Part 17 – Configure Microsoft Intune – Corporate Device Identifiers

Import a single device or a whole batch of devices into Intune from a CSV file. This is one of the options you have when you want to block personal devices: with that block in place a user cannot simply enroll a device into Intune, the device must first be identified as corporate-owned. How does this trick work in Intune? Read on, because this time it is all about Corporate device identifiers.

Why should I assign the device as corporate-owned?

To refine management and identification. Intune can perform additional management tasks and collect additional information, such as the full phone number and an inventory of installed apps, from devices it knows to be corporate-owned.

When is the device corporate-owned?

Within Intune you have multiple ways to enroll a device:

  • For iOS – Device Enrollment Program (DEP), Apple School Manager or Apple Configurator.
  • For Windows – Azure Active Directory join.
  • For Samsung device only – Knox enrollment.

With these options the device will be assigned automatically as corporate-owned.

There are also ways to mark a device as corporate-owned manually:

  • By a CSV list of serial numbers or IMEIs (mostly when your organization uses different types of Android devices).
  • By changing the ownership of an already enrolled device to Corporate, device by device.
  • By enrolling the device with a Device Enrollment Manager (DEM) account (for all platforms).

If you have blocked personally owned devices in Enrollment restrictions, a user cannot simply enroll his device into Intune. A device enrolled through DEP, Azure AD join or Knox is marked as corporate-owned automatically. For a device that is not compatible with DEP, Azure AD join or Knox you have to use the CSV file: importing its serial number or IMEI marks the device as corporate-owned before enrollment, and that is what allows the user to enroll it.

Alrighty then, let’s try this out

First, we have to block personal devices.

Go to the Intune portal -> Device enrollment -> Enrollment restrictions

Click on Default

Click on Properties and then on Configure platforms.

Click on the block button beneath Personally owned. Click on the Ok button.

Click on the Save button. From now on a user can no longer enroll a device on his own, because it will be identified as personal. Enrollment has to be prepared on the Intune side: via DEP or Knox, or manually by importing the CSV file.

Let’s try on the Android device

If you don’t have the Intune Company Portal app already, download and install it from Google Play.
Open Intune Company Portal
Sign in.
Enter here your email address/login name.
Enter here your password.
The app is connecting to Intune.
Checking for security requirements
Continue
Continue
Next
Allow
Scroll down for more options.

Activate this device administrator.

Processing, adding your device to Company Portal.
This is the message you get when you try to enroll the device as a personal device.

Sign out.

You are back at the sign in page.

You see that a personal device is not allowed to enroll into Intune. You must mark this device as corporate-owned first. Before you can do that, you have to find the serial number and/or IMEI of your device; you will need it for the following steps.

Go to the settings of your device and touch on About phone.
Touch on Status.
Touch on IMEI information.
Here you can find the IMEI numbers. A dual-SIM device has two IMEIs; use the one Intune will report for the device, or simply import both (one row each).

Note the one which you are going to use.

Now that you have the IMEI number, you have to put it into a CSV file. The CSV must have two comma-separated columns and no header row. The first column is the serial number or IMEI. The second column is for details. Details are limited to 128 characters, are for administrative use only and are not displayed on the device. A CSV file may contain at most 5,000 rows.
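As an added example (not code from the original post), here is a PowerShell helper that builds and checks such a CSV before you upload it. The two-column, header-less layout, the 128-character detail limit and the 5,000-row limit come from the text above; the Luhn check for IMEIs, the loose serial-number pattern and the sample device are assumptions added here.

```powershell
# Added example, not from the original post. Builds the header-less two-column CSV that the
# Corporate device identifiers import expects and validates every row first.
# Assumptions: IMEIs carry a Luhn check digit (standard for 15-digit IMEIs); serial numbers are
# only checked loosely; the sample IMEI is the usual documentation example, not a real handset.

function Test-Luhn {
    # Luhn (mod 10) check: from the right, double every second digit, sum the digits, total % 10 == 0.
    param([Parameter(Mandatory)][string]$Digits)
    if ($Digits -notmatch '^\d+$') { return $false }
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Test-CorporateIdentifier {
    param(
        [Parameter(Mandatory)][string]$Identifier,
        [Parameter(Mandatory)][ValidateSet('IMEI', 'Serial')][string]$Type
    )
    switch ($Type) {
        'IMEI'   { return (($Identifier -match '^\d{15}$') -and (Test-Luhn $Identifier)) }
        'Serial' { return ($Identifier -match '^[A-Za-z0-9\-]{1,64}$') }   # assumption: loose serial format
    }
}

function New-CorporateIdentifierCsv {
    # $Devices: objects with an Identifier and a Detail property. Returns the lines written.
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [Parameter(Mandatory)][ValidateSet('IMEI', 'Serial')][string]$Type,
        [Parameter(Mandatory)][string]$Path
    )
    if ($Devices.Count -eq 0)    { throw "No devices given." }
    if ($Devices.Count -gt 5000) { throw "Intune accepts at most 5,000 rows per CSV file; split the list." }

    $seen = @{}
    $lines = foreach ($d in $Devices) {
        $id = [string]$d.Identifier -replace '\s', ''
        if (-not (Test-CorporateIdentifier -Identifier $id -Type $Type)) { throw "Invalid $Type '$($d.Identifier)'." }
        if ($seen.ContainsKey($id)) { throw "Duplicate identifier $id." }
        $seen[$id] = $true

        $detail = [string]$d.Detail
        if ($detail.Length -gt 128)      { throw "Detail for $id exceeds 128 characters." }
        if ($detail -match '[,\r\n"]')   { throw "Detail for $id must not contain commas, quotes or line breaks." }
        "$id,$detail"
    }

    # Export-Csv always writes a header row (plus a #TYPE line on Windows PowerShell 5.1), which the
    # import would read as a bogus identifier row. Write the raw lines instead: no header, no BOM.
    [System.IO.File]::WriteAllLines($Path, [string[]]$lines, (New-Object System.Text.UTF8Encoding($false)))
    return $lines
}

# Usage with constructed sample data:
$sample = @(
    [pscustomobject]@{ Identifier = '490154203237518'; Detail = 'Android test device - user A' }
)
New-CorporateIdentifierCsv -Devices $sample -Type IMEI -Path "$env:TEMP\corporate-imei.csv"
```

Running this writes one line, `490154203237518,Android test device - user A`, and throws before writing anything if an IMEI fails the check digit, a detail is too long or contains a comma, or the list exceeds 5,000 rows. A mistyped IMEI is the usual reason an import "works" but the device still enrolls as personal, so the Luhn check is worth the few lines.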

Save it as a CSV file on your hard drive.

Go back to the Intune portal.

Go to the Intune portal -> Device enrollment -> Corporate device identifiers. Click on the Add button.

Choose IMEI as the identifier type and browse to your CSV file. Click on the Add button.

Click on the Refresh button to refresh the list. Your imported device appears in the list, and your device is now identified as a corporate device. Continue with enrolling your device.

Let’s try

Open the Intune Company Portal app.
Sign in.
Enter here your email address/login name.
Enter here your password.
The app is connecting to Intune.
Checking for security requirements
Continue
Continue
Next
Allow
Scroll down for more options.

Activate this device administrator.

Processing, adding your device to Company Portal.
Processing, the final steps.
And the enrollment has finished with success.

Done

Now you are in the Company Portal. You see a number 1 beside the flag. Touch it to open the notifications.
The ownership has changed to Corporate. This is because the device was imported and identified as corporate.

After enrollment, check All devices in Intune. The device is marked as corporate.

If you go back to Device enrollment -> Corporate device identifiers, you see that the state has changed to Enrolled.

Final

This is how Corporate device identifiers work in Intune. It comes in handy when you use Android devices that are not made by Samsung: Samsung is the only vendor with Knox for enrollment and MDM. For Apple and Windows the best practice is DEP and Azure AD join respectively.

Thanks for reading this blogpost. If you have any questions or comments, don’t hesitate to contact me by email or post a comment on this blogpost.

Take care now, bye bye then.


Part 15 – Configure Microsoft Intune – Windows Automatic Redeployment

Besides Windows Autopilot (blog here), Windows 10 has another great feature that you may like to use. Since the Windows 10 Fall Creators Update (1709) there is a new feature called Windows Automatic Redeployment. It lets a user reset the device from the sign-in screen with a keystroke, without a visit to or remote help from an IT person.

Do you want to know more about this nice feature in Windows 10? Then please continue reading, because this time it is about Windows Automatic Redeployment.

How does Windows Automatic Redeployment work?

By pressing CTRL + Windows key + R at the sign-in screen, the user initiates the redeployment process. Windows 10 asks for the credentials of an account that has local administrator permissions on the device. This can be a local account or an Azure AD account. After the credentials are entered, Windows 10 starts resetting the device. The reset removes all personal data, settings and applications.

If you have enabled Autopilot, this function is perfect for your organization. After the reset, Autopilot does its work of configuring the device: joining Azure AD and enrolling the device in Microsoft Intune. Autopilot also starts deploying the policies, profiles and apps. All of this without a visit to the IT department for help and support; it could be done at home or anywhere else in the world. The only thing you need is an Internet connection.

If the user has problems with applications or with signing in, the user can initiate a reset to resolve them. This is faster and easier than asking the IT department for help.

Let’s begin:

Before the user can use this feature, you have to enable it in Windows 10. Go to the MS Intune portal -> Device configuration.

Create a new profile.

For the new profile, choose Platform Windows 10 and Profile type Device restrictions. Click on Settings -> General.

Scroll down. You see Automatic Redeployment. Change it to Allow. Click on Ok (twice). After that click on the Create button.

Click on Assignments to assign a group.

Search for and select the group. Click on the Save button to start the assignment. Check Device status to see when the configuration has applied.

The policy is active on the client. Now the user can use this feature in Windows 10.

Now that the policy is applied, we have to test this function on a Windows 10 device. Go to the device and press CTRL + Windows key + R at the sign-in screen.

Enter the Azure AD credentials, or those of a local user account, that have administrator permissions on the device.

The device is resetting. Get some coffee or tea; this takes approximately 10 – 15 minutes.

After the reset, Windows Autopilot takes control of Windows 10. Windows Autopilot starts with the Azure AD join and enrolls the device into Microsoft Intune.

Redeployment has finished. Try to log in. You get a clean Windows 10 device.

Side note:

If the user does not have the permissions to do a reset, you could create a local admin account for redeployment. The best option is to let Intune create the local admin, with a PowerShell script (which I have explained in this blogpost) or with an OMA-URI setting. Keep in mind that a password embedded in a script is not a secret: everyone who can read the script in Intune, and anyone who captures it on a client, learns it, and it is the same on every device you target. Use a long, unique password, treat the account as a break-glass account and rotate the password regularly. I have done this with a PowerShell script, like this:

$Username = "RedeployAdmin"
$Password = "P@ssw0rd"   # placeholder from the post; use a long, unique value before you deploy this
$group = "Administrators"

# Look the account up through the WinNT ADSI provider. This (and NET USER below) works in the
# 32-bit PowerShell host the Intune Management Extension uses, where the
# Microsoft.PowerShell.LocalAccounts cmdlets (New-LocalUser and friends) are not available.
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$existing = $adsi.Children | Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }

if ($null -eq $existing) {
    Write-Host "Creating new local user $Username."
    & NET USER $Username $Password /add /y /expires:never
    Write-Host "Adding local user $Username to $group."
    & NET LOCALGROUP $group $Username /add
}
else {
    # The account already exists (for example on a re-run): only reset the password.
    Write-Host "Setting password for existing local user $Username."
    $existing.SetPassword($Password)
}

# /expires:never above keeps the account from expiring; this keeps the password from expiring.
Write-Host "Ensuring password for $Username never expires."
& WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE

Save this script and add it to Intune. The script I started from can be found here.

The user must use this local account for redeployment instead of his own account.

Final

This is how Windows Automatic Redeployment works. After the reset, Intune continues to manage the device. If apps are assigned as required, they start installing shortly after.

If the user hits a strange error or problem in an application or in Windows itself, the user has the option of a quick reset. For him this is faster than contacting the IT department for help and troubleshooting. By resetting the device, Windows 10 goes back to factory defaults: personal data and settings are deleted, and applications and apps are removed as well. The time the IT department used to spend on troubleshooting and resetting devices is now available for other IT work.

I am ending this blog post. I hope you liked my post about Windows Automatic Redeployment. If you have any question or comment, don’t hesitate to contact me by email or post a comment.

Thanks for reading my blogpost about Windows Automatic Redeployment. Stay tuned for new blogposts on All about enterprise mobility and security.

Greetings..

Part 16 – Configure Microsoft Intune – PowerShell Scripts

Basically, Microsoft Intune can only deploy mobile apps for the iOS, Windows and Android platforms and MSI installers for Windows 10. Some legacy applications only have an EXE installer, which means that you cannot deploy such a legacy application via Microsoft Intune directly. Fortunately, Microsoft Intune has something awesome: you can use PowerShell scripts for configuring, deploying or removing things on Windows 10 devices. So you can use a PowerShell script to deploy the legacy application on Windows 10 devices. Do you want to know how this works? Then read on, because this time it is all about PowerShell in Microsoft Intune!

What does this PowerShell option do in Microsoft Intune?

Within Device configuration you have the option to use a configuration profile or a PowerShell script. With a script you can do nearly everything on the client: rename the computer, configure the IP address, install an application from an EXE installer, and so on. It is very powerful.

Microsoft Intune uses an extension that lets you upload PowerShell scripts to Intune and run them on Windows 10 devices. Intune installs the Intune Management Extension first, before running any scripts on the Windows 10 device.

For more information: https://docs.microsoft.com/en-us/intune/intune-management-extension

Preparation

Before we put the script into Intune, you have to write a script first. I already have one, like this. I got it from Oliver Kieselbach (thanks! this is his blogsite: https://oliverkieselbach.com/about/) and modified it a bit.

Code:

<#
 Version: 1.2
 Author: Albert Neef
 Script: Intune_PSScript_test.ps1
 Description:
 Intune Management Extension - PowerShell script template with logging,
 error codes, standard error output handling and x64 PowerShell execution.
 Release notes:
 Version 1.0: Original published version.
 Version 1.1: Added standard error output handling.
 Version 1.2: modified for Adobe Reader and errorhandling
 The script is provided "AS IS" with no warranties.
#>

$exitCode = 0

if (![System.Environment]::Is64BitProcess)
{
    # The Intune Management Extension starts scripts in 32-bit PowerShell. Relaunch this script
    # in the native 64-bit host (via the sysnative redirector), wait for it and pass on its
    # exit code and standard error output.
    $sysNativePowerShell = "$($PSHOME.ToLower().Replace("syswow64", "sysnative"))\powershell.exe"

    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $sysNativePowerShell
    $pinfo.Arguments = "-ex bypass -file `"$PSCommandPath`""
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.CreateNoWindow = $true
    $pinfo.UseShellExecute = $false
    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null

    # Drain stdout asynchronously so the child can never block on a full pipe, read stderr to the
    # end, then wait: ExitCode is only valid after the process has actually exited.
    $p.BeginOutputReadLine()
    $stderr = $p.StandardError.ReadToEnd()
    $p.WaitForExit()
    $exitCode = $p.ExitCode

    if ($stderr) { Write-Error -Message $stderr }
}
else
{
    # Log to %TEMP% (C:\Windows\Temp when running as SYSTEM) in "<scriptname>.log".
    Start-Transcript -Path "$env:TEMP\$($(Split-Path $PSCommandPath -Leaf).ToLower().Replace(".ps1",".log"))" | Out-Null

    # Detection: Adobe Reader DC is a 32-bit application, so its uninstall key lives under Wow6432Node.
    $CheckADCReg = Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
                   Where-Object { $_.DisplayName -like "Adobe Acrobat Reader DC*" }

    # If Adobe Reader is not installed, continue; if it is installed already, just exit.
    if ($null -eq $CheckADCReg)
    {
        # Temporary download folder. The script runs as SYSTEM, so there are no permission issues here.
        $Installdir = "c:\temp\install_adobe"
        New-Item -Path $Installdir -ItemType Directory -Force | Out-Null

        # Download the installer from the Adobe website. Always check for new versions!!
        # The FTP download is neither encrypted nor authenticated, so put the SHA256 published by
        # Adobe in $expectedSha256 before trusting what arrives (empty = skip the check).
        $source = "ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/1800920044/AcroRdrDC1800920044_en_US.exe"
        $destination = "$Installdir\AcroRdrDC1800920044_en_US.exe"
        $expectedSha256 = ""
        try
        {
            Invoke-WebRequest $source -OutFile $destination -ErrorAction Stop
            if ($expectedSha256 -and ((Get-FileHash -Path $destination -Algorithm SHA256).Hash -ne $expectedSha256))
            {
                throw "SHA256 of the downloaded installer does not match the expected value"
            }
        }
        catch
        {
            Write-Error -Message "Could not download the installer from the Adobe website: $_" -Category OperationStopped
            $exitCode = -1
        }

        # Start the installation only when the download succeeded, and wait for setup to finish
        # instead of sleeping for a fixed number of seconds.
        if ($exitCode -eq 0)
        {
            try
            {
                $setup = Start-Process -FilePath $destination -ArgumentList "/sAll /rs /rps /msi /norestart /quiet EULA_ACCEPT=YES" -Wait -PassThru -ErrorAction Stop
                # MSI convention: 0 = success, 3010 = success but a reboot is required.
                if (($setup.ExitCode -ne 0) -and ($setup.ExitCode -ne 3010))
                {
                    throw "Setup returned exit code $($setup.ExitCode)"
                }
            }
            catch
            {
                Write-Error -Message "Could not install Adobe Reader: $_" -Category OperationStopped
                $exitCode = -1
            }
        }

        # Finish by cleaning up the download. c:\temp\ is left in place for future installations.
        Remove-Item -Path "$Installdir\AcroRdrDC*" -Force -ErrorAction SilentlyContinue
    }
    Stop-Transcript | Out-Null
}

exit $exitCode

What does the script do? It downloads Adobe Reader from adobe.com and installs it on the client. There is some logging and error handling in the script: if the download fails, for example, you will find that in the log, and the error is reported back to Microsoft Intune. You can see the status under Device status of the script, but for the details you have to check the log on the client. You could build an option to upload the log to a central location.

Copy this script into PowerShell ISE and save it. We have to upload the .ps1 file to Microsoft Intune later in this blog.

Let’s begin:

Go to the Intune portal -> Device Configurations -> PowerShell scripts

Click on Add.

Enter a name and browse to your PowerShell script file. Click on Configure.

Leave the settings as they are: the script must run in the system context, and there is no check for a trusted signature. Note what that combination means: anyone who can create or edit scripts in Intune gets code execution as SYSTEM on every targeted device, so guard that admin role and the script content accordingly. Click on the Ok button and then on the Create button.

The script is added to Intune. Now you have to assign it to a group. Go to Assignments.

Click on the Select groups button and add the group. Click on the Select button. Click on the Save button.

The deployment begins in a few minutes. To check the installation, look at Device status or at the client itself.

Intune installs the extension first, before running the scripts.

On the client, in Programs and Features, you see that the Intune Management Extension is installed. Intune then continues with the script. If you have enabled logging in the script, you should see a log on the client. You can also check Task Manager for running processes; maybe you will spot the installation process.

That is it. The Adobe Reader installation has finished, driven by a script.

Final:

You have installed an application with an EXE installer on a Windows 10 device. Not with SCCM but with Microsoft Intune alone. Because it supports PowerShell, Intune is a lot more flexible for Windows 10. PowerShell is powerful and you can use it for almost everything. This makes it very easy for the IT guy or girl to deploy legacy applications or do some remote configuration on the client.

I am ending this blog. I hope you liked the post. If you have any questions or comments, please do not hesitate to send an email or leave a comment.

Good luck and greetings..

Part 14 – Configure Microsoft Intune – Windows Autopilot

This month I have written some blogs about Microsoft Intune. If you have followed them, you have a nice environment by now. Good job! This time I want to write about Windows Autopilot. This feature is new since the Windows 10 Creators Update and helps the IT guys and girls deliver devices to end-users faster than before.

What does Windows Autopilot do?

Windows Autopilot makes it easier to enroll devices into your environment. It lets the end-user get productive very quickly, without administrator intervention. The nice part is that the device can be delivered to the end-user directly, without a stopover at the IT department for configuration. The user unboxes the device and turns it on for the first time. The out-of-box experience starts and the user has to follow a few steps. One of these steps is to connect to the Internet, for example via Wi-Fi. Then the user enters his or her Azure AD credentials. Based on the hardware ID and those credentials, the device automatically joins Azure AD and enrolls into Microsoft Intune. These processes run in the background; no interaction from the user is needed. If the user is a member of a group that has an app assigned, the app is pushed to the device automatically. When the out-of-box experience completes, the user has a fully configured device that is joined to Azure AD and managed by Microsoft Intune.

How does Autopilot know which device must be configured by Autopilot?

Autopilot works with a hardware ID. Each device has a unique hardware ID, made up of three values: the device serial number, the Windows product ID and the hardware hash. Your supplier or hardware vendor has this information. You can also obtain it yourself by running a PowerShell script (later in this blog). Hardware suppliers and vendors like HP, Lenovo and Dell have the option, with a specific kind of access, to add the hardware IDs of the devices you ordered into Microsoft Intune. This is done while the new devices are being ordered. Based on this information, Autopilot knows which device it must configure.

Because of this feature, the device no longer has to be delivered to the IT department for preparation; that step can be skipped. No System Center Configuration Manager (SCCM) server is needed either. At customers I mostly see the old, current way: the device is delivered to the IT department, which puts the corporate image on it. Before you can use an image on a device, you have to build a new image and then test it on several devices; only after that can you use it in production. This is very time consuming. Autopilot makes this more efficient by skipping this process, and without the help of SCCM. This saves a lot of time.

For more information about Windows Autopilot, see this link: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot

Or watch this video: https://www.youtube.com/watch?time_continue=42&v=JrEU84KK2lQ

Let’s begin

Before we begin configuring the Autopilot profile, you need the hardware info of your test machine. There is a PowerShell script you can use, which you can find here: https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo/1.3/DisplayScript

Note: this is only needed if you already have the device or if you are using a virtual machine. The advantage of Autopilot is that the hardware supplier can deliver the correct hardware information to you, or straight into Autopilot, without approaching you for acceptance. The supplier gets restricted access to your tenant for adding the hardware IDs. They have a kind of database of these hardware IDs, so for them it is easy to find them. This part can be skipped when you have ordered a new device and the supplier adds the IDs into Intune. For this example I use a virtual machine, so I have to find the IDs myself.

To get the information, open a PowerShell prompt with admin privileges.

Enter this command: Install-Script -Name Get-WindowsAutoPilotInfo and press Y for Yes.

Yes again.

And Yes again, because we need that script.

Okay, the script is downloaded. Enter Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\temp\autopilot.csv (you can use TAB to autocomplete the name of the script) and press Enter.

Maybe you will get this warning. You then have to change the execution policy in PowerShell.

Run this command: Set-ExecutionPolicy -ExecutionPolicy Bypass (use TAB, it makes the command easier to type). Adding -Scope Process limits the change to this PowerShell session, which is all you need here; without it the policy of the whole machine is changed.

Answer the question with Y for Yes. You can change it back later with the same command, but with Restricted instead of Bypass.

Okay, that is set. Now run the script again: Get-WindowsAutoPilotInfo.ps1 -OutputFile C:\temp\autopilot.csv
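To show what the gallery script actually gathers, here is an added example (not the Get-WindowsAutoPilotInfo script itself and not code from the original post) that reads the same values and writes the CSV layout the import expects. It assumes the Windows Product ID column may stay empty and that the serial number is taken from the BIOS; the MDM bridge class it queries is the one the gallery script uses as well.

```powershell
# Added example, not the gallery script and not from the original post. Collects the three values
# Autopilot uses to recognise a device and writes them in the CSV layout the Intune import expects.
# Run in an elevated PowerShell on the device itself.
# Assumptions: the Windows Product ID column is optional and left empty; the serial number comes
# from Win32_BIOS; the hardware hash is read from the MDM bridge WMI provider (DevDetail CSP).
function Get-AutopilotHardwareInfo {
    param([string]$OutputFile)

    $serial = ([string](Get-CimInstance -ClassName Win32_BIOS).SerialNumber).Trim()

    # The hardware hash is exposed as DeviceHardwareData, a base64 string of a few kilobytes.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
                                 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" -ErrorAction Stop
    $hash = [string]$devDetail.DeviceHardwareData
    if (-not $hash -or $hash -notmatch '^[A-Za-z0-9+/=]+$') {
        throw "No usable hardware hash returned; run elevated on Windows 10 1703 or later."
    }

    $info = [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $hash
    }

    if ($OutputFile) {
        $dir = Split-Path -Path $OutputFile -Parent
        if ($dir) { New-Item -Path $dir -ItemType Directory -Force | Out-Null }

        # The import wants exactly this header row. The gallery script writes unquoted fields, so
        # the lines are composed by hand instead of with Export-Csv (which quotes every field).
        $lines = @(
            'Device Serial Number,Windows Product ID,Hardware Hash'
            "$($info.'Device Serial Number'),$($info.'Windows Product ID'),$($info.'Hardware Hash')"
        )
        [System.IO.File]::WriteAllLines($OutputFile, [string[]]$lines, (New-Object System.Text.UTF8Encoding($false)))
    }
    return $info
}

# Usage: writes the single-device CSV that the next step imports.
Get-AutopilotHardwareInfo -OutputFile 'C:\temp\autopilot.csv'
```

The regex check on the hash is there because the WMI class answers without error, but with an empty hash, when you are not elevated or the MDM bridge is unavailable; an empty third column is the usual reason an Autopilot import silently fails validation.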

You need the CSV to import the computer into Microsoft Intune. Go to the MS Intune portal -> Device enrollment -> Windows enrollment.

Click on Devices.

Click on the button Import to import the CSV.


Browse to your CSV file and click on the Ok button.

The results are good; click on the Import button to import the device.

You get this message. The sync takes a few minutes.

The result: the device is imported. Now we have to make a profile, or just edit the default Autopilot profile. Go to the MS Intune portal -> Device enrollment -> Windows enrollment.

Click on Deployment Profiles.

Click on Autopilot Profile to edit it.

Click on Settings

Here you can change the OOBE (Out of Box Experience) settings. These are the defaults, so I did not change them.

You see that no devices are assigned to this profile yet. So we have to go back to Devices.

Select the specific device and click on the Assign profile button.

Choose the profile, like Autopilot Profile and click on the button Assign.

The status is Assigning. Wait a few minutes and click on the Refresh button.

The status is changed to Assigned. The device is prepared for Autopilot.

There is a new option to follow the Autopilot process. You can see which part of Autopilot is running.

To enable this option, go to the MS Intune portal -> Device enrollment -> Windows enrollment.

Click on Enrollment Status Page (Preview)

Click on Default to edit.

Click on Settings and change some settings. After that click on the Save button.

You are done configuring Autopilot. Now you need a Windows 10 installation that has not been configured yet. For me that means reinstalling Windows 10 in my virtual machine, to be sure I am not starting from an already configured device. If you have enrolled the device before, delete it from Intune and also from Azure AD, to be sure.

Okay, after the installation of Windows 10 I get this: the default steps of the OOBE.

Choose your region and click on the Yes button.

Choose the keyboard layout and click on the Yes button.

Click on the Skip button.

Enter here the login name or email address. Click on the Next button.

Enter here your password, click on the Next button.

Enter here the code which you have received by SMS or phone call. Click on the Next button.

You have to wait for this process to be complete.

During “Setting up” the device is added to Azure AD and enrolled into Intune.

In the background, Autopilot is applying security policies and installing the apps that are set to required. Click on Show details for more information. This view comes from the Enrollment Status Page profile.

The Autopilot part is done and now you have to set up a PIN.

Enter the code which you have received by a SMS or phone call. Click Next.

You have to enter a PIN code. Sorry about the screenshot, I have missed this one…

Click Ok.

You see that the apps are installed, and everything is configured by Intune.

Final

This is how Autopilot works. Simple and easy for the end-user, but also for the IT guy or girl: it saves them a lot of time for other things.

The next blog will be all about Windows Automatic Redeployment. Stay tuned! Thanks for reading, and if you have a question, don’t hesitate to send me a comment or email.

See you and greetings, Albert

Part 13 – Configure Microsoft Intune – Microsoft Store for Business

Introduction

Microsoft Store for Business is an enterprise app store for Windows devices. You can manage volume-purchased Windows apps in Microsoft Store for Business (MSfB). MSfB extends the standard Windows app store on Windows devices with the apps that are managed in MSfB and delivered through MS Intune. The apps appear in the MS Intune portal and can then be delivered to the Windows clients. There is more in MSfB, like:

  • You can track how many licenses are available, and how many are being used, in the Intune administration console.
  • Intune blocks assignment and installation of apps if there is an insufficient number of licenses available.
  • Apps managed by Microsoft Store for Business automatically revoke their licenses when a user leaves the enterprise, or when the administrator removes the user and the user's devices.

More information about the integration:

Let’s begin

First, we have to connect MSfB with MS Intune. Go to the MS Intune portal -> Mobile apps -> Microsoft Store for Business.

Click on the Enable button to enable the sync with MSfB.

Click on the link Open the business store. Click on the login button in the top right corner. Go to Manage.

Click on the button Accept.

Click on the button Got it.

Go to Settings -> Distribute. Scroll down for the Intune part.

Click on Activate.

Go back to the MS Intune portal and choose your language. After that click on the Save button. Now you can click on the Sync button.

But we have not added any apps to the store yet, so go back to the MSfB portal and search for some free apps in the store.

Go to Shop for my group and search for an app; in my example I searched for Remote Desktop. Click on the icon of the app.

Click on the button Get the app.

The app is added to the inventory. Click on the Close button.

Click on the button with the dots and choose Add to private store.

Go to Manage -> Products & services -> Apps & software. The app(s) you just added are listed here.

Go back to the MS Intune portal and hit the Sync button.

Let’s check if Remote Desktop is listed in MS Intune. The sync can take a few minutes, so be patient.

The only thing you have to do in MS Intune is assign the app to a group for deployment. Click on Microsoft Remote Desktop for more information.

Click Assignments -> Add group -> choose assignment type Required. This time I chose all users and all devices, so click on both Yes buttons and then on the Ok button (twice).

Click on the Save button. The assignment is ready; now we have to wait a few minutes.

Remote desktop is installed by MS Intune.

Check the status in MS Intune.

Final

This is what we did in this blog post: we made a connection with Microsoft Store for Business (MSfB). With this integration you get a private store for your enterprise apps, such as LOB apps and volume-purchased apps. The only thing MS Intune does is distribute those apps.

Part 12 – Configure Microsoft Intune – Mobile Apps

Microsoft Intune is a Mobile Device/Application Management solution that manages devices, but also applications, on Android, iOS, macOS and Windows devices. One of its functions is deploying an application to a device or user. MS Intune supports almost every (mobile) platform for pushing store apps and line-of-business apps, much like System Center Configuration Manager. In this blogpost I will talk about how to add an app into MS Intune and deploy it to a device. More information about Mobile apps in MS Intune: https://docs.microsoft.com/en-us/intune/apps-add

MS Intune supports different types of apps (type: installation; updates):

  • Apps from the store (store apps): Intune installs the app on the device. App updates are automatic.
  • Apps written in-house (line-of-business): Intune installs the app on the device (you supply the installation file). You must update the app yourself.
  • Apps that are built-in (built-in apps): Intune installs the app on the device. App updates are automatic.
  • Apps on the web (web link): Intune creates a shortcut to the web app on the device home screen. App updates are automatic.

Specific types of apps (app type – general type):

  • Android store apps – Store app
  • iOS store apps – Store app
  • Windows Phone 8.1 store apps – Store app
  • Microsoft store apps – Store app
  • Android for Work apps – Store app
  • Office 365 apps for Windows 10 – Store app (Office 365)
  • Office 365 apps for macOS – Store app (Office 365)
  • Android line-of-business (LOB) apps – LOB app
  • iOS LOB apps – LOB app
  • Windows Phone LOB apps – LOB app
  • Windows LOB apps – LOB app
  • Built-in iOS app – Built-in app
  • Built-in Android app – Built-in app
  • Web apps – Web app

An EXE installer is not supported in MS Intune, only MSI. There is a workaround: you can push a PowerShell script to a device with MS Intune and let the script deploy and install the EXE on the Windows device. This workaround is not covered in this blogpost.

Let’s begin with adding an app to MS Intune. We have a Microsoft 365 license, so we can deploy the full Office 365 suite to a Windows 10 device.

Go to the MS Intune portal -> Mobile apps -> Apps. Click on the Add button.

App Type is Office 365 suite for Windows 10.

Click on Configure App Suite. You get more options; select the apps you want to test. I chose only OneDrive, Outlook and Word. Click on the OK button.

Click on App Suite Information. Give this deployment a name and some more information about the app. Click on the Ok button.

Click on App Suite Settings and choose your settings. I also added some languages. Click on OK and on the Add button to create the Office 365 deployment.

Click on Assignment to assign this deployment to the users. Click on the Add group button.

Assignment type is Required. This will push Office to the devices without any action from the user. Search for the group and click Select. Click on the Ok button (twice). Click on the Save button. Now you have to wait for the deployment. Office 365 will be deployed to the users who are in the group you chose for the assignment.

This is optional >> I want to test Outlook, but the test user doesn’t have a mailbox yet. For this you have to give the user an Office 365 license. Without this license the user has limited functionality and no mailbox. To give the user a license, go to https://portal.office.com and log in with your admin credentials.

Click on the Admin app.

Go to Users -> Active users. You will get a list of all users in Azure AD. Search for the user who already has an enrolled device.

You get more options after clicking on the user. Click Edit next to Product licenses.

Turn on the Office 365 Enterprise E5 license and click on the Save button. You are done; go back to the MS Intune portal. <<<

Go to your Windows 10 device and check if Office is installed. Open the start menu and search for Word or Outlook. Or just look at Recently Added, like mine.

You can also check the status in the MS Intune portal: go to your app deployment and click on Device install status. Here you can see on which computers the Office installation has completed.

Go back to your Windows 10 device. Office is installed, so we can open Outlook. This is Outlook’s first run, so you have to add the mailbox.

Enter the email address of the logged-in user. Click Connect.

Outlook gets the correct settings from Exchange Online, so you don’t have to enter any more information. Account setup is complete. Click on the OK button.

Close Microsoft Edge; we don’t need it. Go back to Outlook.

So, Outlook is configured and working. We can use this to test MAM policies, but that is for another blog post.

We can also test a LOB application, 7-Zip for example. Follow these steps. Download the MSI file from the 7-Zip website. Go to MS Intune -> Mobile Apps -> Apps.

Click on the Add button.

Choose Line-of-business app. Click on App Package file.

Browse to the MSI file and click on the Open button. Click on the Ok button.

Click on App information.

Fill in the required fields. Click on the OK button, then click on the Add button.

Click on the app; we need to assign this app to a group.

Make the assignment type Required. You can also make the assignment Available; the app then appears in the Company Portal for the user to install. Required pushes the application to the device without any action from the user. Click Ok.

Click on the Save button. After a few minutes the application is installed on the device.
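The Required/Available choice above is the assignment intent, and the same assignment can be made through the Microsoft Graph API, which is useful when you deploy to many groups or want to audit who an app is targeted at. The following is an added example, not the post's own code or Microsoft's sample: it assumes you already hold a Graph access token with the DeviceManagementApps.ReadWrite.All permission (how you obtain it is outside the example), and the app id and group id are placeholders.

```powershell
# Added example, not from the original post: create and list Intune app assignments via
# Microsoft Graph. $AccessToken, the app id and the group id are supplied by the caller.

function New-IntuneAppAssignment {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$MobileAppId,   # id of the app under /deviceAppManagement/mobileApps
        [Parameter(Mandatory)][string]$GroupId,       # Azure AD group object id
        [ValidateSet('required', 'available', 'uninstall')]
        [string]$Intent = 'required'                  # 'required' = pushed, 'available' = offered in Company Portal
    )

    # The assign action takes the complete assignment list for the app, so include every
    # assignment you want to keep, not only the new one.
    $body = @{
        mobileAppAssignments = @(
            @{
                '@odata.type' = '#microsoft.graph.mobileAppAssignment'
                intent        = $Intent
                target        = @{
                    '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                    groupId       = $GroupId
                }
            }
        )
    } | ConvertTo-Json -Depth 5

    $uri = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$MobileAppId/assign"
    Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" }
}

function Get-IntuneAppAssignments {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$MobileAppId
    )
    # Read back what the app is currently assigned to, for verification or auditing.
    $uri = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$MobileAppId/assignments"
    $result = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
    $result.value | Select-Object intent, @{ n = 'groupId'; e = { $_.target.groupId } }
}

# Usage with placeholder ids (replace with values from your own tenant):
# New-IntuneAppAssignment -AccessToken $token -MobileAppId '<app-id>' -GroupId '<group-id>' -Intent required
# Get-IntuneAppAssignments -AccessToken $token -MobileAppId '<app-id>'
```

Reading the assignments back after the change is the check worth keeping: a Required assignment to the wrong group installs software on every device in it without anyone clicking anything.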

Check the status at Device install status.

The application is installed on the device. Now you can use the application.

In this blog post we did a deployment with MS Intune to a Windows 10 device. We installed Office and 7-Zip. So, with a few clicks you can deploy an application to multiple devices.

It is also possible to use Microsoft Windows Store for Business (WSfB) to deploy UWP apps. I will write a blog post about this feature in MS Intune later.

Part 11 – Configure Microsoft Intune – Mobile Application Management Without Enrollment

Time for something different. I want to write about the MAM functionality on a Windows 10 bring-your-own device (BYOD). This device will not be enrolled in MS Intune; it is managed without enrollment. The apps still receive their protection policies from MS Intune.

To protect corporate data and separate it from personal data, Windows 10 uses Windows Information Protection (WIP). WIP is supported in MS Intune, so you can use it to protect and manage corporate data on a Windows 10 BYOD device.

More information on: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

You need an unmanaged Windows 10 device for this practice.

Let’s begin with MAM w/o Enrollment, also called MAM-WE, which means Mobile Application Management Without Enrollment. To test WIP we first have to download Office from portal.office.com on the unmanaged Windows 10 device.

Download Office from https://portal.office.com

Click on the Run button to start the download and installation.

Office is installing.

The installation is done. Click Close to close the setup. Microsoft Edge is still open; close it as well.

We now have an unmanaged Windows 10 device with Office 2016 installed, so we can test the MAM-WE functionality in MS Intune. Continue in the MS Intune portal and go to Mobile Apps -> App protection policies.

Click Add a policy.

Enter a name for the policy. Platform is Windows 10 and Enrollment state is Without enrollment. Click on Protected apps.

Click on the button Add apps.

Select the apps you want from this list; these apps will be allowed to handle corporate data. Click on the Ok button. Then click on Add apps again.

Change the option from recommended apps to Desktop apps.

Enter the Office desktop apps here, like Word and Outlook. For Publisher you need “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”. Click on the Ok button. Now do the same for Outlook.
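The publisher string above comes from the certificate the Office binaries are signed with, and the desktop-app rule also accepts the product name, binary name and version from the same signature. Rather than typing these by hand, you can read them off the executable. This is an added example, not from the original post: it uses the AppLocker cmdlet Get-AppLockerFileInformation, which assumes the AppLocker module is present on the machine you run it from (it is on Windows 10 Pro/Enterprise), and the Office paths are the default Click-to-Run locations.

```powershell
# Added example, not from the original post: read the publisher information WIP needs for a
# desktop app rule directly from a signed executable. Paths are the default Click-to-Run install.

function Get-WipDesktopAppRuleInfo {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $info = Get-AppLockerFileInformation -Path $p
        if (-not $info.Publisher) {
            # An unsigned binary carries no publisher information, so it cannot be matched
            # by a publisher rule at all; flag it instead of silently skipping it.
            Write-Warning "Unsigned (no publisher information): $p"
            continue
        }
        [pscustomobject]@{
            Path        = $p
            Publisher   = $info.Publisher.PublisherName    # e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
            ProductName = $info.Publisher.ProductName      # e.g. MICROSOFT OFFICE
            BinaryName  = $info.Publisher.BinaryName       # e.g. WINWORD.EXE
            Version     = $info.Publisher.BinaryVersion
        }
    }
}

$officeRoot = "$env:ProgramFiles\Microsoft Office\root\Office16"   # default Click-to-Run path
Get-WipDesktopAppRuleInfo -Path "$officeRoot\WINWORD.EXE", "$officeRoot\OUTLOOK.EXE" | Format-List
```

The cmdlet returns the fields in upper case; publisher matching is case-insensitive, so the mixed-case string shown in the portal and this output describe the same signer. Checking the binary this way also tells you immediately when a third-party app you want to protect is not signed and therefore cannot be covered by a publisher rule.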


These apps will be protected by MS Intune based on the protection policy. Click on the Ok button. We skip Exempt apps, as they are not necessary for this test.


Go to Required settings and click on the Block button. This blocks enterprise/corporate data from leaving the protected apps, which means you can’t copy text from a protected app to an unprotected app like Notepad. Click on the Ok button.


Go to Advanced settings and click on Cloud resources. We have to edit this property: append a | separator and then outlook.office365.com to the existing value. Click on the Ok button (twice) and then on the Create button to create the policy.


Click on the created policy. Click on Assignments to assign the group.

It’s time to test this policy on an unmanaged Windows 10 Device.


Go to your device and open Outlook. This is Outlook’s first run. You see this window; enter an email address here.


Click on Office 365.


Enter the password here. Click on Sign in.

The user may have to verify the login. Click Next.

Click Yes.

Click Create PIN.

Enter a PIN here; don’t use a simple PIN like 1234 or 8888.

Click Next.

Enter the password of the logged-in user here. Click on the OK button. You can also check MS Intune -> Devices -> Azure AD devices: the machine will be Azure AD registered.

Deselect Set up Outlook Mobile and click on the Ok button.

Outlook is configured and ready to use. Click on the button Accept and start Outlook.

Open Word. Type some text and go to the menu to save this document.

Save this document on a corporate storage, like OneDrive or SharePoint.

So, now your document is protected by Windows Information Protection. Let’s try to copy the text and paste it into Notepad. We didn’t add Notepad to the policy, which means that the app is not protected.

You see that Notepad is not a protected app and pasting the text is not allowed. Let’s try this in Outlook: copy the text in Word again and try to paste it into Outlook.

This action is allowed by WIP. It also works the other way around: create a new mail, type some text into it, then copy the text and paste it into Notepad. You will get the same message as before with Word.

You can also do this with Microsoft Edge and Internet Explorer; they are protected by WIP as well.

And if you go to a corporate website, like SharePoint, you will see this briefcase icon in the menu. This website is protected by WIP. Leaking corporate data is now prevented by the policy.

This is what WIP looks like in Internet Explorer.

If you remove the work/school account from the BYOD device and then try to open the work-related document, you get this:

This also works on Windows 10 Home Edition (1803). I think that most BYOD Windows 10 devices run Windows 10 Home Edition. I wanted to be sure that WIP also works on a Home Edition device, so I used the Home edition for this blog post.

So, this is what we did. We made a protection policy to protect corporate data in an app. We tested this on an unmanaged Windows 10 device with Office 2016. First, we saved the document on corporate storage and later we copied the text from the document and pasted it into an unprotected application, like Notepad. We also did this for Outlook, Microsoft Edge and Internet Explorer.