There’s a growing push to shift towards cloud-based management for devices, a change that many IT professionals find daunting. Transitioning to the cloud often means overhauling established processes that have been refined over many years. Consider the time required, the considerable learning curve, and the uncertainty of the outcome—factors that necessitate extensive training, meticulous planning, and thorough testing to ensure a successful rollout. It’s a significant amount of work, especially in an environment where SysAdmins are already expected to do more with fewer resources.  

The Shift Toward Cloud Management: Challenges and Considerations  

In my previous role as a manager and owner of a ConfigMgr environment, I kept asking myself questions like: 

• Where am I going to find the time to learn this or do this?  
• If it’s not broken, why fix it?  

Yes, I am talking about Microsoft Configuration Manager (ConfigMgr), also known as SCCM, MECM, etc. ConfigMgr is a powerful tool that many have already invested significant time and training into. It also continues to perform well.  

So, let’s explore why ConfigMgr is still valuable today. 

The Value of Configuration Manager in On-Premises Environments 

Firstly, many organizations continue to rely on on-prem Active Directory (AD) and on-premises resources. This dependency is a primary reason why ConfigMgr remains essential. It integrates with our AD environments seamlessly, allowing us to gather valuable information about users and devices, as well as allow us further controls for those devices. ConfigMgr puts a lot of information about those objects in AD at our fingertips, allowing us easy access to the information. 

Server Management: Where Configuration Manager Shines  

For those familiar with Intune or other MDM solutions for Windows, it’s well known that server management is not their strongest suit. Even in organizations that have shifted workstation management to the cloud, server management often stays on-premises due to the different requirements involved. You can manage them with Azure Arc, but it is different from using Intune. In most scenarios, it is just easier to leave them and manage them on-premises, further bolstering the need for ConfigMgr. 

Application Delivery with Configuration Manager 

If you’ve used Intune for any length of time, you’ve likely encountered its limitations in application delivery. Yes, it can deploy applications, but there really isn’t any control as to when devices get those applications or logging around the installation of that application. ConfigMgr provides a more refined application delivery system, allowing users to get the applications they need when they need them while allowing the admins to monitor and diagnose issues easily. 

Along these same lines, if you enable Software Metering, ConfigMgr provides statistics on which applications are used most often, allowing you to determine future behaviors and make informed decisions. 

Compliance and Configuration

Another area where ConfigMgr has more flexibility than Intune is in its Compliance Baselines with Configuration Items. Yes, there are compliance and configuration items in Intune, but your configuration items won’t apply if your devices aren’t compliant for some reason. This results in you having to try and troubleshoot the compliance before verifying the configuration items are working as expected. In ConfigMgr, this is easier and more reliable with accessible results. 

Granular Control Over Windows Updates

SysAdmins are also tasked with ensuring that our devices are secure, managing Windows Updates with ConfigMgr gives more granular control over what and when updates are deployed. If you’ve used Windows Update for Business, you know that while it works well, it doesn’t offer control over which updates are applied or when they’re installed. There are settings to control when updates are applied, but none to control what gets deployed. However, when ConfigMgr is integrated with WSUS (Windows Server Update Services), it provides granular control over what updates are applied to which devices and when, even allowing you to patch servers on the same schedule. 

Enhanced Reporting Capabilities in Configuration Manager 

ConfigMgr outperforms Intune significantly in reporting capabilities. While Intune offers limited built-in reports, ConfigMgr, with the installation of the Reporting Services point, provides a wealth of readily accessible reports. It’s also much easier to create or install additional reports, giving you deeper insights from the data you’re already collecting. This is particularly valuable for managing Windows updates, an area where comprehensive reporting is essential and where Intune falls short. ConfigMgr comes with a wide range of pre-built reports covering all aspects of your environment and offers flexibility by supporting both SQL Server Reporting Services (SSRS) and Power BI Report Server. 

The Role of Configuration Manager in Operating System Deployment (OSD) 

While ConfigMgr excels in many areas, one critical aspect worth highlighting is Operating System Deployment (OSD). Although Intune can “provision” a computer, it doesn’t offer the same capabilities as performing a full OSD. Intune is designed to manage computers with an existing operating system, but it lacks the tools to easily deploy a new OS. If you need to reinstall an OS due to corruption or other issues, you’d typically have to create a bootable thumb drive, manually install the OS, and then go through the provisioning process with Intune. This process is time-consuming. In contrast, ConfigMgr’s OSD allows you to fully configure devices for end users much more efficiently, using a combination of task sequences, application deployments, and configuration items tailored for on-premises or hybrid environments. 

Conclusion: Configuration Manager is Still a Critical Tool for IT Teams 

As discussed in this article, Microsoft Configuration Manager (ConfigMgr) continues to be a valuable tool for managing IT environments, especially those with on-premises or hybrid setups. It offers reliable control and flexibility for server management, application delivery, and compliance monitoring. 

If you’re looking to improve your existing processes, need assistance with IT management, or need help transitioning to the cloud with less stress, Recast Software is here to help. We offer tools and expertise that can integrate seamlessly with your current setup. 

The post Why Microsoft Configuration Manager Endures in a Cloud-First World   appeared first on Recast Software.

Prerequisites

Before proceeding, ensure that Entra ID is configured as your Identity Source. If not, please follow the instructions at Microsoft Entra ID – Identity Sources to set it up. The steps outlined here were derived from both trial and error and Liquit documentation, particularly the Liquit Agent Bootstrapper deployment with Intune. While these are the steps I followed, your environment may require different settings and customizations. Please consult the documentation for a complete list of settings for your JSON file.  

Note: This guide focuses on configuring the Liquit bootstrapper and agent settings, not Autopilot. 

The term ‘Deployments’ can be ambiguous in IT contexts. For this guide, ‘Deployments’ refers specifically to the section in the Liquit server labeled ‘Deployments.’ 

Step-by-Step Guide to Liquit Deployments through Intune 

Begin by logging into your Liquit portal. We’ll start by configuring and downloading the necessary components. First, create your deployment, which is a collection of packages you intend to deploy to a machine during agent installation. 

• Create your deployment in Liquit. 
  • In Liquit > Manage > Deployments. 
    • Click Create. 
    • Enter a name for your deployment and Click Next. 

• Click Finish
• Once the properties load, proceed with the following steps. 
  • Click Packages. 
  • Search for and add any packages that you would like for this deployment, be sure to specify the “Install” action.

• Click Assignments.
• Be sure to add an assignment for All Devices and the Production Stage.

Now we will move on to getting the certificates needed for the agent installation. 

Certificates for Liquit Deployments

• Certificate-based registration is recommended for optimal device registration. The following steps ensure a smooth process. 
  • In Liquit < Manage < Device Registration, follow the below steps: 
    • Click Create. 
    • Keep the “Certificate” section highlighted and click Next. 

• Name your Certificate and click Next.

• Select the box for Use a self-signed certificate for device registration and click Next.

Give your certificate a name, validity period, and key size. If desired, add a description, then click Next.

• Click Finish. 
• When the properties come up, click on Settings. 
• On the right-hand side, click the button for Download for agent registration button.

• Save this file for use when creating the Intunewin file. 
• Export out the three certificates from the Liquit Server and Certificate Management. This may be different from your environment. We need to establish that trust chain between your client and our Liquit server. 
  • IIS Cert you used. 
  • CA Cert for that IIS Cert. 
  • Liquit Self-Signed Cert. 
• Create three profiles in Intune, one that pushes out the above three certs to devices in their root store Create trusted certificate profiles in Microsoft Intune | Microsoft Learn. 

Download and Create Required Files

• Create a folder on your C:\ drive (or any folder you choose) to store all the downloaded files. 
• Navigate to Support – Liquit and download the Agent Bootstrapper and save it in the above folder. 
• Log in to your Liquit server and click on your user picture in the right-hand corner and click the link to download the agent. Once downloaded, save to above folder, and rename to Agent.exe. 
• Copy the downloaded certificate file from above to the same folder. 
• Use Notepad++ (or your choice of editor) to create a Json file named “agent.json” and save it to that same folder. 
• Create your Json file. At the end of this document is the Json file that I used that you could copy and modify according to your own settings. I’ve highlighted the areas that require modification. Review the remaining settings to determine if further customization is needed. 
  • The Zone will be your zone that you have created. 
  • The certificate thumbprint will be from the certificate you downloaded in Step 1. 
  • The deployment will be the name of the deployment you created in Step 2. 
  • The identity source will be the name of the Identity source you have created for SSO.  
  • The trusted zone is where you would enter your zone name. This can be multiple zones if you have more than one. 
• Create your IntuneWin file and create your app in Intune. 
  • Follow the documentation guide from Liquit Agent Bootstrapper deployment with Intune to create and upload your package to Intune. 
  • Add ‘/certificate=”AgentRegistration.cer”’ to the install command line so that it copies the certificate you uploaded into the right location so that agent can register correctly with Liquit. 
  • Change the command line for the log to a location that is easily accessible. I used C:\Windows\Temp as my log file location. 
  • Modify the detection method so that instead of using the provided script, you hard code it to look in c:\Program Files\Liquit Universal Agent. 
  • Deploy as required to your autopilot or other devices. 

Achieving a Functional Autopilot Deployment with Liquit Deployments through Intune 

By following these instructions, you should achieve a fully functional Autopilot deployment of applications during device provisioning or initial agent installation.

Note: Ensure port 443 is open on your Liquit server to facilitate communication with clients. After deployment, a device reboot is required to allow the agent to exit deployment mode and restart as a normal process. 

Additional Note: This guide focuses on deploying Liquit on Windows devices. A separate guide for deploying on macOS devices will be published soon.

Happy deploying! 

{ 
    "zone":"https://liquit.corp.viamonstra.com", 
	"promptZone": "Disabled", 
    "registration": { 
        "type": "Certificate", 
		"certificateThumbprint": "1f319334a7357653ded039659953e600e31e6d0f" 
    }, 
    "log": { 
        "level": "Debug", 
		"agentPath": "C:\\Windows\\Temp\\Agent.log", 
		"userHostPath": "C:\\Windows\\Temp\\UserHost.log", 
		"rotateCount": 5, 
		"rotateSize": 1048576 
    }, 
    "deployment": { 
        "enabled": true, 
        "start": true, 
        "context": "device", 
        "cancel": true, 
        "triggers": false, 
        "autoStart": { 
            "enabled": true, 
            "deployment": "Autopilot", 
            "timer": 0 
        } 
    }, 
	"login": { 
		"enabled": true, 
		"sso": true, 
		"identitySource": "MadduxConsulting", 
		"timeout": 4 
	}, 
	"icon": { 
		"enabled": true, 
		"exit": false, 
		"timeout": 30 
	}, 
	"launcher": { 
		"enabled": true, 
		"state": "Default", 
		"start": "Auto", 
		"tiles": true, 
		"minimal": false, 
		"contextMenu": false, 
		"sideMenu": "Tags", 
		"close": true 
	}, 
	"restrictZones": true, 
	"trustedZones": [ 
		"liquit.corp.viamonstra.com" 
	] 
} 

The post How to Create and Provision Liquit Deployments through Intune  appeared first on Recast Software.

Requirements  

• OneDrive Files On-Demand enabled 
• Windows 10 (1709) Fall Creators Update or later 
• SharePoint Library ID  

Step-by-Step Process 

First, let’s go to your SharePoint site that we want to setup for automatic sync, in my case I’m going to use the Marketing site that I have created in SharePoint.  

Copy the Library ID. Click on the Documents sections on the left-hand side.

Sync and Copy Library ID

In the Documents section, click the Sync button. When prompted to Open Microsoft OneDrive, click Cancel. In the pop-up option, click on Copy Library ID to copy the Library ID.  

Configure in Intune

Now go to https://intune.microsoft.com/ > Devices > under the Manage devices section, click on Configuration.

In the Configuration page, click on + Create. Select ‘Windows 10 and later’ under Platform and choose Settings Catalog under Profile type. Click Next.

Give your Profile a Name and Description. Click Next once complete.

Next, you’ll be directed to the Configuration settings to pick your settings. Search for Configure team site libraries to sync automatically. Then click on OneDrive under Browser by category. Next, under the OneDrive Category, select the Configure team site libraries to sync automatically (user).

Once that is selected, close out of the screen to setup your settings on the backscreen. On this page, you’ll want to give your Libraries a name and a value. Remember the Library ID we copied from earlier? You will need to add that to the Value section. Click Next when ready to move forward.  

I skipped Scope tags, but you can adjust those settings if needed.

Next, we’ll assign this library to our users. In my case, I will select a dynamic group for the Marketing team so that all our Global Marketing users will get this SharePoint library automatically.

Review and Create

Review and then create your profile. Then, verify on your device that this policy has successfully synced the Marketing SharePoint documents to the end user’s File Explorer.

Before the policy is enabled, the user does not see any SharePoint site libraries available in their File Explorer.

After the policy is applied, we can now see those SharePoint files sync through to the File Explorer.

Verify inside of the Marketing SharePoint as well. 

Conclusion: Streamline SharePoint Site Library Access with Microsoft Intune

Automating the synchronization of a SharePoint Site Library to File Explorer with Microsoft Intune not only saves valuable time but also ensures consistency across your organization. By leveraging Intune’s management capabilities, you can seamlessly integrate SharePoint libraries into your users’ workflows, reducing help desk requests and improving productivity. Implementing this solution helps your teams have quick and reliable access to the files they need directly from File Explorer, streamlining operations and enhancing the overall user experience.

Check out additional Intune content here.

The post How to Synchronize a SharePoint Site Library to File Explorer with Microsoft Intune appeared first on Recast Software.

Using Logic Apps for Intune Automation 

Azure Logic Apps allow you to build automations without writing any real code. Logic Apps is very similar to Power Automate but is more targeted towards infrastructure automation and does not run in the context of a user. 

Key Features of Logic Apps

• No-Code Automation: Create workflows using a visual designer without writing code. 
• Connectors: There are a wide range of connectors to integrate with different services, including Microsoft services and third-party applications. While there is no native connector for Intune, you can run native Graph API calls. 
• Scheduled Workflows: Automate tasks based on specific schedules or trigger them based on events. 

Leveraging Azure Automation  

Azure Automation is another powerful service for automating tasks. It is particularly useful for automating repetitive processes and managing updates across your infrastructure. Unlike Logic Apps, Azure Automation supports full code solutions, including PowerShell and Python. Authenticating with services and installing modules is straightforward. It also offers hybrid runbook workers that allow automation to run in your on-premises network. 

Key Features of Azure Automation

• Runbooks: Create and manage PowerShell, Python, or graphical runbooks to automate tasks. 
• Update Management: Automate the deployment of updates and patches across your VMs. 
• Desired State Configuration (DSC): Ensure that your infrastructure is configured correctly and remains in the desired state. You can find here also a full library 
• Scheduled Workflows: Same as logic apps you can automate tasks based on specific schedules or trigger them based on events. 

Implementing Azure Functions for Intune Automation 

Azure Functions allows you to run small pieces of code (functions) in the cloud without worrying about the infrastructure. This service is ideal for automating lightweight tasks and integrating different services. You can build a microservice architecture with various APIs using functions, providing a highly scalable and flexible solution. 

Key Features of Azure Functions

• Serverless Computing: Run your code without provisioning or managing servers. 
• Event-Driven: Trigger functions based on events, such as HTTP requests, timers, or messages from other Azure services. 
• Scalability: Automatically scale based on demand to handle varying workloads. 

Building Custom Solutions 

Combining these Azure services allows you to create sophisticated automation solutions tailored to your specific needs. Here are a few ideas to get you started: 

• Maintain Attributes in Your Asset System: Integrate with systems like ServiceNow to update asset attributes based on live data or return values from proactive remediations. 
• Intelligent Reporting and Alerting Solutions: Build solutions to monitor and report on metrics, such as an increase in app installation errors. 
• Custom Inventory Solutions: Develop tools to collect and manage inventory data for more effective resource management. 

Enhancing Intune Capabilities with Azure Services 

By leveraging Azure Logic Apps, Azure Automation, and Azure Functions, you can extend Intune’s capabilities and automate tasks that are not natively supported. These services provide a flexible and scalable way to enhance your device management processes and improve operational efficiency. 

The post Azure Services to Enhance Intune Automation appeared first on Recast Software.

Step 1: Obtain Browser Extension IDs 

Each Chrome extension has a unique ID that can be found in the Chrome Web Store URL or by inspecting the extension details in Chrome. Refer to the screenshot below on how to find it. In this example, we will be forcing the “Google Translate” extension and blocking the “ChatGPT” extension on Google Chrome. 

Step 2: Create a Configuration Profile 

In the Intune admin center, navigate to Devices > Configuration > Create > New policy.

Choose Windows 10 and later as the platform and Settings catalog as the profile type and click Create. 

Give your policy a Name and click Description and hit Next. 

Select Add settings button under Configuration Settings. Search for keyword “Extensions”. Then pick Google Chrome Extensions and select the settings to be configured. In this case, we will pick “Configure extension installation blocklist” and “Configure the list of force-installed apps and extensions.” 

Enable both the settings and add your Extension IDs into the fields. You will notice that for the force installation settings, it asks for an ‘Update URL’ along with the extension ID. For that we will use this format <ExtensionID>;<UpdateURL>. 

Example: “aapbdbdomjkkjkaonfhkkikfgjllcleb;https://clients2.google.com/service/update2/crx“ 

Note: All Chrome web store apps will have the same update URL: https://clients2.google.com/service/update2/crx 

For more information, refer to the Google documentation. 

Finally, click Next > Next, select the groups where this policy should be deployed, and then click Next and Create. 

Once the devices check in, you will notice that “Google Translate” has been installed and cannot be removed, while the “ChatGPT” extension is fully blocked. 

Conclusion: Efficiently Manage Browser Extensions via Intune

Managing Chrome extensions via Intune allows administrators to ensure that only safe and necessary extensions are used, while preventing potentially harmful ones. By following these steps, you can effectively enforce extension policies across your organization, enhancing both security and operational efficiency. 

Find other helpful Intune content here.

The post How to Manage Browser Extensions via Intune appeared first on Recast Software.

Known Folder Move (KFM) is a feature within OneDrive that enables the backup of important folders, such as Documents, Desktop, and Pictures, directly to OneDrive. By syncing these folders to OneDrive, users gain seamless access to their files across multiple devices. This post will demo how to enable Known Folder Move with Intune.

Why Should I Enable Known Folder Move with Intune?  

There are several compelling reasons to enable KFM: 

1. Protection Against Data Loss: It offers peace of mind for end users by ensuring that crucial files are accessible even if their devices crash or are lost. They can maintain their regular habits of saving files without interruption. 
2. Business Continuity: For IT admins, enabling KFM ensures productivity isn’t disrupted during unexpected device issues. It’s not a matter of if it will be needed, but when. 
3. Simplified Migrations: KFM streamlines transitions from one system management platform to another, eliminating concerns about data stored on physical hard drives. 

To leverage these benefits, we’ll walk through the steps of enabling KFM with Microsoft Intune. This guide will show you how to automatically sign users into OneDrive with their Windows credentials and silently enable KFM. 

Silently Sign Users into OneDrive with Windows Credentials 

Create a New Policy. Go to Microsoft Intune > click on Devices > Configuration > + New Policy.

Next, choose the appropriate settings. Select Windows 10 and later for Platform > Settings catalog under Profile type > Click Create.  

In the Basics page add the Name and Description for your policy.  

Add OneDrive Settings 

Click on + Add settings > search for OneDrive > Select OneDrive under Browse by category.  

Enable Silent Sign-In 

Under OneDrive categories, search for and click on the radio button and then select Enabled to silently sign in users to OneDrive sync app with their windows credentials. Click Next.  

Silently Move Windows Known Folders to OneDrive with Intune  

Create a New Policy. Go to Microsoft Intune > click on Devices > Configuration > + New Policy.  

Select Windows 10 and later for Platform > Settings catalog under Profile type > Click Create.  

In the Basics page, add the Name and Description for your policy.  

Add OneDrive Settings 

Click on + Add settings > search for OneDrive > Select OneDrive under Browse by category.  

Under Setting name, enable the following policies: 

• Prevent users from redirecting their Windows known folders to their PC 
• Prompt users to move Windows known folders to OneDrive 
• Silently move Windows known folders to OneDrive 

Once you select those settings, you’ll want to enable all the radio buttons and add your Tenant ID. Optionally, choose Yes to notify users of the silent folder move. Click Next after adding the required information. 

Next, assign the policy. Define the assignments to determine which devices will be targeted by this policy. Select All Devices if you intend to apply it universally. 

Review and create your policy.  

User Experience After You Enable Known Folder Move with Intune 

Before enabling Known Folder Move: No OneDrive Sync and OneDrive is not signed in.  

After Enabling Known Folder Move: User gets notified of Known Folder move redirect.  

In the section, we see the user’s Documents, Pictures, and Desktop Folders are automatically backed up with Known Folder Move and they also cannot stop the folder backup. The user did not have to login or create any backups; the IT admin took care of that by following the steps above.  

Conclusion: Empower Your Team by Enabling Known Folder Move with Intune 

By enabling Known Folder Move with Microsoft Intune, IT administrators can efficiently safeguard critical user data and ensure the smooth user experience. This seamless setup simplifies migrations and minimizes disruptions, letting users focus on their work without worrying about data loss. Empower your team with streamlined, secure backups that happen silently and automatically, providing peace of mind for everyone involved. 

Check out more Intune content here.

The post How to Enable Known Folder Move with Intune appeared first on Recast Software.

In this guide, we’ll focus on removing the Chat Icon from the personal Teams app using Microsoft Intune, streamlining the user experience and avoiding potential complications. 

Note

Teams for Personal use: Appears as ‘Microsoft Teams’ when searched.  

Teams for Enterprise users: Labeled as ‘Microsoft Teams (work or school).’ 

Consider the scenario where you inadvertently click on the initial option (Microsoft Teams) and attempt to log in with your enterprise account, rushing to join a meeting scheduled to start in just one minute. 

Looking at the error message, we cannot sign in with a work or school account and it asks for our personal account instead. Now, not only is the user delayed for their meeting, but they’re also faced with the dilemma of choosing the correct Microsoft Teams application. Let’s explore how to prevent such issues for our future users. 

Removing Personal Teams Chat from Windows 11 

Requirements:  

• Devices: Windows 11  
• Administrator Role: Intune Administrator  

Method 1: Remove Personal Teams Icon with Intune – Custom OMA-URI 

• Let’s go to Microsoft Intune > Devices > Configuration > + Create > + New Policy.  

We can now specify the platform for this policy. In our case, we’re targeting Windows 10 and later. Select the profile type as Templates and name the template as Custom.

Go ahead through your Basics setup. Give your policy a name and description.

Now, let’s delve into the Configuration settings where we’ll add the necessary information to remove the chat icon. 

• Name: Remove Teams Chat Icon 
• Description: n/a 
• OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon 
• Data Type: Integer 
• Value: 3 

Now let’s set our assignments. While I’ve targeted all devices, I’ve implemented a filter to exclusively target Windows 11 devices.

Review and Create your CSP.

Method 2: Remove the Personal Chat Icon with Intune – Settings Catalog  

Go to Microsoft Intune > Devices > Configuration > + Create > + New Policy.  

We can now specify the platform for this policy. In our case, we’re targeting Windows 10 and later. Choose Settings Catalog as the Profile type.

Run through the basics again and add the proper Name and Description.  

In the configuration settings, click on + Add settings > Search for Experience under category, and search for the setting name Configure Chat Icon.

After clicking on Configure Chat Icon, you will be prompted with a drop-down menu to select how you want it configured. In our case we are going to use Disabled.

Proceed to the next steps, including assigning Scope tags if necessary and setting up your assignment group. Once finished, review and create your policy.

Testing the Removal of Personal Teams Chat from Windows 11

It’s time to test the policy you’ve created to ensure it meets your requirements. Verify that Personal Teams Chat has been successfully removed, leaving only Microsoft Teams for work or school operational. 
 
Before running Method 2, Microsoft Teams is still available. 

After running Method 2: Let’s run the policy and check back later. 

Now we can see that Microsoft Teams is no longer shown. We can also see the Intune results work as intended.

Conclusion: Streamlining Your Windows 11 Environment 

Removing Personal Teams Chat from Windows 11 devices optimizes the user experience and improves productivity. By following the outlined methods using Intune, IT administrators can manage Teams applications, ensuring users have access to the appropriate platform for work use. Streamlining this process not only resolves confusion but also enhances overall system efficiency. 

Check out more Intune content here.

The post How to Remove Personal Teams Chat from Windows 11 Devices Using Intune  appeared first on Recast Software.

Why Block Apps with Intune? 

With recent legislative actions, such as the US House of Representatives and the President moving toward a potential ban of TikTok, compliance with new regulations may become mandatory for many US organizations. This guide will walk you through the steps to block specific apps, such as TikTok, within the Microsoft Store using Microsoft Intune by leveraging the AppLocker functionality in Windows. 

Blocking specific apps is important for several reasons: 

• Security Considerations: Preventing installations of apps that could pose security risks. 
• Enhancing Productivity: Limiting access to apps that might distract employees. 
• Compliance and Regulatory Requirements: Ensuring only approved apps are used in regulated environment 

Step-by-Step Guide to Blocking Apps with Intune 

Section 1: Creating an AppLocker Policy in Windows 

• On your test machine, visit the Microsoft Store and install “TikTok.” 
• Go to the Start Menu, type “Local Security Policy,” right-click on it, and run as Administrator. 
• Navigate to Application Control Policies > AppLocker > Package App Rules. 

• Right click on “Package App Rules” and select “Create New Rule.” Hit “Next” in the dialog box. 
• Select “Deny” as the action and hit “Next.” 

• Keep the default option selected. Click the “Select” button, choose “TikTok” from the list, and press “OK.” 

• Once “TikTok” is selected, adjust the slider from “Package Version” to “Package Name” to specify that the policy should block all versions of TikTok. 

• Click “Next” several times, name your policy, provide a description, and then click “Create” to finalize your “Block” Policy. 
• Right click on “Package App Rules” again and select “Create Default Rules” to ensure that the policy does not block any unintended applications. 

Completing the AppLocker Configuration 

• Now that rules are created, Right click on “Applocker” on left blade and select “Properties.”  
• Check “Configured” under Packaged App Rules, select “Enforce Rules,” and hit OK. 

Exporting the AppLocker Policy 

• Right click on “AppLocker” on the left blade again and select “Export Policy.” Save the XML file to your desktop. We will need this file later in the Intune section. 
• Open the XML file. You will notice that the rule configuration starts with <RuleCollection> and ends with </RuleCollection>. Copy this highlighted text within your XML file to your clipboard. 

Section 2: Implementing the Block Policy in Intune

• Login to intune.microsoft.com.  
• Navigate to Devices > Configuration Profiles. 
• Click on Create Profile and choose New Policy. Select Windows 10 and later for platform. 
• Profile type should be Templates with Custom as the Template name. Hit create. 

• Give your policy a name and description that reflects its purpose, e.g., “Block Tiktok,” and Hit Next. 
• Under “Configuration settings”, click on “Add” next to OMA-URI settings. 
• Name the setting, provide a description, select “String” as the “Data Type,” and paste the content from the XML file into the “Value” section. 
• For “OMA-URI,” use the following string: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy 

• Click “Save” and continue to assign the Intune group where you want to apply this profile. Follow the prompts to finish creating the profile. 

Section 3: Monitor and Manage App Blocking with Intune

After deploying the policy, monitor its impact through the View reports button. Once the policy is successfully applied on devices, TikTok will be blocked on the Microsoft Store. 

Appendix: Extending App Blocking to Other File Types 

Just like blocking Microsoft Store apps, we can also block unapproved exe, msi, and script files using AppLocker and Intune. The process remains largely the same, with only two changes required: 

• In Section 1, steps 5 and 10, instead of clicking on “Packaged app rules,” we will right click on Executable rules (for exe) and Windows Installer Rules (for msi). 
• The OMA-URI will also change as mentioned below. 
  • For exe files: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy 
  • For msi: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy 

Conclusion: Enhancing Security and Compliance with Intune

By utilizing Microsoft Intune and AppLocker, organizations can effectively block unauthorized apps, enhancing security and ensuring compliance. This guide demonstrates a straightforward method to manage applications and maintain control over your IT environment. As you adapt and refine your endpoint management strategies, Intune’s capabilities support a secure, productive, and compliant workplace. Continuous monitoring and updating of these policies are essential to address the evolving challenges that inevitably arise.  

Check out additional Intune content here.

The post How to Block Apps with Intune appeared first on Recast Software.

Introduction to Compliance Baselines in Intune

Compliance baselines in Intune are predefined sets of compliance policies that help determine the compliance status of devices across your organization. These baselines provide a benchmark for security and configuration settings, making it easier for IT administrators to identify and remediate non-compliant devices. By leveraging these baselines, organizations can automate the process of compliance assessment, ensuring devices adhere to corporate security policies and regulatory standards. 

Step 1: Understanding Your Compliance Requirements 

The initial step in constructing compliance baselines is to comprehensively understand your organization’s compliance needs. This involves pinpointing the regulatory standards you must comply with—such as GDPR, HIPAA, or PCI-DSS—and translating these into specific device configuration settings. Key aspects to consider include encryption standards, password policies, and software versions to compile a detailed checklist of compliance criteria. 

Step 2: Creating a Compliance Baseline in Intune 

Once you’ve identified your compliance requirements, the next step is to create a compliance baseline in Intune. In in this blog, we are building compliance baselines around these settings: 

• BitLocker 
• Secure Boot 
• Code Integrity 
• Firewall 
• TPM 
• Antivirus 
• Antispyware 

A device lacking any of these enabled settings and tools will be considered “non-compliant.” 

Steps to Establish Your Compliance Baseline in Intune

Navigate to the Intune Admin Console: Log in to the Microsoft Intune admin center at intune.microsoft.com 

Create a New Compliance Policy: Go to Devices > Compliance > Policies > Create Policy. Select the platform relevant to your devices, such as Windows 10 and later and hit “Create”. 

Name and Description: Give you compliance policy a name and description and hit next. 

Configure Compliance Settings: Use the ‘Create a Compliance Policy’ wizard to set the compliance settings based on your organization’s requirements. Intune provides various settings including device health, device properties, system security, and custom configuration settings.  

Define Actions for Non-compliance: Decide the actions to take if a device fails compliance checks. Options include sending an email notification, marking the device as non-compliant, or adding the device to a retirement list. For our example, I have marked the device as non-compliant after three days. 

Note

Sending an email to an end user for non-compliance is not recommended. Per a zero trust framework, most users will not have admin privileges to perform any remediations themselves. If you do decide to send an email, make sure to create a “group” of your sysadmins/helpdesk and have them added in “additional recipients” sections. For the email body/content, we will need to create a “notification” beforehand. To do that, go to Devices > Compliance > Notification > Create notification. 

Assignments: Assign the group to apply this compliance policy. I would recommend creating a “Dynamic group” that hosts all the Windows devices and then applying it on that group. Hit next and “Create”. 

Devices with no assigned compliance policy: Ideally there should be no device without any compliance policy assigned. We can build one policy for Mac devices, one for Windows, so on and so forth. But we can specify behavior on a device who have no policy assigned. Go to Devices > Compliance > Compliance settings. Make sure you specify the compliance behavior on devices who have no policy assigned. I would recommend setting it to “non-compliant”. 

Step 4: Monitoring and Reporting 

With your compliance baselines in place, it’s essential to continuously monitor the compliance status of devices and take remedial actions if necessary. 

Use Intune’s Built-in Reports: Intune provides detailed reports on the compliance status of devices, highlighting deviations from the baseline. 

Act on Non-compliant Devices: Use the information from the reports to address non-compliance issues. This may involve updating device settings, installing necessary updates, or retiring devices that can no longer meet compliance standards. 

Ensuring Optimal Security with Compliance Baselines in Intune

Building compliance baselines in Intune is a proactive way to maintain the security and integrity of your device fleet. By setting clear benchmarks for compliance, automating the assessment process, and taking swift action on non-compliant devices, organizations can enhance their security posture and ensure that they meet regulatory requirements.  

By IT, for IT.

We are a dedicated group of Systems Administrators and tech-savvy product experts that love what we do and the IT community we do it with.

Learn More

The post How to Build Compliance Baselines in Intune to Determine the Compliance Status of Devices  appeared first on Recast Software.

Understanding PPPC Profiles 

Privacy Preferences Policy Control (PPPC) profiles allow administrators to manage privacy access controls for macOS 10.14 and later. These profiles are crucial for granting or denying access to sensitive user data and hardware resources for apps and system services. By pre-configuring these settings, organizations can ensure compliance with privacy policies and streamline the user experience by reducing the number of permission prompts. 

Step 1: Identify Your Requirements 

Begin by determining your application’s permission requirements. For example, Zoom requires “Screen Record” for sharing screens and “Accessibility” permission for letting other people control your screen. Similarly, some applications like an Antivirus or DLP tool may require “Full Disk” access. 

Step 2: Creating and Deploying PPPC Profile within Intune 

Navigate to intune.microsoft.com and log in with your administrator credentials. 

Once logged in, go to “Devices” > “macOS” > “Configuration profiles” > “Create” > “New Policy.” 

“macOS” should already be selected for the Platform. Choose “Settings Catalog” for the “Profile type”. Hit the “Create” button at the bottom of the page.

Give your profile a name, write a description, and hit next.

In the “Configuration settings” section, click on the “Add Settings” button. You will see the “Settings picker” section on the right side of the page. Search and pick “Privacy Preference Policy Control”. Now pick the permissions that you need to set. In the example below, we are picking “Accessibility” and “Screen Capture.”

New settings will appear on the left side. Now we need to provide the “Identifier”, “Code Requirement”, and authorization info. Simply hit the “Edit Instance” button to get started.

Important Notes

• In the ‘Configure Instance’ section, you can select either an ‘Allowed’ key or an ‘Authorization’ key. Hit the “-” button next to the key to remove one or the other. 
• I would recommend using the “Authorization” key only for all permissions. Also note that for screen share/record and microphone permissions, Apple doesn’t let sysadmins preset “Allow” these permissions due to privacy reasons. So, the “Allow” option will not work. Hence, the only option to be used for these permissions is “Allow Standard User to Set System Service”. This will still show users the authorization prompt, but a standard user will now have access to enable the permissions. For “Accessibility” or “Full Disk Access” we can still use “Allow”. 

To retrieve the “Code Requirement” and “Identifier”, install the application on a test Mac. Open “Terminal” and run the following command. Replace “Zoom.us.app” with the name of your app. 

codesign -dr- /Applications/Zoom.us.app 

For “Microsoft Teams classic” it will look like this:  

codesign -dr- /Applications/Microsoft Teams Classic.app 

Note: In MacOS terminal, spaces are represented by backslash so “Microsoft Teams Classic.app” will be represented as “Microsoft Teams Classic.app” 

You will see the output as below. Copy everything after “designated =>”. This string is your code requirement. You will notice that identifier is also mentioned in the code requirement.  

For example, using Zoom as our application: 

Identifier = “us.zoom.xos” 

Code Requirement = “identifier “us.zoom.xos” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3” 

Paste the code requirement and Identified information and hit save. Do the same thing for “Screen Capture” instance.  

Finally, click ‘Next’ twice, add your MacOS device group to the assignments, click ‘Next’ again, and then click ‘Create.’ 

Step 3: Monitoring and Testing 

Now that we have deployed the profile to devices, you will notice that the next time devices check in to Intune, our endpoint will have a new profile added in the “Profiles” section within “System Settings.” 

Note: If you go to System Settings > Privacy and Security > Accessibility on the Mac, you will notice that there is no entry for Zoom even though we had this permission enabled via Intune. Note that this is by design and is not a cause for concern. Standard users will still be able permit remote control via Zoom. You would notice similar behavior if you enabled “Full Disk access.” 

However, for “Screen Record/share” permission, we do see an entry for Zoom. The reason is because we used the option “Allow Standard user to set system service”, which prompts user to see prompt and allow the permission. Hence it shows up in the “System Settings” > Privacy and Security > Screen Record section. 

Optimizing MacOS Security and Productivity with PPPC Profiles within Intune 

Creating custom PPPC profiles in Intune for macOS devices is a powerful way to manage application permissions efficiently. By following the steps outlined above, you can ensure that your macOS devices are both secure and user-friendly, with minimal interruptions to productivity. 

This process can be adapted and expanded based on your organization’s specific needs and the evolving landscape of macOS security and privacy features. This guide was built on MacOS Ventura version 14.4.1. The steps outlined may change in future versions. Always keep abreast of the latest developments from both Apple and Microsoft to refine and enhance your privacy controls. 

Remember, this guide offers a foundation for PPPC profile creation, but specific configurations will vary based on your organization’s applications and resources. Always test your profiles in a controlled environment before widespread deployment to ensure they perform as expected. 

Additional macOS post

• Application Management for Windows and macOS

The post How to Build PPPC Profiles within Intune for MacOS Devices appeared first on Recast Software.