Windows 11 Best Practices Part Four: User Experience


We have finished the first three parts of this multi-part series focused on Windows 11 best practices. Today, we move on to the user experience. Some of these topics I have written about before, and some are brand new. We will cover Windows Hello for Business with Cloud Kerberos Trust, OneDrive for Business, the Microsoft Edge user experience, user password solutions, third-party ADMX integrations with Intune, self-service password reset, and Office cloud app policies.

As you read on, feel free to check out the previous parts in the series.

Windows Hello for Business with Cloud Kerberos Trust

This is a topic that I covered a while back here. Microsoft’s strategy for MFA on desktops is centered on the Windows Hello for Business security model. A major part of the passkey vision is that a user starts with a Temporary Access Pass, uses it to enroll in Windows Hello for Business, and from then on signs in with a device-bound, phishing-resistant credential instead of a password.

Windows Hello for Business Cloud Kerberos Trust architectural flow

Overall, WH4B has been challenging since its introduction because the initial deployment models, key trust and certificate trust, had heavy prerequisites: certificate trust needs AD FS plus a certificate enrollment infrastructure, and key trust needs a PKI that issues certificates to your domain controllers. Obviously, these were concerns for companies because of the complexity.

Now, with the introduction of Cloud Kerberos Trust (CKT), life is much easier. We simply onboard the Azure AD Kerberos server object (an RODC-style computer object in Active Directory whose krbtgt_AzureAD key is shared with Entra ID) and things just work. The flow below, as seen on my blog, shows how Entra ID issues a partial TGT for the on-premises realm, which the client then exchanges with a domain controller for a full TGT; that exchange is what lets a WH4B sign-in reach on-premises resources without certificates or AD FS.

Cloud Kerberos trust authentication flow

Overall, this is where the end user experience story begins and ends. Delivering MFA without looking like MFA is a key component of a strong user experience.
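As an added example (not code from the original post), here is the onboarding and verification work for Cloud Kerberos Trust in PowerShell: create the Azure AD Kerberos server object, confirm that Active Directory and Entra ID agree on the shared key, and check the resulting tickets on a client once the Intune setting Windows Hello for Business > Use Cloud Trust For On Prem Auth has applied. The domain name, UPN and paths are placeholders; the cmdlets and module are Microsoft's.

```powershell
# Added example, not code from the original post: onboard the Azure AD Kerberos server object
# that Cloud Kerberos Trust depends on, then verify it from both sides and from a client.
# Placeholders: on-prem domain 'corp.example.com' and Global Administrator UPN 'admin@contoso.example'.
# Run from a domain-joined admin host that can reach a domain controller.

# The cmdlets ship in Microsoft's AzureADHybridAuthenticationManagement module.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser
Import-Module AzureADHybridAuthenticationManagement

$domain     = 'corp.example.com'          # placeholder AD DNS domain
$cloudUpn   = 'admin@contoso.example'     # placeholder Global Administrator UPN (interactive MFA sign-in)
$domainCred = Get-Credential -Message 'Active Directory Domain Admin'

# Creates the AzureADKerberos computer object and the krbtgt_AzureAD account in AD, and
# publishes that key to Entra ID so it can sign partial TGTs for this realm.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred

# Both sides must agree: Id should equal CloudId and KeyVersion should equal CloudKeyVersion.
$server = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred
$server | Format-List Id, CloudId, KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn
if ($server.KeyVersion -ne $server.CloudKeyVersion) {
    Write-Warning 'AD and Entra ID disagree on the krbtgt_AzureAD key version; re-run Set-AzureADKerberosServer.'
}

# Rotate the shared krbtgt_AzureAD key on a schedule, as you would rotate krbtgt itself.
# Uncomment inside a change window:
# Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudUpn -DomainCredential $domainCred -RotateServerKey

# Client side, after the WH4B policy applies and the user signs in with Hello:
# 'klist' should list a full krbtgt/CORP.EXAMPLE.COM ticket obtained without a password, and
# 'klist cloud_debug' reports whether the cloud (partial) TGT was available at logon.
klist
klist cloud_debug
```

If `klist cloud_debug` shows no cloud TGT, the usual causes are that the device cannot reach a domain controller at sign-in time or that the policy has not applied yet; `dsregcmd /status` confirms the device is hybrid or Entra joined before you dig further.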

OneDrive for Business Best Practices for User Experience

One of the best kept secrets is the Microsoft 365 Apps admin center at config.office.com (mainly because some Intune admins don’t have access to it). If you go there, under Health you can see the OneDrive sync app health metrics:

OneDrive Sync app health window

This gives you a good idea of where things stand in your environment. The big takeaway here is that the folder backup percentages look bad. Additionally, if we check devices, this is also NOT good (16 devices):

OneDrive Sync app health device count

So now we realize that we didn’t configure OneDrive correctly. That is NOT a good user experience! We can build a very easy policy in Intune to configure OneDrive: silently sign users in with their Windows credentials, turn on Known Folder Move (Folder Backup) for our tenant, and allow sync health data to be sent so the dashboard above fills in.

Check the video below showing you how to configure the OneDrive policy in Intune that will configure “Folder Backup.”
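As an added example (not code from the original post or video), the script below audits a device for the OneDrive policy values that the Intune OneDrive settings write under HKLM, and reports the current user's Known Folder Move state. The tenant ID is a placeholder, and the per-user value names under the OneDrive account key are my assumption about where the sync client records them.

```powershell
# Added example, not code from the original post or video: audit a device for the OneDrive
# policy values that the Intune OneDrive settings (ADMX-backed) write under HKLM, and report
# the signed-in user's Known Folder Move state.
# Placeholder: tenant ID. Assumption: per-user KFM status lives under
# HKCU\Software\Microsoft\OneDrive\Accounts\Business1 (UserEmail, KfmFoldersProtectedNow).

$tenantId  = '00000000-0000-0000-0000-000000000000'   # replace with your Entra tenant ID
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Policy value name => expected value (names match OneDrive.admx)
$expected = [ordered]@{
    KFMSilentOptIn         = $tenantId   # "Silently move Windows known folders to OneDrive"
    KFMBlockOptOut         = 1           # "Prevent users from redirecting their Windows known folders to their PC"
    SilentAccountConfig    = 1           # "Silently sign in users to the OneDrive sync app with their Windows credentials"
    FilesOnDemandEnabled   = 1           # "Use OneDrive Files On-Demand"
    EnableSyncAdminReports = 1           # "Allow sync health data to be sent" (feeds the Apps admin center dashboard)
}

function Test-OneDrivePolicy {
    $actual = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Ok       = ("$value" -eq "$($expected[$name])")
        }
    }
}

function Get-KfmState {
    $acct = Get-ItemProperty 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SignedInUser        = $acct.UserEmail
        FoldersProtectedNow = $acct.KfmFoldersProtectedNow   # known folders currently redirected
        SyncClientVersion   = (Get-ItemProperty 'HKCU:\Software\Microsoft\OneDrive' -ErrorAction SilentlyContinue).Version
    }
}

Test-OneDrivePolicy | Format-Table -AutoSize
Get-KfmState
```

Any row with Ok = False means the Intune profile has not landed on that device (or a conflicting GPO won), which is exactly what the low folder backup percentage in the dashboard was telling us.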

Configuring the Microsoft Edge User Experience

In previous articles, we talked about security baselines for Microsoft Edge. Today, we discuss building a strong user experience with Microsoft Edge. Overall, I don’t get too crazy with Edge. Let’s discuss the settings that I like to use and then you can see my policy below.

We care about a few specific items:

Microsoft Edge DNS over HTTPS

By default, Microsoft Edge uses "automatic" DNS over HTTPS: it upgrades to encrypted DNS only when the system's configured resolver is known to support DoH, and otherwise falls back to plaintext DNS. We set the mode to "secure" with an explicit DoH template so lookups are always encrypted, which improves the security posture and privacy of your users (yeah, you could argue this is more security, but I like it being on the user side of the fence). One caveat before you roll this out: in secure mode with a public resolver, names that only your internal DNS answers stop resolving in Edge, so point the template at a DoH-capable corporate resolver or leave those devices in automatic mode.

DNS over HTTPS flow

Disabling Edge Password Manager and Sync

In the next section, we will talk about password managers and how they are awesome. So, we use our policy to disable Edge's built-in password manager, address and payment autofill, and browser sync to Microsoft's sync service, so credentials live in the enterprise vault rather than in the browser.

Once we deploy those settings, you can instruct users to clear their passwords from the wallet, as I have never seen a reliable way of doing this programmatically. The policy stops Edge from saving or filling new entries, but it does not purge what is already stored. Even with code like this below, it seems to come back eventually:

# Load the assembly that provides SendKeys; without this the type lookup fails
Add-Type -AssemblyName System.Windows.Forms

# Define the URL of the "Clear browsing data" page (Edge settings pages use the edge:// scheme)
$edgeClearBrowsingDataURL = "edge://settings/clearBrowserData"

# Open Microsoft Edge on the clear browsing data page
Start-Process "msedge.exe" -ArgumentList $edgeClearBrowsingDataURL

# Wait for Edge to open and fully load the settings page
Start-Sleep -Seconds 7

# SendKeys types into whatever window has focus on the interactive desktop, so this has to run
# in the user's session with Edge in the foreground. The original wrapped these calls in a
# Start-Job background runspace, which never loaded the assembly and cannot be trusted to
# reach the Edge window, so they run inline here. The tab counts are tied to the current Edge
# build and need adjusting whenever the settings page layout changes.
[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{TAB}{TAB}{TAB}{SPACE}")  # Select "Browsing history"
Start-Sleep -Seconds 1
[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")  # Select "Cookies and other site data"
Start-Sleep -Seconds 1
[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")  # Select "Cached images and files"
Start-Sleep -Seconds 1
[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")  # Select "Passwords and other sign-in data"
Start-Sleep -Seconds 1
[System.Windows.Forms.SendKeys]::SendWait("{TAB}{SPACE}")  # Select "Autofill form data"
Start-Sleep -Seconds 1
[System.Windows.Forms.SendKeys]::SendWait("{TAB}{TAB}{SPACE}")  # Click "Clear now"
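An alternative to driving the UI, added here as an example and not part of the original post: Chromium-based browsers keep saved passwords in a SQLite file named "Login Data" inside each profile folder (newer builds also use "Login Data For Account"). Deleting those files while Edge is closed removes the stored entries. The file names and the assumption that the policy above already has sync disabled (otherwise sync repopulates the store) are mine; run it in the user's own context.

```powershell
# Added example, not code from the original post: remove saved passwords from every Edge
# profile on this device by deleting Chromium's password store while Edge is closed.
# Assumptions: passwords live in 'Login Data' / 'Login Data For Account' under each profile
# folder, and the Intune policy already sets PasswordManagerEnabled=0 and SyncDisabled=1.

function Clear-EdgeSavedPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$UserData = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    )

    # Edge holds the SQLite files open and rewrites them on exit, so it must not be running.
    Get-Process msedge -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2

    $profiles = Get-ChildItem -Path $UserData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }

    foreach ($profile in $profiles) {
        foreach ($name in 'Login Data', 'Login Data-journal', 'Login Data For Account', 'Login Data For Account-journal') {
            $file = Join-Path $profile.FullName $name
            if ((Test-Path $file) -and $PSCmdlet.ShouldProcess($file, 'Delete password store')) {
                Remove-Item -Path $file -Force
            }
        }
    }
}

# Preview first; drop -WhatIf to actually delete.
Clear-EdgeSavedPasswords -WhatIf
```

Because the function supports -WhatIf and -Confirm, you can ship it as a Proactive Remediation or a one-off script and still see exactly which profile files it would touch before letting it delete anything.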

Microsoft Edge Sleeping Tabs

Sleeping tabs are a really cool feature. They put background tabs to sleep after 2 hours of inactivity to free up resources for your active tabs. You can use policy to change that timeout (SleepingTabsTimeout, set in seconds). Personally, I set it to 60 minutes.

For context, to prevent a tab from taking a nap these activities keep them active:

  • Active tab
  • Sharing its browsing instance with another page
  • Company intranet site
  • Being inspected by DevTools
  • Playing audio
  • Capturing a window, screen, or user media (e.g. webcam, microphone)
  • Page being mirrored
  • Page is part of a user’s block list in Settings (You can add sites that you never want to sleep)
  • Using WebUSB

The technology builds on Chromium's tab freezing. Freezing pauses a tab’s script timers, which minimizes CPU usage and frees up memory.

You also have “discarded tabs” which removes the page content from memory. I tend to avoid it because it is inefficient and requires an entire page reload.

Microsoft Edge Efficiency Mode and Performance Detector

Efficiency mode extends battery life by minimizing power usage. It reduces resource usage by limiting background tab activity and some foreground activity, and it puts inactive tabs to sleep after 30m to help with that idea.

When you add the policy, it kicks in when a device is unplugged and running on battery power. It uses the same block list that sleeping tabs use, so specific sites are not affected.

Microsoft Edge will take steps to minimize resource usage when a device is under pressure. Edge may put tabs to sleep when memory pressure is detected. Sometimes Edge needs help when things get difficult: Performance Detector identifies tabs with high resource usage and gives you a way to fix it.

Edge Performance Detector

Edge Startup Boost

Edge Startup Boost helps Edge open quicker by keeping a minimal set of browser processes running in the background after you close it. It works really nicely after a reboot or after you reopen Edge, and it also applies when you click a hyperlink that opens in Microsoft Edge.

Edge Startup Boost
The Intune policy for Edge customization

You can find the JSON of my policy here.
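As an added example (this is not the author's policy JSON), the Edge settings discussed above are expressed below as the registry values an ADMX-backed Intune Edge profile writes under HKLM\SOFTWARE\Policies\Microsoft\Edge, with a test function to confirm a device received them. The Set- function is for a lab or validation box; in production let Intune write these keys. The DoH template URL and intranet host are placeholders, and the policy names are Edge's own.

```powershell
# Added example, not the author's Intune policy: the same Edge user-experience settings as the
# registry values an ADMX-backed Intune Edge profile writes, plus a check that they landed.
# Placeholders: the DoH resolver URL and the intranet host in the never-sleep list.

$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

$desired = [ordered]@{
    # DNS over HTTPS: 'secure' never falls back to plaintext; 'automatic' (Edge's default)
    # only upgrades when the system resolver is known to support DoH.
    DnsOverHttpsMode           = 'secure'
    DnsOverHttpsTemplates      = 'https://doh.corp.example.com/dns-query{?dns}'   # placeholder corporate resolver
    # Credentials belong in the enterprise vault, not the browser
    PasswordManagerEnabled     = 0
    AutofillAddressEnabled     = 0
    AutofillCreditCardEnabled  = 0
    SyncDisabled               = 1
    # Resource management
    SleepingTabsEnabled        = 1
    SleepingTabsTimeout        = 3600   # seconds; Edge's default is 7200 (2 hours)
    EfficiencyModeEnabled      = 1
    StartupBoostEnabled        = 1
    PerformanceDetectorEnabled = 1
}

# Sites that must never be put to sleep (efficiency mode honors the same list)
$neverSleep = @('https://intranet.corp.example.com')   # placeholder

function Set-EdgeUxPolicy {
    New-Item -Path $edgeKey -Force | Out-Null
    foreach ($name in $desired.Keys) {
        $type = if ($desired[$name] -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $edgeKey -Name $name -Value $desired[$name] -PropertyType $type -Force | Out-Null
    }
    # List policies are stored as a subkey holding 1-based numbered string values
    $listKey = Join-Path $edgeKey 'SleepingTabsBlockedForUrls'
    New-Item -Path $listKey -Force | Out-Null
    for ($i = 0; $i -lt $neverSleep.Count; $i++) {
        New-ItemProperty -Path $listKey -Name ($i + 1) -Value $neverSleep[$i] -PropertyType String -Force | Out-Null
    }
}

function Test-EdgeUxPolicy {
    $actual = Get-ItemProperty -Path $edgeKey -ErrorAction SilentlyContinue
    foreach ($name in $desired.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Policy   = $name
            Expected = $desired[$name]
            Actual   = $value
            Ok       = ("$value" -eq "$($desired[$name])")
        }
    }
}

Test-EdgeUxPolicy | Format-Table -AutoSize
```

After the values change, open edge://policy on the device: it shows which policies Edge actually loaded and flags any it rejected, which is the quickest way to catch a typo in the DoH template before users notice that internal names stopped resolving.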

User Password Solutions

Last year, I wrote about moving to Dashlane, and not everyone is going to agree on this point. Some will just want to use Microsoft Edge’s password manager, and that is fine. It’s nice when you just want to save some passwords, but often we need a more holistic solution.

Password solutions like Dashlane or 1Password integrate directly into the browser to autofill passwords for users from a vault that is encrypted with a key derived from the user's master password, so the vendor never holds the plaintext. Some of the things they add on top of the Edge password story are:

  • Separation of work and personal vaults
  • Provisioning enterprise groups and delivering shared credentials down to devices
  • Storing certificate or other crucial secrets
  • Leveraging a BYOK model

There are other benefits overall, but Dashlane/1Password and others are great solutions that are scalable and deliver benefits to the organization and the user by giving them a personal vault as well.

Dashlane security flow

Other neat things Dashlane gives us are a password generator, great analytics on the organization's password health score, and a great administrative experience to help support users.

3rd party ADMX Integrations with Intune

An item I covered a while back is the 3rd party ADMX import in Intune. It is probably Intune's biggest advantage over MDM competitors RIGHT NOW.

You can take almost any vendor's ADMX/ADML pair and import it straight into Intune to deliver policy and customizations to the application. An amazing example I explored recently was Dell Command Update. I was able to import the file and push down policy to a fleet of devices. Two practical notes: the ADML language file has to be uploaded with the ADMX, and if the ADMX references another namespace (Windows.admx, for example), that file has to be imported first or the upload fails. With that handled, you can deliver the user experience you strive for with almost any application while reducing complexity.

If we know anything about IT, when you reduce complexity, everyone wins. As a consultant, this capability is saving me a ton of time during design and deployment with its incredible simplicity. Check out the video demo below:
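As an added example (not from the original post or video), the import can be scripted against the same Graph API the admin center uses, which is handy when you have many vendors' files to load into several tenants. The endpoint is in the beta Graph namespace, the file paths are placeholders, and the status values I poll for are my reading of the API's status enum.

```powershell
# Added example, not from the original post or video: import a third-party ADMX/ADML pair into
# Intune through Microsoft Graph (beta), then poll until Intune has finished processing it.
# Placeholders: file paths. Prerequisite: any namespace the ADMX references via <using>
# (e.g. Windows.admx) must already be imported, or the upload fails validation.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

function Import-IntuneAdmx {
    param(
        [Parameter(Mandatory)][string]$AdmxPath,
        [Parameter(Mandatory)][string]$AdmlPath,
        [string]$LanguageCode = 'en-US'
    )
    $body = @{
        fileName            = [IO.Path]::GetFileName($AdmxPath)
        content             = [Convert]::ToBase64String([IO.File]::ReadAllBytes($AdmxPath))
        defaultLanguageCode = $LanguageCode
        groupPolicyUploadedLanguageFiles = @(
            @{
                fileName     = [IO.Path]::GetFileName($AdmlPath)
                languageCode = $LanguageCode
                content      = [Convert]::ToBase64String([IO.File]::ReadAllBytes($AdmlPath))
            }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
}

function Wait-IntuneAdmxImport {
    param([Parameter(Mandatory)][string]$Id, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $file = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/beta/deviceManagement/groupPolicyUploadedDefinitionFiles/$Id"
    } while ($file.status -eq 'uploadInProgress' -and (Get-Date) -lt $deadline)
    $file   # status 'available' means the settings are now selectable in an Imported ADMX profile
}

$upload = Import-IntuneAdmx -AdmxPath 'C:\ADMX\DellCommandUpdate.admx' `
                            -AdmlPath 'C:\ADMX\en-US\DellCommandUpdate.adml'
$result = Wait-IntuneAdmxImport -Id $upload.id
$result | Select-Object id, displayName, status, targetNamespace
```

If the status comes back as uploadFailed, the portal's Imported ADMX blade shows the validation message (typically a missing referenced namespace or a mismatched ADML), so fix the dependency and import again.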

Self Service Password Reset (SSPR)

Not a ton to say about this one, but overall you need a good SSPR strategy. With the growth of the Entra platform, we can now reset passwords and credentials in more ways than ever before.

For one, you have passwordreset.microsoftonline.com, which helps you easily reset your password when you are having issues:

Self service password reset verification in Microsoft Entra

Many people don’t realize that you can now use Microsoft Entra self-service password reset right at the Windows sign-in screen:

The login window with the reset password option

You can check out the Microsoft article on setting it up here. We understand the idea: we want to avoid putting a huge burden on the help desk while making sure users can securely reset their passwords. Eliminating that huge emotional burden on both sides is crucial to the success of your user experience story.
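As an added example (not from the original post), the check below tells you whether a given device should show the "Reset password" link at sign-in. The registry value is the one Microsoft documents for hybrid-joined devices (delivered by Group Policy or a script); Entra-joined devices get the same switch from Intune through the Authentication CSP at ./Vendors/MSFT/Policy/Config/Authentication/AllowAadPasswordReset. The PolicyManager path I read the CSP value from is my assumption about where Windows caches it, and the tenant still needs SSPR enabled with the user registered for it.

```powershell
# Added example, not from the original post: check whether this device is set up for Entra ID
# self-service password reset at the Windows sign-in screen.
# Documented: HKLM\SOFTWARE\Policies\Microsoft\AzureADAccount\AllowPasswordReset = 1 (hybrid-joined).
# Assumption: the Intune/CSP value is cached under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device.

function Get-DsregField {
    param([string[]]$StatusText, [string]$Field)
    $m = $StatusText | Select-String -Pattern "^\s*$Field\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Test-SsprAtSignIn {
    $status       = dsregcmd /status
    $azureJoined  = (Get-DsregField $status 'AzureAdJoined') -eq 'YES'
    $domainJoined = (Get-DsregField $status 'DomainJoined')  -eq 'YES'

    $gpo = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount' -ErrorAction SilentlyContinue).AllowPasswordReset
    $csp = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication' -ErrorAction SilentlyContinue).AllowAadPasswordReset

    [pscustomobject]@{
        JoinType              = if ($azureJoined -and $domainJoined) { 'Hybrid' } elseif ($azureJoined) { 'EntraJoined' } else { 'NotEntraJoined' }
        AllowPasswordReset    = $gpo   # hybrid / Group Policy path
        AllowAadPasswordReset = $csp   # Intune / CSP path
        ResetLinkExpected     = $azureJoined -and (($gpo -eq 1) -or ($csp -eq 1))
        # The lock screen has to reach the reset service before anyone is logged on
        ResetServiceReachable = Test-NetConnection -ComputerName 'passwordreset.microsoftonline.com' -Port 443 -InformationLevel Quiet
    }
}

Test-SsprAtSignIn
```

ResetLinkExpected being false on a device that is Entra joined almost always means the policy never arrived; a true value with ResetServiceReachable false points at a proxy or firewall that only allows traffic after logon, which the sign-in screen cannot use.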

Office 365 Cloud App Policies

A major part of the user experience story is making sure that Office doesn’t single-handedly murder the user experience. Trust me, if you let it, it WILL! I recently covered the security best practices for these policies in my article here.

You have to build and design your Office user experience around those best practices to ensure you are being good to your users. Recently, I’ve been working on an issue where, in Word for example, Adobe Acrobat uses a ton of unsigned macros and isn’t a trusted publisher.

In these scenarios, you may not be able to outright block all unsigned macros. You may need to modify your policy so that people in specific groups can run unsigned macros where necessary. Keep that exception as narrow as you can (a defined group, reviewed periodically), because every user who can run unsigned macros is a phishing target; where possible, get the add-in's code signed or its publisher added to Trusted Publishers so the default "disable all except digitally signed macros" setting can stay in place. The key to building a good user experience is customizing the things that matter.

We want to move away from custom tweaks to the settings of individual Office applications and use these cloud policies to build the user experience your users are asking for.

Office Apps Cloud Policy settings
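As an added example (not from the original post), the script below reports the VBA macro setting each Office app actually received for the signed-in user, from both the Cloud Policy location and the classic Group Policy location, and checks whether an add-in's signer is already a Trusted Publisher, which is the question behind the Acrobat case above. The Cloud Policy registry path is my assumption about where the service writes, and the add-in path is a placeholder for the Acrobat PDFMaker add-in.

```powershell
# Added example, not from the original post: show the effective VBA macro policy per Office app
# and whether an add-in's Authenticode signer is trusted, so you can fix trust instead of
# loosening the macro policy.
# Assumption: Cloud Policy writes under HKCU\Software\Policies\Microsoft\Cloud\Office\16.0;
# the GPO/ADMX path is HKCU\Software\Policies\Microsoft\Office\16.0. Add-in path is a placeholder.

$vbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    $sources = [ordered]@{
        CloudPolicy = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'
        GPO         = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
    }
    foreach ($app in $Apps) {
        foreach ($src in $sources.Keys) {
            $sec = Get-ItemProperty "$($sources[$src])\$app\Security" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                App                 = $app
                Source              = $src
                VBAWarnings         = $sec.VBAWarnings
                Meaning             = if ($sec.VBAWarnings) { $vbaMeaning[[int]$sec.VBAWarnings] } else { '(not set here)' }
                BlockInternetMacros = $sec.blockcontentexecutionfrominternet   # 1 = block macros in files from the internet
            }
        }
    }
}

function Test-TrustedPublisher {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Signed = $false; Publisher = $null; Thumbprint = $null; TrustedPublisher = $false }
    }
    $thumb = $sig.SignerCertificate.Thumbprint
    # Office consults the Windows Trusted Publishers store for signed VBA and add-ins
    $trusted = (Test-Path "Cert:\CurrentUser\TrustedPublisher\$thumb") -or (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb")
    [pscustomobject]@{
        Path             = $Path
        Signed           = $true
        Publisher        = $sig.SignerCertificate.Subject
        Thumbprint       = $thumb
        TrustedPublisher = $trusted   # $false: import the signer cert into TrustedPublisher instead of allowing unsigned macros
    }
}

Get-OfficeMacroPolicy | Sort-Object App, Source | Format-Table -AutoSize
Test-TrustedPublisher -Path 'C:\Program Files\Adobe\Acrobat DC\PDFMaker\Office\PDFMOfficeAddin.dll'   # placeholder
```

If Signed comes back true but TrustedPublisher is false, distributing that signer certificate to the Trusted Publishers store (Intune can deploy certificates to LocalMachine\TrustedPublisher) keeps VBAWarnings at 3 for everyone; only a genuinely unsigned add-in justifies the group-scoped exception discussed above.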

Final Thoughts

When it comes to the user experience, you have been doing it all along if you’ve made good decisions around onboarding, security, and usability as we covered in the previous parts of this series. We refine some aspects of our Windows 11 deployment and layer in capabilities to enhance the user’s experience. There are other areas we could have covered, but we have discussed them many times in the past like Digital Employee Experience with ControlUp Edge DX, which includes remote management. We could have also covered Universal Print.

I chose to prioritize capabilities that will deliver a ton of value without significant cost or risk. We will continue to develop and refine our vision of an ideal Windows 11 state. It’s not one size fits all, but a mentality of the right fit for you.

This multi-part series on Windows 11 best practices has covered onboarding, security, and advanced security. Part 4 delves into user experiences, addressing Windows Hello for Business with Cloud Kerberos Trust, OneDrive best practices, Microsoft Edge configuration, user password solutions, 3rd party ADMX integrations with Intune, self-service password reset, and Office 365 cloud app policies. These components aim to enhance the end user's experience.

Let me know what you think
