Monday, May 5, 2025

How to Set Google as the Default Search Engine in Microsoft Edge Using Intune: A Step-by-Step Guide

In today’s digital workplace, customizing browser settings can enhance productivity and user satisfaction. In this post, I’ll guide you through the process of setting Google as the default search engine in Microsoft Edge using Intune. Follow these steps to optimize your team’s browsing experience.

Recently, I wanted to change the default search engine in Microsoft Edge from Bing to Google for our organization. Using the Intune Settings Catalog, I successfully implemented this change. Here’s how I did it:

Step 1: Access the Intune admin portal at intune.microsoft.com.

Step 2: In the left pane, click on Devices. In the Devices Overview page, select Configuration Profiles under the Policy section. Click on “+ Create Profile.”

Step 3: Under Platform, choose Windows 10 and later. Under Profile Type, select Settings catalog and then click on “Create”.

Step 4: Provide a meaningful name and description for the new policy, then click Next.

Step 5: In the Settings Catalog, search for Microsoft Edge and select Microsoft Edge\Default search provider.

Enable and configure the following settings:

  • Configure the new tab page search box experience: Address bar
  • Default search provider name: Google
  • Default search provider URL: https://www.google.com/search?q={searchTerms}
  • Enable the default search provider

Step 6: Configure any necessary Scope tags and click Next. Under the Assignments tab, specify where the policy will be applied. Assign it to a Security Group containing your Base Intune Configuration.

Step 7: On the Review page, check the policy for any issues and then click Create. The policy will successfully apply to your designated group.

Finally, on my test machine, I searched for something in the address bar and confirmed that Google was set as the default search provider instead of Bing!

This simple change streamlined the browsing experience for our users, making searches more efficient and familiar. If you’re looking to do the same, following these steps should help you achieve the desired configuration.

Device Preparation Policy – (Autopilot V2)

While the official name is “Windows Autopilot Device Preparation,” it’s a bit of a mouthful and doesn’t quite capture its essence. Essentially, it’s useful to think of it in terms of “v1” versus “v2”:

With Autopilot v1, devices were registered with the Autopilot service by you or your OEMs/resellers, creating a “big database of devices in the cloud.” Profiles were assigned to groups of these devices, often using dynamic groups, although static groups could also be used if you were registering the devices yourself. During deployment, devices retrieved their Autopilot profile details from the service to complete OOBE, AAD or AD join, MDM enrollment, and the remaining provisioning steps.

Autopilot v2, however, does away with this “big database of devices in the cloud” (to some extent; more on this later). When a Windows device starts up, it follows the usual OOBE screens, such as accepting the EULA and choosing between personal or work/school accounts, until you enter your Entra ID (AAD) credentials. This triggers the Entra ID Join (AAD Join) and MDM enrollment processes, with the Autopilot device preparation details (formerly known as the Autopilot profile and ESP profile) being sent to the device as part of the enrollment payload.

Initially, it might have seemed, from my “reading the tea leaves” post, that there was a “new ESP page” and a “new profile type” (Autopilot Device Preparation) that would apply to all Autopilot scenarios, v1 and v2. However, it’s now clear that these changes are exclusive to v2; v1 won’t receive these updates.

Let’s start creating a Device Preparation Policy

Step 1: Create a security group and add users who will add their device to Autopilot V2 enrollment

Begin by logging into the Microsoft Endpoint Manager admin center and navigating to the “Groups” section. Create a new security group and give it a meaningful name that reflects its purpose. Once the group is created, add the users who will be responsible for adding their devices to the Autopilot V2 enrollment. This setup ensures that only authorized users can enroll devices, enhancing security and manageability.

Step 2: Create a security group for devices and add Intune Provisioning Client as owner

Create a group for devices. This group will be used to manage devices enrolled through Autopilot V2. After creating the group, assign the Intune Provisioning Client as the owner. This step ensures that the provisioning client has the necessary permissions to manage device enrollment and configuration, streamlining the Autopilot V2 process.

Step 3: Create a Device Preparation Policy for Autopilot V2 in the Microsoft Intune Portal

Access the Microsoft Intune Portal and navigate to the “Devices” section. From there, select “Windows” and then “Windows enrollment.” Choose the “Device Preparation Policy” tab and click on “Create profile.” Configure the necessary settings for the Device Preparation Policy.

Start creating the policy.

Step 4: Follow the steps to create the Device Preparation Policy.

Provide a valid Name and Description.

Add the Device Group that we created earlier.

In Configuration Settings, configure the Deployment Settings, OOBE Settings, Apps and Scripts.

We can add up to 10 apps and scripts for our Autopilot Deployment.
Note: Apps should be assigned to the Autopilot Device Group.

Under Assignment add the Autopilot Users Group.

Out-Of-Box-Experience for Windows Autopilot V2

Select Country or Region

Connect to Internet

Provide a Device Name or skip the step.

Select work or school account and sign up with your organizational credentials.

Autopilot V2 Device Registration and Configuration

When using Microsoft Autopilot V2, the initial setup process registers the device without its hash values, so Intune recognizes and manages the device with Autopilot configurations only after the sign-in process. The actual Autopilot configuration, which includes applying profiles and policies, occurs only after the user signs in for the first time. This means that users might see the standard Windows out-of-box experience (OOBE) screens initially, as Autopilot V2 does not allow customization or control over these pages.

Additionally, it’s important to note that Autopilot V2 currently does not support Hybrid Azure AD joined devices, which are devices that are joined to both Azure Active Directory and on-premises Active Directory.

To ensure that devices are correctly identified as either corporate-owned or personal, administrators need to add device identifiers in the Intune Admin Portal. This differentiation is crucial for applying the appropriate policies and security measures, as corporate devices often require stricter controls compared to personal devices. By accurately categorizing devices, organizations can maintain a secure and efficient IT environment.

Cloud Providers with Data Residency in UAE

Unlocking true value in IT operations means embracing SaaS (Software as a Service) delivery. Without it, there’s no relief from operational burdens. But remember, SaaS must also offer data residency for robust governance and audits.

Cloud and Saas Providers with Data Residency in UAE by Sathesh Manoharan

Windows Auto Pilot Configuration

Let’s configure Windows Auto Pilot using Microsoft Endpoint Manager with a deployment profile, manually importing the device into Microsoft Endpoint Manager.

Create a Group to hold Windows Auto Pilot Devices

Devices – Enroll Devices – Windows Enrollment – Deployment Profiles

Create a Deployment Profile

Configure as below –

In Windows 10, version 2004 and later, if the Autopilot deployment profile Language/Region setting is not set to User Select, then OOBE will progress past the language/region/keyboard selection screens. This causes the pre-provisioning technician to arrive at the Azure AD login page, which is too late to enter pre-provisioning. This issue is fixed in Windows 11.

Windows Auto Pilot Deployment Profile

Run PowerShell as administrator

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -OutputFile HP.csv

FN + Ctrl + F10 in Lenovo – For Auto Pilot – From Setup Screen

Get-WindowsAutoPilotInfo.ps1 -Online

Now get the CSV File to Devices

Import the Device to Windows Auto Pilot

Add the Associated devices to Group

Reset PC to Test Auto Pilot – Remove Everything – Cloud or local install – (Cloud install if you have a good connection speed)

If a fingerprint sensor exists, it will detect the fingerprint for Windows Hello for Business.

If you wish to use Pre Provisioning – Press Windows Key 5 times to enter into a different page.

  • Install Provisioning Package
  • Pre-Provision with Windows Autopilot
  • Reset Device

MEM – Configure OneDrive KFM via Intune

In this blog post, we’ll delve into the seamless integration of Intune Policy with OneDrive, focusing particularly on the effortless migration of Known Folders. Exploring the myriad options available, we’ll navigate through the Intune Settings Catalog to configure the OneDrive Known Folders move policy.

Whether it’s a physical setup or a virtual environment like AVD or Cloud PC, the OneDrive Known Folders Move (KFM) emerges as a pivotal solution. Among the familiar Windows Folders—Desktop, Documents, and Pictures—this policy ensures a smooth transition, optimizing storage utilization.

To complement the OneDrive KFM, it’s imperative to implement the OneDrive Files On-Demand policy, a strategic move to conserve device space by adopting an on-demand file access approach.

Finally, we’ll unravel the step-by-step configuration process of the OneDrive Known Folder Move (KFM) policy, facilitating automatic user logins and seamless file saving, all orchestrated through the Intune Settings Catalog.

Objective :

  • Setup OneDrive for Business for end-users
  • Enable KFM (Known Folder Move)
  • Block end-users from reverting known folders configuration to their PC
  • Block personal OneDrive accounts
  • Restrict OneDrive client to sync only specific Azure AD tenant
  • Enable Files On-Demand

Step 1: To begin setting up the Known Folder Move and restricting the OneDrive client to a single tenant, start by retrieving the Azure AD tenant ID. Sign in to the Azure AD portal, then navigate to Azure Active Directory > Properties. Here, you’ll find the Tenant ID. Copy this ID for later use.

Step 2: With the Tenant ID in hand, let’s proceed to create the Configuration Profile for configuring OneDrive policy settings. Log in to the MEM Admin Center portal, navigate to Devices, then Configuration Profiles, and click on Create Profile.

Step 3: Choose “New Policy,” then in the Platform section, select “Windows 10 and later.” Under Profile Type, opt for “Settings catalog.”

Step 4: In the Basic section, enter a Name and Description for the configuration policy.

Step 5: Navigate to the Configuration Settings page and select “All Settings.” In the search bar, enter “OneDrive” to find all of the available OneDrive settings.

Based on the above objectives, we’ll create the appropriate settings. I will break these down per objective.

Step 6: For “Setup OneDrive for Business for end-users”, locate the setting “Silently sign in the users to the OneDrive sync client with their Windows Credentials” and set it to Enabled.

Step 7: For “Enable KFM (Known Folder Move)”, enable the “Silently move Windows known folders to OneDrive” setting, input the Tenant ID, and choose whether to display notifications to users.

Step 8: For “Block end-users from reverting known folders configuration to their PC”, locate the setting titled “Prevent users from redirecting their Windows known folders to their PC” and set it to Enabled.

Step 9: Locate the setting “Prevent users from syncing personal OneDrive accounts” and enable it.

Step 10: Locate the setting “Allow syncing OneDrive accounts for only specific organizations” and enable it.

Step 11: Find the setting “Use OneDrive Files On-Demand” and set it to Enabled.

Step 12: Assign the policy to a group, then proceed by clicking on “Next.”

Step 13: Review the policy in the final step and click on “Create” to finish the process.
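
To confirm on a test device that both this OneDrive profile and the Edge default search provider profile from the first post actually landed, you can compare the policy registry values against what was configured in the portal. This is an added example, not part of the original posts; the registry value names are my mapping of the portal labels (an assumption to verify against your own device), and the tenant ID is a placeholder for the one copied in Step 1.

```powershell
# Added example: run in the signed-in user's session after the device has synced.
$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: Tenant ID from Step 1
$edge     = 'SOFTWARE\Policies\Microsoft\Edge'
$oneDrive = 'SOFTWARE\Policies\Microsoft\OneDrive'

# Assumed registry value names behind the portal labels used in the posts.
$checks = @(
    @{ Key = $edge;     Name = 'DefaultSearchProviderEnabled';   Want = 1 }
    @{ Key = $edge;     Name = 'DefaultSearchProviderName';      Want = 'Google' }
    @{ Key = $edge;     Name = 'DefaultSearchProviderSearchURL'; Want = 'https://www.google.com/search?q={searchTerms}' }
    @{ Key = $edge;     Name = 'NewTabPageSearchBox';            Want = 'redirect' }   # "Address bar"
    @{ Key = $oneDrive; Name = 'SilentAccountConfig';            Want = 1 }
    @{ Key = $oneDrive; Name = 'KFMSilentOptIn';                 Want = $TenantId }
    @{ Key = $oneDrive; Name = 'KFMBlockOptOut';                 Want = 1 }
    @{ Key = $oneDrive; Name = 'DisablePersonalSync';            Want = 1 }
    @{ Key = "$oneDrive\AllowTenantList"; Name = $TenantId;      Want = $TenantId }
    @{ Key = $oneDrive; Name = 'FilesOnDemandEnabled';           Want = 1 }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Device-scoped settings land in HKLM, user-scoped ones in HKCU; report the first hit.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $item = Get-ItemProperty -Path "$hive\$Key" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Hive = $hive; Value = $item.$Name } }
    }
}

$report = foreach ($c in $checks) {
    $hit = Get-PolicyValue -Key $c.Key -Name $c.Name
    [pscustomobject]@{
        Setting   = $c.Name
        Hive      = $hit.Hive
        Expected  = $c.Want
        Actual    = $hit.Value
        Compliant = ($null -ne $hit) -and ("$($hit.Value)" -eq "$($c.Want)")
    }
}
$report | Format-Table -AutoSize

# Any extra entry here lets the sync client connect to another tenant.
$allowed = (Get-Item "HKLM:\$oneDrive\AllowTenantList" -ErrorAction SilentlyContinue).Property
$extra   = @($allowed | Where-Object { $_ -and $_ -ne $TenantId })
if ($extra.Count) { Write-Warning "Other tenants allowed to sync: $($extra -join ', ')" }
```

A row with an empty Actual column means the setting has not reached the device yet; trigger a sync and rerun before treating it as a policy failure.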

Configuration Policy – How to Hide the Gaming Section on Windows Devices Using Intune

Hello everyone! Today, let’s explore how to hide the Gaming section on Windows devices using Intune. If you’ve used Windows 11, you might have seen the Gaming section in the Settings app. This section includes options for the Xbox Game Bar, Captures, and Game Mode.

Game Mode on Windows is designed to prioritize system resources for gaming, ensuring that games run smoothly and efficiently. When enabled, Game Mode allocates more system resources to games, prevents Windows updates from installing drivers, stops restart notifications, and adjusts the frame rate for optimal gaming performance. This results in a more immersive and seamless gaming experience.

Despite the benefits, some organizations may want to hide the Gaming section in the Settings app for various reasons. Let’s delve into how this can be achieved using Intune.

Reasons to Hide Gaming on Windows

Hiding games on Windows 11 corporate devices may be necessary for several reasons:

  1. Minimizing Workplace Distractions: Gaming can be a major distraction, reducing employee productivity. By hiding games, employees can focus more on their work.
  2. Preserving System Resources: Games often consume significant system resources, which can lead to performance issues and affect critical tasks. Hiding games ensures that resources are available for essential business activities.
  3. Adhering to Corporate Policies: Some games may be banned by company policies or contain inappropriate content for the workplace. Hiding games helps maintain a professional environment and ensures compliance with these policies.

By hiding games on corporate devices, organizations can promote a productive, efficient, and policy-compliant work environment.

| App | Description |
| --- | --- |
| Xbox Game Bar | It’s a customizable gaming overlay built into Windows 10 that works with most PC games |
| Captures | It controls how you capture your game through screenshots and recording |
| Game Mode | Game Mode is a built-in Windows 11 feature to optimize your PC for digital play |

Initial Setup in Windows 11: Gaming Options

During the initial setup of Windows 11, users are presented with various options related to Gaming. This setup includes configurations for the Xbox Game Bar, Captures, and Game Mode.

Hide Gaming on Windows Devices using Intune Configuration Policy

Step 1: Sign in to the Microsoft Intune Admin portal and navigate to Devices > Configuration profiles > Create profile > New Policy.

Step 2: After clicking on “Create Profile,” a new window will appear. In this window, set the “Platform” to “Windows 10 and later.” For the “Profile Type,” choose “Templates.” Search and select “Device Restriction”, and then click on the “Create” button to proceed.

Step 3: In the Basic section, enter a Name and Description for the configuration policy.

Step 4: In the Basic section, enter a Name and Description for the configuration policy.

Step 5: In the Configuration Settings, select the drop-down menu for “Control Panel and Settings,” then navigate to the “Gaming” section and choose “Block.”

Select “Block” and click on Next.

Step 6: Assign the policy to a group, then proceed by clicking on “Next.”

Step 7: Review the policy in the final step and click on “Create” to finish the process.

End User Experience
The Gaming Section has been successfully removed from the targeted Windows Device.
