Tag: endpoint management

  • Improving Decision Making with Intune Advanced Analytics Data

    Improving Decision Making with Intune Advanced Analytics Data

    One thing that many IT administrators tackles every day is the discussion about “my computer feels slow” or “I need a faster computer”. Sometime the feeling of having a slow computer is legit, and sometimes it’s something else.

    There are numerous DEX (Digital Employee Experience) tools out there on the market. This can provide you with a great overview of your whole ecosystem, ranging from Teams call quality to desktop experience. However, even if those tools are great, they come with a new set of data to analyze in a new tool. And in bigger organizations, the complicated puzzle of “who owns this and who makes remediations?” arises.

    Since I write a lot about Microsoft stuff, we will dive into the Intune Advanced Analytics part of the Intune Suite.

    Intune Advanced Analytics is a native part of Intune, which gives you more extensive reporting on your Windows devices. I know Windows isn’t 100% of the fleet in modern organizations but we need to start somewhere.

    Setting up Intune Advanced Analytics

    To start using Intune Advanced Analytics, you will need these three things.

    • Intune environment
    • Intune Suite licenses or Intune Advanced Analytics stand-alone license (remember, this is user based)
    • Configuring Endpoint analytics in Intune

    I won’t go through how to obtain license, since this will vary from case to case depending on your setup.

    Configuring Endpoint Analytics

    The first thing you need to do is to configure Endpoint Analytics to receive data from your devices. Since I’m all in the cloud, we will look at how you do this for Intune managed devices. To do this, you need to have the Intune Service Administrator role, also known as Intune Administrator.

    Head over to the Endpoint Analytics blade in Intune (you can find it under Reports or at https://aka.ms/endpointanalytics). When in there, select the Settings blade.

    You can see that my tenant already uses the Intune data collection policy. This default policy exists in all tenants, but you need to make sure it’s assigned to your devices.

    Manually create the policy

    If you can’t find the policy in your environment, it’s no big deal. You just need create a new policy based on the template for Windows Health monitoring.

    If you are configuring this for the first time, make sure to switch Health monitoring to Enable and set the Scope to Endpoint analytics.

    Deploy this policy to your devices using either the built in “All devices” group or use a device group.

    When you set this up for the first time, it can take up to 24 hours for the data to populate. If you are looking to use Advanced Analytics, expect up to 48 hours.

    Allow access to URLs

    The last step to do is to make sure that your devices are allowed to reach the URL needed for Endpoint Analytics. This is important if you have a restrictive firewall or if you use a webfilter/proxy to run all your traffic through.

    For Intune, the needed URL is:

    https://*.events.data.microsoft.com

    If you want to read more about how to set this up for Configuration Manager managed devices, check out the Microsoft Learn page.

    Getting access to the data

    Now when 24 hours have passed, we should start seeing data being populated. If you have additional people who should not be admins who need to review the data. There are a few different built-in roles you can use, or create a custom role.

    These are the different options you have:

    Role nameMicrosoft Entra roleIntune roleEndpoint analytics permissions
    Global AdministratorYesRead/write
    Intune Service AdministratorYesRead/write
    School AdministratorYesRead/write
    Endpoint Security ManagerYesRead only
    Help Desk OperatorYesRead only
    Read Only OperatorYesRead only
    Reports ReaderYesRead only

    Once we have our roles in order, we can start looking at the data!

    Looking at the data

    The Endpoint Analytics feature consist of 6 different blades

    • Startup Performance
    • Application reliability
    • Work from anywhere
    • Resource performance
    • Remoting connection

    These features are available with the regular Intune license. With the Intune Advance Analytics license you will get a few more. And it’s automatically integrated into the Intune administrator experience.

    • Custom device scopes
    • Anomalies
    • Enhanced device timeline
    • Device query
    • Battery health

    If you want to read more about what’s included, I would suggest checking out this Microsoft Learn article.

    Reviewing my devices

    But as I stated in the beginning of the post, let’s talk about reviewing resource performance. With the regular Intune license, you will gain access to resource performance for your Cloud PCs. With this, I get insights which Cloud PCs are meeting my targets and what Cloud PCs I should investigate upgrading to a different SKU. This data can be broken down to a device or model. This gives me great data about my environment on CPU and RAM spikes when they are being used.

    All devices get a score based on their performance, and you can configure what your baseline is in the Endpoint Analytics settings.

    You can break the numbers down based on model or individual device performance to get a better understanding.

    With the 2408 Intune Service update, this was also made available for physical devices if you have the Intune Advance Analytics license enabled. This will provide me with insights on how my physical devices are performing when it comes to RAM and CPU. I can also learn if they have continuous spikes indicating that they need an upgrade.

    If we stand in the “Device performance” tab, we can see all Cloud PCs and physical PCs gathered in the same place. You can also compare Cloud PC and physical PC performance.

    Looking at specific devices

    If we click on the name of a device, you will be redirected to the blade “User experience” on the device itself. You can also find it if you search for a device in the device list and click in to view that device.

    From here, you can see a lot of data about the device around its performance.

    As you can see, my Surface Laptop Go 3 has had a few minor spikes in RAM the last 14 days but nothing major.

    And if we look at the overall score, it’s pretty okay.

    Device timeline

    There is one more really nice feature with the Intune Advanced Analytics we can see, and that is a Device Timeline (last tab on the top).

    In here, we can see historical data on events that has happened on the device which impact the user experience. As you can see on this device, I’m having a few issues with applications.

    And if we jump back and look at another device, a Cloud PC, we can see the same kind of data.

    One interesting thing I found while writing this blog post is that I compared my Surface Laptop Go 3 i5 with 16gb RAM with my 4vCPU/16GB Cloud PC. What I can see was that my Cloud PC scores higher. I would say that I use them in a similar way, the same amount of time. I do know that the Cloud PC has a little bit of a more powerfull CPU (being a cloud PC),

    The Cloud PC scores 98 in resource performance.

    While my Surface Laptop Go 3 scores 77.

    So performance wise, Cloud PCs are doing a lot better. However, the Surface Laptop Go 3 is not a fair comparance being a more “low tier” PC. However, they are still both performing really good for what I use them for. So this is important to take into considerations when looking at the data.

    Take away

    Knowing how the performance of the devices in your environment chelan p you figure out when devices needs to be replaces or upgraded. As you already know, backing your decisions using data is key! Intune can provide you with a lot of data on your device without the need to buy a third party tool and deploying/maintaining a client on the device.

    However, if we start looking at “real” DEX products, Intune Advanced Analytics does not provide the same level of data. You will also need to combine several parts of Intune to be able to perform e.g. remediations on the things you find. You still need to manually take actions or create remediation scripts on your findings.

    But if you are just getting started and need “something”, this will provide you with a great overview of your environment! This will help you make better decisions and help your end-users even better!

    I hope you liked this post and that it gave you some insights to what you can do with Intune Advanced Analytics!

  • Summer recap – what did we miss?

    Summer recap – what did we miss?

    Like all Swedes, summer means vacation mode for 4-5 weeks and that means not keeping up with what’s happening in the world.

    So here is a recap of what’s been happening during the summer months.

    MVP renewal

    In the begning of July, the MVP renewals where announced and I’m happy to announce that I’ve been renewed as a Windows and Devices MVP for the 3rd time.

    Big congratulation to all my fellow MVPs that got renewed for 2024!

    Windows 365 updates

    July was full of Windows 365 updates, there has been updates for Windows 365 each week since July 1st which is really awesome. A lot of great updates.

    Here are some highlights, but if you want to see the full list check it out here.

    Cross region disaster recovery

    Windows 365 cross region disaster recovery is an optional service for Windows 365 Enterprise which protects the Cloud PCs and data against regional outages. This is a seperatly licensed service which can be purchased as an add-on to your existing service.

    Cross region disaster recovery in Windows 365 | Microsoft Learn

    Windows 365 Cloud PC gallery images use new Teams VDI

    The new Teams for VDIs has been added to the Windows 365 image gallery, containing all the optimizations for Windows 365. All your newly previsioned Cloud PCs will containg the new optimizations.

    Microsoft Teams on Cloud PCs | Microsoft Learn

    Cloud PC support for FIDO devices and passkeys on macOS and iOS (preview)

    Windows 365 Cloud PCs now support FIDO devices and passkeys for Microsoft Entra ID sign in on macOS and iOS.

    Updated default settings for Windows 365 security baselines

    Microsoft has released an updated version of the security baseline for Windows 365. You can find a full list of the updated settings here: List of the settings in the Windows 365 Cloud PC security baseline in Intune.

    New GPU offerings for Cloud PCs are now generally available

    Microsoft has finally released the new GPU offering! The GPU offerings are suitable for graphical intense workloads requiring a more optimized performance. The offering consists of three different SKUs called Standard, Super and Max with different configurations for different kinds of workloads.

    GPU Cloud PCs in Windows 365 | Microsoft Learn

    Uni-directional clipboard support is now generally available

    The clipboard settings for Windows 365 and AVD has been in preview for a while, but have now been

    moved into general availability with some pretty nice added functionallity. You can configure a lot of new different content type, and you can select to allow which direction clipboard should be allowed. This applies to both Windows 365 and Azure Virtual Desktop.

    Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

    Intune updates

    The list for Windows 365 was long (in the aspect of Windows 365 updates), but there has been even more Intune updates.

    If you want to read the full list of updates during the summer months, check out the full list here.

    Update for Apple user and device enrollments with Company Portal

    Microsoft has updated the registration process for Apples devices using the Intune Company Portal. The main change is that now the Entra ID registration happens after the enrollment, instead of during the enrollment. This applies for both iOS/iPadOs devices and macOS devices.

    The change means that if you are using dynamic device Entra ID groups which rely on the device registration, you need to make sure that the users complete the whole process.

    iOS/iPadOS device enrollment guide for Microsoft Intune | Microsoft Learn

    New configuration capabilities for Managed Home Screen

    If you are using managed home screen for Android, you can now enable the virtual app-switcher button to allow users to switch between apps on a kiosk device.

    Configure the Microsoft Managed Home Screen app for Android Enterprise

    Copilot in Intune now has the device query feature using Kusto Query Language (KQL) (public preview)

    If you are using Copilot in Intune, you can now generate a KQL query using Copilot while asking in natural language. Great way to learn KQL or get inspiration for your querys!

    Microsoft Copilot in Intune

    New setting in the Device Control profile for Attack surface reduction policy

    Microsoft has added the “Allow Storage Card” setting to the Attack surface reduction policy, which can also be found in the settings catalog.

    AllowStorageCard 

    New operatingSystemVersion filter property with new comparison operators (preview)

    There is a new filter property for operatingSystemVersion, which is available in a public preview.

    This filter allows you to use operators like GreaterThan, GreaterThanOrEquals, LessThan and LessThanOrEquals to your oprating system version and is available for Android, iOS/iPadOS, macOS and Windows!

    Consolidation of Intune profiles for identity protection and account protection

    Microsoft has done some cleaning up around identity and account protection policies and added them all into a single profile called Account protection which can be found in the account protection policy node of endpoint security. This is the only template which will be available going forward for identity and account protection. The new profile also includes Windows Hello for Business and Windows Credential Guard.

    Account protection policy for endpoint security in Intune

    New Intune report and device action for Windows enrollment attestation (public preview)

    There is a new report in public preview for finding out if a device has attested and enrolled securly while being hardware-backed.

    Windows enrollment attestation

    New support for Red Hat Enterprise Linux

    Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

    Deployment guide: Manage Linux devices in Microsoft Intune 

    Newly available Enterprise App Catalog apps for Intune

    The Enterprise App Catalog has updated to include additional apps. For a complete list of supported apps.

    Apps available in the Enterprise App Catalog.

    New actions for Microsoft Cloud PKI

    The Microsoft Cloud PKI has been updated with some new features.

    • Delete: Delete a CA.
    • Pause: Temporarily suspend use of a CA.
    • Revoke: Revoke a CA certificate.

    Delete Microsoft Cloud PKI certification authority

    ACME protocol support for iOS/iPadOS and macOS enrollment

    Microsoft has started a phased rollout of the infrastructure change to support the Automated Certificate Management Environment (ACME) protocol. When a new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. 

    Windows updates

    The realse of Windows 11 24h2 is getting closer and closer, and it could be guessed to be released in a September/October time frame looking at past releases.

    One thing that is also important to highlight is that we are getting closer and closer to the Windows 10 EOS, which means that we really need to focus on getting those devices migrated or removed.

  • Are the settings what you think they are?

    Are the settings what you think they are?

    Something I know a lot of Microsoft Intune admins have been frustrated about for a while, especially if you come from the GPO world, is making sure that the settings you applied are what you think they are on the device. I mean, things happen. Users can be local admins and change stuff, a support person could have changed something locally, or stuff just won’t work.

    As we all know, an up and running Intune Windows device will check in with Intune every 8 hours to see if the settings are still correct. 8 hours is quite a long time if you have a faulty configuration, and not all users know that they can manually synchronize their device with Intune (or an admin can do so).

    This is where the newly introduced Config Refresh enters the stage!

    What is Config Refresh?

    Config Refresh is a new setting in Windows 11 (23h2 or 22h2 with the 2024 June update) which lets you define the interval that the Windows device should refresh the configuration based on what is defined in Intune. In the GPO world, this happens automatically every 90 minutes, and in the Intune world this is 8 hours! But with Config Refresh we can squeeze this down as short as 30 minutes or push it all the way up to 24 hours (why someone would do that, I don’t know but I bet there are those scenarios).

    But this isn’t just changing the default 8 hour intervall, this actually brings some new stuff to the table:

    • A reset operation to reset any settings you manage which use the Policy CSP
    • Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
    • Offline functionality, not requiring connectivity to an MDM server
    • Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

    This means that we get a bunch of new features in the MDM world which we have not had before!

    How do I configure it?

    But how do I configure this in my environment? The Config Refresh policy is set in the settings catalog, so let’s jump straight into Devices – Windows – Configuration and add a new Settings Catalog policy.

    As usual, give your policy a name which makes sense to you in your environment and click next. I’m going for “Win – Config Refresh” in this example.

    Now let’s search for “Config Refresh” and add both the settings to our policy.

    Let’s go for a 30-minute interval in this example but set what makes sense to your environment (default value is 90 minutes). Also, make sure to enable the “Config Refresh” setting before clicking on next.

    If you are using scope tags, you can add that in the next step otherwise move on to assignment. Since this is a device scope setting, let’s target the device for this one so we can make sure that all our devices get this setting regardless of who signs in. If you want to filter our specific devices, add that as well here.

    On the last step, review your settings before clicking on “Create“.

    This will configure your devices to refresh their policies every 30 minutes!

    Bonus:

    If you for some reason want to prevent a device from doing a Config Refresh, you can find the device and press those three dots on the right side of the ribbon. You will then find “Pause config refresh”.

    You can then pause the refresh for up to 24 hours.

    Key take away

    Using the Config Refresh we can make sure that our device has the correct configuration with greater certainty, and we can adjust the intervall to fit our needs.

    This give us as admins a larger sence of control when managing devices and wanting to make sure that our devices has the correct settings. If you are coming from the GPO world you will be very familiar with this since GPOs refreshes every 90 minutes (default), and now you can make Intune work the same way! Yet one less thing that you will be missing from the old world!

    Hope you find this as usefull as I do, and happy clicking!

  • 5 things you didn’t know you could do in Microsoft Intune

    5 things you didn’t know you could do in Microsoft Intune

    I thought I would share a few things you might not know that you are able to do in Intune, small things that might not be related to device management itself but you might not be aware off!

    As all of you know, Microsoft Intune is constantly changing, there are news and updates each week. This means that some of these things might change in the future, who knows!

    But let’s kick it off. Here are 5 things you didnt know you could do in Intune.

    Change language and region

    You have probably seen the settings icon in the top of the Intune portal, this is where you can access the portal settings.

    When you click the settings icon, you will be taken to the Portal settings pane of Microsoft Intune.

    As you can see, there are a lot of different things you can modify and control. E.g. if you have multiple directories or subscriptions you can change which your default is. This is also where you enable darkmode (if you are like me and prefer darkmode). But I though we would focus on the language settings.

    If we navigate to the “Language + region” pane, we can select which language we want the portal to be in. This settings is not a global setting, this only affect my session. Like many others, I prefer to use the English version of MS Intune (the translations in Swedish are a bit wild some times), but I still want my regional format to be Swedish. I can easily select my preferences here and just hit apply and it will refresh the session with a new language for me.

    If you are familiar with Azure or Entra, this works the same way!

    Modify the left side menu

    We probably all know and love the left side navigation menu, this is where we can select if we want to access devices or apps for example.

    But did you know you can customize this menu?

    If you navigate to “All services“, you will see a table of all the available services within Microsoft Intune, and if you look closely you will notice that there is a small star next to each service.

    By default today, all is marked except for “Surface Management Portal” and if you want easy access to that you can simply just star that one too and it will show up in the navigation menu.

    But let’s say I’m only interested in seeing devices, apps and groups, I can simply just mark them with a star and they will be the only one displayed in the navigation menu alongside with reports which we cannot remove.

    One other neat feature is that you can rearrange the order of the navigation menu by simply dragging the headings around if you want to sort the differently.

    Easily change between accounts

    If you are using multiple accounts in Microsoft Intune, there is a simple way to just change which account you are using. If you have ever worked in the Azure portal, this is the same functionality.

    Simply click your profile picture in the top right corner and sign in with a diffetent user. When you have signed in with an additional user, you can easily just switch by selecting that account.

    Access the PIM portal

    For most administrational roles, you use Microsoft Entra Priviledge Identity Management, or simply PIM, to grant the priviledged role that you will use in order for your account not to have that role all the time.

    This can be setup in many different ways, and you can even PIM Intune roles if you use group feature.

    However, you don’t need to go through the Entra portal to access your PIM roles. Simply navigate to Tenant Administration > Microsoft Entra Privileged Identity Management and you will reach the same portal.

    From here, you can simply activate your roles, or approve other requests.

    Shortcut to the Entra portal

    Last but not least, when we are on the topic of Microsoft Entra. Did you know that there is a shortcut to the Entra portal in Intune?

    Just navigate to All services in the navigation menu, and under “Other consoles” you will find Microsoft Entra.

    When you click that link, a new tab will open with the Entra portal!

  • Ignite 2022 – live in Seattle!

    Ignite 2022 – live in Seattle!

    So, 2022 was the year Microsoft Ignite was FINALLY a physical event again, and for the first time on Microsoft home turf in Seattle.

    Being an ex-Microsoft FTE, this gave me major flashbacks to TechReady, which was an internal training event Microsoft used to host in Seattle. Same location as Ignite, just no hilarious videos with Norm Judah encouraging everyone to fill out the evaluations.

    Ignite was different this year since it’s a hybrid event, and the first big such for Microsoft which means that they are still trying out the concept.

    Overall, I had a lot of fun. For me, meeting up with peers and having the time to focus on the content is important, if sessions are digital or physical doesn’t really matter. Some sessions made more sense virtually. But in-person sessions are usually the best, and you could really tell that people wanted this. Especially the big keynotes are always more fun in-person.

    But I was missing the expo where you can meet vendors or just mingle with Microsoft people, there wasn’t really any space for this, except for an awesome Surface expo.

    However, the width that the “old” Ignite had was missing and the break-down sessions were missing. The feeling was that this hybrid thing was more focused on people attending remote, and people on site were more the live audience.

    There was a lot of news and I’ve picked out the ones I found most interesting.

    Windows

    Just before Ignite kicked off, there was a Surface event where some news around Windows 11 was released. Check it out here:

    Introducing new Surface devices that take the Windows PC into the next era of computing | Microsoft Devices Blog

    If you want to read more about all the Windows 365 news, check this out: What’s new in Windows 365: Microsoft Ignite 2022 edition – Microsoft Community Hub

    Microsoft 365 and Windows 365 in the Metaverse

    This was released a few days prior to Microsoft Ignite, but Microsoft 365 and Windows 365 will be supported on Meta Quest devices, providing a new kind of experience for productivity in the Metaverse.

    This means that you will be able to run a fully supported productivity setup in the Metaverse with e.g., Microsoft Teams and Windows 365. Windows 365 is not yet released for Metaverse, but this indicates strongly which direction VR is heading now.

    On top of Microsoft 365 apps being supported, you will also be able to manage the Meta Quest and Meta Quest 2 using Azure Active Directory and Microsoft Intune, which would provide IT admins with a whole new option of what a PC or workstation is for their end-users. You can read more on this blogpost by Microsoft: Microsoft and Meta partner to deliver immersive experiences for the future of work and play – The Official Microsoft Blog

    The new Windows 365 app (preview)

    The Remote Desktop app has for long been the go-to application for your VDIs, but now for Windows 365 you can use the brand-new Windows 365 app which is now in public preview. This app aligns more with the Windows 365 features found on the web portal but with the advantages of the desktop app! Read more here:

    Experience the Windows 365 app: public preview available now – Microsoft Community Hub

    Organizational messages

    Getting messages out to end-users is always a struggle within IT. There is a new feature for Windows 11 where you can send organizational messages, natively in Windows, to your users instead of sending them email using Microsoft Intune coming in November to Windows 11 22h2. Read more here:

    Deliver organizational messages with Windows 11 and Microsoft Intune – Microsoft Community Hub

    Microsoft Intune

    No more MEM…

    The brand Microsoft Endpoint Manager or MEM is going away. The new product-family name will be Microsoft Intune where a bunch of things will be included, Configuration Manager amongst others. You can read more about the anoncment here:

    Introducing the Microsoft Intune product family – Microsoft Community Hub

    Add-ons for Microsoft Intune

    Add-ons for Microsoft Intune is obviously here to stay, and it’s also growing bigger than just Remote Help which has been an add-on for a while now.

    Out of the list of new add-ons coming, what caught my eye especially was these two which I think will solve a lot of headaches for a lot of IT admins.

    You can read more here about all new add-ons:

    Reduce your overall TCO with a new Microsoft Intune plan – Microsoft Community Hub

    Endpoint privilege management in preview

    Enabling local admin for users on a temporary basis has been a struggle with Intune managed devices. Old solutions relying on attributes in the on-premises AD do not work and there aren’t really any “best practices” established around this yet.

    However, Microsoft is looking to solve this with the Endpoint Privilege Management which is in public preview. Read more in the link above.

    Automated app patching as add-on

    Keeping applications up to date is something that many stuggles with, and there are products around to solve that. Now Microsoft are throwing themselves into this game as well, which makes a lot of sense. This is just briefly mentioned in the “Further value and looking forward” part of the article, but if they are able to deliver on a native Microsoft Intune feature for this, that would simplify things a lot!

  • Remove Quick Assist

    Updated on the 29th of September 2022 due to changes in Quick Assist installation.

    Like I mentioned in the blogpost about Remote Help, the build in Quick Assist tool in Windows 10 and Windows 11 is great for supporting friends and family. However, it’s not that great to support an organization since vital features are missing like handling UAC and logging. There is also a lot to wish for when it comes to how accounts are managed and the overall experience in a corporate setup using Quick Assist.

    So, when we have deployed Remote Help to all our users, we want to remove Quick Assist to improve security (so unauthorized people cannot remotely connect) and to ease confusion about what remote support tool to use.

    There are several ways of doing this, but I’m taking the approach that we don’t have a custom image since our devices has been enrolled through Windows Autopilot using vanilla images. So how can we remove the feature, and make sure that the end-user doesn’t get creative with enabling it again?

    The answer to this is using proactive remediations.

    What is proactive remediations?

    Proactive remediations is a part of the Endpoint analytics section of Microsoft Endpoint Manager. You can find it by going to Reports > Endpoint Analytics > Proactive Remediations. By default you will have to script packages published by Microsoft.

    Proactive Remediations is a script package where you can find and fix things on your clients, before this generates a ticket to your help desk.

    However, since these are scripts running, you can do about anything to be honest. Each script package consists of a detection script and a remediation script. The scripts are then deployed to the devices through MEM and will report back. You can find reports on how many times a script has run, and how many times it has fixed an issue. Fixed and issue means that it has run the remediation script. You can read more about how they work and what you can do on e.g. Microsoft Docs.

    One thing you could do is to detect if a Windows component is active, and if found active then disable it.

    How do I remove new Quick Assist?

    Due to an update, Quick Assist have now moved in to the Microsoft Store, meaning that we need a new way to remove the store app. Next chapter will cover the old application which was a Windows Capability.

    There are several ways to remove pre-installed application from Windows, you could either get the application from the Business Store and assign it as “Uninstall” for all devices/users, or you could user PowerShell to remove applications.

    For this, we will use Proactive Remediation to detect if the Quick Assist is installed, and if so we will remove it. This would remove the application even if the user installs it them self. There are other ways to do this as well, like only deploying the removal part and blocking the application with AppLocker.

    I’ve put these scripts in my GitHub repository, for this part use the *_app files.

    First we will do detection:

    WinCap = Get-AppxPackage -name "MicrosoftCorporationII.QuickAssist"
    
    try {
    If ($WinCap.Name -like "*MicrosoftCorporationII.QuickAssist"){
    Write-Warning "Quick Assist installed - running remediation script"
    Exit 1
    }
    Else{
    Write-Host "Quick Assist missing - exiting"
    Exit 0
    }
    }
    catch {
    Write-Host "Quick Assist missing - exiting"
    Exit 0
    }

    If our detection script finds the application, we will run a remediation script to uninstall it, just two lines of simple PowerShell code (thanks @LasseiLarod for the contribution to this).

    $WinCap = Get-AppxPackage -name "MicrosoftCorporationII.QuickAssist"
    Remove-AppxPackage -package $WinCap.PackageFullName

    Now all that we need to do is to make sure that we run the script in User Context, since the application is installed in the user context.

    How do I remove old Quick Assist?

    One way to disable Quick Assist, even if the user enables it again, I have found is to use a proactive remediation which checks if Quick Assist is enabled on the device, and if it finds that it is Quick Assist is disabled.

    Quick Assist isn’t an app installed from the store, it’s a Windows capability which means that we cannot uninstall the app.

    To do this, we firstly need a script which will identify if Quick Assist is enabled. One way of setting that up is like this, a simple PowerShell script that my college helped me create (thank you Daniel).

    I’ve put these scripts in my GitHub repository.

    $WinCap = Get-WindowsCapability -online -name App.Support.QuickAssist*
    
    If ($WinCap.State -match "NotPresent"){
        Write-Warning "Windows Capability - Quick Assist missing - exiting"
        Exit 0
    }
    else {
        Write-Host "Windows Capability - Quick Assist installed, Running Remediation script"
        Exit 1
    }

    This simple script will check if the Windows capability is enabled, if enabled it will run the remediation script which disables Quick Assist. It’s a one-liner:

    Remove-WindowsCapability -online -name App.Support.QuickAssist~~~~0.0.1.0

    What could be good to keep in mind is that if the version of Quick Assist changes, this disable-part will stop working. I’ve’ tried using a more generic string, but I couldn’t get it to work. However, my PowerShell skills are quite limited.

  • Exclude devices from profile

    One of the most common ways to assign Windows Autopilot profiles is to use the wildcard argument for Autopilot devices in an dynamic Azure AD group:

    device.devicePhysicalIds -any (_ -contains "[ZTDId]")

    This is a powerful way of gathering all devices imported to Autopilot into a single group to assign either enrollment profiles, configuration profiles or even applications without the need for any additional work or use of group tags.

    However, this group being powerful makes things a bit harder when it comes to excluding devices that might need a different enrollment profile for testing, different device type or just a different use case.

    There are different ways of doing this, but this is the way I found that works well and it assumes that you have another Azure AD group which you use to assign Enrollment Profiles, dynamic or assigned.

    Let’s say we have two enrollment profiles:

    • Production profile
    • HoloLens profile

    The “Production profile” is assigned using a group called “All Autopilot devices” which gets devices using the “device.devicePhysicalIds -any (_ -contains “[ZTDId]”)” string to gather all devices which are imported to the environment.

    We have also imported the HoloLens devices in to our device list for Autopilot, which we are using a group tag to populate our “HoloLens devices” group with which is then used to assign the HoloLens profile.

    Now comes the tricky part. Since we have the “catch all” group already, that will include the HoloLens’s which means that we will assign configuration profiles and applications that are assigned using that group.

    Since our HoloLens’s are a different type of devices, we want to assign a separate set of configuration profiles and applications towards them, meaning that we need to exclude them from the “All Autopilot devices” group and add them a HoloLens specific group to assign our HoloLens profile.

    Creating out groups

    To add them to the HoloLens deployment profile you can create a dynamic group which is using Group Tags to populate. This will require you to add this group tag to all your HoloLens’s. In this case, we will use the Group Tag “Hololens”.

    (device.devicePhysicalIds -any _ -eq "[OrderID]:Hololens")

    This will assign the HoloLens specific deployment profile to the device.

    However, we also want to make sure that we do not include these devices in the bigger group which is used to assign the “regular” Windows policies. This was a bit trickier than I thought to be honest.

    After playing around with excluding the group tag, which for some reason didn’t work that great, the most effective way was to exclude devices from my big “All Autopilot devices” group by using the fact that it has a deployment profile assigned to it. This value can be used in the rules for the group by saying that we don’t want to include devices having a deployment profiled called “Autopilot HoloLens” assigned to them.

    device.enrollmentProfileName -ne "Autopilot HoloLens"

    The outcome

    By changing the rule to say that in addition to “catch all” also no include anything that has the deployment profile “Autopilot HoloLens” assigned to it, we will now have a group which will exclude all HoloLens devices!

    This can of course be used for other things than HoloLens, it applies for anything that has a deployment profile assigned to it.

    There are other ways to accomplish this, but this is the easiest way I’ve found so far!

  • CloudLAPS on CloudPC?

    So I’ve been playing around a bit with Windows 365 Enterprise and thinking about “okay, what cool things should we try?”.

    First step is of course to set it up and I thought about writing a guide about that. Halfway through my guide I realised that the one written by Christiaan Brinkhoff was far superior to mine, so go check his guide out!

    One thing came to mind however, could you get CloudLaps to work on a Cloud PC?

    Of course, we needed to try this even though I’m not a 100% sure that you need it.

    What CloudLaps does it that it provides your PCs with a unique, randomized password for the local admin account on the machines which is rotated on a given interval (default is every 3 days). By using this functionality, all your PCs will have unique passwords for their local admin accounts meaning that if this is handed out to an end-user or support personal, the password will stop working when the password is updated.

    The Cloud PC configuration

    If you have not yet implemented CloudLaps, have a look at the guide in the link above, but if you have it in place, you are ready to go.

    Since CloudLaps is built on proactive remediations in Microsoft Intune, you will need to make sure that the Cloud PCs are included in the assignment by using (or adding) a group containing all your Cloud PCs. Windows 365 Enterprise gives you the benefit that Cloud PCs are being automatically enrolled into Microsoft Intune which gives you the possibility to manage them directly without any further actions!

    In this example, all the Cloud PCs are included in the same group as all other PCs since we want all these PCs to have the same settings. This was done by adding an extra rule to our Dynamic Group.

    device.deviceModel -contains "Cloud PC Enterprise"

    No additional configuration needed!

    The outcome

    The outcome of this test was as expected, worked perfectly fine!

    A local admin password is populated in the CloudLaps portal, and I can use it on the machine to elevate my rights on the Cloud PC.

    Since you can use the exact same configuration for Cloud PCs as physical PCs, you will not need to separate how you manage the Cloud PCs. They are just another PC, but in the cloud!

  • Intune for noobs – Intro

    I’ve been thinking about doing something more educational for a while now and I think this will be a great start to that. Writing a guide on how to setup your own Microsoft Intune lab. We will take shortcuts and do dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip all fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    Here are the links to each part, and they are also published in the blog further down in the feed.

    Sharing is caring, so my idea about this guide is to simply help you get started on your own Microsoft Intune journey and learn what it is and what it can do!

    With this base, you can build further on your lab environment as you grow with the concept!

    Enjoy!

  • Intune lab for noobs – part 1 // Pre reqs

    I’ve been thinking about doing something more educational for a while now and I think this will be a great start to that. Writing a guide on how to setup your own Microsoft Intune lab. We will take shortcuts and do dirty tricks, just to get going. So please don’t use this as an implementation guide in a real environment. We will also skip all fancy steps as getting a real domain name and having an on-premises AD. But if you already have those in your lab, that’s great!

    What do I need?

    There are a few things you will need in order to get started:

    • An Azure AD tenant
    • Microsoft 365 or EMS licenses (E3 or E5)
    • Hyper-V or some other virtualization platform
    • A Windows image
    • A mobile device or two
    • A Google account
    • An Apple ID

    There are more things, but this is a good start.

    Getting a tenant

    This can sound like the most cumbersome and expensive part, but it doesn’t have to be. Depending on your level of commitment, there are different ways to go at this. The Azure AD itself is free of charge, but you will need licenses to run Microsoft Intune. You could either buy these or get a test tenant for free from Microsoft. You can either get a one-month free trial from the Microsoft 365 info page which isn’t persistent if you don’t buy the license once it has expired. You can also sign up for a free trial of Microsoft Intune from Microsoft Docs, then enable a 90-day free trial of Enterprise Mobility + Security E5 if you go to Devices > Enroll Devices > Windows Enrollment > Automatic Enrollment. This will include everything you need to test Intune, but no Microsoft 365 services.

    The best option is to sign up for the Microsoft 365 Developer program and get a tenant and licenses which will be renewed every 90 days if you sign in at least once.

    My recommendation for your lab is to get the later one. You will want something that sticks around for more than 30 or 90 days.

    By using the Microsoft 365 Developer program, you can also get sample data (users, generated emails, SharePoint sites) to make the environment more realistic with minimal effort.

    The setup process is simple, you will need to register with Microsoft and then you will be able to create your tenant. Microsoft has a good step by step guide which you can find here!

    Give your tenant a cool name (or just something you remember) and you are ready to go!

    Once you have your tenant setup, use your admin account to sign in to endpoint.microsoft.com and BAAAM, you are now in the Intune portal!

    Hyper-V or another virtualization platform

    The reason we want a virtualization platform is to spin up some virtual test clients. There are numerous ways of doing this, but for small scale this is the simplest way.

    If you are using a Windows based machine, you can enable in different ways. Easiest way is to simply run the PowerShell console as admin and run the following command (something I learned by writing this post):

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

    When the command is successful, reboot the machine.

    If you are not comfortable with PowerShell, you can simply enable it in the “Turn Windows Features on or off” section of Programs and Features in the Settings app.

    We will come back to how to use Hyper-V in a later section were we setup Windows management.

    Getting a Windows image

    There are a lot of different ways of getting a Windows image for testing purposes. If you have an MSDN/Visual Studio subscription, you can download this from your subscription repository of download. But if you don’t have that, the easiest way of getting a Windows image is to simply download it from Microsoft using the Media Creation Tool found here.

    Once you have downloaded and started the tool, you can follow the on-screen wizard to obtain the image.

    First, accept the terms and conditions page, then make sure to select “Create installation media”.

    Select the language you require and make sure you get the 64-bit version (you don’t need 32 bit).

    Select that you want this as an ISO-file

    When you press next, it will ask you where you want to save the file and the download will start.

    Mobile devices

    Depending on what you want to do with your lab, I suggest you get at least one mobile phone. This could be any phone which is fairly up to date (iOS 12 and higher or Android 6.0 or higher).

    For my lab, I’m using a cheap Samsung Galaxy A20 that I got on a sale which is running Android 10 and an iPhone X (which is my primary personal device). However, if possible, I strongly recommend using secondary devices for your lab, at least if you want the wipe features.

    Google Account

    Why do we need a Google account in the Microsoft world? It’s simply to activate and be able to use the Managed Google Play store and activate enterprise features. This can be a regular Google account; I’m using one that I’ve had for ages (in the real world make sure to use a dedicated which is NOT personal). If you already have a Gmail account, that will do just fine!

    If you plan on sharing this environment with more people, use a dedicated account.

    Apple ID

    To enroll Apple devices in Microsoft Intune, we need to obtain a certificate from Apple. For that, we need an Apple ID.

    Same goes here, for your personal lab you can use an already existing Apple ID which is not dedicated for the purpose (for real world use, setup a dedicated account). We will use this account later when we configure iOS/iPadOS management!

    Ending notes…

    And that’s about it for pre-reqs to setup your own Microsoft Intune lab!

    In the next step, we will do some basic configuration of your brand-new Microsoft Intune tenant!