Introduction: The Challenge of Managing Microsoft Teams Rooms
Microsoft Teams Rooms (MTR) are purpose-built devices that bring seamless Teams meetings into physical conference rooms. However, if you’re an IT admin or consultant trying to manage these devices with Microsoft Intune, you may have already hit a major wall: you can’t deploy standard applications like Win32 or MSI packages.
In this post, I’ll walk you through:
Why app deployment fails on MTRs
How to use Intune Proactive Remediation Scripts to install apps anyway
A real-world script-based workaround you can implement today
This article is especially useful for IT administrators, Microsoft 365 consultants, and organizations managing MTR on Windows devices using Microsoft Intune.
What Are Microsoft Teams Rooms (MTR) Devices?
Microsoft Teams Rooms are specialized endpoints running Windows or Android, designed to facilitate video conferencing in meeting spaces.
This article focuses on MTR on Windows, which:
Boots into a kiosk-like shell
Uses a locked-down local user account (usually “Skype”)
Automatically launches the Teams Rooms app
Is managed differently from typical Windows endpoints
Why Are MTRs So Locked Down?
Because they’re designed to do one thing very well: run meetings reliably and securely. That means:
Minimal background processes
No user distractions
Reduced vulnerability footprint
Unfortunately, this also means limited support for app deployment using traditional Microsoft Intune methods.
Why Standard App Deployment Doesn’t Work on MTR
Let’s quickly review how app deployment in Intune normally works:
You upload a Win32 or MSI app
Intune pushes it to the device
The app installs silently in the background
But MTRs are a special case:
Kiosk Shell: MTR devices run a locked-down shell that prevents user interaction.
Limited Admin Access: The logged-in “Skype” user doesn’t have full local admin rights.
Silent Installs Often Fail: Even SYSTEM-context installs can hang or fail silently.
Win32 App Deployment Not Supported: MTRs are excluded from full app deployment via Intune.
TL;DR: Intune treats MTRs like they’re manageable—but for apps, they’re basically off-limits.
What Can You Manage on MTR with Intune?
Enroll in Intune: ✅ Yes
Configuration Profiles (Wi-Fi, Certificates): ✅ Yes
Compliance Policies: ✅ Yes
PowerShell Scripts: ⚠️ Limited
Win32/MSI App Deployment: ❌ Not Supported
Store App Deployment: ❌ Not Supported
Remediation Scripts: ✅ Yes — this is our workaround!
The Workaround: Use Proactive Remediation Scripts
What Are Proactive Remediations in Intune?
Proactive Remediations are part of Endpoint Analytics in Microsoft Intune. They allow you to:
Detect issues on endpoints (e.g., missing apps or settings)
Run scripts in the SYSTEM context to remediate them
And because these scripts run as SYSTEM, they can bypass the user restrictions imposed by the MTR shell. That’s the secret sauce here.
Step-by-Step: Deploy Apps to MTR Devices Using Remediation Scripts
Step 1: Choose an Application
Pick an application with a silent installer. Examples include:
Zoom Rooms Plugin
Custom certificate tools
Remote support agents
Pro tip: Avoid apps that require UI interaction or restart the system.
Step 2: Host the Installer
Since you can’t upload Win32 apps, host the installer externally:
Azure Blob Storage with SAS token
SharePoint Online
A secure HTTPS server
Step 3: Write the Detection Script
This script checks whether the app is already installed.
For complex applications, consider a manual install window, or coordinate with the OEM.
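As an added example (not the post’s own script), here is a detection/remediation pair in the shape Proactive Remediation expects: the detection script exits 1 when the app is missing, and the remediation script, running as SYSTEM, downloads the installer over HTTPS, refuses to run it unless its SHA-256 matches a pinned value, installs it silently with no restart, and enforces a timeout so a hung installer cannot leave the remediation stuck. The product name, download URL, SAS token and hash are placeholders you replace with your own.

```powershell
# ---- Detect-App.ps1 : detection script; exit 0 = installed, exit 1 = run remediation ----
$AppDisplayName = 'Contoso Room Agent'   # assumed product name; match what appears in Apps & features
$UninstallKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "$AppDisplayName*" } |
    Select-Object -First 1
if ($installed) {
    Write-Output "Found $($installed.DisplayName) $($installed.DisplayVersion)"
    exit 0
}
Write-Output "$AppDisplayName is not installed"
exit 1

# ---- Remediate-App.ps1 : runs as SYSTEM; downloads, verifies and silently installs ----
$AppDisplayName = 'Contoso Room Agent'                      # assumed product name
$InstallerUrl   = 'https://<storage-account>.blob.core.windows.net/installers/RoomAgent.msi?<SAS token>'  # placeholder
$ExpectedSha256 = '<SHA-256 of the installer you published>' # placeholder: pin the hash computed when you uploaded it
$WorkDir        = Join-Path $env:ProgramData 'MTR-Remediation'
$InstallerPath  = Join-Path $WorkDir 'RoomAgent.msi'
$LogPath        = Join-Path $WorkDir 'RoomAgent-remediation.log'
$MsiLogPath     = Join-Path $WorkDir 'RoomAgent-msiexec.log'
$TimeoutSeconds = 600                                        # kill a hung installer instead of blocking forever

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
function Write-Log { param([string]$Message) "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogPath -Append }

try {
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Write-Log "Downloading installer for $AppDisplayName"
    Invoke-WebRequest -Uri $InstallerUrl -OutFile $InstallerPath -UseBasicParsing

    # Supply-chain check: never execute a download whose hash differs from what you published.
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "Hash mismatch: expected $ExpectedSha256, got $actual" }
    Write-Log 'Installer hash verified, starting silent install'

    # /qn = fully silent, /norestart = the room device is never rebooted by this script
    $msiArgs = @('/i', "`"$InstallerPath`"", '/qn', '/norestart', '/l*v', "`"$MsiLogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -PassThru
    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        $proc.Kill()
        throw "Install exceeded $TimeoutSeconds seconds and was terminated"
    }
    # 3010 = success, reboot pending; left to the device's normal maintenance restart
    if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exited with code $($proc.ExitCode), see $MsiLogPath" }
    Write-Log "Install completed with exit code $($proc.ExitCode)"
    exit 0
}
catch {
    Write-Log "Remediation failed: $_"
    exit 1
}
finally {
    Remove-Item -Path $InstallerPath -Force -ErrorAction SilentlyContinue
}
```

A SAS token embedded in the script is readable by anyone who can view the script in Intune, so scope it to read-only access on that single blob and give it a short expiry.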
Alternatives to Intune Remediation Scripts
Manual Deployment: Good for one-off fixes
OEM Management Tools: Logitech Sync, Poly Lens, etc.
Group Policy: Works for Hybrid AAD Join MTRs
Teams Pro Management: Useful for Teams config, not apps
Conclusion: MTR App Deployment is Possible—With the Right Tools
Deploying applications to Microsoft Teams Rooms using Intune isn’t supported natively—but that doesn’t mean it’s impossible. With a bit of scripting and smart use of Proactive Remediation, you can achieve automated, scalable, and relatively safe application installs.
This method:
Uses supported Intune features (Endpoint Analytics)
Microsoft is offering clients an updated Intune Connector for Active Directory and this connector is what Intune will be using starting from Intune 2501. This connector uses Windows Autopilot to deploy devices that are Microsoft Entra hybrid joined.
The updated version of the connector aims to enhance security and will be using a Managed Service Account (MSA) instead of a SYSTEM account. Customers currently using the old version of the Intune Connector for Active Directory (that uses the local SYSTEM account) should know that this connector will no longer have support, starting in late June 2025.
Therefore, it’s important to start planning for the update, because once support ends, enrollments from the old connector build will no longer be accepted.
Key Features of the Intune Connector
The main role of the Intune Connector for Active Directory is to join computers to an on-premises domain and add them to an organizational unit (OU) allowing for central management and policies.
The Intune Connector also places joined computers within a specific OU, something that helps establish granular control over device configurations and settings. Furthermore, customers will also benefit from hybrid enrollment of devices which offers the convenience of device management by both on-premises AD and Intune.
The Intune Connector plays a key role in leveraging Windows Autopilot to set up and deploy devices. And for all those already using Autopilot, they will know that this feature will have a huge impact in making life easier for customers by simplifying deployment processes.
In addition to all the above, the Intune Connector ensures that the policies defined in both AD and Intune continue to be enforced, thus offering compliance and consistency.
Why Switch to Managed Service Accounts?
As the new version of the Intune Connector for Active Directory makes the change to using Managed Service Accounts, it’s important to understand why they are important. The use of MSAs will enable the new connector to follow least privilege principles and thereby strengthen security.
With MSAs, clients get managed domain accounts that have automatic password management. They are also granted only the privileges needed to perform their duties. With such measures in place, there is a reduction in the risk of compromise, intentional or otherwise.
You can only use standalone MSAs on one domain-joined machine and can thus only access resources within that domain. MSAs can easily and securely run services on a computer while simultaneously maintaining the capability to connect to network resources as a specific user principal. When taking all of this into account, it’s not difficult to see why Microsoft views the use of MSAs as better for the Intune Connector moving forward.
Securing The Future
The security update to the Intune Connector for Active Directory fits in seamlessly with Microsoft’s Secure Future Initiative. Microsoft is uniquely positioned within the tech industry to play a key role in safeguarding the future for all its clients.
As such, the tech giant is taking a comprehensive approach to cybersecurity with a key focus on certain areas that are critical to enhancing security across the board. There continues to be substantial progress in these areas:
Identity and secret protection
Updates to Entra ID and Microsoft Account (MSA) are live for both public and U.S. government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service.
Microsoft has continued to drive broad adoption of its standard identity SDKs, which provide consistent validation of security tokens. As a result, we now see this standardized validation covering more than 73% of tokens issued by Microsoft Entra ID for Microsoft owned applications.
Tenant Protection and Isolation of Production Systems
A full iteration of app lifecycle management for all production and productivity tenants has been performed. This has resulted in the elimination of 730,000 unused apps. Additionally, because of the elimination of 5.75 million inactive tenants, the potential cyberattack surface has become significantly smaller.
Not only that, but a new system to streamline the creation of testing and experimentation tenants with secure defaults is available. It also enforces a strict lifetime management.
Protect networks
More than 99% of physical assets on the production network are recorded in a central inventory system. This enriches the asset inventory with ownership and firmware compliance tracking. Virtual networks with backend connectivity are isolated from the Microsoft corporate network as well. They are additionally subject to complete security reviews to reduce lateral movement.
With the expansion of platform capabilities such as Admin Rules to ease the network isolation of platform as a service (PaaS) resources such as Azure Storage, SQL, Cosmos DB, and Key Vault, Microsoft has made it easier for customers to secure their own deployments.
Protection of engineering systems
We are now experiencing more consistent, efficient, and trustworthy deployments because 85% of production build pipelines for the commercial cloud are now using centrally governed pipeline templates.
Other notable changes include shortening the lifespan of Personal Access Tokens to seven days, disabling Secure Shell (SSH) protocol access for all Microsoft internal engineering repos, and massively reducing the number of elevated roles with access to engineering systems.
Moreover, proof of presence checks for critical chokepoints in software development code flow are now available.
THREAT DETECTION AND MONITORING
A lot of progress continues toward the goal of pushing all Microsoft production infrastructure and services to adopt standard libraries for security audit logs. Additional efforts include those to emit relevant telemetry and to retain logs for a minimum of two years.
A good example is the establishment of central management and a two-year retention period for identity infrastructure security audit logs, including all security audit events throughout the lifecycle of current signing keys. Add to this the fact that no less than 99% of network devices are now enabled for centralized security log collection and retention.
Accelerate response and remediation
We can now observe improved time to mitigate for critical cloud vulnerabilities because of the recent process updates across Microsoft. Customers will also appreciate the greater transparency provided by the publishing of critical cloud vulnerabilities as common vulnerabilities and exposures (CVEs). This is helpful even when no direct customer action is required.
In addition to this, the establishment of the Customer Security Management Office (CSMO) will go a long way to improve public messaging and customer engagement for security incidents.
Required Permissions
As we look at the new version of the Intune Connector for Active Directory, one of the key areas that can help us distinguish this new connector from its previous version is doing a comparison of account permissions:
Create Computer Object Rights (required for hybrid Autopilot scenario)
Previous connector (SYSTEM account): Unlimited if the connector is on the same machine as a domain controller. Delegation is required if the connector is not on the domain controller.
New connector (MSA): Explicit delegation required.
Pre-requisites
As with any product or application, there are certain requirements that all customers intending to use the Intune Connector for Active Directory will need to meet. So, before proceeding with the set up of the new Intune Connector, you need to verify that you can meet all the pre-requisites. These requirements include:
The computer you’re installing the Intune Connector for Active Directory on must be running Windows Server 2016 or later.
You should also verify that you have .NET Framework version 4.7.2 or later installed.
To facilitate communication with Microsoft’s Intune service, the server hosting the Intune Connector should have internet access.
The Intune Connector will need standard domain client access to domain controllers.
Customers must verify that they have a Microsoft Entra account with Intune Service Administrator permissions, as this is a requirement to download and manage the connector.
Also needed will be a domain account with local administrator privileges and the ability to create msDS-ManagedServiceAccount objects.
Verify that Windows Server is installed with the Desktop Experience and, for versions 2019 or earlier, install the Microsoft Edge browser manually before connector setup.
The Microsoft Entra account should have an Intune license assigned to it.
For those that will be using Hybrid Azure AD Join, they should check that it’s configured via Azure AD Connect tool.
Lastly, the Intune Connector machine must have the appropriate delegated permissions to create computer objects in the target OU.
Setting Up The Connector
To setup the new Intune Connector for Active Directory, you need to start by uninstalling the existing connector. You can do this by uninstalling from the Settings app on Windows and then, uninstalling using the ODJConnectorBootstrapper.exe (select Uninstall). With that done, you can download the connector build from Intune and then perform the installation (as described in detail in my previous blog).
Configuring organizational units (OUs) for domain join
Customers should be aware that by default MSAs won’t have access to create computer objects in any Organizational Unit (OU). Thus, if you intend to use a custom OU for domain join, you’ll need to update the ODJConnectorEnrollmentWizard.exe.config file. Fortunately, this is something you can do before or after connector enrollment:
Update ODJConnectorEnrollmentWizard.exe.config:
Default location is “C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorEnrollmentWizard”
Add all the OUs required in OrganizationalUnitsUsedForOfflineDomainJoin
OU name should be the distinguished name.
You need to be aware that the MSA is only granted access to the OUs configured in this file (and the default Computers container). This means that if any OUs are removed from this list, completing the rest of the steps will revoke access to them.
Open ODJConnectorEnrollmentWizard (or restart it if it was open) and select the “Configure Managed Service Account” button.
If successful, a pop up will appear showing success.
Using the Intune Connector with multiple domains
For those who are already using the connector with more than one domain, they will be able to use the new connector by setting up a separate server per domain and installing a separate connector build for each domain.
Configuring the connector
Customers should install the Intune Connector for Active Directory in each of the domains that they want to use for domain join. If redundancy with a second account is required, customers must install the connector on a different server (in the same domain).
Go through the connector configuration steps meticulously and verify that everything has been done correctly. Also check that the MSA has the appropriate permissions on the desired OUs.
Verify that all connectors are present in the Microsoft Intune admin center (Devices > Enrollment > Windows > under Windows Autopilot, select Intune Connector for Active Directory) and that the version is greater than 6.2501.2000.5.
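To verify the OU permissions without clicking through each OU’s security tab, here is an added PowerShell example (not part of the connector or this post) that reads each OU’s ACL from the AD: drive and reports whether the MSA holds an Allow entry for creating computer objects. The MSA name and OU distinguished names are constructed placeholders, and the check only sees rights granted directly to the account, not rights it inherits through group membership.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive that Get-Acl reads from

# schemaIDGUID of the 'computer' class: a CreateChild ACE scoped to this GUID is the
# "Create Computer objects" permission the connector needs on the OU.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AllClassesGuid    = [Guid]::Empty   # CreateChild with an empty ObjectType covers every class

function Test-OuCreateComputerRight {
    param(
        [Parameter(Mandatory)][string]$Identity,              # e.g. 'CONTOSO\odjconnector$' (assumed MSA name)
        [Parameter(Mandatory)][string[]]$OuDistinguishedName  # the OUs listed in the connector config file
    )
    foreach ($ou in $OuDistinguishedName) {
        $acl = Get-Acl -Path "AD:\$ou"
        $ace = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Identity -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            ($_.ObjectType -eq $ComputerClassGuid -or $_.ObjectType -eq $AllClassesGuid)
        } | Select-Object -First 1
        [pscustomobject]@{
            OU                = $ou
            CanCreateComputer = [bool]$ace
            Inherited         = if ($ace) { $ace.IsInherited } else { $null }
        }
    }
}

# Constructed example values: replace with your MSA and the OUs from ODJConnectorEnrollmentWizard.exe.config.
Test-OuCreateComputerRight -Identity 'CONTOSO\odjconnector$' -OuDistinguishedName @(
    'OU=Autopilot Devices,DC=contoso,DC=com',
    'OU=Meeting Rooms,DC=contoso,DC=com'
) | Format-Table -AutoSize
```

Run it after pressing “Configure Managed Service Account”; any OU that reports CanCreateComputer as False is one the wizard did not delegate, usually because its distinguished name in the config file does not match.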
Configure Domain Join profile
Follow the steps given below.
Start by creating a domain join profile for each domain that you want to use for hybrid joining devices during Autopilot.
Target the domain join profile to the appropriate device groups.
Wrap Up
The Intune Connector for Active Directory provides an essential tool for managing hybrid devices in an Intune environment. With its many available features, customers will get centralized management capabilities for their environments thus allowing businesses to operate more efficiently.
But, with security having been a big concern for many, Microsoft has made the switch to using a Managed Service Account instead of a SYSTEM account. This action has effectively tightened security in customers’ environments. Going forward, the previous version of the Intune Connector will no longer be supported. Therefore, if you are yet to download and set up the new Intune Connector for Active Directory, the sooner you do the better.
As hackers get more daring and attacks more sophisticated, organizations need to continuously look at how they can enhance their security protocols. Concerning statistics show that the cost of cybercrime, already well into the trillions, could surpass $23 trillion by 2027.
Faced with the reality that cybercrime is unquestionably on the rise, a proactive approach is now necessary to lessen the risk of attack. One of the best ways to achieve that is by utilizing the indicators that Microsoft Defender for Endpoint has.
By using these, IT admins can preemptively block malicious entities and prevent them from accessing the organization’s resources. With this in mind, the focus for this blog will be to provide you with detailed information concerning indicators.
Explaining Microsoft Defender for Endpoint Indicators
Indicators provide IT administrators with certain data that can help identify individuals with nefarious intentions. This data can enable organizations to pinpoint malicious IP addresses, untrusted certificates, suspicious URLs, and more. Moreover, an organization can then set up its indicators accordingly thereby enabling a proactive approach to dealing with threats.
In Microsoft Defender for Endpoint, the indicators operate by applying specific rules to endpoint devices. These rules will use predetermined criteria to govern whether or not devices allow or block certain types of activity. A good example of this would be blocking all traffic to and from IP addresses that have been determined to be carrying out malicious activities.
Importance of Indicators
Indicators play a major role in improving organizational security by enabling businesses to take a proactive approach and block malicious actors before they can do any damage. And if an incident does occur, indicators will help you to quickly identify threats and implement a swift response. Additionally, using indicators allows you to customize your security to effectively meet the specific needs of your organization.
These tools are invaluable for intercepting attacks. Once it has been determined that an attack is ongoing, the malicious entities can be immediately blocked therefore limiting the impact from affecting the entire organization.
Types of Indicators with Microsoft Defender for Endpoint
In this section, we’re going to look at four types of indicators that Microsoft Defender for Endpoint supports. These indicators are essential for responding to different threats.
IP ADDRESS INDICATORS
This type is used for preventing access to IP addresses suspected of malicious activities. Once a specific IP address has been determined, an action is implemented that blocks all devices within an organization from connecting to that IP address. To do this, you need to navigate to Microsoft 365 Defender portal > Settings > Indicators. Next, you’ll need to add a new indicator and then select IP Address. With this done, you can now set up the action as Block and specify devices affected.
URL AND DOMAIN INDICATORS
These indicators are used to block access to malicious domains and phishing sites. After you’ve specified the URL concerned, you can then implement an action blocking all devices within your organization from connecting to that particular URL. Microsoft Defender for DNS is recommended if you want to have DNS-level protection.
FILE HASH INDICATORS
These will enable you to block access to known malicious files based on their hash (MD5, SHA-1, or SHA-256). You can use Advanced Hunting in Microsoft Defender or third-party threat intelligence sources to get the necessary file hashes.
CERTIFICATE INDICATORS
With this fourth type, you can block executables signed by untrusted certificates.
How to Set Up Microsoft Defender for Endpoint Indicators
The process of setting up indicators is not an overly complicated one. You start by navigating to the Microsoft 365 Defender portal where you need to sign in with your administrator account. Following this, you can then begin creating an indicator.
CREATION PROCESS
Head over to Settings > Indicators.
Click on Add Indicator.
Select the type of indicator required.
Provide the necessary information:
Indicator Type: IP Address, URL, File Hash, or Certificate.
Action: Block or Allow
Scope: Specify which devices/groups will be affected by the action to be performed.
Expiration Date: Provide an expiration date for temporary indicators (this is optional).
Description: For documentation purposes, a description will be required.
COMPLETING THE PROCESS
After you’ve completed the creation process, you can click Create to save the indicator. You’ll also have the capability to monitor the indicator’s impact by taking advantage of Reports and Advanced Hunting. Advanced Hunting offers a powerful, query-based tool that helps you track threats and evaluate how effectively the indicators are working. Hunting works best if you use filters to get more specific results, as well as if you save and reuse queries during the monitoring processes.
Using Indicators Effectively
Like most other apps and services, you can’t set up indicators once and forget about them. You need to constantly review them and update them when necessary so your security remains strong.
As already mentioned, some indicators are temporary and so you need to remember to set expiration dates for these so that you avoid cluttering your environment. Not only that, but you should ensure that indicators are targeting the specific devices or groups they are created for.
Furthermore, IT admins should continuously evaluate the information obtained from Advanced Hunting and reports so that they are always aware of whether or not the indicators are performing to expectations. And then to enhance your security posture even more, you can combine indicators with Conditional Access policies for better results.
Wrap up
The staggering figures that we hear being thrown around when discussing cybercrime are almost beyond belief. But, the reports about cybercrime provide a lot of insights that enable organizations to take the necessary steps to improve their security. Leveraging the indicators available in Microsoft Defender for Endpoint goes a long way in securing your network and reducing the risk of attack. If applied correctly and used as recommended, indicators can be some of the best tools in an organization’s cybersecurity arsenal.
Windows Autopilot is a set of technologies that is built to simplify the process of deploying, setting up, and configuring new devices. By using this technology, users can avoid going through the traditional imaging process and save countless productive hours.
However, Autopilot is not without its faults. One of the more common instances of running into problems occurs when using Managed Installer policies with Win32 app deployment during the Autopilot device preparation phase. As an issue that can cause quite a headache, this blog will help you better understand this problem as well as provide you with solutions for addressing it.
Windows Autopilot Explained
Windows Autopilot gives organizations a solution that eliminates the challenges that come with building, maintaining, and generally applying custom images. IT admins can use this service to set up new desktops to join pre-existing configuration groups and apply profiles to the desktops. What this does is give users the opportunity to access fully functional desktops from their first login.
Importance of Managed Installer Policies
Managed Installer policies are useful for dictating which applications can be installed on your organization’s devices. Once enabled, Managed Installer uses a special rule collection in AppLocker to designate binaries. These are trusted by your organization as an authorized source for application installation.
The problem IT admins will run into is that currently Windows Autopilot device preparation doesn’t guarantee the delivery of the Managed Installer policy before trying to install Win32 apps. Because of this, you may end up with deployment failures during the App Installation phase of Autopilot.
INVESTIGATING THE PROBLEM
A regular deployment scenario follows a series of steps that begins with the launch of the Autopilot Device Preparation process. Following this, Win32 apps are then scheduled for installation as part of the device preparation policy.
At this point, the Managed Installer policy won’t yet have been installed. The reason why you may see the Win32 app installations failing is because the policy is set up to block apps from unverified sources.
WHAT TO EXPECT WITH WINDOWS AUTOPILOT
One of the things you can expect to see because of this issue is the Autopilot deployment process stopping at the app installation phase. You will also get error messages showing application deployment failures. Another thing to expect is that deployment reports will show failed Win32 app installations. Lastly, end-users may receive incomplete or improperly configured devices.
How has Microsoft addressed the issue?
Microsoft is fully aware of the issue at hand and has offered some recommendations that provide a temporary solution. IT admins can start by removing Win32 apps from all Autopilot device preparation policies.
Also, devices should be left to complete Autopilot and reach the desktop. Furthermore, Win32 apps and Managed Installer policies need to be applied after the user gets to the desktop.
In October 2024, Microsoft announced service release 2410 that introduced some new changes that will see Win32 and Microsoft Store apps being automatically skipped during device preparation and instead continuing to the desktop. To implement these solutions, you’ll need to follow the steps below:
AUDIT YOUR EXISTING WINDOWS AUTOPILOT DEVICE PREPARATION POLICIES
For this process, organizations need to identify all device preparation policies configured in Intune. You’ll also need to verify any Win32 apps included in these policies. With all this done, make sure to document these apps as well as their purpose.
REMOVE WIN32 APPS FROM DEVICE PREPARATION POLICIES
Navigate to Microsoft Intune and edit your existing device preparation policies. Then, proceed to remove all Win32 apps from these policies. Once these tasks are complete, save and apply the updated policies.
MONITOR DEPLOYMENT STATUS
Use the updated policies to deploy your devices. You can track the progress of this process using the Autopilot Deployment Report. Make sure that you check that devices reach the desktop without app installation failures.
DEPLOY WIN32 APPS POST-ENROLLMENT
Once a device has reached the desktop, you can reassign your Win32 apps to deploy. You’ll need to use Required or Available for enrolled devices deployment settings in Intune. The success of app installation can be monitored using Intune’s reporting tools.
Alternative Options
In addition to the recommendations by Microsoft, there are other options that organizations can consider to address the above-mentioned issue. These include:
PRE-STAGE CRITICAL APPLICATIONS
One thing that organizations can consider doing is pre-staging key apps that are required to be on the device at deployment. This can be done using offline methods such as:
Injecting apps into the Windows image using tools like OSDCloud or Configuration Manager.
App deployment using PowerShell scripts post-Autopilot.
CONDITIONAL ACCESS AND APP PROTECTION POLICIES
If your organization is worried about security, then using Conditional Access policies will help block access to corporate resources until the necessary apps have been installed. An example of this would be enforcing Conditional Access policies to ensure that non-compliant devices are prevented from accessing the organization’s resources.
Optimize Enrollment Status Page (ESP) Configuration
The Enrollment Status Page plays a key role in controlling app deployment during Windows Autopilot. This is done by dividing the deployment into several stages, thus allowing you to prioritize the apps you consider more important.
USER VS DEVICE ASSIGNMENTS
With device-based deployments, there is a greater likelihood of encountering problems with Managed Installer policies. Because of this, it’s worth considering changing your app deployment from device-based to user-based assignments.
PILOT AND TEST NEW CONFIGURATIONS
Before rolling out new deployment configurations to the entire organization, it’s always wise to test them on a small pilot group. Doing it this way gives you the opportunity to identify problems and address them early.
Monitoring and Troubleshooting
The availability of Autopilot Deployment Reports in Microsoft will provide organizations with key information concerning the deployment process. This allows them to evaluate skipped apps, failed deployments, and device readiness status.
Additionally, organizations should also use Intune Diagnostics and Event Viewer to analyze deployment logs. By evaluating these logs, IT admins can pinpoint specific app failures and then determine whether they’re related to the Managed Installer policy.
If all else fails and your deployment issues are still yet to be resolved, you’ll have the option of reaching out to Microsoft Support for any help you need. Alternatively, engaging with the Intune community on X may yield assistance from those who have dealt with the issues you may be confronting.
Wrap Up
Windows Autopilot offers organizations a powerful tool to help simplify the process of deploying and setting up devices. Processes are made simpler and faster, thus helping businesses operate more efficiently. And although there may be issues with Win32 app deployment during device preparation, there are ways to deal with it.
But, in addition to the workaround, we can look forward to Microsoft developing a more permanent solution to this challenge. Updates are sure to be forthcoming and we will be keeping an eye on what Autopilot will bring us next.
New features and updates are paramount to improving the functionality of the various devices and applications that businesses use. This is necessary, especially if companies expect high levels of performance. It’s also essential as the tasks that we deal with grow more complex.
Not only do companies want to maintain performance but they also need tech companies to address any existing issues. As a result, organizations like Microsoft will offer many new features. These updates are for services like Microsoft Intune and Windows 365.
Because of the updates, released in 2024, overall user experiences will greatly improve. Let’s discuss the recent additions and explore how they might help elevate, simplify, and improve your business operations.
Improvements to Microsoft Intune
2024 has been a year with a lot of innovation from Microsoft across its various products and services. Plenty of this effort prioritizes Microsoft Intune improvements, bringing us features such as:
New capabilities for Windows Autopilot
Windows Autopilot is a service that makes the device deployment process faster and less complex. Companies benefit immensely from Autopilot’s ability to do away with the labor-intensive process previously necessary to provision new devices. And, Microsoft has additional service improvements to share.
Earlier this year, an announcement introduced an exciting new release – device preparation. This brilliant new innovation will enable the accommodation of more devices and delivery of more efficient results. Moreover, it will allow for the provisioning of cloud instances such as Windows 365.
Still, Microsoft assures customers that the original Windows Autopilot architecture remains in place, so you still have access to all the existing features. IT admins can now add devices to groups faster and more simply thanks to enrollment time grouping, which is used instead of dynamic group membership and gets apps, policies and scripts assigned to devices with less delay.
NEW SECURITY BASELINE
A key reason for updating devices and applications is to strengthen security and address vulnerabilities. Companies want to make sure that their security measures can stay ahead of the methods being employed by cybercriminals.
Hence the introduction of an update to the Microsoft Defender for Endpoint security baseline. These one-click collections of policies can be applied to devices (and device groups) in Intune. They also provide you with a way to configure all your organization’s devices with the same security policies.
Setting up your security measures this way makes it easier to maintain the same security level across the entire enterprise. This update offers a much better way of implementing the configuration recommendations made by the Microsoft Defender for Endpoint team. Furthermore, because it's based on the Windows unified settings platform, you also get:
Quicker turnaround for updates.
Improved reporting, including per-setting status reports.
Assignment filter support.
Improved UI.
Consistent names across Intune.
Platform single sign-on (SSO) has arrived for macOS device enrollment
Signing in to multiple applications and websites using different credentials can be a tedious task. It can also be difficult for many people to keep up with all their sign-in information and passwords. This is why Platform Single Sign On (SSO) is a wonderful solution for streamlining the authentication process.
Because the local account credentials are kept in sync with the user's identity provider, a user only needs to sign in once. Platform SSO can help your company improve its security posture and enhance productivity.
Owing to the integration of Platform SSO with Apple's Secure Enclave, your organization can enable phishing-resistant, hardware-bound, passwordless authentication on Mac through Intune. In addition to better security, end-users get a simpler and faster out-of-the-box experience, because all they need to set up their devices is their Entra ID credentials.
End-users also get to work more efficiently. This SSO experience, unique to Intune, enables them to sign in to their Outlook, Teams, and other Microsoft 365 apps simultaneously.
Installation of macOS apps on demand via Intune
Microsoft has done plenty of work to develop systems that can provide more capable Mac management. Intune has made providing IT admins and end-users a better, more efficient platform one of its key objectives. And one of the main reasons they’ve been able to achieve that is by leveraging feedback from customers.
Of note among the latest developments, are options that admins can provide to users for downloading unmanaged applications. These specifically apply in PKG and DMG format via the Intune Company Portal app.
Furthermore, to reduce reliance on the line-of-business app workflow or third-party tools for deploying optional applications, Intune added the "available" assignment type alongside the familiar "required" type. As one of the most requested features among Mac administrators, this should be well received, since it saves time for both end-users and admins.
Expanded support for Microsoft Managed Home Screen
Microsoft Managed Home Screen (MHS) is an enterprise launcher application that enables IT admins to customize their devices and restrict the capabilities that a user can access. If you configure in multi-kiosk mode in Intune, MHS launches automatically as the default home screen on the device. This customizable launcher serves as a key tool for IT admins to better manage devices. It also ensures that users are performing at the expected levels.
As organizations give users increasingly powerful devices, they need to make sure business operations improve accordingly. The availability of Managed Home Screen is expanding from user-less kiosks and shared devices to corporate-owned, fully managed devices associated with a specific user. As a result, its capabilities will extend to a wider range of use cases and applications.
BitLocker RECOVERY KEY
A BitLocker recovery key lets you unlock the drive of an Intune-enrolled PC when BitLocker falls into recovery mode, which happens after a change the TPM does not recognize (a firmware update, a hardware swap, a modified boot configuration) rather than when a user forgets a sign-in password. The key is only available for self-service if the device escrowed it to Microsoft Entra ID, and it has so far been surfaced to the user in the Intune Company Portal app.
Without this key, users would typically need to contact the help desk for assistance. It's easy to see why self-service is better: it gives users faster support while lightening the load on IT.
This update extends that self-service to the Company Portal website, so end-users can retrieve their BitLocker recovery key directly from the web as well. Note that self-service retrieval also depends on the Entra ID device setting that restricts non-admin users from recovering BitLocker keys being left off. With that in place, your organization can expect a more intuitive and streamlined path to recovery.
This should also help improve productivity because end-users won’t need to wait for the delays that sometimes occur while waiting for IT support to assist them. And with IT having this task taken care of for them, they will have more time to dedicate to more productive endeavors.
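Self-service only works for keys that were actually escrowed. The following script is an added example, not code from the original post: run in SYSTEM context on an Entra-joined device (for instance as an Intune platform script), it walks every BitLocker-protected volume, adds a recovery password protector where one is missing, and backs each recovery password up to Entra ID with the built-in BitLocker module. The function name and the summary object are my own; the cmdlets are the standard ones.

```powershell
# Added example (not from the original post): escrow BitLocker recovery passwords to Microsoft Entra ID
# so that the key a user looks up in the Company Portal actually exists. Run as SYSTEM on an
# Entra-joined device, e.g. as an Intune platform script. Uses only the built-in BitLocker module.
$ErrorActionPreference = 'Stop'

function Sync-BitLockerRecoveryToEntra {
    [CmdletBinding()]
    param()

    $results = foreach ($vol in Get-BitLockerVolume) {
        # Nothing to escrow for volumes that are not protected.
        if ($vol.ProtectionStatus -ne 'On') {
            [pscustomobject]@{ MountPoint = $vol.MountPoint; Action = 'Skipped (protection off)'; ProtectorId = $null }
            continue
        }

        # Entra ID stores recovery *password* protectors; add one if the volume has none.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            $updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $rp = @($updated.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }

        # Escrow each recovery password; the backup call is idempotent, so re-running is safe.
        foreach ($p in $rp) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
                [pscustomobject]@{ MountPoint = $vol.MountPoint; Action = 'Escrowed'; ProtectorId = $p.KeyProtectorId }
            } catch {
                [pscustomobject]@{ MountPoint = $vol.MountPoint; Action = "Failed: $($_.Exception.Message)"; ProtectorId = $p.KeyProtectorId }
            }
        }
    }
    return $results
}

Sync-BitLockerRecoveryToEntra | Format-Table -AutoSize
```

To confirm the escrow happened, check the Microsoft-Windows-BitLocker/BitLocker Management event log on the device: event ID 845 records a successful backup of recovery information to Entra ID and 846 a failure. A "Failed" row from the script on an Entra-joined device usually means the device is not actually joined or registered, or the script ran as a standard user instead of SYSTEM.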
CORPORATE IDENTIFIERS
This feature aims to verify that corporate devices are labeled as corporate-owned as soon as they enroll. It does so by adding their corporate identifiers ahead of time in the Microsoft Intune admin center.
For businesses, corporate device management provides you with more capabilities than that for personal devices. This new change will help organizations restrict the application of the corporate-owned devices label only to authorized devices.
Adding corporate identifiers to Intune requires you to upload a CSV file of identifiers in the admin center or to enter each identifier separately. You don't need to add corporate identifiers for every deployment, though: during enrollment, Intune automatically assigns corporate-owned status to devices enrolled through:
Device enrollment manager account (all platforms)
An Apple device enrollment program such as Apple School Manager, Apple Business Manager, or Apple Configurator (iOS/iPadOS only)
Windows Autopilot
Co-management (Configuration Manager with Intune) or automatic MDM enrollment via group policy (GPO)
Azure Virtual Desktop
Automatic mobile device management (MDM) enrollment via provisioning package
Knox Mobile Enrollment
Android Enterprise management:
Corporate-owned devices with work profile.
Fully managed devices.
Dedicated devices.
Android Open Source Project (AOSP) management:
Corporate-owned user-associated devices
Corporate-owned userless devices
Google Zero Touch
Windows 365 Cloud PC security baseline updates
From the new, additional features and updates to Microsoft Intune, it’s clear to see that increasing efficiency matters. Strengthening security is also of utmost importance. And the same applies here.
Configuring security settings can be a complex, time-consuming task that few enjoy, especially if you're new to it. Security baselines, the policy templates Intune deploys to establish the settings Microsoft's security teams recommend, are central to Intune's security strategy.
To ensure that you get the most from these measures, Intune has set it up such that these baselines can be tailored to your unique needs. Additionally, this particular update requires you to manually update your customizations, if any, from the previous baseline. This baseline, which comes highly recommended, will also give you:
Faster deployment of baseline version updates
Improved user interface and reporting experience (such as per-setting status reports)
More consistent naming across the Intune portal
Elimination of setting “tattooing”
Ability to use assignment filters for profiles
New updates and features for Windows 365
Similar to Microsoft Intune, Windows 365 has also introduced several updates to the Cloud PC service. Some of these include:
ADDITIONS TO DEVICE MANAGEMENT CAPABILITIES
Update
What it offers
Windows 11 Cloud PCs now support EN-NZ
As of September 2024, Windows 11 Cloud PCs now support EN-NZ.
Support for symmetric NAT with RDP Shortpath
The goal is to let RDP Shortpath in Windows 365 establish an indirect UDP connection through a relay, using Traversal Using Relays around NAT (TURN), when the client sits behind a symmetric NAT and a direct UDP path cannot be negotiated. TURN is the standard relay mechanism for this case; it keeps the session on the low-latency UDP transport instead of falling back to the TCP-based reverse connect transport.
Uni-directional clipboard support is now generally available
With service release 2407 in July 2024, came the release of uni-directional clipboard support into general availability.
Closing port 3389 by default for newly provisioned and reprovisioned Cloud PCs
Going forward, expect to find the inbound port 3389 closed by default. This update has come about as a means to further safeguard your Windows 365 environment.
Chroma subsampling default change to 4:2:0
This change was made to reduce monitor support issues. The Windows 365 service now defaults to 4:2:0 chroma subsampling instead of the previous 4:4:4.
Windows 365 Boot and Windows 365 Switch now support battery status redirection
In a move that should be welcomed by users, Windows 365 Boot and Windows 365 Switch now support battery status redirection, so you can view your local PC's battery status from within a Cloud PC.
Upgrade Windows 365 licenses in Microsoft admin center
All clients with Modern Microsoft Cloud Agreements can now upgrade their existing Windows 365 licenses in the Microsoft Admin Center.
New Windows 365 Cloud PC images available in the gallery
As of May 2024, new Cloud PC gallery images are available for Windows 10 and Windows 11. These images have optimizations harmonized with the Windows 365 apps images for better policy management: Windows 10 Enterprise Cloud PC (21H2, 22H2) and Windows 11 Enterprise Cloud PC (21H2, 22H2, 23H2).
Manage redirections for Cloud PCs on iOS/iPadOS devices
The Intune admin center can now be used to handle redirections for iOS/iPadOS users who access their Cloud PCs using Microsoft Remote Desktop and Windows App.
DEVICE SECURITY UPDATES
Update
What it offers
Session lock experience configuration for single sign-on
This new update offers clients the ability to configure the remote session lock experience when single sign-on (SSO) is enabled between the default disconnect behavior and showing the remote lock screen. Enabling SSO allows you to use passwordless authentication and third-party Identity Providers that federate with Microsoft Entra ID to sign in to your Cloud PC. This tool offers an SSO experience when authenticating to the Cloud PC and inside the session when accessing Microsoft Entra ID-based apps and websites.
Windows 365 support for Microsoft Purview Customer Key
Windows 365 clients are also being given a feature that supports the encryption of Cloud PCs by setting up Microsoft Purview Customer Key.
Customer Lockbox
Service release 2407 adds Windows 365 Government support for Microsoft Purview Customer Lockbox. Customer Lockbox prevents Microsoft engineers from accessing your content without your explicit approval: you become part of the approval workflow Microsoft uses, so access to your content is limited to requests you have authorized.
Single sign-on Windows 365 clients authentication change
Single sign-on for Windows 365 is switching to the use of the Windows Cloud Login Entra ID cloud app for Windows authentication. This change will begin with the Windows and Web clients.
FQDNs removed from requirement list
Several of the required FQDNs were previously consolidated under the *.infra.windows365.microsoft.com wildcard FQDN, which reduces the initial configuration requirements and how often the connectivity requirements change. As of May 2024, the old FQDNs have been removed from the requirement list.
Microsoft Purview Data Loss Prevention
In March 2024 (service release 2403), it was announced that Microsoft Purview Data Loss Prevention (DLP) will now support Windows 365 Enterprise. Getting access to DLP means that you can now monitor the actions that are being taken on items you’ve determined to be sensitive. Moreover, this also helps you block unintentional sharing of these items. As soon as you onboard devices into the Microsoft Purview solutions, data concerning what users are doing with sensitive items becomes available in activity explorer.
Windows 365 Boot shared mode supports FIDO
This change can help your business strengthen the security of your Windows 365 environment. Because Windows 365 Boot shared mode now supports FIDO, enterprises can leverage hardened authentication measures that minimize the risk of successful attacks.
MONITOR AND TROUBLESHOOT
Update
What it offers
New Intune report and device action for Windows enrollment attestation (public preview)
The device status attestation report gives you information about devices that have either Completed, Failed,or Not started enrollment attestation. With the new device attestation status report in Microsoft Intune, you can find out if a device has attested and enrolled securely while being hardware-backed.
Cloud PC utilization report for Windows 365 Government
The Cloud PC utilization report offers you a useful tool for monitoring and optimizing Cloud PC usage in your organization. You can glean from it information such as how much time users are spending on their Cloud PCs or when they last connected. As of June 2024, support for this feature is now available to Windows 365 Government.
Cloud PC size recommendations report
This Cloud PC recommendations report is now out of preview and generally available. The report is an AI-powered feature that enables administrators to determine the correct size for Cloud PCs. By assessing data such as end-user Cloud PC usage patterns, platform level resource utilization data, and performance needs, you can work out the best Cloud PC configuration for your users.
Cloud PCs that aren’t available report
Generally available as of May 2024 (service release 2404). This report helps admins identify Cloud PCs that may currently be unavailable. The data is 5 to 15 minutes old, so you may find Cloud PCs in the report that have already recovered.
Improvements to Cloud PC connection quality report
Several upgrades to the Cloud PC connection quality report became generally available in March. The improvements include:
A more comprehensive view of the overall performance of your Cloud PCs.
A more detailed view of devices in a state of poor performance due to high round trip times.
Tenant-level visibility of the most recent/current Round Trip Time, Bandwidth, Connection Time and UDP Utilization.
Connection-specific detail on client IP and the associated Cloud PC gateway.
Filters for all columns.
Alerts for Windows 365 Frontline maximum concurrent Cloud PCs
Windows 365 administrators will be getting even more information to help them better manage their Cloud PC environments. With this update, admins receive alerts notifying them when the maximum concurrent Cloud PCs are active for Windows 365 Frontline subscriptions.
Device action data kept for 90 days
You get to view actions performed within the last 90 days. To access this information, navigate to the Overview page for individual Cloud PCs.
UPDATES TO WINDOWS 365 BOOT
Update
What it offers
Shared and dedicated Windows 365 Boot device
Using Windows 365 Boot, admins can configure Windows 11 physical devices so that users skip signing in to the physical device and sign in directly to their Windows 365 Cloud PC from it. Adding flexibility, Windows 365 Boot now supports both dedicated and shared PC scenarios.
Windows 365 Boot sign-in page customization
Another update for Windows 365 Boot is the availability of sign-in page customization. Previously in preview, this feature became generally available in February.
Windows 365 Boot fail fast notifications
Adding to the previous new updates is fail fast notifications. Beginning in February as well, Windows 365 Boot detection and notification of network or application setup issues transitioned to general availability.
Management of local PC settings
The last update for February allowed for changes regarding the management of local PC settings. Going forward, users will be able to manage local PC settings through their Windows 365 Boot Cloud PC.
Wrap up
Ensuring that your IT environment is operating at peak efficiency is a goal that every company should have. Optimizing the functions of applications and devices is integral to maintaining elevated productivity levels. This is why one cannot overstate the importance of the new features and updates. It’s why we regularly see them from Microsoft Intune and Windows 365.
Not only do they keep your business running smoothly. They constantly address any issues that may arise. As a business, your needs change as the operating environment evolves. Therefore, there is a need for services like Intune and the Cloud PC that can keep up with those changes.
As 2024 is drawing to a close, we can start to look back at the features that have been added to Microsoft Intune and Windows 365. These upgrades have enhanced the user experience, strengthened security measures, and enabled users to operate more efficiently.
As such, it will be exciting to look at what Microsoft could potentially add to these platforms in 2025. Businesses will be interested in seeing what Microsoft has on the horizon. They will also be eager to see what will improve these platforms even further while simultaneously addressing some common concerns they may have.
With this in mind, in this article, we’ll be going over the information Microsoft has released concerning features scheduled to be released in 2025.
What does 2025 hold for Intune?
Microsoft Intune: Managed device attestation for iOS/iPadOS and macOS device enrollment and ADE
Given the threat landscape organizations constantly deal with, it's easy to see the need for continually improving security measures, which is why bringing ACME and managed device attestation support for eligible Apple devices to general availability is a good move on Intune's part. It gives you stronger assurance that an enrolling device is the genuine Apple hardware it claims to be, rather than something merely presenting the right identifiers.
The update covers device enrollment and Automated Device Enrollment (ADE), including enrollments through Apple Configurator 2 (AC2). Admins should note that it applies to new enrollments with device enrollment (BYOD) and new enrollments via ADE or the Apple Configurator tool; existing enrollments are not retroactively attested. The rollout is expected to begin in April 2025.
Microsoft Intune: Windows enrollment attestation
Staying with the same theme of enhancing security measures, businesses will also be getting this feature beginning in March 2025. You can expect to have physical devices attested at enrollment and enrollment credentials storage in the hardware of the device.
This can provide administrators with an extra bit of convenience. It will allow them to view device attestations in the new Device attestation status report. Additionally, they can force attestation from that report when necessary.
Microsoft Intune: Enhanced device inventory for Windows devices
Few things can increase work efficiency the way that easily having access to all the information you need when you need it can. This is what businesses will be getting when this service is rolled out in February 2025 enabling them to obtain more inventory information about their Windows devices. You get to specify which device properties you need to collect as well as from which devices. With this, you can view that information for your devices.
Microsoft Intune: Hardware-backed attestation – enhanced for Windows 11
This feature, arriving in January 2025, improves the Windows compliance policy by adding five additional hardware attestation settings specific to Windows 11 that check advanced platform security features. These include firmware protection, virtualization-based security, Memory Integrity and access protection, and Early Launch Antimalware protection.
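Before enabling these settings in a compliance policy, it helps to know which devices will fail them. The script below is an added example, not code from the original post: it reads the same hardware features from the device itself, using only built-in cmdlets and the documented Win32_DeviceGuard class. Mapping "firmware protection" to System Guard Secure Launch and the function name are my assumptions; the property and status codes are the documented ones. Run it elevated.

```powershell
# Added example (not from the original post): local read-out of the hardware-backed security features that
# the Windows 11 attestation compliance settings evaluate. Run elevated. The mapping of "firmware protection"
# to System Guard Secure Launch is this example's assumption, not something the post states.
function Get-HardwareSecurityPosture {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # TPM spec version (e.g. "2.0, 0, 1.59") from the Win32_Tpm class.
    $tpmSpec = $null
    if ($tpm -and $tpm.TpmPresent) {
        $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    }

    # Win32_DeviceGuard reports VBS state and which VBS-protected services are actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)   # 1 = Credential Guard, 2 = HVCI (Memory Integrity), 3 = System Guard Secure Launch

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        TpmPresentAndReady  = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        TpmSpecVersion      = $tpmSpec
        SecureBootEnabled   = $secureBoot
        VbsRunning          = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 = off, 1 = enabled but not running, 2 = running
        MemoryIntegrity     = ($running -contains 2)
        CredentialGuard     = ($running -contains 1)
        SystemGuardLaunch   = ($running -contains 3)
    }
}

$posture = Get-HardwareSecurityPosture
$posture | Format-List

# Every $false here is a setting the device would fail once the matching attestation check is required.
$gaps = $posture.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning "Hardware security gaps on $($posture.ComputerName): $($gaps -join ', ')" }
```

Running this as an Intune detection script across a pilot group gives you the failure rate per feature before the compliance policy starts marking devices non-compliant, which is far less disruptive than discovering it through blocked Conditional Access sign-ins. Note that a device can report Memory Integrity as running locally and still fail attestation if the measurements reported by the TPM do not match; the local read-out is a pre-check, not a substitute for the attestation report itself.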
Microsoft Intune: macOS Platform SSO Support
Intune is constantly looking for ways to enhance the user experience for customers that use the macOS platform. To this end, features like this one in particular will give you better security and increase convenience. With the release planned for January 2025, customers should soon be able to log in on a managed Mac using their Entra ID password.
Microsoft Intune: Multiple managed accounts
Adding to the convenience that the upcoming Intune features will bring is this feature. As of January 2025, Microsoft plans on enabling users to use a single device with multiple company accounts to access company information through specific managed applications.
Microsoft Intune: Enrollment time grouping for Android Enterprise Corporate devices
Enrollment time grouping (ETG) for Android Enterprise Corporate devices is a feature that will help targeted apps and policies reach devices faster thus minimizing delays common with device setup. The rollout is slated for January 2025.
AI to boost the capabilities of the Cloud PC
Businesses cannot deny the immense potential that AI can offer them. This technology has vast applications that can positively impact business operations at just about every level. It’s therefore no surprise that Windows 365 is working on taking advantage of AI to improve the user experience for Cloud PC users. Already, Windows 365 can use AI to provide you with Cloud PC resizing recommendations that can help minimize costs and increase efficiency.
Windows 365 does this and more by leveraging AI to evaluate Cloud PC deployment and utilization. With this information in hand, companies can better plan their Cloud PC environments thus maximizing the value of their investment. These tailored, AI-powered insights will help you avoid several issues including:
Complex purchase discussions – when you lack specific information, your organization could spend vast amounts of time bogged down in discussions with vendors trying to figure out what’s most suitable for your needs.
Low productivity levels – if your environment operates with incorrect configurations, employees cannot perform at optimum levels and their output will be lower than it should be.
Fluctuations in usage and license churn – any discrepancies between your purchased licenses and actual use may cause irregular usage patterns which in turn negatively impacts cost management.
Wrap up
The various development teams at Microsoft appreciate the need to keep expanding the capabilities of the products and services they offer. As the modern work environment evolves, so too should the tools available to us. Companies need technologies that empower their employees, strengthen their security, and inspire business innovation.
Fortunately, the new features and capabilities that Microsoft Intune and Windows 365 are working on promise to deliver. Customers can plan excitedly for the future knowing that their platforms of choice will keep them ahead of the curve.
When it comes to which tech products and services to use, businesses certainly have plenty of choices. There are so many players in the tech landscape that winning over new clients is often a huge challenge. With this in mind, tech companies need to go above and beyond to retain the customers they already have. For Microsoft, this means ensuring its Windows 365 and Intune offerings continuously update and offer new features.
Doing this helps these services continue to deliver the exceptional quality that customers expect. But more importantly, these services want to enhance the experience even more so that they remain the best in class. With that said, what can we expect from these products in the near future?
What’s coming to Microsoft Intune?
Intune is one of the leading endpoint management platforms available. It is constantly pushing the boundaries of what it can offer to customers. Especially now, with the growing interest in hybrid and remote workforces.
Microsoft Intune is helping companies better manage access to organizational resources. It’s also simplifying app and device management across various devices. With this in mind, new features are consistently in development to improve management. And some of those upcoming features to be excited about include:
Microsoft Intune: On-Demand remediations – single device
We should expect the rollout for this one to begin in December 2024. Remediations are excellent tools that help you address problems a lot faster. These script packages will detect and resolve common support issues on a user’s device. And they’ll do so before they even realize there’s a problem. By running remediations on-demand on a single device, you can immediately start resolving issues. Find resolution without waiting for the predetermined remediation schedule.
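Remediations are script pairs: a detection script whose exit code (0 compliant, 1 not) decides whether the remediation script runs. The following is an added example, not code from the original post, that applies the pattern to the host-side counterpart of the port 3389 change discussed earlier: it detects enabled inbound Windows Firewall allow rules for TCP 3389 and disables them. The port, the rule selection and the function names are my assumptions. In Intune you upload the detection and remediation halves as two separate scripts; the -Remediate switch here exists only so this single file runs stand-alone.

```powershell
# Added example (not from the original post): an Intune remediation pair that detects and disables enabled
# inbound Windows Firewall allow rules for TCP 3389. Run as SYSTEM. In production, split the detection and
# remediation branches into two script files; the switch is only here so the file runs on its own.
param([switch]$Remediate)

function Get-Rdp3389AllowRules {
    # Only enabled, inbound, allow rules whose port filter names 3389 explicitly. Port ranges and "Any"
    # are deliberately left alone so the remediation never touches unrelated rules.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '3389')
        }
}

function Test-Rdp3389Closed {
    # $true when no enabled inbound allow rule for TCP 3389 exists.
    return (@(Get-Rdp3389AllowRules).Count -eq 0)
}

if ($Remediate) {
    # ---- remediation script ----
    $rules = @(Get-Rdp3389AllowRules)
    $rules | Disable-NetFirewallRule
    # Re-check so the remediation reports its own outcome; Intune records this exit code as well.
    if (Test-Rdp3389Closed) { Write-Output "Disabled $($rules.Count) rule(s)"; exit 0 }
    Write-Output 'Rules still present after remediation'
    exit 1
}

# ---- detection script ----
if (Test-Rdp3389Closed) {
    Write-Output 'No enabled inbound allow rule for TCP 3389'
    exit 0   # compliant: Intune skips the remediation script
}
$names = @(Get-Rdp3389AllowRules | ForEach-Object DisplayName) -join '; '
Write-Output "Open 3389 rules: $names"
exit 1       # non-compliant: Intune runs the remediation script
```

The stdout text is what the Intune console shows as the pre- and post-remediation output, so keep it to one informative line. The firewall rule is defense in depth: Microsoft's change closes 3389 at the Cloud PC's network edge, and Cloud PC sessions arrive through the Windows 365 agent's outbound connection rather than as inbound 3389 traffic, so disabling the local rule does not interrupt them. Test on a pilot group before assigning broadly, as physical PCs that legitimately accept inbound RDP from a management network will be flagged too.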
Microsoft Intune: Enrollment time grouping for iOS/iPadOS automated device enrollment
Enrollment time grouping (ETG) for iOS/iPadOS automated device enrollment (ADE) is another feature. It will support targeted apps and policies in reaching devices faster. This helps minimize delays, common with device setup.
However, it’s only going to be part of the new iOS/iPadOS enrollment policies. For devices to be part of that group upon enrollment, admins need to add a static Entra ID group into the enrollment policy. This will also reduce the latency of targeted apps and policies. The rollout is on the schedule for October 2024.
Microsoft Intune: Scoped and targeted device clean-up rule
The preview will be available in November 2024, with the rollout starting the following month. With this rollout, admins will be able to clean up inactive devices from their tenant by providing capabilities of running these rules at a platform level. I’m sure we can all attest to the need for a clean environment.
Microsoft Intune: Security Baselines for HoloLens 2
To get the best level of security for your organizational resources, it is advisable to use the security baselines that Microsoft considers the best practice guidelines. This should enhance your security and improve the experience in deploying and supporting HoloLens 2 devices to customers in various industries. The rollout will be coming in October 2024.
Microsoft Intune: SCEP certificate delivery
With the rollout scheduled to begin in October 2024, Microsoft Intune is offering this solution to its customers as well as external partners. The feature delivers SCEP certificates that meet all the necessary security requirements to devices, to mitigate the KDC (Kerberos Key Distribution Center) certificate-mapping issue.
Microsoft Intune: Enhanced device inventory for Windows devices
Few things can increase work efficiency the way that easily having access to all the information you need when you need it can. This is what businesses will get when this service rolls out in October 2024. And it will enable them to obtain more inventory information about their Windows devices. You get to specify which device properties you need to collect as well as from which devices. With this done, you can view that information for your devices.
Microsoft Intune: Simplified App Control policy creation experience (curated workflow)
In keeping in line with the need to increase efficiency, this solution’s upcoming October 2024 update rollout will do a lot to make life easier for IT admins. This capability will help you configure App Control policies with built-in toggles in the console that expose all App Control for Business capabilities.
Microsoft Intune: Work-hour access controls for Front-Line Workers
This solution can contribute significantly to simplifying workforce management as well as enhancing your overall security posture. Coming in October 2024, this feature will help IT admins with work-hour access controls for front-line workers. Once workers have clocked out, admins can swiftly put in place measures to prevent Teams access or notifications.
Microsoft Intune: Endpoint Privilege Management on single session Azure Virtual Desktop
Anything that can simplify user management will be a welcome addition to the tools that IT admins already have. With this in mind, admins will be happy, as it enables them to use Privilege Management elevation rules and policies to simplify how they manage standard users on Azure Virtual Desktop. The rollout for this one is on the schedule for September 2024.
Microsoft Intune: Endpoint Privilege Management rules support specifying allowable command arguments
Similar to the previous solution, this one is also coming to market in September 2024. This will give admins Endpoint Privilege Management rules support that can specify a list of allowable command parameters. Consequently, this will restrict elevation to only the allowed or mandatory arguments.
Microsoft Intune: New design for Windows Company Portal app
This new and updated design should give users a platform that is easier to use and streamline workflow. You should expect to see changes in the Home, Devices, and Downloads & updates pages. These intend to enhance the overall user experience. Additionally, this updated design will be very simple to understand and thus use. It will clearly highlight any areas that require action from the user.
Windows 365 features in development
For Windows 365, Microsoft has provided us with information about the exciting new features that are currently in development but not yet released. These should help improve the security posture of organizations and enhance the end-user experience. We haven’t found any release dates as of yet. It would be useful for planning purposes to look at what we could soon see coming to our Cloud PCs.
DEVICE MANAGEMENT
Features
What to expect
Support for symmetric NAT with RDP Shortpath
The goal is to let RDP Shortpath in Windows 365 establish an indirect UDP connection through a relay, using Traversal Using Relays around NAT (TURN), for clients behind a symmetric NAT where no direct UDP path can be negotiated. TURN is the standard relay mechanism for this situation and keeps the session on the low-latency UDP transport rather than falling back to TCP.
Chroma subsampling default change to 4:2:0
Both Intune and Windows 365 want to help enterprises operate more efficiently. And in this case, that can be achieved by reducing monitor support issues. The Windows 365 service will be able to do so by defaulting the chroma subsampling at 4:2:0 (instead of the previous 4:4:4).
Cloud PC gallery images update to Microsoft Teams 2.1
Another feature we should expect is Windows 365 Cloud PC gallery images with Microsoft 365 applications updated to use Microsoft Teams 2.1. These images include Windows 11 Enterprise + Microsoft 365 Apps 21H2, Windows 10 Enterprise + Microsoft 365 Apps 22H2, and Windows 10 Enterprise + Microsoft 365 Apps 21H2.
Windows 365 support for HEVC video coding
Windows 365 is also working on providing support for Hardware High Efficiency Video Coding (HEVC) h.265 4:2:0 on compatible GPU-enabled Cloud PCs.
Azure network connections inactive state
In the future, some Azure network connections will start getting marked as inactive under some conditions. These conditions are as follows: ANCs not associated with provisioning policies for more than four weeks, ANCs with provisioning policies that have no Cloud PCs associated with them for more than four weeks. IT administrators need to be aware that inactive ANCs will be skipped during health checks and cannot be assigned to provisioning policies. However, if need be, you can reactivate these ANCs.
DEVICE SECURITY
Cloud PC support for FIDO devices and passkeys on macOS and iOS
Many consider Fast Identity Online (FIDO) to be the future of authentication measures. These protocols allow you to swiftly and securely authenticate to various services without the need for a password. Because of the ease of deployment, convenience, and extremely high security, it’s no surprise that FIDO is now widely supported and used. Therefore, macOS and iOS users will be glad to know that Windows 365 is working on enabling Cloud PCs to support FIDO devices and passkeys for Microsoft Entra ID sign-in on their devices.
MONITOR AND TROUBLESHOOT
End user manual connectivity check
I’m sure we’ve all experienced the frustrations that always come with faulty connections. All one wants in that instance is to quickly figure out what’s wrong and resolve it. Currently, connectivity health checks are run on individual Cloud PCs, but in the future, end-users will have the tools to manually run connectivity checks on their Cloud PCs from windows365.microsoft.com.
Update to Cloud PC action status report
The Cloud PC action status report allows you to view the actions that admins have taken and the Cloud PCs on which these actions have been taken. In addition, you get to see the status of these actions. To access this report, sign in to the Microsoft Intune admin center and select Devices > Monitor > Cloud PC actions (preview). With the update that is soon to come to the Cloud PC action status report, you will be able to view the batches of devices on which actions have been triggered. Furthermore, customers will be able to see the current progress of each batch.
PROVISIONING
New health check: UDP TURN (preview)
The Azure network connection (ANC) health checks are one of the more unique features that Windows 365 provides. These health checks, which are run regularly, help to ensure that the provisioning of Cloud PCs is successful in addition to verifying that end-users are getting the best possible Cloud PC experience. The update that Windows 365 has mentioned will see a new UDP TURN health check being added to the Azure network connection health checks.
SECURITY
New settings for Windows 365 security baselines
In the near future, customers should expect to receive new configuration settings for the Windows 365 security baseline. These Windows 365 security baselines provide customers with a set of policy templates that are founded on security best practices and experience from real-life situations. By using these baselines, customers can obtain security recommendations that will improve their cyber security and reduce the risks facing their networks. With these security baselines, security configurations for Windows 11, Windows 10, Microsoft Edge, and Microsoft Defender for Endpoint will be enabled. Before fully implementing any configuration changes, however, it’s always safer to first test the security baseline on a pilot group of Cloud PCs.
Wrap up
Getting updates and new features is always an important part of keeping our apps and devices performing at optimum levels. Technology is constantly evolving. And without regular updates, the user experience can suffer negative impacts within a short space of time. Devices can slow down, apps can develop issues that hinder productivity, and security can become compromised.
This is why Microsoft works hard to stay ahead of the issues with a stream of new features and services frequently released to Microsoft Intune and Windows 365. These upgrades guarantee end-users that they will continue to receive industry-leading quality of service, enabling their user experience to improve even further.
As technology continues to evolve, businesses like yours are constantly looking for solutions that can give them that little bit extra. What may appear to be small innovations will eventually add up to give you significant advantages over other organizations.
One area where businesses stand to gain massively concerns cloud-based management solutions. The potential benefits of using solutions like Microsoft Intune include getting access to excellent features, enhanced security, and improved endpoint management among others.
IT admins will get to work better because they have the flexibility to oversee users and their various devices, even if they are personally owned. Considering all there is to gain, we need to take a look at why and how your organization should be migrating to the cloud.
Why Microsoft Intune?
If your organization has a well-run IT infrastructure, why should you even consider Microsoft Intune? What do you stand to gain? The most obvious answer would be that if your organization wants the best in endpoint management, then you would be hard-pressed to find a better solution than Intune.
Over time, Intune has firmly established itself as a leading device management solution that will offer you seamless application integration for all your various devices. It gives your IT admins the capability to ensure that all the devices and apps that employees are using are fully compliant with your organization’s security requirements.
Mobile devices have evolved to the point where they are now very much capable of performing most and in some cases all of the functions needed to do our jobs. This has inevitably created the need for the mobile device management features that Intune can offer. IT admins can monitor these devices and thus enforce organizational security policies.
This gives businesses the flexibility to empower their employees to use their respective mobile devices for work-related purposes without compromising the security of their networks. Such policies can potentially increase productivity by enabling employees to use the devices of their choice as well as work remotely.
It would be hard to advocate for Microsoft Intune without mentioning the issue of cost-effectiveness. We can go on and on about all the benefits that Intune can offer, but cost can ultimately decide for you.
Fortunately, choosing Intune is a decision that could help you reduce IT costs. Switching to a cloud-native management system will mean your business spends less on physical hardware as well as on-premises IT management systems.
This reduction in physical infrastructure will allow your organization to reallocate resources elsewhere and therefore operate with even greater efficiency.
Preparing for the future
Considering the changes we have witnessed in the tech landscape in just the last fifteen years alone, we should always be looking to future innovations. Organizations need to be in a position to take full advantage as each next big innovation rolls out.
To do that, going cloud-native would offer you the best approach. By fully transitioning to the cloud, you can put your organization in a position to fully benefit from better insights, AI analytics, as well as the multitude of other capabilities that AI can deliver.
Furthermore, using a cloud-native approach can help you centralize data which in turn will make it easier for AI to manage this data and produce actionable insights. This may help organizations enhance their security by getting a better grasp of potential future threats.
Considering new possibilities
Getting someone to change the way they do things can often be an incredibly difficult challenge. And this applies to both personal and professional life. Regardless of the benefits to gain from migrating to the cloud, it may be difficult to inspire change. If an IT team has put in the effort to create a well-designed and efficient IT infrastructure, it’s going to be hard to convince them to consider alternative solutions.
At this point, businesses will need evangelists who can truly highlight the beauty of the changing tech landscape and encourage their IT teams to expand their vision.
It’s going to take more than a simple presentation to convince people that they are potentially missing out on some significant innovations. Rather than simply forcing change on people, proving to them how they stand to benefit from the changes a solution like Microsoft Intune can bring, may work a lot better.
As individuals grow more familiar with the amazing endpoint management capabilities that Intune can offer, you may start to see a greater willingness to change their mindset.
Of great importance, however, is to exercise patience and not expect to see an immediate change in how people approach things. Let them experience for themselves the value that going cloud-native will give them.
Implementing changes
Once you get the ball rolling concerning changing the mindset, it’s important to start looking at how exactly you can start making the necessary changes. Even as more and more recognize the benefits of making the transition, the pathway to achieving that may still cause some trepidation.
Fortunately, the feedback that Intune receives from its clients will go a long way in helping others move forward. IT professionals need to realize that the dependable key information flow processes they use will remain intact.
According to those who have successfully migrated, one of the best ways to smoothen the transition is by establishing small pilot programs and then rolling out changes incrementally. With that done, you can place at the forefront of the project individuals who have fully bought in and are willing to help bring others to a similar vision.
Doing it this way enables you to minimize any negative outcomes while simultaneously maximizing the effect that the small wins give your organization. As long as your advocates continue to communicate clearly every step of the way, you should have a much easier time implementing changes.
Working together
An important reason why Microsoft Intune has taken its capabilities to another level over the last decade can probably tie to the constant back and forth with clients. The team at Intune embarked on a process of trying to simplify things for users. They did so after discovering the challenges presented by the power and flexibility of Intune.
The various options and configurations available may be difficult for clients to master and what they often want are simple instructions telling them exactly what they need to do.
To address the concerns that clients have raised, the support team has offered what they are calling a one-size-fits-most guidance. This system provides organizations with the necessary tools to configure the basic settings required to make endpoints more secure and productive with Intune.
Clients will also be happy to discover that the Microsoft Intune documentation hub has been streamlined. There is a focus on highlighting the guidance system thereby further simplifying the implementation process.
Additionally, even more support is available from the Intune Tech Community. This team consists of fellow IT admins and support professionals.
Integration with other services
Microsoft offers its clients a wide array of products and services that enable organizations to provide their employees with the best possible tools. Having such an ecosystem means that end-users can produce to the best of their abilities with everything they need availed to them. Microsoft Intune plays a key role in this through its integration with other products and services that aim to help in endpoint management such as:
Configuration Manager
This platform is ideal for on-premises endpoint management and Windows Server. It’s a service that will help you increase the productivity and efficiency of your IT teams, maximize both software and hardware investments, and empower your end-users by ensuring they get what they need when they need it.
Configuration Manager offers you a powerful management application that will help you better manage every device in your organization. Using both Intune and Configuration Manager together can be a great way for those who are still hesitant about going fully cloud-native to gradually make the transition at their own pace.
Windows Autopilot
Windows Autopilot gives you a service developed to eliminate the provisioning challenges that have plagued organizations in the past. With Autopilot, you can provision new devices and send them directly to users from an OEM or device provider.
Thus, what you will get is a greatly simplified deployment and provisioning process that can deliver a custom out-of-the-box experience with an easy self-service configuration process. Not to mention how features like zero-touch, self-service deployments can make life easier for IT admins.
Endpoint Analytics
Endpoint Analytics delivers valuable insights that enable your business to assess how it is operating as well as evaluate the quality of the experience that users are getting. By going over this data, your organization can quickly identify policies or hardware issues that are negatively impacting end-users. Doing this allows you to be proactive in dealing with problem areas and thus maintain consistent productivity levels.
Additionally, this service will give your organization better visibility concerning frequently encountered problems such as long boot times. Often, these issues tend to persist unnecessarily simply because IT doesn’t have the necessary insights.
Microsoft 365
Microsoft 365 is undoubtedly one of the best cloud-powered productivity platforms that you can get. Signing up for this service will give you excellent end-user productivity Office apps such as Outlook, Teams, SharePoint, OneDrive, and more. And one of its most attractive features is that you can use it anywhere.
You can easily install it on PCs, Macs, tablets, and phones. You can easily use Microsoft Intune to deploy Microsoft 365 apps to the users and devices in your organization. Furthermore, the continuous support that you get means that you will always have the most up-to-date modern productivity tools that Microsoft offers.
Microsoft Defender for Endpoint
All of the services we have gone over in this section will require excellent security features and that is what Defender for Endpoint offers. It gives your organization the capabilities to prevent, detect, investigate, and respond to threats. By going through Intune, you get the option of creating a service-to-service connection between Intune and Defender for Endpoint. Each organization can customize the compliance policies it uses to ensure that it establishes what it considers to be an appropriate level of risk. And when you combine this with Conditional Access features, you can prevent access to organizational resources by any devices that fall short of your compliance regulations.
Expanding the vision
As we’ve already discussed, there are plenty of benefits that you can gain from using Microsoft Intune. But, what’s even better is that within the Microsoft ecosystem, there is so much that your organization can take advantage of. And one of the solutions that has been growing in popularity over the last few years is the Windows 365 Cloud PC.
Clients will be able to leverage the Microsoft Intune admin center to use their Cloud PCs. The latter provides the opportunity to stream Windows 10 or Windows 11 onto almost any device, thereby offering users the ability to take their desktops anywhere.
In a world where the attraction of remote work is constantly growing, having the option of the Windows 365 Cloud PC can be key to bringing in top talent to your organization. Following the pandemic a few years ago, once business operations started to normalize, there were plenty of people who realized that they would actually prefer having the option to work part-time or even full-time from home.
For organizations that have decided that this is something they can do, leveraging Microsoft Intune to go cloud-native would offer arguably the best way to do it. From there, you can tap into the Cloud PC environment and offer your employees powerful, secure desktops they can use from anywhere.
What does the Cloud PC do for your organization?
We’ve talked a bit about Intune and why your organization should consider going for a cloud-native approach. But, what about the Windows 365 Cloud PC? In addition to what you get with Intune, the Cloud PC offers plenty of benefits that will enhance work solutions in the cloud.
One that most businesses will appreciate is the flexibility that is provided allowing organizations to select a plan that is most ideal for them. Not only that, but you are not permanently stuck with the option that you pick. Depending on the needs of end-users, you’ll be able to scale your operations up or down as you see fit.
ENHANCED SECURITY
Whenever the issue of remote work comes up, security is going to be a massive concern for businesses. This is why the Windows 365 team has gone to great lengths to ensure maximum data protection for end-users and their organizations.
The Cloud PC takes full advantage of Zero Trust principles to assure clients that their data will have very high-level security. To further strengthen the security of the platform, clients are recommended Conditional Access as well as Azure AD Multi-Factor Authentication.
FEW TO NO COMPATIBILITY ISSUES
Another concern that clients would understandably have has to do with integrating specific applications with the Cloud PC. For IT admins in particular, losing control over how they manage devices is a real concern. Fortunately, when it comes to Windows 365, compatibility with your existing applications should not be a problem.
This is because the Cloud PC is designed so that any apps you may have been using on Windows 7, Windows 8.1, and Windows 10 should work on Windows 365 as well. And in case you encounter any challenges, you will be able to get assistance via the FastTrack App Assure program.
EASE-OF-USE
If you’re trying to convince people about a new service, your job will be significantly harder if the platform is complex and therefore difficult to navigate. With the Windows 365 Cloud PC, however, the platform aims to ensure simplicity. Even from the initial setting up, organizations won’t need to bring in specialist IT personnel to configure their Cloud PCs.
And once that’s done, IT admins can continue to manage and deploy endpoints similarly to how they’ve been doing all along. End-users as well won’t face any huge challenges because they will continue using the same applications.
Enrolling devices in Microsoft Intune
Having looked at what Intune can offer your organization, the next step is to go over what you need to know about enrolling devices. Together with Microsoft Entra ID, Intune will facilitate a secure, streamlined process for the registration and enrolment of all devices that require access to your organization’s resources. You can start using Intune for endpoint management once users and devices have been registered within your Microsoft Entra ID (tenant).
During the enrolment process, Intune will install a Mobile Device Management (MDM) certificate on the enrolling device. It’s this certificate that will handle communication with the Intune service and thus enable Intune to begin enforcing organizational policies such as:
Compliance policies designed to help users and devices meet the organization’s rules.
Enrollment policies that determine the number or types of devices someone can enroll.
Configuration profiles that configure work-appropriate features and settings on the devices.
Policy details
Generally, you should expect policies to deploy during the enrolment process. However, certain groups that may have more sensitive roles within the organization will often require stricter policies.
So, what a lot of organizations will first do is create a baseline of required policies for users and devices. Once you’ve established this baseline, you can start building on it depending on the use cases as well as the needs of various groups.
Devices running Android, iOS/iPadOS, Linux, macOS, and Windows will all be eligible for enrolment in Intune as long as they are running a supported version of the OS. By default, you’ll find that enrolment is enabled for all platforms.
But, if the need arises, you can use an Intune enrolment restriction policy to restrict certain platforms. Microsoft Intune enables mobile device management for both personal devices and corporate-owned devices.
Personal devices
In this category, the devices being referred to are personally owned PCs, tablets, and mobile phones. In bring-your-own-device (BYOD) scenarios, these personal devices can be MDM enrolled in Intune. Because of the supported enrollment methods, employees or students can use personal devices for work or school tasks.
IT admins will need to add device users in the Microsoft Intune admin center, configure their enrollment experience, and then set up Intune policies. Once that’s done, the device user needs to navigate to the Intune Company Portal app to start and complete the enrolment.
Corporate-owned devices
This category includes the same type of devices – PCs, tablets, and mobile phones. Except in this case, these devices are owned by the organization and then given out to employees or students for use at work or school.
For these types of devices, Intune offers organizations more granular settings and policies. You should expect to find more password settings for corporate-owned devices thus enabling you to enforce stricter password requirements. Devices that meet specific criteria will be automatically marked by Intune as corporate-owned.
Wrap up
At this point, we have all witnessed the increase in cloud usage by companies of all sizes. The various platforms available have been able to offer businesses an increasing array of capabilities that are constantly improving.
Solutions like Microsoft Intune can now provide powerful endpoint management systems that allow organizations exceptional flexibility and scalability. These capabilities will allow businesses to operate their IT infrastructure more efficiently and provide end-users with the tools to thrive.
To cater to different businesses and where they may be on their journey, Intune gives you pathways that you can take as you migrate to the cloud. You can choose what works for you from co-management until you get to full cloud-native. There is much to be gained from leveraging the cloud not only right now but as we look at all the future innovations currently in development.
As a business, it’s important to always be on the lookout for devices and applications that can improve the way you carry out your business operations. With platforms such as Managed Home Screen (MHS), the benefits to your business will be clear to see for everyone.
What MHS offers is an application for corporate Android Enterprise devices. This works for those enrolled via Intune and running in multi-app kiosk mode. Once installed on these devices, MHS will function as a launcher for other approved apps to run on top of it.
In previous articles, we have gone over the new features that Microsoft has added to MHS. We’ve also covered their benefits to your organization. In this article, we’ll be discussing some of the key configuration aspects of the Managed Home Screen platform.
When do you configure the Managed Home Screen app?
Start by verifying that your devices meet the prerequisites. This is because Intune only supports Android Enterprise dedicated device enrollment on Android devices running OS version 8.0. In addition, these devices should be able to connect to Google Mobile Services.
Likewise, MHS only supports Android devices running OS version 8.0 and above. If you find that the settings are available through device configuration profiles, then you should configure the settings there. This will be faster, limit errors, and give you a better Intune-support experience.
Also, note that there are some MHS settings only available via the App configuration policies pane in the Intune admin center. When using App configuration:
Head over to the Microsoft Intune admin center and select Apps > App configuration policies.
Add a configuration policy for Managed devices running Android.
Select Managed Home Screen as the associated app.
To configure the different available MHS settings, select Configuration settings.
Selecting a Configuration Settings Format
To define configuration settings for MHS, there are two methods available:
Configuration designer – enables you to configure settings with an easy-to-use UI. It allows you to toggle features on or off and set values. With this method, you’ll find a few disabled configuration keys with the value type BundleArray. The only way to configure these keys is by entering JSON data.
JSON data – with this option, you can define all possible configuration keys using a JSON script.
Moreover, by adding properties with Configuration Designer, you can automatically convert these properties to JSON. Do so by selecting Enter JSON data from the Configuration settings format dropdown.
Using Configuration Designer
Configuration Designer will enable you to select pre-populated settings and their associated values. Below, you’ll find a list of the available MHS configuration keys with their value types, default values, and descriptions. The description gives you the expected device behavior based on the selected values. Note that configuration keys of the BundleArray type are disabled in the Configuration Designer.
Configuration to customize applications, folders, and general appearance of Managed Home Screen
Each entry below lists the value type, the default value, whether the setting is also available in a device configuration profile, and the resulting device behavior.
Set allow-listed applications
Value type: bundleArray. Default: entered under the Enter JSON Data section. Available in device configuration profile: Yes.
Enables you to define the set of apps shown on the home screen from among the apps installed on the device. You define them by entering the package names of the apps you want visible. Any app you allow-list here must already be installed on the device to appear on the home screen.
Set pinned web links
Value type: bundleArray. Default: entered under the Enter JSON Data section. Available in device configuration profile: Yes.
Enables you to pin websites as quick-launch icons on the home screen. You define the URL, and it is added to the home screen so the end-user can open it in the browser with a single tap.
Create a Managed Folder for grouping apps
Value type: bundleArray. Default: entered under the Enter JSON Data section. Available in device configuration profile: Yes.
Enables you to create and name folders and group apps within them. End-users can’t rename or move folders, nor move the apps within them. Folders appear in the order of creation and apps in alphabetical order. Apps you want to group into folders must first be assigned as required to the device and must have been added to the Managed Home Screen.
Set Grid Size
Value type: string. Default: Auto. Available in device configuration profile: Yes.
Enables you to set the grid size for positioning apps on the Managed Home Screen. Use the format “columns;rows” to set the number of app columns and rows. When defining grid size, the maximum number of apps visible in a row on the home screen is the number of rows you set. Likewise, the maximum number of apps visible in a column on the home screen is the number of columns you set.
Lock Home Screen
Value type: bool. Default: TRUE. Available in device configuration profile: Yes.
Removes the end-user’s ability to move app icons around the home screen. When enabled, the app icons are locked in place and end-users can’t drag and drop them to different grid positions. When set to False, end-users can move the app and weblink icons around the Managed Home Screen.
Application Order Enabled
Value type: bool. Default: FALSE. Available in device configuration profile: Yes.
Setting this to True enables you to set the order of apps, weblinks, and folders on the Managed Home Screen. Once enabled, you set the ordering with app_order.
Application Order
Value type: bundleArray. Default: entered under the Enter JSON Data section. Available in device configuration profile: Yes.
Enables you to set the order of apps, weblinks, and folders on the Managed Home Screen. You can only use this setting if Lock Home Screen is enabled, the grid size is defined, and Application Order Enabled is set to True.
Applications in folder are ordered by name
Value type: bool. Default: TRUE. Available in device configuration profile: No.
Set to False to show the items in a folder in the order they are specified; otherwise they are displayed in alphabetical order.
Set app icon size
Value type: integer. Default: 2. Available in device configuration profile: Yes.
Defines the icon size for apps displayed on the home screen. The values you can use are: 0 (Smallest), 1 (Small), 2 (Regular), 3 (Large), 4 (Largest).
Set app folder icon
Value type: integer. Default: 0. Available in device configuration profile: Yes.
Defines the appearance of app folders displayed on the home screen. The values you can use are: 0 (Dark Square), 1 (Dark Circle), 2 (Light Square), 3 (Light Circle).
Set screen orientation
Value type: integer. Default: 1. Available in device configuration profile: Yes.
Sets the orientation of the home screen to portrait mode, landscape mode, or auto-rotate. The values you can use are: 1 (portrait mode), 2 (landscape mode), 3 (auto-rotate).
Set device wall paper
Value type: string. Default: Default. Available in device configuration profile: Yes.
Lets you select a wallpaper of your choice. All you need to do is enter the URL of the image that you want to set as the wallpaper.
Define theme color
Value type: string. Default: light. Available in device configuration profile: No.
Decide whether you want the Managed Home Screen app to run in “light” or “dark” mode.
Block pinning browser web pages to MHS
Value type: bool. Default: FALSE. Available in device configuration profile: No.
Setting this restriction to True prevents users from pinning web pages from any browser onto the Managed Home Screen.
Enable updated user experience
Value type: bool. Default: FALSE. Available in device configuration profile: No.
Setting this to True shows the updated app design along with the improvements to user workflows for usability and supportability in MHS. If you keep it False, users continue to see the previous workflows in the app. An important thing to note here is that from August 2024 onwards, the previous Managed Home Screen workflows will no longer be available and all devices will need to use the updated app design.
Top Bar Primary Element
Value type: choice. Available in device configuration profile: No.
Chooses whether the primary element of the top bar is the device Serial Number, Device Name, or Tenant Name. You can only use this setting when the Enable sign in key is set to False; when that key is True, the user’s name is shown as the primary element instead. For the top bar to be visible on users’ devices, Enable updated user experience must be set to True.
Top Bar Secondary Element
Value type: choice. Available in device configuration profile: No.
Chooses whether the secondary element of the top bar is the device Serial Number, Device Name, or Tenant Name. For the top bar to be visible on users’ devices, Enable updated user experience must be set to True.
Top Bar User Name Style
Value type: choice. Available in device configuration profile: No.
Selects the style of the user’s name in the top bar from the following options: display name; last name, first name; first name, last name; first name, last initial. You can only use this setting when the Enable sign in key is set to True. For the top bar to be visible on users’ devices, Enable updated user experience must be set to True.
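Because the bundleArray keys can only be set through the Enter JSON data option, and several keys depend on each other, it helps to check a policy before pasting it into the admin center. The checker below is an added example, not code from the original article or from Microsoft: it applies the dependency and value rules listed above to an MHS managed-configuration JSON document. The JSON envelope (kind, productId, managedProperty with value* fields) and the key names other than app_order are assumed from the Managed Home Screen managed-configuration schema as I know it, and the package names are constructed; verify the key names against the current Microsoft documentation before relying on them.

```python
"""Check a Managed Home Screen (MHS) app configuration JSON against the
dependency rules from the configuration key table.

Added example; key names and envelope are assumptions about the MHS
managed-configuration schema, package names are constructed.
"""
from __future__ import annotations

import json
import re
from typing import Any

# "columns;rows" format from the Set Grid Size entry above.
GRID_RE = re.compile(r"^\d+\s*;\s*\d+$")

# Allowed integer values taken from the table above (assumed key names).
RANGES = {
    "app_icon_size": {0, 1, 2, 3, 4},
    "app_folder_icon": {0, 1, 2, 3},
    "screen_orientation": {1, 2, 3},
}

# Constructed sample policy, shaped like what the Enter JSON data box expects.
# It deliberately puts one non-allow-listed app into a managed folder.
SAMPLE_CONFIG = r'''
{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.microsoft.launcher.enterprise",
  "managedProperty": [
    {"key": "lock_home_screen", "valueBool": true},
    {"key": "grid_size", "valueString": "4;5"},
    {"key": "app_orders_enabled", "valueBool": true},
    {"key": "applications", "valueBundleArray": [
      {"managedProperty": [{"key": "package", "valueString": "com.example.kiosk"}]},
      {"managedProperty": [{"key": "package", "valueString": "com.example.scanner"}]}
    ]},
    {"key": "managed_folders", "valueBundleArray": [
      {"managedProperty": [
        {"key": "folder_name", "valueString": "Tools"},
        {"key": "applications", "valueBundleArray": [
          {"managedProperty": [{"key": "package", "valueString": "com.example.scanner"}]},
          {"managedProperty": [{"key": "package", "valueString": "com.example.notinlist"}]}
        ]}
      ]}
    ]},
    {"key": "app_order", "valueBundleArray": [
      {"managedProperty": [
        {"key": "type", "valueString": "application"},
        {"key": "position", "valueInteger": 1},
        {"key": "package", "valueString": "com.example.kiosk"}
      ]}
    ]}
  ]
}
'''


def props_to_dict(props: list[dict[str, Any]]) -> dict[str, Any]:
    """Flatten a managedProperty list into {key: value}, whatever the value* field is."""
    return {p["key"]: next((v for k, v in p.items() if k.startswith("value")), None)
            for p in props}


def packages(bundle_array: list[dict[str, Any]]) -> set[str]:
    """Package names referenced by a bundleArray of {managedProperty: [...]} entries."""
    return {props_to_dict(b["managedProperty"]).get("package") for b in bundle_array}


def set_property(config_text: str, key: str, value: Any) -> str:
    """Return a copy of the policy with one top-level scalar property replaced."""
    doc = json.loads(config_text)
    field = {bool: "valueBool", int: "valueInteger", str: "valueString"}[type(value)]
    doc["managedProperty"] = [p for p in doc["managedProperty"] if p["key"] != key]
    doc["managedProperty"].append({"key": key, field: value})
    return json.dumps(doc)


def validate_mhs_config(config_text: str) -> list[str]:
    """Return the rule violations found; an empty list means the policy passes."""
    cfg = props_to_dict(json.loads(config_text)["managedProperty"])
    problems: list[str] = []

    # Grid size must be "columns;rows" unless left at the Auto default.
    grid = cfg.get("grid_size")
    if grid is not None and grid != "Auto" and not GRID_RE.match(grid):
        problems.append(f"grid_size {grid!r} is not in the 'columns;rows' format")

    # Application Order needs Lock Home Screen, an explicit grid and the enable flag.
    # Treating Auto as "not defined" is this example's reading of the table.
    if "app_order" in cfg:
        if cfg.get("lock_home_screen") is not True:
            problems.append("app_order requires lock_home_screen to be true")
        if grid is None or grid == "Auto":
            problems.append("app_order requires an explicit grid_size")
        if cfg.get("app_orders_enabled") is not True:
            problems.append("app_order requires app_orders_enabled to be true")

    for key, allowed in RANGES.items():
        if key in cfg and cfg[key] not in allowed:
            problems.append(f"{key}={cfg[key]!r} is outside {sorted(allowed)}")

    if "theme_color" in cfg and cfg["theme_color"] not in ("light", "dark"):
        problems.append(f"theme_color {cfg['theme_color']!r} must be 'light' or 'dark'")

    # Apps grouped into a managed folder must also be on the MHS allow list.
    # (Whether they are installed on the device cannot be checked offline.)
    allow = packages(cfg.get("applications", []))
    for folder in cfg.get("managed_folders", []):
        f = props_to_dict(folder["managedProperty"])
        for pkg in sorted(packages(f.get("applications", [])) - allow):
            problems.append(f"folder {f.get('folder_name')!r} contains {pkg}, "
                            "which is not allow-listed")
    return problems


if __name__ == "__main__":
    for problem in validate_mhs_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```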
Key things to note
To keep meeting Google Play Store requirements, the Managed Home Screen app has been updated at the API level. Doing so, however, brings a few changes to how Wi-Fi configuration works from Managed Home Screen. The changes you should expect to encounter include:
Users won’t be able to change the Wi-Fi connection for the device, whether it be enabling or disabling the connection. However, despite not being able to turn the Wi-Fi on or off, users can still switch between networks.
In addition, users also won’t be able to automatically connect to a configured Wi-Fi network with a first-time password requirement. Instead, after entering the password for the first time, the configured network will then automatically connect.
ANDROID DEVICES RUNNING OS 11
All those who are using Android devices running OS 11 should note another aspect. Whenever an end-user tries to connect to a network via the Managed Home Screen app, a consent pop-up prompt will appear. This pop-up is from the Android platform itself and therefore not specific to the Managed Home Screen app.
Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app.
The network will only change if the device is not already connected to a network, even when the right password has been entered. Devices already connected to a stable network won’t be switched to a password-protected network via the Managed Home Screen app.
ANDROID DEVICES RUNNING OS 10
For individuals using Android devices running OS 10, there’s another consideration. When an end-user tries to connect to any network using the Managed Home Screen app, they will receive a prompt with a consent via notifications.
Because of this prompt, users whose devices run OS 10 must have access to the status bar and to notifications in order to complete the consent step. IT admins may therefore need to use the General settings for dedicated devices to make the status bar and notifications available to the affected end users where necessary.
Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app. You’ll notice that the network will only change if the device does not have a connection to a network. This applies even if you have input the right password.
BLUETOOTH CONSIDERATIONS
If a device runs Android 10+ with Managed Home Screen, Bluetooth pairing with devices that require a pairing key will only succeed if IT admins enable the following Android system apps:
Android System Bluetooth
Android System Settings
Android System UI
Managing troubleshooting issues
One of the best updates that Microsoft brought to Managed Home Screen is the introduction of enhanced troubleshooting features. Users now get access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.
This access aims to simplify troubleshooting for device users, which can reduce downtime and thereby increase productivity. The configurations in the table below help troubleshoot the various problems users can encounter on their devices:
Each entry below gives the configuration key, its value type, its default value where one exists, a description, and whether the key is available in a device configuration profile.

Exit lock task mode password (value type: string; available in device configuration profile: Yes)
Enter a 4- to 6-digit code used to temporarily drop out of lock-task mode for troubleshooting.

Enable easy access debug menu (value type: bool; default value: FALSE; available in device configuration profile: Yes)
Set this to True to make the debug menu reachable from the Managed Settings menu within Managed Home Screen; the option to exit kiosk mode is found in that debug menu. Without this setting, the debug menu is reached by pressing the back button about 15 times. Keep the setting at False if the back button should remain the only entry point to the debug menu.

Enable MAX inactive time outside of MHS (value type: bool; default value: FALSE; available in device configuration profile: No)
Set this to True to automatically re-launch Managed Home Screen after a set period of inactivity. The timer counts inactive time only and resets each time the user interacts with the device while outside of MHS. Set the inactivity timer with MAX inactive time outside MHS. This setting is off by default and can only be used once Exit lock task mode password has been configured.

MAX inactive time outside MHS (value type: integer; default value: 180; available in device configuration profile: No)
The maximum inactive time, in seconds, that a user can spend outside of MHS before it is automatically re-launched. The default is 180 seconds. Enable MAX inactive time outside of MHS must be set to True for this setting to take effect.

Enable MAX time outside MHS (value type: bool; default value: FALSE; available in device configuration profile: No)
Set this to True to automatically re-launch MHS after a set period of time. This timer counts both active and inactive time spent outside of MHS. Set the timer with MAX time outside MHS. This setting is off by default and can only be used once Exit lock task mode password has been configured.

MAX time outside MHS (value type: integer; default value: 600; available in device configuration profile: No)
The maximum absolute time, in seconds, that a user can spend outside of MHS before it is automatically re-launched. The default is 600 seconds. Enable MAX time outside MHS must be set to True for this setting to take effect.
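The tables above describe several keys that only take effect when other keys are set (the exit code, the enable flags, the updated experience and the sign-in state). The following Python is an added example, not Microsoft’s or the article’s code: it checks a draft configuration against those dependencies and renders it in the Android Enterprise managed-configuration JSON shape that Intune accepts; the JSON key names in PLACEHOLDER_KEYS are hypothetical stand-ins, since the real names come from the Intune configuration designer.

```python
"""Pre-flight checks for a Managed Home Screen (MHS) app-configuration draft.

Added example, not Microsoft's or the article's code. Settings are keyed by the
display names used in the tables above; the checks encode only the dependencies
those tables state. Key names in PLACEHOLDER_KEYS are hypothetical stand-ins.
"""
import json
import re

# Hypothetical key names, used only to show the managedProperty JSON shape.
PLACEHOLDER_KEYS = {
    "Exit lock task mode password": "<exit_lock_task_mode_key>",
    "Enable easy access debug menu": "<easy_access_debug_menu_key>",
    "Enable MAX inactive time outside of MHS": "<enable_max_inactive_time_key>",
    "MAX inactive time outside MHS": "<max_inactive_time_key>",
    "Enable MAX time outside MHS": "<enable_max_time_key>",
    "MAX time outside MHS": "<max_time_key>",
}

# Timer value -> the enable flag it depends on (both flags also need the exit code).
TIMERS = {
    "MAX inactive time outside MHS": "Enable MAX inactive time outside of MHS",
    "MAX time outside MHS": "Enable MAX time outside MHS",
}
TOP_BAR_KEYS = ("Top Bar Primary Element", "Top Bar Secondary Element",
                "Top Bar User Name Style")


def validate_mhs_config(cfg: dict) -> list[str]:
    """Return the inconsistencies found in cfg; an empty list means it is sound."""
    problems = []
    flag = lambda name: cfg.get(name) is True
    code = cfg.get("Exit lock task mode password")

    # The exit code is a 4- to 6-digit string.
    if code is not None and not re.fullmatch(r"\d{4,6}", str(code)):
        problems.append("Exit lock task mode password must be a 4-6 digit code")

    for value_key, enable_key in TIMERS.items():
        if flag(enable_key) and code is None:
            problems.append(f"{enable_key} requires Exit lock task mode password")
        value = cfg.get(value_key)
        if value is None:
            continue
        if not flag(enable_key):
            problems.append(f"{value_key} has no effect unless {enable_key} is True")
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            problems.append(f"{value_key} must be a positive number of seconds")

    # The top bar is only shown with the updated user experience, and its
    # primary element versus user-name style depend on the sign-in state.
    if any(k in cfg for k in TOP_BAR_KEYS) and not flag("Enable updated user experience"):
        problems.append("Top bar settings require Enable updated user experience = True")
    if "Top Bar Primary Element" in cfg and flag("Enable sign in"):
        problems.append("Top Bar Primary Element is replaced by the user name when Enable sign in is True")
    if "Top Bar User Name Style" in cfg and not flag("Enable sign in"):
        problems.append("Top Bar User Name Style requires Enable sign in = True")
    return problems


def to_managed_configuration(cfg: dict) -> dict:
    """Render the draft in the Android Enterprise managed-configuration JSON shape
    (kind / productId / managedProperty) that Intune's JSON editor accepts."""
    props = []
    for name, value in cfg.items():
        key = PLACEHOLDER_KEYS.get(name, f"<{name}>")
        if isinstance(value, bool):          # bool before int: True is an int too
            props.append({"key": key, "valueBool": value})
        elif isinstance(value, int):
            props.append({"key": key, "valueInteger": value})
        else:
            props.append({"key": key, "valueString": str(value)})
    return {"kind": "androidenterprise#managedConfiguration",
            "productId": "app:com.microsoft.launcher.enterprise",
            "managedProperty": props}


if __name__ == "__main__":
    draft = {"Exit lock task mode password": "123456",
             "Enable easy access debug menu": True,
             "Enable MAX inactive time outside of MHS": True,
             "MAX inactive time outside MHS": 180}
    print(validate_mhs_config(draft))  # []
    print(json.dumps(to_managed_configuration(draft), indent=2))
```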
Microsoft ecosystem provides Android users with an optimal experience
Managed Home Screen and all its features help to enhance the user experience. MHS supports Android users who rely on the Microsoft ecosystem for business purposes. For years, the relationship between Microsoft and Android has allowed for better integration between the platforms and a better overall experience for end users. All of this fits in perfectly with the evolution we have witnessed in the development of excellent mobility solutions.
Over the last few years, there has been a significant increase in those who appreciate the possibility of remote work. Plenty are enjoying the option of being able to work from home. There are additional benefits, including creating their own schedules. But they can also maintain or even increase their productivity levels.
Android users make up a decent portion of Microsoft clients. So, it’s not surprising that Microsoft aims to provide users with all the solutions they need. And Microsoft outfits users to be successful in their business operations. And with Managed Home Screen, Android users get an app that can further enhance their interaction with the Microsoft ecosystem.
The ability for organizations to customize and control user experiences is paramount. It enables them to ensure that end-users will have access to everything they need while simultaneously putting in certain restrictions.
Additionally, end-users can enjoy a much-improved experience. This is because MHS enables businesses to create consistent and simplified experiences across device types and OEMs.
End-users can expect continued innovations and improved features thanks to the global network of experts established by Microsoft and Google. These client specialists, with deep knowledge of Android devices and services, significantly contribute to the ongoing development of services. They will also further enhance the user experience.
It’s because of collaborations like these and the expertise obtained that MHS users can access features that address issues on-device. It’s also how they painlessly equip Microsoft support to troubleshoot issues on-device. So, as the improvements continue to roll out, businesses and individuals will take a keen interest. All of these changes can improve how they do business.
Wrap up
If there is anything that we can expect with regard to technology, it’s that we will continue to see changes. Most intend to improve the end-user experience. The features that Managed Home Screen offers, as well as the available improvements, are a testament to Microsoft’s goal. Microsoft continuously aims to create the optimal experience for Android users.
With feedback from Android experts being a key part of development, end-users can expect ongoing improvements. They can also expect to reap the many benefits of an ever-improving Microsoft ecosystem. One only has to take a look at the depth of products and services available to Android device users. It’s then evident that businesses have plenty to benefit from with these programs and features.
It doesn’t take too long as you go through the latest tech news and updates to realize just how badly lax security could affect your organization. All nefarious actors need is a small opportunity. And your business may end up paying dearly. This is where Managed Home Screen comes into play.
Hence the need to implement the best possible security measures that you can. And when you use platforms such as Managed Home Screen (MHS), you’ll get excellent features that will help you enhance your overall security.
The platform gives your organization the ability to customize and control Android Enterprise dedicated devices, restricting access to only what a user requires. As we continue our deep dive into Managed Home Screen, we will end up with a clearer idea of how this platform can best serve your interests.
What to know about general availability
In a previous article, we discussed the updated features that Microsoft introduced to the Managed Home Screen experience. There are a few things that businesses should know about general availability.
To begin, you should be aware that with the general availability of the updated MHS experience, all previous MHS workflows will be obsolete. Not only that, but support will no longer be available for these previous workflows. The new updated features will not be added to previous workflows, as well.
However, admins can still move to the updated experience by setting Enable updated user experience to “true” for 90 days. But, after the 90 days, the app configuration will be removed, and all devices will need to start using the updated MHS experience.
Below are some of the new capabilities recently added for the updated experience:
Brightness Slider and Adaptive Brightness – with this tool, IT admins will be able to expose a setting that enables users to access a brightness slider to adjust the device screen brightness. Moreover, IT admins can also expose a setting that allows users to turn adaptive brightness on and off on the device.
Autorotation – this next tool helps IT admins expose a setting that is designed to enable users to turn on and off the device’s autorotation.
Domain-less Login and Custom Login Hint Text – another feature coming to the updated experience will be support for domain-less sign-in. Admins can configure domain names which will then be automatically added to usernames when signing in. In addition, MHS will begin providing users with a custom login hint string on the sign-in screen.
Session PIN Inactivity Timer – when a device has been inactive for a specified period of time, IT admins can use this feature to require users to enter their session PIN to resume activity on Managed Home Screen.
Why is Managed Home Screen making changes?
With the updates that have been made to Managed Home Screen, one may be wondering what’s behind all the changes. And the simple reality is that the new features were needed. Applications need to keep improving if they are to meet the ever-evolving needs of businesses.
It goes without saying, but the competition among players in the tech space is brutal. A new application or service can be introduced to the market, and if it can do the job far more efficiently, then you may find yourself losing clients.
Moreover, organizations are now acutely aware that there are nefarious actors constantly looking for vulnerabilities in their systems and if they find any it can be catastrophic for their businesses. Updates can address any existing performance issues and vulnerabilities that may potentially exist.
In addition, new features will also address productivity issues that your business has to deal with. As technology continues to evolve, organizations like yours will be looking to improve their products and services. Updates allow you to harness the latest and very best features for your applications. This will also give your team a better user experience overall. And ultimately, your business can operate more efficiently.
Furthermore, newer updates can help you get even better performances from your devices. At one point or another, we’ve all probably had the frustrating experience of an app crashing. It’s never a pleasant experience and can result in some lost work progress. By updating your applications, you can significantly reduce the chances of these occurrences.
Closing the security gap – enhancing your security features reduces the potential attack surface and makes it significantly harder for attackers to succeed. MHS does this by requiring end users to enter their session PIN to resume activity on Managed Home Screen after the device has been inactive for a specified period. This reduces the risk of unauthorized personnel gaining access to a device while the user is not using it. To set it up, set “Minimum inactive time before session PIN is required” to the number of seconds the device must be inactive before the end user has to enter their session PIN.
Quicker resolution of issues – if the troubleshooting process is ineffective, it can cause endless downtime and that’s not good for business. MHS improved that process by introducing a feature that will give users access to a debug menu. This includes the pages for Get Help, Exit Kiosk Mode, and About. What this does is give users the ability to go to the Get Help page and easily upload logs. Moreover, users will be able to view Management Resources. It allows them to launch adjacent management apps whenever necessary. With the appropriate support available, your organization can quickly address any performance issues. You can also ensure productivity levels remain optimal.
Improve ease of use – one of the best ways to help users work more efficiently is to give them the option to customize certain settings to their liking. The immediate concern would be the risk of increasing vulnerabilities, but the solution is to restrict what users can customize. This ensures that they still get the benefits of personalized apps and devices while maintaining high security standards. One of the settings users can now change is device screen brightness.
Additional benefits of Managed Home Screen
With the updated features, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You’ll have the option of exposing a setting in the app to allow end users to access a convenient brightness slider to adjust the device screen brightness. Furthermore, you’ll now also be able to expose a setting to allow end users to toggle adaptive brightness.
Simplified setup – few things can help users be more productive than using an application with a clean look and access to everything you need. This is what MHS is aiming for with the addition of a top bar. Users will now have quick access to device-identifying information. You get the option to configure this top bar as you see fit. And there will be two descriptive elements available for display. IT admins get to select between serial number, device name, and tenant name for the top and bottom elements in situations where the device is not configured with sign-in.
The top bar also gives quick access to settings as well as the sign-out button. The settings wheel icon sits in the upper right-hand corner of the top bar, and tapping it displays the settings that the IT administrator has chosen to reveal to users within MHS settings. This settings icon is located on the top bar by default. To avoid compromising security, IT admins still get to pick which settings a user can configure, or they can disable the entry point altogether with the configuration key “Show managed settings”.
Enhanced security measures for dedicated devices
As we know by now, Managed Home Screen works on devices enrolled into Intune as Android Enterprise dedicated devices. With the increasing sophistication of today’s cyber attacks, organizations need to ensure that their security is of the highest standard.
Bearing that in mind, in this section, let’s take a look at some of the settings that can improve security for fully managed, dedicated, and corporate-owned work profile devices.
Screen capture (work profile-level)
Enabling “Block” not only stops users from taking screenshots, but also prevents content from being shown on display devices without a secure video output. Be aware that this setting is “Not configured” by default, and Intune doesn’t modify it; if the OS default settings allow it, the OS might let users capture the screen contents as an image.
Camera (work profile-level)
Enabling “Block” will prevent access to the device’s camera. Again, you should note that this setting is set to “Not configured” by default and Intune doesn’t change it. Another thing that is important for security is that Intune only manages camera access but doesn’t have access to pictures or videos. The OS may also, by default, allow access to the camera.
Default permission policy (work profile-level)
The objective of this setting is to define the default permission policy for requests for runtime permissions, and the options you have are the following:
Default (default) – Use the device’s default setting.
Prompt – Users see a prompt to approve the permission.
Auto grant – Permissions grant automatically.
Auto deny – Permissions are automatically denied.
Date and Time changes
Enabling “Block” will stop users from manually setting the date and time. Additionally, you should note that this setting is set to “Not configured” by default, and Intune doesn’t change it. This will also mean that if the OS default settings permit, users may be able to set the date and time.
Roaming data services
Enabling “Block” will prevent data roaming over the cellular network. And as before, this setting defaults to “Not configured,” and Intune doesn’t change it.
Wi-Fi access point configuration
Enabling “Block” will stop users from creating or changing any Wi-Fi configurations. Additionally, you should note that this setting defaults to “Not configured” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, users may be able to change the Wi-Fi settings on the device.
Bluetooth configuration
Enabling “Block” will stop users from configuring Bluetooth on the device. Additionally, you should note that this setting defaults to “Not configured,” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, using Bluetooth on the device may be possible.
Tethering and access to hotspots
Enabling “Block” will prevent tethering and access to portable hotspots. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow tethering and access to portable hotspots by default.
USB file transfer
Enabling “Block” will prevent transferring files over USB. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it.
External media
Enabling “Block” will prevent using or connecting any external media on the device. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow file transfers by default.
Beam data using NFC (work-profile level)
Enabling “Block” is going to prevent the use of Near Field Communication (NFC) technology to beam data from apps. On the other hand, if set to “Not configured“, which is the default setting, Intune will not change or update the setting. However, you should not forget that the OS might allow using NFC to share data between devices by default.
Developer settings
Enabling “Allow” will let users access developer settings on the device. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.
Microphone adjustment
Enabling “Block” will stop users from unmuting the microphone and adjusting the microphone volume. However, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.
Factory reset protection emails
Select Google account email addresses, then enter the email addresses of the device admins who can unlock the device after it’s wiped. Separate multiple addresses with a semi-colon, e.g., admin1@example.com;admin2@example.com. These emails only apply during a non-user factory reset, such as a factory reset run from the recovery menu. As with the previous settings, the default is “Not configured,” and Intune will not change or update the setting.
System update
To determine how the device handles over-the-air updates, you’ll need to pick from the following options:
Device Default (default) – stick to the device’s default setting, meaning that when the device connects to Wi-Fi, is charging, and is idle, the OS updates automatically. For app updates, the OS first checks that the app is not running in the foreground.
Automatic – implements an automatic update process without user involvement.
Postponed – updates are postponed for 30 days, after which users receive a prompt to install the update. Device manufacturers or carriers may, however, prevent critical security updates from being postponed.
Maintenance Window – also provides an automatic update process but that occurs during a daily maintenance window that you set in Intune. If the installation tries and fails for 30 days, you will subsequently see a prompt to perform the installation. This setting will apply to OS and Play Store app updates.
Freeze periods for system updates
This setting is optional. When System update is set to Automatic, Postponed, or Maintenance window, use it to create a freeze period of up to 90 days:
Start date – the first day of the freeze period, in MM/DD format.
End date – the last day of the freeze period, in MM/DD format.
All incoming system updates and security patches are blocked during the freeze period, including manual checks for updates.
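Because the freeze dates carry no year, a period such as 12/15 to 01/20 wraps past the end of December, which is easy to miscount. The following Python is an added example, not Microsoft’s code: it measures a freeze period against the 90-day limit stated above and tells you whether a given day falls inside it; the use of a 366-day reference year (so that 02/29 is accepted) is an assumption.

```python
"""Length and membership checks for an Intune system-update freeze period.

Added example, not Microsoft's code. Start and end are MM/DD values with no
year, so a period may wrap past 31 December; the 90-day limit is the one the
text above states. Assumption: a 366-day reference year is used so that 02/29
is accepted as a valid date.
"""
from datetime import date

MAX_FREEZE_DAYS = 90
REF_YEAR = 2024  # leap year, so every MM/DD value has a day-of-year


def _day_of_year(mmdd: str) -> int:
    """Convert an MM/DD string to a 1-based day of the reference year."""
    month, day = (int(part) for part in mmdd.split("/"))
    return date(REF_YEAR, month, day).timetuple().tm_yday


def freeze_period_days(start: str, end: str) -> int:
    """Days covered by start..end inclusive; an end before the start wraps
    into the next year (e.g. 12/15 to 01/20 is 37 days)."""
    return (_day_of_year(end) - _day_of_year(start)) % 366 + 1


def validate_freeze_period(start: str, end: str) -> tuple[bool, int]:
    """Return (within the 90-day limit?, length in days)."""
    days = freeze_period_days(start, end)
    return days <= MAX_FREEZE_DAYS, days


def updates_blocked_on(mmdd: str, start: str, end: str) -> bool:
    """True if mmdd falls inside the freeze period, where all system updates
    and security patches (including manual checks) are blocked."""
    offset = (_day_of_year(mmdd) - _day_of_year(start)) % 366
    return offset < freeze_period_days(start, end)


if __name__ == "__main__":
    print(validate_freeze_period("12/15", "01/20"))       # (True, 37)
    print(updates_blocked_on("01/05", "12/15", "01/20"))  # True
    print(validate_freeze_period("01/01", "04/15"))       # (False, 106)
```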
Location
Enabling “Block” will disable the Location setting on the device and prevent users from turning it on. However, it’s worth noting that disabling this setting will affect every setting that also relies on device location. This includes the Locate device remote action that admins use. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.
When to enroll devices as dedicated devices
One of the things that may have a lot of people wondering is the issue of when exactly you should be looking at enrolling a device as a dedicated device. According to the information available from Microsoft, Intune’s Android Enterprise dedicated device solution is for clients who want their Android devices enrolled with no user-affinity.
On top of that, this device solution requires that the device runs Android OS 8+ and should be able to connect directly to Google Mobile Services (GMS). Below are the three main scenarios that Intune envisions for dedicated devices:
AS A DIGITAL SIGN
Typically locked into one application that shows viewers desired information. A good example of this would be the train schedules or flight schedules that you may see at the train station or airport respectively. In these particular situations, there will be zero-to-minimal physical user interaction.
TASK-BASED DEVICES
In this case, the device is locked into a single application or multiple applications and used for specific tasks. The device does not need to know who is using it or where. Package delivery drivers are a good example of how this works.
As they clock into their shift, delivery drivers receive a device that helps them navigate to their location, scan packages, and complete other role-based tasks. Once the driver completes their tasks, the device is returned for the next delivery driver to use.
MULTI-USER, TASK DEVICES
In the third scenario, the device is again locked into a single app or a set of apps and used for specific tasks, but users need to sign in to at least one application on the device. Unlike the previous scenario, the apps in this case need to know who is using the device and when.
The general recommendation for this scenario is to enable Shared Device mode. For instance, consider a factory where a device may be used by multiple people, such as shift workers, maintenance staff, and delivery drivers.
So, every individual using the device will get the same apps and policies, but the key difference is that the relevant information displayed by the apps will vary from person to person, depending on their sign-in information.
Wrap up
As a business, it’s crucially important to always be on the lookout for applications and services that can give you an advantage: something that improves the quality of what your organization produces by enhancing worker efficiency. For Managed Home Screen clients, the platform improvements can offer such benefits.
You get features that help you maintain high security standards by allowing IT admins to put in place any necessary restrictions. But, even with these restrictions, end users will still get quicker access to what they need, faster resolution of issues, and a more streamlined workflow.