Category Archives: InTune

Avoid conflicts with Group Policy and Microsoft Endpoint Manager – Identify Group Policy settings not supported by MDM.

When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify the Group Policy settings that MDM does not support, using Microsoft's MDM Migration Analysis Tool (MMAT).

To run this tool, follow the instructions below:

Install the Remote Server Administration Tools (RSAT) for your version of Windows. MMAT uses the Group Policy cmdlets that RSAT installs (Get-GPOReport and friends) to collect the GPO reports it analyses.
Windows 7 – https://www.microsoft.com/en-us/download/details.aspx?id=7887
Windows 8 – https://www.microsoft.com/en-us/download/details.aspx?id=28972
Windows 8.1 – https://www.microsoft.com/en-us/download/details.aspx?id=39296
Windows 10 – https://www.microsoft.com/en-us/download/details.aspx?id=45520
On Windows 10 version 1809 and later, RSAT is a Feature on Demand rather than a download: Settings –> Apps –> Optional features, or Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0 from an elevated prompt.

Download the MMAT tool from GitHub (https://github.com/WindowsDeviceManagement/MMAT) as a zip and extract it on your PC.

Open a PowerShell window running as an administrator.
Change directory to the MMAT-master folder, which contains the scripts and the executable.

Run the following commands:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

./Invoke-MdmMigrationAnalysisTool.ps1 -collectGPOReports -runAnalysisTool

The -Scope Process switch limits the relaxed execution policy to this PowerShell session; do not set Unrestricted machine-wide just to run a one-off tool.

When Invoke-MdmMigrationAnalysisTool.ps1 completes, it generates:

MDMMigrationAnalysis.xml: an XML report containing information about the policies applied to the target user and computer and how, if at all, they map to MDM.

The report defines which settings are and are not supported.
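The procedure above wrapped in a script, as an added example that is not part of the original post or of the MMAT project: it checks the prerequisites (an elevated session and the RSAT Group Policy cmdlets), relaxes the execution policy for this process only, runs MMAT, and then summarises the XML report. Assumptions: MMAT is extracted to the path passed as $MmatPath and writes MDMMigrationAnalysis.xml next to its scripts; the report's element and attribute names are not assumed, so Get-MmatSummary walks every element and groups on any attribute whose name or value mentions "support". Check its output against the report itself the first time you use it.

```powershell
# Added example (not from the original post or from MMAT). Assumes MMAT lives in $MmatPath.

function Test-MmatPrerequisites {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # Get-GPOReport comes with the RSAT Group Policy Management tools; MMAT calls it.
    $rsat = [bool](Get-Command Get-GPOReport -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Elevated = $elevated; RsatGroupPolicy = $rsat }
}

function Invoke-MmatScoped {
    param([Parameter(Mandatory)][string]$MmatPath)

    $pre = Test-MmatPrerequisites
    if (-not $pre.Elevated)        { throw 'Run this from an elevated PowerShell session.' }
    if (-not $pre.RsatGroupPolicy) { throw 'Get-GPOReport not found: install the RSAT Group Policy Management tools first.' }

    # Process scope only: the relaxed policy dies with this PowerShell process and
    # nothing is written to the machine or user execution policy.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
    Push-Location -LiteralPath $MmatPath
    try     { & .\Invoke-MdmMigrationAnalysisTool.ps1 -collectGPOReports -runAnalysisTool }
    finally { Pop-Location }

    Join-Path -Path $MmatPath -ChildPath 'MDMMigrationAnalysis.xml'
}

function Get-MmatSummary {
    param([Parameter(Mandatory)][string]$ReportPath)

    [xml]$report = Get-Content -LiteralPath $ReportPath -Raw
    $rows = foreach ($node in $report.SelectNodes('//*')) {
        foreach ($attr in $node.Attributes) {
            # Schema-agnostic: keep any attribute whose name or value talks about support.
            if ($attr.Name -notmatch 'support' -and $attr.Value -notmatch 'support') { continue }
            $nameAttr = $node.Attributes['name']
            if (-not $nameAttr) { $nameAttr = $node.Attributes['Name'] }
            [pscustomobject]@{
                Element = $node.LocalName
                Setting = $(if ($nameAttr) { $nameAttr.Value } else { $node.InnerText.Trim() })
                Status  = "$($attr.Name)=$($attr.Value)"
            }
        }
    }
    # How many settings fall into each status, then the ones that did not map to MDM.
    $rows | Group-Object -Property Status | Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name | Format-Table -AutoSize | Out-String | Write-Host
    $rows | Where-Object { $_.Status -match 'not|un' } | Sort-Object -Property Element, Setting
}

# Usage:
# $xml = Invoke-MmatScoped -MmatPath 'C:\Tools\MMAT-master'
# Get-MmatSummary -ReportPath $xml
```

The unsupported rows are the ones to resolve before enrolling devices: either find the equivalent setting in Intune (Administrative Templates or Settings Catalog) or keep that GPO and exclude it from the migration.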

Regards
The Author – Blogabout.Cloud

Avoid conflicts with Group Policy and Microsoft Endpoint Manager – Make your MDM Policies Win

When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies win over GPO.

Lets get to it and launch Microsoft Endpoint Manager dashboard –> Go to Devices –> Configuration Profile –> Create Profile

Platform – Windows 10 and later
Profile – Custom

Click Create

Click Add and enter the below

Name: ConflictPolicyConflict
Description: Enter value if required
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1

Click Save –> Press Next

If you are using Scope Tags – Define your tags and Press Next

Define your selected groups of machines for the profile and Press Next

Define applicability rules if in use and Press Next

Press Create

This will now force MDM policies to win over Group Policies assigned to a Windows 10 device. Two caveats: the MDMWinsOverGP setting exists from Windows 10 version 1803, and it only arbitrates conflicts for policies in the Policy CSP (the ADMX-backed settings). MDM settings delivered through other CSPs that have Group Policy equivalents are not affected, so those conflicts still need to be removed on the GPO side.
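The same profile created and assigned through Microsoft Graph, plus a check to run on a device after it has synced, as an added example that is not part of the original post. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest), an account that can consent to DeviceManagementConfiguration.ReadWrite.All, and the object ID of the target device group.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.Authentication is installed.

function New-MdmWinsOverGpProfile {
    param(
        [Parameter(Mandatory)][string]$GroupId,            # object ID of the target device group
        [string]$DisplayName = 'MDM wins over GP'
    )
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

    # Same row as the portal walkthrough above: one custom OMA-URI, integer 1.
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'ControlPolicyConflict/MDMWinsOverGP = 1; Policy CSP settings only, Windows 10 1803+'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'MDMWinsOverGP'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'
                value         = 1
            }
        )
    }
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    # Assign to the group (the portal's Assignments step).
    $assign = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null

    $created.id
}

function Test-MdmWinsOverGp {
    # Run on a target device after it has synced. MDMWinsOverGP exists from Windows 10
    # version 1803 (build 17134); older builds ignore it.
    $build = [Environment]::OSVersion.Version.Build
    # Applied Policy CSP device settings are mirrored under PolicyManager\current\device\<Area>.
    $key   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $value = (Get-ItemProperty -Path $key -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
    [pscustomobject]@{
        Build          = $build
        BuildSupported = ($build -ge 17134)
        MDMWinsOverGP  = $value
        Applied        = ($build -ge 17134) -and ($value -eq 1)
    }
}

# Usage:
# New-MdmWinsOverGpProfile -GroupId '<group object id>'   # from an admin workstation
# Test-MdmWinsOverGp                                       # on a synced Windows 10 device
```

If Test-MdmWinsOverGp reports Applied = False on a supported build, force a sync from Settings –> Accounts –> Access work or school before assuming the assignment is wrong.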

Regards
The Author – Blogabout.Cloud

Decrease the delay of administratively assigned OneDrive libraries with Proactive remediations

There is a registry value that decreases the delay before end users see their administratively assigned libraries in the OneDrive sync client.

Important Note

The purpose of this Proactive Remediation is to set the registry value every time a user reboots the client device, because the value is removed at reboot. Proactive Remediations detects whether the registry value exists and, if not, creates it, on a recurring schedule.

So let's get creating the Proactive Remediation profile.

Navigate to Reports –> Endpoint analytics

Under Proactive remediations, click Create script package

Provide Name and Description

Now it's time to upload the scripts. For the detection script, copy and paste the PowerShell code below

<#Information

    Author: thewatchernode
    Contact: author@blogabout.cloud
    Published: 5th January 2021

    .DESCRIPTION
    Detection script for the OneDrive TimerAutoMount flag. Exits 0 (Compliant) when the
    value is already set for the signed-in user and 1 (Not Compliant) otherwise, which
    tells Proactive Remediations to run the remediation script.

    Version Changes

    : 0.1 Initial Script Build
    : 1.0 Initial Release

    .EXAMPLE
    .\Detect_OneDriveDelayFlag.ps1

    Description
    -----------
    Runs script with default values.

    .INPUTS
    None. You cannot pipe objects to this script.
#>
#region Shortnames
# HKCU path: the script package must run as the logged-on user, not as SYSTEM.
$Path  = "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1"
$Name  = "TimerAutoMount"
$Value = 1
#endregion Shortnames

#region Function
Function Test-OneDriveRegKey {
    Try {
        # -ErrorAction Stop makes a missing key or value land in the Catch block.
        $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
        If ($Registry -eq $Value) {
            # Write-Output (stdout) is what Intune shows as the detection output.
            Write-Output "Compliant"
            Exit 0
        }
        Write-Output "Not Compliant: $Name is $Registry"
        Exit 1
    }
    Catch {
        Write-Output "Not Compliant: $Name not present"
        Exit 1
    }
}
#endregion Function

#Script Block
Test-OneDriveRegKey

For the remediation script, copy and paste the below PowerShell code

<#Information

    Author: thewatchernode
    Contact: author@blogabout.cloud
    Published: 5th January 2021

    .DESCRIPTION
    Remediation script for the OneDrive TimerAutoMount flag. Sets the value to 1 for the
    signed-in user and exits 0 on success, 1 on failure.

    Version Changes

    : 0.1 Initial Script Build
    : 1.0 Initial Release

    .EXAMPLE
    .\Remediate_OneDriveDelayFlag.ps1

    Description
    -----------
    Runs script with default values.

    .INPUTS
    None. You cannot pipe objects to this script.
#>

#region Shortnames
$Path  = "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1"
$Name  = "TimerAutoMount"
$Type  = "QWORD"
$Value = 1
#endregion Shortnames

#region Script Block
Try {
    # Business1 only exists once the sync client has signed in to a work account;
    # until then there is nothing to set, so report it and let the next run retry.
    If (-not (Test-Path -Path $Path)) {
        Write-Output "OneDrive business account not configured yet; nothing to remediate"
        Exit 1
    }
    # Set-ItemProperty creates the value if it is missing and overwrites it if not.
    Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value -ErrorAction Stop
    Write-Output "Remediated: $Name set to $Value"
    Exit 0
}
Catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    Exit 1
}
#endregion Script Block

Ensure that Run this script using the logged-on credentials is set to Yes: both scripts write to HKCU, so they must run as the user rather than as SYSTEM. The settings should look like so

Assign the script package to your required groups.

The default schedule is daily. Because the value is removed at every reboot, you may need to edit the schedule (hourly is the most frequent option available).

This concludes this post.

Regards
The Author – Blogabout.Cloud

QuickTip: Unable to see available applications for Windows 10 device in Company Portal

When enrolling new or existing Windows 10 devices into Microsoft Endpoint Manager, the user may not be able to see the available applications straight away, as shown below;

Screenshot of no device shown.

The resolution is a very simple one from the Company Portal website.

At https://portal.manage.microsoft.com go to 'Devices'

Select Tap here.

Screenshot of my devices.

On the next screen, select your device to enroll it.

Screenshot of selecting which device.

You are returned to My Devices. The device should show a green check, as shown in the following screenshot.

Screenshot of my devices.

Return to the Apps screen. The applications should now be visible.

Screenshot of apps displayed.

Regards
The Author – Blogabout.Cloud

Whats new in Microsoft Intune (Service Release 2007)

As of 13th July 2020, Microsoft has released Service Release 2007. Here is what's available now.

App management

Win32 app installation notifications and the Company Portal

End users can now decide whether the applications shown in the Microsoft Intune Web Company Portal should be opened by the Company Portal app or the Company Portal website. This option is only available if the end user has the Company Portal app installed and launches a Web Company Portal application outside of a browser.

Exchange On-Premises Connector support

Intune is removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector will be able to continue with the current functionality at this time. New customers and existing customers that do not have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those customers, Microsoft recommends the use of Exchange hybrid modern authentication (HMA) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises.

S/MIME for Outlook on iOS and Android Enterprise devices managed without enrollment

You can now enable S/MIME for Outlook on iOS and Android Enterprise devices using app configuration polices for devices managed without enrollment. In Microsoft Endpoint Manager admin center, select Apps > App configuration policies > Add > Managed apps. Additionally, you can choose whether or not to allow users to change this setting in Outlook. For general information about S/MIME, see S/MIME overview to sign and encrypt email in Intune. For more information about Outlook configuration settings, see Microsoft Outlook configuration settings and Add app configuration policies for managed apps without device enrollment. For Microsoft Exchange specific S/MIME information, see S/MIME scenarios and Configuration keys – S/MIME settings.

Device configuration

New VPN settings for Windows 10 and newer devices

When you create a VPN profile using the IKEv2 connection type, there are new settings you can configure (Devices > Configuration profiles > Create profile > Windows 10 and later for platform > VPN for profile > Base VPN):

  • Device Tunnel: Allows devices to automatically connect to VPN without requiring any user interaction, including user log on. This feature requires you to enable Always On, and use Machine certificates as the authentication method.
  • Cryptography suite settings: Configure the algorithms used to secure IKE and child security associations, which allow you to match client and server settings.

To see the settings you can configure, go to Windows device settings to add VPN connections using Intune.

Applies to:

  • Windows 10 and newer
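What the two new IKEv2 settings look like once they reach the device, as an added example that is not part of the original post or of Microsoft's release notes: a VPNv2 CSP ProfileXML for a device tunnel (Always On, machine certificate) with an explicit cryptography suite, and a small lint that rejects legacy algorithms before the profile is pushed. The server name, the algorithm choice and the reject list are assumptions for the example; match them to what your VPN gateway actually negotiates.

```powershell
# Added example (not from the original post). The ProfileXML below is constructed for
# the example; vpn.example.com and the algorithm choices are assumptions.

$ProfileXml = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <CryptographySuite>
      <AuthenticationTransformConstants>GCMAES256</AuthenticationTransformConstants>
      <CipherTransformConstants>GCMAES256</CipherTransformConstants>
      <EncryptionMethod>AES256</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
</VPNProfile>
'@

# The same profile with the legacy choices a reviewer should reject.
$WeakProfileXml = $ProfileXml `
    -replace '<EncryptionMethod>AES256', '<EncryptionMethod>DES3' `
    -replace '<IntegrityCheckMethod>SHA256', '<IntegrityCheckMethod>SHA196' `
    -replace '<DHGroup>Group14', '<DHGroup>Group2' `
    -replace '<PfsGroup>PFS2048', '<PfsGroup>None'

function Test-VpnProfileCrypto {
    param([Parameter(Mandatory)][string]$Xml)

    [xml]$doc = $Xml
    $vpn      = $doc.VPNProfile
    $native   = $vpn.NativeProfile
    $suite    = $native.CryptographySuite
    $findings = New-Object System.Collections.Generic.List[string]

    # Device tunnel prerequisites from the VPNv2 CSP: IKEv2, Always On, machine certificate.
    if ($vpn.DeviceTunnel -eq 'true') {
        if ($native.NativeProtocolType -ne 'IKEv2')                 { $findings.Add('DeviceTunnel requires NativeProtocolType IKEv2') }
        if ($vpn.AlwaysOn -ne 'true')                                { $findings.Add('DeviceTunnel requires AlwaysOn true') }
        if ($native.Authentication.MachineMethod -ne 'Certificate') { $findings.Add('DeviceTunnel requires Authentication/MachineMethod Certificate') }
    }

    if (-not $suite) {
        $findings.Add('No CryptographySuite: the client negotiates the platform defaults')
        return [pscustomobject]@{ Passed = $false; Findings = $findings.ToArray() }
    }

    # Values to reject (assumed review policy): DES/3DES, MD5 or SHA-1 integrity,
    # 768/1024-bit DH groups, and no perfect forward secrecy.
    $reject = @{
        EncryptionMethod                 = '^(DES|DES3)$'
        IntegrityCheckMethod             = '^(MD5|SHA1)'
        AuthenticationTransformConstants = '^(MD596|SHA196|None)$'
        CipherTransformConstants         = '^(MD596|SHA196|None)$'
        DHGroup                          = '^(Group1|Group2)$'
        PfsGroup                         = '^(PFS1|PFS2|None)$'
    }
    foreach ($setting in $reject.Keys) {
        $actual = $suite.$setting
        if (-not $actual) { $findings.Add("CryptographySuite/$setting not set"); continue }
        if ($actual -match $reject[$setting]) { $findings.Add("CryptographySuite/$setting = $actual is rejected") }
    }
    [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

Test-VpnProfileCrypto -Xml $ProfileXml
Test-VpnProfileCrypto -Xml $WeakProfileXml
```

The Intune profile editor exposes the same elements as form fields; the lint is useful when profiles are kept as XML in source control and reviewed before import, and the same checks can be applied to the server side so both ends of the IKE negotiation agree.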

Configure more Microsoft Launcher settings in a device restrictions profile on Android Enterprise devices (COBO)

On Android Enterprise Fully Managed devices, you can configure more Microsoft Launcher settings using a device restrictions profile (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner only > Device restrictions > Device experience > Fully managed).

To see these settings, go to Android Enterprise device settings to allow or restrict features.

You can also configure the Microsoft Launcher settings using an app configuration profile.

Applies to:

  • Android Enterprise device owner fully managed devices (COBO)

New features for Managed Home Screen on Android Enterprise device owner dedicated devices (COSU)

On Android Enterprise devices, administrators can use device configuration profiles to customize the Managed Home Screen on dedicated devices using multi-app kiosk mode (Devices > Configuration profiles > Create profile > Android Enterprise for platform > Device Owner Only > Device Restrictions for profile > Device experience > Dedicated device > Multi-app).

Specifically, you can:

  • Customize icons, change the screen orientation , and show app notifications on badge icons
  • Hide the Managed Settings shortcut
  • Easier access to the debug menu
  • Create an allowed list of Wi-Fi networks
  • Easier access to the device information

For more information, see Android Enterprise device settings to allow or restrict features and this blog.

Applies to:

  • Android Enterprise device owner, dedicated devices (COSU)

Administrative templates updated for Microsoft Edge 84

The ADMX settings available for Microsoft Edge have been updated. Administrators can now configure and deploy the new ADMX settings added in Edge 84. For more information, see the Edge 84 release notes.

Device enrollment

Corporate-owned, personally enabled devices (preview)

Intune now supports Android Enterprise corporate-owned devices with a work profile for OS versions Android 8 and above. Corporate-owned devices with a work profile is one of the corporate management scenarios in the Android Enterprise solution set. This scenario is for single user devices intended for corporate and personal use. This corporate-owned, personally-enabled (COPE) scenario offers:

  • work and personal profile containerization
  • device-level control for admins
  • a guarantee for end users that their personal data and applications will remain private

The first public preview release will include a subset of the features that will be included in the generally available release. Additional features will be added on a rolling basis. The features that will be available in the first preview include:

  • Enrollment: Admins can create multiple enrollment profiles with unique tokens that do not expire. Device enrollment can be done through NFC, token entry, QR code, Zero Touch, or Knox Mobile Enrollment.
  • Device configuration: A subset of the existing fully managed and dedicated device settings.
  • Device compliance: The compliance policies that are currently available for fully managed devices.
  • Device Actions: Delete device (factory reset), reboot device, and lock device.
  • App management: App assignments, app configuration, and the associated reporting capabilities
  • Conditional Access

For more information about corporate-owned with work profile preview, see the support blog.

Device management

Updates to the remote lock action for macOS devices

Changes to the remote lock action for macOS devices include:

  • The recovery pin is displayed for 30 days before deletion (instead of 7 days).
  • If an admin has a second browser open and tries to trigger the command again from a different tab or browser, Intune lets the command go through. But the reporting status is set to failed rather than generating a new pin.
  • The admin isn’t allowed to issue another remote lock command if the previous command is still pending or if the device hasn’t checked back in. These changes are designed to prevent the correct pin from being overwritten after multiple remote lock commands.

Device actions report differentiates between wipe and protected wipe

The Device actions report now differentiates between the wipe and protected wipe actions. To see the report, go to Microsoft Endpoint Manager admin center > Devices > Monitor > Device Actions (under Other).

Device security

Microsoft Defender Firewall rule migration tool preview

As a public preview, we’re working on a PowerShell based tool that will migrate Microsoft Defender Firewall rules. When you install and run the tool, it automatically creates endpoint security firewall rule policies for Intune that are based on the current configuration of a Windows 10 client. For more information, see Endpoint security firewall rule migration tool overview.

Endpoint detection and response policy for onboarding Tenant Attached devices to MDATP is Generally Available

As part of endpoint security in Intune, the Endpoint detection and response (EDR) policies for use with devices managed by Configuration Manager are no longer in preview and are now Generally Available.

To use EDR policy with devices from a supported version of Configuration Manager, configure Tenant attach for Configuration Manager. After you complete the tenant attach configuration, you can deploy EDR policies to onboard devices managed by Configuration Manager to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).

Bluetooth settings are available in Device Control profiles for Endpoint security Attack surface reduction policy

We’ve added settings to manage Bluetooth on Windows 10 devices to the Device control profile for Endpoint security Attack surface Reduction policy. These are the same settings as those that have been available in Device restriction profiles for Device configuration.

Manage source locations for definition updates with endpoint security antivirus policy for Windows 10 devices

We’ve added two new settings to the Updates category of endpoint security antivirus policy for Windows 10 devices that can help you manage how devices get update definitions:

  • Define file shares for downloading definition updates
  • Define the order of sources for downloading definition updates

With the new settings you can add UNC file shares as download source locations for definition updates, and define the order in which different source locations are contacted.

Improved security baselines node

We’ve made some changes to improve the usability of the security baseline node in the Microsoft Endpoint Manager admin center. Now when you drill in to Endpoint security > Security baselines and then select a security baseline type like the MDM Security Baseline, you're presented with the Profiles pane. On the Profiles pane you view the profiles you’ve created for that baseline type. Previously the console presented an Overview pane which included an aggregate data roll-up that didn’t always match the details found in the reports for individual profiles.

Unchanged, from the Profiles pane you can select a profile to drill in to view that profile's properties as well as the various reports that are available under Monitor. Similarly, at the same level as Profiles you can still select Versions to view the various versions of that profile type that you’ve deployed. When you drill in to a version, you also gain access to reports, similar to the profile reports.

Derived credentials support for Windows

You can now use derived credentials with your Windows devices. This will expand on the existing support for iOS/iPadOS and Android, and will be available for the same derived credential providers:

  • Entrust Datacard
  • Intercede
  • DISA Purebred

Support for Windows includes use of a derived credential to authenticate to Wi-Fi or VPN profiles. For Windows devices, the derived credential is issued from the client app that’s provided by the derived credential provider that you use.

Manage FileVault encryption for devices that were encrypted by the device user and not by Intune

Intune can now assume management of FileVault disk encryption on a macOS device that was encrypted by the device user, and not by Intune policy. This scenario requires:

  • The device to receive disk encryption policy from Intune that enables FileVault.
  • The device user to use the Company Portal website to upload their personal recovery key for the encrypted device to Intune. To upload the key, they select the Store recovery key option for their encrypted macOS device.

After the user uploads their recovery key, Intune rotates the key to confirm it is valid. Intune can now manage the key and encryption as if it used policy to encrypt the device directly. Should a user need to recover their device, they can access the recovery key using any device from the following locations:

  • Company Portal website
  • Company Portal app for iOS/iPadOS
  • Company Portal app for Android
  • Intune app

Hide the personal recovery key from a device user during macOS FileVault disk encryption

When you use endpoint security policy to configure macOS FileVault disk encryption, use the Hide recovery key setting to prevent display of the personal recovery key to the device user, while the device is being encrypted. By hiding the key during encryption, you can help keep it secure as users won’t be able to write it down while waiting for the device to encrypt.

Later, if recovery is needed, a user can always use any device to view their personal recovery key through the Intune Company Portal website, the iOS/iPadOS Company Portal, the Android Company Portal, or the Intune app.

Improved view of security baseline details for devices

You can now drill-in to the details for a device to view the settings details for security baselines that apply to the device. The settings appear in a simple, flat list, which includes the setting category, setting name, and status. For more information, see View Endpoint security configurations per device.

Monitor and troubleshoot

Device compliance logs now in English

The Intune DeviceComplianceOrg logs previously only had enumerations for ComplianceState, OwnerType, and DeviceHealthThreatLevel. Now, these logs have English information in the columns.

Role-based access control

Assign profile and Update profile permission changes

Role-based access control permissions have changed for Assign profile and Update profile for the Automated Device Enrollment flow:

Assign profile: Admins with this permission can also assign the profiles to tokens and assign a default profile to a token for Automated Device Enrollment.

Update profile: Admins with this permission can update existing profiles only for Automated Device Enrollment.

To see these roles, go to Microsoft Endpoint Manager admin center > Tenant administration > Roles > All roles > Create > Permissions > Roles.

Scripting

Additional Data Warehouse v1.0 properties

Additional properties are available using the Intune Data Warehouse v1.0. The following properties are now exposed via the devices entity:

  • ethernetMacAddress – The unique network identifier of this device.
  • office365Version – The version of Office 365 that is installed on the device.

The following properties are now exposed via the devicePropertyHistories entity:

  • physicalMemoryInBytes – The physical memory in bytes.
  • totalStorageSpaceInBytes – Total storage capacity in bytes.

For more information, see Microsoft Intune Data Warehouse API.

Regards
The Author – Blogabout.Cloud

Installing PowerShell modules using Microsoft Endpoint Manager

In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.
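A provisioning-time script of the kind the video describes, as an added example that is not part of the original post or video. It is written to run as SYSTEM from Devices –> Scripts: it makes PowerShellGet usable non-interactively (TLS 1.2, NuGet provider), installs the modules machine-wide, trusts PSGallery only for the duration of the run, and reports what ended up installed. The module list is an assumption for the example; replace it with your own, and pin versions with -RequiredVersion if you want reproducible builds.

```powershell
# Added example (not from the original post). $Modules is an assumed list; replace it.

$Modules = @('Microsoft.Graph.Authentication', 'PSWindowsUpdate', 'Az.Accounts')

function Install-ProvisioningModules {
    param([string[]]$Name = $Modules)

    # PowerShellGet 1.x on a fresh Windows 10 image cannot reach the gallery without TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

    # Install-Module needs the NuGet provider; -Force avoids the interactive prompt under SYSTEM.
    if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
        Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
    }

    $wasTrusted = (Get-PSRepository -Name PSGallery).InstallationPolicy -eq 'Trusted'
    if (-not $wasTrusted) { Set-PSRepository -Name PSGallery -InstallationPolicy Trusted }
    try {
        foreach ($m in $Name) {
            if (Get-Module -ListAvailable -Name $m) { continue }   # idempotent on re-run
            # AllUsers: the modules must be visible to every account that signs in later.
            Install-Module -Name $m -Scope AllUsers -Repository PSGallery -Force -AllowClobber
        }
    }
    finally {
        # Put the repository back to Untrusted so later interactive installs still prompt.
        if (-not $wasTrusted) { Set-PSRepository -Name PSGallery -InstallationPolicy Untrusted }
    }

    # Report what is actually loadable; this is what Intune shows as the script output.
    foreach ($m in $Name) {
        $installed = Get-Module -ListAvailable -Name $m | Sort-Object -Property Version -Descending | Select-Object -First 1
        [pscustomobject]@{ Module = $m; Installed = [bool]$installed; Version = $installed.Version }
    }
}

Install-ProvisioningModules
```

Everything Install-Module pulls comes from a public package feed, so treat the list as a supply-chain decision: pin versions, and consider an internal repository (Register-PSRepository) in front of the gallery for managed devices.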

Regards
The Author – Blogabout.Cloud

Configuring your Windows 10 devices with custom Desktop and Lockscreen backgrounds with Microsoft Endpoint Manager.

Using Microsoft Endpoint Manager and Azure Blob Storage to deliver customized Desktop and Lockscreen backgrounds.

Regards
The Author – Blogabout.Cloud

Deploying Firefox Settings using Microsoft Endpoint Manager

During a number of my recent Microsoft Endpoint Manager deployments and the conversations I have had with customers, one thing that always comes up is the security of the different browsers end users run to perform their daily tasks. A recent discussion touched on Mozilla Firefox and how it can be managed using Microsoft Endpoint Manager, as the customer currently performs this task with on-premises GPOs.

Like Google Chrome, Firefox can be managed using a Custom configuration profile for Windows 10. The policy consists of two parts. The first part deploys (ingests) the Firefox ADMX file to the Intune-managed device; ADMX ingestion needs Windows 10 version 1703 or later. The second part manages the settings of your choice.

Ingest the Firefox ADMX file

The Firefox ADMX file has been made available on GitHub. Download this file as it will be required later within this blog post.

We now need to sign in to the Microsoft Endpoint Manager admin center.

  • Sign in to the Endpoint Manager admin center
  • Browse to Devices – Windows
  • On the Configuration profiles tab click Create profile

Select Windows 10 and later –> Custom –> Create

We will now need to populate the Name field for this profile; you can also provide a description with more information about what this profile does. Once you have populated the required information, press Configure under Settings and then Add.

Now we are going to add rows to the profile. The first row ingests the Firefox ADMX file, followed by a row for each Firefox policy you would like to apply. Please follow the text and screenshots below.

Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data type: String
Value: copy the entire content of the ADMX file into the value field

The header in the screenshot may differ from your copy of the file; to check, open the .admx in Notepad or another editor. At the top of the file you will see the header below (revision and schema version). The whole file, header included, is what goes into the row's value:

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
<policyNamespaces>
<target prefix="firefox" name="Mozilla.Policies.Firefox"/>
<using prefix="Mozilla" name="Mozilla.Policies"/>
</policyNamespaces>
<resources minRequiredRevision="1.14"/>

Understanding the OMA-URI for configuring policies

This was something very new to me, and I had to learn exactly how to interpret the ADMX file to obtain the information needed to build the OMA-URI for each setting I wanted to apply.

Let's split the OMA-URI into separate parts so that you fully understand how it is put together. First, the prefix that is always used when managing an application through an ingested ADMX file:
./Device/Vendor/MSFT/Policy/Config/
You will always need this when adding a new row for a policy. I am going to use DisablePrivateBrowsing as an example of how we achieve the required outcome.

The part that comes next is not always the same; we need to follow some rules:

It starts with Firefox (the {AppName} you used in the ADMX ingestion OMA-URI above, which here matches the file name firefox.admx), followed by Policy (the {SettingType} from the same URI), with each part separated by the ~ sign, as shown below.

Firefox~Policy~

The next part is the category chain. The first category is the top-level category of the ADMX file, which, as you can see, is called "firefox".

The next category will be one of the following;

  • firefox
  • Authentication
  • Popups
  • Cookies
  • Addons
  • Flash
  • Bookmarks
  • Homepage
  • Certificates
  • Extensions
  • Search
  • Permissions
  • Camera
  • Microphone
  • Location
  • Notifications
  • Autoplay
  • Preferences
  • SanitizeOnShutdown
  • TrackingProtection

As we are configuring DisablePrivateBrowsing, the category required is called firefox, so my complete OMA-URI is ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~firefox/DisablePrivateBrowsing, i.e. the category chain followed by /settingname, as shown below.

Now that we understand the OMA-URI, we need to provide the string value that enables this policy. For this particular policy, which takes no parameters, the value is just <enabled/>. Policies that take parameters also need a <data id="..." value="..."/> element after <enabled/>, where the id is the element id from the ADMX.

Now that you have the basics, visit the README to see which other policy settings you can implement. It also documents the Windows (Intune) OMA-URI and value for each policy, so you can cross-check the category chain you derived against it: https://github.com/mozilla/policy-templates/blob/master/README.md
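The category-chain rule above, turned into a script that derives the OMA-URI for every policy in an ADMX file by walking each policy's parentCategory references inside that file. This is an added example, not part of the original post or of Mozilla's policy templates; the embedded ADMX is a constructed, cut-down sample in the shape of firefox.admx, so run the function against the real file and treat the chain it prints from the file's own parentCategory references as the one to cross-check against the URIs on this page and in the README.

```powershell
# Added example (not from the original post or from Mozilla). $SampleAdmx is a
# constructed stand-in for firefox.admx; pass the real file's content in practice.

$SampleAdmx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="firefox" name="Mozilla.Policies.Firefox"/>
    <using prefix="Mozilla" name="Mozilla.Policies"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.14"/>
  <categories>
    <category displayName="$(string.firefox)" name="firefox">
      <parentCategory ref="Mozilla:Cat_Mozilla"/>
    </category>
    <category displayName="$(string.Popups_group)" name="Popups">
      <parentCategory ref="firefox"/>
    </category>
  </categories>
  <policies>
    <policy class="Both" displayName="$(string.DisablePrivateBrowsing)" key="Software\Policies\Mozilla\Firefox" name="DisablePrivateBrowsing" valueName="DisablePrivateBrowsing">
      <parentCategory ref="firefox"/>
      <supportedOn ref="SUPPORTED_WIN7"/>
      <enabledValue><decimal value="1"/></enabledValue>
      <disabledValue><decimal value="0"/></disabledValue>
    </policy>
    <policy class="Both" displayName="$(string.PopupsAllow)" key="Software\Policies\Mozilla\Firefox\PopupBlocking" name="PopupBlocking_Allow" presentation="$(presentation.PopupsAllow)">
      <parentCategory ref="Popups"/>
      <supportedOn ref="SUPPORTED_WIN7"/>
      <elements>
        <list id="PopupsAllowDesc" key="Software\Policies\Mozilla\Firefox\PopupBlocking\Allow" valuePrefix=""/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxOmaUri {
    param(
        [Parameter(Mandatory)][string]$AdmxContent,
        [Parameter(Mandatory)][string]$AppName,        # {AppName} from the ADMXInstall URI, e.g. Firefox
        [string]$SettingType = 'Policy'                # {SettingType} from the ADMXInstall URI
    )
    [xml]$admx = $AdmxContent

    # local-name() keeps the XPath working whether or not the file declares a default namespace.
    $categories = @{}
    foreach ($c in $admx.SelectNodes('//*[local-name()="category"]')) {
        $categories[$c.GetAttribute('name')] = $c
    }

    foreach ($p in $admx.SelectNodes('//*[local-name()="policy"]')) {
        $chain = New-Object System.Collections.Generic.List[string]
        $node  = $p
        while ($node) {
            $parent = $node.SelectSingleNode('*[local-name()="parentCategory"]')
            if (-not $parent) { break }
            $ref = $parent.GetAttribute('ref')
            # A prefixed ref (Mozilla:Cat_Mozilla) points into another ADMX via <using>;
            # only categories defined in this file form the chain.
            if ($ref -match ':') { break }
            $chain.Insert(0, $ref)
            $node = $categories[$ref]
        }
        $name = $p.GetAttribute('name')
        # ADMX class Machine -> ./Device, User -> ./User, Both -> a row for each scope.
        $scopes = switch ($p.GetAttribute('class')) {
            'Machine' { 'Device' }
            'User'    { 'User' }
            default   { 'Device', 'User' }
        }
        # Policies with <elements> need <data id="..." value="..."/> after <enabled/>.
        $hasElements = $null -ne $p.SelectSingleNode('*[local-name()="elements"]')
        foreach ($scope in $scopes) {
            [pscustomobject]@{
                Policy = $name
                OmaUri = "./$scope/Vendor/MSFT/Policy/Config/${AppName}~${SettingType}~$($chain -join '~')/$name"
                Value  = $(if ($hasElements) { '<enabled/><data id="..." value="..."/>' } else { '<enabled/>' })
            }
        }
    }
}

Get-AdmxOmaUri -AdmxContent $SampleAdmx -AppName 'Firefox' | Format-Table -AutoSize
# Real file: Get-AdmxOmaUri -AdmxContent (Get-Content .\firefox.admx -Raw) -AppName 'Firefox'
```

The output is one row per policy and scope; the Value column tells you whether <enabled/> alone is enough or whether the policy needs a data element, in which case the id comes from the <list>, <text> or <decimal> element under <elements> in the ADMX.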

Regards
The Author – Blogabout.Cloud

Implementing Windows Information Protection

Windows Information Protection (WIP) enables an organization to draw a clear line between personal data and corporate data. When implementing WIP you might find that applications not recognized as corporate apps lose the ability to write data to corporate-protected applications and data stores. For example:

You are using GitHub and storing the cloned repos in your OneDrive Known Folders, and WIP gets enabled in "Block" mode.

That lovely GitHub repo you want to clone will now be blocked 🙁

So how do we implement Windows Information Protection to ensure that our organizations are secure without breaking the tools people rely on?

Lets start with WIP Learning

First of all, you need to configure an App Protection policy within Microsoft Endpoint Manager for all the apps you want to protect with WIP, as shown below.

WIP Learning is a report that allows you to monitor your WIP-enabled apps and WIP-unknown apps. The unknown apps are the ones not deployed by your organization’s IT department. You can export these apps from the report and add them to your WIP policies to avoid productivity disruption before they enforce WIP in “Block” mode.

In addition to viewing information about WIP-enabled apps, you can view a summary of the devices that have shared work data with websites. With this information, you can determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps.

When working with WIP-enabled apps and WIP-unknown apps, we recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you’re done, you can change to your final enforcement policy, Block.

What are the protection modes?

Block

WIP looks for inappropriate data sharing practices and stops the user from completing the action. Blocked actions can include sharing info across non-corporate-protected apps, and sharing corporate data between other people and devices outside of your organization.

Allow Overrides

WIP looks for inappropriate data sharing, warning users when they do something deemed potentially unsafe. However, this mode lets the user override the policy and share the data, logging the action to your audit log.

Silent

WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.

Switching on WIP

Browse to your App Protection policy and go to its Properties; under Required settings you can select which mode you would like to enable for your organization. Please note: you will need to define your "Corporate identity"; if you have multiple domains they can be added as 'Protected domains' under the 'Network perimeter' in the 'Advanced settings' tab.

Once you have done an initial pilot to discover the applications being used to access corporate data, you can generate a report from Apps –> Monitor –> App protection status –> Reports –> App learning report for Windows Information Protection. In my case I can see that my GitHub application has been discovered.

Now that you have your report you are able to create the required exceptions (protected-app entries for the non-corporate applications the report found) so that they can access corporate data.
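Once WIP Learning has named an unknown desktop app (GitHub Desktop in this post), the exception you add to the policy needs the signer and product name exactly as they appear in the binary's Authenticode signature. The following helper, an added example that is not part of the original post, uses Get-AppLockerFileInformation (AppLocker module, built into Windows) to read those fields and turns them into the values the Desktop apps entry expects. The binary path is an assumption for the example; point it at the executables the App learning report listed.

```powershell
# Added example (not from the original post). The path in the usage line is an assumption.

function Get-WipDesktopAppRule {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        $info = Get-AppLockerFileInformation -Path $file -ErrorAction Stop
        if (-not $info.Publisher) {
            # Unsigned binaries have no publisher, and WIP identifies desktop apps by
            # publisher, so flag them instead of emitting an empty rule.
            [pscustomobject]@{
                File = $file; Signed = $false
                Publisher = $null; ProductName = $null; BinaryName = $null; MinVersion = $null
            }
            continue
        }
        $pub = $info.Publisher
        [pscustomobject]@{
            File        = $file
            Signed      = $true
            Publisher   = $pub.PublisherName          # subject DN string, e.g. "O=..., L=..., S=..., C=..."
            ProductName = $pub.ProductName            # from the file's version resource
            BinaryName  = $pub.BinaryName
            MinVersion  = $pub.BinaryVersion.ToString()
        }
    }
}

# Usage (assumed path): run on the pilot machine that reported the app.
Get-WipDesktopAppRule -Path "$env:LOCALAPPDATA\GitHubDesktop\GitHubDesktop.exe" | Format-List
```

Leave ProductName and BinaryName as '*' in the policy entry if you want every signed binary from that publisher allowed; the tighter the match, the smaller the set of binaries that can touch corporate data.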

Regards
The Author – Blogabout.Cloud

Unleashing the power of Microsoft Endpoint Manager against OneDrive for Business

It's time to unleash the power of Microsoft Endpoint Manager against OneDrive for Business. If you are licensed for Microsoft Intune you have many useful features and policies available to you when it comes to configuring OneDrive for Business. In my role as an IT Architect I am seeing more and more customers moving their data to the cloud and leveraging all the functionality available from Microsoft Endpoint Manager.

One of the biggest changes in behaviour I have seen is moving Group Policies to Microsoft Endpoint Manager. Administrative Templates is an excellent solution that has grown not only in popularity but in functionality as well. An easy way of finding out whether you can move your current on-premises Group Policies to Microsoft Intune is available on GitHub. If you haven't come across it yet, please check out MMAT on GitHub, one of the most powerful tools for gathering data on what is supported via Microsoft Endpoint Manager.

https://github.com/WindowsDeviceManagement/MMAT

Administrative Templates

Administrative Templates is a growing function within Microsoft Endpoint Manager, in recently times it has included more and more great functionality which covers the following;

– Windows
– Office
– Edge

As we are focusing on just OneDrive, let's have a look at what is available to us today. Currently we have 31 different settings available for OneDrive for Business, and when I am working with my customers I always recommend looking at the following settings;

– Disable the tutorial that appears at the end of OneDrive setup
– Prevent users from changing the location of their OneDrive folder
– Prevent users from fetching files remotely
– Prevent users from moving their Windows known folders to OneDrive
– Prevent users from syncing personal OneDrive accounts
– Set the default location for the OneDrive folder
– Silently move Windows known folders to OneDrive
– Silently sign in users to the OneDrive sync client with their Windows credentials
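The Intune Administrative Template for OneDrive is ADMX-backed, so the settings above end up as values under HKLM\SOFTWARE\Policies\Microsoft\OneDrive, the same place the on-premises GPO writes them. The following audit, an added example that is not part of the original post, reads those values on a device and reports which of the recommended settings are in force. The tenant ID is an assumption; the table covers the device-scoped settings from the list whose registry names are documented (the remote-fetch and default-location settings are left out, the latter being user-scoped).

```powershell
# Added example (not from the original post). $TenantId is an assumption; replace it.

$TenantId  = '00000000-0000-0000-0000-000000000000'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

# Intune setting name -> registry value and the data the template writes when enabled.
$Expected = @(
    @{ Setting = 'Disable the tutorial that appears at the end of OneDrive setup';      Name = 'DisableTutorial';     Value = 1 }
    @{ Setting = 'Prevent users from syncing personal OneDrive accounts';               Name = 'DisablePersonalSync'; Value = 1 }
    @{ Setting = 'Prevent users from moving their Windows known folders to OneDrive';   Name = 'KFMBlockOptIn';       Value = 1 }
    @{ Setting = 'Silently move Windows known folders to OneDrive';                     Name = 'KFMSilentOptIn';      Value = $TenantId }
    @{ Setting = 'Silently sign in users to the OneDrive sync client';                  Name = 'SilentAccountConfig'; Value = 1 }
    # DisableCustomRoot is a sub-key whose value *name* is the tenant ID.
    @{ Setting = 'Prevent users from changing the location of their OneDrive folder';  Key = "$PolicyKey\DisableCustomRoot"; Name = $TenantId; Value = 1 }
)

function Test-OneDrivePolicy {
    foreach ($e in $Expected) {
        $key    = if ($e.Key) { $e.Key } else { $PolicyKey }
        # Dynamic property access so the tenant-ID-named value works like any other.
        $actual = (Get-ItemProperty -Path $key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Setting  = $e.Setting
            Registry = "$key\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            InForce  = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
        }
    }
}

Test-OneDrivePolicy | Format-Table -Property Setting, InForce, Actual -AutoSize
```

Running this on a device that still receives the on-premises OneDrive GPO shows the same values, which is exactly why MMAT and the MDMWinsOverGP switch from the earlier posts matter: the registry cannot tell you which channel wrote them.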

Policies for Office apps

This is the new kid on the block and currently has only one policy for OneDrive for Business, but expect this to change massively over the course of 2020.

And thats your lot, please check out what Microsoft Endpoint Manager can do for you today as you maybe pleasantly surprised how powerful the Microsoft Cloud has become.

Regards
The Author – Blogabout.Cloud