Applying your Windows 10 Start Layout using Microsoft Intune.

One of the many useful things about Microsoft Intune is the granular configuration of Windows 10 devices using the native functions available to us today. In this short post we will look at just how easy it is to create a corporate Windows 10 Start layout and publish it to all of your client desktops automatically.

The general prerequisite for this feature is that your Windows 10 desktops are present in Azure Active Directory (Azure AD joined, or hybrid joined and synchronized from on-premises AD) and enrolled in Intune.

Export the Start Layout

When you have the Start layout that you want your users to see, use the Export-StartLayout cmdlet in Windows PowerShell to export it to an .xml file.

  1. From Start, open Windows PowerShell.
  2. At the Windows PowerShell command prompt, enter the following command:

Export-StartLayout -Path $env:userprofile\desktop\StartLayout.xml

PowerShell Cmd

Applying a Start layout

Once you have an exported Start layout, you can use the XML file to apply it to your entire organization with Microsoft Intune. Browse to the Intune portal and go to Device configuration –> Profiles.

You may already have a Windows 10 Device Restrictions profile. If not, create a new profile with the platform set to Windows 10 and later and the profile type set to Device restrictions.

Device Configuration Profiles

Once in the profile properties, go to Settings and look for “Start”; this is where you upload your Windows 10 Start menu layout. In the same group of settings you can also change the look of the Start menu by blocking or hiding elements on it, for example blocking Fast User Switching and hiding File Explorer from Start.

Device Restriction Profile for Start Menu Settings

Once you have saved your configuration and your Windows 10 device has checked in, it will receive the new Start menu.
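A layout applied by policy locks Start completely by default: users cannot pin, unpin or move tiles. The script below is an added example, not code from the original post. It runs the same export, checks that the file parses, switches it to a partial lockdown (LayoutCustomizationRestrictionType="OnlySpecifiedGroups", which locks only the groups in the file), prints what will be pinned so the change can be reviewed, and XML-escapes the file for the case where you deliver it through the custom OMA-URI ./User/Vendor/MSFT/Policy/Config/Start/StartLayout rather than the Device Restrictions upload (which escapes it for you). The output path and the choice of partial lockdown are this example's assumptions.

```powershell
# Added example (not from the original post). Assumptions: output path under
# the user's Desktop, and partial rather than full lockdown.
$layoutPath = Join-Path $env:USERPROFILE 'Desktop\StartLayout.xml'

# 1. Export the signed-in user's layout (same cmdlet as the post).
Export-StartLayout -Path $layoutPath

# 2. Parse it; a malformed file fails here rather than on every desktop.
[xml]$layout = Get-Content -Path $layoutPath -Raw
$override = $layout.LayoutModificationTemplate.DefaultLayoutOverride
if ($null -eq $override) { throw "No DefaultLayoutOverride element in $layoutPath" }

# 3. By default a policy-applied layout locks Start completely.
#    OnlySpecifiedGroups locks only the groups in this file and leaves the
#    rest of Start editable by the user.
$override.SetAttribute('LayoutCustomizationRestrictionType', 'OnlySpecifiedGroups')
$layout.Save($layoutPath)

# 4. List what the policy will pin, so the change can be reviewed.
$groups = @($override.StartLayoutCollection.StartLayout.Group)
foreach ($g in $groups) {
    $tiles = @($g.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    "Group '{0}': {1} tile(s)" -f $g.GetAttribute('Name'), $tiles.Count
    foreach ($t in $tiles) {
        # Desktop apps are pinned by .lnk path, Store apps by AppUserModelID.
        $target = if ($t.HasAttribute('AppUserModelID')) { $t.GetAttribute('AppUserModelID') }
                  else { $t.GetAttribute('DesktopApplicationLinkPath') }
        "  {0}: {1}" -f $t.LocalName, $target
    }
}

# 5. XML-escape the whole file into the single string value a custom
#    OMA-URI setting expects (only needed for the custom-policy route).
$escaped = [System.Security.SecurityElement]::Escape((Get-Content -Path $layoutPath -Raw))
Set-Content -Path "$layoutPath.omavalue.txt" -Value $escaped
```

Keep the reviewed tile list with the change record: a pinned .lnk path points at whatever binary sits there on each machine, so it is worth knowing exactly which paths you are putting in front of every user.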

New Windows 10 Start Menu

The Author – Blogabout.Cloud

Installing and Managing Google Chrome with Microsoft Intune

As Microsoft Intune's capabilities keep growing, in this blog post we are going to look at how to install Google Chrome and manage it via Microsoft Intune. I have recently been looking at how to use Intune for more than just Microsoft tooling, and Google Chrome can be both installed and managed across a Windows 10 desktop estate.

Installing Google Chrome

Download Google Chrome Package

Visit the Google Chrome Enterprise download page to get the Chrome Enterprise bundle, which contains both the MSI installer and the ADMX policy templates used later in this post.

Microsoft Intune

First of all, log in to the Azure portal and go to the following location:

  • Microsoft Intune
  • Client Apps
  • Add
  • App type: Line-of-business app

Now select the GoogleChromeStandaloneEnterprise .msi from inside the downloaded zip bundle.

Google Chrome Enterprise Package
App package file

You will now need to fill in the App information fields below App package file before you can assign Google Chrome to your whole enterprise or to selected security groups.

As you can see from the image below, I have targeted several security groups within my personal tenant and made the app required for all users / all devices.

Make sure you save your configuration as you exit.
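Before an installer is pushed to every desktop as a required app it is worth checking that the file is what it claims to be and recording the identifiers Intune will use to detect it. The script below is an added example, not code from the original post or from Google: it verifies the Authenticode signature on the MSI, records its SHA256, and reads ProductCode and ProductVersion from the MSI Property table through the Windows Installer COM API. The file path and the expected signer subject are assumptions; confirm the subject against the certificate on the copy you downloaded.

```powershell
# Added example (not from the original post). Assumptions: the MSI path and
# the expected signer subject; check both against your own download.
$msiPath        = 'C:\Temp\GoogleChromeStandaloneEnterprise64.msi'
$expectedSigner = 'CN=Google LLC'   # assumption: verify on your copy

# 1. Authenticode: the MSI must carry a valid, chained signature from the
#    publisher you expect. Anything else does not go into the LOB app.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status) ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Subject -notlike "$expectedSigner*") {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}
"Signed by $($sig.SignerCertificate.Subject), certificate valid until $($sig.SignerCertificate.NotAfter)"

# 2. Record the hash so the same file can be recognised later (change
#    record, ticket, or comparison with a future upload).
$hash = (Get-FileHash -Path $msiPath -Algorithm SHA256).Hash
"SHA256: $hash"

# 3. Read a value from the MSI Property table. Intune's line-of-business
#    detection keys off ProductCode/ProductVersion, and these are what you
#    compare when a newer Chrome build is uploaded.
function Get-MsiProperty {
    param([string]$Path, [string]$Name)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $query = "SELECT Value FROM Property WHERE Property = '$Name'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { return $null }
    $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
}
"ProductCode:    $(Get-MsiProperty -Path $msiPath -Name 'ProductCode')"
"ProductVersion: $(Get-MsiProperty -Path $msiPath -Name 'ProductVersion')"
```

Run this on the extracted file before uploading it; if the signature check fails, download the bundle again rather than uploading the file you have.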

Managing Google Chrome

Import Google Chrome ADMX Templates

  • Download the Chrome ADMX templates.
    • You will already have completed this step when downloading the Google Chrome MSI.
  • Sign in to the Microsoft Azure portal.
  • Go to Intune –> Device configuration –> Profiles.
  • Next to Device configuration – Profiles, click Create profile.
  • Enter the following text in these fields:

Field: Text to enter
Name: Windows 10 – Chrome configuration (or any descriptive name)
Description: Enter a description (optional)
Platform: Windows 10 and later
Profile type: Custom
Settings: Custom (select from the drop-down list)

Selecting Custom in the step above opens a new menu for OMA-URI settings. Click Add to add a specific policy and enter the following text:

Field: Text to enter
Name: Chrome ADMX Ingestion
Description: Enter a description (optional)
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx
Data type: String (select from the drop-down list)

  • Once you select String, a Value text field opens below. On your computer, open chrome.admx from the downloaded template bundle.
  • Copy the entire text of chrome.admx.
  • In the Value field, paste the chrome.admx text.
  • Click OK and OK again to save the Custom OMA-URI settings.
  • Click Create to create the new profile.

Configure Google Chrome Policy

  • Go to Intune –> Device configuration –> Profiles
  • Click the Windows 10 – Chrome configuration profile you created previously
  • Select Properties –> Settings –> Configure to open the Custom OMA-URI settings
  • Click Add to add a row
  • Enter text into the fields, following the examples below for the type of policy you are implementing.

Example A: Disable Password Manager

Field: Text to enter
Name: Chrome – ADMX – PasswordManagerEnabled
Description: Disable Password Manager
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled
Data type: String
Value: <disabled/>

List of all Google Chrome Configurations

The table below lists all the settings that are available for delivery using Microsoft Intune. Every OMA-URI starts with ./Device/Vendor/MSFT/Policy/Config/ (omitted from the second column to keep the rows readable), the data type for every row is String, and each setting is named Chrome – ADMX – <policy>.

Policy | OMA-URI (append to ./Device/Vendor/MSFT/Policy/Config/) | Example value
AllowOutdatedPlugins | Chrome~Policy~googlechrome/AllowOutdatedPlugins | <disabled/>
AudioCaptureAllowedUrls | Chrome~Policy~googlechrome/AudioCaptureAllowedUrls | <enabled/> <data id="AudioCaptureAllowedUrlsDesc" value="1&#xF000;[*.]"/>
AutoFillEnabled | Chrome~Policy~googlechrome/AutoFillEnabled | <disabled/>
CloudPrintSubmitEnabled | Chrome~Policy~googlechrome/CloudPrintSubmitEnabled | <disabled/>
DefaultBrowserSettingEnabled | Chrome~Policy~googlechrome/DefaultBrowserSettingEnabled | <enabled/>
DefaultPopupsSetting | Chrome~Policy~googlechrome~ContentSettings/DefaultPopupsSetting | <enabled/> <data id="DefaultPopupsSetting" value="1"/>
DefaultSearchProviderEnabled | Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderEnabled | <enabled/>
DefaultSearchProviderName | Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderName | <enabled/> <data id="DefaultSearchProviderName" value="Google Encrypted Search"/>
DefaultSearchProviderSearchURL | Chrome~Policy~googlechrome~DefaultSearchProvider/DefaultSearchProviderSearchURL | <enabled/> <data id="DefaultSearchProviderSearchURL" value="{searchTerms}"/>
DisableSafeBrowsingProceedAnyway | Chrome~Policy~googlechrome/DisableSafeBrowsingProceedAnyway | <enabled/>
ExtensionInstallForcelist | Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist | <enabled/> <data id="ExtensionInstallForcelistDesc" value="1&#xF000;heildphpnddilhkemkielfhnkaagiabh;"/>
ForceGoogleSafeSearch | Chrome~Policy~googlechrome/ForceGoogleSafeSearch | <enabled/>
ImportAutofillFormData | Chrome~Policy~googlechrome/ImportAutofillFormData | <disabled/>
ImportBookmarks | Chrome~Policy~googlechrome/ImportBookmarks | <enabled/>
ImportHistory | Chrome~Policy~googlechrome/ImportHistory | <disabled/>
ImportHomepage | Chrome~Policy~googlechrome/ImportHomepage | <enabled/>
ImportSavedPasswords | Chrome~Policy~googlechrome/ImportSavedPasswords | <disabled/>
ImportSearchEngine | Chrome~Policy~googlechrome/ImportSearchEngine | <disabled/>
NotificationsAllowedForUrls | Chrome~Policy~googlechrome~ContentSettings/NotificationsAllowedForUrls | <enabled/> <data id="NotificationsAllowedForUrlsDesc" value="1&#xF000;[*.]"/>
PasswordManagerEnabled | Chrome~Policy~googlechrome~PasswordManager/PasswordManagerEnabled | <disabled/>
PluginsAllowedForUrls | Chrome~Policy~googlechrome~ContentSettings/PluginsAllowedForUrls | <enabled/> <data id="PluginsAllowedForUrlsDesc" value="1&#xF000;[*.];2&#xF000;[*.]"/>
SafeBrowsingEnabled | Chrome~Policy~googlechrome~SafeBrowsing/SafeBrowsingEnabled | <enabled/>
VideoCaptureAllowedUrls | Chrome~Policy~googlechrome/VideoCaptureAllowedUrls | <enabled/> <data id="VideoCaptureAllowedUrlsDesc" value="1&#xF000;[*.]"/>
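The pattern behind Example A and every row of the table is mechanical: the OMA-URI is the app and setting-type names from the ingestion URI (Chrome, Policy), then the category chain from chrome.admx joined with ~, then the policy name; the value is <disabled/>, or <enabled/> followed by one <data/> element per ADMX element. The script below is an added example, not code from the original post or from Google, that derives both from the ADMX file instead of typing them by hand. The ADMX fragment embedded in it is constructed for this example and only mirrors the shape of chrome.admx; point it at the real file (assumed here to live under policy_templates\windows\admx in the extracted bundle) to run it against the full template. List elements are encoded as index/value pairs joined with &#xF000;, the delimiter the Policy CSP documentation describes for ADMX-backed lists; check multi-value rows against that documentation before deploying.

```powershell
# Added example (not from the original post). The ADMX below is a constructed
# fragment: one boolean policy and one list policy, with the category chain
# googlechrome -> PasswordManager / ContentSettings, as in chrome.admx.
$sampleAdmx = @'
<policyDefinitions revision="1.0" schemaVersion="1.0"
  xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <categories>
    <category name="googlechrome" displayName="$(string.googlechrome)"/>
    <category name="PasswordManager" displayName="$(string.PasswordManager)">
      <parentCategory ref="googlechrome"/>
    </category>
    <category name="ContentSettings" displayName="$(string.ContentSettings)">
      <parentCategory ref="googlechrome"/>
    </category>
  </categories>
  <policies>
    <policy name="PasswordManagerEnabled" class="Both" key="Software\Policies\Google\Chrome"
            valueName="PasswordManagerEnabled" displayName="$(string.x)" explainText="$(string.x)">
      <parentCategory ref="PasswordManager"/>
      <supportedOn ref="SUPPORTED_WIN7"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy name="NotificationsAllowedForUrls" class="Both" key="Software\Policies\Google\Chrome"
            displayName="$(string.x)" explainText="$(string.x)" presentation="$(presentation.x)">
      <parentCategory ref="ContentSettings"/>
      <supportedOn ref="SUPPORTED_WIN7"/>
      <elements>
        <list id="NotificationsAllowedForUrlsDesc" key="Software\Policies\Google\Chrome\NotificationsAllowedForUrls" valuePrefix=""/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-ChromeOmaUri {
    param(
        [xml]$Admx,
        [string]$PolicyName,
        [string]$AppName = 'Chrome',       # the app name used in the ADMXInstall URI
        [string]$SettingType = 'Policy',   # the setting type used in the ADMXInstall URI
        [ValidateSet('Device', 'User')][string]$Scope = 'Device'
    )
    $policy = @($Admx.policyDefinitions.policies.policy) | Where-Object { $_.GetAttribute('name') -eq $PolicyName }
    if (-not $policy) { throw "Policy $PolicyName not found in ADMX" }

    # Index categories by name, then walk parentCategory references up to the root.
    $categories = @{}
    foreach ($c in @($Admx.policyDefinitions.categories.category)) { $categories[$c.GetAttribute('name')] = $c }
    $chain = @()
    $ref = $policy.parentCategory.GetAttribute('ref')
    while ($ref) {
        if (-not $categories.ContainsKey($ref)) { throw "Category $ref referenced but not defined" }
        $chain = @($ref) + $chain
        $parent = $categories[$ref].parentCategory
        $ref = if ($parent) { $parent.GetAttribute('ref') } else { $null }
    }
    $path = (@($AppName, $SettingType) + $chain) -join '~'
    "./$Scope/Vendor/MSFT/Policy/Config/$path/$PolicyName"
}

function New-ChromeOmaValue {
    param([xml]$Admx, [string]$PolicyName, [bool]$Enabled = $true, [string[]]$ListValues = @())
    if (-not $Enabled) { return '<disabled/>' }
    $policy = @($Admx.policyDefinitions.policies.policy) | Where-Object { $_.GetAttribute('name') -eq $PolicyName }
    if (-not $policy) { throw "Policy $PolicyName not found in ADMX" }
    $parts = @('<enabled/>')
    foreach ($list in @($policy.elements.list)) {
        if ($null -eq $list) { continue }
        # index/value pairs joined with &#xF000; (Policy CSP list encoding)
        $pairs = for ($i = 0; $i -lt $ListValues.Count; $i++) { '{0}&#xF000;{1}' -f ($i + 1), $ListValues[$i] }
        $parts += ('<data id="{0}" value="{1}"/>' -f $list.GetAttribute('id'), ($pairs -join '&#xF000;'))
    }
    $parts -join ' '
}

[xml]$admx = $sampleAdmx
# For the real template (path inside the bundle is an assumption):
# [xml]$admx = Get-Content -Raw 'C:\Temp\policy_templates\windows\admx\chrome.admx'
Get-ChromeOmaUri  -Admx $admx -PolicyName 'PasswordManagerEnabled'
New-ChromeOmaValue -Admx $admx -PolicyName 'PasswordManagerEnabled' -Enabled $false
Get-ChromeOmaUri  -Admx $admx -PolicyName 'NotificationsAllowedForUrls'
New-ChromeOmaValue -Admx $admx -PolicyName 'NotificationsAllowedForUrls' -ListValues '[*.]contoso.com', 'https://intranet.contoso.com'
```

Run against the constructed fragment, the PasswordManagerEnabled calls reproduce the URI and the <disabled/> value from Example A, and the NotificationsAllowedForUrls calls reproduce the ContentSettings URI from the table with a two-entry list. The two sample URL patterns are made up for the example; the table's own list rows only show the [*.] prefix of the pattern.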

This concludes this post.


Microsoft 365 Device Management Part 1 – Device Enrollment

Microsoft 365 Device Management, otherwise known as Intune, is a very popular device management solution that you will see in most organizations. The evolution of Intune has moved very quickly with the times, and you probably already have the correct licenses within your organization but are currently using something like AirWatch. This post dives into my personal tenant, where I have configured 365 Device Management for my Android phone, and runs through the basics of getting Microsoft 365 Device Management up and running for mobile devices like phones and tablets. All configuration is based on what is currently set within my own environment and may not apply to your organisation.

The Dashboard

Microsoft 365 Device Management Dashboard

The Microsoft 365 Device Management dashboard is configurable to your requirements. If there is something you would like to see on the dashboard (or not see), you can easily edit the page and add additional tiles as shown below.

Editing the Dashboard

You can also create your own dashboard and leave the default one as it is:

Customized Dashboard

All Services

This section contains all the services available within the M365 Device Management portal. As you can see, some of the options do not have a gold star; all that means is that the option is not displayed on your left-hand panel, which you can customize to show the options you want to see.

All M365 Device Management Services

Device Enrollment

Apple enrollment

In order to support iOS devices, Microsoft Intune requires an Apple MDM Push Certificate to manage them and to support the various enrollment methods.

Android enrollment

Microsoft Intune by default supports all Android devices. Managed Google Play enables management of Work Profile and other Android Enterprise functionality.

Android Enterprise provides three additional functions within this section once Managed Google Play is configured.

Personal devices with work profiles

This option allows your organization to manage corporate data and apps on user-owned Android devices. You approve the applications in the Google Play Store that your organization wants to manage, for example Outlook. Once the applications are approved, Enrollment Restrictions gives you finer control over which groups of users should be managed using work profiles.

Corporate-owned dedicated devices

This option allows your organization to manage device-owner enrollments for kiosk and task devices, using QR codes or tokens.

Corporate-owned, fully managed users devices (Preview)

This option is currently only in preview and more developments are expected. In its current state, end users enroll their corporate-owned devices with a company token. You can also use the Zero-touch portal for auto-provisioning; its integration with the Intune portal is coming soon.

Windows enrollment

In this section we can configure Microsoft Intune enrollment for Windows devices.

Automatic Enrollment

This option allows your organization to configure automatic enrollment when a Windows device joins or registers with Azure Active Directory. You can configure user scopes for MDM and MAM.

Unsure of the difference between the two?

MDM: addresses lack of control over corporate and personal devices, and lost device security

  • Ensures device compliance through user and device registration, configuration on-premises and passcode management
  • Secures devices on the network so you can monitor, report, track and update devices – and even locate, lock and wipe devices, if lost or stolen

MAM: addresses lack of compliance with data and privacy requirements, and lost data retrieval

  • User identity policy, single sign-on and conditional access tailored by role and device (with Intune or Active Directory on premises or in the cloud)
  • Monitors and pushes app updates, including mobile document management for online or cloud-provisioned apps like SharePoint and OneDrive

Windows Hello for Business

This option allows your organization to replace passwords with strong two-factor authentication. Please note: this is the default Windows Hello for Business configuration, applied with the lowest priority to all users regardless of group membership. Devices must be running Windows 10 or Windows 10 Mobile, or later, to be supported.

CNAME Validation

This option is a must for all organizations, as the CNAME records remove the need for end users to type the MDM server address when enrolling their devices.
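The portal's validation button checks the records for you, but it is useful to have the same check in a script, for example after a DNS change or when a new verified domain is added. The function below is an added example, not code from the original post: for each domain it resolves the two CNAMEs Windows uses for auto-discovery (EnterpriseEnrollment for the MDM endpoint, EnterpriseRegistration for Azure AD device registration) and compares them to the targets Microsoft documents for Intune. The domain list is constructed for the example; replace it with your verified domains.

```powershell
# Added example (not from the original post). The domain below is constructed
# sample input; the expected CNAME targets are the ones Microsoft documents
# for Intune enrollment and Azure AD device registration.
$domains = @('contoso.com')

$expected = @{
    'EnterpriseEnrollment'   = 'enterpriseenrollment-s.manage.microsoft.com'
    'EnterpriseRegistration' = 'enterpriseregistration.windows.net'
}

function Test-IntuneCname {
    param([string]$Domain)
    foreach ($label in $expected.Keys) {
        $fqdn = "$label.$Domain"
        try {
            # Ask specifically for the CNAME and keep only the CNAME answer,
            # so a stray A record does not mask a missing alias.
            $answer = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop |
                      Where-Object { $_.QueryType -eq 'CNAME' } |
                      Select-Object -First 1
            $target = $answer.NameHost
        } catch {
            $target = $null   # NXDOMAIN or no CNAME present
        }
        [pscustomobject]@{
            Record   = $fqdn
            Target   = $target
            Expected = $expected[$label]
            Ok       = [bool]($target -and ($target.TrimEnd('.') -ieq $expected[$label]))
        }
    }
}

$domains | ForEach-Object { Test-IntuneCname -Domain $_ } | Format-Table -AutoSize
```

A row with Ok set to False and an empty Target means the alias is missing; a non-empty Target that does not match is the more interesting case, since it means enrollment traffic is being directed somewhere you did not intend.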

Enrollment Status Page

This option lets your end users see the status of the enrollment process. You can also block use of the device until all apps and profiles are installed.

Deployment Profiles

Windows Autopilot deployment profiles let you customize the out-of-box experience (OOBE) that your users see on new devices.

Intune connector for Active Directory

This option requires you to download the Intune Connector for Active Directory to support hybrid Azure AD join.

Terms and conditions

This option can be configured in Intune, but the look and feel is quite basic, as shown below:

Intune T&Cs

However, if you configure Azure AD terms of use instead, the result within the Company Portal is much slicker.

Enrollment restrictions

A device must comply with the highest priority enrollment restrictions assigned to its user. You can drag a device restriction to change its priority. Default restrictions are lowest priority for all users and govern userless enrollments. Default restrictions may be edited, but not deleted.

Device categories

Create device categories from which users must choose during device enrollment. You can filter reports and create Azure Active Directory device groups based on device categories.

Corporate device identifiers

With this option you add corporate devices by IMEI or serial number, either manually or via CSV upload.

Device enrollment managers

This option allows designated users to enroll larger quantities of devices. More details can be obtained from Microsoft's Intune documentation.

This section also allows you to monitor device enrollment failures, incomplete user enrollments and audit logs.

This completes Part 1, in Part 2 I will be looking at Device Compliance.


Selectively wipe data using app protection policy access actions in Intune

Just a bit like Thanos, you can selectively wipe your corporate data if you have implemented an app protection policy. This provides extra flexibility for managing your corporate data across company- and non-company-owned devices. I am currently working with an organisation where users are nervous about enrolling their personal devices via the Company Portal. An administrator has the ability to completely factory reset their devices, but being able to selectively wipe only the corporate data in a particular app (like Outlook) has calmed their woes.

Don’t get me wrong, everyone is human and mistakes can be made, but educating your Service Desk or whoever is responsible for Intune in using selective wipe reduces the risk of the Thanos Factory Reset Button.

Captain America “No you won’t Factory Reset my device”

Create an app protection policy using access actions

Click Client Apps –> App Protection Policies

Create Policy

Create Policy

Provide a Name, Description and Platform
Select Apps

Select all the applications you would like to manage with selective wipe
Press Select

Under Settings you can either leave the defaults or modify them to your requirements.
Press Create to finish creating the app protection policy; you can repeat this process for other platforms if you require.

Wiping Applications

Under App selective wipe
Click Create wipe request

Under Users
Find and select the users you would like to wipe
Under Device
Select the device you would like to wipe

Important Notice

Please note: it can take up to 30 minutes for this process to complete; I have seen it take nearly 45 minutes in my own testing.

Once the request is listed as completed, all corporate data in the selected apps on that device will have been removed, without affecting the user's personal mail accounts or other applications.


New functionality now in preview for Conditional Access

So I was happily minding my own business, looking at my Conditional Access configuration, and noticed three new options had appeared:

  • Baseline policy: End user protection (Preview)
  • Baseline policy: Block legacy authentication (Preview)
  • Baseline policy: Require MFA for Service Management (Preview)

Baseline policy: End user protection (Preview)

This policy protects users by requiring multi-factor authentication (MFA) during risky sign-in attempts to all applications. Users with leaked credentials are blocked from signing in until a password reset.

Once the policy is enabled, users are required to register for MFA within 14 days of their first login attempt. The default method of MFA registration is the Microsoft Authenticator App.

This policy is either On or Off, and you can also exclude users from it.

Baseline policy: Block legacy authentication (Preview)

This policy blocks all sign-ins using legacy authentication protocols that do not support multi-factor authentication (such as IMAP, POP and SMTP). The policy does not block Exchange ActiveSync. Clients that rely on these protocols, and are therefore blocked, include:

  • Office 2013 (without registry keys)
  • Office 2010
  • Thunderbird client
  • Legacy Skype for Business
  • Native Android mail client

This policy is either On or Off, and you can also exclude users from it. This policy is great, as I have configured a custom-built policy for just this, but my policy also includes Exchange ActiveSync.

Baseline policy: Require MFA for Service Management (Preview)

This policy requires users logging into services that rely on the Azure Resource Manager API to perform multi-factor authentication (MFA).

Services requiring MFA include:

  • Azure Portal
  • Azure Command Line Interface (CLI)
  • Azure PowerShell Module

This policy is either On or Off, and you can also exclude users from it.

It’s great to see more brilliant developments in Conditional Access, and I am really excited to see these go live with customers.
