Categories
Intune Tips & Tricks

Are the settings what you think they are?

Something I know a lot of Microsoft Intune admins have been frustrated about for a while, especially if you come from the GPO world, is making sure that the settings you applied are what you think they are on the device. I mean, things happen. Users can be local admins and change stuff, a support person could have changed something locally, or stuff just won’t work.

As we all know, an enrolled and running Intune Windows device checks in with Intune every 8 hours to see if the settings are still correct. 8 hours is quite a long time if you have a faulty configuration, and not all users know that they can manually synchronize their device with Intune (or that an admin can do so).

This is where the newly introduced Config Refresh enters the stage!

What is Config Refresh?

Config Refresh is a new setting in Windows 11 (23H2, or 22H2 with the June 2024 update) which lets you define the interval at which the Windows device should refresh its configuration based on what is defined in Intune. In the GPO world this happens automatically every 90 minutes, and in the Intune world it is 8 hours! But with Config Refresh we can squeeze this down to as little as 30 minutes or push it all the way up to 24 hours (why someone would do that, I don’t know, but I bet there are those scenarios).

But this isn’t just changing the default 8-hour interval; it actually brings some new things to the table:

  • A reset operation to reset any settings you manage which use the Policy CSP
  • Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
  • Offline functionality, not requiring connectivity to an MDM server
  • Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

This means that we get a bunch of new features in the MDM world which we have not had before!

How do I configure it?

But how do I configure this in my environment? The Config Refresh policy is set in the settings catalog, so let’s jump straight into Devices – Windows – Configuration and add a new Settings Catalog policy.

As usual, give your policy a name which makes sense to you in your environment and click next. I’m going for “Win – Config Refresh” in this example.

Now let’s search for “Config Refresh” and add both the settings to our policy.

Let’s go for a 30-minute interval in this example but set what makes sense to your environment (default value is 90 minutes). Also, make sure to enable the “Config Refresh” setting before clicking on next.

If you are using scope tags, you can add them in the next step; otherwise move on to assignment. Since this is a device-scope setting, let’s target devices for this one so we can make sure that all our devices get this setting regardless of who signs in. If you want to filter out specific devices, add a filter here as well.

On the last step, review your settings before clicking on “Create”.

This will configure your devices to refresh their policies every 30 minutes!

Bonus:

If you for some reason want to prevent a device from doing a Config Refresh, you can find the device and press those three dots on the right side of the ribbon. You will then find “Pause config refresh”.

You can then pause the refresh for up to 24 hours.

Key take away

Using Config Refresh we can make sure, with greater certainty, that our devices have the correct configuration, and we can adjust the interval to fit our needs.

This gives us as admins a greater sense of control when managing devices and wanting to make sure that our devices have the correct settings. If you are coming from the GPO world you will be very familiar with this, since GPOs refresh every 90 minutes (by default), and now you can make Intune work the same way! Yet one less thing that you will be missing from the old world!

Hope you find this as useful as I do, and happy clicking!

Categories
Intune Intune for noobs

5 things you didn’t know you could do in Microsoft Intune

I thought I would share a few things you might not know you are able to do in Intune: small things that might not be related to device management itself, but which you might not be aware of!

As all of you know, Microsoft Intune is constantly changing; there are news and updates each week. This means that some of these things might change in the future, who knows!

But let’s kick it off. Here are 5 things you didn’t know you could do in Intune.

Change language and region

You have probably seen the settings icon at the top of the Intune portal; this is where you can access the portal settings.

When you click the settings icon, you will be taken to the Portal settings pane of Microsoft Intune.

As you can see, there are a lot of different things you can modify and control. E.g. if you have multiple directories or subscriptions, you can change which one is your default. This is also where you enable dark mode (if you are like me and prefer dark mode). But I thought we would focus on the language settings.

If we navigate to the “Language + region” pane, we can select which language we want the portal to be in. This is not a global setting; it only affects my session. Like many others, I prefer to use the English version of MS Intune (the Swedish translations are a bit wild sometimes), but I still want my regional format to be Swedish. I can easily select my preferences here and just hit apply, and it will refresh the session with the new language for me.

If you are familiar with Azure or Entra, this works the same way!

Modify the left side menu

We probably all know and love the left-side navigation menu; this is where we select whether we want to access devices or apps, for example.

But did you know you can customize this menu?

If you navigate to “All services”, you will see a table of all the available services within Microsoft Intune, and if you look closely you will notice that there is a small star next to each service.

By default, all of them are starred except for “Surface Management Portal”; if you want easy access to that, simply star it too and it will show up in the navigation menu.

But let’s say I’m only interested in seeing devices, apps and groups. I can simply star those, and they will be the only ones displayed in the navigation menu, alongside Reports, which cannot be removed.

Another neat feature is that you can rearrange the order of the navigation menu by simply dragging the headings around if you want to sort them differently.

Easily change between accounts

If you are using multiple accounts in Microsoft Intune, there is a simple way to just change which account you are using. If you have ever worked in the Azure portal, this is the same functionality.

Simply click your profile picture in the top right corner and sign in with a different user. Once you have signed in with an additional user, you can easily switch by selecting that account.

Access the PIM portal

For most administrative roles, you use Microsoft Entra Privileged Identity Management, or simply PIM, to activate the privileged role you need, so that your account does not hold that role all the time.

This can be set up in many different ways, and you can even PIM Intune roles if you use the group feature.

However, you don’t need to go through the Entra portal to access your PIM roles. Simply navigate to Tenant Administration > Microsoft Entra Privileged Identity Management and you will reach the same portal.

From here, you can simply activate your roles, or approve other requests.

Shortcut to the Entra portal

Last but not least, while we are on the topic of Microsoft Entra: did you know that there is a shortcut to the Entra portal in Intune?

Just navigate to All services in the navigation menu, and under “Other consoles” you will find Microsoft Entra.

When you click that link, a new tab will open with the Entra portal!

Categories
Intune Windows 365

Ignite 2022 – live in Seattle!

So, 2022 was the year Microsoft Ignite was FINALLY a physical event again, and for the first time on Microsoft home turf in Seattle.

Being an ex-Microsoft FTE, this gave me major flashbacks to TechReady, which was an internal training event Microsoft used to host in Seattle. Same location as Ignite, just no hilarious videos with Norm Judah encouraging everyone to fill out the evaluations.

Ignite was different this year since it’s a hybrid event, and the first big one of its kind for Microsoft, which means that they are still trying out the concept.

Overall, I had a lot of fun. For me, meeting up with peers and having the time to focus on the content is important; whether sessions are digital or physical doesn’t really matter. Some sessions made more sense virtually. But in-person sessions are usually the best, and you could really tell that people wanted this. The big keynotes especially are always more fun in person.

But I was missing the expo where you can meet vendors or just mingle with Microsoft people; there wasn’t really any space for this, except for an awesome Surface expo.

However, the breadth that the “old” Ignite had was missing, and so were the breakout sessions. The feeling was that this hybrid thing was more focused on people attending remotely, and people on site were more the live audience.

There was a lot of news and I’ve picked out the ones I found most interesting.

Windows

Just before Ignite kicked off, there was a Surface event where some news around Windows 11 was released. Check it out here:

Introducing new Surface devices that take the Windows PC into the next era of computing | Microsoft Devices Blog

If you want to read more about all the Windows 365 news, check this out: What’s new in Windows 365: Microsoft Ignite 2022 edition – Microsoft Community Hub

Microsoft 365 and Windows 365 in the Metaverse

This was released a few days prior to Microsoft Ignite, but Microsoft 365 and Windows 365 will be supported on Meta Quest devices, providing a new kind of experience for productivity in the Metaverse.

This means that you will be able to run a fully supported productivity setup in the Metaverse with e.g., Microsoft Teams and Windows 365. Windows 365 is not yet released for Metaverse, but this indicates strongly which direction VR is heading now.

On top of Microsoft 365 apps being supported, you will also be able to manage the Meta Quest and Meta Quest 2 using Azure Active Directory and Microsoft Intune, which would provide IT admins with a whole new option of what a PC or workstation is for their end-users. You can read more on this blogpost by Microsoft: Microsoft and Meta partner to deliver immersive experiences for the future of work and play – The Official Microsoft Blog

The new Windows 365 app (preview)

The Remote Desktop app has long been the go-to application for your VDIs, but for Windows 365 you can now use the brand-new Windows 365 app, which is in public preview. This app aligns more with the Windows 365 features found on the web portal, but with the advantages of a desktop app! Read more here:

Experience the Windows 365 app: public preview available now – Microsoft Community Hub

Organizational messages

Getting messages out to end users is always a struggle within IT. There is a new feature for Windows 11, coming in November to Windows 11 22H2, where you can use Microsoft Intune to send organizational messages to your users natively in Windows instead of sending them email. Read more here:

Deliver organizational messages with Windows 11 and Microsoft Intune – Microsoft Community Hub

Microsoft Intune

No more MEM…

The brand Microsoft Endpoint Manager, or MEM, is going away. The new product-family name will be Microsoft Intune, in which a bunch of things will be included, Configuration Manager amongst others. You can read more about the announcement here:

Introducing the Microsoft Intune product family – Microsoft Community Hub

Add-ons for Microsoft Intune

Add-ons for Microsoft Intune are obviously here to stay, and they are also growing beyond just Remote Help, which has been an add-on for a while now.

Out of the list of new add-ons coming, what especially caught my eye were these two, which I think will solve a lot of headaches for a lot of IT admins.

You can read more here about all new add-ons:

Reduce your overall TCO with a new Microsoft Intune plan – Microsoft Community Hub

Endpoint privilege management in preview

Enabling local admin for users on a temporary basis has been a struggle with Intune managed devices. Old solutions relying on attributes in the on-premises AD do not work and there aren’t really any “best practices” established around this yet.

However, Microsoft is looking to solve this with Endpoint Privilege Management, which is in public preview. Read more in the link above.

Automated app patching as add-on

Keeping applications up to date is something many struggle with, and there are products around to solve that. Now Microsoft is throwing itself into this game as well, which makes a lot of sense. This is just briefly mentioned in the “Further value and looking forward” part of the article, but if they are able to deliver a native Microsoft Intune feature for this, that would simplify things a lot!

Categories
Intune Tips & Tricks

Remove Quick Assist

Updated on the 29th of September 2022 due to changes in Quick Assist installation.

As I mentioned in the blog post about Remote Help, the built-in Quick Assist tool in Windows 10 and Windows 11 is great for supporting friends and family. However, it’s not that great for supporting an organization, since vital features like UAC handling and logging are missing. There is also a lot to wish for when it comes to how accounts are managed and the overall experience in a corporate setup using Quick Assist.

So, once we have deployed Remote Help to all our users, we want to remove Quick Assist to improve security (so unauthorized people cannot remotely connect) and to ease confusion about which remote support tool to use.

There are several ways of doing this, but I’m taking the approach that we don’t have a custom image, since our devices have been enrolled through Windows Autopilot using vanilla images. So how can we remove the feature, and make sure that the end user doesn’t get creative with enabling it again?

The answer to this is using proactive remediations.

What are proactive remediations?

Proactive remediations are part of the Endpoint analytics section of Microsoft Endpoint Manager. You can find them by going to Reports > Endpoint Analytics > Proactive Remediations. By default you will have two script packages published by Microsoft.

A proactive remediation is a script package with which you can find and fix things on your clients before they generate a ticket to your help desk.

However, since these are scripts running, you can do just about anything, to be honest. Each script package consists of a detection script and a remediation script. The scripts are deployed to the devices through MEM and report back. You can find reports on how many times a script has run and how many times it has fixed an issue; “fixed an issue” means that it has run the remediation script. You can read more about how they work and what you can do on e.g. Microsoft Docs.

One thing you could do is to detect if a Windows component is active, and if found active then disable it.

How do I remove the new Quick Assist?

Due to an update, Quick Assist has now moved into the Microsoft Store, meaning that we need a new way to remove the Store app. The next section will cover the old application, which was a Windows capability.

There are several ways to remove pre-installed applications from Windows: you could either get the application from the Business Store and assign it as “Uninstall” for all devices/users, or you could use PowerShell to remove applications.

For this, we will use a Proactive Remediation to detect if Quick Assist is installed, and if so we will remove it. This removes the application even if the user installs it themselves. There are other ways to do this as well, like only deploying the removal part and blocking the application with AppLocker.

I’ve put these scripts in my GitHub repository, for this part use the *_app files.

First we will do detection:

# Detection script: look for the Store version of Quick Assist in the current user's profile
$WinCap = Get-AppxPackage -Name "MicrosoftCorporationII.QuickAssist"

try {
    If ($WinCap.Name -like "*MicrosoftCorporationII.QuickAssist") {
        # Exit code 1 tells Proactive Remediations to run the remediation script
        Write-Warning "Quick Assist installed - running remediation script"
        Exit 1
    }
    Else {
        # Exit code 0 means the device is compliant and nothing more happens
        Write-Host "Quick Assist missing - exiting"
        Exit 0
    }
}
catch {
    Write-Host "Quick Assist missing - exiting"
    Exit 0
}

If our detection script finds the application, we will run a remediation script to uninstall it, just two lines of simple PowerShell code (thanks @LasseiLarod for the contribution to this).

# Remediation script: remove the Store version of Quick Assist for the current user
$WinCap = Get-AppxPackage -Name "MicrosoftCorporationII.QuickAssist"
Remove-AppxPackage -Package $WinCap.PackageFullName

Now all we need to do is make sure that we run the script in user context, since the application is installed in the user context.

How do I remove the old Quick Assist?

One way I have found to disable Quick Assist, even if the user enables it again, is to use a proactive remediation which checks if Quick Assist is enabled on the device and, if it is, disables it.

The old Quick Assist isn’t an app installed from the Store; it’s a Windows capability, which means that we cannot uninstall it like an app.

To do this, we first need a script which will identify if Quick Assist is enabled. One way of setting that up is like this: a simple PowerShell script that my colleague helped me create (thank you Daniel).

I’ve put these scripts in my GitHub repository.

$WinCap = Get-WindowsCapability -online -name App.Support.QuickAssist*

If ($WinCap.State -match "NotPresent"){
    Write-Warning "Windows Capability - Quick Assist missing - exiting"
    Exit 0
}
else {
    Write-Host "Windows Capability - Quick Assist installed, Running Remediation script"
    Exit 1
}

This simple script checks if the Windows capability is enabled; if it is, the remediation script runs and disables Quick Assist. It’s a one-liner:

Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0

What could be good to keep in mind is that if the version of Quick Assist changes, this disable part will stop working. I’ve tried using a more generic string, but I couldn’t get it to work. However, my PowerShell skills are quite limited.
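The post’s two detection/remediation pairs (Store app and Windows capability) combined into a single pair, as an added example that is not the post’s code or its GitHub scripts. It assumes the scripts run as SYSTEM in 64-bit PowerShell rather than in user context, that Remove-AppxPackage -AllUsers and the Appx provisioning cmdlets are available, and that Quick Assist may also be provisioned for new users; the capability is removed by the name the OS reports instead of a fixed version string.

```powershell
# Added example, not from the post or its GitHub repository: one detection/remediation
# pair that covers both flavours of Quick Assist (Store app and Windows capability).
# Assumptions: the script runs as SYSTEM in 64-bit PowerShell, so -AllUsers is used
# for the Store app and Remove-WindowsCapability has the rights it needs.

$AppxName       = "MicrosoftCorporationII.QuickAssist"  # Store package name (from the post)
$CapabilityName = "App.Support.QuickAssist*"            # capability name prefix (from the post)

function Get-QuickAssistState {
    # Collect everything the OS reports so detection and remediation share one view.
    $appx = @(Get-AppxPackage -AllUsers -Name $AppxName -ErrorAction SilentlyContinue)
    $prov = @(Get-AppxProvisionedPackage -Online -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -eq $AppxName })
    $caps = @(Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction SilentlyContinue |
              Where-Object { $_.State -eq 'Installed' })
    [pscustomobject]@{
        AppxPackages = $appx
        Provisioned  = $prov
        Capabilities = $caps
        Present      = ($appx.Count + $prov.Count + $caps.Count) -gt 0
    }
}

function Remove-QuickAssist {
    $state = Get-QuickAssistState
    foreach ($pkg in $state.AppxPackages) {
        Write-Host "Removing Store app $($pkg.PackageFullName) for all users"
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Stop
    }
    foreach ($p in $state.Provisioned) {
        # A provisioned package is installed again for every new user profile, so remove it too.
        Write-Host "Removing provisioned package $($p.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName -ErrorAction Stop | Out-Null
    }
    foreach ($cap in $state.Capabilities) {
        # Use the name the OS reports instead of a hard-coded "~~~~0.0.1.0" version string,
        # so a new Quick Assist build does not silently break the remediation.
        Write-Host "Removing capability $($cap.Name)"
        Remove-WindowsCapability -Online -Name $cap.Name -ErrorAction Stop | Out-Null
    }
}

# Proactive Remediations convention: detection exits 1 when remediation is needed,
# 0 when the device is compliant. Set $Remediate to $true in the remediation script
# (or split the two halves into the two files Intune expects).
$Remediate = $false
try {
    if ($Remediate) {
        Remove-QuickAssist
        exit 0
    }
    if ((Get-QuickAssistState).Present) {
        Write-Warning "Quick Assist present - running remediation script"
        exit 1
    }
    Write-Host "Quick Assist not present - exiting"
    exit 0
}
catch {
    # Report the failure; a non-zero exit keeps the device visible as non-compliant in the report.
    Write-Warning "Quick Assist check failed: $($_.Exception.Message)"
    exit 1
}
```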

Categories
Intune Tips & Tricks

Exclude devices from profile

One of the most common ways to assign Windows Autopilot profiles is to use the wildcard argument for Autopilot devices in a dynamic Azure AD group:

device.devicePhysicalIds -any (_ -contains "[ZTDId]")

This is a powerful way of gathering all devices imported to Autopilot into a single group to assign either enrollment profiles, configuration profiles or even applications without the need for any additional work or use of group tags.

However, this group being so powerful makes things a bit harder when it comes to excluding devices that might need a different enrollment profile, for testing, a different device type or just a different use case.

There are different ways of doing this, but this is the way I found that works well and it assumes that you have another Azure AD group which you use to assign Enrollment Profiles, dynamic or assigned.

Let’s say we have two enrollment profiles:

  • Production profile
  • HoloLens profile

The “Production profile” is assigned using a group called “All Autopilot devices”, which gathers devices using the rule device.devicePhysicalIds -any (_ -contains "[ZTDId]") to include all devices imported to the environment.

We have also imported the HoloLens devices into our Autopilot device list, and we use a group tag to populate our “HoloLens devices” group, which is then used to assign the HoloLens profile.

Now comes the tricky part. Since we already have the “catch all” group, it will include the HoloLenses, which means that they will get the configuration profiles and applications assigned using that group.

Since our HoloLenses are a different type of device, we want to assign a separate set of configuration profiles and applications to them, meaning that we need to exclude them from the “All Autopilot devices” group and add them to a HoloLens-specific group to assign our HoloLens profile.

Creating our groups

To add them to the HoloLens deployment profile you can create a dynamic group which uses group tags to populate it. This requires you to add this group tag to all your HoloLenses. In this case, we will use the group tag “Hololens”.

(device.devicePhysicalIds -any (_ -eq "[OrderID]:Hololens"))

This will assign the HoloLens specific deployment profile to the device.

However, we also want to make sure that we do not include these devices in the bigger group which is used to assign the “regular” Windows policies. This was a bit trickier than I thought to be honest.

After playing around with excluding the group tag, which for some reason didn’t work that well, the most effective way was to exclude devices from my big “All Autopilot devices” group by using the fact that they have a deployment profile assigned to them. This value can be used in the rules for the group by saying that we don’t want to include devices that have a deployment profile called “Autopilot HoloLens” assigned to them.

device.enrollmentProfileName -ne "Autopilot HoloLens"

The outcome

By changing the rule to say that, in addition to the “catch all”, it should also not include anything that has the deployment profile “Autopilot HoloLens” assigned to it, we now have a group which excludes all HoloLens devices!

This can of course be used for other things than HoloLens; it applies to anything that has a deployment profile assigned to it.

There are other ways to accomplish this, but this is the easiest way I’ve found so far!
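The two rules from this post combined into one membership rule for the “All Autopilot devices” group, plus the group-tag rule for the HoloLens group, created with the Microsoft Graph PowerShell SDK. This is an added example, not the post’s own code: it assumes the Microsoft.Graph.Groups module and Group.ReadWrite.All permission, the group names from the post, and constructed mail nicknames.

```powershell
# Added example (not from the original post): create the two dynamic device groups
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph.Groups module
# is installed and the signed-in account may create groups (Group.ReadWrite.All).
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rules built from the fragments in the post. The -any operator needs the
# inner parentheses around the "_" comparison to parse correctly.
$CatchAll        = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
$NotHoloLensProf = '(device.enrollmentProfileName -ne "Autopilot HoloLens")'
$HoloLensTag     = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Hololens"))'

$Groups = @(
    @{  DisplayName  = "All Autopilot devices"
        MailNickname = "allautopilotdevices"       # constructed value
        Rule         = "$CatchAll and $NotHoloLensProf" },
    @{  DisplayName  = "HoloLens devices"
        MailNickname = "hololensdevices"           # constructed value
        Rule         = $HoloLensTag }
)

foreach ($g in $Groups) {
    # Do not create a duplicate; show the rule the existing group currently has instead.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.DisplayName)'"
    if ($existing) {
        Write-Host "Group '$($g.DisplayName)' already exists, current rule:`n  $($existing.MembershipRule)"
        continue
    }
    $new = New-MgGroup -DisplayName $g.DisplayName `
                       -MailNickname $g.MailNickname `
                       -MailEnabled:$false `
                       -SecurityEnabled `
                       -GroupTypes @("DynamicMembership") `
                       -MembershipRule $g.Rule `
                       -MembershipRuleProcessingState "On"
    Write-Host "Created '$($new.DisplayName)' ($($new.Id)) with rule:`n  $($new.MembershipRule)"
}
```

Dynamic membership is evaluated asynchronously, so give Azure AD a few minutes before checking that the HoloLens devices have dropped out of the catch-all group.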

Categories
Windows 365

CloudLAPS on CloudPC?

So I’ve been playing around a bit with Windows 365 Enterprise and thinking about “okay, what cool things should we try?”.

First step is of course to set it up and I thought about writing a guide about that. Halfway through my guide I realised that the one written by Christiaan Brinkhoff was far superior to mine, so go check his guide out!

One thing came to mind, however: could you get CloudLAPS to work on a Cloud PC?

Of course we needed to try this, even though I’m not 100% sure that you need it.

What CloudLAPS does is provide your PCs with a unique, randomized password for the local admin account on each machine, which is rotated on a given interval (default every 3 days). By using this functionality, all your PCs will have unique passwords for their local admin accounts, meaning that if a password is handed out to an end user or support personnel, it will stop working when the password is rotated.

The Cloud PC configuration

If you have not yet implemented CloudLaps, have a look at the guide in the link above, but if you have it in place, you are ready to go.

Since CloudLAPS is built on proactive remediations in Microsoft Intune, you will need to make sure that the Cloud PCs are included in the assignment by using (or adding) a group containing all your Cloud PCs. Windows 365 Enterprise gives you the benefit that Cloud PCs are automatically enrolled into Microsoft Intune, which gives you the possibility to manage them directly without any further action!

In this example, all the Cloud PCs are included in the same group as all other PCs since we want all these PCs to have the same settings. This was done by adding an extra rule to our Dynamic Group.

device.deviceModel -contains "Cloud PC Enterprise"

No additional configuration needed!

The outcome

The outcome of this test was as expected, worked perfectly fine!

A local admin password is populated in the CloudLaps portal, and I can use it on the machine to elevate my rights on the Cloud PC.

Since you can use the exact same configuration for Cloud PCs as physical PCs, you will not need to separate how you manage the Cloud PCs. They are just another PC, but in the cloud!

Categories
Intune for noobs

Intune for noobs – Intro

I’ve been thinking about doing something more educational for a while now, and I think this will be a great start: writing a guide on how to set up your own Microsoft Intune lab. We will take shortcuts and do dirty tricks, just to get going, so please don’t use this as an implementation guide in a real environment. We will also skip all the fancy steps such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

Here are the links to each part, and they are also published in the blog further down in the feed.

Sharing is caring, so my idea about this guide is to simply help you get started on your own Microsoft Intune journey and learn what it is and what it can do!

With this base, you can build further on your lab environment as you grow with the concept!

Enjoy!

Categories
Intune for noobs

Intune lab for noobs – part 1 // Pre reqs

I’ve been thinking about doing something more educational for a while now, and I think this will be a great start: writing a guide on how to set up your own Microsoft Intune lab. We will take shortcuts and do dirty tricks, just to get going, so please don’t use this as an implementation guide in a real environment. We will also skip all the fancy steps such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

What do I need?

There are a few things you will need in order to get started:

  • An Azure AD tenant
  • Microsoft 365 or EMS licenses (E3 or E5)
  • Hyper-V or some other virtualization platform
  • A Windows image
  • A mobile device or two
  • A Google account
  • An Apple ID

There are more things, but this is a good start.

Getting a tenant

This can sound like the most cumbersome and expensive part, but it doesn’t have to be. Depending on your level of commitment, there are different ways to go about this. Azure AD itself is free of charge, but you will need licenses to run Microsoft Intune. You could either buy these or get a test tenant for free from Microsoft. You can get a one-month free trial from the Microsoft 365 info page, which isn’t persistent if you don’t buy the license once it has expired. You can also sign up for a free trial of Microsoft Intune from Microsoft Docs and then enable a 90-day free trial of Enterprise Mobility + Security E5 if you go to Devices > Enroll Devices > Windows Enrollment > Automatic Enrollment. This will include everything you need to test Intune, but no Microsoft 365 services.

The best option is to sign up for the Microsoft 365 Developer program and get a tenant and licenses which will be renewed every 90 days if you sign in at least once.

My recommendation for your lab is to get the latter. You will want something that sticks around for more than 30 or 90 days.

By using the Microsoft 365 Developer program, you can also get sample data (users, generated emails, SharePoint sites) to make the environment more realistic with minimal effort.

The setup process is simple: you will need to register with Microsoft, and then you will be able to create your tenant. Microsoft has a good step-by-step guide which you can find here!

Give your tenant a cool name (or just something you remember) and you are ready to go!

Once you have your tenant set up, use your admin account to sign in to endpoint.microsoft.com and BAAAM, you are now in the Intune portal!

Hyper-V or another virtualization platform

The reason we want a virtualization platform is to spin up some virtual test clients. There are numerous ways of doing this, but for small scale this is the simplest way.

If you are using a Windows-based machine, you can enable Hyper-V in different ways. The easiest way is to simply run the PowerShell console as admin and run the following command (something I learned by writing this post):

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

When the command is successful, reboot the machine.

If you are not comfortable with PowerShell, you can simply enable it in the “Turn Windows Features on or off” section of Programs and Features in the Settings app.

We will come back to how to use Hyper-V in a later section where we set up Windows management.

Getting a Windows image

There are a lot of different ways of getting a Windows image for testing purposes. If you have an MSDN/Visual Studio subscription, you can download it from your subscription’s downloads. But if you don’t have that, the easiest way of getting a Windows image is to simply download it from Microsoft using the Media Creation Tool found here.

Once you have downloaded and started the tool, you can follow the on-screen wizard to obtain the image.

First, accept the terms and conditions page, then make sure to select “Create installation media”.

Select the language you require and make sure you get the 64-bit version (you don’t need 32 bit).

Select that you want this as an ISO file.

When you press next, it will ask you where you want to save the file and the download will start.

Mobile devices

Depending on what you want to do with your lab, I suggest you get at least one mobile phone. This could be any phone which is fairly up to date (iOS 12 and higher or Android 6.0 or higher).

For my lab, I’m using a cheap Samsung Galaxy A20 that I got on a sale which is running Android 10 and an iPhone X (which is my primary personal device). However, if possible, I strongly recommend using secondary devices for your lab, at least if you want the wipe features.

Google Account

Why do we need a Google account in the Microsoft world? Simply to activate and be able to use the Managed Google Play store and its enterprise features. This can be a regular Google account; I’m using one that I’ve had for ages (in the real world, make sure to use a dedicated account which is NOT personal). If you already have a Gmail account, that will do just fine!

If you plan on sharing this environment with more people, use a dedicated account.

Apple ID

To enroll Apple devices in Microsoft Intune, we need to obtain a certificate from Apple. For that, we need an Apple ID.

The same goes here: for your personal lab you can use an existing Apple ID which is not dedicated to the purpose (for real-world use, set up a dedicated account). We will use this account later when we configure iOS/iPadOS management!

Ending notes…

And that’s about it for the prerequisites to set up your own Microsoft Intune lab!

In the next step, we will do some basic configuration of your brand-new Microsoft Intune tenant!

Categories
Intune for noobs

Intune lab for noobs – part 2 // The basics

This is part two of the series on building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going, so please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

Setting up the basics

First step is to enter the magic world of Microsoft Intune, which you access from endpoint.microsoft.com. This is your go-to place for managing devices and you can also access the Azure Active Directory (Azure AD) from here.

The default landing page

To get going, you will need a test user and some groups; this is the first thing we will create.

In this part we will:

  • Enable MFA
  • Create users
  • Create groups
  • Enable Apple enrollment
  • Enable Google Android enrollment
  • Customize Company Portal

Enabling MFA

Security is important, even in a lab. I guess you are used to MFA by now, so let’s enable it for our lab tenant in the simplest way we can. It’s enabled by default for your Global Admin account, but we need this for all accounts.

Depending on which way you got your license, this might or might not be available since it requires premium licenses for Azure AD.

Since there are a lot of better guides than I can ever write on this, this is how you do it in the simplest way: Enable per-user Multi-Factor Authentication – Azure Active Directory | Microsoft Docs

Creating a user

(If you already have users with assigned licenses, you can skip this part)

Simplest way to create a user is to click on Users in the left side menu and then just click “+ New user” in the top ribbon.

For this lab purpose, we will fill out the bare minimum, which is to set a user name, name and location (licenses require a location). Select to auto-generate the password and make sure to save it somewhere (OneNote is usually where I keep my lab information).

Next step is to assign a license to our new user. The easiest way to do this is to simply click on your newly created user and select “Licenses”.

Click on “+ Assignments” and then select the appropriate license you want to assign. Don’t forget to press save!

We now have a user which is allowed to enroll devices into Microsoft Intune!

Create groups

For this setup, we will create two groups. One user group and one Windows device group. You can of course create more groups, but to simplify we will start with these two!

To create a group, select Groups in the left side menu and then click “+ New group” in the ribbon.

For our user group, we will keep it simple and set a name and use “Dynamic User” as Membership type. Please note that this requires you to have an Azure AD P1/P2 license; if your trial does not come with that, use “Assigned” as Membership type instead for the two groups we will create. This means that you will have to add the devices and users manually.

Next step is to create our rule by clicking “Add dynamic query” at the bottom. We will use a very simple rule which says to add all enabled accounts to the group.

This isn’t a good rule to use in real life, since we will also add all our admin users to this group. But for the sake of keeping things simple, this is good enough I would say.

Hit “Save” and then “Create“.

Next up is our Windows Autopilot group.

Same steps as previously, but this time select “Dynamic Device” as Membership type.

Next step is to create our rule by clicking “Add dynamic query” at the bottom. This time we will create a rule which will fetch all our Windows Autopilot devices.

Instead of manually entering the rules, click edit on the far right and add this string:

(device.devicePhysicalIDs -any (_ -contains "[ZTDId]"))

You will see that the property, operator and value is populated once you have added it.

Hit “Save” and then “Create“.

We have now created all the users and groups we need to get going but you can of course build on this and create even more groups and users to your liking.
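If you would rather script the two groups than click through the portal, here is an added example using the Microsoft Graph PowerShell SDK. It is not part of the original post. The group names and the “admin-” user-name prefix are made-up lab conventions, and the script assumes the Microsoft.Graph.Groups module is installed. The user rule is the post’s “all enabled accounts” rule with one extra clause that keeps admin accounts out, which addresses the caveat above; the device rule is exactly the Autopilot rule from the post.

```powershell
# Added example (not from the original post): create the two groups from this part
# with the Microsoft Graph PowerShell SDK instead of clicking through the portal.
# Assumptions: the Microsoft.Graph.Groups module is installed, and the group names
# and the "admin-" user-name prefix below are made-up lab conventions.

# Group.ReadWrite.All is enough to create groups; dynamic groups still need Azure AD P1/P2.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-LabDynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # Return the existing group instead of creating a duplicate, so re-running is safe.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if ($existing) { return $existing }

    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState 'On'
}

# User group. The post's rule (all enabled accounts) also pulls in admin accounts;
# the second clause excludes accounts that follow the assumed "admin-" naming convention.
New-LabDynamicGroup -DisplayName 'Lab - All Users' `
    -MembershipRule '(user.accountEnabled -eq true) and (user.userPrincipalName -notStartsWith "admin-")'

# Device group. Same rule as in the post: every device that has an Autopilot ZTDId.
New-LabDynamicGroup -DisplayName 'Lab - Autopilot Devices' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'
```

Dynamic membership is evaluated by the service in the background, so the groups will show zero members for a few minutes after creation; that is normal and not a sign that the rule is wrong.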

Enable enrollment

By default, Windows enrollment is always enabled. For iOS, iPadOS, macOS and Android we will need to add some connectors to enable management.

Apple devices

To setup Apple enrollment, we need an Apple ID to request a certificate from Apple. For your lab (if you are the only one using it) you can use the Apple account you already have.

Select Devices in the left side menu, then select Enroll devices, then Apple enrollment. You will notice that all options except one are grayed out since we are missing the Apple MDM Push certificate which enables all the services.

Select the “Apple MDM Push certificate” option and you will be asked to grant Microsoft permission to send information to Apple by checking the box. Secondly, download the CSR and save it somewhere on your computer.

Next step is to click the “Create your MDM push certificate” and you will be asked to sign in with your Apple ID to the Apple certificate portal.

As you can see, I have quite a few certificates from different previous labs (and my current one). Your list will most likely be empty.

Select “Create a Certificate” and accept the terms of use and on the next page upload the CSR file you downloaded previously. I’m also adding a comment for myself that this is for the Intune for Noobs environment. Then click “Upload“.

Once the CSR is uploaded, an Apple MDM Push certificate will be issued with an expiration date 1 year into the future. Intune will warn you once you are getting close to the renewal date.

Download the certificate to your computer and save it, then head back to the Microsoft Intune portal and enter the email address of your Apple ID in step 4, then upload the certificate you just downloaded. Then click “Upload” and you have successfully enabled management of Apple devices. You can close the flyout with the X in the upper right corner to end up back on the “Enroll devices” page.

Google Android

To enable the modern management methods of Android, called Android Enterprise, you will need to link a Google account to Managed Google Play.

Select “Android Management” in the list and you will notice the same thing here: all options under Android Enterprise are grayed out except connecting Managed Google Play.

Click the “Managed Google Play” option and a flyout will appear. Grant Microsoft permissions to send information to Google, then click “Launch Google to connect now“. A pop-up will appear asking you to sign in to Google. If you don’t have a Google account you want to use, or want to create one for the purpose of this lab, you can select to create an account to manage your organization with. Otherwise use an existing Google account.

Once you have signed in, click “Get started” on the landing page displayed.

Next step is to add your business name (this could be whatever). I’ve named mine the same as in the Microsoft world.

On the next step, you are asked to fill out some contact information, you can skip this and just check the box at the end. Then finish the wizard.

Once done and you have selected to finish the setup, you will be redirected back to Intune, and you will see that the service is active.

Customize Company Portal

Last thing we will do is to add some customization to Company Portal but also the sign-in experience (which we will use in Windows Autopilot).

First off, select “All services” in the left side menu and then select “M365 Azure Active Directory“. A new tab will open; select “Azure Active Directory” in the left side menu. Then navigate to “Company Branding” in the list and select “Configure” to get started. You can add a lot of custom backgrounds and logos, but to keep it super simple for now we will only enable “Show option to remain signed in” at the bottom and click save. You can come back here later and add your custom things.

Click save and then close the Azure AD portal and head back to Microsoft Intune.

In Microsoft Intune, select “Tenant administration” in the left side menu, then navigate to “Customization“. This is where you can add customizations to the Company Portal app, which is the end-user side of Microsoft Intune and the portal where users get applications and information.

To edit the settings for the portal, click Edit at the top of the page (next to Settings).

To keep things simple, we will only add the required information to this, but you can come back later and add more.

I’ll add my company name, and leave the rest of the branding part to default.

Further down under Configuration I will add a URL to my “Privacy statement”. In this case it’s just the URL to my blog. You need to add something, and it’s a good idea to choose something that exists so you can try the link when playing around in the Company Portal.

Once you have added those two, click “Review + save” and then “Save“.

Ending notes…

We have now prepared our Microsoft Intune environment to start doing some real stuff. In the next part we will setup some really simple management of Windows including enrollment through Windows Autopilot.


Intune lab for noobs – part 3 // Windows

This is the third part of the series of building your own Microsoft Intune lab. We will take some shortcuts and do some dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip a lot of fancy steps such as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

Windows management

As I stated in the previous part, Windows management is enabled by default. However, there is one thing you will need to enable, which is Automatic Enrollment. This requires an Azure AD Premium license, which is included in the EMS and M365 Dev setup.

To enable this, select Devices in the left side menu. Then navigate to Windows, then Windows Enrollment. Select the “Automatic Enrollment” option.

Make sure to set the “MDM user scope” to All then click save. You can leave everything else set to default.

That’s about it! We are now ready to start setting things up for your lab!

Guided scenarios

As I said, we will take some shortcuts in this tutorial to get you going, therefore we will use the Guided Scenarios found on the landing page of Microsoft Intune (just click Home in the left side menu).

Click start under “Deploy Windows 10 and later in cloud configuration” and the wizard for setting up a basic Windows Autopilot configuration will kick-off.

On the first screen, read through the information and then click Next.

On the Basics tab, leave “Apply device name template” set to default, but add a Resource Name Prefix such as Win10 to help you visually identify that this is for Windows. Then click Next.

On the Apps tab, leave everything at default. This will install Microsoft Teams and Microsoft Edge, but not the full M365 Apps suite (this can be added later on if needed). Click Next.

Since we already created a device group, select “Choose an existing group” and add the device group you created earlier. Click Next.

On the last page you will be able to review your settings under “Configurations to be made“. When you are happy with your options, select “Deploy” and wait for the process to finish.

You have now taken a real shortcut to get going with basic settings for your Windows devices.

You can of course build further on this, but as part of this tutorial we will leave it at this.

Preparing a Windows device

So next step is to prepare your Windows device for Windows Autopilot. The easiest way to do this is to export the Hardware ID using PowerShell. Don’t be alarmed, you don’t need to be a code monkey or script kiddie to run this; it’s only a few rows that you need to run.

Depending on what state your device is in, you can run this either from an elevated PowerShell prompt in a Windows session which is up and running, or during the OOBE setup. In my example down below, I will run this from a Virtual Machine in Hyper-V during the OOBE setup. To create a Windows 10 VM in Hyper-V, you can follow this guide from Microsoft.

If you are using Hyper-V, make sure to enable the TPM feature in Settings on the virtual machine. We will need this for BitLocker.

Once you reach the start of the OOBE, stop at selecting language.

Press SHIFT and F10 (you might need FN as well depending on your keyboard) to launch a command prompt. Then type powershell and hit enter to start PowerShell.

Next, we will run three lines of PowerShell commands. You can find more information about it on Microsoft Docs.

# Install the Get-WindowsAutopilotInfo script from the PowerShell Gallery
Install-Script -name Get-WindowsAutopilotInfo -Force
# Allow the downloaded script to run in this PowerShell session only
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Collect the hardware hash and upload it straight to Intune
Get-WindowsAutoPilotInfo -Online

Run the lines in the PowerShell window. You can copy-paste by going to Clipboard > Type Clipboard text in the Hyper-V session.

You will be asked to press Y for yes a few times during the process to install the script.

When you have run the “Get-WindowsAutoPilotInfo -Online” line, it will install a few modules and then you will be asked to sign in using your Microsoft account. Use the account you have signed into Intune with (it has the required access as Global Admin, but a user with the Intune Admin role will be sufficient in the long run).

When you run this the first time you will be asked to consent to the permissions the script requires; scroll down and press Accept.

Once you have accepted, the process of gathering the Hardware ID will start automatically, but don’t close the session until it has finished. This will take up to a few minutes. Once you can confirm that the script has finished successfully, turn off the computer, or reset Windows if you are doing this from an already up and running Windows client (you will lose all data).

Head back over to Microsoft Intune to confirm that the computer was successfully imported by navigating to Devices > Windows > Windows Enrollment and select Devices.

This is the section where all your imported Windows Autopilot devices will be listed, and you can see if a Deployment profile has been assigned to the device.

Once the Deployment profile has been assigned to the device, you will see that the Profile status is set to “Assigned“. This usually takes about 10-15 minutes and there is nothing to do but wait. If you click on the machine you can see some more information, such as which profile is assigned.
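For those who want the whole device-preparation step in one script, here is an added example that is not part of the original post and not code from the Get-WindowsAutopilotInfo project. It wraps the three commands above, first checks that the TPM you were told to enable in Hyper-V is actually present and ready (BitLocker from the cloud configuration scenario depends on it), and then either uploads the hardware hash straight to Intune and waits for the “Assigned” profile status, or, with the -Offline switch, writes the hash to a CSV for manual import under Devices > Windows > Windows Enrollment > Devices. The ‘LabAutopilot’ group tag and the CSV path are made-up values; the script assumes an elevated PowerShell prompt (Shift+F10 at OOBE works).

```powershell
# Added example (not from the original post or the Get-WindowsAutopilotInfo project):
# verifies the TPM, installs the Autopilot script once, then collects the hardware hash.
# Assumptions: run from an elevated PowerShell (Shift+F10 at OOBE works), the
# 'LabAutopilot' group tag is a made-up value, and the CSV path is just a local-disk location.
param(
    [switch] $Offline,                   # set this when the device has no network at OOBE
    [string] $GroupTag = 'LabAutopilot'  # constructed tag; omit or change it for your own lab
)
$ErrorActionPreference = 'Stop'

function Test-TpmReady {
    # Get-Tpm ships with Windows (TrustedPlatformModule module). The cloud configuration
    # scenario pushes BitLocker, which fails on a VM whose TPM is missing or not ready.
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Install-AutopilotScript {
    # Same two commands as in the post, but skip the download when the script is already there.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    if (-not (Get-InstalledScript -Name Get-WindowsAutopilotInfo -ErrorAction SilentlyContinue)) {
        Install-Script -Name Get-WindowsAutopilotInfo -Force
    }
}

if (-not (Test-TpmReady)) {
    throw 'TPM is not present or not ready. Enable the TPM in the VM settings before enrolling.'
}

Install-AutopilotScript

if ($Offline) {
    # Offline path: write the hash to a CSV and import it later in the Intune portal under
    # Devices > Windows > Windows Enrollment > Devices > Import.
    $csv = Join-Path $env:SystemDrive 'AutopilotHWID.csv'
    Get-WindowsAutopilotInfo -OutputFile $csv -GroupTag $GroupTag
    Write-Host "Hardware hash written to $csv"
} else {
    # Online path: upload directly, then wait until Intune has assigned a deployment
    # profile, which is the 'Assigned' status the post tells you to look for in the portal.
    Get-WindowsAutopilotInfo -Online -GroupTag $GroupTag -Assign
}
```

The group tag is optional, but it is worth setting in a lab: a dynamic device group with the rule (device.devicePhysicalIds -any (_ -eq "[OrderID]:LabAutopilot")) lets you target only the devices you imported with this tag, rather than every Autopilot device in the tenant.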

Enroll your device

Now it’s just the fun part left. Enroll your device!

Just simply start your computer or virtual machine again and follow the on-screen instructions. Once you have selected language, keyboard locale and network (if physical device) you will end up on a screen saying, “Welcome to [your company name]” and you will be asked to sign in.

Sign in using the account we created earlier and just follow the flow. If this is the first time you sign in with this user, you will be asked to set up MFA and change the password.

The enrollment typically takes between 20-30 minutes depending on how many applications are being assigned. You can follow the progress on the screen. You can expand each section to track progress.

At one point in the process, you will be asked to sign in again, this is to set the user affinity and configure the “Account setup“.

Ending notes

We have now successfully set up an extremely basic Windows configuration that you can play around with. If you go to Devices > Windows > Windows Devices you will see all your enrolled devices and information about them. You can also perform remote actions on them, which I encourage you to try!

Since this is an isolated lab environment, try stuff out. You can’t really break anything and worst-case scenario you will have to re-install the Windows client.

Play around. Have fun.

In the next part we will dig into iOS management!