Block Microsoft from running experiments in the Microsoft Edge browser
Browsers like Firefox, Chrome or Microsoft Edge come with built-in functionality to run experiments. Browser makers like Mozilla or Google may enable or disable features or changes in select browsers; this is often used to A-B test features or get early feedback on new implementations. While most users may not even notice that experiments are running in their browsers, it happened in the past that experiments caused issues. The latest case was revealed in November when administrators from around the world reported that a Chrome experiment would crash browsers in organizations worldwide. Negative side-effects of experiments are a problem for home users and business users alike, and it is often desirable to disable or block experiments from being downloaded and run. Microsoft distinguishes between controlled feature rollouts and experiments in the company's new Chromium-based Microsoft Edge web browser. Both are made available to part of the user base when they start to roll out but similarities end here. Microsoft notes: Microsoft Edge builds have features and functionality that are still in development or are experimental. Experiments are like CFR, but the size of the user group is much smaller for testing the new concept. These features are hidden by default until the feature's rolled out or the experiment's finished. Experiment flags are used to enable and disable these features. System administrators may use the "Control communication with the Experimentation and Configuration Service" on pro and Enterprise editions of Windows 7, 8.1 or 10 to prevent experiments in the browser. Here is what is needed for that: Get the latest Microsoft Edge policy file from the Microsoft Edge Insider website. It is likely that the policies will become available natively eventually when Edge is released and integrated in Windows. Extract the file (first a cab, then a zip). Open Windows > Admx. Copy the two .admx template files to C:\Windows\PolicyDefinitions\. Open the language folder that matches the system language and copy the .adml files to the corresponding language folder of C:\Windows\PolicyDefinitions\ Open Start, type gpedit.msc and hit the Enter-key to open the Group Policy Editor. Consult this Docs page on the Microsoft website for additional scenarios, e.g. when domain controllers are used. Open Computer Configuration > Administrative Templates > Microsoft Edge. Open the policy "Control communication with the Experimentation and Configuration Service" policy. Set the policy to Enabled. Set it to either "Retrieve configurations only" or "Disable communication with the Experimentation and Configuration Service". Retrieve will download configuration payloads only, disable won't download or enable them. The behavior of not configuring the policy differs depending on whether it is a managed or unmanaged device. Managed devices will download the configuration only while unmanaged devices will retrieve configurations and experiments. Source
Block 3rd Party Mail/Calendar Apps
Hi all, Is it possible to block users from logging into their Office 365 accounts via 3rd party iOS apps such as MyMail which is found on the Appstore/Play Store ? Link to MyMail: https://itunes.apple.com/us/app/mymail-email-app/id722120997?mt=8 We're in the process of migrating all users to Outlook for iOS/Android. If corporate owned, they will enroll via the Company Portal app and have Outlook, Work, Excel, PowerPoint, Teams, OneDrive & Authenticator auto installed/pushed. If they are BYOD, I need them to only use Outlook for iOS/Android with an app password forced via Intune App Protection Policy. I've attempted disabling ActiveSync, + OWA for Devices within O365. No luck. Appreciate any input. Cheers Brett
Block USB Drive by Serial Number
I would love to see the ability to block a USB drive by it's serial number in Defender. When you see a USB storage device as the origin of a new threat introduced on the network it would be great to block it so it cannot continue to spread. Notes: I do not want to block all USB drives. Auto USB actions already blocked.Microsoft will be pushing out the new Edge via Windows Update to the majority of Windows 10 users
Microsoft will be pushing out the update, replacing the old Edge, to all Windows 10 users on Windows 10 RS4 (April 2018 Update) and newer. but there is a way Not to get it if you don't want to. To help our customers become more secure and up-to-date, Microsoft will distribute Microsoft Edge (Chromium-based) through Automatic Updates for Windows 10 RS4 and newer. The Blocker Toolkit is intended for organizations that would like to block automatic delivery of Microsoft Edge (Chromium-based) to machines in environments where Automatic Updates is enabled. The Blocker Toolkit will not expire. For computers running Windows 10 RS4 and newer, the Blocker Toolkit prevents the machine from receiving Microsoft Edge (Chromium-based) via Automatic Updates. The Blocker Toolkit will not prevent users from manually installing Microsoft Edge (Chromium-based) from internet download, or from external media. Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or System Center Configuration Manager. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Microsoft Edge (Chromium-based), within their environment. You can download the Blocker Toolkit executable file from https://msedgeblockertoolkit.blob.core.windows.net/blockertoolkit/MicrosoftEdgeChromiumBlockerToolkit.exe. More info and Source: https://docs.microsoft.com/en-au/deployedge/microsoft-edge-blocker-toolkit
Microsoft Family safety feature is not working with Edge Android or stable on Windows 10
My account is the group's organizer, the Microsoft account that I've added to my family group, as a member has Windows 10 latest version 20H2 with Edge stable and Windows Defender on laptop. signed in with the same Microsoft account in Windows 10 and Edge profile. when I add a website to be blocked in here, it's never blocked, I can still access it on Windows 10 using Edge stable 87. does anyone have any experience with this that can help? only if you've done this before successfully.
Fast Microsoft recommended driver block rules update with automatic scheduled task
Microsoft recommended driver block rules in Windows are automatically updated starting with Windows 11 22H2, twice per year, but the list itself is updated more often. Microsoft provides ways to update them faster and out of the schedule. I've created a PowerShell script that does this automatically and you only need to run the script once, then it will create a scheduled task in Windows that runs every 7 days and renews the recommended drivers block list. # create a scheduled task that runs every 7 days if (-NOT (Get-ScheduledTask -TaskName "MSFT Driver Block list update" -ErrorAction SilentlyContinue)) { $action = New-ScheduledTaskAction -Execute 'Powershell.exe' ` -Argument '-NoProfile -WindowStyle Hidden -command "& {Invoke-WebRequest -Uri "https://aka.ms/VulnerableDriverBlockList" -OutFile VulnerableDriverBlockList.zip;Expand-Archive .\VulnerableDriverBlockList.zip -DestinationPath "VulnerableDriverBlockList" -Force;Rename-Item .\VulnerableDriverBlockList\SiPolicy_Enforced.p7b -NewName "SiPolicy.p7b" -Force;Copy-Item .\VulnerableDriverBlockList\SiPolicy.p7b -Destination "C:\Windows\System32\CodeIntegrity";$job = Start-Job -Name "Job1" -ScriptBlock { CiTool.exe -r };Start-Sleep -s 15;Stop-Job $job;Remove-Item .\VulnerableDriverBlockList -Recurse -Force;Remove-Item .\VulnerableDriverBlockList.zip -Force;}"' $TaskPrincipal = New-ScheduledTaskPrincipal -LogonType S4U -UserId $env:USERNAME -RunLevel Highest # trigger $Time = New-ScheduledTaskTrigger ` -Once -At (Get-Date).AddHours(3) ` -RepetitionInterval (New-TimeSpan -Days 7) ` # register the task Register-ScheduledTask -Action $action -Trigger $Time -Principal $TaskPrincipal -TaskPath "MSFT Driver Block list update" -TaskName "MSFT Driver Block list update" -Description "Microsoft Recommended Driver Block List update" # define advanced settings for the task $TaskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Compatibility Win8 -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 3) # add advanced settings we defined to the task Set-ScheduledTask -TaskPath "MSFT Driver Block list update" -TaskName "MSFT Driver Block list update" -Settings $TaskSettings } https://github.com/HotCakeX/Harden-Windows-Security/wiki/Fast-and-Automatic-Microsoft-Recommended-Driver-Block-Rules-updates
