Search This Blog

Tuesday, July 20, 2021

Identity Protection and guests

This time we will take a closer look at Identity Protection and its possible impact on guest users (B2B collaboration users).


To test this out we create an Identity Protection user risk policy in tenant A that requires all users to change their password if their calculated user risk is medium or higher:


In this test we will use a guest user in another tenant (tenant B). The guest has been invited to tenant A earlier and access has been tested and confirmed working.


For the test to work, our test user (testrisk) now has a calculated user risk level of medium in tenant B, even though Identity Protection is only enabled in tenant A, not in tenant B.


The key point is that user risk for B2B collaboration users is evaluated in their home directory, not in the resource directory.


Now if we try to access, for example, a Microsoft Team in tenant A with our risky user from tenant B, we see this message:


Your account is blocked.

We’ve detected suspicious activity on your account.


If we check the sign-in logs in tenant A we can see that the user is blocked due to risk in the home tenant.


There are well documented limitations in the implementation of Identity Protection for B2B collaboration users in a resource directory due to their identity existing in their home directory. The main limitations are as follows:

  • If a guest user triggers the Identity Protection user risk policy to force password reset, they will be blocked. This block is due to the inability to reset passwords in the resource directory.
  • Guest users do not appear in the risky users report. This limitation is due to the risk evaluation occurring in the B2B user's home directory.
  • We cannot dismiss or remediate a risky B2B collaboration user in their resource directory. This limitation is due to administrators in the resource directory not having access to the B2B user's home directory.

So if a risky B2B user in our directory is blocked by our risk-based policy, the user must remediate that risk in their home directory.


Users can remediate their risk by performing a secure password reset in their home directory.


If they do not have self-service password reset enabled in their home directory, they will need to contact their own organization's IT staff to have an administrator manually dismiss their risk or reset their password.


This guest user also has access to an ASP.NET Core web app in tenant A with B2B sign-in enabled; testing this application we get the same error: Your account is blocked.


This behavior is not always what we want, and luckily we have several options to handle it.


In this example we will simply exclude all guests from the Identity Protection user risk policy. Keep in mind that this removes risk-based protection for guests in tenant A entirely, so it should be a deliberate choice rather than a default.


First we create a new dynamic group with all guests using this rule:

(user.objectId -ne null) and (user.userType -eq "Guest")
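The same group created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. The group name and membership rule are the ones used above; the description and mail nickname are my own choices. After creation it compares the group's member count with the number of guest users in the tenant, which is the quickest way to confirm the rule did what you expect before you exclude the group from the policy.

```powershell
# Added example (not from the original post): create the ALL_Guests dynamic group from
# the rule above and check that its membership matches the tenant's guest user count.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Rule from the post: every object that is a guest (B2B collaboration) user
$rule = '(user.objectId -ne null) and (user.userType -eq "Guest")'

$group = New-MgGroup -DisplayName 'ALL_Guests' `
    -Description 'All B2B collaboration (guest) users' `
    -MailEnabled:$false -MailNickname 'ALL_Guests' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Dynamic membership is evaluated asynchronously and can take several minutes to
# settle in a large tenant; the wait here is an arbitrary pause, not a completion signal.
Start-Sleep -Seconds 120

# Filtering on userType is an advanced query: it needs ConsistencyLevel eventual and $count
Get-MgUser -Filter "userType eq 'Guest'" -ConsistencyLevel eventual -CountVariable guestCount -All | Out-Null
$memberCount = @(Get-MgGroupMember -GroupId $group.Id -All).Count

[pscustomobject]@{
    Group          = $group.DisplayName
    Rule           = $group.MembershipRule
    GuestsInTenant = $guestCount
    GroupMembers   = $memberCount
    InSync         = ($guestCount -eq $memberCount)   # $false: wait longer or re-check the rule
}
```

If InSync stays false after a few minutes, check the group's membership processing state in the portal before using it in the exclusion; an exclusion group that has not finished populating will leave some guests blocked.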


Then we exclude our new group (ALL_Guests) from our User risk policy:


And after this change we can again access our ASP.NET Core web app with B2B sign-in enabled:


You can find the app used here:


Remember to change appsettings.json so the app registration uses "Accounts in this organizational directory only" (single tenant); guests then sign in to tenant A through B2B rather than to their home tenant.


Finally, having excluded guests from the Identity Protection user risk policy, we can fine-tune this further using Conditional Access.


For example, we can create user risk policies in Conditional Access that target selected guests and selected applications, each accepting a different risk level.



We can also change the behavior so that guests with a calculated risk in their home directory are required to do MFA instead of being forced into a password reset that ends in a block.
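The MFA variant described above as a Conditional Access policy, created with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original post; the display name is my own, and the policy is created in report-only mode so you can validate it against the risky guest's sign-ins before enforcing it. The last command reads back the test user's recent sign-ins so you can see the risk level and the Conditional Access result side by side.

```powershell
# Added example (not from the original post): require MFA, not a password change, for
# guests whose home-tenant user risk is medium or high. Report-only until validated.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$policy = @{
    displayName = 'CA - Guests with user risk: require MFA'   # my own name
    state       = 'enabledForReportingButNotEnforced'         # switch to 'enabled' after testing
    conditions  = @{
        userRiskLevels = @('medium', 'high')
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }  # narrow to selected apps if preferred
        users          = @{
            # Scope to guests/external users only; tenant members stay on the
            # Identity Protection user risk policy
            includeUsers = @('GuestsOrExternalUsers')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')   # 'passwordChange' is what causes the block for guests
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check the outcome for the risky test user (display name from the post) in the
# resource tenant's sign-in logs: risk level seen at sign-in and what CA decided.
Get-MgAuditLogSignIn -Filter "userDisplayName eq 'testrisk'" -Top 5 |
    Select-Object CreatedDateTime, RiskState, RiskLevelDuringSignIn, ConditionalAccessStatus,
        @{ n = 'FailureReason'; e = { $_.Status.FailureReason } }
```

Because the risk is evaluated in the home tenant, the guest can satisfy the MFA requirement in tenant A, but their risk state will not change until it is remediated in tenant B; this policy only avoids the hard block, it does not clear the risk.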



Please remember that Identity Protection is an Azure AD Premium P2 feature.


That's it for now. Happy testing!


As always if you have any questions regarding this topic, feel free to reach out to us.











    Wednesday, July 7, 2021

    Fix PrintNightmare via Endpoint Manager using expedite updates


    With the expedited updates feature in Microsoft Endpoint Manager you can deploy updates such as the most recent Patch Tuesday release or an out-of-band security update as quickly as possible.

    For example, we just saw the PrintNightmare flaw in the Windows Print Spooler, where an attacker could execute arbitrary code with SYSTEM privileges on an unpatched system.

    Not all updates can be expedited; the feature is currently only available for Windows 10 security (quality) updates.

    So why use this feature instead of your configured Windows 10 update rings?

    To speed things up. Expedited updates use the available services, such as push notification channels, to make the device download and install the update as soon as possible, without waiting for its next scheduled check-in for updates.


    - Use Intune to expedite Windows 10 quality updates - Azure | Microsoft Docs

    Create expedite patch deployment

    Go to the Microsoft Endpoint Manager admin center and choose Devices.

    Choose Windows 10 quality updates (Preview).

    Create profile.

    Give it a name that you can easily find.

    Add groups.

    I have grouped devices into waves, so that I can test on small groups before going global.








    Patch report for your management

    When something bad happens and your company is potentially at risk, management usually pushes for reports. This is how you can give them what they want.

    Go to Windows updates (preview).

    Choose Reports.

    Choose Windows Expedited Update report (Preview).

    Select an expedited update profile: the expedited update we created earlier.

    Export the data and hand it to management.
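    The report tells you what Endpoint Manager believes; on a device you also want to confirm that the expedited update really landed and what state the Print Spooler is in. The following function is an added example and not part of the original post. It takes the KB number of the update you expedited as a parameter (the value in the usage call is a placeholder to replace), checks the installed hotfix list, reads the Windows Update history through the Windows Update Agent COM API so that failed or aborted install attempts are visible too, and reports the Spooler service state.

```powershell
# Added example (not from the original post): verify on a device that an expedited
# update installed and show the Print Spooler state. Run locally or via Invoke-Command.
function Test-ExpeditedUpdate {
    param(
        [Parameter(Mandatory)][string]$KB   # e.g. 'KB1234567' (placeholder: use the KB you expedited)
    )

    # 1. Quick check: is the hotfix present in the installed-updates list?
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # 2. Deeper check: Windows Update history via the WUA COM API. Unlike Get-HotFix this
    #    also shows attempts that failed, which is what you need when a device is missing.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = if ($count -gt 0) { $searcher.QueryHistory(0, $count) } else { @() }
    $attempts = $history | Where-Object { $_.Title -match $KB } |
        Select-Object Date, Title, ResultCode   # ResultCode: 2 = Succeeded, 4 = Failed, 5 = Aborted

    # 3. Spooler state: the component the update patches, and the service Microsoft
    #    recommended stopping on servers that do not need it.
    $spooler = Get-Service -Name Spooler

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        KB              = $KB
        HotfixInstalled = [bool]$hotfix
        InstalledOn     = $hotfix.InstalledOn
        UpdateAttempts  = $attempts
        SpoolerStatus   = $spooler.Status
        SpoolerStartup  = $spooler.StartType
    }
}

# Usage (placeholder KB; replace with the update you expedited)
Test-ExpeditedUpdate -KB 'KB1234567'
```

    A device that shows the update as succeeded in the history but still lists the old build after a reboot has usually had the update superseded or rolled back; in that case look at the next entries in UpdateAttempts before re-expediting.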



    I hope this post gave you some insight into how to handle zero-day patching with Endpoint Manager quickly and easily. The feature is there to make your daily life as an admin easier. Go try it out yourself!

    Happy patching!



    Use Intune to expedite Windows 10 quality updates - Azure | Microsoft Docs

    Windows message center | Microsoft Docs

    Thursday, July 1, 2021

    Analyze on-premises GPOs with MEM Group Policy Analytics (preview)



    In this blog post I will be looking at Group Policy Analytics (preview) in Microsoft Endpoint Manager. Organizations have been using group policy objects (GPOs) for decades to configure user and computer settings on devices in their environment. Today, with many organizations embracing cloud solutions and wanting to move workloads to Microsoft Endpoint Manager, we need a way to review and analyze the on-premises GPOs to determine which settings can be moved to the cloud. This is where Group Policy Analytics in Microsoft Endpoint Manager comes in handy.

    Group Policy Analytics is a feature in Microsoft Endpoint Manager that analyzes your on-premises GPOs. It helps you determine how your GPOs translate in the cloud. The output shows which settings are supported in MDM providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers.

    Source: Microsoft Docs

    This is a preview feature, but don't worry: public previews are fully supported by Microsoft (Source: Microsoft Docs).


    Prerequisites and Requirements

    • On-premises Computer / Domain Controller
    • Policies applicable for Windows 10 and later
    • Microsoft Endpoint Manager
    • An MEM role that has the Security Baselines permissions, or one of the following roles in Azure AD
      • Global Administrator
      • Intune Administrator


    Export / Backup GPOs as an XML File

    So, first we'll need to export the GPOs in order to analyze them in Group Policy Analytics.

    Make sure that each exported file is less than 750 KB. If the exported file is greater than 750 KB, include fewer GPOs when you save your report from Group Policy Management. Group Policy Analytics checks the size of each individual GPO XML file; a single GPO can't be bigger than 750 KB, and the import will fail if the GPO XML file is larger than that.

    Source: Microsoft Docs

    Open “Group Policy Management” from an on-premises computer** or domain controller.
    Expand to “Group Policy Objects” and right-click on a GPO and select either “Back Up…” or “Save Report…”

    ** Requires that the optional feature RSAT is installed.

    If you selected “Back Up…” – Set location, add description (optional), click “Back Up” and click “OK”

    If you selected “Save Report…” – Navigate to the correct location, add file name and type. Click “Save”

    This is of course also possible from PowerShell; edit and run this command from an elevated PowerShell session on a domain controller (or any machine with the GroupPolicy RSAT module):
    Get-GPOReport -Name "The_Policy_Name" -ReportType XML -Path "C:\Temp\The_Policy_Name.xml"

    I ran all three methods just for the sake of this blog post – the results should look something like this.
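    When you have more than a handful of GPOs, exporting them one at a time gets old fast, and you only find out about the 750 KB limit when an import fails. The following script is an added example, not code from the original post: it exports every GPO in the domain as an XML report (by GUID, since display names are not guaranteed unique) into a folder of your choosing and flags the files that exceed the limit quoted above. The output folder is an assumption; change it to suit.

```powershell
# Added example (not from the original post): bulk-export GPO XML reports for Group
# Policy Analytics and flag files over the 750 KB per-file limit.
Import-Module GroupPolicy   # from RSAT or a domain controller

function Export-GpoReportsForAnalytics {
    param(
        [string]$OutputPath = 'C:\Temp\GPOExport',   # assumption: pick your own folder
        [int]$MaxBytes = 750KB                       # limit stated in the Microsoft Docs quote above
    )
    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

    foreach ($gpo in Get-GPO -All) {
        # GPO names may contain characters that are invalid in file names
        $safeName = ($gpo.DisplayName -replace '[\\/:*?"<>|]', '_')
        $file = Join-Path $OutputPath "$safeName.xml"

        # Export by GUID: two GPOs can share a display name, a GUID is unique
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file

        $size = (Get-Item $file).Length
        [pscustomobject]@{
            Name       = $gpo.DisplayName
            Guid       = $gpo.Id
            File       = $file
            SizeKB     = [math]::Round($size / 1KB, 1)
            Importable = ($size -le $MaxBytes)   # $false: the import will be rejected
        }
    }
}

# Show the largest first so the ones that need splitting are at the top
Export-GpoReportsForAnalytics | Sort-Object SizeKB -Descending | Format-Table -AutoSize
```

    A GPO that exceeds the limit is usually one that carries a large set of registry or Internet Explorer maintenance settings; the practical fix is to split those settings into a separate GPO before exporting.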


    Group Policy Analytics (preview)

    Once we have exported the GPO, we must import it into Group Policy Analytics.

    Go to the Microsoft Endpoint Manager admin center, click on “Devices” and select “Group Policy analytics (preview)” from the “Policy” section. Click “Import”.

    Select your exported GPO – once the status is “import completed” you can close this page by clicking on the X.

    Microsoft Endpoint Manager will analyze the GPO and determine which settings in this policy have MDM support.

    The GPO will be listed with the following information:

    Group Policy name: automatically generated from information in the GPO.
    Active Directory Target: automatically generated from the organizational unit (OU) target information in the GPO.
    MDM Support: the percentage of group policy settings in the GPO that have the same setting in Intune.
    Unknown Settings: this is new and doesn't seem to be documented yet, but I'd guess it covers custom settings (e.g. registry settings) or unsupported settings.
    Targeted in AD: Yes means the GPO is linked to an OU in on-premises group policy; No means the GPO isn't linked to an on-premises OU.
    Last imported: the date of the last import.

    In my example - 84% of the settings in my GPO will be MDM supported.
    Click on the percentage for your policy.

    The GPO settings will be listed with the following information:

    Setting Name: automatically generated from information in the GPO setting.
    Group Policy Setting Category: the setting category for ADMX settings, such as Internet Explorer and Microsoft Edge. Not all settings have a setting category.
    ADMX Support: Yes means there's an ADMX template for this setting; No means there isn't an ADMX template for the specific setting.
    MDM Support: Yes means there's a matching setting available in Endpoint Manager. You can configure this setting in a device configuration profile; settings in device configuration profiles are mapped to Windows CSPs. No means there isn't a matching setting available to MDM providers, including Intune.
    Value: the value imported from the GPO. It shows different values, such as true, 900, enabled, false, and so on.
    Min OS Version: the minimum Windows OS build number the GPO setting applies to. It may show 18362 (1903), 17130 (1803), and other Windows 10 versions.
    Scope: whether the imported GPO targets users or targets devices.
    CSP Name: a Configuration Service Provider (CSP) exposes device configuration settings in Windows 10. This column shows the CSP that includes the setting. For example, you may see Policy, BitLocker, PassportforWork, and so on.
    CSP Mapping: the OMA-URI path for the on-premises policy. You can use the OMA-URI in a custom device configuration profile.

    Supported CSPs

    Group Policy Analytics can parse the following CSPs:

    The above information explains each column very well and I have marked a few settings in the below screenshot that we will take a closer look at.

    Settings Page Visibility/Settings Page Visibility

    Setting Name Settings Page Visibility/Settings Page Visibility
    Group Policy Setting Category Control Panel
    ADMX Support No
    MDM Support No
    Value hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting…
    Min OS Version 0
    Scope Device
    CSP Name N/A
    CSP Mapping N/A

    Show first sign-in animation

    Setting Name Show first sign-in animation
    Group Policy Setting Category System/Logon
    ADMX Support No
    MDM Support Yes
    Value Disabled
    Min OS Version 18362 (Windows 10 version 1903)
    Scope Device
    CSP Name Policy
    CSP Mapping ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation

    Show Windows Store apps on the taskbar

    Setting Name Show Windows Store apps on the taskbar
    Group Policy Setting Category Start Menu and Taskbar
    ADMX Support Yes
    MDM Support Yes
    Value Disabled
    Min OS Version 15063 (Windows 10 version 1703)
    Scope User
    CSP Name Policy
    CSP Mapping ./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar

    One setting is not supported (we'll get back to that one...). Two of the settings are MDM supported, which means you can create a custom device configuration profile in Microsoft Endpoint Manager using the OMA-URI from the CSP Mapping column. As you can also see above, the “Show Windows Store apps on the taskbar” setting is ADMX supported as well, which means there is an Administrative Template for it in Endpoint Manager too.

    Let's take a look at how to create a device configuration profile based on the above results.

    Creating a device configuration profile based on CSP (OMA-URI)
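    The same custom profile created through the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. The two OMA-URIs and values come straight from the CSP Mapping rows above; the profile name, descriptions and the test group id are my own placeholders. Note the difference in value type: the WindowsLogon policy is a plain integer, while the ADMX-backed taskbar policy expects a SyncML fragment (`<enabled/>` or `<disabled/>`) as a string.

```powershell
# Added example (not from the original post): create a custom (OMA-URI) Windows 10
# device configuration profile for the two MDM-supported settings and assign it.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'GPA - migrated logon and taskbar settings'   # my own name
    description   = 'Custom OMA-URI profile built from Group Policy Analytics results'
    omaSettings   = @(
        @{
            # Policy CSP integer: 0 = Disabled, 1 = Enabled (value "Disabled" in the GPO)
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Show first sign-in animation (Disabled)'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation'
            value         = 0
        },
        @{
            # ADMX-backed policy: the value is a SyncML fragment, not a number
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Show Windows Store apps on the taskbar (Disabled)'
            omaUri        = './User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar'
            value         = '<disabled/>'
        }
    )
}

$created = New-MgDeviceManagementDeviceConfiguration -BodyParameter $customProfile
$created | Select-Object Id, DisplayName

# Assign to a small test group first (placeholder object id)
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<test-group-object-id>' } }
    )
}
Invoke-MgGraphRequest -Method POST -Body $assignment `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.Id)/assign"
```

    Mixing a ./Device and a ./User URI in one profile is allowed, but the user-scoped setting only applies when a user is signed in, which is worth remembering when you check the per-setting status on a device.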

    Creating a device configuration profile based on ADMX template.

    Settings catalog (preview)

    Settings catalog lists all the settings you can configure, and all in one place. There are thousands of settings to choose, including settings that haven't been available before. These settings are directly generated from the Windows configuration service providers (CSPs). You can also configure Administrative Templates (ADMX) and have more Administrative Template settings available. As Windows adds or exposes more settings to MDM providers, these settings are added quicker to Microsoft Intune for you to configure.

    Source: Microsoft Docs

    Try out the new settings catalog (preview): I quickly found all three settings from the examples above.


    Group Policy Analytics Report

    As mentioned earlier in this post, I would come back to the setting “Settings Page Visibility/Settings Page Visibility”, which is listed as unsupported, and judging by its name that doesn't seem right.

    So, let's see if the report for Group Policy Analytics can give us any clue on what is going on.
    Go to

    Click on “Reports” and select “Group policy analytics (preview)” from the “Device management” section.

    From the summary page we can see that we have uploaded 1 GPO with 26 settings in total, and 4 settings are not supported.

    Click on “Reports” and click on “Group policy migration readiness”

    From the reports page, we can filter on Migration Readiness, Profile Type and CSP name.
    Once the report is generated, we can choose to export it as a CSV file.


    Select “Not supported” from the migration readiness dropdown menu and click “Generate again”

    And as expected we can see that the setting “Settings Page Visibility/Settings Page Visibility” is listed as “Not supported”

    This is where things get weird, because I was able to find the setting in the settings catalog! If we go back to the previous migration readiness report, we can actually see that each of the four unsupported settings is listed twice (as supported and unsupported), and you won't find that information anywhere else besides in this report.

    So, I will leave that hanging in the unknown – but I would say it's a bug and that's to be expected when still in preview.



    Now you know how to analyze your on-premises GPOs with Group Policy Analytics in Microsoft Endpoint Manager and generate a readiness report. I think it's an awesome tool! Yes, it still needs some work and I would like to see some kind of automation built into it. I've actually heard that they are working on a feature that will be able to create device configuration profiles automatically based on your supported GPO settings. I've tried to sign up for this feature but haven't heard back from them yet.

    That's it folks. Happy testing!

    If you have any questions regarding this topic, feel free to reach out to us.

    Saturday, June 26, 2021

    Assign apps, policies, and profiles with the new filters in Endpoint Manager


    In May Microsoft introduced filters in Endpoint Manager. Until now many have gone with a device-centric approach instead of the user-centric approach one would normally use in Configuration Manager.

    So how can filters help us?

    Filters let you assign policies and apps to users and still control which device type, OS version, hardware model and much more they apply to.

    Why would I use such an approach? Because it makes it much easier for your organisation to swap hardware, as the policies now follow the user and not the device. There is no need to create tons of dynamic Azure AD groups to get the correct policies applied, which has proven to be slow in larger environments. There are many other reasons, but I will stop here as this post is about how to use them actively in your environment.

    In the bottom of this post, I will share the filters that I use. I will put more into this post as I discover more use cases and the need of filter rules.


    Feedback goes into this link:


    Are you afraid to use preview features in a production environment?

    Don't be: public previews are fully supported by Microsoft.

    Public preview overview in Microsoft Intune - Azure | Microsoft Docs



    • Microsoft Endpoint Manager


    Filters work on the following platforms:



    To see which policies and app types are supported, see:
    Platforms and policy types supported by filters in Microsoft Intune - Azure | Microsoft Docs


    Enable Filters (Preview)

    Sign into Endpoint Manager as an Intune Administrator.

    Press Tenant administration



    Choose Filters (preview)



    Click the red text



    Turn on the Filters (preview) and press ok.



    Three ways to get to filter creation

    Sign into Endpoint Manager

    Tenant administration -> Filters (preview)



    Devices -> Filters (preview)



    Apps -> Filters (preview)



    Let’s create a filter

    Sign into Endpoint Manager




    Press create



    Give it a filter name

    Give it a description

    And finally choose the platform the filter applies to. (It is important to choose the correct platform, because the filter will only be available for that platform when we assign it in a minute.)



    For this filter we use the osVersion property with the -startsWith operator and the value 10.0.18363 (Windows 10 version 1909):



    Click Create



    Use filter on assignment

    Sign into Endpoint Manager





    Choose one of your configuration profiles








    Edit Filter



    Choose whether you want to include or exclude the filter applied.

    Note: you can only choose one filter per assignment.

    Press select



    Press Review + save



    Now keep an eye on your devices and see how the filter works



    This means the filter matches the device OS level and will therefore apply as it is in “Include” mode.
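    The same two steps, creating the filter and attaching it to an assignment in include mode, done through Microsoft Graph instead of the portal. This is an added example and not part of the original post. Assignment filters are only exposed in the beta endpoint, so the calls use Invoke-MgGraphRequest against beta; the filter name, the configuration profile id and the group id are placeholders, while the rule and platform are the ones used above.

```powershell
# Added example (not from the original post): create the osVersion filter and use it on
# a device configuration profile assignment, then read the assignment back to confirm.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# 1. Create the filter. The platform must match the profile type it will be used on.
$filterBody = @{
    displayName = 'Windows 10 1909 devices'                        # my own name
    description = 'osVersion starts with 10.0.18363'
    platform    = 'windows10AndLater'
    rule        = '(device.osVersion -startsWith "10.0.18363")'    # rule from the post
}
$filter = Invoke-MgGraphRequest -Method POST -Body $filterBody `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/assignmentFilters'

# 2. Assign a configuration profile to a user group, narrowed by the filter.
#    Only one filter can be attached per assignment target; 'include' or 'exclude'.
$profileId = '<device-configuration-id>'   # placeholder
$groupId   = '<user-group-object-id>'      # placeholder
$assignBody = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId = $groupId
                deviceAndAppManagementAssignmentFilterId   = $filter.id
                deviceAndAppManagementAssignmentFilterType = 'include'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Body $assignBody `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$profileId/assign"

# 3. Read the assignments back: the target should show the filter id and type
(Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$profileId/assignments").value |
    ForEach-Object { $_.target }
```

    Keep in mind that the assign action replaces the profile's whole assignment list, so include every existing target in the body, not just the new one.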



    Filters that I use in my environment

    What the device properties are:

    Supported filter device properties and operators in Microsoft Intune - Azure | Microsoft Docs


    Windows 10



    (device.osVersion -startsWith "10.0.17763")

    Filter on all your 1809 windows versions

    (device.osVersion -startsWith "10.0.18363")

    Filter on all your 1909 windows versions

    (device.osVersion -startsWith "10.0.19041")

    Filter on all your 20H1 windows versions

    (device.osVersion -startsWith "10.0.19042")

    Filter on all your 20H2 windows versions

    (device.osVersion -startsWith "10.0.19043")

    Filter on all your 21H1 windows versions

    (device.operatingSystemSKU -ne "Holographic") and (device.operatingSystemSKU -eq "Enterprise")

    Use this if you have HoloLens devices in your environment that users log on to, and you do not want the assignment to apply to that platform.

    See all SKUs in the link above.

    (device.manufacturer -eq "Lenovo")

    You only need to include or exclude device manufacturer Lenovo

    (device.manufacturer -eq "Microsoft")

    You only need to include or exclude device manufacturer Microsoft

    (device.manufacturer -in ["HP", "Hewlett-Packard"])

    You only need to include or exclude device manufacturer HP

    (device.manufacturer -eq "Dell")

    You only need to include or exclude device manufacturer Dell

    (device.model -in ["Latitude 5540", "Latitude 5550"])

    Specific models to include or exclude

    (device.enrollmentProfileName -startsWith "AutoPilot")

    If you need policies to apply to devices enrolled with a specific Autopilot profile name




    (device.deviceOwnership -eq "Personal")

    Include or exclude only personal devices

    (device.deviceOwnership -eq "Corporate")

    Include or exclude only corporate devices

    (device.deviceOwnership -eq "Unknown")

    Include or exclude only Unknown devices

    (device.enrollmentProfileName -eq "iPad shared devices")

    If you need policies to apply to devices enrolled with a specific profile name


    I currently do not have any Macs where I need filters, and the same goes for Android devices.


    If you have conflicting assignments for the same policy, see:

    Filter reports and troubleshooting in Microsoft Intune - Azure | Microsoft Docs


    I hope this post helped clarify what filters can be used for and how to take a user-centric approach in your organization.

    Happy testing!


    Create filters in Microsoft Intune - Azure | Microsoft Docs

    Supported filter device properties and operators in Microsoft Intune - Azure | Microsoft Docs

    Platforms and policy types supported by filters in Microsoft Intune - Azure | Microsoft Docs

    Filter reports and troubleshooting in Microsoft Intune - Azure | Microsoft Docs