In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.
During a number of my recent Microsoft Endpoint Manager deployments, and in conversations I have had with customers, one thing that always comes up is the security of the different browsers end-users run to perform their daily tasks. A recent discussion touched on Mozilla Firefox and how it can be managed using Microsoft Endpoint Manager, as the customer currently performs this task with on-premises GPOs.
Like Google Chrome, Firefox can be managed using a Custom configuration profile for Windows 10. The profile consists of two parts. The first part ingests the Firefox ADMX file onto the Intune-managed device. The second part uses the ingested template to manage the settings of your choice.
Ingest the Firefox ADMX file
The Firefox ADMX file is published on GitHub in Mozilla's policy-templates repository. Download this file, as it will be required later in this blog post.
We now need to sign in to the Microsoft Endpoint Manager admin center.
Browse to the following location: (1) Devices – (2) Windows
On the (3) Configuration profiles tab click (4) Create profile
Select Windows 10 and later –> Custom –> Create
We now need to populate the Name field for this profile; you can also provide a description so others know what this profile does. Once you have populated the required information, press Configure under Settings and then Add.
Now we add rows to the profile. The first row ingests the Firefox ADMX file, followed by one row per Firefox policy you would like to apply. Please follow the text and screenshots below.
Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: copy the entire content of the ADMX file into the Value field
The value shown in the screenshot above may differ from your copy of the template, so validate it by opening the .admx file in Notepad or another editor.
The text starting at the very top of the opened file is what you copy and add to your row; the whole file goes in, not just the first lines.
Understanding the OMA-URI for configuring policies
Now this was something very new to me and I have had to learn exactly how to interpret the ADMX file to obtain the information required to create the OMA-URI for each setting I would like to apply.
Let's split the OMA-URI into separate parts to make sure you fully understand how it is put together. First of all, the prefix for managing applications through an ingested ADMX file is always: ./Device/Vendor/MSFT/Policy/Config/ You will require this for every policy row you add. I am going to use DisablePrivateBrowsing as an example of how we achieve the required outcome.
The part that comes next is not always the same, and we need to follow some rules. It starts with Firefox followed by Policy: these are the app name and setting type used in the ingestion OMA-URI above (Firefox also matches the file name of the template, firefox.admx), and every segment is separated with the ~ sign as shown below.
The next part is the category path. The first category is always found near the top of the ADMX file, inside the <categories> element, and as you can see it is called "firefox".
The next category will be one of the categories defined beneath it in the ADMX file (each sub-category names its parent with a parentCategory reference).
As we are configuring DisablePrivateBrowsing, the category required is called firefox, so my complete OMA-URI is ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~firefox/DisablePrivateBrowsing, i.e. the category path followed by /SettingName as shown below.
Now that we understand the OMA-URI, we need to provide the string value that enables this policy. For this particular policy, which takes no additional parameters, the value is just <enabled/>. A policy that does take parameters (it has an <elements> block in the ADMX) additionally needs a <data id="..." value="..."/> entry per element, with the id matching the element id in the template.
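Reading the category chain off the template by eye is error-prone, and Mozilla restructures the template between releases, so here is an added PowerShell example (not code from the original post) that derives the OMA-URI and a value skeleton for a named policy straight from the ADMX. It assumes the template is saved as .\firefox.admx next to the script and that Firefox and Policy are the app name and setting type used in the ingestion row above; the category path it emits is whatever chain of <category> elements the file you actually ingested defines, which is the path Intune will expect.

```powershell
# Added example, not from the original post.
# Derives the Intune OMA-URI (and the value skeleton) for one policy in an ingested ADMX file
# by walking the <parentCategory> chain, which is what the '~'-separated middle segment encodes.
param(
    [string]$AdmxPath    = '.\firefox.admx',          # assumption: template saved next to the script
    [string]$AppName     = 'Firefox',                 # must match .../ADMXInstall/<AppName>/...
    [string]$SettingType = 'Policy',                  # must match .../ADMXInstall/<AppName>/<SettingType>/...
    [string]$PolicyName  = 'DisablePrivateBrowsing'
)

[xml]$admx = Get-Content -Path $AdmxPath -Raw

# Index every <category> declared in this file by name so parentCategory refs can be resolved.
$categories = @{}
foreach ($cat in @($admx.policyDefinitions.categories.category)) {
    $categories[$cat.name] = $cat
}

$policy = @($admx.policyDefinitions.policies.policy) | Where-Object { $_.name -eq $PolicyName }
if (-not $policy) { throw "Policy '$PolicyName' not found in $AdmxPath" }

# Walk from the policy's category up to the top-level category. A ref with a namespace prefix
# (for example 'Mozilla:Cat_Mozilla') lives in a different ADMX file, so it is not in $categories
# and the walk stops there: only categories defined in the ingested file form the path.
$chain = New-Object System.Collections.Generic.List[string]
$ref = $policy.parentCategory.ref
while ($ref -and $categories.ContainsKey($ref)) {
    $chain.Insert(0, $ref)
    $ref = $categories[$ref].parentCategory.ref
}

$omaUri = './Device/Vendor/MSFT/Policy/Config/{0}~{1}~{2}/{3}' -f $AppName, $SettingType, ($chain -join '~'), $PolicyName

# Value: <enabled/> alone is enough for a policy without <elements>. Each element needs a matching
# <data id="..." value="..."/>; the placeholder names the element type so you know what to fill in.
$data = foreach ($el in @($policy.elements.ChildNodes | Where-Object NodeType -eq 'Element')) {
    '<data id="{0}" value="[{1} value]"/>' -f $el.id, $el.LocalName
}
$value = '<enabled/>' + (-join $data)

# One object per custom-profile row: paste Name, OMA-URI, Data type and Value into the portal.
[pscustomobject]@{
    Name     = "$AppName - $PolicyName"
    OmaUri   = $omaUri
    DataType = 'String'
    Value    = $value
}
```

Run it once per policy you want to add (for example .\Get-AdmxOmaUri.ps1 -PolicyName DisablePrivateBrowsing). If the app name or setting type you pass differ from the ones in your ingestion row, the device will reject the setting even though the category path is right, so keep those two parameters in step with the ingestion OMA-URI.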
Windows Information Protection enables organisations to draw a clear line between personal data and corporate data. When implementing Windows Information Protection (WIP) you might find that apps not recognised as corporate apps lose the ability to write data to corporate-protected applications and data stores. For example:
You are using GitHub and storing the cloned repos into your OneDrive Known Folders and WIP gets enabled to “Block” access.
That lovely GitHub repo you want to clone will now be blocked 🙁
So how do we implement Windows Information Protection so that our organisations are secure without breaking the tools people rely on?
Let's start with WIP Learning.
First of all, you need to have configured an App Protection policy within Microsoft Endpoint Manager covering all the apps you want to protect with WIP, as shown below.
WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organisation's IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before you enforce WIP in "Block" mode.
In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.
When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you’re done, you can change to your final enforcement policy, Block.
What are the protection modes?
Block: WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data with other people and devices outside of your organisation.
Allow Overrides: WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.
Silent: WIP runs silently, logging inappropriate data sharing, without blocking anything that would have prompted for employee interaction in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.
Switching on WIP
Browse to your App Protection policy and go to its Properties; under Required settings you can select which mode you would like to enable for your organisation. Please note: you will need to define your "Corporate identity". If you have multiple domains they can be added as "Protected domains" under "Network perimeter" in the "Advanced settings" tab.
Once you have run an initial pilot to discover the applications being used to access corporate data, you can generate a report from Apps –> Monitor –> App protection status –> Reports –> App learning report for Windows Information Protection. In my case I can see that my GitHub applications have been discovered.
Now that you have your report you are able to add the discovered applications to your protected apps list, or create the required exemptions, so that non-corporate applications can continue to work with corporate data.
It's time to unleash the power of Microsoft Endpoint Manager against OneDrive for Business. If you are licensed for Microsoft Intune you have many features and policies available to you when it comes to configuring OneDrive for Business. In my role as an IT Architect I am seeing more and more customers moving their data to the cloud and leveraging the functionality available from Microsoft Endpoint Manager.
One of the biggest changes in behaviour I have seen is moving Group Policies to Microsoft Endpoint Manager. Administrative Templates is an excellent solution that has grown not only in popularity but in functionality as well. An easy way of finding out whether your current on-premises Group Policies can move to Microsoft Intune is available on GitHub: if you haven't come across it yet, please check out MMAT (the MDM Migration Analysis Tool). It is one of the most powerful tools for gathering data on what is supported via Microsoft Endpoint Manager.
Administrative Templates is a growing function within Microsoft Endpoint Manager; in recent times it has gained more and more functionality, covering the following:
– Windows
– Office
– Edge
As we are focusing on just OneDrive, let's look at what is available to us today. Currently there are 31 different settings available for OneDrive for Business, and when I am working with my customers I always recommend looking at the following settings:
– Disable the tutorial that appears at the end of OneDrive setup
– Prevent users from changing the location of their OneDrive folder
– Prevent users from fetching files remotely
– Prevent users from moving their Windows known folders to OneDrive
– Prevent users from syncing personal OneDrive accounts
– Set the default location for the OneDrive folder
– Silently move Windows known folders to OneDrive
– Silently sign in users to the OneDrive sync client with their Windows credentials
Policies for Office Apps
This is the new kid on the block and currently has only one policy for OneDrive for Business, but expect this to change massively over the course of 2020.
And that's your lot. Please check out what Microsoft Endpoint Manager can do for you today, as you may be pleasantly surprised how powerful the Microsoft Cloud has become.
In a world where security and encryption are becoming more and more important for organisations, it's safe to say Microsoft is doing its part in empowering businesses to protect their corporate data on end-user devices.
Today we are going to look at how easy it is to enable BitLocker for your corporate devices using Microsoft Endpoint Manager.
Once you have logged into https://devicemanagement.microsoft.com you will need to browse to Devices –> Configuration profiles –> Create profile
Select Windows 10 and later and Endpoint protection; you will need to provide a profile name in order to save this configuration once complete.
As you can see below, once you go into Endpoint protection –> Windows Encryption you are able to configure encryption of your Windows 10 devices. Ensure you read every configuration option to understand how the behaviour will affect your end-user computers, in particular which options are required for encryption to start silently without the user being prompted.
Once you have assigned this new profile, the device will start encrypting at its next check-in.
Recently during a rollout of Microsoft Endpoint Manager, I noticed that my configured lock screen and desktop background were not being applied to my newly enrolled Windows 10 devices. 🙁 After a bit of investigation I noticed that the device was running Windows 10 Pro, even though the image used to build the machine was Windows 10 Enterprise. The Personalization settings that set the lock screen and desktop background are only supported on Windows 10 Enterprise and Education, so on a Pro device they are silently ignored.
Launch https://devicemanagement.microsoft.com and browse to Devices –> Configuration profiles –> New
– Name = Provide a name
– Description = (Optional)
– Platform = Windows 10 and later
– Profile type = Edition upgrade and mode switch
– Settings = Select Windows 10 Enterprise and provide your key
Now assign the policy to the affected devices and you will have Windows 10 Enterprise devices.
Isn't it annoying when the time zone on your Azure AD joined, hybrid Azure AD joined or Autopilot-enrolled device is incorrect?
Is there a simple way of resolving this issue for all devices?
Of course there is. Now let's look at how it is done.
First of all, log into the Microsoft Endpoint Manager admin center via https://devicemanagement.microsoft.com/ or the Intune blade in the Azure portal. You will now need to create a new device configuration profile with the following information:
– Name = Something that identifies the profile easily
– Platform = Windows 10 and later
– Profile type = Custom
Microsoft Endpoint Manager is great; however, if you want to encrypt a Windows 10 device silently while a standard (non-administrator) user is logged in, you might find it difficult to do so via the settings in the MEM portal. This is where this blog post will come in handy 🙂
In order to encrypt the device silently you need to create a Custom configuration profile. Browse to your Microsoft Endpoint Manager portal or Intune portal –> Devices –> Configuration profiles –> Create profile
Enter a Name for the profile
Select Windows 10 and later from Platform
Select Custom from Profile type
Select Configure from Settings
We will now need to enter the following information to configure encryption.
Once you have created the policy, assign it to your required devices and BitLocker will encrypt them.
Oh, but wait!
In my experience performing this procedure I have run into an issue where Intune recognises the device as compliant with "Require BitLocker" but non-compliant with "Encryption of data storage on the device".
This is due to the device not being able to back up the BitLocker recovery key to Azure Active Directory. The workaround for this was to deploy a PowerShell script using Intune that forces the key to be backed up.
So let's add a script to Intune which will execute the required steps. First go to Device Configuration –> Scripts –> Add
Provide a Name which will easily identify the script in the Intune portal.
Browse to the script location on your local machine or network drive. Tick Yes for Run script in 64 bit PowerShell host.
Save, then assign it to the required AAD group so it executes on the client machines.
I cannot take any credit for the script, but it resolves the issue I encountered and my compliance policy was once again "Compliant" for all devices. I have made this script available via my GitHub account.
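The post does not reproduce the script, so here is an added PowerShell example, written for this page rather than taken from the author's GitHub, that does the job the post describes: make sure the OS volume has a numerical recovery password protector and escrow it to Azure AD. It assumes it runs from Intune as SYSTEM in a 64-bit host on an Azure AD joined or hybrid joined device with the BitLocker module present (it ships with Windows 10). The event ID used for the final check is the one the BitLocker management log writes on a successful Azure AD backup on the devices I have worked with; confirm it against your own log.

```powershell
# Added example, not the script the post refers to.
# Ensures the OS volume has a recovery password protector and backs it up to Azure AD.
# Intended to run as SYSTEM from Intune (Scripts), with "Run script in 64 bit PowerShell host" = Yes.
$ErrorActionPreference = 'Stop'
$mount = $env:SystemDrive

$volume = Get-BitLockerVolume -MountPoint $mount
if ($volume.ProtectionStatus -ne 'On') {
    # Nothing can be escrowed until protection is on; exit non-zero so the Intune script status flags it.
    Write-Output "BitLocker protection is not on for $mount (volume status: $($volume.VolumeStatus))."
    exit 1
}

# Only a RecoveryPassword protector (the 48-digit key) can be backed up to Azure AD; TPM protectors cannot.
$recovery = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $recovery = @((Get-BitLockerVolume -MountPoint $mount).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

foreach ($protector in $recovery) {
    # Escrows the protector to the Azure AD device object; fails if the device is not AAD/hybrid joined.
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $protector.KeyProtectorId | Out-Null
    Write-Output "Escrowed recovery protector $($protector.KeyProtectorId) for $mount to Azure AD."
}

# Verification: the BitLocker management log records a successful Azure AD backup (event 845 in my
# experience; check the ID against your own log). Look for one written in the last few minutes.
$backedUp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id        = 845
    StartTime = (Get-Date).AddMinutes(-5)
} -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $backedUp) {
    Write-Output 'No backup-success event found; check join state and connectivity, then re-run.'
    exit 1
}
Write-Output 'Recovery key backup to Azure AD confirmed.'
exit 0
```

Because every run re-checks rather than assuming, the same script is safe to assign to the whole device group: devices that already have their key in Azure AD just re-escrow it, and devices where protection has not started report a failure you can see in the script status rather than silently staying non-compliant.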
Back in July Microsoft announced that it is now possible to configure enrolled Windows 10 devices with Administrative Templates that are very similar to Windows Group Policies. Since this announcement Microsoft has made further progress, introducing administrative templates for Windows, Office and most recently Edge.
Microsoft Endpoint Manager is becoming more common as businesses around the globe adapt, adopt and migrate more of their workloads to the Microsoft Cloud.
Let's dive into the reasoning for removing Windows 10 Group Policies and adopting Administrative Templates from Microsoft Intune. One of the most valuable things any business can do is enrol its Windows 10 devices in Microsoft Endpoint Manager, as it provides a lot of additional functionality which cannot be deployed using conventional on-premises infrastructure.
This modern management of Windows 10 allows businesses to apply policies to devices that may not be connected to the corporate LAN but do have an internet connection. This provides protection, configuration and compliance to the end-user device whether it is on or off the network.
I have been working with several customers recently who have seen huge value from moving their Group Policy Objects (GPOs) to Administrative Templates. Many of these organisations deployed legacy or out-of-date group policies to their end-users which are no longer needed and in some cases leave a security hole in their Windows 10 build.
Adopting Microsoft Endpoint Manager allows businesses to evaluate their GPO structure and condense their requirements. Condensing your GPOs with Administrative Templates is just the start of the journey to modern management.
Do you deploy applications via GPOs?
Do you deploy registry keys via GPOs?
If you do, these can also be delivered using the power of the Microsoft Cloud and specifically Microsoft Endpoint Manager. I have recently been deploying a large number of core applications to Windows 10, including registry key modifications, using PowerShell scripts from within the MEM portal. So as soon as the Windows 10 device is enrolled and has an internet connection, all applications and policies are configured, with the devices regularly polling for any updates or changes made within the Intune portal.
So isn't it time you investigated what Microsoft Endpoint Manager can do for you today?
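As an added illustration of the registry-key case (this is not the author's script), here is a PowerShell script of the shape you would upload under Devices –> Scripts to replace a GPO registry preference. It applies a desired-state list of HKLM values idempotently, so Intune can re-run it without side effects, and verifies the result before exiting. The key path, value names and data are placeholders chosen for the example, not settings from the post.

```powershell
# Added example, not the author's script. Applies a desired-state list of HKLM registry values
# the way a GPO registry preference would, idempotently, so it is safe for Intune to re-run.
# Runs as SYSTEM; tick "Run script in 64 bit PowerShell host" so HKLM:\SOFTWARE is the 64-bit view
# (a 32-bit host would silently redirect writes to WOW6432Node).
$ErrorActionPreference = 'Stop'

# Placeholder key and values chosen for illustration.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Contoso\Example'; Name = 'FeatureEnabled'; Type = 'DWord';  Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Contoso\Example'; Name = 'ServerUrl';      Type = 'String'; Value = 'https://example.internal' }
)

$changed = 0
foreach ($item in $desired) {
    if (-not (Test-Path -Path $item.Path)) {
        New-Item -Path $item.Path -Force | Out-Null
    }
    # Read the current value (null if the value does not exist) and only write when it differs.
    $current = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
    if ($null -eq $current -or $current.($item.Name) -ne $item.Value) {
        New-ItemProperty -Path $item.Path -Name $item.Name -PropertyType $item.Type -Value $item.Value -Force | Out-Null
        $changed++
    }
}

# Verify what is actually in the registry; a thrown error gives a failed status in the Intune portal.
foreach ($item in $desired) {
    $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name).($item.Name)
    if ($actual -ne $item.Value) {
        throw "Verification failed for $($item.Path)\$($item.Name): got '$actual', expected '$($item.Value)'"
    }
}
Write-Output "Registry configuration applied; $changed value(s) changed."
exit 0
```

Two practical notes: values under HKCU are not reachable from the SYSTEM context, so a script that needs per-user keys must be assigned with "Run this script using the logged on credentials" set to Yes; and keeping the target key under HKLM\SOFTWARE\Policies mirrors where a GPO would have written it, which makes the migration easy to audit against the old policy.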