How to allow set of Mac users to use cloud apps while blocking others using Conditional Access

Introduction:

Conditional Access allows IT to grant you (the end user) access to corporate resources based on a set of conditions: if you meet those conditions, you are let in. If you don't meet those conditions, or perhaps meet only one or two, there will be additional steps for you to take before the front door is unlocked and you are invited in for dinner. You can best think of Conditional Access as an "If/Then" statement. For example, if you are coming from a device that is unmanaged (and using an unapproved application), then allow access but require you to enroll the device in MDM (i.e. make it managed) and download the approved application for accessing email. For more information and a graphical representation, click here.

If you are a financial, insurance or other organization that has a lot of security requirements around data breaches and uses Intune, then this post is for you.

At the time of writing this post, Intune does not provide MAM (which is more about controlling the data, i.e. DLP) to protect the data in apps like Teams, OneDrive, Outlook etc. on Mac devices. If a user uses OneDrive with a work account on a Mac device, there is no way you can protect the data, while on Windows 10 you can use WIP (Windows Information Protection).

Since there are no DLP policies to protect data on Mac devices, you will have to find a way to block Mac users trying to connect to O365 applications. To block this, you can use Conditional Access (an Azure AD Premium subscription is required). I recently blogged about how to block unsupported OS using Conditional Access: http://eskonr.com/2018/01/how-to-restrict-to-access-to-o365-from-unsupported-os-like-ubuntu-centos-using-conditional-access/

But there are cases, like the one I had, where you get a request from your customer: hey, we have a few senior executives, directors, CTO, CEO who are using Mac devices and they want to access email and Teams. Can you do something for these guys?

Hmm... if you get a request like this, you must tell the customer about the DLP issues and the Intune support for Mac devices. If the customer is happy to accept the risk of a data breach, then you are ready to provide the solution to Mac users.

How do we allow a set of users to access O365 using Mac devices while blocking others?

We are going to use Conditional Access to accomplish this task.

To achieve this, you are required to create 3 different Conditional Access policies (yes, it is 3; that is how I got it to work. If you have a better approach, post it via the comments section).

First, gather the list of users or create an AD security group in your on-prem AD / Azure AD. I would prefer to go with on-prem AD, since it is easy to add users later who will use Mac devices.

Once you have the user group (O365-Mac-users), we can start creating the Conditional Access policies.

1. Conditional Access (Global-Block-UnSupprtOS-AllLoc-AllClouldApps): this CA will block all users from accessing all cloud apps on Mac devices, except the Mac users (AD security group).

2. Conditional Access (Global-Block-UnsuppOSExceptMacOS-AllLoc-AllApps): this CA will block all unsupported OS except Windows, iOS, Android (these are already in use, so they must be excluded) and Mac OS (which is going to be used now).

3. Conditional Access (Global-Allow-MacOS-AllLoc-outlook-teams): this CA will allow Mac users (the AD group created above) to access Teams and Outlook (if you want all Intune-supported apps, you can do so in this CA).

Now, let's look into the settings for each Conditional Access policy.

1. Conditional Access (Global-Block-UnSupprtOS-AllLoc-AllClouldApps):

Users and groups: include all users and exclude the Mac users (the AD security group) that we created earlier.

Cloud apps: Select All cloud apps

Conditions:

Device platforms: All platforms (including unsupported), but exclude Android, iOS, Windows. If you don't exclude them, you are blocking all these devices.

Grant: Block access, with 'Require one of the selected controls'.

2. Conditional Access (Global-Block-UnapprovedOSExceptMacOS-AllLoc-AllApps):

Users and groups: Mac user group

Cloud apps: All cloud apps

Conditions:

Device platforms: include all platforms and, in exclude, select iOS, Android, Windows and Mac. This will allow all platforms except unsupported ones like Ubuntu, Linux etc.

Access control: Block access, with 'Require one of the selected controls'.

3.Conditional Access (Global-Allow-MacOS-AllLoc-outlook-teams):

We have reached the final CA, which does the trick of allowing Mac users to use cloud apps.

Users and groups: add the Mac user group that we created earlier.

Cloud apps: choose the apps to which you want to give access, like Teams, Exchange Online etc.

Conditions: Device platforms, include Mac OS only.

For client apps, choose Mobile apps and desktop clients.

Access control: Grant, with 'Require device to be marked as compliant' and 'Require one of the selected controls'.

With this, users who are part of the AD security group that we created earlier can access Teams and Outlook after they enrol the Mac device (and it meets whatever compliance policy you set).

You can also use What If in Conditional Access to verify which policies are applied to a user.

Hope it helps!


How to Manage and Configure Intune Managed Browser for DLP (An alternate solution to app configuration with allow block URL)

Introduction:

The Intune Managed Browser app lets you safely view and navigate web pages that might contain company information and provides a secure web-browsing experience for Microsoft Office and other apps managed by Microsoft Intune. This browser helps your IT administrator protect company information without restricting your regular web browsing or app experience.

Intune Managed Browser is not like other browsers (Chrome, Firefox and other 3rd-party browsers). It is a unique browser that does not let you upload any files, which means you can open Gmail, OneDrive or any cloud hosting provider in the Intune browser but it will not let you upload any files. How does this matter to me? Well, if you are using Microsoft Intune as your mobile device management solution, you must plan and configure the MAM policies (data control) for the Intune browser.

Below is a scenario, from my experience, that will help you understand data leakage from the Intune browser and how the solution avoids having to configure allow/block URLs for end users.

If you configure a MAM policy (data control) with your required application settings for all Intune-supported applications including Intune Managed Browser, you will experience data leakage issues with the managed browser unless you configure allow/block URLs using app configuration. Why do I hit DLP issues with the managed browser? If you configure the MAM policy with the following setting (Policy managed apps, or with paste in), you are allowing data to be copied from OneDrive, Teams, Outlook etc. to Intune Managed Browser. I can open Intune Managed Browser, open Gmail/OneDrive, and copy the data from the Intune apps to any of these unmanaged sites to leak the data.

Alternatively, you can configure an allow or block list of URLs, but how many URLs would you configure? There could be tons of URLs which users might want to access, which is impossible to cover with an allow or block action.

So what is the solution then? If you really care about DLP, then I see only one possible solution that can minimize or eliminate DLP issues.

The solution I am going to talk about eliminates the need to configure an allow/block list of URLs, lets users open all links from the managed applications in the browser automatically, and declines the copy/paste option from these managed apps to Intune Managed Browser. I don't see a reason for a user to copy data from managed apps to Intune Managed Browser other than opening links. Feedback via the comments section is welcome.

Solution:

When you configure the MAM policy for iOS and Android, do not choose Intune Managed Browser. We will create a separate MAM policy for iOS and Android.

Create a MAM policy for iOS/Android with the following settings (MAM_iOS_IntuneBrowser) for the Managed Browser application.

Targeted apps: choose Managed Browser.

Policy settings: look out for the primary settings that are arrowed.

With this configuration, we allow users to open any links from the managed applications in Intune Managed Browser but restrict cut/copy/paste.

If you want to allow or block a list of URLs, I blogged about it previously here: http://eskonr.com/2017/12/configure-bookmarks-allow-and-block-urls-for-the-managed-browser-using-intune/

Until Next!

Conditional Access to prompt MFA if user coming from untrusted location a.k.a exclude MFA from company intranet

Introduction:

Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism.

What is Azure Multi-Factor Authentication? Two-step verification is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions.

Azure AD recommends that you require multi-factor authentication (MFA) for all your users, including administrators and all other users who would have a significant impact if their account was compromised (for example, financial officers). This reduces the risk of an attack due to a compromised password. For more information about Azure MFA, please refer to https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication.

Problem:

I had a requirement from a customer to prompt for MFA only if the user is trying to access O365 services from the internet (untrusted location), but suppress MFA if the user is connecting from on-prem network locations (LAN or Wi-Fi).

Solution:

In this blog post, we will see how to create a Conditional Access policy to prompt for MFA if the user is coming from an untrusted location to access any Office 365 services.

How do I know the trusted locations? How do I categorize trusted vs. untrusted locations?

The Trusted IPs feature of Azure Multi-Factor Authentication is used by administrators of a managed or federated tenant. The feature bypasses two-step verification for users who sign in from the company intranet (LAN or Wi-Fi). The feature is available with the full version of Azure Multi-Factor Authentication, and not the free version for administrators.

To know the IP subnet ranges of your office network locations, contact your network team, who can help you with this information.

Once you have the IP subnet information (e.g. 202.50.14.96/27, 202.60.196.192/28 etc.), you need to define all these IP subnets as MFA trusted IPs.

To do this, log in to https://portal.azure.com, click on Azure Active Directory, then the Users blade. At the top, you will see Multi-Factor Authentication.

Once the MFA portal opens, click on service settings

More information about the settings you see on this page is given in the TechNet documentation: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

Following are the settings that I would like to configure:

Once this is done, we will now create a Conditional Access policy to prompt for MFA if a user tries to access O365 services from a non-trusted location (not from the intranet or the IP subnets you defined above).

Create a new Conditional Access policy or use an existing one if you want. I would prefer a new one only for MFA; name it: Global-Allow-AllPlat-AllUnTrus-AllApps-ExtMFA

Assignments :

Select the users and groups to which you want to apply this Conditional Access policy.

Cloud Apps:

Choose the apps for which you want MFA to be prompted.

Conditions:

Device platforms: All platforms

Locations:

Include: Any location

Exclude: Selected locations, and choose MFA trusted IPs, which we added earlier with all the IP subnets.

All trusted locations: this option applies to:

All locations that have been marked as trusted locations
MFA trusted IPs (if configured)

For more information about all trusted locations and how locations are evaluated, read https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-locations

Client apps: select Browser, Mobile apps and desktop clients

Access Control: Require multi-factor authentication

With this, we have completed setting up Conditional Access to prompt for MFA from untrusted locations.

Evaluation results from the Conditional Access:

To check the Conditional Access results, you can use the What If condition that was introduced recently.

On the Conditional Access page, click on What If, enter the user name, choose the cloud app, choose the device, then click What If to see the evaluation results.

As you can see above, the conditional access with Grant controls ‘Require multi-factor authentication App’ is applied to the user.
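The same evaluation can be reasoned about offline. The following is an added example, not code from either post: a small Python model of the four policies described on this page (the three Mac policies from the earlier post plus the untrusted-location MFA policy from this one), run against constructed sign-ins the way What If would. It assumes the MFA policy targets all users and all cloud apps, uses the example subnets from this post as the trusted IPs, and the names SignIn, Policy and evaluate are mine.

```python
"""Model of how the Conditional Access policies in the two posts combine.

Constructed example (not Microsoft's evaluation engine, not from the posts):
a policy applies when all its assignments and conditions match the sign-in;
any applying Block wins, otherwise the grant controls of all applying
policies are combined, which is what the What If tool reports."""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set

MAC_GROUP = "O365-Mac-users"  # AD security group named in the Mac post
# MFA trusted IPs, using the example subnets from the MFA post (constructed)
TRUSTED_IPS = [ipaddress.ip_network(n)
               for n in ("202.50.14.96/27", "202.60.196.192/28")]


def is_trusted_location(ip: str) -> bool:
    """True when the sign-in address is inside one of the MFA trusted IP ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_IPS)


@dataclass(frozen=True)
class SignIn:
    groups: FrozenSet[str]
    app: str
    platform: str    # Windows, iOS, Android, macOS, or an unsupported OS name
    client_app: str  # "browser" or "desktop" (mobile apps and desktop clients)
    ip: str


@dataclass
class Policy:
    name: str
    block: bool                                   # Block access vs Grant access
    include_groups: Optional[Set[str]] = None     # None = all users
    exclude_groups: Set[str] = field(default_factory=set)
    apps: Optional[Set[str]] = None               # None = all cloud apps
    include_platforms: Optional[Set[str]] = None  # None = all platforms
    exclude_platforms: Set[str] = field(default_factory=set)
    client_apps: Optional[Set[str]] = None        # None = any client app
    exclude_trusted_locations: bool = False       # Locations: exclude trusted IPs
    controls: FrozenSet[str] = frozenset()        # grant controls the user must satisfy

    def applies(self, s: SignIn) -> bool:
        """Every assignment and condition has to match; an exclusion always wins."""
        user_ok = ((self.include_groups is None or bool(s.groups & self.include_groups))
                   and not (s.groups & self.exclude_groups))
        platform_ok = ((self.include_platforms is None or s.platform in self.include_platforms)
                       and s.platform not in self.exclude_platforms)
        app_ok = self.apps is None or s.app in self.apps
        client_ok = self.client_apps is None or s.client_app in self.client_apps
        location_ok = not (self.exclude_trusted_locations and is_trusted_location(s.ip))
        return user_ok and platform_ok and app_ok and client_ok and location_ok


SUPPORTED_OS = {"Android", "iOS", "Windows"}  # already in use, so excluded from 1 and 2

POLICIES = [
    # 1: everyone except the Mac group is blocked on macOS and on unsupported OSes
    Policy("Global-Block-UnSupprtOS-AllLoc-AllClouldApps", block=True,
           exclude_groups={MAC_GROUP}, exclude_platforms=SUPPORTED_OS),
    # 2: the Mac group is still blocked on unsupported OSes (Ubuntu, CentOS, ...)
    Policy("Global-Block-UnsuppOSExceptMacOS-AllLoc-AllApps", block=True,
           include_groups={MAC_GROUP}, exclude_platforms=SUPPORTED_OS | {"macOS"}),
    # 3: the Mac group gets Teams and Exchange Online from macOS desktop clients,
    #    but only on a compliant (Intune-enrolled) device
    Policy("Global-Allow-MacOS-AllLoc-outlook-teams", block=False,
           include_groups={MAC_GROUP}, apps={"Teams", "Exchange Online"},
           include_platforms={"macOS"}, client_apps={"desktop"},
           controls=frozenset({"compliantDevice"})),
    # 4: MFA from anywhere except the trusted IPs (assumed to target all users and
    #    all cloud apps; the MFA post leaves both choices to the reader)
    Policy("Global-Allow-AllPlat-AllUnTrus-AllApps-ExtMFA", block=False,
           client_apps={"browser", "desktop"}, exclude_trusted_locations=True,
           controls=frozenset({"mfa"})),
]


def evaluate(s: SignIn, policies=POLICIES):
    """Return ("BLOCK", {blocking policy names}) or ("GRANT", {required controls})."""
    hit = [p for p in policies if p.applies(s)]
    blockers = {p.name for p in hit if p.block}
    if blockers:
        return "BLOCK", blockers
    controls: Set[str] = set()
    for p in hit:
        controls |= p.controls
    return "GRANT", controls  # empty set: access with no extra controls


if __name__ == "__main__":
    mac_exec, staff = frozenset({MAC_GROUP}), frozenset()
    for label, s in {
        "Mac exec, Teams on macOS, internet": SignIn(mac_exec, "Teams", "macOS", "desktop", "203.0.113.10"),
        "Mac exec, Teams on macOS, office LAN": SignIn(mac_exec, "Teams", "macOS", "desktop", "202.50.14.100"),
        "Staff, Teams on macOS": SignIn(staff, "Teams", "macOS", "desktop", "203.0.113.10"),
        "Mac exec on Ubuntu": SignIn(mac_exec, "Teams", "Ubuntu", "desktop", "202.50.14.100"),
        "Staff, Outlook on Windows, office LAN": SignIn(staff, "Exchange Online", "Windows", "desktop", "202.60.196.200"),
    }.items():
        print(f"{label}: {evaluate(s)}")
```

A sign-in that no policy matches (for example a Mac-group user on macOS opening an app that is not in policy 3's app list) comes back as GRANT with no controls, which is worth checking before relying on the compliance requirement.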

Hope you enjoyed reading this article ,see you in next blog.

References: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#trusted-ips

Using SCCM how to check if the user mailbox is migrated to exchange online (cloud) from on-prem exchange

Introduction:

We are in the process of migrating users (mailboxes) from on-prem to Office 365 (cloud). As part of this project, one of the requirements is to deploy the Office 365 ProPlus (C2R) application to all users, replacing the old version of Microsoft Office. We use the PowerShell App Deployment Toolkit, which simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

Once users have got Office 365 ProPlus and other Office 365 components like Microsoft Teams, Yammer, OneDrive etc., the final task is to migrate the user mailbox to the cloud. Mailbox migration can be first, in the middle or last; there is no sequence, as it is an independent task.

Deployment of Office ProPlus and other components is done by SCCM, hence we can create some nice dashboards/reports to monitor the progress of the deployments, but we are missing the mailbox migration status, which happens from the on-prem Exchange server to Exchange Online (EOL).

How do we get the status of mailbox migration from on-prem to Exchange Online using SCCM?

I am not an Exchange guy, hence I may not be able to provide much information about the theory behind this; if you have any questions about Exchange Online or mailbox migration, you can reach out to the TechNet forums or contact Microsoft support.

When the mailbox is moved (sync and cutover) from on-prem to Exchange Online, there are a couple of attributes that are set in Active Directory. Some of them are listed below.

msExchVersion
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRemoteRecipientType
targetAddress

By default, when the user mailbox is on-prem, the targetAddress attribute is empty (it does not contain any value). Once the user mailbox is moved to the cloud, this attribute is set to username@yourtenantname.mail.onmicrosoft.com

For example, the user's email address is Demo1@eskor.com and after the migration, targetAddress is set to Demo1@koneti.mail.onmicrosoft.com (where koneti is my tenant name).

Once this attribute is stamped with the cloud email address, we can use SCCM to discover this attribute using AD User Discovery and put that info in an SSRS report.

A quick way to view an object's Active Directory targetAddress attribute is through the Active Directory Users and Computers console. In AD Users and Computers, ensure that Advanced Features has been enabled under the View menu.

Go to the OU, locate the object you are looking for, right-click on the user, choose Properties, then the Attribute Editor tab, and locate targetAddress.

How do we discover this attribute in SCCM?

Go to your SCCM console, Administration, Hierarchy Configuration, Discovery Methods and choose Active Directory User Discovery.

From the available attributes, choose targetAddress, click Add, then click OK.

Once this is done, you will need to wait for the user discovery to happen (delta discovery), or you can force the discovery cycle by right-clicking on the discovery method.

After the discovery runs, you will have targetaddress0 in the v_r_user SQL view to create nice SSRS reports.

A couple of SQL views that I used to create an SSRS report with Office 365 ProPlus installation, user mail, user name, cloud information and user group are listed below.

v_r_user

v_GS_OFFICE365PROPLUSCONFIGURATIONS

v_RA_User_UserGroupName

v_R_System

and finally SSRS report:

Hope it helps!

Different methods to setup Azure MFA Registration for O365

Introduction:

This is going to be my 2nd or 3rd blog on Azure MFA (multi-factor authentication). Azure MFA is two-step verification: a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the verification methods.

You can take one of two approaches for requiring two-step verification. The first option is to enable each user for Azure Multi-Factor Authentication (MFA). When users are enabled individually, they perform two-step verification each time they sign in (with some exceptions, such as when they sign in from trusted IP addresses or when the remembered devices feature is turned on). The second option is to set up a conditional access policy that requires two-step verification under certain conditions.

By default, all users that are synced/created in Azure AD have the MFA status Disabled (the user is not enrolled in Azure MFA). When an admin enrolls users in Azure MFA, their state changes to Enabled. When enabled users sign in and complete the registration process, their state changes to Enforced.

For more information about MFA, refer to https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states, and for pricing, https://azure.microsoft.com/en-us/pricing/details/multi-factor-authentication/.

Problem:

I had a requirement from the business to set up MFA (force users to set up MFA) for all users as a 2nd-factor authentication as part of their security requirements, but with the condition that MFA should not be prompted when a user accesses cloud applications from the corporate network (trusted IP addresses), except for the first time. What this means is: when a user tries to access any cloud application, it must prompt them to set up MFA (if not already set up); once the user has set up MFA, there should be no MFA prompt afterwards on the corporate network, only from external (untrusted) networks.

In this blog post, we are going to see the different options available for MFA registration and which method we are going to use for this requirement.

What are the methods available for MFA registration / configuring Azure Multi-Factor Authentication settings?

There are 3 methods for MFA registration, listed below.

1. Enable MFA for users individually/scripted (per-user MFA)

2. Azure AD Conditional Access (application-based MFA)

3. Azure AD Identity Protection (AAD IP)

1. Enable MFA for users individually:

You can get the list of users who need MFA enabled manually or via script (change the status from Disabled to Enabled). This is more of a manual method and not dynamic. Every time you have a new user, you must go to the MFA portal and enable MFA for the user. Once MFA is enabled, the user can log in (portal.office.com) and register for Azure MFA. Enabled users are automatically switched to Enforced when they register for Azure MFA. Do not manually change the user state to Enforced.

How to enable MFA for users manually:

Go to https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx?

Choose the account for which you want to enable MFA and click Enable.

For multiple users, you can use a PowerShell script.

PowerShell reporting:

Identify users who have registered for MFA using the PowerShell that follows.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods -ne $null} | Select-Object -Property UserPrincipalName

Identify users who have not registered for MFA using the PowerShell that follows.

Get-MsolUser -All | where {$_.StrongAuthenticationMethods.Count -eq 0} | Select-Object -Property UserPrincipalName

Is this supported for the business requirement: No

2. Azure AD conditional access:

Using this option, we don't have to go to the MFA portal like in step 1 to configure MFA or run a script; instead we can configure a Conditional Access policy to prompt for MFA for applications.

Create an Azure AD Conditional Access policy with access control set to grant 'Require multi-factor authentication', and the applications you want to be configured with the MFA option.

When the user tries to access the application, it will challenge the user to set up MFA. Once the user sets up MFA, the MFA status will change from Disabled to Enforced.

Microsoft recommends using Azure Conditional Access, which is app-based MFA via Conditional Access.

Is this supported for the customer requirement: No, but why?

If you look at the problem description, the business requested to suppress the MFA prompt when users access cloud applications on the corporate network, hence there will be a Conditional Access policy to suppress MFA while users are on the intranet (with the list of trusted IP addresses).

We cannot have one Conditional Access policy to suppress MFA and another to set up MFA while users are on the corporate network.

For more information about prompting for MFA if the user is coming from an untrusted location, a.k.a. excluding MFA from the company intranet, see http://eskonr.com/2018/03/conditional-access-to-prompt-mfa-if-user-coming-from-untrusted-location-a-k-a-exclude-mfa-from-company-intranet/

3.Azure AD Identity Protection (AAD IP):

Now we have the 3rd option, which is called Azure AD Identity Protection. Azure AD Identity Protection helps you manage the roll-out of multi-factor authentication registration by configuring a policy that enables you to set the users and groups.

We will use Identity Protection to challenge users for MFA without using method 1 and method 2; it is independent of the above methods.

Though Identity Protection has many other features, we don't discuss them all in this blog since our requirement is to set up MFA. You can read more at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

To configure this, you need to be a Security Reader, a Security Admin or a Global Admin to use Identity Protection.

Log in to https://portal.azure.com

Click on All services and type Azure Identity

On the Azure AD Identity Protection blade, in the Configure section, click Multi-factor authentication registration

Under Multi-factor authentication registration policy:

Assignments: add the users you want to prompt to set up MFA; you also have the option to exclude users and groups in case no MFA is wanted for some users (super VIPs).

Access controls: choose Require Azure MFA registration.

Review lets you view the current registration status in your infrastructure.

Once all the settings are configured, set Enforce policy to On and save.

Once this is done, the user will get a prompt notifying them to set up MFA if not already done.

End user experience:

When the user tries to access applications hosted in the cloud, the user will get the following screen

Hope you enjoy reading this article. See you in next post.

References:

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identity-protection-faqs

SQL query to get client count with status active obsolete missing for collections in tabular column

Quick blog post on how to get the client count with active, obsolete and missing status for collections in a nice tabular column.

I used 3 SQL views in this query, v_r_system, v_FullCollectionMembership and v_Collection, with SUM and CASE statements.

You can use this SQL code in report creation with a collection prompt and also create linked reports.

-- One row per collection: total members plus Active / Obsolete / Missing client counts
select coll.Name [Collection Name], fcm.CollectionID, count(sys.name0) [Total clients],
SUM(CASE WHEN sys.Active0 = 1 THEN 1 ELSE 0 END) AS 'Active Clients',
SUM(CASE WHEN sys.Obsolete0 = 1 THEN 1 ELSE 0 END) AS 'Obsolete Clients',
SUM(CASE WHEN sys.Client0 is NULL THEN 1 ELSE 0 END) AS 'Client Missing'
from v_r_system sys
inner join v_FullCollectionMembership fcm on fcm.ResourceID=sys.ResourceID
inner join v_Collection coll on coll.CollectionID=fcm.CollectionID
-- replace these IDs with your own collections, or use a report prompt
where fcm.CollectionID in ('PS1000DE','PS1000DF')
Group by fcm.CollectionID, coll.Name

SQL output:

For more information about the SCCM client health dashboard, refer to https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-SSRS-2863c240

New version of System Center Updates Publisher (SCUP) is available to support windows 10 and server 2016

Microsoft released an updated version of System Center Updates Publisher (SCUP), version 6.0.278.0, which is now available and can be downloaded here.

System Center Updates Publisher (Updates Publisher) is a stand-alone tool that enables independent software vendors or line-of-business application developers to manage custom updates.

Using Updates Publisher, you can:

  • Import updates from external catalogs (non-Microsoft update catalogs).
  • Modify update definitions including applicability, and deployment metadata.
  • Export updates to external catalogs.
  • Publish updates to an update server.

This release of SCUP adds support for Windows 10 and Windows Server 2016, including the following improvements:

  • Indexing for quicker imports of previously imported catalogs –  Catalog producers can now index their catalogs. This will allow users to more quickly import large catalogs containing few new updates.
  • Inclusion of signing certificates within updates catalogs – Catalog producers can now include signing certificates with their updates catalogs.  This enables users to add the certificates to the trusted publishers list during import so that approval prompts will not block publish operations.

If you have installed SCUP Preview 1 or SCUP Preview 2, you must manually upgrade the installation to this version.

How to upgrade SCUP from the old version to the new version?

I have the following SCUP version in my lab (6.0.219.0), which I will be migrating to the new version (6.0.278.0).

Current version:

How to migrate to new version:

Since SCUP is a stand-alone tool, it doesn't require any database backup; however, I would like to take a backup of the database file (scupdb.sdf) in case of any issues after the migration. For more information about this database file, refer to this article.

Close any existing SCUP console (it doesn't allow more than one connection to be open on the same machine for multiple users, which I noticed).

If you did not close the open SCUP console and proceed to install, you will end up seeing the screen below, which gives you the option to close it and continue the installation.

After the installation completes, you will see the following screen

Now go to the Start menu, search for Updates Publisher and accept the license agreement

It will take a few minutes to check the database availability and load the console for you.

Now you should see all the data and settings that existed in the previous version.

Go to About to check the SCUP version.

All these settings, like the SCUP database and other settings in Options, will be retained from the old version to the new version.

If at all you don't see the configuration settings and catalogues, you can load the database file that we backed up in the first step.

Hope this helps you upgrade SCUP from the old version to the new one, and happy patching.

References:

http://eskonr.com/2017/08/sccm-configmgr-how-to-make-scup-console-settings-available-for-all-users-and-make-the-database-as-shared/

https://cloudblogs.microsoft.com/enterprisemobility/2018/03/21/system-center-updates-publisher-adds-support-for-new-oses/

https://docs.microsoft.com/en-us/sccm/sum/tools/updates-publisher

SCCM Configmgr Current Branch 1802 is now available new features and product enhancements!

Microsoft released Configuration Manager Current Branch version 1802 as an in-console update. You can apply this update on sites that run version 1702, 1706, or 1710.

This build is also available as a baseline version, which means you can use this media to install new ConfigMgr sites.

With this version, there are almost 37 new capabilities and changes available, which are listed below.

Reassign distribution point

Configure Windows Delivery Optimization to use Configuration Manager boundary groups

Support for Windows 10 ARM64 devices

Improved support for CNG certificates

Boundary group fallback for management points

Cloud distribution point site affinity

Management insights

Cloud management gateway support for Azure Resource Manager

Improvements to cloud management gateway

Configure hardware inventory to collect strings larger than 255 characters

Deprecation announcement for Linux and Unix client support

Surface device dashboard

Change in the Configuration Manager client install

Transition Endpoint Protection workload to Intune using co-management

Co-management dashboard in System Center Configuration Manager

Microsoft Edge browser policies

Allow user interaction when installing an application

Do not automatically upgrade superseded applications

Approve application requests for users per device

Run scripts improvements

Windows 10 in-place upgrade task sequence via cloud management gateway

Improvements to Windows 10 in-place upgrade task sequence

Improvements to operating system deployment

Deployment templates for task sequences

Phased deployments for task sequences

Install multiple applications in Software Center

Use Software Center to browse and install user-available applications on Azure AD-joined devices

Hide installed applications in Software Center

Hide unapproved applications in Software Center

Software Center shows user additional compliance information

Schedule automatic deployment rule evaluation to be offset from a base day.

Report for default browser counts

Report on Windows AutoPilot device information

Report on Windows 10 Servicing details for a specific collection

Improvements to Configuration Manager Policies for Windows Defender Exploit Guard

New host interaction settings for Windows Defender Application Guard

Improvements to the Configuration Manager console

How to get this update in your console to install?

Currently this update is available only via the fast ring, which means you need to run a PowerShell script to make this update available in your ConfigMgr console.

Download the PowerShell script from the TechNet gallery and run it: https://gallery.technet.microsoft.com/ConfigMgr-1802-Enable-4c8c0003

Once you run the script, open the console, click on Updates and Servicing, and wait for the update to show up.

If you do not see the update in the console, restart the SMS_EXECUTIVE service and refresh the node to see the update.

Alternatively, you can follow the log dmpdownloader.log

You can also use a SQL query to check the list of available updates in the Updates and Servicing node:

select * from vSMS_CM_UpdatePackages

The update will be downloaded to the EasySetupPayload folder, under the GUID of the update.

The status of update 1802 in the console will change to Downloading.

After some time, the state will change to Ready to install.

Choose the update and click on Install Update Pack, or, as recommended, check the prerequisites before installing the update pack.

Click Next to continue and choose the new features you are interested in. You can also enable these features after the update is installed.

Click Next, then Next again, to reach the last page.

Once it is done, you can monitor the status.

I had a failure because of low disk space on the ConfigMgr drive (less than 15 GB); once I extended the drive, I re-ran the job.

It takes 30 minutes or more to finish the job; once it is done, you are prompted to install the new console.

Site version/console version:

Additional resources:


SCCM Configmgr CB 1802 SQL Views documentation

With the release of SCCM ConfigMgr Current Branch 1802, there are some exciting features added since the previous version, 1710. When new features are released there are certainly changes to the database, and hence new SQL views/tables, which help us create some nice SSRS reports.

So with this Current Branch version, what's new in SQL for reporting?

There are around 1586 unique SQL views with a lot of information that you can retrieve from the site database to help you analyze the data.

Out of these SQL views, about 19 are newly added since the previous ConfigMgr version, 1710; they are listed below. There could be some SQL views that exist in both the new and old versions but have new data fields added; those are not listed here.

Some of the newly added SQL views listed below you might have already seen in ConfigMgr Technical Preview releases; however, they are now in the production release.

v_Default_Browser
v_GS_DEFAULT_BROWSER
v_GS_MDM_DEVDETAIL_EXT01
v_HS_DEFAULT_BROWSER
v_HS_MDM_DEVDETAIL_EXT01
v_LifecycleDetectedGroups
v_LifecycleDetectedProducts
v_LU_LifecycleProductGroups
v_LU_LifecycleProductHashes
vex_AI_LifecycleProductGroups
vex_AI_LifecycleProductHashes
vex_GS_DEFAULT_BROWSER
vex_GS_MDM_DEVDETAIL_EXT01
vSMS_Ao_ServerPrereqMonitoring
vSMS_AoSiteServerMonitoring
vSMS_ManagementInsightResultsList
vSMS_ManagementInsightRuleGroup
vSMS_PhasedDeployment
vSMS_ScriptsExecutionSummary

As usual, you can download the SQL views documentation, covering ConfigMgr 2012 to ConfigMgr Current Branch 1802, from TechNet here.

Happy reporting!

OneDrive sync client crashes on windows 7 due to Azure AD Conditional Access

Introduction:

With OneDrive, you can sync files between your computer and the cloud, so you can get to your files from anywhere. You can work with your synced files directly in File Explorer and access your files even when you're offline. Whenever you're online, any changes that you or others make sync automatically. By default, the OneDrive client is installed on Windows 10; you only need to install it on Windows 7. For how to install OneDrive on Windows 7 with a detection method using SCCM, read http://eskonr.com/2017/12/how-to-deploy-onedrive-for-business-using-configmgr/

You can download New OneDrive sync client from https://go.microsoft.com/fwlink/p/?linkid=844652

New OneDrive sync client release notes https://support.office.com/en-us/article/new-onedrive-sync-client-release-notes-845dcf18-f921-435e-bf28-4e24b95e5fc0

Problem:

We have Conditional Access applied to the cloud app SharePoint Online. SharePoint is the backbone for OneDrive and Teams, so Conditional Access applies to these two applications as well.

The new OneDrive sync client works with the conditional access control policies to ensure syncing is only done with compliant/Hybrid Azure AD Joined devices.

If a user tries to access Teams or OneDrive from Windows 7 or Windows 10, the device must be either compliant (for Windows 10) or Hybrid Azure AD joined.

We recently started seeing an issue on Windows 7 computers (which are Hybrid Azure AD joined) where the OneDrive sync client crashes when the user launches it after entering their credentials.

The users affected by this issue had been using OneDrive for a very long time, and there were no changes to the infrastructure with respect to OneDrive updates or O365.

View Problem Details in the Event Viewer reveals the following:

Faulting application name: OneDrive.exe, version: 17.3.7131.1115, time stamp: 0x5a0d0bd9
Faulting module name: KERNELBASE.dll, version: 6.1.7601.24000, time stamp: 0x5a4996d4
Exception code: 0x4000001f
Fault offset: 0x0001338d
Faulting process id: 0x202c
Faulting application start time: 0x01d3c57ede869140
Faulting application path: C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 206c675f-3172-11e8-b561-14abc5fc6f2e

Solution:

I spent some time troubleshooting the OneDrive logs and the Event Viewer, and also tried logging in to the laptop with a different user ID to see if the problem repeats. The issue is reproducible for other users as well.

After spending some time troubleshooting the issue using the OneDrive logs, I found that the Windows 7 computer was reported as not compliant (not Hybrid Azure AD joined) and also failed modern authentication (ADAL).

When I checked in the Azure portal, the user's computer shows as Hybrid Azure AD joined, and the user can access Teams, Outlook and other cloud apps, except OneDrive.

The following is the error from the OneDrive logs:

[9632][10948] 03-27-2018 09:05:55.470 oauthaadcredentialacquirer.cpp:839!OAuth::AADCredentialAcquirer::ParseTokenErrorResponse [1693] (INFORMATIONAL): Parsed error response. mapped value: DRX_E_AUTH_URL_ERROR_INTERACTION_REQUIRED, error: interaction_required, error_description: AADSTS53000: Windows device is not in required device state: compliant

[9632][9092] 03-27-2018 09:05:51.337 authplatform.cpp:729!AuthLibrary::AuthPlatform::IsADALEnabled [1754] (ERROR): Failed to query regkey: Software\Microsoft\OneDrive, keyname: EnableADAL with result: 2

Based on the logs, this is a modern authentication (ADAL-based) issue: ADAL is not enabled for OneDrive.

Modern authentication is enabled by default for SharePoint Online, which means client applications like OneDrive and Teams must be enabled to support ADAL.

The following registry values must be created to support ADAL authentication for OneDrive:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
"EnableADAL"=dword:1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
"EnableTeamTier_Internal"=dword:1

You can use a GPO to create these registry values for your users.

This fix is already documented in the TechNet support article on known issues: Azure Active Directory conditional access with the OneDrive sync client on Windows.

After the registry changes were applied, the issue was fixed.

We are still trying to identify why the issue was reported only recently, even though users had been using the same OneDrive sync client for a few months and Conditional Access was applied long ago.

Whether or not you have hit this issue, you can apply the GPO changes to avoid ADAL issues with Conditional Access.

I will update the post with the root cause.

Until next!

How to install Azure Information Protection (AIP) Client using ConfigMgr

The Azure Information Protection client (AIP) for Windows helps you keep important documents and emails safe from people who shouldn't see them, even if your email is forwarded or your document is saved to another location. You can also use this client (AIP) to open documents that other people have protected by using the Rights Management protection technology from Azure Information Protection.  Read more information about requirements for AIP https://docs.microsoft.com/en-us/azure/information-protection/get-started/requirements

All you need is a computer that runs at least Windows 7 with Service Pack 1; then download and install this free AIP client from Microsoft.

Before you install the AIP client, there are a few prerequisite components that need to be installed on the computer before AIP can process the policies for you.

In this blog post, we will see which prerequisites are required to deploy the AIP client, and their detection methods, on computers running Windows 7 SP1 and above.

Since the AIP client has four prerequisites, we will use a task sequence to deploy it instead of an application deployment with dependencies.

Prerequisites:

1. Microsoft .NET Framework 4.6.2: The AIP client requires a minimum version of Microsoft .NET Framework 4.6.2 and, if this is missing, the installer tries to download and install this prerequisite. When this prerequisite is installed as part of the client installation, your computer must be restarted.

2. Windows PowerShell version 4.0: The PowerShell module for the client requires Windows PowerShell version 4.0, which might need to be installed on older operating systems. For more information, see How to Install Windows PowerShell 4.0. The installer does not check or install this prerequisite for you. To confirm the version of Windows PowerShell that you are running, type $PSVersionTable in a PowerShell session.

3. Visual C++ Redistributable for Visual Studio 2015 (32-bit version): For computers running Windows 7 Service Pack 1, install vc_redist.x86.exe from the following download page: Visual C++ Redistributable for Visual Studio 2015

4. If you have Windows 7 SP1, the Azure Information Protection client requires a specific update, KB2533623. If your PC needs this update but it is not installed, installation completes but with a message that the Azure Information Protection client requires this update. Until this update is installed, you won't be able to use all features of the Azure Information Protection client.

In this post, I will not go step by step through the creation of all the prerequisite applications; instead, I will cover the important information such as the installation program, detection method and requirements.

Note: All these prerequisites require a reboot, including .NET and PowerShell. Without a reboot, the next component will not install, hence I leave the reboot to ConfigMgr based on the exit codes (3010 soft reboot, 1641 hard reboot).

1. Microsoft .NET Framework 4.6.2 or above:

Since a newer version of .NET Framework, 4.7.1, is available, I will go with that version instead of 4.6.2 (the minimum), but in the detection method I will look for .NET 4.6.2 and above. If 4.6.2 exists, the 4.7.1 installation is skipped.

Installation program : "NDP471-KB4033342-x86-x64-AllOS-ENU" /q

Detection rule: Setting type: Registry; Hive: HKEY_LOCAL_MACHINE; Key: SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full; Value: Release; Data type: Integer; Operator: greater than or equal to 461310 (this is .NET 4.6.1 and above).

User experience: Install for system, whether or not a user is logged in, and determine the behaviour based on return codes.

Requirements: Free disk space: 5 GB; OS: Windows 7 and any other OS you have.

2. Windows PowerShell version 4.0: I am going to create both PowerShell 4.0 and PowerShell 5.0 applications, as some Windows 7 machines that have version 2.0 cannot be upgraded to 5 directly (at least I have seen some failures).

Installation Program: wusa.exe Windows6.1-KB2819745-x64-MultiPkg.msu /quiet

Detection method: PowerShell. ConfigMgr treats any output as "installed", so nothing is written when the version is too low.

# Installed when the running PowerShell is 4.0 or later
# (the comparison must be -ge; with -gt, PowerShell 4.0 itself would never be detected)
if ($PSVersionTable.PSVersion -ge [version]'4.0')
{
    Write-Host "Installed"
}

Requirement: Windows 7 (Windows 10 ships with PowerShell 5.0, so there is no need to install it there).

Windows PowerShell version 5.1:

Installation Program: wusa.exe Win7AndW2K8R2-KB3191566-x64.msu /quiet

Detection method: PowerShell.

# Installed when the running PowerShell is 5.1 or later
# (compare the full version: -gt 5 on the major number would never match 5.1)
if ($PSVersionTable.PSVersion -ge [version]'5.1')
{
    Write-Host "Installed"
}

Requirement: Windows 7 (Windows 10 ships with PowerShell 5.0, so there is no need to install it there).

3. Visual C++ Redistributable for Visual Studio 2015 (32-bit version):

Installation program: "vc_redist.x86.exe" /q

Requirement rule: Windows 7 and windows 10.

Detection method: PowerShell. If the client already has VC++ 2015, the installation is skipped.

# Enumerate installed applications from the Uninstall keys. On 64-bit Windows the
# 32-bit (Wow6432Node) hive is included too, so the x86 redistributable is found.
function Get-InstalledApps
{
    if ([IntPtr]::Size -eq 4) {
        $regpath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }
    else {
        $regpath = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
    }
    Get-ItemProperty $regpath |
        Where-Object { $_.DisplayName -and $_.UninstallString } |
        Select-Object DisplayName, Publisher, InstallDate, DisplayVersion, UninstallString |
        Sort-Object DisplayName
}

# Any output means "installed" to ConfigMgr; no output means not detected
if (Get-InstalledApps | Where-Object { $_.DisplayName -like "Microsoft Visual C++ 2015 Redistributable*" })
{
    Write-Host "Installed"
}

4. Azure Information Protection client: Download the AIP client (AzInfoProtection.exe) from https://portal.azurerms.com/#/download (this link has both the viewer and the client).

Also download the KB update mentioned in the prerequisites document.

Installation program: Create a batch script with the following code. (After the update installation is done, it proceeds to install the AIP client; no reboot is required.)

REM Install the KB update (wusa waits for completion when run with /quiet)
wusa.exe "%~dp0Windows6.1-KB2533623-x64.msu" /quiet /norestart

REM "sleep" is not a built-in cmd command; use timeout to pause for 10 seconds
timeout /t 10 /nobreak >nul
REM Install the Azure Information Protection client from the same content folder
"%~dp0AzInfoProtection.exe" AllowTelemetry=0 /quiet /norestart

Detection Method: Windows installer: {30F836D2-A60B-4899-A369-B0FCA2884EAF}

Requirements : Windows 7 and windows 10.

If you are installing the AIP client on computers that run Office 2010, and your users are not local administrators on their computers or you do not want them to be prompted, then you must supply ServiceLocation.

If the client was not installed with the ServiceLocation parameter, when you first open one of the Office applications that use the Azure Information Protection bar (for example, Word), you must confirm any prompts to update the registry for this first-time use. Service discovery is used to populate the registry keys.

Ex: AzInfoProtection.exe /quiet /norestart ServiceLocation=https://a44b2fd2-6a02-4d36-86b4-0017a1cede50.rms.eu.aadrm.com

For how to get the service location, please refer to the document here.

With this, we have created five applications, and now we can use a task sequence to deploy them in the order given below.

1. Microsoft .NET Framework 4.6.2/4.7.1

2. Microsoft PowerShell 4.0

3. Microsoft PowerShell 5.1

4. Microsoft VC++ 2015

5. Microsoft AIP client
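As an added example (not from the original post), the following PowerShell script checks all four prerequisites above on the local computer in one go, which is handy as a pre-check step before the task sequence or as a ConfigMgr compliance script. It assumes an elevated PowerShell session (2.0 or later) on Windows 7 SP1 or later, and uses 394802 (the Release value of .NET Framework 4.6.2) as the .NET threshold, which differs from the 461310 used in the detection rule above.

```powershell
# Added example, not part of the original post: reports which AIP client prerequisites
# are missing on the local computer. Assumes an elevated session on Windows 7 SP1+.

function Get-AipPrerequisiteStatus {
    $results = @()

    # 1. .NET Framework 4.x: the Release DWORD of the v4 Full key. 394802 is the
    #    4.6.2 baseline the AIP client needs (newer builds have higher values).
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -ErrorAction SilentlyContinue
    $release = 0
    if ($ndp -and $ndp.Release) { $release = [int]$ndp.Release }
    $results += New-Object PSObject -Property @{
        Component = '.NET Framework 4.6.2 or later'
        Installed = ($release -ge 394802)
        Detail    = "Release=$release"
    }

    # 2. Windows PowerShell 4.0 or later ($PSVersionTable exists from PowerShell 2.0).
    $results += New-Object PSObject -Property @{
        Component = 'Windows PowerShell 4.0 or later'
        Installed = ($PSVersionTable.PSVersion -ge [version]'4.0')
        Detail    = "PSVersion=$($PSVersionTable.PSVersion)"
    }

    # 3. Visual C++ 2015 Redistributable (x86). Both Uninstall hives are searched so the
    #    32-bit package is found on 64-bit Windows; the 2015-2019 merged package matches too.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $vc = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
          Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2015*Redistributable (x86)*' } |
          Select-Object -First 1
    $results += New-Object PSObject -Property @{
        Component = 'Visual C++ 2015 Redistributable (x86)'
        Installed = ($null -ne $vc)
        Detail    = $(if ($vc) { $vc.DisplayName } else { 'not found in Uninstall keys' })
    }

    # 4. KB2533623 only applies to Windows 7 SP1 / Server 2008 R2 (NT 6.1); on other
    #    versions it is reported as satisfied so the report is not misleading on Windows 10.
    $os = [Environment]::OSVersion.Version
    $needsKb = ($os.Major -eq 6 -and $os.Minor -eq 1)
    $kb = $null
    if ($needsKb) { $kb = Get-HotFix -Id KB2533623 -ErrorAction SilentlyContinue }
    $results += New-Object PSObject -Property @{
        Component = 'KB2533623 (Windows 7 SP1 only)'
        Installed = ((-not $needsKb) -or ($null -ne $kb))
        Detail    = $(if ($needsKb) { "Windows $os, hotfix present: $($null -ne $kb)" }
                      else { "Windows $os, not required" })
    }

    $results | Select-Object Component, Installed, Detail
}

# Usage: print the status table, then exit non-zero when anything is missing so the
# script can double as a task sequence pre-check (task sequence step fails on non-zero).
$status = Get-AipPrerequisiteStatus
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Installed }) { exit 1 } else { exit 0 }
```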

Troubleshooting:

Deploy the task sequence to a device collection and follow the logs smsts.log and AppEnforce.log.

References:

https://docs.microsoft.com/en-us/information-protection/rms-client/client-user-guide

https://docs.microsoft.com/en-us/information-protection/rms-client/install-client-app

https://docs.microsoft.com/en-us/azure/information-protection/rms-client/client-admin-guide-install

https://github.com/MicrosoftDocs/Azure-RMSDocs/blob/master/Azure-RMSDocs/rms-client/client-admin-guide-install.md

How to protect Azure AD App proxy (AAP) applications on windows 10 using intune windows information protection (WIP) from DLP

Microsoft Intune helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.

Windows Information Protection (WIP), helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.

There is another data protection technology, Azure information protection (AIP) also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.

For more information about Windows information protection ,please read https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip

Windows Information Protection (WIP) field experience and test cases are explained in http://eskonr.com/2017/10/intune-windows-information-protection-wip-policies-test-cases-and-notes-from-the-field/

Recently, I had a requirement from the business to protect applications published using the Azure AD Application Proxy, which users access securely from the internet on BYOD Windows 10 devices.

When you let users access these applications securely from iOS/Android and Windows 10, you must have a DLP solution in place to prevent accidental data leakage from corporate applications.

For iOS and Android, refer to this post on Azure AD App Proxy with the Intune Managed Browser: http://eskonr.com/2018/02/control-access-to-applications-published-via-azure-ad-app-proxy-and-manage-access-only-via-approved-client-aka-intune-managed-browser/

In this blog post, we are going to see how to protect the applications published via Azure AD App Proxy, and OWA (Outlook Web Access), on users' BYOD Windows 10 devices using Windows Information Protection (WIP).

Note: I would recommend that you turn on Azure Active Directory Conditional Access, using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

First, identify the external URLs of the Azure AD App Proxy applications configured in Azure. If you don't have access to Azure AD App Proxy, ask your GA (Global Admin) to provide the URL format of the configured apps.

In my case, all the external URLs of the applications are in the format below:

http://SCCMReports-koneti.msappproxy.net/ (Appname-tenantname.msappproxy.net)

You might have apps created in a different format that ends with your own domain name instead of msappproxy.net, like http://SCCMReports-eskonr.com/

After you identify the domain names (msappproxy.net or your own domain name, eskonr.com), go to the Intune portal and create a new WIP policy, selecting Edge/IE as allowed applications.

Follow the steps given in the TechNet article to create the WIP policy: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure

In your WIP policy, under Required settings, choose the Windows Information Protection mode. I chose Block, but this depends on your organisation's policy.

Block : WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.

After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

While you are in the WIP policy, click Advanced settings, then Cloud resources.

Whatever values you specify (in the proper format) under Cloud resources are treated as corporate and protected by WIP according to your protection mode.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

For more information about cloud resource and format https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure#choose-where-apps-can-access-enterprise-data

Since we have already collected the necessary information about the Azure AD App Proxy external URLs, we add those domains to the Cloud resources list.

In the snippet above, I have added multiple cloud resources, including SharePoint, Yammer, Excel, PowerPoint and finally my App Proxy domains, .koneti.msappproxy.net and .eskonr.com.

The full list is given below.

koneti.sharepoint.com|koneti.powerbi.com|koneti.visualstudio.com|
koneti.crm.dynamics.com|www.yammer.com|yammer.com|persona.yammer.com|
koneti-files.sharepoint.com|tasks.office.com|protection.office.com|
meet.lync.com|teams.microsoft.com|/*AppCompat*/|
southeastasia1-mediap.svc.ms|excel.officeapps.live.com|
word.officeapps.live.com|Powerpoint.officeapps.live.com|
outlook.office.com|login.microsoftonline.com|login.windows.net|
.koneti.msappproxy.net|.eskonr.com

Go to the Assignments tab and select the groups to which you want to assign this policy.

End user experience:

Users can either open an application using its URL or connect to https://myapps.microsoft.com/ to see all the Azure AD App Proxy applications; the URL is shown as protected on the right-hand side of the address bar.

From these protected URLs, if a user tries to copy content to unprotected apps that are not defined in your WIP policy, access is denied.

If a user tries to copy content from these protected applications to unenlightened applications like Notepad, the protection controls travel with the data, and when the user tries to save the document it is saved as work rather than personal.

List of enlightened Microsoft apps for use with Windows Information Protection (WIP) https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip

Hope you enjoyed reading this article.

Office 365 connectivity issues an error occurred when trying to join your device to your organisation workplace

Introduction:

If you want to allow only corporate domain-joined Windows 7 computers to access Office 365 services and block personal Windows 7 devices, you must implement device-based Conditional Access. Device-based Conditional Access ensures that your users access your resources from devices that meet your standards for security and compliance. The following screenshot shows device-based Conditional Access with Hybrid Azure AD joined devices.

To achieve Hybrid Azure AD Join (AAD), you need to use the Workplace Join utility, which registers Windows domain-joined computers with Azure AD. To register domain-joined computers running Windows 7, Windows 8.0, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 or Windows Server 2012 R2, a Windows Installer package (.msi) is available. Download Microsoft Workplace Join for non-Windows 10 computers from https://www.microsoft.com/en-us/download/details.aspx?id=53554

For more information about How to configure hybrid Azure Active Directory joined devices https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup

Problem:

I am going to talk about an issue that we hit on non-Windows 10 computers recently. We got a few incidents from users who cannot activate ProPlus and cannot access Teams, OneDrive and other O365 applications; the following error message appeared.

The following error message is very common. It occurs if the device from which the user is trying to access O365 does not pass Conditional Access.

Solution:

To get this issue solved, the first thing to check is whether the Workplace Join completed successfully. How do you check that?

Open a command prompt, change the directory to C:\Program Files\Microsoft Workplace Join and run AutoWorkplace.exe /i

If you see the following screen, the device is Hybrid Azure AD joined, or at least Workplace Join did its job of creating the certificate and passing it over to Azure AD. If, even with the following screen, the user is unable to access the applications, then the issue is not related to Workplace Join.

On the problem PC, the user sees the following error, 'An error occurred when trying to join your device to your organisation workplace', together with the registration service authentication URL.

The registration service could not successfully authenticate your account. Please make sure you are logged in with your active directory domain account and try again.

What could go wrong with the above error message? The following are the possible solutions I tried.

1. Check if the user has configured MFA (if it is enabled for the user). If MFA is enabled but not configured, take the above URL and open it in IE; that gives the option 'Set up now'. If you don't get the MFA option, then read the solution given below.

2. Is the device connected to the corporate network?

3. Are SSL 2.0 and 3.0 disabled in the IE advanced configuration? (I have seen issues with SSL 2.0 and 3.0 enabled, hence I found that disabling them works fine.)

The user passed all the above checks but still could not get it working.

After checking the IE configuration settings, I found that the user has the following security setting in the Local intranet zone.

When the Workplace Join tool runs, it follows the above user authentication setting to create the certificate, which is failing here.

With the above setting, Workplace Join expects the user to pass the credentials, but it runs silently in the background, so it always fails.

Change the setting to 'Automatic logon only in Intranet zone' or 'Automatic logon with current user name and password'.

After you choose the setting, click OK and close IE. Now go back to the command prompt and run the same command again; this time it goes through without any error.

Why is this setting not set through GPO to prevent this kind of issue? Don't ask me that.

I will write another blog post listing all the possible Workplace Join related issues that I have come across during the last few months, which will help you get some insight.
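As an added example (not part of the original post), the following PowerShell reads the Local intranet zone logon option that Workplace Join depends on and switches it to 'Automatic logon only in Intranet zone', so the check can be scripted instead of clicking through the IE dialog. It assumes the per-user setting lives in HKCU (value 1A00 under Zones\1) and looks at the policy key first, since a GPO-enforced value has to be fixed in the GPO rather than on the client.

```powershell
# Added example, not part of the original post. Zone 1 is the Local intranet zone and
# DWORD 1A00 holds its "User Authentication > Logon" option (assumed locations below).
$UserZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$PolicyZoneKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$LogonOptions  = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

function Get-IntranetLogonOption {
    # A policy-enforced value wins over the per-user value, so report that one first.
    foreach ($key in @($PolicyZoneKey, $UserZoneKey)) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['1A00']) {
            $value = [int]$props.'1A00'
            $meaning = $LogonOptions[$value]
            if (-not $meaning) { $meaning = 'unrecognised value' }
            return New-Object PSObject -Property @{
                Source  = $key
                Value   = ('0x{0:X5}' -f $value)
                Meaning = $meaning
            } | Select-Object Source, Value, Meaning
        }
    }
    # Value not set: IE falls back to the zone's built-in default.
    New-Object PSObject -Property @{
        Source  = 'default (value not set)'
        Value   = '0x20000'
        Meaning = $LogonOptions[0x20000]
    } | Select-Object Source, Value, Meaning
}

function Repair-IntranetLogonOption {
    # Switch the per-user setting to "Automatic logon only in Intranet zone" (0x20000).
    # A value enforced by policy is left alone and reported, since it would just be
    # overwritten again by Group Policy.
    $current = Get-IntranetLogonOption
    if ($current.Source -eq $PolicyZoneKey) {
        Write-Warning "Logon option is enforced by policy ($($current.Meaning)); change it in the GPO."
        return $current
    }
    if (-not (Test-Path $UserZoneKey)) { New-Item -Path $UserZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $UserZoneKey -Name '1A00' -Value 0x20000 -Type DWord
    Get-IntranetLogonOption
}

# Usage: show the current setting, then repair it if it is the "Prompt" option that
# breaks the silent Workplace Join, and rerun AutoWorkplace.exe /i afterwards.
$before = Get-IntranetLogonOption
$before | Format-List
if ($before.Value -eq '0x10000') { Repair-IntranetLogonOption | Format-List }
```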

Until next!

Configmgr troubleshooting clients with update scan issues for office 365 client updates

Introduction:

Office 365 ProPlus is one of the subscription service plans in the new Office. It is productivity software (including Word, PowerPoint, Excel, Outlook, OneNote, Publisher, Access, Skype for Business) that is installed on your desktop or laptop computer. Office 365 ProPlus is a user-based service that allows people to access Office experiences on up to 5 PCs or Macs and on their mobile devices. Traditional Office installations were tied to the computers they were installed on.

A few months ago, we started rolling out Office 365 ProPlus (the cloud version) using ConfigMgr Current Branch. I created an application using the PowerShell App Deployment Toolkit in combination with the OffScrub scripts from Microsoft. Using these two scripts, you can fully automate the installation of Office 365 ProPlus by removing the old versions of Office (2007, 2010, 2013 and 2016 MSI-based) and installing the cloud version. I will write a blog post on how to use these two scripts to create the application that installs ProPlus, and on the GPO settings you need to consider for ProPlus for performance, the patching mechanism, etc.

Problem:

Coming to this blog post: we have a mixed environment which includes laptops, desktops and VDI (virtual desktop infrastructure) machines. ProPlus was installed on all these machines using SCCM. Installation went smoothly and users started using Office for their day-to-day work.

All looks good from the user's point of view, but when it comes to managing ProPlus updates you need to understand how it works and what settings are applied on the PC for ProPlus.

After ProPlus was installed on many computers, we started looking at the Office 365 updates section in SCCM (Software Library > Office 365 Client Management > Office 365 Updates) for patching and found that some of the clients report an update status, but the majority report Unknown, as shown below.

By the way, we are going with the Semi-Annual Channel, as we do not want to update ProPlus every month, hence we look at Semi-Annual Channel updates only for deployment.

Solution:

Looking at the large count of Unknown status, I started looking at the clients' chassis type, as some of them are working fine but the majority are not. This was surprising because we used the same package for ProPlus, one GPO with the ProPlus settings and one client agent setting.

When I am using one configuration for all, why is there a difference in the update scan status for Office 365 client updates?

Use the default report Home > ConfigMgr_Sitecode > Software Updates - A Compliance > Compliance 6 - Specific software update states (secondary) to find the Unknown clients.

After reviewing the Unknown clients, I found that the majority of them are VDI machines, hence there is something specific to the VDI machines.

I got one VDI assigned to my name so I could troubleshoot and find the root cause.

The following is the checklist I performed on the VDI that was having the issue:

1. Check if the SCCM client is working and healthy. How do you say it is healthy? Check the policy request and inventory in the SCCM console.

2. Is the client receiving policies, and what is the software updates status on this PC? Look at its last software update scan and also its last patching status. If this is working fine then, for sure, something is wrong with how the Office 365 ProPlus application was installed or with the configuration applied on the VDIs.

3. Verified in SCCM that the client agent settings are configured correctly with 'Enable management of the Office 365 client agent' set to 'Yes' in the Software Updates section. This setting can also be enabled through GPO. This is one of the requirements, as the SCCM client checks that the Office COM interface is enabled; it acts as the communication channel between Office and ConfigMgr, so this functionality must be turned on. You can check the registry value officemgmtcom on the client PC under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\common\officeupdate.

After all the above checks, I could not find anything wrong. Everything seemed to be good.

While troubleshooting this, I found a Microsoft article on troubleshooting Office 365 ProPlus patching through ConfigMgr: https://blogs.technet.microsoft.com/askpfeplat/2017/03/23/troubleshooting-office-365-proplus-patching-through-system-center-configuration-manager/

After reading the article, I found that there is one setting I still needed to verify, mentioned in checklist item 3 above: verify whether the COM interface is registered or not. As we have enabled it through GPO and also through the SCCM client agent settings, the COM interface should be registered (officemgmtcom). So how do you verify whether the COM interface is registered?

You can do this by verifying the existence of the following registry key on the client. This registry key is the same for ProPlus on each PC.

[HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

@="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeC2RCom.dll"

On the problem client, I could not find this registry key ({B7F1785F-D69B-46F1-92FC-D2DE9C994F13}).

As per the TechNet blog, I suspected the AV (antivirus) on the client was blocking the COM interface, hence I involved the AV team, but they found nothing after troubleshooting. I also tried disabling the AV on the client and then stopping and starting the Microsoft Office Click-to-Run Service.

The issue was not resolved even with AV disabled. What could be wrong?

We talked a few times about the COM interface needing to be registered for this process, hence I started looking at Component Services, which is where COM objects register as well.

From the Run command, type dcomcnfg to open the MMC. Browse to Component Services > Computers > My Computer.

This is what I see: a red down arrow, which means Component Services are disabled, hence the COM interface is unable to register. Why is this disabled? Is this through GPO? If so, why is it not disabled for laptops and desktops but only for VDI? This is an offline topic to be discussed internally with the respective teams who disabled it.

There is a service responsible for it, 'COM+ System Application'. Start the service (this must be done with admin rights).

After you start the service, close the Component Services MMC and reopen it.

Browse to COM+ Applications and see if there is any entry related to OfficeC2R.

How do we get the OfficeC2R COM object to appear here?

As a simple fix, I restarted the Microsoft Office Click-to-Run Service (ClickToRunSvc), expecting the COM object to be created and with it the registry key, but that did not work.

So what I did is the following fix, which worked. I also turned it into a simple batch script and applied it to all computers where the registry key was missing.

How to get the OfficeC2RCom object back?

  1. Open Regedit and change the value under the registry key HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0

  2. Restart the Microsoft Office Click-to-Run Service

  3. Open Regedit and change the same value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 back to 1

  4. Restart the Microsoft Office Click-to-Run Service again.

  5. Open dcomcnfg to check for the OfficeC2RCom object, and open Regedit to check for the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]

    Registry check (screenshot)

    COM object verification (OfficeC2RCom) (screenshot)

I could not find any reference (or I missed it) saying that the COM+ System Application service must be running for ProPlus.

Conclusion: how to restore OfficeC2RCom

  1. Start the COM+ System Application service
  2. Open Regedit and change the value under the registry key HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 1 to 0
  3. Restart the Microsoft Office Click-to-Run Service.
  4. Open Regedit and change the same value under HKLM\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate from 0 back to 1
  5. Restart the Microsoft Office Click-to-Run Service again.
  6. Open dcomcnfg to check for OfficeC2RCom, and open Regedit to check for the registry key [HKEY_CLASSES_ROOT\CLSID\{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}\InProcServer32]
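The six steps above, written as one PowerShell script you could deploy to the computers that are missing the registry key. This is an added example, not the batch script from the post. Two assumptions: the post does not name which value under ...\officeupdate is toggled between 1 and 0, so the script takes it as a parameter and defaults to 'officemgmtcom' (the COM setting the post mentions); and the Windows service names used are COMSysApp (COM+ System Application) and ClickToRunSvc (Microsoft Office Click-to-Run Service). It must run from an elevated PowerShell session.

```powershell
# Added example, not the post's own script. Assumptions: the toggled value name under
# ...\officeupdate is 'officemgmtcom' (parameter, change if your policy differs);
# service names COMSysApp and ClickToRunSvc. Requires an elevated session.
$C2RComClsid     = '{B7F1785F-D69B-46F1-92FC-D2DE9C994F13}'
$C2RComKey       = "Registry::HKEY_CLASSES_ROOT\CLSID\$C2RComClsid\InProcServer32"
$OfficeUpdateKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

function Test-OfficeC2RCom {
    # $true when the InProcServer32 registration exists and points at OfficeC2RCom.dll
    if (-not (Test-Path -Path $C2RComKey)) { return $false }
    $server = (Get-ItemProperty -Path $C2RComKey).'(default)'
    return ($server -like '*\ClickToRun\OfficeC2RCom.dll')
}

function Test-ComPlusService {
    # The hidden dependency from the post: COM+ System Application must not be disabled
    $svc = Get-Service -Name COMSysApp
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Restore-OfficeC2RCom {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ValueName     = 'officemgmtcom',   # assumption, see lead-in
        [int]$SettleSeconds    = 30                  # time for Click-to-Run to re-register after a restart
    )
    if (Test-OfficeC2RCom) { Write-Verbose 'OfficeC2RCom already registered'; return $true }

    # Step 1: start COM+ System Application (enable it first if it was disabled by policy)
    $com = Get-Service -Name COMSysApp
    if ($com.StartType -eq 'Disabled') { Set-Service -Name COMSysApp -StartupType Manual }
    if ($com.Status -ne 'Running')     { Start-Service -Name COMSysApp }

    # Steps 2-5: set the policy value 1 -> 0, restart Click-to-Run, then 0 -> 1 and restart again
    if (-not (Test-Path -Path $OfficeUpdateKey)) { throw "Policy key not found: $OfficeUpdateKey" }
    foreach ($value in 0, 1) {
        if ($PSCmdlet.ShouldProcess("$OfficeUpdateKey\$ValueName", "set to $value and restart ClickToRunSvc")) {
            Set-ItemProperty -Path $OfficeUpdateKey -Name $ValueName -Value $value -Type DWord
            Restart-Service -Name ClickToRunSvc -Force
            Start-Sleep -Seconds $SettleSeconds
        }
    }

    # Step 6: verify that the COM registration came back
    $ok = Test-OfficeC2RCom
    Write-Verbose ("{0}: OfficeC2RCom registered = {1}" -f $env:COMPUTERNAME, $ok)
    return $ok
}

Test-ComPlusService
Restore-OfficeC2RCom -Verbose
```

Run it with -WhatIf first on one VDI machine to see the registry and service changes it would make; Test-OfficeC2RCom alone is enough for a compliance check (for example as the detection script of an SCCM configuration item) on machines where you only want to report the missing key.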

Though the root cause was simple (a disabled service), getting the COM interface back took a lot of troubleshooting.

Hope it helps!

Workplace join (Hybrid Azure AD Join) for Windows failed with error code unknown


Recently I blogged about a Hybrid Azure AD workplace join issue that was caused by an Internet Explorer user authentication setting. For more information, please read the article here.

This week I got another issue related to workplace join on Windows 7. Users were unable to activate Office ProPlus and unable to access Teams, OneDrive and the Office 365 web portal.

Users hit the following screen when they tried to activate Office 365 ProPlus:

You can’t get there from here , please contact your administrator.  This application contains sensitive information and can only be accessed from company domain joined devices.

This is because we had an Azure AD Conditional Access policy with 'Hybrid Azure AD Join' checked, which allows only corporate domain-joined computers to access Office 365 applications while blocking access from personal Windows 7 devices.

If you click OK, you will see the full information: the user identity, the app name, the device platform, and the device state, which is unregistered.

This error is very generic: if the computer is not Hybrid Azure AD joined, for whatever reason, you will see the same error.

So, looking at the above error, how do we troubleshoot the issue?

As I said in my previous blog post here, Hybrid Azure AD join is performed by the Workplace Join tool, so the troubleshooting has to happen on that tool to find out why the join fails.

As usual, open cmd (command prompt), change the directory to C:\Program Files\Microsoft Workplace Join (if the tool is not installed, install it) and run AutoWorkplace.exe /i

With the above command line, I get the error "An error occurred while trying to join your device to your organisation’s workplace" with the details "Unknown Error".

You can also look in Event Viewer for workplace join related events: Event Viewer –> Applications and Services Logs –> Microsoft-Workplace Join –> Admin

Even here, it does not reveal why the join failed, other than the unknown error.

This led me to check the Azure AD portal for this specific user: the license, and whether other devices were registered. The intention of looking at the Azure portal was to find out whether only this computer had the issue or the user account did.

Go to https://portal.azure.com, click Azure Active Directory, click Users, and type the name of the user who had the issue.

Click Devices in the left pane to see the devices registered under that name.

As you can see, the user already had 20 devices and the limit we have set is 20, hence the error.

Now we have two options: 1) delete some of the devices (make sure you delete Windows 7 devices rather than mobile devices) by sorting by activity and removing devices which have not connected recently, or 2) increase the device limit.

1. Deletion is very simple. Click the dots (…) on the device and choose Delete (requires sufficient permissions).

2. How do you increase the device count limit? If you are a Global Admin, follow the steps below.

Visit https://portal.azure.com, click Azure Active Directory, click Devices, then Device settings.

In this case, rather than changing the limit, I simply deleted some devices with old activity dates (to bring the count below 20). After the removal, go back to the PC that had the issue.

At the CMD prompt, rerun AutoWorkplace.exe /i. This time the device joins the organisation workplace, which is Hybrid Azure AD join.

Deletion of the devices cannot be done by end users; if they go to the URL https://portal.fei.msuc05.manage.microsoft.com/Devices they cannot see Hybrid Azure AD joined devices. It must be performed by a Global Admin (GA) or a user with sufficient permissions.
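The portal steps above (count the user's devices against the limit, sort by activity, delete the stale Windows ones) as an added PowerShell example; this is not code from the post. It assumes the AzureAD module (Install-Module AzureAD, then Connect-AzureAD as an account with device-management rights), that the devices counted against the limit are the ones returned by Get-AzureADUserRegisteredDevice, and a stale threshold of 90 days, which is my assumption rather than something the post states.

```powershell
# Added example, not from the post. Requires the AzureAD module and Connect-AzureAD.
# Assumptions: registered devices are what count against the per-user limit; 90 days idle = stale.
function Get-UserDeviceReport {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$DeviceLimit = 20,     # the limit the post's tenant had configured
        [int]$StaleDays   = 90      # assumption: candidates for removal
    )
    $user    = Get-AzureADUser -ObjectId $UserPrincipalName
    $devices = @(Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true |
                 Sort-Object ApproximateLastLogonTimeStamp)
    $cutoff  = (Get-Date).AddDays(-$StaleDays)

    # Only Windows devices that have not been seen since the cutoff (or never reported activity)
    $stale = @($devices | Where-Object {
        $_.DeviceOSType -like 'Windows*' -and
        ($null -eq $_.ApproximateLastLogonTimeStamp -or $_.ApproximateLastLogonTimeStamp -lt $cutoff)
    } | Select-Object DisplayName, DeviceOSType, DeviceOSVersion, ApproximateLastLogonTimeStamp, ObjectId)

    [pscustomobject]@{
        User     = $UserPrincipalName
        Count    = $devices.Count
        AtLimit  = ($devices.Count -ge $DeviceLimit)   # explains the 'Unknown Error' from AutoWorkplace.exe /i
        Stale    = $stale
    }
}

function Remove-StaleUserDevices {
    # Deletes only the stale Windows devices from the report; supports -WhatIf / -Confirm
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [int]$StaleDays = 90
    )
    $report = Get-UserDeviceReport -UserPrincipalName $UserPrincipalName -StaleDays $StaleDays
    if (-not $report.AtLimit) { Write-Verbose "$UserPrincipalName has $($report.Count) devices, not at limit"; }
    foreach ($d in $report.Stale) {
        $label = "{0} ({1} {2}, last seen {3})" -f $d.DisplayName, $d.DeviceOSType, $d.DeviceOSVersion, $d.ApproximateLastLogonTimeStamp
        if ($PSCmdlet.ShouldProcess($label, 'Remove-AzureADDevice')) {
            Remove-AzureADDevice -ObjectId $d.ObjectId
        }
    }
}

# Usage (placeholder UPN): review first, then remove with confirmation
Get-UserDeviceReport -UserPrincipalName 'user@contoso.example' | Format-List
Remove-StaleUserDevices -UserPrincipalName 'user@contoso.example' -WhatIf
```

Raising the device limit in Device settings is the other option from the post; the report above tells you which users actually sit at the limit so you can decide per user instead of raising it tenant-wide.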

Hope it helps.


Configmgr SSRS failed to upload RDL with error code: definition of this report is not valid or supported by this version of Reporting Services


When you try to upload an RDL (Report Definition Language) file into your SSRS reports, you get the following error: “The definition of this report is not valid or supported by this version of Reporting Services. The report definition may have been created with a later version of Reporting Services, or contain content that is not well-formed or not valid based on Reporting Services schemas. Details: The report definition has an invalid target namespace 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition' which cannot be upgraded. (rsInvalidReportDefinition) Get Online Help”

Why does this error occur?

If the RDL file was created using a version of the reporting tool (in this case 2016) that is higher than the SQL Reporting Services version you have installed (<2016), you will hit this issue.

In my case, I am running SQL Server 2014 with Reporting Services installed on my SCCM server, and I was trying to upload an SCCM report that was created on version 2016.

How do we make this report work on an older version of Reporting Services? You need to make two changes to the RDL file.

1. Open the RDL file in Notepad or another editor; you will find something like the following at the beginning of the file.

Change the version from 2016 to 2010.

2. Search for "ReportParametersLayout" in the file and remove the whole block (this element is created by the 2016 version of Visual Studio).

Remove the whole block, as shown below, and save the report.

Now try to upload the RDL file into Reporting Services, change the data source and run the report.

Conclusion:

Change the SQL version in the RDL file and remove the ReportParametersLayout block to get the report working.
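The two edits above, scripted so they can be applied to a batch of RDL files instead of by hand in Notepad. This is an added example and not part of the post. It assumes the 2016 file declares the report definition namespace as http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition and that the target is the 2010/01 namespace the post switches to; the file paths are placeholders.

```powershell
# Added example, not from the post. Rewrites the root xmlns from the 2016/01 report definition
# schema to 2010/01 and removes every ReportParametersLayout element, then saves a copy.
$Rdl2016 = 'http://schemas.microsoft.com/sqlserver/reporting/2016/01/reportdefinition'
$Rdl2010 = 'http://schemas.microsoft.com/sqlserver/reporting/2010/01/reportdefinition'

function Convert-RdlTo2010 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OutPath = ($Path -replace '\.rdl$', '.2010.rdl')
    )
    $text = Get-Content -Path $Path -Raw
    $pattern = 'xmlns="' + [regex]::Escape($Rdl2016) + '"'
    if ($text -notmatch $pattern) {
        throw "$Path does not declare the 2016/01 namespace; nothing to downgrade"
    }

    # Edit 1: only the default xmlns on the root element is changed, so designer namespaces
    # such as ...2016/01/reportdefinition/defaultfontfamily are left alone
    $text = $text -replace $pattern, ('xmlns="' + $Rdl2010 + '"')

    # Edit 2: ReportParametersLayout is a 2016-only element; drop every occurrence
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($text)
    $layouts = @($doc.GetElementsByTagName('ReportParametersLayout'))
    foreach ($node in $layouts) { [void]$node.ParentNode.RemoveChild($node) }

    $full = if ([System.IO.Path]::IsPathRooted($OutPath)) { $OutPath } else { Join-Path (Get-Location).Path $OutPath }
    $doc.Save($full)
    [pscustomobject]@{ Source = $Path; Output = $full; RemovedLayouts = $layouts.Count }
}

# Usage with placeholder paths: convert every 2016 RDL in a folder
Get-ChildItem -Path 'C:\Reports\From2016' -Filter *.rdl |
    ForEach-Object { Convert-RdlTo2010 -Path $_.FullName }
```

The original file is left untouched and the converted copy gets a .2010.rdl suffix, so you can diff the two before uploading. Any other 2016-only element in a report will still be rejected by SSRS 2014 with the same rsInvalidReportDefinition error; the post's report only needed these two changes.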

How to create exceptions to the Intune Mobile Application Management (MAM) data transfer policy for iOS and Android


As an Intune administrator, you create Intune MAM (mobile application management) policies to protect company data at the application level. This is independent of any mobile device management (MDM) solution. For more information about app protection policies, please refer to https://docs.microsoft.com/en-us/intune/app-protection-policies.

Like others, we created a MAM policy, applied it to all Microsoft and non-Microsoft (wrapped with the Intune SDK) applications, and allowed data transfer to managed applications only. We have users who would like to transfer data or open links from managed applications with unmanaged applications, especially Webex and RSA Token. Since the Webex application is not a managed application (not wrapped with the Intune SDK), users are not able to open Webex links in the Webex application. In such scenarios we may have to look for exceptions (iOS/Android).

Microsoft recently introduced an exceptions feature for MAM iOS and Android policies. An exception allows you to specifically choose which unmanaged apps can transfer data to and from managed apps. The unmanaged apps that you include in the exception list must be trusted by IT.

This feature applies when you create an Intune application protection policy with data transfer set to Managed apps only, as shown below. If you have chosen All apps, you do not need an exception policy, since links are already allowed to open in unmanaged apps or any other app.

In this blog post, we will see how to create exceptions for some of the applications that users need on a day-to-day basis, such as Webex, GlobalMeet and RSA Token.

You are responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps (apps that are not managed by Intune) to access data protected by managed apps. This access to protected data may result in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that do not support Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you do not consider to be data leak risks.

Before we configure these exceptions, we need to find some information about the applications that we are exempting from the MAM policies.

iOS data transfer exceptions:
For iOS, we can configure data transfer exceptions by URL protocol. To add an exception, check the documentation provided by the developer of the app for information about supported URL protocols.

It is a little tricky to find the right URL protocol for every iOS application; for Webex, however, Microsoft lists it on the TechNet site: the URL protocol is wbx. For other applications, contact the vendor to find the protocol.
By adding Webex as an exception to the MAM data transfer policy, Webex links inside a managed Outlook email message are opened in the Intune browser, and the browser lets these exempted links open directly in the Webex application.

Android data transfer exceptions:

For Android, we can configure data transfer exceptions by app package name. It is easy to identify the package name of an Android application using the Google Play store: the package ID is contained in the URL of the app's page.

To find the package ID for Webex or RSA Token, go to the Google Play store, search for the app, and copy the content after id= in the URL to get the package name.

In this case, it is com.cisco.webex.meetings for Webex, and com.rsa.securidapp for RSA Token.

Once we have the necessary information, we go to the Intune MAM policy that is already configured with 'Allow app to transfer data to other apps' set to 'Policy managed apps' and make these changes.

If you have not set 'Allow app to transfer data to other apps' to 'Policy managed apps', you will not see 'Select apps to exempt'.

Also make sure you configure this setting on the MAM policy whose targeted apps include 'Managed Browser'.

If you already created the Intune MAM policy, click the policy, go to policy settings, look for 'Select apps to exempt' and click Select.

iOS:

Add a custom entry with the value: wbx;

Click OK to save the changes.

For Android:

For Android, click Select in the MAM policy and add the package names that we captured from the Google Play store into the fields.

How does it work?

When you receive a link (for example a Webex link) in a managed application like Teams, OneDrive or Outlook and click on it, it opens in the Intune managed browser. The browser recognises that an exception exists for that URL and redirects it to open in Webex, or whichever exempted application is installed on the device, based on the URL protocol or package ID.

I tested this feature and it works perfectly fine.

For more information about creating exceptions to the Intune Mobile Application Management (MAM) data transfer policy, see https://docs.microsoft.com/en-us/intune/app-protection-policies-exception
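An added PowerShell example (not the post's or Microsoft's code) for the two lookups the post does by hand: extracting the package name from a Play store URL and checking that each Android package name and iOS URL protocol is well-formed before it goes into the exemption list, which matters because a typo in an exception silently fails to open the app. It then builds the request body shape for the two lists. The Graph property names exemptedAppPackages and exemptedAppProtocols are my recollection of the managedAppProtection beta reference, not something the post states; verify them against the current documentation before using the body against the API. The Play URL and app list are constructed for illustration.

```powershell
# Added example, not from the post. Assumption: Graph beta properties exemptedAppPackages
# (Android) and exemptedAppProtocols (iOS), each a list of {name, value} pairs.
function Get-PlayPackageId {
    # Package name is the id= query parameter of the Play store URL
    param([Parameter(Mandatory)][string]$PlayUrl)
    if ($PlayUrl -match '[?&]id=([A-Za-z0-9_.]+)') { return $Matches[1] }
    throw "No id= parameter found in $PlayUrl"
}

function Test-AndroidPackageName {
    # Java package syntax: dot-separated identifiers, at least two segments
    param([string]$Name)
    return ($Name -cmatch '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$')
}

function Test-IosUrlScheme {
    # URL scheme syntax: a letter followed by letters, digits, '+', '-' or '.'
    param([string]$Scheme)
    return ($Scheme -cmatch '^[A-Za-z][A-Za-z0-9+.-]*$')
}

function New-MamExemptionBody {
    param(
        [hashtable]$AndroidPackages = @{},   # display name -> package id
        [hashtable]$IosSchemes      = @{}    # display name -> URL protocol
    )
    foreach ($e in $AndroidPackages.GetEnumerator()) {
        if (-not (Test-AndroidPackageName $e.Value)) { throw "Bad Android package for $($e.Key): $($e.Value)" }
    }
    foreach ($e in $IosSchemes.GetEnumerator()) {
        if (-not (Test-IosUrlScheme $e.Value)) { throw "Bad iOS URL protocol for $($e.Key): $($e.Value)" }
    }
    $toPairs = { param($h) @($h.GetEnumerator() | Sort-Object Key | ForEach-Object { @{ name = $_.Key; value = $_.Value } }) }
    [pscustomobject]@{
        Android = (@{ exemptedAppPackages  = (& $toPairs $AndroidPackages) } | ConvertTo-Json -Depth 4)
        iOS     = (@{ exemptedAppProtocols = (& $toPairs $IosSchemes) }      | ConvertTo-Json -Depth 4)
    }
}

# Constructed inputs: the two apps the post uses
$android = @{
    Webex         = Get-PlayPackageId 'https://play.google.com/store/apps/details?id=com.cisco.webex.meetings&hl=en'
    'RSA SecurID' = 'com.rsa.securidapp'
}
$body = New-MamExemptionBody -AndroidPackages $android -IosSchemes @{ Webex = 'wbx' }
$body.Android
$body.iOS
```

Keep the two hashtables in source control as the approved exception list; every entry there is an app that can receive data from managed apps, so the list should be as short as the warning in the post asks for, and reviewed whenever an app is added.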

 

Hope it helps!

Microsoft MVP Award for 2018-2019 (2nd Time)


I am super excited and honoured to receive an email from Microsoft about my MVP award renewal for the year 2018-2019 in Enterprise Mobility. I received the following email from Microsoft on 1st July 2018.

This is my second MVP award (the first was in 2017) and I am glad that I am still part of the great MVP community.

Dear Eswar Koneti,

We’re once again pleased to present you with the 2018-2019 Microsoft Most Valuable Professional (MVP) award in recognition of your exceptional technical community leadership. We appreciate your outstanding contributions in the following technical communities during the past year:

Enterprise Mobility
We are continuing to maintain MVP Award taxonomy to align with changes in technology. Following your award recognition, you may receive a notification regarding an update to your award category. Details will be shared with you very soon.

With this award comes more responsibility to keep it up and contribute more to the community in the Enterprise Mobility (#intune #SCCM #Configmgr) area.

 

I would like to thank my wife and my family for giving me the time for blogging and for being on the forums sharing technical information.

Thanks to my followers on LinkedIn, Twitter and Facebook, and to my blog readers, who keep asking new things and let me find solutions for them.

How to export Intune MAM policy settings using powershell ?


I had a request from the security team asking for the current Intune app protection (MAM) policies. When the request came in, I looked in the SharePoint portal for an existing document. As part of an Intune implementation, there should be a document that describes the app protection policies according to the security requirements. In this case I had no document to provide to them (it was never created).

How do you create a document with all the configured Intune app protection policy settings? Well, you can go to the Intune app protection policies, click on each policy and start noting down the settings.

Follow the TechNet guides below for the iOS and Android app protection policy settings:

https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios

https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-android

If you have only two policies, capturing them manually would not take long, but if you have more, going through each policy by hand and noting down the settings is not good practice.

So the only way (at the time of writing this blog post) is to use PowerShell to automate it. I started searching for an API / PowerShell script.

There is also a User Voice item for this request: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/9802914-there-needs-to-be-a-way-to-export-all-policies-to

While searching online, I found the Intune PowerShell sample scripts by davefalkus at https://github.com/microsoftgraph/powershell-intune-samples/tree/master/AppProtectionPolicy.

Script name: ManagedAppPolicy_Export.ps1

This script exports all Intune app protection policies to JSON files, which can then be imported into the same tenant or a different one.

The following are the settings the script exports.

Download the script.

Run the PowerShell script; it prompts for authentication (make sure your Global Admin has approved your request to run scripts against the tenant).

It also asks for a folder in which to store the settings.

After the script completes, it has exported all the settings, from which we will pull the information we need.

The following are the app protection policies exported by the script.

If you open a file in Notepad, you will see all the policy settings.

All the periods/times in the file are expressed in seconds (S), minutes (M), hours (H) and days (D).

A description of each exported setting is available on GitHub: https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/api-reference/beta/api/intune_mam_androidmanagedappprotection_create.md

Copy the information to Excel, do some formatting, and you are done.

You can also tweak the script to export the settings to a CSV file, which is easier to read and needs less formatting than JSON.
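Rather than editing the sample script, you can post-process the JSON it writes. The added example below (not the post's script and not part of the microsoftgraph samples) flattens one exported policy into Policy/Setting/Value rows and turns the period values, which are ISO 8601 durations such as PT30M or P90D (the S/M/H/D units the post describes), into plain text, then writes a CSV for the security team. It assumes each export file holds one policy object with a displayName property, as the sample script's output does; the JSON below is constructed for illustration, not a real export.

```powershell
# Added example, not from the post. Assumes one policy object per JSON file, with displayName.
function Convert-IsoDuration {
    # Graph periods are ISO 8601 durations (PT30M, PT12H, P90D); other strings pass through unchanged
    param([string]$Value)
    if ($Value -cnotmatch '^P(T|\d)') { return $Value }
    try { $ts = [System.Xml.XmlConvert]::ToTimeSpan($Value) } catch { return $Value }
    if ($ts.TotalDays -ge 1 -and $ts.TotalDays -eq [math]::Floor($ts.TotalDays)) { return "$($ts.TotalDays) days" }
    if ($ts.TotalHours -ge 1)   { return "$($ts.TotalHours) hours" }
    if ($ts.TotalMinutes -ge 1) { return "$($ts.TotalMinutes) minutes" }
    return "$($ts.TotalSeconds) seconds"
}

function ConvertTo-MamPolicyRows {
    # One row per setting; metadata properties that do not describe a control are skipped
    param([Parameter(Mandatory)][string]$Json)
    $policy = $Json | ConvertFrom-Json
    $skip   = 'id', 'displayName', 'createdDateTime', 'lastModifiedDateTime', 'version', '@odata.type'
    $policy.PSObject.Properties |
        Where-Object { $_.Name -notin $skip } |
        ForEach-Object {
            $raw = $_.Value
            $display = if ($raw -is [string]) { Convert-IsoDuration $raw }
                       elseif ($raw -is [array]) { ($raw | ForEach-Object { "$_" }) -join ';' }
                       else { "$raw" }
            [pscustomobject]@{ Policy = $policy.displayName; Setting = $_.Name; Value = $display }
        }
}

# Constructed sample export (not a real tenant's policy)
$SampleExport = @'
{
  "@odata.type": "#microsoft.graph.iosManagedAppProtection",
  "displayName": "Contoso iOS MAM (constructed sample)",
  "periodOfflineBeforeAccessCheck": "PT12H",
  "periodOnlineBeforeAccessCheck": "PT30M",
  "periodOfflineBeforeWipeIsEnforced": "P90D",
  "allowedOutboundDataTransferDestinations": "managedApps",
  "pinRequired": true,
  "minimumPinLength": 6
}
'@
ConvertTo-MamPolicyRows -Json $SampleExport | Format-Table -AutoSize

# For a real export folder (placeholder path): every *.json the sample script wrote, into one CSV
Get-ChildItem -Path 'C:\IntuneExport\AppProtectionPolicies' -Filter *.json -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-MamPolicyRows -Json (Get-Content -Path $_.FullName -Raw) } |
    Export-Csv -Path 'C:\IntuneExport\mam-policy-settings.csv' -NoTypeInformation
```

With the constructed sample, periodOfflineBeforeAccessCheck comes out as "12 hours", periodOnlineBeforeAccessCheck as "30 minutes" and periodOfflineBeforeWipeIsEnforced as "90 days"; keep the CSV alongside the raw JSON so the document you hand to security can be regenerated after every policy change.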

Why is Additional security verification option (MFA) not available in office 365 user portal


Introduction:

This is a quick post on Azure MFA (multi-factor authentication). Azure MFA, or two-step verification, is a method of authentication that requires more than one verification method and adds a critical second layer of security to user sign-ins and transactions. It works by requiring any two or more of the verification methods.

To know more about the different methods of setting up Azure MFA, please read http://eskonr.com/2018/03/different-methods-to-setup-azure-mfa-registration-for-o365/

Problem:

We enabled MFA for the whole organization (all users) using the one-step method (the easy solution) with Azure Identity Protection and also Conditional Access. This one-step method makes users configure MFA the first time they hit Office 365. You can also configure MFA through the MFA portal, enabling users one by one or uploading a file with all user email addresses, but that is a reactive approach (whenever a new user is onboarded, you need to perform this manual step again).

With this one-step solution, all users configured their MFA and everything was fine. But recently some users reported that when they log in to the Office 365 portal to update their user settings and view activations, devices etc., the Additional security verification option is not available. This option lets users update their MFA settings from their existing configuration.

Looking at the user account's MFA status in the Azure MFA portal, it showed as disabled. So I used PowerShell to query the MFA status, and the script told me that MFA had been configured by the user.

This happens because MFA was enforced on the user through Azure Identity Protection / Conditional Access, not through the MFA portal. Even though the user has configured MFA, the MFA portal still shows it as disabled.

After enabling the user's MFA in the MFA portal, the user can see the Additional security verification option through https://portal.office.com/

If users want to update their MFA settings, you can guide them to https://aka.ms/mfasetup. This lets them configure additional MFA options, the same as configuring it via the Office 365 portal.
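The PowerShell query the post refers to, as an added example (not the author's script). It uses the MSOnline module (Connect-MsolService first) and reads two different things from each user: StrongAuthenticationRequirements, the per-user MFA state that the MFA portal displays, and StrongAuthenticationMethods, the methods the user actually registered, whether through Conditional Access / Identity Protection or the portal. The filter at the end lists exactly the users in the situation the post describes.

```powershell
# Added example, not from the post. Requires the MSOnline module and Connect-MsolService.
function Get-MfaStatusReport {
    param([string[]]$UserPrincipalName)   # omit to report on all users
    $users = if ($UserPrincipalName) {
        $UserPrincipalName | ForEach-Object { Get-MsolUser -UserPrincipalName $_ }
    } else {
        Get-MsolUser -All
    }
    foreach ($u in $users) {
        # Per-user MFA state (Enabled/Enforced) only exists when set via the MFA portal or script
        $perUserState = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
            $u.StrongAuthenticationRequirements[0].State
        } else { 'Disabled' }
        # Methods registered by the user, regardless of how MFA was triggered
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $default = ($u.StrongAuthenticationMethods | Where-Object { $_.IsDefault }).MethodType
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            PerUserMfaState   = $perUserState          # what the MFA portal shows
            RegisteredMethods = ($methods -join ';')   # what the user has set up
            DefaultMethod     = $default
            Registered        = ($methods.Count -gt 0)
        }
    }
}

# Users registered through Conditional Access / Identity Protection whose per-user state is still Disabled
Get-MfaStatusReport | Where-Object { $_.Registered -and $_.PerUserMfaState -eq 'Disabled' } |
    Format-Table UserPrincipalName, PerUserMfaState, DefaultMethod, RegisteredMethods -AutoSize
```

The users that report lists are protected (they have registered methods and Conditional Access enforces MFA), so the Disabled state is a portal display issue rather than a coverage gap; the users to worry about are the opposite case, Registered = False, who have not completed registration yet.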

Conclusion:

If users ask how to configure or modify their MFA options, guide them to https://aka.ms/mfasetup rather than spending time enabling MFA on the accounts manually or via script.

Hope it helps!
