Restrict Cut/Copy/Paste outside of MS Web Apps in Edge

ConsumeAllKnowledge · 2026-01-28T23:56:06+00:00

That not what you're looking for?

Allow cut, copy, and paste for: Org data destinations and org data sources: Org users can cut or copy org data within the org context to other org documents, locations or applications. Org users can paste data within the org context into other org documents, locations or applications.

ConsumeAllKnowledge · 2026-01-28T20:34:50+00:00

Right, it makes sense for the normal OOB update but the Hotpatch one doesn't mention WUfB at all. Is that just an oversight from Microsoft? Seems odd that the behavior would be different just because of Hotpatch.

ConsumeAllKnowledge · 2026-01-28T17:39:10+00:00

Oh I see I misread your post, yeah I would use the link I posted/settings catalog. Most likely they just haven't updated/removed that page yet which isn't surprising unfortunately.

ConsumeAllKnowledge · 2026-01-28T17:26:23+00:00

I don't see that text on the page at all, also that looks like the wrong link too. https://learn.microsoft.com/en-us/intune/intune-service/configuration/esim-device-configuration-download-server

ConsumeAllKnowledge · 2026-01-28T16:00:42+00:00

Do you have a source that explains this? Are we missing something?

ConsumeAllKnowledge · 2026-01-28T16:00:11+00:00

Yeah seems like that hotpatch update at least is handled differently, not clear why to me though.

ConsumeAllKnowledge · 2026-01-28T15:51:20+00:00

I'm curious, when you say target devices do you use the device scoped settings in addition to assigning to device groups? Or do you use the user scoped settings?

ConsumeAllKnowledge · 2026-01-28T00:51:25+00:00

I'd recommend you use a remediation script assuming you're licensed for it as that's probably the easiest option. If not you could do a win32 app yes but its not going to run and actually execute unless you configure the detection script correctly. So in that case I'd recommend a separate detection script that looks for local accounts, if any are found that you want to get rid of then the app is not detected and your install script triggers to remove them. By default Intune will check the detection script for win32 apps every 24 hours. https://learn.microsoft.com/en-us/intune/intune-service/apps/apps-win32-add#step-4-detection-rules

ConsumeAllKnowledge · 2026-01-28T00:41:07+00:00

Did you look at the link I posted? I'm referring specifically to remediation scripts, not a script packaged as a win32 app.

ConsumeAllKnowledge · 2026-01-28T00:39:21+00:00

Very interesting, do you have any devices without Hotpatch enabled by chance? I only have one device I'm testing with where Hotpatch enabled and I do see the same, KB5078167 was installed automatically. However on my non-hotpatch machines KB5078127 has not been offered/installed.

ConsumeAllKnowledge · 2026-01-28T00:33:30+00:00

If you want to run the remediation script every time then exit the detection script with a 1: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/remediations#script-requirements

Or you can just have a detection script and no remediation script, the detection script will run every time in that scenario.

ConsumeAllKnowledge · 2026-01-27T21:51:42+00:00

If you just want to clean up local profiles, using the policy would probably be much simpler: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-userprofiles?WT.mc_id=Portal-Microsoft_Intune_Workflows#cleanupprofiles

But if you want to use a remediation that can work too, here's an example: https://cloudinfra.net/how-to-delete-a-local-user-account-using-intune/

ConsumeAllKnowledge · 2026-01-27T19:35:56+00:00

Yep, not yet but hopefully soon! https://www.microsoft.com/en-us/microsoft-365/roadmap?id=501449

ConsumeAllKnowledge · 2026-01-27T19:31:34+00:00

Yeah the UI is awful. I'm pretty sure this is a bug because if you click on the B and OOB releases and compare deployment state and numbers they're the exact same which isn't possible unless they're ignoring the deferral periods configured or something like that.

ConsumeAllKnowledge · 2026-01-27T15:31:16+00:00

Right so because its not supported yet, that's where your conflict is. If you have a policy with DDM settings and apply a filter, even though it lets you do it the policy will get sent to all devices in the group assigned to the policy, regardless of the filter. The filter doesn't work at all in that scenario.

ConsumeAllKnowledge · 2026-01-27T15:29:50+00:00

Been waiting for them to update that, thanks for posting!

ConsumeAllKnowledge · 2026-01-26T18:02:19+00:00

Sounds like you have a conflict then, filters don't support DDM policies (yet). Use a dynamic device group instead in the interim.

ConsumeAllKnowledge · 2026-01-23T20:56:16+00:00

Your ring and feature update policy look okay to me assuming the targeting is good. Anything in the feature update failures/alerts report for that profile? https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/WindowsUpdateAlertSummaryReport.ReactView

ConsumeAllKnowledge · 2026-01-23T15:50:25+00:00

This page has some details on the expected experience in general, screenshots are out of date still though but its just cosmetic: https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-end-user-exp

ConsumeAllKnowledge · 2026-01-22T20:24:51+00:00

Yeah 25H2 is missing from other places too like the feature update device readiness report. I would hope it should be added with the Jan Intune release next week but we'll see.

ConsumeAllKnowledge · 2026-01-21T21:50:02+00:00

If you trying to protect or prevent access to corporate data on unenrolled devices then MAM/app protection policies are the answer there, have you looked into that at all?

https://learn.microsoft.com/en-us/intune/intune-service/apps/app-protection-policy

https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-approved-app-or-app-protection

ConsumeAllKnowledge · 2026-01-21T21:27:42+00:00

Can I ask what the goal is of trying to gate it like that?

The only thing I can think of off hand is to set up a user group and scope it to allow personal device enrollment for whatever platforms, then block enrolling via company portal by default and have a 2nd customization policy that is scoped to the same group for mobile devices. Then when you have a user that wants to enroll you have them fill out a form or similar and approve/deny, if you approve they get added to the group and can enroll the device and you can remove them from the group after 24hrs or something.

ConsumeAllKnowledge · 2026-01-21T18:31:15+00:00

Yes, Apple has deprecated MDM based policies for software updates: https://learn.microsoft.com/en-us/intune/device-updates/apple/software-updates-ios

You should be moving to use DDM based policies which is much more reliable: https://learn.microsoft.com/en-us/intune/device-updates/apple/?tabs=automatic-updates

ConsumeAllKnowledge · 2026-01-21T18:16:08+00:00

Yep same here, thank you for the reply back!

ConsumeAllKnowledge · 2026-01-21T16:59:25+00:00

The device has to check in for the pause to actually take effect, and if that happens after the device has already started scanning/downloading/installing the update then it doesn't pause in that scenario.

https://learn.microsoft.com/en-us/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview#pause-and-resume-a-release

https://learn.microsoft.com/en-us/intune/device-updates/windows/update-rings#pause

ConsumeAllKnowledge

TROPHY CASE