Windows 10

Conditional access for Exchange Online to the max

by

This week I want to show another look at conditional for Exchange Online. I want to do that by providing a scenario. That scenario will cover more than just conditional access. Mainly because conditional access simply blocks access to non-compliant devices, but what if I want to take it one step further? What if I also want to prevent potential data leakage? In that case I can’t just look at conditional access. In that case I also need to add mobile app management to the playing field. This post will address those subjects for Exchange Online. Scenario Now lets start with the scenario that I want to cover. Even though I know that I will use Microsoft Intune and related technologies to do the configuration, …

Read more

Conditional access for browsers

by

This week I’ll provide an overview about the latest addition to conditional access, which is conditional access for browsers. It’s a feature that many have been waiting for and a feature that is indeed a pretty welcome addition to conditional access. This post will provide the basics about conditional for browses, the configuration of conditional access for browsers and the end-user experience with conditional access for browsers. It will also be the introduction for something much better next week. Introduction Conditional access allows IT organizations to manage access to corporate email, files and other resources based on customizable conditions that ensure security and compliance. The addition of conditional access for browsers addresses the backdoor that still existed for end-users connecting to the Outlook Web App …

Read more

Windows 10 MDM and the MDM Bridge WMI Provider

by

This week another blog post about Windows 10 and OMA-DM, but this week will be short and different. Starting this week I won’t be referring to OMA-DM anymore, instead I’ll be referring to Windows 10 MDM. The main reason for that is change is to align with Microsoft. Also, it simply makes more sense. OMA-DM is the standards based protocol on which the Windows 10 MDM protocol is based. In other words, Windows 10 MDM is not exactly the same as the OMA-DM standards. Technically speaking it’s not wrong to refer to OMA-DM, but it simply makes more sense to refer to Windows 10 MDM. That being said, this blog post will be different for another reason. This week I’ll try to bring Windows 10 …

Read more

Managing Windows Update for Business on Windows 10 via OMA-DM

by

This week another blog post about Windows 10 and OMA-DM. This week I’m going to have a look at managing Windows Update for Business on Windows 10. However, this time I’ll group the currently available policy settings per subject, to easily provide some more background information. Also, by now I assume that I don’t have to go through all the steps to create a Configuration Item or a Configuration Policy anymore. To manage Windows Update for Business, IT organizations can use the Policy configuration service provider (CSP) and to report about Windows Update for Business IT organizations can mainly use the Update CSP. During this blog post I’ll provide more information about Windows Update for Business, the Policy CSP, the Update CSP and the available …

Read more

Reporting Windows Defender health on Windows 10 via OMA-DM

by

About a year ago I did a blog post about managing Windows Defender on Windows 10 via OMA-DM, by using the available policies in the Policy CSP. This week I’m going to have another look at Windows Defender, on Windows 10, but this time from a reporting perspective. This time I want to report about the health of Windows Defender on the Windows 10 devices that are managed via OMA-DM. To get that type of information I can use the Defender configuration service provider (CSP). The Defender CSP contains the information about the health of Windows Defender. During this blog post I’ll go through the Defender CSP, the required configuration to get the Windows Defender health information and the administrator experience. Defender CSP Before starting …

Read more

Conditional access, Windows 10 and Microsoft Intune: What are the compliance options?

by

Recently Microsoft released a couple of blog posts about The Path to Modernizing Windows Management and about Clear & Simple Guidance: When ConfigMgr and Intune should be used with Windows 10, which should be really helpful with deciding how to managing the Windows 10 devices within an organization. I would really recommend everybody to read those posts. This blog post will not be directly related, but will continue on a more detailed level about the options for conditional access and Windows 10 devices. In this blog post I will provide nice tables of the different compliance rules, for Windows 10 devices, that are currently available for Microsoft Intune standalone and Microsoft Intune hybrid. In those tables I’ll show the different management scenarios and the currently …

Read more

Conditional access and health attestation

by

This week another blog post about conditional access. And another blog post that is triggered by a feature that is introduced in ConfigMgr 1602. However, this time it’s about a feature that already did exist in Microsoft Intune standalone. I’m talking about the new conditional access rule that uses the Health Attestation Service. This new rule creates the ability to ensure that Windows 10 devices have trustworthy BIOS, TPM, and boot software configurations enabled. In this blog post I’ll show the detailed configuration steps for Microsoft Intune hybrid and I’ll briefly note the most important configurations for Microsoft Intune standalone. Introduction Device health attestation is an additional level of restricting access to Exchange Online and SharePoint Online for Windows 10 devices. Currently only available for …

Read more

Quick tip: Working with the device enrollment manager and automatic enrollment

by

This is another short and quick blog post. This time about the device enrollment manager in combination with the automatic enrollment in Microsoft Intune, which is powered by Azure AD. The device enrollment manager is a configuration within Microsoft Intune standalone, or Microsoft Intune hybrid (starting with ConfigMgr 1511). However, with really active use of the device enrollment manager, it is possible to run into some default configuration challenges. This post will provide a quick tip about those challenges. Configuration The documentation about the device enrollment manager contains a note that device enrollment manager user accounts, with more than 20 devices enrolled, might have problems using the Company Portal app. In case that potential problem is not an issue, for the usage within the company, …

Read more

How the settings in ConfigMgr translate to the command line of the Windows 10 upgrade

by

This week a short post about the settings in the Upgrade Operating System task sequence step and how these settings translate to the parameters used during the Windows 10 upgrade. I will go through the standard parameters, for the Windows 10 upgrade, used by the Upgrade Operating System task sequence step and I will go through the effect, of the configuration options in the Upgrade Operating System task sequence step, on the Windows 10 upgrade parameters. Configuration options Now let’s start by having a look at the standard parameters for the Windows Setup of the Windows 10 upgrade, used by the Upgrade Operating System task sequence step. To do this, let’s start with an Upgrade Operating System task sequence step with only Upgrade package selected. …

Read more

Many reasons to look at ConfigMgr 1511

by

At this moment Microsoft has just released System Center Configuration Manager (version 1511). This build was released to MSDN subscribers last week and is now general available and publically announced by Microsoft. During this blog post I will refer to this release as ConfigMgr 1511. In this blog post I will post my five main reasons to start looking at ConfigMgr 1511 as soon as possible. This will be followed by a list with great improvements that could also be good reasons to start looking. Before I start with all those reasons it might be worth mentioning that it’s possible to do an in-place upgrade of ConfigMgr 2012 to ConfigMgr 1511. This process will feel similar to a service pack upgrade. Main reasons Lets start …

Read more