Part 13 – Configure Microsoft Intune – Microsoft Store for Business

Introduction

Microsoft Store for Business (MSfB) is an enterprise app store for Windows devices in which you can manage volume-purchased Windows apps. MSfB extends the standard Windows Store on a Windows device with the apps that are managed in MSfB and delivered through MS Intune. The apps appear in the MS Intune portal and can then be delivered to the Windows clients. MSfB offers more, for example:

  • You can track how many licenses are available, and how many are being used in the Intune administration console.
  • Intune blocks assignment and installation of apps if there are an insufficient number of licenses available.
  • Apps managed by Microsoft Store for Business will automatically revoke licenses when a user leaves the enterprise, or when the administrator removes the user and the user devices.

More information about the integration:

Let’s begin

First, we have to connect MSfB with MS Intune. Go to the MS Intune portal -> Mobile Apps -> Microsoft Store for Business.

Click on the Enable button to enable the sync with MSfB.

Click on the link Open the business store. Click on the login button in the top right corner. Go to Manage.

Click on the button Accept.

Click on the button Got it.

Go to Settings -> Distribute. Scroll down for the Intune part.

Click on Activate.

Go back to the MS Intune portal and choose your language. After that, click on the Save button. Now you can click on the Sync button.

But we haven’t added any apps to the store yet, so go back to the MSfB portal and search for some free apps in the store.

Go to Shop for my group and search for an app; in my example I searched for Remote Desktop. Click on the icon of the app.

Click on the button Get the app.

The app is added to the inventory. Click on the Close button.

Click on the button with the dots and choose Add to private store.

Go to Manage -> Products & service -> Apps & Software. The app(s) you just added are listed here.

Go back to the MS Intune portal and hit the Sync button.

Let’s check whether Remote Desktop is listed in MS Intune. The sync can take a few minutes, so be patient.

The only thing you have to do in MS Intune is assign the app to a group for deployment. Click on Microsoft Remote Desktop for more information.

Click Assignment -> Add group and choose the assignment type Required. This time I chose all users and devices. So, click on the Yes buttons and click on the Ok button (twice).

Click on the Save button. The assignment is ready; now we have to wait a few minutes.

Remote Desktop is installed by MS Intune.

Check the status in MS Intune.

Final

This is what we did in this blog post: we made a connection with Microsoft Store for Business (MSfB). With this integration you get a private store for your enterprise apps, like LOB apps and volume-purchased apps. The only thing MS Intune does is distribute those apps.


Part 12 – Configure Microsoft Intune – Mobile Apps

Microsoft Intune is a Mobile Device/Application Management solution that manages devices and also applications on Android, iOS, macOS and Windows devices. One of its functions is deploying an application to a device or user. MS Intune supports almost every (mobile) platform for pushing a store app or a Win32 application, much like System Center Configuration Manager. In this blog post I will talk about how to add an app to MS Intune and deploy it to a device. More information about mobile apps in MS Intune: https://docs.microsoft.com/en-us/intune/apps-add

MS Intune supports different types of apps, which are:

App type | Installation | Updates
Apps from the store (store apps) | Intune installs the app on the device. | App updates are automatic.
Apps written in-house (line-of-business) | Intune installs the app on the device (you supply the installation file). | You must update the app.
Apps that are built-in (built-in apps) | Intune installs the app on the device. | App updates are automatic.
Apps on the web (web link) | Intune creates a shortcut to the web app on the device home screen. | App updates are automatic.

Specific types of apps:

App type | General type
Android store apps | Store app
iOS store apps | Store app
Windows Phone 8.1 store apps | Store app
Microsoft store apps | Store app
Android for Work apps | Store app
Office 365 apps for Windows 10 | Store app (Office 365)
Office 365 apps for macOS | Store app (Office 365)
Android line-of-business (LOB) apps | LOB app
iOS LOB apps | LOB app
Windows Phone LOB apps | LOB app
Windows LOB apps | LOB app
Built-in iOS app | Built-in app
Built-in Android app | Built-in app
Web apps | Web app

An EXE installation isn’t supported in MS Intune, only MSI. There is a workaround to deploy an EXE via MS Intune: you use a PowerShell script to deploy and install the EXE on a Windows device, since MS Intune has an option to push a PowerShell script to a device. This workaround is not covered in this blog post.

Let’s begin by importing an app into MS Intune. We have a Microsoft 365 license, so we can deploy the full Office 365 suite to a Windows 10 device.

Go to the MS Intune portal -> Mobile apps -> Apps. Click on the Add button.

App Type is Office 365 suite for Windows 10.

Click on Configure App Suite to get more options. Select the apps you want to test; I chose only OneDrive, Outlook and Word. Click on the OK button.

Click on App Suite information. Give this deployment a name and some more information about the app. Click on the Ok button.

Click on App Suite Settings and choose your settings. I also added some languages. Click on OK and then on the Add button to create the Office 365 deployment.

Click on Assignment to assign this deployment to the users. Click on the Add group button.

Assignment type is Required. This pushes Office to the devices without any action from the user. Search for the group and click Select. Click on the Ok button (twice). Click on the Save button. Now you have to wait for the deployment. Office 365 will be deployed to the users in the group you chose for the assignment.

This is optional >> I want to test Outlook, but the test user doesn’t have a mailbox yet. For this you have to give the user an Office 365 license. Without this license the user has limited functionality and no mailbox. To give the user a license, go to https://portal.office.com and log in with your admin credentials.

Click on the Admin app.

Go to Users -> Active users. You get a list of all users in Azure AD. Search for the user who already has an enrolled device.

You get more options after clicking on the user. Click Edit next to Product licenses.

Turn on the Office 365 Enterprise E5 license and click on the Save button. You are done; go back to the MS Intune portal. <<<

Go to your Windows 10 device and check whether Office is installed. Open the Start menu and search for Word or Outlook, or just look at Recently added, like mine.

You can also check the status in the MS Intune portal. Go to your app deployment and click on Device Install status. Here you can see on which computers the Office installation has completed.

Go back to your Windows 10 device. Office is installed, so we can open Outlook. This is the first run of Outlook, so you have to add the mailbox.

Enter the email address of the logged-in user here. Click Connect.

Outlook gets the correct settings from Exchange Online, so you don’t have to enter anything more. Account setup is complete. Click on the OK button.

Click Microsoft Edge, we don’t need this. Go back to Outlook.

So, Outlook is configured and working. We can use this for testing the MAM policies, but that is for another blog post.

We can also test a LOB application, like 7-Zip for example. Follow these steps. Download the MSI file from the 7-Zip website. Go to MS Intune -> Mobile Apps -> Apps.

Click on the Add button.

Choose Line-of-business app. Click on App Package file.

Browse to the MSI file and click on the Open button. Click on the Ok button.

Click on App information.

Fill in the required fields. Click on the OK button, then click on the Add button.

Click on the app; we need to assign this app to a group.

Make the assignment type Required. You can also make the assignment Available; the app then appears in the Company Portal, available for installation. Required pushes the application to the device without any user action. Click Ok.

Click on the Save button. After a few minutes the application is installed on the device.

Check the status at Device install status.

The application is installed on the device. Now you can use the application.

In this blog post we did a deployment with MS Intune to a Windows 10 device. We installed Office and 7-Zip. So, with a few clicks you can deploy an application to multiple devices.

It is also an option to use Microsoft Windows Store for Business (WSfB) for deploying UWP apps, but I will write a blog post about that feature in MS Intune later.

Part 11 – Configure Microsoft Intune – Mobile Application Management Without Enrollment

Time for something different. I want to write about the MAM functionality on a Windows 10 bring-your-own-device (BYOD) machine. This device will not be enrolled in MS Intune; it is managed without enrollment. The apps still get their protection policies from MS Intune.

To protect corporate data and separate it from personal data, Windows 10 uses Windows Information Protection (WIP). WIP is supported in MS Intune, so with WIP you can protect and manage your corporate data on a Windows 10 BYOD device.

More information on: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

You need an unmanaged Windows 10 device for this practice.

Let’s begin with MAM w/o Enrollment, also called MAM-WE, which means Mobile Application Management Without Enrollment. To test WIP we have to download Office from portal.office.com on the unmanaged Windows 10 device.

Download Office from https://portal.office.com

Click on the Run button to start the download and installation.

Office is installing.

The installation is done. Click Close to close the setup. Microsoft Edge is still open, close this one also.

We now have an unmanaged Windows 10 device with Office 2016 installed, so we can test the MAM-WE functionality in MS Intune. Continue in the MS Intune portal and go to Mobile Apps -> App Protection policies.

Click Add a policy.

Enter a name for the policy. Platform is Windows 10 and Enrollment state is Without enrollment. Click on Protected apps.

Click on the button Add apps.

Select these apps. These apps will also work with corporate data. Click on the Ok button. From here, click again on Add apps.

Change the option from Recommended apps to Desktop apps.

Enter the Office apps here, like Outlook and Word. You need this as PUBLISHER: “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”. Click on the Ok button. Now do the same for Outlook.
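The PUBLISHER value above comes from the signer certificate of the app’s executable, so you can derive it for any other signed desktop app you want to protect. The following script is an added example, not part of the original post; the Office paths are assumptions for a 64-bit Click-to-Run install, and the function itself works for any signed file:

```powershell
# Added example (not from the original post): derive the WIP "Publisher" value for a
# signed desktop app from its Authenticode signer certificate.
function Get-WipPublisher {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        # An unsigned or tampered binary cannot be matched by publisher at all
        throw "No valid Authenticode signature on '$Path' (status: $($sig.Status))"
    }

    # Format($true) returns one relative distinguished name per line and keeps quoted
    # values such as O="Contoso, Inc." intact, unlike a naive split on commas.
    $rdns = $sig.SignerCertificate.SubjectName.Format($true) -split "`r?`n" |
        Where-Object { $_ -and $_ -notmatch '^CN=' }

    # The WIP publisher string omits the CN= part, which yields
    # "O=Microsoft Corporation, L=Redmond, S=Washington, C=US" for the Office apps
    return ($rdns -join ', ')
}

# Office desktop apps to look up (assumed 64-bit Click-to-Run install paths)
$apps = @(
    'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
)
foreach ($app in $apps) {
    if (Test-Path -LiteralPath $app) {
        [pscustomobject]@{
            App       = Split-Path -Path $app -Leaf
            Publisher = Get-WipPublisher -Path $app
        }
    }
    else {
        Write-Warning "Not found: $app"
    }
}
```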


These apps will be protected by MS Intune based on the protection policy. Click on the Ok button. We skip Exempt apps; it is not necessary for this test.


Go to Required Settings and click on the Block button. This blocks enterprise/corporate data from leaving the protected apps, which means you can’t copy text from a protected app to an unprotected app, like Notepad. Click on the Ok button.


Go to Advanced settings and click on Cloud resources. We have to edit this property: the list is pipe-separated, so add a | and after it add outlook.office365.com. Click on the Ok button (twice) and then on the Create button to create the policy.


Click on the created policy. Click on Assignments to assign the group.

It’s time to test this policy on an unmanaged Windows 10 Device.


Go to your device and open Outlook. This is the first run of Outlook. You see this window; enter an email address here.


Click on Office 365.


Enter the password here. Click on Sign in.

The user may have to verify the login. Click Next.

Click Yes.

Click Create PIN.

Enter the PIN here; don’t use a simple PIN like 1234 or 8888.

Click Next.

Enter the password of the logged-in user here. Click on the OK button. You can also check MS Intune -> Devices -> Azure AD devices: the machine will be Azure AD registered.

Deselect Set up Outlook Mobile and click on the Ok button.

Outlook is configured and ready to use. Click on the Accept button and start Outlook.

Open Word. Type some text and go to the menu to save this document.

Save this document on a corporate storage, like OneDrive or SharePoint.

So, now your document is protected by Windows Information Protection. Let’s try to copy the text and paste it into Notepad. We didn’t add Notepad to the policy, which means that app is not protected.

You see that Notepad is not a protected app and doesn’t allow you to paste the text. Let’s try this in Outlook: copy the text in Word again and try to paste it into Outlook.

This action is allowed by WIP. It also works the other way round: make a new mail and type some text into it, then copy the text and paste it into Notepad. You get the same message as before with Word.

You can also do this with Microsoft Edge and Internet Explorer; they are also protected by WIP.

And if you go to your corporate (web)site, like SharePoint, you see this briefcase icon in the menu: this website is protected by WIP. Leaking corporate data is now prevented by the policy.

This is what WIP looks like in Internet Explorer.

If you delete the work/school account from the BYOD device and try to open the work-related document, you get something like this:

This also works on Windows 10 Home Edition (1803). I think most BYOD Windows 10 devices run Windows 10 Home Edition, so I wanted to be sure that WIP also works on a Home Edition device.

So, this is what we did. We made a protection policy to protect corporate data in an app. We tested it on an unmanaged Windows 10 device with Office 2016. First we saved a document on corporate space/storage, and later we copied text from the document and pasted it into an unprotected application, like Notepad. We did the same for Outlook, Microsoft Edge and Internet Explorer.

Part 10 – Configure Microsoft Intune – Windows Defender Advanced Threat Protection

A few months ago Microsoft announced a new feature in MS Intune: you can now use Windows Defender ATP as a compliance signal for your environment. This means you can grant a device access to your corporate resources based on its Windows Defender ATP status, i.e. its risk score. If the device is not healthy or has too high a risk score in ATP, MS Intune blocks its access to the resources. Windows Defender ATP helps prevent security breaches and helps limit their impact within your organization. For more information: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

You need a Windows Defender ATP subscription, and it has to be connected with MS Intune. These are the steps to connect Windows Defender ATP. If you don’t have a Windows Defender ATP subscription, you can create a trial subscription and use it to connect with your MS Intune environment. Link: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

Go to MS Intune portal -> Device compliance -> Windows Defender ATP

Click on the link Connect Windows Defender ATP to Microsoft Intune in the Windows Defender Security Center.

Turn on Microsoft Intune connection and click on the Save preference button.

You get this message.

Go back to the MS Intune portal and click on the Refresh button. The connection has been made and the status is Available; it will change to Connected later.

Turn on the options Connect Windows devices version… and Block unsupported OS versions. Click on the Save button.

The next step is to onboard your test device into Windows Defender ATP. Go to the Windows Defender ATP dashboard/portal: https://securitycenter.windows.com/

Click Settings in the menu.

Click Onboarding.

Change the Deployment method to Mobile Device Management/Microsoft Intune. Click on Download Package and save the ZIP in Downloads.

Open the ZIP file, extract the XML file and save it in Documents or somewhere else.

Now go to the MS Intune portal. We need to create a new device configuration profile: MS Intune portal -> Device Configuration -> Profiles.

Click on the button Create profile.

Name the profile. Platform is Windows 10 and later. Profile type is Windows Defender ATP (Windows 10 Desktop). You get more settings on the right side.

Click on the folder icon next to Upload a signed configuration… and browse to the XML file.

Enable the other options. Click on the OK button and then on the Create button.

Click Assignments, search for the group and click on the Select button. Click the Save button. The profile is ready and will be deployed to your device in a few minutes.

Then we have to make a new compliance policy based on device health. Go back to Device compliance -> Policies and click on the Create Policy button.

You have to give the policy a name. Platform is Windows 10 and later. Click on Device health.

You have a few options to choose from:

  • Secured: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
  • Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
  • Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
  • High: This level is the least secure, and allows all threat levels. So devices with high, medium or low threat levels are considered compliant.

Choose a level and click on the Ok button (twice). Click Create to create the policy.

Click Assignments and search for the group. Select the group and click on the Save button. The policy will be applied to the devices over the next few minutes.

Go back to the Windows Defender ATP portal and click Machines list in the menu. Your device should be listed here; if not, wait longer. The device must be in this list. The device is now also managed by Windows Defender ATP.

It’s time to test Windows Defender ATP. Go to Help in the Windows Defender ATP dashboard and click on Simulations & tutorials.

Click on the button Copy Simulation script of Scenario 2.

Go back to your device and open Windows PowerShell with administrative privileges.

Paste the script into the PowerShell window on your device. If you are using Hyper-V, click in the menu on Clipboard -> Type clipboard text.

Hit Enter to run the script. Within a few seconds you see Notepad start and close automatically.

The simulated attack is done: injected and running.

Go back to the Windows Defender ATP dashboard and go to Alerts. You see new alerts; these alerts are caused by your action. So, this is how Windows Defender ATP works.

Click on the computer name to get an overview of the machine.

From here you can take actions to clean the machine of viruses: you can act, investigate and review the activity. Going deeper into the details I save for a new blog post later; it’s too much for this blog post right now.

To see more information about the device health state in the All devices view, you can add a column.

Go to Devices -> All Devices. Click on the Columns button to add a new column to the view.

Select Device Health State and click on the Apply button.


Scroll to the right and you see the new column based on the health level from Windows Defender ATP.

Check your compliance policies to see whether the machine is compliant or not.

This blog post was about the integration of MS Intune and Windows Defender ATP. Now you can use a compliance policy based on risk score or level. A machine with a high risk score is not allowed to use corporate resources. That way your organization is protected against the viruses spreading to your other clients, because the infected one is blocked based on the compliance policy and conditional access.

What we did is:
– integrated Windows Defender ATP with MS Intune;
– tested Windows Defender ATP and checked the alerts;
– made a compliance policy based on Device health state.

The last one, the compliance policy, will be used in Conditional Access to block the device based on its compliance status. But I will write about that in another blog post.

Part 9 – Configure Microsoft Intune – Windows Defender Application Control

Windows Defender Application Control (WDAC) is one of the security features in Windows 10. WDAC can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the kernel. WDAC policies also block unsigned scripts and MSIs. WDAC is similar to AppLocker and can be managed by MS Intune. By default, Windows components and all apps from the Windows Store are trusted to run, so if you enable this feature Windows 10 keeps running without crashing or blocking important apps/components. So, it’s safe to enable this. With AppLocker this is different: you had to be very careful about blocking files and processes. The requirement for this feature is that you must use Windows 10 Enterprise.

More information about Windows Defender Application Control: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control

Before deploying this profile to your test device, download and install 7-Zip on the device. We need this application to test WDAC.

Open MS Intune portal -> Device configuration -> Profiles

Click on the button Create Profile.

Enter a name. Platform is Windows 10 and later. Profile type is Endpoint Protection. Click on Windows Defender Application Control. You get more settings on the right side.

Change the setting Application control code integrity policies to Enforce. You can also enable Trust apps with good reputation, but then you can’t test well-known applications like 7-Zip anymore, so I left it on Not configured. I’m going to test 7-Zip with this profile. Click Ok (twice) and click on Create to create the profile.

Click on Assignments and search for the group. Select the group and click on the Save button. The policy will now be deployed to the device; you have to wait a few seconds. To check the status of the deployment, go to the MS Intune portal -> Devices -> All Devices -> name of the device -> Device Configuration.

Go to your Windows 10 device and try to start 7-Zip from the Start menu. You get this message.

WDAC is working and blocks unknown applications. Only the default Windows applications and Windows Store apps are trusted and are not blocked by WDAC.

Part 8 – Configure Microsoft Intune – Windows Defender Exploit Guard

Another security feature in Windows 10 is Windows Defender Exploit Guard, which can also be managed by MS Intune. Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10 that lets you manage and reduce the attack surface of the apps your users use.

There are four features in Windows Defender EG:

  • Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
  • Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
  • Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization’s devices. Requires Windows Defender AV.
  • Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.

More information about Windows Defender EG: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

You have to make a new device configuration profile in MS Intune. Go to MS Intune portal -> Device configuration -> Profiles.

Click on Create profile.

Enter a name for the profile. Platform is Windows 10 and later and Profile type is Endpoint Protection. Click on Windows Defender Exploit Guard to get more settings.

Click on Attack Surface Reduction and enable this feature. I changed all settings to Block for testing this function. For production you have to check which line-of-business (LOB) applications would be blocked. To check this you could set some or all settings to Audit only. If you audit some functions in WDEG, you have to check the event log to see which LOB application or process is flagged as suspicious. If your LOB application is flagged, you can exclude it from WDEG.

Here you can exclude files or folders in WDEG.

Click Ok and also change the other features of WDEG. After that click Ok (three times) and on the Create button to create the profile.

Click on Assignments and search for the group. Select the group and click on the Save button. Now you have to wait a few minutes; the profile is pending deployment to your device.

Now that the profile is applied, we have to test the settings. Everything is set to Block, so we should see some block messages. To test that Windows Defender EG is working, Microsoft has test files and tools available on this website: https://demo.wd.microsoft.com/

Open the website on your managed device and click on the link.

You have to log in with your Microsoft account. After that you are on this site.

You have to download some files; these are test files for testing the functions of WDEG.

Download these files and save them in a folder, like Demo on the C: drive.

If you run/open this VBS script, TestFile_PsexecAndWMICreateProcess_D1E49AAC-8F56-4280-B9BA-993A6D77406C, you get this notification. You have to click on the popups to end the VBS script.

For more information you can use the event log. First download the event log custom views from this website: https://aka.ms/mp7z2w

Open the ZIP file and copy the custom views asr-events, cfa-events, ep-events and np-events.xml; save them in Documents or somewhere else.

Open Event Viewer via Run in the Start menu or by pressing WIN+R.

Right-click on Custom Views and click on Import Custom View in the menu.

Browse to the copied views in Documents, select the first one and click on the Ok button. Repeat this for the others.

Click on the Attack Surface Reduction view. You see the events generated by WDEG; you also see a warning saying that an operation was blocked by Windows Defender Antivirus. In other words, WDEG is working on the Windows 10 device.
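The same check can be done from PowerShell instead of the custom views, which is handy when you run the rules in Audit only and want to see which LOB process would have been blocked. The script below is an added example, not from the original post or Microsoft; it also covers the WDAC block from the 7-Zip test in Part 9, which is logged by the Code Integrity provider. It assumes an elevated PowerShell session on the managed Windows 10 device:

```powershell
# Added example (not from the original post): list recent Attack Surface Reduction (WDEG)
# and Code Integrity (WDAC) events so you can see which file or process was blocked,
# or would have been blocked in audit mode.
function Get-ProtectionBlockEvents {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # ASR: 1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
    # Code Integrity: 3077 = file blocked by an enforced policy, 3076 = audit only.
    $queries = @(
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational';   Id = 3076, 3077; StartTime = $Since }
    )
    $blockIds = 1121, 3077

    foreach ($q in $queries) {
        # Get-WinEvent errors when nothing matches; an empty result is fine here
        Get-WinEvent -FilterHashtable $q -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                # EventData field names differ per event (rule ID, path, process name,
                # file name, policy name), so read every field generically from the XML
                $fields = @()
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    if ($d.Name) { $fields += "$($d.Name)=$($d.'#text')" }
                }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Log    = $_.LogName
                    Id     = $_.Id
                    Mode   = if ($_.Id -in $blockIds) { 'Block' } else { 'Audit' }
                    Fields = $fields -join '; '
                }
            }
    }
}

Get-ProtectionBlockEvents | Sort-Object Time -Descending | Format-List Time, Log, Id, Mode, Fields
```

An ASR event carries the rule GUID in its fields (the one in the VBS test file name above identifies the PsExec/WMI rule), so you can match each block to the rule and exclude the legitimate LOB process from that rule only.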

This is how Windows Defender Exploit Guard works, one of the features of the Windows 10 security stack. Enjoy.

Part 7 – Configure Microsoft Intune – Windows Defender SmartScreen

Windows Defender SmartScreen can also be managed by MS Intune: with a device configuration profile you can enable SmartScreen. SmartScreen is a Windows 10 feature for browsing the Internet, designed to warn users when unsafe websites are accessed in the web browser. This covers outright malicious sites that attack the browser or the underlying system directly. More information about this feature: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview

Go to the MS Intune portal -> Device configuration -> Profiles.

Click on Create profile.

Give the profile a name. Choose Windows 10 and later. Profile type is Endpoint Protection. Click on Windows Defender SmartScreen on the right to get more settings.

Enable SmartScreen and click on Ok (twice). Click on Create to create the profile.

Click Assignments and search for the group to apply this profile to. Click on the Save button. Wait a few minutes. Check the status via Devices -> All Devices -> click on the device -> Device Configuration.

To verify that the profile works, go to your device and open Internet Explorer. Usually, when you run IE for the first time, you get a popup asking whether you want to turn on SmartScreen. If you run IE for the first time and don’t get this window, the profile is doing its work.

Let’s check: open Internet Explorer and go to the menu Tools -> Safety -> Turn on Windows Defender SmartScreen.

You see that SmartScreen has been turned on by MS Intune, and also for Microsoft Edge.

Ok, great. Now we have to test this feature. Open Microsoft Edge and go to this website: https://secure.eicar.org/eicar.com.txt. This downloads a txt file. Click Open. You get this message.

Or you can try this website: https://demo.smartscreen.msft.net/ and click on the links on the website.

You will get this message from SmartScreen.

This is a nice test, and as you can see SmartScreen is working. It will block unsafe websites for the users.