Restrict OneDrive for Business to Domain-joined Computers

Conditional Access for OneDrive can be configured in several ways, but it is not part of the new Azure AD Conditional Access experience, and the new OneDrive Admin Center also lacks an option to restrict which devices can synchronize files. There are, however, several other options worth looking into.

If you want OneDrive to synchronize files only on domain-joined computers, you need either Microsoft Intune with the classic portal (this feature does not exist in the new Azure experience) or the SharePoint Online Management Shell PowerShell module. To configure OneDrive for Business “Conditional Access” with PowerShell, do the following:

Step 1:

Find your domain's ObjectGuid. If you have multiple domains, include all of their ObjectGuids, separated by commas.

To find your domain's ObjectGuid, run the following command in PowerShell, specifying your on-premises domain:

Get-ADDomain -Identity <DomainName> | Select-Object ObjectGuid


Step 2:

Install the SharePoint Online Management Shell

Run in PowerShell: Connect-SPOService -Url https://Office365Tenant-admin.sharepoint.com (make sure to replace Office365Tenant with your tenant's name). You will then be prompted for credentials. The least privilege required is Service Administrator for SharePoint Online.

Run: Set-SPOTenantSyncClientRestriction -Enable -DomainGuids <ObjectGuid>
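The two steps above combined into one script, as an added example that is not from the original post: it enumerates every domain in the on-premises forest (so a forgotten domain does not silently block sync for its computers), applies the restriction, and reads the tenant setting back to verify it. It assumes the ActiveDirectory (RSAT) and Microsoft.Online.SharePoint.PowerShell modules are installed, the tenant name is supplied as a parameter, and the GUIDs are passed as one comma-separated string as the post describes.

```powershell
# Added example, not code from the original post.
# Assumes: RSAT ActiveDirectory module, SharePoint Online Management Shell,
# and an account with SharePoint Online administrator rights.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantName   # placeholder: "contoso" for https://contoso-admin.sharepoint.com
)

Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# Step 1: collect the ObjectGuid of every domain in the forest, not just the
# current one, so computers from all domains stay on the allow list.
$domainGuids = @(foreach ($domainName in (Get-ADForest).Domains) {
    (Get-ADDomain -Identity $domainName).ObjectGuid.ToString().ToLower()
})

if ($domainGuids.Count -eq 0) {
    throw "No domains found in the forest; refusing to apply an empty allow list."
}

# The post states that multiple GUIDs are separated by commas.
$guidList = $domainGuids -join ','
Write-Host "Domain GUIDs to allow: $guidList"

# Step 2: connect to the tenant admin endpoint and enable the restriction.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $guidList

# Verify: the restriction must be enabled and every collected GUID present.
$state   = Get-SPOTenantSyncClientRestriction
$allowed = @($state.AllowedDomainList | ForEach-Object { $_.ToString().ToLower() })

if (-not $state.TenantRestrictionEnabled) {
    throw "Sync client restriction was not enabled on the tenant."
}

$missing = $domainGuids | Where-Object { $allowed -notcontains $_ }
if ($missing) {
    Write-Warning "Not present in the allow list: $($missing -join ', ')"
} else {
    Write-Host "Sync restriction enabled for all $($domainGuids.Count) domain(s)."
}
```

Note that the restriction only takes effect on the OneDrive sync client after the tenant setting propagates and clients next check in, so re-run the verification step before treating unmanaged machines as blocked.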


Windows 10 Enterprise E3 on CSP

As Microsoft continues to move towards the “Windows as a Service” model, they recently released Windows 10 as part of the Cloud Service Provider program, which makes Windows 10 available to organizations of any size as a monthly subscription. I consider this another opportunity to increase the adoption of Windows 10, especially since Enterprise features such as Credential Guard and AppLocker are almost becoming mandatory for sufficient protection of Windows given the increased threat landscape.

The biggest disappointment with this license is that it requires an activated Windows 10 Professional license prior to activation, which means it cannot be used as a cheaper upgrade to Windows 10. It also doesn’t include Software Assurance, which I consider one of the bigger benefits of the Enterprise license. Technical documentation can be found here:

Microsoft will likely introduce a new license called “Windows 10 Enterprise E5”, which will include Windows Defender ATP; whether Software Assurance will be part of this E5 license is currently unknown.

Considering the deprecation of some Group Policies in Windows 10 Professional prior to the launch of this license, it could seem like Microsoft is trying to force organizations onto the Enterprise license. Sources at Microsoft confirmed this is not the case and that Professional will still be usable for business in the future.


Microsoft Intune: Troubleshooting Android Company Portal enrollment issues

In some cases users are unable to uninstall the Company Portal application on their Android devices after unenrolling or while troubleshooting enrollment issues.


There are 2 ways this can be resolved:

The easiest way for the end user is to have the administrator “Selectively wipe” the device. This will resolve the problem in most cases, as long as the device has established contact with Microsoft Intune.


The other scenario is when the device failed before establishing a connection with Microsoft Intune. The user will then have to manually remove Company Portal as a Device Administrator in order to uninstall the app.


Open Settings > Security > Device Administrator, remove Company Portal from Device Administrators, and then reinstall the application.

The same instructions will resolve another problem you might encounter during enrollment: “Failed to activate Device Administrator”. This often occurs if a user had problems with the initial enrollment phase.



Customizing Bitlocker Unlock screen

With the Windows 10 ADMX templates finally released, I had a thorough search through every setting that was added and found one of them very useful. To see the full announcement from Microsoft:

The specific setting I found very useful is located under: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\

“Configure pre-boot recovery message and URL” lets you configure the default message users see when BitLocker prompts for a recovery key in recovery mode, which also sometimes appears when they attach their PC to a docking station.

I tested it myself and it works just as described (I added an example text to show how useful it would be to configure it for enterprises):