Categories
other

Use your webcam!

We are about a year in to Covid-19 and remote work has been introduced to a whole lot more people. It has also proven that remote work is possible even for people who were really sceptic about the concept pre-covid.

One thing that has really blossomed during this pandemic is remote meetings, using tools such as Microsoft Teams. Many of you were pretty used to having online-meetings even before this pandemic, but not to the extent we see today.

Enhance your meetings

Given that you are by now probably quite used to online meetings, it’s time to take the next step in your meeting experience and turn on that webcam.

For some strange reason, it seems like we in IT are particular hesitant towards using the webcam during meetings. We are the ones that should lead by example, and we probably encourage others to use their webcam during meetings.

By turning on your webcam you will increase the experience not only for you, but for everyone in the meeting. The feeling of presence will increase and getting a face on whom ever is speaking is making it a lot easier to follow along and will decrease the interruptions.

What if your hair is not on point?

My hair is not on point either, but if you are dressed you are good to go! It’s okay to not be comfortable with how you look today, but imaging that you are at the office, then you would meet people non the less.

Also, we are all in the same situation at the moment.

But the room I’m sitting in is such a mess!

If you are using Teams (or Zoom for that matter) you can use custom backgrounds or just blur the background. It’s perfect for situations when your background is not on point. I regularly use it if I’m sitting at a café or such, to not get people walking behind me. One of my favourite background to use is however the Ollivianders store background from Harry Potter.

My point is…

What is the point I’m trying to get at?

Make the effort to show up to meetings using the webcam. I do that all the time. Sometimes I’m the only one with my webcam on, but I leave it on. It also makes others turn on their camera (without asking).

Let’s all make it a custom to turn on that webcam when we join a meeting to increase the experience for everyone!

Categories
Microsoft 365 Modern Workplace

The road to productivity

Since you read my blog, my guess is that you are in the Microsoft ecosystem. That could be running a Windows computer, using Microsoft 365, or administrating 35 000 devices in Microsoft Endpoint Manager.

But let’s talk about Microsoft 365, or Office 365 as we can also call it. Because this post will focus more on productivity tools rather than devices.

Transitioning to modern tools

My hope is that you are already today using the Office 365 suite, which could be Outlook, Word, Excel, and PowerPoint. I hope all of you are already made the transition over to Teams or have at least planned what your journey will look like moving away from Skype for Business. But Office 365 contains so much more than just these six usual suspects. Office 365 is a suite packed with a lot of different productivity and collaboration tools.

What you can access depends of course on what licenses you have bought, but you will have a tool for basically every situation.

File sharing – OneDrive for Business. Collaboration – SharePoint. Project management – Projects. Kanban boards – Planner. Corporate videos – Stream. Big all company meetings – Teams Live Event. Note taking – OneNote. Digital whiteboards – Whiteboard. Personal to-do lists – To Do.

You get the point. There are a lot of often unknown and unused potential in your Office 365 suite. Microsoft provides a bunch of modern tools which becomes disposable for you and your users when you adopt Office 365, providing you with modern tools from the same eco system.

Spread awareness

I way to often stumble across customers, friends and even co-workers who are not aware of the power of Office 365. Instead they turn to well-known consumer products, e.g. Trello or DropBox which lives completely outside the corporate sphere. Not only does corporate data live in a place you don’t control, the free-to-use service does usually only apply for consumer usage, which means that you could be asked to pay for a corporate license for your rouge users.

Historically, these have been quite common as a solution on the problem that the employer does not provide sufficient tools. But that is no longer the case if you have the Microsoft 365 services. The problem might be that your users does not know this yet. Or simply doesn’t care, that is absolutely a possibility as well.

Since you are already paying for the Office 365 suite and Microsoft 365 services, you should really encourage your users to do and use the right things. Spread awareness about all the great tools that they have at their disposal!

Conclusion

If you have spent the time and money to move to Office 365, make sure that you make the most out of it. You invested a lot in the transition, but that doesn’t mean that the work stops there. The Microsoft services are constantly evolving, and you need make sure you keep up in some way or another and keep deploying new tools and services to your users.

Another aspect of this is securing your corporate data. If you use tools within the product suite you have decided to work with, this applies not only to the Microsoft world, the data will live in a place which you control and govern. If you start using other services, especially consumer services, that data might not be yours anymore and you can’t apply retention policies and data leak prevention policies to that service nor data. This is a big problem when your corporate data lives on places it shouldn’t. However, that’s a completely different topic which I could dedicate a complete post to.

But I hope you get where I’m coming from and there are a few takeaways from this.

  1. Make the most of the productivity suite you have bought
  2. Don’t use consumer versions for corporate use
  3. Protect the data by keeping it within the corporate sphere

Given the development Microsoft have done with the Office 365 suite the last couple of years, most of the tools you need for productivity can be found there. Make sure you tell your users and make the most of the investment you have already made!

And to be clear, I’m not saying that you shouldn’t go buy other productivty tools. But before you do, make sure you don’t already have what your users are asking for within your exisiting tools.

Categories
Digital Transformation Intune Tips & Tricks

Recovery in a world without OSD

One of the big issues I hear people talk about when it comes to utilizing an image- and OSD less approach is “What if the hard drive breaks and we need to reinstall the machine?”. This is based on that assumption that we need to create a custom image with the drivers and such for recovery purpose. Disks do break, so this is a real problem.

However…

You probably bought that computer from one of the big computer manufacturers out there meaning that they thought of this.

In this article I will post many bold and naive statements, which you might not agree with. I understand that, but we also need to challenge how we have done things for the last 15 years. I’m not saying this is the whole truth, but I want to challenge the way you operate!

Disk failure

What happens when a consumer computer breaks down? Your typical home user does not have a Windows Deployment Services server running in their home network.

Most of the big manufacturers provides you with a new, fresh image created for your computer from their website, often using their recovery tool. The process to obtain the recovery image is a bit different based on which manufacturer, but it’s an uncomplicated way to recover a broken machine without the need to creating custom images.

Making use of what has already been created (and probably covered by the support commitment) should make sense. If someone else that we know and trust already created this, why shouldn’t we utilize it?

At least Microsoft, Lenovo, Dell and HP offers this service in one way or another.

A second option to this, but less ideal, is to use a generic Windows 10 image downloaded from Microsoft (or your Microsoft Volume Licensing Service Centre). The device will be missing all drivers to start with, but that is usually addressed using either the Windows Update feature or the driver update tool for that particular vendor (which you should consider using anyways to keep your drivers up to date on all your machines).

Resetting the device

If you for some reason need to reset a computer, there is no need to use an external media source to re-install Windows 10. This is built into the operating system, just like on your phone.

In Windows 10, instead of injecting your custom image, you simply reset the computer. Depending on where you are coming at it from, you might have to do it in different approaches.

Microsoft have documented this process very well here, so I won’t dig into it further on a how-to level.

Conclusion

I’m going to make a bold statement that many of you might not agree with. But operating systems deployment and creating custom images are a thing of the past. It will still be around for years to come since change does not happen overnight, and most companies have invested heavily in this. But it will start to fade away as more and more companies dare to trust the OEMs that their images are good enough. This will not solve data-loss at all, but it will bring the device back up and running which is often just as important for the user. Creating a custom image is an artform, but soon that artform needs to evolve into something else. There is a shift happening and we need to find other approaches to the old problems when we use new tools.

Today, this will not fit all scenarios. But if you look at the big picture, this could probably cover 80-90% of your user-base. Heck, you could have your users replace disks them self and then recover the operating system (imagine that!).

I’ve tried this with several different types of machines and manufacturers, and it works really well. You can even reset a custom image using the built-in reset feature. The result, however, can be a bit strange if you have removed a lot of the built-in apps etc. But the machine will still work and the user might not notice (especially if you make sure to deploy the needed apps to the end-user using Intune).

Combine this with the power of Office 365 and the cloud for storing your documents and work and you will have a pretty sweet setup where the device isn’t that important anymore.

Do explore the different possibilities in using standardized recovery media, but I’m not saying it will solve all your problems but it will take away some headache and hours spent on creating and maintaining custom images.

Categories
Digital Transformation Modern Workplace

Providing a modern workplace

This is a topic I’ve covered in some earlier article from the aspect of how we did it at my former employer. This time my idea is to cover this in a broader and more generic sense.

Living in 2020, IT is more than ever a big part and an enormous influence on your work environment and how productive you are.

IT is shifting from being a “technical” topic to be more of an HR topic, since it influences so many parts of your employment, a poor IT experience will heavily influence how happy you are with your employer. However, IT are still the ones responsible for it.

From talking with friends, peers, former co-workers, and customers there are a few things that tends to come back when it comes to IT in bigger organizations. And that is the lack of trust in that end-users knows what tools they need to perform their work and expects to get tools that support them in their daily work. There are of course exceptions to this but speaking in general terms I’m guessing that you don’t ask IT what tools you need to do your job; you ask your peers. Well unless you work in IT, then I guess you would ask IT… You get the point!

Users has diverse needs

We need to start considering our computers and mobile devices as tools, not “toys” in lack of better words.

If you think about it, if you were left one day at work without a computer and/or mobile device, would you be productive? Probably not. This means that these are crucial tools for our work since you are doing your business through them. Giving you something that is not fit for purpose would eventually be a bad investment, or not the correct tool. Still, computers and mobile devices are rarely considered business critical from an IT Service Management perspective.

If you think about it, your company spends a lot of time finding the right machinery, servers etc. for your business needs, but what about that computer you spend your day in front of doing business? Was that selected based on what your needs are or where you given the “corporate computer”?

Trying to stick to a “one size fits all” setup is deemed to fail eventually in a modern workplace. I have different needs for my computer/phone than people working as e.g. a communications professional. Also, a manager has different needs than the peers in their team.

I’m not saying that you should buy all the shiny things people points at and don’t standardize. What I’m saying is be smart in what you are buying. You have a diverse team with diverse needs, make sure you can full fill them!

For whom are IT working?

One thing that is extremely important, but sometimes forgotten, is for WHOM IT exist.

IT does not exist to provide IT with work tasks. IT exists to enable the employees of the company with tools fit for their needs to do their job in the best feasible way.

This is something we shall never forget. This is important. This is the sole purpose of an IT department. To be a support function to the core business.

At the same time, end-users need to understand that there is reason behind why things are done in a certain way. If they don’t know, it’s time to tell them!

Set goals and visions

To combat this, listen to what your end-users wants and communicate with them. Set clear roadmaps and vision for where you should be in let’s say five years. This will give you a goal to work towards and a roadmap to share.

By listening to your end-users, I’m not saying that they should dictate your every move. Be coherent in what their pain-points are and strive to minimize them. Thas how you can add real value and build trust in the organization.

I far to often hear “those people at IT have no idea what they are doing”. That shouldn’t be true. We should be the best at providing the services for OUR users. We should be the ones knowing their needs and strive to meet them.

Categories
Microsoft 365 Modern Workplace

Key take-aways from Ignite 2020

Ignite 2020 was a bit different from previous Ignite to say non the less. Instead of having an in-person event in New Orleans, the experience this year was a 100% digital.

It was as always, a bit overwhelming with a lot of interesting sessions, but you didn’t have to walk between sessions. Oh, and the coffee was really good this year!

Looking at what was covered from the modern workplace at Ignite this year there was one common theme. Remote working and the new normal that Covid-19 creates. There was a lot of talk about how the world has changed the playing field for remote work and that we might never go back completely to how it was before. Something that I find very intriguing since this is an areas I’m passionate about.

If you would only watch two of the sessions from Ignite 2020, I would really recommend that you watch Satya Nadella’s keynote on Building Digital Resilience and Jared Spataro’s keynote on The Future of Work. Those two were really good!

This was a year for refinements from device management. New options for what you can do during Windows Autopilot and Co-management/tenant attach. A lot of new things which will help a lot of companies on the road to transition from traditional management to modern management! If you want to geek out, here are all the Endpoint Manager related sessions, all the Teams sessions and all the Office 365 sessions.

Microsoft Tunnel

On of the things that really cought my eye on an early stage was Microsoft Tunnel, which is a Microsoft VPN solution without the need for any third party licenses. I think this will be very beneficial for scenarios where you are utilizing Microsoft solutions for VPN for Windows and don’t want to invest in additional services for your mobile devices.

Microsoft Tunnel is in public preview and is available on iOS and Android. You can read all about it here.

Microsoft Edge

Microsoft has been pushing the new Edge for a while now, and for a good reason too!

It’s a really good browser, built on Chromium but with Microsoft integrations. I’ve been using this browser since it first came out, and it’s really good now.

Microsoft is pushing it even more now and was also highlighting the Internet Explorer compatibility mode.

BUT the big thing for Ignite was Application Management for Edge on Windows 10 which brings the Application Protection Policy features from the mobile platforms to the desktop Edge browser. This means that you can manage just the application instead of the whole device. Additionally, Microsoft Edge will support the new Microsoft Endpoint Data Loss Prevention (DLP) service which will be launched in October from day one.

There were a bunch of other improvements to Edge presented as well, you can read all about it here.

Microsoft Teams

If you think there were a lot of new improvements introduced for Microsoft Endpoint Manager, it was nothing compared to Microsoft Teams.

It’s becoming increasingly clear that Microsoft Teams should not be considered a product, it’s a platform.

There were so many new things ranging from power platform and low-code solution for automated workflows to improved meeting experiences and wellbeing.

A few of the highlights that caught my attention were:

  • Breakout sessions
  • Custom layouts and new together scenes
  • Wellbeing and productivity insights
  • Improved first-line workers functionallity

You can read more in details here.

Categories
Digital Transformation Modern Workplace

What is Windows Autopilot – management edition

There are A LOT of misconceptions what Windows Autopilot is. Today I will try to sort those misconceptions out.

You have already heard a lot of different presentations about Windows Autopilot, why you should use it and why it’s so great. Because of that, I’ll leave most of those things out. This wont a technical post about what Windows Autopilot is, this will be more of the management edition of this.

Windows Autopilot – the concept

The basic theory behind Windows Autopilot is to streamline and take away time-consuming phases in the setup process of a corporate computer.

In the “traditional world” you would need to be on the corporate network and press F12 on the computer to initiate the installation of your custom image, that your IT-guys built. This custom image of Windows contains all your customizations, drivers and settings are pushed through Group Policy Objects, also called GPO. Many companies requires the computer to be “known” before it’s installed and you do what is called a pre-stage where you create the computer account in the active directory (AD) and assign group memberships. This process can take from an hour up to a few hours based on your connection and size of image (it’s usually pretty big).

In the world of Windows Autopilot, you take advantage of that the hardware manufacturer has already put a Windows 10 installation on the computer, with drivers installed from the factory (this is actually how computers are shipped even if you don’t use Windows Autopilot). Your vendor/partner/IT-department registers the computer hardware ID, which is unique to each computer, with your Microsoft tenant. Computer can also be joined to Azure AD groups based on this hardware ID.

When the computer is launched the first time, the user will be greeted with “Welcome to Contoso” and then asked to sign in. When sign in is completed, the computer is registered in Microsoft Intune and settings and customizations are applied.

This process is A LOT faster than traditional OS-deployment. The entire process and the computer are ready to use in 30-60 minutes (based on connectivity). All traffic is routed through the internet during setup and any connectivity to the corporate infrastructure can be routed through VPN if needed.

If you do the math, you can deploy a whole lot of more computer for a lower cost using Windows Autopilot.

Windows Autopilot – the reality

This sounds pretty neat huh?

But what is Windows Autopilot? Is it a completely new tool? Will it replace Microsoft Intune? What will my IT-technicians do, they spend 80% of the time installing computers today?

Without getting to technical about this, Windows Autopilot is a new name on a bunch of things that has been around for a while. And some new features.

Windows Autopilot is utilizing a lot of different technologies and should be viewed more as a workflow or a process rather than a technical feature. It combines the power of Azure AD, Microsoft Intune, and Microsoft Store for Business to provide a streamlined process for installing new computers. That’s about it.

This means that Windows Autopilot is nothing else than an automated and standardized process of setting up computers for your company.

However, from a technical point of view, there is a lot more things going on though. But this is the simple version.

Key take-away

The key take-away, and the thing to consider, around Windows Autopilot is if you need all the fancy switches and total customization you have with the traditional approach. Or would a lighter weight management do the trick for you? It probably will…

There are of course some if’s and but’s around this, but in general there aren’t that much. Your users could get their computer delivered straight to them and set them up by login in, given that they have internet access at their location.

There are options to prepare the computer for the user by having a technician do half the registration and setup to then re-seal the computer and ship it off to the user, if you want to minimize the amount of work being done by the end-user. This way, initial setup will be shorter for the end-user.

If you view Windows Autopilot as an automated process to setup computers in your organization and not a technology, things get a lot easier. With that said, it won’t suite all your special situations for computers, but you will cover most cases for office-based work!

Categories
Digital Transformation

Expectation management and communications

Before we get started, I’m in no way pretending to be a communications professional. These are just my experiences and learnings down the road.

Let’s face it, and we all know this. In general, we in IT are not great in end-user communication and expectation management. We live and breathe technology, and somewhere we sometimes forget that someone is supposed to use our fancy-best-of-breed-solution.

Okay, a bit over generalizing but if you have worked in IT, I think you might recognize this. We often forget about the end-user and we fail to tell them about all the wonderful things we do, but also what they can expect from us.

I will try to provide you with a high-level view, to help YOU take the decisions what to do and why, not really the HOW in this post.

Now that we have managed the expectations, let’s get into this.

Expectations management

Since you are reading this, I assume that you are in some way involved in the end-user service area and are either providing or helping to provide services to end users. You are operating in the layer where most users interact.

But what have you promised your end users? What are they buying from you? Do they know or are they just “paying the bill”? This is something that varies between organizations, depending on size, location, culture, and previous structures of the IT department.

But what are you selling to your end users? Are they just buy “a computer” or are there more services attached like deskside support and a helpdesk?

There are a lot of questions related to this, and hence one of the themes for this post.

What do your users THINK that they are buying and what are you delivering?

This is the most important part which is also the trickiest one. To set an expectation with your users (which are your customers) on what they will receive buying the service from you. It might be that you are the only one that are allowed to provide this service within you organization, or that you are the preferred one but they could operate it them self or turn to a third party to provide this.

None the less, making it clear for the end users on what to expect from your service is increasingly important. Especially since enabling new services is three clicks and a credit card away…

What value are you adding to the equation?

End-user communications

Enter end-user communications. This is a hard area and there is a reason that organizations hire communications professionals. They might not know all about fancy IT stuff (that’s not why they were hired), but you can make sure that they know all about getting your message out there!

From my experience by working in the end-user area, this is something that is super important but also, very often forgotten about. We tend to update something we consider as small, but it might have huge end-user impact. If we don’t successfully inform our users about this, we might cause unnecessary frustrations. Even though we need to adopt an Evergreen mindset, we need to make sure that our users know what’s going on. Keep them in the loop.

I’m no communications expert, but I’ve seen and delivered the outcome from projects where there were a lot of end-user communications and less communication. What do you think where the most successful, in the aspect of user adoption?

Yes, the projects where extensive end-user communications were performed.

However, you always need to adopt amount/channels/information to whomever is the target for the change. Some information might only be needed by your support people, other information might be of more value to your end-users.

The go-do / take away

So, what is the takeaway from this?

Try to define your services for your end-users possible and communicate these. A PDF hidden away on a SharePoint site will never be found, putting it on some sort of intranet site might be a better idea to clearly state to your end-users what they can expect by buying the service from you and what value you add to them.

This is of course something that varies between businesses, but defining services is a crucial step to set the expectations right with your users.

I would also really encourage you to reach out to your communications professionals within your business for advice and work together with them. They can really help you get you message out there, making sure that your end-users (customers) understand why things are happening and changing in the way they are. But don’t expect them to do your work for you. You will still need to put in the effort but getting their advice and/or input might change the success rate of your project.

Categories
Intune Modern Workplace

Why managed Android matters

Looking at the Swedish market, most of the companies I meet are managing their devices. These devices are usually iOS/iPadOS devices since, let’s face it, iOS has been superior in the Mobile Device Management segment throughout the years since they have had more settings exposed to MDM than Android. This has however changed over the years and the difference is not at all the same as of let’s say 3-5 years ago.

We can always discuss why platform A is better than platform B, but let’s not get into that. Everyone will have a separate opinion on this.

Looking at where we are today, many companies I meet manage their iPhones and iPads but haven’t really gotten around to Android yet. It’s still in some sense viewed as a secondary platform and not something that is wanted (it’s one more platform to provide end-user support on for one thing).

I fully respect this. However….

Looking back at my previous posts about what tools people to expect to use in the workplace, we are seeing a lot of growing demand for Android devices.

This could be out of personal preferences, the fact that the device is cheaper or the iPhone not being available in the market where the user lives. But this means that dodging the question of Android becomes harder and harder. And the later you get on top of Android, the harder the transition will be since Android is a lot different to manage compared to iOS/iPadOS.

For Android, you have to options depending on your wants and needs. You have Work Profile and Device Owner.

Management methods for Android

You should AT ALL COST avoid using Device Administrator since this is a legacy protocol which will be decommissioned by Google.

In this post I will not cover the dedicated devices method since this is meant for special adoptions and not regular end-users.

Work Profile

Work Profile is the most basic version of Android management and it has the least impact on already existing phones. Your users must download the Company Portal to enroll into Intune. This will create a separate “work sphere” where all corporate data will live.

This is the easiest form of Android management and you can deploy applications, configurations, and compliance policies. The work data will be separated from the personal data, but there are some limitations around management. This is the easiest way to start managing your Android devices without too much user impact.

Device Owner

Device owner or fully managed is the full feathered version of Android management where Intune takes total control of the device. This is more like how the iOS devices would be in a supervised mode. This management method also enabled Google Zero Touch enrollment (or Samsung Knox) for easier user onboarding. But you can of course have your users scan a QR code on first launch.

A huge benefit with this from a corporate perspective is that the user won’t need a Google account to enroll and download corporate applications. They can add a personal Google account, but it’s not needed to use it as a corporate device. Google accounts can otherwise be a hassle for less experienced user.

Company-owned work enabled

This version of Android management is when this blogpost is being written to officially launched, it’s still in preview.

This is however a combination of Work Profile and Device owner management where you as an organization gains full control over the device (giving you more management capabilities) but corporate data and personal data is separated.

This requires a device reset, just as device owner, but the user will get one corporate sphere and one personal sphere. The data is managed in the corporate sphere and left to the end users’ privacy in the personal sphere.

In my view, this will be the more attractive version of Android management overall since you can have a separation between personal and corporate data.

This method works extra smooth if you combine it with Google Zero Touch or Samsung Knox. If you don’t see a possibility to have this in place, you can of course have your users scan a QR code on first launch.

Where should you start?

Start small and start easy. If you have a lot of Android devices today, Work Profile is the best place to start. Having users reset their devices containing photos, apps etc. is not a popular thing to do. You could argue that it’s a corporate device and your users must comply, but this is not an effective way to build trust and getting the devices into management.

If you have just a few devices and looking to introduce Android into your environment, Device owner or the new Corporate-owned work enabled method is the way to go. You will have fresh devices going in and the need for a reset doesn’t exist. Combine this with Google Zero Touch or Samsung Knox and you will have a killer user on-boarding experience!

What are your thoughs on Android and where do you stand today? Comment below!

Categories
Intune Modern Workplace

What is the difference between a user and a device?

As I’m browsing through the Microsoft Q&A forum for Intune related question, there is one thing that I see which seems to be a quite common misconception. That misconception is the difference between what a user is and what a device is.

It’s not that people don’t know the physical difference between what a user (a person) and a device (an object) is, it’s in the sense of how they differ in Intune management and the cloud world.

Let’s try to sort this out, shall we?

Definitions:
  • User noun – “A person who uses or operates something.”
  • Device noun – “A thing made or adapted for a particular purpose, especially a piece of mechanical or electronic equipment”

Disclaimer: I’m trying to wright this extremely simple and basically assuming that the term user and device is not known.

Who is the user?

The user is the person who in your organization is consuming the services and using devices. Users are usually a 1:1 scenario, but you might also have service users and group users. Behind a user there is in most cases ONE person (the Microsoft license structure kind of assumes this as well).

In an Intune context, the user is the person who uses the device. The user is in a the most common context tied to a specific device where the user is the primary user and owner of the device.

A user might have multiple devices such as a computer, a phone, and a tablet.

An Azure AD user

What is the device?

The device is the piece hardware which the services are consumed on. This can be a computer, tablet, or phone. The device must, in an Intune context, run any of the supported operating systems:

  • iOS
  • iPadOS
  • macOS
  • Windows 10
  • Android

The device usually has one main user and owner, which is the one tied to the device in Intune and Azure AD.

An Intune enrolled device

What is the difference and why does it matter?

But why does this all matter?

The reason this is important is in how you in Intune would distribute configurations, compliance policies, applications and so on.

When you distribute any of these in Intune, you get to select whether you want to assign this to users or devices. Without knowing the difference, knowing which option to select is hard.

However, the item itself is never applied to the user. It is ALWAYS applied to the device. The assignment only decides on what devices to apply the item in question.

If you assign to a device

If you assign your e.g. configuration with a device centric approach, this means that the configuration will only follow that device. If the user uses another device, the configuration will not be present on the second device.

If you assign to a user

If you assign your e.g. configuration with a user centric approach, this means that the configuration will follow the user. If the user uses another device, the configuration will apply also to that device (given it’s applicable for the device type).

The key take away

It pretty much defines how your configurations, policies and applications are distributed and utilized.

The conclusion of this is that, depending on what scenario you want to fulfill, you might have to assign things in different ways. There are also a few things that might make more sense in distributing in one way or another.

One thing that is important to keep in mind around applications is however the fun topic of licensing. Depending on how you have licensed an application, you might have to distribute in a certain way. So that is something that is important to think about when purchasing applications.

Categories
Intune Tips & Tricks

Silent Bitlocker in Windows Autopilot

When enrolling devices through Windows Autopilot and using Intune enabling Bitlocker without user interaction can be a little bit of a hassle since the default behavior is to ask the end-user to encrypt the device in runtime.

This pop-up can easily confuse end-users and the device is not really “ready to use” once the Enrollment Status Page (ESP) has closed.

There are several different solutions for this, where running a PowerShell-scrip as a Win32 app during enrollment is the most common one.

BUT I’ve found a way to skip this, but it does have some distinct limitations (except for all other Bitlocker requirements):

  • Use Intune for device management
  • Device can only be joined to the Azure AD
  • Running Windows 10 1809 or later
  • No third-party disk encryption services can be used

So how do you configure this?

In Microsoft Intune, go to Endpoint Security > Disk encryption and create a new profile:

Select “Windows 10 and later” as platform and choose the Bitlocker profile, then click create. Give your profile a name based on your naming convention and click next.

To enforce Bitlocker during enrollment, you need to

  • Set “Enable full disk encryption for OS and fixed drives” to Yes
  • Set “Hide prompt about third-party encryption” to Yes
  • Set “Allow standard users to enable encryption during Autopilot” to Yes

A heads up on these settings though, if you are using any third-party encryption, you might break the machine and you will have to re-install the machine. So be careful if applying to existing machines.

Then set your preferred settings for Bitlocker on OS and fixed drives, this is what I am running in this lab setup. One good setting to use is “Require device to back up recovery information to Azure AD” to ensure that you have the recovery information available for the machine. These settings might vary based on your organizational needs and requirements.

Click next until you end up on “Assignments” and select your targeted device group.

Click next and review your settings before hitting “Create” on the Review + Create page.

And that’s it! Your devices will now silently encrypt using Bitlocker during Autopilot enrollment.