Cloud App Discovery–Cool tool, but is it ready for Primetime?

Joe Kuster

It’s no secret: I’m perfectly OK with the cloud. So when I heard about Cloud App Discovery back when it was released to preview, I immediately jumped on it, testing it out in my lab and doing a few demos. The idea is to provide a tool that identifies the unknown or hard-to-track-down services that your users might be using (and leaking corporate data onto), as well as providing easy utilization numbers for SaaS tools. Microsoft put a lot of thought into solving this particular problem and it shows.

Cloud App Discovery and Azure AD Premium seem built for each other. Cloud App Discovery identifies workloads and data usage that IT doesn’t know about, kind of like the Application Compatibility Toolkit for cloud tools. The agent is installed on each system (silent deployment is supported) and it sends the observed service access to Azure storage. Azure then does some analytics work on it and provides easy-to-read reports on your data, telling you which users are using 3rd-party services and whether or not those services are under your control and federated. In the event Cloud App Discovery doesn’t recognize the app (and it recognizes a very large number), it records the URLs and ports as well as the frequency of access and the amount of data transmitted.

If it does recognize the service and the service is in the Azure AD Premium gallery, it guides me through deciding whether to trust/federate it, and I can enable SSO in a couple of clicks.

Because I have access to the Azure Storage blob, I can grab the files and do my own analysis if I want, such as running them through a Security Information Monitoring tool. The raw logs look like this:

Machine Name    User Name    App Name    Category    Is Business App    Device Family    Requests    Bytes Sent    Bytes Received    Date Begin Window    Date End Window
X79    X79\Joe    google    noisecategory    False    Windows 8.1    0    5173    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    dropbox    collaboration    True        0    0    179    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    live    noisecategory    False    Windows 8.1    0    1567    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    live    noisecategory    False        0    0    662    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    google    noisecategory    False        0    0    783    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    dropbox    collaboration    True    Windows    1    352    0    12/31/2014 12:00:00 AM    12/31/2014 12:01:00 AM
X79    X79\Joe    othercategory    False        1    100    277    12/31/2014 12:01:00 AM    12/31/2014 12:02:00 AM

X79    X79\Joe    live    noisecategory    False    Windows 8.1    0    4637    0    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    google    productivity    False    Windows 8.1    2    4186    0    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    live    noisecategory    False        0    0    1986    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM
X79    X79\Joe    othercategory    False        1    1481    10562    12/31/2014 12:21:00 AM    12/31/2014 12:22:00 AM

Pretty straightforward. Aside from the slightly annoying fact that it’s only available in the “Preview” Azure portal, the finished reports are really nice and filter well. I can easily drill down and see who is using which apps, how much data they move, and how often they use them.
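As an added example (my code, not the product’s or the author’s), here is a small Python parser for that export, assuming the blob rows are tab-separated with exactly the header shown above. It tolerates the rows where the agent recorded no App Name (those rows carry one field fewer) and ranks non-business apps by bytes sent off the machine, which is the first thing a SIEM rule should look at when hunting for data leaking to unsanctioned services.

```python
"""Example analysis of a Cloud App Discovery raw log export (tab-separated):
parse rows, tolerate entries where the agent did not recognise the app (the
App Name field is absent), and rank non-business apps by bytes sent."""
from collections import defaultdict
from datetime import datetime

# Constructed sample export, shaped like the log excerpt above.
SAMPLE_LOG = (
    "Machine Name\tUser Name\tApp Name\tCategory\tIs Business App\tDevice Family"
    "\tRequests\tBytes Sent\tBytes Received\tDate Begin Window\tDate End Window\n"
    "X79\tX79\\Joe\tgoogle\tnoisecategory\tFalse\tWindows 8.1\t0\t5173\t0"
    "\t12/31/2014 12:00:00 AM\t12/31/2014 12:01:00 AM\n"
    "X79\tX79\\Joe\tdropbox\tcollaboration\tTrue\t\t0\t0\t179"
    "\t12/31/2014 12:00:00 AM\t12/31/2014 12:01:00 AM\n"
    "X79\tX79\\Joe\tdropbox\tcollaboration\tTrue\tWindows\t1\t352\t0"
    "\t12/31/2014 12:00:00 AM\t12/31/2014 12:01:00 AM\n"
    # Unrecognised app: no App Name field, so the row has only 10 fields.
    "X79\tX79\\Joe\tothercategory\tFalse\t\t1\t100\t277"
    "\t12/31/2014 12:01:00 AM\t12/31/2014 12:02:00 AM\n"
    "X79\tX79\\Joe\tgoogle\tproductivity\tFalse\tWindows 8.1\t2\t4186\t0"
    "\t12/31/2014 12:21:00 AM\t12/31/2014 12:22:00 AM\n"
)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"   # e.g. 12/31/2014 12:00:00 AM
UNKNOWN_APP = "(unrecognised)"


def parse_rows(text):
    """Return one dict per data row, keyed by the header names."""
    lines = text.strip("\n").split("\n")
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) == len(header) - 1:      # agent logged no App Name
            fields.insert(2, UNKNOWN_APP)
        if len(fields) != len(header):
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
        row = dict(zip(header, fields))
        for key in ("Requests", "Bytes Sent", "Bytes Received"):
            row[key] = int(row[key])
        row["Is Business App"] = row["Is Business App"] == "True"
        for key in ("Date Begin Window", "Date End Window"):
            row[key] = datetime.strptime(row[key], TIME_FMT)
        rows.append(row)
    return rows


def flag_uploads_to_unsanctioned(rows, min_bytes_sent):
    """Sum Bytes Sent per (user, app) for apps not marked as business apps and
    return [(user, app, bytes_sent)] at or above the threshold, largest first."""
    sent = defaultdict(int)
    for r in rows:
        if not r["Is Business App"]:
            sent[(r["User Name"], r["App Name"])] += r["Bytes Sent"]
    hits = [(u, a, b) for (u, a), b in sent.items() if b >= min_bytes_sent]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for user, app, sent in flag_uploads_to_unsanctioned(parse_rows(SAMPLE_LOG), 1000):
        print(f"{user} -> {app}: {sent} bytes sent to a non-business app")
```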


So that’s the good. What’s the not so good? The implementation of the network listener. I haven’t ripped fully into it to understand how it interacts with the network stack, but my notes from the field have not been without issues. Big issues. On many types of hardware. On a disturbing percentage of the systems. This is where I take a long breath and have to tamp down my enthusiasm, as I really wanted to like Cloud App Discovery. In my Hyper-V lab, it’s run for months without issue. On physical hardware, though, there have been more systems with serious issues than systems without.

I really hope this gets fixed, and I’ll gladly update this post once the issues are resolved, but here are the symptoms I’ve seen:

  • After reboot, it prevents all network access. Uninstalling it immediately fixes this.
  • After reboot, a sudden rash of blue screens when opening web browsers, which clears up immediately after the product is removed.
  • After reboot, most access works, but certain cloud services are completely inaccessible, including OneDrive for Business, Dropbox and CrashPlan. Uninstalling it immediately resolves the issue.

I’ve noted this behavior on Windows 7, 8.1 and 10.

If you have a fix, I’d love to hear it. Hit me up on Twitter: @Joe_Kuster

Add Azure RMS License to Office 365 E1 Users

Joe Kuster

If you are like most companies looking to secure your data, and you happen to be on Office 365, it’s a pretty no-brainer to enable Azure RMS for item-level protection (encryption + usage rights + user controls). If you have an E3 license, you already have rights to use RMS, and I’ve covered before how to enable Azure RMS for your Office 365 tenant. However, what about your E1 users? Well, thankfully Azure RMS can be purchased standalone and it’s pretty reasonably priced. Call up your LAR and, one conversation later, your Azure RMS licenses appear in your Office 365 Portal.

Now, you could manually assign users, but around here we’re fans of being lazy admins. I’m also a big fan of a single line of PowerShell where I can get away with it, hence:

Note that if you re-run this script, nothing bad happens. You will not accidentally use multiple licenses, but you will see it complain about an “Invalid” license, because it prevents assigning two of the same license to a user.

That error looks like:

If you see the above on your first go and your portal does not show that you’ve consumed your licenses, you need to check that your SKUs are available and that you are using the correct domain. Thankfully there’s a simple cmdlet to display that information. Just run the following:


Getting license errors when using Office 365 Click to Run with Azure Remote App?

Joe Kuster

Today I had an interesting exchange with a Program Manager at Microsoft regarding Azure RemoteApp. There were some great nuggets in the back and forth about solving some of the issues and opportunities I’ve experienced with Azure RemoteApp that will be in a follow-up blog, but for today I want to focus on installing Office 365. Previously, when I installed the Click-to-Run bits on my templates and published them out, users would encounter an error stating that they had the incorrect license and needed volume activation to run Office in what is essentially a VDI configuration. Turns out there’s a simple fix. I had incorrectly assumed that it was the RemoteApp process creating the issue and that a different license for VDI was needed, rather than that I needed to adjust my Click-to-Run bits since they would be supporting multiple users. Install the Click-to-Run bits as normal, then:

  1. Open RegEdit
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\ClickToRun\Configuration
  3. Right click and add a new String value
  4. Name the string value “SharedComputerLicensing” (without quotes)
  5. Double click on SharedComputerLicensing and set the value to 1
  6. Complete the rest of your build as normal.


Thanks for the tip Eric!

Deploy OneDrive for Business via Click to Run

Joe Kuster

It’s been a busy week for Office 365 requests. Here are some quick notes from the field on deploying OneDrive for Business. The instructions below create a completely silent installer; if you would like a graphical confirmation presented to the user, change Display Level=”None” to Display Level=”Full” in the configuration.xml file.


  1. Create a network share with read and execute permission for Everyone and Domain Computers
  2. Download the Office Deployment Tool
  3. Unpack the exe file to the network share
  4. Edit the configuration.xml file
  5. Change the product ID to 32 or 64 as appropriate to match Office.
  6. Open a command prompt or PowerShell window as Administrator
  7. Run the command: setup.exe /download \\share\folder\configuration.xml
  8. Monitor network activity in taskmgr to determine when the download is complete (~900 MB for full Office; this should be less for ODFB only)
  9. Run \\yourserver\share\folder\setup.exe /configure \\yourserver\share\folder\configuration.xml to install
  10. Check %temp%\Office2013ClicktoRunWindowsIntune.txt for errors or a successful exit code
  11. Verify the app is in Add/Remove Programs

If prior versions of Office are also present, check for Interop Issues

If packaging for Configuration Manager, note that this installs from a static location, not the DPs. To localize on the DP, you’ll need to:

  1. Create a package with the source files downloaded in step 7.
  2. Change the run command to %~dp0setup.exe /configure %~dp0configuration.xml

Compile Batch Files and Scripts for Intune Use

Joe Kuster

In a prior post, How to Customize Office with the Office 365 Click to Run Deployment Tools, I covered a few basics of customizing an Office 365 Click-to-Run install beyond what is supported in the standard configuration.xml file by using a simple Batch (.bat) file. Since Intune doesn’t support processing Batch files or VBS files, today I’m covering how to compile your scripts and batch files into a self-contained executable.

There are hundreds of tools out there to compile executables, but we’re going to use the one Microsoft provides along with Windows, the IExpress Wizard.

  1. Run iexpress.exe as an Administrator
  2. Use the default of “Create new Self Extraction Directive file.”
  3. Use the default of “Extract files and run an installation command”
  4. Name your project.
  5. Select if you want to provide a prompt.
  6. Provide a license prompt if desired.
  7. Add the customized batch file, setup.exe and the customized configuration.xml file. If other files are included, make sure they all have unique file names.
  8. Select the custom batch file for the installation command. Make sure to prefix it with cmd.exe /c as below.
  9. Select the show-window option for the app; in this case we will be using Hidden.
  10. Provide a finished message if desired.
  11. Provide a path to save the executable. I’ve run into odd scenarios when saving outside of the work folder where the other files reside, so I recommend saving the executable in the same folder and not using any spaces in the path.
  12. Configure if a restart is desired.
  13. Save your Self Extraction Directive
  14. Click next to create the package.
  15. Done!

You now have a single .exe that can be run without parameters and can be delivered via Intune.

How to Customize Office with the Office 365 Click to Run Deployment Tools

Joe Kuster

If you are using Office 365 and are attempting to deploy Office to your users, chances are you’ve run across the Office Deployment Tool for Click-to-Run. With this tool, you may configure the setup to download the files from a local share rather than slamming your WAN connection with numerous 900 MB downloads. That said, the tool doesn’t offer the same flexibility that the Office Customization Tool has offered in the past. Below is a simple example of how to make friends with the new Click-to-Run tool.

First, download the Office Deployment Tool for Click-to-Run.

Second, we need to create a custom Configuration.xml file that fits our needs. Typically the default one gets close. Pay special attention to the SourcePath and the commented-out sections. By default, several items are commented out with the standard XML comment syntax, such as

At its most basic, the following may fit your needs. You could even remove the SourcePath entirely and it would just download from the web.

For more options, you may need to consult the Reference for Click-to-Run configuration.xml file.

If you have very special needs, such as only installing specific apps, you may use the ExcludeApp element. For instance, if you only wished to install Outlook and download directly from the web, not pre-staging content, your configuration file may look like:

Assuming you have a file share handy and would like to avoid unnecessary WAN traffic, the next step is to download the Click-to-Run Office bits to the path mentioned in the Configuration.xml file. Doing so is pretty simple: dump the setup tool and your .xml file in the desired directory, open a command prompt in that share and run:

At this point, the tool will process your Configuration.xml file and only download the files associated with that file. That means you may need more than one repository if you are installing different sets of applications on different computers.

We could wrap up at this step, but in the scenario above we have to leave Office 2007 installed and only upgrade to Outlook 2013. This means our old nemesis, Interop Calls, comes into play. To fix the issue, we need to remove the 2013 interop registry keys for the applications which are not installed. Since Click-to-Run lacks the OCT’s capability of customizing registry keys, we can simply run a batch file that calls the setup.exe and then cleans up the relevant registry keys.


If you want to get extra fancy, such as deploying this customized installer via Intune, you’d have to compile your .bat file to an executable via means such as iexpress.exe. Stay tuned for more on packaging scripts into Intune in a later post.

Microsoft App Links for Intune (iOS and Android)

Joe Kuster

Looking to save time in your Intune deployments? One of the most common requests is to install all of the “Office” apps. The next most common is the rest of the Microsoft RMS items if you are using EMS. Below I’ve included all of the Microsoft Mobile Application Management enabled apps as well as the most common requested apps by my clients:



Microsoft Word:

Microsoft Excel:

Microsoft PowerPoint:

Microsoft OneDrive:

Microsoft OneNote for iPhone:

Microsoft OneNote for iPad:

Microsoft Intune Managed Browser:

Work Folders:

OWA for iPhone:


RD Client:

Sunrise Calendar:

Office Lens:

OneDrive for Business:

Office 365 Admin:

Office 365 Message Encryption Viewer:

SharePoint Newsfeed:

Office Sway:

Dynamics CRM:

Azure Authenticator:



Office Delve:

RMS Sharing:

Office 365 Video:





Microsoft Word:

Microsoft Excel:

Microsoft PowerPoint:

Microsoft OneDrive:

Microsoft Intune Managed Browser:

Microsoft Intune PDF Viewer:

Microsoft Intune Image Viewer:

Microsoft Intune AV Player:

Microsoft Office Hub:

Office Lens:

Microsoft Account:

Sunrise Calendar:



Remote Desktop Client:

Lync 2013:

Office Remote:

Keyboard for Excel:

OWA for Android:

Office 365 Admin:



Have a life outside of work? No problem for this month’s Intune release.

Joe Kuster

This month Microsoft focused on handling the blindingly obvious situation where users want to use both company and personal Microsoft accounts with the same Office apps. Multi-Identity support has been added for Word, PowerPoint and OneDrive (Finally!).

In other big news, Microsoft continues to make use of its purchase of Acompli and its subsequent rebranding as Outlook for iOS and Android. Standalone Intune now supports Outlook conditional access and MAM security rules (copy/paste protection, for instance). You could do this before with the Android or iOS wrapping tools, but it’s nice to have out-of-the-box support.

Additional updates include notifications in the Company Portal on iOS for new app versions, .appx app support for standalone, fixes for the issues in the last release of Endpoint Protection and some enhancements around malware reporting.

How to Easily Identify and Reinstall Software During Configuration manager OS Refresh Task Sequence without MDT

Joe Kuster

So you’ve been asked to reinstall all applications for users for the sake of reducing user impact? What do you do? Is this a good idea? Read on:

One of the most commonly requested items that adds complexity to Operating System deployments is identifying and reinstalling applications. If MDT is in use, it supports Application Mapping, which must be configured and is not always approachable for the novice. Should you go that route? Maybe. But what if MDT isn’t integrated or Application Mapping is just a bit over your head? What I suggest below is simply one of many ways of addressing this particular need.

But first:

As a best practice, a company should already have a baseline of applications provided for each unique role, such as department or position, and only deviate from that baseline where necessary, ideally identifying and automating those exceptions, such as where specially licensed software should be deployed. User deployments and self-service go a long way to making this an easier process. In reality, however, the situation is usually much less clear. Self-service isn’t always supported, there is an expectation of 100% deployment before the user receives a system, or the network simply may not handle deploying large apps to remote areas after the system is provisioned.

As a result, rather than spending the time to identify what the users should have, the decision makers often fall back on saying to re-install whatever the user had.

This approach presents many problems including:

  • It fails to consider updated versions or apply any nuance – Should the user receive the latest and greatest version of Java? What if it impacts their line-of-business apps? Are there combinations of applications that must run at a downgraded version? Should some departments receive newer versions than others? Can IT actually support the numerous versions being asked of them? All of this would require business analysis of which apps should be deployed by role. Without it, the only option is to run obsolete and potentially insecure versions of software for the foreseeable future.
  • It’s a licensing headache – even if we can reinstall the application, carrying over a license key is often not supported and in some cases may not be allowed.
  • It’s a lot of work – Every version of every application must be identified, assessed for whether a substitution or reinstall is necessary, and those to be reinstalled must be packaged. This can be hundreds or thousands of hours of work.
  • It needs to be kept up to date – As new versions or applications are added, the automated process must also be updated.


Ok, enough opinion piece, let’s get to reinstalling applications.


  • An OS deployment refresh task sequence must already exist; we are simply adding a few steps to it. It’s OK if you need to format the disk, but we do need to run the task sequence from within a working version of Windows first, not WinPE.
  • All apps or packages that you want to reinstall must be packaged and deployed to your DPs, and you must have some way of identifying systems that should have them reinstalled. If you don’t know how to do this, Configuration Manager supports WQL to identify applications, and the task sequence even includes an MSI parser to get the unique GUID for installation detection.


After ensuring you are booted into the Windows OS (not PE), create a Set Task Sequence Variable step for each app you wish to reinstall:


Use a condition on that step that checks whether the app is installed (WMI or the built-in installed-app check).


When reinstalling apps after OS Deployment.


How to update your Apple Push Network Certificate for Intune

Joe Kuster

Note: This post assumes you’re like most of my clients and no longer have your push certificate request file. If you are on Windows, you will likely need both IE and Chrome, as Chrome no longer supports Silverlight but IE does not support Apple’s JSON uploader.


  1. Log into with your Intune administrator credentials
  2. Navigate to Admin > IOS > Upload an APNs Certificate
  3. Download the APNs Certificate Request, leaving this tab open
  4. Log into with your Apple Push Network credentials 
    (Use Chrome – Apple’s page is not IE friendly on the upload portion)
  5. Click Renew on the corresponding certificate for your Intune tenant
  6. Provide the CSR
  7. The certificate has been renewed.
  8. Download the certificate
  9. Return to the Intune APN Certificate section and click Upload the APNs Certificate
  10. A confirmation page will be displayed