Tag: Intune

The business values of upgrading to Windows 10 v1903 / 19H1

As with all new Windows 10 releases, there are a bunch of new features and bells and whistles. To the business and end-users this can mean great benefits. Here are the business values of upgrading to Windows 10 version 1903 (also referred to as 19H1), from a business, security and IT perspective.

Note: Windows 10 v1903 / 19H1 is not yet released, the features exist only in current Insider builds, which are possible to try out if you opt your organization into Windows Insider for Business.

The business case

By deploying the Windows 10 v1903/19H1 update your organization can:

  • Save many minutes for each user in your entire organization
    Potentially you can save a few minutes times the X number of users per month in your organization, when your Windows devices are updated with new Windows updates. This is possible as the user login is done automatically after restart (with the screen locked of course), meaning your end users do not have to stare at the login screen waiting to start LOB apps.
  • End-user improvements for finding relevant resources
    Chrome integration with Timeline feature is added and improvements to searching and finding stuff is improved. This means that users can find relevant resources they are working on or have worked on faster than before. 
  • Reduction in help desk calls
    With the new features added in Windows 10 v1903/19H1 you can see a reduction of ~5%* or more help desk incidents and support calls. This is thanks to automated troubleshooters, disk space reservation changes and fixes that previously caused help desk calls.

Let’s break this down and go into more details!

Increase in user productivity

There are several new features and design changes that will increase user productivity.

  • Automatic sign-on after restart and updating saves many minutes!
    This time-saving feature is to this date only available for cloud-only domain joined Windows 10 devices, not domain joined, nor Hybrid Azure AD joined (although GPO configuration tend to state otherwise). What it means is that the end-user will save many minutes after each update and restart!
    The requirements for this is (except for cloud domain joined Windows 10 device): BitLocker enabled which is not suspended during upgrade, which in itself requires a TPM 2.0 chip and Secure Boot to be enabled.
  • Chrome Timeline extension
    The Timeline was introduced in Windows 10 v1803 and is a great way for the user to have all history of documents you worked on, sites you browsed etc. within a few clicks! With the Chrome Timeline extension (named Web Activities), the end-user will also see browsing history from Chrome in their Timeline.
  • Enhanced search and indexing
    The search feature in Windows 10 v1903/19H1 is now listing top used apps and recent activities (i.e. opened documents) providing easier and quicker access to recently used files and apps. At the same time, for power users, there is now an option to index the entire C: drive and not only what is available in the user data folder. The settings for this are found in Settings > Search > Searching Windows.
  • Restart without updating or upgrading 
    This feature has come and gone over the Windows 10 lifetime, but now it works as expected. Whenever a quality update or a feature update is installed, the user can now choose to shut down or restart without having to be forced to install the update. This is a real time-saver and can save the user quite some time and hassle as a forced updating of the device now has become optional.
  • Windows Light Theme
    This is not really something you can consider time or cost-saving but has the potential to really impact the end user. For the first time since Windows 10 launched in 2015, there is a new theme that means a better user experience if you prefer light colors and not dark. Switch to the Windows Light Theme by going to Settings > Personalization > Colors and choose Light in the drop down.

Reduction in support costs

Microsoft are adding new feature and have made design changes that will reduce support for Windows 10 starting with Windows 10 v1903/19H1.

  • Automated troubleshooters
    Ever since Windows 7 there are built in troubleshooters which can be used to ease the troubleshooting of Windows problems. Starting with Windows 10 v1903/19H1, Windows has the possibility to detect problems and prompt to run troubleshooters to fix problems, instead of the user having to call help desk.
  • WWAN connections for built-in SIM improvements
    If you have devices with built-in SIMs, now this works much more stable than ever. First, there has been a problem with if the connection is lost, it was impossible to re-connect without disabling the device from Device Manager. Now, if the connection is lost you can simply re-connect as expected. Another important change is that now you can via the UI change the WWAN connection to not be metered network, meaning everything will from an end-user perspective work as usual (thus with the impact that it will generate more data).
  • Reserved disk space minimizing problems
    With Windows as a Service it is imperative that the Windows device has enough disk space. With Windows 10 v1903/19H1 Microsoft has made the decision to reverse 7GB to be able to update itself. I think everyone can agree that a Windows device with 0 bytes left on the disk will with 100% certainty result in a help desk incident. This decision by Microsoft will not only reduce general support calls due to “out of disk space” issues, but also raise the possibilities that updates go well, which also reduces work load for IT.

Security

As with all new Windows 10 release, Windows 10 v1903/19H1 is no different. Security is a baseline pillar of the modern desktop and modern workplace, and with modern threats you cannot overlook this. Here are a couple of 

  • Complete secure browser experience, with Chrome, Edge and IE11
    Windows Defender Application Guard (WDAG) has been available for a few versions now and really provides a super secure browsing environment. As many organizations use Chrome (and some Firefox), now you can “tie up the sack” so to say and make sure that Chrome and Firefox also adhere to WDAG, using the WDAG extension for Chrome and Firefox. This way, you can use IE11 for the old legacy web apps, while using Chrome or Firefox for other internal or external apps and then Edge for creating an extremely secure browsing experience on the web. Of course, you can use only Edge and IE11 together as well, but many users tend to want to use Chrome after all. The dependency for using WDAG with Chrome and Firefox is to use the Windows Defender Application Guard Companion app (this is not needed if only using Edge and IE11).
  • Protection history for Windows Defender Exploit Guard features etc.
    Having history of protections for antivirus is something everyone expects and have solutions for, but what I want to highlight is that now you can find Exploit Guard protections here as well, meaning you can follow-up on actions related to Controlled Folders and Attack Surface Reduction. Go to Windows Security > Virus & threat protection > Protection history to find the history.

For IT

  • Windows Sandbox
    The Windows Sandbox is a container solution where you quickly can get an isolated Windows 10 instance running, for testing stuff out. The use cases for this solution becomes a lot more when you consider there are config file possibilities!
  • A bunch of new MDM possibilities…
    Many new MDM policies are added, and to be more precise 70** MDM settings are new for Windows 10 v1903/19H1. A few of them are listed in Changes in MDM enrollment documentation. You can also see all possible settings by taking an MDM enrolled device, go to Settings > Accounts > Access work or school > <click your join and then click the Info button> > Export results, and look at the last section which lists all possible settings which can then be referenced and investigated for options.
  • …as well as new GPO settings
    In general we don’t see as many GPO settings added as MDM settings to each new Windows release, but some new GPO settings are for Storage Sense and Specifying deadlines for Windows Update restarts after quality or feature updates have been installed. 

Modern management and deployment

Note: The below is not related nor dependent on Windows 10 v1903/19H1 release and applies to previous Windows versions as well.

  • Some highlights of Intune improvements since last Windows release:
    • BitLocker encryption status and TPM version reports.
    • Win32 app deployment feature is now General Availability – plus troubleshooting possibilities are added.
    • Rename a device from the Intune console – pushed to the device.
    • Security baselines so that you can secure your Windows devices easily.
    • ADMX templates adding some additional hundreds of settings that you can configure on your Windows devices!

Summary

With the changed support statement detailed by Microsoft last summer, many organizations decided to skip the spring releases and only deploy the fall releases of Windows 10.

With the above I think you have a good understanding on how your organization can benefit of deploying Windows 10 v1903/19H1 in many ways, and you can make a qualified decision on whether or not you will deploy the spring/H1 release of Windows 10. 

—————————————

Foot note:

* Very rough estimation based on my soon four year-experience with Windows 10 in multiple organizations.
** Based on Insider build 18356 compared to Windows 10 v1809. This number can change.

Accelerate your modern desktop journey – get started with a boom!

The benefits of a modern workplace and modern desktop are many. Users and companies now more than ever need to be ready for a mobile world. A user expects to be able to work from anywhere and many organizations needs to be prepared for changes such as scaling in terms of growth, acquisitions or even in the worst-case downsizing.

The road to a modern desktop the Microsoft way is to activate and use co-management to take it in baby steps. My philosophy is to build a use case without co-management using a cloud-only solution and use that to showcase what can be done in your organization. The idea is to accelerate the journey to the modern desktop as it will be a great example of what can be achieved and how well it works.

Vision

Do “deployment” of a new Windows 10 device or reset your existing Windows 10 device and have in mind that everything you need should be available to you automatically! That means settings, applications and documents and files so that you can start working immediately.

The goal is to setup an environment where you can join any Windows 10 device to your environment, letting it be totally agnostic from your physical network.

License pre-reqs

  • Azure AD Premium P1 (or P2) or EM+S E3 or E5 or Microsoft 365 E3, E5 or any other license including Azure AD P1 (or the automatic MDM enrollment feature).
  • Intune licenses as part of EM+S or Microsoft 365 or standalone Intune licenses.
  • Windows 10 Pro or Enterprise.

AutoPilot as the modern “deployment solution”

Deployment in the new world is not done image based with certification of drivers and network PXE boot. Instead you (or preferably the vendor or a partner) register devices you need to deploy using the AutoPilot service that Microsoft provide.

When the device is booted for the first time, it fetches the AutoPilot profile and applies it, and when your user login using their email address the Windows 10 device is joined to Azure AD and at the same time enrolled into Intune (requires Azure AD Premium P1 license).

By activating the Intune Enrollment Status page, you can also see the progress and making sure that the device is (almost) ready when the user´s logged in.

Actions:

OneDrive Known Folder Move is the modern folder redirection

One of the most important things I want available on any device I use is my files and documents. By activating and using OneDrive Known Folder Move, I can get my Desktop, Documents and Pictures folders redirected to my OneDrive for Business.

This is just like good old folder redirection where you redirect these folders to the network with offline files (yikes!), but now you do it for OneDrive where you also get a better sync than with offline files.

Actions:

MSIX is the future

Repackaging packages to MSIX is the future. Why? Because there are several benefits over traditional MSI packaging and distribution. Delta updates of apps is one advantage, another big advantage is how the updates of apps work, which is a huge problem today in many enterprises.

But wait, did not Microsoft release Win32 app support in Intune? Yeah, they did, but why on earth would you want to put makeup on the pig? By moving your existing Win32 app packages to a modern management solution is like moving to a new house and bringing everything with you, not only your stuff and furniture but also the dust and dirt.

Actions:

Enterprise state roaming

To get some basic sync of settings such as background image and other customizations as well as favorites in Edge, saved credentials in Windows and more you activate Enterprise State Roaming so that the settings roam with you. This feature has a lot to wish for but at least provides basic profile roaming.

Actions:

Follow up using Windows Analytics

As all your clients are disconnected from your infrastructure in our scenario you need to be able to followup important things such as patch status, and this can be done using Windows Analytics and Update Compliance specifically.

Actions:

Helping your users remotely

When your Windows 10 devices are basically anywhere in the world you must be able to remote control them to provide support whenever needed. You can do this using Quick Assist which has been with Windows 10 since 1607. It works just like TeamViewer, which is very popular, in the sense that Quick Assist works basically anywhere if you have a working internet connection.

Worth noting is that in Windows 10 v1809 you will learn that the person giving assist is signed on to the Quick Assist app when providing support, so all you must do is to provide the connection ID to the end user and off you go!

Key fact – access to on-premise recourses!

Well, I think most can agree on that they few organizations have no moved or migrated all on-premise resources to the cloud. Therefore, most users still need to access resources only available on-premise.

A magic feature exists thanks to Azure AD Connect, which means that whenever your Azure AD joined Windows 10 devices is on your corporate network and has contact with a domain controller you get a Kerberos ticket for that user! This can be used to access any on-premise resources although the device is not part of the on-premise domain at all!

Read more about how this works from Michael Niehaus.

Summary

With all these steps you have a quick way of getting started with a top modern workplace which works anywhere in the world. And, to add to that, whenever their devices are in the corporate network, the user gets access to any internal resources such as files, printers and applications the user have access to.

If you want to deep dive into this, contact either Addskills Cornerstone Group or Lexicon group for a 3-day training on managing and deploying Windows 10 in a new modern way.

Version mismatch in custom iOS app causes reporting back to be unsuccessful in ConfigMgr and Intune

I’ve encountered quite an interesting issue when deploying a custom iOS (IPA) app using System Center Configuration Manager and Intune. The problem is that the deployment status for the app never reports as “Success” and is hung at “In progress”. As it turns out there is a mismatch in the version info that exist within the IPA file and the plist file that is included when deploying the IPA.

The CFBundleVersion listed within the IPA in the file info.plist

<key>CFBundleVersion</key>
<string>1.2.3</string>

must match the bundle-version found in the plist file that is used when creating the app deployment in Configuration Manager.

<key>bundle-version</key>
<string>1.2.3</string>

If these values do not match the status will never be reported as successful in the ConfigMgr console. After the September 2014 maintenance window for Intune I also suspect that this version mismatch is causing the app to be re-deployed over and over again, however this has yet to be confirmed.

Note: You can easily check the content of info.plist within the IPA by renaming the IPA to ZIP and extract its contents. Use a plist viewer of your choice (there are several free for trial) to check the CFBundleVersion.

Feature deploying email profiles to iOS using Intune/ConfigMgr

There is something fishy going on when deploying email profiles to iOS devices using Windows Intune and ConfigMgr 2012 R2. When you have deployed an email profile to an iOS (7.1) device you cannot choose to send pictures from that email account, as the account is then missing from the drop down menu when choosing “From”.

If you go into the Mail app in iOS and then write a new mail then you can choose the deployed email account, the problem is just related to sharing pictures (possibly also other stuff) via the  “Share button” > Mail feature in iOS.

Note: If you go to Settings > Mail, Contacts, Calendars you cannot see the email account listed in “Default account”.

UPDATE: Turns out that this is indeed not a bug but a feature. You must activate “Allow email to be sent from third-party applications” in the email policy.

Related article: Notes from the field – iOS device management using ConfigMgr 2012 and Windows Intune

Notes from the field: iOS device management using ConfigMgr 2012 R2 and Windows Intune

There are not that much real world info on managing iOS devices using Windows Intune and ConfigMgr. I am talking about managing iOS devices, not settings up iOS enrollment or the tons of guides on how to publish and deploy a web link to the App Store. This blog post was born to give some deeper level of insight into iOS management using Windows Intune together with System Center Configuration Manager 2012 R2.

UPDATE March 18 2014: Bug deploying email profiles to iOS using ConfigMgr / Intune

Troubleshoot MDM in Intune / ConfigMgr

The biggest challenge as I have learnt is that troubleshooting mobile device management using ConfigMgr and Intune leaves a lot to wish for. There really are not that much you can see in terms of what is going on between ConfigMgr, Intune cloud service and the mobile device itself. There are no force buttons to push or pull stuff so you are pretty much left in the dark many times. Apparently there is only one action you can take to force all policies (compliance settings and email profiles for instance) to the iOS device and that is to install an app from the Company Portal iOS app or from the web interface at m.manage.microsoft.com. Apart from that you just have to wait, wait and wait for things to happen.

Custom iOS app deployment options and important knowledge

One of the most not so much talked about feature is the ability to sideload an in-house or custom developed iOS app (IPA file). It is easily done as any other application deployment by adding the IPA and the PLIST file, then distributing it to the cloud distribution point. Although the plist manifest file is required to add the application for deployment it seems to be of no use as the plist file is not distributed with the IPA file itself to the distribution point. I suppose it is more of a way of knowing that you are not deploying apps from the App Store (IPA files, not the web links).

When deploying an IPA you have three options:

1. Deploy it as Available to Users
This will make the app published and available for install, but only in the web interface, i.e. “m.manage.microsoft.com”. For some reason which I do not know you will not see this app if you are using the Company Portal app. Once again I do not know the background for this but it is really inconsistent behavior and makes the iOS Company Portal app more or less unusable. I have filed a Design Request Change for this at Microsoft Connect.

UPDATE: This is an Apple “feature” and a limitation in what they allow the MDM vendors to do.

2. Deploy it as Required to Users
This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

3. Deploy it as Required to Devices
This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “m.manage05sub.microsoft.com want to install the following app, is that OK”? After clicking OK/yes the app is installed (or should we say sideloaded to be correct).

Log files – shake it baby!

Well, there are a few log files on the CM side but I have not found any relevant information in them, all you can see is that there is some kind of communication with Intune but that’s about it. So basically there are no logs to turn to when troubleshooting. There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the phone. Yes, you heard me, shake the phone and you will see options to send the log file via email for further analysis. However, although I have read many log files over the years this log file is among the more hard to interpret. They will however likely be more useful to Intune technical support technicians (more on that later). I have filed a DCR for more insight into Intune or the communication via ConfigMgr at Microsoft Connect.

iPad and iPhone collections

Divide iOS devices into collections for iPads and iPhones which is good if you for instance want to target different compliance settings to iPads and iPhones. Create a collection based on “Mobile Device Computer System” where the “Device Model” is like %ipad% and %iphone%.

The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

Email profiles be aware

Do not let the official ConfigMgr blog screenshots fool you. When creating an email profile the Exchange ActiveSync Host should be entered without http:// or https:// as mistakenly demonstrated in the screenshot.

UserLicenseTypeInvalid error message

The error UserLicenseTypeInvalid when trying to enroll an iOS device. Most likely this is due to users not being synced to the Intune service because they are missing from the “Intune users” collection or that there is a problem with actually syncing from CM to Intune. More about that in this blog post.

The Intune Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.