MDM & GP Tips Blog

Sep 2020
02

Microsoft Endpoint Policy Types Explained (Part 1)

Microsoft Endpoint Manager (the Intune part) is a powerful device management and endpoint security system that is constantly evolving.  What began as a portal to manage and secure mobile devices can now manage desktop computers, virtual machines and even servers.  It now delivers a broad spectrum of configuration and security settings as well as intelligent cloud actions.  Because of this, it is hard to keep abreast of all of the changes, and informational resources are perpetually outdated.

Microsoft Endpoint Manager offers multiple policy types.  With so much confusion out there concerning which policies do what, I thought it might be a good time to take a snapshot of the state of Microsoft Endpoint Manager as it is today.  This two-part series will cover a quick review (or for some an introduction) of the various parts of this rapidly expanding management ecosystem.

Configuration Profiles


This has long been the bread and butter of Intune.  Configuration profiles are the closest equivalent to Group Policy Objects.  A configuration profile is created to deploy managed settings to targeted devices or users.  Like other MDM solutions, Microsoft Endpoint Manager supports more than just Windows.  When you go about creating a configuration profile, you can choose between multiple platforms including Android, iOS, iPadOS, macOS and Windows, as is shown in the screenshot below.

For the sake of this article, we will focus on Windows 10.  You then select which profile type you want to configure settings for.  The list of profiles has greatly expanded over the years.  Some of the profiles available at this time include:

  • Device Restrictions (Think Group Policy restrictions)
  • Edition upgrade and mode switch
  • Endpoint Protection
  • VPN
  • Wi-Fi

Below is an example of the available Control Panel settings that you can block within the Device Restrictions profile.

A wizard then guides you through the process of configuring your desired settings and deploying them to the applicable targets.  While the number of settings offered within Microsoft Endpoint Manager has grown substantially over the years, it still doesn't come close to the more than 10,000 settings offered by Group Policy and Group Policy Preferences combined.  While its capabilities may fall short for on-prem AD enterprises, it does provide ample coverage for many mobile and non domain-joined devices.

Administrative Templates

Administrative Templates is one of the available Configuration profile types, but I want to focus on it separately.  These are ADMX-backed settings, some of the same ones you are accustomed to configuring in Group Policy Administrative Templates, and they include both Computer and User side settings.  Here you can configure settings for things such as Microsoft Edge, OneDrive, Word, Excel, etc.  In the screenshot below you will notice the same hierarchical structure you are familiar with in Group Policy Administrative Templates.  Again, while the list of available ADMX settings has grown substantially, it still falls far short of what is currently available in native Group Policy. (Hint: Use PolicyPak MDM to take 100% of real on-prem GPO settings and use them with Intune.)

Custom Profiles

One more Configuration Profile type I want to focus on is Custom Profiles, because a lot of people find them confusing.  Windows 10 devices expose their manageable settings through Configuration Service Providers (CSPs), and it is these CSP settings that an MDM solution actually writes.  MDM can manage any CSP node, but not every node is surfaced in the Microsoft Endpoint Manager interface.  That is where custom profiles come into play.  If you want to deliver a setting to a CSP node that isn't accessible within the console, you can create a custom profile, which requires you to supply the following:

  • Name:  The name is for your own reference to help you identify the profile.  Use any name you wish.
  • Description:  Enter a short summary of what the profile does and any other pertinent details.
  • OMA-URI:  The OMA-URI path is unique to each platform, be it Android, iOS, Windows, etc.  It is also case sensitive, so be careful to type the setting path exactly.  For a Windows 10 Policy CSP setting the path takes the form ./Vendor/MSFT/Policy/Config/AreaName/PolicyName (prefixed with ./Device or ./User when the setting is scoped to the device or the user).
  • Data type:  The data type will vary based on the OMA-URI setting.  The options are String, String (XML file), Date and time, Integer, Floating point, Boolean and Base64 (file).
  • Value:  The value you want to enforce for that OMA-URI.  It must match the data type and the allowed range documented for the CSP setting.
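The same five fields, as an added example in PowerShell (not code from the original post): the function builds the request body that a Windows 10 custom profile is made of, checks the OMA-URI prefix and case before anything is submitted, and maps the value's type onto the portal's Data type choices.  It assumes the Microsoft.Graph.Authentication module, an account holding DeviceManagementConfiguration.ReadWrite.All, that the Graph type names match the current deviceManagement API reference, and it uses Storage/RemovableDiskDenyWriteAccess purely as an illustrative Policy CSP setting.

```powershell
# Added example, not code from the original post.
# Builds a Windows 10 custom profile as a Microsoft Graph request body so the
# OMA-URI, data type and value are validated locally before they hit the tenant.
# Assumptions: Microsoft.Graph.Authentication is installed, the signed-in account
# has DeviceManagementConfiguration.ReadWrite.All, and the '#microsoft.graph.*'
# type names below match the current API reference.

function New-OmaSetting {
    param(
        [Parameter(Mandatory)] [string] $OmaUri,
        [Parameter(Mandatory)] $Value,
        [string] $DisplayName
    )
    if (-not $DisplayName) { $DisplayName = ($OmaUri -split '/')[-1] }

    # Windows CSP paths are case sensitive and start with ./Device, ./User or the
    # unscoped ./Vendor form; -cnotmatch keeps the comparison case sensitive too.
    if ($OmaUri -cnotmatch '^\./(Device/|User/)?Vendor/MSFT/') {
        throw "OMA-URI '$OmaUri' is not a Windows CSP path (check prefix and case)"
    }

    # Map the PowerShell type of the value onto the portal's Data type choices.
    # XML-file and Base64-file settings are left out because they carry a
    # file-backed payload rather than a plain value.
    $odataType = switch ($Value) {
        { $_ -is [bool] }     { '#microsoft.graph.omaSettingBoolean';       break }
        { $_ -is [int] }      { '#microsoft.graph.omaSettingInteger';       break }
        { $_ -is [double] }   { '#microsoft.graph.omaSettingFloatingPoint'; break }
        { $_ -is [datetime] } { '#microsoft.graph.omaSettingDateTime';      break }
        default               { '#microsoft.graph.omaSettingString' }
    }

    [ordered]@{
        '@odata.type' = $odataType
        displayName   = $DisplayName
        omaUri        = $OmaUri
        value         = $Value
    }
}

function New-Windows10CustomProfileBody {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Description = '',
        [Parameter(Mandatory)] [hashtable] $Settings   # OMA-URI -> value
    )
    $oma = foreach ($uri in $Settings.Keys) {
        New-OmaSetting -OmaUri $uri -Value $Settings[$uri]
    }
    [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $Name
        description   = $Description
        omaSettings   = @($oma)
    }
}

# Illustrative setting (an assumption for this example): 1 makes removable
# drives read-only, a common data-exfiltration control.
$body = New-Windows10CustomProfileBody -Name 'Custom - removable disks read-only' `
    -Description 'Storage/RemovableDiskDenyWriteAccess via custom OMA-URI' `
    -Settings @{ './Device/Vendor/MSFT/Policy/Config/Storage/RemovableDiskDenyWriteAccess' = 1 }

$json = $body | ConvertTo-Json -Depth 5
$json   # review the body before sending it

# Submit (uncomment to run against a tenant), then assign the profile to a group.
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
# Invoke-MgGraphRequest -Method POST -ContentType 'application/json' `
#     -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $json

# On an enrolled device, a Policy CSP value that has applied is visible here:
# Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage' `
#     -Name RemovableDiskDenyWriteAccess
```

The prefix check is deliberately case sensitive: a lower-case "vendor" or "msft" is the most common reason a custom profile reports as applied in the portal while nothing changes on the device.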


Below is what the Custom Profile creation process looks like in Microsoft Endpoint.

So that sums up our look at Configuration Profiles. 

In case you want a more in-depth view of these, I suggest you check out my MDM book at www.MDMandGPanswers.com/book, where I give more details and examples.

In Part 2 of this series, we will look at the other policy types such as security and conditional access.

Mar 2020
01

Block CMD prompt with Intune

Group Policy admins have been blocking access to the command prompt for standard users since the beginning, so it is frustrating for MDM admins that Intune has no native setting to block it the same way Group Policy does.  In actuality you can block cmd.exe; it just takes a custom profile, which not everyone is comfortable with.  Below is how to set it up, so feel free to use the settings.  Two caveats: the first rule below (Allow for the local Administrators group) is what keeps admins from locking themselves out, so keep it, and the exception only covers cmd.exe, so PowerShell, Windows Script Host and other interpreters remain allowed unless you add exceptions for them too.  The IntuneEdu segment of the OMA-URI is just a grouping name you choose yourself.

OMA-URI:  ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type:  String (XML file)

Here is the XML code to paste in:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CMD.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
</RuleCollection>
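Before pushing that rule collection through a custom profile, it is worth checking it locally.  The following is an added example (not code from the original post): it loads the XML above from a file, refuses to continue if the Administrators allow rule is missing, wraps the collection in the AppLockerPolicy envelope the local cmdlets expect, and then asks Test-AppLockerPolicy what a standard user would get for cmd.exe and for two other interpreters the exception does not cover.  It assumes the collection is saved as .\cmd-block.xml and that the AppLocker module is available on the machine you test from.

```powershell
# Added example, not code from the original post.
# Validates the AppLocker rule collection and simulates its effect with the
# built-in AppLocker cmdlets before it is deployed via the custom profile.
# Assumptions: the rule collection XML is saved as .\cmd-block.xml and the
# AppLocker PowerShell module is present on this machine.

function Test-CmdBlockPolicy {
    param(
        [string]   $RuleCollectionPath = '.\cmd-block.xml',
        [string[]] $Binaries = @(
            "$env:SystemRoot\System32\cmd.exe",
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
            "$env:SystemRoot\System32\cscript.exe"
        )
    )

    # [xml] throws on malformed markup, which is the first thing to catch:
    # a rule collection with missing close tags never applies on the device.
    [xml]$collection = Get-Content -Raw -Path $RuleCollectionPath

    # Refuse to go further without an Allow rule for BUILTIN\Administrators;
    # without it, admins lose every executable not allowed elsewhere.
    $adminAllow = @($collection.RuleCollection.FilePathRule) |
        Where-Object { $_.UserOrGroupSid -eq 'S-1-5-32-544' -and $_.Action -eq 'Allow' }
    if (-not $adminAllow) {
        throw 'No Allow rule for the local Administrators group (S-1-5-32-544) found'
    }

    # The CSP takes a bare <RuleCollection>; Test-AppLockerPolicy wants the
    # full <AppLockerPolicy> document, so wrap the same collection in one.
    $policy = [xml]'<AppLockerPolicy Version="1"></AppLockerPolicy>'
    $policy.DocumentElement.AppendChild(
        $policy.ImportNode($collection.DocumentElement, $true)) | Out-Null
    $tmp = Join-Path $env:TEMP 'cmd-block-test.xml'
    $policy.Save($tmp)

    # Evaluate each binary as Everyone (a standard user's token).
    # PolicyDecision is Allowed, Denied or DeniedByDefault.
    Test-AppLockerPolicy -XmlPolicy $tmp -Path $Binaries -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Test-CmdBlockPolicy
```

For this rule collection, cmd.exe should come back as not Allowed for a standard user (it matches no rule once the exception removes it, so there is no explicit Deny), while powershell.exe and cscript.exe come back Allowed, which is exactly the gap the caveat above refers to.  Run the same function with extra paths in -Binaries whenever you add exceptions.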

Jan 2020
02

Two Worlds Unite to Form Microsoft Endpoint Manager

It is a wonderful thing when new initiatives benefit both the company behind them and the customers they serve.  Such is the case with the announcement at Ignite 2019 that ConfigMgr and Intune are merging into one.  Together, the idea is that they will form a single management tool called Microsoft Endpoint Manager.

The MEM console will show a single view of all devices managed by either product through a single interface.  Here's an example.

So the idea is that you can now manage ConfigMgr devices through the MEM interface.  Of course, you can still manage through one or the other if you wish, and there are some features that cannot be replicated between the two.  Separately, the two tools will be known as:

  • Microsoft Endpoint Manager Microsoft Intune (MEMMI)
  • Microsoft Endpoint Manager Configuration Manager (MEMCM)

The merging of these two management systems now forms a new modern device management system that is exactly what internal IT needs to manage the modern workplace of today.  Modern management for the modern workspace.  That was a common theme at Ignite.

Branding and Licensing Simplification

Some may say that the merger is a recognition by Microsoft that the vast majority of companies continue to stick with ConfigMgr and Group Policy to manage enterprise desktop devices.  While Intune is capable of managing your entire Windows 10 environment, many companies continue to limit its management scope to mobile devices.

For Microsoft, bringing the two management systems together under one roof allows them to simplify their branding under one name.  By integrating ConfigMgr into the Intune portal itself, Microsoft is undoubtedly hoping that enterprises will become familiar with the capabilities and functionality of MEMMI.

Users will enjoy the simplification of both licensing and experience.  Those enterprises that currently have ConfigMgr licenses will automatically have Intune licenses too, allowing them to co-manage their desktop devices with both tools.  From a product perspective, admins will be able to view their mobile devices and ConfigMgr controlled PCs from a single interface.  No more having to bounce repeatedly back and forth between interfaces throughout the course of the day.  Says Brad Anderson, Corporate Vice President at Microsoft, "It's all about simplifying — and we're taking that simplifying deep and broad from a branding, licensing and product perspective."

By implementing the new co-existing licensing model, Microsoft is encouraging companies that need to leave existing systems in place to provision new machines as cloud-managed devices.  Regardless of how a device is managed, however, MEM provides a single view of all devices managed by either product.

Examining the Licensing Structure

So when you think of the new licensing model, think of the management scope of ConfigMgr.  ConfigMgr specializes in PC desktop management, so your ConfigMgr-managed PCs are now automatically licensed for Intune as well, and you can go ahead and enable co-management if you want.  Note: phones and non-Microsoft devices remain the exclusive domain of Intune (MEMMI), so those devices are not eligible for the dual license; mobile devices, iOS and Linux machines stay licensed under MEMMI alone.  You will still need Azure Active Directory P1 licensing for your users.

Intelligence Driven

Modern management systems must be intelligence based in order to maximize the user experience.  There are currently 190 million devices managed by either ConfigMgr or Intune.  The convergence of ConfigMgr and Intune greatly scales the telemetry that internal IT can draw on for its PC deployments and problem solving.  MEM will be introducing an array of intelligent actions that will give admins granular analysis as well as new comparative insights into their environments versus others.

One example of this is Productivity Score.  Productivity Score will allow organizations to turn their employee and technology experiences into measurable metrics that internal IT can use to justify the value it brings to the organization.  From the perspective of the user experience, it will quantify how people are collaborating on content, developing a meeting culture and communicating with one another.  Real measured results concerning these types of user experiences can offer insights into how to enhance the user experience and increase productivity.  The technology experience will provide insights for assessing policies, device settings, device boot times, application performance and adherence to security compliance.

MEM is an Endpoint

Many of us predicted this would happen one day.  As companies strive towards digitally transforming their organizations from the ground up, it was only a matter of time until something was done to streamline the management of on-premises and mobile desktops at scale.  One point that Anderson emphasized in his Intune presentation on MEM is that the merging of these two management system giants is not a temporary arrangement.  Says Anderson,

"Let me be very clear -- this vision includes both ConfigMgr and Intune.  Co-management isn't a bridge; it's a destination."

MEM allows you to start utilizing cloud intelligence without making a single change to your ConfigMgr policies.  Working collaboratively together, yet visible and accessible through a single interface, MEM provides the modern management system that Windows enterprises need. End-to-end management and automation is now available in a converged license package.  Look for the MEM transformation to emerge within your Intune environment. 


Jul 2019
10

Two (not Jeremy) blog posts about Windows Update for Business' Rings

Windows Update for Business is the mechanism by which you use Group Policy, SCCM or Intune to define deployment "rings" for your business.  In these rings, you express who is going to go first to get updates.

Then, who will go next, and so on.

I explain these rings in detail in my new MDM book.

But I wanted to share two Microsoft blog entries on this important topic, since it comes up from time to time. These are good extra sources of information.

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/bc-p/664595

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979

Hope these help you out!

Nov 2018
05

What can I get from Office 365’s MDM versus Intune?

When it comes to Mobile Device Management, it can be a little confusing keeping all the various MDM offerings straight.  For many organizations that use Office 365 for their email and/or other office suite applications, O365 MDM may be quite appealing due to one captivating detail: it's free!  Yes, MDM for O365 is included with many Office 365 commercial subscriptions.  Free is indeed a good thing.

Free of course usually means some limitations and shortcomings.  This is the case with O365 MDM, which has nowhere near the feature set or device coverage of Intune.  Intune either requires a paid subscription or comes as part of Enterprise Mobility + Security.  Cost is one of the main differences between the two.

Mobile Device Management for Office 365 is designed for securing and managing mobile devices.  This includes such things as iPhones, iPads, Android devices, Windows Phones and tablets that are connected to Exchange Online.  You can create MDM policies to secure these devices by remotely wiping them or removing sensitive information.  This is one of the most important security management features for corporate mobile devices.  Other functions of O365 MDM include:

  • Remotely wipe emails from any device
  • Set up device policies like password requirements and security settings
  • Ensure email and documents can only be accessed by company managed mobile devices
  • Access reports and alerts concerning the jailbreaking of devices
  • Review reports concerning which devices are not compliant

O365 MDM is a good fit for a company that uses domain-joined services to manage its traditional workstations and laptops and needs to manage and secure mobile devices as well.  For organizations that want to go all in and manage all of their Windows 10 devices (including traditional PCs) through an MDM solution, Intune is the only choice of the two.  With Intune, it is possible to manage your devices without any on-premises infrastructure as long as they are all Azure AD joined.

Another key difference is how you reach each management console.  O365 MDM is accessed through the Security & Compliance Center, as shown below.


Intune on the other hand is accessed through the Azure portal.


Intune has a lot more functionality than O365 MDM such as the following:

  • You can integrate Intune with System Center Configuration Manager to manage on-prem and off-prem devices together
  • Supports macOS, and Linux and Unix servers through the Configuration Manager integration
  • Deploy your internal line-of-business apps and store apps to users
  • Provide additional security for web browsing
  • Implement Mobile Application Management policies for all your users

Which one is best depends on the needs of your organization. 

Nov 2018
01

What is Intune for Education?

Microsoft puts a lot of emphasis on the education market.  In an effort to cater to the K12 educational organizations, Microsoft offers a separate product called Intune for Education.  While large metro school districts that have students numbering in the tens of thousands or more will most likely opt for the full Intune Console, Intune for Education is a very attractive alternative for private schools and public schools with a student body of less than 10,000 students. 

First off, Intune for Education is simpler.  Smaller school systems often lack high level fulltime in-house IT staff with the knowledge base to granularly administer advanced settings for their enterprise.  Often a single staff member is assigned the duty of supporting everything.  In some cases, schools may rely on teachers themselves to manage their classroom students and devices.  This is where Intune for Education comes in.  It has a simplified management interface that is inviting and extremely user friendly.  Task creation is wizard driven so that the user is guided through the setup process.  The interface makes use of graphical icons that make it less intimidating for teachers and non-technical staff.  Below is an example of the Express Configuration area that is designed to quickly achieve a desired task.


Simplicity does come at a cost.  Intune for Education lacks the advanced configuration functionality that the full console version boasts.  It does do a great job of the essentials however such as the basic management of users and devices (both Windows 10 and iOS), deploying mobile apps and ensuring basic security compliance.  It is a simplified Windows 10 experience, but for many schools, that is all that is needed.

Intune for Education is designed for the modern day educational organizations.  For instance, teachers can create “Take a Test” profiles.  These test profiles secure the browser during an online testing experience.  These secure testing profiles prevent students from using other computer or internet resources during a test.  Intune for Education also integrates with other Microsoft products such as School Data Sync and Minecraft Education Edition.


Screenshot originally from: https://docs.microsoft.com/en-us/education/windows/take-tests-in-windows-10

And then of course, there is cost.  Intune for Education is affordable for smaller school systems that face challenging budgets.  Currently, educational customers have two options.  The first is a "one and done" per device fee at the time of the device's enrollment.  This license is good for the life cycle of the device.  The other option is to license it per user on an annual basis.  The good news here is that student accounts are free.  School administrators will have to run the numbers to decide which option is best for them.

Keep in mind that Intune for Education is for “schools” only and Microsoft does verify this.  While Intune for Education isn’t for everyone in education, it certainly makes sense for some.