Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

August 7, 2019August 6, 2019 by Martin Bengtsson

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. 🙂

Configure OneDrive Known Folder Move with Administrative Templates in Microsoft Intune

July 10, 2019July 10, 2019 by Martin Bengtsson

Introduction

Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?

Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move. Exciting!

While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.

Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

June 14, 2019June 14, 2019 by Martin Bengtsson

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Connect to Exchange Online with Powershell, Modern Authentication and Conditional Access

April 2, 2019March 31, 2019 by Martin Bengtsson

Introduction

This is not one of the usual topics I blog about, but nonetheless it’s quite relevant. If you leverage Conditional Access to protect your corporate resources, good chances are that you are blocking legacy authentication (or at least that is something you should consider doing).

If you also fancy connecting to Exchange Online using Powershell for automation reasons, another good chance is that this is done with basic/legacy authentication. This is obviously a conflict with my first statement, so I figured it would make a good blog post to describe how to connect to Exchange Online automated with Modern Authentication while being protected by Conditional Access.

Connect to Microsoft Graph for Intune with Powershell ISE Add-ons

April 18, 2019March 4, 2019 by Martin Bengtsson

Introduction

If you are working with Microsoft Intune on a daily basis, chances are that you are familiar with the awesome Powershell Intune Graph script samples over at GitHub: https://github.com/microsoftgraph/powershell-intune-samples.

I have previously blogged specifically about putting 2 of the scripts to use here:

If you are less familiar with Powershell, the script samples might seem a bit intimidating and difficult for some to put to use. The new Microsoft.Graph.Intune PowerShell Module to the rescue!

Now, this post is not about using the actual module, but how you with a single click can connect to the Graph API and gain access to all the available cmdlets in a very easy and sufficient way.

Install Google Chrome Extensions using Microsoft Intune in 3 different ways (Powershell, ADMX ingestion and MSI)

March 3, 2019February 27, 2019 by Martin Bengtsson

Introduction

I have previously covered the approach on how to install Google Chrome extensions using System Center Configuration Manager. Find my post here: https://www.imab.dk/forcefully-deploy-the-windows-defender-google-chrome-extension-using-configuration-manager/

Then it came to my attention that Microsoft released another and new extension for Chrome last week. It’s called Microsoft Web Activities. This made me go through the approach again, and figured I wanted to cover the methods on how to install Google Chrome Extensions using Microsoft Intune.

PXE boot your way into Windows AutoPilot and Windows 10 Shared PC

March 1, 2019February 18, 2019 by Martin Bengtsson

Introduction

This is a continuation of my previous post on Windows AutoPilot for existing devices. This time covering a similar scenario, where I’m PXE booting an existing device (known or unknown to ConfigMgr) into a Windows 10 Shared PC with Windows AutoPilot and Microsoft Intune

Now, the scenario might have many similarities compared to last week, but nevertheless there’s a real purpose with the crazyness. This is about getting started with Windows AutoPilot and giving you inspiration on how to do that. In my environment, it’s a whole lot easier to make the switch into AutoPilot for non-user devices (I bet I’m not alone on this one). That be devices which are shared between users in public spaces and kiosk devices in particular.

Also, devices in this category are quite often not brand new and might even be old repurposed user-devices (hence we cannot ask our reseller to add them into AutoPilot prior to delivery and thus we have to do it ourselves) 🙂

A peek into the **AutoPilot Deployment Profiles** in my environment

Install RSAT (Remote Server Administration Tools) for Windows 10 v1809 using Microsoft Intune

December 30, 2018December 29, 2018 by Martin Bengtsson

Introduction

I don’t know if this will have many uses, but I did a similar post on how to deploy RSAT for Windows 10 v1809 using SCCM (System Center Configuration Manager) back in October when 1809 was initially released. As most people know by now, RSAT is no longer a separate downloadable add on to Windows, but something which is included as “Features on Demand” in the OS itself.

For your convenience, find my previous post here: https://www.imab.dk/deploy-rsat-remote-server-administration-tools-for-windows-10-v1809-using-sccm-system-center-configuration-manager/)

What if you don’t have SCCM and instead are fancying Microsoft Intune for software deployments? You might even run SCCM and Microsoft Intune Co-Management and like to do stuff differently and experimenting like I do? Then this post will be for you 🙂

Company Portal displaying my RSAT 1809 Win32 app (Sorry for the obscure language (Danish). Company portal insists on being in Danish on my computer)

Azure AD Application Proxy, Single Sign-On and Conditional Access

November 19, 2018November 18, 2018 by Martin Bengtsson

Introduction

As the topic suggests, the following post will be about the Azure AD Application Proxy feature – a feature within Azure Active Directory. I haven’t blogged specifically about this feature before, but I do think it deserves a mention here as well.

I will go into details on how to provide secure remote access to an internal IIS website, and give an example on how to add single sign-on to that experience while protecting everything with Conditional Access.

This post will be followed up with a continuation, where everything will be put to use on a mobile device with a Microsoft Intune managed Edge browser. Curious? Read on and stay tuned 🙂

The end result where an internal IIS is reachable from www

How to automatically join Windows AutoPilot devices to On-Premises AD (Hybrid Azure AD Join)

November 10, 2018November 7, 2018 by Martin Bengtsson

Introduction

Good news everyone! The feature was introduced at Ignite earlier this year and now it’s finally here. Windows AutoPilot now allows you to join your Windows 10 v1809 devices to your on-premises Active Directory (Hybrid Azure AD Join). All the magic lies in a new Intune connector for Active Directory. Sounds exciting, right? This will be everything you need to know, on how to get started with this new amazing feature.

The new Intune Connector for Active Directory (Preview)