Now it is finally available – the feature to restrict Windows device enrollment in Intune to corporate-owned devices only. Many companies will not allow their users to enroll privately owned devices in the corporate environment. This has been possible for some time on other device types like iOS, Android and macOS.
The following methods qualify as being authorized as a Windows corporate enrollment:
The enrolling user is using a device enrollment manager account.
The device enrolls through Windows AutoPilot.
The device is registered with Windows Autopilot but is not enrolled through the MDM-only option in Windows Settings.
The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
The device enrolls through a bulk provisioning package.
The device enrolls through automatic enrollment from SCCM for co-management.
How to set it up:
Start the Microsoft 365 Device Management portal
Click on Device enrollment
Click Enrollment restrictions
Click Default
Click Properties
Click Configure
Click Block
Now the end user is not allowed to enroll personal Windows devices.
What is the end user experience like:
When trying to enroll a device from the settings app on Windows 10
Accounts:
Access work or school
Enroll only in Device management
Enter the Azure AD credential
Then this message will show up for the end user
There are many scenarios where the device enrollment restriction can be of value – but please only use it if you need it, that is, if you under no circumstances allow your users to use their own devices.
If you allow users to use their own devices, it is a good idea to let the end user enroll their devices so that they can be Intune managed and marked as compliant for use with Conditional Access.
As you can see, the App Name / ID (skype-room-system/9nblggh5799l) is the same, so in the URL you just need to replace www with businessstore.
Then you can get the app in the Windows Store for Business and put it in your inventory, or use a deployment tool like Intune or ConfigMgr to deploy the app.
After the app is in the Windows Store for Business you can search for it in the Store app on Windows 10.
2. Windows Configuration Designer
This app is not hidden in the public store but only in the Windows Store for Business.
So you can search for it in the Windows Store, find it and install it with your MSA account.
You can also search for it in the Windows Store in a web browser – then you can get the deep link you need to find it in the Windows Store for Business.
But in this case, for some unknown reason, it is not available in the Windows Store for Business.
The solution in this blog post has been possible by help from one of my colleagues and fellow Microsoft MVP – Windows and Devices for IT, Jesper Nielsen – @DotJesper
First you need to have a KMS service up and running: see my blog post Windows 10 KMS Active Directory Activation
Then you have to Download the “Microsoft Office 2016 Volume License Pack”
Now you can install the Microsoft Office 2016 Volume License Pack
Click on the download file to install
Select “Click here to accept the Microsoft Software License Terms.”
Click Continue
Click Next
Click Next
If you are logged in with a user without rights to the AD – then select “Alternate credentials”
Enter your KMS key.
Optional – Enter a display name (I recommend this – it makes it easy to see the object in AD if you have multiple KMS keys in the same AD, e.g. Windows 8, Windows 10, Office 2013 or Office 2016)
Click next
Click Commit to activate online
Click yes
Click close – if you click Next at this point you will delete the AD object you just created
Click Yes
Now you can use ADSI edit to browse the AD to see your KMS object
In the Display name you can see the text created earlier.
One of the biggest issues with Windows servicing on Windows 10 is language packs; from Windows 10 1803 this will be fixed, with Microsoft using the Microsoft Store to deliver language packs. The benefit of using a store app for language packs is that they are not removed as part of Windows servicing and will therefore be retained when an end user gets a new Windows build upgrade.
In this blog post I will describe how you can deploy language packs with Intune and Microsoft Store for Business (MSfB) based on the end user’s preferred language setting, and how to use the Intune Company Portal as self-service for language packs.
Prerequirement:
An Azure AD tenant
Signup for Microsoft Store for Business
Microsoft Intune (automatic deployment)
Windows 10 1803
How to get the Language Packs from MSfB:
First you have to go to the Microsoft Store for Business portal: https://aka.ms/MSfB
Search for Local Experience Pack
Select the Local Experience Pack you need in your organisation
Click “Get the app”
By getting the app it will go into your MSfB inventory and you can use it with a deployment tool like Intune or SCCM – if you want the end user to use the private store in Windows 10 you also need to add it to the private store.
Click “Get the app” – do this for all the Local Experience Packs you need
Click close
And now it will show up in your management tool like Intune or SCCM at the next sync schedule – or you can initiate the sync manually.
How to deploy Local Experience Pack with Intune:
After the sync from MSfB you can see the Local Experience Packs in Intune – select one to deploy it.
In my case I selected the Danish Local Experience Packs
Click Assignments
Click group
In this case I will make it required based on the end user’s Preferred Language – so I have already created Azure AD dynamic groups based on that attribute. See the blog post here.
Now we have to assign the Local Experience Packs
Select “Required”
Select “Include Groups”
Select “groups to include”
Select the dynamic language group for da-dk
You can also create assignment as available so that the end user can use the Intune Company Portal to install the Local Experience Packs.
Create a collection for Local Experience Packs
The reason for creating a collection in MSfB is so that the apps are grouped in the private Windows Store.
Create a collection:
Click your private store
Click Add collection
Give the collection a name – Local Experience Pack
Then you can add the Local Experience Packs to the collection
And now for the end user experience – in this blog post I did 3 different things, so there are also 3 different user experiences.
Local Experience Packs as required – the end user will not notice anything during the installation
Available from the Intune Company Portal – the end user will see it and can install it on request
In the Windows private store – the end user will see it and can install it on request
With the Intune update in June 2016 (version 5.0.7000.0) we got Conditional Access for Outlook Web Access (OWA).
This means that the company can grant or deny access to portal.office.com based on whether the device is:
Domain joined
Compliant
Domain joined or Compliant
Support for mobile devices
iOS 7.1 and later
Android 4.0 and later, Samsung Knox Standard 4.0 or later
Windows Phone 8.1 and later
You can restrict access to SharePoint Online when accessed from a browser on iOS and Android devices. Access will only be allowed from supported browsers on compliant devices:
Safari (iOS)
Chrome (Android)
Managed Browser (iOS and Android)
Unsupported browsers will be blocked.
Support for PCs
Windows 8.1 and later (when enrolled with Intune)
Windows 7.0 or Windows 8.1 (when domain-joined)
Domain-joined PCs must be set up to automatically register with Azure Active Directory. AAD DRS will be activated automatically for Intune and Office 365 customers. Customers who have already deployed the ADFS Device Registration Service will not see registered devices in their on-premises Active Directory.
If the policy is set to require domain join, and the PC is not domain-joined, a message is displayed to contact the IT admin.
If the policy is set to require domain-join or compliant, and the PC does not meet either requirement, a message is displayed with instructions about how to install the Company Portal app and enroll.
Office 365 modern authentication must be enabled, and all the latest Office updates must be installed. Modern authentication brings Active Directory Authentication Library (ADAL) based sign-in to Office 2013 Windows clients and enables better security like multi-factor authentication and certificate-based authentication.
The workflow is like this:
Important
Conditional access for PCs and Windows 10 Mobile devices with apps using modern authentication is not currently available to all Intune customers. If you are already using these features, you do not need to take any action. You can continue to use them.
If you have not created conditional access policies for PCs or Windows 10 Mobile for apps using modern authentication, and would like to do so, you must submit a request. You can find out more information about known issues as well as how to get access to this feature at the connect site.
The user experience is like this when a device is not compliant
First of all, Office Pro Plus 2019 is not the preferred Office suite to deploy; that is Office 365 Pro Plus, which is updated on a monthly basis with new cool features. But there are scenarios where Office Pro Plus 2019 is a better solution, an example being a userless shared device where you need an Office installed; Office 2019 can be deployed from Intune in that case.
Office 2019 is a Click-to-Run installation like Office 365 Pro Plus, unlike Office 2016/2013 and 2010, which are MSI based installations.
In this blog post I will:
Show how to create a custom xml file to deploy Office 2019
Create and deploy Office 2019 application with Intune
Show how you can upgrade Office 2019 to Office 365 without reinstalling
Start config.office.com and either sign in or continue without signing in.
Products and releases
Select Office Suites : Office Professional Plus 2019 – Volume License
Languages
Select Primary language – Match Operation System
Installation options
Show installation to user
To make the installation silent for the end user
Product key
Office 2019 does not use subscription based activation like Office 365 Pro Plus, and when you deploy Office 2019 with Intune you do not always have access to a KMS server; that is the reason for choosing MAK keys.
Select Multiple Activation key (MAK)
Set Autoactivate to On
Set Automatically accept the EULA to On
Application Preferences
Search for Office + First Run
Select Disable First Run Movie
Disable Office First Run on-application boot
Disable First Run Movie
Disable Office First Run on-application boot
Search for Office + Privacy + Trust Center
Select Disable Opt-in Wizard on first run
Disable Opt-in Wizard on first run
Default File Format
Select Office Open XML formats
Export configuration to XML
Select “I accept the terms in the license agreement”
File Name : OOP2019
Click Export
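The Office Deployment Tool configuration that the config.office.com choices above correspond to, written out as OOP2019.xml and parsed back as a sanity check before it is pasted into Intune. This is an added example, not the author’s exported file: the PIDKEY is a placeholder, and the AppSettings registry values are what config.office.com emits for those options to the best of my knowledge, so compare them with your own export.

```powershell
# Added example: build and validate the Office 2019 ODT configuration.
# Placeholder PIDKEY: replace with your MAK key. AppSettings entries are my best
# recollection of the config.office.com export; verify against your own file.
$xmlText = @'
<Configuration ID="OOP2019">
  <Add OfficeClientEdition="64" Channel="PerpetualVL2019">
    <Product ID="ProPlus2019Volume" PIDKEY="XXXXX-XXXXX-XXXXX-XXXXX-XXXXX">
      <Language ID="MatchOS" />
    </Product>
  </Add>
  <Property Name="AUTOACTIVATE" Value="1" />
  <Property Name="FORCEAPPSHUTDOWN" Value="FALSE" />
  <Updates Enabled="TRUE" />
  <RemoveMSI />
  <AppSettings>
    <User Key="software\microsoft\office\16.0\firstrun" Name="disablemovie" Value="1" Type="REG_DWORD" App="office16" Id="L_DisableFirstRunMovie" />
    <User Key="software\microsoft\office\16.0\firstrun" Name="bootedrtm" Value="1" Type="REG_DWORD" App="office16" Id="L_DisableOfficeFirstrun" />
    <User Key="software\microsoft\office\16.0\common\general" Name="shownfirstrunoptin" Value="1" Type="REG_DWORD" App="office16" Id="L_DisableOptinWizard" />
    <User Key="software\microsoft\office\16.0\word\options" Name="defaultformat" Value="" Type="REG_SZ" App="word16" Id="L_SaveWordfilesas" />
  </AppSettings>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
'@

$path = Join-Path $env:TEMP 'OOP2019.xml'
Set-Content -Path $path -Value $xmlText -Encoding UTF8

# Parse it back: a typo in the XML is a common cause of the Intune deployment failing
[xml]$cfg = Get-Content -Path $path -Raw
$add     = $cfg.Configuration.Add
$product = $add.Product

if ($product.ID -ne 'ProPlus2019Volume' -or $add.Channel -ne 'PerpetualVL2019') {
    throw 'Product or channel does not match an Office Professional Plus 2019 volume license install'
}
if ($product.PIDKEY -like 'XXXXX*') {
    Write-Warning 'Replace the placeholder PIDKEY with your MAK key before deploying'
}
if ($cfg.Configuration.Display.Level -ne 'None' -or $cfg.Configuration.Display.AcceptEULA -ne 'TRUE') {
    Write-Warning 'Installation is not silent; the end user will see the installer or the EULA'
}
"Wrote $path"
```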
Create you Office Pro Plus 2019 application in Intune
Start devicemanagement.microsoft.com
Select Client apps
Select Apps
Click Add
Select Office 365 Suite – Windows 10
Enter App type : Windows 10
Select Settings format : Enter XML data
Click App Suite information – Configure the app suite information
Enter Suite Name : Office Pro Plus 2019
Enter Suite Description : Office Pro Plus 2019
Click Enter XML data
Copy in the Office 2019 XML file you created earlier
Now you are ready to assign your new Office 2019 app.
User experience for installing Office Pro Plus 2019 with Intune
The end user can now start Company Portal to get the application you have assigned
Click on Office Pro Plus 2019
When the installation is finished the end user gets a message in the Company Portal and is ready to use Office 2019 with the basic configuration you created, so they will not be prompted for anything at first launch.
Upgrade Office 2019 to Office 365 ProPlus
If you figure out that Office 2019 was not the right version for you, then you do not have to uninstall Office 2019 and install Office 365; you can just do an “upgrade” with an Intune ADMX based policy.
Click Device configuration
Click Profiles
Click Create profile
Enter name : Upgrade Office 2019 to Office 365 ProPlus
Platform : Windows 10 and later
Profile type : Administrative Templates
Click Settings
Search for upgrade
Select “Upgrade Office 2019 to Office 365 ProPlus”
Now you just have to deploy the Intune profile “Upgrade Office 2019 to Office 365 ProPlus” to the devices where you want to change from Office 2019 to Office 365
Happy deployment
Read more:
What’s the difference between Office 365 and Office 2019?
I see more and more customers allowing Azure Active Directory join of Windows 10 devices, also with automatic MDM enrollment into Intune, and many are concerned about letting personal devices get into Intune and thereby have the possibility of being compliant. When a device is compliant, we can use it to give access to corporate resources with Conditional Access.
There is a way to block Intune enrollment of personal devices, but it requires that you understand the consequences of doing so.
A Windows device that the end user is enrolling into Intune is personal unless you tell Intune that it is a corporate device or you Azure AD join it from OOBE. A corporate Windows device is also:
Hybrid joined Windows device with automatic MDM enrollment GPO set
SCCM Co-managed device
Autopilot device
Bulked enrolled with WCD or set up school PC
Enrollment with a Device Enrollment Manager
Start the Microsoft 365 device management portal
Click on Device enrollment
Click on Device restriction
Click on default
Click on properties
Click on Select platforms
Ensure that you are allowing Windows (MDM) enrollment set to allow or all Windows enrollment will be blocked
Click on properties
Click on configure
Click on block for Windows personally owned
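The same restriction that the portal steps above (and the enrollment restriction steps at the top of the page) configure, set through Microsoft Graph and read back to confirm that Windows (MDM) enrollment itself is still allowed. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Authentication module is installed and the account holds an Intune role granting DeviceManagementServiceConfig.ReadWrite.All.

```powershell
# Added example: block personally owned Windows enrollment in the default platform
# restriction via Microsoft Graph, then verify. Assumes Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All'

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
$all = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

# The tenant-wide default is the platform restrictions configuration with priority 0
$default = $all | Where-Object {
    $_.'@odata.type' -eq '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' -and
    $_.priority -eq 0
}
if (-not $default) { throw 'Default platform restriction configuration not found' }

$body = @{
    '@odata.type'      = '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration'
    windowsRestriction = @{
        platformBlocked                 = $false   # keep Windows (MDM) enrollment allowed
        personalDeviceEnrollmentBlocked = $true    # block personally owned Windows devices
        osMinimumVersion                = $default.windowsRestriction.osMinimumVersion
        osMaximumVersion                = $default.windowsRestriction.osMaximumVersion
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "$uri/$($default.id)" -Body $body

# Read the configuration back and check both settings
$check = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($default.id)"
$w = $check.windowsRestriction
if ($w.platformBlocked) {
    Write-Warning 'Windows (MDM) enrollment is blocked entirely; Autopilot and other corporate enrollments will fail too'
}
"Personally owned Windows enrollment blocked: $($w.personalDeviceEnrollmentBlocked)"
```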
From an end user perspective they will get a welcome message when the device is an Autopilot device
Note: If you are injecting the AutopilotConfigurationFile.json file in your image solution or in other ways without uploading the Autopilot device information to Intune, the device does not have a corporate ID in Intune and is therefore a personal device!
But when it is not an Autopilot device – AKA a personal device – the end user will get an error message that the device will not enroll and that they need to contact their system administrator
If you have configured Windows Information Protection (WIP) without enrollment it will still work.
When a user installs Office 365 ProPlus C2R from https://office365download.com, after the installation has ended the end user normally just clicks Yes without reading what is written – and if WIP is not configured the end user will get an error here. In my case WIP without enrollment is configured to secure access to corporate data.
The device will be registered in Azure AD so that Microsoft can check Office activation and check whether the device needs to be automatically MDM enrolled, get WIP without enrollment, or just do the device registration.
After it is done you can check in the Settings app that the device has a management server address: https://wip.mam.manage.microsoft.com, which shows that it is not managed but gets the WIP without enrollment policy from Intune (this still requires an Intune license).
Happy testing 🙂
Read more:
Blocking personal Windows devices
https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set#blocking-personal-windows-devices
The SharedPC configuration service provider is used to configure settings for Shared PC usage.
What is Shared PC mode:
A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users.
Create a Custom Configuration (Windows 10 Desktop and Mobile and later) Policy
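Creating that custom configuration profile through Microsoft Graph instead of clicking through the portal, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module and an account with DeviceManagementConfiguration.ReadWrite.All; the OMA-URIs are SharedPC CSP nodes, and the chosen values (guest plus Azure AD accounts, profile deletion at a disk-space threshold) are an assumption for illustration.

```powershell
# Added example: Shared PC mode as an Intune custom (OMA-URI) profile via Graph.
# Assumes Microsoft.Graph.Authentication; values below are illustrative choices.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Build one omaSetting object, picking the Graph type from the .NET type of the value
function New-OmaSetting {
    param([string]$Name, [string]$Uri, $Value)
    $type = switch ($Value.GetType().Name) {
        'Boolean' { '#microsoft.graph.omaSettingBoolean' }
        'Int32'   { '#microsoft.graph.omaSettingInteger' }
        default   { '#microsoft.graph.omaSettingString' }
    }
    @{ '@odata.type' = $type; displayName = $Name; omaUri = $Uri; value = $Value }
}

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Shared PC mode'
    description   = 'SharedPC CSP: management- and maintenance-free shared Windows 10 PC'
    omaSettings   = @(
        New-OmaSetting 'EnableSharedPCMode'   './Vendor/MSFT/SharedPC/EnableSharedPCMode'   $true
        New-OmaSetting 'AccountModel'         './Vendor/MSFT/SharedPC/AccountModel'         2      # 2 = domain/Azure AD accounts and guest
        New-OmaSetting 'DeletionPolicy'       './Vendor/MSFT/SharedPC/DeletionPolicy'       1      # 1 = delete at disk space threshold
        New-OmaSetting 'DiskLevelDeletion'    './Vendor/MSFT/SharedPC/DiskLevelDeletion'    25     # start deleting profiles below 25% free
        New-OmaSetting 'DiskLevelCaching'     './Vendor/MSFT/SharedPC/DiskLevelCaching'     50     # stop deleting above 50% free
        New-OmaSetting 'RestrictLocalStorage' './Vendor/MSFT/SharedPC/RestrictLocalStorage' $true  # users cannot save to local disk
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $body
"Created profile $($created.id) – assign it to a device group to apply it"
```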
Microsoft Intune Win32 app management support was announced at Microsoft Ignite 2018. This has been the biggest ask from customers around the world since Microsoft released Windows 10 back in August 2015 with a built-in MDM stack, so we were able to Azure AD join and automatically MDM enroll a device into Microsoft Intune. At the beginning we only had single MSI install, Windows Store and Appx support in Intune.
In 2017 we got the Intune Management Extension, where we were able to create a PowerShell script that downloaded (from a “file share”) and installed the app, without any installation status going back to Intune – so the IT pro was not able to see if the application was a failure or a success.
So the Win32 app deployment feature is the Intune Management Extension with the ability to deploy complex applications. If you know the application model in SCCM, this new feature will be very familiar to you.
If you want more – take a look at the Microsoft Ignite Sessions:
BRK3285 – Deep dive into evolution of Windows app management with Intune
Requirements for running the new Win32 app deployment feature are:
Windows 10 version 1607 or later (Enterprise), Windows 10 AAD or hybrid AAD joined devices with automatic MDM enrollment
Windows application size is capped at 2GB per app in the public preview
Note: Microsoft has not tested on Windows 10 Pro
First you need to get the prep tool from github
Microsoft Intune Win32 App Upload Prep Tool
There are very few parameters that can be used:
-h Help
-c Setup folder for all setup files.
-s Setup file (such as setup.exe or setup.msi).
-o Output folder for the generated .intunewin file.
-q Quiet mode
In this blog post I will show how to deploy Adobe Reader DC – see how to package Adobe Reader here
I use Adobe Reader as an example because it has everything that has been missing from Intune: multiple files and a .exe installer.
I have copied IntuneWinAppUtil.exe into c:\temp\AcroRdrDC19, put all the files in c:\temp\AcroRdrDC19\AcroRdrDC19, and want the output in this file: C:\temp\AcroRdrDC19\AcroRdrDC19.intunewin
It runs and finally completes at 100%. Along the way it encrypts the content (SHA256) and compresses the installation files like a .zip file – in this example the package goes from 386MB to 202MB
How to create the app in Intune:
Start the Microsoft 365 Device Management portal : Https://devicemanagement.microsoft.com
Click Client apps
Click Apps
Click Add
Add app – app type Windows app (Win32) – Preview
Select app type : Windows app (win32) – preview
Click Select file
Click to upload the .intunewin file
Click Configure
Enter Name : Adobe Reader DC
Enter Description : Adobe Reader DC PDF reader
Publisher : Adobe
Scroll down until :
Click Select Image
Upload Icon file to Adobe Reader
Click Configure
Enter the install command – for Adobe Reader it is “setup.exe -s”
Enter the uninstall command – MsiExec.exe /x {AC76BA86-7AD7-1033-7B44-AC0F074E4100} /q
In the event log you can see the MSI Installer ID used for the uninstall string
Click Configure
Operating system architecture – select 32-bit and 64-bit
Minimum operating system – select Windows 10 1607 (unless you want to restrict to a newer version of Windows)
Disk space required (MB) – enter 475
You can always see what the disk space required (MB) is on a device where the software is installed, under Apps & Features in the Settings app on Windows 10.
Click Configure
Select Manually configure detection rules (It can also be a custom script)
Click Add
Detection rule
Rule type : MSI (It can also be a file or registry)
MSI product code : enter the MSI product code
As the last point you can specify a custom return code if the application installer is not using a standard return code.
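The MSI product code used above for the uninstall command and the detection rule, and the installed size used for the disk space requirement, read from a reference machine where the package is already installed, then cross-checked against the MsiInstaller events the post refers to. This is an added example, not part of the original post; the display name pattern "Adobe Acrobat Reader DC*" is assumed for the Adobe Reader DC build in question.

```powershell
# Added example: collect product code, uninstall command and size for the Intune
# Win32 app from the Uninstall registry keys. Display name pattern is an assumption.
function Get-MsiAppInfo {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            # MSI-installed apps use their product code GUID as the key name
            $_.DisplayName -like $DisplayNamePattern -and $_.PSChildName -match '^\{[0-9A-F-]{36}\}$'
        } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                ProductCode     = $_.PSChildName                       # MSI detection rule
                UninstallCmd    = "MsiExec.exe /x $($_.PSChildName) /q"  # uninstall command
                EstimatedSizeMB = [math]::Round($_.EstimatedSize / 1024)  # registry value is in KB
            }
        }
}

$app = Get-MsiAppInfo -DisplayNamePattern 'Adobe Acrobat Reader DC*'
if (-not $app) { throw 'Application not found in the Uninstall registry keys' }
$app | Format-List

# Cross-check with the Windows Installer events for the same product
# (1033 = product installed, 11707 = installation completed successfully)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($app.DisplayName)*" } |
    Select-Object -First 2 TimeCreated, Id, Message
```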
Then the application is uploading
Then you are ready for the assignment
Click Assignments
Click Add group
Assignment type – there are 3 different options
Available for enrolled devices – in the company portal
Required
Uninstall
Select Available for enrolled devices
Cli
In the Audit log you can see that the application is created
More details when you click on the audit entry
Now to the end user experience:
In the Company Portal the app is now ready for the end user to install
Click Install
In regedit you can see all the settings on the device: