Intune Compilation - Recast Software
https://www.recastsoftware.com/resources-category/intune/
Fri, 30 Aug 2024 14:43:34 +0000

How to Create and Provision Liquit Deployments through Intune
https://www.recastsoftware.com/resources/how-to-create-and-provision-liquit-deployments-through-intune/
Tue, 27 Aug 2024 16:08:36 +0000

The post How to Create and Provision Liquit Deployments through Intune  appeared first on Recast Software.

In this guide, we’ll explore how to use Liquit Deployments during Autopilot on Windows devices, enabling your end users to access all necessary applications through the Liquit platform. While this process is tailored for Autopilot, with a few modifications, you can deploy the Liquit agent and its deployments via other deployment mechanisms. 

Prerequisites

Before proceeding, ensure that Entra ID is configured as your Identity Source. If not, please follow the instructions at Microsoft Entra ID – Identity Sources to set it up. The steps outlined here were derived from both trial and error and Liquit documentation, particularly the Liquit Agent Bootstrapper deployment with Intune. While these are the steps I followed, your environment may require different settings and customizations. Please consult the documentation for a complete list of settings for your JSON file.  

Note: This guide focuses on configuring the Liquit bootstrapper and agent settings, not Autopilot. 

The term ‘Deployments’ can be ambiguous in IT contexts. For this guide, ‘Deployments’ refers specifically to the section in the Liquit server labeled ‘Deployments.’ 

Step-by-Step Guide to Liquit Deployments through Intune 

Begin by logging into your Liquit portal. We’ll start by configuring and downloading the necessary components. First, create your deployment, which is a collection of packages you intend to deploy to a machine during agent installation. 

  • Create your deployment in Liquit. 
    • In Liquit > Manage > Deployments. 
      • Click Create. 
      • Enter a name for your deployment and click Next. 
      [Screenshot: create deployment]
  • Click Finish.
  • Once the properties load, proceed with the following steps. 
    • Click Packages. 
    • Search for and add any packages you want in this deployment; be sure to specify the “Install” action.
    [Screenshot: add packages]
  • Click Assignments.
  • Be sure to add an assignment for All Devices and the Production Stage.
  [Screenshot: add assignments]

Now we will move on to getting the certificates needed for the agent installation. 

Certificates for Liquit Deployments

  • Certificate-based registration is recommended for optimal device registration. The following steps ensure a smooth process. 
    • In Liquit > Manage > Device Registration, follow the steps below: 
      • Click Create. 
      • Keep the “Certificate” section highlighted and click Next. 
      [Screenshot: create certificate]
  • Name your certificate and click Next.
  [Screenshot: name certificate]
  • Select the box for Use a self-signed certificate for device registration and click Next.
  [Screenshot: use a self-signed certificate]

Give your certificate a name, validity period, and key size. If desired, add a description, then click Next.

[Screenshot: certificate name, validity period and key size]
  • Click Finish. 
  • When the properties come up, click on Settings. 
  • On the right-hand side, click the Download for agent registration button.
  [Screenshot: download certificate]
  • Save this file for use when creating the Intunewin file. 
  • Export the following three certificates from the Liquit server and its Certificate Management (your environment may differ). They establish the trust chain between the client and the Liquit server. 
    • The IIS certificate you used. 
    • The CA certificate for that IIS certificate. 
    • The Liquit self-signed certificate. 
  • Create three trusted certificate profiles in Intune, one per certificate, that push these three certificates into the devices' root store (see Create trusted certificate profiles in Microsoft Intune | Microsoft Learn). 

Download and Create Required Files

  • Create a folder on your C:\ drive (or any folder you choose) to store all the downloaded files. 
  • Navigate to Support – Liquit and download the Agent Bootstrapper and save it in the above folder. 
  • Log in to your Liquit server and click on your user picture in the right-hand corner and click the link to download the agent. Once downloaded, save to above folder, and rename to Agent.exe. 
  • Copy the downloaded certificate file from above to the same folder. 
  • Use Notepad++ (or your choice of editor) to create a Json file named “agent.json” and save it to that same folder. 
  • Create your Json file. At the end of this document is the Json file that I used that you could copy and modify according to your own settings. I’ve highlighted the areas that require modification. Review the remaining settings to determine if further customization is needed. 
    • The Zone will be your zone that you have created. 
    • The certificate thumbprint will be from the certificate you downloaded in Step 1. 
    • The deployment will be the name of the deployment you created in Step 2. 
    • The identity source will be the name of the Identity source you have created for SSO.  
    • The trusted zone is where you would enter your zone name. This can be multiple zones if you have more than one. 
  • Create your IntuneWin file and create your app in Intune. 
    • Follow the documentation guide from Liquit Agent Bootstrapper deployment with Intune to create and upload your package to Intune. 
    • Add /certificate="AgentRegistration.cer" to the install command line so that the certificate you uploaded is copied to the right location and the agent can register correctly with Liquit.
    • Change the log location on the command line to somewhere easily accessible. I used C:\Windows\Temp as my log file location. 
    • Modify the detection method so that, instead of using the provided script, it checks for c:\Program Files\Liquit Universal Agent. 
    • Deploy as required to your Autopilot or other devices. 

Achieving a Functional Autopilot Deployment with Liquit Deployments through Intune 

By following these instructions, you should achieve a fully functional Autopilot deployment of applications during device provisioning or initial agent installation.

Note: Ensure port 443 is open on your Liquit server to facilitate communication with clients. After deployment, a device reboot is required to allow the agent to exit deployment mode and restart as a normal process. 

Additional Note: This guide focuses on deploying Liquit on Windows devices. A separate guide for deploying on macOS devices will be published soon.

Happy deploying! 


{
    "zone": "https://liquit.corp.viamonstra.com",
    "promptZone": "Disabled",
    "registration": {
        "type": "Certificate",
        "certificateThumbprint": "1f319334a7357653ded039659953e600e31e6d0f"
    },
    "log": {
        "level": "Debug",
        "agentPath": "C:\\Windows\\Temp\\Agent.log",
        "userHostPath": "C:\\Windows\\Temp\\UserHost.log",
        "rotateCount": 5,
        "rotateSize": 1048576
    },
    "deployment": {
        "enabled": true,
        "start": true,
        "context": "device",
        "cancel": true,
        "triggers": false,
        "autoStart": {
            "enabled": true,
            "deployment": "Autopilot",
            "timer": 0
        }
    },
    "login": {
        "enabled": true,
        "sso": true,
        "identitySource": "MadduxConsulting",
        "timeout": 4
    },
    "icon": {
        "enabled": true,
        "exit": false,
        "timeout": 30
    },
    "launcher": {
        "enabled": true,
        "state": "Default",
        "start": "Auto",
        "tiles": true,
        "minimal": false,
        "contextMenu": false,
        "sideMenu": "Tags",
        "close": true
    },
    "restrictZones": true,
    "trustedZones": [
        "liquit.corp.viamonstra.com"
    ]
}
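Before wrapping these files into the .intunewin, it is worth confirming that agent.json actually matches the certificate and zone you are shipping, because a thumbprint typo fails registration silently on every Autopilot device. The following PowerShell script is an added example, not Liquit's or Recast's code; it assumes a staging folder C:\LiquitAgent (an assumed path) containing agent.json and the downloaded AgentRegistration.cer named on the install command line above.

```powershell
# Added example (not Liquit's or Recast's code): sanity-check agent.json before
# wrapping it into the .intunewin. Assumes the files from this guide sit in one
# folder (default C:\LiquitAgent, an assumption) next to the downloaded
# AgentRegistration.cer named on the install command line.
param(
    [string]$Folder   = 'C:\LiquitAgent',
    [string]$CertFile = 'AgentRegistration.cer'
)

$errors   = [System.Collections.Generic.List[string]]::new()
$jsonPath = Join-Path $Folder 'agent.json'
$certPath = Join-Path $Folder $CertFile

foreach ($p in @($jsonPath, $certPath)) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Error "Missing file: $p"; exit 1 }
}

# A stray comma or a curly quote pasted from a document makes the whole file
# unusable, so parse strictly first.
try {
    $cfg = Get-Content -LiteralPath $jsonPath -Raw | ConvertFrom-Json
} catch {
    Write-Error "agent.json is not valid JSON: $($_.Exception.Message)"; exit 1
}

# 1. The guide requires port 443 on the Liquit server, so the zone must be an https URL.
$zone = $null
if (-not [Uri]::TryCreate([string]$cfg.zone, [UriKind]::Absolute, [ref]$zone) -or $zone.Scheme -ne 'https') {
    $errors.Add("zone '$($cfg.zone)' is not an absolute https URL")
}

# 2. The sample config lists the zone host itself under trustedZones; with
#    restrictZones enabled, a missing entry is almost always a typo.
if ($zone -and $cfg.restrictZones -and ($cfg.trustedZones -notcontains $zone.Host)) {
    $errors.Add("trustedZones does not include the zone host '$($zone.Host)'")
}

# 3. The thumbprint in the JSON must belong to the .cer shipped in the package,
#    otherwise certificate registration fails on every device.
if ($cfg.registration.type -eq 'Certificate') {
    $cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
    $expected = $cert.Thumbprint.ToLowerInvariant()
    $actual   = ([string]$cfg.registration.certificateThumbprint -replace '[\s:]', '').ToLowerInvariant()
    if ($expected -ne $actual) {
        $errors.Add("certificateThumbprint '$actual' does not match $CertFile ('$expected')")
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $errors.Add("$CertFile expires on $($cert.NotAfter.ToString('u')); renew it before rolling out")
    }
}

# 4. autoStart without a deployment name installs the agent but delivers no apps.
if ($cfg.deployment.autoStart.enabled -and
    [string]::IsNullOrWhiteSpace([string]$cfg.deployment.autoStart.deployment)) {
    $errors.Add('deployment.autoStart.deployment is empty')
}

if ($errors.Count -gt 0) {
    $errors | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "agent.json checks out: zone $($zone.Host), deployment '$($cfg.deployment.autoStart.deployment)'"
```

Run it from the staging folder each time you regenerate the registration certificate; a non-zero exit code means the package should not be uploaded yet.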

How to Synchronize a SharePoint Site Library to File Explorer with Microsoft Intune
https://www.recastsoftware.com/resources/synchronize-sharepoint-site-library-to-file-explorer-with-microsoft-intune/
Mon, 26 Aug 2024 13:57:29 +0000

Have you ever received a service desk ticket asking how to add a SharePoint site to File Explorer? This can be time-consuming for new hires on their first day and for your help desk team. Let’s explore how to automate this process using Microsoft Intune. By leveraging Dynamic Groups, you can automatically configure team SharePoint sites in File Explorer via OneDrive. 

Requirements  

  • OneDrive Files On-Demand enabled 
  • Windows 10 (1709) Fall Creators Update or later 
  • SharePoint Library ID  

Step-by-Step Process 

First, go to the SharePoint site you want to set up for automatic sync. In this example I use the Marketing site I created in SharePoint.  

[Screenshot: the Marketing SharePoint site]

Next, copy the Library ID. Click on the Documents section on the left-hand side.

[Screenshot: Documents section]

Sync and Copy Library ID

In the Documents section, click the Sync button. When prompted to Open Microsoft OneDrive, click Cancel. In the pop-up option, click on Copy Library ID to copy the Library ID.  

[Screenshot: Documents - click Sync]

[Screenshot: Open Microsoft OneDrive prompt - Cancel]

[Screenshot: Copy library ID]

Configure in Intune

Now go to https://intune.microsoft.com/ > Devices > under the Manage devices section, click on Configuration.

[Screenshot: Intune - Devices - Configuration]

On the Configuration page, click + Create. Select ‘Windows 10 and later’ under Platform and choose Settings Catalog under Profile type. Click Next.

[Screenshot: create profile]

Give your Profile a Name and Description. Click Next once complete.

[Screenshot: profile name and description]

Next, you’ll be directed to the Configuration settings to pick your settings. Search for Configure team site libraries to sync automatically, then click OneDrive under Browse by category. Under the OneDrive category, select Configure team site libraries to sync automatically (user).

[Screenshot: settings picker]

Once that is selected, close the settings picker to configure the setting on the page behind it. Give each library a name and a value: the Value is the Library ID you copied earlier. Click Next when ready to move forward.  

[Screenshot: enter Library ID]

I skipped Scope tags, but you can adjust those settings if needed.

Next, we’ll assign this library to our users. In my case, I will select a dynamic group for the Marketing team so that all our Global Marketing users will get this SharePoint library automatically.

[Screenshot: assign group]

Review and Create

Review and then create your profile. Then, verify on your device that this policy has successfully synced the Marketing SharePoint documents to the end user’s File Explorer.

Before the policy is enabled, the user does not see any SharePoint site libraries available in their File Explorer.

[Screenshot: no visible folders or files]

After the policy is applied, we can now see those SharePoint files sync through to the File Explorer.

[Screenshot: files now synced]

Verify inside of the Marketing SharePoint as well. 

[Screenshot: verify online in SharePoint]
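A quicker way to verify than waiting for the folder to appear is to read back what the policy wrote on the device. The PowerShell below is an added example, not part of the original post: the "(user)" setting chosen above is written to the user-scope OneDrive policy key HKCU\SOFTWARE\Policies\Microsoft\OneDrive\TenantAutoMount (as documented for this setting), and the script parses each Library ID into its tenantId, siteId, webId, listId and webUrl components. The sample Library ID is constructed; its GUIDs and URL are placeholders.

```powershell
# Added example (not from the original post): confirm on a client that the
# "Configure team site libraries to sync automatically (user)" policy landed
# and that each Library ID is well-formed. The (user) variant writes to HKCU;
# the device variant of the same setting would be under HKLM.
$PolicyKey = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive\TenantAutoMount'

# Constructed sample in the format produced by "Copy library ID"; GUIDs and URL are placeholders.
$SampleLibraryId = 'tenantId=11111111-2222-3333-4444-555555555555' +
    '&siteId={66666666-7777-8888-9999-aaaaaaaaaaaa}&webId={bbbbbbbb-cccc-dddd-eeee-ffffffffffff}' +
    '&listId=01234567-89ab-cdef-0123-456789abcdef' +
    '&webUrl=https%3A%2F%2Fcontoso.sharepoint.com%2Fsites%2FMarketing&version=1'

function Test-LibraryId {
    <# Parses a Library ID and returns IsValid, the decoded webUrl and any problems found. #>
    param([Parameter(Mandatory)][string]$LibraryId)

    $problems = @()
    $parts = @{}
    foreach ($pair in $LibraryId -split '&') {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $parts[$kv[0]] = $kv[1] }
    }

    # The four identifiers must all be GUIDs (siteId and webId are wrapped in braces).
    foreach ($name in 'tenantId', 'siteId', 'webId', 'listId') {
        $raw = $parts[$name]
        if (-not $raw) { $problems += "missing $name"; continue }
        $guid = [Guid]::Empty
        if (-not [Guid]::TryParse($raw.Trim('{}'), [ref]$guid)) { $problems += "$name is not a GUID: $raw" }
    }

    $webUrl = if ($parts['webUrl']) { [Uri]::UnescapeDataString($parts['webUrl']) } else { $null }
    if (-not $webUrl) {
        $problems += 'missing webUrl'
    } elseif ($webUrl -notmatch '^https://[^/]+\.sharepoint\.com/') {
        # Adjust the host pattern for sovereign clouds; anything else is a copy/paste mistake.
        $problems += "webUrl does not point at SharePoint Online: $webUrl"
    }

    [pscustomobject]@{
        IsValid  = ($problems.Count -eq 0)
        WebUrl   = $webUrl
        ListId   = $parts['listId']
        Problems = $problems
    }
}

function Get-AutoMountLibraries {
    <# Reads every Name=LibraryID pair the Intune policy wrote for the current user. #>
    if (-not (Test-Path $PolicyKey)) { return @() }
    $item = Get-Item $PolicyKey
    foreach ($name in $item.GetValueNames()) {
        $result = Test-LibraryId -LibraryId ([string]$item.GetValue($name))
        [pscustomobject]@{
            Name     = $name
            IsValid  = $result.IsValid
            WebUrl   = $result.WebUrl
            Problems = ($result.Problems -join '; ')
        }
    }
}

# Self-check the parser on the constructed sample, then report what the policy delivered.
$check = Test-LibraryId -LibraryId $SampleLibraryId
Write-Output "Sample Library ID valid: $($check.IsValid) ($($check.WebUrl))"

$libs = @(Get-AutoMountLibraries)
if ($libs.Count -eq 0) {
    Write-Warning 'No TenantAutoMount entries found; the policy has not applied to this user yet.'
} else {
    $libs | Format-Table -AutoSize
}
```

Run it in the signed-in user's session (not as SYSTEM), since the value lives under HKCU.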

Conclusion: Streamline SharePoint Site Library Access with Microsoft Intune

Automating the synchronization of a SharePoint Site Library to File Explorer with Microsoft Intune not only saves valuable time but also ensures consistency across your organization. By leveraging Intune’s management capabilities, you can seamlessly integrate SharePoint libraries into your users’ workflows, reducing help desk requests and improving productivity. Implementing this solution helps your teams have quick and reliable access to the files they need directly from File Explorer, streamlining operations and enhancing the overall user experience.

Check out additional Intune content here.

Azure Services to Enhance Intune Automation
https://www.recastsoftware.com/resources/azure-services-to-enhance-intune-automation/
Mon, 15 Jul 2024 16:58:05 +0000

Microsoft Intune provides a robust set of features to automate various tasks on workplace devices and in backend processes. However, there are times when you need to automate specific tasks, such as cleaning up objects or switching device classes, for which there might not be a built-in feature. In this post, I will introduce you to several Azure services that can help you automate these tasks and offer some ideas on how to build your custom solutions. 

Using Logic Apps for Intune Automation 

Azure Logic Apps allow you to build automations without writing any real code. Logic Apps is very similar to Power Automate but is more targeted towards infrastructure automation and does not run in the context of a user. 

Key Features of Logic Apps

  • No-Code Automation: Create workflows using a visual designer without writing code. 
  • Connectors: A wide range of connectors integrate with different services, including Microsoft services and third-party applications. While there is no native connector for Intune, you can make Graph API calls directly. 
  • Scheduled Workflows: Automate tasks based on specific schedules or trigger them based on events. 
[Screenshot: Logic Apps for Intune automation]

Leveraging Azure Automation  

Azure Automation is another powerful service for automating tasks. It is particularly useful for automating repetitive processes and managing updates across your infrastructure. Unlike Logic Apps, Azure Automation supports full code solutions, including PowerShell and Python. Authenticating with services and installing modules is straightforward. It also offers hybrid runbook workers that allow automation to run in your on-premises network. 

Key Features of Azure Automation

  • Runbooks: Create and manage PowerShell, Python, or graphical runbooks to automate tasks. 
  • Update Management: Automate the deployment of updates and patches across your VMs. 
  • Desired State Configuration (DSC): Ensure that your infrastructure is configured correctly and remains in the desired state. A full library of DSC resources is also available. 
  • Scheduled Workflows: As with Logic Apps, you can automate tasks based on specific schedules or trigger them based on events. 
[Screenshot: Azure Automation - PowerShell runbook]

Implementing Azure Functions for Intune Automation 

Azure Functions allows you to run small pieces of code (functions) in the cloud without worrying about the infrastructure. This service is ideal for automating lightweight tasks and integrating different services. You can build a microservice architecture with various APIs using functions, providing a highly scalable and flexible solution. 

Key Features of Azure Functions

  • Serverless Computing: Run your code without provisioning or managing servers. 
  • Event-Driven: Trigger functions based on events, such as HTTP requests, timers, or messages from other Azure services. 
  • Scalability: Automatically scale based on demand to handle varying workloads. 
[Screenshot: Azure Functions for Intune]

Building Custom Solutions 

Combining these Azure services allows you to create sophisticated automation solutions tailored to your specific needs. Here are a few ideas to get you started: 

  • Maintain Attributes in Your Asset System: Integrate with systems like ServiceNow to update asset attributes based on live data or return values from proactive remediations. 
  • Intelligent Reporting and Alerting Solutions: Build solutions to monitor and report on metrics, such as an increase in app installation errors. 
  • Custom Inventory Solutions: Develop tools to collect and manage inventory data for more effective resource management. 
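As a concrete instance of the "cleaning up objects" case mentioned at the start, here is an Azure Automation PowerShell runbook that reports Intune devices that have not synced for a given number of days. It is an added example, not code from the original post. It assumes the Automation account has a system-assigned managed identity granted the Graph application permission DeviceManagementManagedDevices.Read.All (ReadWrite.All only if -Remove is used) and that the Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement modules are imported into the account; the runbook is report-only unless -Remove is passed.

```powershell
# Added example (not from the original post): Azure Automation runbook that
# lists Intune devices not seen for $StaleDays days. Assumes a system-assigned
# managed identity with DeviceManagementManagedDevices.Read.All (ReadWrite.All
# for -Remove) and the Microsoft.Graph.Authentication /
# Microsoft.Graph.DeviceManagement modules imported into the Automation account.
param(
    [int]$StaleDays = 90,
    [switch]$Remove          # report-only unless explicitly set
)

function Get-StaleDeviceList {
    <# Returns devices whose LastSyncDateTime is older than $Days. Pure function, no Graph calls. #>
    param(
        [object[]]$Devices = @(),
        [int]$Days = 90,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    if (-not $Devices) { return @() }
    $cutoff = $Now.AddDays(-$Days)
    # A device that never synced reports no usable LastSyncDateTime and is skipped here;
    # enrolment-without-sync is a separate report.
    $Devices |
        Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff } |
        Select-Object Id, DeviceName, UserPrincipalName, OperatingSystem, LastSyncDateTime,
            @{ n = 'DaysSinceSync'; e = { [int]($Now - $_.LastSyncDateTime).TotalDays } }
}

# Managed identity sign-in: no credentials stored in the runbook or in variables.
Connect-MgGraph -Identity -NoWelcome

# Server-side filter keeps the result set small in large tenants; the client-side
# pass in Get-StaleDeviceList re-checks it and computes the age for the report.
$cutoffIso = (Get-Date).ToUniversalTime().AddDays(-$StaleDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$devices   = Get-MgDeviceManagementManagedDevice -Filter "lastSyncDateTime le $cutoffIso" -All

$stale = @(Get-StaleDeviceList -Devices $devices -Days $StaleDays)
Write-Output "Found $($stale.Count) device(s) not seen for more than $StaleDays days"
$stale | Sort-Object DaysSinceSync -Descending | Format-Table -AutoSize | Out-String | Write-Output

if ($Remove) {
    foreach ($d in $stale) {
        # Deletion is destructive; log every object so the job output doubles as an audit trail.
        Write-Output "Removing $($d.DeviceName) ($($d.Id)), last sync $($d.LastSyncDateTime)"
        Remove-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    }
}
```

Schedule it in the Automation account and review the job output for a few cycles before anyone runs it with -Remove.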

Enhancing Intune Capabilities with Azure Services 

By leveraging Azure Logic Apps, Azure Automation, and Azure Functions, you can extend Intune’s capabilities and automate tasks that are not natively supported. These services provide a flexible and scalable way to enhance your device management processes and improve operational efficiency. 

How to Manage Browser Extensions via Intune
https://www.recastsoftware.com/resources/how-to-manage-browser-extensions-via-intune/
Tue, 14 May 2024 17:54:25 +0000

Managing browser extensions effectively is crucial for maintaining the security and productivity of any organization. Microsoft Intune provides powerful tools to enforce policies on browser extensions, particularly for Google Chrome. This guide will walk you through the steps to force install specific extensions and block unwanted ones using Intune. 

Step 1: Obtain Browser Extension IDs 

Each Chrome extension has a unique ID that can be found in the Chrome Web Store URL or by inspecting the extension details in Chrome. Refer to the screenshot below on how to find it. In this example, we will be forcing the “Google Translate” extension and blocking the “ChatGPT” extension on Google Chrome. 

[Screenshot: extension ID for Google Translate]

[Screenshot: extension ID for ChatGPT]

Step 2: Create a Configuration Profile 

In the Intune admin center, navigate to Devices > Configuration > Create > New policy.

[Screenshot: Devices - Configuration - New Policy]

Choose Windows 10 and later as the platform and Settings catalog as the profile type and click Create. 

Give your policy a Name and Description and click Next.

[Screenshot: name and description]

Click the Add settings button under Configuration Settings. Search for the keyword “Extensions”, then pick Google Chrome Extensions and select the settings to be configured. In this case, we will pick “Configure extension installation blocklist” and “Configure the list of force-installed apps and extensions.” 

[Screenshot: Configure extension installation blocklist]

Enable both settings and add your Extension IDs into the fields. You will notice that the force-installation setting asks for an ‘Update URL’ along with the extension ID. For that, use the format <ExtensionID>;<UpdateURL>. 

Example: aapbdbdomjkkjkaonfhkkikfgjllcleb;https://clients2.google.com/service/update2/crx 

[Screenshot: add extension IDs]

Note: All Chrome web store apps will have the same update URL: https://clients2.google.com/service/update2/crx 

For more information, refer to the Google documentation.

Finally, click Next > Next, select the groups to which this policy should be deployed, and then click Next and Create.

Once the devices check in, you will notice that “Google Translate” has been installed and cannot be removed, while the “ChatGPT” extension is fully blocked. 

[Screenshot: Google Translate extension installed]

[Screenshot: ChatGPT extension blocked]
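The <ExtensionID>;<UpdateURL> format is easy to get subtly wrong (a dropped semicolon, a curly quote from a document, an ID with a typo), and Chrome simply ignores a malformed entry. The PowerShell below is an added example, not part of the original post: it validates list entries before you paste them into the Settings Catalog and reads back the lists Chrome actually received from the device's policy registry keys (HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist and ExtensionInstallBlocklist, the keys Chrome documents for these policies). The Google Translate ID is the one from the post; the blocklist ID is a constructed placeholder, since the post shows the ChatGPT ID only in a screenshot.

```powershell
# Added example (not from the original post): validate force-install / blocklist
# entries and read back what Chrome received. Registry keys are Chrome's documented
# policy locations. The Translate ID is from the post; the blocklist ID is constructed.
$ChromeUpdateUrl = 'https://clients2.google.com/service/update2/crx'
$ForceList = @('aapbdbdomjkkjkaonfhkkikfgjllcleb;https://clients2.google.com/service/update2/crx')  # Google Translate
$BlockList = @('abcdefghijklmnopabcdefghijklmnop')   # constructed placeholder, replace with the real ID

function Test-ChromeExtensionId {
    # Chrome Web Store IDs are exactly 32 characters drawn from the letters a-p.
    param([string]$Id)
    return ($Id -match '^[a-p]{32}$')
}

function Test-ForceListEntry {
    <# Validates "<ExtensionID>;<UpdateURL>" and returns a list of problems (empty = OK). #>
    param([Parameter(Mandatory)][string]$Entry)
    $problems = @()
    # Copy/paste from Word or a wiki often brings curly quotes along; Chrome then ignores the entry.
    if ($Entry -match '[\u201c\u201d\u2018\u2019]') { $problems += 'contains curly quotes' }
    $id, $url = $Entry -split ';', 2
    if (-not (Test-ChromeExtensionId $id)) { $problems += "bad extension ID '$id'" }
    if (-not $url) {
        $problems += 'missing update URL (format is <ExtensionID>;<UpdateURL>)'
    } elseif ($url -ne $ChromeUpdateUrl) {
        # Every Web Store extension uses the Google update URL; anything else is a
        # self-hosted extension and deserves a deliberate review, not an accidental paste.
        $problems += "non-Web-Store update URL '$url'"
    }
    return $problems
}

function Get-ChromeExtensionPolicy {
    <# Reads the force and block lists Chrome actually received on this device. #>
    $base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    foreach ($list in 'ExtensionInstallForcelist', 'ExtensionInstallBlocklist') {
        $key = Join-Path $base $list
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ List = $list; Entry = '<not applied>' }
            continue
        }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ List = $list; Entry = [string]$item.GetValue($name) }
        }
    }
}

foreach ($e in $ForceList) {
    $p = Test-ForceListEntry $e
    if ($p) { Write-Warning "Force-list entry '$e': $($p -join '; ')" } else { Write-Output "Force-list entry OK: $e" }
}
foreach ($id in $BlockList) {
    if ($id -eq '*') {
        # '*' blocks every extension not explicitly allowed; make sure that is intended.
        Write-Warning 'Blocklist contains "*": all extensions not on the allowlist will be blocked'
    } elseif (-not (Test-ChromeExtensionId $id)) {
        Write-Warning "Blocklist ID '$id' is not a valid extension ID"
    } else {
        Write-Output "Blocklist ID OK: $id"
    }
}

Get-ChromeExtensionPolicy | Format-Table -AutoSize
```

On a managed device the second table should match what you entered in Intune; chrome://policy shows the same lists from Chrome's side.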

Conclusion: Efficiently Manage Browser Extensions via Intune

Managing Chrome extensions via Intune allows administrators to ensure that only safe and necessary extensions are used, while preventing potentially harmful ones. By following these steps, you can effectively enforce extension policies across your organization, enhancing both security and operational efficiency. 

Find other helpful Intune content here.

How to Enable Known Folder Move with Intune
https://www.recastsoftware.com/resources/how-to-enable-known-folder-move-with-intune/
Fri, 10 May 2024 13:27:15 +0000

What is Known Folder Move (KFM)?  

Known Folder Move (KFM) is a feature within OneDrive that enables the backup of important folders, such as Documents, Desktop, and Pictures, directly to OneDrive. By syncing these folders to OneDrive, users gain seamless access to their files across multiple devices. This post will demo how to enable Known Folder Move with Intune.

Why Should I Enable Known Folder Move with Intune?  

There are several compelling reasons to enable KFM: 

  1. Protection Against Data Loss: It offers peace of mind for end users by ensuring that crucial files are accessible even if their devices crash or are lost. They can maintain their regular habits of saving files without interruption. 
  2. Business Continuity: For IT admins, enabling KFM ensures productivity isn’t disrupted during unexpected device issues. It’s not a matter of if it will be needed, but when. 
  3. Simplified Migrations: KFM streamlines transitions from one system management platform to another, eliminating concerns about data stored on physical hard drives. 

      To leverage these benefits, we’ll walk through the steps of enabling KFM with Microsoft Intune. This guide will show you how to automatically sign users into OneDrive with their Windows credentials and silently enable KFM. 

      Silently Sign Users into OneDrive with Windows Credentials 

      Create a New Policy. Go to Microsoft Intune > click on Devices > Configuration > + New Policy.

      [Screenshot: new policy]

      Next, choose the appropriate settings. Select Windows 10 and later for Platform > Settings catalog under Profile type > Click Create.  

      [Screenshot: create profile]

      In the Basics page add the Name and Description for your policy.  

      [Screenshot: name and description]

      Add OneDrive Settings 

      Click on + Add settings > search for OneDrive > Select OneDrive under Browse by category.  

      [Screenshot: add settings]

      Enable Silent Sign-In 

      Under the OneDrive category, search for Silently sign in users to the OneDrive sync app with their Windows credentials, select it, and set it to Enabled. Click Next.  

      [Screenshot: enable silent sign-in]

      Silently Move Windows Known Folders to OneDrive with Intune  

      Create a New Policy. Go to Microsoft Intune > click on Devices > Configuration > + New Policy.  

      [Screenshot: create new policy]

      Select Windows 10 and later for Platform > Settings catalog under Profile type > Click Create.  

      In the Basics page, add the Name and Description for your policy.  

      [Screenshot: name and description]

      Add OneDrive Settings 

      Click on + Add settings > search for OneDrive > Select OneDrive under Browse by category.  

      [Screenshot: add setting]

      Under Setting name, enable the following policies: 

      • Prevent users from redirecting their Windows known folders to their PC 
      • Prompt users to move Windows known folders to OneDrive 
      • Silently move Windows known folders to OneDrive 
      [Screenshot: select the three settings]

      Once you select those settings, you’ll want to enable all the radio buttons and add your Tenant ID. Optionally, choose Yes to notify users of the silent folder move. Click Next after adding the required information. 

      [Screenshot: Tenant ID]

      Next, assign the policy. Define the assignments to determine which devices will be targeted by this policy. Select All Devices if you intend to apply it universally. 

      [Screenshot: define assignments]

      Review and create your policy.  

      User Experience After You Enable Known Folder Move with Intune 

      Before enabling Known Folder Move: No OneDrive Sync and OneDrive is not signed in.  

      [Screenshot: before Known Folder Move]

      After Enabling Known Folder Move: User gets notified of Known Folder move redirect.  

      [Screenshot: after enabling Known Folder Move]

      In the screenshots below, the user’s Documents, Pictures, and Desktop folders are automatically backed up by Known Folder Move, and the user cannot stop the folder backup. The user did not have to log in or create any backups; the IT admin took care of that by following the steps above.  

      [Screenshot: which folders are backed up]

      [Screenshot: all folders silently synced]
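To check the same result without clicking through the OneDrive UI on each test device, the PowerShell below reads back the two policies and the current user's folder redirection. It is an added example, not part of the original post: the registry values are the ones the OneDrive sync app documents for these settings (SilentAccountConfig for silent sign-in; KFMSilentOptIn, KFMOptInWithWizard, KFMBlockOptOut and KFMSilentOptInWithNotification for the three Known Folder Move settings), and the tenant ID is a constructed placeholder to replace with your own.

```powershell
# Added example (not from the original post): verify on a device that the silent
# sign-in and Known Folder Move policies applied. Value names are the OneDrive
# sync app's documented policy values; the tenant ID below is a placeholder.
# Run it in the signed-in user's session, since the shell-folder check reads HKCU.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'
$OneDrivePolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Get-KfmPolicyState {
    <# Compares the device-scope OneDrive policy values with what the two profiles above configure. #>
    param([Parameter(Mandatory)][string]$TenantId)
    $p = Get-ItemProperty -Path $OneDrivePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SilentSignIn   = ($p.SilentAccountConfig -eq 1)                    # silently sign in with Windows credentials
        KfmSilentOptIn = ($p.KFMSilentOptIn -eq $TenantId)                 # silently move known folders to OneDrive
        KfmPromptOptIn = ($p.KFMOptInWithWizard -eq $TenantId)             # prompt users to move known folders
        KfmBlockOptOut = ($p.KFMBlockOptOut -eq 1)                         # prevent redirecting folders back to the PC
        NotifyUser     = ($p.KFMSilentOptInWithNotification -eq 1)         # optional notification after the silent move
    }
}

function Get-KnownFolderRedirection {
    <# Shows where Desktop, Documents and Pictures point for the current user and whether that is inside OneDrive. #>
    $shell    = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $oneDrive = (Get-ItemProperty 'HKCU:\Software\Microsoft\OneDrive\Accounts\Business1' -ErrorAction SilentlyContinue).UserFolder
    # Display name paired with the registry value name Explorer uses for that folder.
    foreach ($pair in @(@('Desktop', 'Desktop'), @('Documents', 'Personal'), @('Pictures', 'My Pictures'))) {
        $raw  = [string]$shell.($pair[1])
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        [pscustomobject]@{
            Folder     = $pair[0]
            Path       = $path
            InOneDrive = [bool]($oneDrive -and $path.StartsWith($oneDrive, [StringComparison]::OrdinalIgnoreCase))
        }
    }
}

$state = Get-KfmPolicyState -TenantId $ExpectedTenantId
$state | Format-List
if (-not ($state.SilentSignIn -and $state.KfmSilentOptIn -and $state.KfmBlockOptOut)) {
    Write-Warning 'One or more configured policies has not applied yet; check the device status in Intune and trigger a sync.'
}

Write-Output 'Known folder redirection for the current user:'
Get-KnownFolderRedirection | Format-Table -AutoSize
```

A device where the policy state is all true but InOneDrive is still false for every folder usually has not completed OneDrive sign-in yet; give it a restart or a fresh user logon before troubleshooting further.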

      Conclusion: Empower Your Team by Enabling Known Folder Move with Intune 

      By enabling Known Folder Move with Microsoft Intune, IT administrators can efficiently safeguard critical user data and ensure a smooth user experience. This seamless setup simplifies migrations and minimizes disruptions, letting users focus on their work without worrying about data loss. Empower your team with streamlined, secure backups that happen silently and automatically, providing peace of mind for everyone involved. 

      Check out more Intune content here.

      How to Remove Personal Teams Chat from Windows 11 Devices Using Intune
      https://www.recastsoftware.com/resources/remove-personal-teams-chat-from-windows-11-devices-using-intune/
      Fri, 03 May 2024 14:44:49 +0000

      Have you recently upgraded to Windows 11 and noticed two Microsoft Teams apps on your devices? These are the Teams client for personal accounts and Microsoft Teams for work or school. The version intended for personal use with a Microsoft account is installed by default when you upgrade to Windows 11. In contrast, the Microsoft Teams designed for enterprises is labeled as “Microsoft Teams (work or school)” and must be installed separately through your preferred method. It’s understandable that this situation can cause confusion.  

      In this guide, we’ll focus on removing the Chat Icon from the personal Teams app using Microsoft Intune, streamlining the user experience and avoiding potential complications. 

      Note

      Teams for Personal use: Appears as ‘Microsoft Teams’ when searched.  

      Teams for Enterprise users: Labeled as ‘Microsoft Teams (work or school).’ 

      Consider the scenario where you inadvertently click on the initial option (Microsoft Teams) and attempt to log in with your enterprise account, rushing to join a meeting scheduled to start in just one minute. 

      [Screenshot: signing in to the personal Teams app with a work account]

      Looking at the error message, we cannot sign in with a work or school account and it asks for our personal account instead. Now, not only is the user delayed for their meeting, but they’re also faced with the dilemma of choosing the correct Microsoft Teams application. Let’s explore how to prevent such issues for our future users. 

      [Screenshot: error message]

      Removing Personal Teams Chat from Windows 11 

      Requirements:  

      • Devices: Windows 11  
      • Administrator Role: Intune Administrator  

      Method 1: Remove Personal Teams Icon with Intune – Custom OMA-URI 

      • Go to Microsoft Intune > Devices > Configuration > + Create > + New Policy.  
      [Screenshot: new policy]

      We can now specify the platform for this policy. In our case, we’re targeting Windows 10 and later. Select Templates as the profile type and choose the Custom template.

      [Screenshot: Templates - Custom]

      Go ahead through your Basics setup. Give your policy a name and description.

      [Screenshot: name and description]

      Now, let’s delve into the Configuration settings where we’ll add the necessary information to remove the chat icon. 

      • Name: Remove Teams Chat Icon 
      • Description: n/a 
      • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon 
      • Data Type: Integer 
      • Value: 3 
      [Screenshot: configuration settings]

      Now let’s set our assignments. While I’ve targeted all devices, I’ve implemented a filter to exclusively target Windows 11 devices.

      [Screenshot: filter for Windows 11 devices]

      Review and create your policy.

      Method 2: Remove the Personal Chat Icon with Intune – Settings Catalog  

      Go to Microsoft Intune > Devices > Configuration > + Create > + New Policy.  

      [Screenshot: New Policy]

      We can now specify the platform for this policy. In our case, we’re targeting Windows 10 and later. Choose Settings Catalog as the Profile type.

      [Screenshot: Profile type - Settings catalog]

      Run through the basics again and add the proper Name and Description.  

      [Screenshot: name and description]

      In the configuration settings, click on + Add settings > Search for Experience under category, and search for the setting name Configure Chat Icon.

      [Screenshot: Configure Chat Icon]

      After clicking on Configure Chat Icon, you will be prompted with a drop-down menu to select how you want it configured. In our case we are going to use Disabled.

      [Screenshot: Configure Chat Icon set to Disabled]

      Proceed to the next steps, including assigning Scope tags if necessary and setting up your assignment group. Once finished, review and create your policy.

      [Screenshot: assignment groups]

      Testing the Removal of Personal Teams Chat from Windows 11

      It’s time to test the policy you’ve created to ensure it meets your requirements. Verify that Personal Teams Chat has been successfully removed, leaving only Microsoft Teams for work or school operational. 
       
      Before running Method 2, the personal Microsoft Teams app is still available. 

      [Screenshot: before]

      After running Method 2: Let’s run the policy and check back later. 

      Now we can see that the personal Microsoft Teams app is no longer shown. We can also see in Intune that the policy applied as intended.

      [Screenshot: after - only Microsoft Teams (work or school) remains]

      [Screenshot: Intune reports the policy succeeded]

      Conclusion: Streamlining Your Windows 11 Environment 

      Removing Personal Teams Chat from Windows 11 devices optimizes the user experience and improves productivity. By following the outlined methods using Intune, IT administrators can manage Teams applications, ensuring users have access to the appropriate platform for work use. Streamlining this process not only resolves confusion but also enhances overall system efficiency. 

      How to Block Apps with Intune https://www.recastsoftware.com/resources/how-to-block-apps-with-intune/ Thu, 02 May 2024 14:15:09 +0000 https://www.recastsoftware.com/?post_type=resources&p=681488 Managing app installations is a vital aspect of IT administration […]

      The post How to Block Apps with Intune appeared first on Recast Software.

      Managing app installations is a vital aspect of IT administration for any organization, helping to improve security and ensure compliance with internal policies.  

      Why Block Apps with Intune? 

      With recent legislative actions, such as the US House of Representatives and the President moving toward a potential ban of TikTok, compliance with new regulations may become mandatory for many US organizations. This guide will walk you through the steps to block specific apps, such as TikTok, within the Microsoft Store using Microsoft Intune by leveraging the AppLocker functionality in Windows. 

      Blocking specific apps is important for several reasons: 

• Security Considerations: Preventing installation of apps that could pose security risks. 
• Enhancing Productivity: Limiting access to apps that might distract employees. 
• Compliance and Regulatory Requirements: Ensuring only approved apps are used in regulated environments. 

      Step-by-Step Guide to Blocking Apps with Intune 

      Section 1: Creating an AppLocker Policy in Windows 

• On your test machine, visit the Microsoft Store and install “TikTok.” 
• Go to the Start Menu, type “Local Security Policy,” right-click on it, and run as Administrator. 
• Navigate to Application Control Policies > AppLocker > Packaged app Rules. 
• Right-click “Packaged app Rules” and select “Create New Rule.” Hit “Next” in the dialog box. 
• Select “Deny” as the action and hit “Next.” 
• Keep the default option selected. Click the “Select” button, choose “TikTok” from the list, and press “OK.” 
• Once “TikTok” is selected, move the slider from “Package version” up to “Package name” so that the rule blocks all versions of TikTok. 
• Click “Next” through the remaining pages, name your rule, provide a description, and then click “Create” to finalize your “Block” rule. 
• Right-click “Packaged app Rules” again and select “Create Default Rules.” The default rule allows all signed packaged apps; without it, enforcing packaged app rules would block every packaged app that has no explicit Allow rule, not just TikTok. 

      Completing the AppLocker Configuration 

• Now that the rules are created, right-click “AppLocker” in the left pane and select “Properties.”  
• Check “Configured” under Packaged app Rules, select “Enforce Rules,” and hit OK. 

      Exporting the AppLocker Policy 

• Right-click “AppLocker” in the left pane again and select “Export Policy.” Save the XML file to your desktop; we will need this file later in the Intune section. 
• Open the XML file. The exported policy contains one <RuleCollection> element per rule type; the packaged app rules are in the element whose Type is "Appx", which starts with <RuleCollection Type="Appx" ...> and ends with </RuleCollection>. Copy that whole element to your clipboard. 

      Section 2: Implementing the Block Policy in Intune

• Log in to intune.microsoft.com.  
• Navigate to Devices > Configuration profiles. 
• Click Create Profile and choose New Policy. Select Windows 10 and later as the platform. 
• Profile type should be Templates, with Custom as the template name. Hit Create. 
• Give your policy a name and description that reflect its purpose, e.g., “Block TikTok,” and hit Next. 
• Under “Configuration settings,” click “Add” next to OMA-URI settings. 
• Name the setting, provide a description, select “String” as the “Data Type,” and paste the RuleCollection you copied from the XML file into the “Value” section. 
• For “OMA-URI,” use the following string: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy 
       
For more information on the AppLocker CSP, refer to the article AppLocker CSP – Windows Client Management | Microsoft Learn. 
• Click “Save” and continue to assign the Intune group where you want to apply this profile. Follow the prompts to finish creating the profile. 

      Section 3: Monitor and Manage App Blocking with Intune

After deploying the policy, monitor its impact through the View reports button. Once the policy has been applied successfully on devices, TikTok will be blocked in the Microsoft Store. 



      Appendix: Extending App Blocking to Other File Types 

Just like blocking Microsoft Store apps, we can also block unapproved exe, msi, and script files using AppLocker and Intune. The process remains largely the same, with only two changes required: 

• In Section 1, at steps 5 and 10, instead of right-clicking “Packaged app Rules,” right-click Executable Rules (for exe) or Windows Installer Rules (for msi). 
• The OMA-URI also changes, as shown below. 
  • For exe files: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy 
  • For msi files: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy 
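As an added example (my own PowerShell, not the post's code nor part of AppLocker or Intune), the following builds the Packaged app RuleCollection from the installed package instead of the Local Security Policy wizard, pulls any rule type's RuleCollection out of a policy exported as in Section 1, and maps each type to the OMA-URI used in Section 2 and this appendix. The function names are hypothetical; it assumes a Windows PowerShell 5.1 session on the test machine where the app is installed.

```powershell
# Added example, not from the Recast post. Requires Windows PowerShell 5.1 on the
# test machine where the target Store app is installed (Get-AppxPackage is Windows-only).

# Maps an AppLocker RuleCollection Type to the AppLocker CSP node used in the post
# ("apps" is the arbitrary grouping name the post chose for the OMA-URI).
$AppLockerOmaUri = @{
    Appx   = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy'
    Exe    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy'
    Msi    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy'
    Script = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy'
    Dll    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy'
}

function New-AppxDenyRuleCollection {
    <# Builds the Appx RuleCollection the post exports by hand: one Deny rule scoped to
       the package name across all versions, plus the default Allow rule for signed apps. #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PackageNamePattern,   # e.g. '*TikTok*'
        [string] $RuleName = "Block $PackageNamePattern"
    )
    $pkg = Get-AppxPackage -Name $PackageNamePattern | Select-Object -First 1
    if (-not $pkg) { throw "No installed package matches '$PackageNamePattern'; install it first." }

    # PublisherName is the package's signing subject and ProductName its package name,
    # which is what the "Package name" slider position in the wizard produces.
    $publisher = [System.Security.SecurityElement]::Escape($pkg.Publisher)
    $product   = [System.Security.SecurityElement]::Escape($pkg.Name)
    $denyId    = [guid]::NewGuid()
    $allowId   = [guid]::NewGuid()

    # S-1-1-0 is Everyone. The Allow rule matters: once this collection is enforced,
    # any packaged app without an explicit Allow rule is blocked.
    $xml = @"
<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="$denyId" Name="$RuleName" Description="Blocks every version of $product" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="$allowId" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
"@
    $null = [xml]$xml      # fails loudly if the escaping produced invalid XML
    [pscustomobject]@{ Type = 'Appx'; OmaUri = $AppLockerOmaUri.Appx; Value = $xml }
}

function Get-ExportedRuleCollection {
    <# Pulls one RuleCollection out of a policy exported from Local Security Policy,
       which holds a collection per rule type, so the right one lands in the OMA-URI. #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PolicyXmlPath,
        [ValidateSet('Appx', 'Exe', 'Msi', 'Script', 'Dll')] [string] $Type = 'Appx'
    )
    [xml]$doc = Get-Content -LiteralPath $PolicyXmlPath -Raw
    $node = @($doc.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq $Type }
    if (-not $node) { throw "No RuleCollection of type '$Type' in $PolicyXmlPath" }
    if ($node.EnforcementMode -ne 'Enabled') {
        Write-Warning "RuleCollection '$Type' is $($node.EnforcementMode); set Enforce Rules before exporting."
    }
    [pscustomobject]@{ Type = $Type; OmaUri = $AppLockerOmaUri[$Type]; Value = $node.OuterXml }
}

# Usage on the test machine:
#   $rule = New-AppxDenyRuleCollection -PackageNamePattern '*TikTok*'
#   $rule.Value | Set-Clipboard        # paste into the custom profile's Value field
#   Get-ExportedRuleCollection -PolicyXmlPath "$env:USERPROFILE\Desktop\policy.xml" -Type Appx
```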

      Conclusion: Enhancing Security and Compliance with Intune

      By utilizing Microsoft Intune and AppLocker, organizations can effectively block unauthorized apps, enhancing security and ensuring compliance. This guide demonstrates a straightforward method to manage applications and maintain control over your IT environment. As you adapt and refine your endpoint management strategies, Intune’s capabilities support a secure, productive, and compliant workplace. Continuous monitoring and updating of these policies are essential to address the evolving challenges that inevitably arise.  

      How to Build Compliance Baselines in Intune to Determine the Compliance Status of Devices  https://www.recastsoftware.com/resources/build-compliance-baselines-in-intune-to-determine-compliance-status/ Thu, 18 Apr 2024 13:27:56 +0000 https://www.recastsoftware.com/?post_type=resources&p=681441 Establishing robust mechanisms for assessing and enforcing compliance is crucial. […]

      The post How to Build Compliance Baselines in Intune to Determine the Compliance Status of Devices  appeared first on Recast Software.

Establishing robust mechanisms for assessing and enforcing compliance is crucial. Microsoft Intune provides a valuable tool in this regard with its compliance baselines. This blog will guide you on how to leverage these baselines in Intune to keep your device fleet compliant with your organization’s security and compliance standards.

      Introduction to Compliance Baselines in Intune

      Compliance baselines in Intune are predefined sets of compliance policies that help determine the compliance status of devices across your organization. These baselines provide a benchmark for security and configuration settings, making it easier for IT administrators to identify and remediate non-compliant devices. By leveraging these baselines, organizations can automate the process of compliance assessment, ensuring devices adhere to corporate security policies and regulatory standards. 

      Step 1: Understanding Your Compliance Requirements 

      The initial step in constructing compliance baselines is to comprehensively understand your organization’s compliance needs. This involves pinpointing the regulatory standards you must comply with—such as GDPR, HIPAA, or PCI-DSS—and translating these into specific device configuration settings. Key aspects to consider include encryption standards, password policies, and software versions to compile a detailed checklist of compliance criteria. 

      Step 2: Creating a Compliance Baseline in Intune 

Once you’ve identified your compliance requirements, the next step is to create a compliance baseline in Intune. In this blog, we are building compliance baselines around these settings: 

      • BitLocker 
      • Secure Boot 
      • Code Integrity 
      • Firewall 
      • TPM 
      • Antivirus 
      • Antispyware 

      A device lacking any of these enabled settings and tools will be considered “non-compliant.” 

      Steps to Establish Your Compliance Baseline in Intune

      Navigate to the Intune Admin Console: Log in to the Microsoft Intune admin center at intune.microsoft.com 

Create a New Compliance Policy: Go to Devices > Compliance > Policies > Create Policy. Select the platform relevant to your devices, such as Windows 10 and later, and hit “Create”. 


Name and Description: Give your compliance policy a name and description and hit Next. 


      Configure Compliance Settings: Use the ‘Create a Compliance Policy’ wizard to set the compliance settings based on your organization’s requirements. Intune provides various settings including device health, device properties, system security, and custom configuration settings.  


      Define Actions for Non-compliance: Decide the actions to take if a device fails compliance checks. Options include sending an email notification, marking the device as non-compliant, or adding the device to a retirement list. For our example, I have marked the device as non-compliant after three days. 


      Note

Sending an email to an end user for non-compliance is not recommended. Under a zero trust framework, most users will not have the admin privileges needed to perform any remediation themselves. If you do decide to send an email, create a “group” of your sysadmins/helpdesk and add it in the “additional recipients” section. For the email body/content, you need to create a “notification” beforehand: go to Devices > Compliance > Notifications > Create notification. 


      Assignments: Assign the group to apply this compliance policy. I would recommend creating a “Dynamic group” that hosts all the Windows devices and then applying it on that group. Hit next and “Create”. 

Devices with no assigned compliance policy: Ideally there should be no device without a compliance policy assigned. We can build one policy for Mac devices, one for Windows, and so on. We can also specify how Intune treats devices that have no policy assigned: go to Devices > Compliance > Compliance settings and set the compliance behavior for devices with no policy assigned. I would recommend setting it to “non-compliant”. 

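To see how a device will fare against the seven settings listed above before the Intune report arrives, here is an added PowerShell pre-flight check (my own, not from the post or from Intune). It assumes an elevated Windows PowerShell 5.1 session on Windows 10/11; the code integrity and antivirus checks are local approximations of what the service evaluates, as noted in the comments.

```powershell
# Added example, not from the Recast post. Evaluates the seven settings the post's
# compliance policy is built around on the local device. Run in an elevated Windows
# PowerShell 5.1 session on Windows 10/11.
function Test-BaselineReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # BitLocker: protection must be On for the OS volume (encrypted but suspended fails).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLocker = ($null -ne $os -and $os.ProtectionStatus -eq 'On')

    # Secure Boot: the cmdlet throws on non-UEFI hardware, which counts as not enabled.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # Code Integrity: Device Health Attestation reports CI as off when the boot config
    # has test signing or "no integrity checks" turned on, so inspect the BCD for those.
    # Assumption: this local check approximates the attestation result (English output).
    $bcd = & bcdedit /enum '{current}' 2>&1 | Out-String
    $result.CodeIntegrity = -not ($bcd -match '(?im)^\s*(testsigning|nointegritychecks)\s+Yes')

    # Firewall: every profile (Domain, Private, Public) must be enabled.
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $result.Firewall = ($null -ne $profiles -and @($profiles | Where-Object { -not $_.Enabled }).Count -eq 0)

    # TPM: present and ready for use.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result.TPM = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    # Antivirus / Antispyware: Intune reads the Windows Security Center registration, so a
    # third-party product counts too. productState bit 0x1000 means the product is enabled.
    $av = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $as = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiSpywareProduct -ErrorAction SilentlyContinue
    $result.Antivirus   = @($av | Where-Object { ($_.productState -band 0x1000) -ne 0 }).Count -gt 0
    $result.Antispyware = @($as | Where-Object { ($_.productState -band 0x1000) -ne 0 }).Count -gt 0

    # Any single failed check makes the device "non-compliant" under the post's policy.
    $failed = @($result.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Checks            = [pscustomobject]$result
        FailedChecks      = $failed
        ExpectedCompliant = ($failed.Count -eq 0)
    }
}

# Usage: Test-BaselineReadiness | Format-List
```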

      Step 4: Monitoring and Reporting 

      With your compliance baselines in place, it’s essential to continuously monitor the compliance status of devices and take remedial actions if necessary. 

      Use Intune’s Built-in Reports: Intune provides detailed reports on the compliance status of devices, highlighting deviations from the baseline. 


      Act on Non-compliant Devices: Use the information from the reports to address non-compliance issues. This may involve updating device settings, installing necessary updates, or retiring devices that can no longer meet compliance standards. 

      Ensuring Optimal Security with Compliance Baselines in Intune

      Building compliance baselines in Intune is a proactive way to maintain the security and integrity of your device fleet. By setting clear benchmarks for compliance, automating the assessment process, and taking swift action on non-compliant devices, organizations can enhance their security posture and ensure that they meet regulatory requirements.  

      How to Build PPPC Profiles within Intune for MacOS Devices https://www.recastsoftware.com/resources/how-to-build-pppc-profiles-within-intune-for-macos-devices/ Wed, 10 Apr 2024 16:35:58 +0000 https://www.recastsoftware.com/?post_type=resources&p=681385 Greetings, fellow Intune and Mac admins! Welcome to our guide […]

      The post How to Build PPPC Profiles within Intune for MacOS Devices appeared first on Recast Software.

Greetings, fellow Intune and Mac admins! Welcome to our guide on configuring PPPC profiles within Intune for macOS devices. macOS is known for its strict security measures, which, while ensuring safety, can restrict basic functionality without local admin rights: users cannot, for example, enable screen sharing or allow remote control through applications like Zoom or Teams. Ever wondered how to mass-enable screen sharing, remote control (Accessibility), or Full Disk Access for approved applications through Intune? If so, you are in luck. In this guide, we’ll show you how to configure Privacy Preferences Policy Control (PPPC) permissions within Intune. 

      Understanding PPPC Profiles 

      Privacy Preferences Policy Control (PPPC) profiles allow administrators to manage privacy access controls for macOS 10.14 and later. These profiles are crucial for granting or denying access to sensitive user data and hardware resources for apps and system services. By pre-configuring these settings, organizations can ensure compliance with privacy policies and streamline the user experience by reducing the number of permission prompts. 

      Step 1: Identify Your Requirements 

      Begin by determining your application’s permission requirements. For example, Zoom requires “Screen Record” for sharing screens and “Accessibility” permission for letting other people control your screen. Similarly, some applications like an Antivirus or DLP tool may require “Full Disk” access. 

      Step 2: Creating and Deploying PPPC Profile within Intune 

      Navigate to intune.microsoft.com and log in with your administrator credentials. 

      Once logged in, go to “Devices” > “macOS” > “Configuration profiles” > “Create” > “New Policy.” 


      “macOS” should already be selected for the Platform. Choose “Settings Catalog” for the “Profile type”. Hit the “Create” button at the bottom of the page.

      Give your profile a name, write a description, and hit next.


      In the “Configuration settings” section, click on the “Add Settings” button. You will see the “Settings picker” section on the right side of the page. Search and pick “Privacy Preference Policy Control”. Now pick the permissions that you need to set. In the example below, we are picking “Accessibility” and “Screen Capture.”

      New settings will appear on the left side. Now we need to provide the “Identifier”, “Code Requirement”, and authorization info. Simply hit the “Edit Instance” button to get started.


      Important Notes

      • In the ‘Configure Instance’ section, you can select either an ‘Allowed’ key or an ‘Authorization’ key. Hit the “-” button next to the key to remove one or the other. 
      • I would recommend using the “Authorization” key only for all permissions. Also note that for screen share/record and microphone permissions, Apple doesn’t let sysadmins preset “Allow” these permissions due to privacy reasons. So, the “Allow” option will not work. Hence, the only option to be used for these permissions is “Allow Standard User to Set System Service”. This will still show users the authorization prompt, but a standard user will now have access to enable the permissions. For “Accessibility” or “Full Disk Access” we can still use “Allow”. 

To retrieve the “Code Requirement” and “Identifier”, install the application on a test Mac. Open “Terminal” and run the following command, replacing “Zoom.us.app” with the name of your app: 

codesign -dr - /Applications/Zoom.us.app 

For “Microsoft Teams classic” it will look like this:  

codesign -dr - /Applications/Microsoft\ Teams\ Classic.app 

Note: In the macOS Terminal, a space in a path is escaped with a backslash, so “Microsoft Teams Classic.app” is typed as “Microsoft\ Teams\ Classic.app”. 

You will see output like the example below. Copy everything after “designated =>”; this string is your code requirement. Notice that the identifier is also embedded in the code requirement.  


      For example, using Zoom as our application: 

Identifier = us.zoom.xos 

Code Requirement = identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3 

Paste the code requirement and Identifier information and hit Save. Do the same for the “Screen Capture” instance.  


      Finally, click ‘Next’ twice, add your MacOS device group to the assignments, click ‘Next’ again, and then click ‘Create.’ 
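As an added example (not the post's code), the following PowerShell 7 function runs codesign on the test Mac, extracts the designated requirement and identifier the instance needs, and verifies that the installed bundle still satisfies the exact string you will paste into Intune. The function name is hypothetical and the app path is an assumption supplied by the caller.

```powershell
# Added example, not from the Recast post. Run under PowerShell 7 (pwsh) on the test Mac
# where the app is installed; codesign itself is an Apple tool shipped with macOS.
function Get-PppcCodeRequirement {
    [CmdletBinding()]
    param(
        # Full bundle path, e.g. '/Applications/zoom.us.app' (quote paths with spaces).
        [Parameter(Mandatory)] [string] $AppPath
    )
    if (-not $IsMacOS) { throw 'codesign is only available on macOS.' }
    if (-not (Test-Path -LiteralPath $AppPath)) { throw "App bundle not found: $AppPath" }

    # codesign writes the requirement to stderr; merge the streams and keep plain strings.
    $lines  = & codesign -dr - $AppPath 2>&1 | ForEach-Object { "$_" }
    $drLine = $lines | Where-Object { $_ -like 'designated*' } | Select-Object -First 1
    if (-not ($drLine -and $drLine -match '^designated\s*=>\s*(.+)$')) {
        throw "No designated requirement for $AppPath`n$($lines -join "`n")"
    }
    $requirement = $Matches[1].Trim()

    # The bundle identifier and Team ID are embedded in the requirement string itself.
    $identifier = if ($requirement -match 'identifier\s+"([^"]+)"') { $Matches[1] } else { $null }
    $teamId     = if ($requirement -match 'subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?') { $Matches[1] } else { $null }

    # Verify the bundle satisfies the string exactly as it will be pasted into Intune.
    # "-R" takes a requirement; a leading "=" means the requirement text follows inline.
    & codesign --verify -R "=$requirement" $AppPath 2>&1 | Out-Null
    $satisfied = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        AppPath         = $AppPath
        Identifier      = $identifier      # paste into "Identifier"
        IdentifierType  = 'Bundle ID'      # app bundles use the bundle ID, not a path
        TeamId          = $teamId
        CodeRequirement = $requirement     # paste into "Code Requirement"
        Satisfied       = $satisfied       # $false means do not deploy this string
    }
}

# Usage: Get-PppcCodeRequirement -AppPath '/Applications/zoom.us.app' | Format-List
```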

      Step 3: Monitoring and Testing 

      Now that we have deployed the profile to devices, you will notice that the next time devices check in to Intune, our endpoint will have a new profile added in the “Profiles” section within “System Settings.” 


Note: If you go to System Settings > Privacy & Security > Accessibility on the Mac, you will notice that there is no entry for Zoom even though we enabled this permission via Intune. This is by design and not a cause for concern: standard users will still be able to permit remote control via Zoom. You will see similar behavior if you enabled “Full Disk Access.” 

However, for the “Screen Recording/sharing” permission, we do see an entry for Zoom. This is because we used the option “Allow Standard User to Set System Service”, which still shows the user the prompt and lets them allow the permission themselves, so the app appears under System Settings > Privacy & Security > Screen Recording. 

      Optimizing MacOS Security and Productivity with PPPC Profiles within Intune 

      Creating custom PPPC profiles in Intune for macOS devices is a powerful way to manage application permissions efficiently. By following the steps outlined above, you can ensure that your macOS devices are both secure and user-friendly, with minimal interruptions to productivity. 

      This process can be adapted and expanded based on your organization’s specific needs and the evolving landscape of macOS security and privacy features. This guide was built on MacOS Ventura version 14.4.1. The steps outlined may change in future versions. Always keep abreast of the latest developments from both Apple and Microsoft to refine and enhance your privacy controls. 

      Remember, this guide offers a foundation for PPPC profile creation, but specific configurations will vary based on your organization’s applications and resources. Always test your profiles in a controlled environment before widespread deployment to ensure they perform as expected. 


      How to Manually Register Devices with Windows Autopilot https://www.recastsoftware.com/resources/how-to-manually-register-devices-with-windows-autopilot/ Wed, 03 Apr 2024 15:03:22 +0000 https://www.recastsoftware.com/?post_type=resources&p=681328 In this guide, we will learn how to manually register […]

      The post How to Manually Register Devices with Windows Autopilot appeared first on Recast Software.

      In this guide, we will learn how to manually register devices with Windows Autopilot, a critical process for situations where automatic registration does not meet specific needs or when greater control over device enrollment is required. Whether you’re running a pilot program to evaluate Autopilot’s capabilities within your Intune-managed environment, or you seek a deeper understanding of how Windows Autopilot can be leveraged for precise device management, this tutorial is tailored for you.  

      If you collaborate with your OEM providers, they can assist you in importing the hardware hash of the devices into your Intune tenant by providing the required information.  

      Note: For this example, we are going to assume that you have a Windows virtual machine or Windows device available to collect its hardware hash for import into the Microsoft Intune Admin Center. 

      Prerequisites  

      • An active Microsoft Intune subscription 
      • Enabled Windows automatic enrollment in Intune 
      • Microsoft Entra ID P1 or P2 subscription 

      Step-by-Step: Manually Generating Hardware Hash for Windows Autopilot Registration 

      Go to your device > search for Windows PowerShell ISE > Run as administrator


      Run the following command in PowerShell to collect the device’s hardware hash, a unique identifier required for registering with Autopilot: 

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # the PowerShell Gallery requires TLS 1.2
New-Item -Type Directory -Path "C:\HWID"                                           # folder for the output file
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"                         # where Install-Script places the script
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned                   # for this session only
Install-Script -Name Get-WindowsAutopilotInfo                                      # downloads the script from the PowerShell Gallery
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv                             # writes C:\HWID\AutopilotHWID.csv

Note: The hardware hash file will be located at C:\HWID.  


      When running the command, you’ll be prompted with an alert about an execution policy change—it’s a security feature to help prevent malicious code from running on your system. Please accept at your own risk. In this case, I will select Yes to All.  


After running the command, let’s double-check that we do indeed have the necessary .csv file with the appropriate information.  
       

Go to File Explorer and open the C:\HWID path (or wherever you pointed it to).  


      We can see that the AutopilotHWID.csv file itself does have the information we need, such as the Device Serial Number, Windows Product ID, and Hardware Hash. We will import this information into the Microsoft Intune admin center.  


      Importing Your Device’s Hardware Hash into Microsoft Intune Admin Center

      Let’s go ahead and add that .csv file inside of Microsoft Intune admin center to add those Windows Autopilot devices.

      Go to Microsoft Intune admin center > select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program)  


Click ‘Import’; you will be prompted to select the .csv file we have at the ready. 


After clicking the Select a file option, File Explorer opens. Browse to the .csv file you created (in this case under C:\HWID), select AutopilotHWID.csv, and click Open. 


      Intune confirms that our row formatting is set up correctly to allow us to import the devices. Go ahead and click on Import. You can see in the top right of the screen that Microsoft Intune is importing the devices.


      Finalizing Device Registration: What to Do After Importing to Windows Autopilot 

      Let’s confirm that the device is inside of Windows Autopilot devices. Within the same Windows Autopilot devices screen used to import the .csv file, check for the imported devices. If you go to the top of the .csv file, see that the first device’s serial number was 8091-1174-9759-9458-5971-7248-98.  

      Confirmed: 8091-1174-9759-9458-5971-7248-98 is now imported.  

      However, there is no profile assigned to it. Check out this blog to learn how to set up devices with a profile. For this post, I have set that up myself.   


      I had an Autopilot profile assigned to my device and I can now see that the device is ready to rock and roll.  

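Before pressing Import, it is worth checking the CSV locally; the following is an added PowerShell example (mine, not the post's) that validates the header, serial numbers and base64 hashes, and can optionally upload the rows through the Graph endpoint the portal's Import button uses. The -Import switch assumes the Microsoft.Graph.Authentication module and an account permitted to register Autopilot devices; the function name is hypothetical.

```powershell
# Added example, not from the Recast post. Validates an AutopilotHWID.csv produced by
# Get-WindowsAutopilotInfo so that a malformed or duplicate row is caught locally instead
# of failing in the admin center. -Import assumes the Microsoft.Graph.Authentication module.
function Import-AutopilotHwidCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $GroupTag = '',
        [switch] $Import
    )
    # Intune expects these three columns, in this order, as the first header fields.
    # Export-Csv in Windows PowerShell quotes every field, so strip the quotes first.
    $expected = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $header   = (Get-Content -LiteralPath $Path -TotalCount 1) -split ','
    if ($header.Count -lt $expected.Count) { throw "Header has only $($header.Count) column(s)" }
    for ($i = 0; $i -lt $expected.Count; $i++) {
        $name = $header[$i].Trim().Trim('"')
        if ($name -ne $expected[$i]) { throw "Column $($i + 1) is '$name', expected '$($expected[$i])'" }
    }

    $rows     = @(Import-Csv -LiteralPath $Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}
    $valid = foreach ($row in $rows) {
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        if (-not $serial) { $problems.Add('Row with empty serial number'); continue }
        if ($seen.ContainsKey($serial)) { $problems.Add("Duplicate serial $serial"); continue }
        # The hash is base64; a copy/paste that lost characters will not decode.
        try   { $bytes = [Convert]::FromBase64String($hash) }
        catch { $problems.Add("Serial ${serial}: hardware hash is not valid base64"); continue }
        if ($bytes.Length -eq 0) { $problems.Add("Serial ${serial}: hardware hash is empty"); continue }
        $seen[$serial] = $true
        $row
    }

    # Upload only a fully clean file; the portal's Import button posts the same objects.
    $imported = 0
    if ($Import -and $problems.Count -eq 0 -and @($valid).Count -gt 0) {
        Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' | Out-Null
        $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities'
        foreach ($row in $valid) {
            $body = @{
                '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
                serialNumber       = $row.'Device Serial Number'
                productKey         = $row.'Windows Product ID'
                hardwareIdentifier = $row.'Hardware Hash'     # already base64, as Graph expects
                groupTag           = $GroupTag
            }
            # The response is a pending import; the admin center shows progress as in the post.
            Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body | Out-Null
            $imported++
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        Valid    = @($valid).Count
        Problems = $problems.ToArray()
        Imported = $imported
    }
}

# Usage: Import-AutopilotHwidCsv -Path 'C:\HWID\AutopilotHWID.csv'           # validate only
#        Import-AutopilotHwidCsv -Path 'C:\HWID\AutopilotHWID.csv' -Import   # validate, then upload
```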

      Streamlining Your IT Management with Manual Windows Autopilot Registration

      In summary, mastering the manual registration process for Windows Autopilot devices equips you with the flexibility to tailor device enrollment to your organization’s specific needs, ensuring a smooth integration into the Microsoft Intune environment. By following the steps outlined in this guide, you have laid the groundwork for enhanced device management.
