About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

Unleashing The Power of Device Management with Intune and Declarative Management

Many businesses are increasingly adopting mobile devices, such as phones and tablets, as standard tools for their employees. As these devices become more powerful and technologies like 5G become more available, it makes perfect sense for businesses to take advantage if it makes their employees more productive. That’s where device management comes into play.

This has seen many organizations start to implement bring-your-own-device (BYOD) policies as the changes to traditional workplaces pick up momentum. However, there will be a need for effective device management solutions that can reduce the burden on IT staff while simultaneously enhancing the end-user experience.

One such solution is Apple’s approach to device management called Declarative Device Management (DDM). It points to where device management is heading by offering a range of new capabilities.

What is Declarative Device Management?

Declarative management represents the future of device management. As a relatively new offering from Apple, Declarative Device Management is a transformative update to the MDM protocol that moves policy management onto the device itself.

This solution enables devices to be autonomous and proactive. It can also be used together with the existing MDM protocol capabilities. One of the main advantages of having autonomous devices is that they can react to state changes. They then apply management logic to themselves without needing action from the server.

As a result of all this, you’ll get greater performance and increased scalability, which will help keep your organization’s devices running at optimum levels. The ability for devices to be autonomous as well as proactive are the key elements that make declarative management the ideal solution going forward.

Furthermore, declarative management keeps devices in their intended state, and keeps important data secure, whether or not the device has an internet connection. The result is a more responsive experience for users that can help improve their efficiency.

And to assuage any concerns customers may have, Apple stresses that although this functionality is new, the protocol is not: the declarative functionality is built into the existing MDM protocol.

Therefore, customers can expect to have access to a device management service that will streamline all management processes. And it improves the experience not only for end-users but for IT admins as well.

Requirements

As with any product, there are minimum requirements to consider if your organization wants to have access to Declarative Device Management.

Operating System    Versions supported
macOS               Ventura 13 and later
iOS                 15 for user enrollment only; 16 and later for all enrollment types
iPadOS              15 and later
tvOS                16 and later
watchOS             10 and later

Advantages of DDM

Probably the biggest benefit that users stand to gain from DDM is the improvement in device performance. With the main features on offer, devices can act proactively and more autonomously. This means that any actions requiring implementation will execute faster because there is no waiting for the server. Because of this efficiency, you should expect to have far more accurate device information that will also report back much faster.

This improvement in how devices run will also be a welcome change for IT admins. With certain actions being automated, administrators will have more time to prioritize and focus on more productive tasks. And all of this happens in a highly secure environment meaning taking advantage of these benefits will not come at the cost of data and device security.

Core data models

Declarative management has three core data models:

DECLARATIONS

Declarations refer to the payloads that servers define, forward to devices, and represent the state or behavior that businesses want for their devices. There are four types of declarations:

Declaration type    Description
Configurations      Not dissimilar to the profiles we already use to apply settings and restrictions to devices.
Assets              Reference data that configurations need, such as large data items and per-user data.
Activations         A group of configurations that is applied to a device together. Activations and configurations have a many-to-many relationship, and an activation can carry a complex predicate expression using an extended predicate syntax.
Management          Conveys key information about the organization, and details about the MDM server, to the device.

STATUS CHANNEL

The status channel is a key means of communication in declarative management. And it is responsible for conveying information when the state of the device changes. When these changes occur, the device will proactively update the server via status reports containing details of the update. An important thing to note is that the server can be configured to subscribe only to specific status items meaning it will receive only the updates it considers necessary.

EXTENSIBILITY

Extensibility enables organizations to better tailor declarative management to meet their business needs. This feature gives you the flexibility of integrating with other products so that end-users have the best possible options available. What this gives you is a platform that enables both devices and MDM servers the ability to support new features as and when they release.

Introducing DDM to your organization

How to manage the transition to DDM

Companies developing tech products and services need to make them relatively easy to adopt if they want to draw in customers. To that end, the transition to declarative device management is eased because DDM reuses the MDM protocol’s existing functions.

For instance, you can embed existing profiles in a legacy configuration declaration. You can also have an MDM solution take ownership of a profile that is already deployed and migrate it into a legacy configuration declaration. The advantage is that you don’t have to remove an existing profile and replace it with a configuration that may not suit the user.

Integration of declarative management within the MDM protocol

Part of what makes Declarative Device Management such a great option is how it integrates into the MDM protocol. Not only that, but existing MDM vendors already have access to the features that are on offer.

The significance of integration within the MDM protocol is that declarative management will leverage it for the management of key areas including both enrollment and unenrollment, HTTP transport, as well as device and user authentication.

Moreover, DDM intends to make the transition from existing MDM products as seamless as possible. This means that you don’t have to worry about dealing with disruptive changes to adopt new protocols.

To add to the convenience, you’ll also find that declarations and the status channel will coexist with your existing MDM commands and profiles. By setting it up this way, DDM gives organizations the flexibility to adopt declarative management features at their own pace.

Because of this, you won’t need to update all of your MDM workflows at once. Equally important, declarative management does not change existing MDM behaviors. Instead, it builds on them: an MDM command activates it, and an MDM CheckIn request handles synchronization and status reports.

Activating declarative management

We’ll start with the DeclarativeManagement command that has been added to MDM. This command plays two roles. First, it activates the declarative management features on a device. Before proceeding, note that once you turn declarative management on, you can’t turn it off again. You do have a way out if the need arises: by removing all declarations, the server disables declarative management for all practical purposes.

Second, the command can carry a payload with synchronization tokens that initiate a synchronization flow if necessary. Additionally, there is a new CheckIn request type that devices use to synchronize declarations and send status reports to the server. When a device uses the CheckIn request to synchronize declarations, the server responds with one of two things:

  • A manifest that lists the identifier and server token properties of all declarations defined by the server.
  • Single declarations for the device to apply.
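To make the flow concrete, here is an added example (my own, not Apple’s or any MDM vendor’s code, written in PowerShell purely as a modelling language) of the server side of the exchange. It builds a small declaration set, including a legacy configuration that wraps an already-deployed profile as described under the migration section above and a status subscription as described under the status channel, derives the ServerToken and DeclarationsToken values that drive synchronization, and answers the CheckIn endpoints a device uses. The declaration type names, endpoint names and JSON shapes follow Apple’s published DDM protocol; the identifiers, profile URL, organization details and predicate condition are made up, and the MDM command is shown as an object rather than the property list a real server would send.

```powershell
# Added example, not Apple's or any MDM vendor's code. Models the DDM server side:
# declarations -> manifest -> CheckIn endpoints -> DeclarativeManagement command.
# Identifiers, profile URL, organization details and the predicate are hypothetical.

function Get-ShortSha256 {
    param([Parameter(Mandatory)][string]$Text)
    # Tokens only have to change when content changes; a truncated SHA-256 is enough.
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    ([BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16).ToLower()
}

function New-Declaration {
    param(
        [Parameter(Mandatory)][string]$Type,
        [Parameter(Mandatory)][string]$Identifier,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Payload
    )
    # ServerToken is derived from the payload: editing a declaration changes its token,
    # so the device re-fetches just that one and leaves unchanged declarations alone.
    $token = Get-ShortSha256 -Text ($Payload | ConvertTo-Json -Compress -Depth 10)
    [ordered]@{ Type = $Type; Identifier = $Identifier; ServerToken = $token; Payload = $Payload }
}

# The declaration set. [ordered] keeps the JSON, and therefore each token, stable.
$declarations = @(
    # An already-deployed profile taken over as a legacy configuration (the migration path above).
    New-Declaration -Type 'com.apple.configuration.legacy' -Identifier 'cfg.wifi-legacy' -Payload ([ordered]@{
        ProfileURL = 'https://mdm.example.com/profiles/corp-wifi.mobileconfig'
    })
    # Status channel: subscribe only to the status items this server wants reported.
    New-Declaration -Type 'com.apple.configuration.management.status-subscriptions' -Identifier 'cfg.status' -Payload ([ordered]@{
        StatusItems = @([ordered]@{ Name = 'device.operating-system.version' }, [ordered]@{ Name = 'management.declarations' })
    })
    # Activation: applies the configurations when the device-side predicate holds (hypothetical condition).
    New-Declaration -Type 'com.apple.activation.simple' -Identifier 'act.baseline' -Payload ([ordered]@{
        StandardConfigurations = @('cfg.wifi-legacy', 'cfg.status')
        Predicate              = "(@status(device.operating-system.version) BEGINSWITH '17')"
    })
    New-Declaration -Type 'com.apple.management.organization-info' -Identifier 'mgmt.org' -Payload ([ordered]@{
        Name = 'Contoso'; Email = 'it@contoso.example'
    })
)

function Get-DeclarationManifest {
    param([Parameter(Mandatory)][object[]]$Declarations)
    # The manifest lists identifier + token per declaration, grouped by kind. The device
    # diffs it against what it holds and fetches only declarations whose token changed.
    $groups = [ordered]@{ Activations = @(); Configurations = @(); Assets = @(); Management = @() }
    foreach ($d in $Declarations) {
        $kind = switch -Wildcard ($d.Type) {
            'com.apple.activation.*'    { 'Activations' }
            'com.apple.configuration.*' { 'Configurations' }
            'com.apple.asset.*'         { 'Assets' }
            'com.apple.management.*'    { 'Management' }
        }
        $groups[$kind] += , ([ordered]@{ Identifier = $d.Identifier; ServerToken = $d.ServerToken })
    }
    # DeclarationsToken summarizes the whole set; if it equals the device's copy there is nothing to sync.
    $all = ($Declarations | Sort-Object { $_.Identifier } | ForEach-Object { $_.ServerToken }) -join ''
    [ordered]@{ Declarations = $groups; DeclarationsToken = (Get-ShortSha256 -Text $all) }
}

function Invoke-DeclarativeCheckIn {
    param([Parameter(Mandatory)][string]$Endpoint, [Parameter(Mandatory)][object[]]$Declarations)
    # The server's reply to a DeclarativeManagement CheckIn, selected by the Endpoint the device sent.
    $manifest = Get-DeclarationManifest -Declarations $Declarations
    switch -Regex ($Endpoint) {
        '^tokens$' {
            $stamp = [DateTime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ssZ')
            return [ordered]@{ SyncTokens = [ordered]@{ DeclarationsToken = $manifest.DeclarationsToken; Timestamp = $stamp } }
        }
        '^declaration-items$' { return $manifest }
        '^declaration/(activation|configuration|asset|management)/([^/]+)$' {
            # One full declaration at a time, e.g. declaration/configuration/cfg.status
            $kind = $Matches[1]; $id = $Matches[2]
            $d = $Declarations | Where-Object { $_.Type -like "com.apple.$($kind).*" -and $_.Identifier -eq $id }
            if ($null -eq $d) { throw "404 Not Found: $Endpoint" }
            return $d
        }
        '^status$' { return $null }   # the device posts status reports here; the server stores them and replies empty
        default    { throw "404 Not Found: $Endpoint" }
    }
}

function New-DeclarativeManagementCommand {
    param([Parameter(Mandatory)][object[]]$Declarations)
    # The MDM command that switches DDM on. Data carries the current sync tokens, so a device
    # holding a different DeclarationsToken starts a sync. A real server sends this as a plist.
    $tokens = Invoke-DeclarativeCheckIn -Endpoint 'tokens' -Declarations $Declarations | ConvertTo-Json -Compress
    [ordered]@{
        CommandUUID = [guid]::NewGuid().ToString()
        Command     = [ordered]@{ RequestType = 'DeclarativeManagement'; Data = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($tokens)) }
    }
}

# Walk the flow: activate, the device asks for the manifest, then fetches a declaration it lacks.
New-DeclarativeManagementCommand -Declarations $declarations | ConvertTo-Json -Depth 4
Invoke-DeclarativeCheckIn -Endpoint 'declaration-items' -Declarations $declarations | ConvertTo-Json -Depth 4
Invoke-DeclarativeCheckIn -Endpoint 'declaration/configuration/cfg.wifi-legacy' -Declarations $declarations | ConvertTo-Json -Depth 4
```

Two things worth noticing in the output: changing any payload changes only that declaration’s ServerToken plus the DeclarationsToken, which is exactly why a device can decide for itself what to re-fetch; and an empty declaration set yields a manifest of four empty arrays, which is the “remove all declarations” way of effectively disabling DDM described above.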

Improved management enhances BYOD

Most of us may have noticed over the last few years that Bring-Your-Own-Device (BYOD) policies are growing in popularity across various business sectors. Similar to declarative management, BYOD can help organizations make better use of the technology available to them and improve the efficiency of their employees.

But, one thing you’ll be quick to notice about employees using their personal devices to connect to enterprise networks is that it can drastically reduce an organization’s capital outlay for devices. And as management solutions continue to get better, the security concerns that you might have about personal devices accessing sensitive corporate data are being addressed.

However, even with the potential financial gains, adopting BYOD policies would still be a difficult sell without effective management services available. This is why services such as Microsoft Intune’s web-based device enrollment for iOS/iPadOS are bringing new features to the table.

What this service will do is eliminate the need for the Company Portal app thereby providing a faster enrollment process that also delivers an improved user experience. Your life as an MDM admin should get somewhat more comfortable given that you’ll now be able to enroll personal devices in Microsoft Intune without users having to first install additional apps.

App-based or web-based enrollment

Microsoft Intune supports Apple device enrollment, which provides key iOS/iPadOS management capabilities in the Microsoft Intune admin center without compromising the security of personal data. There are two device enrollment options: app-based enrollment and web-based enrollment. In the Intune admin center, the device enrollment options you’ll see are:

  • Device enrollment with the Company Portal
  • Web-based device enrollment

You’ll need to create an enrollment profile in the admin center to select and configure enrollment types. To do that:

  • Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment
  • Select Enrollment types.

To simplify Microsoft Entra registration within the employee’s work apps and reduce how often they have to authenticate, web-based enrollment leverages just-in-time (JIT) registration with the Apple single sign-on (SSO) extension. You enable JIT registration by creating a device configuration profile with an SSO app extension policy. Microsoft notes that JIT registration isn’t mandatory for web-based enrollment, but it’s highly recommended if you want a better experience for end users.

EXPLAINING JUST-IN-TIME REGISTRATION

According to Microsoft Intune:

“Just in Time registration within the enrollment flow is an improvement to the Setup Assistant with a modern authentication enrollment method since it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking.”

The overall goal of JIT registration is to streamline the process for users by eliminating the Company Portal requirement which by extension removes some of the complex steps that users have had to deal with. By using JIT registration, all users will need to do to enroll their iOS devices is sign in with their corporate credentials.

To complete the enrollment process, users sign in with their corporate credentials. This authenticates them via Entra ID and automatically registers their device with Intune. Setting up just-in-time registration requires your business to have an active Apple Business Manager or Apple School Manager account as well as devices that are eligible for JIT registration. Additionally, your network must allow enrolled devices and Intune to communicate. The table below compares app-based and web-based enrollment:

Specification                            App-based enrollment                                        Web-based enrollment
Supported version                        iOS/iPadOS 14 and later                                     iOS/iPadOS 15 and later
BYOD and personal devices                Yes                                                         Yes
Device associated with a single user     Yes                                                         Yes
Device reset required                    No                                                          No
Enrollment initiated by the device user  Yes                                                         Yes
Supervision                              No                                                          No
Just-In-Time registration                No                                                          Yes
Required apps                            Intune Company Portal app for iOS, Microsoft Authenticator  Microsoft Authenticator
Enrollment location                      Company Portal app, Safari, and the device Settings app     Safari and the device Settings app

Setting up web-based enrollment

Web-based enrollment is designed to speed up the enrollment process and give users a more user-friendly experience. Because users can do all they need to in Safari and in their device settings, the Company Portal app will no longer be required.

Furthermore, once you have enabled JIT registration, Intune can use it with the Microsoft Authenticator app for registration of the device and SSO thus eliminating the need for users to sign in constantly during enrollment and when accessing work apps. To set up web-based enrollment, you’ll need to follow the steps below:

Set up just-in-time registration

Before proceeding, verify that you’re using one of the enrollment methods that support JIT registration:

  • Apple user enrollment: Account-driven user enrollment
  • Apple device enrollment: Web-based device enrollment
  • Apple automated device enrollment: For enrollments that use Setup Assistant with modern authentication as the authentication method.

Once you’ve checked the requirements, create an SSO app extension policy that uses the Apple SSO extension to enable JIT registration:

  • Sign in to the Microsoft Intune admin center.
  • Navigate to Devices > Configuration and create an iOS/iPadOS device configuration profile of type Device features. Under Category, select Single sign-on app extension.
  • Select Microsoft Entra ID for SSO app extension type.
  • For any non-Microsoft apps that use SSO, add their app bundle IDs. The SSO extension is applied to all Microsoft apps automatically, so don’t add Microsoft apps to the policy; doing so can cause authentication issues. The Microsoft Authenticator app is added later as a required app, so leave it out of the SSO extension as well.
  • Under Additional configuration, add the required key-value pair. For JIT registration to work, the key and the value must have no leading or trailing spaces:
Key: device_registration Type: String Value: {{DEVICEREGISTRATION}}
  • Microsoft also recommends adding the key-value pair that enables SSO in Safari for all apps in the policy. Again, the key and the value must have no leading or trailing spaces:
Key: browser_sso_interaction_enabled Type: Integer Value: 1
  • Select Next.
  • For Assignments, you must assign the profile to all users (or designate specific groups), then select Next.
  • You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
  • Lastly, you need to head over to Apps > All apps and assign Microsoft Authenticator to groups as a required app.
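The same SSO app extension policy can be created from PowerShell against Microsoft Graph, which is useful when you want the no-stray-whitespace rule enforced rather than remembered. The following is an added example of mine, not Microsoft’s code: it builds the request body for an iOS/iPadOS Device features profile carrying the Microsoft Entra ID SSO extension with the two key-value pairs from the steps above, refuses any key or value with leading or trailing whitespace, and refuses Microsoft bundle IDs. The @odata.type names are those of the Graph beta deviceConfigurations schema as I know them and should be checked against the current reference; the display name and the sample third-party bundle ID are made up, and the final POST is left commented so the body can be reviewed before anything is written to the tenant.

```powershell
# Added example, not Microsoft's code. Builds (and optionally posts) the SSO app extension
# policy that enables JIT registration, enforcing the whitespace rule from the steps above.
# The display name and the third-party bundle ID are made up; @odata.type names follow
# the Graph beta deviceConfigurations schema and should be checked against the reference.

function Test-SsoConfigurationPair {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Key, [Parameter(Mandatory)]$Value)
    # JIT registration fails on leading or trailing whitespace in the key or the value, and
    # the admin center does not trim input. Fail loudly rather than trim silently, so the
    # copy-paste source that carried the stray space gets fixed.
    foreach ($pair in @(@{ Name = 'key'; Text = $Key }, @{ Name = 'value'; Text = [string]$Value })) {
        if ($pair.Text.Length -eq 0) { throw "SSO extension $($pair.Name) must not be empty" }
        if ($pair.Text -ne $pair.Text.Trim()) {
            throw "SSO extension $($pair.Name) has leading/trailing whitespace: [$($pair.Text)]"
        }
    }
    $true
}

function New-JitSsoExtensionBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string[]]$ThirdPartyBundleIds = @(),
        [System.Collections.IDictionary]$Configuration = ([ordered]@{
            device_registration             = '{{DEVICEREGISTRATION}}'   # admin center type: String
            browser_sso_interaction_enabled = 1                          # admin center type: Integer
        })
    )
    # Microsoft apps get the extension automatically and listing them (Authenticator included)
    # causes authentication problems, so only third-party bundle IDs are accepted here.
    $msApps = @($ThirdPartyBundleIds | Where-Object { $_ -like 'com.microsoft.*' })
    if ($msApps.Count -gt 0) { throw "Remove Microsoft bundle IDs from the SSO extension policy: $($msApps -join ', ')" }

    $pairs = foreach ($key in $Configuration.Keys) {
        $value = $Configuration[$key]
        [void](Test-SsoConfigurationPair -Key $key -Value $value)
        # Graph types each pair by its value; this mirrors the String/Integer choice in the admin center.
        if ($value -is [int]) {
            [ordered]@{ '@odata.type' = '#microsoft.graph.keyIntegerValuePair'; key = $key; value = $value }
        } else {
            [ordered]@{ '@odata.type' = '#microsoft.graph.keyStringValuePair'; key = $key; value = [string]$value }
        }
    }

    [ordered]@{
        '@odata.type'            = '#microsoft.graph.iosDeviceFeaturesConfiguration'
        displayName              = $DisplayName
        description              = 'Microsoft Entra ID SSO extension with JIT registration for web-based enrollment'
        iosSingleSignOnExtension = [ordered]@{
            '@odata.type'          = '#microsoft.graph.iosAzureAdSingleSignOnExtension'
            enableSharedDeviceMode = $false
            bundleIdentifiers      = @($ThirdPartyBundleIds)
            configurations         = @($pairs)
        }
    }
}

# Build the body for review; 'com.example.lob' stands in for a line-of-business app that needs SSO.
$body = New-JitSsoExtensionBody -DisplayName 'iOS - SSO extension (JIT registration)' -ThirdPartyBundleIds @('com.example.lob')
$body | ConvertTo-Json -Depth 5

# The whitespace check in action: a trailing space in the value, as happens when pasting from a web page.
try   { New-JitSsoExtensionBody -DisplayName 'bad' -Configuration ([ordered]@{ device_registration = '{{DEVICEREGISTRATION}} ' }) | Out-Null }
catch { Write-Warning $_.Exception.Message }

# To create the profile, connect first (Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All), then:
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
#     -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

The body leaves bundleIdentifiers empty unless you pass third-party apps, matching the advice above to keep Microsoft apps (and Authenticator) out of the extension policy; Authenticator is still assigned separately as a required app.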

Create enrollment profile

An enrollment profile is necessary for all devices enrolling via web-based device enrollment. Once created, this profile will initiate the device user’s enrollment experience thereby allowing them to begin enrollment in Safari.

  • Navigate to Devices > Enrollment in the Intune admin center. Select the Apple tab.
  • Select Enrollment types (preview) under Enrollment Options.
  • Select Create profile > iOS/iPadOS.
  • Go to the Basics page and type in a name and description for the profile. This allows you to distinguish this profile from others in the admin center. Select Next.
  • Navigate to the Settings page, for Enrollment type, select Web based device enrollment. Select Next.
  • Head over to the Assignments page and assign the profile to all users or a group of users. Select Next.
  • You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.

PREPARING EMPLOYEES FOR ENROLLMENT

When employees try to sign in to work apps on their personal devices, the app alerts them to the enrollment requirement and redirects them to the Company Portal website to enroll. Alternatively, you can give users a URL that opens the Company Portal website. If you’re not using Conditional Access, remember to share the enrollment link with device users so that they know how to start enrollment. The enrollment steps for device users are as follows:

  • Open Safari and sign in to your Company Portal website with your work or school account.
  • Next, you should get a prompt to download the management profile and this will be downloaded by the Company Portal while you wait in Safari.
  • Navigate to your device settings app to view and install the management profile.
  • You can sign in to a work or school app only after Microsoft Authenticator is installed; the device is ready for use once that installation completes.
  • Now you can use your work account to sign in to a work app, such as Microsoft Teams.
  • You’ll then need to wait while the app identifies the required setting updates.

Wrap up

The future of device management lies in the integration of the best products and services that are available to customers. Often, we can get caught up debating which tech company offers the best services to meet our needs. But, as we are seeing with Microsoft Intune and Apple device management solutions, bringing together great products to coexist can deliver far more for the end-users.

Declarative management looks like a brilliant solution that is going to deliver a seamless user experience that could improve productivity. It’s therefore no surprise that when combined with what Microsoft Intune has to offer, businesses can look forward to better, faster, and more efficient device management.

Troubleshooting Tenant Attach and Device Action Issues

Microsoft has given us countless different products and services over the last few decades. Undoubtedly, we know the important role they have played for individuals and businesses on the journey towards utilizing technology to better our lives. When looking at the Microsoft ecosystem, one of the best examples of undeniable excellence is the Microsoft Intune family of products.

With this product, Microsoft gives you an integrated solution that enables you to seamlessly manage all your devices. Central to this solution is the single console that we know as the Microsoft Intune admin center which brings together Intune and Configuration Manager.

The capabilities of this platform can offer your organization a premium device-management solution like no other. The area that we want to focus on today will have to do with the troubleshooting of tenant attach and device actions.

Comparing Tenant Attach to Co-management

For a lot of people, it may be difficult to distinguish between these two. So, let’s start by looking at where they differ. Both are among the three primary cloud attach features. For a Configuration Manager environment to be cloud-attached, it has to use at least one of the three.

Tenant Attach gives you the advantage of having your device records in the cloud as well as the ability to take actions on these devices from the cloud-based console. IT admins can perform remote actions on tenant-attached devices such as sync machine policy, sync user policy, run scripts on clients, deploy applications, and much more.

Furthermore, admins can manage endpoint security for the attached devices, both Windows Server and client devices, from the Intune admin center.

On the other hand, Co-management is going to modify your on-premises Configuration Manager environment without the need for a significant migration effort.

One of the more attractive features of Co-management is how it allows you to easily switch workloads such as compliance policies from SCCM to Intune. By enabling you to manage workloads from the cloud, your organization gets to benefit from a simpler device management experience.

Tenant Attach prerequisites

To make use of Tenant Attach, you will need to meet the following requirements:

  • When you decide to apply this onboarding change, you’ll need to sign in using an account that is a Global Administrator.
  • An Azure cloud environment.
  • With version 2107, United States Government customers will be able to use tenant attach features in the US Government cloud such as account onboarding, tenant sync to Intune, device sync to Intune, and device actions in the Microsoft Intune admin center.
  • The Azure tenant and the service connection point must have the same geographic location.
  • To access the Microsoft Intune admin center, there needs to be at least one Intune license for the administrator.
  • The administration service in Configuration Manager needs to be functional.
  • If your central administration site has a remote provider, you need to follow the instructions for the CAS has a remote provider scenario in the CMPivot article.

PERMISSIONS

In addition to the above, there will also be a few requirements for the user accounts performing device actions and these include:

  • The user account should be a synced user object in Microsoft Entra ID (hybrid identity).
  • The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.

The troubleshooting process

Now and again, all of us will encounter issues with the products and services we use. That’s why it’s important to work with providers that offer great support services so that we avoid downtime. Microsoft puts a lot of effort into ensuring that customers get as much support as they need for the various products in its ecosystem. Understandably, tenant attach is no different.

At this point, most admins should be aware that you can sync Configuration Manager clients to the Microsoft Intune admin center. And from that admin center, some client actions can run on the synchronized clients.

These available actions include the sync user policy, sync machine policy, and app evaluation cycle. After an administrator runs an action from the Microsoft Intune admin center, the notification request will forward to the Configuration Manager site. And from there, it will forward to the client.

LOG FILES

The logs you need to use will be found on the service connection point and these are:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log

You should also use the logs located on the management point:

  • BgbServer.log

Lastly, there are other logs that will be found on the client:

  • CcmNotificationAgent.log

Review your upload

You’ll need to follow the steps given below:

  • Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  • You will see the next sync time recorded in a log entry similar to this format Next run time will be at approximately: 02/28/2024 10:15:30.
  • The log entries that you should look at for device uploads should be something like this Batching N Records. In this instance, N represents the number of changed devices uploaded since the last upload.
  • Admins should expect uploads every 15 minutes for changes. However, once that is done, they will probably need to wait up to 10 minutes to view the client changes appearing in the Microsoft Intune admin center.

Configuration Manager components and log flow

SMS_SERVICE_CONNECTOR: Will utilize the Gateway Notification Worker to process the notification from the Microsoft Intune admin center.

SMS_NOTIFICATION_SERVER: Receives the notification and subsequently creates a client notification.

BgbAgent: The client gets the task and runs the requested action.

SMS SERVICE CONNECTOR

After an action is initiated from the Microsoft Intune admin center, CMGatewayNotificationWorker.log shows the request being processed:

Received new notification. Validating basic notification details…

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

A notification is received from the Microsoft Intune admin center.

Received new notification. Validating basic notification details..

Validation of user and device actions is carried out.

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarding of the remote task to the SMS NOTIFICATION SERVER.

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

SMS NOTIFICATION SERVER

At this point, you should be expecting a task to be sent from the management point to the corresponding client as soon as the message has been forwarded to the SMS NOTIFICATION SERVER. In the BgbServer.log, which is on the management point, you should see the following:

Get one push message from database.

Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients  with throttling (strategy: 1 param: 42)

BgbAgent

The last step will occur on the client and you can view it in the CcmNotificationAgent.log. As soon as the task has been received, it will then request the scheduler to carry out the action. And once the action has been carried out, a confirmation message will appear:

Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=

Send Task response message <BgbResponseMessage TimeStamp="2020-01-21T15:43:43Z"><PushID>8</PushID><TaskID>9</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfully.

Common issues

In this section, we’ll take a look at some of the issues that admins may often encounter.

Unauthorized to perform client action

For whatever reason, there may be situations where administrators may not have the required permissions in Configuration Manager. If that happens, you’ll see an Unauthorized response in the CMGatewayNotificationWorker.log.

Received new notification. Validating basic notification details..

Validating device action message content…

Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78

Administrators should verify that the user running the action from the Microsoft Intune admin center has all the necessary permissions on the Configuration Manager site.

Known issues

Data synchronization failures

When there are issues with the hierarchy onboarding configuration, you may have trouble viewing the tenant attach details in the Microsoft Intune admin center. This can happen, for example, when a hierarchy that has already been onboarded is onboarded again. You can also spot this issue from entries in the GenericUploadWorker.log and CMGatewayNotificationWorker.log files.

Workaround for data synchronization failures

Resetting the tenant attach configuration will require you to follow the steps below:

  • Offboard the hierarchy. If the tenant attach is already enabled, you need to disable device upload and offboard by editing the co-management properties.
  • In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. (Select the Co-management node if it is version 2103 and earlier)
  • In the ribbon, select Properties for your co-management production policy.
  • Next, you need to remove the Upload to Microsoft Endpoint Manager admin center selection from the Configure upload tab.
  • Once everything’s completed, select Apply.

You need to give the service about 2 hours to clean up the existing record. Once the above has been completed, you can onboard the hierarchy again.

Example errors in log files that require resetting the tenant attach configuration

Errors for AccountOnboardingInfo and DevicePost requests in GenericUploadWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {"Message":"An error has occurred."}

Errors for device actions in CMGatewayNotificationWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {"Message":"An error has occurred."}
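The log reading described in this post, from reviewing the upload in CMGatewaySyncUploadWorker.log, through tracing an action from the service connection point to the management point and the client, to recognizing the Unauthorized and 401 signatures above, lends itself to a script. The following is an added example of mine, not Microsoft’s code: it parses the CMTrace line format the real logs use, follows one action by its task GUID across the three components (each of which writes the GUID in a different case and with a different delimiter), reports where the action stalled if a hop is missing, and maps the known failure messages to the remediation given on this page. The sample log entries are constructed from the messages shown above, wrapped in CMTrace format with made-up dates, thread IDs and component names; the client’s response is written with PushID 7 and TaskID 8 so that it matches the task it acknowledges.

```powershell
# Added example, not Microsoft's code. Parses CMTrace-format log lines and correlates one
# tenant attach device action across the service connection point, the management point
# and the client, then maps the failure signatures shown on this page to an action. Sample
# entries are constructed from the messages above, wrapped in the CMTrace line format the
# real logs use; dates, threads and component names in the wrapper are made up.

$samples = @{
    'CMGatewaySyncUploadWorker.log' = @'
<![LOG[Batching 3 Records]LOG]!><time="10:00:30.000+000" date="02-28-2024" component="CMGatewaySyncUploadWorker" context="" type="1" thread="5120" file="">
<![LOG[Next run time will be at approximately: 02/28/2024 10:15:30]LOG]!><time="10:00:31.000+000" date="02-28-2024" component="CMGatewaySyncUploadWorker" context="" type="1" thread="5120" file="">
'@
    'CMGatewayNotificationWorker.log' = @'
<![LOG[Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2]LOG]!><time="15:43:40.150+000" date="01-21-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="4120" file="">
<![LOG[Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1]LOG]!><time="15:43:40.200+000" date="01-21-2020" component="CMGatewayNotificationWorker" context="" type="1" thread="4120" file="">
<![LOG[Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78]LOG]!><time="15:50:02.000+000" date="01-21-2020" component="CMGatewayNotificationWorker" context="" type="2" thread="4120" file="">
'@
    'BgbServer.log' = @'
<![LOG[Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients  with throttling (strategy: 1 param: 42)]LOG]!><time="15:43:41.000+000" date="01-21-2020" component="BgbServer" context="" type="1" thread="6100" file="">
'@
    'CcmNotificationAgent.log' = @'
<![LOG[Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=]LOG]!><time="15:43:42.000+000" date="01-21-2020" component="BgbAgent" context="" type="1" thread="2210" file="">
<![LOG[Send Task response message <BgbResponseMessage TimeStamp="2020-01-21T15:43:43Z"><PushID>7</PushID><TaskID>8</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfully.]LOG]!><time="15:43:43.000+000" date="01-21-2020" component="BgbAgent" context="" type="1" thread="2210" file="">
'@
    'GenericUploadWorker.log' = @'
<![LOG[Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44]LOG]!><time="16:05:00.000+000" date="01-21-2020" component="GenericUploadWorker" context="" type="3" thread="4120" file="">
'@
}

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][string]$LogName)
    # CMTrace entry: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ... type="N" ...>
    # type 1 = Info, 2 = Warning, 3 = Error. Real logs also contain multi-line entries; this keeps to one line each.
    $rx = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>\d{2}:\d{2}:\d{2}\.\d{3})[^"]*"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $rx) {
            [pscustomobject]@{
                Log       = $LogName
                Component = $Matches.comp
                Timestamp = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Trace-TenantAttachAction {
    param([Parameter(Mandatory)][string]$TaskGuid, [Parameter(Mandatory)][object[]]$Entries)
    # Follow one action by its task GUID. Each component writes it differently (TaskGuid:,
    # TaskGUID:, taskguid=), so match case-insensitively on either delimiter.
    $guid = [regex]::Escape($TaskGuid)
    $hops = @($Entries | Where-Object { $_.Message -imatch "taskguid[:=]\s*$guid" } | Sort-Object Timestamp)
    $seen = @($hops | Select-Object -ExpandProperty Component -Unique)
    $path = @('CMGatewayNotificationWorker', 'BgbServer', 'BgbAgent')   # SCP -> management point -> client
    $missing = @($path | Where-Object { $seen -notcontains $_ })
    $status  = if ($missing.Count -gt 0) { "never reached $($missing[0])" } else { 'completed' }
    $rc = $hops | ForEach-Object { if ($_.Message -match '<ReturnCode>(\d+)</ReturnCode>') { $Matches[1] } } | Select-Object -Last 1
    [pscustomobject]@{
        TaskGuid   = $TaskGuid
        Hops       = ($hops | ForEach-Object { "$($_.Timestamp.ToString('HH:mm:ss')) $($_.Component)" }) -join ' -> '
        Status     = $status
        ReturnCode = $rc
    }
}

function Get-TenantAttachFinding {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Map the signatures described on this page to what the admin should do next.
    foreach ($e in $Entries) {
        $advice = switch -Regex ($e.Message) {
            '^Unauthorized to perform client action.*AADUserID:\s*(\S+)' {
                "User $($Matches[1]) lacks 'Initiate Configuration Manager action' or is not a synced hybrid identity; fix the site RBAC"
            }
            '401 \(Unauthorized\)' {
                'Service rejected the site: reset tenant attach (offboard, wait about 2 hours, onboard again)'
            }
            '^Batching (\d+) Records' {
                "$($Matches[1]) changed device record(s) uploaded; allow up to 10 minutes before they appear in the admin center"
            }
            '^Next run time will be at approximately: (.+)$' { "Next upload at $($Matches[1]) (changes are uploaded every 15 minutes)" }
        }
        if ($advice) { [pscustomobject]@{ Time = $e.Timestamp; Log = $e.Log; Severity = $e.Severity; Advice = $advice } }
    }
}

$entries = foreach ($name in $samples.Keys) { ConvertFrom-CMTraceLog -Text $samples[$name] -LogName $name }
Trace-TenantAttachAction -TaskGuid 'a43dd1b3-a006-4604-b012-5529380b3b6f' -Entries $entries | Format-List
Get-TenantAttachFinding -Entries $entries | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Against real logs, replace the $samples hashtable with Get-Content of the files from <ConfigMgr install directory>\Logs on the service connection point, the management point’s BgbServer.log, and the client’s CcmNotificationAgent.log; the trace then tells you which of the three hops the action never reached, which is the first question to answer before looking at permissions or the tenant attach configuration.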

Specific devices don’t synchronize

Another issue that you may need to deal with has to do with specific devices, which also happen to be Configuration Manager clients, not being uploaded to the service. So, what devices should you expect to be potentially affected by this issue?

In scenarios where a device is a distribution point that uses the same PKI certificate for both the distribution point functionality and its client agent, then the device won’t be included in the tenant attach device sync.

Administrators should also understand the sync behavior involved. During onboarding, the first tenant attach sync is a full sync.

Every sync cycle after that is a delta sync. If an affected device is subsequently updated in any way, that update results in the device being removed from the sync.

When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don’t work

If the SMS Provider machine that communicates with the service connection point is configured to require multi-factor authentication, you won’t be able to install applications, run CMPivot queries, or perform other actions from the admin console.

Instead, you get a 403 (Forbidden) error. The usual fix is to configure the on-premises hierarchy back to the default authentication level, Windows authentication.

Configuration Manager lets you set the minimum authentication level admins need before they can access Configuration Manager sites. This is a useful security feature because admins have to sign in to Windows at that level before they can access Configuration Manager.

Furthermore, this applies to all components that access the SMS Provider. Configuration Manager supports the following authentication levels:

  • Windows authentication: Authentication with Active Directory domain credentials is required. This setting represents the previous behavior and is the current default.
  • Certificate authentication: Authentication with a valid certificate issued by a trusted PKI certificate authority is required. You don’t configure this certificate in Configuration Manager; Configuration Manager requires the admin to be signed in to Windows using PKI.
  • Windows Hello for Business authentication: This requires strong two-factor authentication that is tied to a device and uses a PIN or biometrics. Before choosing this setting, note that the SMS Provider and administration service require the user’s authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In other words, users of the console, SDK, PowerShell, or administration service must authenticate to Windows with their Windows Hello for Business PIN or biometric; otherwise the site rejects the user’s action. Also remember that this behavior is specific to Windows Hello for Business and does not apply to Windows Hello.

What to do when Configuration Manager components for tenant attach fail to connect to the backend cloud service

Another issue some have encountered is that the Configuration Manager components for tenant attach fail to connect to the backend cloud service when you run a client action from the Microsoft Intune admin center. In those cases, you may see the error below:

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name

According to Microsoft, this problem occurs in versions earlier than the Configuration Manager version 2203 hotfix rollup, after the public-certificate change of July 27, 2022, in which OU=Microsoft Corporation was removed from the public certificate.

After that change, the Configuration Manager database still held the old subject name, so the load check failed. Below are example entries from the CMGatewayNotificationWorker.log file on the top-level site in the hierarchy:

Error occured when process notification with notification Id <notification Id>. Ignore the notification. SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

Exception details: SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

[Warning][CMGatewayNotificationWorker][0][System.IO.InvalidDataException][0x80131501]

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.VerifyCertificate(X509Certificate2 certificate, Boolean crlCheck, X509Chain& certificateChain, X509Certificate2Collection extraStore)

and at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Reload()

at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Exists(String thumbprint)

and at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.<RefreshServiceSigningCertificateIfNotExistsAsync>d__19.MoveNext()

ADDRESSING THE ISSUE

There are two ways to address this. If you are running Configuration Manager version 2203, install the Configuration Manager version 2203 hotfix rollup.

If you are on an earlier supported version of Configuration Manager, first upgrade to Configuration Manager version 2203, then install the version 2203 hotfix rollup.
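As an added example (not code from Microsoft or from this blog), the Python script below scans CMGatewayNotificationWorker.log lines for the two signatures quoted above, the gateway 401 and the signing-certificate subject mismatch, and illustrates why an exact subject-string comparison fails once OU=Microsoft Corporation is dropped. The log lines and subject strings are constructed from the excerpts in the post; the certificate CN is a placeholder.

```python
"""Triage helper for CMGatewayNotificationWorker.log (added example, not code from
Microsoft or this blog). It flags the two signatures quoted in the post: HTTP 401 from
the tenant attach gateway and the 'Mismatch certificate subject name' check, and shows
why an exact subject-string comparison breaks when OU=Microsoft Corporation is removed.
All sample data below is constructed from the post's excerpts."""
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the excerpts quoted in the post.
SAMPLE_LOG = """\
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)
Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44
Web exception when getting new notification
[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]
The remote server returned an error: (401) Unauthorized.
Error occured when process notification with notification Id <notification Id>. Ignore the notification.
[Warning][CMGatewayNotificationWorker][0][System.IO.InvalidDataException][0x80131501]
Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 200 (OK)
"""

GATEWAY_RE = re.compile(r"Response from (?P<url>https://\S+) is: (?P<status>\d{3})")
STATUS_RE = re.compile(
    r"Response status code: (?P<status>\d{3}).*?Activity ID: (?P<activity>[0-9a-f-]{36})", re.I)
CERT_MISMATCH = "Mismatch certificate subject name"


@dataclass
class Triage:
    gateway_401: int = 0            # notification polls rejected with 401 Unauthorized
    cert_subject_mismatch: int = 0  # service signing certificate failed the subject check
    warnings: int = 0               # [Warning] header lines seen
    activity_ids: list = field(default_factory=list)
    gateway_urls: set = field(default_factory=set)
    advice: list = field(default_factory=list)


def triage_log(text: str) -> Triage:
    """Classify each line. A 401 event is counted once, on its 'Response status code'
    line, which also carries the Activity ID worth quoting in a support case."""
    t = Triage()
    for line in text.splitlines():
        if line.startswith("[Warning]"):
            t.warnings += 1
            continue
        m = GATEWAY_RE.search(line)
        if m:  # record which regional gateway the site polls; status is counted below
            t.gateway_urls.add(m.group("url"))
            continue
        m = STATUS_RE.search(line)
        if m:
            t.activity_ids.append(m.group("activity"))
            if m.group("status") == "401":
                t.gateway_401 += 1
            continue
        if CERT_MISMATCH in line:
            t.cert_subject_mismatch += 1
    if t.gateway_401:
        t.advice.append("Tenant attach gateway returned 401 Unauthorized while polling for "
                        "notifications; device sync and device actions will fail. Quote the "
                        "Activity ID(s) if a support case is opened.")
    if t.cert_subject_mismatch:
        t.advice.append("Service signing certificate subject mismatch: on versions earlier "
                        "than the 2203 hotfix rollup, upgrade to 2203 if needed and install "
                        "the 2203 hotfix rollup.")
    return t


def parse_dn(dn: str) -> dict:
    """Split 'CN=a, OU=b, O=c' into {attribute: value}. The separator must be followed
    by another 'ATTR=' token, so commas inside a value are not treated as separators."""
    parts = {}
    for rdn in re.split(r",\s*(?=[A-Za-z]+=)", dn):
        key, _, value = rdn.partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def subject_check(stored: str, presented: str) -> dict:
    """Compare the subject the site stored with the subject on the presented certificate.
    An exact string match fails as soon as one attribute is removed, even if the CN is
    unchanged; the diff shows which attributes moved."""
    a, b = parse_dn(stored), parse_dn(presented)
    return {
        "exact_match": stored == presented,
        "cn_match": a.get("CN") == b.get("CN"),
        "removed": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
    }


# Constructed subjects: the CN is a placeholder; only the OU removal is taken from the post.
STORED_SUBJECT = "CN=<signing-cert-cn>, OU=Microsoft Corporation, O=Microsoft Corporation, C=US"
PRESENTED_SUBJECT = "CN=<signing-cert-cn>, O=Microsoft Corporation, C=US"

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(f"401 polls: {result.gateway_401}, cert mismatches: {result.cert_subject_mismatch}")
    for line in result.advice:
        print(" -", line)
    print(subject_check(STORED_SUBJECT, PRESENTED_SUBJECT))
```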

In the update rollup for Microsoft Endpoint Configuration Manager current branch, version 2203, the following issues have been addressed:

  • Application approvals through email not working with a cloud management gateway due to a missing Microsoft Entra token.
  • Metadata revisions to previously published metadata-only updates not being synchronized to Windows Server Update Services (WSUS) as expected.
  • If the Task Sequence Editor running on Windows Server 2022 is left open for a few minutes, it fails to apply changes to a task sequence and shows the following message:

Error connecting to provider, smsprov.log may show more details.

  • When the Client checking status frequency (minutes) value is set below 60, the BitLocker compliance status is temporarily inaccurate.
  • The SMS_AZUREAD_DISCOVERY_AGENT thread of the SMS_Executive service incorrectly removes some users and their group memberships when the site server is configured with a non-US English locale. The removals occur when the discovery cycle runs after the 12th day of the month. Errors similar to the following are recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file at various times during the discovery cycle:
    1. ERROR: Encountered SqlException The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.
    2. ERROR: Exception message: [The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.]
    3. ERROR: Group full sync request failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object.

  • When adding a CMPivot query as a favorite, it is split into two lines and characters are removed.
  • When searching Software Update Groups in the Configuration Manager console, the Name criteria is not an option.
  • The Browse button for Content location in a deployment’s properties returns an empty location instead of the previously set value.
  • The implicit uninstall setting is not respected by an application that is targeted to a device collection but deployed in the context of the user.
  • Typing a Name value in the Create Orchestration Group wizard is slower than normal.
  • A misleading error message (false negative) is generated on a target distribution point that is co-located with a site server. You may see this during content distribution from a parent site to a child site. In distmgr.log, the false negative appears in this format:

~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file

Conclusion

In some cases, unfortunately, neither option (installing the version 2203 hotfix rollup directly, or upgrading to version 2203 first) fixes the issues above. In those situations, open a support ticket with the Configuration Manager support team.

From there, you’ll be able to get the appropriate assistance to resolve the problem in the supported version of Configuration Manager in your environment.

Windows 365 Cloud PC and Microsoft Dev Box – A Detailed Comparison

Every business is constantly looking for ways to improve operations, maximize efficiency, and as a result increase revenues. These are precisely the kinds of objectives that cloud solutions can help you meet. They enable businesses to access the computing resources they need when they need them.

Not only do you get excellent computing resources but it also allows you to work remotely whenever it’s convenient for you. In a world where cybercrime is on the rise and physical devices are at risk, cloud services offer an excellent solution that is always available.

With the Windows 365 Cloud PC and the Microsoft Dev Box, Microsoft offers businesses powerful virtual workstations that employees can access from anywhere on any device. These two, however, have their similarities as well as differences. In this article, we shall be doing a comparison of these two services to help you decide which one is most ideal for your business.

Introduction

WINDOWS 365 CLOUD PC

Let’s start with an introduction to both of these services so that we know exactly what they are. The first service is Windows 365 Cloud PC, a virtualization service introduced by Microsoft in 2021. This platform enables individuals to stream their Windows 10 or 11 desktop, applications, various settings, and content from the Microsoft Cloud to any chosen device they prefer.

As an organization, this means that your workers can experience the full Windows ecosystem using personal or corporate devices. Cloud PCs offer a secure environment to store apps, files, and documents. Users can access them anytime and on any device with an internet connection. These kinds of features bring a whole new meaning to the term “portable device.”

The service is easy enough to use. Just purchase a subscription to begin. You can then remotely access a Windows desktop in any modern web browser. Once you have your subscription, you can link Windows 365 to an existing Microsoft account. From there, all your apps, tools, data, and settings will become readily accessible at any time.

Cloud PCs provide you with a consistent experience across any device. This thereby helps users to maintain work efficiency even when working remotely. So, imagine you are working on a project with several application windows open and you suddenly disconnect. The exact same state will restore when you reconnect, regardless of whether you’re using the same device.

MICROSOFT DEV BOX

The Microsoft Dev Box is another virtual computing service from Microsoft, which became generally available in 2023. It was built on the foundation of Windows 365 and designed specifically with developers in mind, to make them more productive by removing the delays that usually precede their first commit.

What developers get with this solution is access to ready-to-code cloud workstations called dev boxes. These workstations deal with the hardware and onboarding challenges that developers have had to deal with for years.

Dev boxes are configurable with tools, source code, and prebuilt binaries. These are specific to a project, thereby allowing developers to start work as soon as they want.

Comparing cloud services

When trying to decide which cloud solution your business should opt for, it can be a little tricky. First, you need to fully understand what you get from the Windows 365 Cloud PC as well as the Microsoft Dev Box. These two options have several similarities. However, they present different design features for unique user bases.

Again, dev boxes are powerful, pre-configured workstations that allow developers to tackle their tasks almost immediately. Because they are self-service and come ready-to-code, dev boxes eliminate the usual delays that you often face with onboarding.

On the other hand, Windows 365 targets multiple different users and allows them to stream a personalized Windows experience to any device.

Although Dev Box has been built specifically for developers, dev teams are not obliged to use it; they can opt for the Windows 365 Cloud PC instead. Whichever you select, you still benefit from Microsoft Endpoint Manager and Intune, and can expect to maximize security, compliance, and cost efficiency.

But, the high-performance aspect of dev boxes, among other features, means they will be the ideal option for developer teams. This doesn’t take anything away from the Cloud PC. It still offers businesses virtual desktops that can be set up quickly. Also, they have multiple configurations and can handle various scenarios and workloads.

The multitude of features that Cloud PCs offer mean that businesses can also use them for development purposes. So, if high-performance and self-service access are not prerequisites for your dev teams’ purposes, then Windows 365 could work just fine for you.

Pricing

Another point in favor of Windows 365 is its predictable per-user, per-month pricing, shown for the Business and Enterprise editions below:

  • Basic: $31/month. 2 vCPU, 4 GB RAM, and 128 GB storage; runs light productivity tools and web browsers. Business supports up to 300 users; Enterprise supports unlimited users.
  • Standard: $41/month. 2 vCPU, 8 GB RAM, and 128 GB storage; runs a full range of productivity tools and line-of-business apps. Business supports up to 300 users; Enterprise supports unlimited users.
  • Premium: $66/month. 4 vCPU, 16 GB RAM, and 128 GB storage; runs high-performance workloads and heavier data processing. Business supports up to 300 users; Enterprise supports unlimited users.

Microsoft Dev Box SKU pricing (per Dev Box instance):

  SKU                                   Max monthly price   Hourly compute   Monthly storage
  8 vCPU, 32 GB RAM, 256 GB storage     $138.20             $1.49            $19
  8 vCPU, 32 GB RAM, 512 GB storage     $157.20             $1.49            $38
  8 vCPU, 32 GB RAM, 1024 GB storage    $195.20             $1.49            $76
  8 vCPU, 32 GB RAM, 2048 GB storage    $271.20             $1.49            $152
  16 vCPU, 64 GB RAM, 256 GB storage    $257.40             $2.98            $19
  16 vCPU, 64 GB RAM, 512 GB storage    $276.40             $2.98            $38
  16 vCPU, 64 GB RAM, 1024 GB storage   $314.40             $2.98            $76
  16 vCPU, 64 GB RAM, 2048 GB storage   $390.40             $2.98            $152
  32 vCPU, 128 GB RAM, 512 GB storage   $514.80             $5.96            $38
  32 vCPU, 128 GB RAM, 1024 GB storage  $552.80             $5.96            $76
  32 vCPU, 128 GB RAM, 2048 GB storage  $628.80             $5.96            $152

Having gone over all the above information, however, Dev Box remains unquestionably the best option. This is especially true for development teams that require high-performance workstations. Also, it’s great for teams who need solutions tailored to their specific projects, self-deployed by developers, and ready-to-code on deployment.

Requirements

Businesses intending to use Windows 365 need Intune licenses if they want to manage their devices with Intune. If you’re signing up for Windows 365 Enterprise, users need licenses for Windows E3, Intune, Microsoft Entra ID P1, and Windows 365 to use their Cloud PC.

Alternatively, if you’re signing up for Windows 365 Frontline, users must have licenses for Windows E3, Intune, and Microsoft Entra ID P1. This is in addition to being added to the Microsoft Entra security group in the provisioning policy to use their Cloud PC.

Those interested in using Microsoft Dev Box will also need to meet certain requirements. Each user needs to be licensed for Windows 11 Enterprise or Windows 10 Enterprise, Microsoft Endpoint Manager, and Azure Active Directory P1.

Although clients can obtain these independently, you will also find these licenses included in Microsoft 365 F3, Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 A3, Microsoft 365 A5, Microsoft 365 Business Premium, and Microsoft 365 Education Student Use Benefit subscriptions.

Common features

Remote access

A lot of organizations are adapting to the idea of a more hybrid workforce because of the increased convenience and access that cloud services can offer. With workstations being hosted on the Microsoft Cloud, workers can access their PCs from anywhere. And it’s brilliantly efficient, as long as they have an internet connection.

Cloud PCs and dev boxes utilize the same infrastructure, enabling users to enjoy excellent remote accessibility. This level of access can revolutionize virtualization technology by freeing workers from being limited to their workstations or specific locations and devices.

This is a great development for businesses and workers alike, especially considering a Microsoft survey that found 73% of workers would be interested in working remotely if the option were available. If Windows 365 and Dev Box can provide the platform to do that, they are well worth adopting.

QUICK SETUP

When Windows 365 was first announced, one of its biggest selling points was ease of use and setup. Businesses don’t need to bring in additional or specialist IT professionals to configure their Cloud PC environments, and in-house IT departments won’t need days to get users set up with Cloud PCs.

Therefore, once a new employee starts, they will have access to a Cloud PC almost as soon as they need it. Because Dev Box is built on the foundation of Windows 365, it follows the same concept of simplicity and ease of use. Microsoft is offering developer teams ready-to-code workstations, enabling them to start work immediately.

Developers will get the full complement of tools, source code, and prebuilt binaries. As a result, you won’t need to wait weeks or more to begin contributing to the projects that your colleagues are working on.

SECURITY

Keeping data secure is a very high priority for Windows 365, which is why Cloud PCs are kept up to date with the latest cumulative updates. Data remains protected wherever an individual is working. Microsoft also recommends using Conditional Access to secure end-user access to Windows 365.

If businesses use this as well as multi-factor authentication for all their users, then it becomes significantly less likely that nefarious actors could gain access to organizational resources. Similarly, Microsoft has ensured that robust security measures are extended to the Dev Box. Businesses can enhance security by joining dev boxes natively to their Azure Active Directory, or even to a hybrid Azure Active Directory domain.

Additionally, they can utilize features such as conditional access and multi-factor authentication in the same way they have been doing with other products and services in the Microsoft ecosystem.

COMPATIBILITY

Another thing that was crucial for Microsoft to attract clients to the Cloud PC was compatibility. Oftentimes, new services will come with strict hardware requirements that can necessitate significant spending on new devices. Not so with Windows 365. Users can comfortably access their Cloud PCs using whatever devices they prefer.

Although you will get the best experience from using a PC, the choice remains yours whether you use a Windows device or a Mac, an Android device or one running iOS. Developer teams that want to use Dev Box will also benefit from similar compatibility. Businesses don’t need to furnish employees with new devices or worry about changing operating systems.

Dev Box users can get all their favorite productivity software and custom line-of-business tools regardless of the platform they are working on. Not only will this feature help minimize hardware expenditure, but it could potentially improve productivity because developers can use the devices and other tools they are most comfortable with.

SUSTAINABILITY

Plenty of businesses are putting in place measures to help them operate more sustainably and do what they can for the betterment of the planet. As a responsible organization, Microsoft has committed to becoming carbon negative by the year 2030 as well as putting in place measures to eliminate all the carbon that the organization has emitted directly or by electricity consumption since its foundation by the year 2050.

Services like Windows 365 and Dev Box can play a mission-critical role in achieving these goals. With workstations that run on the cloud, users can keep their devices for longer which is something that can contribute to a reduction in e-waste.

Moreover, using cloud solutions can do even more for long-term sustainability with some research suggesting that migrating to the cloud can reduce CO2 emissions by nearly 60 million tons per year.

Access simplified

Arguably the biggest goal of cloud-based solutions has been to facilitate easier access for clients using various devices and operating systems. Windows 365 and Dev Box are at the forefront of what Microsoft has been doing in the cloud technology space. But, it doesn’t simply end with these solutions.

Microsoft has just recently announced the Windows App which is going to be the gateway to many Windows services that are available to businesses. This new offering has been designed to allow the use of almost any device on any platform.

Not surprisingly, this will be the source of great excitement for a lot of Cloud PC and Dev Box users. If you happen to be one of the unfortunate people who till now have been forced to use certain devices or operating systems, then Windows App will give you the freedom many sorely desire. Because of the way it has been designed, users will be able to run Windows on their devices of choice.

So, whether we’re talking about Macs or devices running Linux, Android, and so on, the beauty of this service is that it still gives you secure access to Microsoft’s remote services. And something we are all going to enjoy is using web browsers to connect to those remote services.

CONNECTING TO YOUR CLOUD PC

If you want to use a web browser to connect to your Cloud PC from Windows 365, all you have to do is:

  • Open your web browser and navigate to https://windows.cloud.microsoft.
  • Sign in with your user account.
  • If it’s your first time using Windows App, navigate through the tour to learn more about Windows App, then select Done, or select Skip.
  • From the Home tab, select Go to devices.
  • At this stage, you are going to see all the Cloud PCs you have from Windows 365 as well as all the other remote resources you have access to. If no Cloud PCs are appearing then you’ll want to contact your administrator.
  • Next, locate the Cloud PC you want to connect to. You can use the available filters to help you find exactly what you need to connect to.
  • Select Connect. A new tab or browser window opens for that device or app.
  • You’re going to see a prompt displaying In Session Settings that asks you to confirm which local devices or features to use with your Cloud PC. After making your decision, select Connect. You can avoid seeing this prompt every time you connect by checking the Don’t show again box.
  • As soon as the connection to your Cloud PC is complete, you can start using it.

CONNECTING TO YOUR DEV BOX

If you want to use a web browser to connect to your dev box from Microsoft Dev Box, all you have to do is:

  • Open your web browser and navigate to https://windows.cloud.microsoft.
  • Sign in with your user account.
  • If it’s your first time using Windows App, navigate through the tour to learn more about Windows App, then select Done, or select Skip.
  • From the Home tab, select Go to devices.
  • At this stage, you are going to see all the dev boxes you have from Microsoft Dev Box as well as all the other remote resources you have access to. If no dev boxes are appearing then you’ll want to contact your administrator.
  • Next, locate the dev box you want to connect to. You can use the available filters to help you find exactly what you need to connect to.
  • Select Connect. A new tab or browser window opens for that dev box.
  • You’re going to see a prompt displaying In Session Settings that will ask you to confirm which local devices or features to use with your Dev box. After making your decision, select Connect. You can avoid seeing this prompt every time you connect by checking the Don’t show again box.
  • As soon as the connection to your dev box is complete, you can start using it.

Wrap up

The future of cloud-based services is bound to have plenty of innovative solutions that will help enhance even further the way businesses interact with technology. Businesses can already benefit from the convenience of having access to powerful virtual workstations without the need to set up their own in-house servers. Microsoft Cloud services provide businesses with solutions such as Windows 365 Cloud PC and Microsoft Dev Box that offer exceptional performance as well as high availability.

Additionally, these cloud services can meet you wherever you are in your journey. There are options available that are tailored to smaller businesses just like you have options for larger businesses. And as you continue to grow, you’ll have the flexibility to scale at a rate that is ideal for your business. So, whether it’s the Cloud PC or the Dev Box that fits your business model better, you can be certain that both will deliver industry-leading technology and world-class service.

Microsoft Intune: Management and Security

The way businesses utilize technology has changed significantly over the last few decades. No longer are individuals confined to their desks so that they can use physical desktops for work. With the advent of Bring-Your-Own-Device (BYOD) policies, plenty of organizations are now having employees use personal devices to do their work as well. This gives individuals greater flexibility regarding when, where, and how they can complete their work-related tasks.

However, despite the countless benefits this scenario presents, there is still the issue of organizations securing their data. This is why Microsoft Intune is so important as a cloud-based device and application management solution that gives the organization control over who can access its resources and how. Following on from the previous blogs on planning and designing your Intune environment, today I’ll be continuing our look into Intune.

Identity management

One of the most important areas your organization should be looking at is identity management. Without it, your organizational security will not be as strong as it should be. Identity management covers all the user accounts and groups that are able to access the organization’s resources. It is the role of admins to ensure that identity management is done properly, and their responsibilities include:

  • Management of account memberships.
  • Management of settings that affect user identities.
  • Authorizing as well as authenticating access to resources.
  • Securing and protecting the identities from actors with nefarious intentions.

The advantage that comes with using Microsoft Intune is that it will carry out all these tasks for you and plenty more. Because it’s a cloud-based platform, Intune can use policies such as security and authentication policies for identity management.

Scenario with existing users and groups

Management of users and groups forms a significant part of endpoint management, and if you already have existing ones, Intune can help. For organizations with on-premises environments, user accounts and groups are created and managed in an on-prem Active Directory, and you can update them from any domain controller in the domain.

When it comes to Intune, you’ll find a central location for user and group management within the Endpoint Manager admin center. Since this admin center is web-based, access to it can be obtained through any device connected to the internet. As an admin, all you need is to sign in with your Intune administrator account. Getting the user accounts and groups into Intune can be done via several methods:

  • For Microsoft 365 customers with users and groups in the Microsoft 365 admin center, you’ll also find those users and groups in the Endpoint Manager admin center. If you have multiple tenants, sign in to the Endpoint Manager admin center in the same Microsoft 365 tenant as your existing users and groups.
  • Those with on-prem Active Directory can use Azure AD Connect to synchronize on-prem AD accounts to Azure AD. And then once these accounts are in Azure AD, you’ll also find them in the Endpoint Manager admin center.
  • Users and groups can also be imported into the Endpoint Manager admin center from a CSV file. Alternatively, you have the option of creating users and groups from scratch. To create a more structured situation, you can add users and devices to the groups that you add and organize them according to your chosen criteria, for example, location, hardware, department, etc.

Move from machine accounts

A computer account is automatically created every time a Windows endpoint joins an on-premises AD domain. This account can then be used for authenticating on-premises programs, services, and apps. However, you should note that machine accounts are strictly local and so you cannot use them on Azure AD-joined devices. So, in such a case, you would have to opt for user-based authentication to authenticate to on-premises programs, services, and apps.

Roles and permissions control access

Role-based access control (RBAC) is the feature that is used in Intune and the selection of who will have access to what resources is determined by the roles you assign. This will also set the rules clarifying what users can do with those resources. There are some built-in roles that you can find in the Endpoint Manager admin center whose focus is endpoint management. Among these are Policy and Profile Manager, Application, etc.

Each role carries read, update, create, or delete permissions as required; where admins need a different set of permissions, custom roles can be created.

Create user affinity when devices enroll

Devices will become associated with a particular user the first time they sign in and this feature is what is known as affinity. This is particularly convenient because users will have available on all their devices all the policies assigned or deployed to their user identities.

Therefore, once associated with a device users will have access to their files, apps, email accounts, and more. Without this association, devices will be categorized as having no user which is often the case with kiosk devices that are focused on specific tasks as well as devices that are used by multiple individuals.

Regardless of which scenario you are dealing with, Intune allows for the creation of the appropriate policies on Windows, macOS, Android, and iOS. So, you’ll need to first establish the intended purpose of a device before proceeding with placing it under management so that you’ll have all the necessary information during enrollment.

Policy assignment with Microsoft Intune

Policies work a little differently on-premises and in the cloud. On-premises there are both domain and local accounts, and Group Policy and permissions are applied to them at the local, site, domain, or OU level (LSDOU). Processing follows that order and the last policy applied wins: OU policies override domain policies, domain policies override site policies, and site policies override local policy, unless a link is marked Enforced or inheritance is blocked on a container.

In Intune, by contrast, the policies you create hold settings for device features, security rules, and so on, and are assigned to users and groups; unlike LSDOU there is no hierarchy. A conflict between two Intune policies that manage the same setting is therefore not resolved by precedence, which is why each setting should be managed by only one policy.

Management of Windows, macOS, and iOS/iPadOS devices is simplified by the thousands of settings available in the Intune settings catalog. For anyone used to on-premises Group Policy Objects (GPOs), the settings catalog makes the transition relatively easy, since many settings map directly onto their GPO counterparts.

Securing identities

User identities need to maintain the highest level of security because they are used to access your organization’s resources. Therefore, you need to have measures in place to reduce the risk of unwanted actors potentially accessing these identities. Some of the things you can look at include:

  • Options that support a password-less strategy, such as Windows Hello for Business, which replaces username-and-password sign-in. A password typed on a device is a reusable secret: it travels over the network, where it can be intercepted or replayed, and it is stored on servers, where a single compromise can expose countless credentials at once.

Windows Hello for Business

With Windows Hello for Business users sign in with a PIN or biometrics (face or fingerprint). The PIN or biometric only unlocks a private key held on the device, ideally in its TPM; the biometric template and the key never leave the device, so there is no reusable secret on the wire to intercept. Once Windows Hello for Business is deployed to your environment, you can use Intune to create the policies that configure PIN complexity, allow biometrics, require a TPM, and more.

  • Another option in the password-less category is certificate-based authentication. Intune can deploy user or device certificates (SCEP or PKCS profiles) and use them to authenticate to Wi-Fi, VPN, and email profiles, so users never have to enter a username and password for those resources.
  • Next on the list is multi-factor authentication (MFA), a feature of Azure AD. As the name suggests, it requires at least two different verification methods for successful authentication. Once MFA is deployed to your environment, you can also require it for enrolling devices into Intune through a Conditional Access policy.
  • Lastly, consider a Zero Trust approach. Zero Trust is a model rather than a single feature: every access request is verified explicitly, whether it comes from a user, a device, or an app, and the controls above (MFA, device compliance, app protection) are its building blocks. Applied consistently it significantly reduces the chance of data leaving the organization, whether intentionally or by accident.

Device management with Microsoft Intune

Microsoft Intune gives organizations a cloud-based service designed to make the colossal task of device management something much more manageable. Otherwise, you may look at all the laptops, tablets, and mobile phones in your environment and find it daunting to even think about where to start.

Fortunately, with Intune, you get several policies that enable you to control your organization’s devices. These will help you to manage both organization-owned and personal devices in such a way as to ensure that the organization’s data remains secure. There are several elements that you need to consider when looking at your device management strategy.

Management of personal and organization-owned devices

Plenty of organizations nowadays have embraced Bring-Your-Own-Device policies as part of their overall IT strategies going forward. And allowing employees to access organizational resources using personal devices gives them greater flexibility in how they conduct their work.

Also, it can help the organization save money on purchasing devices for employees. To ensure the security of your organization you can request users to enroll their devices in the organization’s device management services. Admins can then deploy policies and configure device features among other things on these devices.

Alternatively, you can protect only the organization's data inside apps such as Outlook and SharePoint with app protection policies, which work without enrolling the device, or you can combine both approaches. Organization-owned devices are a completely different situation: they should be fully managed by the organization.

New and existing devices

Intune allows you to use both new and existing devices, and it supports multiple platforms including Windows, macOS, Linux, Android, and iOS/iPadOS. A few changes may be necessary, however: devices currently enrolled with another MDM provider must be unenrolled first, which on some platforms means a factory reset, and devices still running older OS versions may not be supported at all.

Compliance health status

You need to verify the compliance health of your devices because it is a very important part of managing devices. For your organization to maintain high levels of security it needs to enforce the use of password/PIN rules as well as verify security features on devices.

The role of compliance is to evaluate which devices are compliant with your requirements and which are not. Your organization will be responsible for creating compliance policies that enforce your minimum requirements. This can include ensuring that there is a minimum OS version, blocking simple passwords, etc.

When you combine these policies with the built-in reporting, you'll see not only which devices are non-compliant but exactly which settings make them so. This gives you a clear picture of the state of the devices that have access to organizational resources. With Azure AD Conditional Access you can then enforce compliance by blocking non-compliant devices from those resources.

Controlling device features and assignment of policies

The policies that you can create with Microsoft Intune enable you to control any number of device features. You can also have device groups and with these, your organization can create policies targeted at the device experience or task.

Additionally, you may also create policies with settings that you want to be permanently established on a particular device regardless of the user. Devices can be placed in groups that you can differentiate based on any chosen criteria. These can be things like OS platform, location, function, etc.

Furthermore, groups may contain devices that are shared by multiple users and thus are not associated with one specific user. These dedicated or kiosk devices are typically used by frontline staff, and Intune can manage them too. Once the groups are ready, policies can be assigned to them.

Securing your devices with Microsoft Intune

There are several measures you can take to secure your devices against attacks. These measures can include enabling security features and installing tools like antivirus solutions. Intune can offer your organization additional features to further enhance your security.

Mobile Threat Defense integration

To increase security for both organization-owned and personal devices, Intune enables integration with Mobile Threat Defense (MTD) partners. MTD services operate by scanning your devices and then assisting in addressing any detected vulnerabilities. And these MTD partners will also support the same platforms that are supported by Intune including Windows, macOS, Android, and iOS/iPadOS.

Using security baselines

Another thing that you should be doing is using security baselines on your Windows devices. These pre-configured Windows settings enable you to secure and protect your users and devices by giving you more granular control over security configurations. Not only will you get better overall control but each baseline that you deploy can be customized to apply the settings and values that you want. Therefore, you can take advantage of this to configure your settings specifically for your organization.

Built-in policy settings

You can also leverage built-in policy settings to perform several tasks such as encrypting hard disks, managing software updates, configuring the built-in firewall, etc. Furthermore, you can take advantage of the cloud service known as Windows Autopatch to enhance the security and productivity of your organization. It does this by automating the patching of Windows, Microsoft 365 Apps for enterprise, Microsoft Teams, and Microsoft Edge.

Endpoint Manager

Lastly, you can use the Endpoint Manager admin center to manage your devices remotely. There are plenty of actions that can be performed remotely and these include locating lost devices, locking or restarting devices, restoring devices to factory settings, and more. Having the option of remote management can be very useful, especially in instances where devices are lost, stolen, or need remote troubleshooting.

App management

We cannot talk about securing an organization’s data if we don’t first address the issue of protecting apps and the data they contain. App management often comes with significant challenges because of where users may source apps that they use to access your organization’s resources. Not to mention LOB apps that need careful management to help secure company data. And this is where Intune can play a key role in facilitating the management of these apps and thus improving your overall security.

App deployment

Your organization can use several different types of apps such as LOB apps, web apps, store apps, etc. Intune makes life easier by letting you add apps and then deploy them to users and devices as required, available, or uninstall assignments. The Endpoint Manager admin center has app features designed to simplify deploying the various app types across multiple platforms:

Android devices

Through the Endpoint Manager admin center, you’ll get an automatic connection to the Play Store where you can search for apps. Additionally, you can sync with your Managed Google Play account thus gaining access to your Android Enterprise apps. There’s plenty you can deploy on Android devices such as custom LOB apps, public and retail apps from the Play Store, Android Enterprise system apps, and more.

iOS/iPadOS devices

Through the Endpoint Manager admin center, you'll get an automatic connection to the App Store where you can search for apps. Additionally, you can sync with your Apple Business Manager/Apple School Manager account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. Similar to Android devices, you can deploy plenty of apps such as custom LOB apps, public and retail apps from the App Store, built-in apps, and more.

macOS devices

The Endpoint Manager admin center has built-in app types for the apps most commonly deployed to macOS, such as Microsoft 365 Apps, Microsoft Edge, and Microsoft Defender for Endpoint. Additionally, you can sync with your Apple Business Manager/Apple School Manager account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. For macOS devices, you can deploy custom LOB apps, Microsoft Defender for Endpoint, Apple disk image (DMG) apps, Microsoft 365 apps, volume-licensed apps, and more.

Windows devices

Through the Endpoint Manager admin center, you'll get an automatic connection to the public Microsoft Store where you can search for apps. Furthermore, you can sync with your Microsoft Store for Business account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. Note that Microsoft Store for Business has since been retired; the Microsoft Store app type in Intune, which is backed by Windows Package Manager, replaces it. When it comes to Windows devices, you can deploy custom LOB apps, volume-licensed apps, Win32 apps, public and retail apps in the Microsoft Store, and more.

App configuration

In an ideal scenario, you want to configure apps before they are installed so they are set up the way your organization wants. Otherwise, if apps are deployed to users and devices and users are then asked to enter configuration information themselves, they may enter it incorrectly, skip it, or end up blocked, which creates support calls and, in the worst case, security gaps.

So, the best thing for you to do may be to leverage app configuration policies that enable the automatic configuration of apps. You can even make your policies such that users won’t need to enter any information. Moreover, with app configuration policies you get the flexibility to deploy them at any time.

So, something you can do is to include the app configuration policy when users enroll their devices thus allowing you to complete the configuration of apps before users open them the first time.

App security

Another key part of your organization’s security is ensuring that apps are protected on both organization-owned and personal devices. The data in apps that have access to your organization’s data needs to be secured from malicious activity. With this in mind, we can easily see the importance of app protection policies that will help you to secure shared files, email, access to meetings, etc.

App protection policies can be created, configured, and deployed to your users and devices using Microsoft Intune. This applies not only to personal devices but also to devices under the management of another MDM provider. Organization-owned devices are usually fully managed, so the device itself is already under control, but app protection policies still add value there.

They enforce app-level controls that device management alone does not, and they separate users' personal data from the organization's data. You can, for example, require a PIN to open an app, prevent copy-and-paste from managed to unmanaged apps, block saving to personal storage, and add any other restriction you deem necessary.

Updating apps

We all know about the importance of updating our apps for maintaining security standards and improving performance. To make things simpler, when using Intune most apps will get an automatic update if one happens to be available. As already mentioned earlier, Windows Autopatch is another solution that you can use for the automatic patching of Microsoft Edge, Microsoft 365 Apps for enterprise, and Microsoft Teams.

Whenever users install apps themselves, they will need to assume the responsibility of ensuring that these apps are manually updated. And this includes apps that they install from a public app store.

Your organization will want to protect its data, and the best solution in this case may be app protection policies. With these policies you can enforce minimum app versions and wipe the organization's data from any app or device that does not meet your requirements.
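As an added example that is not part of the original post, the following Microsoft Graph PowerShell script creates the kind of app protection policy described in the last two sections: PIN required, clipboard fenced to managed apps, saving to personal storage blocked, and a minimum app version that warns, blocks, and finally wipes. It targets Outlook for iOS and assigns the policy to one group. It assumes the Microsoft.Graph PowerShell SDK; the policy name, version numbers, and group ID are placeholders, and the beta endpoint is used because minimumWipeAppVersion is only exposed there.

```powershell
# Added example, not from the original post. Creates an iOS app protection policy
# (MAM), targets it at Outlook, and assigns it to a user group.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' -NoWelcome
$graph = 'https://graph.microsoft.com/beta'   # minimumWipeAppVersion is beta-only

$policy = @{
    '@odata.type'                            = '#microsoft.graph.iosManagedAppProtection'
    displayName                              = 'APP - iOS - Corporate data (example)'
    description                              = 'PIN, clipboard fence, storage restrictions, minimum app version'
    # Access requirements: a PIN on the app, independent of the device PIN.
    pinRequired                              = $true
    minimumPinLength                         = 6
    simplePinBlocked                         = $true
    maximumPinRetries                        = 5
    periodOfflineBeforeAccessCheck           = 'PT12H'   # re-check with the service after 12 h offline
    periodOfflineBeforeWipeIsEnforced        = 'P30D'    # wipe org data after 30 days offline
    # Data protection: org data may only move between managed apps.
    allowedInboundDataTransferSources        = 'managedApps'
    allowedOutboundDataTransferDestinations  = 'managedApps'
    allowedOutboundClipboardSharingLevel     = 'managedAppsWithPasteIn'
    saveAsBlocked                            = $true
    allowedDataStorageLocations              = @('oneDriveForBusiness', 'sharePoint')
    printBlocked                             = $true
    dataBackupBlocked                        = $true
    # Conditional launch on app version (assumed values; pick the versions you support).
    minimumWarningAppVersion                 = '4.2330.0'   # warn below this
    minimumRequiredAppVersion                = '4.2310.0'   # block below this
    minimumWipeAppVersion                    = '4.2200.0'   # wipe org data below this
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json' -OutputType PSObject

# Target the policy at Outlook for iOS (Microsoft's published bundle ID).
$apps = @{
    apps = @(
        @{
            '@odata.type'       = '#microsoft.graph.managedMobileApp'
            mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier'; bundleId = 'com.microsoft.Office.Outlook' }
        }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Assign to a user group. App protection policies are user-targeted, never device-targeted.
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<user-group-object-id>' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

The three version thresholds are deliberately staggered: users see the warning first, are blocked next, and only a badly out-of-date app has its organizational data wiped. Keep the wipe threshold well below the block threshold so that an ordinary delayed update never destroys data.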

Endpoint security

Next, I want to look at the measures available in Intune to enhance your organization’s endpoint security. Security admins will find in Intune an Endpoint security node that can be used for configuring device security as well as managing security tasks for devices at risk. The comprehensive Endpoint security policies that you get will help you to enhance device security and mitigate risk. Admins will also get via Intune several tools designed for securing devices:

  • You can use the All devices view to verify the status of all managed devices and assess compliance.
  • You can utilize security baselines to implement standard security configurations for devices.
  • The management of security configurations on devices can be done through endpoint security policies (antivirus, disk encryption, firewall, endpoint detection and response, attack surface reduction, and account protection).
  • By using compliance policies, you can set the requirements for your devices and users. And this means that you determine the rules that users and devices need to follow for them to be compliant.
  • If you integrate Intune with Microsoft Defender for Endpoint this will allow you access to security tasks. The link that exists between Intune and Microsoft Defender for Endpoint due to these security tasks will enable your security team to detect at-risk devices. Subsequently, your Intune admins will then get the necessary information to implement remediation measures.

Device management

The Endpoint security node has an All devices view that lists every device from Azure AD that Intune manages. Use it to review the status of devices, for example which policies a device is not compliant with. Several remediation actions can be taken directly from this view, including restarting a device, running a Defender scan, syncing, and more.

Manage security baselines

Using security baselines is a great way to implement the best-practice recommendations of the relevant Microsoft security teams. Intune ships baselines for Windows 10/11 device settings, Microsoft Defender for Endpoint, and Microsoft Edge, among others. Leveraging them lets you quickly deploy a sound configuration of device and application settings that improves the security of users and devices.

However, it’s important to note that these baselines are for devices running Windows 10 version 1809 and later, as well as Windows 11. Another thing to note is that you can have several different methods in your environment for device configuration. So, when looking at the management of settings, you need to first establish what other methods may be in use to prevent problems.

Defender for Endpoint tasks

If you have integrated Intune with Microsoft Defender for Endpoint, you’ll have the option to assess Security tasks in Intune to identify devices that are at risk. With that done, you’ll have the information necessary to mitigate the risk. And then after you have successfully mitigated the risks, these tasks can be used to report back to Microsoft Defender for Endpoint.

  • The Defender for Endpoint team begins by reviewing which devices are at risk and then sends that information along to your Intune team as a security task. The process is a relatively simple one that will see a security task being created to identify the at-risk devices and their vulnerabilities, as well as provide the information necessary to mitigate the risk.
  • Once the information is passed along, the Intune Admins will review the security tasks before implementing actions within Intune to begin remediating the tasks. After the mitigation has been carried out, the task is set as complete and this will report the update back to the Defender for Endpoint team.

Using policies to manage device security

In the Endpoint security node under the Manage section, you will find security policies. If you are a security admin, these are policies that you will want to consider using to simplify the process of configuring device security. Otherwise, the process can involve a lot more work. For example, you may need to go through the vast number of settings in device configuration profiles or security baselines.

It’s also worth noting that these Endpoint security policies are only one of several methods in Intune that can be used for configuring settings on devices. So you’ll need to first verify what other methods may be in use to prevent problems.

Furthermore, under the same Manage section, you’ll also find Conditional Access and Device compliance policies. These two types of policies aren’t involved in the configuration of endpoints. But they do play a key role in device management and controlling access to your organization’s resources.

Use device compliance policy

These policies set the conditions that users and devices must meet to access your organization's resources. Common rules include enforcing password requirements and requiring specific OS versions, among others. The policies also define actions for non-compliant devices, ranging from notifying the device user, through marking the device non-compliant so that Conditional Access blocks it, to retiring the device. As with other policies, verify what other methods are in use in your environment so you can avoid policy conflicts.
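The following script is an added example, not code from the original post, showing the whole procedure from the Compliance health status section and this one in working form: create a Windows compliance policy with the rules discussed (minimum OS version, password, encryption, Secure Boot, Defender risk level), define the action for non-compliance, assign it to all devices with an exception group, and read back the per-state device counts. It assumes the Microsoft.Graph PowerShell SDK; the policy name, OS version, and group ID are assumptions to adjust.

```powershell
# Added example, not from the original post. Creates a Windows compliance policy,
# sets its non-compliance action, assigns it, and reads back the overview.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

$policy = @{
    '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
    displayName                                 = 'Compliance - Windows - Baseline (example)'
    description                                 = 'Minimum OS, password, encryption, Secure Boot, Defender risk'
    osMinimumVersion                            = '10.0.19045'   # assumption: Windows 10 22H2 or later
    passwordRequired                            = $true
    passwordBlockSimple                         = $true
    passwordMinimumLength                       = 8
    passwordRequiredType                        = 'alphanumeric'
    bitLockerEnabled                            = $true
    secureBootEnabled                           = $true
    codeIntegrityEnabled                        = $true
    storageRequireEncryption                    = $true
    activeFirewallRequired                      = $true
    defenderEnabled                             = $true
    rtpEnabled                                  = $true
    # Defender for Endpoint machine risk score; only evaluated once the MDE connector is on.
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = 'medium'
    # Actions for non-compliance. 'block' marks the device non-compliant in Azure AD,
    # which Conditional Access then enforces; the 24-hour grace period gives users time
    # to remediate first. Other actionType values: notification, retire, remoteLock.
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 24; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json' -OutputType PSObject

# Assign to all devices, excluding a group of known exceptions (kiosks, lab machines).
$assign = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } },
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'; groupId = '<exception-group-object-id>' } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Check: device counts per state for this policy (populated as devices check in).
Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/deviceStatusOverview" -OutputType PSObject |
    Select-Object successCount, failedCount, errorCount, pendingCount, notApplicableCount
```

Roll a policy like this out to a pilot group before assigning it to all devices: a device that fails a new rule is blocked by Conditional Access as soon as the grace period expires, and a single wrong threshold (a too-new osMinimumVersion, for instance) locks out an entire fleet at once.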

Configuration of conditional access

Using Azure AD Conditional Access policies with Intune lets you enhance security for your devices and your organization's resources. Intune evaluates each device against your compliance policies and reports the resulting compliance state to Azure AD.

Azure AD Conditional Access then uses that state, together with signals such as user, location, app, and sign-in risk, to decide which devices and apps are granted access to your organization's resources. Conditional Access policies can also control access for devices that are not under Intune management. With Intune you will most likely use device-based Conditional Access (require a compliant device) or app-based Conditional Access (require an approved or protected client app).
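As an added example, not part of the original post, here are the two Conditional Access policies this section and the earlier MFA bullet describe, created through Microsoft Graph PowerShell: one requiring MFA to enroll a device in Intune, and one requiring a compliant device for every cloud app. Both are created in report-only mode and both exclude a break-glass group. The group IDs are placeholders, and the Intune Enrollment application ID is the well-known value Microsoft publishes for that first-party app; confirm it in your own tenant before relying on it.

```powershell
# Added example, not from the original post. Creates two Conditional Access
# policies in report-only mode: MFA for Intune enrollment, compliant device for all apps.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All' -NoWelcome
$graph             = 'https://graph.microsoft.com/v1.0'
$pilotGroupId      = '<pilot-group-object-id>'        # assumption: start with a pilot, widen later
$breakGlassGroupId = '<break-glass-group-object-id>'  # assumption: emergency-access accounts, always excluded

function New-CaPolicy {
    param(
        [Parameter(Mandatory)][string]   $Name,
        [Parameter(Mandatory)][string[]] $Apps,      # app IDs, or 'All'
        [Parameter(Mandatory)][string[]] $Controls   # e.g. 'mfa', 'compliantDevice'
    )
    $body = @{
        displayName   = $Name
        # Report-only first: review the sign-in log impact, then switch to 'enabled'.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
            applications   = @{ includeApplications = $Apps }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json' -OutputType PSObject
}

# 1. MFA before a device can be enrolled: targets the Microsoft Intune Enrollment app.
New-CaPolicy -Name 'CA - Require MFA for Intune enrollment (example)' `
    -Apps @('d4ebce55-015a-49b5-a083-c84d1797ae8c') -Controls @('mfa') | Select-Object id, displayName, state

# 2. Compliant device for every cloud app: consumes the compliance state Intune reports to Azure AD.
New-CaPolicy -Name 'CA - Require compliant device (example)' `
    -Apps @('All') -Controls @('compliantDevice') | Select-Object id, displayName, state
```

The exclusion of the break-glass group is not optional hygiene: a compliant-device policy on all apps with no exclusions can lock every administrator out of the tenant if Intune stops reporting compliance, and report-only mode exists precisely so you can see that outcome in the sign-in logs before it happens.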

Set up Integration with Microsoft Defender for Endpoint

If you want to improve how your organization identifies risks and responds to them then integrating Microsoft Defender for Endpoint would be ideal. There are several MTD partners that Intune can integrate with to improve security.

However, by integrating Intune and Defender for Endpoint, you get additional benefits. These include access to Tamper Protection capabilities, security tasks, and streamlined onboarding for Defender for Endpoint on clients. Additionally, you’ll have access to Defender for Endpoint device risk signals in Intune compliance policies and app protection policies.

Pre-requisites for role-based access control

Managing tasks in the Endpoint security node of the Intune admin center requires an account with an Intune license and RBAC permissions equal to those of the built-in Endpoint Security Manager role. That role grants access to the Intune admin center and is intended for anyone responsible for managing security and compliance features.

Permissions granted by the Endpoint Security Manager role

Permission: Rights
Android FOTA: Read
Android for work: Read
Audit data: Read
Certificate connector: Read
Corporate device identifiers: Read
Derived credentials: Read
Device compliance policies: Assign, Create, Delete, Read, Update, View reports
Device configurations: Read, View reports
Device enrollment managers: Read
Endpoint protection reports: Read
Enrollment programs: Read device, Read profile, Read token
Filters: Read
Intune data warehouse: Read
Managed apps: Read
Managed devices: Delete, Read, Set primary user, Update, View reports
Microsoft Defender ATP: Read
Microsoft Store for Business: Read
Mobile Threat Defense: Modify, Read
Mobile apps: Read
Organization: Read
Partner device management: Read
PolicySets: Read
Remote assistance connectors: Read, View reports
Remote tasks: Get FileVault key, Initiate Configuration Manager action, Reboot now, Remote lock, Rotate BitLocker Keys (Preview), Rotate FileVault key, Shut down, Sync devices, Windows Defender
Roles: Read
Security baselines: Assign, Create, Delete, Read, Update
Security tasks: Read, Update
Telecom expenses: Read
Terms and conditions: Read
Windows Enterprise Certificate: Read
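As an added example (not from the original post), the following Microsoft Graph PowerShell script ties together the custom-roles discussion under Roles and permissions control access and the permission list above: it reads what the built-in Endpoint Security Manager role actually grants in your tenant, derives a read-only custom role from that list, and assigns the new role to an admin group restricted to a scope group. It assumes the Microsoft.Graph PowerShell SDK; the role names and group IDs are placeholders.

```powershell
# Added example, not from the original post. Inspects the built-in Endpoint Security
# Manager role, derives a least-privilege read-only custom role, and assigns it.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# 1. Compare the live definition with the documented list.
$roles   = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleDefinitions" -OutputType PSObject).value
$esm     = $roles | Where-Object { $_.isBuiltIn -and $_.displayName -eq 'Endpoint Security Manager' }
$allowed = @($esm.rolePermissions.resourceActions.allowedResourceActions) | Sort-Object -Unique
$allowed   # resource actions look like Microsoft.Intune_ManagedDevices_Read

# 2. Keep only the Read / ViewReports actions: enough for a helpdesk analyst who must
#    triage but never change policy. Deriving from the live list avoids hard-coding names.
$readOnly = @($allowed | Where-Object { $_ -match '_(Read|ViewReports)$' })
$custom = @{
    displayName     = 'Endpoint Security Reader (example custom role)'
    description     = 'Read-only subset of Endpoint Security Manager'
    isBuiltIn       = $false
    rolePermissions = @(
        @{ resourceActions = @( @{ allowedResourceActions = $readOnly; notAllowedResourceActions = @() } ) }
    )
}
$role = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleDefinitions" `
    -Body ($custom | ConvertTo-Json -Depth 10) -ContentType 'application/json' -OutputType PSObject

# 3. Assign it. members = the admin group that receives the role; scopeMembers = the
#    device/user groups those admins are allowed to see. Both IDs are placeholders.
$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Endpoint Security Reader - Helpdesk (example)'
    members                     = @('<helpdesk-admin-group-object-id>')
    scopeMembers                = @('<scoped-device-group-object-id>')
    'roleDefinition@odata.bind' = "$graph/deviceManagement/roleDefinitions/$($role.id)"
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Re-run step 1 periodically: built-in role definitions change as Intune adds features, and a custom role cloned from an older snapshot silently drifts away from what the built-in role grants.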

Avoid Policy Conflicts

In Microsoft Intune, many of the settings you can configure for a device can be managed by more than one feature. The list includes device configuration policies, security baselines, Windows enrollment policies, and endpoint security policies, among others.

For example, the settings in endpoint security policies are a subset of the settings also found in the endpoint protection and device restriction profiles of device configuration policy, and many of the same settings are managed by the various security baselines as well.

So, to steer clear of conflicts, avoid using different baselines, multiple instances of the same baseline, or different policy types and instances to manage the same setting on a device. Achieving this requires meticulous planning so that you clearly determine which method will deploy each configuration. Fortunately, if you do run into conflicts, Intune has built-in reporting that shows which devices report a conflict and for which profile, so you can identify and resolve them.
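As an added example, not part of the original post, the following Microsoft Graph PowerShell script produces the two reports that the Compliance health status section and this one describe: every non-compliant device together with the exact settings it fails, and every configuration profile that reports a conflict together with the devices caught between two profiles. It assumes the Microsoft.Graph PowerShell SDK and a read-only Intune role; the per-setting compliance detail and the conflict counts come from the beta endpoint, so treat those parts as subject to change.

```powershell
# Added example, not from the original post. Two reports from Microsoft Graph:
# (a) non-compliant devices with the settings they fail,
# (b) configuration profiles in conflict and the devices caught between them.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.Read.All' -NoWelcome
$v1   = 'https://graph.microsoft.com/v1.0'
$beta = 'https://graph.microsoft.com/beta'   # per-setting states and conflictCount are beta-only

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are not truncated at one page.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# (a) Which devices are non-compliant, and why.
$filter  = [uri]::EscapeDataString("complianceState eq 'noncompliant'")
$select  = 'id,deviceName,userPrincipalName,operatingSystem,osVersion,lastSyncDateTime'
$devices = Get-GraphCollection -Uri "$v1/deviceManagement/managedDevices?`$filter=$filter&`$select=$select"

$compliance = foreach ($d in $devices) {
    $states = Get-GraphCollection -Uri "$beta/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    $failed = foreach ($policy in $states) {
        foreach ($s in $policy.settingStates) {
            if ($s.state -eq 'nonCompliant') { "$($policy.displayName): $($s.settingName)" }
        }
    }
    [pscustomobject]@{
        Device         = $d.deviceName
        User           = $d.userPrincipalName
        OS             = "$($d.operatingSystem) $($d.osVersion)"
        # A device silent for a week is stale, not misconfigured: chase the device, not the setting.
        Stale          = ([datetime]$d.lastSyncDateTime -lt (Get-Date).AddDays(-7))
        FailedSettings = ($failed -join '; ')
    }
}
$compliance | Sort-Object Stale, Device | Format-Table -AutoSize

# (b) Which configuration profiles conflict, and on which devices.
$profiles  = Get-GraphCollection -Uri "$beta/deviceManagement/deviceConfigurations?`$select=id,displayName"
$conflicts = foreach ($p in $profiles) {
    $overview = Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/deviceConfigurations/$($p.id)/deviceStatusOverview" -OutputType PSObject
    if ($overview.conflictCount -gt 0) {
        # Only pay for the per-device listing when the overview reports a conflict.
        $statuses = Get-GraphCollection -Uri "$beta/deviceManagement/deviceConfigurations/$($p.id)/deviceStatuses"
        foreach ($s in ($statuses | Where-Object status -eq 'conflict')) {
            [pscustomobject]@{ Device = $s.deviceDisplayName; Profile = $p.displayName; User = $s.userName }
        }
    }
}
# A device listed under two or more profiles is where two policies fight over one
# setting; remove the setting from one of them rather than adding a third policy.
$conflicts | Group-Object Device | Where-Object Count -gt 1 |
    ForEach-Object { [pscustomobject]@{ Device = $_.Name; Profiles = ($_.Group.Profile -join ', ') } } |
    Format-Table -AutoSize
```

Settings catalog and endpoint security policies are reported through a different API than classic device configuration profiles, so report (b) covers the latter only; use the per-policy reports in the admin center for the former.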

Wrap up

The modern work environment has a lot going on in the IT department and this can be overwhelming for IT staff. With the advent of Bring-Your-Own-Device policies, no longer are you only concerned about physical desktops in the office. Employees have tablets, mobile devices, and personal laptops that can be used for work-related tasks. With that being the case, it means that these devices need to have access to organizational resources. And this is when security concerns become an issue.

This is why it’s important to have management solutions such as Microsoft Intune. Using this cloud-based platform gives you a solution that simplifies the management of the vast number of devices that have access to your organization’s data.

Additionally, you benefit from numerous management policies that ensure that all those devices are compliant with company regulations thus maintaining a high level of security for your company’s data. So, whether or not you already have a management solution in place, Intune is certainly worth considering.  

User is required to permit SSO

Getting January sign-in issues?

Recently I've been getting SSO sign-in issues in Microsoft Teams, Outlook and Remote Desktop App.

Error code: CAA2000C
Server message: User is required to permit SSO.

I’m running Windows 11 and it seems to be caused by: 2024-01 Cumulative Update Preview for Windows 11 Version 23H2 for x64-based Systems (KB5034204)

Uninstall the KB, restart and everything is back to working again.

It may be related to: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upcoming-changes-to-windows-single-sign-on/ba-p/4008151

AVD – The Flexible Solution for Remote Work and Business Continuity

One thing that we cannot deny is that remote work is a huge topic in business circles everywhere. It’s something that plenty are trying to evaluate so they can see whether it would be good for them or not. Although opinions and experiences may vary, there’s no denying the potential advantages that remote work could offer businesses. But, for you to get the most out of it, you need solutions with a proven track record. This includes Azure Virtual Desktop (AVD). It’s a solution that can offer employees greater flexibility in how they do their work. Additionally, it provides you with a solid business continuity strategy. Today, we’ll be discussing AVD and what you need to know about it.

Azure Virtual Desktop

A virtual desktop offers you the full desktop experience while running on a remote server. This means that you can access work applications and other organizational resources while working remotely. Azure Virtual Desktop is an app and virtualization service that runs on the cloud.

With this Azure cloud-based service, businesses can offer their employees an efficient and secure way of working remotely. It also allows for capabilities to deploy and manage desktops without too much difficulty. Some of the things you’ll get when running AVD include the following:

  • The ability to set up a multi-session Windows 11 or Windows 10 deployment that can give you the full Windows experience and scalability.
  • Presenting Microsoft 365 Apps for enterprise and optimizing it to run across multi-user virtual scenarios.
  • Bringing your existing Remote Desktop Services (RDS) and Windows Server desktops along with apps to any computer.
  • The ability to virtualize not only desktops but apps as well.
  • Provides you with a unified management experience that simplifies the management of desktops and apps from different Windows and Windows Server operating systems.

Importance of remote work

Understandably, plenty of businesses may ask themselves why they would even need to be considering remote work. If what you’re currently doing is working well, then why change it right? Although this assertion may be true, we only have to look back a couple of years to a situation where people couldn’t go to work and were required to stay home.

In these kinds of scenarios, being able to leverage virtual desktop services means employees can remain productive, and your business suffers significantly less.

In addition, the greater flexibility that remote work can offer employees is something that can contribute to increased job satisfaction. Employees who have the option for a better work/life balance are likely to be more efficient in how they do their jobs.

Furthermore, this can also change the way businesses operate for the better. You can have the option of hiring people from anywhere, giving you access to the best talent available.

Features of Azure Virtual Desktop

There’s no question that there are several benefits that businesses can gain from utilizing virtual desktop services. But why pick Azure Virtual Desktop? After all, it’s not even the only option that Microsoft offers.

However, AVD does have several features that can make it the remote work solution of choice for many businesses. It’s going to provide you with the following capabilities:

  • It allows you to create a full desktop virtualization environment in your Azure subscription. And you won’t need to run any gateway servers to do it.
  • You can accommodate your diverse workloads by publishing host pools as and when you need them.
  • Bring along your own images for production workloads or test from the Azure Gallery.
  • The option to have pooled, multi-session resources is going to enable you to cut down on costs. Clients benefit from Windows 11 and Windows 10 Enterprise multi-session, a capability exclusive to Azure Virtual Desktop; outside AVD, only Windows Server supports multiple concurrent sessions on one host. This lets you massively reduce the number of virtual machines and the operating system overhead while continuing to provide the same resources to your users.
  • You’ll also get personal (persistent) desktops, and this will provide you with individual ownership.
  • There is an auto-scale feature that allows you to automatically increase or decrease the capacity based on variable factors. These include changing certain days of the week or a specific time of day. And all of which can help you keep expenditures under control.

DEPLOYMENT AND THE MANAGEMENT OF VIRTUAL DESKTOPS AND APPLICATIONS

  • You can create application groups, assign users, and publish resources by using the Azure portal, Azure CLI, PowerShell, and REST API for configuring the host pools.
  • Reduce the number of images by publishing a full desktop or individual apps from a single host pool, creating individual application groups for different sets of users, or even assigning users to multiple application groups.
  • For environment management, Azure Virtual Desktop also recommends using built-in delegated access to assign roles and collect diagnostics, so you can understand configuration or user errors.
  • Whenever issues arise, and you need to troubleshoot errors, you can use the new diagnostics service.
  • Lastly, only the image and virtual machines should be managed and not the infrastructure. It’s not going to be necessary to personally manage the Remote Desktop roles as you do with Remote Desktop Services. Instead, just manage the virtual machines in your Azure subscription.

CONNECTED USERS

  • As soon as users have been assigned, they can launch any AVD client to connect to their published Windows desktops and applications, from any device, using either a native client application or the Azure Virtual Desktop HTML5 web client.
  • No inbound ports need to be opened on the session hosts: the hosts establish outbound reverse connections to the service, and user sessions are brokered over those connections.

Why choose Azure Virtual Desktop?

As previously mentioned, AVD is not the only virtual desktop solution available for businesses to choose from. We’ve already discussed what AVD is and what features it can bring to your organization. But some may still be asking why this particular solution. The reality is, there are several reasons why you may want to choose AVD as your flexible remote work solution of choice.

SEVERAL USE CASES

AVD offers several use cases to get the most out of your subscription. Arguably the biggest benefit is that remote workers get virtual desktops they can securely access from anywhere, authenticating against your existing Active Directory.

Additionally, if you want to publish legacy applications to certain users, you can install them on an AVD host and publish them to those users. To ensure a truly comprehensive remote working experience, you can deploy an AVD host in various regions across the world, thus enabling you to support your users globally.

DEVICE REFRESH EXPENDITURE

From our experiences of using personal devices, most of us are already aware that every few years, we’ll need to upgrade our devices. At a certain point, our devices will stop getting updates, the hardware will slow down, the battery may need replacing, etc. As one can imagine, the cost of refreshing devices for a business is going to be significant.

This is why taking advantage of solutions like AVD and shifting your computing model to the cloud can help businesses start reducing the money spent on hardware. With this solution, your business can use any number of devices, from tablets, laptops, and other mobile devices, for work-related purposes. Not only that, but even some so-called outdated devices may potentially be used to access virtual desktops.

Additionally, Azure Virtual Desktop is a cost-effective alternative to scaling a traditional virtual desktop environment within your own data center. This reduction in expenses leads to better ROI.

AVD can also be an invaluable tool for companies because it lets organizations control apps and data while still allowing employees to access those resources from their own devices. This means you can offer your workers greater flexibility in how they work while retaining overall control and keeping security standards high.

Although you could expect some of these benefits from a traditional VDI environment, the service you get from Microsoft comes at a better price point with better security.

IMPROVED SECURITY

Anyone looking to migrate to the cloud will want to know how secure the platform is going to be. Fortunately, for Azure Virtual Desktop clients, you can rest assured that you’ll get the identity management, backup, and database security benefits that the Microsoft Cloud provides.

We already know that Microsoft spends over a billion dollars a year in developing its industry-leading security measures and has a few thousand security experts working hard to enhance the security of the Microsoft ecosystem. As a result, employees will get to have virtual desktops that they can access in a highly secure manner, regardless of where they’re working.

SIMPLIFIED MANAGEMENT

Another great reason to choose Azure Virtual Desktop is that it will allow IT admins to only manage users, applications, and virtual machines without having to worry about the RDS infrastructure. This is because the latter will be managed by the AVD service.

Therefore, since RDS components like Gateways, Brokers, and Licenses are provided by the AVD service, the task of managing them is undertaken by AVD.

Furthermore, clients will be happy to learn that the AVD infrastructure is set up in such a way as to provide a simplified experience, with everything being centrally stored, managed, and secured.

So what the virtual desktop environment gives you is an easier management model: applications are installed, updated, and patched once, on the image or the session hosts, rather than on every client device. Likewise, backing up user data and scanning the desktops for malware happens centrally on the session hosts and profile storage rather than on each individual client device.

Multi-session attraction

One of the great features of the AVD (formerly Windows Virtual Desktop, WVD) infrastructure is its multi-session environment, which drastically reduces the resources required compared with single-user sessions. Single-user sessions have two main disadvantages.

Firstly, when a machine is not running at peak, a lot of its resources go to waste; secondly, when many users each need their own single-user session, the total resource demand is very high. 

Getting set up

As we look at setting up Azure Virtual Desktop for your business, there are few requirements that you’ll need to consider before proceeding:

  • You need an active Azure account and subscription.
  • You need the Global Administrator Azure AD role in the Azure tenant that you plan to use.
  • Lastly, you need the Contributor and User Access Administrator roles on the Azure subscription.

DEPLOYMENT STEPS

  • Log in with your administrator account in the Azure portal. Then, search for Azure Virtual Desktop and select it.
  • Proceed to set up host pools (which contain the session host virtual machines), application groups (to assign RemoteApps or desktops to users), workspaces (logical groupings of application groups), scaling plans, and user assignments that scope access to running AVD resources.

PROVISIONING

  • Select ‘Getting started‘ in the top left and check that the correct subscription is selected.
  • For the identity provider, you can use either an existing on-premises Active Directory or an existing Azure AD Domain Services instance; these are presented as separate options.
  • Select Azure AD Domain Services as the identity service type.
  • Create a resource group with a unique name.
  • For the location, select the region closest to your users.
  • You can use your own account as the Azure admin username if it has the necessary permissions to deploy resources and to grant access to them.
  • Enter a password for the account.
  • Provide a second account that will be used to join the virtual machines to the domain.
  • Go to the Virtual machines tab and create your first session hosts.
  • The users-per-virtual-machine setting determines whether more than one user can be logged into a single VM simultaneously. Multi-session, unique to Azure Virtual Desktop, helps you save costs and is available with both Windows 11 and Windows 10 Enterprise multi-session.
  • You also have the option of a single dedicated virtual machine for one user at a time.
  • Next, under Image, you can select from a number of supported Windows client and server images for AVD.
  • You also have the option to create and manage your own virtual machine images and choose them in addition to the standard gallery images.
  • For virtual machine size, you can choose from hundreds of supported VM sizes in Azure.
  • Once you have configured the host pool VMs, create an initial user assignment for the host pool on the Assignments tab.
  • Once the core steps have been completed, the wizard validates the configuration. You can then create all the necessary resources for AVD.
  • With this done, several resources and services are deployed, including:
      • 4 new Azure resource groups.
      • An Azure AD Domain Services instance used for authentication.
      • A storage account to store data.
      • FSLogix profile containers to support the multi-session environment.
      • The host pool and virtual machines.
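The host pool, application group, workspace, and user assignment that the wizard creates above can also be built from PowerShell, as the deployment and management section mentions. The following is an added example, not code from the original post, using the Az.DesktopVirtualization and Az.Resources modules. The resource group, region, object names, and the security group object ID are placeholder assumptions, and the script creates only the AVD control-plane objects, not the session host VMs.

```powershell
# Added example: provision an AVD host pool, desktop application group and workspace
# with the Az.DesktopVirtualization module, then scope access with Azure RBAC.
# Names, region and the group object ID are placeholders (assumptions), not values from the post.
#Requires -Modules Az.Accounts, Az.Resources, Az.DesktopVirtualization

$rg        = 'rg-avd-prod'                 # assumed resource group name
$location  = 'westeurope'                  # pick the region closest to your users
$hostPool  = 'hp-pooled-office'
$appGroup  = 'ag-pooled-office-desktop'
$workspace = 'ws-office'
$usersGroupObjectId = '00000000-0000-0000-0000-000000000000'   # assumed Azure AD security group

Connect-AzAccount | Out-Null
# Set-AzContext -Subscription '<subscription id>'   # uncomment if you work in several subscriptions

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 1. Host pool: Pooled + multi-session keeps the VM count down; MaxSessionLimit caps users per host.
$hp = New-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool -Location $location `
        -HostPoolType Pooled -LoadBalancerType BreadthFirst -PreferredAppGroupType Desktop `
        -MaxSessionLimit 10

# 2. Registration token the AVD agent on each session host uses to join the pool. Hosts connect
#    outbound to the service (reverse connect), so no inbound ports are opened. Keep the expiry
#    just long enough to finish deploying the hosts.
$token = New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hostPool `
           -ExpirationTime $((Get-Date).ToUniversalTime().AddHours(8).ToString('yyyy-MM-ddTHH:mm:ss.fffffffZ'))

# 3. Desktop application group bound to the host pool (a second group of type RemoteApp could
#    publish individual legacy applications from the same pool).
$ag = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name $appGroup -Location $location `
        -HostPoolArmPath $hp.Id -ApplicationGroupType Desktop

# 4. Workspace, which is what users see in the Remote Desktop client, referencing the app group.
New-AzWvdWorkspace -ResourceGroupName $rg -Name $workspace -Location $location `
    -ApplicationGroupReference $ag.Id | Out-Null

# 5. Least privilege: the built-in 'Desktop Virtualization User' role, scoped to this application
#    group only, assigned to a security group rather than to individual users.
New-AzRoleAssignment -ObjectId $usersGroupObjectId -RoleDefinitionName 'Desktop Virtualization User' `
    -Scope $ag.Id | Out-Null

# Pass the token to the session host deployment (ARM/Bicep parameter); treat it as a secret.
$token.Token
```

Publishing a second application group of type RemoteApp against the same host pool, and assigning a different security group to it, is how a single image serves both full-desktop and legacy-application users, as the management section describes.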

Accessing your virtual desktop

Once your virtual desktops have been set up, users will want to know how they can access them. For virtual desktop services to be an attractive option, they need to be easy to access. Azure Virtual Desktop lets users access their virtual desktops from any modern device as long as they have internet access.

This also means that it won’t matter what operating system you are using. Users can stick with the devices they prefer and don’t need to purchase new devices to access AVD.

For the best experience, however, Microsoft recommends using the Remote Desktop client app. Fortunately, this app is available on multiple platforms, including Windows, macOS, iOS, and Android. Apart from this app, users may also access their virtual desktops using any modern HTML5-compatible browser. 

Using the web client, users can access any session desktop or remote application inside a browser window or tab. Be aware that the client used for classic RDS (Remote Desktop Connection) is a different application from the Remote Desktop client for AVD, so verify that users download the right one.

Furthermore, users can access full desktop sessions and individual published applications when using the Remote Desktop client. This will be in addition to the automatic addition of remote apps and desktops to the local computer’s Start Menu for easier access.  

Enhance your business operations

Azure Virtual Desktop gives you more than an alternative technology solution; it can also change the way your company operates. Plenty of businesses are looking for ways to increase revenue, and virtual desktops can help by extending productivity to employees’ PCs, phones, tablets, or browsers, including devices that are not under the direct control of the IT team. Moreover, because of the measures Azure puts in place, users get secure access to organizational resources from those devices.

Another great thing that AVD will help you with is the level of support that end users will receive. When businesses are migrating workloads to the cloud, users are going to need increased support for a low-latency, optimized experience.

Fortunately, with AVD you get a platform suited to business-critical workloads, and the way you plan its adoption can directly or indirectly shape cloud adoption for all the workloads that depend on it.

Run a greener operation

In today’s marketplace, it is no news to anyone that our environment has suffered significantly, and all of us need to pitch in to start addressing the issues. Regardless of where you stand on the matter, eco-friendly operations matter: plenty of people now choose which businesses they deal with based on how sustainable they are.

We’ve already talked about how using virtual desktops will impact your device refresh cycle. However, needing to purchase fewer devices also means that your business will produce less electronic waste.

Because of the use of Microsoft’s highly efficient data centers, your business can potentially cut down massively on energy consumption. Coupled with the fact that you can have some employees working remotely, the total energy savings will be significant, especially when you also factor in commuting to work.

With virtual desktop users being able to work remotely, your business can improve productivity and efficiency. Users can access their virtual desktops wherever they are, allowing your business to run more sustainably while simultaneously increasing productivity.

Wrap up

When looking at remote work, we need to consider that there are plenty of advantages that both employer and employee can gain from this. Considering how virtual desktop services have grown in popularity over the last few years, businesses should at least be looking at these solutions to see what they can bring to their organizations. If there’s anything we’ve learned in that time, it’s that we need to be prepared for the worst. Otherwise, businesses may be forced to shut down.

The freedom and flexibility that a service like Azure Virtual Desktop can offer employees is something that can massively boost staff morale. Virtual Desktop users can maintain high levels of productivity whether they are in the office or working remotely.

In addition, Azure provides industry-leading security measures, meaning that businesses don’t need to worry about where their employees are working. Ultimately, AVD can be the solution that takes your business to the next level.

SMS_EXECUTIVE crashes on Hyper-V due to UserShadowStack

Introduction

In the realm of systems management, maintaining the stability and reliability of essential services is crucial for uninterrupted operations. A notable challenge that has emerged in this context involves the SMS_EXECUTIVE service, a vital component of the Configuration Manager, which is experiencing unexpected terminations shortly after startup. This issue not only hampers the functionality of the Configuration Manager but also poses significant concerns for system administrators who rely on this service for managing networked systems efficiently.

Overview of the Issue

The SMS_EXECUTIVE service, responsible for executing several critical tasks within the Configuration Manager infrastructure, including processing incoming data, executing administrative actions, and managing component threads, has been reported to crash moments after it is initiated. This abrupt termination of the service disrupts the normal workflow, leading to a series of operational challenges.

Scope of the Investigation

This post aims to delve into the potential causes of this issue, examining various aspects such as system logs, configuration settings, recent updates, and environmental factors that might contribute to the instability of the SMS_EXECUTIVE service. The primary objective is to isolate the root cause of the crash and provide a comprehensive analysis that can guide towards effective troubleshooting and resolution strategies.

Importance of Addressing the Issue

The stability of the SMS_EXECUTIVE service is paramount for the seamless operation of the Configuration Manager. Its failure not only impacts the efficiency of system management tasks but also poses risks related to security, compliance, and overall network health. Addressing this issue is thus critical for ensuring that the Configuration Manager continues to function as a robust and reliable tool for system administrators.

In the following sections, we will explore the technical details of the issue, outline the methodologies employed in the investigation, and discuss potential solutions to restore the functionality of the SMS_EXECUTIVE service effectively.

Identifying Potential Causes for the SMS_EXECUTIVE Service Crash


In order to effectively address the issue of the SMS_EXECUTIVE service crashing, it is essential to systematically identify and evaluate potential causes. This section outlines a structured approach for investigating various factors that could contribute to this problem.

1. System and Application Logs Analysis

  • Event Viewer Logs: A thorough examination of the Windows Event Viewer logs, specifically focusing on the Application and System logs around the time of the crash, can provide critical insights. Error messages or warnings preceding the crash are often indicative of underlying issues.
  • SMS_EXECUTIVE Logs: The Configuration Manager logs, particularly those related to SMS_EXECUTIVE, should be scrutinized for any unusual entries or error codes that could point towards the cause of the crash.

2. Configuration and Environment Review

  • Recent Changes: Any recent changes made to the system or the Configuration Manager settings could be a contributing factor. This includes updates, patches, or modifications in the configuration.
  • System Resources: Insufficient system resources, such as memory or CPU, can lead to service instability. Monitoring resource usage patterns around the time of the crash is crucial.
  • Network and Connectivity Issues: Network problems or connectivity interruptions can impact the functionality of the SMS_EXECUTIVE service, especially if it relies on remote components or databases.

3. Component Dependencies and Interactions

  • Dependent Services: Understanding the dependencies of the SMS_EXECUTIVE service, such as other Configuration Manager components or Windows services, is vital. If a dependent service is failing or unstable, it can cascade to the SMS_EXECUTIVE service.
  • Inter-Service Communication: Analyzing how SMS_EXECUTIVE interacts with other services and components within the Configuration Manager ecosystem can reveal potential points of failure.

4. Software Updates and Compatibility

  • Update History: Reviewing the history of updates applied to the Configuration Manager and the underlying operating system can help identify if a recent update might be causing compatibility issues.
  • Third-Party Software: The presence of third-party software or add-ons, particularly those that interface with the Configuration Manager, should be evaluated for compatibility and stability concerns.

5. Security and Access Control

  • Security Software Interference: Security solutions such as antivirus or firewall settings might be interfering with the operation of the SMS_EXECUTIVE service.
  • Permissions and Access Rights: Ensuring that the SMS_EXECUTIVE service has appropriate permissions to execute its tasks is crucial. Incorrect permissions can lead to service failures.

The specific error recorded in the Windows Event Viewer Application log (source Application Error, event ID 1000):

Faulting application name: smsexec.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409
Fault offset: 0x00007ffa5dc03d86
Faulting process id: 0x530
Faulting application start time: 0x01da4ae272f45384
Faulting application path: F:\Program Files\Microsoft Configuration Manager\bin\X64\smsexec.exe
Faulting module path: unknown
Report Id: 6463f350-fe42-4528-8849-c2489e6d558d
Faulting package full name:
Faulting package-relative application ID:

The issue is caused by UserShadowStack

Exception code 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) with an unknown faulting module is the fail-fast signature Windows produces when a process violates the shadow stack. UserShadowStack is the per-process mitigation behind Hardware-enforced Stack Protection, available in Windows Server 2022 (and Windows 11) on processors that implement Control-flow Enforcement Technology (CET). It is designed to protect against return-oriented programming (ROP) attacks, a common technique for exploiting memory-corruption vulnerabilities.

Understanding UserShadowStack:

  1. Concept of Shadow Stack: At its core, UserShadowStack implements a ‘shadow stack’, which is a secondary, protected stack that keeps track of the intended return addresses for each function call in a program. When a function is called, its return address is stored both on the regular stack and the shadow stack. When the function returns, the return address from the regular stack is compared with the one in the shadow stack. If they match, the program continues as normal; if not, it indicates potential tampering, likely due to an attempted ROP attack, and the system can take appropriate action, such as terminating the process.
  2. Protection Mechanism: By ensuring the integrity of return addresses, UserShadowStack helps prevent attackers from hijacking the control flow of a program, which is a common technique in many sophisticated cyber attacks.

UserShadowStack in the Context of Hyper-V on Windows Server 2022:

Hyper-V is Microsoft’s hardware virtualization product, allowing users to create and run virtual machines. Each virtual machine runs its own operating system and is isolated from the host system. The shadow stack is a CPU feature, so a guest can enforce it only when the hypervisor exposes CET to the virtual processor, which is what allowed the crash on the Hyper-V guest described here. In that context, UserShadowStack behaves as follows:

  1. Enhanced Security for Virtual Machines: processes inside the VM that opt in to the mitigation (or are opted in by policy) get return-address validation and are protected from ROP attacks. This matters because virtual machines often run critical or sensitive applications.
  2. Isolation and Containment: the isolation between VMs and the host comes from Hyper-V itself. UserShadowStack adds a second layer of defence inside each VM, reducing the chance that an exploit succeeds in the first place.
  3. Compatibility: most applications run unchanged, but code that manipulates the stack in unconventional ways, for example by switching stacks or unwinding it by hand, fails the return-address check and is terminated with 0xc0000409. smsexec.exe on this Windows Server 2022 Hyper-V guest is such a case.

In summary, UserShadowStack in Windows Server 2022 provides a robust mechanism to thwart ROP attacks by validating return addresses, and inside a Hyper-V guest that exposes CET it protects the guest’s processes as well. The cost is that an incompatible application crashes rather than running unprotected, which is exactly what happened to SMS_EXECUTIVE here.

Run the following command in an elevated PowerShell prompt on the site server, then start the service again: Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack
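Before applying the workaround, it is worth confirming that the terminations really carry the fail-fast signature above, and then scoping the exemption to smsexec.exe alone. The following is an added example, not from the original post; it assumes an elevated PowerShell session on the site server and uses only built-in cmdlets (Get-WinEvent, the ProcessMitigations module, Restart-Service).

```powershell
# Added example: confirm the crash signature, then exempt only smsexec.exe from the user-mode
# shadow stack. Assumes an elevated PowerShell session on the Configuration Manager site server.
#Requires -RunAsAdministrator

function Get-SmsExecShadowStackCrash {
    # 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) is the fail-fast code raised when a return address
    # does not match the shadow stack; pair it with the faulting image to avoid false matches.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } -MaxEvents 200 |
        Where-Object { $_.Message -match 'smsexec\.exe' -and $_.Message -match '0xc0000409' } |
        Select-Object TimeCreated,
            @{ n = 'ExceptionCode'; e = { if ($_.Message -match 'Exception code: (0x[0-9a-fA-F]+)') { $Matches[1] } } }
}

# 1. Evidence: recent smsexec.exe fail-fast terminations
Get-SmsExecShadowStackCrash

# 2. Mitigation state before the change (UserShadowStack shows ON, OFF or NOTSET)
(Get-ProcessMitigation -Name smsexec.exe).UserShadowStack

# 3. Scope the exemption to the one executable. Do NOT use -System here: that would switch the
#    protection off for every process on the host.
Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack

# 4. The override is stored under Image File Execution Options and applies to new process instances
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smsexec.exe' |
    Select-Object MitigationOptions, MitigationAuditOptions

# 5. Restart the service and confirm it stays up
Restart-Service -Name SMS_EXECUTIVE
Start-Sleep -Seconds 60
Get-Service -Name SMS_EXECUTIVE | Select-Object Status

# 6. Re-run later; no new rows after the restart means the fail-fast has stopped
Get-SmsExecShadowStackCrash
```

Disabling the mitigation for smsexec.exe removes its ROP protection, so treat this as a workaround until a Configuration Manager build that is compatible with the shadow stack is installed, and then remove the override with Set-ProcessMitigation -Name smsexec.exe -Remove. Never use the -System switch for this problem: it turns the protection off for every process on the server.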

Key Things To Know About Windows Safeguard Holds

Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.

But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.

What are Windows safeguard holds?

By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or roll back. When such an issue is found, Microsoft applies a safeguard hold in the Windows Update service.

Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.

With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.

Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.

Looking at issues

When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But what exactly are these issues? The first type are known issues: problems that manifest after an upgrade and are discovered by Microsoft or reported by clients or partners. An issue only falls under known issues after it has been assessed and confirmed for a specific set of devices.

The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.

Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.

How does it work?

Here are additional aspects to understand when recognizing how Windows safeguard holds work.

Identification of known issues

As one would expect, the process starts with identifying the relevant issues. Microsoft collects feedback about known issues with a Windows update from various channels.

Although there is an internal testing process, Microsoft also relies on feedback from Windows Insiders, clients, and partners. As issues are identified, device-specific criteria are developed and applied to the affected devices as a safeguard hold. These devices are no longer offered the update until a fix is found and implemented.

Identification of likely issues

For the safeguarding of likely issues, Microsoft can use data obtained from millions of devices each day. These are devices, unmanaged by IT, that install the upgrade from Windows Update.

All the diagnostic data Microsoft has from these millions of client devices feeds into the machine learning system, which automatically identifies patterns associated with update-related disruptions. All data usage follows Microsoft’s privacy policy.

Safeguarding of devices

The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.

This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:

  • Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
  • In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.

Known and Unknown Issues

In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.

When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:

  • In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
  • The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.

When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.

So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.

Taking advantage of Windows safeguard holds

Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.

You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.

Pre-requisites

Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:

Something you need to be aware of is that safeguard holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment gets the best user experience, so opting out or updating manually is not recommended. However, in strict IT environments and for validation purposes you may still do so.

Keep track of safeguard holds reporting

One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.

For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.

How to opt-out

If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:

  • Open the Local Group Policy Editor (gpedit.msc).
  • In the left pane, navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update.
  • In the right pane, double-click Disable safeguards for Feature Updates and set it to Enabled.
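For scripted validation rings, the same opt-out can be set without the Group Policy Editor: the policy above writes the DisableWUfBSafeguards value under the WindowsUpdate policy key. The following is an added example, not from the original post or from Microsoft’s documentation, that reads, sets, and clears that value with a dry-run option; it assumes an elevated PowerShell session on the device.

```powershell
# Added example: registry equivalent of the 'Disable safeguards for Feature Updates' policy.
# The policy maps to DisableWUfBSafeguards (DWORD 1) under the WindowsUpdate policy key.
# Assumes an elevated session; the function names are this example's own.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName = 'DisableWUfBSafeguards'

function Get-SafeguardHoldOptOut {
    # $true when the device has opted out of safeguard holds, $false when holds apply (the default)
    $v = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.$ValueName -eq 1)
}

function Set-SafeguardHoldOptOut {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$OptOut)

    if ($OptOut) {
        # Weak setting: the device will be offered feature updates despite a known or likely issue
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Opt out of safeguard holds ($ValueName = 1)")) {
            New-Item -Path $PolicyKey -Force | Out-Null
            Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
        }
    }
    else {
        # Default: remove the override so Windows Update applies holds again
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Remove $ValueName so safeguard holds apply")) {
            Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

# Usage: inspect, opt out for one validation run only, then restore the default
Get-SafeguardHoldOptOut
Set-SafeguardHoldOptOut -OptOut $true -WhatIf     # dry run shows what would change
Set-SafeguardHoldOptOut -OptOut $true
# ... install and validate the feature update on the test device ...
Set-SafeguardHoldOptOut -OptOut $false
Get-SafeguardHoldOptOut                            # expect $false again
```

In Intune the same setting is the Update/DisableWUfBSafeguards policy CSP. Safeguard holds only apply to devices that take updates from Windows Update, so the setting has no effect on WSUS or Configuration Manager clients, and even on a device that opts out, Windows reapplies the hold once the update completes, as the post notes below.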

Microsoft recommendations

Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.

So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.

There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.

As mentioned previously, this is still only recommended in controlled IT environments and for validation purposes. Furthermore, be aware that the opt-out is temporary and lasts only as long as it takes to complete the update; as soon as that is done, the safeguard hold is automatically reapplied.

Wrap up about Windows safeguard holds

Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.

That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.

In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.

Run Legacy Applications with Ease using Windows 365

Businesses tend not to want to implement too many changes to the way they do things when they are already doing very well. As such, this can pose a major stumbling block to the adoption of new products and services.

Migrating to the cloud is something that raises several concerns for businesses. So Windows 365 wants to offer a secure and reliable experience that can alleviate those concerns. It is an easy-to-use virtual desktop environment that also supports legacy applications ensuring that you won’t need to make changes that you are unwilling to make.

You can continue running your preferred applications without worrying about compatibility issues. With that in mind, let’s go over some of those legacy application support features.

Legacy Application Support Features of Windows 365

To allow businesses to use the legacy applications that have been most effective for them, Windows 365 provides users with several legacy application support features. Below are some of these key features:

Compatibility with Older Operating Systems

Newer and more advanced products and services can have significant benefits for most businesses. However, many are not always open to change for plenty of reasons. The potential cost of implementing new systems is one of the main reasons why companies may be hesitant.

But Windows 365 is built to try and reduce IT expenditure by offering features such as compatibility with older operating systems. This means that your business can continue to use the software programs that you are comfortable with and that bring the most productivity.

Additionally, you don’t need to worry about the time that may be required to train your staff to use new applications. So, what Windows 365 can then offer you are all the benefits of running your desktops on the cloud. And you can do so without completely overhauling everything you currently use.

Another great thing about the compatibility feature is how it means that already overloaded IT departments will not have to deal with additional tasks. Once Cloud PCs have been set up, employees will have available to them the software programs they are familiar with so work can continue as normal.

Integration with Existing Infrastructure

As well as providing compatibility for applications that were running on older operating systems, Windows 365 also seamlessly integrates with existing infrastructure. The benefit of this is that you can continue with some of your legacy applications, without losing access to some of the more modern ones, as well.

As a result, you get the software programs you want and simultaneously benefit from the features of newer applications. Needless to say, the potential of such a setup is not only immense but very cost-effective.

Employees don’t need to have multiple devices running different operating systems to have all the applications they need. Even more importantly, however, this integration allows businesses that want to switch to newer applications to have sufficient time to make the transition.

Cloud PC users can use the software programs that they are familiar with while simultaneously learning about the newer versions. This will provide businesses with considerable flexibility to make gradual changes as they update their virtual desktop environment.

Compatibility with Older Hardware

Hardware limitations can be a massive factor that hinders businesses from migrating to the cloud. So, in some cases, if employees don’t have the latest, most powerful devices, they may not be able to use certain products and services. With Windows 365, this is not an issue because there is support for multiple devices and operating systems.

Consequently, Cloud PC users can stick with their current devices whenever they want to access their virtual desktops. They don’t necessarily need to worry about the specifications of their devices or the operating systems they are running.

As long as the device has either the Microsoft Remote Desktop app or an HTML5-capable browser to access the web, you can access your Cloud PC with no problems. Although Microsoft does clarify that Windows devices will provide the best experience, clients remain free to choose a platform of their choice.

Accordingly, businesses can immediately start preparing to set up their Windows 365 environment. And they can do so without the added concern about first furnishing employees with new devices. Undoubtedly this is something that has been designed to perfectly illustrate how easy using Windows 365 is meant to be.

Support for Multiple Environments

At this point, it’s becoming pretty clear that compatibility is a major focus for Windows 365. Along with older operating systems and hardware, clients also get support for multiple environments. Naturally, you can expect a lot of businesses to have different setups that are tailored to their unique needs.

Therefore, it really should come as no surprise that Windows 365 supports various environments, including cloud, on-premises, and hybrid setups. This gives your business the flexibility to design a virtual desktop environment that can adequately meet the needs of your operations.

Something like a hybrid setup can be hugely beneficial to businesses that are not willing as yet to migrate their entire environment to the cloud. It gives you the time to assess whether or not full cloud migration is the right thing for you. In addition to these different environments, Windows 365 is also compatible with multiple operating systems. It works with Windows, macOS, iOS, and Android, among others.

It’s for this reason that most businesses can have access to the Windows 365 environment. Limitations are relatively few concerning the platforms that you may want to use. And there is great flexibility in how you operate.

Benefits of Windows 365’s Legacy Application Support

The features that we have discussed above have plenty of benefits that businesses can get concerning legacy application support. Some of these benefits are given below.

Cost Savings

Unquestionably, one of the biggest advantages that come with using Windows 365, is the potential to cut down on IT expenditure. From the get-go, Microsoft presents Windows 365 as a virtual desktop environment that you can set up on your own without additional IT personnel. This reduces the costs that you face when setting up your employees with Cloud PCs.

Also, maintaining the environment and handling any of the tasks will be easy enough for your in-house IT department. This means less time wasted waiting for IT support services, thus potentially increasing productivity.

Features like compatibility with older operating systems are also going to minimize your costs by eliminating the need to immediately change your OS. And the same thing will apply to the devices that Cloud PC users can utilize to access their virtual desktops.

As long as you have the appropriate application or browser, you can easily access your Cloud PC on your device of choice. Because employees can use any of the devices they already have, this can go a long way in reducing the cost of purchasing devices for new employees or refreshing devices now and again.

Improved Compatibility

Microsoft wants Windows 365 to be a solution that can assure clients they’re getting a product that fits seamlessly with their existing infrastructure. Businesses can leverage all the best that the Cloud PC has to offer without having to completely do away with the systems that have brought them this far.

It’s for this reason that Windows 365 provides compatibility on several different levels to address the concerns that you may currently have. And this helps provide employees with an easier transition to the new infrastructure.

So, whether you’re looking at hardware or software, Windows 365 gives you a level of compatibility that caters to your goals. You can get to have the Windows 365 experience with your Windows, Apple, or Android devices, among many others.

This is something that can be an excellent tool in enhancing how employees work and how IT departments increase efficiency. Additionally, businesses can expect to see fewer downtime issues from problems that may otherwise arise from compatibility challenges.

Greater Flexibility

In the same way that Windows 365’s legacy application support features can help you reduce IT expenditure, they will also improve flexibility. And this is vitally important considering how remote work and distributed workforces have become integral to the operations of a lot of businesses.

Many now want to have the flexible working conditions that they are now accustomed to as a permanent solution. Hence the need for platforms like Windows 365 that enable you to easily run legacy applications using your current devices.

Coupled with what employees stand to gain, the business as a whole has the flexibility to choose what devices or operating systems are best for improving efficiency. Windows 365 does not have stringent restrictions concerning which devices or operating systems you can use. So, you can choose the best devices on the market to suit the needs of your business. And you’ll be able to use them to access your virtual desktops without any problems.

Enhanced Productivity

Cloud computing presents businesses with a solution that aims to help improve productivity. With Windows 365, you are getting virtual desktops that are easily accessible from remote locations and facilitate collaboration among colleagues.

This means that employees can work from anywhere, making sure that projects are completed on time, even with people collaborating from different countries. Because of the support for multiple environments, operating in this manner becomes very easy to achieve. Not only that, but Windows 365 ensures that all communication and collaboration are extremely secure.

Something else that will help enhance productivity is the fact that Windows 365 can integrate with your existing infrastructure. Doing so enables you to adopt this solution without it costing you unacceptable amounts of downtime that could be used more productively. And we can say the same thing about the compatibility with older hardware.

Cloud PCs are easy to set up and deploy so that work continues seamlessly while simultaneously increasing efficiency. Furthermore, these features also help your business to swiftly adapt to any changes in the market. The regular updates that Windows 365 receives are perfect for ensuring that you always have the best features to potentially give you an edge over other businesses.

Increased Security

Most people will agree that plenty of businesses are reluctant to make the migration to the cloud because of a lack of trust in the security measures. There is a tendency to want to keep all data in-house so that it is kept secure.

And this is precisely why Windows 365 utilizes industry-leading security measures to keep clients’ data as secure as possible. Alongside the support for multiple platforms, Windows 365 receives regular updates and security patches to maintain high levels of security.

And this, in turn, allows you to run your legacy applications easily with minimal concern about your data being compromised. Moreover, Windows 365 has several redundancies in the system. These ensure that regardless of what disaster you may encounter, your data should remain secure and accessible. Therefore, whether employees are in the office or working from remote locations, you can conduct business operations reliably and securely.

Conclusion

Arguably one of the biggest things that service providers would want to offer clients is a solution that can improve the ease of doing business. It’s these kinds of considerations that have brought about the legacy application support features that Windows 365 offers. They aim to improve accessibility and flexibility for businesses by enabling support for older software run on modern hardware without compatibility issues.

Because of this level of support as well as integration with existing infrastructure, businesses can boost productivity, improve security and efficiency, as well as minimize expenditure. All of these benefits should provide you with more than enough reason to think about making the migration to the cloud.

Microsoft Intune – A Comprehensive Design Guide

So much technological innovation is going on all around us that it can at times be overwhelming to keep up with everything. And mobile device management solutions are no different. Which of the solutions do you pick to ensure that your organization is using the best management solution? Difficult to say.

In fact, plenty of organizations opt for using multiple device management solutions at the same time. Although there may be advantages to that, finding a single comprehensive solution that provides everything you need in one package offers greater convenience. This is why I’ve decided to write this guide on Microsoft Intune, a solution that can optimize your IT operations to perform at unprecedented levels.

Before you begin

In the first blog of this Microsoft Intune series, I looked at the different stages of planning that you’ll have to go through if you want to have a seamless adoption of Microsoft Intune in your organization. As one would expect, adopting any new technology will bring with it a few teething problems hence the need for a plan that covers as many potential scenarios as possible.

Getting started

Some of the key areas of consideration include:

  • Have your goals clearly itemized. This includes concerns about data security, device protection, access to organizational resources, and other objectives.
  • Create a complete inventory of all the devices in your organization that will have access to company resources. This includes both organization-owned and personal devices, as well as information about the platforms they are running.
  • Look at all potential costs and licensing. There will probably be some additional services and programs that you’ll need, so all of these will need consideration.
  • Review the existing policies and infrastructure that your organization relies on. All of these will require reviewing when thinking of moving to Intune, because you may need to develop some new policies.
  • With the above in place, determine a rollout plan that has pre-defined objectives and can ensure that the rollout proceeds as smoothly as possible.
  • As you introduce Intune to your organization, don’t ignore the value of communicating with your users. People in your organization need to understand what Intune is, what value it will bring to your organization, and what they should expect.
  • Lastly, fully equip your IT support and helpdesk staff. You can do this by involving them in the adoption process from the early stages, which enables them to learn more about Intune and gain invaluable experience. With the skills they acquire, they’ll be able to play important roles in the full rollout of Microsoft Intune and help swiftly address any issues that arise.

Design creation

After you go through your planning phase, you can start to look at creating a specific design for your organization’s Microsoft Intune setup. Coming up with a design will require you to review all the information already collected throughout the planning phase.

This is going to allow you to put together information on your existing environment. This includes the Intune deployment options, the identity requirements for external dependencies, the various device platform considerations, as well as the delivery requirements. One of the great things about Microsoft Intune is that you don’t need to worry about significant on-premises requirements to use the service.

However, having a design plan is still a good idea because it allows you to have a clear outline of the objectives that you want to achieve so that you can be certain about choosing the management solution.

Assessing your current environment

A logical place for you to begin your planning is with your current environment. Having a record of this environment can help to further clarify where you currently are and what the ultimate vision is. This record can also serve you well during the implementation and testing phases. There you can make numerous changes to the design.

Recording the environment

There are several methods for recording your existing environment such as:

  • Identity in the cloud – note whether your environment is federated, whether multi-factor authentication (MFA) is enabled, and whether you use Azure AD Connect or DirSync.
  • Email environment – record what email platform you currently use and whether it is on-premises or in the cloud. If you’re using Exchange, for instance, are there any plans for migrating to the cloud?
  • Mobile device management solutions – go over all the mobile device management (MDM) solutions currently in use and the platforms they support. It’s also important to note which solutions you’re using for corporate and for BYOD use-case scenarios. Additionally, it’s useful to have a record of who in your organization is using these solutions, their groups, and even their usage patterns.
  • Certificate solution – note whether or not you have implemented a certificate solution, including the certificate type.
  • Systems management – keep a detailed record of how you manage your PCs and servers. This means noting which management platform you are using, whether it’s Microsoft Endpoint Configuration Manager or some other third-party solution.
  • VPN solution – note what you’re currently using as your VPN solution of choice, and whether you’re using it for both personal devices and organization-issued devices.

Note to consider

In addition to having a detailed record of your current environment, it’s also important not to forget any other plans in the works or on the docket for implementation, especially if they could affect what you have already noted down in the record of your environment. For instance, your record could show that multi-factor authentication is off, but you could be planning to turn it on in the near future, so you’ll want to highlight this coming change.

Intune tenant location

The location where your tenant will reside is extremely important to decide before making the decision to subscribe to Microsoft Intune. And this is especially so for organizations that operate across different continents. The reason why it’s so important to carefully think this through, is that you’ll need to choose the country/region when you are signing up for Intune for the first time. After you have made your selection, you won’t have the option to change your decision later on. The regions that are currently available for selection include North America, Europe, the Middle East, Africa, as well as Asia and Pacific.  

External dependencies

When we talk about external dependencies, we are referring to products and services that are not part of the Intune package but may be prerequisites for using Intune. In addition, they could also be elements that integrate with Intune. Given how integral external dependencies may be to your use of Intune, you’ll need a comprehensive list of all requirements for these products and services, together with the instructions for their configuration.

Below we’ll look at some of the more common examples of external dependencies that you will encounter:

Identity

Simply put, identity gives us the element through which we can recognize all the various users that belong to your organization as well as those enrolling devices. If you want to use Intune then you’ll need to be using Azure AD as your user identity provider. This comes with several advantages. One such benefit is enabling IT admins to enhance organizational security by controlling access to apps and app resources. Therefore, it’s easier to meet your access governance requirements. App developers will also benefit from the ability to leverage Azure AD APIs for creating personalized experiences using organizational data.

For those that are already using Azure AD, you’ll get the added convenience of continuing with the current identity that you have in the cloud. Not only that, but you also get the added benefit of Azure AD Connect. This happens to be the ideal solution for synchronizing your on-prem user identities with Microsoft cloud services. For organizations that already have an Office 365 subscription, the best scenario would be to ensure that Intune also uses the same Azure AD environment.

User and device groups

These groups play an important role as they are responsible for defining who exactly the target of a deployment will be. This will also include profiles, apps, and policies. It’s therefore important to come up with the user and device groups that your organization will need. And the best way to go about this may be for you to start by creating these groups in the on-premises Active Directory. And then once you have done this you can proceed to synchronize to Azure AD.

Public key infrastructure (PKI)

The role of PKI is to provide users or devices with certificates that enable secure authentication to various services. So, when considering adopting Microsoft Intune, you should be aware that it supports a Microsoft PKI infrastructure. Mobile devices can be issued device and user certificates, so you can meet all certificate-based authentication requirements. However, before you proceed with the use of certificates, you’ll need to verify a few things first:

  • Check whether or not you even need the certificates.
  • Check whether the network infrastructure supports certificate-based authentication.
  • Lastly, verify whether there are any certificates already in use in the existing environment.

Some organizations may need to use these certificates with VPN, Wi-Fi, or email profiles in Intune. To do that, you first need to check that you have a supported PKI infrastructure in place, ready for the creation and deployment of certificate profiles. Furthermore, when using SCEP certificate profiles, you have to decide how to host the Network Device Enrollment Service (NDES) feature and how the communication it depends on will be carried out.

Pre-requisites for devices

As you proceed with your design plan for Microsoft Intune, you’ll also need to turn your focus over to devices and the requirements. Expectedly, as with any management solution, there will be devices to consider. But there will also be platform considerations that will determine suitability for Intune management.

Device platforms and Microsoft Intune

One of the most important parts of the design plan is to consider the device platforms that will be supported by your chosen management solution. Therefore, before making the final decision about whether or not to go with Intune, you should create a complete inventory of the devices that will be in your environment, then cross-check whether Intune supports them.

Understanding systems

The supported configurations are listed below (operating systems covered: Android, iOS/iPadOS, Linux, macOS, Windows, and Chrome OS).

  • Apple – Apple iOS 14.0 and later; Apple iPadOS 14.0 and later; macOS 11.0 and later. Note: for device enrollment scenarios and app configuration delivered via Managed devices app configuration policies, Intune requires iOS 14.x or later. The same requirement applies to Intune app protection policies and app configuration.
  • Android – Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher; see its requirements); Android Enterprise (see its requirements); Android Open Source Project (AOSP) supported devices: RealWear devices (firmware 11.2 or later) and HTC Vive Focus 3. Note: for device enrollment scenarios and app configuration delivered via Managed devices app configuration policies, Intune requires Android 8.x or later; Microsoft Teams Android devices remain supported, so this requirement does not apply to them. For Intune app protection policies and app configuration delivered via Managed devices app configuration policies, the requirement is Android 9.0 or higher.
  • Linux – Ubuntu Desktop 22.04.1 LTS with a GNOME graphical desktop environment; Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment. Note: Ubuntu Desktop already ships with the GNOME graphical desktop environment installed.
  • Microsoft – Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions); Windows 10/11 Cloud PCs on Windows 365; Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions); Windows 10 version 1709 (RS3) and later; Windows 8.1 RT and PCs running Windows 8.1 (sustaining mode); Windows Holographic for Business; Surface Hub; Windows 10 Teams (Surface Hub). Note: Microsoft Endpoint Manager can still be used to manage devices running Windows 11 in the same way as Windows 10; unless explicitly stated otherwise, assume that feature support that mentions only Windows 10 also extends to Windows 11. Also note that not all Windows editions support configuring the available operating system features through MDM.
  • Microsoft Intune-supported web browsers – Microsoft Edge (latest version); Safari (latest version, Mac only); Chrome (latest version); Firefox (latest version).

Devices

By using Microsoft Intune, organizations can manage mobile devices more efficiently in a way that can enhance the security of organizational data. This means that the risk of malicious activity is reduced. And users can thus work from a greater number of locations. One of the greatest benefits of device management solutions such as these is that they can be both cost-efficient and convenient. This is because they support a wide variety of device types and platforms.

As a result of this, organizations are less likely to need to invest in new devices. And users can utilize the personal devices they already own in BYOD scenarios. With all this, however, it’s even more important for you to come up with a comprehensive template detailing what device types, OS platforms, and versions you will allow to have access to your organization’s resources.

Device ownership

As already mentioned, Microsoft Intune offers support for a wide variety of devices, and these devices can be either personal or organization-owned. When devices are enrolled via a device enrollment manager or a device enrollment program, they fall under the category of organization-owned devices. So, for instance, all devices that you enroll using the Apple Device Enrollment Program are categorized as organization-owned devices and are added to the device group that receives organizational policies and applications.

Bulk enrollment

When an organization enrolls a large number of devices into Intune, the process is simplified by the availability of a bulk enrollment feature. This feature provides a quick and easy way of setting up a large number of devices for management. Use case examples include setting up devices for large organizations, setting up school computers, and setting up industrial machinery, among others. Intune has different ways to process the bulk enrollment of devices, so you’ll need to determine which method fits best with your Intune design plan.

Design requirements and Microsoft Intune

When making the design considerations, there are specific requirements you’ll need to look at for the Intune environment that you want to establish. There may be instances that require you to make adjustments to the general advice that you get concerning Intune deployment.

It’s essential to ensure that certain capabilities will meet the requirements for the use cases needed for your organization. These features include configuration policies, compliance policies, conditional access, terms and conditions policies, resource profiles, and apps.

Microsoft Intune Configuration policies

You can use configuration policies in Intune to manage both the features and the security settings of devices. It’s important to design configuration policies that follow the configuration requirements for your Intune devices; the information needed to do this is in the use case requirements section, which lets you note the settings and their configurations. You’ll also need to verify which users or device groups each configuration policy applies to. Each device platform that you use will need at least one configuration policy assigned to it, or several whenever the situation calls for it.

Compliance policies and Microsoft Intune

These policies establish whether devices comply with the necessary requirements, which makes determining whether a device is compliant a significantly easier matter for Intune. This is important because it allows devices to be categorized as either compliant or non-compliant, and that status can then determine which devices are given access to the organization’s network and which ones are restricted.

Furthermore, if you intend to use Conditional Access, it will probably be in your best interests to create a device compliance policy. Before you decide on your device compliance policies, you may again want to refer to the use cases and requirements section. This will give you the necessary information about the number of device compliance policies you’ll require and help you decide to which user groups you’ll apply them. Lastly, you need clearly defined rules detailing how long devices are allowed to remain offline before they move to the non-compliant list.

Conditional Access for Microsoft Intune

Conditional Access plays the role of enforcer for your organization’s policies on all devices: if a device fails to comply with your requirements, Conditional Access can block it from accessing organizational resources such as email. With Intune, you’ll also benefit from its integration with Enterprise Mobility + Security, which gives your organization better controls over access to organizational resources. So, your design plan still needs to cover Conditional Access: whether you need it and what you want to secure with it.
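The two sections above describe a chain: a compliance policy marks a device compliant or non-compliant, and a Conditional Access policy acts on that status. The script below is an added example (not the post’s own code and not Microsoft’s reference script) that builds both halves with the Microsoft Graph PowerShell SDK: a Windows compliance policy with a scheduled "block" action and grace period, assigned to a pilot group, followed by a Conditional Access policy in report-only mode that requires a compliant device. The Graph property names are as I know them from the windows10CompliancePolicy and conditionalAccessPolicy schemas; the group id, display names and minimum OS build are placeholders to replace with your own values.

```powershell
# Added example, not the post's own code: create a Windows compliance policy and
# a report-only Conditional Access policy that depends on it, via Microsoft Graph.
# Assumptions: Graph property names as documented for windows10CompliancePolicy
# and conditionalAccessPolicy; group id and names below are placeholders.
Import-Module Microsoft.Graph.DeviceManagement
Import-Module Microsoft.Graph.Identity.SignIns

$PilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: pilot user group

function New-BaselineWindowsCompliancePolicy {
    param([string]$GroupId, [int]$GraceHours = 24)

    $body = @{
        '@odata.type'        = '#microsoft.graph.windows10CompliancePolicy'
        displayName          = 'Baseline - Windows 10/11 (placeholder name)'
        description          = 'BitLocker, Secure Boot, code integrity, minimum OS build'
        bitLockerEnabled     = $true
        secureBootEnabled    = $true
        codeIntegrityEnabled = $true
        osMinimumVersion     = '10.0.19045.0'          # placeholder build
        passwordRequired     = $true
        # Without a scheduled action the policy only reports. "block" marks the
        # device non-compliant after the grace period so Conditional Access can act.
        scheduledActionsForRule = @(
            @{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{
                        actionType                = 'block'
                        gracePeriodHours          = $GraceHours
                        notificationTemplateId    = ''
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    }
    $policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $body

    # Assignment is a separate Graph action on the created policy.
    $assignBody = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        )
    }
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign"
    Invoke-MgGraphRequest -Method POST -Uri $uri -Body $assignBody | Out-Null
    return $policy
}

function New-RequireCompliantDevicePolicy {
    # Report-only first: the sign-in logs then show who would have been blocked,
    # which is the safe way to validate the compliance policy before enforcing.
    param([string]$GroupId)

    $body = @{
        displayName = 'Require compliant device - report only (placeholder name)'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = @{ includeGroups = @($GroupId) }
            applications = @{ includeApplications = @('All') }
            platforms    = @{ includePlatforms = @('windows') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
$compliance = New-BaselineWindowsCompliancePolicy -GroupId $PilotGroupId
$ca         = New-RequireCompliantDevicePolicy -GroupId $PilotGroupId
'Compliance policy {0} created; Conditional Access policy {1} is in state {2}' -f $compliance.Id, $ca.Id, $ca.State
```

Keep the Conditional Access policy in report-only state until the compliance report for the pilot group looks right; switching state to enabled is the last step, not the first. The offline threshold the post mentions (how long a device may stay silent before it is treated as non-compliant) is, to my knowledge, a tenant-wide compliance setting rather than a property of the policy body, so it is left out of the script above.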

Terms and conditions

Terms and conditions are essential for determining your organization’s requirements for any users that want access to the network. This is especially important in BYOD scenarios where some users may not be willing to meet those conditions. So, by establishing terms and conditions, your organization can give users an ultimatum if they want to access the organization’s resources. With Intune, you also get the option to add and deploy several terms and conditions to your user groups.

Profiles

Profiles play a key role by enabling the end user to connect to company data. To cater to the multiple scenarios that your organization may encounter, Intune provides several types of profiles. The information that you need, concerning the timeline for the configuration of the profiles, is obtainable by going through the section on use cases and requirements. Planning is easier because you’ll find all the device profiles grouped according to platform type. Profile types that you need to know about include email profiles, certificate profiles, VPN profiles, and Wi-Fi profiles.

Email profile

Email profiles provide several capabilities, including reducing the workload of support staff and giving end users access to company email on their personal devices. Email clients are set up automatically with connection information and email configuration, without users having to perform any setup tasks, which ultimately improves consistency. However, not all email profiles are supported on all devices.

Certificate profiles

Certificate profiles are the elements that enable Microsoft Intune to provide certificates to users or devices. The certificates that Intune supports include Trusted Root Certificate, PFX certificate, and Simple Certificate Enrollment Protocol (SCEP). For SCEP, all users who will receive it are going to need a trusted root certificate. This is because the latter is a requirement for SCEP certificate profiles. So, before you proceed make sure to have a clear idea of the SCEP certificate templates that you’d like to use. Your design plan should include a record of the user groups that require certificates. It should also include the number of certificate profiles needed, and to which user groups they’ll be targeted.

VPN profiles

Virtual private networks enable internet users to have secure access from almost any location across the globe. And using VPN profiles achieves the same thing for your organization’s users. They will be able to have secure access to the organization’s networks even from remote locations. Furthermore, Intune widens the options available to you by supporting VPN profiles from native mobile VPN connections and third-party vendors.

WiFi profiles

Wi-Fi profiles are important tools that enable your mobile devices to automatically connect to wireless networks. Using Intune, you can deploy Wi-Fi profiles to the various supported platforms. The device platforms that Wi-Fi profiles support include Android 5 and newer, Android Enterprise and kiosk, Android (AOSP), iOS 11.0 and newer, iPadOS 13.0 and newer, macOS X 10.12 and newer, Windows 11, Windows 10, and Windows Holographic for Business.

Microsoft Intune Apps

When using Intune, you’ll have the option to deliver apps to users or devices using any number of different ways. The apps that you can deliver cover a wide range including apps from public app stores, managed iOS apps, software installer apps, as well as external links. Moreover, this capability extends beyond individual app deployments. You’ll also be able to manage and deploy volume-purchased apps that you may have obtained from volume-purchase programs for both Windows and iOS.

App type requirements

Your design plan needs to include clear details regarding the types of apps that you will allow Intune to manage. This is especially necessary when you consider how apps deploy to users and devices. Information that you should consider for your criteria includes whether or not these apps will require integration with cloud services as well as the deployment measures you’d like to use.

You also need to decide whether you’ll make these apps available to employees using their personal devices and whether users will need internet access to use the apps. Additionally, you need to verify whether your organization’s partners will require you to provide them with Software-as-a-Service (SaaS) app data. Lastly, you need to check the availability of these apps to see whether they are available publicly in app stores or are custom line-of-business apps.

App protection policies

These policies are intended to safeguard your organization’s data by keeping it secure or contained in a managed app. Generally, these policies are rules that come into play when users try to access or move your organization’s data. These rules may also be enforced when users try to engage in actions that are prohibited or monitored while they are inside the app.

Therefore, you can reduce the risk of data loss because of how apps are set up to manage organizational data. Any app that can function with mobile app management will receive app protection policy support from Intune. It will be up to the organization and the team of admins to determine what restrictions you’d like to place on your organization’s data within certain apps.

Setting up Microsoft Intune

When you have your design plan in place, then you can begin looking at setting up Microsoft Intune for your environment. To do that, there will be a few things that you need to consider.

Requirements for Microsoft Intune

The first thing you need to have is an Intune subscription and the license for this is offered as a stand-alone Azure service. It is a part of Enterprise Mobility + Security (EMS) and is included with Microsoft 365. From your design plan, you’ll have a better idea of what the goals of your organization are and you may end up choosing Microsoft 365 because it comes with all of Microsoft Intune, EMS, and Office 365 apps.

Current status

If your organization isn’t currently using any MDM or MAM solution, then Intune is probably the best choice for you, especially if a cloud solution is what you want; you’ll also benefit from features like Windows Update, configuration, compliance, and app features in Intune.

You can add Endpoint Manager admin center as well to the list of benefits that will be availed to you. Something that does need to be mentioned is that organizations that use more than one device management solution should consider using only a single one.

And if you’ve been using MDM providers such as MobileIron, Workspace ONE, and MaaS360 you’ll still have the option to move to Intune. This will come with a significant inconvenience, however, because before users can enroll their devices in Intune, they will have to unenroll their devices from the current management platform.

Before you make the move to Intune, you’ll need to note in your design plan all the tasks you’ve been running and the features you need so that you know how to proceed with setting up Intune. Unenrolling devices from your current MDM solution not only presents a challenge but makes devices temporarily vulnerable.

This is because while they are in that unenrolled state, they stop receiving all your policies thus security is compromised. By using conditional access, you can block unenrolled devices until they complete their enrollment in Intune.

You should plan to implement your deployment in phases that start with small pilot groups so that you can monitor the success of your approach. If all goes well you can then proceed with a full-scale deployment. Furthermore, those who currently use Configuration Manager and would like to move to Intune can use the options below:

Add tenant attach

This option offers you the simplest way to integrate Intune with your on-prem Configuration Manager setup. By leveraging this option, you can upload your Configuration Manager devices to your organization in Intune. And then once your devices are attached, you’ll be able to use Microsoft Endpoint Manager admin center to run remote actions including user policy and sync machine.

Set up co-management

With this option, Intune will be used for some workloads and Configuration Manager for others. You need to first navigate to Configuration Manager and then set up co-management. And then you proceed to deploy Intune and that also includes setting the MDM Authority to Intune. Once all this is done, devices will now be ready to be enrolled and receive the necessary policies.

Moving to Microsoft Intune from Configuration Manager

This may not happen often because Configuration Manager users tend to want to stay on this platform. However, making the move is possible if you decide that a 100% cloud solution is what you are looking for. You’ll need to first register existing on-prem Active Directory Windows client devices as devices in Azure AD. Then, you proceed to move your existing on-prem Configuration Manager workloads to Intune. Using this method provides a more seamless experience for existing Windows client devices, but the downside is that it will be more labor-intensive for your admins.

And if we’re looking at new Windows client devices then you would be better off starting from scratch with Microsoft 365 and Intune:

  • Start by setting up hybrid Active Directory and Azure AD for the devices. Devices that are Hybrid Azure AD joined will be joined to your on-prem Active Directory as well as registered with your Azure AD. Having devices in Intune helps to safeguard your organization from malicious activity because these devices can receive your Intune-created policies and profiles.
  • Go to Configuration Manager and set up co-management.
  • Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
  • You’ll also need to shift all workloads from Configuration Manager to Intune in the Configuration Manager section.
  • With all this done, you can go ahead and uninstall the Configuration Manager client on the concerned devices. This is something that can be done by creating an Intune app configuration policy that can perform the uninstallation once Intune has been set up.
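The last step above, and the client removal step under “Start from scratch” below, both end with the Configuration Manager client being uninstalled from devices that Intune now manages. As an added example that is not from the original post, the following script is meant to be assigned from Intune as a PowerShell script (run as SYSTEM in 64-bit PowerShell) only to devices whose workloads have already moved; it refuses to run on a device that is not enrolled in Intune, so no device is left without a management channel. The log path and the 15-minute timeout are placeholders.

```powershell
# Added example, not from the original post. Intended to be assigned as an Intune PowerShell
# script (run in 64-bit PowerShell as SYSTEM) to the devices whose workloads already moved
# to Intune. Log path and the 15-minute timeout are placeholders.
$CcmSetup = Join-Path $env:WINDIR 'ccmsetup\ccmsetup.exe'
$LogFile  = Join-Path $env:ProgramData 'IntuneMigration\ccm-uninstall.log'   # placeholder
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

function Write-Log([string]$Message) {
    '{0:u}  {1}' -f (Get-Date), $Message | Tee-Object -FilePath $LogFile -Append
}

# Guard: only remove the CM client when the device is enrolled with Intune, so it keeps
# receiving policy. Intune enrollments register the provider 'MS DM Server' under this key.
$IntuneEnrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }
if (-not $IntuneEnrolled) {
    Write-Log 'Device is not enrolled in Intune; leaving the CM client in place'
    exit 1   # non-zero so the Intune script report shows the device as not done
}

if (-not (Test-Path $CcmSetup)) {
    Write-Log 'ccmsetup.exe not found; client already removed'
    exit 0
}

# ccmsetup.exe /uninstall may return before the removal finishes, so poll until the
# ccmsetup process has gone, then confirm the CcmExec service no longer exists.
Write-Log 'Starting Configuration Manager client uninstall'
Start-Process -FilePath $CcmSetup -ArgumentList '/uninstall' | Out-Null
$Deadline = (Get-Date).AddMinutes(15)   # placeholder timeout
do {
    Start-Sleep -Seconds 15
} while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and (Get-Date) -lt $Deadline)

if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    Write-Log 'CcmExec service is still present; uninstall did not complete in time'
    exit 1
}
Write-Log 'Configuration Manager client removed'
exit 0
```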

Start from scratch with Microsoft 365 and Microsoft Intune

You can only use this approach for Windows client devices, so for those Windows Server OSs, Configuration Manager will be the option you have.

  • Deploy Microsoft 365, including creating users and groups.
  • Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
  • The Configuration Manager client will need to be uninstalled on all existing devices.

Microsoft Intune Deployment

The steps to follow for your Microsoft Intune deployment are given below:

  • Navigate to Endpoint Manager admin center and sign up for Intune.
  • Set Intune Standalone as the MDM authority.
  • Next, you need to add your domain account because if you don’t your-domain.onmicrosoft.com is what will be used as the domain.
  • Add users and groups that will receive the policies you create in Intune.
  • Users will then need to be assigned licenses and once that is done, devices can enroll in Intune.
  • The default setting allows all device platforms to enroll in Intune so if there are platforms that you’d like to block you’ll need to create a restriction.
  • You need to customize the Company Portal app so that it has your company details.
  • Come up with your administrative team and assign roles as necessary. 

Windows 365 management and Microsoft Intune

Microsoft Intune not only manages your physical devices but also plays a key role in managing your Windows 365 Cloud PCs. To get started, sign in to the Microsoft Intune admin center, where the landing page for managing your Cloud PCs is the Overview tab. Once signed in, go to Devices > Windows 365 (under Provisioning). In this section, you get a quick overview of the state of your Cloud PCs, including the Provisioning status, which summarizes the state of Cloud PCs in your organization, and the Connection health, which summarizes the health of the Azure network connection in your organization.

All Cloud PCs page

On this page, you’ll find a summary as well as a list view that gives you all the information you need about the status of all the Cloud PCs in your organization. To make the task easier, the list view is refreshed every five minutes and allows you to search, filter, and sort. Additionally, users who have been assigned multiple Windows 365 SKUs are given multiple Cloud PCs, which means that in the All Cloud PCs list view you will see multiple rows dedicated to a single user.

Column details

  • Name: A combination of the assigned provisioning policy and the assigned user’s name provides the name of the Cloud PC.
  • Device name: Windows computer name.
  • Image: Same image used during provisioning.
  • PC type: The user’s assigned Windows 365 SKU.
  • Status: Provisioned: provisioning succeeded and the user can sign in. Provisioning: still in progress. Provisioned with warning: a warning is flagged when a non-critical step in the provisioning process fails. Not provisioned: the user has been assigned a Windows 365 license but not a provisioning policy. Deprovisioning: the Cloud PC is going through active deprovisioning. Failed: provisioning failed. In grace period: users with current Cloud PCs are placed in this state when a license or assignment change occurs for them. Pending: a provisioning request cannot be processed because of a lack of available licenses.
  • User: User assigned to the Cloud PC.
  • Date modified: Time when the last change of state of the Cloud PC occurred.
  • Third-party connector: When you have third-party connectors installed and currently in use on Cloud PCs, the connector provider is displayed as well as the connector status.

Remote management

Your organization can take advantage of the Microsoft 365 admin center to remotely manage your Windows 365 Business Cloud PCs. Several remote actions are available, but to access them you need one of the Azure AD role-based access roles, either Global administrator or Windows 365 administrator. Once you have one of those two roles assigned, you’ll have several methods you can use for Cloud PC management, including:

  • Windows365.microsoft.com
  • Microsoft 365 admin center
  • Microsoft Intune (on condition that you have all the necessary licenses)
  • Microsoft Graph

Cloud PC management design options

When it comes to the design options for Cloud PC management, there will be three options that we are going to look at:

Option 1 (Windows 365 Azure AD Joined + hosted in Microsoft Network)

Microsoft Intune

  • Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Intune)
  • Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
  • Eliminates customer constraints
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably addresses Cloud PC remote management needs

Co-Management

  • This is optional and allows you to bring your on-premises device management solution MECM for Option 1
  • Requires MECM + Cloud Management Gateway
  • Depends on customer device management on-premises environment
  • Some considerations before managing Cloud PCs include: an Azure subscription and on-premises infrastructure, deployment and configuration of a CMG as well as a public SSL certificate for this CMG, enabling Co-Management in Configuration Manager, and more.

Option 2 (Windows 365 Azure AD Joined + hosted in Customer Network)

Microsoft Intune:

  • Cloud PCs are hosted in the Customer Network and managed in the cloud
  • Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
  • Eliminates customer constraints
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably addresses Cloud PC remote management needs

Co-Management

  • This is optional and allows you to bring your on-premises device management solution MECM for Option 2
  • Requires MECM. Cloud Management Gateway is optional
  • Depends on customer device management on-premises environment
  • Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of Intune to deploy the CM client to your Cloud PCs, and enabling Co-Management in Configuration Manager.

Option 3 (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)

Co-management:

  • Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
  • Cloud PCs are enrolled as Hybrid Azure AD joined and managed by Co-Management
  • Requires MECM
  • Depends on customer device management on-premises environment
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably addresses Cloud PC remote management needs
  • Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of MECM to deploy the CM client to your Cloud PCs, and enabling Co-Management in Configuration Manager.

Microsoft Intune

  • This is optional: if you don’t have a MECM environment, you can use Intune as your Cloud PC device management solution for Option 3
  • Some considerations for this option include: configuration of Azure AD Connect for hybrid domain join, Hybrid Azure AD joined Cloud PCs need to be directly attached to an on-premises AD environment, and for device management the Active Directory environment will depend on Group Policy Objects.

Wrap Up About Microsoft Intune

Device and application management can prove to be a very challenging task to get right for a lot of organizations. Finding the right solution that can streamline application use across your organization’s devices without breaking the bank would be a dream for any organization. You also want a platform that can increase the productivity levels of your IT staff by minimizing the complexity of device management and by extension reducing the time spent on device management.

With Microsoft Intune, you can get this and plenty more. This MDM and MAM solution will enhance the security of your organization by establishing strict access protocols for your organization’s resources. This means greater protection at a time when endpoints are increasingly a vulnerable point for malicious attacks. Intune can provide you with peace of mind while providing an effective management platform that can vastly improve the way your organization operates.