Microsoft Intune

Configuring Windows Hello for Business multi-factor unlock

by

This week continues the journey through Windows Hello for Business. The last weeks were all about requiring the use of Windows Hello for Business, while this week is all about requiring the use of something extra with Windows Hello for Business. That something extra is a second unlock factor. By default, Windows requires the use of a single authentication factor to verify the identity of a user and to unlock the device. And even though the construction of Windows Hello for Business can be considered multi-factor authentication, as it combines something that you have (e.g. a device with a hardware TPM) with something that you know (e.g. a PIN) or with something that you are (e.g. a fingerprint), the unlock factor of the device with …

Read more

Excluding the password credential provider

by

This week is a follow up on the post of last week. In that post there was a reference to the option to completely exclude the password credential provider to force the user in to using Windows Hello for Business. This week is all about that option to exclude the password credential provider – and basically any other credential provider – from use during authentication. Credential providers are the primary mechanism for authenticating users in Windows and to verify their identity. Those credential providers are shown as different small tiles to the user as different options to authenticate in Windows. With Windows 10 and later, credential providers are also used for authenticating users in apps, websites, and more. By installation default, Windows already provides a …

Read more

Requiring the use of Windows Hello for Business for interactive logons

by

This week is all about Windows Hello for Business. Windows Hello for Business provides a really convenient and user-friendly method to authenticate in Windows, as it enables users to verify their identity by using a gesture (face, fingerprint or PIN). More importantly, however, Windows Hello for Business is also an important step in the transition to a passwordless environment, as it replaces the need for the traditional username-password authentication with a strong two-factor authentication on Windows devices. By default, Windows Hello for Business will be an additional method to get authenticated in Windows. When working towards a passwordless environment, it’s important to also take further actions for Windows devices, by preventing the use of the traditional username-password and by requiring the use of Windows Hello …

Read more

App protection policies and managed iOS devices

by

This week is all about app protection policies for managed iOS devices. More specifically, about some default behavior that might be a little bit confusing when not known. When creating app protection policies, those policies can be configured for managed devices or managed apps. That sounds simple. By default, however, when creating and assigning separate policies for managed devices and managed apps, every iOS device will apply app protection policies that are assigned to managed apps. That behavior is caused by the fact that the device will only be identified as a managed device when a specific configuration is in place. That configuration is the user UPN setting. Even better, the user UPN setting opens even more use cases for managed devices. This post will …

Read more

Getting started with Shared Device Mode for iOS devices

by

This week is all about Shared Device Mode for iOS (and iPadOS) devices. Shared Device Mode is based on Azure AD and is the Microsoft solution for shared iOS devices. Those shared iOS devices are company-owned multi-user devices. Shared Device Mode is provided for iOS (and iPadOS) 13 and later devices and enables multiple users to use the same Apple device and to sign in and out of apps by using an Azure AD account. When those apps support Shared Device Mode, those apps provide the global sign in and global sign out functionality. That enables a user to sign in to an app, at the start of a shift, and automatically be globally signed in to all apps that support Shared Device Mode. That’s …

Read more

Alternatives for querying and visualizing Update Compliance data

by

This week is follow-up on the post of last week about enhancing Update Compliance with a custom Workbook in Microsoft Endpoint Manager admin center. There were multiple questions on that post regarding alternatives for querying and visualizing the Update Compliance data. The good news is that there are actually multiple alternatives for querying Update Compliance data, but, in all fairness, all the alternatives rely on the same API. The Azure Log Analytics REST API. That API can be called by specifying the workspace, providing a token and running the required query. Pretty straight forward. Also, that API is an important part of most other methods that are used for querying Update Compliance data. This post will provide a quick introduction to the Azure Log Analytics …

Read more

Enhance Update Compliance with a custom Workbook in Microsoft Endpoint Manager admin center

by

This week is all about enhancing Update Compliance by using a custom Workbook within the Microsoft Endpoint Manager admin console. The Update Compliance Workbook. That Update Compliance Workbook enables the IT administrator to get a quick view on the most important details. Besides that, adding that Update Compliance Workbook in the Microsoft Endpoint Manager admin center enables the IT administrator to pin the different queries of that Update Compliance Workbook to the dashboard. That provides the IT administrator with a dashboard that contains all the status information about the Microsoft Intune environment and a quick overview of the update status of the Windows 10 devices within that environment. This post provides that Update Compliance Workbook with the most important status information coming from the Update …

Read more

Using authentication contexts to add step-up authentication to specific SharePoint sites

by

This week is all about authentication contexts. Authentication contexts are another great feature for Condition Access policies. That feature enables IT administrators to further secure data and actions in apps, by providing a step-up authentication. Those apps can be custom apps, SharePoint sites, Privileged Identity Management (PIM), and even apps protected by Microsoft Cloud App Security (MCAS). The focus of this post is on authentication contexts with SharePoint sites. This post starts with an introduction to authentication contexts, followed with the different activities to create authentication contexts, to assign Conditional Access policies to authentication contexts and to tag SharePoint sites with authentication context. This post ends with experiencing authentication contexts. Important: At the moment of writing, authentication contexts are still public preview. For Azure AD …

Read more

Using filters for devices as condition in Conditional Access policies

by

This week is also all about filters. Last week was about filters for assigning apps, policies and profiles to specific devices in Microsoft Intune and this week is about filters for devices as a condition in Conditional Access policies. Filters for devices are a nice addition to Conditional Access policies to only target specific devices. A great option for addressing specific scenarios. This post starts with a short introduction about filters for devices, followed with the steps for configuring a filter within a Conditional Access policy. This post ends with the administrator experience. Important: At the moment of writing, filters for devices are still public preview. For Azure AD features that means that the feature is provided without a service level agreement, and that the …

Read more