This is a collection of aka.ms links that takes you straight to great Windows admin resources, which includes Windows, Cloud PC, Azure Virtual Desktop, Surface, and of course Intune. Enjoy! Use these links to quickly browse to more or less everyday admin tasks to save time.
This link guides you to enable Entra Kerberos for single-sign on to on-premises resources with modern authentication (passkeys and Windows Hello for Business).
Microsoft Defender for Endpoints Configuration Analyzer tool
Direct link to download the tool that let you check the configuration of Microsoft Defender for Endpoints agent on your Windows devices. More about the tool at Microsoft Learn.
This link takes you straight to the Windows Update for Business reports, which are actually not hosted inside Intune but in Azure > Monitor > Workbooks > Windows Update for Business report.
It is now almost 5 years since I got my current device, the ARM based Surface Pro X SQ1 device. I’ve been using it as my primary work device since then, although much work has also been conducted on other devices for the customers I work with. Still, I’ve used my Surface Pro X almost every day for soon 5 years.
This report is meant to help shed some light on the ARM platform, and aid in hopefully clearing out some questions marks for users or organizations looking to purchase ARM based devices, for instance any of the new Surface Pro or Surface Laptops devices with Snapdragon X Plus or Snapdragon X Elite processors released in 2024.
History – Windows 10 and ARM
When I got my Surface Pro X device back in the days, Windows 11 was not available, so I started out with Windows 10 on ARM. Back then, there were to be honest quite a few things that did not work, which hindered me in performing my work.
The biggest problem was that x64 applications did not run at all! That included the 64-bit Microsoft 365 Apps for Enterprise as well as 64-bit compiled PowerShell modules which are used to manage Microsoft 365 and Azure resources. Thankfully, these obstacles are since Windows 11 was released a memory of the past!
Windows 11 bring ARM devices to a useable level
As soon as I upgraded to Windows 11 on my Surface Pro X it was a new world opening – and the obstacles I previously had was long gone. With Windows 11, there is x64 emulation meaning basically any application will run without problems, including the PowerShell modules I previously had problems running and also running Microsoft 365 Apps for Enterprise on 64-bit.
Since the release of Windows 11, more and more features have been enabled over time, bringing Windows 11 on ARM to an almost feature-complete Windows if you compare it to the Windows 11 64-bit edition that is used on some 99%+ devices globally.
Limitations of Windows 11 on ARM
So, while there are no blockers for me to do my daily work, there are some limitations that you might want to be aware of.
Windows feature / component
Limitation / problem
Comments from the field
Drivers and hardware
Drivers for both hardware as well as software needs to have a driver compiled for the ARM64 platform. This might include printers, VPN software, antimalware applications and such.
The only application I personally have encountered problems with is the Camtasia screen recorder application. There are also quite a few vendors of third party antimalware solutions that do not (currently) support the ARM platform. Note: If you are invested on the Microsoft Defender platform, you are all good! For some more information on compatibility with antimalware and VPN solutions, scroll down to “A growing Arm ecosystem…” in this blog post Available today: Windows Dev Kit 2023 aka Project Volterra – Windows Developer Blog For hardware, the printers I have used have had ARM64 drivers (although they are not listed on the mopria.org site).
Hyper-V VMs
You can create and run Hyper-V virtual machines on Windows on ARM. However, you cannot run the x64 versions of Windows as guest OS in the VMs and are limited to Windows on ARM.
This is a rather small limitation for me, and typical end-users will not even know what Hyper-V is. Virtualization based security features in Windows is fully supported.
Except the limitations I mention above, I have not seen any of the other problem that Microsoft describe in the article over the almost five years that I have used my ARM device.
ARM platform is expanding
Over the last years we have seen more and more ARM compiled versions appearing, for instance of Microsoft Teams, Company Portal app and Adobe Photoshop.
Also, the number of devices based on ARM have increased over the years and most major computer manufacturers have ARM devices to choose from. With the introduction of Copilot+ devices in 2024 the ARM platform is expanding even more.
One of the biggest changes with Windows 11 was the introduction of x64 emulation for applications. This has been improved even further in Windows 11 24H2 with significant improvements to performance with the new Prism emulator.
Management, ISO files, installation and recovery of the devices
One the biggest limitations is the lack of official installation media (ISOs) for Windows on ARM. That means, every time I need to wipe my Surface Pro X I will have to download the 10GB recovery file, put it on a USB stick and recover.
After that I will be on Windows 10 1803 which means to get to Windows 11 24H2 I will have to run a number of Windows Update passes, with hours and hours to go until I am on the latest Windows release. This is the area where Microsoft can do a lot better! There are ISOs for Insider builds however.
When it comes to management of ARM based devices, there are some things to take into consideration, for instance regarding application deployment. Apart from that management of ARM devices are more or less the same as any Windows device, at least if you are managing them using Intune. If you are using Configuration Manager, have a look at this article. My strongest recommendation is though, to use Intune to manage your ARM devices!
One of the biggest advantages which I have not mentioned yet is that the device is completely silent, and it has not given away one slightest sound over these three years. Fan-less, yet still enough powerful to do information work and being very mobile with the built in support for 4G/LTE (and newer devices which support 5G).
Although the “no noise” thing is true for my Surface Pro X (SQ1) I recommend you look this up for the particular model you potentially will be purchasing as some ARM based devices do have a fan.
ARM based devices generally use little energy and thereby produce little heat and with that often do not need any fans that generate noise.
Summary and recommendation
The ARM platform is definitely mature enough to put in hands of end-users and have many advantages over traditional processor platforms. All the security features of Windows are there (and also Defender for Endpoints) and basically all applications work, especially if you are using the Microsoft 365 suite.
Will I choose an ARM based device again when the Surface Pro X support come to an end and the new Copilot+ devices are available with 5G? The answer to that question is “yes, absolutely!”. Do I recommend end-users or organizations to try or evaluate ARM based devices? Yes, you should start today! As always, you need to test and make sure everything the end-users needs is working, before you do any broader deployments of ARM based devices.
To summarize, an ARM based device is user friendly with typically no noise and long battery times due to low energy consumption, and can also be kept as secure as any other device.
It is now exactly 3 years since I got my current device, the ARM based Surface Pro X SQ1 device. I’ve been using it as my primary work device since then, although much work has also been conducted on other devices for the customers I work with. Still, I’ve used my Surface Pro X almost every day.
This report is meant to help shed some light on the ARM platform, and aid in hopefully clearing out some questions marks for users or organizations looking to purchase for instance the Surface Pro 9 which comes both with an Intel processor as well as a Microsoft SQ3 (ARM) processor.
Windows 10 and ARM
When I got my Surface Pro X device Windows 11 was not available, so I started out with Windows 10 on ARM. Back then, there were to be honest quite a few things that did not work, which hindered me in performing my work.
The biggest problem was that x64 applications did not run at all! That included the 64-bit Microsoft 365 Apps for Enterprise as well as 64-bi compiled PowerShell modules which is used to manage Microsoft 365 and Azure resources. Thankfully, these obstacles are now a memory of the past!
Windows 11 bring ARM devices to a useable level
As soon as I upgraded to Windows 11 on my Surface Pro X it was a new world opening – and the obstacles I previously had was long gone. With Windows 11, there is x64 emulation meaning basically any application will run without problems, including the PowerShell modules I previously had problems running and also running Microsoft 365 Apps for Enterprise on 64-bit.
Since the release of Windows 11, more and more features have been enabled over time, bringing Windows 11 on ARM to an almost feature-complete Windows if you compare it to Windows 11 the 64-bit edition that is used on some 99%+ devices globally.
Limitations of Windows 11 on ARM
So, while there are no blockers for me to do my daily work, there are some limitations that you might want to be aware of.
Windows feature / component
Limitation / problem
Comments from the field
Drivers (hardware and software)
Drivers for both hardware as well as software needs to have a driver compiled for the ARM64 platform. This might include printers, VPN software, antimalware applications and such.
The only application I have encountered problems with is Camtasia screen recorder application. However, there used to be some manual work needed to get Adobe Photoshop installed, manually uninstalling Visual C++ runtimes, and then installing the ARM based Visual C++ runtimes. For hardware, the printers I have used have had ARM64 drivers. Update March 14, 2023: For some more information on compatibility with antimalware and VPN solutions, scroll down to “A growing Arm ecosystem…” in this blog post Available today: Windows Dev Kit 2023 aka Project Volterra – Windows Developer Blog
Microsoft Defender Application Guard
This virtualization based feature of Windows is not available on Windows on ARM.
This is too bad as I really like having the Application Guard feature protecting Office documents that come from the internet zone. UpdateMarch 14, 2023: Since the blog post was written, David Weston announced on Twitter that Application Guard for ARM is here (unclear though what build you need to be on).
Hyper-V VMs
You can create and run Hyper-V virtual machines on Windows on ARM. However, you cannot run the x64 versions of Windows as guest OS in the VMs and are limited to Windows on ARM.
This is a limitation for me – but although the Surface Pro X can run not only Hyper-V but also Android apps via Android Subsystem, the performance of the devices is just not fitted for running all these performance-demanding virtualization stuff.
Except the limitations I mention above, I have not seen any of the other problem that Microsoft describe in the article over the three years that I have used my ARM device.
ARM platform is expanding
Over the last year or so we have seen ARM compiled versions of Microsoft Teams and then also Company Portal app appearing. There are probably more examples, but these are what comes to mind.
Also, the number of devices based on ARM have increased over the years and most major computer manufacturers have ARM devices to choose from.
Management, ISO files, installation and recovery of the devices
One the biggest limitations is the lack of installation media (ISOs) for Windows on ARM. That means, every time I need to wipe my Surface Pro X I will have to download the 10GB recovery file, put in on a USB stick and recover.
After that I will be on Windows 10 1803 which means to get to Windows 11 22H2 I will have to run a number of Windows Update passes, with hours and hours to go until I am on the latest Windows release. This is the area where Microsoft can do a lot better! There are ISOs for Insider builds however.
When it comes to management of ARM based devices, there are some things to take into consideration, for instance regarding application deployment. Apart from that management of ARM devices are more or less the same as any Windows device, at least if you are managing them using Intune. If you are using Configuration Manager, have a look at this article.
One of the biggest advantages which I have not mentioned yet is that the device is completely silent, and it has not given away one slightest sound over these three years. Fan-less, yet still enough powerful to do information work and being very mobile with the built in support for 4G/LTE.
Although the “no noise” thing is true for my Surface Pro X (SQ1) I recommend you look this up for the particular model you potentially will be purchasing.
ARM based devices generally use little energy and thereby produce little heat and with that often do not need any fans that generate noise.
Summary and recommendation
As I see it, the ARM platform is mature enough to put in hands of end-users. The security features of Windows are there (except for Application Guard which very few use) and basically all applications work, especially if you are using the Microsoft 365 suite.
Would/will I choose an ARM based device when the Surface Pro X support come to an end? The answer to that question is “yes, absolutely!”. Do I recommend end-users or organizations to try or evaluate ARM based devices? Yes, you should start today! As always, you need to test and make sure everything the end-users needs is working, before you do any broader deployments of ARM based devices.
I’ve got a myself s Surface Pro X, based on Windows 10 ARM-edition, and thought I’d share the solution to a problem that I suppose more will encounter. After configuring my Surface Pro X for Azure AD join and Intune I soon hit two major problems.
Problem description
OneDrive not starting at all, leaving a crash reference in Event Viewer with reference to PayloadRestrictions.dll.
The Office 365 ProPlus applications works until the device is restarted, then they refuse to start. To get them going again I had to do a repair and then they started working again. At least until the next restart.
Troubleshooting and
finding root cause
The Event Viewer
Application log show that OneDrive crashed with reference to
PayloadRestrictions.dll whenever trying to start it.
PayloadRestrictions.dll has been around for quite some time as a component of EMET (Enhanced Mitigation Experience Toolkit) which is nowadays integrated as the security feature Exploit Guard in Windows 10. With that as a first clue and some interaction with Robin Engström the troubleshooting process continued!
Knowing that Exploit
Guard is in play and mitigations seemed to be in play, looking at the Event
Viewer log Security-Mitigation > Operational log showed that OneDrive was
blocked due to ROP exploit indications:
Process 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDrive.exe' (PID 12020) was blocked from calling the API 'LdrLoadDll' due to return-oriented programming (ROP) exploit indications.
So then the hunt for
where the configuration was coming from started and as the device is of course
Intune enrolled that’s were I started looking!
It rather quickly turned out to be caused by a Microsoft Defender ATP security baseline in Intune that was applied to my user account.
To be more explicit the Exploit Guard settings clearly state that OneDrive.exe is protected for a number of exploits, including ROP!
Resolution
The solution to both
problems described in the Problems section is to adjust the Exploit Guard XML
file to exclude OneDrive.exe and also the other Office applications to make the
Office applications work as expected.
You must be logged in to post a comment.