olastrom.com

Tag: intune

  • Moving to cloud native

    Moving to cloud native

    Let’s imagine for a second that you are a large, global organization and you are managing the fleet of PCs.

    In a traditional setup you probably have a Configuration Manager server and probably a bunch of distribution points.

    On top of this, you each month must distribute security updates to all your global device estate. And make sure your golden image is patched. Not only this, you also need to maintain your infrastructure, keeping Configuration Manager up to date, the server it runs on and also all those distribution points. Not to forget troubleshooting when a distribution point stops and a region +8 hours from your time zone can’t PXE-boot computers.

    You have all heard the marketing pitch because cloud native is the future. But if we instead take an approach to discuss this from a business and operations perspective, we can find some other interesting angles.

    Background

    What I do in my professional life is mostly to advise and help customer moving to a cloud native platform for device management. I’ve been working with Microsoft Intune since 2013, so I’ve seen all the itterations of the platform. I’ve also seen what works and what didn’t work.

    Back in 2013, going cloud native was not a thing, even though Windows 8 acutally supported MDM enrollment. Back then we were more talking full management or light management. Intune was the light managed way doing things since there were simply not yet feature parity.

    Windows 10 brought a whole lot of new benefits to cloud. You could now argue that you could make the shift to Intune only and onboard using the new cool Windows Autopilot.

    Fast forward to 2025 and Windows 11. We now have feature parity in MDM polices vs GPOs (even if it’s not a 1:1 translation), and moving to the cloud is something everyone is talking about. Not everyone has moved, but from what you hear peers, customers and people within the community everyone is looking at “how should we do the transition”.

    Moving to cloud native is not only a “keeping up with the IT landscape”. It can also be a huge cost save for a lot of organizations. No more servers, no more imageing, no more maintaining images. It’s simply just more streamlined.

    Common pitfalls

    There are A LOT of pitfalls out there when it comes to moving to Intune. I thought I would cover a few which I tend to see more often. Not all of these are technical. Because to be 100% honest, the technology isn’t the biggest issue here.

    Doing things like we have always done

    Moving to cloud native means doing things in a new way. I’ve seen way to many attempts at moving to cloud native which fails because you don’t embrace change. An Entra ID/Intune managed device is not exactly the same as a Active Directory/ConfigMgr managed device. Gone are the days of imaging and GPupdate, we now have Windows Autopilot and syncing with Intune.

    Cloud native will mean that we will have to do things different, and it’s not bad. Just different. Many things we have done for the last 30 years with managing devices (yes, the first version of ConfigMgr called SMS 1.0 was release over 30 years ago in 1994).

    We need to embrace change and adopt the new ways of working. If we don’t do that, we will never reach all the way. This is where many project fails.

    Doing everything at once

    The cloud journey looks very different for all companies, even though we want to accomplish the same things. But doing big shift actually impacts user productivity and we need to be smart of what changes we introduce.

    Looking at Sweden, a lot of companies are combining their Windows 11 migrations project with a Cloud Native project. This is a great idea since we are doing a big shift in the client anyway. However, time is running out for Windows 10, so today we need to prioritize whats actually important.

    But splitting the cloud journey into smaller pieaces could be easier for many, but we can run a lot of these projects in parallel.

    Migrating everything

    Think about all your GPOs. You have built that over a larger number of years, probably mostly adding to it and never really done a cleanup. A lot of these policies might been configured for Windows 7, and operating system which was released in 2009. You probably don’t need to migrate those settings to your brand new Windows 11 platform since a lot does not apply in the cloud and many are even depricated.

    There is really no point in walking through each and everyone of your old setting, trying to find the Intune equalent for it. A much better idea is to look at what you had, implement either the Microsoft Security Baseline or the Open Intune Baseline. Then go look at your old environment or your security requirements and look for what is missing and what makes sense. There is a GPO analytics tool in Intune, but for experience I would say that starting over is a much better idea since you will leave all your Windows 7 and Windows XP settings behind!

    Setting the bar way to high

    One of the most common things I see when working with customers who are moving from ConfigMgr is like I mentioned, we don’t embrace change. But one more things is thinking that we need to make it perfect in our first Proof of Concept or Pilot, which isn’t really a realistic approach. You need to start somewhere, so find your minimum viable product (MVP). What do we need to have inplace to do a successfull pilot. What I’ve seen with the more successfull projects I’ve been involed in, this has been the MVP:

    • Windows Autopilot for onboarding
    • Security baseline
    • Wi-Fi
    • VPN
    • Base applications (the crucial ones for your pilot group)
    • Compliance policies

    One more thing to keep in mind when moving towards a cloud native client is that your pilot and initial rollout might not need to suite 100% of your users. You will have some more cumbersome scenarios like dependency on on-premises or problematic applications. Don’t let this stop you, instead have them in a later phase of your project. Put them on hold, just like you would do with Windows feature updates. Once you have completed your first scenario, move on to the next!

    Moving all extisting devices

    This is a controversial one. Eventhough it’s nice to have all your devices as cloud native, but the only way to migrate devices from hybrid to cloud native in a supported way is by resetting the device. And this might not be the most productive way of making this shift, since it means actuall downtime for the end-user.

    Microsoft recommends to keep hybrid devices in hybrid until they needs to be reinstalled or replaced. Since we can still move to a 100% Intune managed environment with hybrid devices, this could for larger organizations be a more cost efficient way of making the shift to Intune. Re-installting thousands of devices is time consuming.
    I’m not saying that you shouldn’t make the hard cut and re-install all your devices, but be aware of that there are alternatives eventhough it’s not a pure cloude native solution for all your exisiting devices going down this route.

    What’s your first action?

    But where should you get started? Well, making sure you have co-management/cloud attach enabled in Configuration Manager is a great first step, to enable the shift of workloads to the cloud.

    I would also recommend to start looking at setting up a small proof of concept or pilot in Intune, onboarding a few devices with the base applications and a first version of security baseline (use the Microsoft one or Open Intune Baseline mentioned earlier in the post). Register a few devices for Windows Autopilot manually and enroll them.

    Don’t make it to hard on your self, start small with the “simple” scenarios and let them test it. But set a strategy for this and make sure to track your progress and create a project of this. It’s a hard project to pull of as a line activity since there are a lot of moving parts, redesigning and new ways of working while you need to keep the light on for your production environment.

  • Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Some of you might have noticed that when updating a Windows 365 Cloud PC to Windows 11 24H2, the shutdown button appears out of nowhere in the start menu, which can cause some weird behavior for the end-users.

    Shutting down the Cloud PC isn’t really anything you should be bothered with. Restarting, yes, but if you do a shutdown, it will boot back up again within a few minutes.

    With the Windows 11 24H2 update to Windows 365, if you upgrade from an earlier Windows 11 version, this registry value will be reset.

    While I still encourage you to provide feedback to Microsoft, the fix for this problem is fairly simple!

    There are two ways we could go about addressing this. We could either create a configuration using the Settings Catalog or use proactive remediation. We will get the same result in the end, so it depends on how you like to do it. I will show you both ways in this blog post, and how you can configure it.

    Settings catalog

    In Microsoft Intune, head into Devices > Windows > Configuration and create a new configuration profile by clicking “+ Create“. Select Settings catalog as the profile type and click create.

    Give the profile a good name which makes sense in your environment.

    Search for “Start” and find “Hide Shutdown” in the list, then check the checkbox next to it. Close the fly-out.

    Make sure to enable the setting before moving to the next step.

    In my case, I will skip scope tags and move straight to Assignments, where I select “All devices” and filter out Windows 365 with a filter.

    Last step is to review and create the policy. And then you just need to wait for the policy to apply.

    Proactive remediation

    The scripts

    The easiest way to deploy a scripted solution for this is to use remediation, since then we can also get feedback on how many devices had this issue. We can have it continuously checking or just run once.

    But in order to set up a remediation, we need a detection and a remediation script (you could run everything in the detection script, but you won’t get any feedback if you want to run it more than once).

    You can find the scripts either on my GitHub repository or just copy them from here.

    Detection script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value

# Define the registry path and value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$valueName = "value"

# Check the current value
$currentValue = (Get-ItemProperty -Path $registryPath -Name $valueName).$valueName

# Check the value and set the appropriate exit code
if ($currentValue -eq 1) {
    Write-Output "Registry value is set to 1."
    exit 0
} else {
    Write-Output "Registry value is not set to 1."
    exit 1
}

    Remediation script

    # Created by Ola Ström, olastrom.com
# Date: 2025-01-21
# Version: 1.0

# PowerShell script to update the registry value
$registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
$registryName = "value"
$registryValue = 1

# Set the registry value
Set-ItemProperty -Path $registryPath -Name $registryName -Value $registryValue

Write-Output "Registry value updated successfully."

    Intune part

    In Microsoft Intune, navigate to Devices > Scirpts and remediations.

    Select “+ Create” in the ribbon and give your remedation a good name, then press next.

    Now we will add the detection and remediation scripts, which you need to save as PowerShell scripts on your device to upload to Microsoft Intune. Change the “Run script in 64-bit PowerShell” to yes, but leave all the other options at their default values and press next.

    On the Assignment tab, select your target group. I’m using “All devices” with a filter for Windows 365.

    On this step, you also set the schedule by pressing on the text “Daily”, which is the default value. You can then choose if you want it to run once, hourly, or daily.

    When you have selected your schedule, press next to review your settings before pressing create.

    And now we wait until the remedation runs…

    Monitoring the remediation

    You can follow up the progress of your remediation by checking the device status on the remediation you just created.

    In this view, you can follow up on individual devices and see how many devices were affected.

    If the script detects that the value is set to anything other than “1”, it will run the script to fix it, and you can see here if the issue was fixed or not. This is not dependent on whether the script runs on a schedule or just once; you will still get feedback if any issues were found.

    What happens on the Cloud PC?

    Both ways will give the same end result for the end-user: the shutdown button will disappear, removing the option to shut down the Cloud PC (which is good).

    Take aways

    I’m not saying that one way or the other is the correct way; it’s just different ways to address the problem. Both of them have advantages, where the settings catalog will set the value and always keep it that way, and the remediation will check if the value is incorrect and change it if needed.

    You can also reuse this script for other registry entries you would like to change, so feel free to reuse it!

  • Master the Copilot button on Copilot+ PCs

    Master the Copilot button on Copilot+ PCs

    As you might know, there is a new category of PCs out there called Copilot+ PCs. These are defined by primarily two things, they have an NPU with over 40 TOPS (trillion operations per second), and they have the Copilot button on the keyboard. Of course they also run Windows 11.

    As per writing this blogpost, we have mainly seen ARM based Copilot+ PCs. But x86 based versions from AMD and Intel is around the corner!

    One thing that has gain a lot of attention is the Copilot button. When the first devices were released this opened the consumer version of Copilot, the Microsoft Copilot app. This app does not work corporate environment, since we don’t get the “correct” version of Copilot. The Copilot we want to use is the Microsoft 365 Copilot where you sign in with your corporate credentials.

    There has been changes

    Since the October patches 2024, Microsoft has altered the behavior of the Copilot button based how you sign into your computer.

    Another change that has happened is that the Copilot in Windows (preview) experience has been removed and is replaced by either Microsoft Copilot app or Microsoft 365 app based on your scenario (see the table below).

    The following table will show you that based on you you authenticated onto you computer, different things will happen.

    ConfigurationCopilot experienceCopilot key invokes
    Copilot not enabled in environmentNeither Copilot in Windows (preview) nor the Microsoft Copilot app are present.Windows Search
    Copilot enabled + do not authenticate with Microsoft EntraCopilot in Windows (preview) is removed and replaced by the Microsoft Copilot app, which is not pinned to the taskbar unless you elect to do so.Microsoft Copilot app
    Copilot enabled + authenticate with Microsoft Entra + new deviceCopilot in Windows (preview) is not present. Microsoft Copilot is accessed through the Microsoft 365 app (after post-setup update).Microsoft Copilot within the Microsoft 365 app (after post-setup update).
    Copilot enabled + authenticate with Microsoft Entra + existing deviceCopilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft Copilot app.IT admins should use policy to remap the Copilot key to the Microsoft 365 app, or prompt users to choose.
    Source: Updated Windows and Microsoft Copilot experience | Microsoft Learn

    In a corporate world, we strive to have the Microsoft 365 app launching when pressing the Copilot button on the keyboard, since that’s where we can use the Microsoft 365 Copilot. So let’s walk though the different scenarios.

    New Copilot+ PCs

    If you are setting up a new Copilot+ PC (or resetting an existing one), there isn’t that much you need to do. As long as you get the October 2024 monthly security update installed, the Copilot button will remap to the Microsoft 365 app if signed in with an Microsoft Entra account and you have Copilot enabled in your environment, and it doesn’t need to be the “fancy” $30 per month version. If you have disabled Copilot, the button will (as the table says) open Windows ´Search instead.

    Existing Copilot+ PCs

    For your existing Copilot+ PCs which were setup prior to the release of the October 2024 monthly security update, you as an admin have to take action since the default value for users would be to launch the Microsoft Copilot app. This can be done in two ways, either prompt the users to make the change them self in Settings or push out a new configuration for the computers using a GPO or Intune CSP policy.

    Setting
    CSP./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey
    Group policyUser Configuration > Administrative Templates > Windows Components > Windows Copilot > Set Copilot Hardware Key
    Source: Updated Windows and Microsoft Copilot experience | Microsoft Learn

    As of the latest service release of Microsoft Intune, you can now also do this usign Setting catalog, which is not yet reflected in the Microsoft documentation.

    Let’s have a look at how we set this up in Microsoft Intune. (UPDATED with settings catalog instructions)

    Navigate to the Microsoft Intune Admin Center and select Devices > Windows > Configuration and create a new policy. Select Windows 10 and later then Settings Catalog. Select it and click “Create“.

    We start by giving the new profile a name which makes sense in our environment. Then click Next.

    Next step is to add the setting by pressing +Add setting. Search for Windows AI and select the “Set Copilot Hardware Key (user)” setting.

    Close the flyout and enter the AUMID for the Microsoft 365 app.

    AUMID: Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub

    If you are not using Copilot and want to disable the button, set the value to 0 instead of the AUMID of the Microsoft 365 app.

    Click though the wizard and assign the profile to an applicable group.

    Review your configuration before creating.

    We have now successfully changed the behavior of the Copilot button on our Copilot+ PCs!

  • Where is device heading

    Where is device heading

    I started a blogpost something like this about 4 years ago:

    “I’ve been thinking about this post for a long time, probably several years to be honest. What got me to get this done is something Microsoft released, the Windows 10 in cloud configuration, which is a configuration guide for how to move to cloud managed Windows 10 devices.

    This is great!

    This shows that managing Windows 10 purely from Microsoft Intune is not rocket science and it will make it easier for smaller companies especially to get going.

    BUT this is also showing what I’ve been expecting for a couple of years. “

    Let’s stop the tape right here. I’ve added to this post once back in 2022 but never finished it. And to be honest, this has been on my mind since 2016. I recall that this was planted in my head in a conference room at the Microsoft Madrid office at a meeting with my team back in the days.

    This post was initiated long before the release of Windows 11, and before the release of Windows 365. AI was still something that was being explored but not a massive thing, we were more focusing on machine learning than AI. It feels like ages ago, but it still makes sense to talk about this given what is currently happening with Cloud PCs, AI, and continuous innovation in Windows 11.

    This is probably to date the blogpost that has taken the longest to write, but it’s starting to make sense now.

    The change of device management

    When we talk about device management, and especially Windows, things tend to get technical and hard quite fast. Especially if we throw some on-premises things into the mix and talk about creating custom boot images (which is an artform in itself).

    Now we are in the age of AI and Copilots. Copilots showing up everywhere for everything. We have currently seen what is called the Microsoft Security Copilot where security admins can query the Copilot to find issues and even troubleshot device configurations. This is only the beginning of the AI transformation we are on. The Security Copilot also connects into Microsoft Intune, becoming Copilot in Intune.

    Looking at Microsoft Intune and how simple it is to get started with a surprisingly good baseline and basic device management, this is a fitting example of how this whole segment has evolved into something which does not need to be that complex anymore with servers, distribution points, image creation, OSD, GPOs. Using Intune, you can get a long way with the guided scenarios or the security baseline which are already existing in Intune today. You can even get suggestions on what to set using the Settings Insight feature in Intune which will give you recommendations on how to configure your security baseline using machine learning. And that is without any Copilots.

    AI will help us

    What has gotten me to finish this blogpost is the Copilot and Intune story that Microsoft is now telling, I attended WP Ninja Summit 2024 in Lucerne where Copilot was mentioned in a lot of sessions and showed real world value. Copilot can find issues with devices, or policies, which would take admins hours, or even days to find. If you get that in about a minute or two, that is an huge increase in productivity. Copilot is not yet in the state that it will suggest that “you should configure your setup like this”, it’s still learning Intune. But just putting the tools in the hands of admins simplifies their work… Wow.

    But there is also a conflict of interest here. If I can use Copilot to find that error in a few minutes… Why do I need to pay expensive consultants to do the work for me? Well, I think we who live and breath device management needs to raise our line of sight a little and find what the next big thing is and how we can stay relevant. This will be challenge for many, but this change will also take several years to complete.

    I would assume that this is just the start of a pretty epic journey in device management, making life easier and probably quite drastically changing how we work with device management. Microsoft has a lot of data of what “a good device management configuration” should look like. Even if most organisations think they are unique and have unique needs, most organisations share the same baseline needs but of course with their unique touch on-top of things. This is where the focus should be, not the baselines where we tend to spend way to much time on today.

    What about Windows?

    By listening to a lot of sessions around Windows 365 and looking at how Microsoft is positioning this as the future of Windows, I think we will see a shift in a few years. Not in the next one or two years, but looking at Windows 365 Boot, the new Windows 365 experience being released for Motorola Think Phone, and the general focus on sustainability I think we will see both a technical and culture shift in what a computer is in the next couple of years. Don’t get me wrong, we will still have some kind of device but it will probably be different to what we are used to today.

    Just imagine that you suddenly could access your computer from any device you have, only needing one device to both get a mobile och desktop experience depending on your context. If you are like me, someone who work a lot from places where you don’t have a external monitors, well maybe your device will not be a smartphone only. Or maybe you even have two devices but your “laptop” is something with focus on giving you optimal battery life and great longevity.

    One thing that sticks in my head right now though is “we are moving Windows to he cloud” and not just management with Windows 365. Windows as an operating system will still be the foundation of a lot of business work and applications, but how we consume it is where the difference will lie.

    My predictions

    So my big two predictions about where this whole area is heading, even if we are a few years out:

    • Intune management will drastically change once Copilot for Intune is more widely used, making device management in general a whole lot easier
    • Windows will be consumed for “a device” and that device might not have Windows installed on it. We will come back to the world of thin clients, but more optimized for the connected world.

    Of course, several years of experience will still be relevant, but doing the clicking and selecting what exact setting to accomplish the wanted state, that will not be a hard part.

  • Windows 11 – make the move!

    Windows 11 – make the move!

    As I hope ALL of you know, Windows 10 is reaching End of Service (EOS) on the 14th of October 2025. If you haven’t marked your calendars already, do so now! This date is even more important if you haven’t made the move over to Windows 11 yet. This does not affect the Windows 10 LTSC currently in support.

    The path to reaching Windows 11 can vary, and it’s hard to say that “this is how you should do it”. Some decide to combine this with their cloud journey, some simply just upgrades, and some haven’t really thought about it yet. This blogpost is aimed to inspire those of you who haven’t made the move yet for different reasons. And those of you who help others and need inspiration. So, less focus on tech and more focus on the reasoning to make the move.

    Why should you move to Windows 11?

    To be honest, the reason to move to Windows 11 is simple. Windows 10 will no longer receive updates unless you decide to pay for the Extended Security Updates (ESU). This will be a fairly expensive way to tackle staying up to date. Microsoft announced back in April that the first year will cost $61 per device the first year. Given that the Windows 11 upgrade is free, there are few reasons to not move. We also see over 99% application compability between Windows 10 and Windows 11. Looking at customers I’ve helped and talked about this with, the issue is rarely the applications anymore.

    If we disregard from that Windows 11 brings a whole lot of new security related features to the OS. But it also brings more simplicity to the end user. One thing I hear often is that “the start menu is in the middle, our users will never learn this”. It takes about a day to get used to it, so the problem is not really there. This has so far not been an issue with the customers I’ve helped. Howeber, IT has often thought this would be the number one support issue.

    What does Windows 11 bring to the table?

    What Windows 11 brings is, however, innovation. Like it or not, Copilot will be part of our everyday life. In Windows 11, you have it at your fingertips with the native Copilot app. Depending on where you live, the experience will vary. There is a native app, or you will have to get the app from the store. Since AI and Copilot are mentioned in almost every context and situation, giving your end users access to a powerful AI in Windows is a huge improvement.

    What is important with Windows 11 upgrades is communication to end-users so they know whats going on. Un-announced upgrades are rarley a good idea since it can potentially mess with people flows initially, or unexpected reboots. Teaching your users to make use of all the new and improved features of Windows 11. This is a great way to give the feeling that you from IT are proactive and offering them the latest and greatest.

    The downside of moving to Windows 11

    To be fair, downside is the wrong word. There is one potential problem with moving to Windows 11, which is that older hardware is not supported. We are talking about things released prior to 2017, creating a huge amount of e-waste. For many companies, this would not be a problem given that you have proper lifecycle management of your devices. But it creates a huge amount of devices which will not be feasable to use any more.

    However, there are some ways you can still make use of them. Being a Microsoft advocate, my favourite is running Windows 365 on them. If you run a Cloud PC from a Windows 10 machine, the ESU will be free of charge and you can keep using that machine going forward, but that means using it to access a Cloud PC which is running Windows 11. You can ofcourse also convert them to thin clients using something like IGEL and have their OS accessing the Cloud PC.

    But going back to the topic of e-waste. This will be a huge challange, not only from a corporate and logistic perspecitve. But from en environmental perspective. There will be A LOT of devices which needs to be recylced, and we must really hope that they will be recycled and not just thrown away or shreded.

    Get to Windows 11 fast

    So what is the fastest path to Windows 11? A lot of times when we talk about moving to Windows 11, we talk about going cloud native.

    I’m all for going cloud native and I would recomend it to everyone. But going cloud native if you are on-premises or hybrid today is timeconsuming, and not really needed.

    If you listen carefully how Microsoft talked about the journey, it’s rarely stated that you should re-install every device as cloud native. What they are talking about is moving to Intune, and that is a different thing since you can be Intune only but still being hybrid.

    So for most organisations, going hybrid for all exisiting devices is the fastest path to Intune only. But remeber that ALL new devices should be cloud native (since you wont really gain anything from new hybrid devices).

    But looping back to Windows 11 and getting there fast.

    Windows 10 have had a steady release cadence, even if it has shifted a bit over the years. You have moved from Windows 10 20h2, to Windows 10 21h2, to Windows 10 22h2 using either Windows Update or Configuration Manager. When looking to move to Windows 11, you can view this as “yet another update” and deploy it as such.

    You hopefully already have a working process for this in place, and if you are doing custom images this would apply to you imaging lifecycling as well.

    Since we have about a year left, this would be the fastest way to get there and move to Intune after that.

    Take aways

    The main take away from this is that dont make the Windows 11 journey harder than it has to be. Windows 11 is not that scary and it’s a great operating system regardless of what different internet forums says. From a business perspective, this shouldn’t be a discussion. Just a go do!

    We never discuss or get stuck on iOS versions in the same way, not wanting to move to the next version.

    A couple of years ago, in the begining of this blog, I wrote about consumerization of corporate IT and it’s still relevant. We as individuals are driving change. We are no longer in a world where IT can say “no, we wont give you the lastest version of this and that” since things will stop working. If you run an unsupported version of Windows you are not only facing potential security threats. You will also see that a lot of your business applications will stop working, since these has adapted to the Windows as a Service concept introduced with Windows 10.

    What is the biggest take away from this blog? If you haven’t set the plan to migrate to Windows 11, start now! You have less than a year left.

  • Improving Decision Making with Intune Advanced Analytics Data

    Improving Decision Making with Intune Advanced Analytics Data

    One thing that many IT administrators tackles every day is the discussion about “my computer feels slow” or “I need a faster computer”. Sometime the feeling of having a slow computer is legit, and sometimes it’s something else.

    There are numerous DEX (Digital Employee Experience) tools out there on the market. This can provide you with a great overview of your whole ecosystem, ranging from Teams call quality to desktop experience. However, even if those tools are great, they come with a new set of data to analyze in a new tool. And in bigger organizations, the complicated puzzle of “who owns this and who makes remediations?” arises.

    Since I write a lot about Microsoft stuff, we will dive into the Intune Advanced Analytics part of the Intune Suite.

    Intune Advanced Analytics is a native part of Intune, which gives you more extensive reporting on your Windows devices. I know Windows isn’t 100% of the fleet in modern organizations but we need to start somewhere.

    Setting up Intune Advanced Analytics

    To start using Intune Advanced Analytics, you will need these three things.

    • Intune environment
    • Intune Suite licenses or Intune Advanced Analytics stand-alone license (remember, this is user based)
    • Configuring Endpoint analytics in Intune

    I won’t go through how to obtain license, since this will vary from case to case depending on your setup.

    Configuring Endpoint Analytics

    The first thing you need to do is to configure Endpoint Analytics to receive data from your devices. Since I’m all in the cloud, we will look at how you do this for Intune managed devices. To do this, you need to have the Intune Service Administrator role, also known as Intune Administrator.

    Head over to the Endpoint Analytics blade in Intune (you can find it under Reports or at https://aka.ms/endpointanalytics). When in there, select the Settings blade.

    You can see that my tenant already uses the Intune data collection policy. This default policy exists in all tenants, but you need to make sure it’s assigned to your devices.

    Manually create the policy

    If you can’t find the policy in your environment, it’s no big deal. You just need create a new policy based on the template for Windows Health monitoring.

    If you are configuring this for the first time, make sure to switch Health monitoring to Enable and set the Scope to Endpoint analytics.

    Deploy this policy to your devices using either the built in “All devices” group or use a device group.

    When you set this up for the first time, it can take up to 24 hours for the data to populate. If you are looking to use Advanced Analytics, expect up to 48 hours.

    Allow access to URLs

    The last step to do is to make sure that your devices are allowed to reach the URL needed for Endpoint Analytics. This is important if you have a restrictive firewall or if you use a webfilter/proxy to run all your traffic through.

    For Intune, the needed URL is:

    https://*.events.data.microsoft.com

    If you want to read more about how to set this up for Configuration Manager managed devices, check out the Microsoft Learn page.

    Getting access to the data

    Now when 24 hours have passed, we should start seeing data being populated. If you have additional people who should not be admins who need to review the data. There are a few different built-in roles you can use, or create a custom role.

    These are the different options you have:

    Role nameMicrosoft Entra roleIntune roleEndpoint analytics permissions
    Global AdministratorYesRead/write
    Intune Service AdministratorYesRead/write
    School AdministratorYesRead/write
    Endpoint Security ManagerYesRead only
    Help Desk OperatorYesRead only
    Read Only OperatorYesRead only
    Reports ReaderYesRead only

    Once we have our roles in order, we can start looking at the data!

    Looking at the data

    The Endpoint Analytics feature consist of 6 different blades

    • Startup Performance
    • Application reliability
    • Work from anywhere
    • Resource performance
    • Remoting connection

    These features are available with the regular Intune license. With the Intune Advance Analytics license you will get a few more. And it’s automatically integrated into the Intune administrator experience.

    • Custom device scopes
    • Anomalies
    • Enhanced device timeline
    • Device query
    • Battery health

    If you want to read more about what’s included, I would suggest checking out this Microsoft Learn article.

    Reviewing my devices

    But as I stated in the beginning of the post, let’s talk about reviewing resource performance. With the regular Intune license, you will gain access to resource performance for your Cloud PCs. With this, I get insights which Cloud PCs are meeting my targets and what Cloud PCs I should investigate upgrading to a different SKU. This data can be broken down to a device or model. This gives me great data about my environment on CPU and RAM spikes when they are being used.

    All devices get a score based on their performance, and you can configure what your baseline is in the Endpoint Analytics settings.

    You can break the numbers down based on model or individual device performance to get a better understanding.

    With the 2408 Intune Service update, this was also made available for physical devices if you have the Intune Advance Analytics license enabled. This will provide me with insights on how my physical devices are performing when it comes to RAM and CPU. I can also learn if they have continuous spikes indicating that they need an upgrade.

    If we stand in the “Device performance” tab, we can see all Cloud PCs and physical PCs gathered in the same place. You can also compare Cloud PC and physical PC performance.

    Looking at specific devices

    If we click on the name of a device, you will be redirected to the blade “User experience” on the device itself. You can also find it if you search for a device in the device list and click in to view that device.

    From here, you can see a lot of data about the device around its performance.

    As you can see, my Surface Laptop Go 3 has had a few minor spikes in RAM the last 14 days but nothing major.

    And if we look at the overall score, it’s pretty okay.

    Device timeline

    There is one more really nice feature with the Intune Advanced Analytics we can see, and that is a Device Timeline (last tab on the top).

    In here, we can see historical data on events that has happened on the device which impact the user experience. As you can see on this device, I’m having a few issues with applications.

    And if we jump back and look at another device, a Cloud PC, we can see the same kind of data.

    One interesting thing I found while writing this blog post is that I compared my Surface Laptop Go 3 i5 with 16gb RAM with my 4vCPU/16GB Cloud PC. What I can see was that my Cloud PC scores higher. I would say that I use them in a similar way, the same amount of time. I do know that the Cloud PC has a little bit of a more powerfull CPU (being a cloud PC),

    The Cloud PC scores 98 in resource performance.

    While my Surface Laptop Go 3 scores 77.

    So performance wise, Cloud PCs are doing a lot better. However, the Surface Laptop Go 3 is not a fair comparance being a more “low tier” PC. However, they are still both performing really good for what I use them for. So this is important to take into considerations when looking at the data.

    Take away

    Knowing how the performance of the devices in your environment chelan p you figure out when devices needs to be replaces or upgraded. As you already know, backing your decisions using data is key! Intune can provide you with a lot of data on your device without the need to buy a third party tool and deploying/maintaining a client on the device.

    However, if we start looking at “real” DEX products, Intune Advanced Analytics does not provide the same level of data. You will also need to combine several parts of Intune to be able to perform e.g. remediations on the things you find. You still need to manually take actions or create remediation scripts on your findings.

    But if you are just getting started and need “something”, this will provide you with a great overview of your environment! This will help you make better decisions and help your end-users even better!

    I hope you liked this post and that it gave you some insights to what you can do with Intune Advanced Analytics!

  • Summer recap – what did we miss?

    Summer recap – what did we miss?

    Like all Swedes, summer means vacation mode for 4-5 weeks and that means not keeping up with what’s happening in the world.

    So here is a recap of what’s been happening during the summer months.

    MVP renewal

    In the begning of July, the MVP renewals where announced and I’m happy to announce that I’ve been renewed as a Windows and Devices MVP for the 3rd time.

    Big congratulation to all my fellow MVPs that got renewed for 2024!

    Windows 365 updates

    July was full of Windows 365 updates, there has been updates for Windows 365 each week since July 1st which is really awesome. A lot of great updates.

    Here are some highlights, but if you want to see the full list check it out here.

    Cross region disaster recovery

    Windows 365 cross region disaster recovery is an optional service for Windows 365 Enterprise which protects the Cloud PCs and data against regional outages. This is a seperatly licensed service which can be purchased as an add-on to your existing service.

    Cross region disaster recovery in Windows 365 | Microsoft Learn

    Windows 365 Cloud PC gallery images use new Teams VDI

    The new Teams for VDIs has been added to the Windows 365 image gallery, containing all the optimizations for Windows 365. All your newly previsioned Cloud PCs will containg the new optimizations.

    Microsoft Teams on Cloud PCs | Microsoft Learn

    Cloud PC support for FIDO devices and passkeys on macOS and iOS (preview)

    Windows 365 Cloud PCs now support FIDO devices and passkeys for Microsoft Entra ID sign in on macOS and iOS.

    Updated default settings for Windows 365 security baselines

    Microsoft has released an updated version of the security baseline for Windows 365. You can find a full list of the updated settings here: List of the settings in the Windows 365 Cloud PC security baseline in Intune.

    New GPU offerings for Cloud PCs are now generally available

    Microsoft has finally released the new GPU offering! The GPU offerings are suitable for graphical intense workloads requiring a more optimized performance. The offering consists of three different SKUs called Standard, Super and Max with different configurations for different kinds of workloads.

    GPU Cloud PCs in Windows 365 | Microsoft Learn

    Uni-directional clipboard support is now generally available

    The clipboard settings for Windows 365 and AVD has been in preview for a while, but have now been

    moved into general availability with some pretty nice added functionallity. You can configure a lot of new different content type, and you can select to allow which direction clipboard should be allowed. This applies to both Windows 365 and Azure Virtual Desktop.

    Configure the clipboard transfer direction in Azure Virtual Desktop | Microsoft Learn

    Intune updates

    The list for Windows 365 was long (in the aspect of Windows 365 updates), but there has been even more Intune updates.

    If you want to read the full list of updates during the summer months, check out the full list here.

    Update for Apple user and device enrollments with Company Portal

    Microsoft has updated the registration process for Apples devices using the Intune Company Portal. The main change is that now the Entra ID registration happens after the enrollment, instead of during the enrollment. This applies for both iOS/iPadOs devices and macOS devices.

    The change means that if you are using dynamic device Entra ID groups which rely on the device registration, you need to make sure that the users complete the whole process.

    iOS/iPadOS device enrollment guide for Microsoft Intune | Microsoft Learn

    New configuration capabilities for Managed Home Screen

    If you are using managed home screen for Android, you can now enable the virtual app-switcher button to allow users to switch between apps on a kiosk device.

    Configure the Microsoft Managed Home Screen app for Android Enterprise

    Copilot in Intune now has the device query feature using Kusto Query Language (KQL) (public preview)

    If you are using Copilot in Intune, you can now generate a KQL query using Copilot while asking in natural language. Great way to learn KQL or get inspiration for your querys!

    Microsoft Copilot in Intune

    New setting in the Device Control profile for Attack surface reduction policy

    Microsoft has added the “Allow Storage Card” setting to the Attack surface reduction policy, which can also be found in the settings catalog.

    AllowStorageCard 

    New operatingSystemVersion filter property with new comparison operators (preview)

    There is a new filter property for operatingSystemVersion, which is available in a public preview.

    This filter allows you to use operators like GreaterThan, GreaterThanOrEquals, LessThan and LessThanOrEquals to your oprating system version and is available for Android, iOS/iPadOS, macOS and Windows!

    Consolidation of Intune profiles for identity protection and account protection

    Microsoft has done some cleaning up around identity and account protection policies and added them all into a single profile called Account protection which can be found in the account protection policy node of endpoint security. This is the only template which will be available going forward for identity and account protection. The new profile also includes Windows Hello for Business and Windows Credential Guard.

    Account protection policy for endpoint security in Intune

    New Intune report and device action for Windows enrollment attestation (public preview)

    There is a new report in public preview for finding out if a device has attested and enrolled securly while being hardware-backed.

    Windows enrollment attestation

    New support for Red Hat Enterprise Linux

    Microsoft Intune now supports device management for Red Hat Enterprise Linux. You can enroll and manage Red Hat Enterprise Linux devices, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

    Deployment guide: Manage Linux devices in Microsoft Intune 

    Newly available Enterprise App Catalog apps for Intune

    The Enterprise App Catalog has updated to include additional apps. For a complete list of supported apps.

    Apps available in the Enterprise App Catalog.

    New actions for Microsoft Cloud PKI

    The Microsoft Cloud PKI has been updated with some new features.

    • Delete: Delete a CA.
    • Pause: Temporarily suspend use of a CA.
    • Revoke: Revoke a CA certificate.

    Delete Microsoft Cloud PKI certification authority

    ACME protocol support for iOS/iPadOS and macOS enrollment

    Microsoft has started a phased rollout of the infrastructure change to support the Automated Certificate Management Environment (ACME) protocol. When a new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. 

    Windows updates

    The realse of Windows 11 24h2 is getting closer and closer, and it could be guessed to be released in a September/October time frame looking at past releases.

    One thing that is also important to highlight is that we are getting closer and closer to the Windows 10 EOS, which means that we really need to focus on getting those devices migrated or removed.

  • Are the settings what you think they are?

    Are the settings what you think they are?

    Something I know a lot of Microsoft Intune admins have been frustrated about for a while, especially if you come from the GPO world, is making sure that the settings you applied are what you think they are on the device. I mean, things happen. Users can be local admins and change stuff, a support person could have changed something locally, or stuff just won’t work.

    As we all know, an up and running Intune Windows device will check in with Intune every 8 hours to see if the settings are still correct. 8 hours is quite a long time if you have a faulty configuration, and not all users know that they can manually synchronize their device with Intune (or an admin can do so).

    This is where the newly introduced Config Refresh enters the stage!

    What is Config Refresh?

    Config Refresh is a new setting in Windows 11 (23h2 or 22h2 with the 2024 June update) which lets you define the interval that the Windows device should refresh the configuration based on what is defined in Intune. In the GPO world, this happens automatically every 90 minutes, and in the Intune world this is 8 hours! But with Config Refresh we can squeeze this down as short as 30 minutes or push it all the way up to 24 hours (why someone would do that, I don’t know but I bet there are those scenarios).

    But this isn’t just changing the default 8 hour intervall, this actually brings some new stuff to the table:

    • A reset operation to reset any settings you manage which use the Policy CSP
    • Configuration options to allow reset of managed settings to take place as frequently as every 30 minutes
    • Offline functionality, not requiring connectivity to an MDM server
    • Ability to pause Config Refresh for troubleshooting purposes with automatic resume after 24 hours

    This means that we get a bunch of new features in the MDM world which we have not had before!

    How do I configure it?

    But how do I configure this in my environment? The Config Refresh policy is set in the settings catalog, so let’s jump straight into Devices – Windows – Configuration and add a new Settings Catalog policy.

    As usual, give your policy a name which makes sense to you in your environment and click next. I’m going for “Win – Config Refresh” in this example.

    Now let’s search for “Config Refresh” and add both the settings to our policy.

    Let’s go for a 30-minute interval in this example but set what makes sense to your environment (default value is 90 minutes). Also, make sure to enable the “Config Refresh” setting before clicking on next.

    If you are using scope tags, you can add that in the next step otherwise move on to assignment. Since this is a device scope setting, let’s target the device for this one so we can make sure that all our devices get this setting regardless of who signs in. If you want to filter our specific devices, add that as well here.

    On the last step, review your settings before clicking on “Create“.

    This will configure your devices to refresh their policies every 30 minutes!

    Bonus:

    If you for some reason want to prevent a device from doing a Config Refresh, you can find the device and press those three dots on the right side of the ribbon. You will then find “Pause config refresh”.

    You can then pause the refresh for up to 24 hours.

    Key take away

    Using the Config Refresh we can make sure that our device has the correct configuration with greater certainty, and we can adjust the intervall to fit our needs.

    This give us as admins a larger sence of control when managing devices and wanting to make sure that our devices has the correct settings. If you are coming from the GPO world you will be very familiar with this since GPOs refreshes every 90 minutes (default), and now you can make Intune work the same way! Yet one less thing that you will be missing from the old world!

    Hope you find this as usefull as I do, and happy clicking!

  • 5 things you didn’t know you could do in Microsoft Intune

    5 things you didn’t know you could do in Microsoft Intune

    I thought I would share a few things you might not know that you are able to do in Intune, small things that might not be related to device management itself but you might not be aware off!

    As all of you know, Microsoft Intune is constantly changing, there are news and updates each week. This means that some of these things might change in the future, who knows!

    But let’s kick it off. Here are 5 things you didnt know you could do in Intune.

    Change language and region

    You have probably seen the settings icon in the top of the Intune portal, this is where you can access the portal settings.

    When you click the settings icon, you will be taken to the Portal settings pane of Microsoft Intune.

    As you can see, there are a lot of different things you can modify and control. E.g. if you have multiple directories or subscriptions you can change which your default is. This is also where you enable darkmode (if you are like me and prefer darkmode). But I though we would focus on the language settings.

    If we navigate to the “Language + region” pane, we can select which language we want the portal to be in. This settings is not a global setting, this only affect my session. Like many others, I prefer to use the English version of MS Intune (the translations in Swedish are a bit wild some times), but I still want my regional format to be Swedish. I can easily select my preferences here and just hit apply and it will refresh the session with a new language for me.

    If you are familiar with Azure or Entra, this works the same way!

    Modify the left side menu

    We probably all know and love the left side navigation menu, this is where we can select if we want to access devices or apps for example.

    But did you know you can customize this menu?

    If you navigate to “All services“, you will see a table of all the available services within Microsoft Intune, and if you look closely you will notice that there is a small star next to each service.

    By default today, all is marked except for “Surface Management Portal” and if you want easy access to that you can simply just star that one too and it will show up in the navigation menu.

    But let’s say I’m only interested in seeing devices, apps and groups, I can simply just mark them with a star and they will be the only one displayed in the navigation menu alongside with reports which we cannot remove.

    One other neat feature is that you can rearrange the order of the navigation menu by simply dragging the headings around if you want to sort the differently.

    Easily change between accounts

    If you are using multiple accounts in Microsoft Intune, there is a simple way to just change which account you are using. If you have ever worked in the Azure portal, this is the same functionality.

    Simply click your profile picture in the top right corner and sign in with a diffetent user. When you have signed in with an additional user, you can easily just switch by selecting that account.

    Access the PIM portal

    For most administrational roles, you use Microsoft Entra Priviledge Identity Management, or simply PIM, to grant the priviledged role that you will use in order for your account not to have that role all the time.

    This can be setup in many different ways, and you can even PIM Intune roles if you use group feature.

    However, you don’t need to go through the Entra portal to access your PIM roles. Simply navigate to Tenant Administration > Microsoft Entra Privileged Identity Management and you will reach the same portal.

    From here, you can simply activate your roles, or approve other requests.

    Shortcut to the Entra portal

    Last but not least, when we are on the topic of Microsoft Entra. Did you know that there is a shortcut to the Entra portal in Intune?

    Just navigate to All services in the navigation menu, and under “Other consoles” you will find Microsoft Entra.

    When you click that link, a new tab will open with the Entra portal!

  • Intune Scope tags – What is it and what can we use it for?

    Intune Scope tags – What is it and what can we use it for?

    Okay, something that has been around in Microsoft Intune for quite some time is Scope tags. You know that step before assignment when creating a policy or profile?

    In this post, I was thinking we would talk through what it is and what you can use it for since it’s a quite power full tool and very useful if you are working in larger environments and want to delegate rights since you can combine it with the Intune roles to really have a granular setup when it comes to who can do what. If you want to read more about the Intune RBAC setup, have a look at this post I wrote a few years ago called RBAC in Intune- Who does what at the zoo.

    What is even scope tags?

    Scope tags is not something you use by itself, it is connected to the Intune RBAC setup, since you can control what you different administrators can see and do.

    If I have a scope tag called Sweden which I use on my policies, I can create an Intune role granting only permission to see and administrate things related to that scope.

    This means that I can grant access to only certain parts of Intune for my administrators, delegating the responsibility to the Swedish organisation to manage Sweden while Norway and Iceland only can manage their things.

    How ever, this only applies to Intune roles, so if you use an EntraID role granting more access, like the Intune Administrator role, scopetags are not part of the solution.

    In general, it’s a good idea NOT to use the Intune administrator for all your administrators since this is a very powerfull administrator role also outside Intune. It is the Global Admin of Intune almost (but not as power full).

    Setting up Scope tags

    To use scope tags, you need to define them which you do by navigating to Tenant Admin – Roles and select Scope tags. You will see that you have one default scope tag, but you can add more in here.

    To create a Scope tag, you simply press “+ Create” and we will give our scope tag name, which will be the one used in the portal. We can also add a comment explaining what this scope tag is used for which can be a good idea. When done, click Next.

    In the assignment step, we will add a group which contains all out Swedish devices. There are a lot of different ways you could set this group up given that you want to not only catch the Windows devices, you would also probably like to see their mobile devices. In this example, I have a dynamic group looking for all Windows devices tagged with the Autopilot group tag “SE” using this dynamic membership rule.

    (device.devicePhysicalIds -any _ -eq "[OrderID]:SE")

    When I’ve added my group I will click Next to get to the last step in the scopetag creation.

    On the last step you can review your settings before creating it. If everything looks like you want it to, click Create and your scope tag will be created.

    Repeat this step for all the scope tags you need, as you can see in my lab I currently have 3 scope tags and the default one.

    Using scope tags for roles in Intune

    Now that we have create our scope tags, we can add them to a role in Intune as a first step.

    Head into Tenant Admin – Roles and select “All roles“. Then find the role that you want to configure, we will use the “Help Desk Operator” as an example.

    Click on the name of the role to configure it and you want to head into “Assignments” which is where we define who has this role.

    In here, we will click on “+ Assign” to add a new assignment. Since we are setting this up for the Swedish help desk, we will call this “Sweden“. Click Next.

    On the next step we will add the group of Swedish help desk operators by clicking on “Add group” and selecting our Help desk Sweden user group. Click Next.

    Next step is to add the scope groups, which devices and user we want to be able to manage. This means that we can limit this even further. For now, we will select all users and all devices and click Next.

    In the next and last configuration step we will select what scope tag this Help Desk Operator is allowed operate with, meaning what devices and other object can it interact with. In this step we will select our Sweden scope tag and click Next.

    As usual, before creating the role assignment you can review you options. Then click Create.

    How does it look for my Help Desk Operator in Sweden?

    So, what does things now look like for my Swedish help desk operator which we can call Moltas? Well, Moltas can only see things which has the scope tag Sweden. He can see all user and all groups, but he can only see two devices in the environment, since these are part of the scope tag Sweden.

    If we compare this to a user with the Intune administrator role, you can see that the view is limited in the amount of devices.

    If we take a look at one of the devices Moltas can see, we can actually see that it automatciallu got the scope tag Sweden since it’s a part of the “All Sweden device” group mentioned further up in the post.

    We can also add scope tags to profiles that we create, making it possible to grant permission to e.g. one business area to manage their on profiles, applications and so on.

    Since I’ve added the scope tag to this profile, Moltas will be able to see this one but not the rest of my profiles, but given his role he will not be able to do any modifications to this profile (Help Desk Oprator does not allow that).

    Worth mentioning is also that if this administrator would have the rights to create objects, all their objects would have the scope tag Sweden.

    Key take aways

    Using scope tags and combinding it with the Intune roles makes it really easy and power full to delegate access to local administrator or different business units to operate their own settings in a bigger tenant. You can e.g. make sure that the local IT support in Sweden cannot see or touch the Norweigan devices.

    I really like this feature, and it’s really convinient in larger environments. You can off course limit the access even further by not granting access to all users and all devices, limiting it even further.