Endpoint Management
41 Topics

GIA - Get Intune Assignments Application
Hello Everyone, Some time ago I was struggling to get all Intune Assignments for a specific Azure AD Group. This option does not exist in the console, and we need to run a lot of queries at MS Graph and/or use PowerShell to retrieve them. So, to help the community I started to create PowerShell scripts to help query some of the Assignments but, still, I had a lot of scripts, each one to retrieve a specific type of item (like profiles, conditional access, apps, etc.). After a while I decided to develop a C# .NET Application to facilitate the process. Today I want to share with all of you my GIA App (Get Intune Assignments). It's available on my GitHub page: https://github.com/sibranda/GetIntuneAssignments I hope this app can help you guys the same way it is helping me and my customers. Regards

Windows office hours: June 17, 2021
Post your questions for our next office hours session, which will take place here in the Windows servicing community on Thursday, June 17th from 9:00-10:00 a.m. Pacific Time. Join us to get answers to any questions you may have around managing updates for the remote and onsite devices in your organization, help with specific issues, and tips on how to increase update velocity. We'll have members of the Windows and Microsoft Endpoint Manager product and engineering teams on hand, as well as the FastTrack team. Save the date and see the Windows IT Pro Blog for full details. Let's get started!

Securing Windows devices away from the corporate network
During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption.

Learn more

Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below.
OSHA COVID19 guidance
Configure and Deploy Security Baselines
Setup/Configure Azure AD Connect
Set up a Cloud Management Gateway
Enable OneDrive for Business
Switch to Split-Tunnel VPN Policies
Enable ConfigMgr Co-Management
Shift update and servicing workloads to the cloud (Windows Update for Business, Office 365 CDN)
Begin OneDrive for Business Known Folder Migration
Configure and Enable Azure AD Conditional Access
Set up Azure App Proxy
Replace Perimeter trust with Zero Trust
Enhance MFA by issuing FIDO2 Keys
Consider Further Advanced Cloud Security Solutions
Leverage the power of Analytics: User Experience & Productivity Score
Shift line of business (LOB) application workloads
Configure and Deploy Security Baselines
Begin piloting and shifting Policy, Compliance, and EP to the cloud
Enable asset protection through Office ATP and MCAS
Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager
Azure Multi-Factor Authentication
Conditional Access
Data Leak Prevention
Intune Migration Guide
Zero Trust strategy—what good looks like
How to implement Multi-Factor Authentication (MFA)
Microsoft Cloud Security solutions provide comprehensive cross-cloud protection
Blog: Brad Anderson
Blog: Jared Spataro

While not mentioned specifically in this session, here are some additional resources you might find helpful:
Microsoft COVID-19 response site
Enabling Remote Work
Microsoft Endpoint Manager remote work blog
Work remotely, stay secure
2 weeks in: what we’ve learned about remote work

Frequently asked questions

Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren’t clearly published)?
A: We are seeing customers move all Internet traffic away from VPN and that’s what we do internally as well. There are a couple of resources on this for WSUS (see 2.1.1) and Windows Update.

Q: Are there instructions to shift Office updates from Configuration Manager to the cloud?
A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager.

Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team?
A: Here are some resources that are available on the topic:
https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.microsoft.com/en-us/security/business/identity/passwordless

Q: Do you have any formal statements endorsing Split-Tunnel VPN?
A: Statement below from: https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile
"Split tunneling: Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default."

Q: How can we evaluate the potential cost of the cloud management gateway (CMG)?
A: Refer to the Configuration Manager documentation here: https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#cost

Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance?
A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP. Specifically, the Endpoint Detection and Response (EDR) component.

Feedback

We hope you find this first session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

Office hours are closed: December 17, 2020
Office hours are now closed. We hope we were able to answer your questions and provide tips and resources to help you more easily manage Windows 10 updates and your Windows device estate. The experts and engineers who supported today's session were:
Windows as a service strategies, tactics, best practices: Dave Backman and James Bell
Windows 10 deployment: Steve Thomas
Cloud-based update management, Windows Update for Business: Aria Carley
Microsoft Endpoint Manager: Joe Lurie
Microsoft Endpoint Manager (public sector, CMG, etc.): Danny Guillory
Configuration Manager: Rob York, Bruno Yoshioka
Product feedback: Kevin Mineweaser
FastTrack: Sean McLaren

Save the date for future events

We'll be back in 2021 every third Thursday. Save the date for our next office hours event -- Thursday, January 21st, 9:00-10:00 a.m. Pacific Time -- and see the Windows IT Pro Blog for an up-to-date list of future events. See you next time!

Microsoft 365 networking - Proxy Endpoints
[New Blog Post] In my latest article, I have summarized the endpoints for #Microsoft365. These endpoints are relevant for proxy settings and for routing with direct break out. #M365 #EXO #SPO #Azure #MSIntune #MVPbuzz https://www.msb365.blog/?p=5549458Views1like0Comments

Defender for macOS onboarding issue
I am trying to onboard macOS devices in my organization with Microsoft Defender via Intune, and am facing multiple issues with it: the configuration profiles are applied successfully only on a few devices, only the first (manually installed) macOS device is properly onboarded in Defender, and all of the other ones are complaining about a missing license. Could someone answer a few questions and maybe give some tips on how I can troubleshoot and resolve this:

We have a Microsoft 365 Business Premium license, and according to the Defender documentation this is a sufficient license to use it on any endpoint device. However, the error message on macOS devices states that there is a missing Microsoft Enterprise license. Is there a special license needed or is this just a payload configuration profile issue?

The kernel extension and onboarding profiles are generated in the Microsoft Defender Admin Center; however, I did notice that the OrgID in the onboarding profile file does not match my TenantID. Does that mean that those files are premade and I should adjust them to my organization details, or is it simply a different ID assigned?

The onboarding profile gets successfully applied on all devices; however, the kernel extension profile fails on almost every device, and the successful applications do not follow any pattern or macOS version. I can't really find any suggestions on the possible root cause of this issue. Did anyone have similar problems with the kext profile?

The Microsoft Defender Admin Center does provide an installation package PKG file. However, according to the Defender documentation I should use the Microsoft Defender for Endpoint (macOS) application that is ready to be applied directly from the Intune Management Portal. Which is it? Or maybe both?

Thank you in advance for any tips and / or answers 🙂

Mobile Application Management for Windows (NEW)
This newly released product is now available in Public Preview, and I'm excited to share my initial impressions. MAM enables users to stay productive on any device while ensuring the security of our data. Mobile Application Management for Windows enables us to:
Apply policies to corporate applications on personal devices. No enrollment required, just an Azure AD (or MEID) registration.
Place restrictions such as cut/copy/print and blocking incoming or outgoing data.
Integrate with the Mobile Threat Defense connector to detect local health threats.
Block access or wipe corporate data based on specific conditions.
In this blog post, I provide a first look at the configuration and user experience of MAM for Windows. https://myronhelgering.com/first-look-at-mam-for-windows/

Reimagining IT to support the hybrid workforce: five months later
As I sit here in my home office, eight months into this new normal…wait, check that, that’s how I started the first in this series of blogs on Reimagining IT to support the hybrid workforce…five months ago. I have to admit that, as remote work scenarios have evolved over time, it would be a disservice if I didn’t discuss how things have evolved when it comes to supporting a hybrid workforce, or even my own remote work situation.

Like many of you, I thought my remote work situation was temporary. I set up a makeshift office in my bonus room, which is now a permanent fixture. I thought I had a good work-life balance that included plans to get off the laptop periodically, but it just wasn’t enough. After five months of working from home, it was also evident that I was getting a little too sedentary, which caused some back issues. Fast forward to today. I now have a standing desk, something which I recently discovered, thanks to a team all-hands meeting, is a hot topic of discussion and has become the norm for many. I’m forcing myself to get outside on a more regular basis. I’ve also turned my dining room into a recording studio for the various presentations and sessions I deliver on a regular basis.

In my first blog, I outlined Microsoft's internal business continuity framework, with its first two phases focused on “react” and “recover.” Based on customer engagements and conversations over the last three months, I can see that many organizations are starting to enter the final phase of the framework, or what we call “re-imagining IT.” I’ve received a lot of requests from customers to help address specific pain points, around patching and updating Windows, for example. From a timing perspective, I believe our first virtual Microsoft Ignite was a factor in organizations starting the process of moving into that final phase given all the announcements and discussions around embracing the hybrid workforce of the future.

While Microsoft Ignite was a fantastic forum for new announcements, and there were many, each session was very solution-centric. I didn’t see anything pulling together a holistic and strategic discussion on supporting the hybrid workforce. With that in mind, my focus here will be on pulling together that holistic vision alongside recent announcements and new resources. Below you will find a high-level architectural view of how I see IT re-imagined and progress on the move towards cloud and modern management to support the hybrid workforce, which is what we’re doing today here at Microsoft.

As a recap, whether it is an on-premises or remote worker endpoint, the goal is to keep devices in your organization safe, secure, and productive with minimal user impact. To achieve that goal, IT organizations need:
Efficiency and regular rhythm when applying drivers and firmware
Rhythm when deploying quality updates and OS feature updates
Management and protection protocols when protecting data at rest and in transit
Efficiency when accessing Office, productivity tools, and updates
Hands-off provisioning of hardware for remote workers and even internals
Securing browser access by using the new https://blogs.windows.com/windowsexperience/2020/09/22/whats-new-in-web-experiences-ignite-2020-need-to-secure-your-remote-workers-choose-microsoft-edge-as-your-browser-for-business/?ocid=FY21_soc_omc_br_tw_Edge_security
Prioritization of security and compliance
Management of line-of-business (LOB) and other applications, including secure connectivity for mobile iOS and Android devices

The foundation and success of this cloud and modern approach hinges on a zero-trust network and split tunnel capability to direct mission critical business traffic via VPN, all while pushing all other non-essential traffic directly to the internet, including Office and Windows updates coming from the Microsoft infrastructure, network, and CDNs.

A recent blog on the Microsoft 365 Connectivity principles does a great job in outlining this recommended approach of managing the split tunnel concepts while the https://www.microsoft.com/en-us/itshowcase/transitioning-to-modern-access-architecture-with-zero-trust and https://www.microsoft.com/en-us/security/business/zero-trust can assist companies in adopting the concept. Certainly securing devices is at the core, but it’s also inclusive of securing and protecting the users https://www.microsoft.com/security/blog/2020/09/22/microsoft-identity-ignite-rising-challenges-secure-remote-access-employee-productivity/. Hot off the presses from Ignite, we also announced the Microsoft Tunnel Gateway, which closes the gap around secure LOB connectivity from your iOS and Android devices. While addressing the security topic, check out the latest release of the https://www.microsoft.com/en-us/download/details.aspx?id=101738, which outlines the latest threat intelligence and guidance, with a special section dedicated to securing the remote worker and endpoints.

With security architecture in place, it covers the need to protect your company’s IP and data while in transit and at rest, assuming https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection?elevate-lv&_lrsc=f626206a-fe85-4077-8108-e39909195a41 and a hearty https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-worldwide&WT.mc_id=linkedin are in place on the endpoint. As the Defense Report calls out, it’s important to realize that as company data is being stored off premises, a heightened awareness on endpoints is critical. I also recommend leveraging the security baselines that get published with every Windows 10 update and other solution releases to ensure that as they’re deployed, your policies either remain active or are incremental with the new features and capabilities.

Further, leverage the https://www.microsoft.com/security/blog/2020/09/22/enable-secure-remote-work-address-regulations-microsoft-compliance/#.X2o2A2n3TjE.linkedin to ensure security and compliance requirements are met within SLAs across the application portfolio. By leveraging https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor, it also gives you insights into our safeguard holds to assist you in minimizing user impacts to devices that may experience https://docs.microsoft.com/windows/deployment/update/safeguard-holds, which may elicit an update failure. The other benefit of deploying https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile?elevate-lv&_lrsc=b75faebe-8f05-4ba2-a1bf-8000bc6a748e is that it provides you the flexibility of leveraging a number of different update solutions, whether it be Windows Update, https://docs.microsoft.com/mem/intune/, https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb or a combination of solutions that meet your needs and requirements. https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel?view=o365-worldwide also offers the same benefits as Windows and still allows for some configuration flexibility to meet your requirements. In addition, by leveraging Windows Update to manage Edge browser updates, you can also bypass the corporate VPN and push those updates directly to the internet as well.

Making the move to the cloud

Now that we’ve discussed the https://docs.microsoft.com/security/ciso-workshop/ciso-workshop, and one that can minimize bandwidth impacts on a corporate VPN solution, let’s look deeper at a model of modern and cloud management capabilities that allows everything to be managed on a remote endpoint. A good reference model would be our own internal IT approach to endpoint management, as shown here:

Internally, it starts with the https://docs.microsoft.com/mem/endpoint-manager-overview solution. Microsoft Endpoint Manager brings that concept of a single pane of management glass to life. Not only does it fully integrate with your on-prem deployment of Configuration Manager so you can continue to leverage it to manage on-prem devices if you so choose, it also fully integrates with Intune for remote worker endpoint scenarios. Further, while it provides management capabilities, it also becomes that all important dashboard to help drive compliance, as well as provide you endpoint data that allows you to make data-driven decisions around improving device productivity via endpoint analytics, device health and upgrade readiness via https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview, and more.

With Microsoft Endpoint Manager, you can then start managing remote worker scenarios and endpoints via https://docs.microsoft.com/mem/intune/ as long as the devices are Azure AD joined. In our scenario, we https://www.microsoft.com/en-us/itshowcase/managing-windows-10-devices-with-microsoft-intune but leverage https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb to manage the https://www.microsoft.com/en-us/itshowcase/keeping-windows-10-devices-up-to-date-with-microsoft-intune-and-windows-update-for-business?elevate-lv&_lrsc=e34703f9-9a44-4854-952d-257ccb9ba332, with all still managed via Microsoft Endpoint Manager. This configuration keeps all the update traffic internet-centric, and pulls the content directly from the Microsoft Content Delivery Network (CDNs), thus eliminating impact on any corporate VPN solution. As a side note, the feature updates do not include the Windows 10 optional content such as features on demand (FODs), language packs (LPs) or the local experience packs (LXPs). In order to address that capability, a great post on Acquiring optional content was recently published that includes a highly comprehensive guide and how-to.

The overall goal of this process is to ensure compliance and keep users and their devices as secure and productive as possible. This requires setting up Windows Update for Business and optimizing updates in order to achieve the stated goals during any deployment to the remote worker. In the near future, we should be seeing more improvements in the ability to better support deployments with greater granularity.

This defined approach is great for supporting existing endpoints that are part of the estate. What it doesn’t do is address one of the biggest challenges of managing and supporting the hybrid workforce: the hands-off provisioning and deployment of newly purchased devices. Having said that, the foundation of supporting https://docs.microsoft.com/mem/autopilot/windows-autopilot is already in place via Microsoft Endpoint Manager, Intune and Azure AD. Windows Autopilot is exactly how we here at Microsoft address https://www.microsoft.com/itshowcase/blog/autopilot-speeds-up-windows-10-image-deployment-inside-microsoft/?_lrsc=a022715f-934b-4aec-82a9-dba6226ede8b for newly purchased devices. Devices are purchased and shipped directly to end users, who can connect to the internet, log into the machine and be fully functioning in roughly 10 minutes without any intervention from IT. Certainly, having a light device footprint and primarily pushing down GPOs improves the user experience, so the balance becomes a decision on how many applications you may or may not want to include as part of the process. More apps mean more data to be pushed, and the greater the impact to getting the users into a productive state. This segues into the application deployment discussion and the challenge of how you can deploy LOB applications and manage updates to your applications.

In many ways it boils down to approach: you can use a push or end user pull model. The push model is certainly one that’s supported by the aforementioned architecture, anchoring on Intune as the deployment mechanism. At the enterprise SKU level, Intune supports a broad array of https://docs.microsoft.com/mem/intune/apps/apps-windows-10-app-deploy that organizations can package up and push to remote worker endpoints efficiently, with the new https://docs.microsoft.com/windows/msix/ packaging format being the recommended approach based on its flexibility. Given Intune is capable of supporting Android and iOS devices, in conjunction with MSIX, you can also deploy LOB to mobile devices. If you layer in the previously mentioned https://docs.microsoft.com/mem/intune/protect/microsoft-tunnel-overview solution, you can also provide secure mobile connectivity to those LOB applications. For the pull model, organizations have a number of options for users to pull applications including the https://docs.microsoft.com/mem/intune/apps/windows-store-for-business, a company supported portal that is externally facing. From my perspective, I would consider avoiding application deployment in the remote worker scenario, and instead leverage https://docs.microsoft.com/azure/virtual-desktop/overview as the most secure, robust and scalable approach that provides LOB application owners 100% control of delivery and support of applications in Windows Virtual Desktop, including secure delivery and protecting data at rest and in transit.

Optimizing delivery mechanisms

With the technology foundation and architecture discussion under our belts, there is one final topic of supporting the hybrid workforce which is probably the most important: https://www.microsoft.com/en-us/download/details.aspx?id=101056 of the deployment of Windows updates. This goes beyond the technology necessary to drive deployment success, and instead covers other critical pieces of information you need to consider in the process. The first piece is to understand the best practices and considerations for the Microsoft-recommended policy considerations feature set over feature set. These are all outlined in the https://www.microsoft.com/en-us/download/details.aspx?id=101056, which, like the security baselines, represents a set of tools and guidelines that assist you in making important policy decisions to ensure deployments are optimized to their fullest. Next, using the tools and guidelines for optimizing both feature updates and quality updates will ensure efficient delivery of the bits, minimize bandwidth impact and provide the greatest level of user experience. It is also important for anyone in the position of deploying Windows updates that you are fully educated on any issues Microsoft has surfaced during our normal course of business in servicing more than one billion devices worldwide via the Windows 10 release notes. Finally, leverage the Video Hub for technical deep dives on all of the aforementioned tech by leveraging the filters on your solution area of interest.

Conclusion

In closing, I hope this helps tie all of our solutions and services together into a cohesive storyline that provides you with that longer term, more strategic, and holistic picture of what it takes to “re-imagine IT” support for the hybrid workforce. At the end of the day, it’s all about embracing digital transformation in order to go towards cloud and modern management. This is not a technology discussion given that I believe this post shows that the technology is viable, but instead a cultural paradigm shift for many organizations with the current situation serving as a forcing function. Use the time to explore new opportunities in your estate that unlock new ways of servicing your remote endpoints and drive change in your organization that embraces service management maturity for the hybrid workforce, as it appears to be the new normal moving forward.