Conditional access and Outlook on the web for Exchange Online

This week a blog post about conditional access. More specifically, about conditional access and enforced restrictions with Outlook on the web for Exchange Online. This can be used to provide users with access to Outlook on the web, but still protect company data. That can be achieved by configuring a limited experience for users with regards to attachments. The enforced restrictions can enable a read only option for attachments in the browser and can completely block attachments in the browser. In this post I’ll walk through the required configurations, with the focus on conditional access, and I’ll show the end-user experience.

Configuration

Let’s start with looking at the configuration. The main focus in the configuration is conditional access, but as that configuration has no use without configuring the Outlook on the web mailbox policies, I’ll also provide the main configuration options from an Exchange Online perspective.

Exchange Online configuration

The most important and only configuration, from an Exchange Online perspective, is to configure the Outlook on the web mailbox policy. That configuration must be done by using PowerShell. When there is an Outlook on the web mailbox policy, the required cmdlet is Set-OwaMailboxPolicy. That cmdlet contains the parameter ConditionalAccessPolicy. That parameter can be used to specify the Outlook on the web mailbox policy for limited access and can have the following values:

  • Off: This value means that no conditional access policy is applied to Outlook on the web;
  • ReadOnly: This value means that users can’t download attachments to their local computer, and can’t enable offline mode on non-compliant computers;
  • ReadOnlyPlusAttachmentsBlocked: This value means that all restrictions from ReadOnly apply, but that users can’t view attachments in the browser.

Note: In the end-user experience section, I’ll show the experience for both values.

Conditional access configuration

Once the conditional access policy configuration is in place for the Outlook on the web mailbox policy, it’s time to look at the actual conditional access configuration in Azure AD. The following eight steps walk through the steps to create a conditional access policy that will require multi-factor authentication and enforce a restriction on Outlook on the web, for devices that are not hybrid Azure AD joined and that are not compliant.

1 Open the Azure portal and navigate to Microsoft Intune > Conditional access > Policies or to Azure Active Directory > Conditional access > Policies;;
2 On the Policies blade, click New policy to open the New blade;
3

OOTW-UsersGroupsOn the New blade, select the Users and groups assignment to open the Users and groups blade. On the Users and groups blade, select All users and click Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to all users.

4

OOTW-CloudAppsOn the New blade, select the Cloud apps assignment to open the Cloud apps blade. On the Cloud apps blade, select Select apps > Office 365 Exchange Online and click Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to Exchange Online.

5a

OOTW-DevicePlatformsOn the New blade, select the Conditions assignment to open the Conditions blade. On the Conditions blade, select Device platforms to open the Device platforms blade. On the Device platforms blade, click Yes with Configure, select All platforms (including unsupported) and click Done to return to the Conditions blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to all platforms.

5b

OOTW-ClientAppsBack on the Conditions blade, select Client apps (preview) to open the Client apps (preview) blade. On the Client apps (preview) blade, click Yes with Configure, select Browser and click Done to return to the Conditions blade;

Explanation: This configuration will make sure that this conditional access policy is applicable to browser sessions.

5c

OOTW-DeviceStateBack on the Conditions blade, select Device state (preview) to open the Device state (preview) blade. On the Device state (preview) blade, click Yes with Configure, select Device Hybrid Azure AD joined and Device marked as compliant on the Exclude tab and click Done and Done;

Explanation: This configuration will make sure that this conditional access policy is applicable to unmanged devices, by excluding hybrid Azure AD joined and compliant devices (which are both considered managed).

6

OOTW-GrantOn the New blade, select the Grant access control to open the Grant blade. On the Grant blade, select Grant access > Require multi-factor authentication and click Select;

Explanation: This configuration will make sure that this conditional access policy will require multi-factor authentication .

7

OOTW-SessionOn the New blade, select the Session access control to open the Session blade. On the Session blade, select Use app enforced restrictions and click Select;

Explanation: This configuration will make sure that this conditional access policy will enforce the configured restrictions in Outlook on the web for Exchange Online..

8 Open the New blade, select On with Enable policy and click Create;

End-user experience

Let’s end this post by looking at the end-user experience, for both configurable values for the Outlook on the web mailbox policy for limited access. When using an unmanaged device the user must user multi-factor authentication, which will be followed by the experiences showed below.

The first value is the ReadOnly value, which forces read only restrictions to any email attachment. Besides that it also prevents users from saving the attachments locally, as it only allows the user to save the attachments to OneDrive. Below is an example of that behavior. It also shows on top of the mail that the user is notified about the limited experience.

OutlookOTW-ReadOnly

The second value is the ReadOnlyPlusAttachmentsBlocked value, which forces email attachments to be blocked from being opened via Outlook on the web. Basically it prevents any interaction with the attachment. Below is an example of that behavior. It also shows on top of the mail that the user is notified about the limited experience.

OutlookOTW-ReadOnlyPlusAttachmentsBlocked

Note: This behavior does require disciplined users, as these type of limitations in the user experience might trigger users to forward messages to another account.

More information

For more information about conditional access in combination with Outlook on the web for Exchange Online, please refer to the following articles:

Quick tip: Intune Diagnostics for App Protection Policies via about:intunehelp

This week a relatively short blog post about a feature that already exists for a long time, but that is not that known. That feature is the Intune Diagnostics for App Protection Policies (APP). The Intune Diagnostics can be really useful with troubleshooting APP. Especially when looking at APP for apps on unmanaged devices.  The Intune Diagnostics provides information about the device, provides the ability to collect logs and provides the ability to look at the applied APP for the different apps. The Intune Diagnostics can be accessed on iOS devices, by using the Intune Managed Browser or by using Microsoft Edge. In this post I’ll only look at the experience when with the Intune Diagnostics.

The experience

Let’s start at the beginning, which is to get to the Intune Diagnostics. This can be achieved by opening the Intune Managed Browser or Microsoft Edge and simply type about:intunehelp as the address. That will open the Intune Diagnostics page, as shown below. The Intune Diagnostics page contains two sections, 1) the Collect Intune Diagnostics section and 2) the Shared Device Information section. The first section can be used to collect logs of all Microsoft Intune managed apps and the second section provides information about the device and the managed apps.

IMG_0155

When clicking on the Get Started link in the Collect Intune Diagnostics section, it will open the Collect Intune Diagnostics page, as shown below. The Collect Intune Diagnostics page can be used to actually share the Microsoft Intune managed apps logs with an administrator (or with Microsoft), by simply clicking on the Share Logs link.

IMG_0156

When clicking View Intune App Status link in the Shared Device Information section, it will open the Intune App Status page, as shown below. The Intune App Status page can be used to actually look at the info about the installed managed apps. By selecting an app in the top of the page, it will show the currently applied policy (including information regarding the app version and the policy check-in). This can be really useful with for example verifying if the latest APP is applied.

IMG_0157

For simplifying the end-user experience, an app configuration policy can be used for the Intune Managed Browser and Microsoft Edge to add a bookmark. That can be achieved by using the following information:

  • key: com.microsoft.intune.mam.managedbrowser.bookmarks
  • value: Intune Diagnostic|about:intunehelp

More information

For more information about the Intune Diagnostics page, please refer to the following articles:

Hybrid Azure AD join with Windows Autopilot

This week is all about a very often requested feature, which is the ability to hybrid Azure AD join a device when using Windows Autopilot. The combination of the latest updates to Microsoft Intune with Windows 10, version 1809, provides just that! The ability to hybrid Azure AD join a device when using Windows Autopilot! In other words, the device will join the on-premises Active Directory and register in Azure Active Directory. In this blog post I’ll start with a short introduction about the hybrid Azure AD join with Windows Autopilot, followed by the most important configurations. I’ll end this post by looking at the experience.

Introduction

Let’s start with a little introduction about the hybrid Azure AD join through Windows Autopilot. A short summary would be that Intune uses an on-premises connector to create an offline domain join (ODJ) blob for the device that will be provided to the device during enrollment. Now lets go through the high-level Autopilot flow for this scenario and see how that fits.

  • The hardware ID of the device is registered with the Windows Autopilot service;
  • The device is sent to the employee and the employee unboxes the device and turns it on;
  • The device connects to the Windows Autopilot service;
  • The Windows Autopilot service delivers the Autopilot profile to the device;
  • The device performs a MDM-enrollment with Microsoft Intune;
  • Microsoft Intune will use the on-premises connector to generate a machine object in Active Directory, which will generate an ODJ blob;
  • The connector sends the ODJ blob to Microsoft Intune;
  • Microsoft Intune sends the ODJ blob to the device;
  • The MDM-enrollment is completed;
  • The user logs on to the device to complete the domain join;
  • The device receives any targeted group policies;

Configuration

Now let’s continue by looking at the configurations that are required to enable the hybrid Azure AD join scenario via Windows Autopilot. I’ll do that by going through the new Intune-related configurations. That means, I’ll show how to install the Intune connector, I’ll show how to configure the Autopilot deployment profile and I’ll show how to configure the domain join profile.

Requirements

Before looking at the configurations, let’s start with a few important requirements and limitations:

  • The hybrid Azure AD join environment configurations must be in place;
  • The device must run Windows 10, version 1809 or later;
  • The device must have Internet access;
  • The device must have direct access to Active Directory;
  • Automatic enrollment must be configured (Azure AD > Mobility (MDM and MAM));
  • The server hosting the Intune connector must have delegated permissions to create computer accounts in the specified OU;
  • The server hosting the Intune connector must be Windows Server 2016, or later;
  • The server hosting the Intune connector must have Internet connectivity;

Intune connector

The first configuration that should be in place is the installation of the Intune connector. Multiple connectors can be installed to increase scale and availability (or even to support multiple Active Directory domains). The following nine steps walk through the steps to install the Intune connector.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Intune Connector for Active Directory (Preview) to open the Intune Connector for Active Directory (Preview) blade;
3 On the Intune Connector for Active Directory (Preview) blade, select Add connector to open the Add connector blade;
4 On the Add connector blade, click the Download the on-premises Intune Connector for Active Directory to download the connector for Active Directory (ODJConnectorBootstrapper.exe);
5 On the server that should be running the Intune connector for Active Directory, run ODJConnectorBootstrapper.exe;
6 On the Intune Connector for Active Directory Setup dialog box, select I agree to license terms and conditions and click Install;
7 On the Intune Connector for Active Directory Setup dialog box, after the installation completed, select Configure Now ;
8 On the Intune connector for Active Directory dialog box, select Sign In to sign in with a global administrator account to enroll the connector in the tenant and close the dialog box;
9 Back on the Intune Connector for Active Directory (Preview) blade, it should now show an entry for the added connector with the name of the server that is running the connector;
ICforAD

Note: At this moment, make sure that a language pack is installed and configured as described in the Intune Connector (preview) language requirements.

Autopilot deployment profile

The second configuration that should be in place is the Windows Autopilot deployment profile. The following four steps walk through the steps to create the deployment profile. That deployment profile can be assigned to an Azure AD group that contains the required Autopilot devices.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows Autopilot Deployment Program section to open the Windows Autopilot deployment profiles blade;
3 On Windows Autopilot deployment profiles blade, select Create profile to open the Create profile blade;
4a WADP-HAADJOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a unique name for the Windows Autopilot deployment profile;
  • Description: (Optional) Provide a description for the Windows Autopilot deployment profile;
  • Convert all targeted devices to Autopilot: Select Yes to automatically convert Intune managed devices to Autopilot;
  • Deployment mode: Select User-Driven, as that deployment mode provides the functionality that is needed for this post;
  • Join to Azure AD as: Select Hybrid Azure AD joined (Preview), as that will trigger the on-premises domain join with device registration in Azure AD;
  • Out-of-box experience (OOBE): See 4b

Note: The hybrid Azure AD join is only available for user driven deployments.

4b

On the Out-of-box experience (OOBE) blade, provide the following information and click Save.

  • End user license agreement (EULA): Select Hide to hide the EULA during the Windows Autopilot hybrid Azure AD join experience;

  • Privacy Settings: Select Hide to the hide the privacy settings during the Windows Autopilot hybrid Azure AD join experience;
  • Hide change account options: Select Hide to hide the change account options during the Windows Autopilot hybrid Azure AD join experience;
  • User account type: Select Standard to only make any user on the device a standard user;
  • Apply computer name template (Windows Insider Only): Not applicable, as the computer name standard is defined in the Domain Join profile (see next section);
WADP-HAADJ-OOBE

Domain Join profile

The third configuration that should be in place is the domain join profile. The following four steps walk through the steps to create the domain join profile. That domain join profile can be assigned to an Azure AD group that contains the required Autopilot devices.

1 Open the Azure portal and navigate to Microsoft Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2 On the Device configuration – Profiles blade, select Create profile to open the Create profile blade;
3a On the Create profile blade, provide the following information and click Create;

  • Name: Provide a unique name for the domain join profile;
  • Description: (Optional) Provide a description for the domain join profile;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Domain Join (Preview);
  • Settings: See 3b;
3b On the Domain Join (Preview) blade, provide the following information and click OK;

  • Computer name prefix: Provide a computer name prefix. The remaining characters of the 15 characters of a computer name will be random;
  • Domain name: Provide the domain name that the device will join;
  • Organizational unit: (Optional) Provide the OU that the computer account is created in;
WADP-HAADJ-DJP

Note: When no OU is specified, the well known computer object container is used.

End-user experience

Let’s end this post by looking at the end-user experience. The beginning of the out-of-box-experience (OOBE) is similar to any other Windows Autopilot deployment. The difference is happening in the background, as explained during the introduction, and can be noticed during the Network configuration. The configuration will take longer than with a Azure AD join. Another thing that an administrator might notice is that the device will be available within Intune before it’s available within the Active Directory. That makes perfect sense as the domain join profile must come via Microsoft Intune.

WADP-HAADJ-CORP

Note: From an administrator perspective the Event Viewer, on the server running the connector, will show Event ID 30140 in the log ODJ Connector Service from the source ODJ Connector Service Source, with a successful creation of the computer object.

More information

For more information regarding Windows Autopilot and hybrid Azure AD join, please refer to the following articles:

Require an Internet connection during device setup

This week I’m going to look at a well hidden configuration option that is recently introduced and can be really useful in specific scenarios. That configuration option is to require an Internet connection during the device setup. Requiring an Internet connection during device setup can be useful when trying to prevent users from resetting the device (either accidently or on purpose) and configuring it without an Internet connection, as configuring a device without Internet connectivity would enable a user to configure the device with a local user and without enrollment. In this blog post, I’ll start with a short introduction about why this configuration option would be useful and what the options are with this configuration option. Followed by the configuration steps and the end-user experience.

Introduction

Configuring a device without Internet connectivity would enable a user to configure the device with a local user and without an enrollment to Microsoft Intune (and Azure AD). That’s often what organizations want to prevent, as it disconnects a device from the organization. Minor detail, this configuration option must be configured once. Of course it would be great if this configuration option could be a Windows default, or available via the Windows Autopilot configuration. However, to my understanding this is currently not possible due to legal requirements. At this moment it’s simply legally not allowed to require an Internet connection on a device during the initial setup. Having said that, as this setting is configured via the TenantLockdown CSP, I can imagine that, in a Windows Autopilot for existing devices scenario, this can be configured as a Windows default, via PowerShell, by using the WMI Bridge Provider.

Configuration

Before looking at the configuration, let’s start with a few important requirements and limitations:

  • The device must run Windows 10, version 1809 or later;
  • The device must be configured once before the setting is applicable;

Now let’s continue by looking at the required configuration. The following four steps walk through the steps to get create a new device configuration profile and the specific configuration option. That device configuration profile can be assigned to an Azure AD group.

1 Open the Azure portal and navigate to Microsoft Intune > Device configuration > Profiles to open the Device configuration – Profiles blade;
2 On the Device configuration – Profiles blade, select Create profile to open the Create profile blade;
3a On the Create profile blade, provide the following information and click Create;

  • Name: Provide a unique name for the device configuration profile;
  • Description: (Optional) Provide a description for the device configuration profile;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Device restrictions;
  • Settings: See 3b;
3b On the Device restrictions blade, select General to open the General blade. On the General blade, select Require with Require users to connect to network during device setup and click OK to return to the Device restrictions blade. On the Device restrictions blade, click OK;
OOBE-Configure-Network

Note: This setting must be configured before it’s applicable. In other words, it’s not applicable during the initial out-of-box experience.

End-user experience

Let’s end this post by looking at the end-user experience. Once the configuration is in place and a reset is performed on the device, there will be an additional check during the device setup. When the device is not connected to the Internet, the end-user will receive a message as shown below. It requires the user to connect to the Internet. The user will not be able to continue without that connection. Once the user is connected to the Internet, the page below will show a Next button that can be used to continue with the device setup.

OOBE-Connect-Network

More information

For more information regarding the device configuration options and the TenantLockdown CSP, please refer to the following articles:

Windows Autopilot self-deploying mode

This week a new blog post about Windows Autopilot. More specifically, Windows Autopilot self-deploying mode. Autopilot self-deploying mode is really useful for devices that are function specific, like for example kiosk devices. The biggest benefit is that a device with a wired network connection (with Internet) can be completely configured without any user interaction. Simply connect the device to the wired network and power it on! Real zero touch provisioning! In this post I’ll provide the configuration steps to create that experience, followed by some known errors and the end-user experience.

Configuration

Let’s start with a few important requirements and limitations:

  • The device must run Windows 10, version 1809 or later;
  • The device can only be Azure AD joined (Active Directory join is not supported);
  • The device must be a physical device with TPM 2.0 (virtual machine is not supported);

Now let’s continue by looking at the available configuration options. In this case I’ll look at the different available configurations options and the related impact of those configuration options. The following four steps walk through the steps to get create a new Windows Autopilot self-deploying profile (including the available settings). That deployment profile can be assigned to an Azure AD group that contains devices.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows Autopilot Deployment Program section to open the Windows Autopilot deployment profiles blade;
3 On Windows Autopilot deployment profiles blade, select Create profile to open the Create profile blade;
4a

WA-SD-CreateProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a unique name for the Windows Autopilot deployment profile;
  • Description: (Optional) Provide a description for the Windows Autopilot deployment profile;
  • Convert all targeted devices to Autopilot: Select Yes to automatically convert Intune managed devices to Autopilot;
  • Deployment mode: Select Self-Deploying (preview), as that deployment mode provides the functionality that is needed for this post;
  • Join to Azure AD as: Azure AD joined is selected by default and grayed-out, as it’s the only configuration option supported for Windows Autopilot self-deploying devices;
  • Out-of-box experience (OOBE): See 4b.

Note: The Self-Deploying (preview) deployment mode, defines the available Azure AD settings and the available out-of-box experience (OOBE) settings.

4b

On the Out-of-box experience (OOBE) blade, provide the following information and click Save.

  • Language (Region): Select the Language that should be automatically configured during the Windows Autopilot self-deploying experience. This configuration will only be performed when the device is on a wired network connection (with Internet);
  • Automatically configure keyboard: Select Yes to automatically configure the keyboard based on the selected Language. This setting is only available when a Language is configured and this configuration will only be performed when the device is on a wired network connection (with Internet);
  • End user license agreement (EULA): Select Hide to hide the EULA during the Windows Autopilot self-deploying experience;
  • Privacy Settings: Select Hide to the hide the privacy settings during the Windows Autopilot self-deploying experience;
  • Hide change account options: Select Hide to hide the change account options during the Windows Autopilot self-deploying experience;
  • User account type: Select Standard to only make any user on the device a standard user. With the exception of global administrators and company administrators;
  • Apply computer name template (Windows Insider Only): Create a computer name, according to the configured template, for devices at initial startup;
WA-SD-OOBE

Note: The Autopilot settings can only be downloaded when a network connection is in place. That’s the reason why a wired network connection should be in place. When a wired network connection is not available, it’s required to configure the region, the keyboard and a Wi-Fi.

Known errors

During the testing of Windows Autopilot self-deploying, I ran into multiple errors. More information about an error can always be found in the Event Viewer, at Application and Services Logs > Microsoft > Windows > Provisioning-Diagnostics-Provider > AutoPilot (thank you for the reminder Sandy!). The errors that I’ve seen on screen are documented and explained in the table below. If you’ve seen errors that are not on this list, let me know and I’ll add them.


Error Description
0x800705B4 This error means that the device is either a virtual machine, or does not have TPM 2.0, and is not capable of running Autopilot self-deploying.
0x801c03ea This error means that the device is TPM 2.0 capable, but that the TPM still needs to be upgraded from 1.2 to 2.0.
0xc1036501 This error means that the device cannot do an automatic MDM enrollment, because there are multiple MDM configurations in Azure AD.

End-user experience

As always, let’s end this post by having a look at the end-user experience. The end-user experience will provide a welcome message (see below) after receiving the Autopilot deployment profile and an automatic restart. An easy differentiation between the Autopilot user-driven experience and the Autopilot self-deploying experience, besides the interaction, is the logo that’s used. At this moment the Autopilot user-driven experience uses the square logo of the Azure AD company branding and the Autopilot self-deploying experience uses the banner logo of the Azure AD company branding.

20181104_165048

Note: From and administrator perspective, an Autopilot self-deploying device can be easily recognized by the Management name of the device. It contains a GUID instead of a username.

More information

For more information about enrolling Windows devices by using Windows Autopilot self-deploying mode, please refer to the documentation named Windows Autopilot Self-Deploying mode.

Automagically convert Intune managed devices to AutoPilot

Tweet-AutoPilotThis week a short blog post about my tweet of a bit more than a week ago. In that tweet I mentioned a new easy method to automagically convert Intune managed devices to AutoPilot. That method makes some scenarios a whole lot easier. Like for example what I did in this post to get the AutoPilot device information of Intune managed devices. That type of custom scripting is not needed anymore!

As I got many reactions to that tweet, mainly related to the location of that configuration, I thought it would be good to make a short post describing the configuration option and the expected behavior. In this post I’ll provide the steps to make this configuration and I’ll describe the expected behavior. There is no real end-user or administrator experience to show for this configuration. So, no section related to that. I’ll do explain the the expected behavior in the introduction.

Introduction

Let’s start with a short introduction about the mentioned configuration option. That configuration option is the Convert all targeted devices to AutoPilot setting. By default an AutoPilot deployment profile is only applied to already existing AutoPilot devices and doesn’t apply to non-AutoPilot devices. Configuring the Convert all targeted devices to AutoPilot setting to Yes will automagically convert all devices in the assigned group to AutoPilot. This is a one-time conversion that also works for co-managed devices. That also means that removing the AutoPilot profile will not remove the converted devices from AutoPilot. After conversion the devices can only be removed by using the Windows AutoPilot devices view. Keep in mind that it can take up to 48 hours for the conversion to be completed.

Configuration

Now let’s continue by having a look at the actual configuration. And in this case only the specific Convert all targeted devices to AutoPilot setting. The following four steps walk through the steps to get to the specific setting and are not meant to create a complete the Windows AutoPilot deployment profiles.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows AutoPilot Deployment Program section to open the Windows AutoPilot deployment profiles blade;
3 On Windows AutoPilot deployment profiles blade, either select Create profile or select [existing deployment profile] > Properties to open the Create profile blade or the [existing deployment profile] – Properties  blade;
4 On the Create profile blade or the [existing deployment profile] – Properties  blade, the setting Convert all targeted devices to AutoPilot must be switched to Yes (below is an example of the the [existing deployment profile] – Properties  blade, the Create profile blade looks similar) ;
MSIS-AutoPilot-Target

Note: There’s not a real easy method to see which devices are converted to AutoPilot. Those devices will show as any other imported device, without enrollment state. However, as the configuration is done via an AutoPilot deployment profile, the device is immediately assigned to a profile. Again, without creating any fancy configurations, like query based dynamic device groups.

More information

For more information about enrolling Windows devices by using Windows AutoPilot, please refer to the documentation named Enroll Windows devices by using the Windows Autopilot.

Join us at Experts Live Europe in Prague

b-B6v-rUA bit less than two weeks from now, October 25-26, Experts Live Europe will be in Prague. Together with my finest colleague, Arjan Vroege, I will deliver two sessions! And we hope to see you there!

Experts Live Europe is a Microsoft community conference with a focus on Microsoft cloud, datacenter and workplace management. During this conference, top experts from around the world present discussion panels, ask-the-experts sessions and breakout sessions and cover the latest products, technologies and solutions.

About our sessions

The maybe-not-that-sexy version of modern management – A true story –

In this session, we will take you into the real world of modern management. Modern management is a great buzzword and by now we all know the lovely story of modern management. We all know how it should work, but we often lack the real-world examples of organizations using modern management. During this session, we will show you how we internally deployed Windows 10 with Azure AD join and Intune management for over 10k devices. What choices did we make? Which challenges did we run into? Did we close all the gaps? We’ll try to answer these question. To conclude will also look at the available options right now and how they could have helped us. We will also have a couple of cool demos. To provide a sneak preview, here is a small list with subjects that will be part of our session: Win32 apps, MSIX and Windows AutoPilot.

Thursday Friday 2:40 PM – 3.40 PM

Create your ultimate hybrid workplace, what options do you have?

During this session we will take you into the world of the hybrid workplace. The modern workplace is a great story, for cloud only organizations, but the reality is often that there are a lot of components still on-premises. During this session we will touch the different delegate subjects from identity until apps and from management until connectivity. That means, a lot of ground to cover and a lot of choices to be made. Besides that we will have a couple of cool demos, here is a small list with a sneak preview of subjects that will be part of our session:  Pass-through authentication, Co-management, Win32 apps, MSIX and Azure AD Application Proxy.

Friday 8:00 AM – 9:00 AM

Make sure that you don’t miss these sessions!

Quick tip: Location services required for enhanced jailbreak detection

This week a short blog post about an end-user experience that might be slightly unexpected when using an iOS device. That experience is the “Turn on location services” compliance message in the Company Portal app. That message is caused by the Enhanced jailbreak detection compliance policy setting, as  that setting uses the location services of the iOS device for the enhanced detection, In this post I’ll first show the mentioned end-user experience, as that’s the trigger for this post, followed by the configuration that triggers the experience.

End-user experience

Let’s start this time by looking at the end-user experience. The user will notice that the iOS device is non-complaint and after opening the Company Portal app, the user will get the message “Turn on location services” (as shown below). That message also includes the required steps to eventually enable the location services on the iOS device;

20181003_171841643_iOS

Configuration

Now let’s have a look at the configuration that triggers the mentioned end-user experience. That configuration is not part of an actual compliance policy, but is part of the overall compliance policy settings. The compliance policy settings basically describes the default behavior for compliance policies. The two steps below show how to configure the Enhanced jailbreak detection setting.

1 Open the Azure portal and navigate to Intune > Device compliance > Compliance policy settings to open the Device compliance – Compliance policy settings blade;;
2 On the Device compliance – Compliance policy settings blade, select Enabled with Enhanced jailbreak detection and click Save;
MSI-DeviceCompliancePolicySettings

Note: Keep in mind that enabling this setting impacts the battery usage of iOS devices and causes iOS devices to check-in more frequently with Microsoft Intune.

More information

For more information about compliance policy settings, please refer to the documentation about Get started with device compliance policies in Intune – Ways to deploy device compliance policies.

Deploy customized Win32 apps via Microsoft Intune

Last week Microsoft announced the ability to deploy Win32 apps via Microsoft Intune during Microsoft Ignite. That takes away one of the biggest challenges when looking at modern management and Microsoft Intune. I know that I’m not the first to blog about this subject, but I do think that this subject demands a spot on my blog. Besides that, I’ll show in this post that the configuration looks a lot like deploying apps via ConfigMgr. Not just from the perspective of the configuration options, but also from the perspective of the configuration challenges when the installation contains multiple files. In this post I’ll show the configuration steps, followed by the end-user experience, when deploying a customized Adobe Reader DC app (including the latest patch).

Pre-process Win32 app

The first step in deploying Win32 apps via Microsoft Intune is using the Microsoft Intune Win32 App Packaging Tool to pre-process Win32 apps. Wrap the Win32 app. The packaging tool wraps the application installation files into the .intunewin format. Also, the packaging tool detects the parameters required by Intune to determine the application installation state.  After using this tool on apps, it will be possible to upload and assign the apps in the Microsoft Intune console. The following six steps walk through wrapping the Adobe Reader DC app, including some customizations and the latest patch.

1 Download the Microsoft Intune Win32 App Packaging Tool. In my example C:\Temp;
2 Create a folder that contains the Adobe Reader DC installation files (including the latest MSP and the MST that contains the customizations). In my example C:\Temp\AdobeReader;
3 Create an installation file that contains the complete installation command and place that file in the directory with the installation files. In my example I created an Install.cmd in C:\Temp\AdobeReader that contains msiexec /i “%~dp0AcroRead.msi” TRANSFORMS=”%~dp0AcroRead.mst” /Update “%~dp0AcroRdrDCUpd1801120063.msp” /qn /L*v c:\InstallReader.log ;
MSI-Win32-Explorer
Note: This method is similar to an easy method in the ConfigMgr world to make sure that the installation process would look at the right location for the additional files.
4 Open a Command Prompt as Administrator and navigate to the location of IntuneWinAppUtil.exe. In my example that means cd \Temp;
5 Run IntuneWinAppUtil.exe and provide the following information, when requested

  • Please specify the source folder: C:\Temp\AdobeReader;
  • Please specify the setup file: AcroRead.msi;
  • Please specify the output folder: C:\Temp
MSI-IWAU-start
Note: Even though I will use a command file to trigger the installation, it’s important to specify the MSI as setup file. That will make sure that, during the configuration in Microsoft Intune, the information will be preconfigured based on the information of the MSI.
6 Once the wrapping is done. The message Done!!! will be shown. In my example a file named AcroRead.intunewin will be created in C:\Temp.
MSI-IWAU-end

Note: It’s possible to use something like 7-Zip to open the created AcroRead.intunewin file. Besides content, that file contains a Detection.xml file that shows the detected information of the installation file.

Configure Win32 app

Now let’s continue by looking at the actual configuration steps, within Microsoft Intune, to configure the Win32 app. The following 17 steps walk through all the steps to configure the Win32 app, by using the .intunewin file. After configuring the app, make sure to assign the app to a user group.

1 Open the Azure portal and navigate to Intune > Client apps > Apps to open the Client apps – Apps blade;
2 On the Client apps – Apps blade, click Add to open the Add app blade;
3 On the Add app blade, select Windows app (Win32) – preview to show the configuration options and select App package file to open the App package file blade.
4 MSI-Win32-AppPackageFileOn the App package file blade, select the created AcroRead.intunewin as App package file and click OK to return to the Add app blade;
5 Back on the Add app blade, select App information to open the App information blade;
6

MSI-Win32-AppInformationOn the App information blade, provide at least the following information and click OK to return to the Add app blade;

  • Name: Adobe Acrobat Reader DC is pre-provisioned as name of the app;
  • Description: Provide a description of the app;
  • Publisher: Provide the publisher of the app;

Note: The remaining information regarding the Information URL, the Privacy URL, the Developer, the Owner, the Notes and the Logo is optional.

7 Back on the Add app blade, select Program to open the Program blade;
8 MSI-Win32-ProgramOn the Program blade, change the Install command to “Install.cmd”, verify the Uninstall command and click OK to return to the Add app blade;
9 Back on the Add app blade, select Requirements to open the Requirements blade;
10

MSI-Win32-RequirementsOn the Requirements blade, provide at least the following information and click OK to return to the Add app blade;

  • Operating system architecture: Select the applicable platforms;
  • Minimum operating system: Select a minimum operating system version;
11 Back on the Add app blade, select Detection rules to open the Detection rules blade;
12 On the Detection rules blade, select Manually configure detection rules and click Add to open the Detection rule blade.
13 MSI-Win32-DetectionRuleOn the Detection rule blade, select MSI as Rule type, verify the pre-provisioned MSI product code and click OK to return to the Detection rules blade;
14 Back on the Detection rules blade, click OK to return to the Add app blade;
15 Back on the Add app blade, select Return codes to open the Return codes blade;
16 MSI-Win32-ReturnCodesOn the Return codes blade, verify the preconfigured return codes and click OK to return to the Add app blade;
17 Back on the Add app blade, click Add to actually add app.

Note: The Intune Management Extension will be used for installing the Win32 app. That also means that the process regarding detection, download and installation, of the Win32 app, can be followed in the IntuneManagementExtension.log file.

End-user experience

Let’s end this post by looking at the end-user experience. The user will receive a notification that changes are required, followed by a notification that a download is in progress, followed by a notification about a successful installation. All three stages are shown below. After the last message, the Start Screen shows the newly installed Adobe Reader DC app. Also, in this case, the Desktop doesn’t show the default desktop icon, which I removed using the customization file (MST).

MSI-AAR-Desktop

More information

For more information about the Microsoft Intune Win32 App Packaging Tool, please refer to the GitHub location here.

Assign a user to a Windows AutoPilot device

This blog post uses capabilities that are added in Windows 10, version 1809, which is currently still in preview.

This week a short blog about another relatively new Windows AutoPilot feature. This week is all about assigning a specific user to a specific Windows AutoPilot device. That enables an administrator to directly assign a user to a Windows AutoPilot device. Assigning a user to a Windows AutoPilot device will make sure that the username will be pre-filled during Windows setup. It also lets the administrator set a custom greeting name, which will also be added during the Windows setup. In this post I’ll show the actual configuration steps, followed by the end-user experience.

Configuration

Before starting with the actual configuration steps, it’s important to name a few prerequisites.

  • Azure AD company branding is configured;
  • Device is running Windows 10, version 1809 or later;
  • User is Microsoft Intune licensed

When the prerequisites are in place, it’s time to start looking at the actual configuration. The following five steps walk through assigning a user to a Windows AutoPilot device.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, click Devices to open the Windows AutoPilot devices blade;
3 On the Windows AutoPilot devices blade, select the specific device (make sure to check the box) and click Assign user to open the Select user blade;
AP-AssignUser
4 On the Select user blade, select the specific user and click Select, which will open the Properties blade of the device;
5

AP-UserFriiendlyNameOn Properties blade of the device, provide the User Friendly Name and click OK to return to the Windows AutoPilot devices blade.

Note: This will provide a message like in this case “Awesome dude has ben successfully assigned to 3008-9109-1000-6969-987…

End-user experience

Now let’s end this post by looking at the end-user experience when using a user-driven deployment. After configuring the location and the keyboard, the user will get a personal welcome message. The message includes the configured custom user friendly name and the username will be preconfigured (as shown below). The user only needs to provide a password and click Next.

AP-UserExperience

Note: This experience does not work when used in combination with ADFS.

More information

For more information about assigning a user to a Windows AutoPilot device, please refer to the documentation Enroll Windows devices by using the Windows AutoPilot | Assign a user to a specific Autopilot device.