Conditional Access: Restrict access to company resources and only grant access to trusted IPs

Introduction

I have previously given a few examples on use cases for Conditional Access, and I admit, for the Conditional Access newbie, the options available can seem daunting. So how about a very simple scenario, where access to company resources are blocked, if not coming from a trusted IP?

Imagine service accounts running some Powershell scripts for automation in your Azure/O365 tenant or other accounts who are never meant to be used outside of your organization. Simply block those from authenticating in Azure/O365 if not coming from your headquarter public IP. This is how you can do just that, using Conditional Access.

Illustration of the conditions of a Conditional Access rule. In this scenario, location is in focus

Read more…

Flipping the switch, part 3: Moving Software Updates workload to Intune MDM (Co-management with SCCM)

Introduction

Continuing on the Co-management and flipping the switch journey. I have previously been going through how to initially enable Co-management with Configuration Manager and Microsoft Intune, and how to move some of the Endpoint Protection workloads to Intune MDM.

This time I will walk you through how I moved the Software Updates workload from Configuration Manager to Intune MDM. Everything still based on a production environment and along the lines some additional ramblings on the topic.

Example of 2 Windows 10 update rings in Microsoft Intune

Read more…

Microsoft Intune and Conditional Access in a Co-management scenario

Introduction

Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.

So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.

Read more…

Conditional Access: Restrict access to Exchange Online and only grant access to company enrolled devices using the Outlook app

Introduction

Long title, but that’s actually what this post is going to cover; how you can secure the access to company e-mail accounts and only allow access to such, if coming from an enrolled (compliant) Intune device and that device uses the Outlook app.

In this scenario, we only uses iOS devices and of such only allow enrollment of iOS devices, but this can of course be android and Windows as well. Everything in this post is achievable with the use of Microsoft Intune and Conditional Access in Azure. Curious? Read on 🙂

Read more…

How to renew Apple Push Certificate in Microsoft Intune standalone

Introduction

I have previously done a short post on how to renew the Apple Push Certificate when having Intune integrated with Configuration Manager (Hybrid). Since then, I’ve changed the MDM authority to Intune standalone and therefore the procedure changes slightly. Again, this is taken directly from an production environment and my certificate was due to expire in roughly 30 days. For the curious, this is the exact steps I went through to renew our Apple Push Certificate in Microsoft Intune standalone.

Picture of the front page of the Apple Push Certificate portal

Read more…

Flipping the switch, part 2.1: Exploit Guard challenges (Co-management with Intune MDM and SCCM)

Introduction

Just quickly following up on my previous post, on how I moved some of the Endpoint Protection workloads into Intune MDM (in a Co-management scenario with Configuration Manager). More specifically, I moved the Exploit Guard capabilities and while walking through the process, I mentioned the possible impact of Exploit Guard in an enterprise environment.

Again, this post is to highlight the possible impact of turning on a very specific ASR (Attack Surface Reduction) rule in Exploit Guard. Turns out, that this specific rule is not documented by Microsoft (at least I can’t find it in the Exploit Guard documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules) and the impact is quite significant to those using Configuration Manager (and possible other stuff too). Curious? Keep reading 🙂

What Attack Surface Reduction rule?

The rule in question is having an ID of: D1E49AAC-8F56-4280-B9BA-993A6D77406C. This is not mentioned anywhere in the Exploit Guard documentation. In Intune, it’s the one I’m highlighting below:

Read more…

Flipping the switch, part 2: Moving Endpoint Protection workload to Intune MDM (Co-management with SCCM)

Introduction

Continuing the Co-management journey from last week, where I went through the steps required to setup co-management with Configuration Manager. This week I’m moving the Endpoint Protection workloads into Intune MDM. The ability to transition the Endpoint Protection workloads is brand new, and became available in Configuration Manager 1802. As of now, the endpoint protection workloads consists of following features:

  • Windows Defender Application Guard
  • Windows Defender Firewall
  • Windows Defender SmartScreen
  • Windows Encryption (BitLocker)
  • Windows Defender Exploit Guard
  • Windows Defender Application Control
  • Windows Defender Security Center
  • Windows Defender Advanced Threat Protection

Following walkthrough is exactly how I moved some of the Endpoint Protection features (more specifically Exploit Guard and some modifications to the Defender Security Center) into Intune MDM for at pilot group consisting of computers.

Endpoint Protection device configuration profiles

Read more…

Flipping the switch: How to enable Co-management in SCCM Current Branch (System Center Configuration Manager)

Introduction

Co-management! This will be a quick post, because it’s actually quite easy to setup. It was announced last year at Ignite in Orlando and it’s being pushed heavily these days by Microsoft. For those who don’t know the ups and downs, co-management is basically (for those using ConfigMgr already) managing computers with both a Configuration Manager client and Intune MDM.

There are different possibilities to achieve co-management. It may sound complicated, but it’s not. I will walk you through the few steps required, as well as cover the precise prerequisites and how to troubleshoot issues if any. Note: This is precisely how I have done in a production environment. Curious? Read on 🙂

My 2 devices being co-managed

Read more…

Remove inactive devices in Intune automatically using Microsoft Graph API and Powershell (and a scheduled task)

Introduction

*Updated July 23 2018: Minor changes to the script doing the deletion*

Just like we do in Configuration Manager, Active Directory, Exchange and anywhere else (where possible), It’s a good idea to keep things clean (at least I think so). Clean in terms of removing inactive computers, objects, mailboxes and so forth. This brings me to Microsoft Intune and how we can leverage Microsoft Graph API through Powershell to automatically remove inactive devices, and doing so on a schedule through a scheduled task. Curious? Read on 🙂

Example of devices that haven’t checked in for 30 days

Read more…

Change device ownership in Microsoft Intune standalone using Microsoft Graph API and Powershell

Introduction

When enrolling devices into Microsoft Intune using the Company Portal, the devices end up enrolling as personal owned. This can be changed manually on each device directly in the Intune portal after enrollment. Making sure that all devices are company owned refines management and identification, as well as enabling Intune to perform additional management tasks. Also, for additional security, you can configure device restrictions to block enrollment of devices that are not company owned.

But what if we don’t like to do stuff manually and have hundreds or thousands of devices? Automation through Microsoft Graph API and Powershell to the rescue.

Read more…