
Sunday, October 29, 2017

Enable Multifactor Logon Policy with Windows Hello

Windows Hello arrived as a technology to replace password-based authentication with biometrics and a PIN. Although Microsoft initially said that this satisfied multi-factor authentication requirements, that claim was doubtful. Their reasoning was that the PIN or biometric is local to the specific device, so the first factor is possession of the device and the second is the PIN, fingerprint or facial recognition. There was no way to require two of the user-bound credentials together, for example PIN and fingerprint, or PIN and facial recognition.

Now, with Windows 10 Fall Creators Update (version 1709), this is possible through the Windows Hello for Business multi-factor device unlock policy.

Wednesday, August 30, 2017

Configure BitLocker on Intune Enrolled Windows 10 Devices

BitLocker can be managed in several ways in the enterprise; GPOs, MBAM and ConfigMgr are the most common. But what if you don't have a Microsoft EA to bring in MBAM, or you have Windows 10 Professional devices, or mobile Windows 10 devices that are not joined to AD DS? For these cases it is possible to manage BitLocker through Microsoft Intune and Azure AD. Keep in mind that this method does not provide the same functionality as MBAM; at the end of this post I describe its limitations.

Following are the steps to configure BitLocker through Intune and Azure AD. I tested this on an Azure AD joined Windows 10 (1703) machine that was enrolled directly in Intune as its MDM.


Thursday, August 17, 2017

Block Apps on Intune Enrolled Samsung Devices through OMA-URI Settings

Recently one of our customers had a requirement to use Samsung Galaxy Tabs as kiosk devices. These are shared devices enrolled in Intune with a Device Enrollment Manager (DEM) account and used only to run a specific LOB application.

The issue we faced was that this specific tablet model, the Samsung Galaxy Tab E 9.6 (SM-T561), does not have full KNOX capability baked into the OS; there is simply no KNOX version information under Settings > About device. Because of this, none of the policies that require KNOX worked, since Intune needs a Samsung KNOX capable device for them.

Since the kiosk policy did not work on this device, the only way to achieve the requirement was to block apps from running through OMA-URI settings.

Wednesday, July 12, 2017

Deploy ADMX-Backed Policies to Intune Managed Windows 10 Device

In the past, Intune could only deploy a fixed set of device configuration policies, so companies with Intune managed Windows devices missed the good old Group Policy functionality. Fortunately, starting with Windows 10 version 1703 (Creators Update) and its new MDM capabilities, it is possible to deploy certain ADMX-based group policies (ADMX-backed policies) to Intune managed devices with the aid of the Policy CSP.

Sunday, June 11, 2017

Protect Corporate Apps & Data on devices with Intune Mobile Application Management (MAM) – Using Intune in Azure Portal

Mobile Application Management, or simply MAM, is a great feature that comes with the Enterprise Mobility + Security suite. It helps protect corporate apps and data by enforcing configurable policies. MAM policies can be deployed to employee-owned unmanaged devices, to devices enrolled in Intune, and to devices managed by a third-party mobile device management (MDM) solution.

This article describes how to configure MAM policies for Android devices that are enrolled in Intune; the device I use for this guide is enrolled in Intune.


Tuesday, April 25, 2017

Upgrade to Internet Explorer 11 using System Center Configuration Manager - An Alternative Way

Recently one of our customers wanted to upgrade Internet Explorer to version 11 on their Windows 7 machines, since Microsoft stopped supporting versions below Internet Explorer 11 a long time ago.

For the upgrade, the most used methods are:

1. Task sequence.
2. IEAK (Internet Explorer Administration Kit).

Of the two, a task sequence is the preferred method because it can deploy the prerequisites first, then Internet Explorer 11, and it can control restarts.

IEAK does not have a high success rate.

But for me neither of the above methods worked as it should; the task sequence gave errors.

So I used this method:

Tuesday, March 28, 2017

Error 0x00004005 While Running SCCM Capture Media in Windows 10

When you create a reference image for a specific laptop or desktop model using SCCM capture media, you might get error 0x00004005 in the middle of the process (in the sysprep stage).

The most common reason is the Store apps that come with Windows 10: sysprep generalize fails when an app is installed for a user but not provisioned for all users (sysprep removes provisioned apps cleanly, but a per-user app left behind would not work in the captured image).

You will find more details in the log files in 2 locations:
  1. SCCM task sequence log (SMSTS.log): on the Run prompt type %temp% to go directly to the log location.
  2. Sysprep error log (setuperr.log): C:\Windows\System32\Sysprep\Panther\.
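The following script is an added example and not part of the original post: it pulls the relevant lines from the two logs named above and then lists the Store apps that are installed for a user but not provisioned for all users, which is the condition sysprep complains about. It assumes it is run elevated on the reference machine after the failed capture, that SMSTS.log is still in the current user's %temp% as described above, and that the setuperr.log message text matches the wording Windows uses ("was installed for a user, but not provisioned for all users"). The -Remove switch is my own addition for cleaning up the offenders before retrying the capture.

```powershell
# Added example (not from the original post): triage a 0x00004005 sysprep failure
# during SCCM capture media. Run elevated on the reference machine.
param(
    [switch] $Remove   # hypothetical switch: actually remove the offending per-user apps
)

$errorCode = '0x00004005'
$logs = @(
    (Join-Path $env:TEMP 'SMSTS.log'),                        # assumption: same user that ran the capture
    'C:\Windows\System32\Sysprep\Panther\setuperr.log'
)

foreach ($log in $logs) {
    if (-not (Test-Path $log)) { Write-Warning "Log not found: $log"; continue }
    Write-Host "==== $log ===="
    # SMSTS.log records which step returned the code; setuperr.log names the package.
    Select-String -Path $log -Pattern $errorCode, 'SYSPRP', 'not provisioned for all users' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
}

# Provisioned packages are the ones sysprep can handle; anything installed only for a
# user (typically updated or added from the Store) is what breaks generalize.
$provisioned = Get-AppxProvisionedPackage -Online | Select-Object -ExpandProperty PackageName
$perUserOnly = Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework -and ($provisioned -notcontains $_.PackageFullName) }

Write-Host "`nStore apps installed for a user but not provisioned for all users:"
$perUserOnly | Select-Object Name, PackageFullName | Format-Table -AutoSize

if ($Remove) {
    foreach ($pkg in $perUserOnly) {
        Write-Host "Removing $($pkg.PackageFullName) for all users"
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers -ErrorAction Continue
    }
}
```

Run it without -Remove first and read the setuperr.log lines: the package sysprep names there should appear in the table, which confirms the Store app explanation before anything is removed from the reference machine.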

Friday, January 27, 2017

Enable BitLocker Using SCCM OSD Task Sequence and MBAM

A few days ago I wanted to enable BitLocker as part of OS deployment. With SCCM and MBAM this can be done in two ways.
  1. Used space encryption, i.e. pre-provisioning BitLocker.
  2. Full disk encryption (FDE), the normal way.
Pre-provisioning BitLocker is crazily fast, because it encrypts the disk in Windows PE even before the OS is applied, and it encrypts only the used space; as data is written to the disk, the newly added data is encrypted automatically. Used space encryption is good if the disk has never stored confidential data or was previously fully encrypted with BitLocker, because sectors that once held plaintext are left untouched and remain recoverable. I prefer this method.

FDE, as the name suggests, encrypts the entire disk. It is a time-consuming process even when configured as part of OS deployment: it might take 2-3 hours or more depending on the size of the disk and the amount of data on it. But most people prefer this method.

I will share my experience and the task sequences that worked for me to do this both ways.
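As an added example that is not the author's task sequence, the script below shows the in-OS command-line equivalent of the two choices above (the pre-provisioning step itself runs in Windows PE inside the task sequence and is not reproduced here) together with the post-deployment check I would run on the finished machine. It assumes a ready TPM, that the OS volume is C:, and that the recovery password is escrowed to AD DS or MBAM by the task sequence or Group Policy rather than by this script; the -Mode parameter and the pass/fail rule at the end are my own additions.

```powershell
# Added example (not the author's task sequence): enable BitLocker on the OS volume
# with either used-space-only or full encryption, then verify the result.
param(
    [ValidateSet('UsedSpaceOnly', 'Full')] [string] $Mode = 'UsedSpaceOnly'   # hypothetical parameter
)

$osVolume = 'C:'   # assumption: OS volume is C:

$vol = Get-BitLockerVolume -MountPoint $osVolume
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$osVolume is already protected; nothing to do."
} else {
    # TPM-only protector for the OS volume; XTS-AES 256 is the modern method for
    # fixed drives on Windows 10 1511+. -SkipHardwareTest avoids the reboot test
    # that an unattended deployment cannot answer.
    $enableArgs = @{
        MountPoint       = $osVolume
        EncryptionMethod = 'XtsAes256'
        TpmProtector     = $true
        SkipHardwareTest = $true
    }
    if ($Mode -eq 'UsedSpaceOnly') { $enableArgs['UsedSpaceOnly'] = $true }   # the fast path from the post
    Enable-BitLocker @enableArgs | Out-Null

    # A recovery password is what MBAM / AD DS escrow; without one a TPM change locks you out.
    Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null
}

# Verification: what I would check after the task sequence finishes.
$vol = Get-BitLockerVolume -MountPoint $osVolume
$protectors = $vol.KeyProtector.KeyProtectorType
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus,
    @{ Name = 'Protectors'; Expression = { $protectors -join ', ' } } | Format-List

# Pass/fail rule (my own): protection on, TPM + recovery password present, and for the
# Full mode the conversion must actually be complete, not merely in progress.
$ok = ($vol.ProtectionStatus -eq 'On') -and
      ($protectors -contains 'Tpm') -and
      ($protectors -contains 'RecoveryPassword') -and
      ($Mode -eq 'UsedSpaceOnly' -or $vol.VolumeStatus -eq 'FullyEncrypted')
if (-not $ok) { Write-Warning "BitLocker state on $osVolume does not meet the expected baseline." }
```

With Full mode the verification is worth scheduling as a later compliance check rather than running it straight after Enable-BitLocker, because VolumeStatus stays at EncryptionInProgress for the hours the post mentions; with used-space-only the volume reports FullyEncrypted almost immediately, which is exactly why old plaintext sectors on a reused disk are not covered by it.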

Friday, January 6, 2017

Sri Lanka IT Pro Forum - December 2016

Last year (actually last week 😉) I got a chance to do a session with my colleague Muditha Jayath Chathuranga on the topic "Protecting Corporate Data with Microsoft Intune Conditional Access" at the Sri Lanka IT Pro Forum December meetup. This was a good experience for me as it was my first time.

Sunday, January 1, 2017

Upgrading System Center Data Protection Manager (SCDPM) 2012 R2 to System Center Data Protection Manager 2016

A couple of days ago I upgraded System Center DPM 2012 R2 to System Center DPM 2016 for one of our customers. This was carried out along with a cluster upgrade from Server 2012 R2 to Server 2016, but here I will only write about how I upgraded DPM. ;)

Our customer had System Center Data Protection Manager 2012 R2 UR4 and SQL Server 2012 SP1 installed on an HP StorSimple 1650 NAS box running Windows Storage Server 2012 R2. DPM was configured to back up a 3 node Server 2012 R2 cluster to disk and to online (Azure) backup.

From the day we upgraded the cluster to 2016, they could not take backups. Why? Because DPM 2012 R2 does not support backing up Server 2016 (see the DPM 2012 R2 support matrix). So we decided to bring in System Center Data Protection Manager 2016.

This is how I did it.