Tag: intune

Categories
Intune

Intune Scope tags – What is it and what can we use it for?

Okay, something that has been around in Microsoft Intune for quite some time is Scope tags. You know that step before assignment when creating a policy or profile?

In this post, I was thinking we would talk through what it is and what you can use it for since it’s a quite power full tool and very useful if you are working in larger environments and want to delegate rights since you can combine it with the Intune roles to really have a granular setup when it comes to who can do what. If you want to read more about the Intune RBAC setup, have a look at this post I wrote a few years ago called RBAC in Intune- Who does what at the zoo.

What is even scope tags?

Scope tags is not something you use by itself, it is connected to the Intune RBAC setup, since you can control what you different administrators can see and do.

If I have a scope tag called Sweden which I use on my policies, I can create an Intune role granting only permission to see and administrate things related to that scope.

This means that I can grant access to only certain parts of Intune for my administrators, delegating the responsibility to the Swedish organisation to manage Sweden while Norway and Iceland only can manage their things.

How ever, this only applies to Intune roles, so if you use an EntraID role granting more access, like the Intune Administrator role, scopetags are not part of the solution.

In general, it’s a good idea NOT to use the Intune administrator for all your administrators since this is a very powerfull administrator role also outside Intune. It is the Global Admin of Intune almost (but not as power full).

Setting up Scope tags

To use scope tags, you need to define them which you do by navigating to Tenant Admin – Roles and select Scope tags. You will see that you have one default scope tag, but you can add more in here.

To create a Scope tag, you simply press “+ Create” and we will give our scope tag name, which will be the one used in the portal. We can also add a comment explaining what this scope tag is used for which can be a good idea. When done, click Next.

In the assignment step, we will add a group which contains all out Swedish devices. There are a lot of different ways you could set this group up given that you want to not only catch the Windows devices, you would also probably like to see their mobile devices. In this example, I have a dynamic group looking for all Windows devices tagged with the Autopilot group tag “SE” using this dynamic membership rule.

(device.devicePhysicalIds -any _ -eq "[OrderID]:SE")

When I’ve added my group I will click Next to get to the last step in the scopetag creation.

On the last step you can review your settings before creating it. If everything looks like you want it to, click Create and your scope tag will be created.

Repeat this step for all the scope tags you need, as you can see in my lab I currently have 3 scope tags and the default one.

Using scope tags for roles in Intune

Now that we have create our scope tags, we can add them to a role in Intune as a first step.

Head into Tenant Admin – Roles and select “All roles“. Then find the role that you want to configure, we will use the “Help Desk Operator” as an example.

Click on the name of the role to configure it and you want to head into “Assignments” which is where we define who has this role.

In here, we will click on “+ Assign” to add a new assignment. Since we are setting this up for the Swedish help desk, we will call this “Sweden“. Click Next.

On the next step we will add the group of Swedish help desk operators by clicking on “Add group” and selecting our Help desk Sweden user group. Click Next.

Next step is to add the scope groups, which devices and user we want to be able to manage. This means that we can limit this even further. For now, we will select all users and all devices and click Next.

In the next and last configuration step we will select what scope tag this Help Desk Operator is allowed operate with, meaning what devices and other object can it interact with. In this step we will select our Sweden scope tag and click Next.

As usual, before creating the role assignment you can review you options. Then click Create.

How does it look for my Help Desk Operator in Sweden?

So, what does things now look like for my Swedish help desk operator which we can call Moltas? Well, Moltas can only see things which has the scope tag Sweden. He can see all user and all groups, but he can only see two devices in the environment, since these are part of the scope tag Sweden.

If we compare this to a user with the Intune administrator role, you can see that the view is limited in the amount of devices.

If we take a look at one of the devices Moltas can see, we can actually see that it automatciallu got the scope tag Sweden since it’s a part of the “All Sweden device” group mentioned further up in the post.

We can also add scope tags to profiles that we create, making it possible to grant permission to e.g. one business area to manage their on profiles, applications and so on.

Since I’ve added the scope tag to this profile, Moltas will be able to see this one but not the rest of my profiles, but given his role he will not be able to do any modifications to this profile (Help Desk Oprator does not allow that).

Worth mentioning is also that if this administrator would have the rights to create objects, all their objects would have the scope tag Sweden.

Key take aways

Using scope tags and combinding it with the Intune roles makes it really easy and power full to delegate access to local administrator or different business units to operate their own settings in a bigger tenant. You can e.g. make sure that the local IT support in Sweden cannot see or touch the Norweigan devices.

I really like this feature, and it’s really convinient in larger environments. You can off course limit the access even further by not granting access to all users and all devices, limiting it even further.

Categories
Intune

Copilot in Windows – How to turn it off using MS Intune

As everyone knows by now, Copilot is coming to Windows. For people in some parts of the world (e.g. USA) this is already a reality. But for us in Europe, we are still waiting for it to be made available.

I rarely write posts about how to disable things, I’m a fan of giving the power to the end-user to use the new awesome tools made available for them. But Copilot is a massive thing, and for many organizations this is both a legal/policy issue, and a technical readiness issue. We need to be able to provide our users with services in a controlled way.

Many of the larger organizations I’ve been working with over the years take this approach, enabling new services in a controlled way.

So, let’s look at how we can control this using Microsoft Intune. In this post, we will not dig into what Copilot for Windows is.

Creating a policy

As usual, my focus is on cloud solutions so we will look into how you can do this using Microsoft Intune and not GPOs.

Today, there is no Settings Catalog, so we need to rely on a Custom policy which we create by heading into the Device blade, choosing Windows > Configuration Profiles and select “+ Create” > “New policy“. Then we select Windows 10 and later as platform, and use Template > Custom as profile type.

As usual, start of by giving your profile a good name based on your naming convention.

Now, lets add a custom setting by pressing the “Add” button.

Add the following information to your custom entry:

Name: Disable Windows Copilot
Description: 
OMA-URI: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Data type: Integer
Value: 1

Should look something like this and then hit save at the bottom of the fly out.

You have now successfully added a custom CSR setting.

Hit Next at the bottom of the screen and assign your policy to a user/device group. As always, if you are doing this in production, start with a test group before going for broad deployment.

For this demo purpose, I’ve added the built in “All users” group.

Skip the “Applicability rules” and head to “Review + Create” and review your profile before creating it. Once the profile has been created, the waiting game starts for the policy to apply. As usual, you can speed this up by pressing “Sync” on any of your devices that will be targeted.

When the policy has been applied, the Copilot icon will be removed from the task bar.

Doing a controlled roll-out

We have currently removed Copilot for all the users in your environment, but how do we start enabling it again?

Well, we need to do two things:

  • Create a group for our allowed users/devices
  • Exclude them from the policy we just created

Since the default value for the Windows Copilot feature is to be enabled, we don’t really need to add a new policy. We can just exclude our targeted users/devices. This also makes broad deployment easy since we can gradually just exclude users/devices until we want to enable it for everyone.

Please be aware that the change is not instant, the device needs to check-in before the policy is updated (but it’s fast when you do a forced sync).

Take away

So, would we disable this for all users and do a controlled roll-out? Well new features are not always easy for end-users to gasp or even understand that they have. People within IT tend to always want the latest and greatest and be early adopters. But “real” end-users are not always like that. We need to make sure that we can get information out to our end-users about this awesome new feature.

There might also be that we need to do some assessments around the service before we can enable it in our environment, this could be both legal and internal policy that is controlling this.

But as always, I really encourage you to enable this for your end-users once it’s available in your region. For us in Europe, we will have to wait a bit longer, but looking at the recent announcements around a Copilot-button on all Windows keyboards, I think we can really tell where we are heading with this.

So please, don’t just disable this for the sake of disabling. And if you do disable it, have a plan to enable it. It will bring awesome value to your end-users (especially if you have Microsoft 365 Copilot licenses).

Categories
Modern Workplace

Microsoft Ignite 2023 recap

It’s that time of the year again. Not Christmas. Microsoft Ignite time!

This year I decided not to go to Seattle, but instead follow it virtually from home. I can say now when Microsoft Ignite is over that I’ve had a severe case of FOMO the last couple of days, by just seeing all the pictures it looked like it was a really awesome event!

But since MS Ignite is over, it means that it’s time for a recap. What did I find most interesting?

For starters. There was a clear theme this year. AI, AI, Copilot, Copilot and Copilot. 😂

Oh, and the picture in the top of this post is of course created using AI!

Windows 365

There was a bunch of new things released within Windows 365 at Ignite, and Windows 365 actually got time in the main keynotes!

New Windows app – A preview of a new app to support not only Windows 365 and Cloud PC, but to also give you all your Azure Virtual Desktops, DevBox and published apps in the same place. The cool thing is that it’s also platform independed so we will see the same experiance on all major platforms going forward. You be able to have a “Windows” app on your iPad.

Windows 365 GPU support – Microsoft announced that GPU support for graphic design work is coming to Windows 365, and this will really be great for a lot of customer scenarios! It will be really interesting to see the pricetag on the GPU SKU, I would kind of guess that you really need to have a good business case and not just have it’s because GPUs are cool…

Windows 365 AI capabilities – It was also announced that you as an IT admin will be able to get AI based recommendation on sizing the Cloud PCs. This to help improving cost efficiency and user sattisfaction. Preview will be released soon.

Single-sign on (SSO) and passwordless authentication – SSO and passwordless has for quite some time now been in preview in the Intune portal, but it’s not in general availability. This also applies to approved AVD providers!

Watermarking, screen capture protection, and tamper protection – in order to increase security and prevent dataloss, these features which have been in public preview for a while are now in general availablity on both Windows 365 and AVD.

Windows 365 Customer Lockbox – To ensure that Microsoft support engineers can’t access content to do service operations without explicit approval, you can use Customer Lockbox. This is similar to other Customer Lockbox within the Microsoft ecosystem. This is in public preview.

Windows 365 Customer Managed Keys – I think this is a pretty cool update. You will soon be able to use your own encryption keys for encrypting the Windows 365 Cloud PC disk.

Windows

Eventhough Microsoft Build is usually where we see most Windows news, there were a couple during Ignite this year.

Copilot in Windows – This was actually announced at the event earlier this fall and went in to public preview for selected markets on the 1st of November. During Ignite Microsot announced that it will go into general availablity in December, so let’s cross out fingers Europe is included!

Windows Autopatch for frontline workers– Windows Autopatch is not new, but Windows Autopatch is now included in the Microsoft 365 F3 subscription to ensure frontline workers are kept up to date.

Windows Autopilot and Windows Update for Business merging – Microsoft is streamlining the interface to handle updates

Microsoft Intune

There were a few big announcements for Microsoft Intune, and I would say the two biggest were around macOS management, Security Copilot in Intune and the Intune Suite.

MacOS management – Microsoft has for a while now been very loud about their story around macOS and Intune, and we are now starting to see the outcome of this. I wouldn’t say that there were that much news related to Ignite around this, but they were pushing for that Intune is now in the forefront of device management for Mac, which means that you no longer need to have Jamf or such to have extensive macOS management.

Security Copilot for Intune – As part of the Copilot and Ai journey we are on, Security Copilot will help you dentify annomolies or issues in your environment. It will help you analyze big chunks of data in no time to find security related events. But Security Copilot is more than that, it will also integrate in Microsoft Intune to help you create new policies or figure out how to solve issues that arrises. This will be such a great feature for many admins out there!

Microsoft Intune suite updates – Microsoft Intune Suite was announced back in March this year and has so far mostly been focues on Endpoint Privilegde Management and Remote Help. Microsoft has now announced three more features that are coming; Enterprise App Management, Advanced Analytics and Cloud PKI. These three additional services will make the Intune Suite bundle even better and are expected to all be available in February of 2024.

Summary

To be honest, this years focus at Ignite was Copilot. The word “Copilot” is mentioned 289 times in the book of news. That kind of set the tone for Ignite. Don’t get me wrong, I’m super excited for Copilot but this year was crazy!

Any how, lot of cool stuff coming out of Ignite this year and I think we will see things moving even faster now around AI since post-Ignite there has been some news around people from OpenAI joining Microsoft… What a time to be alive!

One thing that I take with me is that next year, I want to go to Seattle and be there in person. My feeds has been filled with Ignite related pictures and the FOMO has been real!

Categories
Digital Transformation Intune Windows 365

Back from vacation – what did we miss?

Like the swede I am, I’ve been off work for the last 4 weeks to get my summer vacation. I’ve actually done my best to try to stay away from IT stuff this summer, to disconnect and focus on other things (like golf and getting our house in order).

But the world of IT does not slow down just because of summer, so here is a summary of some of the highlights that I missed during my time off!

I got renewed as MVP

Okay, this I already knew before the summer. But I was awarded for my 2nd year as an MVP within Windows and Devices for IT. I’m truly honored to be awarded for yet another year and being part of such a cool community of awesome people!

Ola Ström | Most Valuable Professionals (microsoft.com)

I will be speaking at WPNinja Summit

I was picked to do two session at the WPNinja Summit in Baden, Switzerland, the 27th to 29th of September.

I will do one session about Windows 365 networks and one about how to do better deployments of Windows 365.

I’m really looking forward to this and I hope to see you all there!

Windows 365 Switch in public preview

At Microsoft Ignite 2022, Microsoft introduced three big new features coming to Windows 365. In May, Windows 365 Boot reached public preview as the first of the three. Now in August, the second and maybe my favorite, Windows 365 Switch reached public preview!

Windows 365 Switch lets you switch between your physical PC and your Cloud PC through the task viewer, just like the other desktops you can have. It’s a really cool feature and I will cover this in a blogpost the upcoming weeks!

You can read more about it in the official Microsoft blogpost found here: Windows 365 Switch now available in public preview – Microsoft Community Hub

Windows 365 Frontline released

This was actually announced before I left for summer vacation, but Windows 365 Frontline finally reached general availability!

For those of you not familiar with this concept, this is a different licensing modell designed for scenarios where the users are not using their device all the time, user who work in shift where you have users coming an going. The concept is that you buy one license, but you get three Cloud PCs but only one can be used at the time.

It sounds a little bit tricky, I know, but I covered this in an earlier blog post which you can have a look at.

Read more about it in the Microsoft blogpost: Windows 365 Frontline is now generally available | Windows IT Pro Blog (microsoft.com)

What’s new in Windows 365?

Windows 365 got some other great updates during the summer as well as Microsoft released a lot of new features in both July and August.

Some of the new features released was:

  • Move Cloud PC is now generally available
  • New setting to allow users to reprovision their own Cloud PC
  • Azure network connection (ANC) least privilege update
  • Provide feedback button for admins is now generally available
  • Windows 365 web client camera support (preview)
  • Group-based license support for Cloud PC resizing
  • Windows 365 app update notifications for users

You can read more in details here about the new features: What’s new in Windows 365 Enterprise | Microsoft Learn

Windows 11 23h2 release update

Microsoft released new information about the Windows 11 23h2 update coming later this year. It is currently scheduled to be released in Q4 and will be released as an enablement package. This means that there are no big changes coming to the code base of Windows 11, and you can keep doing you testing on Windows 11 22h2 if you are still transitioning over to Windows 11.

Microsoft also mentions a Windows 11 LTSC version in this update, which means that if you are waiting for that release, you can start preparing.

Windows client roadmap update: July 2023 – Microsoft Community Hub

What’s new in Intune?

As per usual, Microsoft Intune has gotten it’s weekly updates during the summer. I think the most impactful update was the fact that uninstalling applications as an end-user in Company Portal is FINNALLY available! I know this has been something a lot of IT Pros has been waiting for. There are also a lot of new stuff in the 2307 Service release.

Some highlights:

  • Uninstall Win32 and Microsoft store apps using the Windows Company Portal
  • Use the Turn off the Store application setting to disable end user access to Store apps, and allow managed Intune Store apps
  • New BitLocker profile for Intune’s endpoint security Disk encryption policy
  • Intune supports new Google Play Android Management API
  • Change to default settings when adding Windows PowerShell scripts
  • New settings available for the iOS/iPadOS web clip app type
  • Settings insight within Intune Security Baselines is generally available
  • Tamper protection support for Windows on Azure Virtual Desktop
  • Endpoint Privilege Management support to manage elevation rules for child processes

What’s new in Microsoft Intune | Microsoft Learn

Screen capture protection and watermark

During the summer Microsoft updated how you can enable screen captrue protection and watermarks for Windows 365 (and Azure Virtual Desktop).

Previously, you had to upload a custom ADMX template to enable these settings (or GPO), but they have now been made available in the built-in ADMX profile in Intune, making this setting much more accessible.

I will cover this more in a future blog post

Azure Virtual Desktop Watermarking Support – Microsoft Community Hub

Screen capture protection in Azure Virtual Desktop – Azure | Microsoft Learn

Microsoft Inspire 2023

During the summer, Microsoft also held their Inspire conference which is usually more targeted towards partners, but there was a lot of good stuff announced and shared during the conference.

Check out the main keynote here: Microsoft Inspire Keynote

Any also the rest of the sessions: Session catalog (microsoft.com)

Categories
Tips & Tricks Windows 365

Session time limit for Windows 365 Frontline

Since we now have successfully set up and provisioned Windows 365 Frontline in our environment, we need to add some additional layers of configuration to make operations as smooth as possible, and especially to make sure that we use the licenses in the best way possible.

With Windows 365 Frontline, each license is reserved as long as the user has the session running. This means that users could potentially have active sessions but are idle which would result in them locking one license.

Since users might forget to end the session, you can configure a policy that will end idle sessions for the end-user.

Create the policy

To create the policy, head over to Intune (https://intune.microsoft.com) and navigate to Devices > Windows > Configuration profiles and select “+ Create profile“.

Select the profile type to be Settings catalog and press Create.

Give your profile a name that makes sense to you and your organisation, I will go with something that follow my name standard for my environment that indicates it’s for Windows 365 Frontline and what the profiles does. When you have given the profile a name, press Next.

Select “+ Add setting” to open the settings picker.

In the settings picker, search for session time limits and select the category for Session Time Limits.

In the settings name section, check the box for “End session when time limits are reached and “Set time limit for active but idle Remote Desktop Services sessions“, and your setting will appear in the policy. Once you have selected the setting name, close the fly-out settings picker.

Enable the settings and choose the time limit that matches your needs and corporate policies. In this example I’ve selected 1 hour, which is good value to start with. Once you have enabled these settings, press Next.

Unless you use Scope tags you can skip this section and move right to Assignments where we will deploy this towards all our Windows 365 Frontline devices. I’m doing this by assigning the policy to the built in All devices group and applying a filter I’ve created for Windows 365 Frontline.

The rule syntax you want to use when creating a filter for Windows 365 Frontline machines is at least this one, but it can of course have additional lines depending on your needs:

(device. Model -startsWith "Cloud PC Frontline")

Once you have made the assignments as needed, press Next and then Create.

Your policy will now assigned to all your Windows 365 Frontline Cloud PCs and you can track the progress in Intune by looking at the policy.

Categories
Intune

Intune Suite – What’s in it for me?

Microsoft finally released the long-awaited Intune Suite, or as it is called in Intune “add-ons”.

But what is the Intune Suite and why should I even care? That’s what I’m set out to cover in this blog post, and we will take a look at what there is right now and what’s to come.

One major change happened when this was introduced, and that is how Intune is licensed. Or at least it got some new names. Microsoft Intune Plan 1 is what previously was just called Intune and is included in the Microsoft 365 and EMS plans. This will give you the core Intune features as you have been using them today (with some exceptions).

Then we have Microsoft Intune Plan 2 which are some add-ons to plan 1 including Microsoft Intune Tunnel for Mobile Application Management, which will give you an option to use Intune Tunnel together with your MAM enabled applications. And then we also have Microsoft Intune management of specialty devices, which enables you to manage specialty devices in Intune such as AR/VR devices, conference room meeting devices and large smart screen devices.

For Plan 1, there is also a possibility to buy Remote Help, Endpoint Privilege Management, Advanced Endpoint Analtics and the other upcoming features as standalone services to your Plan 1.

Intune Suite – premium features for Intune

The Intune Suite is a packaged deal which includes all the bells and whistles. You get Plan 1 and Plan 2, but also all the nice extra add-ons. Today, this list is quite limited since it will only get you Plan 2, MS Intune Tunnel for MAM and Remote Help on-top of your Plan 1 licens (which you got from your M365 license anyway). BUT, and this is the selling point, you will get all the upcoming features once they are released.

The two already released premium features (if we disregard the Plan 2 features), are by them self really good products. I’ve previously covered the Remote Help app which since then has been refined even further.

Microsoft has further announced that they will release Endpoint Privilege Management (which is currently in public preview) and Advanced Endpoint Analytics as a start, but there are more things coming which will make this suite even better!

Why should I consider this?

Should you consider the Microsoft Intune suite? Well, that depends on your needs. For some, it certanly makes sense to consider it given that they are interested in a lot of the listed features. For others, maybe just one is interesting which then makes more sense to buy as add-ons on it’s on rather than buying the whole suite.

I think, as of right now, Remote Help and the upcoming Endpoint Privilege Management is what will be most useful for many companies as it solves two major headaches: A remote support tool integrated to Intune and a first party solution to manage local administrator. There are a lot of other good tools out there to manage both remote support and local administrator but having a first party tool comes with advantages such as good integrations to Intune for e.g. reporting.

I will in feature post dig in more to the features of the Intune Suite, but for now we have set the scene!

Categories
Intune Windows 365

Can we build a Windows 365 kiosk for shared use?

Once every now and then you get one of those weird and maybe a bad ideas and ask yourself:

What if I have a Windows 10 computer which cannot run Windows 11, but I really want to run Windows 11 on it in a supported way?

That was what I asked myself when realizing my old Surface Laptop (first generation) does not support Windows 11.

Putting this in maybe a more real-life like scenario “we have some old hardware and Windows 365. We want to keep using the hardware for a few more years but run Windows 11” or something like that.

This gave me an idea. Can we create a kiosk that runs the Windows 365 app only on a managed Windows 10 computer? And to make it more special, let’s make it as a shared device so that I get MY Cloud PC and you get YOUR Cloud PC! 😊

Since Windows 365 Boot is not coming to Windows 10, we need another solution. This solution could be using kiosk mode and shared mode for Windows.

Pre-reqs

What do we need for this to work?

  • Intune managed Windows 10 computer
  • Computer registered for Windows Autopilot
  • Self-deploying deployment profile for Windows Autopilot
  • Shared device policy
  • Windows 365 license of some sort
  • All other licenses required to use Intune
  • The Remote Desktop application installed on a device
  • An Azure AD group containing out kiosk PCs

And that is about it.

My thought is to use the old school ShellLauncher method for this, not the fancy assigned app setup since we can make this more dynamic if we want to re-purpose this for another application. This means that we could also use Win32 applications and not only UWP apps.

Using the ShellLauncher method in Intune has gotten really easy, it’s just one custom policy and we are set.

Creating the ShellLauncher script

When looking around for a good source, and inspiration, for this setup I came across this post by Michael Niehaus which is really good and even provides a sample script we can use (why re-invent the wheel?).

Using the script example in the blog above, I came up with this script which you can download from my Github repo.

Basically, what you need to update, is the <Shell> section of this part to the path for your application (Win32) or the AUMID (UWP). In this case, the Windows 365 app for Windows 10 which is a UWP app (as stated in the V2:AppType attribute).

If the remote desktop session is closed, the application will restart.

Creating the ShellLauncher policy

For this, we need to create a custom policy in Intune.

First step is to go to Intune (https://endpoint.microsoft.com) and navigate to Devices > Windows > Configuration profiles and select “+ Create profile“. Select Windows 10 and later as platform, Template as profile type and then the Custom template.

Next, we will give our profile a good name so that we know what the profile does. This should be based on your name standard and naming convention for policies. Then hit next at the bottom of the window.

On the “Configuration settings” tab, select “Add” and give the configuration a name (e.g., ShellLauncher V2). As OMA-URI, enter:

./Device/Vendor/MSFT/AssignedAccess/ShellLauncher

As data type, select “String (XML file)” and upload your XML file. When this is completed, press Save at the bottom of the screen.

You will now see that your setting has been added as a row to this configuration setting and you can press Next at the bottom of the screen.

On the Assignment tab, select the group where you have put you targeted kiosk devices and press Next at the bottom of the screen.

You can skip the “Applicability rules” tab and jump straight to the “Review + create” tab to view a summary of your configuration.

Once you have reviewed your settings, you can press Create and your profile will be created.

Shared device policy

The other profile we need to create is a profile for Shared device. This is done by going to Devices > Windows > Configuration profiles and select “+ Create profile“. Select “Windows 10 and later” as platform, “Templates” as Profile type and find and select “Shared multi-user device” and click create.

Give your profile a name, I will call mine “Win365 Shared Kiosk“. When you have given your profile a name, press next.

On the Configuration settings tab, enable the Shared PC mode and add the settings you need based on your requirements. I will use Domain as Guest account type to ensure that only users from my organization will be allowed to sign in. I will also add some additional settings as you can see from the screen. When you have added your settings, hit next.

Assign your policy to the group you created and used for the ShellLauncher policy and press next.

On the last step, review your settings and click create!

Self-deploying enrollment profile

To have this as a zero-touch installation, which would require zero input from an IT person, we can use the self-deploying deployment profile in Windows Autopilot, which means that we need to create a new profile.

In Intune, head to Devices > Windows > Windows Enrollment > Deployment profiles and select “+ Create profile” and select Windows PC.

First step is as always to give you profile a name, I will call mine “Self deployed Kiosk” and then press next.

On the next tab, select “Self-Deploying (preview)” as Deployment mode. You will then see that almost all fields are grayed out. You can leave all values as default, or choose to change the Language, if keyboard should be automatically configured and if a name template should be used.

Notice: If you are to use this on a virtual machine, you will need to use the user-driver deployment mode since self-deploying requires physical hardware.

For this demo, I will leave everything set to default and press next.

The next step is to set assignments, we will select the Azure AD group we created for the policy for this, but you could also use another group. The important part is that the device is in this group.

Press next and you will end up on the review + create tab where you can review your settings before pressing create.

Once the profile is created, it will take around 15 minutes or so for the enrollment profile to be applied to your device, given that it’s not already included in another active assignment. If that is the case, you need to either add an exclusion group or remove it from the other group before the profile will be assigned.

If you navigate to Devices > Windows > Windows Enrollment > Devices you can look at your device and make sure the correct enrollment profile is assigned.

Deploying our kiosk

This is where the fun begins. Let’s deploy our kiosk to our device!

My device needed to be reset, since it’s already managed by Intune, I can simply just use the wipe command and the device will reset. Since I’ve already added it to the target group for my deployment profile, the enrollment will kick off automatically once the device has been reset. However, if you are connecting using Wi-Fi, you will need to select region, keyboard and Wi-Fi network.

Once the Windows Autopilot enrollment process has completed, my Windows 365 kiosk device is ready, and I can now only run the Windows 365 app on my device.

NOTICE!

There is a big flaw in this design at the moment, and that is the fact that we cannot deploy the W365 application during the ESP at this stage, this means that we need to ensure that the application is installed BEFORE we apply the kiosk profile. If and when we can install the application from the “new store” during ESP, this will not be an issue.

This means that we currently need to wait until the W365 app has been deployed before we assign our kiosk profile.

Additional reading:

Awesome post by a fellow W365 MVP Dominiek: Windows 11 Kiosk With The Windows 365 App – techlab.blog

Post by Michael Niehaus how to create a kiosk using ShellLauncher: Creating a kiosk or digital sign using Windows Autopilot, Intune, and Edge (Chromium) – Out of Office Hours (oofhours.com)

Categories
Windows 365

Deploying Cloud PCs in different regions

Windows 365 and Cloud PCs are as you know PCs running in Azure somewhere. But what if you want to control this “somewhere” and pinpoint the region they are running in? You might have noticed that spinning up a Cloud PC in e.g., Western Europe gives you Google and all web-based things in Dutch. This isn’t too convenient for the end-users who doesn’t speak Dutch. So, let’s try to address that and give a more “local” experience.

I’m thinking of putting users in a Windows 365 region as close as possible to them, hopefully even within the same country. And to top it off, let’s provide them with a Windows experience in their local language, just for the sake of it.

How can we achieve this?

Well, we need two things, we need a provisioning profile per country and an Azure AD group which has been populated with users for each country. The region selected in the network for Windows 365 decides in which region the Cloud PC is hosted.

Setting up Azure AD groups

There are as many ways to do this as there are IT pros, but I decided to make this easy and just look at three things for my groups, attributes that I know all my users have.

What I decided to look at is that:

  • The account is enabled
  • Usage location for the user is set to Sweden
  • And the country for the user is set to Sweden

That got me the following query for my dynamic group.

(user.accountEnabled -eq True) and (user.usageLocation -eq "SE") and (user. Country -eq "Sweden")

To create a new group, head to Groups in the Intune portal and create a new group by pressing “New group“.

Give your group a name, in my case I’ve called it “All users Sweden” since we will gather all Swedish users in this group. Also make sure to set “Membership type” to Dynamic User so that we can create a query to automatically populate the group based on user attributes.

Add your query to your group by pressing “Add dynamic query” and enter your rule. You can take my example and modify it if you like, copy the rule syntax above and press “Edit” on the rule syntax windows and paste it there. This will populate the fields for you, and you can modify them to suit your needs. Or create your own! Keep in mind that the usage location uses the two-letter country code e.g., Sweden is SE, Norway is NO, Netherlands is NL, USA is US.

Press Save when you have created, and validated, your rule and press Create.

We have now successfully created a dynamic group which will be populated with all active accounts which has their country and usage location set to Sweden.

Creating provisioning policies

Now that we have our groups, we want to put them to effective use. Let’s head into the Windows 365 pane in Microsoft Intune by navigating to Devices > Windows 365 and selecting the “Provisioning policies” tab. To create a new policy, click the “+ Create policy” button on the ribbon.

First off, as always, we will give our policy a name, in my case I’m giving it a name indicating that this is a Windows 11 image, Azure AD joined and running on Microsoft hosted network. And this is for my Swedish users.

The next step is to select what kind of join type you will use and which network. In this example, I will use Azure AD join and using the Microsoft hosted network. The dreadful thing about using Sweden as an example here is that we don’t have Windows 365 in Sweden Central, so we will use the next best thing. Norway East!

You can do this for Azure v-nets, but then you need to set the region stuff when setting up the Azure v-net. There is a limit to the amount of how many Azure Network Connections (ANC) you can define per tenant, you can find out more here. If you know that you have multiple locations and want to put the service as close as possible to the end-user, it’s much easier to use the Microsoft hosted network.

The next step is to select an image, I will go with a gallery Windows 11 image since this will reduce the amount of maintenance I need to do since Microsoft is curating the image. Press next when you have selected your image.

Next, we will configure language and region settings. Like I said, the ambition here is to provide the Windows 365 experience in the user’s local language. So, for this I will select Swedish for this policy.

In this section, you can also choose to opt-in to Windows Autopatch straight away if you have this enabled in your tenant. If you do not wish to do so, just leave it to the default value. But since I have it activated in my tenant, I will add this as well and then press next.

The next step is to assign this policy to our group created in the first part. If you wish, you can add multiple groups to the same provisioning profile. But I only have one which will be used for this one, so I will select my group with all Swedish users and press next.

Final step is to review the settings we have selected and then press “Create“.

Conclusion

Now when a Windows 365 license is assigned to a user, their Cloud PC will be provisioned in the region based on which provisioning policy they are assigned to using our dynamic Azure AD group.

The groups don’t need to be dynamic and you could just as easily accomplish this using assigned groups. Also, you could utilize this setup to also include e.g., your developers who need access to a specific Azure v-net for example. In this case you would have provisioning profiles connected to those networks instead of the Microsoft hosted network, giving those users access to that network.

Categories
Intune Windows 365

Ignite 2022 – live in Seattle!

So, 2022 was the year Microsoft Ignite was FINALLY a physical event again, and for the first time on Microsoft home turf in Seattle.

Being an ex-Microsoft FTE, this gave me major flashbacks to TechReady, which was an internal training event Microsoft used to host in Seattle. Same location as Ignite, just no hilarious videos with Norm Judah encouraging everyone to fill out the evaluations.

Ignite was different this year since it’s a hybrid event, and the first big such for Microsoft which means that they are still trying out the concept.

Overall, I had a lot of fun. For me, meeting up with peers and having the time to focus on the content is important, if sessions are digital or physical doesn’t really matter. Some sessions made more sense virtually. But in-person sessions are usually the best, and you could really tell that people wanted this. Especially the big keynotes are always more fun in-person.

But I was missing the expo where you can meet vendors or just mingle with Microsoft people, there wasn’t really any space for this, except for an awesome Surface expo.

However, the width that the “old” Ignite had was missing and the break-down sessions were missing. The feeling was that this hybrid thing was more focused on people attending remote, and people on site were more the live audience.

There was a lot of news and I’ve picked out the ones I found most interesting.

Windows

Just before Ignite kicked off, there was a Surface event where some news around Windows 11 was released. Check it out here:

Introducing new Surface devices that take the Windows PC into the next era of computing | Microsoft Devices Blog

If you want to read more about all the Windows 365 news, check this out: What’s new in Windows 365: Microsoft Ignite 2022 edition – Microsoft Community Hub

Microsoft 365 and Windows 365 in the Metaverse

This was released a few days prior to Microsoft Ignite, but Microsoft 365 and Windows 365 will be supported on Meta Quest devices, providing a new kind of experience for productivity in the Metaverse.

This means that you will be able to run a fully supported productivity setup in the Metaverse with e.g., Microsoft Teams and Windows 365. Windows 365 is not yet released for Metaverse, but this indicates strongly which direction VR is heading now.

On top of Microsoft 365 apps being supported, you will also be able to manage the Meta Quest and Meta Quest 2 using Azure Active Directory and Microsoft Intune, which would provide IT admins with a whole new option of what a PC or workstation is for their end-users. You can read more on this blogpost by Microsoft: Microsoft and Meta partner to deliver immersive experiences for the future of work and play – The Official Microsoft Blog

The new Windows 365 app (preview)

The Remote Desktop app has for long been the go-to application for your VDIs, but now for Windows 365 you can use the brand-new Windows 365 app which is now in public preview. This app aligns more with the Windows 365 features found on the web portal but with the advantages of the desktop app! Read more here:

Experience the Windows 365 app: public preview available now – Microsoft Community Hub

Organizational messages

Getting messages out to end-users is always a struggle within IT. There is a new feature for Windows 11 where you can send organizational messages, natively in Windows, to your users instead of sending them email using Microsoft Intune coming in November to Windows 11 22h2. Read more here:

Deliver organizational messages with Windows 11 and Microsoft Intune – Microsoft Community Hub

Microsoft Intune

No more MEM…

The brand Microsoft Endpoint Manager or MEM is going away. The new product-family name will be Microsoft Intune where a bunch of things will be included, Configuration Manager amongst others. You can read more about the anoncment here:

Introducing the Microsoft Intune product family – Microsoft Community Hub

Add-ons for Microsoft Intune

Add-ons for Microsoft Intune is obviously here to stay, and it’s also growing bigger than just Remote Help which has been an add-on for a while now.

Out of the list of new add-ons coming, what caught my eye especially was these two which I think will solve a lot of headaches for a lot of IT admins.

You can read more here about all new add-ons:

Reduce your overall TCO with a new Microsoft Intune plan – Microsoft Community Hub

Endpoint privilege management in preview

Enabling local admin for users on a temporary basis has been a struggle with Intune managed devices. Old solutions relying on attributes in the on-premises AD do not work and there aren’t really any “best practices” established around this yet.

However, Microsoft is looking to solve this with the Endpoint Privilege Management which is in public preview. Read more in the link above.

Automated app patching as add-on

Keeping applications up to date is something that many stuggles with, and there are products around to solve that. Now Microsoft are throwing themselves into this game as well, which makes a lot of sense. This is just briefly mentioned in the “Further value and looking forward” part of the article, but if they are able to deliver on a native Microsoft Intune feature for this, that would simplify things a lot!

Categories
Intune

Autopilot registering for non admins

Windows Autopilot is a really nice thing, I think you all are familiar with this by now. But the process to add devices, and adding devices without being an administrator, isn’t really that straightforward with exporting CSV’s and such. The way I usually import the hardware IDs is by using the Get-WindowsAutopilotInfo.ps1 PowerShell script.

The built-in roles in Microsoft Endpoint Manager do not give you rights to add or remove devices, you need to create a custom role for this.

There are two options here, you could either duplicate an existing role such as the Help Desk Operator role and add the Enrollment Programs rights which you will need, or you can create a new custom role.

Creating a custom role for this could be very useful if you want to provide the possibility for your e.g. deskside support personal or a hardware coordinator to upload hardware IDs if this was not done by your hardware vendor.

In this example, I’ve created a new role called “Windows Autopilot Operator”.

Create a new role

Head to the Microsoft Endpoint Manager portal and navigate to Tenant Administration > Roles and click “+ Create” (or mark the role you want to duplicate and click the duplicate button).

Give your new role a name such as “Windows Autopilot Operator”.

Click next and find the heading “Enrollment programs” and enable:

  • Sync device
  • Delete device
  • Create device
  • Read device

Click through the wizard and create the new role.

We now need to assign this to a group of users. When the role is created, click on the role and go to Assignments.

Click “+ Assign” and give your assignment a name, such as Deskside Support or something describing what kind of users will be in this assignment.

Click next and add a group containing your users.

On “Scope groups”, add all users and all devices.

Complete the wizard and you have now created an assignment. If you wish to add more assignments, you can just click the “+ Assign” button again and repeat the steps.

Importing the hardware ID

We can now get started with importing the hardware ID into our tenant! You can do this either from the Out of Box Experiance (OOBE) process or in runtime. Since I think we all know how it works in run time, let’s have a look at what it looks like during OOBE.

In this example I’m using a virtual machine, but you need to have passed the Wi-Fi selection part if you are doing this on Wi-Fi since we need internet connectivity.

During the OOBE process, press SHIFT + F10 (don’t forget FN if you have such keyboard). Type powershell and hit enter.

You have now launched PowerShell in your terminal, and we can get going with executing the following three lines. You will during the have to confirm that you want to install the script, just press “y” and enter when asked to.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutoPilotInfo
Get-WindowsAutoPilotInfo.ps1 -online

When you run the third line of PowerShell code, you will be prompted to sign in with you account. If this is the first time you are running the online version, you will need to consent the sign in first (it will show up on the screen).

Once signed in, the process will start and the Hardware ID will be harvested and uploaded to your tenant.

This process usually takes a few minutes. Once completed, turn off the computer.

If you have a look in your Windows Autopilot devices list in the Microsoft Endpoint Manager by going to Devices > Windows > Windows Enrollment > Devices you can see that the devices has been uploaded.

Depending on how you are assigning deployment profiles, this will usually be assigned within 15 minutes. Once the profile has been assigned, you can start the computer again and enroll it!

Bonus tip

If you are using group tags to assign profiles like I do in my lab, you can actually do this while running the script by adding “-GroupTag ‘[YourTag]'” at the end of the script. 

Get-WindowsAutopilotInfo.ps1 -online -GroupTag '[YOUR TAG]'

This will automatically add the group tag to the device entry, and if your automated profiles assignment is depending on this everything will happen automatically!