All about Microsoft Intune

Hiding the recommended section from the Start layout and multi-app kiosk mode

Peter van der Woude — Mon, 08 Jun 2026 17:45:00 +0000

This week is all about another relatively small, but essential, configuration to further enhance the Start layout experience. Especially when using multi-app kiosk mode. That configuration is to hide the recommended section from the Start layout. Hiding that section is especially relevant when using a multi-app kiosk mode, as that includes a link to the Settings app when there are no recommendations. Even though that might sound pretty small, it does take away another item that a user could potentially click on and hitting an unnecessary blockage. In those cases lesser is better. That means that there are definitely scenarios in which it can be really useful to prevent the Start layout from displaying recommended applications and files. This post will provide a closer look ...

Using Microsoft Edge secondary tiles in the Start layout and multi-app kiosk mode

Peter van der Woude — Mon, 01 Jun 2026 18:45:00 +0000

This week is all about Microsoft Edge secondary tiles. Microsoft Edge secondary tiles are website shortcuts that are pinned to the Start layout. Those pins provide quick access to specific websites directly from the Start layout. Basically, those pins function similar to any other app shortcuts that are pinned to the Start layout. Any user can create website shortcuts in the Start layout by simply navigating in Microsoft Edge to Settings > More tools > Pin to Start. There can scenarios in which it might be useful to already pre-pin specific websites for the user. The most common scenario is a multi-app kiosk mode configuration in which specific websites must be pinned for the users of those devices. That’s where Microsoft Edge secondary tiles become ...

Using sensitivity labels for protecting labeled content in Microsoft 365 online apps

Peter van der Woude — Mon, 25 May 2026 17:45:00 +0000

This week is all about Microsoft Edge. More specifically, this week is all about even using sensitivity labels for protecting Microsoft 365 online apps in Microsoft Edge. Sensitivity labels on itself are nothing new, using it in Microsoft 365 online apps not either, but support for using it in Outlook on the web is. The basics of sensitivity labels are still the same. After applying a sensitivity label, the IT administrator can prevent actions like copying, pasting, taking screenshots, forwarding emails, replying to emails, and more. Initially that functionality was only available in Microsoft 365 desktop applications, and now slowly moved towards Microsoft 365 online apps via Microsoft Edge. Within Microsoft Edge, that same behavior can now be enforced. Of course that does require the ...

Introducing enhanced app inventory for Windows devices

Peter van der Woude — Mon, 18 May 2026 17:45:00 +0000

This week is all about the new and enhanced app inventory for Windows devices. A lot has been written about that feature already, but it is such an important enhancement that it deserves it place on this blog as well. For many years the best thing for app inventory in Microsoft Intune was the Discovered apps report. That report provided some pretty limited insights abouts the apps that are installed on the devices and the totals for all devices in the environment. The sources used for those insights, however, were pretty limited, which was the main reason why the information was never really useful. That might all change now, with the enhancements to the app inventory for Windows devices. It now uses a new upload ...

Dynamically removing preinstalled Microsoft Store apps using native functionality

Peter van der Woude — Mon, 11 May 2026 17:45:00 +0000

This week is all about a really nice addition to the native functionality to remove preinstalled Microsoft Store apps. That nice addition is the ability to dynamically remove any preinstalled MSIX/APPX app, which builds on the functionality described earlier about removing preinstalled Microsoft Store apps using native functionality. The story around removing those apps is still the same. When working with Windows devices in an enterprise environment, a common request is to control the preinstalled Microsoft Store apps. These default apps, which ship as part of the Windows image, often include consumer-oriented or redundant functionality that does not align with corporate standards. That makes removing often desirable. Removing these apps often required custom scripting, or other creative solutions. Starting with Windows 11 version 24H2, however, ...

Locking down Windows devices by suppressing key combinations

Peter van der Woude — Mon, 04 May 2026 17:45:00 +0000

This week is not about something new. Not even close actually. This week is all about further locking down specific types of Windows devices, such as shared devices, kiosk devices, or even just actual locked down devices, by suppressing specific key combinations. There can be many scenarios on those types of devices that might require preventing users from using specific key combinations. That can be useful for preventing users from getting out of the locked down experience. And that should help with the device integrity and preventing unwanted access to the environment. There are actually multiple methods to actually achieve that configuration, and the best part is that Windows already contains one of those methods. As a part of the Windows Embedded experience, Windows contains ...

Introducing cross-tenant support for MAM on Windows devices

Peter van der Woude — Mon, 27 Apr 2026 17:45:00 +0000

This week is basically sort of a follow-up on last week. This week is all about introducing cross-tenant support for Mobile Application Management (MAM) on Windows devices. That functionality was already briefly mentioned during the previous blog post about protecting downloads in MAM enrolled profiles on managed Windows devices. This week will be more about that functionality specifically. MAM on itself is nothing new, not even for Windows devices. The challenge, however, has been around mixing and matching different environments. That is also often referred to the contractor scenario, in which the user already has a managed device from their own employer and wants to combine that with access to the productivity tools of the customer. For Windows devices that functionality is coming! That is ...

Protecting downloads in MAM enrolled profiles on managed Windows devices

Peter van der Woude — Mon, 20 Apr 2026 18:45:00 +0000

This week is all about a combination of new features. That combination of features is allowing MAM enrollment on managed Windows devices and protecting downloads in Microsoft Edge. Both features are relatively new features in Microsoft Edge, that are both currently still behind experimental feature flags. The first feature enables MAM enrollment on managed devices (also known as cross-tenant support) and the second feature protects the downloads in Microsoft Edge in that scenario. That feature makes sure that downloads are always redirected to a folder that is managed within the home tenant of the user account and that enforces organizational compliance. In practice that means that when the user downloads files, in that MAM enrolled profile on a device that is already managed by another ...

Working with the automatic enablement of Windows hotpatch security updates

Peter van der Woude — Mon, 13 Apr 2026 17:45:00 +0000

This week is all about the recently introduced configuration that will enable Windows hotpatch security updates by default. The configuration to enable the usage of hotpatch security updates has been available since the introduction of Windows 11 version 24H2, and can be configured relatively as shown in this post. Starting with the Windows security update of May 2026, Windows Autopatch will enable hotpatch security updates by default. That should help organizations with easier getting more secure. The configuration is achieved via a tenant-wide configuration via Windows Autopatch that is only applied when no quality update policies are applied to the device. That configuration is available in Microsoft Intune and will be enabled by default. This post will provide a closer look at that new tenant-wide ...

Managing geolocation access for websites in Microsoft Edge

Peter van der Woude — Mon, 06 Apr 2026 17:45:00 +0000

This week is all about managing (geo)location access for websites in Microsoft Edge. When apps are allowed access to the location of the user, that also includes the Microsoft Edge browser. That means that – depending on the configuration in Microsoft Edge – every website could potentially access the location of the user, or at least ask the user for access. Within Microsoft Edge there are, however, controls available that can be used for controlling the access of websites to the location of the user. Those controls enable the organization to define the default behavior, and also the behavior for specific websites. That enables a layered level of control over the location access in Microsoft Edge. The first layer is the access of apps in ...