Delivering your corporate applications can be a nightmare if you dont have a enterprise delivery solution like System Center or 3rd party mechanism.
So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.
Azure Storage Account
One of the requirements for this solution is an Azure Storage Account within your Azure subscription, this account will be used for storing the applications which you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.
Specify the required settings within the Basic tab for creating a Storage Account.
Using the default settings as shown below
Click Review and Create Click Create
Configuring Storage Account with required Applications
Click Container Specify the Name Select Conditioner (anonymous read access for containers and blobs) under Public Access Level
Select your container Select Upload Select the files you want to upload Modify the block size if it’s less than the size of the files you are uploading Select Upload
Once the files are upload they all have a unique url which is used to identify the file as shown below.
The PowerShell Script!!!
I have created a PowerShell script that is available on GitHub and should be self-explanatory.
Step 1 – Download all the required files into C:\_Build Step 2 – Run installer files Step 3 – Run additional Powershell scripts (Optional) Step 4 – Remove C:\_Build Step 5 – Create RegKeys (Optional)
In recent times I have started to become a bit of an “expert, well I will use that word loosely” for Windows 10. Hybrid Azure AD Join is becoming a very popular option for a lot of the clients that I am currently working with and pops up all the time in discussions about “Modern Management” of Windows 10. I have experienced a few highs and lows when implementing Hybrid Azure AD Join and want to share that knowledge I have gain over the past 6 months.
What is Hybrid Azure AD Join?
Hybrid Azure AD Join is where your Windows 10 device is connected to your local Active Directory Domain and synchronized using Azure Active Directory Connect (AADC) to Azure AD.
Why would you do this?
This enables you to manage your Windows 10 devices from Microsoft Intune and leverage the offers from the cloud. Most organizations today have the required Microsoft subscriptions to implement Microsoft Intune but are unaware of how to start their journey.
What do I need for Hybrid Azure AD Join in a Managed Domain?
Azure Active Directory Connect version 1.1.819 or greater
Devices must be able to connect to the following URLs
All Computer Objects from your on-premises Active Directory must be within the sync scope
Service Connection point (SCP) is created for device registration (Completed via running AADC)
Implementing Hybrid Join for your organization
We are now going to run through the steps required to gear up your environment for Hybrid Join, first of all we are going to create the SCP using AADC. When you launch AADC you see “Configure device options”, select this option and proceed
In this section you will receive the following Overview of what can be configured and in this case, we are looking at Hybrid Azure AD Join only.
Hybrid Azure AD Join enables devices in your Active Directory forest to register with Azure AD for access management. Computers in your organization will automatically discover Azure AD using a service connection point (SCP) object that is created in your Active Directory Forest.
Device writeback is a prerequisite for enabling on-premises conditional access using AD FS and Windows Hello for Business. Device writeback synchronizes all devices registered in Azure AD back to on-premises. The device are synchronized to a device container that is created in your Active Directory forest.
Device writeback requires the Active Directory Schema version to be Windows 2012 R2 (level 69) or higher
You can confirm that the SCP has been created by launching ADSI Edit and browse to the location displayed below.
Now we have configured Active Directory we need to create a new GPO that configures the Windows 10 device to AutoEnroll into Azure AD. First of all we need the correct GPO templates installed in your SYSVOL, these templates can be download by the below URL.
I have been recently working with a customer where we was experiencing issues with connectivity to relevant Microsoft urls. While looking at potential solutions I came across a PowerShell script which tested for the following URLs
Recently when working with a customer I was troubleshooting why their devices were showing up as Azure AD Registered in the Azure portal in Azure Active Directory when they should be Hybrid Azure AD joined. These were Windows 10 1809 devices.
When running “dsregcmd /status” on one of the machines, it would show as AzureAdJoined : NO. When it is Hybrid Azure AD joined, it should still say Yes.
If you run the command as admin, you will see there is Diagnostic Data section. On my devices, it said:
Client ErrorCode : 0x801c03f2 Server ErrorCode : DirectoryError Server Message: The device object by the given id (guid) is not found.
This is because the device(s) has not been synced to Azure AD by Azure AD Connect. Make sure that the OU’s that the computer objects are in is set to sync to Azure AD. In my customer’s configuration, they had additional filtering where the users and computer objects needed to be in a Security Group to be synced to Azure AD.
Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine now shows as Hybrid Azure AD joined in the Azure portal.
The following post contains the new features and updated features from October 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.
Leveraging your Azure subscription for Microsoft Intune massively reduces the requirements for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background all with the power of the Microsoft Cloud.
First up you will need to create a storage account within your Azure subscription.
Specify the following; – Resource Group – Storage Account Name – Location (Europe) UK South
Once the storage account has successful created, you will need to go to the resource
Go to “Containers” Create new “Container” Specify the name of the Container Specify the Public Access level as “Blob” Then click ok
Click on your new “Container”
Click Upload You will need to upload your required .jpg file
Click on the uploaded file and you will be provided a URL which can be used
Provide the URL into your required destination for example Lock Screen as shown below
As you can see from below my Lockscreen and Desktop backgrounds are what I have specifed.
Enterprise organizations today are becoming more and more security conscious of where the corporate resides. If you have come across Windows Information Protection yet, check out the below video from Microsoft.
Right let us jump right into it
Windows Information Protection is configured via the Microsoft Intune portal. Browse to Client Apps –> App protection policies –> Required settings
Windows Information Protection mode
Block: Block enterprise data from leaving protected apps
Allow overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If they choose to override this prompt, the action will be logged.
Silent: User is free to relocate data off of protected apps. No actions are logged.
Off: User is free to relocate data off of protected apps. No actions are logged.
You will need to specify your corporate identity, if you have multiple identities you will need to “Protected Domains” under “Advanced settings” –> “Add network boundary”
Once you have selected the Windows Protection mode, we need some applications to protect.
This step is definitely one of the easiest to do, as Microsoft has already generated a list of all the default applications and all you need to do is go to “Protected Apps” and “Add apps”.
For the purpose of this blog, I have missed out the Cloud Resources as shown below.
This detail can be found via the following url
Now you are good to go to protect your corporate information
I have recently been running into the following issue where using white-glove experience for Windows Autopilot. The error already occurs around the 14-minute mark when “Registering the device for mobile management”.
This issue is cause by multiple MDM enrollment applications defined within the Mobility (MDM and MAM) window within your Azure Active Directory
Once I had remove Microsoft Intune Enrolment, Windows Autopilot provisioing was able to successful complete.
After a bit of recent investigate App Protection policies I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I have recently experienced an issue where network boundaries were not configured correctly and I had to ensure that all applications that were being protected do not experience any issues access corporate resources.
It is recommended to use the following when adding a network boundary.
The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.