Nerdio: Enhancing the Windows 365 Experience

For years now, many organizations have been looking at remote work situations to assess just how feasible this can be for their operations. Undoubtedly, businesses would want to know the cost implications of establishing such a setup. They’d also want to know the difficulties involved and how security issues are addressed, among other things.

This is why Windows 365 has garnered plenty of interest in recent years. With the Windows 365 Cloud PC, businesses can expect to get powerful virtual PCs that are easy to set up, cost-efficient to run, and highly secure. And when you bring a service such as Nerdio into the mix, you can offer clients an even better experience.

Explaining Windows 365

Let’s start by going over what exactly this product is. The Windows 365 Cloud PC is a virtualization service that Microsoft introduced to businesses a few years ago in 2021. The service’s design enables users to stream their Windows 10 or 11 desktop, its settings, any applications, and content from the Microsoft Cloud to any of their devices.

As a business, this means that your workers can experience the full Windows ecosystem whether someone is using a personal or corporate-owned device. Regardless of where they are working, Microsoft aims to take the cloud computing experience to a higher level.

Having an option like this opens up vast possibilities for businesses. Workers no longer need to be restricted to the physical confines of their office buildings and can work from anywhere. Some surveys show that as much as 73% of today’s workers want to have the option to work remotely. We can see why a lot of organizations show a growing interest in this service.

So, with essentially what is an Operating System-As-A-Service solution, Windows 365 offers virtual desktops that can be accessed in any modern web browser. And with a large number of available features, businesses can get the digital solutions necessary to bring about technological transformation.

Benefits of Windows 365

Windows 365 has plenty of great features that make it an attractive option for many businesses. Among some of them, organizations can expect:

IMPROVED FLEXIBILITY

As a virtual workstation with access from anywhere, the Windows 365 Cloud PC gives users increased flexibility regarding where they can work. With an internet connection and a modern web browser, you can access your Cloud PC wherever you are. Additionally, you have the freedom to use any device, be it your PC, Mac, iPad, Android device, etc.

This simplifies working outside the office even more. You don’t necessarily have to go out and purchase new devices that would enable you to access your Cloud PC. Moreover, if individuals get to use the devices that they are most comfortable with, this may potentially increase productivity for some.

GREAT SECURITY

With all the flexibility and remote access that Windows 365 offers, it is imperative that the security measures be of the highest standard. Fortunately, as data is stored on a Microsoft Cloud, clients enjoy guarantees that their data is extremely secure. And this can be further enhanced by using Zero Trust principles.

Features including strict authentication of all users and the use of just-in-time and just-enough-access, among others, provide you with the kind of cyber security needed for the complexities of today’s modern environment and the hybrid workplace. Therefore, admins will have less to worry about regardless of whether people are in the office or working remotely.

COST-EFFECTIVE

Hardware costs can be prohibitive for businesses, especially for those that have just started operations. By using Windows 365, organizations can pour their finances into other critical areas because hardware expenditure is significantly reduced.

And since heavy computing is being carried out on the cloud, you won’t need to worry about having the latest, most powerful devices. This is something that benefits even the more established organizations as well.

Using Windows 365 can help to reduce the costs of regularly refreshing your hardware. As long as your devices meet the minimum requirements, you can use them just fine.

REDUCE YOUR CARBON FOOTPRINT

Data centers can be the cause of significant carbon emissions. As such, considering options like Windows 365 for virtual workstations can go a long way in reducing an organization’s carbon footprint, especially when the Microsoft Cloud operates far more efficiently than traditional data centers.

Some have even stated that it may operate up to 93% more efficiently. And when you combine that with reduced hardware refresh cycles, your organization can potentially make huge strides toward achieving a green operation. Any organization attempting to achieve net-zero emissions may find using Windows 365 to be hugely beneficial towards achieving that goal.

ACCESSIBILITY

One of the best features of Windows 365 is that it’s not a service that targets only big businesses. From massive organizations to smaller ones with less than 300 users, most can find an option that can meet their unique needs.

Microsoft offers two core subscription models, Windows 365 Business for smaller enterprises and Windows 365 Enterprise for the larger ones. Arguably, the best thing about these options is that they share the same range of features. They also provide several Cloud PC configurations from which to choose.

What is Nerdio?

After going over what Windows 365 is and what it offers, one may naturally wonder what Nerdio is and why you would need it. By definition, Nerdio is a deployment, management, and optimization platform for Managed Service Providers (MSPs). It’s a solution for those using Azure Virtual Desktop and Windows 365.

Its design helps users simplify the use of their virtual workstations by addressing challenges that clients may often encounter. For instance, people who have previously had issues with storage management in the native solutions will get the assistance they need with managing storage.

In addition to increasing user efficiency, one of the most attractive features of Nerdio for businesses is that it aims to help enterprises with native Microsoft Cloud technologies to run more cost-efficiently.

Tools like the Cost Estimator provide precise information that will help you plan accordingly for the technologies you intend to use. Therefore, not only will virtual desktop users be empowered, but organizations will have a tool that can minimize costs.

Prerequisites

Before your organization can deploy Nerdio Manager for Enterprise (NME), you will need to meet several requirements, including the following:

VNET AND SUBNET

You’ll first need to pre-create a VNET as well as a SUBNET. If your environment is Active Directory-joined, then you need to have connectivity to Active Directory or Microsoft Entra Domain Services domains. You should also verify that DNS and any peerings or WAN connections have been established and are working. Before you can deploy NME, you need to check the following:

  • The URLs and ports that AVD and Azure require must be available.
  • Tasks in NME will require additional URLs, which must be accessible for the successful completion of the provisioning process.

DIRECTORY CREDENTIALS AND SERVICE ACCOUNT

To join host virtual machines to the domain, directory credentials are required. Additionally, you’ll need a service account with delegated privileges to join computers to the domain. You should note that a domain account could be suitable but is not necessarily required.

ADMINISTRATOR PRIVILEGES

The administrator responsible for carrying out the NME deployment must have the necessary privileges for Microsoft Entra ID and the Azure subscription. Nerdio recommends the Global Admin and Owner privileges as the best option for simplifying the deployment process. Admins should be aware that NME is not assigned as Global Admin or Owner on the subscription.

Despite that, you still need these permissions to complete the setup. Furthermore, if you have access to another Global Admin user capable of granting consent to the required permissions for NME, the Global Admin privilege becomes unnecessary. However, subscription owner privileges still remain necessary.

FUNDED AZURE SUBSCRIPTION

This subscription is another requirement, and it must have the following resource providers:

  • Microsoft.DesktopVirtualization
  • Microsoft.Compute
  • Microsoft.Storage
  • Microsoft.Automation
  • Microsoft.RecoveryServices
  • Microsoft.SQL
  • Microsoft.Insights

Most of these resource providers should be automatically enabled by the deployment from the Microsoft Azure Marketplace. Not only that, but NME needs to validate if any resource providers are missing during the initial configuration.
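
The provider list above can be checked before deployment. The following is an added example, not code from Nerdio or Microsoft: it reads the JSON that `az provider list --output json` prints, reports every required provider that is not in the Registered state, and suggests the `az provider register` command for the ones that need it. The function names, the "NotListed" label and the sample data are assumptions made for illustration.

```python
import json
import sys

# Resource providers the page lists as required for the NME subscription.
REQUIRED_PROVIDERS = [
    "Microsoft.DesktopVirtualization",
    "Microsoft.Compute",
    "Microsoft.Storage",
    "Microsoft.Automation",
    "Microsoft.RecoveryServices",
    "Microsoft.SQL",
    "Microsoft.Insights",
]

# Constructed sample shaped like `az provider list --output json` output.
# Only the two fields this check reads are included.
SAMPLE_PROVIDER_JSON = json.dumps([
    {"namespace": "Microsoft.Compute", "registrationState": "Registered"},
    {"namespace": "Microsoft.Storage", "registrationState": "Registered"},
    {"namespace": "Microsoft.DesktopVirtualization", "registrationState": "NotRegistered"},
    {"namespace": "Microsoft.Automation", "registrationState": "Registering"},
    {"namespace": "Microsoft.Sql", "registrationState": "Registered"},
    {"namespace": "microsoft.insights", "registrationState": "Registered"},
    # Microsoft.RecoveryServices is deliberately absent from the sample.
])


def check_providers(provider_list_json, required=REQUIRED_PROVIDERS):
    """Return {namespace: state} for each required provider that is not Registered.

    Namespaces are compared case-insensitively so that differences in letter
    case (Microsoft.SQL on the page, Microsoft.Sql in the sample) do not
    produce a false "missing" result.
    """
    providers = json.loads(provider_list_json)
    states = {
        p["namespace"].lower(): p.get("registrationState", "Unknown")
        for p in providers
    }
    problems = {}
    for namespace in required:
        # "NotListed" is this script's own label for a provider that does
        # not appear in the input at all.
        state = states.get(namespace.lower(), "NotListed")
        if state.lower() != "registered":
            problems[namespace] = state
    return problems


def remediation_commands(problems):
    """Build one `az provider register` command per provider that needs it.

    A provider that is already Registering only needs time, so it is skipped.
    """
    commands = []
    for namespace, state in problems.items():
        if state.lower() == "registering":
            continue
        commands.append(f"az provider register --namespace {namespace}")
    return commands


if __name__ == "__main__":
    # Usage: az provider list --output json | python check_providers.py
    # With no piped input, the constructed sample is used instead.
    raw = SAMPLE_PROVIDER_JSON if sys.stdin.isatty() else sys.stdin.read()
    found = check_providers(raw)
    if not found:
        print("All required resource providers are registered.")
    for namespace, state in found.items():
        print(f"{namespace}: {state}")
    for command in remediation_commands(found):
        print(f"suggested: {command}")
    sys.exit(1 if found else 0)
```

Registering a provider changes the subscription, so the script only prints the commands and leaves running them to an administrator with the subscription privileges described above.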

Reasons to choose Nerdio

It’s also important to know that there is far more to Nerdio than just simplifying virtual desktop use or increasing cost efficiency. In this section, we’ll be going over why your organization needs to consider Nerdio as a potentially essential tool for your business operations. According to information provided by Nerdio, there is far more on offer than just cost-savings, and this includes:

AUTOMATION AND REPEATABILITY

Most businesses can appreciate how automation can significantly improve efficiency and minimize human error. This means that certain, often mundane, tasks can be carried out with a greater degree of consistency as well as accuracy.

By providing automation, Nerdio can help you optimize workflows and reduce time wastage. And because almost everything you can do within Nerdio can be automated, this places the service at least a notch above similar products.

It’s not rare to find management tasks within Windows 365 that some may find too complex or time-consuming. This is precisely why Nerdio would be the ideal solution for handling such issues. The ability to automate some of these repetitive tasks will not only save time but also contribute to cost efficiency.

Furthermore, IT teams will be glad for the help that Nerdio offers them as it reduces their burden by automating routine processes such as on-demand desktop provisioning, desktop (image) management, and software deployment.

DISASTER MANAGEMENT

One of the unfortunate things that businesses need to prepare for is system outages. Whether it be due to software/hardware faults or some cyber security event, every organization needs to have a plan in place to handle disruptions. Without the capabilities to swiftly identify and rectify the problem, productivity will grind to a halt, and businesses can suffer massive financial losses.

Ideally, you would want to minimize downtime as much as possible to prevent prolonged customer dissatisfaction. Here is where Nerdio can come through for organizations with excellent tools:

Proactive measures and the service each provides:

  • Automated regular critical data and system backups: Most people will appreciate the need for having secure data backups in case the unexpected ever happens. So, in the event of a cyber attack, hardware failure, etc., you can quickly have your system restored. With Nerdio automating this process, you can expect swift, consistent backups with the risk of suffering data loss reduced to a minimum.
  • Disaster recovery as a service (DRaaS): This unique solution gives organizations a reliable backup in the event of a systems failure. Having your data and systems replicated to an alternative region safeguards against prolonged downtime in case of disaster. In some cases, your system may be back up in under 30 minutes.
  • Specified alternative VM sizes and types: Sometimes, organizations may encounter resource shortages in Azure regions. When facing such situations, Nerdio has the capabilities to help you resolve Azure compute capacity limits by providing fallback VM sizes. Therefore, even if your preferred VM size in the region is unavailable, you can still continue with operations such as host creation, auto-scale, auto-grow, and auto-heal.

MANAGEMENT MADE SIMPLER

Nerdio offers clients a great solution to simplify management that comes in the form of three-click management. This service provides your Help Desk with a powerful and user-friendly portal that enables you to manage all aspects of Windows 365.

By using this feature, your organization can easily manage multiple features from one place, including RBAC with an end-user portal, performance and utilization monitoring, alerts and notifications, and MSIX AppAttach, among many others.

DYNAMIC SCALING

Most people can probably agree that manually handling the scaling up and down of resources during traffic spikes can be a burdensome task. This is why organizations with regularly fluctuating workloads can leverage dynamic scaling to minimize time wastage while optimizing resource usage. Nerdio monitors various aspects, such as CPU and RAM, that provide essential data that can be used to determine the actions that need to be implemented.

Additionally, to ensure an even better experience, this service extends to storage as well, and this includes attached disks, Azure files, and more. Ultimately, this service ensures that your business runs as efficiently as possible by helping to allocate resources accordingly. Whenever traffic spikes occur, those who require greater access to resources will get what they need when they need it.

UPDATES AND PATCHING

Keeping up with routine updates can be a hassle for a lot of people. Whether it’s for personal or corporate devices, sometimes people won’t implement the necessary actions to ensure that their devices maintain high levels of security and performance. Most of the time, the reason for this is simple – performing these processes manually can be labor-intensive and thus time-consuming.

Also, recognize the errors that one could easily make. With a lot of IT teams already burdened with a never-ending list of tasks, many virtual machines under their control may end up not getting necessary updates and patches, leaving them vulnerable.

Fortunately, Nerdio has a solution for this by offering automation for the update and patching process, thus lightening the load on IT departments. One of the ways you can take advantage of this is by setting up recurring schedules within Nerdio that will automatically install updates a pre-determined number of days after Patch Tuesday. Once this is set up, Nerdio will update your chosen image with the latest patches and run the Sysprep process, all while removing the complexities that the administrator may otherwise have to deal with.

After the update process is complete, you can choose a host pool to test the updates. By doing so, you can verify that all apps are working as they should and that you don’t have any driver or performance issues. Another thing that Nerdio will handle is backing up critical components and integrating them with the Azure Compute Gallery.

With a safety net in place, you can easily go back to your previous versions if the situation ever calls for it. This means that you get to roll out the updated image to your production host pools using the same automated mechanisms only after you’ve satisfactorily tested that everything works as you want it to.

PROOF OF BUSINESS VALUE

The process of establishing an entire AVD environment can potentially be such a massive task that few would envy taking on. Nerdio can help you make this task a lot more manageable by enabling you to provision multiple host pools and machines that can be availed to users within a couple of hours.

Similarly, when a client wants to start a Proof of Value, Nerdio uses this same mechanism. Leveraging the same mechanism helps to maximize efficiency for your organization. Moreover, this can also be combined with scaling profiles.

Nerdio enhances the Windows 365 experience

Nerdio already has a great setup with AVD, so it should come as no surprise that it can also offer services to improve the Windows 365 experience. Moreover, Nerdio Manager starts by providing additional management capabilities for users in addition to what they already get with the native Windows 365 service. Those familiar with the excellent image management options that Nerdio provides for AVD will be glad to know that this will be extended to Windows 365 as well. Not only that, but you’ll be getting it in a single management interface, side-by-side.

With everything being automated and scheduled according to your convenience, image-based software deployments, as well as updating and patching MEM-managed Windows 365 machines, should become much easier.

Those who may find themselves in need of a File Server or an Azure Files file share will benefit immensely from the auto-scaling, auto-provisioning, and fine-tuning that Nerdio Manager can deliver. However, this only applies to Enterprise Windows 365 because it has the same network flexibility as AVD. Some of the options you can look forward to are listed below:

  • Readying your environment with the necessary prerequisites for Windows 365.
  • Creation and management of on-prem network connections and provisioning policies.
  • Creation and management of desktop images, including backups and versioning.
  • Management of Active Directory profiles.
  • Assignment of licenses, groups, and users.
  • Cloud PC provisioning as well as re-provisioning.
  • Cloud PC machine restarting.
  • Leveraging a single interface to manage multiple environments.
  • Management of Cloud PC user settings.
  • Providing a comprehensive overview of all provisioned Cloud PCs and their status.
  • There is an audit of everything, and this can be viewed in detail.

But, before you can enable Windows 365, you need to know a few things. If you are going to successfully complete the process, the individual who wants to enable Windows 365 must be a global administrator. You also need to verify that an Intune license is available in the Entra ID tenant where Nerdio Manager is installed.

Furthermore, you should ensure that the Entra ID has the requisite approval on an application permission request consent page. If you are presented with an option to “grant consent on behalf of my organization”, you must approve.

Wrap up

Cloud computing has evolved to a point where it can offer businesses exceptional computing abilities that are difficult to ignore. By working with services such as Windows 365, organizations can take advantage of very powerful virtual workstations regardless of their choice of physical devices.

Users will have excellent accessibility with great security measures in place to ensure business networks are well protected. And if you want to enhance the experience even more, then partnering up with Nerdio can help you do just that. It provides you with tools that will make setting up and managing your virtual desktops a far simpler task. By doing so, you can lighten the burden for admins and potentially improve overall productivity.

Exciting New Features Coming To Windows 365 and Microsoft Intune

When it comes to which tech products and services to use, businesses certainly have plenty of choices. There are so many players in the tech landscape that winning over new clients is often a huge challenge. With this in mind, tech companies need to go above and beyond to retain the customers they already have. For Microsoft, this means ensuring its Windows 365 and Intune offerings continuously update and offer new features.

Doing this helps these services continue to deliver the exceptional quality that customers expect. But more importantly, these services want to enhance the experience even more so that they remain the best in class. With that said, what can we expect from these products in the near future?

What’s coming to Microsoft Intune?

Intune is one of the leading endpoint management platforms available. It is constantly pushing the boundaries of what it can offer to customers, especially now, with the growing interest in hybrid and remote workforces.

Microsoft Intune is helping companies better manage access to organizational resources. It’s also simplifying app and device management across various devices. With this in mind, new features are consistently in development to improve management. And some of those upcoming features to be excited about include:

Microsoft Intune: On-Demand remediations – single device

We should expect the rollout for this one to begin in December 2024. Remediations are excellent tools that help you address problems a lot faster. These script packages will detect and resolve common support issues on a user’s device, and they’ll do so before users even realize there’s a problem. By running remediations on-demand on a single device, you can immediately start resolving issues without waiting for the predetermined remediation schedule.

Microsoft Intune: Enrollment time grouping for iOS/iPadOS automated device enrollment

Enrollment time grouping (ETG) for iOS/iPadOS automated device enrollment (ADE) is another feature. It will support targeted apps and policies in reaching devices faster. This helps minimize delays, common with device setup.

However, it’s only going to be part of the new iOS/iPadOS enrollment policies. For devices to be part of that group upon enrollment, admins need to add a static Entra ID group into the enrollment policy. This will also reduce the latency of targeted apps and policies. The rollout is on the schedule for October 2024.

Microsoft Intune: Scoped and targeted device clean-up rule

The preview will be available in November 2024, with the rollout starting the following month. With this rollout, admins will be able to clean up inactive devices from their tenant by providing capabilities of running these rules at a platform level. I’m sure we can all attest to the need for a clean environment.

Microsoft Intune: Security Baselines for HoloLens 2

To get the best level of security for your organizational resources, it is advisable to use the security baselines that Microsoft considers the best practice guidelines. This should enhance your security and improve the experience in deploying and supporting HoloLens 2 devices to customers in various industries. The rollout will be coming in October 2024.

Microsoft Intune: SCEP certificate delivery

With the rollout scheduled to begin in October 2024, Microsoft Intune is offering this solution to its customers as well as other external partners. This feature is designed to deliver SCEP certificates with all the necessary security requirements to devices to mitigate the KDC issue.

Microsoft Intune: Enhanced device inventory for Windows devices

Few things increase work efficiency like having easy access to all the information you need when you need it. This is what businesses will get when this service rolls out in October 2024. It will enable them to obtain more inventory information about their Windows devices. You get to specify which device properties you need to collect as well as from which devices. With this done, you can view that information for your devices.

Microsoft Intune: Simplified App Control policy creation experience (curated workflow)

In keeping in line with the need to increase efficiency, this solution’s upcoming October 2024 update rollout will do a lot to make life easier for IT admins. This capability will help you configure App Control policies with built-in toggles in the console that expose all App Control for Business capabilities.

Microsoft Intune: Work-hour access controls for Front-Line Workers

This solution can contribute significantly to simplifying workforce management as well as enhancing your overall security posture. Coming in October 2024, this feature will help IT admins with work-hour access controls for front-line workers. Once workers have clocked out, admins can swiftly put in place measures to prevent Teams access or notifications.

Microsoft Intune: Endpoint Privilege Management on single session Azure Virtual Desktop

Anything that can simplify user management will be a welcome addition to the tools that IT admins already have. With this in mind, admins will be happy, as it enables them to use Privilege Management elevation rules and policies to simplify how they manage standard users on Azure Virtual Desktop. The rollout for this one is on the schedule for September 2024.

Microsoft Intune: Endpoint Privilege Management rules support specifying allowable command arguments

Similar to the previous solution, this one is also coming to market in September 2024. This will give admins Endpoint Privilege Management rules support that can specify a list of allowable command parameters. Consequently, this will restrict elevation to only the allowed or mandatory arguments.

Microsoft Intune: New design for Windows Company Portal app

This new and updated design should give users a platform that is easier to use and streamline workflow. You should expect to see changes in the Home, Devices, and Downloads & updates pages. These intend to enhance the overall user experience. Additionally, this updated design will be very simple to understand and thus use. It will clearly highlight any areas that require action from the user.

Windows 365 features in development

For Windows 365, Microsoft has provided us with information about the exciting new features that are currently in development but not yet released. These should help improve the security posture of organizations and enhance the end-user experience. We haven’t found any release dates as of yet. It would be useful for planning purposes to look at what we could soon see coming to our Cloud PCs.

DEVICE MANAGEMENT

Features and what to expect:

  • Support for symmetric NAT with RDP Shortpath: The goal is to develop RDP Shortpath in Windows 365 such that it can support setting up an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. Most are probably aware that TURN is a widely accepted standard for device-to-device networking for low latency, high-throughput data transmission.
  • Chroma subsampling default change to 4:2:0: Both Intune and Windows 365 want to help enterprises operate more efficiently. And in this case, that can be achieved by reducing monitor support issues. The Windows 365 service will be able to do so by defaulting the chroma subsampling at 4:2:0 (instead of the previous 4:4:4).
  • Cloud PC gallery images update to Microsoft Teams 2.1: Another feature that we should expect to see in the future is Windows 365 Cloud PC gallery images with Microsoft 365 applications being updated to use Microsoft Teams 2.1. These images will include: Windows 11 Enterprise + Microsoft 365 Apps 21H2; Windows 10 Enterprise + Microsoft 365 Apps 22H2; Windows 10 Enterprise + Microsoft 365 Apps 21H2.
  • Windows 365 support for HEVC video coding: Windows 365 is also working on providing support for Hardware High Efficiency Video Coding (HEVC) H.265 4:2:0 on compatible GPU-enabled Cloud PCs.
  • Azure network connections inactive state: In the future, some Azure network connections will start getting marked as inactive under some conditions. These conditions are as follows: ANCs not associated with provisioning policies for more than four weeks, and ANCs with provisioning policies that have no Cloud PCs associated with them for more than four weeks. IT administrators need to be aware that inactive ANCs will be skipped during health checks and cannot be assigned to provisioning policies. However, if need be, you can reactivate these ANCs.

DEVICE SECURITY

Features and what to expect:

  • Cloud PC support for FIDO devices and passkeys on macOS and iOS: Many consider Fast Identity Online (FIDO) to be the future of authentication measures. These protocols allow you to swiftly and securely authenticate to various services without the need for a password. Because of the ease of deployment, convenience, and extremely high security, it’s no surprise that FIDO is now widely supported and used. Therefore, macOS and iOS users will be glad to know that Windows 365 is working on enabling Cloud PCs to support FIDO devices and passkeys for Microsoft Entra ID sign-in on their devices.

MONITOR AND TROUBLESHOOT

Features and what to expect:

  • End user manual connectivity check: I’m sure we’ve all experienced the frustrations that always come with faulty connections. All one wants in that instance is to quickly figure out what’s wrong and resolve it. Currently, connectivity health checks are run on individual Cloud PCs, but in the future, end-users will have the tools to manually run connectivity checks on their Cloud PCs from windows365.microsoft.com.
  • Update to Cloud PC action status report: The Cloud PC action status report officially allows you to view the actions that admins have taken as well as on which Cloud PCs these actions have been taken. In addition, you get to see the status of these actions. To access this report, you need to sign in to the Microsoft Intune admin center. Once there, select Devices > Monitor > Cloud PC actions (preview). With the update that is soon to come to the Cloud PC action status report, you will be able to view batches of devices in which actions have been activated. Furthermore, customers will be able to see the current progress of each batch.

PROVISIONING

Features and what to expect:

  • New health check: UDP TURN (preview): The Azure network connection (ANC) health checks are one of the more unique features that Windows 365 provides. These health checks, which are run regularly, help to ensure that the provisioning of Cloud PCs is successful in addition to verifying that end-users are getting the best possible Cloud PC experience. The update that Windows 365 has mentioned will see a new UDP TURN check being added to the Azure network connection health checks.

SECURITY

Features and what to expect:

  • New settings for Windows 365 security baselines: In the near future, customers should expect to receive new configuration settings for the Windows 365 security baseline. These Windows 365 security baselines provide customers with a set of policy templates that are founded on security best practices and experience from real-life situations. By using these baselines, customers can obtain security recommendations that will improve their cyber security and reduce the risks facing their networks. With these security baselines, security configurations for Windows 11, Windows 10, Microsoft Edge, and Microsoft Defender for Endpoint will be enabled. Before fully implementing any configuration changes, however, it’s always safer to first test the security baseline on a pilot group of Cloud PCs.

Wrap up

Getting updates and new features is always an important part of keeping our apps and devices performing at optimum levels. Technology is constantly evolving. And without regular updates, the user experience can suffer negative impacts within a short space of time. Devices can slow down, apps can develop issues that hinder productivity, and security can become compromised.

This is why Microsoft works hard to stay ahead of the issues with a stream of new features and services frequently released to Microsoft Intune and Windows 365. These upgrades guarantee end-users that they will continue to receive industry-leading quality of service, enabling their user experience to improve even further.

Microsoft Ignite 2024: An Event Not To Miss

The impact that AI is having on businesses has been growing steadily for several years now. With its integration into key software and applications that many companies use, AI can offer many advantages. These include automation of certain processes, minimizing human error, greater operational efficiency, and more.

Hence, it’s not a surprise that this year’s Microsoft Ignite will be placing its focus on the power of AI. There will be much for attendees to learn that will enable them to modernize their businesses and optimize productivity. For those still considering attending, there are plenty of reasons to convince you to make the trip.

What is Microsoft Ignite?

Before we get into what you can look forward to at Microsoft Ignite 2024, let’s go over what exactly Microsoft Ignite is. Simply put, it is an annual conference hosted by Microsoft that targets developers, IT professionals, and partners. Attendees of these annual events will learn plenty about the latest Microsoft innovations. There are countless exciting sessions as well as hands-on events.

However, the conference is not just about Microsoft’s latest technologies. Attendees also get the opportunity to network and collaborate with other professionals.

This means that in addition to picking up new skills and techniques, you get to expand both your professional and social networks. And those planning on attending this year will be heading to the McCormick Place Convention Center in Chicago, Illinois. The event is scheduled to run from November 18 – 22, 2024.

Microsoft Ignite 2024

This year’s event certainly appears to be one that will be well worth attending. With a key focus on taking full advantage of the power of AI and the Microsoft Cloud, there should be plenty to learn that will benefit businesses.

Unlike before, the technology that we now have available can provide people in just about any industry with the expertise they need whenever they need it. Microsoft wants to enable clients to fully appreciate what they have available to them. The Microsoft team also wants to make sure everyone gets the best out of it.

At the Microsoft Ignite 2024 conference, you can expect to learn about solutions that can modernize your organization and manage your own apps.

In addition, these solutions will improve business and data security, optimize productivity, and help expand key networks that your organization depends on to thrive. Going through this learning experience can massively impact how businesses enhance their work operations.

Trying to keep up with all the technological innovation can be a massive task when you consider everything else you need to get done.

So, taking a few days to attend a conference will help. It’s where you can tailor your experience to learn what’s most important to you and can be a great way to sift through the huge amounts of information we constantly deal with.

Things To Look Forward To

Kicking off the conference, attendees can expect inspiring and informative keynote sessions. These are delivered by Microsoft executives as well as other special guests. These sessions are eye-opening in covering all that’s going on in the tech space and all the innovations that people can look forward to. In addition to keeping up with what’s going on through various tech platforms, the keynote sessions can help to provide an even more comprehensive overview of benefits.

As expected, Microsoft CEO Satya Nadella will take the lead. On opening the event, he will be sharing what we should expect from Microsoft both in the short and long term. Expect to hear about groundbreaking work that is taking place to optimize the use of AI. There will be insights into all the brilliant technologies that are on the horizon, set to bring about great change in business as well as personal lives.

TECH-RICH CONTENT

Anyone who previously attended Ignite will confirm that there is so much to learn from the sessions that Microsoft has planned for the conference. All the developers and IT professionals can find something that draws their interest and that they will enjoy partaking in.

To further enrich the experience, attendees will get more than just experts in certain areas appearing on a podium to give a presentation. You get to participate in hands-on sessions as well as immersive workshops that offer an in-depth look at technological development across various areas of interest.

ADVANCED AI AND MACHINE LEARNING

Advanced AI and machine learning have the potential to bring about huge positive changes for enterprises. By leveraging the emerging power of AI, organizations can benefit from the automation of cumbersome manual processes dealing with data and decision-making processes.

Integrating AI and machine learning into an organization’s processes can create a far more efficient system that utilizes data-driven insights. As most will be aware, this is the era of big data. And we need technologies that help to analyze that data, allowing us to take swift action when required.

Part of the key focus of Microsoft Ignite 2024 will be to thoroughly examine cutting-edge techniques. Moreover, there will be a focus on the potential for positive transformation in various areas of industry. Because of the learning capabilities of machine learning models, predictions and decision-making processes are always improving.

By extension, this means that we should also expect business environments to change in a way that can improve operational efficiency. One of the main areas of interest is the raft of machine learning services that Azure is bringing to the table. The applications of these services can enable better data analysis, improved decision-making, and increased productivity.

THE LATEST AZURE INNOVATIONS

Microsoft Azure is one of those platforms where so much innovation is happening that it would not be difficult to miss some things. So, when you look at it from that perspective, you can appreciate the value of attending the conference.

There will be much to learn regarding areas such as making the most of on-premises, multi-cloud, and edge environments to give your organization countless advantages. The additional skills you can pick up can enable you to simplify business operations and implement measures that can increase productivity.

FORTIFYING BUSINESS NETWORKS

All of us are aware of the security risks that all businesses have to deal with as the sophistication of cyberattacks continues to grow. No organization can afford to be relaxed when it comes to security protocols. Without adequate security measures in place, you simplify the task of nefarious actors out there who are looking to compromise your networks. And if they manage to achieve that, the cost to your organization may potentially leave your business crippled.

At Ignite 2024, attendees will get the opportunity to learn about the best available cybersecurity measures. Enterprises need to start using enhanced defense mechanisms and zero-trust principles to strengthen their data security. Putting in place such measures while also leaning on the invaluable insights you constantly receive will enable you to not just defend yourself but be proactive in how you go about it. Microsoft can provide you with just the right tools to ensure that your IT professionals have all they need to safeguard their networks.

EXPANDING YOUR NETWORKS

Regardless of which industry you work in, networking can be a key part of implementing successful strategies. Meeting the right people can enable you to develop mutually beneficial relationships that could ultimately take your business to entirely new levels. For IT professionals, developers, and even IT enthusiasts, events such as Ignite 2024 can put you in contact with countless like-minded individuals whose expertise you can tap into. You will meet people from not only the U.S. but other countries as well.

The great thing about networking is that it’s far more than just taking from others. Your skills and expertise may also be of great value to other professionals. You never know how raising your profile in this manner may help you in the future. Such a network may give you access to unparalleled expertise that could bode well for some of your current and future projects.

Not to mention the opportunities that may be available to you simply because someone put your name forward in a meeting. And if nothing else, meeting new people may enrich your social life and allow you to enjoy the conference beyond the learning sessions.

Attending workshops and hands-on sessions is one thing, but another thing that attendees will appreciate is the opportunity to meet some of the experts. This can be hugely beneficial in helping you get a more comprehensive understanding of the material that may have been discussed in a workshop. I’m sure we’ve all probably been in a situation where we still had a ton of questions after a workshop, but there just wasn’t enough time to address them all.

Fortunately, at the conference, Microsoft addresses that with an “Ask the Experts” zone. This will give attendees the chance to further interact with Microsoft engineers as well as other experts. Such an opportunity gives attendees any further information they need, and may potentially help them add a few more valuable IT professionals to their networks.

Online attendance

Now, at this point, you may be thinking to yourself that if you can’t make it to Chicago, then the Ignite conference is not for you. However, you would be wrong. Microsoft appreciates that there are plenty of folks in the U.S. and across the globe who would love to attend the event but can’t make it for one reason or another. To ensure that all guests and anyone who wants to participate in Ignite 2024 can do so, Microsoft is offering interested parties the option to attend the conference online.

Undoubtedly, this is wonderful news for anyone who cannot physically travel to Chicago. You can attend the conference comfortably from wherever you may be. The best part of this is that you can get involved at no cost. So, prepare yourself to learn plenty from keynotes and breakout sessions and even participate in live discussions. All those connecting online can join in:

  • Live-stream keynotes
  • Live-stream breakout sessions
  • Live hybrid discussion sessions
  • Digital swag
  • Microsoft Cloud Skills Challenge

In addition to what you get with the online experience, you can access features such as an attendee and featured partner directory, attendee networking, a session scheduler, and on-demand access to keynotes, breakouts, and discussion sessions.

Enjoy the city

Apart from attending the conference, you can also take advantage of this opportunity to enjoy the city. Chicago, being a place that is rich in culture and has countless activities that you can partake in, can be a great place to relax and refresh while away from the office. You can take the popular Chicago Architecture River Cruise as a great way to explore the incredible architecture of this city.

And once you are done marveling at the city’s architecture, you can move on to a walking and food tour that will take you to must-see landmarks while also enjoying the culinary skills at various eateries. Once your day’s activities are done, you can continue your good time by checking out the vibrant after-hours scene. Whether you are looking for live music, shows to attend, or just a nice restaurant, there’s bound to be something for you.

Wrap up

Development in the AI and machine learning space is coming on in leaps and bounds. There is plenty of innovation going on all around us, and Microsoft is right in the middle of it. We are seeing better solutions for the analysis of big data, improvement of decision-making, and productivity tools.

At the Ignite 2024 conference, there will be sessions on all this from Microsoft personnel and other experts. Regardless of which industry you work in, this event will have plenty on the schedule that can impact you. So, whether you are traveling to Chicago or attending online, this event is one that you should not miss.

Microsoft Intune: The Key to Enhancing Endpoint Management

As technology continues to evolve, businesses like yours are constantly looking for solutions that can give them that little bit extra. What may appear to be small innovations will eventually add up to give you significant advantages over other organizations.

One area where businesses stand to gain massively concerns cloud-based management solutions. The potential benefits of using solutions like Microsoft Intune include getting access to excellent features, enhanced security, and improved endpoint management among others.

IT admins will get to work better because they have the flexibility to oversee users and their various devices, even if they are personally owned. Considering all there is to gain, we need to take a look at why and how your organization should be migrating to the cloud.

Why Microsoft Intune?

If your organization has a well-run IT infrastructure, why should you even consider Microsoft Intune? What do you stand to gain? The most obvious answer would be that if your organization wants the best in endpoint management, then you would be hard-pressed to find a better solution than Intune.

Over time, Intune has firmly established itself as a leading device management solution that will offer you seamless application integration for all your various devices. It gives your IT admins the capability to ensure that all the devices and apps that employees are using are fully compliant with your organization’s security requirements.

Mobile devices have evolved to the point where they are now very much capable of performing most and in some cases all of the functions needed to do our jobs. This has inevitably created the need for the mobile device management features that Intune can offer. IT admins can monitor these devices and thus enforce organizational security policies.

This gives businesses the flexibility to empower their employees to use their respective mobile devices for work-related purposes without compromising the security of their networks. Such policies can potentially increase productivity by enabling employees to use the devices of their choice as well as work remotely.

It would be hard to advocate for Microsoft Intune without mentioning the issue of cost-effectiveness. We can go on and on about all the benefits that Intune can offer, but cost can ultimately decide for you.

Fortunately, choosing Intune is a decision that could help you reduce IT costs. Switching to a cloud-native management system will mean your business spends less on physical hardware as well as on-premises IT management systems.

This reduction in physical infrastructure will allow your organization to reallocate resources elsewhere and therefore operate with even greater efficiency.

Preparing for the future

Considering the changes we have witnessed in the tech landscape in just the last fifteen years alone, we should always be looking to future innovations. Organizations need to be in a position to take full advantage as each next big innovation rolls out.

To do that, going cloud-native would offer you the best approach. By fully transitioning to the cloud, you can put your organization in a position to fully benefit from better insights, AI analytics, as well as the multitude of other capabilities that AI can deliver.

Furthermore, using a cloud-native approach can help you centralize data which in turn will make it easier for AI to manage this data and produce actionable insights. This may help organizations enhance their security by getting a better grasp of potential future threats.

Considering new possibilities

Getting someone to change the way they do things can often be an incredibly difficult challenge. And this applies to both personal and professional life. Regardless of the benefits to gain from migrating to the cloud, it may be difficult to inspire change. If an IT team has put in the effort to create a well-designed and efficient IT infrastructure, it’s going to be hard to convince them to consider alternative solutions.

At this point, businesses will need evangelist users who can truly highlight the beauty of the changing tech landscape and encourage their IT teams to expand their visions.

It’s going to take more than a simple presentation to convince people that they are potentially missing out on some significant innovations. Rather than simply forcing change on people, proving to them how they stand to benefit from the changes a solution like Microsoft Intune can bring may work a lot better.

As individuals grow more familiar with the amazing endpoint management capabilities that Intune can offer, you may start to see a greater willingness to change their mindset.

Of great importance, however, is to exercise patience and not expect to see an immediate change in how people approach things. Let them experience for themselves the value that going cloud-native will give them.

Implementing changes

Once you get the ball rolling concerning changing the mindset, it’s important to start looking at how exactly you can start making the necessary changes. Even as more and more recognize the benefits of making the transition, the pathway to achieving that may still cause some trepidation.

Fortunately, the feedback that Intune receives from its clients will go a long way in helping others move forward. IT professionals need to realize that the dependable key information flow processes they use will remain intact.

According to those who have successfully migrated, one of the best ways to smoothen the transition is by establishing small pilot programs and then rolling out changes incrementally. With that done, you can place at the forefront of the project individuals who have fully bought in and are willing to help bring others to a similar vision.

Doing it this way enables you to minimize any negative outcomes while simultaneously maximizing the effect that the small wins give your organization. As long as your advocates continue to communicate clearly every step of the way, you should have a much easier time implementing changes.

Working together

An important reason why Microsoft Intune has taken its capabilities to another level over the last decade can probably be tied to the constant back and forth with clients. The team at Intune embarked on a process of trying to simplify things for users. They did so after discovering the challenges presented by the power and flexibility of Intune.

The various options and configurations available may be difficult for clients to master and what they often want are simple instructions telling them exactly what they need to do.

To address the concerns that clients have raised, the support team has offered what they are calling a one-size-fits-most guidance. This system provides organizations with the necessary tools to configure the basic settings required to make endpoints more secure and productive with Intune.

Clients will also be happy to discover that the Microsoft Intune documentation hub has been streamlined. There is a focus on highlighting the guidance system thereby further simplifying the implementation process.

Additionally, even more support is available from the Intune Tech Community. This team consists of fellow IT admins and support professionals.

Integration with other services

Microsoft offers its clients a wide array of products and services that enable organizations to provide their employees with the best possible tools. Having such an ecosystem means that end-users can produce to the best of their abilities with everything they need made available to them. Microsoft Intune plays a key role in this through its integration with other products and services that aim to help in endpoint management, such as:

Configuration Manager

This platform is ideal for on-premises end-point management and Windows Server. It’s a service that will help you increase the productivity and efficiency of your IT teams, maximize both software and hardware investments, and empower your end-users by ensuring they get what they need when they need it.

Configuration Manager offers you a powerful management application that will help you better manage every device in your organization. Using both Intune and Configuration Manager together can be a great way for those who are still hesitant about going fully cloud-native to gradually make the transition at their own pace.

Windows Autopilot

Windows Autopilot gives you a service developed to eliminate the provisioning challenges that have plagued organizations in the past. With Autopilot, you can provision new devices and send them directly to users from an OEM or device provider.

Thus, what you will get is a greatly simplified deployment and provisioning process that can deliver a custom out-of-the-box experience with an easy self-service configuration process. Not to mention how features like zero-touch, self-service deployments can make life easier for IT admins.

Endpoint Analytics

Endpoint Analytics delivers valuable insights that enable your business to assess how it is operating as well as evaluate the quality of the experience that users are getting. By going over this data, your organization can quickly identify policies or hardware issues that are negatively impacting end-users. Doing this allows you to be proactive in dealing with problem areas and thus maintain consistent productivity levels.

Additionally, this service will give your organization better visibility concerning frequently encountered problems such as long boot times. Often, these issues tend to persist unnecessarily simply because IT doesn’t have the necessary insights.

Microsoft 365

Microsoft 365 is undoubtedly one of the best cloud-powered productivity platforms that you can get. Signing up for this service will give you excellent end-user productivity Office apps such as Outlook, Teams, SharePoint, OneDrive, and more. And one of its most attractive features is that you can use it anywhere.

You can easily install it on PCs, Macs, tablets, and phones. You can easily use Microsoft Intune to deploy Microsoft 365 apps to the users and devices in your organization. Furthermore, the continuous support that you get means that you will always have the most up-to-date modern productivity tools that Microsoft offers.

Microsoft Defender for Endpoint

All of the services we have gone over in this section will require excellent security features and that is what Defender for Endpoint offers. It gives your organization the capabilities to prevent, detect, investigate, and respond to threats. By going through Intune, you get the option of creating a service-to-service connection between Intune and Defender for Endpoint. Each organization can customize the compliance policies it uses to ensure that it establishes what it considers to be an appropriate level of risk. And when you combine this with Conditional Access features, you can prevent access to organizational resources by any devices that fall short of your compliance regulations.
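
The combination described above, device compliance feeding Conditional Access, can be expressed as a single policy. The following is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK, the two object IDs are placeholders, and the policy is created in report-only mode against a pilot group so its effect can be reviewed before enforcement.

```powershell
# Added example, not from the original article.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).

# Placeholders: replace with object IDs from your own tenant.
$PilotGroupId     = '00000000-0000-0000-0000-000000000001'  # pilot security group
$BreakGlassUserId = '00000000-0000-0000-0000-000000000002'  # emergency-access account

# Refuse to run while the placeholder IDs are still in place.
if ($PilotGroupId -like '00000000-*' -or $BreakGlassUserId -like '00000000-*') {
    throw 'Replace the placeholder object IDs before creating the policy.'
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'Application.Read.All'

$policy = @{
    displayName = 'PILOT - Require compliant device (report-only)'

    # Report-only: sign-ins are evaluated and logged, but nothing is blocked yet.
    state = 'enabledForReportingButNotEnforced'

    conditions = @{
        users = @{
            includeGroups = @($PilotGroupId)      # scope to the pilot group only
            excludeUsers  = @($BreakGlassUserId)  # keep a way in if the policy misfires
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }

    # Grant access only when Intune reports the device as compliant.
    # The compliance policy itself (including any Defender for Endpoint
    # risk-level setting) is configured separately in Intune.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm what was stored, including its state.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State, Id
```

After reviewing the report-only results in the sign-in logs, the same policy can be switched to `enabled` and its scope widened beyond the pilot group.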

Expanding the vision

As we’ve already discussed, there are plenty of benefits that you can gain from using Microsoft Intune. But, what’s even better is that within the Microsoft ecosystem, there is so much that your organization can take advantage of. And one of the solutions that has been growing in popularity over the last few years is the Windows 365 Cloud PC.

Clients will be able to leverage the Microsoft Intune admin center to use their Cloud PCs. The latter provides the opportunity to stream Windows 10 or Windows 11 onto almost any device, thereby offering users the ability to take their desktops anywhere.

In a world where the attraction of remote work is constantly growing, having the option of the Windows 365 Cloud PC can be key to bringing in top talent to your organization. Following the pandemic a few years ago, once business operations started to normalize, there were plenty of people who realized that they would actually prefer having the option to work part-time or even full-time from home.

For organizations that have decided that this is something they can do, leveraging Microsoft Intune to go cloud-native would offer arguably the best way to do it. From there, you can tap into the Cloud PC environment and offer your employees powerful, secure desktops they can use from anywhere.

What does the Cloud PC do for your organization?

We’ve talked a bit about Intune and why your organization should consider going for a cloud-native approach. But, what about the Windows 365 Cloud PC? In addition to what you get with Intune, the Cloud PC offers plenty of benefits that will enhance work solutions in the cloud.

One that most businesses will appreciate is the flexibility that is provided allowing organizations to select a plan that is most ideal for them. Not only that, but you are not permanently stuck with the option that you pick. Depending on the needs of end-users, you’ll be able to scale your operations up or down as you see fit.

ENHANCED SECURITY

Whenever the issue of remote work comes up, security is going to be a massive concern for businesses. This is why the Windows 365 team has gone to great lengths to ensure maximum data protection for end-users and their organizations.

The Cloud PC takes full advantage of Zero Trust principles to assure clients that their data will have very high-level security. To further strengthen the security of the platform, clients are advised to use Conditional Access as well as Azure AD Multi-Factor Authentication.

FEW TO NO COMPATIBILITY ISSUES

Another concern that clients would understandably have has to do with integrating specific applications with the Cloud PC. For IT admins in particular, losing control over how they manage devices is a real concern. Fortunately, when it comes to Windows 365, compatibility with your existing applications should not be a problem.

This is because the Cloud PC is designed so that any apps you may have been using on Windows 7, Windows 8.1, and Windows 10 should work on Windows 365 as well. And in case you encounter any challenges, you will be able to get assistance via the Fast Track App Assure program.

EASE-OF-USE

If you’re trying to convince people about a new service, your job will be significantly harder if the platform is complex and therefore difficult to navigate. With the Windows 365 Cloud PC, however, the platform aims to ensure simplicity. Even from the initial setting up, organizations won’t need to bring in specialist IT personnel to configure their Cloud PCs.

And once that’s done, IT admins can continue to manage and deploy endpoints similarly to how they’ve been doing all along. End-users as well won’t face any huge challenges because they will continue using the same applications.

Enrolling devices in Microsoft Intune

Having looked at what Intune can offer your organization, the next step is to go over what you need to know about enrolling devices. Together with Microsoft Entra ID, Intune will facilitate a secure, streamlined process for the registration and enrolment of all devices that require access to your organization’s resources. You can start using Intune for endpoint management once users and devices have been registered within your Microsoft Entra ID (tenant).

During the enrolment process, Intune will install a Mobile Device Management (MDM) certificate on the enrolling device. It’s this certificate that will handle communication with the Intune service and thus enable Intune to begin enforcing organizational policies such as:

  • Compliance policies designed to help users and devices meet the organization’s rules.
  • Enrollment policies that determine the number or types of devices someone can enroll.
  • Configuration profiles that configure work-appropriate features and settings on the devices.

Policy details

Generally, you should expect policies to deploy during the enrolment process. However, certain groups that may have more sensitive roles within the organization will often require stricter policies.

So, what a lot of organizations will first do is create a baseline of required policies for users and devices. Once you’ve established this baseline, you can start building on it depending on the use cases as well as the needs of various groups.

Devices running Android, iOS/iPadOS, Linux, macOS, and Windows will all be eligible for enrolment in Intune as long as they are running a supported version of the OS. By default, you’ll find that enrolment is enabled for all platforms.

But, if the need arises, you can use an Intune enrolment restriction policy to restrict certain platforms. Microsoft Intune enables mobile device management for both personal devices and corporate-owned devices.

Personal devices

In this category, the devices being referred to are personally owned PCs, tablets, and mobile phones. In bring-your-own-device (BYOD) scenarios, these personal devices can be MDM enrolled in Intune. Because of the supported enrollment methods, employees or students can use personal devices for work or school tasks.

IT admins will need to add device users in the Microsoft Intune admin center, configure their enrollment experience, and then set up Intune policies. Once that’s done, the device user needs to navigate to the Intune Company Portal app to start and complete the enrolment.

Corporate-owned devices

This category includes the same types of devices – PCs, tablets, and mobile phones – except that in this case, the devices are owned by the organization and then given out to employees or students for use at work or school.

For these types of devices, Intune offers organizations more granular settings and policies. You should expect to find more password settings for corporate-owned devices thus enabling you to enforce stricter password requirements. Devices that meet specific criteria will be automatically marked by Intune as corporate-owned.

Wrap up

At this point, we have all witnessed the increase in cloud usage by companies of all sizes. The various platforms available have been able to offer businesses an increasing array of capabilities that are constantly improving.

Solutions like Microsoft Intune can now provide powerful endpoint management systems that allow organizations exceptional flexibility and scalability. These capabilities will allow businesses to operate their IT infrastructure more efficiently and provide end-users with the tools to thrive.

To cater to different businesses and where they may be on their journey, Intune gives you pathways that you can take as you migrate to the cloud. You can choose what works for you from co-management until you get to full cloud-native. There is much to be gained from leveraging the cloud not only right now but as we look at all the future innovations currently in development.

Optimizing Software Packaging – What To Know About Advanced Installer

One of the best tools that IT professionals can have in their arsenal is a packaging tool. This simplifies their tasks and saves them time. Businesses need to provide their IT teams with comprehensive packaging tools that are easy to deploy and highly compatible.

One such product that has garnered a significant amount of interest is Advanced Installer. What you get with this powerful packaging tool for developers, businesses, and ISVs, among others, is an advanced application packaging software. It simplifies software deployment in a big way.

And before fully committing, organizations can try out the trial version. It comes with full features, allowing them to make a more informed decision. To help you with that task, let’s go over what you have to look forward to with Advanced Installer.

Introduction

As already mentioned, Advanced Installer is a software packaging and deployment tool designed to eliminate the challenges often encountered with packaging and updating software.

Clients get an all-in-one packaging tool that can create, edit, update, and repackage MSI, EXE, App-V, APPX, and MSIX. Because of the user-friendly and intuitive design as well as the plethora of features and capabilities, IT professionals should expect an application that optimizes the packaging process.

Businesses will also appreciate how easy the integration will be. They’ll also enjoy the compatibility that provides support for various platforms and formats. In addition, IT professionals can easily create customizable and visually appealing installers. They can also benefit from the integration of Advanced Installer with popular development tools and environments.

Ultimately, using Advanced Installer gives your organization a product that enables you to build reliable MSI packages. These meet the latest Microsoft Windows logo certification requirements and generally follow the recommended Windows Installer best practices.

Requirements

Before proceeding with the purchase and installation of Advanced Installer, it’s also important to be aware of the specific requirements that the application demands. In the table below, you’ll find both the hardware and software requirements that you need to know.

| Hardware | Software |
|---|---|
| Required minimum: Core 2 class CPU, 1GB RAM, 1366 × 768 screen resolution, 2GB hard drive space | Advanced Installer IDE – for Advanced Installer to run properly on a system, you will need: Windows 7 or newer; the latest Windows Platform SDK. However, this is optional as it will only be required when building certain types of packages. |
| What is recommended: i5 class CPU, 4GB RAM, 1920 × 1200 screen resolution, 10GB hard drive space | Create Install Packages – Advanced Installer produces MSI or EXE install files that are designed to run on: Windows 7 or newer; Windows Server 2008 R2 or newer. |
| | Create MSIX Packages – Advanced Installer produces MSIX packages that are designed to run on: Windows 10 version 1507 or newer; Windows Server 2016 (Long Term Servicing Channel) or newer. |
| | For Java – Advanced Installer for Java can create install bundles to install Java programs on these versions of MacOS: Mac OS 10.x Power PC; Mac OS 10.x Intel. |
| | Windows 10/11 Compatibility – Advanced Installer and the EXE/MSI install packages it generates have been shown to work on Windows 10 and Windows 11. |

Latest upgrades

Some new, recently announced updates for Advanced Installer are available. One in particular of great interest is the new nested Context Menus for File Associations in MSIX. The goal of this feature is to give organizations a more organized and efficient user interface. It ultimately streamlines the management of file associations.

As a result of this, you should have improved navigation and better usability. Moreover, clients will now also find a reboot option for NewPrerequisite and UpdatePrerequisite command lines coupled with support for Java versions 19 through 22.

The above improvements combine with new translations for default strings, a refactored build log for improved clarity, and an AppInstaller theme that is now supporting BrowseDlg dialog for a better user experience. More than just the new features, however, Advanced Installer has addressed challenges that clients were facing, including:

  • Fixed the EXE icon issue in non-English language projects.
  • Addressed the problem of the “Install side-by-side” option not always being preserved on upgrades.
  • Fixed the reboot prompt issues during uninstallation.
  • Resolved the issue that was causing files to be digitally signed twice in an MSIX build.
  • Addressed the problem causing the description field to fail to set the MSI name in UAC when using trusted signing.
  • Corrected the issue causing the system to not prompt for the certificate password when the entered password was incorrect.
  • Resolved the problem of scheduled tasks failing if they were scheduled to run at task creation.

Available features

In the table below, you’ll find a few of the wide range of features that Advanced Installer has to offer.

| Architect | Enterprise | Professional | Freeware |
|---|---|---|---|
| Repackager – seamlessly capture, customize, and repackage existing installations into MSI packages. Upgrade legacy setups to Windows Installer technology. | Updater – checking for downloads and installation of patches and updates is done automatically. | IIS – Web Sites, Virtual Directories and Web Applications, App-Pools, User Accounts. | MSI – create valid MSI setups for your applications that meet all the written and unwritten Windows Installer rules. |
| MSI Quick-Edit – enables you to create, transform, or edit existing MSI packages directly from the Advanced Installer GUI. | JSON Files Updates – without writing any code, you can manage JSON files that are part of the installation package or present on the target machine. | Multilingual and Localized – get over 30 translations that are all ready to use, as well as easy to modify and create. | UAC – build installers that will run seamlessly on Windows 10/8.1/8/7/Vista supporting the security model. |
| MSIX Custom Scripts – use PowerShell scripts to resolve any of the compatibility issues of your application after you create an MSIX. | Installer Continuous Integration – provides built-in support for integration with Azure DevOps, GitHub Actions, Jenkins, TeamCity, and Bamboo. | Themes – also get over 50 built-in beautiful themes to give your installer a professional look. | Imports – bring in relevant imports from Visual Studio, InstallShield LE, Inno Setup, WiX, Eclipse, NSIS, and regular MSI/MSM packages. |
| MSIX Package Editor – can offer an immediate view of your package content, enabling you to customize anything from Advanced Installer’s user interface. | Dialog Editor – enables you to visually customize existing installer dialogs or create new ones entirely from scratch. | Custom Actions – if you execute your code during installation, you can extend your installer’s capabilities. | 32-bit or 64-bit – provides the option to build setups that both run and install on 32-bit processors and/or the latest 64-bit Intel and AMD CPUs. |
| MSIX Modification Packages – enables you to extend and update your MSIX packages. You’ll also be able to separate your main application package from its updates, thus speeding up Windows 10 updates. | Convert EXE installers to MSIs – an extremely capable wizard that converts any EXE setup into an MSI ready for network deployment through Active Directory. | Native Launcher – create a native launcher for your Java applications and customize the process name, file name, icon, version, splash-screen, JRE/JDK detection and selection, user-friendly error handling. | Side-by-side – if you have different versions of your application and want to not only install them simultaneously but have them running side by side, you can easily create packages for all the different versions. |
| Package Support Framework – the capabilities of the PSF integration for MSIX packages will allow you to minimize any AppCompat issues without writing any code. | Office Add-ins – leverage the included specialized templates to greatly simplify the creation of installers for popular software platform extensions, plug-ins, and add-ins. | Prerequisites – search for, download, and install prerequisite applications, frameworks, and run-times. | Upgrades – older versions of your product installed on the user’s machine will be detected and upgraded. Additionally, installation over newer ones will be blocked. |

Pricing and Licensing

Once you have decided to use Advanced Installer, you can go ahead and start the purchase from the purchase page. For those who may need additional clarification on any issue, they can quickly find assistance with the support team. Once completed, you can start planning to deploy the package you choose on certain machines.

Fortunately, there is no limit to the number of machines to which you can deploy a package. As long as you have a licensed version of Advanced Installer, you can successfully create an unlimited number of install packages. You can then distribute these packages royalty-free to any number of users.

When it comes to the issue of upgrades, you can purchase your subscription/license upgrade from the upgrades page. After upgrading your subscription, you’ll need to log out before logging in again. Once logged into Advanced Installer, you can refresh your subscription details. For clients with perpetual licenses, their license keys won’t change.

All they have to do is run the registration wizard once more in Advanced Installer. You can get access to the features from the new edition to which you upgraded by opening the project in Advanced Installer. In the toolbar, go to Home > Options > Project Type tab, and choose the desired project type.

The table below contains information regarding the pricing structure.

| | Architect | Enterprise | Professional |
|---|---|---|---|
| Cost | $359 per user per month. The option for a team subscription is available. | $139 per user per month. The option for a team subscription is available. | $39 per user per month. The option for a team subscription is available. |
| What you get | In addition to everything that Enterprise offers, you will also get Repackager, MSI Quick-Edit, Reports Generator, App-V, MSIX (Re)packaging, MSIX Package Editor, SCCM, and Intune. | In addition to everything you get in Professional, you also get CI/CD Integration, Dialog Editor, Updater, XML Patching, Databases, Trial and Licensing, Merge Modules Authoring, EXE to MSI (wrapper), Automated VM Testing, and Drivers. | The main features available include Trusted Signing Native Integration, Visual Studio Extension, PowerShell Automation, MSIX, Themes, Services, Prerequisites, IIS, .NET, COM, ODBC, Internationalisation, Java Native Launcher, and Installer Analytics. |

Registration process

After purchasing Advanced Installer, you can now begin the registration process. However, if you are using the Freeware version, registration is not necessary. Clients that opt for the Professional, Enterprise, and Architect versions will require a valid registration to continue use after the trial period has lapsed. All you need to do is navigate to the File > Help > Register menu.

ONLINE REGISTRATION

If you want to download the license online, then the first thing you’ll need is an internet connection. With that established, Advanced Installer will connect to the appropriate server and download the license file to your device.

REGISTRATION BY EMAIL

In this case, an internet connection is not a requirement for the device in question. Once you have noted your Computer ID, you can email it in using any other device connected to the internet. Coupled with the valid License Key, you should forward these details to support at advancedinstaller.com. You can also expect to receive your response within 48 hours. The response will contain your license file as well as additional instructions.

LICENSE SERVER REGISTRATION

This method of registration by using a license server is only a valid option for owners with floating licenses. You’ll need to verify that your network administrator has correctly installed and configured the License Server. You won’t be able to complete the registration if you don’t have both the server’s host name and the port number.

Wrap up

Organizations are constantly searching for productivity tools that can empower their teams and increase operational efficiency. Tools such as Advanced Installer are ideal in that they can simplify tasks such as packaging and deployment of software. The capabilities of this application will deliver a faster overall process and a seamless installation experience that minimizes headaches. And as we move forward Advanced Installer will only get better as the development team leverages the feedback from clients.

Managed Home Screen: A Configuration Guide

As a business, it’s important to always be on the lookout for devices and applications that can improve the way you carry out your business operations. With platforms such as Managed Home Screen (MHS), the benefits to your business will be clear to see for everyone.

What MHS offers is an application for corporate Android Enterprise devices. This works for those enrolled via Intune and running in multi-app kiosk mode. Once installed on these devices, MHS will function as a launcher for other approved apps to run on top of it.

In previous articles, we have gone over the new features that Microsoft has added to MHS. We’ve also covered their benefits to your organization. In this article, we’ll be discussing some of the key configuration aspects of the Managed Home Screen platform.

When do you configure the Managed Home Screen app?

Start by verifying if your devices meet the prerequisites. This is because Intune only supports the enrollment of Android Enterprise dedicated devices for Android devices running OS version 8.0. In addition, these devices should be able to connect to Google Mobile Services.

Likewise, MHS only supports Android devices running OS version 8.0 and above. If you find that the settings are available through device configuration profiles, then you should configure the settings there. This will be faster, limit errors, and give you a better Intune-support experience.

Also, note that there are some MHS settings only available via the App configuration policies pane in the Intune admin center. When using App configuration:

  • Head over to the Microsoft Intune admin center and select Apps > App configuration policies.
  • Add a configuration policy for Managed devices running Android.
  • Select Managed Home Screen as the associated app.
  • To configure the different available MHS settings, select Configuration settings.

Selecting a Configuration Settings Format

To define configuration settings for MHS, there are two methods available:

  • Configuration designer – enables you to configure settings with an easy-to-use UI. It allows you to toggle features on or off and set values. With this method, you’ll find a few disabled configuration keys with the value type BundleArray. The only way to configure these keys is by entering JSON data.
  • JSON data – with this option, you can define all possible configuration keys using a JSON script.

Moreover, by adding properties with Configuration Designer, you can automatically convert these properties to JSON. Do so by selecting Enter JSON data from the Configuration settings format dropdown.

Using Configuration Designer

Configuration designer will enable you to select pre-populated settings and their associated values. In the table below, you’ll find a list of the MHS available configuration keys, value types, default values, and descriptions. The description gives you the expected device behavior based on selected values. Note that configuration keys of the BundleArray type are disabled in the Configuration Designer.

Configuration to customize applications, folders, and general appearance of Managed Home Screen

| Configuration Key | Value Type | Default Value | Description | Available in device configuration profile |
|---|---|---|---|---|
| Set allow-listed applications | bundleArray | You can find it under the Enter JSON Data section | Enables you to define the set of apps you see on the home screen from among the apps installed on the device. You define the apps by entering the app package name of each app that you want visible. Any app that you choose to allow-list in this section needs to be already installed on the device to be visible on the home screen. | Yes |
| Set pinned web links | bundleArray | You can find it under the Enter JSON Data section | Enables you to pin websites as quick launch icons on the home screen. Using this configuration allows you to define the URL and add it to the home screen for the end-user to launch in the browser with a single tap. | Yes |
| Create a Managed Folder for grouping apps | bundleArray | You can find it under the Enter JSON Data section | Enables you to create and name folders and group apps within these folders. End-users can’t rename or move folders and neither can they move the apps within the folders. Folders will appear according to the order of creation and apps according to alphabetical order. If you have apps that you want to group into folders, they must first be assigned as required to the device and must have been added to the Managed Home Screen. | Yes |
| Set Grid Size | string | Auto | Enables you to set the grid size for apps to be positioned on the managed home screen. Use the format “columns ; rows ” to set the number of app rows and columns to define grid size. When defining grid size, the maximum number of apps visible in a row on the home screen is the number of rows you set. Likewise, the maximum number of apps visible in a column on the home screen is the number of columns you set. | Yes |
| Lock Home Screen | bool | TRUE | Eliminates the ability of the end-user to move around app icons on the home screen. Enabling this configuration key locks the app icons on the home screen. End-users can’t drag and drop to different grid positions on the home screen. When set to False, end-users will be able to move around the app and weblink icons on the Managed Home Screen. | Yes |
| Application Order Enabled | bool | FALSE | Turning this setting to True will enable you to set the order of apps, weblinks, and folders on the Managed Home Screen. After it’s enabled, you can set the ordering with app_order. | Yes |
| Application Order | bundleArray | You can find it under the Enter JSON Data section | Enables you to set the order of apps, weblinks, and folders on the Managed Home Screen. You can only use this setting if Lock Home Screen is enabled, the grid size is defined, and Application Order Enabled is set to True. | Yes |
| Applications in folder are ordered by name | bool | TRUE | Setting this to False makes items in a folder appear in the order they’re specified. Otherwise, they will be displayed in alphabetical order. | No |
| Set app icon size | integer | 2 | With this, you can define the icon size for apps displayed on the home screen. Below are the values that you can use in this configuration for different sizes: 0 (Smallest), 1 (Small), 2 (Regular), 3 (Large), 4 (Largest). | Yes |
| Set app folder icon | integer | 0 | With this, you can define the appearance of app folders displayed on the home screen. The appearance can be selected from the values below: Dark Square (0), Dark Circle (1), Light Square (2), Light Circle (3). | Yes |
| Set screen orientation | integer | 1 | Using this, you can set the orientation of the home screen to portrait mode, landscape mode, or allow auto rotate. The orientation can be set by entering the values below: 1 (for portrait mode), 2 (for landscape mode), 3 (for autorotate). | Yes |
| Set device wall paper | string | Default | By using this, you can select a wallpaper of your choice. All you need to do is enter the URL of the image that you want to set as a wallpaper. | Yes |
| Define theme color | string | light | Decide whether you want the Managed Home Screen app to run in “light” or “dark” mode. | No |
| Block pinning browser web pages to MHS | bool | FALSE | By turning this restriction to True, you can prevent users from pinning web pages from any browser onto Managed Home Screen. | No |
| Enable updated user experience | bool | FALSE | Switching to True will enable the updated app design to be displayed along with the improvements to user workflows for usability and supportability, for MHS. However, if you keep it as False, users will continue to see previous workflows on the app. An important thing to note here is that from August 2024 onwards, previous Managed Home Screen workflows will no longer be available and all devices will need to use the updated app design. | No |
| Top Bar Primary Element | choice | | This key helps you choose whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. You can only use this setting when the Enable sign in key is set to False. Otherwise, when that key is set to True, the user’s name will be shown as the primary element. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to True. | No |
| Top Bar Secondary Element | choice | | This key helps you choose whether the secondary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to True. | No |
| Top Bar User Name Style | choice | | This setting enables you to select the style of the user’s name in the top bar based on the following list: display name; last name, first name; first name, last name; first name, last initial. You can only use this setting when the Enable sign in key is set to True. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to True. | No |

Key things to note

For the Managed Home Screen app to keep meeting Google Play Store’s requirements, the app had to be updated at the API level. However, this update translates to a few changes to how Wi-Fi configuration works from Managed Home Screen. So, some of the changes you should expect to encounter include:

  • Users won’t be able to change the Wi-Fi connection for the device, whether it be enabling or disabling the connection. However, despite not being able to turn the Wi-Fi on or off, users can still switch between networks.
  • In addition, users also won’t be able to automatically connect to a configured Wi-Fi network with a first-time password requirement. Instead, after entering the password for the first time, the configured network will then automatically connect.

ANDROID DEVICES RUNNING OS 11

All those who are using Android devices running OS 11 should note another aspect. Whenever an end-user tries to connect to a network via the Managed Home Screen app, a consent pop-up prompt will appear. This pop-up is from the Android platform itself and therefore not specific to the Managed Home Screen app.

Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app.

You’ll notice that the network will only change if the device does not have a connection to a network. This includes instances when you have input the right password. All devices already connected to a stable network won’t connect to a password-protected network via the Managed Home Screen app.

ANDROID DEVICES RUNNING OS 10

For individuals using Android devices running OS 10, there’s another consideration. When an end-user tries to connect to any network using the Managed Home Screen app, they will receive a prompt with a consent via notifications.

Because of this prompt, users whose devices are running OS 10 must have access to the status bar and notifications to be able to complete the consent step. Therefore, IT admins may need to use General settings for dedicated devices to make the status bar and notifications available to the appropriate end-users whenever necessary.

Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app. You’ll notice that the network will only change if the device does not have a connection to a network. This applies even if you have input the right password.

BLUETOOTH CONSIDERATIONS

If a device is running Android 10+ and using Managed Home Screen, successful Bluetooth pairing on devices that require a pairing key requires certain conditions. IT admins will need to enable a few Android system apps and these are as follows:

  • Android System Bluetooth
  • Android System Settings
  • Android System UI

Managing troubleshooting issues

One of the best updates that Microsoft brought to Managed Home Screen is the introduction of enhanced troubleshooting features. Users now get access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

This access aims to simplify the troubleshooting process for device users which can reduce downtime and thereby increase productivity. To help even further, you’ll find configurations in the table below. These help troubleshoot various problems that users can encounter on their devices:

| Configuration Key | Value Type | Default Value | Description | Available in device configuration profile |
|---|---|---|---|---|
| Exit lock task mode password | string | | Input a 4-6-digit code to use to temporarily drop out of lock-task mode for troubleshooting. | Yes |
| Enable easy access debug menu | bool | FALSE | Switch this setting to True and you can access the debug menu from the Managed Settings menu while in Managed Home Screen. If you want to exit kiosk mode, you’ll find the capability in the debug menu, which is otherwise opened by clicking the back button about 15 times. If you want to keep the entry point to the debug menu only accessible via the back button, you should keep the setting switched to False. | Yes |
| Enable MAX inactive time outside of MHS | bool | FALSE | If you want to automatically re-launch Managed Home Screen after a set period of inactivity, you’ll need to switch this setting to True. Note that the timer will only count inactive time and, upon configuration, will reset each time the user interacts with the device while outside of MHS. To set the inactivity timer, use MAX inactive time outside MHS. This setting is kept off by default. You can only access this setting if Exit lock task mode password has been configured. | No |
| MAX inactive time outside MHS | integer | 180 | Specify the maximum amount of inactive time (in seconds) that a user can spend outside of MHS before it is automatically re-launched. Users will find this configuration set to 180 seconds by default. If you want to use this setting, Enable MAX inactive time outside of MHS must be set to True. | No |
| Enable MAX time outside MHS | bool | FALSE | If you want to automatically re-launch MHS after a set period of time, you must set this setting to True. The timer considers both active and inactive time spent outside of MHS. You need to use MAX time outside MHS to set the inactivity timer. This setting is kept off by default. You can only use this setting after Exit lock task mode password has been configured. | No |
| MAX time outside MHS | integer | 600 | You must specify the maximum amount of absolute time (in seconds) that a user can spend outside of MHS before it is automatically re-launched. Users will find this configuration set to 600 seconds by default. You can only use this setting if Enable MAX time outside MHS is set to True. | No |
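
Several settings in the two tables above only take effect when another setting is in place (the exit code before either re-launch timer, three conditions before Application Order, the updated user experience before any top bar element). The following Python lint is an added example, not Microsoft's or this article's own code, that checks a settings dictionary against those stated rules before it is deployed. It keys settings by the tables' display names because the page does not list the JSON key names, and the default for Enable sign in is an assumption.

```python
import re

# Defaults copied from the tables above; keys are the tables' display names.
DEFAULTS = {
    "Lock Home Screen": True,
    "Application Order Enabled": False,
    "Set Grid Size": "Auto",
    "Enable updated user experience": False,
    "Enable sign in": False,  # assumption: default not stated on this page
    "MAX inactive time outside MHS": 180,
    "MAX time outside MHS": 600,
}
# Integer settings and the values the first table lists for them.
RANGES = {
    "Set app icon size": range(0, 5),
    "Set app folder icon": range(0, 4),
    "Set screen orientation": range(1, 4),
}
# (enable flag, seconds value) pairs from the troubleshooting table.
TIMERS = [
    ("Enable MAX inactive time outside of MHS", "MAX inactive time outside MHS"),
    ("Enable MAX time outside MHS", "MAX time outside MHS"),
]
TOP_BAR = ("Top Bar Primary Element", "Top Bar Secondary Element",
           "Top Bar User Name Style")
GRID = re.compile(r"\s*[1-9][0-9]*\s*;\s*[1-9][0-9]*\s*")  # "columns ; rows"


def lint_mhs(cfg):
    """Return (rule_id, message) findings for one MHS settings dict."""
    def get(key):
        return cfg.get(key, DEFAULTS.get(key))

    out = []
    code = cfg.get("Exit lock task mode password")
    has_code = code not in (None, "")
    if has_code and not re.fullmatch(r"[0-9]{4,6}", str(code)):
        out.append(("exit-code-format", "exit code must be 4 to 6 digits"))

    timers_on = 0
    for flag, value in TIMERS:
        if get(flag) is True:
            timers_on += 1
            if not has_code:
                out.append(("timer-needs-exit-code",
                            f"{flag} needs Exit lock task mode password"))
            secs = get(value)
            if isinstance(secs, bool) or not isinstance(secs, int) or secs <= 0:
                out.append(("timer-value", f"{value} must be seconds > 0"))
        elif value in cfg:
            out.append(("timer-ignored", f"{value} set, but {flag} is not True"))
    if has_code and timers_on == 0:
        # Reviewer's advisory, not a rule from the table: with both timers
        # off, these settings never re-launch MHS after the exit code is used.
        out.append(("advisory-no-relaunch", "exit code set, no re-launch timer"))

    if "Application Order" in cfg:
        if get("Application Order Enabled") is not True:
            out.append(("app-order-not-enabled", "set Application Order Enabled"))
        if get("Lock Home Screen") is not True:
            out.append(("app-order-needs-lock", "Lock Home Screen must be True"))
        if not GRID.fullmatch(str(get("Set Grid Size"))):
            out.append(("app-order-needs-grid", "define Set Grid Size"))

    if any(k in cfg for k in TOP_BAR) and \
            get("Enable updated user experience") is not True:
        out.append(("top-bar-hidden", "top bar needs the updated experience"))
    if "Top Bar Primary Element" in cfg and get("Enable sign in") is True:
        out.append(("top-bar-primary-unused", "user name is shown instead"))
    if "Top Bar User Name Style" in cfg and get("Enable sign in") is not True:
        out.append(("top-bar-name-style-unused", "needs Enable sign in"))

    for key, allowed in RANGES.items():
        if key in cfg and (isinstance(cfg[key], bool) or cfg[key] not in allowed):
            out.append(("value-range", f"{key}={cfg[key]!r} is not a listed value"))
    if cfg.get("Define theme color", "light") not in ("light", "dark"):
        out.append(("value-range", "Define theme color must be light or dark"))
    return out


def rule_ids(cfg):
    """Sorted, de-duplicated rule ids, convenient for CI assertions."""
    return sorted({rule for rule, _ in lint_mhs(cfg)})


# Constructed sample settings (not from a real tenant). The Application Order
# value is a placeholder; the page does not show the bundleArray layout.
BAD = {"Exit lock task mode password": "123", "MAX time outside MHS": 900,
       "Application Order": ["<placeholder>"], "Set screen orientation": 0,
       "Top Bar Primary Element": "Device Name"}
GOOD = {"Exit lock task mode password": "482913",
        "Enable MAX inactive time outside of MHS": True,
        "MAX inactive time outside MHS": 120, "Lock Home Screen": True,
        "Set Grid Size": "4;5", "Application Order Enabled": True,
        "Application Order": ["<placeholder>"],
        "Enable updated user experience": True,
        "Top Bar Primary Element": "Device Name"}

if __name__ == "__main__":
    for name, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_mhs(cfg))
```
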

Microsoft ecosystem provides Android users with an optimal experience

Managed Home Screen and all its features are helping to enhance the user experience. MHS supports Android users who rely on the Microsoft ecosystem for business purposes. For years, the relationship between Microsoft and Android has allowed for a better integration between the concerned platforms. It also provides end-users a better overall experience. All of this fits in perfectly with the evolution we have witnessed in the development of excellent mobility solutions.

Over the last few years, there has been a significant increase in those who appreciate the possibility of remote work. Plenty are enjoying the option of being able to work from home. There are additional benefits, including creating their own schedules. But they can also maintain or even increase their productivity levels.

Android users make up a decent portion of Microsoft clients. So, it’s not surprising that Microsoft aims to provide users with all the solutions they need. And Microsoft outfits users to be successful in their business operations. And with Managed Home Screen, Android users get an app that can further enhance their interaction with the Microsoft ecosystem.

The ability for organizations to customize and control user experiences is paramount. It enables them to ensure that end-users will have access to everything they need while simultaneously putting in certain restrictions.

Additionally, end-users can enjoy a much-improved experience. This is because MHS enables businesses to create consistent and simplified experiences across device types and OEMs.

End-users can expect continued innovations and improved features thanks to the global network of experts established by Microsoft and Google. These client specialists, with deep knowledge of Android devices and services, significantly contribute to the ongoing development of services. They will also further enhance the user experience.

It’s because of collaborations like these and the expertise obtained that MHS users can access features that address issues on-device. It’s also how they painlessly equip Microsoft support to troubleshoot issues on-device. So, as the improvements continue to roll out, businesses and individuals will take a keen interest. All of these changes can improve how they do business.

Wrap up

If there is anything that we can expect with regard to technology, it’s that we will continue to see changes. Most intend to improve the end-user experience. The features that Managed Home Screen offers, as well as the available improvements, are a testament to Microsoft’s goal. Microsoft continuously aims to create the optimal experience for Android users.

With feedback from Android experts being a key part of development, end-users can expect ongoing improvements. They can also expect to reap the many benefits of an ever-improving Microsoft ecosystem. One only has to take a look at the depth of products and services available to Android device users. It’s then evident that businesses have plenty to benefit from with these programs and features.

Managed Home Screen: What You Should Know

It doesn’t take too long as you go through the latest tech news and updates to realize just how badly lax security could affect your organization. All nefarious actors need is a small opportunity. And your business may end up paying dearly. This is where Managed Home Screen comes into play.

Hence the need to implement the best possible security measures that you can. And when you use platforms such as Managed Home Screen (MHS), you’ll get excellent features that will help you enhance your overall security.

The platform will give your organization the ability to customize and control Android Enterprise dedicated devices. This allows for restricted access to only what a user may require. As we continue our deep dive into Managed Home Screen, we will end up with a clearer idea of how this platform can best serve your interests.

What to know about general availability

In a previous article, we discussed the updated features that Microsoft introduced to the Managed Home Screen experience. There are a few things that businesses should know about general availability.

To begin, you should be aware that with the general availability of the updated MHS experience, all previous MHS workflows will be obsolete. Not only that, but support will no longer be available for these previous workflows. The new updated features will not be added to previous workflows, as well.

However, admins can still move to the updated experience by setting Enable updated user experience to “true” for 90 days. But, after the 90 days, the app configuration will be removed, and all devices will need to start using the updated MHS experience.

Below are some of the new capabilities recently added for the updated experience:

  • Brightness Slider and Adaptive Brightness – with this tool, IT admins will be able to expose a setting that enables users to access a brightness slider to adjust the device screen brightness. Moreover, IT admins can also expose a setting that allows users to turn adaptive brightness on and off on the device.
  • Autorotation – this next tool helps IT admins expose a setting that is designed to enable users to turn on and off the device’s autorotation.
  • Domain-less Login and Custom Login Hint Text – another feature coming to the updated experience will be support for domain-less sign-in. Admins can configure domain names which will then be automatically added to usernames when signing in. In addition, MHS will begin providing users with a custom login hint string on the sign-in screen.
  • Session PIN Inactivity Timer – in scenarios where a device has been inactive for a specified period of time, IT admins can leverage this feature to demand users to enter their session PIN to resume activity on Managed Home Screen.

Why is Managed Home Screen making changes?

With the updates that have been made to Managed Home Screen, one may be wondering what’s behind all the changes. And the simple reality is that the new features were needed. Applications need to keep improving if they are to meet the ever-evolving needs of businesses.

It goes without saying, but the competition among players in the tech space is brutal. A new application or service can be introduced to the market, and if it can do the job far more efficiently, then you may find yourself losing clients.

Moreover, organizations are now acutely aware that there are nefarious actors constantly looking for vulnerabilities in their systems, and if they find any, it can be catastrophic for their businesses. Updates can address existing performance issues and vulnerabilities.

In addition, new features will also address productivity issues that your business has to deal with. As technology continues to evolve, organizations like yours will be looking to improve their products and services. Updates allow you to harness the latest and very best features for your applications. This will also give your team a better user experience overall. And ultimately, your business can operate more efficiently.

Furthermore, newer updates can help you get even better performances from your devices. At one point or another, we’ve all probably had the frustrating experience of an app crashing. It’s never a pleasant experience and can result in some lost work progress. By updating your applications, you can significantly reduce the chances of these occurrences.

Benefits of Managed Home Screen’s new features

The improvements that Managed Home Screen has made will have benefits for both IT admins as well as end users. These advantages include:

  • Closing the security gap – enhancing your security features means that you reduce potential attack areas. Also, it’s significantly harder for hackers to carry out successful attacks. This is accomplished by requiring end users to enter their session PIN to resume activity on Managed Home Screen after the device has been inactive for a specified period. Having this feature reduces the risk of unauthorized personnel gaining access to a device when the user is not using it. To set it up, you need to set the “Minimum inactive time before session PIN is required” setting to the number of seconds the device is inactive before the end user must input their session PIN.
  • Quicker resolution of issues – if the troubleshooting process is ineffective, it can cause endless downtime and that’s not good for business. MHS improved that process by introducing a feature that will give users access to a debug menu. This includes the pages for Get Help, Exit Kiosk Mode, and About. What this does is give users the ability to go to the Get Help page and easily upload logs. Moreover, users will be able to view Management Resources. It allows them to launch adjacent management apps whenever necessary. With the appropriate support available, your organization can quickly address any performance issues. You can also ensure productivity levels remain optimal.
  • Improve ease of use – one of the best ways to help users work more efficiently is to enable them to have the option to customize certain settings to their liking. Undoubtedly, the immediate concern would be about the risk of increasing vulnerabilities. But, the solution to that is to restrict what users can customize. This ensures that they still get the benefits of personalized apps and devices while maintaining high security standards. One of those settings that users can now change is device screen brightness.

Additional benefits of Managed Home Screen

With the updated features, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You’ll have the option of exposing a setting in the app to allow end users to access a convenient brightness slider to adjust the device screen brightness. Furthermore, you’ll now also be able to expose a setting to allow end users to toggle adaptive brightness.

  • Simplified setup – few things can help users be more productive than using an application with a clean look and access to everything you need. This is what MHS is aiming for with the addition of a top bar. Users will now have quick access to device-identifying information. You get the option to configure this top bar as you see fit. And there will be two descriptive elements available for display. IT admins get to select between serial number, device name, and tenant name for the top and bottom elements in situations where the device is not configured with sign-in.

The top bar will also give quick access to settings as well as the sign-out button. The settings wheel icon sits in the upper right-hand of the top bar. And tapping this icon will display the settings that the IT administrator has selected to reveal to users within MHS settings. Another advantage you can expect is that this settings icon will be located on the top bar by default. And to avoid compromising security, IT admins still get to pick which settings a user can configure. Or they can disable it altogether by enabling or disabling the configuration key “Show managed settings”.

Enhanced security measures for dedicated devices

As we know by now, Managed Home Screen works on devices enrolled into Intune as Android Enterprise dedicated devices. With the increasing sophistication of today’s cyber attacks, organizations need to ensure that their security is of the highest standard.

Bearing that in mind, in this section, let’s take a look at some of the settings that can improve security for fully managed, dedicated, and corporate-owned work profile devices.

Screen capture (work profile-level)

Enabling “Block” will not only stop you from taking screenshots, but will also prevent content from being shown on display devices without a secure video output. However, you should be aware that this setting is set to “Not configured” by default, and Intune doesn’t modify it. You should also know that if the default settings allow, the OS might let users capture the screen contents as an image.

Camera (work profile-level)

Enabling “Block” will prevent access to the device’s camera. Again, you should note that this setting is set to “Not configured” by default and Intune doesn’t change it. Another thing that is important for security is that Intune only manages camera access but doesn’t have access to pictures or videos. The OS may also, by default, allow access to the camera.

Default permission policy (work profile-level)

The objective of this setting is to define the default permission policy for requests for runtime permissions, and the options you have are the following:

  • Default (default) – Use the device’s default setting.
  • Prompt – Users see a prompt to approve the permission.
  • Auto grant – Permissions grant automatically.
  • Auto deny – Permissions are automatically denied.

Date and Time changes

Enabling “Block” will stop users from manually setting the date and time. Additionally, you should note that this setting is set to “Not configured” by default, and Intune doesn’t change it. This will also mean that if the OS default settings permit, users may be able to set the date and time.

Roaming data services

Enabling “Block” will prevent data roaming over the cellular network. And as before, this setting defaults to “Not configured,” and Intune doesn’t change it.

Wi-Fi access point configuration

Enabling “Block” will stop users from creating or changing any Wi-Fi configurations. Additionally, you should note that this setting defaults to “Not configured” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, users may be able to change the Wi-Fi settings on the device.

Bluetooth configuration

Enabling “Block” will stop users from configuring Bluetooth on the device. Additionally, you should note that this setting defaults to “Not configured,” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, using Bluetooth on the device may be possible.

Tethering and access to hotspots

Enabling “Block” will prevent tethering and access to portable hotspots. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow tethering and access to portable hotspots by default.

USB file transfer

Enabling “Block” will prevent transferring files over USB. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it.

External media

Enabling “Block” will prevent using or connecting any external media on the device. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow file transfers by default.

Beam data using NFC (work-profile level)

Enabling “Block” is going to prevent the use of Near Field Communication (NFC) technology to beam data from apps. On the other hand, if set to “Not configured”, which is the default setting, Intune will not change or update the setting. However, you should not forget that the OS might allow using NFC to share data between devices by default.

Developer settings

Enabling “Allow” will let users access developer settings on the device. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Microphone adjustment

Enabling “Block” will stop users from unmuting the microphone and adjusting the microphone volume. However, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Factory reset protection emails

You need to select Google account email addresses. Then, you need to provide the email addresses of device admins who can unlock the device after it’s wiped. When entering the email addresses, make sure to separate them with a semi-colon e.g., [email protected];[email protected]. Note that these emails will only apply in scenarios during a non-user factory reset, like running a factory reset using the recovery menu. And as with previous settings, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

System update

To determine how the device handles over-the-air updates, you’ll need to pick from the following options:

  • Device Default (default) – stick to the device’s default setting, meaning that when the device connects to Wi-Fi, is charging, and is idle, the OS updates automatically. For app updates, the OS first checks that the app is not running in the foreground.
  • Automatic – implements an automatic update process without user involvement.
  • Postponed – updates postpone for a period of 30 days, at the end of which users receive a prompt to install the update. For critical security updates, however, device manufacturers or carriers may block their postponement.
  • Maintenance Window – also provides an automatic update process but that occurs during a daily maintenance window that you set in Intune. If the installation tries and fails for 30 days, you will subsequently see a prompt to perform the installation. This setting will apply to OS and Play Store app updates.

Freeze periods for system updates

This one is optional. If you are going to set the System update setting to Automatic, Postponed, or the Maintenance window, then you must use this setting to create a freeze period:

  • Start date – provide a start date using the MM/DD format. The freeze period can be up to 90 days long.
  • End date – provide an end date using the same MM/DD format. The freeze period can be up to 90 days long.

Take note that all incoming system updates and security patches will be blocked during the freeze period. And this also includes manually checking for updates.

Location

Enabling “Block” will disable the Location setting on the device and prevent users from turning it on. However, it’s worth noting that disabling this setting will affect every setting that also relies on device location. This includes the Locate device remote action that admins use. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.
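Most of the settings above default to “Not configured”, which leaves the decision to the OS default rather than blocking anything. The following added example (not Microsoft's code or part of the original article) compares a profile against a baseline of settings that must be set to “Block”, flags Developer settings left at “Allow”, and checks the freeze-period length, including periods that wrap over the year end. The dict layout of the profile is hypothetical and the sample values are constructed.

```python
from datetime import date

NOT_CONFIGURED = "Not configured"
MAX_FREEZE_DAYS = 90

# Settings from the list above whose restrictive value is "Block".
BLOCKABLE = {
    "Screen capture", "Camera", "Date and Time changes",
    "Roaming data services", "Wi-Fi access point configuration",
    "Bluetooth configuration", "Tethering and access to hotspots",
    "USB file transfer", "External media", "Beam data using NFC",
    "Microphone adjustment", "Location",
}


def freeze_length_days(start_mmdd, end_mmdd, year):
    """Inclusive length of a freeze period given as MM/DD strings.

    An end date that falls earlier in the calendar than the start date is
    read as belonging to the following year (for example 11/15 to 01/10).
    Raises ValueError for malformed or impossible dates.
    """
    start_month, start_day = (int(part) for part in start_mmdd.split("/"))
    end_month, end_day = (int(part) for part in end_mmdd.split("/"))
    start = date(year, start_month, start_day)
    end = date(year, end_month, end_day)
    if end < start:
        end = date(year + 1, end_month, end_day)
    return (end - start).days + 1


def audit_profile(profile, must_block, year):
    """Return a list of (setting, message) findings for a profile."""
    unknown = set(must_block) - BLOCKABLE
    if unknown:
        raise ValueError(f"not a Block-style setting: {sorted(unknown)}")

    findings = []
    for name in sorted(must_block):
        # A setting missing from the profile behaves like "Not configured".
        value = profile.get(name, NOT_CONFIGURED)
        if value != "Block":
            findings.append(
                (name, f"baseline wants Block, profile has '{value}': "
                       "the OS default applies and may allow it"))

    # Developer settings is the inverse case: "Allow" is the risky value.
    if profile.get("Developer settings", NOT_CONFIGURED) == "Allow":
        findings.append(("Developer settings",
                         "users can open developer settings on the device"))

    # All system updates and security patches are blocked during a freeze.
    freeze = profile.get("Freeze period")
    if freeze is not None:
        try:
            days = freeze_length_days(freeze[0], freeze[1], year)
        except ValueError as exc:
            findings.append(("Freeze period", f"invalid MM/DD value: {exc}"))
        else:
            if days > MAX_FREEZE_DAYS:
                findings.append(
                    ("Freeze period",
                     f"{days} days exceeds the {MAX_FREEZE_DAYS}-day limit"))
    return findings


# Constructed sample: a profile as an admin might transcribe it from the
# Intune console (hypothetical layout, not an Intune export format).
SAMPLE_PROFILE = {
    "Screen capture": "Block",
    "Camera": NOT_CONFIGURED,
    "USB file transfer": "Block",
    "Developer settings": "Allow",
    "System update": "Maintenance Window",
    "Freeze period": ("11/01", "02/15"),
}
SAMPLE_BASELINE = {"Screen capture", "Camera", "USB file transfer",
                   "External media"}

if __name__ == "__main__":
    for setting, message in audit_profile(SAMPLE_PROFILE, SAMPLE_BASELINE, 2025):
        print(f"{setting}: {message}")
```

The baseline is passed in rather than hard-coded because some deployments need a setting left open, such as Location where the Locate device remote action is used.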

When to enroll devices as dedicated devices

One of the things that may have a lot of people wondering is the issue of when exactly you should be looking at enrolling a device as a dedicated device. According to the information available from Microsoft, Intune’s Android Enterprise dedicated device solution is for clients who want their Android devices enrolled with no user-affinity.

On top of that, this device solution requires that the device runs Android OS 8+ and should be able to connect directly to Google Mobile Services (GMS). Below are the three main scenarios that Intune envisions for dedicated devices:

AS A DIGITAL SIGN

Typically locked into one application that shows viewers desired information. A good example of this would be the train schedules or flight schedules that you may see at the train station or airport respectively. In these particular situations, there will be zero-to-minimal physical user interaction.

TASK-BASED DEVICES

In this case, the device is locked into a single application or multiple applications and used for specific tasks. What you then have is a setup where the device is not privy to who is using it or where. We can see an example of how this would work with package delivery drivers.

As they clock into their shift, the delivery driver receives a device. This device helps them navigate to their location, scan packages, and complete other role-based tasks. Once the driver completes their tasks, the device can then be returned for the next delivery driver to use.

MULTI-USER, TASK DEVICES

In the third scenario, the device is locked into a single app or a set of apps, and used for specific tasks. Users need to sign in on at least a single application on the device and, unlike the previous scenario, the apps in this case will need to know who is using the device and when.

The general recommendation for this scenario is to enable Shared Device mode. For instance, you can look at a factory setup where a device may be used by multiple people, such as shift workers, maintenance staff, delivery drivers, etc.

So, every individual using the device will get the same apps and policies, but the key difference is that the relevant information displayed by the apps will vary from person to person, depending on their sign-in information.

Wrap up

As a business, it’s crucially important to always be on the lookout for applications and services that can give you an advantage. Something that can improve the quality of what your organization is producing by enhancing worker efficiency. For Managed Home Screen clients, the platform improvements can offer such benefits.

You get features that help you maintain high security standards by allowing IT admins to put in place any necessary restrictions. But, even with these restrictions, end users will still get quicker access to what they need, faster resolution of issues, and a more streamlined workflow.

Enhancing the Intune Experience With Managed Home Screen

All the devices and applications that we use need both security and feature updates now and again to ensure that we always get the best possible performance. Whether these are personal or work devices, without regular improvements, the performances will eventually not be good enough to meet our requirements.

One of the platforms that helps to optimize the user experience is Managed Home Screen. Using this feature can deliver a better experience. Within the Intune environment, all users with devices enrolled as Android Enterprise dedicated devices can benefit.

In this article, we’ll be taking a look at what Managed Home Screen is and how it can improve workflows.

What is Managed Home Screen?

With Managed Home Screen, users get an Android application that is compatible with devices enrolled into Intune as Android Enterprise dedicated devices. The application is meant for corporate-owned devices that are running in multi-app kiosk mode.

On these devices, Managed Home Screen acts as the launcher for other approved apps to run on top of it. The benefit to IT admins is greater control over the customization of devices, as well as being able to restrict the capabilities that the end user can access. The availability of these features means that your business can:

  • Easily maintain control over how these devices work. The customization and control you have over the Android devices allows you to determine specifically what users can access.
  • Enhance the user experience by establishing a consistent and simplified experience across device types and OEMs that makes it significantly easier to perform all tasks to a high standard.
  • Gain access to all the relevant troubleshooting workflows that one would need to fix issues on-device. Or provide Microsoft support with the necessary tools to troubleshoot issues on-device.
  • Utilize an improved sign-in and sign-out experience with a device configured with Shared device mode.

Customization benefits

Additionally, the availability of customization will allow you to completely modify the overall appearance and feel of your home screen.

You can do things such as:

  • Set a custom wallpaper that can truly bring your branding to the fore. Or, you could use the custom wallpaper as a visual indicator to distinguish various devices.
  • You can relocate applications to the home screen so you have your important and most frequently used apps in a place that facilitates easy access. Not only that, but this can help you design a setup that is consistent across devices for your users.
  • Those who may have plenty of apps on the home screen can easily simplify things by categorizing apps into specific folders.
  • Because devices can have varying screen sizes, you’ll also get the option to modify the size of apps and folders appearing on the home screen.
  • To get even quicker access to vital app data, you can add custom widgets to the home screen.
  • When a device is inactive, you can set a screen saver to hide the home screen.

Dedicated devices

We just mentioned that Managed Home Screen is usable on devices enrolled into Intune as Android Enterprise dedicated devices. But, what exactly are ‘dedicated devices’? This term simply refers to corporate-owned devices not associated with a particular user. Additionally, these devices will normally be in use for performing specific tasks.

So, if you want to enroll Android devices with no user-affinity then this option will suit you. However, it’s also important to note that Intune’s Android Enterprise dedicated device solution will require that the devices run Android OS 8+ and be able to connect to Google Mobile Services (GMS).

Setting up Managed Home Screen

Setting up your device with Managed Home Screen is a process that will take several steps. But, once you have a device that meets the requirements, you can begin.

Setting up an Intune enrollment profile and device group

Start by creating an enrollment profile to generate an enrollment token first, and attach it to a device group. In the Endpoint Manager admin center, navigate over to Devices > Android > Android enrollment > Corporate-owned dedicated devices. You’ll need to fill in the Name but filling in the Description is optional. After this, select Type. Be sure to select Corporate owned dedicated device with Azure AD shared mode if you expect that your devices may require users to access M365 applications, other App Protection Policies, or Conditional Access policies. When everything’s done, click Create.

CREATING A DEVICE GROUP

Head over to Groups > All groups > New group. You’ll need to fill in the Group Name but filling in the Group Description is optional. Make sure that the Group type is set to “security”. Then, proceed to change Membership type to Dynamic device, after which you need to Add a dynamic query. By using dynamic queries, you can have your device automatically added to a group based on the property of your choice.

Approve and assign Managed Home Screen and more Managed Google Play apps

This next step will ensure that Managed Home Screen successfully downloads and installs on your enrolled devices. It should also automatically launch. You’ll find Managed Home Screen already synced in the console when you navigate to Apps > All apps as soon as you have linked your Intune and Managed Google Play accounts. After that, you can:

  • Click Managed Home Screen.
  • Select Properties>Assignments (edit).
  • Add your device group from Step 2 officially to the Required assignments.
  • Save.

If you want to add public, private, or web applications, go ahead and stay in Apps > All apps and choose “add.” Navigate to Select app type and choose Managed Google Play app.

Manage Android Enterprise system apps

One thing that you will notice is that system applications are often disabled by default upon enrollment. To enable these applications and show the icon on the device, you start by heading back to Apps > All apps in Intune and selecting Add in the top left corner. After choosing Select, proceed to fill out the App information, and assign it as “Required” or “Uninstall” to the group that you created in Step 2. At this point, you can select “Required” if you want the application to be available on the device or “Uninstall” if you prefer that it remain hidden on the device.

Creating a device configuration profile

Having this profile is crucial because it enables you to not only configure device-level behavior but to configure kiosk mode as well. To begin the process, navigate to Devices > Configuration profiles > Create profile. Next, go to Platform, and select “Android Enterprise.” With that done, head to Profile and select “Device restrictions” beneath “Fully Managed, Dedicated, and Corporate-Owned Work Profile.”

After this, select Create, and then you need to fill in the Name of your profile but filling in the Description is optional. Once everything is ready you can select Next.

Creating an app configuration profile

Be mindful that this step is completely optional. Once you have completed the steps already given above, you will be ready to enroll your devices. So, this step is ideal for those who want to learn how to utilize all the available Managed Home Screen features. Additionally, this step will help you to configure the complete list of features that Managed Home Screen has to offer.

In the Endpoint Management admin center, head over to Apps>App configuration policies>Add>Managed devices. Then, you need to fill in the Name and as with other sections, the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. As soon as you are ready to continue, select Next.

A. Using configuration designer to set up Managed Home Screen features

Choose Use configuration designer from the Configuration settings format drop-down menu. Select Add to open a panel with all the available Managed Home Screen configuration keys. Choose the configuration keys that you want to edit and then click OK. All the configuration keys have default values and if you want to modify a configuration value, hover over and then interact with each row under the “Configuration value” column. Click Next as soon as all the necessary changes have been made.

Navigate to the Assignments page. Under Included groups, choose Select groups to include, and then pick the device group you created in the second step. You can review by clicking Next, and once set, click Create.

B. Using JSON data to set up Managed Home Screen features

You can complete the configuration of the home screen by using JSON to create your folders, add widgets, and order items. If you need to edit your existing app configuration profile, you can do so by clicking on the policy you just created in Apps > App configuration policies. After that, select Properties > Settings (Edit). Choose Enter JSON data from the Configuration settings format drop-down menu. You should be able to see all your existing configurations in JSON format.

B.1. Add a managed folder to your home screen

You can organize your home screen better by creating a folder that you get to manage. This is something that you can only do using JSON data format in an app configuration policy. You’ll need to add the JSON snippet below in the place where feature configurations go:

  • Replace “PLACEHOLDER_FOLDER-NAME” with a name of your choice.
  • Replace “PLACEHOLDER_APP-PACKAGE-NAME” with the package name of the app that you want to put inside your folder. You have the option to add as many apps as you want.

B.2. Configure custom ordering of items on the home screen

A few things need to be in place if you want to create a custom ordering of items on the home screen. These include:

  • Apps, widgets, and folders should already be added to your home screen allow-list.
  • The home screen should be locked because this ensures that a user cannot make changes by moving things around themselves.
  • A grid size for all your home screen pages should be set.
  • App ordering mode should be enabled.

At this point, you can set the position of an item to an assigned grid position. Note that the positions will read from smallest to largest from left to right and then top-to-bottom.

DEVICE ENROLLMENT

As already alluded to earlier, devices should be running Android OS 8+ and run with Google Mobile Services (GMS). As soon as a device is ready, you can enroll from a factory-reset state using:

  • Near Field Communication
  • Token entry
  • QR code scanning
  • Google’s Zero Touch Enrollment
  • Samsung’s Knox Mobile Enrollment

User credentials are not necessary during enrollment or provisioning because these dedicated devices are not user-associated. Select the type of enrollment that you want and follow the instructions given in this section.

COMPLETION OF SETUP

After the setup process finalizes, you’ll find yourself on the device’s home screen. Then, the device will proceed to sync policies with Intune after which apps will begin to download and install on the device. And after Managed Home Screen has been installed, it will auto-launch and show you all your configurations.

Improvements to Managed Home Screen

Pursuant to the feedback that Microsoft received from its clients, some eye-catching new design changes have been made to the app to optimize usability. However, these new features are only available on the updated experience.

Although you can look forward to an improved user experience, Microsoft has not made any intentional changes to feature support, and you can expect only minor changes in current functionality, such as:

  • You’ll no longer see the company logo on the Session PIN screen, but you will still have it on the home screen.
  • Swiping down will no longer give you access to the Managed Home Screen settings.

Addition of the top bar

A top bar has been added to the Managed Home Screen page to simplify access and to give quick access to device-identifying information. This top bar can be configured as necessary and allows for the display of two descriptive elements.

IT administrators can decide between serial number, device name, and tenant name for the top and bottom element in situations where the device is not configured with sign-in. On the other hand, if the device is configured with sign-in, the top element will display the signed in user’s name.

Easily discoverable settings and sign out button

Another benefit of the top bar is that it enables quick navigation to settings as well as the sign-out button. However, for the latter, this is only possible when sign-in is configured. If you go to the upper right-hand corner of the top bar, you’ll now find a settings wheel icon.

When a user taps this icon, they’ll see which settings the IT administrator has selected to reveal to them within MHS settings. One thing to note with the updated experience is that swiping down on the device will no longer give you access to settings.

You can now find the Settings icon located on the top bar by default. IT admins get to decide which settings a user can configure or disable it altogether by enabling or disabling the configuration key “Show managed settings”. There are a couple of situations in which the Settings icon will still display, and these are:

  • When a user is signed in, the Settings icon is available to view the user’s profile information.
  • When device permissions are required but no user is signed in, the Settings icon will be available for the user to grant permissions. Moreover, you won’t see any additional settings unless configured.

Updated permissions flow

Updating the permissions granting flow has been necessitated by the desire to ensure that device users do not miss essential permissions. Upon launching MHS initially, a dialogue will appear requesting users to grant any required permissions. Users can get to the settings screen where the required settings will be clearly laid out by tapping either the message or the settings wheel.

By tapping on the message, users will be redirected to the correct page in the Android settings page to grant the permission that is needed for the functionality of all configurations that are set by the IT administrator for Managed Home Screen.

In the event a user rejects the permission, a message will then be displayed on the screen and a red dot will appear on the settings app icon. Ultimately, this update to the permissions flow has been designed to prevent permissions from being missed and to optimize the functions of Managed Home Screen.

Enhanced troubleshooting features

Managed Home Screen is helping to simplify the process of troubleshooting device issues. The new features that have been introduced will give users access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

Users can now go to the Get Help page and easily upload logs. In addition, users can also view Management Resources, allowing them to launch adjacent management apps whenever necessary.

And if you want important information on Managed Home Screen, including the privacy statements, accessibility statements, and third-party configurable compliance links, if enabled, you’ll easily find it on the About page.

The updated debug menu can only appear within settings after an IT admin has configured easy access to the debug menu. Without this action, users will need to tap the back button 15 times to unhide the debug menu. 

Start using the updated experience

To begin using the updated experience, you need to follow the steps given below:

  • Start by verifying that the target devices are running version 2.2.0.91169 or higher of Managed Home Screen.
  • Within the Intune admin center, head over to Apps > App configuration policies > Add > Managed devices. (And if you already have an app configuration policy in place for the target devices, you can skip the next step)
  • Filling in the Name will be required, but the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. When everything’s done, click Next.
  • To configure your settings, you can use either configuration designer or JSON data. Navigate to the Configuration settings format drop-down menu, and select Use configuration designer. Choose Add and this will open the panel with the available Managed Home Screen configuration keys.
  • Next, you need to choose the configuration key Enable updated user experience and switch it to True. For those using JSON data, they need to add the key and value below:

    {
        "key": "enable_updated_user_experience",
        "valueBool": true
    }

  • Lastly, head over to the Assignments page and look under Included groups. Then, you need to choose Select groups to include and select the device group that you want to include in the public preview. You can review by clicking Next, and once all is set, click Create.

Another important thing to note is that this updated experience only works on the newest version of the Managed Home Screen application. So, you need to turn on the updated app experience and then verify that your devices are running the latest version of Managed Home Screen. If everything is in order, you should expect to see the updated workflows on the device.
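One way to generate and check the JSON for the two settings this article configures through Enter JSON data, the managed folder from B.1 and the enable_updated_user_experience key, so that quoting and value types come out right. This is an added example, not Microsoft's code or part of the original article; the kind/productId wrapper, the key names managed_folders, folder_name, applications and package, and the com.example package names are assumptions to verify against the JSON your own policy displays.

```python
import json

# Assumptions, not taken from this page: the policy wrapper fields and the
# Managed Home Screen package name used as productId.
KIND = "androidenterprise#managedConfiguration"
MHS_PRODUCT_ID = "app:com.microsoft.launcher.enterprise"

# Value fields a managed property may carry, with the Python type expected.
VALUE_TYPES = {
    "valueBool": bool, "valueInteger": int, "valueString": str,
    "valueStringArray": list, "valueBundle": dict, "valueBundleArray": list,
}
TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def managed_folder(folder_name, packages):
    """Build one folder entry for the managed_folders bundle array (B.1)."""
    apps = [{"managedProperty": [{"key": "package", "valueString": pkg}]}
            for pkg in packages]
    return {"managedProperty": [
        {"key": "folder_name", "valueString": folder_name},
        {"key": "applications", "valueBundleArray": apps},
    ]}


def build_policy(folders, updated_experience=True):
    """Return JSON text for an MHS app configuration policy."""
    properties = [{"key": "enable_updated_user_experience",
                   "valueBool": updated_experience}]
    if folders:
        properties.append({
            "key": "managed_folders",
            "valueBundleArray": [managed_folder(name, pkgs)
                                 for name, pkgs in folders.items()],
        })
    policy = {"kind": KIND, "productId": MHS_PRODUCT_ID,
              "managedProperty": properties}
    return json.dumps(policy, indent=4)


def _lint_properties(properties, path, findings):
    if not isinstance(properties, list):
        findings.append(f"{path}: managedProperty must be a list")
        return
    for index, prop in enumerate(properties):
        where = f"{path}[{index}]"
        if not isinstance(prop, dict) or not isinstance(prop.get("key"), str):
            findings.append(f"{where}: entry needs a string 'key'")
            continue
        where = f"{where} {prop['key']}"
        fields = [name for name in prop if name != "key"]
        if len(fields) != 1 or fields[0] not in VALUE_TYPES:
            findings.append(f"{where}: needs one value field, has {fields}")
            continue
        field, value = fields[0], prop[fields[0]]
        # bool is a subclass of int in Python, so check that case explicitly.
        wrong_type = (not isinstance(value, VALUE_TYPES[field])
                      or (field == "valueInteger" and isinstance(value, bool)))
        if wrong_type:
            findings.append(f"{where}: {field} holds {type(value).__name__}")
        elif field == "valueString" and "PLACEHOLDER" in value:
            findings.append(f"{where}: placeholder text was not replaced")
        elif field in ("valueBundle", "valueBundleArray"):
            bundles = [value] if field == "valueBundle" else value
            for bundle in bundles:
                inner = (bundle.get("managedProperty")
                         if isinstance(bundle, dict) else None)
                _lint_properties(inner, where, findings)


def lint_policy_text(text):
    """Return a list of problems found in pasted JSON policy text."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = ""
        if any(quote in text for quote in TYPOGRAPHIC_QUOTES):
            hint = "; typographic quotes present, JSON needs straight ones"
        return [f"not valid JSON (line {exc.lineno}: {exc.msg}){hint}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]
    findings = []
    _lint_properties(policy.get("managedProperty"), "managedProperty", findings)
    return findings


# Constructed samples. PASTED has the curly quotes and unquoted key that
# copying from a web page introduces; TEMPLATE still has its placeholders.
PASTED = "{“key”: “enable_updated_user_experience”, valueBool: true}"
TEMPLATE = build_policy({"PLACEHOLDER_FOLDER-NAME": ["PLACEHOLDER_APP-PACKAGE-NAME"]})
GOOD = build_policy({"Field tools": ["com.example.scanner", "com.example.maps"]})

if __name__ == "__main__":
    for label, text in (("PASTED", PASTED), ("TEMPLATE", TEMPLATE), ("GOOD", GOOD)):
        print(label, lint_policy_text(text) or "ok")
```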

Wrap up

Technology has been improving at a lightning speed and an ever-increasing pace for a long time now. The devices available to us, the operating systems, as well as the countless applications, have all gotten significantly better. So, it’s not surprising that businesses want platforms that can empower their workers to operate more efficiently and thus be more productive.

With Managed Home Screen, Microsoft offers its clients a tool that will do that and more. Businesses can get a tool with a lot of great features that will help users to get more from the available technology while eliminating time-consuming distractions.

And as updates like the ones we discussed today continue to be developed, MHS users can look forward to even more improvements that will optimize workflows and enhance their interaction with Intune.

How to Install Printer Drivers and Printers from Intune using Win32

The printing solution that a business uses is integral to its operations and can either positively or negatively affect productivity. It’s important to ensure that you can get the maximum benefits from your IT infrastructure. A key component of any printing solution is proper printing setup.

But it’s not always as easy as we’d like it to be, especially with so many different products and services available on the market. IT admins need to choose wisely so that businesses can implement tailor-made solutions to address the needs of their employees.

Today, we’ll be going over how you can take advantage of Win32 for the installation of Printer Drivers and Printers, making light work of printing setup and execution.

Importance of printing solutions

Technology has come on in leaps and bounds over the last few decades and has made a massive impact on how companies do business. A lot of the products and services we now have allow us to conduct business in ways that most people couldn’t imagine just a decade ago.

But, even with all our mobile devices and remote working solutions, the simple printer still plays a very big role for most businesses. Plenty of business deals and various transactions still require us to have physical documents, and these can include contracts, proposals, various legal documents, and more. Although businesses can do their printing elsewhere, it’s easier and more cost-effective to have in-house printing solutions. This, of course, requires printing setup and ongoing infrastructure maintenance.

It also offers greater security for highly sensitive documents. Another potential benefit is increased productivity. With the capabilities of modern printing setup and solutions, anyone needing to print documents can do so from anywhere in the office using their PC or even mobile device. This cuts down on time that could otherwise be wasted going to print documents.

Furthermore, having your own in-house printing solution helps you to create a reproducible standard for all materials that your business needs to print. So, all your letterheads, business cards, contracts, etc., will all have a standard look and feel that every professional business wants to have. With that said, let’s look at how you’ll be able to add printers and printer drivers to your business.

Adding a Printer to Windows

When trying to add a new printer to your Windows setup, you’ll need to follow a few steps to ensure that the installation is seamless. Admins may often encounter issues, such as failing to remove the printer from the system, incomplete uninstallation, and failure to install new drivers, among other things.

You may also experience errors like “This driver is not fully installed”. By utilizing certain commands, you can make your printing setup task a bit easier and reduce the chances of facing these problems. In this section, we’ll be going over the steps that you need to follow.

WHAT IS POWERSHELL?

Let’s start by going over what PowerShell is before discussing the steps for adding a printer to Windows. According to Microsoft:

“PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.”

Just about anyone who wants to use this solution can since it was built to run on Windows, macOS, and Linux, as well. By using this tool, administrators, developers, and DevOps professionals will be able to use code to easily automate tasks and configurations. Moreover, you can use it either as an open-source shell or a scripting language.

PowerShell offers you the following areas of functionality:

  • Command-line interface – accepts and returns .NET objects, unlike other shells that will only accept and return text. This interface enables PC users to directly interact with the computer through text, unlike the GUI most others use.
  • Scripting language – PowerShell is not just a scripting engine. It’s also a fully functional scripting language that you can use to automate various tasks for DevOps, user management, continuous integration/continuous development, and many other system administrator tasks.
  • Automation platform – because of how extensible PowerShell is by design, this allows an ecosystem of PowerShell modules to deploy and manage almost any technology you work with. And these cover a wide range of Microsoft services, such as Azure and Windows, as well as third-party services, such as Google Cloud and AWS.

POWERSHELL REQUIREMENTS

As with any product or service that you may want to use, there are a few requirements to know. Before you can deploy PowerShell scripts in Intune, be sure to follow the necessary requirements. Below is a list of these requirements:

  • The devices that you’ll be working on must have Windows 10 1709 or later.
  • Additionally, they should also be Azure AD Joined devices or Hybrid Azure AD Joined devices.
  • These devices will need to be enrolled in Intune. And this can be via MDM Auto Enrollment, GPO enrollment, or Manual enrollment.
  • Lastly, we’ll mention co-managed devices that use both Microsoft Intune and Configuration Manager.

Identification of Printer Driver source files

To begin the process of adding a printer to Windows and printing setup, we’ll need to identify all the required printer driver source files. The driver package is extremely important because it contains everything necessary for a device to work correctly with Windows.

A driver package will typically have an INF file, Catalog files, Driver files, and other files. Before you can build a Win32 app, you need to ensure that you know which specific files you’ll need to complete the Printer Driver installation. After deciding which printer you’ll be using, you can proceed as follows:

  • Navigate to the printer manufacturer’s website, where you can download the appropriate Printer Driver software.
  • To guide you through a UI for the installation of the driver package, you will use the Setup.exe installer. Because this installer doesn’t run silently, you should go to the Driver folder to prepare for driver installation using a PowerShell script.
  • Next, open the INF file to see the files needed for driver installation.
  • Windows then proceeds to leverage a catalog file to check that the files can be trusted. This will be in addition to noting any of the required source files using the INF file.

Windows Driver Store

Most people would probably find it far more convenient if their computers had the necessary driver files for printer installation. This would make the printing setup significantly easier. Fortunately, however, the process of adding drivers to the Driver Store is not an overly difficult one. When we say Driver Store, we are simply referring to the trusted location of inbox and third-party driver packages. The only drivers that you can install on a device are those found in this secure location.

A common way that admins will use for staging drivers into the Windows Driver Store involves the use of pnputil. Some would probably raise their eyebrows at this because pnputil is not actually a PowerShell command. But it does get the job done. And admins can run it from a PowerShell console. You can pass various commands to the pnputil.exe command line tool. This command is going to require the directory path of the INF driver file for your particular printer:

pnputil.exe /add-driver "<inf_path>"

Admins should make sure they note the Printer Driver Name because it’s a requirement for the installation of the Printer Driver in Windows. This is something that you can also find in the INF file. After you have completed the staging of the drivers to the Driver Store, you can now install a printer in Windows using PowerShell cmdlets such as Add-PrinterPort, Add-PrinterDriver, and Add-Printer.

ADD-PRINTER PORT

Those who will be deploying new Network Printers will need to use the Add-PrinterPort cmdlet to create the Printer Port. Upon completion, you can then run the Add-Printer cmdlet. And this will require passing the DriverName and PortName parameters. So, before you begin trying to install the printer, make sure that the Printer Port is available.

ADD-PRINTER DRIVER

Verify that the Printer Driver has been installed before printer installation with the Add-Printer cmdlet can proceed. You can find the name of the Print Driver in the Driver Store within the INF file. So, you can now go ahead and open this INF file, find the appropriate driver name, and then save it. When using the Add-PrinterDriver cmdlet, IT admins should check that they are using the same Driver Name. To install the Printer Driver directly in Windows from the Driver Store, you can use the Add-PrinterDriver cmdlet.

Add-PrinterDriver -Name "<driver_name>" -InfPath "<driver_path>"

ADD-PRINTER

After performing all the above steps, you’ll now get to the last one, which is the actual installation of the printer. Here, we’ll basically be putting together everything that’s already come before so we can have that great result we’ve been wanting. Admins will be able to install the printer using the Add-Printer cmdlet. But, this can only happen after the installation of the printer driver and creation of the printer port. After all this is done, you can check the printer installation using printmanagement.msc.

Add-Printer -Name "<printer_name>" -DriverName "<driver_name>" -PortName "<port_name>"

How to build your Win32 App

WHAT IS A WIN32 APP?

When we talk of Win32 applications, we’ll be referring to programs that have been built for the Windows operating system. They have been written to use the Win32 Application Programmer Interface (API). The latter is a set of program functions that can enable a program to trigger just about every action in the operating system such as opening a file.

This 32-bit Windows API has been around for a few decades and was first made available back in 1993 when Windows NT was released. The early APIs would become known as Win16 and Win32 to distinguish between 16-bit and 32-bit programs. The Win32 APIs carry the following responsibilities:

  • Administration and management – both play a key role in the installation, configuration, and servicing of apps as well as systems.
  • Diagnostics – involved in the remediation of problems through the troubleshooting of both system and application problems. Also responsible for monitoring performance.
  • Graphics and multimedia – incorporation of various components such as video, audio, graphics, and text.
  • Security – ensures high-level security by implementing measures such as password protection, privileged access, rights management, security auditing, and more.
  • System Services – allows for access to computing resources and the operating system. This will include things such as devices, memory, processes, file system, and threads.
  • Windows User Interface – enables not only the creation but the management of a user interface as well. This is for things like display output, user interaction support, and prompts for input from users.

Win32 App Management Capabilities

Win32 app management capabilities will be fully allowed in Microsoft Intune. In addition, Intune also offers support for 32-bit and 64-bit operating system architecture for Windows applications. There are several different types of files that you can manage using the Win32 App, and these include the very well-known .exe, .msi, and .msix, among others. IT admins will need to know, however, that before they can create a Win32 App in Intune, they will need to package it.

Microsoft Intune has become increasingly important in recent years because more and more businesses are migrating to the cloud. As this trend continues, businesses are looking for a solution like Intune that can help with the management of Win32 apps from the cloud. So, with an Intune subscription, administrators will be able to manage and distribute Win32 apps to your Windows 10 or Windows 11 devices.

WIN32 APP REQUIREMENTS

To deploy Win32 apps with Microsoft Intune, there are several requirements that need to be met. These include:

  • Before you can start deploying Win32 apps, you need to have an active Microsoft Intune subscription. This can be purchased from the Microsoft 365 admin center if you don’t already have one.
  • Your devices must meet all the Microsoft Intune prerequisites, including having Windows devices enrolled in Intune as well as having the Intune Company Portal app installed.
  • The devices you’ll be working on should be enrolled in Intune. They also need to be either Azure AD joined, Azure AD registered, or Hybrid Azure AD joined.
  • The Windows application size must also be no more than 8GB per app.
  • The Win32 apps will need to be prepared for deployment. This can be done by leveraging the Intune Win32 app packaging tool to create an installation package for your app. The conversion of your app into an Intune-compatible format will be facilitated by this package tool, and the reason for this action is to simplify both deployment and management.

BUILDING THE APP

Now that we have gone over what the Win32 App actually is and the steps you need for printing setup, we can start looking at how we are going to build a Win32 App. To build this Win32 App, we will need a few source files: cnlb0m.cat, CNLB0MA64.INF, and gpb0.cab. IT admins are also going to need a few other things to create the Win32 App:

  • Driver package source files.
  • Specify an Install command.
  • Specify an uninstall command.

INSTALL COMMAND

Administrators will need to pass several parameters to the script:

  • PortName – Provide the name of the port that you need to create.
  • PrinterIP – Provide the network IP address of the relevant printer.
  • PrinterName – Provide the name of the printer that is going to be created. Admins should be aware that this name is used in the Detection Method as well.
  • DriverName – Provide the name of the printer driver that will need to be installed. Earlier, we mentioned noting down this name so that when it comes to this point, our parameters are as they should be.
  • INF file – Provide the name of the INF file for the printer driver.
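The staging and Add-PrinterPort / Add-PrinterDriver / Add-Printer steps described earlier, combined into one script that accepts the five parameters listed above. This is an added example, not the Install-Printer.ps1 the article refers to. It assumes the script sits in the same folder as the driver source files, and the catalog signature check, the 64-bit relaunch and the log file name are additions of this example.

```powershell
# Install-Printer.ps1 -- added example, not the script the article refers to.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]    $PortName,
    [Parameter(Mandatory)] [ipaddress] $PrinterIP,
    [Parameter(Mandatory)] [string]    $PrinterName,
    [Parameter(Mandatory)] [string]    $DriverName,
    [Parameter(Mandatory)] [string]    $INFFile
)

# A 32-bit host on 64-bit Windows is subject to file-system redirection. Relaunch
# in 64-bit PowerShell so the 64-bit pnputil.exe and print cmdlets are used.
if ($env:PROCESSOR_ARCHITEW6432) {
    & "$env:windir\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -NoProfile `
        -ExecutionPolicy Bypass -File $PSCommandPath -PortName $PortName `
        -PrinterIP $PrinterIP -PrinterName $PrinterName `
        -DriverName $DriverName -INFFile $INFFile
    exit $LASTEXITCODE
}

$ErrorActionPreference = 'Stop'
# Log file name is this example's choice; %TEMP% resolves per the running account.
$log = Join-Path $env:TEMP ("Install-Printer_{0}.log" -f ($PrinterName -replace '[^\w-]', '_'))
function Write-Log([string] $Message) {
    Add-Content -Path $log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

try {
    # Accept only a bare file name that lives inside the package folder.
    if ($INFFile -ne [IO.Path]::GetFileName($INFFile)) {
        throw "INFFile must be a file name, not a path: $INFFile"
    }
    $infPath = Join-Path $PSScriptRoot $INFFile
    if (-not (Test-Path -LiteralPath $infPath -PathType Leaf)) {
        throw "INF not found: $infPath"
    }

    # Read the CatalogFile directive(s) from the INF and require a valid
    # Authenticode signature on each catalog before anything is staged.
    $catalogs = Get-Content -LiteralPath $infPath | ForEach-Object {
        if ($_ -match '^\s*CatalogFile(\.\w+)?\s*=\s*"?([^";]+?)"?\s*(;.*)?$') {
            [IO.Path]::GetFileName($Matches[2].Trim())
        }
    } | Sort-Object -Unique
    if (-not $catalogs) {
        throw "No CatalogFile directive in $INFFile; refusing an unsigned package."
    }
    foreach ($cat in $catalogs) {
        $sig = Get-AuthenticodeSignature -LiteralPath (Join-Path $PSScriptRoot $cat)
        if ($sig.Status -ne 'Valid') {
            throw "Catalog $cat has signature status '$($sig.Status)'"
        }
        Write-Log "Catalog $cat signed by: $($sig.SignerCertificate.Subject)"
    }

    # Stage the driver package into the Driver Store.
    $pnputil = Join-Path $env:windir 'System32\pnputil.exe'
    $output  = & $pnputil /add-driver $infPath
    $code    = $LASTEXITCODE
    Write-Log ("pnputil exit code {0}: {1}" -f $code, ($output -join ' | '))
    # 0 = success, 3010 = success with reboot required, 259 = no more items.
    if ($code -notin 0, 259, 3010) { throw "pnputil failed with exit code $code" }

    # Each step is skipped when the object already exists, so a retry is harmless.
    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        Add-PrinterDriver -Name $DriverName   # resolved by name from the Driver Store
        Write-Log "Installed driver '$DriverName'"
    }
    if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP.IPAddressToString
        Write-Log "Created port '$PortName' for $PrinterIP"
    }
    if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName
        Write-Log "Created printer '$PrinterName'"
    }

    # Confirm the result matches what was requested before reporting success.
    $printer = Get-Printer -Name $PrinterName
    if ($printer.DriverName -ne $DriverName -or $printer.PortName -ne $PortName) {
        throw "Printer '$PrinterName' exists with a different driver or port."
    }
    Write-Log 'Installation verified.'
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

The non-zero exit code on any failure lets Intune report the app as failed instead of relying on the detection rule alone.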

UNINSTALL COMMAND

With this option, you’ll get the convenience of uninstalling a Win32 application via the Company Portal. This means that your IT can run a lot more efficiently and get things done quickly rather than waiting around for help desk support to address their issues. It’s no surprise then that this was a highly requested feature by users of Microsoft Intune.

If you no longer want a program or perhaps you need the space, uninstallation is going to be a simple and straightforward affair. Because with this particular command, you will only need to pass a single condition to the script. So, as long as you have a valid command line with the correct input, you shouldn’t have any difficulties. A good example of this would be:

powershell.exe -executionpolicy bypass -file Remove-Printer.ps1 -PrinterName "Generic Printer Office1"

DETECTION METHOD

Another element that the Win32 App is going to require is a detection method. Using a detection method is meant to help administrators verify that an application has not already been installed. By detecting the presence of a Win32 App, this will create a scenario where the installation can only proceed if the check proves that the app has not yet been installed.

IT admins can use the printer’s own registry key for this detection. The PrinterName that we mentioned above (the one that will be used during the installation of the printer) will also be the name of the key.

CREATING THE .INTUNEWIN FILE

  • To begin, both the scripts and the source files must be copied to the same folder.
  • Then, you can proceed to create the .intunewin file using Win32ContentPrepTool.
  • Next, navigate to the Microsoft Endpoint Manager admin center.
  • Create a new Win32 App.
  • You’ll now be required to select an .intunewin file so you choose the one you’ve just created.
  • Provide all the app information necessary without leaving out any details.
  • Now, you can add both the Install and Uninstall commands.

Install command: powershell.exe -executionpolicy bypass -file Install-Printer.ps1 -PortName "IP_10.10.1.1" -PrinterIP "10.1.1.1" -PrinterName "Generic Printer Office1" -DriverName "Generic Driver ABC" -INFFile "CNLB0MA64.INF"

Uninstall command: powershell.exe -executionpolicy bypass -file Remove-Printer.ps1 -PrinterName "Generic Printer Office1"

  • Provide all the necessary information in the app requirements section.
  • Under Detection, select Manually configure detection rules and then select Add.
  • Next, for the detection method, you can use the values listed below. Just ensure you set the Key/Name accordingly.
  • Rule type: Registry
  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Generic Printer Office1
  • Value name: Name
  • Detection method: String comparison
  • Operator: Equals
  • Value: Generic Printer Office1
  • The last thing you’ll need to do is make sure that the app is assigned to the correct Users/Devices Group.

INSTALLATION MONITORING

Admins who have created an “Available” assignment for a user group can perform the installation of the Win32 App from the Company Portal. To view the generated log file, you can look in the systemroot %temp% folder. After all this is done, you can check the Printer, Driver, and Port installation using printmanagement.msc.

Wrap up

Having a modern printing setup and solution is something that can be extremely beneficial for your business. It can help your employees work more efficiently, increase productivity levels, safeguard sensitive documents from prying eyes, and many other benefits. A great way to install your Printer Drivers and Printers from Microsoft Intune is by using Win32.

This method, as described in this article, is not as complicated as you may imagine and can simplify the process of modernizing your printing setup and solutions. As long as you meet a few of the requirements that are listed, then your IT admins won’t face too many difficulties. So, if you’re looking for ways to upgrade the way your business operates, then you could hardly go wrong by trying this method for your organization.

Enhancing Apple Device Management With Microsoft Intune

The technology that we have available to us today intends to make the user experience as smooth as possible. With increasing cybercrime causing headaches for plenty of businesses, the need to constantly improve continues. Security protocols and device management are very high priorities for every organization.

One area that plays a significant role in improving any organization’s security posture is identity management. The best solutions on the market offer a seamless user experience that can improve how users interact with their devices.

It’s always interesting to look at how products and services from different organizations can combine. Ideally, separate brands fuse the best of what they each have for the benefit of their customers. It’s with this in mind that we want to look at how Microsoft Intune and Apple Identity Services do something similar. Both are bringing great solutions to their clients to improve security, as well as secure the user experience.

Microsoft Intune has a lot to offer

As we all know, Intune is a fantastic endpoint management solution. It simplifies app and device management across your various devices. This can include mobile devices, desktop computers, and virtual workstations.

So, it’s perfectly understandable why Intune is such a popular solution for many organizations. It’s a platform that is not only for Windows devices, but it also works brilliantly to improve Apple device management.

Your security will immediately improve because Intune ensures your macOS software is up to date. It then minimizes vulnerabilities by reducing manual tasks. Customers can expect a native macOS software update client experience, as well. This is because of how system update policies for macOS in Intune are built on Apple’s MDM commands. By implementing measures such as these, Intune helps you to reduce the overall attack surface of your business.

SIMPLIFIED APP MANAGEMENT

Another thing you can look forward to is doing away with the trouble of app conversion. This is because Intune is introducing a new application deployment service. Additionally, this new service leverages the Intune MDM agent to install, monitor, and report DMG-type applications. This ability will enable you to deploy in-place DMG app upgrades. It’s also capable of reducing some of the burden on IT staff while also making tasks easier.

In addition to this, Microsoft has been working on a solution that will simplify the deployment of apps. It will do so with custom scripts and apps that are unsigned. This new option, which leverages the Intune MDM agent to deploy PKG-type installers, is going to improve flexibility and customization. But, even with these changes being made, Microsoft has assured its customers that support for the native PKG-type app management experiences for macOS will continue.

ENHANCED USER EXPERIENCE

The provision of a consistent onboarding experience for all Apple devices is a top priority to enhance the experience for all users. Intune will be leaning on the Just-In-Time (JIT) macOS/iPadOS enrollment experience. This simplifies the Mac device onboarding process for users with corporate-owned devices.

Once enrollment finalizes, users can log in on the Enterprise Single Sign-On extension. From there, you can establish SSO across Azure AD-enabled apps and use their Azure AD password to log on to their Mac.

Coupled with the consistent onboarding experience, Intune is also determined to speed up the iOS enrollment process. Because of what the JIT functionality can offer, the iOS Company Portal app will no longer be necessary for AAD registration.

We’ll see a move towards web-based device enrollment, which is going to offer a swifter end-to-end enrollment process. This is a result of the reduced need to switch back and forth between the apps in addition to fewer authentication steps.

EFFICIENT DEVICE MANAGEMENT

Microsoft has also been working on a solution that supports local administrator account and local primary account creation during macOS ADE. This will allow customization of local administrator settings within new and existing macOS enrollment profiles for devices enrolling with user-device affinity.

A couple of years back, Microsoft Intune announced support for Declarative Device Management (DDM). Intune also extended DDM to the macOS settings catalog.

Arguably, one of the best things about DDM is how it can easily co-exist with the standard MDM protocol. It does so without negatively affecting the end-user experience. Customers can send the policies they have created in the settings catalog as well as DDM-based policies to DDM-enabled devices. They can also send the standard MDM-based policy to those devices using the older protocol.

Apple Identity Services

One of the things that have helped Apple distinguish itself over the years is excellent data and device security. In a world where nefarious actors are constantly attempting to exploit device vulnerabilities, businesses need solutions to safeguard their data. With Apple Identity services, your organization will get a product that can securely manage usernames and passwords.

The first measure we’ll talk about is authentication. This action refers to the process of verifying the identity of a user. Apple uses several authentication methods, such as single sign-on. Apple also provides for services, like personal Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime.

Once authentication measures verify the identity of a user, you then have authorization. This determines precisely what users are allowed to do. For this process, you need to provide a username and a password to an identity provider (IdP).

Essentially, what you have is an identity provider that functions as the authority. The username and password are also the assertion. Together with authentication and authorization, we can also talk about identity federation.

This process will establish trust between two parties and authenticate users. The result enables the linking of a user’s identity across multiple separate identity management systems. The identity federation process can only work effectively if admins set up domains that trust each other. And there also needs to be a single method to identify users.

Enhancing Authentication with Platform Single Sign-On

Users constantly need the services they use to improve so that they can better interact with technology and work more efficiently. In light of this, Apple saw it fit to introduce Platform Single Sign-On, which represents the evolution of authentication protocols.

This solution is replacing Active Directory binding and simplifying life for users by requiring them to sign in only once. This is possible because, upon a successful user login, the local account credentials synchronize with the IdP. And it allows the user access to various other resources without needing to enter their password again. Platform SSO supports several authentication methods with an identity provider (IdP):

  • Password and encrypted password
  • Password with WS-Trust
  • User secure enclave key
  • SmartCard

New local user accounts are set up on demand by Platform SSO (PSSO) at the login window using IdP credentials. The service can also integrate IdP group membership with macOS. And in addition to this, network accounts can be used for authorization, and groups may also authorize network accounts.

Authentication

As new users go through the authentication process using credentials from their organization’s IdP, they can now have new local user accounts automatically created by macOS. The benefits of this to your organization are several, including:

  • Better user experience – time is of the essence. And with a setup like this, new users won’t require pre-configured accounts, therefore allowing them a much swifter start. As one can imagine, this makes it an excellent solution in environments where device sharing is required.
  • More robust security – the use of user-unique credentials helps to significantly strengthen your organization’s security when users access their devices. Not only that, but the uniqueness of these credentials makes it easier to keep track of all users’ access and activities.
  • Lighten the burden on IT – most of us are aware of how taxing the manual tasks that IT staff have to undertake can be. So, a solution that brings automation to the user creation process will undoubtedly be gladly welcomed by IT staff. No longer will IT pros have to go through the tedious process of manually setting up accounts for each new user.

REQUIREMENTS FOR LOCAL ACCOUNT CREATION

But, before moving ahead, you should know that there are a few requirements. Your organization needs to meet the following for you to take advantage of local account creation.

  • UseSharedDeviceKeys – to enable this, you’ll need to use a shared device key that enables the device to have a trusted connection to the Entra ID, regardless of the user.
  • Connectivity with the Identity Provider – your device should be able to connect to your Entra ID. Without this connection being established, authentication of user credentials won’t be possible, nor will the user be able to be authorized to access the device.
  • Device State – Login Window with FileVault Unlocked – the device in question should be at the login window, and you also need to ensure that the FileVault is unlocked. The importance of this state is that it establishes that the device is secure while simultaneously verifying its readiness to set up a new user account when authentication has been successfully completed.
  • MDM Support for Bootstrap Tokens – ensure that Bootstrap Tokens are supported by the MDM system. These tokens are integral to the delivery of a seamless user experience within a highly secure environment. This becomes even more evident in situations that require the creation of new user accounts on macOS devices.
  • User Authentication – as soon as you have met all the requirements, users can then begin the authentication process using their Entra ID username and password or a SmartCard.
  • Assignment of User Permissions – the Identity Provider groups will determine the assignment of post-authentication user permissions.
  • Defining Access Levels through MDM Profiles – to ensure organizational security of the highest standard, all newly created accounts should have their access levels carefully defined. Intune profiles will play a central role during this process and are responsible for determining which users have standard user permissions, administrator privileges, or permissions based on their group membership in Entra ID.

Creating extensions that support platform SSO

Performing single sign-on with an identity provider requires the creation of an SSO extension to support PSSO and implement the required functionality. Additionally, you need to specify the grant types that the extension and IdP support. In macOS 14.0 and later, implement supportedGrantTypes() and return:

Password: password

Secure enclave key, SmartCard, and encrypted password: jwtBearer

WS-Trust: saml1_1 or saml2_0

For PSSO 2.0, there will be a new key service for SSO extensions and IdPs. This is going to allow for an alternative registration flow and additional login configuration. Before you can use it, however, there is a need to implement protocolVersion() in the extension and return ASAuthorizationProviderExtensionPlatformSSOProtocolVersion.version2_0 to indicate that the extension and the IdP server support PSSO 2.0. To complete this section, you need to enable a ticket-granting ticket with Kerberos SSO extension, as well as use diagnostics to iterate on the configuration during development.

REGISTRATION OF USERS AND DEVICES

After creating an SSO extension, there are a few steps to follow to register devices and users with an identity provider, and it’s the PSSO that calls the extension to perform these steps. The extension will first register a device before registering users on that same device. Your SSO extension needs to implement the ASAuthorizationProviderExtensionRegistrationHandler protocol to support registration.

  • Device registration

The SSO extension will use the following to register a device:

beginDeviceRegistration(loginManager:options:completion:)

Furthermore, the extension will need to:

  • Register the device with its associated IdP.
  • Provide the login configuration to Platform SSO.
  • Execute the completion handler.

  • User registration

Successful device registration completes with the following result:

ASAuthorizationProviderExtensionRegistrationResult.success

Once complete, the SSO extension should then proceed with user registration through:

beginUserRegistration(loginManager:userName:method:options:completion:)

The system is designed such that all users on a device will need to use the login configuration, and this also includes when the system creates new users during login. In situations where shared keys are being used, user registration will only begin for each subsequent user on the device. Therefore, when new users are created during login, they will be prompted to start registration when they reach the desktop.

After completion of the registration process, the SSO extension is required to call the completion handler. Following this, the users need to authenticate using the new configuration, which can use Platform SSO immediately.

Finally, if the extension supports the PSSO 2.0 protocol methods and the system uses password authentication, a new key will be provisioned by the key service and linked to the user account.
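The registration sequence above as a Swift handler; this is an added example, not code from the article, Apple or Microsoft. The IdP at idp.example.com, its devices, users, token and jwks paths, the client ID, and the RegistrationHandler and post names are hypothetical; every failure path reports .failed, so a device or user is never marked as registered without a saved configuration.

```swift
import AuthenticationServices
// Hypothetical IdP base URL and client ID (assumptions, not values from the article).
private let idpBase = URL(string: "https://idp.example.com")!
private let clientID = "psso-example-client"

@available(macOS 14.0, *)
final class RegistrationHandler: NSObject, ASAuthorizationProviderExtensionRegistrationHandler {
    // Secure enclave key sign-in uses the JWT bearer grant; the assumed IdP also supports PSSO 2.0.
    func supportedGrantTypes() -> ASAuthorizationProviderExtensionSupportedGrantTypes { .jwtBearer }
    func protocolVersion() -> ASAuthorizationProviderExtensionPlatformSSOProtocolVersion { .version2_0 }

    func beginDeviceRegistration(loginManager: ASAuthorizationProviderExtensionLoginManager,
                                 options: ASAuthorizationProviderExtensionRequestOptions,
                                 completion: @escaping (ASAuthorizationProviderExtensionRegistrationResult) -> Void) {
        post("devices", ["client_id": clientID]) { registered in   // 1. register the device with the IdP
            guard registered else { return completion(.failed) }
            let config = ASAuthorizationProviderExtensionLoginConfiguration(
                clientID: clientID, issuer: idpBase.absoluteString, tokenEndpointURL: idpBase.appendingPathComponent("token"),
                jwksEndpointURL: idpBase.appendingPathComponent("jwks"), audience: clientID)
            do { try loginManager.saveLoginConfiguration(config); completion(.success) }   // 2. save config, 3. complete
            catch { completion(.failed) }   // fail closed if the save throws
        }
    }

    func beginUserRegistration(loginManager: ASAuthorizationProviderExtensionLoginManager, userName: String?,
                               method authenticationMethod: ASAuthorizationProviderExtensionAuthenticationMethod,
                               options: ASAuthorizationProviderExtensionRequestOptions,
                               completion: @escaping (ASAuthorizationProviderExtensionRegistrationResult) -> Void) {
        // Accept only the method that matches the declared grant type; a missing user name also fails.
        guard authenticationMethod == .userSecureEnclaveKey, let userName, !userName.isEmpty else { return completion(.failed) }
        post("users", ["user": userName]) { registered in
            guard registered else { return completion(.failed) }
            let userConfig = ASAuthorizationProviderExtensionUserLoginConfiguration(loginUserName: userName)
            do { try loginManager.saveUserLoginConfiguration(userConfig); completion(.success) }
            catch { completion(.failed) }
        }
    }

    // POST JSON to the hypothetical IdP; reports true only on HTTP 200 or 201.
    private func post(_ path: String, _ body: [String: String], done: @escaping (Bool) -> Void) {
        var request = URLRequest(url: idpBase.appendingPathComponent(path))
        request.httpMethod = "POST"
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        request.httpBody = try? JSONSerialization.data(withJSONObject: body)
        URLSession.shared.dataTask(with: request) { _, response, _ in
            done([200, 201].contains((response as? HTTPURLResponse)?.statusCode ?? 0))
        }.resume()
    }
}
```

In a real extension these methods live on the extension's principal class, and the grant type returned must match what the IdP's token endpoint accepts.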

Microsoft introduces Platform SSO for macOS

In 2023, Microsoft announced Platform SSO for macOS. This feature is meant to be an enhancement that will give users of macOS devices a more seamless experience with even better security. What users can expect from this is a solution that enables them to use Touch ID to unlock their device and thereby eliminate the need to enter a password.

Users will then be signed into Entra ID under the hood with a device-bound cryptographic key. Because of the use of phishing-resistant credentials, your business can save money by removing the need for security keys or other hardware.

Adding to user convenience will be the fact that after signing in, the existing Microsoft Enterprise SSO plug-in ensures that you remain signed into the apps you use for work.

However, there is an alternative for those who may not yet be ready to completely remove passwords from Entra ID sign-ins. In this scenario, Platform SSO for macOS allows you to synchronize local account passwords with Entra ID passwords so that users can use one credential across their macOS devices. Furthermore, Platform SSO for macOS will enable administrators to configure the end-user authentication method.

The admins can then set up a phishing-resistant credential or a traditional password as the authentication method. You can easily prepare your business for Platform SSO for macOS by taking the steps given below:

  • Deploy the Microsoft Enterprise SSO plug-in.
  • Ensure that users are registered for Microsoft Entra ID multifactor authentication, and for the best experience, Microsoft Authenticator is recommended for this process.
  • Update macOS devices to macOS 13 (Ventura) or later.

Microsoft Enterprise SSO plug-in for Apple devices

Using the Microsoft Enterprise SSO plug-in for Apple devices, clients will get single sign-on for Microsoft Entra accounts on macOS, iOS, and iPadOS across all applications that support Apple’s enterprise single sign-on feature. Probably the biggest advantage of this plug-in is that it enables SSO for older applications that are integral to your business operations but don’t have support for the latest identity protocols.

The final product is the result of Microsoft and Apple working together to ensure that users get the best possible experience. At the moment, you can get the Enterprise SSO plug-in as a built-in feature of Microsoft Authenticator (iPadOS, iOS) and Microsoft Intune Company Portal (macOS).

WHAT FEATURES DO YOU GET?

The Microsoft Enterprise SSO plug-in for Apple devices comes with several attractive features, including:

  • Single sign-on for Microsoft Entra accounts for all apps that support the Apple Enterprise SSO feature.
  • Support for both device and user enrollment, enabled through any mobile device management service of your choice.
  • Availability for applications that don’t yet use the Microsoft Authentication Library (MSAL).
  • SSO for apps that use OAuth 2, OpenID Connect, and SAML.
  • A smooth end-user experience when the Microsoft Enterprise SSO plug-in is enabled, because of how it is integrated with the MSAL.

REQUIREMENTS

Device requirements:

  • The device must support and have an installed app that has the Microsoft Enterprise SSO plug-in for Apple devices:
      iOS 13.0 and later: Microsoft Authenticator app
      iPadOS 13.0 and later: Microsoft Authenticator app
      macOS 10.15 and later: Intune Company Portal app
  • Devices should be enrolled in MDM.
  • Because Apple requires this security measure, configuration needs to be pushed to the device to enable the Enterprise SSO plug-in.

iOS requirements:

  • Devices need to have iOS 13.0 or higher.
  • Devices will also require a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Microsoft Authenticator app.

macOS requirements:

  • Devices need to have macOS 10.15 or higher.
  • Devices will also require a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Intune Company Portal app.

HOW DOES THE SSO PLUG-IN WORK?

As mentioned before, this plug-in came about because of the efforts of both Microsoft and Apple. So, it’s not too surprising that the plug-in is reliant on the Apple Enterprise SSO framework. Once an identity provider has joined this framework, it can intercept network traffic for its domain as well as modify how those requests are managed. Native applications will also be able to implement custom operations and communicate directly with the SSO plug-in.

Wrap up

The integration of products and services from different tech companies can provide countless benefits for customers. End-user experiences will improve, businesses will get better value for their investment, and tech companies can ensure that their customers get the best possible solutions.

This is why Microsoft Intune has been working with Apple to improve the user experience for Apple device users. Intune wants to be able to offer organizations excellent device management solutions across all devices regardless of preferences.

So, whether you want to use Windows devices or Apple devices, you should be getting great device management options. We all know about Apple Identity Services and how those protocols have given Apple devices the high-level security they have.

Therefore, the fact that Intune measures can co-exist with Apple Identity Services can only be a good thing for customers because this will ultimately strengthen overall security even further, as well as provide a better user experience.