In the early days of onboarding Windows 10 endpoints to Windows Defender ATP, you had to define a custom device configuration policy in Intune to enable and register your Windows Defender ATP agents at scale.
In this blog post I’ll explain how to configure and enable Windows Hello Multifactor Device Unlock using Microsoft Intune. Windows Hello Multifactor Device Unlock provides multifactor device authentication for login or unlocking Windows 10 devices.
Note: the content in this blog post may be subject to change, as it is based on Windows 10 Insider Preview build 16232/16237.
Modern management first made its appearance in the days of Windows 8.x, but due to its limitations at that time it was not widely adopted.
The introduction of Windows 10 as the cloud OS, with tight integration with Azure AD, changed this rapidly. Combined with configuration service providers (CSPs), modern management provides greatly increased capabilities and therefore closes the gap with traditional management.
Another often-heard challenge of modern management is troubleshooting. This can be difficult, as modern management is experienced as a black box: the common tools (e.g. Event Viewer, PowerShell, WMI) are sometimes cryptic and thus hard to interpret. Until today!
To illustrate how easy (low entry) troubleshooting has become, we configured a custom policy in Microsoft Intune that configures Windows Defender Application Guard (currently in preview) and followed the process of the policy being applied on our endpoint.
Once the policy was assigned in Microsoft Intune, we triggered a policy refresh cycle.
In the updated GUI we can now determine which policy categories are configured, including our Windows Defender Application Guard (AppHVSI) policy. Besides the outline of the policy categories, we can also see the installed applications.
Management Diagnostic log files
The updated GUI goes beyond just displaying what is configured and applied: it provides the ability to drill down into the MDM configuration. The MDM configuration can be exported as a management log file in HTML format to C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html
The MDM diagnostic log file provides general information about your system. However, the most interesting part is yet to come.
First of all, it provides insight into the configuration sources and resources (CSPs) and whether each is a device- or user-based policy. The Resource section correlates to the various policies and installed apps. I highlighted a GUID which correlates to an installed application.
Furthermore, it provides a detailed list of which policy categories are deployed by your MDM solution. These categories are the ones listed in the updated interface I mentioned before. This section also provides the detailed configuration of your policies.
In our scenario we deployed the Windows Defender Application Guard policy. It shows you the policy area, default value, current value and whether it is a device- or user-based policy. It confirms the custom Windows Defender Application Guard policy has landed and been successfully applied.
Looking under the hood, we have the confirmation here too: Windows Defender Application Guard is configured properly. As mentioned earlier, you will find the policy categories here once again.
Complementary to the Windows Defender Application Guard CSP configuration, you can keep track of the (ADMX-backed) Group Policy equivalent.
As mentioned before, the MDM diagnostic log file also includes the list of applications installed through the MDM channel.
The updated interface in this Windows 10 preview build is as simple as it is ingenious and helps us get useful insights to troubleshoot our modern management endpoints.
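The same checks the post walks through in the Settings UI can be scripted, which is handy when you want to verify a policy on many endpoints or attach the evidence to a ticket. The script below is an added example and is not code from the original post: it regenerates MDMDiagReport.html with the built-in mdmdiagnosticstool.exe, then reads the current and default values of one Policy CSP area from the PolicyManager registry keys (the source of the "default value / current value" columns in the report) and lists the latest MDM events. It assumes Windows 10 1607 or later, an elevated session, and that `ApplicationGuard` is the registry name of the Windows Defender Application Guard (AppHVSI) policy area; the bookkeeping value suffixes it filters out are also an assumption.

```powershell
# Added example, not from the original post: regenerate the MDM diagnostic report
# and cross-check one Policy CSP area against the registry keys and event log
# that the report is built from.
# Assumptions: Windows 10 (1607 or later) with mdmdiagnosticstool.exe, elevated session;
# 'ApplicationGuard' is assumed to be the registry name of the AppHVSI policy area.
param(
    [string]$OutDir = 'C:\Users\Public\Documents\MDMDiagnostics',
    [string]$Area   = 'ApplicationGuard'
)

# 1. Export MDMDiagReport.html, the same report the Settings app exports.
$tool = Join-Path $env:SystemRoot 'System32\mdmdiagnosticstool.exe'
& $tool -out $OutDir
$report = Join-Path $OutDir 'MDMDiagReport.html'
if (-not (Test-Path $report)) { throw "Report was not generated at $report" }
Write-Host "Report written to $report"

# 2. Current value (what the MDM channel set) versus default value, as shown in the
#    report's policy section. PolicyManager keeps applied device policies under
#    'current\device\<Area>' and the defaults under 'default\<Area>\<Policy>\value'.
$currentKey = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
$defaultKey = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\$Area"

if (Test-Path $currentKey) {
    $current = Get-ItemProperty -Path $currentKey
    (Get-Item -Path $currentKey).Property |
        # Skip bookkeeping values (assumed suffixes) so only policy names remain.
        Where-Object { $_ -notmatch '_(ProviderSet|WinningProvider|LastWrite)$' } |
        ForEach-Object {
            $policy      = $_
            $defaultPath = Join-Path $defaultKey $policy
            $defaultVal  = $null
            if (Test-Path $defaultPath) { $defaultVal = (Get-ItemProperty -Path $defaultPath).value }
            [pscustomobject]@{
                Area    = $Area
                Policy  = $policy
                Current = $current.$policy
                Default = $defaultVal
            }
        } | Format-Table -AutoSize
} else {
    Write-Warning "No applied device policy found for area '$Area'; check the report or trigger a sync."
}

# 3. The latest MDM policy events, useful when the report shows a value you did not expect.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Run it after triggering a sync from Settings (or after the enrollment scheduled task has fired); if step 2 reports no key for the area, the policy has not been delivered yet, and the event log in step 3 usually shows why.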
Introduction to configuration service providers (CSPs) for IT pros
Undoubtedly you have been asked at some point to customize the Windows 10 Start menu. Your response might be: “Sure, I’ll fix this by Group Policy, imaging (task sequence) or, as a last resort, by manually importing a .xml file.” All, or almost all, valid options in a fully managed environment where your clients are domain joined (Active Directory) and/or fully managed by Configuration Manager or MDT. But what about your non-domain-joined Windows 10 devices which are outside the company and managed by Microsoft Intune (MDM)? Well, OMA-URI is your best friend!
Configuration Service Provider (CSP)
In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. With Microsoft Intune (MDM), you define the Start layout using an OMA-URI setting, which is based on the Policy configuration service provider (CSP).
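To show what "define the Start layout using an OMA-URI setting" looks like in practice, here is an added example (not code from the original post): it exports the Start layout of a reference device with the built-in Export-StartLayout cmdlet, validates that the file is well-formed XML, and escapes it into the single string value that the Policy CSP `Start/StartLayout` setting takes in an Intune custom OMA-URI profile. It assumes Windows 10 Enterprise or Education; the file paths are placeholders.

```powershell
# Added example, not from the original post: turn an exported Start layout into the
# escaped string an Intune custom OMA-URI setting expects.
# Assumptions: Windows 10 Enterprise or Education; both file paths are placeholders.
$layoutPath = 'C:\Temp\StartLayout.xml'          # placeholder path
$valuePath  = 'C:\Temp\StartLayout-OmaUri.txt'   # placeholder path

# 1. Capture the Start layout of the signed-in user on the reference device.
Export-StartLayout -Path $layoutPath

# 2. Refuse to ship a malformed layout: a layout the client cannot parse will not apply,
#    and that is hard to spot later without the MDM diagnostic report.
$raw = Get-Content -Path $layoutPath -Raw
try {
    $parsed = [xml]$raw
} catch {
    throw "Exported layout is not valid XML: $($_.Exception.Message)"
}
if ($parsed.DocumentElement.LocalName -ne 'LayoutModificationTemplate') {
    throw "Unexpected root element '$($parsed.DocumentElement.LocalName)'"
}

# 3. The OMA-URI value is the XML as one escaped string: '<' -> '&lt;', '>' -> '&gt;',
#    '&' -> '&amp;', '"' -> '&quot;'. SecurityElement.Escape performs exactly that mapping.
$escaped = [System.Security.SecurityElement]::Escape($raw)
Set-Content -Path $valuePath -Value $escaped -NoNewline -Encoding UTF8

# 4. What to enter in the Intune custom profile (one OMA-URI setting).
[pscustomobject]@{
    Name     = 'Start layout'
    OmaUri   = './User/Vendor/MSFT/Policy/Config/Start/StartLayout'
    DataType = 'String'
    Value    = "contents of $valuePath ($($escaped.Length) characters)"
} | Format-List
```

The `./User/...` prefix scopes the setting to the user the profile is assigned to, which matches the per-user Start layout the post describes. Updating the layout later is just re-running the script and replacing the Value field, no reimaging involved.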
With the December update of Microsoft Intune, a cool feature, OMA-URI support, has been added. This seemingly small feature introduces ‘endless’ management capabilities and scenarios, which allows you to take full advantage of managing Windows Phone devices with Microsoft Intune. This is useful when the setting you need is not configurable in a mobile device security policy.
A good example is blocking the removal of the Workplace account from your managed Windows Phones. By default, users are able to un-enroll their devices, which thus become unmanaged. In this blog I’ll show you how to prevent un-enrollment and the ability to factory reset a Windows Phone device by means of an OMA-URI policy template.
As per the latest update release (currently enrolled) of Microsoft Intune, it now provides full support for OMA-URI. This seemingly small feature introduces ‘endless’ capabilities which open a new era of Enterprise Mobility! Endless possibilities and scenarios allow you to take full benefit of all existing and new features that Microsoft Intune and Windows Phone 8.1 offer.
According to the Microsoft Intune update of December, the Windows Phone 8.1 Enterprise Device Management Protocol guide has been updated, including improvements to the existing feature set and new capabilities such as managing Wi-Fi profile configuration for Windows Phone 8.1.
Here is an overview of updated and new Windows Phone 8.1 capabilities:
New in Windows Phone 8.1
- Enterprise application restrictions
- EnterpriseAssignedAccess configuration service provider
- Logging support for Enterprise server creation
- PolicyManager configuration service provider
- RemoteLock configuration service provider
- RemoteRing configuration service provider
- VPN configuration service provider
- Web Authentication Broker Support in enrollment process
- Wi-Fi configuration service provider
Updated in Windows Phone 8.1
- Certificate configuration
- CertificateStore configuration service provider
- Discovery web service
- DMClient configuration service provider
- Enterprise application install, update, uninstall
The updated Windows Phone 8.1 Enterprise Device Management Protocol document can be downloaded here.