One of the best tools that IT professionals can have in their arsenal is a packaging tool. This simplifies their tasks and saves them time. Businesses need to provide their IT teams with comprehensive packaging tools that are easy to deploy and highly compatible.
One such product that has garnered a significant amount of interest is Advanced Installer. What you get with this powerful packaging tool for developers, businesses, and ISVs, among others, is an advanced application packaging software. It simplifies software deployment in a big way.
And before fully committing, organizations can try out the trial version. It comes with full features allowing them to make a more informed decisions. To help you with that task, let’s go over what you have to look forward to with Advanced Installer.
Introduction
As already mentioned, Advanced Installer is a software packaging and deployment tool designed to eliminate the challenges often encountered with packaging and updating software.
Clients get an all-in-one packaging tool that can create, edit, update, and repackage MSI, EXE, App-V, APPX, and MSIX. Because of the user-friendly and intuitive design as well as the plethora of features and capabilities, IT professionals should expect an application that optimizes the packaging process.
Businesses will also appreciate how easy the integration will be. They’ll also enjoy the compatibility that provides support for various platforms and formats. In addition, IT professionals can easily create customizable and visually appealing installers. They can also benefit from the integration of Advanced Installer with popular development tools and environments.
Ultimately, using Advanced Installer gives your organization a product that enables you to build reliable MSI packages. These meet the latest Microsoft Windows logo certification requirements and generally follow the recommended Windows Installer best practices.
Requirements
Before proceeding with the purchase and installation of Advanced Installer, it’s also important to be aware of the specific requirements that the application demands. In the table below, you’ll find both the hardware and software requirements that you need to know.
Hardware
Software
Required minimum: Core 2 class CPU1GB RAM1366 × 768 screen resolution 2GB hard drive space
Advanced Installer IDE – for Advanced Installer to run properly on a system, you will need: Windows 7 or newer. The latest Windows Platform SDK. However, this is optional as it will only be required when building certain types of packages.
What is recommended: i5 class CPU4GB RAM1920 × 1200 screen resolution 10GB hard drive space
Create Install Packages – Advanced Installer produces MSI or EXE install files that are designed to run on: Windows 7 or newer Windows Server 2008 R2 or newer.
Create MSIX Packages – Advanced Installer produces MSIX packages that are designed to run on: Windows 10 version 1507 or newer Windows Server 2016 (Long Term Servicing Channel) or newer.
For Java – Advanced Installer for Java can create install bundles to install Java programs on these versions of MacOS: Mac OS 10.x Power PC Mac OS 10.x Intel.
Windows 10/11 Compatibility – Advanced Installer and the EXE/MSI install packages it generates have been shown to work on Windows 10 and Windows 11.
Latest upgrades
Some new, recently announced updates for Advanced Installer are available. One in particular of great interest is the new nested Context Menus for File Associations in MSIX. The goal of this feature is to give organizations a more organized and efficient user interface. It ultimately streamlines the management of file associations.
As a result of this, you should have improved navigation and better usability. Moreover, clients will now also find a reboot option for NewPrerequisite and UpdatePrerequisite command lines coupled with support for Java versions 19 through 22.
The above improvements combine with new translations for default strings, a refactored build log for improved clarity, and an AppInstaller theme that is now supporting BrowseDlg dialog for a better user experience. More than just the new features, however, Advanced Installer has addressed challenges that clients were facing, including:
Fix EXE icon issue in non-English language projects.
Addressing the problem of the “Install side-by-side” option not always preserved on upgrades.
Fixing the reboot prompt issues during uninstallation.
Resolved the issue that was causing files to be digitally signed twice in an MSIX build.
Address the problem causing the description field to fail to set MSI name in UAC using trusted signing.
Corrected the issue causing the system to not prompt for the certificate password when the entered password was incorrect.
Resolved the problem of scheduled tasks failing if they were scheduled to run at task creation.
Available features
In the table below, you’ll find a few of the wide range of features that Advanced Installer has to offer.
Architect
Enterprise
Professional
Freeware
Repackager – seamlessly capture, customize, and repackage existing installations into MSI packages. Upgrade legacy setups to Windows Installer technology.
Updater – checking for downloads and installation of patches and updates is done automatically.
IIS – Web Sites, Virtual Directories and Web Applications, App-Pools, User Accounts.
MSI – create valid MSI setups for your applications that meet all the written and unwritten Windows Installer rules.
MSI Quick-Edit – enables you to create, transform, or edit existing MSI packages directly from the Advanced Installer GUI.
JSON Files Updates – without writing any code, you can manage JSON files that are part of the installation package or present on the target machine.
Multilingual and Localized – get over 30 translations that are all ready to use, as well as easy to modify and create.
UAC – build installers that will run seamlessly on Windows 10/8.1/8/7/Vista supporting the security model.
MSIX Custom Scripts – use PowerShell scripts to resolve any of the compatibility issues of your application after you create an MSIX.
Installer Continuous Integration – provides built-in support for integration with Azure DevOps, GitHub Actions, Jenkins, TeamCity, and Bamboo.
Themes – also get over 50 built-in beautiful themes to give your installer a professional look.
Imports – bring in relevant imports from Visual Studio, InstallShield LE, Inno Setup, WiX, Eclipse, NSIS, and regular MSI/MSM packages.
MSIX Package Editor – can offer an immediate view of your package content, enabling you to customize anything from Advanced Installer’s user interface.
Dialog Editor – enables you to visually customize existing installer dialogs or create new ones entirely from scratch.
Custom Actions – if you execute your code during installation, you can extend your installer’s capabilities.
32-bit or 64-bit – provides the option to build setups that both run and install on 32-bit processors and/or the latest 64-bit Intel and AMD CPUs.
MSIX Modification Packages – enables you to extend and update your MSIX packages. You’ll also be able to separate your main application package from its updates, thus speeding up Windows 10 updates.
Convert EXE installers to MSIs – an extremely capable wizard that converts any EXE setup into an MSI ready for network deployment through Active Directory.
Native Launcher – create a native launcher for your Java applications and customize the process name, file name, icon, version, splash-screen, JRE/JDK detection and selection, user-friendly error handling.
Side-by-side – if you have different versions of your application and want to not only install them simultaneously but have them running side by side, you can easily create packages for all the different versions.
Package Support Framework – the capabilities of the PSF integration for MSIX packages will allow you to minimize any AppCompat issues without writing any code.
Office Add-ins – leverage the included specialized templates to greatly simplify the creation of installers for popular software platform extensions, plug-ins, and add-ins.
Prerequisites – search for, download, and install prerequisite applications, frameworks, and run-times.
Upgrades – older versions of your product installed on the user’s machine will be detected and upgraded. Additionally, installation over newer ones will be blocked.
Pricing and Licensing
Once you have decided to use Advanced Installer, you can go ahead and start the purchase from the purchase page. For those who may need additional clarification on any issue, they can quickly find assistance with the support team. Once completed, you can start planning to deploy the package you choose on certain machines.
Fortunately, there is no limit to the number of machines you can deploy a package. As long as you have a licensed version of Advanced Installer, you can successfully create an unlimited number of install packages. You can then distribute these packages royalty-free to any number of users
When it comes to the issue of upgrades, you can purchase your subscription/license upgrade from the upgrades page. After upgrading your subscription, you’ll need to log out before logging in again. Once logged into Advanced Installer, you can refresh your subscription details. For clients with perpetual licenses, their license keys won’t change.
All they have to do is run the registration wizard once more in Advanced Installer. You can get access to the features from the new edition to which you upgraded by opening the project in Advanced Installer. In the toolbar, go to Home > Options > Project Type tab, and choose the desired project type.
The table below contains information regarding the pricing structure.
Architect
Enterprise
Professional
Cost
$359 per user per month. The option for a team subscription is available.
$139 per user per month. The option for a team subscription is available.
$39 per user per month. The option for a team subscription is available.
What you get
In addition to everything that Enterprise offers, you will also get Repackager, MSI Quick-Edit, Reports Generator, App-V, MSIX (Re)packaging, MSIX Package Editor, SCCM, and Intune.
In addition to everything you get in Professional, you also get CI/CD Integration, Dialog Editor, Updater, XML Patching, Databases, Trial and Licensing, Merge Modules Authoring, EXE to MSI (wrapper), Automated VM Testing, and Drivers.
The main features available include Trusted Signing Native Integration, Visual Studio Extension, PowerShell Automation, MSIX, Themes, Services, Prerequisites, IIS, .NET, COM, ODBC, Internationalisation, Java Native Launcher, and Installer Analytics.
Registration process
After purchasing Advanced Installer, you can now begin the registration process. However, if you are using the Freeware version, registration is not necessary. Clients that opt for the Professional, Enterprise, and Architect versions will require a valid registration to continue use after the trial period has lapsed. All you need to do is navigate to the File > Help > Register menu.
ONLINE REGISTRATION
If you want to download the license online, then the first thing you’ll need is an internet connection. With that established, Advanced Installer will connect to the appropriate server and download the license file to your device.
REGISTRATION BY EMAIL
In this case, an internet connection is not a requirement for the device in question. Once you have noted your Computer ID, you can email it in using any other device connected to the internet. Coupled with the valid License Key, you should forward these details to support at advancedinstaller.com. You can also expect to receive your response within 48 hours. The response will contain your license file as well as additional instructions.
LICENSE SERVER REGISTRATION
This method of registration by using a license server is only a valid option for owners with floating licenses. You’ll need to verify that your network administrator has correctly installed and configured the License Server. You won’t be able to complete the registration if you don’t have both the server’s host name and the port number.
Wrap up
Organizations are constantly searching for productivity tools that can empower their teams and increase operational efficiency. Tools such as Advanced Installer are ideal in that they can simplify tasks such as packaging and deployment of software. The capabilities of this application will deliver a faster overall process and a seamless installation experience that minimizes headaches. And as we move forward Advanced Installer will only get better as the development team leverages the feedback from clients.
Microsoft has given us countless different products and services over the last few decades. Undoubtedly, we know the important role they have played for individuals and businesses on the journey towards utilizing technology to better our lives. When looking at the Microsoft ecosystem, one of the best examples of undeniable excellence is the Microsoft Intune family of products.
With this product, Microsoft gives you an integrated solution that enables you to seamlessly manage all your devices. Central to this solution is the single console that we know as the Microsoft Intune admin center which brings together Intune and Configuration Manager.
The capabilities of this platform can offer your organization a premium device-management solution like no other. The area that we want to focus on today will have to do with the troubleshooting of tenant attach and device actions.
Comparing Tenant Attach to Co-management
For a lot of people, it may be difficult to distinguish between these two. So, let’s start by looking at where these two options differ. Both of these make up two of the three primary cloud attach features. For a Configuration Manager environment to be cloud-attached, it has to use at least one of the three primary cloud attach features.
Tenant Attach gives you the advantage of having your device records in the cloud as well as the ability to take actions on these devices from the cloud-based console. IT admins can perform remote actions on tenant-attached devices such as sync machine policy, sync user policy, run scripts on clients, deploy applications, and much more.
Furthermore, users will be able to manage endpoint security for the attached devices from the Intune admin center for both Windows Servers and Client devices.
On the other hand, Co-management is going to modify your on-premises Configuration Manager environment without the need for a significant migration effort.
One of the more attractive features of Co-management is how it allows you to easily switch workloads such as compliance policies from SCCM to Intune. By enabling you to manage workloads from the cloud, your organization gets to benefit from a simpler device management experience.
Tenant Attach prerequisites
To make use of Tenant Attach, you will need to meet the following requirements:
When you decide to apply this onboarding change, you’ll need to sign in using an account that is a Global Administrator.
An Azure cloud environment.
With version 2107, United States Government customers will be able to use tenant attach features in the US Government cloud such as account onboarding, tenant sync to Intune, device sync to Intune, and device actions in the Microsoft Intune admin center.
The Azure tenant and the service connection point must have the same geographic location.
To access the Microsoft Intune admin center, there needs to be at least one Intune license for the administrator.
The administration service in Configuration Manager needs to be functional.
If your central administration site has a remote provider, you need to follow the instructions for the CAS has a remote provider scenario in the CMPivot article.
PERMISSIONS
In addition to the above, there will also be a few requirements for the user accounts performing device actions and these include:
The user account should be a synced user object in Microsoft Entra ID (hybrid identity).
The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.
The troubleshooting process
Now and again, all of us will encounter issues with the products and services we use. That’s why it’s important to work with providers that offer great support services so that we avoid downtime. Microsoft puts a lot of effort into ensuring that customers get as much support as they need for the various products in its ecosystem. Understandably, tenant attach is no different.
At this point, most admins should be aware that you can sync Configuration Manager clients to the Microsoft Intune admin center. And from that admin center, some client actions can run on the synchronized clients.
These available actions include the sync user policy, sync machine policy, and app evaluation cycle. After an administrator runs an action from the Microsoft Intune admin center, the notification request will forward to the Configuration Manager site. And from there, it will forward to the client.
LOG FILES
The logs you need to use will be found on the service connection point and these are:
CMGatewaySyncUploadWorker.log
CMGatewayNotificationWorker.log
You should also use the logs located on the management point:
BgbServer.log
Lastly, there are other logs that will be found on the client:
CcmNotificationAgent.log
Review your upload
You’ll need to follow the steps given below:
Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
You will see the next sync time recorded in a log entry similar to this format Next run time will be at approximately: 02/28/2024 10:15:30.
The log entries that you should look at for device uploads should be something like this Batching N Records. In this instance, N represents the number of changed devices uploaded since the last upload.
Admins should expect uploads every 15 minutes for changes. However, once that is done, they will probably need to wait up to 10 minutes to view the client changes appearing in the Microsoft Intune admin center.
Configuration Manager components and log flow
SMS_SERVICE_CONNECTOR: Will utilize the Gateway Notification Worker to process the notification from the Microsoft Intune admin center.
SMS_NOTIFICATION_SERVER: Receives the notification and subsequently creates a client notification.
BgbAgent: The client gets the task and runs the requested action.
SMS SERVICE CONNECTOR
Following the initiation of an action from the Microsoft Intune admin center, the CMGatewayNotificationWorker.log will process the request.
Received new notification. Validating basic notification details…
At this point, you should be expecting a task to be sent from the management point to the corresponding client as soon as the message has been forwarded to the SMS NOTIFICATION SERVER. In the BgbServer.log, which is on the management point, you should see the following:
Get one push message from database.
Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients with throttling (strategy: 1 param: 42)
BgbAgent
The last step will occur on the client and you can view it in the CcmNotificationAgent.log. As soon as the task has been received, it will then request the scheduler to carry out the action. And once the action has been carried out, a confirmation message will appear:
Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=
In this section, we’ll take a look at some of the issues that admins may often encounter.
Unauthorized to perform client action
For whatever reason, there may be situations where administrators may not have the required permissions in Configuration Manager. If that happens, you’ll see an Unauthorized response in the CMGatewayNotificationWorker.log.
Received new notification. Validating basic notification details..
Administrators should verify that the user running the action from the Microsoft Intune admin center has all the necessary permissions on the Configuration Manager site.
Known issues
Data synchronization failures
When there are issues with the hierarchy onboarding configuration, you may end up facing challenges with viewing the tenant attach details in the Microsoft Intune admin center. This could potentially happen in situations where onboarding a hierarchy that has already been onboarded occurs. However, you may also detect this issue from entries in the GenericUploadWorker.log and CMGatewayNotificationWorker.log files.
Workaround for data synchronization failures
Resetting the tenant attach configuration will require you to follow the steps below:
Offboard the hierarchy. If the tenant attach is already enabled, you need to disable device upload and offboard by editing the co-management properties.
In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. (Select the Co-management node if it is version 2103 and earlier)
In the ribbon, select Properties for your co-management production policy.
Next, you need to remove the Upload to Microsoft Endpoint Manager admin center selection from the Configure upload tab.
Once everything’s completed, select Apply.
You need to give the service about 2 hours to clean up the existing record. Once the above has been completed, you can onboard the hierarchy again.
Example errors in log files that require resetting the tenant attach configuration
Errors for AccountOnboardingInfo and DevicePost requests in GenericUploadWorker.log
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)
Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44
The remote server returned an error: (401) Unauthorized. at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()
Response in the web exception: {“Message”:”An error has occurred.”}
Errors for device actions in CMGatewayNotificationWorker.log
[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)
Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44
The remote server returned an error: (401) Unauthorized. at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()
Response in the web exception: {“Message”:”An error has occurred.”}
Specific devices don’t synchronize
Another issue that you may need to deal with has to do with specific devices, which also happen to be Configuration Manager clients, not being uploaded to the service. So, what devices should you expect to be potentially affected by this issue?
In scenarios where a device is a distribution point that uses the same PKI certificate for both the distribution point functionality and its client agent, then the device won’t be included in the tenant attach device sync.
Furthermore, administrators should look out for the behavior that is typical in such instances. During the on-boarding phase as you are going through the tenant attach process, a full sync will be carried out the first time.
You should be aware that any other sync cycles after this one will be delta synchronizations. If the impacted devices are updated in any way, that update will result in the device being removed from the sync.
When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don’t work
More troubleshooting
If you find yourself in a situation where the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you won’t be able to install applications, run CMPivot queries, and perform other actions from the admin console.
Instead, you will get a 403 error code, forbidden. What you would normally do to address this is to configure the on-premises hierarchy to the default authentication level of Windows authentication.
The platform is designed to enable you to determine what the minimum authentication level should be for admins to access Configuration Manager sites. You should view this as a great feature for enhancing security because it means that admins have to sign in to Windows with the appropriate level before they can access Configuration Manager.
Authentication
Furthermore, this applies to all components that access the SMS provider. Configuration Manager supports a handful of authentication levels and these are as follows:
Windows authentication: Authentication with Active Directory domain credentials is necessary. Note that this setting represents the previous behavior, as well as the current default setting.
Certificate authentication. Authentication with a valid certificate that has been issued by a trusted PKI certificate authority is necessary. You also need to know that you don’t configure this certificate in Configuration Manager. Configuration Manager requires the admin to be signed into Windows using PKI.
Windows Hello for Business authentication: In this case, you need a strong two-factor authentication that’s linked to a device and also uses a PIN or biometrics. Before choosing this particular setting, you need to note that the SMS Provider and administration service will require the user’s authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In simple terms, all this means is that users of the console, SDK, PowerShell, or administration service are required to authenticate to Windows with their Windows Hello for Business PIN or biometric. If not done this way, the site rejects the user’s action. Another key thing to also remember is that this behavior is specific to Windows Hello for Business and does not apply to Windows Hello.
What to do when Configuration Manager components for tenant attach fail to connect to the backend cloud service
Another issue that some have encountered concerns the failure of Configuration Manager components for tenant attach to connect to the backend cloud service when you run a client action from the Microsoft Intune admin center. In those instances, you may see the error given below:
Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name
According to the information available from Microsoft, this problem occurs in versions earlier than the Configuration Manager version 2203 hotfix rollup after a change in public certificates on July 27, 2022. The reason for this has to do with the change that came about in public certificates on July 27, 2022, where OU=Microsoft Corporation was removed from the public certificate.
Even though this change was carried out, the configuration manager database still retained the old subject name and this then caused the load check failure. Below are some example entries in the CMGatewayNotificationWorker.log file in the top-level site in the hierarchy:
Error occured when process notification with notification Id <notification Id>. Ignore the notification. SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker
Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject nameat Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.VerifyCertificate(X509Certificate2 certificate, Boolean crlCheck, X509Chain& certificateChain, X509Certificate2Collection extraStore)
and at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Reload()
at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Exists(String thumbprint)
and at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.\<RefreshServiceSigningCertificateIfNotExistsAsync>d__19.MoveNext()
ADDRESSING THE ISSUE
To address this challenge, there are a couple of methods that you can employ. The first thing you can do is to install the Configuration Manager version 2203 hotfix rollup if you happen to be running Configuration Manager version 2203.
However, if your version of Configuration Manager is a previously supported one, you’ll first need to upgrade to Configuration Manager version 2203. After doing that, you can proceed with the installation of the Configuration Manager version 2203 hotfix rollup.
In the update rollup for Microsoft Endpoint Configuration Manager current branch, version 2203, the following issues have been addressed:
Application approvals through email not working with a cloud management gateway due to a missing Microsoft Entra token.
Metadata revisions to previously published metadata-only updates not being synchronized to Windows Server Update Services (WSUS) as expected.
If a window happens to be left open for a few minutes, the task Sequence Editor running on Windows Server 2022 would fail to apply changes to a task sequence. After this happens, you would see the following message:
Error connecting to provider, smsprov.log may show more details.
In situations where the Client checking status frequency (minutes) value has been set below 60, the BitLocker compliance status will be temporarily inaccurate.
Admins have also experienced the incorrect removal of some users and their group memberships by the SMS_AZUREAD_DISCOVERY_AGENT thread of the SMA_Executive service in cases when the site server is configured with a non-US English locale. You’ll have have noticed the removals occurring when the discovery cycle runs after the 12th day of the month. Errors will be recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file at various times during the discovery cycle and they will be similar to the following:
ERROR: Encountered SqlException The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.
2. ERROR: Exception message: [The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.]
3. ERROR: Group full sync request failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object.
More troubleshooting
When adding a CMPivot query as a favorite, it is split into two lines and characters are removed.
When searching Software Update Groups in the Configuration Manager console, the Name criteria is not an option.
Instead of the value you may have previously noticed, the Browse button for Content location in the properties for a deployment would return an empty location.
The implicit uninstall setting won’t be respected by an application that is targeted to a device collection but deployed in the context of the user.
Typing a Name value in the Create Orchestration Group wizard occurs at a below normal speed.
A misleading error message (false negative) is generated on a target distribution point that is co-located with a site server. You could expect to see this during content distribution from a parent site to a child site. In the distmgr.log, the false negative will appear in this format:
~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file
Conclusion
In some cases, unfortunately, both options involving installation of the Configuration Manager version 2203 hotfix rollup may not work to fix the above issues. For those situations, you’ll need to open a support ticket with the Configuration Manager support team.
From there, you’ll be able to get the appropriate assistance to resolve the problem in the supported version of Configuration Manager in your environment.
Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.
But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.
What are Windows safeguard holds?
By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or rollback. In the instances where such issues arise, applying safeguard holds to update service helps.
Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.
With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.
Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.
Looking at issues
When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But, what exactly are these issues? There are known issues. These are problems that can manifest after an upgrade is discovered by Microsoft or reported by clients or partners. Only after assessment and confirmation of an issue, for a specific set of devices, can it fall under known issues.
The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.
Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.
How does it work?
Here are additional aspects to understand when recognizing how Windows safeguard holds work.
Identification of known issues
As one would expect, the process would naturally start by identifying the relevant issues. Microsoft has a setup that allows for the collection of feedback from various channels. This information is regarding known issues about a Windows update, now collected for your review.
Although there is an internal testing process, Microsoft also requires feedback from Windows Insiders, clients, and partners. And then, as issues are identified, device-specific criteria develop and for application to affected devices as a safeguard hold. These devices will no longer have access to updates until a fix is found and implemented.
Identification of likely issues
For the safeguarding of likely issues, Microsoft can use data obtained across millions of daily devices. Unmanaged by IT, these devices are installing the upgrade from the Windows Update.
All the diagnostic data that Microsoft has from the millions of client devices feeds into the machine learning system. From this, identity patterns associated with update-related disruptions can then be automatically identified. All data usage follows Microsoft’s privacy policy.
Safeguarding of devices
The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.
This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:
Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.
Known and Unknown Issues
In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.
When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:
In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.
When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.
So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.
Taking advantage of Windows safeguard holds
Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.
You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.
§ Pre-requisites
Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:
You need to verify that diagnostic data is set to Required or Optional.
Something that you do need to be aware of is that safeguards holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment can benefit from optimal user experience and so opting out or doing manual updates is not recommended. However, in strict IT environments and for validation purposes you may still do that.
Keep track of safeguard holds reporting
One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.
For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.
How to opt-out
If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:
Navigate to the Open the Local Group Policy Editor (gpedit.msc).
In that section, look for the policy location in the left pane of the Local Group Policy Editor.
Next, head over to the right pane of Manage updates in the Windows Updates section of the Local Group Policy Editor. Proceed to tap on Disable safeguards for Feature Updates.
Microsoft recommendations
Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.
So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.
There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.
As mentioned previously, this is still only recommended when in strict IT environments and for validation purposes. Furthermore, you should be aware that even if you do opt out, this will be temporary and only lasts the time it takes to complete the update. So as soon as that is done, the safeguard hold is automatically reapplied.
Wrap up about Windows safeguard holds
Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.
That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.
In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.
So much technological innovation is going on all around us that it can at times be overwhelming to keep up with everything. And mobile device management solutions are no different. Which of the solutions do you pick to ensure that your organization is using the best management solution? Difficult to say.
In fact, plenty of organizations opt for using multiple device management solutions at the same time. Although, there may be advantages to that, finding a single comprehensive solution to provide you with everything you need in a single package offers greater convenience. This is why I’ve decided to write this guide on Microsoft Intune, a solution that can optimize your IT operations to perform at unprecedented levels.
Before you begin
In the first blog of this Microsoft Intune series, I looked at the different stages of planning that you’ll have to go through if you want to have a seamless adoption of Microsoft Intune in your organization. As one would expect, adopting any new technology will bring with it a few teething problems hence the need for a plan that covers as many potential scenarios as possible.
Getting started
Some of the key areas of consideration include:
Have your goals clearly itemized. This includes concerns about data security, device protection, access to organizational resources, and other objectives.
Creating a complete inventory of all the devices in your organization that will have access to company resources. So, this would include both organization-owned and personal devices as well as information about the platforms they are running.
You’ll also need to look at all potential costs and licensing. There will probably be some additional services and programs that you’ll need so all these will need consideration.
You probably already have existing policies and infrastructure that your organization relies on. However, all these will require reviewing when thinking of moving to Intune. This is because you may need to develop some new policies.
With the above in place, you need to determine a rollout plan that has pre-defined objectives and can ensure that the rollout proceeds as smoothly as possible.
As you introduce Intune to your organization, you cannot ignore the value of communicating with your users. People in your organization need to understand what Intune is, what value it will bring to your organization, and what they should expect.
Lastly, it’s crucial that you fully equip your IT support and helpdesk staff. You can do this by involving them in the adoption process from the early stages. Therefore, it enables them to learn more about Intune and gain invaluable experience. With the skills that they acquire, they’ll be able to play important roles in the full rollout of Microsoft Intune as well as help in the swift addressing of any potential issues that arise.
Design creation
After you go through your planning phase, you can start to look at creating a specific design for your organization’s Microsoft Intune setup. Coming up with a design will require you to review all the information already collected throughout the planning phase.
This is going to allow you to put together information on your existing environment. This includes the Intune deployment options, the identity requirements for external dependencies, the various device platform considerations, as well as the delivery requirements. One of the great things about Microsoft Intune is that you don’t need to worry about significant on-premises requirements to use the service.
However, having a design plan is still a good idea because it allows you to have a clear outline of the objectives that you want to achieve so that you can be certain about choosing the management solution.
Assessing your current environment
A logical place for you to begin your planning is with your current environment. Having a record of this environment can help to further clarify where you currently are and what the ultimate vision is. This record can also serve you well during the implementation and testing phases. There you can make numerous changes to the design.
Recording the environment
There are several methods for recording your existing environment such as:
Identity in the cloud – you can note if your environment is federated. Additionally, you can determine MFA enabling. Also, which of Azure AD Connect or DirSync do you use?
Email environment – you need to record what email platform you currently use. Also consider if it is on-premises or on the cloud. And if you’re using Exchange, for instance, are there any plans for migrating to the cloud?
Mobile device management solutions – you’ll need to go over all the mobile device management solutions (MDM) currently in use. Also consider what platforms they support. It’s also important to note down which solutions you’re using for corporate as well as BYOD use-case scenarios. Additionally, it’s useful to have a record of who in your organization is using these solutions, their groups, and even their use patterns.
Certificate solution – note whether or not you have implemented a certificate solution, including the certificate type.
Systems management – have a detailed record of how you manage your PC and server management. This, means you have to note what management platform you are using, whether it’s Microsoft Endpoint Configuration Manager or some other third-party solution.
VPN solution – you should note what you’re currently using as your VPN solution of choice. And if you’re using it for both personal devices and organization-issued devices.
Note to consider
In addition to having a detailed record of your current environment, it’s also important to not forget any other plans in the works. Or consider those on the docket for implementation. Especially if they could affect what you have already noted down in the record of your environment. For instance, your record could show that multi-factor authentication is off. Still, you could be planning to turn it on in the near future so you’ll want to highlight this coming change.
Intune tenant location
The location where your tenant will reside is extremely important to decide before making the decision to subscribe to Microsoft Intune. And this is especially so for organizations that operate across different continents. The reason why it’s so important to carefully think this through, is that you’ll need to choose the country/region when you are signing up for Intune for the first time. After you have made your selection, you won’t have the option to change your decision later on. The regions that are currently available for selection include North America, Europe, the Middle East, Africa, as well as Asia and Pacific.
External dependencies
When we talk about external dependencies, we are referring to products and services that are not part of the Intune package. But they may be part of the prerequisites to use Intune. In addition, they could also be elements that can integrate with Intune. Given how integral external dependencies may be to your use of Intune, you’ll need to have a comprehensive list of any and all requirements. Make sure they’re for these products and services as well as the instructions for their configuration.
Below we’ll look at some of the more common examples of external dependencies that you will encounter:
Identity
Simply put, identity gives us the element through which we can recognize all the various users that belong to your organization as well as those enrolling devices. If you want to use Intune then you’ll need to be using Azure AD as your user identity provider. This comes with several advantages. One such benefit is enabling IT admins to enhance organizational security by controlling access to apps and app resources. Therefore, it’s easier to meet your access governance requirements. App developers will also benefit from the ability to leverage Azure AD APIs for creating personalized experiences using organizational data.
For those that are already using Azure AD, you’ll get the added convenience of continuing with the current identity that you have in the cloud. Not only that, but you also get the added benefit of Azure AD Connect. This happens to be the ideal solution for synchronizing your on-prem user identities with Microsoft cloud services. For organizations that already have an Office 365 subscription, the best scenario would be to ensure that Intune also uses the same Azure AD environment.
User and device groups
These groups play an important role as they are responsible for defining who exactly the target of a deployment will be. This will also include profiles, apps, and policies. It’s therefore important to come up with the user and device groups that your organization will need. And the best way to go about this may be for you to start by creating these groups in the on-premises Active Directory. And then once you have done this you can proceed to synchronize to Azure AD.
Public key infrastructure (PKI)
The role of PKI is to provide users or devices with certificates that will enable secure authentication to various services. So, when considering adopting Microsoft Intune you should be aware that it supports a Microsoft PKI infrastructure. Mobile devices can provide device and user certificates, so you meet all certificate-based authentication requirements. However, before you proceed with the use of certificates, you’ll need to verify a few things first:
Check whether or not you even need the certificates.
Check if certificate-based authentication provides support by the network infrastructure.
Lastly, you need to verify whether there are any certificates already in use in the existing environment.
For some, they may need to use these certificates with VPN, Wi-Fi, or e-mail profiles with Intune. But to do that, you first need to check if you have a supported PKI infrastructure in place. It needs to be ready for the creation and deployment of certificate profiles. Furthermore, when it comes to the use of SCEP certificate profiles, you have to decide how to host the Network Device Enrollment Service feature. Not only that, but you also need to determine how to carry out any communication.
Pre-requisites for devices
As you proceed with your design plan for Microsoft Intune, you’ll also need to turn your focus over to devices and the requirements. Expectedly, as with any management solution, there will be devices to consider. But there will also be platform considerations that will determine suitability for Intune management.
Device platforms and Microsoft Intune
One of the most important parts of the design plan is to consider the device platforms that will be supported by your chosen management solution. Therefore, before making the final decision about whether or not to go with Intune, you should create a complete inventory of the devices that will be in your environment. Then crosscheck whether or not they have proper support by Intune.
Understanding systems
The table below contains the supported configurations.
Operating systems
Android iOS/iPadOS Linux macOS Windows Chrome OS
Apple (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require iOS 14.x or later. The same requirement also applies to Intune app protection policies and app configuration.)
Apple iOS 14.0 and later Apple iPadOS 14.0 and later macOS 11.0 and later
Android (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require Android 8.x or later. However, for Microsoft Teams Android devices, support will continue so this requirement does not apply. And then for Intune app protection policies and app configuration delivered via Managed devices app configuration policies, the requirement is for Android 9.0 or higher.)
Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements) Android enterprise: requirements Android open source project devices (AOSP) supported devices RealWear devices (Firmware 11.2 or later)HTC Vive Focus 3
Linux (It’s to be noted that Ubuntu Desktop already has a GNOME graphical desktop environment installed)
Ubuntu Desktop 22.04.1 LTS with a GNOME graphical desktop environment. Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment.
Microsoft (Microsoft Endpoint Manager can still be used for the management of devices running Windows 11 the same as with Windows 10. Unless explicitly stated otherwise, assume that feature support that only mentions Windows 10 also extends to Windows 11. In addition, you should also note that configuring the available operating system features through MDM is not something that is supported by all Windows editions.)
Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions) Windows 10/11 Cloud PCs on Windows 365 Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions) Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode) Windows Holographic for Business Surface Hub Windows 10 Teams (Surface Hub)
MicrosoftIntune-supported web browsers
Microsoft Edge (latest version) Safari (latest version, Mac only) Chrome (latest version) Firefox (latest version)
Devices
By using Microsoft Intune, organizations can manage mobile devices more efficiently in a way that can enhance the security of organizational data. This means that the risk of malicious activity is reduced. And users can thus work from a greater number of locations. One of the greatest benefits of device management solutions such as these is that they can be both cost-efficient and convenient. This is because they support a wide variety of device types and platforms.
As a result of this, organizations are less likely to need to invest in new devices. And users can utilize the personal devices they already own in BYOD scenarios. With all this, however, it’s even more important for you to come up with a comprehensive template detailing what device types, OS platforms, and versions you will allow to have access to your organization’s resources.
Device ownership
As already mentioned, Microsoft Intune offers support for a wide variety of devices. And these devices can either be personal or organization-owned. When devices are enrolled via a device enrollment manager or a device enrollment program, they fall under the category of organization-owned devices. So, for instance, all devices that you enroll using the Apple Device Enrollment Program will categorize as organizational devices. Subsequently they will add to the device group, which will receive organizational policies and applications.
Bulk enrollment
As an organization, when enrolling a large number of devices into Intune, the process is simplified by the availability of a bulk enrollment feature. This feature provides you with a quick and easy way of setting up a large number of devices for management. A few use case examples. These include setting up devices for large organizations, setting up school computers, and setting up industrial machinery, among others. Intune has different ways to process the bulk enrollment of devices so you’ll need to determine which method fits best with your Intune design plan.
Design requirements and Microsoft Intune
When making the design considerations, there are specific requirements you’ll need to look at for the Intune environment that you want to establish. There may be instances that require you to make adjustments to the general advice that you get concerning Intune deployment.
It’s essential to ensure that certain capabilities will meet the requirements for the use cases needed for your organization. These features include configuration policies, compliance policies, conditional access, terms and conditions policies, resource profiles, and apps.
Microsoft Intune Configuration policies
You can use configuration policies for the management of the security settings on devices in Intune in addition to the features, as well. It’s important that you design configuration policies that follow the configuration requirements by Intune devices. And the necessary information to design your configuration policies in this manner are in the use case requirements section. This enables you to note the settings and their configurations. Not only that, but you’ll need to make sure to verify to which users or device groups to apply certain configuration policies. The various device platforms that you use will need to have at least one configuration policy assigned to them or even several whenever the situation calls for it.
Compliance policies and Microsoft Intune
These types of policies are responsible for establishing whether devices are complying with the necessary requirements. Therefore, determining whether or not a device is compliant becomes a significantly easier matter for Intune. And this is very important because it allows for devices to categorize as either compliant or non-compliant. And that status can then determine which devices are given access to the organization’s network and which ones to restrict.
Furthermore, if you intend on using Conditional Access, then it will probably be in your best interests to create a device compliance policy. Before you can decide on your device compliance policies, you may again want to refer to the use cases and requirements section. This will provide you with the necessary information concerning the number of device compliance policies you’ll require. It will also help you decide which user groups you’ll be applying them. Lastly, you need to have clearly defined rules. These will detail how long devices are allowed to remain offline before they move to the non-compliant list.
Conditional Access for Microsoft Intune
Conditional access plays the role of enforcer for your organization’s policies on all devices. That means that if any device fails to comply with your requirements, conditional access measures can implement. They will prevent them from accessing organizational resources such as email. When it comes to Intune, you’ll also benefit from its integration with Enterprise Mobility + Security. This will give your organization better protocols to control access to organizational resources. So, when it comes to your design plan you still need to look at Conditional Access. You’ll also decide whether or not you need it and what you’d want to secure with it.
Terms and conditions
Terms and conditions are essential for determining your organization’s requirements for any users that want access to the network. This is especially important in BYOD scenarios where some users may not be willing to meet those conditions. So, by establishing terms and conditions, your organization can give users an ultimatum if they want to access the organization’s resources. With Intune, you also get the option to add and deploy several terms and conditions to your user groups.
Profiles
Profiles play a key role by enabling the end user to connect to company data. To cater to the multiple scenarios that your organization may encounter, Intune provides several types of profiles. The information that you need, concerning the timeline for the configuration of the profiles, is obtainable by going through the section on use cases and requirements. Planning is easier because you’ll find all the device profiles grouped according to platform type. Profile types that you need to know about include email profiles, certificate profiles, VPN profiles, and Wi-Fi profiles.
Email profile
Email profiles are responsible for several capabilities. These include reducing the workload of support staff and enabling end-users with access to company email on their personal devices. Email clients will automatically set up with connection information and email configuration. Moreover, all this can be done without users having to perform any setup tasks. So this will ultimately improve consistency. However, not all of these email profiles will have support, on all devices.
Certificate profiles
Certificate profiles are the elements that enable Microsoft Intune to provide certificates to users or devices. The certificates that Intune supports include Trusted Root Certificate, PFX certificate, and Simple Certificate Enrollment Protocol (SCEP). For SCEP, all users who will receive it are going to need a trusted root certificate. This is because the latter is a requirement for SCEP certificate profiles. So, before you proceed make sure to have a clear idea of the SCEP certificate templates that you’d like to use. Your design plan should include a record of the user groups that require certificates. It should also include the number of certificate profiles needed, and to which user groups they’ll be targeted.
VPN profiles
Virtual private networks enable internet users to have secure access from almost any location across the globe. And using VPN profiles achieves the same thing for your organization’s users. They will be able to have secure access to the organization’s networks even from remote locations. Furthermore, Intune widens the options available to you by supporting VPN profiles from native mobile VPN connections and third-party vendors.
Wi–Fi profiles
Wi-Fi profiles are important tools that enable your mobile devices to automatically connect to wireless networks. Using Intune, you can deploy Wi-Fi profiles to the various supported platforms. The device platforms that Wi-Fi profiles support include Android 5 and newer, Android Enterprise and kiosk, Android (AOSP), iOS 11.0 and newer, iPadOS 13.0 and newer, macOS X 10.12 and newer, Windows 11, Windows 10, and Windows Holographic for Business.
Microsoft Intune Apps
When using Intune, you’ll have the option to deliver apps to users or devices using any number of different ways. The apps that you can deliver cover a wide range including apps from public app stores, managed iOS apps, software installer apps, as well as external links. Moreover, this capability extends beyond individual app deployments. You’ll also be able to manage and deploy volume-purchased apps that you may have obtained from volume-purchase programs for both Windows and iOS.
App type requirements
Your design plan needs to include clear details regarding the types of apps that you will allow Intune to manage. This is especially necessary when you consider how apps deploy to users and devices. Information that you should consider for your criteria includes whether or not these apps will require integration with cloud services as well as the deployment measures you’d like to use.
You also need to decide if you’ll be availing these apps to employees using their personal devices and if users will need to have internet access to use the apps. Additionally, you need to verify if your organization’s partners will require you to provide them with Software-As-A-Service (SaaS) app data. Lastly, you need to check the availability of these apps to see if they will be available publicly in app stores or if they will be uniquely custom line-of-business apps.
App protection policies
These policies intend to safeguard your organization’s data by keeping it secure or contained in a managed app. Generally, these policies are rules that go into play when users try to access or move your organization’s data. These rules may also be enforced if users try to engage in actions that are prohibited or monitored when users are inside the app.
Therefore, you can reduce the risk of data loss because of how apps are set up to manage organizational data. Any app that can function with mobile app management will receive app protection policy support from Intune. It will be up to the organization and the team of admins to determine what restrictions you’d like to place on your organization’s data within certain apps.
Setting up Microsoft Intune
When you have your design plan in place, then you can begin looking at setting up Microsoft Intune for your environment. To do that, there will be a few things that you need to consider.
Requirements for Microsoft Intune
The first thing you need to have is an Intune subscription and the license for this is offered as a stand-alone Azure service. It is a part of Enterprise Mobility + Security (EMS) and is included with Microsoft 365. From your design plan, you’ll have a better idea of what the goals of your organization are and you may end up choosing Microsoft 365 because it comes with all of Microsoft Intune, EMS, and Office 365 apps.
Current status
If your organization doesn’t have any MDM or MAM solutions that it is currently using then Intune is probably the best choice for you. Especially if a cloud solution is what you want and then you’ll also benefit from features like Windows Update, configuration, compliance, and app features in Intune.
You can add Endpoint Manager admin center as well to the list of benefits that will be availed to you. Something that does need to be mentioned is that organizations that use more than one device management solution should consider using only a single one.
And if you’ve been using MDM providers such as MobileIron, Workspace ONE, and MaaS360 you’ll still have the option to move to Intune. This will come with a significant inconvenience, however, because before users can enroll their devices in Intune, they will have to unenroll their devices from the current management platform.
Before you make the move to Intune, you’ll need to note in your design plan all the tasks you’ve been running and the features you need so that you know how to proceed with setting up Intune. Unenrolling devices from your current MDM solution not only presents a challenge but makes devices temporarily vulnerable.
This is because while they are in that unenrolled state, they stop receiving all your policies thus security is compromised. By using conditional access, you can block unenrolled devices until they complete their enrollment in Intune.
You should plan to implement your deployment in phases that start with small pilot groups so that you can monitor the success of your approach. If all goes well you can then proceed with a full-scale deployment. Furthermore, those who currently use Configuration Manager and would like to move to Intune can use the options below:
Add tenant attach
This option offers you the simplest way to integrate Intune with your on-prem Configuration Manager setup. By leveraging this option, you can upload your Configuration Manager devices to your organization in Intune. And then once your devices are attached, you’ll be able to use Microsoft Endpoint Manager admin center to run remote actions including user policy and sync machine.
Set up co-management
With this option, Intune will be used for some workloads and Configuration Manager for others. You need to first navigate to Configuration Manager and then set up co-management. And then you proceed to deploy Intune and that also includes setting the MDM Authority to Intune. Once all this is done, devices will now be ready to be enrolled and receive the necessary policies.
Moving to Microsoft Intune from Configuration Manager
This may not happen often because Configuration Manger users tend to want to stay on this platform. However, making the move is possible if you decide that a 100% cloud solution is what you are looking for. You’ll need to first register existing on-prem Active Directory Windows client devices as devices in Azure AD. Then, you proceed to move your existing on-prem Configuration Manager workloads to Intune. Using this method would be good for providing you with a more seamless experience for existing Windows client devices but the downside is that it will be more labor-intensive for your admins.
And if we’re looking at new Windows client devices then you would be better off starting from scratch with Microsoft 365 and Intune:
Start by setting up hybrid Active Directory and Azure AD for the devices. Devices that are Hybrid Azure AD joined will be joined to your on-prem Active Directory as well as registered with your Azure AD. Having devices in Intune helps to safeguard your organization from malicious activity because these devices can receive your Intune-created policies and profiles.
Go to Configuration Manager and set up co-management.
Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
You’ll also need shift all workloads from Configuration Manager to Intune in the Configuration Manager section.
With all this done, you can go ahead and uninstall the Configuration Manager client on the concerned devices. This is something that can be done by creating an Intune app configuration policy that can perform the uninstallation once Intune has been set up.
Start from scratch with Microsoft 365 and Microsoft Intune
You can only use this approach for Windows client devices, so for those Windows Server OSs, Configuration Manager will be the option you have.
Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
The Configuration Manager client will need to be uninstalled on all existing devices.
Microsoft Intune Deployment
The steps to follow for your Microsoft Intune deployment are given below:
Navigate to Endpoint Manager admin center and sign up for Intune.
Set Intune Standalone as the MDM authority.
Next, you need to add your domain account because if you don’t your-domain.onmicrosoft.com is what will be used as the domain.
Add users and groups that will receive the policies you create in Intune.
Users will then need to be assigned licenses and once that is done, devices can enroll in Intune.
The default setting allows all device platforms to enroll in Intune so if there are platforms that you’d like to block you’ll need to create a restriction.
You need to customize the Company Portal app so that it has your company details.
Come up with your administrative team and assign roles as necessary.
Windows 365 management and Microsoft Intune
Microsoft Intune not only manages your physical devices but will also play a key role in the management of your Windows 365 Cloud PCs. All you need to sign in is to head over to the Microsoft Intune admin center. This is where you’ll find the landing page for managing your Cloud PCs which is known as the Overview tab. Once signed in, go to Devices > Windows 365 (under Provisioning). In this section, you get a quick overview of the state of your Cloud PCs including the Provisioning status which summarizes the state of Cloud PCs in your organization, and the Connection health which summarizes the health of the Azure network connection in your organization.
All Cloud PCs page
On this page, you’re going to find a summary as well as a list view that will give you all the necessary information you need to know about the status of all the Cloud PCs in your organization. To make the task easier for you, the list view is refreshed every five minutes and allows you to search, filter, and sort. Additionally, there will be multiple Cloud PCs given to those users that have been assigned multiple Windows 365 SKUs. And what this means is that in the All Cloud PCs list view you will see multiple rows dedicated to a single user.
Column details
Name
A combination of the assigned provisioning policy and the assigned user’s name will provide the name of the Cloud PC.
Device name
Windows computer name.
Image
Same image used during provisioning.
PC type
The user’s assigned Windows 365 SKU.
Status
Provisioned: provisioning successful and user can sign in. Provisioning: still in progress. Provisioned with warning: warning is flagged in case of failure of a non-critical step in the provisioning process. Not provisioned: user has been assigned a Windows 365 license but not a provisioning policy. Deprovisioning: Cloud PC going through active deprovisioning. Failed: provisioning failed. In grace period: users with current Cloud PCs are placed in this state when a license/assignment change occurs for them. Pending: this happens when a provisioning request cannot be processed because of a lack of available licenses.
SUser
User assigned to the Cloud PC.
Date modified
Time when last change of state of the Cloud PC occurred.
Third-party connector
When you have third-party connectors installed and currently in use on Cloud PCs, the connector provider is displayed as well as the connector status.
Remote management
Your organization can take advantage of the Microsoft 365 admin center to remotely manage your Windows 365 Business Cloud PCs. There will be several remote actions available to you but to access them you need Azure AD role-based access roles, either Global administrator or Windows 365 administrator. Once you have one of those two roles assigned, you’ll have several methods you can use for Cloud PC management including:
Windows365.microsoft.com
Microsoft 365 admin center
Microsoft Intune (on condition that you have all the necessary licenses)
Option 1 (Windows 365 Azure AD Joined + hosted in Microsoft Network)
Microsoft Intune
Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Intune)
Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
Eliminates customer constraints
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Co-Management
This is optional and allows you to bring your on-premises device management solution MECM for Option 1
Requires MECM + Cloud Management Gateway
Depends on customer device management on-premises environment
Some considerations before managing Cloud PCs include: Azure subscription and on-premises infrastructure, deployment and configuration of a CMG as well as a public SSL certificate for this CMG, enable Co-Management in Configuration Manager, and more.
Option 2 (Windows 365 Azure AD Joined + hosted in Customer Network)
Microsoft Intune:
Cloud PCs are hosted in the Customer Network and managed in the cloud
Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
Eliminates customer constraints
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Co-Management
This is optional and allows you to bring your on-premises device management solution MECM for Option 2
Requires MECM. Cloud Management Gateway is optional
Depends on customer device management on-premises environment
Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of Intune to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.
Option 3 (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)
Co-management:
Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
Cloud PCs are enrolled as Hybrid Azure AD joined and managed by Co-Management
Requires MECM
Depends on customer device management on-premises environment
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of MECM to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.
Microsoft Intune
This is optional and if you don’t have a MECM environment you can use Intune as your Cloud PC device management solution for Option 3
Some considerations for this option include: configuration of Azure AD Connect for Hybrid Domain Joined, Hybrid Azure AD Joined Cloud PCs need to be directly attached to an on-premises AD environment, for device management the Active Directory environment will depend on Group Policy Objects.
Wrap Up About Microsoft Intune
Device and application management can prove to be a very challenging task to get right for a lot of organizations. Finding the right solution that can streamline application use across your organization’s devices without breaking the bank would be a dream for any organization. You also want a platform that can increase the productivity levels of your IT staff by minimizing the complexity of device management and by extension reducing the time spent on device management.
With Microsoft Intune, you can get this and plenty more. This MDM and MAM solution will enhance the security of your organization by establishing strict access protocols for your organization’s resources. This means greater protection at a time when endpoints are increasingly a vulnerable point for malicious attacks. Intune can provide you with peace of mind while providing an effective management platform that can vastly improve the way your organization operates.
Can Microsoft’s Delivery Optimization and Configuration Manager help solve enterprise network efficiency problems supercharged by the coronavirus pandemic?
The COVID-19 pandemic has forced numerous companies to adopt hybrid working models. This has seen demand for bandwidth capacity increase considerably.
Couple bandwidth-busting traffic connecting from all over with spiraling data costs and network administrators have something to worry about. With no end in sight of this global pandemic, enterprises are now looking for solutions to counter these issues.
As a result, the question that’s now at the fore for many network administrators is how to improve network efficiency as cost-effectively as possible in the New Year.
COVID-19 and Network Efficiency
Pre-COVID,17% of the American workforce worked remotely at least 5 days per week. Since the onset of the pandemic, this number has increased to 44%.
With nearly6% of the population (i.e. 21 million people) having no high-speed connection, enterprises have begun to ask questions such as how best can they keep all their employees connected to their networks?
A range of solutions has been proposed in order to modernize the existing mainframes including the adoption of key technologies such as Microsoft’s Delivery Optimization, Connected Cache, and Configuration Manager.
Let’s examine each of these in greater detail.
What is Delivery Optimization
Delivery Optimization is an inbuilt Windows component. It’s distributed cache technology which means that it is software designed to act as an intermediary between an enterprise’s primary storage solutions and remote employees’ computer.
The benefits that Delivery Optimization provides include optimizing cloud download efficiency, minimizing internet bandwidth, and lowering the latency in data access.
This is excellent because you want to keep your internet bandwidth high. It translates to a faster and better experience for employees, particularly those working remotely.
What is Microsoft Connected Cache?
Microsoft Connected Cache is an application installed on a Windows Server 2012 or later. It is also a high-speed data storage function that works hand-in-hand with Delivery Optimization to reduce latency and improve efficiency.
Connected Cache acts as a dedicated cache on your enterprise network. This server-based solution caches the managed downloads that Delivery Optimization extracts from the Cloud.
It’s ideal for companies because it serves as a local cache on your on-premise network.
What is Microsoft Endpoint Configuration Manager
Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM) or Systems Management Server (SMS) is a full-feature systems management software. It sets out to manage computers on a larger and streamlined scale.
Configuration Manager works by providing patch management, remote control, operating system deployment, software inventory, software distribution, and network access protection capabilities.
Now that we’re up to speed about what each of these features are and what they do, let’s look at the advantages and disadvantages of Delivery Optimization.
Delivery Optimization Pros
No Upfront Costs
For enterprises already encumbered by high remote operating costs, this is a welcome reprieve. There are no upfront costs because Delivery Optimization exists as part of Windows 10. Therefore, it’s a feature that’s paid for through your regular Windows 10 license.
Leverages Peer-to-Peer Efficiency
Delivery Optimization enables PCs connected to your network and to download updates in a more streamlined manner from other peers within the network that have already downloaded the content. In this way, there’s an overall reduction in bandwidth. This also mitigates update-related traffic.
Same Time Send/Reception of Update Files
Gone are the old days of having to wait long periods of time while update files sent and received in succession. Today, Delivery Optimization facilitates simultaneous sending and receiving of update files. This allows updates to easily and seamlessly take place.
Can Resume Interrupted Downloads
Do you remember the times when downloads would interrupt because of a network glitch and had to restart? This meant updating PCs across company networks took longer and sometimes pushed up data costs for enterprises. Thankfully, one of the perks of Delivery Optimization is the ability to resume downloads should they experience an interruption.
Load Balancing Capabilities
Network administrators can use all the help they can get to distribute workloads in a uniform manner across enterprise servers and employee PCs.
Load balancing is an incredibly important process as it promotes more efficient processing. It provides balance, so there are no uneven overloads on individual computer nodes. Delivery Optimization presents itself as a tool that expedites this distribution of network traffic.
Windows Native and Cumulative Updates Enabled
As a Windows 10 native feature, Delivery Optimization is Cumulative Updates enabled. This means that on all the PCs equipped with the DO feature, updates – both old and new – these can be bundled together into a single update package.
But it’s not all fun and games with Delivery Optimization. Here are a couple of disadvantages network administrators have to also contend with.
Delivery Optimization Cons
No Analytics and or Reporting
In Deloitte’sThe Analytics Advantage report, analytics are highlighted as important as they enable companies to drive business strategy and facilitate data-driven decisions. Thus, it comes as a big disappointment that Delivery Optimization provides no such insights neither in the form of analytics nor reports.
No Content Control
Being able to control both the content that’s being downloaded and transmitted across networks is imperative for network safety. The fact that Delivery Optimization doesn’t give network administrators such control is frustrating.
No Support for Windows 7/10 Migration
Are you thinking of migrating from Windows 7 to Windows 10? Well, unfortunately, you’ll have no help from Delivery Optimization. It’s not clear as to why the developers over at Microsoft thought it was a good idea to complicate migration in this way.
No Support Packages and App Deployment
That’s not all, but Delivery Optimization also offers no support for Packages and Application with Configuration Manager stand-alone deployments. This greatly hampers the standardization and streamlining process of installing software on employees’ work devices.
No Smart Agent
Delivery Optimization is a tool full of potential. However, it is baffling trying to understand why this supposed network optimizing resource has no smart agent to facilitate Optimal Source Selection.
No SCCM Support
Microsoft’s System Center Configuration Manager (SCCM) is integral in the management, deployment, and security of connected enterprise devices as well as apps within the network. However, this Windows product doesn’t receive any support which is a major disadvantage.
Needs Manual Boundary Definition
Boundaries, according to Microsoft, are network-specific locations on enterprise intranets that can contain your PCs or other devices making them easier to manage. When using Delivery Optimization, boundaries aren’t automatic, you have to take time to manually define each boundary you want to be created.
Needs Substantial Boundary Configuration
It’s not enough to manually define the boundaries required either, you also need to make sure that each boundary is properly configured. This additional work can be automated so it’s a wonder why Delivery Optimization doesn’t come with boundary configuration pre-set.
5 Steps to Improving Network Efficiency with Delivery Optimization
Faced with hybrid work models and more employees working remotely, enterprises must be smart about network management. Here are the top 5 ways to improve network efficiency using Delivery Optimization, Configuration Manager, and Microsoft Connected Cache in 2022.
When it comes to network efficiency, congestion in the network is one of the major network problems that most enterprises face. There are many causes of bottlenecks in your network which you will need to remove in order to improve network efficiency. These range from:
a) Network Overload
Network overload happens when you have numerous hosts within your broadcast domain. Delivery Optimization can aid in this particular case by allowing optimized cloud-managed downloads which reduce network pressure.
b) Broadcast Storms
Broadcast storms occur when you receive more requests on the network than it can handle.
c) Low Bandwidth
This occurs when there are too many people connected to the network at once. Delivery Optimization and Connected Cache are peer-to-peer cache technology and significantly help to lower the latency and minimize internet bandwidth.
d) Not Enough Retransmitting Hubs
Failure to have sufficient retransmitting hubs slows down your network. Retransmitting hubs are necessary in order to make data transmission across the network easier.
e) Multicasting
While created to help ease congestion, multicasting can in fact cause bottlenecks when two packets transferred simultaneously collide leading to congestion
f) Old Hardware
Technology is changing so fast and hardware components need to be routinely upgraded otherwise servers, routers, and switches can inadvertently lead to network congestion
g) Poor Configuration Management
When scripts are one-off or repetitive, they can introduce bugs that cause congestion. Thankfully Delivery Optimization and Configuration Manager can help to get rid of this issue.
h) Foreign Adapter Broadcasts
When rogue adapters connect to your network, this can increase the network load leading to bottlenecks. A rogue adapter is any device that connects oftentimes illegally onto your network and exists like a parasite until it’s removed. These foreign devices also pose a security threat.
Fortunately, network monitoring tools like Configuration Manager make it possible to handle the life cycle of all the devices and configurations within your network. Such visibility can assist in identifying slow traffic and congestion so you can eliminate it.
It doesn’t matter if it’s an installation of cumulative updates or new hardware, every element joining the company network must be properly configured. Failure to do so can lead to poor network efficiency.
When devices are incorrectly configured, they can’t communicate with their peers effectively. This will lead to routing problems and or increase latency.
Network administrators must ensure that each time a device is configured or reconfigured the network is tested to check network performance. Configuration Manager can be used to see whether the new configuration/reconfiguration is affecting the network negatively.
Improve Network Efficiency Step# 3.Educate Employees on Correct Network Usage
Now with more employees working remotely, it can be difficult to control what people do on the company network. However, it is pivotal to educate them on avoiding applications that are bandwidth-heavy and engaging in activities that consume a lot of data such as downloading movies, music videos, and other large files.
The more bandwidth employees are using in non-work-related activities, the less will be available for work slowing down the entire network. Configuration Manager can be used to curb non-work-related activities if necessary by blocking certain devices.
Improve Network Efficiency Step# 4.Consider Creating a Guest Network
Have you ever thought of creating a separate guest network for people visiting your company?
You don’t want strangers and outsiders to be able to connect to your enterprise network. This is a major security threat. By creating a disparate guest network they will have their own distinct network to connect to.
In this way, guests’ activities don’t interfere with enterprise bandwidth and security threats are reduced.
Improve Network Efficiency Step# 5.Compress Network Traffic and Data
Every day, colossal amounts of data are transmitted across enterprise networks. More so now, in a world where virtual meetings are the order of the day. These data-heavy online activities necessitate data compression and compression of network traffic.
By compressing enterprise data, companies get more out of their internet packages. And with Windows components like Delivery Optimization, you get to stretch your data out more.
You see, Delivery Optimization extracts content from the cloud, stores it in a temporary cache, where peer PCs/devices can easily access said files in smaller, minute data-friendly sizes without having to download all the large files for each connected device.
Wrap up
2020 and 2021 have disrupted the way business is done. With more companies eager to try out hybrid work models that allow employees to work remotely with some days in the office, network administrators have their work cut out for them in terms of making sure networks are efficient and running at optimal round the clock.
And with so much uncertainty about when things will return to normal, enterprises need to get comfortable with the idea of remote work. Resources such as Delivery Optimization and Configuration Manager will prove to be more and more important in 2022 and beyond.
Relying on such Windows features, organizations can rest easy knowing that there are tools to help with improving network efficiency in a cost-effective manner.
As people get access to more and more devices, the way that businesses operate has been rapidly evolving to keep up with the technology. And with more of these devices having access to a business’ data, this can help to improve productivity. Microsoft Endpoint Manager may have been designed with these dynamics in mind.
The problem, however, is that this can easily create a situation that puts the entire organization’s network at risk. So, a solution is necessary.
One that can enable a business to get the most it can from the devices that are available to its employees without compromising data security. This is why you need a platform like Microsoft Endpoint Manager that can bring together the most effective device management tools.
Creating the solution
Microsoft already had plenty of products available to help businesses with device management. And these products included the two that we’ll be focusing on today: Intune and Configuration Manager. So why did they feel the need to change things, to add yet another product?
What Microsoft Endpoint Manager (MEM) seeks to address is the need for a comprehensive management solution. MEM can help to reduce client confusion over the multiple products that are available by giving you a unified platform for all your devices including Windows 10, macOS, iOS, and Android. By using MEM, businesses can among other things:
proactively manage all of their devices,
maintain systems and software,
limit exposure and respond to security threats,
distribute settings, and much more.
Microsoft Intune
With Intune, what you are getting is a 100% cloud-based mobile device management (MDM) and mobile application management (MAM) provider for your apps and devices. Using it enables you to have control over the features and settings on Windows 10, Apple, and Android devices.
Also, if you have on-prem infrastructure, there will be Intune connectors available. Namely the Intune Connector for Active Directory and the Intune certificate connector.
And by making it a part of MEM, Microsoft allows you to use Intune to create and check for compliance, as well as deploy apps, features, and settings to your devices using the cloud.
Configuration Manager
Whereas Intune is a 100% cloud-based solution, Configuration Manager gives you the on-premises management solution. With this, businesses can manage desktops, servers, and laptops that are on their network or internet-based. It is a flexible solution that you can cloud-enable if you want to integrate with Intune, Azure Active Directory (AD), Microsoft Defender for Endpoint, and other cloud services.
Furthermore, Configuration Manager gives you a great tool for the deployment of apps, software updates, and operating systems. Not only that, but you can also stay on top of queries and compliance issues so that you can act in real-time.
What are the requirements for Microsoft Endpoint Manager?
The beauty of Microsoft Endpoint Manager is that there is no complicated configuration or migration that you need to worry about. And this goes for the licensing as well.
If you have an existing Configuration Manager license then you can continue to use it, while simultaneously taking advantage of the Microsoft cloud-based security and compliance benefits of Intune.
Combining these two solutions has allowed Microsoft to avail Configuration Manager to clients with Intune licenses and vice versa. All of this without the usual roadblocks that you previously had to deal with.
This simplifies the process of giving clients a more comprehensive management platform. For management of non-Windows devices, however, you will need an Intune license, an Enterprise Mobility & Security (EMS) license, or a Microsoft 365 E3 or higher license
Taking advantage of MEM
There are plenty of reasons why any business should consider using MEM to improve the way it operates. As mentioned above, people now have access to plenty of different devices and businesses should benefit from that.
But, with the complexities that are involved in device management, there is no single tool that can meet all the requirements.
This is why bringing together Intune and Configuration Manager can work so well. By supporting a diverse BYOD ecosystem, MEM makes it easy to manage all endpoints. Whether they are on-premises and remote, corporate-owned and personal, desktop and mobile, MEM can handle them.
In addition, MEM is flexible enough to meet you where you are in your cloud journey and will not disrupt your existing processes. Your business can also leverage the integrations with other platforms such as Microsoft 365 and Azure AD to enhance productivity.
Combining products gives clients a lot to look forward to. Especially when you consider the simplified licensing arrangement. Overall, this combination will vastly improve the end-user experience and also allow IT teams to save costs and function more efficiently.
Addressing concerns about Microsoft Endpoint Manager
We all have our preferred tools that we use and that enable our businesses to operate optimally. So naturally, there will be concerns about combining Intune and Configuration Manager. What exactly does it mean for these products?
By bringing these products together under one umbrella, Microsoft is not doing away with Configuration Manager as many think. And the choice of name allows Microsoft to keep adding features to the platform.
Therefore if you have solutions that are built on Configuration Manager and want to continue using it, you are free to do so. But, the difference is that you’ll also get to leverage the intelligence of the Microsoft 365 cloud.
Basically, starting in version 1910 Configuration Manager now falls under the Microsoft Endpoint Manager branding. And as for the other components of the System Center suite, there are no changes to report.
Wrap up & Microsoft Endpoint Manager
The solutions that businesses use need to continuously evolve to allow us to boost productivity and enhance data security. We need solutions that can offer the deployment of a seamless, end-to-end management solution.
And by combining Microsoft Intune and Configuration Manager into Microsoft Endpoint Manager, we can get just that. A solution that gives clients modern management and security while integrating with other Microsoft products in a way that optimizes device management.
End-users commonly experience challenges such as long boot times, application crashes, and so on. These problems may be the result of a lack of optimized software configurations, legacy hardware, and issues that may arise due to configuration changes and updates. Enters Microsoft Endpoint Manager and the solution businesses need.
You’ll be able to improve user productivity as well as reduce IT costs because of the insights that you’ll receive. The latter will give you information about device setup, startup and sign-in times, and overall system performance.
Not only that, but the introduction of new features can enhance the user experience even more.
Benefits of Microsoft Endpoint Manager Analytics
Introduced in September 2020, Endpoint Analytics is the tool that can help your organization to gather significant amounts of data and thus help you to view and understand the performance of your managed Windows 10 estate. At the initial release, Microsoft Endpoint Manager Analytics had three main areas of focus:
Startup performance: the insights provided help you understand your devices’ reboot and sign-in times and this enables IT to get users from power-on to productivity quickly without lengthy boot and sign-in delays.
Proactive remediation scripting: swiftly fix common issues before they become problematic for end-users.
Recommended software: recommendations for providing the best user experience.
To make the product even better, Microsoft has added two new features to give IT greater visibility in order to enhance the overall end-user experience.
The application reliability report
The first of the two new features is called the application reliability report (APR). This is something that will provide you with insights into potential issues for desktop applications on managed devices.
Utilizing this feature helps you to quickly identify the top applications that are impacting end-user productivity. Moreover, it also enables you to view aggregate app usage along with app failure metrics for these applications.
To take advantage of this feature, devices should be enrolled in Endpoint Analytics. And for devices enrolled from Configuration Manager, they’ll need client version 2006 or later installed.
To view the APR, you won’t need to do anything if your devices are Intune managed or co-managed. You’ll easily locate it beside the rest of the Endpoint Analytics reports in the Microsoft Endpoint Manager admin center console.
On the other hand, if you have devices enrolled through tenant attach, you need to upgrade to Configuration Manager 2006 for this report to populate.
How Microsoft Endpoint Manager works
To find your app reliability score, head over to the overview page. Here, you’ll also get the baseline score which is the median across all organizations. Below that you get a list of the apps most likely to have reduced user productivity during the previous 14 days. And then on the right column are app reliability Insights and Recommendations prioritized by which are most likely to boost your score.
To view the list of all your company’s apps, you can go to the App performance tab. You can sort out these apps according to various criteria such as name, publisher, active devices, and app reliability score. In addition, you may also sort apps out using the mean time to failure, which is the average number of times the app can be used across the organization between crashes.
In order to see your business’ application reliability performance, you can also leverage other pivots like the model, and OS version deployed, as well as troubleshoot application reliability issues with individual devices.
Devices will be given a device app health score that you find in device performance. This score is determined by the frequency of app crashes on a particular device during the last 14 days. To help you with troubleshooting, you can view a timeline of app crash and app hang events by clicking into each device.
Restart frequency feature of Microsoft Endpoint Manager
The second of the two recent additions to Endpoint Analytics is the restart frequency feature. This tool provides you with information regarding when devices are being rebooted and why.
You also see improvement for the existing startup performance report thus helping to improve the user experience even further. All of this should enable operational and helpdesk departments to be more proactive and provide insights on end-user devices.
The data provided aims to clarify the type of reboots that occur. To achieve that, these reboots will be classified as either normal or abnormal. When we talk of normal restarts, this refers to restarts that go through the normal Windows shutdown processes such as Windows update installations.
And when we talk about abnormal restarts, this refers to those that don’t follow normal Windows shutdown processes. Because abnormal restarts can be problematic they need to be looked into further. There are three categories of them:
Blue screens: This type of abnormal restart type is also a stop error. On average, one may expect no more than two stop errors per device per year.
Long power button press: Occurs when you hold down the power button to force a restart. This type happens less frequently than blue screens.
Unknown: The last category is for shutdowns that don’t align in either of the two previous categories.
Wrap up
Deployment of new laptops and desktops to users in an organization is a constantly ongoing process for a lot of businesses. As such, IT departments need efficient ways of managing devices and ensuring the optimization of the end-user experience.
And this is why if you’re not already enrolled you should be considering Endpoint Analytics.
End-users may face various issues in their day-to-day work that they will not report. Because of this, the user experience suffers and this will inevitably affect productivity. But, by utilizing Endpoint Analytics and its great new features, organizations can get high-level visibility into these various issues enabling them to address them quickly and efficiently.
Every business needs to be on top of its game when it comes to matters of the security of its IT infrastructure. Because even the smallest of vulnerabilities can be exploited to devastating effect. And Microsoft Defender ATP is ready to mitigate those risks.
Not recognizing these risks can potentially cause the shutting down of a business, at best temporarily. And research has shown that the cost of downtime to a company can quite easily run into hundreds of thousands of dollars.
As we can all imagine, the losses that a business would suffer would be colossal, to say the least. Hence the need to enhance one’s security to keep bad actors at bay. By using Tamper Protection, you immediately strengthen the security of your business.
Why Tamper Protection?
Arguably the greatest challenges to an organization’s IT infrastructure come in the form of malware or malicious apps that tamper with your security settings and potentially create vulnerabilities in your system.
With these changes having been made, your organization becomes a significantly easier target for cybercriminals. It is with this in mind that Microsoft introduced Tamper Protection two years ago.
Simply put, and as the name itself implies, the Microsoft Defender ATP feature essentially locks Microsoft Defender thus preventing anyone from tampering with your security settings. Including modifications that may be made by administrators.
As a key element of Microsoft’s security strategy, Tamper Protection helps to ensure that Windows 10 clients do not need third-party anti-virus software.
However, Tamper Protection does not have an impact on third-party antivirus registration. So this means that third-party antivirus offerings will still register with the Windows Security application. By using Tamper Protection, you can prevent the following:
Deactivation of virus and threat protection.
Deactivation of real-time protection.
Disabling of behavior monitoring.
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Blocking of cloud-delivered protection.
Removal of security intelligence updates.
Extending client coverage
With the obvious benefits that Tamper Protection brings to any organization, it only makes sense to try and extend coverage wherever possible. And this is what Microsoft did with their announcement in September last year.
This feature was extended to cover ConfigMgr 2006-only clients on both Windows 10 and Windows Server 2019, delivered via Tenant Attach. To enable Tenant Attach, the process is fairly straight forward and you can find the instructions provided here.
Having done that, you can then go to Endpoint security > Antivirus in the MEM admin center. From there you can proceed to create and deploy the Tamper Protection setting. After that, you’ll then need to configure the aforementioned setting.
This you will then deploy to a Configuration Manager collection of devices. If you want to view the policy status, go to the Monitoring >Deployments section which you find in ConfigMgr. However, you can also find it in the policy status in the Endpoint Manager Admin center
Utilizing Tenant Attach
Tenant Attach provides a method for attaching your ConfigMgr hierarchy to your tenant and leverages the capabilities available from the cloud. This includes things such as discovering cloud users and groups, synchronizing Azure AD groups from a device collection, etc.
Moreover, you can sync your on-prem only ConfigMgr clients into the MEM admin center thus enabling the delivery of Endpoint security configuration policies to your on-prem clients.
With this tool, a device does not necessarily have to be enrolled in Intune. In fact, it can be managed by either ConfigMgr or Intune. Alternatively, devices can also be co-managed.
Management of Tamper Protection
In addition to managing Tamper Protection using tenant attach as described above, there are a few other management options available. These are:
Management of Tamper Protection using the Microsoft Defender Security Center. You can turn Tamper Protection on or off for your tenant via the Microsoft Defender Security Center. This option is on by default for all new deployments and the setting is applied tenant-wide. So it affects all devices that are running Windows 10 or Windows Server 2016 or Windows Server 2019.
Management of Tamper Protection using Intune. If your organization’s subscription includes Intune then Tamper Protection can be turned on or off in the Microsoft Endpoint Manager admin center.
Management of Tamper Protection on an individual device. Tamper Protection can be managed via the Windows Security app by individuals who are either home users or are not under settings managed by a security team. To do this, however, you need to have the appropriate admin permissions on your device to change security settings.
Keeping track of security data
Having preventive measures in place does not negate the need for constantly reviewing the security information.
You need to regularly check what is going on within your system so that you can stay on top of things because several tampering attempts are usually a sign of something bigger. And that may potentially be a bigger cyberattack.
Cybercriminals can attempt to alter your organization’s security settings as a way to persist and stay undetected.
Therefore, in every business, security teams should review information about such attempts, and then take the appropriate actions to mitigate threats.
The system is designed to raise alerts in the Microsoft Defender Security Center when tampering attempts are made. By utilizing tools such as endpoint detection and response and advanced hunting capabilities, you can investigate further and then implement the necessary measures to address the problem/s.
Wrap up
Microsoft is looking to tackle the surge in cybercrime head-on. Bad actors are constantly seeking out weaknesses in organizations’ systems and occasionally they find them. This is why businesses need to leverage the next-gen security strategies that Microsoft can offer.
With features like Tamper Protection, you get additional security to help your organization block nefarious elements from altering your security settings and leaving you vulnerable. Advanced breaches and increasing incidences of ransomware campaigns need all businesses to start getting proactive about their security. Otherwise, the consequences could prove to be very costly.
When it comes to Microsoft Endpoint Manager (MEM), there’s always a steady stream of new features that clients should be paying attention to.
Technology is constantly changing and the products that we use need to improve as well. Especially if we consider the recent surge in cybercrime as seen in the FBI’s 2020 internet crime report.
No business is immune and as such, technology companies have to consistently enhance their products to ensure that clients’ data is secure. With security in mind, let’s take a look at the exciting new features that Microsoft is bringing to the MEM platform.
Enhancing security through Microsoft Endpoint Manager filters
Microsoft Endpoint Manager has now made it possible for IT admins to use filters to target apps, policies, and other workload types to specific devices.
By utilizing these filters, IT admins get more flexibility and can better protect data within applications, simplify app deployments, and speed up software updates.
Furthermore, it is now easier for admins to comply with their organizational policies and compliance requirements by deploying:
A Windows 10 device restriction policy only to the corporate devices of users in a particular department without including personal devices,
An iOS app to only the iPad devices for users in another department,
An Android compliance policy for mobile phones to all users in the company but exclude Android-based meeting room devices that don’t support the settings in that mobile phone policy.
Windows 10 Enterprise multi-session is a new Remote Desktop Session Host exclusive to Windows Virtual Desktop on Azure which allows multiple concurrent user sessions. Additionally, with this feature, users get the benefit of a familiar Windows 10 experience. In addition, IT can benefit from the cost savings that a multi-session allows and use existing per-user Microsoft 365 licensing.
By leveraging Intune, you can manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 client. Moreover, you can enroll Hybrid Azure AD joined VMs in Intune automatically and target with OS scope policies and apps.
This means that now you can:
Host multiple concurrent user sessions using the Windows 10 Enterprise multi-session SKU exclusive to Windows Virtual Desktop on Azure.
Manage multi-session remote desktops with device-based configurations like a shared, user-less Windows 10 Enterprise client.
Automatically enroll Hybrid Azure AD-joined virtual machines in Intune and target them with device scope policies and apps.
Policy management made simpler
Using the settings catalog simplifies the process of customizing, setting, and managing device and user policy settings. Remember, managing policy configuration through custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy is not the easiest of tasks to undertake.
Moreover, what the 2105 service release does is support your move from Group Policy Objects (GPO) or custom OMA-URI to cloud-based consolidated policies.
Clients will be happy to note that 5,000 settings have been added to the settings catalog for Edge, Office, and OneDrive, including additional settings for macOS and Windows.
Microsoft Tunnel Gateway changes
There are a couple of changes to note for the Microsoft Tunnel Gateway:
Microsoft Tunnel Gateway (MTG) is now out of preview and thus is generally available. However, while the MTG server component is out of preview, the following Microsoft Tunnel apps are not – Microsoft Tunnel standalone app (for both Android and iOS) and Microsoft Defender for Endpoint with support for Microsoft Tunnel for Android.
Custom setting support in VPN profiles for Microsoft Tunnel for Microsoft Defender for Endpoint for Android. New changes here mean that you can now use custom settings in the VPN Profile for Microsoft Tunnel to configure Microsoft Defender for Endpoint when using the Microsoft Defender for Endpoint as your Microsoft Tunnel client app for Android and as an MTD app.
Device security with Microsoft Endpoint Manager
Another update that is certain to make MEM clients happy is that conditional access on Jamf-managed macOS devices for Government Cloud is now available.
By using Intune’s compliance engine, you can now evaluate Jamf-managed macOS devices for Government Cloud.
All one has to do to achieve this is to activate the compliance connector for Jamf. The steps on how to do that can be found here.
New Microsoft Endpoint Manager settings available
There are new settings now available when creating a device restrictions policy for iOS/iPadOS (14.5 devices and newer). Moreover, these are the updates that have been introduced:
Block Apple Watch auto unlock: You can set this to Yes and this will prevent users from unlocking their device with Apple Watch.
Allow users to boot devices into recovery mode with unpaired devices: If you want to allow users to boot their device into recovery with an unpaired device, you can set this one to Yes.
Block Siri for dictation: To disable connections to Siri servers so that users can’t use Siri to dictate text, set to Yes.
Clients will now get new tiles that show the number of app installation failures for the tenant. You can find these in the Home, Dashboard, and Apps Overview panes. All one has to do is follow a few simple steps:
Alternatively, if you want to view the Dashboard pane select Dashboard.
And to view the Apps Overview pane, select Apps > Overview.
Wrap up
Microsoft Endpoint Manager has many different ways that various companies can use it. It gives you a fantastic platform to gather end-point information. Also, it gives you the ability to push out Microsoft Desktop apps, Microsoft Edge as well as several other apps. And by consistently updating the features, Microsoft can help your business to operate more efficiently and enhance your data security and privacy.
With the prevailing global situation requiring more and more people to work from home, businesses need to ensure that productivity does not suffer. And to do that, you need to effectively manage remote devices. Hence the need for technology such as the Cloud Management Gateway (CMG).
By utilizing the CMG, your business has an alternative to IBCM that most would consider a significant upgrade. This creates a favorable environment that allows your organization to eliminate the obstacles of having a remote workforce. Needless to say but the CMG can play a massive role in your organization and its importance is certainly worth discussing.
Requirements
Before you can use the Cloud Management Gateway you need to meet the following requirements:
An Azure subscription to host the CMG,
You need a Full administrator or Infrastructure administrator user account in Configuration Manager,
During the initial creation of certain components, the participation of an Azure admin is needed,
You need at least one on-premises Windows server to host the CMG connection point,
A server authentication certificate for the CMG,
There needs to be an integration of the site with Azure AD to deploy the service with Azure Resource Manager,
Depending on your client OS version and authentication model, other certificates may be required,
Clients are required to use IPv4.
When is it useful?
There are several scenarios where the CMG could come in handy and they include the following:
For management of traditional Windows 10 clients using modern identity which can either be hybrid or pure cloud domain-joined with Azure AD.
For management of traditional Windows clients with Active Directory domain-joined identity. The clients included are Windows 8.1 and Windows 10.
For installation of the Configuration Manager client on Windows 10 devices over the internet.
For new device provisioning with co-management.
Benefits to your business
CMG enables your Enterprise admins to perform several actions. Among the things they can do, they can manage the following over the internet:
Push software updates and enable endpoint protection,
Inventory and client status,
Compliance settings,
Software distribution,
Windows 10 in-place upgrades,
Manage branch office devices over less expensive internet instead of across expensive WAN or VPN connections.
Eliminates complications
Although Internet-based client management (IBCM) has been around for years, a lot of users tend to find it complicated. CMG aims to be a simpler solution. It is an Azure-hosted service that manages internet-based clients through a new role called the cloud management gateway connector point.
By adding the CMG to your environment, you’ll get an intermediary cloud solution. And this can be your bridge to a full cloud management solution of your Windows 10 devices through Microsoft Intune.
Also, your organization doesn’t need to expose on-premises infrastructure to the internet and neither will you require additional infrastructure. So by using the CMG, you get rid of a lot of what users don’t like about IBCM.
Manage internet clients
Cloud Management Gateway helps you to easily and effectively manage clients that are on the internet. Often, there are going to be events in your environment that will require a swift response.
However, previously this was problematic for clients that would not be currently on-premises. By leveraging the CMG, you can manage clients all over the world as long as they have an internet connection.
Furthermore, it doesn’t require you to buy any additional IT infrastructure. So unlike IBCM that would need additional hardware that you need to maintain, for the CMG you just need to have Azure.
Strengthen your security
The moment you have systems that are not directly connected to your IT infrastructure, your data security is at an increased risk. This is particularly evident with remote work.
Although a lot of businesses have responded by using VPNs, you cannot adequately protect workstations through VPN channels. Hence the importance of the Cloud Management Gateway.
With it, you can better manage devices connected to the Internet and thus improve your corporate security posture. This is further enhanced by the fact that you can leverage Microsoft Azure services so that there is no need to expose your infrastructure to the internet.
Cost management
Whenever you use cloud services, you will incur costs associated with your usage. And the Cloud Management Gateway is no exception. Fortunately for clients, Microsoft intends to help you to keep those costs under control. You can do this through client settings, for instance, where you can determine which clients can access the CMG.
Another feature you can leverage is virtual machine configuration. The latter enables you to choose between 1 and 16 virtual machines per instance of Cloud Management Gateway. Also, if you want to, you can stop the CMG so that it’s no longer serving clients.
Therefore, to optimize user experience for all clients, the CMG helps to reduce the unavoidable costs that come with cloud services.
Constantly evolving
Another reason why the CMG is so important is how the technology is constantly evolving. There has been a lot of innovation taking place such as the ability to automatically do a client install through the CMG.
This is a great option to have because it eliminates the need for the client to be on the intranet. In addition, the platform is adaptable to your organization’s needs. So it can handle several scenarios such as:
Traditional PC management (Windows 7, 8.1, 10),
Modern PC management (Windows 10 with modern identity),
Internet client installs.
Wrap up
Every organization should be looking for ways to make the most of its IT investments. Thus from the information available, we can see that every environment that uses ConfigMgr can benefit from using the Cloud Management Gateway. And you can leverage the CMG for clients all across the globe. The convenience that this provides you cannot be overstated. As the world changes and technology evolves, we need platforms that can help organizations to become more efficient and enhance productivity.