
Configmgr SQL query to get the list of clients that require a specific software update patch


This is a quick blog post about getting the list of clients that require a specific software update (the filter can be based on title, article ID (KB) or bulletin ID).

You can get the client list using the default software update compliance reports, but they don't give you the inventory information about the client, like IP address, hardware scan, software update scan, OS etc. Writing a custom SQL query allows you to filter a lot more, like collection ID, hostname contains, OS not like etc.

Adobe has released a security update (APSB17-32) for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a critical type confusion vulnerability that could lead to code execution.

The security team has requested that this update be applied to all machines that require it, so before proceeding you need to identify the list of clients, notify the application team (mainly for servers), follow the change request process etc.

Below is the SQL query to get the list of clients that require bulletin ID APSB17-32. I have also added a couple of filter options, like excluding server OS 2003 and including only server OS.

I have also added title, article ID, collection ID and hostname filters, which are commented out in the query. If you want to filter the results using these, simply uncomment them (remove the leading dashes --).

You can use this SQL query to create an SSRS report and run it directly from the URL, without running it from SQL Server Management Studio.

-- Clients that still require a given software update, with inventory details
select vrs.Name0 [Host], os.Caption0 [OS],
IP.IPAddress AS [IP Address],
CONVERT(VARCHAR(26), ws.lasthwscan, 100) as [LastHWScan],
CONVERT(VARCHAR(26), uss.lastscantime, 100) AS 'LastSUScanTime',
CONVERT(nvarchar(26), OS.LastBootUpTime0, 100) AS [Last Reboot],
ui.InfoURL as InformationURL, ui.Title, ui.dateposted [Date Posted]
from v_UpdateComplianceStatus css
join v_UpdateInfo ui on ui.CI_ID = css.CI_ID
inner join v_FullCollectionMembership fcm on fcm.ResourceID = css.ResourceID
JOIN dbo.v_R_System AS vrs ON vrs.ResourceID = css.ResourceID
join v_GS_OPERATING_SYSTEM OS on os.ResourceID = css.ResourceID
join v_GS_WORKSTATION_STATUS WS on ws.ResourceID = css.ResourceID
join v_UpdateScanStatus USS on uss.ResourceID = css.ResourceID
-- one comma-separated string of IP addresses per client
-- (APIPA 169.x, 0.x, IPv6 and 192.x addresses are excluded)
JOIN (SELECT IP1.resourceid AS rsid2, IPAddress = substring
      ((SELECT (IP_Addresses0 + ', ')
        FROM v_RA_System_IPAddresses IP2
        WHERE IP2.IP_Addresses0 NOT LIKE '169%' AND IP2.IP_Addresses0 NOT LIKE '0.%' AND IP2.IP_Addresses0 NOT LIKE '%::%' AND
              IP_Addresses0 NOT LIKE '192.%' AND IP1.resourceid = IP2.resourceid
        ORDER BY resourceid FOR xml path('')), 1, 50000)
      FROM v_RA_System_IPAddresses IP1
      GROUP BY resourceid) IP ON IP.rsid2 = fcm.resourceid
WHERE css.Status = 2 -- status 2 = update is required on the client
and ui.BulletinID = 'APSB17-32'
-- optional filters: uncomment the ones you need
--AND ui.Title = '2017-08 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB4034664)'
--and ui.ArticleID = '4034664'
and vrs.operatingSystem0 not like '%2003%' -- exclude Windows Server 2003
--and fcm.CollectionID = 'PS100118'
--and (fcm.name like '%WP%')
and vrs.operatingSystem0 like '%server%' -- server OS only
group by vrs.Name0, vrs.operatingSystem0, ui.InfoURL, ui.Title, ui.dateposted,
os.caption0,
ws.lasthwscan,
uss.lastscantime,
IP.IPAddress,
OS.LastBootUpTime0
ORDER BY 1


Hope it helps!


Internet access is blocked in 3rd party browsers on Windows 10 devices that have Windows Information Protection (WIP) policies applied using Intune


For the last few weeks I have been working on Office 365 stuff, including O365 applications, Teams, OneDrive and managing mobile devices and Windows (MDM/MAM) using Intune.

While working on this, I found that on Windows 10 devices that have WIP policies applied, internet access is blocked (access denied) in 3rd party browsers like Google Chrome and Firefox, but it works fine in the Edge and Internet Explorer browsers.

To know more about Windows Information Protection, read the TechNet article https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip

To use 3rd party browsers such as Chrome and Firefox, we need to define a Cloud Resource rule and pass through the /*AppCompat*/ variable. This is because when an unenlightened app like Chrome or Firefox tries to connect to a cloud resource through an IP address, Windows can't determine whether it is a corporate location or a personal location, so the default behaviour for Windows is to block the connection. To resolve this you simply need to add Cloud Resources like below, which define the cloud resource locations you want to treat as corporate.

To know more about how unenlightened apps behave, please read https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip


How do you allow 3rd party browsers to access the internet (this does not protect the data in the application; it just allows internet access)?

Log in to www.portal.azure.com

Go to Intune App Protection, click on App policy (Intune App Protection – App policy) and click on the Windows 10 compliance policy (you will notice Windows as the platform)


On the Windows 10 app protection policy, click on Advanced settings, then click on Cloud resources


Add |/*AppCompat*/ in the value field and click OK. There is no particular position for this value; you can add it anywhere.

Once you add the value, make sure the tick mark on the right-hand side is set so that the change is valid.


Click Save for the advanced settings.

Now users of Windows 10 devices should be able to access the internet using 3rd party browsers.

Recommended reading

https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/app-behavior-with-wip

https://docs.microsoft.com/en-au/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip

Hope it helps!

Intune Windows Information Protection (WIP) policies: test cases and notes from the field


Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees bring to work, without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management, also works alongside WIP to extend data protection to data that leaves the device, such as when email attachments are sent from an enterprise-aware version of a rights management mail client.

For the last few days, I have been busy testing Windows Information Protection policies on BYOD devices to protect enterprise data, and noting the test cases for any data leakage issues using corporate managed applications such as Office 365 ProPlus (Word, Excel and other apps).

If you want to read more about what Windows Information Protection is, please go through https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip

During my testing, I noticed a couple of issues on Windows 10 build 1703 (on my Surface and also on a couple of VMs), some of which are fixed (with some simple configuration settings), but there are still some outstanding ones for which I have no fix for the data leakage.

In this blog post, I will list the issues that I have fixed and some outstanding issues. If you see a solution for the outstanding issues, please report it via the comments section.

Note: I will be updating all my test cases in this post when I find something interesting.

1. If the device is WIP managed, internet access is blocked in 3rd party browsers (excluding IE and Edge) such as Chrome, Firefox etc. The fix for this is to add /*AppCompat*/ to the cloud resources section. For more information about this, please refer to this post.

2. Unable to upload O365 protected files to OneDrive (OneDrive for Business) on Windows 10 using Windows Information Protection (WIP) policies. I get the following error while trying to upload files that are saved on my desktop. These files are protected using my corporate identity, which is set under the required settings in the WIP policy.


I open the corporate managed apps like Word, Excel or Notepad and save the file as work with eskonr.onmicrosoft.com. After I save the doc, it is protected, with a briefcase icon on it (if you chose to show the enterprise data protection icon in the WIP policy).


When I try to upload these protected docs to my corporate OneDrive, it fails with the error: can't be synced with OneDrive. A policy set by your IT administrator prevents you from syncing this work file to your OneDrive. This is because all the files are protected with the user identity. In this case the user identity is eswar@eskonr.com. This is the user ID that the user used to do the workplace join on his BYOD device to access company resources.

In this case, the user ID is eswar@eskonr.com and the UPN suffix is eskonr.com, which is not recognized as a protected domain. To fix this, we need to edit the WIP policy and make some changes in the advanced settings.

Go to the WIP policy that you have assigned to users, click on Advanced settings, select Add network boundary, choose Protected domains for the boundary type, give it a name (anything that suits you) and in the value, add eskonr.com

If you have multiple UPN suffixes like eskonr.com.sg, eskonr.com.in, eskonr.com.hk, you need to add the UPN names here separated with |.

In my case, the setting looks like this for multiple UPNs.


Once I am done with this, sync the policies on the user device. This time, it will allow you to upload files to OneDrive.

Also note that with this setting, all the files in OneDrive and files that you upload from outside OneDrive will by default be protected with file ownership as eskonr.microsoft.com, which helps to protect these files anywhere, even if the user tries to copy them to an external disk.

3. If you have MAM and MDM settings enabled for Windows 10 (Azure Active Directory, Mobility (MDM and MAM), Intune) for users, MAM will take precedence over MDM. Why is this important? Well, when you create Intune app protection policies (WIP), you must align these policies with enrollment as 'With enrollment' or 'Without enrollment'.

What I noticed in my testing is that if you have set the managed type to MDM in Azure Active Directory and you create app protection policies for Windows 10 with enrollment type 'Without enrollment', these policies will not apply to the end user.

After you create the policy with enrollment type 'With enrollment', the app protection policies will be applied, which will protect your corporate data.


Now let's look at the outstanding issues:

1. I copied a Word document or Notepad file (.docx, .txt) from my OneDrive, which is protected with file ownership 'eskonr.microsoft.com', to my BYOD desktop. This file is protected and I can see the briefcase icon on the file.

Since the file is protected, if I open the document and try to copy content from this doc file to any unmanaged app, it will block the paste action, saying the app can't access the content or the paste action is blocked by your IT.

So far we have talked about the copy/paste action, which works only with managed apps, which is good. But now let's try to change the file ownership from work to personal and see what happens. (I do not have Azure RMS enabled with the WIP policy.)

Open the protected Word document; after it opens, go to Save As and there, choose file ownership Personal instead of Work, which is allowed on Windows 10 1703 and lower versions.


This way you can leak the corporate data.

What is the fix for this? This issue is fixed in Windows 10 1709 (Fall Creators Update). In Windows 10 1709, if you try to open corporate managed documents, it will not allow you to save them as personal.

2. Copy the data from a protected app (for example, work1 from the Notepad file above), paste it into the Run command, Explorer or cmd.exe, which are unmanaged apps, and from there I can save it as personal.


Testing in progress, please wait for more updates!

ConfigMgr: how to use Compliance Settings to check the Windows Update policy settings like WUServer, UseWUServer, NoAutoUpdate on clients


When you install the Configuration Manager client to manage a Windows device, it will try to configure local group policy to set the WSUS server settings (unless you have a GPO configured to set these settings). If you do have a GPO that configures the WSUS information, the local GPO created by the ConfigMgr client will fail, which will be logged in wuahandler.log and windowsupdate.log.

If you look at wuahandler.log, you will see an error something like the one below: “Group policy settings were overwritten by a higher authority (domain controller) to server and policy not configured”.


So before you try to install the SCCM client, it is always recommended to disable the GPO settings for Windows Update, to avoid the conflict with the local GPO created by the ConfigMgr client. More information about software update troubleshooting: http://eskonr.com/2015/04/sccm-2012-troubleshoot-client-software-update-issues/

If you want to know more about ConfigMgr software update management and its relation to group policy, please read Jason Sandys' explanation: https://home.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/

https://home.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/

In this blog post, we are going to see how to check that the 4 primarily used Windows Update policy settings (the WSUS settings) UseWUServer, WUServer, NoAutoUpdate and AcceptTrustedPublisherCerts (for 3rd party patching) are correctly configured before clients perform a software update scan.

1. WUServer

2. UseWUServer

3. NoAutoUpdate

4. AcceptTrustedPublisherCerts

Although you can run a SQL query to get the clients that are having issues with a GPO conflict, it is always good to check these registry keys to make sure the clients are good.

AcceptTrustedPublisherCerts –> for trusting 3rd party updates, if you are using SCUP to deploy Adobe, Flash, Java and other updates via SCCM.

The location that stores the above policy settings in the client registry is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (for both 32-bit and 64-bit OS)


NoAutoUpdate –> disables automatic Windows Update


Following is the SQL query to get client info for clients that have issues with a GPO conflict:

-- Clients whose last software update scan failed with the GPO conflict error code
select distinct sys.name0 [Computer Name], os.caption0 [OS],
convert(nvarchar(26), ws.lasthwscan, 100) as [LastHWScan],
convert(nvarchar(26), sys.Last_Logon_Timestamp0, 100) [Last Loggedon time Stamp],
sys.user_name0 [Last User Name], uss.lasterrorcode, uss.lastscanpackagelocation
from v_r_system sys
left join v_gs_operating_system os on os.resourceid = sys.resourceid
left join v_GS_WORKSTATION_STATUS ws on ws.resourceid = sys.resourceid
left join v_updatescanstatus uss on uss.ResourceId = sys.ResourceID
inner join v_FullCollectionMembership fcm on fcm.ResourceID = sys.ResourceID
where uss.lasterrorcode != '0' -- any scan error
--and fcm.CollectionID in ('PS100140') -- optional: limit to one collection
and sys.client0 is not NULL -- resources that have a ConfigMgr client
and uss.LastErrorCode = '-2016409966' -- 0x87D00692: group policy settings overwritten by a higher authority
order by sys.name0


Now let's focus on the configuration item/configuration baseline to create this task and deploy it to a collection:

I have a couple of blogs on how to create a configuration item with settings, hence I am not going to show you step by step. I will go through the settings that are really important for this task.

At the end, I also attach the exported version of the configuration baseline; however, you might have to edit it after import because of the WSUS server information.

In the new setting, provide the following information.

Name: WUServer (anything you like), Setting type: Registry value, Data type: String, Hive name: HKEY_LOCAL_MACHINE, Key name: SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Click on Browse to select the registry key


Registry key: choose the following settings.

Click OK


Click on Compliance Rules; you will see 2 conditions.

If you have multiple WSUS servers, click on the WUServer 'one of' rule, click Edit rule,

paste all the WSUS server locations into the 'one of' field of the setting and click OK


How do you get the list of all WSUS server locations?

Run the following SQL query against your CM database.

-- Distinct WSUS locations that clients have scanned against (empty values excluded)
select LastScanPackageLocation from v_UpdateScanStatus
where LastScanPackageLocation not like ''
group by LastScanPackageLocation


We have now created one setting for WUServer; in the same way we need to create 3 more entries.

For UseWUServer, click on New and follow the options listed below.


While you are on this page, click on Browse and follow the path below to select the registry key


Click on OK.

Under Compliance rules, select Report noncompliance if this setting instance is not found.


We will create the remaining 2 conditions in the same way as the one for UseWUServer. All you need is to point the registry key to the respective value.

3. NoAutoUpdate –> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU


Under Compliance rules, select Report noncompliance if this setting instance is not found

4. AcceptTrustedPublisherCerts –> SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


Under Compliance rules, select Report noncompliance if this setting instance is not found


Click OK

We have now set the 4 conditions required to check the Windows Update policy settings


Click Next to verify all compliance rules


Click Next to complete the configuration item wizard.

We can now create the configuration baseline and deploy it to a collection.

If any of the above settings is not found on the client computer, it will report as non-compliant, which will help you troubleshoot and fix software update scan issues.

Download the CB – configuration baseline for Windows Update policy settings here.

To import, go to Compliance Settings – Configuration Baselines, right click and import the cab file.

After you import the cab file, don't forget to edit the configuration item and modify your WSUS server settings.
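The same four checks as a script, added here as an example and not taken from the post or its downloadable baseline: a ConfigMgr discovery script that reports the registry values the configuration item above looks for. Anything starting with "example.local" below is a constructed placeholder for your own WSUS locations; UseWUServer and NoAutoUpdate are read from the AU subkey, which is where Windows Update policy stores them.

```powershell
# Added example (not part of the original post): discovery-script version of the
# WUServer / UseWUServer / NoAutoUpdate / AcceptTrustedPublisherCerts checks.
# Returns "Compliant" when every value exists and WUServer is one of the expected
# WSUS locations; otherwise a list of problems, so the CI rule can compare the
# script output with "Compliant".
# Assumption: the WSUS URLs are constructed placeholders; replace them with the
# values returned by the LastScanPackageLocation query in the post.

$ExpectedWsusServers = @(
    'http://wsus01.example.local:8530'    # placeholder
    'https://wsus02.example.local:8531'   # placeholder
)

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# One entry per policy value: the key it lives in and, optionally, the accepted values.
# UseWUServer and NoAutoUpdate are written under the AU subkey.
$Checks = @(
    @{ Name = 'WUServer';                    Key = $WuKey; AllowedValues = $ExpectedWsusServers }
    @{ Name = 'UseWUServer';                 Key = $AuKey }
    @{ Name = 'NoAutoUpdate';                Key = $AuKey }
    @{ Name = 'AcceptTrustedPublisherCerts'; Key = $WuKey }
)

function Test-WuPolicySettings {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    $problems = @()
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Same condition as "Report noncompliance if this setting instance is not found"
            $problems += "$($c.Name) not found under $($c.Key)"
            continue
        }
        $value = $item.($c.Name)
        if ($c.ContainsKey('AllowedValues') -and $c.AllowedValues -notcontains $value) {
            $problems += "$($c.Name) is '$value', expected one of: $($c.AllowedValues -join ', ')"
        }
    }
    if ($problems.Count -eq 0) { return 'Compliant' }
    return ($problems -join '; ')
}

# ConfigMgr takes the script's output as the discovered value of the setting.
Test-WuPolicySettings -Checks $Checks
```

When this runs as a script setting (data type String), a compliance rule of "value equals Compliant" gives the same result as the four registry rules, and the non-compliant value tells you which key was missing or wrong without opening the client.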

Hope this guide helps!

Configmgr report for count of MS office versions with architecture type 32bit and 64bit


This blog post is going to be version 3 on the same topic (report for MS Office versions), but with different requirements. My previous posts on the SSRS report for count of MS Office versions and the drill-through report to see client names etc. have some limitations: they will not give you the bit type (architecture), 32-bit or 64-bit, of the Office installed on the client. They simply get the count of the MS Office edition installed and then drill down further to get you the list of client computers with Office edition, version, OS and hardware scan date info.

Both versions of the SSRS report can be found on https://gallery.technet.microsoft.com/office/SCCM-Configmgr-Report-for-2c36f1b9 and https://gallery.technet.microsoft.com/office/SCCM-Configmgr-2012-SSRS-c482cca2

After posting these 2 reports, blog viewers, TechNet gallery users and forum members asked for the bit type (32-bit or 64-bit) of the Office product that is installed on the client.

I have a lot of requests/posts in my to-do list to blog about, but due to time limitations I cannot get to all of them.

So for this requirement to get 32-bit and 64-bit for MS Office, I found a Microsoft article on identifying whether MS Office is 32-bit or 64-bit: https://support.microsoft.com/en-us/help/928516/description-of-product-code-guids-in-2007-office-suites-and-programs. It is based on the product code.

This product code is the one we use to uninstall software with msiexec /x {productID}.

Below is the screenshot from the support article.


In the product code, the 21st character from the left (substring(productID,21,1)) tells you whether it is 32-bit or 64-bit:

0 for x86

1 for x64

If you read the support article, there is a lot of other information, like release version (RTM, SP1, SP2 etc.) and release type (volume, retail, trial).

This product ID is stored in different SQL views in the CM database, of which we are going to utilize v_Add_Remove_Programs. For more information about SQL views in SCCM, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

The following Office editions are included in the report. If you have any other Office editions which are not in the list below, please edit the report and append them.
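The same decoding rule applied on a client with PowerShell, added as an example that is not from the post or the report: it checks that a product code has the Office shape (38 characters with braces, ending in 0FF1CE) before reading the 21st character, and then lists the locally installed Office products from the Uninstall registry keys that hardware inventory reads for Add/Remove Programs. The two product codes in the usage lines are constructed sample values.

```powershell
# Added example (not part of the original post): decode Office bitness from the
# MSI product code, using the same rule as the report's substring(productID,21,1).
# Counting the leading brace, character 21 is 0 for x86 and 1 for x64.

function Get-OfficeBitnessFromProductCode {
    param([Parameter(Mandatory)][string]$ProductCode)

    # Office MSI product codes end in 0FF1CE; anything else is not an Office suite code.
    $officeCodePattern = '^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{6}0FF1CE\}$'
    if ($ProductCode -notmatch $officeCodePattern) {
        return 'Not an Office product code'
    }
    switch ([string]$ProductCode[20]) {   # index 20 = 21st character (brace included)
        '0'     { return 'x86' }
        '1'     { return 'x64' }
        default { return "Unknown ($($ProductCode[20]))" }
    }
}

function Get-InstalledOfficeBitness {
    # Both registry views: these are the Uninstall keys that Add/Remove Programs
    # hardware inventory (and so v_Add_Remove_Programs) is populated from.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Office*' -and $_.PSChildName -like '{*0FF1CE}' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName  = $_.DisplayName
                ProductCode  = $_.PSChildName
                Architecture = Get-OfficeBitnessFromProductCode -ProductCode $_.PSChildName
            }
        }
}

# Constructed sample codes: the 21st character differs, everything else is the same.
'{90140000-0011-0000-0000-0000000FF1CE}', '{90140000-0011-0000-1000-0000000FF1CE}' |
    ForEach-Object { "$_ -> $(Get-OfficeBitnessFromProductCode -ProductCode $_)" }

Get-InstalledOfficeBitness | Format-Table -AutoSize
```

The regular expression is what protects the report logic from false positives: a non-Office MSI product code also has a character at position 21, but it carries no architecture meaning, so the function refuses to interpret it.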

'Microsoft Office Personal 2007'
'Microsoft Office Professional 2007'
'Microsoft Office Professional 2007 Trial'
'Microsoft Office Professional Hybrid 2007'
'Microsoft Office Professional Plus 2007'
'Microsoft Office Professional Plus 2007 (Beta)'
'Microsoft Office Standard 2007'
'Microsoft Office Standard 2007 Trial'
'Microsoft Office Ultimate 2007'
'Microsoft Office Enterprise 2007'
'Microsoft Office 2010'
'Microsoft Office Professional Plus 2010'
'Microsoft Office Standard 2010'
'Microsoft Office Professional 2010'
'Microsoft Office Home and Student 2010'
'Microsoft Office Home and Business 2010'
'Microsoft Office Professional Plus 2010 (Beta)'
'Microsoft Office Starter 2010 - English'
'Microsoft Office 2013'
'Microsoft Office Professional Plus 2013'
'Microsoft Office Standard 2013'
'Microsoft Office Professional 2013'
'Microsoft Office Home and Student 2013'
'Microsoft Office Home and Business 2013'
'Microsoft Office Professional Plus 2013 (Beta)'
'Microsoft Office Starter 2013 - English'
'Microsoft Office 2016'
'Microsoft Office Professional Plus 2016'
'Microsoft Office Standard 2016'
'Microsoft Office Professional 2016'
'Microsoft Office Home and Student 2016'
'Microsoft Office Home and Business 2016'
'Microsoft Office Professional Plus 2016 (Beta)'
'Microsoft Office Starter 2016 - English'

As usual, download the SSRS report (rdl) files from the TechNet gallery here, upload them to your reporting folder in SCCM reports, change the data source and run the report.

Output:


Linked report:


This report supports RBA (role based administration) functionality.

Note that the 2nd report (drill-through report) cannot be run individually; to run it, you must run the 1st report, which is the count of Office versions, and drill through to the 2nd report.

SQL code and parameter values for the dataset (RBA): the following is for your information only; no input is required from you to run this report.

DataSetAdminID: select dbo.fn_rbac_GetAdminIDsfromUserSIDs(@UserTokenSIDs) as UserSIDs

Parameter for UserTokenSIDs: General –> Parameter visibility –> Internal; Default values –> Specify values –> =SrsResources.UserIdentity.GetUserSIDs(User!UserID)

Parameter for UserSIDs: General –> Parameter visibility –> Internal; Default values –> Get values from a query and choose DataSetAdminID

You can always edit the RDL files and customize them.

Happy reporting!

ConfigMgr: how to use compliance settings to check whether the Windows Update Agent (WUA) version is older; collection and SQL query


Using compliance settings in ConfigMgr, you can do many tasks as part of compliance. In the last couple of blogs, we utilized compliance settings to identify WU settings, automatic update, trusted publisher settings etc.: http://eskonr.com/2017/10/configmgr-how-to-use-compliance-settings-to-check-the-windows-update-policy-settings-like-wuserver-usewuservernoautoupdate-on-clients/

In this blog post, we will see how to use compliance settings to check whether the Windows Update Agent version is older or the latest one as per https://support.microsoft.com/en-us/help/949104/how-to-update-the-windows-update-agent-to-the-latest-version.

The Windows Update Agent runs on each client computer and checks for the availability of updates. If you are using ConfigMgr, when the software update scan cycle runs, a scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location listed in the local policy (this policy is created at the time of ConfigMgr client installation), retrieves the software updates metadata (update catalog) that has been synchronized on the WSUS server, and scans the client computer for the updates. To read further on software updates: https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction

Daniel (PotentEngineer) has documented all the versions of the Windows Update Agent on http://www.potentengineer.com/windows-update-agent-build-numbers-for-windows-7/

There are a lot of cases of Windows Update issues that happened due to an old version of the Windows Update Agent, hence you need to focus on bringing the Windows Update Agent to the latest supported version.

I will not go into detail (step by step) about how to create the configuration item and configuration baseline; instead, I will guide you through the settings that you need to configure for the Windows Update Agent.

Though the configuration used in the settings/creation of the rule in compliance settings is very simple, I would like to cover it in this blog post along with the SQL query and WQL collection to identify how many clients in your organisation are running an older version.

1. Define the compliance setting for the applicable OS (the Windows Update Agent varies from OS to OS). This blog post focuses on Windows 7.

Once you deploy the configuration baseline to a collection, clients will perform the CI evaluation and send the results to ConfigMgr, which will help you create a collection from the baseline results and deploy the latest Windows Update Agent.

Compliance Item:

New setting:


New Rule: replace the Windows Update Agent version with the one you are looking for.


Note: the above WUA version is only for Windows 7, hence you need to configure the OS while creating the CI, or deploy this only to a Windows 7 collection.

If you want to create the rule for multiple OS to check the WUA version, you can try something like below (it is untested at the time of writing the blog post).

Make sure you add the latest version of the Windows Update Agent into the 'one of' list.
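A script-based alternative for the multiple-OS case, added as an example and not part of the post: it reads the WUA version from the agent itself (falling back to the file version of wuaueng.dll) and compares it against a per-OS minimum. The version numbers in the table are placeholders, not values from the post; take the latest supported versions from the KB article linked above.

```powershell
# Added example (not from the original post): discovery script that checks the
# local Windows Update Agent version against a minimum chosen by OS, so one CI
# can cover several operating systems.
# The minimum versions are PLACEHOLDERS; fill them from KB 949104 linked above.
$MinimumWuaVersionByOs = @{
    'Windows 7'   = [version]'0.0.0.0'   # PLACEHOLDER: latest supported WUA for Windows 7
    'Windows 8.1' = [version]'0.0.0.0'   # PLACEHOLDER: latest supported WUA for Windows 8.1
}

function Get-WuaVersion {
    # Ask the agent for its own version; if the COM object is unavailable, use the
    # product version stamped on wuaueng.dll instead.
    try {
        $agentInfo = New-Object -ComObject Microsoft.Update.AgentInfo
        return [version]$agentInfo.GetInfo('ProductVersionString')
    } catch {
        $dll = Get-Item "$env:SystemRoot\System32\wuaueng.dll"
        return [version]$dll.VersionInfo.ProductVersion
    }
}

function Test-WuaVersion {
    param([hashtable]$MinimumByOs = $MinimumWuaVersionByOs)
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    # Pick the first table entry whose name appears in the OS caption.
    $osKey = $MinimumByOs.Keys | Where-Object { $caption -like "*$_*" } | Select-Object -First 1
    if (-not $osKey) { return "NoRuleForOs: $caption" }

    $current = Get-WuaVersion
    if ($current -ge $MinimumByOs[$osKey]) { return "Compliant: $current" }
    return "NonCompliant: $current is older than $($MinimumByOs[$osKey]) required for $osKey"
}

# Last line of output is what ConfigMgr records as the discovered value.
Test-WuaVersion
```

Because the output is a string, the matching compliance rule is "value begins with Compliant"; the non-compliant string carries both the found and the required version, which is handy when building the remediation collection from the baseline results.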


2. WQL Query for collection:

Ronni has a nice post on this; please follow it: https://www.ronnipedersen.com/2015/06/04/updating-the-windows-update-agent-on-windows-7-clients/

3. SQL Query:

The Windows Update Agent version is stored in the v_GS_WINDOWSUPDATEAGENTVERSION SQL view.

We will use this SQL view to find the count of versions.

-- Count of clients per Windows Update Agent version, most common first
select a.version0 as 'WUA Version', count(*) as 'Total'
from v_GS_WINDOWSUPDATEAGENTVERSION as a
group by a.version0
order by 2 desc

More information: http://eskonr.com/2010/02/sccm-collection-for-windows-update-agent/

Using this, you can create a nice SSRS report. You can also create a drill-through report to find which machines are running lower versions, with computer name, user name etc.

The list of SCCM ConfigMgr SQL views documentation is available on TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

How to change Power Management settings using Configmgr Compliance settings


I had a request to disable the setting 'Allow the computer to turn off this device to save power' in the power management settings of the network adapter.


From the screenshot above, there are 3 settings that are relevant for Wake on LAN. All of this settings information is stored in client WMI. We want to uncheck the first option ('Allow the computer to turn off this device to save power') and leave the other 2 controls as they are.

In this blog post, we will see how to change the power management settings on a client using Configuration Manager compliance settings.

Before I go into compliance settings, I will provide the WMI class and instance that store the information about the power management settings, so we can make use of these in compliance settings.

1. Allow the computer to turn off this device to save power: WMI class: root\wmi, instance: MSPower_DeviceEnable, property: Enable
2. Allow this device to wake the computer: WMI class: root\wmi, instance: MSPower_DeviceWakeEnable, property: Enable
3. Only allow a magic packet to wake the computer: WMI class: root\wmi, instance: MSNdis_DeviceWakeOnMagicPacketOnly, property: Enable

After you have the information about WMI, it is easy to create the configuration item and configuration baseline.

Create a configuration item with name: Disable 'Allow the computer to turn off this device to save power'; leave the default settings, click Next, and choose the operating system that you want to deploy this setting to.

Under Settings, create a new setting with the following information:

Name: MSPower_DeviceEnable, Setting type: WQL Query, Data type: Boolean, WMI class: root\wmi, instance: MSPower_DeviceEnable, property: Enable, WQL Query: InstanceName like 'PCI%'
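The three classes read directly with PowerShell, as an added example that is not from the post: it reports the settings per physical network adapter and carries a remediation function for the first one. The post filters on InstanceName like 'PCI%'; this example instead assumes (an assumption, not stated in the post) that the instance name is the adapter's PnP device ID followed by "_0", so that only network adapters are shown rather than every PCI device with power management.

```powershell
# Added example (not part of the original post): read the three Wake-on-LAN power
# settings from the root\wmi classes above and, on request, remediate setting 1.
# Assumption: instances of these classes are named "<PNPDeviceID>_0", which is
# used here to match each instance to its Win32_NetworkAdapter.

function Get-NicPowerSettings {
    $adapters = Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE'
    foreach ($nic in $adapters) {
        # Backslashes in the PnP ID must be doubled inside a WQL string literal.
        $filter  = "InstanceName = '$(($nic.PNPDeviceID + '_0').Replace('\', '\\'))'"
        $turnOff = Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceEnable -Filter $filter -ErrorAction SilentlyContinue
        if ($null -eq $turnOff) { continue }   # adapter does not expose power management
        $wake    = Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceWakeEnable -Filter $filter -ErrorAction SilentlyContinue
        $magic   = Get-WmiObject -Namespace root\wmi -Class MSNdis_DeviceWakeOnMagicPacketOnly -Filter $filter -ErrorAction SilentlyContinue
        $wakeEnabled  = if ($wake)  { [bool]$wake.Enable }  else { $null }
        $magicEnabled = if ($magic) { [bool]$magic.Enable } else { $null }

        [pscustomobject]@{
            Adapter                 = $nic.Name
            AllowTurnOffToSavePower = [bool]$turnOff.Enable   # setting 1, the one to clear
            AllowWakeComputer       = $wakeEnabled            # setting 2
            MagicPacketOnly         = $magicEnabled           # setting 3
        }
    }
}

function Disable-NicTurnOffToSavePower {
    # Remediation for setting 1: clear the checkbox on every physical adapter that has it set.
    $adapters = Get-WmiObject Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE'
    foreach ($nic in $adapters) {
        $filter = "InstanceName = '$(($nic.PNPDeviceID + '_0').Replace('\', '\\'))'"
        Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceEnable -Filter $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Enable } |
            ForEach-Object {
                $_.Enable = $false
                [void]$_.Put()           # write the change back through the WMI provider
                "Disabled 'turn off to save power' on $($nic.Name)"
            }
    }
}

Get-NicPowerSettings | Format-Table -AutoSize
# Disable-NicTurnOffToSavePower   # run elevated to apply the change
```

Writing through Put() is what the compliance setting's remediation does for you when "Remediate noncompliant rules when supported" is selected; the script form is useful for confirming, on one machine, that the instance name filter selects the adapter you expect before deploying the baseline.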


For the other 2 settings, all you need is to change the class with the information given above in points 2 and 3.

Click on Compliance Rules, click New and follow the settings below.

For the other 2 settings (points 2 and 3), you can set either True or False as per your needs.


Click OK

We have now created the configuration item and are ready to create the configuration baseline and deploy it to a device collection.

When you deploy the configuration baseline, make sure you choose the following setting to remediate (Allow remediation outside maintenance window is up to you: you can either wait for a maintenance window or ignore the window and remediate the setting)


End user results:


Hope it helps!

ConfigMgr console update failed to download with 'Error in verifying the trust of file', WARNING: Failed to call IsFileTrusted


Microsoft released the December ConfigMgr Technical Preview version (1712). It has been a while since I looked at my SCCM Tech Preview lab, so I had a chance to look at the new features that are released with this preview version and play around with it in my lab.

Following are the new features released with this preview version (this is only for lab purposes, not for production release).

Do not automatically upgrade superseded applications

Install multiple applications in Software Center

Client-based PXE responder service

Change in the Configuration Manager client install

Change to the Surface device dashboard

Improvements to Office 365 Client Management dashboard

Improvements to the Configuration Manager console

Improvements to operating system deployment

Windows 10 Feedback Hub app integration

For more information about these features and documentation, please refer to https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1712

As usual, I opened the console, went to the Administration node, and from Updates and Servicing clicked on Check for updates. After a while (make sure you have an internet connection for this to work), I saw Configuration Manager Technical Preview 1712, but the state was stuck at Downloading for a long period. I checked the internet connection for any outage; it looked good. Since my ConfigMgr lab is running in a virtual environment, there is no AV (antivirus product) running. I went ahead and looked at the log file that tracks the download of updates, dmpdownloader.log. As you can see in the snippet below, it throws different error codes.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.


A few lines later, I can see the following error code.

Error in verifying the trust of file 'F:\ConfigMgr\EasySetupPayload\51d629d3-c355-4b80-ad6f-ba44b27f84ed.cab'.

WARNING: Failed to call IsFileTrusted


I tried the solution given in the TechNet article for when the update is stuck with a state of Downloading in the Updates and Servicing node, https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes, but it didn't help for me (I changed the registry key value, stopped the SMS_DMP_DOWNLOADER component and started it again).

If you look at the folder F:\ConfigMgr\EasySetupPayload as per the log, you will see a cab file with hash ID 51d629d3-c355-4b80-ad6f-ba44b27f84ed whose size is 0 bytes.

Usually this cab file should be around 600 MB+ in size, as this is the set of installation files that will be used to update ConfigMgr to the new version.

So I searched the log file for the hash ID 51d629d3-c355-4b80-ad6f-ba44b27f84ed and got the URL http://download.microsoft.com/download/6/6/B/66B981F8-5740-4072-9B74-767541EA9915/51D629D3-C355-4B80-AD6F-BA44B27F84ED.cab

image

After I download the file manually ,put it in folder F:\ConfigMgr\EasySetupPayload  . Once you are done with it , open the configuration manager service manager ,stop SMS_DMP_DOWNLOADER ,start the component.

image

Monitor the log file dmpdownloader.log ,you will see the extraction of the cab file will be happening and after a while ,the cab file will disappear from F:\ConfigMgr\EasySetupPayload  folder.

image

If you did not notice any errors in the log file, you are good to install the update from console .Go back to your console and install the update ,monitor the status using cmupdate.log and ConfigMgrSetup.log.

At the end ,you will see the following screen to upgrade the existing console to new version.

image

image
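The two symptoms above (a 0-byte cab and "Error in verifying the trust of file") can be checked in one pass before restarting the downloader. The following PowerShell is an added example, not code from the original post; it lists each cab in EasySetupPayload with its size and Authenticode signature status, and the folder path is the one used in this post, assumed to match your site server.

```powershell
# Added example (not from the original post): inspect the cab files that
# SMS_DMP_DOWNLOADER stages in EasySetupPayload before restarting the component.
# The folder path is the one used in this post and is assumed to match your site server.
function Test-EasySetupPayload {
    param(
        [string]$PayloadPath = 'F:\ConfigMgr\EasySetupPayload',
        # Anything far below a normal payload (hundreds of MB) is suspicious;
        # the 0-byte file seen in this post is the extreme case.
        [long]$MinimumBytes = 1MB
    )

    if (-not (Test-Path -LiteralPath $PayloadPath)) {
        throw "Payload folder not found: $PayloadPath"
    }

    Get-ChildItem -LiteralPath $PayloadPath -Filter '*.cab' -File | ForEach-Object {
        # Get-AuthenticodeSignature validates the file's signature and certificate chain;
        # Status is e.g. Valid, NotSigned, HashMismatch or NotTrusted.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        $problem = $null
        if ($_.Length -eq 0) {
            $problem = 'zero-byte file (incomplete download)'
        } elseif ($_.Length -lt $MinimumBytes) {
            $problem = 'file is much smaller than expected'
        } elseif ($sig.Status -ne 'Valid') {
            $problem = "signature status is $($sig.Status)"
        }

        [pscustomobject]@{
            File      = $_.Name
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Signature = $sig.Status
            Problem   = $problem
        }
    }
}

# Rows with a Problem value are the ones to fix (re-download, then restart the component);
# a healthy payload shows a Microsoft signer and Signature = Valid.
Test-EasySetupPayload | Format-Table -AutoSize
```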

Hope it helps!


How to deploy Onedrive for Business using Configmgr


Deploying OneDrive for Business is straightforward. The command line switch is very simple: "OneDriveSetup.exe" /silent. But when you create the application in Configmgr, there are a couple of things you need to focus on, like the detection method and the install behaviour.

If you search online for how to deploy OneDrive for Business using Configmgr, you will find various posts; however, the following method is what I have been using and it works fine. I would like to share the solution in simple steps.

Create the application as you normally would, but use the following information to fill in the detection method, user experience and install command line.

Install command line: "OneDriveSetup.exe" /silent

Detection method: The version that I deployed to users (user-based collection) is 17.3.7076.1026, hence my detection method will look for 17.3.7076.1026. (There is already a newer version available that is yet to be deployed.)

OneDrive for Business stores the installation files in the user profile (C:\Users\eswar.koneti\AppData\Local\Microsoft\OneDrive)


Registry key from user profile for uninstall:


Setting Type: Registry

Hive: HKCU

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe

Value: DisplayVersion

Data Type: String


User Experience:


Requirements:

Choose the OS on which you want to install the application. Since this is a user-based deployment, I would recommend limiting it to workstation OS (Windows 7, Windows 8 and Windows 10), not server operating systems, unless there is a need to use OneDrive on a server OS.

On Windows 7 there is no OneDrive by default, hence you need to install it. On Windows 10, OneDrive comes with the OS; however, you need to check whether the installed OneDrive is the latest version or not, and if not, you can use the above method to install the latest version.

Installing the latest version (using the above method) removes the old version from the user profile and installs the new version.

Before you use this solution for mass deployment, deploy it to a few pilot users and see how it works.

Deploy the application to the user collection and you are good.

If you have any issues with this, post via the comment section.

Configure bookmarks ,allow and block URLs for the Managed Browser using intune


If you are using Microsoft Intune as the MDM solution to manage mobile devices, you will certainly hit the requirement of managing Internet access using Managed Browser policies with Microsoft Intune: to allow or block certain URLs, to bookmark them and to set the home page.

Intune Managed Browser is a web browsing application that you can download from the public app stores (Apple App Store or Google Play Store) for use in your organization. Since this app integrates with the Intune SDK, you can also apply app protection policies, like controlling cut, copy and paste, that come with Intune app protection policies.

If you are allowing end users to use the Managed Browser for corporate use, you must apply app protection policies and restrict managed apps to open URLs in the Intune browser.

In this blog post, we will see how to bookmark, set the home page, and allow and block certain URLs for the Managed Browser.

1. Login to www.portal.azure.com

2. Click on the Intune node, browse to Mobile apps, App Configuration Policies (https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/14/selectedMenuItem/Overview)


Or you can also click on the Intune App Protection node (soon this node will be removed and you will be required to use the option above); under App management, click on App Configuration (https://portal.azure.com/#blade/Microsoft_Intune/SummaryBlade/2)


3. Click on Add Config, supply a name and description


4. Under Select required app, choose Managed Browser (ManBro) for both iOS and Android, click OK


5. Under Configuration, first identify the URLs that you want to allow. If you have a requirement to block certain URLs, follow the steps above and change the key name to the block one.


You need to supply two values in the configuration: 1. Name and 2. Value


Key Name to Allow URL’s:

com.microsoft.intune.mam.managedbrowser.AllowListURLs

Key Name to block URL’s:

com.microsoft.intune.mam.managedbrowser.BlockListURLs

I want to allow a couple of URLs that Intune users access via the browser; the entries are separated by (|)

http://eskonr.com/*|https://*.microsoft.com/*|https://expenses.contoso.com|http://www.eskonr.com:8080

http://eskonr.com/* –> Match all URLs that begin with eskonr.com

https://*.microsoft.com/* –> Match all subdomains under microsoft.com

http://www.eskonr.com:8080 –> Match a single web page that contains a port number

To allow authentication, and access to Intune documentation, *.microsoft.com is exempt from the allow or block list settings. It is always allowed.

If you want to block any specific URLs, add values in the same format to the block list key.

How to bookmark specific URLs?

Key Name to bookmark:

microsoft.intune.mam.managedbrowser.homepage

Values:

Cyberark|https://cybr.intranet.asia/PasswordVault/default.aspx||Eswar Koneti Blog|http://www.eskonr.com

Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the | character.

To configure multiple bookmarks, separate each pair with the double character, ||

6. Click Save, go to Assignments and add the group who should receive these settings.
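Because a typo in the allow list silently locks users out of a site (or lets one through), it is worth checking the values before assigning them. The PowerShell below is an added example, not from the original post: it builds the bookmark value and approximates the wildcard matching from the three examples above so an allow/block list can be sanity-checked; the matching rules are my reading of this post, not Intune's own implementation, and the test URLs are constructed.

```powershell
# Added example (not from the original post): assemble the Managed Browser app-configuration
# values shown above and approximate the wildcard matching so an allow/block list can be
# sanity-checked before it is assigned. The matching rules are my reading of the three
# examples in this post, not Intune's own implementation.

# Turn one allow/block entry such as https://*.microsoft.com/* into an anchored regex:
# '*' matches any run of characters, everything else is literal.
function ConvertTo-ManagedBrowserPattern {
    param([Parameter(Mandatory)][string]$Entry)
    $escaped = [regex]::Escape($Entry) -replace '\\\*', '.*'
    return "^$escaped$"
}

# Return $true when the URL would be permitted by the given AllowListURLs value.
function Test-ManagedBrowserUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$AllowListValue
    )
    # Per the docs quoted in this post, *.microsoft.com is exempt and always allowed.
    if ($Url -match '^https?://([^/]+\.)?microsoft\.com(/|$)') { return $true }

    foreach ($entry in ($AllowListValue -split '\|')) {
        if ($entry -and $Url -match (ConvertTo-ManagedBrowserPattern -Entry $entry)) {
            return $true
        }
    }
    return $false
}

# Build the bookmark value: title|url pairs joined with '||'. Neither half may contain '|'.
function New-ManagedBrowserBookmarkValue {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Bookmarks)
    $pairs = foreach ($title in $Bookmarks.Keys) {
        $url = $Bookmarks[$title]
        if ($title -match '\|' -or $url -match '\|') {
            throw "Bookmark title and URL must not contain '|': $title"
        }
        "$title|$url"
    }
    return ($pairs -join '||')
}

# The allow list from this post
$allow = 'http://eskonr.com/*|https://*.microsoft.com/*|https://expenses.contoso.com|http://www.eskonr.com:8080'

# Constructed test URLs: wildcard entries match whole prefixes, a non-wildcard entry matches
# only that exact address (so a path under it is denied), and an unrelated site is denied.
@(
    'http://eskonr.com/2018/post',
    'https://docs.microsoft.com/en-us/intune',
    'https://expenses.contoso.com',
    'https://expenses.contoso.com/report',
    'http://www.eskonr.com:8080',
    'https://www.dropbox.com'
) | ForEach-Object {
    '{0,-45} allowed={1}' -f $_, (Test-ManagedBrowserUrl -Url $_ -AllowListValue $allow)
}

# Bookmark value in the same shape as the example in this post (title|url||title|url)
New-ManagedBrowserBookmarkValue -Bookmarks ([ordered]@{
    'Cyberark'          = 'https://cybr.intranet.asia/PasswordVault/default.aspx'
    'Eswar Koneti Blog' = 'http://www.eskonr.com'
})
```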

References:

https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started#how-to-get-started

How to restrict access to O365 from unsupported OS like Ubuntu, CentOS using Conditional Access


If you are using O365 services, you might hit the requirement to block unsupported OS (Ubuntu, CentOS etc.) from accessing O365 resources. There are a couple of ways that you can restrict unsupported OS using Azure Active Directory Conditional Access.

The only devices that are supported at the moment are iOS, Android, Mac and Windows. You can control these supported devices to protect the data from being leaked with a combination of Conditional Access and Intune; however, these unsupported OS cannot be managed, hence you must block them from accessing O365 resources. For more information about Conditional Access, I have provided links in the reference section at the end of this post.

For this requirement, we can use Conditional Access to block all platforms but exclude the supported OS.

If you are enrolling devices (MDM for iOS, Android, Windows (WIP) and Mac), you can create a Conditional Access policy with Compliant and Hybrid Azure AD joined selected as shown below, hence you don't need to create a restrict policy for other OS. But if you are using MAM-WE (without enrollment of devices), you need to create the Conditional Access policy which we are going to see now.

The below settings will help you to block access. If a user is trying to access O365 resources, the device must satisfy one of the controls that we selected. Ubuntu, CentOS and other unsupported OS cannot be compliant or Hybrid Azure AD joined for now.

Access control—>Grant .


If there is no enrollment of devices (MAM-WE), then follow the steps below to block unsupported OS. For the supported OS, allow MAM-WE as per your org policies.

1. Login to the Azure Portal, go to the Intune blade (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview)

2. Click on Conditional Access, Policies, New policy (https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExchangeConnectorMenu/aad/connectorType/2)

3. Give it a name, something like Global-Block-UnSuppOS-AllApps

4. Assignments: include All Users

5. Cloud Apps: include All cloud apps

6. Conditions, Device Platforms: set Configure to Yes, include All platforms (including unsupported)

7. While on the same page, click on Exclude and select the supported OS that you have currently

8. Click on Done, Done

9. Access Control, Grant: select Block, click on Select

10. Set Enable policy to 'Yes'

11. Finally, click on Save to apply the settings to all users with the block action.

References:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-faqs

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-best-practices

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference

 

Configmgr Report list empty collections with no query rules defined (collection clean-up)


I was looking at the console the other day and found that there were many collections created in the root folder (device collections) with a member count of 0. So I looked at the collection properties and found them empty (no direct or query-based rule).

So I decided to write a SQL query to identify the list of collections that have empty results with no query rules defined.

For this query, I have used 2 SQL views (v_Collection and v_CollectionRuleQuery).

For the full list of SQL views that exist in SCCM Configmgr, please refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b .

Following is the SQL code to identify empty collections with no query rule defined. You can delete these collections, as part of maintenance tasks, to simplify the list of collections displayed when deploying objects, unless there is a reason for them to be in the console.

You can use the following code to create an SSRS report as well.

-- Collections with zero members and no query-based membership rule
select coll.CollectionID, coll.Name,
  case when coll.CollectionType = '1' then 'User' else 'Device' end as 'Collection Type'
from v_Collection coll
-- exclude any collection that has at least one query rule
where coll.CollectionID not in (select CRQ.CollectionID from v_CollectionRuleQuery CRQ)
  and coll.MemberCount = 0
group by coll.CollectionID, coll.Name, coll.CollectionType

Configuration Manager Technical Preview 1708 has the ability to identify applications without deployments and empty collections as part of Management Insights. For more information, please read https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1708#management-insights

Hope it helps!

 

SCCM Report for Missing Boundaries and Troubleshooting


Introduction:

Boundaries in SCCM define network locations on your intranet that can contain devices that you want to manage. Boundary groups are logical groups of boundaries that you configure. For more information click here

A few days ago, Jason Sandys blogged about boundary group caching and missing boundaries; for more details, read through https://home.configmgrftw.com/boundary-group-caching-and-missing-boundaries-in-configmgr .

This is one of the most needed solutions that everyone should implement in their environment to evaluate the accuracy of the boundaries and boundary groups they have defined. Boundaries play a major role in site assignment and content download. If you do not define the boundaries correctly, the client will not function as expected, and it takes up a lot of your time to troubleshoot and identify that it is because of missing boundaries; it is a recurring issue.

Jason has covered most of the parts about missing boundaries, boundary group caching, the WMI location and a basic SQL query. In this blog post, I am going to show you how to get the list of client devices that are missing from the boundaries/boundary groups using an SSRS report, and how to troubleshoot these devices. Sometimes you may see something like 'waiting for content download' forever in Software Center, and this is because boundaries/boundary groups are missing.

This blog post will help you to identify such client devices with their basic inventory information like OS, hardware inventory, software update scan, IP address, last reboot etc.

You can also use other methods to achieve this, such as a Compliance Item/baseline, but the HINV method will give you more information and better reporting.

How to create/upload the report?

Before you download the report, please make the necessary changes as per the guideline from Jason Sandys' post.

Following are quick points to implement the changes:

1. Open the SCCM console, go to Client Settings, edit the Default Client Settings, Hardware Inventory, Set Classes, Add, choose the WMI namespace and add it. Once the boundary group cache class is added, uncheck it from the default settings and click OK. For more information on how to add custom inventory, you can refer to the guide here

2. Go to your custom client agent settings (if you have any; else you can make these changes in the default client settings), Hardware Inventory, Set Classes, and choose the class name that we added in the default client agent settings.

3. Monitor dataldr.log to see whether these changes are being processed and the view is created in the SQL database (v_GS_BOUNDARYGROUPCACHE).

Once you are done with the above steps, download the SSRS report from the TechNet Gallery, upload it to your SCCM reports, change the data source and run it.

The report will display the following information. This report is created with the filter Client0='1'; I do not want to display information for devices that do not have the SCCM client.

Note: As of CB 1610, all clients that do not fall within the scope of a defined boundary group will be associated with the Default Boundary Group. This is not reflected in the BoundaryGroupCache class. Essentially, if the instance of the BoundaryGroupCache class contains no BoundaryGroupIDs, then the client is considered within the scope of the Default Boundary Group.


How to troubleshoot the missing boundaries that are displayed in the report:

1. From the report, we see that it has one device with its IP address. So we can go back to the SCCM console and look under Boundaries to see whether this IP address is part of the specified boundaries or not (it is ALWAYS recommended to go with IP address ranges while defining the boundaries, unless you have a specific reason not to use them).

2. Make sure the client device has sent its inventory report successfully after you made the changes in the HINV settings and they were deployed to the collection.

3. If the IP address is defined in the boundaries, check the boundary group; if it is not in one, add it to a boundary group with a site system role.

4. If the IP address is part of the boundaries and a boundary group, what else can cause the client device to appear in this report?

5. If boundaries and boundary groups are added correctly, the MP must have returned the list of the distribution points that are configured in the boundary groups for the client to pick for content download.

6. If all the above points look OK, I would suggest taking a look at the client device logs (ClientLocation.log, LocationServices.log and ContentTransferManager.log), which will help you to identify the DP details.
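The same BoundaryGroupCache data the report inventories can be read directly on a client that shows up in it, which confirms steps 1 and 2 above without waiting for the next HINV cycle. The PowerShell below is an added example, not from the original post; the namespace root\ccm\LocationServices and the Win32_NetworkAdapterConfiguration lookup are my assumptions, while the BoundaryGroupIDs property is the one named in the note above.

```powershell
# Added example (not from the original post): read the client-side BoundaryGroupCache class
# that the HINV change above collects, and show whether this client resolved to a boundary group.
# Namespace root\ccm\LocationServices is an assumption (taken from Jason Sandys' post);
# the BoundaryGroupIDs property is the one named in the note earlier in this post.
function Get-ClientBoundaryGroupStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cim = @{ Namespace = 'root\ccm\LocationServices'; ClassName = 'BoundaryGroupCache'; ErrorAction = 'Stop' }
    $net = @{ ClassName = 'Win32_NetworkAdapterConfiguration'; Filter = 'IPEnabled = TRUE'; ErrorAction = 'Stop' }
    if ($ComputerName -ne $env:COMPUTERNAME) {
        $cim.ComputerName = $ComputerName
        $net.ComputerName = $ComputerName
    }

    try {
        $cache = Get-CimInstance @cim
        # IPv4 addresses only, so the output can be compared with IP range boundaries in the console
        $ips = @((Get-CimInstance @net).IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    } catch {
        return [pscustomobject]@{
            Computer = $ComputerName; IPAddresses = $null; BoundaryGroupIDs = $null
            Status   = "WMI query failed: $($_.Exception.Message)"
        }
    }

    $ids = @($cache.BoundaryGroupIDs | Where-Object { $_ })
    $status = if ($ids.Count -eq 0) {
        # Per the note in this post (CB 1610+): no cached IDs means only the Default Boundary
        # Group applies, i.e. no defined boundary covers the client's address.
        'no boundary group cached - verify these IPs fall inside a boundary that belongs to a boundary group'
    } else {
        'client is covered by a boundary group'
    }

    [pscustomobject]@{
        Computer         = $ComputerName
        IPAddresses      = $ips -join ', '
        BoundaryGroupIDs = $ids -join ', '
        Status           = $status
    }
}

# Run locally on a client that appears in the report, or pass -ComputerName to query it remotely.
Get-ClientBoundaryGroupStatus | Format-List
```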

 

Happy troubleshooting!

Configmgr 1710 Hotfix Rollup (KB4057517) is available


After the release of Configmgr Current Branch version 1710, one of the primary issues was that 'clients are not upgraded on systems that are running Windows Server 2008 SP2'; the installation terminates with the error

'Faulting application ccmsetup.exe, version 5.0.8577.1000, time stamp 0x5a03cc4c, faulting module KERNEL32.dll!K32EnumProcessModules'

So Microsoft released a hotfix rollup update for Configmgr 1710 that resolves the above issue along with many other issues listed in the support document https://support.microsoft.com/help/4057517.

This update is available for installation in the Updates and Servicing node of the Configuration Manager console. It also applies to customers that are running Configuration Manager version 1710, first wave.


To install, right click on the update and choose Install Update Pack, click Next, choose a pre-production collection to validate the client package (on that collection) before updating the production client package, and accept the terms and conditions


Click next


Go to the Monitoring node, Updates and Servicing Status, click on the hotfix rollup, click Show Status


You can also monitor the status using the log file ConfigMgrSetup.log located in the root of the Windows drive (C:\)


Once the installation is finished, you will be prompted to install the new console version


Site Version:5.0.8577.1000

Console Version:5.0.8577.1108

Client Version:5.0.8577.1108

Once the installation is done on the primary site, you must manually update the secondary sites (if you have any). To update a secondary site, click Administration, click Site Configuration, click Sites, click Recover Secondary Site, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation.

To know whether all the secondary sites are in sync with the primary site update, you can run the following SQL code on the primary site.

select dbo.fnGetSecondarySiteCMUpdateStatus ('SS1')

SS1: site code of the secondary site.
  • If a value of 1 is returned, the site is up-to-date and has all the hotfixes applied to its parent primary site.
  • If a value of 0 is returned, the site has not installed all the fixes that were applied to the primary site, and you should use the Recover Secondary Site option to update the secondary site.

References:

https://support.microsoft.com/en-us/help/4057517/update-rollup-for-system-center-configuration-manager-current-branch-v

SCCM Configmgr Technical Preview 1801 available


Microsoft released the first ConfigMgr Technical Preview version for the year 2018 with some exciting features.

To use the technical preview, you must first install a baseline version of the technical preview build, i.e. Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build a new lab, the preview baseline version 1711 is available for download from the TechNet Evaluation Center.

The following are new features you can try out with this version:

1.Phased deployments
2.Co-management reporting
3.Improvements to automatic deployment rule evaluation schedule
4.Reassign distribution point
5.Improvements to hardware inventory
6.Improvements to client settings for Software Center
7.New settings for Windows Defender Application Guard
8.Improvements to Run Scripts

To know more about these features, please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1801

To see the updates, open the console, click Check for Updates, and follow the log dmpdownloader.log


You can monitor ConfigMgrSetup.log and also the monitoring status in the console.

With these new features, there are a couple of new SQL tables/views created that help us to build some nice SSRS reports.

vSMS_PhasedDeployment

SMS_ScriptsExecutionSummary


Happy exploring new features.


How to Deploy Microsoft Yammer Client using SCCM Configmgr


Yammer is an enterprise social networking service used for private communication within organizations. Access to a Yammer network is determined by a user's Internet domain, so that only individuals with approved email addresses may join their respective networks.

Yammer can be used to discuss ideas, share updates, and crowdsource answers from co-workers around the globe. Yammer gives you a faster, smarter way to connect and collaborate across your company.

If your organisation has moved to O365, you will hit the requirement to deploy O365 applications like Microsoft Teams, OneDrive, Yammer, AIP etc. All of these applications (except AIP) are user specific and are installed in the user profile (%AppData%) instead of %ProgramFiles%.

Deploying applications to computers is straightforward, but for applications that are user specific and install into %AppData%, there are some challenges with the application detection method.

Application detection is one of the main criteria to identify whether the application is installed correctly or not; it also helps to reinstall the app if the app is removed from the user's machine (this happens with the application deployment evaluation cycle).

As I mentioned in my previous blog post on deploying Microsoft OneDrive using Configmgr, we will use a similar method with the detection rule for Yammer also.

Before we start with this, download the Yammer client (MSI) file from https://support.office.com/en-us/article/yammer-for-windows-and-mac-50920c05-cbfc-4f11-8503-e20fb2e623a5 .

Once the MSI file is downloaded, extract it using 7zip or WinRAR to get the actual installer used to deploy to users. You will see something like below.


Copy the file to your SCCM source files and start creating the application as you do for other EXE applications.

For the Deployment Type, choose Script Installer

Installation Program: "yammerdesktop.exe" /s

Uninstallation Program: "%LocalAppData%\yammerdesktop\Update.exe" --uninstall -s


Detection Rule:

Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop

Value: DisplayVersion

Change the version value (1.3.1) as per the application version you are installing.


User Experience:


Requirements: Windows 7, Windows 10 (based on where you need this to be installed).

Deploy the application to a user collection. When the user receives the policy (user policy evaluation cycle), the application will get installed and a shortcut icon will be created on the user's desktop.


Following is the registry location where the application registers itself after installation.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\yammerdesktop
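The registry detection rule used for OneDrive earlier on this page and for Yammer here can also be expressed as a script detection method, which lets you accept the deployed version or newer instead of one exact build. The PowerShell below is an added example, not from the original posts; it assumes the deployment type installs for the user (so the script runs in the user's context and HKCU resolves), and the "version or newer" behaviour is my choice.

```powershell
# Added example (not from the original posts): a script-based detection method equivalent to the
# HKCU DisplayVersion registry rule used for OneDrive and Yammer on this page. Configmgr treats
# exit code 0 plus any text on STDOUT as "installed" and exit code 0 with no output as "not installed".
# Because the key lives in HKCU, the deployment type must install for the user so that detection
# runs in the user's context (an assumption consistent with the HKCU hive used above).
function Test-UserAppInstalled {
    param(
        # Name of the uninstall key written by the installer: 'OneDriveSetup.exe' or 'yammerdesktop'
        [Parameter(Mandatory)][string]$KeyName,
        # Version deployed; equal or newer versions count as installed, so a user whose client
        # already auto-updated is not pushed back to an older build (my choice, not the page's rule)
        [Parameter(Mandatory)][version]$MinimumVersion
    )
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$KeyName"
    $props = Get-ItemProperty -Path $key -Name DisplayVersion -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.DisplayVersion) { return $false }

    $installed = $null
    # DisplayVersion is a string; reject anything that is not a parsable dotted version
    if (-not [version]::TryParse($props.DisplayVersion, [ref]$installed)) { return $false }
    return $installed -ge $MinimumVersion
}

# Detection for the Yammer deployment type in this post (use 'OneDriveSetup.exe' and
# 17.3.7076.1026 for the OneDrive application described earlier on this page).
if (Test-UserAppInstalled -KeyName 'yammerdesktop' -MinimumVersion '1.3.1') {
    Write-Output 'Installed'
}
exit 0
```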


Hope it helps!

 

 

Intune cannot access application (MAM) You can’t get there from here. It looks like you are trying to open this resource with app that hasn’t been approved by your IT department


A month ago, a user reported an issue that they could not access the Microsoft Planner application (MAM) from their mobile device. Users are able to access applications like Outlook, OneDrive, Microsoft Teams, Word, Excel etc. but not Microsoft Planner.

Below is the error the user gets when they try to access Planner from the mobile device.

You can't get there from here. It looks like you are trying to open this resource with an app that hasn't been approved by your IT department. Ask them for a list of approved applications.


The above clearly says that Microsoft Planner is not an approved app, and this message is coming from Conditional Access.

I went to the Microsoft Azure portal, Azure Active Directory, Conditional Access, and verified that the Conditional Access policy that was created and applied to users has approved client apps selected for iOS and Android devices correctly.

A few months ago, Microsoft added a new access control in Azure AD Conditional Access (a replacement for the app-based conditional access that is in Intune app protection policies) called 'Require approved client app'


The new app-based Conditional Access blocks O365 service access from apps that are not protected by the Intune SDK. This allows us to block users from accessing email from unapproved (non-Intune SDK) apps, like the native email app or any other unapproved app.
We can use this to restrict access to O365 services, Exchange Online and SharePoint Online, to the protected applications that have the Intune SDK. With this, only Intune SDK enabled apps will be allowed access.

For more information about client approved apps ,refer https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-technical-reference#approved-client-app-requirement

Even though we granted access to approved client apps in Conditional Access, the user still got the above error. After some time, I identified that there were app-based conditional access policies set up, and users had been added to the restricted groups.

Below is what I am referring to: Exchange Online - allowed apps (the app-based conditional access policy available in Microsoft Intune). Microsoft Planner is not in the Intune supported application list here, but it is available in Azure AD CA.


After removing the user group from the Exchange Online restricted user groups, users are able to access Microsoft Planner.

The access control 'Require approved client app' in Azure AD Conditional Access is the replacement for Intune app-based conditional access, and you no longer need to use app-based CA.

Conclusion:

Remove the restricted user groups configured in app-based conditional access in the Intune app protection blade to fix the issue.

SCCM Configmgr Technical Preview 1802 available


On Valentine's Day (Feb 14, 2018), Microsoft released the Feb 2018 Technical Preview version 1802 for Configuration Manager with the largest number of features (21) ever released in a single preview. These monthly tech previews are generally released on Fridays, but this time it shipped a few days earlier.

You can install this version to update and add new capabilities to your SCCM technical preview site. To use the technical preview version, you must first install a baseline version of the technical preview build, i.e. Technical Preview 1711. After installing a baseline version, you then use in-console updates to bring your installation up to date with the most recent preview version. Typically, new versions of the Technical Preview are available each month.

If you plan to build a new lab, the preview baseline version 1711 is available for download from the TechNet Evaluation Center.

The following are the new features you can try out with this Tech Preview 1802 version (21 features/updates):

  1. Transition Endpoint Protection workload to Intune using co-management
  2. Configure Windows Delivery Optimization to use Configuration Manager boundary groups
  3. Windows 10 in-place upgrade task sequence via cloud management gateway
  4. Improvements to Windows 10 in-place upgrade task sequence
  5. Improvements to PXE-enabled distribution points
  6. Deployment templates for task sequences
  7. Product lifecycle dashboard
  8. Improvements to reporting
  9. Improvements to Software Center
  10. Improvements to Run Scripts
  11. Boundary group fallback for management points
  12. Improved support for CNG certificates
  13. Cloud management gateway support for Azure Resource Manager
  14. Approve application requests for users per device
  15. Use Software Center to browse and install user-available applications on Azure AD-joined devices
  16. Report on Windows AutoPilot device information
  17. Improvements to Configuration Manager Policies for Windows Device Exploit Guard
  18. Microsoft Edge browser policies
  19. Report for default browser counts
  20. Support for Windows 10 ARM64 devices
  21. Changes to Phased Deployments

To know more about these features, please read through https://docs.microsoft.com/en-us/sccm/core/get-started/capabilities-in-technical-preview-1802

To install this tech preview, login to your console, Administration, Updates and Servicing, click on Check for Updates (make sure you have an internet connection), and wait a while to see the entry in the console.


Right click on update and choose download


Downloading of the update can be monitored using the log file dmpdownloader.log


Right click on downloaded update and click install


Click Next through the remaining wizard pages


Once the installation is done, go to the Monitoring section to check the installation status. You can also monitor cmupdate.log and ConfigMgrSetup.log


Features explored in the screenshots of the original post:

Boundary group fallback for management points

Hide Installed Applications in Software Center

Report for default browser counts

Happy exploring !

Restrict Azure App Proxy applications accessed via Intune Managed Browser


Introduction:

Azure AD Application Proxy provides secure remote access to on-premises applications. It is a simple, secure, and cost-effective remote access solution for all your on-premises applications. For more information about Azure AD App Proxy, refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-get-started

Using Azure AD App Proxy, we can publish all our web applications hosted on-premises and allow users to access them securely from the internet. Publishing the apps and letting users access them from the internet is not enough. You must make sure these apps are secure and that there are no DLP issues.

In this blog post, we are going to see how to allow users to access these applications in a secure manner and ensure there is no DLP issue. When I talk about DLP issues, it is more about restricting users to the Intune Managed Browser to access these applications, denying other 3rd party browsers like Chrome, Safari, Firefox etc., and forcing them to use the Intune Managed Browser.

More about Intune Managed Browser:

I went through the TechNet article about the Intune browser to see the difference in behaviour between the Intune browser and 3rd party browsers, but I could not get much information. So I started doing some basic testing using the Intune browser and 3rd party browsers. What I found is that the Intune browser cannot be used like other browsers; it has a lot of restrictions by default in its design. What this means is that I can open Gmail/OneDrive/Dropbox using the Intune browser, but I cannot upload any files to them.

Intune Managed Browser by default blocks the upload and download actions for websites.

You may see 'attach', 'upload' or download options on the sites; however, when you click on them to upload, nothing happens. This I believe is the unspoken/unwritten default behaviour of the Intune browser.

Back to publishing the apps and making them work only via the Intune Managed Browser.

a) Publish an app using Azure AD App Proxy. For more reference, refer to this link –> https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-publish-azure-portal

b) Create a Conditional Access policy specific to the Azure AD App Proxy published link and make sure the condition has both "Browser" and "Mobile apps and desktop clients" selected, and access is allowed only from "Approved Clients". As of the writing of this blog, Microsoft has made this available to access the App Proxy applications only for iOS using Conditional Access. Work on Android is in progress. Revisit this blog in March 2018 or talk to your Microsoft representative to get the latest on Android-based access control.

For Android users, you have 2 options: 1) block access to the apps when the user tries to access them using the Intune browser or another browser, 2) let users access these apps from any browser (you have DLP loss).

Conditional Access settings:

Cloud Apps:

Choose the applications that you want to allow users to access.

Device Platform:

Client Apps:

Access control:

c) Configure the Managed Browser app to use App Proxy redirection. Go to your Intune browser configuration and add the configuration key com.microsoft.intune.mam.managedbrowser.AppProxyRedirection with the value true. Refer to this link –> https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser

What the setting does is allow internal links published via Azure AD App Proxy, and sent as links in emails or via “any Intune approved client app” on the device, to open directly in the Intune Managed Browser.

This way, even if you cannot resolve internal links on the internet, “any Intune approved client app” is smart enough to understand that these links are published via Azure AD App Proxy and should be opened in the Intune browser.

End User Experience:

On an Android device, if the user tries to access the application using the Intune or a third-party browser, they will see a prompt ‘Action Blocked’: This action is not allowed by your organization.

This action not allowed: Your organization only allows you to open work or school data in this app.

On an iOS device, if the user tries to access the application using a third-party browser, it fails with the error “You can’t get there from here” and directs them to use the Intune Managed Browser.

Hope it helps.

Powershell script to run automated tasks for O365 using stored credentials

Since I started working on Office 365, I have been getting many requests to automate some repetitive tasks such as the O365 license report, the off-boarding process (when an employee leaves the company), enabling MFA (this can be done using CA as well, without a script), getting the MFA status for users, and many other Intune-related tasks as well.

For all these scripts that we run from on-prem (trusted locations), I always find it difficult to enter the tenant ID and password every time I run the script, hence I have decided to suppress the credential prompts and let the script run without any manual intervention.

If you have enabled MFA for the account that you use to run the scripts, this method doesn't work.

We have MFA enabled for all accounts, but we define conditional access to suppress MFA if the user logs in from a trusted location, which is on-prem.

Below is the few-line code to store your credentials in encrypted format for the tenant user name, and to use this file to run the script in an automated way using scheduled tasks.

I strongly suggest restricting access to the encrypted file to selected users on the PC that you place it on.

In this blog post, I will go with a simple PowerShell script that generates a list of users with their O365 license information and outputs it into a CSV file.

First, decide on a location to store the encrypted file that holds the password (I place it on a server in D:\sources\scripts\PW.key).

We start with storing the password for the user name (the tenant user name, i.e. eswar@eskonr.com, is the user who is Global Administrator).

Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "D:\sources\scripts\PW.key"

Once the password is entered, it is stored in the PW.key file. This is a one-time task until the password for the tenant user is changed. If you park accounts in CyberArk, you might have to rerun the above command line more frequently.

Now, we can use this file to run our scripts on the O365 tenant.

I will now start with getting the script location as the current directory to store the output file with today’s date.

$scriptPath = $script:MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath
$date = (get-date -f dd-MM-yyyy-hhmmss)

Next, import the required module:

try {
    Import-Module -Name MSOnline -ErrorAction Stop
    }
catch {
       Write-Warning -Message "Failed to import module"
      }

Next, define the tenant user name and the tenant password file that we encrypted, and then start running the actual script.

$TenantUname = "eswar@eskonr5.com"
$TenantPass = cat "D:\sources\scripts\PW.key" | ConvertTo-SecureString
$TenantCredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $TenantUname, $TenantPass

Finally, we run the actual script that brings the results from O365.

Connect-MsolService -Credential $TenantCredentials
Get-MsolUser -All |Where {$_.IsLicensed -eq $true } |Select DisplayName,SigninName,Title,Department,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSKUid}} | Export-Csv -Path "$dir\O365UserLicenseInfo-$date.csv"  -NoTypeInformation

The full script is given below:

<#
Title:Get o365 user license information
Author:Eswar Koneti
Date:19-Feb-2018
#>

#Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "D:\sources\scripts\PW.key"
#Get the script location path
$scriptPath = $script:MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath
$date = (get-date -f dd-MM-yyyy-hhmmss)

# Import required modules
try {
    Import-Module -Name MSOnline -ErrorAction Stop
    }
catch {
       Write-Warning -Message "Failed to import module"
      }
#Define tenant user details and to match with the password you entered above
$TenantUname = "eswar@eskonr5.com"
$TenantPass = cat "D:\sources\scripts\PW.key" | ConvertTo-SecureString
$TenantCredentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $TenantUname, $TenantPass

Connect-MsolService -Credential $TenantCredentials
Get-MsolUser -All |Where {$_.IsLicensed -eq $true } |Select DisplayName,SigninName,Title,Department,UsageLocation,@{n="Licenses Type";e={$_.Licenses.AccountSKUid}} | Export-Csv -Path "$dir\O365UserLicenseInfo-$date.csv"  -NoTypeInformation
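As an added example (not from the original post), here are the store-and-load steps above wrapped into two functions, with the key file's ACL locked down to the creating account and SYSTEM, and a clearer error for the common failure: ConvertFrom-SecureString without -Key uses Windows DPAPI, so the file can only be decrypted by the same Windows account on the same machine that created it, which is why the scheduled task must run under that account. The path and user name are the post's values; the function names are my own.

```powershell
# Added example, not part of the original post: store the tenant password (DPAPI-protected),
# restrict who can read the key file, and load it back as a PSCredential for the scheduled script.

function New-StoredTenantPassword {
    param([Parameter(Mandatory)][string]$Path)   # e.g. D:\sources\scripts\PW.key

    # Without -Key, ConvertFrom-SecureString uses Windows DPAPI: the output can only be
    # decrypted by the same Windows account on the same machine that wrote it.
    Read-Host -Prompt "Enter your tenant password" -AsSecureString |
        ConvertFrom-SecureString | Out-File -FilePath $Path

    # Drop inherited permissions so only the creating account and SYSTEM can read the file.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in @($me, 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredTenantCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,   # e.g. eswar@eskonr.com
        [Parameter(Mandatory)][string]$Path
    )
    if (-not (Test-Path -Path $Path)) { throw "Password file '$Path' not found." }

    # Warn if the file is readable by anyone other than the current account or SYSTEM.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $extra = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -ne $me -and $_.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM'
    }
    if ($extra) { Write-Warning ("Key file also readable by: " + (($extra.IdentityReference.Value | Sort-Object -Unique) -join ', ')) }

    try {
        $secure = Get-Content -Path $Path | Select-Object -First 1 | ConvertTo-SecureString -ErrorAction Stop
    } catch {
        # Typical cause: the scheduled task runs as a different account, or on a different
        # machine, than the one that created the file, so DPAPI cannot unprotect it.
        throw "Could not decrypt '$Path' as ${env:USERDOMAIN}\${env:USERNAME} on ${env:COMPUTERNAME}. $_"
    }
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

# Usage: run New-StoredTenantPassword -Path 'D:\sources\scripts\PW.key' once interactively, then in the scheduled script:
# Connect-MsolService -Credential (Get-StoredTenantCredential -UserName 'eswar@eskonr.com' -Path 'D:\sources\scripts\PW.key')
```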


Hope it helps!