Microsoft Endpoint Manager

Requiring the use of Windows Hello for Business for interactive logons

by

This week is all about Windows Hello for Business. Windows Hello for Business provides a really convenient and user-friendly method to authenticate in Windows, as it enables users to verify their identity by using a gesture (face, fingerprint or PIN). More importantly, however, Windows Hello for Business is also an important step in the transition to a passwordless environment, as it replaces the need for the traditional username-password authentication with a strong two-factor authentication on Windows devices. By default, Windows Hello for Business will be an additional method to get authenticated in Windows. When working towards a passwordless environment, it’s important to also take further actions for Windows devices, by preventing the use of the traditional username-password and by requiring the use of Windows Hello …

Read more

App protection policies and managed iOS devices

by

This week is all about app protection policies for managed iOS devices. More specifically, about some default behavior that might be a little bit confusing when not known. When creating app protection policies, those policies can be configured for managed devices or managed apps. That sounds simple. By default, however, when creating and assigning separate policies for managed devices and managed apps, every iOS device will apply app protection policies that are assigned to managed apps. That behavior is caused by the fact that the device will only be identified as a managed device when a specific configuration is in place. That configuration is the user UPN setting. Even better, the user UPN setting opens even more use cases for managed devices. This post will …

Read more

Getting started with Shared Device Mode for iOS devices

by

This week is all about Shared Device Mode for iOS (and iPadOS) devices. Shared Device Mode is based on Azure AD and is the Microsoft solution for shared iOS devices. Those shared iOS devices are company-owned multi-user devices. Shared Device Mode is provided for iOS (and iPadOS) 13 and later devices and enables multiple users to use the same Apple device and to sign in and out of apps by using an Azure AD account. When those apps support Shared Device Mode, those apps provide the global sign in and global sign out functionality. That enables a user to sign in to an app, at the start of a shift, and automatically be globally signed in to all apps that support Shared Device Mode. That’s …

Read more

Alternatives for querying and visualizing Update Compliance data

by

This week is follow-up on the post of last week about enhancing Update Compliance with a custom Workbook in Microsoft Endpoint Manager admin center. There were multiple questions on that post regarding alternatives for querying and visualizing the Update Compliance data. The good news is that there are actually multiple alternatives for querying Update Compliance data, but, in all fairness, all the alternatives rely on the same API. The Azure Log Analytics REST API. That API can be called by specifying the workspace, providing a token and running the required query. Pretty straight forward. Also, that API is an important part of most other methods that are used for querying Update Compliance data. This post will provide a quick introduction to the Azure Log Analytics …

Read more

Enhance Update Compliance with a custom Workbook in Microsoft Endpoint Manager admin center

by

This week is all about enhancing Update Compliance by using a custom Workbook within the Microsoft Endpoint Manager admin console. The Update Compliance Workbook. That Update Compliance Workbook enables the IT administrator to get a quick view on the most important details. Besides that, adding that Update Compliance Workbook in the Microsoft Endpoint Manager admin center enables the IT administrator to pin the different queries of that Update Compliance Workbook to the dashboard. That provides the IT administrator with a dashboard that contains all the status information about the Microsoft Intune environment and a quick overview of the update status of the Windows 10 devices within that environment. This post provides that Update Compliance Workbook with the most important status information coming from the Update …

Read more

Using authentication contexts to add step-up authentication to specific SharePoint sites

by

This week is all about authentication contexts. Authentication contexts are another great feature for Condition Access policies. That feature enables IT administrators to further secure data and actions in apps, by providing a step-up authentication. Those apps can be custom apps, SharePoint sites, Privileged Identity Management (PIM), and even apps protected by Microsoft Cloud App Security (MCAS). The focus of this post is on authentication contexts with SharePoint sites. This post starts with an introduction to authentication contexts, followed with the different activities to create authentication contexts, to assign Conditional Access policies to authentication contexts and to tag SharePoint sites with authentication context. This post ends with experiencing authentication contexts. Important: At the moment of writing, authentication contexts are still public preview. For Azure AD …

Read more

Using filters for devices as condition in Conditional Access policies

by

This week is also all about filters. Last week was about filters for assigning apps, policies and profiles to specific devices in Microsoft Intune and this week is about filters for devices as a condition in Conditional Access policies. Filters for devices are a nice addition to Conditional Access policies to only target specific devices. A great option for addressing specific scenarios. This post starts with a short introduction about filters for devices, followed with the steps for configuring a filter within a Conditional Access policy. This post ends with the administrator experience. Important: At the moment of writing, filters for devices are still public preview. For Azure AD features that means that the feature is provided without a service level agreement, and that the …

Read more

Using filters for assigning apps, policies and profiles to specific devices

by

This week is all about filters. Filters are basically a super-set of the functionalities of applicability rules – already available for a while for Windows 10 – and are a great new addition to assigning apps policies and profiles to specific devices. Those specific devices are only the devices that meet the specific properties that are configured in the filters. A great method for specifically targeting apps, policies and profiles. This post starts with a short introduction about filters, followed with information about creating and using filters (including the steps for using and creating filters). This post ends with the administrator experience with filters. Introducing filters For device configuration profiles for Windows 10 devices it was already possible to use applicability rules. Applicability rules would …

Read more

Enhance inventory reporting with local administrator information

by

This week is all about enhancing inventory reporting with information about the local administrators on the managed Windows 10 devices. This time is not about managing the different local administrators on those Windows 10 devices, but this time is about creating a report that provides insights to the different local administrators that are configured on those Windows 10 devices. The solution to enhance the inventory reporting, relies on PowerShell, Log analytics, Workbooks and the Azure Monitor HTTP Data Collector API. PowerShell is used to gather the information on the local device and uses the Azure Monitor HTTP Data Collector API to write the gathered information to Log analytics. Workbooks are used to visualize the gathered data from Log analytics. This solution is inspired and based …

Read more

Locating lost or stolen Windows 10 devices

by

This week is all about a small new feature for Windows 10 devices that was introduced with the latest service release of Microsoft Intune. That new feature is the ability to find lost or stolen Windows 10 devices. Starting with the 2104 service release of Microsoft Intune, the Locate device remote device action – already available for supervised iOS and iPadOs device – also becomes available for Windows 10 devices. That enables IT administrators to find lost or stolen Windows 10 devices. This post will start by going through the information about the new remote action, including the implications, followed with the steps for configuring the privacy settings. This post will end by showing the IT administrator and user experience. Introduction to the location service …

Read more