Quid Pro Quo EMS

September 14, 2016

Hello,

Quid Pro Quo … or, in the words of Austin Powers, Squid Pro Quo, meaning “a favour for a favour”. From the corporate ICT’s perspective this translates to: we provide additional services that you can use whenever, wherever, but … we need some information about the location and the device before we do that.

Sounds good … Let’s take a popular cloud service like mail/calendar or cloud storage as an example.

What might be a good compromise?

We’ll provide you access to OneDrive for Business, but … we like to make sure the device is locally encrypted, has a minimum of security applied to it and is not jailbroken.

And we provide you with a single sign-on experience on your corporate machines but require some kind of multi-factor authentication on BYOD.

Let’s see how we could do this. You’ll need Azure Active Directory Premium to start with this.

First we open our admin center -> Azure AD -> Domain and use the Applications tab.

Now we’ll continue with the SharePoint Online service and configure it.

Now we’ll activate MFA for a specific Office 365 security group of users and request MFA only when the user is not in a “work” location.

You’ll need to define what the work locations are by clicking the link. So first we’ll go for the scenario where we require MFA when the user is not @ work.

Additional info can be found here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/?rnd=1

So we’ll define the work locations, in this case based on an IP/subnet combination.

Now if I log on to OneDrive from my machine in that IP subnet, we expect no MFA.

Unfortunately I kept on receiving the Additional verification box …

BTW: the Microsoft Authenticator app is simply a great tool!

No more hassles with copy/paste of codes through sms or applications. The app simply allows you to approve or deny the authentication request.

Install the app -> link your account by scanning a QR code (use myapps.microsoft.com)

And approve or deny.

Great functionality there … But back to the subject … Why do I still require MFA now?

Now I modified the trusted IP range to include my external IP address as received from my ISP (as my Wi-Fi router is of course using NAT) …

Bingo! No MFA request …

While if I do this from another machine, I receive the request for MFA.

Okay, now let’s go one step further and deny access if not @ work.

Now let’s see the result if we try to connect from a machine at a location that is not @ work.

Yes! No access …

So overall this is some great functionality: MFA is not an on/off scenario, we can have a granular implementation per service and define different settings per location.

We can select to force MFA when not on a work location or simply block access completely. It’s clear that cloud first, mobile first is really on track.
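Both choices just described (force MFA outside a work location, or block completely) can be modelled locally to see why the LAN address never matched: Azure AD evaluates the trusted IP list against the public source address of the request, which behind a NAT router is the ISP address, not the 192.168.x.x address of the PC. This is an added example, not code from the original post; the trusted range and the sample addresses are constructed placeholders from the documentation ranges.

```powershell
# Added example (not code from the original post): a local model of the
# "work location" rule, evaluated the way Azure AD sees a request, i.e. against
# the public source address, never the LAN address behind the NAT router.
# The trusted range and the sample addresses are constructed placeholders.

function Test-IPInCidr {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Cidr          # e.g. 203.0.113.0/24
    )
    $network, $prefix = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ipBytes.Length -ne $netBytes.Length) { return $false }   # IPv4 vs IPv6
    # Compare only the first $prefix bits; [math]::Floor avoids the
    # round-to-nearest behaviour of a plain [int] cast on e.g. 7/8
    for ($bit = 0; $bit -lt [int]$prefix; $bit++) {
        $byte = [int][math]::Floor($bit / 8)
        $mask = 0x80 -shr ($bit % 8)
        if (($ipBytes[$byte] -band $mask) -ne ($netBytes[$byte] -band $mask)) { return $false }
    }
    return $true
}

function Get-AccessDecision {
    param(
        [Parameter(Mandatory)][string]$SourceIP,
        [Parameter(Mandatory)][string[]]$TrustedRanges,
        [ValidateSet('RequireMfa', 'Block')][string]$OutsideWorkAction = 'RequireMfa'
    )
    foreach ($range in $TrustedRanges) {
        if (Test-IPInCidr -IPAddress $SourceIP -Cidr $range) { return 'Allow, no MFA (work location)' }
    }
    if ($OutsideWorkAction -eq 'Block') { return 'Deny (not at work)' }
    return 'Allow after MFA (not at work)'
}

# Constructed sample: the office egress range, then three requests
$trusted = @('203.0.113.0/24')
Get-AccessDecision -SourceIP '192.168.1.25' -TrustedRanges $trusted   # LAN address: Azure AD never sees it, so no match
Get-AccessDecision -SourceIP '203.0.113.42' -TrustedRanges $trusted   # public address inside the range: no MFA
Get-AccessDecision -SourceIP '198.51.100.7' -TrustedRanges $trusted -OutsideWorkAction Block   # other machine: blocked
```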

Next up : device based access rules.

Enjoy.

Gino D


Teamviewer in Intune

September 8, 2016

Hello,

Since the beginning of the computer era, end users have required support, preferably on site with some coffee and chocolates to go. But the reality is remote support, using some kind of tool that allows remote control.

Windows 8 and above lack that functionality with Windows Intune; not the fault of Intune but something inherent to the OS itself.

Now we can integrate cloud service 1 (Intune) with cloud service 2 (TeamViewer) for remote assistance. Great! Let’s see how it goes.

First we need to activate the TeamViewer functionality in Intune.

Check out Administrator -> TeamViewer -> Activate

Now follow the wizard; it will guide you through the creation of a user with the required service and allows the creation of a trial account for testing.

Now let’s pretend to be a needy user on a Windows 10 Anniversary Update build, so he/she opens the Intune portal and requests assistance.

Now we (the admin, actually the same person 🙂) see the alert in the Intune admin console.

Now we can immediately start the session from the console …

The TeamViewer software is downloaded and installed.

And request validation is launched on the client machine.

After installation the connection is created automatically.

The user grants access …

… Et voilà, we have the client side, where the user sees who is taking control …

… and the admin side for helping out our customer.

You can perform some more advanced actions like blanking the screen on the user side, blocking input, locking the screen etc.

And you receive a free word of advice and a pat on the back from TeamViewer! We (always) play it fair.

So there you have it, easy and simple but a world of difference for our connected end user.

Enjoy

Gino D


Add URL to customized Windows 10 Start Menu

September 1, 2016

Hi,

Since more and more of our customers are adopting Windows 10 in their environment we start to learn more tricks every day.

An important component of Windows 10 is the start menu. Administrators could apply a default start menu layout for all users by using a GPO, but the downside of this approach is that the user isn’t able to add any custom applications himself. That’s why I prefer to set the start layout during the Windows 10 deployment task sequence using a PowerShell script.

Afterwards the default layout is set when the user first logs in; from then on the user can edit his start menu as he likes. Adding “classical” applications such as Word, Excel and PowerPoint is quite easy as those applications are already present when the user first logs in. Adding a shortcut to a website might be a little bit harder; in this post I’ll be explaining the steps that need to be taken to accomplish this. It’s a combination of PowerShell, SCCM (also applicable to MDT) and Group Policy Preferences. Let’s get started.

First of all, start by customizing the start menu as you like on a test machine. The start menu I want is the one shown below. We’ll be focusing on the highlighted icon in the start menu as this is a URL; the other shortcuts are applications.

When the start layout is finished, launch PowerShell and execute the following command to export the start layout:

Export-StartLayout -Path "C:\windows\temp\Startlayout.xml"

The XML generated looks as follows (the tile with the Citrix URL, in the last group, is the one that matters here):

<LayoutModificationTemplate Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6" xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout">
        <start:Group Name="Webbrowsers" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.InternetExplorer.Default" />
        </start:Group>
        <start:Group Name="Office " xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\WINWORD.EXE" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Office.OUTLOOK.EXE.15" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="2" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\POWERPNT.EXE" />
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="2" DesktopApplicationID="{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Microsoft Office\Office15\EXCEL.EXE" />
        </start:Group>
        <start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="Microsoft.SoftwareCenter.DesktopToasts" />
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="Microsoft.Windows.ControlPanel" />
        </start:Group>
        <start:Group Name="" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="https://citrix.contoso.com" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>

Now create an SCCM package containing the XML file and a PowerShell script with the following content:

Import-StartLayout -LayoutPath "$PSScriptRoot\StartLayout.xml" -MountPath "$env:SystemDrive\"

Now this can be executed using a Run PowerShell Script step during the SCCM OSD task sequence.

Without further action, when a user first logs in the start menu will be generated but the URL to citrix.contoso.com will not be present. To make sure it’s there we need to create a Group Policy Preference that puts the exact URL in the start menu for the user. Pay close attention, because the target URL specified in the GPP must EXACTLY match the value of DesktopApplicationID (without the quotes).
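As an added example (not code from the original post), the following PowerShell reads an exported layout, lists every tile with its group, and compares the URL tile character for character with the value you intend to put in the GPP shortcut, so a trailing slash or casing difference is caught before deployment instead of showing up as a silently missing tile; the file path and the GPP target value are assumptions.

```powershell
# Added example, not part of the original post: list the tiles in an exported
# StartLayout.xml and check that the URL tile matches the GPP shortcut target
# exactly, since a mismatch silently leaves the tile out of the start menu.
# The layout path and the GPP target value below are assumptions.

function Get-StartLayoutTiles {
    param([Parameter(Mandatory)][string]$LayoutPath)
    [xml]$layout = Get-Content -Path $LayoutPath -Raw
    # local-name() sidesteps the start:/defaultlayout: namespace prefixes
    foreach ($tile in $layout.SelectNodes('//*[local-name()="DesktopApplicationTile"]')) {
        $id = $tile.GetAttribute('DesktopApplicationID')
        [pscustomobject]@{
            Group = $tile.ParentNode.GetAttribute('Name')
            Id    = $id
            IsUrl = $id -match '^https?://'
        }
    }
}

function Test-UrlTileMatchesGpp {
    param(
        [Parameter(Mandatory)][string]$LayoutPath,
        [Parameter(Mandatory)][string]$GppTargetUrl
    )
    $urlTiles = Get-StartLayoutTiles -LayoutPath $LayoutPath | Where-Object IsUrl
    if (-not $urlTiles) { Write-Warning 'No URL tile found in the layout'; return $false }
    foreach ($t in $urlTiles) {
        # -ceq is case-sensitive and nothing is trimmed: the match must be exact
        if ($t.Id -ceq $GppTargetUrl) { return $true }
        Write-Warning "Tile '$($t.Id)' does not exactly match GPP target '$GppTargetUrl'"
    }
    return $false
}

# Run against the exported layout that goes into the task sequence package
Get-StartLayoutTiles -LayoutPath 'C:\windows\temp\Startlayout.xml' | Format-Table -AutoSize
Test-UrlTileMatchesGpp -LayoutPath 'C:\windows\temp\Startlayout.xml' -GppTargetUrl 'https://citrix.contoso.com'
```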

Now when the user (for whom the GPP is applied) logs on for the first time on a Windows 10 computer, the default start layout will be applied properly and the URL will also appear.

Hope this helps!

Best regards,

Bert


EMS

August 15, 2016

Hello,

Empowerment of users is always great: we all want to be able to perform certain required actions when we want to, instead of logging requests and waiting for the actions to occur.

Microsoft EMS is a combined set of cloud services wrapped up in one license formula. More info can be found here: https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility. But today we focus on self-service group management and password reset (and not on the Olympic Games in Rio 2016).

First we need to enable the required features in Azure AD.

Now add the test user to the required Azure groups and open https://myapps.microsoft.com

Now this user can create new security or Office 365 groups (depending on the group membership above).

Now what’s really great is that we can delegate the group membership (adding or removing users to the group) to the group owners. We could also do this using AD and supply a Users and Computers MMC internally, or use FIM, but this is straight out of the box.

Let’s see how it looks.

Now we can create a new group (we’ll use an O365 group).

Now we have set up this group to require owner approval, so in this case we can decide who can be a member.

So if we log on with another user (with an EMS license) and look for the group, we can request access!

Let’s join.

And the owner can approve / deny.

And the requesting user can verify the status of his request using the same interface, under My requests.

That’s it, great functionality for delegating the creation and the ownership of security or Office 365 groups. Power to the users!

Enjoy.

Gino D.


Windows Store For Business

May 17, 2016

Hello,

Windows Store for Business is an exciting new concept: a separate Windows Store for business users. You log on with your corporate account and have access to the commercial or LOB apps provided by your company.

https://businessstore.microsoft.com/en-gb/lob/AppDetails/

Let’s get started !

Log on as admin and invite a publisher; this allows that specific account to upload a universal application so that it becomes available in the Windows Store for company X. This should be a Microsoft Dev account (personal or business, both work).

High-level, the process is as follows:

Now in this scenario we will only present the LOB app through the Windows Store for Business; you can however also deploy the app offline by using ESD, or sync with your MDM for deployment (e.g. Intune).

Additional info about these scenarios can be found here: https://technet.microsoft.com/en-gb/itpro/windows/manage/manage-apps-windows-store-for-business-overview

After completing this, check your LOB publishers.

Check the LOB publishers to verify the user is approved.

Now as soon as your publisher has uploaded his/her custom universal app and validation has succeeded, it will be available in your store (may take approx. 48 hours!).

48 hours later … All right … app available.

Now you can add the app to your inventory …

Now open Manage -> Inventory and you should see your universal app.

Now add your app to the private store.

Add in progress (may take up to 24 hours).

Wait for it! Meanwhile you can see the mixture of personal and corporate accounts linked to the Windows Store. In my case I have multiple accounts added on my Azure AD joined machine, so you’ll see both accounts. If I click a link in the normal, commercial store my Hotmail account will be used; for a link from the Realdolmen store my corporate account will be used.

Now let’s install the test app.

Yes, installed!

Now you as an admin can see the used licenses and recall them if required; this particular test app has unlimited licenses.

We also observed that as soon as a new version of our universal app is uploaded to the store, the application is updated without any notification / interaction from the user.

Enjoy.

Gino D


Reboot notifications

May 9, 2016

Hello,

Reboot notifications; we all hate to reboot. Normally the less the better, but as … an admin you want to persuade your users into rebooting the device from time to time. It keeps it healthy and running smoothly.

Now in SCCM we have several options for rebooting. In this particular case we suppress the reboot for the update deployment, so the user gets notified but is not forced to reboot.

Unfortunately the result was this:

That’s odd, the Windows Update reboot notification was not what we wanted. If we check the notification area we see 2 notifications: one for the SCCM client and one for Windows Update.

The settings required to modify this behavior were the following:

· System -> Windows Components -> Windows Update -> Configure Automatic Updates: Disabled

· Re-prompt for restart: Disabled.

After modification of these policies the result was better! Just one notification.

And if the user presses the Open restart button:

Or selects the Restart now option:

In the Software Center applet you can see detailed info about which update requires a reboot.

Now the behavior is different for software installations requiring a reboot. For example this IE11 installation returns exit code 3010 (reboot required).

The user will be notified about a required reboot on the device; the settings are configured in the SCCM client settings for “Computer Restart”.

The user will receive a popup:

If ignored the restart icon will stay in the notification area.

Now according to the settings, a permanent message is shown as soon as there are only 15 minutes left on the clock. The color of the progress bar will change and the Hide button will become unavailable.

Enjoy

Gino D


Quick Tip ! Automate it !

April 28, 2016

Hello,

I am a big fan of automation: you improve efficiency by generating a consistent result fast.

But it needs to be worth it, you need a certain quantity of requests before the investment pays off.

Luckily we have these kind of environments in our partner portfolio.

Here we use the Service Manager portal not for the end users but present it to the first-line helpdesk, so they don’t have to escalate certain tasks to second line. All requests are automated by Orchestrator runbooks.

And we are at 4874 completed requests.

Simple math: about 10 minutes if the action is performed manually; this makes 48740 minutes -> 812 hours -> 101 working days saved. This time can be spent on tasks that create real added value for the partner.

Enjoy.

Gino D