Creating a Intune Application Deployment Overview – Part 2

Standard

Last week I posted the first version of my Intune Application Deployment Overview script. This script exported device deployment information from Intune through the Graph API to a CSV file and a HTML file. The CSV file contained all the device deployment details and the HTML contained a summary of the deployment status for all applications. You can find this first post here. This blogpost is build on top of this first blogpost, this blogpost describes the next version of this script. In this version I’ve added the user deployment information of Intune Application deployments. Before you continue I want to advise you to first read the first blogpost.

Continue reading

Creating a Intune Application Deployment Overview

Standard

The last couple of weeks I toke some time to investigate the possibilities of the Microsoft Graph API with Intune and AzureAD. In this blogpost I want to share my results of these investigations. One of the big advantages of having Microsoft Intune on the ‘new’ platform is the availability of Microsoft Graph API. Through the Graph API you easily control Microsoft Intune. In this blogpost I want to focus on creating an Application Deployment overview for applications deployed with Microsoft Intune to your Windows 10 workstations. My goal was to create an overview of the applications with the following information: Number of deployments to devices and if they are successful or failed. And based on those numbers I wanted to have the percentage of successful and failed deployments.
Continue reading

Windows Store Apps as available App in Company Portal

Standard

This week a short blogpost about a recent change in Intune and the Company Portal. In the July What’s new documentation I found the following new feature: ‘With this release, admins can now assign the Microsoft Store for Business as available. When set as available, end-users can install the app from the Company Portal app or website without being redirected to the Microsoft Store.’ It looks like a tiny small feature but it has a great user experience improvement. Before this feature a user had two software portals: In the Company Portal were the applications visible from Intune and in the Windows Store for Business were the application visible from private business store. With this change we can combine those two and make the Company Portal the one-stop-shop for software on a Windows 10 MDM managed workstation.

Continue reading

Allow or Block Windows 10 versions accessing corporate data

Standard

With this blogpost I want to focus on controlling which Windows 10 versions can access corporate date and which versions will be blocked when accessing corporate date. To achieve this I’m using AzureAD Conditional Access together with Compliance Policies configured in Microsoft Intune. In this blogpost I want to focus on the scenario to only allow Windows 10 versions which are receiving updates and are supported by Microsoft. The second scenario is about allowing your users to run Insider Builds for testing purposes but block them to connect to corporate services and data.

Continue reading

Controlling Office365 ProPlus channels during Installation with Intune

Standard

A couple of weeks ago Microsoft added a new app type in Intune. With this new App type we can deploy Office365 ProPlus very easy to our MDM Managed workstations. My colleague Peter van der Woude has written a great blogpost about how you can configure this new App type and how this works for the admin and the user. You can find his blogpost here. With this blogpost I want to focus on controlling the Office365 channels with this new app type. I’ve multiple customers where we want to configure and have control over the Office365 ProPlus update channels during the installation of Office365 ProPlus.
Continue reading

Scenario: Using both Intune Device and App Based Conditional Access – Part 3

Standard

In this part of the series around using both Device and App Conditional Access for securing Exchange Online I’m focusing on providing a user self-service solution to choose between ActiveSync or MAM Managed Exchange Online access. In the first part of the series I focused on securing Exchange Online Browser and ActiveSync access and in the second part I focused on securing App access to Exchange Online. After both blogposts the conclusion was that Device and App Conditional Access cannot co-exists in the scenario where we want to secure ActiveSync connections and provide Outlook App access to not-MDM enrolled mobile devices. Based on the tests and the documentation the user need to choose between using ActiveSync or using the Outlook App (not-enrolled). In this blogpost I want to share a solution where the user can choose between the scenarios using self-service.
Continue reading

Scenario: Using both Intune Device and App Based Conditional Access – Part 2

Standard

In Part 1 I described the Conditional Access scenario where you want to combine both Device and App Conditional Access for a single user. This series of blog posts is focusing on the Exchange Online. The first post of the series described how to configure Conditional Access to enforce MFA on accessing Exchange Online through for browser access and how to enforce a compliant device for Exchange Online ActiveSync. In this part I want to focus on configuring Conditional Access for the Exchange Online Apps. I want to achieve the following: when the device is MDM enrolled MAM with Enrollment should be applied on MAM capable apps and on these devices the user should be able to configure apps which are using ActiveSync (like the Inbox mailapps on Android and iOS). On devices which are not MDM enrolled the user should only be able to configure the Outlook App for Exchange Online. When the device is not MDM enrolled the user is not allowed to use and configure non-MAM capable apps. My ultimate goal is to provide these scenarios for each of the platforms: Windows, Android and iOS.
Continue reading

Scenario: Using both Intune Device and App Based Conditional Access – Part 1

Standard

With this blogpost I want to look into Conditional Access and the possibilities we have in combining both Device Conditional Access and App Conditional Access. I’ve seen this requirement at multiple customers when doing EM+S deployments. With Device Based Conditional Access we can enforce the device to be compliant before services can be used. With App Conditional Access we can enforce App restrictions on the applications used for services. Device Based Conditional Access can be done for almost all applications in AzureAD. App Based Conditional Access can be configured for Exchange and SharePoint Online. In this blogpost I will focus on a scenario for Exchange Online.
Continue reading

Configure Endpoint Protection (Bitlocker) with Intune on Windows 10

Standard

In this blogpost I want show you how to use the Endpoint Protection (Bitlocker) policy within Intune to configure Bitlocker on Windows 10. With Endpoint Protection policies you can configure and enforce Bitlocker on your Windows 10 devices. With the old policies we could already enforce Bitlocker but not enforce the settings of Bitlocker. With Windows 10 1703 the user interface for the end user was already improved but still the user needs to select the Bitlocker settings themselves. There are some settings where the user need to make the right decision and probably not all users know the consequences of some of the settings. The setting about saving the recovery key is for me to most important one. In a MDM scenario I want to enforce that the key will be saved in AzureAD an not locally on a USB drive. So most of the time I want to enforce this setting and more ideal I just want to enable it for the user without disturbing the user.
Continue reading

Users cannot join Windows 10 devices to AzureAD

Standard

The last couple of days I’m working on a issue with a customer related to joining Windows 10 workstations to AzureAD. This customer is using Dell Hardware and Windows 10 1703 (Creator’s Update) and a federated Azure AD with Intune MDM. When the failing workstations have installed Windows 10 and the user tries to add the device to AzureAD the user cannot login to ADFS. In the OOBE stage of the deployment the user enters his username and based on that it’s redirected tot the customers ADFS environment. The login form of ADFS loads and after entering the users credentials the login page returns. So the user stays in the ADFS login page (looping). Both on the Windows 10 client and the ADFS environment no errors are logged in the event logs.

Continue reading