Intune's updated release of administrative templates lets you use Intune to configure select Group Policy settings for Windows PCs. These templates use the Policy Configuration Service Provider (CSP) to expose up to 2500 additional settings from Office, Windows, and OneDrive.
With the ADMX-based policies in Intune we can easily create a policy that enables OneDrive Known Folder Move (KFM). In my opinion KFM is necessary to give the end user the best experience on a Microsoft 365 driven device, and it takes just three policy settings to enable it for users.
To get started you need information on your tenant ID:
Go into your favorite Azure Active Directory (AAD) tool and get your tenant ID.
Click Properties
Copy the Directory ID and save it for later.
How to create the policy in Intune:
Start the M365 Device Management Portal
Select Device configuration
Select Profiles
Select Create profile
Enter a name : OneDrive KFM
Platform : Windows 10 and later
Profile type : Administrative Templates
Click Settings
Search for OneDrive
Then find and configure the three settings needed to get KFM to work; you can also set other settings as needed in your environment.
Silently sign in users to the OneDrive sync client with their Windows credentials
Use OneDrive Files On-Demand
Silently move Windows known folders to OneDrive
Select Enabled for each of the three settings.
For "Silently move Windows known folders to OneDrive", enter the tenant ID you copied from the AAD portal.
Select No for showing a notification to users after the folders have been redirected.
You end up with a policy containing these three settings and are ready to deploy it.
What it looks like from the end user perspective:
First of all, the end user's OneDrive version has to be at least the 2018 build 18.116.0610.0002. I have seen that even if OneDrive has been updated for one user on the device, user number two can have a different OneDrive version, and therefore KFM will not work for that user.
OneDrive gets a new tab called "Auto Save" when KFM is enabled.
The known Windows folders get the OneDrive sync icon.
The known Windows folders will show up in OneDrive
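To check a device before deployment, here is an added PowerShell example (not from the original post) that audits the three registry values the ADMX-backed Intune profile writes under the OneDrive policy key, and checks the OneDrive build for every user profile on the machine, since OneDrive installs per user and an outdated build for the second user is exactly the case described above. The tenant ID is a placeholder GUID to replace with your own.

```powershell
# Added example: audit the three OneDrive KFM policy values and the per-user OneDrive build.
# Assumption: $ExpectedTenantId is a placeholder; replace it with the Directory ID from AAD.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'
$MinimumBuild     = [version]'18.116.0610.0002'   # oldest OneDrive build that supports KFM

# Registry values the ADMX-backed Intune profile writes for the three settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$Expected = [ordered]@{
    SilentAccountConfig            = 1                   # Silently sign in users with Windows credentials
    FilesOnDemandEnabled           = 1                   # Use OneDrive Files On-Demand
    KFMSilentOptIn                 = $ExpectedTenantId   # Silently move known folders (tenant ID)
    KFMSilentOptInWithNotification = 0                   # "Show notification to users" = No
}

function Test-KfmPolicy {
    # Compare each expected value with what is actually present on the device.
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ("$actual" -eq "$($Expected[$name])")
        }
    }
}

function Test-OneDriveVersionPerUser {
    # OneDrive lives under each profile's %LOCALAPPDATA%, so every user can run a different build.
    foreach ($userProfile in Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory) {
        $exe = Join-Path $userProfile.FullName 'AppData\Local\Microsoft\OneDrive\OneDrive.exe'
        if (-not (Test-Path $exe)) { continue }
        # Strip any trailing text so the string parses as a System.Version.
        $build = [version]((Get-Item $exe).VersionInfo.FileVersion -replace '[^\d.].*$', '')
        [pscustomobject]@{
            User       = $userProfile.Name
            Build      = $build
            KfmCapable = ($build -ge $MinimumBuild)
        }
    }
}

Test-KfmPolicy              | Format-Table -AutoSize
Test-OneDriveVersionPerUser | Format-Table -AutoSize
```

Run it elevated on a test device after the profile has applied; a user row with KfmCapable False is the case where KFM silently does nothing for that user until OneDrive is updated.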
Happy deployment
Read more at :
Migrate Your Files to OneDrive Easily with Known Folder Move
Our new TeamViewer integration delivers a remote assistance solution for Intune agent-managed Windows PCs.
We’ve introduced a TeamViewer Connector within the Intune admin console that allows you to register your company’s TeamViewer account with Intune. Once you’ve done this, your end users can use the Intune Center on their PCs to request remote assistance, and they’ll receive help from your help desk through a TeamViewer connection. All of the TeamViewer features are available to use during your remote session including chat, remote restart, video, screen annotation, file transfer, and more.
If you’re not already using TeamViewer and want to see how this works, get started with a trial account from TeamViewer. Once you’ve tried it out, jump over to the TeamViewer site to purchase a license from TeamViewer. There are several license options, and all of them work with Intune. For more information about Intune and TeamViewer, please visit their site.
To integrate TeamViewer into Intune, go to https://manage.microsoft.com:
Admin –> TeamViewer –> Enable
Select Accept
Click Enable
Sign In to your TeamViewer Account
Click Allow
Click Close
Now TeamViewer is enabled and ready to use in Intune
I have upgraded a customer's AD Connect to the new version just released, where the Device Writeback feature has gone from preview to GA. (Remember that Device Writeback is an Azure AD Premium feature.)
Device writeback was enabled as described in this guide: https://azure.microsoft.com/da-dk/documentation/articles/active-directory-aadconnect-get-started-custom-device-writeback/
The only problem was that it was not working 😦
The devices came from Azure AD into the AD Connect database, but not into the local AD. After some searching for errors together with Microsoft Support, the solution was found.
The solution was to run "Refresh directory schema" in Azure AD Connect.
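As an added verification (not from the original post), this PowerShell snippet checks the two prerequisites that a stale schema cache hides, namely that the on-premises schema contains the msDS-Device class and that the RegisteredDevices container exists, and then lists the devices that have actually been written back. It assumes the ActiveDirectory module is available and runs in the domain that device writeback targets.

```powershell
# Added example: confirm device writeback works after "Refresh directory schema".
Import-Module ActiveDirectory

$DomainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=com
$SchemaNc = (Get-ADRootDSE).schemaNamingContext

# 1. Schema check: device writeback needs the msDS-Device class (Windows Server 2012 R2 schema or later).
$deviceClass = Get-ADObject -SearchBase $SchemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msDS-Device))'
if (-not $deviceClass) {
    Write-Warning 'msDS-Device class not found in the schema; extend the schema before retrying.'
}

# 2. Container check: Azure AD Connect writes devices under CN=RegisteredDevices,<domain DN>.
#    The container is created by Initialize-ADSyncDeviceWriteback from the AdSyncPrep module.
$container = "CN=RegisteredDevices,$DomainDn"
$containerObj = Get-ADObject -SearchBase $container -SearchScope Base -LDAPFilter '(objectClass=*)' `
    -ErrorAction SilentlyContinue
if (-not $containerObj) {
    Write-Warning "$container does not exist; run Initialize-ADSyncDeviceWriteback first."
}

# 3. Object check: list written-back devices with the attributes that tie them to Azure AD.
Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' -SearchBase $container `
    -Properties 'msDS-DeviceID', 'msDS-IsEnabled', 'msDS-CloudAnchor', 'whenCreated' |
    Select-Object Name, 'msDS-DeviceID', 'msDS-IsEnabled', 'msDS-CloudAnchor', whenCreated |
    Format-Table -AutoSize
```

An empty result from step 3 while the connector space already holds the devices is the symptom described above; after the schema refresh and a full sync the msDS-Device objects should appear here.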
Microsoft has released CU1 for SCCM 2012 R2: http://support.microsoft.com/kb/2938441/da
New stuff:
OSD fix for UEFI devices: task sequences may fail on a UEFI-based client if the "Format and Partition" task sequence step runs twice.
Anti-malware platform updates for Endpoint Protection will now be released through Microsoft Update (MU): http://blogs.technet.com/b/configmgrteam/archive/2014/03/27/anti-malware-platform-updates-for-endpoint-protection-will-be-released-to-mu.aspx
FEP and SCEP anti-malware protection support after OSes reach end-of-life: http://blogs.technet.com/b/configmgrteam/archive/2014/03/27/fep-and-scep-anti-malware-protection-support-after-oses-reach-end-of-life.aspx (for example, for Windows XP this stage starts on July 14th, 2015).
I started this blog post series with "How to get started with Conditional Access" and will continue with some use cases. These use cases can be combined or implemented stand-alone; it all depends on what your organisation wants to accomplish.
In this use case we add an extra layer of security on top of Azure Active Directory by disabling legacy authentication for ServiceNow and the other apps that provide access through Azure Active Directory. This is a recommendation I make in EMS projects at customers, and it is an easy way to stop the bad guys from accessing your corporate data: legacy protocols only carry a username and password, so a stolen password is all an attacker needs. After blog post #2 in the series about enabling MFA you already have modern authentication enabled on your tenant.
By disabling legacy authentication you block access over insecure protocols, which you need in order to be secure going forward. Enabling this closes the loophole in Conditional Access where a client can be made to fall back to legacy authentication when modern authentication fails, and thereby skip the controls the policy requires. By design it will block:
Older Office clients that do not use modern authentication (e.g., Office 2010 client)
Clients that use mail protocols such as IMAP/SMTP/POP
The policy design is to block legacy authentication when:
Accessing all services integrated with Azure AD
From Mobile apps and desktop clients
Inside or Outside of the corporate network
On any devices
Note: before blocking legacy authentication for Office 365, modern authentication must be enabled on the tenant, otherwise the Office clients have no supported way left to sign in.
Start the Azure Active Directory admin center
Click Azure Active Directory
Click Conditional Access
Click New policy and enter a name that makes sense to you: "CA – Block Legacy authentication"
Select Assignments
Select All users
It is recommended to target a test group first and then roll out to production in phases.
Select Cloud apps
Under Include, select All cloud apps
Important : Don’t lock yourself out! Please read and understand what you are doing so you don’t lock you out of the Azure Management Portal
Select Cloud apps
Select Exclude – Selected apps
Select Microsoft Intune Enrollment
Note: when you create a Conditional Access policy that blocks, you need an exclusion on users, apps or conditions.
Select Conditions
Select Device Platform
Click Configure – Yes
Select All platforms (Including unsupported)
If you for some reason want different rules for different operating systems, this is the place to select them.
Note: if you have applications that do not understand modern authentication, for example users running Office 2010 on the internal network, and the application cannot be upgraded, you need another solution. One example is to use the Locations condition to allow legacy authentication only from inside the corporate network.
Select Conditions
Select Client Apps
Select Configure – Yes
Select Mobile apps and desktop clients – other clients
Select Access controls
Select “Block Access”
The Conditional Access policy is now created and only takes effect when you set Enable policy to On.
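The same policy can be created with the Microsoft Graph PowerShell SDK, which did not exist when the portal steps above were written. The following is an added example, not code from the original post: it builds the policy exactly as clicked through above (all cloud apps, Microsoft Intune Enrollment excluded, all platforms, legacy client apps, block), but starts it in report-only mode against a pilot group with a break-glass account excluded, which is the safe way to do the phased rollout and the "don't lock yourself out" caveat. The two GUIDs are placeholders; the Intune Enrollment app ID is looked up rather than hard-coded.

```powershell
# Added example: create "CA – Block Legacy authentication" via Microsoft Graph.
# Assumptions: Microsoft.Graph module installed; $PilotGroupId and $BreakGlassUserId are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

$PilotGroupId     = '11111111-1111-1111-1111-111111111111'   # placeholder: phase-1 test group
$BreakGlassUserId = '22222222-2222-2222-2222-222222222222'   # placeholder: emergency-access account

# Resolve the "Microsoft Intune Enrollment" app ID from the tenant instead of hard-coding it.
$intuneEnrollment = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune Enrollment'" -Property AppId
if (-not $intuneEnrollment) { throw 'Microsoft Intune Enrollment service principal not found in this tenant.' }

$policy = @{
    displayName = 'CA – Block Legacy authentication'
    # Report-only first: sign-in logs show what would be blocked without enforcing anything.
    # Switch to 'enabled' once the impact has been reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)        # phase 1; for production use includeUsers = @('All')
            excludeUsers  = @($BreakGlassUserId)    # never lock out the break-glass account
        }
        applications = @{
            includeApplications = @('All')
            excludeApplications = @($intuneEnrollment.AppId)   # device enrollment must keep working
        }
        platforms = @{
            includePlatforms = @('all')             # "All platforms (including unsupported)"
        }
        # The 2018 portal listed legacy clients under "Mobile apps and desktop clients – other clients";
        # Graph exposes them as 'other' plus 'exchangeActiveSync', which also uses basic auth.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After a few days in report-only mode, review the sign-in log for the policy result, widen the users to All, and set the state to enabled.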
Now for the end user experience:
If the end user is using an application that understands modern authentication there is no change. If the end user is using an application that does not, such as Office 2010, some mail clients on Android and others, the sign-in is blocked.
Here is an example where the end user tries to use the mail client on a Samsung Android phone with IMAP and gets blocked:
Looking at the sign-in logs in Azure AD shows how many attempts there are with legacy authentication.
Within the Sign-ins log we can see all the failed login attempts with legacy authentication, in this case POP.
Note: when legacy authentication is not blocked, there are approved applications that can fall back to legacy authentication even if you have a Conditional Access rule that requires MFA, so the MFA requirement is bypassed.
You can also use Power BI to investigate sign-ins you don't recognise.
Start Microsoft Power BI: https://powerbi.microsoft.com
In almost every tenant where I have started using Conditional Access, there have been sign-ins, both failed and successful, from places and applications the companies are using.
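The view shown in the Sign-ins blade above (which protocols, which apps, which users, blocked or not) can also be produced from the sign-in data directly. The following is an added example, not from the original post: a function that summarises legacy-authentication sign-ins per protocol and application, run here over constructed sample records in the shape of the Microsoft Graph signIn resource. In a live tenant you would feed it the output of Get-MgAuditLogSignIn instead.

```powershell
# Added example: summarise legacy-auth sign-ins from Azure AD sign-in records.
# The sample records at the bottom are constructed; replace them with Get-MgAuditLogSignIn output.

# clientAppUsed values that mean basic/legacy authentication in the Azure AD sign-in log.
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Exchange Web Services', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
    'MAPI Over HTTP', 'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)', 'Other clients'
)

function Get-LegacyAuthSummary {
    param([Parameter(Mandatory)][object[]]$SignIns)

    $SignIns |
        Where-Object { $LegacyClientApps -contains $_.clientAppUsed } |
        Group-Object clientAppUsed, appDisplayName |
        ForEach-Object {
            $group = $_.Group
            [pscustomobject]@{
                ClientApp   = $group[0].clientAppUsed
                App         = $group[0].appDisplayName
                Attempts    = $_.Count
                # status.errorCode 0 is success; 53003 is "blocked by Conditional Access".
                Succeeded   = @($group | Where-Object { $_.status.errorCode -eq 0 }).Count
                BlockedByCA = @($group | Where-Object { $_.status.errorCode -eq 53003 }).Count
                Users       = (@($group.userPrincipalName) | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Attempts -Descending
}

# Constructed sample: three POP3 attempts blocked by CA, one IMAP4 success from before the block,
# and one modern-auth browser sign-in that must not show up in the summary.
$sample = @'
[
 {"userPrincipalName":"alice@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","status":{"errorCode":53003}},
 {"userPrincipalName":"alice@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","status":{"errorCode":53003}},
 {"userPrincipalName":"bob@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"POP3","status":{"errorCode":53003}},
 {"userPrincipalName":"carol@contoso.com","appDisplayName":"Office 365 Exchange Online","clientAppUsed":"IMAP4","status":{"errorCode":0}},
 {"userPrincipalName":"carol@contoso.com","appDisplayName":"Office 365 SharePoint Online","clientAppUsed":"Browser","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

Get-LegacyAuthSummary -SignIns $sample | Format-Table -AutoSize
```

A row with Succeeded greater than zero is the case to chase before enabling the block: a real user (or a real attacker) is getting in over a protocol that never sees MFA.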
It is recommended to block all legacy authentication where possible. If for some reason there are applications that still need legacy authentication, limit from where, from which devices or to which applications it is allowed, instead of allowing legacy authentication by default.
For some Office 365 services it is possible to block legacy authentication at the service level (SharePoint, OneDrive, etc.) without Conditional Access, so if you do not have an Azure AD P1 license, take a look at that option.
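As an added example (not from the original post) of that service-level option, the block below turns off legacy authentication protocols for SharePoint Online, which OneDrive for Business also uses, and goes one step beyond the page by doing the same for the POP/IMAP/SMTP clients seen in the sign-in logs through an Exchange Online authentication policy. It assumes the SharePoint Online and Exchange Online PowerShell modules are installed and that contoso is a placeholder tenant name.

```powershell
# Added example: block legacy authentication per service without Conditional Access.
# Assumption: "contoso" is a placeholder tenant name.

# SharePoint Online / OneDrive: disable legacy authentication protocols tenant-wide.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled     # expect False

# Exchange Online: a new authentication policy has every AllowBasicAuth* switch off by default,
# so assigning it as the tenant default blocks basic auth for POP, IMAP, SMTP, EWS, etc.
Connect-ExchangeOnline
New-AuthenticationPolicy -Name 'Block Basic Auth'
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# Verify: every AllowBasicAuth* property should be False.
Get-AuthenticationPolicy -Identity 'Block Basic Auth' | Format-List AllowBasicAuth*
```

The Exchange Online policy applies per user and can be overridden with Set-User -AuthenticationPolicy for the few mailboxes that still need a legacy protocol, which gives the same "allow by exception, not by default" result as the Conditional Access approach.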
Read more:
Azure AD Conditional Access support for blocking legacy auth is in Public Preview!
How to use the Azure Active Directory Power BI Content Pack