Intune: Upgrade Windows Pro to Enterprise AUTOMATICALLY!

Do you have a bunch of Windows 10 Pro devices and would like to upgrade them to Windows 10 Enterprise? Microsoft 365 (specifically Microsoft Intune) can help you!

Note: For more information please reference Deploy Windows 10 Enterprise licenses. The following is an example of how to do this with Intune (assuming appropriate licenses have been purchased and assigned).

First, create a Microsoft Intune configuration policy. In the Azure Portal navigate to Microsoft Intune -> Device Configuration -> Profiles. Click Create Profile.

Next, create a new Windows 10 and later profile, with a type of Edition Upgrade. Click Settings.

Click Edition Upgrade

In the field Edition to upgrade to select Windows 10 Enterprise. In the Product Key field type in the product key (e.g. a MAK key). Then click OK.


Click OK to save the Edition Upgrade. Click OK again then click Create


Next, click Assignments. In the Assign to menu select All Users & Devices, then click Save.

Note: Your assignments may be different per your organization’s requirements. This is only an example. You could also assign only the machines in question, or use a dynamic security group that queries on the device serial number, etc.


On a virtual machine with Windows 10 1803, install Windows 10 Pro:

Note: I’m showing you this to demonstrate the upgrade. Ideally you would sign in with an Organizational Account in the OOBE when installing Windows. However, if I did that here, you wouldn’t see that I’m coming from Pro 🙂

Notice it’s Windows 10 Pro:


Join the machine to Azure AD to receive the Intune policy:

Reboot the machine and sign in with the user’s Azure AD credentials. Once signed in, open System Information and notice that Windows has been upgraded to Enterprise!

This can be verified in the Intune portal under Device Status for the configuration policy that was previously created:

I hope you found this helpful. Questions? Please let me know in the comments below! Enjoy!

AIP: I know when you open my document, and I can revoke access! (Compliance + Sales = Seller Hero)

Have you sent an email to someone (perhaps a customer) that contained an important document and wished you could see if they have opened it? What if you accidentally sent the document to the wrong audience; wouldn’t it be nice to revoke access? Perhaps it’s a sales quote and you want it to expire in 30 days? Well the future is here, and this is possible today using Azure Information Protection (AIP), included with Enterprise Mobility + Security, Microsoft 365, or a plan that includes AIP with Office 365. In this blog post we will explore from an end-user perspective how they can see if their recipient has opened the document, and how to revoke its access.

Azure Information Protection enables your organization to classify its data and apply security policy to that data, but more importantly gives the end-users visibility and control over how the data is consumed. This tool is extremely powerful for both IT and end-users, because it allows you to not only discover what data is in the organization, but classify it based on some criteria (e.g. Confidential, Secret, Top Secret and risk to the organization) and apply policies that govern who can access what data based on the classification assigned.

This can be especially useful when you need help complying with regulations like GDPR. For more information about Azure Information Protection, I suggest reading the IT Pro documentation: What is Azure Information Protection? I will not be covering full technical details here, such as how to configure the protection policy. I also highly suggest reviewing the AIP client user guide HERE.

You’re telling me I can see who has opened my document?

Yes! If I send you a document, spreadsheet, PDF, PowerPoint, etc., I can see if you have opened that file. It doesn’t matter how it was sent either (email, file transfer over Skype, posted to Teams, etc.). I can also see who has opened the file, by their identity, regardless of whether they were the intended recipient. I simply control this using the site https://track.azurerms.com

When I browse to the site, and login, I can see a list of the documents I have protected using Azure Information Protection:


Clicking on one of the documents, I can see how many views it has had (and by whom), how many users (and which ones) were denied access to the document, among other controls. Let’s click List in the top menu:


Here I can see who (by user identity, as signed into the Office applications) has attempted to access the document and whether or not they were successful. This is extremely useful!


Clicking on Map at the top menu I can see where in the world the document has been accessed. If all my users were accessing from the US, and then one user was from outside the US – this could indicate a stolen identity or data breach, and I may want to revoke access to the document.


Clicking on Settings from the top menu allows me to do something REALLY COOL: whenever the document is accessed, I can receive an email notification! Why is this really cool? I might be a salesperson and this document might be a proposal to a client. If I never receive an email, indicating you never opened the document, then I know you may not be interested and I need to adjust my sales approach. This is one of the features of the product (in my opinion) that sells itself. Having that type of intelligence can be critical to the closure of a deal.


At the bottom of the page, I can revoke everyone’s access to the document by clicking the Revoke Access button:


At the bottom, I click Confirm:


All access to the document has now been revoked:


How does this work?

All roads lead to identity:

When a file is protected using Azure Information Protection (AIP), the file is actually encrypted at the file level, and the encryption travels with the file wherever it goes. This encryption is tied to the user’s identity in Azure Active Directory (AD). When the file is accessed, the user authenticates to Azure AD, authorization is checked, the file is decrypted and the user can view the file. For more detailed technical information on how this encryption process works see How does Azure RMS work? Under the hood.

So, if I give you a super sensitive file that has been protected using AIP, unless you have my identity, or have been granted authorization, you cannot open the file. This is (in my opinion) a game changer, as this means your organization’s data can travel from device to device (personal home computer, work computer, mobile devices, USB sticks, etc.) and the data will stay encrypted. It doesn’t matter if the device is protected or not, because the file is already encrypted. It doesn’t matter if I accidentally send the file to someone I shouldn’t have, because it’s already encrypted.

What’s required to do this? A few things as outlined in the technical documentation but most importantly: The recipient (inside or outside your organization) needs to have an identity account in Azure Active Directory.

What if the recipient does not have an Azure AD account?

If the file is being sent to someone outside your organization, and that recipient does not have an identity account in Azure Active Directory, you have a few options:

  1. The recipient can sign up for “Azure RMS for Individuals” by browsing to this website and going through the wizard. Microsoft will check the email address to see if it’s associated with an AIP subscription, or an Office 365 subscription that includes AIP. If it is not found, you can register and essentially an account in Azure Active Directory will be created for you. For more information about this process see: RMS for individuals and Azure Information Protection (Note, this DOES NOT sign your company up for anything; this is tied to a single identity so you can use the viewer or sign into a protected file.)
  2. If you do not want to go with option 1 (although, it’s VERY easy!) then your second option is actually pretty interesting. When AIP is used with Exchange Online, and that document is sent using Office 365 Message Encryption, then you can sign in using a Gmail, Hotmail or Microsoft (Live) account! See New Capabilities Available in Office 365 Message Encryption.
  3. The last option uses the Azure Information Protection client. You can manually specify the recipients who are authorized to access the file (by email address) and their associated permissions using the AIP client:


IMPORTANT: All three options require the user to sign into Office on their device (or use the Azure AIP Viewer) with the identity that is associated with the AIP protected file. So, if I receive a spreadsheet from you sent to johndoe@gmail.com, I need to sign into Excel on my device as johndoe@gmail.com.

NOTE: Notice above, there is an option to Expire Access. I can have the file expire after, say, 30 days and no one can open it afterwards. This is another important feature that adds tremendous value (e.g. a salesperson that wishes to expire a quote after 30 days).

Conclusion:

As you can see, Azure Information Protection can provide tremendous value back to your organization by empowering employees to take control over their data and ensure its security. At the same time, it enables them to be more productive by being able to seamlessly share sensitive files outside the organization and track their usage. This used to require different 3rd party products, and trying to get them integrated with the environment was a challenge.

It’s important to note that I have not shown all the back-end configuration that can be performed by IT to add additional value and to meet organizational requirements. Please review the technical documentation to learn more about the following: trusted domains, permissions based on classification type, Office 365 Message Encryption (and how typing the recipient’s email address in the To line in Outlook automatically grants them permissions), etc.

If you own AIP through Microsoft 365, Office 365 or Enterprise Mobility and Security – give this a try and tell me about your success in the comments below!

Microsoft Teams: Restrict Usage with Azure AD Conditional Access

Introduction:
In this blog post I will discuss how to use Conditional Access in Azure Active Directory (Azure AD) to restrict how Microsoft Teams is accessed by employees. This blog post will cover how to configure Conditional Access, and what the experience is like for users.

What is Conditional Access? Conditional Access is a feature of Azure AD that enables organizations to define specific conditions for how users authenticate and gain access to applications and services. For more information, see the following resource: Conditional access in Azure Active Directory. Note, Conditional Access requires Azure AD Premium P1 or above. For more information, see Azure Active Directory pricing (Note, a 30-day trial is also available).

Scenario:
There are many ways Conditional Access can be used. In this blog post, a fictitious company, Contoso, would like to give their retail employees access to Microsoft Teams; however, they have requirements that must be met:

  • Retail employees are paid hourly and work at a company retail store. When the employee leaves work and is “off the clock”, they are not allowed to access Microsoft Teams.
  • When the employee leaves work, the app should not allow them to access data or services.
  • When the employee returns to work, the app should allow them to access all data and services within the app.
  • These requirements will apply to all platforms where an employee can access Microsoft Teams (smartphone app, Windows, Mac, web browser, etc.).

Based on these requirements and an understanding of the capabilities of Conditional Access, they came up with the following design and configuration:

Design notes:

  • All retail employees will be assigned to a security group titled Retail Staff. The Conditional Access policy will only be applied to employees that are a member of this security group.
  • The policy will only be applied to the Microsoft Teams app and will include all platforms (Android, iOS, Windows Phone, Windows, Mac OS, etc.).
  • The policy will apply to any location (IP address), but locations with trusted IPs will be excluded. Contoso will add their public IP subnet to the list of trusted IPs.
  • The policy will apply to browser, mobile apps, and desktop clients.
  • Sign-in risk will not be configured.
  • Access controls will be set to block. Require multi-factor authentication, device compliance, etc. will not be configured.
  • Session control will not be configured.
  • Employees will connect to a guest Wi-Fi network while in the store.

Let’s get started on how to deploy this design.

First, assign Azure Active Directory Premium P1 licenses to users:

As mentioned previously Azure AD Premium P1 is required. For this scenario, I’m going to assign the license to my retail employee Megan:


Note: You’ll see that I’m using AzureAD Premium P2, this is because I’m using a few additional features such as Privileged Identity Management and Identity Protection that I will blog about in the future.

Add employees to the Retail Employees security group:

Next, I will add Megan to the Retail Employees security group I created. This will make it easy to manage the Conditional Access policy and assign users later:


Launch the Azure Active Directory admin center:

Conditional Access is configured in the Azure Active Directory admin center. To launch this portal, on the left side of the Office 365 Admin Portal expand Admin centers and click Azure AD:

Note: A shortcut is to browse to aad.portal.azure.com


In the Azure Active Directory admin center, on the left side click Azure Active Directory:


Next, scroll down and find the Security category and click Conditional Access:


Create Conditional Access Policy:

Next, click Create Policy:


On the New blade, we will give the policy a name of Microsoft Teams for Retail Employees. Then click Users and Groups:


In the Users and groups blade, under the Include tab select the radio button for Select users and groups then click Select. On the Select blade, browse to the security group Retail Employees and place a check next to it. Then click the Select button at the bottom:

Note: If any employees should be exempt from the policy (i.e. the store manager) then the Exclude tab can be used.


On the Users and groups blade click Done:


On the New blade click Cloud apps:


On the Cloud apps blade, under the Include tab click the radio button for Select apps then click Select. On the Select blade, find Microsoft Teams, place a check mark next to it then click Select. On the Cloud Apps blade click Done:


Back on the New blade, click Conditions. On the Conditions blade click Device platforms. On the Device platforms blade click Yes and select All platforms (including unsupported). Then click Done:


On the Conditions blade, click Locations. Click Yes and on the Include tab click Any Location, then click the Exclude tab:


On the Exclude tab click the check box All trusted IPs then click the hyperlink Configure all trusted locations:


A new browser tab will launch, and you will be taken to the multi-factor authentication page. In the trusted IPs box, type the public IP subnet(s) of the retail store. In my example below, when the employee is in the retail store and connected to the guest Wi-Fi network, they will use a public IP in the subnet 70.92.0.0/14 to access Microsoft Teams in Office 365. Adding this subnet tells Conditional Access to exclude any authentication attempts coming from this subnet from the Conditional Access policy. Click Save at the bottom of the page and close the browser tab when finished:

Back in the Azure Active Directory admin center, click Done on the Locations blade:


On the Conditions blade click Client Apps. On the Client Apps blade click Yes. Click the radio button Select Client Apps and select Browser and Mobile apps and desktop clients. Then click Done. Then on the Conditions blade click Done.

Back on the New blade, under Access controls click Grant. On the Grant blade click the radio button for Block access then at the bottom click Select:


On the New blade click On to enable the policy then click Create to create the policy. Notice in the upper right corner a new toast notification will appear, indicating the policy is in the process of being enabled.
Close the Azure Active Directory admin center tab:
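The same policy as the design notes and portal steps above, built with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the group is named Retail Employees, and that the store subnet is the 70.92.0.0/14 used above. The trusted named location replaces the legacy MFA trusted IPs page; both are covered by the AllTrusted exclusion.

```powershell
# Added example (not from the original post). Creates the "Microsoft Teams for
# Retail Employees" Conditional Access policy from the design notes via Graph.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "Group.Read.All", "Application.Read.All"

# Resolve the group and the Teams application id instead of hard-coding GUIDs.
$group = Get-MgGroup -Filter "displayName eq 'Retail Employees'" | Select-Object -First 1
if (-not $group) { throw "Security group 'Retail Employees' not found" }
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'" | Select-Object -First 1
if (-not $teams) { throw "Microsoft Teams service principal not found" }

# Trusted named location for the store's public subnet (value from the post).
$location = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Contoso retail store guest Wi-Fi"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"
                         cidrAddress   = "70.92.0.0/14" })
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" `
    -Body ($location | ConvertTo-Json -Depth 5) -ContentType "application/json" | Out-Null

$policy = @{
    displayName = "Microsoft Teams for Retail Employees"
    # Report-only first: a block policy aimed at the wrong group locks people out
    # immediately. Review sign-in logs, then set state = "enabled" as the post does.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }           # Retail Employees only
        applications   = @{ includeApplications = @($teams.AppId) }  # Microsoft Teams only
        platforms      = @{ includePlatforms = @("all") }            # all platforms incl. unsupported
        locations      = @{ includeLocations = @("All")              # any location ...
                            excludeLocations = @("AllTrusted") }     # ... except trusted IPs/locations
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
"Created policy $($created.displayName) ($($created.id)) in state $($created.state)"
```

With the policy in report-only mode, the Azure AD sign-in logs show which store sign-ins would have been blocked, which is the quickest way to confirm the trusted subnet is correct before enforcing.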


Test Conditional Access while on-network:

Now that the policy has been configured and enabled, let’s test to see if the policy takes effect for a retail employee. I am going to connect an iPhone to the Wi-Fi network at the retail store, and launch the Microsoft Teams app.


I will be successfully authenticated and the app will load:


At this point, I can now use Microsoft Teams when on-network while connected to corporate guest Wi-Fi at the retail store. I will sign-out of the app when finished:


When accessing using a desktop web browser when on-network:


Test Conditional Access while off-network:

Next, I will turn off Wi-Fi on the iPhone so that I am connected to the cellular network to simulate leaving the retail store and disconnecting from the corporate guest Wi-Fi network.

IMPORTANT: The app will automatically re-authenticate every 60 minutes. So, if an employee leaves the store at 5pm, they may still have access to the app until 6pm, when it re-authenticates and the Conditional Access policy kicks in. At that point, when they open the app again, they will receive an error due to the policy. I’ll show that in just a moment.

While disconnected from the Wi-Fi network, I’m going to attempt to sign-in to the Microsoft Teams app:


Next, after tapping Sign in, I will be challenged to enter my password. So, I’ll type in my password and tap Sign in:


The Conditional Access policy will kick in, and I am presented with the following message. Notice I cannot proceed with sign in:


When testing from the desktop web browser when off network:


User experience when app times out after 60 minutes:

When the app re-authenticates I will be challenged with an authentication prompt to re-enter my credentials:


Conclusion: Conditional Access is an effective way to enable access to resources after specific conditions have been met. In this scenario, we saw how this can be used to enable a retail employee to use Microsoft Teams while at work, but then not be allowed to use it after work. If you have questions, comments, or feedback on this blog post please don’t hesitate to post in the comments below. My top priority is to ensure the post is accurate and meets the needs of my readers. Enjoy! –Matt Soseman

P.S. Stay tuned for an additional blog post on using Intune Mobile Application Management (MAM) with Microsoft Teams.

How Microsoft 365 Enables Me to Rebuild My PC over Lunch

Introduction: 

I often get asked by my co-workers how I am able to rebuild (refresh or “re-image”) my PC in under an hour, and complete what some would call a very daunting and time consuming task over a lunch hour. This can be whenever I purchase a new PC and need to get it connected to my company, or when I periodically rebuild my existing PC. In this blog post I will explain the process I go through and how Microsoft 365 (specifically Azure Active Directory, Office 365 and Windows 10) enables me to do this anywhere and anytime.

Note: This blog post applies to both purchasing a new PC, and for when re-installing Windows 10. For purposes of this blog, I will be re-installing Windows 10 Pro.

Important: In this post I will show you my experience when rebuilding; however, I will not explain technical concepts such as how Azure AD Join, Favorites Sync, BitLocker key storage in Azure AD, or other technologies work. I will save those deep dives for future blog posts (promise those are coming soon!)

Machine Specs: The machine I will be using is a laptop with 8GB RAM, a Core i5 processor, and a 256GB SSD, with a hard-wired Ethernet network connection.

High Level Summary of this Blog Post:

  • Install Windows 10 Pro
  • Choose “My Organization Owns this PC”
  • Authenticate and join PC to Azure Active Directory
  • Enable BitLocker
  • Install Office Pro Plus
  • Done!

Before we get started, it’s important I cover some key concepts of my work style:

  • Data Storage: All of my data is stored in Office 365 and not locally on my PC: files in OneDrive for Business, SharePoint team sites, Office 365 Groups, Yammer, etc. I prefer not to sync data locally to my PC and prefer to always access the “online” version. This helps me to avoid complexity in my setup and enables me to work in a predictable manner.
  • Office Apps: I prefer to use Outlook Web App for email, and Word, PowerPoint and Excel Online for productivity (web based). However, for more advanced tasks I will switch between the web app and the desktop version (e.g. large Excel spreadsheets or large PowerPoint presentations). This enables me to work in a more predictable manner and more efficiently.
  • Note: The one exception to this rule is Skype for Business, where I use both the mobile client for calls throughout the day, and the desktop client for meetings. Although with Microsoft Teams, my workflow is quickly changing to that application, using both the web version and the mobile client.
  • Keep it Stock: I prefer to use Microsoft Edge as my web browser. As for all other apps in the OS, I prefer to use what comes as the factory defaults and don’t have a need to install any 3rd party apps. Regarding corporate apps, I have a few Windows Store style apps I use, but the rest are all web based.
  • OS Customizations: While there are many personalizations I could make to Windows, I personally prefer (and discovered) I don’t need them to be productive.
  • Labs: I have an Office 365 tenant and an Azure tenant I use for my lab, which are all accessible via a web browser and PowerShell.
  • Other: In my job duties, I mostly use Microsoft Office, Office 365 web apps and other corporate web applications on a daily basis. I am also highly mobile, and am often productive using a variety of Office, Microsoft Teams, Skype for Business, OneDrive, Yammer, and other Microsoft applications on my smartphone.

Of course, there’s more to my story of how I choose to work, but these are the main concepts I follow. I may add more to this blog post over time to discuss my work style in more detail. If you want to know more, please ask below in the comments and I’ll add it to the post.

Step 1: Install Windows 10 Pro:

Using a Windows 10 Pro UEFI USB drive or stick (or .ISO on a Hyper-V Virtual Machine), boot the machine from USB and proceed with the on-screen instructions for the Windows Installer.


Click Next


Click Install Now


Type in the Product Key and click Next


If you accept the license terms click Next


Click Custom: Install Windows only (advanced)


Click New


Click Apply


Click OK


Click Next


The install process took about 7 minutes to complete, including the actual install of Windows.

Step 2: Out of Box Experience in Windows 10

After installing Windows 10, or purchasing a new PC that has Windows 10 pre-loaded, you will be presented with the “Out of Box Experience” or “OOBE” wizard. In Windows 10, Cortana is available to walk you through the process of configuring and customizing your PC. Once the PC is powered on, follow the instructions on screen:

Select your region and click Yes


Choose your keyboard layout and click Yes


Next, select a secondary keyboard layout or click Skip


Next, Windows will check for updates. If it discovers new updates it will automatically install and restart the computer:


Next after the PC has rebooted and the update process has completed, select Setup for an Organization and click Next:


On the Sign In with Microsoft screen, I will type my email address and click Next


It will then take me to the sign-in page for my company. Here I will type in my email address, password and click Sign In


My company requires multi-factor authentication; here I will click Sign in with your phone.


Using the phone authenticator app on my mobile device, I was prompted to authenticate and approve the request. Now, back on the laptop, I have authenticated and am presented with my privacy settings to customize. Click Accept when ready.


Due to policy, I am required to configure Windows Hello for Business and am required to configure a PIN for the device. Click Set up PIN


Enter a PIN and click OK


Once the PIN is created click Finish


After a few moments, you will be automatically signed into Windows.


Now, let’s validate that my machine was successfully joined to Azure Active Directory and that I am pulling policy. Browse to Settings -> Accounts -> Your Info and notice that my work email address and my corporate photo from Azure AD are visible, and that I have been granted local administrator rights.


Next, on the left side click Access work or school. Click the Info button


Take note of the last attempted sync. Exit Settings.


To show that I am pulling policy, I will click on the network icon in the system tray; notice that I am receiving the VPN profile for my company.


Within Microsoft Edge, notice my favorites are also synchronized:


Step 3: Enable BitLocker

I still need to enable BitLocker on my PC to safeguard it just in case it is lost or stolen. From Windows Explorer right click the hard disk and choose Turn on BitLocker.


Click Save to your cloud domain account then click Next


Keep the defaults and click Next


Keep the defaults and click Continue


A new toast notification will appear in the system tray. Reboot the PC.


After reboot notice on the sign in screen, my username/password are my Azure AD credentials (email address and Windows Hello PIN)


Once logged back in, BitLocker encryption will start:


Step 4: Install Office Pro Plus

Open Microsoft Edge and browse to www.portal.office.com and login:


In the upper right corner, click the gear icon and click Office 365 under Your app settings:


Click Install Software:


Accept the defaults (32-bit) and click Install:


Click Run when prompted to run the installer:


The installer will execute – this process will take ~10-15 minutes (or longer) depending on network bandwidth available.

Important: Depending upon the Office 365 license SKU you subscribe to (e.g. E5), your users could be entitled to installation rights for Office Pro Plus on their PC, Mac and mobile devices.


Once the installer has completed click Close


Step 5: Windows Updates and Office Updates

At this point, ~35 minutes have passed. I am technically all set up and can begin working normally. However, I may want to go ahead and run through Windows Updates and Office Updates (which could take some time) or let the system automatically update based on the schedule I have configured.

Conclusion:

As you can see, this complete rebuild was done in under an hour, and it was possible thanks to the power of Microsoft 365 and a little bit of a paradigm shift in my work style (i.e. storing files in the cloud, not customizing the OS, etc.). Enjoy!