO UI, but with Intune?
Asking because it seems that the only way is to generate an XML file and upload it, which can easily create issues/errors.
Thanks
- perlarsen1975 (Microsoft)
No, you need to use a custom policy in Intune to configure AppLocker.
Support Tip: Using AppLocker to create custom Intune policies for Windows 10 apps | Microsoft Community Hub
We have it on our roadmap to make it easier to create policies for Application Control for Business in Intune.
- Joe_Lurie (Microsoft)
Here's the roadmap item so you can keep track!
https://www.microsoft.com/en-us/microsoft-365/roadmap?featureid=397885
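As an added example (not from the AMA or the linked Support Tip), here is the workflow the answer implies in PowerShell: build the EXE rule collection with the built-in AppLocker cmdlets on a reference device, keep it in audit mode, test it locally, and extract the single <RuleCollection> element that an Intune custom (OMA-URI) profile takes as its String value. The reference directory, the rule prefix, the grouping name in the OMA-URI and the output file are assumptions; confirm the OMA-URI and payload shape against the AppLocker CSP documentation before assigning anything.

```powershell
# Added example, not code from the AMA. Needs the AppLocker module (Windows 10/11
# Enterprise/Education) and an elevated session. Paths and names are illustrative.
function New-IntuneAppLockerPayload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Directory,            # assumed reference folder
        [string]$RulePrefix = 'Contoso',
        [ValidateSet('AuditOnly', 'Enabled')][string]$EnforcementMode = 'AuditOnly',
        [string]$OutFile = (Join-Path $env:TEMP 'applocker-exe-payload.xml')
    )

    # 1. Inventory the executables to allow (publisher info for signed files, hash otherwise).
    $files = Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe

    # 2. Build publisher rules with hash fallback, optimized to one rule per publisher/product.
    #    -Xml returns the whole <AppLockerPolicy> document as a string.
    $policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
        -User Everyone -RuleNamePrefix $RulePrefix -Optimize -Xml

    # 3. Pull out the Exe collection and set its enforcement mode. Audit first: this
    #    collection contains NO rules for %WINDIR% or %PROGRAMFILES%, so 'Enabled' as-is
    #    would block every other executable on the device.
    [xml]$doc = $policyXml
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    $exe.SetAttribute('EnforcementMode', $EnforcementMode)

    # 4. Sanity-check the policy locally before it leaves the reference machine.
    $tmp = Join-Path $env:TEMP 'applocker-test.xml'
    $doc.Save($tmp)
    $probe = @("$env:WINDIR\System32\notepad.exe") + (Get-ChildItem $Directory -Recurse -Filter *.exe | Select-Object -First 3 -ExpandProperty FullName)
    Test-AppLockerPolicy -XmlPolicy $tmp -Path $probe -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize | Out-Host
    # notepad.exe shows DeniedByDefault here: that is the missing default rules, not a bug.

    # 5. Intune's custom profile wants only the <RuleCollection> element. Assumed OMA-URI
    #    (grouping name is arbitrary, per the AppLocker CSP docs):
    #    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Contoso/EXE/Policy
    $exe.OuterXml | Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

# Usage (assumed path):
# New-IntuneAppLockerPayload -Directory 'C:\Program Files\Contoso'
```

Paste the file contents into the custom profile's String value and assign it to a pilot group; read the AppLocker operational log (Microsoft-Windows-AppLocker/EXE and DLL) for 8003 audit events before you switch the collection to Enabled, and add the default allow rules for Windows and Program Files first.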
- genaromayeles (Copper Contributor)
Is there a way to streamline the Multi-Admin Approval (MAA) process by automatically notifying other admins when a script or app requires approval?
- Joe_Lurie (Microsoft)
genaromayeles Today Intune doesn't notify admins about these requests, but it's great feedback! You could probably configure this in your tenant using Power Automate or Graph. I'll bring this to the PM working on this feature 😊
- lalanc01 (Iron Contributor)
Is there a way to have a consolidated view of which Defender settings/exclusions are set for a specific device in the Intune portal, so as to avoid having to connect directly to the device to get the info from the registry and via PowerShell?
Thanks
- perlarsen1975 (Microsoft)
No, only by looking into each policy assigned to a device.
But thanks for the feedback.
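Since the answer is that the portal only shows the policies, the practical fallback is to read the effective configuration from the device itself. The following is an added example (not from the AMA) that gathers what Get-MpPreference reports after all Intune and GPO settings have merged, plus the policy-written exclusion keys, into one object that can be diffed against what the assigned Intune policies claim. The registry path is the documented Defender policy location; whether your tenant's policies populate it is an assumption.

```powershell
# Added example, not code from the AMA. Run elevated on the device, or remotely via
# Invoke-Command (see usage at the bottom).
function Get-DefenderEffectiveConfig {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference        # merged result of local + GPO + MDM settings
    $status = Get-MpComputerStatus    # runtime state (mode, tamper protection, signatures)

    # ASR rules come back as two parallel arrays; zip them into GUID -> action name.
    $actionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    $asr  = [ordered]@{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$acts[$i]
        $asr[$ids[$i]] = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { $code }
    }

    # Exclusions pushed by policy (GPO or the Defender CSP) are stored as value NAMES
    # under these keys; they are the ones that do not appear in the Windows Security UI.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
    $policyExcl = foreach ($kind in 'Paths', 'Extensions', 'Processes') {
        $key = Join-Path $policyRoot $kind
        if (Test-Path $key) {
            foreach ($name in (Get-Item $key).GetValueNames()) {
                [pscustomobject]@{ Kind = $kind; Value = $name }
            }
        }
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        AMRunningMode          = $status.AMRunningMode
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        TamperProtection       = $status.IsTamperProtected
        SignatureVersion       = $status.AntivirusSignatureVersion
        CloudBlockLevel        = $pref.CloudBlockLevel
        MAPSReporting          = $pref.MAPSReporting
        SubmitSamplesConsent   = $pref.SubmitSamplesConsent
        PUAProtection          = $pref.PUAProtection
        NetworkProtection      = $pref.EnableNetworkProtection
        ControlledFolderAccess = $pref.EnableControlledFolderAccess
        AsrRules               = $asr
        ExclusionPaths         = @($pref.ExclusionPath)
        ExclusionExtensions    = @($pref.ExclusionExtension)
        ExclusionProcesses     = @($pref.ExclusionProcess)
        ExclusionIpAddresses   = @($pref.ExclusionIpAddress)
        PolicyExclusionKeys    = @($policyExcl)
    }
}

# Usage:
#   Get-DefenderEffectiveConfig | ConvertTo-Json -Depth 4 > "$env:COMPUTERNAME-defender.json"
#   Invoke-Command -ComputerName PC01 -ScriptBlock ${function:Get-DefenderEffectiveConfig}
```

Two caveats: if the "hide exclusions from local users/admins" setting is enforced, the Exclusion* lists come back empty unless you run as SYSTEM (for example from an Intune remediation script), and the policy keys only tell you what policy wrote, not whether Tamper Protection rejected a later local change, which is why the object carries both views.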
- lalanc01 (Iron Contributor)
Hi, is there a way to enable Smart App Control when provisioning a device with OSD?
The docs say that it can only be used when enabled at device installation, but I don't see ways to enable it for hybrid joined devices.
This would be great to start our app hardening journey.
Thanks in advance
- Pearl-Angeles (Community Manager)
Thanks for participating in the AMA: Windows security: chip to cloud! For reference, the panel covered this topic at around 7:10.
- lalanc01 (Iron Contributor)
Hi, are there other options than Network Unlock to prevent users from having to enter their BitLocker PIN?
Thanks
- Jason_Sandys (Microsoft)
Hi Lalanc01. No. The options are extremely limited, mostly by design and the limitations of the platform at the time it was designed. This is one of the reasons many recommend not using a PIN at all. This is not a universal recommendation, but is something to consider when choosing whether or not to enforce a PIN. If your organization feels that they need a PIN, I'd first suggest revisiting this as there's a lot of unfounded and outdated FUD floating around out there on this. If you still come to the conclusion that you need to enforce a PIN, then you should look at Personal Device Encryption (PDE) instead of or on top of BitLocker (without a PIN), as PDE implements a layer of file system encryption that is gated by Windows Hello for Business, thus actually being more secure and easier to use for end users.
- lalanc01 (Iron Contributor)
Yes, PDE will surely help once we move to 24H2, since it supports a broader scope of documents/places.
Could you elaborate a bit more on 'lot of unfounded and outdated FUD floating around'? This could help in our discussions with our security team for a need for the PIN.
Thanks
- Joe_Lurie (Microsoft)
Hey Stefane (lalanc01), good to see you here! Network Unlock is handy when devices are being updated and rebooted overnight, so the device is ready for the end user when they come in in the morning, instead of stuck at the PIN screen. You really have two choices here:
- Use Network Unlock
- Remove the PIN requirement
Fortunately, we added hotpatching to Windows 11 Enterprise, version 24H2. Make sure you join that AMA as well, as it will allow the updates to install and be active even without a reboot: AMA: Hotpatching Windows - client and server - December 11, 2024 - Microsoft Event
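Both replies above come down to a per-volume question: which protector stops the boot, and is Network Unlock present? The following added example (not from the AMA) reports that posture from the BitLocker module's own objects and, for the "remove the PIN requirement" option, swaps a TPM+PIN protector for a TPM-only one while keeping a recovery password in place. Protector type names are the ones the BitLocker module returns; the assumption that a recovery password has already been escrowed (to Entra ID or AD) is yours to verify before running the second function.

```powershell
# Added example, not code from the AMA. Requires the BitLocker module and an elevated session.
function Get-BitLockerPreBootPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = "$($vol.VolumeStatus)"
        ProtectionStatus  = "$($vol.ProtectionStatus)"
        Protectors        = $types -join ', '
        # Either PIN-bearing TPM protector halts an unattended reboot at the PIN prompt.
        PinRequiredAtBoot = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        NetworkUnlock     = 'TpmNetworkKey' -in $types
        RecoveryPassword  = 'RecoveryPassword' -in $types
    }
}

function Set-BitLockerTpmOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $pin = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -in 'TpmPin', 'TpmPinStartupKey' })
    if ($pin.Count -eq 0) { Write-Verbose "No PIN protector on $MountPoint"; return }

    # Between removing the PIN protector and adding the TPM protector, the recovery
    # password is the ONLY way to unlock the volume, so refuse to proceed without one.
    $rp = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        throw "No recovery password protector on $MountPoint. Add one and escrow it (e.g. BackupToAAD-BitLockerKeyProtector) first."
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace TPM+PIN protector with TPM-only protector')) {
        # A volume holds one TPM-based protector, so the PIN variant goes first.
        # If GPO/Intune still mandates a PIN, the Add below is refused by policy:
        # relax the policy (RequireStartupAuthentication / UseTPMPIN) before running this.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $pin[0].KeyProtectorId | Out-Null
        Add-BitLockerKeyProtector    -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    Get-BitLockerPreBootPosture -MountPoint $MountPoint
}

# Usage:
#   Get-BitLockerPreBootPosture            # inventory; run fleet-wide via a remediation script
#   Set-BitLockerTpmOnly -WhatIf           # dry run
#   Set-BitLockerTpmOnly -Verbose          # perform the swap
```

Run the inventory function first: a device showing PinRequiredAtBoot = True and NetworkUnlock = False is exactly the "stuck at the PIN screen after an overnight reboot" case from the thread, and the swap only makes sense once the BitLocker policy assigned to that device no longer requires startup authentication.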
- lalanc01 (Iron Contributor)
Thanks Joe, yes, hotpatching is good, but since BitLocker is suspended during patching with Autopatch, it's less of a concern.
It's more about when we need to reboot devices for whatever reason, or when there's a power outage and the user is working remotely from home and IT just powers on the machine.
- Anikpal123 (Copper Contributor)
How can I see ransomware in Windows Security?
- perlarsen1975 (Microsoft)
Anikpal123 Can you elaborate on your question?
- Anikpal123 (Copper Contributor)
To detect any type of malware on the PC. In the Windows Defender security system, the ransomware feature is not found. How can I find this?
- genaromayeles (Copper Contributor)
When I have an MAA policy set in my tenant, I noticed that while building an application for deployment, the dependency and supersedence options are not editable after the detection rules step. Instead, it skips directly to scope tags and then to review and submit for approval. Could you explain why this happens and how to address it?
- Jason_Sandys (Microsoft)
This does not sound like expected behavior to me and could be an anomaly somewhere. I suggest opening a support case to investigate further, determine root cause, and pass on to the product team if action is required to address this.
- lalanc01 (Iron Contributor)
Is there a way to test Administrator protection with 24H2, or do we need to use Insider builds?
If it's only on Insider builds, do you know if it will be available later in 24H2 or only in 25H2?
Thanks
- perlarsen1975 (Microsoft)
It is currently only for Insider builds: Administrator protection on Windows 11 | Microsoft Community Hub
- jeddy_ (Iron Contributor)
This is more of a comment than a question - I just wanted to call out that the Intune Policy CSP documentation still has large gaps when compared to traditional Group Policy documentation, especially for newly updated settings. I recently had an issue where the DeviceLock CSP documentation at https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-devicelock did not have any documented formatting for AccountLockoutPolicy, and I had to go find it in a Microsoft GitHub repo at https://github.com/microsoft/osconfig/blob/main/security/SecurityBaseline_WindowsServer_2025-2409.csv . This has been the case for some other CSP settings also.
- Kevin_Sheehan (Microsoft)
Great question! Not all settings in GP were originally brought to MDM. We added around 70 or so including new DeviceLock policies in 24H2, and will be backporting in the first quarter of '25 to all in service Win11 releases. Most of the new batch are local security policies, system services, user rights, etc. We'll update the docs when the backport is done, as we don't want to confuse people until they are available and in Settings Catalog.