Search

Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V

Open Search
Category

Windows

Conditional Access Behavior on Outlook 2016

If you enable conditional Access in Intune then Your devices will have to be enrolled with Intune in order to read mail. If they are not enrolled or otherwise compliant they will be blocked.

-You can relax these demands as you see fit, but that would kinda defeat its purpose.

This is how Outlook behaves

1 - autodiscover
Add Your account as usual
2 - modern auth prompt
Modern Auth Prompt
4 - conditional access required
Conditional Access checkpoint

This user will not be allowed to Complete the mail setup.
Note that you have to enable ADAL on Exchange Online and use Outlook 2013-2016 With ADAL in order for this to work. Click here to se how to set up Exchange Online with ADAL

How to enroll Your Windows 10 Machine in Intune to get back mail?

Click here for the MDM enrollment instructions without Azure AD join.

or here

for MDM enrollment instructions with Azure AD Join

0

Azure MFA on Windows 10 Native Mail Client

If you enable Azure MFA in Office 365 and try to sync mail using the native Windows 10 Mail client, this is what the user will see:

(Sorry for the Language. Just the buttons and boxes are all the same)

1 - add mail account
User needs to Select Office 365 for Azure MFA
2 - add user
User needs just now to enter his UPN, it can not be username
3 - autodiscover looks for your account
If it fails here then Autodiscover is broken.
4 - enter password
Observe that the mail app has pulled Down my Company details including logo and custom text
5 - Azure AD MFA calls
Right now yor phone would ring or you would get a sms/app challenge
6 - account added
Thats it
7 - policies
Your Company Security settings will now be Applied. Usually you get this Box regardless just to tell you that it might tighten security
8 - mail recieved
You recieve mail. If you do not see mail, mabye the mail is older than a month. Then you need to change the sync settings to enable all mail to sync down

 

 

0

Add my Machine to Azure AD out of the box

If you are setting up a new machine and you have Office 365, Azure AD, Intune or CRM why not Azure AD join it and get all the benefits!?10 - Azure AD Enrollment

9 - Azure AD Enrollment

8 - Azure AD Enrollment
or who manages your PC?

7 - Azure AD Enrollment

6 - Azure AD Enrollment
Supports ADFS ofcourse

5 - Azure AD Enrollment

4 - Azure AD Enrollment

3 - Azure AD Enrollment2 - Azure AD Enrollment1 - Azure AD Enrollment

11 - Azure AD Enrollment
notice here who Printer, Network Drives and WiFi settings have been pushed!

Here is the whole thing in a Sway:

 

 

 

4

How to sign a MSI file for deployment with Microsoft Intune

If you want to use Microsoft Intune to deploy a MSI file it needs to be signed by a Code Signing Certificate. Most MSI’s from software vendors are signed already, but if you created a custom MSI (e.g. Office 365) by wrapping an EXE then you need to sign that MSI.

Using a MSI will enable Intune to push that software using the MDM channel. All MDM joined PC’s will be able to recieve this software.

Scenario this covers: I want to use Microsoft Intune to deploy apps and exe files to PC’s e.g. Office 2016/Custom Software

Step 1 – Buy or get a code certificate. If you do not have it, buy it here: https://www.digicert.com/code-signing/

Step 2 – Download and Install Windows 7 SDK to get the signtool.exe get the SDK from here: https://www.microsoft.com/en-us/download/confirmation.aspx?id=8279
->Accept all defaults and do not change anything. It will prompt errors
->Check that you have the signtool.exe in this folder: C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

Step 3 – Get your certificate exported in a PXF file. and put it in the same folder as your MSI file.

Step 4 – Run CMD as administrator and input this command:

“C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe” sign /v /f “c:\exemsi\HaukebergCert.pfx” /p “PASSWORD” /t http://timestamp.digicert.com /v “C:\exemsi\OfficeProPlus.msi

sign ok
The password has been removed

 

Now you are ready to deploy this MSI file through the MDM channel

Follow this guide to deploy the MSI file in Microsoft Intune MDM channel

 

IT DEV Connections
We are covering MDM channel here

Adapted from these posts:
http://www.identityfinder.com/kb/Enterprise-Documentation/823571
https://www.digicert.com/code-signing/signcode-signtool-command-line.htm

0

Forgot login credentials and need to reset Windows 10 – Use Advanced Startup

If you are stuck on this screen and forgot your login there is a simple way to reset your device.

IMG_20160229_094507
Logon screen and you can not log in.

 

 

IMG_20160229_094527
Hold the “SHIFT” key and keep holding it while tapping/clicking on the power button and select restart

 

 

IMG_20160229_095023
Advanced startup. Press troubleshoot and then press “Reset this PC” 

Thanks to: http://www.tenforums.com/tutorials/2294-advanced-startup-options-boot-windows-10-a.html

 

 

0

Configuring Conditional Access to Exchange Online (365) with Intune

You can configure Microsoft Intune to block devices that do not comply with a “standard” access to Office 365 Exchange Online email.

Here is how:

  1. http://manage.microsoft.com in a silverlight browser.
  2. Create a Compliance Policy
  3. Policy->Compliance Policy->Create New
compliance policy
I will demand a password of minimum 6 digits and 1 minutes before screenlock.
Setting the Conditional Access and blocking Exchange Active Sync
  1. Policy->Conditional Acces->Exchange Online Policy
  2. Click following:
    • Activate Policy for Conditional Access
    • Select Specific Platforms
    • Check iOS (my rules will now only apply here, rest can read email.
    • Check: Require Compliance for Mobile Device
    • Select “Block access to e-mail for devices not supported by Intune”
    • Select “All users”
    • Select “No exception users”

The iOS users will now have to enroll in order to read email and when they do they need to set a 6 digit password.

Caution with using Active Sync only:

  1. If the user has allready configured email, he might not be blocked.
  2. If the user has been associated with that device earlier, he might not be blocked.

Enrollment procedure:

  1. Enter Your email in the native mail client by going to settings
  2. You recive an email with instructions on how to get access to your mail.
Follow that instruction.

 

0

Azure Active Directory and Roaming Profiles

In Windows 10 you can join a machine to Azure AD instead of a local domain.

But

When you join Azure AD your account is given administrator privileges automatically. If you switch users by Ctrl+Alt+Del and Switch user, that user is set as a Standard user.

IMG_20160115_093848

If you do not know who will use the computer, only the first user will be administrator, the rest will be standard users and can not install programs.

IMG_20160115_092644

This action is default and can not be changed. Simply giving machines out to students will result in the first users becoming administrators. If you boot all machines before deployment and log in with your user, that user will be blocked after about 20 devices.

IMG_20160115_091519

 

How to fix this? Take a look at this post: https://haukeberg.wordpress.com/2016/01/18/shared-devices-roaming-profiles-with-microsoft-intune/

 

 

0

Surface Pro 4 Backward Compatibility and Out of The Box

Thinking about the new Surface Pro 4? Cool. It’s a very well built device with a even better pen!

However these are some things you might want to think about before you buy.

  1. The Surface Pro 4 will fit in the old Surface Pro 3 dock, but not 100% More like 90%. It will charge but it sits wrong, a bit tilted to one side due to its thinner design.
    • EDIT: There is a free adapter which you can order from Microsoft to fix this. Get it here
  2. The Surface Pro 3 Keyboard fits the new SP4 but not 100% more like 90% as the new SP4 has a smaller bezel the keyboard overlaps the screen area. The magnet also will not clip on as tight.
    WP_20151208_23_01_18_Pro
    Magnet not 100% on

    WP_20151208_23_01_51_Pro
    Keyboard overlapping
  3. pdates, then updates, and some more updates. When you Buy a SP4 you have to update the device for at least 1-2 hours before its “done”
  4. Windows Hello, is not supported out of the Box and you need to run that 1-2 hours of update and then update again to receive the necessary firmware update for Windows Hello to work.
  5. Screen bleeding, the screen is not perfect black. There are some edge bleeding.

    WP_20151208_23_03_15_Pro
    Some minor bleeding of the light on the bottom
But you know what. Despite all this, the device is awsome and I love Windows Hello!
I just sit down in front of the camera and “whosh” it logs me in, every time!
I would recommend this device to all my family members and my business associates!
3

Why you should have the taskbar on top

If you are getting or own a Surface Pro 3 or Surface 3 its much better to have the taskbar on top.

Here are the two reasons I do it:

  1. Better Ergonomics – You lift your gaze instead of looking down you look up.
  2. (Most important) Easier to touch the taskbar when the keyboard is clipped on

WP_20150911_20_35_20_Pro

0

Blog at WordPress.com.

Up ↑