Microsoft Endpoint Manager - Intune - Conditional Access

The Challenge

I was recently asked to create a simple process to change the primary language of Windows 10 during OS Deployment. Due to regional expectations we also had to be able to select a different keyboard layout based on user preferences. One of the challenges we face is that we have support personnel in different regions, but not in all offices. Our remote offices did not have a centralized imaging solution, which meant that we needed to provide a solution and streamline the process.

My goal was to provide a solution that would be easy to understand, simple to execute, and easy to maintain across different regions. My personal preference is a simple task sequence that minimizes the number of conditional steps needed to execute.

In this case I wanted to provide our technicians with a clean user interface. I wanted to avoid using DISM to inject languages during the task sequence, which in turn prevents me from having to manage additional content used in the task sequence. The task sequence should be lite-touch, prompting for basic information like site code, form factor, language settings, and additional applications.

Microsoft Endpoint Manager 1910 added support for language settings to the “Apply Windows Settings” step. This would be a great solution if you have a small number of configurations to support, but in an environment with a multitude of possibilities it could be difficult to manage. I will cover using these settings in a future blog post as I think they are an excellent addition to Configuration Manager, they just don’t meet my needs for this project.

Most of the other documentation that I found required integration of MDT with SCCM. The posts that did not use integrated MDT used some elements of MDT or other scripts to set these values. I considered that option but wanted to see if I could get by without the additional steps.
When I saw that language support had been added to the task sequence I decided to test whether or not I could set the language settings without the use of a script. This may have worked prior to version 1910, but I have not tested it. I suspect that this functionality is a direct result of the settings being added to the task sequence directly.

After looking at different possible solutions I determined that the best way to create a technician-facing UI was UI++ by Jason Sandys of ConfigMgrFTW. UI++ gives me the ability to create a simple UI that can be easily customized and ported to other locations. I can use one deployment package for all my locations and point to a different XML file based on the region.
​

This is my latest post on the challenges faced by IT pros in the Modern Workplace, where I examine how changes in technology and business impact Modern Endpoint Managers and other technical professionals. The first post in the series can be found here.

​“Hello … IT. Have you tried turning it off and on again?” Roy and Maurice from the IT Crowd earned a special place in pop culture as the nerdy but lovable IT duo who personified a stereotype in the early 2000s.

It wasn’t that long ago that the information technology field, particularly systems engineering and administration, were dominated by the Roys and Maurices of the world. We never would have expected that Cosmo would run a column titled, “FYI, there are some pretty cool IT jobs out there.” Jobs that were once stereotyped as being the realm of unkempt, socially awkward guys working in dark, cluttered offices are now in-demand and sought after.

In the article, “How the IT Guy Became the ‘It Guy’: The Evolving Portrayal of Tech Professionals in Movies and Television,” Christina Wang discusses the changing image of IT pros in pop culture. She tracks the changing image from Dennis Nedry in Jurassic Park, to Roy and Maurice, and finally to Felicity Smoak in Arrow. In a lot of ways, this evolution mirrors reality. In the mid-90s the typical systems admin was expected to be a jack-of-all-trades with deep technical skills. IT teams were leaner, so deeply technical admins were regularly called upon for end user support – which led to confrontation and the stereotype of the IT guy as impatient and aloof, talking down to end users.

Roy and Maurice marked the first major evolution in the changing face of the IT pro. Throughout the series of the IT Crowd, we saw them being called to the president’s office and interacting with end users. They were looked at as advisors – not just technical assets. Roy was still a bit impatient with end users, but he worked to understand their needs and requirements. Maurice tried hard to fit in, even if he really didn’t understand the pop culture topics of the day. This first evolution tracked closely with the advent of Windows Server. Systems administration became more accessible to more people. While sysadmins were still expected to have deep technical skills, they could specialize more in different areas. End users became more knowledgeable, but many still had to call support frequently as the technology was not as stable nor easily accessible.

Have you ever deployed a Conditional Access policy, only to later discover that users had found a way to circumvent it? It is surprising to discover that someone found a way around your carefully designed and tested policy.

Setting up Conditional Access policies can get confusing. If you don’t plan your policies carefully, you may end up with holes that you didn’t expect. Most of us start by thinking about the scenarios we want to allow. The problem with this approach is that if you only think about what you want to allow you may forget to block scenarios you don’t approve. Without a policy in place to block unapproved scenarios, a malicious actor can exploit those scenarios by simply providing a user’s compromised credentials.

For example, consider this scenario: You are asked to create a policy that will allow a user to access their email on an iPhone. You will allow a user to use the native mail application with ActiveSync or Outlook if the application is protected by a Mobile Application Management policy. The policy you create is applied to the user, targeted to Exchange Online, and applies to ActiveSync and Modern Authentication clients. Controls are set to grant access if the device is compliant or if a MAM policy is applied.
​
When you test the policy and the device is not registered you are blocked from accessing the application in the ActiveSync client. The Outlook application prompts you to install the Azure Authenticator to access the application. Once the Authenticator app is installed or it is enrolled the user can access their mail in the targeted applications. This policy works as designed; users must meet one of the controls in the policy to use their email as intended. You may consider the policy successful and move it into production. However, there’s just one problem…

This is the second post in a series on the principles behind the Modern Workplace. 
​
​The first can be found here: It's not you, It's me
​

“Change for the sake of change is frivolous. It must be avoided. I know what users want because I’ve been doing this for so long, I know what works!” For a guy who has loudly told the world that he has never read Harry Potter, my (former) coworker sure did an amazing Dolores Umbridge impersonation.

We are caught in a cultural tug-of-war in our technology departments. On one side we have legacy SysAdmins who believe that IT knows what’s best for our users. The other end is anchored by the Modern Workplace evangelists who preach a gospel of agility, data-driven decision making, and user empowerment. End users are caught in the middle, often to the detriment of our organizations.

Brad Anderson touched on this in his blog post announcing Modern Endpoint Manager. He cites a study by Enterprise Strategy Group that shows certain trends amongst end users. The study demonstrates the importance of moving towards modern endpoint solutions.