Microsoft has now announced that Microsoft Apps for Enterprise will receive 3 changes to its product releases. These changes are currently In Development, but I don't expect them to stay in that state for long, as I am already seeing one of the changes within my own tenant.
Over the lifetime of Office ProPlus, which is now Microsoft Apps for Business, Microsoft have changed the names of the channels multiple times. So this new development isn't a surprise, as Microsoft does love a name change.
Existing Channel Name
New Channel Name
Semi-Annual Enterprise (Preview)
New update channel for Microsoft Apps for Enterprise
In the past, there have only ever been 4 main channels for Microsoft Apps for Enterprise (not including the Insider release channels). Microsoft has announced that they are creating a new channel to help customers seeking to stay up to date with feature updates, such as real-time collaboration and AI capabilities. This channel will be called Monthly Enterprise.
In recent times I have had to rebuild a number of my Windows 10 devices and reinstall my favourite scripts, applications and tweaks, which got me thinking that there must be a better way of rebuilding my devices. So here's my approach.
Azure Blob Storage
After transitioning from a very UC-focused role, I have been gaining an appreciation for the whole M365 stack and how Microsoft Azure can work hand in hand with it to address potential problems or scenarios. Microsoft have done a very good job of providing a platform that enables businesses and organisations to leverage their subscriptions in more powerful ways, so with that being said, let's look at Azure Blob Storage.
First of all we need to log into the Azure Portal, as this is where all the required work will now take place. Once logged in, you will need to search for Storage account, as this is where all files will need to be stored. In my case, I have already created a Storage Account, but you can create one by using the Add button.
Now that you have created the Storage Account, you will need to go to Containers as shown below.
Again, in my case I already have a container called intuneblogaboutcloud, but you can create your container by clicking + Container.
We can now upload all required PowerShell scripts, installers, images etc., depending on what you are intending to achieve. In my container, I have created folders to structure the data.
One of the key things to understand is that each uploaded file has a unique URL. Please keep this in mind, as later in this post I will be demonstrating how I use this URL to deliver customizations to my Windows 10 devices.
Microsoft Endpoint Manager has the ability to deliver PowerShell scripts to any and all enrolled Windows 10 devices. As I was getting annoyed at having to reinstall the PowerShell customizations and tweaks I like to perform on my client machines, I created several scripts that do the hard work for me.
One of the unique features of this script is that it checks for updated versions of the module in the PSGallery. However, this feature isn't effective when using MEM for delivery unless a modified script is uploaded to MEM.
As mentioned in the Azure Blob Storage section, the unique URL has an important part to play. As you can see from the image below, I have highlighted 3 sections:
1 – The unique URL with its own variable name, $chromeinstaller
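The module check described above, written out as an added example (this is not the post's own script). It pins the repository to the PSGallery, compares the newest installed version with the newest published one, and installs or updates only when needed. The module names are a constructed sample, and it assumes the device can reach the gallery and that the script runs as an administrator or as SYSTEM via MEM.

```powershell
# Added example (not the blog's script): keep a list of PowerShell modules current
# from the PSGallery, installing when missing and updating when a newer version exists.
# The module list is a constructed sample; replace it with your own.
$Modules = @('PSReadLine', 'Az.Accounts')

# A fresh Windows 10 build has no NuGet provider, which Install-Module needs.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null

function Update-ModuleFromGallery {
    param([Parameter(Mandatory)][string]$Name)

    # Newest stable version published in the gallery (repository named explicitly so a
    # rogue repository registered on the device cannot answer for it)
    $gallery = Find-Module -Name $Name -Repository PSGallery -ErrorAction Stop

    # Newest version currently installed on this device, if any
    $local = Get-Module -ListAvailable -Name $Name |
             Sort-Object Version -Descending | Select-Object -First 1

    if (-not $local) {
        Write-Output "$Name is not installed; installing $($gallery.Version)"
        Install-Module -Name $Name -Repository PSGallery -Scope AllUsers -Force
        return
    }
    if ([version]$gallery.Version -gt $local.Version) {
        Write-Output "$Name $($local.Version) -> $($gallery.Version)"
        Update-Module -Name $Name -Force
    } else {
        Write-Output "$Name $($local.Version) is current"
    }
}

foreach ($m in $Modules) { Update-ModuleFromGallery -Name $m }
```

Update-Module only updates modules that were originally installed with Install-Module, so modules that shipped with Windows are reported but left alone. Because a script delivered through MEM typically runs as SYSTEM, anything it pulls from a public gallery runs with that privilege; where the module set is fixed, passing -RequiredVersion to Install-Module gives you a pinned, reproducible build instead of "whatever is newest".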
2 – The download command
3 – The installer command
Even with limited PowerShell experience, you will be able to understand how this script works and customize it to your needs. Whether it's an .msi, .exe or .ps1, you just modify the script to your needs.
Finally, delivering applications to Windows 10 using the native Win32 app method. Microsoft have already made it easier with Microsoft Apps for Enterprise, aka Office ProPlus, but as you can see I have leveraged MEM to install a number of MSI files that I like on my machines. I will not go into detail on this section, as it's quite straightforward.
So there you have it: customizing my Windows 10 devices with my tweaks, modules and applications via Microsoft Endpoint Manager, Azure Blob Storage and PowerShell.
Since the introduction of Administrative Templates in Microsoft Intune, as it was known at the time, I have tried to include my customers in the journey of adopting a "Cloud First" approach over on-premises Group Policies. In my experience, most customers today have 10s to 100s of GPOs in place that are either legacy or not relevant to their environment today.
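The three highlighted parts (blob URL, download command, installer command) as one runnable script. This is an added example rather than the post's own script: the storage account name, file name, hash and silent-install switches are constructed placeholders. The one thing it adds to the pattern in the post is a SHA-256 check before anything is executed, so that a device only installs the exact file that was uploaded to the container.

```powershell
# Added example, not the blog's own script. Downloads an installer from an Azure Blob
# Storage URL, verifies its SHA-256 hash, then installs it according to its file type.
# Storage account name, file, hash and switches below are constructed placeholders;
# the hash must be the one you computed with Get-FileHash on the file you uploaded.
$chromeinstaller = 'https://mystorageaccount.blob.core.windows.net/intuneblogaboutcloud/Installers/ChromeSetup.msi'
$ExpectedSha256  = '0000000000000000000000000000000000000000000000000000000000000000'
$InstallArgs     = '/qn /norestart'   # silent-install switches for an .msi

function Install-FromBlob {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Sha256,
        [string]$Arguments = ''
    )
    $file = Join-Path $env:TEMP ([System.IO.Path]::GetFileName(([uri]$Url).AbsolutePath))

    # Download (TLS 1.2 forced for older Windows PowerShell builds)
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing -ErrorAction Stop

    # Refuse to run anything whose hash differs from the file you uploaded
    # (-ne is case-insensitive, so upper/lower-case hex both match)
    $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item $file -Force
        throw "Hash mismatch for $file (got $actual); not installing"
    }

    # Pick the launcher by extension; Start-Process rejects an empty -ArgumentList,
    # so the arguments are only added when there are any
    $sp = @{ Wait = $true; PassThru = $true }
    switch ([System.IO.Path]::GetExtension($file).ToLower()) {
        '.msi' { $sp.FilePath = 'msiexec.exe';   $sp.ArgumentList = "/i `"$file`" $Arguments" }
        '.exe' { $sp.FilePath = $file;           if ($Arguments) { $sp.ArgumentList = $Arguments } }
        '.ps1' { $sp.FilePath = 'powershell.exe'; $sp.ArgumentList = "-ExecutionPolicy Bypass -File `"$file`" $Arguments" }
        default { Remove-Item $file -Force; throw "Unsupported file type: $file" }
    }
    $p = Start-Process @sp
    Remove-Item $file -Force
    return $p.ExitCode
}

$exit = Install-FromBlob -Url $chromeinstaller -Sha256 $ExpectedSha256 -Arguments $InstallArgs
Write-Output "Installer exit code: $exit"
```

When adding the script in MEM, remember that device scripts run in the 32-bit PowerShell host unless you turn on the "Run script in 64 bit PowerShell Host" setting, which matters for 64-bit installers and modules.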
One of the biggest challenges for myself as a consultant was wading through the lines and lines of configuration options available in Administrative Templates.
So as you can see from the below, it's just lines and lines of configuration settings.
Now with the improvements to the Administrative Templates, we have the look and feel of on-premises Group Policy. This is a massive step in the right direction to ensure that any IT professional that hasn't had any cloud experience receives a common interface they are used to.
If you still feel that Administrative Templates are not quite there for your enterprise needs, do not fear: MMAT (the MDM Migration Analysis Tool) is another great solution for understanding your current Group Policies and identifying which policies can be migrated to the cloud using Custom OMA-URI profiles.
Once you have added the modified script and assigned it to the relevant users, devices or both, at the next check-in the PowerShell script will execute on the device to make the new background available.
As you can see from my image below, my 2 new images have appeared as options.
This has been on my To-Do list for such a long time, and because of Covid-19 I have finally found the hours required to get this done. A while back I received two YubiKeys and never got around to testing them 🙁 naughty, I know. So let's look at Yubico.
Microsoft and Yubico have created a path to a passwordless future for organizations of all shapes and sizes, built on the FIDO2 and U2F standards, which Yubico co-authored with Microsoft and Google. Yubico became a founding member of the FIDO Alliance.
How does it all work, I hear you ask?
The YubiKey supports multiple methods of authentication, enabling the same key to be used across services and applications. Out-of-the-box native integration with the Microsoft environment allows for rapid deployment.
The user plugs the FIDO2 security key into their computer.
Windows detects the FIDO2 security key.
Windows sends an authentication request.
Azure AD sends back a nonce.
The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
The FIDO2 security key signs the nonce with the private key.
The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
Azure AD verifies the signed nonce using the FIDO2 public key.
Azure AD returns PRT to enable access to on-premises resources.
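The nonce exchange in steps 4 to 8, reduced to its cryptographic core as an added example (not from the post and not Microsoft's or Yubico's code). It uses .NET's ECDsa class on the P-256 curve, which is what FIDO2 keys commonly use for ES256 signatures. The "security key" side holds the private key; the "Azure AD" side holds only the public key plus the nonces it has issued, which is why a replayed nonce is rejected even though its signature is valid. Function names are this example's own; the real flow also carries registration, attestation and the PRT itself, none of which is modelled here. Requires PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7 or later.

```powershell
# Added example: challenge/response with a nonce, modelled on the FIDO2 steps above.
# Security key side: the private key is generated here and never exported.
$curve       = [System.Security.Cryptography.ECCurve]::CreateFromFriendlyName('nistP256')
$securityKey = [System.Security.Cryptography.ECDsa]::Create($curve)

# Identity provider side: only the public half (registered at enrollment in the real
# flow) and the set of nonces it has handed out and not yet consumed.
$publicKey    = [System.Security.Cryptography.ECDsa]::Create($securityKey.ExportParameters($false))
$issuedNonces = [System.Collections.Generic.HashSet[string]]::new()

function New-Nonce {
    # Step 4: a fresh random challenge, remembered so it can be consumed exactly once
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $nonce = [Convert]::ToBase64String($bytes)
    [void]$issuedNonces.Add($nonce)
    return $nonce
}

function Invoke-KeySign {
    param([Parameter(Mandatory)][string]$Nonce)
    # Steps 5 and 6: the user's gesture unlocks the key, which signs the nonce
    $data = [System.Text.Encoding]::UTF8.GetBytes($Nonce)
    return $securityKey.SignData($data, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

function Test-SignedNonce {
    param([Parameter(Mandatory)][string]$Nonce, [Parameter(Mandatory)][byte[]]$Signature)
    # Step 8: a nonce that was never issued, or was already used, is a replay; reject it
    # before doing any signature work. Remove() returns $false in both cases.
    if (-not $issuedNonces.Remove($Nonce)) { return $false }
    $data = [System.Text.Encoding]::UTF8.GetBytes($Nonce)
    return $publicKey.VerifyData($data, $Signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
}

$n   = New-Nonce
$sig = Invoke-KeySign -Nonce $n
Test-SignedNonce -Nonce $n -Signature $sig              # True: fresh nonce, valid signature
Test-SignedNonce -Nonce $n -Signature $sig              # False: same nonce replayed
Test-SignedNonce -Nonce (New-Nonce) -Signature $sig     # False: signature is over a different nonce
```

The point the three calls make is the one behind step 4: the server-chosen nonce is what ties the signature to this sign-in, so a captured signature is worthless a second time, and the verifier never needs anything more sensitive than the public key.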
Microsoft has now released 3 brand new activity policies for Microsoft Teams, and given the current state of the world, I believe these additions are perfect for organisations that were forced into a "Working from Home" culture but weren't geared up for it. These activity policy templates enable you to detect potentially suspicious activities in Microsoft Teams:
Access level change (Teams): Alerts when a team’s access level is changed from private to public.
External user added (Teams): Alerts when an external user is added to a team.
Please see the below screenshot for an example of the alert you would see in Cloud App Security.
Mass deletion (Teams): Alerts when a user deletes a large number of teams.
Please see the below screenshot for an example of the alert you would see in Cloud App Security.
Microsoft has decided to run a number of full-day virtual training events on the fundamentals of Azure! This is excellent news for all those affected by Covid-19, as there is no excuse not to attend 🙂. Also, by attending you will receive a free Microsoft exam voucher so you can take the AZ-900 exam from home.
The course details are as follows:
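To make the three template conditions concrete, here is an added example (not part of the post and not how Cloud App Security implements them) that evaluates the same three conditions over Teams audit records. The records and their field names (Time, Operation, UserId, TeamName, OldValue, NewValue, Member) are constructed for the illustration; the threshold and window for "mass deletion" are assumptions, as the real template lets you set them. Guest accounts are recognised by the #EXT# marker Azure AD puts in guest user principal names.

```powershell
# Added example: the three Teams activity-policy conditions as a check over sample
# audit records. Records and field names are constructed; map them to your export.
$Records = @(
    [pscustomobject]@{ Time='2020-05-01T09:00:00Z'; Operation='TeamSettingChanged'; UserId='alice@contoso.example';   TeamName='Finance'; OldValue='Private'; NewValue='Public'; Member=$null },
    [pscustomobject]@{ Time='2020-05-01T09:05:00Z'; Operation='MemberAdded';        UserId='alice@contoso.example';   TeamName='Finance'; OldValue=$null;     NewValue=$null;     Member='bob_partner.example#EXT#@contoso.example' },
    [pscustomobject]@{ Time='2020-05-01T09:06:00Z'; Operation='MemberAdded';        UserId='alice@contoso.example';   TeamName='Finance'; OldValue=$null;     NewValue=$null;     Member='carol@contoso.example' },
    [pscustomobject]@{ Time='2020-05-01T10:00:00Z'; Operation='TeamDeleted';        UserId='mallory@contoso.example'; TeamName='Proj-A';  OldValue=$null;     NewValue=$null;     Member=$null },
    [pscustomobject]@{ Time='2020-05-01T10:04:00Z'; Operation='TeamDeleted';        UserId='mallory@contoso.example'; TeamName='Proj-B';  OldValue=$null;     NewValue=$null;     Member=$null },
    [pscustomobject]@{ Time='2020-05-01T10:09:00Z'; Operation='TeamDeleted';        UserId='mallory@contoso.example'; TeamName='Proj-C';  OldValue=$null;     NewValue=$null;     Member=$null },
    [pscustomobject]@{ Time='2020-05-01T10:13:00Z'; Operation='TeamDeleted';        UserId='mallory@contoso.example'; TeamName='Proj-D';  OldValue=$null;     NewValue=$null;     Member=$null },
    [pscustomobject]@{ Time='2020-05-01T10:20:00Z'; Operation='TeamDeleted';        UserId='mallory@contoso.example'; TeamName='Proj-E';  OldValue=$null;     NewValue=$null;     Member=$null },
    [pscustomobject]@{ Time='2020-05-01T11:30:00Z'; Operation='TeamDeleted';        UserId='dave@contoso.example';    TeamName='Old-Team'; OldValue=$null;    NewValue=$null;     Member=$null }
)

function Find-SuspiciousTeamsActivity {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$MassDeleteThreshold = 5,   # assumption: 5 deletions ...
        [int]$WindowMinutes = 60         # ... within one hour counts as "mass"
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Access level change: a team switched from private to public
    foreach ($r in $Records | Where-Object { $_.Operation -eq 'TeamSettingChanged' -and $_.OldValue -eq 'Private' -and $_.NewValue -eq 'Public' }) {
        $findings.Add("AccessLevelChange: $($r.UserId) made team '$($r.TeamName)' public at $($r.Time)")
    }

    # 2. External user added: guest UPNs carry the #EXT# marker
    foreach ($r in $Records | Where-Object { $_.Operation -eq 'MemberAdded' -and $_.Member -like '*#EXT#*' }) {
        $findings.Add("ExternalUserAdded: $($r.UserId) added $($r.Member) to '$($r.TeamName)' at $($r.Time)")
    }

    # 3. Mass deletion: threshold or more TeamDeleted events by one user inside the window
    foreach ($g in ($Records | Where-Object { $_.Operation -eq 'TeamDeleted' } | Group-Object UserId)) {
        $times = @($g.Group | ForEach-Object { [datetimeoffset]$_.Time } | Sort-Object)
        for ($i = 0; $i + $MassDeleteThreshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $MassDeleteThreshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $findings.Add("MassDeletion: $($g.Name) deleted $MassDeleteThreshold teams within $([int]$span.TotalMinutes) minutes from $($times[$i].ToString('u'))")
                break
            }
        }
    }
    return $findings
}

Find-SuspiciousTeamsActivity -Records $Records
```

Against the sample this reports one finding per template: Alice making Finance public, Alice adding the guest account, and Mallory's five deletions in 20 minutes; Carol (an internal member) and Dave's single deletion produce nothing. The sliding window, rather than a per-day count, is what stops a user who legitimately cleans up one team a week from tripping the mass-deletion rule.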
To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. Microsoft Azure Virtual Training Day: Fundamentals explains cloud-computing concepts, models, and services, covering topics such as public, private, and hybrid cloud as well as infrastructure as a service, platform as a service, and software as a service.
Common cloud concepts
Benefits of Azure
Strategies for transitioning to Azure cloud
Azure computing, networking, storage and security basics
During a number of my recent deployments of Microsoft Endpoint Manager, and in conversations I have had with customers, one thing that always comes up is security across the different browsers end-users run to perform their daily tasks. In a recent discussion we touched on Mozilla Firefox and how it can be managed using Microsoft Endpoint Manager, as the customer currently performs this task with on-premises GPOs.
Like Google Chrome, Firefox can also be managed using a Custom configuration profile for Windows 10. The policy consists of two parts. The first part is used to deploy the Firefox ADMX file to the Intune-managed device. The second part of the policy is used to manage the settings of choice.
Ingest the Firefox ADMX file
The Firefox ADMX file is available on GitHub. Download this file, as it will be required later in this blog post.
We now need to sign in to the Microsoft Endpoint Manager portal.
Browse to the following location: (1) Devices – (2) Windows
On the (3) Configuration Profiles tab, click (4) Create profile
Select Windows 10 and later –> Custom –> Create
We will now need to populate the Name field for this profile; you can also provide a description to give more information about what this profile does. Once you have populated the required information, press Configure under Settings and then Add.
Now we are going to add rows to the profile. The first row will be the ingestion of the Firefox ADMX file, followed by any Firefox policies you would like to introduce. Please follow the text and screenshots below.
Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: copy the entire content of the ADMX file into the value field
The value information could be different from what is shown in the screenshot above, so to validate this, open the .admx file in Notepad or another text editor.
At the top of the opened file you will see the value, which you will need to copy and add to your row.
Understanding the OMA-URI for configuring policies
Now this was something very new to me, and I have had to learn exactly how to interpret the ADMX file to obtain the information required to create the OMA-URI for each setting I would like to apply.
Let's split the OMA-URI into separate parts to make sure you fully understand how it is put together. First of all, the default prefix for managing applications using an ADMX file is ./Device/Vendor/MSFT/Policy/Config/, so you will always require this when adding a new row for a policy. I am going to use DisablePrivateBrowsing as an example of how we achieve the required outcome.
The part that comes next is not always the same, and we need to follow some rules: it starts with Firefox (this is the file name of the ADMX template, firefox.admx), followed by Policy, and every word is separated with the ~ sign, as shown below.
The next part is split into two different categories. The first category is always found at the top of the ADMX file and, as you can see, it's called "firefox".
The next category will be one of the following;
As we are configuring DisablePrivateBrowsing, the category required is called firefox, so my complete OMA-URI would be ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~firefox/DisablePrivateBrowsing, including /settingname as shown below.
Now that we understand the OMA-URI, we need to provide the string value to enable this new policy. For this particular policy, we just need to put <enabled/> in order to make it active.
Unless you have been living under a rock for the past couple of months, Covid-19 has forced organisations to promote home-working. The issue with this is that most organisations today are just not prepared for home-working. So in this post I will look at the quick wins that can be implemented using Microsoft's security management tools to first identify and then protect against potential threats to your cloud platform. Microsoft Security Management is just a name for a number of its products and features, so today I am going to go through what can be used to improve your environment.
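Reading the ADMX by hand for every setting is where mistakes creep in, so here is an added example (not the post's own script) that builds the OMA-URI for every policy in a file from the rule just described: the fixed prefix, the app name, Policy, the category chain joined with ~, then /PolicyName. The chain is walked up through each category's parentCategory reference; how many segments that produces depends on the file's category definitions, so for the real firefox.admx compare the function's output with the worked DisablePrivateBrowsing value above before creating the row. The ADMX below is a constructed, abbreviated stand-in, not Mozilla's file.

```powershell
# Added example: derive OMA-URIs from an ADMX file. The ADMX text is a constructed,
# abbreviated stand-in for firefox.admx (real files have many more policies).
$SampleAdmx = @'
<policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="firefox" namespace="Mozilla.Policies.Firefox"/>
  </policyNamespaces>
  <categories>
    <category name="firefox" displayName="$(string.firefox)"/>
    <category name="Homepage" displayName="$(string.Homepage)">
      <parentCategory ref="firefox"/>
    </category>
  </categories>
  <policies>
    <policy name="DisablePrivateBrowsing" class="Both" displayName="$(string.DisablePrivateBrowsing)" key="Software\Policies\Mozilla\Firefox" valueName="DisablePrivateBrowsing">
      <parentCategory ref="firefox"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy name="HomepageURL" class="Both" displayName="$(string.HomepageURL)" key="Software\Policies\Mozilla\Firefox\Homepage">
      <parentCategory ref="Homepage"/>
      <elements><text id="HomepageURL" valueName="URL"/></elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxCategoryChain {
    # Walk from a policy's category up to the root, returning "root~child~grandchild"
    param([Parameter(Mandatory)][xml]$Admx, [Parameter(Mandatory)][string]$Ref)
    $categories = @($Admx.policyDefinitions.categories.category)
    $chain   = [System.Collections.Generic.List[string]]::new()
    $current = $Ref
    while ($current) {
        $chain.Insert(0, $current)
        $cat = $categories | Where-Object { $_.GetAttribute('name') -eq $current }
        # Stop at the root (no parentCategory) or at a reference into another ADMX
        # file ("prefix:name"), which this example does not follow
        if ($cat -and $cat.parentCategory -and $cat.parentCategory.GetAttribute('ref') -notmatch ':') {
            $current = $cat.parentCategory.GetAttribute('ref')
        } else {
            $current = $null
        }
    }
    return ($chain -join '~')
}

function Get-AdmxOmaUri {
    # AppName must match the name used in the ADMXInstall ingestion URI (Firefox above)
    param([Parameter(Mandatory)][xml]$Admx, [string]$AppName = 'Firefox')
    foreach ($p in @($Admx.policyDefinitions.policies.policy)) {
        $name  = $p.GetAttribute('name')
        $chain = Get-AdmxCategoryChain -Admx $Admx -Ref $p.parentCategory.GetAttribute('ref')
        # A plain on/off policy takes <enabled/>; one with <elements> also needs a
        # <data id="..." value="..."/> per element (value left as a placeholder here)
        $value = '<enabled/>'
        if ($p.elements) {
            $ids   = @($p.elements.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object { $_.GetAttribute('id') })
            $value += ($ids | ForEach-Object { "<data id=`"$_`" value=`"PLACEHOLDER`"/>" }) -join ''
        }
        [pscustomobject]@{
            Policy = $name
            Class  = $p.GetAttribute('class')
            OmaUri = "./Device/Vendor/MSFT/Policy/Config/$AppName~Policy~$chain/$name"
            Value  = $value
        }
    }
}

Get-AdmxOmaUri -Admx ([xml]$SampleAdmx) -AppName 'Firefox' | Format-Table -AutoSize
# Against the downloaded file instead:
# Get-AdmxOmaUri -Admx ([xml](Get-Content -Raw -Path .\firefox.admx)) -AppName 'Firefox'
```

For the constructed file the chain under DisablePrivateBrowsing is the single root category, and HomepageURL picks up the Homepage sub-category as a second ~ segment; the ingestion row's value is simply the whole file, which is what Get-Content -Raw gives you.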
Microsoft Secure Score
Microsoft Secure Score is a measurement of an organization’s security posture, with a higher number indicating more improvement actions taken. Following the Security Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure.
Secure Score helps organizations:
Report on the current state of the organization’s security posture.
Improve their security posture by providing discoverability, visibility, guidance, and control.
Compare with benchmarks and establish key performance indicators (KPIs).
Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when third-party solutions have addressed recommended actions.
Turning on auditing within your Office 365 tenancy is possibly one of the quickest things you can do today. With audit logging enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days.
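The same quick win from the command line, as an added example (not from the post): it checks whether unified audit log ingestion is on, enables it if not, and then pulls a handful of recent records to confirm activity is actually being written. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can read audit logs; the 24-hour window and result size are arbitrary.

```powershell
# Added example: enable and confirm unified audit logging for the tenant.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline   # interactive sign-in

$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output 'Unified audit log ingestion enabled; records appear after a short delay.'
} else {
    Write-Output 'Unified audit log ingestion was already enabled.'
}

# Confirm records are flowing: the most recent day, first 50 entries
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations, RecordType |
    Format-Table -AutoSize
```

On a tenant where ingestion was just switched on the search will come back empty for a while; re-run it after a few hours rather than assuming the setting failed.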
New URL for the Microsoft Endpoint Manager admin center
To align with the announcement of Microsoft Endpoint Manager at Ignite last year, we have changed the URL for the Microsoft Endpoint Manager admin center (formerly Microsoft 365 Device Management) to https://endpoint.microsoft.com. The old admin center URL (https://devicemanagement.microsoft.com) will continue to work, but we recommend you start accessing the Microsoft Endpoint Manager admin center using the new URL.
You can add and deploy scripts to macOS devices. This support extends your ability to configure macOS devices beyond what is possible using native MDM capabilities on macOS devices. For more information, see Use shell scripts on macOS devices in Intune.
macOS and iOS Company Portal updates
The Profile pane of the macOS and iOS Company Portal has been updated to include the sign-out button. Additionally, UI improvements have been made to the Profile pane in the macOS Company Portal. For more information about the Company Portal, see How to configure the Microsoft Intune Company Portal app.
Retarget web clips to Microsoft Edge on iOS devices
Use the Intune diagnostic tool with Microsoft Edge for Android
Microsoft Edge for Android is now integrated with the Intune diagnostic tool. Similarly to the experience on Microsoft Edge for iOS, entering “about:intunehelp” into the URL bar (the address box) of Microsoft Edge on the device will start the Intune diagnostic tool. This tool will provide detailed logs. Users can be guided to collect and send these logs to their IT department, or view MAM logs for specific apps.
Updates to Intune branding and customization
We have updated the Intune pane that was named “Branding and customization” with improvements, including:
Renaming the pane to Customization.
Improving the organization and design of the settings.
A new Intune feature is available that enables users to retrieve their personal encrypted FileVault recovery key for Mac devices through the Android Company Portal application or through the Android Intune application. There is a link in both the Company Portal application and Intune application that will open a Chrome browser to the Web Company Portal where the user can see the FileVault recovery key needed to access their Mac devices. For more information about encryption, see Use device Encryption with Intune.
Optimized dedicated device enrollment
We’re optimizing the enrollment for Android Enterprise dedicated devices and making it easier for SCEP certificates associated with Wi-Fi to apply to dedicated devices enrolled prior to November 22, 2019. For new enrollments, the Intune app will continue to install, but end-users will no longer need to perform the Enable Intune Agent step during enrollment. Installment will happen in the background automatically and SCEP certificates associated with Wi-Fi can be deployed and set without end-user interaction.
Configure Delivery Optimization agent when downloading Win32 app content
You can configure the Delivery Optimization agent to download Win32 app content either in background or foreground mode based on assignment. For existing Win32 apps, content will continue to download in background mode. In the Microsoft Endpoint Manager admin center, select Apps > All apps > select the Win32 app > Properties. Select Edit next to Assignments. Edit the assignment by selecting Include under Mode in the Required section. You will find the new setting in the App settings section. For more information about Delivery Optimization, see Win32 app management – Delivery Optimization.
Improved sign-in experience in Company Portal for Android
We’ve updated the layout of several sign-in screens in the Company Portal app for Android to make the experience more modern, simple, and clean for users. For a look at the improvements, see What’s New in the app UI.
Improved user interface experience when creating device restrictions profiles on Android and Android Enterprise devices
When you create a profile for Android or Android Enterprise devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > Android device administrator or Android Enterprise for platform):
Improved user interface experience when creating configuration profiles on iOS/iPadOS and macOS devices
When you create a profile for iOS or macOS devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > iOS/iPadOS or macOS for platform):
Custom: iOS/iPadOS, macOS
Device features: iOS/iPadOS, macOS
Device restrictions: iOS/iPadOS, macOS
Endpoint protection: macOS
Preference file: macOS
Hide from user configuration setting in device features on macOS devices
When you create a device features configuration profile on macOS devices, there’s a new Hide from user configuration setting (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Login items).
This feature sets an app’s hide checkmark in the Users & Groups login items apps list on macOS devices. Existing profiles show this setting within the list as unconfigured. To configure this setting, administrators can update existing profiles.
When set to Hide, the hide checkbox is checked for the app, and users can’t change it. It also hides the app from users after users sign in to their devices.
New user experience when creating administrative templates on Windows devices
Based on customer feedback, and our move to the new Azure full screen experience, we’ve rebuilt the Administrative Templates profile experience with a folder view. We haven’t made changes to any settings or existing profiles. So, your existing profiles will stay the same, and will be usable in the new view. You can still navigate all settings options by selecting All Settings, and using search. The tree view is split by Computer and User configurations. You will find Windows, Office and Edge settings in their associated folders.
Windows 10 and newer
VPN profiles with IKEv2 VPN connections can use always on with iOS/iPadOS devices
On iOS/iPadOS devices, you can create a VPN profile that uses an IKEv2 connection (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > VPN for profile type). Now, you can configure always-on with IKEv2. When configured, IKEv2 VPN profiles connect automatically, and stay connected (or quickly reconnect) to the VPN. It stays connected even when moving between networks or restarting devices.
On iOS/iPadOS, always-on VPN is limited to IKEv2 profiles.
Delete bundles and bundle arrays in OEMConfig device configuration profiles on Android Enterprise devices
On Android Enterprise devices, you create and update OEMConfig profiles (Devices > Configuration profiles > Create profile > Android Enterprise for platform > OEMConfig for profile type). Users can now delete bundles and bundle arrays using the Configuration designer in Intune.
Configure the iOS/iPadOS Microsoft Azure AD SSO app extension
The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow iOS/iPadOS 13.0+ users to gain access to Microsoft apps and websites with one sign-on. All apps that previously had brokered authentication with the Microsoft Authenticator app will continue to get SSO with the new SSO extension. With the Azure AD SSO app extension release, you can configure the SSO extension with the redirect SSO app extension type (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile type > Single sign-on app extension).
Enterprise app trust settings modification setting is removed from iOS/iPadOS device restriction profiles
On iOS/iPadOS devices, you create a device restrictions profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type). The Enterprise app trust settings modification setting is removed by Apple, and is removed from Intune. If you currently use this setting in a profile, it has no impact, and is removed from existing profiles. This setting is also removed from any reporting in Intune.
Troubleshooting: Pending MAM policy notification changed to informational icon
The notification icon for a pending MAM policy on the Troubleshooting blade has been changed to an informational icon.
UI update when configuring compliance policy
We’ve updated the UI for creating compliance policies in Microsoft Endpoint manager (Devices > Compliance policies > Policies > Create Policy). We’ve a new user experience that includes the same settings and details you’ve used previously. The new experience follows a wizard-like process to create the compliance policy and includes a page where you can add Assignments for the policy, and a Review + Create page where you can review your configuration before creating the policy.
Retire noncompliant devices
We’ve added a new action for noncompliant devices that you can add to any policy, to retire the noncompliant device. The new action, Retire the noncompliant device, results in removal of all company data from the device, and also removes the device from being managed by Intune. This action runs when the configured value in days is reached and at that point the device becomes eligible to be retired. The minimum value is 30 days. Explicit IT admin approval will be required to retire the devices by using the Retire Non-compliant devices section, where admins can retire all eligible devices.
Support for WPA and WPA2 in iOS Enterprise Wi-Fi profiles
Enterprise Wi-Fi profiles for iOS now support the Security type field. For Security type, you can select either of WPA Enterprise or WPA/WPA2 Enterprise, and then specify a selection for the EAP type. (Devices > Configuration profiles > Create profile and select iOS/iPadOS for Platform and then Wi-Fi for Profile).
The new Enterprise options are like those that have been available for a Basic Wi-Fi profile for iOS.
New user experience for certificate, email, VPN, and Wi-Fi, VPN profiles
We’ve updated the user experience in the Endpoint Management Admin Center (Devices > Configuration profiles > Create profile) for creating and modifying the following profile types. The new experience presents the same settings as before, but uses a wizard-like experience that doesn’t require as much horizontal scrolling. You won’t need to modify existing configurations with the new experience.
PKCS imported certificate
Configure if enrollment is available in Company Portal for Android and iOS
You can configure whether device enrollment in the Company Portal on Android and iOS devices is available with prompts, available without prompts, or unavailable to users. To find these setting in Intune, navigate to the Microsoft Endpoint Manager admin center and, select Tenant administration > Customization > Edit > Device enrollment.
Support for the device enrollment setting requires end users have these Company Portal versions:
Company Portal on iOS: version 4.4 or later
Company Portal on Android: version 5.0.4715.0 or later
New Android report on Android Devices overview page
We’ve added a report to the Microsoft Endpoint Manager admin console in the Android Devices overview page that displays how many Android devices have been enrolled in each device management solution. This chart (like the same chart already in the Azure console) shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Devices > Android > Overview.
Guide users from Android device administrator management to work profile management
We’re releasing a new compliance setting for the Android device administrator platform. This setting lets you make a device non-compliant if it’s managed with device administrator.
On these non-compliant devices, on the Update device settings page users will see the Move to new device management setup message. If they tap the Resolve button, they’ll be guided through:
Unenrolling from device administrator management
Enrolling in work profile management
Resolving compliance issues
Google is decreasing device administrator support in new Android releases in an effort to move to modern, richer, and more secure device management with Android Enterprise. Intune can only provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices (except Samsung) that are running Android 10 or later after this time won’t be able to be entirely managed. In particular, impacted devices won’t receive new password requirements.
Microsoft Endpoint Manager tenant attach: Device sync and device actions
Microsoft Endpoint Manager is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager technical preview version 2002.2, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Features in Configuration Manager technical preview version 2002.2.
Review the Configuration Manager technical preview article before installing this update. This article familiarizes you with the general requirements and limitations for using a technical preview, how to update between versions, and how to provide feedback.
Bulk remote actions
You can now issue bulk commands for the following remote actions: restart, rename, Autopilot reset, wipe, and delete. To see the new bulk actions, go to Microsoft Endpoint Manager admin center > Devices > All devices > Bulk actions.
All devices list improved search, sort, and filter
The All devices list has been improved for better performance, searching, sorting, and filtering. For more information, see this Support Tip.
Change Primary User for Windows devices
You can change the Primary User for Windows hybrid and Azure AD Joined devices. To do so, go to Intune > Devices > All devices > choose a device > Properties > Primary User. For more information, see Change a device’s primary user.
A new RBAC permission (Managed Devices / Set primary user) has also been created for this task. The permission has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager.
This feature is rolling out to customers globally under preview. You should see the feature within the next few weeks.
Monitor and troubleshoot
The Data Warehouse now provides the MAC address
The Intune Data Warehouse provides the MAC address as a new property (EthernetMacAddress) in the device entity to allow admins to correlate between the user and host mac address. This property helps to reach specific users and troubleshoot incidents occurring on the network. Admins can also use this property in Power BI reports to build richer reports. For more information, see the Intune Data Warehouse device entity.
Additional Data Warehouse device inventory properties
Additional device inventory properties are available using the Intune Data Warehouse. The following properties are now exposed via the devices collection:
‘Model’ – The device model.
‘Office365Version’ – The version of Office 365 that is installed on the device.
‘PhysicalMemoryInBytes’ – The physical memory in bytes.
‘TotalStorageSpaceInBytes’ – Total storage capacity in bytes.
Help and support workflow update to support additional services
We’ve updated the Help and support page in the Microsoft Endpoint Manager admin center where you now choose the management type you use. With this change you’ll be able to select from the following management types:
Use a preview of security administrator focused policies as part of Endpoint security
As a public preview, we’ve added several new policy groups under the Endpoint security node in the Microsoft Endpoint Management admin center. As a security admin you can use these new policies to focus on specific aspects of device security to manage discrete groups of related settings without the overhead of the larger Device Configuration policy body.
With the exception of the new Antivirus policy for Microsoft Defender Antivirus (see below), the settings in each of these new preview policies and profiles are the same settings that you might already configure through Device configuration profiles today.
The following are the new policy types that are all in preview, and their available profile types:
Microsoft Defender Antivirus – Manage Antivirus policy settings for cloud protection, Antivirus exclusions, remediation, scan options, and more.
The Antivirus profile for Microsoft Defender Antivirus is an exception that introduces a new instance of settings that are found as part of a device restriction profile. These new Antivirus settings:
Are the same settings as found in device restrictions, but support a third option for configuration that’s not available when configured as a device restriction.
Apply to devices that are co-managed with Configuration Manager, when the co-management workload slider for Endpoint Protection is set to Intune.
Plan to use the new Antivirus > Microsoft Defender Antivirus profile in place of configuring them through a device restriction profile.
Windows Security experience – Manage the Windows Security settings that end users can view in the Microsoft Defender Security center and the notifications they receive. These settings are unchanged from those available as a Device configuration Endpoint Protection profile.