Tag Archives: intune

Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured, in the Intune portal in https://portal.azure.com go to Azure Active Directory > Mobility (MDM and MAM) then Microsoft Intune.


I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”


Now i’ll create the MAM/Windows Information Protection policy. In Intune > Mobileapps > App protection policies, select Add a policy


Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.


I’ll be adding some apps to allow them to access my corporate data.


After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”


For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.


In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive to the list and Office 365 email. In the example I have added “<domain>-my.sharepoint.com for OneDrive, and outlook.office365.com for Exchange Online. Seperate these by a “|”. So my full list is <domain>-my.sharepoint.com|<domain>.sharepoint.com|outlook.office365.com


Click on Create, then assign the policy to a group.


Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine, with Office 365 installed, when adding an account to Microsoft Office product such as Word, it will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in


Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned


Enter in the password and click Sign in


Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.


From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.


Also on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows its enrolled into MAM now.


Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.


Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.


What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document



SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.


Select Browse next to Web App and click on Create to create the web app in Azure.


Give everything a name, then sign into Azure AD and click on OK.


Follow the same steps for the Native Client app. Once created, click OK.


You can configure the polling schedule by clicking on Settings. Next Next finish…


Now we need to grant the permissions in the apps we created in the Azure portal. Login to https://portal.azure.com Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created


Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.


Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.


I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname>.domain.com to <cmgname>.cloudapp.net

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.



Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.


To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here


Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings


Cloud Distribution Point:

First, login to the Azure portal https://portal.azure.com then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.


I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname>.domain.com to <clouddpservicename>.cloudapp.net. If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.


Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal (https://portal.azure.com) go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.


Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.


Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.


On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.


The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.


I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.


I will deploy the application to my Cloud Distribution Point.


On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.



Intune – Windows 10 Interactive Logon Message

This blog post will show how you can set a logon message for a Windows 10 1709 Pro or Enterprise machine enrolled into Intune. To do this, I will create a custom Device Configuration profile in Intune and use the “InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” policy CSP to set a message title, and “InteractiveLogon_MessageTextForUsersAttemptingToLogOn” policy CSP to set the message text. To read more about using custom OMA-URI see Custom device settings for Windows 10 devices in Microsoft Intune

You can read more about the interactive logon message here – Interactive logon: Message text for users attempting to log on
For more information about the Policy CSP that we will use:

Login to the Intune portal in Azure https://portal.azure.com

For the message title, go to Intune, then Device configuration, then Profiles, Create Profile, give the profile a name, select Windows 10 and later for the Platform, and select Custom for the Profile type. Then click Configure.


Click on Add, then give it a name, I have chosen Interactive Message Title, and then for the OMA-URI put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” and then select String for the Data type. For the value, I have put “WARNING:”


Click on OK a few times then click on Create. Next we will assign the Configuration profile to a group.


Now we will create another Device configuration profile for the message text.

For the OMA-URI, put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn” and the Data type is String again, and type in your message text.



Also assign this policy to a group.


Once the machine has done a sync and has been restarted, you can see the interactive logon message.


On the Windows 10 1709 machine, you can also open up gpedit.msc and under Computer Configuration, Windows Settings, Security Settings,  Local Policies,  Security Options,  we can see the settings.



Intune – Windows Defender Security Center device configuration section

In the week of December 11, 2017, Microsoft added a new Windows Defender Security Center device confiugration profile section to Intune. This allows you to hide sections from the user:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

You can also add your IT contact information to the Windows Defender app and customize notifications. This post will show how to configure it and the end user experience.

In the Intune portal (portal.azure.com) go to Intune > Device configuration > Profiles > Create Profile. Give the profile a name, and select Windows 10 and later for Platform. Then for the Profile type, select Endpoint protection. Down the bottom you will see Windows Defender Security Center.


Now here you can configure which sections to hide, customize the notifications and add your IT contact information. In my example, I have decided to hide everything and have added some dummy contact information.


Once you have created the profile, I have selected All Devices under Assign to to assign this configuration profile to all my devices.


This is how my Windows Defender Security Center previously looked on my Windows 10 1709 Enterprise machine.


After doing a sync, you can see it says Nhogarth.net has disabled Windows Defender Security Center. I have also added my dummy contact information.


Intune – TeamViewer for Windows

In the week of October 16 2017, Microsoft released the support for TeamViewer for Windows in the Azure Intune portal. Previously TeamViewer in the Azure Intune portal only supported Android devices. This is very simple to set up, and you can do it with a trial from TeamViewer. To see what else is new in Intune, see https://docs.microsoft.com/en-us/intune/whats-new

In the Azure Portal (https://portal.azure.com) go to Microsoft Intune > Devices > TeamViewer Connector

Click on Connect


Read through terms and conditions and click on OK if you agree.


The status will now be Connecting.


You will get a popup to accept the permissions.


Another message will be displayed that TeamViewer and Intune have been connected.


You can see that the Connection status is now Active.


On your Windows 10 machine, select the Device, then click the More button, and you will now see New Remote Assistance Session.


Click Yes.


In the top right of the screen you will see a message about initiating the new remote assistance session.


Now you will see a screen saying that the session has been initiated. Under Remote Assistance, click on Start Remote Assistance.


A new tab will open in your browser, and TeamViewer will begin to download.


Run the download and you will be presented with the TeamViewer details and a screen waiting for the Intune enrolled machine to connect.



Now on the Windows 10 enrolled machine:

Make sure you have the latest version of the Company Portal on your Windows 10 machine. Open the Company Portal, and you will now see a notification flag. Click it and you will see Your IT administrator is requesting control of this device for a remote assistance session.


TeamViewer will now open up in a browser. Run the download


Select Allow


You are now connected to the Windows 10 MDM enrolled machine.


Intune – Require Bitlocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for Bitlocker. It will also show the end user experience prompting the user to configure Bitlocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile


Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at start up.
Compatible TPM startup – Do not allow TPM
Compatible TPM startup PIN – Require startup PIN with TPM
Compatible TPM startup key – Do not allow startup key with TPM
Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM


You can read more about these startup policies in this GPO “Require additional authentication at startup” description:


If the Additional authentication at startup settings are configured incorrectly, then a user may see “The Group Policy settings for Bitlocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”


Back to Intune – Configure the Assignments and select a group that will receive the Bitlocker policy


The Windows 10 1703 machine will get a notification saying that the machine needs Bitlocker configured.





The user is prompted to enter a PIN:




After Bitlocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:


Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have customized the start menu on a test machine, and exported the start menu layout to an XML file. For a guide on doing this, see Customize and export Start layout.  My test machine is Windows 10 1703 Enterprise joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile


Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down and select Start, then click on the Browse button to upload your custom start menu which you generated earlier from your test machine using the Microsoft guide (Customize and export Start layout)


Click on OK then OK again,and click on Create.

Now we will Assign the policy to a user group. Click on Assignments, then Select groups to include, then select the group, then click on Select, and then Save.


On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, once you log off and log back on, you can now see that the start menu has applied.