Tag Archives: intune

Intune – Windows Defender Security Center device configuration section

In the week of December 11, 2017, Microsoft added a new Windows Defender Security Center device configuration profile section to Intune. This allows you to hide the following sections from the user:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

You can also add your IT contact information to the Windows Defender app and customize notifications. This post will show how to configure it and the end user experience.

In the Intune portal (portal.azure.com) go to Intune > Device configuration > Profiles > Create Profile. Give the profile a name, and select Windows 10 and later for Platform. Then for the Profile type, select Endpoint protection. At the bottom you will see Windows Defender Security Center.

defender01

Now here you can configure which sections to hide, customize the notifications and add your IT contact information. In my example, I have decided to hide everything and have added some dummy contact information.

defender02

Once you have created the profile, assign it. I selected All Devices under Assign to so that this configuration profile applies to all my devices.

defender03

This is how my Windows Defender Security Center previously looked on my Windows 10 1709 Enterprise machine.

defender04

After doing a sync, the app shows the message "Nhogarth.net has disabled Windows Defender Security Center", and the dummy contact information I added is displayed.

defender05
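
To confirm on the device that the profile has actually applied, rather than relying only on the app's appearance, the following PowerShell reads back the policy values. This is an added example and not part of the original post. The registry paths are the ones written by the equivalent Group Policy setting (WindowsDefenderSecurityCenter.admx); that the Intune-delivered policy lands in the same location is an assumption made here.

```powershell
# Added example (not from the original post): read back the Windows Defender
# Security Center policy values on an enrolled Windows 10 1709 device to confirm
# the Intune profile applied. Registry paths are those of the equivalent Group
# Policy (WindowsDefenderSecurityCenter.admx); that the MDM policy writes the
# same location is an assumption.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center'

# Sections the profile can hide; each carries a UILockdown DWORD (1 = hidden).
$sections = @(
    'Virus and threat protection',
    'Device performance and health',
    'Firewall and network protection',
    'App and browser protection',
    'Family options'
)

function Get-SecurityCenterState {
    $result = [ordered]@{}
    foreach ($s in $sections) {
        $key   = Join-Path $base $s
        $value = (Get-ItemProperty -Path $key -Name UILockdown -ErrorAction SilentlyContinue).UILockdown
        $result[$s] = if ($value -eq 1) { 'Hidden' }
                      elseif ($null -eq $value) { 'Not configured' }
                      else { 'Visible' }
    }
    # IT contact details live under "Enterprise Customization".
    $contact = Get-ItemProperty -Path (Join-Path $base 'Enterprise Customization') -ErrorAction SilentlyContinue
    $result['CompanyName'] = $contact.CompanyName
    $result['Phone']       = $contact.Phone
    $result['Email']       = $contact.Email
    $result['URL']         = $contact.URL
    [pscustomobject]$result
}

Get-SecurityCenterState | Format-List
```

Run it in an elevated PowerShell after the sync; a section that still reports "Not configured" means the policy has not reached the device yet.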


Intune – TeamViewer for Windows

In the week of October 16, 2017, Microsoft released support for TeamViewer for Windows in the Azure Intune portal. Previously, TeamViewer in the Azure Intune portal only supported Android devices. This is very simple to set up, and you can do it with a trial from TeamViewer. To see what else is new in Intune, see https://docs.microsoft.com/en-us/intune/whats-new

In the Azure Portal (https://portal.azure.com) go to Microsoft Intune > Devices > TeamViewer Connector

Click on Connect

Teamviewer01

Read through the terms and conditions and click on OK if you agree.

Teamviewer02

The status will now be Connecting.

Teamviewer03

You will get a popup to accept the permissions.

Teamviewer04

Another message will be displayed that TeamViewer and Intune have been connected.

Teamviewer05

You can see that the Connection status is now Active.

Teamviewer06

In the Intune portal, select your Windows 10 device, then click the More button, and you will now see New Remote Assistance Session.

Teamviewer07

Click Yes.

Teamviewer08

In the top right of the screen you will see a message about initiating the new remote assistance session.

Teamviewer09

Now you will see a screen saying that the session has been initiated. Under Remote Assistance, click on Start Remote Assistance.

Teamviewer10

A new tab will open in your browser, and TeamViewer will begin to download.

Teamviewer11

Run the download and you will be presented with the TeamViewer details and a screen waiting for the Intune enrolled machine to connect.

Teamviewer12

Teamviewer13

Now on the Windows 10 enrolled machine:

Make sure you have the latest version of the Company Portal on your Windows 10 machine. Open the Company Portal, and you will now see a notification flag. Click it and you will see Your IT administrator is requesting control of this device for a remote assistance session.

Teamviewer14

TeamViewer will now open up in a browser. Run the download.

Teamviewer15

Select Allow.

Teamviewer16

You are now connected to the Windows 10 MDM enrolled machine.

Teamviewer17

Intune – Require BitLocker PIN for Windows 10 1703

This post will show how you can use Intune to deploy a Device Configuration Profile to an MDM enrolled Windows 10 1703 machine to require a startup PIN for BitLocker. It will also show the end user experience prompting the user to configure BitLocker and set a PIN.

In the Intune portal in https://portal.azure.com , select Intune > Device Configuration > Profiles > Create profile

BitlockerPIN01

Select Windows 10 and later as the platform, select Endpoint protection for the profile type, then click on Configure.

Under Windows Experience, select Require next to Encrypt Devices.

Select Enable next to Configure encryption methods if you would like to configure the encryption methods.

Select Enable next to Additional authentication at startup, then set:

  • Compatible TPM startup – Do not allow TPM
  • Compatible TPM startup PIN – Require startup PIN with TPM
  • Compatible TPM startup key – Do not allow startup key with TPM
  • Compatible TPM startup key and PIN – Do not allow startup key and PIN with TPM

BitlockerPIN02

You can read more about these startup options in the description of the “Require additional authentication at startup” Group Policy setting:

BitlockerPIN13

If the Additional authentication at startup settings are configured inconsistently (for example, more than one option set to Require), the user may see “The Group Policy settings for BitLocker startup options are in conflict and cannot be applied. Contact your system administrator for more information.”

BitlockerPIN11

Back in Intune, configure the Assignments and select a group that will receive the BitLocker policy.

BitlockerPIN03

The Windows 10 1703 machine will get a notification saying that the machine needs BitLocker configured.

BitlockerPIN04

BitlockerPIN05

BitlockerPIN06

BitlockerPIN07

The user is prompted to enter a PIN:

BitlockerPIN08

BitlockerPIN09

BitlockerPIN10

After BitLocker has finished encrypting the drive and the machine is restarted, the user will be prompted to enter a PIN to unlock the drive at startup:

BitlockerPIN12
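
The conflict message above is the failure mode of this profile, so it is worth being able to read the startup authentication policy as it landed on the device and spot the inconsistent combination before a user does. The PowerShell below is an added example, not part of the original post. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those of the “Require additional authentication at startup” Group Policy setting (0 = Do not allow, 1 = Require, 2 = Allow); that the Intune endpoint protection profile writes the same values is an assumption made here.

```powershell
# Added example (not from the original post): read the BitLocker startup
# authentication policy as applied on the device and flag two combinations
# behind the "startup options are in conflict" message: more than one option
# set to Require, or no option allowed at all. Value names are those of the
# Group Policy setting; that the Intune profile writes the same values is assumed.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Get-BitLockerStartupPolicy {
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    if (-not $p -or $p.UseAdvancedStartup -ne 1) {
        return [pscustomobject]@{
            Configured = $false; Conflict = $false
            Detail     = 'Additional authentication at startup is not enabled'
        }
    }
    $options = [ordered]@{
        'TPM only'          = $p.UseTPM
        'TPM + PIN'         = $p.UseTPMPIN
        'TPM + startup key' = $p.UseTPMKey
        'TPM + key + PIN'   = $p.UseTPMKeyPIN
    }
    $required = @($options.GetEnumerator() | Where-Object { $_.Value -eq 1 })
    $allowed  = @($options.GetEnumerator() | Where-Object { $_.Value -in 1, 2 })
    # Two "Require" options cannot both be satisfied; no allowed option leaves the
    # OS drive with no TPM-based protector. Either way the policy cannot be applied.
    $conflict = ($required.Count -gt 1) -or ($allowed.Count -eq 0)
    $detail = ($options.GetEnumerator() |
        ForEach-Object { '{0}: {1}' -f $_.Key, $meaning[[int]$_.Value] }) -join '; '
    [pscustomobject]@{ Configured = $true; Conflict = $conflict; Detail = $detail }
}

function Test-TpmPinProtector {
    # True once the OS drive carries a TPM+PIN key protector, i.e. the user has
    # completed the wizard shown in the screenshots above.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
}

Get-BitLockerStartupPolicy | Format-List
"OS drive has TPM+PIN protector: $(Test-TpmPinProtector)"
```

With the four settings from this post (Do not allow / Require / Do not allow / Do not allow) the script reports Conflict = False and a single required option, TPM + PIN.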

Intune – customize the start menu on Windows 10 1703

This post will show how you can deploy a custom start menu on a Windows 10 Pro/Enterprise machine enrolled with Intune by using the Intune portal in Azure.

This post assumes you have customized the start menu on a test machine, and exported the start menu layout to an XML file. For a guide on doing this, see Customize and export Start layout. My test machine is Windows 10 1703 Enterprise joined to Azure AD and enrolled in Intune.

In the new Intune portal in Azure (https://portal.azure.com) go to Intune > Device Configuration > Profiles > Create Profile

StartMDM01

Give the profile a name, and select Windows 10 and later for the Platform, and select Device restrictions for the Profile type.

Now scroll down and select Start, then click on the Browse button to upload the custom start menu layout XML you exported earlier from your test machine using the Microsoft guide (Customize and export Start layout).

StartMDM02

Click on OK, then OK again, and click on Create.

Now we will Assign the policy to a user group. Click on Assignments, then Select groups to include, then select the group, then click on Select, and then Save.

StartMDM04

On the Windows 10 machine enrolled in Intune, you can force a sync by going to Start > Settings > Accounts > Access work or school > Select the account then Info > Sync

After it has synced, log off and log back on; you can then see that the custom start menu has been applied.

StartMDM03
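
Because a layout file pins whatever shortcuts it names, it is worth listing what an exported layout contains before uploading it. The PowerShell below is an added example and not part of the original post; the XML it parses is constructed for the example, and on a real test machine you would instead load the file written by Export-StartLayout -Path C:\Layouts\StartLayout.xml (the path is a placeholder).

```powershell
# Added example (not from the original post): enumerate the tiles in an exported
# Start layout so the shortcut paths can be reviewed before the file is uploaded
# to Intune. The XML below is constructed for this example; replace it with
# [xml](Get-Content C:\Layouts\StartLayout.xml) on your test machine (placeholder path).
[xml]$layout = @'
<LayoutModificationTemplate Version="1"
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Work">
          <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
          <start:DesktopApplicationTile Size="2x2" Column="4" Row="0" DesktopApplicationLinkPath="C:\Users\Public\Desktop\Unknown Tool.lnk" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
'@

function Get-StartLayoutTiles {
    param([xml]$Xml)
    # Match elements by local name so the namespace prefixes need no registration.
    foreach ($group in $Xml.SelectNodes("//*[local-name()='Group']")) {
        $tiles = $group.ChildNodes | Where-Object NodeType -eq 'Element'
        foreach ($tile in $tiles) {
            $target = $tile.GetAttribute('AppUserModelID')
            if (-not $target) { $target = $tile.GetAttribute('DesktopApplicationLinkPath') }
            if (-not $target) { $target = $tile.GetAttribute('DesktopApplicationID') }
            [pscustomobject]@{
                Group  = $group.GetAttribute('Name')
                Kind   = $tile.LocalName
                Target = $target
                # A desktop tile whose .lnk lives outside the machine-wide Start Menu
                # or Program Files deserves a second look: whatever the shortcut points
                # at is what runs when the user clicks the tile.
                Review = ($tile.LocalName -eq 'DesktopApplicationTile' -and
                          $target -notmatch '^(%ALLUSERSPROFILE%|%ProgramFiles|C:\\Program Files)')
            }
        }
    }
}

Get-StartLayoutTiles -Xml $layout | Format-Table -AutoSize
```

For the constructed layout the Calculator and Paint tiles come back with Review = False and the shortcut under C:\Users\Public\Desktop with Review = True.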

Intune – Windows 10 Device Configuration

This post will show how you can set device configurations for MDM enrolled Windows 10 machines in the Intune preview in the Azure portal. This is using Intune standalone and not Intune hybrid. The device configurations I will deploy include setting a wallpaper on a Windows 10 1703 Enterprise machine and setting password restrictions. After configuring the Device configuration policy in Intune, it will also show the user experience in Windows 10.

In the Intune blade, select Device Configuration

IntuneDevCon01

Select Profiles, then select Create Profile

IntuneDevCon02

Type in a Name for the profile, for the Platform select Windows 10 and later, and for Profile type, select Device Restrictions

IntuneDevCon03

For this post, I will create password restrictions. I have selected Password as the category and configured some settings on the right hand side.

IntuneDevCon04

I will also set the desktop background picture in the Personalization category, by pasting in a URL to where I have uploaded the wallpaper. Note that this CSP was only added in Windows 10 1703 and is supported on Enterprise. See https://msdn.microsoft.com/en-gb/windows/hardware/commercialize/customize/mdm/personalization-csp

IntuneDevCon05

Now I will click on Assignments to assign the device configuration policy to my Intune group I created in Azure AD.

IntuneDevCon06

Select the group and click Save.

IntuneDevCon07

Now on my Windows 10 Enterprise 1703 machine I am prompted to change my password.

IntuneDevCon08

And the custom wallpaper has been set.

IntuneDevCon09

Intune – Require Device Encryption (BitLocker) on Windows 10 1703

This post will show how you can create a compliance policy in the Intune preview portal to require Device Encryption (BitLocker) for a Windows 10 1703 Pro or Enterprise machine. It will also show the user experience. I will be testing this on a Hyper-V Gen 2 machine with the TPM enabled.

In portal.azure.com select Intune, then select Device compliance

encryp01

Select Policies

encryp02

Select Create Policy

encryp03

Enter in the name for the policy, and select Windows 10 and later for the Platform. Then select System Security, and select Require under Encryption.

encryp04

Save the policy and click on Assignments to deploy the policy to a user group.

encryp05

On my test Hyper-V Gen 2 machine, I first shut the VM down, right-clicked the VM and clicked Settings, then selected Security and checked the box Enable Trusted Platform Module so that BitLocker can be tested.

You can see that there is a notification now on the Windows 10 1703 Pro/Enterprise machine that Encryption is needed. The user needs to click on it.

encryp06

If you open up the Company Portal, you can also see there is a policy issue. If you click on View, you can see that the device requires encryption.

encryp07

encryp08

When the user clicks the notification that the device needs encryption (either the one in the earlier screenshot or the one in the bottom right corner), they are taken through the encryption wizard.

encryp09

You can choose where to save the key.

encryp10

encryp11

encryp12

If you chose the option to save the BitLocker key to the cloud, you can view the BitLocker key in the Azure portal (portal.azure.com) by going to Azure Active Directory > Users and groups > All Users > select the user > Devices > Select the Device >

encryp13
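
The compliance rule only reports a result after the device has been through the wizard; the PowerShell below checks the device-side state that the rule depends on (a ready TPM, an encrypted OS drive with protection turned on, and a recovery password that can be escrowed to Azure AD). It is an added example, not part of the original post, and uses the built-in TrustedPlatformModule and BitLocker modules on the Windows 10 device.

```powershell
# Added example (not from the original post): report the state behind the
# "Require encryption" compliance rule on a Windows 10 1703 device. Run in an
# elevated PowerShell; cmdlets come from the built-in BitLocker and
# TrustedPlatformModule modules.
function Get-EncryptionReadiness {
    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        VolumeStatus      = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus  = $vol.ProtectionStatus   # Off means the key is exposed even on an encrypted drive
        EncryptionMethod  = $vol.EncryptionMethod
        Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryPasswords = $recovery.Count
        # The drive must be fully encrypted with protection on; a recovery
        # password is what ends up stored under the device object in Azure AD.
        Compliant         = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
    }
}

$state = Get-EncryptionReadiness
$state | Format-List

# If the user saved the key somewhere other than the cloud in the wizard, the
# recovery protector can still be escrowed to the Azure AD device object so it
# shows up under the device in the portal as in the screenshot above.
if ($state.RecoveryPasswords -gt 0) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $id  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[0].KeyProtectorId
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $id
}
```

On the Hyper-V Gen 2 test VM, TpmPresent = False is the first thing to look for if the encryption notification never appears, since it means the Enable Trusted Platform Module checkbox was not applied.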

Deploy .MSI app to MDM enrolled Windows 10 device in Intune preview

This post will show how you can deploy an .MSI to an MDM enrolled Windows 10 machine in the Intune preview in the Azure portal. Note that the device is MDM enrolled in Intune and does not have the Intune client agent installed.

This post will use 7Zip .msi as an example and it will be deployed as “Available” in the Company Portal app for a Windows 10 1703 device.

In the Azure portal (portal.azure.com), click on More Services, then search for Intune and select it.

intunemsi00

Click on Mobile apps

intunemsi01

In the Apps section under Manage, click on Add

intunemsi02

Select Line-of-business app

intunemsi03

Click on the blue browse button and select your MSI (allowed file extensions are ipa, apk, msi, xap, appx, appxbundle.)

intunemsi04

Fill in the required details. For my example I have filled in the Name, Description, Publisher, and also selected an icon.

intunemsi05

The .msi will begin to upload and you will get a notification when the .msi has been uploaded. Once it has been uploaded, you can assign the application to a group.

intunemsi06

The next step is to assign the application to a group. This can be done under Assignments. In my example I have made it Available to my user group called Intune. You can see the other options in the screenshot below.

intunemsi07

Now I will open the Company Portal app on my Windows 10 machine and install 7Zip.

intunemsi08

intunemsi09
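
Anything uploaded here is installed with system privileges on every device it is assigned to, so the package is worth checking before the upload. The PowerShell below is an added example, not part of the original post: it verifies the Authenticode signature of a line-of-business .msi and reads the ProductName, ProductVersion and ProductCode from its Property table, which is what Intune uses to detect the installed app. The file path is a placeholder.

```powershell
# Added example (not from the original post): pre-upload checks on an .msi.
# $MsiPath is a placeholder; point it at the package you intend to upload.
$MsiPath = 'C:\Packages\example.msi'

function Get-MsiProperty {
    param([string]$Path, [string]$Property)
    # Windows Installer COM API via late-bound InvokeMember calls; mode 0 opens
    # the database read-only.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                @("SELECT Value FROM Property WHERE Property='$Property'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $value = if ($rec) { $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1)) }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    $value
}

function Test-MsiPackage {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File           = Split-Path $Path -Leaf
        SHA256         = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        SignatureValid = ($sig.Status -eq 'Valid')
        Signer         = $sig.SignerCertificate.Subject
        ProductName    = Get-MsiProperty -Path $Path -Property 'ProductName'
        ProductVersion = Get-MsiProperty -Path $Path -Property 'ProductVersion'
        ProductCode    = Get-MsiProperty -Path $Path -Property 'ProductCode'
    }
}

$check = Test-MsiPackage -Path $MsiPath
$check | Format-List
if (-not $check.SignatureValid) {
    Write-Warning "Signature status is '$($check.SignatureValid)': verify the package against the vendor's published hash before uploading."
}
```

Record the SHA256 alongside the ProductCode when you file the app in Intune; it lets you confirm later that the package devices received is the one you reviewed.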