Tag Archives: intune

Intune – Require Device Encryption (BitLocker) on Windows 10 1703

This post will show how you can create a compliance policy in the Intune preview portal to require Device Encryption (BitLocker) for a Windows 10 1703 Pro or Enterprise machine. It will also show the user experience. I will be testing this on a Hyper-V Gen 2 machine with the TPM enabled.

In portal.azure.com select Intune, then select Device compliance


Select Policies


Select Create Policy


Enter in the name for the policy, and select Windows 10 and later for the Platform. Then select System Security, and select Require under Encryption.


Save the policy and click on Assignments to deploy the policy to a user group.


On my test Hyper-V Gen 2 machine, I have shut the machine down. Right click on the VM and click Settings, then select Security, and check the box Enable Trusted Platform Module so we can test BitLocker.

You can see that there is a notification now on the Windows 10 1703 Pro/Enterprise machine that Encryption is needed. The user needs to click on it.


If you open up the Company Portal, you can also see there is a policy issue. If you click on View, you can see that the device requires encryption.


When clicking on the notification that the device needs encryption (clicking the notification in the earlier screenshot, or clicking the notification in the bottom right corner) the user needs to go through the encryption wizard process.


You can choose where to save the key.


If you chose the option to save the BitLocker key to the cloud, you can view the BitLocker key in the Azure portal (portal.azure.com) by going to Azure Active Directory > Users and groups > All Users > select the user > Devices > Select the Device >


Deploy .MSI app to MDM enrolled Windows 10 device in Intune preview

This post will show how you can deploy an .MSI to an MDM enrolled Windows 10 machine in the Intune preview in the Azure portal. As noted, the device is enrolled in Intune, and does not have the Intune client installed.

This post will use 7Zip .msi as an example and it will be deployed as “Available” in the Company Portal app for a Windows 10 1703 device.

In the Azure portal (portal.azure.com), click on More Services, then search for Intune and select it.


Click on Mobile apps


In the Apps section under Manage, click on Add


Select Line-of-business app


Click on the blue browse button and select your MSI (allowed file extensions are ipa, apk, msi, xap, appx, appxbundle.)


Fill in the required details. For my example I have filled in the Name, Description, Publisher, and also selected an icon.


The .msi will begin to upload and you will get a notification when the .msi has been uploaded. Once it has been uploaded, you can assign the application to a group.


Next step is to assign the application to a group. This can be done under Assignments. In my example I have made it as Available to my user group called Intune. You can see the the other options below in the screenshot.


Now I will open the Company Portal app on my Windows 10 machine and install 7Zip.


Intune – Require users to use Outlook app on iOS and Android devices

This post will go into how you can use Intune preview in the Azure Portal to set a Conditional Access policy to require iOS and Android users to use the Outlook app, rather than the native iOS mail and Android mail applications. It will also show the user experience for a user using an iOS device and an Android device. To use the Outlook app once the policy has applied, the iOS device needs the Microsoft Authenticator app installed, and Android users need the Company Portal app installed.

In portal.azure.com click on More Services then search for Intune and click on Intune App Protection (you can click the Star to pin it to your list)


Intune App Protection

Now click on Exchange Online under Conditional Access.


Exchange Online – Conditional Access

Click on Allowed Apps, I have selected Allow apps that support Intune app policies


Allowed apps – Conditional Access, Exchange Online

Restricted Groups is where you will choose who to deploy the policy to. In Azure Active Directory, I have created a group called Intune which has my users in there with an Intune license assigned. Its a good idea to deploy this to some test users first, and not to a group with all your users in there.


Restricted user groups – Conditional Access, Exchange Online

On an Android device, I have updated the gmail application to support Office 365. I have added my account. When I check the inbox I can see an email saying that the IT department requires me to use the Outlook app.


On an iOS device, the user experience is very similar. When using the iOS native mail application, as soon as you check the inbox you will see a very similar email stating again that you require to use the Outlook app for Exchange Online.


Like I was saying earlier in the post, for Android you need the Company Portal App, and for iOS you need the Microsoft Authenticator App to register the devices in Azure AD (not enroll, only register). On an Android device, if you do not have the Company Portal app, you will see the following screen


Android – Company Portal app required

And this is the user experience for iOS without the Microsoft Authenticator app



Once the apps are installed you can then login to Exchange Online using the Outlook app.


Intune App Protection Policies

Intune App Policies can be used to protect company data whether the mobile device is enrolled in Intune, or another MDM solution, or not enrolled at all. As long as the users have an Intune license and the App Policy is deployed to the user, the App Policies will work for managed apps. If you have an Intune license, you can login to the Azure Portal (portal.azure.com), click More Services, and search for Intune App Protection to start deploying App Policies.


From my testing, if a user does not have an Intune license, or the App Policy is not deployed to them, they can still use the app as normal without any protection using their work account. You can use the new Azure AD group-based license  in portal.azure.com to license users with Intune (group), and deploy the Intune App Policies to the same group. More can be read here.

At the moment you can create App Policies for iOS and Android devices. If you have an Android you will need to install the Company Portal App, but you do not need to be enrolled or configure it.

When creating an App Policy you are able to select the following apps to protect:


Some of the settings you can configure on the apps include, preventing save as, encrypting app data, requiring PIN for access, preventing copy and paste from non-managed apps and so on. A full list of settings can be seen when you create the policy. In order to create the App Policies see Create and deploy app protection policies with Microsoft Intune. Don’t forget to deploy the policy once you have created it.

End User Experience:

The following screenshots will show the end user experience on an Android Device (with Company Portal installed but not configured or enrolled). iOS is very similar as well:

The policy I set included the Microsoft Word app. When opening it, it says that the organization now protects it, and I must set a 4 digit PIN. One thing to note is that these policies are only enforced when using apps in a Work context, not in a personal context.


Another setting I chose was to not allow cut/copy/paste outside of a managed app. When I try and copy out of Word (managed app) into the Android memo app (non managed app) and paste, I get the following:


You can also view the built-in dashboards in the Intune App Protection section in the Azure portal to view more information about your users. For example the dashboard below shows that I have checked in on my iPhone for Word and OneDrive but not others.



Intune Hyrbid – Setting Edge homepage on Windows 10 machine using configuration baseline

This post will show how to set the Edge browser homepage on a Windows 10 machine enrolled in an Intune Hybrid environment with ConfigMgr 1610. I will create a configuration item, add it to a baseline, and then deploy the baseline to my Intune user collection. For a guide on setting up hyrbrid MDM with ConfigMgr, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

In the ConfigMgr console, right click Configuration Items and select Create Configuration Item


Give the configuration item a name, and select Windows 8.1 and Windows 10 under Settings for devices managed without the Configuration Manager client and click Next.


In the Supported Platforms section, select Windows 10 as the supported platform and click Next.

On the Device Settings section, select Configure additional settings that are not in the default settings groups and select Next.


In the Additional Settings section, click on Add.

In the Available Settings search bar, search for “home” then select Homepages and click Select.


I have given the name a rule and given the Homepages value of “nhogarth.net” – you can make this any site you like then click OK.


Now click Select to select the setting you created.

On the Additional Settings page, click Next.


Click on Close to close the Completion screen.

Now we will create the Configuration Baseline and add the Configuration Item we created.


Give the baseline a name, and then click on Add, then Configuration Items.


Select the Available configuration item, then click on Add then click on OK.

Once the Configuration Item is added to the baseline, click on OK.

Now we will Deploy the baseline to our Intune user group. Right click on the baseline and click on Deploy.


With the selected configuration baseline (top right), select the Remediate non compliant rules when supported, and select your Intune user collection.


Now on our enrolled Windows 10 machine, we can check the compliance in the Company Portal to speed things up.


Now we can see that it has set our Edge browser to use the specified homepage from our Configuration Item.


Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Comapany Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see https://docs.microsoft.com/en-us/sccm/mdm/understand/hybrid-mobile-device-management

First to create the Office 365 click-to-run msi which we will deploy from ConfigMgr to our Intune user group, download and install “Microsoft Office ProPlus Install Toolkit” from http://officedev.github.io/Office-IT-Pro-Deployment-Scripts/XmlEditor.html


Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.




You can choose to exclude certain products if you like.



I have enabled updates.


I have set the Display Level to none, and accepted the EULA.


Make sure the install type is MSI and select the file path to output the msi.


Once you click Generate, you will be left with a 2mb msi which we will deploy through ConfigMgr to our Intune user group.



Now we will create the application in the ConfigMgr console


Make sure to specify the type as Windows Installer through MDM (*.msi) and also specify the UNC path to the earlier generated msi.


Click Yes.


Click Next.


Specify the information you would like here such as Name.


I have left all other options as default and clicked Next.


Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.


Click on the Application Catalog tab and browse and select an icon you would like to use. I searched the web for an icon for Office 365 and made sure its 250×250 in size or smaller.


Now we will deploy the application to our Intune user group.



Make sure to distribute the msi to the Intune distribution point. Select Add then Distribution Point, then select the manage.microsoft.com distribution point.



Click Next


I am deploying this Appliction as Available so the user can install it from the Company Portal.



Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/enroll-hybrid-windows

Click on Start, then Settings.


Select Accounts


Click on Access work or school then click on Connect.


Enter in your details for an account with an Intune license.





Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.


I have installed the Company Portal application from the Windows Store. Once opened, I can see the Microsoft Office 365 ProPlus. Click on it, then click on Install.


If you load up task manager, you can see the set up files running.


After a while you can see the programs in the program list on the Windows 10 machine.


Intune Hybrid – Deploy msi to enrolled Windows 10 machine with ConfigMgr

This post will show how to deploy an MSI application to a Windows 10 machine enrolled as a mobile device in a ConfigMgr Current Branch 1610 environment with an Intune subscription. The Windows 10 machine has already been enrolled and has the Company Portal installed. For details on how to configure hybrid MDM and how to enroll devices, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

Right click Applications, select Create Application.


Make sure to specify the type as Windows Installer through MDM (*.msi) and specify the location of the .msi file. In my example I am using the 32bit 7zip msi.


I have clicked Yes.



I have changed the name and left it as all default information.




Now I will deploy the application as an available application for the user to download and install from the Company Portal. Right click on the application and click Deploy.


I have selected a user collection and clicked Next.


Click on Add then select distribution point, then I will distribute the package to the cloud based intune DP.


I am deploying this as Available in this example and have left all other options as default and clicked Next on each screen.


Now the application is deployed.


In the content status section of the ConfigMgr console, I have made sure that the application has been successfully distributed to the Intune distribution point.


Now on my enrolled Windows 10 (1607) machine I have opened up Company Portal and can see the 7zip application available.


I have clicked on the application and then clicked on Install.


Now 7zip has installed successfully.


Intune Hybrid – Creating compliance setting for iOS device in the ConfigMgr console

In this post, I will be using hybrid Intune with ConfigMgr to create a compliance policy to control the security settings on iOS device, in particular, iPhones. It will also show the user experience on the iPhone. First I will create the Configuration Item for iOS, then I will add the Configuration Item to a Baseline, and then deploy the Baseline to a collection where my Intune enrolled users are located.

I am using ConfigMgr Current Branch 1610 with an Intune subscription and have an iPhone 6 enrolled.

Right click on Configuration Items and select Create Configuration Item


Give the configuration item a name first, then under Settings for devices without the Configuration Manager client, select iOS and Mac OS X


I am only using this for iPhones so I have selected iPhone as the platform.


A list of groups for the device settings are displayed. In this example I have only selected Password. You can select the other groups to view which settings you can control.


In this example, I have selected the Minimum password length (characters) to be 6. Currently the iPhone has a passcode of 4 characters. I have selected the Number of failed logon attempts before device is wiped to 4. I have also selected Password complexity to be Strong and Number of complex Characters required in password to be 2.



Now that the configuration item has been created, it needs to be added to a Baseline.Right click on Configuration Baselines and select Create Configuration Baseline.


Give the baseline a name and click on Add, then Configuration Items.


Select the Configuration Item that was created before and click Add.


Now I will deploy the Baseline. Right click the Baseline and select Deploy.


The configuration baseline is already selected. I have selected Remediate noncompliant rules when supported. I have also selected a user collection I would like to deploy the baseline to.


This iPhone had a 4 digit passcode originally. The configuration item I configured said the iPhone needs a 6 character passcode length. Because the iPhone is not compliant, a Passcode Requirement prompt is on the iPhone giving the user 60 minutes to configure the new passcode. Once the user presses continue, the user is forced to set a 6 character passcode with 2 special characters.


Intune Hybrid with ConfigMgr – Deploying required app to iOS from App Store

This post will show how to deploy a required application to an iPhone (or iOS device) from the App Store (Microsoft Excel) and also create a Mobile Application Management (MAM) Policy as Microsoft Excel requires it. My environment below is ConfigMgr Current Branch 1610 with an Intune subscription.

In the ConfigMgr console, go into Software Library, right click Applications and select Create Application


Select the type App Package for iOS from App Store. Paste the link of the app from the App Store. In this example, I have pasted the link for Microsoft Excel. You can browse the other apps from https://itunes.apple.com and get the link  and paste it in. Click Next.



You can add the required information here and click Next.


Click Next



Now we will create our MAM (mobile application management) policy for Microsoft Excel, as it is required before we deploy the application. Right click on Application Management Policies and select Create Application Management Policies.


Select the platform as iOS.


I have left the options as default.



Now we can deploy our Microsoft Excel application we created before. Select the Application, right click and select Deploy.


I will be deploying it to my Intune Users collection


In my example, I am deploying it as Required. Alternatively you can deploy it as Available and then download it from the Company Portal app.


All other options have been left as default. Now on the Application Management section I have selected the MAM policy I created before. If you didn’t create this MAM policy then you will not be able to proceed (For Microsoft Excel anyway)


Now I am going to initiate a Send Sync Request to my iPhone.


Once the iPhone receives the policy, because it was a required application I deployed, the iPhone is presented with this screen. Microsoft Excel will begin to install.


Intune Hybrid MDM – Remote Wipe iPhone

This post will show how you can use ConfigMgr (I am using ConfigMgr Current Branch 1610) with an Intune subscription (hybrid MDM) to completely wipe an iPhone if it has been lost or stolen. When doing a full wipe, it will restore the iPhone to its factory settings (removing all company and user data).

In the ConfigMgr console, select the device and right click and select Remote Device Actions, then select Retire/Wipe


The warning below will be displayed where you can either do a selective wipe, or a full wipe. In my example, I will be doing a full wipe.


Another warning is displayed


I will send a sync request from the console to save time (new feature in ConfigMgr Current Brach 1610)


Once the iPhone has received the sync request, you can see it is now doing a full factory restore, removing all company and user data.

iphonewipe5   iphonewipe6