Windows 10 Azure Domain Join

March 19, 2015 at 4:37 pm in Uncategorized by nsienaert



Hi All,

Next month I’m presenting for Microsoft a TechNet webcast about Windows 10.

You can registere here:

As a kind of teaser for this webcast I wrote this blog talking about Azure Domain Join in Windows 10.

Azure Domain Join is the possibility to “domain join” via the cloud.

You have an out-of-the-box experience when you boot the machine for the first time, this can be interesting in CYOD scenarios more on that in the webcast.

Let’s focus for now on Azure Domain Join in the GUI of a running Windows 10 machine.

I assume you have Azure AD up and running? The only thing you need to pay attention to is that “Device Registration” is enabled into your Azure Directory.


Now on the Windows 10 device go to Settings \ System \ About and click “Connect to Cloud”


Information dialog…  as you can see I do suffer a bit with the screen size as I don’t see my “next” button, it’s a Preview right!


I need to enter my Azure AD credentials, notice as I have Azure AD Premium enabled my Branding shows up. Cool!


I have enabled Azure MFA within Azure AD Premium, so I enter PIN that I receive via SMS.


After that I can see that I’m joined!


Now I can log off and sign in with my AD Credentials. You notice that my logon server is “AzureAD”


Back to Azure AD I can find my registered device back.


Best place to troubleshoot is the Event Viewer where you can find the most relevant logs under “User Device Registration”


So why do we all do this?

Well as you could see my device is now registered into Azure AD so as from now I can set some Conditional Access rules as I do know the device.

If you want more, you know what to do! See you at the webinar!



Azure Application Proxy: Notes from the field

March 10, 2015 at 11:54 am in Uncategorized by nsienaert

Hi All,


Microsoft released recently as part of Azure AD Premium the Application Proxy. (AP)

With Windows Server 2012 R2 Microsoft released the Web Application Proxy (WAP) which is the new reverse proxy component that you can use to publish internal resources to the internet. The WAP you will typically place on the DMZ which is most of the time an extra complexity. Because of that Microsoft has released AP into Azure to easy integrate the same service without the need of putting a component on your DMZ.

Be aware that AP only supports http(s) applications today.

I’m not gonna explain how you need to set this up and what the requirements are. This is already explained here:

In this blog I will focus more on troubleshooting.

The problem

The issue I was facing was the following. I publish an internal application into Azure but when I tried to open the Application from “”  I saw an error page like this.


The troubleshooting steps

Connection to Azure Service OK?

As described in the article above some firewall ports needs to be opened to make sure the AP Connector can talk correctly with the Azure Service.

So that’s the first thing to check, can we access the Azure Service correctly? To verify that use the following URLs to see if the required communication ports are open and if you can reach the Azure Service. Open this URL from the browser on the machine where you have installed the AP Connector. (you should be prompted for a certificate) (you should see green check marks)

What is the Event Viewer telling you?

The best logging of Azure Application Proxy you can find the in the eventvwr. As you can see some dedicated folders are created.

I saw the error below, where the AP has problems to download the latest configuration.


So despite of the fact my firewall ports were OK I still had an issue with the communication between the AP Connector and the Azure Service.

The AP Service

If you install the AP Connector two services are installed. Of course you check if these are running correctly.


The ROOT Cause

My customer had a PROXY Configuration that only allowed internet traffic generated by domain accounts. I didn’t notice that by testing the two URLs above because I was a domain user at that time entering the URLs into a browser. So the traffic that the connector is generating between the Azure Service is working via the Network Service Account…

The Solution

Make sure the Connector Ignores proxy Settings! So how do you that?

1) Go the installation path of your AP Connector –> C:\Program Files\Microsoft AAD App Proxy Connector.
2) Edit the follwing file: ApplicationProxyConnectorService.exe.config

3) Add the following (in bold) at the end of the file:

<?xml version=”1.0″ encoding=”utf-8″ ?>
<add key=”TraceFilename” value=”AadAppProxyConnector.log” />
<defaultProxy enabled=”false”>

4) Restart the Microsoft AAD Application Proxy Connector Service

You should see immediately that errors are disappearing in your Event Viewer:


As from now your application should be reachable from “”


Actually nothing new, be careful with Proxy Servers!

Till next time!


MVP Small

Microsoft Intune Mobile Application Management

December 22, 2014 at 9:18 am in Uncategorized by nsienaert

Hi All,


Containerization is one of the typical terms that are coming back all the time when talking about Mobile Device Management.

Competitors of Microsoft are working with these typical containers where they collect all Corporate Data and Applications into a separate container.

A user has to log into that container and needs to work as from there with for instance email container apps.

This is typically not a very nice experience and that’s why Microsoft has another vision on that. With Intune you will not see that typical container approach. What Microsoft will do is building that “Containerization” intelligence directly in their products.

Coincidently Microsoft Office is one of the most used piece of Software on the world, so by adding this intelligence into the Suite Microsoft is covering already quite some scenarios.

This is also aligned with Microsoft’s strategy to deliver Office to iOS and Android.

Further they have also released Secured Browsers (my next blog), AVI Players and PDF Readers.

OK so let’s have a look how this works as this new feature is added in the latest December release.

Microsoft Intune Console:

If you go to “Policies” you will see new Software Templates


If you select one for iOS you can configure the typical MAM settings like Data Relocation and Access behavior.


Once you created such a policy you will see that these kind of policies differ from other policies. You cannot really deploy the polices directly, you need to link them to a managed Application.


So let’s create a Deep Link to the iOS store, in this case to Microsoft Word and link the appropriate policy.


Now deploy the policy to the user or device of your choice.

The experience:

If you open your Self-Service Portal on an iOS after the December release you will see the following message.

An update of your SSP will be installed (you don’t need to do anything for this) to make sure you have the latest bits and bytes regarding MAM.

Photo 17-12-14 15 45 22  Photo 17-12-14 15 46 01

Also notice the new Sync button, to force a policy lookup.

Photo 17-12-14 16 00 45

As explained before I have deployed Word (with the policy linked to it), so let’s install it.

Photo 17-12-14 16 04 54

Thanks to my policy Word gets considered as a Managed App where I decided to use a PIN

Photo 17-12-14 16 12 10

Let’s open a document and try to copy\paste some text…

Photo 17-12-14 16 14 27

… to an Application outside the Office Suite

Photo 17-12-14 16 13 58

That is not working as expected. Let’s Paste it now into Excel…

Photo 17-12-14 16 46 07

That works!


This is again a major feature released into the service to control your corporate data. If you extend this with Azure RMS (part of the Enterprise Mobility Suite) you have a high enterprise-grade security solution delivered by One Vendor, Microsoft.

If you look into competitors you will end-up in a multiple vendor-approach.

Till next time!

Nico Sienaert (@nsienaert)


Assigned Access \ Kiosk Mode with Microsoft Intune

December 8, 2014 at 8:54 am in Uncategorized by nsienaert

Hi All,

Let’s talk today about Assigned Access, Kiosk Mode, Device LockDown,… whatever you want to call it.

This scenario will be typically used in scenarios where devices are located in a public spot (Kiosk) or for certain Task Work scenarios where only specific Settings or Application(s) are required to be available.

Let’s have a look how this reflects within the Intune Console en let’s discuss per Platform.


Start an “iOS Configuration Policy”, and go to the “Kiosk” section. Notice that you have choice between a “Managed” or a “Store” App.

You can also set a bunch of Device Settings.


Important to realize before you start deploying these kind of policies is the following:

– Make sure your device is in Supervised Mode otherwise Kiosk Policies will be rejected. This prevents a personal device from getting these kind of restrictions. To put an iOS in Supervised Mode you need Apple Configurator which you can only install on a MAC. This is immediately the reason why I cannot show you the experience as I currently don’t have a MAC. :-)

– Make sure the particular Application that you want to allow is installed BEFORE you apply the Kiosk settings.

– To get the device out of the Kiosk state put it back through the Apple Configurator.

Android (KNOX):

Start an “Android Configuration Policy”, and go to the “Kiosk” section. Notice that you have NO choice between a “Managed” or a “Store” App.

You can also set some policies but with compared to iOS you have less choice.


Important to realize before you start deploying these kind of policies is the following:

-KNOX does not know a concept of Supervised Mode, so you have to be careful when deploying Kiosk policies. The danger exists that you can lock down a personal device through Kiosk mode. For that it’s important that consider well the way how you will deploy these kind of policies for instance by creating a Device Enrollment Manager and add it to a User Group which has been created specifically for Kiosk policies.

– Make sure the the particular Application that you want to allow is installed BEFORE you apply the Kiosk settings.

-By retiring from management you can take an Android device out of Kiosk mode.

Windows Phone:

For similar settings Windows Phones works with OMA-URI, as I mentioned in my previous blog this will be supported in the December release.

How that will look like in the console cannot be demonstrated yet but the OMA-URI XML piece you will need for sure. Hereby an example of controlling “Settings”.

<?xml version=”1.0″ encoding=”utf-8″?> <HandheldLockdown version=”1.0″ > <Default> <Buttons> <ButtonLockdownList> <!– Lockdown all buttons –> <Button name=”Search”> </Button> <Button name=”Camera”> <ButtonEvent name=”Press” /> <ButtonEvent name=”PressAndHold” /> </Button> </ButtonLockdownList> <ButtonRemapList> <Button name=”Search”> <ButtonEvent name=”Press”> <!– Settings –> <Application productId=”{5B04B775-356B-4AA0-AAF8-6491FFEA5601}” parameters=”” /> </ButtonEvent> </Button> </ButtonRemapList> </Buttons> </Default> </HandheldLockdown>

More you can find in the PDF.

The result might look like something like this:


Important to realize before you start deploying these kind of policies is the following:

– Windows Phone does not know a concept of Supervised Mode, so be careful! Certainly if you will read the 3rd bullet.

– Make sure your Apps are deployed first

– Once an Assigned Access has been provisioned to a device, the only way to remove this functionality will    be to Factory Reset the device.

– Look into the PDF for more interesting “Notes” about Assigned Access & Windows Phone


Kiosk Mode is a cool feature which can help you in typical scenarios. When starting to use this, it’s very important to realize that provisioning and de-provisioning are differing from OS platform. This is not caused by Microsoft Intune, this is just how these OS’es are designed. And yes currently only support in the Cloud-Only mode except for Windows Phone, because of the OMA-URI you can use that already in the Hybrid Solution.

Till next time!

Nico Sienaert (Twitter: @nsienaert)

8637_Microsoft_MVP_logo .

Allow \ Deny of iOS and Android Applications

December 3, 2014 at 1:13 pm in Uncategorized by nsienaert


Hi All,

Earlier this year I wrote a blog about Allow and Deny applications on Windows Phone Devices, we can do this by leveraging OMA-URI.

In that particular blog I wrote about the Hybrid mode (integration with ConfigMgr) but since the new Intune releases of last week you have also similar capabilities in the Cloud-Only, standalone mode. Actually today there is support for iOS and Android. Windows Phone support (with OMA-URI) will come in the release of December (if I’m not mistaken).

Allow and Deny Application support for iOS and Android in the Hybrid model will be something for 2015.

So back to the Cloud-Only model, let’s discover how Black and White Listing is possible today on iOS and Android.

Like any other feature within the Intune console most features are fairly simple to configure. This also applies for this subject.

Under policies you select an iOS or Android Configuration Policy and in this wizard you can Allow or Deny Applications based on their URL.

Let’s take Flappy World again as an example. :-)


Deploy this to the required Users or Devices.


After a few minutes go to your Reports and open the “non-compliance” report.


The Result should look like this.


Important 1: Yes indeed, today Allow & Deny App for iOS and Android is a reporting feature. In the future this will probably change meaning you will able to real block an App from installation OR usage on a device like you can do already today with Windows Phone (cf other Blog that was mentioned before).

So today there is no experience on the device.

Important 2: Notice the App Name in the report. That is not really user friendly right? The list of installed apps comes from issuing an InstalledApplicationList command, which then responds back with a list of entries that includes BundleID, Version, App Name, … It seems that only the BundleID in the reporting gets showed. This is not really nice to read as there is no mapping between the BundleID and the App Name. I have discussed this with the Prod Team and a DCR is filed for that.

Important 3: Windows Phone will be supported soon. The way you will do it is very similar as with the Hybrid model (with OMA-URI) but I’ll write a blog about that once that is released.

Till next time!

Nico Sienaert (Twitter: @nsienaert)


Required install of iOS Store Apps

December 1, 2014 at 8:24 am in Uncategorized by nsienaert


Hi All,

Hereby another post where we discover a new Microsoft Intune capability.

One of these new features in the November release is the possibility to create a Required Deployment for iOS Store Apps.

Store Apps were already supported in the past but only by making them “Available” meaning provision them via the Self-Service Portal.

This is also called “deep-links”, supported for iOS, Android and Windows Phone.

In the Intune console (Standalone-mode) you will see a new “Deployment Type” called, “Managed iOS App from the App Store”.

Today the “Required” part is not supported for Android and WP yet.

But it’s clear that Microsoft will introduce a lot of new capabilities with the new Store that will ship with Windows 10 so certainly more to come.

Before we have look into the experience, just note that this feature only works for FREE apps from the Apple Store AND an Apple ID is still required to start the installation.

Let’s have a look.

Start the “Add Software” wizard and select the new Deployment Type which we have discussed before.

Copy \ Paste the URL of your App and finish the wizard.


Start the “Manage Deployment” wizard and mark the deployment as a “Required Install”.


Within a few minutes you will see the following on your iOS device.

Lock Screen:


The typical Information Message + a pop-up to enter the password of your Apple ID.


So in case you have some favorite Store Apps that you want to provision to your users you have now the capability to push the installation instead of making it available in the Self-Service Portal.

Till next time!

Nico Sienaert (@nsienaert)


Remote Lock and Pin Reset on Windows Phone

November 27, 2014 at 9:27 am in Uncategorized by nsienaert

Hi All,

One of the many new features released this month in Microsoft Intune is support for Remote Lock & Pin Reset on Windows Phone.

In some scenarios this might be interesting to consider before you initiate a wipe and give the user a chance to find his device back.

Another applicable scenario is of course when the user has forgotten his PIN which makes the device inaccessible.

This feature was already supported for iOS and Android in the earlier release, the user experience differs a bit from platform though.

For iOS you can clear the PIN but there is no auto-create of a temporary PIN. With Android a temporary PIN gets created.

Let’s have a look what the experience is with Windows Phone.

Initiate a Pin Reset on the Windows Phone:


In Remote Tasks the process can be monitored


Experience on the device


Look up the temporary Temp Pin in the console


If the user does not change his password the screen will lock again depending on the time frame you have set in your MDM policy.
If that happens the user needs to enter again the temporary password. The temporary password stays valid until the user has changed his password.

A user needs to navigate manually to the “Lock Screen” area to change his password. Jumping automatically to the Lock Screen window once the temporary password has been added could be a possible improvement.

WP  wp1

Another interesting security feature enabled on Windows Phone!

Till next time!

Nico Sienaert (@nsienaert)



Windows Updates node not available in Windows Intune Admin Console

November 24, 2014 at 10:41 am in Uncategorized by nsienaert


Hi All,

Under the moto, “not all blog posts must be long to be useful” :-)

As you know Microsoft released last week new Windows Intune features. Together with this new release a new layout of the Admin Console was released as well.

When starting the new Admin Console you might see that configuration options you would expect are not visible.

The idea of the Product Team is. “We only show what is relevant”

An example of this is Windows Updates. In the screenshot below you can see that the Configuration Tile \ Node is not available.

Windows Intune 1

The reason for this is that my tenant is not configured for PC Management yet. Windows Updates is a “PC thing” right, not Mobile Devices.

So once I have enrolled a PC into my Intune Service, I will see that my Admin Console is adjusting.

Windows Intune 2

Till next time!

Nico Sienaert (@nsienaert)


Deny Windows Phone Apps with Configuration Manager \ Intune

May 22, 2014 at 7:53 am in Uncategorized by nsienaert

Hi All,


Exciting times for Windows Phone are coming with the Enterprise Feature Pack aka Windows Phone 8.1 that is coming soon.

As you might now you can test already the beta version of WP8.1 if you register with a Developer Account.

That being said also the support for Windows Phone 8.1 is getting released. Normally by the end of the week you should all have received the new Windows Phone 8.1 Extension.


It’s time now to explore some new capabilities. The one that I personally was interested in was black & white listing of Applications.

Besides the settings you can manage via the GUI of ConfigMgr, Windows Phone also supports OMA-DM standard which offers quite some extra management capabilities. Fellow MVP Kenny Buntinx explained already in an earlier blog how you an use these OMA-DM to prevent un-enroll of Corporate devices.

Well guess what we need to Deny Applications on Windows Phone…

For the sake of demo I want Deny the not so business critical app Flappy World.

Let’s Configure it

As you know all MDM Settings are stored under the Settings Management node.

Because we will use OMA-DM we need to create a custom setting


You give it a name, eg. “Deny Windows Phone Apps”, you select “OMA URI” as Setting Type and “String” as Data Type:


You type the following path into the OMA-URI field:


This is the path where the specific OMA-DM settings are stored.

Once that is done, it’s time to create a Compliancy Rule where we will define that “Flappy World” is a denied app. Ooh I will miss it :-)


You see that the rule is based on some XML code. Hereunder you can find an example:

<AppPolicy Version=”1″ xmlns=””><Deny><App ProductId=”{2e59d843-22e4-4df1-869e-22adadb8005b}”/></Deny></AppPolicy>

The ProductID is of course the important variable, this is where you define which App you want to deny.

Now, how do you find the Product ID of your App?

Well, if you go the Windows Phone Store via a browser and you select the App you want to deny, you will be able to see the ID in the URL. Just grab it over there.

IMPORTANT: as with all MDM Settings, make sure your “Remediate” check box is checked.

Thanks to the Windows Phone 8.1 Extension we are able to limit this setting to WP8.1.


OK, we are almost there. Next step is to add the CI into a Baseline and deploy it to a User or Device Collection. (Check the ACTION = Remediate!!)


The Experience

Let’s refresh the policy on the phone and see what happens…


My “Flappy World” tile is grayed out, so OK let’s try to use it.


The App is refusing to open because it’s disabled via Company Policy!

That’s all for now, happy Blacklisting!

Till next time,

Nico Sienaert

MVP Small imagesCAIOYXPP

Windows Intune: unable to remove verified domain

May 13, 2014 at 7:56 am in Uncategorized by nsienaert


Hi all,

This might probably an issue where some of you bump into if you have a Windows Intune trial running. That’s why I decided to write this quickly down.

As you probably know you can link your public domain name into Windows Intune mainly to improve the Single-Sign on experience of your users.

Imaging that you have a verified domain linked to your trial tenant and for some reason you will not extend the trial or you want to link your domain to another tenant. In that case you need to remove your domain from the Intune tenant as you cannot link your public domain name to different tenants.

The first thing you need to do is delete all your Users and Security Groups that you have synced into Microsoft Azure Active Directory (so the new acronym will be MAAD :-)) with DirSync, so you have no associations anymore between your domain and MAAD.

If your try to remove your domain then it might happen that you receive following error:


So for some reason there is apparently still an association which you need to “disconnect” before you can remove the domain.

As always these days Powershell can help us to have a look more under the hood.

First step is to download and install the O365 Powershell CMD lets.

Secondly execute the following Powershell commands:

Connect-Msolservice (Provide your credentials)
Get-MsolGroup  (Interesting is that this command shows mail-enabled Security Groups which apparently are not visible in the Intune interface)
Remove-MsolGroup -ObjectID <ObjectID> The Object ID is shown during Get-Msolgroup, this command will remove the  mail-enabled Security Groups

If everything goes well you should be able now to remove your domain from the Windows Intune tenant.

I can case you still have issues you can execute the following command.

Get-MsolUser -ReturnDeletedUsers -All | foreach { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }

If you delete Users and Security Groups, you will notice that they are still listed under “Deleted” items. So actually they are dropped in a kind of Recycle Bin. If you still encounter issues it might help that you execute a “shift-delete” with the -ReturnDeletedUsers switch.


I never had to use this last command but it might be your plan B.

Till next time!

Nico Sienaert


MVP Small imagesCAIOYXPP