Windows 10 AlwaysOn Conditional Access Connection Fix – Part 2


Over the last couple of months I worked together with Microsoft on protecting the Windows 10 AlwaysOn VPN connection with AzureAD Conditional Access. As I explained in my earlier blogpost, I found a strange issue where a user was able to connect without being compliant with the Conditional Access requirement. After publishing that blogpost, Microsoft came back to me that even that configuration is not the ‘total’ solution. The reason is that the VPN backend (RAS or NPS) should enforce the use of the AzureAD Conditional Access certificate. In this blogpost I will explain the steps needed to get this configured.

Join me at the Tech Summit AMSTERDAM Next Week!


Next week I will be speaking at the Microsoft Tech Summit, which takes place in the Amsterdam RAI. On Wednesday the 28th I will be speaking about ‘Protect your Windows 10 VPN solution with AzureAD Conditional Access’. Besides my own session I will also take part in the Microsoft 365 Keynote, where we will share our KPN Microsoft 365 Migration experiences. At the end of the day I will also be present at the ‘Ask-the-Experts’ session. On Thursday I will also be at the Tech Summit, but just as an attendee. I hope to see you at my session in The Hub Theater.


Session Abstract:
In this demo-rich session I will discuss the Windows 10 AlwaysOn VPN solution. Besides the solution itself, I will also show how we can publish the VPN through Microsoft Intune to our Windows 10 workstations and how we can protect the AlwaysOn VPN with AzureAD Conditional Access. Come to this session if you want to learn more about the AlwaysOn VPN and how to protect it with AzureAD Conditional Access.

Updated Bitlocker Experience with Windows 10 Insider and Intune


This blogpost describes the current Bitlocker experience on Windows 10 1709 and the experience with the Windows 10 1803 Insider Build release (build numbers 17101 and 17107). In this blogpost I’m using Microsoft Intune to configure the Bitlocker settings on the client. Within Microsoft Intune a setting has been added to improve the Bitlocker experience. Since this setting only behaves differently on Windows 10 1803 Insider builds, don’t expect any improvements on Windows 10 1709. For completeness, in this post I will also describe the experience with Windows 10 1709.

This blog post uses the AllowWarningForOtherDiskEncryption setting of the Bitlocker configuration service provider (CSP) to silently enable Bitlocker on Windows 10 1803 devices. Windows 10 1803 is currently available as an Insider Preview build.

Collect and report on custom data with Intune


This week’s blogpost is about collecting ‘custom’ data which is not inventoried by Intune or Windows Analytics in a Windows 10 Modern Management scenario. In a modern management scenario, data about the device like Device Model, Installed Applications and Windows Updates Compliance is collected by either Microsoft Intune or Windows Analytics. But at this moment there are some ‘gaps’ when looking at which data is collected and which is not; examples are BIOS information and Office365 Pro-Plus deployment information. In this blogpost I’m describing a solution which you can use to collect additional data and create reports based on the collected data.

Control Office365 Pro-Plus version/channels with Intune


With Microsoft Intune we can control the Windows 10 Update rings by using the Software Updates policies. For the Office365 Pro-Plus installations this is a different story: at this moment we are not able to configure this through a GUI policy within Intune. In my current project it’s one of the requirements to control and enforce the update channels of the Office365 Pro-Plus installations. I was discussing this requirement with my colleague Peter van der Woude and he challenged me to check if this was possible through ingesting an Office ADMX policy file. My answer was: Challenge Accepted!

Intune and assigning policies to limited users/devices


This blogpost is about assigning Intune policies/apps to a limited group of users or devices. I want to look into the different sections, like Configuration Policies, Compliance Policies and Apps, and explain what options you have regarding assigning them to a limited set of users/devices. For the policies (Configuration and Compliance) you can use the include and exclude assignment to exclude users/devices from a policy. For App assignments the include/exclude assignment is not available, but you will have some other options!

Windows 10 AlwaysOn Conditional Access Connection Fix


Last year I wrote a couple of blogposts about the Windows 10 AlwaysOn VPN solution with AzureAD Conditional Access. You can find the blogposts here:

After testing this solution more and more, I had a strange issue where the user was able to set up an AlwaysOn VPN connection even when the conditional access conditions were not met. So if my conditional access policy required a compliant device, I was still able to connect with a non-compliant device. I could do this by clicking on the X (Close) icon while I was in the Conditional Access flow. Together with Microsoft I’ve investigated this and a solution has been found.

2017 in Review and Happy New Year


Normally I write this blogpost at the end of the year, but the last couple of weeks of 2017 were very busy, so the time to write blogposts was very limited. 2017 started great with receiving my second MVP Award. I really like sharing my knowledge with the community, and again receiving the MVP award for this is an honor. In 2017 I also changed jobs: I started at KPN Consulting as a Technical Consultant with a strong focus on Intune, ConfigMgr and Windows 10. With this job switch my knowledge area changed from primarily RDS to Intune, ConfigMgr and Windows 10. All these changes were great and I’m looking forward to continuing to share my knowledge in 2018.

Intune Policy conflicts caused by ‘hidden’ setting


This week I was looking into an issue with Intune and conflicting policies. In our case the Device Restriction and the Software Updates policies were in conflict. In this blogpost I want to share with you how I did some troubleshooting and how I solved the conflicting policies. My first step was to look into the configured policies and search for the policies which have a high percentage of error deployments.

Backup Bitlocker Recovery Key with Intune PowerShell


This week’s blogpost is about the new PowerShell capabilities we get through the Intune Management Extension. This new capability was released in the latest Intune release from two weeks ago. With the ability to run PowerShell on MDM-managed devices, many scenarios are possible. The scenario I wanted to test is adding an additional Bitlocker Recovery key to the Bitlocker configuration. If you’ve applied an Intune Endpoint Protection policy, this key is automatically saved into AzureAD. From past experience I know that this is not easy, because we need to run the scripts in an elevated PowerShell user session. But I accepted the challenge and I got it working. Credits also to my colleague David Omisi, since he helped me develop the PowerShell script.