Using Endpoint Analytics (Preview) | Let’s see if we can Proactive remediate installed PowerShell Modules.


If you have followed my blog for some time now, you will know how much I bang on about keeping your PowerShell modules up to date. It’s been a while since I have looked at Microsoft Endpoint Manager, and I recently discovered Endpoint Analytics.

That got me thinking about how I could automatically remediate out-of-date installed PowerShell modules.

Detection Script

As you can see from below, I have created a PowerShell script which allows me to detect PowerShell modules that are not up to date. The detection script works on the basis of comparing the installed version vs. the cloud version available from the PowerShell Gallery. If matching versions are found, it will move on to the next installed module until either:

1. All PowerShell modules installed are matched to the cloud version.
or
2. A module is found where a later version is available.

I am using an array to pull Get-InstalledModule into a ForEach loop.

Remediation Script

The remediation script works in the same way as the detection script, but if a newer module version is found, the script removes the legacy version and then installs the latest version from the PowerShell Gallery.
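
The detection and remediation logic described above, as an added example (this is not the author's script from the GitHub repository). It assumes the script package runs in the default SYSTEM context with modules installed for all users; $Remediate, Get-OutdatedModule and ConvertTo-ComparableVersion are names made up for this example, and it installs the new version before removing the old one, the reverse of the order described, so a failed download does not leave the module missing.

```powershell
# Added example: detection/remediation pair for a Proactive Remediation script package.
# Intune runs the detection script first: exit 1 = issue found (remediation runs), exit 0 = healthy.
# $Remediate is a hypothetical toggle for this example: leave it $false in the copy uploaded
# as the detection script, set it to $true in the copy uploaded as the remediation script.
$Remediate  = $false
$Repository = 'PSGallery'

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # PowerShellGet can return versions as strings; drop any prerelease
    # suffix ("-preview1") before parsing so the comparison is numeric.
    $parsed = $null
    if ([version]::TryParse(($Text -replace '-.*$'), [ref]$parsed)) { return $parsed }
    return $null
}

function Get-OutdatedModule {
    # Only modules that were installed from the chosen repository can be compared against it.
    $installed = @(Get-InstalledModule -ErrorAction SilentlyContinue |
        Where-Object { $_.Repository -eq $Repository })
    if ($installed.Count -eq 0) { return }

    # One Find-Module call for all names instead of one call per module.
    $latest = @{}
    Find-Module -Name $installed.Name -Repository $Repository -ErrorAction SilentlyContinue |
        ForEach-Object { $latest[$_.Name] = $_.Version }

    foreach ($module in $installed) {
        $have = ConvertTo-ComparableVersion $module.Version
        $want = ConvertTo-ComparableVersion $latest[$module.Name]
        # Modules missing from the gallery or with unparsable versions are skipped, not flagged.
        if ($have -and $want -and $have -lt $want) {
            [pscustomobject]@{
                Name      = $module.Name
                Installed = $module.Version
                Latest    = $latest[$module.Name]
            }
        }
    }
}

try {
    $outdated = @(Get-OutdatedModule)
    if ($outdated.Count -eq 0) {
        Write-Output 'All PowerShell Gallery modules are up to date.'
        exit 0
    }

    if (-not $Remediate) {
        # Detection: one compact line of output, then signal "issue detected".
        $summary = ($outdated | ForEach-Object { "$($_.Name) $($_.Installed)->$($_.Latest)" }) -join '; '
        Write-Output "Outdated: $summary"
        exit 1
    }

    foreach ($item in $outdated) {
        # Pin the repository and the version that detection reported.
        Install-Module -Name $item.Name -RequiredVersion $item.Latest -Repository $Repository `
            -Scope AllUsers -Force -ErrorAction Stop
        # Remove every older version that is still on disk.
        Get-InstalledModule -Name $item.Name -AllVersions |
            Where-Object { "$($_.Version)" -ne "$($item.Latest)" } |
            Uninstall-Module -Force -ErrorAction Stop
    }
    Write-Output ('Updated: ' + ($outdated.Name -join ', '))
    exit 0
}
catch {
    # Any failure is reported as non-compliant so it shows up in the portal.
    Write-Output "Module check failed: $($_.Exception.Message)"
    exit 1
}
```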

So all this sounds simple enough, let’s put it to work.

So how does this look in Microsoft Endpoint Manager?

Browse to http://endpoint.microsoft.com

Select Reports from the left hand menu and select Endpoint Analytics as shown below.

Select Proactive Remediation

So as you can see from the screenshot below, I have already created a script package to address my Windows 10 Virtual Machines with out-of-date PowerShell modules. It has identified 3 machines with issues and this issue has recurred 3 times, which I would accept as I installed a number of old modules to demonstrate this process.

So how do we create our script package? Simple!! First of all you will need the scripts from my GitHub https://github.com/TheWatcherNode/Proactive-Remediation then follow this simple video.

Log Checking

All the PowerShell scripts are executed by the Intune Management Extension. Its logs are in:

– C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

All scripts executed against the device are stored in the following location:

– C:\Windows\IMECache\HealthScripts

Negative side

As you may have 10s or 100s of modules installed, I don’t believe Proactive Remediation is fully geared up for my script currently. I need a bit more work to really make it fully compliant with how Proactive Remediation works.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-InstalledModulesUpdate.ps1

Conclusion

I was able to successfully remediate my PowerShell modules but am not 100% happy with how it displays back in the Endpoint Portal. I can see a lot of value in Proactive Remediation and I expect this area to grow as more and more consultants start writing scripts to detect and remediate issues.

Regards
The Author – Blogabout.Cloud

Managing firmware updates for Jabra Devices with Microsoft Endpoint Manager


Updated!! – 21st August 2020

After an interesting call today understanding the offerings from Jabra, my little mind got spinning on how to manage Jabra devices so firmware patches can be applied. Jabra has 2 different solution approaches, Jabra Xpress and Jabra Direct, so let’s incorporate these into Microsoft Endpoint Manager for a full modern workspace experience.

Jabra Xpress

This solution allows you to control deployment, settings and firmware updates for all the Jabra devices within your organisation. Here’s a quick video from Jabra about Xpress.

https://www.jabra.co.uk/software-and-services/jabra-xpress

The best part of Jabra Xpress is that it’s completely FREE!! unlike its competitors, who charge for the same functionality.


Jabra Direct

This solution allows the end user to control updates to their Jabra device; it would only apply where Jabra Xpress is not utilized. In many organizations you may come across a mixture of device vendors, so this approach may be better if there’s only a handful of devices.

Here’s a quick video from Jabra about Xpress.

How does this work with Microsoft Endpoint Manager?

Microsoft Endpoint Manager has the ability to push both client MSI files to the end user workstations or even make it available in the Company Portal.

Jabra Xpress

The MSI package for Jabra Xpress is created within the console, so whether you have the Cloud or On-Premises edition, the client will talk directly back to your corporate console to check for updates.

Once you have downloaded your Jabra Xpress MSI installer, head over to https://endpoint.microsoft.com

Browse to All Apps via Apps and Click Add

Select Line-of-Business App and press Select

Select the MSI file and Press Ok.

Enter a publisher’s name, as you won’t be able to continue from this point until it has been completed.

Now for the most important element, a command line argument which will link this installation to your Jabra Xpress Dashboard.

When you download the installation files from the Jabra Xpress Portal, you will see 2 .bat files, one for x64 and the other for x32. You will need to open the file, copy the argument and add it under “Command-line arguments”.

You may also like to include an image which will appear in the Company Portal, then Press Next

If you are using Scope Tags, select the one relevant to you and Press Next

Define your assignments of the installation of the new application and Press Next

Press Create

This will now install the Jabra Xpress client on my Windows 10 Virtual Machines.

Easy!!!

Jabra Direct

For Jabra Direct the same principle applies, apart from the Command-line arguments. Head over to https://www.jabra.co.uk/software-and-services/jabra-direct to download the installer.

Add it to Apps, but under Assignments, if you have an Azure AD group for users with Jabra devices, use “Available for Enrolled Devices” so the end user can install it freely from the Company Portal.

If you would like more information about Jabra Xpress, reach out to Jabra and they will happily provide more information or set up a tech session.

Regards
The Author – Blogabout.Cloud

Does your organization need to COPE with Corporate Owned devices but Personal Enabled


Corporate-owned, personally enabled devices is now in preview

Microsoft Endpoint Manager aka Intune now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. This solution enables Corporate-owned devices to run with a work profile and is a new corporate management scenario for Android Enterprise solution set.

This scenario is targeted at single-user devices intended for corporate and personal use. This corporate-owned, personally-enabled (COPE) scenario offers:

  • work and personal profile containerization
  • device-level control for admins
  • a guarantee for end users that their personal data and applications will remain private

While the organization owns the devices, in my experience the main thing organizations are concerned about is “Data Security”, so they leverage Work Profile to containerize the corporate data. Allowing the end user to use the device as they would if it were personal is a better option for work/life balance.

The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:

  • Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
  • Device configuration: A subset of the existing fully managed and dedicated device settings.
  • Device compliance: The compliance policies that are currently available for fully managed devices.
  • Device Actions: Delete device (factory reset), reboot device, and lock device.
  • App management: App assignments, app configuration, and the associated reporting capabilities
  • Conditional Access

Video to be released soon!!!

Regards
The Author – Blogabout.Cloud

What’s new in Microsoft Intune (Service Release 2007)


As of 13th July, Microsoft have introduced Service Release 2007. Here’s what’s available now.

App management

Win32 app installation notifications and the Company Portal

End users can now decide whether the applications shown in the Microsoft Intune Web Company Portal should be opened by the Company Portal app or the Company Portal website. This option is only available if the end user has the Company Portal app installed and launches a Web Company Portal application outside of a browser.

Exchange On-Premises Connector support

Intune is removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector will be able to continue with the current functionality at this time. New customers and existing customers that do not have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those customers, Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises.

S/MIME for Outlook on iOS and Android Enterprise devices managed without enrollment

You can now enable S/MIME for Outlook on iOS and Android Enterprise devices using app configuration policies for devices managed without enrollment. In Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed apps. Additionally, you can choose whether or not to allow users to change this setting in Outlook. For general information about S/MIME, see S/MIME overview to sign and encrypt email in Intune. For more information about Outlook configuration settings, see Microsoft Outlook configuration settings and Add app configuration policies for managed apps without device enrollment. For Microsoft Exchange specific S/MIME information, see S/MIME scenarios and Configuration keys – S/MIME settings.

Device configuration

New VPN settings for Windows 10 and newer devices

When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > VPN for profile > Base VPN):

  • Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user log on. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
  • Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.

To see the settings you can configure, go to Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 10 and newer

Configure more Microsoft Launcher settings in a device restrictions profile on Android Enterprise devices (COBO)

On Android Enterprise Fully Managed devices, you can configure more Microsoft Launcher settings using a device restrictions profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner only > Device restrictions > Device experience > Fully managed).

To see these settings, go to Android Enterprise device settings to allow or restrict features.

You can also configure the Microsoft Launcher settings using an app configuration profile.

Applies to:

  • Android Enterprise device owner fully managed devices (COBO)

New features for Managed Home Screen on Android Enterprise device owner dedicated devices (COSU)

On Android Enterprise devices, administrators can use device configuration profiles to customize the Managed Home Screen on dedicated devices using multi-app kiosk mode (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile > Device experience > Dedicated device > Multi-app).

Specifically, you can:

  • Customize icons, change the screen orientation, and show app notifications on badge icons
  • Hide the Managed Settings shortcut
  • Easier access to the debug menu
  • Create an allowed list of Wi-Fi networks
  • Easier access to the device information

For more information, see Android Enterprise device settings to allow or restrict features and this blog.

Applies to:

  • Android Enterprise device owner, dedicated devices (COSU)

Administrative templates updated for Microsoft Edge 84

The ADMX settings available for Microsoft Edge have been updated. End users can now configure and deploy new ADMX settings added in Edge 84. For more information, see the Edge 84 release notes.

Device enrollment

Corporate-owned, personally enabled devices (preview)

Intune now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. Corporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This scenario is for single user devices intended for corporate and personal use. This corporate-owned, personally-enabled (COPE) scenario offers:

  • work and personal profile containerization
  • device-level control for admins
  • a guarantee for end users that their personal data and applications will remain private

The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:

  • Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
  • Device configuration: A subset of the existing fully managed and dedicated device settings.
  • Device compliance: The compliance policies that are currently available for fully managed devices.
  • Device Actions: Delete device (factory reset), reboot device, and lock device.
  • App management: App assignments, app configuration, and the associated reporting capabilities
  • Conditional Access

For more information about corporate-owned with work profile preview, see the support blog.

Device management

Updates to the remote lock action for macOS devices

Changes to the remote lock action for macOS devices include:

  • The recovery pin is displayed for 30 days before deletion (instead of 7 days).
  • If an admin has a second browser open and tries to trigger the command again from a different tab or browser, Intune lets the command go through. But the reporting status is set to failed rather than generating a new pin.
  • The admin isn’t allowed to issue another remote lock command if the previous command is still pending or if the device hasn’t checked back in. These changes are designed to prevent the correct pin from being overwritten after multiple remote lock commands.

Device actions report differentiates between wipe and protected wipe

The Device actions report now differentiates between the wipe and protected wipe actions. To see the report, go to Microsoft Endpoint Manager admin center > Devices > Monitor > Device Actions (under Other).

Device security

Microsoft Defender Firewall rule migration tool preview

As a public preview, we’re working on a PowerShell based tool that will migrate Microsoft Defender Firewall rules. When you install and run the tool, it automatically creates endpoint security firewall rule policies for Intune that are based on the current configuration of a Windows 10 client. For more information, see Endpoint security firewall rule migration tool overview.

Endpoint detection and response policy for onboarding Tenant Attached devices to MDATP is Generally Available

As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies for use with devices managed by Configuration Manager are no longer in preview and are now Generally Available.

To use EDR policy with devices from a supported version of Configuration Manager, configure Tenant attach for Configuration Manager. After you complete the tenant attach configuration, you can deploy EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Bluetooth settings are available in Device Control profiles for Endpoint security Attack surface reduction policy

We’ve added settings to manage Bluetooth on Windows 10 devices to the Device control profile for Endpoint security Attack surface Reduction policy. These are the same settings as those that have been available in Device restriction profiles for Device configuration.

Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices

We’ve added two new settings to the Updates category of endpoint security antivirus policy for Windows 10 devices that can help you manage how devices get update definitions:

  • Define file shares for downloading definition updates
  • Define the order of sources for downloading definition updates

With the new settings you can add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted.

Improved security baselines node

We’ve made some changes to improve the usability of the security baseline node in the Microsoft Endpoint Manager admin center. Now when you drill in to Endpoint security > Security baselines and then select a security baseline type like the MDM Security Baseline, you’re presented with the Profiles pane. On the Profiles pane you view the profiles you’ve created for that Baseline type. Previously the console presented an Overview pane which included an aggregate data roll up that didn’t always match the details found in the reports for individual profiles.

Unchanged, from the Profiles pane you can select a profile to drill-in to view that profile’s properties as well as various reports that are available under Monitor. Similarly, at the same level as Profiles you can still select Versions to view the various versions of that profile type that you’ve deployed. When you drill-in to a version, you also gain access to reports, similar to the profile reports.

Derived credentials support for Windows

You can now use derived credentials with your Windows devices. This will expand on the existing support for iOS/iPadOS and Android, and will be available for the same derived credential providers:

  • Entrust Datacard
  • Intercede
  • DISA Purebred

Support for Windows includes use of a derived credential to authenticate to Wi-Fi or VPN profiles. For Windows devices, the derived credential is issued from the client app that’s provided by the derived credential provider that you use.

Manage FileVault encryption for devices that were encrypted by the device user and not by Intune

Intune can now assume management of FileVault disk encryption on a macOS device that was encrypted by the device user, and not by Intune policy. This scenario requires:

  • The device to receive disk encryption policy from Intune that enables FileVault.
  • The device user to use the Company Portal website to upload their personal recovery key for the encrypted device to Intune. To upload the key, they select the Store recovery key option for their encrypted macOS device.

After the user uploads their recovery key, Intune rotates the key to confirm it is valid. Intune can now manage the key and encryption as if it used policy to encrypt the device directly. Should a user need to recover their device, they can access the recovery key using any device from the following locations:

  • Company Portal website
  • Company Portal app for iOS/iPadOS
  • Company Portal app for Android
  • Intune app

Hide the personal recovery key from a device user during macOS FileVault disk encryption

When you use endpoint security policy to configure macOS FileVault disk encryption, use the Hide recovery key setting to prevent display of the personal recovery key to the device user, while the device is being encrypted. By hiding the key during encryption, you can help keep it secure as users won’t be able to write it down while waiting for the device to encrypt.

Later, if recovery is needed, a user can always use any device to view their personal recovery key through the Intune Company Portal website, the iOS/iPadOS Company Portal, the Android Company Portal, or the Intune app.

Improved view of security baseline details for devices

You can now drill-in to the details for a device to view the settings details for security baselines that apply to the device. The settings appear in a simple, flat list, which includes the setting category, setting name, and status. For more information, see View Endpoint security configurations per device.

Monitor and troubleshoot

Device compliance logs now in English

The Intune DeviceComplianceOrg logs previously only had enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. Now, these logs have English information in the columns.

Role-based access control

Assign profile and Update profile permission changes

Role-based access control permissions has changed for Assign profile and Update profile for the Automated Device Enrollment flow:

Assign profile: Admins with this permission can also assign the profiles to tokens and assign a default profile to a token for Automated Device Enrollment.

Update profile: Admins with this permission can update existing profiles only for Automated Device Enrollment.

To see these roles, go to Microsoft Endpoint Manager admin center > Tenant administration > Roles > All roles > Create > Permissions > Roles.

Scripting

Additional Data Warehouse v1.0 properties

Additional properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:

  • ethernetMacAddress – The unique network identifier of this device.
  • office365Version – The version of Office 365 that is installed on the device.

The following properties are now exposed via the devicePropertyHistories entity:

  • physicalMemoryInBytes – The physical memory in bytes.
  • totalStorageSpaceInBytes – Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API.

Regards
The Author – Blogabout.Cloud

Preventing applications from being installed on Fully Managed Android devices


I recently saw a blog post discussing the challenges of preventing applications being installed on Fully Managed Android devices where the end user is able to install applications from the Public Store. In some very important cases, this can cause security concerns.

So let’s look at one app in particular…

It has had 3.7 million active users since its launch in 2016 and, not only as an IT Professional but also as a parent, I have had my concerns.


Important Note

This process doesn’t apply to devices managed using the following methods:
– Work Profile
– Dedicated
– Device administrator
– Corporate-owned work profile

Browse to the Microsoft Endpoint Management Dashboard https://endpoint.microsoft.com

Select Apps –> Android

Select Add –> Managed Google Play app

Search for the application you would like to block

Select the application

Press Approve

Press Done

Press Sync

Select Properties –> Assignments

For this post I am blocking the application on all devices as shown below

Save the configuration

Now any device that tries to download TikTok from the public Google Play store will not be able to find the application.

Regards
The Author – Blogabout.Cloud

Your one stop shop for all things Microsoft UserVoice related

Your one stop shop for all things Microsoft UserVoice related

Microsoft UserVoice is a platform where organisations and Microsoft collaborate to understand key product development asks from the community. The higher the number of votes, the more likely Microsoft will investigate and introduce the new ask.

The table below provides links to all the Microsoft UserVoice forums.

IMPORTANT NOTE

This is a developing list and more links will be included once they have been discovered.
TopicURL
Accesshttps://access.uservoice.com
Bookingshttps://outlook.uservoice.com/forums/314907-microsoft-bookings
Business Centerhttps://office365.uservoice.com/forums/600793-office-365-business-center
Connectionshttps://office365.uservoice.com/forums/600610-microsoft-connections
Delvehttps://office365.uservoice.com/forums/273487-delve
– Bloghttps://office365.uservoice.com/forums/273487-delve?category_id=153906
– Boardshttps://office365.uservoice.com/forums/273487-delve?category_id=100468
– Content typeshttps://office365.uservoice.com/forums/273487-delve?category_id=163845
– Delve for Androidhttps://office365.uservoice.com/forums/273487-delve?category_id=103383
– Delve for Windowshttps://office365.uservoice.com/forums/273487-delve?category_id=153948
– Delve for iOShttps://office365.uservoice.com/forums/273487-delve?category_id=103386
– People Experienceshttps://office365.uservoice.com/forums/273487-delve?category_id=101694
– Praisehttps://office365.uservoice.com/forums/273487-delve?category_id=153909
– Searchhttps://office365.uservoice.com/forums/273487-delve?category_id=153915
Excelhttps://excel.uservoice.com
FastTrackhttps://office365.uservoice.com/forums/602104-fasttrack
Flowhttps://powerusers.microsoft.com/t5/Flow-Feedback/ct-p/Feedback
Formshttps://microsoftforms.uservoice.com
Generalhttps://office365.uservoice.com/forums/264636-general
Invoicinghttps://office365.uservoice.com/forums/600781-microsoft-invoicing
Listingshttps://office365.uservoice.com/forums/600778-microsoft-listings
M365 (Microsoft 365) Admin Mobilehttps://office365.uservoice.com/forums/312601-m365-microsoft-365-admin-mobile
Microsoft Connection email marketinghttps://office365.uservoice.com/forums/600610-microsoft-connections-email-marketing
Microsoft Endpoint Managerhttps://microsoftintune.uservoice.com/forums/291681-ideas
– Android-specifichttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=210853
– App protection policies (APP/MAM)https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=148986
– App config and deploymenthttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115719
– Autopilot / Windows enrollmenthttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=368299
– Azure Admin Consolehttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=189016
– Bitlocker Managementhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=386689
– Certs, Emails, VPN, Wi-Fihttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=324422
– Co-Managementhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=331534
– Company Portal (all platforms)https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115704
– Compliance Policieshttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=386695
– Conditional Accesshttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=155130
– Device Configuration Profileshttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=386686
– Documentationhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115707
– Fencing – Geo, Time Speed, etchttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=338164
– Intune Data Warehousehttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=209608
– Intune PC Clienthttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115716
– Intune for Eductionhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=190729
– Inventory (All Platforms)https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=319828
– Language / Translationhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=128305
– MacOS-specifichttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=210850
– Managed Browserhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=210862
– Mobile Device Management (General)https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115713
– Remote Assistance / Controlhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=176502
– Reporting https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=386692
– Role-based Access Control (RBAC)https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=358603
– Scripting-Graph / PowerShellhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=187750
– Silverlight Admin Consolehttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115722
– Telecom Expense Managementhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=210859
– Terms and Conditions (All Platforms)https://microsoftintune.uservoice.com/forums/291681-ideas?category_id=319825
– Troubleshootinghttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=359635
– User Managementhttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=115710
– Windows Updateshttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=379660
– Windows-specifichttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=210856
– iOS-specfichttps://microsoftintune.uservoice.com/forums/291681-ideas?category_id=210847
Microsoft Information Protectionhttps://office365.uservoice.com/forums/928576-microsoft-information-protection-mip
– Auto-labeling for data at resthttps://office365.uservoice.com/forums/928576-microsoft-information-protection-mip?category_id=385018
– Data Loss Preventation (DLP)https://office365.uservoice.com/forums/928576-microsoft-information-protection-mip?category_id=385009
– OMEhttps://office365.uservoice.com/forums/928576-microsoft-information-protection-mip?category_id=385015
– Right Managementhttps://office365.uservoice.com/forums/928576-microsoft-information-protection-mip?category_id=385012
– Sensitivity labels in Office applicationshttps://office365.uservoice.com/forums/928576-microsoft-information-protection-mip?category_id=385021
– Sensitivtes Information Typeshttps://office365.uservoice.com/forums/928576-microsoft-information-protection-mip?category_id=385027
Microsoft Invoicing https://office365.uservoice.com/forums/600781-microsoft-invoicing
Microsoft Listings Online Presencehttps://office365.uservoice.com/forums/600778-microsoft-listings-online-presence
Microsoft Searchhttps://office365.uservoice.com/forums/925270-microsoft-search
– Adminhttps://office365.uservoice.com/forums/925270-microsoft-search?category_id=373870
– Clienthttps://office365.uservoice.com/forums/925270-microsoft-search?category_id=373873
– Connectorshttps://office365.uservoice.com/forums/925270-microsoft-search?category_id=373876
– UX Customizationhttps://office365.uservoice.com/forums/925270-microsoft-search?category_id=373879
MyAnalytics https://myanalytics.uservoice.com/
Office 365 https://office365.uservoice.com
Office 365 Admin https://office365.uservoice.com/forums/273493-office-365-admin
– Apps and App Launcher https://office365.uservoice.com/forums/273493-office-365-admin?category_id=127975
– Exchange Admin https://office365.uservoice.com/forums/273493-office-365-admin?category_id=96338
– Lync Admin https://office365.uservoice.com/forums/273493-office-365-admin?category_id=96339
– Message Center https://office365.uservoice.com/forums/273493-office-365-admin?category_id=94710
– Service Health Dashboard https://office365.uservoice.com/forums/273493-office-365-admin?category_id=94709
– SharePoint Admin https://office365.uservoice.com/forums/273493-office-365-admin?category_id=96337
Office 365 Business Center https://office365.uservoice.com/forums/600793-office-365-business-center
Office 365 Groups https://office365.uservoice.com/forums/286611-office-365-groups
Office 365 Security & Compliance https://office365.uservoice.com/forums/289138-office-365-security-compliance
– Advanced Security Management https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=174141
– Auditing https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137187
– Communication Compliance https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=379534
– Compliance Manager https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=323794
– DLP & Transport Rules https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137265
– Information Governance and Records Management https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=379531
– Information Protection https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=379528
– Insider Risk Management https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=384439
– Malware https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137184
– Message Encryption & Rights Management https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137262
– Message Trace https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137181
– Privacy https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=333217
– Reports https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137175
– Service Trust Portal https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=323791
– Spam & Phishing https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=137178
– eDiscovery https://office365.uservoice.com/forums/289138-office-365-security-compliance?category_id=139404
Office 365 Suite Navigation Bar https://office365.uservoice.com/forums/926008-office-365-suite-navigation-bar
Office.com https://office365.uservoice.com/forums/325347-office-com-home-page
Office + Edition Browser Extension https://office365.uservoice.com/forums/926797-office-editor-browser-extension
Office Lens https://officelens.uservoice.com
OneDrive https://onedrive.uservoice.com
OneNote https://onenote.uservoice.com
Outlook https://outlook.uservoice.com
Planner https://planner.uservoice.com
Power BI https://ideas.powerbi.com/forums/265200-power-bi-ideas
PowerApps https://powerusers.microsoft.com/t5/Product-Feedback/ct-p/PA-feedback
PowerPoint https://powerpoint.uservoice.com
Project https://microsoftproject.uservoice.com
SharePoint https://sharepoint.uservoice.com
StaffHub https://staffhub.uservoice.com
Skype for Business https://www.skypefeedback.com
Stream https://techcommunity.microsoft.com/t5/Microsoft-Stream-Ideas/idb-p/StreamIdeas
Sway https://sway.uservoice.com
Teams https://microsoftteams.uservoice.com/forums/555103-public
To-Do https://todo.uservoice.com/
Visio https://visio.uservoice.com
Word https://word.uservoice.com
Yammer https://yammer.uservoice.com

Regards
The Author – Blogabout.Cloud

Configuring Microsoft Endpoint Manager Connector for Managed Google Play Store

In this video, I run through how to connect Managed Google Play Store to Microsoft Endpoint Manager and approve applications that can be published to your Android devices.

Regards
The Author – Blogabout.Cloud

Installing PowerShell modules using Microsoft Endpoint Manager

In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.

Regards
The Author – Blogabout.Cloud

Configuring your Windows 10 devices with custom Desktop and Lockscreen backgrounds with Microsoft Endpoint Manager.

Using Microsoft Endpoint Manager and Azure Blob Storage to deliver customized Desktop and Lockscreen backgrounds.

Regards
The Author – Blogabout.Cloud

What’s dropped this month in Microsoft Endpoint Manager – May Round Up

In this post, you can see all the new items that have been released in the following product areas:

– Device Management
– App Management
– Device Configuration
– Device enrollment
– Monitor and Troubleshoot
– Security

Device Management

Use sync remote action in bulk for iOS

You can now use the sync remote action on up to 100 iOS devices at a time. To see this feature, go to Microsoft Endpoint Manager admin center > Devices > All devices > Bulk device actions.

Automated device sync interval down to 12 hours

For Apple’s Automated Device Enrollment, the automated device sync interval between Intune and Apple Business Manager has been reduced from 24 hours to 12 hours. For more information on sync, see Sync managed devices.

App Management

Customize self-service device actions in the Company Portal

You can customize the available self-service device actions that are shown to end-users in the Company Portal app and website. To help prevent unintended device actions, you can configure these settings for the Company Portal app by selecting Tenant Administration > Customization. The following actions are available:

Auto update VPP available apps

Apps that are published as Volume Purchase Program (VPP) available apps will be automatically updated when Automatic App Updates is enabled for the VPP token. Previously, VPP available apps did not automatically update. Instead, end-users had to go to the Company Portal and reinstall the app if a newer version was available. Required apps continue to support automatic updates.

Unified delivery of Azure AD Enterprise and Office Online applications in the Company Portal

This feature has been delayed. On the Customization pane of Intune, you can select to Hide or Show both Azure AD Enterprise applications and Office Online applications in the Company Portal. Each end-user will see their entire application catalog from the chosen Microsoft service. By default, each additional app source will be set to Hide. This feature will first take effect in the Company Portal website, with support in the Windows, iOS/iPadOS, and macOS Company Portals expected to follow. In the Microsoft Endpoint Manager admin center, select Tenant administration > Customization to find this configuration setting. For related information, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Android Company Portal user experience

In the 2005 release of Android Company Portal, end-users of Android devices that are issued a warn, block, or wipe by an app protection policy will see a new user experience. Instead of the current dialog experience, end-users will see a full page message describing the reason for the warn, block, or wipe and the steps to remediate the issue. For more information, see App protection experience for Android devices and Android app protection policy settings in Microsoft Intune.

Support for multiple accounts in Company Portal for macOS

The Company Portal on macOS devices now caches user accounts, making sign-in easier. Users no longer need to sign into the Company Portal every time they launch the application. Additionally, the Company Portal will display an account picker if multiple user accounts are cached, so that users don’t have to enter their user name.

Newly available protected apps

The following protected apps are now available:

  • Board Papers
  • Breezy for Intune
  • Hearsay Relate for Intune
  • ISEC7 Mobile Exchange Delegate for Intune
  • Lexmark for Intune
  • Meetio Enterprise
  • Microsoft Whiteboard
  • Now® Mobile – Intune
  • Qlik Sense Mobile
  • ServiceNow® Agent – Intune
  • ServiceNow® Onboarding – Intune
  • Smartcrypt for Intune
  • Tact for Intune
  • Zero – email for attorneys

For more information about protected apps, see Microsoft Intune protected apps.

Search the Intune docs from the Company Portal

You can now search the Intune documentation directly from the Company Portal for macOS app. In the menu bar, select Help > Search and enter the key words of your search to quickly find answers to your questions.

Windows 32-bit (x86) apps on ARM64 devices

Windows 32-bit (x86) apps that are deployed as available to ARM64 devices will now be displayed in the Company Portal. For more information about Windows 32-bit apps, see Win32 app management.

Windows Company Portal app icon

The icon for the Windows Company Portal app has been updated. For more information about the Company Portal, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Update to icons in Company Portal app for iOS/iPadOS and macOS

We’ve updated the icons in Company Portal to create a more modern look and feel that’s supported on dual screen devices and aligns with the Microsoft Fluent Design System. To see the updated icons, go to UI updates for Intune end-user apps.

Device Configuration

Improvements to OEMConfig support for Zebra Technologies devices

Intune fully supports all features provided by Zebra OEMConfig. Customers managing Zebra Technologies devices with Android Enterprise and OEMConfig can deploy multiple OEMConfig profiles to one device. Customers can also view rich reporting about the status of their Zebra OEMConfig profiles.

For more information, see Deploy multiple OEMConfig profiles to Zebra devices in Microsoft Intune.

There is no change in OEMConfig behavior for other OEMs.

Applies to:

  • Android Enterprise
  • Zebra Technologies devices that support OEMConfig. For specific details on support, contact Zebra.

Configure system extensions on macOS devices

On macOS devices, you can create a kernel extensions profile to configure settings at the kernel-level (Devices > Configuration profiles > macOS for platform > Kernel extensions for profile). Apple is eventually deprecating kernel extensions, and replacing them with system extensions in a future release.

System extensions run in the user space, and don’t have access to the kernel. The goal is to increase security and provide more end user control, while limiting attacks at the kernel level. Both kernel extensions and system extensions allow users to install app extensions that extend the native capabilities of the operating system.

In Intune, you can configure both kernel extensions and system extensions (Devices > Configuration profiles > macOS for platform > System extensions for profile). Kernel extensions apply to 10.13.2 and newer. System extensions apply to 10.15 and newer. From macOS 10.15 to macOS 10.15.4, kernel extensions and system extensions can run side-by-side.

To learn about these extensions on macOS devices, see Add macOS extensions.

Applies to:

  • macOS 10.15 and newer

Configure app and process privacy preferences on macOS devices

With the release of macOS Catalina 10.15, Apple added new security and privacy enhancements. By default, applications and processes are unable to access specific data without user consent. If users don’t provide consent, the applications and processes may fail to function. Intune is adding support for settings that enable IT administrators to allow or disallow data access consent on behalf of end-users on devices running macOS 10.14 and later. These settings will ensure that applications and processes continue to function properly, and reduce the number of prompts.

For more information on the settings you can manage, see macOS privacy preferences.

Applies to:

  • macOS 10.14 and newer

Device enrollment

Company Portal for Android guides users to get apps after work profile enrollment

We’ve improved the in-app guidance in Company Portal to make it easier for users to find and install apps. After they enroll in work profile management, users will get a message explaining how to find suggested apps in the badged version of Google Play. The last step in Enroll device with Android profile has been updated to show the new message. Users will also see a new Get Apps link in the Company Portal drawer on the left. To make way for these new and improved experiences, the APPS tab was removed. To see the updated screens, go to UI updates for Intune end-user apps.

Enrollment restrictions support scope tags

You can now assign scope tags to enrollment restrictions. To do so, go to Microsoft Endpoint Manager admin center > Devices > Enrollment restrictions > Create restriction. Create either type of restriction and you’ll see the Scope tags page. For more information, see Set enrollment restrictions.

Autopilot support for HoloLens 2 devices

Windows Autopilot now supports HoloLens 2 devices. For more information on using Autopilot for HoloLens, see Windows Autopilot for HoloLens 2.

Monitor and troubleshoot

Device reports UI update

The reports overview pane will now provide a Summary and a Reports tab. In the Microsoft Endpoint Manager admin center, select Reports, then select the Reports tab to see the available report types. For related information, see Intune reports.

Security

Derived credentials support for DISA Purebred on Android devices

You can now use DISA Purebred as a derived credentials provider on Android Enterprise fully managed devices. Support includes retrieving a derived credential for DISA Purebred. You can use a derived credential for app authentication, Wi-Fi, VPN, or S/MIME signing and/or encryption with apps that support it.

Send push notifications as an action for noncompliance

You can now configure an action for noncompliance that sends a push notification to a user when their device fails to meet conditions of a compliance policy. The new action is Send push notification to end user, and is supported on Android and iOS devices.

When users select the push notification on their device, the Company Portal or Intune app opens to display details about why they are noncompliant.

Endpoint security content and new features

The documentation for Intune Endpoint Security is now available. In the endpoint security node of the Microsoft Endpoint Manager admin center you can:

  • Create and deploy focused security policies to your managed devices
  • Configure integration with Microsoft Defender Advanced Threat Protection, and manage security tasks that help remediate risks for at-risk devices as identified by your ATP team
  • Configure security baselines
  • Manage device compliance and conditional access policies
  • View compliance status for all your devices from both Intune and Configuration Manager when Configuration Manager is configured for client attach.

In addition to the availability of content, the following are new for Endpoint Security this month:

  • Endpoint security policies are out of preview and are now ready to use in production environments, as generally available, with two exceptions:
    • In a new public preview, you can use the Microsoft Defender Firewall rules profile for Windows 10 Firewall policy. With each instance of this profile you can configure up to 150 firewall rules to complement your Microsoft Defender Firewall profiles.
    • Account protection security policy remains in preview.
  • You can now create a duplicate of endpoint security policies. Duplicates keep the settings configuration of the original policy, but get a new name. The new policy instance doesn’t include any assignments to groups until you edit the new policy instance to add them. You can duplicate the following policies:
    • Antivirus
    • Disk encryption
    • Firewall
    • Endpoint detection and response
    • Attack surface reduction
    • Account protection
  • You can now create a duplicate of a security baseline. Duplicates keep the settings configuration of the original baseline, but get a new name. The new baseline instance doesn’t include any assignments to groups until you edit the new baseline instance to add them.
  • A new report for endpoint security antivirus policy is available: Windows 10 unhealthy endpoints. This report is a new page you can select when you’re viewing your endpoint security antivirus policy. The report displays the antivirus status of your MDM-managed Windows 10 devices.

Support for S/MIME signing and encryption certificates with Outlook on Android

You can now use certificates for S/MIME signing and encryption with Outlook on Android. With this support, you can provision these certificates by using SCEP, PKCS, and PKCS imported certificate profiles. The following Android platforms are supported:

  • Android Enterprise Work Profile
  • Android Device Administrator

Support for Android Enterprise Fully Managed devices is coming soon.

For more information about this support, see Sensitivity labeling and protection in Outlook for iOS and Android in the Exchange documentation.

Use Endpoint detection and response policy to onboard devices to Defender ATP

Use endpoint security policy for Endpoint detection and response (EDR) to onboard and configure devices for your deployment of Microsoft Defender Advanced Threat Protection (Defender ATP). EDR supports policy for Windows devices managed by Intune (MDM), and a separate policy for Windows devices managed by Configuration Manager.

To use the policy for Configuration Manager devices, you must set up Configuration Manager to support the EDR policy. Set up includes:

  • Configure your Configuration Manager for tenant attach.
  • Install an in-console update for Configuration Manager to enable support for the EDR policies. This update applies only to hierarchies that have enabled tenant attach.
  • Synchronize your device collections from your hierarchy to the Microsoft Endpoint Manager admin center.

Scripting

macOS script support

Script support for macOS is now generally available. In addition, we have added support for both user assigned scripts and macOS devices that have been enrolled with Apple’s Automated Device Enrollment (formerly Device Enrollment Program). For more information, see Use shell scripts on macOS devices in Intune.

Regards
The Author – Blogabout.Cloud