Since we now have successfully set up and provisioned Windows 365 Frontline in our environment, we need to add some additional layers of configuration to make operations as smooth as possible, and especially to make sure that we use the licenses in the best way possible.
With Windows 365 Frontline, each license is reserved as long as the user has the session running. This means that users could potentially have active sessions but are idle which would result in them locking one license.
Since users might forget to end the session, you can configure a policy that will end idle sessions for the end-user.
Create the policy
To create the policy, head over to Intune (https://intune.microsoft.com) and navigate to Devices > Windows > Configuration profiles and select “+ Create profile“.
Select the profile type to be Settings catalog and press Create.
Give your profile a name that makes sense to you and your organisation, I will go with something that follow my name standard for my environment that indicates it’s for Windows 365 Frontline and what the profiles does. When you have given the profile a name, press Next.
Select “+ Add setting” to open the settings picker.
In the settings picker, search for session time limits and select the category for Session Time Limits.
In the settings name section, check the box for “End session when time limits are reached“ and “Set time limit for active but idle Remote Desktop Services sessions“, and your setting will appear in the policy. Once you have selected the setting name, close the fly-out settings picker.
Enable the settings and choose the time limit that matches your needs and corporate policies. In this example I’ve selected 1 hour, which is good value to start with. Once you have enabled these settings, press Next.
Unless you use Scope tags you can skip this section and move right to Assignments where we will deploy this towards all our Windows 365 Frontline devices. I’m doing this by assigning the policy to the built in All devices group and applying a filter I’ve created for Windows 365 Frontline.
The rule syntax you want to use when creating a filter for Windows 365 Frontline machines is at least this one, but it can of course have additional lines depending on your needs:
(device. Model -startsWith "Cloud PC Frontline")
Once you have made the assignments as needed, press Next and then Create.
Your policy will now assigned to all your Windows 365 Frontline Cloud PCs and you can track the progress in Intune by looking at the policy.
One question I get a lot from people that are fairly new to Microsoft Endpoint Manager is “which function should I use to reset a Windows device?” and what the different buttons actually do.
So here is a little cheat sheet what the different type of reset of a Windows device does. Some also applies for other platforms, which I will mention below.
One thing you will notice when clicking these options in the portal, you will always have to confirm your selection.
This is the first option you will glance at when looking at the remote actions available in the ribbon.
Retire is not a Windows unique feature and is maybe mostly used in a BYOD scenario, but could be applicable for some corporate scenarios as well.
Retire means that you will remove the connection to Microsoft Endpoint Manager and at the same time remove all data YOU put there through MEM, such as apps, profiles, policies etc. You could basically call this an “unenrollment” of the device.
A usefull scenario would be when a user is leaving the comapny and is keeping their iPhone which has been been enrolled through a more BYOD scenario. You will only remove corporate data, but leave all the users personal data.
This feature is maybe not that commonly used for Windows since these devices would typically be “locked” to the tenant using Autopilot. But for BYOD scenarios, this could be applicable.
Wipe is just what it sounds like. You will wipe all data from the device and put it back to factory defaults. This feature can be used on other platforms too. This is the feature I most frequently use, especially when testing things and needing to enroll things. This is equal to doing a factory reset from within the operating system. This is perfect for when a device is being decomissioned.
For Windows you get a few more options when triggering the option:
Wipe device, but keep enrollment state and associated user
Wipe decice and continue wipe even if device loses power
Typically, you dont need to select any of these but there are some cases where it could be usefull.
The wipe will also remove the device from Microsoft Endpoint Manager, IF not the first option is selected. The Azure AD object will remain and also the Windows Autopilot object, if you are using Windows Autopilot.
The “Wipe device, but keep enrollment state and associated user” will reset wipes all policies, but keeps user accounts and data, but not user files. It will reset user settings back to default. and resets the operating system to its default state and settings. This basically means that the device will be put back into the same state it was when it was first enrolled. If you are using Autopilot, use Autopilot reset instead.
The “Wipe decice and continue wipe even if device loses power” means that the device will continue to try to wipe untill its successfull. This is great for instance if the device is lost and you really want to make sure that the device is wiped for corporate data. This could in worse case leave the device unbootable if something happens. So use it with causion!
The delete option is exactly what it sounds like, you will delete the device form Microsoft Endpoint Manager. However, this will only remove the link and all data on the device will remain. However, the next time the device connects to Microsoft Endpoint Manager, corporate data will be removed.
This is mostly usefull when cleaning up any stale objects. Cleaning up stale object could with ease however we automated by using the automated clean-up rules in Microsoft Endpoint Manager found in Devices > Device clean-up rules.
Fresh start is a farily unknown feature in Windows which was introduced back in 2017.
What fresh start does is to remove any pre-installed software by the manufacturer (OEM) which is usally there. The computer will then run a more “Vanilla” version of Windows after the Fresh start.
When triggering this reset, there is an option to retain the user data, including enrollment, which would have little to no impact for the user. If this option is not selected, the device will be reseted and start up on the OOBE screen.
This could be usefull for cleaning out devices which has been delivered with an OEM image instead of a pure Windows image, or if the device is not purchased through your regular channels and getting the “wrong” image which includes pre-installed software.
Last out is the Autopilot reset, which is a really useful option if you are repurposing a computer from one user to another.
What Autopilot reset does is that it will restore the device back to a business ready state, meaning that all personal data is removed but all corporate settings are re-applied. All management information about the device is kept and so is the Azure AD object with all its device group memeberships. Doing this will also remove the primary user associated with the device.
When the device is handed to a new user, all they need to do is to sign in and the computer will finilize the setup for them. Users will not be able to use the device until the user enrollment parts are finilized, just like with any other Autopilot enrolled device.
Update: Got this pointed out to me by several people so I thought I would add this here as well. Autopilot Reset is NOT supported on Hybrid Azure AD Joined devices.
Key take aways
I hope this brings some clarity to the different remote actions and that you can figure out which to use when.
The ones I most commonly use are:
Wipe when testing things in my lab or completly changing what the device is used for, e.g. assigning a different Deployment Profile to the device.
Delete when I for some reason have ghost/stale objects
Autopilot reset when a device is being repurposed or changing user
The other ones are ofcourse useful, but maybe not something I frequently use.
Updated on the 29th of September 2022 due to changes in Quick Assist installation.
Like I mentioned in the blogpost about Remote Help, the build in Quick Assist tool in Windows 10 and Windows 11 is great for supporting friends and family. However, it’s not that great to support an organization since vital features are missing like handling UAC and logging. There is also a lot to wish for when it comes to how accounts are managed and the overall experience in a corporate setup using Quick Assist.
So, when we have deployed Remote Help to all our users, we want to remove Quick Assist to improve security (so unauthorized people cannot remotely connect) and to ease confusion about what remote support tool to use.
There are several ways of doing this, but I’m taking the approach that we don’t have a custom image since our devices has been enrolled through Windows Autopilot using vanilla images. So how can we remove the feature, and make sure that the end-user doesn’t get creative with enabling it again?
The answer to this is using proactive remediations.
What is proactive remediations?
Proactive remediations is a part of the Endpoint analytics section of Microsoft Endpoint Manager. You can find it by going to Reports > Endpoint Analytics > Proactive Remediations. By default you will have to script packages published by Microsoft.
Proactive Remediations is a script package where you can find and fix things on your clients, before this generates a ticket to your help desk.
However, since these are scripts running, you can do about anything to be honest. Each script package consists of a detection script and a remediation script. The scripts are then deployed to the devices through MEM and will report back. You can find reports on how many times a script has run, and how many times it has fixed an issue. Fixed and issue means that it has run the remediation script. You can read more about how they work and what you can do on e.g. Microsoft Docs.
One thing you could do is to detect if a Windows component is active, and if found active then disable it.
How do I remove new Quick Assist?
Due to an update, Quick Assist have now moved in to the Microsoft Store, meaning that we need a new way to remove the store app. Next chapter will cover the old application which was a Windows Capability.
There are several ways to remove pre-installed application from Windows, you could either get the application from the Business Store and assign it as “Uninstall” for all devices/users, or you could user PowerShell to remove applications.
For this, we will use Proactive Remediation to detect if the Quick Assist is installed, and if so we will remove it. This would remove the application even if the user installs it them self. There are other ways to do this as well, like only deploying the removal part and blocking the application with AppLocker.
Now all that we need to do is to make sure that we run the script in User Context, since the application is installed in the user context.
How do I remove old Quick Assist?
One way to disable Quick Assist, even if the user enables it again, I have found is to use a proactive remediation which checks if Quick Assist is enabled on the device, and if it finds that it is Quick Assist is disabled.
Quick Assist isn’t an app installed from the store, it’s a Windows capability which means that we cannot uninstall the app.
To do this, we firstly need a script which will identify if Quick Assist is enabled. One way of setting that up is like this, a simple PowerShell script that my college helped me create (thank you Daniel).
What could be good to keep in mind is that if the version of Quick Assist changes, this disable-part will stop working. I’ve’ tried using a more generic string, but I couldn’t get it to work. However, my PowerShell skills are quite limited.
This is a powerful way of gathering all devices imported to Autopilot into a single group to assign either enrollment profiles, configuration profiles or even applications without the need for any additional work or use of group tags.
However, this group being powerful makes things a bit harder when it comes to excluding devices that might need a different enrollment profile for testing, different device type or just a different use case.
There are different ways of doing this, but this is the way I found that works well and it assumes that you have another Azure AD group which you use to assign Enrollment Profiles, dynamic or assigned.
Let’s say we have two enrollment profiles:
The “Production profile” is assigned using a group called “All Autopilot devices” which gets devices using the “device.devicePhysicalIds -any (_ -contains “[ZTDId]”)” string to gather all devices which are imported to the environment.
We have also imported the HoloLens devices in to our device list for Autopilot, which we are using a group tag to populate our “HoloLens devices” group with which is then used to assign the HoloLens profile.
Now comes the tricky part. Since we have the “catch all” group already, that will include the HoloLens’s which means that we will assign configuration profiles and applications that are assigned using that group.
Since our HoloLens’s are a different type of devices, we want to assign a separate set of configuration profiles and applications towards them, meaning that we need to exclude them from the “All Autopilot devices” group and add them a HoloLens specific group to assign our HoloLens profile.
Creating out groups
To add them to the HoloLens deployment profile you can create a dynamic group which is using Group Tags to populate. This will require you to add this group tag to all your HoloLens’s. In this case, we will use the Group Tag “Hololens”.
This will assign the HoloLens specific deployment profile to the device.
However, we also want to make sure that we do not include these devices in the bigger group which is used to assign the “regular” Windows policies. This was a bit trickier than I thought to be honest.
After playing around with excluding the group tag, which for some reason didn’t work that great, the most effective way was to exclude devices from my big “All Autopilot devices” group by using the fact that it has a deployment profile assigned to it. This value can be used in the rules for the group by saying that we don’t want to include devices having a deployment profiled called “Autopilot HoloLens” assigned to them.
By changing the rule to say that in addition to “catch all” also no include anything that has the deployment profile “Autopilot HoloLens” assigned to it, we will now have a group which will exclude all HoloLens devices!
This can of course be used for other things than HoloLens, it applies for anything that has a deployment profile assigned to it.
There are other ways to accomplish this, but this is the easiest way I’ve found so far!
So, I’m about 10 months late on this topic now that we have all been from home for such a long time. The discussion is turning more towards how we can move BACK to the offices, how and when that can and will be done.
For me, this is an important topic and I thought I would share my learnings from the past 10 months regarding creating a workspace at home.
I really understand that not everyone has the living situation allowing them to set up a good working place. In our apartment we had to set up an extra workplace since both me and my girlfriend are working from home full time for a foreseeable future. This ment some compromises when it comes to optimal space since we only had one spare room, putting my workplace in the bedroom.
Please bear in mind that these are important to me and I totally understand if you don’t have the space, ambition, or willingness to go down this path.
A real desk and a chair you like
Even if it’s quite convenient to setup your office at the kitchen table, it’s far from optimal for several reason. Even though it’s nice to be close to the coffee maker, this is not good for your back and sholders.
Given that you have the space, getting a real desk and chair makes wonders. It doesn’t have to be one of those adjustable desks or expensive gaming chairs. Simple stuff from IKEA is a good start!
For me, this is the most important part. I can leave everything else out, but I need a decent desk and chair to work from home.
Having an external monitor is important from a whole lot of aspects. You get some extra real estate while working on those spreadsheets and most importantly you end up in a more ergonomic posture, raising your line of sight. Being someone who has worked extensively from only a laptop monitor in the past, this has become important. For me, it doesn’t have to be a fancy, top-of-the-line screen, even though it does have to have okay aesthetic since it becomes a part of the interior decoration for the room.
A keyboard and mouse you enjoy
This has been one of the bigger pet peeves for me. Finding a good keyboard and mouse. I’ve also discovered I’m fussy on this topic and I have quite specific expectations.
I’ve been using the Microsoft Arc Mouse for a long time, and I really enjoy it. However, that has always been more of a “travel mouse” for when on the go or not at a real desk. It’s a bit small and not to ergonomic for my taste. I was also using an old “all-in-one” Microsoft keyboard which had a bad typing experience.
Those are now replaced with new fancy stuff, Microsoft Compact Designer Keyboard, and a Microsoft Ergonomic Bluetooth Mouse which I really like.
Since I spend a lot of time typing, the keyboard experience is important, and this keyboard feels just like a laptop keyboard (I’m NOT a fan at all of mechanic keyboards).
This is something simple and for remote work important to have good Teams meetings. If your setup includes an external monitor, getting an external webcam will really increase your meeting experience. You will be facing the correct screen compared to using your built-in webcam from the laptop, which will not present you in profile and you will be perceived as more engaged in the meeting since you will be looking the in the correct direction.
Keep a clean desk policy
I’ve always been a fan of this, both at the office and at home. Getting stuff out of the way and de-clutter my workspace removes all distractions. It’s also nice to start the workday fresh and since my workplace is in the bedroom, clearing up the desk helps me disconnect.
This is the area I need to improve the most on. I’m bad at taking breaks. However, I do try to take at least one 20–30-minute walk everyday with our dog. But I tend to eat lunch in front of the computer and just go to the kitchen for refill of water or coffee, so more like micro breaks.
This is another area of improvement for me, I tend to not move around as much as I would like. But being flexible where you work from, just like you would at an office, makes you don’t have to stare at the same wall day in and day out. It could give you a sense of an activity-based office. My idea how I will handle 2021 is to start my day at the table dinner table in the living room and then move into my office space when I’ve finished my coffee. However, I still some way to go on that point.
For me, being flexible could also mean that you bring your workspace to new places, or even outside when winter is over. After working as a traveling consultant for several years, my essential office still fits in a backpack.
Evolve your workspace
My home workspace is always evolving and improving. As or right now I have to things I’m thinking about. Replacing the desk for an adjustable one and figure out a good lightning setup with a low fotprint to improve the lighting for Teams meetings.
I also have about a thousand ideas what I would like to do, which are not possible now due to room limitations. But I have dreams of what my home office should look like, and it doesn’t really include that much technology. It has more to do what I want my space to look like.
A bit of a different type of post this week, just in time for the weekend. Since I know for a fact there is an information overflow for everything right now, I thought I would share where I turn to stay up to date.
There are probably as many sources as there are IT-consultants, but these are my go-to’s. I thought I would share some of the pages I keep track of to stay up to date.
This is where probably my biggest source of news and generic IT information. Twitter is a really good place to consume a lot of information!
Who should you follow? That is a really good question. My feed contains a lot of people within IT, but I’ve found this Twitter-list with people at Microsoft in the Endpoint Manager team. So have a look at that list (you can follow a list).
You should of course follow this list as well containing all my colleges!
One of the big issues I hear people talk about when it comes to utilizing an image- and OSD less approach is “What if the hard drive breaks and we need to reinstall the machine?”. This is based on that assumption that we need to create a custom image with the drivers and such for recovery purpose. Disks do break, so this is a real problem.
You probably bought that computer from one of the big computer manufacturers out there meaning that they thought of this.
In this article I will post many bold and naive statements, which you might not agree with. I understand that, but we also need to challenge how we have done things for the last 15 years. I’m not saying this is the whole truth, but I want to challenge the way you operate!
What happens when a consumer computer breaks down? Your typical home user does not have a Windows Deployment Services server running in their home network.
Most of the big manufacturers provides you with a new, fresh image created for your computer from their website, often using their recovery tool. The process to obtain the recovery image is a bit different based on which manufacturer, but it’s an uncomplicated way to recover a broken machine without the need to creating custom images.
Making use of what has already been created (and probably covered by the support commitment) should make sense. If someone else that we know and trust already created this, why shouldn’t we utilize it?
At least Microsoft, Lenovo, Dell and HP offers this service in one way or another.
A second option to this, but less ideal, is to use a generic Windows 10 image downloaded from Microsoft (or your Microsoft Volume Licensing Service Centre). The device will be missing all drivers to start with, but that is usually addressed using either the Windows Update feature or the driver update tool for that particular vendor (which you should consider using anyways to keep your drivers up to date on all your machines).
Resetting the device
If you for some reason need to reset a computer, there is no need to use an external media source to re-install Windows 10. This is built into the operating system, just like on your phone.
In Windows 10, instead of injecting your custom image, you simply reset the computer. Depending on where you are coming at it from, you might have to do it in different approaches.
Microsoft have documented this process very well here, so I won’t dig into it further on a how-to level.
I’m going to make a bold statement that many of you might not agree with. But operating systems deployment and creating custom images are a thing of the past. It will still be around for years to come since change does not happen overnight, and most companies have invested heavily in this. But it will start to fade away as more and more companies dare to trust the OEMs that their images are good enough. This will not solve data-loss at all, but it will bring the device back up and running which is often just as important for the user. Creating a custom image is an artform, but soon that artform needs to evolve into something else. There is a shift happening and we need to find other approaches to the old problems when we use new tools.
Today, this will not fit all scenarios. But if you look at the big picture, this could probably cover 80-90% of your user-base. Heck, you could have your users replace disks them self and then recover the operating system (imagine that!).
I’ve tried this with several different types of machines and manufacturers, and it works really well. You can even reset a custom image using the built-in reset feature. The result, however, can be a bit strange if you have removed a lot of the built-in apps etc. But the machine will still work and the user might not notice (especially if you make sure to deploy the needed apps to the end-user using Intune).
Combine this with the power of Office 365 and the cloud for storing your documents and work and you will have a pretty sweet setup where the device isn’t that important anymore.
Do explore the different possibilities in using standardized recovery media, but I’m not saying it will solve all your problems but it will take away some headache and hours spent on creating and maintaining custom images.
When enrolling devices through Windows Autopilot and using Intune enabling Bitlocker without user interaction can be a little bit of a hassle since the default behavior is to ask the end-user to encrypt the device in runtime.
This pop-up can easily confuse end-users and the device is not really “ready to use” once the Enrollment Status Page (ESP) has closed.
There are several different solutions for this, where running a PowerShell-scrip as a Win32 app during enrollment is the most common one.
BUT I’ve found a way to skip this, but it does have some distinct limitations (except for all other Bitlocker requirements):
Use Intune for device management
Device can only be joined to the Azure AD
Running Windows 10 1809 or later
No third-party disk encryption services can be used
So how do you configure this?
In Microsoft Intune, go to Endpoint Security > Disk encryption and create a new profile:
Select “Windows 10 and later” as platform and choose the Bitlocker profile, then click create. Give your profile a name based on your naming convention and click next.
To enforce Bitlocker during enrollment, you need to
Set “Enable full disk encryption for OS and fixed drives” to Yes
Set “Hide prompt about third-party encryption” to Yes
Set “Allow standard users to enable encryption during Autopilot” to Yes
A heads up on these settings though, if you are using any third-party encryption, you might break the machine and you will have to re-install the machine. So be careful if applying to existing machines.
Then set your preferred settings for Bitlocker on OS and fixed drives, this is what I am running in this lab setup. One good setting to use is “Require device to back up recovery information to Azure AD” to ensure that you have the recovery information available for the machine. These settings might vary based on your organizational needs and requirements.
Click next until you end up on “Assignments” and select your targeted device group.
Click next and review your settings before hitting “Create” on the Review + Create page.
And that’s it! Your devices will now silently encrypt using Bitlocker during Autopilot enrollment.
Okay, so this isn’t a new feature in PowerPoint but it doesn’t make is less useful! (And I don’t think everyone knows about it).
There is a feature in PowerPoint called Design Ideas which helps you create better looking slides. It will give you several suggestions based on the content of you slide, like if you have bullet points you can show them in a more visually attractive way.
What I also really like, is that it will adapt to the template I user, like this one created with a corporate template. It will match the color scheme and not go to crazy with its suggestions.
The feature is called Design Ideas and you need to enable it in the ribbon. I use it quite frequently to make the PPTs a little more fun.
If you are not using a template, it will list some suggestions for you with more creative ideas then if you are using a corporate template.
What is your best PowerPoint tip? Share it in the comments!
However, sometimes you get weird suggestions like this GIF of water I got on a new slide. I´m guessing this is NOT what Microsoft meant by fluid framework…
Have you noticed that Windows 10 has a lot of built in features, some of them which are really good?
In this article my idea is to shed some light of two small ones which might not be known to everyone. These can be useful in an enterprise perspective and might even replace some other applications that you might have bought separate licenses for.
It might require that you be on Windows 10 1903 or higher.
Clipboard history (Win + V)
In the Windows 10 1809 release there was an improvement to the clipboard feature in Windows. You no longer need to go back and find that text or picture again that you copied earlier. By enabling and using Windows button + v you can retrieve old data that you have copied. You can also set it to synchronise between devices.
Screen Snip (Win + shift + s)
Did you know that there is an improved Snipping tool in Windows 10 called Screen Snip? This can be used to take screen shots or screen snippets and add annotations if needed. It’s easy to use. You can either find it in the pen icon in the task bar or use the shortcut windows button + shift + s. You can then select to either take a snippet, window or full screen shot.
If you want, you can also through Settings > Ease of Access > Keyboard set the Print Screen button to activate this instead.