Tag Archives: intune

Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured. In the Intune portal at https://portal.azure.com, go to Azure Active Directory > Mobility (MDM and MAM), then Microsoft Intune.

wipmam01

I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”

wipmam02

Now I’ll create the MAM/Windows Information Protection policy. In Intune > Mobile apps > App protection policies, select Add a policy.

wipmam03

Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.

wipmam04

I’ll be adding some apps to allow them to access my corporate data.

wipmam05

After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”

wipmam06

For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.

wipmam07

In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive and Office 365 email to the list. In the example I have added “<domain>-my.sharepoint.com” for OneDrive, and “outlook.office365.com” for Exchange Online. Separate these with a “|”. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com

wipmam08
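
A malformed Cloud resources value is easy to miss in the portal, so the check below (an added example, not part of the original post) splits the list on “|” and flags entries that need review before the policy is saved. The function name and the contoso sample values are constructed for illustration; the optional `,proxy` suffix and the `/*AppCompat*/` token follow Microsoft's documented format for this setting.

```powershell
function Test-WipCloudResources {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $issues = New-Object 'System.Collections.Generic.List[string]'
    $seen   = @{}
    $index  = 0

    foreach ($entry in $Value.Split('|')) {
        $index++
        if ($entry -eq '/*AppCompat*/') { continue }   # documented special token, not a host
        if ([string]::IsNullOrWhiteSpace($entry)) {
            $issues.Add("entry ${index}: empty (stray or trailing '|')")
            continue
        }
        if ($entry -match '\s') { $issues.Add("entry ${index}: contains whitespace") }

        # Each entry is either "resource" or "resource,proxy".
        $parts = $entry.Split(',')
        if ($parts.Count -gt 2) { $issues.Add("entry ${index}: more than one ','") }

        foreach ($part in $parts) {
            $p = $part.Trim()
            if ($p -match '^[a-z][a-z0-9+.-]*://') {
                $issues.Add("entry ${index}: '$p' includes a URL scheme")
            }
            elseif ($p -match '/') {
                $issues.Add("entry ${index}: '$p' includes a path or trailing '/'")
            }
            if ($p -match '[<>]') {
                $issues.Add("entry ${index}: '$p' still contains a placeholder")
            }
        }

        # Track the resource part so repeated entries are reported once each.
        $resource = $parts[0].Trim().ToLowerInvariant()
        if ($seen.ContainsKey($resource)) {
            $issues.Add("entry ${index}: duplicate of entry $($seen[$resource])")
        }
        else { $seen[$resource] = $index }
    }

    [pscustomobject]@{
        Valid   = ($issues.Count -eq 0)
        Entries = $index
        Issues  = $issues.ToArray()
    }
}

# Constructed sample values (contoso stands in for <domain>).
$good = 'contoso-my.sharepoint.com|contoso.sharepoint.com|outlook.office365.com'
$bad  = 'https://contoso-my.sharepoint.com/| contoso.sharepoint.com||outlook.office365.com'

Test-WipCloudResources -Value $good   # well-formed list in the format used in this post
Test-WipCloudResources -Value $bad    # input with a scheme, a leading space and an empty entry
```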

Click on Create, then assign the policy to a group.

wipmam10

Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine with Office 365 installed, adding an account to a Microsoft Office product such as Word will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in

wipmam11

Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned

wipmam12

Enter in the password and click Sign in

wipmam13

Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.

wipmam14wipmam15wipmam16

From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.

wipmam17

Also, on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows it’s enrolled into MAM now.

wipmam20

Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.

wipmam18

Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.

wipmam19

What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document

wipmam21


SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.

CloudMgmt01

Select Browse next to Web App and click on Create to create the web app in Azure.

CloudMgmt0

Give everything a name, then sign into Azure AD and click on OK.

CloudMgmt03

Follow the same steps for the Native Client app. Once created, click OK.

CloudMgmt05

You can configure the polling schedule by clicking on Settings. Next Next finish…

CloudMgmt06

Now we need to grant the permissions in the apps we created in the Azure portal. Log in to https://portal.azure.com, then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created.

CloudMgmt09

Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.

CloudMgmt08

Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.

CMGResMg-01

I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.

 

CMGResMg-02

Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.

CMGResMg-03

To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here

CMGResMg-04

Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings

CMGResMg-05

Cloud Distribution Point:

First, login to the Azure portal https://portal.azure.com then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.

CloudDP01

I am using a certificate from Digicert. I have created a CNAME in my external DNS that points the <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.

CloudDP02

Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal (https://portal.azure.com) go to Intune, then Mobile Apps, then Add App. Select Line-of-business app, browse to the ccmsetup.msi and click on Next.

CloudMgmt07

Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.

IntuneClient01IntuneClient02

Once ccmsetup.msi has been uploaded, assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.

IntuneClient03

On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.

IntuneClient04

The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.

IntuneClient05

I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.

IntuneClient06

I will deploy the application to my Cloud Distribution Point.

IntuneClient07

On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.

IntuneClient08IntuneClient10

 

Intune – Windows 10 Interactive Logon Message

This blog post will show how you can set a logon message for a Windows 10 1709 Pro or Enterprise machine enrolled into Intune. To do this, I will create a custom Device Configuration profile in Intune and use the “InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” policy CSP to set a message title, and “InteractiveLogon_MessageTextForUsersAttemptingToLogOn” policy CSP to set the message text. To read more about using custom OMA-URI see Custom device settings for Windows 10 devices in Microsoft Intune

You can read more about the interactive logon message here – Interactive logon: Message text for users attempting to log on
For more information about the Policy CSP that we will use:

Login to the Intune portal in Azure https://portal.azure.com

For the message title, go to Intune, then Device configuration, then Profiles, Create Profile, give the profile a name, select Windows 10 and later for the Platform, and select Custom for the Profile type. Then click Configure.

message01

Click on Add, then give it a name, I have chosen Interactive Message Title, and then for the OMA-URI put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” and then select String for the Data type. For the value, I have put “WARNING:”

message02

Click on OK a few times then click on Create. Next we will assign the Configuration profile to a group.

message03

Now we will create another Device configuration profile for the message text.

For the OMA-URI, put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn” and the Data type is String again, and type in your message text.

message04

message05

Also assign this policy to a group.

message06

Once the machine has done a sync and has been restarted, you can see the interactive logon message.

message07

On the Windows 10 1709 machine, you can also open up gpedit.msc and under Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, we can see the settings.

message08

 

Intune – Windows Defender Security Center device configuration section

In the week of December 11, 2017, Microsoft added a new Windows Defender Security Center device configuration profile section to Intune. This allows you to hide sections from the user:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

You can also add your IT contact information to the Windows Defender app and customize notifications. This post will show how to configure it and the end user experience.

In the Intune portal (portal.azure.com) go to Intune > Device configuration > Profiles > Create Profile. Give the profile a name, and select Windows 10 and later for Platform. Then for the Profile type, select Endpoint protection. Down the bottom you will see Windows Defender Security Center.

defender01

Now here you can configure which sections to hide, customize the notifications and add your IT contact information. In my example, I have decided to hide everything and have added some dummy contact information.

defender02

Once the profile has been created, assign it. I have selected All Devices under Assign to, which assigns this configuration profile to all my devices.

defender03

This is how my Windows Defender Security Center previously looked on my Windows 10 1709 Enterprise machine.

defender04

After doing a sync, you can see it says Nhogarth.net has disabled Windows Defender Security Center. I have also added my dummy contact information.

defender05

Intune – TeamViewer for Windows

In the week of October 16 2017, Microsoft released the support for TeamViewer for Windows in the Azure Intune portal. Previously TeamViewer in the Azure Intune portal only supported Android devices. This is very simple to set up, and you can do it with a trial from TeamViewer. To see what else is new in Intune, see https://docs.microsoft.com/en-us/intune/whats-new

In the Azure Portal (https://portal.azure.com) go to Microsoft Intune > Devices > TeamViewer Connector

Click on Connect

Teamviewer01

Read through terms and conditions and click on OK if you agree.

Teamviewer02

The status will now be Connecting.

Teamviewer03

You will get a popup to accept the permissions.

Teamviewer04

Another message will be displayed that TeamViewer and Intune have been connected.

Teamviewer05

You can see that the Connection status is now Active.

Teamviewer06

On your Windows 10 machine, select the Device, then click the More button, and you will now see New Remote Assistance Session.

Teamviewer07

Click Yes.

Teamviewer08

In the top right of the screen you will see a message about initiating the new remote assistance session.

Teamviewer09

Now you will see a screen saying that the session has been initiated. Under Remote Assistance, click on Start Remote Assistance.

Teamviewer10

A new tab will open in your browser, and TeamViewer will begin to download.

Teamviewer11

Run the download and you will be presented with the TeamViewer details and a screen waiting for the Intune enrolled machine to connect.

Teamviewer12

Teamviewer13

Now on the Windows 10 enrolled machine:

Make sure you have the latest version of the Company Portal on your Windows 10 machine. Open the Company Portal, and you will now see a notification flag. Click it and you will see Your IT administrator is requesting control of this device for a remote assistance session.

Teamviewer14

TeamViewer will now open up in a browser. Run the download

Teamviewer15

Select Allow

Teamviewer16

You are now connected to the Windows 10 MDM enrolled machine.

Teamviewer17

Intune – Require Bitlocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile

BitlockerPIN01

Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up, then set:

  • Compatible TPM startup – Do not allow TPM
  • Compatible TPM startup PIN – Require startup PIN with TPM
  • Compatible TPM startup key – Do not allow startup key with TPM
  • Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

BitlockerPIN02

You can read more about these startup policies in this GPO “Require additional authentication at startup” description:

BitlockerPIN13

If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”

BitlockerPIN11

Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy

BitlockerPIN03

The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.

BitlockerPIN04

BitlockerPIN05

BitlockerPIN06

BitlockerPIN07

The user is prompted to enter a PIN:

BitlockerPIN08

BitlockerPIN09

BitlockerPIN10

After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:

BitlockerPIN12
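
One way to audit the result of this profile, as an added example that is not part of the original post: the first function checks a set of Additional authentication at start up values for the kind of conflict behind the error shown earlier, and the second reports whether the OS volume actually carries a TPM and PIN key protector. The function names are hypothetical, and the conflict rule is an assumption of this example (when one option is Required, the other three must be Do not allow, as in the values chosen in this post); Get-BitLockerVolume is the standard BitLocker cmdlet and needs an elevated session.

```powershell
function Test-StartupAuthCombination {
    # Group Policy encoding for each option: 0 = Do not allow, 1 = Require, 2 = Allow.
    param([int]$Tpm, [int]$TpmPin, [int]$TpmKey, [int]$TpmKeyPin)

    $options = [ordered]@{
        'TPM only'        = $Tpm
        'TPM + PIN'       = $TpmPin
        'TPM + key'       = $TpmKey
        'TPM + key + PIN' = $TpmKeyPin
    }
    $required  = @($options.Keys | Where-Object { $options[$_] -eq 1 })
    $permitted = @($options.Keys | Where-Object { $options[$_] -ne 0 })

    $problems = @()
    if ($required.Count -gt 1) {
        $problems += "More than one option is required: $($required -join ', ')"
    }
    elseif ($required.Count -eq 1 -and $permitted.Count -gt 1) {
        # Assumed rule: a required option needs every other option set to Do not allow.
        $others = @($permitted | Where-Object { $_ -ne $required[0] })
        $problems += "'$($required[0])' is required but these are not blocked: $($others -join ', ')"
    }

    [pscustomobject]@{ Consistent = ($problems.Count -eq 0); Problems = $problems }
}

function Get-OsVolumePinStatus {
    # Reads the live state of the OS volume (run elevated on the managed device).
    $volume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $types  = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPin = $types -contains 'TpmPin'
    $isOn   = ($volume.ProtectionStatus.ToString() -eq 'On')

    [pscustomobject]@{
        MountPoint        = $volume.MountPoint
        VolumeStatus      = $volume.VolumeStatus.ToString()
        ProtectionStatus  = $volume.ProtectionStatus.ToString()
        KeyProtectors     = $types -join ', '
        StartupPinPresent = $hasPin
        TpmOnlyPresent    = ($types -contains 'Tpm')
        # Meets the profile only if protection is on and the PIN cannot be bypassed
        # by a TPM-only protector left over from an earlier configuration.
        MeetsPolicy       = ($isOn -and $hasPin -and ($types -notcontains 'Tpm'))
    }
}

# Values from the profile in this post: only TPM + PIN is required, the rest are blocked.
Test-StartupAuthCombination -Tpm 0 -TpmPin 1 -TpmKey 0 -TpmKeyPin 0

# Constructed combination for comparison: PIN required while TPM-only is still allowed.
Test-StartupAuthCombination -Tpm 2 -TpmPin 1 -TpmKey 0 -TpmKeyPin 0

Get-OsVolumePinStatus
```

MeetsPolicy stays false while the drive is still encrypting, so run the volume check after encryption has finished and the machine has restarted.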

Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have customized the start menu on a test machine, and exported the start menu layout to an XML file. For a guide on doing this, see Customize and export Start layout.  My test machine is Windows 10 1703 Enterprise joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile

StartMDM01

Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down and select Start, then click on the Browse button to upload your custom start menu which you generated earlier from your test machine using the Microsoft guide (Customize and export Start layout)

StartMDM02

Click on OK, then OK again, and click on Create.

Now we will Assign the policy to a user group. Click on Assignments, then Select groups to include, then select the group, then click on Select, and then Save.

StartMDM04

On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, once you log off and log back on, you can now see that the start menu has applied.

StartMDM03