Did you know that you can get automated alerts for certain events for your Cloud PC environment?
Microsoft released this feature back in February of 2023, and has added quite a few differents alerts by now, not only the network, provisioning, and image upload error alerts.
Today, you can find 6 different alerts you can setup:
Azure Network Connection failure
Cloud PC grace period
Cloud PCs that aren’t available (preview)
Frontline Cloud PCs near concurrency limit (preview)
Provisioning failure impacting Cloud PCs
Upload failure for custom images
You can select how you want to get notified in the event of something happening,
How to set up alerts?
To setup alerts, head into Microsoft Intune and navigate to Tenant Administration and find Alerts in the menu.
In this first view you will see any active alerts that you have in your environment. Like this alert that I have one Cloud PC in grace period.
If we move over to the second tab, that’s where we can configure our alerts.
As you can see, you have six different alerts you can enable. You don’t need them all, enable the ones which makes sense to you. as you can see I have not configured the “Azure Network Conneciton failure” nor “Upload custom image” in my tenant, since I don’t use these features at the moment. A sharp eye might notive that “Fronline Cloud PCs near concurrency limit” isn’t configure either, but we will do that now by clicking on the name of the alert.
This will take us to the configuration page.
If we start of with the conditions for the alert, these are a bit different depending on the alert, but for some you can select another value type. For this one, we will set this to 90% of instances, meaning that if 90% or more of our Frontline Cloud PCs are reaching their concurrency limit, we will get an alert.
Next up is the severity level of this alert. This is up to us to choose the correct level, and we will this at default as a warning.
The status part is defining if this alert should be active or not, so let’s go ahead and change this to ON.
The last part of this is how we want to get notified. We can select to either just get a pop-up in the Intune portal or if an email should be sent somewhere. This could be a great way to e.g. raise tickets in you ITSM tool without needing any additional integrations.
When I get the notification Intune, this is what it looks like:
And this is what the email looks like:
Why use alerts?
So why do we want to use alerts? Well it’s a really good way to get notified if something happens with the Windows 365 service you provide to your users, without you having to sit and look at everything all the time. You could even find issues before they arrise and your IT Helpdesk gets jammed with a lot of calls from end users.
Take a look at alerts if you are a Windows 365 administrator, this could really simplify your life!
I thought I would share a few things you might not know that you are able to do in Intune, small things that might not be related to device management itself but you might not be aware off!
As all of you know, Microsoft Intune is constantly changing, there are news and updates each week. This means that some of these things might change in the future, who knows!
But let’s kick it off. Here are 5 things you didnt know you could do in Intune.
Change language and region
You have probably seen the settings icon in the top of the Intune portal, this is where you can access the portal settings.
When you click the settings icon, you will be taken to the Portal settings pane of Microsoft Intune.
As you can see, there are a lot of different things you can modify and control. E.g. if you have multiple directories or subscriptions you can change which your default is. This is also where you enable darkmode (if you are like me and prefer darkmode). But I though we would focus on the language settings.
If we navigate to the “Language + region” pane, we can select which language we want the portal to be in. This settings is not a global setting, this only affect my session. Like many others, I prefer to use the English version of MS Intune (the translations in Swedish are a bit wild some times), but I still want my regional format to be Swedish. I can easily select my preferences here and just hit apply and it will refresh the session with a new language for me.
If you are familiar with Azure or Entra, this works the same way!
Modify the left side menu
We probably all know and love the left side navigation menu, this is where we can select if we want to access devices or apps for example.
But did you know you can customize this menu?
If you navigate to “All services“, you will see a table of all the available services within Microsoft Intune, and if you look closely you will notice that there is a small star next to each service.
By default today, all is marked except for “Surface Management Portal” and if you want easy access to that you can simply just star that one too and it will show up in the navigation menu.
But let’s say I’m only interested in seeing devices, apps and groups, I can simply just mark them with a star and they will be the only one displayed in the navigation menu alongside with reports which we cannot remove.
One other neat feature is that you can rearrange the order of the navigation menu by simply dragging the headings around if you want to sort the differently.
Easily change between accounts
If you are using multiple accounts in Microsoft Intune, there is a simple way to just change which account you are using. If you have ever worked in the Azure portal, this is the same functionality.
Simply click your profile picture in the top right corner and sign in with a diffetent user. When you have signed in with an additional user, you can easily just switch by selecting that account.
Access the PIM portal
For most administrational roles, you use Microsoft Entra Priviledge Identity Management, or simply PIM, to grant the priviledged role that you will use in order for your account not to have that role all the time.
This can be setup in many different ways, and you can even PIM Intune roles if you use group feature.
However, you don’t need to go through the Entra portal to access your PIM roles. Simply navigate to Tenant Administration > Microsoft Entra Privileged Identity Management and you will reach the same portal.
From here, you can simply activate your roles, or approve other requests.
Shortcut to the Entra portal
Last but not least, when we are on the topic of Microsoft Entra. Did you know that there is a shortcut to the Entra portal in Intune?
Just navigate to All services in the navigation menu, and under “Other consoles” you will find Microsoft Entra.
When you click that link, a new tab will open with the Entra portal!
Okay, something that has been around in Microsoft Intune for quite some time is Scope tags. You know that step before assignment when creating a policy or profile?
In this post, I was thinking we would talk through what it is and what you can use it for since it’s a quite power full tool and very useful if you are working in larger environments and want to delegate rights since you can combine it with the Intune roles to really have a granular setup when it comes to who can do what. If you want to read more about the Intune RBAC setup, have a look at this post I wrote a few years ago called RBAC in Intune- Who does what at the zoo.
What is even scope tags?
Scope tags is not something you use by itself, it is connected to the Intune RBAC setup, since you can control what you different administrators can see and do.
If I have a scope tag called Sweden which I use on my policies, I can create an Intune role granting only permission to see and administrate things related to that scope.
This means that I can grant access to only certain parts of Intune for my administrators, delegating the responsibility to the Swedish organisation to manage Sweden while Norway and Iceland only can manage their things.
How ever, this only applies to Intune roles, so if you use an EntraID role granting more access, like the Intune Administrator role, scopetags are not part of the solution.
In general, it’s a good idea NOT to use the Intune administrator for all your administrators since this is a very powerfull administrator role also outside Intune. It is the Global Admin of Intune almost (but not as power full).
Setting up Scope tags
To use scope tags, you need to define them which you do by navigating to Tenant Admin – Roles and select Scope tags. You will see that you have one default scope tag, but you can add more in here.
To create a Scope tag, you simply press “+ Create” and we will give our scope tag name, which will be the one used in the portal. We can also add a comment explaining what this scope tag is used for which can be a good idea. When done, click Next.
In the assignment step, we will add a group which contains all out Swedish devices. There are a lot of different ways you could set this group up given that you want to not only catch the Windows devices, you would also probably like to see their mobile devices. In this example, I have a dynamic group looking for all Windows devices tagged with the Autopilot group tag “SE” using this dynamic membership rule.
When I’ve added my group I will click Next to get to the last step in the scopetag creation.
On the last step you can review your settings before creating it. If everything looks like you want it to, click Create and your scope tag will be created.
Repeat this step for all the scope tags you need, as you can see in my lab I currently have 3 scope tags and the default one.
Using scope tags for roles in Intune
Now that we have create our scope tags, we can add them to a role in Intune as a first step.
Head into Tenant Admin – Roles and select “All roles“. Then find the role that you want to configure, we will use the “Help Desk Operator” as an example.
Click on the name of the role to configure it and you want to head into “Assignments” which is where we define who has this role.
In here, we will click on “+ Assign” to add a new assignment. Since we are setting this up for the Swedish help desk, we will call this “Sweden“. Click Next.
On the next step we will add the group of Swedish help desk operators by clicking on “Add group” and selecting our Help desk Sweden user group. Click Next.
Next step is to add the scope groups, which devices and user we want to be able to manage. This means that we can limit this even further. For now, we will select all users and all devices and click Next.
In the next and last configuration step we will select what scope tag this Help Desk Operator is allowed operate with, meaning what devices and other object can it interact with. In this step we will select our Sweden scope tag and click Next.
As usual, before creating the role assignment you can review you options. Then click Create.
How does it look for my Help Desk Operator in Sweden?
So, what does things now look like for my Swedish help desk operator which we can call Moltas? Well, Moltas can only see things which has the scope tag Sweden. He can see all user and all groups, but he can only see two devices in the environment, since these are part of the scope tag Sweden.
If we compare this to a user with the Intune administrator role, you can see that the view is limited in the amount of devices.
If we take a look at one of the devices Moltas can see, we can actually see that it automatciallu got the scope tag Sweden since it’s a part of the “All Sweden device” group mentioned further up in the post.
We can also add scope tags to profiles that we create, making it possible to grant permission to e.g. one business area to manage their on profiles, applications and so on.
Since I’ve added the scope tag to this profile, Moltas will be able to see this one but not the rest of my profiles, but given his role he will not be able to do any modifications to this profile (Help Desk Oprator does not allow that).
Worth mentioning is also that if this administrator would have the rights to create objects, all their objects would have the scope tag Sweden.
Key take aways
Using scope tags and combinding it with the Intune roles makes it really easy and power full to delegate access to local administrator or different business units to operate their own settings in a bigger tenant. You can e.g. make sure that the local IT support in Sweden cannot see or touch the Norweigan devices.
I really like this feature, and it’s really convinient in larger environments. You can off course limit the access even further by not granting access to all users and all devices, limiting it even further.
Okay so this is a blogpost I’ve been putting off for a long time without any good reason to be honest. I think I’m wanting this to be perfect since it’s a combination of several things I care deeply about. This will probably be like a part 1. So here we go.
TLDR;
One of the benefits of Windows 365 is that it can reduce the environmental footprint of IT operations by shifting the energy consumption and emissions from the end-user devices to the cloud servers. According to a study by Microsoft, the Microsoft cloud is between 22 and 93 percent more energy efficient than traditional enterprise datacenters, depending on the specific comparison being made. When taking into account Microsoft’s renewable energy purchases, the Microsoft cloud is between 72 and 98 percent more carbon efficient.
Microsoft has also committed to be a carbon negative, water positive, and zero waste company by 2030, and to protect more land than it uses by 2025. In its 2022 Environmental Sustainability Report, Microsoft shared its progress, challenges, and learnings on its journey to meet these goals. The report also showcases how Microsoft is delivering digital technology for net zero, such as Microsoft Cloud for Sustainability, which helps customers measure and manage their environmental impact.
What is Windows 365
If you have been reading my blog for a while, you are familiar with what Windows 365 is, but in case you have missed it let’s do a short intro.
Windows 365 is a cloud-based service to provide what Microsoft calls a Cloud PC. This is in fact a virtual computer based on the Azure Virtual Desktop (AVD) platform, but instead of you having to maintain any infrastructure, you consume it as a SaaS solution. The performance of the Cloud PC is based on what license you have purchased. Compared to AVD, you pay a fixed price per month for the license instead of paying for your consumption.
Since this is a cloud service, you can access it from whatever device you prefer, or even just a browser.
Since we can run a controlled and managed Windows device in a remote context, we are open to allowing more secure ways of working from a broader range of devices since we are in full control of the remote session.
The sad truth about hardware
One of the largest environmental impact we have within IT is our devices. Many companies replaces their computers on a ~3 year basis. For a larger company this is a huge amount of new devices being bought every year, and as many devices being decommissioned. The market for reselling computers are growing by the day and we see more and more companies offering this service to their customers, and even consumers.
Computers which are three years old aren’t that old to be fair. They are not the latest and greatest, but can still do a really good job for most usecases.
Reducing the need to renew hardware
By utilizing Windows 365, we can actually extend the life time of a computer since we can run Windows 365 on anything with Windows 10 or never. Windows 11 is one of the major reason hardware will need to be replaced, since there is a Windows 11 only supports Intel 8th generations processors and newer (let’s be fair, Intel is the most commonly used today). 8th generation means mid-2017 as earliest which is about six and a half year ago when this post is being written.
This is something that has been stuck in my head that we will see A LOT of computers being obsolete on the 14th of October 2024. Then Microsoft released a very interesting statement about end of service for Windows 10 and Extended Security Updates (ESUs). You will get the ESU included in the Windows 365 if you are accessing your Cloud PC from a Windows 10 host. This will extend the life of these computers another 3 years.
This means that you could move over to Windows 11 but keep some older hardware around for accessing Cloud PCs. Since there is no Windows 365 Boot for Windows 10, you could build a kiosk based on this post to make sure your users ONLY access their Windows 365 Cloud PC, which would be running Windows 11.
By utilizing Windows 365 and Cloud PCs, we can actually keep our computers current for a much longer time. Instead of getting a new computer with the latest, faster, processor and more memory we can utilize the server grade equipment in the Azure datacenters which are a lot more powerful than our laptops are anyways. Since Windows 365 is license based, this means that when we need more computing power on our Cloud PC, we can upgrade the license and after a reboot we have a more powerful PC.
Running workloads on shared resources, like in Azure, is much more energy efficient as well. However, lets not forget that data centers uses a lot of energy to be operate. But today Microsoft data centers are run on renewable energy improves this even further while Microsoft is also striving to be carbon negative by 2030.
If you are, just like me, a BIG Windows 365 fan you probably haven’t missed the news around Windows 365 Boot. There was an update released in the end of January which enabled what is called Windows 365 Boot Dedicated mode and Windows 365 Boot Shared mode.
There are a lot of awesome posts out there how to configure these, like these to from my fellow Windows 365 MVP Dominiek Verham, which I really recommend you to check out!
Two really awesome posts about how to get started.
But why should you use it and why should we pay attention to this?
In this post, I’ll discuss a little around my view on why these to features will play a crutial part in the Windows 365 journey and the future of Windows. These
And also let’s adress the elephant in the room. Windows 365 Boot is basically Microsofts take on thing clients on Windows. This has been done before by others, but never using the standard management tools. I think that is one of the key things with Windows 365 Boot, we manage a regular Windows installation with Microsoft Intune.
Windows 365 Boot Dedicated mode
Lets start of with what it is.
Windows 365 Boot Dedicated mode is a new Windows 365 feature which enables you to have a PC which is using Windows 365 Boot that is, just like the name says, is dedicated to one user. Right now, this feature is in public preview.
Previosuly when we have looked at Windows 365 Boot, you have not had a user assigned to the machine which meant that using passwordless solutions like e.g. Windows Hello for Business was not possible.
Now with Windows 365 Dedicated mode, I can have my PC setup as a Windows 365 machine and each time I sign in to my computer I will end up in my Cloud PC session using Windows Hello for Business.
This opens for a lot of new cool scenarios which we could do and I think this might be the bigger and maybe a scenario which is harder for many to related to. We are so used to having our “own” computer locally, and maybe connect out to a virtual session when ever we need to switch context to a different environment or such. This would make your primary device a cloud based computer, which in my world is kind of awesome.
Some scenarios I can think of top of mind where this could be usefull are:
Extend life of older hardware
Upgrade a PC to a higher spec without needing to have physcal access to the device
Provide cheaper hardware for certain scenarios
Ensure data is not lost when using devices in more extreme environments (hardware failure)
One kind of weird scenario that came to mind was also that you could by your self also switch between computers, by selecting in the Windows 365 web portal which device to connect to. This means that you could for extended times work from one typ och device, and then easliy change this through the webportal.
Why should we care?
To be honest, I think this scenario could potenitally be a hard sell to IT people, since we are very used to working with out operating system locally. The host machine would still require to run Windows 11, but you would never really see it and you would still need to patch the OS on a regular basis.
I think the biggest selling point here is that if you go with a Cloud PC in this way, you will always run on “hardware” which is preforming. No need to wory about disk crashes, slowness or anything like that. You will also gain insane traffic thorugh put, since your computer is not actually connected to your own network. It’s connected to the Microsoft network which is playing in a different legue when it comes to upload/download speeds then our usual home internet. This would actually benefit you if you work with a lot of large files, OneDrive and SharePoint syncs insanly fast. This is however a feature of Windows 365 as a service, not the dedicated mode.
In my mind, this is something we need to keep attention to how it develops, even if many of us are not ready to take the leap today. My bet is that THIS will be a big part of the future of Windows.
Windows 365 Boot Shared mode
Windows 365 Boot Shared mode is more like the Windows 365 Boot which went into GA last September, but with some updates. One of the major differences is that you can now add your company logo on the sign-in page to make it more relatable to your brand.
The concept behind this is to provide a shared workstation which many different users work from. Looking at different scenarios I’ve seen with customers, this could cover that “kiosk” computer in the break room in a workshop. Or maybe a good and simple way to provide a great experiance to personal working in a callcenter where you don’t have your own desk. And why not that sales station which is used by several people.
If you combine the Windows 365 Boot Shared mode with a Windows 365 Frontline license, you pretty much hit the sweet spot. Then you can sprinkle with a FIDO2 key (like Yubikey) and you even simplify the sign-in process and make it passwordless!
One big issue has always been “how do we provide a great experiance on a shared device”. Traiditionally, there has always been an issue with user profiles (if you have to many things break) but that can be addressed with the shared device policy in Microsoft Intune. However, you are still not giving a full computer experiance to the users, they are usually pretty limited and distributing applications is not as smooth as if you had a personal computer.
This would also mean that if you are working in a setup where you move around a lot, and maybe not always come back to the same computer, you can continue your work exactly where you left of but from a different computer.
Windows 365 Boot Shared mode gives you that personal experiance, but on a shared device.
Why should we care?
One thing that always seams to be a complex and tricky scenario to solve are those shared devices, especially if the user moves around a lot. Think clients of different sorts has always been a big thing here, but for many IT admins the thin clients means another tool to administrate in, instead of the tool they are spend most of their time in for managing the other devices. Using Windows 365 Boot we can leverage Microsoft Intune and bulding thin clients on Windows, by just deploying a set of policies from Microsoft Intune.
For many organization, intorducing a new management tool for thin clients is a little bit of a bump in the road since this means getting that tool approved, setup and educating the adminsitrators on how to use it if there is no pre-exisiting knowledge. It’s not necesserially a hard thing to learn a new tool, but it could slow down the implementation process for some organizations.
Key take aways
What I think we need to think about is that Windows as we know it is about to change, it won’t be over night but something is happening now. Imagine when we started seeinf Office 365 which later became Microsoft 365? That was a journey, and I think that right now we are seeing the start of this journey for Windows. I might be naive and sprinkled a little wishfull thinking over this whole thing, but I really think we will see a change over the next couple of years in what we think of as Windows and what we expect. Mind you, these are my personal thoughts and ideas.
However, the Windows 365 Boot features brings some really intersting things to the table. We can now easily deploy and manage thin clients without needing any additional tools or licenses. I think that is pretty sweet as someone who works with customers who hare heavily invested in the Microsoft echosystem. It might not be as far along and flexible as e.g. IGEL. But this would potentially get more companies started with thin clients since there really isn’t any roadblocks anymore like there used to.
Microsoft has now released all the parts they promised back in March of 2023. On the first of February, a lot of cool things saw the light of day without the preview label. We initially saw Endpoint Privilege Management and Remote Help as part of the Intune Suite, with Advanced Analytics, Cloud PKI, Enterprise App Management and Microsoft Tunnel for MAM.
In this post, we will focus on the Enterprise App Management feature which will help IT admins to keep their applications up to date by using a managed catalog of applications (much like SCAPMANN, PatchMyPC and such).
Before we begin. If you have never heard of the Intune Suite, it is a bundle of premium add-ons for Intune making it even more powerful by unlocking new functionality.
What is Enterprise App Management?
Enterprise App Management is a catalog of third-party applications, applications not developed by Microsoft, which is provided in a simple store-like manner in Intune. The catalog today consist of a little over 90 applications which are maintained by the Microsoft service, a list that will hopefully grow over time adding even more applications. The Enterprise App Management service takes care of both packaging the initial application but also managing any updates released fot the application, streamlining the work for the application team!
The concept behind this, is to ease the workload for application administrators not having to package all applications. The easiest way to position this is to think of it as a time saving tool, our packaging team won’t have to care about packaging the simpler applications which might be updated quite frequently. They can instead focus on the more unique and complex applications for the organisation.
Enterprise App Mangement comes in the Intune Suite bundle or can be purchased separately as a stand alone service. What is important to keep in mind here is to make sure you buy enough licenses to cover all your users since it’s licensed based on users in your environment.
How to get started?
Once you have made sure that you have the licenses for either the Intune Suite or Enterprise App Management (you can activate a 90 day trial in the licensing portal to test it out), you can use the new option in the App type for Windows in Microsoft Intune.
At the bottom you will see a new option, Enterprise App Catalog app, which is the Enterprise App Management service!
Once you have selected this as the app type, you will get a reminder that you need to obtain the correct licensing for the service.
When you add an application from the Enterprise App Catalog, it will be added as a Win32 app, but called Windows catalog app. To select your app, simply click “Search the Enterprise App Catalog“.
You will now see the full list of apps in a fly-out menu to the right where you can select the app you need.
In this example, we will select 7zip as the application we want to deploy. When we have chosen our app, we click “Next” at the bottom of the screen.
In the next step we can select which version of the app we need, for 7Zip there is only one version. Click “Select” at the bottom of the screen when you have chosen your version.
When we have chosen our application, the application information will be pre-populated. If you do not need to do any modifications to the app information, just click “Next” at the bottom of the screen.
You can now notice that the install- and uninstall command for the application has automatically been added, and also the return codes.
Next page is as always for Win32 apps the requirements where we can add any additional requirements we have identified. As you can see, the mandatory fields will be pre-populated and we can just move to the next step.
What I really like is that the service also add detections rules for the app. So just hit “Next” to move to the last step!
What is a bit different from adding your own applications is that you never add the assignments as part of this initial step. So last step is “Review and Create”. Once the application has been created, you will be able to add assignments to your app. Now click “Add app” to finish the process.
The app will now be created, which takes just a few seconds, not even enough time to go and refill that coffee cup you just finished!
Once the app has been added, you can add assignments just as any other app by going to Properties on the app and add your target groups.
Updating an application
Enterprise App Management is created to keep your applications updated. The service will utilize self-updating features of the applications where ever possible to minimize the effort from an admin side. If self-updating is enabled for the app, it will automatically be updated on the client.
If self-updating is not available for the app, a new version of the app will added with the needed superseedence relations for it to be replaced, mening that you will have both the new and the old version visible in Microsoft Intune.
Do you want to read more? Check out this Microsoft articles:
This will be a different post. But bare with me on this one, okay. It will make sense in the end (I hope).
My epiphany about hating computers happened when my lab machine all of a sudden decided that “I don’t have a bluetooth adapter anymore” after about 2 years of actually having one. I did about everything but reinstalling Windows on the machine, but the bluetooth adapter was not recognized by my computer. I even opened up the NUC to see if I could see if there was any obvious physical damage (I’m not an expert), but nothing.
THE DAY I decided that “fudge this, I’ll just reinstall it” it started working again. No new driver updates, no new patches. It just started working. I still have no clue what happened to be honest.
That was the moment I started hating computers.
I just want to be productive
Living without a functioning Bluetooth adapter in the computer meant that I needed to find the USB-receiver for ALL my wireless accessories (headset, mouse, keyboard) in order to even work from this machine.
This ment that I needed to take time out of my day (mostly late afternoons) and firstly try to figure out the issue and secondly since I suck at troubleshooting hardware, find all the USB receivers for all my stuff since I had of course also lost my USB Bluetooth receiver 🤦♂️.
I’m one of those computer guys who don’t really like troubleshooting, I just want stuff to work.
Reinstalling Windows is a breeze now adays, and it would have taken me an hour or two to be back up and running. I work from a strict policy to save EVERYTHING in the cloud so that wiping my computer isn’t an issue anymore, I will just lose what ever app I didn’t add to Intune. But it’s still a hick-up in my flow.
Automate drivers
This “incident” has gotten me thinking a bit. One thing I tend to hear with customers is that there is a fear to patch/update drivers for example, since we are afraid that it will break something in the OS or an application. I’ve been doing Intune work for the last 10 years, and I’ve strongly advocated to “maybe it’s time to also update drivers” for the past 7 years since it’s usually more risky to run pre-release versions of drivers than the latest. OEMs tend to also update drivers only when they have to, and the 700 million consumer Windows machines out there with the latest drivers seems to be working fine (don’t quote me on the numbers). One thing I’ve seen way to often is that an old driver breaks Microsoft Teams. The camera stops working usually and as soon as you install the latest driver. Poof! The camera works!
When you start think about it, what if we stopped caring so much about drivers and just automated it with Windows Autopatch? New drivers are installed when released and needed.
Windows 365 to the rescue?
Let’s take it one step further. What if we use Windows 365 to consume our apps and desktop experience instead and we only need to make sure that the OS and out applications are up to date. The hardware we are accessing through could be any kind of device, not neccesarily a Windows based device. Windows 365 makes it possible to actually be device independent. The bare minimum I need is something with a browser.
This is actually something which excites me a bit too much. I started my career in the mobile device management field, managing iPhone in the “mobile first” era when we though we would be able to do EVERYTHING from our mobile. If we can access a virtual desktop from our mobile, all of a sudden we actually can even consume those legacy Win32 apps from a mobile device.
I’m really excited about the Motorola ThinkPhone with the Windows 365 integration even though I don’t own one and I really don’t like Android since I’ve had an iPhone the last 15 years. But the idea of only having one device is something that excites me. Or at least in some situations only need one device. Still not enough to by the darn thing, but I love the concept of it.
So what is the point of this post?
Well, maybe we should start to rethink the workplace and what devices we need. Do I really need a desktop, a laptop, a phone and a tablet? Maybe not the reality for everyone but I know a lot of people running on such a setup. What if I just needed one or two devices, but I could still do all the stuff I need.
Looking at my current setup, I’ve downsized to one phone from two and I prioritized battery life over performance when getting a new laptop. I even went with an ARM-based Surface with the knowledge that “I can always use Windows 365 if I need more power” which is really comforting to know. This opens up that I can go for more slim formfactors and prioritize different aspects.
Moving the workloads to a Cloud PC would also reduce the need of getting the “latest and greatest” machine to do things. Our Cloud PC will be kept up to date since Microsoft is lifecycling the infrastructue in Azure, which for me as a user would mean that I always have “the best” configuration.
There are of course a lot of if’s and but’s around this, like the need for constant internet connetivity. But let’s face it, how often do we work without internet connectivity? You can even get some what reliable connectivity on an airplane today.
Problem with this appraoch is that this is how I reason, I still have way to many laptops on my desk for different customer engagements and testing things, since this is not the reality yet. But maybe it’s the future?
If you ever meet me and also hate computers, let me know and I’ll give you “I hate computers” sticker!
As everyone knows by now, Copilot is coming to Windows. For people in some parts of the world (e.g. USA) this is already a reality. But for us in Europe, we are still waiting for it to be made available.
I rarely write posts about how to disable things, I’m a fan of giving the power to the end-user to use the new awesome tools made available for them. But Copilot is a massive thing, and for many organizations this is both a legal/policy issue, and a technical readiness issue. We need to be able to provide our users with services in a controlled way.
Many of the larger organizations I’ve been working with over the years take this approach, enabling new services in a controlled way.
So, let’s look at how we can control this using Microsoft Intune. In this post, we will notdig into what Copilot for Windows is.
Creating a policy
As usual, my focus is on cloud solutions so we will look into how you can do this using Microsoft Intune and not GPOs.
Today, there is no Settings Catalog, so we need to rely on a Custom policy which we create by heading into the Device blade, choosing Windows > Configuration Profiles and select “+ Create” > “New policy“. Then we select Windows 10 and later as platform, and use Template > Custom as profile type.
As usual, start of by giving your profile a good name based on your naming convention.
Now, lets add a custom setting by pressing the “Add” button.
Add the following information to your custom entry:
Name: Disable Windows Copilot
Description: OMA-URI: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Data type: Integer
Value: 1
Should look something like this and then hit save at the bottom of the fly out.
You have now successfully added a custom CSR setting.
Hit Next at the bottom of the screen and assign your policy to a user/device group. As always, if you are doing this in production, start with a test group before going for broad deployment.
For this demo purpose, I’ve added the built in “All users” group.
Skip the “Applicability rules” and head to “Review + Create” and review your profile before creating it. Once the profile has been created, the waiting game starts for the policy to apply. As usual, you can speed this up by pressing “Sync” on any of your devices that will be targeted.
When the policy has been applied, the Copilot icon will be removed from the task bar.
Doing a controlled roll-out
We have currently removed Copilot for all the users in your environment, but how do we start enabling it again?
Well, we need to do two things:
Create a group for our allowed users/devices
Exclude them from the policy we just created
Since the default value for the Windows Copilot feature is to be enabled, we don’t really need to add a new policy. We can just exclude our targeted users/devices. This also makes broad deployment easy since we can gradually just exclude users/devices until we want to enable it for everyone.
Please be aware that the change is not instant, the device needs to check-in before the policy is updated (but it’s fast when you do a forced sync).
Take away
So, would we disable this for all users and do a controlled roll-out? Well new features are not always easy for end-users to gasp or even understand that they have. People within IT tend to always want the latest and greatest and be early adopters. But “real” end-users are not always like that. We need to make sure that we can get information out to our end-users about this awesome new feature.
There might also be that we need to do some assessments around the service before we can enable it in our environment, this could be both legal and internal policy that is controlling this.
But as always, I really encourage you to enable this for your end-users once it’s available in your region. For us in Europe, we will have to wait a bit longer, but looking at the recent announcements around a Copilot-button on all Windows keyboards, I think we can really tell where we are heading with this.
So please, don’t just disable this for the sake of disabling. And if you do disable it, have a plan to enable it. It will bring awesome value to your end-users (especially if you have Microsoft 365 Copilot licenses).
We are right at the end of 2023, getting ready for the holidays which is a great moment to wind down and reflect a bit on the last year. And it’s been a year full of awesome things!
Conferences
I didn’t actually go to that many conferences this year, I focused on two which I found really interesting.
MVP Summit
Okay, this is not open to everyone but I was truly humbled to be invited to the MVP Summit, the infamous event all MVPs talk so much about. This time it was apparently smaller than previous years, but it was still an awesome event! Met a lot of people I’ve only seen on stage, in calls or in social media. It was a blast!
WP Ninja Summit
I was really excited to be selected as a speaker at the WP Ninja Summit 2023. I was not to happy with my own performance however since one of my two session got really really short. But I was nervous, talked fast and maybe I didnt have as much content as I anticipated. The other one went really well however, and we had great discussions in the room!
I’m really happy that we have such a great, quite large, device focused event in Europe and that it’s not only MMS that gets all the attention. Microsoft had a lot of great speakers flying in, and there were also a lot of great speakers from the community showing up.
Really hoping to go back in 2024!
Windows, Windows 365 & Intune
We have seen a lot of cool stuff during 2023, so many innovations and news that I honestly have a hard time remembering them all.
For Windows 365 I’ve been most excited about the switch and boot features. Switch makes life so much easier using Windows 365 in the everyday work, easily switching context with Win + tab.
Windows 365 Boot is another great feature that I think we will see grow as time goes. We are heading in to a more sustainability focused market, which will result in that devices will have longer life. Windows 365 Boot is a great way to extend the life of a computer!
Personal development
Leadership training
One thing that I have for many years now found interesting and want to develop my skills within is leadership. I’ve been part of one training at a previous company I worked for, targeted at leaders without direct reports which was really interesting.
I’m currently taking part in a leadership program at my current employer where 12 people have been hand picked as potential leaders in the organization based on nominations from their closest manager. I feel really fortunate that I can be a part of this, but it has also made me realize that maybe I should explore other things than just being a techie.
I’ve often gotten the feedback that “you would be such a great manager” and looking back at the trainee program I was a part during my time at Microsoft we did get a lot of leadership training (even if it was never called that).
It will be exciting to see where this takes me!
Looking forward to 2024
I’m really excited about what 2024 will bring, both from a technology perspective but almost more from a personal development perspective.
2024 will probably be the year of AI and I’m curious to see how that will actually impact the whole device management and workplace service business. I’m suspecting that it will impact it quite a lot…
Microsoft announced a new app to consume your Windows 365 Cloud PC, Azure Virtual Desktops, published apps and other remote desktop sessions. This app is simply called “Windows app”.
But we already have apps for this one might say, and that is true. But we need different apps for AVD and Windows 365 today. If you use the Microsoft Remote Desktop app you will be able to see and connect to both your Windows 365 Cloud PC, your Azure Virtual Desktops, and your published apps, but you will miss some key features to WIndows 365.
To get all those nice features for our Windows 365 Cloud PCs, we today must use the Windows 365 app.
If we look at how things are in many businesses, a lot of times we have a mix of Cloud PCs, AVDs and published apps. Today that means that we need to separate apps to get the full experience, which from a user perspective can be confusing since I will see my Cloud PCs in the Microsoft Remote Desktop app, but I won’t see my AVDs or published apps in the Windows 365 app.
The announcement at Microsoft Ignite around the new app is to bridge that gap and get everything into one app, the Windows app.
Before going forward, PLEASE be aware that this is still in preview. Things might change and be added/removed.
What is the Windows app?
Introducing the Windows app. This is your new place to consume all your remote desktop session!
The new Windows app brings all the awesome new features in Windows 365 and combines them with the Microsoft Remote Desktop features like support for AVD and published apps.
I think one of the killer features is also that now we will have the same app, across multiple platforms. Today you need to use one or two different apps on Windows, and a less full feature one on all the other platforms. But the new Windows app changes that!
The first thing you need to do, if you haven’t done so already, is to download the Windows 365 app from the Microsoft Store (or have it provisioned to you from e.g. Intune).
Once you are signed in, you will notice a small button in the top menu saying “Preview”. Click on that! If you cannot see the preview button, make sure your app is up to date!
Once you have enabled this, the app will close and the new one will launch (might take a second or two), and you will be asked to sign in again. Once you have signed in, you will now be in the new app experience!
Using the app
This is the new landing screen, to which you can pin your Cloud PCs, AVDs and published apps. And if I want to pin something to my home screen, I head into “Devices” and select the three dots on the resource I want to pin, then select “Pin to” and select “Pin to home“.
As you can see, all the other remote actions available in the Windows 365 app are also there so I can in the same menu do a restart, restore, inspect connection etc. And if I want to pin it to the task view or taskbar, I can do so from here.
But there is also a Microsoft Remote Desktop feature in this app which I was missing in the Windows 365 app; the possibility to not start the session in full screen. You find this by going to Settings on the machine in question and setting “Use default settings” to off. If you then select “Single display” in the Display configuration section, you will be able to turn off “Start in full screen“. If you jump back and forth or have a large screen, this is a really good feature.
You can of course also select your theme, if you want light mode or dark mode, or if you want the app to use whatever you are using in the operating system. Just click the settings icon in the lower left part of the app and select which mode!
And the last thing… The app supports multiple accounts so you can jump back and forth between tenants. Crucial feature for a consultant!
Other platform
Like I said, the app is today available for Windows, macOS, iOS/iPadOS and Android is still not yet released but it’s coming.
I’ve tested it on my iPhone, and to be honest the experience was way better than I anticipated.
One feature I really like is that when just leaving the app and having the desktop open, the session will continue when I come back without the need to re-connect.
The iOS app is a lot like the Microsoft Remote Desktop app in look and feel, but with a few improvements. I still can’t restart my Cloud PC from the app, but I can restore it if needed. However, it’s not a farfetched guess that it will come in a later release.
All the apps are still in preview, and if you want the iOS/iPadOS or macOS app, you will have to head over to Microsoft Learn and fins the links.
Bonus
What I haven’t covered is that there is also a new web portal, which has the same look and feel as the new Windows app.
The new address to the new web-app is https://windows.cloud.microsoft/. You can read more about it in the Microsoft Learn guide as well.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
