Do you have a bunch of Windows 10 Pro devices and would like to upgrade them to Windows 10 Enterprise? Microsoft 365 (specifically Microsoft Intune) can help you!
Note: For more information please reference Deploy Windows 10 Enterprise licenses. The following is an example of how to do this with Intune (assuming appropriate licenses have been purchased and assigned).
First, create a Microsoft Intune configuration policy. In the Azure Portal navigate to Microsoft Intune -> Device Configuration -> Profiles. Click Create Profile
Next, create a new Windows 10 and later profile, with a type of Edition Upgrade. Click Settings
Click Edition Upgrade
In the field Edition to upgrade to select Windows 10 Enterprise. In the Product Key field type in the product key (e.g. a MAK). Then click OK
Click OK to save the Edition Upgrade. Click OK again then click Create
Next, click Assignments. In the Assign to menu select All Users & Devices, then click Save
Note: Your assignments may be different per your organization’s requirements. This is only an example. You could also assign only the machines in question, or use a dynamic security group that queries on the device serial number, etc.
On a virtual machine with Windows 10 1803, install Windows 10 Pro:
Note: I’m showing you this, to demonstrate the upgrade. Ideally you would sign in as an Organizational Account in the OOBE when installing Windows. However, if I did that here, you wouldn’t see that I’m coming from Pro 🙂
Notice it’s Windows 10 Pro:
Join the machine to Azure AD to receive the Intune policy:
Reboot the machine and sign in with the user’s Azure AD credentials. Once signed in, open System Information and notice that Windows has been upgraded to Enterprise!
This can be verified in the Intune portal under Device Status for the configuration policy that was previously created:
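As an added local check to complement System Information and the Intune Device Status view, the following PowerShell reports the installed edition, the licensing state of the Windows product, and the Azure AD join state that policy delivery depends on. This is example code written for this post’s scenario, not code from the original post or from Microsoft; it assumes an elevated prompt on the upgraded device, and the SKU values 4 (Enterprise) and 48 (Professional) are the documented Win32_OperatingSystem values.

```powershell
# Added example: confirm on the device that the Intune Edition Upgrade took effect.
# Run from an elevated PowerShell prompt on the Windows 10 device.

function Get-EditionUpgradeStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Licensing state of the Windows product itself (LicenseStatus 1 = Licensed).
    # The Description names the activation channel, e.g. VOLUME_MAK or VOLUME_KMSCLIENT.
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" | Select-Object -First 1
    $licenseStatus = if ($lic -and $lic.LicenseStatus -eq 1) { 'Licensed' } else { "Status $($lic.LicenseStatus)" }

    # Azure AD join state as reported by dsregcmd; the Intune profile is only
    # delivered once the device is joined and enrolled.
    $dsreg = (dsregcmd /status) -join "`n"
    $m = [regex]::Match($dsreg, 'AzureAdJoined\s*:\s*(\w+)')
    $aadJoined = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }

    [pscustomobject]@{
        Edition            = $os.Caption               # e.g. "Microsoft Windows 10 Enterprise"
        OperatingSystemSKU = $os.OperatingSystemSKU    # 4 = Enterprise, 48 = Professional
        IsEnterprise       = ($os.OperatingSystemSKU -eq 4)
        LicenseStatus      = $licenseStatus
        Channel            = $lic.Description
        AzureAdJoined      = $aadJoined
    }
}

$status = Get-EditionUpgradeStatus
$status | Format-List

if (-not $status.IsEnterprise) {
    Write-Warning 'Device is still not Windows 10 Enterprise. Check Device Status on the Edition Upgrade profile in Intune and sync the device from Settings > Accounts > Access work or school.'
}
elseif ($status.LicenseStatus -ne 'Licensed') {
    Write-Warning 'Edition changed but Windows is not activated; verify the product key entered in the profile.'
}
```

The two warnings separate the two failure modes a practitioner actually meets: the profile never reached the device (edition unchanged) versus the profile applied but the key did not activate (edition changed, not licensed).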
I hope you found this helpful. Questions? Please let me know in the comments below! Enjoy!
In this blog post I will discuss how to use Conditional Access in Azure Active Directory (Azure AD) to restrict how Microsoft Teams is accessed by employees. This blog post will cover how to configure Conditional Access, and what the experience is like for users.
What is Conditional Access? Conditional Access is a feature of Azure AD that enables organizations to define specific conditions for how users authenticate and gain access to applications and services. For more information, see the following resource Conditional access in Azure Active Directory. Note, Conditional Access requires Azure AD Premium P1 or above. For more information, see Azure Active Directory pricing (Note, a 30 day trial is also available).
There are many ways Conditional Access can be used. In this blog post, a fictitious company, Contoso, would like to give their retail employees access to Microsoft Teams; however, they have requirements that must be met:
- Retail employees are paid hourly and work at a company retail store. When the employee leaves work and is “off the clock”, they are not allowed to access Microsoft Teams.
- When the employee leaves work, the app should not allow them to access data or services.
- When the employee returns to work, the app should allow them to access all data and services within the app.
- These requirements will apply to all platforms where an employee can access Microsoft Teams (smartphone app, Windows, Mac, web browser, etc.).
Based on these requirements and an understanding of the capabilities of Conditional Access, they came up with the following design and configuration:
- All retail employees will be assigned to a security group titled Retail Staff. The Conditional Access policy will only be applied to employees that are a member of this security group.
- The policy will only be applied to the Microsoft Teams app and will include all platforms (Android, iOS, Windows Phone, Windows, Mac OS, etc.).
- The policy will apply to any location (IP address), but locations with trusted IPs will be excluded. Contoso will add their public IP subnet to the list of trusted IPs.
- The policy will apply to browser, mobile apps, and desktop clients.
- Sign in risk will not be configured.
- Access controls will be set to block. Requiring multi-factor authentication, device compliance, etc. will not be configured.
- Session control will not be configured.
- Employees will connect to a guest Wi-Fi network while in the store.
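To make the decision logic of this design concrete before clicking through the portal, here is an added PowerShell model of the policy. It is example code written for this post, not content from the original post, and it is not how Azure AD itself evaluates policy; it simply mirrors the rules listed above. It uses the post’s example trusted subnet, and the group membership, user names, and other IP addresses are constructed sample data.

```powershell
# Added example: a local model of the Contoso Conditional Access design above.
# Not Azure AD's evaluation engine; it only mirrors the design rules.

# Trusted IPs as entered on the multi-factor authentication page (the post's example subnet).
$TrustedIPs = @('126.96.36.199/14')

# Members of the security group the policy is scoped to (constructed sample data).
$RetailEmployees = @('megan@contoso.com', 'alex@contoso.com')

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $prefix   = [int]$prefix
    $ipBytes  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    # Compare octet by octet under the prefix mask, avoiding 32-bit sign issues.
    for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        if ($bits -eq 0) { break }
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($ipBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
    }
    return $true
}

function Test-RetailTeamsPolicy {
    param([pscustomobject]$SignIn)
    # Assignments: only members of Retail Employees, only the Teams cloud app,
    # all device platforms, browser plus mobile apps and desktop clients.
    if ($RetailEmployees -notcontains $SignIn.User) { return 'Allow (user not in policy scope)' }
    if ($SignIn.App -ne 'Microsoft Teams')          { return 'Allow (app not in policy scope)' }
    if ($SignIn.ClientApp -notin @('Browser', 'Mobile apps and desktop clients')) {
        return 'Allow (client app not in policy scope)'
    }
    # Locations: Any location included, All trusted IPs excluded.
    foreach ($cidr in $TrustedIPs) {
        if (Test-IPInCidr -IPAddress $SignIn.IP -Cidr $cidr) { return 'Allow (trusted location excluded)' }
    }
    # Access control: Block access.
    return 'Block'
}

# Constructed sign-in events: in-store guest Wi-Fi vs. cellular, plus out-of-scope cases.
$sampleSignIns = @(
    [pscustomobject]@{ User='megan@contoso.com';   App='Microsoft Teams'; ClientApp='Mobile apps and desktop clients'; IP='126.96.36.199' }
    [pscustomobject]@{ User='megan@contoso.com';   App='Microsoft Teams'; ClientApp='Mobile apps and desktop clients'; IP='203.0.113.10' }
    [pscustomobject]@{ User='megan@contoso.com';   App='Microsoft Teams'; ClientApp='Browser';                         IP='198.51.100.7' }
    [pscustomobject]@{ User='megan@contoso.com';   App='Exchange Online'; ClientApp='Browser';                         IP='198.51.100.7' }
    [pscustomobject]@{ User='manager@contoso.com'; App='Microsoft Teams'; ClientApp='Browser';                         IP='198.51.100.7' }
)

$sampleSignIns | ForEach-Object {
    [pscustomobject]@{ User = $_.User; App = $_.App; IP = $_.IP; Decision = (Test-RetailTeamsPolicy -SignIn $_) }
} | Format-Table -AutoSize
```

Running it shows Megan allowed from the in-store subnet and blocked from the cellular addresses, while the manager (not in the group) and Exchange Online (not the assigned app) are untouched. The client-app check also makes one design consequence visible: a sign-in that is neither a browser nor a mobile/desktop client falls outside the policy as configured, so anything Contoso wants covered has to match one of the selected client app types.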
Let’s get started on how to deploy this design.
First, assign Azure Active Directory Premium P1 licenses to users:
As mentioned previously Azure AD Premium P1 is required. For this scenario, I’m going to assign the license to my retail employee Megan:
Note: You’ll see that I’m using AzureAD Premium P2, this is because I’m using a few additional features such as Privileged Identity Management and Identity Protection that I will blog about in the future.
Add employees to the Retail Employees security group:
Next, I will add Megan to the Retail Employees security group I created. This will make it easy to manage the Conditional Access policy and assign users later:
Launch the Azure Active Directory admin center:
Conditional Access is configured in the Azure Active Directory admin center. To launch this portal, on the left side of the Office 365 Admin Portal expand Admin centers and click Azure AD:
Note: A shortcut is to browse to aad.portal.azure.com
In the Azure Active Directory admin center, on the left side click Azure Active Directory:
Next, scroll down and find the Security category and click Conditional Access:
Create Conditional Access Policy:
Next, click Create Policy:
On the New blade, we will give the policy a name of Microsoft Teams for Retail Employees. Then click Users and Groups:
In the Users and groups blade, under the Include tab select the radio button for Select users and groups then click Select. On the Select blade, browse to the security group Retail Employees and place a check next to it. Then click the Select button at the bottom:
Note: If any employees should be exempt from the policy (e.g. the store manager) then the Exclude tab can be used.
On the Users and groups blade click Done:
On the New blade click Cloud apps:
On the Cloud apps blade, under the Include tab click the radio button for Select apps then click Select. On the Select blade, find Microsoft Teams, place a check mark next to it then click Select. On the Cloud Apps blade click Done:
Back on the New blade, click Conditions. On the Conditions blade click Device platforms. On the Device platforms blade click Yes and select All platforms (including unsupported). Then click Done:
On the Conditions blade, click Locations. Click Yes and on the Include tab click Any Location then click the Exclude tab:
On the Exclude tab click the check box All trusted IPs then click the hyperlink Configure all trusted locations:
A new browser tab will launch, and you will be taken to the multi-factor authentication page. In the Trusted IPs box, type the public IP subnet(s) of the retail store. In my example below, when the employee is in the retail store and connected to the guest Wi-Fi network, they will use a public IP in the subnet 126.96.36.199/14 to access Microsoft Teams in Office 365. Adding this subnet tells Conditional Access to exclude any authentication attempts coming from it from the Conditional Access policy. Click Save at the bottom of the page and close the browser tab when finished:
Back in the Azure Active Directory admin center, click Done on the Locations blade:
On the Conditions blade click Client Apps. On the Client Apps blade click Yes. Click the radio button Select Client Apps and select Browser and Mobile apps and desktop clients. Then click Done. Then on the Conditions blade click Done.
Back on the New blade, under Access controls click Grant. On the Grant blade click the radio button for Block access then at the bottom click Select:
On the New blade click On to enable the policy then click Create to create the policy. Notice in the upper right corner a new toast notification will appear, indicating the policy is in the process of being enabled.
Close the Azure Active Directory admin center tab:
Test Conditional Access while on-network:
Now that the policy has been configured and enabled, let’s test to see if the policy takes effect for a retail employee. I am going to connect an iPhone to the Wi-Fi network at the retail store, and launch the Microsoft Teams app.
I will be successfully authenticated and the app will load:
At this point, I can use Microsoft Teams when on-network, connected to the corporate guest Wi-Fi at the retail store. I will sign out of the app when finished:
Accessing from a desktop web browser while on-network:
Test Conditional Access while off-network:
Next, I will turn off Wi-Fi on the iPhone so that I am connected to the cellular network to simulate leaving the retail store and disconnecting from the corporate guest Wi-Fi network.
IMPORTANT: The app will automatically re-authenticate every 60 minutes. So, if an employee leaves the store at 5pm, they may still have access to the app until 6pm, when it re-authenticates and the Conditional Access policy kicks in. At that point, when they open the app again, they will receive an error due to the policy. I’ll show that in just a moment.
While disconnected from the Wi-Fi network, I’m going to attempt to sign in to the Microsoft Teams app:
Next, after tapping Sign in, I will be challenged to enter my password. So, I’ll type in my password and tap Sign in
The Conditional Access policy will kick in, and I am presented with the following message. Notice I cannot proceed with sign in:
Testing from the desktop web browser while off-network:
User experience when app times out after 60 minutes:
When the app re-authenticates I will be challenged with an authentication prompt to re-enter my credentials:
Conclusion: Conditional Access is an effective way to enable access to resources after specific conditions have been met. In this scenario, we saw how this can be used to enable a retail employee to use Microsoft Teams while at work, but then not be allowed to use it after work. If you have questions, comments, or feedback on this blog post please don’t hesitate to post in the comments below. My top priority is to ensure the post is accurate and meets the needs of my readers. Enjoy! –Matt Soseman
P.S. Stay tuned for an additional blog post on using Intune Mobile Application Management (MAM) with Microsoft Teams.
I often get asked by my co-workers how I am able to rebuild (refresh or “re-image”) my PC in under an hour, and complete what some would call a very daunting and time consuming task over a lunch hour. This can be whenever I purchase a new PC and need to get it connected to my company, or when I periodically rebuild my existing PC. In this blog post I will explain the process I go through and how Microsoft 365 (specifically Azure Active Directory, Office 365 and Windows 10) enables me to do this anywhere and anytime.
Note: This blog post applies to both purchasing a new PC, and for when re-installing Windows 10. For purposes of this blog, I will be re-installing Windows 10 Pro.
Important: In this post I will show you my experience when rebuilding; however, I will not explain technical concepts such as how Azure AD Join, Favorites Sync, BitLocker key storage in Azure AD, or other technologies work. I will save those deep dives for future blog posts (promise those are coming soon!)
Machine Specs: The machine I will be using is a laptop with 8GB RAM, a Core i5 processor, a 256GB SSD, and a hard wired ethernet network connection.
High Level Summary of this Blog Post:
- Install Windows 10 Pro
- Choose “My Organization Owns this PC”
- Authenticate and join PC to Azure Active Directory
- Enable BitLocker
- Install Office Pro Plus
Before we get started, it’s important I cover some key concepts of my work style:
- Data Storage: All of my data is stored in Office 365 and not locally on my PC: files in OneDrive for Business, SharePoint team sites, Office 365 Groups, Yammer, etc. I prefer not to sync data locally to my PC and prefer to always access the “online” version. This helps me avoid complexity in my setup and enables me to work in a predictable manner.
- Office Apps: I prefer to use Outlook Web App for email, and Word, PowerPoint and Excel Online for productivity (web based). However, for more advanced tasks (e.g. large Excel spreadsheets or large PowerPoint presentations) I will switch between the web app and the desktop version. This enables me to work in a more predictable manner and more efficiently.
- Note: The one exception to this rule is Skype for Business, where I use both the mobile client for calls throughout the day, and the desktop client for meetings. Although with Microsoft Teams, my workflow is quickly changing to that application using both the web version and the mobile client.
- Keep it Stock: I prefer to use Microsoft Edge as my web browser. As for all other apps in the OS, I prefer to use what comes as the factory defaults and don’t have a need to install any 3rd party apps. Regarding corporate apps I have a few Windows Store style apps I use, but the rest are all web based.
- OS Customizations: While there are many personalizations I can make to Windows, I personally prefer (and have discovered) that I don’t need them to be productive.
- Labs: I have an Office 365 tenant and an Azure tenant I use for my lab, which are all accessible via a web browser and PowerShell.
- Other: In my job duties, I mostly use Microsoft Office, Office 365 web apps and other corporate web applications on a daily basis. I am also highly mobile, and am often productive using a variety of Office, Microsoft Teams, Skype for Business, OneDrive, Yammer, and other Microsoft applications on my smartphone.
Of course, there’s more to my story of how I choose to work, but these are the main concepts I follow. I may add more to this blog post over time to discuss my work style in more detail. If you want to know more, please ask below in the comments and I’ll add it to the post.
Step 1: Install Windows 10 Pro:
Using a Windows 10 Pro UEFI USB drive or stick (or .ISO on a Hyper-V Virtual Machine), boot the machine from USB and proceed with the on-screen instructions for the Windows Installer.
Click Install Now
Type in the Product Key and click Next
If you accept the license terms click Next
Click Custom: Install Windows only (advanced)
The install process took about 7 minutes to complete, including the actual install of Windows.
Step 2: Out of Box Experience in Windows 10
After installing Windows 10, or purchasing a new PC that has Windows 10 pre-loaded, you will be presented with the “Out of Box Experience” or “OOBE” wizard. In Windows 10, Cortana is available to walk you through the process of configuring and customizing your PC. Once the PC is powered on, follow the instructions on screen:
Select your region and click Yes
Choose your keyboard layout and click Yes
Next, select a secondary keyboard layout or click Skip
Next, Windows will check for updates. If it discovers new updates it will automatically install and restart the computer:
Next after the PC has rebooted and the update process has completed, select Setup for an Organization and click Next:
On the Sign In with Microsoft screen, I will type my email address and click Next
It will then take me to the sign-in page for my company. Here I will type in my email address, password and click Sign In
My company requires Multifactor Authentication, here I will click Sign in with your phone
Using the phone authenticator app on my mobile device, I was prompted to authenticate and approve the request. Now, back on the laptop, I have authenticated and am presented with the privacy settings to customize. Click Accept when ready.
Due to policy, I am required to configure Windows Hello for Business and am required to configure a PIN for the device. Click Set up PIN
Enter a PIN and click OK
Once the PIN is created click Finish
After a few moments, you will be automatically signed into Windows.
Now, let’s validate that my machine was successfully joined to Azure Active Directory and that I am pulling policy. Browse to Settings -> Accounts -> Your Info and notice that my work email address and my corporate photo from Azure AD are visible, and that I have been granted local administrator rights.
Next, on the left side click Access work or school. Click the Info button
Take note of the last attempted sync. Exit Settings.
To show that I am pulling policy, I will click on the network icon in the system tray; notice that I am pulling the VPN profile for my company.
Within Microsoft Edge, notice my favorites are also synchronized:
Step 3: Enable BitLocker
I still need to enable BitLocker on my PC to safeguard it just in case it is lost or stolen. From Windows Explorer right click the hard disk and choose Turn on BitLocker
Click Save to your cloud domain account then click Next
Keep the defaults and click Next
Keep the defaults and click Continue
A new toast notification will appear in the system tray. Reboot the PC.
After reboot notice on the sign in screen, my username/password are my Azure AD credentials (email address and Windows Hello PIN)
Once logged back in, BitLocker encryption will start:
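As an added check after this step, the following PowerShell confirms that the OS drive is protected and that the recovery key was actually saved to the cloud domain account (Azure AD), which is the part of the procedure that is easy to click past and hard to notice missing until the day the key is needed. This is example code written for this post, not the original post’s content; it assumes an elevated prompt on the rebuilt device and that the BitLocker Management event log records a successful Azure AD backup as event 845 and a failed one as event 846.

```powershell
# Added example: confirm BitLocker protection and recovery-key escrow after the rebuild.
# Run from an elevated PowerShell prompt once the OS drive starts encrypting.

function Get-BitLockerRebuildStatus {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Event 845 in the BitLocker Management log records a successful backup of the
    # recovery information to Azure AD (846 is the corresponding failure event).
    $escrowEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastEscrow = if ($escrowEvent) { $escrowEvent.TimeCreated } else { $null }

    [pscustomobject]@{
        MountPoint           = $MountPoint
        VolumeStatus         = $vol.VolumeStatus        # EncryptionInProgress, then FullyEncrypted
        ProtectionStatus     = $vol.ProtectionStatus    # On once protectors are active
        EncryptionPercentage = $vol.EncryptionPercentage
        RecoveryProtectors   = $recovery.Count
        EscrowedToAzureAD    = [bool]$escrowEvent
        LastEscrowTime       = $lastEscrow
    }
}

function Backup-RecoveryKeyToAzureAD {
    # Re-run the escrow for each recovery password protector; useful if the
    # "Save to your cloud domain account" step was skipped or the event is missing.
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

$status = Get-BitLockerRebuildStatus
$status | Format-List

if ($status.RecoveryProtectors -eq 0) {
    Write-Warning 'No recovery password protector on the OS drive; BitLocker may not be enabled yet.'
}
elseif (-not $status.EscrowedToAzureAD) {
    Write-Warning 'No Azure AD escrow event found; run Backup-RecoveryKeyToAzureAD, then check the device in Azure AD.'
}
```

The escrow event is the local evidence; the authoritative confirmation is the BitLocker recovery key showing on the device object in Azure AD, which is where you would look for it if the laptop were lost.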
Step 4: Install Office Pro Plus
Open Microsoft Edge and browse to www.portal.office.com and login:
In the upper right corner, click the gear icon and click Office 365 under Your app settings:
Click Install Software:
Accept the defaults (32-bit) and click Install:
Click Run when prompted to run the installer:
The installer will execute – this process will take ~10-15 minutes (or longer) depending on network bandwidth available.
Important: Depending upon the Office 365 license SKU you subscribe to (e.g. E5), your users could be entitled to installation rights for Office Pro Plus on their PC, Mac and mobile devices.
Once the installer has completed click Close
Step 5: Windows Updates and Office Updates
At this point, ~35 minutes have passed. I am technically all set up and can begin working normally. However, I may want to go ahead and run through Windows Updates and Office Updates (which could take some time), or let the system automatically update based on the schedule I have configured.
As you can see, this complete rebuild was done in under an hour, made possible by the power of Microsoft 365 and a bit of a paradigm shift in my work style (e.g. storing files in the cloud, not customizing the OS, etc.). Enjoy!