With Microsoft Intune we can control the Windows 10 Update rings by using the Software Updates policies. For the Office365 Pro-Plus installations this is a different story, at this moment we are not able to configure this through a GUI policy within Intune. In my current project it’s one of the requirements to control and enforce the update channels of the Office365 Pro-Plus installations. I was discussing this requirement with my colleague Peter van der Woude and he challenged me to check if this was possible through ingesting a Office ADMX policy file. My answer was: Challenge Accepted! 
Continue reading
Intune and assigning policies to limited users/devices
StandardThis blogpost is about assigning Intune policies/apps to a limited group of users or devices. I want to look into the different sections like Configuration Policies, Compliance Policies and Apps and explain what options you have regarding assigning them to a limited set of users/devices. For the policies (Configuration and Compliance) you can use the include and exclude assignment to exclude users/devices from a policy. For App assignments the include/exclude assignment is not available but you will have some other options! Continue reading
Windows 10 AlwaysOn Conditional Access Connection Fix
StandardLast year I wrote a couple of blogposts about the Windows 10 AlwaysOn VPN solution with AzureAD Conditional Access. You can find the blogposts here:
- Windows 10 AlwaysOn VPN with Conditional Access – Part 1
- Windows 10 AlwaysOn VPN with Conditional Access – Part 2
- Windows 10 AlwaysOn VPN with Conditional Access – Part 3
After testing this solution more and more I had a strange issue where the user was able to set-up a AlwaysOn VPN connection even when the conditional access conditions were not met. So if my conditional access policy was requiring a compliant device I was able to connect with a non compliant device. I could do this by clicking on the X (Close) icon when I was in the Conditional Access flow. Together with Microsoft I’ve investigated this and a solution has been found.
2017 in Review and Happy New Year
StandardNormally I write this blogpost at the end of the year but the last couple of weeks of 2017 were very busy so the time to write blogposts was very limited. 2017 started great with receiving my second MVP Award. I really like sharing my knowledge with the community and again receiving the MVP award for this is a honor. In 2017 I also changed jobs, I started at KPN Consulting as a Technical Consultant with a strong focus on Intune, ConfigMgr and Windows 10. With this job switch my knowledge area changed from primarily RDS to Intune, ConfigMgr and Windows 10. All these changes were great and I’m looking forward to continue sharing my knowledge in 2018.
Continue reading
Intune Policy conflicts caused by ‘hidden’ setting
StandardThis week I was looking into an issue with Intune and conflicting policies. In our case the Device Restriction and the Software updates policy were in conflict. In this blogpost I want to share you how I did some troubleshooting and how I solved the conflicting policies.My first step was trying to look into the configured policies and looking for the policies which have a high percentage of error deployments.
Continue reading
Backup Bitlocker Recovery Key with Intune PowerShell
StandardThis weeks blogpost is about the new PowerShell capabilities we get through the Intune Management Extension. This new capability is released in the latest Intune release from 2 weeks ago. With the ability to run PowerShell on MDM managed devices many scenarios are possible. The scenario I wanted to test is to add an additional Bitlocker Recovery key to the Bitlocker configuration. If you’ve applied an Intune Endpoint Protection policy this key is automatically saved into AzureAD. From the past I know that this is not easy because we need to run the scripts in an elevated PowerShell user session. But I accepted the challenge and I got it working. Credits also to my colleague David Omisi since he helped me developing the PowerShell script.
Continue reading
Intune Device Compliance Notifications
StandardThis weeks short blogpost is all about the new Device Compliance Notification functionality in Microsoft Intune. With this new option you can send notifications to your users when the device of the user becomes non-compliant. This is a great new way of informing users about the compliance state of their device. When using Device Compliance in AzureAD Conditional Access it’s very important to inform your users about the compliance state of the device. Users can view the compliance state in the Intune Company portal and this is just a new additional functionality.
Continue reading
Windows 10 AlwaysOn VPN with Conditional Access – Part 3
StandardThis is the last part of the blogpost series about Windows 10 AlwaysOn VPN with AzureAD Conditional Access. In the first part I described what infrastructure is needed to get up and running with the Windows 10 AlwaysOn VPN. The second part was about the configuration which was needed to add AzureAD Conditional Access to the configuration. In the second post I also showed how MFA can be enforced on AlwaysOn VPN connections with AzureAD Conditional Access. In this last part I want to show you that AzureAD can also enforce a compliant device and I want to describe the scenario of blocking access to the AlwaysOn VPN.
Continue reading
Scenario: Using both Intune Device and App Based Conditional Access – conclusion
StandardLast week I visited IT/DEV Connections in San Francisco. During this week I visited some great sessions and I talked to some great people. During the last day I visited the sessions of Simon May (PM within the Intune team of Microsoft). I discussed the Conditional Access scenario where I wanted to combine both App and Device Based Conditional Access. During this discussion we together both concluded that this scenario must now be possible. With this blogpost I want to provide an update on this scenario.
Continue reading
Windows 10 AlwaysOn VPN with Conditional Access – Part 2
StandardThis is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure which is described in that blogpost is a prerequisite for this blogpost. This blogpost will focus on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario and that is enforcing a Multi-Factor authentication request before the VPN connection can be activated.
Continue reading