MDM & GP Tips Blog

Jan 2020
08

MSIX … What it means for you… and managing those Applications

MSIX … What it means for you… and managing those Applications

Do not be alarmed if you see a file with an .msix extension to it.  MSIX is the latest application installer for Windows applications.  Now that you know what it is, the next question is probably, why does the world need another application installer?

Good question.  After all, we already have three installer formats.


The current set of Installer Choices

The former trilogy of application installers include EXE, MSI and AppX packages.  EXE installers are the most recognized and best suited for manual installs.  They incorporate GUI driven wizards that guide users through the installation process.  This allows for customized options such as multiple languages, add-ons and selected file paths.  EXE installers can also detect previous installations.  Because they are so accommodative to customization, they are also complex.   This makes unattended installs challenging.  EXE files also make admins very nervous in a malware world. 

MSI installers are simple, which is why they are best-suited silent unattended installations.  They too use graphical interfaces but do not offer extras or customized options, nor can MSI installers detect prior installations.  Finally, there are AppX installers.  These are used for Universal Windows apps and have similar characteristics to MSI installers in that they are simple and straightforward.  One thing that sets them apart from the other two is that they rely on container technology.  This isolates them from the rest of the operating system.  This makes them much more secure.  Unfortunately, AppX packages can only be used for Windows 10 so legacy machines cannot utilize them.


The new alternative called MSIX

MSIX is the new kid in town.  It is not very popular as of yet as it was just released in 2018.  It is the alternative to the current three and Microsoft intends that the MSIX packaging solution to be the centerpiece of its deployment toolset eventually.  Like many great ideas from Microsoft, new tools and ways of doing things take time for organizations to digest them.  The MSIX installer platform does not have a great market presence as of yet.   That does not take away from its many benefits however.  MSIX has definite improvements over its predecessors as it combines the best features of MSI and APX into a single format.  Basically, it installs like an MSI file, but behind the scenes, installs like an AppX.  You can create MSIX packages with either an interactive user interface or command line sequence.  Let’s look at the advantages associated with this new installer format.


Advantages of the MSIX Installer

One thing common to traditional applications is that tend to leave a footprint.  This footprint consist of AppData files and registry entries that never seem to get deleted after the application is uninstalled.  This clutter then lives on for the lifetime of the hosted machine.  MSIX has alleviated this.  Like AppX, MSIX is based on a containerized model.  This simplifies both the install and uninstall processes.  Uninstalling an MSIX package will remove any files and registry entries created by the app within the AppData folder, reducing machined clutter.

Unlike AppX installers, MSIX installers work on more than just Windows 10 machines and they support 32-bit applications.  Microsoft has released an SDK, which provides all API’s necessary to unpack an app package on multiple platforms.  Its cross-platform compatibility includes iOS, MacOS, Android, Linux and Windows 7.  In addition, the process of converting older applications to the MSIX format is far easier than to AppX.  You can also convert AppX applications to MSIX as well.  MSIX package bundling allows a single package to contain multiple language or device specific items, except unlike EXE installs, they options can be automatically selected by Windows. 

MSIX can also hand over the updating process to the operating system.  This streamlines the updating process by making it more secure and reliable.

Security is at the epicenter of MSIX.  MSIX applications are tamper proof because they must be digitally signed regardless of how the packages are installed.  For software vendors creating MSIX packages to publish in the Microsoft Store, Microsoft will sign the package once the approval process has been is complete.  Organizations intending to publish MSIX for direct download or internal network distribution must sign it with a valid code-signing certificate purchased from a certificate authority.

 

The MSIX Packaging Tool

You can download the MSIX packaging tool from the Microsoft Store.  The package tool requires Windows 1809 and later.  Microsoft recommends that you create a clean VM for the conversion host.  Keep in mind that the MSIX Packaging Tool will assume the processor architecture of the Windows 10 OS version in which the conversion process is taking place. You must convert your installers in the same environment where you expect to deploy them.  Once installed, simply open the tool to begin the packaging wizard.  You will be first be asked to choose the selected task.  In this example, we are creating a new application package.

 

 

You will then choose the desired packaging method.

 

The packaging tool will perform an assessment of the machine that will handle the conversion process.

 

You will then set out to create the package.  You need to select the installer you want to package.  Then you must select a signing preference.  Your choices are as follows:

 

In the example below, we have selected an MSI installer with no arguments.  We are signing using a certificate from a certificate authority with the assigned password.

 

Next, fill out required packaging information.

 

Click “Next” and the installation process will begin. During this process, the packager will capture the registry or any files needed to install or configure the app.

 

At this point, the conversion process will listen for any executables that are triggered at the initial launch of the application.  This is why it is essential use a quiet machine for the conversion process.  Captured executables will be displayed on the screen.  It is here that you will manage any first launch tasks.  You should launch the application at least one time in order to capture any first launch tasks. 

 

Upon clicking “Next” you will asked to confirm that you wish to culminate the listening process.

 

Now choose a destination folder for the final package and click Create.

 

That completes the MSIX packaging process.  Be prepared to see MSIX packages a lot more down the road.  

 

Jan 2020
02

Two Worlds Unite to Form Microsoft Endpoint Manager

It is a wonderful thing when new initiatives benefit both the company behind the implementation and the customers they serve.  Such is the case with the announcement at Ignite 2019 that ConfigMgr and Intune are melding together to become one.  Together, the idea is that they will form a single management conglomerate tool called Microsoft Endpoint Manager. 

The MEM console will show a single view of all devices managed by either product through a single interface.  Here's an example.

So the idea is that you can now manage ConfigMgr devices through the MEM interface.  Of course, you can still manage through one or the other if you wish and there are some features that cannot be replicated amongst the two.  Separately, the two tools will be known as:

  • Microsoft Endpoint Manager Microsoft Intune (MEMMI)
  • Microsoft Endpoint Manager Configuration Manager (MEMCM)

The merging of these two management systems now forms a new modern device management system that is exactly what internal IT needs to manage the modern workplace of today.  Modern management for the modern workspace.  That was a common theme at Ignite.

Branding and Licensing Simplification

Some may say that the merging is a recognition by Microsoft that vast majority of companies continue to stick to ConfigMgr and Group Policy to manage enterprise desktop devices.  While Intune is capable of managing your entire Windows 10 environment, many companies continue to limit its management scope to mobile devices. 

For Microsoft, bringing the two management systems together under one roof allows them to simplify their branding under one incorporated name.  By integrating ConfigMgr into the Intune Portal itself, Microsoft is undoubtedly hoping that enterprises can better amalgamate themselves with the capabilities and functionality of MEMMI. 

Users will enjoy the simplification of both licensing and experience.  Those enterprises that currently have ConfigMgr licenses will automatically have Intune licenses too, allowing them to co-manage their desktop devices with both tools.  From a product perspective, admins will be able to view their mobile devices and ConfigMgr controlled PC’s from a single interface.  No more having to bounce repeatedly back and forth between interfaces throughout the course of the day.  Says Brad Anderson, Corporate Vice President at Microsoft, “It’s all about simplifying — and we’re taking that simplifying deep and broad from a branding, licensing and product perspective,”

By implementing the new co-existing licensing model, Microsoft is encouraging those companies that need to need leave existing systems in place to provision new machines as cloud-managed devices.  Regardless of how the device managed however, MEM provides a single view of all devices managed by either product.

Examining the Licensing Structure

So when you think of the new licensing model, think of the management scope of ConfigMgr.  ConfigMgr specializes in PC desktop management, so your PC devices are now automatically licensed for Intune as well so you can go ahead and enable co-management if you want. Note: Phones and non-Microsoft devices are still the exclusive domain of Intune (MEMMI) so those devices are not applicable to receive dual licensing.   Note you will still need Azure Active Directory P1 licensing for your users.  Mobile devices, iOS and Linux machines will remain exclusively licensed under MEMMI.

Intelligence Driven

Modern management systems must be intelligence based in order to maximize the user experience.  There are currently 190 million devices managed by either ConfigMgr or Intune.  The convergence of ConfigMgr and Intune greatly scales the potential use of telemetry power that Internal IT can utilize in its PC deployments and problem solving.  MEM will be introducing an array of intelligent actions that will give admins granular analysis as well as new comparative insights to their environments versus others. 

One example of this is Productivity Score.  Productivity Score will allow organizations to evaluate their employee and technology experiences into measurable metrics that Internal IT can use to justify the value that it brings to the organization.  From the perspective of the user experience, it will quantify how people are collaborating on content, developing a meeting culture and communicating with one another.  Real measured results concerning these types of user experiences can offer insights into how to enhance the user experience and increase productivity.    The technology experience will provide insights into assessing policies, device settings, device boot times, application performance and adherence to security compliances

MEM is an Endpoint

Many of us predicted this would happen one day.  As companies strive towards digitally transforming their organizations from the ground up, it was only a matter of time until something was done to streamline the management of on-premise and mobile desktops in scale.   One point that Anderson emphasized his Intune presentation MEM is that the merging of these two management system giants is not a temporary arrangement.  Says Anderson,

"Let me be very clear -- this vision includes both ConfigMgr and Intune.  Co-management isn't a bridge; it's a destination."

MEM allows you to start utilizing cloud intelligence without making a single change to your ConfigMgr policies.  Working collaboratively together, yet visible and accessible through a single interface, MEM provides the modern management system that Windows enterprises need. End-to-end management and automation is now available in a converged license package.  Look for the MEM transformation to emerge within your Intune environment. 

     

Nov 2019
21

How I scraped a device out of Autopilot (the hard way)

I have a few Azure + Intune tenants for testing. So I decided to take a laptop and move it from one tenant to another.

As you’ll recall from my book in Chapter 8, every device has a serial number and hardware ID. You manufacture this into a CSV file from a Powershell script. When I uploaded the CSV into my other tenant, I got this.

Okay. No problem. I’ll just… go to the original tenant where I know this device lives and find it and be on my merry way.

No. No. And no.

Let’s talk about what you should do, then I’ll explain what I had to do.

What you should do

The first thing to do is to look at the serial number in the CSV file from the machine you want to transfer over. In my case, the serial number was PC012345 (or something like that.) You can see that here.

What you’re supposed to do next is merely go to Intune | Device enrollment | Windows enrollment and see the list of Autopilot devices. There, you can search for the serial number.

Remember: My serial number was PC012345. But if you look below, there is no computer with that serial number. There’s PBW-something-something. But no PC0-something-something.

Note also that there is no other search possible; it’s serial number or nothing.

Ohhhkay. So maybe this is at least hanging out in Azure AD. Let’s check. Nope. No luck.

But I knew it was, in fact using Autopilot to get connected to my Fabrikam1000.com tenant. How do I know? Because I set up branding (also explained in Chapter 8 of my MDM book)! This is critical, so you know you’re not going crazy. Branding really helps you identify that your machine really is under your Autopilot control.

Then now in Azure AD, you can see the computer show up here.

But the darn computer still wasn’t in Windows Autopilot devices.

I was stumped.

I got some help from some fellow MVPs, the final “winner” being Sandy Zang, another Enterprise Mobility MVP.

Sandy suggested I click on every computer I have in Autopilot to see if something popped out. Because I didn’t have too, too many… I did just that, and found this.

Holy crap. What’s happening here?

What I needed to do...

Well somehow in Autopilot’s brain, my computer’s hardware ID is swapped with some other computer. I don’t claim to know how or why this happened. But at least I had a clue now!

So, okay.. Next would be to nuke that machine.. Which I attempted to, and this happened.

Then I remembered there’s another whole portal to check for Autopilot. In the Microsoft Store for Business. Those two records PBXXXX (not my computer) were indeed there. And, clicking on them and pressing delete made them vaporize !

I then went back to Intune and Autopilot and clicked Sync then Refresh.. and Bingo !! Phantom machines obliterated !

Kudos to Sandy for the thought. I wouldn’t have gotten there without the idea.

Nov 2019
18

Microsoft Endpoint Manager and Group Policy (or what I learned at Ignite 2019)

So Ignite 2019 is behind me (and us).  And I wanted to give you some of my insights into what I took away (and how I participated.)

First, Microsoft is such a huge company that this year, with all the new stuff coming out (or changes to existing products) Microsoft put out a “book of news” which is a giant PDF of all the what’s new. It’s only 85 pages. Ow ow ow ow ow.

https://news.microsoft.com/wp-content/uploads/prod/sites/563/2019/11/Ignite-2019-Book-of-News-2.pdf

That being said, I’m going to cut to the chase for what I specialize in and think most about: Windows desktop management with Group Policy and MDM.

It starts off with this announcement: Microsoft SCCM and Microsoft Intune are now under a unified product umbrella called “MEM”: Microsoft Endpoint Manager. With this, naturally, there are going to be some questions:

  • What does this mean for you?
  • What does this mean for on-prem (SCCM and Group Policy) worlds?
  • And what does this mean for existing SCCM and existing Intune customers?

Let me try to answer that in this blog. To do that, I want to quote Microsoft leadership (VP Brad Anderson) in his kickoff address:

"Modern management does not mean cloud-only.  It does not mean a migration away from ConfigMgr, or a migration to Intune.  Modern management puts the cloud intelligence that comes from organizations like Microsoft to work to automate  tasks,  prioritize your efforts, connect the IT and Security teams, and continually improve the user experience.  We do believe the destination many organizations will arrive at over time will be a cloud-only management solution with Intune and Microsoft 365 at the center, but we want to enable you to take advantage of our cloud capabilities incrementally at your own pace – without replacing infrastructure as some of you may not be ready for a full cloud migration.  This enables you to  get cloud value along with your on-prem deployments, on the road to full cloud/modern transformation."

Let’s break this down (my words interpreting Brad; this is not Brad himself):

  • “Hey Microsoft Customer”: what you’re doing now is okay. (SCCM & Group Policy still has a place, works as expected and continues to work for desktops, onprem servers, VDI etc.)
  • “Hey Microsoft Customer”: Cloud is great. If you’re ready for it, great. When you start to use it you’ll get added cloud benefits.
  • “Hey Microsoft Customer”: You don’t have to DUMP AND JUMP what you’ve built to cloudland. We think you’ll get there eventually.
  • "Hey Microsoft Customer": The tools you use today, like Group Policy and SCCM, aren’t going away.  In fact, they can't go away.

This is ALL good news. For all scenarios and customers: What you’re doing isn’t going away, but there’s options for you if you want to take advantage of the cloud. Indeed, the newest philosophy and guidance (which I took away from multiple sessions) appears to be:

  • Keep your PCs / servers / Citrix/ VDI / everything in Group Policy / SCCM land for now.
  • Cloud attach / Hybrid Azure AD join to gain some cloud attached features, increased security, reporting, and insights.
  • From a policy (and workload) management perspective: pick one. Group Policy or MDM or SCCM for the particular job.

On stage, at least two Microsoft-led sessions referenced my new MDM book (whoa! Thanks Microsoft friends!) and expressed (my sentiment) that trying to untangle a machine with both Group Policy **AND** MDM settings on the same box is a difficult problem. And one that should be avoided.

In Ghostbuster’s parlance:

“Don’t cross the streams…it would be bad. Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light.”

(Full scene here: https://www.youtube.com/watch?v=wyKQe_i9yyo )

Maybe not that bad, but.. in that ballpark.

So what does this mean for you? The “take away” advice I felt I got was: once you’re settled and have the cloud / Azure/ MDM  (Intune or other) reasonably handled, then NEW deployments of Windows 10 can be cloud only … from a management and policy perspective.

So how can Group Policy, Azure, MDM and SCCM be used at the same time… but take on different (non-conflicting) roles? Here’s an example:

  • Roll out a machine using Azure and Autopilot and perform a hybrid Azure AD join.
  • Machine gets on-prem Group Policy setting for Windows-y and security things.
  • Machine gets software deployment settings from MDM.
  • Machine gets patching and updates from SCCM.

Again: That’s just one way to slice it. There are surely others.

So… the message to customers from Microsoft would now be (again, my interpretation; not one person directly.):

  1. Get ready for, understand, and use the cloud when you can.
  2. Attach your on-prem universe to the cloud for cloud-attached benefits.
  3. Yes, we realize utilizing the cloud could actually be a long, long time before you get there and are comfortable. Perhaps many years.
  4. Once you’re there in cloudland, we recommend new PC deployments can be in the cloud.
  5. Even then, we realize Group Policy will always be used for some circumstances, and we’re cool with that. (So, once again, Group Policy isn’t somehow ‘going away.’). Indeed, even today Windows Virtual Desktop requires on-prem Active Directory and Group Policy even though the WVD machines are in Azure / the cloud. (You can see my walkthrough and gettings started with WVD here if you want to give it a try!)

That being said, Microsoft is trying to make it easier for you to take your existing Group Policy settings and see if it’s possible to use them in MDM-land if you choose to do it. Already, they have the MMAT tool which can analyze your existing Group Policy Objects (or an endpoint) and give you a report on what will, and what won’t transition to MDM-land. .. and I talk about it in my MDM book, chapter 5. Get your signed copy now.😊)

What was announced this week with regards to Group Policy and Intune are two items:

1. Microsoft is going to ship a “CSE TOOL” which customers can add-into Windows 10, when a machine is born, or after the fact. This CSE Tool will then be able accept some directives from your MDM service (like Intune or others) and poke at SOME Microsoft Group Policy  CSEs to instantiate some Group Policy functions. The first items that Microsoft is tackling are:

  1. Drive maps.
  2. NON “Microsoft policies keys” in Registry (think unusual ADM / ADMX files).
  3. Auditing.

These items are interesting if the idea is to stop using Group Policy for these items and then use MDM instead. (Again, don’t cross the streams.) What is interesting though is that (again) the MDM provider will have to call this CSE tool, which then actually performs the work in the Group Policy CSE. Which, once again, friends … means that Group Policy cannot die. This essentially guarantees it.

2. Microsoft also demonstrated a future feature in Intune, which is SIMILAR in practice to MMAT I mentioned above. The gist is that you can show Intune a GPO backup which Intune can now analyze. Then if the settings in the GPO exist, an Intune profile will be made (with    the equivalent settings in Intune land.)

That being said, as was repeated several times across multiple sessions: If you’re going to attempt a transition from Group Policy to MDM, don’t “lift and shift” over your settings without making proper decisions to keep or kill a setting.

Then, additionally, if you’ve now lifted and shifted Group Policy to MDM… here we go again… don’t cross the streams.

With any tool which makes things easier, use it wisely with a heap of planning to know what your destination should look like. Don’t just use the tool (any tool) because it’s there.

My little inner fear here is that many companies won’t heed this advice, and very quickly be in the same place like “I’ve got too many MDM profiles where I don’t know what they’re doing !!” as they already do in the “I’ve got too many GPOs where I don’t know what they’re doing!!place they are right now.

So in summary, here’s what I learned at Ignite 2019:

  • Intune and SCCM are now under one umbrella: Microsoft Endpoint Manager. Indeed, if you’re an existing SCCM customer, you now automatically get Windows Intune licenses for managing Windows devices via Intune. Note that this doesn’t mean you magically get, say, iOS or Mac or other non-Windows PC licenses. Also note this requires an Azure Active Directory P1 (at least) subscription  for your organization.
  • It’s okay to be on-prem, and it’s okay to be cloud. Cloud is a destination, but destinations take a long time to manifest.
  • Microsoft is increasing their tooling for Group Policy understanding and to take on some better Group Policy to MDM migration scenarios for those who feel they are ready to go there.
  • (once again) Group Policy isn’t dead.

So, take a deep breath. You’re doing fine. If you’ve got no toes in, or one toe in, or nine toes into the cloud… you’re doing fine. And, yes, I realize, you cannot put toes into cloud, but just  go with me here.

I hope this blog entry helps you out and you’ll share it with your friends, your boss, and anyone else who wants to learn what’s new in management this year from Ignite 2019.

PS: Here’s some pictures of me at Ignite:

Ignite 2019 was really bananas, and it was awesome seeing many of you in person !

Jul 2019
10

Two (not Jeremy) blog posts about Windows Update for Business' Rings

Windows Update for Business is the method where you can use Group Policy, SCCM or Intune to describe "rings" for your business. In these rings, you express "who is going to go first" to get updates.

Then, who will go next, and so on.

I explain these rings in details in my new MDM book.

But I wanted to share two Microsoft blog entries on this important topic, since it comes up from time to time. These are good extra sources of information.

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/bc-p/664595

-https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979

Hope these help you out!

Jun 2019
19

Interesting Microsoft Internal IT talk about their transition to Modern Management

I found this 200% by accident.. It's pretty interesting.. about Microsoft's own transition to Microsoft Management. What's going well, what isn't, and so on.

Someone dares to ask the question of "When will Microsoft completely walk away from traditional management?" The answer ... is toward the end ... 

Spoiler alert: It's gonna be a while. 

Still interesting, and they're putting one foot in front of the other.

https://www.microsoft.com/en-us/itshowcase/it-expert-roundtable-modern-desktop-and-device-management

 

Jun 2019
18

A Short Tour of the Intune Customer Adoption Pack

Intune has come a long way since its inception and now offers a lot of great features to manage your organization’s mobile and Windows 10 devices.  The MDM approach to device management is a real change from years ago in which computing devices were either managed through the traditional AD joined domain model or were simply allowed to operate independently at the discretion of the user. 

Intune continues to introduce cloud based services that streamline and secure your devices, but users are often slow to accept changes into their environment.  In order to better educate users about the importance and need for device management and mobile security, Microsoft just recently updated the Intune Customer Adaption Pack in order to make the change in approach more palatable and decrease the transition time of Intune enrollment.  The adaption pack is especially valuable to organizations that previously did not require mobile devices to be enrolled for work access.

What’s in the Intune Customer Adaption Pack

The Adaption Pack is essentially a comprehensive communication plan that sets out to accomplish three objectives:

  • Education users in how to enroll their particular devices in Intune
  • Reassure users about their privacy concerning what type of device data is shared with IT
  • Explains the safeguards in place to protect user privacy and company resources

The adaption kit is suited for IT admins, management and trainers to educate, prepare and guide their users for the enrollment process.

You can download the Intune Adaption Pack here.

IT admins, management, and trainers

The link downloads a zip file that includes a variety of documents, videos, posters and templates that can be leveraged to spread Intune adaption throughout your organization.   The enclosed contents are shown in the screenshot below.

The Welcome document outlines what is in the adaption kit.  The kit includes two email templates that can be used to communicate with your users about the coming transition to Intune.  You can use them as written or customize them according to your needs.  An example of email #1 is shown below.

As part of the , all employees worldwide will soon transition to Microsoft Intune, a unified mobile device management platform. Intune enables you to work productively and securely from anywhere, at any time and across all of your devices. All other mobile device management platforms used worldwide to secure documents, devices, and corporate data will be retired.

The email goes on to explain some of the benefits and expectations of Intune as well as a schedule of the coming steps that they will be asked to complete at the appropriate time.  This opening email also provides an opportunity to showcase any other new services whose access will be granted on devices managed by Intune.  These required actions are then outlined in the second email template that also reinforces the benefits and strategic reasons for the migration and provides users a timeline for the outlined process. 

The Intune Deployment Guide provides a wealth of information for your users that is compressed into two palatable pages that they can quickly read and apprehend.  The guide also includes a Word version that allows you to customize and include your internal resources and contact information.  Some of the topics outlined include:

  • What information about their personal devices can and cannot be seen by IT?  This includes a link to the Intune privacy policy. 
  • How internal IT will use the company portal or app store to install work apps
  • What users can do if their mobile device is lost or stolen
  • Security steps IT can take to secure data residing on enrolled devices
  • Intune enrollment links for each applicable operating system

An example of the guide is shown below.

 

Training Videos

If you’ve had concerns about how to train your users to complete the enrollment process, the enclosed videos in the Adaption Pack will be a welcome tool.  The videos are step-by-step YouTube videos that show users how to easily enroll their devices in Intune.  Below is a screenshot of the Windows 10 video.

Two videos demonstrate how to either enroll an Android device for full management or enroll for Work Profile management.  An example of the Android device management is shown below.

The videos not only provide step-by-step directions on how to complete the enrollment process, but also summarizes again what information Intune has access to when it comes to user devices.  An example of this is shown in the MacOS video.  Note that there is also a separate video concerning iOS devices as well.

A Great Tool to Assure a Smooth Transition

The Intune Customer Adaption Kit gives you out-of-the-box training tools to educate your users about why Intune enrollment is so important.  It can help ensure that all targeted devices are enrolled quickly without the constant prodding of your users asking “what to do.”  By effectively communicating the necessary messages and information to your users, you will be able to begin enforcing compliance through conditional policies for all of your targeted devices.

Jun 2019
14

Interesting Rando-News

Interesting Rando-News 

First, I know in my last email I said writing my book took "none" months. I meant nine. Nine months.
These newsletters don't have an editor, or even a good spellchecker. So they're a bit off the cuff.
My book has eyeballs and eyeballs of real pros looking at it. Even THEN there will be errors, but, hey.. they're nicely shellacked !

Next, here's a bunch of items I've been sitting on for a bit. 

Item 1: Windows 1903
---
I know you already know that Windows 1903 is out. Buuut.. it seems a little mysterious how to GET it and what's IN IT. Well, here's a blog which explains both. Be sure to click on "What's new for IT Pros in Windows 10, 1903" for all the best stuff.

https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#Sot6SPqZhUjM7lSa.97 

Item 2: 1903 Baselines are out
---
So Baselines are preconfigured advice which can be delivered via Group Policy or an MDM service like  Intune. (And, YES, of course with ALL CAPS I cover this in my "Group Policy (with a side of MDM)" training class, AND also in Chapter 10 of my new MDM/Intune/Autopilot/Azure book !)

Those baselines are here:  https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines

And, here's the official blog entry on it:
https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/

But, it's Item #3, that's related to Item #2 that's the big interesting thing.

Item #3: Microsoft no longer recommends password rotation for regular users. 
--
Yep, so inside the Baselines, Microsoft has taken a step back from requiring that users rotate their passwords. At first glance you might think "Wow, that really sounds like it LOWERS my security posture." But then, the real reason why this can be a good idea is found when you dig into Aaron Margosis' blog: "If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?"

There you go. So, if you're already implementing password rotation.. I guess "keep doing it" if you haven’t implemented the other mentioned security functions; but STOP if you HAVE implemented these other security measures. I found a few other's takes on this advice:

https://www.forbes.com/sites/daveywinder/2019/04/27/microsoft-confirms-change-to-windows-10-passwords-that-nobody-saw-coming/#4c0a682d7bf2

https://www.scmagazine.com/home/security-news/privacy-compliance/some-cybersecurity-experts-argue-this-may-be-one-of-the-last-global-password-days/?utm_source=newsletter&utm_medium=email&utm_campaign=SCUS_Newswire_20190502&hmSubId=c_Ol5WdI-AA1&email_hash=1640a0a38d3b4b638fd2beadfc5e9dc7&mpweb=1325-7621-514959

Item #4: Windows 1903 and Blurred Backgrounds
---
What do you think of those Blurred Backgrounds in Windows 1903 at login time? Don't like them?
Computer | Admin Templates | System | Logon | Show Clear logon background and set it to ENABLED.

Ah.. but what if you don't have the Windows 1903 ADMX files? 

Item #5: No Windows 1903 ADMX files yet.
---
They're not available yet for download. So you can always take a Windows 10 1903 machine and use the ADMX and ADML items from there if you're in a hurry. But I advise to wait for the download. I’ll let you know when that occurs.

Item #6: Super cool Windows 10 thing to broadcast your screen "over there." 
---
This is one of those things I'm wondering if everyone on the planet knew, except maybe.. Me. 
Basically, you can "project your whole screen" to an app .. "over there" on another Windows 10 machine. I tested this and it's so freeking cool. Just. So. Cool. My. Head. Exploded.  
Tip: Both computers have to be on the same Wifi or Bluetooth network. 
https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/How-to-Use-an-Additional-Computer-as-a-Secondary-Display/ba-p/681152

And now.. time for the plugs... :-)

- My CLASS (next Group Policy+ MDM class Chicago Sep 16 - 18th [three days].. Sign up today at www.MDMandGPanswers.com/class
- Nor did I plug my new MDM: Intune, Autopilot and Azure book which is coming out in July (www.MDMandGPanswers.com/book)

No time like the present. Sign up for class and/or get your book. :-)

Happy Friday everyone !

Mar 2019
21

Co-Management Today with SCCM and Intune

While we used to actively block devices from registering with Intune and SCCM or Group Policy at the same time, we more than welcome this duality of management capabilities today.  Outside of cloud-only enterprises, Microsoft not only allows, but encourages the practice of allowing settings management from multiple sources. Microsoft refers to this current practice as co-management. 

The advantage of Hybrid MDM was that it allowed you to manage SCCM exclusive and MDM exclusive devices from a single console.  Essentially it was a a product of convenience more than anything.  With co-management, the two work in cohesion.  Clients can now have the Configuration Manager client installed and be enrolled in Intune.  For those organizations that have a considerable investment in time and resources in SCCM, Co-management adds greater functionality to your SCCM structure by incorporating cloud functionality.

Co-management requires version 1710 or later and requires all involved Windows 10 devices to be Azure AD-joined or joined to on-premise AD and registered with Azure AD.  For new Windows 10 devices, you can simply join them to Azure AD, enroll them in Intune and install the Configuration Manager client for co-management ability.  When it comes to Windows 10 devices that already have the Configuration Manager client installed the path is more complex, but basically requires you to setup hybrid Azure AD and enrolling them into Intune. Whichever way you get there; the end result is that you get the best of both worlds. 

Co-management is about more than just increased functionality however.  It gives IT administrators the flexibility to choose which management solution works best for their organization, devices and workloads they have to manage.  This facility of choice is exemplified in the screenshot below that shows the workloads tab of the SCCM admin screen.  As you can see, with co-ecomanagement you can switch the authority from Configuration Manager to Intune for select workloads.  This puts the SCCM admin in charge of which tool will manage what policies by simply moving the slider to the selected choice.

Note the presence of the “Pilot Intune” option.  As MDM is relatively new to most admins, Pilot Intune gives you the ability to pilot things first in order to ensure everything operates as expected.  Once results are confirmed, you can throw the switch all the way.  Eventually, Microsoft hopes that all the siders will be moved to the right, with everything hosted and managed in the cloud.  Those who are intimidated by SCCM might say that’s not a bad thing. 

 

Mar 2019
13

Solving the Mystery of MDMWinsOverGP Basics with Intune

Surprises are great when you are engrossed in a captivating movie.  A good novel always has multiple twists that you don’t see coming.  For the most part though, the world prefers predictability, especially when it comes to managing corporate enterprises.  The whole purpose of deploying settings is to ensure conformity to your enterprise client devices.  Group Policy and MDM were made to deliver a level of certainty to the enterprise.  

So what happens when Group Policy Settings and MDM settings collide with one another?  Because Windows 10 can potentially be a member of an on-prem active directory domain and be MDM enrolled as well, that is a distinct possibility.  Starting with the 1709 release, Microsoft unveiled a GPO setting that allows hybrid joined devices to be automatically MDM enrolled.  So let’s say we have a hybrid environment of Windows 10 laptops and just for grins we disabled Cortana using an MDM policy setting and enabled it using a Group Policy Setting.  Which policy do you would win out?  

If you had to guess, you would probably say Group Policy since it is the elder of the two.  If you did, you would be sort of wrong.  You would also be sort of wrong if you said MDM. 

How can you be sort of wrong you ask? 

Because when MDM and GP settings conflict, we honestly have no idea which one is going to win out. 

In fact, that is the default, expected behavior.  Yes, the default behavior is uncertainty.  Just like the stock market doesn’t like uncertainty, neither do network admins.

So in order to add some stability to these conflicting scenarios, Microsoft introduced a Policy CSP called ControlPolicyConflict/MDMWinsOverGP.  It uses an integer based data type for which there are two supported values:

  • 0 (default state of uncertainty)
  • 1 - The MDM policy is used and the GP policy is blocked.

To enable this policy, we have to create a custom OMA-URI setting as shown in the screenshot below.

So if MDM and the same Group Policy setting are contending to assign the SAME value to the SAME setting .. then you can use MDMWinsOverGP to force the MDM to always regardless of what GP is trying to do.  

If you are managing a hybrid environment with MDM and GPO, it may in fact be good practice to enable this CSP for good measure just to ensure that certainty will always prevail.  In the IT world, certainty is a good thing.