I had the honor to deploy Windows Hello for Business several times for customers transitioning to a modern workplace using Azure AD and Microsoft Intune to manage their Windows 10 devices - combined with hybrid user identities. Now I want to share the most common hurdles and my experiences with you.
Just to make sure that you have the modern mindset - here’s a little quote to reconsider your hybrid strategy (if not already done):
You don’t need a Hybrid Azure AD join for your Windows 10 devices. Be brave and don’t be afraid and switch to an Azure AD join. It will simplify your device management and significantly reduce the complexity.
## Why additional configuration is required

To access on-premises resources that rely on Active Directory (file shares, applications), Kerberos is used as the authentication protocol. If you have Azure AD Connect in place and a user signs in with a hybrid identity using a password on an Azure AD joined Windows 10 device, the user automatically receives the required Kerberos tickets when accessing those resources.

But if the sign-in happens with Windows Hello for Business credentials (PIN, biometrics), the authentication flow is interrupted because neither the domain controller (unless it is a Windows Server 2016 DC) nor the client can verify the integrity of the other side.
Microsoft Defender ATP (MDATP) for macOS has finally reached public preview. We can now protect our macOS endpoints with cloud-based power. I created a little guide about the onboarding process with Microsoft Intune and the user experience.
## Prerequisites

From a macOS endpoint perspective:

- macOS version 10.12 (Sierra) or newer
- No third-party endpoint protection installed
- At least 1 GB of free disk space
- macOS client enrolled in your Intune tenant

If you want to enable macOS enrollment for your Intune tenant, I’ve written a post about the enrollment process.

From a Microsoft 365 perspective:

- Microsoft Defender ATP license (Windows 10 Enterprise E5)
- Intune tenant with macOS enrollment enabled
- Access to the Microsoft Defender Security Center
- Appropriate user rights to create and assign an Intune device configuration and LOB app

This post assumes that you perform the tasks and file preparation on a macOS machine.

## Preparing the onboarding package and files

Access the Microsoft Defender Security Center and gather the installation and onboarding package:
To deploy the installation package with Microsoft Intune we need the Intune app wrapping tool for macOS which is available here.
As Microsoft extends the integration of non-Windows devices and the apps available for macOS, you might want to benefit from your existing MDM solution of choice (Microsoft Intune) and enable features like Conditional Access or Windows Defender ATP on your macOS devices. This post covers the enrollment with the Company Portal app. If you want to enroll your devices with DEP (Device Enrollment Program), you can find a great guide here.
## Mind the enrollment restrictions

Let’s start by checking the configured enrollment restrictions to make sure that macOS enrollment is not blocked for your tenant. You’ll find them on your Intune dashboard under: Microsoft Intune > Device enrollment > Enrollment restrictions

Intune enrollment restrictions (screenshot)

## Get an Apple MDM push certificate

Without going into details: you need an Apple MDM push certificate (also called an APNs certificate) to manage Apple devices with MDM. The push certificate allows your MDM solution to send notifications about device actions to your end devices (e.g. wipe, app installation, new policy). To request a push certificate you need a valid Apple ID.
When using your notebooks and portable devices together with a docking station, your users might like to close the lid. The Windows 10 1903 release introduces additional Power CSP settings. One of them allows you to configure the lid close action while on AC power, so the device doesn’t switch to hibernate as it does by default.

## Policy CSP configuration

To configure this policy with Microsoft Intune, use the following OMA-URI configuration within a new custom device configuration:

| Setting | Value |
|---|---|
| Name | SelectLidCloseActionPluggedIn |
| Description | Action that Windows takes when a user closes the lid on a mobile PC. |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Power/SelectLidCloseActionPluggedIn |
| Data type | Integer |
| Value | 0 |

Possible values are:

- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown

## End user experience

After the next MDM policy refresh the configured policy takes effect and is visible under the power options in the Control Panel:
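To confirm on a device that the policy has actually landed, the following added example (not code from the original post) compares the value the MDM client stored for `SelectLidCloseActionPluggedIn` with the lid action powercfg reports for the active power scheme on AC power. The registry location under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device` is an assumption about where the MDM client mirrors Policy CSP values; the value mapping is the one listed above.

```powershell
# Added example, not from the original post: check on a Windows 10 device whether the
# SelectLidCloseActionPluggedIn policy configured above has actually been applied.
# Two sources are compared: the value the MDM client stores in the registry and the
# lid action powercfg reports for the active power scheme on AC power.
# Assumption: Policy CSP values are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.

# Value mapping as listed for the Power CSP setting
$LidCloseActions = @{
    0 = 'Take no action'
    1 = 'Sleep'
    2 = 'System hibernate sleep state'
    3 = 'System shutdown'
}

function Get-MdmLidCloseActionPluggedIn {
    # Returns the integer delivered by Intune, or $null if the policy has not arrived yet
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Power'   # assumed location
    $item = Get-ItemProperty -Path $key -Name 'SelectLidCloseActionPluggedIn' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SelectLidCloseActionPluggedIn
}

function Get-EffectiveLidCloseActionPluggedIn {
    # powercfg prints a line like "Current AC Power Setting Index: 0x00000000"
    # for the lid close action (SUB_BUTTONS / LIDACTION) of the active scheme
    $output = & powercfg.exe /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
    foreach ($line in $output) {
        if ($line -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
    return $null
}

function Test-LidCloseActionPluggedIn {
    param([int]$Expected = 0)   # 0 = "Take no action", the value configured in the profile

    $mdm       = Get-MdmLidCloseActionPluggedIn
    $effective = Get-EffectiveLidCloseActionPluggedIn

    $mdmText = if ($null -ne $mdm) { $LidCloseActions[$mdm] } else { 'policy not delivered yet' }
    $effText = if ($null -ne $effective) { $LidCloseActions[$effective] } else { 'could not read powercfg output' }

    [pscustomobject]@{
        ExpectedValue   = $Expected
        ExpectedAction  = $LidCloseActions[$Expected]
        MdmValue        = $mdm
        MdmAction       = $mdmText
        EffectiveValue  = $effective
        EffectiveAction = $effText
        # Both the delivered policy and the effective power setting must match
        Compliant       = ($mdm -eq $Expected) -and ($effective -eq $Expected)
    }
}

# Run on the device after the next MDM policy refresh; Compliant is True when both sources match
Test-LidCloseActionPluggedIn -Expected 0 | Format-List
```

A device where `MdmValue` is correct but `EffectiveValue` is not points at a conflicting power plan or a Group Policy still winning over the MDM setting, which is a different problem from the policy not having been delivered yet.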
Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices.
Updated on 12.07.2019: Included the Intune administrative template configuration
The setting is officially described as follows:
This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft)
If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft)
## Prerequisites

In order to get things up and running we need at least:

- OneDrive sync client version 19.012.0121.0011 or newer
- Windows 10 version 1709 or newer
- OneDrive Files On-Demand enabled (described below)

Be aware that this feature is not supported with on-premises SharePoint sites, and it is not recommended to enable this setting for more than 1'000 devices. The device limit is related to the Windows Push Notification Service, which tells the OneDrive clients when a file change occurs on the server side. When you exceed that limit, clients will find themselves in polling mode. Hans Brender explains this behavior well on his blog.
Recently a customer needed a drive mapping solution to access their on-premises file shares during the transition phase to a cloud-only workplace. I want to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for printer mapping or other PowerShell scripts which need to run at each user logon.
Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune.
Direct link to the final scripts
Let’s assume we have the following scenario:

- Customer with hybrid user identities (Azure AD Connect)
- On-premises resources with legacy file shares
- Devices are Azure AD joined (**not** hybrid joined)
- MDM managed with Intune
- [Optional] Always On VPN for external on-premises resource access
- [Optional] Windows Hello for Business deployment as described [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso)

## Architecture

With my colleague Alain Schneiter I designed the following solution:

- Main PowerShell script stored on Azure blob storage which handles the drive mapping; drive letters, UNC paths and descriptions can be configured within the script
- Client-side script deployed with Intune which triggers the main script during logon. The main script is not stored locally, which makes it easy to customize (no updates or changes needed on the client side)
- Deployment is user targeted via Azure AD group and Intune

## Azure blob storage configuration

We wanted to store the script within Azure because the customer was already using Azure blob storage. It’s also possible to store the PowerShell script on GitHub if you don’t want to use Azure.
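As an added example of the main script in this architecture (not the authors' published script), the block below maps drives from a central configuration table, only maps a share when it is actually reachable (which is what happens off-site without the VPN), reuses a correct existing mapping and replaces a stale one. Server names, share paths, letters and descriptions are constructed placeholders.

```powershell
# Added example, not the authors' script: a main drive mapping script of the kind the
# architecture describes. It is meant to be hosted centrally (Azure blob storage) and
# fetched over HTTPS by a small Intune-deployed client script at logon. Server names,
# share paths, letters and descriptions are constructed placeholders.

# Central configuration: edit here, no client-side change required
$DriveMappings = @(
    @{ Letter = 'H'; Path = '\\fs01.corp.example\home$\%USERNAME%'; Description = 'Home' }
    @{ Letter = 'P'; Path = '\\fs01.corp.example\projects';         Description = 'Projects' }
    @{ Letter = 'S'; Path = '\\fs02.corp.example\software';         Description = 'Software' }
)

function Test-ShareReachable {
    param([string]$Path)
    # Only map when the share answers; off-site without VPN this fails fast instead of hanging
    try { return (Test-Path -Path $Path -ErrorAction Stop) } catch { return $false }
}

function Set-NetworkDriveDescription {
    param([string]$Letter, [string]$Description)
    # Explorer shows this name instead of the UNC path
    $shell = New-Object -ComObject Shell.Application
    $shell.NameSpace("${Letter}:").Self.Name = $Description
}

function Connect-NetworkDrive {
    param([string]$Letter, [string]$Path, [string]$Description)
    $target = [Environment]::ExpandEnvironmentVariables($Path)

    if (-not (Test-ShareReachable -Path $target)) {
        Write-Warning "${Letter}: skipped, '$target' not reachable"
        return $false
    }

    $existing = Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue
    if ($existing -and $existing.DisplayRoot -eq $target) {
        Write-Verbose "${Letter}: already mapped to '$target'"
        return $true
    }
    if ($existing) {
        # Letter is taken by a stale or different mapping; drop it before re-mapping
        & net.exe use "${Letter}:" /delete /y | Out-Null
    }

    # -Persist turns the mapping into a regular Windows network drive visible in Explorer
    New-PSDrive -Name $Letter -PSProvider FileSystem -Root $target -Persist -Scope Global -ErrorAction Stop | Out-Null
    Set-NetworkDriveDescription -Letter $Letter -Description $Description
    Write-Verbose "${Letter}: mapped to '$target'"
    return $true
}

# Map everything and report; the client-side launcher only has to download and run this file
$results = foreach ($m in $DriveMappings) {
    [pscustomobject]@{
        Drive  = $m.Letter
        Path   = $m.Path
        Mapped = Connect-NetworkDrive -Letter $m.Letter -Path $m.Path -Description $m.Description
    }
}
$results | Format-Table -AutoSize
```

Because this file is downloaded and executed in every user's context at each logon, the blob it lives in should be readable over HTTPS only and writable by nobody but the administrators who maintain it; whoever can change the script runs code on every targeted device.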
If you are using Azure AD, then as time passes you’ll end up with a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune, the device is only removed within MDM and the Azure AD entry still exists.

Intune device cleanup rule (screenshot)

For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the specified threshold date. If you confirm the operation you can also delete all affected devices.

Please be careful when running the script, because when removing a device from Azure AD the stored BitLocker recovery keys are also removed. I can recommend Roger Zander’s Azure table-based BitLocker recovery key solution.
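The following added example (not the post's own snippet) shows the report-then-confirm pattern described above with the AzureAD PowerShell module: it lists devices whose `ApproximateLastLogonTimeStamp` is older than the threshold (devices that never reported a logon are flagged separately), writes the report to a CSV before anything is touched, and the removal supports `-WhatIf` and confirms every device individually because the BitLocker recovery keys go with the object. The 90-day threshold and the CSV path are assumptions.

```powershell
# Added example, not the post's snippet: report Azure AD devices that have not contacted the
# tenant since a threshold date, and optionally remove them. Requires the AzureAD PowerShell
# module and an established Connect-AzureAD session. Removal supports -WhatIf and prompts per
# device because deleting the object also deletes its stored BitLocker recovery keys.

function Get-StaleAzureADDevice {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$Threshold
    )
    Get-AzureADDevice -All $true | ForEach-Object {
        $lastSeen  = $_.ApproximateLastLogonTimeStamp
        # Devices that never reported a logon have no timestamp; flag them instead of guessing
        $neverSeen = ($null -eq $lastSeen)
        if ($neverSeen -or $lastSeen -lt $Threshold) {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                ObjectId       = $_.ObjectId
                DeviceId       = $_.DeviceId
                OS             = "$($_.DeviceOSType) $($_.DeviceOSVersion)"
                TrustType      = $_.DeviceTrustType
                LastSeen       = $lastSeen
                NeverSeen      = $neverSeen
                AccountEnabled = $_.AccountEnabled
            }
        }
    }
}

function Remove-StaleAzureADDevice {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Device
    )
    process {
        $action = 'Remove from Azure AD (stored BitLocker recovery keys are deleted with the object)'
        if ($PSCmdlet.ShouldProcess("$($Device.DisplayName) [$($Device.DeviceId)]", $action)) {
            Remove-AzureADDevice -ObjectId $Device.ObjectId
        }
    }
}

# Usage
Connect-AzureAD | Out-Null
$threshold = (Get-Date).AddDays(-90)          # assumed threshold; adjust to your policy
$stale = Get-StaleAzureADDevice -Threshold $threshold

# 1. Keep the report before touching anything
$stale | Export-Csv -Path "$env:TEMP\stale-azuread-devices.csv" -NoTypeInformation
$stale | Sort-Object LastSeen | Format-Table DisplayName, OS, TrustType, LastSeen, NeverSeen

# 2. Dry run first, then the real deletion (each device is confirmed because ConfirmImpact is High)
$stale | Remove-StaleAzureADDevice -WhatIf
# $stale | Remove-StaleAzureADDevice
```

Review the `NeverSeen` rows by hand before deleting: a freshly registered device that has not completed its first sign-in looks identical to an abandoned one in this report.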
If you want to assign Microsoft licenses to your Azure AD users, e.g. Microsoft 365 E3 licenses, you can do this with group-based licensing as described here. The problem is that even with group-based licensing, the UsageLocation property for each user must be set individually.

Update, 13.01.2019: Since group-based licensing is GA, the tenant location is used if no UsageLocation is set on a user object. Use this guide if you want to manually assign licenses or override the tenant settings if you need to configure different UsageLocations.

## Possible bulk and automation solutions

You can achieve this with the following options:

- “Manual” through the Azure or Office 365 portal
- PowerShell (must be triggered manually or through a scheduled task)
- Azure AD Connect synchronisation (UsageLocation populated in on-premises AD)
- Azure Automation with a PowerShell runbook, as in this post 🙂

## Azure Automation sounds expensive?

Fortunately Azure Automation offers 500 minutes of script runtime per month for free. Find more details under Automation pricing. Just to give you an idea: if the executed script has an average runtime of 1 minute, you could run it 500 minutes / 30 calendar days ≈ 16 times per day. Each month. For free.
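As an added example of the runbook option (not the post's own runbook), the block below sets a UsageLocation on every enabled member user that has none, deriving it from the user's `Country` attribute where a constructed lookup table knows it and falling back to a default otherwise. The credential asset name `AzureAD-LicenseAdmin`, the default `CH` and the country map are assumptions; the AzureAD module must be imported into the Automation account.

```powershell
# Added example, not the post's runbook: an Azure Automation PowerShell runbook that sets the
# UsageLocation on every enabled Azure AD member user that has none, so group-based licensing
# can assign licenses. Assumptions: the AzureAD module is imported into the Automation account
# and a credential asset named 'AzureAD-LicenseAdmin' exists for a service account that can
# sign in non-interactively. Both names and the default location are placeholders.

param(
    [string]$DefaultUsageLocation = 'CH',               # ISO 3166-1 alpha-2 fallback (placeholder)
    [string]$CredentialAssetName  = 'AzureAD-LicenseAdmin'
)

# Optional: derive the location from the user's Country attribute (constructed sample map)
$CountryToUsageLocation = @{
    'Switzerland'   = 'CH'
    'Germany'       = 'DE'
    'United States' = 'US'
}

function Resolve-UsageLocation {
    param([string]$Country, [string]$Default)
    if ($Country -and $CountryToUsageLocation.ContainsKey($Country)) {
        return $CountryToUsageLocation[$Country]
    }
    return $Default
}

function Set-MissingUsageLocation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Default)

    # Only enabled member users without a UsageLocation; guests are not licensed here
    $users = Get-AzureADUser -All $true | Where-Object {
        $_.AccountEnabled -and $_.UserType -eq 'Member' -and [string]::IsNullOrEmpty($_.UsageLocation)
    }

    foreach ($user in $users) {
        $location = Resolve-UsageLocation -Country $user.Country -Default $Default
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Set UsageLocation to $location")) {
            Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $location
        }
        [pscustomobject]@{ User = $user.UserPrincipalName; Country = $user.Country; UsageLocation = $location }
    }
}

# Runbook body: sign in with the credential asset, fix the users, log the result to the job output
$credential = Get-AutomationPSCredential -Name $CredentialAssetName
Connect-AzureAD -Credential $credential | Out-Null

$changed = Set-MissingUsageLocation -Default $DefaultUsageLocation
Write-Output "Set UsageLocation on $(@($changed).Count) user(s)"
$changed | Format-Table -AutoSize
```

Because the runbook signs in with a stored password, the account behind the credential asset needs only the directory role required to edit user properties and should be excluded from interactive MFA prompts, so keep it dedicated to this job and monitor its sign-ins like any other service account.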
That’s it. Saturday morning, the day after my SwissSkills 2018 competition in Bern. Waiting for a call to answer even though I know that my performance was not good enough to deserve a podium spot.
Update, 16.09.2018: the rankings are now available and I made it to fourth place, missing third by 0.05 points (!)

## My journey

Last year I had the privilege to compete at the national ICT skills after qualifying through the regional championships. I went there with no expectations; I just wanted to know where I stand among others. In the end I was overwhelmed with the 3rd place.
With this achievement a few things had changed. I’ve gotten new opportunities regarding my job, had the chance to attend great events and had a confidence boost to finish my apprenticeship.
Because of my 3rd place last year I was automatically qualified to compete this year at the SwissSkills in Bern. Now I had expectations and wanted to qualify myself for the upcoming WorldSkills in Kazan.
## The SwissSkills competition

I went to the event with a good feeling and felt confident. I had prepared myself well, even better than last year, and I wanted this podium spot so badly. During the competition I realized that just because you want something, it doesn’t mean that you will get it. No matter how much you want it. I gave my very best, but approximately 5 hours into the competition I had trouble focusing properly and was unable to concentrate. Of course the tasks were difficult, but not at an unsolvable level.
OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the user’s personal OneDrive. OneDrive Known Folder Move is the modern replacement for the well-known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end users.

Updated on 04.08.2019: Added administrative template configuration

This post is based on a great article from Oliver Kieselbach about deep-dive ADMX ingestion to configure SilentAccountConfig with OneDrive. I used his blog to play around with ADMX ingestion.

## Prerequisites

To automatically deploy OneDrive Known Folder Move the following prerequisites must be met:

- OneDrive sync client with build 18.111.0603.0004 or greater
- Azure AD joined or hybrid Azure AD joined Windows 10 device
- Running Windows 10 1709 or later

## Intune configuration

### Configure SilentAccountConfig

#### Option #1 - ADMX templates

With SilentAccountConfig enabled, OneDrive for Business gets automatically configured with the account of the user currently signing in to Windows.