This week's blogpost is about the new PowerShell capability we get through the Intune Management Extension. This capability shipped in the latest Intune release, two weeks ago. With the ability to run PowerShell on MDM-managed devices many scenarios become possible. The scenario I wanted to test is adding an additional BitLocker recovery key to the BitLocker configuration. If you've applied an Intune Endpoint Protection policy this key is automatically saved to AzureAD. From the past I know that this is not easy, because we need to run the scripts in an elevated PowerShell user session. But I accepted the challenge and I got it working. Credits also to my colleague David Omisi, since he helped me develop the PowerShell script.
Continue reading
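The following script is an added example of the scenario described above; it is not the script from the original post. It assumes it is deployed through the Intune Management Extension and runs as SYSTEM (the default when "Run this script using the logged on credentials" is set to No), which provides the elevated context the BitLocker cmdlets need. The Management Extension historically started scripts in the 32-bit PowerShell host, so the script relaunches itself in the 64-bit host before loading the BitLocker module. `$MountPoint` is an assumed parameter; `BackupToAAD-BitLockerKeyProtector` is the built-in cmdlet that escrows a protector to Azure AD on Windows 10 1709 and later.

```powershell
# Added example: add an extra numeric recovery password to the OS volume and
# escrow it to Azure AD. Runs as SYSTEM via the Intune Management Extension.
param([string]$MountPoint = $env:SystemDrive)   # assumed parameter, e.g. "C:"

# The Intune Management Extension launches scripts in the 32-bit host; relaunch
# in the 64-bit host so the BitLocker module is available.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    & "$env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe" `
        -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath -MountPoint $MountPoint
    exit $LASTEXITCODE
}

Import-Module BitLocker -ErrorAction Stop

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is not on for $MountPoint; nothing to do."
    exit 0
}

# Remember the protectors that already exist so we can tell which one is new.
$existingIds = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorId })

# Add one more numeric recovery password protector.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

$new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Where-Object { $existingIds -notcontains $_.KeyProtectorId }

if (-not $new) {
    Write-Error "No new recovery password protector was created on $MountPoint."
    exit 1
}

# Escrow each new recovery password to Azure AD; a failure here is a real
# failure, because a protector nobody can retrieve is worthless.
foreach ($kp in $new) {
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop
        Write-Output "Backed up protector $($kp.KeyProtectorId) to Azure AD."
    }
    catch {
        Write-Error "Backup of protector $($kp.KeyProtectorId) to Azure AD failed: $_"
        exit 1
    }
}
```

The non-zero exit codes matter: the Management Extension records the script result per device, so a failed escrow shows up in the Intune portal instead of leaving a recovery password that exists only on the disk it protects.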
Intune Device Compliance Notifications
This week's short blogpost is all about the new Device Compliance Notification functionality in Microsoft Intune. With this new option you can send notifications to your users when their device becomes non-compliant. This is a great new way of informing users about the compliance state of their device. When using device compliance in AzureAD Conditional Access it is very important to inform your users about the compliance state of the device, because a non-compliant device loses access to the protected resources. Users can view the compliance state in the Intune Company Portal; the notification is an additional way of informing them.
Continue reading
Windows 10 AlwaysOn VPN with Conditional Access – Part 3
This is the last part of the blogpost series about Windows 10 AlwaysOn VPN with AzureAD Conditional Access. In the first part I described which infrastructure is needed to get up and running with Windows 10 AlwaysOn VPN. The second part was about the configuration needed to add AzureAD Conditional Access to the solution. In that second post I also showed how MFA can be enforced on AlwaysOn VPN connections with AzureAD Conditional Access. In this last part I want to show you that AzureAD can also enforce a compliant device, and I want to describe the scenario of blocking access to the AlwaysOn VPN.
Continue reading
Scenario: Using both Intune Device and App Based Conditional Access – conclusion
Last week I visited IT/DEV Connections in San Francisco. During this week I attended some great sessions and talked to some great people. On the last day I attended the sessions of Simon May (PM within the Intune team at Microsoft). I discussed the Conditional Access scenario where I wanted to combine both App and Device Based Conditional Access. During this discussion we concluded together that this scenario must now be possible. With this blogpost I want to provide an update on this scenario.
Continue reading
Windows 10 AlwaysOn VPN with Conditional Access – Part 2
This is the second part of the series about the Windows 10 AlwaysOn VPN solution. In the first part, which you can find here, I described how to set up the infrastructure for the AlwaysOn VPN solution. The infrastructure described in that blogpost is a prerequisite for this one. This blogpost focuses on the configuration needed to add AzureAD Conditional Access to the solution. With AzureAD Conditional Access we add a great set of capabilities to control who can connect to the VPN solution and which conditions the user must meet before the connection can be made. In this blogpost I configure the first scenario: enforcing a Multi-Factor Authentication request before the VPN connection can be activated.
Continue reading
Windows 10 AlwaysOn VPN with Conditional Access – Part 1
In this series of blogposts I want to show you how you can use AzureAD Conditional Access to protect your Windows 10 / Server 2016 AlwaysOn VPN solution (deployed with Intune). This first part of the series describes the initial requirements and the setup of the infrastructure needed for the AlwaysOn VPN solution. The second part will focus on the configuration needed to add AzureAD Conditional Access for VPN connections to the flow, and the last part of the series will focus on testing the Conditional Access features against AlwaysOn VPN connections. But let's start with the description of the needed components and their initial configuration.
Creating an Intune Application Deployment Overview – Part 2
Last week I posted the first version of my Intune Application Deployment Overview script. This script exported device deployment information from Intune through the Graph API to a CSV file and an HTML file. The CSV file contained all the device deployment details and the HTML file contained a summary of the deployment status for all applications. You can find this first post here. This blogpost builds on that first one and describes the next version of the script. In this version I've added the user deployment information of Intune application deployments. Before you continue I advise you to read the first blogpost.
Creating an Intune Application Deployment Overview
The last couple of weeks I took some time to investigate the possibilities of the Microsoft Graph API with Intune and AzureAD. In this blogpost I want to share the results of these investigations. One of the big advantages of having Microsoft Intune on the 'new' platform is the availability of the Microsoft Graph API. Through the Graph API you can easily control Microsoft Intune. In this blogpost I want to focus on creating an Application Deployment overview for applications deployed with Microsoft Intune to your Windows 10 workstations. My goal was to create an overview of the applications with the following information: the number of deployments to devices and whether they succeeded or failed. Based on those numbers I wanted to have the percentage of successful and failed deployments.
Continue reading
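The script below is an added example of the overview described above, written for this page and not the script from the original post. It assumes you already hold a Microsoft Graph access token with `DeviceManagementApps.Read.All` (for instance obtained with the `Get-AuthToken` function from Microsoft's Intune PowerShell samples) in the `$Token` parameter or the `GRAPH_TOKEN` environment variable, and it reads the per-app `installSummary` resource from the beta endpoint, which is where the device install counts are exposed. The `Get-DeploymentRatio` helper and the `$OutCsv` parameter are my own names.

```powershell
# Added example: per-application device deployment overview from the Graph API.
param(
    [string]$Token  = $env:GRAPH_TOKEN,                 # assumed: a valid Graph bearer token
    [string]$OutCsv = ".\AppDeploymentOverview.csv"     # assumed output path
)

if (-not $Token) { throw "No Graph access token supplied." }

$headers = @{ Authorization = "Bearer $Token" }
$base    = "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps"

function Get-GraphCollection([string]$Uri) {
    # Follow @odata.nextLink so paged results are not silently truncated.
    $items = @()
    while ($Uri) {
        $page  = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
        $items += $page.value
        $Uri   = $page.'@odata.nextLink'
    }
    return $items
}

function Get-DeploymentRatio([int]$Installed, [int]$Failed) {
    # Percentages over devices that reached a final state; pending and
    # not-applicable devices are reported separately, not counted as failures.
    $total = $Installed + $Failed
    if ($total -eq 0) { return [pscustomobject]@{ SuccessPct = 0; FailedPct = 0 } }
    [pscustomobject]@{
        SuccessPct = [math]::Round(100 * $Installed / $total, 1)
        FailedPct  = [math]::Round(100 * $Failed / $total, 1)
    }
}

# Only assigned apps have a deployment to report on.
$apps = Get-GraphCollection $base | Where-Object { $_.isAssigned }

$overview = foreach ($app in $apps) {
    $s     = Invoke-RestMethod -Uri "$base/$($app.id)/installSummary" -Headers $headers -Method Get
    $ratio = Get-DeploymentRatio -Installed $s.installedDeviceCount -Failed $s.failedDeviceCount
    [pscustomobject]@{
        Application   = $app.displayName
        Type          = ($app.'@odata.type' -replace '^#microsoft\.graph\.', '')
        Installed     = $s.installedDeviceCount
        Failed        = $s.failedDeviceCount
        Pending       = $s.pendingInstallDeviceCount
        NotApplicable = $s.notApplicableDeviceCount
        SuccessPct    = $ratio.SuccessPct
        FailedPct     = $ratio.FailedPct
    }
}

$overview | Sort-Object FailedPct -Descending | Format-Table -AutoSize
$overview | Export-Csv -Path $OutCsv -NoTypeInformation
```

Two details are worth keeping when you build your own version: paging through `@odata.nextLink`, because a tenant with more apps than one page returns silently loses the rest otherwise, and computing the percentages over installed plus failed only, so that a freshly assigned app with hundreds of pending devices does not show up as a 0% success rate.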
Windows Store Apps as available App in Company Portal
This week a short blogpost about a recent change in Intune and the Company Portal. In the July What's new documentation I found the following new feature: 'With this release, admins can now assign the Microsoft Store for Business as available. When set as available, end-users can install the app from the Company Portal app or website without being redirected to the Microsoft Store.' It looks like a small feature, but it is a great user experience improvement. Before this feature a user had two software portals: the applications from Intune were visible in the Company Portal, and the applications from the private business store were visible in the Windows Store for Business. With this change we can combine those two and make the Company Portal the one-stop shop for software on a Windows 10 MDM-managed workstation.
Allow or Block Windows 10 versions accessing corporate data
With this blogpost I want to focus on controlling which Windows 10 versions can access corporate data and which versions are blocked from accessing corporate data. To achieve this I'm using AzureAD Conditional Access together with compliance policies configured in Microsoft Intune. The first scenario is to only allow Windows 10 versions that still receive updates and are supported by Microsoft. The second scenario is allowing your users to run Insider builds for testing purposes, but blocking those builds from connecting to corporate services and data.