Selective Wipe is not working on Azure AD Joined device

In our business I frequently get the question why it is not possible to do a selective wipe on Azure AD Joined devices. For many of my customers this is an issue, because a Windows 10 Mobile device becomes Azure AD Joined as soon as a work account is added to it. Let me describe the case.

Azure AD Join and MDM auto enrollment are enabled with Intune and Azure AD Premium. When a Windows 10 Mobile device is started for the first time (OOBE) it is possible to “Sign in with a work account” to join Azure AD and auto enroll in Intune (https://technet.microsoft.com/nl-nl/itpro/windows/manage/join-windows-10-mobile-to-azure-active-directory#how-to-join-windows-10-mobile-to-azure-ad). When a Windows Mobile device is configured this way, Single Sign On works for Mail, Calendar, Edge and the Business Store, which is great. But when the Selective Wipe option is initiated from Intune it does nothing with the MDM registered device. Only a Full Wipe works.

On a personal device the behavior is the same when a work/school account is added (Settings > Accounts > Your email and accounts > Add work or school account).

When first registering a device in Intune (Settings > Accounts > Work Access > Enroll into Device Management) and then adding a Work/School account, it is possible to do a selective wipe. In this scenario, however, Single Sign On for Mail, Calendar and the Business Store doesn’t work.

The picture above shows the message when initiating a retire/wipe of a device.

This issue is by design, I know, however multiple customers would like a great user experience (Single Sign On) combined with management capabilities such as Selective Wipe. It would be very nice to add the possibility to do a selective wipe on Azure AD Joined devices. Many of our customers ask for this feature, because when a personal device is enrolled a full wipe is currently necessary to unenroll the device from Intune.

Please vote up the User Voice Request –
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/15931216-selective-wipe-for-azure-ad-joined-devices

Cloud App Security integration with Azure Information Protection

Last October I wrote a blog post about Azure Information Protection and how to set it up. With Azure Information Protection we can secure documents. But if we have a document that is labeled with a secure or confidential label, we may not want the user to share it outside the company. The question is: can we detect this and possibly undo it? The answer is YES we CAN.

In November there was an update of Azure Information Protection and Cloud App Security that added integration between the two. These two solutions are combined to “Extend control over your data to the cloud”. The announcement for this update was done by Dan Plastina in this blog. With the integration of Cloud App Security and Azure Information Protection it is now possible to secure your data when it leaves the company. In this blog post I will guide you through the configuration and show you the results of this integration.

The situation is as follows: a user creates a secure document, protected by Azure Information Protection, and shares it externally through a link. In this way there is no control over who has access to this document. Cloud App Security will disable this shared document, put it in quarantine and send a message to the owner of the document.

Cloud App Security configuration

First we have to set up the Cloud App Security environment to get the information from Office 365, OneDrive and SharePoint Online. Go to the portal of Cloud App Security via https://portal.cloudappsecurity.com and log on with a user that has the appropriate rights to configure the environment. After logging on to the portal the following dashboard is shown.

Under the tab “Investigate” we can add another app. The overview of connected apps shows the currently connected applications. You can see that OneDrive and SharePoint are connected. In this case we will use OneDrive to create and share a document.

We will now have to enable the integration of Azure Information Protection with Cloud App Security. This can be done by going to the settings menu and selecting General Settings.

In the Azure security connectors section we enable the option “Automatically scan new files for Azure Information Protection classification labels”. This makes Cloud App Security scan all files for Information Protection classification labels.

After enabling the integration we can create policies. We have created a new policy that checks documents with a specific Azure Information Protection label. To do this, go to “Control” and select “Policies”. There we were able to create a new File Policy. We gave this policy the name “Files Shared – Block”. In this policy we create a filter based on two rules. The first rule is “Access level” equals “Public, Public (Internet) and External”. The second rule is “Classification Label” equals “Secure Inovativ – Very Secure”.

When a file matches both rules, what action must Cloud App Security take? This is the second part of the policy. We configured the same settings for both OneDrive and SharePoint:

  • Send policy match digest to file owner (a mail message will be sent to the owner)
  • Remove External Users (All shared members will be removed)
  • Put in user quarantine (the document will be moved to a quarantine folder)

User in action

Let’s see this in action.

We’ve logged in with a user named “Donald Duck” and opened Microsoft Word 2016 to create a new document. This document gets the label “Secure Inovativ – Very Secure”. This label only applies some visual markings; no Rights Management template is attached.

After the creation of the document we save it to OneDrive for Business with the name “This Secure Document”.

The document is not shared yet, so we share the document and create a link that we can distribute to any recipient.

The document is now marked as shared in OneDrive.

After some time we received a mail message that says there is a Security notification from Cloud App Security. There is a document called “This secure Document.docx” that is blocked by a policy called “Files Shared – Block”.

When we look in OneDrive, a placeholder has been created for the document that says the document is in quarantine.

When opening the quarantine folder the document appears, but with an ID in front of the document name. Cloud App Security has placed the document in quarantine so the owner (me) can take action. The sharing link has also been removed from this document, so external users can’t access the document anymore.

Admin in Action

When logging in to the Cloud App Security Portal as an Admin we can see the status of the files we used in OneDrive. To do so, go to “Investigate” and select “Files”.

In this overview we see that there are some markers on the file we created and shared publicly.

When clicking the document we can see that it is labeled with an Azure Information Protection label, that it matches a policy (red marker) and that it is in quarantine (grey marker).

For further investigation we open the policy “Files Shared – Block”. When opening the policy, the first tab shows all files that currently match. Here we can see that our document matches this rule and that it has been put in quarantine.

When looking at the second tab, called “History”, we see that our document was matched with this policy and some minutes later it was unmatched. This is because Cloud App Security removes the public shared link, and because of this the file no longer matches the policy. This only applies to the quarantined file.

In the picture above we can see that three actions were taken. When clicking on the actions we can see that all actions defined in the policy were taken.

The three actions were: send a mail to the owner, put the file in quarantine and remove the sharing options.

Conclusion

In this blog post I have shown you how the integration between Cloud App Security and Azure Information Protection can be used to secure your data when it is shared externally. There are many ways to use Cloud App Security, with or without Azure Information Protection, to secure your environment, but this integration can help your organization to secure your data after it has been shared.

See you next time.

Sources

https://docs.microsoft.com/en-us/cloud-app-security/azip-integration

https://blogs.technet.microsoft.com/enterprisemobility/2016/11/07/azure-information-protection-and-cloud-app-security-integration-extend-control-over-your-data-to-the-cloud/

First Experience with Azure Information Protection

Last week I had the pleasure of gaining some experience with Azure Information Protection (Azure IP). Azure IP is now in Public Preview, as Dan Plastina announced in his blog. Azure IP is based on two technologies: Azure Rights Management Service (Azure RMS) and the acquisition of Secure Islands. With the acquisition of Secure Islands it is now possible to work with classification labels. By combining these two technologies in Azure IP, Microsoft is doing a great job because the user experience is much better. So how can we set up and use Azure Information Protection?

Requirements

Before we start configuring Azure Information Protection there are some requirements.

  • A cloud subscription that includes Azure RMS
  • Azure AD directory
  • Client devices (with minimum .NET Framework version 4.6.5)
    • Windows 10 (x86, x64)
    • Windows 8.1 (x86, x64)
    • Windows 8 (x86, x64)
    • Windows 7 Service Pack 1 (x86, x64)
  • Applications in the following Office Suites support labeling (Word, Excel, PowerPoint and Outlook)
    • Office 2016
    • Office 2013 with Service Pack 1
    • Office 2010

More information can be found on the Microsoft site.

Configuring Azure Rights Management

First we have to configure Azure RMS with the right templates. These templates can be used in Azure Information Protection. Go to the old Azure AD Portal and select Active Directory; then Rights Management can be opened to configure the templates. I’ve created a few templates for different usage. These templates will be used later on.

RMS Templates

Configuring Azure Information Protection

In the Azure Portal the option for Azure Information Protection can be added. When this has been done it can be configured. The first view shows an overview of all classification labels. These labels can be enabled, disabled, edited or deleted. On this page it is also possible to require that all documents have a label, to set the default classification label, and to require a justification when lowering the classification label.

Azure IP Config

When creating or editing a classification label the label can be enabled. A name must be provided and a tooltip can be provided. On this page a visual marking can also be enabled: a header, footer or watermark can be configured.

Azure IP Templates 1

In the classification label an Azure RMS or AD RMS template can be used. This RMS template will be applied when the Classification Label is selected.

Azure IP Templates 2

Automatic classification rules can be created.

Azure IP Templates 3

The classification label can be applied automatically or it can be recommended to the user.

Azure IP Templates 4

After this setup the Classification Labels in Azure Information Protection can be used on the clients. So let’s see how we can use this.

User Experience

First install the Azure Information Protection software. This can be downloaded here. Download and start the installation. The installation is really straightforward: install, next and finish.

Azure IP Software 1, Azure IP Software 2, Azure IP Software 3

After this we can open Word, for example. When we open it we see a new toolbar appearing under the Ribbon.

Azure IP Usage 1

In this toolbar it is possible to classify the document. By default the document is classified as “Personal” and can be shared with everyone.

Financial information can also be detected. When financial information is in the document and the document is saved, a new classification label, and thus a watermark, is applied.

Azure IP Usage 2

When lowering the classification label a window appears in which a reason must be given.

Azure IP Usage 3

Licensing

Azure Information Protection licenses will be available in Q4 of 2016. There will be a standalone license, and Azure IP will also be part of the Enterprise Mobility Suite (EMS). Azure IP is available in two licenses, namely P1 and P2. P1 is the Azure RMS license as we know it today plus manual classification and labeling from the acquisition of Secure Islands; P2 is everything covered in the P1 license plus automatic classification and labeling.

Azure IP license

The Enterprise Mobility Suite is also divided in two separate licenses. The EMS E3 license is the current EMS license as we know it today. The EMS E5 license will be the current EMS license with some new additions for security.

Conclusion

In this post I gave an overview of Azure Information Protection. Microsoft has done a great job by integrating Azure RMS and the technology of Secure Islands with each other in Azure IP. With this new product documents can be secured against unauthorized access, and that with a great user experience. It’s really easy to change the classification of documents. In the near future this technology will be adopted more and more, so be prepared.

Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)

In an Intune / SCCM hybrid configuration with certificate deployment based on the Network Device Enrollment Service (NDES) there are some issues. Installing the NDES environment can be done according to the blog of Pieter Wigleven. After this setup the deployment of the certificates did not work entirely. The configuration looked correct, but no certificates were deployed to the mobile devices. To troubleshoot this we set up a Windows 10 desktop and did an MDM enrollment with the Intune / SCCM environment. Why enroll a desktop with MDM? Because for troubleshooting we have more options to find errors, settings and logs in the event viewer, registry and more.

On the Windows 10 desktop we received an error in the event viewer: “SCEP: Certificate enroll failed. Result: (The hash value is not correct).”

After this error we went through the configuration from front to end, starting with the configuration in SCCM. We have added a Root CA for deployment. This one is deployed to the clients correctly. When opening it in SCCM we see a Certificate Thumbprint; keep this in mind.

We also added a SCEP profile, and within this SCEP profile we selected the created Root CA.

After these steps we tried to deploy these certificates to the device. The Root CA was deployed correctly, but the SCEP certificate was not created on the device. What we see is an error on the device: Event ID 32 gives the error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).”

On the Windows client we dive into the registry to find the settings that are applied for NDES. We open the registry and find the following key for the NDES policy: “HKCU\SOFTWARE\Microsoft\SCEP\MS DM Server\ModelName_ScopeID_ID_ConfigurationPolicy_ID\Install”.

In this registry key the values for the NDES server, Root CA Thumbprint and more are displayed. We see that the Root CA Thumbprint does not match the one of the Root Certificate that is deployed with the Certificate Profile in SCCM. This Root CA Thumbprint comes from the NDES Server. When looking into the Policy Module installation on the NDES server we discover the same thumbprint as on the client.

In this configuration we had two different Root Certificates, and we had used the wrong one when installing the SCCM NDES Policy Module. To update the Root Certificate in the Policy Module we uninstalled the SCCM Policy Module for NDES on the NDES Server and reinstalled it with the correct settings.

After re-enrolling a mobile device there is another error on the client. Event ID 32 with error “SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code 0x87d00905).” appears.

At the same time the NDES Server logged Event ID 29 with the error “The password in the certificate request can not be verified. It may have been used already. Obtain a new password to submit with this request.”.

After searching for a while we found a solution for this issue. It is related to the settings on the NDES server: a value in the registry is not updated.

In the registry key HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy the string value NDESCertThumbprint has not been updated automatically. This has to be done manually. After setting the correct thumbprint and resetting the IIS service the certificate deployment works correctly. Now it’s possible to request a certificate from a mobile device. This certificate can be used for VPN profiles to connect to the company environment.
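To catch this mismatch before clients start failing, the following PowerShell script (an added example, not part of the original post) compares the NDESCertThumbprint value on the NDES server with the Root CA certificates present in the server's Trusted Root store and with the thumbprint shown in the SCCM Certificate Profile. The value of $ExpectedThumbprint is a placeholder you fill in from SCCM; run the script elevated on the NDES server.

```powershell
# Added example (not from the original post): check that the thumbprint the SCCM
# NDES Policy Module stored on the NDES server matches a Root CA certificate that
# is really in LocalMachine\Root, and optionally correct it and reset IIS.
param(
    # Placeholder: take this from the Certificate Profile in the SCCM console.
    [string]$ExpectedThumbprint = 'PLACEHOLDER-THUMBPRINT-FROM-SCCM-CERTIFICATE-PROFILE',
    [switch]$Fix
)

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$valueName = 'NDESCertThumbprint'

# Thumbprints are often copied with spaces or colons; compare them normalised.
function Get-NormalizedThumbprint([string]$Thumbprint) {
    return ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
}

$stored       = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
$storedNorm   = Get-NormalizedThumbprint $stored
$expectedNorm = Get-NormalizedThumbprint $ExpectedThumbprint

Write-Host "Policy module thumbprint : $storedNorm"
Write-Host "Expected (SCCM profile)  : $expectedNorm"

# Does the NDES server actually trust a Root CA with the stored thumbprint?
$rootMatch = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { (Get-NormalizedThumbprint $_.Thumbprint) -eq $storedNorm }

if (-not $rootMatch) {
    Write-Warning "No certificate with thumbprint $storedNorm exists in LocalMachine\Root."
    Write-Warning "Clients will log 'The hash value is not correct' until this is fixed."
} else {
    Write-Host "Stored thumbprint found in Trusted Root: $($rootMatch.Subject)"
}

if ($storedNorm -eq $expectedNorm) {
    Write-Host "Thumbprints match; nothing to do."
    return
}

Write-Warning "Registry value does not match the Root CA used by the SCCM Certificate Profile."
if (-not $Fix) { return }

# Only write the value if the expected Root CA is really present on this server.
$expectedInStore = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { (Get-NormalizedThumbprint $_.Thumbprint) -eq $expectedNorm }

if ($expectedInStore) {
    Set-ItemProperty -Path $regPath -Name $valueName -Value $expectedNorm
    Write-Host "Updated $valueName; resetting IIS so the policy module reloads it."
    iisreset | Out-Null
} else {
    Write-Warning "Expected Root CA is not in LocalMachine\Root; import it first, then re-run with -Fix."
}
```

Run it without -Fix first to see the current state; with -Fix it writes the corrected thumbprint and resets IIS, which is the manual step described above.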

Happy reading and till next time.


UPDATED: Intune WiFi profile for Windows Mobile generate error “0x87D1FDE8: Remediation failed” in the Console

Last week I did an implementation of Microsoft Intune for managing mobile devices. In this setup I configured several settings, including a WiFi profile with a Pre-Shared Key. The WiFi profile generates a strange error in the Intune Console, but it is working on the managed Windows 10 Mobile devices.

First of all I created a .xml file which we can import as a custom OMA-URI. The .xml file for the WiFi profile with Pre-Shared Key is created on a full Windows machine. This can be done by adding the WiFi connection with the correct settings in the “Network and Sharing Center”: use “Set up a new connection or network” and create a new WiFi network manually.

After this has been done, the XML file with the correct settings can be copied from the Windows machine and used in the Intune environment. The location of this XML file is “C:\programdata\Microsoft\Wlansvc\Profiles\Interfaces\SOME-GUID\”. With this file we create a custom policy with a custom OMA-URI to add the settings for the WiFi profile.

The settings are deployed to a user group and applied on the device of the user. The WiFi profile is added on the device and works great, but in the Intune console an error appears.

One error is correct, because I have set up device encryption and this device is not encrypted yet. The other error is a little bit strange. It’s about the deployment of the WiFi profile, and this WiFi profile is applied correctly on the device.

The error “0x87D1FDE8: Remediation failed” indicates that the settings in Intune do not match the settings on the device. On the device there are no errors related to the WiFi settings. The problem looks like an incorrect hash value in the OMA-URI. My colleague Ronny de Jong describes this in a blog post on TechNet. After double checking, this value is not the problem.

Because there are no events or errors on the device and the Intune console only reports an “0x87D1FDE8: Remediation failed” error with no further information, we created a support ticket with Microsoft Support. If there is an update about this issue I will update this blog post. Hopefully there will be an update soon.

UPDATE:

Yesterday I received confirmation that there is a fix for this issue. This fix is scheduled to be deployed in a future update. Sadly, most of the update specifics have not been released publicly. When there is a date on which this fix will be deployed to the Intune environment I will update this post.

The validation for the update will take time and as a result it will take a while until it’s deployed to the live Intune tenants.

I will keep you posted about this strange issue.

Intune/SCCM NDES Certificate deployment not working on iOS devices

I’ve deployed an NDES environment integrated with a hybrid Microsoft Intune and Configuration Manager configuration. In this environment certificate deployment to Android and Windows Phone/Mobile is working fine, but for iOS devices it’s not working.

When we dive into this problem we see errors in the CRP.log.

With the error “key usage in CSR 160 and challenge 224 do not match” we know there is something wrong with the certificate template on the CA Server.

I’ve found the solution on the Coretech Blog -> http://blog.coretech.dk/kea/troubleshooting-certificate-deployment-on-ios-devices-with-configmgr-intune/

After changing the Certificate Template property for the Key Usage Extension the problem was solved. Below are the screenshots of the Certificate Template properties.

Force URL to open in Managed Browser with Intune / SCCM hybrid

I’ve received a question on how to force a URL to open in the Managed Browser. In the Intune Standalone configuration this has been possible for a while, but it is also possible with the Intune hybrid configuration with Configuration Manager (SCCM). In this blog post I will take you through the steps to do this.

First of all we have to create an Application. In the SCCM console go to the Software Library, open Application Management and create an Application.

In the next window select “Web Application” and fill in the “Location” with a URL. The format for this is not the normal http://<path to web app>; it must be http-intunemam://<path to web app> (http can also be https).

After this the application can be created with the defaults.

When the application is created, deploy it to a User Collection. When a phone is enrolled and the Web Application is available you can install it from the Company Portal. When opening the Company Portal on the phone it looks like the screenshot above.

Install the Web Application; after this is done the Web Clip is available. For iOS it is available on your main screen. For Android you have to add the Web Widget on your screen to open the Web Applications. On an Android device it looks like the screenshot above.

When opening this Web Application there is a message that the app is managed by your company.

When selecting “OK” the webpage will be opened in the Managed Browser.

Conclusion

Opening a Web Application (URL) in the Managed Browser is possible with Intune Standalone and also with Intune and SCCM in hybrid mode. This works for Android and for iOS devices. In this short blog post I’ve taken you through the steps to do this.

The information about creating a Web Application and forcing it into the Managed Browser was shared in this TechNet article: https://technet.microsoft.com/en-us/library/mt629356.aspx

Test notification in Operations Manager 2012

Set notification settings on Operations Manager

In the Operations Manager Console go to the Administration tab and select Notifications. First we have to create a “Channel”, a “Subscriber” and a “Subscription”.

Channel Configuration

  • Create a new SMTP Channel;
  • Fill in the Channel Name and optionally a description;
  • Add an SMTP server FQDN address and a return address for the email;
  • The format can be left at its default;

Subscriber Configuration

  • Create a new Subscriber;
  • Fill in a Subscriber name;
  • Set the Schedule – the default is to always send notifications;
  • Add the Subscriber address:
    • Fill in an Address Name;
    • Set the Channel Type – in this case SMTP Channel; the Delivery address for this channel is filled in automatically;
    • The Schedule defaults to always sending notifications.

Subscription Configuration

  • Create a new Subscription;
  • Fill in the Subscription name;
  • Select the criteria for raising a notification. In my case it is a specific Severity and a specific Priority, set to Critical and High;
  • Add the subscriber: click add and search for the created subscriber;
  • Add the Channel: click add and search for the created Channel;

Create a management pack and a monitor for event detection

First we create a new management pack for the notification test. In this MP we will create a monitor for event detection.

  • First create a new Management Pack (give it a name for example: Notification);
  • Go to “Authoring” tab and create a monitor in this Management Pack with the following settings:
    • Create a Monitor -> “New Unit Monitor”
    • Select “Windows Event Reset” / “Simple Event Detection” / “Windows Event Reset”. Select the correct Management Pack;
    • Give the monitor a name, select “Windows Server” as target and uncheck “Monitor is Enabled”;
    • Unhealthy Event Log -> “Application”;
    • Unhealthy Event Expression -> ID = 100, Source = Dummy;
    • Healthy Event Log -> “Application”;
    • Healthy Event Expression -> ID = 101, Source = Dummy;
    • Health -> First Event Raised – change to Critical;
    • Select “Generate Alerts for this monitor” and change Priority to High.

Enable the monitor for the test server

  • Override this monitor for the server on which you want to test:
    • Search for the created monitor in the “Monitors” list;
    • Right click and override the monitor “For a specific object of Class: Windows Server”;
    • Search for the test server on which you want to test;
    • Enable the monitor for this server;

Test the notification by creating an alert on the test server.

  • Create an event to raise an alert:
    • Eventcreate /L Application /ID 100 /SO Dummy /T Error /D "Dummy Event"
  • Create an event to solve the raised alert:
    • Eventcreate /L Application /ID 101 /SO Dummy /T Information /D "Dummy Event"
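The following PowerShell script is an added example, not part of the original post: it runs the whole test above in one go, raising event 100 on the test server, waiting until Operations Manager has turned it into a Critical/High alert (the criteria the subscription uses), and then raising event 101 to return the monitor to healthy. It assumes the OperationsManager PowerShell module is available where you run it and that the monitor has already been enabled for the server through the override.

```powershell
# Added example (not from the original post): end-to-end check of the dummy
# monitor before blaming the mail channel.
param(
    [string]$TestServer = $env:COMPUTERNAME,   # server the monitor override targets
    [int]$TimeoutSeconds = 300
)

Import-Module OperationsManager -ErrorAction Stop

function New-DummyEvent([int]$Id, [string]$Type) {
    # Same tool the post uses; eventcreate.exe registers the "Dummy" source itself.
    & eventcreate.exe /L Application /ID $Id /SO Dummy /T $Type /D "Dummy Event" | Out-Null
}

# SCOM numeric codes: Severity 2 = Critical, Priority 2 = High, ResolutionState 0 = New.
$criteria = "Severity = 2 AND Priority = 2 AND ResolutionState = 0"

New-DummyEvent -Id 100 -Type ERROR
Write-Host "Raised event 100 on $env:COMPUTERNAME; waiting up to $TimeoutSeconds s for the alert..."

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$alert = $null
while (-not $alert -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    $alert = Get-SCOMAlert -Criteria $criteria |
        Where-Object { $_.MonitoringObjectDisplayName -like "$TestServer*" } |
        Sort-Object TimeRaised -Descending |
        Select-Object -First 1
}

if ($alert) {
    Write-Host "Alert '$($alert.Name)' raised at $($alert.TimeRaised) on $($alert.MonitoringObjectDisplayName)."
    Write-Host "If no mail arrives now, look at the channel, subscriber or subscription, not the monitor."
    New-DummyEvent -Id 101 -Type INFORMATION
    Write-Host "Raised event 101; the monitor returns to healthy and the alert auto-resolves."
} else {
    Write-Warning "No Critical/High alert for $TestServer within $TimeoutSeconds s; check that the override enabled the monitor for this server."
}
```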

The mail is generated if the mail settings are set as above.