
Friday, August 21, 2020

Modern Roaming Profile - Enterprise State Roaming (ESR) + UE-V


Introduction

Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility + Security (EMS) license.

It enables users to sync user and application settings across devices. It is an upgraded version of what you probably know as roaming profiles, but with no on-premises server involved.

What if we could have an environment where device replacement would have much less impact on users?

Read along!

 

Prerequisites

  • Azure Active Directory Premium subscription.
  • Windows Creators Update (Build 15063) or above
  • Windows 10 computers must be Azure AD joined or hybrid Azure AD joined.

 

How to enable ESR in your Azure tenant

https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-enable#to-enable-enterprise-state-roaming

 

How to enable ESR on the clients

Easy: it applies automatically to the user once the setting in Azure has been enabled.

If you are in a hybrid environment, my colleague Lars Lohmann has created a thorough guide on how to do it:

https://blog.mindcore.dk/2019/01/enterprise-state-roaming.html

 

How to disable ESR on specific clients using Intune

Sometimes we have different needs, and because ESR is enabled per user, it will be enabled on every Azure AD joined device that user signs in to. If you have groups of devices where this setting should not apply, simply create a policy that disables it at device level.

https://endpoint.microsoft.com/

Devices -> Windows -> Configuration profiles -> Create Profile -> Windows 10 and later -> Custom


- Name: ESR Sync Disable

- Description: Enable Enterprise State Roaming

- OMA-URI: ./VENDOR/MSFT/POLICY/CONFIG/EXPERIENCE/ALLOWSYNCMYSETTINGS

- Data type: Integer

- Value: 0

Hit “Add” and then Next.


Assign it to a test group

Press Select -> Next -> Create

 

What is synced by Enterprise State Roaming?

https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference#windows-settings-details

https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-faqs


 

How to make a nice device platform with UE-V

A lot of businesses are still running legacy applications, and the benefit of moving towards MSIX has not been big enough to make it happen. Also, not all apps can be packaged as MSIX, as it has limitations. If you would like a desktop roaming solution for items other than those covered in the matrix above, you must use UE-V and add the settings you want to roam. Let us have a look at how to do that.

Instead of writing a post on how to do UE-V: Aaron Parker (follow this guy, he is brilliant) has already written an extensive post on how to set it up and how to deal with having no on-prem servers.

https://stealthpuppy.com/user-experience-virtualzation-intune/

 

UE-V Templates ready to download

https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V

 

Custom UE-V templates to fit your needs

https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications

 

Known Issues

There are always known errors, and I am not going to rewrite what Microsoft has already done well. There are known issues on different versions of Windows, and some settings do not work. I recommend you check it out before ripping out your hair in frustration if you see any trouble in your environment.

https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting#known-issues

Summary

To ensure data roaming across devices in a modern world where on-prem servers are not present, we can build a nice environment by combining three technologies:

  • Enterprise State Roaming
  • User Experience Virtualization
  • OneDrive

This makes it easier for the user to obtain a new device when the current one is broken or just old and needs to be upgraded.

Wednesday, August 19, 2020

Microsoft Endpoint Analytics – Proactive remediations

Introduction

Proactive remediations in Endpoint analytics help your organization fix common issues automatically. Things you know are broken or keep recurring can be automated, and your helpdesk and admins will save time. It can also be used for monitoring your environment, and in this blog post I will show you how to monitor whether your Windows clients are licensed. This can save you some time when a Microsoft audit comes around.

 

Prerequisites

https://docs.microsoft.com/en-us/mem/analytics/proactive-remediations#bkmk_prereq

 

Licensing

https://docs.microsoft.com/en-us/mem/analytics/proactive-remediations#licensing

 

Permissions

https://docs.microsoft.com/en-us/mem/analytics/proactive-remediations#permissions

 

Example: how to monitor that Windows is activated

Go to https://endpoint.microsoft.com/

Reports -> Endpoint analytics (Preview) -> Proactive remediations

Create Script Package

Add a name and description that document the package itself.

Add script

Can be downloaded from here

If you wonder where the values came from, check out this site

 

Leave out the remediation script unless you want to activate devices that turn out not to be licensed.

 


Assign a group to apply remediation to

 

I use a test group to start with, where the only member is myself.

 


Create

Now sit back and relax. Over the next 24 hours you will see information coming in from the script.
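As an added example (not the script linked from the post), here is a detection script of the kind a proactive remediation package uses for this check. It reads the license state of the installed Windows edition from the SoftwareLicensingProduct WMI class (the same data slmgr reports) and signals compliance through the exit code, with the details written to output so they show up in the detection output column of the report. The well-known Windows SPP application ID used in the filter is a public constant, not something from the post.

```powershell
# Added example detection script for an Endpoint analytics proactive remediation.
# Contract for detection scripts: exit 0 = compliant (no remediation needed),
# exit 1 = issue found. Output written here appears in the report's detection output column.

# LicenseStatus values of the SoftwareLicensingProduct class (same numbering slmgr /dlv shows).
$LicenseStatusText = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'OOBGrace'          # initial grace period
    3 = 'OOTGrace'          # additional grace period, typically KMS
    4 = 'NonGenuineGrace'
    5 = 'Notification'
    6 = 'ExtendedGrace'
}

# Well-known SPP application ID for the Windows operating system; filtering on it keeps
# Office and other SPP-licensed products out of the result.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

try {
    # Only the entry with a partial product key is the edition actually installed and in use.
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct -ErrorAction Stop |
        Where-Object { $_.ApplicationID -eq $WindowsAppId -and $_.PartialProductKey } |
        Select-Object -First 1

    if (-not $product) {
        Write-Output 'No Windows license entry with a product key was found'
        exit 1
    }

    $status = $LicenseStatusText[[int]$product.LicenseStatus]
    if (-not $status) { $status = "Unknown ($($product.LicenseStatus))" }

    # One line per device in the report: edition, channel, status and remaining grace (minutes).
    Write-Output ('{0}; {1}; Status={2}; GraceRemainingMinutes={3}' -f `
        $product.Name, $product.LicenseFamily, $status, $product.GracePeriodRemaining)

    if ($product.LicenseStatus -eq 1) { exit 0 } else { exit 1 }
}
catch {
    # A failure to query licensing is itself worth flagging rather than silently passing.
    Write-Output "Detection failed: $($_.Exception.Message)"
    exit 1
}
```

Run it in the system context (the default for script packages); devices in any grace or notification state are flagged in the report without being touched, since no remediation script is attached.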

 

Other script resources ready to copy and paste to your environment

https://docs.microsoft.com/en-us/mem/analytics/powershell-scripts

Summary

Proactive remediations in Endpoint analytics can be used for reporting, not only for fixing broken stuff.

Happy testing!

Monday, August 10, 2020

Microsoft 365 Apps modern management, get rid of nag screens

How often have you clicked through numerous screens when starting the local Office package? I know I have done my fair share, and I am done with it.

 

As we move into the cloud with more and more services, we also get new tools that give us control across our devices. Microsoft 365 Apps lets us work anywhere with online access, and with a local copy at home. We need tools that deliver policies to all locations, not only at work.

Work is not a place.

 

If you, like me, do not like prompts, tips or other “helpful” popups while using Office 365 on a new device, then read along.

In this guide I will use three techniques. I could easily put everything in a PowerShell script, but I prefer to use the tools Microsoft gives us.

 

1. https://config.office.com/

2. Administrative Templates (Intune)

3. PowerShell script

 

Prompts we are removing: (some pictures in Danish)

OK, so I have seen these prompts a ton of times, and I just want to use Office without having to click through a million prompts.

First, set default policies at https://config.office.com/, as there we can define a baseline that targets all accounts authenticating to Microsoft 365 Apps.

 

Go to https://config.office.com/

Log on as an administrator


Give it a default name


Click Assignments


Choose “this policy configuration applies to users”

(I create a test group before applying to all users. You might do the same.)

Target your Azure AD group


Configure Policies

Search for these policies and set them to “Enabled”.


Hit Create

First step done. These settings apply from the cloud on every device where you use your Office 365 account. Pretty neat!

 

Next, we want to remove the tips that Microsoft gives us. I have not come across a GPO for this, so here we need a PowerShell script. I have already written one, so you can have mine.

https://github.com/mindcoredk/Public/blob/master/RemoveBalloons.ps1

Save the script to your device as we need to upload it to Intune.

 

Go to https://endpoint.microsoft.com

Devices -> Windows -> PowerShell Scripts -> Add

Build a standard structure that documents itself.

Upload the script and select “Run this script using the logged-on credentials”.


Assign it by selecting a group

Again, I start with a test group before rolling out new stuff to everyone.


Add it

OK, so we are pretty much ready for a silent start of every product in Microsoft 365 Apps for business.

 

The last thing to set up is Outlook automatically configuring your profile based on the primary SMTP address.

Go to https://endpoint.microsoft.com

Devices -> Windows -> Configuration profiles -> Create Profile

Use naming standards that make it easy to get an overview of your settings when debugging or reviewing them later.


Enable “Automatically configure only the first profile based on ac….”


Assign it to your test group


Create


Happy testing!

Friday, August 7, 2020

How to activate app lock on Microsoft Authenticator app

The Microsoft Authenticator app has been around for a long time, originally released as a beta in 2016. It has served us well with easier and safer access to our resources using Microsoft accounts as well as Azure AD accounts. By using the app, we can do two-factor authentication without needing email or text code verification. Just hit the approve button when asked (if you know it is you it is prompting for, of course).

Now you can also use the app for passwordless sign-in (no big news there), which makes life much easier and more secure for users and, not least, for security.

This blog post is not intended to go into how to configure or use the app, but to inform about an upcoming feature change. The Microsoft Authenticator app has had an app lock for a long time, but it was set to “off”, which meant you had to enable the setting manually on every device using the app. In these days where users must do more and more themselves, it is not easy to make sure they remember to turn on the app lock.

We have scenarios on mobile devices. I will give two examples:

Bring your own device (BYOD) and company-owned device (COD). (I am not going to explain what they are in this blog post.)

So, what is all the fuss about? Let us have an example:

If you have a family, there are times when the kids just need to cool off and you let them sit with your phone. It would be terribly bad if someone with bad intentions were trying to break into your account while the kids were playing, as they just tap whatever blocks their view of the current activity. That would give the intruder access to your account, and there you have it.

With this app lock you get an extra layer of security, not just the PIN / biometrics of your phone.

So, what do we do about it?

Download the newest version of the Microsoft Authenticator app, 6.4.22 or later (pictures in Danish).

My current version of Microsoft Authenticator


App lock NOT enabled.

Go to the app store and update if your apps are not set to update automatically.

After updating, a message pops up saying your app lock is now activated!

We confirm that we have the correct version installed.

Perfect. App lock is activated by default, and that is the big news!

Intune cannot set this app lock, so it is either the manual way or updating to the newest version.