mobile device management

Winsage
July 7, 2026
Microsoft will enable the Windows settings backup and restore tool by default for enterprise systems joined to Microsoft Entra or operating in a hybrid environment with the upgrade to Windows 11 version 26H2. This tool, previously known as Windows Backup for Organizations, assists users in backing up and restoring Windows settings after events like device resets or upgrades. The tool debuted at the Microsoft Ignite conference in November 2024, became publicly available in August 2025, and requires the September 2025 Windows Monthly Cumulative Update for access. The default-on setting applies only to eligible devices where administrators have not set the policy otherwise, and IT administrators can manage this through mobile device management solutions. Restore functionality will not be enabled by default and requires administrative configuration. The default-on behavior will also be available in the Windows Insider Program Experimental channel starting July 2026.
Winsage
June 4, 2026
Active Directory Certificate Services (ADCS) now supports the generation of post-quantum certificates, enhancing quantum-safe cryptography within Windows' secure connection protocols. Microsoft has integrated PQ TLS hybrid key exchange into the Windows Transport Layer Security (TLS) stack, providing protection against "Harvest Now, Decrypt Later" attacks. The PQ TLS hybrid key exchange combines traditional cryptographic methods with the NIST ML-KEM algorithm, offering three hybrid combinations: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1_MLKEM1024. This feature is available in preview via the Windows Insider Program and will be rolled out to Windows 11 and Windows Server. Additionally, Windows cryptography APIs now support composite ML-KEM and ML-DSA algorithms, which are NIST-approved standards for key exchange and digital signatures, enhancing security by requiring multiple components to be compromised. Microsoft emphasizes the importance of establishing new Certification Authorities (CAs) for implementing post-quantum certificate issuance, as existing CAs cannot be upgraded. The introduction of ML-DSA support within ADCS allows organizations to counter HNDL risks associated with long-lived data. Organizations are encouraged to inventory their use of public-key cryptography, prioritize systems protecting sensitive data, and test hybrid and composite approaches in non-production environments to facilitate a smooth transition to quantum-safe cryptography.
Winsage
May 1, 2026
Microsoft has updated its Windows 11 operating system to enhance the management of preinstalled applications. The new RemoveDefaultMicrosoftStorePackages policy allows IT administrators to remove any preinstalled MSIX/APPX applications by referencing their Package Family Name (PFN) through Group Policy Object (GPO) or custom OMA-URI for mobile device management (MDM). This feature requires devices to have at least the April 2026 Windows non-security update. It is available for Windows 11 version 24H2 Enterprise and Education editions, whereas it was initially exclusive to version 25H2 or later. A comprehensive list of supported applications and instructions for applying the policy are provided in Microsoft's documentation. Additionally, a new policy setting enables the uninstallation of the AI-powered Copilot digital assistant from enterprise devices after the April 2026 Patch Tuesday updates. The dynamic list option for this policy will be rolled out in the coming months.
Winsage
April 18, 2026
A series of updates have been released, focusing on system integrity and performance. Users should perform verification tasks, including installing, uninstalling, and repairing MSI packages, connecting and disconnecting cloud sync providers, and enrolling devices in Intune or MDM solutions. The Common Log File System driver (clfs.sys) is receiving a follow-up patch, along with updates to Storage Spaces (spaceport.sys) and app isolation file system drivers (bfs.sys, wcifs.sys). Users should also run Windows Update installation and rollback cycles, install and uninstall applications, and verify data integrity through backup solutions. For Storage Spaces, creating a pool with mirrored and thin virtual disks and ensuring clean deletion is necessary. April's updates for Office target MSI editions, including Excel 2016 (KB5002860), PowerPoint 2016 (KB5002808), Office 2016 shared libraries (KB5002859), and SharePoint Server editions from 2016 to 2019. These updates do not apply to Click-to-Run deployments like Microsoft 365 Apps. Users should validate complex Excel workbooks, PowerPoint presentations, SharePoint document libraries, and the functionality of Office add-ins. Testing for two High Risk components is essential: changes to Kerberos may disrupt services using RC4 keytabs, and the Remote Desktop client update requires validation of clipboard functionality, printer redirection, and session reconnection. Validating Secure Boot and BitLocker is critical as CVE-2023-24932 key rolling progresses. Additionally, cloud sync testing is important due to five patches to the Projected File System driver, and regression testing is needed for dual afd.sys updates and VPN/IPsec patches across remote-access infrastructure. Office updates are limited to MSI editions.
Winsage
March 11, 2026
Microsoft's Hyper-V is a hardware virtualization platform integrated into Windows 11 Professional, Enterprise, and Education editions, allowing users to host multiple virtual machines (VMs) on a single computer. It operates using a type 1 hypervisor directly on hardware, enabling VMs to share resources like CPU, memory, and storage. Hyper-V includes features such as dynamic memory allocation, software-defined networking, and saved checkpoints. IT administrators may need to disable Hyper-V due to compatibility issues with third-party virtualization software, high-precision applications, or driver conflicts. Disabling Hyper-V can also affect security features reliant on it, such as virtualization-based security (VBS) and Device Guard. Methods to disable Hyper-V include: 1. Using the Windows Features dialog. 2. Executing a PowerShell command: Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All, HypervisorPlatform, VirtualMachinePlatform. 3. Running a DISM command: dism /Online /Disable-Feature /FeatureName:Microsoft-Hyper-V-All /FeatureName:HypervisorPlatform /FeatureName:VirtualMachinePlatform. 4. Using the bcdedit command: bcdedit /set hypervisorlaunchtype off. 5. Modifying Group Policy to disable VBS. 6. Editing the Windows Registry to disable VBS or Credential Guard. For multiple managed computers, administrators can create and execute a PowerShell script or use Group Policy Objects to streamline the process. Testing in a controlled environment is recommended to ensure desired outcomes without compromising security or functionality.
Search