Part 6 – Configure Microsoft Intune – Windows Defender Firewall

This part is all about Windows Defender Firewall. MS Intune can also manage the Windows Firewall on a Windows 10 device. Let's begin with enabling the firewall on a Windows 10 device.

Go to the MS Intune portal -> Device Configuration -> Profiles

Create Profile.

Enter a name for the profile. Platform is Windows 10 and later. Profile type is Endpoint Protection. More settings appear; click on Windows Defender Firewall.

Click on Domain network

Enable the firewall and change the other settings as needed. Click Ok. Do the same for the Private and Public network. Click Ok (twice) and then Create to create the profile.

Click on Assignments and search for the group. Select the group and click on the Save button.

After a few minutes the firewall settings change. Check the status on your Windows 10 device: go to Control Panel -> Windows Defender Firewall.

This configuration is simple: it turns the firewall on or off per network profile (Domain, Private, Public). There are no requirements for it, except that you need Windows 10 version 1709 or later for full support of the Firewall CSP, which is what Intune uses to push these settings to the device. More information about the Firewall CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp
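To check from the device side that the profile really landed, here is an added example (my own script, not code from the original post): it reads the active firewall state for all three profiles and compares it with what you configured in Intune. The values in $Expected are an assumption about the profile settings; change them to match what you selected in the portal. Run it in an elevated PowerShell session on the enrolled Windows 10 device.

```powershell
# Added example: verify that the Intune Endpoint Protection profile switched the firewall on
# for the Domain, Private and Public profiles. Run as administrator on the enrolled device.
# $Expected is an ASSUMPTION about the settings chosen in the Intune profile; adjust to taste.

$Expected = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'   # assumed profile setting; 'NotConfigured' means the local default (Block) applies
    DefaultOutboundAction = 'Allow'
}

function Test-FirewallProfileState {
    param(
        [hashtable] $Expected,
        # ActiveStore reflects what is in effect right now, including MDM- and GPO-delivered settings.
        [string] $PolicyStore = 'ActiveStore'
    )

    $results = foreach ($p in Get-NetFirewallProfile -PolicyStore $PolicyStore) {
        $enabled  = [string]$p.Enabled
        $inbound  = [string]$p.DefaultInboundAction
        $outbound = [string]$p.DefaultOutboundAction
        [pscustomobject]@{
            Profile               = $p.Name
            Enabled               = $enabled
            DefaultInboundAction  = $inbound
            DefaultOutboundAction = $outbound
            Compliant             = ($enabled -eq $Expected.Enabled) -and
                                    ($inbound -eq $Expected.DefaultInboundAction) -and
                                    ($outbound -eq $Expected.DefaultOutboundAction)
        }
    }
    return $results
}

$state = Test-FirewallProfileState -Expected $Expected
$state | Format-Table -AutoSize

if ($state.Compliant -contains $false) {
    Write-Warning 'At least one firewall profile does not match the expected Intune settings.'
    Write-Warning 'Trigger a sync (Settings -> Accounts -> Access work or school -> Info -> Sync) and re-run.'
} else {
    Write-Host 'Domain, Private and Public profiles all match the expected firewall settings.'
}
```

If a profile shows Enabled = False long after the sync, look at the profile status in the Intune portal first (Devices -> All devices -> your device -> Device configuration) before suspecting the device; a local group policy that sets the firewall explicitly will also show up here, because ActiveStore is the merged result.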


Part 5 – Configure Microsoft Intune – Windows Defender Application Guard

 

This part is all about Windows Defender Application Guard. Windows Defender Application Guard (WDAG) is a security feature of Windows 10 for Microsoft Edge and Internet Explorer. This feature can also be managed with Microsoft Intune.

This feature gives your users secure browsing on the Internet, protecting your company while employees browse. If an employee goes to an untrusted site (a site that is not in the list of trusted enterprise sites) in either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V enabled container, which is separate from the host operating system. More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview

Before we configure this, the device must meet some requirements for the feature to be enabled. The device must have at least:

  • 4 logical processors (with the CPU virtualization extensions enabled in the firmware),
  • 8 GB of memory,
  • 5 GB of free disk space,
  • Windows 10 Enterprise, version 1709 or higher (I use 1803), or
  • Windows 10 Pro, version 1803 or higher.

If you are testing this on a virtual machine you must enable nested virtualization, so that Hyper-V can run inside the VM. Run this PowerShell on your Hyper-V host, with the VM powered off:

Set-VMProcessor -VMName "The name of your Virtual Machine" -ExposeVirtualizationExtensions $true   # the VM must be in the Off state

This exposes the processor's virtualization extensions to the virtual machine, so Hyper-V (and therefore the Application Guard container) can run inside it.

More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard
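As an added example (my own script, not code from the original post or from Microsoft), the following wraps the host-side command above in a small check, and adds a guest-side function that tests the requirements from the list and whether the Application Guard optional feature is present, which is what you want to run after the Intune profile has been applied and the machine rebooted. The VM name is a placeholder, and the 5% memory slack is my own allowance for RAM the firmware reserves; the rest uses stock Hyper-V and DISM cmdlets.

```powershell
# Added example. Part 1 runs as administrator on the Hyper-V host (VM powered off).
# Part 2 runs as administrator inside the Windows 10 guest (or on a physical device).
# 'Win10-Intune-Test' is a placeholder VM name.

function Enable-NestedVirtualization {
    param([Parameter(Mandatory)][string] $VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' must be powered off before its processor settings can be changed."
    }
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    return (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions   # $true on success
}

function Test-ApplicationGuardPrerequisites {
    # Minimums as listed in the Application Guard requirements.
    $cs    = Get-CimInstance Win32_ComputerSystem
    $os    = Get-CimInstance Win32_OperatingSystem
    $info  = Get-ComputerInfo           # slow, but exposes the Hyper-V requirement flags
    $free  = (Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free
    $build = [int]$os.BuildNumber       # 1709 = 16299, 1803 = 17134

    $checks = [ordered]@{
        'Logical processors >= 4'    = $cs.NumberOfLogicalProcessors -ge 4
        'Memory >= 8 GB'             = $cs.TotalPhysicalMemory -ge (8GB * 0.95)   # assumption: 5% slack for firmware-reserved RAM
        'Free disk >= 5 GB'          = $free -ge 5GB
        'CPU virtualization enabled' = [bool]$info.HyperVRequirementVirtualizationFirmwareEnabled -or [bool]$info.HyperVisorPresent
        'Supported edition/build'    = ($os.Caption -match 'Enterprise' -and $build -ge 16299) -or
                                       ($os.Caption -match 'Pro'        -and $build -ge 17134)
    }

    # State of the optional feature that the Intune Application Guard profile enables.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
    $checks['Application Guard feature enabled'] = ($feature.State -eq 'Enabled')

    foreach ($k in $checks.Keys) {
        Write-Host ('{0,-36} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'MISSING' }))
    }
    return $checks
}

# Part 1 (host):   Enable-NestedVirtualization -VMName 'Win10-Intune-Test'
# Part 2 (guest):
$null = Test-ApplicationGuardPrerequisites
```

If "Application Guard feature enabled" stays MISSING after the profile shows Succeeded in the portal, reboot first; the feature install only completes on restart, which is also why the Edge menu entry does not appear before that.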

Let's give this a try. Go to the Microsoft Intune portal and go to Device configuration -> Profiles

Create Profile

Give the profile a name. Platform is Windows 10 and later. Profile type is Endpoint protection. More settings appear; go to Windows Defender Application Guard.

Enable the settings you want and click on Ok (twice). Then create the profile by clicking the Create button.

Go to Assignments and search for the group. Select the group and click on the Save button.

After a few minutes this profile is deployed on the device. In the background Windows enables the Application Guard feature, which brings in the Hyper-V components it needs.

Let's look at the device. You have to restart the machine first, otherwise it won't work.

Open Microsoft Edge and click on the dots to expand the menu. Click New Application Guard Window.

You have now opened a new Microsoft Edge window that runs isolated in a Hyper-V container. This is secure browsing.

Part 4 – Configure Microsoft Intune – Windows Encryption

This part of the blog series is about how to configure Windows encryption. Within Microsoft Intune it is possible to enable encryption on a Windows 10 device. You have to create a profile which specifies the settings for the device. The profile will configure the settings on the device and turn on BitLocker.

OK, I had forgotten that Hyper-V supports a virtual TPM for Windows 10 guests. So, I have turned this feature on. Now I can encrypt the virtual disks of my Windows 10 virtual machine. Let's try this with a device configuration.
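For readers who also test on Hyper-V, here is an added example (my own script, not from the original post) of enabling that virtual TPM from PowerShell on the host instead of through the VM settings dialog. The VM name is a placeholder; a virtual TPM needs a Generation 2 VM and the VM must be off.

```powershell
# Added example: attach a virtual TPM to a Generation 2 Hyper-V VM so BitLocker can be
# enabled inside the Windows 10 guest. Run as administrator on the Hyper-V host.
# 'Win10-Intune-Test' is a placeholder VM name.

function Enable-GuestTpm {
    param([Parameter(Mandatory)][string] $VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        throw "A virtual TPM requires a Generation 2 VM; '$VMName' is Generation $($vm.Generation)."
    }
    if ($vm.State -ne 'Off') {
        throw "Power off '$VMName' before changing its security settings."
    }

    # The vTPM state is encrypted with a key protector. A local key protector is fine for a lab;
    # in production you would use a Host Guardian Service key protector instead.
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
    Enable-VMTPM -VMName $VMName

    return (Get-VMSecurity -VMName $VMName).TpmEnabled   # $true when the vTPM is attached
}

Enable-GuestTpm -VMName 'Win10-Intune-Test'
```

Inside the guest, Get-Tpm should now report TpmPresent = True and TpmReady = True; that is the state the BitLocker profile (and the "Encryption of data storage" compliance setting from part 3) depends on.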

Go to the Intune portal -> Device Configuration -> Profiles

Click Create Profile

Give the profile a name and choose as Platform Windows 10 and later and as Profile type Endpoint Protection. You will see more settings at the right.

The ones in purple are changed. This is my default configuration for BitLocker. Click Ok (twice) and then Create.

Profile is created.

Go to Assignments and include the user group here. Then click on the Save button. Now we have to wait a few minutes.

The profile has been applied on the device and the drive is encrypted. If the status shows an error, you might have a bootable disk or USB connected to your device. Unplug the ISO, DVD or USB before the device continues with encrypting.

You see that the C: drive (the OS drive) is encrypted, pushed by the device configuration profile.

Oh, and the recovery key is stored in Azure AD. You can find the key in the MS Intune portal -> Devices -> Azure AD Devices -> click on a device for more information.

Here you see the recovery key for BitLocker. This is needed if BitLocker won't unlock the drive and asks for a recovery key, for example after a firmware or boot configuration change that the TPM no longer recognises.
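To confirm the same thing from the device, here is an added example (my own script, not code from the original post): it reports the OS drive's BitLocker state, shows the ID of the recovery password protector (the same key ID you see next to the key in Azure AD), and can re-upload that protector to Azure AD manually with BackupToAAD-BitLockerKeyProtector, which is the equivalent of what the profile does when it stores the recovery information in Azure AD. Run it as administrator on the Azure AD joined device.

```powershell
# Added example: check the OS drive's BitLocker state and (optionally) escrow the recovery
# password protector to Azure AD by hand. Run as administrator on an Azure AD joined device.

function Get-OsDriveBitLockerState {
    $vol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus      # On / Off
        VolumeStatus        = $vol.VolumeStatus          # e.g. FullyEncrypted, EncryptionInProgress
        EncryptionMethod    = $vol.EncryptionMethod      # e.g. XtsAes128, XtsAes256
        EncryptionPercent   = $vol.EncryptionPercentage
        TpmProtector        = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryProtectorId = $recovery.KeyProtectorId   # GUID that Azure AD shows as the key ID
    }
}

function Backup-OsDriveRecoveryKeyToAzureAD {
    $state = Get-OsDriveBitLockerState
    if (-not $state.RecoveryProtectorId) {
        throw 'No recovery password protector on the OS drive; nothing to escrow.'
    }
    # Safe to re-run: the same protector is simply uploaded again.
    BackupToAAD-BitLockerKeyProtector -MountPoint $state.MountPoint -KeyProtectorId $state.RecoveryProtectorId
    return $state.RecoveryProtectorId
}

$state = Get-OsDriveBitLockerState
$state | Format-List

if ($state.ProtectionStatus -ne 'On') {
    Write-Warning 'Protection is off: check for attached ISO/DVD/USB media, TPM presence (Get-Tpm) and the profile status in Intune.'
} elseif (-not $state.TpmProtector) {
    Write-Warning 'Drive is protected without a TPM protector; the user will be prompted for a password or startup key at boot.'
}

# Uncomment to escrow the key manually:
# Backup-OsDriveRecoveryKeyToAzureAD
```

The key ID printed as RecoveryProtectorId is what you match against the list in the Azure AD device blade when a user calls you with the recovery screen: the screen shows that ID, so you can hand over the right 48-digit password without guessing.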

Part 3 – Configure Microsoft Intune – Device compliance and configuration

Previous blog posts:

https://albertneef.wordpress.com/2018/05/02/part-1-how-to-create-a-new-azure-tenant-with-ems-subscription/

https://albertneef.wordpress.com/2018/05/02/part-2-how-to-configure-microsoft-intune-windows-hello-and-mobility-mdm-and-mam/

We continue with configuring Microsoft Intune. In this blog post we are going to make some compliance policies and device configuration policies.

We have already enrolled a Windows 10 device. For these steps we can use the same device to test the policies.

So, go back to the Intune portal and go to Device compliance -> Policies. There we have to create a new compliance policy for our Windows 10 device.

Click on the button Create Policy

You have to give the policy a name and choose the correct platform. After you click on Settings you will get a new menu.

I have only configured System Security. This one is the most important and usable for testing purposes. The ones in purple are changed. So, I have enabled a lot for compliance and I knew already that my device will not be compliant because of the missing TPM/BitLocker. But that's not a problem, it is a nice example of how it works. Click on the Ok button twice and then click on the Create button to create the policy.

To use this policy, you have to assign it to a specific user group. First, we have to make a new user group. Go to Azure Active Directory -> Groups. Click on the button New Group.

Give the group a name. Group type is Security and Membership type is Assigned. Then you have to add a member. This member must be the user you used to enroll the device into MS Intune in the previous part. Select the member and after that click on the Create button.

Go back to Intune -> Device compliance -> Policies

Click on the newly created policy. You will get more options.

Click Assignments

Click Select groups to include

Search for the newly created group, select the group and click on the Select button.

The group has been added; click on the Save button.

Now we have to wait. The policy will be pushed to the device in a few minutes.

I got this message

This means that the compliance policy is applied on the device. Now we have to wait a few minutes for the MS Intune portal to receive the result.

Go to the MS Intune portal -> Device compliance -> Device compliance.

You will see that the compliance status has changed to Not compliant. Click on the device for more information.

This is general information about the device. Go to Device Compliance for more information about the compliance.

You see that the status of the newly created policy is Error. This means that something on the device is not compliant. Click on the policy for more information.

As I said, my device is not compliant because of Encryption of data storage on device. The others are compliant, so that's good. Since I have no TPM on my device I must change the compliance policy, otherwise I can't go further with configuring and testing MS Intune. But this is only for testing purposes. In production I recommend having a TPM on each device to encrypt your OS and data drives.

I have disabled "Encryption required" and now the device is compliant again.
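Rather than waiting for the next check-in to learn why a device is Not compliant, you can evaluate the same System Security signals locally. The script below is an added example (mine, not from the original post); which rows matter depends on what you ticked in the policy, so the set of checks is an assumption based on the System Security settings group (TPM, encryption, firewall, antivirus, Secure Boot). Run it as administrator on the device.

```powershell
# Added example: predict the System Security part of the compliance verdict from the device itself.
# The set of checks is an ASSUMPTION about which settings were enabled in the policy. Run as administrator.

function Test-SystemSecurityPosture {
    $tpm        = try { Get-Tpm } catch { $null }
    $osVol      = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $fw         = Get-NetFirewallProfile
    $mp         = try { Get-MpComputerStatus } catch { $null }
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on BIOS/legacy boot: treat as not enabled

    $checks = [ordered]@{
        'TPM present and ready'          = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        'OS drive encrypted (BitLocker)' = [bool]($osVol -and $osVol.ProtectionStatus -eq 'On')
        'Firewall on (all profiles)'     = -not ($fw | Where-Object { $_.Enabled -eq 'False' })
        'Antivirus real-time protection' = [bool]($mp -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusEnabled)
        'Antispyware enabled'            = [bool]($mp -and $mp.AntispywareEnabled)
        'Secure Boot enabled'            = [bool]$secureBoot
    }

    foreach ($k in $checks.Keys) {
        Write-Host ('{0,-34} {1}' -f $k, $(if ($checks[$k]) { 'compliant' } else { 'NOT compliant' }))
    }
    return $checks
}

$posture = Test-SystemSecurityPosture
if ($posture.Values -contains $false) {
    Write-Warning 'This device would be marked Not compliant. Each failing row maps to a policy setting to relax (lab) or a device problem to fix (production).'
}
```

On the VM from this post without a TPM, "TPM present and ready" and "OS drive encrypted" both come back NOT compliant, which is exactly the row the portal reported; in production you fix the device, in a lab you untick the setting as done above.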

It's time to do some device configurations. Go to MS Intune portal -> Device configuration -> Profiles

Click on the Create Profile button.

Give the profile a name and choose the platform and profile type. In my example I use Device restrictions for Password.

 

Change the settings you like and click on the Ok button (twice).

Then create the profile by clicking the Create button.

The profile has to be assigned to a group. You can use the previously created group to assign this profile to the user.

Go to Assignments in the menu and click on Select groups to include. Search for your user group and click Select.

Click on the Save button to save the configuration. Now you have to wait a few minutes; the policy will be deployed on your Windows 10 device. To check the status of the assignment, go to Devices -> All Devices.

Click on your device and then on Device Configuration.

Here you will see the status of the policy/profile.

After a few minutes it will change to Succeeded (or to an error state if something went wrong). The configuration is now applied on your device.
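Succeeded in the portal tells you the device accepted the profile, not which values it ended up with. As an added example (my own script, not from the original post), the following reads the DeviceLock settings that the MDM client recorded under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device, the location where Windows keeps Policy CSP settings delivered by MDM, and cross-checks them against the local account policy from "net accounts". The parsing of the "net accounts" output assumes an English Windows installation.

```powershell
# Added example: confirm on the device which password (DeviceLock) settings the profile applied.
# Policy CSP settings delivered by MDM are recorded under PolicyManager\current\device\<Area>.
# "net accounts" parsing assumes English output. No elevation needed to read the registry key.

function Get-AppliedDeviceLockPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    if (-not (Test-Path $key)) {
        Write-Warning 'No DeviceLock policy recorded yet; sync the device (Access work or school -> Info -> Sync) and retry.'
        return $null
    }
    $item = Get-ItemProperty -Path $key
    # Drop the PS* metadata properties that Get-ItemProperty adds; keep only the policy values.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Setting = $_.Name; Value = $_.Value } }
}

function Get-LocalAccountPolicy {
    # Parse "net accounts" into a hashtable, e.g. 'Minimum password length' -> '8'
    $result = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>[^:]+?):\s+(?<value>.+)$') {
            $result[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $result
}

Get-AppliedDeviceLockPolicy | Format-Table -AutoSize

$local = Get-LocalAccountPolicy
"Local minimum password length: $($local['Minimum password length'])"
"Local maximum password age:    $($local['Maximum password age (days)'])"
```

If the registry shows the value you configured but "net accounts" still shows the old one, the policy has been received but not yet enforced; a sign-out or reboot usually resolves it. If the key is missing altogether, the profile never reached the device and the Intune portal status is the place to look.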

Recap:

What we did is make a new compliance policy for the Windows 10 device. With this policy you can mark the device as compliant or not. That is useful later if you want to work with Conditional Access: based on compliance you can grant the user access to Azure resources, or make it a condition for deploying apps to the device.

We have made a device configuration. This one was a device restriction based on password, but there are more, like blocking the camera, OneDrive sync and so on. Device restriction is one of the device configuration types. In the next blog post I will write more about the other device configuration types.

 

 

Part 2 – Configure Microsoft Intune – Windows hello and Mobility (MDM and MAM)

In the previous part I guided you through creating a new tenant on demos.microsoft.com. That tenant is working, and we can use it to configure Microsoft Intune to manage a Windows 10 device.

In this part we go further with Microsoft Intune.

We are going to enable Windows 10 automatic enrollment. Go to the Azure portal -> Azure Active Directory -> Mobility (MDM and MAM) -> Microsoft Intune

For testing purposes the user scope All is enough. So, set the MDM user scope to All. You can change this later to a specific user group, for MDM as well as MAM. Hit the Save button.

What does this function do? It automatically enrolls a Windows 10 device into Microsoft Intune when it is Azure AD joined. As a user you can join the Windows 10 device to Azure AD. During this join process/registration the device is also enrolled into Microsoft Intune automatically.

We go further with configuring Microsoft Intune. We have to enable Windows device enrollment. You will need, of course, the Intune portal. Go to All services (because by default the Intune icon is not in the left side menu) -> search for Intune -> click on Intune (you can also click on the * to add Intune to the side menu) -> Device enrollment -> Windows enrollment.

Go to Windows Hello for Business

Click on Default

Click Settings

Click on the button Not configured and choose Enabled. You will get more settings. These are my settings for a Windows 10 device. TPM is not required because I'm using a virtual machine without TPM.

Click on the Save button and go back to the start of the Microsoft Intune portal.

Let's try whether enrollment works. Go to your Windows 10 device. Grab a random user from Azure AD and try to sign in.

Enter the password.

We have to do some extra security verifications.

Choose your favorite option to verify. I always choose text message.

I received a text message.

We have to create an app password, but this is for later.

Click Next, we are not done yet.

Please choose your option and click Accept.


Windows 10 is now Azure AD joined and enrolled into MS Intune. We have enabled Windows Hello in MS Intune and because of that you see the message "Your organization requires Windows Hello". This is a good sign: it shows that our configuration in MS Intune is applied.

We must create a PIN. Let's try 1234... This PIN is not allowed by our Windows Hello configuration. You will get this message.

Let's try 8888 and still it is not allowed; they are too simple. So, I go for a complex one, like 7948. This one is allowed, and everything is all set.

To verify that Windows 10 is joined and enrolled, go to Settings -> Accounts -> Access work or school.

You see the name of the Azure AD tenant and beneath that the account name you used. Click on it and you will get some buttons. Click on the Info button.

This gives us information about the sync status with Microsoft Intune.

Go to the Intune portal to verify the sync. From the portal go to Devices -> All devices. You should see your enrolled Windows 10 device. The device is managed by MDM. This is all good: your device is managed by Mobile Device Management (MDM).
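The Settings page and the portal both answer the question, but on a device that will not show up you want the answer from the client itself. The script below is an added example (mine, not from the original post): it parses dsregcmd /status, which ships with Windows 10, and reports whether the device is Azure AD joined and whether an MDM enrollment URL is present. The field names AzureAdJoined, DomainJoined and TenantName are standard in that output; MdmUrl appears on recent builds and is an assumption for older ones. Run it as the enrolled user, no elevation needed.

```powershell
# Added example: read the device's own join/enrollment state from dsregcmd /status.
# Field names are taken from dsregcmd's "Device State" and "Tenant Details" sections;
# MdmUrl is present on recent Windows 10 builds (assumption for older builds).

function Get-DeviceRegistrationState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        # Lines look like "  AzureAdJoined : YES"; section headers and blank lines do not match.
        if ($line -match '^\s*(?<key>[A-Za-z0-9]+)\s*:\s*(?<value>.*)$') {
            $state[$Matches.key] = $Matches.value.Trim()
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        TenantName    = $state['TenantName']
        MdmUrl        = $state['MdmUrl']
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])
    }
}

$reg = Get-DeviceRegistrationState
$reg | Format-List

if (-not $reg.AzureAdJoined) {
    Write-Warning 'Device is not Azure AD joined; automatic MDM enrollment only applies to Azure AD joined devices.'
} elseif (-not $reg.MdmEnrolled) {
    Write-Warning 'Azure AD joined but no MDM URL: check the MDM user scope under Azure AD -> Mobility (MDM and MAM) -> Microsoft Intune and that the user has an Intune (EM+S) license.'
}
```

A device that is AzureAdJoined = True but MdmEnrolled = False is the classic symptom of the user scope not covering the user who joined the device, or of a missing license; fixing either and re-running the join from Access work or school is faster than re-imaging.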

End of part 2

 

Part 1 – Configure Microsoft Intune – the begin, create a new Azure tenant with EM+S subscription

Modern management is a hot topic these days. Microsoft announced Microsoft 365 a few months ago. Because of that I want to guide you through the installation and configuration of Azure and Microsoft Intune. I will begin with the simple basic stuff and later go deeper into the matter.

What you need is the following:

  • An Azure Tenant
  • EM+S Subscription
  • Windows 10 test device/virtual machine. I have Hyper-V on my computer and created a Windows 10 Dev Environment VM (it is downloaded automatically if you use the wizard).

Let's begin with a demo environment. I made an environment on demos.microsoft.com and created a new Microsoft 365 Enterprise tenant.

You have to log in with your MPN/partner credentials. After that go to Environments to create a new tenant.

I chose Microsoft 365 Enterprise Demo Content. Click on the button Create Tenant. You must set a PIN for the tenant to secure the environment. After that it will create a new tenant for you. You will see this information when the process is done.

Copy the username and go to the Azure portal (https://portal.azure.com). Log in with the newly created credentials.

To check the licenses, go to Azure Active Directory -> Licenses -> Products

Now you have a working Azure/EM+S environment for testing Microsoft Intune with a Windows 10 device. The users are created, and they are licensed for EM+S, Office 365 and Windows 10 features.

Do you want to go to the next part? Click here

 

MAM without enrollment and Outlook mobile app

It has been a long time since I posted on my blog, so it is time for a blog post. The Outlook for iOS and Android app was confusing for me, and that's why I made this post to clarify it. Maybe you ran into a problem with Mobile Application Management (MAM) in Microsoft Intune for the Outlook for iOS and Android app. I was one of them and couldn't get the correct information from the Internet about the support within the Outlook app and the native mail app on iOS, Android and Windows 10.

We have 2 different scenarios at this moment. We have an Exchange 2016 environment which runs on-premises. The second one is Exchange Online, which runs in the cloud. So how do you manage a BYOD device with MAM in these 2 different scenarios?

App protection policies for the Office mobile apps only work if the apps are connected to Office 365 services. App protection policies will not work in the Office mobile apps if you are using on-premises Exchange, Skype for Business or SharePoint.

With Exchange on-premises you get less functionality than with an Exchange Online environment. Within Microsoft Intune you have the options Conditional Access (CA), App Protection policies (MAM) and Email profiles.

Then you have 2 different apps to get your email on your mobile (BYOD) device: the Outlook app (available for iOS and Android) and the system app, called the native mail app. The functionality of the Outlook app and the native mail app is not the same, and of course it also depends on which Exchange version you are using.

Microsoft Intune has an Exchange Connector to connect your on-premises Exchange with Microsoft Intune. This is required if you want to use Conditional Access (CA) for on-premises mailboxes. I'm not going further into the configuration of the Exchange connector in this blog post.

App Protection Policies

The Outlook app supports these policies. The native mail app doesn't support App Protection Policies; only managed apps that are compatible with Mobile Application Management (the Intune SDK has to be integrated in the app) do. With App Protection policies you can limit some functions within the app, like copy/paste to an unmanaged app, saving attachments to local storage and so on.

This works without enrollment of the device into Microsoft Intune. The only thing required is that on iOS you install the Microsoft Authenticator app and on Android you install the Intune Company Portal app. You don't have to log in to that app.

Outlook for iOS and Android app: the policies will work on the BYOD device based on Mobile Application Management only if you have Office 365/Exchange Online.

Native mail app: App Protection Policies don't support native mail apps. Mobile Application Management will not work for native mail apps.

Email profile auto-setup: 

Email profile auto-setup does not work in the Outlook app, only in the native mail app, except on older versions of Android, depending on how the device is enrolled. On Android you have 2 different types of MDM: the traditional (device administrator) way and Android for Work. Email profiles only work if your Android devices are managed with Android for Work and not the traditional way. The only way to use email profiles is to enroll your device in MDM; with MAM it will not work.

NOTE: Since January 2018 the Outlook for iOS and Android app supports email profile push from Microsoft Intune. Link: https://blogs.technet.microsoft.com/exchange/2018/01/30/now-your-enterprise-mobility-management-solution-can-be-used-to-simply-set-up-and-configure-outlook-for-ios-and-android-for-exchange-on-premises/

Outlook for iOS and Android app: the email profile will work, but only if the device is enrolled in Microsoft Intune. This is MDM, not MAM (without enrollment). If you are using an Office 365 account a push is not needed; the account information is discovered automatically.

Native mail app: only if the device is enrolled. With MAM it will not work.

Conditional Access: 

If you want to use CA with on-premises Exchange you have to enroll your devices into Microsoft Intune, and Microsoft Intune must have a connection with your on-premises Exchange environment. Based on the condition of the device, CA grants or blocks access to the resources. With Exchange Online you can force the user to use the Outlook app instead of the native mail app: if the user sets up his mail account in the native mail app, he gets a message that he must download and use the Outlook app to get his mail. This can be done with MAM without enrollment, but only for Exchange Online, and you have to use modern authentication (enabled by default).

Outlook for iOS and Android app: only if you are using Office 365 can you use Conditional Access with MAM without enrollment. This is only available if Microsoft Intune is connected to an Exchange Online environment.

Native mail app: it only works if the device is enrolled in Microsoft Intune. This will not work with MAM without enrollment.

Selective Wipe:

Within Microsoft Intune you have the option to do a (remote) wipe on a device. There are 2 different wipes: a selective wipe and a full wipe. Selective wipe means that Microsoft Intune only removes corporate data (personal data stays intact) from the device, and full wipe means that Microsoft Intune resets the device to its factory defaults. To selectively wipe the native mail account you have to set up an email profile in Microsoft Intune; you have just read the email profile section above. For the native mail app, selective wipe with MAM without enrollment will not work: you have to enroll the device into Microsoft Intune. The email profile route applies only to the native mail app, not to the Outlook app.

I have read on Microsoft Docs that all managed apps support selective wipe based on MAM without enrollment. If you have sent the request to do a wipe, the data will be wiped when the user opens the app. https://docs.microsoft.com/en-us/intune/apps-selective-wipe

Outlook for iOS and Android app: with MAM without enrollment you can do a selective wipe of the app. The data will be wiped from that specific app. For Outlook only the corporate mail is removed; the personal mailbox stays intact on the device.

Native mail app: only if the device is enrolled. Then you can do a selective wipe or a full wipe. The selective wipe does not remove only the mail; everything corporate-related is removed from the device.

Best of both worlds: use MDM together with MAM policies if you are not using Exchange Online but only the on-premises version.