Author Archives: nhogarth

Intune – Require Bitlocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile

BitlockerPIN01

Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up.
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

BitlockerPIN02

You can read more about these startup policies in this GPO “Require additional authentication at startup” description:

BitlockerPIN13

If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”

BitlockerPIN11

Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy

BitlockerPIN03

The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.

BitlockerPIN04

BitlockerPIN05

BitlockerPIN06

BitlockerPIN07

The user is prompted to enter a PIN:

BitlockerPIN08

BitlockerPIN09

BitlockerPIN10

After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:

BitlockerPIN12

Advertisements

Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have customized the start menu on a test machine, and exported the start menu layout to an XML file. For a guide on doing this, see Customize and export Start layout.  My test machine is Windows 10 1703 Enterprise joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile

StartMDM01

Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down and select Start, then click on the Browse button to upload your custom start menu which you generated earlier from your test machine using the Microsoft guide (Customize and export Start layout)

StartMDM02

Click on OK then OK again,and click on Create.

Now we will Assign the policy to a user group. Click on Assignments, then Select groups to include, then select the group, then click on Select, and then Save.

StartMDM04

On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, once you log off and log back on, you can now see that the start menu has applied.

StartMDM03

SCCM TP 1708 – Software Center Customization

With the recently released SCCM Technical Preview 1708, you can now customize the Software Center look including the company name and logo, colour schemes, and hiding different tabs. This post will demonstrate how you can customize Software Center and how it looks.

These settings are configured in the Client Settings. You can see that there is now a Software Center section as displayed in the picture below.

Once you select Yes for Select these new settings to specify the company information, you can configure all the other settings. In my example below, I have set a company name, I have set the colour scheme and also used a logo. If you like, you can also choose to hide certain tabs.

SC01

When setting a logo for Software Center, note that the maximum dimensions are 100×400 pixels, and the file cannot be larger than 750kb in size.

SC02

This is how my Software Center previously looked without doing any customization.

SC03

Now after adding the colour scheme, Software Center logo and company name, the Software Center looks like the image below.

SC04

SCCM 1706 – Share an application from Software Center

With version 1706 coming out for SCCM Current Branch, one of the new useful features is the ability to give a user a direct link to an application in the Software Center. This can be useful for a scenario such as deploying an application as Available, and providing the users with a direct link to the application in Software Center so the users can choose to install the application if they like.

This post will show a quick demo on how to share the link to Office 365 ProPlus which was deployed as Available.

Open Software Center and click on the application you would like to share. Click the share button.

shareapp01

You can now copy the link below. In my example, I am going to email staff advising them that Office 365 ProPlus is available to install from Software Center. I will email a picture of an Office 365 ProPlus logo and add a hyperlink to the link below in the picture.

shareapp02

Below is a test email I can email staff and add a hyperlink in the image below pointing to the application in Software Center.

shareapp03

When a user clicks on the image above, it will open up the application in Software Center ready to be installed.

shareapp04

SCCM 1706 – Azure AD Discovery

SCCM 1706 was recently released and one of the new features is Azure AD Discovery. This was in Technical Preview 1705. This guide will show how to set up Azure AD  Discovery and install the SCCM client on a workgroup machine on the Internet without certificates using the Cloud Management Gateway.

For more information about SCCM 1706 see What’s new in version 1706 of System Center Configuration Manager

In my lab, I already have the Cloud Management Gateway set up. To set up the CMG you can see the documentation here https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway

Once you have installed the 1706 update, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

1706-azuread01

Select Cloud Management and click Next

1706-azuread02

Next create the Server and Client Apps. Click Browse on the Web App then click Create.

1706-azuread03

Enter in an Application Name, HomePage URL and App ID URL. Then Sign in to Azure AD with an admin account and it will create the app for you in Azure.

1706-azuread04

Select the app and click Ok.

1706-azuread05

Do the same as above but for the Client App and give it an Application Name and a Reply URL, then sign in to Azure with an Azure admin account. The app will then be created in Azure.

1706-azuread06

Enable Azure Active Directory User Discovery.

1706-azuread07

You need to grant permissions on both the client app and server app in Azure, otherwise you will see in SMS_AZUREAD_DISCOVERY_AGENT.log there will be access denied errors.

1706-azuread08

Login to https://portal.azure.com and go to Azure Active Directory, then App Registrations. Select the app and go to Required Permissions and click Grant Permissions. I did this for both the client app and server app.

1706-azuread09

Now looking back in SMS_AZUREAD_DISCOVERY_AGENT.log mine is now successful and has discovered by Azure AD users.

1706-azuread10

You can view the Azure AD users in the SCCM console in \Assets and Compliance\Overview\Users\All Users

An example below you can see that it is discovered by SMS_AZUREAD_USER_DISCOVERY_AGENT

1706-azuread11

In the SCCM console, in \Administration\Overview\Cloud Services\Azure Services, you can also run a full discovery by clicking Run Full Discovery Now, and view information about Azure AD Discovery like the Full Sync Schedule, Delta Sync Interval, and the Last Full Sync/Delta Sync time.

1706-azuread12

On a Windows 10 Azure AD joined machine, you can install the SCCM manually client without using any certificates. This is useful on Workgroup machines.

You can use the installation command

ccmsetup.exe /NoCrlCheck /Source:C:\CLIENT CCMHOSTNAME=SCCMPROXYCONTOSO.CLOUDAPP.NET/CCM_Proxy_ServerAuth/72457598037527932 SMSSiteCode=HEC AADTENANTID=780433B5-E05E-4B7D-BFD1-E8013911E543 AADTENANTNAME=contoso AADCLIENTAPPID= AADRESOURCEURI=https://contososerver

For a reference of how to obtain the information above, see https://docs.microsoft.com/en-us/sccm/core/clients/deploy/deploy-clients-cmg-azure#step-4-install-and-register-the-configuration-manager-client-using-azure-active-directory-identity

 

Intune – Denying access to Windows 10 without Bitlocker enabled

This blog post will show how you can deny access to Exchange Online and SharePoint Online to Windows 10 machines without Bitlocker enabled, using Conditional Access.

This is a lab environment, conditional access requires some planning as you can potentially deny access to all machines if you deploy the conditional access policy to all users.

First I will create the compliance policy for Windows 10 to require encryption.

In https://portal.azure.com go to Intune, then Device compliance, then Policies, then Create Policy

Condaccbit01

Give the policy a name, and select Windows 10 and later for the platform then click Configure. Under System Security, you will see down the bottom Encryption of data storage on device, click Require. 

Condaccbit02

Create the policy, then assign the policy to a group. In my testing, I have a group called Intune.

Condaccbit02_2

Next I will create the Conditional Access policy to require Windows devices to be compliant to access Exchange Online and SharePoint online. Be careful about who you deploy the policy to. I am using a group with some test users here, rather than all users so I don’t block access to all unenrolled Windows machines.

Click on Azure Active Directory, then click on Conditional Access

Condaccbit03

Under Users and groups, I selected a pilot group with a few users. You could create a group with Windows 10 machines included to deploy the conditional access policy to.

I have given it a name “Windows 10 – Bitlocker required”. For the Cloud apps I have selected Exchange Online and SharePoint online”

Condaccbit04

I have selected Windows as the platform.

Condaccbit05

I have selected Browser and Mobile apps and Desktop clients.

Condaccbit06

Under Grant,  have selected Require device to be marked as compliant. This means the device needs to be enrolled in Intune, and also compliant.

Condaccbit07

Now, this is the user experience on my Windows 10 Pro machine. I have not enrolled it in Intune. When I go to https://outlook.office365.com using either Edge or IE11, I am presented with the message below:

Condaccbit08

Once I have MDM enrolled by Windows 10 machine into Intune, you can see the popup in the bottom right hand corner saying Encryption needed. The user needs to select this to kick off the encryption.

Condaccbit09

Once I have clicked on Encryption needed, I will follow the prompts:

Condaccbit10

Condaccbit11

Condaccbit12

Condaccbit13

Once the encryption has finished, I can now access Exchange Online and SharePoint Online.

Condaccbit14

 

SCCM 1705 TP – Azure AD User Discovery

In the recently released update 1705 for the Technical Preview Branch of System Center Configuration Manager, you can now set up Azure Active Directory User Discovery. This post will show how you can test it in your lab once you have updated to 1705 Technical Preview. More about this feature can be read here – https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1705#new-capabilities-for-azure-ad-and-cloud-management

In the Console, expand Cloud Services, then right click on Azure Services and click Configure Azure Services

sccmaad01

Enter in the Name, I have chosen “Azure AD Connector” and make sure Cloud Management is selected.

sccmaad02

Click Browse to create the Server app and Client app

sccmaad03

Click on Create

sccmaad04

Enter in a Application Name, Homepage URL and Identifier URL (you can make these up). Click on Sign in to sign in with your Azure admin account then click OK.

sccmaad05

Select the app you created and click OK.

sccmaad06

Click on Browse to create the client app.

sccmaad07

Click Create.

sccmaad08

Enter in an Application Name and enter in a Reply URL (again, you can make this up). Then sign in to Azure AD with your admin account.

sccmaad09

Select the client app and click OK.

sccmaad10sccmaad11

Make sure Enable Azure Active Directory User Discovery is selected. Click Settings to enable Delta user discovery and adjust the scheduling to however you like it.

sccmaad12sccmaad13

Once the Wizard is done, open up SMS_AZUREAD_DISCOVERY_AGENT.log from the Logs location on your site server, and you will see a whole bunch of Forbidden errors when trying to access https://graph.windows.net

sccmaad14

Go into portal.azure.com, then Azure Active Directory, then App Registrations, then select the Server app you created before.

sccmaad15

Click on Required Permissions, then Grant Permissions, then Yes.

sccmaad16

If you wait a little while, you will see SMS_AZUREAD_DISCOVERY_AGENT.log will start to sync the Azure Active Directory Users.

sccmaad18

You can now view your Azure AD users in the SCCM console.

sccmaad17