Tag Archives: intune

Intune – Require Bitlocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile

BitlockerPIN01

Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up.
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

BitlockerPIN02

You can read more about these startup policies in this GPO “Require additional authentication at startup” description:

BitlockerPIN13

If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”

BitlockerPIN11

Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy

BitlockerPIN03

The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.

BitlockerPIN04

BitlockerPIN05

BitlockerPIN06

BitlockerPIN07

The user is prompted to enter a PIN:

BitlockerPIN08

BitlockerPIN09

BitlockerPIN10

After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:

BitlockerPIN12

Advertisements

Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have customized the start menu on a test machine, and exported the start menu layout to an XML file. For a guide on doing this, see Customize and export Start layout.  My test machine is Windows 10 1703 Enterprise joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile

StartMDM01

Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down and select Start, then click on the Browse button to upload your custom start menu which you generated earlier from your test machine using the Microsoft guide (Customize and export Start layout)

StartMDM02

Click on OK then OK again,and click on Create.

Now we will Assign the policy to a user group. Click on Assignments, then Select groups to include, then select the group, then click on Select, and then Save.

StartMDM04

On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, once you log off and log back on, you can now see that the start menu has applied.

StartMDM03

Intune – Windows 10 Device Configuration

This post will show how you can set device configurations for MDM enrolled Windows 10 machines in the Intune preview in the Azure portal. This is using Intune standalone and not Intune hybrid. The device configurations I will deploy includes setting a wallpaper on a Windows 10 1703 Enterprise machine, and setting password restrictions. After configuring the Device configuration policy in Intune, it will also show the user experience in Windows 10.

In the Intune blade, select Device Configuration

IntuneDevCon01

Select Profiles, then select Create Profile

IntuneDevCon02

Type in a Name for the profile, for the Platform select Windows 10 and later, and for Profile type, select Device Restrictions

IntuneDevCon03

For this post, I will create password restrictions. I have selected Password as the category and configured some settings on the right hand side.

IntuneDevCon04

I will also set the desktop background picture in the Personalization category, by pasting in a URL to where I have uploaded the wallpaper. Note this CSP was only added in Windows 1703, and supported on Enterprise. See https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/customize/mdm/personalization-csp

IntuneDevCon05

Now I will click on Assignments to assign the device configuration policy to my Intune group I created in Azure AD.

IntuneDevCon06

Select the group and click Save.

IntuneDevCon07

Now on my Windows 10 Enterprise 1703 machine I am prompted to change my password

IntuneDevCon08

And the custom wallpaper has been set

IntuneDevCon09

Intune – Require Device Encryption (BitLocker) on Windows 10 1703

This post will show how you can create a compliance policy in the Intune preview portal to require Device Encryption (BitLocker) for a Windows 10 1703 Pro or Enterprise machine. It will also show the user experience. I will be testing this on a Hyper-V Gen 2 machine with the TPM enabled.

In portal.azure.com select Intune, then select Device compliance

encryp01

Select Policies

encryp02

Select Create Policy

encryp03

Enter in the name for the policy, and select Windows 10 and later for the Platform. Then select System Security, and select Require under Encryption.

encryp04

Save the policy and click on Assignments to deploy the policy to a user group.

encryp05

On my test Hyper-V Gen 2 machine, I have shut the machine down. Right click on the VM and click Settings, then select Security, and check the box Enable Trusted Platform Module so we can test BitLocker.

You can see that there is a notification now on the Windows 10 1703 Pro/Enterprise machine that Encryption is needed. The user needs to click on it.

encryp06

If you open up the Company Portal, you can also see there is a policy issue. If you click on View, you can see that the device requires encryption.

encryp07encryp08

When clicking on the notification that the device needs encryption (clicking the notification in the earlier screenshot, or clicking the notification in the bottom right corner) the user needs to go through the encryption wizard process.

encryp09

You can choose where to save the key.

encryp10encryp11encryp12

If you chose the option to save the BitLocker key to the cloud, you can view the BitLocker key in the Azure portal (portal.azure.com) by going to Azure Active Directory > Users and groups > All Users > select the user > Devices > Select the Device >

encryp13

Deploy .MSI app to MDM enrolled Windows 10 device in Intune preview

This post will show how you can deploy an .MSI to an MDM enrolled Windows 10 machine in the Intune preview in the Azure portal. As noted, the device is enrolled in Intune, and does not have the Intune client installed.

This post will use 7Zip .msi as an example and it will be deployed as “Available” in the Company Portal app for a Windows 10 1703 device.

In the Azure portal (portal.azure.com), click on More Services, then search for Intune and select it.

intunemsi00

Click on Mobile apps

intunemsi01

In the Apps section under Manage, click on Add

intunemsi02

Select Line-of-business app

intunemsi03

Click on the blue browse button and select your MSI (allowed file extensions are ipa, apk, msi, xap, appx, appxbundle.)

intunemsi04

Fill in the required details. For my example I have filled in the Name, Description, Publisher, and also selected an icon.

intunemsi05

The .msi will begin to upload and you will get a notification when the .msi has been uploaded. Once it has been uploaded, you can assign the application to a group.

intunemsi06

Next step is to assign the application to a group. This can be done under Assignments. In my example I have made it as Available to my user group called Intune. You can see the the other options below in the screenshot.

intunemsi07

Now I will open the Company Portal app on my Windows 10 machine and install 7Zip.

intunemsi08intunemsi09

Intune – Require users to use Outlook app on iOS and Android devices

This post will go into how you can use Intune preview in the Azure Portal to set a Conditional Access policy to require iOS and Android users to use the Outlook app, rather than the native iOS mail and Android mail applications. It will also show the user experience for a user using an iOS device and an Android device. To use the Outlook app once the policy has applied, the iOS device needs the Microsoft Authenticator app installed, and Android users need the Company Portal app installed.

In portal.azure.com click on More Services then search for Intune and click on Intune App Protection (you can click the Star to pin it to your list)

IntuneCA1

Intune App Protection

Now click on Exchange Online under Conditional Access.

IntuneCA2

Exchange Online – Conditional Access

Click on Allowed Apps, I have selected Allow apps that support Intune app policies

IntuneCA3

Allowed apps – Conditional Access, Exchange Online

Restricted Groups is where you will choose who to deploy the policy to. In Azure Active Directory, I have created a group called Intune which has my users in there with an Intune license assigned. Its a good idea to deploy this to some test users first, and not to a group with all your users in there.

IntuneCA4

Restricted user groups – Conditional Access, Exchange Online

On an Android device, I have updated the gmail application to support Office 365. I have added my account. When I check the inbox I can see an email saying that the IT department requires me to use the Outlook app.

IntuneCA5

On an iOS device, the user experience is very similar. When using the iOS native mail application, as soon as you check the inbox you will see a very similar email stating again that you require to use the Outlook app for Exchange Online.

IntuneCA6

Like I was saying earlier in the post, for Android you need the Company Portal App, and for iOS you need the Microsoft Authenticator App to register the devices in Azure AD (not enroll, only register). On an Android device, if you do not have the Company Portal app, you will see the following screen

IntuneCA7

Android – Company Portal app required

And this is the user experience for iOS without the Microsoft Authenticator app

 

IntuneCA8

Once the apps are installed you can then login to Exchange Online using the Outlook app.

 

Intune App Protection Policies

Intune App Policies can be used to protect company data whether the mobile device is enrolled in Intune, or another MDM solution, or not enrolled at all. As long as the users have an Intune license and the App Policy is deployed to the user, the App Policies will work for managed apps. If you have an Intune license, you can login to the Azure Portal (portal.azure.com), click More Services, and search for Intune App Protection to start deploying App Policies.

intuneapp1

From my testing, if a user does not have an Intune license, or the App Policy is not deployed to them, they can still use the app as normal without any protection using their work account. You can use the new Azure AD group-based license  in portal.azure.com to license users with Intune (group), and deploy the Intune App Policies to the same group. More can be read here.

At the moment you can create App Policies for iOS and Android devices. If you have an Android you will need to install the Company Portal App, but you do not need to be enrolled or configure it.

When creating an App Policy you are able to select the following apps to protect:

intuneapp2

Some of the settings you can configure on the apps include, preventing save as, encrypting app data, requiring PIN for access, preventing copy and paste from non-managed apps and so on. A full list of settings can be seen when you create the policy. In order to create the App Policies see Create and deploy app protection policies with Microsoft Intune. Don’t forget to deploy the policy once you have created it.

End User Experience:

The following screenshots will show the end user experience on an Android Device (with Company Portal installed but not configured or enrolled). iOS is very similar as well:

The policy I set included the Microsoft Word app. When opening it, it says that the organization now protects it, and I must set a 4 digit PIN. One thing to note is that these policies are only enforced when using apps in a Work context, not in a personal context.

intuneapp3

Another setting I chose was to not allow cut/copy/paste outside of a managed app. When I try and copy out of Word (managed app) into the Android memo app (non managed app) and paste, I get the following:

intuneapp4

You can also view the built-in dashboards in the Intune App Protection section in the Azure portal to view more information about your users. For example the dashboard below shows that I have checked in on my iPhone for Word and OneDrive but not others.

intuneapp5