About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

Managed Home Screen: A Configuration Guide

As a business, it pays to keep looking for devices and applications that improve how you run your operations. Managed Home Screen (MHS) is one such platform, and its benefits are easy to see once it is in place.

MHS is an application for corporate-owned Android Enterprise dedicated devices that are enrolled in Intune and run in multi-app kiosk mode. Once installed, MHS acts as the device's launcher: only the approved apps you configure are presented to the user, and they run on top of it.

In previous articles, we have gone over the new features that Microsoft has added to MHS. We’ve also covered their benefits to your organization. In this article, we’ll be discussing some of the key configuration aspects of the Managed Home Screen platform.

When do you configure the Managed Home Screen app?

Start by verifying that your devices meet the prerequisites. Intune only supports Android Enterprise dedicated device enrollment on devices running Android 8.0 and later, and those devices must be able to connect to Google Mobile Services.

Likewise, MHS itself only supports Android 8.0 and later. Where a setting is available in a device configuration profile, configure it there: it is faster, less error-prone, and gives you a better Intune support experience.

Also, note that there are some MHS settings only available via the App configuration policies pane in the Intune admin center. When using App configuration:

  • Head over to the Microsoft Intune admin center and select Apps > App configuration policies.
  • Add a configuration policy for Managed devices running Android.
  • Select Managed Home Screen as the associated app.
  • To configure the different available MHS settings, select Configuration settings.

Selecting a Configuration Settings Format

To define configuration settings for MHS, there are two methods available:

  • Configuration designer – enables you to configure settings with an easy-to-use UI. It allows you to toggle features on or off and set values. With this method, you’ll find a few disabled configuration keys with the value type BundleArray. The only way to configure these keys is by entering JSON data.
  • JSON data – with this option, you can define all possible configuration keys using a JSON script.

Properties you add with Configuration designer can be converted to JSON automatically: switch the Configuration settings format dropdown to Enter JSON data and the equivalent JSON is generated for you.

Using Configuration Designer

Configuration designer lets you select pre-populated settings and their associated values. The list below covers the available MHS configuration keys, their value types, default values, and descriptions. Each description states the expected device behavior for the selected value. Note that configuration keys of type BundleArray are disabled in Configuration designer and must be set via JSON.

Configuration to customize applications, folders, and general appearance of Managed Home Screen

Each entry gives the configuration key, its value type, its default value (bundleArray keys have none and are entered under Enter JSON data), whether it is also available in a device configuration profile, and the resulting device behavior.

  • Set allow-listed applications (bundleArray; Enter JSON data; device configuration profile: Yes). Defines which of the apps installed on the device appear on the home screen. Enter the package name of each app that should be visible. An allow-listed app must already be installed on the device to show up on the home screen.
  • Set pinned web links (bundleArray; Enter JSON data; device configuration profile: Yes). Pins websites as quick-launch icons on the home screen. You define the URL, and it is added to the home screen so the end user can open it in the browser with a single tap.
  • Create a Managed Folder for grouping apps (bundleArray; Enter JSON data; device configuration profile: Yes). Creates named folders and groups apps within them. End users can't rename or move folders, nor move the apps inside them. Folders appear in the order they were created and apps in alphabetical order. Apps you want to group into folders must first be assigned to the device as required and added to the Managed Home Screen.
  • Set Grid Size (string; default Auto; device configuration profile: Yes). Sets the grid on which apps are positioned on the home screen. Use the format "columns;rows" (for example "4;5"). The number of columns is the maximum number of apps visible in a row, and the number of rows is the maximum number of apps visible in a column.
  • Lock Home Screen (bool; default TRUE; device configuration profile: Yes). Removes the end user's ability to move app icons around the home screen. When enabled, icons are locked in place and can't be dragged to other grid positions. When set to false, end users can move app and weblink icons around the Managed Home Screen.
  • Application Order Enabled (bool; default FALSE; device configuration profile: Yes). When True, you can set the order of apps, weblinks, and folders on the Managed Home Screen using Application Order (app_order).
  • Application Order (bundleArray; Enter JSON data; device configuration profile: Yes). Sets the order of apps, weblinks, and folders on the Managed Home Screen. It only takes effect when Lock Home Screen is enabled, a grid size is defined, and Application Order Enabled is set to True.
  • Applications in folder are ordered by name (bool; default TRUE; device configuration profile: No). When False, items in a folder appear in the order they are specified; otherwise they are displayed alphabetically.
  • Set app icon size (integer; default 2; device configuration profile: Yes). Icon size for apps on the home screen: 0 (Smallest), 1 (Small), 2 (Regular), 3 (Large), 4 (Largest).
  • Set app folder icon (integer; default 0; device configuration profile: Yes). Appearance of app folders on the home screen: 0 (Dark Square), 1 (Dark Circle), 2 (Light Square), 3 (Light Circle).
  • Set screen orientation (integer; default 1; device configuration profile: Yes). Orientation of the home screen: 1 (Portrait), 2 (Landscape), 3 (Autorotate).
  • Set device wallpaper (string; default Default; device configuration profile: Yes). Enter the URL of the image to use as the wallpaper.
  • Define theme color (string; default light; device configuration profile: No). Runs the Managed Home Screen app in "light" or "dark" mode.
  • Block pinning browser web pages to MHS (bool; default FALSE; device configuration profile: No). When True, users can't pin web pages from any browser onto the Managed Home Screen.
  • Enable updated user experience (bool; default FALSE; device configuration profile: No). When True, devices show the updated app design together with the improved user workflows for usability and supportability. When False, users keep the previous workflows. Note that from August 2024 onwards the previous Managed Home Screen workflows are no longer available and all devices use the updated design.
  • Top Bar Primary Element (choice; device configuration profile: No). Selects whether the primary element of the top bar is the device serial number, device name, or tenant name. Applies only when the Enable sign in key is false; when sign-in is enabled, the user's name is shown as the primary element. The top bar is only visible when Enable updated user experience is true.
  • Top Bar Secondary Element (choice; device configuration profile: No). Selects whether the secondary element of the top bar is the device serial number, device name, or tenant name. The top bar is only visible when Enable updated user experience is true.
  • Top Bar User Name Style (choice; device configuration profile: No). Selects how the user's name appears in the top bar: display name; last name, first name; first name, last name; or first name, last initial. Applies only when the Enable sign in key is True. The top bar is only visible when Enable updated user experience is true.
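The bundleArray keys above are the ones Configuration designer can't set, so it helps to see what the "Enter JSON data" document actually looks like for them. The following is an added example (editor's code, not part of the original article and not Microsoft's): it builds the Android Enterprise managed-configuration JSON that Intune accepts from plain Python values, nesting each bundleArray element as its own list of managedProperty entries. The envelope fields (kind, productId, managedProperty, valueBool/valueString/valueInteger/valueBundleArray), the MHS package name, and the MHS key names other than app_order (applications/package, weblinks/link/label, managed_folders/folder_name, grid_size, lock_home_screen, app_order_enabled, and app_order's type/value/position) are assumptions taken from Microsoft's published MHS schema as the editor knows it; confirm them against the current documentation before deploying. The sample apps and URL are constructed placeholders.

```python
"""Build a Managed Home Screen app-configuration JSON document.

Added example, not code from the original article or from Microsoft.
The key names below (other than app_order, which the article names) and the
package id are assumptions taken from Microsoft's published MHS schema.
"""
import json

MHS_PRODUCT_ID = "app:com.microsoft.launcher.enterprise"  # assumption: MHS package name


def prop(key, value):
    """Wrap one value in managedProperty form, picking the value* field by type."""
    if isinstance(value, bool):          # bool first: bool is a subclass of int
        return {"key": key, "valueBool": value}
    if isinstance(value, int):
        return {"key": key, "valueInteger": value}
    if isinstance(value, str):
        return {"key": key, "valueString": value}
    if isinstance(value, list):
        # A bundleArray: every element is itself a bundle of managedProperty entries.
        return {"key": key, "valueBundleArray": [bundle(item) for item in value]}
    raise TypeError(f"unsupported value for {key}: {type(value).__name__}")


def bundle(mapping):
    """One bundleArray element: a dict turned into {"managedProperty": [...]}."""
    return {"managedProperty": [prop(k, v) for k, v in mapping.items()]}


def build_mhs_config(apps, weblinks=(), folders=(), grid_size="Auto",
                     lock_home_screen=True, app_order=()):
    """Return the full JSON document for an MHS app configuration policy.

    apps:      package names to allow-list (must already be installed on the device)
    weblinks:  (label, url) pairs to pin on the home screen
    folders:   (folder_name, [package names]) pairs for managed folders
    app_order: (type, value) pairs in display order; type is "app", "weblink"
               or "managed_folder". Supplying it also switches app_order_enabled on.
    """
    props = [
        prop("applications", [{"package": p} for p in apps]),
        prop("weblinks", [{"link": url, "label": label} for label, url in weblinks]),
        prop("managed_folders", [
            {"folder_name": name, "applications": [{"package": p} for p in pkgs]}
            for name, pkgs in folders
        ]),
        prop("grid_size", grid_size),
        prop("lock_home_screen", lock_home_screen),
        prop("app_order_enabled", bool(app_order)),
    ]
    if app_order:
        # Positions are 1-based and follow the order the caller supplied.
        props.append(prop("app_order", [
            {"type": kind, "value": value, "position": pos}
            for pos, (kind, value) in enumerate(app_order, start=1)
        ]))
    return {"kind": "androidenterprise#managedConfiguration",
            "productId": MHS_PRODUCT_ID,
            "managedProperty": props}


def lookup(config, key):
    """Fetch one top-level managedProperty entry by key."""
    return next(p for p in config["managedProperty"] if p["key"] == key)


if __name__ == "__main__":
    # Constructed sample input: a two-app kiosk with one pinned portal link.
    cfg = build_mhs_config(
        apps=["com.microsoft.office.outlook", "com.microsoft.teams"],
        weblinks=[("Portal", "https://intranet.example.com")],  # placeholder URL
        folders=[("Work", ["com.microsoft.office.outlook", "com.microsoft.teams"])],
        grid_size="4;5",
        app_order=[("managed_folder", "Work"),
                   ("weblink", "https://intranet.example.com")],
    )
    print(json.dumps(cfg, indent=2))
```

Paste the printed document into the Enter JSON data editor. Because app_order only works when Lock Home Screen is on and a grid size is set, the builder keeps lock_home_screen true by default and leaves it to you to supply a grid size whenever you pass an order.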

Key things to note

To remain available on the Google Play Store, the Managed Home Screen app has to target a current Android API level, and the update that does so changes how Wi-Fi configuration works from within MHS. Expect the following:

  • Users can't turn the device's Wi-Fi on or off from MHS. They can still switch between networks.
  • A configured Wi-Fi network that requires a password won't connect automatically the first time. Once the user has entered the password once, the configured network connects automatically from then on.

ANDROID DEVICES RUNNING OS 11

On Android 11 there is a further point to note. Whenever an end user tries to connect to a network via the Managed Home Screen app, a consent pop-up appears. This pop-up comes from the Android platform itself and is not specific to MHS.

Users are also asked to enter a password when connecting to a password-protected network via MHS.

The network only changes if the device is not already connected to one, even when the correct password has been entered. A device that is already connected to a stable network won't be moved to a password-protected network via the Managed Home Screen app.

ANDROID DEVICES RUNNING OS 10

On Android 10 there is a different consideration. When an end user tries to connect to a network using the Managed Home Screen app, the consent prompt is delivered as a notification.

Because of this, users on Android 10 need access to the status bar and to notifications in order to complete the consent step. IT admins may therefore need to use the General settings for dedicated devices to expose the status bar and notifications to the affected users.

Users are also asked to enter a password when connecting to a password-protected network via MHS, and, as on Android 11, the network only changes if the device is not already connected to one, even when the correct password has been entered.

BLUETOOTH CONSIDERATIONS

If a device runs Android 10 or later with Managed Home Screen, Bluetooth pairing with devices that require a pairing key only succeeds if IT admins have enabled the following Android system apps:

  • Android System Bluetooth
  • Android System Settings
  • Android System UI

Managing troubleshooting issues

One of the best updates that Microsoft brought to Managed Home Screen is the introduction of enhanced troubleshooting features. Users now get access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

This access simplifies troubleshooting for device users, which reduces downtime and keeps productivity up. The settings below support that troubleshooting; note that the exit code is a shared secret delivered in the app configuration, so treat who knows it as you would any other kiosk bypass.

Each entry gives the configuration key, its value type, its default value, whether it is also available in a device configuration profile, and the resulting behavior.

  • Exit lock task mode password (string; no default; device configuration profile: Yes). A 4-6 digit code used to temporarily drop out of lock-task mode for troubleshooting. Anyone who knows the code can leave kiosk mode, so pair it with the re-launch timers below so that a device does not stay outside MHS indefinitely.
  • Enable easy access debug menu (bool; default FALSE; device configuration profile: Yes). When True, the debug menu, which holds the Exit Kiosk Mode capability, can be opened from the Managed Settings menu inside Managed Home Screen. When False, the debug menu is only reachable by pressing the back button about 15 times.
  • Enable MAX inactive time outside of MHS (bool; default FALSE; device configuration profile: No). When True, Managed Home Screen re-launches automatically after a set period of inactivity outside it. The timer counts inactive time only and resets each time the user interacts with the device while outside MHS. Set the duration with MAX inactive time outside MHS. Only available once Exit lock task mode password has been configured.
  • MAX inactive time outside MHS (integer; default 180; device configuration profile: No). Maximum inactive time, in seconds, a user can spend outside MHS before it re-launches. Requires Enable MAX inactive time outside of MHS set to true.
  • Enable MAX time outside MHS (bool; default FALSE; device configuration profile: No). When True, Managed Home Screen re-launches automatically after a set absolute period outside it; the timer counts both active and inactive time. Set the duration with MAX time outside MHS. Only available once Exit lock task mode password has been configured.
  • MAX time outside MHS (integer; default 600; device configuration profile: No). Maximum absolute time, in seconds, a user can spend outside MHS before it re-launches. Requires Enable MAX time outside MHS set to true.
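The two tables above state several cross-setting rules (Application Order needs Lock Home Screen, a grid size and Application Order Enabled; the re-launch timers need an exit code; the exit code must be 4-6 digits; grid size is "Auto" or "columns;rows"), and a policy that breaks them fails silently. The checker below is an added example (editor's code, not the article's or Microsoft's) that takes the settings as a dict keyed by the setting names exactly as the tables list them, the way you would read them off Configuration designer, and reports violations. Two checks go beyond the page and are this example's own: a short list of trivially guessable exit codes, and a warning when an exit code is set with no re-launch timer. The sample policy is constructed.

```python
"""Check the cross-setting rules for a Managed Home Screen app configuration.

Added example (editor's code, not Microsoft's or the article's). Settings are
keyed by the display names used in the article's tables.
"""
import re

GRID_RE = re.compile(r"^\d+;\d+$")  # "columns;rows"

# Codes a practitioner should refuse. This list is the example's own, not an MHS rule.
WEAK_EXIT_CODES = {"0000", "1111", "1234", "4321", "00000", "12345", "000000", "123456"}

TIMERS = (("Enable MAX inactive time outside of MHS", "MAX inactive time outside MHS"),
          ("Enable MAX time outside MHS", "MAX time outside MHS"))


def grid_dimensions(value):
    """Return (columns, rows) for a "C;R" grid string, or None for Auto or an invalid value."""
    if not isinstance(value, str) or not GRID_RE.match(value):
        return None
    cols, rows = (int(part) for part in value.split(";"))
    return (cols, rows) if cols > 0 and rows > 0 else None


def check_mhs_config(cfg):
    """Return a list of (severity, message) findings; an empty list means the policy is consistent."""
    findings = []
    code = cfg.get("Exit lock task mode password")

    # Exit code: the table requires a 4-6 digit code.
    if code is not None:
        if not (isinstance(code, str) and code.isdigit() and 4 <= len(code) <= 6):
            findings.append(("error", "Exit lock task mode password must be 4-6 digits"))
        elif code in WEAK_EXIT_CODES or len(set(code)) == 1:
            findings.append(("warn", "Exit lock task mode password is trivially guessable"))

    # Re-launch timers are only available once an exit code is configured.
    any_timer = False
    for enable_key, value_key in TIMERS:
        enabled = cfg.get(enable_key, False)
        if enabled:
            any_timer = True
            if code is None:
                findings.append(("error", f"{enable_key} requires Exit lock task mode password"))
        if value_key in cfg:
            seconds = cfg[value_key]
            if not enabled:
                findings.append(("warn", f"{value_key} is ignored unless {enable_key} is true"))
            if not (isinstance(seconds, int) and seconds > 0):
                findings.append(("error", f"{value_key} must be a positive number of seconds"))
    if code is not None and not any_timer:
        findings.append(("warn", "Exit code set but no re-launch timer: "
                                 "a device can stay outside MHS indefinitely"))

    # Grid size: "Auto" (the default) or "columns;rows" with positive integers.
    grid = cfg.get("Set Grid Size", "Auto")
    if grid != "Auto" and grid_dimensions(grid) is None:
        findings.append(("error", 'Set Grid Size must be "Auto" or "columns;rows" with positive integers'))

    # Application Order needs Lock Home Screen (default TRUE), a defined grid, and the enable flag.
    if "Application Order" in cfg:
        if not cfg.get("Lock Home Screen", True):
            findings.append(("error", "Application Order requires Lock Home Screen = true"))
        if grid == "Auto":
            findings.append(("error", "Application Order requires a defined grid size, not Auto"))
        if not cfg.get("Application Order Enabled", False):
            findings.append(("error", "Application Order requires Application Order Enabled = true"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a kiosk policy with two mistakes the tables above warn about.
    sample = {
        "Exit lock task mode password": "1234",
        "Enable MAX inactive time outside of MHS": True,
        "MAX inactive time outside MHS": 180,
        "Set Grid Size": "4;5",
        "Lock Home Screen": False,
        "Application Order Enabled": True,
        "Application Order": [{"type": "app", "value": "com.example.scanner", "position": 1}],
    }
    for severity, message in check_mhs_config(sample):
        print(f"{severity.upper():5} {message}")
```

Run it against a policy before assigning it: the sample above produces a warning for the guessable exit code and an error because Application Order is set while Lock Home Screen is false.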

Microsoft ecosystem provides Android users with an optimal experience

Managed Home Screen and its features enhance the user experience for Android users who rely on the Microsoft ecosystem for business. Over the years, the relationship between Microsoft and Android has produced tighter integration between the two platforms and a better overall experience for end users, in step with the broader evolution of enterprise mobility solutions.

Over the last few years, there has been a significant increase in those who appreciate the possibility of remote work. Plenty are enjoying the option of being able to work from home. There are additional benefits, including creating their own schedules. But they can also maintain or even increase their productivity levels.

Android users make up a sizeable portion of Microsoft's clients, so it is not surprising that Microsoft aims to give them the solutions they need to succeed in their business operations. With Managed Home Screen, Android users get an app that further enhances their interaction with the Microsoft ecosystem.

The ability for organizations to customize and control user experiences is paramount. It enables them to ensure that end-users will have access to everything they need while simultaneously putting in certain restrictions.

Additionally, end-users can enjoy a much-improved experience. This is because MHS enables businesses to create consistent and simplified experiences across device types and OEMs.

End-users can expect continued innovations and improved features thanks to the global network of experts established by Microsoft and Google. These client specialists, with deep knowledge of Android devices and services, significantly contribute to the ongoing development of services. They will also further enhance the user experience.

Collaborations like these are why MHS users can address issues on-device and why Microsoft support can troubleshoot those issues on-device with less friction. As the improvements continue to roll out, businesses and individuals will watch closely, since each change can improve how they do business.

Wrap up

If there is anything that we can expect with regard to technology, it’s that we will continue to see changes. Most intend to improve the end-user experience. The features that Managed Home Screen offers, as well as the available improvements, are a testament to Microsoft’s goal. Microsoft continuously aims to create the optimal experience for Android users.

With feedback from Android experts being a key part of development, end-users can expect ongoing improvements. They can also expect to reap the many benefits of an ever-improving Microsoft ecosystem. One only has to take a look at the depth of products and services available to Android device users. It’s then evident that businesses have plenty to benefit from with these programs and features.

Managed Home Screen: What You Should Know

It doesn't take long, scanning the latest tech news and updates, to realize how badly lax security can affect an organization. All nefarious actors need is a small opportunity, and your business may end up paying dearly.

Hence the need to implement the best security measures you can. Platforms such as Managed Home Screen (MHS) provide features that help you enhance your overall security posture.

The platform gives your organization the ability to customize and control Android Enterprise dedicated devices, restricting access to only what a user actually requires. As we continue our deep dive into Managed Home Screen, we will form a clearer picture of how it can best serve your interests.

What to know about general availability

In a previous article, we discussed the updated features that Microsoft introduced to the Managed Home Screen experience. There are a few things that businesses should know about general availability.

To begin, be aware that with the general availability of the updated MHS experience, the previous MHS workflows become obsolete: they are no longer supported and no new features will be added to them.

The Enable updated user experience configuration key remains in place for a 90-day transition period. After those 90 days the key is removed from the app configuration and all devices move to the updated MHS experience.

Below are some of the new capabilities recently added for the updated experience:

  • Brightness Slider and Adaptive Brightness – with this tool, IT admins will be able to expose a setting that enables users to access a brightness slider to adjust the device screen brightness. Moreover, IT admins can also expose a setting that allows users to turn adaptive brightness on and off on the device.
  • Autorotation – this next tool helps IT admins expose a setting that is designed to enable users to turn on and off the device’s autorotation.
  • Domain-less Login and Custom Login Hint Text – another feature coming to the updated experience will be support for domain-less sign-in. Admins can configure domain names which will then be automatically added to usernames when signing in. In addition, MHS will begin providing users with a custom login hint string on the sign-in screen.
  • Session PIN Inactivity Timer – in scenarios where a device has been inactive for a specified period of time, IT admins can leverage this feature to demand users to enter their session PIN to resume activity on Managed Home Screen.

Why is Managed Home Screen making changes?

With the updates that have been made to Managed Home Screen, one may be wondering what’s behind all the changes. And the simple reality is that the new features were needed. Applications need to keep improving if they are to meet the ever-evolving needs of businesses.

It goes without saying, but the competition among players in the tech space is brutal. A new application or service can be introduced to the market, and if it can do the job far more efficiently, then you may find yourself losing clients.

Moreover, organizations are now acutely aware that there are nefarious actors constantly looking for vulnerabilities in their systems and if they find any it can be catastrophic for their businesses. Updates can address any existing performance issues and vulnerabilities that may potentially exist.

In addition, new features will also address productivity issues that your business has to deal with. As technology continues to evolve, organizations like yours will be looking to improve their products and services. Updates allow you to harness the latest and very best features for your applications. This will also give your team a better user experience overall. And ultimately, your business can operate more efficiently.

Furthermore, newer updates can help you get even better performances from your devices. At one point or another, we’ve all probably had the frustrating experience of an app crashing. It’s never a pleasant experience and can result in some lost work progress. By updating your applications, you can significantly reduce the chances of these occurrences.

Benefits of Managed Home Screen’s new features

The improvements that Managed Home Screen has made will have benefits for both IT admins as well as end users. These advantages include:

  • Closing the security gap – enhancing your security features reduces the potential attack surface and makes successful attacks significantly harder. MHS does this by requiring end users to enter their session PIN to resume activity on Managed Home Screen after the device has been inactive for a specified period, which reduces the risk of unauthorized people gaining access to an unattended device. To set it up, set the "Minimum inactive time before session PIN is required" setting to the number of seconds the device must be inactive before the end user has to re-enter their session PIN.
  • Quicker resolution of issues – if the troubleshooting process is ineffective, it can cause endless downtime and that’s not good for business. MHS improved that process by introducing a feature that will give users access to a debug menu. This includes the pages for Get Help, Exit Kiosk Mode, and About. What this does is give users the ability to go to the Get Help page and easily upload logs. Moreover, users will be able to view Management Resources. It allows them to launch adjacent management apps whenever necessary. With the appropriate support available, your organization can quickly address any performance issues. You can also ensure productivity levels remain optimal.
  • Improved ease of use – one of the best ways to help users work more efficiently is to let them customize certain settings to their liking. The immediate concern is the risk of widening the attack surface, and the answer is to restrict what users can customize. That way they still get the benefits of personalized apps and devices while security standards stay high. One setting users can now change is device screen brightness.

Additional benefits of Managed Home Screen

With the updated features, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You’ll have the option of exposing a setting in the app to allow end users to access a convenient brightness slider to adjust the device screen brightness. Furthermore, you’ll now also be able to expose a setting to allow end users to toggle adaptive brightness.

  • Simplified setup – few things help users be more productive than an application with a clean look and quick access to everything they need. That is what MHS aims for with the addition of a top bar, which gives users quick access to device-identifying information. You configure this top bar as you see fit, with two descriptive elements available for display: when the device is not configured with sign-in, IT admins choose between serial number, device name, and tenant name for the primary and secondary elements.

The top bar also gives quick access to settings and to the sign-out button. The settings wheel icon sits in the upper right-hand corner of the top bar, and tapping it displays the settings the IT administrator has chosen to expose to users within MHS settings. The settings icon appears on the top bar by default, but to avoid compromising security, IT admins still decide which settings a user can configure, and can hide the entry point altogether by disabling the "Show managed settings" configuration key.

Enhanced security measures for dedicated devices

As we know by now, Managed Home Screen works on devices enrolled into Intune as Android Enterprise dedicated devices. With the increasing sophistication of today’s cyber attacks, organizations need to ensure that their security is of the highest standard.

Bearing that in mind, in this section, let’s take a look at some of the settings that can improve security for fully managed, dedicated, and corporate-owned work profile devices.

Screen capture (work profile-level)

Setting this to "Block" stops users from taking screenshots and also prevents content from being shown on display devices that lack a secure video output. The setting is "Not configured" by default, and Intune doesn't modify it; if the OS defaults allow it, users may be able to capture the screen contents as an image.

Camera (work profile-level)

Enabling “Block” will prevent access to the device’s camera. Again, you should note that this setting is set to “Not configured” by default and Intune doesn’t change it. Another thing that is important for security is that Intune only manages camera access but doesn’t have access to pictures or videos. The OS may also, by default, allow access to the camera.

Default permission policy (work profile-level)

The objective of this setting is to define the default permission policy for requests for runtime permissions, and the options you have are the following:

  • Default (default) – Use the device’s default setting.
  • Prompt – Users see a prompt to approve the permission.
  • Auto grant – Permissions grant automatically.
  • Auto deny – Permissions are automatically denied.

Date and Time changes

Enabling “Block” will stop users from manually setting the date and time. Additionally, you should note that this setting is set to “Not configured” by default, and Intune doesn’t change it. This will also mean that if the OS default settings permit, users may be able to set the date and time.

Roaming data services

Enabling “Block” will prevent data roaming over the cellular network. And as before, this setting defaults to “Not configured,” and Intune doesn’t change it.

Wi-Fi access point configuration

Enabling “Block” will stop users from creating or changing any Wi-Fi configurations. Additionally, you should note that this setting defaults to “Not configured” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, users may be able to change the Wi-Fi settings on the device.

Bluetooth configuration

Enabling “Block” will stop users from configuring Bluetooth on the device. Additionally, you should note that this setting defaults to “Not configured,” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, using Bluetooth on the device may be possible.

Tethering and access to hotspots

Enabling “Block” will prevent tethering and access to portable hotspots. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow tethering and access to portable hotspots by default.

USB file transfer

Enabling “Block” will prevent transferring files over USB. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it.

External media

Enabling "Block" will prevent using or connecting any external media on the device. And again, this setting defaults to "Not configured," and Intune doesn't change or update it. Take note that the OS might allow external media by default.

Beam data using NFC (work-profile level)

Enabling “Block” is going to prevent the use of Near Field Communication (NFC) technology to beam data from apps. On the other hand, if set to “Not configured“, which is the default setting, Intune will not change or update the setting. However, you should not forget that the OS might allow using NFC to share data between devices by default.

Developer settings

Enabling “Allow” will let users access developer settings on the device. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Microphone adjustment

Enabling “Block” will stop users from unmuting the microphone and adjusting the microphone volume. However, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Factory reset protection emails

Enter the Google account email addresses of the device admins who can unlock the device after it has been wiped, separated by semicolons, e.g. adminA@gmail.com;adminB@gmail.com. These addresses only apply to a factory reset not performed by the user, such as one run from the recovery menu. As with the previous settings, the default is "Not configured," and Intune will not change or update the setting.

System update

To determine how the device handles over-the-air updates, you’ll need to pick from the following options:

  • Device Default (default) – stick to the device’s default setting, meaning that when the device connects to Wi-Fi, is charging, and is idle, the OS updates automatically. For app updates, the OS first checks that the app is not running in the foreground.
  • Automatic – implements an automatic update process without user involvement.
  • Postponed – updates postpone for a period of 30 days, at the end of which users receive a prompt to install the update. For critical security updates, however, device manufacturers or carriers may block their postponement.
  • Maintenance Window – also provides an automatic update process but that occurs during a daily maintenance window that you set in Intune. If the installation tries and fails for 30 days, you will subsequently see a prompt to perform the installation. This setting will apply to OS and Play Store app updates.

Freeze periods for system updates

This setting is optional. If you set System update to Automatic, Postponed, or Maintenance Window, you can use it to define a freeze period during which updates are held back:

  • Start date – in MM/DD format.
  • End date – in MM/DD format. A freeze period can be up to 90 days long, and Android requires at least 60 days between two freeze periods.

Note that all incoming system updates and security patches are blocked during the freeze period, including manual checks for updates, so keep freeze periods as short as the business reason allows.

Location

Enabling “Block” disables the Location setting on the device and prevents users from turning it on. Note that this also affects every feature that relies on device location, including the Locate device remote action that admins use. If set to “Not configured,” which is the default, Intune will not change or update the setting.

When to enroll devices as dedicated devices

A common question is when exactly you should enroll a device as a dedicated device. According to Microsoft, Intune’s Android Enterprise dedicated device solution is for organizations that want their Android devices enrolled without user affinity.

In addition, the device must run Android OS 8+ and be able to connect directly to Google Mobile Services (GMS). Below are the three main scenarios that Intune envisions for dedicated devices:

AS A DIGITAL SIGN

Typically locked into a single application that shows viewers the desired information, for example the train or flight schedules displayed at a station or airport. In these situations there is zero-to-minimal physical user interaction.

TASK-BASED DEVICES

Here the device is locked into a single application or a set of applications and used for specific tasks. The device is not aware of who is using it or where. Package delivery drivers are a good example.

As they clock into their shift, each driver receives a device that helps them navigate to their destinations, scan packages, and complete other role-based tasks. Once the driver’s tasks are complete, the device is returned for the next driver to use.

MULTI-USER, TASK DEVICES

In the third scenario, the device is again locked into a single app or a set of apps and used for specific tasks, but users must sign in to at least one application on the device. Unlike the previous scenario, the apps need to know who is using the device and when.

The general recommendation for this scenario is to enable Shared Device mode. A factory floor, for instance, may have devices used by multiple people, such as shift workers, maintenance staff, and delivery drivers.

So, every individual using the device will get the same apps and policies, but the key difference is that the relevant information displayed by the apps will vary from person to person, depending on their sign-in information.

Wrap up

As a business, it’s crucially important to always be on the lookout for applications and services that can give you an advantage. Something that can improve the quality of what your organization is producing by enhancing worker efficiency. For Managed Home Screen clients, the platform improvements can offer such benefits.

You get features that help you maintain high security standards by allowing IT admins to put in place any necessary restrictions. But, even with these restrictions, end users will still get quicker access to what they need, faster resolution of issues, and a more streamlined workflow.

Enhancing the Intune Experience With Managed Home Screen

All the devices and applications that we use need both security and feature updates now and again to ensure that we always get the best possible performance. Whether these are personal or work devices, without regular improvements, the performances will eventually not be good enough to meet our requirements.

One of the platforms that helps optimize the user experience is Managed Home Screen. Within Intune, any device enrolled as an Android Enterprise dedicated device can benefit from it.

In this article, we’ll be taking a look at what Managed Home Screen is and how it can improve workflows.

What is Managed Home Screen?

Managed Home Screen is an Android application that runs on devices enrolled into Intune as Android Enterprise dedicated devices. It is intended for corporate-owned devices running in multi-app kiosk mode.

On these devices, Managed Home Screen acts as the launcher for other approved apps to run on top of it. The benefit to IT admins is greater control over the customization of devices, as well as being able to restrict the capabilities that the end user can access. The availability of these features means that your business can:

  • Easily maintain control over how these devices work. The customization and control you have over the Android devices allows you to determine specifically what users can access.
  • Enhance the user experience by establishing a consistent and simplified experience across device types and OEMs that makes it significantly easier to perform all tasks to a high standard.
  • Gain access to all the relevant troubleshooting workflows that one would need to fix issues on-device. Or provide Microsoft support with the necessary tools to troubleshoot issues on-device.
  • Utilize an improved sign-in and sign-out experience with a device configured with Shared device mode.

Customization benefits

Additionally, the availability of customization will allow you to completely modify the overall appearance and feel of your home screen.

You can do things such as:

  • Set a custom wallpaper that can truly bring your branding to the fore. Or, you could use the custom wallpaper as a visual indicator to distinguish various devices.
  • You can relocate applications to the home screen so you have your important and most frequently used apps in a place that facilitates easy access. Not only that, but this can help you design a setup that is consistent across devices for your users.
  • Those who may have plenty of apps on the home screen can easily simplify things by categorizing apps into specific folders.
  • Because devices can have varying screen sizes, you’ll also get the option to modify the size of apps and folders appearing on the home screen.
  • To get even quicker access to vital app data, you can add custom widgets to the home screen.
  • When a device is inactive, you can set a screen saver to hide the home screen.

Dedicated devices

We just mentioned that Managed Home Screen is usable on devices enrolled into Intune as Android Enterprise dedicated devices. But, what exactly are ‘dedicated devices’? This term simply refers to corporate-owned devices not associated with a particular user. Additionally, these devices will normally be in use for performing specific tasks.

So, if you want to enroll Android devices with no user-affinity then this option will suit you. However, it’s also important to note that Intune’s Android Enterprise dedicated device solution will require that the devices run Android OS 8+ and be able to connect to Google Mobile Services (GMS).

Setting up Managed Home Screen

Setting up your device with Managed Home Screen is a process that will take several steps. But, once you have a device that meets the requirements, you can begin.

Setting up an Intune enrollment profile and device group

Start by creating an enrollment profile, which generates an enrollment token, and attach it to a device group. In the Endpoint Manager admin center, navigate to Devices > Android > Android enrollment > Corporate-owned dedicated devices. Fill in the Name (the Description is optional), then select Type. Choose Corporate owned dedicated device with Azure AD shared mode if your devices will need users to access M365 applications, App Protection Policies, or Conditional Access policies. When everything’s done, click Create.

CREATING A DEVICE GROUP

Head over to Groups > All groups > New group. Fill in the Group Name (the Group Description is optional). Make sure the Group type is set to “Security”, change Membership type to Dynamic device, and then Add a dynamic query. A dynamic query adds devices to the group automatically based on a property of your choice; for dedicated devices the enrollment profile name is the usual choice, e.g. (device.enrollmentProfileName -eq "<your enrollment profile name>"), so that only devices enrolled with the token from Step 1 receive the kiosk configuration.

Approve and assign Managed Home Screen and other Managed Google Play apps

This step ensures that Managed Home Screen downloads and installs on your enrolled devices, and then launches automatically. Once you have linked your Intune and Managed Google Play accounts, you’ll find Managed Home Screen already synced into the console under Apps > All apps. From there:

  • Click Managed Home Screen.
  • Select Properties>Assignments (edit).
  • Add the device group from Step 2 to the Required assignments.
  • Save.

If you want to add public, private, or web applications, go ahead and stay in Apps > All apps and choose “add.” Navigate to Select app type and choose Managed Google Play app.

Manage Android Enterprise system apps

System applications are disabled by default after enrollment. To enable one and show its icon on the device, head back to Apps > All apps in Intune, select Add in the top left corner, and choose the Android Enterprise system app type. Fill out the App information, then assign it to the group you created in Step 2 as either “Required”, if you want the application available on the device, or “Uninstall”, if you prefer that it remain hidden.

Creating a device configuration profile

Having this profile is crucial because it enables you to configure not only device-level behavior but kiosk mode as well. To begin, navigate to Devices > Configuration profiles > Create profile. Under Platform, select “Android Enterprise.” Under Profile, select “Device restrictions” beneath “Fully Managed, Dedicated, and Corporate-Owned Work Profile.”

After this, select Create, and then you need to fill in the Name of your profile but filling in the Description is optional. Once everything is ready you can select Next.

Creating an app configuration profile

This step is optional: once you have completed the steps above, you are ready to enroll your devices. It is worth doing, however, if you want to use the full set of Managed Home Screen features, all of which are configured here.

In the Endpoint Management admin center, head over to Apps>App configuration policies>Add>Managed devices. Then, you need to fill in the Name and as with other sections, the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. As soon as you are ready to continue, select Next.

A. Using configuration designer to setup Managed Home Screen features

Choose Use configuration designer from the Configuration settings format drop-down menu. Select Add to open a panel with all the available Managed Home Screen configuration keys. Choose the configuration keys that you want to edit and then click OK. All the configuration keys have default values and if you want to modify a configuration value, hover over and then interact with each row under the “Configuration value” column. Click Next as soon as all the necessary changes have been made.

On the Assignments page, under Included groups, choose Select groups to include and pick the device group you created in the second step. Click Next to review, and once set, click Create.

B. Using JSON data to setup Managed Home Screen features

You can complete the configuration of the home screen by using JSON to create your folders, add widgets, and order items. If you need to edit your existing app configuration profile, you can do so by clicking on the policy you just created in Apps > App configuration policies. After that, select Properties > Settings (Edit). Choose Enter JSON data from the Configuration settings format drop-down menu. You should be able to see all your existing configurations in JSON format.

B.1. Add a managed folder to your home screen

You can organize your home screen better by creating a folder that you manage. This is only possible with the JSON data format in an app configuration policy. Add the managed-folder JSON snippet where your other feature configurations go, and replace its placeholders:

  • Replace “PLACEHOLDER_FOLDER-NAME” with a name of your choice.
  • Replace “PLACEHOLDER_APP-PACKAGE-NAME” with the package name of the app that you want to put inside your folder. You have the option to add as many apps as you want.
B.2. Configure custom ordering of items on the home screen

A few things must be in place before you can set a custom ordering of items on the home screen:

  • Apps, widgets, and folders should already be added to your home screen allow-list.
  • The home screen should be locked because this ensures that a user cannot make changes by moving things around themselves.
  • A grid size for all your home screen pages should be set.
  • App ordering mode should be enabled.

At this point, you can set the position of an item to an assigned grid position. Note that the positions will read from smallest to largest from left to right and then top-to-bottom.
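As an added example (not the article’s snippet, and not Microsoft’s code), the PowerShell function below builds and validates the JSON for B.1 and B.2 together: one managed folder plus a fixed app order. The key names (lock_home_screen, grid_size, app_order_enabled, managed_folders, app_order) and the managedProperty envelope are assumptions taken from the configuration designer’s JSON export, so compare them with what “Enter JSON data” shows in your own tenant; the package names and the folder name are constructed placeholders. Before producing output it applies the checks the prerequisites above imply: positions must be unique and fit the grid, and every folder referenced in the order must be defined.

```powershell
# Added example (not from the article or Microsoft): builds the JSON for a Managed
# Home Screen app configuration policy with a managed folder and a fixed app order.
# Key names and the managedProperty envelope are assumed from the configuration
# designer's JSON export; verify them against "Enter JSON data" in your tenant.
# Package names and the folder name are constructed placeholders.
function New-MhsLayoutConfig {
    param(
        [Parameter(Mandatory)][string]$GridSize,       # e.g. '4x5'
        [Parameter(Mandatory)][hashtable[]]$Folders,   # @{ Name = '...'; Packages = @('...') }
        [Parameter(Mandatory)][hashtable[]]$Order      # @{ Type = 'application'|'managed_folder'; Package|FolderName; Position }
    )

    # Positions only exist inside the grid: cols x rows slots per page, counted
    # left to right, then top to bottom.
    if (-not ($GridSize -match '^(\d+)x(\d+)$')) { throw "grid_size must look like 4x5, got '$GridSize'" }
    $capacity = [int]$Matches[1] * [int]$Matches[2]

    $positions  = @($Order | ForEach-Object { [int]$_.Position })
    $duplicates = @($positions | Group-Object | Where-Object Count -gt 1)
    if ($duplicates) { throw "Duplicate positions: $($duplicates.Name -join ', ')" }
    $outside = @($positions | Where-Object { $_ -lt 1 -or $_ -gt $capacity })
    if ($outside) { throw "Positions outside 1..$capacity : $($outside -join ', ')" }

    # A folder placed in app_order must be defined in managed_folders, or MHS has nothing to show.
    $folderNames = @($Folders | ForEach-Object { $_.Name })
    foreach ($item in @($Order | Where-Object { $_.Type -eq 'managed_folder' })) {
        if ($item.FolderName -notin $folderNames) { throw "app_order refers to undefined folder '$($item.FolderName)'" }
    }

    $managedFolders = @{ managed_folders = @($Folders | ForEach-Object {
        [ordered]@{ folder_name  = $_.Name
                    applications = @($_.Packages | ForEach-Object { @{ package = $_ } }) }
    }) }
    $appOrder = @{ app_order = @($Order | ForEach-Object {
        if ($_.Type -eq 'managed_folder') {
            [ordered]@{ type = 'managed_folder'; folder_name = $_.FolderName; position = [int]$_.Position }
        } else {
            [ordered]@{ type = 'application'; package = $_.Package; position = [int]$_.Position }
        }
    }) }

    # The nested layouts travel inside valueString as a JSON *string*, so they are
    # serialised first; the outer ConvertTo-Json then escapes their quotes for us.
    $properties = @(
        [ordered]@{ key = 'lock_home_screen';  valueBool   = $true }
        [ordered]@{ key = 'app_order_enabled'; valueBool   = $true }
        [ordered]@{ key = 'grid_size';         valueString = $GridSize }
        [ordered]@{ key = 'managed_folders';   valueString = (ConvertTo-Json -InputObject $managedFolders -Compress -Depth 5) }
        [ordered]@{ key = 'app_order';         valueString = (ConvertTo-Json -InputObject $appOrder -Compress -Depth 5) }
    )
    $envelope = [ordered]@{
        kind            = 'androidenterprise#managedConfiguration'  # assumed envelope, see note above
        productId       = 'app:com.microsoft.launcher.enterprise'   # Managed Home Screen package name
        managedProperty = $properties
    }
    ConvertTo-Json -InputObject $envelope -Depth 6
}

# Constructed sample: a time-clock app first, then a folder holding the scanner and maps apps.
$json = New-MhsLayoutConfig -GridSize '4x5' `
    -Folders @( @{ Name = 'Field tools'; Packages = @('com.example.scanner', 'com.example.maps') } ) `
    -Order   @( @{ Type = 'application';    Package = 'com.example.timeclock'; Position = 1 },
                @{ Type = 'managed_folder'; FolderName = 'Field tools';       Position = 2 } )
$json | Set-Content -Path .\mhs-layout.json -Encoding utf8
```

The part people get wrong when hand-editing this policy is the inner JSON: managed_folders and app_order are strings that themselves contain JSON, so a stray unescaped quote silently breaks the layout. Letting ConvertTo-Json produce the inner document and then escape it inside the outer one avoids that, and the validation throws on an overlapping or out-of-grid position before anything reaches the tenant.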

DEVICE ENROLLMENT

As already alluded to earlier, devices should be running Android OS 8+ and run with Google Mobile Services (GMS). As soon as a device is ready, you can enroll from a factory-reset state using:

  • Near Field Communication
  • Token entry
  • QR code scanning
  • Google’s Zero Touch Enrollment
  • Samsung’s Knox Mobile Enrollment

User credentials are not necessary during enrollment or provisioning because these dedicated devices are not user-associated. Select the type of enrollment that you want and follow the instructions given in this section.

COMPLETION OF SETUP

After the setup process finalizes, you’ll find yourself on the device’s home screen. Then, the device will proceed to sync policies with Intune after which apps will begin to download and install on the device. And after Managed Home Screen has been installed, it will auto-launch and show you all your configurations.

Improvements to Managed Home Screen

Pursuant to the feedback that Microsoft received from its clients, some eye-catching new design changes have been made to the app to optimize usability. However, these new features are only available on the updated experience.

Although you can look forward to an improved user experience, Microsoft has not intentionally changed feature support, so you can expect only minor changes to current functionality, such as:

  • You’ll no longer see the company logo on the Session PIN screen, but you will still have it on the home screen.
  • Swiping down will no longer give you access to the Managed Home Screen settings.

Addition of the top bar

A top bar has been added to the Managed Home Screen page to simplify navigation and give quick access to device-identifying information. The top bar is configurable and can display two descriptive elements.

IT administrators can decide between serial number, device name, and tenant name for the top and bottom element in situations where the device is not configured with sign-in. On the other hand, if the device is configured with sign-in, the top element will display the signed in user’s name.

Easily discoverable settings and sign out button

Another benefit of the top bar is that it enables quick navigation to settings as well as the sign-out button. However, for the latter, this is only possible when sign-in is configured. If you go to the upper right-hand corner of the top bar, you’ll now find a settings wheel icon.

When a user taps this icon, they’ll see which settings the IT administrator has selected to reveal to them within MHS settings. One thing to note with the updated experience is that swiping down on the device will no longer give you access to settings.

You can now find the Settings icon located on the top bar by default. IT admins get to decide which settings a user can configure or disable it altogether by enabling or disabling the configuration key “Show managed settings”. There are a couple of situations in which the Settings icon will still display, and these are:

  • When a user is signed in, the Settings icon is available to view the user’s profile information.
  • When device permissions are required but no user is signed in, the Settings icon is available so the user can grant those permissions. No other settings are shown unless configured.

Updated permissions flow

Updating the permissions granting flow has been necessitated by the desire to ensure that device users do not miss essential permissions. Upon launching MHS initially, a dialogue will appear requesting users to grant any required permissions. Users can get to the settings screen where the required settings will be clearly laid out by tapping either the message or the settings wheel.

By tapping on the message, users will be redirected to the correct page in the Android settings page to grant the permission that is needed for the functionality of all configurations that are set by the IT administrator for Managed Home Screen.

In the event a user rejects the permission, a message will then be displayed on the screen and a red dot will appear on the settings app icon. Ultimately, this update to the permissions flow has been designed to prevent permissions from being missed and to optimize the functions of Managed Home Screen.

Enhanced troubleshooting features

Managed Home Screen is helping to simplify the process of troubleshooting device issues. The new features that have been introduced will give users access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

Users can now go to the Get Help page and easily upload logs. In addition, users can also view Management Resources, allowing them to launch adjacent management apps whenever necessary.

And if you want important information on Managed Home Screen, including the privacy statements, accessibility statements, and third-party configurable compliance links, if enabled, you’ll easily find it on the About page.

The updated debug menu can only appear within settings after an IT admin has configured easy access to the debug menu. Without this action, users will need to tap the back button 15 times to unhide the debug menu. 

Start using the updated experience

To begin using the updated experience, you need to follow the steps given below:

  • Start by verifying that the target devices are running version 2.2.0.91169 or higher of Managed Home Screen.
  • Within the Intune admin center, head over to Apps > App configuration policies > Add > Managed devices. (And if you already have an app configuration policy in place for the target devices, you can skip the next step)
  • Filling in the Name will be required, but the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. When everything’s done, click Next.
  • To configure your settings, you can use either the configuration designer or JSON data. Open the Configuration settings format drop-down menu and select Use configuration designer. Choose Add to open the panel with the available Managed Home Screen configuration keys.
  • Next, choose the configuration key Enable updated user experience and switch it to True. If you are using JSON data, add the following key and value instead:

    {
      "key": "enable_updated_user_experience",
      "valueBool": true
    }

  • Lastly, head over to the Assignments page and look under Included groups. Then, you need to choose Select groups to include and select the device group that you want to include in the public preview. You can review by clicking Next, and once all is set, click Create.

Another important thing to note is that this updated experience only works on the newest version of the Managed Home Screen application. So, you need to turn on the updated app experience and then verify that your devices are running the latest version of Managed Home Screen. If everything is in order, you should expect to see the updated workflows on the device.

Wrap up

Technology has been improving at a lightning speed and an ever-increasing pace for a long time now. The devices available to us, the operating systems, as well as the countless applications, have all gotten significantly better. So, it’s not surprising that businesses want platforms that can empower their workers to operate more efficiently and thus be more productive.

With Managed Home Screen, Microsoft offers its clients a tool that will do that and more. Businesses can get a tool with a lot of great features that will help users to get more from the available technology while eliminating time-consuming distractions.

And as updates like the ones we discussed today continue to be developed, MHS users can look forward to even more improvements that will optimize workflows and enhance their interaction with Intune.

How to Install Printer Drivers and Printers from Intune using Win32

The printing solution that a business uses is integral to its operations and can either positively or negatively affect productivity. It’s important to ensure that you get the maximum benefit from your IT infrastructure, and proper printing setup is a key component of any printing solution.

But it’s not always as easy as we’d like it to be, especially with so many different products and services available on the market. IT admins need to choose wisely so that businesses can implement tailor-made solutions to address the needs of their employees.

Today, we’ll be going over how you can take advantage of Win32 for the installation of Printer Drivers and Printers, making light work of printing setup and execution.

Importance of printing solutions

Technology has come on in leaps and bounds over the last few decades and has made a massive impact on how companies do business. A lot of the products and services we now have allow us to conduct business in ways that most people couldn’t imagine just a decade ago.

But, even with all our mobile devices and remote working solutions, the simple printer still plays a very big role for most businesses. Plenty of business deals and various transactions still require us to have physical documents, and these can include contracts, proposals, various legal documents, and more. Although businesses can do their printing elsewhere, it’s easier and more cost-effective to have in-house printing solutions. This, of course, requires printing setup and ongoing infrastructure maintenance.

It also offers greater security for highly sensitive documents. Another potential benefit is increased productivity. With the capabilities of modern printing setup and solutions, anyone needing to print documents can do so from anywhere in the office using their PC or even mobile device. This cuts down on time that could otherwise be wasted going to print documents.

Furthermore, having your own in-house printing solution helps you to create a reproducible standard for all materials that your business needs to print. So, all your letterheads, business cards, contracts, etc., will all have a standard look and feel that every professional business wants to have. With that said, let’s look at how you’ll be able to add printers and printer drivers to your business.

Adding a Printer to Windows

When trying to add a new printer to your Windows setup, you’ll need to follow a few steps to ensure that the installation is seamless. Admins may often encounter issues, such as failing to remove the printer from the system, incomplete uninstallation, and failure to install new drivers, among other things.

You may also experience errors like “This driver is not fully installed”. By utilizing certain commands, you can make your printing setup task a bit easier and reduce the chances of facing these problems. In this section, we’ll be going over the steps that you need to follow.

WHAT IS POWERSHELL?

Let’s start by going over what PowerShell is before discussing the steps for adding a printer to Windows. According to Microsoft:

“PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.”

Just about anyone can use it, since it was built to run on Windows, macOS, and Linux. With this tool, administrators, developers, and DevOps professionals can use code to automate tasks and configurations, and it works both as an open-source shell and as a scripting language.

PowerShell offers you the following areas of functionality:

  • Command-line interface – accepts and returns .NET objects, unlike other shells that will only accept and return text. This interface enables PC users to directly interact with the computer through text, unlike the GUI most others use.
  • Scripting language – PowerShell is not just a scripting engine. It’s also a fully functional scripting language that you can use to automate tasks for DevOps, user management, continuous integration/continuous deployment, and many other system administration tasks.
  • Automation platform – because of how extensible PowerShell is by design, this allows an ecosystem of PowerShell modules to deploy and manage almost any technology you work with. And these cover a wide range of Microsoft services, such as Azure and Windows, as well as third-party services, such as Google Cloud and AWS.

POWERSHELL REQUIREMENTS

As with any product or service that you may want to use, there are a few requirements to know. Before you can deploy PowerShell scripts in Intune, be sure to follow the necessary requirements. Below is a list of these requirements:

  • The devices that you’ll be working on must have Windows 10 1709 or later.
  • Additionally, they should also be Azure AD Joined devices or Hybrid Azure AD Joined devices.
  • These devices will need to be enrolled in Intune. And this can be via MDM Auto Enrollment, GPO enrollment, or Manual enrollment.
  • Co-managed devices that use both Microsoft Intune and Configuration Manager are also supported.

Identification of Printer Driver source files

To begin the process of adding a printer to Windows and printing setup, we’ll need to identify all the required printer driver source files. The driver package is extremely important because it contains everything necessary for a device to work correctly with Windows.

A driver package will typically have an INF file, Catalog files, Driver files, and other files. Before you can build a Win32 app, you need to ensure that you know which specific files you’ll need to complete the Printer Driver installation. After deciding which printer you’ll be using, you can proceed as follows:

  • Navigate to the printer manufacturer’s website, where you can download the appropriate Printer Driver software.
  • The vendor’s Setup.exe installer walks you through a UI installation of the driver package, but it usually doesn’t run silently. Instead, go to the Driver folder in the download to prepare for a scripted installation with PowerShell.
  • Next, open the INF file to see which files the driver installation needs.
  • Windows uses the catalog (.cat) file, which carries the package’s digital signature, to verify that those files are trusted and unmodified: the INF lists the source files, and the catalog vouches for them. Both must be present in the folder you package.

Windows Driver Store

It is far more convenient when a computer already holds the driver files needed for printer installation, and that is what the Driver Store provides; it makes the printing setup significantly easier. Fortunately, adding drivers to the Driver Store is not difficult. The Driver Store is the trusted location for inbox and third-party driver packages: a driver can only be installed on a device once its package has been staged there, and staging is where the package’s signature is verified.

A common way to stage drivers into the Windows Driver Store is pnputil. Some may raise an eyebrow because pnputil is not a PowerShell cmdlet, but it gets the job done and runs fine from a PowerShell console. You pass the path of your printer’s INF file to the pnputil.exe command-line tool:

    pnputil.exe /add-driver "<inf_path>"

Pnputil checks the package’s catalog signature before accepting it, so an unsigned or modified package is rejected here.

Admins should make sure they note the Printer Driver Name because it’s a requirement for the installation of the Printer Driver in Windows. This is something that you can also find in the INF file. After you have completed the staging of the drivers to the Driver Store, you can now Install a printer in Windows using PowerShell cmdlets such as Add-PrinterPort, Add-PrinterDriver, and Add-Printer.

ADD-PRINTER PORT

Those who will be deploying new Network Printers will need to use the Add-PrinterPort cmdlet to create the Printer Port. Upon completion, you can then run the Add-Printer cmdlet. And this will require passing the DriverName and PortName parameters. So, before you begin trying to install the printer, make sure that the Printer Port is available.

ADD-PRINTER DRIVER

Before the printer can be installed with Add-Printer, the printer driver must be installed. The driver name is the model name written in the INF file, so open the INF, find the appropriate driver name, and note it; the name you pass to Add-PrinterDriver must match it exactly. To install the Printer Driver from the Driver Store, use the Add-PrinterDriver cmdlet. Its name parameter is -Name, and -InfPath points to the INF in the Driver Store; once the package has been staged with pnputil, -Name alone is usually enough because the driver is resolved from the store:

    Add-PrinterDriver -Name "<driver_name>" -InfPath "<driver_path>"

ADD-PRINTER

After the steps above, you reach the last one: the installation of the printer itself, which ties together everything done so far. Install the printer with the Add-Printer cmdlet; this only works once the printer driver has been installed and the printer port created. Afterwards, verify the installation using printmanagement.msc or Get-Printer. Note that the printer name is passed as -Name:

    Add-Printer -Name "<printer_name>" -DriverName "<driver_name>" -PortName "<port_name>"
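Putting the steps together, here is an added example (not the article’s own script) of an install script suited to being packaged as a Win32 app. It stages the driver with pnputil, creates the port, installs the driver and the printer, and verifies the end state, skipping any step whose object already exists so that re-running it is safe. The INF path, driver name, printer name, port name and host address are constructed placeholders to be replaced with values from your INF and network; the exit codes pnputil is allowed to return (0, and 3010 for “reboot required”) are the ones this script treats as success.

```powershell
# Added example (not the article's own script): stage the driver, create the port,
# install the driver and the printer, then verify the end state. Every step is
# skipped when its object already exists, so re-running the script is safe.
# The INF path, driver name, printer name, port name and address are constructed
# placeholders; take the real driver name from the INF's model section.
[CmdletBinding()]
param(
    [string]$InfPath     = "$PSScriptRoot\Driver\example.inf",
    [string]$DriverName  = 'Example Universal Print Driver',
    [string]$PrinterName = 'HQ-Floor2-MFP',
    [string]$PortName    = 'IP_10.20.30.40',
    [string]$PrinterHost = '10.20.30.40'
)
$ErrorActionPreference = 'Stop'

# True only when the printer exists AND is bound to the expected driver and port.
# A custom detection script for the Win32 app needs exactly this check.
function Test-PrinterInstalled {
    param([string]$Name, [string]$Driver, [string]$Port)
    $p = Get-Printer -Name $Name -ErrorAction SilentlyContinue
    return [bool]($p -and $p.DriverName -eq $Driver -and $p.PortName -eq $Port)
}

if (Test-PrinterInstalled -Name $PrinterName -Driver $DriverName -Port $PortName) {
    Write-Output "'$PrinterName' is already installed; nothing to do"
    exit 0
}

# 1. Stage the package in the Driver Store. pnputil verifies the catalog (.cat)
#    signature here, so a failure usually means an unsigned or altered package.
if (-not (Test-Path -LiteralPath $InfPath)) { throw "INF not found: $InfPath" }
$pnpOutput = & pnputil.exe /add-driver "$InfPath" 2>&1
if ($LASTEXITCODE -notin @(0, 3010)) {      # 3010 = staged, reboot required
    throw "pnputil failed with exit code $LASTEXITCODE`n$($pnpOutput -join "`n")"
}

# 2. The port must exist before Add-Printer can reference it.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterHost
}

# 3. Install the driver by name; it is resolved from the Driver Store staged above.
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $DriverName
}

# 4. Create the printer, binding the driver to the port.
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName
}

# 5. Verify the result instead of trusting exit codes: a printer that exists
#    but uses a different driver or port is a failed install, not a success.
if (-not (Test-PrinterInstalled -Name $PrinterName -Driver $DriverName -Port $PortName)) {
    $actual = Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue
    throw "Verification failed: '$PrinterName' is $($actual.DriverName) on $($actual.PortName)"
}
Write-Output "Installed '$PrinterName' with '$DriverName' on '$PortName'"
```

Run it as SYSTEM, which is what the Intune Management Extension does by default, because staging into the Driver Store and installing drivers require administrative rights; a typical install command is powershell.exe -ExecutionPolicy Bypass -File .\Install-Printer.ps1. For the Win32 app’s detection rule Intune expects a separate script file, and the body of Test-PrinterInstalled is all it needs: write a line to STDOUT and exit 0 when the check passes, exit 1 otherwise. Because the final check compares the installed printer’s driver and port rather than just the exit codes, a printer that already existed under the same name but on the wrong driver fails the install instead of being silently accepted.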

How to build your Win32 App

WHAT IS A WIN32 APP?

When we talk of Win32 applications, we’ll be referring to programs that have been built for the Windows operating system. They have been written to use the Win32 Application Programmer Interface (API). The latter is a set of program functions that can enable a program to trigger just about every action in the operating system such as opening a file.

This 32-bit Windows API has been around for a few decades and was first availed back in 1993 when Windows NT was released. The early APIs would become known as Win16 and Win32 to distinguish between 16-bit and 32-bit programs. The Win32 APIs carry the following responsibilities:

  • Administration and management – both play a key role in the installation, configuration, and servicing of apps as well as systems.
  • Diagnostics – involved in the remediation of problems through the troubleshooting of both system and application problems. Also responsible for monitoring performance.
  • Graphics and multimedia – incorporation of various components such as video, audio, graphics, and text.
  • Security – ensures high-level security by implementing measures such as password protection, privileged access, rights management, security auditing, and more.
  • System Services – allows for access to computing resources and the operating system. This will include things such as devices, memory, processes, file system, and threads.
  • Windows User Interface – enables not only the creation but the management of a user interface as well. This is for things like display output, user interaction support, and prompts for input from users.

Win32 App Management Capabilities

Win32 app management capabilities are fully supported in Microsoft Intune. In addition, Intune supports both 32-bit and 64-bit operating system architectures for Windows applications. Several file types can be managed as a Win32 app, including the well-known .exe, .msi, and .msix, among others. IT admins should note, however, that before they can create a Win32 app in Intune, they need to package it.

Microsoft Intune has become increasingly important in recent years because more and more businesses are migrating to the cloud. As this trend continues, businesses are looking for a solution like Intune that can help with the management of Win32 apps from the cloud. So, with an Intune subscription, administrators will be able to manage and distribute Win32 apps to your Windows 10 or Windows 11 devices.

WIN32 APP REQUIREMENTS

To deploy Win32 apps with Microsoft Intune, there are several requirements that need to be met. These include:

  • Before you can start deploying Win32 apps, you need to have an active Microsoft Intune subscription. This can be purchased from the Microsoft 365 admin center if you don’t already have one.
  • Your devices must meet all the Microsoft Intune prerequisites, including having Windows devices enrolled in Intune as well as having the Intune Company Portal app installed.
  • The devices you’ll be working on should be enrolled in Intune. They also need to be either Azure AD joined, Azure AD registered, or Hybrid Azure AD joined.
  • The Windows application size must also be no more than 8GB per app.
  • The Win32 apps need to be prepared for deployment. Do this with the Intune Win32 app packaging tool, which creates an installation package for your app. The tool converts your app into an Intune-compatible format, which simplifies both deployment and management.

BUILDING THE APP

Now that we have gone over what the Win32 App actually is and the steps you need for printing setup, we can start looking at how we are going to build a Win32 App. To build this Win32 App, we will need a few source files: cnlb0m.cat, CNLB0MA64.INF, and gpb0.cab. IT admins are also going to need a few other things to create the Win32 App:

  • Driver package source files.
  • Specify an Install command.
  • Specify an uninstall command.

INSTALL COMMAND

Administrators need to pass several parameters to the script:

  • PortName – Provide the name of the port that you need to create.
  • PrinterIP – Provide the network IP address of the relevant printer.
  • PrinterName – Provide the name of the printer that is going to be created. Admins should be aware that this name is used in the Detection Method as well.
  • DriverName – Provide the name of the printer driver that will need to be installed. Earlier, we mentioned noting down this name so that when it comes to this point, our parameters are as they should be.
  • INF file – Provide the name of the INF file for the printer driver.
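The following Install-Printer.ps1 is an added example written for this article's procedure; it is not the author's own script. It takes the five parameters listed above, runs the three cmdlets from the previous sections in order (port, driver, printer), and exits with 0 or 1 so Intune records the result. Two assumptions are worth calling out: Add-PrinterDriver -InfPath expects the INF to already be in the Driver Store, so the script stages it with pnputil.exe first, and the INF is assumed to sit next to the script in the extracted .intunewin package ($PSScriptRoot). The log file location under %temp% is also an assumption.

```powershell
<#
    Install-Printer.ps1 (added example; not the article's own script)
    Creates the TCP/IP port, stages and installs the driver from the INF,
    then adds the printer. Exit code 0 on success, 1 on failure, so Intune
    records the install result correctly.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$PortName,
    [Parameter(Mandatory)] [string]$PrinterIP,
    [Parameter(Mandatory)] [string]$PrinterName,
    [Parameter(Mandatory)] [string]$DriverName,
    [Parameter(Mandatory)] [string]$INFFile
)

$ErrorActionPreference = 'Stop'
# Assumed log location: %temp% of the account Intune runs the script as (SYSTEM -> C:\Windows\Temp).
$logPath = Join-Path $env:TEMP "Install-Printer_$($PrinterName -replace '[^\w]', '_').log"
Start-Transcript -Path $logPath -Append | Out-Null

try {
    # 1. Port: idempotent, so a rerun does not fail because the port already exists.
    if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP
        Write-Output "Created port $PortName -> $PrinterIP"
    } else {
        Write-Output "Port $PortName already exists"
    }

    # 2. Driver: Add-PrinterDriver -InfPath needs the INF in the Driver Store,
    #    so stage it with pnputil first. The INF is assumed to be in the same
    #    folder as this script (the extracted .intunewin package).
    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        $infSource = Join-Path $PSScriptRoot $INFFile
        if (-not (Test-Path $infSource)) { throw "INF not found: $infSource" }
        & pnputil.exe /add-driver "$infSource" | Write-Output
        # 0 = success, 3010 = success but reboot required; anything else is a failure.
        if ($LASTEXITCODE -notin 0, 3010) { throw "pnputil failed with exit code $LASTEXITCODE" }
        # Locate the staged copy in the Driver Store by its original file name.
        $staged = Get-ChildItem -Path "$env:SystemRoot\System32\DriverStore\FileRepository" `
                    -Recurse -Filter $INFFile -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        if (-not $staged) { throw "Staged INF $INFFile not found in the Driver Store" }
        Add-PrinterDriver -Name $DriverName -InfPath $staged.FullName
        Write-Output "Installed driver $DriverName from $($staged.FullName)"
    } else {
        Write-Output "Driver $DriverName already installed"
    }

    # 3. Printer: only now, with port and driver in place.
    if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName
        Write-Output "Installed printer $PrinterName"
    } else {
        Write-Output "Printer $PrinterName already exists"
    }

    # 4. Verify the registry key the Intune detection rule will look for.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\$PrinterName"
    if (-not (Test-Path $key)) { throw "Printer key $key missing after installation" }
    Write-Output "Detection key present: $key"
    $exitCode = 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

Each step checks whether its object already exists before creating it, so the script can be re-run safely if Intune retries the install, and the final registry check guarantees the install only reports success when the detection rule described later will also succeed.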

UNINSTALL COMMAND

With this option, you’ll get the convenience of uninstalling a Win32 application via the Company Portal. This means that your IT can run a lot more efficiently and get things done quickly rather than waiting around for help desk support to address their issues. It’s no surprise then that this was a highly requested feature by users of Microsoft Intune.

If you no longer want a program, or perhaps you need the space, uninstallation is a simple and straightforward affair, because with this particular command you only need to pass a single parameter to the script. So, as long as you have a valid command line with the correct input, you shouldn't have any difficulties. A good example of this would be:

powershell.exe -executionpolicy bypass -file Remove-Printer.ps1 -PrinterName "Generic Printer Office1"
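A matching Remove-Printer.ps1, added here as an example and not taken from the article, shows what the uninstall command above needs to do. Because Intune's detection rule keys on the printer's registry key, the script must actually remove the printer queue; it also removes the port and driver, but only when no other queue still uses them. The log location is an assumption, as in the install script.

```powershell
<#
    Remove-Printer.ps1 (added example; not the article's own script)
    Removes the named printer, then tidies up its port and driver when no
    other queue uses them, so the detection key disappears and Intune
    reports the app as uninstalled.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$PrinterName
)

$ErrorActionPreference = 'Stop'
# Assumed log location, consistent with the install script.
$logPath = Join-Path $env:TEMP "Remove-Printer_$($PrinterName -replace '[^\w]', '_').log"
Start-Transcript -Path $logPath -Append | Out-Null

try {
    $printer = Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue
    if (-not $printer) {
        # Nothing to remove; report success so Intune does not keep retrying.
        Write-Output "Printer $PrinterName not present; nothing to do"
    } else {
        $portName   = $printer.PortName
        $driverName = $printer.DriverName
        Remove-Printer -Name $PrinterName
        Write-Output "Removed printer $PrinterName"

        # Remove the port only if no remaining queue is bound to it.
        if (-not (Get-Printer | Where-Object { $_.PortName -eq $portName })) {
            Remove-PrinterPort -Name $portName
            Write-Output "Removed port $portName"
        }

        # Same rule for the driver. Driver removal can fail while the spooler
        # still holds it, which should not turn a successful uninstall into a failure.
        if (-not (Get-Printer | Where-Object { $_.DriverName -eq $driverName })) {
            try {
                Remove-PrinterDriver -Name $driverName
                Write-Output "Removed driver $driverName"
            } catch {
                Write-Output "WARNING: driver $driverName left in place: $($_.Exception.Message)"
            }
        }
    }
    $exitCode = 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```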

DETECTION METHOD

Another element that the Win32 app requires is a detection method. A detection method lets Intune verify whether an application is already installed. By detecting the presence of the Win32 app, the installation only proceeds if the check shows that the app has not yet been installed.

IT admins can use the printer’s own registry key for this detection. The PrinterName that we mentioned above (the one that will be used during the installation of the printer) will also be the name of the key.

CREATING THE .INTUNEWIN FILE

  • To begin, both the scripts and the source files must be copied to the same folder.
  • Then, you can proceed to create the .intunewin file using Win32ContentPrepTool.
  • Next, navigate to the Microsoft Endpoint Manager admin center.
  • Create a new Win32 App.
  • You’ll now be required to select an .intunewin file so you choose the one you’ve just created.
  • Provide all the app information necessary without leaving out any details.
  • Now, you can add both the Install and Uninstall commands.

Install command: powershell.exe -executionpolicy bypass -file Install-Printer.ps1 -PortName "IP_10.10.1.1" -PrinterIP "10.1.1.1" -PrinterName "Generic Printer Office1" -DriverName "Generic Driver ABC" -INFFile "CNLB0MA64.INF"

Uninstall command: powershell.exe -executionpolicy bypass -file Remove-Printer.ps1 -PrinterName "Generic Printer Office1"

  • Provide all the necessary information in the app requirements section.
  • Under Detection, select Manually configure detection rules and then select Add.
  • Next, for the detection method, use the values listed below, adjusting the key path and value to match your PrinterName.

            Rule type: Registry
            Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Generic Printer Office1
            Value name: Name
            Detection method: String comparison
            Operator: Equals
            Value: Generic Printer Office1

  • The last thing you'll need to do is make sure that the app is assigned to the correct Users/Devices Group.
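Intune also accepts a custom detection script instead of a manually configured rule. The script below is an added example, not part of the article, and performs the same check as the registry rule above: it reads the Name value under the printer's key and compares it with the expected printer name. Intune treats the app as installed only when the script exits with code 0 and writes something to STDOUT; the printer name is hard-coded here and is assumed to match the -PrinterName passed to the install command.

```powershell
# Custom detection script (added example; not from the article).
# Mirrors the registry rule: key under ...\Print\Printers\<PrinterName>,
# value "Name", string comparison, operator Equals.
$PrinterName = 'Generic Printer Office1'   # assumed to match -PrinterName in the install command
$keyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\$PrinterName"

function Test-PrinterInstalled {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$ExpectedName
    )
    # Missing key means the printer queue was never created (or was removed).
    if (-not (Test-Path -Path $Path)) { return $false }
    # Read the "Name" value; a key without it is treated as not installed.
    $name = (Get-ItemProperty -Path $Path -Name 'Name' -ErrorAction SilentlyContinue).Name
    return ($name -eq $ExpectedName)
}

if (Test-PrinterInstalled -Path $keyPath -ExpectedName $PrinterName) {
    # STDOUT output plus exit code 0 is how Intune recognises "installed".
    Write-Output "Detected printer '$PrinterName'"
    exit 0
}
# No output and a non-zero exit code: not installed, so Intune runs the install command.
exit 1
```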

INSTALLATION MONITORING

Admins who have created an "Available" assignment for a user group can install the Win32 app from the Company Portal. To view the generated log file, look in the %temp% folder under the system root. After all this is done, you can check the printer, driver, and port installation using printmanagement.msc.

Wrap up

Having a modern printing setup and solution is something that can be extremely beneficial for your business. It can help your employees work more efficiently, increase productivity levels, safeguard sensitive documents from prying eyes, and many other benefits. A great way to install your Printer Drivers and Printers from Microsoft Intune is by using Win32.

This method, as described in this article, is not as complicated as you may imagine and can simplify the process of modernizing your printing setup and solutions. As long as you meet the few requirements listed, your IT admins won't face too many difficulties. So, if you're looking for ways to upgrade the way your business operates, you could hardly go wrong by trying this method in your organization.

Enhancing Apple Device Management With Microsoft Intune

The technology that we have available to us today intends to make the user experience as smooth as possible. With increasing cybercrime causing headaches for plenty of businesses, the need to constantly improve continues. Security protocols and device management are very high priorities for every organization.

One area that plays a significant role in improving any organization’s security posture is identity management. The best solutions on the market offer a seamless user experience that can improve how users interact with their devices.

It’s always interesting to look at how products and services from different organizations can combine. Ideally, separate brands fuse the best of what they each have for the benefit of their customers. It’s with this in mind that we want to look at how Microsoft Intune and Apple Identity Services do something similar. Both are bringing great solutions to their clients to improve security, as well as secure the user experience.

Microsoft Intune has a lot to offer

As we all know, Intune is a fantastic endpoint management solution. It simplifies app and device management across your various devices. This can include mobile devices, desktop computers, and virtual workstations.

So, it’s perfectly understandable why Intune is such a popular solution for many organizations. It’s a platform that is not only for Windows devices, but it also works brilliantly to improve Apple device management.

Your security will immediately improve because Intune ensures your macOS software is up to date. It then minimizes vulnerabilities by reducing manual tasks. Customers can expect a native macOS software update client experience, as well. This is because of how system update policies for macOS in Intune are built on Apple’s MDM commands. By implementing measures such as these, Intune helps you to reduce the overall attack surface of your business.

SIMPLIFIED APP MANAGEMENT

Another thing you can look forward to is doing away with the trouble of app conversion. This is because Intune is introducing a new application deployment service. Additionally, this new service leverages the Intune MDM agent to install, monitor, and report DMG-type applications. This ability will enable you to deploy in-place DMG app upgrades. It’s also capable of reducing some of the burden on IT staff while also making tasks easier.

In addition to this, Microsoft has been working on a solution that will simplify the deployment of apps. It will do so with custom scripts and apps that are unsigned. This new option, which leverages the Intune MDM agent to deploy PKG-type installers, is going to improve flexibility and customization. But, even with these changes being made, Microsoft has assured its customers that support for the native PKG-type app management experiences for macOS will continue.

ENHANCED USER EXPERIENCE

The provision of a consistent onboarding experience for all Apple devices is a top priority to enhance the experience for all users. Intune will be leaning on the Just-In-Time (JIT) macOS/iPadOS enrollment experience. This simplifies the Mac device onboarding process for users with corporate-owned devices.

Once enrollment finalizes, users can log in through the Enterprise Single Sign-On extension. From there, they can establish SSO across Azure AD-enabled apps and use their Azure AD password to log on to their Mac.

Coupled with the consistent onboarding experience, Intune is also determined to speed up the iOS enrollment process. Because of what the JIT functionality can offer, the iOS Company Portal app will no longer be necessary for AAD registration.

We’ll see a move towards web-based device enrollment, which is going to offer a swifter end-to-end enrollment process. This is a result of the reduced need to switch back and forth between the apps in addition to fewer authentication steps.

EFFICIENT DEVICE MANAGEMENT

Microsoft has also been working on a solution that supports local administrator account and local primary account creation during macOS ADE. This will allow customization of local administrator settings within new and existing macOS enrollment profiles for devices enrolling with user-device affinity.

A couple of years back, Microsoft Intune announced support for Declarative Device Management (DDM). Intune also extended DDM to the macOS settings catalog.

Arguably, one of the best things about DDM is how it can easily co-exist with the standard MDM protocol. It does so without negatively affecting the end-user experience. Customers can send the policies they have created in the settings catalog as well as DDM-based policies to DDM-enabled devices. They can also send the standard MDM-based policy to those devices using the older protocol.

Apple Identity Services

One of the things that has helped Apple distinguish itself over the years is excellent data and device security. In a world where nefarious actors are constantly attempting to exploit device vulnerabilities, businesses need solutions to safeguard their data. With Apple Identity Services, your organization gets a product that can securely manage usernames and passwords.

The first measure we’ll talk about is authentication. This action refers to the process of verifying the identity of a user. Apple uses several authentication methods, such as single sign-on. Apple also provides for services, like personal Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime.

Once authentication measures verify the identity of a user, you then have authorization. This determines precisely what users are allowed to do. For this process, you need to provide a username and a password to an identity provider (IdP).

Essentially, what you have is an identity provider that functions as the authority. The username and password are also the assertion. Together with authentication and authorization, we can also talk about identity federation.

This process will establish trust between two parties and authenticate users. The result enables the linking of a user’s identity across multiple separate identity management systems. The identity federation process can only work effectively if admins set up domains that trust each other. And there also needs to be a single method to identify users.

Enhancing Authentication with Platform Single Sign-On

Users constantly need the services they use to improve so that they can better interact with technology and work more efficiently. In light of this, Apple saw it fit to introduce Platform Single Sign-On, which represents the evolution of authentication protocols.

This solution replaces Active Directory binding and simplifies life for users by requiring them to sign in only once. This is possible because, upon a successful user login, the local account credentials synchronize with the IdP, which gives the user access to various other resources without needing to enter their password again. Platform SSO supports several authentication methods with an identity provider (IdP):

  • Password and encrypted password
  • Password with WS-Trust
  • User secure enclave key
  • SmartCard

New local user accounts are set up on demand by Platform SSO (PSSO) at the login window using IdP credentials. The service can also integrate IdP group membership with macOS. And in addition to this, network accounts can be used for authorization, and groups may also authorize network accounts.

Authentication

As new users go through the authentication process using credentials from their organization’s IdP, they can now have new local user accounts automatically created by macOS. The benefits of this to your organization are several, including:

  • Better user experience – time is of the essence. And with a setup like this, new users won’t require pre-configured accounts, therefore allowing them a much swifter start. As one can imagine, this makes it an excellent solution in environments where device sharing is required.
  • More robust security – the use of user-unique credentials helps to significantly strengthen your organization’s security when users access their devices. Not only that, but the uniqueness of these credentials makes it easier to keep track of all users’ access and activities.
  • Lighten the burden on IT – most of us are aware of how taxing the manual tasks that IT staff have to undertake can be. So, a solution that brings automation to the user creation process will undoubtedly be welcomed by IT staff. No longer will IT pros have to go through the tedious process of manually setting up accounts for each new user.

REQUIREMENTS FOR LOCAL ACCOUNT CREATION

But, before moving ahead, you should know that there are a few requirements. Your organization needs to meet the following for you to take advantage of local account creation.

  • UseSharedDeviceKeys – to enable this, you’ll need to use a shared device key that enables the device to have a trusted connection to the Entra ID, regardless of the user.
  • Connectivity with the Identity Provider – your device should be able to connect to your Entra ID. Without this connection, authentication of user credentials won't be possible, and neither will authorizing the user to access the device.
  • Device State – Login Window with FileVault Unlocked – the device in question should be at the login window, and you also need to ensure that the FileVault is unlocked. The importance of this state is that it establishes that the device is secure while simultaneously verifying its readiness to set up a new user account when authentication has been successfully completed.
  • MDM Support for Bootstrap Tokens – ensure that Bootstrap Tokens are supported by the MDM system. These tokens are integral to the delivery of a seamless user experience within a highly secure environment. This becomes even more evident in situations that require the creation of new user accounts on macOS devices.
  • User Authentication – as soon as you have met all the requirements, users can then begin the authentication process using their Entra ID username and password or a SmartCard.
  • Assignment of User Permissions – after authentication, the Identity Provider groups determine which permissions the user is assigned.
  • Defining Access Levels through MDM Profiles – to ensure organizational security of the highest standard, all newly created accounts should have their access levels carefully defined. Intune profiles will play a central role during this process and are responsible for determining which users have standard user permissions, administrator privileges, or permissions based on their group membership in Entra ID.

Creating extensions that support platform SSO

Performing single sign-on with an identity provider requires the creation of an SSO extension to support PSSO and implement the required functionality. Additionally, you need to specify the grant types that the extension and IdP support. In macOS 14.0 and later, implement supportedGrantTypes() and return:

  • Password: password
  • Secure enclave key, SmartCard, and encrypted password: jwtBearer
  • WS-Trust: saml1_1 or saml2_0

For PSSO 2.0, there will be a new key service for SSO extensions and IdPs. This is going to allow for an alternative registration flow and additional login configuration. Before you can use it, however, there is a need to implement protocolVersion() in the extension and return ASAuthorizationProviderExtensionPlatformSSOProtocolVersion.version2_0 to indicate that the extension and the IdP server support PSSO 2.0. To complete this section, you need to enable a ticket-granting ticket with Kerberos SSO extension, as well as use diagnostics to iterate on the configuration during development.

REGISTRATION OF USERS AND DEVICES

After creating an SSO extension, there are a few steps to follow to register devices and users with an identity provider, and it’s the PSSO that calls the extension to perform these steps. The extension will first register a device before registering users on that same device. Your SSO extension needs to implement the ASAuthorizationProviderExtensionRegistrationHandler protocol to support registration.

Device registration

The SSO extension will use the following to register a device:

beginDeviceRegistration(loginManager:options:completion:)

Furthermore, the extension will need to:

  • Register the device with its associated IdP.
  • Provide the login configuration to Platform SSO.
  • Execute the completion handler.

Successful device registration completes with the following result:

ASAuthorizationProviderExtensionRegistrationResult.success

User registration

Once device registration is complete, the SSO extension should then proceed with user registration through:

beginUserRegistration(loginManager:userName:method:options:completion:)

The system is designed such that all users on a device will need to use the login configuration, and this also includes when the system creates new users during login. In situations where shared keys are being used, user registration will only begin for each subsequent user on the device. Therefore, when new users are created during login, they will be prompted to start registration when they reach the desktop.

After completion of the registration process, the SSO extension is required to call the completion handler. Following this, the users need to authenticate using the new configuration, which can use platform SSO immediately.

Finally, if the extension supports the PSSO 2.0 protocol methods and the system uses password authentication, a new key will be provisioned by the key service and linked to the user account.

Microsoft introduces Platform SSO for macOS

In 2023, Microsoft announced Platform SSO for macOS. This feature is meant to be an enhancement that will give users of macOS devices a more seamless experience with even better security. What users can expect from this is a solution that enables them to use Touch ID to unlock their device and thereby eliminate the need to enter a password.

Users will then be signed into Entra ID under the hood with a device-bound cryptographic key. Because of the use of phishing-resistant credentials, your business can save money by removing the need for security keys or other hardware.

Adding to user convenience will be the fact that after signing in, the existing Microsoft Enterprise SSO plug-in ensures that you remain signed into the apps you use for work.

However, there is an alternative for those who may not yet be ready to completely remove passwords from Entra ID sign-ins. In this scenario, Platform SSO for macOS allows you to synchronize local account passwords with Entra ID passwords so that users can use one credential across their macOS devices. Furthermore, Platform SSO for macOS will enable administrators to configure the end-user authentication method.

The admins can then set up a phishing-resistant credential or a traditional password as the authentication method. You can easily prepare your business for Platform SSO for macOS by taking the steps given below:

  • Deploy the Microsoft Enterprise SSO plug-in.
  • Ensure that users are registered for Microsoft Entra ID multifactor authentication, and for the best experience, Microsoft Authenticator is recommended for this process.
  • Update macOS devices to macOS 13 (Ventura) or later.

Microsoft Enterprise SSO plug-in for Apple devices

Using the Microsoft Enterprise SSO plug-in for Apple devices, clients will get single sign-on for Microsoft Entra accounts on macOS, iOS, and iPadOS. And they can do so across all applications that support Apple’s enterprise single sign-on feature. Probably the biggest advantage of this plug-in is that it enables SSO for older applications that are integral to your business operations but don’t have support for the latest identity protocols.

To ensure that users would get the best possible experience, the final product that we get resulted from the efforts of both Microsoft and Apple working together. At the moment, you can get the Enterprise SSO plug-in as a built-in feature of Microsoft Authenticator (iPadOS, iOS) and Microsoft Intune Company Portal (macOS).

WHAT FEATURES DO YOU GET?

The Microsoft Enterprise SSO plug-in for Apple devices comes with several attractive features, including:

  • Single sign-on for Microsoft Entra accounts for all apps that support the Apple Enterprise SSO feature
  • Supported in both device and user enrollment, and you can use any mobile device management service of your choice to enable it.
  • Available for applications that don’t yet use the Microsoft Authentication Library (MSAL).
  • Also offers SSO to apps that use OAuth 2, OpenID Connect, and SAML.
  • End-users can be assured of a smooth experience when the Microsoft Enterprise SSO plug-in is enabled because of how it is integrated with the MSAL.

REQUIREMENTS

Device requirements

  • The device must support, and have installed, an app that provides the Microsoft Enterprise SSO plug-in for Apple devices:
    iOS 13.0 and later: Microsoft Authenticator app
    iPadOS 13.0 and later: Microsoft Authenticator app
    macOS 10.15 and later: Intune Company Portal app
  • Devices should be enrolled in MDM.
  • Because Apple requires this security measure, configuration needs to be pushed to the device to enable the Enterprise SSO plug-in.

iOS requirements

  • Devices need to have iOS 13.0 or higher.
  • Devices will also require a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Microsoft Authenticator app.

macOS requirements

  • Devices need to have macOS 10.15 or higher.
  • Devices will also require a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Intune Company Portal app.

HOW DOES THE SSO PLUG-IN WORK?

As mentioned before, this plug-in came about because of the efforts of both Microsoft and Apple. So, it’s not too surprising that the plug-in is reliant on the Apple Enterprise SSO framework. Once an identity provider has joined this framework, it can intercept network traffic for its domain as well as modify how those requests are managed. Native applications will also be able to implement custom operations and communicate directly with the SSO plug-in.

Wrap up

The integration of products and services from different tech companies can provide countless benefits for customers. End-user experiences will improve, businesses will get better value for their investment, and tech companies can ensure that their customers get the best possible solutions.

This is why Microsoft Intune has been working with Apple to improve the user experience for Apple device users. Intune wants to be able to offer organizations excellent device management solutions across all devices regardless of preferences.

So, whether you want to use Windows devices or Apple devices, you should be getting great device management options. We all know about Apple Identity Services and how those protocols have given Apple devices the high-level security they have.

Therefore, the fact that Intune measures can co-exist with Apple Identity Services can only be a good thing for customers because this will ultimately strengthen overall security even further, as well as provide a better user experience.

Microsoft Dev Box – Optimizing Developer Productivity

We have all witnessed the impressive speed at which software has been developing during the last few decades. Businesses and individuals alike now have multiple solutions available to them enabling them to enhance productivity in ways that were previously not possible.

As one would expect, this can only mean great things for the future. Developers, however, have dealt with tremendous hardware challenges and onboarding issues creating stumbling blocks for the work they are trying to do. These problems are precisely what Microsoft is trying to address with the introduction of the Microsoft Dev Box.

By providing high-powered workstations in the cloud, developers can up their game and produce better work. In this article, we’ll go over what this product is and why it’s a potential game-changer.

Introducing Microsoft Dev Box

The Microsoft Dev Box is a new Microsoft product that utilizes the existing Windows 365 infrastructure to stream secure and ready-to-code developer workstations on demand. By now, most will be familiar with the Windows 365 Cloud PC. Additionally, most appreciate how it enables businesses to optimize their operations using highly secure virtual PCs.

So, it makes perfect sense that Microsoft Dev Box would leverage the infrastructure that has already proven successful. The cloud workstations that developers will get are what are known as dev boxes.

You can easily configure these dev boxes with the tools, source code, and prebuilt binaries specific to a project. It is because of this type of functionality that users can begin work as quickly as possible.

As far as images go, you’ll have the option of creating a customized one or using a preconfigured one from Azure Marketplace, complete with Visual Studio already installed. Depending on the unique needs of developers, they can use multiple dev boxes for their day-to-day workflows. Accessing these dev boxes is easy and similar to other virtual desktops such as the Cloud PC. So, all you need is a remote desktop client or a web browser.

Requirements

As with any other product or service, those interested in using Microsoft Dev Box will need to meet a few requirements. Each user needs to have a license for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1.

Although clients can obtain these independently, you will also find these licenses included in Microsoft 365 F3, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 A3, Microsoft 365 A5, Microsoft 365 Business Premium, and Microsoft 365 Education Student Use Benefit subscriptions.

Key Components of Dev Box

In this section, we’ll be going over the key components of Microsoft Dev Box that you should know. These will help you to set up Dev Box correctly, allowing you to get the best out of it.

DEV CENTER

When we talk of a dev center, we are referring to a set of projects that will all need the same settings. Dev centers enable platform engineers to use dev box definitions for the effective management of the images and the SKUs available to the projects.

Furthermore, these engineers will be able to use network connections to configure the networks that the development teams consume. Dev centers are also used by Azure Deployment Environments to organize resources. Your business can use the same dev center for both services.

PROJECT

When it comes to the Dev Box service, a project is a team function within the organization. And each project is a collection of pools. Moreover, each pool represents a region or workload.

Once a dev center and a project link, all the settings at the dev center level apply to the project automatically. It’s important to note, however, that a project can only be linked to a single dev center.

Dev managers can configure the dev boxes available for any project by specifying the dev box definitions that are appropriate for their workloads. For developers to create their own dev boxes, they need access to the project, which you grant by assigning them the Dev Box User role.

Projects for Deployment Environments, as well as those for Dev Box resources, can be configured in the same dev center.

DEV BOX DEFINITION

A dev box definition specifies a source image and a size, covering both compute and storage. The source image can come from Azure Marketplace or be a custom image from your own Azure Compute Gallery instance. A dev box definition can be used across multiple projects in a dev center.

NETWORK CONNECTION

IT admins and platform engineers configure the network used for dev box creation according to the organization's policies. A network connection stores configuration such as the virtual network and the Active Directory join type, and dev boxes use that network to reach network resources. You choose the join type when creating the network connection:

  • Use native Microsoft Entra ID join when your dev boxes only need to connect to cloud-based resources.
  • Use Microsoft Entra hybrid join when your dev boxes need to connect to on-premises resources as well as cloud-based resources.

AZURE REGIONS FOR DEV BOX

Start by selecting the most suitable region before setting up Dev Box. If your preferred region isn't available for Dev Box, choose a region within 500 miles of it. You must specify a region for your dev center and projects; typically these are in the same region as your primary office or IT management center.

The region for a dev box will be determined by the region of the virtual network specified in a network connection. The service allows you to create multiple network connections, based on the areas where you support developers.

You can then use those connections when creating dev box pools so that dev box users create dev boxes in a region close to them. According to Microsoft, a region close to the user gives the best experience.

DEV BOX POOL

A dev box pool is a group of dev boxes that are managed together and share the same settings. To support hybrid teams that work in different regions or on different workloads, you can create multiple dev box pools.

DEV BOX

Dev boxes are preconfigured workstations created through the self-service developer portal. Because new dev boxes come with the tools, binaries, and configurations developers need, they can start work immediately.

Developers working on multiple workstreams can create and manage several dev boxes. Users control their own dev boxes: they can create more when needed and delete them when they're done.

Pricing table (per dev box instance)

  SKU                                   Max monthly price   Hourly compute   Monthly storage
  8 vCPU, 32 GB RAM, 256 GB storage     $138.20             $1.49            $19
  8 vCPU, 32 GB RAM, 512 GB storage     $157.20             $1.49            $38
  8 vCPU, 32 GB RAM, 1024 GB storage    $195.20             $1.49            $76
  8 vCPU, 32 GB RAM, 2048 GB storage    $271.20             $1.49            $152
  16 vCPU, 64 GB RAM, 256 GB storage    $257.40             $2.98            $19
  16 vCPU, 64 GB RAM, 512 GB storage    $276.40             $2.98            $38
  16 vCPU, 64 GB RAM, 1024 GB storage   $314.40             $2.98            $76
  16 vCPU, 64 GB RAM, 2048 GB storage   $390.40             $2.98            $152
  32 vCPU, 128 GB RAM, 512 GB storage   $514.80             $5.96            $38
  32 vCPU, 128 GB RAM, 1024 GB storage  $552.80             $5.96            $76
  32 vCPU, 128 GB RAM, 2048 GB storage  $628.80             $5.96            $152

Why should you consider Dev Box?

SIMPLIFIED INTEGRATION

One reasonable concern is integration: how will Dev Box fit into the infrastructure a company already has? Dev Box is designed to sit alongside whatever development infrastructure your business is using.

Your development teams can deploy dev boxes tailored to the precise needs of your business. If you already use Microsoft tools such as Microsoft Intune or Azure, Dev Box fits naturally into that workflow.

EASY TO SET UP

Onboarding problems and hardware limitations often slow developers down, which is why the convenience Dev Box offers matters. Microsoft gives you preconfigured workstations that are available on demand for your various projects.

Dev boxes can be configured with all the key tools developers need, so they can start work on assigned projects immediately instead of spending time setting up a development environment.

ACCESSIBILITY

Cloud-based solutions enable businesses with staff all across the globe to maintain high levels of productivity. Dev Box can offer region-specific workstations that give developers a high-level experience wherever they may be.

Any new developers you want to bring on can onboard in minutes, rather than days because of project-based configurations. And this can be done on any device, running on just about any operating system. This level of accessibility can raise the ceiling for what your organization may have previously considered possible.

COMPATIBILITY

The ease of setting up dev boxes also makes them cost-effective. As with Windows 365 Cloud PCs, users don't need new devices and don't have to worry about the operating system they use: whether on a PC or a tablet, they can still use their preferred productivity software and custom line-of-business tools.

HIBERNATION

Every business wants to ensure that it can get the most from the available products and services while minimizing costs. Therefore, one of the most common things you’ll see businesses do to keep costs down is to shut down idle VMs to avoid paying for unused compute.

While this reduces operating expenses, shutting down developers' workstation VMs overnight means that when they start work in the morning they first have to reopen all their tools. Fortunately, this is one of the issues that Dev Box addresses.

The hibernation feature lets you hibernate 8-core and 16-core dev boxes so that when a dev box is resumed, apps and work are exactly as they were left. Admins can schedule hibernation for the end of the workday in a specific region and can configure dev boxes to hibernate after a user disconnects. For greater control, a user can always skip an upcoming hibernation from the notification that appears.

Using Microsoft Dev Boxes

Microsoft describes several scenarios in which businesses can use dev boxes:

PLATFORM ENGINEERING SCENARIOS

With Dev Box, platform engineering teams can allocate the appropriate dev boxes according to the various users’ workloads. The platform engineers can:

  • Create dev box pools, add appropriate dev box definitions, and ensure that access is offered only to dev box users who are working on those specific projects.
  • Leverage auto-stop schedules to control costs.
  • Define the network configuration, which is responsible for determining the region where the dev box is created.
  • Assign the built-in Dev Box User role to grant access to development teams and enable them to self-serve dev boxes.
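Putting the platform-engineering steps above together, and the full-time versus contractor split described later under the developer scenarios, here is an added example (my own script, not from the article or from Microsoft's documentation) that provisions the whole chain with the Azure CLI devcenter extension from a PowerShell session: dev center, project, Entra-joined network connection, dev box definition, two pools that differ only in local administrator rights, a daily auto-stop schedule per pool, and a Dev Box User role assignment scoped to the project rather than the subscription. Resource names, the subnet, the group object ID and the time zone are placeholders; the image and SKU names are assumptions taken from the default gallery and SKU list at the time of writing, so confirm them with `az devcenter admin image list`, `az devcenter admin sku list` and `--help` before running.

```powershell
# Added example: end-to-end Dev Box provisioning with the Azure CLI devcenter extension.
# All names, IDs, the image and the SKU below are placeholders or assumptions to verify in your tenant.
$ErrorActionPreference = 'Stop'
az extension add --name devcenter --upgrade

$sub      = (az account show --query id -o tsv)
$rg       = 'rg-devbox'
$location = 'westeurope'
$dcName   = 'dc-contoso'
$project  = 'proj-payments'
$subnetId = "/subscriptions/$sub/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-devbox-weu/subnets/snet-devbox"
$devGroup = '<object-id-of-the-developers-group>'      # Entra group that receives Dev Box User

az group create --name $rg --location $location
az devcenter admin devcenter create --name $dcName --resource-group $rg --location $location
$dcId = az devcenter admin devcenter show --name $dcName --resource-group $rg --query id -o tsv

# Network connection: native Entra join, because these dev boxes only need cloud resources.
az devcenter admin network-connection create --name 'nc-weu' --resource-group $rg --location $location `
    --domain-join-type AzureADJoin --subnet-id $subnetId --networking-resource-group-name 'rg-devbox-ni-weu'
$ncId = az devcenter admin network-connection show --name 'nc-weu' --resource-group $rg --query id -o tsv
az devcenter admin attached-network create --attached-network-connection-name 'nc-weu' `
    --dev-center $dcName --resource-group $rg --network-connection-id $ncId

# Dev box definition: Marketplace VS 2022 image plus the 8 vCPU / 32 GB / 256 GB SKU, hibernate-capable.
$imageId = "$dcId/galleries/default/images/microsoftvisualstudio_visualstudioplustools_vs-2022-ent-general-win11-m365-gen2"
az devcenter admin devbox-definition create --name 'win11-vs2022-8c32g' --dev-center $dcName `
    --resource-group $rg --location $location --image-reference id=$imageId `
    --sku name=general_i_8c32gb256ssd_v2 --os-storage-type ssd_256gb --hibernate-support Enabled

# Project inherits the dev center settings; cap boxes per user so one compromised account cannot spin up many.
az devcenter admin project create --name $project --resource-group $rg --location $location `
    --dev-center-id $dcId --max-dev-boxes-per-user 2
$projectId = az devcenter admin project show --name $project --resource-group $rg --query id -o tsv

# Two pools from the same definition and network: staff get local admin, contractors do not.
foreach ($pool in @(@{ Name = 'pool-weu-staff'; Admin = 'Enabled' }, @{ Name = 'pool-weu-contractors'; Admin = 'Disabled' })) {
    az devcenter admin pool create --name $pool.Name --project $project --resource-group $rg --location $location `
        --devbox-definition-name 'win11-vs2022-8c32g' --network-connection-name 'nc-weu' `
        --local-administrator $pool.Admin --license-type Windows_Client
    # Auto-stop every day at 18:30 local time to control cost.
    az devcenter admin schedule create --pool-name $pool.Name --project $project --resource-group $rg `
        --schedule-type StopDevBox --frequency Daily --time '18:30' --time-zone 'Europe/Amsterdam' --state Enabled
}

# Least privilege: Dev Box User on this project only, never on the subscription or resource group.
az role assignment create --assignee-object-id $devGroup --assignee-principal-type Group `
    --role 'DevCenter Dev Box User' --scope $projectId
```

The role assignment is the part worth getting right: Dev Box User at project scope lets a developer create boxes only from that project's pools, whereas the same role at subscription scope would expose every project in every dev center.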

IT ADMIN SCENARIOS

Here IT admins can manage dev boxes like other devices on the network:

  • Dev boxes enroll in Intune automatically and can be managed through the Microsoft Intune admin center.
  • Keep all Windows devices up to date by using expedited quality updates in Intune to deploy zero-day patches across the organization.
  • If a dev box is compromised and has to be isolated, the user can be moved to a fresh dev box quickly, keeping downtime to a minimum.

With any cloud solution, security is a major concern, and Dev Box provides access in a secure environment. Access controls in Microsoft Entra ID let you organize access by project or user type:

  • Join dev boxes to Microsoft Entra ID (native join) or to an Active Directory domain (hybrid join).
  • Require users to connect from compliant devices by setting Conditional Access policies.
  • Require multifactor authentication at sign-in.
  • Configure risk-based sign-in policies for dev boxes that access sensitive source code and customer data.

DEVELOPER TEAM LEAD SCENARIOS

Development team leads can help manage a project once they've been assigned the DevCenter Project Admin role. Project admins can create dev box pools and add appropriate dev box definitions, and they can use auto-stop schedules to control costs.

DEVELOPER SCENARIOS

If your business has development teams spread across the globe then Dev Box can enable them to create their own dev boxes within their closest region. Developers don’t need to wait for admin teams meaning that they can create dev boxes at their convenience.

Once that's done, users can access their workstations on any device regardless of operating system. Dev Box also supports developers working on several projects: to handle multiple workloads, projects, or tasks efficiently, they can create and use separate dev boxes.

From a predefined pool, developers can create multiple dev boxes when needed and delete them when the work is complete. The service also lets your business define dev boxes for different roles on a team. For instance, you can give full-time developers local administrator rights on their dev boxes while withholding those rights from contractors.

The developer experience

One of the best things about the Dev Box experience is how developers can use the available tools to streamline their work. Because secure, ready-to-code workstations are easy to create, users can move freely between their primary, secondary, and tertiary machines.

When starting on a new project, developers will often want to quickly get up to speed without wasting time waiting on configuration processes. Dev boxes can be preloaded with settings, tools, source binaries, as well as caches that you need.

Moreover, running in Azure also comes with its own benefits. Not only can you access the resources and services that are needed in the cloud, but you’ll also have the option to connect on-premises resources such as file shares and databases.

Handling various tasks and workloads doesn’t have to be so difficult when you can switch between dev boxes allowing you to work more efficiently. Most of us have strong preferences when it comes to the devices we use so developers will certainly like the fact that they can use any device.

There are native clients for Windows and macOS, as well as for mobile platforms such as Android and iOS. For browser access, most modern browsers work without issue. IT admins will appreciate that Dev Box lets them manage environments easily while keeping them secure and up to date.

What about security?

The information we’ve gone over tells us that Microsoft Dev Box has a lot to offer businesses. But, if you’re an IT admin, you’ll probably be wondering about security measures to protect your organization. Not surprisingly, this is well covered by Microsoft.

Dev boxes are managed in much the same way as Windows 365 Cloud PCs or any other device managed with Microsoft Intune (formerly Microsoft Endpoint Manager). Admins can maintain the organization's standards by ensuring that all standard apps and management tools are installed, just as on any other enrolled device.

Your company's policy settings are deployed to dev boxes, and they receive Windows updates that keep them current.

When you create your network connections, you can join dev boxes natively to Microsoft Entra ID (formerly Azure Active Directory) or use Microsoft Entra hybrid join with an on-premises domain. You can use the tools you're already familiar with and set up Conditional Access policies, for example to require MFA.

Admins can also require that users reach the service only from devices that comply with the standards the organization has set. Additionally, traffic to your dev boxes is encrypted in transit, as it is with Windows 365.
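The Entra controls listed under the IT admin scenarios earlier and in this section (compliant device, MFA at sign-in, risk-based sign-in policy) are ordinary Conditional Access policies. As an added example that is not from the article or from Microsoft, the following Microsoft Graph PowerShell script creates two of them in report-only mode for a developer group: a baseline that requires MFA and an Intune-compliant device on every sign-in, and a second policy that blocks high-risk sign-ins outright. The group object ID and the application IDs are placeholders: look up the Windows 365 and Microsoft Dev Box cloud apps under Target resources in the Entra admin center and paste their IDs in. The sign-in risk condition requires Microsoft Entra ID P2.

```powershell
# Added example: Conditional Access for Dev Box / Windows 365 access via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module. Group and app IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$developersGroupId = '<object-id-of-the-developers-group>'
$cloudAppIds       = @('<windows-365-app-id>', '<microsoft-dev-box-app-id>')  # from Entra > Target resources

function New-DevBoxAccessPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $GrantControls,   # e.g. 'mfa','compliantDevice' or 'block'
        [string[]] $SignInRiskLevels = @()                  # empty = apply to every sign-in
    )
    $conditions = @{
        users          = @{ includeGroups = @($developersGroupId) }
        applications   = @{ includeApplications = $cloudAppIds }
        clientAppTypes = @('all')
    }
    # Sign-in risk comes from Identity Protection (Entra ID P2); only add the condition when asked for.
    if ($SignInRiskLevels.Count -gt 0) { $conditions.signInRiskLevels = $SignInRiskLevels }

    $body = @{
        displayName   = $DisplayName
        # Report-only first: review the sign-in logs for a week, then change to 'enabled'.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = 'AND'; builtInControls = $GrantControls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Baseline: every sign-in to the dev box brokers needs MFA AND an Intune-compliant device.
New-DevBoxAccessPolicy -DisplayName 'Dev Box - require MFA and compliant device' `
    -GrantControls @('mfa', 'compliantDevice')

# Risk-based: a sign-in rated high risk is blocked regardless of which other controls it satisfies.
New-DevBoxAccessPolicy -DisplayName 'Dev Box - block high-risk sign-ins' `
    -GrantControls @('block') -SignInRiskLevels @('high')
```

Scoping the policies to the dev box cloud apps rather than to all cloud apps keeps the blast radius of a misconfiguration small while you are still in report-only mode; once the logs look right, widen the scope deliberately.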

Wrap up

Developers have had to contend with frustrating challenges that hinder their productivity for years. These challenges also create unnecessary delays for businesses especially when working with deadlines.

In some cases, you hear of instances where it takes well over a week to onboard a new developer. As we can all imagine, this is far from ideal. When looking at the feedback from various organizations, it’s clear to see why Microsoft sees the need for Dev Box.

With the service offering secure, preconfigured, and ready-to-code workstations, the time to productivity is drastically reduced. Developers can be ready to go almost as soon as an assignment is given without having to be burdened with laborious onboarding processes.

You also have the advantage of using devices you’re comfortable with regardless of what operating system is running. Furthermore, as the service continues to improve, we can expect Dev Box to help optimize the work of developers even more.

Windows 365 Boot and Windows 365 Switch: Latest Features

New features and updates are something that we have become accustomed to and regularly expect for several reasons. Take the mobile devices that we carry with us everywhere. When you purchase a new one, one of the most important things you want to know is how many years of support you will receive.

This is because we all want to ensure that our devices can perform to their maximum capabilities for years to come. With this in mind, Microsoft ensures that products like Windows 365 regularly receive new features and updates that will improve the end-user experience.

As a result of this, businesses can expect the Cloud PC environment to often provide them with new and improved functionality. They’ll also address any issues or bugs that need dealing with. For this particular article, our focus will be the new features of Windows 365 Boot and Windows 365 Switch.

Review of Windows 365 Boot

For those who may not be familiar with Windows 365 Boot, let's start with a review. Windows 365 Boot lets administrators simplify sign-in for users of physical Windows 11 devices by configuring those devices so that:

  • Users won’t need to sign in to their physical devices.
  • Users can sign in directly to their Windows 365 Cloud PC on their physical devices.

Simply put, Windows 365 Boot enables users of Windows 11 (version 22H2 or 23H2) to log in directly to their Windows 365 Cloud PC as the primary Windows experience on the device. Additionally, when single sign-on is turned on for the Cloud PC, users won't need to sign in a second time to reach it.

This speeds up sign-in and cuts down on time spent getting started. It is also an excellent solution for shared devices: logging in with a unique user identity takes each user to their own personal, secure Cloud PC.

SHARED PC SCENARIO

This capability allows multiple users to sign in to their own personal Cloud PCs from the same physical device. Whenever you sign in to the physical device, your unique identity takes you to your assigned, secure Cloud PC.

For an organization such as a hospital or call center, where people share physical devices, Windows 365 Boot is an excellent solution. It gives employees added convenience by bypassing the often tedious startup process.

Consequently, whenever you return to a device, you can boot directly into your secure Cloud PC and pick up right where you left off. Colleagues can:

  • Sign out from their Cloud PC on the physical device; the device then reverts to the Windows 11 login screen.
  • Hand the physical device over to another colleague at the end of a shift.
  • The colleague starting their shift can then use the device to sign in to their own Cloud PC.

ACCESSING PHYSICAL DEVICES

The objective of a Windows 365 Boot physical device is to let users interact with their Cloud PC without being able to interact with the physical device itself. Achieving this requires setting some configuration service provider (CSP) policies.

Administrators should be aware that Windows 365 won't automatically set these policies to fully restrict end users from accessing resources on the physical device. Review the configuration policies thoroughly, understand which ones apply to your Windows 365 Boot devices, and verify that they meet your organization's security requirements for preventing access to the physical device.

PROCESS OVERVIEW

The first step is to configure the physical device for Windows 365 Boot using the Windows 365 Boot guided scenario in the Microsoft Intune admin center. The next, optional step is to restrict access to the Windows 365 Boot physical devices.

Then set up each physical device with the Windows 365 Boot configuration. Once device configuration is complete, multiple users can access their dedicated Cloud PCs from the same Windows 365 Boot physical device.

Windows 365 Switch

When working at your desk, you want everything you need within easy reach. To that end, Windows 365 Switch makes it much easier to move between a Windows 365 Cloud PC and your local desktop, using the same familiar keyboard commands, a mouse click, or a swipe gesture.

Switch is integrated into the Task view feature of Windows 11. As long as you have a Windows 365 Cloud PC, Windows 365 Switch appears automatically inside Task view. Before pushing the Windows 365 Switch components to your Windows 11 endpoints, you need to meet the following requirements:

  • Windows 11-based endpoints (both Windows 11 Pro and Enterprise)
  • Cloud PC updated to the latest Windows OS build (Windows 11 Enterprise or Professional, version 22621.2361 or later)
  • Physical device updated to the latest Windows OS build (Windows 11 Enterprise or Professional, version 22621.2361 or later)
  • Windows 365 Cloud PC license.

DEPLOYING WINDOWS 365 SWITCH

First, make sure your Cloud PC is updated to the latest Windows OS build. Under Settings, open the Windows Update page, turn on the Get the latest updates as soon as they are available toggle, install the updates, and restart.

Next, do the same on the physical device: open Settings > Windows Update, turn on the Get the latest updates as soon as they are available toggle, install the updates, and restart.

Once that's done, install the Windows 365 app. Users can download it from the Microsoft Store on Windows; verify that it is version 1.3.185.0 or newer. The Microsoft Store keeps the Windows 365 app up to date, which reduces the maintenance burden on IT admins.

Depending on what is more convenient for your organization, IT admins can deploy the app to end users with Microsoft Intune, or end users can install it themselves:

  • Navigate to the Microsoft Store for Windows and look up Windows 365.
  • Select Get to install Windows 365.
  • Select Open.

Another option is to download the Windows 365 app directly from windows365.microsoft.com. After completing these steps, it can take a few hours before Switch is fully enabled on your device.
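Before rolling Switch out, it helps to check each physical device against the prerequisites above rather than waiting for users to report that Task view shows nothing. The following is an added example (my own, not from the article or from Microsoft) that reads the exact OS build including the update revision from the registry and the installed Windows 365 app version, and compares both against the minimums given in this article. The Store package name MicrosoftCorporationII.Windows365 is an assumption; confirm it on a device with `Get-AppxPackage *Windows365*`.

```powershell
# Added example: check a Windows 11 physical device against the Windows 365 Switch prerequisites
# (OS build 22621.2361 or later, Windows 365 app 1.3.185.0 or newer, Pro or Enterprise edition).
# The Store package name is assumed; verify it with Get-AppxPackage *Windows365*.
function Test-W365SwitchReadiness {
    [CmdletBinding()]
    param(
        [version] $MinOsBuild     = '10.0.22621.2361',
        [version] $MinAppVersion  = '1.3.185.0',
        [string]  $AppPackageName = 'MicrosoftCorporationII.Windows365'
    )
    # Build and UBR (the ".2361" part) live in the registry; [Environment]::OSVersion hides the UBR.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [version]"10.0.$($cv.CurrentBuild).$($cv.UBR)"

    $app    = Get-AppxPackage -Name $AppPackageName -ErrorAction SilentlyContinue | Select-Object -First 1
    $appVer = if ($app) { [version]$app.Version } else { $null }

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Edition      = $cv.EditionID
        EditionOk    = $cv.EditionID -in @('Professional', 'Enterprise')
        OsBuild      = $build
        OsBuildOk    = $build -ge $MinOsBuild
        AppVersion   = $appVer
        AppVersionOk = ($null -ne $appVer) -and ($appVer -ge $MinAppVersion)
    }
    $result | Add-Member -NotePropertyName Ready `
        -NotePropertyValue ($result.EditionOk -and $result.OsBuildOk -and $result.AppVersionOk)
    $result
}

$r = Test-W365SwitchReadiness
$r | Format-List
if (-not $r.Ready) {
    if (-not $r.EditionOk)    { Write-Warning "Edition '$($r.Edition)' is not Windows 11 Pro or Enterprise." }
    if (-not $r.OsBuildOk)    { Write-Warning "OS build $($r.OsBuild) is below 22621.2361: run Windows Update and restart." }
    if (-not $r.AppVersionOk) { Write-Warning "Windows 365 app missing or older than 1.3.185.0: install or update it from the Microsoft Store." }
    exit 1
}
```

Run it as the signed-in user (Get-AppxPackage without -AllUsers reports that user's packages), or wrap it in an Intune remediation script so the non-zero exit code flags non-compliant devices centrally.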

Introducing the new updates

Anyone planning on using the new updates needs to ensure that they are enrolled on the Windows Insider Dev Channel. To do that, you need to follow the steps given below:

  • Under Settings, go to Windows Update > Windows Insider Program. Select Get Started and this will initiate the enrollment process.
  • Sign in with your Microsoft account.
  • Select Dev Channel and Continue.
  • To complete the enrollment process, you need to restart the device.
  • Next, you need to navigate to the Windows Update Settings page and select Check for updates. Here you should select Install all until all the latest Windows updates have been installed.

Your organization can also use Microsoft Intune to enroll endpoints on a larger scale into the Windows Insider Program. To do that, pre-release builds for Windows updates must be enabled. And you must select Dev Channel as the pre-release channel.

What has been added to Windows 365 Boot?

Dedicated mode for Windows 365 Boot

According to the recent announcement, Microsoft is launching a new dedicated mode for Windows 365 Boot. This option, now in public preview, lets you log in to your Windows 365 Cloud PC from your designated company-owned device.

It simplifies the login process by letting users sign in to their Cloud PC from the Windows 11 login screen using passwordless authentication methods such as Windows Hello for Business.

The dedicated mode also comes with a fast account-switching experience, so users can switch profiles to log in. They can also personalize the experience: sign in with their usernames and passwords, display a picture on the lock and login screens, and have their usernames remembered, among other things.

New Microsoft Intune integration for Windows 365 Boot dedicated mode

Going forward, customers will be able to enable the Windows 365 Boot dedicated mode via Microsoft Intune. The integration of Windows 365 with Microsoft Intune allows everyone from IT admins to end-users to have an overall improved experience.

This is because the Microsoft design of both these products is such that they complement each other perfectly. This integration offers multiple benefits that would be pretty difficult to ignore such as:

  • Familiarity with how Microsoft Intune works and the ability to leverage this knowledge to give you an even better Windows 365 experience.
  • Your organization can potentially reduce expenses because of supporting only a single platform regardless of department.
  • IT admins will also get the convenience of using existing profiles as well as deploying existing apps that you already have in your Microsoft Intune inventory.
  • Your organization can apply the same Intune security controls to the Cloud PC that it already applies to other managed devices.

Among the newly added features is an option that adds Windows Hello support to Windows 365 Boot. You can reach it through the Intune guided scenario as follows:

  • Go to Devices > Windows 365
  • Under Windows 365 Guides, select Windows 365 Boot or Windows 365 Boot – Public Preview.

Company branding for Windows 365 Boot shared mode

In shared mode, you can use Microsoft Intune to customize the login page with your company branding. To enable a custom company logo and name in Microsoft Intune:

  • Go to Home > Devices > Windows 365 Boot.
  • In the Settings menu, search for Personalization.

Fail fast mechanism for Windows 365 Boot

I’m sure that many have been frustrated by the experience of having to wait for the sign-in process to the Cloud PC to complete. And then finding out that Windows 365 Boot failed due to network issues or incomplete setup. It’s not exactly the most pleasant way for you to get started on an urgent project.

Fortunately, this issue is being addressed so that you won't have to wait for a sign-in that is going to fail. New smart logic gives users timely instructions to fix network issues or complete app setup, so that the login to the Cloud PC is seamless.

Manage local PC settings through Windows 365 Boot

From the beginning, the goal with Windows 365 has been ease of use. Microsoft wants to ensure that using the Cloud PC is a comfortable experience that allows users to work at maximum efficiency and thus improve productivity. Something as simple as managing your local PC settings can end up frustrating, especially if you need to make regular changes.

This is why a newly added feature will simplify matters by making it easier to access and manage sound, display, and other device-specific settings of your local PC directly from your Cloud PC in Windows 365 Boot. So, from now on, anything that Cloud PC users need, will not be more than a few clicks away.

New Capabilities for Windows 365 Switch

In addition to the above, there are also a few new features added to Windows 365 Switch. In this section, we’ll be going over what those new capabilities are.

Improved disconnect experience for Windows 365 Switch

Users will now be able to disconnect from their Cloud PCs directly from the local PC. As you would expect, this adds immensely to the concept of ease of use. Cloud PC users gain additional convenience that further simplifies the process of signing in and out. To disconnect from your Cloud PC directly from the local PC, all you have to do is:

  • Navigate to Local PC > Task view.
  • Right-click on the Cloud PC button. Select Disconnect.

To make this even easier, Windows 365 also shows tooltips on the disconnect and sign-out options in the Cloud PC Start menu, so users can tell the two apart: disconnecting leaves the session running on the Cloud PC, while signing out ends it.

Desktop indicators differentiate between Cloud PC and local PC for Windows 365 Switch

In an effort to make things easier to see and manage, Windows 365 now has indicators to differentiate between Cloud PC and local PC. So, from now on, when you switch between your respective PCs, you should see Cloud PC and Local PC on the desktop indicator.

Gracefully handling increased connection time for Windows 365 Switch to Frontline Cloud PCs

Another new addition is the ability to see Cloud PC connection status updates and a connection timeout indicator while waiting on the connection screen. If you hit an error, you can copy the correlation ID with the new copy button on the error screen and pass it to support, which speeds up troubleshooting for admins and end users alike.

Windows 365 offers an always up-to-date environment

AUTOMATION OF UPDATES

All the new capabilities we have discussed show that Windows 365 is very much committed to ensuring that customers have a service that is constantly improving. They can depend on this service to get even better to improve the end-user experience.

One of the most important things in this respect is to provide automated updates. This is because it can help minimize disruptions. No one wants to interrupt their workday to deal with updates, especially not knowing how long the update process could take. Even while being aware of the security risks of ignoring updates, people can still continue without actually installing them.

This inspires the need for automated updates. Windows 365 can ensure that your devices remain up-to-date at a time that is convenient and doesn’t cause downtime.

This gives you the flexibility to plan and coordinate the installation of automated updates for both the operating system and the applications on your Cloud PCs, and to schedule them for non-working hours.

Because these updates are automatic, they also reduce the workload on IT staff by eliminating manual tasks, while your business gets the latest features and maintains a high security level.

AUTOMATIC PATCHING

To complement automatic updates, Windows 365 customers also get a patch management service that scans for and detects needed security patches before they're downloaded and installed.

This helps IT admins keep the devices under their control up to date with the latest security patches, and removes the need to check each device manually to see whether the necessary patches are applied.

Applying feature updates and security patches automatically shrinks the window in which attackers can exploit known vulnerabilities. The last thing any organization wants is to give adversaries all the time they need to take advantage of weaknesses in its security.

You need features that help reduce the attack surface while keeping employee productivity unaffected by potential security breaches. Businesses also benefit from reduced expenses for device lifecycle management and repairs.

Wrap up

If you talk to any IT professional about updates, you’ll probably get a very long discussion about keeping your devices secure and optimized. Whether we’re talking about the PC you use at work or your personal mobile device, regular software and security updates are extremely important to ensure that these devices perform at optimum levels.

In this article, we’ve been discussing the new capabilities that have been added to Windows 365 Boot and Windows 365 Switch to make the Cloud PC an even better product.

We all know of the long list of great features that were built into the Windows 365 Cloud PC when it was first introduced. In spite of that, however, any device or service needs constant improvement if it’s to keep up with all the innovation that we are witnessing year after year.

This is why features such as the ones we have gone over today are so vitally important for improving the experience for Cloud PC users. And as we move forward, we should only expect even greater features for Windows 365.

Unleashing The Power of Device Management with Intune and Declarative Management

Many businesses are increasingly adopting mobile devices, such as phones and tablets, as standard tools for their employees. As these devices become more powerful and technologies like 5G become more available, it makes perfect sense for businesses to take advantage if it makes their employees more productive. That’s where device management comes into play.

This has seen many organizations start to implement bring-your-own-device (BYOD) policies as the changes to traditional workplaces pick up momentum. However, there will be a need for effective device management solutions that can reduce the burden on IT staff while simultaneously enhancing the end-user experience.

One such solution is Apple’s new approach to device management, called Declarative Device Management (DDM). Products like these are heralding the future of device management by offering a wide array of new features.

What is Declarative Device Management?

Declarative management represents the future of device management. A relatively new offering from Apple, Declarative Device Management is a transformative update to the MDM protocol that brings policy management to the devices themselves.

This solution enables devices to be autonomous and proactive. It can also be used together with the existing MDM protocol capabilities. One of the main advantages of having autonomous devices is that they can react to state changes. They then apply management logic to themselves without needing action from the server.

As a result, you get greater performance and increased scalability, which helps keep your organization’s devices running at optimum levels. Devices that are both autonomous and proactive are the key elements that make declarative management the ideal solution going forward.

Furthermore, declarative management works in a way that keeps devices in the best possible state and keeps important data secure, regardless of whether or not the device has an internet connection. This gives users a more responsive experience that can help improve their efficiency.

And to assuage any concerns customers may have, Apple assures clients that although the offering may be new, the protocol is not: the declarative functionality has been built into the existing MDM protocol.

Therefore, customers can expect to have access to a device management service that will streamline all management processes. And it improves the experience not only for end-users but for IT admins as well.

Requirements

As with any product, there are minimum requirements to consider if your organization wants to have access to Declarative Device Management.

| Operating System | Versions Supported |
|---|---|
| macOS | Ventura 13 and later |
| iOS | 15 for user enrollment only; 16 and later for all enrollment types |
| iPadOS | 15 and later |
| tvOS | 16 and later |
| watchOS | 10 and later |

Advantages of DDM

Probably the biggest benefit that users stand to gain from DDM is the improvement in device performance. With the main features on offer, devices can act proactively and more autonomously. This means that any actions requiring implementation will execute faster because there is no waiting for the server. Because of this efficiency, you should expect to have far more accurate device information that will also report back much faster.

This improvement in how devices run will also be a welcome change for IT admins. With certain actions being automated, administrators will have more time to prioritize and focus on more productive tasks. And all of this happens in a highly secure environment, meaning that taking advantage of these benefits will not come at the cost of data and device security.

Core data models

Declarative management comes with three main core data models, and these are as follows:

DECLARATIONS

Declarations refer to the payloads that servers define, forward to devices, and represent the state or behavior that businesses want for their devices. There are four types of declarations:

| Declaration Type | Description |
|---|---|
| Configurations | Not dissimilar to what we’ve already been using for the application of settings and restrictions on devices. |
| Assets | Refers to the reference data that configurations need for large data items and per-user data. |
| Activations | Group of configurations that are automatically applied to a device. Activations and configurations have a many-to-many type of relationship. Another thing to note is that activations can support complex predicate expressions using an extended predicate syntax. |
| Management | The role of management is to transmit to the device key information about the organization as well as details about the MDM solution. |

STATUS CHANNEL

The status channel is a key means of communication in declarative management, and it is responsible for conveying information when the state of the device changes. When these changes occur, the device proactively updates the server via status reports containing details of the update. An important thing to note is that the server can be configured to subscribe only to specific status items, meaning it receives only the updates it considers necessary.

EXTENSIBILITY

Extensibility enables organizations to better tailor declarative management to meet their business needs. This feature gives you the flexibility of integrating with other products so that end-users have the best possible options available. What this gives you is a platform that enables both devices and MDM servers the ability to support new features as and when they release.

Introducing DDM to your organization

How to manage the transition to DDM

Companies developing tech products and services should design them to be relatively easy to use if they want to draw in customers. To that end, the transition to declarative device management is made much easier by functions built into the MDM protocol.

For instance, you will be able to embed existing profiles into a legacy profile declaration. Another good example would be how you can have an MDM solution take ownership of a profile that has already been deployed and subsequently migrate it into a legacy configuration declaration. The advantage of this action is that it eliminates the need to remove an existing profile to replace it with a configuration that may not be suitable for the user.

Integration of declarative management within the MDM protocol

Part of what makes Declarative Device Management such a great option is how it integrates into the MDM protocol. Not only that, but existing MDM vendors already have access to the features that are on offer.

The significance of integration within the MDM protocol is that declarative management will leverage it for the management of key areas including both enrollment and unenrollment, HTTP transport, as well as device and user authentication.

Moreover, DDM intends to make the transition from existing MDM products as seamless as possible. This means that you don’t have to worry about dealing with disruptive changes to adopt new protocols.

To add to the convenience, you’ll also find that declarations and the status channel will coexist with your existing MDM commands and profiles. By setting it up this way, DDM gives organizations the flexibility to adopt declarative management features at their own pace.

Because of this, you won’t need to immediately update all of your MDM workflows. Another very important thing to note is that declarative management will not affect existing MDM behaviors. What you’ll actually find is that declarative management utilizes existing MDM behaviors, using an MDM command for activation and an MDM CheckIn request for synchronization and status reports.

Activating declarative management

Declarative management is activated by a new DeclarativeManagement command added to MDM. This command plays two roles. Firstly, it activates the declarative management features on a device. Before proceeding, however, you need to know that you won’t be able to turn off declarative management once you’ve turned it on. You do still get a way out if the need arises: by having the server remove all declarations, you will, for all intents and purposes, disable declarative management.

The second thing the command can do is include a payload containing synchronization tokens, which will initiate a synchronization flow if necessary. Additionally, there is a new CheckIn request type that devices use to synchronize declarations and send status reports to the server. When a device uses the CheckIn request to synchronize declarations, the server replies with one of two types of response:

  • A manifest that lists the identifier and server token properties of all declarations defined by the server.
  • Single declarations for the device to apply.
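As an added example (not Apple’s, Intune’s or this article’s code), the following Python model walks through the pieces described above: the four declaration types, the activation command, the manifest and single-declaration responses to a CheckIn sync, and a status channel the server subscribes to selectively. The field names, identifiers and the dictionary-style predicate are assumptions for illustration, not Apple’s wire format.

```python
# Added example (not Apple's, Intune's or the article's code): a simplified model of the
# declarative-management flow described above. Field names (Type, Identifier, ServerToken,
# Payload, Declarations, DeclarationsToken), identifiers and the dict predicate are assumptions.
import hashlib
import json

DECLARATION_TYPES = ("Configurations", "Assets", "Activations", "Management")


def server_token(payload):
    """Token that changes whenever a declaration's payload changes."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:16]


class MdmServer:
    """Defines declarations and answers the device's CheckIn sync requests."""
    def __init__(self, subscribed_status_items):
        self.declarations = {}                     # identifier -> declaration
        self.subscribed = set(subscribed_status_items)
        self.received_status = []
    def define(self, dtype, identifier, payload):
        assert dtype in DECLARATION_TYPES, dtype
        self.declarations[identifier] = {"Type": dtype, "Identifier": identifier,
                                         "ServerToken": server_token(payload), "Payload": payload}
    def manifest(self):
        """Response 1: identifier and server token of every declaration."""
        listing = {t: [] for t in DECLARATION_TYPES}
        for d in self.declarations.values():
            listing[d["Type"]].append({"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
        return {"Declarations": listing, "DeclarationsToken": server_token(listing)}
    def declaration(self, identifier):
        """Response 2: one declaration for the device to apply."""
        return self.declarations[identifier]
    def receive_status(self, report):
        """Status channel: keep only the status items this server subscribed to."""
        kept = {k: v for k, v in report.items() if k in self.subscribed}
        self.received_status.append(kept)
        return kept


class Device:
    def __init__(self, properties):
        self.properties = properties               # e.g. {"device.os.family": "iOS"}
        self.enabled = False
        self.applied = {}                          # identifier -> declaration
        self.declarations_token = None
    def declarative_management_command(self, server):
        """The MDM command that turns DDM on; there is no command to turn it off again."""
        self.enabled = True
        return self.checkin_sync(server)
    def checkin_sync(self, server):
        """CheckIn sync: fetch only declarations whose server token changed, drop those the
        server no longer defines, then send a status report. Returns the fetched identifiers."""
        if not self.enabled:
            raise RuntimeError("declarative management has not been activated")
        manifest = server.manifest()
        if manifest["DeclarationsToken"] == self.declarations_token:
            return []                              # nothing changed since the last sync
        wanted = {e["Identifier"]: e["ServerToken"]
                  for entries in manifest["Declarations"].values() for e in entries}
        fetched = [i for i, tok in wanted.items() if self.applied.get(i, {}).get("ServerToken") != tok]
        for ident in fetched:
            self.applied[ident] = server.declaration(ident)
        for ident in [i for i in self.applied if i not in wanted]:
            del self.applied[ident]
        self.declarations_token = manifest["DeclarationsToken"]
        server.receive_status(self.status_report())  # the device reports proactively
        return fetched
    def active_configurations(self):
        """Configurations reached through an activation whose predicate holds on this device."""
        active = set()
        for act in (d for d in self.applied.values() if d["Type"] == "Activations"):
            if all(self.properties.get(k) == v for k, v in act["Payload"].get("Predicate", {}).items()):
                active.update(c for c in act["Payload"]["StandardConfigurations"]
                              if self.applied.get(c, {}).get("Type") == "Configurations")
        return sorted(active)
    def status_report(self):
        return {**self.properties, "configurations.active": self.active_configurations(),
                "management.declarations.count": len(self.applied)}


def demo():
    """Activate, sync, change one payload, then remove every declaration."""
    server = MdmServer(subscribed_status_items={"configurations.active"})
    server.define("Management", "mgmt.org", {"Organization": "example-org (placeholder)"})
    server.define("Configurations", "cfg.passcode", {"MinimumLength": 6})
    server.define("Configurations", "cfg.wifi", {"SSID": "corp-wifi (placeholder)"})
    server.define("Activations", "act.ios", {"StandardConfigurations": ["cfg.passcode", "cfg.wifi"],
                                             "Predicate": {"device.os.family": "iOS"}})
    device = Device({"device.os.family": "iOS"})
    first = device.declarative_management_command(server)   # full sync of all four
    unchanged = device.checkin_sync(server)                 # nothing to fetch
    server.define("Configurations", "cfg.passcode", {"MinimumLength": 8})
    delta = device.checkin_sync(server)                     # only the edited declaration
    active = device.active_configurations()
    server.declarations.clear()                             # removing everything in effect disables DDM
    device.checkin_sync(server)
    return first, unchanged, delta, active, len(device.applied), server.received_status[-2]
```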

Improved management enhances BYOD

Most of us may have noticed over the last few years that Bring-Your-Own-Device (BYOD) policies are growing in popularity across various business sectors. Similar to declarative management, BYOD can help organizations make better use of the technology available to them and improve the efficiency of their employees.

But, one thing you’ll be quick to notice about employees using their personal devices to connect to enterprise networks is that it can drastically reduce an organization’s capital outlay for devices. And as management solutions continue to get better, the security concerns that you might have about personal devices accessing sensitive corporate data are being addressed.

However, even with the potential financial gains, adopting BYOD policies would still be a difficult sell without effective management services available. This is why services such as Microsoft Intune’s web-based device enrollment for iOS/iPadOS are bringing new features to the table.

What this service will do is eliminate the need for the Company Portal app thereby providing a faster enrollment process that also delivers an improved user experience. Your life as an MDM admin should get somewhat more comfortable given that you’ll now be able to enroll personal devices in Microsoft Intune without users having to first install additional apps.

App- or web-based enrollment

Microsoft Intune simplifies device enrollment for Apple users through the availability of Apple device enrollment. This service provides key iOS/iPadOS management capabilities for users in the Microsoft Intune admin center without compromising the security of personal data. When it comes to device enrollment, there are two options: app-based enrollment and web-based enrollment. So, if you navigate to the Intune admin center, the device enrollment options you’ll see are:

  • Device enrollment with the Company Portal
  • Web-based device enrollment

You’ll need to create an enrollment profile in the admin center to select and configure enrollment types. To do that:

  • Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment
  • Select Enrollment types.

To simplify the process of Microsoft Entra registration within the employee’s work apps and reduce the number of times they have to authenticate, web-based enrollment leverages just-in-time (JIT) registration with the Apple single sign-on (SSO) extension. JIT registration can be enabled for enrollments by creating a device configuration profile with an SSO app extension policy. Intune clarifies that using JIT registration with web-based enrollment is not mandatory, but it is highly recommended if you want a better experience for end-users.

EXPLAINING JUST-IN-TIME REGISTRATION

According to Microsoft Intune:

“Just in Time registration within the enrollment flow is an improvement to the Setup Assistant with a modern authentication enrollment method since it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking.”

The overall goal of JIT registration is to streamline the process for users by eliminating the Company Portal requirement which by extension removes some of the complex steps that users have had to deal with. By using JIT registration, all users will need to do to enroll their iOS devices is sign in with their corporate credentials.

To successfully complete the enrollment process, users must sign in with their corporate credentials. Doing this will authenticate them via Entra ID and automatically register their device with Intune. Setting up just-in-time registration requires your business to have an active Apple Business Manager or Apple School Manager account as well as devices that are eligible for JIT registration. Additionally, network settings will need configuration accordingly for enrolled devices and Intune to communicate. In the table below, you’ll find the details concerning web and app enrollment:

| Specification | App-based enrollment | Web-based enrollment |
|---|---|---|
| Supported version | iOS/iPadOS 14 and later | iOS/iPadOS 15 and later |
| BYOD and personal devices | Yes | Yes |
| Device associated with a single user | Yes | Yes |
| Device reset required | No | No |
| Enrollment initiated by the device user | Yes | Yes |
| Supervision | No | No |
| Just-In-Time registration | No | Yes |
| Required apps | Intune Company Portal app for iOS, Microsoft Authenticator | Microsoft Authenticator |
| Enrollment location | Company Portal app, Safari, and the device settings app | Safari and the device settings app |

Setting up web-based enrollment

Web-based enrollment is designed to speed up the enrollment process and give users a more user-friendly experience. Because users can do all they need to in Safari and in their device settings, the Company Portal app will no longer be required.

Furthermore, once you have enabled JIT registration, Intune can use it with the Microsoft Authenticator app for registration of the device and SSO thus eliminating the need for users to sign in constantly during enrollment and when accessing work apps. To set up web-based enrollment, you’ll need to follow the steps below:

Set up just-in-time registration

Before proceeding, you’ll need to verify that you meet the requirements:

  • Apple user enrollment: Account-driven user enrollment
  • Apple device enrollment: Web-based device enrollment
  • Apple automated device enrollment: For enrollments that use Setup Assistant with modern authentication as the authentication method.

Once you’ve checked the requirements, you can now proceed to create an SSO app extension policy that uses the Apple SSO extension to enable JIT registration. With that done, follow the steps below:

  • Sign in to the Microsoft Intune admin center.
  • Navigate to Device features > Category > Single sign-on app extension. Here you need to create an iOS/iPadOS device configuration policy.
  • Select Microsoft Entra ID for SSO app extension type.
  • For any non-Microsoft apps using SSO, you must add the app bundle IDs. Because the SSO extension is automatically applied to all Microsoft apps, it’s better not to add Microsoft apps to your policy. This way you can stay away from authentication issues. Also, note that the Microsoft Authenticator app will be later added in an app policy so you should avoid adding it to the SSO extension as well.
  • Under Additional configuration, add the required key-value pair. For JIT to work properly, you must eliminate trailing spaces before and after the value and key.
    Key: device_registration, Type: String, Value: {{DEVICEREGISTRATION}}
  • Microsoft Intune also recommends that you add the key-value pair that enables SSO in the Safari browser for all apps in the policy. And similar to the previous step, you’ll need to eliminate trailing spaces before and after the value and key for JIT to work properly.
    Key: browser_sso_interaction_enabled, Type: Integer, Value: 1
  • Select Next.
  • For Assignments, you must assign the profile to all users (or designate specific groups), then select Next.
  • You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
  • Lastly, you need to head over to Apps > All apps and assign Microsoft Authenticator to groups as a required app.
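The following Python check, added here and not part of Intune or this article, lints an SSO app extension policy against the rules in the steps above: the Microsoft Entra ID extension type, no Microsoft app bundle IDs in the list, the required and recommended key-value pairs with their types, and no leading or trailing whitespace around keys or values. The policy dictionary layout and the bundle IDs are assumptions for illustration, not Intune’s export format.

```python
# Added example (not Intune's or the article's code): checks the single sign-on app
# extension policy settings from the steps above. The policy dictionary layout and the
# bundle IDs are assumptions for illustration, not Intune's export format.
REQUIRED = {"device_registration": ("String", "{{DEVICEREGISTRATION}}")}
RECOMMENDED = {"browser_sso_interaction_enabled": ("Integer", "1")}
MICROSOFT_BUNDLE_PREFIX = "com.microsoft."   # Microsoft apps receive the extension automatically


def lint_sso_policy(policy):
    """Return a list of findings; an empty list means the policy follows the steps above."""
    findings = []
    if policy.get("extension_type") != "Microsoft Entra ID":
        findings.append("SSO app extension type must be Microsoft Entra ID")
    for bundle_id in policy.get("app_bundle_ids", []):
        if bundle_id.strip().lower().startswith(MICROSOFT_BUNDLE_PREFIX):
            findings.append(f"remove Microsoft app {bundle_id.strip()!r}: covered automatically, "
                            "adding it can cause authentication issues")
    seen = {}
    for pair in policy.get("additional_configuration", []):
        key, value, ptype = pair.get("key", ""), str(pair.get("value", "")), pair.get("type")
        if key != key.strip() or value != value.strip():
            findings.append(f"leading/trailing whitespace in pair {key.strip()!r} breaks JIT registration")
        seen[key.strip()] = (ptype, value.strip())
    for key, expected in REQUIRED.items():
        if key not in seen:
            findings.append(f"missing required pair {key!r}")
        elif seen[key] != expected:
            findings.append(f"{key!r} must be {expected[0]} {expected[1]!r}, found {seen[key]}")
    for key, expected in RECOMMENDED.items():
        if seen.get(key) != expected:
            findings.append(f"recommended pair {key!r} = {expected[0]} {expected[1]!r} not set")
    return findings


def normalize_pairs(policy):
    """Copy of the policy with whitespace stripped from every key and value."""
    fixed = dict(policy)
    fixed["additional_configuration"] = [
        {**p, "key": p["key"].strip(), "value": str(p["value"]).strip()}
        for p in policy.get("additional_configuration", [])]
    return fixed


# Constructed policy showing the mistakes the steps above warn about (placeholder bundle IDs).
BAD_POLICY = {
    "extension_type": "Microsoft Entra ID",
    "app_bundle_ids": ["com.example.lob-app", "com.microsoft.example-app"],
    "additional_configuration": [
        {"key": "device_registration ", "type": "String", "value": " {{DEVICEREGISTRATION}}"},
        {"key": "browser_sso_interaction_enabled", "type": "String", "value": "1"},
    ],
}
```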

Create enrollment profile

An enrollment profile is necessary for all devices enrolling via web-based device enrollment. Once created, this profile will initiate the device user’s enrollment experience thereby allowing them to begin enrollment in Safari.

  • Navigate to Devices > Enrollment in the Intune admin center. Select the Apple tab.
  • Select Enrollment types (preview) under Enrollment Options.
  • Select Create profile > iOS/iPadOS.
  • Go to the Basics page and type in a name and description for the profile. This allows you to distinguish this profile from others in the admin center. Select Next.
  • Navigate to the Settings page, for Enrollment type, select Web based device enrollment. Select Next.
  • Head over to the Assignments page and assign the profile to all users or a group of users. Select Next.
  • You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.

PREPARING EMPLOYEES FOR ENROLLMENT

Employees will be alerted by the app as to the enrollment requirements when they try to sign in to work apps on their personal devices. They will then be redirected to the Company Portal website for enrollment. The other option would involve you giving users a URL that opens the Company Portal website. For those not using Conditional Access, you’ll need to remember to share the enrollment link with device users so that they know how to initiate enrollment. The enrollment steps for device users are as follows:

  • Open Safari and sign in to your Company Portal website with your work or school account.
  • Next, you should get a prompt to download the management profile and this will be downloaded by the Company Portal while you wait in Safari.
  • Navigate to your device settings app to view and install the management profile.
  • Signing in to a work or school app can only happen after the Microsoft Authenticator is installed. The device will only be ready for use after this installation.
  • Now you can use your work account to sign in to a work app, such as Microsoft Teams.
  • You’ll then need to wait while the app identifies the required setting updates.

Wrap up

The future of device management lies in the integration of the best products and services that are available to customers. Often, we can get caught up debating which tech company offers the best services to meet our needs. But, as we are seeing with Microsoft Intune and Apple device management solutions, bringing together great products to coexist can deliver far more for the end-users.

Declarative management looks like a brilliant solution that is going to deliver a seamless user experience that could improve productivity. It’s therefore no surprise that when combined with what Microsoft Intune has to offer, businesses can look forward to better, faster, and more efficient device management.

Troubleshooting Tenant Attach and Device Action Issues

Microsoft has given us countless different products and services over the last few decades. Undoubtedly, we know the important role they have played for individuals and businesses on the journey towards utilizing technology to better our lives. When looking at the Microsoft ecosystem, one of the best examples of undeniable excellence is the Microsoft Intune family of products.

With this product, Microsoft gives you an integrated solution that enables you to seamlessly manage all your devices. Central to this solution is the single console that we know as the Microsoft Intune admin center which brings together Intune and Configuration Manager.

The capabilities of this platform can offer your organization a premium device-management solution like no other. The area that we want to focus on today will have to do with the troubleshooting of tenant attach and device actions.

Comparing Tenant Attach to Co-management

For a lot of people, it may be difficult to distinguish between these two. So, let’s start by looking at where these two options differ. Both of these make up two of the three primary cloud attach features. For a Configuration Manager environment to be cloud-attached, it has to use at least one of the three primary cloud attach features.

Tenant Attach gives you the advantage of having your device records in the cloud as well as the ability to take actions on these devices from the cloud-based console. IT admins can perform remote actions on tenant-attached devices such as sync machine policy, sync user policy, run scripts on clients, deploy applications, and much more.

Furthermore, users will be able to manage endpoint security for the attached devices from the Intune admin center for both Windows Servers and Client devices.

On the other hand, Co-management is going to modify your on-premises Configuration Manager environment without the need for a significant migration effort.

One of the more attractive features of Co-management is how it allows you to easily switch workloads such as compliance policies from SCCM to Intune. By enabling you to manage workloads from the cloud, your organization gets to benefit from a simpler device management experience.

Tenant Attach prerequisites

To make use of Tenant Attach, you will need to meet the following requirements:

  • When you decide to apply this onboarding change, you’ll need to sign in using an account that is a Global Administrator.
  • An Azure cloud environment.
  • With version 2107, United States Government customers will be able to use tenant attach features in the US Government cloud such as account onboarding, tenant sync to Intune, device sync to Intune, and device actions in the Microsoft Intune admin center.
  • The Azure tenant and the service connection point must have the same geographic location.
  • To access the Microsoft Intune admin center, there needs to be at least one Intune license for the administrator.
  • The administration service in Configuration Manager needs to be functional.
  • If your central administration site has a remote provider, you need to follow the instructions for the CAS has a remote provider scenario in the CMPivot article.

PERMISSIONS

In addition to the above, there will also be a few requirements for the user accounts performing device actions and these include:

  • The user account should be a synced user object in Microsoft Entra ID (hybrid identity).
  • The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.

The troubleshooting process

Now and again, all of us will encounter issues with the products and services we use. That’s why it’s important to work with providers that offer great support services so that we avoid downtime. Microsoft puts a lot of effort into ensuring that customers get as much support as they need for the various products in its ecosystem. Understandably, tenant attach is no different.

At this point, most admins should be aware that you can sync Configuration Manager clients to the Microsoft Intune admin center. And from that admin center, some client actions can run on the synchronized clients.

These available actions include the sync user policy, sync machine policy, and app evaluation cycle. After an administrator runs an action from the Microsoft Intune admin center, the notification request will forward to the Configuration Manager site. And from there, it will forward to the client.

LOG FILES

The logs you need to use will be found on the service connection point and these are:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log

You should also use the logs located on the management point:

  • BgbServer.log

Lastly, there are other logs that will be found on the client:

  • CcmNotificationAgent.log

Review your upload

You’ll need to follow the steps given below:

  • Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  • You will see the next sync time recorded in a log entry similar to: Next run time will be at approximately: 02/28/2024 10:15:30.
  • The log entries that you should look at for device uploads look like: Batching N Records. Here, N represents the number of changed devices uploaded since the last upload.
  • Admins should expect uploads every 15 minutes for changes. However, once that is done, they will probably need to wait up to 10 minutes to view the client changes appearing in the Microsoft Intune admin center.

Configuration Manager components and log flow

SMS_SERVICE_CONNECTOR: Uses the Gateway Notification Worker to process the notification from the Microsoft Intune admin center.

SMS_NOTIFICATION_SERVER: Receives the notification and subsequently creates a client notification.

BgbAgent: The client gets the task and runs the requested action.

SMS SERVICE CONNECTOR

Following the initiation of an action from the Microsoft Intune admin center, the CMGatewayNotificationWorker.log will process the request.

Received new notification. Validating basic notification details…

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

A notification is received from the Microsoft Intune admin center.

Received new notification. Validating basic notification details..

Validation of user and device actions is carried out.

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarding of the remote task to the SMS NOTIFICATION SERVER.

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

SMS NOTIFICATION SERVER

At this point, you should be expecting a task to be sent from the management point to the corresponding client as soon as the message has been forwarded to the SMS NOTIFICATION SERVER. In the BgbServer.log, which is on the management point, you should see the following:

Get one push message from database.

Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients  with throttling (strategy: 1 param: 42)

BgbAgent

The last step will occur on the client and you can view it in the CcmNotificationAgent.log. As soon as the task has been received, it will then request the scheduler to carry out the action. And once the action has been carried out, a confirmation message will appear:

Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=

Send Task response message <BgbResponseMessage TimeStamp="2020-01-21T15:43:43Z"><PushID>8</PushID><TaskID>9</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfully.

Common issues

In this section, we’ll take a look at some of the issues that admins may often encounter.

Unauthorized to perform client action

For whatever reason, there may be situations where administrators may not have the required permissions in Configuration Manager. If that happens, you’ll see an Unauthorized response in the CMGatewayNotificationWorker.log.

Received new notification. Validating basic notification details..

Validating device action message content…

Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78

Administrators should verify that the user running the action from the Microsoft Intune admin center has all the necessary permissions on the Configuration Manager site.
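The following Python script, added here and not Microsoft’s or this article’s code, puts the log flow and the Unauthorized case into one check: it parses constructed lines in the formats shown above for CMGatewayNotificationWorker.log, BgbServer.log and CcmNotificationAgent.log, follows one TaskGUID through the three components, names the log to open next when the chain stops, and lists the Entra user IDs the site refused.

```python
# Added example (not Microsoft's or the article's code): correlates one device action across
# the three logs described above by TaskGUID, reports how far it got, and lists users that
# were refused. The log lines below are constructed from the formats shown in the article.
import re

CM_GATEWAY_NOTIFICATION_LOG = """\
Received new notification. Validating basic notification details..
Validating device action message content...
Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2
Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1
Received new notification. Validating basic notification details..
Validating device action message content...
Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78
"""
BGB_SERVER_LOG = """\
Get one push message from database.
Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients  with throttling (strategy: 1 param: 42)
"""
CCM_NOTIFICATION_AGENT_LOG = """\
Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=
Send Task response message <BgbResponseMessage TimeStamp="2020-01-21T15:43:43Z"><PushID>8</PushID><TaskID>9</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfully.
"""

GUID = r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
AUTHZ = re.compile(r"^(Authorized|Unauthorized) to perform client action\. TemplateID: (\S+).*AADUserID:\s*" + GUID, re.I)
FORWARDED = re.compile(r"Forwarded BGB remote task\. TemplateID: (\d+) TaskGuid: " + GUID, re.I)
PUSHED = re.compile(r"Starting to send push task \(PushID: (\d+) TaskID: (\d+) TaskGUID: " + GUID, re.I)
RECEIVED = re.compile(r"Receive task from server with pushid=(\d+), taskid=(\d+), taskguid=" + GUID, re.I)
RESPONSE = re.compile(r"<BgbResponseMessage .*?<ReturnCode>(\d+)</ReturnCode>", re.I)

# Hop order from the article, with the log to open when the next hop is missing.
HOPS = [("forwarded", "CMGatewayNotificationWorker.log on the service connection point"),
        ("pushed", "BgbServer.log on the management point"),
        ("received", "CcmNotificationAgent.log on the client"),
        ("completed", "CcmNotificationAgent.log on the client (no BgbResponseMessage yet)")]


def parse_gateway(text):
    """Authorization decisions and forwarded tasks from CMGatewayNotificationWorker.log."""
    decisions, tasks = [], {}
    for line in text.splitlines():
        if m := AUTHZ.match(line):
            decisions.append({"result": m.group(1).capitalize(), "template": m.group(2),
                              "user": m.group(3).lower()})
        elif m := FORWARDED.search(line):
            tasks[m.group(2).lower()] = {"template_id": m.group(1)}
    return decisions, tasks


def parse_management_point(text):
    """Tasks the management point started pushing, from BgbServer.log."""
    return {m.group(3).lower(): {"push_id": m.group(1), "task_id": m.group(2)}
            for m in map(PUSHED.search, text.splitlines()) if m}


def parse_client(text):
    """Tasks the client received and whether it responded, from CcmNotificationAgent.log."""
    tasks, last = {}, None
    for line in text.splitlines():
        if m := RECEIVED.search(line):
            last = m.group(3).lower()
            tasks[last] = {"push_id": m.group(1), "task_id": m.group(2), "return_code": None}
        elif (m := RESPONSE.search(line)) and last:
            tasks[last]["return_code"] = int(m.group(1))   # the response follows the receive line
    return tasks


def trace(task_guid, gateway_tasks, mp_tasks, client_tasks):
    """How far one TaskGUID travelled, and which log to open if it stopped short."""
    guid = task_guid.lower()
    reached = [guid in gateway_tasks, guid in mp_tasks, guid in client_tasks,
               client_tasks.get(guid, {}).get("return_code") is not None]
    stages = []
    for (name, _), ok in zip(HOPS, reached):
        if not ok:
            break                                   # stop at the first missing hop
        stages.append(name)
    next_check = HOPS[len(stages)][1] if len(stages) < len(HOPS) else None
    return {"task_guid": guid, "stages": stages, "next_check": next_check,
            "return_code": client_tasks.get(guid, {}).get("return_code")}


def unauthorized_users(decisions):
    """Entra user IDs the site refused (verify their Configuration Manager permissions)."""
    return sorted({d["user"] for d in decisions if d["result"] == "Unauthorized"})
```

TaskGUIDs are lower-cased before matching because the service connection point logs them in lower case while the management point and client log them in upper case.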

Known issues

Data synchronization failures

When there are issues with the hierarchy onboarding configuration, you may have trouble viewing the tenant attach details in the Microsoft Intune admin center. This can happen when a hierarchy that has already been onboarded is onboarded again. You may also detect this issue from entries in the GenericUploadWorker.log and CMGatewayNotificationWorker.log files.

Workaround for data synchronization failures

Resetting the tenant attach configuration will require you to follow the steps below:

  • Offboard the hierarchy. If tenant attach is already enabled, you need to disable device upload and offboard by editing the co-management properties.
  • In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. (Select the Co-management node if it is version 2103 and earlier)
  • In the ribbon, select Properties for your co-management production policy.
  • Next, you need to remove the Upload to Microsoft Endpoint Manager admin center selection from the Configure upload tab.
  • Once everything’s completed, select Apply.

You need to give the service about 2 hours to clean up the existing record. Once the above has been completed, you can onboard the hierarchy again.

Example errors in log files that require resetting the tenant attach configuration

Errors for AccountOnboardingInfo and DevicePost requests in GenericUploadWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {"Message":"An error has occurred."}

Errors for device actions in CMGatewayNotificationWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {"Message":"An error has occurred."}

Specific devices don’t synchronize

Another issue that you may need to deal with has to do with specific devices, which also happen to be Configuration Manager clients, not being uploaded to the service. So, what devices should you expect to be potentially affected by this issue?

In scenarios where a device is a distribution point that uses the same PKI certificate for both the distribution point functionality and its client agent, then the device won’t be included in the tenant attach device sync.

Furthermore, administrators should look out for the behavior that is typical in such instances. During the on-boarding phase as you are going through the tenant attach process, a full sync will be carried out the first time.

You should be aware that any other sync cycles after this one will be delta synchronizations. If the impacted devices are updated in any way, that update will result in the device being removed from the sync.

When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don’t work

More troubleshooting

If you find yourself in a situation where the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you won’t be able to install applications, run CMPivot queries, and perform other actions from the admin console.

Instead, you will get a 403 (Forbidden) error. What you would normally do to address this is configure the on-premises hierarchy to use the default authentication level, Windows authentication.

The platform is designed to enable you to determine what the minimum authentication level should be for admins to access Configuration Manager sites. You should view this as a great feature for enhancing security because it means that admins have to sign in to Windows with the appropriate level before they can access Configuration Manager.

Authentication

Furthermore, this applies to all components that access the SMS provider. Configuration Manager supports a handful of authentication levels and these are as follows:

  • Windows authentication: Authentication with Active Directory domain credentials is required. This setting represents the previous behavior, as well as the current default setting.
  • Certificate authentication: Authentication with a valid certificate issued by a trusted PKI certificate authority is required. You don’t configure this certificate in Configuration Manager; Configuration Manager requires the admin to be signed into Windows using PKI.
  • Windows Hello for Business authentication: This requires strong two-factor authentication that’s linked to a device and uses a PIN or biometrics. Before choosing this setting, note that the SMS Provider and administration service will require the user’s authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In simple terms, users of the console, SDK, PowerShell, or administration service must authenticate to Windows with their Windows Hello for Business PIN or biometric; otherwise, the site rejects the user’s action. Also remember that this behavior is specific to Windows Hello for Business and does not apply to Windows Hello.

What to do when Configuration Manager components for tenant attach fail to connect to the backend cloud service

Another issue that some have encountered concerns the failure of Configuration Manager components for tenant attach to connect to the backend cloud service when you run a client action from the Microsoft Intune admin center. In those instances, you may see the error given below:

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name

According to Microsoft, this problem occurs in versions earlier than the Configuration Manager version 2203 hotfix rollup, after the change in public certificates on July 27, 2022, in which OU=Microsoft Corporation was removed from the public certificate.

Even though the certificate changed, the Configuration Manager database still retained the old subject name, which then caused the load check to fail. Below are some example entries from the CMGatewayNotificationWorker.log file on the top-level site in the hierarchy:

Error occured when process notification with notification Id <notification Id>. Ignore the notification. SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

Exception details: SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

[Warning][CMGatewayNotificationWorker][0][System.IO.InvalidDataException][0x80131501]

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name
   at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.VerifyCertificate(X509Certificate2 certificate, Boolean crlCheck, X509Chain& certificateChain, X509Certificate2Collection extraStore)
   at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Reload()
   at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Exists(String thumbprint)
   at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.<RefreshServiceSigningCertificateIfNotExistsAsync>d__19.MoveNext()
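To see why a check that requires the stored subject to match the presented one exactly breaks as soon as an RDN such as OU is dropped, here is an added example (not Configuration Manager’s own code) that parses both subjects and reports whether only a non-identifying RDN changed or the certificate identity itself. Every subject value in it is a constructed placeholder; only the removed OU=Microsoft Corporation RDN reflects the change described above.

```python
"""Compare the subject of a presented service signing certificate with the
subject a site has stored, separating a harmless RDN removal from a real
identity change.

Added example, not Configuration Manager's code. Subject strings are
constructed placeholders; only the removed 'OU=Microsoft Corporation' RDN
reflects the public-certificate change of July 27, 2022 described above.
"""
from typing import Dict, List, Tuple

IDENTITY_ATTRS = ("CN", "O")   # attributes that actually name the holder


def _split_rdn(rdn: str) -> Tuple[str, str]:
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().upper(), value.strip()


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN into (attribute, value) pairs.

    A backslash escapes the next character, so a value like 'Contoso\\, Inc.'
    keeps its comma instead of starting a new RDN.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def diff_subjects(stored: str, presented: str) -> Dict[str, List[Tuple[str, str]]]:
    """Report which RDNs were removed from, or added to, the stored subject."""
    stored_set, presented_set = set(parse_dn(stored)), set(parse_dn(presented))
    return {"removed": sorted(stored_set - presented_set),
            "added": sorted(presented_set - stored_set)}


def verdict(stored: str, presented: str) -> str:
    """Classify the comparison.

    'match'            : exact string match, the only outcome a strict check accepts
    'rdn-changed'      : CN and O still agree; only other RDNs (e.g. OU) differ
    'identity-changed' : CN or O differ, so the certificate names someone else
    """
    if stored == presented:
        return "match"

    def identity(dn: str) -> Dict[str, str]:
        return {a: v for a, v in parse_dn(dn) if a in IDENTITY_ATTRS}

    return "rdn-changed" if identity(stored) == identity(presented) else "identity-changed"


# Constructed sample: the subject the site stored before the change, and the
# subject of the re-issued certificate with OU=Microsoft Corporation removed.
STORED_SUBJECT = ("CN=placeholder-service-signing, OU=Microsoft Corporation, "
                  "O=Microsoft Corporation, L=Redmond, S=Washington, C=US")
PRESENTED_SUBJECT = ("CN=placeholder-service-signing, O=Microsoft Corporation, "
                     "L=Redmond, S=Washington, C=US")

if __name__ == "__main__":
    print(verdict(STORED_SUBJECT, PRESENTED_SUBJECT))     # rdn-changed
    print(diff_subjects(STORED_SUBJECT, PRESENTED_SUBJECT))
```

A strict comparison reports the two sample subjects as a mismatch, while the verdict shows that only the OU RDN was removed and the CN and O still identify the same service.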

ADDRESSING THE ISSUE

To address this challenge, there are a couple of methods that you can employ. The first thing you can do is to install the Configuration Manager version 2203 hotfix rollup if you happen to be running Configuration Manager version 2203.

However, if your version of Configuration Manager is a previously supported one, you’ll first need to upgrade to Configuration Manager version 2203. After doing that, you can proceed with the installation of the Configuration Manager version 2203 hotfix rollup.

In the update rollup for Microsoft Endpoint Configuration Manager current branch, version 2203, the following issues have been addressed:

  • Application approvals through email not working with a cloud management gateway due to a missing Microsoft Entra token.
  • Metadata revisions to previously published metadata-only updates not being synchronized to Windows Server Update Services (WSUS) as expected.
  • If a window is left open for a few minutes, the Task Sequence Editor running on Windows Server 2022 fails to apply changes to a task sequence. After this happens, you would see the following message:

Error connecting to provider, smsprov.log may show more details.

  • In situations where the Client checking status frequency (minutes) value has been set below 60, the BitLocker compliance status will be temporarily inaccurate.
  • The SMS_AZUREAD_DISCOVERY_AGENT thread of the SMS_Executive service incorrectly removes some users and their group memberships when the site server is configured with a non-US English locale. You’ll have noticed the removals occurring when the discovery cycle runs after the 12th day of the month. Errors similar to the following are recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file at various times during the discovery cycle:
  1. ERROR: Encountered SqlException The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.
  2. ERROR: Exception message: [The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.]
  3. ERROR: Group full sync request failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object.

More troubleshooting

  • When adding a CMPivot query as a favorite, it is split into two lines and characters are removed.
  • When searching Software Update Groups in the Configuration Manager console, the Name criteria is not an option.
  • The Browse button for Content location in the properties for a deployment returns an empty location instead of the previously set value.
  • The implicit uninstall setting won’t be respected by an application that is targeted to a device collection but deployed in the context of the user.
  • Typing a Name value in the Create Orchestration Group wizard is slower than normal.
  • A misleading error message (false negative) is generated on a target distribution point that is co-located with a site server. You could expect to see this during content distribution from a parent site to a child site. In the distmgr.log, the false negative will appear in this format:

~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file

Conclusion

In some cases, unfortunately, both options involving installation of the Configuration Manager version 2203 hotfix rollup may not work to fix the above issues. For those situations, you’ll need to open a support ticket with the Configuration Manager support team.

From there, you’ll be able to get the appropriate assistance to resolve the problem in the supported version of Configuration Manager in your environment.

Windows 365 Cloud PC and Microsoft Dev Box – A Detailed Comparison

Every business is constantly looking for ways to improve operations, maximize efficiency, and as a result increase revenues. These are precisely the kinds of objectives that cloud solutions can help you meet. They enable businesses to access the computing resources they need when they need them.

Not only do you get excellent computing resources but it also allows you to work remotely whenever it’s convenient for you. In a world where cybercrime is on the rise and physical devices are at risk, cloud services offer an excellent solution that is always available.

With the Windows 365 Cloud PC and the Microsoft Dev Box, Microsoft offers businesses powerful virtual workstations that employees can access from anywhere on any device. These two, however, have their similarities as well as differences. In this article, we shall be doing a comparison of these two services to help you decide which one is best suited to your business.

Introduction

WINDOWS 365 CLOUD PC

Let’s start with an introduction to both of these services so that we know exactly what they are. The first service is Windows 365 Cloud PC, a virtualization service introduced by Microsoft in 2021. This platform enables individuals to stream their Windows 10 or 11 desktop, applications, various settings, and content from the Microsoft Cloud to any chosen device they prefer.

As an organization, this means that your workers can experience the full Windows ecosystem using personal or corporate devices. Cloud PCs offer a secure environment to store apps, files, and documents. Users can access them anytime and on any device with an internet connection. These kinds of features bring a whole new meaning to the term “portable device.”

The service is easy enough to use. Just purchase a subscription to begin. You can then remotely access a Windows desktop in any modern web browser. Once you have your subscription, you can link Windows 365 to an existing Microsoft account. From there, all your apps, tools, data, and settings will become readily accessible at any time.

Cloud PCs provide you with a consistent experience across any device. This helps users maintain work efficiency even when working remotely. So, imagine you are working on a project with several application windows open and you suddenly disconnect. The exact same state will restore when you reconnect, regardless of whether you’re using the same device.

MICROSOFT DEV BOX

The Microsoft Dev Box is another virtual computing service from the same tech giant that became generally available in 2023. This particular service was built on the foundation of Windows 365 and was designed specifically with developers in mind. It is meant to help them work faster and more productively.

What developers get with this solution is access to ready-to-code cloud workstations called dev boxes. These workstations deal with the hardware and onboarding challenges that developers have had to deal with for years.

Dev boxes are configurable with tools, source code, and prebuilt binaries. These are specific to a project, thereby allowing developers to start work as soon as they want.

Comparing cloud services

When trying to decide which cloud solution your business should opt for, it can be a little tricky. First, you need to fully understand what you get from the Windows 365 Cloud PC as well as the Microsoft Dev Box. These two options have several similarities. However, they present different design features for unique user bases.

Again, dev boxes are powerful, pre-configured workstations that allow developers to tackle their tasks almost immediately. Because they are self-service and come ready-to-code, dev boxes eliminate the usual delays that you often face with onboarding.

On the other hand, Windows 365 targets multiple different users and allows them to stream a personalized Windows experience to any device.

Although Dev Box has been built specifically for developers, dev teams are not obliged to use it. They can opt for the Windows 365 Cloud PC if they want. Regardless of which you select, you’ll still benefit from the use of Microsoft Endpoint Manager and Intune, and can expect to maximize security, compliance, and cost efficiency.

But, the high-performance aspect of dev boxes, among other features, means they will be the ideal option for developer teams. This doesn’t take anything away from the Cloud PC. It still offers businesses virtual desktops that can be set up quickly. Also, they have multiple configurations and can handle various scenarios and workloads.

The multitude of features that Cloud PCs offer mean that businesses can also use them for development purposes. So, if high-performance and self-service access are not prerequisites for your dev teams’ purposes, then Windows 365 could work just fine for you.

Pricing

Another point in favor of Windows 365 is that it will give you predictable per-user/per-month pricing as we can see in the tables given below.

| Plan | Windows 365 Business | Windows 365 Enterprise |
|---|---|---|
| Basic | $31/month and provides support for up to 300 users. This option allows you to run light productivity tools and web browsers. Clients will get 2vCPU, 4GB RAM, and 128 GB storage. | $31/month and provides support for unlimited users. This option allows you to run light productivity tools and web browsers. Clients will get 2vCPU, 4GB RAM, and 128 GB storage. |
| Standard | $41/month and also supports up to 300 users. Clients will get 2vCPU, 8GB RAM, and 128 GB of storage, allowing you to run a full range of productivity tools and line-of-business apps. | $41/month and also supports an unlimited number of users. Clients will get 2vCPU, 8GB RAM, and 128 GB of storage, allowing you to run a full range of productivity tools and line-of-business apps. |
| Premium | $66/month and comes with access to 4vCPU, 16 GB of RAM, and 128 GB of storage. With this option, you get support for up to 300 users and can run high-performance workloads and heavier data processing. | $66/month and gives you access to 4vCPU, 16 GB of RAM, and 128 GB of storage. With this option, you get support for an unlimited number of users and can run high-performance workloads and heavier data processing. |

Dev Box SKUs (pricing per Dev Box instance)

| SKU | Max Monthly Price | Hourly Compute | Monthly Storage |
|---|---|---|---|
| 8 vCPU, 32 GB RAM, 256 GB Storage | $138.20 | $1.49 | $19 |
| 8 vCPU, 32 GB RAM, 512 GB Storage | $157.20 | $1.49 | $38 |
| 8 vCPU, 32 GB RAM, 1024 GB Storage | $195.20 | $1.49 | $76 |
| 8 vCPU, 32 GB RAM, 2048 GB Storage | $271.20 | $1.49 | $152 |
| 16 vCPU, 64 GB RAM, 256 GB Storage | $257.40 | $2.98 | $19 |
| 16 vCPU, 64 GB RAM, 512 GB Storage | $276.40 | $2.98 | $38 |
| 16 vCPU, 64 GB RAM, 1024 GB Storage | $314.40 | $2.98 | $76 |
| 16 vCPU, 64 GB RAM, 2048 GB Storage | $390.40 | $2.98 | $152 |
| 32 vCPU, 128 GB RAM, 512 GB Storage | $514.80 | $5.96 | $38 |
| 32 vCPU, 128 GB RAM, 1024 GB Storage | $552.80 | $5.96 | $76 |
| 32 vCPU, 128 GB RAM, 2048 GB Storage | $628.80 | $5.96 | $152 |

Having gone over all the above information, however, Dev Box remains unquestionably the best option. This is especially true for development teams that require high-performance workstations. Also, it’s great for teams who need solutions tailored to their specific projects, self-deployed by developers, and ready-to-code on deployment.

Requirements

For businesses intending to use Windows 365, they will need Intune licenses if they want to manage their devices using Intune. If you’re signing up for Windows 365 Enterprise, then the users should have licenses for Windows E3, Intune, Microsoft Entra ID P1, and Windows 365 to use their Cloud PC.

Alternatively, if you’re signing up for Windows 365 Frontline, users must have licenses for Windows E3, Intune, and Microsoft Entra ID P1. This is in addition to being added to the Microsoft Entra security group in the provisioning policy to use their Cloud PC.

Those interested in using Microsoft Dev Box will also need to meet certain requirements. Each user needs to be licensed for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1.

Although clients can obtain these independently, you will also find these licenses included in Microsoft 365 F3, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 A3, Microsoft 365 A5, Microsoft 365 Business Premium, and Microsoft 365 Education Student Use Benefit subscriptions.

Common features

Remote access

A lot of organizations are adapting to the idea of a more hybrid workforce because of the increased convenience and access that cloud services can offer. With workstations being hosted on the Microsoft Cloud, workers can access their PCs from anywhere. And it’s brilliantly efficient, as long as they have an internet connection.

Cloud PCs and dev boxes utilize the same infrastructure, enabling users to enjoy excellent remote accessibility. This level of access can revolutionize virtualization technology by freeing workers from being limited to their workstations or specific locations and devices.

This is a great development for both businesses and workers alike, especially if we consider a Microsoft survey that showed that 73% of workers would be interested in working remotely if the option was available. So, if Windows 365 and Dev Box can provide the platform to do that, then it would be well worth adopting.

QUICK SETUP

When Windows 365 was first announced, one of the biggest features was ease of use and setup. Businesses don’t need to bring in additional or specialist IT professionals to configure their Cloud PC environments. In-house IT departments won’t need days to set users up with Cloud PCs.

Therefore, once a new employee starts, they will have access to a Cloud PC almost as soon as they need it. Because Dev Box is built on the foundation of Windows 365, it follows the same concept of simplicity and ease of use. Microsoft is offering developer teams ready-to-code workstations, enabling them to start work immediately.

Developers will get the full complement of tools, source code, and prebuilt binaries. As a result, you won’t need to wait weeks or more to begin contributing to the projects that your colleagues are working on.

SECURITY

Keeping data secure is a very high priority for Windows 365, which is why Cloud PCs are kept up to date with the latest cumulative updates. Data stays protected wherever an individual may be working. Microsoft also recommends using Conditional Access to secure end user access to Windows 365.

If businesses use this as well as multi-factor authentication for all their users, then it becomes significantly less likely that nefarious actors could gain access to organizational resources. Similarly, Microsoft has ensured that robust security measures are extended to the Dev Box. Businesses can enhance security by joining dev boxes natively to their Azure Active Directory, or even to a hybrid Azure Active Directory domain.

Additionally, they can utilize features such as Conditional Access and multi-factor authentication in the same way they have been doing with other products and services in the Microsoft ecosystem.

COMPATIBILITY

Another thing that was crucial for Microsoft to attract clients to the Cloud PC was compatibility. Oftentimes, new services will come with strict hardware requirements that can necessitate significant spending on new devices. Not so with Windows 365. Users can comfortably access their Cloud PCs using whatever devices they prefer.

Although you will get the best experience from using a PC, the choice remains yours whether you use a Windows device or a Mac, an Android device or one running iOS. Developer teams that want to use Dev Box will also benefit from similar compatibility. Businesses don’t need to furnish employees with new devices or worry about changing operating systems.

Dev Box users can get all their favorite productivity software and custom line-of-business tools regardless of the platform they are working on. Not only will this feature help minimize hardware expenditure, but it could potentially improve productivity because developers can use the devices and other tools they are most comfortable with.

SUSTAINABILITY

Plenty of businesses are putting in place measures to help them operate more sustainably and do what they can for the betterment of the planet. As a responsible organization, Microsoft has committed to becoming carbon negative by the year 2030 as well as putting in place measures to eliminate all the carbon that the organization has emitted directly or by electricity consumption since its foundation by the year 2050.

Services like Windows 365 and Dev Box can play a mission-critical role in achieving these goals. With workstations that run on the cloud, users can keep their devices for longer which is something that can contribute to a reduction in e-waste.

Moreover, using cloud solutions can do even more for long-term sustainability with some research suggesting that migrating to the cloud can reduce CO2 emissions by nearly 60 million tons per year.

Access simplified

Arguably the biggest goal of cloud-based solutions has been to facilitate easier access for clients using various devices and operating systems. Windows 365 and Dev Box are at the forefront of what Microsoft has been doing in the cloud technology space. But, it doesn’t simply end with these solutions.

Microsoft recently announced the Windows App, which is going to be the gateway to many Windows services that are available to businesses. This new offering has been designed to allow the use of almost any device on any platform.

Not surprisingly, this will be the source of great excitement for a lot of Cloud PC and Dev Box users. If you happen to be one of the unfortunate people who till now have been forced to use certain devices or operating systems, then Windows App will give you the freedom many sorely desire. Because of the way it has been designed, users will be able to run Windows on their devices of choice.

So, whether we’re talking Macs, devices running Linux, Android, etc., the beauty of this service is that it will still give you secure access to Microsoft’s remote services. And something that we are all going to enjoy is using web browsers to connect to remote services.

CONNECTING TO YOUR CLOUD PC

If you want to use a web browser to connect to your Cloud PC from Windows 365, all you have to do is:

  • Open your web browser and navigate to https://windows.cloud.microsoft.
  • Sign in with your user account.
  • If it’s your first time using Windows App, navigate through the tour to learn more about Windows App, then select Done, or select Skip.
  • From the Home tab, select Go to devices.
  • At this stage, you are going to see all the Cloud PCs you have from Windows 365 as well as all the other remote resources you have access to. If no Cloud PCs are appearing then you’ll want to contact your administrator.
  • Next, locate the Cloud PC you want to connect to. You can use the available filters to help you find exactly what you need to connect to.
  • Select Connect. A new tab or browser window opens for that device or app.
  • You’re going to see a prompt displaying In Session Settings that will ask you to confirm which local devices or features to use with your Cloud PC. After making your decision, select Connect. You can avoid seeing this prompt every time you connect by checking the Don’t show again box.
  • As soon as the connection to your Cloud PC is complete, you can start using it.

CONNECTING TO YOUR DEV BOX

If you want to use a web browser to connect to your dev box from Microsoft Dev Box, all you have to do is:

  • Open your web browser and navigate to https://windows.cloud.microsoft.
  • Sign in with your user account.
  • If it’s your first time using Windows App, navigate through the tour to learn more about Windows App, then select Done, or select Skip.
  • From the Home tab, select Go to devices.
  • At this stage, you are going to see all the dev boxes you have from Microsoft Dev Box as well as all the other remote resources you have access to. If no dev boxes are appearing then you’ll want to contact your administrator.
  • Next, locate the dev box you want to connect to. You can use the available filters to help you find exactly what you need to connect to.
  • Select Connect. A new tab or browser window opens for that dev box.
  • You’re going to see a prompt displaying In Session Settings that will ask you to confirm which local devices or features to use with your dev box. After making your decision, select Connect. You can avoid seeing this prompt every time you connect by checking the Don’t show again box.
  • As soon as the connection to your dev box is complete, you can start using it.

Wrap up

The future of cloud-based services is bound to have plenty of innovative solutions that will help enhance even further the way businesses interact with technology. Businesses can already benefit from the convenience of having access to powerful virtual workstations without the need to set up their own in-house servers. Microsoft Cloud services provide businesses with solutions such as Windows 365 Cloud PC and Microsoft Dev Box that offer exceptional performance as well as high availability.

Additionally, these cloud services can meet you wherever you are in your journey. There are options available that are tailored to smaller businesses just like you have options for larger businesses. And as you continue to grow, you’ll have the flexibility to scale at a rate that is ideal for your business. So, whether it’s the Cloud PC or the Dev Box that fits your business model better, you can be certain that both will deliver industry-leading technology and world-class service.