From f6da88dacb8710d4b7f5352db35972bf0c93e40e Mon Sep 17 00:00:00 2001 From: CharlieLinMS <119984924+CharlieLinMS@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:34:16 +0800 Subject: [PATCH 1/4] Update manage-microsoft-edge.md --- memdocs/intune/apps/manage-microsoft-edge.md | 21 +++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index 51ec4fd0a3..3bdf9c1bb3 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md @@ -590,6 +590,16 @@ You can configure a policy to enhance users' experience. This policy is recommen |:--|:----| |com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. | +#### Manage Sub Resource Blocking +By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked. To further restrict these sub resources, you can configure a policy to block the sub resource URLs. + +|Key |Value | +|:--|:----| +|com.microsoft.intune.mam.managedbrowser.ManageRestrictedSubresourceEnabled |**false**: (Default) Sub resource URLs will not be blocked even if the sub resource URLs are blocked.
**true**: Sub resource URLs will be blocked if they are listed as blocked. | + +> [!NOTE] +> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all subresource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load + #### URL formats for allowed and blocked site list You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table. @@ -600,7 +610,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These - You can specify port numbers in the address. If you do not specify a port number, the values used are: - Port 80 for http - Port 443 for https -- Using wildcards for the port number is **not** supported. For example, `http://www.contoso.com:*` and `http://www.contoso.com:*/` aren't supported. +- Using wildcards for the port number is supported. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`. +- Specifying IPv4 addresses with or without CIDR notation is supported. For example, you can specify 127.0.0.1 (a single IP address) or 127.0.0.1/24 (a range of IP addresses) |URL |Details |Matches |Does not match | |:----|:-------|:----------|:----------------| @@ -613,6 +624,12 @@ You can use various URL formats to build your allowed/blocked sites lists. These |`http://www.contoso.com:80`|Matches a single page, by using a port number |`www.contoso.com:80`| | |`https://www.contoso.com`|Matches a single, secure page|`www.contoso.com`|`www.contoso.com/images`| |`http://www.contoso.com/images/*` |Matches a single folder and all subfolders |`www.contoso.com/images/dogs`
`www.contoso.com/images/cats` | `www.contoso.com/videos`| + |`http://contoso.com:*` |Matches any port number for the HTTP service |`contoso.com:80`
`contoso.com:8080` | `contoso.com:443`| + |`https://contoso.com:*` |Matches any port number for the HTTPs service |`contoso.com:443`
`contoso.com:8443` | `contoso.com:80`| + |`http://192.168.1.1` |Matches a single IP address |`192.168.1.1`| `192.168.1.2`| + |`http://192.168.1.1:*` |Matches any port number for a single IP address |`192.168.1.1:8080`| `192.168.1.2:8080`| + |`http://10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`| + - The following are examples of some of the inputs that you can't specify: - `*.com` @@ -620,10 +637,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These - `www.contoso.com/*images` - `www.contoso.com/*images*pigs` - `www.contoso.com/page*` - - IP addresses - `https://*` - `http://*` - - `http://www.contoso.com:*` - `http://www.contoso.com: /*` ### Disable Edge internal pages From 5838cf35fb4d6094751a3b5e1363172f6bd221b9 Mon Sep 17 00:00:00 2001 From: CharlieLinMS <119984924+CharlieLinMS@users.noreply.github.com> Date: Wed, 11 Dec 2024 15:50:43 +0800 Subject: [PATCH 2/4] Update manage-microsoft-edge.md --- memdocs/intune/apps/manage-microsoft-edge.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index 3bdf9c1bb3..a736bc9695 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md @@ -561,8 +561,8 @@ Use the following key/value pairs to configure either an allowed or blocked site |:--|:----| |com.microsoft.intune.mam.managedbrowser.AllowListURLs

This policy name has been replaced by the UI of **Allowed URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | |com.microsoft.intune.mam.managedbrowser.BlockListURLs

This policy name has been replaced by the UI of **Blocked URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | -|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock |**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. | -|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked

This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. | +|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock

This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings|**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. | +|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. | |com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.| The following sites except copilot.microsoft.com are always allowed regardless of the defined allow list or block list settings: @@ -610,8 +610,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These - You can specify port numbers in the address. If you do not specify a port number, the values used are: - Port 80 for http - Port 443 for https -- Using wildcards for the port number is supported. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`. -- Specifying IPv4 addresses with or without CIDR notation is supported. For example, you can specify 127.0.0.1 (a single IP address) or 127.0.0.1/24 (a range of IP addresses) +- Using wildcards for the port number is supported in Edge for iOS only. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`. +- Specifying IPv4 addresses with CIDR notation is supported. For example, you can specify 127.0.0.1/24 (a range of IP addresses). |URL |Details |Matches |Does not match | |:----|:-------|:----------|:----------------| @@ -624,14 +624,10 @@ You can use various URL formats to build your allowed/blocked sites lists. These |`http://www.contoso.com:80`|Matches a single page, by using a port number |`www.contoso.com:80`| | |`https://www.contoso.com`|Matches a single, secure page|`www.contoso.com`|`www.contoso.com/images`| |`http://www.contoso.com/images/*` |Matches a single folder and all subfolders |`www.contoso.com/images/dogs`
`www.contoso.com/images/cats` | `www.contoso.com/videos`| - |`http://contoso.com:*` |Matches any port number for the HTTP service |`contoso.com:80`
`contoso.com:8080` | `contoso.com:443`| - |`https://contoso.com:*` |Matches any port number for the HTTPs service |`contoso.com:443`
`contoso.com:8443` | `contoso.com:80`| - |`http://192.168.1.1` |Matches a single IP address |`192.168.1.1`| `192.168.1.2`| - |`http://192.168.1.1:*` |Matches any port number for a single IP address |`192.168.1.1:8080`| `192.168.1.2:8080`| - |`http://10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`| + |`http://contoso.com:*` |Matches any port number for a single page |`contoso.com:80`
`contoso.com:8080` | | + |`10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`| - -- The following are examples of some of the inputs that you can't specify: + - The following are examples of some of the inputs that you can't specify: - `*.com` - `*.contoso/*` - `www.contoso.com/*images` From b90fdb05b8215586a4a4a01e557ea2d6e8df4b5d Mon Sep 17 00:00:00 2001 From: CharlieLinMS <119984924+CharlieLinMS@users.noreply.github.com> Date: Wed, 11 Dec 2024 15:58:33 +0800 Subject: [PATCH 3/4] Update manage-microsoft-edge.md --- memdocs/intune/apps/manage-microsoft-edge.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index a736bc9695..a98bbdc648 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md @@ -591,14 +591,16 @@ You can configure a policy to enhance users' experience. This policy is recommen |com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. | #### Manage Sub Resource Blocking -By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked. To further restrict these sub resources, you can configure a policy to block the sub resource URLs. +By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked. + +To further restrict these sub resources, you can configure a policy to block the sub resource URLs. |Key |Value | |:--|:----| |com.microsoft.intune.mam.managedbrowser.ManageRestrictedSubresourceEnabled |**false**: (Default) Sub resource URLs will not be blocked even if the sub resource URLs are blocked.
**true**: Sub resource URLs will be blocked if they are listed as blocked. | > [!NOTE] -> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all subresource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load +> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all sub resource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load #### URL formats for allowed and blocked site list From aec3bb820b478bfff7478da7a6d8bfe808d005d1 Mon Sep 17 00:00:00 2001 From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:48:09 +0100 Subject: [PATCH 4/4] Update device-profile-troubleshoot.md We preface the article with a statement that since 2022, Windows 8.1 is no longer supported. Because of this, there's no need to be explicit with policy refresh times on an OS that isn't supported. --- memdocs/intune/configuration/device-profile-troubleshoot.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 45ae7faf52..033ed40794 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -58,7 +58,6 @@ If a device doesn't check in to get the policy or profile after the first notifi | iOS/iPadOS | About every 8 hours | | macOS | About every 8 hours | | Windows 10/11 PCs enrolled as devices | About every 8 hours | -| Windows 8.1 | About every 8 hours | If devices recently enroll, then the compliance, noncompliance, and configuration check-in runs more frequently. The check-ins are **estimated** at: 
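Review bot: in patch 1, hunk `@@ -590,6 +590,16 @@` (new "Manage Sub Resource Blocking" section), the **false** row of the ManageRestrictedSubresourceEnabled table is circular as written ("Sub resource URLs will not be blocked even if the sub resource URLs are blocked"), and the **true** row ("if they are listed as blocked") covers only the BlockListURLs case, although the paragraph above defines a blocked URL as either listed in BlockListURLs or absent from AllowListURLs. Suggest: `**false**: (Default) Sub resource requests aren't checked against the allowed/blocked URL lists, even when the same URL would be blocked as a navigation.` and `**true**: Sub resource requests to a URL that is blocked as a navigation (listed in BlockListURLs, or not listed in AllowListURLs) are also blocked.` It is also worth stating plainly that with the default an allowed page can still load embedded content (scripts, frames, images) from a restricted site, since that is the gap the new key closes and the reason an admin would enable it.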
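Review bot: in patch 1, hunk `@@ -600,7 +610,8 @@`, the CIDR example `127.0.0.1/24` is a poor choice: 127.0.0.0/8 is the loopback range, and the example has host bits set (the canonical network form would be 127.0.0.0/24). Use the same private range the table below already uses, `10.0.0.0/24`, so bullet and table agree, and end the bullet with a period. The same hunk flips "Using wildcards for the port number is **not** supported" to "is supported" with no version or platform qualifier; patch 2 later narrows it to iOS only, which shows the claim needs a "supported in Edge for iOS version X / Android version Y" qualifier (placeholder, take the values from the release notes) so admins know which builds honour such a rule.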
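Review bot: in patch 1, hunk `@@ -613,6 +624,12 @@`, "HTTPs service" in the `https://contoso.com:*` row should be "HTTPS", and "for the HTTP service" / "for the HTTPS service" read better as "for the http scheme" / "for the https scheme", matching the bullets above, which speak of schemes, not services. The five new rows are indented by one leading space while the existing rows of the same table start at column 0; align them. Note also that the `http://192.168.1.1` and `http://192.168.1.1:*` rows document plain-IP matching that patch 2 withdraws again; whichever behaviour is real, the bullet list and the table must say the same thing.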
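Review bot: in patch 1, hunk `@@ -620,10 +637,8 @@`, dropping `IP addresses` and `http://www.contoso.com:*` from the can't-specify list is the right companion to the new table rows, but the pre-existing `http://www.contoso.com: /*` entry directly below has a stray space after the colon and is now the only port-related item left; if it is meant to show that an empty port is invalid, say so, otherwise it reads as a typo.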
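Review bot: in patch 2, hunk `@@ -561,8 +561,8 @@`, moving the "This policy name has been replaced by the UI of **Redirect restricted sites to personal context**" note from openInPrivateIfBlocked to AllowTransitionOnBlock changes which key admins will believe the UI toggle writes, and the commit message ("Update manage-microsoft-edge.md") gives no rationale. Because the two keys interact (the openInPrivateIfBlocked row says AllowTransitionOnBlock must be true for it to take effect), a wrong mapping means an admin who sets the UI toggle can get a different redirect behaviour for restricted sites than intended. Please confirm against the Intune UI and state in the commit or PR description which key the toggle sets; if the old placement was simply wrong, say so.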
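Review bot: in patch 2, hunk `@@ -610,8 +610,8 @@`, the port-wildcard bullet now says "in Edge for iOS only", but the `http://contoso.com:*` table row below carries no platform qualifier, and what Android does with such an entry (ignores it, rejects it, treats it literally) is left unstated; add that to the bullet so Android admins know what happens to the rule. The CIDR bullet still uses the loopback example `127.0.0.1/24` with host bits set while the table uses `10.0.0.0/24`; use one example. Since "with or without CIDR notation" becomes "with CIDR notation", single IPv4 addresses are implicitly unsupported again, so either re-add `IP addresses` (without CIDR) to the can't-specify list below or state how a single host should be expressed.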
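Review bot: in patch 2, hunk `@@ -624,14 +624,10 @@`, the rewritten `http://contoso.com:*` row says "Matches any port number for a single page", but its Matches column lists `contoso.com:80` and `contoso.com:8080`, which are hosts, not pages; "Matches the host on any port" is accurate. Its Does-not-match cell is now empty; the removed row gave `contoso.com:443`, which is a useful negative example if a wildcard port under `http://` really excludes https navigations, so state whichever is true. The `10.0.0.0/24` row is the only row with no scheme, leaving it unclear whether a CIDR entry applies to both http and https; align it or say so. Finally, this hunk deletes the blank line between the table and the `- The following are examples` list and indents the list marker by one space; keep the blank line so the list line is not consumed as a table row by the renderer, and leave the marker at column 0 like the bullets above the table.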
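Review bot: in patch 3, hunk `@@ -591,14 +591,16 @@`, splitting the paragraph and normalising "subresource" to "sub resource" is fine, but the NOTE still ends without a period ("may fail to load"), and the heading "Manage Sub Resource Blocking" uses title case where the neighbouring headings in this file use sentence case ("URL formats for allowed and blocked site list", "Disable Edge internal pages"); make it "Manage sub resource blocking". While this section is being touched, the circular **false** row wording of the table ("will not be blocked even if ... are blocked") should be fixed in the same change rather than left for a follow-up.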
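Review bot: in patch 4, hunks `@@ -58,7 +58,6 @@` and `@@ -68,7 +67,6 @@` of device-profile-troubleshoot.md, removing the Windows 8.1 rows from both check-in tables follows from the rationale in the commit message; please confirm that the preface statement it relies on is actually present in the article and that no remaining sentence or table in the file still names Windows 8.1, otherwise readers meet an OS in the prose that has no interval in the tables. The hunk headers (7 lines to 6 in each) are consistent with one deletion apiece, so nothing else is affected.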
@@ -68,7 +67,6 @@ If devices recently enroll, then the compliance, noncompliance, and configuratio | iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours | | macOS | Every 15 minutes for 1 hour, and then around every 8 hours | | Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | -| Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md).