olastrom.com

Author: Ola Ström

  • Keeping Windows up to date – 2024 edition

    Keeping Windows up to date – 2024 edition

    So back in 2019, when I first go back into blogging, I wrote a piece on how we at my former employer adopted a modern approach to digital workplace, transitioning into a more Windows as a service concept internally. If you have missed this post, please pause here and head over the post here and read it.

    Staying current in the new world – olastrom.com

    I wrote that post more than 5 years ago, in a world where Configuration Manager was still king and we were running Windows 10 in a large enterprise (over 35 000 managed Windows devices globally). We never ran the feature upgrades as projects, and neither should you!

    This post discussed they way Windows updates work for Windows 10, that we will see continuous innovation with several updates per year. Back then, Microsoft was still doing a spring and a fall release. This was a challenge to keep up with, and many reverted to “let’s at try to do one update per year” which for many was still a challenge. If you had this strategy, you usually went with the fall release since that was supported for longer than the spring release.

    Since 2021, Microsoft only does one update per year, which so far has always been a fall update. Each release is supported for 36 months, given that you run Windows Enterprise.

    But let’s talk about strategy to handle the Windows update cadence.

    Find your tools

    Since I’m a big cloud advocate, I will of course recommend to use Windows Update for Business to manage your Windows updates. This is also the recommended way by Microsoft, regardless if you are using Microsoft Intune or Configuration Manager to manage your devices. There is no reason to micro-manage the updates for the vast majority of your devices (there are of course exceptions), and since Windows 10 you cant really say no to update since they are all cumulative. If you skip the October patch, you will get them and bunch of more updates in November.

    So making use of the cloud and the smart logics actually built into these tools are great.

    If you really want to automate things, you can even move to Windows Autopatch which is almost like doing a set and forget setup. Microsoft will manage your whole setup and make sure your devices are kept up to date, and not updated all at once by using automated rings.

    But I really hope that you all have your monthly patching in order. Otherwise we have a different level of problem. So lets pivot and talk about the feature updates which is released once per year, what is often referred to as the 23h2 or 24h2 update by the IT community.

    What is a good practice?

    So if we look back at my old post, I actually talked about using deployment rings which is still a thing (if you look at how Autopatch configures it self, it will use rings).

    Whats important here is to devide this into several deployments, so we dont update everyone at the same time. A good practive could be:

    Ring 0: First evaluation group
    Ring 1: Second evaluation group/application testers
    Ring 2: Pilot group
    Ring 3: Broad deployment
    Ring 4: Devices which needs extra attention

    I think that in my original post I had 5 groups, but you can adopt this based on the size of your organization. The purpose of the first 3 groups in this scenario is validate and make sure we catch any compability issues. Any device you find that is cumbersome, or application which need additional testing or validation, you put in the last group to “buy time”. I By doing this, you don’t postpone the update for devices where this will work without any issues.

    But what if there are known issues with a certian device model? Well then Microsoft has implememnted something called safeguard hold which will pause the update for the affected devices, so we don’t brake devices and cause issues for the end user. If you want to read more about this, this is a great article covering this.

    Safeguard holds for Windows | Microsoft Learn

    By utilizing safeguard holds, we can increase the trust in that updates will work since the Windows Update service will block any devices with known issues from recieveing updates. This is also a strong argument to move towards Windows Update instead of using e.g. Windows Server Update Services (WSUS) to handle your updates since it will prevent those supprises. There are also a bunch of reports you can utilize to keep track of any safeguard holds you might be affected by.

    Setting up Windows Update for Business

    Windows Update for Business can be configured in a few different places. The best way, even if you are using Configuration Manager, is to utilize Microsoft Intune for this. If you are in a hybrid state, move the toggle in Configuration Manager to move the co-managed workload to for Windows Updates to Microsoft Intune. In Microsoft Intune, you then configure your different rings (the number depends on your needs, but at least three). There are many good guides around how to build this, even pre-made ones you can import from e.g. Open Intune Baseline.

    You can also enable Windows Autopatch which will create all the rings for you and populate all the groups.

    The important part is to create the rings and divide your devices amongst those rings, putting the correct devices in the correct rings. What is correct is based on your needs and your environment, there is no right or wrong here. In these rings you also define the amount of deferal days you want.

    Deferal days are the amount of days you want to postpone the update from the release date. There are a lot of different opinions on the cadence here, but it could be a good idea to aim to have ring 0 running the new update within the first two weeks to start evaluating. Then aim to have moved through the rings to your broad deployment within 3-4 months. There is usually no need to rush things, since we need to combine this with end-user communications to communicate any changes in the operating system. If you want to have broad deployments around 5-6 months later, that is perfectly fine to. This comes down to how fast you as an organization can move. But keep in mind that your “upgrade later” group, my ring 4, needs to be even further away. However, the ambition is that this ring should always be empty so as problems gets resolved you move those devices back to the earlier rings.

    What is important to keep in mind, is that you need to be able to repet this process every year on a 12 month cycle. So don’t build it to complex!

    What is the point behind this post?

    My idea behind revisiting this topic is that I still see a lot of companies struggle with this concept. Feature updates are handled as projects and treated as something that is scary.

    We have had great tools to manage this for several years now, and Microsoft has done a great job improving on these tools over the years, giving us more options and better reporting.

    It’s about time that we stop micro-manage our Windows updates and put out trust into the tools, so we can spend our time doing something more productive than running project to catch up with the feature updates. If we fall one or two versions behind, we all of a sudden need to catch up and then it becomes a project.

    I also want to highlight that I’m not just pushing the Microsoft message here. I have worked with several large customers who runs this smoothly as part of their daily operations. Once a Feature update is released, the process kicks in and ring 0 gets the update within a few days to validate that nothing breaks, and then it starts moving between the rings. Not everyone fully automates their rings, but the concept is still there and no internal projects to upgrade Windows is initiated. It’s all business as usual.

    So creating a great strategy to handle Windows updates going forward is key, envisioning that “Windows as a Service” which we talked about a few years back, where Windows just keeps evolving and we don’t have to spend that much time thinking about updates.

  • Windows 365 Link – What’s the fuzz all about?

    Windows 365 Link – What’s the fuzz all about?

    One of the things that it felt like a lot of people during Microsoft Ignite were really excited about, at least people working in the device management space, was the announcement of Windows 365 Link. A small black box with the Microsoft logo on it.

    Front and side view of Windows 365 Link device (cube shape)

    What I do think, after seeing a lot of posts on social media about it, is that some people didn’t exactly get what it is (but they were still excited). There were talk about “What’s the performance on this thing?”, “Can I use it as a media center?” and “Those are only legacy ports”.

    Well this isn’t your regular computer. This is what the IT business has defined as a thin client for several years, but done in a more Microsoft way! And that is actually the reason I’m excited. It’s a Microsoft device, running Windows, which we can use for ONLY connecting to the Windows 365.

    Let’s dig into what this device is, and what it isn’t!

    What it is and what it isn’t

    So let’s start of by talking about what this device is.

    This is a small, fanless, computer made out of 90-100% recycled material (90% recycled aluminum, 100% recycled copper and  96% recycled tin solder). It also runs Windows, but not your regular Windows 11. This runs a special version called Windows CPC which has been developed specifically for this device. The Windows CPC operating system is stripped of all things that are not needed to keep the device secure and being able to use Windows 365. So if you where hopeing that you would get the Microsoft version of a Mac Mini, I’m afraid you will be disapointed. If you had you hopes up that this would be your new NUC or media PC, you will have to rethink why you should get this device.

    It’s also has a lot of what some people would concider “legacy” ports. But imagine the usecase for this. Maybe a call center, hot desking scenario or maybe even a sales station. If we take an honest look at what our perifirals are using today out in the business, we will see a lot of USB type A cabels for our mouse, keyboards and headsets. So keeping in mind where this device belongs, it makes sense at least to me since we will see USB type A for a forseeable future in those scenarios.

    I think what is important to point out as well is that this device is secure by default. All applicable secuirut features (TPM, Bitlocker, SecureBoot, Hypervisor Code Integrity, Defender for Endpint) are enabled and CANNOT be turned off. This to make sure that this device is as secure as can be at all points. We can also use FIDO keys to easily sign into our Windows 365 session!

    But I want to manage this thing!

    Like I said, this is a purpose built device for Windows 365 and what makes it special is that its running a specialized version of Windows. This also means that we can manage it from Microsoft Intune. No need to have yet another tool to manage your thin clients. For me, not beeing a hardcore EUC person, this is a kille feature.

    In my experiance, a lot of device management teams always strive to minimize and optimize the amount of tools used to manage the workplace. If we can have everything in Microsoft Intune, that is a strong selling point in my book. I understand that others might not feel this way, but let’s face it, there are a lot of other great products that you can use in that case! Same thing goes for if you are looking to use this for Azure Virtual Desktop or DevBox. This is Windows 365 only.

    Given that it’s Windows based and we can manage it from Microsoft Intune, guess how we onboard this device? Ofcourse we will use Windows Autopilot. In the demos shown at Ignite, this process was very fast since not that much needs to happen. It will be very interesting seeing this one in live action when released!

    When can I get my hands on this device?

    Microsoft announced at Microsoft Ignite 2024 that this device will be launhed in public preview in January 2025, and to get in the preview you will need to talk to your Microsoft sales contacts. The launch of this device in general availability will be around April in 2025 and will cost $349.

    Screenshot of Windows 365 Link device (cube shape) between and connected to two monitors

    The announced countires which will initially be supported in the preview are United States, Canada, United Kingdom, Germany, Japan, Australia, and New Zealand.

    So getting your hands on this device might not be that easy, but worth a try if you have some awesome usecases you want to use this in. It has great potential, but for some really specific usecases. I’m not seeing this as the device for all information workers, but it could be a great fit for frontline workers who comes and goes, especially between different places.

    If you want to read more about the Windows 365 Link, check out the Microsoft blog post which was released during Microsoft Ignite.

    My thoughts on the Windows 365 Link

    So what are my thoughts on this device?

    In my world this will simplify the adoption of virtual clients even more for a lot of organizations. Organizations already running VDIs and have a big infrastructure in place around thin clients might just say that “we have been doing this for X amount of years, this isn’t new”. Then this device might not be for you initially to be honest.

    But if you are looking into moving into a virtualization space, or want to get rid of those dreadfull shared computers your frontline workers are using. This is a very easy way forward if you combine it with Windows 365 Frontline!

    Microsoft is also pushing a lot for sustainability with the Windows 365 Link, and it’s great that this has been a big part of the product development (I love it). But let’s face it, the best option from a sustainability perspective is to re-use old hardware that you already have, and there are great options to do this using e.g. IGEL OS or simply build a Windows based kiosk device.

    But if you want to keep everything in Microsoft Intune and don’t really have any old hardware you can repurpose, this is a great option. I’m really curious to see how this device performs out in the wild, and how the look and feel is.

    Oh and did you notice that I didn’t mention any hardware specs? Well since we will run everything in the cloud, that doesnt really matter to be honest as long as it’s powerfull enought. My guess is that the public preview being launched will show if that is the case or not!

  • Microsoft Ignite 2024 Recap

    Microsoft Ignite 2024 Recap

    Microsoft Ignite 2024 was once again back in Chicago, where it all started in 2015. I remeber having such FOMO not being able to go there, since one of my favourite bands at the time (the Chigaco band Fall Out Boy) played at Ignite.

    But it was great being back at a large event, and Microsoft does a good job running big events. This was still a “small” Ignite with about 10 000 participants, but that is still A LOT of people. I went there with my colleagues from Advania, which was a lot of fun!

    The red tread through Ignite 2024 was of course Copilot, “the UI of AI”. So it was Copilot everything, and you can really tell that this is the big bet going forward. So if you haven’t paied attention to Copilot yet, now is the time to start.

    But since that Copilot is the big thing, I decided to actually put Copilot into good use and help me find all the important updates around Windows, Windows 365 and Intune for this blog post. This is the prompt I used to create my draft, it did however miss a few important points so consider using this prompt for drafts.

    Can you help me gather all news around Windows, Windows 365 and Microsoft Intune from Microsoft Ignite 2024. I want to devided into each topic, with the topic stated as the H1 heading, and then each news per area as H2 headings.
for each news, write a short descriptive text.
make sure to only reference Microsoft sources

    Microsoft gathers all news from Ignite in the Book of News which was released on the first day of Microsoft Ignite. If you want to check out the full list, you can find the Book of News 2024 here.

    It was also great meeting all the community people which I haven’t seen in a while, both MVPs and Microsoft people.

    Windows

    Windows Resiliency Initiative

    Microsoft introduced the Windows Resiliency Initiative to enhance the reliability and security of Windows. This initiative aims to allow more applications to run without requiring admin privileges, implement stronger controls for apps and drivers, and improve identity protection. These measures are designed to make Windows more robust and secure for all users[1].

    Windows Hotpatching

    Windows 11 Enterprise, version 24H2, introduces hotpatch updates that apply security patches immediately without requiring a restart, reducing disruptions. Devices receive a standard monthly security update and restart in the first month of each quarter, followed by hotpatch updates in the next two months. Managed via Intune and Windows Autopatch, hotpatching can auto-detect eligible devices and streamline update deployment. The public preview invites user feedback to improve the service before general availability, with more information to be shared as the rollout continues.

    Read more here: Hotpatch for client comes to Windows 11 Enterprise

    Quick Machine Recovery

    This new feature allows IT administrators to remotely execute targeted fixes from Windows Update on PCs that are unable to boot. This capability is particularly useful for quickly resolving issues without needing physical access to the affected machines, thereby reducing downtime and improving efficiency[1].

    Collaboration with Endpoint Security Partners

    Microsoft is working closely with endpoint security partners to improve security and reliability. This collaboration includes new requirements for partners, such as controlled gradual rollouts and enhanced incident response processes. These efforts aim to ensure that security updates and patches are deployed smoothly and effectively[1].

    Windows Hello has been extended to support passkeys, offering a simpler and safer way to sign in. This enhancement aims to improve user convenience while maintaining high security standards[1].

    Administrator Protection

    This new feature allows employees to make system changes using temporary admin tokens. By granting temporary admin privileges, this feature enhances security by reducing the risk of unauthorized changes while still allowing necessary modifications[1].

    Read more about Administrator Protection here: Administrator protection on Windows 11

    Windows 365

    Windows 365 Link

    The Windows 365 Link is a new class of devices built to connect securely to Windows 365 in seconds. These devices are designed to provide a seamless and secure connection to the cloud, enabling users to access their Windows environment from anywhere[1].

    You can read more about the Windows 365 Link here: Windows 365 Link—the first Cloud PC device for Windows 365

    Windows 365 Frontline shared mode

    Windows 365 Frontline now supports shared mode for brief, ad-hoc tasks. This feature allows multiple users to share a single device for short-term tasks, improving flexibility and resource utilization[2].

    Want to read more? Check this official Microsoft blog post: Windows 365 Frontline shared mode now in public preview – Windows IT Pro Blog

    Windows in Mixed Reality

    Windows 11 capabilities are now available on mixed reality headsets like Meta Quest 3. This integration brings the power of Windows to the mixed reality space, enabling new immersive experiences and applications[2].

    Mobile Application Management (MAM)

    Enhanced device redirection and security features are now available on unmanaged devices. These improvements provide better control and security for mobile applications, even on devices that are not fully managed by IT[2].

    Microsoft Intune

    AI and Analytics

    Intune Enhanced device hardware inventory

    Intune now offers enhanced device hardware inventory, allowing administrators to query multiple devices and take remote actions based on the query results. This feature provides deeper insights and more control over the device fleet[3].

    You can read more here: Enhanced hardware inventory in Intune coming in December

    Security Copilot in Intune

    Security Copilot brings AI-powered endpoint security to Intune, offering real-time threat detection and response. This integration enhances the security posture of managed devices by leveraging advanced AI capabilities[3].

    Device Management

    Cross-Platform Device Inventory

    Intune’s device inventory capabilities are expanding to include iOS, Android, and macOS devices by early 2025. This expansion allows for comprehensive management of a diverse range of devices from a single platform[3].

    Enhanced macOS Management

    New options for certificate storage in the user keychain have been introduced for macOS devices. These enhancements improve the security and manageability of macOS devices within the Intune environment[3].

    Specialty Devices

    App Protection Policies for Apple Vision Pro

    Intune now supports configuring app protection policies and Conditional Access for Apple Vision Pro. This support ensures that these advanced devices can be securely managed and used within enterprise environments[3].

    EPM Support for ARM64

    Elevation requests from ARM64-based Windows devices are now supported in Intune. This feature allows for better management and security of ARM64 devices, which are becoming increasingly popular[3].

    References

    [1] Microsoft Ignite 2024: Embracing the future of Windows at work

    [2] Microsoft Ignite 2024 Book of News

    [3] Microsoft Intune news at Microsoft Ignite 2024

  • Let’s improve onboarding for Windows 365!

    Let’s improve onboarding for Windows 365!

    Through out the years, I’ve worked with a lot off different customers, and almost all of them use some kind of ITSM tool (such as Jira ServiceNow) to order new services and hardware for users. This is usually where Windows 365 is added as a service where I as an end user, or manager, can request it.

    But what if you don’t have an ITSM tool, but I still want to offer the self-service option?

    Well, in Entra ID there is something called “Access packages” which we can use for this puropse. If you want to read more about what that is, check out the Microsoft documentation here.

    With Access packages, we can create a self-service portal, where end-users can request memebership to a group. This group can then have a license tied to it, what is also known as Group Based Licensing. The user will then request membership to the group, you can add approvals and set a time frame that this membership should be valid. You can also add access reviews to check in with the user to see if they are still using the service.

    So let’s jump into how an easy setup of this would look like, and then have a look at the user experiance. However, this setup is assuming you have already setup group based licensing for Windows 365.

    This setup also assumes that you are targeting provisining policies to all users already (I’m using dynamic, country based groups as descibed in this post).

    Setting upp Access packages

    To set up access packages, we head into the Entra portal (https://entra.microsoft.com) and navigate to Identity > Identity Governance > Entitlement Management and then look for “Access packages” in the menu.

    We will just create a very basic setup for this, so lets go ahead and click on “+ New Access Package“. First step is to give your policy a name and descripton. Remeber, the description is a required field. We will leave the catalog to “General” which is the default value. When done, hit next on the bottom of the windows.

    Since we want to configure a memebership to a group, select the option “+ Groups and Teams” and find

    Since we are just going with default values, you might need to check the “See all Groups and Teams…” check-box in order to find your group. When you have found the group, click select. If you are not already targeting users with a provisioning group, you need to add that here as well.

    When you have added your group, remeber to change the Role to member before hitting next.

    In the next step, we will define our Request flow. In this example I will make this apply for all users in my tenant, and I will allow all users to place a request.

    The next part is to define the approval process. You can also remove approvals completely, but since Windows 365 comes with a cost we want a manager to approve this request. You can also add additional approvers if required. Default value is that manager will be the approved, and we will leave it to default. What you need to add is a “fallback” approver, and as you can see here I added my Help Desk team for this. Choose an approriate user/group for this task.

    Last step on this section, is to select how we will enable this request flow. I’ve also enabled the preview features for this example, but you dont need to do that. Just make sure to enable the top one since this is what makes this request available. We will skip the Verified ID part and press the Next button.

    On this step, we could add additional questions or justifications for the requestor, but we will leave this to default and press next. We will still get a question for business justification in the request.

    Next step is to set the lifecycle for this, which we in this case will set to 180 days since that is roughly 6 months. And just for the purpose of usign access reviews, we will enable that as well but leave all values to default. When you are done, press next until you reach “Review + Create“.

    On the last step, you can review all your settings before pressing Create. It will validate your configuration, and if you missed something or something is wrong it will ask you to correct this before moving forward.

    We have now successfully create a Access package for our Cloud PCs!

    Let’s have a look at what this looks like when a user requests this.

    The request flow

    The place where you need to direct your users for placing requests is https://myaccess.microsoft.com/ where they will see all available request packages for them. As you can see, I have three different access packages for Cloud PC I can request. To start a request, I simply click on “Request” on the service I want to request.

    This windows will then appear, and you just click continue.

    Next step is to add a business justification for my request, here I can also set it to a specific period if I like since we enabled that option when setting things up.

    I then submit the request and it is sent of to the approver, which in this case is the manager.

    Approver experiance

    When the request has been sent, the approved will recieve an email looking like this, where they are asked to approve the request. This email also contains the business justification added by the requestor.

    When the approver clicks the blue button in the email, they are redirected to the approval site on My Access.

    When the approved selects to approve the request, they will be asked to enter a justification before approval is sent.

    When the approver has approved the request, a confirmation email will be sent to the user. However, what is imporant to keep in mind is that this will initiate the provisioning of the Cloud PC.

    The process of provisioning will now start and the Cloud PC will be done within usually 30-40 minutes depending on how fast your provisining policy is!

    Key take aways

    Estalishing a good on- and off-boarding process is important in all IT organsations. This walk though shows you that you can establish this without setting up more advanced tools. However, this is not close to as powerful as proper ITSM tools, but you can build simpler request flows to suite your needs.

    This principle can also be applied to other things, not just Windows 365 and Cloud PCs.

  • Slimcore: Revolutionizing Teams for VDI Environments

    Slimcore: Revolutionizing Teams for VDI Environments

    Last week, Microsoft dropped a bombshell with the release of Slimcore for Teams, specifically designed for VDI environments. Let’s unpack what this means for us and how it can supercharge our virtual desktops.

    What is Slimcore?

    Slimcore is the new media engine for Teams, tailored for VDI setups like Azure Virtual Desktop and Windows 365. It’s packed with improvements that make Teams more efficient and user-friendly in virtual environments. No longer is the Teams client for VDI a long lost cousin of Teams, now we will see feature parity!

    Key Features and Benefits

    So what are the key features and benefits with moving to Slimcore from WebRTC?

    • Enhanced Performance: Slimcore cuts down on resource consumption, leading to faster call setup times and smoother performance. This is a game-changer for those of us juggling multiple virtual desktops.
    • High-Fidelity Media: Enjoy top-notch audio and 1080p video at up to 30fps. This ensures our meetings and presentations are crystal clear, even in a virtual setup.
    • Advanced Meeting Capabilities: Features like gallery view, custom backgrounds, and presenter mode are now available, making our virtual meetings more interactive and engaging.
    • Auto-Updates: The decoupled architecture allows for quicker feature rollouts without needing to overhaul the entire VDI infrastructure. Staying current with the latest features has never been easier.

    Installing Slimcore on Windows 365 Clients

    Prerequisites: Make sure you have the latest version of Microsoft Teams (version 24193.1805.3040.8975 or higher) and the Remote Desktop client (version 1.2.5405.0 or higher) or the new Windows app (version 1.3.252 or higher).

    Install the Plugin: The plugin (MsTeamsPluginAvd.dll) is bundled with both the Remote Desktop client and the new Windows app. It will automatically download and manage Slimcore. No admin rights or reboots are required.

    Verify Installation: After installation, the plugin will silently provision and register Slimcore for the user. You can verify this by check in the Teams client on the Cloud PC that the Slimcore client is being used by going to Settings – About Teams. Look for the text “AVD Slimcore Media Optimized”.

    User Experience Improvements

    One of the standout aspects of Slimcore is how it aligns the Teams experience between physical and virtual desktops. This consistency is crucial for user satisfaction and productivity. This gives the user a familiar experiance with the features they expect to find in Teams!

    Conclusion

    Slimcore is a significant step forward for Teams in VDI environments. It brings enhanced performance, high-fidelity media, and advanced meeting capabilities, all while simplifying updates and maintenance. If you haven’t tried it yet, now is the perfect time to explore what Slimcore can do for your virtual desktop setup.

  • Where is device heading

    Where is device heading

    I started a blogpost something like this about 4 years ago:

    “I’ve been thinking about this post for a long time, probably several years to be honest. What got me to get this done is something Microsoft released, the Windows 10 in cloud configuration, which is a configuration guide for how to move to cloud managed Windows 10 devices.

    This is great!

    This shows that managing Windows 10 purely from Microsoft Intune is not rocket science and it will make it easier for smaller companies especially to get going.

    BUT this is also showing what I’ve been expecting for a couple of years. “

    Let’s stop the tape right here. I’ve added to this post once back in 2022 but never finished it. And to be honest, this has been on my mind since 2016. I recall that this was planted in my head in a conference room at the Microsoft Madrid office at a meeting with my team back in the days.

    This post was initiated long before the release of Windows 11, and before the release of Windows 365. AI was still something that was being explored but not a massive thing, we were more focusing on machine learning than AI. It feels like ages ago, but it still makes sense to talk about this given what is currently happening with Cloud PCs, AI, and continuous innovation in Windows 11.

    This is probably to date the blogpost that has taken the longest to write, but it’s starting to make sense now.

    The change of device management

    When we talk about device management, and especially Windows, things tend to get technical and hard quite fast. Especially if we throw some on-premises things into the mix and talk about creating custom boot images (which is an artform in itself).

    Now we are in the age of AI and Copilots. Copilots showing up everywhere for everything. We have currently seen what is called the Microsoft Security Copilot where security admins can query the Copilot to find issues and even troubleshot device configurations. This is only the beginning of the AI transformation we are on. The Security Copilot also connects into Microsoft Intune, becoming Copilot in Intune.

    Looking at Microsoft Intune and how simple it is to get started with a surprisingly good baseline and basic device management, this is a fitting example of how this whole segment has evolved into something which does not need to be that complex anymore with servers, distribution points, image creation, OSD, GPOs. Using Intune, you can get a long way with the guided scenarios or the security baseline which are already existing in Intune today. You can even get suggestions on what to set using the Settings Insight feature in Intune which will give you recommendations on how to configure your security baseline using machine learning. And that is without any Copilots.

    AI will help us

    What has gotten me to finish this blogpost is the Copilot and Intune story that Microsoft is now telling, I attended WP Ninja Summit 2024 in Lucerne where Copilot was mentioned in a lot of sessions and showed real world value. Copilot can find issues with devices, or policies, which would take admins hours, or even days to find. If you get that in about a minute or two, that is an huge increase in productivity. Copilot is not yet in the state that it will suggest that “you should configure your setup like this”, it’s still learning Intune. But just putting the tools in the hands of admins simplifies their work… Wow.

    But there is also a conflict of interest here. If I can use Copilot to find that error in a few minutes… Why do I need to pay expensive consultants to do the work for me? Well, I think we who live and breath device management needs to raise our line of sight a little and find what the next big thing is and how we can stay relevant. This will be challenge for many, but this change will also take several years to complete.

    I would assume that this is just the start of a pretty epic journey in device management, making life easier and probably quite drastically changing how we work with device management. Microsoft has a lot of data of what “a good device management configuration” should look like. Even if most organisations think they are unique and have unique needs, most organisations share the same baseline needs but of course with their unique touch on-top of things. This is where the focus should be, not the baselines where we tend to spend way to much time on today.

    What about Windows?

    By listening to a lot of sessions around Windows 365 and looking at how Microsoft is positioning this as the future of Windows, I think we will see a shift in a few years. Not in the next one or two years, but looking at Windows 365 Boot, the new Windows 365 experience being released for Motorola Think Phone, and the general focus on sustainability I think we will see both a technical and culture shift in what a computer is in the next couple of years. Don’t get me wrong, we will still have some kind of device but it will probably be different to what we are used to today.

    Just imagine that you suddenly could access your computer from any device you have, only needing one device to both get a mobile och desktop experience depending on your context. If you are like me, someone who work a lot from places where you don’t have a external monitors, well maybe your device will not be a smartphone only. Or maybe you even have two devices but your “laptop” is something with focus on giving you optimal battery life and great longevity.

    One thing that sticks in my head right now though is “we are moving Windows to he cloud” and not just management with Windows 365. Windows as an operating system will still be the foundation of a lot of business work and applications, but how we consume it is where the difference will lie.

    My predictions

    So my big two predictions about where this whole area is heading, even if we are a few years out:

    • Intune management will drastically change once Copilot for Intune is more widely used, making device management in general a whole lot easier
    • Windows will be consumed for “a device” and that device might not have Windows installed on it. We will come back to the world of thin clients, but more optimized for the connected world.

    Of course, several years of experience will still be relevant, but doing the clicking and selecting what exact setting to accomplish the wanted state, that will not be a hard part.

  • Windows 11 – make the move!

    Windows 11 – make the move!

    As I hope ALL of you know, Windows 10 is reaching End of Service (EOS) on the 14th of October 2025. If you haven’t marked your calendars already, do so now! This date is even more important if you haven’t made the move over to Windows 11 yet. This does not affect the Windows 10 LTSC currently in support.

    The path to reaching Windows 11 can vary, and it’s hard to say that “this is how you should do it”. Some decide to combine this with their cloud journey, some simply just upgrades, and some haven’t really thought about it yet. This blogpost is aimed to inspire those of you who haven’t made the move yet for different reasons. And those of you who help others and need inspiration. So, less focus on tech and more focus on the reasoning to make the move.

    Why should you move to Windows 11?

    To be honest, the reason to move to Windows 11 is simple. Windows 10 will no longer receive updates unless you decide to pay for the Extended Security Updates (ESU). This will be a fairly expensive way to tackle staying up to date. Microsoft announced back in April that the first year will cost $61 per device the first year. Given that the Windows 11 upgrade is free, there are few reasons to not move. We also see over 99% application compability between Windows 10 and Windows 11. Looking at customers I’ve helped and talked about this with, the issue is rarely the applications anymore.

    If we disregard from that Windows 11 brings a whole lot of new security related features to the OS. But it also brings more simplicity to the end user. One thing I hear often is that “the start menu is in the middle, our users will never learn this”. It takes about a day to get used to it, so the problem is not really there. This has so far not been an issue with the customers I’ve helped. Howeber, IT has often thought this would be the number one support issue.

    What does Windows 11 bring to the table?

    What Windows 11 brings is, however, innovation. Like it or not, Copilot will be part of our everyday life. In Windows 11, you have it at your fingertips with the native Copilot app. Depending on where you live, the experience will vary. There is a native app, or you will have to get the app from the store. Since AI and Copilot are mentioned in almost every context and situation, giving your end users access to a powerful AI in Windows is a huge improvement.

    What is important with Windows 11 upgrades is communication to end-users so they know whats going on. Un-announced upgrades are rarley a good idea since it can potentially mess with people flows initially, or unexpected reboots. Teaching your users to make use of all the new and improved features of Windows 11. This is a great way to give the feeling that you from IT are proactive and offering them the latest and greatest.

    The downside of moving to Windows 11

    To be fair, downside is the wrong word. There is one potential problem with moving to Windows 11, which is that older hardware is not supported. We are talking about things released prior to 2017, creating a huge amount of e-waste. For many companies, this would not be a problem given that you have proper lifecycle management of your devices. But it creates a huge amount of devices which will not be feasable to use any more.

    However, there are some ways you can still make use of them. Being a Microsoft advocate, my favourite is running Windows 365 on them. If you run a Cloud PC from a Windows 10 machine, the ESU will be free of charge and you can keep using that machine going forward, but that means using it to access a Cloud PC which is running Windows 11. You can ofcourse also convert them to thin clients using something like IGEL and have their OS accessing the Cloud PC.

    But going back to the topic of e-waste. This will be a huge challange, not only from a corporate and logistic perspecitve. But from en environmental perspective. There will be A LOT of devices which needs to be recylced, and we must really hope that they will be recycled and not just thrown away or shreded.

    Get to Windows 11 fast

    So what is the fastest path to Windows 11? A lot of times when we talk about moving to Windows 11, we talk about going cloud native.

    I’m all for going cloud native and I would recomend it to everyone. But going cloud native if you are on-premises or hybrid today is timeconsuming, and not really needed.

    If you listen carefully how Microsoft talked about the journey, it’s rarely stated that you should re-install every device as cloud native. What they are talking about is moving to Intune, and that is a different thing since you can be Intune only but still being hybrid.

    So for most organisations, going hybrid for all exisiting devices is the fastest path to Intune only. But remeber that ALL new devices should be cloud native (since you wont really gain anything from new hybrid devices).

    But looping back to Windows 11 and getting there fast.

    Windows 10 have had a steady release cadence, even if it has shifted a bit over the years. You have moved from Windows 10 20h2, to Windows 10 21h2, to Windows 10 22h2 using either Windows Update or Configuration Manager. When looking to move to Windows 11, you can view this as “yet another update” and deploy it as such.

    You hopefully already have a working process for this in place, and if you are doing custom images this would apply to you imaging lifecycling as well.

    Since we have about a year left, this would be the fastest way to get there and move to Intune after that.

    Take aways

    The main take away from this is that dont make the Windows 11 journey harder than it has to be. Windows 11 is not that scary and it’s a great operating system regardless of what different internet forums says. From a business perspective, this shouldn’t be a discussion. Just a go do!

    We never discuss or get stuck on iOS versions in the same way, not wanting to move to the next version.

    A couple of years ago, in the begining of this blog, I wrote about consumerization of corporate IT and it’s still relevant. We as individuals are driving change. We are no longer in a world where IT can say “no, we wont give you the lastest version of this and that” since things will stop working. If you run an unsupported version of Windows you are not only facing potential security threats. You will also see that a lot of your business applications will stop working, since these has adapted to the Windows as a Service concept introduced with Windows 10.

    What is the biggest take away from this blog? If you haven’t set the plan to migrate to Windows 11, start now! You have less than a year left.

  • Improving Decision Making with Intune Advanced Analytics Data

    Improving Decision Making with Intune Advanced Analytics Data

    One thing that many IT administrators tackles every day is the discussion about “my computer feels slow” or “I need a faster computer”. Sometime the feeling of having a slow computer is legit, and sometimes it’s something else.

    There are numerous DEX (Digital Employee Experience) tools out there on the market. This can provide you with a great overview of your whole ecosystem, ranging from Teams call quality to desktop experience. However, even if those tools are great, they come with a new set of data to analyze in a new tool. And in bigger organizations, the complicated puzzle of “who owns this and who makes remediations?” arises.

    Since I write a lot about Microsoft stuff, we will dive into the Intune Advanced Analytics part of the Intune Suite.

    Intune Advanced Analytics is a native part of Intune, which gives you more extensive reporting on your Windows devices. I know Windows isn’t 100% of the fleet in modern organizations but we need to start somewhere.

    Setting up Intune Advanced Analytics

    To start using Intune Advanced Analytics, you will need these three things.

    • Intune environment
    • Intune Suite licenses or Intune Advanced Analytics stand-alone license (remember, this is user based)
    • Configuring Endpoint analytics in Intune

    I won’t go through how to obtain license, since this will vary from case to case depending on your setup.

    Configuring Endpoint Analytics

    The first thing you need to do is to configure Endpoint Analytics to receive data from your devices. Since I’m all in the cloud, we will look at how you do this for Intune managed devices. To do this, you need to have the Intune Service Administrator role, also known as Intune Administrator.

    Head over to the Endpoint Analytics blade in Intune (you can find it under Reports or at https://aka.ms/endpointanalytics). When in there, select the Settings blade.

    You can see that my tenant already uses the Intune data collection policy. This default policy exists in all tenants, but you need to make sure it’s assigned to your devices.

    Manually create the policy

    If you can’t find the policy in your environment, it’s no big deal. You just need create a new policy based on the template for Windows Health monitoring.

    If you are configuring this for the first time, make sure to switch Health monitoring to Enable and set the Scope to Endpoint analytics.

    Deploy this policy to your devices using either the built in “All devices” group or use a device group.

    When you set this up for the first time, it can take up to 24 hours for the data to populate. If you are looking to use Advanced Analytics, expect up to 48 hours.

    Allow access to URLs

    The last step to do is to make sure that your devices are allowed to reach the URL needed for Endpoint Analytics. This is important if you have a restrictive firewall or if you use a webfilter/proxy to run all your traffic through.

    For Intune, the needed URL is:

    https://*.events.data.microsoft.com

    If you want to read more about how to set this up for Configuration Manager managed devices, check out the Microsoft Learn page.

    Getting access to the data

    Now when 24 hours have passed, we should start seeing data being populated. If you have additional people who should not be admins who need to review the data. There are a few different built-in roles you can use, or create a custom role.

    These are the different options you have:

    Role nameMicrosoft Entra roleIntune roleEndpoint analytics permissions
    Global AdministratorYesRead/write
    Intune Service AdministratorYesRead/write
    School AdministratorYesRead/write
    Endpoint Security ManagerYesRead only
    Help Desk OperatorYesRead only
    Read Only OperatorYesRead only
    Reports ReaderYesRead only

    Once we have our roles in order, we can start looking at the data!

    Looking at the data

    The Endpoint Analytics feature consist of 6 different blades

    • Startup Performance
    • Application reliability
    • Work from anywhere
    • Resource performance
    • Remoting connection

    These features are available with the regular Intune license. With the Intune Advance Analytics license you will get a few more. And it’s automatically integrated into the Intune administrator experience.

    • Custom device scopes
    • Anomalies
    • Enhanced device timeline
    • Device query
    • Battery health

    If you want to read more about what’s included, I would suggest checking out this Microsoft Learn article.

    Reviewing my devices

    But as I stated in the beginning of the post, let’s talk about reviewing resource performance. With the regular Intune license, you will gain access to resource performance for your Cloud PCs. With this, I get insights which Cloud PCs are meeting my targets and what Cloud PCs I should investigate upgrading to a different SKU. This data can be broken down to a device or model. This gives me great data about my environment on CPU and RAM spikes when they are being used.

    All devices get a score based on their performance, and you can configure what your baseline is in the Endpoint Analytics settings.

    You can break the numbers down based on model or individual device performance to get a better understanding.

    With the 2408 Intune Service update, this was also made available for physical devices if you have the Intune Advance Analytics license enabled. This will provide me with insights on how my physical devices are performing when it comes to RAM and CPU. I can also learn if they have continuous spikes indicating that they need an upgrade.

    If we stand in the “Device performance” tab, we can see all Cloud PCs and physical PCs gathered in the same place. You can also compare Cloud PC and physical PC performance.

    Looking at specific devices

    If we click on the name of a device, you will be redirected to the blade “User experience” on the device itself. You can also find it if you search for a device in the device list and click in to view that device.

    From here, you can see a lot of data about the device around its performance.

    As you can see, my Surface Laptop Go 3 has had a few minor spikes in RAM the last 14 days but nothing major.

    And if we look at the overall score, it’s pretty okay.

    Device timeline

    There is one more really nice feature with the Intune Advanced Analytics we can see, and that is a Device Timeline (last tab on the top).

    In here, we can see historical data on events that has happened on the device which impact the user experience. As you can see on this device, I’m having a few issues with applications.

    And if we jump back and look at another device, a Cloud PC, we can see the same kind of data.

    One interesting thing I found while writing this blog post is that I compared my Surface Laptop Go 3 i5 with 16gb RAM with my 4vCPU/16GB Cloud PC. What I can see was that my Cloud PC scores higher. I would say that I use them in a similar way, the same amount of time. I do know that the Cloud PC has a little bit of a more powerfull CPU (being a cloud PC),

    The Cloud PC scores 98 in resource performance.

    While my Surface Laptop Go 3 scores 77.

    So performance wise, Cloud PCs are doing a lot better. However, the Surface Laptop Go 3 is not a fair comparance being a more “low tier” PC. However, they are still both performing really good for what I use them for. So this is important to take into considerations when looking at the data.

    Take away

    Knowing how the performance of the devices in your environment chelan p you figure out when devices needs to be replaces or upgraded. As you already know, backing your decisions using data is key! Intune can provide you with a lot of data on your device without the need to buy a third party tool and deploying/maintaining a client on the device.

    However, if we start looking at “real” DEX products, Intune Advanced Analytics does not provide the same level of data. You will also need to combine several parts of Intune to be able to perform e.g. remediations on the things you find. You still need to manually take actions or create remediation scripts on your findings.

    But if you are just getting started and need “something”, this will provide you with a great overview of your environment! This will help you make better decisions and help your end-users even better!

    I hope you liked this post and that it gave you some insights to what you can do with Intune Advanced Analytics!

  • Summer recap – what did we miss?

    Summer recap – what did we miss?

    Like all Swedes, summer means vacation mode for 4-5 weeks and that means not keeping up with what’s happening in the world.

    So here is a recap of what’s been happening during the summer months.

    MVP renewal

    In the begning of July, the MVP renewals where announced and I’m happy to announce that I’ve been renewed as a Windows and Devices MVP for the 3rd time.

    Big congratulation to all my fellow MVPs that got renewed for 2024!

    Windows 365 updates

    July was full of Windows 365 updates, there has been updates for Windows 365 each week since July 1st which is really awesome. A lot of great updates.

    Here are some highlights, but if you want to see the full list check it out here.

    Cross region disaster recovery

    Windows 365 cross region disaster recovery is an optional service for Windows 365 Enterprise which protects the Cloud PCs and data against regional outages. This is a seperatly licensed service which can be purchased as an add-on to your existing service.

    Cross region disaster recovery in Windows 365 | Microsoft Learn

    Windows 365 Cloud PC gallery images use new Teams VDI

    The new Teams for VDIs has been added to the Windows 365 image gallery, containing all the optimizations for Windows 365. All your newly previsioned Cloud PCs will containg the new optimizations.

    Microsoft Teams on Cloud PCs | Microsoft Learn

    Cloud PC support for FIDO devices and passkeys on macOS and iOS (preview)

    Windows 365 Cloud PCs now support FIDO devices and passkeys for Microsoft Entra ID sign in on macOS and iOS.

    Updated default settings for Windows 365 security baselines

    Microsoft has released an updated version of the security baseline for Windows 365. You can find a full list of the updated settings here: List of the settings in the Windows 365 Cloud PC security baseline in Intune.

    New GPU offerings for Cloud PCs are now generally available

    Microsoft has finally released the new GPU offering! The GPU offerings are suitable for graphical intense workloads requiring a more optimized performance. The offering consists of three different SKUs called Standard, Super and Max with different configurations for different kinds of workloads.

    GPU Cloud PCs in Windows 365 | Microsoft Learn

    Uni-directional clipboard support is now generally available

    The clipboard settings for Windows 365 and AVD has been in preview for a while, but have now been

    moved into general availability with some pretty nice added functionallity. You can configure a lot of new different content type, and you can select to allow which direction clipboard should be allowed. This applies to both Windows 365 and Azure Virtual Desktop.

    Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

    Intune updates

    The list for Windows 365 was long (in the aspect of Windows 365 updates), but there has been even more Intune updates.

    If you want to read the full list of updates during the summer months, check out the full list here.

    Update for Apple user and device enrollments with Company Portal

    Microsoft has updated the registration process for Apples devices using the Intune Company Portal. The main change is that now the Entra ID registration happens after the enrollment, instead of during the enrollment. This applies for both iOS/iPadOs devices and macOS devices.

    The change means that if you are using dynamic device Entra ID groups which rely on the device registration, you need to make sure that the users complete the whole process.

    iOS/iPadOS device enrollment guide for Microsoft Intune | Microsoft Learn

    New configuration capabilities for Managed Home Screen

    If you are using managed home screen for Android, you can now enable the virtual app-switcher button to allow users to switch between apps on a kiosk device.

    Configure the Microsoft Managed Home Screen app for Android Enterprise

    Copilot in Intune now has the device query feature using Kusto Query Language (KQL) (public preview)

    If you are using Copilot in Intune, you can now generate a KQL query using Copilot while asking in natural language. Great way to learn KQL or get inspiration for your querys!

    Microsoft Copilot in Intune

    New setting in the Device Control profile for Attack surface reduction policy

    Microsoft has added the “Allow Storage Card” setting to the Attack surface reduction policy, which can also be found in the settings catalog.

    AllowStorageCard 

    New operatingSystemVersion filter property with new comparison operators (preview)

    There is a new filter property for operatingSystemVersion, which is available in a public preview.

    This filter allows you to use operators like GreaterThan, GreaterThanOrEquals, LessThan and LessThanOrEquals to your oprating system version and is available for Android, iOS/iPadOS, macOS and Windows!

    Consolidation of Intune profiles for identity protection and account protection

    Microsoft has done some cleaning up around identity and account protection policies and added them all into a single profile called Account protection which can be found in the account protection policy node of endpoint security. This is the only template which will be available going forward for identity and account protection. The new profile also includes Windows Hello for Business and Windows Credential Guard.

    Account protection policy for endpoint security in Intune

    New Intune report and device action for Windows enrollment attestation (public preview)

    There is a new report in public preview for finding out if a device has attested and enrolled securly while being hardware-backed.

    Windows enrollment attestation

    New support for Red Hat Enterprise Linux

    Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

    Deployment guide: Manage Linux devices in Microsoft Intune 

    Newly available Enterprise App Catalog apps for Intune

    The Enterprise App Catalog has updated to include additional apps. For a complete list of supported apps.

    Apps available in the Enterprise App Catalog.

    New actions for Microsoft Cloud PKI

    The Microsoft Cloud PKI has been updated with some new features.

    • Delete: Delete a CA.
    • Pause: Temporarily suspend use of a CA.
    • Revoke: Revoke a CA certificate.

    Delete Microsoft Cloud PKI certification authority

    ACME protocol support for iOS/iPadOS and macOS enrollment

    Microsoft has started a phased rollout of the infrastructure change to support the Automated Certificate Management Environment (ACME) protocol. When a new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. 

    Windows updates

    The realse of Windows 11 24h2 is getting closer and closer, and it could be guessed to be released in a September/October time frame looking at past releases.

    One thing that is also important to highlight is that we are getting closer and closer to the Windows 10 EOS, which means that we really need to focus on getting those devices migrated or removed.

  • Are the settings what you think they are?

    Are the settings what you think they are?

    Something I know a lot of Microsoft Intune admins have been frustrated about for a while, especially if you come from the GPO world, is making sure that the settings you applied are what you think they are on the device. I mean, things happen. Users can be local admins and change stuff, a support person could have changed something locally, or stuff just won’t work.

    As we all know, an up and running Intune Windows device will check in with Intune every 8 hours to see if the settings are still correct. 8 hours is quite a long time if you have a faulty configuration, and not all users know that they can manually synchronize their device with Intune (or an admin can do so).

    This is where the newly introduced Config Refresh enters the stage!

    What is Config Refresh?

    Config Refresh is a new setting in Windows 11 (23h2 or 22h2 with the 2024 June update) which lets you define the interval that the Windows device should refresh the configuration based on what is defined in Intune. In the GPO world, this happens automatically every 90 minutes, and in the Intune world this is 8 hours! But with Config Refresh we can squeeze this down as short as 30 minutes or push it all the way up to 24 hours (why someone would do that, I don’t know but I bet there are those scenarios).

    But this isn’t just changing the default 8 hour intervall, this actually brings some new stuff to the table:

    • A reset operation to reset any settings you manage which use the Policy CSP
    • Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
    • Offline functionality, not requiring connectivity to an MDM server
    • Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

    This means that we get a bunch of new features in the MDM world which we have not had before!

    How do I configure it?

    But how do I configure this in my environment? The Config Refresh policy is set in the settings catalog, so let’s jump straight into Devices – Windows – Configuration and add a new Settings Catalog policy.

    As usual, give your policy a name which makes sense to you in your environment and click next. I’m going for “Win – Config Refresh” in this example.

    Now let’s search for “Config Refresh” and add both the settings to our policy.

    Let’s go for a 30-minute interval in this example but set what makes sense to your environment (default value is 90 minutes). Also, make sure to enable the “Config Refresh” setting before clicking on next.

    If you are using scope tags, you can add that in the next step otherwise move on to assignment. Since this is a device scope setting, let’s target the device for this one so we can make sure that all our devices get this setting regardless of who signs in. If you want to filter our specific devices, add that as well here.

    On the last step, review your settings before clicking on “Create“.

    This will configure your devices to refresh their policies every 30 minutes!

    Bonus:

    If you for some reason want to prevent a device from doing a Config Refresh, you can find the device and press those three dots on the right side of the ribbon. You will then find “Pause config refresh”.

    You can then pause the refresh for up to 24 hours.

    Key take away

    Using the Config Refresh we can make sure that our device has the correct configuration with greater certainty, and we can adjust the intervall to fit our needs.

    This give us as admins a larger sence of control when managing devices and wanting to make sure that our devices has the correct settings. If you are coming from the GPO world you will be very familiar with this since GPOs refreshes every 90 minutes (default), and now you can make Intune work the same way! Yet one less thing that you will be missing from the old world!

    Hope you find this as usefull as I do, and happy clicking!