Preventing installation of apps from outside the Store
In Windows 10 Creators Update, if you navigate to Settings > Apps > Apps & features, you can see app installing options. Here, you can choose from the following three options:
Allow apps from anywhere
Warn me before installing apps from outside the Store
Allow apps from the Store only
This is the message users are shown when “Allow apps from the Store only” is selected:
App Install Control can also be configured with the following Group Policy setting:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender SmartScreen -> Explorer -> Configure App install Control
App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.
If you enable this setting, users will only be able to install apps from the Store.
If you disable this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.
If you do not configure this setting, users will be able to choose their own setting for App Install Control.
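To check the state of this policy on a device (for example from an audit script before and after the GPO is applied), the following is an added example and not code from the original post. It assumes the GPO stores its state as the two values below under the SmartScreen policy key; confirm the names against a machine where the GPO has been applied before relying on them.

```powershell
# Added example, not from the original post: inspect, set or clear the App Install Control
# policy that the "Configure App Install Control" GPO writes, so the setting can be verified
# on a device. Assumption: the GPO keeps its state in the two values below under the
# SmartScreen policy key; confirm on a machine where the GPO has been applied.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'

function Get-AppInstallControlPolicy {
    # Returns $null when the policy is "Not configured" (users pick their own setting).
    if (-not (Test-Path -Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    if ($null -eq $p.ConfigureAppInstallControlEnabled) { return $null }
    [pscustomobject]@{
        Enabled = ($p.ConfigureAppInstallControlEnabled -eq 1)
        # Expected strings: Anywhere | Recommendations | PreferStore | StoreOnly (assumption)
        Mode    = [string]$p.ConfigureAppInstallControl
    }
}

function Set-AppInstallControlPolicy {
    # Mirrors "Enabled" in the GPO with the chosen option. Requires an elevated prompt.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Anywhere', 'Recommendations', 'PreferStore', 'StoreOnly')]
        [string]$Mode
    )
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name ConfigureAppInstallControlEnabled -Type DWord  -Value 1
    Set-ItemProperty -Path $PolicyKey -Name ConfigureAppInstallControl        -Type String -Value $Mode
}

function Clear-AppInstallControlPolicy {
    # Mirrors "Not configured": removes the policy values so the user's own setting applies again.
    if (Test-Path -Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name ConfigureAppInstallControlEnabled, ConfigureAppInstallControl -ErrorAction SilentlyContinue
    }
}

function Test-StoreOnlyEnforced {
    # Compliance check: $true only when the policy is enabled and set to "Store only".
    $policy = Get-AppInstallControlPolicy
    return ($null -ne $policy -and $policy.Enabled -and $policy.Mode -eq 'StoreOnly')
}

# Usage on a test machine:
#   Set-AppInstallControlPolicy -Mode StoreOnly
#   Test-StoreOnlyEnforced        # expected: $true
#   Clear-AppInstallControlPolicy
```

Test-StoreOnlyEnforced only tells you what the policy says; as the test below shows, it is still worth checking what the device actually lets an administrator install.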
With the policy enabled it is not possible for the end user to change the setting or install applications from anywhere other than the Windows Store.
After the policy was applied I tested whether it is possible to install an Appx and an MSI file.
When installing the Appx files from an elevated PowerShell prompt, it is possible to install a modern application that is not from the Windows Store.
When installing the MSI files from an elevated PowerShell prompt, it is not possible to install the MSI file.
In the world we are living in now, security is the most important topic when we are talking about information technology. We need to look more into helping our end users be more secure on all their devices. In this blog post I will cover how to easily implement AppLocker policies that help the end user not to run apps or scripts that are not approved by the IT department. I have seen many companies trying to implement a blacklist of apps that are not allowed to run on a device, but that does not help against the threat of malware or ransomware being activated. Using a whitelist you are in control of what can be executed on your device, but figuring out what you need to whitelist in your organisation can be difficult, so AaronLocker is an easy way to get started.
In this blog post I will walk through how to implement it with Microsoft Intune. It only applies to Windows 10, as Windows 7 and Windows Server do not have a built-in MDM stack.
From the AaronLocker docs: AaronLocker’s strategy can be summed up as: if a non-admin could have put a program or script onto the computer – i.e., it is in a user-writable directory – don’t allow it to execute unless it has already been specifically allowed by an administrator. This will stop execution if a user is tricked into downloading malware, if an exploitable vulnerability in a program the user is running tries to put malware on the computer, or if a user intentionally tries to download and run unauthorized programs.
AaronLocker is created by Aaron Margosis (@AaronMargosis) from Microsoft Cybersecurity Services. The AaronLocker docs contain a guide on how to implement it with GPO, so I will not cover that in this blog post. Please read the AaronLocker docs before implementing it in your production environment.
First you need to create the AppLocker files:
You can use the AppLocker wizard as described in the AppLocker docs,
or you can just run Create-Policies.ps1 from the AaronLocker toolkit.
After the script is done running you will get “AppLockerRules-%date%-Audit.xml” and “AppLockerRules-%date%-Enforce.xml”, which are perfect for using directly with a GPO, but with Intune you need to split them up into separate files, one per section.
In my case the files were in encoding=”utf-16″, so I had to change them to UTF-8 before uploading to Intune.
Note: The AppLocker XML files need to be in UTF-8 encoding when uploading to Intune.
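The splitting and re-encoding can be scripted instead of done by hand in an editor. The following is an added example, not part of the AaronLocker toolkit or the original post: it reads the AppLockerRules XML that Create-Policies.ps1 produced, writes one UTF-8 (no BOM) file per RuleCollection, and prints the matching OMA-URI. The OMA-URI shape and the Grouping name are assumptions taken from the AppLocker CSP documentation; check them against the CSP reference for your Windows build.

```powershell
# Added example, not part of AaronLocker or the original post: split an AppLockerRules-*.xml
# produced by Create-Policies.ps1 into one UTF-8 file per RuleCollection, which is the form
# the Intune AppLocker CSP expects (one <RuleCollection> per custom OMA-URI, data type String).
param(
    [Parameter(Mandatory)][string]$PolicyXml,          # e.g. .\AppLockerRules-20190101-Enforce.xml
    [string]$OutDir = (Join-Path (Split-Path -Path $PolicyXml -Parent) 'IntuneSplit')
)

# RuleCollection Type -> node name in the AppLocker CSP. Assumption: the OMA-URI shape is
# ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/<Node>/Policy where
# <Grouping> is a name of your choice (here 'AaronLocker'). Verify against the CSP reference.
$CspNode  = @{ Exe = 'EXE'; Msi = 'MSI'; Script = 'Script'; Appx = 'StoreApps'; Dll = 'DLL' }
$Grouping = 'AaronLocker'

# Get-Content honours the UTF-16 byte-order mark in the source file, so the [xml] cast
# sees correct text regardless of the declared encoding.
$doc = [xml](Get-Content -Path $PolicyXml -Raw)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Intune wants UTF-8; Out-File -Encoding utf8 on Windows PowerShell adds a BOM, so use .NET directly.
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)

foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $type = $rc.Type
    if (-not $CspNode.ContainsKey($type)) {
        Write-Warning "Skipping unknown RuleCollection type '$type'"
        continue
    }
    $ruleCount = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    $outFile   = Join-Path $OutDir ('{0}-{1}.xml' -f $type, $rc.EnforcementMode)

    # OuterXml is exactly the <RuleCollection ...>...</RuleCollection> element the CSP expects.
    [System.IO.File]::WriteAllText($outFile, $rc.OuterXml, $utf8NoBom)

    [pscustomobject]@{
        Type        = $type
        Enforcement = $rc.EnforcementMode          # Enabled | AuditOnly | NotConfigured
        Rules       = $ruleCount
        File        = $outFile
        OmaUri      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/$($CspNode[$type])/Policy"
    }
}
```

Run it once against the Audit XML and once against the Enforce XML; each resulting file is pasted into one custom OMA-URI setting in the profile described below.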
How to leverage AaronLocker on an Intune managed device:
In this blog post I only show the “AaronLocker – Enforce” policy; you should always create an “AaronLocker – Audit” policy and deploy it to a test group before deploying the enforce policy in production.
Start Microsoft Endpoint Manager admin Center
Click Devices
Click Windows
Click Configuration profiles
Click Create profile
Enter name : AaronLocker – Enforce
Enter Description : AaronLocker Enforce policy
Platform : Windows 10 and later
Profile type : Custom
Click Setting
Click Add
Name: AaronLocker Store Apps
Description : AaronLocker configuration for inbox Microsoft store applications
When we are doing modern management of Windows 10 devices with Azure AD, we sometimes miss the easy way of doing things we had with Group Policy Preferences, but in Intune we have the Intune Management Extension, previously known as Project Sidecar. Basically it is just a way to run a PowerShell script once on an Intune managed device.
To silently configure OneDrive for Business there are some prerequisites:
The device needs to be Azure AD joined or hybrid Azure AD joined
You need to run the latest version of OneDrive for Business to ensure that it works correctly
The user needs a OneDrive for Business license
We only need to set some registry keys to get this working, but there is no native way of manipulating the registry with Intune, so we just do it with PowerShell.
The 3 regkeys we need to add are:
HKCU:\SOFTWARE\Microsoft\OneDrive\EnableADAL
This one enables ADAL for OneDrive for Business; it needs to be set in the user context.
This one enables Files On-Demand; it only works on Windows 10 1709, and it needs to be set in the computer context.
On a Windows 10 device that is Azure AD joined and Intune managed, the Intune Management Extension is the easy way to set up OneDrive for Business with Silent Account Configuration.
Start by creating two PowerShell scripts, one for HKCU and one for HKLM.
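What those two scripts can look like, as an added example rather than the post's own scripts: one function per Intune script, a shared helper that writes and reads back each DWORD, and a prerequisite check for the Azure AD join. EnableADAL is the value named above; SilentAccountConfig and FilesOnDemandEnabled are the documented OneDrive policy values for the two features the post describes, and it is an assumption that your OneDrive client is recent enough to honour them.

```powershell
# Added example, not the scripts from the post. Set-OneDriveUserKeys goes into the Intune
# script deployed with "Run this script using the logged on credentials = Yes" (HKCU);
# Set-OneDriveMachineKeys into the one deployed with "No" (runs as SYSTEM, HKLM).
# EnableADAL is named in the post; SilentAccountConfig and FilesOnDemandEnabled are the
# documented OneDrive policy values for Silent Account Configuration and Files On-Demand
# (assumption: the installed OneDrive client supports them).

function Set-RegistryDword {
    # Creates the key if missing, writes the value and returns $true only if it reads back correctly.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $Value
    return ((Get-ItemProperty -Path $Path -Name $Name).$Name -eq $Value)
}

function Test-AzureAdJoined {
    # Prerequisite from the post: the device must be Azure AD joined (or hybrid joined).
    $status = dsregcmd /status
    return [bool]($status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')
}

function Set-OneDriveUserKeys {
    # Script 1, user context: lets the client sign in silently with the user's Azure AD token.
    return (Set-RegistryDword -Path 'HKCU:\SOFTWARE\Microsoft\OneDrive' -Name 'EnableADAL' -Value 1)
}

function Set-OneDriveMachineKeys {
    # Script 2, computer context: Silent Account Configuration plus Files On-Demand
    # (the latter only takes effect on Windows 10 1709, as the post notes).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $ok  = Set-RegistryDword -Path $key -Name 'SilentAccountConfig'  -Value 1
    $ok  = (Set-RegistryDword -Path $key -Name 'FilesOnDemandEnabled' -Value 1) -and $ok
    return $ok
}

# Each Intune script file contains the helpers above plus exactly one of the two calls.
if (-not (Test-AzureAdJoined)) {
    Write-Warning 'Device is not Azure AD joined; Silent Account Configuration will not work.'
    exit 1
}
# Set-OneDriveUserKeys      # -> OneDrive-HKCU.ps1 (logged-on credentials = Yes)
# Set-OneDriveMachineKeys   # -> OneDrive-HKLM.ps1 (logged-on credentials = No)
```

Returning a boolean from each function makes the exit code meaningful: ending the script with `if (-not (Set-OneDriveMachineKeys)) { exit 1 }` lets Intune report the failure instead of marking the script as succeeded.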
The Autopilot hardware hash is a mystery to many IT admins; I often get questions about what data the hardware hash contains. In my work with Windows Autopilot over the last year I have also found some different diagnostic tools that I have tried to get into this blog post. I hope to help others who have to answer questions about how Autopilot works; there are a lot of great answers in the diagnostic tools that are built into Windows 10.
When we look at what information is in the Autopilot hardware hash, we also get an idea of why we need a new hardware hash after a motherboard replacement.
The minimum requirement for unique values in the SMBIOS:
ProductKeyID
SmbiosSystemManufacturer
SmbiosSystemProductName
SmbiosSystemSerialNumber
SmbiosSkuNumber
SmbiosSystemFamily
MacAddress
SmbiosUuid
DiskSerialNumber
TPM EkPub
Where is Windows Autopilot device information stored?
Windows Autopilot data is stored in the United States (US), and not in the region where your AAD tenant is placed. It is not customer data that is stored, but business data which enables Microsoft to provide a service.
First you need to download the Windows ADK from https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install. Note: you need to use at least ADK version 1703 or above.
After installation of the Microsoft ADK you can find the tool you need here:
C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe
If you run the command: oa3tool.exe /DecodeHwHash=
then you get the result of what is stored in the hardware hash.
If you are troubleshooting Windows Autopilot after RS5 you can use MdmDiagnosticsTool.exe with the parameters -area and -cab (at this moment, when I point to a location where my export files need to be placed, they all end up in %Temp%).
It creates a lot of useful log files. On the Windows 10 RS6 Insider build it also includes the Windows Autopilot .csv export to import directly into the Autopilot service (tested on build 18298).
An example is the MDMDiagReport.xml
Before Windows 10 RS5 (it also works on RS5), Licensingdiag.exe is the tool to get diagnostic data from your device.
Then you get a lot of useful log files.
An example is the AutoPilotDiagEvent.evtx
More info on the MdmDiagnosticsTool.exe:
Usage1: C:\WINDOWS\system32\MdmDiagnosticsTool.exe -out
* Output MDM diagnostics info only to given folder path specified in -out parameter.
eg: C:\WINDOWS\system32\MdmDiagnosticsTool.exe -out c:\temp\outputfolder
Usage2: C:\WINDOWS\system32\MdmDiagnosticsTool.exe -area -cab
* Collect predefined area logs and create a log cab to given cab file.
* Supported area name example: Autopilot DeviceProvisioning Tpm
* It also supports multiple areas, separated by ';', example: Autopilot;DeviceEnrollment;Tpm
* Please find all possible areas in registry under: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics\Area
eg: C:\WINDOWS\system32\MdmDiagnosticsTool.exe -area Autopilot;Tpm -cab c:\temp\AutopilotDiag.cab
Usage3: C:\WINDOWS\system32\MdmDiagnosticsTool.exe -area -zip
* Collect predefined area logs and create a log zip to given zip file. Areas supported are the same as Usage2 for creating cab
Usage4: C:\WINDOWS\system32\MdmDiagnosticsTool.exe -xml -zip -server
* Collect information specified in the xml and create a log zip to given zip file.
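To put the two tools together, here is an added example (not from the post) that decodes a hardware hash taken from a Get-WindowsAutoPilotInfo.ps1 CSV, checks that each of the SMBIOS fields listed earlier is present and non-empty, and collects the Autopilot and TPM diagnostic areas with MdmDiagnosticsTool.exe. It assumes oa3tool.exe is at the ADK path quoted above and that the decoded report is XML whose values are elements with n="Name" and v="Value" attributes (the layout I have observed from /DecodeHwHash; adjust the XPath if your tool version differs).

```powershell
# Added example, not from the post: wrappers around oa3tool.exe /DecodeHwHash and
# MdmDiagnosticsTool.exe. Assumptions: oa3tool.exe is at the ADK path quoted in the post;
# the decoded report is XML in which each value is an element carrying n="Name" and
# v="Value" attributes (adjust the XPath in ConvertFrom-HardwareHash if yours differs).
$Oa3Tool = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Licensing\OA30\oa3tool.exe'
$MdmDiag = "$env:windir\System32\MdmDiagnosticsTool.exe"

# The fields the post lists as the minimum set of unique SMBIOS values.
$RequiredFields = 'ProductKeyID', 'SmbiosSystemManufacturer', 'SmbiosSystemProductName',
    'SmbiosSystemSerialNumber', 'SmbiosSkuNumber', 'SmbiosSystemFamily', 'MacAddress',
    'SmbiosUuid', 'DiskSerialNumber', 'TPM EkPub'

function Get-AutopilotHashFromCsv {
    # Reads the hash out of a Get-WindowsAutoPilotInfo.ps1 export (column "Hardware Hash").
    param([Parameter(Mandatory)][string]$Path)
    return (Import-Csv -Path $Path | Select-Object -First 1).'Hardware Hash'
}

function ConvertFrom-HardwareHash {
    # Runs oa3tool /DecodeHwHash and returns an ordered Name -> Value table.
    param([Parameter(Mandatory)][string]$Hash)
    $raw      = & $Oa3Tool "/DecodeHwHash=$Hash" 2>&1 | Out-String
    $xmlStart = $raw.IndexOf('<')                    # skip any banner lines before the XML
    if ($xmlStart -lt 0) { throw "oa3tool returned no XML:`n$raw" }
    $doc   = [xml]$raw.Substring($xmlStart)
    $table = [ordered]@{}
    foreach ($node in $doc.SelectNodes('//*[@n and @v]')) { $table[$node.n] = $node.v }
    return $table
}

function Test-HardwareHashFields {
    # Reports each required field as ok, EMPTY or MISSING. Names are compared ignoring
    # case and punctuation so the post's "TPM EkPub" also matches a "TpmEkPub" attribute.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Decoded)
    $norm = @{}
    foreach ($k in $Decoded.Keys) { $norm[($k -replace '[^A-Za-z0-9]', '').ToLower()] = $Decoded[$k] }
    foreach ($f in $RequiredFields) {
        $key   = ($f -replace '[^A-Za-z0-9]', '').ToLower()
        $state = if (-not $norm.ContainsKey($key)) { 'MISSING' }
                 elseif ([string]::IsNullOrWhiteSpace($norm[$key])) { 'EMPTY' }
                 else { 'ok' }
        [pscustomobject]@{ Field = $f; State = $state }
    }
}

function Export-AutopilotDiagnostics {
    # Usage2 from the MdmDiagnosticsTool help above: Autopilot and TPM areas into one .cab.
    param([string]$CabPath = "$env:TEMP\AutopilotDiag.cab")
    & $MdmDiag -area 'Autopilot;Tpm' -cab $CabPath
    return (Test-Path -Path $CabPath)
}

# Usage:
#   $decoded = ConvertFrom-HardwareHash -Hash (Get-AutopilotHashFromCsv -Path .\Autopilot.csv)
#   Test-HardwareHashFields -Decoded $decoded | Format-Table
#   Export-AutopilotDiagnostics
```

A device whose decoded hash shows EMPTY for SmbiosSystemSerialNumber or SmbiosUuid is the classic case where Autopilot registration fails or collides with another device, and the motherboard-replacement scenario above is what makes DiskSerialNumber, MacAddress and TPM EkPub change so that a new hash must be uploaded.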
More info on the Oa3tool.exe
When you run oa3tool.exe with /? you get this information:
OEM Activation Tool 3.0
(c) Copyright 2018 Microsoft Corp.
DESCRIPTION: The OEM Activation Tool 3.0 assembles, reports, and returns a unique identifier used for the activation of OEM computers, while on the factory floor. The identifier is based on several things, including the product key, the hardware hash, the OEM ID, and any additional OEM and Microsoft information, including language, programs, and so on.
OEM Activation Tool 3.0 OPTIONS:
/Assemble – Retrieves the product key value from the Key Provider, and then assembles the MSDM binary file (OA3.bin) and the XML (OA3.xml) file.
/Report – Creates the OA3.xml and generates the hardware hash, and reports the OEM Activation Tool 3.0 information back to the Key Provider.
/Return – Returns the OEM Activation Tool 3.0 information to the Key Provider.
Diagnostic Specific:
/CheckHwHash – Compares and validates the reported hardware hash.
/DecodeHwHash – Decodes base64-encoded element from a report file to XML.
/CheckEdition – Compares and validates the edition of the injected key against the edition of the shipping Windows.
/Validate – Performs a validation pass to ensure that the MSDM table exists, that the MSDM table header includes all of the required fields, and that the MSDM table entries exist and conform to the correct formats.
/ValidateSMBIOS – The TotalPhysicalRAM and PrimaryDiskTypeCapacity values are obtained from the SMBIOS structures of the device. It is the responsibility of the OEMs to properly initialize these structures. To validate that these structures are properly initialized.
/VerifyHwSpec – Verifies that the device hardware configuration meets the specification requirements.
Configuration File Information:
/ConfigFile – Specifies the name and location of the OEM Activation 3.0 Tool configuration file. This file includes the Key Provider information and the destination location for the OA3.bin and OA3.xml files.
Read more:
Windows Autopilot FAQ
Windows Autopilot support information
Due to GDPR I have customers asking for this one: how to manage and/or prevent sync of contact information into the native contacts apps. In this blog post I will not go into what data falls under GDPR or other regulation, or why; that is up to each company to figure out. But sometimes it is also internal security policy that does not allow customer data from the corporate address book to be stored without any kind of control.
The native contacts app on iOS and Android is allowed to take backups to iCloud or Google backup. When company data leaves the device, we as a company no longer have control over it. So we help the end user by using Intune MAM with Conditional Access to ensure that they only use approved apps like Outlook mobile on iOS or Android.
In this blog post I will show how to manage the contact information inside Outlook mobile, not how to configure MAM and Conditional Access.
The reason for starting to use Outlook Mobile with Intune MAM is mainly security. After applying the MAM policy to your users they will get the policy at the next login to Outlook, no matter whether their device is enrolled or not. As soon as the policy applies to the app, the IT department has control over the containerized company data and can remotely wipe it without removing other data on the device like personal pictures, personal mails etc.
All the Intune app protection policies work even if you have a third-party MDM solution, because you can do it without enrollment.
How to configure the contact sync:
Inside the app protection policy in Intune, in the Data protection section
Dashboard -> Client apps – App protection policies -> Intune App Protection – Properties -> Data protection
you can enable or disable “Sync app with native contacts app”.
If you enable contact sync, you may want to do it more granularly.
So you need to create an App configuration policy:
Click Client apps
Click App protection policies
Click Add
Name : “Outlook Configuration”
Device enrollment type : select “Managed apps”
Click Associated app
Select Outlook for both iOS and Android if you want the same behavior on both platforms
Click “Configuration Settings”
Enter
Name : com.microsoft.outlook.ContactSync.AddressAllowed
Value : false
Enter
Name : com.microsoft.outlook.ContactSync.BirthdayAllowed
Value : false
You can enter all the different settings that you want to configure for the Outlook Mobile app here.
Then you just need to assign it to the users that need these settings.
The biggest advantage of this feature is that it does not require your end user to be enrolled, just to have the managed Outlook installed; by logging in to the app the policy will apply.
What is the end user experience?
I will show 3 different user experiences.
The first one, where the end user is not allowed to sync contacts at all: the option is completely removed from the UI in Outlook mobile.
The second one, where the end user is allowed to sync contacts but addresses are blocked from being synced.
The third one, where the end user is allowed to sync contacts but address and birthday are blocked from being synced.
Happy deployment
Read more:
Configure Contact Field Sync to native Contacts for Outlook for iOS and Android
First, if you are already using the Adobe Acrobat Reader Intune mobile app, it is a good idea to start removing it from your end users' devices and deploy Adobe Reader instead.
Adobe has built the Intune SDK into the “normal” Adobe Reader mobile app.
Adobe will discontinue support for the Adobe Acrobat Reader Intune mobile app on November 30, 2019. All customers must migrate to Adobe Acrobat Reader mobile app, which now supports Microsoft Intune, to continue working in Acrobat on the go.
What does this mean for you if you are starting to manage Adobe Reader on iOS and Android? Moving forward you don’t need to instruct your users to download a special version of Adobe Reader, where the only way the end user can see the difference is a small icon in the top left corner.
Note: It may be a good idea to create an uninstall of Adobe Reader for Intune on your managed devices, or at least inform your end users that they need to use the “normal” Adobe Reader for iOS/Android.
What can Intune do with Intune app protection on Adobe Reader?
Disabling copying
Disabling printing
Disabling save to untrusted location
How to configure Intune App Protection for Adobe Reader:
If you are already using Intune App Protection it is easy to add Adobe Reader to your Intune managed apps; all you need to do is add Adobe Reader as a targeted app in your Intune App Protection policy.
Then you have Acrobat Reader in your app protection container, protected with the properties that you have configured.
If you also want to block the end user from saving into Adobe Cloud you need an extra Intune app configuration policy:
Click Client Apps
Click App configuration policies
Click Add
Enter a Name – Adobe Reader App configuration
Select Device enrollment type : Managed apps
Click Associated apps
Select Adobe Reader on Android and iOS/iPadOS
Click Configuration settings
Enter name : allowDocumentCloudFSAndServicesAccess
Enter value : false
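Both app configuration policies on this page (the Outlook contact-sync keys and the Adobe Reader allowDocumentCloudFSAndServicesAccess key) are the same object type in Microsoft Graph, so they can be created from a script instead of by clicking through the portal. The following is an added example and not code from the post or from Microsoft; it uses the Microsoft.Graph PowerShell module and the beta targetedManagedAppConfigurations resource. The iOS bundle IDs and Android package names are assumptions; verify them against the app entries in your tenant's Client apps blade before use.

```powershell
# Added example, not from the post: create managed-app (MAM) configuration policies through
# Microsoft Graph. Assumptions: Microsoft.Graph module installed; DeviceManagementApps.ReadWrite.All
# consented; the app identifiers below match the Outlook and Acrobat Reader apps in your tenant.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$GraphBase = 'https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations'

function New-AppIdentifier {
    # Builds the managedMobileApp object Graph expects for one platform of an app.
    param(
        [Parameter(Mandatory)][ValidateSet('ios', 'android')][string]$Platform,
        [Parameter(Mandatory)][string]$Id
    )
    $ident = if ($Platform -eq 'ios') {
        @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = $Id }
    } else {
        @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = $Id }
    }
    return @{ '@odata.type' = '#microsoft.graph.managedMobileApp'; mobileAppIdentifier = $ident }
}

function New-ManagedAppConfig {
    # Creates the policy ("Device enrollment type: Managed apps" in the portal) and attaches the apps.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$Description = '',
        [Parameter(Mandatory)][hashtable]$Settings,   # configuration key -> value (strings)
        [Parameter(Mandatory)][object[]]$Apps         # output of New-AppIdentifier
    )
    $body = @{
        '@odata.type'  = '#microsoft.graph.targetedManagedAppConfiguration'
        displayName    = $DisplayName
        description    = $Description
        customSettings = @($Settings.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = [string]$_.Value } })
    }
    $policy = Invoke-MgGraphRequest -Method POST -Uri $GraphBase -Body $body
    # Apps are associated with the targetApps action on the newly created policy.
    Invoke-MgGraphRequest -Method POST -Uri "$GraphBase/$($policy.id)/targetApps" -Body @{ apps = $Apps } | Out-Null
    return $policy
}

# Outlook: keep contact sync but block address and birthday fields (keys from the post).
New-ManagedAppConfig -DisplayName 'Outlook Configuration' -Settings @{
    'com.microsoft.outlook.ContactSync.AddressAllowed'  = 'false'
    'com.microsoft.outlook.ContactSync.BirthdayAllowed' = 'false'
} -Apps @(
    (New-AppIdentifier -Platform ios     -Id 'com.microsoft.Office.Outlook')   # assumption
    (New-AppIdentifier -Platform android -Id 'com.microsoft.office.outlook')   # assumption
)

# Acrobat Reader: block saving to Adobe Document Cloud (key from the post).
New-ManagedAppConfig -DisplayName 'Adobe Reader App configuration' -Settings @{
    allowDocumentCloudFSAndServicesAccess = 'false'
} -Apps @(
    (New-AppIdentifier -Platform ios     -Id 'com.adobe.Adobe-Reader')   # assumption
    (New-AppIdentifier -Platform android -Id 'com.adobe.reader')         # assumption
)
```

The policies still need a group assignment (the "assign it to your users" step) before they take effect; keeping them in a script also gives you a reviewable record of which data-protection keys were set and when.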
How about the end user experience?
I will divide this section into two, one for Android and one for iOS. In my personal opinion the end user experience is way better on Android than on iOS. The reason is that the end user doesn't need to take any action on Android, whereas on iOS the end user needs to enroll Adobe Reader for Intune app protection themselves.
Android:
For Android it is easy to get the App protection policy applied to Adobe Reader.
Just install Adobe Reader on your Android device, and if you are already using an app with the App protection policy applied to it (Outlook is one example),
you will be prompted “Your organization protects data in this app”. Click OK.
In the Adobe Reader app
Click on the icon with the head
To ensure that the app is under Intune management you can check by:
Looking at the enrollment status for Adobe Reader
When you open a .pdf file on your Android device,
try to copy something to the clipboard,
start an unmanaged app (in my case the Samsung Notes app),
paste the text you copied before and you get this response: “Your organization’s data cannot be pasted here”.
iOS:
iOS is not as end user friendly as Android, so it requires some information to your end users. Once your end user has enrolled Adobe Reader into Intune, the experience is similar to the one on Android.
First of all Adobe Reader needs to be installed on the end user's iPhone or iPad; when the app is started for the first time you will be met by this welcome screen.
Click on the X to continue
Then Adobe Reader is working without any Intune integration – you need to enroll the app into Intune.
Click on the icon in the top right corner with the head on it
Click Preferences
Click the Enroll button
You now need to sign in with your corporate account
Click next and enter your password
Now Adobe Reader will check for the App protection policy: “Checking your organization’s data access requirements for this app”
Note: Asking to set a device passcode only happens if you do not have a passcode on your device.
Click OK, set up your device passcode and reopen the app.
If you already had setup a device passcode, you will only be prompted for:
Your IT administrator is now helping you protect work or school data in this app
Then you have to configure the PIN as stated in your App protection policy
Afterwards, if you use the built-in copy feature
and paste in the built-in Notes app,
you will get the “Your organization’s data cannot be pasted here” message
Happy testing
Read more:
End of life | Adobe Acrobat Reader Intune app for iOS and Android
Adobe Reader – Enterprise Mobility Management
Adobe Acrobat chooses Microsoft 365 for built-in app protection