Allow users to connect remotely to this computer via Windows 10 MDM (ADMX-style)

This week another blog post about new MDM capabilities that are introduced in Windows 10, version 1703. This post is focused on enabling the setting to allow users to connect remotely to this computer via Remote Desktop. To enable that specific setting, Windows 10, version 1703, introduced ADMX-backed policy via the Policy CSP. In this post I’ll provide a short introduction about ADMX-backed policies, which is actually a short summary of the Microsoft docs, and I’ll show a configuration example. I’ll end this post by showing the end-user experience. Introduction Starting with Windows 10, version 1703, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a GPO. Each administrative template specifies the registry keys, …

Read more

Quick tip: View device in Azure Active Directory

This week a quick and short blog post about the feature, in Configuration Manager, to view a device in Azure AD. This is small new feature that was introduced in Configuration Manager 1702 and is mainly used for getting additional information about the compliance state of domain joined devices. Devices managed by a Configuration Manager client. In this post I’ll show the steps to use that feature and I’ll show the provided information. View device in Azure AD The feature to view a device in Azure AD, is only available when looking at non-compliant or compliant devices.  This can be achieved by going through the steps below. 1 Open the Configuration Manager administration console and navigate to Monitoring > Overview > Compliance Settings > Compliance …

Read more

Easily configure Start via Windows 10 MDM

This blog post is about the ability to configure Start on Windows 10 devices. Mainly focused on Windows 10 Desktop devices. Before Windows 10, version 1703, it was already possible to configure the layout of Start by using the StartLayout setting. Windows 10, version 1703, introduces many, many more settings related to configuring Start via Windows 10 MDM. All of these settings are available via the existing Policy CSP. These new settings range from configuring settings available in the Settings panel until configuring settings related to the Power button and the user tile. In this post I’ll go through almost all newly introduced settings and I’ll briefly show how to configure these settings by using Microsoft Intune hybrid and standalone. I’ll end this post by …

Read more

Conditional access and Google Chrome on Windows 10

This week a short blog post to create some awareness about conditional access for Google Chrome on Windows 10. Starting with Windows 10, version 1703, it’s now possible to use Google Chrome in combination with conditional access. It will no longer simply being blocked. This can be achieved by installing and enabling the Windows 10 Accounts extension in Google Chrome. The screenshot below contains the name and URL of the extension. Introduction The Windows 10 Accounts extension for Google Chrome provides a single sign-on experience, to supported websites, to end-users that have a Microsoft supported identity on Windows 10,. Also, the Windows 10 Accounts extension for Google Chrome is required when the organization has implemented conditional access policies, to get the expected end-user experience. Currently, …

Read more

Conditional access and app enforced restrictions

This blog post is about a recently introduced feature in conditional access, named Session controls. More specific, the Session control of app enforced restrictions. Session controls enable a limiting experience within a cloud app. The great thing about Session controls is is that those controls are enforced by the cloud apps and that those controls rely on additional information provided by Azure AD to the cloud app, about the session. In other words, these controls can be used to require Azure AD to pass the device information to the cloud app. This enables the cloud app to know if the user is coming from a (non-)compliant device or (non-)domain joined device. Currently Session controls are only supported with SharePoint Online as the cloud app. In …

Read more

Easily configure desktop and lock screen image via Windows 10 MDM

This blog post uses the Personalization configuration service provider (CSP) to manage the desktop and lock screen image on Windows 10 devices. This CSP was added in Windows 10, version 1703, which is currently available as Insider Preview build. This blog post is about the ability to easily configure separate images for the desktop and the lock screen on Windows 10 devices. Before Windows 10, version 1703, this was possible by using an MSI or by using the EnforceLockScreenAndLogonImage setting. However, the latter setting was only able to configure the lock screen image and not the desktop image. Windows 10, version 1703, introduces the Personalization CSP, which enables the administrator to manage the desktop and lock screen image. In this post I’ll briefly go through …

Read more

Require BitLocker drive encryption via Windows 10 MDM

This blog post uses the BitLocker configuration service provider (CSP) to manage drive encryption on Windows 10 devices. This CSP was added in Windows 10, version 1703, which is currently available as Insider Preview build. This blog post will be about requiring BitLocker drive encryption on Windows 10 devices. Until Windows 10, version 1703, this was not possible. It was only possible to create a compliance policy that would block access to Windows 10 devices without BitLocker enabled. Windows 10, version 1703, introduces the BitLocker CSP, which enables the administrator to manage BitLocker settings via Windows 10 MDM. In this post I’ll briefly go through the available settings in the BitLocker CSP and I’ll show how to require BitLocker drive encryption via Microsoft Intune hybrid …

Read more

Offboard Windows 10 devices of Windows Defender Advanced Threat Protection

This week a follow-up on my post of last week. Last week was about onboarding Windows 10 devices for Windows Defender Advanced Threat Protection (ATP) and this week will be about offboarding Windows 10 devices of Windows Defender ATP. For devices that are leaving the company, for whatever reason, it’s good to first offboard those devices of Windows Defender ATP. That will remove the Windows Defender ATP settings from the device and the device will stop collecting and sending data. In this post I’ll show how to offboard Windows 10 devices, via Configuration Manager and Microsoft Intune, and I’ll show the end result. The steps in this post will be similar to the steps in the post of last week. Configuration Just like last week, …

Read more

Onboard Windows 10 devices for Windows Defender Advanced Threat Protection

This week a blog post about onboarding Windows 10 devices for Windows Defender Advanced Threat Protection (ATP). Windows Defender ATP is a relatively new service that will help enterprises to detect, investigate, and respond to advanced attacks on their networks. In this post I’ll show how to onboard Windows 10 devices, via Configuration Manager and Microsoft Intune, and I’ll show the end result in the Windows Defender Security Center and the Configuration Manager administration console. Configuration There are multiple methods available to onboard Windows 10 devices for Windows Defender ATP, Group Policy, Configuration Manager, mobile device management (including Microsoft Intune) and a local script. I’ll have a closer look at the configurations for onboarding Windows 10 devices via Configuration Manager and Microsoft Intune. Create onboarding …

Read more

Company Portal app enrollment for Windows 10

This week a small blog post about the Company Portal app enrollment experience, for Windows 10 Desktop devices, that has been recently added to the Company Portal app. This new experience enables the end-user to perform the enrollment procedure during the initial sign-in to the Company Portal app and aligns the enrollment experience with the other supported platforms.. This blog post will show this new enrollment experience, the new alterative enrollment experience and the end result. Main end-user enrollment experience Now let’s start by looking at the main new end-user enrollment experience on Windows 10 Desktop devices via the Company Portal app. This complete experience is nothing more than the following 4 simple steps. 1 The end-user opens the Company Portal app and is prompted …

Read more