Would you recommend using the BitLocker settings in "Endpoint Security" shown here over a "device configuration profile"? And why? Feels a bit confusing that you can do it in both places... not sure which one to choose.
@MSEndpointMgr 1 year ago
Good question. We ask the same. Endpoint Security is good to use if you have a separate SecOps division that you want to give access to policy. They can use the Entra role Security Admin to get access to these kinds of policies. Settings Catalog is kind of the universal place we Intune admins use, but it can be hard sometimes to build the right policy pack, whereas Endpoint Security is more of a template kind of thing: THESE are the settings that you want to consider. Hope this helped you.
@Nozuka621 1 year ago
@MSEndpointMgr Good points, thanks! Feels like they should just make the same profiles show up in both places then... oh well :)
@MrMarcLaflamme 1 year ago
Regarding turning off the Store. Maybe I missed you mentioning this, but what about the built-in Windows apps that are updated automatically through the Store? Such as Calculator, Notepad, Phone Link, etc. I didn't specifically deploy these as they came installed, but they are updated via the Store. Will they need to be re-deployed via Intune as a required store app to be updated?
@MSEndpointMgr 1 year ago
They will continue to be updated. Everything you have that is installed via the Store will still be updated. By using this new policy you prohibit manual store app shopping and also winget install locally.
@MrMarcLaflamme 1 year ago
@MSEndpointMgr Okay, that's good to know. Regarding your last point about winget locally, does that mean if I open a terminal prompt and run winget install x, this will not work?
@Minerva___ 1 year ago
At 15:38 you mention that updates won’t be blocked, however, in the informational bubble in the Settings picker screen it states, “Access to the Store is required for installing app updates.” I wouldn’t put it past Microsoft forgetting to update this information, but have you successfully tested that updates are possible for UWP apps? I’m asking because we recently began vulnerability testing in which a large number of the UWP apps were missing updates. This was due to a GPO we configured to block access to the store. I’m trying to move away from a hybrid configuration in my environment and would like to configure this via Intune but need to make sure it works. Is there a way to test (or force) apps to fetch updates with this Configuration Profile in place? Also, it looks like this is only supported for Windows Enterprise or Windows Education. Unfortunately, we’re only running Windows Professional.
@MSEndpointMgr 1 year ago
@Minerva___ Yes, only for those platforms. The text in the setting is very clunkily written. It is confirmed by MSFT that the above stated is indeed the behavior. Apps will update.
@KiwiEngineer-0 1 year ago
Exciting changes with the BitLocker configuration. Will you also be able to set the PIN on a global level?
@MSEndpointMgr 1 year ago
Absolutely exciting! PIN on a global level, can you elaborate? You can assign the policy and thereby target your devices.
@KiwiEngineer-0 1 year ago
@MSEndpointMgr One of our customers requires the same BitLocker startup PIN across all Intune MDM Windows endpoints. Is there a way to push the 6-digit PIN without end user interaction?
@MSEndpointMgr 1 year ago
@KiwiEngineer-0 Hmm, so a startup PIN which is the same for all devices and telling the user afterwards? Why bother to have a PIN then? Shoulder-surf one device and steal the code. It does not sound like a very good idea, to be honest.
@webcomment8895 1 year ago
@MSEndpointMgr The reason to do that is to automate applying an initial PIN on all devices. Standard users cannot create BitLocker PINs; they can only change existing PINs. You would require users to change the PIN after they receive their device so they would not all have the same PIN. A simple way to ensure users will change the PIN ASAP is to set the initial PIN to be much longer and more complex than the minimum requirements. Set a 25-character default PIN and then tell users the minimum PIN length is 7 characters and they will all change the PIN to something else rather than keep using the PIN they were given.
@Lewis01Brown 1 year ago
Intune Win32 apps need an advanced option to be able to have an "Uninstall" package so we could use PSADT but without the installer files in the intunewin file.
@MSEndpointMgr 1 year ago
Preach it. We need more options, but let's add the feature request and keep asking until we get it :)
@AbdullahOllivierreIT 1 year ago
I do not get it. PSADT is only great when user interaction is required.
@MSEndpointMgr 1 year ago
@AbdullahOllivierreIT It is also great for logging and standardizing your package estate.