Removing the need for Windows Group Policies using the capability of the Microsoft Cloud.

Back in July, Microsoft announced that it is now possible to configure enrolled Windows 10 devices with Administrative Templates that are very similar to Windows Group Policies. Since that announcement Microsoft has made further progress, introducing administrative templates for Windows, Office and most recently Edge.

Microsoft Endpoint Manager is becoming more common as businesses around the globe adapt, adopt and migrate more of their workloads to the Microsoft Cloud.

Let’s dive into the reasoning for removing Windows 10 Group Policies and adopting Administrative Templates from Microsoft Intune. One of the most valuable things any business can do is enrol its Windows 10 devices in Microsoft Endpoint Manager, as it provides a lot of additional functionality that cannot be delivered using conventional on-premises infrastructure.

This modern management of Windows 10 allows businesses to apply policies to devices that are not connected to the corporate LAN but do have an internet connection. It provides protection, configuration and compliance to the end-user device whether it is on or off the corporate network.

I have been working with several customers recently who have seen huge value from moving their Group Policy Objects (GPOs) to Administrative Templates. Many of these organisations were deploying legacy or out-of-date group policies to their end users that are no longer needed and, in some cases, create a security hole in their Windows 10 build.

Adopting Microsoft Endpoint Manager allows businesses to evaluate their GPO structure and condense their requirements. Condensing your GPOs into administrative templates is just the start of the journey to modern management.

  • Do you deploy applications via GPOs?
  • Do you deploy registry keys via GPOs?

If you do, these can also be delivered using the Microsoft Cloud, specifically Microsoft Endpoint Manager. I have recently been deploying a large number of core applications to Windows 10, including registry key modifications, using a PowerShell script from within the MEM portal. As soon as the Windows 10 device is enrolled and has an internet connection, all applications and policies are configured, with the devices regularly polling for any updates or changes made within the Intune portal.
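As an added illustration of the registry-key part of that approach (this is example code, not the script the post refers to), the following PowerShell describes the desired registry state as data, applies only the values that differ, and logs what it changed. The key path, value names, data and log location are constructed placeholders. Intune runs such a script as SYSTEM at enrollment and re-runs it only if it fails, so the script is written to be idempotent and to exit non-zero on any error.

```powershell
# Added example (not the blog's own script): idempotent registry configuration
# intended for deployment as an Intune PowerShell script. Key path, value names,
# data and log path below are constructed placeholders.
$ErrorActionPreference = 'Stop'
$LogPath = Join-Path $env:ProgramData 'Contoso\RegConfig.log'   # placeholder path

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
}

# Desired state: one entry per registry value (constructed examples)
$DesiredValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Contoso\Build'; Name = 'BuildVersion'; Type = 'String'; Data = '1.0.0' },
    @{ Path = 'HKLM:\SOFTWARE\Contoso\Build'; Name = 'Enrolled';     Type = 'DWord';  Data = 1 }
)

function Set-RegistryValueIfNeeded {
    param([hashtable]$Desired)
    if (-not (Test-Path $Desired.Path)) {
        New-Item -Path $Desired.Path -Force | Out-Null
        Write-Log "Created key $($Desired.Path)"
    }
    $current = Get-ItemProperty -Path $Desired.Path -Name $Desired.Name -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.($Desired.Name) -eq $Desired.Data) {
        Write-Log "Value $($Desired.Path)\$($Desired.Name) already correct"
        return $false
    }
    New-ItemProperty -Path $Desired.Path -Name $Desired.Name `
        -PropertyType $Desired.Type -Value $Desired.Data -Force | Out-Null
    Write-Log "Set $($Desired.Path)\$($Desired.Name) = $($Desired.Data)"
    return $true
}

$changed = 0
foreach ($v in $DesiredValues) {
    if (Set-RegistryValueIfNeeded -Desired $v) { $changed++ }
}
Write-Log "Completed; $changed value(s) changed"
exit 0   # a non-zero exit code marks the script as failed in the Intune portal
```

Keeping the desired values in one table at the top makes the script easy to review before it is uploaded, and the log under ProgramData gives you something to check on a device when the Intune portal only reports "Failed".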

So isn’t it time you investigated what Microsoft Endpoint Manager can do for you today?

Regards,
The Author – Blogabout.Cloud

Do you have Device Writeback enabled on Azure Active Directory Connect? Do you know how to check if a device has been written back?

I have recently been working with a customer where errors within Azure AD pointed to an issue with Device Writeback not being enabled on Azure Active Directory Connect.

But how do you check if the device is being written back? Well, I’m glad you asked. First of all, we need the Device ID, which is obtained by running the following command from a command prompt.

dsregcmd /status

Once you have this information, run the following commands using PowerShell on one of your domain controllers.

# Requires the ActiveDirectory module; replace the DC= components with your own domain
$deviceid = "Enter ID here"
Get-ADObject -LDAPFilter "(cn=$deviceid)" -SearchBase "CN=RegisteredDevices,DC=OfficeC2R,DC=com"

If you are returned an error, i.e. Directory Object Not Found, it is safe to say the device hasn’t been registered yet.

And it’s as simple as that.
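The same check wrapped as a reusable function, as an added example rather than the post’s own command: it resolves the domain DN instead of hard-coding it, refuses anything that is not a GUID before it is placed in the LDAP filter, and returns $true or $false so it can be used in a loop over many device IDs. The device ID shown is a placeholder.

```powershell
# Added example (not the blog's own command): look up a registered device in
# the on-premises AD container that Azure AD Connect Device Writeback populates.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Test-DeviceWriteback {
    param(
        # Device ID GUID as shown by "dsregcmd /status"
        [Parameter(Mandatory)][string]$DeviceId,
        # Domain DN; defaults to the current domain instead of a hard-coded DC=... value
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    # Only a GUID is ever interpolated into the LDAP filter
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($DeviceId, [ref]$guid)) {
        throw "DeviceId '$DeviceId' is not a valid GUID"
    }
    $searchBase = "CN=RegisteredDevices,$DomainDN"
    # If the RegisteredDevices container itself is missing, Get-ADObject throws
    # "Directory object not found": writeback has never been enabled in this domain.
    $device = Get-ADObject -LDAPFilter "(cn=$($guid.Guid))" -SearchBase $searchBase -Properties whenCreated
    if ($null -eq $device) {
        Write-Output "Device $guid has NOT been written back to $searchBase"
        return $false
    }
    Write-Output "Device $guid written back: $($device.DistinguishedName) (created $($device.whenCreated))"
    return $true
}

# Usage with a placeholder ID:
Test-DeviceWriteback -DeviceId '00000000-0000-0000-0000-000000000000'
```

A $false result with no error means the container exists but this device has not been written back yet; an error about the search base means the container is absent altogether, which points at writeback never having been enabled in Azure AD Connect.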

Regards
The Author – Blogabout.Cloud

Isn’t it time you switch gears into Windows Autopilot

Windows Autopilot has grown in popularity over the 3 years since its release in 2017. As a consultant within the Microsoft Cloud space, I have had more and more conversations with customers about how Autopilot can change how they deploy Windows 10 devices to their end users.

Being able to deliver a brand new Windows 10 device from the OEM factory to the end user’s desk, already configured with all the required security policies and applications, has to be the biggest selling point.

This post shows how we can move to Windows Autopilot in 3 easy steps:

Step 1 – Register Devices

Option 1 – (Recommended) Have devices registered automatically:

– Request clean images and, at the same time, your choice of Windows 10 version (if available); not all OEM vendors are able to provide clean images. A useful workaround for this is a Windows 10 script I have seen that removes bloatware. If you haven’t seen it, I have dropped a copy on GitHub.
– Specify a group tag to help segment devices by purpose (depending on the size of your organisation this may not be a requirement)
– Devices are automatically tagged with the purchase order ID

Option 2 – (Recommended for piloting) Register devices yourself via Intune for testing and evaluation, using the Get-WindowsAutopilotInfo PowerShell script created by Microsoft.

Once you have the CSV file produced by the script, you can manually register the device.

Option 3 – Register (harvest) existing Intune-managed devices automatically. If your organisation has already enrolled its Windows 10 devices into Microsoft Intune, you can register all of those devices for Windows Autopilot.

Step 2 – Assign a profile

Use Intune:
– Select the profile scenario (user-driven or self-deploying)
– Configure the required settings
– Assign the profile to an Azure AD group so Intune will automatically assign it to all devices in that group (I am a big fan of dynamic groups)

Use a dynamic Azure AD group to automate this step
– Consider static Azure AD groups for exceptions
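As an added example covering Step 1 (Option 2) and Step 2 together (this is not the post’s own code), the first part collects the hardware hash CSV on a device being piloted with Microsoft’s Get-WindowsAutoPilotInfo script, and the second creates the dynamic Azure AD group that a deployment profile is then assigned to. The group name, mail nickname and the group tag in the comment are placeholders; the membership rule syntax is the one Intune documents for Autopilot devices.

```powershell
# Added example (not the blog's own script). Part 1 runs on the device being
# piloted from an elevated PowerShell prompt; part 2 runs from an admin
# workstation with the AzureAD module. Names and tags are placeholders.

# --- Step 1, Option 2: collect the hardware hash CSV on the pilot device
Install-Script -Name Get-WindowsAutoPilotInfo -Force      # Microsoft's script from the PowerShell Gallery
New-Item -ItemType Directory -Path 'C:\HWID' -Force | Out-Null
Get-WindowsAutoPilotInfo.ps1 -OutputFile 'C:\HWID\AutopilotHWID.csv'
# Upload C:\HWID\AutopilotHWID.csv under Devices > Windows > Windows enrollment > Devices in the MEM portal.

# --- Step 2: dynamic Azure AD group that the deployment profile is assigned to
Import-Module AzureAD
Connect-AzureAD

# Every device registered for Autopilot carries a ZTDId entry in devicePhysicalIds.
# To scope the group by the group tag set at registration instead, use
# '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Pilot-Tag"))' with your own tag.
$rule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))'

$group = New-AzureADMSGroup -DisplayName 'Autopilot-Pilot-Devices' `
    -Description 'All devices registered for Windows Autopilot (example group)' `
    -MailEnabled $false -MailNickname 'autopilotpilot' -SecurityEnabled $true `
    -GroupTypes 'DynamicMembership' -MembershipRule $rule -MembershipRuleProcessingState 'On'

# Show what was created; membership is evaluated by Azure AD shortly afterwards
$group | Select-Object Id, DisplayName, MembershipRule
```

Assigning the deployment profile to this group rather than to individual devices is what makes Step 2 automatic: a device harvested in Step 1 appears in the group on its own, and the static groups mentioned above are only needed for exceptions.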

Here are the deployment profiles that can be configured today.

Coming soon

Hybrid Azure AD join for devices that don’t have line of sight to a domain controller is currently in testing and will use a VPN to call home. The support has been built into Windows 10 1909.

Step 3 – Deploy

Boot up the device or devices

Connect to a network either wired or wireless

Enter credentials if required (credentials not required for self-deployment profiles)

The device will now go away and provision itself based on your configuration within Microsoft Endpoint Manager. Once complete, all that is left to say is…

Welcome to Windows Autopilot!!! I will be writing a more in-depth post about Autopilot soon because of the configuration I am currently using for my home devices.

Regards
The Author – Blogabout.Cloud

Topology Builder encountered an issue and cannot publish this topology.

Note from the field

Recently I encountered the following issue when trying to publish a Skype for Business 2019 topology. Thankfully, this is the first, and hopefully the last, time I have seen this issue.

Error Message

Topology Builder encountered an issue and cannot publish this topology.

Topology Builder has encountered an unexpected error from Skype for Business Server 2019 Management Shell.

Error Details:
Get-CsManagementStoreLocation did not return a valid connection

To resolve this issue, launch the Skype for Business Management Shell and run the following cmdlet:

Remove-CSConfigurationStoreLocation

You will now be able to successfully publish your Skype for Business topology without receiving the error you encountered earlier.

Regards
The Author – Blogabout.Cloud

Understanding ProPlus Servicing Models

Office 365 ProPlus has adopted a servicing model for client updates, allowing new features, non-security updates, and security updates to be released on a regular basis, ensuring your users are always up to date with the latest functionality and improvements.

The client servicing model for Office 365 ProPlus provides options that allow organizations to manage how frequently features and updates are deployed, using multiple release channels. A channel can be configured for all users or for a specific set of users within the organization, allowing IT to manage update deployment.

Monthly Channel

The Monthly Channel is made available every month and is targeted at users that want the latest features and updates as soon as they are available.

The Semi-Annual Channel

The Semi-Annual Channel is made available every 6 months, in January and July, and is best for organizations that don’t want to deploy the latest features of Office right away, or that have a significant number of LOB applications, add-ins or macros that need to be tested prior to broad deployment. This approach helps to avoid compatibility issues that can potentially stall deployments.

This channel has 18 months of support before the version will need to be upgraded to the latest release of ProPlus.

The Semi-Annual Channel (Targeted)

The Semi-Annual Channel (Targeted) enables a group of early adopters to get the latest and greatest features four months ahead of a Semi-Annual release, allowing time for organizations to test the new features and updates. It is made available every 6 months, in March and September.

This channel has 14 months of support before the version will need to be upgraded to the latest release of ProPlus.

Below is a diagram of how the “Update Model” works.

The three primary Office 365 update channels, showing the relationship between the update channels and the release cadence
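One check a practitioner wants after reading the above is which channel a given machine is actually on. The following is an added example (not the Tool Kit script linked below): it reads the Click-to-Run configuration key that Office 365 ProPlus writes and maps the CDN GUID in CDNBaseUrl to the channel name. The three GUIDs are the channel identifiers Microsoft publishes for these channels, and the support lengths are the ones stated in this post.

```powershell
# Added example (not the blog's Tool Kit): report the Office 365 ProPlus update
# channel from the Click-to-Run registry configuration, locally or on a remote
# machine via PowerShell remoting.
function Get-ProPlusChannel {
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # CDNBaseUrl GUID -> channel, as published by Microsoft; support lengths as in the post
    $channels = @{
        '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = @{ Name = 'Monthly';                SupportMonths = $null }  # superseded by the next monthly build
        '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = @{ Name = 'Semi-Annual';            SupportMonths = 18 }
        'b8f9b850-328d-4355-9145-c59439a0c4cf' = @{ Name = 'Semi-Annual (Targeted)'; SupportMonths = 14 }
    }
    $read = {
        Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction Stop |
            Select-Object CDNBaseUrl, VersionToReport
    }
    $cfg = if ($ComputerName -eq $env:COMPUTERNAME) { & $read } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read
    }

    # The channel GUID is the last path segment of the CDN URL
    $guid  = ([uri]$cfg.CDNBaseUrl).Segments[-1].Trim('/').ToLower()
    $match = $channels[$guid]
    [pscustomobject]@{
        ComputerName  = $ComputerName
        Version       = $cfg.VersionToReport
        Channel       = if ($match) { $match.Name } else { "Unknown ($guid)" }
        SupportMonths = if ($match) { $match.SupportMonths } else { $null }
    }
}

# Local machine; pass -ComputerName to query another one
Get-ProPlusChannel
```

An "Unknown" result usually means the client is on a channel not covered by this post (such as an Insider channel) or that the install is not Click-to-Run at all, which is worth knowing before you plan a channel migration.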

Check out my Office Pro Plus Tool Kit script designed to assist with testing and deployments.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-OfficeProPlusToolKit.ps1

Regards,
The Author – Blogabout.Cloud

iOS deployment scenarios with Microsoft Endpoint Manager

Microsoft has been working within the iOS ecosystem and continues to work with Apple to provide the best possible platform for users and enterprises to work hand in hand. Microsoft has ensured its flagship products are available through the Apple App Store, as shown below.

With Microsoft Intune we have 4 methods of deployment:

iOS App Protection Policies (APP) Managed

This solution is targeted at BYOD devices that are not enrolled but access corporate data from approved corporate apps, for example Outlook, Word and Excel. App Protection Policies are applied to the applications that access corporate data, to ensure the security requirements are met.

More information about App Protection Policies can be found at the following URL: https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

User Enrollment

User Enrollment has been designed with the BYOD user in mind. This enrollment allows administrators to enforce password restrictions, restrict viewing non-corporate documents in corporate apps, restrict viewing corporate documents in unmanaged apps, require encrypted backups and automatically remove apps if the device is unenrolled.

Device Enrollment

Device Enrollment is user-initiated through the Company Portal and is the most common method of enrolling corporate devices. This option provides the largest range of MDM capabilities available within Microsoft Endpoint Manager.

Automated Device Enrollment

Automated Device Enrollment is designed for corporate-owned devices synced to Microsoft Endpoint Manager via Apple Business Manager. This enrollment provides supervised-mode MDM capabilities, Secure Kiosk, Classroom device and Lock management for a device.

Regards,
The Author – Blogabout.Cloud

Android deployment scenarios with Microsoft Endpoint Manager

Microsoft has heavily invested in the Android ecosystem and continues to work with Google to provide the best possible platforms for users and enterprises to work hand in hand. Microsoft has ensured its flagship products are available through the Google Play Store, as shown below.

With Microsoft Intune we have 4 methods of deployment:

Android App Protection Policies (APP) Managed

This solution is targeted at BYOD devices that are not enrolled but access corporate data from approved corporate apps, for example Outlook, Word and Excel. App Protection Policies are applied to the applications that access corporate data, to ensure the security requirements are met.

More information about App Protection Policies can be found at the following URL: https://docs.microsoft.com/en-us/intune/apps/app-protection-policy

Android Enterprise Work Profile

This solution is targeted at BYOD devices that are enrolled, to define a clear boundary between personal and corporate data. All corporate data is stored within its own encrypted container, and settings can be defined to control cross-profile contact sharing, app push, certificate deployment and resource access configuration. This is the most common approach for handling BYOD devices within businesses around the globe.

More information about enrollment for Work Profile can be found at the following URL: https://docs.microsoft.com/en-us/intune/enrollment/android-work-profile-enroll

Android Enterprise Dedicated (kiosk)

This solution is targeted at corporate-owned devices that are designed for a particular task. The easiest way to describe this would be:

The Android devices are owned by an event management company, which loans them out to exhibitors for lead retrieval. As the exhibitors only need to access one application, the devices are locked down to that single app. This solution provides a highly configurable home screen experience with the “Managed Home Screen” app, and the following new capabilities have been launched by Microsoft:

  • SCEP certificate-based Wi-Fi (November release)
  • System app support
  • Home screen branding customization
  • Wi-Fi and Bluetooth user controls
  • Kiosk drop-out code

Android Enterprise Fully Managed

This solution is targeted at corporate-owned devices which will be completely managed by the organization but used by one of its members of staff. This scenario provides a fully secured corporate device that the user is unable to tamper with or modify. The Google Play Store is locked down to only the applications approved by the organization; this is my personal preference for corporate-only devices.

Coming in 2020: Fully Managed with Work Profile

Expected this year. Once more information is available, I will be going into detail about how to leverage Fully Managed with Work Profile 🙂

Regards,
The Author – Blogabout.Cloud

Common PowerShell modules used by IT Pros within the Office 365 space

One of my pet hates when receiving a new laptop or device is reinstalling all the common modules that I use to complete my work. So, in good old Blogabout.Cloud fashion, I have created a script that installs the following:

  • Azure
  • AzureAD
  • Microsoft Teams
  • MSOnline
  • SharePoint Online
  • CloudConnect
  • ORCA

This script will also check whether each module is installed and whether a newer version is available within the PSGallery. I have made this script available on GitHub for your downloading pleasure:

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-CommonModules.ps1

Regards
The Author – Blogabout.Cloud

Office 365 ATP Recommended Configuration Analyzer Report

The ORCA module is your friend when it comes to reporting on the configuration of ATP. This module makes recommendations on where improvements can be made. So how does it work?

Well, I have made this process as simple as it gets:

– Download PowerShell Script
– Run PowerShell Script
– Open HTML page

Done

I have made the script intelligent enough to check for module updates, to ensure you are running the latest and greatest.

Head over to my GitHub repo to download the script today 🙂

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-ATPReport.ps1
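Both this post and the Common PowerShell Modules post above rely on the same step: install a module if it is missing, otherwise update it when the PowerShell Gallery has a newer version. The following is an added example of that check (not the Get-CommonModules.ps1 or Get-ATPReport.ps1 scripts themselves), finishing with the ORCA report. The Gallery module names are my assumed mappings for the list in the modules post; in particular “Azure” is taken to mean the Az module.

```powershell
# Added example (not the blog's scripts): install-or-update each module from
# the PowerShell Gallery, then run the ORCA report. Module names are the
# Gallery names assumed for the list in the Common PowerShell Modules post.
$ErrorActionPreference = 'Stop'

$Modules = @(
    'Az',                                      # "Azure" in the post (assumed to mean Az)
    'AzureAD',
    'MicrosoftTeams',
    'MSOnline',
    'Microsoft.Online.SharePoint.PowerShell',  # "SharePoint Online"
    'CloudConnect',
    'ORCA'
)

function Update-GalleryModule {
    param([Parameter(Mandatory)][string]$Name)
    # Highest version currently installed, if any
    $installed = Get-Module -ListAvailable -Name $Name |
        Sort-Object Version -Descending | Select-Object -First 1
    # Latest version the Gallery offers
    $gallery = Find-Module -Name $Name -Repository PSGallery

    if ($null -eq $installed) {
        Install-Module -Name $Name -Repository PSGallery -Scope CurrentUser -Force
        return [pscustomobject]@{ Module = $Name; Action = 'Installed'; Version = $gallery.Version }
    }
    if ([version]$gallery.Version -gt $installed.Version) {
        # Install-Module (rather than Update-Module) also works for modules that
        # were not originally installed through PowerShellGet
        Install-Module -Name $Name -Repository PSGallery -Scope CurrentUser -Force -AllowClobber
        return [pscustomobject]@{ Module = $Name; Action = "Updated from $($installed.Version)"; Version = $gallery.Version }
    }
    return [pscustomobject]@{ Module = $Name; Action = 'Up to date'; Version = $installed.Version }
}

$results = foreach ($m in $Modules) { Update-GalleryModule -Name $m }
$results | Format-Table -AutoSize

# Run the ORCA report; it prompts for Exchange Online credentials and writes the HTML report
Import-Module ORCA
Get-ORCAReport
```

Reviewing the table before the report runs tells you exactly which module versions produced the recommendations, which matters when ORCA’s checks change between releases.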

Regards,
The Author – Blogabout.Cloud

Delivering your applications to Windows 10 Clients using Azure Blob Storage and Intune

Delivering your corporate applications can be a nightmare if you don’t have an enterprise delivery solution like System Center or a 3rd-party mechanism.

So let’s see how Azure Blob Storage and Microsoft Intune can address this issue, using a storage location and a PowerShell script.

Azure Storage Account

One of the requirements for this solution is an Azure Storage Account within your Azure subscription. This account will be used to store the applications you would like to roll out to the Windows 10 desktops that are managed using Microsoft Intune.

Storage Account

Specify the required settings within the Basic tab for creating a Storage Account.

Basic Properties

Use the default settings as shown below.

Advanced Properties

Click Review and Create
Click Create

Configuring Storage Account with required Applications

Click Container
Specify the Name
Select Container (anonymous read access for containers and blobs) under Public Access Level

Blob – Container

Select your container
Select Upload
Select the files you want to upload
Modify the block size if it’s less than the size of the files you are uploading
Select Upload

Once the files are uploaded, each has a unique URL which is used to identify the file, as shown below.

The PowerShell Script!!!

I have created a PowerShell script that is available on GitHub and should be self-explanatory.

Step 1 – Download all the required files into C:\_Build
Step 2 – Run installer files
Step 3 – Run additional PowerShell scripts (Optional)
Step 4 – Remove C:\_Build
Step 5 – Create RegKeys (Optional)

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-AppsfromBlobStorage.ps1
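As an added example of Steps 1, 2 and 4 (this is not the script linked above), the following PowerShell downloads each installer from its blob URL into C:\_Build, runs it silently, and removes the folder afterwards. Because the container is anonymously readable, the example pins the SHA-256 of each blob and refuses to execute a file whose hash does not match, so a blob that has been replaced in the container is never run on a client. The blob URLs, hashes and installer arguments are constructed placeholders to be filled in from your own container.

```powershell
# Added example (not the blog's Get-AppsfromBlobStorage.ps1): download installers
# from Azure Blob Storage, verify each file's SHA-256 against a pinned value before
# executing it, run it silently, then clean up. URLs and hashes are placeholders.
$ErrorActionPreference = 'Stop'
$BuildDir = 'C:\_Build'

# One entry per application: blob URL, expected SHA-256 of the blob, silent install
# arguments. Pinning the hash means a replaced blob in the anonymously readable
# container fails verification instead of being executed.
$Apps = @(
    @{ Name   = 'ExampleApp'                                                                # placeholder
       Url    = 'https://<storageaccount>.blob.core.windows.net/<container>/ExampleApp.msi' # placeholder
       Sha256 = '<expected sha256 hex>'                                                     # placeholder
       Args   = '/qn /norestart' }
)

function Get-VerifiedInstaller {
    param([hashtable]$App)
    $dest = Join-Path $BuildDir (Split-Path $App.Url -Leaf)
    Invoke-WebRequest -Uri $App.Url -OutFile $dest -UseBasicParsing          # Step 1
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $App.Sha256.ToUpper()) {
        Remove-Item $dest -Force
        throw "Hash mismatch for $($App.Name): expected $($App.Sha256), got $actual"
    }
    return $dest
}

function Install-VerifiedApp {
    param([hashtable]$App)
    $file = Get-VerifiedInstaller -App $App
    $proc = if ($file -like '*.msi') {                                        # Step 2
        Start-Process msiexec.exe -ArgumentList "/i `"$file`" $($App.Args)" -Wait -PassThru
    } else {
        Start-Process $file -ArgumentList $App.Args -Wait -PassThru
    }
    # 0 = success, 3010 = success but a reboot is required
    if ($proc.ExitCode -notin 0, 3010) {
        throw "$($App.Name) installer exited with code $($proc.ExitCode)"
    }
    return $proc.ExitCode
}

New-Item -ItemType Directory -Path $BuildDir -Force | Out-Null
try {
    foreach ($app in $Apps) { Install-VerifiedApp -App $app | Out-Null }
} finally {
    Remove-Item -Path $BuildDir -Recurse -Force -ErrorAction SilentlyContinue   # Step 4
}
```

The expected hashes are computed once, on the files you uploaded, and live in the script that Intune delivers over its own authenticated channel; the public container then only has to be available, not trusted.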

Publish script via Intune

If you are having issues with the script not executing, please visit this URL to ensure you meet all the Microsoft pre-requisites.

https://docs.microsoft.com/en-us/intune/apps/intune-management-extension

Regards
The Author – Blogabout.Cloud