How do you get smarter in MDM & Group Policy?

Oct 2022

How to Setup Printing in the Cloud Using Universal Print (Part 3)

So, in our last article, we talked about registering printers with the Universal Print portal. We registered a couple of printers using the Universal Print Connector and then shared them to designated users through group assignment. Users can then browse the list of shared printers they have access to and pick the appropriate one based on factors such as location or printing capabilities. While that is fine for users who occasionally need to send something to a printer they normally don’t use, it is easier to have printers installed directly on client machines for them. This is done by creating an Intune policy.

Creating a Printer Policy

All users that will receive the printer policy must be assigned a Universal Print license, as mentioned in Part 1 of this series. You also need the Printer Administrator role to create the policies, and the target computers must be running Windows 10 or Windows 11.

Using MEM, go to Intune > Devices > Configuration profiles and create a new profile. Choose Windows 10 and later as the platform and Settings catalog as the profile type. Name the policy, click “Add settings” and search for the word “printer” as shown below. Scroll down to the Printer Provisioning category and select Printer Shared ID User.

You will need three pieces of information about each printer you want to install. You can find them in the overview section of each printer in the Universal Print portal as shown below.

Next, enter the Printer ID, Printer Share Name and Share ID in their designated boxes as shown below.

The final step is to assign the profile to the designated users. You can then monitor the status of the policy in Intune as shown below.
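The three values above can also be pulled from Microsoft Graph for every share at once instead of being read off each printer’s overview page. This is an added example, not code from the article; it assumes the Microsoft.Graph.Authentication PowerShell module is installed, that you hold the PrinterShare.Read.All delegated scope, and that /print/shares accepts $expand=printer.

```powershell
# Added example (not part of the article): list every Universal Print share
# with the three values the Printer Shared ID User setting asks for.
# Assumptions: Microsoft.Graph.Authentication module; PrinterShare.Read.All
# delegated scope; /print/shares supports $expand=printer (verify against
# the current Graph documentation for your tenant).
Connect-MgGraph -Scopes 'PrinterShare.Read.All' | Out-Null

function Get-UpProvisioningValues {
    # Single quotes keep the OData "$" literal
    $uri = 'https://graph.microsoft.com/v1.0/print/shares?$expand=printer'
    $rows = @()
    while ($uri) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($share in $resp.value) {
            $rows += [pscustomobject]@{
                PrinterShareName = $share.displayName   # "Printer Share Name" box
                ShareId          = $share.id            # "Share ID" box
                PrinterId        = $share.printer.id    # "Printer ID" box
            }
        }
        $uri = $resp.'@odata.nextLink'                  # follow paging if present
    }
    $rows
}

# Review the values before pasting them into the Settings catalog profile
Get-UpProvisioningValues | Format-Table -AutoSize
```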

While Universal Print may not be a viable choice for large enterprises yet, it may be a good solution for SMBs that have moved to Azure AD in pursuit of a native cloud solution and want to deprecate their on-prem printing infrastructure.

Sep 2022

How to Setup Printing in the Cloud Using Universal Print (Part 2)

In my previous article I outlined the prerequisites for Universal Print, a Microsoft 365 subscription-based service that you can use to centrally manage your printers using Azure. As mentioned, most printers require the Universal Print Connector to be registered in Azure for universal printing. You can download the UP Connector here.

The prerequisites for the UP Connector are shown below.

  • You can install it on Windows Server 2016 64-bit but Windows Server 2019 is recommended.
  • You may also install it on Windows 10 64-bit Pro or Enterprise, version 1809 or later.
  • The host computer will also need .NET Framework 4.7.2 or later.
  • The host computer should have a permanent internet connection and have sleep/hibernate disabled.
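Before running the installer, the prerequisites above can be verified on the candidate host with a short script. This is an added example, not code from the article or from Microsoft; the build numbers, .NET release value and the sign-in endpoint it checks are assumptions stated in the comments.

```powershell
# Added example (not part of the article): pre-flight check of a candidate
# Universal Print Connector host against the prerequisites listed above.
# Run in an elevated PowerShell session on that machine. Thresholds are assumed
# from public build numbers: 14393 = Server 2016, 17763 = Server 2019 and
# Windows 10 1809; .NET Framework Release DWORD 461808 = 4.7.2.
function Get-AcIdleSeconds {
    # Reads the current AC idle timeout for a powercfg alias; 0 means "never"
    param([string]$Alias)
    $out = powercfg /query SCHEME_CURRENT SUB_SLEEP $Alias 2>$null
    $m = $out | Select-String -Pattern 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)' | Select-Object -First 1
    if ($m) { [Convert]::ToInt32($m.Matches[0].Groups[1].Value, 16) } else { -1 }
}

function Test-UpConnectorHost {
    $os = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $isServer = $os.ProductType -ne 1            # 1 = workstation, 2/3 = server
    $r = [ordered]@{}
    $r['Is64Bit'] = [Environment]::Is64BitOperatingSystem
    if ($isServer) {
        $r['OSSupported']   = $build -ge 14393   # Server 2016 or later
        $r['OSRecommended'] = $build -ge 17763   # Server 2019 or later
    } else {
        # Windows 10 1809 or later, Pro or Enterprise edition only
        $r['OSSupported']   = ($build -ge 17763) -and ($os.Caption -match 'Pro|Enterprise')
        $r['OSRecommended'] = $r['OSSupported']
    }
    # .NET Framework 4.7.2 or later, read from the v4 Full install's Release value
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
    $r['DotNet472OrLater'] = ($null -ne $release) -and ($release -ge 461808)
    # Sleep and hibernate must be disabled so the connector stays online
    $r['SleepDisabled']     = (Get-AcIdleSeconds 'STANDBYIDLE') -eq 0
    $r['HibernateDisabled'] = (Get-AcIdleSeconds 'HIBERNATEIDLE') -eq 0
    # The host must reach Azure; the sign-in endpoint used here is an assumption,
    # check Microsoft's Universal Print endpoint list for your tenant
    $r['AzureReachable'] = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -InformationLevel Quiet
    $r['ReadyToInstall'] = $r['Is64Bit'] -and $r['OSSupported'] -and $r['DotNet472OrLater'] -and
                           $r['SleepDisabled'] -and $r['HibernateDisabled'] -and $r['AzureReachable']
    [pscustomobject]$r
}

Test-UpConnectorHost | Format-List
```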

Once downloaded, simply run the installer.

Once installed, you will see the screen below. Here you will need to sign in to your Azure portal using an Azure AD account that is assigned the Printer Administrator role.

Once you are signed in, you will need to create a Connector Name as shown in the screenshot below. This could be the name of a building, a department, a site, or just about anything that has significance within your organization.

In this example I chose Central_Office. You will then register the Connector name.

Once registered, you will be able to see the connector in the Universal Print portal in Azure. If you can’t readily find the UP portal, search for “Universal Print” to navigate to it as shown below.

Then click Connectors to see your newly registered connector.

Now it’s time to register the printers. First install the printers on the computer hosting your connector. They will then appear as available printers in the UP Connector admin console. Select the printer or printers you want from the list and click Register. The printer(s) will move to the registered printer list as shown below and are now registered in Azure.

Now we need to share the printer. Go to the Universal Print Portal and you will see that your printer is registered and ready but not shared.

To share, select the printer’s checkbox and click Share as shown below.

Now you will give the printer a share name and select the groups or users that can access the share as shown below.

You can then select Printer properties and provide descriptors so that users know where the printer is located within your enterprise. This allows them to search for printers according to location. I have filled out some of the properties in the screenshot below.

Now the printer is shared and ready and will show all green as shown in the screenshot below.

Registering Universal Printers Directly

Printers that natively support Universal Print can be registered with Azure without going through the UP Connector. Simply access the printer’s admin console through a web browser. Every vendor’s admin portal is different, but essentially you will need to name the printer and configure its network properties so it can reach the Internet. Usually in the advanced settings there will be a way to register the printer. The registration process will require you to log on to Azure with the proper credentials. The printer will then be registered and assigned a registration code. Once registered, you log on to Azure in the same manner I did earlier and share the printer.

Next: Creating Intune Policies

In our third and final segment on Universal Print, we will review the process of installing registered universal printers on computers across the network.

Sep 2022

How to Setup Printing in the Cloud Using Universal Print (Part 1)

So, you’ve migrated your enterprise’s on-prem AD presence to Azure AD and are now thinking that everything will be native cloud from here on out. There’s just one problem. Your users are still printing, and those printers rely on on-prem infrastructure. While many consider printing to be a legacy technology, organizations still depend on it. The problem is that printer management can be a time-consuming and manually intensive ordeal, having to deal with so many different types of printers, associated drivers, and spoolers. What’s more, assigning printers using Intune can be challenging at best.

Fortunately, there is an option available from Microsoft that allows you to upgrade your printer environment to a cloud-based print solution. It’s called Universal Print, a subscription-based service that runs on Microsoft Azure and provides centralized print management for print administrators. Some of the benefits of Universal Print include the following:

  • No need to install printer drivers on PCs as printing takes place using the Internet Printing Protocol (IPP). There’s also no need for print servers for supported printers.
  • Provides remote users the ability to print at the corporate office and integrates with Windows 365 virtual PCs.
  • Printers can be assigned end-user locations at a granular level so users can easily find the right printer for their location whether it be a country, town, site, building, floor, etc. You can also assign printers using Intune.
  • Extensive reporting is available to monitor your print capacity as well as obtain a daily aggregated job count for each printer or user, giving you the visibility to understand what is happening in your print environment each month.
  • Enhanced security, as machines must be joined to Azure AD to print, printing takes place over encrypted connections, and all print data is contained in the same secure platforms that Exchange Online and Teams use.

There are obviously a lot of benefits to Universal Print, so let’s look at how to implement it.

Prerequisites for Universal Print

Let’s start with the printers themselves. Some printers can integrate directly with Universal Print out of the box. Here’s a list from Microsoft of Universal Print ready printers. Chances are, most of your printers don’t support Universal Print. In that case, you need to download the Universal Print Connector to an on-prem machine and add your printers to it. The Connector serves as the intermediary between Azure and legacy printers.

Next you will need the right subscription. Universal Print is included with multiple commercial and educational Windows 365 and Windows 10 subscriptions. You can also purchase a standalone subscription. Applicable licenses include the following:

  • Windows 365 Enterprise F3, E3, E5, A3, A5
  • Windows 10 Enterprise E3, E5, A3, A5
  • Microsoft 365 Business Premium
  • Universal Print (standalone)

You can confirm whether your current license provides Universal Print access by going to your Azure portal and navigating to Azure Active Directory > Licenses > All products. Select a product from your list and click on “Service plan details.”

Each print user will need an assigned license. A Universal Print license is also required for all print administrators, regardless of whether they print or not. Keep in mind that the designated license doesn’t allot you unlimited printing. Universal Print uses the same OPEX model that is characteristic of cloud computing services, in that you only pay for the resources that you use. Universal Print comes with a pool of print jobs that equates to 5 print jobs per user per month. That means that 100 licensed users will be able to print 500 print jobs each month. A print job constitutes a single printed document, regardless of how many pages or the number of copies printed. A color document counts the same as a standard print job, and attributes such as single- vs. double-sided do not matter either. Note that there is currently no way to enforce a print quota on individual users. While the license allots 5 print jobs per user, one user can consume all the print jobs over the course of a month. It is believed that quota management will be introduced down the road.

To configure or manage Universal Print, an admin must be a global administrator or be assigned the Printer Administrator role. I had to assign myself the Printer Administrator role even though I was a global administrator to complete the configuration steps for this article series.

Finally, client devices must be running Windows client OS, version 1903 or greater.

Next: Installation and Configuration

In the next article, I will show how to install the Universal Print Connector to an on-prem machine and configure the Universal Print service. We will then assign the printers using Intune.


Aug 2022

A Closer Look at Safeguard Holds

There are no guarantees in life. That’s certainly the case with software updates. Sometimes an update that offers a new operating system version just doesn’t work out due to compatibility issues with a particular device. This can cause the update to either fail or roll back. Even worse, it could result in data loss or a loss of connectivity or key functionality. That’s why Microsoft monitors quality and compatibility data to identify issues before they can affect too many machines. Issues may also be reported by Microsoft partners and customers. Once an issue is identified, Microsoft enacts a Safeguard Hold to prevent other devices with the known compatibility issue from being offered the designated feature update. The safeguard hold remains in place long enough to give Microsoft time to address the issue. Once a fix is derived and verified, the hold is lifted, and the Windows update is once again offered to those devices.

Disabling Safeguards

While it’s not necessarily recommended, you can disable safeguards so that devices will ignore them. Keep in mind that the update may well fail. If you want to take the chance, however, create a GPO, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business and enable the “Disable safeguards for Feature Updates” setting as shown below.


You can also do this using an MDM such as Microsoft Endpoint Manager with the DisableWUfBSafeguards CSP. The required custom OMA-URI settings are as follows:

  • OMA-URI: ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards
  • Data type: Integer
  • Value: 1
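Because a device with this setting will take a feature update despite a known issue, it is worth auditing your fleet for it. The script below is an added example, not code from the article or from Microsoft; the GPO-backed registry path is the one the “Disable safeguards for Feature Updates” policy writes, and the PolicyManager path for MDM-delivered policy is assumed from the usual CSP mirroring pattern.

```powershell
# Added example (not part of the article): audit devices for the
# "Disable safeguards for Feature Updates" setting described above, so you
# can find machines that will be offered a feature update despite a hold.
# Assumptions: the GPO writes DisableWUfBSafeguards under the WindowsUpdate
# policy key; the MDM/CSP path under PolicyManager follows the usual
# current\device\<Area>\<Policy> pattern (verify on your build).
$GpoKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MdmKey    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$ValueName = 'DisableWUfBSafeguards'

function Get-SafeguardState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $read = {
        param($gpo, $mdm, $name)
        [pscustomobject]@{
            GpoValue = (Get-ItemProperty -Path $gpo -Name $name -ErrorAction SilentlyContinue).$name
            MdmValue = (Get-ItemProperty -Path $mdm -Name $name -ErrorAction SilentlyContinue).$name
        }
    }
    $state = if ($ComputerName -eq $env:COMPUTERNAME) { & $read $GpoKey $MdmKey $ValueName } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $read -ArgumentList $GpoKey, $MdmKey, $ValueName
    }
    # A value of 1 from either delivery channel means holds are ignored
    $disabled = ($state.GpoValue -eq 1) -or ($state.MdmValue -eq 1)
    [pscustomobject]@{
        ComputerName       = $ComputerName
        GpoValue           = $state.GpoValue
        MdmValue           = $state.MdmValue
        SafeguardsDisabled = $disabled
        Risk               = if ($disabled) { 'Will take feature updates with known issues' } else { 'Holds respected' }
    }
}

function Reset-SafeguardOverride {
    # Clears a locally set GPO-backed override so the default (holds respected)
    # applies again. A domain GPO or Intune profile that sets it will re-apply it.
    if ($null -ne (Get-ItemProperty -Path $GpoKey -Name $ValueName -ErrorAction SilentlyContinue)) {
        Remove-ItemProperty -Path $GpoKey -Name $ValueName
    }
}

# Audit a few devices (constructed names) and list only those ignoring holds
'PC01', 'PC02', $env:COMPUTERNAME | ForEach-Object { Get-SafeguardState -ComputerName $_ } |
    Where-Object SafeguardsDisabled | Format-Table -AutoSize
```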

Safeguards for Two Types of Issues

New Windows feature updates deployed using either the Windows Update service or Windows Update for Business are subject to safeguard holds for known issues. A “known issue” is a confirmed problem that may occur after an upgrade for a specific set of devices. In addition to known issues, there are also “likely issues.” A likely issue is a problem that has not yet been confirmed by Microsoft but has been detected through machine learning across the Windows ecosystem. Issues could involve rollbacks, connectivity problems, app or driver malfunctions, or problems with graphics and audio. Once identified, a temporary safeguard hold is placed on the designated update until either the issue has been confirmed and upgraded to a known issue (in which case the safeguard hold continues) or it has been identified as a false positive, in which case the hold is removed.

The Windows Update for Business Deployment Service

The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides an additional level of control over the approval, scheduling, and safeguarding of Windows updates. Here you can apply safeguard holds against likely update issues as well. You can also bypass preconfigured Windows Update for Business policies to manually deploy a security update on demand across your organization should an emergency arise. To utilize this service, you must have one of the following subscriptions:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

You can then search for it in MEM and configure it as needed.

To see whether you are affected by a safeguard hold, you can use Update Compliance in MEM to run a Safeguard Holds report that provides insight into existing holds preventing devices from updating or upgrading. You can get more information about these reports here.