atilgurcan
8 Topics

Using Microsoft Intune for Local Administrator Password Management
As you may have heard, the Windows LAPS feature was released to Public Preview in the last week of April. It supports two main scenarios for backing up the local administrator password: storing passwords in Azure AD or in Windows Server AD. It also interoperates with the legacy LAPS solution. This article, on the other hand, will focus on a native cloud deployment for Windows 10/11 clients that do not have the legacy LAPS client installed, are managed through Intune, and are either Hybrid Azure AD Joined or Azure AD Joined. In this blog post, I’ll walk you through basic policy configuration and core Windows LAPS functionalities such as accessing local administrator passwords from different consoles and manually triggering password rotation. Pre-requisites for enabling Windows LAPS may change in the future, so it is always a good idea to check the online documentation first; the tasks we will cover in this post are as follows:
- Enabling the local administrator password feature at tenant level
- Creating a Windows LAPS policy
- Monitoring policy application
- Accessing local administrator passwords that are backed up
- Rotating local administrator passwords manually

Enabling Remote Help and Supporting Users with Intune
A couple of months ago, Microsoft announced an add-on to the Intune service that helps enterprises support remote workers with an experience familiar to both helpers and sharers. The solution is designed to be secure (RBAC and a required organizational login), easy for helpers to use, with possible compliance issues highlighted, to allow elevation of privilege when needed and when permitted by role-based access controls, and to be flexible enough to support devices that are not enrolled in Intune. In this post we will do the basic configuration needed to get the Remote Help service up and running on our tenant and look at the experience from both sides of the table.

How to Manage Microsoft Defender Policies with Intune on Non-Managed Devices
In one of the previous posts, we discussed how to use Intune to deploy AV policies to on-prem servers and clients through the Configuration Manager integration. In this post, I’ll elaborate on another configuration that helps deploy AV policies to on-premises resources using Intune without a Configuration Manager hierarchy. This feature extends Microsoft Defender for Endpoint security management capabilities to scenarios that require lightweight but fundamental security management: workgroup devices that can be enrolled in the Microsoft Defender for Endpoint service, or companies that do not have a Configuration Manager infrastructure in place.

Moving a Windows 365 Cloud PC From One DC Region to Another - MS Hosted Network
UPDATE: The capability to move Windows 365 Cloud PCs from one datacenter region to another was introduced in Summer 2023 and is in public preview as of June 2023. A new blog post has been written to reflect this behavior and can be viewed here. The rest of the article is kept for archiving purposes, and because it demonstrates the behavior of a policy targeting change.
----
From time to time, your employees may need to relocate from one location to another. Or, more often, a new Microsoft Datacenter might open in a location that is nearer to your employees. Those are some examples of when you need to move your Windows 365 Cloud PC from one Microsoft Datacenter to another. In this blog post, we will take a look at the steps required to move your Cloud PC workload in a Microsoft Hosted Network configuration.

Creating MFA Policies with Zero Trust Advanced Deployment Guide in Microsoft 365
As you most probably know, Advanced deployment guides are available on your Microsoft 365 tenant. These are basically deployment guides that help you configure different settings and onboard services based on your requirements and scenarios. Advanced deployment guides are accessible from the Training, guides & assistance card on the Microsoft 365 tenant.

Mobile Application Management on Windows 11
Intune is very well known for its ability to manage both devices (MDM) and applications (MAM). The core difference between these two options comes down to the level of management that companies require, or that employees accept. While MDM is seen as an appropriate way to manage company-owned devices or a full zero trust environment, MAM is useful when a company wants to make sure employees can use their personal devices to run applications that access company data, while limiting what can be done with that data. From that perspective, it can improve the zero trust posture of a company as well, by making sure that the applications used to access certain data, such as company data, comply with the criteria defined in the application protection policy.

Moving Cloud PC from One Datacenter Region to Another - Summer 2023 Edition
As I mentioned in an earlier post, moving a Cloud PC from one datacenter location to another was not possible. That activity was basically a deprovisioning and reprovisioning of the existing Cloud PC in the target datacenter. However, due to increasing customer demand, this behavior is being changed right now. Moving a Cloud PC from one datacenter location to another is currently in preview (June 2023) and will probably be GA in the coming fall. Let’s take a look at how it is done.

Supporting Users with Remote Help on Personal Devices: Unenrolled Device Scenario
There are scenarios where a user is using their corporate-managed device and needs assistance. That is covered in a previous blog post titled Enabling Remote Help and Supporting Users with Intune | Microsoft Community Hub. However, some of these users may also need assistance while working on their personal devices, which is also possible using Microsoft Intune and Remote Help. This blog will focus on the Intune configuration needed to support unenrolled devices with the Remote Help capability, and on the helper-side experience with different configurations in place.

Configuring Remote Help Feature

By default, the Remote Help feature is not allowed to work with unenrolled devices. However, from the Tenant Configuration – Remote Help – Configure task, it is possible to enable Remote Help for unenrolled devices.

Image 1: Remote Help Configuration

If the tenant configuration does not allow Remote Help for unenrolled devices, the sharer will see a message stating that the organization does not allow Remote Help to be used on unenrolled devices.

Image 2: Sharer View – Org. does not allow Remote Help on Unenrolled Devices

In this case, what needs to be done in the Intune service is to allow Remote Help to be used with unenrolled devices. The configuration is done from the Tenant Administration – Remote Help – Settings section using the “Configure” task.

Image 3: Remote Help Configuration – Allow Remote Help to unenrolled devices

Once Remote Help is configured to work with unenrolled devices, the helper will be able to start supporting those users. However, the experience on the helper’s side differs depending on whether the helper is a Global Administrator or not. Let’s take a look at the two scenarios and experiences.

Helper Being a Global Administrator

During configuration of the Remote Help service, we need to scope the operator’s role. Usually the configuration is made to cover “All devices” of the organization. It is also possible to add groups and have different helpers cover different users / devices in the company.

Image 4: Helpdesk Operator Role Assignment – All Devices

Let’s assume a scenario where the helper user also holds a Global Administrator role. In this case, the helper starts the helping process by sharing their Security Code, as seen below.

Image 5: Global Admin starts remote help

The user enters the security code into the Remote Help application on their personal device. Note that the device is a personal, unmanaged device.

Image 6: User Enters Security Code

Following the approval process, Remote Help sharing starts. The only difference from helping a managed device is the warning the helper gets, highlighting that the device is not enrolled in Microsoft Endpoint Manager and that the helper must be careful while entering sensitive data on the endpoint.

Image 7: Remote Help on Unenrolled Endpoint

This is a quite streamlined experience for a helper who is also a Global Admin. However, it is a bit different for a helper who is only a Helpdesk Operator. Let’s take a look at that scenario and what needs to be done to make it work.

Helper Being a non-Global Administrator

In the more likely scenario where the helper is not a Global Administrator, the helper will see an error message when they initiate a connection.

Image 8: Remote Help Permission Error

The reason behind this issue is that the role assignment is done at device level, while the device the sharer is using cannot be found in the tenant, as it is an unenrolled device. To support this scenario, role assignments for Helpdesk Operators should be done at user level. This is detailed in a note in the “assign users to roles” section of the “configure remote help for your tenant” documentation available here.

Image 9: Helpdesk Operators Assignment Properties

Once we edit the scope and add the users’ group to the assignment, the helper role will be evaluated against users instead of devices and will be able to access the unenrolled device.

Image 10: Helpdesk Operator Assignment Properties

From the experience perspective, the helper user (Atil) shared their security code with the sharer user (Yaz Ece); the sharer enters the security code into their Remote Help application and, following the approval procedures, the helper is able to view or control the sharer’s screen.

Image 11: Sharer Experience – Security Code Entry

Since the device is unenrolled and not managed by Microsoft Endpoint Manager, the helper will see the warning message stating that the security of this device is not guaranteed and that caution is needed while entering or accessing sensitive information.

Image 12: Remote Help on Unenrolled Endpoint

Wrap Up

Microsoft Intune Remote Help can be used to support users’ personal devices as needed. To do that, Remote Help must be configured to allow access to unenrolled devices, and the role scope must be set to include users instead of devices, since the “All Devices” security principal does not include unenrolled devices by definition.