Skip to content

First Experience with Azure Information Protection

Last week I had the pleasure to do some experience with Azure Information Protection (Azure IP). Azure IP is now in Public Preview like Dan Plastina announced in his blog. Azure IP is based on two technologies. Azure Rights Management Service (Azure RMS) and the acquisition of Secure Islands. With the acquisition of Secure Islands it is now possible to work with classification labels. With these two technologies combined in Azure IP Microsoft is doing a great job because the user experience is much better. So how can we setup and use Azure Information Protection?


Before we start configuring Azure Information Protection there are some requirements.

  • A cloud subscription that includes Azure RMS
  • Azure AD directory
  • Client devices (with minimum .NET Framework version 4.6.5)
    • Windows 10 (x86, x64)
    • Windows 8.1 (x86, x64)
    • Windows 8 (x86, x64)
    • Windows 7 Service Pack 1 (x86, x64)
  • Applications in the following Office Suites support labeling (Word, Excel, PowerPoint and Outlook)
    • Office 2016
    • Office 2013 with Service Pack 1
    • Office 2010

More information can be find on the Microsoft site.

Configuring Azure Rights Management

First we’ve to configure Azure RMS with the right templates. These templates can be used in Azure Information Protection. Go to the old Azure AD Portal and select Active Directory, then Rights Management can be opened to configure the right templates. I’ve created a few templates for different usage. These templates will be used later on.

RMS Templates

Configuring Azure Information Protection

In the Azure Portal the option for Azure Information Protection can be added. When this has been done it can be configured. In the first view there is an overview of all classification labels. These labels can be enabled, disabled, edited or deleted. On this page it is also possible to set that all documents must have a label, the default classification label and if a justification must be provided when lowering the classification label.

Azure IP Config

When creating or editing a classification label the label can be enabled. A name must be provided and a tooltip can be provided. On this page also a visual marking can be enabled. A header, footer or watermark can be configured.

Azure IP Templates 1

In the classification label an Azure RMS or AD RMS templates can be used. This RMS template will be applied when the Classification Label is selected.

Azure IP Templates 2

Automatic classification rules can be created.

Azure IP Templates 3

The classification label can be applied automatically or it can be recommended to the user.

Azure IP Templates 4

After this setup the Classification Labels in Azure Information Protection can be used on the clients. So let’s see how we can use this.

User Experience

First install the Azure Information Protection Software. This can be downloaded here. Download and start the installation. The installation is really straight forward. Install, next and finish.

Azure IP Software 1Azure IP Software 2 Azure IP Software 3







After this we can open Word for example. When we open this we see a new toolbar appearing under the Ribbon.

Azure IP Usage 1

In this toolbar it is possible to classify the document. By default the document is classified as “Personal” and can be shared with everyone.

Also Financial Information can be detected. When financial information is in the document and the document is saved a new classification label and so a watermark is applied.

Azure IP Usage 2

When lowering the classification label there will be a windows where a reason must be given. Azure IP Usage 3


Azure Information Protection licenses will be available in Q4 of 2016. There will be a standalone license and en Azure IP will also be part of Enterprise Mobility Suite (EMS). Azure IP is available in two licenses, namely P1 and P2. The P1 is the Azure RMS license as we know it today with manual classification and labeling from the acquisition of Secure Islands and the P2 license is everything covered in the P1 license and automatic classification and labeling.

Azure IP license

The Enterprise Mobility Suite is also divided in two separate licenses. The EMS E3 license is the current EMS license as we know it today. The EMS E5 license will be the current EMS license with some new additions for security.


In this post I gave an overview of Azure Information Protection. Microsoft has done a great job by integrating Azure RMS and the technology of Secure Island with each other in Azure Ip. With this new product documents can be secured for unauthorized access. And that with a great user experience. It’s really easy to change the classification of documents. In the near future this technology will be more and more adopted so be prepared.


Intune/SCCM hybrid with NDES does not deploy any certificate (the hash value is not correct)

In an Intune / SCCM hybrid configuration with certificate deployment based on Network Device Enrollment Service (NDES) there are some issues. Installing the NDES environment can be done according to the blog of Pieter Wigleven. After this setup the deployment of the certificates did not work entirely. The configuration looks correct but on the mobile devices there are no certificates deployed. To troubleshoot this we’ve setup a Windows 10 desktop and did a MDM enrollment with the Intune / SCCM environment. Why enroll a desktop with MDM? This is because for troubleshooting we’ve more options to find errors, settings and logs in the event viewer, registry and more.

On the Windows 10 desktop we received an error in the event viewer. The error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).” was found.


After this error we look into the config from front to end. First looking into the config in SCCM. We’ve added a Root CA for deployment. This one is deployed to the clients correctly. When opening this in SCCM we see a Certificate Thumbprint, keep this in mind.


We added also a SCEP profile and within this SCEP profile we select the created Root CA.


After this steps we try to deploy this certificates to the device. The Root CA was deployed correctly but the SCEP certificate was not created on the device. What we see is an error on the device. Event id 32 gives the error “SCEP: Certificate enroll failed. Result: (The hash value is not correct).”


On the Windows client we dive into the registry to find the settings which are applied for NDES. We open the registry to find the following key for the NDES policy “HKCU\SOFTWARE\Microsoft\SCEP\MS DM Server\ModelName_ScopeID_ID_ConfigurationPolicy_ID\Install”.


In this registry key the values for NDES server, Root CA Thumbprint and more are displayed. We see that the Root CA Thumbprint does not match the one used with the Root Certificate which is deployed with the Certificate Profile in SCCM. This Root CA Thumbprint is coming from the NDES Server. When looking into the Policy Module installation on the NDES server we discover the same thumbprint as on the client.


In this configuration we had two different Root Certificates and we used the wrong one with the installation of the NDES Policy Module of SCCM. To update the Root Certiciate in teh PolicyModule we did an uninstall of the SCCM PolicyModule for NDES on the NDES Server and reinstall it with the correct settings.

After re-enroll a mobile device there is another error on the client. Event id 32 with error “SCEP: Certificate enroll failed. Result: (Unknown Win32 Error code 0x87d00905).” appears.


And on the same time on the NDES Server we received the event id 29 with error “The password in the certificate request can not be verified. It may have been used already. Obtain a new password to submit with this request.“.


After searching for a while we found a solution for this issue. This issue is related to the settings on the NDES server. In the registry a value is not updated.


In the registry string HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy the value for NDESCertThumbprint has not been updated automatically. This to be done manually. After setting up the correct thumbprint and resetting the IIS Service the certificate deployment is working correctly. Now it’s possible to request a certificate from a mobile device. This certificate can now be used for VPN profiles to connect to the company environment. .

Happy reading and till next time.



UPDATED: Intune WiFi profile for Windows Mobile generate error “0x87D1FDE8: Remediation failed” in the Console

Last week I’ve did an implementation of Microsoft Intune for managing mobile devices. In this setup I’ve configured several settings including a WiFi profile with Pre-Shared key. The WiFi profile generates a strange error in the Intune Console but it is working on the managed Windows 10 Mobile devices.

First of all i’ve created a .xml file which we can import as custom OMA URI. The .xml file for the WiFi profile with Pre-Shared key is created on a full Windows Machine. This can be done by adding the WiFi connection with the correct settings in the “Network and Sharing Center”. Use the “Set up a new connection or network” and create a new WiFi network manually.


Afer this has been done the xml find with the correct settings can be copied from the Windows  Machine and used in the Intune environment. The location for this xml file is “C:\programdata\Microsoft\Wlansvc\Profiles\Interfaces\SOME-GUID\”. With this file we create a custom policy with a custom OMA URI to add the settings for the WiFi profile. snip_20160718101526 snip_20160718101432

The settings are deployed to an user group and the settings are applied on the device of the user. The WiFi profile is added on the device and it’s working great but in the Intune console there appears an error.


One error is correct because I’ve setup device encryption and this device is not encrypted yet. The other error is a little bit strange.  It’s about the deployment of the WiFi profile. This WiFi profile is applied correctly on the device.


The error “0x87D1FDE8: Remediation failed” indicates that the settings in Intune are not matching with the settings on the device. On the device there are no errors related to the WiFi settings. The problem look like a incorrect hash value in the OMA URI. My colleague Ronny de Jong describes this in a blog post on technet. After double checking, this value is not the problem.

Because there are no events or errors on the device and the Intune console is only reporting an “0x87D1FDE8: Remediation failed” error with no further information we’ve create a support ticket with Microsoft Support. If there is an update about this issue I will update this blog post. Hopefully there will be an update soon.



Yesterday I received a conformation that there is a fix for this issue. This fix is marked to be deployed in a future update. Sadly, most of the update specificities have not been released to public knowledge. When there is a date when this fix will be deployed to the Intune environment I will update this post.

The validation for the update will take time and as a result it will take a while until it’s deployed to the live Intune tenants.

So keep you posted about this strange issue.


Intune/SCCM NDES Certificate deployment not working on IOS devices

I’ve deployed a NDES environment integrated with a hybrid Microsoft Intune and Configuration Manager configuration. In this environment certificate deployment to Android and Windows Phone/Mobile is working fine. But for IOS devices it’s not working.

When we dive into this problem we see errors in the CRP.log.

IOS Cert 3

With this error “key usage in CSR 160 and challenge 224 do not match” we know there is something with the certificate template on the CA Server.


I’ve found te solution on the Coretech Blog ->

After changing the Certificate property for the Key Usage Extension the problem was solved. Below the screenshots for the Certificate Template properties.

Managed Browser

Force URL to open in Managed Browser with Intune / SCCM hybrid

I’ve received a question how to force an URL to open in the Managed Browser. In the Intune Standalone configuration this is already possible for a while. But it’s also possible with the Intune hybrid configuration with Configuration Manager (SCCM). In this blogpost I will take you through the steps how to do this.

First of all we’ve to create an Application. In the SCCM console go to the Software Library and open Application Management and create an Application.


In the next window select “Web Application” and fill the “Location” with an URL. The format for this is not the normal http://<path to web app> but this must be http-intunemam://<path to web app> (http can also be https   ).


After this the application can be created with the defaults.

When the application is created deploy the application to an User Collection. When a Phone is enrolled and the Web Application is available you can install it from the company portal. When opening the Company Portal on the phone it looks like:


Screenshot_2016-07-21-10-56-02Install the Web Application and after this is done the Web Clip is available. For IOS it is available on your main screen. For Android you have to add the Web Widget on your screen to open the Web Applications. On an Android device it looks like:


When open this Web Application there is a message that the app is managed by your company.


When selecting “OK” the webpage will be opened in the Managed Browser.


Opening an Web Application (URL) is possible with Intune Standalone and also with Intune and SCCM in hybrid mode. This is working for Android and for IOS devices. In this short blogpost I’ve taken you through the steps how to do this.

The information about creating a Web Application and force it to the Managed Browser was shared on this Technet Article:

Logo Microsoft System Center Operations Manager

Test notification in Operations Manager 2012

Set notification settings on Operations Manager

In the Operations Manager Console go to the Administration Tab and select Notification. First we have to create a “Channel”, a “Subscriber” and a “Subscription”.



Channel Configuration

  • Create a new SMTP Channel;
  • Fill in the Channel Name and optional a description;
  • Add a SMTP server FQDN address and a return address for the email;
  • The format can be left default;

Subscriber Configuration

  • Create a new Subscriber ;
  • Fill in a Subscriber name;
  • Set the Schedule – Default is always send notifications;
  • Add the Subscriber address:
    • Fill in an Address Name;
    • Set Channel Type – this case SMTP Channel and the Delivery address for this channel is filled in automatically;
    • Schedule is default to send notifications always.

Subscription Configuration

  • Create a new Subscription;
  • Fill in the Subscription name;
  • Select the criteria for raising an event. In my case it is a specific Severity and a specific Priority. This is set to Critical and High;
  • Add the subscriber. To do this add and search for the created subscriber;
  • Add the Channel. To do this add and search for the created Channel;

Create a management pack and a monitor for event detection

First we create a new management pack for the notification test. In this MP we will create a monitor for event detection.

  • First create a new Management Pack (give it a name for example: Notification);
  • Go to “Authoring” tab and create a monitor in this Management Pack with the following settings:
    • Create a Monitor -> “New Unit Monitor”
    • Select the “Windows Event Reset” / “Simple Event Detection” / “Windows Event Reset”. Select correct Management Pack;
    • Give the monitor a name, select “Windows Server” as target and UnCheck “Monitor is Enabled”;
    • Unhealthy Event Log -> “Application”;
    • Unhealthy Event Expression -> ID = 100, Source = Dummy;
    • Healthy Event Log -> “Application”;
    • Healthy Event Expression -> ID = 101, Source = Dummy;
    • Health -> First Event Reaised – change to Critical;
    • Select “Generate Alerts for this monitor”. Change Priority to High

Enable the monitor for the test server

  • Override this Monitor for the server on which you want to test;
    • Search for the created monitor in the “Monitors” list;
    • Right click and override the monitor “For a specific object of Class: Windows Server”;
    • Search for the test server on which you want to test;
    • Enable the monitor for this server;

Test notification to create an alert on the test server.

  • Create an event to raise an alert:
    • Eventcreate /L Application /ID 100 /SO Dummy /T Error /D “Dummy Event”;
  • Create an event to solve the raised alert:
    • Eventcreate /L Application /ID 101 /SO Dummy /T Information /D “Dummy Event”;

The mail is generated if the mail settings are set as above.