Monday, June 24, 2019

Edge Insider and group policy support

I have been using Edge Insider (Chromium) for a while and I am impressed.

You can find the download here https://www.microsoftedgeinsider.com/en-us/download/, and not only for Windows 10 as shown here:

We now also have a preview of an ADMX file (policy settings).

You can find the preview here https://techcommunity.microsoft.com/t5/Discussions/Early-preview-of-Microsoft-Edge-group-policies/m-p/693929/thread-id/5164

The ADMX file is attached as a zip file:

The current Edge policies in your GPOs are not used by the Insider versions:

After downloading and unpacking the zip file you will see msedge.admx and its accompanying ADML file:

After copying the ADMX and ADML files to your central store, you will see the new Edge policies:
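As an added example (not from the post), this PowerShell snippet copies msedge.admx and its ADML into the Group Policy central store and checks that the copy is complete. It assumes the zip was extracted to C:\Temp\msedge with the ADML in an en-US subfolder, that the ActiveDirectory module is available, and that you have write access to SYSVOL; the central store path follows Microsoft's documented convention.

```powershell
# Added example, not part of the blog post.
# Assumptions: zip extracted to C:\Temp\msedge (ADML under en-US), ActiveDirectory
# module present, write access to SYSVOL.
$domain   = (Get-ADDomain).DNSRoot
$store    = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$source   = 'C:\Temp\msedge'
$language = 'en-US'

# Create the central store and the language folder if they do not exist yet.
New-Item -ItemType Directory -Path (Join-Path $store $language) -Force | Out-Null

# Copy the template and its language file to the matching locations.
Copy-Item -Path (Join-Path $source 'msedge.admx') -Destination $store -Force
Copy-Item -Path (Join-Path $source "$language\msedge.adml") `
          -Destination (Join-Path $store $language) -Force

# Verify: both files must exist and the ADMX must be well-formed XML,
# otherwise GPMC refuses to load the whole PolicyDefinitions folder.
$admx = Join-Path $store 'msedge.admx'
$adml = Join-Path $store "$language\msedge.adml"
if (-not (Test-Path $admx) -or -not (Test-Path $adml)) {
    throw "Copy failed: expected $admx and $adml"
}
$null = [xml](Get-Content -Path $admx -Raw)
$null = [xml](Get-Content -Path $adml -Raw)
"Central store updated: $admx"
```

Run it from a domain-joined management host; after it completes, the new Edge policies appear in GPMC under Computer Configuration and User Configuration.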

After adding some policies you can see the active policies at the address edge://policy/ (just like Google Chrome).

If you add a new policy, the page auto-updates and shows the change, which is very nice.

For now I am missing support for Enterprise mode, but it should be added later.

So far Edge based on Chromium is very promising, it could very well be the preferred enterprise browser in the future.

Tuesday, June 18, 2019

SSPR and only allow registration of security information from trusted location

At our last Mindcore Tech event, we took a closer look at Self-Service Password Reset (SSPR) in Azure AD.

One question we did not have the time to pursue was how to only allow entering security information from a trusted location.

We have SSPR set up, and users are required to set up their security information at first logon as explained here:

https://blog.mindcore.dk/2019/03/azure-active-directory-azure-ad-self.html

In this test we will only allow entering security information from our company IP address.

First we create a new user to use for this test (blockuser).

Blockuser will be added to the AD group pwdresetgrp, because this is the group we used in the previous post about SSPR. We will also use this group for the Conditional Access policy.

The next step is to create a new Conditional Access policy in Azure AD.

Name the policy and in Users and groups select the group pwdresetgrp to be included in this policy.

In Cloud apps or actions, select User actions and then Register security information.

In Conditions, select Locations and include Any location.

We will exclude our company IP address (the Mindcore location) and the MFA trusted IPs.

Select to block access.

Then set the policy to On and click Create.

In this example the location Mindcore is created as an IP address range.
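The same policy expressed as a Microsoft Graph object and created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the post. It assumes the Microsoft.Graph module is installed, the group pwdresetgrp exists, the named location Mindcore has already been created, and that the Graph value AllTrusted is used to cover the MFA trusted IPs; the policy name is made up for this example.

```powershell
# Added example, not from the blog post. Assumptions: Microsoft.Graph module installed,
# group 'pwdresetgrp' and named location 'Mindcore' already exist in the tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$group    = Get-MgGroup -Filter "displayName eq 'pwdresetgrp'"
$location = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Mindcore'"
if (-not $group -or -not $location) { throw 'Group or named location not found' }

$policy = @{
    displayName = 'Block security info registration outside trusted locations'  # example name
    # Start with 'enabledForReportingButNotEnforced' to observe sign-in log impact first;
    # switch to 'enabled' once the excluded ranges are confirmed correct.
    state       = 'enabled'
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{
            # The "Register security information" user action from the post.
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        locations    = @{
            includeLocations = @('All')
            # Exclude the Mindcore IP range and all trusted locations (MFA trusted IPs).
            excludeLocations = @($location.Id, 'AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Before flipping a block policy to enabled, confirm the excluded named location really contains the egress addresses your users register from, since a wrong range locks everyone in pwdresetgrp out of first-time registration.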

Now let's try a first-time login with the user blockuser from an unknown IP address.

Enter the password.

We still see the More information required prompt.

But since this is an untrusted location, we get the message You cannot access this right now.

Changing to a trusted location (the Mindcore IP address), we see this instead:

Mindcore Tech https://www.linkedin.com/groups/12247201/

Friday, June 14, 2019

Mindcore Tech and SSPR follow-up

Yesterday at our Mindcore Tech meeting, one of our test scenarios did not work as expected.

We did not get the reset password option on the Windows 10 insider build.

https://blog.mindcore.dk/2019/03/azure-ad-password-reset-on-login-screen.html

The reason was “just” some missing configuration in the lab we built during the meeting.

In order to use SSPR from the Windows 10 login page, the computer must be Azure AD joined or Hybrid Azure AD joined, and our test computer was neither.

No SCP (service connection point) had been created, and the computer was in an OU that was not being synchronized by Azure AD Connect.

So first I moved the computer to the correct OU and set up the SCP as shown here:

SCP in AD:

After some time, the status on the client changed:

And the required certificates get inserted into the local computer certificate store:

And just like magic:

Thanks to all of you for joining the Mindcore Tech meeting, and see you all next time.

Thursday, May 23, 2019

Connect Microsoft Store for Business with Intune

This time let’s try to connect Store for Business with Intune and deploy the Company Portal to all users.

First thing to do is to register Store for Business, so sign in to https://businessstore.microsoft.com using the same tenant account you use to sign into Intune.

Microsoft Store for Business - Sign in

Select Manage:

Microsoft Store for Business - Manage

Click Settings, then Distribute, and under Management tools activate Microsoft Intune:

Microsoft Store for Business - Settings

Search for the company portal.

Microsoft Store for Business - Company Portal

Select the Company Portal:

Microsoft Store for Business - Shop for my group

Click Get the app (please note that this test has been done on the current insider build and at the time of writing there are known problems with 1903).

Microsoft Store for Business - Get the app Online

Close.

Microsoft Store for Business - Purchased

Now go to the Intune management portal, open Client apps, then Microsoft Store for Business, and set Enable sync to Enable. Remember to Save your settings.

Intune and Microsoft Store for Business- Enable

Now Sync the apps.

Intune and Microsoft Store for Business- Sync

Synchronization will start.

Intune and Microsoft Store for Business- Starting Sync

And the status changes to Active.

Intune and Microsoft Store for Business- Active

After synchronization, you will see your applications from Store for Business in Apps, click on the Company Portal App:

Client apps - Microsoft 365 Device Management

Click Assignments and Add group.

Intune - Assignments

In this test the Company Portal will be installed for all users, so change Assignment type to Required and select Included Groups.

Intune - Required

Select Yes for Make this app required for all users, click OK, and remember to save your changes.

Intune - Add Group

And finally, the result on an Intune/Autopilot-enrolled Windows 10 device.

Intune - Windows 10 Start menu and Company Portal