Preventing data leaks on non-managed Windows 10 devices


Hello,

 

We're in the process of transitioning to Intune and Autopilot. We're unable to sign-in to the OneDrive sync app on our modern desktops that are AAD joined due to an Office 365 tenancy setting for OneDrive and SharePoint 'Allow syncing only on PCs joined to specific domains' being enabled.

 

We understand an Azure conditional access policy is recommended to replace this, however we've had a number of issues with this. Errors are often seen when accessing Teams and accessing resources from within Teams (through tabs).

 

Summary of issues seen:

1) Newly built Autopilot workstations do not become immediately compliant in Intune. In testing the workstation appears to need a restart before encryption becomes compliant but even with a restart and allowing for a workstation to become 'up to date with your organisation’s policies' it has taken from 2 hours from the start of the AP build and the computer being compliant, and much longer if the computer is not restarted. Teams and OneDrive are not accessible until the device is compliant. Not a good user experience.
2) Website tabs to SharePoint sites or Forms will not load in Teams usually with error 'You can't get there from here'. We’ve had to exclude entire offices from the CA policy because they’re big users of Forms in Teams.
3) We've found some of our W10 domain joined computers are not registered as Hybrid joined because of an error or they’re out of the office long term without a VPN connection. As such they do not satisfy the conditional access policy and cannot access OneDrive and Teams until fixed. We’ve followed a process to leave and join these PCs when we find them but this can take a few hours.
4) Teams can show an error message implying that a Chrome extension is needed when it’s already installed. It appears there is no check for default browser or if the extension is installed.

 

I recently discovered the following article, and I wondered if the experts could advise if an Intune app protection policy would work better for preventing data leaks, or if they have other suggestions? It seemed like this was more aimed at mobile devices? Prevent data leaks on non-managed devices using Microsoft Intune (https://docs.microsoft.com/en-us/mem/intune/protect/data-leak-prevention)

 

Thanks

Heybobby

 

2 Replies

Conditional access is certainly preferred.  There can be a lag before the device is considered compliant, so customers will often use a grace period to allow access until that happens.  (I think the UI lets you specify a grace period in days, but it is possible to configure one in hours via Graph.)

 

On the Hybrid Azure AD Join point, if you aren't using ADFS the device will need to connect to the corporate network to locate the SCP that signals the Hybrid AADJ process is needed.  After that, the device updates a property on the computer object in AD and then the device object is synced to AAD via AAD Connect (which runs every 30 minutes to do a sync).  So this process can take a while.  (If you are using ADFS, this can be nearly instantaneous.)

 

I'm not sure on the Teams/SharePoint items, probably best to open a case via the Intune "Help and support" node to discuss those further.


Thanks very much for your reply @Michael Niehaus. That's useful to know about the grace period option for Intune compliance. I'm having a bit of trouble finding how to configure this in hours using MS Graph but I'll keep looking.

 

Re the Conditional Access issues affecting the usability of Teams, we raised with MS Support about the issues with Forms in tabs and SharePoint URLs in Teams and they pointed us to 2 known issues:

 

[Image: heybobby_0-1588588239806.jpeg]

[Image: heybobby_1-1588588251092.jpeg]

 

These could still be found at the Teams known issues site in Jan 2020 and Feb 2020 https://docs.microsoft.com/en-us/MicrosoftTeams/known-issues

 

This is a blocker in us getting going with Intune and Autopilot right now as even in our limited roll out to one region it's caused a lot of helpdesk tickets.

 

Thanks,

Heybobby
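
The hours-based grace period mentioned in the first reply, as an added example that is not code from either poster or from Microsoft: it builds the Graph v1.0 `scheduleActionsForRules` call that sets `gracePeriodHours` on a compliance policy's "mark device noncompliant" (`block`) action. Assumptions: the rule name `PasswordRequired`, a token carrying `DeviceManagementConfiguration.ReadWrite.All`, and the hypothetical `max_hours` guard rail, which keeps the window in which a not-yet-compliant (for example, unencrypted) device still passes Conditional Access short.

```python
import json
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

def grace_period_body(hours, max_hours=24, rule_name="PasswordRequired"):
    """Request body for scheduleActionsForRules.

    max_hours is a local guard rail (assumption, not a Graph limit);
    rule_name is assumed to be the default rule name.
    """
    # bool is a subclass of int, so reject it explicitly
    if isinstance(hours, bool) or not isinstance(hours, int):
        raise ValueError("hours must be a whole number")
    if not 0 <= hours <= max_hours:
        raise ValueError(f"hours must be between 0 and {max_hours}")
    return {
        "deviceComplianceScheduledActionForRules": [{
            "ruleName": rule_name,
            "scheduledActionConfigurations": [{
                "actionType": "block",        # shown as "Mark device noncompliant"
                "gracePeriodHours": hours,    # the UI exposes this in days
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }]
    }

def grace_period_request(policy_id, hours, token):
    """Build (but do not send) the POST for one compliance policy."""
    # Parse as a GUID so nothing else can be spliced into the URL path
    policy_id = str(uuid.UUID(policy_id))
    url = (f"{GRAPH}/deviceManagement/deviceCompliancePolicies/"
           f"{policy_id}/scheduleActionsForRules")
    return urllib.request.Request(
        url,
        data=json.dumps(grace_period_body(hours)).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

def set_grace_period(policy_id, hours, token):
    """Send the request and return the HTTP status code."""
    req = grace_period_request(policy_id, hours, token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

The POST replaces the policy's scheduled actions, so any notification actions already configured on it need to be included in the same body.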