Edge Insider and group policy support

I have been using the Edge Insider (Chromium), for awhile and I am impressed.

You can find the download here https://www.microsoftedgeinsider.com/en-us/download/, and not only for Windows 10 as shown here:

We now also have a preview of an admx file (Policy settings).

You can find the preview here https://techcommunity.microsoft.com/t5/Discussions/Early-preview-of-Microsoft-Edge-group-policies/m-p/693929/thread-id/5164

The admx file is attached as a zip file:

The current Edge policies in your GPO’s are not used with the insider versions:

After downloading and unpacking the zip file you will see msedge.admx and belonging adml file:

Copying admx and adml file to your central store, you will get new Edge policies:

After adding some policies you will be able to see the active policies by using the address edge://policy/ (just like Google Chrome )

If you add a new policy the page will auto update and show the change, very nice.

For now I am missing support for Enterprise mode, but it should be added later.

So far Edge based on Chromium is very promising, it could very well be the preferred enterprise browser in the future.

SSPR and only allow registration of security information from trusted location

At our last Mindcore Tech event, we took a closer look at Self-service Password reset in Azure AD.

One question we did not have the time to pursue, was how to only allow entering security information from a trusted location.

We have SSPR setup and users are required to setup security information at first logon as explained here:

https://blog.mindcore.dk/2019/03/azure-active-directory-azure-ad-self.html

In this test we will only allow entering security information from our company IP address.

First we create a new user to use for this test (blockuser).

Blockuser will be added to the AD group pwdresetgrp, because this is the group we used in the previous post about SSPR, we will also use this group for the conditional access policy.

Next step is to create a new Conditional Access Policy in Azure AD.

Name the policy and in Users and groups select the group pwdresetgrp to be included in this policy.

In Cloud apps or actions select user actions and Register security information.

In Conditions select locations and include Any location.

We will exclude our Company IP address (Mindcore location) and trusted MFA IPs.

Select to block access.

Then enable the policy and create.

In this example the location Mindcore is created as an IP address range.

Now let try from an unknown IP address and do a first time login with the user blockuser.

Password.

We will still see the More information required.

But since this is an untrusted location we will get You cannot access this right now.

Changing location to a secure location (Mindcore IP address), we will see this instead:

Mindcore Tech https://www.linkedin.com/groups/12247201/

Mindcore Tech and SSPR follow-up

Yesterday at our Mindcore Tech meeting, one of our test sceneries did not work as expected.

We did not get the reset password option on the Windows 10 insider build.

https://blog.mindcore.dk/2019/03/azure-ad-password-reset-on-login-screen.html

The reason behind was “just” some missing configuration in the lab we build during the meeting

In order to use  SSPR from the Windows 10 login page the computer must be Azure AD joined or Hybrid Azure AD joined, and our test computer was neither.

No SCP (service connection point) was created and the computer was in an OU not getting synchronized by Azure AD connect.

So first I moved the computer to the correct OU and setup SCP as shown here:

SCP in AD:

After some time status on the client changed:

And the required certificates gets inserted in the local computer certificate store:

And just like magic

Thanks  to all of you joining the Mindcore Tech meeting, and see you all next time

Connect Microsoft Store for Business with Intune

This time let’s try to connect Store for Business with Intune and deploy the Company Portal to all users.

First thing to do is to register Store for Business, so sign in to https://businessstore.microsoft.com using the same tenant account you use to sign into Intune.

Select Manage:

Click Settings – Distribute and under Management tools activate Microsoft Intune:

Search for the company portal.

Select the Company Portal:

Click Get the app (please note that this test has been done on the current insider build and at the time of writing there are known problems with 1903).

Close.

Now go to Intune management portal – Client apps – Microsoft Store for Business and Enable sync – remember to Save your settings.

Now Sync the apps.

Synchronization will start.

And status change to Active.

After synchronization, you will see your applications from Store for Business in Apps, click on the Company Portal App:

Click Assignments and Add group.

In this test the Company Portal will be installed for all users, so change Assignment type to Required and select Included Groups.

Select Yes to Make this app required for all users and OK and remember to save your changes.

And finally the result on an Intune/autopilot enrolled Windows 10 device.