This is a pretty cool improvement for Conditional Access: as an IT admin you can require that your end users are on a compliant device before they can set up or change the security information used for Azure MFA or Azure AD password reset. Device compliance requires that the device is managed by Intune and has a compliance state of true. There are also other conditions you can test on, such as location or Hybrid Azure AD joined device; it is up to you and your company's security policy how to configure the new Conditional Access rule.
Start your favorite portal for Azure AD management
Go to the Conditional Access blade – create a new Conditional Access policy
Name : Register security information – trusted device
Click Users and groups
Select a group for testing – and when you are satisfied with the result you can move to All users
Note: It is a good idea to put your break-glass global admin account on the Exclude tab.
Click Cloud apps or actions
Select User actions
Click Register security information (preview)
Under Access controls – Click Grant
Select Require device to be marked as compliant
Note: If you don’t have any Intune-compliant devices, then you are not able to verify the security settings on the user, and the user is not able to log in to Azure AD!
You are ready to Enable the policy and test it.
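The same policy expressed as the request body the Microsoft Graph conditionalAccess API accepts, with a lint for the two lockout conditions the notes above warn about. This is an added example, not code from the original post; the Graph field names are the v1.0 conditionalAccessPolicy schema as I know it, and the object IDs are constructed placeholders.

```python
"""Conditional Access: require a compliant device to register security information.

Added example, not code from the original post. It expresses the portal steps above
as the body the Microsoft Graph conditionalAccess API accepts and lints it for the
two lockout conditions the notes warn about (no break-glass exclusion, no compliant
devices). The object IDs are constructed placeholders.
"""

PILOT_GROUP_ID = "00000000-0000-0000-0000-000000000001"       # constructed placeholder
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000002"  # constructed placeholder

# Graph identifiers for the "Register security information" user action and the
# "Require device to be marked as compliant" grant control.
USER_ACTION_REGISTER_SECURITY_INFO = "urn:user:registersecurityinfo"
GRANT_COMPLIANT_DEVICE = "compliantDevice"


def build_policy(include_groups, exclude_users, state="enabled"):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies."""
    return {
        "displayName": "Register security information - trusted device",
        "state": state,
        "conditions": {
            "users": {"includeGroups": list(include_groups),
                      "excludeUsers": list(exclude_users)},
            "applications": {"includeUserActions": [USER_ACTION_REGISTER_SECURITY_INFO]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [GRANT_COMPLIANT_DEVICE]},
    }


def lint_policy(policy, compliant_device_count):
    """Return the problems that would lock admins or users out once the policy is enabled."""
    problems = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    controls = policy["grantControls"]["builtInControls"]
    if not users.get("excludeUsers"):
        problems.append("no break-glass account excluded")
    if USER_ACTION_REGISTER_SECURITY_INFO not in apps.get("includeUserActions", []):
        problems.append("policy does not target the register security information action")
    if GRANT_COMPLIANT_DEVICE in controls and compliant_device_count == 0:
        problems.append("requires a compliant device but no Intune-compliant devices exist")
    return problems


if __name__ == "__main__":
    import json
    policy = build_policy([PILOT_GROUP_ID], [BREAK_GLASS_USER_ID])
    print(json.dumps(policy, indent=2))
    # With zero compliant devices the lint reports the lockout the note above describes.
    print("problems:", lint_policy(policy, compliant_device_count=0))
```

Run the lint against the real count of compliant devices in your tenant before flipping the policy from the test group to All users.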
How is the user experience?
If your users are not enrolled in MFA or Azure AD password reset, then when they log in to a service that uses Azure AD (an example could be Office 365) the end user will be prompted to set up additional security information.
The end user will also be prompted at the interval that is set up in the Azure AD Password reset service.
You will get a message that says “You can’t get there from here” if the device is not compliant.
If you are using a browser that does not have insight into the device compliance status, you need to install the extension or use a browser that supports device compliance status. Otherwise you will get this message
There is a new Apple Enrollment admin experience along with some new features. This was announced in What’s new in Microsoft Intune, week of February 19, 2018 (https://docs.microsoft.com/en-us/intune/whats-new), where it is stated that the new Apple Enrollment features are only enabled in newly created tenants; for the rest of us the feature is being rolled out through April.
What is new in the Apple Enrollment?
You can find the new features in:
Device enrollment
Apple enrollment
Apple MDM Push certificate
In the Apple MDM Push certificate there is nothing new:
The same applies to the Apple Configurator settings – the only news here is a design facelift
All the real news is in the Enrollment program tokens, also known as the Apple DEP program
Intune now supports enrolling devices from up to 100 different Apple Device Enrollment Program (DEP) or Apple School Manager accounts. Each token uploaded can be managed separately for enrollment profiles and devices. A different enrollment profile can be automatically assigned per DEP/School Manager token uploaded. If multiple School Manager tokens are uploaded, only one can be shared with Microsoft School Data Sync at a time.
The first change is:
Click Enrollment program tokens
Select the DEP token where you want to make the changes – settings and features are per DEP token
Under profiles you can now set Default Profile
This is the same feature that was in the Silverlight Portal of Intune before Microsoft migrated the feature to Azure Portal.
Select Set Default Profile
Now you can select the DEP profile you want to set as default when new devices are synced to Intune from Apple’s DEP program.
The second change is:
When using User Affinity you can change from authenticating with the Apple Setup Assistant to authenticating with the Company Portal. When you do this, Intune skips user authentication in the iOS Setup Assistant and modern authentication is enabled, which means Azure Active Directory multi-factor authentication can be enforced for the end user without blocking Apple DEP enrollment methods.
This is a blog post on how to create an Enterprise Deployment of Adobe Reader.
First you need to download the Adobe Reader Enterprise
Select an Operating system
Select a language
Select a version
After you have downloaded the installer you can extract the .exe file so you can access the .MSI file
The parameters are:
-sfx_ne : Do not execute any file after installation (overrides the -e switch). This switch should be used if you only want to extract the installer contents and not run the installer.
-sfx_o : Specifies the name of the folder where the expanded package is placed. The folder name should be enclosed in quotation marks. It is best if you do not use an existing folder.
-sfx_nu : Silently extracts the installation files from the EXE.
This is not a blogpost about the use of Surface Hub, but only the modern management capabilities and the Microsoft tools to support it.
There are two sections in this blog post:
Microsoft Active Directory or Azure Active Directory
Settings management of the Surface Hub – divided in 3 solutions
Provisioning profiles
MDM management with Intune standalone
MDM management with SCCM
The first thing you need to know about the Surface Hub is that it runs Windows 10 Team – not the same version as on your modern device, laptop or desktop – but Windows 10 Team is based on Windows 10 Enterprise. You can log in to Edge, the Windows Store and other apps, but credentials are deleted when users press I’m done.
Windows 10 Team also has a lot of built-in security features:
Surface Hubs are not managed like traditional PCs. Use MDM or provision profiles to configure settings.
The first decision you need to make is whether you want to join the Surface Hub to Active Directory or to Azure Active Directory. What is the difference?
Active Directory:
Grant admin rights to members of a specified security group in AD.
Back up the device’s BitLocker recovery key by storing it under the computer object in AD. See Save your BitLocker key for details.
Synchronize the system clock with the domain controller for encrypted communication
Surface Hub does not support applying group policies or certificates from the domain controller.
Azure Active Directory:
Grant admin rights to members of Azure AD Global Admin (Azure AD Basic)
Grant admin rights to a specific user in Azure AD (Azure AD Premium). If you use this option, all Azure AD joined devices get that user as a local admin!
Back up the device’s BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See Save your BitLocker key for details.
Automatic MDM enrollment in Microsoft Intune (AzureAD Premium)
Surface Hub does not support single sign-on for Windows Store for Business on an Azure AD joined device.
The second decision you need to make is whether you want to use MDM or provisioning profiles to configure your Surface Hub. These are only examples of what you can configure with provisioning profiles and MDM management.
Provisioning profiles:
Use the Windows Imaging and Configuration Designer (ICD) to create a provisioning profile – download the Windows ADK
The manual process to apply a provision profile on the Surface Hub
As part of the OOBE
Full OS in the settings App
Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
Here is an example of setting a custom WSUS server and changing the MaintenanceHours start time from the default 03 to 01.
Start the ICD
Select Advanced provisioning
Enter a name for your ICD project
Select “Common to Windows 10 Team edition”
Here is a list of the common settings on Windows 10 Team
Go to – WindowsTeamSettings – MaintenanceHours – StartTime
Set the value to 01 – this changes the default value, in this case from 03
Go to Runtime settings – Policies – Update – UpdateServiceUrl
Change the value to match your WSUS server – in my case http://wsus.isddeployment.dk:8530
Save the provisioning profile and you are ready to use it on your Surface Hub.
Go to the Settings App – This Device – Device Management – Add or Remove Provisioning package
MDM Management:
Intune Standalone
Intune hybrid with System Center Configuration Manager (SCCM)
On-premises Mobile Device Management in System Center Configuration Manager (requires SCCM 1602 or newer)
Here are a couple of examples of setting a custom configuration policy with Intune standalone.
Go to: http://manage.microsoft.com
Create a “General Configuration (Windows 10 Team and later)” policy
Enter the settings you need, save, and deploy it to your Surface Hub device group.
A new setting is “Enable Azure Operational Insights”, so that the Surface Hub will be monitored by the Surface Hub solution in Microsoft Operations Management Suite.
And it will show up on the Surface Hub Device
Another example is a “Custom Configuration (Windows 10 Desktop and Mobile and Later)”
Here I will set a home page in the Edge browser and set my own WSUS server on the Surface Hub.
Go to: http://manage.microsoft.com
Create a “Custom Configuration (Windows 10 Desktop and Mobile and Later)” policy
Here are the Edge home pages changed from Intune
The settings with Intune standalone are the same as in SCCM.
SCCM with Intune hybrid and SCCM with on-premises MDM use the same wizards and settings, no matter which solution you choose.
This is a walk-through of the same settings as I configured with Intune standalone.
Go into the SCCM Console – Assets and Compliance
Click Create Configuration Item
Enter a Name
Select “Settings for devices managed without the Configuration Manager Client” – Windows 8.1 and Windows 10
Click Next
Select Windows 10 – All Windows 10 Team and higher
Click Next
Click Next
Enter the settings you need, save, and deploy it to your Surface Hub device group.
A new setting is “Enable Azure Operational Insights”, so that the Surface Hub will be monitored by the Surface Hub solution in Microsoft Operations Management Suite.
Click Next
Click Next
Click Close
Now the CI can be deployed with a Configuration Baseline
Another example is a “Custom Configuration (Windows 10 Desktop and Mobile and Later)”
Here I will set a home page in the Edge browser and set my own WSUS server on the Surface Hub.
Create a new Configuration Item
Enter a name
Select “Settings for devices managed without the Configuration Manager Client” – Windows 8.1 and Windows 10
Click Next
Here you need to select the Windows 10 section
Click Next
Select “Configure additional settings that are not in the default settings group”
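The three walk-throughs above (ICD provisioning package, Intune standalone custom configuration, and the SCCM configuration item) all set the same Surface Hub values: a custom WSUS server, the maintenance start time moved from 03 to 01, and an Edge home page. This added example, which is not code from the post and not the portal or wizard flow it uses, expresses those values as the OMA-URI settings of a Microsoft Graph windows10CustomConfiguration; the CSP paths are my reading of the Policy CSP and SurfaceHub CSP documentation and are stated as assumptions, and the intranet home page URL is a constructed placeholder.

```python
"""Surface Hub custom configuration as OMA-URI settings (added example, not the post's code).

The CSP paths below are assumptions based on the Policy CSP (Update, Browser areas)
and the SurfaceHub CSP; verify them against the CSP reference for your OS build.
"""
from urllib.parse import urlsplit

URI_WSUS = "./Device/Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl"          # assumed
URI_EDGE_HOMEPAGES = "./Device/Vendor/MSFT/Policy/Config/Browser/HomePages"      # assumed
URI_MAINT_START = "./Vendor/MSFT/SurfaceHub/MaintenanceHoursSimple/Hours/StartTime"  # assumed


def minutes_from_midnight(start):
    """Convert the hour entered in ICD ('01', or 'HH:MM') to the CSP's minutes-from-midnight."""
    parts = start.split(":")
    hours = int(parts[0])
    minutes = int(parts[1]) if len(parts) > 1 else 0
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid maintenance start time: {start!r}")
    return hours * 60 + minutes


def check_wsus_url(url):
    """Reject values without an http(s) scheme and host; the CSP would not fall back to Windows Update cleanly."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"WSUS URL must be http(s)://host[:port], got {url!r}")
    return url


def oma(display_name, uri, value):
    """One omaSettings entry; Graph uses a different @odata.type for integer and string values."""
    kind = "omaSettingInteger" if isinstance(value, int) else "omaSettingString"
    return {"@odata.type": f"#microsoft.graph.{kind}",
            "displayName": display_name, "omaUri": uri, "value": value}


def build_surface_hub_custom_config(wsus_url, maintenance_start, home_pages):
    """Body for POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations."""
    settings = [
        oma("WSUS server", URI_WSUS, check_wsus_url(wsus_url)),
        oma("Maintenance start", URI_MAINT_START, minutes_from_midnight(maintenance_start)),
    ]
    if home_pages:
        # Browser/HomePages takes the URLs concatenated as <url1><url2>...
        settings.append(oma("Edge home pages", URI_EDGE_HOMEPAGES,
                            "".join(f"<{page}>" for page in home_pages)))
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": "Surface Hub - WSUS, maintenance window, Edge home page",
        "omaSettings": settings,
    }


if __name__ == "__main__":
    import json
    # Sample input: the WSUS URL from the post and a constructed intranet home page.
    print(json.dumps(build_surface_hub_custom_config(
        "http://wsus.isddeployment.dk:8530", "01", ["https://intranet.example.com"]), indent=2))
```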
OMS Office 365 management solution now in public preview.
With the Office 365 solution, you can perform the following types of management activities:
Monitor user activities on your Office 365 accounts to analyze usage patterns as well as identify behavioral trends. For example, you can extract specific usage scenarios, such as files that are shared outside your organization or the most popular SharePoint sites.
Monitor admin activities to track configuration changes or high privilege operations.
Detect and investigate unwanted user behavior, which can be customized for your organizational needs.
Demonstrate audit and compliance. For example, you can monitor file access operations on confidential files, which can help you with the audit and compliance process.
Perform operational troubleshooting by using OMS Search on top of Office 365 activity data of your organization.
Start your Microsoft OMS Workspace or create a new one.
Go into Settings
Click Visit the Gallery
Select the Office 365 (Preview) Solutions
Click Add
Click Office 365 on the Dashboard
Click Connect Office 365
Enter your Office 365 global admin account and sign in
Click Accept
Now it is just a matter of waiting for the next 4 hours
I will create another blogpost about what OMS Office 365 management solutions can be used for when I get some data in my OMS Workspace.
Windows 10 Enterprise E5 is the newest offer for customers who want to take advantage of everything in E3 with the addition of Windows Defender Advanced Threat Protection (Windows Defender ATP) – a new service that helps enterprises detect, investigate, and respond to advanced attacks on their networks.
Building on the existing security defenses in Windows 10, Windows Defender ATP provides a new post-breach layer of protection to the Windows 10 security stack. With a combination of client technology built into Windows 10 and a robust cloud service, it can help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations.
Ensure that you have a Windows 10 Enterprise E5 license in your Azure AD tenant
Sign in to Azure AD with your global admin
Go to http://securitycenter.windows.com/
Click next
Select the location for your data storage
This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
Select the location for data storage. For more information, see the Data storage and privacy section in the Windows Defender ATP guide.
Click Next
Select the retention time for your data – the default is 180 days
Click Next
Select your organization size
Click Next
Select your industry preferences – this can be changed in the Windows Defender ATP portal at a later point.
Click Next
Click Continue
The Windows Defender ATP cloud instance is now being created within your tenant
Now the setup is complete.
You can select your deployment tool and download packages for the one you want to use.
This can also be done from the Windows Defender ATP portal at a later time.
Now you are ready to onboard your clients
Here is my blog post: How to get Windows 10 onboarded with Windows Defender ATP – Intune (MDM)
In Windows 10 1703, Windows Defender Security Center was first introduced.
In Windows 10 1709 there are a lot of new policies and settings, and one of them is settings for Windows Defender Security Center. Windows 10 1709 is still in the insider ring and subject to change. Microsoft is investing a lot in configuring Windows 10 when it is MDM managed – but there will never be as many settings in CSPs as there are in GPO.
I will show how to hide “Family options” and leave the rest; they can all be hidden with different CSPs.
Some of the other new settings in Windows Defender Security Center are company customization with branding and custom information (phone using Skype, email, help portal URL) in Windows Defender Security Center. For the custom settings to take effect on the device you need to set EnableCustomizedToasts or EnableInAppCustomization to enabled.