Use a QR code to point users to the Intune Company Portal app for enrollment
Quick post here, ever wonder how you can create a QR code that points to the Intune Company Portal in the iOS app store (or any app store), and paste it in an email and send it to your end users? Well it’s super easy to do. Simply search online for a QR code generator. Example: https://www.bing.com/search?q=qr%20code%20generator
When I searched for a QR code generator, a result came up inline of my search results and I pasted the URL that points to the Intune Company Portal in the Apple app store and it generated the QR code below.
If you’re interested, here’s the raw data behind the QR code:
Even better, the Intune Company Portal has 4.5 stars, hey that’s awesome! Ok shameless plug, however it’s really cool to have such a high rating.
Anyway, theoretically you can do this for any app in an app store, whether they’re Microsoft Office apps, 3rd party apps, one of your published apps, etc.
To save you time, I generated QR codes that point to the Intune Company Portal (or enrollment URL in MacOS case) for all the platforms supported by Microsoft Intune:
Here’s an example email I manually created. Create your own by copying a QR code and generating your own custom emails using your corporate email application such as Outlook. Your users will love it! Plus it streamlines their enrollment process.
Here an example of using the built-in camera in iOS to scan the QR code. As you can see it took me directly to the Intune Company Portal app in the Apple app store.
As I meet with organizations, I learn what their business goals are, what their end user goals are, and what their budgetary guidelines are. I also learn a lot about their endpoint management goals. What I’ve discovered is endpoint management has different meanings for each customer with a few common themes, user experience, simplification, and cost reduction.
The pace of change with technology is extremely rapid and organizations often struggle to keep up with all the updates across deployed technologies. When IT teams deploy technologies to help secure and simplify administration, they must provide evidence to the organization about the short- and long-term benefits of shifting to newer technologies, especially if they are duplicative of existing technologies. The evidence to rip and release a working solution is typically prioritized and is provided in the forms of cost reduction, end user benefits, and administrative simplification. Looking back in history, many would argue managing Windows in the enterprise has been a priority for most organizations. Many of these organizations today continue to manage Windows with a variety of technologies with one, (based on my interaction with hundreds of organizations) standing out the most, System Center Configuration Manager (ConfigMgr).
Configuration Manager has been around for a couple decades and for good reason, in my opinion it manages Windows best. For those familiar with ConfigMgr, you’re probably familiar with its history and the changes to the product over time. What I’ve seen is a blend of enhancing the client, infrastructure, and administrative experiences, including enhancements to reporting, management techniques, bandwidth controls, scale, performance, and more recently attaching Configuration Manager to the cloud. These advancements are critical to an ever-changing landscape of Windows computing and resource access.
Why write about this now?
There are a couple reasons:
Organizations are going through digital transformation and taking a hard look at existing endpoint management solutions.
Configuration Manager remains one of the most widely utilized endpoint management technologies across organizations today and I articulate the ongoing value of ConfigMgr in the content below.
Recently organizations have asked me the question if ConfigMgr is “dead” and my consistent answer is “no” is it not, ConfigMgr as of this post manages over 150 million endpoints, in fact there’s been continued investment in ConfigMgr year-over-year. Take a look at “What’s New in Configuration Manager” over the past several releases and you’ll see a growing list of exciting enhancements over each release.
You’ll also notice ConfigMgr has a release roughly every four months which provides a predicable release schedule for organizations needing to plan updates. Speaking of ConfigMgr updates, in console notifications of new releases provides an easy and informative method to update ConfigMgr to the next release by a click of a button. In addition, ConfigMgr technical previews allow organizations to test new features ahead of upgrading to the next service release of ConfigMgr. The servicing of ConfigMgr and technical previews are a win/win in my opinion.
I also receive questions such as “why stay with Configuration Manager, when I see Microsoft doubling down on efforts to enhance Intune toward feature parity?“. While partially true, there are clear advantages to continue utilizing ConfigMgr and leverage the cloud by cloud attaching ConfigMgr.
Preparing your infrastructure for cloud attach by extending ConfigMgr to Azure enables organizations to manage devices off the corporate network by utilizing Cloud Management Gateway . By attaching ConfigMgr to the cloud, it allows organizations to simplify management of Windows devices and administrators will have the advantage of leveraging current processes built around endpoint management with ConfigMgr.
Organizations needing high availability in ConfigMgr can take advantage of site server high availability and SQL Always On.
Cloud attach Windows 10 clients to Intune by enabling co-management in ConfigMgr allows organizations to utilize ConfigMgr and Intune to manage Windows devices. By enabling co-management, the organization benefits from the currently unparalleled strength of Configuration Manager as well as additional benefits cloud services such as Microsoft Intune and Azure Active Directory provide. For example, ConfigMgr client health will be reported directly to the device stats in Intune (shown below), remote actions may be initiated directly from the Intune admin console, as well as utilizing conditional access policies with Azure Active Directory to control access to company resources.
So why not move from ConfigMgr and manage all Windows devices with Intune?
Although managing devices may be viable for many modern management scenarios, there are scenarios where ConfigMgr remains as the preferred solution including:
Network controls for locations with low bandwidth
Down-level Windows 7/8 client management
Windows Server management
Devices that are network Air Gapped (isolated) and have no Internet access
OS deployment through network boot options
Complex application deployment scenarios
Third-party software updates
Co-management provides methods for organizations running ConfigMgr to decide where they manage certain workloads. Currently, there are a number of workloads that may be managed by Intune when devices are co-managed, including:
Resource access policies
Office Click-to-Run apps
Windows Update Policies
When utilizing co-management there are several advantages to utilizing Intune, for example in a co-managed scenario when moving “compliance policies” workload over to Intune, organizations can take advantage of Azure Active Directory Conditional Access. There are also immediate benefits of co-management such as executing remote actions directly from Intune including: Factory Reset, Selective Wipe, Device Restart, Fresh Start, etc. Intune compliance policies also play a significate role in controlling device health and access via Azure AD conditional access, for example Windows 10 compliance policies may require one or more of the following before accessing corporate resources:
Use a password to access devices
Encryption (e.g. BitLocker)
Windows Defender version and signature is up-to-date
Traditionally, setting up device health posture for an on-premises requires additional services and hardware such as a Network Access Control (NAC) solution. Whereas selecting workloads by enabling co-management for Intune to manage, organizations can take advantage of access controls delivered from Azure AD and Intune, including for on-premises web applications published through Azure AD Application Proxy. Not only is device health posture evaluated, additional access controls may be enabled including multi-factor authentication.
Below is an example of a device managed with ConfigMgr and Intune where compliance is reported back and shows in the ConfigMgr Software Center.
Intune Portal – shows compliant
Software Center – shows compliant (reported back from Intune)
Now let’s talk about Windows deployment options. Traditional deployment techniques for Windows typically involves an image that requires updating and then a system to publish those images so when a bare-metal boot takes place an image can be accessed, downloaded, and installed. OS image management can be a time-consuming process as it requires a human resource to manage and update the OS, drivers, apps, agents, etc. Some organizations offload OS image management to an OEM where the OEM preloads the image on the device, however the images still need to be maintained, and offloading to the OEM comes at a cost.
By leveraging Microsoft Intune and Azure Active Directory, organizations can take advantage of Windows Autopilot. Autopilot is very exciting as it eliminates the OS image management process which in turn can reduce IT costs. By pre-registering devices with Microsoft Intune when a user receives a device from the OEM, upon boot and connecting to the internet, the device will see that it’s registered with Microsoft Intune and go through the Autopilot process.
When organizations continue to utilize ConfigMgr, the CM agent can be pushed from Intune and the device now connects directly to ConfigMgr (when on corporate network) or through the Cloud Management Gateway giving your organization the confidence of maintaining current processes. Additionally, utilizing task sequences in ConfigMgr, Windows 7/8 devices may be upgraded to Windows 10 and automatically enabled for AutoPilot thereafter. The Windows 7/8 to 10 upgrade process may be pushed automatically or manually executed by end users (see screenshot below).
What about running scripts and installing software?
Both ConfigMgr and Intune support running PowerShell scripts and deploying Win32 applications, however for complex scripting scenarios such as running in task sequences and complex application deployments (i.e. deep app dependencies, etc.), ConfigMgr is unparalleled in this space.
My colleague Danny Guillory (who is also a PM on the Intune team) provided the following comments about Win32 applications and Intune:
“Win32 App Deployment in Intune is a great way to get those .exe applications deployed and installed on those Windows Devices. The Win32 Wrapping Tool wraps all the files within that folder (think of a zipped folder), then distributes and deploys those files to the endpoints. The addition of detection method and delivery optimization makes Win32 app deployment more robust, simplifies distribution of content, and makes Win32 apps a must to explore with Intune Application Deployment.”
Additionally, MSIX is a new app packaging format that can take existing Win32 applications such as APP-V, MSI, .exe, etc. and package them in the new MSIX format. Many partners already support MSIX as well and for more details on MSIX packaging please visit: https://docs.microsoft.com/en-us/windows/msix/
If you’re looking to simplify application deployment both ConfigMgr and Intune provide the tools needed to deploy applications.
Monitoring and Reporting
Finally let’s talk about monitoring and reporting. ConfigMgr comes with hundreds of built-in reports, in addition there are newer monitoring and reporting capabilities with co-managed devices and a new reporting feature called CMPivot that provides real-time state of devices (see screenshot below). If you’re looking to creating dashboards based on ConfigMgr data, look into the Power BI template for ConfigMgr.
There are many Ignite sessions covering the topics in this post as well, to watch videos and learn more about the services and features discussed in this post please visit: https://www.microsoft.com/en-us/ignite search for “configuration manager”, “MSIX”, “Intune”
In conclusion, as organizations plan for the future of modernizing Windows management processes, my message to those organizations is to continue to leverage your current investments in ConfigMgr and keep current with releases. In parallel, begin to look at the benefits of cloud attaching ConfigMgr and/or managing workloads with Intune.
Windows Autopilot is a Windows 10 feature that enables organizations to pre-register devices either through an OEM or manually. When users receive a Windows 10 device that is registered with Autopilot and turn it on, they’ll walk through a streamlined and customized out of box experience (OOBE). In summary, Autopilot helps to reduce the costs (and in some cases, infrastructure) of deploying devices to users.
If Autopilot were to run into an error there are several methods to check what and why issues occurred. Michael Niehaus has several posts about troubleshooting Autopilot including a recent blog post outlining new methods of accessing information to investigate Autopilot. Refer to Michael’s posts for detailed information on how to troubleshoot Autopilot.
In this post I’m sharing a simple script I wrote (based on the info Michael Niehaus outlined in his post) to view aggregated information about Autopilot from the registry and event viewer. In addition to registry and event viewer info, deeper investigation steps may be pursued with ETW.
Let’s get started
Windows 10, 1709 or later
Feel free to modify the script to suite your needs such as remotely pull information from devices, etc.
The script is straight forward, first it looks for the Windows 10 version, i.e. 1709, and if it’s greater than or equal to “1709” it runs through both steps and pull registry and event logs. If the installed OS is greater than “1709” it will only pull event logs for 1709 as registry entries didn’t show up until 1803. Lastly, the script only pulls the latest 10 events, however that is easily modified.
#Get Windows Version
$WinVersion = (Get-ItemProperty -Path “HKLM:SOFTWAREMicrosoftWindows NTCurrentVersion” -Name ReleaseId).ReleaseId
Write-Host WindowsVersion= $WinVersion
I recently read a really great post by Martin Bengtsson about utilizing Configuration Manager (SCCM) to force installation of the Windows Defender Browser Protection extension for Chrome. So I decided to take a different approach and deploy the extension utilizing a PowerShell script deployed through Microsoft Intune.
I saved the script as a .ps1 file and added to Intune utilizing the steps below:
Name the script, upload, and save
Assign the script to a group
Sync your Windows 10 device with Intune
Sync the device with Intune
Registry Before sync
Chrome without Defender browser protection
Registry after sync
Chrome with Defender browser protection
Once Chrome is launched, the extension is automatically downloaded to the extension directory and added to Chrome.
Chrome extension directory
In addition to configuration, Configuration Manager will also perform remediation if this is something you’re more concerned with, SCCM is the best path to go currently. Again read Martin Bengtsson’s detailed post for insight on deploying and remediating for the Windows Defender Browser Protection for Chrome extension through SCCM.
When I speak with organizations about managing Windows 10 devices with Microsoft Intune there is a concern about disruption of current projects to deploy new OSs, patches, etc.When moving to Intune for managing Windows devices, Intune will leverage the built-in MDM agent vs. having to install another agent to manage Windows 10 devices.
With modern management of Windows 10, the process of updating and upgrading Windows 10 devices is seen as continual process. Updating Windows doesn’t have to be seen a massive project, evaluate your current processes for updating Windows and look at updating Windows 10 as an ongoing predictable process for IT and end users. In addition your users and company benefit from the latest security features built into Windows 10.
Managing Windows policies are also a concern when moving to a newer OS. Traditionally, configuration policies are managed by Group Policy, however Modern Management of Windows 10 with Microsoft Intune also has a set of policies, even policies that are duplicative of Group Policy (where applicable, not all Group Policies are available via MDM or CSP). In environments where Group Policies are deployed and managed by Intune there’s the question of which policy wins. The following describes which policy wins according to Windows 10 version.
Windows 10 versions 1709 and earlier Group Policy will override MDM policies, even if an identical policy is configured in MDM.
Windows 10 version 1803 and beyond there is a new Policy CSP setting called ControlPolicyConflict that includes the policy of MDMWinsOverGP, where the preference of which policy wins can be controlled, i.e. Microsoft Intune MDM policy.
Since the ControlPolicyConfict policy applies to the device, we’ll have to utilize the following string: ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
Next replace AreaName/PolicyName with ControlPolicyConflict/MDMWinsOverGP
After the modification to the string, the policy should look like the following: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Creating the policy
Let’s create a new policy in Intune to control the GP vs. MDM winner
Navigate to portal.azure.com and locate Intune
Select “Device configuration à Profiles à Create profile”
Under Platform select Windows 10 and later
Under Profile type select “custom” and “add”
Name the custom setting with something intuitive
For OMA-URI add the policy OMA-URI string: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
For Data type select Integer and add the number 1
Supported values for this policy are as follows:
1 – The MDM policy is used and the GP policy is blocked.
Let’s take a look how the policy is applied
On the Windows 10 device, select the Windows icon > Settings > Accounts > Access work or school à under the account name select Info
Sync with Microsoft Intune by selecting “Sync”
Once the Sync as completed select “Create report”
Once the report is completed a folder will open containing an .html file
Open the .html report and search for “MDMwins”
GP Setting before the MDM policy takes place :
MDM setting after the policy is applied (note: Windows 10 1803 is required to override the GP):
Let’s take a look at a report in Intune regarding the policy and if it was successfully applied. This useful to make sure the policies are actually applying or not.
Being able to investigate modifications to a device is extremely important, especially when troubleshooting.
In event viewer we can access the event where the policy was applied as shown below. However digging through events, especially across multiple devices, can be a difficult process. This is where Microsoft Operations Management Suite (OMS) comes in.
Logging with Microsoft Operations Management Suite (OMS)
Within OMS there is the Log Analytics solution to manage logs from devices with the OMS agent installed. I won’t go into details about installing the OMS agent, however I will say it’s straight forward. Once the agent is installed (which I have it installed on all my devices so I can look at label changes with Azure Information Protection (see my previous post) and other aggregated information) we’ll need to grab the proper even log source name and populate that in Log Analytics.
Find and copy the event log source or name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Paste the event log path in Log Analytics to “Windows Event Logs under Settings > Data > Windows Event Logs” as shown below:
Give the logs a few minutes to sync from the device to OMS, then run the query below in log analytics analyzer and look for the MDMWinsOverGP policy created above:
That’s it, we’ve learned that there is a new policy added to Windows 10 1803 that will control if MDM policies win over Group Policies (where applicable, not all Group Policies are available via MDM or CSP), how to investigate policies via event viewer, and aggregate those logs using Log Analytics (OMS).
As of January 2019 this is no longer necessary as the Intune Company Portal app is now included in the default list of protected apps.
Organizations using Windows Information Protection (WIP) may experience issues accessing the Intune Company Portal app. Fortunately, exempting Intune Company Portal app and any other application from a WIP policy is straight forward.
By exempting an application the following pertains:
If you’re running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won’t include auto-encryption or tagging and won’t honor your network restrictions. It also means that your exempted apps might leak.
Since the Intune Company Portal App doesn’t store any sensitive company data, exempting it shouldn’t be an issue, however always check in with your security team to make sure.
The first step to exempting the Intune Company Portal App for Windows is to locate the app in the store. I’ve done this for you below and even though the app may be accessed from the consumer and business store, all we really care about is the AppID at the end, i.e. “9wzdncrfj3pz”.
As we can see, the AppID is the same regardless of what portal it was accessed from:
To create an app policy within Intune to exempt the Intune Company Portal app navigate to portal.azure.com à Intune à Mobile Apps à App protection policies à Add a policy
Give the policy a name and select Exempt apps
Select Add apps
From the drop-down menu select Store apps
At this point you’ll need to have some information handy about the app. Fortunately, there is an easy method of extracting this data using the URL below. I’ve already accessed the URL below; however, you can do this for any store app to find the name, publisher info, and product name.
Access following and replace the ID with the ID of the app you’d like to exempt, in this case, the Intune Company Portal app ID: 9wzdncrfj3pz
Now that we have the JSON information about the Intune Company Portal store app (using the URL above), we need to add that data to the policy as shown below.
Once finished adding the information, select OK and assign the policy. On the Windows device, either wait for your devices to sync with Intune of force a sync from Settings à Accounts à Access work or school.
Once the policy updates you’ll be able to access the Intune Company Portal app:
That’s it, if you’re not utilizing Windows Information Protection today, I highly encourage everyone to look into the benefits of protecting corporate information across personal and corporate owned devices with Intune, including Windows, iOS, and Android.
With the abundance of data across services it’s important to have a method (API) to access the data for export. Most organizations I speak with have some sort of SIEM to aggregate data and analyze it for informational and alerting purposes. Microsoft also offers a service called Microsoft Operations Management suite and within that suite is a service called Log Analytics. For more details about Log Analytics please visit: https://azure.microsoft.com/en-us/services/log-analytics/
For the purposes of this post we’ll look at how to query Log Analytics using PowerShell.
Below is the output from PowerShell query using GridView. Because the data is in JSON format we can use the data to import into an existing SIEM or dump the data in whatever format needed.
Below is a view of a query from log analytics, as we can see the query’s are identical using both methods. So utilizing the Log Analytics portal, we can craft queries and then use those queries in our PowerShell scripts to extract data. I recommend using the Log Analytics portal to prove out queries before utilize PowerShell.