Categories
Intune

Where is device heading

I started a blogpost something like this about 4 years ago:

“I’ve been thinking about this post for a long time, probably several years to be honest. What got me to get this done is something Microsoft released, the Windows 10 in cloud configuration, which is a configuration guide for how to move to cloud managed Windows 10 devices.

This is great!

This shows that managing Windows 10 purely from Microsoft Intune is not rocket science and it will make it easier for smaller companies especially to get going.

BUT this is also showing what I’ve been expecting for a couple of years. “

Let’s stop the tape right here. I’ve added to this post once back in 2022 but never finished it. And to be honest, this has been on my mind since 2016. I recall that this was planted in my head in a conference room at the Microsoft Madrid office at a meeting with my team back in the day.

This post was initiated long before the release of Windows 11, and before the release of Windows 365. AI was still something that was being explored but not a massive thing, we were more focusing on machine learning than AI. It feels like ages ago, but it still makes sense to talk about this given what is currently happening with Cloud PCs, AI, and continuous innovation in Windows 11.

This is probably to date the blogpost that has taken the longest to write, but it’s starting to make sense now.

The change of device management

When we talk about device management, and especially Windows, things tend to get technical and hard quite fast. Especially if we throw some on-premises things into the mix and talk about creating custom boot images (which is an artform in itself).

Now we are in the age of AI and Copilots. Copilots are showing up everywhere for everything. We have currently seen what is called the Microsoft Security Copilot where security admins can query the Copilot to find issues and even troubleshoot device configurations. This is only the beginning of the AI transformation we are on. The Security Copilot also connects into Microsoft Intune, becoming Copilot in Intune.

Looking at Microsoft Intune and how simple it is to get started with a surprisingly good baseline and basic device management, this is a fitting example of how this whole segment has evolved into something which does not need to be that complex anymore with servers, distribution points, image creation, OSD, GPOs. Using Intune, you can get a long way with the guided scenarios or the security baseline which are already existing in Intune today. You can even get suggestions on what to set using the Settings Insight feature in Intune which will give you recommendations on how to configure your security baseline using machine learning. And that is without any Copilots.

AI will help us

What has gotten me to finish this blogpost is the Copilot and Intune story that Microsoft is now telling. I attended WP Ninja Summit 2024 in Lucerne where Copilot was mentioned in a lot of sessions and showed real world value. Copilot can find issues with devices, or policies, which would take admins hours, or even days to find. If you get that in about a minute or two, that is a huge increase in productivity. Copilot is not yet in the state that it will suggest that “you should configure your setup like this”, it’s still learning Intune. But just putting the tools in the hands of admins simplifies their work… Wow.

But there is also a conflict of interest here. If I can use Copilot to find that error in a few minutes… Why do I need to pay expensive consultants to do the work for me? Well, I think we who live and breathe device management need to raise our line of sight a little and find what the next big thing is and how we can stay relevant. This will be a challenge for many, but this change will also take several years to complete.

I would assume that this is just the start of a pretty epic journey in device management, making life easier and probably quite drastically changing how we work with device management. Microsoft has a lot of data of what “a good device management configuration” should look like. Even if most organisations think they are unique and have unique needs, most organisations share the same baseline needs but of course with their unique touch on top of things. This is where the focus should be, not the baselines where we tend to spend way too much time today.

What about Windows?

By listening to a lot of sessions around Windows 365 and looking at how Microsoft is positioning this as the future of Windows, I think we will see a shift in a few years. Not in the next one or two years, but looking at Windows 365 Boot, the new Windows 365 experience being released for Motorola Think Phone, and the general focus on sustainability I think we will see both a technical and culture shift in what a computer is in the next couple of years. Don’t get me wrong, we will still have some kind of device but it will probably be different to what we are used to today.

Just imagine that you suddenly could access your computer from any device you have, only needing one device to get both a mobile and desktop experience depending on your context. If you are like me, someone who works a lot from places where you don’t have external monitors, well maybe your device will not be a smartphone only. Or maybe you even have two devices but your “laptop” is something with focus on giving you optimal battery life and great longevity.

One thing that sticks in my head right now though is “we are moving Windows to the cloud” and not just management with Windows 365. Windows as an operating system will still be the foundation of a lot of business work and applications, but how we consume it is where the difference will lie.

My predictions

So my big two predictions about where this whole area is heading, even if we are a few years out:

  • Intune management will drastically change once Copilot for Intune is more widely used, making device management in general a whole lot easier
  • Windows will be consumed for “a device” and that device might not have Windows installed on it. We will come back to the world of thin clients, but more optimized for the connected world.

Of course, several years of experience will still be relevant, but doing the clicking and selecting what exact setting to accomplish the wanted state, that will not be a hard part.

Categories
Digital Transformation

Windows 11 – make the move!

As I hope ALL of you know, Windows 10 is reaching End of Service (EOS) on the 14th of October 2025. If you haven’t marked your calendars already, do so now! This date is even more important if you haven’t made the move over to Windows 11 yet. This does not affect the Windows 10 LTSC currently in support.

The path to reaching Windows 11 can vary, and it’s hard to say that “this is how you should do it”. Some decide to combine this with their cloud journey, some simply upgrade, and some haven’t really thought about it yet. This blogpost is aimed to inspire those of you who haven’t made the move yet for different reasons. And those of you who help others and need inspiration. So, less focus on tech and more focus on the reasoning to make the move.

Why should you move to Windows 11?

To be honest, the reason to move to Windows 11 is simple. Windows 10 will no longer receive updates unless you decide to pay for the Extended Security Updates (ESU). This will be a fairly expensive way to tackle staying up to date. Microsoft announced back in April that the first year will cost $61 per device. Given that the Windows 11 upgrade is free, there are few reasons to not move. We also see over 99% application compatibility between Windows 10 and Windows 11. Looking at customers I’ve helped and talked about this with, the issue is rarely the applications anymore.

Setting that aside, Windows 11 brings a whole lot of new security-related features to the OS. But it also brings more simplicity to the end user. One thing I hear often is that “the start menu is in the middle, our users will never learn this”. It takes about a day to get used to it, so the problem is not really there. This has so far not been an issue with the customers I’ve helped. However, IT has often thought this would be the number one support issue.

What does Windows 11 bring to the table?

What Windows 11 brings is, however, innovation. Like it or not, Copilot will be part of our everyday life. In Windows 11, you have it at your fingertips with the native Copilot app. Depending on where you live, the experience will vary. There is a native app, or you will have to get the app from the store. Since AI and Copilot are mentioned in almost every context and situation, giving your end users access to a powerful AI in Windows is a huge improvement.

What is important with Windows 11 upgrades is communication to end-users so they know what’s going on. Unannounced upgrades are rarely a good idea since they can potentially mess with people’s flows initially, or cause unexpected reboots. Teach your users to make use of all the new and improved features of Windows 11. This is a great way to give the feeling that you from IT are proactive and offering them the latest and greatest.

The downside of moving to Windows 11

To be fair, downside is the wrong word. There is one potential problem with moving to Windows 11, which is that older hardware is not supported. We are talking about things released prior to 2017, creating a huge amount of e-waste. For many companies, this would not be a problem given that you have proper lifecycle management of your devices. But it creates a huge amount of devices which will not be feasible to use any more.

However, there are some ways you can still make use of them. Being a Microsoft advocate, my favourite is running Windows 365 on them. If you run a Cloud PC from a Windows 10 machine, the ESU will be free of charge and you can keep using that machine going forward, but that means using it to access a Cloud PC which is running Windows 11. You can of course also convert them to thin clients using something like IGEL and have their OS accessing the Cloud PC.

But going back to the topic of e-waste. This will be a huge challenge, not only from a corporate and logistics perspective, but from an environmental perspective. There will be A LOT of devices which need to be recycled, and we must really hope that they will be recycled and not just thrown away or shredded.

Get to Windows 11 fast

So what is the fastest path to Windows 11? A lot of times when we talk about moving to Windows 11, we talk about going cloud native.

I’m all for going cloud native and I would recommend it to everyone. But going cloud native if you are on-premises or hybrid today is time-consuming, and not really needed.

If you listen carefully to how Microsoft talks about the journey, it’s rarely stated that you should re-install every device as cloud native. What they are talking about is moving to Intune, and that is a different thing since you can be Intune only but still be hybrid.

So for most organisations, going hybrid for all existing devices is the fastest path to Intune only. But remember that ALL new devices should be cloud native (since you won’t really gain anything from new hybrid devices).

But looping back to Windows 11 and getting there fast.

Windows 10 has had a steady release cadence, even if it has shifted a bit over the years. You have moved from Windows 10 20h2, to Windows 10 21h2, to Windows 10 22h2 using either Windows Update or Configuration Manager. When looking to move to Windows 11, you can view this as “yet another update” and deploy it as such.

You hopefully already have a working process for this in place, and if you are doing custom images this would apply to your imaging lifecycle as well.

Since we have about a year left, this would be the fastest way to get there and move to Intune after that.

Take aways

The main take away from this is: don’t make the Windows 11 journey harder than it has to be. Windows 11 is not that scary and it’s a great operating system regardless of what different internet forums say. From a business perspective, this shouldn’t be a discussion. Just a go do!

We never discuss or get stuck on iOS versions in the same way, not wanting to move to the next version.

A couple of years ago, in the beginning of this blog, I wrote about consumerization of corporate IT and it’s still relevant. We as individuals are driving change. We are no longer in a world where IT can say “no, we won’t give you the latest version of this and that” since things will stop working. If you run an unsupported version of Windows you are not only facing potential security threats. You will also see that a lot of your business applications will stop working, since these have adapted to the Windows as a Service concept introduced with Windows 10.

What is the biggest take away from this blog? If you haven’t set the plan to migrate to Windows 11, start now! You have less than a year left.

Categories
Intune

Copilot in Windows – How to turn it off using MS Intune

As everyone knows by now, Copilot is coming to Windows. For people in some parts of the world (e.g. USA) this is already a reality. But for us in Europe, we are still waiting for it to be made available.

I rarely write posts about how to disable things, I’m a fan of giving the power to the end-user to use the new awesome tools made available for them. But Copilot is a massive thing, and for many organizations this is both a legal/policy issue, and a technical readiness issue. We need to be able to provide our users with services in a controlled way.

Many of the larger organizations I’ve been working with over the years take this approach, enabling new services in a controlled way.

So, let’s look at how we can control this using Microsoft Intune. In this post, we will not dig into what Copilot for Windows is.

Creating a policy

As usual, my focus is on cloud solutions so we will look into how you can do this using Microsoft Intune and not GPOs.

Today, there is no Settings Catalog entry for this, so we need to rely on a Custom policy which we create by heading into the Device blade, choosing Windows > Configuration Profiles and selecting “+ Create” > “New policy“. Then we select Windows 10 and later as platform, and use Template > Custom as profile type.

As usual, start off by giving your profile a good name based on your naming convention.

Now, let’s add a custom setting by pressing the “Add” button.

Add the following information to your custom entry:

Name: Disable Windows Copilot
Description: 
OMA-URI: ./User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot
Data type: Integer
Value: 1

Once the fields are filled in, hit Save at the bottom of the fly-out.

You have now successfully added a custom CSP setting.

Hit Next at the bottom of the screen and assign your policy to a user/device group. As always, if you are doing this in production, start with a test group before going for broad deployment.

For this demo purpose, I’ve added the built in “All users” group.

Skip the “Applicability rules” and head to “Review + Create” and review your profile before creating it. Once the profile has been created, the waiting game starts for the policy to apply. As usual, you can speed this up by pressing “Sync” on any of your devices that will be targeted.

When the policy has been applied, the Copilot icon will be removed from the task bar.

Doing a controlled roll-out

We have currently removed Copilot for all the users in your environment, but how do we start enabling it again?

Well, we need to do two things:

  • Create a group for our allowed users/devices
  • Exclude them from the policy we just created

Since the default value for the Windows Copilot feature is to be enabled, we don’t really need to add a new policy. We can just exclude our targeted users/devices. This also makes broad deployment easy since we can gradually just exclude users/devices until we want to enable it for everyone.

Please be aware that the change is not instant, the device needs to check-in before the policy is updated (but it’s fast when you do a forced sync).
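The same profile and the pilot exclusion can also be created through Microsoft Graph instead of the portal. The script below is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Authentication`) is installed, that the signed-in account may manage Intune device configuration, and that `-PilotGroupId` is the object ID of a group you have already created for the allowed users; the profile description text is made up for the example.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example: create the "Disable Windows Copilot" custom profile via Graph,
# assign it to All users and exclude a pilot group, then read the result back.
param(
    # Assumption: object ID of the Entra ID group whose members keep Copilot.
    [Parameter(Mandatory)]
    [guid]$PilotGroupId,
    [string]$ProfileName = 'Disable Windows Copilot'
)

$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$base = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'

# Custom (OMA-URI) profile carrying the single integer setting from the post.
$configProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Hides Copilot in Windows until the pilot is widened'  # example text
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Disable Windows Copilot'
            omaUri        = './User/Vendor/MSFT/Policy/Config/WindowsAI/TurnOffWindowsCopilot'
            value         = 1
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri $base `
    -Body ($configProfile | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Include "All users" (as in the post) and exclude the pilot group.
# An exclusion takes precedence, so pilot members never receive the setting
# and stay on the Windows default, which is Copilot enabled.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }
        @{ target = @{
                '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                groupId       = $PilotGroupId.ToString()
            } }
    )
}

Invoke-MgGraphRequest -Method POST -Uri "$base/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Read the assignments back so the include/exclude pair can be checked
# before any device syncs.
$applied = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($created.id)/assignments").value
$applied | ForEach-Object {
    [pscustomobject]@{
        ProfileId  = $created.id
        TargetType = $_.target.'@odata.type'
        GroupId    = $_.target.groupId
    }
}
```

Widening the roll-out afterwards only requires adding members to the pilot group; the profile itself does not change.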

Take away

So, why would we disable this for all users and do a controlled roll-out? Well, new features are not always easy for end-users to grasp or even understand that they have. People within IT tend to always want the latest and greatest and be early adopters. But “real” end-users are not always like that. We need to make sure that we can get information out to our end-users about this awesome new feature.

It might also be that we need to do some assessments around the service before we can enable it in our environment; this could be both legal and internal policy that is controlling this.

But as always, I really encourage you to enable this for your end-users once it’s available in your region. For us in Europe, we will have to wait a bit longer, but looking at the recent announcements around a Copilot-button on all Windows keyboards, I think we can really tell where we are heading with this.

So please, don’t just disable this for the sake of disabling. And if you do disable it, have a plan to enable it. It will bring awesome value to your end-users (especially if you have Microsoft 365 Copilot licenses).

Categories
Modern Workplace

Microsoft Ignite 2023 recap

It’s that time of the year again. Not Christmas. Microsoft Ignite time!

This year I decided not to go to Seattle, but instead follow it virtually from home. I can say now that Microsoft Ignite is over that I’ve had a severe case of FOMO the last couple of days. Just seeing all the pictures, it looked like it was a really awesome event!

But since MS Ignite is over, it means that it’s time for a recap. What did I find most interesting?

For starters. There was a clear theme this year. AI, AI, Copilot, Copilot and Copilot. 😂

Oh, and the picture in the top of this post is of course created using AI!

Windows 365

There was a bunch of new things released within Windows 365 at Ignite, and Windows 365 actually got time in the main keynotes!

New Windows app – A preview of a new app to support not only Windows 365 and Cloud PC, but to also give you all your Azure Virtual Desktops, DevBox and published apps in the same place. The cool thing is that it’s also platform independent so we will see the same experience on all major platforms going forward. You will be able to have a “Windows” app on your iPad.

Windows 365 GPU support – Microsoft announced that GPU support for graphic design work is coming to Windows 365, and this will really be great for a lot of customer scenarios! It will be really interesting to see the price tag on the GPU SKU, I would kind of guess that you really need to have a good business case and not just have it because GPUs are cool…

Windows 365 AI capabilities – It was also announced that you as an IT admin will be able to get AI based recommendations on sizing the Cloud PCs. This is to help improve cost efficiency and user satisfaction. Preview will be released soon.

Single-sign on (SSO) and passwordless authentication – SSO and passwordless has for quite some time now been in preview in the Intune portal, but it’s now in general availability. This also applies to approved AVD providers!

Watermarking, screen capture protection, and tamper protection – in order to increase security and prevent data loss, these features which have been in public preview for a while are now in general availability on both Windows 365 and AVD.

Windows 365 Customer Lockbox – To ensure that Microsoft support engineers can’t access content to do service operations without explicit approval, you can use Customer Lockbox. This is similar to other Customer Lockbox within the Microsoft ecosystem. This is in public preview.

Windows 365 Customer Managed Keys – I think this is a pretty cool update. You will soon be able to use your own encryption keys for encrypting the Windows 365 Cloud PC disk.

Windows

Even though Microsoft Build is usually where we see most Windows news, there were a couple during Ignite this year.

Copilot in Windows – This was actually announced at the event earlier this fall and went in to public preview for selected markets on the 1st of November. During Ignite Microsoft announced that it will go into general availability in December, so let’s cross our fingers Europe is included!

Windows Autopatch for frontline workers – Windows Autopatch is not new, but Windows Autopatch is now included in the Microsoft 365 F3 subscription to ensure frontline workers are kept up to date.

Windows Autopilot and Windows Update for Business merging – Microsoft is streamlining the interface to handle updates.

Microsoft Intune

There were a few big announcements for Microsoft Intune, and I would say the two biggest were around macOS management, Security Copilot in Intune and the Intune Suite.

MacOS management – Microsoft has for a while now been very loud about their story around macOS and Intune, and we are now starting to see the outcome of this. I wouldn’t say that there was that much news related to Ignite around this, but they were pushing the message that Intune is now at the forefront of device management for Mac, which means that you no longer need to have Jamf or such to have extensive macOS management.

Security Copilot for Intune – As part of the Copilot and AI journey we are on, Security Copilot will help you identify anomalies or issues in your environment. It will help you analyze big chunks of data in no time to find security related events. But Security Copilot is more than that, it will also integrate in Microsoft Intune to help you create new policies or figure out how to solve issues that arise. This will be such a great feature for many admins out there!

Microsoft Intune suite updates – Microsoft Intune Suite was announced back in March this year and has so far mostly been focused on Endpoint Privilege Management and Remote Help. Microsoft has now announced three more features that are coming: Enterprise App Management, Advanced Analytics and Cloud PKI. These three additional services will make the Intune Suite bundle even better and are expected to all be available in February of 2024.

Summary

To be honest, this year’s focus at Ignite was Copilot. The word “Copilot” is mentioned 289 times in the book of news. That kind of set the tone for Ignite. Don’t get me wrong, I’m super excited for Copilot but this year was crazy!

Anyhow, a lot of cool stuff is coming out of Ignite this year and I think we will see things moving even faster now around AI since post-Ignite there has been some news around people from OpenAI joining Microsoft… What a time to be alive!

One thing that I take with me is that next year, I want to go to Seattle and be there in person. My feeds have been filled with Ignite related pictures and the FOMO has been real!

Categories
Digital Transformation

Controlling your carbon footprint in Windows

As many probably know, Microsoft released a bigger update to Windows 11 with the March Patch-Tuesday release. This release was more than just patches; it also included some new features like the Windows 365 app which reached GA earlier this year, video recording in the Snipping tool and some pretty cool AI features from Bing.

But one of the better new features is, according to me, the new energy recommendations to help you decrease your carbon footprint. This new feature is just a set of recommended settings to set for your computer to be more energy efficient.

The end-user could implement these settings themselves, but let’s face it, no one outside the IT department would look for that in the settings.

Since Windows does not enforce the policies to be changed, someone needs to make an active decision here.

This is what my device looked like when just jumping into the settings. What options you see might vary depending on what device you are using, and you can even get recommendations on a Cloud PC. In this example, I’m using a desktop PC. As you can see I have two settings which are not in line with Microsoft recommendations, and one which is managed by Intune. If I had a laptop, there would have been more options for me such as screen brightness and battery optimization.

Here I can select if I want to apply all or just a subset of actions. If I click on apply all, all settings will be updated to the recommended value.

I can also now see, if I step back in the settings menu, that I have enabled all available settings.

Conclusion

Even if this is a small update, I think it’s a good and important one to adopt. You can of course look into having these defined within your environment, which will mean that users cannot change these settings themselves if they would like for some reason.

This is a balance between enforcement and spreading awareness amongst users. There might be reasons for users needing increased brightness on their screen as an example. But looking at this from a sustainability perspective, this is a great place to start working with your computers around this even more.

If you want to know more about the settings which are a part of this, have a look at this Microsoft support page: Learn more about energy recommendations – Microsoft Support