Adding Acrobat Reader as an Allowed app

When you set up an Intune App Protection Policy for Windows 10 you are effectively enabling Windows Information Protection (WIP). This is designed to protect your business information being shared with non-business approved applications. This means there are a range of standard business ‘approved’ applications that are enabled by default. These are typically ‘enlightened’ apps that can differentiate between corporate and personal data. This allows them to abide by the policies set in the Intune App Protection policy you create. Applications that are not ‘enlightened’ are typically blocked from working with corporate data.

In a previous article:

Intune App Protection Policy blocking browser

I detailed how this could affect third party, non-Microsoft browsers, like Chrome, accessing the Internet. That article, also showed you how to easily overcome that issue with some minor configuration changes.

In this article I’ll look another way that ‘non-enlightened’ apps get blocked and how you can easily enable them.


So, let’s say that you have created an Intune Windows 10 App Protection policy like that shown above. When you do you configure a number of Protected apps as you can see. Typically, these a Microsoft products like Office, Internet Explorer, Edge and so on.


With that default protection policy successfully applied to a Windows 10 machine you can then see the data identified as personal or business on that machine now. The above shows you some files in OneDrive for Business, which is considered a business location. You can tell they are business files by the little brief case in the upper right of the file icon. Thus, all these files are considered to be business and are protected by WIP.


Let’s say that I now want to open the business PDF file with Adobe Acrobat Reader.


The result is, you are unable to do this because Acrobat Reader is not an ‘enlightened’ app. Thus, it is considered a personal app and is therefore denied access to business information.


To rectify this situation we need to return to the Protected apps section of the Intune App Protection policy and select the Add apps button as shown.


You then need to select the option Desktop apps from the pull down at the top of the screen. When you do so, you will probably see no apps listed below.


You should now enter the following information into the fields:

Name = Acrobat Reader DC
Publisher = *
Product Name = Acrobat Reader
File = acrord32.exe
Min version = *
Max version = *
Action = Allow

The most important item here is the filename for the program is entered correctly, (without any path) into the File field. In this case, the executable for Acrobat Reader is acrord32.exe.

Select Ok, once you are entered all the file details correctly here. Basically we are creating an exception for this app with WIP.


You should now see the program you just added in the list as shown above. Make sure you also Save your changes so they get applied to the policy.

Now with the policy updated, and the exemption for your app created, (in this case Acrobat Reader), you just need to wait a short time until the policy is applied to your machines.


With a few minutes, you should be able to repeat the process of opening that same business file and find that you can now view the file as shown above is the program that you couldn’t before.

You can now basically repeat the same process for any other custom applications you have that are ‘non-enlightened’ and you wish to have open business information saved in Microsoft 365 protected with WIP.

Intune App Protection Policy blocking browser


Within Intune I went and created a Windows 10 App Protection Policy.


I defined my Protected apps as you see above.


So the Required settings are as shown and utilise Windows Information protection (WIP). The idea is WIP is:

“Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.”

according to Protect your enterprise data using Windows Information Protection (WIP).

After creating the policy I applied it to a test machine.


Most things worked as expected EXCEPT that I couldn’t use non-Microsoft browsers like Chrome! I kept getting a block message as shown above. if I removed the Application Protection policy then I could browse fine on non-Microsoft apps again. Clearly something to do with the policy was blocking Chrome browsing!

The root cause is the concept of enlightened apps in WIP.

“Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies.”

from Unenlightended and enlightended app behavior while using Windows Information Protection (WIP).

As it turns out, third party browsers like Chrome are considered unenlightened apps. If you read a little bit further down that article you find the following table:


This explains why Chrome (unenlightened app) is being blocked because it is trying to connect via an IP address effectively. Ok, so now we know why, how do we fix the problem?


Turns out the fix is in the last column as highlighted above. We need to use the /*AppCompat*/ string!


To do this navigate to Advanced settings from the menu on the left. Then select the entry you should have there called Cloud resources as shown above.


Here you should see your Microsoft 365 SharePoint and OneDrive sites as shown above.


Add the string


to the end of the line. Ensure the little green tick appears on the right hand side. Select OK to close that blade and the Save to update the Advanced settings page.


If you now look closely on the Advanced settings page you will see the above information box alerting you to the need for the /*AppCompat*/ string if you want TLS by personal apps that connect directly to cloud resources via an IP. You can consider a third party browser unenlightened and therefore a personal app. Thus, it is telling us to do what we just did to allow third party browsers to connect to the Internet on machines where the policy is applied. Always read the configuration page eh?

Once you have saved the updated App Protection Policy and it has been applied to the devices, you should no longer be blocked when using third party browsers like Chrome and Firefox.

Scheduling compliance reports


If you go into the Microsoft 365 Security portal and locate the Reports option from the menu on the left and expand it, you should find the Dashboard option. This option, when selected, will show a range of reports like that shown above. You can get more details by simply selecting the body of the tile you wish to view. Here, I’ll select the Spam detections tile to get further information.


You’ll now see a more focused report but you’ll also notice that many graphs have the Create schedule in the top right hand corner as shown. Selecting this allows you to schedule a report to be delivered via email.


By selecting Create schedule you should see a tile appear from the right with the above options that you can configure.


If you scroll down to the bottom of the window you will see that there is a Customize schedule option as shown above.


Selecting this will give you much greater options as shown above.


Once you have saved your schedule, you will then receive a regular email like that show above with the report you configured. You’ll note that there is also a CSV file attached that you can use for further analysis.


You can adjust the schedules you have configured via the Manage schedules option as shown above.

As yet, I haven’t found an easy way to configure these using PowerShell. There is way using the Microsoft Graph but that requires some setup so I’m trying to find a way just to use a pure script. If I work that out, I’ll post an article on how to do it. Till then, you’ll just have to manually go in a select and configure the reports you wish to receive regularly.

Azure Public DNS costs

I have previously written about:

Using Azure DNS with Office 365

and in my experience it works really, really well. What I like about it is mainly the fact that I can implement and manage the whole thing via PowerShell. I run up a lot of demo environments and have an automated script that adds a custom domain to Office 365 and then adds the required DNS records to Azure. All that happens at the touch of a button, consistently. Brilliant stuff.

However, Azure DNS is a paid service, it isn’t free. So what does it cost? Well, the place to start is the Azure pricing calculator where we see:


that the total estimated cost for 1 DNS zone with 1 million queries is AU$1.24 and I will note , also includes support!

So how does such an estimate translate into the real world? Well, I host a number of domains in Azure DNS but the most active one would be The DNS records for this very blog are there.


So the next really cool thing that Azure gives you is the ability to drill down into your services, like Azure DNS, and produce information like what you see above, which is the total queries against the domain in Azure DNS. The amount for the last 30 days was 204,210 requests, well below the initial one million estimate. Clearly that amount will vary for different domains based on popularity, but remember that not every DNS request for your domain will hit the root DNS servers for the domain, especially if the records don’t change that much.


So I then used Azure to show me the actual cost for this previous 30 day period and you can see that the grand total was AU$0.37.

Sure Azure DNS is not free, but it might as well be! So, if you are looking to get started with Azure, I’d suggest that you start with Azure DNS as being the cheapest, quickest and easiest way to dip your toe in. That will provide you some familiarity and from there you can start scaling up.

Looks like Office 365 ATP is splitting in two

Seen some chatter here in Australia about there now being two Office 365 ATP SKUs (it appeared on a pricing sheet). Everything I could find suggested that this was not the case, however a US contact pointed out to me the following web site:

That clearly shows 2 x Office 365 ATP SKUs.


There is not as yet an equivalent AU page.

The main things that Plan 2 adds according to that page are:


Even the services descriptions for Office 365 ATP here:

don’t talk about there being two plans. Thus, I (and others) are somewhat confused as to which version will be included in suites like Microsoft 365 Business. My guess is that most plans that have Office 365 ATP will get Plan 1, with Plan 2 going for higher end enterprise plans. However, that is all here say for now.

So, it looks like are going to get a new ‘advanced’ Office 365 ATP plan soon (Plan 2) but we are unsure in which suites it will be available. More as it becomes available.

Updated script to now check for Sweep


The bad actors out there are clever and they’ll use any means at their disposal. Normally, when a user is successfully phished the first thing bad actors do is manipulate the email handling rules of the mailbox to hide their activity.

Unfortunately, there are quite a lot of different ways to forward email in Office 365 including via the mailbox and via Outlook client rules. It was brought to my attention that there is in fact another way that forwarding can be done, using the Sweep function. You can read more about this ability at:

Organize your inbox with Archive, Sweep and other tools in

Sweep rules only run once a day but do provide a potential way for bad actors to hide their activity, however as it turned out Sweep was in fact being exploited by bad actors inside a compromised mailbox.

I have therefore updated my publicly available PowerShell script at:

That will now also check and report on any Sweep rules in finds in mailboxes as well as any other forwards configured in the tenant.

Let me know if you find any other methods that this doesn’t cover and I’ll look at incorporating those as well.

CIAOPS Techwerks whiteboard training–Brisbane 21 Brisbane


I’ll be hosting an all day focused, hands on, technical whiteboard training session on Microsoft Cloud technologies (Office 365, Microsoft 365, Azure, etc) in Brisbane on Thursday February the 21st 2019. The course is limited to 15 people and there are still a few places available if you wish to attend.

The content of these events is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into Intune, security and PowerShell configuration and scripts, however that isn’t finalised until the day.

The CIAOPS Techwerks events are run regularly in major Australian capital cities, so if you can’t make this one or you aren’t in Brisbane on that date, stay tuned for more details and announcements soon. If you are interested in signing up please contact me via emails ( and I can let you know all the details as well as answer any questions you may have about the event.

I hope to see you there.