Improved MDM diagnostics from Windows 10 Insider Preview #16232

Note: the content in this blog post may subject to change as it’s based on Windows 10 Insider Preview build 16232/16237.

In the early days of Windows 8.x modern management made it’s appearance but due it’s limitations at that time not widely adopted.

Traditional vs Modern

The introduction of Windows 10 as the cloud OS with tight integration of Azure AD changed this rapidly. Combined with configuration service provider (CSP) modern management provides increased capabilities and therefore closing the gap with traditional management.

Another often-heard challenge of modern management is the troubleshooting part. This can sometimes be challenging as it is experienced as a black box. Common tools  (e.g. Event Viewer, PowerShell, WMI) are sometimes cryptic and thus challenging to interpret, until today!

Troubleshooting

To illustrate the ease of troubleshooting (low entry), we configured a custom policy by Microsoft Intune which configures Windows Defender Application Guard (currently in preview) and check the process of the policy being applied on our endpoint .

Microsoft Intune Custom Policy

Once assigned the policy in Microsoft Intune we triggered a policy refresh cycle.

Updated interface

Update Management Profile GUI

In the updated GUI we can now determine which policy categories are configured, including our Windows Defender Application Guard (AppHVSI) policy. Besides the outline of the policy categories we can also determine the installed applications. 

 Improved Management Profile GUI PolicyManager MDM Category

Management Diagnostic log files

The updated GUI goes beyond just displaying what is configured/applied and provides the ability drill down to our MDM configuration. The MDM configuration can be exported in a management log file which is exported in HTML format to C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html

MDM Diagnostics GUI

The MDM diagnostic log file provides general information of your system. However the most interesting part is yet to come.

Base MDM Diagnostic Information

First of all it provides insights of the configuration sources and resource (CSPs) and  whether it’s a device- or user based policy. The Resource section correlates to the various policies and installed apps. I highlighted a guid which correlates to an installed application.

MDM Configuration Sources

Further it provides a detailed list of which policy categories are deployed by your MDM solution. These categories are listed in the updated interface I mentioned before. Further this section provides the detailed configuration of your policies.

In our scenario we deployed Windows Defender Application Guard policy. It shows you the policy area, default value, current value and whether it’s a device- or user based policy.  It confirms the custom Windows Defender Application Guard Policy has been landed and successfully applied.

MDM Managed Policies

When looking under the hood we’ve the confirmation here too, Windows Defender Application Guard is configured properly. And mentioned earlier you’ll find the policy categories once again.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\AppHVSI

PolicyManager MDM Registry

Complementary to the Windows Defender Application Guard CSP configuration you can keep track of the group policy (backed ADMX) equivalent.

PolicyManager MDM Group Policy

Installed Applications

As mentioned before the MDM diagnostic log file also includes the list of installed applications through MDM channel.

Managed Applications by MDM

Finally, we also have access to settings which are not set via CSP.

Unmanaged MDM Policies

Summary

The updated interface in this Windows 10 preview build is a simple as ingenious extension and help us to get useful insights to troubleshoot your modern management end-points.

Sources

Introduction to configuration service providers (CSPs) for IT pros

https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers

WindowsDefenderApplicationGuard CSP

https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp

Continue reading “Improved MDM diagnostics from Windows 10 Insider Preview #16232”

Part 1 – Deploying Microsoft Intune PFX connector in an Enterprise world…common practices

Last year I had the change to implement PFX certificate infrastructure for a large enterprise customer. Occasion of the project was a migration of Citrix XenMobile (XDM) to Microsoft Intune as strategic mobile device- and application management solution.

microsoft-intune-pfx-connector-architecture-overview
Microsoft Intune PFX connector certificate deployment architecture.

In a series of blogposts I’m sharing my experiences, design decisions, common practices and challenges of implementing Microsoft Intune PFX connector as certificate deployment mechanism in an enterprise environment.

Top 3 feature enhancements of Windows 10 Creators Update

Yesterday I received an update of the Windows Insiders Program which contains some great improvements which I’d to share with you. Hereby some highlights.

Mobile application management

With the Creators Update we’re introducing mobile application management, a new feature that will protect data on personal devices without requiring the device to be enrolled in a Mobile Device Management solution. As employees use their own devices at work more and more, we are providing IT with oversight to apply policies to the applications employees use to be productive. This helps keep corporate data more secure without taking on the added responsibility of managing employees’ personal devices.

 

Continue reading “Top 3 feature enhancements of Windows 10 Creators Update”

Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access

Recently Microsoft announced Microsoft Teams, a new chat-based platform in Office 365. For all mobile platforms (Android, iOS and Windows 10 Mobile) Microsoft released an native app, including a desktop app for Windows 10 and Mac OS X. The Microsoft Teams apps can be downloaded here. After I installed the Microsoft Teams desktop app on Windows 10 I bumped into the following funny message ‘Yikes! Looks like someone pulled the plug on the internet’.

clip_image001

Continue reading “Microsoft Teams: How to overcome challenges with Windows Information Protection & Conditional Access”

Windows Information Protection…notes from the field! #MSIgnite

Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps organizations to protect corporate data against potential data leakage.

information-protection-needsThe concept is fairly simple and is actually based on defining two lists:

  • A corporate boundary list, which represents both on-premise & cloud network locations where managed apps can access corporate data;
  • A list of managed (trusted) apps, which are allowed to open, modify & store corporate data within the corporate boundary list.

In this blog we will look at some practical examples which you have to consider for a successful implementation of Windows Information Protection including a top 4 of recommended practices.

Continue reading “Windows Information Protection…notes from the field! #MSIgnite”