Category: Intune

  • I took Windows 365 Link for a test drive

    At Microsoft Ignite last year (2024), Microsoft released a small black computer called Windows 365 Link, which I wrote a post about that you can find here.

    In the first release wave, only a few countries were included. When this post is being written, the second wave has just been announced and we now have the Link available in the following countries:

    • Australia
    • Canada
    • Denmark
    • France
    • Germany
    • India
    • Japan
    • Netherlands
    • New Zealand
    • Sweden
    • Switzerland
    • UK
    • USA

    And since I’m based in Sweden, we were included in the second wave so I just got my hands on a test unit!

    What is the Windows 365 Link and first impressions

    So the Windows 365 Link is a small computer, which is surprisingly heavy given it being a little bigger than an Apple TV. It’s a compact device and it feels sturdy. It has a matt black plastic casing and a non-slip bottom.

    The concept of Windows 365 Link is, to be 100% honest, not new on the market. Thin clients have been around for a long time. But this is like Windows 365 in general, it’s just made way simpler. It’s your link to Windows 365 and built for Windows 365 and not to work with any virtual environment. For what it’s built for, it’s an awesome device. Oh, and the best part (in my opinion) is that it runs Windows, and you manage it from Microsoft Intune. This means that your device management team can just treat it like any Windows device.

    When I first set up the device, I thought I did something wrong because I just booted it up, connected to a Wi-Fi and signed in. Then I was done. It was super fast and I was sure that something went wrong since I hadn’t added it to the corporate device identifier list for device preparation. Turns out I had enabled personal devices for testing something a while back and hence it went straight through!

    Before we start

    One thing you will learn, either the hard way or by reading the Microsoft documentation, is that it’s recommended to suppress the SSO prompt you get when you sign into a Cloud PC the first time. Using SSO with your Cloud PC is a requirement in order to use the Link.

    You will do this in two steps and I found the Microsoft documentation fairly easy to follow along. What you need to initially do is to create an Entra ID group where you place all your Cloud PCs (a dynamic group would be preferred). You can use a dynamic device group query like this one:

    (device.deviceModel -startsWith "Cloud PC")

    When you have created your group, follow these two steps.

    1. Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID | Microsoft Learn
    2. Configure single sign-on for Azure Virtual Desktop using Microsoft Entra ID | Microsoft Learn

    What this does is suppress the SSO pop-up, which would otherwise prevent you from actually signing in to your Cloud PC on a Windows 365 Link, since the Link does not support this interaction at this point in time.

    Setting up the device

    But how would we set up the device in a proper way?

    To be honest, Microsoft’s own guide for this is so good and easy to follow that I won’t even try to recreate it. You can find it here!

    In order to successfully enroll the device, you also need a Device Preparation Policy which is not described in the guide. If you have been playing around with this for physical devices (often called Autopilot V2), you can re-use the one you have. Otherwise, here is a guide to create one.

    Since most companies do not allow personal devices to be enrolled, you have two options. Create a new enrollment restriction policy targeting ONLY your Windows 365 Link devices (this is described in the Microsoft guide), or add them to the “Corporate Device Identifier” list. For the second option, you need to upload a CSV with all the Windows 365 Link devices you want to enroll. The format should be something like this:

    Microsoft Corporation,Windows 365 Link,[DEVICE SERIAL NUMBER]

    What this does is allow you to enroll devices which are pre-registered using Device Preparation.
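
    A small PowerShell helper for building that CSV, added here as an example (it is not part of the original post or of Microsoft's guide). The serial numbers are constructed samples, the output file name is hypothetical, and the allowed-character check is an assumption meant to catch values that would break the three-column layout.

    ```powershell
    # Added example: build the corporate device identifier CSV for Windows 365 Link.
    # Serial numbers below are constructed sample values, not real devices.
    $serials = @(
        'SAMPLE0001'
        ' sample0002 '      # stray whitespace from a copy/paste
        'SAMPLE0001'        # duplicate entry
        'BAD,SERIAL'        # a comma would add a fourth column
        ''                  # empty line from a spreadsheet export
    )

    function New-LinkIdentifierRow {
        param([string[]]$SerialNumber)

        # Track serials case-insensitively so the same device is listed once.
        $seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)

        foreach ($raw in $SerialNumber) {
            $serial = "$raw".Trim()
            if (-not $serial) { continue }

            # Assumption: serials contain only letters, digits and hyphens.
            if ($serial -notmatch '^[A-Za-z0-9-]+$') {
                Write-Warning "Skipping '$serial': unexpected characters."
                continue
            }
            if (-not $seen.Add($serial)) {
                Write-Warning "Skipping '$serial': duplicate entry."
                continue
            }

            # Manufacturer and model exactly as shown in the format line above.
            'Microsoft Corporation,Windows 365 Link,{0}' -f $serial
        }
    }

    $rows = @(New-LinkIdentifierRow -SerialNumber $serials)

    # One line per device, no extra columns; the file name is hypothetical.
    $rows | Set-Content -Path '.\W365Link-CorporateIdentifiers.csv' -Encoding ascii
    Write-Output ("Wrote {0} device row(s)." -f $rows.Count)
    ```

    Review the warnings before uploading: every row in this list marks a device as corporate, so a mistyped or unexpected serial should be checked against the physical unit rather than silently included.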

    When you have gone through all the preparations, you are now ready to go!

    Just plug it in to a monitor, connect keyboard and mouse!

    When enrolling the device, you can either join it as a personal device or as a shared device using a Device Enrollment Manager (DEM) account (we haven’t seen the need for those in a while). Depending on your usage scenario, you choose one of those, but the enrollment will happen in the same way.

    The OOBE is a lot slimmed down compared to a normal PC. You basically miss the enrollment if you blink. Enrollment is done with a personal user if this will be a user’s primary device, or you can enroll it using a Device Enrollment Manager (DEM) account if it’s a shared device.

    The enrollment is done when you are asked to sign in to your Cloud PC, and this means that you are ready to go!

    Using the Link

    I’ve been forcing myself to use the Link as my daily driver when working from home. Just to get a sense of what the experience is. My experience with using thin clients is quite limited, so I might be blown away by obvious things here. But then you need to take into consideration that I come from a pure Intune background and my experience with the virtualization space is Windows 365.

    I’m really impressed by the responsiveness and how smooth the user experience is. When using it as my daily driver, I sometimes forgot that I was using Windows 365. The experience is that good!

    What I do miss however is to be able to use Windows Hello for Business to sign in. I can use a FIDO2-key (like a Yubikey which I’m using) which works really well. But I can’t use my fancy Logitech camera with support for Hello. I kind of get it since this device has been positioned for hot desking. So, it makes sense from that aspect.

    What I do miss however is a USB-C port on the front. There are a few ports, including one USB-C port on the back. But on the front, we only get a USB-A. If you have gone for a more future proof FIDO2-key with USB-C, this gets a little bit more complicated to use since that port is on the back.

    I think one thing that becomes important as well might be to have a screen with a built-in USB hub. If you have a headset, mouse/keyboard and a web camera, you are missing one USB port (unless one of these is USB-C).

    What I like and don’t like

    Overall, I really like the simplicity of the Windows 365. My “home office test” is probably not the ideal use case for this device. It makes more sense in shared office space to be honest.

    What I did like:

    • The simplicity.
    • The esthetics. It’s sleek and pretty discreet.
    • The “like local experience”. It makes Windows 365 feel like a physical PC.

    What I think could be improved:

    • The number of ports.
    • The lack of a dedicated user mode. (I get why though).
    • No way to control sound output source.

    My two cents

    Should you buy one for your personal office space? Probably not. It’s a nice device. But you kind of notice from the experience that maybe this is not really meant for personal use.

    Should you buy it for a shared workspace or hot desking? Absolutely! A great way to create a simplified shared environment.

    The more hardcore virtualization people will claim that “this is nothing new, it’s just a Microsoft thin client” and that is true. But what I really love about this is that your device team can deploy this by using the tools they already have. Sure, you don’t get the perks that e.g. IGEL brings, and you are locked into Windows 365 only (no AVD). But if you are looking to make a move to simplify your setup and use the “Windows 365 mindset” this device makes perfect sense.

    One thing I’ve heard people comment on is that: “there is no way to install agents on it, we require a webfilter/proxy agent for all our devices on the network”. To be honest, this device should live on the internet and not corp-net. All user traffic happens from the Cloud PC, where you can have this agent installed. There is no way the end-user can browse the internet from the Link itself. If you look at the documentation, Microsoft specifies which ports and URLs need to be allowed in your firewall/proxy. I know we are not in a world where we put our devices on a pure internet connection yet (the zero trust way of doing things). Maybe this could be the driving factor to re-think how we are using devices in the office?

    Is it the perfect device? Probably not. Can you buy something else and get the same user experience? For sure.

    But can you buy something else and have such a simple end-to-end solution? No!

    I think this is where the Link fits into the puzzle. It’s simple and if you are just entering the world of Windows in the Cloud, this is a great entry ticket! It’s not just about the Link as a standalone device. You need to look at it as a part of a bigger picture and a key player in the Windows 365 eco system.

    After using it for a few days, I’m even more convinced that Windows in the Cloud is the future for Windows. Sure, you can close your laptop and just return to where you left off. But imagine being able to just leave the laptop and keep working from whatever device you have at hand, where you left off. We are only in the beginning of a reinvention of how we use Windows in our day-to-day life!

  • Summer recap – 2025 edition!

    Living in the Nordics means that from around mid-June to mid-August everything basically is put on halt due to summer vacations. And that means that more time is spent away from the computer than at the computer for me.

    So let’s do a recap of what we missed during the summer vacation period. Here is the stuff that I found most interesting which was announced during the summer!

    I’m on purpose leaving out all the community updates and things which were released during the summer. Let’s focus on what Microsoft put out there!

    What I’m personally most hyped about is that I’m going to Berlin in September to talk at AVD TechFest where I will talk about how you manage your Cloud PCs and also some sustainability aspects of using Windows 365!

    I hope to see you all there.

    Windows news!

    Windows 2030 vision – Security

    Microsoft has released the first part of a series with the vision for what Windows will be in 2030. Really interesting video and concept, given that we are only 5 years away.

    Security leadership in the age of constant disruption | Windows Experience Blog

    Windows 11 25h2 information!

    As we all know, Windows 11 will get its annual update during the fall. Microsoft has released more information about the update, and we are looking at a smaller update compared to the 24h2 one.

    Get ready for Windows 11, version 25H2 – Windows IT Pro Blog

    Windows 11 cloud-native migration with Microsoft Intune

    Are you looking to move to cloud native? This article from Microsoft gives some great guidance.

    Windows 11 cloud-native migration with Microsoft Intune

    Microsoft Connected Cache in GA

    Want to save some bandwidth when deploying updates? Have a look at Microsoft Connected Cache which went into GA during the summer!

    Microsoft Connected Cache is now generally available – Windows IT Pro Blog

    Resilience in action for Windows devices and Quick Machine Recovery

    Microsoft is committed to increasing the resilience in Windows and has put out a blog post talking about what investments they are making. One of these things is the Quick Machine Recovery feature which will enable you to restore a broken computer faster!

    Resilience in action for Windows devices

    Hotpatching for ARM64

    If you have been using Windows Hotpatching you might have noticed that ARM64 devices were not included. During the summer, Microsoft announced that ARM64 devices will now be able to utilize this feature as well!

    Hotpatching now available for 64-bit Arm architecture – Windows IT Pro Blog

    Windows release information toolbox

    Are you struggling to find all the release information you need for Windows? Microsoft has created a one-stop-shop for you over at https://aka.ms/WindowsReleaseHealth and you can read more about it here:

    Your Windows release information toolbox – Windows IT Pro Blog

    Upgrade to Windows 11 with Autopatch – Playbook

    Are you looking to move faster to Windows 11 since Windows 10 is going out of support on October 14th this year? Did you know you could utilize Windows Autopatch to do the upgrade for you? Check out this playbook from Microsoft on how to use it!

    Upgrade to Windows 11 with Windows Autopatch groups – Windows IT Pro Blog

    Windows 365 news!

    Intelligent pre-start for Windows 365 Frontline in dedicated mode (preview)

    Microsoft has released a preview of intelligent pre-start for your Frontline Cloud PCs in dedicated mode, making the start-up time even faster. It has to learn the user’s behaviour, but will improve the user experience!

    Intelligent pre-start for Windows 365 Frontline in dedicated mode (preview)

    Select redirections disabled for newly provisioned and reprovisioned Cloud PCs

    Windows 365 is enhancing Cloud PC security by having clipboard, drive, opaque low-level USB, and printer redirections disabled by default for all newly provisioned and reprovisioned Cloud PCs. 

    Windows 365 Reserve

    This is one of my favourite pieces of news: the Windows 365 Reserve feature, which was announced and put into limited preview during the summer. The concept around Windows 365 Reserve is to offer a way to get productive if your computer fails for some reason. You can quickly get a Windows 365 machine up and running which you can use for up to 10 days while your computer is being fixed or restored from ANY device (since you can use Windows 365 from any device you like).

    Enhancing business continuity: Windows 365 Reserve is now in limited public preview! | Microsoft Community Hub

    RDP Multipath is now generally available 

    Improving on user experience and performance, RDP Multipath will improve your connection reliability by evaluating multiple network paths between your physical and Cloud PC/session host. This went into GA during the summer!

    RDP Multipath is now generally available for Azure Virtual Desktop and Windows 365 – Windows IT Pro Blog

    What’s new in Windows 365

    There was also a bunch more news around Windows 365 which you can find here: What’s new in Windows 365 Enterprise | Microsoft Learn

    Intune news!

    Security Copilot for Intune GA

    Security Copilot for Intune has been in preview for a while and has now been released as GA. It still requires you to have SCUs deployed in your environment and that you are using Security Copilot.

    Microsoft Copilot in Intune features overview | Microsoft Learn

    Platform SSO for macOS GA

    After being in preview for quite some time, Platform SSO for macOS has now been moved to GA!

    Now Generally Available: Platform SSO for macOS with Microsoft Entra ID

    What’s new in Intune

    There was also a bunch of other Intune news during the summer, which you can find here: What’s new in Microsoft Intune | Microsoft Learn

    Other news!

    Edge got a new Copilot feature, and the Copilot button moved a bit. A new interesting way of browsing the web and using Copilot to assist you!

    Introducing Copilot Mode in Edge: A new way to browse the web – Microsoft Edge Blog

  • I messed up Teams so you don’t have to!

    For the last two months I’ve had a weird error on my Copilot+ PC. Whenever I try to join a Teams meeting, nothing happens. It just kills the process. I’ve spent a few minutes here and there trying to figure out what the problem was, but never really found anything (troubleshooting is not my favorite topic). Since it only affected my ARM-based device and none of the X86-based devices nor my Cloud PC, I could still work.

    But then I enrolled a second ARM-based device, and it got the same problem. So I decided to actually put some time into it.

    Where did I start?

    Initially I was really convinced that “okay Defender is blocking this” since I found that Defender flagged some Teams meeting links as malicious. But turns out, it didn’t actually block it. How did I come to this conclusion?

    Well, Teams worked as intended if the PC was unmanaged, leading me to think that “yes, it’s Defender for Endpoint” until I enrolled the device again and excluded ALL policies and never onboarded it to Defender for Endpoint.

    And guess what? Still same issue… Teams would start meetings and webcam and microphone were grayed out.

    So what next?

    Teams logs

    This is probably where any sane person would start, but I didn’t.

    After exporting the Teams logs and getting some help from ChatGPT, I found that Teams is trying to load a component called VDIBridge, but it fails. And it was not just once. This led me to research that a bit, and it turns out that this is a server-side channel module, which among other things redirects media to the local endpoint. The VDIBridge is bundled with the VDI version of Teams.

    Okay, so Teams on my ARM based Windows PC thinks it’s a virtual device. That is VERY strange!

    I compared it to an X86 device which had all the policies from my tenant, but with Teams that works, and found that it does not have this error.

    So for some reason, on my ARM device, Teams is convinced it’s a VDI and not a physical PC.

    Trying workarounds

    This led me into researching why my ARM device would identify as a VDI in Teams’ eyes.

    The internet told me that “there might be variables added by Intune” and “delete the ‘IsWVDEnvironment’ registry key if it’s set to 1”.

    But I didn’t have any variables in my Intune environment which got added, nor did I have that registry key, and I even tried creating it and setting it to 0. But it didn’t help.

    However, I found one thing that planted a thought in my head, that if you have some Citrix registry keys or applications installed on the device, this COULD happen on ARM based devices. But I don’t have any Citrix software deployed to my machines.

    But I do have Microsoft software assigned to my devices…

    Looking through what apps are being pushed from Intune

    Since unmanaged devices didn’t have this issue, but managed had, I decided to have a look at what applications I install on all my devices.

    I had the usual stuff, Microsoft 365 Apps for Enterprise, Teams, Spotify, the Windows app. And then I found two weird ones:

    • Remote Desktop Multimedia Redirection Service
    • Remote Desktop Services Infrastructure Agent

    These are two applications that are used within virtual environments, and especially the first one, Remote Desktop Multimedia Redirection Service, is telling the VDI to redirect things like Teams meeting audio/video to the local device. The other one is used to communicate with the Remote Desktop Service from the session host.

    These are two applications you install on virtual machines, not on physical machines.

    Turns out, I for some reason had assigned it to all my Windows based devices, not only Cloud PCs.

    What now?

    So first action, remove these from the assignment from my physical devices in Intune and make sure we uninstall it from all the physical machines.

    In order to make sure this was actually what caused it, I manually uninstalled both of the applications from my ARM device and then I re-installed Teams.

    And Teams worked.

    Lesson learned

    So what did we learn from this?

    Well don’t assign applications built for virtual clients to redirect things on physical machines.

    For some reason, it works without any issues on X86 machines, hence me not realizing initially that there was an issue. On ARM devices, it all of a sudden tells Teams that “hey, I’m a VDI! Let’s try to redirect the media onto the local device” and fails.

    This also means that if you are deploying applications meant for VDIs, make sure not to deploy them to your physical machines. Use filters or dedicated groups and don’t do what I had apparently done: deploy it to all devices.

    And this is again why I hate computers!
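
    A detection script for the misassignment described in this post, added here as an example (it is not from the original post or from Microsoft). It reuses the "Cloud PC" model prefix from the dynamic group rule earlier on this page and the two application names listed above; that the apps register under exactly those display names in the Uninstall registry keys is an assumption. The exit codes follow the Intune Remediations convention, where exit 1 from a detection script flags the device.

    ```powershell
    # Added example: flag physical devices that have VDI-only components installed.
    # Display names are taken from the post above.
    $vdiComponents = @(
        'Remote Desktop Multimedia Redirection Service'
        'Remote Desktop Services Infrastructure Agent'
    )

    function Test-IsCloudPC {
        param([string]$Model)
        # Same test as the dynamic group rule: deviceModel starts with "Cloud PC".
        return ($Model -like 'Cloud PC*')
    }

    function Get-InstalledVdiComponent {
        param([string[]]$Name)

        # Assumption: the components register in the standard Uninstall keys.
        $paths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )

        Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
            Where-Object {
                $displayName = $_.DisplayName
                # Prefix match so version suffixes in the display name still hit.
                $displayName -and ($Name | Where-Object { $displayName -like "$_*" })
            } |
            Select-Object DisplayName, DisplayVersion, PSChildName
    }

    $model = (Get-CimInstance -ClassName Win32_ComputerSystem).Model

    if (Test-IsCloudPC -Model $model) {
        Write-Output "Compliant: '$model' is a Cloud PC, VDI components are expected."
        exit 0
    }

    $found = @(Get-InstalledVdiComponent -Name $vdiComponents)

    if ($found.Count -gt 0) {
        $names = ($found.DisplayName | Sort-Object -Unique) -join '; '
        Write-Output "Non-compliant: physical device '$model' has VDI components: $names"
        exit 1
    }

    Write-Output "Compliant: no VDI components on physical device '$model'."
    exit 0
    ```

    Run across the whole Windows fleet, this surfaces every physical machine that received the VDI apps, including X86 devices where the problem stayed hidden.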

  • Making changes to existing Cloud PCs

    Since Windows 365 and Cloud PCs is a service which is constantly being updated with new features and available regions, making updates to an existing provisioning policy and all your existing Cloud PCs.

    A while back, Microsoft introduced the possibility to apply the updated provisioning policy to all existing Cloud PCs, but this will not cover all modifications; some need a re-provisioning. But if we look at things we can update without re-provisioning the Cloud PC, we have three things:

    • Changes to Entra single sign-on for all devices
    • Changes to region or Azure network connection for all devices
    • Changes to region or Azure network connection for a single device

    For enabling single sign-on (SSO), the Cloud PC will not need to be restarted unless it was provisioned prior to April 2023. For changes to the region or Azure Network, the Cloud PC will be shut down during the move and unavailable to the end-user, meaning that this needs to be planned and users will lose any unsaved data when they are disconnected due to the move.

    But let’s look at each one of these and see how they work.

    Changes to Entra single sign-on

    Back in 2023, Microsoft finally made the move to put the single sign-on as generally available after having been in preview for quite some time. This is, when I’m writing this, about 2 years ago meaning that a lot of organizations might have already enabled this. But if you haven’t, this is how it’s done.

    In Microsoft Intune, navigate to Devices and Windows 365 and select the Provisioning policy tab to view all your policies. Find the policy you want to update and select it. Click on “Edit” next to General to edit the part where SSO is located.

    At the bottom of the page, find “Use Microsoft Entra single sign-on” and check the check-box next to it. Then press Next then Update at the bottom of the screen to update the policy.

    You have now successfully updated the policy for all NEW Cloud PCs being created with this policy. But what about the existing ones?

    Well, back at the policy overview page, you have an option to select “Apply this configuration”, which makes it possible to update existing Cloud PCs with some of your updated configuration.

    When you click the “Apply this configuration” button, you will get three options where you select “Microsoft Entra single sign-on for all devices“, since we want to update the SSO settings.

    When you click this option, you will get a notification that the update has started.

    If your Cloud PCs were provisioned before April 2023, the Cloud PC will shut down during the update. Please notice that this does not happen instantly, it can take a while to apply for all machines in a larger environment.

    Changes to Region or Azure network connection

    The other change you can do is to move the Cloud PC to a new region. This could be due to that the user has moved location or due to new regions opening up and you want to move the Cloud PC closer to the end-user. Or you want to move it to a different Azure network.

    Please be aware that you CANNOT move from Entra join to Hybrid join using this method. This will require a re-provisioning. You can however move a Cloud PC from an Azure Network Connection (ANC) to a Microsoft hosted network and vice versa given that they are Entra ID joined. For Hybrid joined you can move them between different ANCs.

    Supported move scenarios

    Given that our move scenario is supported, we can go ahead and update our provisioning policy by navigating to Devices and Windows 365 and select the Provisioning policy. Then open the provisioning policy you want to update and select Edit on the General section.

    Scroll down to the bottom and find the Join type details section.

    In this example I want to update the policy to use an Azure Network Connection instead of a Microsoft hosted network. But you can just as well update to another region if you are using Microsoft hosted networks, or update to another ANC.

    When I’m done I click Next then Update on the bottom of the screen.

    We once again select the “Apply this configuration” option, but we select the Region or Azure network connection option.

    As you can see, we have the option to either update ALL Cloud PCs related to this policy or we can update selected devices. If you select the bottom one (to update selected devices), you will get the option to select which devices when you press Apply.

    PLEASE BE AWARE that this action will disconnect and shut down the Cloud PCs for the end-users, so it’s a good idea to do this change in a controlled manner and make users aware that the change will happen before you click apply. It’s a good idea to do this during a weekend or other time frame when users are not expected to use these machines.

    Intune will give you a notification that the process has started, and this process will take several hours to complete.

    Take away

    Using these features, you can update your Cloud PC configuration to some extent if you e.g. didn’t enable SSO when you initially configured your device.

    It’s also great to optimize the use of regions and move users between networks for different reasons.

    But as I mentioned, we cannot move from Hybrid join to Entra join using these features. For that scenario a full reprovisioning is needed for the Cloud PC since the join type cannot be changed in an easy way.

  • How to enable Recall and Click to do on a Copilot+ PC

    If you have a Copilot+ PC and you are running Windows Insider, you can now enable Recall.

    If you have totally missed what Recall is, the short story is that it’s a way to back-track what you have done earlier and move back to snapshots of your workdays to find things for example.

    Recall requires that you have Copilot+ PC, otherwise this is not available. So, if you don’t have a Copilot+ PC, you don’t have to worry about users getting this.

    Also, Recall is not enabled by default and on a managed PC, you as an admin need to enable it with e.g. Microsoft Intune for the users to even be able to opt-in. This also goes for the Click to Do feature.

    Enable Recall

    To enable Recall on the device, you need to set a policy using GPO or MDM policies. Since my go-to tool is Microsoft Intune, let’s dive into how to enable and control it.

    Head into the Microsoft Intune portal and navigate to Device – Windows – Configuration and create a new configuration profile. Select Windows 10 and later as platform and Settings catalog as profile type.

    Give your profile a good name based on your naming convention.

    Click the add settings button and search for “Windows AI”. Select all the settings you want to configure.

    There are a few settings you can set for Recall based on your needs.

    In this example I’ve let the OS define the storage and duration for my snapshots, but you can configure this based on your needs. You can also add exclusions for websites and applications if you need. I’ve added my blog and Teams as an example in the picture, but you can also skip this.

    Go through the wizard and assign the policy toward the Copilot+ PCs you want to target.

    User experience

    Recall

    So how do you get started with Recall? Simply open the new Recall app in your start menu and authenticate with Windows Hello. The first time you start it, it will work a bit on some updates. This might take some time. Once that is done, you will be able to start using Recall.

    You can scroll back and forth on your timeline to go back and forth looking for what it was you wanted to find. Once you have found it, you can search the content of the snapshot or visit the app you had open. It even takes you to the exact spot you were in the app at the moment.

    Down in the taskbar, you will see a new Recall button. Once it’s active, it will be light blue, and will indicate if it’s paused or running. If you click the Recall icon, you will see some actions you can do, like pause Recall or filter the website/application you have opened.

    You can also go through settings and see some settings around Recall, such as storage or applications and website you want to filter (if you want to add some additional ones as a user which your admin did not add).

    Click to Do

    The second thing which gets activated with Recall is Click to Do. This feature gives you the same possibilities as in your snapshot, you can search the whole screen for things or open it in specific apps. You can also have it summarize long text or create a list. There are a bunch of actions here!

    To activate Click to Do, simply press the Windows button on your keyboard and click the screen!

    Key take aways

    I really think Recall and Click to Do are two great ways of improving the user experience and taking advantage of the NPU and AI functionality in a Copilot+ PC. As of this blog post being written, this is still a preview feature and things might change when this is released in GA.

    I still think it’s a great way to explore how you can use Recall, and find out what limitations you need to set for your users. So as always, Windows Insider gives you a sneak peek of what’s to come and something you really should make use of.

    What I do want to point out is that all snapshots are processed and stored locally, protected by Windows Hello to limit unauthorized access to your snapshots. Even if they are protected, it could however be a good idea to think about what sites you should add to a filter.

  • Moving to cloud native

    Let’s imagine for a second that you are a large, global organization and you are managing the fleet of PCs.

    In a traditional setup you probably have a Configuration Manager server and probably a bunch of distribution points.

    On top of this, you each month must distribute security updates to all your global device estate. And make sure your golden image is patched. Not only this, you also need to maintain your infrastructure, keeping Configuration Manager up to date, the server it runs on and also all those distribution points. Not to forget troubleshooting when a distribution point stops and a region +8 hours from your time zone can’t PXE-boot computers.

    You have all heard the marketing pitch because cloud native is the future. But if we instead take an approach to discuss this from a business and operations perspective, we can find some other interesting angles.

    Background

    What I do in my professional life is mostly to advise and help customers move to a cloud native platform for device management. I’ve been working with Microsoft Intune since 2013, so I’ve seen all the iterations of the platform. I’ve also seen what works and what didn’t work.

    Back in 2013, going cloud native was not a thing, even though Windows 8 actually supported MDM enrollment. Back then we were more talking full management or light management. Intune was the light managed way doing things since there was simply not yet feature parity.

    Windows 10 brought a whole lot of new benefits to cloud. You could now argue that you could make the shift to Intune only and onboard using the new cool Windows Autopilot.

    Fast forward to 2025 and Windows 11. We now have feature parity in MDM polices vs GPOs (even if it’s not a 1:1 translation), and moving to the cloud is something everyone is talking about. Not everyone has moved, but from what you hear peers, customers and people within the community everyone is looking at “how should we do the transition”.

    Moving to cloud native is not only a “keeping up with the IT landscape”. It can also be a huge cost save for a lot of organizations. No more servers, no more imageing, no more maintaining images. It’s simply just more streamlined.

    Common pitfalls

    There are A LOT of pitfalls out there when it comes to moving to Intune. I thought I would cover a few which I tend to see more often. Not all of these are technical. Because to be 100% honest, the technology isn’t the biggest issue here.

    Doing things like we have always done

    Moving to cloud native means doing things in a new way. I’ve seen way too many attempts at moving to cloud native which fail because you don’t embrace change. An Entra ID/Intune managed device is not exactly the same as an Active Directory/ConfigMgr managed device. Gone are the days of imaging and GPupdate, we now have Windows Autopilot and syncing with Intune.

    Cloud native will mean that we will have to do things differently, and it’s not bad. Just different. Many things we have done for the last 30 years with managing devices (yes, the first version of ConfigMgr called SMS 1.0 was released over 30 years ago in 1994).

    We need to embrace change and adopt the new ways of working. If we don’t do that, we will never reach all the way. This is where many projects fail.

    Doing everything at once

    The cloud journey looks very different for all companies, even though we want to accomplish the same things. But doing a big shift actually impacts user productivity and we need to be smart about what changes we introduce.

    Looking at Sweden, a lot of companies are combining their Windows 11 migration projects with a Cloud Native project. This is a great idea since we are doing a big shift in the client anyway. However, time is running out for Windows 10, so today we need to prioritize what’s actually important.

    Splitting the cloud journey into smaller pieces could be easier for many, and we can run a lot of these projects in parallel.

    Migrating everything

    Think about all your GPOs. You have built that over a large number of years, probably mostly adding to it and never really done a cleanup. A lot of these policies might have been configured for Windows 7, an operating system which was released in 2009. You probably don’t need to migrate those settings to your brand new Windows 11 platform since a lot does not apply in the cloud and many are even deprecated.

    There is really no point in walking through each and every one of your old settings, trying to find the Intune equivalent for it. A much better idea is to look at what you had, implement either the Microsoft Security Baseline or the Open Intune Baseline. Then go look at your old environment or your security requirements and look for what is missing and what makes sense. There is a GPO analytics tool in Intune, but from experience I would say that starting over is a much better idea since you will leave all your Windows 7 and Windows XP settings behind!

    Setting the bar way too high

    One of the most common things I see when working with customers who are moving from ConfigMgr is, like I mentioned, that we don’t embrace change. But one more thing is thinking that we need to make it perfect in our first Proof of Concept or Pilot, which isn’t really a realistic approach. You need to start somewhere, so find your minimum viable product (MVP). What do we need to have in place to do a successful pilot? In the more successful projects I’ve been involved in, this has been the MVP:

    • Windows Autopilot for onboarding
    • Security baseline
    • Wi-Fi
    • VPN
    • Base applications (the crucial ones for your pilot group)
    • Compliance policies

    One more thing to keep in mind when moving towards a cloud native client is that your pilot and initial rollout might not need to suit 100% of your users. You will have some more cumbersome scenarios like dependency on on-premises or problematic applications. Don’t let this stop you, instead have them in a later phase of your project. Put them on hold, just like you would do with Windows feature updates. Once you have completed your first scenario, move on to the next!

    Moving all existing devices

    This is a controversial one. Even though it’s nice to have all your devices as cloud native, the only way to migrate devices from hybrid to cloud native in a supported way is by resetting the device. And this might not be the most productive way of making this shift, since it means actual downtime for the end-user.

    Microsoft recommends keeping hybrid devices in hybrid until they need to be reinstalled or replaced. Since we can still move to a 100% Intune managed environment with hybrid devices, this could for larger organizations be a more cost efficient way of making the shift to Intune. Reinstalling thousands of devices is time consuming.
    I’m not saying that you shouldn’t make the hard cut and reinstall all your devices, but be aware that there are alternatives, even though going down this route is not a pure cloud native solution for all your existing devices.

    What’s your first action?

    But where should you get started? Well, making sure you have co-management/cloud attach enabled in Configuration Manager is a great first step, to enable the shift of workloads to the cloud.

    I would also recommend to start looking at setting up a small proof of concept or pilot in Intune, onboarding a few devices with the base applications and a first version of security baseline (use the Microsoft one or Open Intune Baseline mentioned earlier in the post). Register a few devices for Windows Autopilot manually and enroll them.

    Don’t make it too hard on yourself, start small with the “simple” scenarios and let them test it. But set a strategy for this and make sure to track your progress and create a project of this. It’s a hard project to pull off as a line activity since there are a lot of moving parts, redesigning and new ways of working while you need to keep the lights on for your production environment.

  • 5 reasons you should go cloud native with Windows 11

    5 reasons you should go cloud native with Windows 11

    Let’s talk about cloud-native management with Microsoft Intune and Windows 11 for a little while and dive into five reasons why you should make the move.

    In the endpoint management world, there are two major things we talk about right now: moving to Windows 11 (the deadline is getting closer and closer) and cloud-native.

    I’ve been an advocate for going cloud-native for about 10 years now, but it has changed names over the years from modern management, cloud-only, to cloud-native management.

    But let us first define what we mean by cloud-native.

    Definition

    By “cloud-native,” we mean a device that is 100% managed using cloud services, such as Microsoft Intune. We are not doing hybrid join; we are utilizing Entra ID (previously known as Azure AD). This means that we DO NOT have the computer object in the on-premises AD, and we need to use modern ways to authenticate. In a true cloud-native setup, we should not be reliant on any on-premises resources, but if we look at reality, we will most typically see that we have some connector for, e.g., certificates using SCEP/NDES.

    For cloud-native device management, we don’t need to consider where the user has their primary source, whether that is Entra ID or Active Directory. So if you want to go cloud-native, you don’t need to move your master data to Entra ID, but you need to make sure that you have your users in Entra ID (which you probably already have if you are using any Microsoft cloud services like Microsoft 365, Teams, or Intune).

    Reason #1 – Reduce complexity

    Managing IT infrastructure can often be a complex and time-consuming task. By leveraging cloud-native management with Microsoft Intune, organizations can streamline their processes and reduce the complexity associated with traditional IT management. This approach simplifies device provisioning, configuration, and maintenance, allowing IT teams to focus on more strategic initiatives.

    By moving to cloud-native device management, we can reduce the number of dependencies we have on our on-premises system, such as connectors for hybrid join. We can also reduce the total footprint for the service since we can decommission and repurpose servers previously used for, e.g., Configuration Manager services.

    Since we rely on a SaaS setup, we don’t need to think about keeping our management platform up to date; that will happen automatically on a weekly basis.

    Reason #2 – Increase security and compliance

    Security and compliance are critical concerns for any organization. Cloud-native management with Microsoft Intune provides robust security features and compliance tools that help protect sensitive data and ensure adherence to regulatory requirements. With advanced threat protection, automated policy enforcement, and real-time monitoring, organizations can safeguard their IT environment against potential threats.

    Since we have our management tool in the cloud, this also means that our devices do not have to “call home” to be able to talk to our services. Since Microsoft Intune talks through the internet, we can make sure that the users have the latest updates and security configurations regardless of whether they are working in the office or remotely. We can also measure device compliance to make sure that the device lives up to our requirements before accessing corporate resources.

    Reason #3 – Adapt to an ever-changing IT landscape

    The IT landscape is constantly evolving, and organizations need to be agile to keep up with these changes. Cloud-native management with Microsoft Intune enables businesses to quickly adapt to new technologies, software updates, and changing user needs. This flexibility ensures that organizations remain competitive and can efficiently respond to emerging trends and challenges.

    Utilizing cloud services for management means that you do not need to think about keeping your device management tool up to date; that is kept up to date for you since Microsoft Intune is a SaaS offering. This will make sure you get the latest features and tools faster, without needing to plan for maintenance windows. You can also more easily make sure to provide your users with the latest tools by utilizing faster and automated deployment flows for applications and the latest updates.

    Reason #4 – Improve user satisfaction

    User satisfaction is a key factor in the success of any IT initiative. Cloud-native management with Microsoft Intune enhances the user experience by providing seamless access to applications and resources, regardless of the device or location. With intuitive self-service options and consistent performance, users can enjoy a more productive and satisfying work experience.

    We should not forget about one of the most crucial elements of device management: the person who uses the device, the end-user.

    Hearing people complain about their work computer not working like they are expecting is outdated. You can remove the need to be at the office for updates or having to download applications through VPN. Using cloud-native device management, you can fully support the hybrid workplace, providing an excellent end-user experience regardless of whether the user is working at the office, from home, or in any other location.

    Reason #5 – Enhance scalability and flexibility

    With cloud-native management, organizations can easily scale their IT infrastructure up or down based on demand. This flexibility ensures that resources are used efficiently, and it allows businesses to quickly adapt to changing needs without significant downtime or additional costs.

    No need to think about if you need to scale up or down, outside of licenses. This means that your environment grows without, and all you need to do is make sure you have enough licenses. This frees up a lot of time for your system administrators who would otherwise also need to plan for scaling up or down based on what happens in your organization. This will also make it easier to grow at a lower cost since we do not need to think about setting up infrastructure in that new branch office on the other side of the world. All you need are licenses for your new users, and you are ready to go!

    Closing reflections

    I’ve been pushing for going cloud-native for almost the last 10 years, and I still strongly believe that this is the future for endpoint management. So far, I’ve helped a lot of larger companies make the shift, and it works really well. Sure, there are hiccups initially, but that goes for all new services, and we need to adapt the way we work as IT admins to make this a successful transformation. We cannot bring our old ways of doing things; we need to adapt to our new tools. As long as we try to work the old way with a new tool that was not built for doing it the same, it will be an uphill battle.

    But if we can see the new possibilities with cloud-native and what it brings us, things will get easier. And it’s a moving target. Microsoft Intune has developed tremendously over the last couple of years, and we will probably see even more improvements as we go.

    I will leave you with an interesting reflection I’ve made. Larger enterprises, at least in Sweden, are more keen on moving to cloud-native than smaller organizations. Sure, the IT organization of a large enterprise can take on a larger workload making the move, but the small IT organizations would benefit just as much from the lower running cost of being cloud-native.

  • Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Hide the shutdown button in Windows 365 after update to Win 11 24h2

    Some of you might have noticed that when updating a Windows 365 Cloud PC to Windows 11 24H2, the shutdown button appears out of nowhere in the start menu, which can cause some weird behavior for the end-users.

    Shutting down the Cloud PC isn’t really anything you should be bothered with. Restarting, yes, but if you do a shutdown, it will boot back up again within a few minutes.

    With the Windows 11 24H2 update to Windows 365, if you upgrade from an earlier Windows 11 version, this registry value will be reset.

    While I still encourage you to provide feedback to Microsoft, the fix for this problem is fairly simple!

    There are two ways we could go about addressing this. We could either create a configuration using the Settings Catalog or use proactive remediation. We will get the same result in the end, so it depends on how you like to do it. I will show you both ways in this blog post, and how you can configure it.

    Settings catalog

    In Microsoft Intune, head into Devices > Windows > Configuration and create a new configuration profile by clicking “+ Create“. Select Settings catalog as the profile type and click create.

    Give the profile a good name which makes sense in your environment.

    Search for “Start” and find “Hide Shutdown” in the list, then check the checkbox next to it. Close the fly-out.

    Make sure to enable the setting before moving to the next step.

    In my case, I will skip scope tags and move straight to Assignments, where I select “All devices” and filter out Windows 365 with a filter.

    Last step is to review and create the policy. And then you just need to wait for the policy to apply.

    Proactive remediation

    The scripts

    The easiest way to deploy a scripted solution for this is to use remediation, since then we can also get feedback on how many devices had this issue. We can have it continuously checking or just run once.

    But in order to set up a remediation, we need a detection and a remediation script (you could run everything in the detection script, but you won’t get any feedback if you want to run it more than once).

    You can find the scripts either on my GitHub repository or just copy them from here.

    Detection script

    # Created by Ola Ström, olastrom.com
    # Date: 2025-01-21
    # Version: 1.0

    # PowerShell script to detect whether the registry value is set

    # Define the registry path and value
    $registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
    $valueName = "value"

    # Read the current value; a missing key or value gives $null instead of an error
    $item = Get-ItemProperty -Path $registryPath -Name $valueName -ErrorAction SilentlyContinue
    $currentValue = if ($item) { $item.$valueName } else { $null }

    # Check the value and set the appropriate exit code (exit 1 triggers the remediation)
    if ($currentValue -eq 1) {
        Write-Output "Registry value is set to 1."
        exit 0
    } else {
        Write-Output "Registry value is not set to 1."
        exit 1
    }

    Remediation script

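    # Created by Ola Ström, olastrom.com
    # Date: 2025-01-21
    # Version: 1.0

    # PowerShell script to update the registry value
    $registryPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown"
    $registryName = "value"
    $registryValue = 1

    try {
        # Create the key if it is missing, otherwise Set-ItemProperty fails
        if (-not (Test-Path -Path $registryPath)) {
            New-Item -Path $registryPath -Force -ErrorAction Stop | Out-Null
        }

        # Set the registry value
        Set-ItemProperty -Path $registryPath -Name $registryName -Value $registryValue -ErrorAction Stop
        Write-Output "Registry value updated successfully."
        exit 0
    } catch {
        # Report the failure so it shows up in the remediation status
        Write-Output "Failed to update registry value: $($_.Exception.Message)"
        exit 1
    }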

    Intune part

    In Microsoft Intune, navigate to Devices > Scripts and remediations.

    Select “+ Create” in the ribbon and give your remediation a good name, then press next.

    Now we will add the detection and remediation scripts, which you need to save as PowerShell scripts on your device to upload to Microsoft Intune. Change the “Run script in 64-bit PowerShell” to yes, but leave all the other options at their default values and press next.

    On the Assignment tab, select your target group. I’m using “All devices” with a filter for Windows 365.

    On this step, you also set the schedule by pressing on the text “Daily”, which is the default value. You can then choose if you want it to run once, hourly, or daily.

    When you have selected your schedule, press next to review your settings before pressing create.

    And now we wait until the remediation runs…

    Monitoring the remediation

    You can follow up the progress of your remediation by checking the device status on the remediation you just created.

    In this view, you can follow up on individual devices and see how many devices were affected.

    If the script detects that the value is set to anything other than “1”, it will run the script to fix it, and you can see here if the issue was fixed or not. This is not dependent on whether the script runs on a schedule or just once; you will still get feedback if any issues were found.

    What happens on the Cloud PC?

    Both ways will give the same end result for the end-user: the shutdown button will disappear, removing the option to shut down the Cloud PC (which is good).

    Takeaways

    I’m not saying that one way or the other is the correct way; it’s just different ways to address the problem. Both of them have advantages, where the settings catalog will set the value and always keep it that way, and the remediation will check if the value is incorrect and change it if needed.

    You can also reuse this script for other registry entries you would like to change, so feel free to reuse it!
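
    To reuse the approach for more than one registry entry, the two scripts above can be generalized into a single table-driven script. This is an added example, not the author's code: the `$Remediate` switch, the function names and the table layout are assumptions, and the only row filled in is the value from this post.

```powershell
# Added example, not the author's script. Upload this file twice: with
# $Remediate = $false as the detection script and with $Remediate = $true
# as the remediation script.
$Remediate = $false

# Desired state. The first row is the value from the post; add your own rows.
# Scalar types only (DWord, QWord, String).
$desired = @(
    [pscustomobject]@{
        Path  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown'
        Name  = 'value'
        Value = 1
        Type  = 'DWord'
    }
)

function Get-RegistryDrift {
    param([Parameter(Mandatory)][object[]]$Settings)

    foreach ($s in $Settings) {
        # A missing key or value yields nothing here instead of an error record.
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($s.Name) } else { $null }

        if ($null -eq $current -or $current -ne $s.Value) {
            [pscustomobject]@{ Setting = $s; Current = $current }
        }
    }
}

function Set-RegistrySetting {
    param([Parameter(Mandatory)]$Setting)

    # Create the key first; writing a value under a missing key fails.
    if (-not (Test-Path -Path $Setting.Path)) {
        New-Item -Path $Setting.Path -Force -ErrorAction Stop | Out-Null
    }
    # -Force overwrites an existing value and enforces the declared type.
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Value `
        -PropertyType $Setting.Type -Force -ErrorAction Stop | Out-Null
}

$drift = @(Get-RegistryDrift -Settings $desired)

if ($drift.Count -eq 0) {
    Write-Output 'Compliant: all registry values match.'
    exit 0
}

if (-not $Remediate) {
    # One line of output keeps the device status view readable.
    $summary = ($drift | ForEach-Object {
        "$($_.Setting.Path)\$($_.Setting.Name)=$($_.Current)"
    }) -join '; '
    Write-Output "Drift: $summary"
    exit 1
}

try {
    foreach ($d in $drift) { Set-RegistrySetting -Setting $d.Setting }

    # Re-read after writing so a silent failure is reported, not assumed fixed.
    $left = @(Get-RegistryDrift -Settings $desired)
    if ($left.Count -gt 0) {
        throw "$($left.Count) value(s) still differ after remediation."
    }
    Write-Output "Remediated $($drift.Count) value(s)."
    exit 0
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```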

  • Master the Copilot button on Copilot+ PCs

    Master the Copilot button on Copilot+ PCs

    As you might know, there is a new category of PCs out there called Copilot+ PCs. These are defined by primarily two things, they have an NPU with over 40 TOPS (trillion operations per second), and they have the Copilot button on the keyboard. Of course they also run Windows 11.

    At the time of writing this blog post, we have mainly seen ARM based Copilot+ PCs. But x86 based versions from AMD and Intel are around the corner!

    One thing that has gained a lot of attention is the Copilot button. When the first devices were released this opened the consumer version of Copilot, the Microsoft Copilot app. This app does not work in a corporate environment, since we don’t get the “correct” version of Copilot. The Copilot we want to use is the Microsoft 365 Copilot where you sign in with your corporate credentials.

    There have been changes

    Since the October patches 2024, Microsoft has altered the behavior of the Copilot button based on how you sign into your computer.

    Another change that has happened is that the Copilot in Windows (preview) experience has been removed and is replaced by either Microsoft Copilot app or Microsoft 365 app based on your scenario (see the table below).

    The following table shows that, based on how you authenticated on your computer, different things will happen.

    | Configuration | Copilot experience | Copilot key invokes |
    | --- | --- | --- |
    | Copilot not enabled in environment | Neither Copilot in Windows (preview) nor the Microsoft Copilot app are present. | Windows Search |
    | Copilot enabled + do not authenticate with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft Copilot app |
    | Copilot enabled + authenticate with Microsoft Entra + new device | Copilot in Windows (preview) is not present. Microsoft Copilot is accessed through the Microsoft 365 app (after post-setup update). | Microsoft Copilot within the Microsoft 365 app (after post-setup update). |
    | Copilot enabled + authenticate with Microsoft Entra + existing device | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 app, or prompt users to choose. |

    Source: Updated Windows and Microsoft Copilot experience | Microsoft Learn

    In a corporate world, we strive to have the Microsoft 365 app launching when pressing the Copilot button on the keyboard, since that’s where we can use the Microsoft 365 Copilot. So let’s walk through the different scenarios.

    New Copilot+ PCs

    If you are setting up a new Copilot+ PC (or resetting an existing one), there isn’t that much you need to do. As long as you get the October 2024 monthly security update installed, the Copilot button will remap to the Microsoft 365 app if signed in with a Microsoft Entra account and you have Copilot enabled in your environment, and it doesn’t need to be the “fancy” $30 per month version. If you have disabled Copilot, the button will (as the table says) open Windows Search instead.

    Existing Copilot+ PCs

    For your existing Copilot+ PCs which were set up prior to the release of the October 2024 monthly security update, you as an admin have to take action since the default value for users would be to launch the Microsoft Copilot app. This can be done in two ways, either prompt the users to make the change themselves in Settings or push out a new configuration for the computers using a GPO or Intune CSP policy.

    |  | Setting |
    | --- | --- |
    | CSP | ./User/Vendor/MSFT/Policy/Config/WindowsAI/SetCopilotHardwareKey |
    | Group policy | User Configuration > Administrative Templates > Windows Components > Windows Copilot > Set Copilot Hardware Key |

    Source: Updated Windows and Microsoft Copilot experience | Microsoft Learn

    As of the latest service release of Microsoft Intune, you can now also do this using the Settings catalog, which is not yet reflected in the Microsoft documentation.

    Let’s have a look at how we set this up in Microsoft Intune. (UPDATED with settings catalog instructions)

    Navigate to the Microsoft Intune Admin Center and select Devices > Windows > Configuration and create a new policy. Select Windows 10 and later then Settings Catalog. Select it and click “Create“.

    We start by giving the new profile a name which makes sense in our environment. Then click Next.

    Next step is to add the setting by pressing +Add setting. Search for Windows AI and select the “Set Copilot Hardware Key (user)” setting.

    Close the flyout and enter the AUMID for the Microsoft 365 app.

    AUMID: Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe!Microsoft.MicrosoftOfficeHub

    If you are not using Copilot and want to disable the button, set the value to 0 instead of the AUMID of the Microsoft 365 app.

    Click through the wizard and assign the profile to an applicable group.

    Review your configuration before creating.

    We have now successfully changed the behavior of the Copilot button on our Copilot+ PCs!

  • Keeping Windows up to date – 2024 edition

    Keeping Windows up to date – 2024 edition

    So back in 2019, when I first got back into blogging, I wrote a piece on how we at my former employer adopted a modern approach to digital workplace, transitioning into a more Windows as a service concept internally. If you have missed this post, please pause here and head over to the post here and read it.

    Staying current in the new world – olastrom.com

    I wrote that post more than 5 years ago, in a world where Configuration Manager was still king and we were running Windows 10 in a large enterprise (over 35 000 managed Windows devices globally). We never ran the feature upgrades as projects, and neither should you!

    This post discussed the way Windows updates work for Windows 10, that we will see continuous innovation with several updates per year. Back then, Microsoft was still doing a spring and a fall release. This was a challenge to keep up with, and many reverted to “let’s at least try to do one update per year” which for many was still a challenge. If you had this strategy, you usually went with the fall release since that was supported for longer than the spring release.

    Since 2021, Microsoft only does one update per year, which so far has always been a fall update. Each release is supported for 36 months, given that you run Windows Enterprise.

    But let’s talk about strategy to handle the Windows update cadence.

    Find your tools

    Since I’m a big cloud advocate, I will of course recommend using Windows Update for Business to manage your Windows updates. This is also the recommended way by Microsoft, regardless if you are using Microsoft Intune or Configuration Manager to manage your devices. There is no reason to micro-manage the updates for the vast majority of your devices (there are of course exceptions), and since Windows 10 you can’t really say no to an update since they are all cumulative. If you skip the October patch, you will get it and a bunch more updates in November.

    So making use of the cloud and the smart logic actually built into these tools is great.

    If you really want to automate things, you can even move to Windows Autopatch which is almost like doing a set and forget setup. Microsoft will manage your whole setup and make sure your devices are kept up to date, and not updated all at once by using automated rings.

    But I really hope that you all have your monthly patching in order. Otherwise we have a different level of problem. So let’s pivot and talk about the feature updates which are released once per year, what is often referred to as the 23h2 or 24h2 update by the IT community.

    What is a good practice?

    So if we look back at my old post, I actually talked about using deployment rings which is still a thing (if you look at how Autopatch configures itself, it will use rings).

    What’s important here is to divide this into several deployments, so we don’t update everyone at the same time. A good practice could be:

    Ring 0: First evaluation group
    Ring 1: Second evaluation group/application testers
    Ring 2: Pilot group
    Ring 3: Broad deployment
    Ring 4: Devices which need extra attention

    I think that in my original post I had 5 groups, but you can adapt this based on the size of your organization. The purpose of the first 3 groups in this scenario is to validate and make sure we catch any compatibility issues. Any device you find that is cumbersome, or application which needs additional testing or validation, you put in the last group to “buy time”. By doing this, you don’t postpone the update for devices where this will work without any issues.

    But what if there are known issues with a certain device model? Well then Microsoft has implemented something called safeguard hold which will pause the update for the affected devices, so we don’t break devices and cause issues for the end user. If you want to read more about this, this is a great article covering this.

    Safeguard holds for Windows | Microsoft Learn

    By utilizing safeguard holds, we can increase the trust that updates will work since the Windows Update service will block any devices with known issues from receiving updates. This is also a strong argument to move towards Windows Update instead of using e.g. Windows Server Update Services (WSUS) to handle your updates since it will prevent those surprises. There are also a bunch of reports you can utilize to keep track of any safeguard holds you might be affected by.

    Setting up Windows Update for Business

    Windows Update for Business can be configured in a few different places. The best way, even if you are using Configuration Manager, is to utilize Microsoft Intune for this. If you are in a hybrid state, move the toggle in Configuration Manager to move the co-managed workload for Windows Updates to Microsoft Intune. In Microsoft Intune, you then configure your different rings (the number depends on your needs, but at least three). There are many good guides around how to build this, even pre-made ones you can import from e.g. Open Intune Baseline.

    You can also enable Windows Autopatch which will create all the rings for you and populate all the groups.

    The important part is to create the rings and divide your devices amongst those rings, putting the correct devices in the correct rings. What is correct is based on your needs and your environment, there is no right or wrong here. In these rings you also define the number of deferral days you want.

    Deferral days are the number of days you want to postpone the update from the release date. There are a lot of different opinions on the cadence here, but it could be a good idea to aim to have ring 0 running the new update within the first two weeks to start evaluating. Then aim to have moved through the rings to your broad deployment within 3-4 months. There is usually no need to rush things, since we need to combine this with end-user communications to communicate any changes in the operating system. If you want to have broad deployments around 5-6 months later, that is perfectly fine too. This comes down to how fast you as an organization can move. But keep in mind that your “upgrade later” group, my ring 4, needs to be even further away. However, the ambition is that this ring should always be empty, so as problems get resolved you move those devices back to the earlier rings.

    What is important to keep in mind is that you need to be able to repeat this process every year on a 12 month cycle. So don’t build it too complex!
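
    The ring cadence described above can be written down as data and checked before anything is configured. This is an added example, not the author's code: the deferral numbers, display names, function names and the sample release date are assumptions. The last function builds a request body for Microsoft Graph's windowsUpdateForBusinessConfiguration resource and sends nothing.

```powershell
# Added example. Deferral values are assumptions picked to match the cadence
# in the post (ring 0 within two weeks, broad deployment within 3-4 months).
$rings = @(
    [pscustomobject]@{ Ring = 0; Name = 'First evaluation group';             FeatureDeferralDays = 7 }
    [pscustomobject]@{ Ring = 1; Name = 'Second evaluation group';            FeatureDeferralDays = 30 }
    [pscustomobject]@{ Ring = 2; Name = 'Pilot group';                        FeatureDeferralDays = 60 }
    [pscustomobject]@{ Ring = 3; Name = 'Broad deployment';                   FeatureDeferralDays = 105 }
    [pscustomobject]@{ Ring = 4; Name = 'Devices which need extra attention'; FeatureDeferralDays = 180 }
)

function Test-RingPlan {
    param([Parameter(Mandatory)][object[]]$Rings)

    $problems = [System.Collections.Generic.List[string]]::new()
    $sorted   = @($Rings | Sort-Object Ring)
    $previous = -1

    foreach ($r in $sorted) {
        $days = $r.FeatureDeferralDays
        # Update rings accept a feature update deferral of 0 to 365 days, which
        # also keeps every ring inside the 12 month cycle.
        if ($days -lt 0 -or $days -gt 365) {
            $problems.Add("Ring $($r.Ring): $days days is outside the 0-365 range.")
        }
        # Each ring has to start after the one before it, or the staging is lost.
        if ($days -le $previous) {
            $problems.Add("Ring $($r.Ring): does not start later than the previous ring.")
        }
        $previous = $days
    }

    if ($sorted[0].FeatureDeferralDays -gt 14) {
        $problems.Add("Ring $($sorted[0].Ring): evaluation starts more than two weeks after release.")
    }
    return $problems
}

function Get-RingSchedule {
    param(
        [Parameter(Mandatory)][object[]]$Rings,
        [Parameter(Mandatory)][datetime]$ReleaseDate
    )
    foreach ($r in ($Rings | Sort-Object Ring)) {
        [pscustomobject]@{
            Ring        = $r.Ring
            Name        = $r.Name
            OfferedFrom = $ReleaseDate.AddDays($r.FeatureDeferralDays).ToString('yyyy-MM-dd')
        }
    }
}

function New-RingPayload {
    param([Parameter(Mandatory)]$Ring)
    # Only the feature update deferral is set; other ring settings are left out.
    [ordered]@{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = "Feature updates - Ring $($Ring.Ring) - $($Ring.Name)"
        featureUpdatesDeferralPeriodInDays = $Ring.FeatureDeferralDays
    }
}

$problems = @(Test-RingPlan -Rings $rings)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# Sample release date, constructed for the example.
Get-RingSchedule -Rings $rings -ReleaseDate ([datetime]'2024-10-01') | Format-Table -AutoSize
$rings | ForEach-Object { New-RingPayload -Ring $_ | ConvertTo-Json }
```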

    What is the point behind this post?

    My idea behind revisiting this topic is that I still see a lot of companies struggle with this concept. Feature updates are handled as projects and treated as something that is scary.

    We have had great tools to manage this for several years now, and Microsoft has done a great job improving on these tools over the years, giving us more options and better reporting.

    It’s about time that we stop micro-managing our Windows updates and put our trust in the tools, so we can spend our time doing something more productive than running projects to catch up with the feature updates. If we fall one or two versions behind, we all of a sudden need to catch up and then it becomes a project.

    I also want to highlight that I’m not just pushing the Microsoft message here. I have worked with several large customers who run this smoothly as part of their daily operations. Once a Feature update is released, the process kicks in and ring 0 gets the update within a few days to validate that nothing breaks, and then it starts moving between the rings. Not everyone fully automates their rings, but the concept is still there and no internal projects to upgrade Windows are initiated. It’s all business as usual.

    So creating a great strategy to handle Windows updates going forward is key, envisioning that “Windows as a Service” which we talked about a few years back, where Windows just keeps evolving and we don’t have to spend that much time thinking about updates.