Intune MAM (mobile application management) is a way to secure corporate data at the app level. A MAM policy blocks certain user actions and enforces encryption and authentication in the app.
This is a lightweight way of creating an Intune MAM policy; the full set of MAM functions is still available under App protection in Intune.
This means a SharePoint administrator can create an Intune MAM policy that applies to all users in the tenant, without any knowledge of Intune.
The policy only applies to users in your organization who are licensed for Microsoft Intune, directly or indirectly through the Enterprise Mobility + Security E3 or E5 license.
How to create the MAM policy as a SharePoint Admin
Start the OneDrive admin portal https://admin.onedrive.com/
Go to Device access
Click on Deploy this policy
Change the settings to match your security requirements
After a few minutes the policy shows up in the Intune App protection console, deployed globally to the iOS and Android platforms.
The two targeted apps are OneDrive for iOS and OneDrive for Android; take a look at the target apps inside the policy.
In the OneDrive mobile policy, under Policy settings,
you can see the detailed settings that were set in the OneDrive admin portal.
If the policy is disabled again in the OneDrive admin portal,
it is still visible as an Intune App protection policy, but the OneDrive app is removed from its targeted apps.
If the settings are grayed out like this, it is because the SharePoint admin user does not have an Intune license assigned.
One of the biggest issues with Intune since the beginning of modern management with the MDM stack on Windows 10 has been software inventory. Many companies have a CMDB in which they want to record software inventory for various reasons, and there has been no good way to feed it other than installing an asset management solution with an agent on all deployed devices.
Looking at Discovered apps on the device object in Intune, Win32 apps are now starting to show up. At first I thought these were only the applications installed with the Win32 app model in Intune, but I also see apps that were installed manually on the device.
The Intune management extension needs to be installed on the device for Win32 applications to be inventoried, so you need to install at least one Win32 app or run a PowerShell script from Intune on your devices.
The inventory part is a feature released with version 1901.
On Windows 10 we use many different browsers for different reasons. This is not a blog post telling you which browser you have to use on Windows 10, but a post on how to manage favorites in Microsoft Edge and Internet Explorer on Windows 10. The settings used in this blog post were introduced in different versions of Windows 10.
The use case for managing the browser is to help the end user with links to important websites; in the example in this post it is for the IT admin, so he can follow up on what is new in EMS. Next, sync browser favorites between Microsoft Edge and Internet Explorer, so that the end user does not need to care about which browser he is using. The last point is to use Azure AD to store the end user's personal favorites with Enterprise State Roaming.
So this blog post is divided into 3 sections:
Provision Favorites
Sync Favorites Between IE and MS Edge
Enterprise State Roaming (ESR)
You can combine the settings or use them separately.
Provision Favorites
Pros: It allows the IT admin to provision corporate links to the end user. Cons: It only works with Microsoft Edge, not other browsers like Internet Explorer, Google Chrome etc.
How to set up Provision Favorites:
First you need to export a .html file with the favorites that should be provisioned to a user or device group. This can be done from the Microsoft Edge browser by opening Settings,
then clicking “Import from another browser”,
then clicking Export to file.
In the exported .html file you can remove whatever you don’t want provisioned to the end user.
Then store the .html file in a location the end user has access to.
In this case I use Azure blob storage to store the .html file; it can also be a web server, as long as the end user has the right to access the .html file.
And now I have a link that I can use in my Intune profile:
https://osddeployment.blob.core.windows.net/intunecontainer/What_is_new_Favorits.html?sp=rl&st=2018-08-12T12:15:54Z&se=2021-05-14T12:15:00Z&sv=2017-11-09&sig=fLuLfkmLEDFzT3G1RMYsQ7Xsoc7VdaezAt1buZYCILU%3D&sr=b
Start M365 Device admin center
Click Device Configuration
Click Profiles
Click Create profiles
Name: What is new – Favorites List
Platform : Windows 10 and later
Profile type: Device restrictions
Click Settings Configure
Select Microsoft Edge Browser
Insert the link to the .html file in Favorites List
This is how it looks from the end user’s perspective:
Sync Favorites Between IE and MS Edge
Pros: It helps the end user have the same favorites in Microsoft Edge and IE, and together with ESR it makes it possible to sync IE favorites. Cons: It only works between IE and Microsoft Edge, not other browsers like Google Chrome.
How to set up Sync Favorites Between IE and MS Edge in Intune:
Start M365 Device admin center
Click Device Configuration
Click Profiles
Click Create profiles
Name: Sync favorites between Microsoft browsers
Platform : Windows 10 and later
Profile type: Device restrictions
Click Settings Configure
Select Microsoft Edge Browser
Set “Sync favorites between Microsoft browsers (Desktop only)” to Require
Assign the profile to the user or device group you want to receive this setting.
After the next device sync with Intune you can see in the MDMDiagReport.html report that the setting is enabled.
Enterprise State Roaming (ESR)
Pros: It syncs the end user’s favorites and other settings to blob storage on the user object in Azure AD, and the ESR data syncs to every Azure AD joined device the end user logs in to. Cons: It requires an Azure AD P1 license, and if you want to delete the ESR data for a user you need to create a Microsoft support request to get the data deleted.
Start the Azure Active Directory admin center
Click Azure Active Directory
Click Devices
Click Enterprise State Roaming
Select All or Selected
If you use Selected you need to specify a group of users that has Enterprise State Roaming enabled.
On the device you can check whether Enterprise State Roaming is working:
Start a command window (cmd or PowerShell) and run the command dsregcmd.exe /status
Check that AzureAdJoined is set to Yes
Check that WamDefaultSet is set to Yes
Check that WamDefaultGUID is not empty and ends with (AzureAD)
Check the log in Event Viewer > Applications and Services Logs > Microsoft > Windows > SettingSync
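The same three checks, scripted so they can be run on a batch of devices or pushed as an Intune PowerShell script. This is an added example, not code from the original post; it assumes dsregcmd.exe is on the PATH (it ships with Windows 10) and that its /status output prints fields as "Name : Value" lines, which is the format the post's screenshots show. The function names are this example's own.

```powershell
# Added example (not from the original post): parse "dsregcmd.exe /status" and verify the
# three fields the post lists for Enterprise State Roaming, then dump the SettingSync channels.
function Get-DsregStatus {
    param([string[]]$Lines = (dsregcmd.exe /status))
    $status = @{}
    foreach ($line in $Lines) {
        # Lines look like "             AzureAdJoined : YES"; multi-word keys are not needed here.
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-EsrPrerequisites {
    param([hashtable]$Status = (Get-DsregStatus))
    # -eq and -match are case-insensitive in PowerShell, so "YES"/"Yes" both pass.
    $checks = [ordered]@{
        'AzureAdJoined is Yes'            = ($Status['AzureAdJoined'] -eq 'YES')
        'WamDefaultSet is Yes'            = ($Status['WamDefaultSet'] -eq 'YES')
        'WamDefaultGUID ends in (AzureAd)' = ($Status['WamDefaultGUID'] -match '\(AzureAd\)\s*$')
    }
    foreach ($name in $checks.Keys) {
        $result = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Output "$result $name"
    }
    return -not ($checks.Values -contains $false)
}

if (Test-EsrPrerequisites) {
    # Read the SettingSync channels the post points to. Debug/Analytic channels can only be
    # read oldest-first, so the switch is set per channel type.
    Get-WinEvent -ListLog 'Microsoft-Windows-SettingSync*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            $oldest = $_.LogType -in 'Debug', 'Analytical'
            Get-WinEvent -LogName $_.LogName -MaxEvents 10 -Oldest:$oldest -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, LevelDisplayName, Message
        }
}
```

Run it in the signed-in user's context (the WAM fields are per user). If any check fails, ESR will not sync for that user, and the SettingSync events are the place to look for the reason.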
Read more:
Policy CSP – Browser
Enterprise State Roaming overview
Footnote:
1 – Supported versions, version 1607.
2 – Supported versions, version 1703.
3 – Supported versions, version 1709.
4 – Supported versions, version 1803.
5 – Added in the next major update to Windows 10.
When deploying Office 365 Click-to-Run, I want to remove as many popups for the end users as possible; hence this guide.
First download the “Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool” from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=49030
Update your GPO Central Store with the downloaded ADMX/ADML files.
The first thing the user sees is this
This can be removed with this GPO setting
User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> First Run
Then the user gets this
This can be removed with this GPO setting
User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Subscription Activation
Then the user gets this
This can be removed with this GPO setting
User Configuration -> Policies -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center
Then the user gets this
This can be removed with a registry preference item
User Configuration -> Preferences -> Windows Settings -> Registry
Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Office\16.0\Registration
Value name: AcceptAllEulas
Value type: REG_DWORD
Value data: 1
And finally, those of us in the EU get this
This can be removed with a registry preference item
User Configuration -> Preferences -> Windows Settings -> Registry
Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Office\16.0\Common\General
Value name: ShownFileFmtPrompt
Value type: REG_DWORD
Value data: 1
Now all you have to do is deploy your new GPO to the Office 2016 users.
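For devices that are not domain joined (and so never receive the GPO), the two registry values can be set the same way with a user-context script, for example an Intune PowerShell script run as the signed-in user. The script below is an added example, not code from the original post: the hive, key paths, value names and data are the ones the post lists; the function name and the idempotent structure are this example's own.

```powershell
# Added example (not from the original post): apply the two HKCU values the post sets through
# Group Policy Preferences. Safe to run repeatedly; supports -WhatIf for a dry run.
function Set-OfficeFirstRunSuppression {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $settings = @(
        @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Registration';   Name = 'AcceptAllEulas';     Value = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Office\16.0\Common\General'; Name = 'ShownFileFmtPrompt'; Value = 1 }
    )
    foreach ($s in $settings) {
        # Office only creates these keys on first run, so create them if missing.
        if (-not (Test-Path $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ($current -eq $s.Value) {
            Write-Verbose "$($s.Path)\$($s.Name) is already $($s.Value)"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set REG_DWORD to $($s.Value)")) {
            New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

# Apply, then read both values back so the result shows up in the script output.
Set-OfficeFirstRunSuppression -Verbose
Get-ItemProperty 'HKCU:\Software\Microsoft\Office\16.0\Registration'   -Name AcceptAllEulas     | Select-Object AcceptAllEulas
Get-ItemProperty 'HKCU:\Software\Microsoft\Office\16.0\Common\General' -Name ShownFileFmtPrompt | Select-Object ShownFileFmtPrompt
```

The three popups handled by Administrative Templates above have no registry equivalent shown in the post, so this script only covers the two preference items; it must run as the user because both values live in HKCU.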
Privacy is becoming increasingly important for companies and end users. Your end users might see more popups on their devices. However, as an IT administrator, you have the choice to configure those settings for your end users.
Some users experience that Microsoft Teams keeps asking for permission to access the microphone and camera, with a message like this.
What can we as IT administrators do to give our end users the best possible experience?
You can adjust the privacy settings for Microsoft Teams on your end users’ devices. Use a management tool like Microsoft Intune for this task. With the Privacy CSP (./Device/Vendor/MSFT/Policy/Config/Privacy/) you can configure the behavior.
I will demonstrate how to force-allow Microsoft Teams to use the microphone, camera, and location. This does not change the existing allow or deny settings that the end user has configured for other apps.
Learn more about the policy here : https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-privacy
First I need to find the PackageFamilyName. I do that by getting the information from a device that already has Microsoft Teams installed.
Start PowerShell
Create a directory for the output file with the command mkdir c:\temp
Run the command Get-AppPackage > c:\temp\Get-AppPackages.txt, which creates a list of all app packages installed on your device.
You can then search inside the file for Microsoft Teams.
There you find the PackageFamilyName: MSTeams_8wekyb3d8bbwe, which you need when creating your policy.
Start Microsoft Intune Admin Center – Device – Windows – Configuration – Create – New Policy
Enter the name of the policy: Privacy – Teams
Click Add Settings
Type Privacy
Click Search
Click Privacy
Select Let Apps Access Camera Force Allow These Apps, Let Apps Access Location Force Allow These Apps and Let Apps Access Microphone Force Allow These Apps
Enter the PackageFamilyName MSTeams_8wekyb3d8bbwe that you found earlier in the Let Apps Access Microphone Force Allow These Apps policy setting.
Repeat for Let Apps Access Camera Force Allow These Apps and Let Apps Access Location Force Allow These Apps as well.
Keep Let Apps Access Camera, Let Apps Access Location and Let Apps Access Microphone configured to User in Control. If you want complete control over these settings on your end users’ devices, configure them as you need.
Microsoft Teams is now set to allow microphone use. The rest of the settings are left for the end user to change themselves.
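A scripted version of the lookup, plus a read-back of what the device actually ended up with once the policy has synced. This is an added example, not code from the original post. The PackageFamilyName lookup uses Get-AppxPackage directly instead of the text file. The two registry locations are assumptions to verify on a test device: resolved Policy CSP values are expected under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Privacy, and the per-user allow/deny choices under the CapabilityAccessManager ConsentStore key; the list separator is assumed to be a semicolon or the 0xF000 character used by other Policy CSP list values.

```powershell
# Added example (not from the original post): find the Teams PackageFamilyName and read back
# the force-allow policy and the user's own consent choices for comparison.
$teams = Get-AppxPackage -Name 'MSTeams' -ErrorAction SilentlyContinue
if (-not $teams) {
    # Fallback for other Teams package names; the PFN differs per package.
    $teams = Get-AppxPackage -Name '*Teams*' | Select-Object -First 1
}
if (-not $teams) { throw 'Microsoft Teams is not installed for this user.' }
$pfn = $teams.PackageFamilyName
Write-Output "PackageFamilyName: $pfn"

# Effective device policy as delivered by Intune (assumed registry location, one value per capability).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Privacy'
foreach ($cap in 'Microphone', 'Camera', 'Location') {
    $name  = "LetAppsAccess${cap}_ForceAllowTheseApps"
    $val   = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    $list  = if ($val) { $val -split '[;\uF000]' | Where-Object { $_ } } else { @() }
    $state = if ($list -contains $pfn) { 'force-allowed by policy' } else { 'not in policy (user in control)' }
    Write-Output ("{0,-10} {1}" -f $cap, $state)
}

# The signed-in user's own choices for every app stay untouched by the policy; list them.
$consent = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
foreach ($cap in 'microphone', 'webcam', 'location') {
    Get-ChildItem -Path (Join-Path $consent $cap) -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = (Get-ItemProperty $_.PSPath -Name Value -ErrorAction SilentlyContinue).Value
            [pscustomobject]@{ Capability = $cap; App = $_.PSChildName; UserChoice = $v }
        }
}
```

Run the first part as the user (app packages are per user) and the policy read-back with local admin rights. If the PFN printed differs from MSTeams_8wekyb3d8bbwe, the policy value must use the PFN from the device, not the one from the post.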
You can control many Windows settings on your end users’ devices, as long as you find the right policy settings. I always recommend configuring Windows for security and also minimizing the popups that the end user needs to deal with on their corporate devices.
I hope this blog post helps you if your end users have been complaining about the popup when Microsoft Teams starts on their device.
In the new world we don’t trust, but always verify before granting access to corporate data. Conditional Access is the gate we use with Microsoft 365, and when we talk about verifying device compliance, it is not enough to know that our company owns the device. We also need to look at the state of the device, for example whether BitLocker and Secure Boot are enabled. There are other parameters to check with a compliance policy in Intune as well.
Valid operating system builds is a parameter you can use in your compliance policy for Windows. There is also an option to check only a minimum and a maximum version, but that requires all your Windows devices to be on the same build version at all times.
In the real world there can be different reasons for your organization to run different Windows versions: some users may use an application that does not work on a specific Windows build, or you may be in the middle of a ring deployment updating your Windows build to the latest version.
In this blog post I will walk you through creating a compliance policy that checks for several Windows build versions. Looking at the OS build version is a way to ensure that Windows is updated to a patch level that your company trusts.
Create Windows Compliance policy:
Start Microsoft Endpoint Manager admin center : https://endpoint.microsoft.com
Click Devices
Click Windows
Click Compliance policies
Click Create Policy
Select Windows 10 and later
Enter Name: Windows Compliance – Valid operating system builds
Enter Valid operating system builds
Operating system version    Minimum OS version    Maximum OS version
Windows 10 1909             10.0.18363.815        10.0.18363.815
Windows 10 1903             10.0.18362.815        10.0.18362.815
Windows 10 1809             10.0.17763.1192       10.0.17763.1192
Windows 10 1803             10.0.17134.1456       10.0.17134.1456
Windows 10 1709             10.0.16299.1806       10.0.16299.1806
You can also configure:
Action for noncompliance (Default = Mark device noncompliant: Immediately)
Scope tags
Assignments (a user group you want to test it on)
Compliance policies are only used for reporting inside Microsoft Intune until you create a Conditional Access policy with the grant control “Require device to be marked as compliant”.
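To predict what the policy will report for a device before assigning it, the build check can be reproduced locally. The script below is an added example, not code from the original post: the build table is the one from the post, and the function assumes the same rule as the Intune setting, namely that the device's OS version must fall inside at least one of the listed minimum/maximum ranges. The device version is read from the CurrentVersion registry key, with UBR as the fourth component, which matches the 10.0.build.revision format used in the table.

```powershell
# Added example (not from the original post): evaluate an OS version against the post's
# "Valid operating system builds" table the way the compliance policy does.
$validBuilds = @(
    @{ Name = 'Windows 10 1909'; Min = '10.0.18363.815';  Max = '10.0.18363.815'  },
    @{ Name = 'Windows 10 1903'; Min = '10.0.18362.815';  Max = '10.0.18362.815'  },
    @{ Name = 'Windows 10 1809'; Min = '10.0.17763.1192'; Max = '10.0.17763.1192' },
    @{ Name = 'Windows 10 1803'; Min = '10.0.17134.1456'; Max = '10.0.17134.1456' },
    @{ Name = 'Windows 10 1709'; Min = '10.0.16299.1806'; Max = '10.0.16299.1806' }
)

function Test-ValidOsBuild {
    param(
        [Parameter(Mandatory)][string]$OsVersion,   # e.g. "10.0.18363.815"
        [array]$Table = $validBuilds
    )
    # [version] compares component by component, so 10.0.18363.815 is newer than
    # 10.0.18363.79; a plain string comparison would get that wrong.
    $v = [version]$OsVersion
    foreach ($row in $Table) {
        $min = [version]$row.Min; $max = [version]$row.Max
        if ($v -ge $min -and $v -le $max) {
            return [pscustomobject]@{ OsVersion = $OsVersion; Release = $row.Name; Compliant = $true; Required = "$min - $max" }
        }
    }
    # Not inside any range: report the row for the same build, if there is one, so the
    # required patch level is visible (this is what the Company Portal message shows).
    $same = $Table | Where-Object { ([version]$_.Min).Build -eq $v.Build } | Select-Object -First 1
    $release  = if ($same) { $same.Name } else { 'build not in the table' }
    $required = if ($same) { "$($same.Min) - $($same.Max)" } else { 'n/a' }
    return [pscustomobject]@{ OsVersion = $OsVersion; Release = $release; Compliant = $false; Required = $required }
}

# Version of the device the script runs on.
$cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if (Test-Path $cvKey) {
    $cv  = Get-ItemProperty $cvKey
    $ver = "$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$($cv.CurrentBuildNumber).$($cv.UBR)"
    Test-ValidOsBuild -OsVersion $ver
}

# Constructed sample inputs: an exact match, an older patch level on a listed build,
# and a build that is not in the table at all.
Test-ValidOsBuild '10.0.18363.815'
Test-ValidOsBuild '10.0.18363.778'
Test-ValidOsBuild '10.0.19041.264'
```

Because every row in the post's table has minimum equal to maximum, a device on the same build with a newer cumulative update is also reported noncompliant; raise the maximum (or drop it) for each row when you are happy to accept newer patch levels.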
End user experience:
The end user can go into the Company Portal and see the device compliance status on the device.
In this case the end user gets a message that the device is not compliant, and which build version the device needs to be on, with a minimum and a maximum build version.
In this case it is just one build version: we are looking for the latest build number from the day the compliance policy was created.
The end user needs to go into the Settings app > Update & Security > Windows Update
and install the missing updates.
Happy testing.
Read more:
Windows 10 and later settings to mark devices as compliant or not compliant using Intune
Windows 10 release information
When Microsoft Edge is configured as the enterprise browser with corporate policies, you can configure Microsoft Edge policies in Microsoft Intune for managed devices. The personal profile, however, is only a lightly managed profile, even on a managed device.
Only the following categories of policies are automatically inherited from the work profile in the Microsoft Edge browser:
Security
Data Compliance
Microsoft Edge Update
You can see the complete list of policies that apply only to the Microsoft Edge work profile here: https://learn.microsoft.com/en-us/DeployEdge/edge-learnmore-personal-browser-policies
In this case you as an IT admin want to control which browser extensions are installed on your corporate devices. One way of doing that is by leveraging the Microsoft Edge security baseline version 128, as its recommendation is to block all extensions and then create a specific allow list.
In the baseline, the policy “Control which extensions cannot be installed” is enabled and configured with “*”, so the policy prevents the end user from installing any extension, and the policy is device-wide.
In your work profile, where you are signed in with your corporate Entra ID, when you try to install an extension, in this case “Dino Roar”, the end user gets a message that it is blocked by your administrator.
Let’s check what the policy says now by entering edge://policy in your Edge work profile.
There we can verify that the policy is in effect on the device and the status is OK.
As the policy is a device policy you would expect it to apply to everything on the device, so let’s try signing in to Microsoft Edge with a personal account (MSA). Now you are allowed to install the same browser extension, “Dino Roar”, that you were blocked from installing in the profile signed in with your Entra ID.
Let’s check what the policy says now by entering edge://policy in your personal Edge profile.
It still shows that ExtensionInstallBlocklist applies at Device scope, but now the status shows as Ignored.
So if you want to block installing browser extensions on your corporate devices, one option is to restrict which accounts can be used to sign in to Microsoft Edge.
You can create the policy in Microsoft Intune by going to https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/~/configuration
Click Create, then New policy
Select Platform: Windows 10 and later and Profile type: Settings catalog, then click Create
Enter Name: Microsoft Edge – Restrict accounts and Description: Restrict which accounts can be used to sign in to Microsoft Edge
Search for Restrict which accounts can be used to sign in to Microsoft Edge and select it
Enable the policy setting and enter which Entra domain name can be used in Microsoft Edge; in my case I enter .*@osddeployment.dk in Restrict which accounts can be used as Microsoft Edge primary accounts (Device)
Then assign it to a group of users or devices and wait for your devices to sync.
If you are already signed in with an account that is not in the list, you get a message like the one I got for my personal account in Microsoft Edge.
If you try to set up a new personal profile in Microsoft Edge,
you get a message that your profile doesn’t have sign-in permissions.
You can read more about the policy here : https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#restrict-which-accounts-can-be-used-to-sign-in-to-microsoft-edge
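To audit a device for both settings without opening edge://policy in each profile, the policy values can be read from the registry. This is an added example, not code from the original post. It assumes that Edge reads machine policy from HKLM:\SOFTWARE\Policies\Microsoft\Edge (where both Group Policy and the Intune settings catalog land), that the "Restrict which accounts can be used to sign in to Microsoft Edge" setting is the policy named RestrictSigninToPattern, and that its value is a regular expression; the Test-EdgeSigninAllowed function does a plain regex match to illustrate how the pattern behaves, not Edge's exact matching code. The function names and the sample accounts are this example's own.

```powershell
# Added example (not from the original post): read ExtensionInstallBlocklist and
# RestrictSigninToPattern from the Edge policy hive and flag the gap the post describes.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeExtensionBlocklist {
    $key = Join-Path $edgePolicy 'ExtensionInstallBlocklist'
    if (-not (Test-Path $key)) { return @() }
    # List policies are stored as numbered values under the key: 1 = "*", 2 = "<ext id>", ...
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

function Get-EdgeSigninPattern {
    (Get-ItemProperty $edgePolicy -Name RestrictSigninToPattern -ErrorAction SilentlyContinue).RestrictSigninToPattern
}

function Test-EdgeSigninAllowed {
    param([Parameter(Mandatory)][string]$Account, [string]$Pattern = (Get-EdgeSigninPattern))
    if ([string]::IsNullOrEmpty($Pattern)) { return $true }   # no policy: any account may sign in
    return [regex]::Match($Account, $Pattern, 'IgnoreCase').Success
}

$blocklist = Get-EdgeExtensionBlocklist
$pattern   = Get-EdgeSigninPattern
Write-Output ('ExtensionInstallBlocklist : ' + $(if ($blocklist) { $blocklist -join ', ' } else { '<not set>' }))
Write-Output ('RestrictSigninToPattern   : ' + $(if ($pattern)   { $pattern }              else { '<not set>' }))
if ($blocklist -contains '*' -and -not $pattern) {
    Write-Warning 'All extensions are blocked for the work profile, but a personal (MSA) profile on this device can still install them.'
}

# Constructed accounts checked against the pattern from the post.
$postPattern = '.*@osddeployment.dk'
foreach ($acct in 'per@osddeployment.dk', 'someone@outlook.com', 'x@osddeploymentXdk') {
    '{0,-25} allowed: {1}' -f $acct, (Test-EdgeSigninAllowed -Account $acct -Pattern $postPattern)
}
```

The third constructed account shows why the pattern is worth tightening: in a regular expression an unescaped `.` matches any character, so `.*@osddeployment\.dk$` only admits the intended domain.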
If you have requirements on which browser extensions your end users are allowed to install on their devices, it might be a good idea to also restrict who is allowed to sign in to your Microsoft Edge browser.
I have just shown you one way to do that with Microsoft Intune.
Per works as a Senior Product Manager for Microsoft Endpoint Manager in the Customer Acceleration Team, Commercial Management Experiences (CxP) Engineering, where we take learnings from Microsoft’s largest and most strategic customers back into the rest of engineering to drive improvements into the service, so our customers have a continuously improving product experience. We also help customers deploy and adopt Microsoft Intune and the Intune Suite. Per primarily focuses on management and security of Windows and special devices like HoloLens 2, Surface Hub and Microsoft Teams Rooms systems.
I’m also a former MVP in Enterprise Mobility, awarded for the first time on 1 July 2016; it ended when I joined Microsoft on 1 April 2018.
All blog postings are provided “AS IS” with no warranties and are not supported by the author. All trademarks and copyrights belong to their owners and are used for identification only. Also, the views expressed on this website/blog are mine alone and do not reflect the views of my company.