Category Archives: intune

Intune – Require Bitlocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile

BitlockerPIN01

Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up.
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

BitlockerPIN02

You can read more about these startup policies in this GPO “Require additional authentication at startup” description:

BitlockerPIN13

If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”

BitlockerPIN11

Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy

BitlockerPIN03

The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.

BitlockerPIN04

BitlockerPIN05

BitlockerPIN06

BitlockerPIN07

The user is prompted to enter a PIN:

BitlockerPIN08

BitlockerPIN09

BitlockerPIN10

After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:

BitlockerPIN12

Advertisements

Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have customized the start menu on a test machine, and exported the start menu layout to an XML file. For a guide on doing this, see Customize and export Start layout.  My test machine is Windows 10 1703 Enterprise joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile

StartMDM01

Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down and select Start, then click on the Browse button to upload your custom start menu which you generated earlier from your test machine using the Microsoft guide (Customize and export Start layout)

StartMDM02

Click on OK then OK again,and click on Create.

Now we will Assign the policy to a user group. Click on Assignments, then Select groups to include, then select the group, then click on Select, and then Save.

StartMDM04

On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, once you log off and log back on, you can now see that the start menu has applied.

StartMDM03

Intune – Denying access to Windows 10 without Bitlocker enabled

This blog post will show how you can deny access to Exchange Online and SharePoint Online to Windows 10 machines without Bitlocker enabled, using Conditional Access.

This is a lab environment, conditional access requires some planning as you can potentially deny access to all machines if you deploy the conditional access policy to all users.

First I will create the compliance policy for Windows 10 to require encryption.

In https://portal.azure.com go to Intune, then Device compliance, then Policies, then Create Policy

Condaccbit01

Give the policy a name, and select Windows 10 and later for the platform then click Configure. Under System Security, you will see down the bottom Encryption of data storage on device, click Require. 

Condaccbit02

Create the policy, then assign the policy to a group. In my testing, I have a group called Intune.

Condaccbit02_2

Next I will create the Conditional Access policy to require Windows devices to be compliant to access Exchange Online and SharePoint online. Be careful about who you deploy the policy to. I am using a group with some test users here, rather than all users so I don’t block access to all unenrolled Windows machines.

Click on Azure Active Directory, then click on Conditional Access

Condaccbit03

Under Users and groups, I selected a pilot group with a few users. You could create a group with Windows 10 machines included to deploy the conditional access policy to.

I have given it a name “Windows 10 – Bitlocker required”. For the Cloud apps I have selected Exchange Online and SharePoint online”

Condaccbit04

I have selected Windows as the platform.

Condaccbit05

I have selected Browser and Mobile apps and Desktop clients.

Condaccbit06

Under Grant,  have selected Require device to be marked as compliant. This means the device needs to be enrolled in Intune, and also compliant.

Condaccbit07

Now, this is the user experience on my Windows 10 Pro machine. I have not enrolled it in Intune. When I go to https://outlook.office365.com using either Edge or IE11, I am presented with the message below:

Condaccbit08

Once I have MDM enrolled by Windows 10 machine into Intune, you can see the popup in the bottom right hand corner saying Encryption needed. The user needs to select this to kick off the encryption.

Condaccbit09

Once I have clicked on Encryption needed, I will follow the prompts:

Condaccbit10

Condaccbit11

Condaccbit12

Condaccbit13

Once the encryption has finished, I can now access Exchange Online and SharePoint Online.

Condaccbit14

 

Intune – Windows 10 Device Configuration

This post will show how you can set device configurations for MDM enrolled Windows 10 machines in the Intune preview in the Azure portal. This is using Intune standalone and not Intune hybrid. The device configurations I will deploy includes setting a wallpaper on a Windows 10 1703 Enterprise machine, and setting password restrictions. After configuring the Device configuration policy in Intune, it will also show the user experience in Windows 10.

In the Intune blade, select Device Configuration

IntuneDevCon01

Select Profiles, then select Create Profile

IntuneDevCon02

Type in a Name for the profile, for the Platform select Windows 10 and later, and for Profile type, select Device Restrictions

IntuneDevCon03

For this post, I will create password restrictions. I have selected Password as the category and configured some settings on the right hand side.

IntuneDevCon04

I will also set the desktop background picture in the Personalization category, by pasting in a URL to where I have uploaded the wallpaper. Note this CSP was only added in Windows 1703, and supported on Enterprise. See https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/customize/mdm/personalization-csp

IntuneDevCon05

Now I will click on Assignments to assign the device configuration policy to my Intune group I created in Azure AD.

IntuneDevCon06

Select the group and click Save.

IntuneDevCon07

Now on my Windows 10 Enterprise 1703 machine I am prompted to change my password

IntuneDevCon08

And the custom wallpaper has been set

IntuneDevCon09

Intune – Require Device Encryption (BitLocker) on Windows 10 1703

This post will show how you can create a compliance policy in the Intune preview portal to require Device Encryption (BitLocker) for a Windows 10 1703 Pro or Enterprise machine. It will also show the user experience. I will be testing this on a Hyper-V Gen 2 machine with the TPM enabled.

In portal.azure.com select Intune, then select Device compliance

encryp01

Select Policies

encryp02

Select Create Policy

encryp03

Enter in the name for the policy, and select Windows 10 and later for the Platform. Then select System Security, and select Require under Encryption.

encryp04

Save the policy and click on Assignments to deploy the policy to a user group.

encryp05

On my test Hyper-V Gen 2 machine, I have shut the machine down. Right click on the VM and click Settings, then select Security, and check the box Enable Trusted Platform Module so we can test BitLocker.

You can see that there is a notification now on the Windows 10 1703 Pro/Enterprise machine that Encryption is needed. The user needs to click on it.

encryp06

If you open up the Company Portal, you can also see there is a policy issue. If you click on View, you can see that the device requires encryption.

encryp07encryp08

When clicking on the notification that the device needs encryption (clicking the notification in the earlier screenshot, or clicking the notification in the bottom right corner) the user needs to go through the encryption wizard process.

encryp09

You can choose where to save the key.

encryp10encryp11encryp12

If you chose the option to save the BitLocker key to the cloud, you can view the BitLocker key in the Azure portal (portal.azure.com) by going to Azure Active Directory > Users and groups > All Users > select the user > Devices > Select the Device >

encryp13

Deploy .MSI app to MDM enrolled Windows 10 device in Intune preview

This post will show how you can deploy an .MSI to an MDM enrolled Windows 10 machine in the Intune preview in the Azure portal. As noted, the device is enrolled in Intune, and does not have the Intune client installed.

This post will use 7Zip .msi as an example and it will be deployed as “Available” in the Company Portal app for a Windows 10 1703 device.

In the Azure portal (portal.azure.com), click on More Services, then search for Intune and select it.

intunemsi00

Click on Mobile apps

intunemsi01

In the Apps section under Manage, click on Add

intunemsi02

Select Line-of-business app

intunemsi03

Click on the blue browse button and select your MSI (allowed file extensions are ipa, apk, msi, xap, appx, appxbundle.)

intunemsi04

Fill in the required details. For my example I have filled in the Name, Description, Publisher, and also selected an icon.

intunemsi05

The .msi will begin to upload and you will get a notification when the .msi has been uploaded. Once it has been uploaded, you can assign the application to a group.

intunemsi06

Next step is to assign the application to a group. This can be done under Assignments. In my example I have made it as Available to my user group called Intune. You can see the the other options below in the screenshot.

intunemsi07

Now I will open the Company Portal app on my Windows 10 machine and install 7Zip.

intunemsi08intunemsi09

Intune – Require users to use Outlook app on iOS and Android devices

This post will go into how you can use Intune preview in the Azure Portal to set a Conditional Access policy to require iOS and Android users to use the Outlook app, rather than the native iOS mail and Android mail applications. It will also show the user experience for a user using an iOS device and an Android device. To use the Outlook app once the policy has applied, the iOS device needs the Microsoft Authenticator app installed, and Android users need the Company Portal app installed.

In portal.azure.com click on More Services then search for Intune and click on Intune App Protection (you can click the Star to pin it to your list)

IntuneCA1

Intune App Protection

Now click on Exchange Online under Conditional Access.

IntuneCA2

Exchange Online – Conditional Access

Click on Allowed Apps, I have selected Allow apps that support Intune app policies

IntuneCA3

Allowed apps – Conditional Access, Exchange Online

Restricted Groups is where you will choose who to deploy the policy to. In Azure Active Directory, I have created a group called Intune which has my users in there with an Intune license assigned. Its a good idea to deploy this to some test users first, and not to a group with all your users in there.

IntuneCA4

Restricted user groups – Conditional Access, Exchange Online

On an Android device, I have updated the gmail application to support Office 365. I have added my account. When I check the inbox I can see an email saying that the IT department requires me to use the Outlook app.

IntuneCA5

On an iOS device, the user experience is very similar. When using the iOS native mail application, as soon as you check the inbox you will see a very similar email stating again that you require to use the Outlook app for Exchange Online.

IntuneCA6

Like I was saying earlier in the post, for Android you need the Company Portal App, and for iOS you need the Microsoft Authenticator App to register the devices in Azure AD (not enroll, only register). On an Android device, if you do not have the Company Portal app, you will see the following screen

IntuneCA7

Android – Company Portal app required

And this is the user experience for iOS without the Microsoft Authenticator app

 

IntuneCA8

Once the apps are installed you can then login to Exchange Online using the Outlook app.