Intune Settings Rundown - 2409

Continuing my new (semi) regular feature to document interesting new or updated Intune policy settings and UI changes in an easily digestible format!

Note: UI changes can sometimes take time so may not be visible immediately in your tenant.


macOS 15 and iOS 18 Support

Leading on from the settings added last month as part of 2408, and in preparation for Day-Zero Intune support for macOS 15 and iOS 18, the official blog has all the info on the new settings:

Day zero support for iOS/iPadOS 18 and macOS 15
Learn more about day zero support for iOS/iPadOS 18 and macOS 15!

Expect some more additions to the macOS OpenIntuneBaseline soon ;)


Personal Data Encryption (PDE)

Personal Data Encryption (PDE) is an interesting little feature that was added back in Windows 11 22H2. The core concept is that it sits alongside existing BitLocker encryption but secures user directories with additional encryption that is only unlocked by a successful Windows Hello login event. Provided you're on an Entra-Joined, WHfB-unlocked device, that is.

PDE has actually been available via the Settings Catalog for a while, but a brand new template for it is being surfaced via Endpoint Security > Disk Encryption:

PDE Template Creation

Unfortunately this initial implementation seems... Half-baked?
Firstly, the settings in the template all have a minimumSupportedVersion of 10.0.25272, meaning they're only valid for Insider builds, even though the CSP is supported from Windows 11 22H2 (10.0.22621).

Secondly, the only available options are to protect the Desktop, Documents, and Pictures folders. That's it. There's no configuration of the underlying PDE Protection Levels, for example:

PDE Protection Levels

I'd argue being able to programmatically configure the above settings is absolutely crucial to the viability of deploying PDE. It could certainly bridge a security "gap" that might exist if you're not using BitLocker pre-boot PINs...

Overall, a good start in managing a really interesting feature, but needs more time in the oven.


Windows Sandbox

Anyone not familiar with Windows Sandbox really should be. It's an amazing alternative for testing stuff without having to deploy whole VMs, especially for things like Intune app packaging when combined with community solutions like Run-In-Sandbox by MVP Damien Van Robaeys (SystAndDeploy).

Unfortunately it's lacked any form of Enterprise control, meaning it's a potential data exfiltration black hole and/or opportunity to bypass corporate policy (though you do need to be admin to enable the feature).

Enter the WindowsSandbox CSP which now allows some level of control over the security aspect of the feature.

Note that there are some CSP settings (AllowMappedFolders and AllowWriteToMappedFolders) that are currently only applicable to Windows Insider, but will hopefully be added into Settings Catalog soon to further secure what you can do within a Sandbox session!

Edit 2024/09/30: The CSP has been updated to show an applicable OS of "Windows 11, version 24H2 [10.0.26100] and later", so hopefully these will be added soon!
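
To see which existing Sandbox configurations the CSP settings would affect, here is an added example (not from the original post) that parses a .wsb configuration file and lists the channels it opens, keyed by the WindowsSandbox CSP setting that governs each. The function name and sample file are hypothetical, the .wsb format and the AllowNetworking, AllowClipboardRedirection and AllowPrinterRedirection setting names come from Microsoft's documentation rather than this page, and the defaults used for unset elements are an assumption to verify for your build.

```powershell
# Added example (not from the original post): list what a .wsb file exposes,
# keyed by the WindowsSandbox CSP setting that governs each channel.
function Get-SandboxConfigFinding {
    param(
        [Parameter(Mandatory)][string]$Name,   # label for the report, e.g. the file path
        [Parameter(Mandatory)][xml]$Config     # .wsb content
    )
    # Mapped folders are writable unless <ReadOnly> is explicitly "true".
    foreach ($folder in $Config.SelectNodes('/Configuration/MappedFolders/MappedFolder')) {
        $hostPath = "$($folder.SelectSingleNode('HostFolder').InnerText)".Trim()
        $readOnly = $folder.SelectSingleNode('ReadOnly')
        $writable = -not ($null -ne $readOnly -and $readOnly.InnerText.Trim() -eq 'true')
        $setting  = if ($writable) { 'AllowWriteToMappedFolders' } else { 'AllowMappedFolders' }
        $access   = if ($writable) { 'read-write' } else { 'read-only' }
        [pscustomobject]@{ File = $Name; CspSetting = $setting; Detail = "$hostPath mapped $access" }
    }
    # Assumed .wsb defaults: networking and clipboard on, printer redirection off.
    $channels = @(
        @{ Element = 'Networking';           Csp = 'AllowNetworking';           OnByDefault = $true }
        @{ Element = 'ClipboardRedirection'; Csp = 'AllowClipboardRedirection'; OnByDefault = $true }
        @{ Element = 'PrinterRedirection';   Csp = 'AllowPrinterRedirection';   OnByDefault = $false }
    )
    foreach ($channel in $channels) {
        $node  = $Config.SelectSingleNode("/Configuration/$($channel.Element)")
        $value = if ($null -ne $node) { $node.InnerText.Trim() } else { 'Default' }
        if ($value -eq 'Enable' -or ($value -eq 'Default' -and $channel.OnByDefault)) {
            [pscustomobject]@{ File = $Name; CspSetting = $channel.Csp; Detail = "$($channel.Element) = $value" }
        }
    }
}

# Constructed sample configuration, embedded so the example runs offline.
$sample = @'
<Configuration>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Packages</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\Work</HostFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>
'@
Get-SandboxConfigFinding -Name 'sample.wsb' -Config $sample | Format-Table -AutoSize
```

For real files, pass the output of Get-Content -Raw for each .wsb file as -Config; the rows tagged AllowWriteToMappedFolders are the configurations that would lose write access once that setting is restricted.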


Windows 365 Cloud Desktop

There are two new Cloud Desktop specific settings via the CloudDesktop CSP, which provide some troubleshooting capability by allowing access to the physical device when using W365 BootToCloud.


Delivery Optimization (DO)

Some interesting new DO options for limiting Foreground and Background bandwidth between specific business hours.

DO Business Hours Limits

Microsoft Edge

A bunch of new settings from Edge 127 & 128, as well as new Edge Update settings:

DynamicCodeSettings

Policy Name: Dynamic Code Settings
Policy Location: Microsoft Edge
Policy Tooltip: This policy controls the dynamic code settings for Microsoft Edge.
Disabling dynamic code improves the security of Microsoft Edge by preventing potentially hostile dynamic code and third-party code from making changes to Microsoft Edge's behavior. However this might cause compatibility issues with third-party software that must run in the browser process.
If you set this policy to 0 (the default) or leave unset, then Microsoft Edge will use the default settings.
If you set this policy to 1 – (EnabledForBrowser) then the Microsoft Edge browser process is prevented from creating dynamic code.
Policy options mapping:
* Default (0) = Default dynamic code settings
* EnabledForBrowser (1) = Prevent the browser process from creating dynamic code
Use the preceding information when configuring this policy.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)

EdgeOpenInSidebarEnabled

Policy Name: Enable open in sidebar
Policy Location: Microsoft Edge
Policy Tooltip: Allow/Disallow user open a website or an app to the sidebar.
If you enable or don't configure this policy, users will be able to access the feature.
If you disable this policy, users will not be able to access the feature.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)

EdgeSidebarCustomizeEnabled

Policy Name: Enable sidebar customize
Policy Location: Microsoft Edge
Policy Tooltip: Allow/Disallow to use sidebar customize.
If you enable or don't configure this policy, users will be able to access sidebar customize.
If you disable this policy, users will not be able to access the sidebar customize.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)

KeyboardFocusableScrollersEnabled

Policy Name: Enable keyboard focusable scrollers
Policy Location: Microsoft Edge
Policy Tooltip: This policy provides a temporary opt-out for the new keyboard focusable scrollers behavior.
When this policy is Enabled or unset, scrollers without focusable children are keyboard focusable by default. Further, scrollers are click focusable and programmatically focusable by default.
When this policy is Disabled, scrollers are not focusable by default.
This policy is a temporary workaround and will be removed in Edge Stable 135.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)

ShowDownloadsInsecureWarningsEnabled_recommended

Policy Name: Enable insecure download warnings
Policy Location: Microsoft Edge - Default Settings (users can override)\Downloads
Policy Tooltip: Enables warnings when potentially dangerous content is downloaded over HTTP.
If you enable or don't configure this policy, when a user tries to download potentially dangerous content from an HTTP site, the user will receive a UI warning, such as "Insecure download blocked." The user will still have an option to proceed and download the item.
If you disable this policy, the warnings for insecure downloads will be suppressed.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)

ExtensionDeveloperModeSettings

Policy Name: Control the availability of developer mode on extensions page
Policy Location: Microsoft Edge\Extensions
Policy Tooltip: Control if users can turn on Developer Mode on edge://extensions.
If the policy isn't set, users can turn on developer mode on the extension page unless DeveloperToolsAvailability policy is set to DeveloperToolsDisallowed (2).
If the policy is set to Allow (0), users can turn on developer mode on the extensions page.
If the policy is set to Disallow (1), users cannot turn on developer mode on the extensions page.
If this policy is set, DeveloperToolsAvailability can no longer control extensions developer mode.
Policy options mapping:
* Allow (0) = Allow the usage of developer mode on extensions page
* Disallow (1) = Do not allow the usage of developer mode on extensions page
Use the preceding information when configuring this policy.
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)
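
The interaction between ExtensionDeveloperModeSettings and DeveloperToolsAvailability described in the tooltip above can be checked on a device with the following added example (not from the original post or Microsoft's documentation). The function names are hypothetical, and the registry location and machine-over-user precedence are assumptions about where these policies land on a managed device.

```powershell
# Added example: resolve whether Developer Mode on edge://extensions is
# available, following the precedence the policy tooltip describes.
function Resolve-ExtensionDeveloperMode {
    param(
        [Nullable[int]]$ExtensionDeveloperModeSettings,  # $null = policy not set
        [Nullable[int]]$DeveloperToolsAvailability       # $null = policy not set
    )
    if ($null -ne $ExtensionDeveloperModeSettings) {
        # Once set, this policy decides alone: Allow (0) or Disallow (1).
        $allowed   = ($ExtensionDeveloperModeSettings -eq 0)
        $decidedBy = 'ExtensionDeveloperModeSettings'
    }
    elseif ($DeveloperToolsAvailability -eq 2) {
        # Unset: DeveloperToolsDisallowed (2) also blocks extension developer mode.
        $allowed   = $false
        $decidedBy = 'DeveloperToolsAvailability'
    }
    else {
        $allowed   = $true
        $decidedBy = 'Default'
    }
    [pscustomobject]@{ DeveloperModeAllowed = $allowed; DecidedBy = $decidedBy }
}

function Get-EdgePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Assumption: mandatory Edge policies land under Policies\Microsoft\Edge,
    # and a machine-scope value takes precedence over a user-scope one.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge') {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null
}

# Effective state on the local device.
Resolve-ExtensionDeveloperMode `
    -ExtensionDeveloperModeSettings (Get-EdgePolicyValue 'ExtensionDeveloperModeSettings') `
    -DeveloperToolsAvailability (Get-EdgePolicyValue 'DeveloperToolsAvailability')
```

A DecidedBy value of DeveloperToolsAvailability means extension developer mode is only blocked as a side effect, and that block disappears as soon as ExtensionDeveloperModeSettings is set to Allow (0).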

ExtensionExtendedBackgroundLifetimeForPortConnectionsToUrls

Policy Name: Configure a list of origins that grant an extended background lifetime to connecting extensions.
Policy Location: Microsoft Edge\Extensions
Policy Tooltip: Extensions that connect to one of these origins will keep running as long as the port is connected.
If unset, the policy's default values are used. These are the app origins that offer SDKs that are known to not offer the possibility to restart a closed connection to a previous state:
- Smart Card Connector
- Citrix Receiver (stable, beta, back-up)
- VMware Horizon (stable, beta)
If set, the default value list is extended with the newly configured values. The defaults and policy-provided entries will grant the exception to the connecting extensions, as long as the port is connected.
Example value:
chrome-extension://abcdefghijklmnopabcdefghijklmnop/
chrome-extension://bcdefghijklmnopabcdefghijklmnopa/
Available Settings: Enabled / Disabled
Policy Scopes: (Device) and (User)

Edge Update

The following settings are available globally, or per channel (Stable/Beta/Dev/Canary):

  • Let users update all apps on metered connections
  • Prevent Desktop Shortcut creation upon install default
  • Remove Desktop Shortcuts upon update default

That's it for this month!

Massive thanks to Tom Plant for making these blogs far easier for me to write up! 😊

And as always, thanks for reading!

James Robinson

With 20 years of experience, James is a Principal Consultant specialising in Modern Workplace and End User Compute technologies, with a focus on Modern Management and Cloud-Native endpoints.
Brighton(ish), United Kingdom