[Gsuite] Deploy Google MDM (Windows device management)

Overview: Enhanced desktop security for Windows

As an administrator, you can set up company-owned and personal Microsoft Windows devices to use Google’s single sign-on (SSO) access security, push Windows settings, and wipe device data remotely.

Enhanced desktop security for Windows has two complementary features that can be set up together or individually:

  • Google Credential Provider for Windows (GCPW)—Use Google Account authentication on Windows 10 devices.
  • Windows device management—Manage Windows settings on enrolled devices.

This post focuses on Windows device management.

Requirements

License

  • GCPW is available with all G Suite and Cloud Identity editions. However, to deploy GCPW and Windows device management together, you must have G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.
  • Windows device management is available with G Suite Enterprise, G Suite Enterprise for Education, G Suite Enterprise Essentials, or Cloud Identity Premium.

System

  • Windows 10 Pro, Pro for Workstations, Enterprise, or Education, version 1803 or later
  • For GCPW, Chrome Browser 81 or later

Enable Windows device management

Recommended – Before you begin: To apply the setting for certain users, put their accounts in an organizational unit.

  1. In your Google Admin console (at admin.google.com)…
  2. Go to Devices.
  3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  4. On the left, click Settings > Windows settings.
  5. Click Desktop security setup.
  6. Next to Windows device management, select Enabled.
  7. Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit’s settings.

There are two ways to enroll a device.

Manual way: enroll a Windows device

  1. Sign in to the Windows 10 device.
  2. Open https://deviceenrollmentforwindows.googleapis.com/v1/deeplink in a Chrome or Edge browser.
  3. In the message that asks whether you meant to switch apps, click Yes.
  4. Enter the Google email address you would like to use for this feature.
  5. Click Next to start device enrollment.
  6. Sign in to your managed Google Account.

Automatic way: enroll a Windows device

Automatic enrollment in Windows device management — If you use GCPW and Windows device management, devices are automatically enrolled in Windows device management.

Install GCPW

  1. Get the GCPW installer onto the device. You can download the installer from https://tools.google.com/dlpage/gcpw and distribute it to devices using GPO or other deployment methods, or the user can download it directly.
  2. On the device, run the installer:
    1. Open the Command Prompt.
    2. Run gcpwstandaloneenterprise64.msi as administrator.

Verify enrollment of a Windows device

  1. In your Google Admin console (at admin.google.com)…
  2. Go to Devices.
  3. Click Endpoints.
  4. Check the list of Windows devices to verify that the device enrolled. Tip: Click Add a filter > Management Type and select Enhanced desktop security to show only devices enrolled in Windows device management.

It is strongly recommended to create a “playground” OU and move a test user into it, so you can verify the settings before deploying them to the whole organization.


Apply Windows settings on the managed hosts.

Block apps on Windows 10 devices with custom settings.

Example XML for blocking EXE apps (PuTTY and Ditto):

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <!-- Default rules: keep these, otherwise anything outside Program Files and Windows is blocked for standard users -->
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <!-- Local Administrators (S-1-5-32-544) may run anything; the Deny rules below still apply to them -->
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <!-- Deny Ditto by path. The Exceptions block exempts the listed SHA256 from this Deny rule, so that exact build of Ditto.exe
       is still allowed by the Program Files default rule; only other builds at this path are blocked. Remove the Exceptions
       block to block every build at this path. -->
  <FilePathRule Id="c6ed8334-5b63-4418-aa9f-653321413bb7" Name="%PROGRAMFILES%\Ditto\Ditto.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\Ditto\Ditto.exe" />
    </Conditions>
    <Exceptions>
      <FileHashCondition>
        <FileHash Type="SHA256" Data="0x7E988D388840A8AC096BE6BBF20F9657C025C452A2659BE9B7728A0FC0A67113" SourceFileName="Ditto.exe" SourceFileLength="5040128" />
      </FileHashCondition>
    </Exceptions>
  </FilePathRule>
  <!-- Deny PuTTY by hash: blocks this exact binary wherever it runs from; a different build has a different hash and is not matched -->
  <FileHashRule Id="dd0060fd-79ff-4ba1-b3cb-c2b87be9fdf3" Name="putty.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FileHashCondition>
        <FileHash Type="SHA256" Data="0x88D37305A54641AEAB56E8E134F82711E91A3F8F9FE3FC97F8A5A26EB9EBB99B" SourceFileName="putty.exe" SourceFileLength="883600" />
      </FileHashCondition>
    </Conditions>
  </FileHashRule>
</RuleCollection>

Example XML for blocking Store apps (Microsoft Store):

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <!-- Default rule: any signed packaged app may run -->
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <!-- Deny the Microsoft Store package by publisher and product name, from version 12007.1001.0.0 upwards -->
  <FilePublisherRule Id="21d5002d-f66c-4460-ae41-fc734e006eaa" Name="Microsoft.WindowsStore, version 12007.1001.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
        <BinaryVersionRange LowSection="12007.1001.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Generating XML

  1. Follow the instructions in the “Generating the XML” section of this Microsoft article. Stop following the instructions when you get to the “Creating the Policy” section. Note: These instructions describe how to create a policy for an application that is installed on the device. To create a policy for an application that isn’t installed on the device, in step 6, select Use a packaged app installer as a reference.
  2. After you export the XML file, remove the policy you created in the Group Policy Editor. Otherwise, the policy is enforced on the device you generated it on.
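To check what an exported RuleCollection will actually do before you push it through Windows device management, here is a small evaluator added for this post (not code from the post, Google or Microsoft). It applies AppLocker's decision order (an Exception carves a file out of its rule, any matching Deny wins, anything no rule allows is denied by default) to a constructed policy shaped like the Exe example above; PROGRAM_FILES, the rule ids and the hash values are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

PROGRAM_FILES = r"C:\Program Files"  # assumed expansion of %PROGRAMFILES%

# Constructed policy mirroring the post's Exe collection: a default Allow for
# Program Files, a Deny-by-path rule for Ditto.exe with a hash Exception, and a
# Deny-by-hash rule for putty.exe. The Data values are placeholders, not real digests.
POLICY = """<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="r1" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="r2" Name="Deny Ditto" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\\Ditto\\Ditto.exe" /></Conditions>
    <Exceptions><FileHashCondition>
      <FileHash Type="SHA256" Data="0xD1D1" SourceFileName="Ditto.exe" />
    </FileHashCondition></Exceptions>
  </FilePathRule>
  <FileHashRule Id="r3" Name="Deny putty" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions><FileHashCondition>
      <FileHash Type="SHA256" Data="0xF0F0" SourceFileName="putty.exe" />
    </FileHashCondition></Conditions>
  </FileHashRule>
</RuleCollection>"""

def _condition_matches(cond, path, sha256):
    """True if one FilePath/FileHash condition covers the given file."""
    if cond.tag == "FilePathCondition":
        pattern = cond.get("Path").replace("%PROGRAMFILES%", PROGRAM_FILES)
        return fnmatch.fnmatchcase(path.lower(), pattern.lower())
    if cond.tag == "FileHashCondition":
        return any(h.get("Data").lower() == sha256.lower()
                   for h in cond.findall("FileHash"))
    return False  # publisher conditions need signature data; not modelled here

def _rule_applies(rule, path, sha256):
    """A rule applies when a Condition matches and no Exception does."""
    if not any(_condition_matches(c, path, sha256) for c in rule.find("Conditions")):
        return False
    exceptions = rule.find("Exceptions")
    return exceptions is None or not any(
        _condition_matches(c, path, sha256) for c in exceptions)

def evaluate(policy_xml, path, sha256):
    """AppLocker decision for a file: any matching Deny wins, then Allow,
    and a file that no rule allows is blocked by default."""
    root = ET.fromstring(policy_xml)
    if root.get("EnforcementMode") != "Enabled":
        return "NotEnforced"  # AuditOnly / NotConfigured only log or do nothing
    actions = [r.get("Action") for r in root if _rule_applies(r, path, sha256)]
    if "Deny" in actions:
        return "Denied"
    return "Allowed" if "Allow" in actions else "DeniedByDefault"
```

With the Ditto rule shaped as in the post, the build whose hash sits in Exceptions comes back Allowed while any other build at that path is Denied, and a PuTTY build whose hash differs from the rule is Allowed from Program Files.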

Create a policy


Sync and test your policy manually

Windows Defender Application Guard as browser extensions in Google Chrome and Mozilla Firefox

The Windows Defender Application Guard extension for Google Chrome and Mozilla Firefox is rolling out to Windows Insiders today and will be generally available very soon. This is available for users on Win 10 Enterprise and Pro SKUs on 1803 or later.

To extend our container technology to other browsers and provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox.

Windows Defender Application Guard extension on Chrome web store

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of trusted sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of trusted sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the devices.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page.
     Windows Defender Application Guard landing page
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors.
     Error page with instructions for resolving configuration errors
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.
     Start an Application Guard session by clicking the extension icon on the menu bar of the browser

Microsoft starts testing Android screen mirroring on Windows 10

This new addition lets users mirror an Android phone’s screen directly on a Windows 10 PC, but — as you might expect — this feature isn’t available to all.


This feature will gradually roll out to Insiders on 19H1 builds. It may take a few days for this feature to show up inside the Your Phone app (version 1.0.20701.0 and above).

You can use the Your Phone app on any Windows 10 PC running Windows builds 1803 (RS4) or newer and any Android phone running Android version 7.0 or newer. But the new phone screen feature is initially only compatible with a limited set of devices. Surface Go will be the first device in the Surface lineup to preview this feature. We will continue to expand the list of devices over time for both the PC and phone.

Enable high-performance GPU in Win10.

This feature was recently added to Windows 10 v1803. It lets you control what GPU is used by an application. Using this feature, we will set high-performance GPU for Microsoft Edge.

Step 1: Open Settings. Navigate to System, then Display.

Step 2: Scroll down and click on Graphics Settings.

Step 3: Now you need to choose an application to set preference. From the drop-down menu select Universal App as Microsoft Edge is a Windows Universal App.

Configure Windows Spotlight on the lock screen

Applies to

  • Windows 10

Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10.

For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps.

[!NOTE] In Windows 10, version 1607, the lock screen background does not display if you disable the Animate windows when minimizing and maximizing setting in This PC > Properties > Advanced system settings > Performance settings > Visual Effects, or if you enable the Group Policy setting Computer Configuration > Administrative Templates > Windows Components > Desktop Windows Manager > Do not allow windows animations.

In Windows 10, version 1703, you can use the Personalization CSP settings to set lock screen and desktop background images.

What does Windows Spotlight include?

  • Background image: Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on an ongoing basis.
  • Feature suggestions, fun facts, tips: The lock screen background will occasionally suggest Windows 10 features that the user hasn’t tried yet, such as Snap assist.

How do you turn off Windows Spotlight locally?

To turn off Windows Spotlight locally, go to Settings > Personalization > Lock screen > Background > Windows spotlight and select a different lock screen background.


How do you disable Windows Spotlight for managed devices?

Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers.

[!NOTE] These policies are in the User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content path in the Group Policy Management Console, and in the User Configuration \Administrative Templates\Windows Components\Cloud Content path in the Local Group Policy Editor.

| Group Policy | MDM | Description | Applies to |
|---|---|---|---|
| Do not suggest third-party content in Windows spotlight | Experience/Allow ThirdParty Suggestions In Windows Spotlight | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later |
| Turn off all Windows Spotlight features | Experience/Allow Windows Spotlight | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later |
| Configure Spotlight on lock screen | Experience/Configure Windows Spotlight On Lock Screen | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later |
| Turn off the Windows Spotlight on Action Center | Experience/Allow Windows Spotlight On Action Center | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 |
| Do not use diagnostic data for tailored experiences | Experience/Allow Tailored Experiences With Diagnostic Data | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 |
| Turn off the Windows Welcome Experience | Experience/Allow Windows Spotlight Windows Welcome Experience | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 |
| Turn off the Windows Spotlight on Settings | Experience/Allow Windows Spotlight on Settings | Turn off the Windows Spotlight in the Settings app. | Windows 10 Enterprise and Education, version 1803 |

In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen image (Windows 10 Enterprise and Education).

[!TIP] If you want to use a custom lock screen image that contains text, see Resolution for custom lock screen image.


Pay attention to the checkbox in Options. In addition to providing the path to the lock screen image, administrators can choose to allow or Turn off fun facts, tips, tricks, and more on lock screen. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages.

Resolution for custom lock screen image

A concern with custom lock screen images is how they will appear on different screen sizes and resolutions.

A custom lock screen image created in 16:9 aspect ratio (1600×900) will scale properly on devices using a 16:9 resolution, such as 1280×720 or 1920×1080. On devices using other aspect ratios, such as 4:3 (1024×768) or 16:10 (1280×800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen.

Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios.
