Microsoft Apps for Enterprise – Changing Channels, New Channel and Default changes.

Microsoft has announced three changes to how Microsoft Apps for Enterprise is released. These changes are currently listed as In Development, but I don't expect them to stay in that state for long, as I am already seeing one of them within my own tenant.

Changes to the current Channel Names

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63585

Over the lifetime of Office ProPlus, which is now Microsoft Apps for Business, Microsoft has changed the channel names multiple times. So this new development isn't a surprise, as Microsoft does love a name change.

Existing Channel Name          New Channel Name
Semi-Annual                    Semi-Annual Enterprise
Semi-Annual (Targeted)         Semi-Annual Enterprise (Preview)
Monthly                        Current
Monthly (Targeted)             Current (Preview)

New update channel for Microsoft Apps for Enterprise

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63591

In the past there have only ever been four main channels for Microsoft Apps for Enterprise (not including the Insider release channels). Microsoft has announced a new channel to help customers who want to stay up to date with feature updates, such as real-time collaboration and AI capabilities. This channel will be called Monthly Enterprise.

Default Channel for new Office 365 Tenants

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63757

Existing Office 365 tenants will be familiar with Semi-Annual Channel being the default channel; for new Office 365 tenants, however, the default will become Current Channel.

Regards
The Author – Blogabout.Cloud

Delivering your favourite configuration, tweaks and PowerShell modules to all of your Microsoft Endpoint Managed Windows 10 devices.

In recent times I have had to rebuild a number of my Windows 10 devices and reinstall my favourite scripts, applications and tweaks, which got me thinking that there must be a better way of rebuilding my devices. So here is my approach.

Azure Blob Storage

After transitioning from a very UC-focused role, I have been gaining an appreciation for the whole M365 stack and how Microsoft Azure can work hand in hand with it to solve potential problems or scenarios. Microsoft has done a very good job of providing a platform that enables businesses and organisations to leverage their subscriptions in more powerful ways, so with that said, let's look at Azure Blob Storage.

First of all, we need to log into the Azure Portal, as this is where all the required work will take place. Once logged in, search for Storage accounts, as this is where all files will be stored. In my case I have already created a Storage Account, but you can create one using the Add button.

Storage Accounts

Now that you have created the Storage Account, go to Containers, as shown below.

Containers

Again, in my case I already have a container called intuneblogaboutcloud, but you can create your own container by clicking + Container.

New / Existing Containers

We can now upload all the required PowerShell scripts, installers, images etc., depending on what you are intending to achieve. In my container I have created folders to structure the data.

Structure to the container

One of the key things to understand is that each uploaded file has a unique URL. Please keep this in mind, as later in this post I will be demonstrating how I use this URL to deliver customizations to my Windows 10 devices.

Example of the blob uploaded

PowerShell Scripts

Microsoft Endpoint Manager has the ability to deliver PowerShell scripts to any and all enrolled Windows 10 devices. As I was getting annoyed at having to reinstall the PowerShell customizations and tweaks I like to perform on my client machines, I created several scripts that do the hard work for me.

Now we need to connect to the Microsoft Endpoint Manager portal. Once logged in, browse to Devices –> PowerShell Scripts.

PowerShell Scripts

As you can see from the above, I am currently delivering 3 scripts to my Windows 10 endpoints, so let's look at them a bit closer.

Microsoft Teams – Custom Backgrounds

Please refer to my dedicated post about publishing custom backgrounds for Microsoft Teams.

PowerShell – Common Modules

In my line of work, I use a number of PowerShell modules to help me achieve the outcomes required to complete a project or ad-hoc work for customers.

The below script installs the following PowerShell modules

One of the unique features of this script is that it checks the PSGallery for updated versions of each module. However, this feature isn't effective when using MEM for delivery unless a modified script is uploaded to MEM.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-CommonModules.ps1

PowerShell – Custom PowerShell Tweaks

While working on a customer engagement, there was a requirement to deliver customizations to Windows 10 endpoints and to achieve this via a "Cloud First" approach.

The below script is designed to do the following:

  • Create a local directory to download all files from Azure Blob Storage (C:\_build)
  • Download all specified files from Azure Blob Storage
  • Run all applications or scripts
  • Remove the C:\_build directory
  • Run any necessary PowerShell commands to configure applications.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-AppsfromBlobStorage.ps1

As mentioned in the Azure Blob Storage section, the unique URL has an important part to play. In the image below I have highlighted 3 sections:

  • 1 – The unique URL stored in its own variable, $chromeinstaller
  • 2 – The download command
  • 3 – The installer command

Even with limited PowerShell experience you will be able to understand how this script works and customize it to your needs. Whether it's an .msi, .exe or .ps1, you just modify the script accordingly.
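The following is an added PowerShell example of the five steps listed above; it is not the Get-AppsfromBlobStorage.ps1 script from GitHub. Because anything placed at these blob URLs ends up running as SYSTEM on every assigned device, the example pins the SHA256 of each file and refuses to run a download that does not match. The storage account, container paths and hashes are placeholders you replace with your own values.

```powershell
# Added example (not the blog's Get-AppsfromBlobStorage.ps1): download installers from
# Azure Blob Storage into C:\_build, verify each file's SHA256 before running it,
# run the installer or script, then remove C:\_build.
$ErrorActionPreference = 'Stop'
$buildDir = 'C:\_build'

# Placeholder blob URLs and expected hashes: replace with your own container's values.
# Pinning the hash means a swapped or tampered blob is rejected instead of executed.
# If the container is private, append a read-only SAS token to each URL.
$packages = @(
    @{
        Name   = 'GoogleChromeStandaloneEnterprise64.msi'
        Url    = 'https://<storageaccount>.blob.core.windows.net/<container>/Apps/GoogleChromeStandaloneEnterprise64.msi'
        Sha256 = '<expected-sha256-placeholder>'
        Args   = '/qn /norestart'
    },
    @{
        Name   = 'Set-Tweaks.ps1'
        Url    = 'https://<storageaccount>.blob.core.windows.net/<container>/Scripts/Set-Tweaks.ps1'
        Sha256 = '<expected-sha256-placeholder>'
        Args   = ''
    }
)

function Start-Installer {
    param([string]$FilePath, [string]$Arguments)
    $splat = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
    if ($Arguments) { $splat.ArgumentList = $Arguments }   # -ArgumentList rejects an empty string
    $proc = Start-Process @splat
    # 3010 is "success, reboot required" for MSI installs
    if ($proc.ExitCode -notin 0, 3010) { throw "$FilePath exited with code $($proc.ExitCode)" }
}

function Invoke-Package {
    param([hashtable]$Package)

    $path = Join-Path $buildDir $Package.Name
    # Invoke-WebRequest is used because the MEM script context has no Az modules;
    # -UseBasicParsing avoids the Internet Explorer engine dependency on older builds.
    Invoke-WebRequest -Uri $Package.Url -OutFile $path -UseBasicParsing

    # Integrity check: comparison is case-insensitive, so hash case does not matter
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($actual -ne $Package.Sha256) {
        throw "Hash mismatch for $($Package.Name): expected $($Package.Sha256), got $actual"
    }

    switch ([System.IO.Path]::GetExtension($path).ToLower()) {
        '.msi'  { Start-Installer -FilePath 'msiexec.exe' -Arguments "/i `"$path`" $($Package.Args)" }
        '.exe'  { Start-Installer -FilePath $path -Arguments $Package.Args }
        '.ps1'  { & $path }
        default { throw "Unsupported file type: $path" }
    }
}

try {
    New-Item -Path $buildDir -ItemType Directory -Force | Out-Null
    foreach ($pkg in $packages) { Invoke-Package -Package $pkg }
}
finally {
    # Clean up the staging folder even if an installer failed
    Remove-Item -Path $buildDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Get the expected hash with Get-FileHash on the file you uploaded, and re-upload a modified script to MEM whenever a hash or URL changes, since the script only re-runs when it changes.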

W32 Apps

Finally, delivering applications to Windows 10 using the native W32 app method. Microsoft has already made this easier with Microsoft Apps for Enterprise (aka Office ProPlus), but as you can see I have leveraged MEM to install a number of MSI files that I like on my machines. I will not go into detail on this section as it is quite straightforward.

So there you have it, customizing my Windows 10 devices with my tweaks, modules and applications via Microsoft Endpoint Manager + Azure Blob Storage and PowerShell.

Regards
The Author – Blogabout.Cloud

Windows 10 – Administrative Templates (Improvements)

Since the introduction of Administrative Templates in Microsoft Intune (as it was known at the time), I have tried to include my customers in the journey of adopting a "Cloud First" approach over on-premises Group Policy. In my experience, most customers today have tens to hundreds of GPOs in place that are either legacy or no longer relevant to their environment.

One of the biggest challenges for myself as a consultant was wading through the lines and lines of configuration options available in Administrative Templates.

So, as you can see from the below, it's just lines and lines of configuration settings.

Now, with the improvements to Administrative Templates, we have the look and feel of on-premises Group Policy. This is a massive step in the right direction, ensuring that any IT professional who hasn't had any cloud experience is given a familiar interface.

If you still feel that Administrative Templates is not quite there for your enterprise needs, do not fear: MMAT is another great solution for understanding your current Group Policies and identifying which policies can be migrated to the cloud using custom OMA-URI profiles.

https://github.com/WindowsDeviceManagement/MMAT

IMPORTANT Reminder
The Microsoft Endpoint Manager portal will be removed from the Azure Portal, so get into the habit now of browsing to http://endpoint.microsoft.com, the home of modern management.

Regards
The Author – Blogabout.Cloud

Deploying custom Microsoft Teams Backgrounds with Azure Blob Storage and Microsoft Endpoint Manager

In previous blogs I have mentioned how to install applications and perform customizations using Azure Blob Storage. The following process uses the same guidelines.

I have uploaded the images to a container within Azure. If you are unsure how to do this, please refer to my previous post, which provides detailed information on configuring Azure Blob Storage for your needs.

Once you have the files you would like to push to the client devices, download the Get-TeamsBackgroundfromBlobStorage.ps1 script from GitHub.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-TeamsBackgroundfromBlobStorage.ps1

Modify the URLs to reference your Azure Blob Storage, as shown below.

You will need to go to your Microsoft Endpoint Manager dashboard at http://endpoint.microsoft.com, then browse to Devices –> Scripts –> Add.

Once you have added the modified script and assigned it to the relevant users, devices or both, the PowerShell script will execute against the device at the next check-in to make the new backgrounds available.

As you can see from my image below, my 2 new images have appeared as options.

Regards,
The Author – Blogabout.Cloud

Going Passwordless with YubiKey by Yubico

This has been on my to-do list for such a long time, and because of Covid-19 I have finally found the hours required to get it done. A while back I received two YubiKeys and never got around to testing them 🙁 naughty, I know. So let's look at Yubico.

Microsoft and Yubico have created a path to a passwordless future for organizations of all shapes and sizes, built on the technology standards FIDO2 and U2F, which Yubico co-authored with Microsoft and Google. Yubico is a founding member of the FIDO Alliance.

How does it all work, I hear you ask?

The YubiKey supports multiple methods of authentication, enabling the same key to be used across services and applications. Its out-of-the-box native integration with the Microsoft environment allows for rapid deployment.

The diagram below outlines the steps involved in user sign-in with a FIDO2 security key:
  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) request with the signed nonce is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns PRT to enable access to on-premises resources.

Enabling support for Yubikey

Time to log into Azure Active Directory via http://portal.azure.com

Select Security
Select Authentication methods
Select FIDO2 Security Key and Enable for your environment

Now that's the easy bit completed; the next step is educating the users.

Configuring Yubikey

Each user will need to visit https://myprofile.microsoft.com/

Select Security Info
Click Add Method
Select Security Key –> Add
Select USB device
Press Next
Insert your Security Key into one of your USB ports.
Specify a security key PIN
Touch the button on the security key
Provide a name to identify the security key
All Done!!

How does the sign-in work?

Well, it's really simple. Check out the video below.

Regards
The Author – Blogabout.Cloud

Cloud App Discovery: New activity policy templates for Microsoft Teams

Microsoft has released 3 brand new activity policy templates for Microsoft Teams, and given the current state of the world I believe these additions are perfect for organisations that were forced into a "Working from Home" culture but weren't geared up for it. These activity policy templates enable you to detect potentially suspicious activities in Microsoft Teams:

  • Access level change (Teams): Alerts when a team’s access level is changed from private to public.
  • External user added (Teams): Alerts when an external user is added to a team.

Please see the below screenshot for an example of the alert you would see in Cloud App Security.

  • Mass deletion (Teams): Alerts when a user deletes a large number of teams.

Please see the below screenshot for an example of the alert you would see in Cloud App Security.

Regards
The Author – Blogabout.Cloud

Receive a voucher to take the AZ-900 for free!!

Microsoft has decided to run a number of full-day virtual training events on the fundamentals of Azure! This is excellent news for all those affected by Covid-19, as there is no excuse not to attend 🙂. Also, by attending the event you will receive a free Microsoft exam voucher so you can take the AZ-900 exam from home.

The course details are as follows:

To create your vision for tomorrow, you need to understand what the cloud can do for you and your company today. Microsoft Azure Virtual Training Day: Fundamentals explains cloud-computing concepts, models, and services, covering topics such as public, private, and hybrid cloud as well as infrastructure as a service, platform as a service, and software as a service.

During this free virtual event you will learn:

  • Common cloud concepts
  • Benefits of Azure
  • Strategies for transitioning to Azure cloud
  • Azure computing, networking, storage and security basics

By attending the event, you will have the knowledge needed to take the AZ-900 Microsoft Azure Fundamentals certification exam and receive a voucher to take the exam for free at a date and time of your choice.

Virtual training will be in English.


So here are the options available for attending the virtual event.

April 21st , GMT+2 timezone :
https://info.microsoft.com/CE-AzureINFRA-WBNR-FY20-04Apr-21-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-SRDEM17525_LP01Registration-ForminBody.html

May 5th, Eastern Time Zone:
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-may5-none.html?ls=Website&lsd=AzureWebsite

June 17th (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-jun17-none.html?ls=Website&lsd=AzureWebsite

June 2nd (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMasterJun02-none.html?ls=Website&lsd=AzureWebsite

Two day Virtual Event

This will be the same content but delivered over two days. Each day will deliver 2 of the 4 modules listed above.

May 12 – 13 (Eastern Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMaster-none.html?ls=Website&lsd=AzureWebsite

May 27 – 28 (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentalsMastermay27-none.html?ls=Website&lsd=AzureWebsite

June 24 – 25 (Pacific Time Zone):
https://info.microsoft.com/en-us-landing-MicrosoftAzureVirtualTrainingDayFundamentals-None.html?ls=Website&lsd=AzureWebsite

There are more options available and you can see them all over here: https://azure.microsoft.com/en-ca/community/events/?query=Microsoft+Azure+Training+Day%3A+Fundamentals

PS: Additional assistance available for passing your exam as Pluralsight is also free for the entire month of April 2020

Regards
The Author – Blogabout.Cloud

Deploying Firefox Settings using Microsoft Endpoint Manager

During a number of my recent Microsoft Endpoint Manager deployments and conversations with customers, one thing that always comes up is the security of the different browsers end-users run to perform their daily tasks. In a recent discussion we touched on Mozilla Firefox and how it can be managed using Microsoft Endpoint Manager, as the customer currently performs this task with on-premises GPOs.

Like Google Chrome, Firefox can be managed using a Custom configuration profile for Windows 10. The policy consists of two parts. The first part deploys the Firefox ADMX file to the Intune-managed device. The second part of the policy manages the settings of your choice.

Ingest the Firefox ADMX file

The Firefox ADMX file has been made available on GitHub. Download it, as it will be required later in this post.

We now need to sign in to the Microsoft Endpoint Manager portal.

  • Sign-in to the Endpoint Management Portal
  • Browse to the following location (1) Devices – (2) Windows
  • On the (3) Configuration Profiles tab click (4) Create profile
Create Policy

Select Windows 10 and later –> Custom –> Create

Windows 10 or later –> Custom –> Create

We now need to populate the Name field for this profile; you can also provide a description to give more information about what this profile does. Once you have populated the required information, press Configure under Settings, then Add.

Now we are going to add rows to the profile. The first row will be the ingestion of the Firefox ADMX file, followed by any Firefox policies you would like to introduce. Please follow the text and screenshots below.

Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: copy the entire content of the ADMX file into the value field

The value information could differ from what is shown in the screenshot above, so to validate it, open the .admx file in Notepad or another editor.

At the top of the opened file you will see the header below; this is the content you need to copy and add to your row.

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="firefox" name="Mozilla.Policies.Firefox"/>
    <using prefix="Mozilla" name="Mozilla.Policies"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.14"/>

Understanding the OMA-URI for configuring policies

Now this was something very new to me, and I have had to learn exactly how to interpret the ADMX file to obtain the information required to create the OMA-URI for each setting I would like to apply.

Let's split the OMA-URI into separate parts to make sure you fully understand how it is put together. First of all, the default prefix for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/
You will always require this when adding a new row for a policy. I am going to use DisablePrivateBrowsing as an example of how we achieve the required outcome.

The part that comes next is not always the same; we need to follow some rules:

It starts with Firefox (the file name of the ADMX template, firefox.admx) followed by Policy, with each word separated by the ~ sign, as shown below.

Firefox~Policy~

The next part is split into two different categories. The first category is always found at the top of the ADMX file, and as you can see it is called "firefox".

The next category will be one of the following:

  • firefox
  • Authentication
  • Popups
  • Cookies
  • Addons
  • Flash
  • Bookmarks
  • Homepage
  • Certificates
  • Extensions
  • Search
  • Permissions
  • Camera
  • Microphone
  • Location
  • Notifications
  • Autoplay
  • Preferences
  • SanitizeOnShutdown
  • TrackingProtection

As we are configuring DisablePrivateBrowsing, the category required is called firefox, so my complete OMA-URI, including /settingname, would be ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~firefox/DisablePrivateBrowsing, as shown below.

Now that we understand the OMA-URI, we need to provide the string value to enable this new policy. For this particular policy we just need to enter <enabled/> to make it active.

Now that you have completed the basics, you can visit the ReadMe file to see what other policy settings you can implement: https://github.com/mozilla/policy-templates/blob/master/README.md
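To take the guesswork out of assembling the OMA-URI, here is an added PowerShell example (not from this post or from Mozilla's policy templates) that reads the ADMX file and applies the rule described above: the namespace prefix from the target element at the top of the file, then the policy's parentCategory, then the policy name. The ADMX text is a constructed, cut-down sample: DisablePrivateBrowsing is the real policy from the post, while SampleHomepageURL and its element id are made up to show the data form that Intune requires when a policy has elements.

```powershell
# Added example (not the post's or Mozilla's code): derive the Intune OMA-URI and the
# string value for a policy from the ADMX file, following the post's rule:
#   ./Device/Vendor/MSFT/Policy/Config/<App>~Policy~<namespace prefix>~<parentCategory>/<policy>
# The ADMX below is a constructed cut-down sample; only DisablePrivateBrowsing is a real policy.
[xml]$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="firefox" name="Mozilla.Policies.Firefox"/>
    <using prefix="Mozilla" name="Mozilla.Policies"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.14"/>
  <categories>
    <category displayName="$(string.firefox)" name="firefox"/>
    <category displayName="$(string.Homepage_group)" name="Homepage">
      <parentCategory ref="firefox"/>
    </category>
  </categories>
  <policies>
    <policy name="DisablePrivateBrowsing" class="Both" displayName="$(string.DisablePrivateBrowsing)"
            key="Software\Policies\Mozilla\Firefox" valueName="DisablePrivateBrowsing">
      <parentCategory ref="firefox"/>
      <supportedOn ref="SUPPORTED_FF60"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <!-- Constructed policy with a text element, to show the <data/> form -->
    <policy name="SampleHomepageURL" class="Both" displayName="$(string.SampleHomepageURL)"
            key="Software\Policies\Mozilla\Firefox\Homepage">
      <parentCategory ref="Homepage"/>
      <supportedOn ref="SUPPORTED_FF60"/>
      <elements>
        <text id="SampleHomepageURL_Value" valueName="URL" required="true"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-FirefoxOmaUri {
    param(
        [Parameter(Mandatory)][xml]$Admx,
        [Parameter(Mandatory)][string]$PolicyName,
        # Must match the app name used in the ingestion row: ADMXInstall/<App>/Policy/...
        [string]$AppName = 'Firefox'
    )
    # GetAttribute avoids the clash between the XML "name" attribute and .NET's Name property
    $prefix = $Admx.policyDefinitions.policyNamespaces.target.GetAttribute('prefix')
    $policy = $Admx.policyDefinitions.policies.policy |
        Where-Object { $_.GetAttribute('name') -eq $PolicyName }
    if (-not $policy) { throw "Policy '$PolicyName' not found in ADMX" }

    $category = $policy.parentCategory.GetAttribute('ref')
    $uri = "./Device/Vendor/MSFT/Policy/Config/$AppName~Policy~$prefix~$category/$PolicyName"

    # A policy without <elements> is switched on with <enabled/> alone. One with elements
    # also needs a <data id="..." value="..."/> per element; the ids come from the ADMX.
    $dataIds = @()
    if ($policy.elements) {
        $dataIds = @($policy.elements.ChildNodes |
            Where-Object { $_ -is [System.Xml.XmlElement] } |
            ForEach-Object { $_.GetAttribute('id') })
    }
    $dataXml = ($dataIds | ForEach-Object { "<data id=`"$_`" value=`"<your value>`"/>" }) -join ''

    [pscustomobject]@{
        OmaUri   = $uri
        DataType = 'String'
        Value    = '<enabled/>' + $dataXml
        DataIds  = $dataIds
    }
}

# The post's example, plus the constructed policy that needs a data element
Get-FirefoxOmaUri -Admx $admx -PolicyName 'DisablePrivateBrowsing' | Format-List
Get-FirefoxOmaUri -Admx $admx -PolicyName 'SampleHomepageURL'     | Format-List
```

Point the function at the downloaded firefox.admx with `[xml]$admx = Get-Content .\firefox.admx -Raw` to generate rows for the real policies; the DataIds output tells you which data ids a policy expects before you paste the value into the profile.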

Regards
The Author – Blogabout.Cloud

Beating enforced home working due to Covid-19 using Microsoft Security Management.

Unless you have been living under a rock for the past couple of months, you will know that Covid-19 has forced organisations to promote home working. The issue is that most organisations today are just not prepared for it. So in this post I will look at the quick wins that can be implemented using Microsoft Security Management tools to identify and protect against potential threats to your cloud platform. Microsoft Security Management is simply a collective name for a number of Microsoft products and features, and today I am going to go through what can be used to improve your environment.

Microsoft Secure Score

Microsoft Secure Score is a measurement of an organization’s security posture, with a higher number indicating more improvement actions taken. Following the Security Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, data, apps, devices, and infrastructure.

Secure Score helps organizations:

  • Report on the current state of the organization’s security posture.
  • Improve their security posture by providing discoverability, visibility, guidance, and control.
  • Compare with benchmarks and establish key performance indicators (KPIs).

Organizations gain access to robust visualizations of metrics and trends, integration with other Microsoft products, score comparison with similar organizations, and much more. The score can also reflect when third-party solutions have addressed recommended actions.

Browsing to https://securescore.office.com will take you directly to your Microsoft Secure Score, where you can see what recommendations have been made.

Check out what's coming to Microsoft Secure Score: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-whats-coming?view=o365-worldwide

Audit Logging

Turning on auditing within your Office 365 tenancy is possibly one of the quickest things you can do today. Once audit logging is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days.

To switch on audit logging in your tenancy, visit https://protection.office.com/homepage, then go to Search –> Audit Log search.

Then simply press Turn on auditing.

Microsoft will now prepare the Office 365 audit log; this may take up to a couple of hours to complete.

Alternatively, you can enable it from PowerShell:

  1. Connect to Exchange Online PowerShell.
  2. Run the following command to turn on audit log search in Office 365:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
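As an added example (not from the post), the script below wraps the command above so it can be re-run safely: it checks whether unified audit log ingestion is already on, enables it only if needed, and then samples the last 24 hours of events to confirm that something is actually being ingested, which is the part that takes the couple of hours mentioned above. It assumes the ExchangeOnlineManagement module is installed and that your account holds a role permitted to change the audit configuration.

```powershell
# Added example (not the post's code): make the audit-log quick win idempotent and verifiable.
# Assumes the ExchangeOnlineManagement module is installed and an account with rights
# to read and change the admin audit log configuration.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false   # interactive sign-in; add -UserPrincipalName to pre-fill

function Enable-UnifiedAuditLogIfNeeded {
    $config = Get-AdminAuditLogConfig
    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'Unified audit log ingestion is already enabled.'
        return $true
    }
    Write-Host 'Unified audit log ingestion is OFF; enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Preparation can take a couple of hours, so the flag may not flip immediately
    return (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

function Get-RecentAuditSummary {
    param([int]$Hours = 24, [int]$MaxResults = 1000)
    $end   = Get-Date
    $start = $end.AddHours(-$Hours)
    $events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize $MaxResults
    if (-not $events) {
        Write-Warning "No audit events in the last $Hours hours: ingestion may still be warming up."
        return @()
    }
    # Count by workload (RecordType) and operation to see what is being captured
    $events | Group-Object RecordType, Operations |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

$enabled = Enable-UnifiedAuditLogIfNeeded
if ($enabled) { Get-RecentAuditSummary | Format-Table -AutoSize }
Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the summary a few hours after enabling; once Teams, Exchange and SharePoint record types show up in the counts, the Reports dashboard and Cloud App Security alerts have data to work with.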

Office 365 Increased Security

Without reinventing the wheel, I suggest organizations look at the following URL to see where they can make improvements to their Office 365 security: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-worldwide

Reports!!!

It is important that you review your Reports dashboard to help identify any potential issues within your environment. Visit the URL below to start your investigations.

https://protection.office.com/insightdashboard

Regards,
The Author – Blogabout.Cloud

What’s dropped this month in Microsoft Endpoint Manager – March Update

New URL for the Microsoft Endpoint Manager admin center

To align with the announcement of Microsoft Endpoint Manager at Ignite last year, we have changed the URL for the Microsoft Endpoint Manager admin center (formerly Microsoft 365 Device Management) to https://endpoint.microsoft.com. The old admin center URL (https://devicemanagement.microsoft.com) will continue to work, but we recommend you start accessing the Microsoft Endpoint Manager admin center using the new URL.

For more information, see Simplify IT tasks using the Microsoft Endpoint Manager admin center.

App management

Script support for macOS devices (Public Preview)

You can add and deploy scripts to macOS devices. This support extends your ability to configure macOS devices beyond what is possible using native MDM capabilities on macOS devices. For more information, see Use shell scripts on macOS devices in Intune.

macOS and iOS Company Portal updates

The Profile pane of the macOS and iOS Company Portal has been updated to include the sign-out button. Additionally, UI improvements have been made to the Profile pane in the macOS Company Portal. For more information about the Company Portal, see How to configure the Microsoft Intune Company Portal app.

Retarget web clips to Microsoft Edge on iOS devices

Newly deployed web clips (pinned web apps) on iOS devices that are required to open in a protected browser, will open in Microsoft Edge rather than the Intune Managed Browser. You must retarget pre-existing web clips to ensure they open in Microsoft Edge rather than the Managed Browser. For more information, see Manage web access by using Microsoft Edge with Microsoft Intune and Add web apps to Microsoft Intune.

Use the Intune diagnostic tool with Microsoft Edge for Android

Microsoft Edge for Android is now integrated with the Intune diagnostic tool. Similarly to the experience on Microsoft Edge for iOS, entering “about:intunehelp” into the URL bar (the address box) of Microsoft Edge on the device will start the Intune diagnostic tool. This tool will provide detailed logs. Users can be guided to collect and send these logs to their IT department, or view MAM logs for specific apps.

Updates to Intune branding and customization

We have updated the Intune pane that was named “Branding and customization” with improvements, including:

  • Renaming the pane to Customization.
  • Improving the organization and design of the settings.
  • Improving the settings text and tooltips.

To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For information about existing customization, see How to configure the Microsoft Intune Company Portal app.

User’s personal encrypted recovery key

A new Intune feature is available that enables users to retrieve their personal encrypted FileVault recovery key for Mac devices through the Android Company Portal application or through the Android Intune application. There is a link in both the Company Portal application and Intune application that will open a Chrome browser to the Web Company Portal where the user can see the FileVault recovery key needed to access their Mac devices. For more information about encryption, see Use device Encryption with Intune.

Optimized dedicated device enrollment

We’re optimizing the enrollment for Android Enterprise dedicated devices and making it easier for SCEP certificates associated with Wi-Fi to apply to dedicated devices enrolled prior to November 22, 2019. For new enrollments, the Intune app will continue to install, but end-users will no longer need to perform the Enable Intune Agent step during enrollment. Installment will happen in the background automatically and SCEP certificates associated with Wi-Fi can be deployed and set without end-user interaction.

These changes will be rolling out on a phased basis throughout the month of March as the Intune service backend deploys. All tenants will have this new behavior by the end of March. For related information, see Support for SCEP certificates in Android Enterprise dedicated devices.

Configure Delivery Optimization agent when downloading Win32 app content

You can configure the Delivery Optimization agent to download Win32 app content either in background or foreground mode based on assignment. For existing Win32 apps, content will continue to download in background mode. In the Microsoft Endpoint Manager admin center, select Apps > All apps > select the Win32 app > Properties. Select Edit next to Assignments. Edit the assignment by selecting Include under Mode in the Required section. You will find the new setting in the App settings section. For more information about Delivery Optimization, see Win32 app management – Delivery Optimization.

Improved sign-in experience in Company Portal for Android

We’ve updated the layout of several sign-in screens in the Company Portal app for Android to make the experience more modern, simple, and clean for users. For a look at the improvements, see What’s New in the app UI.

Improved user interface experience when creating device restrictions profiles on Android and Android Enterprise devices

When you create a profile for Android or Android Enterprise devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > Android device administrator or Android Enterprise for platform):

  • Device restrictions: Android device administrator
  • Device restrictions: Android Enterprise device owner
  • Device restrictions: Android Enterprise work profile

For more information on the device restrictions you can configure, see Android device administrator and Android Enterprise.

Improved user interface experience when creating configuration profiles on iOS/iPadOS and macOS devices

When you create a profile for iOS or macOS devices, the experience in the Endpoint Management admin center is updated. This change impacts the following device configuration profiles (Devices > Configuration Profiles > Create profile > iOS/iPadOS or macOS for platform):

  • Custom: iOS/iPadOS, macOS
  • Device features: iOS/iPadOS, macOS
  • Device restrictions: iOS/iPadOS, macOS
  • Endpoint protection: macOS
  • Extensions: macOS
  • Preference file: macOS

Hide from user configuration setting in device features on macOS devices

When you create a device features configuration profile on macOS devices, there’s a new Hide from user configuration setting (Devices > Configuration profiles > Create profile > macOS for platform > Device features for profile > Login items).

This feature sets an app’s hide checkmark in the Users & Groups login items apps list on macOS devices. Existing profiles show this setting within the list as unconfigured. To configure this setting, administrators can update existing profiles.

When set to Hide, the hide checkbox is checked for the app, and users can’t change it. It also hides the app from users after users sign in to their devices.

Hide apps on macOS devices after users sign in to the device in Microsoft Intune and Endpoint Manager

For more information on the setting you can configure, see macOS device feature settings.

This feature applies to:

  • macOS

Device configuration

New user experience when creating administrative templates on Windows devices

Based on customer feedback, and our move to the new Azure full screen experience, we’ve rebuilt the Administrative Templates profile experience with a folder view. We haven’t made changes to any settings or existing profiles. So, your existing profiles will stay the same, and will be usable in the new view. You can still navigate all settings options by selecting All Settings, and using search. The tree view is split by Computer and User configurations. You will find Windows, Office and Edge settings in their associated folders.

Applies to:

  • Windows 10 and newer

VPN profiles with IKEv2 VPN connections can use always on with iOS/iPadOS devices

On iOS/iPadOS devices, you can create a VPN profile that uses an IKEv2 connection (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > VPN for profile type). Now, you can configure always-on with IKEv2. When configured, IKEv2 VPN profiles connect automatically, and stay connected (or quickly reconnect) to the VPN. They stay connected even when moving between networks or restarting devices.

On iOS/iPadOS, always-on VPN is limited to IKEv2 profiles.

To see the IKEv2 settings you can configure, go to Add VPN settings on iOS devices in Microsoft Intune.

Applies to:

  • iOS/iPadOS

Delete bundles and bundle arrays in OEMConfig device configuration profiles on Android Enterprise devices

On Android Enterprise devices, you create and update OEMConfig profiles (Devices > Configuration profiles > Create profile > Android Enterprise for platform > OEMConfig for profile type). Users can now delete bundles and bundle arrays using the Configuration designer in Intune.

For more information on OEMConfig profiles, see Use and manage Android Enterprise devices with OEMConfig in Microsoft Intune.

Applies to:

  • Android Enterprise

Configure the iOS/iPadOS Microsoft Azure AD SSO app extension

The Microsoft Azure AD team created a redirect single sign-on (SSO) app extension to allow iOS/iPadOS 13.0+ users to gain access to Microsoft apps and websites with one sign-on. All apps that previously had brokered authentication with the Microsoft Authenticator app will continue to get SSO with the new SSO extension. With the Azure AD SSO app extension release, you can configure the SSO extension with the redirect SSO app extension type (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile type > Single sign-on app extension).

Applies to:

  • iOS 13.0 and newer
  • iPadOS 13.0 and newer

For more information about iOS SSO app extensions, see Single sign-on app extension.

Enterprise app trust settings modification setting is removed from iOS/iPadOS device restriction profiles

On iOS/iPadOS devices, you create a device restrictions profile (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device restrictions for profile type). The Enterprise app trust settings modification setting is removed by Apple, and is removed from Intune. If you currently use this setting in a profile, it has no impact, and is removed from existing profiles. This setting is also removed from any reporting in Intune.

Applies to:

  • iOS/iPadOS

To see the settings you can restrict, go to iOS and iPadOS device settings to allow or restrict features.

Troubleshooting: Pending MAM policy notification changed to informational icon

The notification icon for a pending MAM policy on the Troubleshooting blade has been changed to an informational icon.

UI update when configuring compliance policy

We’ve updated the UI for creating compliance policies in Microsoft Endpoint Manager (Devices > Compliance policies > Policies > Create Policy). The new user experience includes the same settings and details you’ve used previously. It follows a wizard-like process to create the compliance policy and includes a page where you can add Assignments for the policy, and a Review + Create page where you can review your configuration before creating the policy.

Retire noncompliant devices

We’ve added a new action for noncompliant devices that you can add to any policy, to retire the noncompliant device. The new action, Retire the noncompliant device, results in removal of all company data from the device, and also removes the device from being managed by Intune. This action runs when the configured value in days is reached and at that point the device becomes eligible to be retired. The minimum value is 30 days. Explicit IT admin approval will be required to retire the devices by using the Retire Non-compliant devices section, where admins can retire all eligible devices.

Support for WPA and WPA2 in iOS Enterprise Wi-Fi profiles

Enterprise Wi-Fi profiles for iOS now support the Security type field. For Security type, you can select either WPA Enterprise or WPA/WPA2 Enterprise, and then specify a selection for the EAP type (Devices > Configuration profiles > Create profile, select iOS/iPadOS for Platform and then Wi-Fi for Profile).

The new Enterprise options are like those that have been available for a Basic Wi-Fi profile for iOS.

New user experience for certificate, email, VPN, and Wi-Fi profiles

We’ve updated the user experience in the Endpoint Management Admin Center (Devices > Configuration profiles > Create profile) for creating and modifying the following profile types. The new experience presents the same settings as before, but uses a wizard-like experience that doesn’t require as much horizontal scrolling. You won’t need to modify existing configurations with the new experience.

  • Derived credential
  • Email
  • PKCS certificate
  • PKCS imported certificate
  • SCEP certificate
  • Trusted certificate
  • VPN
  • Wi-Fi

Device enrollment

Configure if enrollment is available in Company Portal for Android and iOS

You can configure whether device enrollment in the Company Portal on Android and iOS devices is available with prompts, available without prompts, or unavailable to users. To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center and select Tenant administration > Customization > Edit > Device enrollment.

Support for the device enrollment setting requires end users have these Company Portal versions:

  • Company Portal on iOS: version 4.4 or later
  • Company Portal on Android: version 5.0.4715.0 or later

For more information about existing Company Portal customization, see How to configure the Microsoft Intune Company Portal app.

Device management

New Android report on Android Devices overview page

We’ve added a report to the Microsoft Endpoint Manager admin console in the Android Devices overview page that displays how many Android devices have been enrolled in each device management solution. This chart (like the same chart already in the Azure console) shows work profile, fully managed, dedicated, and device administrator enrolled device counts. To see the report, choose Devices > Android > Overview.

Guide users from Android device administrator management to work profile management

We’re releasing a new compliance setting for the Android device administrator platform. This setting lets you make a device non-compliant if it’s managed with device administrator.

On these non-compliant devices, on the Update device settings page users will see the Move to new device management setup message. If they tap the Resolve button, they’ll be guided through:

  1. Unenrolling from device administrator management
  2. Enrolling in work profile management
  3. Resolving compliance issues

Google is decreasing device administrator support in new Android releases in an effort to move to modern, richer, and more secure device management with Android Enterprise. Intune can only provide full support for device administrator-managed Android devices running Android 10 and later through Q2 CY2020. Device administrator-managed devices (except Samsung) that are running Android 10 or later after this time won’t be able to be entirely managed. In particular, impacted devices won’t receive new password requirements.

For more information about this setting, see Move Android devices from device administrator to work profile management.

Microsoft Endpoint Manager tenant attach: Device sync and device actions

Microsoft Endpoint Manager is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager technical preview version 2002.2, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Features in Configuration Manager technical preview version 2002.2.

Review the Configuration Manager technical preview article before installing this update. This article familiarizes you with the general requirements and limitations for using a technical preview, how to update between versions, and how to provide feedback.

Bulk remote actions

You can now issue bulk commands for the following remote actions: restart, rename, Autopilot reset, wipe, and delete. To see the new bulk actions, go to Microsoft Endpoint Manager admin center > Devices > All devices > Bulk actions.

All devices list improved search, sort, and filter

The All devices list has been improved for better performance, searching, sorting, and filtering. For more information, see this Support Tip.

Change Primary User for Windows devices

You can change the Primary User for Windows hybrid and Azure AD Joined devices. To do so, go to Intune > Devices > All devices > choose a device > Properties > Primary User. For more information, see Change a device’s primary user.

A new RBAC permission (Managed Devices / Set primary user) has also been created for this task. The permission has been added to built-in roles including Helpdesk Operator, School Administrator, and Endpoint Security Manager.

This feature is rolling out to customers globally under preview. You should see the feature within the next few weeks.

Monitor and troubleshoot

The Data Warehouse now provides the MAC address

The Intune Data Warehouse provides the MAC address as a new property (EthernetMacAddress) in the device entity to allow admins to correlate between the user and the host MAC address. This property helps to reach specific users and troubleshoot incidents occurring on the network. Admins can also use this property in Power BI reports to build richer reports. For more information, see the Intune Data Warehouse device entity.

Additional Data Warehouse device inventory properties

Additional device inventory properties are available using the Intune Data Warehouse. The following properties are now exposed via the devices collection:

  • Model – The device model.
  • Office365Version – The version of Office 365 that is installed on the device.
  • PhysicalMemoryInBytes – The physical memory in bytes.
  • TotalStorageSpaceInBytes – Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API and the Intune Data Warehouse device entity.
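The two Data Warehouse additions above (the EthernetMacAddress property and the new inventory properties) are most useful when you join a device export to the users collection and look devices up by MAC address, for example when a network alert only gives you a MAC. The script below is an added example and not Microsoft's code or part of the Intune Data Warehouse API; it works on constructed sample rows shaped like the devices and users collections. The property names Model, Office365Version, EthernetMacAddress, PhysicalMemoryInBytes and TotalStorageSpaceInBytes come from the post; the userKey join column, the userPrincipalName field and the camel-cased key names are assumptions about the export format. The point it shows that the paragraph does not is that MAC addresses arrive in several notations (dash, colon, Cisco dotted), so you must normalize before correlating, and that duplicate MACs (docking stations, cloned VMs) must be surfaced rather than silently overwritten.

```python
"""Correlate Intune Data Warehouse device rows with users via MAC address.

Added example (not Microsoft's code). Sample rows are constructed and shaped
like the Data Warehouse `devices` and `users` collections; the userKey join
and the camelCase field names are assumptions about the export format.
"""
import re
from typing import Dict, List, Optional

# Constructed sample export rows. A real export would be pulled from the
# Data Warehouse OData endpoint (devices and users collections).
DEVICES: List[dict] = [
    {"deviceKey": 1, "deviceName": "LAPTOP-01", "userKey": 10,
     "model": "Surface Laptop 3", "office365Version": "16.0.12527.20278",
     "ethernetMacAddress": "00-1A-2B-3C-4D-5E",            # dash notation
     "physicalMemoryInBytes": 17179869184, "totalStorageSpaceInBytes": 256060514304},
    {"deviceKey": 2, "deviceName": "LAPTOP-02", "userKey": 11,
     "model": "ThinkPad X1", "office365Version": "16.0.12430.20288",
     "ethernetMacAddress": "aa:bb:cc:dd:ee:ff",            # colon notation
     "physicalMemoryInBytes": 8589934592, "totalStorageSpaceInBytes": 512110190592},
    {"deviceKey": 3, "deviceName": "DESKTOP-03", "userKey": None,
     "model": "OptiPlex 7070", "office365Version": None,
     "ethernetMacAddress": "",                             # no MAC reported
     "physicalMemoryInBytes": 34359738368, "totalStorageSpaceInBytes": 1024209543168},
    {"deviceKey": 4, "deviceName": "VM-04", "userKey": 10,
     "model": "Virtual Machine", "office365Version": "16.0.12527.20278",
     "ethernetMacAddress": "001a.2b3c.4d5e",               # same MAC as LAPTOP-01, Cisco notation
     "physicalMemoryInBytes": 4294967296, "totalStorageSpaceInBytes": 137438953472},
]
USERS: List[dict] = [
    {"userKey": 10, "userPrincipalName": "alice@contoso.example"},
    {"userKey": 11, "userPrincipalName": "bob@contoso.example"},
]

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Strip separators and lowercase; return None unless exactly 12 hex digits remain."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits if _MAC_HEX.match(digits) else None


def bytes_to_gib(n: int) -> float:
    """Convert the *InBytes inventory properties to GiB for reporting."""
    return round(n / 2 ** 30, 1)


def build_mac_index(devices: List[dict], users: List[dict]) -> Dict[str, List[dict]]:
    """Map normalized MAC -> list of device summaries joined to the user's UPN.

    A list is kept per MAC so that duplicates are visible instead of the last
    row silently overwriting earlier ones.
    """
    upn_by_key = {u["userKey"]: u["userPrincipalName"] for u in users}
    index: Dict[str, List[dict]] = {}
    for d in devices:
        mac = normalize_mac(d.get("ethernetMacAddress"))
        if mac is None:
            continue  # devices without a usable MAC cannot be correlated
        index.setdefault(mac, []).append({
            "deviceName": d["deviceName"],
            "model": d.get("model"),
            "office365Version": d.get("office365Version"),
            "memoryGiB": bytes_to_gib(d["physicalMemoryInBytes"]),
            "storageGiB": bytes_to_gib(d["totalStorageSpaceInBytes"]),
            "userPrincipalName": upn_by_key.get(d.get("userKey")),  # None if no primary user
        })
    return index


def lookup_mac(index: Dict[str, List[dict]], mac: str) -> List[dict]:
    """Resolve a MAC in any common notation to its device/user records ([] if unknown)."""
    key = normalize_mac(mac)
    return index.get(key, []) if key else []


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def outdated_office(devices: List[dict], minimum: str) -> List[str]:
    """Names of devices whose reported Office365Version is below `minimum`.

    Devices that report no version are skipped; report them separately.
    """
    floor = parse_version(minimum)
    return [d["deviceName"] for d in devices
            if d.get("office365Version") and parse_version(d["office365Version"]) < floor]


if __name__ == "__main__":
    idx = build_mac_index(DEVICES, USERS)
    for hit in lookup_mac(idx, "00:1a:2b:3c:4d:5e"):
        print(hit)
    print("Office below 16.0.12500.0:", outdated_office(DEVICES, "16.0.12500.0"))
```

Run it as-is and the lookup for 00:1a:2b:3c:4d:5e returns two records (LAPTOP-01 and VM-04), which is exactly the duplicate-MAC situation you want to notice before blaming a user for traffic from that address; the empty-MAC desktop is skipped rather than indexed under an empty key.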

Help and support workflow update to support additional services

We’ve updated the Help and support page in the Microsoft Endpoint Manager admin center where you now choose the management type you use. With this change you’ll be able to select from the following management types:

  • Configuration Manager (includes Desktop Analytics)
  • Intune
  • Co-management

Security

Use a preview of security administrator focused policies as part of Endpoint security

As a public preview, we’ve added several new policy groups under the Endpoint security node in the Microsoft Endpoint Management admin center. As a security admin you can use these new policies to focus on specific aspects of device security to manage discrete groups of related settings without the overhead of the larger Device Configuration policy body.

With the exception of the new Antivirus policy for Microsoft Defender Antivirus (see below), the settings in each of these new preview policies and profiles are the same settings that you might already configure through Device configuration profiles today.

The Antivirus profile for Microsoft Defender Antivirus is an exception that introduces a new instance of settings that are found as part of a device restriction profile. These new Antivirus settings:

  • Are the same settings as found in device restrictions, but support a third option for configuration that’s not available when configured as a device restriction.
  • Apply to devices that are co-managed with Configuration Manager, when the co-management workload slider for Endpoint Protection is set to Intune.

Plan to use the new Antivirus > Microsoft Defender Antivirus profile in place of configuring these settings through a device restriction profile.

The following are the new policy types, all in preview, and their available profile types:

  • Antivirus (Preview):
    • Windows 10 and later:
      • Microsoft Defender Antivirus
      • Windows Security experience – Manage the Windows Security settings that end users can view in the Microsoft Defender Security center and the notifications they receive. These settings are unchanged from those available as a Device configuration Endpoint Protection profile.
  • Disk encryption (Preview):
    • macOS:
      • FileVault
    • Windows 10 and later:
      • BitLocker
  • Firewall (Preview):
    • macOS:
      • macOS firewall
    • Windows 10 and later:
      • Microsoft Defender Firewall
  • Endpoint detection and response (Preview):
    • Windows 10 and later:
      • Windows 10 Intune
  • Attack surface reduction (Preview):
    • Windows 10 and later:
      • App and browser isolation
      • Web protection
      • Application control
      • Attack surface reduction rules
      • Device control
      • Exploit protection
  • Account protection (Preview):
    • Windows 10 and later:
      • Account protection

Regards
The Author – Blogabout.Cloud