When dealing with modern management we always need some storage space to provide simple files like background images or other configuration files. This article shows an easy way to organize and provide such files via an Azure Blob Storage account for modern desktops managed by Intune.
I'm sure quite a lot of people have spotted these settings when dealing with Windows 10 configurations in Intune. For example the lock screen picture URL:
The lock screen picture URL setting is set in most of the projects I've worked on, and every time I wish there were a simple upload button. So normally I create an Azure Blob Storage account to host my background images and provide a URL for this setting.
The same applies to the Edge Browser setting for favorites list file:
and for the Enterprise mode site list file:
As already explained, I solve this by creating an Azure blob storage account in the customer tenant to host these files. The downside is that the Azure blob storage account has no simple administration interface, and these files are usually not maintained by third level admins but by a different level of support staff. The files are not static and often change frequently (especially in larger organizations).
So the best solution would be a simple administration interface for this Azure blob storage. Then we could easily hand over the operation of these files (changes) to, for example, the service delivery teams.
This challenge can be addressed easily by a free Azure Marketplace solution called "M365 Workplace Cloud Storage | Easy Intune Storage". The Azure resources used to run the solution are billed, of course, but there is no additional licensing cost. The solution itself is free of charge and can be used by anyone.
The solution is quite simple: it creates an Azure blob storage account and an App Service that hosts a small website for maintaining the files in that storage account. The solution covers all three areas: Wallpapers and Other Files, Favorites, and Enterprise Mode Site List files. It has an intuitive layout and is protected by Azure AD authentication. Here is an example of the Wallpaper management interface:
Here it is easy to click on [+] to add a new wallpaper image file. You will see a file dialog and can choose your picture for upload. As soon as the upload has finished there are simple controls to download, delete, or copy the Azure blob storage file URL of the newly uploaded picture:
The generated link can be used in the device configuration profile to configure the lock screen picture URL. There is also a section for other files, which is basically the same as the wallpaper section, but the underlying container has a different name: instead of wallpaper- the files are grouped in files-.
The same simple approach is used to maintain your favorites. The favorites are provided as a simple .html file in the format the configuration policy needs to successfully configure the Edge setting. The website has simple controls to build the favorites list and automatically creates the corresponding .html file in the Azure blob storage account:
Finally we have the Enterprise Mode Site List management, which works the same way as the favorites. Simple controls to add your sites and define in which browser they should open, and the Azure App Service generates the correct sites.xml file (here is the official tool to generate an XML file: EMSLM v2 schema), which can be used in the Intune configuration profile:
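To make the file format concrete, here is an added example (not code from the post or from the M365 Workplace Cloud Storage solution) that builds a sites.xml in the Enterprise Mode v2 schema from a plain list of sites. The element names (site-list with a version attribute, created-by, site with a url attribute, compat-mode and open-in) follow Microsoft's published v2 schema; the tool name, the sample sites and the output path are constructed for the demo. It uses XmlWriter rather than string concatenation so that a URL containing & is escaped correctly, and it refuses open-in values the schema does not define.

```powershell
# Added example, not part of the solution: generate an Enterprise Mode Site List (v2 schema).
function New-EnterpriseModeSiteList {
    param(
        [Parameter(Mandatory)] [array]  $Sites,    # objects with Url, OpenIn, CompatMode (CompatMode optional)
        [Parameter(Mandatory)] [int]    $Version,  # must be increased on every change, otherwise clients keep the cached list
        [Parameter(Mandatory)] [string] $Path
    )

    $validOpenIn = 'IE11', 'MSEdge', 'none'

    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $writer = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $writer.WriteStartElement('site-list')
        $writer.WriteAttributeString('version', [string]$Version)

        $writer.WriteStartElement('created-by')
        $writer.WriteElementString('tool', 'New-EnterpriseModeSiteList')   # hypothetical tool name
        $writer.WriteElementString('version', '1')
        $writer.WriteElementString('date-created', (Get-Date -Format 'yyyyMMdd.HHmmss'))
        $writer.WriteEndElement()   # created-by

        foreach ($site in $Sites) {
            if ($validOpenIn -notcontains $site.OpenIn) {
                throw "Invalid open-in value '$($site.OpenIn)' for $($site.Url)"
            }
            $writer.WriteStartElement('site')
            $writer.WriteAttributeString('url', $site.Url)   # host/path only, no scheme
            if ($site.CompatMode) {
                $writer.WriteElementString('compat-mode', $site.CompatMode)
            }
            $writer.WriteElementString('open-in', $site.OpenIn)
            $writer.WriteEndElement()   # site
        }

        $writer.WriteEndElement()   # site-list
    }
    finally {
        $writer.Dispose()
    }
    return $Path
}

# Constructed sample input
$sites = @(
    [pscustomobject]@{ Url = 'legacy.contoso.com/app';              OpenIn = 'IE11';   CompatMode = 'IE8Enterprise' }
    [pscustomobject]@{ Url = 'intranet.contoso.com/search?a=1&b=2'; OpenIn = 'IE11';   CompatMode = 'default' }
    [pscustomobject]@{ Url = 'portal.contoso.com';                  OpenIn = 'MSEdge'; CompatMode = $null }
)

$out = New-EnterpriseModeSiteList -Sites $sites -Version 2 -Path (Join-Path $env:TEMP 'sites.xml')
Get-Content $out
```

The version attribute is the detail most often forgotten when the list is maintained by hand: IE and Edge only fetch and apply a new list when the version number is higher than the one they already have, so a site added without bumping the version never reaches the clients.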
How can I deploy this solution now?
As I mentioned earlier, it is an Azure Marketplace solution, so we need an active Azure Subscription in the tenant to run the underlying blob storage and the App Service hosting the small website. When that is available the setup is quite simple. Search for M365 Workplace and click on the Azure Marketplace link for the solution "M365 Workplace Cloud Storage | Easy Intune Storage":
You will see the Azure Marketplace solution. Here click on Create:
You will see a simple wizard; follow the wizard and click OK:
Change the Azure blob storage account name to something unique, as it becomes part of the Azure blob storage account URL later, and click OK:
Wait for the validation and click OK:
Finally click on Create:
Wait until the deployment has finished successfully:
Check that the M365 Workplace Cloud Storage App Service is running by navigating in the Azure Portal to App Services > m365wcs- and clicking on Browse to see the website:
Configuring Azure AD authentication
As shown in the warning on the website, the website runs in anonymous access mode right after deployment. Until authentication is configured, anyone who knows the URL can add, delete or replace the files, so do this step immediately after the deployment. Reconfigure the site to require Azure AD authentication: navigate in the Azure Portal to App Services > m365wcs-, click on Authentication / Authorization under Settings, enable App Service Authentication, choose Login with Azure Active Directory as the action to take when a request is not authenticated, and click on Azure Active Directory:
After clicking on Azure Active Directory, click on Express, type in a meaningful name for the app registration and click OK:
Back on the previous page click on Save:
When saved, go back to the Overview and click on the Browse button to open the website again. If you encounter an error, wait a few moments and try again; the registration of the Azure AD app might not be completed yet. On success you will see the consent dialog for your admin user. You can choose to consent for the whole organization or only for the current user, then click Accept:
After clicking Accept you will get to the website, logged on as the current user:
Finally we must authorize users or groups to allow others in our tenant to use the new M365 Workplace Cloud Storage website:
- Open Azure Portal and navigate to Azure Active Directory
- Click Enterprise applications from the blade
- Select the app you created in the steps before; in this article I used M365 Workplace Cloud Storage as the name
Now we grant specific users and groups access to M365 Workplace Cloud Storage. Click on Users and groups in the Manage section, then click Add user to assign users or groups. Note that a new enterprise application has User assignment required? set to No under Properties, so every user in the tenant can sign in regardless of this list; set it to Yes so that only the assigned users and groups get access.
That's it: the solution is protected by Azure AD authentication and you can assign the users who are allowed to log on to the M365 Workplace Cloud Storage website.
To get continuous updates for the solution you can point a configuration variable to the maintained GitHub repository of the solution. During every restart the Azure Web App checks that URL and, if necessary, copy-deploys the new files. Keep in mind that this means every restart runs whatever package is published at that URL; if you do not want to trust the upstream repository implicitly, point the setting at a copy of the package you have reviewed and host yourself. To configure this, go to the solution in the Azure Portal under App Services > m365wcs- and click on Configuration:
Click on WEBSITE_RUN_FROM_PACKAGE and replace the URL with the GitHub URL:
If you want to hide one of the sections you can do this by adding the following settings under Application settings with a value of true or false:
- AppConfig:NonSensitiveFilesEnabled
- AppConfig:FavoriteListsEnabled
- AppConfig:EnterpriseModeSiteListEnabled
Here is an example to hide the Enterprise Mode Site List section:
As a result the website looks like this, with no Enterprise Mode Site List section on the left anymore:
This way you can deploy the solution multiple times and give different teams different websites: one team manages the favorites, another the backgrounds. Or if you only need the Non-Sensitive Files management, you can hide the other sections.
I demonstrated a small Azure Marketplace solution to handle the various files needed in modern managed client projects. It simplifies the handling from an operational perspective, especially when tasks are delegated in larger projects. Feel free to use it, and I hope it addresses some challenges you might have in your modern management projects. Feel free to leave a comment.
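If you deploy the solution several times for different teams, clicking through the Configuration blade for each instance gets old quickly. The following is an added example (not from the post or the solution) that applies the AppConfig:* switches and a pinned WEBSITE_RUN_FROM_PACKAGE URL with the Az PowerShell module. The point worth knowing is that Set-AzWebApp -AppSettings replaces the whole application settings collection, so the function reads the existing settings first and merges the changes on top; otherwise settings the site depends on would be deleted silently. The resource group, app name and package URL are placeholders.

```powershell
# Added example, not part of the solution: set section switches and the package URL
# for an M365 Workplace Cloud Storage App Service without clobbering other settings.
function Set-M365WcsAppSettings {
    param(
        [Parameter(Mandatory)] [string]    $ResourceGroupName,
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Settings
    )

    $app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name

    # Start from everything that is already configured ...
    $merged = @{}
    foreach ($pair in $app.SiteConfig.AppSettings) {
        $merged[$pair.Name] = $pair.Value
    }
    # ... and overlay only the keys we want to change.
    foreach ($key in $Settings.Keys) {
        $merged[$key] = [string]$Settings[$key]
    }

    # -AppSettings replaces the full collection, which is why the merge above is needed.
    Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $Name -AppSettings $merged | Out-Null
    return $merged
}

Connect-AzAccount | Out-Null   # interactive sign-in; omit if a session already exists

$rg  = 'rg-m365wcs'        # placeholder resource group
$app = 'm365wcs-contoso'   # placeholder, the m365wcs- App Service created by the marketplace deployment

$result = Set-M365WcsAppSettings -ResourceGroupName $rg -Name $app -Settings @{
    'AppConfig:NonSensitiveFilesEnabled'      = 'true'
    'AppConfig:FavoriteListsEnabled'          = 'true'
    'AppConfig:EnterpriseModeSiteListEnabled' = 'false'   # hides the Enterprise Mode Site List section
    # placeholder URL: point at a release package you have reviewed rather than a branch that moves
    'WEBSITE_RUN_FROM_PACKAGE'                = 'https://example.com/packages/m365wcs-1.0.0.zip'
}

# Show the effective values of the switches and the package URL after the update
$result.GetEnumerator() |
    Where-Object { $_.Key -like 'AppConfig:*' -or $_.Key -eq 'WEBSITE_RUN_FROM_PACKAGE' } |
    Sort-Object Key | Format-Table Key, Value -AutoSize
```

Changing WEBSITE_RUN_FROM_PACKAGE restarts the site, and because the package is fetched from the URL on every restart, whoever controls that URL controls the code your admins sign in to; pinning a versioned package you have reviewed keeps that under your control.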
Hi! Great article. Is it possible to create new folders in the blob, so you could transfer entire folders to Intune managed clients via PowerShell?
Hi, first thanks :-)!
If you want to have something stored remotely to be accessed by a local PowerShell script, I would recommend creating a zip archive of your files (remember the blob in this use case is accessible anonymously, that's why the section is called Non-Sensitive Files) and downloading the archive via your PowerShell script, then proceeding with your tasks. If you want to deal with files which can't be publicly accessible, you should upload the archive to the blob storage via the Azure Portal and generate a SAS signature for it to transfer it securely with your PowerShell script to the client.
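The approach described in the reply above, as an added example that is not from the post or the solution: the admin side issues a read-only, HTTPS-only SAS for a single blob with a short expiry using the Az.Storage module, and the client side (the part you would run from an Intune PowerShell script) downloads the archive, checks its SHA-256 hash against a value recorded at upload time, and only then extracts it. The storage account, container, blob name, expected hash and destination folder are placeholders. The hash check matters because a SAS is a bearer credential: anyone who can read the deployed script on a device can reuse the token until it expires, so the token should grant nothing beyond reading that one blob, and the script should not trust the blob content just because the download succeeded.

```powershell
# Added example, not part of the solution.

# --- Admin side (run once, with Az.Storage): create a scoped SAS for the archive ---
function New-ReadOnlyBlobSasUri {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $Container,
        [Parameter(Mandatory)] [string] $Blob,
        [int] $ValidDays = 30
    )
    $key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
    $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $key
    # Read-only, HTTPS-only, one blob, limited lifetime; -FullUri returns the URL with the token appended
    New-AzStorageBlobSASToken -Context $ctx -Container $Container -Blob $Blob `
        -Permission r -Protocol HttpsOnly `
        -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddDays($ValidDays) -FullUri
}
# Example call (placeholders):
# $uri = New-ReadOnlyBlobSasUri -ResourceGroupName 'rg-m365wcs' -StorageAccountName 'm365wcscontoso' `
#            -Container 'files-payload' -Blob 'payload.zip'

# --- Client side (Intune PowerShell script): download, verify, extract ---
function Get-VerifiedArchive {
    param(
        [Parameter(Mandatory)] [string] $Uri,             # blob URL, including the SAS token for non-public blobs
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # hash recorded by the admin when the zip was uploaded
        [Parameter(Mandatory)] [string] $Destination
    )
    if (-not $Uri.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to download over plain HTTP: $Uri"
    }
    $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.zip')
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $tmp -UseBasicParsing
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "Hash mismatch: expected $ExpectedSha256, got $actual. Archive discarded."
        }
        Expand-Archive -Path $tmp -DestinationPath $Destination -Force
        return $true
    }
    finally {
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }
}

# Example call (placeholders): the SAS URI and hash are what you paste into the Intune script
# Get-VerifiedArchive -Uri $uri -ExpectedSha256 '<sha256 of payload.zip>' -Destination 'C:\ProgramData\Contoso\Payload'
```

For the anonymous containers the website manages, the same client function works with the plain blob URL copied from the website; the hash check is then the only thing standing between a replaced file in the container and the devices that consume it.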
I'm reading this late at night (my time), so please forgive me if I misunderstand (long day and suffering through hay fever as well). But will this method make files needed by Intune policies "secure", so that they are not publicly accessible? If it does, how will policies that are aimed at the device access the file (e.g. the wallpaper or enterprise mode site list file)?
I’m very interested in this approach as I have some customers who don’t want to have their ‘config files’ available on a publicly accessible blob store, but would like the files to be able to be applied to PCs regardless of whether they are on the corporate LAN or not.
No, they are not secure; it is basically just a nice front end for an Azure Blob storage. It is based on the problem that we have customers which are globally dispersed and want simple management of these files without giving access to the Azure Portal, as these files are often maintained by first level support in those cases. So, not secure.
I deployed it and it looks good.
I just have one feature request:
* ability to import existing bookmarks – while it is great to maintain them from the website, I found that if I imported or modified an existing bookmark, the website created a new one.