In this blog post I’ll explain how to configure and enable Windows Hello Multifactor Device Unlock using Microsoft Intune. Windows Hello Multifactor Device Unlock provides multifactor device authentication for login or unlocking Windows 10 devices.
Note: the content in this blog post may be subject to change as it's based on Windows 10 Insider Preview build 16232/16237.
Modern management made its appearance in the early days of Windows 8.x, but due to its limitations at that time it was not widely adopted.
The introduction of Windows 10 as the cloud OS, with tight integration of Azure AD, changed this rapidly. Combined with configuration service providers (CSPs), modern management provides increased capabilities and is thereby closing the gap with traditional management.
Another often-heard challenge of modern management is troubleshooting. This can be hard, as the process is experienced as a black box. Common tools (e.g. Event Viewer, PowerShell, WMI) are sometimes cryptic and thus challenging to interpret. Until today!
To illustrate the ease of troubleshooting (low entry barrier), we configured a custom policy in Microsoft Intune which configures Windows Defender Application Guard (currently in preview) and checked the process of the policy being applied on our endpoint.
Once the policy was assigned in Microsoft Intune, we triggered a policy refresh cycle.
In the updated GUI we can now determine which policy categories are configured, including our Windows Defender Application Guard (AppHVSI) policy. Besides the outline of the policy categories, we can also see the installed applications.
Management Diagnostic log files
The updated GUI goes beyond just displaying what is configured/applied and provides the ability to drill down into our MDM configuration. The MDM configuration can be exported as a management log file in HTML format to C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html
The MDM diagnostic log file provides general information about your system. However, the most interesting part is yet to come.
First of all, it provides insight into the configuration sources and resources (CSPs) and whether each is a device- or user-based policy. The Resources section correlates to the various policies and installed apps. I highlighted a GUID which correlates to an installed application.
Furthermore, it provides a detailed list of which policy categories are deployed by your MDM solution. These categories are the ones listed in the updated interface I mentioned before. This section also provides the detailed configuration of your policies.
In our scenario we deployed the Windows Defender Application Guard policy. It shows you the policy area, default value, current value and whether it's a device- or user-based policy. It confirms that the custom Windows Defender Application Guard policy has landed and been successfully applied.
When looking under the hood we have the confirmation here too: Windows Defender Application Guard is configured properly. As mentioned earlier, you'll find the policy categories here once again.
Complementary to the Windows Defender Application Guard CSP configuration, you can keep track of the group policy (ADMX-backed) equivalent.
As mentioned before, the MDM diagnostic log file also includes the list of applications installed through the MDM channel.
The updated interface in this Windows 10 preview build is as simple as it is ingenious, and helps us to get useful insights to troubleshoot our modern management endpoints.
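The troubleshooting walk-through above uses the Settings GUI; as an added example (not code from the original post), the same report can be regenerated from PowerShell and the applied policy areas read directly from the local PolicyManager store. Assumptions: MdmDiagnosticsTool.exe accepts the documented -out switch, applied device policies live under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device with companion *_ProviderSet/*_WinningProvider values, and 'ApplicationGuard' is an assumed area name to filter on.

```powershell
# Added example, not from the original post. Regenerates the MDM diagnostic report
# and lists which policy settings the MDM channel actually applied to this device.
$OutDir = 'C:\Users\Public\Documents\MDMDiagnostics'

function New-MdmDiagReport {
    param([string]$Directory)
    if (-not (Test-Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    # Same MDMDiagReport.html the Settings GUI exports, produced from the command line.
    & "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $Directory | Out-Null
    return (Join-Path $Directory 'MDMDiagReport.html')
}

function Get-AppliedMdmPolicy {
    # $Area filters on a policy area name (wildcards allowed); omit it to list every area.
    param([string]$Area)
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'   # assumed location
    Get-ChildItem -Path $root |
        Where-Object { -not $Area -or $_.PSChildName -like $Area } |
        ForEach-Object {
            $areaName = $_.PSChildName
            $props    = Get-ItemProperty -Path $_.PSPath
            # Skip PowerShell metadata and the companion values; keep the setting itself.
            $props.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' -and
                               $_.Name -notmatch '_(ProviderSet|WinningProvider|LastWrite)$' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Area            = $areaName
                        Setting         = $_.Name
                        Value           = $_.Value
                        # Which provider (e.g. the MDM enrollment) won for this setting.
                        WinningProvider = $props."$($_.Name)_WinningProvider"
                    }
                }
        }
}

$report = New-MdmDiagReport -Directory $OutDir
Write-Host "MDM diagnostic report written to $report"

# All applied device policy areas, then just the Application Guard area (assumed name).
Get-AppliedMdmPolicy | Sort-Object Area, Setting | Format-Table -AutoSize
Get-AppliedMdmPolicy -Area 'ApplicationGuard' | Format-Table -AutoSize
```

Run it in an elevated PowerShell session after the policy refresh cycle; an area that is missing from the output has not been delivered to the device yet, which narrows the problem to the Intune assignment or sync rather than the CSP.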
Introduction to configuration service providers (CSPs) for IT pros
In a mobile-first, cloud-first world the need to access corporate resources on unmanaged devices is rising. This is the cutting edge between managing (keeping safe) your corporate data and giving your users the freedom to be productive on any device.
With Conditional Access we can control access to corporate data (such as Exchange Online, SharePoint Online, Yammer, Delve, Teams, etc.) based on a device (health) status such as being managed or compliant. These scenarios (conditions) are based on devices being managed by your company (MDM managed). With the introduction of Session Controls, organizations are enabled to grant limited access to corporate resources without losing control over unmanaged devices.
Today I was happily surprised by the announcement that, as of today, Microsoft Enterprise Mobility + Security E5 licenses are available through Internal Use Rights (IUR). This is great news for those who are a Silver or Gold EMM competency partner. With this, Microsoft Partners are enabled to adopt the latest security features in their own organization too. "Practice what you preach."
One of the main benefits of the Microsoft Partner program is the IUR, which allow you to use Microsoft products in your own organization for free, based on your partner competency levels. This applies to traditional software, software keys and Microsoft Online Services.
With IUR Microsoft Partners are able to increase productivity, business value and savings. Enterprise Mobility + Security E3 had been available for quite a long time; however, E5 was missing, even though we as partners have an important role in enabling our customers with the latest Microsoft technology.
More information regarding Internal Use Rights can be found here.
New features like Azure AD Identity Protection and Azure AD Privileged Identity Management form important (security) components in the more than ever emerging Enterprise Mobility + Security E5 proposition.
Click here to unlock your IUR benefits today!
PS: special thanks to those who made this possible ;-)
A long-awaited feature became available this week in the new Azure portal: Azure AD Group Based licensing. With this we have a one-stop shop to assign licenses on a per-user or per-group basis.
Azure AD Group Based licensing was already available in the classic Azure portal, however it was limited to Azure AD Premium, Azure Rights Management, Microsoft Intune and Enterprise Mobility + Security licenses. For other licenses, like Office 365, we were relegated to the Office 365 Admin portal or custom (automated) solutions such as PowerShell or the Graph API. Continue reading "One license solution to rule them all: Azure AD Group Based Licensing!"
Yesterday I received an update from the Windows Insider Program which contains some great improvements I'd like to share with you. Here are some highlights.
Mobile application management
With the Creators Update we’re introducing mobile application management, a new feature that will protect data on personal devices without requiring the device to be enrolled in a Mobile Device Management solution. As employees use their own devices at work more and more, we are providing IT with oversight to apply policies to the applications employees use to be productive. This helps keep corporate data more secure without taking on the added responsibility of managing employees’ personal devices.
Recently Microsoft announced Microsoft Teams, a new chat-based platform in Office 365. For all mobile platforms (Android, iOS and Windows 10 Mobile) Microsoft released a native app, as well as a desktop app for Windows 10 and Mac OS X. The Microsoft Teams apps can be downloaded here. After I installed the Microsoft Teams desktop app on Windows 10 I bumped into the following funny message: 'Yikes! Looks like someone pulled the plug on the internet'.