Tuesday, 30 May 2017

Intune app-based conditional access to SharePoint Online

App-based conditional access is a recent addition to the Intune family and a really useful feature. Only mobile apps that have Intune app protection policies applied to them can access SharePoint resources. This helps to prevent data leakage and protect our data. Let's see how to configure it and what it looks like in the field.

Sign into the Azure portal (https://portal.azure.com)
Choose More services from the left menu, then type Intune in the text box filter.

Choose Intune App Protection and select All Settings in the Intune mobile application management blade.

Choose the SharePoint Online tile. On the Allowed apps blade, choose Allow apps that support Intune app policies option to allow only apps that are supported by Intune app protection policies.

The Allowed apps are listed. Now open the Restricted user groups blade and choose Add user group.

Select the user groups that should receive the policy.

OK, so what does this look like on a device? For testing I'm using an iPhone and the "SharePlus for Office 365 and SharePoint" app.

SharePlus is an unmanaged app that you can use to work with your SharePoint libraries. I've installed it on the iPhone.

SharePlus cannot have Intune app protection policies applied so it will not be possible to authenticate the app to access SharePoint. An error is encountered. It isn't a very clear or intuitive error message but the functionality is perfect. Access is prevented by the app-based CA policy.

Once I remove the per-app CA policy, SharePlus can successfully authenticate with SharePoint Online. This is very cool.

Until next time.......

Stay secure using Skycure integration with Microsoft Intune

Skycure is one of the industry leaders in Mobile Threat Defense and the platform is very effective at proactively protecting mobile devices from a broad range of known and unknown threats.

Skycure can now integrate with Microsoft Enterprise Mobility + Security, which allows enterprises to secure mobile devices by leveraging data from three dimensions – user identity, device identity and real-time risk. This integration with Intune and Azure Active Directory allows administrators to dynamically control mobile access to corporate resources and data based on Skycure’s real-time risk and compliance analysis. It looks like an exciting partnership for Microsoft.

So, how does it work?

You install the Skycure mobile app on Android and iOS devices. The app captures file system, network stack, device and application telemetry, and sends it to the Skycure cloud service to assess the device's risk for mobile threats.

Intune compliance policies now include a rule for Skycure mobile threat defense, which is based on the Skycure risk assessment. If the device is found to be non-compliant, access to resources like Exchange Online and SharePoint Online are blocked. Users on blocked devices receive guidance from the Skycure mobile app to resolve the issue and regain access to corporate resources.

How can I get started?

The solution is supported on Android 4.1 and later and iOS 8 and later.

You will also need the following subscriptions:
  • Azure Active Directory Premium
  • Microsoft Intune
  • Skycure Mobile Threat Defense subscription (get a trial here)

Steps to configure the solution:
  1. Configure Skycure to use Azure Active Directory Single Sign On (SSO) - enter your Azure tenant ID in the Skycure Management console.
  2. Download Skycure iOS app configuration policy - log in to the Skycure Management Console to download the iOS app configuration policy.
  3. Add Skycure apps, Microsoft Authenticator and iOS app configuration policy - add the apps and the policy in the Intune portal.
  4. Deploy Skycure apps, Microsoft Authenticator and iOS app configuration policy - deploy the apps and policy to your users.
  5. Set up Skycure integration with Intune - add Skycure apps into Azure AD to have Single Sign On capabilities. Configure the Intune connector in the Skycure Management console.
  6. Enable Skycure Mobile Threat Defense in Intune - configure the Skycure and Intune integration in the Intune administrator console.
  7. Create Skycure Mobile Threat Defense compliance policy in Intune - create Skycure compliance policy in the Intune console and apply to conditional access policy.
You can read more about this exciting new development in the official documentation.

Until next time......

Tuesday, 18 April 2017

Test driving OMS Upgrade Readiness

Last week I advised a smaller customer on their upcoming Windows 10 migration. As a smaller shop (approx. 100 users) they don't have access to the usual tools that I would recommend, although they use MDT for imaging and WSUS for patching. They don't have any tool for hardware and software inventory so we were unable to have a conversation about application compatibility. I thought this would be a good opportunity to test drive Upgrade Readiness, a "free" component of Microsoft Operations Management Suite (OMS). Let me clarify that: I was told it was free, but I was unsure what I'd actually get.

This is from the Microsoft TechNet article, looks hopeful:

"You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft".

Getting Started

Upgrade Readiness is a component of OMS and was formerly known as Upgrade Analytics which was previously known as Windows Analytics (I mention this as you'll still see these terms). The first step in this process is to sign up and create an OMS Workspace. This must be linked to an Azure subscription (either new or existing) even though you will not be charged.

Navigate to the following page to sign up for Upgrade Readiness (even though the page still says Windows Analytics).

If you already have an Azure subscription you should sign in with the subscription owner account. This is to allow you to easily link your new OMS Workspace with your existing Azure subscription.

If you are already using OMS you can choose "Existing OMS Customers". Otherwise choose "New Customers". This is the one we need.

This is the "Create New Workspace" page of OMS.
Choose a workspace name, e.g. yourdomain.

From now on you will access your workspace using this link:


Enter the rest of your details (Workspace region, name, contact email address, phone number, company name and country).
Select Create to create your OMS workspace.

The OMS workspace has been created and your Azure subscription is available. Choose Link to link your workspace with your subscription.

If you don't have an Azure subscription (i.e. the account you have signed in as is not the owner of any Azure subscriptions), you will need to create one before you can continue. Select "Create New" and run through the wizard to create a new Azure subscription. You will need a credit card for this although you will not be charged if you only want the free Upgrade Readiness.

The OMS workspace has been created and linked to your Azure subscription. Now you have to add the Upgrade Readiness solution. Check that box and select Add. (I've also added Update Compliance (Preview) but that is optional).

This is our OMS workspace. See that the Data Plan = Free in the top right corner. We'll have a look at that again later.

Configuring OMS

See that Upgrade Readiness requires configuration. Click on the tile and the Settings dashboard opens. Navigate to the Windows telemetry panel.

Copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.

Click Subscribe for Upgrade Readiness. The button changes to Unsubscribe. Unsubscribe from the Upgrade Readiness solution if you no longer want to receive upgrade-readiness information from Microsoft.

Click Overview on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Readiness tile now displays summary data. Click the tile to open Upgrade Readiness.

Proxy Configuration

The following endpoints should be whitelisted. They need to be accessible in order for your clients to send telemetry data to Microsoft. This data will subsequently be displayed in Upgrade Readiness.

  • https://*vortex*.data.microsoft.com/
    Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint.
  • https://*settings*.data.microsoft.com/
    Enables the compatibility update KB to communicate with Microsoft.
  • https://go.microsoft.com/fwlink/?LinkID=544713
  • https://compatexchange1.trafficmanager.net/
    This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. If you are using a Windows Compatibility Update published after February 2017 (appraiser.dll version >= 10.0.14979) you don't need access to these endpoints.

Client configuration - compatibility updates

The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have the KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using WSUS or ConfigMgr. I'm just running a pilot for now so I'll install them manually.

For Windows 7 I need the following:

KB 2952664 (Windows 7 SP1)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see https://support.microsoft.com/kb/2952664

KB 3150513
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see https://support.microsoft.com/kb/3150513
NOTE: KB2952664 must be installed before you can download and install KB3150513.

There are different KB requirements for the various operating systems. You'll find that information here.

Client configuration - execute Upgrade Readiness deployment script

The Upgrade Readiness deployment script does the following:
  1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
  2. Verifies that user computers can send data to Microsoft.
  3. Checks whether the computer has a pending restart. 
  4. Verifies that the required KBs are installed.
  5. If enabled, turns on verbose mode for troubleshooting.
  6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness.
  7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.

Download the script package from here. See here for full script instructions but you have to edit the script with the following information:
  • Location for log information
  • Commercial ID
  • Log behaviour

Executing RunConfig.bat.

In my pilot I copied the script files locally to a folder C:\Temp\Pilot. I also used a local log location, C:\Windows\Temp.
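As an added example of my own (not Microsoft's deployment script), here is a read-only PowerShell pre-flight that mirrors steps 1, 3 and 4 of the script on a Windows 7 SP1 pilot client, so you can see in advance which machines will fail for a missing KB, a pending reboot or a blocked proxy instead of learning it from a misleading exit code. The registry paths, the concrete hostnames standing in for the wildcard endpoints above, and the commercial ID value are assumptions and placeholders.

```powershell
# Added example: read-only Upgrade Readiness pre-flight for a Windows 7 SP1 client.
# Assumptions: the deployment script stores CommercialId and CommercialDataOptIn
# under ...\Policies\DataCollection and RequestAllAppraiserVersions under
# ...\AppCompatFlags\Appraiser; the hostnames below are concrete examples of the
# *vortex* and *settings* wildcards. Replace the commercial ID placeholder.

$ExpectedCommercialId = '00000000-0000-0000-0000-000000000000'  # placeholder, paste yours
$RequiredKBs = 'KB2952664', 'KB3150513'                          # Windows 7 SP1 requirements
$Endpoints   = 'https://v10.vortex-win.data.microsoft.com/',     # assumed concrete hosts
               'https://settings-win.data.microsoft.com/'
$DataCollectionKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$AppraiserKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value does not exist yet
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Test-PendingReboot {
    # The three indicators the servicing stack and Windows Update leave behind
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    return ((Test-Path $cbs) -or (Test-Path $wu) -or
            ($null -ne (Get-RegValue $sm 'PendingFileRenameOperations')))
}

function Test-TelemetryEndpoint {
    param([string]$Url)
    # Any HTTP answer, even 403 or 404, proves the proxy lets the client reach
    # Microsoft; only a DNS, TCP or proxy failure means the endpoint is blocked.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $resp.Close()
        return $true
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { return $true }  # server answered with an error status
        return $false
    }
}

function Get-UpgradeReadinessPreflight {
    $installed  = @(Get-HotFix | ForEach-Object { $_.HotFixID })  # Win32_QuickFixEngineering
    $missingKBs = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
    $blocked    = @($Endpoints   | Where-Object { -not (Test-TelemetryEndpoint $_) })
    $optIn      = Get-RegValue $DataCollectionKey 'CommercialDataOptIn'
    $allVers    = Get-RegValue $AppraiserKey 'RequestAllAppraiserVersions'
    $idMatches  = ((Get-RegValue $DataCollectionKey 'CommercialId') -eq $ExpectedCommercialId)
    $reboot     = Test-PendingReboot

    New-Object PSObject -Property @{
        ComputerName                = $env:COMPUTERNAME
        CommercialIdMatches         = $idMatches
        CommercialDataOptIn         = $optIn
        RequestAllAppraiserVersions = $allVers
        MissingKBs                  = ($missingKBs -join ', ')
        PendingReboot               = $reboot
        BlockedEndpoints            = ($blocked -join ', ')
        # Ready only when every condition the deployment script itself checks is met
        Ready = ($idMatches -and $optIn -eq 1 -and $allVers -eq 1 -and
                 $missingKBs.Count -eq 0 -and -not $reboot -and $blocked.Count -eq 0)
    }
}

Get-UpgradeReadinessPreflight | Format-List
```

Run it once before RunConfig.bat has been executed and the CommercialId and opt-in values will correctly show as unset; run it again afterwards and Ready should flip to True once the KBs and a reboot are out of the way.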

What does Upgrade Readiness give us?

I onboarded two Windows 7 clients for my pilot.

This is what I could see in my OMS workspace after a few days.

Drill into Upgrade Readiness to see more details.

Scroll over. Now we can see really useful information. We can find applications and drivers with known issues. These are the issues we need to resolve before the Windows 10 deployment.

Note that the information can be exported to Excel and saved locally. That's really cool.

The not-so-good stuff

I have a few little problems with the solution which I felt I should mention:
  • Windows 7 computers require that two KBs are installed for the solution to work. KB2952664 and KB3150513 are required. It's unfortunate that KB2952664 has to be installed already before KB3150513 can be installed. I appreciate that computers should be fully patched but that isn't always the case. I needed multiple reboots for my pilot clients with this customer. It will now be a little awkward to automate this to the remaining clients using a Group Policy computer startup script.
  • This TechNet article contains exit codes for the upgrade readiness script. 0 is the "successful" exit code. However I got a 0 code even though the script could not run and a log file was not created. This was a little confusing.
  • It can take quite a while to onboard devices - up to 3 days for my second pilot client.
  • Windows 10 Version 1703 is not yet available as a target version. Perhaps it's too early, or perhaps it will be available when 1703 is declared business ready.
  • The free data plan is a little restrictive. The daily upload limit is 500MB and the data retention period is 7 days. Note that the initial upload for each client is expected to average 2MB. You can increase this by purchasing another offering.

Next steps

Integrate Upgrade Readiness with ConfigMgr to access client upgrade compatibility data in the admin console. You'll then be able to target devices for upgrade or remediation from the device list.

Final Verdict

I'm generally quite happy with the solution. It will do exactly what I need for this customer.

Until next time......

Thursday, 13 April 2017

My new ConfigMgr training video series

I've been very quiet online recently but I've been very busy. I've been adding the finishing touches to my chapters in the upcoming ConfigMgr Current Branch Unleashed book (available for pre-order from Amazon).

Also, I've been working on a training video series for Packt Publishing. It's a lot of work. It's a two-part series of videos.

The contents are as follows:

Course 1 – Introducing the Configuration Manager environment

Section 1. Planning the Configuration Manager environment
1.1 Configuration Manager overview
1.2 Configuration Manager site planning and network design

Section 2. Installing Configuration Manager
2.1 Configuration Manager Prerequisites
2.2 Installing Configuration Manager
2.3 Easy Setup

Section 3. Getting Started with Configuration Manager
3.1 Using the Configuration Manager console
3.2 Configuration Manager and PowerShell
3.3 Discovery and boundaries
3.4 Configuration Manager Client installation
3.5 Create and manage collections
3.6 Configuration Manager Compliance
3.7 Hardware and software inventory

Section 4. Security & Role-Based administration (RBA)
4.1 Configuration Manager security overview
4.2 Role-Based administration
4.3 Securing the Configuration Manager environment

Section 5. Configuration Manager reporting and site maintenance
5.1 Configuration Manager Reporting
5.2 Configuration Manager Backup, Recovery & Maintenance

Course 2 – Implementing Configuration Manager features

Section 6. Software Distribution
6.1 Applications
6.2 Packages

Section 7. Software Updates
7.1 Introduction to software updates in Configuration Manager
7.2 Deploy a software updates solution with Configuration Manager
7.3 Automatic Deployment rules

Section 8. Operating System Deployment
8.1 Introduction to Operating System Deployment in Configuration Manager
8.2 Build and Capture a Windows 10 image with Configuration Manager
8.3 Deploying a Windows 10 image with a Configuration Manager task sequence
8.4 Working with device drivers

Section 9. Endpoint Protection
9.1 Enabling Endpoint Protection with Configuration Manager
9.2 Endpoint Protection client configuration
9.3 Managing Endpoint Protection with Configuration Manager

Section 10. Intune hybrid
10.1 Integrating Intune into Configuration Manager
10.2 Managing mobile devices with Configuration Manager
10.3 Advanced hybrid features of Configuration Manager

I'm very pleased to say that Course 1 is now available for pre-order. I've just started working on Course 2.


The videos average about 10 minutes long and are presentation-driven with lots of demonstrations throughout. I hope you enjoy watching as much as I enjoyed presenting.

Special thanks to Paul Winstanley @SCCMentor who reviewed the course.

Until next time.......

Wednesday, 12 April 2017

WMUG event - Windows 10 and Azure Cloud

I'm very pleased to be involved with the Windows Management User Group in London. We're hosting an event on 21st April at Hotel Xenia (160 Cromwell Rd, London SW5 0TL).

We're a ConfigMgr/Intune-oriented group and this time we'll be discussing Windows 10 and Azure. Please come along, it's free.

My session is titled "10 top tips for deploying Windows 10". I've done a lot of work in this area recently, primarily for Microsoft Consultancy Services, so I've picked up some tricks along the way. I'd like my session to be interactive so that we can learn from each other. If you attend please join in and tell us your war stories.

The agenda is as follows:

Morning sessions:

Afternoon sessions:

Although the event is free you must register in advance here.

Hope to see you there.....

Tuesday, 28 March 2017

My favourite features of ConfigMgr 1702

Configuration Manager Current Branch 1702 was released this week and is available as an in-console update for existing 1606 and 1610 sites. Read the official blog post here.

As we've come to expect, 1702 offers a raft of new features for managing our estate of devices. There are some big hitters such as:
  • Support for express installation files for Windows 10 updates
  • Ability to add software update points to boundary groups to control which software update point (SUP) clients can use
  • Being able to configure Office 365 installation settings from the Office 365 Client Management dashboard
Note that there are some deprecations also. Most notably, support has been dropped for the following:
  • SQL Server 2008 R2 for site database servers
  • Windows Server 2008 R2, for site system servers and most site system roles

Often though, my favourite features are less obvious. I've got two in this latest release:

1. I've always hated when customers ask me to create an OSD solution and give them the ability to deploy the OS using stand-alone media. I didn't like the idea of sending USB keys out in the field with no version control and no great way to withdraw them if they were superseded. Now we can set start and expiration dates on standalone media. Perfect, we can now timebomb the media so that it won't work after a pre-defined period.

I've configured the media so that it can't be used for a few days and will then expire in 2 months. I don't care if I never get it back now.

2. A new hardware inventory class (SMS_Firmware) and property (UEFI) have been added to determine if a computer is enabled to start in UEFI mode. This is a welcome addition so that we can report on the UEFI status of the estate. You're missing a trick if you're not using UEFI and enabling security features like Secure Boot. After all you already own it. That's like not locking the doors of your house or car because you couldn't be bothered.
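To show how the new inventory class can actually be used for that report, here is an added PowerShell example of my own (not from the 1702 release or the console). It assumes the class surfaces through the SMS Provider as SMS_G_System_FIRMWARE (the usual naming for inventory classes), that the site server and site code below are placeholders you replace, and that clients have already sent a hardware inventory containing the class; the local cross-check needs Windows 8 or later and an elevated prompt.

```powershell
# Added example: list devices that inventory says still boot in legacy BIOS mode,
# then cross-check the local machine. Placeholders: site server and site code.
# Assumption: SMS_Firmware/UEFI appears in the SMS Provider as SMS_G_System_FIRMWARE.UEFI.

$SiteServer = 'cm01.corp.example'   # placeholder SMS Provider host
$SiteCode   = 'P01'                 # placeholder site code

# Same WQL you would paste into a query-based collection membership rule.
# UEFI = 0 means the device booted in legacy BIOS mode, so Secure Boot cannot be on.
$LegacyBiosWql = @"
SELECT SMS_R_System.Name, SMS_R_System.ResourceId, SMS_G_System_FIRMWARE.UEFI
FROM SMS_R_System
INNER JOIN SMS_G_System_FIRMWARE ON SMS_G_System_FIRMWARE.ResourceID = SMS_R_System.ResourceId
WHERE SMS_G_System_FIRMWARE.UEFI = 0
"@

function Get-LegacyBiosDevices {
    param([string]$Server = $SiteServer, [string]$Code = $SiteCode)
    Get-WmiObject -ComputerName $Server -Namespace "root\SMS\site_$Code" -Query $LegacyBiosWql |
        ForEach-Object {
            # Join queries return one nested object per class named in the SELECT list
            New-Object PSObject -Property @{
                Name       = $_.SMS_R_System.Name
                ResourceId = $_.SMS_R_System.ResourceId
                UEFI       = [bool]$_.SMS_G_System_FIRMWARE.UEFI
            }
        }
}

function Get-LocalFirmwareState {
    # Local truth to compare against what inventory reported. $env:firmware_type
    # exists on Windows 8 and later; Confirm-SecureBootUEFI throws on legacy BIOS
    # machines and when not elevated, so both cases are reported as $false.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        FirmwareType = $env:firmware_type     # 'UEFI' or 'Legacy'
        SecureBoot   = $secureBoot
    }
}

# Usage: the devices that still need a BIOS-to-UEFI conversion, then this machine.
Get-LegacyBiosDevices | Sort-Object Name | Format-Table Name, ResourceId, UEFI -AutoSize
Get-LocalFirmwareState | Format-List

# To turn the report into a collection (ConfigurationManager module loaded, site drive selected):
# Add-CMDeviceCollectionQueryMembershipRule -CollectionName 'Legacy BIOS devices' `
#     -QueryExpression $LegacyBiosWql -RuleName 'SMS_G_System_FIRMWARE.UEFI = 0'
```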

I hope you're enjoying 1702. Until next time.....

Thursday, 2 March 2017

ConfigMgr OSD - use MDT without using MDT

The title may not make much sense but please read on about a recent customer requirement.

Customer requirement

In the task sequence, set the computer name to match the service tag


Easy - use the OSDComputerName variable with a value of %SerialNumber% (or was it that easy?)

Problem Statement

How does the %SerialNumber% value get populated in this case? This is straightforward if I'm using MDT integration as I can use the Gather step. However, the customer does not have MDT integrated and this would take a few weeks to organize with a strict change request procedure.
So what do I do?

Solution (revised)

Do I actually need MDT integrated or do I just need some MDT files?

I had a word with @ncbrady from @WindowsNoob and we came up with a plan. I installed MDT on a laptop and created a deployment share.

I figured that these files were all that I needed - only 45MB. I copied the files to my content source location and created an MDT Gather package (with no program).
Then I configured the TS as shown in the screenshots.

First I ran ZTIGather.wsf with this command

Cmd.exe /c cscript.exe .\Scripts\ZTIGather.wsf /debug:TRUE

This was to "discover" the service tag.

The next step was to set the hostname to match the serial number (service tag).

Unfortunately the task sequence failed:

"Gathering complete, but no INI file found" with an error code of 0x00001F40

On examining the smsts.log file the hostname was in fact set to the service tag, even though the task sequence failed. Happy days. I was just missing a customsettings.ini file. I manually created a default .ini file and copied it to the scripts folder.

That did it - SUCCESS.
Thanks for the assistance Niall.

Until next time.......

Edit #1:

Jörgen Nilsson has contacted me to say that only a few of the MDT files are actually required (less than 800KB). Here they are:

Thanks Jörgen.

Edit #2:

I've had some feedback about other ways to set the computer name to the service tag without using MDT. Thanks for that. However, the whole point of this post was to show how you can achieve MDT functionality without actually integrating MDT with ConfigMgr.

After all, the title is "Use MDT without using MDT".

Tuesday, 17 January 2017

PowerShell script - add and configure Intune Subscription

I've been deploying Microsoft Intune a lot recently. Adding and configuring the Intune subscription in the Configuration Manager console is very straightforward but can be time-consuming. I've created a simple PowerShell script to automate this.

This script adds an Intune subscription to ConfigMgr Current Branch and configures the subscription to enable management of Android, iOS, Windows and Windows Phone devices.

The cmdlets in this script require a valid Intune subscription. They require Configuration Manager 1511 or later, although it is recommended to use 1606 or later. There are published workarounds for using the cmdlets in pre-1606 environments.

Instructions for use
  1. Download an APN certificate request from ConfigMgr and generate the APN certificate directly from Apple (https://identity.apple.com) in advance of running this script. Save the Apple APN certificate to a local folder, e.g. E:\Sources\MDM\Apple\AppleCert.pem.
  2. Save script to installation folder
  3. Install the System Center Configuration Manager Cmdlet Library (if you are already using PoSH with ConfigMgr you will have done this already) https://www.microsoft.com/en-us/download/details.aspx?id=46681
  4. Run PowerShell and browse to the installation folder (you may have to run PoSH as administrator as the first step is to set the execution policy to unrestricted)
  5. Run IntuneSubscriptionScript.ps1
  6. The script will prompt you to enter the following information:
  • Enter Site Server name
  • Enter Site Code
  • Enter Intune subscription username
  • Enter Intune subscription password
  • Enter Company Color Scheme (options: Blue, Magenta, Purple, Teal, Lime, Brown, Pink, Orange, Red or Green)
  • Enter your organization name
  • Enter valid contact email address
  • Enter contact name
  • Enter path to Apple APN certificate
  • Enter Apple APN certificate password - leave blank if no password

The script will create the hybrid Intune subscription with your required parameters.

It will then enable management for Android, iOS, Windows and Windows Phone platforms.

Android enabled.

iOS enabled.

Windows enrolled as MDM enabled.

Windows Phone enabled.

Note that the script does not have much error checking for now. I'll get to that when I have a chance.

Download from the TechNet gallery and try it.

Until next time....

Monday, 2 January 2017

Manage Windows Defender ATP with ConfigMgr or Intune

As a result of a customer request I was recently reading about Windows Defender Advanced Threat Protection (ATP). It is a really cool Microsoft cloud service that integrates with Windows 10 v1607 (Enterprise, Education and Professional versions) and allows organizations to detect, investigate and respond to advanced threats on their networks. The service uses telemetry data sent from the Windows 10 devices to a private and isolated cloud instance of Windows Defender ATP. This telemetry data is supplemented by advanced threat intelligence and is translated into detections and recommended responses.

This sounded great to me so I wanted to give it a go. I was very curious to find out how straightforward it would be to deploy the technology in an organization and how quickly and easily I could receive meaningful information and recommendations.

How do you get Windows Defender ATP?

A Windows 10 Enterprise E3 license includes advanced security features such as Device Guard, Credential Guard and Managed User Experience. A Windows 10 Enterprise E5 license includes all the features and functionality available in Windows 10 Enterprise E3 plus Windows Defender Advanced Threat Protection and advanced IT administration management.

OR you can do what I did for this blog post and apply for a trial. Sign up for a Windows Defender ATP trial here

Tip: There is no guarantee that you will be accepted for a trial. I was turned down once but was approved the second time. In my second application I was economical with the truth regarding the number of PCs in my company.

You will get an acknowledgment to tell you that your application will now be reviewed and that you will be contacted within 7 business days. In actual fact it will be more like 3 days.

You will then receive an email with log in details and endpoint onboarding instructions.

Welcome to the Windows Defender Security Center.

Endpoint onboarding

Select Endpoint Management > Endpoint Onboarding

There are five methods of onboarding available. Select the one you need and click "Download package".

Group Policy
Use this method if you have no device management tool.

The package contains an admx and adml file that are to be deployed to the endpoints. You will find full instructions here.

SCCM 2012/2012R2/1511/1602
Use this method for SCCM versions earlier than 1606. Why are there two different deployment methods for SCCM? This is because Windows Defender ATP Policies are natively integrated with SCCM v1606 and later.

This download package contains a single script that you can deploy using the traditional package/program method - full instructions here.

Microsoft Intune

This package contains a single .onboarding file. This is to be deployed using a Windows 10 custom configuration policy with the following OMA-URI settings:
  • Setting name: eg Windows Defender ATP Policy
  • Setting description: eg Windows Defender ATP Policy
  • Data type: Select String.
  • OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding
  • Value: Copy and paste the contents of the WindowsDefenderATP.onboarding file you downloaded.

Local script
Use this option if you want to onboard devices manually (for testing purposes perhaps).

The package contains a single script file that you can run manually (as administrator) on a Windows 10 device.

SCCM v1606
This is the option I am interested in for this blog post.

The package contains a single .onboarding file which we can deploy with SCCM.

First navigate to Administration > Cloud Services > Updates and Servicing > Features. Right click and Turn on Windows Defender Advanced Threat Protection.

Restart the console and navigate to Assets and Compliance > Endpoint Protection. Windows Defender ATP Policies is new.

Right click to create a new policy.

Name the policy and choose onboarding.

Browse to the .onboarding file that you downloaded earlier. The Organization ID automatically populates.

Choose All files. The default is not to share any files.

Click Next to continue and create the policy.

The policy has been created and now can be deployed to a collection of Windows 10 1607 devices.

Troubleshooting endpoint onboarding

I manually ran Machine Policy retrieval on my test computer (I only had one) but nothing seemed to happen for about an hour. I wasn't sure how long it should take so I carried out some troubleshooting in the meantime.

Deployment status:

All looked normal with the SCCM deployment.

Event log:

Applications and Services Logs > Microsoft > Windows > SENSE

No errors in event log. Actually there was evidence that the local Defender ATP service had successfully contacted the cloud service.

Telemetry and diagnostics service:

Service enabled and started.

Defender ATP Service:

Service started.

If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. You can find full details of this here.
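The manual checks above (services, SENSE event log, ELAM driver) are easy to script so you can run them on a device in one go; this is an added example of my own, not part of the onboarding package. The Sense and DiagTrack service names, the Microsoft-Windows-SENSE/Operational log and the WdBoot ELAM driver are real; the OnboardingState registry value is assumed from Microsoft's onboarding troubleshooting guidance, and the script needs an elevated prompt on Windows 10 1607.

```powershell
# Added example: read-only onboarding health check for one Windows 10 1607 device.
# Assumption: HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status\OnboardingState
# is 1 once the onboarding policy has been applied. Run elevated.

function Get-ServiceState {
    param([string]$Name)
    # Reports NotInstalled instead of throwing when the service does not exist
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { return $svc.Status.ToString() }
    return 'NotInstalled'
}

function Get-AtpOnboardingState {
    # Assumption: 1 means onboarded; 0 or a missing value means the policy has not landed yet
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $p = Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.OnboardingState }
    return $null
}

function Get-SenseErrors {
    param([int]$Hours = 24)
    # Level 2 = Error events in the same SENSE operational log the post inspects by hand
    $filter = @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
             Select-Object TimeCreated, Id, Message)
}

function Test-ElamDriverEnabled {
    # WdBoot is the Windows Defender ELAM driver; Start = 0 is boot-start.
    # A third-party AV or a policy setting any other Start value stops the ATP agent working.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot' `
                          -Name Start -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Start -eq 0)
}

function Get-AtpOnboardingHealth {
    $sense  = Get-ServiceState 'Sense'       # Windows Defender ATP service
    $diag   = Get-ServiceState 'DiagTrack'   # Connected User Experiences and Telemetry
    $state  = Get-AtpOnboardingState
    $errors = Get-SenseErrors
    $elam   = Test-ElamDriverEnabled

    $result = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        SenseService       = $sense
        DiagTrackService   = $diag
        OnboardingState    = $state
        ElamDriverEnabled  = $elam
        SenseErrorsLast24h = $errors.Count
        Healthy            = ($sense -eq 'Running' -and $diag -eq 'Running' -and
                              $state -eq 1 -and $elam -and $errors.Count -eq 0)
    }
    # Point at the most likely cause so nobody spends an hour second-guessing a working deployment
    if (-not $result['Healthy']) {
        $hint = if ($sense -eq 'NotInstalled') { 'Sense service missing: device is not Windows 10 1607 or later' }
                elseif ($state -ne 1)         { 'Onboarding policy not applied yet: re-run machine policy retrieval and wait' }
                elseif (-not $elam)           { 'Enable the Windows Defender ELAM driver (WdBoot)' }
                else                          { 'Check the SENSE operational log entries below' }
        $result['Hint'] = $hint
    }
    return [pscustomobject]$result
}

Get-AtpOnboardingHealth | Format-List
$senseErrors = Get-SenseErrors
if ($senseErrors.Count -gt 0) { $senseErrors | Format-Table -AutoSize -Wrap }
```

On a freshly targeted device expect OnboardingState to stay empty until the policy is applied; a Healthy result here matches the green status you will see under Monitoring > Security > Windows Defender ATP Status.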

So what now??

After about an hour of unnecessary troubleshooting and second-guessing I could see my endpoint onboarded and healthy.

Navigate to Monitoring > Security > Windows Defender ATP Status to see the health of your endpoints.

You can also see the status in the Windows Defender Security Center.

Now refer back to the welcome email. We are given instructions on how to run an attack simulation.

We are invited to open a safe looking MS Word document which could be delivered by email.

Once we enable macros an attacker's command shell opens on the computer.

The attacker can then run some innocent looking commands remotely.

Almost immediately the attack is detected in the Windows Defender Security Center (this was literally almost instantaneous).

Details of the attack and recommended actions are provided.

Note that we can configure email notifications for high severity alerts.

I have to say that I'm seriously impressed with how easy it was to get started with this service. It was very straightforward to onboard devices and the speed of threat detection was alarming.

Have a look at a recent Microsoft blog post describing a real life attack. It's quite impressive.

I hope this blog post was useful. Until next time.....