Tag: Windows 10

Intune MDM Azure Portal Explained

Intune MDM Azure Portal Explained

MS Intune

Managing Windows 10 with Intune MDM

I am hoping this helps with the understanding of Intune (Azure Portal) and MDM.

 

There are 3 types of configurations for devices when connected to Intune (Azure Portal):

Intro:

Azure AD Registered devices: this allows a device to come into the realm of MDM. This is focused on BYOD. End users can bring their devices and Register them with Azure where they can be managed by adding a work/school account. Admins can push out policies. But nevertheless the end user can remove themselves from the MDM management, because this is their personal device.

Types of Azure AD Domain Joins:

Azure AD joined devices: this allows a device to join a Azure AD domain. Targeted for workplace devices that do not have an on-premise AD infrastructure or a cloud first/only approach. Benefits include:

  • Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don’t see additional authentication prompts when accessing work resources. The SSO functionality is even when they are not connected to the domain network available.
  • Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect a Microsoft account (for example, Hotmail) to see settings across devices.
  • Access to Windows Store for Business using AD account. Your users can choose from an inventory of applications pre-selected by the organization.
  • Windows Hello support for secure and convenient access to work resources.
  • Restriction of access to apps from only devices that meet compliance policy.

 

Hybrid Azure AD Joined devices: this is for organisation who also have a on-premise footprint as well as cloud. Devices are joined to a local AD. These organisation would require the need for group policies or imaging devices or NTLM/Kerberos hence why they are not fully in Azure.

Rule of thumb:

A rule of a thumb, you should use:

  • Azure AD registered devices:
    • For personal devices
    • To manually register devices with Azure AD
  • Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are not joined to an on-premises AD
    • To manually register devices with Azure AD
    • To change the local state of a device
  • Hybrid Azure AD joined devices for devices that are joined to an on-premises AD
    • For devices that are owned by your organization
    • For devices that are joined to an on-premises AD
    • To automatically register devices with Azure AD
    • To change the local state of a device

 

So what does this mean:

Well in a nutshell, you don’t need to use the old classic Intune portal!!! We can configure a on-premise domain joined machine to be managed by Azure Intune MDM (agentless MDM). The trouble you will find is that there is no clear documentation on how to configure this. My next post will discuss how to configure local AD domain joined device to be managed via Intune MDM using the Hybrid Azure AD Domain Join option.

DISM Injecting Windows 10 1709 Updates into a WIM Image

DISM Injecting Windows 10 1709 Updates into a WIM Image

Image File

Injecting Windows 10 1709 Updates into a WIM

 

The following guide outlines how to inject Windows Updates into a WIM file using DISM. This process can help ensure newly built machines are patched before being handed out to end users. In addition this can also speed up the process of building Windows 10 1709 as the Windows Update process during your task sequence will be relatively shortened.

  • Create a WIM file directory
Md C:\wim
  • Copy your original WIM to c:\wim
  • Create a Mount directory
md C:\mount
  • Create a temp directory
md C:\temp
  •     Create a update directory
md C:\msu
  • Find what index the Windows 10 Enterprise SKU is within the WIM File:
Dism /Get-ImageInfo /imagefile:C:\wim\install.wim
WIM index
WIM index
  • Mount the WIM file using the required Index number, I am using Index 3 Windows 10 Enterprise:
Dism /Mount-Image /ImageFile:"C:\wim\install.wim" /Index:3 /MountDir:C:\mount
Mount Windows 10 Image
Mount Windows 10 Image

You will notice the mount directory has all the extracted windows files/folders

  • Download the latest Windows 10 update package from Microsoft’s website and place it in the update folder C:\msu. I will be downloading the 4088776 update https://support.microsoft.com/en-us/help/4043454
  • Run the below code to inject your update

 

Dism /Add-Package /Image:C:\mount /PackagePath:C:\MSU\windows10.0-kb4088776-x64_55756340f1e2c2090f94de6d256eafd75e1cee9c.msu /LogPath:AddPackage.log

Inject Update into WIM File
Inject Update into WIM File
  • Lock in the Updates so they are restored during a recovery:
DISM /Cleanup-Image /Image:"C:\mount" /StartComponentCleanup /ResetBase /ScratchDir:C:\Temp
Lock Injected Updates into WIM File
Lock Injected Updates into WIM File
  • Unmount the image and commit the changes:
Dism /Unmount-Image /MountDir:"C:\mount" /Commit
Unmount WIM Image
Unmount WIM Image
  • Now upload your WIM to SCCM or MDT, deploy and test.
Always On VPN Device Tunnel with Windows 10 1709

Always On VPN Device Tunnel with Windows 10 1709

Always On VPN Device Tunnel with Windows 10 1709

Update 22/11/2017: Microsoft’s official guidance on Device Tunnel configuration is now available at https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

A long awaited feature with the DirectAccess successor Always On VPN (Auto VPN) is the ability for clients to initiate an infrastructure tunnel to the corporate network without the user logging on. This feature named Device Pre-Logon is available in Windows 10 1709 update.

Over the last several years Microsoft’s VPN or remote connectivity solution has primarily been DirectAccess. Whilst DirectAccess provided seamless always on remote connectivity, it did however come with a few drawbacks. Originally released with Server 2008 it only supported IPv6 and utilised UAG. With Server 2012, 2012R2 Microsoft removed the need to utilise UAG and streamlined the installation and configuration. Still available in Server 2016 DirectAccess is not a technology that is obsolete but far from it with many organisation using it to provide users with remote connectivity. Once configured DIrectAccess…just works. For at least the short term DirectAccess is proven to be reliable and the remote connectivity solution of choice, as long as you can overcome single stack IPv6,  but if you want the latest and greatest then Always On VPN is the future.

However DirectAccess is a dark art and the solution can be difficult to install and configure to the novice professional. Always On VPN on the other hand has all the missing features and more that DirectAccess should have had. This not to to be taken lightly, as Always On VPN is also not a walk in the park to implement, away with the GUI, Always On VPN utilises configuration service provider (CSP’s) in order for implementation.

Always On VPN is the new kid on the block, released in Windows 10, the major benefit of a Device Pre-Logon tunnel has been released with 1709 Creators Update for Windows 10. This allows administrators to always have the ability to manage Windows 10 devices once they leave the corporate environment. When a device is connected to a known network, it will automatically initiate a VPN connection back to corporate environment where it can be managed. For example this can group policies, windows update or even configmgr.

The official statement from Microsoft is to deploy Always On VPN instead of DirectAccess, but many organisations would be very reluctant to deploy a solution which has just arrived on the market. The below outlines the benefits and drawbacks of DirectAccess:

DirectAccess

Benefits:

  1. Always On
  2. Seamless
  3. Infrastructure Tunnel for device management in addition to the User Tunnel
  4. Built into Windows 10 no additional clients needed
  5. Uses IPHTTPS tunneling protocol
  6. GUI for easy configuration
  7. Still supported and available in Server 2016

Drawbacks

  1. IPv6 only solution. Applications installed on the client must support IPv6, certain exception are made for example Office Communication Server 2007 does not work with DirectAccess
  2. No granular control
  3. Manage-Out not supported when more than 1 DirectAccess server is present in a configuration ( although it is possible to get Manage-Out working with multiple servers using a solution by Richard Hick’s)
  4. Limited access to End to End encryption to application servers
  5. No support for VPN gateways
  6. NAT64, DNS64 componets are utilised to transverse IPv6 to IPv4
  7. Teredo and 6to4 are not supported behind a NAT/Firewall
  8. Only Windows Domain joined devices are supported
  9. Network Access Protection deprecated in 2012R2

 

Always On VPN

Benefits:

  1. Uses industry standard IKEv2 tunneling protocol with the ability to fall back to SSTP when behind firewalls or proxy’s
  2. Dual stack support for IPv4 and IPv6
  3. Granular control for End to End encryption to application servers using policies
  4. Granular control over routing, specifically control routing behavior to define which traffic should only ever traverse the VPN and not go over the physical network interface
  5. Name based triggering allow specific domain name queries to trigger the VPN
  6. Application Triggering, when specified desktop and/or universal windows apps are, the VPN will automatically trigger
  7. Supports VPN gateways behind a NAT or edge device in addition Remote Access servers can be used
  8. No requirement for Active Directory or Windows domain joined devices, nor a requirement on an Enterprise version of Windows 10
  9. Application specific routing is supported (Managed tunnel)
  10. No requirement for Network Location Servers in order to determine if a client is within the corporate boundary or outside. Trusted Network Assessment is ustilised which assesses  the connection-specific DNS suffix assigned to network interfaces
  11. Ability to integrate with Azure Conditional Access Platform to enforce Device Compliance and/or multi-factor authentication
    1. Multi-factor authentication includes the ability to use Windows Hello for Business Certificate
  12. Support of RSA and ECC to meet specific cryptography requirements such as those set by the National Cyber Security Centre in the United Kingdom or other government/corporate organisations.

Drawbacks

  1. Can be difficult to configure using PowerShell, Intune, ConfigMgr or Windows Configuration Designer have to be used to configure Always On VPN
  2. Remediation’s or quarantining is not supported using Azure Conditional Access Platform
  3. New kid on the block and may require maturing, potential to have unknown bugs

 

Creating a Certificate Signing Request using Windows 10

Creating a Certificate Signing Request using Windows 10

Creating a Certificate Signing Request using Windows 10

certificateCreating Certificate Signing Requests or CSR’s can be a daunting task, you don’t want to get it wrong as it can costs you, literally. Usually many administrators head over to IIS and create a request using the IIS management console. This will of course work but you may end up creating a SHA1 request, with no option for SHA2

I have however noticed Windows 10 being able to create CSR’s with all the latest cryptography and key lengths, as well as it being a breeze to process.

To get started you need to open the Certificate management console. Hit “Windows Key” + “R” and type “MMC” into the run window, now hit enter. Alternatively if you click “Start” and search for “Certificates” and click on “Manage Computer Certificates

 

Once the certificate console has opened, expand the personal store and right click on Certificates. Click All Tasks > Advanced Operations > Create Custom Request.

 

In the window click Next

Now click Next

 

Choose Proceed without enrollment policy and click Next

 

Click Properties

 

Now enter a Friendly Name (this can be anything, but something that you can use t easily identify the certificate) and enter a description.

Click the Subject tab

Important!!!

If you fail to enter the basic information like the image on the left, your certificate request will be invalid. You must enter:

Common Name – (this is the URL)

Organisational Unit – Department

Locality – Area e.g. Westminster

State – Area e.g. London

Country – this must be the two letter abbreviation for the United Kingdom use GB

To find your 2 letter country code click here

Finally enter the Alternative name DNS. This should be exactly the same as your URL.

 

Under the Extensions tab, select Server Authentication and Client Authentication for Extended Key Usage.

 

Under Key Usage select Digital signature and Key enciphement

 

Click the Private Key tab, select 2048 for Key Options and check Make private key exportable

Under Hash Algorithm select SHA256

Click OK and Next

Save your file as a .req

Validate your CSR

That’s pretty much it. You can verify that your request file is valid by opening it, copying the data and pasting it into the Symantec Crypto Report validation site click here .

Once you receive your certificate file it MUST be imported onto the computer where the CSR file was created as the private key exists on this machine and is never transmitted within the CSR. You can then export the certificate to any machine as it’s private key was marked as exportable.