Category Archives: intune

Intune – Windows Defender Security Center device configuration section

In the week of December 11, 2017, Microsoft added a new Windows Defender Security Center device configuration profile section to Intune. It lets you hide the following sections of the Windows Defender Security Center app from the user:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

You can also add your IT contact information to the Windows Defender app and customize notifications. This post will show how to configure it and the end user experience.

In the Intune portal (portal.azure.com) go to Intune > Device configuration > Profiles > Create Profile. Give the profile a name, select Windows 10 and later for Platform, and select Endpoint protection for Profile type. At the bottom of the settings list you will see Windows Defender Security Center.

defender01

Here you can configure which sections to hide, customize the notifications and add your IT contact information. In my example I have hidden every section and added some dummy contact information.

defender02

Once the profile is created, assign it. I selected All Devices under Assign to, which applies the profile to every enrolled device.

defender03

This is how Windows Defender Security Center looked on my Windows 10 1709 Enterprise machine before the profile was applied.

defender04

After a sync, the app shows "Nhogarth.net has disabled Windows Defender Security Center" along with my dummy contact information. Note that the profile only hides the sections of the app; Windows Defender Antivirus, the firewall and the other protections keep running with their existing settings, so this is a user-interface change, not a change to the protection itself.

defender05
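To confirm on the device which sections the profile actually hid, and what contact information it delivered, you can read the policies back from the registry. The script below is an added example and not part of the original post. It relies on MDM-delivered Policy CSP settings being mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>, and uses the Policy CSP value names for the WindowsDefenderSecurityCenter area (DisableVirusUI, DisableHealthUI, DisableNetworkUI, DisableAppBrowserUI, DisableFamilyUI, CompanyName, Email, Phone, URL and the notification policies). Run it elevated on the enrolled Windows 10 1709 machine after a sync.

```powershell
# Added example (not from the original post): read the WindowsDefenderSecurityCenter
# policies that the Intune Endpoint protection profile delivered to this device.
# MDM-delivered Policy CSP settings are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>.
# Run from an elevated PowerShell on the enrolled device.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WindowsDefenderSecurityCenter'

# Each UI section of Windows Defender Security Center and the policy that hides it.
$sectionPolicies = [ordered]@{
    'Virus and threat protection'     = 'DisableVirusUI'
    'Device performance and health'   = 'DisableHealthUI'
    'Firewall and network protection' = 'DisableNetworkUI'
    'App and browser control'         = 'DisableAppBrowserUI'
    'Family options'                  = 'DisableFamilyUI'
}

function Get-PolicyValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

if (-not (Test-Path $policyKey)) {
    Write-Warning 'No WindowsDefenderSecurityCenter policy found under PolicyManager. Has the device synced and received the profile?'
    return
}

Write-Host 'Section visibility:'
foreach ($section in $sectionPolicies.Keys) {
    $value = Get-PolicyValue -Name $sectionPolicies[$section]
    $state = switch ($value) {
        1       { 'HIDDEN' }
        0       { 'visible' }
        default { 'not configured (visible)' }
    }
    '{0,-32} {1}' -f $section, $state
}

Write-Host "`nIT contact information (shown in the app when EnableInAppCustomization is 1, in toasts when EnableCustomizedToasts is 1):"
foreach ($name in 'CompanyName', 'Email', 'Phone', 'URL', 'EnableCustomizedToasts', 'EnableInAppCustomization') {
    '{0,-26} {1}' -f $name, (Get-PolicyValue -Name $name)
}

Write-Host "`nNotification policies (1 = suppressed):"
foreach ($name in 'DisableNotifications', 'DisableEnhancedNotifications') {
    '{0,-30} {1}' -f $name, (Get-PolicyValue -Name $name)
}
```

If the key is missing, the profile has not reached the device yet; if a section reports HIDDEN but the app still shows it, the app has usually not been restarted since the sync. Hiding the Virus and threat protection section also removes the user's ability to run a manual scan or see detections from that screen, so keep the IT contact information populated so users know whom to reach.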


Intune – Deploying Office 365 ProPlus

Intune makes it easy to deploy the Office 365 ProPlus suite to your Windows 10 Intune enrolled machines. Previously you had to use the Office Deployment Tool (ODT) to create a custom configuration XML for the Office 365 ProPlus suite. Now in Intune you can simply select the Office 365 ProPlus products you would like to include or exclude, choose 32-bit or 64-bit, select the languages, select the update channel and set the other options.

Recommended reading:

Overview of update channels for Office 365 ProPlus

How to assign Office 365 ProPlus 2016 apps to Windows 10 devices with Microsoft Intune

This post will show how you can configure and deploy Office 365 ProPlus to a Windows 10 machine enrolled in Intune.

In the Intune portal (portal.azure.com) select Intune, Mobile apps, Apps, then click Add.

o36501

For the App type, select Windows 10 underneath Office 365 suite, then under Configure App Suite, select the Office 365 apps that you would like to include or exclude. You also have the ability to select the additional apps such as Project Online Desktop Client and Visio Pro for Office 365.

o36502

Under App Suite Information, give the suite a name and a description. Intune will add the Office 365 ProPlus logo for you automatically.

o36503

Under App Suite Settings, select the Office version you would like and the update channel. I have selected Semi-Annual (which used to be called Deferred). For an overview of the Office 365 update channels, see https://support.office.com/en-us/article/Overview-of-update-channels-for-Office-365-ProPlus-9ccf0f13-28ff-4975-9bd2-7e4ea2fefef4

I have also chosen to automatically accept the EULA. I have not enabled shared computer activation, which is intended for machines shared by many users, such as Remote Desktop Session Host farms.

o36504

The next step is to assign the app to a group. I added a group I created in Azure AD with a dynamic membership rule that includes Windows 10 devices, and set the app as Required.

o36505

After doing a Sync on the Windows 10 machine, we can see the Office 365 setup running.

o36506

The Click-to-Run setup then begins downloading the Office 365 ProPlus bits.

o36507
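Once setup finishes, it is worth verifying that what landed on the device matches what you selected in the app suite (channel, bitness, products, shared computer activation). The script below is an added example and not part of the original post. It reads the Click-to-Run configuration that Office setup writes to HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration and maps the channel GUID in CDNBaseUrl to the channel names used above; the three GUIDs listed are the published identifiers for Monthly, Semi-Annual Targeted and Semi-Annual. The expected values at the end (Semi-Annual, x64, no shared computer activation) are assumptions for this walkthrough and should be changed to match your own app suite settings.

```powershell
# Added example (not from the original post): verify what the Intune Office 365 suite
# deployment actually installed by reading the Click-to-Run configuration from the registry.
# Run on the Windows 10 device after the Office install has completed.

$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

# Click-to-Run updates from http://officecdn.microsoft.com/pr/<channel-guid>; the GUID
# identifies the update channel. These three are the published channel identifiers.
$channels = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Monthly'
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'Semi-Annual Targeted'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual'
}

function Get-OfficeC2RState {
    if (-not (Test-Path $c2rKey)) {
        throw 'Click-to-Run configuration not found: Office 365 ProPlus is not installed on this device.'
    }
    $cfg = Get-ItemProperty -Path $c2rKey

    $guid = ($cfg.CDNBaseUrl -split '/')[-1]
    $channelName = if ($channels.ContainsKey($guid)) { $channels[$guid] } else { "unknown ($guid)" }

    [pscustomobject]@{
        Version            = $cfg.VersionToReport
        Platform           = $cfg.Platform            # x86 or x64
        Channel            = $channelName
        Products           = $cfg.ProductReleaseIds   # e.g. O365ProPlusRetail,VisioProRetail
        SharedComputerMode = ($cfg.SharedComputerLicensing -eq '1')
        UpdatesEnabled     = ("$($cfg.UpdatesEnabled)" -eq 'True')
    }
}

$state = Get-OfficeC2RState
$state | Format-List

# Assumed expected values for this walkthrough: adjust to your own app suite settings.
$expected = @{ Channel = 'Semi-Annual'; Platform = 'x64'; SharedComputerMode = $false }
$mismatches = foreach ($k in $expected.Keys) {
    if ($state.$k -ne $expected[$k]) { '{0}: expected {1}, got {2}' -f $k, $expected[$k], $state.$k }
}
if ($mismatches) {
    Write-Warning ($mismatches -join "`n")
} else {
    'Installed Office matches the Intune app suite settings.'
}
```

A mismatch in Channel usually means a previous Office installation with a different channel was already on the device; the Intune deployment does not change the channel of an existing install by itself.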

Co-management – Enabling Co-management SCCM 1710

This post shows how to enable co-management in SCCM 1710 and how to automatically enroll a Windows 10 1709 machine that is currently managed by SCCM 1710 into Intune (Intune standalone).

Prerequisites:

  • Configuration Manager version 1710 or later
  • Azure AD
  • EMS or Intune license for all users
  • Azure AD automatic enrollment enabled
  • Intune subscription (MDM authority in Intune set to Intune)

Suggested reading:
Co-management for Windows 10 devices
Enable Windows 10 automatic enrollment
How to configure hybrid Azure Active Directory joined devices

In portal.azure.com, under Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune, I have set the MDM user scope to All so that Windows devices enroll into Intune automatically.

intunecomgmt-17

In the SCCM console, go to Administration, expand Cloud Services, then right-click Co-management to create a new co-management policy.

intunecomgmt-02

Sign in with the Intune account.

intunecomgmt-03

I have set automatic enrollment in Intune to Pilot.

intunecomgmt-04

Configure the workloads.

intunecomgmt-05

I have created a collection called Comanagement Pilot and added my test Windows 10 1709 machine, managed by SCCM 1710, to it.

intunecomgmt-06

intunecomgmt-07

You can check the Monitoring node for the CoMgmtSettingsPilot status. My test machine WIN10MDT has had the co-management policy applied successfully.

intunecomgmt-16

Previously, in the Azure Active Directory > Devices blade in portal.azure.com, my Windows 10 1709 machine showed as Hybrid Azure AD joined but with MDM set to None.

intunecomgmt-19

Once the policy above was applied, the machine changed from None under MDM to Microsoft Intune.

intunecomgmt-18
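The portal view above tells you the end result; on the device itself you can check each of the three things co-management depends on, which is useful when a machine in the pilot collection does not show up with MDM set to Microsoft Intune. The script below is an added example and not part of the original post. It parses dsregcmd /status for the hybrid Azure AD join state, looks for an Intune enrollment under HKLM\SOFTWARE\Microsoft\Enrollments (Intune enrollments carry ProviderID "MS DM Server"), and reads the CoManagementFlags value the Configuration Manager client stores under HKLM\SOFTWARE\Microsoft\CCM; that last location is an assumption to verify against your client version.

```powershell
# Added example (not from the original post): check from the Windows 10 device whether
#   1. it is hybrid Azure AD joined (dsregcmd /status),
#   2. it has auto-enrolled into Intune (MDM enrollment with ProviderID "MS DM Server"),
#   3. the ConfigMgr client has received the co-management policy (CoManagementFlags).
# Run from an elevated PowerShell. The CoManagementFlags location is assumed; verify it for your client.

function Get-DsregStatus {
    # dsregcmd /status prints "Name : Value" lines; keep the ones we need in a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl|TenantName)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-IntuneEnrollment {
    # Each MDM enrollment gets a GUID-named key; Intune enrollments use ProviderID "MS DM Server".
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1 PSChildName, UPN, EnrollmentType
}

$dsreg        = Get-DsregStatus
$hybridJoined = ($dsreg.AzureAdJoined -eq 'YES' -and $dsreg.DomainJoined -eq 'YES')
$enrollment   = Get-IntuneEnrollment
$coMgmt       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags

[pscustomobject]@{
    HybridAzureADJoined = $hybridJoined
    Tenant              = $dsreg.TenantName
    MdmUrl              = $dsreg.MdmUrl
    IntuneEnrolled      = [bool]$enrollment
    EnrolledUPN         = $enrollment.UPN
    CoManagementFlags   = $coMgmt
    CoManaged           = ($null -ne $coMgmt -and $coMgmt -gt 0)
} | Format-List

if (-not $hybridJoined) {
    Write-Warning 'Device is not hybrid Azure AD joined; automatic MDM enrollment will not trigger.'
} elseif (-not $enrollment) {
    Write-Warning 'No Intune enrollment yet. Check the MDM user scope and the user''s EMS/Intune license, then wait for the next policy cycle.'
}
```

Auto-enrollment for a hybrid joined device only happens after the Configuration Manager client has received the co-management policy and a user with an Intune license has signed in, so a device that reports HybridAzureADJoined = True and CoManaged = True but IntuneEnrolled = False is usually just waiting on the next sign-in or the scheduled enrollment task.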

Co-management – Installing SCCM 1710 Client from Intune

With co-management available in SCCM Current Branch 1710, you can install the SCCM client on a Windows 10 1709 Intune enrolled machine (Intune standalone) by creating an app in Intune. This leverages the Cloud Management Gateway and Azure AD User Discovery. This post uses a Windows 10 1709 machine enrolled in Intune, but you could also use Autopilot with the steps below to get the SCCM client installed.

Microsoft lists two paths for co-management. This post is about the second path.

Co-management for Windows 10 devices

https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

There are two main paths to reach co-management. One is Configuration Manager provisioned co-management where Windows 10 devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune. The other is Intune provisioned devices that are enrolled in Intune and then installed with the Configuration Manager client reach a co-management state.

Prerequisites:

  • SCCM Current Branch 1710 – https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1710
  • Cloud Management Gateway configured – See https://blogs.technet.microsoft.com/arnabm/2016/12/19/step-by-step-cloud-management-gateway/
  • Azure AD User Discovery configured – See https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/Azure-services-wizard#webapp
  • Cloud Distribution Point – See https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/use-a-cloud-based-distribution-point
  • Windows 10 1709 machine enrolled in Intune and Azure AD joined
  • Management Point with HTTPS enabled for Azure AD user authentication

Firstly, distribute the Configuration Manager Client Package to the Cloud Distribution Point.

intunecomgmt-01

Next, enable co-management. The wizard produces the ccmsetup command-line arguments, populated with the CMG, site and Azure AD details, that Intune will use to install the SCCM client.

In the Administration section, expand Cloud Services and right-click Co-management.

intunecomgmt-02

Sign in with your Intune account and click Next.

intunecomgmt-03

Select the required settings and copy the command-line arguments for later; they will be pasted into the Intune app to deploy the SCCM client.

intunecomgmt-04

I have set all workloads to Pilot Intune.

intunecomgmt-05

I have created a test Pilot Intune collection.

intunecomgmt-06

Close the Wizard.

intunecomgmt-07

ccmsetup.msi needs to be uploaded to Intune from C:\Program Files\Microsoft Configuration Manager\bin\i386 on the SCCM 1710 site server.

In portal.azure.com go to Intune then Mobile Apps, then Apps and click Add.

intunecomgmt-08

Browse to ccmsetup.msi.

intunecomgmt-09

Fill in the details; you can change the name and other information as you like. For the Command-line arguments, paste in the details copied from the co-management wizard earlier.

intunecomgmt-10

The ccmsetup.msi will then begin to upload. You can watch the notification to see when the upload has finished.

Click on Assignments and select a group. I created an Azure AD dynamic group for Windows 10 1709 machines and set the app as Required.

intunecomgmt-11

On the Windows 10 1709 machine, do a Sync and you will see the SCCM client installing. If you look at ccmsetup.log, it will start to pull the SCCM client files from the Cloud DP (make sure the client package has been distributed to the Cloud DP first).

intunecomgmt-13
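ccmsetup.log is written in the CMTrace format, which is awkward to read in Notepad. The script below is an added example and not part of the original post: it parses that format and summarises where the client bits were downloaded from, whether any of those sources was the cloud DP, any error entries, and the final ccmsetup return code. The log lines embedded in it are constructed for the example (the host name contosocdp.cloudapp.net and content IDs are made up); point -Path at the real C:\Windows\ccmsetup\Logs\ccmsetup.log on the device instead.

```powershell
# Added example (not from the original post): parse ccmsetup.log (CMTrace format) and report
# download sources, errors and the setup return code. The sample lines below are constructed;
# run Get-CcmSetupSummary -Path C:\Windows\ccmsetup\Logs\ccmsetup.log on a real device.

function ConvertFrom-CMTraceLog {
    param([string[]]$Lines)
    # CMTrace entries: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    # type 1 = info, 2 = warning, 3 = error.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Date      = $matches.date
                Time      = $matches.time
                Component = $matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$matches.type]
                Message   = $matches.msg
            }
        }
    }
}

function Get-CcmSetupSummary {
    param([string]$Path)
    $entries  = @(ConvertFrom-CMTraceLog -Lines (Get-Content -Path $Path))
    $messages = @($entries | ForEach-Object Message)

    # Hosts that ccmsetup downloaded content from.
    $hosts = @($messages | ForEach-Object {
        if ($_ -match '^Downloading file (\S+)') { ([uri]$matches[1]).Host }
    })
    # ccmsetup logs its final return code; take the last one in case setup ran more than once.
    $exitCodes = @($messages | ForEach-Object {
        if ($_ -match 'CcmSetup is exiting with return code (\d+)') { [int]$matches[1] }
    })
    $exitCode = if ($exitCodes.Count) { $exitCodes[-1] } else { $null }

    [pscustomobject]@{
        Entries         = $entries.Count
        DownloadSources = @($hosts | Sort-Object -Unique)
        FromCloudDP     = [bool]($hosts | Where-Object { $_ -match '\.cloudapp\.net$|\.blob\.core\.windows\.net$' })
        Errors          = @($entries | Where-Object Severity -eq 'Error' | ForEach-Object Message)
        ExitCode        = $exitCode
    }
}

# Constructed sample log (not a real capture) in CMTrace format.
$sample = @'
<![LOG[Running as user "SYSTEM"]LOG]!><time="10:02:11.120-000" date="12-14-2017" component="ccmsetup" context="" type="1" thread="3212" file="ccmsetup.cpp:1010">
<![LOG[Downloading file https://contosocdp.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?pid=ABC00001&cid=Content_1]LOG]!><time="10:02:13.870-000" date="12-14-2017" component="ccmsetup" context="" type="1" thread="3212" file="ccmsetup.cpp:9001">
<![LOG[Downloading file https://contosocdp.cloudapp.net/downloadrestservice.svc/getcontentxmlsecure?pid=ABC00001&cid=Content_2]LOG]!><time="10:02:14.010-000" date="12-14-2017" component="ccmsetup" context="" type="1" thread="3212" file="ccmsetup.cpp:9001">
<![LOG[CcmSetup is exiting with return code 0]LOG]!><time="10:05:40.333-000" date="12-14-2017" component="ccmsetup" context="" type="1" thread="3212" file="ccmsetup.cpp:11232">
'@

$tmp = Join-Path $env:TEMP 'ccmsetup-sample.log'
Set-Content -Path $tmp -Value $sample
Get-CcmSetupSummary -Path $tmp | Format-List
```

On the sample this reports one download source (contosocdp.cloudapp.net), FromCloudDP = True and ExitCode = 0. On a real device, a DownloadSources list that names only an on-premises DP, or an empty list with an error entry, is the usual sign that the client package was never distributed to the cloud DP or that the device cannot reach the CMG.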

When you open Company Portal now, it says "Your apps are located in Software Center", and in Software Center my SCCM applications are now appearing.

intunecomgmt-14

The device now appears in the SCCM console as active, since it is communicating through the CMG.

intunecomgmt-15

Intune – TeamViewer for Windows

In the week of October 16, 2017, Microsoft released support for TeamViewer for Windows in the Azure Intune portal. Previously TeamViewer in the Azure Intune portal only supported Android devices. It is very simple to set up, and you can do it with a trial from TeamViewer. To see what else is new in Intune, see https://docs.microsoft.com/en-us/intune/whats-new

In the Azure Portal (https://portal.azure.com) go to Microsoft Intune > Devices > TeamViewer Connector

Click on Connect

Teamviewer01

Read through terms and conditions and click on OK if you agree.

Teamviewer02

The status will now be Connecting.

Teamviewer03

You will get a popup to accept the permissions.

Teamviewer04

Another message will be displayed that TeamViewer and Intune have been connected.

Teamviewer05

You can see that the Connection status is now Active.

Teamviewer06

Back in the Intune portal, select the Windows 10 device, then click the More button, and you will now see New Remote Assistance Session.

Teamviewer07

Click Yes.

Teamviewer08

In the top right of the screen you will see a message about initiating the new remote assistance session.

Teamviewer09

Now you will see a screen saying that the session has been initiated. Under Remote Assistance, click on Start Remote Assistance.

Teamviewer10

A new tab will open in your browser, and TeamViewer will begin to download.

Teamviewer11

Run the download and you will be presented with the TeamViewer details and a screen waiting for the Intune enrolled machine to connect.

Teamviewer12

Teamviewer13

Now on the Windows 10 enrolled machine:

Make sure you have the latest version of the Company Portal app on your Windows 10 machine. Open Company Portal and you will see a notification flag. Click it and you will see "Your IT administrator is requesting control of this device for a remote assistance session".

Teamviewer14

TeamViewer will now open in a browser. Run the download.

Teamviewer15

Select Allow.

Teamviewer16

You are now connected to the Windows 10 MDM enrolled machine.

Teamviewer17

Intune – Require BitLocker PIN for Windows 10 1703

This post shows how to use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine that requires a startup PIN for BitLocker. It also shows the end user experience, where the user is prompted to configure BitLocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile

BitlockerPIN01

Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up, then set the four startup options as follows:

  • Compatible TPM startup – Do not allow TPM
  • Compatible TPM startup PIN – Require startup PIN with TPM
  • Compatible TPM startup key – Do not allow startup key with TPM
  • Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

BitlockerPIN02

You can read more about these startup options in the description of the GPO "Require additional authentication at startup":

BitlockerPIN13

If the Additional authentication at startup settings are configured inconsistently, for example with more than one option set to Require, the user may see "The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information."

BitlockerPIN11

Back in Intune, configure the Assignments and select the group that will receive the BitLocker policy.

BitlockerPIN03

The Windows 10 1703 machine gets a notification saying that BitLocker needs to be configured.

BitlockerPIN04

BitlockerPIN05

BitlockerPIN06

BitlockerPIN07

The user is prompted to enter a PIN:

BitlockerPIN08

BitlockerPIN09

BitlockerPIN10

After BitLocker has finished encrypting the drive and the machine restarts, the user is prompted for the PIN to unlock the drive at startup:

BitlockerPIN12
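To check on a device that the startup options arrived without the conflict described above, and that the OS drive really ended up with a TPM+PIN protector rather than a TPM-only one, you can inspect the policy and the volume directly. The script below is an added example and not part of the original post. It assumes that the BitLocker CSP settings Intune delivers are ADMX-backed and therefore land in the Group Policy location HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN, where 0 = do not allow, 1 = require, 2 = allow), and it uses the built-in Get-BitLockerVolume cmdlet for the volume state. The conflict rule it applies (more than one option set to Require, or every option set to Do not allow) is taken from the GPO description above.

```powershell
# Added example (not from the original post): check that the BitLocker startup authentication
# policy is internally consistent and that the OS drive has a TPM+PIN protector.
# Run from an elevated PowerShell on the Windows 10 device.

# ADMX-backed BitLocker settings land in the Group Policy location (assumption, see lead-in).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$startupOptions = [ordered]@{
    'Compatible TPM startup'             = 'UseTPM'
    'Compatible TPM startup PIN'         = 'UseTPMPIN'
    'Compatible TPM startup key'         = 'UseTPMKey'
    'Compatible TPM startup key and PIN' = 'UseTPMKeyPIN'
}

function Test-StartupAuthPolicy {
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $p -or $p.UseAdvancedStartup -ne 1) {
        return [pscustomobject]@{ Configured = $false; Conflict = $false; Detail = 'Additional authentication at startup is not enabled by policy' }
    }
    $labels = @{ 0 = 'do not allow'; 1 = 'require'; 2 = 'allow' }
    $values = [ordered]@{}
    foreach ($option in $startupOptions.Keys) { $values[$option] = $p.($startupOptions[$option]) }

    # At most one option may be "require"; if none is allowed or required at all, nothing can satisfy the policy.
    $required = @($values.Values | Where-Object { $_ -eq 1 }).Count
    $allowed  = @($values.Values | Where-Object { $_ -eq 1 -or $_ -eq 2 }).Count
    $detail = foreach ($option in $values.Keys) {
        $v = $values[$option]
        $text = if ($null -eq $v) { 'not set' } else { $labels[[int]$v] }
        '{0} = {1}' -f $option, $text
    }
    [pscustomobject]@{
        Configured = $true
        Conflict   = ($required -gt 1 -or $allowed -eq 0)
        Detail     = ($detail -join '; ')
    }
}

function Test-OsDriveTpmPin {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object KeyProtectorType)
    [pscustomobject]@{
        VolumeStatus     = $os.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus = $os.ProtectionStatus    # On or Off
        EncryptionMethod = $os.EncryptionMethod
        Protectors       = ($types -join ', ')
        HasTpmPin        = ($types -contains 'TpmPin')
        HasTpmOnly       = ($types -contains 'Tpm')
        HasRecoveryKey   = ($types -contains 'RecoveryPassword')
    }
}

$policy = Test-StartupAuthPolicy
$policy | Format-List
if ($policy.Conflict) {
    Write-Warning 'Startup options conflict; users will see "The Group Policy settings for BitLocker startup options are in conflict and cannot be applied".'
}
Test-OsDriveTpmPin | Format-List
```

A healthy result for the profile above is HasTpmPin = True, HasTpmOnly = False and HasRecoveryKey = True. Two caveats before rolling this out widely: a TPM+PIN protector means the machine stops at the PIN prompt on every boot, so patch reboots and remote maintenance are no longer unattended; and the PIN has to be set interactively by the user, which is why Intune relies on the notification and wizard shown above rather than encrypting silently.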

Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have already customized the start menu on a test machine and exported the layout to an XML file. For a guide on doing this, see Customize and export Start layout. My test machine is Windows 10 1703 Enterprise, joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile

StartMDM01

Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down to Start and click Browse to upload the start layout XML you exported earlier from your test machine using the Microsoft guide (Customize and export Start layout).

StartMDM02

Click OK, then OK again, and then click Create.

Now assign the policy to a user group: click Assignments, then Select groups to include, select the group, click Select, and then Save.

StartMDM04

On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, log off and log back on; the custom start menu is now applied.

StartMDM03
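One thing worth knowing before uploading the exported XML: as exported, the layout is applied as a full layout, which locks the whole Start menu so users can no longer pin or unpin tiles. Adding LayoutCustomizationRestrictionType="OnlySpecifiedGroups" to the DefaultLayoutOverride element turns it into a partial layout, where only the groups you defined are locked and users keep their own tiles. The script below is an added example and not part of the original post: it runs the export step from the Microsoft guide (Export-StartLayout) and then produces a partial-layout copy ready to upload in the Intune profile. The file paths under $env:TEMP are assumptions for this example. Note that a Start layout is a usability control only; it does not stop a user from launching an app that is not on the Start menu.

```powershell
# Added example (not from the original post): export the Start layout from a reference
# machine and produce a partial-layout copy (users can still pin their own tiles).
# Run from an elevated PowerShell on the reference machine. Paths are assumptions.

$fullLayout    = Join-Path $env:TEMP 'StartLayout-full.xml'
$partialLayout = Join-Path $env:TEMP 'StartLayout-partial.xml'

# Step from the Microsoft guide: export the signed-in user's current Start layout.
Export-StartLayout -Path $fullLayout

function ConvertTo-PartialStartLayout {
    param([string]$InputPath, [string]$OutputPath)
    [xml]$doc = Get-Content -Path $InputPath -Raw

    # The exported file uses these namespaces: DefaultLayoutOverride is in the default
    # LayoutModification namespace, the tile groups are in the StartLayout namespace.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('d', 'http://schemas.microsoft.com/Start/2014/LayoutModification')
    $ns.AddNamespace('s', 'http://schemas.microsoft.com/Start/2014/StartLayout')

    $override = $doc.SelectSingleNode('//d:DefaultLayoutOverride', $ns)
    if (-not $override) { throw "No DefaultLayoutOverride element found in $InputPath" }

    # Partial layout: only the groups named in the file are locked.
    $override.SetAttribute('LayoutCustomizationRestrictionType', 'OnlySpecifiedGroups')
    $doc.Save($OutputPath)

    $groups = $doc.SelectNodes('//s:Group', $ns)
    [pscustomobject]@{
        Output     = $OutputPath
        Partial    = $true
        GroupCount = $groups.Count
        GroupNames = @($groups | ForEach-Object { $_.GetAttribute('Name') })
    }
}

ConvertTo-PartialStartLayout -InputPath $fullLayout -OutputPath $partialLayout | Format-List
```

Upload StartLayout-partial.xml in the Start setting of the Device restrictions profile instead of the full export if you want users to keep their own pins; upload the full export if the intention is to lock the menu completely, for example on kiosk or shared-use machines.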