How secure is Windows Intune? Keep calm and reassure your cloud security manager!


Perhaps you have noticed it yourself: customers are asking more and more often how secure the Microsoft cloud services (Microsoft Azure, Office 365 and Windows Intune) actually are. Valid questions like “What corporate data is stored, and where? How is my corporate data protected in Microsoft datacenters? What security controls are in place, and what about backup, disaster recovery and data retention policies? Do I have control over what data is synced to the cloud?” And the list goes on…

By informing customers and providing them with guidelines and best practices, it becomes clearer what the impact of using Microsoft cloud services is for their organizations. This removes possible restraints (justified or not), increases confidence in the cloud service as a platform and accelerates its adoption.

This post might help you get a better understanding of the terms and conditions under which Microsoft cloud services are operated, and enable you to inform your cloud security officer!

Troubleshooting: Configure Federation for Windows Intune

During a Windows Intune proof of concept (PoC) I was facing some issues configuring federation in order to enable Single Sign-On (SSO).

Proxy Authentication

When configuring federation we couldn’t convert the default domain to a federated domain type. By using the -Verbose and -Debug parameters of the Convert-MsolDomainToFederated cmdlet the root cause became clear: proxy authentication was required, and therefore we couldn’t convert the domain. One down, two to go!


Windows Intune User Provisioning: Having a closer look

At the moment there are several scenarios for managing and provisioning users to Windows Intune in order to enable Enterprise Mobility Management (EMM), or simply put, managing your mobile devices. As the process of provisioning users to Windows Intune in combination with Configuration Manager 2012 R2 is not always clear, I’ll provide some insights and tips on where and how to troubleshoot.


As mentioned, in this post I’ll focus on a hybrid scenario using Configuration Manager 2012 R2, Windows Intune and on-premises Active Directory, where Azure Active Directory Sync (aka DirSync) is used to synchronize on-premises users to Windows Intune (Azure Active Directory).

Process overview: Windows Intune user provisioning

  1. John Doe is created in (on-premises) Active Directory
  2. John Doe is synchronized by Azure Active Directory Sync to (off-premises) Azure Active Directory
  3. John Doe is discovered by Configuration Manager 2012 R2
  4. John Doe is added to the Windows Intune collection in Configuration Manager 2012 R2
  5. John Doe is synchronized by the Windows Intune Connector
  6. John Doe is enabled as a Windows Intune user


Keep your Service Manager CMDB in accurate shape!

One of the big advantages of using Service Manager as your Configuration Management Database (CMDB) is the connector framework. With the connector framework you can establish out-of-the-box connections to your infrastructure (Active Directory) and to System Center components like Configuration Manager, Operations Manager and Virtual Machine Manager. This lets you easily gather and centrally store all relevant information in a single place, which forms the basis for your IT Service Management (ITSM) processes.

One of the major challenges of a CMDB is keeping the information it contains up to date and accurate. Here too the connector framework plays an important role, by (automatically) updating Configuration Items (CIs) from the different sources it is connected to.

A while ago Travis Wright (who else…) wrote a blog post about what happens to CIs in the CMDB when they are deleted from Active Directory, and about which permissions are required by the run-as account used for the AD connector.

In this post I’ll walk through how to configure and set the proper rights for the run-as account used by the AD connector.

Deploy Active Directory Federation Services (AD FS) 3.0 in a pre-Windows Server 2012 R2 era

As you probably know, a prerequisite for implementing Active Directory Federation Services (AD FS) based on Windows Server 2012 R2 is having at least one Windows Server 2012 R2 domain controller available in your infrastructure.


This is in order to benefit from Group Managed Service Accounts (gMSA, generated and maintained by the Key Distribution Service (KDS) on at least Windows Server 2012 domain controllers). The same applies to the Device Registration Service (DRS), aka Workplace Join, which is responsible for the activation and enrolment of managed devices and is represented by a new schema class in Active Directory Domain Services (AD DS).

Microsoft Azure Infographics

I found some great Microsoft (Windows) Azure posters. These technical posters and infographics are excellent resources for understanding, learning and training purposes. Zoom into the details, download, or print them. Most of these posters, and all future posters, link to deeper technical content through the mobile tags for a more complete set of information.


The set of Microsoft Azure posters (9 in total) can be downloaded here.
