More control on Windows-as-a-Service with Microsoft Intune Feature Update Deployments

On By Ronny de JongIn Configuration Manager, Intune, Microsoft Intune, Modern Management, Windows 10, Windows Update for BusinessLeave a comment

With the introduction of Feature Update Deployments, IT-administrators get more control over how Windows 10 feature updates are installed via Windows Update for Business. With Feature Update Deployments, they have the ability to choose a given feature update (e.g. 1803, 1809, or 1903) and stay there indefinitely*. It provides more granular and predictable control the way feature updates find their way to devices across your organization.

With Windows 10 feature updates, you select the Windows feature version that you want devices to remain at.

Continue reading “More control on Windows-as-a-Service with Microsoft Intune Feature Update Deployments”

Revise your OneDrive (Sync) restrictions when shifting to a Modern Workplace!

On By Ronny de JongIn Azure Active Directory, Azure AD, Microsoft Intune, Modern Management, Office 365, Windows 10Leave a comment
OneDrive client is unable to sync your folders.

What is a modern workplace these days without having your personal- or group data synced to OneDrive and taking the full advantage Microsoft’s cloud storage has to offer!? One of the most asked feature is silently configuring your OneDrive client to automatically synchronize your (personal) data.

Silent configuration

Over time the silent configuration of OneDrive for Business has been improved. In the early days we were designated using semi-automatic methods using registry keys and scripts by Per Larsen, old school group policies, or by custom OMA-URI policies to do the magic. Nowadays OneDrive can easily be configured using Administrative Templates (31 settings) via Microsoft Intune. (almost the same as GPO but wrapped in a modern UI called Microsoft Intune 😉)

SETTING NAME Prevent users from redirecting their Windows known folders to their PC Silently move Windows known folders to OneDrive Silently sign in users to the OneDrive sync client with their Windows cred.. STATE Enabled Enabled Enabled Device Device Device \OneDrive \OneDrive \OneDrive
OneDrive for Business client configuration using Microsoft Intune Administrative Templates.

Modern Workplace

Last week I was preparing a modern workplace demo fully automated and managed by cloud. This puts Windows Autopilot on the menu including automatic enrollment & management, encryption, policies, software deployment and…silently configuration of OneDrive for Business client.

Challenge

But what if silent configuration isn’t working as expected? This might become challenging where traditional and modern workplace comes together, you can end up in a situation where they do not fit. This will be the case when you’re preventing managed computers to sync OneDrive which are joined to a specific (Active Directory) domain(s).

It’s a no-brainer to opt-in for automatically (silently) configure the OneDrive for Business client. But in this case the OneDrive for Business client configuration was far from silent if you asked me! We ran into a challenge where OneDrive for Business client won’t be configured silently. Even when we tried to configure OneDrive sync manually, we didn’t succeed and ran into the following error “Sorry, OneDrive can’t add your folder right now“. So I reached out and contacted support 😉

OneDrive is restricted from syncing to only specified AD domains only.

Root cause

After some research I came across a blog of Chen Tian Ge who used Fiddler to take down a similar scenario. So after installed Fiddler myself, it was clear to me what caused the problem. I had found the undisputed proof. The reason for the failure is the fact the customer had implemented OneDrive sync client restrictions by using (AD) domain GUID. The modern workplace of course, did not meet the domain GUIDs requirement because it belongs to an Azure AD domain instead of AD joined domain.

Reproducing the root cause using sync restrictions based on (AD) domain GUID’s.

Restrict OneDrive syncing to specific domains

This feature works fine for computers which are joined to an Active Directory (AD) domain, but causes challenges when shifting to a modern workplace joined to Azure Active Directory (Azure AD).

OneDrive Home Sharing Sync Storage Device access Compliance Notifications Data migration Sync Use these settings to control syncing of files in OneDrive and SharePoint. Download the sync client Fix sync problems Show the Sync button on the OneDrive website Allow syncing only on PCs joined to specific domains Enter each domain as a GUID on a new line. cd004ec9-8i7d-3rc6-8wd7-d3vintfe50si1e -B2df-cd3a2e 134a09 Block sync on Mac OS Block syncing of specific file types
Restrict OneDrive from syncing to specific (AD) domains.

Conditional Access

The underlying reason for implementing these controls is to make sure companies remain control of where your corporate data is going through. Lastly, preventing from ending up at unmanaged or non-compliant devices. Allow syncing only on computers joined to specific domains works for AD joined devices but doesn’t fit for a (native) modern workplace which is Azure AD Joined.

New e Info Name Assignments Users and groups C) All users Cloud apps or actions O 1 app included Conditions 4 conditions selected Access controls Grant O 3 controls selected Session i O controls selected Enable policy X Cloud apps or actions Select what this policy applies to x Cloud apps Include O None Exclude > O All cloud apps @ Select apps Select Office 365 SharePoint Online Office 365 SharePoint On... . Selecting SharePoint Online will also affect apps such as Microsoft Teams, Planner, Delve, MyAnalytics, and Newsfeed _
Azure AD Conditional Access provides tailored controls to address your corporate needs.

Azure AD Conditional Access control capabilities in Azure AD offer simple ways for you to secure resources in the cloud. The OneDrive for Business client works with the Conditional Access control policies to ensure syncing is only done with managed and/or compliant devices. For example, you might require sync to be available only on domain-joined devices or devices that meet compliance as defined by Microsoft Intune.

Alongside Conditional Access, Microsoft Cloud App Security (MCAS) can be used to implement complementary data leak prevention (DLP) policies to make sure you stay in control no matter where your corporate data goes. 

Get out of the old, get in with the new

Shifting from a traditional to a modern workplace isn’t just a matter of migrating the current, but a real transformation. Controls which worked well for many years in a traditional environment are often outdated by modern solution(s) that often work better and meet the revised needs/standards according a modern workplace.

Happy & safe syncing!

Sources

Microsoft keeps its Password-less promise and ships native FIDO2 support to Azure AD & Windows 10

On By Ronny de JongIn Azure Active Directory, Azure AD, Enterprise Mobility, Identity, Microsoft Intune, Modern Management, Password-less, Windows 10, Windows Hello for Business13 Comments

Microsoft continues to deliver it’s password-less promise and introduces native FIDO2-based authentication to Windows 10 & Azure AD.

“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

Bill Gates, RSA 2004

Continue reading “Microsoft keeps its Password-less promise and ships native FIDO2 support to Azure AD & Windows 10”

Together, we achieve more. Great achievements in a Microsoft Modern Workplace era

On By Ronny de JongIn America, EventsLeave a comment

Exiting times! Needless to say I’m proud and humble rewarded for the 5th consecutive year as a Microsoft MVP (EnterpriseMobility).

It’s a great honorand pleasure to be able to make a modest contribution for the Microsoft community and help others by inspiring and sharing your experiences. As mentioned, this is such a great way to help others getting them further.

Continue reading “Together, we achieve more. Great achievements in a Microsoft Modern Workplace era”

Microsoft Defender ATP’s diary: From a SecAdmin’s Perspective

On By Ronny de JongIn Andriod, iOS, Microsoft Intune, Security, Windows 101 Comment

This blog post is an introduction of a series of blogs to cover the game changing risk-based approach Microsoft Defender ATP offers to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.

As mentioned in “The evolution of Microsoft Threat Protection” by Debraj Ghosh, PM of Microsoft Threat Protection, security comes
in general with two responsibilities: 1) Security Operations (SecOps) and 2) Security Administrations (SecAdmins).

SecOps act by incident response via a centralized alert view and powerful hunting capabilities enabling ad-hoc investigations.

SecAdmins will gain the visibility, control, and guidance necessary to understand and act on the threats currently impacting their organization, as well as information on past and future threats.

In this series of blogs I will focus exclusively on the responsibility of a SecAdmin and all aspects that Microsoft Defender ATP has to offer in regards. Therefore we kick off this serie starting with Configuration Management and Threat & Vulnerability Management.

Continue reading “Microsoft Defender ATP’s diary: From a SecAdmin’s Perspective”

Moving away from passwords with Windows 10, Windows Hello for Business & Microsoft Intune

On By Ronny de JongIn Microsoft Intune, Modern Management, Password-less, Windows 10, Windows 10, Windows Hello dor Business, Windows Hello for BusinessLeave a comment

In 2004, long before we went online massively concepts like phishing or ransomware were on the rise, Bill Gates, predicted at the RSA Conference that year the demise of passwords saying “they just don’t meet the challenge for anything you really want to secure.”

For years, we’ve been discussing the vulnerabilities of passwords (80 percent of security breaches are down to stolen passwords & credentials) and the need to ditch them for more robust & secure solutions. Many initiatives have been launched like Microsoft’s CardSpace, the Higgins project, the Liberty Alliance, NSTIC, the FIDO Alliance and various Identity 2.0 proposals. All with the explicit goal of eliminating passwords.

Continue reading “Moving away from passwords with Windows 10, Windows Hello for Business & Microsoft Intune”

Windows Defender ATP: Onboarding your Windows 10 endpoints, do it the right way!

On By Ronny de JongIn Microsoft Intune, Modern Management, Security, Threat, Windows 10, Windows Defender Advanced Threat Protection, Windows Defender ATP1 Comment

In the early days of onboarding Windows 10 endpoints to Windows Defender ATP you had to define a custom device configuration policy via Intune, in order to enable and register your Windows Defender ATP agents at scale.

Onboard Windows Defender ATP via custom device configuration policy.

Continue reading “Windows Defender ATP: Onboarding your Windows 10 endpoints, do it the right way!”