maciejrebisz.com

IT

How to use Windows 10 E3 from CSP – Cloud First

maximios August 24, 2025

From Windows 10 1607 it is possible to buy Windows 10 Enterprise E3 through the Microsoft CSP (Cloud Solution Provider) program. The benefit is that you don't need to use a MAK key or a KMS service.

When you Azure AD join a Windows 10 Pro device, the device gets a SKU transformation and becomes Windows 10 Enterprise with all the Enterprise features.

Windows 10 Enterprise edition. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).

  • Support from one to hundreds of users. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
  • Deploy on up to five devices. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
  • Roll back to Windows 10 Pro at any time. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days).
  • Monthly, per-user pricing model. This makes Windows 10 Enterprise E3 affordable for any organization.
  • Move licenses between users. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.

First you need to buy Windows 10 Enterprise E3 from a CSP partner. Then go into your O365 admin portal (http://portal.office.com) and open:

Billing -> Subscriptions

There you can see that Windows 10 Enterprise E3 is active.

Find the user you need to give a Windows 10 Enterprise E3 license to.

Edit the Product licenses

Add the Windows 10 Enterprise E3 licenses to the user

Click save

The user now has a Windows 10 Enterprise E3 license covering 5 different devices.

What this looks like for the user:

The user unboxes a new Windows 10 device and gets the OOBE up and running. (This can also be done when you are imaging a device; see my blog post here.)

Select the “Use Express settings”

Select “My work or school owns it”

Click Next

Select “Join Azure Active Directory”

Click Next

Sign in with your Azure AD user (O365 user).

After you log in for the first time, Windows 10 Pro starts the SKU transformation, and after a restart the device is running the Windows 10 Enterprise subscription.

IT

How to use OATH hardware tokens with AzureAD for MFA – Cloud First

maximios August 23, 2025

We are constantly trying to get more security on login than username and password alone, so Multi-Factor Authentication (MFA) is a good solution, and MFA combined with Azure AD Conditional Access is an even better one. MFA is relatively easy to implement in an organisation where the end user has a company-owned mobile phone or is willing to use their own mobile phone, but there are industries where this is not possible, so we need another solution.
In October 2018 Microsoft announced the availability of OATH hardware token support in Azure MFA.

In my opinion it is a great alternative to the Microsoft Authenticator app when the end user does not have a mobile device for some reason. There is an overhead of administrative tasks, like keeping track of which user has which hardware token, but that just requires a process and then you are ready to go.
I have tested:

  • Token2
  • Yubico (Requires an accessory app.)

In this case I do not like the Yubico key due to the requirement of an app. In this blog post I will show the process with the Token2 key, but because OATH is a standard, you're not locked to a single vendor.
When you have purchased the OATH hardware keys from your vendor, there is some work you need to do:

  1. Send a mail to Token2 at [email protected] with the serial numbers of your hardware tokens
  2. You get a .csv back with the secret key, serial number, time interval, manufacturer, and model for each token.
  3. Then you have to replace [email protected] with your end users' UPNs
  4. Upload the .csv file to Azure MFA
  5. Activate the hardware tokens in Azure MFA
  6. Deliver the right hardware token to the right end user

Then you are ready to go.
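As an added example (not part of the original post or the vendor's tooling), a Python script that takes the vendor .csv, swaps the placeholder UPN for the real user per serial number, and validates each row before upload. The column header names and the serial-to-user inventory are assumptions; the vendor file is constructed.

```python
"""Turn a vendor OATH token .csv into the file uploaded to Azure MFA.

Added example, not from the original post or from Token2/Microsoft. It assumes
the upload file has the six columns the post describes (upn, serial number,
secret key, time interval, manufacturer, model) with a placeholder UPN from the
vendor that must be replaced per user; the exact header names are an
assumption. The vendor file and the serial-to-user inventory are constructed.
"""
import base64
import binascii
import csv
import io

COLUMNS = ["upn", "serial number", "secret key", "time interval",
           "manufacturer", "model"]

# Constructed stand-in for the vendor's file: placeholder UPN, made-up serials,
# throwaway base32 secrets (the third one is deliberately malformed).
VENDOR_CSV = """upn,serial number,secret key,time interval,manufacturer,model
placeholder@example.com,1234567890,JBSWY3DPEHPK3PXP,30,Token2,C202
placeholder@example.com,1234567891,GEZDGNBVGY3TQOJQ,30,Token2,C202
placeholder@example.com,1234567892,NOT-BASE32!,30,Token2,C202
placeholder@example.com,1234567899,KRSXG5DFOJSWC3TU,60,Token2,C202
"""

# Constructed inventory of which serial was handed to which user. This record is
# the administrative overhead the post talks about; keep it outside the CSV.
ASSIGNMENTS = {
    "1234567890": "alice@contoso.example",
    "1234567891": "bob@contoso.example",
    "1234567892": "carol@contoso.example",
    "1234567893": "dave@contoso.example",   # no matching row in the vendor file
}


def valid_secret(secret):
    """Secret keys are base32; reject anything that does not decode."""
    cleaned = secret.strip().upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        base64.b32decode(padded)
        return True
    except (binascii.Error, ValueError):
        return False


def prepare_upload(vendor_csv, assignments):
    """Return (rows ready to upload, list of problems to resolve first)."""
    ready, problems, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(vendor_csv)):
        serial = row["serial number"].strip()
        seen.add(serial)
        upn = assignments.get(serial)
        if upn is None:
            problems.append(f"{serial}: no user assigned, row skipped")
            continue
        if not valid_secret(row["secret key"]):
            problems.append(f"{serial}: secret key is not valid base32")
            continue
        if row["time interval"].strip() not in ("30", "60"):
            problems.append(f"{serial}: unexpected time interval {row['time interval']}")
            continue
        out = {col: row[col].strip() for col in COLUMNS}
        out["upn"] = upn  # replace the vendor placeholder with the real UPN
        ready.append(out)
    # Tokens you think you handed out but that the vendor never listed.
    for serial in sorted(set(assignments) - seen):
        problems.append(f"{serial}: assigned to {assignments[serial]} but missing from vendor file")
    return ready, problems


def write_upload(rows):
    """Serialise the prepared rows in the (assumed) column order Azure MFA expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, issues = prepare_upload(VENDOR_CSV, ASSIGNMENTS)
    print(write_upload(rows))
    for issue in issues:
        print("PROBLEM:", issue)
```

Rows with problems are left out of the upload file on purpose, so a malformed secret or an unassigned token never ends up in the portal by accident.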

Requirement: Azure AD P1 or P2

Hardware OATH token

How to get the hardware token .csv file into Azure MFA:

Start your favorite portal for Azure AD: https://aad.portal.azure.com

  1. Click Azure Active Directory
  2. Click MFA

  1. Click OATH tokens
  2. Click Upload

Point to the .csv file you got from Token2 or whichever other vendor you use.

After a successful upload of the .csv file you can see a status, including whether something has failed.

Then you just need to activate the hardware token by clicking Activate.

You will be prompted for a verification code that you get from the hardware token.

After activating your tokens you can see the activation status in the portal.

That is all you need to do; now you can deliver the right hardware token to the right end user!

What the end user experience looks like:

When the sign-in page for Azure AD appears, the end user just enters their username as normal.

After they have entered the password, they get the MFA challenge, in this case a 5-digit code from the hardware token.

Sometimes the end user gets a message that Azure AD needs more information.

Then they just need to verify their hardware token.

Happy deployment!

Read more:
Hardware OATH tokens in Azure MFA in the cloud are now available

IT

How to setup Windows Hello for Business in the new Intune portal – Cloud First

maximios August 23, 2025

By default it is not configured, which means that the default behavior on Windows 10 takes effect. When a Windows 10 device is Azure Active Directory joined, a two-step verification of the user kicks in; it is part of the Azure Multi-Factor Authentication (MFA) service that ensures that users are who they say they are.

This is a nice feature in most scenarios, but in an education environment with primary school students aged 7 to 10, it is not a good idea to use Windows Hello for Business, as it requires two-step verification: MFA with a phone or an e-mail.

In a company, Windows Hello for Business is much easier to implement and a way to get users to sign in to Windows 10 more securely. The user doesn't have to use their company password to sign in to their Windows 10 devices and get access to company cloud resources.

In Windows 10 desktop and mobile versions prior to the Anniversary Update, you could set two different PINs that could be used to authenticate to resources:

  • The device PIN could be used to unlock the device and connect to cloud resources.
  • The work PIN was used to access Azure AD resources on user’s personal devices (BYOD).

In the Anniversary Update, these two PINs were merged into one single device PIN. Any Intune configuration policies you set to control the device PIN, and additionally, any Windows Hello for Business policies you configured, now both set this new PIN value. If you have set both policy types to control the PIN, the Windows Hello for Business policy will be applied on both Windows 10 desktop and mobile devices. To ensure policy conflicts are resolved and that the PIN policy is applied correctly, update your Windows Hello for Business policy to match the settings in your configuration policy, and ask your users to sync their devices in the Company Portal app.

How to setup Windows Hello for Business in the new Intune Portal:

Go into https://portal.azure.com and find the Intune service.

Click on Device enrollment

Click on “Windows Hello for Business”

Click on the Default policy All users

I have created an Intune User Voice entry in the hope of getting the possibility to create more than one Windows Hello for Business policy, please vote!!!

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/18659878-windows-hallo-for-business-setting-per-group-assig

In the All Users blade

Click Settings

Then it is possible to configure Windows Hello for Business:

The default is: Not Configured

If you select Disable, the user will not be prompted for two-step verification when they Azure AD join a device.

When selecting Enable, you can configure the settings for Windows Hello for Business.

Here are the settings:

Configure Windows Hello for Business:
If disabled, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning may be required. Not configured will honor configuration done on the client.

Use a Trusted Platform Module (TPM):
A Trusted Platform Module (TPM) provides an additional layer of data security. If set to required, only devices with an accessible TPM can provision Windows Hello for Business. If set to preferred, devices attempt to use a TPM, but if not available will provision using software.

Minimum PIN length:
Minimum PIN length must be between 4 and 127

Maximum PIN length:
Maximum PIN length must be between 4 and 127

Lowercase letters in PIN:
If required, user PIN must include 1+ lowercase letters.

Uppercase letters in PIN:
If required, user PIN must include 1+ uppercase letters.

Special characters in PIN: If required, user PIN must include 1+ special characters.

Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

PIN expiration (days):
If configured, the user will be forced to change their PIN after the set number of days. The user can still proactively change their PIN before expiration. The default is 41 days.

Remember PIN history:
If set to remember, the user will not be able to reuse this number of previous PINs.

Allow enhanced anti-spoofing, when available:
If yes, devices will use enhanced anti-spoofing, when available (for example, detecting a photograph of a face instead of a real face). If no, anti-spoofing will be blocked. Not configured will honor configuration done on the client.

Allow phone sign-in:
If allowed, users with Azure Active Directory joined desktops may use a portable, registered device as a companion for desktop authentication. The companion device must be configured with a Windows Hello for Business PIN.
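To make the PIN settings above concrete, here is an added example (not from the post or from Intune) that checks a policy for impossible combinations and then checks a candidate PIN against it, including PIN history. The policy values, the three-state required/allowed/blocked values standing in for the Intune drop-downs, and the sample PINs are assumptions.

```python
"""Evaluate Windows Hello for Business PIN settings and candidate PINs.

Added example, not from the original post or from Intune. It encodes the PIN
rules listed above: lengths between 4 and 127, lowercase/uppercase/special
requirements, the special-character set, and PIN history. The policy dict and
sample PINs are constructed; the three-state "required"/"allowed"/"blocked"
values are an assumption standing in for the Intune drop-down choices.
"""
import hashlib

# Special characters exactly as listed in the Intune setting description.
SPECIAL_CHARS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")

# Constructed policy, mirroring the settings in the All users blade.
POLICY = {
    "min_length": 6,
    "max_length": 12,
    "lowercase": "required",   # required / allowed / blocked (assumed states)
    "uppercase": "allowed",
    "special": "required",
    "history": 3,              # number of previous PINs that may not be reused
}


def policy_errors(policy):
    """Flag values outside the 4..127 range or settings that conflict with each other."""
    errors = []
    for key in ("min_length", "max_length"):
        if not 4 <= policy[key] <= 127:
            errors.append(f"{key} must be between 4 and 127")
    if policy["min_length"] > policy["max_length"]:
        errors.append("min_length is greater than max_length; no PIN can satisfy both")
    for key in ("lowercase", "uppercase", "special"):
        if policy[key] not in ("required", "allowed", "blocked"):
            errors.append(f"{key} has unknown value {policy[key]!r}")
    return errors


def _class_check(name, present, mode):
    """Apply one character-class rule and return an error message or None."""
    if mode == "required" and not present:
        return f"PIN must include at least one {name}"
    if mode == "blocked" and present:
        return f"PIN may not include a {name}"
    return None


def pin_hash(pin):
    """Constructed stand-in for a PIN history record (never keep PINs in clear)."""
    return hashlib.sha256(pin.encode()).hexdigest()


def pin_errors(pin, policy, history=()):
    """Return the reasons a candidate PIN would be rejected under the policy.

    `history` is the list of pin_hash() values of earlier PINs, oldest first.
    """
    errors = []
    if len(pin) < policy["min_length"]:
        errors.append(f"PIN shorter than {policy['min_length']}")
    if len(pin) > policy["max_length"]:
        errors.append(f"PIN longer than {policy['max_length']}")
    checks = [
        ("lowercase letter", any(c.islower() for c in pin), policy["lowercase"]),
        ("uppercase letter", any(c.isupper() for c in pin), policy["uppercase"]),
        ("special character", any(c in SPECIAL_CHARS for c in pin), policy["special"]),
    ]
    for name, present, mode in checks:
        msg = _class_check(name, present, mode)
        if msg:
            errors.append(msg)
    # Only the last `history` entries count, matching "Remember PIN history".
    recent = list(history)[-policy["history"]:] if policy["history"] else []
    if pin_hash(pin) in recent:
        errors.append(f"PIN matches one of the last {policy['history']} PINs")
    return errors
```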

Try it out and see which settings are right for your organization.

IT

How to use MSOMS to get overview of Software Update for Windows 10 MDM managed devices – Cloud First

maximios August 21, 2025

When managing Windows 10 devices with Intune MDM, I am missing an overview of which of my devices are compliant with my software update strategy.

Here is the solution: using MSOMS as an extra management tool, I can now report my software update compliance level.

How do we accomplish this with minimal work? I already have my Windows 10 devices managed by Intune with the MDM join feature.

First download the MSOMS agent.

Because Intune MDM can only deploy MSI packages, I extract the MSI from MMASetup-AMD64.exe by running MMASetup-AMD64.exe /C

Enter the location to extract the MSOMS agent to.

Now the agent is extracted as an MSI file, MOMAgent.msi, ready to upload to Intune.

Login to the Intune Console

Go to APPS

Click “Add App”

Click Next

Select “Windows Installer through MDM (*.msi)”

Click Browse

Browse for the MOMAgent.msi

Enter Publisher

Click Next

Enter “Command line arguments”

ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1

where OPINSIGHTS_WORKSPACE_ID and OPINSIGHTS_WORKSPACE_KEY come from the MSOMS workspace.

Click Next

Click close

Click Close

Now the application can be deployed to all Windows 10 MDM-joined devices.

And the Microsoft Monitoring Agent is shown in Programs and Features.

IT

How to deploy Shared Devices with Intune for Education and Autopilot in the future – Cloud First

maximios August 18, 2025

When we talk about devices and modern devices in education, we are also talking about Intune for Education. In this blog post I will show how to use Windows Autopilot and Intune for Education to provision a shared device nice and easy.
In many education cases I have been involved in there is one student per device, but there are also devices with many users on them. In that case the end user experience is not the best; that is why the Windows 10 shared device settings are a great feature.

Prerequisites:

  • Intune for Education
  • Windows Autopilot configured
  • Device imported in autopilot
  • Device running Windows Insider build 17672 or later
  • Physical TPM 2.0 chip
  • Ethernet connection

Note: If you do not have an Ethernet connection at first startup, Windows Autopilot will show the regional and keyboard page and prompt for a Wi-Fi connection.

What is Shared PC mode:

Windows 10, version 1607, introduced shared PC mode, which optimizes Windows 10 for shared use scenarios: fast login and automatic cleanup of unused user profiles. A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen.

How to setup Shared PC mode with Intune for Education:

Start the Intune for Education portal: https://intuneeducation.portal.azure.com

Click on Groups

  1. Select All Autopilot SharedDevice
  2. Click Settings

For information on creating a group for Autopilot shared devices, see my blog post on How to auto assign Windows Autopilot profiles in Intune.

  1. Expand “Shared device settings”
  2. Click Enable

Optimize devices for shared use
Optimizing devices for shared use also enables “Remove built in apps” under Basic device settings and “Block access to local storage” under Device sharing settings. You can disable those settings without affecting other settings for shared use.

This setting is automatically turned on when the “Optimize devices for shared use” setting is turned on. The following apps are fully removed from your users’ computers when this setting is turned on:

  • 3DBuilder
  • Bing Weather
  • Desktop App Installer
  • Get Started
  • Microsoft Office Hub
  • Solitaire Collection
  • One Connect
  • Windows Feedback Hub
  • Xbox
  • Groove Music
  • Mail
  • Calendar

Note: If you have enabled the Intune Enrollment Status Page (Preview), it will show up for every user on the shared device.

Read more about Enrollment Status Page (Preview)

Policies set by the Shared PC mode

Policy name | Value | When set?
Admin Templates > Control Panel > Personalization
Prevent enabling lock screen slide show | Enabled | Always
Prevent changing lock screen and logon image | Enabled | Always
Admin Templates > System > Power Management > Button Settings
Select the Power button action (plugged in) | Sleep | SetPowerPolicies=True
Select the Power button action (on battery) | Sleep | SetPowerPolicies=True
Select the Sleep button action (plugged in) | Sleep | SetPowerPolicies=True
Select the lid switch action (plugged in) | Sleep | SetPowerPolicies=True
Select the lid switch action (on battery) | Sleep | SetPowerPolicies=True
Admin Templates > System > Power Management > Sleep Settings
Require a password when a computer wakes (plugged in) | Enabled | SignInOnResume=True
Require a password when a computer wakes (on battery) | Enabled | SignInOnResume=True
Specify the system sleep timeout (plugged in) | SleepTimeout | SetPowerPolicies=True
Specify the system sleep timeout (on battery) | SleepTimeout | SetPowerPolicies=True
Turn off hybrid sleep (plugged in) | Enabled | SetPowerPolicies=True
Turn off hybrid sleep (on battery) | Enabled | SetPowerPolicies=True
Specify the unattended sleep timeout (plugged in) | SleepTimeout | SetPowerPolicies=True
Specify the unattended sleep timeout (on battery) | SleepTimeout | SetPowerPolicies=True
Allow standby states (S1-S3) when sleeping (plugged in) | Enabled | SetPowerPolicies=True
Allow standby states (S1-S3) when sleeping (on battery) | Enabled | SetPowerPolicies=True
Specify the system hibernate timeout (plugged in) | Enabled, 0 | SetPowerPolicies=True
Specify the system hibernate timeout (on battery) | Enabled, 0 | SetPowerPolicies=True
Admin Templates > System > Power Management > Video and Display Settings
Turn off the display (plugged in) | SleepTimeout | SetPowerPolicies=True
Turn off the display (on battery) | SleepTimeout | SetPowerPolicies=True
Admin Templates > System > Power Management > Energy Saver Settings
Energy Saver Battery Threshold (on battery) | 70 | SetPowerPolicies=True
Admin Templates > System > Logon
Show first sign-in animation | Disabled | Always
Hide entry points for Fast User Switching | Enabled | Always
Turn on convenience PIN sign-in | Disabled | Always
Turn off picture password sign-in | Enabled | Always
Turn off app notification on the lock screen | Enabled | Always
Allow users to select when a password is required when resuming from connected standby | Disabled | SignInOnResume=True
Block user from showing account details on sign-in | Enabled | Always
Admin Templates > System > User Profiles
Turn off the advertising ID | Enabled | SetEduPolicies=True
Admin Templates > Windows Components
Do not show Windows Tips | Enabled | SetEduPolicies=True
Turn off Microsoft consumer experiences | Enabled | SetEduPolicies=True
Microsoft Passport for Work | Disabled | Always
Prevent the usage of OneDrive for file storage | Enabled | Always
Admin Templates > Windows Components > Biometrics
Allow the use of biometrics | Disabled | Always
Allow users to log on using biometrics | Disabled | Always
Allow domain users to log on using biometrics | Disabled | Always
Admin Templates > Windows Components > Data Collection and Preview Builds
Toggle user control over Insider builds | Disabled | Always
Disable pre-release features or settings | Disabled | Always
Do not show feedback notifications | Enabled | Always
Allow Telemetry | Basic, 0 | SetEduPolicies=True
Admin Templates > Windows Components > File Explorer
Show lock in the user tile menu | Disabled | Always
Admin Templates > Windows Components > Maintenance Scheduler
Automatic Maintenance Activation Boundary | MaintenanceStartTime | Always
Automatic Maintenance Random Delay | Enabled, 2 hours | Always
Automatic Maintenance WakeUp Policy | Enabled | Always
Admin Templates > Windows Components > Windows Hello for Business
Use phone sign-in | Disabled | Always
Use Windows Hello for Business | Disabled | Always
Use biometrics | Disabled | Always
Admin Templates > Windows Components > OneDrive
Prevent the usage of OneDrive for file storage | Enabled | Always
Windows Settings > Security Settings > Local Policies > Security Options
Interactive logon: Do not display last user name | Enabled, Disabled when account model is only guest | Always
Interactive logon: Sign-in last interactive user automatically after a system-initiated restart | Disabled | Always
Shutdown: Allow system to be shut down without having to log on | Disabled | Always
User Account Control: Behavior of the elevation prompt for standard users | Auto deny | Always

Read more:
Set up a shared or guest PC with Windows 10

IT

“No VPP tokens found” in your Intune DEP profile ??? – Cloud First

maximios August 18, 2025

I just moved my VPP token from one Apple account to another, and found that in the Intune DEP profile, Install Company Portal with VPP was showing “No VPP tokens found”.

It is not the first time I have seen it or been asked why it is there. That's the reason for this blog post. The first and most obvious reason is that you have not configured your VPP token inside Intune. But if that is not the case, then there is another possible reason.

It is clearly stated in the documentation that you need to get the Company Portal from Apple VPP.
I was sure that I had already done this, so I went into Client Apps.

  1. Click Apps
  2. Search for Company Portal

Company Portal from the iOS volume purchase program was not to be found in Intune, so back to checking that I had configured Apple VPP; there was no issue with that.

  1. Open the Apple VPP Portal

I figured out that I forgot to get Microsoft Company Portal from Apple VPP when I switched to my new Apple DEP/VPP token.

Solution: get the Company Portal from Apple VPP.

Note: I always get twice as many licenses as I have active users when I get a free app from VPP, so I don't run dry on licenses when I deploy apps.

I don't have the patience to wait for the scheduled sync from VPP to Intune, so I used the PowerShell script AppleVPP_sync.ps1 from GitHub.

I went back into my client apps in Intune to verify that I got the Intune Company Portal.

In my DEP profile I now have access to set Use Token:

Hope it helps if you are in the same situation.

Read more:

Automatically enroll iOS devices with Apple’s Device Enrollment Program

IT

How to set Windows 10 lock screen and background picture with Intune – Cloud First

maximios August 18, 2025

I got a question this week about setting the lock screen picture not working when the picture is in OneDrive. Personally, I never use OneDrive or any other service that requires a login token when deploying pictures or other settings down to a Windows 10 client with Intune. The reason is that if for some reason the device is not able to authenticate, my setting will not apply. I love to use Azure file storage for this, because it is secure and we can embed the authentication token in the link that we deploy to the end user device. But if you don't have an Azure subscription, then just use the free Azure service with 5 GB of Azure Blob Storage. Just be sure that you are in control of the service, unlike OneDrive, where a SharePoint administrator or a security administrator can change the security settings on OneDrive in a way that may affect your policy.

Note : Supported in Windows 10 Enterprise and Education SKUs

How to upload the picture to Azure Blob Storage:

First of all, if you already have an Azure Storage account you can skip this section. If not, start the Azure portal, search for free services, find Azure Blob Storage and click Create.

Click start free

Click Start free and follow the guide to sign up.

Once you are finished, search for storage account and click Add.

  1. Create a resource group if you don't have one, or just use an existing one
  2. Enter your storage account name: osdintune
  3. Click Review + create

  1. Click create if all the information is correct

  1. Click Open in Explorer; you need Azure Storage Explorer installed

  1. Create a folder
  2. Upload your picture
  3. Click Change Access Tier

  1. Change when the access token expires. Remember that when it expires your end users will no longer have access to the picture and the Intune policy will have no effect.

  1. Copy the URL with the access token embedded
  2. Click Close
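Since an expired or over-privileged SAS token silently breaks or weakens this policy, here is an added example (not from the original post) that inspects the URL copied from Storage Explorer before it goes into the Intune profile. It assumes the standard Azure SAS query parameters (sp, st, se, spr, sig); the URL is constructed with a fake signature and reuses the storage account name from this post.

```python
"""Check the SAS token in a Blob Storage picture URL before it goes into an Intune profile.

Added example, not from the original post. It assumes the standard Azure SAS
query parameters (sp = permissions, st/se = start/expiry, spr = allowed
protocol, sig = signature); the URL below is constructed with a fake signature.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed URL in the shape Azure Storage Explorer hands back (fake signature).
SAMPLE_URL = (
    "https://osdintune.blob.core.windows.net/pictures/lockscreen.jpg"
    "?sv=2018-03-28&st=2019-03-01T00%3A00%3A00Z&se=2019-12-31T23%3A59%3A59Z"
    "&sr=b&sp=r&spr=https&sig=CONSTRUCTED-FAKE-SIGNATURE"
)


def parse_sas_url(url):
    """Split the URL into its parts and a flat dict of SAS query parameters."""
    parts = urlsplit(url)
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    return parts, params


def parse_sas_time(value):
    """SAS times are ISO 8601 UTC, either a full date-time or a date only."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time {value!r}")


def check_picture_url(url, now, warn_within=timedelta(days=30)):
    """Return findings that would make the policy fail or grant more than it should.

    An empty list means: https, signed, read-only, https-only, not expiring soon.
    """
    findings = []
    parts, sas = parse_sas_url(url)
    if parts.scheme != "https":
        findings.append("picture URL is not https")
    if "sig" not in sas:
        findings.append("no SAS signature on the URL; the blob would have to be public to work")
        return findings
    extra = set(sas.get("sp", "")) - {"r"}
    if extra:
        # Least privilege: a picture the client only downloads needs read, nothing else.
        findings.append(f"SAS grants more than read access: sp={sas['sp']}")
    if sas.get("spr") != "https":
        findings.append("SAS is not restricted to https (spr)")
    if "se" not in sas:
        findings.append("SAS has no expiry in the URL (se); it must come from a stored access policy")
    else:
        expiry = parse_sas_time(sas["se"])
        if expiry <= now:
            findings.append(f"SAS expired at {sas['se']}; the picture policy no longer works")
        elif expiry - now <= warn_within:
            findings.append(f"SAS expires at {sas['se']}; renew it and update the profile")
    return findings


if __name__ == "__main__":
    for finding in check_picture_url(SAMPLE_URL, datetime.now(timezone.utc)) or ["OK"]:
        print(finding)
```

Run it again on a schedule with the real URL so the expiry warning fires before the policy silently stops applying.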

Now you are ready to create your Intune profile:

Start the Microsoft 365 Device Management portal

  1. Click Device configuration
  2. Click Profiles
  3. Click Create profile

Then there are the two settings, one for the lock screen picture and one for the desktop background picture. You can easily create both settings in the same profile; in this example I have done so.

  1. Name : Windows 10 – Personalization
  2. Platform : Windows 10 and later
  3. Profile type : Device restrictions
  4. Click : Settings
  5. Click : Locked Screen Experience
  6. Enter the URL in “Locked screen picture URL”

  1. Name : Windows 10 – Personalization
  2. Platform : Windows 10 and later
  3. Profile type : Device restrictions
  4. Click : Settings
  5. Click : Personalization
  6. Enter the URL in “Desktop background picture URL”

Last, the end user experience:

Remember, as with any other policy or device restriction, the end user cannot change the behavior that the IT admin has set up on the end user device, but for some companies it is very important to have the company branding on everything, including the desktop background and lock screen.

End user experience for the background picture.
In Intune there is no easy way of setting the background picture for different screen resolutions; this one will also be fitted to the screen.

End user experience for lock screen picture.

Read more:

Personalization CSP

IT

How to deploy Office 365 ProPlus with and without Microsoft Teams from Intune – Cloud First

maximios August 18, 2025

Here in March 2019 my tenant was updated to install Microsoft Teams as part of the Office 365 ProPlus Click-to-Run installer. According to the Microsoft documentation this roll-out started in late February 2019. There are some things you need to know about this change.
Why is this important? If you have not deployed Microsoft Teams for your users yet, you may want to ensure that Teams is not installed.

  1. It only applies to new installations of Office ProPlus
  2. Skype for Business is installed by default
  3. It is still the same installer as the MSI installer Microsoft previously released; this also means that if you are uninstalling Office ProPlus you also need to uninstall Teams

If you are already using Teams in your organisation, you don't need to think about installing Teams for your end users anymore. If your organisation has already moved from Skype for Business to Teams you

These are some important dates for this change:

Update channel | Version | Date
Monthly Channel | Version 1902 | March 4, 2019
Semi-Annual Channel (Targeted) | Version 1902 | March 12, 2019
Semi-Annual Channel | Version 1902 | July 9, 2019

If you take a look at the Office Customization Tool at http://config.office.com you can see the build numbers that include the Teams installer.

If you are running Semi-Annual Channel you are not getting Teams yet.

If you are running Semi-Annual Channel (Targeted) with the 1902 version you will get Teams; on the same channel you can also select the 1808 version without Teams.

Both Monthly Channel and Monthly Channel (Targeted) have Teams by default.

How do we handle the Office ProPlus installer from Intune with or without Teams?

Intune does not have an option to disable Microsoft Teams at the moment, but there is a way of working around it. Remember that Teams is only added when Office 365 ProPlus is installed, not when an existing installation is updated online.

As you can see when you are creating an Office 365 ProPlus application, Skype for Business is still checked by default; leave that setting enabled if you need Skype installed.

Then you need to set a Suite Name, Office 365 ProPlus with S4B, and I have set the version number in the Suite Description.

The App Suite Settings is where you choose the update channel and specific version. If you set the update channel to Semi-Annual Channel you will not be installing Teams.

If you select Semi-Annual (Targeted) you need to select version 1808; if you select 1902 you will get Microsoft Teams installed.

If you want to install Office 365 ProPlus with Microsoft Teams, there is now a way to do it in Intune without deploying the Microsoft Teams MSI installer yourself.

First you need to figure out whether you also want Skype for Business installed on your devices; if not, be sure to deselect Skype for Business in Configure App Suite.

Then you need to set a Suite Name, Office 365 ProPlus with Teams, and I have set the version number in the Suite Description.

The App Suite Settings is where you choose the update channel and specific version. If you set the update channel to Semi-Annual (Targeted), Monthly Channel or Monthly (Targeted) you will get Microsoft Teams as part of the Office 365 ProPlus installation.

If you select Monthly Channel you need to select version 1902 or newer to get Microsoft Teams.

Happy testing

Read more:

Deploy Microsoft Teams with Office 365 ProPlus

Update history for Office 365 ProPlus

IT

Managed browser extensions on Edge with Intune – Cloud First

maximios August 18, 2025

When we start testing a new browser in our organization, we also need to decide how we configure the browser, both from an end user and a security perspective. If your end users have one browser on their device that is not managed, then in my experience that is also the browser they will use as their primary browser to surf the internet and do their everyday work in the company. Why is it important to know what extensions your end users have on their corporate devices? It does not require admin privileges to install extensions, and there can be malicious code inside the extensions, or the extensions can get access to corporate data or identity.

You also need to understand that with Microsoft Edge based on Chromium you can install first-party extensions from the Microsoft Store, or you can use a third-party store like the Chrome Web Store.

So in this blog post you will learn how to use Intune to manage browser extensions for the Edge browser.

If your browser does not have an extensions policy, then the end user can install browser extensions as they see fit. That can be fine in some companies, but others need full control over which extensions are allowed to be installed. To help the end user get the extensions that you allow them to use in your company, you can automatically deploy the extensions with a policy.

On your test device you can install the extensions both for testing and to get the information you need to deploy them automatically with a policy.

First, in the Microsoft Store, find the extension you want to install.

I have found the Office browser extension in the Microsoft Store for the new Edge browser; if you have been using extensions on the built-in Edge browser in Windows 10 you will see that many of the extensions are the same.

You can also get extensions from a third-party store like the Chrome Web Store. By default third-party stores are disabled, and you as an end user need to take a manual action:

  1. Enable : Allow extensions from other stores
  2. Click Allow

Then you can use third-party extension stores; in this case I just searched for Microsoft extensions in the Chrome Web Store.

  1. Search for Microsoft
  2. Click on Microsoft Teams Screen sharing

Then you can click Add to Chrome and

Then you have the two extensions installed.

If you don't want the end user to install the extensions on their devices themselves, you can install the extensions automatically with a policy. But first you need the strings for where the extensions are stored online. There are different URLs for Microsoft and Chrome:

For Microsoft it is: https://extensionwebstorebase.edgesv.net/v1/crx

For the Chrome Web Store it is: https://clients2.google.com/service/update2/crx

An easy way of finding the unique identifier for the extensions is to:

  1. Enable Developer Mode
  2. Get the ID for Office extension from Microsoft Store
  3. Get the ID for Microsoft Teams Screen sharing extension from Chrome web store

Save this information – you are going to need it when creating the policy.

Now to creating an Edge policy in Intune:

Start Microsoft 365 Device Management portal

  1. Click Device Configuration
  2. Click Profiles
  3. Click Add

Because Edge is a Win32 app, we have GPO settings to configure Edge, and in Intune that is Administrative Templates. You need to have Edge version 77 or newer installed for the policy to apply.

In “What’s new in Microsoft Intune – Week of August 26, 2019” Configure Microsoft Edge settings using administrative templates for Windows 10 and newer was announced.

  • Microsoft Edge version 77 and later
  • Windows 10 RS4 and newer with KB 4512509 installed
  • Windows 10 RS5 and newer with KB 4512534 installed
  • Windows 10 19H1 and newer with KB 4512941 installed

  1. Enter Name : ADMX – Edge Browser Extensions
  2. Select Platform : Windows 10 and later
  3. Select Profile type : Administrative Templates

In this blog post I will configure 3 different settings; there are many more settings that you can look into configuring in your own environment.

The easy way to filter which policies you can set is to click All products in the top left corner.

  1. Select Edge version 77 or newer

The first policy I set is “Control which extensions cannot be installed”. I use “*” to block all extensions that aren’t explicitly listed in the allow list.

With this policy I control 100% of which extensions are installed on my managed devices.

  1. Click Control which extensions cannot be installed
  2. Click Enable
  3. Enter *

The second policy I set is “Control which extensions are installed silently”.
In this policy setting I force the installation of the extensions that I tested earlier in this blog post; you need the extension IDs and update URLs that you found earlier.

The third policy I set is “Allow specific extensions to be installed”.
In this policy setting I specify the extensions that I tested earlier in this blog post; again you need the IDs that you found earlier. When you block all extensions by setting the ‘ExtensionInstallBlockList’ policy to “*”, users can only install extensions defined in this policy.

  1. Click Allow specific extensions to be installed
  2. Click Enable
  3. Enter the extension IDs gggmmkjegpiggikcnhidnjjhmicpibll and dhheiegalgcabbcobinipgmhepkkeidk
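As an added example (not code from the original post), the following PowerShell builds the values the three policies above need and then reads the effective Edge policy back from the device’s registry to confirm that Intune delivered exactly what was configured. It assumes that Edge keeps machine policies under HKLM:\SOFTWARE\Policies\Microsoft\Edge, with each list policy as a subkey holding numbered string values, that a silently installed extension is written as “extension id;update URL”, and that the first ID listed above belongs to the Office extension from the Microsoft store and the second to the Teams screen sharing extension from the Chrome Web Store (the post lists them in that order but does not state the mapping).

```powershell
# Added example, not code from the original post.
# Builds the values for the three Edge extension policies configured above and
# compares them with what the device's registry actually holds after the Intune
# policy has applied. Assumptions are marked below.

# Update URLs exactly as given in the post
$MicrosoftUpdateUrl = 'https://extensionwebstorebase.edgesv.net/v1/crx'
$ChromeUpdateUrl    = 'https://clients2.google.com/service/update2/crx'

# The two extension IDs from the post. Which store each belongs to is an
# assumption based on the order in which the post lists them.
$Extensions = @(
    @{ Id = 'gggmmkjegpiggikcnhidnjjhmicpibll'; UpdateUrl = $MicrosoftUpdateUrl }  # Office (Microsoft store)
    @{ Id = 'dhheiegalgcabbcobinipgmhepkkeidk'; UpdateUrl = $ChromeUpdateUrl }     # Teams screen sharing (Chrome)
)

# Assumption: Edge machine policies land under this key; a list policy is a
# subkey with numbered string values ("1", "2", ...).
$EdgePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Test-ExtensionId {
    param([string]$Id)
    # Chromium-style extension IDs are 32 lowercase letters in the range a-p
    return $Id -match '^[a-p]{32}$'
}

function New-ForcelistEntry {
    # Silent-install entries take the form "<extension id>;<update URL>"
    param([string]$Id, [string]$UpdateUrl)
    if (-not (Test-ExtensionId $Id)) { throw "Not a valid extension id: $Id" }
    return "$Id;$UpdateUrl"
}

function Get-EdgeListPolicy {
    # Returns the entries of one list policy in numeric order, or nothing if absent
    param([string]$PolicyName)
    $key = Join-Path $EdgePolicyRoot $PolicyName
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

# What the three policies should contain according to the post
$Expected = @{
    ExtensionInstallBlocklist = @('*')
    ExtensionInstallAllowlist = @($Extensions | ForEach-Object { $_.Id })
    ExtensionInstallForcelist = @($Extensions | ForEach-Object { New-ForcelistEntry $_.Id $_.UpdateUrl })
}

foreach ($name in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist', 'ExtensionInstallForcelist') {
    $actual  = @(Get-EdgeListPolicy $name)
    $missing = @($Expected[$name] | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual | Where-Object { $Expected[$name] -notcontains $_ })
    $state   = if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'OK' } else { 'MISMATCH' }
    '{0,-26} {1}' -f $name, $state
    $missing | ForEach-Object { "    missing:    $_" }
    $extra   | ForEach-Object { "    unexpected: $_" }
}
```

Run it in an elevated PowerShell on a device in the test group after the policy has synced; an entry reported as “unexpected” in the allow or force list is worth investigating, because with the block list set to “*” these two lists are the only way an extension gets onto the device.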

Now you are ready to deploy the policy to a test group.

Now for the end user experience:

When you enter edge://extensions/ in the Edge browser you can see all the extensions, and removal is grayed out.

If you try to install an extension from the Microsoft Store you get the message: “An Error has occurred”

If you try to install an extension from the Chrome Web Store you get the message: “Oooops”

  1. Click Add to Chrome
  2. Click Close

If you enter edge://policy/ in the Edge browser you can see all the policies that the IT admin has deployed to the end user, and in this case you can also see the 3 browser extension policies that are deployed to this device.

Happy testing

Read more:

Microsoft Edge – Policies

Deploy Microsoft edge dev for business as a msi with intune


Demystifying Office 365 installation for Windows 10 from Intune – Cloud First

maximios August 18, 2025

I’m writing this blog post to help you understand what happens when you deploy Office Pro Plus on an Intune-managed device. First of all, an Office 365 installation is not an application installation in the traditional sense!! It is not the same as a Win32 app deployed from Intune, which uses the Intune Management Extension (IME), or an MSI LOB app deployment, which uses the built-in MDM stack in Windows 10.

An Office Pro Plus installation from Intune is a policy, a CSP policy.

That is also the reason why you cannot create a dependency from a Win32 app installation on an Office Pro Plus app in Intune. The example I often get is: can we create a Win32 app that installs a plugin for Office only if Office is already installed?
Troubleshooting is also different for an Office Pro Plus installation, as you need to look for different things on the end user device and not in the IME logs.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeCSP

In the Default value there is a link to http://go.microsoft.com/fwlink/?LinkID=829801; that link points to the setup.exe installer.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeCSP\9725059b-1892-443f-bee1-509ca15c0c16

In the Default value you can see the configuration.xml file that is used to install Office Pro Plus.

Here is the default configuration.xml from the Intune installation. If you need other settings in your installation you can upload a custom configuration.xml file into Intune.

14/12/2020 9:04:16 AM

FinalStatus:

  • When status = 0: 70 (succeeded)
  • When status != 0: 60 (failed)

In file:///C:/Users/Public/Documents/MDMDiagnostics/MDMDiagReport.html you can also see that Office is installed.

The end user will also get a notification when Office Pro Plus has finished installing.
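As an added example (not code from the original post), the following PowerShell reads the Office CSP registry state described above and reports the installation result per subkey, which is the on-device check to do instead of reading IME logs. It assumes that each GUID subkey under HKLM\SOFTWARE\Microsoft\OfficeCSP stores the configuration.xml in its (Default) value and the result in a DWORD value named FinalStatus, with 70 meaning succeeded and 60 meaning failed as the post states; any other value is reported as unknown rather than interpreted.

```powershell
# Added example, not code from the original post.
# Reads the Office CSP state from the registry locations described above and
# reports the outcome of the Office Pro Plus installation on this device.
# Assumptions: each GUID subkey holds the configuration.xml in its (Default)
# value and the result in a DWORD named FinalStatus (70 = succeeded,
# 60 = failed, as the post states); other values are reported as unknown.

$OfficeCspKey = 'HKLM:\SOFTWARE\Microsoft\OfficeCSP'

function Get-OfficeCspStatus {
    if (-not (Test-Path $OfficeCspKey)) {
        Write-Warning 'Office CSP key not found: no Office Pro Plus policy has reached this device yet'
        return
    }

    # (Default) on the root key holds the fwlink that points to setup.exe
    $root = Get-ItemProperty -Path $OfficeCspKey
    [pscustomobject]@{ Subkey = '(root)'; FinalStatus = $null; Result = 'n/a'; Detail = $root.'(default)' }

    foreach ($sub in Get-ChildItem -Path $OfficeCspKey) {
        $props  = Get-ItemProperty -Path $sub.PSPath
        $status = $props.FinalStatus
        $result = if ($null -eq $status) { 'pending: no FinalStatus written yet' }
                  elseif ($status -eq 70) { 'succeeded' }
                  elseif ($status -eq 60) { 'failed' }
                  else { "unknown value $status" }

        # Summarise the configuration.xml by its product ID(s) when it parses;
        # otherwise show the raw (Default) value
        $detail = $props.'(default)'
        if ($detail) {
            try { $detail = 'Product: ' + ((([xml]$detail).Configuration.Add.Product.ID) -join ', ') } catch { }
        }

        [pscustomobject]@{ Subkey = $sub.PSChildName; FinalStatus = $status; Result = $result; Detail = $detail }
    }
}

Get-OfficeCspStatus | Format-Table -AutoSize

# The MDM diagnostic report mentioned in the post is a second place to confirm
# that the policy arrived; it has to be generated first.
$Report = 'C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html'
if (Test-Path $Report) {
    "MDM diagnostic report available: $Report"
} else {
    'No MDMDiagReport.html yet; generate it with: MdmDiagnosticsTool.exe -out C:\Users\Public\Documents\MDMDiagnostics'
}
```

A subkey with no FinalStatus yet usually means the policy has arrived but setup.exe has not finished; a 60 is the point at which to look at the Office setup logs rather than at Intune.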

Happy deployment

Read more:

Office CSP
Description of Office 365 Desktop Setup Tool logging errors
