With Jeremy Moskowitz
To consult about an on-site (Private) Group Policy class or the Group Policy Health Check, please call Laura Rubinstein at 215-391-0096 or email laura[[att]]policypak.com
To purchase seats in a LIVE or ONLINE training class, contact Laura Rubinstein at 215-391-0096 or email laura[[att]]policypak.com
Get serious, and perform “Best Practices” around Group Policy management. Take back control and get your IT life back!
Upcoming class: 09 / 16 / 2019, Chicago2019
I found this 200% by accident. It's pretty interesting: it's about Microsoft's own transition to modern management, what's going well, what isn't, and so on.
Someone dares to ask the question of "When will Microsoft completely walk away from traditional management?" The answer ... is toward the end ...
Spoiler alert: It's gonna be a while.
Still interesting, and they're putting one foot in front of the other.
Intune has come a long way since its inception and now offers a lot of great features for managing your organization's mobile and Windows 10 devices. The MDM approach to device management is a real change from years ago, when computing devices were either managed through the traditional AD-joined domain model or simply allowed to operate independently at the discretion of the user.
Intune continues to introduce cloud-based services that streamline and secure your devices, but users are often slow to accept changes to their environment. To better educate users about the importance of device management and mobile security, Microsoft recently updated the Intune Customer Adoption Pack to make the change in approach more palatable and shorten the time to Intune enrollment. The adoption pack is especially valuable to organizations that previously did not require mobile devices to be enrolled for work access.
What's in the Intune Customer Adoption Pack
The Adoption Pack is essentially a comprehensive communication plan that sets out to accomplish three objectives:
- Educate users on how to enroll their particular devices in Intune
- Reassure users about their privacy, specifically what device data is shared with IT
- Explain the safeguards in place to protect user privacy and company resources
The adoption kit is aimed at IT admins, management and trainers who need to educate, prepare and guide users through the enrollment process.
You can download the Intune Adoption Pack here.
The link downloads a zip file containing documents, videos, posters and templates that can be used to spread Intune adoption throughout your organization. The enclosed contents are shown in the screenshot below.
The Welcome document outlines what is in the adoption kit. The kit includes two email templates you can use to tell your users about the coming transition to Intune, either as written or customized to your needs. An example of email #1 is shown below.
As part of the , all employees worldwide will soon transition to Microsoft Intune, a unified mobile device management platform. Intune enables you to work productively and securely from anywhere, at any time and across all of your devices. All other mobile device management platforms used worldwide to secure documents, devices, and corporate data will be retired.
The email goes on to explain some of the benefits and expectations of Intune, along with a schedule of the steps users will be asked to complete at the appropriate time. This opening email is also an opportunity to showcase any other new services that will be available on Intune-managed devices. The required actions are then spelled out in the second email template, which reinforces the benefits and strategic reasons for the migration and gives users a timeline for the process.
The Intune Deployment Guide condenses a wealth of information for your users into two palatable pages they can quickly read and absorb. A Word version lets you customize it with your internal resources and contact information. Topics covered include:
- How internal IT will use the company portal or app store to install work apps
- What users can do if their mobile device is lost or stolen
- Security steps IT can take to secure data residing on enrolled devices
- Intune enrollment links for each applicable operating system
An example of the guide is shown below.
If you've had concerns about how to train your users to complete the enrollment process, the videos in the Adoption Pack will be a welcome tool. They are step-by-step YouTube videos that show users how to enroll their devices in Intune. Below is a screenshot of the Windows 10 video.
Two videos cover Android: one for enrolling a device for full management and one for enrolling it with a Work Profile. An example of the Android device management video is shown below.
The videos not only give step-by-step directions for the enrollment process but also restate what information Intune has access to on a user's device; the macOS video is an example of this. There is also a separate video for iOS devices.
A Great Tool to Assure a Smooth Transition
The Intune Customer Adoption Kit gives you out-of-the-box training tools to educate your users about why Intune enrollment matters. It can help ensure that all targeted devices are enrolled quickly, without users constantly asking "what do I do?" Once the necessary messages and information have reached your users, you can begin enforcing compliance through Conditional Access policies that require an enrolled, compliant device for access to company resources.
First, I know in my last email I said writing my book took "none" months. I meant nine. Nine months.
These newsletters don't have an editor, or even a good spellchecker. So they're a bit off the cuff.
My book has eyeballs and eyeballs of real pros looking at it. Even THEN there will be errors, but, hey, they're nicely shellacked!
Next, here's a bunch of items I've been sitting on for a bit.
Item 1: Windows 10 1903
I know you already know that Windows 10 1903 is out. Buuut... it seems a little mysterious how to GET it and what's IN IT. Here's a blog that explains both. Be sure to click on "What's new for IT Pros in Windows 10, 1903" for all the best stuff.
Item 2: 1903 Baselines are out
Security baselines are Microsoft's recommended security configuration settings for a given Windows release, published with the Security Compliance Toolkit, and you can deliver them through Group Policy or through an MDM service like Intune. (And YES, with ALL CAPS, I cover this in my "Group Policy (with a side of MDM)" training class, AND in Chapter 10 of my new MDM/Intune/Autopilot/Azure book!)
Here's the official blog entry on it:
But it's Item #3, which is related to Item #2, that's the big interesting thing.
Item #3: Microsoft no longer recommends periodic password expiration for regular users.
Yep: in the 1903 baseline, Microsoft dropped the settings that force users to rotate their passwords on a schedule (the baseline no longer sets a maximum password age; it still sets minimum length, complexity, history and lockout). At first glance you might think "Wow, that really sounds like it LOWERS my security posture." The real reasoning is in Aaron Margosis' blog: "If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?"
There you go. Forced rotation mostly pushes users onto small, predictable variations of the password they already have, and it does nothing about a password that was phished or guessed this morning and used today. So: if you haven't implemented the other measures (banned-password lists, MFA, detection of password-guessing and anomalous logons), keep rotating; once you HAVE, you can stop, remembering that a password known or suspected to be compromised still needs an immediate forced reset regardless of any expiration policy. I found a few others' takes on this advice:
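Before relaxing expiration, it helps to see exactly where it is enforced today. The following PowerShell is an added example, not from the newsletter or from Microsoft: it lists the default domain password policy and every fine-grained password policy (PSO) with its maximum password age, lockout threshold and scope, and counts enabled accounts that bypass all of them through PasswordNeverExpires. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the domain.

```powershell
# Added example, not from the newsletter. Reports every password policy in the
# domain (default policy plus fine-grained PSOs), how long passwords live under
# each, and how many enabled accounts are exempt via PasswordNeverExpires.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Format-MaxAge {
    param([TimeSpan] $Age)
    # AD reports "passwords never expire" as a zero (or maximum) TimeSpan
    if ($Age -eq [TimeSpan]::Zero -or $Age -eq [TimeSpan]::MaxValue) { 'never' } else { "$($Age.Days) days" }
}

function Get-PasswordExpirationReport {
    [CmdletBinding()]
    param()

    $default = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        Policy           = 'Default Domain Policy'
        AppliesTo        = 'everyone without a PSO'
        MaxPasswordAge   = Format-MaxAge $default.MaxPasswordAge
        MinLength        = $default.MinPasswordLength
        Complexity       = $default.ComplexityEnabled
        History          = $default.PasswordHistoryCount
        LockoutThreshold = $default.LockoutThreshold   # 0 = no lockout, i.e. no brake on guessing
    }

    # PSOs win over the default policy for the users/groups they apply to, so a
    # relaxed default can still leave admins on a stricter rotation (or vice versa).
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        [pscustomobject]@{
            Policy           = $_.Name
            AppliesTo        = (($_.AppliesTo | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ')
            MaxPasswordAge   = Format-MaxAge $_.MaxPasswordAge
            MinLength        = $_.MinPasswordLength
            Complexity       = $_.ComplexityEnabled
            History          = $_.PasswordHistoryCount
            LockoutThreshold = $_.LockoutThreshold
        }
    }
}

function Get-NeverExpiresCount {
    # Per-account exemptions bypass every policy above; these accounts are outside
    # the "no expiration" discussion and deserve their own review.
    (Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } |
        Measure-Object).Count
}

Get-PasswordExpirationReport | Format-Table -AutoSize
"Enabled accounts flagged PasswordNeverExpires: $(Get-NeverExpiresCount)"
```

Read the report next to Margosis' list: a policy with a lockout threshold of 0 and no banned-password list in front of it is one where expiration is still doing some work, and the PasswordNeverExpires count shows how many accounts were never rotating in the first place.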
Item #4: Windows 10 1903 and Blurred Backgrounds
What do you think of the blurred (acrylic) sign-in background in Windows 10 1903 at login time? Don't like it? There's a new policy for it:
Computer Configuration | Administrative Templates | System | Logon | Show clear logon background, set to ENABLED.
Ah, but what if you don't have the Windows 10 1903 ADMX files?
Item #5: No Windows 10 1903 ADMX files for download yet.
Microsoft hasn't posted the 1903 ADMX download yet. If you're in a hurry, copy the ADMX and ADML files from C:\Windows\PolicyDefinitions on a Windows 10 1903 machine into your Central Store (back the store up first; the copy overwrites the older templates). My advice is to wait for the official download. I'll let you know when it appears.
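Here is the "in a hurry" path from Item #5 written out, as an added example that is not from the newsletter. It copies the ADMX files and the en-US ADML files from a 1903 reference machine into the SYSVOL Central Store, backs up the existing store first, and then checks that the copied System.admx contains the 1903 logon setting from Item #4 (the policy writes the DisableAcrylicBackgroundOnLogon value under HKLM\SOFTWARE\Policies\Microsoft\Windows\System). The computer name REF1903 and the domain corp.example are placeholders.

```powershell
# Added example, not from the newsletter. Placeholders: REF1903 (a Windows 10
# 1903 machine you can reach over its admin share) and corp.example (your domain).
# Run with -WhatIf first; the copy replaces older templates in the Central Store.
function Copy-AdmxToCentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ReferenceComputer,   # e.g. 'REF1903'
        [Parameter(Mandatory)] [string] $DomainFqdn,          # e.g. 'corp.example'
        [string] $Language = 'en-US'
    )
    $source = "\\$ReferenceComputer\C$\Windows\PolicyDefinitions"
    $store  = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"

    if (-not (Test-Path $source)) { throw "Cannot reach $source" }

    if (Test-Path $store) {
        # Back up before overwriting: a mismatched ADMX/ADML set shows up in GPMC
        # as "namespace already defined" or missing-string errors, and the backup
        # is the only quick way back.
        $backup = "$store.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
        if ($PSCmdlet.ShouldProcess($store, "Back up to $backup")) {
            Copy-Item -Path $store -Destination $backup -Recurse
        }
    } elseif ($PSCmdlet.ShouldProcess($store, 'Create Central Store')) {
        New-Item -ItemType Directory -Path $store | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($store, "Copy ADMX/ADML ($Language) from $source")) {
        Copy-Item -Path (Join-Path $source '*.admx') -Destination $store -Force
        $langDest = Join-Path $store $Language
        New-Item -ItemType Directory -Path $langDest -Force | Out-Null
        Copy-Item -Path (Join-Path $source "$Language\*.adml") -Destination $langDest -Force
    }

    # Verify the 1903 logon setting is now available: it is defined in System.admx
    $systemAdmx = Join-Path $store 'System.admx'
    if ((Test-Path $systemAdmx) -and
        (Select-String -Path $systemAdmx -Pattern 'DisableAcrylicBackgroundOnLogon' -Quiet)) {
        "Central Store System.admx defines the 1903 'Show clear logon background' setting."
    } else {
        Write-Warning "System.admx in the store does not define the 1903 logon setting; check the source machine build."
    }
}

# Usage (placeholders):
# Copy-AdmxToCentralStore -ReferenceComputer REF1903 -DomainFqdn corp.example -WhatIf
# Copy-AdmxToCentralStore -ReferenceComputer REF1903 -DomainFqdn corp.example

# On a test client, after gpupdate, confirm what the policy actually wrote:
# Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name DisableAcrylicBackgroundOnLogon
```

Copying only one language folder is deliberate: every ADMX in the store needs a matching ADML in each language folder you keep, so if your store has more than en-US, run the copy once per language rather than leaving a folder half updated.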
Item #6: Super cool Windows 10 thing to broadcast your screen "over there."
This is one of those things I'm wondering if everyone on the planet knew, except maybe.. Me.
Basically, you can "project your whole screen" to the Connect app "over there" on another Windows 10 machine. I tested this and it's so freaking cool. Just. So. Cool. My. Head. Exploded.
Tip: The receiving PC has to have "Projecting to this PC" turned on (Settings | System | Projecting to this PC), and the connection is Miracast over Wi-Fi, so both machines need Miracast-capable Wi-Fi adapters; Bluetooth isn't involved. In a managed environment, leave "Require PIN for pairing" on so a stranger's laptop can't push a screen onto a user's PC, or turn the feature off entirely with the policies under Computer Configuration | Administrative Templates | Windows Components | Connect.
And now.. time for the plugs... :-)
- My CLASS (the next Group Policy + MDM class is in Chicago, Sep 16 - 18 [three days]; sign up today at www.MDMandGPanswers.com/class)
- My new book, MDM: Intune, Autopilot and Azure, which is coming out in July (www.MDMandGPanswers.com/book)
No time like the present. Sign up for class and/or get your book. :-)
Happy Friday everyone !
Historically, Microsoft actively blocked a device from being enrolled in Intune while it was also managed by SCCM or Group Policy. Today that duality of management is not just allowed but encouraged, except in cloud-only enterprises that have nothing on-premises to keep. Microsoft calls this practice co-management.
The advantage of the earlier (now deprecated) hybrid MDM was that it let you manage SCCM-only and MDM-only devices from a single console; essentially it was a product of convenience, and any given device was still managed by only one of the two. With co-management, the two work together: a client can have the Configuration Manager client installed and be enrolled in Intune at the same time. For organizations with a considerable investment of time and resources in SCCM, co-management adds cloud functionality to the SCCM structure you already have.
Co-management requires Configuration Manager current branch version 1710 or later, and every participating Windows 10 device must be either Azure AD joined or hybrid Azure AD joined (joined to on-premises AD and registered with Azure AD). For new Windows 10 devices, join them to Azure AD, enroll them in Intune and install the Configuration Manager client, and they are ready for co-management. For Windows 10 devices that already have the Configuration Manager client installed, the path is longer: set up hybrid Azure AD join, then enable automatic Intune enrollment so the existing clients enroll. Whichever way you get there, the end result is the best of both worlds.
Co-management is about more than just added functionality, however. It gives IT administrators the flexibility to choose which management solution works best for their organization, their devices and the workloads they have to manage. This choice is exemplified in the screenshot below, which shows the Workloads tab of the co-management properties in the Configuration Manager console. With co-management you can switch the authority from Configuration Manager to Intune for selected workloads (compliance policies, device configuration, Windows Update policies, endpoint protection, client apps and so on). The SCCM admin stays in charge of which tool manages which policies simply by moving each slider to the chosen side. Note that once a workload moves to Intune, Configuration Manager stops enforcing the corresponding settings on that device, so the sliders are a change of authority, not an addition of it.
Note the presence of the "Pilot Intune" option. As MDM is relatively new to most admins, Pilot Intune lets you move a workload to Intune only for the devices in a pilot collection, so you can confirm everything operates as expected before you throw the switch for everyone. Eventually, Microsoft hopes that all the sliders will be moved to the right, with everything hosted and managed in the cloud. Those who are intimidated by SCCM might say that's not a bad thing.
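The join-state prerequisite above is the first thing to check on a device that refuses to co-manage. The PowerShell below is an added example, not from the blog post: it parses the "Name : Value" lines of `dsregcmd /status` and classifies the device as Azure AD joined, hybrid Azure AD joined, domain joined only, or not joined, which is the distinction that decides whether co-management can enroll it. The sample output embedded in it is constructed (trimmed to the relevant fields) so the function can be run offline; on a real client, pipe `dsregcmd /status` into it.

```powershell
# Added example, not from the blog post. Classifies a Windows 10 device's join
# state from the output of `dsregcmd /status`: co-management needs the device to
# be Azure AD joined or hybrid Azure AD joined (domain joined + registered).
function Get-JoinState {
    param(
        # Raw lines of `dsregcmd /status` output
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $StatusLines
    )
    begin { $all = @() }
    process { $all += $StatusLines }
    end {
        $values = @{}
        foreach ($line in $all) {
            # dsregcmd prints fields as "     AzureAdJoined : YES"; box-drawing
            # and section-header lines contain no colon and are skipped.
            if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $values[$Matches[1]] = $Matches[2] }
        }
        $aad    = $values['AzureAdJoined'] -eq 'YES'
        $domain = $values['DomainJoined']  -eq 'YES'
        $state  = if ($aad -and $domain) { 'HybridAzureAdJoined' }
                  elseif ($aad)          { 'AzureAdJoined' }
                  elseif ($domain)       { 'DomainJoinedOnly' }
                  else                   { 'NotJoined' }
        [pscustomobject]@{
            State                = $state
            CoManagementEligible = $aad              # true for Azure AD joined and hybrid
            DomainName           = $values['DomainName']
            TenantName           = $values['TenantName']
            MdmUrl               = $values['MdmUrl'] # empty until the device is MDM enrolled
        }
    }
}

# Constructed sample (trimmed) of a hybrid-joined, not-yet-enrolled device, for offline use.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso
                    MdmUrl :
'@ -split "`r?`n"

$sample | Get-JoinState
# Live use on a client:  dsregcmd /status | Get-JoinState
```

A result of DomainJoinedOnly on a machine that has the Configuration Manager client is the classic "existing client" case from the text: hybrid Azure AD join has to complete (AzureAdJoined flips to YES) before automatic enrollment can do anything, and an empty MdmUrl after that tells you enrollment itself has not happened yet.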
After taking Jeremy’s Group Policy Class, my staff and I were able to reduce the number of help desk calls dramatically! Thank you Jeremy!
MCSE Systems Administrator, Royal Canin USA, Inc
If you want to learn everything about Group Policy, then you need to attend Jeremy’s training class, I came in as a novice and left an expert. Jeremy speaks to you, not above you.
Desktop Computing Specialist, Princeton University
Jeremy is absolutely the best presenter and instructor I have seen. I really would like to get the same type of instruction for other IT courses. He has a wonderful way of sharing his knowledge in a simple, effective way that leaves you thinking "Wow! That makes so much sense." After taking his "Group Policy Online University" courses and reading his books I feel like a pro, truly understanding Group Policy. And whenever I have a question, Jeremy is always there to help. I really liked the fact you can review the online course TWICE. It's almost like getting TWO courses in one. Add in his weekly tips and simply you can't go wrong. Thanks Jeremy, and your staff, for creating a great learning experience that I benefit from every day.
Network Administrator, Mondial Assistance
I used the tools he demonstrated and those tools saved me a lot of time and money.
Senior Network Engineer, County of Orange, CA
After hearing Jeremy speak, I was immediately able to confidently use GPMC, and successfully deploy many GPO’s which have saved my sanity and added years to my life. Having a copy of Jeremy’s Group Policy, Profiles, and IntelliMirror book on hand has given me instant access to many of those “How does this work in the real world?” questions. Thanks Jeremy, You are awesome!
Lead Systems Administrator
After taking Jeremy’s class, I was able to create and troubleshoot Group Policy in our environment. Others tried to convince me that the “Microsoft Standard” is to have one huge policy, but troubleshooting that policy for them was a nightmare. After they saw how easy it was to create smaller, less complicated policies, troubleshooting became a piece of cake.
Server Administrator, University of Toledo
I was able to apply some of the Group Policy best practices that I had not already implemented. I am also looking forward to implementing the many new Vista/W2K8 GPOs.
Sr. Systems Administrator, Adventist Health Systems
I sincerely enjoyed the class in Boston and I learned a lot. Within two work days of coming back I had a major update to a core piece of software that, because of your class, I knew to ask for an MSI file for the update and how to properly create a GPO to distribute it to the appropriate users and make it install without interaction or granting them administrator rights. When they logged in this morning the update applied beautifully. This one process alone has made the whole class worth it to me. With the many other things I learned and will also put to use in the near future, I am extremely happy. Thanks again for coming to Boston.
Tech Support Specialist, Fidelity Bank
After listening to Jeremy, I felt much more confident in working with Group Policy and using it for many benefits in our Organization. The book was a great supplement, too.
Manager, IT Operations, Miller-Valentine Group
Jeremy has a way of explaining things that are down to earth. He takes a potentially dry subject and makes it more fun. These Group Policy courses are invaluable to help me in my job. As we transition to new machines and new operating systems, I can use the information and tools learned in class immediately. The pre-built virtual lab machines made it so I could focus on the labs right away. The hands-on labs are awesome! I am really glad I signed up for Jeremy’s online courses–even though I ended up taking them on my own after work. It was a really good investment.
ATK Launch Systems