Category Archives: intune

Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured, in the Intune portal in https://portal.azure.com go to Azure Active Directory > Mobility (MDM and MAM) then Microsoft Intune.

wipmam01

I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”

wipmam02

Now i’ll create the MAM/Windows Information Protection policy. In Intune > Mobileapps > App protection policies, select Add a policy

wipmam03

Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.

wipmam04

I’ll be adding some apps to allow them to access my corporate data.

wipmam05

After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

wipmam06

For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.

wipmam07

In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive to the list and Office 365 email. In the example I have added “<domain>-my.sharepoint.com for OneDrive, and outlook.office365.com for Exchange Online. Seperate these by a “|”. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com

wipmam08

Click on Create, then assign the policy to a group.

wipmam10

Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine, with Office 365 installed, when adding an account to Microsoft Office product such as Word, it will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in

wipmam11

Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned

wipmam12

Enter in the password and click Sign in

wipmam13

Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.

wipmam14wipmam15wipmam16

From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.

wipmam17

Also on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows its enrolled into MAM now.

wipmam20

Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.

wipmam18

Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.

wipmam19

What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document

wipmam21

Advertisements

SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.

CloudMgmt01

Select Browse next to Web App and click on Create to create the web app in Azure.

CloudMgmt0

Give everything a name, then sign into Azure AD and click on OK.

CloudMgmt03

Follow the same steps for the Native Client app. Once created, click OK.

CloudMgmt05

You can configure the polling schedule by clicking on Settings. Next Next finish…

CloudMgmt06

Now we need to grant the permissions in the apps we created in the Azure portal. Login to https://portal.azure.com Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created

CloudMgmt09

Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.

CloudMgmt08

Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.

CMGResMg-01

I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.

 

CMGResMg-02

Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.

CMGResMg-03

To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here

CMGResMg-04

Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings

CMGResMg-05

Cloud Distribution Point:

First, login to the Azure portal https://portal.azure.com then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.

CloudDP01

I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.

CloudDP02

Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal (https://portal.azure.com) go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.

CloudMgmt07

Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.

IntuneClient01IntuneClient02

Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.

IntuneClient03

On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.

IntuneClient04

The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.

IntuneClient05

I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.

IntuneClient06

I will deploy the application to my Cloud Distribution Point.

IntuneClient07

On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.

IntuneClient08IntuneClient10

 

Intune – Windows 10 Interactive Logon Message

This blog post will show how you can set a logon message for a Windows 10 1709 Pro or Enterprise machine enrolled into Intune. To do this, I will create a custom Device Configuration profile in Intune and use the “InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” policy CSP to set a message title, and “InteractiveLogon_MessageTextForUsersAttemptingToLogOn” policy CSP to set the message text. To read more about using custom OMA-URI see Custom device settings for Windows 10 devices in Microsoft Intune

You can read more about the interactive logon message here – Interactive logon: Message text for users attempting to log on
For more information about the Policy CSP that we will use:

Login to the Intune portal in Azure https://portal.azure.com

For the message title, go to Intune, then Device configuration, then Profiles, Create Profile, give the profile a name, select Windows 10 and later for the Platform, and select Custom for the Profile type. Then click Configure.

message01

Click on Add, then give it a name, I have chosen Interactive Message Title, and then for the OMA-URI put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” and then select String for the Data type. For the value, I have put “WARNING:”

message02

Click on OK a few times then click on Create. Next we will assign the Configuration profile to a group.

message03

Now we will create another Device configuration profile for the message text.

For the OMA-URI, put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn” and the Data type is String again, and type in your message text.

message04

message05

Also assign this policy to a group.

message06

Once the machine has done a sync and has been restarted, you can see the interactive logon message.

message07

On the Windows 10 1709 machine, you can also open up gpedit.msc and under Computer Configuration, Windows Settings, Security Settings,  Local Policies,  Security Options,  we can see the settings.

message08

 

Intune – Windows Defender Security Center device configuration section

In the week of December 11, 2017, Microsoft added a new Windows Defender Security Center device confiugration profile section to Intune. This allows you to hide sections from the user:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

You can also add your IT contact information to the Windows Defender app and customize notifications. This post will show how to configure it and the end user experience.

In the Intune portal (portal.azure.com) go to Intune > Device configuration > Profiles > Create Profile. Give the profile a name, and select Windows 10 and later for Platform. Then for the Profile type, select Endpoint protection. Down the bottom you will see Windows Defender Security Center.

defender01

Now here you can configure which sections to hide, customize the notifications and add your IT contact information. In my example, I have decided to hide everything and have added some dummy contact information.

defender02

Once you have created the profile, I have selected All Devices under Assign to to assign this configuration profile to all my devices.

defender03

This is how my Windows Defender Security Center previously looked on my Windows 10 1709 Enterprise machine.

defender04

After doing a sync, you can see it says Nhogarth.net has disabled Windows Defender Security Center. I have also added my dummy contact information.

defender05

Intune – Deploying Office 365 ProPlus

Intune makes it easy to deploy the Office 365 ProPlus suite to your Windows 10 Intune enrolled machines. A while ago you had to use the ODT (Office Deployment Tool) to create a custom XML to configure the Office 365 ProPlus suite. Now in Intune you can easily select the Office 365 ProPlus products you would like to include or exclude, choose either 32bit or 64bit, select the languages, select the update channels and other settings.

Recommended reading:

Overview of update channels for Office 365 ProPlus

How to assign Office 365 ProPlus 2016 apps to Windows 10 devices with Microsoft Intune

This post will show how you can configure and deploy Office 365 ProPlus to a Windows 10 machine enrolled in Intune.

In the Intune portal (portal.azure.com) select Intune, Mobile apps, Apps, then click Add.

o36501

For the App type, select Windows 10 underneath Office 365 suite, then under Configure App Suite, select the Office 365 apps that you would like to include or exclude. You also have the ability to select the additional apps such as Project Online Desktop Client and Visio Pro for Office 365.

o36502

Under App Suite Information, give the suite a name and a description. Intune will add the Office 365 ProPlus logo for you automatically.

o36503

Under the App Suite Settings, select the Office Version you would like and the update channel. I have selected Semi-Annual (which use to be called Deferred). For an overview of the Office 365 Update Channels, see https://support.office.com/en-us/article/Overview-of-update-channels-for-Office-365-ProPlus-9ccf0f13-28ff-4975-9bd2-7e4ea2fefef4

I have also selected to automatically accept the EULA. I am not using shared computer activation which is usually used for remote desktop farms.

o36504

Next step is to assign the app to a group. I have added a group I created in Azure AD which has a dynamic rule to include Windows 10 devices. I have also made this app as Required.

o36505

After doing a Sync on the Windows 10 machine, we can see the Office 365 setup running.

o36506

The Click-to-run setup will begin downloading the Office 365 ProPlus bits.

o36507

Co-management – Enabling Co-management SCCM 1710

This post will show how you can enable co-management in SCCM 1710 and how to automatically enroll a Windows 10 1709 machine into Intune (Intune standalone) when it is currently managed by SCCM 1710.

Prerequisites:

  • Configuration Manager version 1710 or later
  • Azure AD
  • EMS or Intune license for all users
  • Azure AD automatic enrollment enabled
  • Intune subscription (MDM authority in Intune set to Intune)

Suggested readings:
Co-management for Windows 10 devices
Enable Windows 10 automatic enrollment
How to configure hybrid Azure Active Directory joined devices

In portal.azure.com then Azure Active Directory, Mobility (MDM and MAM), Microsoft Intune, I have set my MDM user scope to All for automatic Intune enrollment for Windows.

intunecomgmt-17

In the SCCM console, in Administration, expand Cloud Services, right click on Co-management to create a new co-management policy.

intunecomgmt-02

Sign in with the Intune account

intunecomgmt-03

I have set automatic enrollment in Intune to pilot.

intunecomgmt-04

Configure the workloads.

intunecomgmt-05

I have created a collection called Comanagement Pilot. I have added my test Windows 10 1709 machine managed by SCCM 17010 into this collection.

intunecomgmt-06

intunecomgmt-07

You can check the Monitoring node and look for the CoMgmtSettingsPilot status. You can see my test machine WIN10MDT has successfully had the co-management policy applied.

intunecomgmt-16

Previously in the Azure Active Directory then Devices blade in portal.azure.com you can see that my Windows 10 1709 machine is Hybrid Azure AD joined but the MDM was set to none.

intunecomgmt-19

Once the policy was applied above, you can see the machine has changed from None under MDM, to Microsoft Intune.

intunecomgmt-18

Co-management – Installing SCCM 1710 Client from Intune

With co-management available in SCCM Current Branch 1710, you can install the SCCM client on a Windows 10 1709 Intune enrolled machine (Intune standalone) by creating an app in Intune. This will leverage the Cloud Management Gateway and Azure AD User Discovery. This example post is for a Windows 10 1709 Intune enrolled machine, but you could also use Autopilot with the steps below to get the SCCM client installed as well.

Microsoft lists two paths for co-management. This post is about the second path.

Co-management for Windows 10 devices

https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

There are two main paths to reach to co-management. One is Configuration Manager provisioned co-management where Windows 10 devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune. The other is Intune provisioned devices that are enrolled in Intune and then installed with the Configuration Manager client reach a co-management state.

Prerequisites:

  • SCCM Current Branch 1710 – https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1710
  • Cloud Management Gateway configured – See https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/
  • Azure AD User Discovery configured – See https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/Azure-services-wizard#webapp
  • Cloud Distribution Point – See https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point
  • Windows 10 1709 machine enrolled in Intune and Azure AD joined
  • Management Point with HTTPS enabled for Azure AD user authentication

Firstly, distribute the Configuration Manager Client Package to the Cloud Distribution Point.

intunecomgmt-01

Next co-management will be enabled. This will provide the SCCM command line arguments with the correct information to install the SCCM client through Intune.

In Administration section, expand Cloud Services and right click Co-management

intunecomgmt-02

Sign in with your Intune account and click Next.

intunecomgmt-03

Select the required settings. Copy the command line arguments for later as this will be used in Intune to deploy the SCCM client.

intunecomgmt-04

I have set all to Pilot Intune.

intunecomgmt-05

I have created a test Pilot Intune collection.

intunecomgmt-06

Close the Wizard.

intunecomgmt-07

ccmsetup.msi needs to be uploaded from C:\Program Files\Microsoft Configuration Manager\bin\i386 on the SCCM 1710 site server to Intune

In portal.azure.com go to Intune then Mobile Apps, then Apps and click Add.

intunecomgmt-08

Browse to the ccmsetup.msi

intunecomgmt-09

Fill in the details. You can change the name and other information as you like. For the Command-line arguments, paste in the details that we copied before.

intunecomgmt-10

The ccmsetup.msi will then begin to upload. You can view the notifcation below to see when it has been uploaded.

Click on Assignments and select a group. I created an Azure AD dynamic group for Windows 10 1709 machines and made the app as “Required”

intunecomgmt-11

On the Windows 10 1709 machine, you can do a Sync, then you can see the SCCM client is installing. If you see the ccmsetup.log file, it will start to grab the SCCM client files from the Cloud DP (make sure the client is distributed to the Cloud DP)

intunecomgmt-13

When you open up Company Portal now, you will see “Your apps are located in Software Center”. You can see in Software Center my SCCM applications are now appearing.

intunecomgmt-14

You can now see the device appearing in the SCCM console as active as it is communicating through the CMG.

intunecomgmt-15