olastrom.com

  • How to enable Recall and Click to do on a Copilot+ PC

    How to enable Recall and Click to do on a Copilot+ PC

    If you have a Copilot+ PC and you are running Windows Insider, you can now enable Recall.

    If you have totally missed what Recall is, the short story is that it’s a way to back-track what you have done earlier and move back to snapshots of your workdays to find things for example.

    Recall requires that you have Copilot+ PC, otherwise this is not available. So, if you don’t have a Copilot+ PC, you don’t have to worry about users getting this.

    Also, Recall is not enabled by default and on a managed PC, you as an admin need to enable it with e.g. Microsoft Intune for the users to even be able to opt-in. This also goes for the Click to Do feature.

    Enable Recall

    To enable Recall on the device, you need to set a policy using GPO or MDM policies. Since my go-to tool is Microsoft Intune, let’s dive into how to enable and control it.

    Head into the Microsoft Intune portal and navigate to Device – Windows -Configuration and create a new configuration profile. Select Windows 10 and later as platform and Settings catalog as profile type.

    Give your profile a good name based on your naming convention.

    Click the add settings button and search for “Windows AI”. Select all the settings you want to configure.

    There are a few settings you can set for Recall based on your needs.

    In this example I’ve let the OS define the storage and duration for my snapshots, but you can configure this based on your needs. You can also add exclusions for websites and applications if we need. I’ve added my blog and Teams as an example in the picture, but you can also skip this.

    Go thought the wizard and assign the policy toward the Copilot+ PCs you want to target.

    User experience

    Recall

    So how do you get started with Recall? Simply open the new Recall app in your start menu and authenticate with Windows Hello. The first time you start it, it will work a bit on some updates. This might take some time. Once that is done, you will be able to start using Recall.

    You can scroll back and forth on your timeline to go back and forth looking for what it was you wanted to find. Once you have found it, you can search the content of the snapshot or visit the app you had open. It even takes you to the exact spot you where in the app at the moment.

    Down in the taskbar, you will see a new Recall button. Once its active, it will be light blue, and will indicate if its paused or running. If you click the Recall icon, you will see some actions you can do, like pause Recall or filter the website/application you have opened.

    You can also go through settings and see some settings around Recall, such as storage or applications and website you want to filter (if you want to add some additional ones as a user which your admin did not add).

    Click to Do

    The second thing which get activated with Recall is Click to Do. This feature gives you the same posibilities as in your snapshot, you can search the whole screen for things or open it in specific apps. You can also have it summerizing long text or create a list. There are a bunch of actions here!

    To activate Click to Do, simple press the Window-button on your keyboard and click the screen!

    Key take aways

    I really think Recall anbd Click to Do are two great ways of improving the user experiance and taking advanatge of the NPU and AI functionallity in a Copilot+ PC. As of this blog post being written, this is still a preview feature and things might change when this is released in GA.

    I still think it’s a great way to explore how you can use Recall, and find out what limitaitons you need to set for your users. So as always, Windows Insider gives you a sneak peak of what’s to come and something you really should make use of.

    What I do want to point out is that all snapshots are processed and stored locally, protected by Windows Hello to limit unauthorized access to your snapshots. Even if they are protected, it could however be a good idea to think about what sites you should add to a filter.

  • Moving to cloud native

    Moving to cloud native

    Let’s imagine for a second that you are a large, global organization and you are managing the fleet of PCs.

    In a traditional setup you probably have a Configuration Manager server and probably a bunch of distribution points.

    On top of this, you each month must distribute security updates to all your global device estate. And make sure your golden image is patched. Not only this, you also need to maintain your infrastructure, keeping Configuration Manager up to date, the server it runs on and also all those distribution points. Not to forget troubleshooting when a distribution point stops and a region +8 hours from your time zone can’t PXE-boot computers.

    You have all heard the marketing pitch because cloud native is the future. But if we instead take an approach to discuss this from a business and operations perspective, we can find some other interesting angles.

    Background

    What I do in my professional life is mostly to advise and help customer moving to a cloud native platform for device management. I’ve been working with Microsoft Intune since 2013, so I’ve seen all the itterations of the platform. I’ve also seen what works and what didn’t work.

    Back in 2013, going cloud native was not a thing, even though Windows 8 acutally supported MDM enrollment. Back then we were more talking full management or light management. Intune was the light managed way doing things since there were simply not yet feature parity.

    Windows 10 brought a whole lot of new benefits to cloud. You could now argue that you could make the shift to Intune only and onboard using the new cool Windows Autopilot.

    Fast forward to 2025 and Windows 11. We now have feature parity in MDM polices vs GPOs (even if it’s not a 1:1 translation), and moving to the cloud is something everyone is talking about. Not everyone has moved, but from what you hear peers, customers and people within the community everyone is looking at “how should we do the transition”.

    Moving to cloud native is not only a “keeping up with the IT landscape”. It can also be a huge cost save for a lot of organizations. No more servers, no more imageing, no more maintaining images. It’s simply just more streamlined.

    Common pitfalls

    There are A LOT of pitfalls out there when it comes to moving to Intune. I thought I would cover a few which I tend to see more often. Not all of these are technical. Because to be 100% honest, the technology isn’t the biggest issue here.

    Doing things like we have always done

    Moving to cloud native means doing things in a new way. I’ve seen way to many attempts at moving to cloud native which fails because you don’t embrace change. An Entra ID/Intune managed device is not exactly the same as a Active Directory/ConfigMgr managed device. Gone are the days of imaging and GPupdate, we now have Windows Autopilot and syncing with Intune.

    Cloud native will mean that we will have to do things different, and it’s not bad. Just different. Many things we have done for the last 30 years with managing devices (yes, the first version of ConfigMgr called SMS 1.0 was release over 30 years ago in 1994).

    We need to embrace change and adopt the new ways of working. If we don’t do that, we will never reach all the way. This is where many project fails.

    Doing everything at once

    The cloud journey looks very different for all companies, even though we want to accomplish the same things. But doing big shift actually impacts user productivity and we need to be smart of what changes we introduce.

    Looking at Sweden, a lot of companies are combining their Windows 11 migrations project with a Cloud Native project. This is a great idea since we are doing a big shift in the client anyway. However, time is running out for Windows 10, so today we need to prioritize whats actually important.

    But splitting the cloud journey into smaller pieaces could be easier for many, but we can run a lot of these projects in parallel.

    Migrating everything

    Think about all your GPOs. You have built that over a larger number of years, probably mostly adding to it and never really done a cleanup. A lot of these policies might been configured for Windows 7, and operating system which was released in 2009. You probably don’t need to migrate those settings to your brand new Windows 11 platform since a lot does not apply in the cloud and many are even depricated.

    There is really no point in walking through each and everyone of your old setting, trying to find the Intune equalent for it. A much better idea is to look at what you had, implement either the Microsoft Security Baseline or the Open Intune Baseline. Then go look at your old environment or your security requirements and look for what is missing and what makes sense. There is a GPO analytics tool in Intune, but for experience I would say that starting over is a much better idea since you will leave all your Windows 7 and Windows XP settings behind!

    Setting the bar way to high

    One of the most common things I see when working with customers who are moving from ConfigMgr is like I mentioned, we don’t embrace change. But one more things is thinking that we need to make it perfect in our first Proof of Concept or Pilot, which isn’t really a realistic approach. You need to start somewhere, so find your minimum viable product (MVP). What do we need to have inplace to do a successfull pilot. What I’ve seen with the more successfull projects I’ve been involed in, this has been the MVP:

    • Windows Autopilot for onboarding
    • Security baseline
    • Wi-Fi
    • VPN
    • Base applications (the crucial ones for your pilot group)
    • Compliance policies

    One more thing to keep in mind when moving towards a cloud native client is that your pilot and initial rollout might not need to suite 100% of your users. You will have some more cumbersome scenarios like dependency on on-premises or problematic applications. Don’t let this stop you, instead have them in a later phase of your project. Put them on hold, just like you would do with Windows feature updates. Once you have completed your first scenario, move on to the next!

    Moving all extisting devices

    This is a controversial one. Eventhough it’s nice to have all your devices as cloud native, but the only way to migrate devices from hybrid to cloud native in a supported way is by resetting the device. And this might not be the most productive way of making this shift, since it means actuall downtime for the end-user.

    Microsoft recommends to keep hybrid devices in hybrid until they needs to be reinstalled or replaced. Since we can still move to a 100% Intune managed environment with hybrid devices, this could for larger organizations be a more cost efficient way of making the shift to Intune. Re-installting thousands of devices is time consuming.
    I’m not saying that you shouldn’t make the hard cut and re-install all your devices, but be aware of that there are alternatives eventhough it’s not a pure cloude native solution for all your exisiting devices going down this route.

    What’s your first action?

    But where should you get started? Well, making sure you have co-management/cloud attach enabled in Configuration Manager is a great first step, to enable the shift of workloads to the cloud.

    I would also recommend to start looking at setting up a small proof of concept or pilot in Intune, onboarding a few devices with the base applications and a first version of security baseline (use the Microsoft one or Open Intune Baseline mentioned earlier in the post). Register a few devices for Windows Autopilot manually and enroll them.

    Don’t make it to hard on your self, start small with the “simple” scenarios and let them test it. But set a strategy for this and make sure to track your progress and create a project of this. It’s a hard project to pull of as a line activity since there are a lot of moving parts, redesigning and new ways of working while you need to keep the light on for your production environment.

  • 5 reasons you should go cloud native with Windows 11

    5 reasons you should go cloud native with Windows 11

    Let’s talk about cloud-native management with Microsoft Intune and Windows 11 for a little while and dive into five reasons why you should make the move.

    In the endpoint management world, there are two major things we talk about right now: moving to Windows 11 (the deadline is getting closer and closer) and cloud-native.

    I’ve been an advocate for going cloud-native for about 10 years now, but it has changed names over the years from modern management, cloud-only, to cloud-native management.

    But let us first define what we mean by cloud-native.

    Definition

    By “cloud-native,” we mean a device that is 100% managed using cloud services, such as Microsoft Intune. We are not doing hybrid join; we are utilizing Entra ID (previously known as Azure AD). This means that we DO NOT have the computer object in the on-premises AD, and we need to use modern ways to authenticate. In a true cloud-native setup, we should not be reliant on any on-premises resources, but if we look at reality, we will most typically see that we have some connector for, e.g., certificates using SCEP/NDES.

    For cloud-native device management, we don’t need to consider where the user has their primary source, whether that is Entra ID or Active Directory. So if you want to go cloud-native, you don’t need to move your master data to Entra ID, but you need to make sure that you have your users in Entra ID (which you probably already have if you are using any Microsoft cloud services like Microsoft 365, Teams, or Intune).

    Reason #1 – Reduce complexity

    Managing IT infrastructure can often be a complex and time-consuming task. By leveraging cloud-native management with Microsoft Intune, organizations can streamline their processes and reduce the complexity associated with traditional IT management. This approach simplifies device provisioning, configuration, and maintenance, allowing IT teams to focus on more strategic initiatives.

    By moving to cloud-native device management, we can reduce the number of dependencies we have on our on-premises system, such as connectors for hybrid join. We can also reduce the total footprint for the service since we can decommission and repurpose servers previously used for, e.g., Configuration Manager services.

    Since we rely on a SaaS setup, we don’t need to think about keeping our management platform up to date; that will happen automatically on a weekly basis.

    Reason #2 – Increase security and compliance

    Security and compliance are critical concerns for any organization. Cloud-native management with Microsoft Intune provides robust security features and compliance tools that help protect sensitive data and ensure adherence to regulatory requirements. With advanced threat protection, automated policy enforcement, and real-time monitoring, organizations can safeguard their IT environment against potential threats.

    Since we have our management tool in the cloud, this also means that our devices do not have to “call home” to be able to talk to our services. Since Microsoft Intune talks through the internet, we can make sure that the users have the latest updates and security configurations regardless of whether they are working in the office or remotely. We can also measure device compliance to make sure that the device lives up to our requirements before accessing corporate resources.

    Reason #3 – Adopt to an ever-changing IT landscape

    The IT landscape is constantly evolving, and organizations need to be agile to keep up with these changes. Cloud-native management with Microsoft Intune enables businesses to quickly adapt to new technologies, software updates, and changing user needs. This flexibility ensures that organizations remain competitive and can efficiently respond to emerging trends and challenges.

    Utilizing cloud services for management means that you do not need to think about keeping your device management tool up to date; that is kept up to date for you since Microsoft Intune is a SaaS offering. This will make sure you get the latest features and tools faster, without needing to plan for maintenance windows. You can also more easily make sure to provide your users with the latest tools by utilizing faster and automated deployment flows for applications and the latest updates.

    Reason #4 – Improve user satisfaction

    User satisfaction is a key factor in the success of any IT initiative. Cloud-native management with Microsoft Intune enhances the user experience by providing seamless access to applications and resources, regardless of the device or location. With intuitive self-service options and consistent performance, users can enjoy a more productive and satisfying work experience.

    We should not forget about one of the most crucial elements of device management: the person who uses the device, the end-user.

    Hearing people complain about their work computer not working like they are expecting is outdated. You can remove the need to be at the office for updates or having to download applications through VPN. Using cloud-native device management, you can fully support the hybrid workplace, providing an excellent end-user experience regardless of whether the user is working at the office, from home, or in any other location.

    Reason #5 – Enhance scalability and flexibility

    With cloud-native management, organizations can easily scale their IT infrastructure up or down based on demand. This flexibility ensures that resources are used efficiently, and it allows businesses to quickly adapt to changing needs without significant downtime or additional costs.

    No need to think about if you need to scale up or down, outside of licenses. This means that your environment grows without, and all you need to do is make sure you have enough licenses. This frees up a lot of time for your system administrators who would otherwise also need to plan for scaling up or down based on what happens in your organization. This will also make it easier to grow at a lower cost since we do not need to think about setting up infrastructure in that new branch office on the other side of the world. All you need are licenses for your new users, and you are ready to go!

    Closing reflections

    I’ve been pushing for going cloud-native for almost the last 10 years, and I still strongly believe that this is the future for endpoint management. So far, I’ve helped a lot of larger companies make the shift, and it works really well. Sure, there are hiccups initially, but that goes for all new services, and we need to adapt the way we work as IT admins to make this a successful transformation. We cannot bring our old ways of doing things; we need to adapt to our new tools. As long as we try to work the old way with a new tool that was not built for doing it the same, it will be an uphill battle.

    But if we can see the new possibilities with cloud-native and what it brings us, things will get easier. And it’s a moving target. Microsoft Intune has developed tremendously over the last couple of years, and we will probably see even more improvements as we go.

    I will leave you with an interesting reflection I’ve made. Larger enterprises, at least in Sweden, are more keen on moving to cloud-native than smaller organizations. Sure, the IT organization of a large enterprise can take on a larger workload making the move, but the small IT organizations would benefit just as much from the lower running cost of being cloud-native.

  • Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Some of you might have noticed that when updating a Windows 365 Cloud PC to Windows 11 24H2, the shutdown button appears out of nowhere in the start menu, which can cause some weird behavior for the end-users.

    Shutting down the Cloud PC isn’t really anything you should be bothered with. Restarting, yes, but if you do a shutdown, it will boot back up again within a few minutes.

    With the Windows 11 24H2 update to Windows 365, if you upgrade from an earlier Windows 11 version, this registry value will be reset.

    While I still encourage you to provide feedback to Microsoft, the fix for this problem is fairly simple!

    There are two ways we could go about addressing this. We could either create a configuration using the Settings Catalog or use proactive remediation. We will get the same result in the end, so it depends on how you like to do it. I will show you both ways in this blog post, and how you can configure it.

    Settings catalog

    In Microsoft Intune, head into Devices > Windows > Configuration and create a new configuration profile by clicking “+ Create“. Select Settings catalog as the profile type and click create.

    Give the profile a good name which makes sense in your environment.

    Search for “Start” and find “Hide Shutdown” in the list, then check the checkbox next to it. Close the fly-out.

    Make sure to enable the setting before moving to the next step.

    In my case, I will skip scope tags and move straight to Assignments, where I select “All devices” and filter out Windows 365 with a filter.

    Last step is to review and create the policy. And then you just need to wait for the policy to apply.

    Proactive remediation

    The scripts

    The easiest way to deploy a scripted solution for this is to use remediation, since then we can also get feedback on how many devices had this issue. We can have it continuously checking or just run once.

    But in order to set up a remediation, we need a detection and a remediation script (you could run everything in the detection script, but you won’t get any feedback if you want to run it more than once).

    You can find the scripts either on my GitHub repository or just copy them from here.

    Detection script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value

# Define the registry path and value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$valueName = "value"

# Check the current value
$currentValue = (Get-ItemProperty -Path $registryPath -Name $valueName).$valueName

# Check the value and set the appropriate exit code
if ($currentValue -eq 1) {
    Write-Output "Registry value is set to 1."
    exit 0
} else {
    Write-Output "Registry value is not set to 1."
    exit 1
}

    Remediation script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$registryName = "value"
$registryValue = 1

# Set the registry value
Set-ItemProperty -Path $registryPath -Name $registryName -Value $registryValue

Write-Output "Registry value updated successfully."

    Intune part

    In Microsoft Intune, navigate to Devices > Scirpts and remediations.

    Select “+ Create” in the ribbon and give your remedation a good name, then press next.

    Now we will add the detection and remediation scripts, which you need to save as PowerShell scripts on your device to upload to Microsoft Intune. Change the “Run script in 64-bit PowerShell” to yes, but leave all the other options at their default values and press next.

    On the Assignment tab, select your target group. I’m using “All devices” with a filter for Windows 365.

    On this step, you also set the schedule by pressing on the text “Daily”, which is the default value. You can then choose if you want it to run once, hourly, or daily.

    When you have selected your schedule, press next to review your settings before pressing create.

    And now we wait until the remedation runs…

    Monitoring the remediation

    You can follow up the progress of your remediation by checking the device status on the remediation you just created.

    In this view, you can follow up on individual devices and see how many devices were affected.

    If the script detects that the value is set to anything other than “1”, it will run the script to fix it, and you can see here if the issue was fixed or not. This is not dependent on whether the script runs on a schedule or just once; you will still get feedback if any issues were found.

    What happens on the Cloud PC?

    Both ways will give the same end result for the end-user: the shutdown button will disappear, removing the option to shut down the Cloud PC (which is good).

    Take aways

    I’m not saying that one way or the other is the correct way; it’s just different ways to address the problem. Both of them have advantages, where the settings catalog will set the value and always keep it that way, and the remediation will check if the value is incorrect and change it if needed.

    You can also reuse this script for other registry entries you would like to change, so feel free to reuse it!

  • Master the Copilot button on Copilot+ PCs

    Master the Copilot button on Copilot+ PCs

    As you might know, there is a new category of PCs out there called Copilot+ PCs. These are defined by primarily two things, they have an NPU with over 40 TOPS (trillion operations per second), and they have the Copilot button on the keyboard. Of course they also run Windows 11.

    As per writing this blogpost, we have mainly seen ARM based Copilot+ PCs. But x86 based versions from AMD and Intel is around the corner!

    One thing that has gain a lot of attention is the Copilot button. When the first devices were released this opened the consumer version of Copilot, the Microsoft Copilot app. This app does not work corporate environment, since we don’t get the “correct” version of Copilot. The Copilot we want to use is the Microsoft 365 Copilot where you sign in with your corporate credentials.

    There has been changes

    Since the October patches 2024, Microsoft has altered the behavior of the Copilot button based how you sign into your computer.

    Another change that has happened is that the Copilot in Windows (preview) experience has been removed and is replaced by either Microsoft Copilot app or Microsoft 365 app based on your scenario (see the table below).

    The following table will show you that based on you you authenticated onto you computer, different things will happen.

    ConfigurationCopilot experienceCopilot key invokes
    Copilot not enabled in environmentNeither Copilot in Windows (preview) nor the Microsoft Copilot app are present.Windows Search
    Copilot enabled + do not authenticate with Microsoft EntraCopilot in Windows (preview) is removed and replaced by the Microsoft Copilot app, which is not pinned to the taskbar unless you elect to do so.Microsoft Copilot app
    Copilot enabled + authenticate with Microsoft Entra + new deviceCopilot in Windows (preview) is not present. Microsoft Copilot is accessed through the Microsoft 365 app (after post-setup update).Microsoft Copilot within the Microsoft 365 app (after post-setup update).
    Copilot enabled + authenticate with Microsoft Entra + existing deviceCopilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft Copilot app.IT admins should use policy to remap the Copilot key to the Microsoft 365 app, or prompt users to choose.
    Source: Updated Windows and Microsoft Copilot experience | Microsoft Learn

    In a corporate world, we strive to have the Microsoft 365 app launching when pressing the Copilot button on the keyboard, since that’s where we can use the Microsoft 365 Copilot. So let’s walk though the different scenarios.

    New Copilot+ PCs

    If you are setting up a new Copilot+ PC (or resetting an existing one), there isn’t that much you need to do. As long as you get the October 2024 monthly security update installed, the Copilot button will remap to the Microsoft 365 app if signed in with an Microsoft Entra account and you have Copilot enabled in your environment, and it doesn’t need to be the “fancy” $30 per month version. If you have disabled Copilot, the button will (as the table says) open Windows ´Search instead.

    Existing Copilot+ PCs

    For your existing Copilot+ PCs which were setup prior to the release of the October 2024 monthly security update, you as an admin have to take action since the default value for users would be to launch the Microsoft Copilot app. This can be done in two ways, either prompt the users to make the change them self in Settings or push out a new configuration for the computers using a GPO or Intune CSP policy.

    Setting
    CSP./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
    Group policyUser Configuration > Administrative Templates > Windows Components > Windows Copilot > Set Copilot Hardware Key
    Source: Updated Windows and Microsoft Copilot experience | Microsoft Learn

    As of the latest service release of Microsoft Intune, you can now also do this usign Setting catalog, which is not yet reflected in the Microsoft documentation.

    Let’s have a look at how we set this up in Microsoft Intune. (UPDATED with settings catalog instructions)

    Navigate to the Microsoft Intune Admin Center and select Devices > Windows > Configuration and create a new policy. Select Windows 10 and later then Settings Catalog. Select it and click “Create“.

    We start by giving the new profile a name which makes sense in our environment. Then click Next.

    Next step is to add the setting by pressing +Add setting. Search for Windows AI and select the “Set Copilot Hardware Key (user)” setting.

    Close the flyout and enter the AUMID for the Microsoft 365 app.

    AUMID: Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub

    If you are not using Copilot and want to disable the button, set the value to 0 instead of the AUMID of the Microsoft 365 app.

    Click though the wizard and assign the profile to an applicable group.

    Review your configuration before creating.

    We have now successfully changed the behavior of the Copilot button on our Copilot+ PCs!

  • Keeping Windows up to date – 2024 edition

    Keeping Windows up to date – 2024 edition

    So back in 2019, when I first go back into blogging, I wrote a piece on how we at my former employer adopted a modern approach to digital workplace, transitioning into a more Windows as a service concept internally. If you have missed this post, please pause here and head over the post here and read it.

    Staying current in the new world – olastrom.com

    I wrote that post more than 5 years ago, in a world where Configuration Manager was still king and we were running Windows 10 in a large enterprise (over 35 000 managed Windows devices globally). We never ran the feature upgrades as projects, and neither should you!

    This post discussed they way Windows updates work for Windows 10, that we will see continuous innovation with several updates per year. Back then, Microsoft was still doing a spring and a fall release. This was a challenge to keep up with, and many reverted to “let’s at try to do one update per year” which for many was still a challenge. If you had this strategy, you usually went with the fall release since that was supported for longer than the spring release.

    Since 2021, Microsoft only does one update per year, which so far has always been a fall update. Each release is supported for 36 months, given that you run Windows Enterprise.

    But let’s talk about strategy to handle the Windows update cadence.

    Find your tools

    Since I’m a big cloud advocate, I will of course recommend to use Windows Update for Business to manage your Windows updates. This is also the recommended way by Microsoft, regardless if you are using Microsoft Intune or Configuration Manager to manage your devices. There is no reason to micro-manage the updates for the vast majority of your devices (there are of course exceptions), and since Windows 10 you cant really say no to update since they are all cumulative. If you skip the October patch, you will get them and bunch of more updates in November.

    So making use of the cloud and the smart logics actually built into these tools are great.

    If you really want to automate things, you can even move to Windows Autopatch which is almost like doing a set and forget setup. Microsoft will manage your whole setup and make sure your devices are kept up to date, and not updated all at once by using automated rings.

    But I really hope that you all have your monthly patching in order. Otherwise we have a different level of problem. So lets pivot and talk about the feature updates which is released once per year, what is often referred to as the 23h2 or 24h2 update by the IT community.

    What is a good practice?

    So if we look back at my old post, I actually talked about using deployment rings which is still a thing (if you look at how Autopatch configures it self, it will use rings).

    Whats important here is to devide this into several deployments, so we dont update everyone at the same time. A good practive could be:

    Ring 0: First evaluation group
    Ring 1: Second evaluation group/application testers
    Ring 2: Pilot group
    Ring 3: Broad deployment
    Ring 4: Devices which needs extra attention

    I think that in my original post I had 5 groups, but you can adopt this based on the size of your organization. The purpose of the first 3 groups in this scenario is validate and make sure we catch any compability issues. Any device you find that is cumbersome, or application which need additional testing or validation, you put in the last group to “buy time”. I By doing this, you don’t postpone the update for devices where this will work without any issues.

    But what if there are known issues with a certian device model? Well then Microsoft has implememnted something called safeguard hold which will pause the update for the affected devices, so we don’t brake devices and cause issues for the end user. If you want to read more about this, this is a great article covering this.

    Safeguard holds for Windows | Microsoft Learn

    By utilizing safeguard holds, we can increase the trust in that updates will work since the Windows Update service will block any devices with known issues from recieveing updates. This is also a strong argument to move towards Windows Update instead of using e.g. Windows Server Update Services (WSUS) to handle your updates since it will prevent those supprises. There are also a bunch of reports you can utilize to keep track of any safeguard holds you might be affected by.

    Setting up Windows Update for Business

    Windows Update for Business can be configured in a few different places. The best way, even if you are using Configuration Manager, is to utilize Microsoft Intune for this. If you are in a hybrid state, move the toggle in Configuration Manager to move the co-managed workload to for Windows Updates to Microsoft Intune. In Microsoft Intune, you then configure your different rings (the number depends on your needs, but at least three). There are many good guides around how to build this, even pre-made ones you can import from e.g. Open Intune Baseline.

    You can also enable Windows Autopatch which will create all the rings for you and populate all the groups.

    The important part is to create the rings and divide your devices amongst those rings, putting the correct devices in the correct rings. What is correct is based on your needs and your environment, there is no right or wrong here. In these rings you also define the amount of deferal days you want.

    Deferal days are the amount of days you want to postpone the update from the release date. There are a lot of different opinions on the cadence here, but it could be a good idea to aim to have ring 0 running the new update within the first two weeks to start evaluating. Then aim to have moved through the rings to your broad deployment within 3-4 months. There is usually no need to rush things, since we need to combine this with end-user communications to communicate any changes in the operating system. If you want to have broad deployments around 5-6 months later, that is perfectly fine to. This comes down to how fast you as an organization can move. But keep in mind that your “upgrade later” group, my ring 4, needs to be even further away. However, the ambition is that this ring should always be empty so as problems gets resolved you move those devices back to the earlier rings.

    What is important to keep in mind, is that you need to be able to repet this process every year on a 12 month cycle. So don’t build it to complex!

    What is the point behind this post?

    My idea behind revisiting this topic is that I still see a lot of companies struggle with this concept. Feature updates are handled as projects and treated as something that is scary.

    We have had great tools to manage this for several years now, and Microsoft has done a great job improving on these tools over the years, giving us more options and better reporting.

    It’s about time that we stop micro-manage our Windows updates and put out trust into the tools, so we can spend our time doing something more productive than running project to catch up with the feature updates. If we fall one or two versions behind, we all of a sudden need to catch up and then it becomes a project.

    I also want to highlight that I’m not just pushing the Microsoft message here. I have worked with several large customers who runs this smoothly as part of their daily operations. Once a Feature update is released, the process kicks in and ring 0 gets the update within a few days to validate that nothing breaks, and then it starts moving between the rings. Not everyone fully automates their rings, but the concept is still there and no internal projects to upgrade Windows is initiated. It’s all business as usual.

    So creating a great strategy to handle Windows updates going forward is key, envisioning that “Windows as a Service” which we talked about a few years back, where Windows just keeps evolving and we don’t have to spend that much time thinking about updates.

  • Windows 365 Link – What’s the fuzz all about?

    Windows 365 Link – What’s the fuzz all about?

    One of the things that it felt like a lot of people during Microsoft Ignite were really excited about, at least people working in the device management space, was the announcement of Windows 365 Link. A small black box with the Microsoft logo on it.

    Front and side view of Windows 365 Link device (cube shape)

    What I do think, after seeing a lot of posts on social media about it, is that some people didn’t exactly get what it is (but they were still excited). There were talk about “What’s the performance on this thing?”, “Can I use it as a media center?” and “Those are only legacy ports”.

    Well this isn’t your regular computer. This is what the IT business has defined as a thin client for several years, but done in a more Microsoft way! And that is actually the reason I’m excited. It’s a Microsoft device, running Windows, which we can use for ONLY connecting to the Windows 365.

    Let’s dig into what this device is, and what it isn’t!

    What it is and what it isn’t

    So let’s start of by talking about what this device is.

    This is a small, fanless, computer made out of 90-100% recycled material (90% recycled aluminum, 100% recycled copper and  96% recycled tin solder). It also runs Windows, but not your regular Windows 11. This runs a special version called Windows CPC which has been developed specifically for this device. The Windows CPC operating system is stripped of all things that are not needed to keep the device secure and being able to use Windows 365. So if you where hopeing that you would get the Microsoft version of a Mac Mini, I’m afraid you will be disapointed. If you had you hopes up that this would be your new NUC or media PC, you will have to rethink why you should get this device.

    It’s also has a lot of what some people would concider “legacy” ports. But imagine the usecase for this. Maybe a call center, hot desking scenario or maybe even a sales station. If we take an honest look at what our perifirals are using today out in the business, we will see a lot of USB type A cabels for our mouse, keyboards and headsets. So keeping in mind where this device belongs, it makes sense at least to me since we will see USB type A for a forseeable future in those scenarios.

    I think what is important to point out as well is that this device is secure by default. All applicable secuirut features (TPM, Bitlocker, SecureBoot, Hypervisor Code Integrity, Defender for Endpint) are enabled and CANNOT be turned off. This to make sure that this device is as secure as can be at all points. We can also use FIDO keys to easily sign into our Windows 365 session!

    But I want to manage this thing!

    Like I said, this is a purpose built device for Windows 365 and what makes it special is that its running a specialized version of Windows. This also means that we can manage it from Microsoft Intune. No need to have yet another tool to manage your thin clients. For me, not beeing a hardcore EUC person, this is a kille feature.

    In my experiance, a lot of device management teams always strive to minimize and optimize the amount of tools used to manage the workplace. If we can have everything in Microsoft Intune, that is a strong selling point in my book. I understand that others might not feel this way, but let’s face it, there are a lot of other great products that you can use in that case! Same thing goes for if you are looking to use this for Azure Virtual Desktop or DevBox. This is Windows 365 only.

    Given that it’s Windows based and we can manage it from Microsoft Intune, guess how we onboard this device? Ofcourse we will use Windows Autopilot. In the demos shown at Ignite, this process was very fast since not that much needs to happen. It will be very interesting seeing this one in live action when released!

    When can I get my hands on this device?

    Microsoft announced at Microsoft Ignite 2024 that this device will be launhed in public preview in January 2025, and to get in the preview you will need to talk to your Microsoft sales contacts. The launch of this device in general availability will be around April in 2025 and will cost $349.

    Screenshot of Windows 365 Link device (cube shape) between and connected to two monitors

    The announced countires which will initially be supported in the preview are United States, Canada, United Kingdom, Germany, Japan, Australia, and New Zealand.

    So getting your hands on this device might not be that easy, but worth a try if you have some awesome usecases you want to use this in. It has great potential, but for some really specific usecases. I’m not seeing this as the device for all information workers, but it could be a great fit for frontline workers who comes and goes, especially between different places.

    If you want to read more about the Windows 365 Link, check out the Microsoft blog post which was released during Microsoft Ignite.

    My thoughts on the Windows 365 Link

    So what are my thoughts on this device?

    In my world this will simplify the adoption of virtual clients even more for a lot of organizations. Organizations already running VDIs and have a big infrastructure in place around thin clients might just say that “we have been doing this for X amount of years, this isn’t new”. Then this device might not be for you initially to be honest.

    But if you are looking into moving into a virtualization space, or want to get rid of those dreadfull shared computers your frontline workers are using. This is a very easy way forward if you combine it with Windows 365 Frontline!

    Microsoft is also pushing a lot for sustainability with the Windows 365 Link, and it’s great that this has been a big part of the product development (I love it). But let’s face it, the best option from a sustainability perspective is to re-use old hardware that you already have, and there are great options to do this using e.g. IGEL OS or simply build a Windows based kiosk device.

    But if you want to keep everything in Microsoft Intune and don’t really have any old hardware you can repurpose, this is a great option. I’m really curious to see how this device performs out in the wild, and how the look and feel is.

    Oh and did you notice that I didn’t mention any hardware specs? Well since we will run everything in the cloud, that doesnt really matter to be honest as long as it’s powerfull enought. My guess is that the public preview being launched will show if that is the case or not!

  • Microsoft Ignite 2024 Recap

    Microsoft Ignite 2024 Recap

    Microsoft Ignite 2024 was once again back in Chicago, where it all started in 2015. I remeber having such FOMO not being able to go there, since one of my favourite bands at the time (the Chigaco band Fall Out Boy) played at Ignite.

    But it was great being back at a large event, and Microsoft does a good job running big events. This was still a “small” Ignite with about 10 000 participants, but that is still A LOT of people. I went there with my colleagues from Advania, which was a lot of fun!

    The red tread through Ignite 2024 was of course Copilot, “the UI of AI”. So it was Copilot everything, and you can really tell that this is the big bet going forward. So if you haven’t paied attention to Copilot yet, now is the time to start.

    But since that Copilot is the big thing, I decided to actually put Copilot into good use and help me find all the important updates around Windows, Windows 365 and Intune for this blog post. This is the prompt I used to create my draft, it did however miss a few important points so consider using this prompt for drafts.

    Can you help me gather all news around Windows, Windows 365 and Microsoft Intune from Microsoft Ignite 2024. I want to devided into each topic, with the topic stated as the H1 heading, and then each news per area as H2 headings.
for each news, write a short descriptive text.
make sure to only reference Microsoft sources

    Microsoft gathers all news from Ignite in the Book of News which was released on the first day of Microsoft Ignite. If you want to check out the full list, you can find the Book of News 2024 here.

    It was also great meeting all the community people which I haven’t seen in a while, both MVPs and Microsoft people.

    Windows

    Windows Resiliency Initiative

    Microsoft introduced the Windows Resiliency Initiative to enhance the reliability and security of Windows. This initiative aims to allow more applications to run without requiring admin privileges, implement stronger controls for apps and drivers, and improve identity protection. These measures are designed to make Windows more robust and secure for all users[1].

    Windows Hotpatching

    Windows 11 Enterprise, version 24H2, introduces hotpatch updates that apply security patches immediately without requiring a restart, reducing disruptions. Devices receive a standard monthly security update and restart in the first month of each quarter, followed by hotpatch updates in the next two months. Managed via Intune and Windows Autopatch, hotpatching can auto-detect eligible devices and streamline update deployment. The public preview invites user feedback to improve the service before general availability, with more information to be shared as the rollout continues.

    Read more here: Hotpatch for client comes to Windows 11 Enterprise

    Quick Machine Recovery

    This new feature allows IT administrators to remotely execute targeted fixes from Windows Update on PCs that are unable to boot. This capability is particularly useful for quickly resolving issues without needing physical access to the affected machines, thereby reducing downtime and improving efficiency[1].

    Collaboration with Endpoint Security Partners

    Microsoft is working closely with endpoint security partners to improve security and reliability. This collaboration includes new requirements for partners, such as controlled gradual rollouts and enhanced incident response processes. These efforts aim to ensure that security updates and patches are deployed smoothly and effectively[1].

    Windows Hello has been extended to support passkeys, offering a simpler and safer way to sign in. This enhancement aims to improve user convenience while maintaining high security standards[1].

    Administrator Protection

    This new feature allows employees to make system changes using temporary admin tokens. By granting temporary admin privileges, this feature enhances security by reducing the risk of unauthorized changes while still allowing necessary modifications[1].

    Read more about Administrator Protection here: Administrator protection on Windows 11

    Windows 365

    Windows 365 Link

    The Windows 365 Link is a new class of devices built to connect securely to Windows 365 in seconds. These devices are designed to provide a seamless and secure connection to the cloud, enabling users to access their Windows environment from anywhere[1].

    You can read more about the Windows 365 Link here: Windows 365 Link—the first Cloud PC device for Windows 365

    Windows 365 Frontline shared mode

    Windows 365 Frontline now supports shared mode for brief, ad-hoc tasks. This feature allows multiple users to share a single device for short-term tasks, improving flexibility and resource utilization[2].

    Want to read more? Check this official Microsoft blog post: Windows 365 Frontline shared mode now in public preview – Windows IT Pro Blog

    Windows in Mixed Reality

    Windows 11 capabilities are now available on mixed reality headsets like Meta Quest 3. This integration brings the power of Windows to the mixed reality space, enabling new immersive experiences and applications[2].

    Mobile Application Management (MAM)

    Enhanced device redirection and security features are now available on unmanaged devices. These improvements provide better control and security for mobile applications, even on devices that are not fully managed by IT[2].

    Microsoft Intune

    AI and Analytics

    Intune Enhanced device hardware inventory

    Intune now offers enhanced device hardware inventory, allowing administrators to query multiple devices and take remote actions based on the query results. This feature provides deeper insights and more control over the device fleet[3].

    You can read more here: Enhanced hardware inventory in Intune coming in December

    Security Copilot in Intune

    Security Copilot brings AI-powered endpoint security to Intune, offering real-time threat detection and response. This integration enhances the security posture of managed devices by leveraging advanced AI capabilities[3].

    Device Management

    Cross-Platform Device Inventory

    Intune’s device inventory capabilities are expanding to include iOS, Android, and macOS devices by early 2025. This expansion allows for comprehensive management of a diverse range of devices from a single platform[3].

    Enhanced macOS Management

    New options for certificate storage in the user keychain have been introduced for macOS devices. These enhancements improve the security and manageability of macOS devices within the Intune environment[3].

    Specialty Devices

    App Protection Policies for Apple Vision Pro

    Intune now supports configuring app protection policies and Conditional Access for Apple Vision Pro. This support ensures that these advanced devices can be securely managed and used within enterprise environments[3].

    EPM Support for ARM64

    Elevation requests from ARM64-based Windows devices are now supported in Intune. This feature allows for better management and security of ARM64 devices, which are becoming increasingly popular[3].

    References

    [1] Microsoft Ignite 2024: Embracing the future of Windows at work

    [2] Microsoft Ignite 2024 Book of News

    [3] Microsoft Intune news at Microsoft Ignite 2024

  • Let’s improve onboarding for Windows 365!

    Let’s improve onboarding for Windows 365!

    Through out the years, I’ve worked with a lot off different customers, and almost all of them use some kind of ITSM tool (such as Jira ServiceNow) to order new services and hardware for users. This is usually where Windows 365 is added as a service where I as an end user, or manager, can request it.

    But what if you don’t have an ITSM tool, but I still want to offer the self-service option?

    Well, in Entra ID there is something called “Access packages” which we can use for this puropse. If you want to read more about what that is, check out the Microsoft documentation here.

    With Access packages, we can create a self-service portal, where end-users can request memebership to a group. This group can then have a license tied to it, what is also known as Group Based Licensing. The user will then request membership to the group, you can add approvals and set a time frame that this membership should be valid. You can also add access reviews to check in with the user to see if they are still using the service.

    So let’s jump into how an easy setup of this would look like, and then have a look at the user experiance. However, this setup is assuming you have already setup group based licensing for Windows 365.

    This setup also assumes that you are targeting provisining policies to all users already (I’m using dynamic, country based groups as descibed in this post).

    Setting upp Access packages

    To set up access packages, we head into the Entra portal (https://entra.microsoft.com) and navigate to Identity > Identity Governance > Entitlement Management and then look for “Access packages” in the menu.

    We will just create a very basic setup for this, so lets go ahead and click on “+ New Access Package“. First step is to give your policy a name and descripton. Remeber, the description is a required field. We will leave the catalog to “General” which is the default value. When done, hit next on the bottom of the windows.

    Since we want to configure a memebership to a group, select the option “+ Groups and Teams” and find

    Since we are just going with default values, you might need to check the “See all Groups and Teams…” check-box in order to find your group. When you have found the group, click select. If you are not already targeting users with a provisioning group, you need to add that here as well.

    When you have added your group, remeber to change the Role to member before hitting next.

    In the next step, we will define our Request flow. In this example I will make this apply for all users in my tenant, and I will allow all users to place a request.

    The next part is to define the approval process. You can also remove approvals completely, but since Windows 365 comes with a cost we want a manager to approve this request. You can also add additional approvers if required. Default value is that manager will be the approved, and we will leave it to default. What you need to add is a “fallback” approver, and as you can see here I added my Help Desk team for this. Choose an approriate user/group for this task.

    Last step on this section, is to select how we will enable this request flow. I’ve also enabled the preview features for this example, but you dont need to do that. Just make sure to enable the top one since this is what makes this request available. We will skip the Verified ID part and press the Next button.

    On this step, we could add additional questions or justifications for the requestor, but we will leave this to default and press next. We will still get a question for business justification in the request.

    Next step is to set the lifecycle for this, which we in this case will set to 180 days since that is roughly 6 months. And just for the purpose of usign access reviews, we will enable that as well but leave all values to default. When you are done, press next until you reach “Review + Create“.

    On the last step, you can review all your settings before pressing Create. It will validate your configuration, and if you missed something or something is wrong it will ask you to correct this before moving forward.

    We have now successfully create a Access package for our Cloud PCs!

    Let’s have a look at what this looks like when a user requests this.

    The request flow

    The place where you need to direct your users for placing requests is https://myaccess.microsoft.com/ where they will see all available request packages for them. As you can see, I have three different access packages for Cloud PC I can request. To start a request, I simply click on “Request” on the service I want to request.

    This windows will then appear, and you just click continue.

    Next step is to add a business justification for my request, here I can also set it to a specific period if I like since we enabled that option when setting things up.

    I then submit the request and it is sent of to the approver, which in this case is the manager.

    Approver experiance

    When the request has been sent, the approved will recieve an email looking like this, where they are asked to approve the request. This email also contains the business justification added by the requestor.

    When the approver clicks the blue button in the email, they are redirected to the approval site on My Access.

    When the approved selects to approve the request, they will be asked to enter a justification before approval is sent.

    When the approver has approved the request, a confirmation email will be sent to the user. However, what is imporant to keep in mind is that this will initiate the provisioning of the Cloud PC.

    The process of provisioning will now start and the Cloud PC will be done within usually 30-40 minutes depending on how fast your provisining policy is!

    Key take aways

    Estalishing a good on- and off-boarding process is important in all IT organsations. This walk though shows you that you can establish this without setting up more advanced tools. However, this is not close to as powerful as proper ITSM tools, but you can build simpler request flows to suite your needs.

    This principle can also be applied to other things, not just Windows 365 and Cloud PCs.

  • Slimcore: Revolutionizing Teams for VDI Environments

    Slimcore: Revolutionizing Teams for VDI Environments

    Last week, Microsoft dropped a bombshell with the release of Slimcore for Teams, specifically designed for VDI environments. Let’s unpack what this means for us and how it can supercharge our virtual desktops.

    What is Slimcore?

    Slimcore is the new media engine for Teams, tailored for VDI setups like Azure Virtual Desktop and Windows 365. It’s packed with improvements that make Teams more efficient and user-friendly in virtual environments. No longer is the Teams client for VDI a long lost cousin of Teams, now we will see feature parity!

    Key Features and Benefits

    So what are the key features and benefits with moving to Slimcore from WebRTC?

    • Enhanced Performance: Slimcore cuts down on resource consumption, leading to faster call setup times and smoother performance. This is a game-changer for those of us juggling multiple virtual desktops.
    • High-Fidelity Media: Enjoy top-notch audio and 1080p video at up to 30fps. This ensures our meetings and presentations are crystal clear, even in a virtual setup.
    • Advanced Meeting Capabilities: Features like gallery view, custom backgrounds, and presenter mode are now available, making our virtual meetings more interactive and engaging.
    • Auto-Updates: The decoupled architecture allows for quicker feature rollouts without needing to overhaul the entire VDI infrastructure. Staying current with the latest features has never been easier.

    Installing Slimcore on Windows 365 Clients

    Prerequisites: Make sure you have the latest version of Microsoft Teams (version 24193.1805.3040.8975 or higher) and the Remote Desktop client (version 1.2.5405.0 or higher) or the new Windows app (version 1.3.252 or higher).

    Install the Plugin: The plugin (MsTeamsPluginAvd.dll) is bundled with both the Remote Desktop client and the new Windows app. It will automatically download and manage Slimcore. No admin rights or reboots are required.

    Verify Installation: After installation, the plugin will silently provision and register Slimcore for the user. You can verify this by check in the Teams client on the Cloud PC that the Slimcore client is being used by going to Settings – About Teams. Look for the text “AVD Slimcore Media Optimized”.

    User Experience Improvements

    One of the standout aspects of Slimcore is how it aligns the Teams experience between physical and virtual desktops. This consistency is crucial for user satisfaction and productivity. This gives the user a familiar experiance with the features they expect to find in Teams!

    Conclusion

    Slimcore is a significant step forward for Teams in VDI environments. It brings enhanced performance, high-fidelity media, and advanced meeting capabilities, all while simplifying updates and maintenance. If you haven’t tried it yet, now is the perfect time to explore what Slimcore can do for your virtual desktop setup.