
Monday, June 24, 2019

Edge Insider and group policy support

I have been using the Edge Insider (Chromium) for a while, and I am impressed.

You can find the download here, and not only for Windows 10 as shown here:


We now also have a preview of an admx file (Policy settings).

You can find the preview here

The admx file is attached as a zip file:


The current Edge policies in your GPOs are not used with the Insider versions:


After downloading and unpacking the zip file, you will see msedge.admx and the accompanying adml file:


After copying the admx and adml files to your central store, you will get the new Edge policies:



After adding some policies, you will be able to see the active policies by using the address edge://policy/ (just like Google Chrome).


If you add a new policy the page will auto update and show the change, very nice.

For now I am missing support for Enterprise mode, but it should be added later.

So far Edge based on Chromium is very promising; it could very well be the preferred enterprise browser in the future.

Tuesday, June 18, 2019

SSPR and only allow registration of security information from trusted location

At our last Mindcore Tech event, we took a closer look at Self-service Password reset in Azure AD.

One question we did not have time to pursue was how to allow security information to be entered only from a trusted location.

We have SSPR set up, and users are required to set up security information at first logon, as explained here:

In this test we will only allow entering security information from our company IP address.

First we create a new user to use for this test (blockuser).


Blockuser will be added to the AD group pwdresetgrp, the group we used in the previous post about SSPR. We will also use this group for the Conditional Access policy.


Next step is to create a new Conditional Access Policy in Azure AD.


Name the policy and in Users and groups select the group pwdresetgrp to be included in this policy.


In Cloud apps or actions select user actions and Register security information.


In Conditions select locations and include Any location.


We will exclude our Company IP address (Mindcore location) and trusted MFA IPs.


Select to block access.


Then enable the policy and create.


In this example the location Mindcore is created as an IP address range.
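
The policy built in the portal steps above, expressed as a Microsoft Graph request body. This is an added example, not part of the original post. The group and location IDs are placeholders, and `AllTrusted` (every location marked as trusted) is used here as an assumption in place of the portal's separate MFA trusted IPs entry.

```powershell
# Added example: the Conditional Access policy from the steps above as a
# Microsoft Graph request body. Both IDs below are placeholders.
$groupId    = '<object-id-of-pwdresetgrp>'
$locationId = '<id-of-named-location-Mindcore>'

function New-RegistrationBlockPolicy {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$TrustedLocationId,
        # 'enabledForReportingButNotEnforced' records the outcome in the
        # sign-in logs without blocking, which is useful before enforcing
        [ValidateSet('enabled', 'disabled', 'enabledForReportingButNotEnforced')]
        [string]$State = 'enabled'
    )
    @{
        displayName   = 'Block security info registration outside trusted locations'
        state         = $State
        conditions    = @{
            users        = @{ includeGroups = @($GroupId) }
            # The "Register security information" user action
            applications = @{ includeUserActions = @('urn:user:registersecurityinfo') }
            locations    = @{
                includeLocations = @('All')   # "Any location"
                # Excluded locations are the only places registration is allowed
                excludeLocations = @($TrustedLocationId, 'AllTrusted')
            }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

$policy = New-RegistrationBlockPolicy -GroupId $groupId -TrustedLocationId $locationId
$policy | ConvertTo-Json -Depth 6

# To create the policy in a tenant (Microsoft Graph PowerShell SDK required):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
# New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Because the grant control is a block, the policy applies everywhere except the excluded locations, so a mistake in the named location's IP range locks the whole group out of registration.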


Now let's try from an unknown IP address and do a first-time login with the user blockuser.




We will still see the More information required prompt.


But since this is an untrusted location we will get You cannot access this right now.


Changing location to a secure location (Mindcore IP address), we will see this instead:


Mindcore Tech

Friday, June 14, 2019

Mindcore Tech and SSPR follow-up

Yesterday at our Mindcore Tech meeting, one of our test scenarios did not work as expected.

We did not get the reset password option on the Windows 10 insider build.

The reason was “just” some missing configuration in the lab we built during the meeting.

In order to use SSPR from the Windows 10 login page, the computer must be Azure AD joined or Hybrid Azure AD joined, and our test computer was neither.


No SCP (service connection point) was created, and the computer was in an OU that was not synchronized by Azure AD Connect.
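
The join requirement described above can be checked on a client from the output of `dsregcmd /status`. The following is an added example, not part of the original post; the function name is hypothetical and the sample output is constructed.

```powershell
# Added example: decide from `dsregcmd /status` output whether a device meets
# the join requirement for SSPR at the Windows 10 sign-in screen.
function Get-JoinState {
    param([string[]]$StatusLines)

    # dsregcmd prints "Name : VALUE" pairs; collect them in a lookup table
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    $state = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
             elseif ($aad)          { 'Azure AD joined' }
             elseif ($domain)       { 'Domain joined only' }
             else                   { 'Not joined' }

    [pscustomobject]@{
        JoinState      = $state
        # Both supported states report AzureAdJoined : YES
        MeetsSsprLogin = $aad
    }
}

# Constructed sample: a domain-joined machine before hybrid join has completed
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample

# On a real client, pass the live output instead:
# Get-JoinState -StatusLines (dsregcmd /status)
```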

So first I moved the computer to the correct OU and set up the SCP as shown here:







SCP in AD:


After some time the status on the client changed:


And the required certificates get inserted in the local computer certificate store:


And just like magic



Thanks to all of you who joined the Mindcore Tech meeting, and see you all next time.

Thursday, May 23, 2019

Connect Microsoft Store for Business with Intune

This time let’s try to connect Store for Business with Intune and deploy the Company Portal to all users.

The first thing to do is to register Store for Business, so sign in using the same tenant account you use to sign in to Intune.

Microsoft Store for Business - Sign in

Select Manage:

Microsoft Store for Business - Manage

Click Settings – Distribute and under Management tools activate Microsoft Intune:

Microsoft Store for Business - Settings

Search for the company portal.

Microsoft Store for Business - Company Portal

Select the Company Portal:

Microsoft Store for Business - Shop for my group

Click Get the app (please note that this test has been done on the current insider build and at the time of writing there are known problems with 1903).

Microsoft Store for Business - Get the app Online


Microsoft Store for Business - Purchased

Now go to Intune management portal – Client apps – Microsoft Store for Business and Enable sync – remember to Save your settings.

Intune and Microsoft Store for Business- Enable

Now Sync the apps.

Intune and Microsoft Store for Business- Sync

Synchronization will start.

Intune and Microsoft Store for Business- Starting Sync

And the status changes to Active.

Intune and Microsoft Store for Business- Active

After synchronization, you will see your applications from Store for Business in Apps, click on the Company Portal App:

Client apps - Microsoft 365 Device Management

Click Assignments and Add group.

Intune - Assignments

In this test the Company Portal will be installed for all users, so change Assignment type to Required and select Included Groups.

Intune - Required

Select Yes for Make this app required for all users, click OK, and remember to save your changes.

Intune - Add Group

And finally, the result on an Intune/Autopilot enrolled Windows 10 device.

Intune - Windows 10 Start menu and Company Portal