MEM: Bypassing iOS activation lock on supervised devices

While it’s not supposed to be possible, I have seen iPads which were added to DEP/Apple School Manager/Apple Business Manager and supervised still allow the user to turn on ‘Find my iPad’, which creates an activation lock when the device is reset. Unfortunately your only clue is the first letter of the email address, and the first letter and TLD of the domain, e.g. a*****@a*****.com – not much use if you can’t figure out who that is to recover it via resetting the account password. Luckily you can bypass this if the device is registered to DEP and enrolled in MDM.

In the case I had this week, the iPad had already been reset via ‘Erase all content and settings’, so there was no longer an MDM profile installed. The MDM it used to be connected to had not been used for 3 years: the APNS certificate expired and wasn’t renewed, as we were migrating to Intune, and some devices were missed and remained on the old MDM in an unmanageable state. Most MDMs will allow you to generate or view the activation lock bypass code. The MDM can generate this without needing to contact Apple – in my case the APNS certificate was expired – and without needing to talk to the iPad.

MEM: Setting Client Registry Keys

With domain-joined clients we’ve been able to push out registry setting changes with things like Group Policy Preferences. Unfortunately there isn’t an equivalent to this in MEM. While your best plan here would be to find the setting within the Settings Catalog or Templates in a configuration profile, or even look for an OMA-URI which can be set, there will always be some tasks which can only be achieved by directly setting a registry key.

Within MEM we can create PowerShell scripts which run once per user or device. We can specify whether we want these to run in user context or system context. The scripts are downloaded to the device by the Intune Management Extension (IME) and run once per user. If the script is running under the system context then the user does not need to be logged in for the script to execute. If you update the script, it will run again. If it is set to run in user context, and the user is a local administrator, it will run with administrative privileges.

This seems perfect for any registry keys we may wish to change once only. We can of course use Proactive Remediation instead (part of Endpoint Analytics, mentioned briefly in this post; I do plan a detailed look at Proactive Remediation soon), which would allow us to schedule the script to run frequently, as a detect/remediate script pair.

MEM: Updating to Windows 11

Updating devices to Windows 11 is fairly simple through Intune, using the Feature Updates settings. To get this working you’ll need Intune licences (…obviously) along with one of the following:

  • Windows Enterprise E3/E5, included in Microsoft 365 E3/E5/F3
  • Windows Education A3/A5 (M365 A3/A5)
  • Windows VDA per user
  • Microsoft 365 Business Premium

You’ll also need the devices to be on a supported version of Windows 10, enrolled in Intune and either Hybrid or Azure AD joined. Telemetry will need to be enabled – this can be enforced with a Device Restriction policy.


Project: Certificate Expiry Notification Tool

[Screenshot: Certificate Expiry Notification Tool main screen]

I’ve always hated having to set calendar reminders whenever an SSL certificate or Azure AD App Registration certificate expired. What if you forget to set the reminder? What if you’re off sick and miss it? In most cases missing it means disruption of service for a while, but in some cases – for example some of the Apple certificates/tokens used when managing Apple devices in Intune – missing the renewal means you need to re-enroll all your devices. If you’ve restricted profile removal then you’ll have to factory reset them all too.

I had an idea a while ago for a system to track these and send reminders, and recently I’ve been working on a system to do just this. There are many different ways I could have gone about this – a PowerShell script, or maybe something in PowerApps/Flow – but I wanted a nice web interface, and my weapon of choice for web development is PHP.

This project will show you a list of certificates and secrets, along with their expiry date and a status indicator (Expired/Warning/Okay). It will automatically pull any Azure AD App Registration secrets and certificates, and the Intune Apple VPP tokens, Push Notification and Enrollment Program tokens, from the Microsoft Graph API. Email alerts can be configured, which will also use the Graph API to send the mail.

MEM: Managing Android Devices

I’ve been putting this off for almost a year but finally thought it was time I wrote a post about managing Android devices in Microsoft Endpoint Manager (aka Intune). It’s no secret that I absolutely hate Android devices, which is probably why it’s taken so long to do this, but we have a few at work which need managing so here we are.

I’m going to go through this using a standard Gmail account to link Google to Intune, into something called “Managed Google Play”. From what I can work out, you don’t need to set up anything fancy to do this, you just need the standard Gmail account (using an account tied to G Suite or Google Workspace does not work for this). In this post I’ll go through the various profile types – e.g. personally owned, corporate owned, fully managed, dedicated device (kiosk) – and have a look at rolling out restrictions/certificates/profiles etc., along with some apps.


Azure AD and Windows Hello: SSO to on-premise resources

One of the main reasons people might choose a hybrid Azure AD joined configuration for their devices is that they still want to be able to access on-premises resources, for example a file server, or printers. In my opinion, hybrid join should be avoided and it is usually worth the extra work required on the infrastructure to support your devices being Azure AD joined and having no relationship to the AD domain.

In this post I’ll look at how SSO to on-premises resources actually works when you are logged on to an Azure AD joined device with a user account which is synced from your on-premises AD. I’ll also look at how you can configure this so that users logging on using Windows Hello for Business can also SSO.

Intune: 802.1x Wi-Fi, NPS and user PKCS certificates

One of the things I dislike the most about Azure AD joined devices on our enterprise wireless (using NPS on Windows Server for authentication) is that having to put my credentials in whenever I connect is poor usability compared to, say, a traditional domain joined device which can authenticate by device, or user, seamlessly. While there isn’t really a way to replicate device based authentication with Azure AD joined devices (to cut a long story short – there is no computer object in AD for NPS to look for), you can configure things so that you can use a user certificate.

There are a few prerequisites for this:

  • Wireless network using WPA2-Enterprise (or any flavour that uses 802.1x)
  • Active Directory domain already set up
  • AD Certification Authority already set up (Enterprise CA)
  • User accounts synced to Azure AD
  • NPS installed and configured
  • Devices Azure AD joined and enrolled in Intune

As part of this process we will be configuring a certificate template, installing the Intune Certificate Connector onto a server of your choosing and creating some configuration profiles.

Windows 365 Cloud PC

Windows 365 Cloud PC is Microsoft’s latest addition to the VDI scene. It was announced at Inspire back in July, and then released to General Availability on 2nd August 2021. On a basic level, you provision a Windows 10 (or 11) VM to a user, and it’s dedicated to that user – so effectively the same as a standard PC in that you’re not sharing resources in a multi-user environment as you may do with Azure Virtual Desktop. Licensing is made simple as it’s a fixed price per user, per month, regardless of how much usage they make. There’s a variety of different SKUs which correspond to different VM specifications.

Windows 365 comes in two versions – Business and Enterprise. Business is limited to 300 users and is designed to be much simpler to set up and configure. Enterprise does not have a user limit and integrates with Endpoint Manager (Intune). The core difference here is that Business could be implemented by anyone at the company, whereas Enterprise will most likely require an IT department to manage it.

This does not replace Azure Virtual Desktop – it runs alongside it. Azure Virtual Desktop requires more technical expertise to set up and manage, and can be more expensive or less expensive than Windows 365 depending on your host sizes, whether you share devices with Windows 10 multi-user, and whether you shut them down or not. Windows 365 is a fixed price, with no knowledge of Azure Virtual Desktop and RDS required.

I’m going to look at the setup process for Business and Enterprise and give my thoughts.


WUfB and Update Compliance

Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKUs of Windows 10 – Pro/Enterprise/Education/Pro for Workstation – basically everything except Home edition. You can select which types of updates you would like – Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.

Whilst you don’t approve/deny each update as you’d have done in the past with WSUS, you can specify update deferral periods. For Quality updates this is 30 days or less, and for Feature updates it’s 365 days or less. You can create multiple policies, for example one targeting a pilot group with 0 day deferral, one with 5 day for a wider group, and a 10 day deferral for the rest of your devices. If you find an issue with an update installed by the pilot group, you can pause updates for up to 35 days on the other policies. The devices should then resume at the end of the 35 days and skip the missed update, moving on to the next cumulative update.

Device driver updates are enabled by default, but can be turned off, and Microsoft Product updates are disabled by default, but can be turned on. I tend to leave these at the default settings – as the trend with recent Microsoft products has been for them to look after the updating process themselves (e.g. Office 365 Click-to-Run, Edge etc) rather than using Windows Update.

You don’t need Intune or Config Manager for this, and you don’t need your devices to be Azure AD joined – it can even be a PC in a workgroup – although it’s a lot easier to manage if you have some central control over the client side settings.


Intune: Introducing Filters

Endpoint Manager/Intune Filters is a new feature which is currently (at time of writing) in public preview. This gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.

At a basic level, you apply a filter over the top of an included device or user group, with two modes to either include or exclude devices from the assignment. For this kind of thing I currently use dynamic device groups, and set assignments to these groups. Going forward I can change this to using filters, and assigning to larger (perhaps assigned membership) groups. The benefit to doing this is that you no longer have to wait for dynamic group membership to update, which can take a while – especially on larger environments.
