Testing Device Registration Connectivity for Microsoft Intune

Testing Device Registration Connectivity for Microsoft Intune

I have been recently working with a customer where we was experiencing issues with connectivity to relevant Microsoft urls. While looking at potential solutions I came across a PowerShell script which tested for the following URLs

login.microsoftonline.com
device.login.microsoftonline.com
enterpriseregistration.windows.net

However this script didnt take into account “Single Sign On” and its required URL.
autologon.microsoftazuread-sso.com

I have made the necessary modifications which now allow for it test autologon.microsoftazuread-sso.com, as shown above.

Download the script

Test-DeviceRegConnectivity (11 downloads)

Regards
The Author – Blogabout.Cloud

Hybrid Azure AD Tip – The device object by the given id (ID of machine) is not found.

Hybrid Azure AD Tip – The device object by the given id (ID of machine) is not found.

Recently when working with a customer I was troubleshooting why their devices were showing up as Azure AD Registered in the Azure portal in Azure Active Directory when they should be Hybrid Azure AD joined. These were Windows 10 1809 devices.

When running “dsregcmd /status” on one of the machines, it would show as AzureAdJoined : NO. When it is Hybrid Azure AD joined, it should still say Yes.

If you run the command as admin, you will see there is Diagnostic Data section. On my devices, it said:

Client ErrorCode : 0x801c03f2
Server ErrorCode : DirectoryError
Server Message: The device object by the given id (guid) is not found.

This is because the device(s) has not been synced to Azure AD by Azure AD Connect. Make sure that the OU’s that the computer objects are in is set to sync to Azure AD. In my customer’s configuration, they had additional filtering where the users and computer objects needed to be in a Security Group to be synced to Azure AD.

Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine now shows as Hybrid Azure AD joined in the Azure portal.

Regards,
Author @ Blogabout.Cloud

Microsoft Intune Developments from the Office 365 Roadmap for October 2019

Microsoft Intune Developments from the Office 365 Roadmap for October 2019

The following post contains the new features and updated features from October 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.

New Features

No new features announced this month

New Features Current Status

Updated Features

Updated Current Status
Microsoft Intune management of Windows Defender Firewall rules Launched
Outlook for Android: App configuration support without Microsoft Intune integration with Apple’s volume purchase program (VPP) for macOS Launched
Microsoft Intune support for Managed Home Screen app on kiosks Launched
Microsoft Intune support for fully managed Android Enterprise devices
Launched
Microsoft Intune support for derived credentials on iOS Launched
Microsoft Intune administration evolves with Microsoft 365 Device Management center Launched
Microsoft Intune mobile threat defense for applications without enrollment Launched

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Using Azure Blob Storage for your Intune applied Lock Screen and Desktop Backgound

Using Azure Blob Storage for your Intune applied Lock Screen and Desktop Backgound

Leveraging your Azure subscription for Microsoft Intune massively reduces the requirements for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background all with the power of the Microsoft Cloud.

First up you will need to create a storage account within your Azure subscription.

Create Storage Account

Specify the following;
– Resource Group
– Storage Account Name
– Location (Europe) UK South

Specify settings

Once the storage account has successful created, you will need to go to the resource

Go to resource

Go to “Containers”
Create new “Container”
Specify the name of the Container
Specify the Public Access level as “Blob”
Then click ok

Specify settings

Click on your new “Container”

Created Container

Click Upload
You will need to upload your required .jpg file

Click on the uploaded file and you will be provided a URL which can be used

Provide the URL into your required destination for example Lock Screen as shown below

As you can see from below my Lockscreen and Desktop backgrounds are what I have specifed.

Image for Lockscreen
Lockscreen
Image for Desktop
Desktop

Regards
The Author – Blogabout.Cloud

Enabling Windows Information Protection

Enabling Windows Information Protection

Enterprise organizations today are becoming more and more security conscious of where the corporate resides. If you have come across Windows Information Protection yet, check out the below video from Microsoft.

Right let us jump right into it

Windows Information Protection is configured via the Microsoft Intune portal. Browse to Client Apps –> App protection policies –> Required settings

Windows Information Protection mode

Windows Information Protection mode

  • Block: Block enterprise data from leaving protected apps
  • Allow overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If they choose to override this prompt, the action will be logged.
  • Silent: User is free to relocate data off of protected apps. No actions are logged.
  • Off: User is free to relocate data off of protected apps. No actions are logged.

You will need to specify your corporate identity, if you have multiple identities you will need to “Protected Domains” under “Advanced settings” –> “Add network boundary”

Protected domains

Once you have selected the Windows Protection mode, we need some applications to protect.

Protected Apps

This step is definitely one of the easiest to do, as Microsoft has already generated a list of all the default applications and all you need to do is go to “Protected Apps” and “Add apps”.

For the purpose of this blog, I have missed out the Cloud Resources as shown below.

This detail can be found via the following url

Now you are good to go to protect your corporate information

Regards
The Author – Blogabout.Cloud

Autopilot – Provisioning information could not be located. Contact the customer IT admin to troubleshoot

Autopilot – Provisioning information could not be located. Contact the customer IT admin to troubleshoot

I have recently been running into the following issue where using white-glove experience for Windows Autopilot. The error already occurs around the 14-minute mark when “Registering the device for mobile management”.

Device prepartion
Windows Autopilot Configuration

This issue is cause by multiple MDM enrollment applications defined within the Mobility (MDM and MAM) window within your Azure Active Directory

Once I had remove Microsoft Intune Enrolment, Windows Autopilot provisioing was able to successful complete.

Regards
The Author – Blogabout.Cloud

Windows Information Protection with Enrollment

Windows Information Protection with Enrollment

After a bit of recent investigate App Protection policies I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I have recently experienced an issue where network boundaries were not configured correctly and I had to ensure that all applications that were being protected do not experience any issues access corporate resources.

It is recommended to use the following when adding a network boundary.

TypeNameValue
Cloud ResourcesOffice 365portal.office.com|tasks.office.com|protection.office.com|meet.lync.com|teams.microsoft.com
Cloud ResourcesOutlook Onlineoutlook.office.com|outlook.office365.com
Cloud ResourcesAppCompat/*AppCompat*/
Cloud ResourcesSharePointcontoso.sharepoint.com|contoso-my.sharepoint.com|contoso-files.sharepoint.com
Neutral ResourcesNeutrallogin.windows.net,login.microsoftonline.com
Cloud ResourcesYammerwww.yammer.com|yammer.com|persona.yammer.com
Intune App Protection – Advanced settings

This will provide all the required boundaries relevant to most Microsoft deployments.

Regards
The Author – Blogabout.Cloud

Microsoft Intune Developments from the Office 365 Roadmap for September 2019

Microsoft Intune Developments from the Office 365 Roadmap for September 2019

The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.

New Features

New Features Current Status
Microsoft Intune company portal web site supports SaaS app lifecycle In Development

Updated Features

Updated Current Status
Outlook for iOS: App configuration support without enrollment Launched
Outlook for Android: App configuration support without enrollment Launched
Microsoft Intune support for Managed Home Screen app on kiosks Launched
Microsoft Intune support for fully managed Android Enterprise devices
Launched

Remember if you would like to receive all the Microsoft Roadmaps updates to your Teams Client, check out this post.

Regards
The Author – Blogabout.Cloud

Applying your Windows 10 Start Layout using Microsoft Intune.

Applying your Windows 10 Start Layout using Microsoft Intune.

One of the many cool things about Microsoft Intune is the granular configuration of Windows 10 devices using the native functions available us today. In this little post we will look at just how easy is it to create a corporate Windows 10 layout and publish to all of your client desktops automatically.

The general prerequisites for this feature is that your Windows 10 desktops are synchronized and present in Azure Active Directory.

Export the Start Layout

When you have the Start screen layout that you want your users to see, use the Export-StartLayout cmdlet in Windows PowerShell to export the Start screen to an .xml file.

  1. From Start, open Windows PowerShell.
  2. At the Windows PowerShell command prompt, enter the following command:

1
Export-StartLayout –path $env:userprofile\desktop\StartLayout.xml

PowerShell Cmd

Applying a Start layout

Once you have an exported Start Layout you can use the XML file to apply this start layout to your entire organization using Microsoft Intune. Browse to your Intune Portal and go to Device Configuration –> Profile

Hopefully you may already have a Windows 10 – Device Restriction Profile.

If not, dont worry you will just have to create a new profile for Windows 10 and Device Restrictions.

Device Configuration Profiles

Once in the profile properties, go to Settings and look for “Start” as at this point you can upload your Windows 10 start menu layout. If you may chose you will also be able to affect the look of the start menu by blocking or hide elements on the menu. For example you can block Fast Switching and hide File Explorer from the Start.

Device Restriction Profile for Start Menu Settings

Once you have saved your configured and your Windows 10 device has checked in, it will receive your new and improved Start Menu

New Windows 10 Start Menu

Regards
The Author – Blogabout.Cloud

Installing and Managing Google Chrome with Microsoft Intune

Installing and Managing Google Chrome with Microsoft Intune

As the power of Microsoft Intune grows with great force, in this blog post we are going to look at how to install Google Chrome and manage via Microsoft Intune. I have been recently looking how to leverage Microsoft Intune for more than just Microsoft based tooling and Google Chrome can be installed and managed for Windows 10 desktop estate.

Installing Google Chrome

Download Google Chrome Package

Visit the following url to download Google Chrome for Enterprise
https://cloud.google.com/chrome-enterprise/browser/download/

Microsoft Intune

First of all, we need to log into your Azure Portal and go to the following location;

  • Microsoft Intune
  • Client Apps
  • Add
Microsoft Intune –> Client Apps –> Add
  • Line-of-business app
App Type

Now we need to select the GoogleChromeStandaloneEnterprise msi located within the zip file package

Google Chrome Enterprise Package
App package file

You will now need to populate a bit of information under App information field below App package files before being able to assign Google Chrome to all your enterprise or selected security groups.

As you can see from the image below I have targeted several security groups within my personal tenant and make the app required for all users / all devices.

Make sure you save you configured as you exit this configuration.

Managing Google Chrome

Import Google Chrome ADMX Templates

  • Download the Chrome ADMX templates.
    • You would have already completed this step when downloading the Google Chrome Msi.
  • Sign in to the Microsoft Azure portal.
  • Go to Intune  Device configuration  Profiles.
  • Next to Devices configuration – Profiles, click Create profile.
  • Enter the following text in these fields:
FieldText to enter
Name Windows 10 – Chrome configuration (or use any descriptive name)
Description Enter a description (optional)
Platform Windows 10 and later
Profile type Custom
Settings Custom (select from drop-down list)

Selecting Custom in the step above opens a new menu for OMA-URI settings. Click Add to add specific policies you can configure and enter the following text:

FieldText to enter
Name Chrome ADMX Ingestion
Description Enter a description (optional)
OMA-URI /Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data type Profile type String (select from drop-down list)
  • Once you select String, a Value text field opens below. On your computer, go to
  • Copy the text from chrome.admx.
  • In the Value field, paste the chrome.admx text.
  • Click OK and OK again to save the Custom OMA-URI settings.
  • Click Create to create a new profile.

Configure Google Chrome Policy

  • Go to Intune –> Device Configuration –> Profile
  • Click the Windows 10 – Chrome configuration profile you created previous
  • Select Properties –> Settings –> Configure to open Custom OMA-URI setting
  • Click Add to a row
  • Enter text into the fields, following the examples below for the type of policy you’re implementing.

Example A: Disable Password Manager

FieldText to enter
Name Chrome – ADMX – PasswordManagerEnabled
DescriptionDisable Password Manager
OMA-URI ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
Data typeString
Value
1
<disabled/>

List of all Google Chrome Configurations

The below tables provides all the settings that are available for delivery using Microsoft Intune

PolicyOMA-URIData typeExample value
Chrome – ADMX – AllowOutdatedPlugins./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AllowOutdatedPluginsstring<disabled/>
Chrome – ADMX – AudioCaptureAllowedUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AudioCaptureAllowedUrlsstring<enabled/> <data id=”AudioCaptureAllowedUrlsDesc” value=”1&#xF000;[*.]example.com“/>
Chrome – ADMX – AutoFillEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/AutoFillEnabledstring<disabled/>
Chrome – ADMX – CloudPrintSubmitEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/CloudPrintSubmitEnabledstring<disabled/>
Chrome – ADMX – DefaultBrowserSettingEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DefaultBrowserSettingEnabledstring<enabled/>
Chrome – ADMX – DefaultPopupsSetting./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~ContentSettings/DefaultPopupsSettingstring<enabled/> <data id=”DefaultPopupsSetting” value=”1″/>
Chrome – ADMX – DefaultSearchProviderEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderEnabledstring<enabled/>
Chrome – ADMX – DefaultSearchProviderName./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderNamestring<enabled/> <data id=”DefaultSearchProviderName” value=”Google Encrypted Search”/>
Chrome – ADMX – DefaultSearchProviderSearchURL./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderSearchURLstring<enabled/> <data id=”DefaultSearchProviderSearchURL” value=”https://www.google.com/search?q={searchTerms}”/>
Chrome – ADMX – DisableSafeBrowsingProceedAnyway./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/DisableSafeBrowsingProceedAnywaystring<enabled/>
Chrome – ADMX – ExtensionInstallForcelist./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForceliststring<enabled/> <data id=”ExtensionInstallForcelistDesc” value=”1&#xF000;heildphpnddilhkemkielfhnkaagiabh;https://clients2.google.com/service/update2/crx”/>
Chrome – ADMX – ForceGoogleSafeSearch./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ForceGoogleSafeSearchstring<enabled/>
Chrome – ADMX – ImportAutofillFormData./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportAutofillFormDatastring<disabled/>
Chrome – ADMX – ImportBookmarks./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportBookmarksstring<enabled/>
Chrome – ADMX – ImportHistory./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportHistorystring<disabled/>
Chrome – ADMX – ImportHomepage./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportHomepagestring<enabled/>
Chrome – ADMX – ImportSavedPasswords./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportSavedPasswordsstring<disabled/>
Chrome – ADMX – ImportSearchEngine./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/ImportSearchEnginestring<disabled/>
Chrome – ADMX – NotificationsAllowedForUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~ContentSettings/NotificationsAllowedForUrlsstring<enabled/> <data id=”NotificationsAllowedForUrlsDesc” value=”1&#xF000;[*.]example.com“/>
Chrome – ADMX – PasswordManagerEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabledstring<disabled/>
Chrome – ADMX – PluginsAllowedForUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~ContentSettings/PluginsAllowedForUrlsstring<enabled/> <data id=”PluginsAllowedForUrlsDesc” value=”1&#xF000;[*.]example1.com&#xF000;2&#xF000;[*.]example2.com“/>
Chrome – ADMX – SafeBrowsingEnabled./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~SafeBrowsing/SafeBrowsingEnabledstring<enabled/>
Chrome – ADMX – VideoCaptureAllowedUrls./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome/VideoCaptureAllowedUrlsstring<enabled/> <data id=”VideoCaptureAllowedUrlsDesc” value=”1&#xF000;[*.]example.com“/>

This concludes this post.

Regards,
The Author – Blogabout.Cloud