I noticed an interesting thing the other day when finalizing the annual MVP renewal stats for submission to Microsoft. One blog post, which I posted in October last year, stood out among all other posts on my blog. After looking into the stats for this specific blog post it turns out the number of views on this specific blog post has exploded in the last couple of weeks!

The blog post which has seen a huge increase in number of views recently is about remote controlling Windows computers and fixing the problem with not being able to elevate as administrator in the remote session. Specifically Fixing UAC elevation when remote controlling via Quick Assist or TeamViewer etc. As a side note, the number of views on my other blog posts remain pretty much the same the last month as before.

My interpretation of the increase for this particular blog post is the following. Many people are in a lockdown mode and working from home due to the coronavirus outbreak. IT personnel then need to support them while working remotely, and they encounter the issue of elevating as admin due to UAC and seek help fixing this problem.

Could it be a coincidence that this blog post has seen a huge increase in number of views the last couple of weeks? I think not. Stay safe and take care!

MSIX has been around for more than a year now and Microsoft is working hard with promoting and developing it. I consider this application packaging format to be the packaging format of the future as it has many benefits compared to traditional MSI packages.

However, in organizations you typically deploy applications using a deployment tool such as Intune or ConfigMgr. This is where the challenge lies today and to be very clear, this is a deployment blocker for starting to package and deploy line of business applications in MSIX format.

Problem

1. You package a line of business application in MSIX format. I use a couple of versions of 7-Zip in my testing.
2. You deploy the MSIX package via Intune (as a Line of Business app) as a required package to your end users. The app installs fine which is expected.
3. Now package a new version of the line of business app.
4. Deploy the package as required to your end users. The app installs fine, but the problem is that it is executed with the flag “ForceAppShutdown” meaning that the application while running is killed without warnings to the end user – This is not acceptable in any organization.

In the Event Viewer it is clear that the running app was shut down:

Microsoft > Windows > AppXDeploymentServer > Operational log
Event ID 646
The running app 7-Zip_8b28rabfxvc2a!SevenZFM was shut down for servicing (Priority=0x1).

Note: The problem is the same regardless if the app is targeted as required or available deploy and installed in user or device context.

Additional information

Since Windows 10 version 2004 there is a new switch to the PowerShell cmdlet Add-AppXPackage that will defer an app upgrade until the app is is closed, after which the update is installed on next start of the app.

The switch is DeferRegistrationWhenPackagesAreInUse which also works as you can expect when running the command manually on a Windows 10 v2004 machine. Source

Solution?

Microsoft, please make sure that Windows 10 utilize the switch “DeferRegistrationWhenPackagesAreInUse” when deploying custom packaged app updates to MSIX packages via Intune (and likely also ConfigMgr). An option in Intune to control how updates are handled would also be nice and there are probably other solutions as well.

If you also would like a change, vote on UserVoice!

Unfortunately, as it stands right now, this problem is a deployment blocker for using MSIX in organizations.

I’ve got a myself s Surface Pro X, based on Windows 10 ARM-edition, and thought I’d share the solution to a problem that I suppose more will encounter. After configuring my Surface Pro X for Azure AD join and Intune I soon hit two major problems.

Problem description

1. OneDrive not starting at all, leaving a crash reference in Event Viewer with reference to PayloadRestrictions.dll.
2. The Office 365 ProPlus applications works until the device is restarted, then they refuse to start. To get them going again I had to do a repair and then they started working again. At least until the next restart.

Troubleshooting and finding root cause

The Event Viewer Application log show that OneDrive crashed with reference to PayloadRestrictions.dll whenever trying to start it.

Faulting application name: OneDrive.exe, version: 19.232.1124.5, time stamp: 0xc2fada7d
Faulting module name: PayloadRestrictions.dll, version: 10.0.18362.1, time stamp: 0x77901827
Exception code: 0xc0000409
Fault offset: 0x0006e6bd
Faulting process id: 0x2ef4
Faulting application start time: 0x01d5e8bd4968fce4
Faulting application path: C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Faulting module path: C:\WINDOWS\SYSTEM32\PayloadRestrictions.dll

PayloadRestrictions.dll has been around for quite some time as a component of EMET (Enhanced Mitigation Experience Toolkit) which is nowadays integrated as the security feature Exploit Guard in Windows 10. With that as a first clue and some interaction with Robin Engström the troubleshooting process continued!

Knowing that Exploit Guard is in play and mitigations seemed to be in play, looking at the Event Viewer log Security-Mitigation > Operational log showed that OneDrive was blocked due to ROP exploit indications:

Process 'C:\Users\<username>\AppData\Local\Microsoft\OneDrive\OneDrive.exe' (PID 12020) was blocked from calling the API 'LdrLoadDll' due to return-oriented programming (ROP) exploit indications.

So then the hunt for where the configuration was coming from started and as the device is of course Intune enrolled that’s were I started looking!

It rather quickly turned out to be caused by a Microsoft Defender ATP security baseline in Intune that was applied to my user account.

To be more explicit the Exploit Guard settings clearly state that OneDrive.exe is protected for a number of exploits, including ROP!

Resolution

The solution to both problems described in the Problems section is to adjust the Exploit Guard XML file to exclude OneDrive.exe and also the other Office applications to make the Office applications work as expected.

A problem since Windows Vista was launched is that when you remote control another user and try to elevate to Administrator, using for instance Quick Assist which is built into Windows 10 or TeamViewer, the screen on the admin side will freeze. This is due to UAC Secure Desktop feature kicking in.

The solution is to turn this secure desktop feature off, lowering security a little but at hardly no risk.

Configuration via Intune (MDM)

Create a Configuration Policy > Endpoint Protection and go to Local device security options > User account control. Set the setting Route elevation prompts to user’s interactive desktop to Enabled.

Configuration via Group Policy (GPO)

In the GPO editor, go to Security Settings > Local Policies > Security Options > User Account Control: Switch to the secure desktop when prompting for elevation to Disabled

Forget AppLocker and all its weaknesses and start using Microsoft Defender Application Control for superior application whitelisting in Windows 10 1903 and later.

This is a guide to get you started within an hour or two with what I call “AppLocker Deluxe” and that is Microsoft Defender Application Control, formerly known as Device Guard and up until recently Windows Defender Application Control (WDAC).

Most customers that did not use AppLocker before Wannacry and other types of ransomware attacks are now using AppLocker to prevent malicious software to run on their Windows devices. As many security specialists have shown, there are numerous ways to bypass AppLocker and still get code to execute. One of them being using regsvr32 to download and execute script directly from the internet for instance.

What is superior to AppLocker is Microsoft Defender Application Guard (MDAC). This takes application whitelisting to a new level and with Windows 10 version 1903 it becomes the first time since Windows 10 launched that it is actually usuable in many common day scenarios as the administration can now be on a level which is really to manage. The reason for this it being rather easy to manage now is primarily:

• Multiple policies. You can have multiple policies complementing each other so that you do not have to sign everything nor have to create an entirely new baseline each time you want to allow new things to run.
• Path rules. You can use path rules as of Windows 10 version 1903. As always, this is a balance between security and useability and administration so bear in mind and use this with caution. What is good is that MDAC comes with a use writable protection.

Pre-reqs for getting started

So to get started in something that looks like a real world scebario you need this:

• 2 physical machines, different hardware models, that run Windows 10 version 1903 or preferably 1909 or later as that gives you some better insights.
• A couple of hours of your time to get going!

High level steps

1. Create a baseline on each hardware model.
2. Merge the baselines into one general baseline.
3. Create a supplemental policy.
4. Deploy the two policies.
5. Start the testing.
6. Switch from Audit to Enforced mode!

1. Create a baseline on each hardware model

Let’s start with creating a baseline policy from two different machines, which will later be merged to one baseline policy. We will start with auditing, and eventually in the end of this guide switch to enforced mode.

$CIPolicyfileXML = "C:\temp\CIpolicy_model.xml"
New-CIPolicy -MultiplePolicy -filePath $CIPolicyfileXML -ScanPath C: -level FilePublisher -UserPEs -Fallback Hash

Now we set the necessary options for the code integrity policy, which is to use Microsofts Intelligent Security Graph for whitelisting (option 14), to allow supplemental policies to be used (option 17) and then we set Hardware Virtualized Code Integrity (HVCI) to Enabled.

#Automatically trust what Microsoft has deemed trustworthy using the Intelligent Security Graph
Set-RuleOption -FilePath $CIPolicyfileXML -Option 14
#Set the following option to make sure the policy can be applied without reboot
Set-RuleOption -FilePath $CIPolicyfileXML -Option 16
#Set this policy to allow supplemental policies, otherwise we can't supplement this basepolicy
Set-RuleOption -FilePath $CIPolicyfileXML -Option 17
#Now activating Hardware Virtualized Code Integrity (HVCI) and set it to enabled
Set-HVCIOptions -Enabled -FilePath $CIPolicyfileXML

Repeat the above process for at least two models, but preferably for each model you have in your environment (or at least the top five mot used models).

Note: Enabling the Intelligent Security Graph option will white list the installer for 7-Zip for instance. It will then also white list all executables that the 7-Zip installer puts on your system.

2. Merge the baselines into one general baseline

We will now merge the baselines from the two models (or more) and create one single baseline policy.

#When done collecting CIPolicies, merge them to create a common baseline
$CIPolicyfileXMLMerged = "C:\temp\Merged.xml"
$CIPolicyfileBin = "c:\temp\Merged.cip"
Merge-CIPolicy -OutputFilePath C:\temp\merged.xml -PolicyPaths "C:\temp\CIPolicy_modelX.xml","C:\temp\CIPolicy_modellY.xml"
#Then convert to binary format
ConvertFrom-CIPolicy -XmlfilePath $CIPolicyfileXMLMerged -BinaryFilePath $CIPolicyfileBin

Last but not least you must change the name of the Merged.cip file to match the Policy ID of the file which can be found at the bottom in the Merged.xml file, see the <PolicyID> section. The end result should look like {76300157-42A0-4A2D-A383-AF140D64AAE0}.cip.

3. Create a supplemental policy

Now we will create the first supplemental policy to supplement the baseline policy created in step 1 and 2. This is using path rules which is something that was added with Windows 10 version 1903.

#Now create a supplemental policy with file path rules
$CIPolicyfileXMLSupplemental = "C:\temp\Supplemental.xml"
$rules = New-CIPolicyRule -FilePathRule "C:\Program files\*"
$rules += New-CIPolicyRule -FilePathRule "C:\Program files (x86)\*"
$rules += New-CIPolicyRule -FilePathRule "\\server1\installation\*"
New-CIPolicy -FilePath $CIPolicyfileXMLSupplemental -Rules $rules -UserPEs
Set-CIPolicyIdInfo -FilePath $CIPolicyfileXMLSupplemental -BasePolicyToSupplementPath $CIPolicyfileXMLMerged
#now lookup the PolicyGUID from the bottom of the Supplemental.xml file.
ConvertFrom-CIPolicy -XmlFilePath $CIPolicyfileXMLSupplemental -Binary Supplemental.cip

You must change the name of the Supplemental.cip file to match the Policy ID of the supplemental file which can be found at the bottom in the Supplemental.xml file, see the <PolicyID> section. The end result should look like {56B75B7A-06D3-49EF-BCF8-8FC47C6ADA20}.cip.

4. Deploy the two policies

Now, lets deploy the two policies by copying them to C:\Windows\System32\CodeIntegrity\CIPolicies\Active.

For the sake of it, restart the machine. You could also use the below PowerShell command to refresh the policy without reboot:

Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{GUID}.cip'}

5. Start the testing

Now you can start the testing and see what is blocked by fetching the log files which are located in Event Viewer under Applications and Services Logs > Microsoft > Windows > Code Integrity > Operational.

6. Switch from audit mode to enforced mode!

Out of everything that would have been blocked by fetching the logs as mentioned in step 5, create additional supplemental policies and deploy until everything you need to run is white listed. Then, switch from audit mode to enforced!

Set-RuleOption -FilePath $CIPolicyfileXML -Delete -Option 3

Deploying via Intune

Even though there are existing configuration settings for enabling Microsoft Defender Application Control in an Intune endpoint restrictions policy, enabling it via those settings will mean very limited control and you cannot use supplemental policies. So, therefore you need to deploy these control policies in another way.

1. Create a source folder in C:\ named MDAC, in which you create a folder named Source, where you copy the .CIP files.

2. Create a textfile named SchTask.ps1 and add the following content.

New-Item -Path "c:\" -Name "CI" -ItemType "directory"
Copy-Item -Path ".\{76300157-42A0-4A2D-A383-AF140D64AAE0}.cip" -Destination "C:\CI" -Force
Copy-Item -Path ".\{56B75B7A-06D3-49EF-BCF8-8FC47C6ADA20}.cip" -Destination "C:\CI" -Force
Copy-Item -Path ".\MDAC.ps1" -Destination "C:\CI" -Force
$Time = New-ScheduledTaskTrigger -Once -At 12:00
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"C:\CI\MDAC.ps1`""
Register-ScheduledTask -TaskName "CI" -Trigger $Time -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "CI"
Return 0

3. Create a textfile named MDAC.ps1 and add the following content.

Copy-Item -Path "C:\CI\{56B75B7A-06D3-49EF-BCF8-8FC47C6ADA20}.cip" -Destination "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" -Force
Copy-Item -Path "c:\CI\{76300157-42A0-4A2D-A383-AF140D64AAE0}.cip" -Destination "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" -Force
Return 0

4. As we will deploy this using a Win32 app, download the Intune content prep tool and run the following command from the extracted IntuneWinAppUtil.exe.

IntuneWinAppUtil.exe -c C:\MDAC\Source -s SchTask.ps1 -o C:\MDAC

5. Create a new Win32 app in Intune and use the following parameters when adding it:

Program install and uninstall command:
powershell.exe -ExecutionPolicy Bypass .\SchTask.ps1
Running as System.

Detection rules:
Type: File
Path: C:\Windows\System32\CodeIntegrity\CiPolicies\Active
File or folder: {GUID}.cip
Detection method: file or folder exists

6. Assign the app and wait for the MDAC policy to apply. This can be verified by running msinfo32.exe and watching the status for Windows Defender Application Control.

Next steps: Looking at the CSP for Application Control for even smoother deploying via Intune.

It’s a fact that the world is constantly changing and with it we can choose if we want to tag along or continue doing what we’ve been doing forever. This blog post is about shifting the mindset and daily work from traditional patch management and creating time to make efforts in other security related areas that matters. Change management at its finest!

Fundamental idea: We all know that we need Windows patches, and if you have made the move to Office 365 ProPlus the principle is the same, you need to deploy and install the patches that are released. It really is as simple as that. Testing is a must of course but the fact remains, you need those patches.

Traditional vs modern patch management

A discussion I have with many customers is the patching story around Windows 10 devices. The benefits of using Windows Update for Business (WUfB) are many although leaves less control. What matters in the end is that the Windows 10 devices are patched, and that it is done in a user-friendly manner.

If you compare all the components and the flow that needs to be in place for patching to work all the way in ConfigMgr, you realize there are quite a few things that can go wrong. And in my experience, things do go wrong far too often.

High level overview of all the steps and components in the patch flow using ConfigMgr

High level flow overview of patching using Windows Update for Business

By looking at the above comparisons it’s clear that there are a lot more to manage and a lot more can and more often so do go wrong when patching via ConfigMgr.

Maintaining and fixing the infrastructure or doing more valuable things?

With ConfigMgr you must spend significant time managing and making sure that infrastructure is up to date and working (orange colored bar below). The green colored bar illustrates how much time you typically spend on patch follow-up and fixing patches that could not be installed correctly etc.

With Windows Update for Business, you can focus almost entirely on follow-up and hopefully by doing so also shifting your security work to other areas patching other stuff such as insecure firmware, applications and drivers, so that it makes your environment safer overall.

Pros and cons for using Windows Update for Business

Here is my list of pros and cons of using Windows Update for Business, if you are still not convinced Windows Update for Business is the natural way to go.

• User friendly restart prompts. ConfigMgr isn’t exactly known for its user-unfriendly restart prompts. Using WUfB you get the built-in Windows 10 restart features which gives your end users more control, postponing and picking a time that suits them.
• Get control over devices away from office network. Many organizations have little, less or no control or possibility to patch devices that are solely on the internet or away from the network office. With WUfB that is not an issue as you can not only patch but also follow-up on each and every Windows device that has a working internet connection.
• Less error prone = higher patch level. By cutting all the steps and infrastructure components that need to be in place for patching via ConfigMgr you get a higher success rate of patching your Windows 10 devices.
• Timesaving for IT admins. No more spending time on approving patches and dealing with distribution and install problems. Instead leaves time to focus on other more relevant security work.
• Fully automatic. Well, you can achieve fully automation in ConfigMgr as well but not many do that as they want to stay in control. With WUfB everything is automatic and only if problems during the multiple testing phases are discovered is the flow paused.
• Less control. Yes, on the negative side, you lose control as you cannot really choose which Windows patches you deploy. This revolves back to the question which there is typically only one answer to: Do you really need this control as you need to have all Windows (and Office) patches?

Summary

By shifting to modern patch management using Windows Update for Business you can free time and put that time on patching other stuff, for example insecure firmware, applications or device drivers.

You can also focus on activating Windows features that raise security, such as the Windows Defender technologies Exploit Guard and Application Guard, or Microsoft Defender ATP which can take your security work to a level you could only dream of.

As with all new Windows 10 releases, there are a bunch of new features and bells and whistles. To the business and end-users this can mean great benefits. Here are the business values of upgrading to Windows 10 version 1903 (also referred to as 19H1), from a business, security and IT perspective.

Note: Windows 10 v1903 / 19H1 is not yet released, the features exist only in current Insider builds, which are possible to try out if you opt your organization into Windows Insider for Business.

The business case

By deploying the Windows 10 v1903/19H1 update your organization can:

• Save many minutes for each user in your entire organization
  Potentially you can save a few minutes times the X number of users per month in your organization, when your Windows devices are updated with new Windows updates. This is possible as the user login is done automatically after restart (with the screen locked of course), meaning your end users do not have to stare at the login screen waiting to start LOB apps.
• End-user improvements for finding relevant resources
  Chrome integration with Timeline feature is added and improvements to searching and finding stuff is improved. This means that users can find relevant resources they are working on or have worked on faster than before. 
• Reduction in help desk calls
  With the new features added in Windows 10 v1903/19H1 you can see a reduction of ~5%* or more help desk incidents and support calls. This is thanks to automated troubleshooters, disk space reservation changes and fixes that previously caused help desk calls.

Let’s break this down and go into more details!

Increase in user productivity

There are several new features and design changes that will increase user productivity.

• Automatic sign-on after restart and updating saves many minutes!
  This time-saving feature is to this date only available for cloud-only domain joined Windows 10 devices, not domain joined, nor Hybrid Azure AD joined (although GPO configuration tend to state otherwise). What it means is that the end-user will save many minutes after each update and restart!
  The requirements for this is (except for cloud domain joined Windows 10 device): BitLocker enabled which is not suspended during upgrade, which in itself requires a TPM 2.0 chip and Secure Boot to be enabled.
• Chrome Timeline extension
  The Timeline was introduced in Windows 10 v1803 and is a great way for the user to have all history of documents you worked on, sites you browsed etc. within a few clicks! With the Chrome Timeline extension (named Web Activities), the end-user will also see browsing history from Chrome in their Timeline.
• Enhanced search and indexing
  The search feature in Windows 10 v1903/19H1 is now listing top used apps and recent activities (i.e. opened documents) providing easier and quicker access to recently used files and apps. At the same time, for power users, there is now an option to index the entire C: drive and not only what is available in the user data folder. The settings for this are found in Settings > Search > Searching Windows.
• Restart without updating or upgrading 
  This feature has come and gone over the Windows 10 lifetime, but now it works as expected. Whenever a quality update or a feature update is installed, the user can now choose to shut down or restart without having to be forced to install the update. This is a real time-saver and can save the user quite some time and hassle as a forced updating of the device now has become optional.
• Windows Light Theme
  This is not really something you can consider time or cost-saving but has the potential to really impact the end user. For the first time since Windows 10 launched in 2015, there is a new theme that means a better user experience if you prefer light colors and not dark. Switch to the Windows Light Theme by going to Settings > Personalization > Colors and choose Light in the drop down.

Reduction in support costs

Microsoft are adding new feature and have made design changes that will reduce support for Windows 10 starting with Windows 10 v1903/19H1.

• Automated troubleshooters
  Ever since Windows 7 there are built in troubleshooters which can be used to ease the troubleshooting of Windows problems. Starting with Windows 10 v1903/19H1, Windows has the possibility to detect problems and prompt to run troubleshooters to fix problems, instead of the user having to call help desk.
• WWAN connections for built-in SIM improvements
  If you have devices with built-in SIMs, now this works much more stable than ever. First, there has been a problem with if the connection is lost, it was impossible to re-connect without disabling the device from Device Manager. Now, if the connection is lost you can simply re-connect as expected. Another important change is that now you can via the UI change the WWAN connection to not be metered network, meaning everything will from an end-user perspective work as usual (thus with the impact that it will generate more data).
• Reserved disk space minimizing problems
  With Windows as a Service it is imperative that the Windows device has enough disk space. With Windows 10 v1903/19H1 Microsoft has made the decision to reverse 7GB to be able to update itself. I think everyone can agree that a Windows device with 0 bytes left on the disk will with 100% certainty result in a help desk incident. This decision by Microsoft will not only reduce general support calls due to “out of disk space” issues, but also raise the possibilities that updates go well, which also reduces work load for IT.

Security

As with all new Windows 10 release, Windows 10 v1903/19H1 is no different. Security is a baseline pillar of the modern desktop and modern workplace, and with modern threats you cannot overlook this. Here are a couple of 

• Complete secure browser experience, with Chrome, Edge and IE11
  Windows Defender Application Guard (WDAG) has been available for a few versions now and really provides a super secure browsing environment. As many organizations use Chrome (and some Firefox), now you can “tie up the sack” so to say and make sure that Chrome and Firefox also adhere to WDAG, using the WDAG extension for Chrome and Firefox. This way, you can use IE11 for the old legacy web apps, while using Chrome or Firefox for other internal or external apps and then Edge for creating an extremely secure browsing experience on the web. Of course, you can use only Edge and IE11 together as well, but many users tend to want to use Chrome after all. The dependency for using WDAG with Chrome and Firefox is to use the Windows Defender Application Guard Companion app (this is not needed if only using Edge and IE11).
• Protection history for Windows Defender Exploit Guard features etc.
  Having history of protections for antivirus is something everyone expects and have solutions for, but what I want to highlight is that now you can find Exploit Guard protections here as well, meaning you can follow-up on actions related to Controlled Folders and Attack Surface Reduction. Go to Windows Security > Virus & threat protection > Protection history to find the history.

For IT

• Windows Sandbox
  The Windows Sandbox is a container solution where you quickly can get an isolated Windows 10 instance running, for testing stuff out. The use cases for this solution becomes a lot more when you consider there are config file possibilities!
• A bunch of new MDM possibilities…
  Many new MDM policies are added, and to be more precise 70** MDM settings are new for Windows 10 v1903/19H1. A few of them are listed in Changes in MDM enrollment documentation. You can also see all possible settings by taking an MDM enrolled device, go to Settings > Accounts > Access work or school > <click your join and then click the Info button> > Export results, and look at the last section which lists all possible settings which can then be referenced and investigated for options.
• …as well as new GPO settings
  In general we don’t see as many GPO settings added as MDM settings to each new Windows release, but some new GPO settings are for Storage Sense and Specifying deadlines for Windows Update restarts after quality or feature updates have been installed. 

Modern management and deployment

Note: The below is not related nor dependent on Windows 10 v1903/19H1 release and applies to previous Windows versions as well.

• Some highlights of Intune improvements since last Windows release:
  • BitLocker encryption status and TPM version reports.
  • Win32 app deployment feature is now General Availability – plus troubleshooting possibilities are added.
  • Rename a device from the Intune console – pushed to the device.
  • Security baselines so that you can secure your Windows devices easily.
  • ADMX templates adding some additional hundreds of settings that you can configure on your Windows devices!

Summary

With the changed support statement detailed by Microsoft last summer, many organizations decided to skip the spring releases and only deploy the fall releases of Windows 10.

With the above I think you have a good understanding on how your organization can benefit of deploying Windows 10 v1903/19H1 in many ways, and you can make a qualified decision on whether or not you will deploy the spring/H1 release of Windows 10. 

—————————————

Foot note:

* Very rough estimation based on my soon four year-experience with Windows 10 in multiple organizations.
** Based on Insider build 18356 compared to Windows 10 v1809. This number can change.

Vision

The idea for this blog post was born during the week of MVP Summit at Microsoft in Redmond (March 5-9). I realize that depending on who you talk to they have different point of views on things. The view on “co-management” is a great example.

The purpose of this blog post is to present the options that exist for organizations moving to modern management. “Co-management” is the door opener and path for moving to modern management.

Why modern management?

Modern management is what I would say moving away from on-premise dependencies, creating a more flexible and mobile workplace and more cost-efficient management of Windows devices. This means doing things in new smart ways rather than keep doing them as you’ve done them for the last “100 years” or so. Why would you stop doing what you are doing and start doing things in new ways? Well, one is to save time for IT as well as end users and as time is money, you will be able to reduce costs in your organization. It’s also about not reinventing the wheel, which is what basically every organization is doing today in some sense.

Some practical examples is doing a F12/PXE deployment of machines as soon as they come in to the organization. Think new, and stop doing reference image building and stop certifying hardware and use modern deployment tools such as AutoPilot and Intune to save time and modernize the deployment process.

Another example is that you can reduce complexity and remove infrastructure, say for instance patching. Dismantle old WSUS servers and do patching via Windows Update for Business, which means relying on existing Microsoft infrastructure rather than downloading everything from Microsoft, approving patches, distributing patches etc. Again, do not reinvent the wheel and repeat what Microsoft is already offering in terms of infrastructure.

There are many more examples but I think you get the idea of modern deployment and management, stop doing things the way you’ve always done them and think new.

Introduction and definition of “co-management”

At the Microsoft Ignite conference in September 2017, Microsoft announced what is called “co-management”. “Co-management” is the first and fundamental step on the way to modern management to be able to use existing Windows devices and configuration “as is” but at the same time add a modern management tool. After doing that you can start the switch to modern management, as the switch to the modern world will not be done overnight for most organizations.

Now, “co-management” means different things to different people. My view on “co-management”, regardless if the customer is using ConfigMgr or not, is to keep your Windows client “as is”. With that I mean Active Directory joined and configured via GPOs and then adding MDM-enrollment to that to be able to start doing new configuration via MDM. For the sake of making “co-management” clear I’ve chosen to divide the customers into two, the ones with ConfigMgr and the ones without it.

And as a note, the MDM tool to use for modern management is preferably Microsoft Intune (part of the Enterprise Mobility+Security suite).

Fundamental thoughts

My idea is that once you’ve decided to go down the path to modern management – no more and I mean no more work whatsoever should be put into adding new stuff to your legacy solutions. That includes not making scripts, configuration and applications deployed or configured via on-premise Active Directory or ConfigMgr. Instead, you do this in the modern management tool (if possible). Focus one hundred percent on moving the current resources to the modern management world instead!

Goals

The ultimate goal which is something to strive for, is fulfilled when configuration, patching and applications are managed by a modern management solution, and there are no dependencies to on-premise resources such as ConfigMgr, distributions points, GPOs etc.

Do I believe this goal can be achieved regardless of organization and size? Yes. However, there are many challenges on the way and it will for sure not be easy nor quick for many organizations. For many organizations, it’s going to take years but for smaller organizations I see great possibilities to reach the goal on a much shorter period of time.

Applications

One of the biggest challenges in the modern world lies with applications. In the best of worlds, applications are moving away from using Kerberos or other traditional authentication mechanisms, as well as legacy code or runtime requirements. Instead rely on modern authentication and preferably OAuth 2.0, providing means to further remove dependencies to on-premise Active Directory at the same time enabling possibilities to use conditional access for instance.

Application strategy moving forward is a separate chapter and I will not cover that more in this blog post. I will solely focus on the deployment of the applications, as this is very much relevant in the various “co-management” scenarios.

Current applications, that is traditional and legacy applications packaged as MSI or in EXE format, needs to be replaced, reworked or repackaged. Today, repackaging can be done by repackaging to the AppX format. Popular packaging software like AdminStudio has had this capability for several years but if you want a free option look at Advanced Installer which also has the capability to package apps in the AppX format.

Regardless of the option you choose below for “co-management”, moving to this new packaging format is the way to move forward. At least for the option which is customers with no ConfigMgr, moving to this new package format is a requirement because there is no good way of deploying the applications unless you move to this new package format.

Note: MSIX is a new packaging format to come, as published on GitHub: MSIX Packaging recently, but for the moment AppX is the way to proceed until Microsoft eventually publish more information on MSIX.

Deployment Options

Customers without ConfigMgr

Option 1 (the only option for customers without ConfigMgr): Hybrid joined machines

(on-premise Active Directory joined + Azure AD registered/joined + GPO to set MDM auto enrollment)

If you do not use ConfigMgr, to activate “co-management” all you have to do is to make sure that your Windows 10 clients (1709 and later) are configured with the GPO setting to enable automatic MDM enrollment.

After that, start to move the GPO configuration over and add new configuration to MDM instead of using GPOs. Dismantle local infrastructure such as WSUS and start relying on Windows Update for Business. Also, look into AutoPilot.

Note: For hybrid joined machines it seems that Microsoft has not yet made (as of March 2018) it possible to be able to run PowerShell scripts via the Intune Management Extension. This is a very sad limitation because that means you have no way of deploying scripts for filling in the gap on current limitations of MDM, as you move to modern management.

Customers with ConfigMgr

Option 2: Hybrid joined machines (with Co-management in ConfigMgr unconfigured)

(on-premise Active Directory joined + Azure AD registered/joined + GPO to set MDM auto enrollment + ConfigMgr-agent installed via ConfigMgr)

This option mean you just connect your Windows 10 clients to your MDM solution with the GPO setting to enable automatic MDM enrollment, then stop doing what you are doing with GPOs and ConfigMgr today and instead do that in the MDM solution. This is the least effort option where you try to touch the ConfigMgr solution as little as possible and instantly just start the move away from ConfigMgr. This option is more suitable for smaller and rather simple ConfigMgr environments.

Option 3: Hybrid joined machines (with Co-management in ConfigMgr activated)

(on-premise Active Directory joined + Azure AD registered/joined + co-management activated in ConfigMgr + ConfigMgr-agent installed via ConfigMgr)

I suppose you can say that this is the true “co-management” in terms of what Microsoft would describe it as. This is the recommended way for most organizations that want to start the journey to modern management.

Option 4: Cloud joined machines (with Co-management in ConfigMgr activated)

(Azure AD joined + MDM joined + ConfigMgr-agent deployed via Intune)

Well this option is a good one but as the devices are not connected to an on-premise Active Directory, it requires that you have moved all GPOs and have managed to provide access to all on-premise resources for users when they are outside the company network. This option is more for future use, although this option might be good for some customers already.

Note: Even though devices are not connected to the on-premise Active Directory, they are able to use single sign on to access recourses on the internal network such as printers, network shares and other resources in the Active Directory domain. This is true as long as the device is on an internal network and has contact with an on-premise domain controller, where a Kerberos TGT is issued for accessing on-premise resources.

How to activate “co-management”

Option 1 and 2

For options 1 and 2 you configure your Windows devices and set the GPO “Enable automatic MDM enrollment using default Azure AD credentials” to Enabled. The GPO setting is located in Computer Configuration > (Policies) > Administrative Templates > Windows Components > MDM.

Option 3 and 4

The Microsoft Docs is the place to go to activate “co-management” in ConfigMgr. This includes the optional agent deployment via Intune.

Verify MDM connectivity and that your Windows clients are being “co-managed”

1. Dsregcmd command line

Run the following command to see if your devices are connected to Azure AD:

dsregcmd /status

The value for AzureAdJoined should read YES and MdmUrl should be set to for instance https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

2. Modern control panel “Access work or school”

To check if the device has registered properly with the MDM tool you can also look in the modern control panel “Access work or school” (located in Accounts). Click any of the Windows logos or the briefcase and if you have the Info button you know that you have an active MDM enrollment for this device.

3. In the GUI of the MDM tool

Of course, the device should also pop up in your MDM solution and in Intune it will display as “MDM” is the device is Azure AD joined with MDM enrollment and it will show “MDM/ConfigMgr” if you are using ConfigMgr (or using option 1, that is not using ConfigMgr but still activating MDM enrollment for hybrid joined machines).

Troubleshooting

AzureAdJoined = NO

If AzureAdJoined is NO when you run “dsregcmd /status” then your devices have not registered with Azure AD which is required to be using “co-management”. Check the following:

1. Check Event Viewer and the log Applications and Services Logs > Microsoft > Windows > AAD > Operational. Optionally go to View and click Show Analytic and Debug Logs to get additional logs, and in AAD get the Analytic log which you must Enable before it will start logging.

No automatic MDM enrollment is made

If the MdmUrl is empty when you run “dsregcmd /status” and there is no “Info” button in Access work or school, then verify the following:

1. Make sure that you are using Windows 10 v1709 or later.
2. (Option 1 and 2) Verify that the GPO with MDM enrollment applies to the device.
3. (Option 3 and 4) Verify in the CoManagementHandler.log that CoManagementSettings_AutoEnroll equals True.
4. Verify that MDM automatic enrollment is configured in Azure AD, i.e. Azure Portal > Azure AD > Mobility (MDM and MAM). Also check that the user is covered by the MDM User Scope.
5. Verify that the user logging into the machine has an Azure AD Premium license assigned.
6. Check Event Viewer and the log Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. Optionally go to View and click Show Analytic and Debug Logs to get additional logs, and in DeviceManagement-Enterprise-Diagnostics-Provider get the Debug log which you must Enable before it will start logging.

Just adding this quick blog post as there is nothing available on the Internet on this particular error, at least not what I could find or see at a first glance.  

UE-V problems in Windows 10 v1709 and looking in the Event log showed warnings events with ID 13008 and the text (for example): 

“Error 4 was returned while initializing sync provider for template MicrosoftInternetExplorer.Version11” 

As usual one of my favorite tools Process Monitor came to the rescue and quickly helped identify the problem: ACCESS DENIED when monitoring read/write access to the settings storage location. Turned out the owner of the folder was incorrectly set, adjusting that and everything got back to a working state.