Managed Home Screen: A Configuration Guide

Posted on July 18, 2024 by Thomas.Marcussen

As a business, it’s important to always be on the lookout for devices and applications that can improve the way you carry out your business operations. With platforms such as Managed Home Screen (MHS), the benefits to your business will be clear to see for everyone.

What MHS offers is an application for corporate Android Enterprise devices. This works for those enrolled via Intune and running in multi-app kiosk mode. Once installed on these devices, MHS will function as a launcher for other approved apps to run on top of it.

In previous articles, we have gone over the new features that Microsoft has added to MHS. We’ve also covered their benefits to your organization. In this article, we’ll be discussing some of the key configuration aspects of the Managed Home Screen platform.

When do you configure the Managed Home Screen app?

Start by verifying if your devices meet the prerequisites. This is because Intune only supports the enrollment of Android Enterprise dedicated devices for Android devices running OS version 8.0. In addition, these devices should be able to connect to Google Mobile Services.

Likewise, MHS only supports Android devices running OS version 8.0 and above. If you find that the settings are available through device configuration profiles, then you should configure the settings there. This will be faster, limit errors, and give you a better Intune-support experience.

Also, note that there are some MHS settings only available via the App configuration policies pane in the Intune admin center. When using App configuration:

Head over to the Microsoft Intune admin center and select Apps > App configuration policies.
Add a configuration policy for Managed devices running Android.
Select Managed Home Screen as the associated app
To configure the different available MHS settings, select Configuration settings.

Selecting a Configuration Settings Format

To define configuration settings for MHS, there are two methods available:

Configuration designer – enables you to configure settings with an easy-to-use UI. It allows you to toggle features on or off and set values. With this method, you’ll find a few disabled configuration keys with the value type BundleArray. The only way to configure these keys is by entering JSON data.
JSON data – with this option, you can define all possible configuration keys using a JSON script.

Moreover, by adding properties with Configuration Designer, you can automatically convert these properties to JSON. Do so by selecting Enter JSON data from the Configuration settings format dropdown.

Using Configuration Designer

Configuration designer will enable you to select pre-populated settings and their associated values. In the table below, you’ll find a list of the MHS available configuration keys, value types, default values, and descriptions. The description gives you the expected device behavior based on selected values. Note that the BundleArray type of configuration keys disable in the Configuration Designer.

Configuration to customize applications, folders, and general appearance of Managed Home Screen

Configuration Key	Value Type	Default Value	Description	Available in device configuration profile
Set allow-listed applications	bundleArray	You can find it under the Enter JSON Data section	Enables you to define the set of apps you see on the home screen form along with the apps installed on the device. Entering the app package name of the apps that you want visible allows you to define the apps. Any app that you choose to allow-list in this section needs to be already installed on the device to be visible on the home screen.	Yes
Set pinned web links	bundleArray	You can find it under the Enter JSON Data section	Enables you to pin websites as quick launch icons on the home screen. Using this configuration allows you to define the URL and add it to the home screen for the end-user to launch in the browser with a single tap.	Yes
Create a Managed Folder for grouping apps	bundleArray	You can find it under the Enter JSON Data section	Enables you to create and name folders and group apps within these folders. End-users can’t rename or move folders and neither can they move the apps within the folders. Folders will appear according to the order of creation and apps according to alphabetical order. If you have apps that you want to group into folders, they must first be assigned as required to the device and must have been added to the Managed Home Screen.	Yes
Set Grid Size	string	Auto	Enables you to set the grid size for apps to be positioned on the managed home screen. Use the format “columns ; rows ” to set the number of app rows and columns to define grid size. When defining grid size, the maximum number of apps visible in a row on the home screen is the number of rows you set. Likewise, the maximum number of apps visible in a column on the home screen is the number of columns you set.	Yes
Lock Home Screen	bool	TRUE	Eliminates the ability of the end-user to move around app icons on the home screen. Enabling this configuration key locks the app icons on the home screen. End-users can’t drag and drop to different grid positions on the home screen. When turned to false, end-users will be able to move around the app and weblink icons on the Managed Home Screen.	Yes
Application Order Enabled	bool	FALSE	Turning this setting to True will enable you to set the order of apps, weblinks, and folders on the Managed Home Screen. After it’s enabled, you can set the ordering with app_order.	Yes
Application Order	bundleArray	You can find it under the Enter JSON Data section	Enables you to set the order of apps, weblinks, and folders on the Managed Home Screen. You can only use this setting if Lock Home Screen is enabled, the grid size is defined, and the Application Order enabled is set to True.	Yes
Applications in folder are ordered by name	bool	TRUE	False enables items in a folder to appear in the order they’re specified. If not for this, they will be displayed in alphabetical order.	No
Set app icon size	integer	2	With this, you can define the icon size for apps displayed on the home screen. Below are the values that you can use in this configuration for different sizes: 0 (Smallest),1 (Small), 2 (Regular), 3 (Large)4 (Largest).	Yes
Set app folder icon	integer	0	With this, you can define the appearance of app folders displayed on the home screen. The appearance can be selected from the values below: Dark Square(0)Dark Circle(1)Light Square(2)Light Circle(3)	Yes
Set screen orientation	integer	1	Using this, you can set the orientation of the home screen to portrait mode, landscape mode, or allow auto rotate. The orientation can be set by entering the values below: 1 (for portrait mode),2 (for Landscape mode),3 (for Autorotate).	Yes
Set device wall paper	string	Default	By using this, you can select a wall paper of your choice. All you need to do is enter the URL of the image that you want to set as a wallpaper.	Yes
Define theme color	string	light	Decide whether you want Managed Home Screen app to run in “light” or “dark” mode.	No
Block pinning browser web pages to MHS	bool	FALSE	By turning this restriction to True, you can prevent users from pinning web pages from any browser onto Managed Home Screen.	No
Enable updated user experience	bool	FALSE	Switching to True will enable the updated app design to be displayed along with the improvements to user workflows for usability and supportability, for MHS. However, if you keep it as False, users will continue to see previous workflows on the app An important thing to note here is that from August 2024 onwards, previous Managed Home Screen workflows will no longer be available and all devices will need to use the updated app design.	No
Top Bar Primary Element	choice		This key helps you choose whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. You can only use this setting when the Enable sign in key is set to false. Otherwise, the user’s name will be shown as the primary element when the key is set to True. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to true.	No
Top Bar Secondary Element	choice		This key helps you choose whether the secondary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to true.	No
Top Bar User Name Style	choice		This setting enables you to select the style of the user’s name in the top bar based on the following list: display name last name, first name first name, last name first name, last initial You can only use this setting when the Enable sign in key is set to True. If you want the top bar to be visible on users’ devices, you must set Enable updated user experience to true.	No

Key things to note

Ensure the Managed Home Screen app seamlessly meets Google Play Store’s requirements. This is contingent on the app’s available update at the API level. However, doing it this way translates to a few changes to how Wi-Fi configuration works from Managed Home Screen. So, some of the changes you should expect to encounter include:

Users won’t be able to change the Wi-Fi connection for the device, whether it be enabling or disabling the connection. However, despite not being able to turn the Wi-Fi on or off, users can still switch between networks.
In addition, users also won’t be able to automatically connect to a configured Wi-Fi network with a first-time password requirement. Instead, after entering the password for the first time, the configured network will then automatically connect.

ANDROID DEVICES RUNNING OS 11

All those who are using Android devices running OS 11 should note another aspect. Whenever an end-user tries to connect to a network via the Managed Home Screen app, a consent pop-up prompt will appear. This pop-up is from the Android platform itself and therefore not specific to the Managed Home Screen app.

Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app.

You’ll notice that the network will only change if the device does not have a connection to a network. This includes instance when you have input the right password. All devices already connected to a stable network won’t connect to a password-protected network via the Managed Home Screen app.

ANDROID DEVICES RUNNING OS 10

For individuals using Android devices running OS 10, there’s another consideration. When an end-user tries to connect to any network using the Managed Home Screen app, they will receive a prompt with a consent via notifications.

Because of this prompt, users whose devices are running OS 10 must have access to the status bar. Also, notifications to be able to complete the consent step. Therefore, IT admins may need to use General settings for dedicated devices to avail the status bar. They’ll also do so for notifications to the appropriate end-users whenever necessary.

Furthermore, users will see a request to enter a password. This happens when attempting to connect to a password-protected network via the Managed Home Screen app. You’ll notice that the network will only change if the device does not have a connection to a network. This applies even if you have input the right password.

BLUETOOTH CONSIDERATIONS

If a device is running Android 10+ and using Managed Home Screen, successful Bluetooth pairing on devices that require a pairing key requires certain conditions. IT admins will need to enable a few Android system apps and these are as follows:

Android System Bluetooth
Android System Settings
Android System UI

Managing troubleshooting issues

One of the best updates that Microsoft brought to Managed Home Screen is the introduction of enhanced troubleshooting features. Users now get access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

This access aims to simplify the troubleshooting process for device users which can reduce downtime and thereby increase productivity. To help even further, you’ll find configurations in the table below. These help troubleshoot various problems that users can encounter on their devices:

Configuration Key	Value Type	Default Value	Description	Available in device configuration profile
Exit lock task mode password	string		Input a 4-6-digit code to use to temporarily drop out of lock-task mode for troubleshooting.	Yes
Enable easy access debug menu	bool	FALSE	Switch this setting to True and you can access the debug menu from the Managed Settings menu while in Managed Home Screen. If you want to exit kiosk mode, you’ll need to go to the debug menu to find the capability. With that done, you need to click the back button about 15 times. Alternatively, if you want to keep the entry point to the debug menu only accessible via the back button, you should keep the setting switched to False.	Yes
Enable MAX inactive time outside of MHS	bool	FALSE	If you want to automatically re-launch Managed Home Screen after a set period of inactivity, you’ll need to switch this setting to True. Note that the timer will only count inactive time and, upon configuration, will reset each time the user interacts with the device while outside of MHS. To set the inactivity timer, use Max inactive time outside MHS. This setting is kept off by default. You can only access this setting if Exit lock task mode password has been configured.	No
MAX inactive time outside MHS	integer	180	Specify the maximum amount of inactive time (in seconds) that a user can spend outside of MHS before it is automatically re-launched. Users will find this configuration set to 180 seconds by default. If you want to use this setting, Enable MAX inactive time outside of MHS must be set to true.	No
Enable MAX time outside MHS	bool	FALSE	If you want to automatically re-launch MHS after a set period of time, you must set this setting to True. The timer considers both active and inactive time spent outside of MHS. You need to use MAX time outside MHS to set the inactivity timer. This setting is kept off by default. You can only use this setting after Exit lock task mode password has been configured.	No
MAX time outside MHS	integer	600	You must specify the maximum amount of absolute time (in seconds) that a user can spend outside of MHS before it is automatically re-launched. Users will find this configuration set to 600 seconds by default. You can only use this setting if Enable MAX time outside of MHS is set to true.	No

Microsoft ecosystem provides Android users with an optimal experience

Managed Home Screen and all its features are helping to enhance the user experience. MHHS supports Android users who rely on the Microsoft ecosystem for business purposes. For years, the relationship between Microsoft and Android has allowed for a better integration between the concerned platforms. It also provides end-users a better overall experience. All of this fits in perfectly with the evolution we have witnessed in the development of excellent mobility solutions.

Over the last few years, there has been a significant increase in those who appreciate the possibility of remote work. Plenty are enjoying the option of being able to work from home. There are additional benefits, including creating their own schedules. But they can also maintain or even increase their productivity levels.

Android users make up a decent portion of Microsoft clients. So, it’s not surprising that Microsoft aims to provide users with all the solutions they need. And Microsoft outfits users to be successful in their business operations. And with Managed Home Screen, Android users get an app that can further enhance their interaction with the Microsoft ecosystem.

The ability for organizations to customize and control user experiences is paramount. It enables them to ensure that end-users will have access to everything they need while simultaneously putting in certain restrictions.

Additionally, end-users can enjoy a much-improved experience. This is because MHS enables businesses to create consistent and simplified experiences across device types and OEMs.

End-users can expect continued innovations and improved features thanks to the global network of experts established by Microsoft and Google. These client specialists, with deep knowledge of Android devices and services, significantly contribute to the ongoing development of services. They will also further enhance the user experience.

It’s because of collaborations like these and the expertise obtained that MHS users can access features that address issues on-device. It’s also how they painlessly equip Microsoft support to troubleshoot issues on-device. So, as the improvements continue to roll out, businesses and individuals will take a keen interest. All of these changes can improve how they do business.

Wrap up

If there is anything that we can expect with regard to technology, it’s that we will continue to see changes. Most intend to improve the end-user experience. The features that Managed Home Screen offers, as well as the available improvements, are a testament to Microsoft’s goal. Microsoft continuously aims to create the optimal experience for Android users.

With feedback from Android experts being a key part of development, end-users can expect ongoing improvements. They can also expect to reap the many benefits of an ever-improving Microsoft ecosystem. One only has to take a look at the depth of products and services available to Android device users. It’s then evident that businesses have plenty to benefit from with these programs and features.

Managed Home Screen: What Your Should Know

Posted on July 3, 2024 by Thomas.Marcussen

It doesn’t take too long as you go through the latest tech news and updates to realize just how badly lax security could affect your organization. All nefarious actors need is a small opportunity. And your business may end up paying dearly. This is where Managed Home Screen comes into play.

Hence the need to implement the best possible security measures that you can. And when you use platforms such as Managed Home Screen (MHS), you’ll get excellent features that will help you enhance your overall security.

The platform will give your organization the ability to customize and control Android Enterprise dedicated devices. This allow for restricted access to only what a user may require. As we continue our deep dive into Managed Home Screen, we will end up with a clearer idea of how this platform can best serve your interests.

What to know about general availability

In a previous article, we discussed the updated features that Microsoft introduced to the Managed Home Screen experience. There are a few things that businesses should know about general availability.

To begin, you should be aware that with the general availability of the updated MHS experience, all previous MHS workflows will be obsolete. Not only that, but support will no longer be available for these previous workflows. The new updated features will not be added to previous workflows, as well.

However, admins can still move to the updated experience by setting Enable updated user experience to “true” for 90 days. But, after the 90 days, the app configuration will be removed, and all devices will need to start using the updated MHS experience.

Below are some of the new capabilities recently added for the updated experience:

Brightness Slider and Adaptive Brightness – with this tool, IT admins will be able to expose a setting that enables users to access a brightness slider to adjust the device screen brightness. Moreover, IT admins can also expose a setting that allows users to turn adaptive brightness on and off on the device.
Autorotation – this next tool helps IT admins expose a setting that is designed to enable users to turn on and off the device’s autorotation.
Domain-less Login and Custom Login Hint Text – another feature coming to the updated experience will be support for domain-less sign-in. Admins can configure domain names which will then be automatically added to usernames when signing in. In addition, MHS will begin providing users with a custom login hint string on the sign-in screen.
Session PIN Inactivity Timer – in scenarios where a device has been inactive for a specified period of time, IT admins can leverage this feature to demand users to enter their session PIN to resume activity on Managed Home Screen.

Why is Managed Home Screen making changes?

With the updates that have been made to Managed Home Screen, one may be wondering what’s behind all the changes. And the simple reality is that the new features were needed. Applications need to keep improving if they are to meet the ever-evolving needs of businesses.

It goes without saying, but the competition among players in the tech space is brutal. A new application or service can be introduced to the market, and if it can do the job far more efficiently, then you may find yourself losing clients.

Moreover, organizations are now acutely aware that there are nefarious actors constantly looking for vulnerabilities in their systems and if they find any it can be catastrophic for their businesses. Updates can address any existing performance issues and vulnerabilities that may potentially exist.

In addition, new features will also address productivity issues that your business has to deal with. As technology continues to evolve, organizations like yours will be looking to improve their products and services. Updates allow you to harness the latest and very best features for your applications. This will also give your team a better user experience overall. And ultimately, your business can operate more efficiently.

Furthermore, newer updates can help you get even better performances from your devices. At one point or another, we’ve all probably had the frustrating experience of an app crashing. It’s never a pleasant experience and can result in some lost work progress. By updating your applications, you can significantly reduce the chances of these occurrences.

Benefits of Managed Home Screen’s new features

The improvements that Managed Home Screen has made will have benefits for both IT admins as well as end users. These advantages include:

Closing the security gap – enhancing your security features means that you reduce potential attack areas. Also, it’s significantly harder for hackers to carry out successful attacks. This is something that will complete by requiring end users to enter their session PIN to resume activity on Managed Home Screen. This is after the device has been inactive for a specified period. Having this feature reduces the risk of unauthorized personnel gaining access to a device when the user is not using it. To set it up, you need to set the “Minimum inactive time before session PIN is required” setting to the number of seconds the device is inactive before the end user must input their session PIN.
Quicker resolution of issues – if the troubleshooting process is ineffective, it can cause endless downtime and that’s not good for business. MHS improved that process by introducing a feature that will give users access to a debug menu. This includes the pages for Get Help, Exit Kiosk Mode, and About. What this does is give users the ability to go to the Get Help page and easily upload logs. Moreover, users will be able to view Management Resources. It allows them to launch adjacent management apps whenever necessary. With the appropriate support available, your organization can quickly address any performance issues. You can also ensure productivity levels remain optimal.
Improve ease of use – one of the best ways to help users work more efficiently is to enable them to have the option to customize certain settings to their liking. Undoubtedly, the immediate concern would be about the risk of increasing vulnerabilities. But, the solution to that is to restrict what users can customize. This provides that they still get the benefits of personalized apps and devices while maintaining high security standards. One of those settings that users can now change is device screen brightness.

Additional benefits of Managed Home Screen

With the updated features, you can expose settings in the Managed Home Screen app to adjust screen brightness for Android Enterprise devices. You’ll have the option of exposing a setting in the app to allow end users to access a convenient brightness slider to adjust the device screen brightness. Furthermore, you’ll now also be able to expose a setting to allow end users to toggle adaptive brightness.

Simplified setup – few things can help users be more productive than using an application with a clean look and access to everything you need. This is what MHS is aiming for with the addition of a top bar. Users will now have quick access to device-identifying information. You get the option to configure this top bar as you see fit. And there will be two descriptive elements available for display. IT admins get to select between serial number, device name, and tenant name for the top and bottom elements in situations where the device is not configured with sign-in.

The top bar will also give quick access to settings as well as the sign-out button. The settings wheel icon sits in the upper right-hand of the top bar. And tapping this icon will display the settings that the IT administrator has selected to reveal to users within MHS settings. Another advantage you can expect is that this settings icon will be located on the top bar by default. And to avoid compromising security, IT admins still get to pick which settings a user can configure. Or they can disable it altogether by enabling or disabling the configuration key “Show managed settings”.

Enhanced security measures for dedicated devices

As we know by now, Managed Home Screen works on devices enrolled into Intune as Android Enterprise dedicated devices. With the increasing sophistication of today’s cyber attacks, organizations need to ensure that their security is of the highest standard.

Bearing that in mind, in this section, let’s take a look at some of the settings that can improve security for fully managed, dedicated, and corporate-owned work profile devices.

Screen capture (work profile-level)

Enabling “Block” will not only stop you from taking screenshots, but will also prevent content from being shown on display devices without a secure video output. However, you should be aware that this setting is set to “Not configured” by default, and Intune doesn’t modify it. You should also know that if the default settings allow, the OS might let users capture the screen contents as an image.

Camera (work profile-level)

Enabling “Block” will prevent access to the device’s camera. Again, you should note that this setting is set to “Not configured” by default and Intune doesn’t change it. Another thing that is important for security is that Intune only manages camera access but doesn’t have access to pictures or videos. The OS may also, by default, allow access to the camera.

Default permission policy (work profile-level)

The objective of this setting is to define the default permission policy for requests for runtime permissions, and the options you have are the following:

Default (default) – Use the device’s default setting.
Prompt – Users see a prompt to approve the permission.
Auto grant – Permissions grant automatically.
Auto deny – Permissions are automatically denied.

Date and Time changes

Enabling “Block” will stop users from manually setting the date and time. Additionally, you should note that this setting is set to “Not configured” by default, and Intune doesn’t change it. This will also mean that if the OS default settings permit, users may be able to set the date and time.

Roaming data services

Enabling “Block” will prevent data roaming over the cellular network. And as before, this setting defaults to “Not configured,” and Intune doesn’t change it.

Wi-Fi access point configuration

Enabling “Block” will stop users from creating or changing any Wi-Fi configurations. Additionally, you should note that this setting defaults to “Not configured” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, users may be able to change the Wi-Fi settings on the device.

Bluetooth configuration

Enabling “Block” will stop users from configuring Bluetooth on the device. Additionally, you should note that this setting defaults to “Not configured,” and Intune doesn’t change it. As we’ve also seen before, if the OS default settings permit, using Bluetooth on the device may be possible.

Tethering and access to hotspots

Enabling “Block” will prevent tethering and access to portable hotspots. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow tethering and access to portable hotspots by default.

USB file transfer

Enabling “Block” will prevent transferring files over USB. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it.

External media

Enabling “Block” will prevent using or connecting any external media on the device. And again, this setting defaults to “Not configured,” and Intune doesn’t change or update it. Take note that the OS might allow file transfers by default.

Beam data using NFC (work-profile level)

Enabling “Block” is going to prevent the use of Near Field Communication (NFC) technology to beam data from apps. On the other hand, if set to “Not configured“, which is the default setting, Intune will not change or update the setting. However, you should not forget that the OS might allow using NFC to share data between devices by default.

Developer settings

Enabling “Allow” will let users access developer settings on the device. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Microphone adjustment

Enabling “Block” will stop users from unmuting the microphone and adjusting the microphone volume. However, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

Factory reset protection emails

You need to select Google account email addresses. Then, you need to provide the email addresses of device admins who can unlock the device after it’s wiped. When entering the email addresses, make sure to separate them with a semi-colon e.g., adminA@gmail.com;adminB@gmail.com. Note that these emails will only apply in scenarios during a non-user factory reset, like running a factory reset using the recovery menu. And as with previous settings, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

System update

To determine how the device handles over-the-air updates, you’ll need to pick from the following options:

Device Default (default) – stick to the device’s default setting, meaning that when the device connects to Wi-Fi, is charging, and is idle, the OS updates automatically. For app updates, the OS first checks that the app is not running in the foreground.
Automatic – implements an automatic update process without user involvement.
Postponed – updates postpone for a period of 30 days, at the end of which users receive a prompt to install the update. For critical security updates, however, device manufacturers or carriers may block their postponement.
Maintenance Window – also provides an automatic update process but that occurs during a daily maintenance window that you set in Intune. If the installation tries and fails for 30 days, you will subsequently see a prompt to perform the installation. This setting will apply to OS and Play Store app updates.

Freeze periods for system updates

This one is optional. If you are going to set the System update setting to Automatic, Postponed, or the Maintenance window, then you must use this setting to create a freeze period:

Start date – provide a start date using the MM/DD format and it can be up to 90 days long.
End date – provide an end date using the same MM/DD format and it can be up to 90 days long.

Take note that all incoming system updates and security patches will be blocked during the freeze period. And this also includes manually checking for updates.

Location

Enabling “Block” will disable the Location setting on the device and prevent users from turning it on. However, it’s worth noting that disabling this setting will affect every setting that also relies on device location. This includes the Locate device remote action that admins use. On the other hand, if set to “Not configured,” which is the default setting, Intune will not change or update the setting.

When to enroll devices as dedicated devices

One of the things that may have a lot of people wondering is the issue of when exactly you should be looking at enrolling a device as a dedicated device. According to the information available from Microsoft, Intune’s Android Enterprise dedicated device solution is for clients who want their Android devices enrolled with no user-affinity.

On top of that, this device solution requires that the device runs Android OS 8+ and should be able to connect directly to Google Mobile Services (GMS). Below are the three main scenarios that Intune envisions for dedicated devices:

AS A DIGITAL SIGN

Typically locked into one application that shows viewers desired information. A good example of this would be the train schedules or flight schedules that you may see at the train station or airport respectively. In these particular situations, there will be zero-to-minimal physical user interaction.

TASK-BASED DEVICES

In this case, we’ll be looking at a situation of locked into a single application or multiple applications and used for specific tasks. What you then have is a setup where the device is not privy to who is using it or where. We can see an example of how this would work with package delivery drivers.

As they clock into their shift, the delivery driver receives a device. This devices helps to navigate to their location, scan packages, and complete other role-based tasks. Once the driver completes their tasks, the device can then be returned for the next delivery driver to use.

MULTI-USER, TASK DEVICES

In the third scenario, we’re looking at locked into a single app or a set of apps, and used for specific tasks. Users need to sign in on at least a single application on the device and unlike the previous scenario, the apps in this case will need to know who is using the device and when.

The general recommendation for this scenario is to enable Shared Device mode. For instance, you can look at a factory setup where a device may used by multiple people, such as shift workers, maintenance staff, delivery drivers, etc.

So, every individual using the device will get the same apps and policies, but the key difference is that the relevant information displayed by the apps will vary from person to person, depending on their sign-in information.

Wrap up

As a business, it’s crucially important to always be on the lookout for applications and services that can give you an advantage. Something that can improve the quality of what your organization is producing by enhancing worker efficiency. For Managed Home Screen clients, the platform improvements can offer such benefits.

You get features that help you maintain high security standards by allowing IT admins to put in place any necessary restrictions. But, even with these restrictions, end users will still get quicker access to what they need, faster resolution of issues, and a more streamlined workflow.

Enhancing the Intune Experience With Managed Home Screen

Posted on June 11, 2024 by Thomas.Marcussen

All the devices and applications that we use need both security and feature updates now and again to ensure that we always get the best possible performance. Whether these are personal or work devices, without regular improvements, the performances will eventually not be good enough to meet our requirements.

One of the platforms that helps to optimize the user experience is Managed Home Screen. Using this feature can deliver a better experience. Within the Intune environment, all users with enrolled devices as Android Enterprise dedicated devices can benefit.

In this article, we’ll be taking a look at what Managed Home Screen is and how it can improve workflows.

What is Managed Home Screen?

With Managed Home Screen, users get an Android application that is compatible on devices enrolled into Intune as Android Enterprise dedicated devices. The application means to cover corporate-owned devices that are running in multi-app kiosk mode.

On these devices, Managed Home Screen acts as the launcher for other approved apps to run on top of it. The benefit to IT admins is greater control over the customization of devices, as well as being able to restrict the capabilities that the end user can access. The availability of these features means that your business can:

Easily maintain control over how these devices work. The customization and control you have over the Android devices allows you to determine specifically what users can access.
Enhance the user experience by establishing a consistent and simplified experience across device types and OEMs that makes it significantly easier to perform all tasks to a high standard.
Gain access to all the relevant troubleshooting workflows that one would need to fix issues on-device. Or provide Microsoft support with the necessary tools to troubleshoot issues on-device.
Utilize an improved sign-in and sign-out experience with a device configured with Shared device mode.

Customization benefits

Additionally, the availability of customization will allow you to completely modify the overall appearance and feel of your home screen.

You can do things such as:

Set a custom wallpaper that can truly bring your branding to the fore. Or, you could use the custom wallpaper as a visual indicator to distinguish various devices.
You can relocate applications to the home screen so you have your important and most frequently used apps in a place that facilitates easy access. Not only that, but this can help you design a setup that is consistent across devices for your users.
Those who may have plenty of apps on the home screen can easily simplify things by categorizing apps into specific folders.
Because devices can have varying screen sizes, you’ll also get the option to modify the size of apps and folders appearing on the home screen.
To get even quicker access to vital app data, you can add custom widgets to the home screen.
When a device is inactive, you can set a screen saver to hide the home screen.

Dedicated devices

We just mentioned that Managed Home Screen is usable on devices enrolled into Intune as Android Enterprise dedicated devices. But, what exactly are ‘dedicated devices’? This term simply refers to corporate-owned devices not associated with a particular user. Additionally, these devices will normally be in use for performing specific tasks.

So, if you want to enroll Android devices with no user-affinity then this option will suit you. However, it’s also important to note that Intune’s Android Enterprise dedicated device solution will require that the devices run Android OS 8+ and be able to connect to Google Mobile Services (GMS).

Setting up Managed Home Screen

Setting up your device with Managed Home Screen is a process that will take several steps. But, once you have a device that meets the requirements, you can begin.

Setting up an Intune enrollment profile and device group

Start by creating an enrollment profile to generate an enrollment token first, and attach it to a device group. In the Endpoint Manager admin center, navigate over to  Devices > Android > Android enrollment > Corporate-owned dedicated devices. You’ll need to fill in the Name but filling in the Description is optional. After this, select Type. Be sure to select Corporate owned dedicated device with Azure AD shared mode if you expect that your devices may require users to access M365 applications, other App Protection Policies, or Conditional Access policies. When everything’s done, click Create.

CREATING A DEVICE GROUP

Head over to Groups > All groups > New group. You’ll need to fill in the Group Name but filling in the Group Description is optional. Make sure that the Group type is set to “security”. Then, proceed to change Membership type to Dynamic device, after which you need to Add a dynamic query. By using dynamic queries, you can have your device automatically added to a group based on the property of your choice.

Approve and assign Managed Home Screen and MORE Managed Google Play apps

This next step will ensure that the Managed Home Screen successful downloads and installs on your enrolled devices. It should also automatically launch. You’ll find Managed Home Screen already synced in the console when you venture over to navigate Apps > All apps as soon as you have linked your Intune and Managed Google Play accounts. After that, you can:

Click Managed Home Screen.
Select Properties > Assignments (edit).
Add your device group from Step 2 officially to the Required assignments.
Save.

If you want to add public, private, or web applications, go ahead and stay in Apps > All apps and choose “add.” Navigate to Select app type and choose Managed Google Play app.

Manage Android Enterprise system apps

One thing that you will notice is that system applications will often disable by default upon enrollment. To enable these applications and show the icon on the device, you start by heading back to Apps > All apps in Intune and selecting Add in the top left corner. After choosing Select, proceed to fill out the App information, and assign it as “Required” or “Uninstall” to the group that you created in Step 2. At this point, you can select “Required” if you want the application to be available on the device or “Uninstall” if you prefer that it remain hidden on the device.

Creating a device configuration profile

Having this profile is crucial because it enables you to not only configure device-level behavior but to configure kiosk mode as well. To begin the process, navigate to Devices > Configuration profiles > Create profile. Next, go to Platform, and select “Android Enterprise.” With that done, head to Profile and  select “Device restrictions” beneath “Fully Managed, Dedicated, and Corporate-Owned Work Profile.”

After this, select Create, and then you need to fill in the Name of your profile but filling in the Description is optional. Once everything is ready you can select Next.

Creating an app configuration profile

Be mindful that this step is completely optional. Once you have completed the steps already given above, you will be ready to enroll your devices. So, this step is ideal for those who want to learn how to utilize all the available Managed Home Screen features. Additionally, this step will help you to configure the complete list of features that Managed Home Screen has to offer.

In the Endpoint Management admin center, head over to Apps > App configuration policies > Add > Managed devices. Then, you need to fill in the Name and as with other sections, the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. As soon as you are ready to continue, select Next.

A. Using configuration designer to setup Managed Home Screen features

Choose Use configuration designer from the Configuration settings format drop-down menu. Select Add to open a panel with all the available Managed Home Screen configuration keys. Choose the configuration keys that you want to edit and then click OK. All the configuration keys have default values and if you want to modify a configuration value, hover over and then interact with each row under the “Configuration value” column. Click Next as soon as all the necessary changes have been made.

Navigate to the Assignments page under Included groups, choose Select groups to include, next  and pick the device group you created in the second step. You can review by clicking Next, and once set, click Create.

B. Using JSON data to setup Managed Home Screen features

You can complete the configuration of the home screen by using JSON to create your folders, add widgets, and order items. If you need to edit your existing app configuration profile, you can do so by clicking on the policy you just created in Apps > App configuration policies. After that, select Properties > Settings (Edit). Choose Enter JSON data from the Configuration settings format drop-down menu. You should be able to see all your existing configurations in JSON format.

B.1. Add a managed folder to your home screen

You can organize your home screen better by creating a folder that you get to manage. This is something that you can only do using JSON data format in an app configuration policy. You’ll need to add the JSON snippet below in where feature configurations go:

Replace “PLACEHOLDER_FOLDER-NAME” with a name of your choice.
Replace “PLACEHOLDER_APP-PACKAGE-NAME” with the package name of the app that you want to put inside your folder. You have the option to add as many apps as you want.
B.2. Configure custom ordering of items on the home screen

A few things will happen if you want to create a custom ordering of items on the home screen. These include:

Apps, widgets, and folders should already be added to your home screen allow-list.
The home screen should be locked because this ensures that a user cannot make changes by moving things around themselves.
A grid size for all your home screen pages should be set.
App ordering mode should be enabled.

At this point, you can set the position of an item to an assigned grid position. Note that the positions will read from smallest to largest from left to right and then top-to-bottom.

DEVICE ENROLLMENT

As already alluded to earlier, devices should be running Android OS 8+ and run with Google Mobile Services (GMS). As soon as a device is ready, you can enroll from a factory-reset state using:

Near Field Communication
Token entry
QR code scanning
Google’s Zero Touch Enrollment
Samsung’s Knox Mobile Enrollment

User credentials are not necessary during enrollment or provisioning because these dedicated devices are not user-associated. Select the type of enrollment that you want and follow the instructions given in this section.

COMPLETION OF SETUP

After the setup process finalizes, you’ll find yourself on the device’s home screen. Then, the device will proceed to sync policies with Intune after which apps will begin to download and install on the device. And after Managed Home Screen has been installed, it will auto-launch and show you all your configurations.

Improvements to Managed Home Screen

Pursuant to the feedback that Microsoft received from its clients, some eye-catching new design changes have been made to the app to optimize usability. However, these new features are only available on the updated experience.

Although, you can look forward to an improved user experience, Microsoft has not made any intentional changes to feature support and you can expect only minor changes in current functionality such as:

You’ll no longer see the company logo on the Session PIN screen, but you will still have it on the home screen.
Swiping down will no longer give you access to the Managed Home Screen settings.

Addition of the top bar

A top bar is now available to the Managed Home Screen page with the intention of simplifying access as well as to enable quick access to device-identifying information. This top bar can configure as necessary and thus allows for the display of two descriptive elements.

IT administrators can decide between serial number, device name, and tenant name for the top and bottom element in situations where the device is not configured with sign-in. On the other hand, if the device is configured with sign-in, the top element will display the signed in user’s name.

Easily discoverable settings and sign out button

Another benefit of the top bar is that it enables quick navigation to settings as well as the sign-out button. However, for the latter, this is only possible when sign-in is configured. If you go to the upper right-hand corner of the top bar, you’ll now find a settings wheel icon.

When a user taps this icon, they’ll see which settings the IT administrator has selected to reveal to them within MHS settings. One thing to note with the updated experience is that swiping down on the device will no longer give you access to settings.

You can now find the Settings icon located on the top bar by default. IT admins get to decide which settings a user can configure or disable it altogether by enabling or disabling the configuration key “Show managed settings”. There are a couple of situations in which the Settings icon will still display, and these are:

When a user is signed in, the Settings icon is available to view the user’s profile information.
When device permissions are required but no user is signed in, the Settings icon will be available for the user to grant permissions. Moreover, you won’t see any additional settings unless configured.

Updated permissions flow

Updating the permissions granting flow has been necessitated by the desire to ensure that device users do not miss essential permissions. Upon launching MHS initially, a dialogue will appear requesting users to grant any required permissions. Users can get to the settings screen where the required settings will be clearly laid out by tapping either the message or the settings wheel.

By tapping on the message, users will be redirected to the correct page in the Android settings page to grant the permission that is needed for the functionality of all configurations that are set by the IT administrator for Managed Home Screen.

In the event a user rejects the permission, a message will then be displayed on the screen and a red dot will appear on the settings app icon. Ultimately, this update to the permissions flow has been designed to prevent permissions from being missed and to optimize the functions of Managed Home Screen.

Enhanced troubleshooting features

Managed Home Screen is helping to simplify the process of troubleshooting device issues. The new features that have been introduced will give users access to a debug menu, which includes the pages for Get Help, Exit Kiosk Mode, and About.

Users can now go to the Get Help page and easily upload logs. In addition, users can also view Management Resources, allowing them to launch adjacent management apps whenever necessary.

And if you want important information on Managed Home Screen, including the privacy statements, accessibility statements, and third-party configurable compliance links, if enabled, you’ll easily find it on the About page.

The updated debug menu can only appear within settings after an IT admin has configured easy access to the debug menu. Without this action, users will need to tap the back button 15 times to unhide the debug menu.

Start using the updated experience

To begin using the updated experience, you need to follow the steps given below:

Start by verifying that the target devices are running version 2.2.0.91169 or higher of Managed Home Screen.
Within the Intune admin center, head over to Apps > App configuration policies > Add > Managed devices. (And if you already have an app configuration policy in place for the target devices, you can skip the next step)
Filling in the Name will be required, but the Description is optional. Select Android Enterprise for platform, Fully Managed, Dedicated, and Corporate-Owned Work Profile Only for profile type, and Managed Home Screen for targeted app. When everything’s done, click Next.
To configure your settings, you can use either configuration designer or JSON data. Navigate to the Configuration settings format drop-down menu, and select Use configuration designer . Choose Add and this will open the panel with the available Managed Home Screen configuration keys.
Next, you need to choose the configuration key Enable updated user experience and switch it to True. For those using JSON data, they need to add the key and value below:

“key”: “enable_updated_user_experience”,

“valueBool”: true

Lastly, head over to the Assignments page and look under Included groups. Then, you need to choose Select groups to include and select the device group that you want to include in the public preview. You can review by clicking Next, and once all is set, click Create.

Another important thing to note is that this updated experience only works on the newest version of the Managed Home Screen application. So, you need to turn on the updated app experience and then verify that your devices are running the latest version of Managed Home Screen. If everything is in order, you should expect to see the updated workflows on the device.

Wrap up

Technology has been improving at a lightning speed and an ever-increasing pace for a long time now. The devices available to us, the operating systems, as well as the countless applications, have all gotten significantly better. So, it’s not surprising that businesses want platforms that can empower their workers to operate more efficiently and thus be more productive.

With Managed Home Screen, Microsoft offers its clients a tool that will do that and more. Businesses can get a tool with a lot of great features that will help users to get more from the available technology while eliminating time-consuming distractions.

And as updates like the ones we discussed today continue to be developed, MHS users can look forward to even more improvements that will optimize workflows and enhance their interaction with Intune.

How to Install Printer Drivers and Printers from Intune using Win32

Posted on May 29, 2024 by Thomas.Marcussen

The printing solution that a business uses is integral to its operations and can either positively or negatively affect productivity. It’s important to ensure that you can get the maximum benefits from your IT infrastructure. A key component of any printing solution requires proper printing setup.

But it’s not always as easy as we’d like it to be, especially with so many different products and services available on the market. IT admins need to choose wisely so that businesses can implement tailor-made solutions to address the needs of their employees.

Today, we’ll be going over how you can take advantage of Win32 for the installation of Printer Drivers and Printers, making light work of printing setup and execution.

Importance of printing solutions

Technology has come on in leaps and bounds over the last few decades and has made a massive impact on how companies do business. A lot of the products and services we now have allow us to conduct business in ways that most people couldn’t imagine just a decade ago.

But, even with all our mobile devices and remote working solutions, the simple printer still plays a very big role for most businesses. Plenty of business deals and various transactions still require us to have physical documents, and these can include contracts, proposals, various legal documents, and more. Although businesses can do their printing elsewhere, it’s easier and more cost-effective to have in-house printing solutions. This, of course, requires printing setup and ongoing infrastructure maintenance.

It also offers greater security for highly sensitive documents. Another potential benefit is increased productivity. With the capabilities of modern printing setup and solutions, anyone needing to print documents can do so from anywhere in the office using their PC or even mobile device. This cuts down on time that could otherwise be wasted going to print documents.

Furthermore, having your own in-house printing solution helps you to create a reproducible standard for all materials that your business needs to print. So, all your letterheads, business cards, contracts, etc., will all have a standard look and feel that every professional business wants to have. With that said, let’s look at how you’ll be able to add printers and printer drivers to your business.

Adding a Printer to Windows

When trying to add a new printer to your Windows setup, you’ll need to follow a few steps to ensure that the installation is seamless. Admins may often encounter issues, such as failing to remove the printer from the system, incomplete uninstallation, and failure to install new drivers, among other things.

You may also experience errors like “This driver is not fully installed”. By utilizing certain commands, you can make your printing setup task a bit easier and reduce the chances of facing these problems. In this section, we’ll be going over the steps that you need to follow.

WHAT IS POWERSHELL?

Let’s start by going over what PowerShell is before discussing the steps for adding a printer to Windows. According to Microsoft:

“PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.”

Just about anyone who wants to use this solution can since it was built to run on Windows, macOS, and Linux, as well. By using this tool, administrators, developers, and DevOps professionals will be able to use code to easily automate tasks and configurations. Moreover, you can use it either as an open-source shell or a scripting language.

PowerShell offers you the following areas of functionality:

Command-line interface – accepts and returns .NET objects, unlike other shells that will only accept and return text. This interface enables PC users to directly interact with the computer through text, unlike the GUI most others use.
Scripting language – PowerShell is not just a scripting engine. It’s also a fully functional scripting language that you can use to automate various tasks for DevOps, user management, continuous integration/continuous development, and many other system administrator tasks.
Automation platform – because of how extensible PowerShell is by design, this allows an ecosystem of PowerShell modules to deploy and manage almost any technology you work with. And these cover a wide range of Microsoft services, such as Azure and Windows, as well as third-party services, such as Google Cloud and AWS.

POWERSHELL REQUIREMENTS

As with any product or service that you may want to use, there are a few requirements to know. Before you can deploy PowerShell scripts in Intune, be sure to follow the necessary requirements. Below is a list of these requirements:

The devices that you’ll be working on must have Windows 10 1709 or later.
Additionally, they should also be Azure AD Joined devices or Hybrid Azure AD Joined devices.
These devices will need to be enrolled in Intune. And this can be via MDM Auto Enrollment, GPO enrollment, or Manual enrollment.
Lastly, we’ll mention co-managed devices that use both Microsoft Intune and Configuration Manager.

Identification of Printer Driver source files

To begin the process of adding a printer to Windows and printing setup, we’ll need to identify all the required printer driver source files. The driver package is extremely important because it contains everything necessary for a device to work correctly with Windows.

A driver package will typically have an INF file, Catalog files, Driver files, and other files. Before you can build a Win32 app, you need to ensure that you know which specific files you’ll need to complete the Printer Driver installation. After deciding which printer you’ll be using, you can proceed as follows:

Navigate to the printer manufacturer’s website, where you can download the appropriate Printer Driver software.
To guide you through a UI for the installation of the driver package, you will use the Setup.exe installer. Because this installer doesn’t run silently, you should go to the Driver folder to prepare for driver installation using a PowerShell script.
Next, open the INF file to see the files needed for driver installation.
Windows then proceeds to leverage a catalog file to check that the files can be trusted. This will be in addition to noting any of the required source files using the INF file.

Windows Driver Store

Most people would probably find it far more convenient if their computers had the necessary driver files for printer installation. This would make the printing setup significantly easier. Fortunately, however, the process of adding drivers to the Driver Store is not an overly difficult one. When we say Driver Store, we are simply referring to the trusted location of inbox and third-party driver packages. The only drivers that you can install on a device are those found in this secure location.

A common way that admins will use for staging drivers into the Windows Driver Store involves the use of pnputil. Some would probably raise their eyebrows at this because pnputil is not actually a PowerShell command. But it does get the job done. And admins can run it from a Powershell console. You can pass various commands to the pnputil.exe command line tool. This command is going to require the directory path of the INF driver file for your particular printer:

Pnputil /add-driver <“inf_path”>

Admins should make sure they note the Printer Driver Name because it’s a requirement for the installation of the Printer Driver in Windows. This is something that you can also find in the INF file. After you have completed the staging of the drivers to the Driver Store, you can now Install a printer in Windows using PowerShell cmdlets such as Add-PrinterPort, Add-PrinterDriver, and Add-Printer.

ADD-PRINTER PORT

Those who will be deploying new Network Printers will need to use the Add-PrinterPort cmdlet to create the Printer Port. Upon completion, you can then run the Add-Printer cmdlet. And this will require passing the DriverName and PortName parameters. So, before you begin trying to install the printer, make sure that the Printer Port is available.

ADD-PRINTER DRIVER

Verify that the Printer Driver has been installed before printer installation with the Add-Printer cmdlet can proceed. You can find the name of the Print Driver in the Driver Store within the INF file. So, you can now go ahead and open this INF file, find the appropriate driver name, and then save it. When using the Add-PrinterDriver cmdlet, IT admins should check that they are using the same Driver Name. To install the Printer Driver directly in Windows from the Driver Store, you can use the Add-PrinterDriver cmdlet.

Add-PrinterDriver -DriverName <“driver_name”> -InfPath <“driver_path”>

ADD-PRINTER

After performing all the above steps, you’ll now get to the last one, which is the actual installation of the printer. Here, we’ll basically be putting together everything that’s already come before so we can have that great result we’ve been wanting. Admins will be able to install the printer using the Add-Printer cmdlet. But, this can only happen after the installation of the printer driver and creation of the printer port. After all this is done, you can check the printer installation using printmanagement.msc.

Add-Printer -DriverName <“driver_name”> -PrinterName <“printer_name”> -PortName <“port_name”>

How to build your Win32 App

WHAT IS A WIN32 APP?

When we talk of Win32 applications, we’ll be referring to programs that have been built for the Windows operating system. They have been written to use the Win32 Application Programmer Interface (API). The latter is a set of program functions that can enable a program to trigger just about every action in the operating system such as opening a file.

This 32-bit Windows API has been around for a few decades and was first availed back in 1993 when Windows NT was released. The early APIs would become known as Win16 and Win32 to distinguish between 16-bit and 32-bit programs. The Win32 APIs carry the following responsibilities:

Administration and management – both play a key role in the installation, configuration, and servicing of apps as well as systems.
Diagnostics – involved in the remediation of problems through the troubleshooting of both system and application problems. Also responsible for monitoring performance.
Graphics and multimedia – incorporation of various components such as video, audio, graphics, and text.
Security – ensures high-level security by implementing measures such as password protection, privileged access, rights management, security auditing, and more.
System Services – allows for access to computing resources and the operating system. This will include things such as devices, memory, processes, file system, and threads.
Windows User Interface – enables not only the creation but the management of a user interface as well. This is for things like display output, user interaction support, and prompts for input from users.

Win32 App Management Capabilities

Win32 app management capabilities will be fully allowed in Microsoft Intune. In addition, Intune also offers support for 32-bit and 64-bit operating system architecture for Windows applications. There are several different types of files that you can manage using the Win32 App, and these include the very well-known .exe, .msi, and .msix, among others. IT admins will need to know, however, that before they can create a Win32 App in Intune, they will need to package it.

Microsoft Intune has become increasingly important in recent years because more and more businesses are migrating to the cloud. As this trend continues, businesses are looking for a solution like Intune that can help with the management of Win32 apps from the cloud. So, with an Intune subscription, administrators will be able to manage and distribute Win32 apps to your Windows 10 or Windows 11 devices.

WIN32 APP REQUIREMENTS

To deploy Win32 apps with Microsoft Intune, there are several requirements that need to be met. These include:

Before you can start deploying Win32 apps, you need to have an active Microsoft Intune subscription. This can be purchased from the Microsoft 365 admin center if you don’t already have one.
Your devices must meet all the Microsoft Intune prerequisites, including having Windows devices enrolled in Intune as well as having the Intune Company Portal app installed.
The devices you’ll be working on should be enrolled in Intune. They also need to be either Azure AD joined, Azure AD registered, or Hybrid Azure AD joined.
The Windows application size must also be no more than 8GB per app.
The Win32 apps will need to be prepared for deployment. This can be done by leveraging the Intune Win32 app packaging tool to create an installation package for your app. The conversion of your app into an Intune-compatible format will be facilitated by this package tool, and the reason for this action is to simplify both deployment and management.

BUILDING THE APP

Now that we have gone over what the Win32 App actually is and the steps you need for printing setup, we can start looking at how we are going to build a Win32 App. To build this Win32 App, we will need a few source files: cnlb0m.cat, CNLB0MA64.INF, and gpb0.cab. IT admins are also going to need a few other things to create the Win32 App:

Driver package source files.
Specify an Install command.
Specify an uninstall command.

INSTALL COMMAND

Administrators will need to have several conditions that they need to pass to the script:

PortName – Provide the name of the port that you need to create.
PrinterIP – Provide the network IP address of the relevant printer.
PrinterName – Provide the name of the printer that is going to be created. Admins should be aware that this name is used in the Detection Method as well.
DriverName – Provide the name of the printer driver that will need to be installed. Earlier, we mentioned noting down this name so that when it comes to this point, our parameters are as they should be.
INF file – Provide the name of the INF file for the printer driver.

UNINSTALL COMMAND

With this option, you’ll get the convenience of uninstalling a Win32 application via the Company Portal. This means that your IT can run a lot more efficiently and get things done quickly rather than waiting around for help desk support to address their issues. It’s no surprise then that this was a highly requested feature by users of Microsoft Intune.

If you no longer want a program or perhaps you need the space, uninstallation is going to be a simple and straightforward affair. Because with this particular command, you will only need to pass a single condition to the script. So, as long as you have a valid command line with the correct input, you shouldn’t have any difficulties. A good example of this would be:

powershell.exe -executionpolicy bypass -file Remove-Printer .ps1 -PrinterName “Generic Printer Office1”

DETECTION METHOD

Another element that the Win32 App is going to require is a detection method. Using a detection method is meant to help administrators verify that an application has not already been installed. By detecting the presence of a Win32 App, this will create a scenario where the installation can only proceed if the check proves that the app has not yet been installed.

IT admins can use the printer’s own registry key for this detection. The PrinterName that we mentioned above (the one that will be used during the installation of the printer) will also be the name of the key.

CREATING THE .INTUNEWIN FILE

To begin, both the scripts and the source files must be copied to the same folder.
Then, you can proceed to create the .intunewin file using Win32ContentPrepTool.
Next, navigate to the Microsoft Endpoint Manager admin center.
Create a new Win32 App.
You’ll now be required to select an .intunewin file so you choose the one you’ve just created.
Provide all the app information necessary without leaving out any details.
Now, you can add both the Install and Uninstall commands.

Install command: powershell.exe -executionpolicy bypass -file Install-Printer .ps1 -PortName “IP_10.10.1.1” -PrinterIP “10.1.1.1” -PrinterName “Generic Printer Office1” -DriverName “Generic Driver ABC” -INFFile “CNLB0MA64.INF”

UNINSTALL command: powershell.exe -executionpolicy bypass -file Remove-Printer .ps1 -PrinterName “Generic Printer Office1”

Provide all the necessary information in the app requirements section.
Under Detection, select Manually configure detection rules and then select Add.
Next, for the detection method, you can use the values listed below. Just ensure the Key/Name accordingly.
Rule Type Registry
Key path

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion\ Print \ Printers \ Generic Printer Office1

Value Name Name
Detection method String comparison
Operator Equals
Value Generic Printer Office1
The last thing you’ll need to do is make sure that the app is assigned to the correct Users/Devices Group.

INSTALLATION MONITORING

Admins who have created an “Available” assignment for a user group can perform the installation of the Win32 App from the Company Portal. To view the generated log file, you can look in the systemroot %temp% folder. After all this is done, you can check the Printer, Driver, and Port installation using printmanagement.msc.

Wrap up

Having a modern printing setup and solution is something that can be extremely beneficial for your business. It can help your employees work more efficiently, increase productivity levels, safeguard sensitive documents from prying eyes, and many other benefits. A great way to install your Printer Drivers and Printers from Microsoft Intune is by using Win32.

This method, as described in this article, is not as complicated as you may imagine and can simplify the process of modernizing your printing setup and solutions. As long as you meet a few of the requirements that are listed, then your IT admins won’t face too many difficulties. So, if you’re looking for ways to upgrade the way your business operates, then you could hardly go trying by trying this method for your organization.

Enhancing Apple Device Management With Microsoft Intune

Posted on May 16, 2024 by Thomas.Marcussen

The technology that we have available to us today intends to make the user experience as smooth as possible. With increasing cybercrime causing headaches for plenty of businesses, the need to constantly improve continues. Security protocols and device management are very high priorities for every organization.

One area that plays a significant role in improving any organization’s security posture is identity management. The best solutions on the market offer a seamless user experience that can improve how users interact with their devices.

It’s always interesting to look at how products and services from different organizations can combine. Ideally, separate brands fuse the best of what they each have for the benefit of their customers. It’s with this in mind that we want to look at how Microsoft Intune and Apple Identity Services do something similar. Both are bringing great solutions to their clients to improve security, as well as secure the user experience.

Microsoft Intune has a lot to offer

As we all know, Intune is a fantastic endpoint management solution. It simplifies app and device management across your various devices. This can include mobile devices, desktop computers, and virtual workstations.

So, it’s perfectly understandable why Intune is such a popular solution for many organizations. It’s a platform that is not only for Windows devices, but it also works brilliantly to improve Apple device management.

Your security will immediately improve because Intune ensures your macOS software is up to date. It then minimizes vulnerabilities by reducing manual tasks. Customers can expect a native macOS software update client experience, as well. This is because of how system update policies for macOS in Intune are built on Apple’s MDM commands. By implementing measures such as these, Intune helps you to reduce the overall attack surface of your business.

SIMPLIFIED APP MANAGEMENT

Another thing you can look forward to is doing away with the trouble of app conversion. This is because Intune is introducing a new application deployment service. Additionally, this new service leverages the Intune MDM agent to install, monitor, and report DMG-type applications. This ability will enable you to deploy in-place DMG app upgrades. It’s also capable of reducing some of the burden on IT staff while also making tasks easier.

In addition to this, Microsoft has been working on a solution that will simplify the deployment of apps. It will do so with custom scripts and apps that are unsigned. This new option, which leverages the Intune MDM agent to deploy PKG-type installers, is going to improve flexibility and customization. But, even with these changes being made, Microsoft has assured its customers that support for the native PKG-type app management experiences for macOS will continue.

ENHANCED USER EXPERIENCE

The provision of a consistent onboarding experience for all Apple devices is a top priority to enhance the experience for all users. Intune will be leaning on the Just-In-Time (JIT) macOS/iPadOS enrollment experience. This simplifies the Mac device onboarding process for users with corporate-owned devices.

Once enrollment finalizes, users can log in on the Enterprise Single Sign-On extension. From there, you can establish SSO across Azure AD-enabled apps and use their Azure AD password to log on to their Mac.

Coupled with the consistent onboarding experience, Intune is also determined to speed up the iOS enrollment process. Because of what the JIT functionality can offer, the iOS Company Portal app will no longer be necessary for AAD registration.

We’ll see a move towards web-based device enrollment, which is going to offer a swifter end-to-end enrollment process. This is a result of the reduced need to switch back and forth between the apps in addition to fewer authentication steps.

EFFICIENT DEVICE MANAGEMENT

Microsoft has also been working on a solution that supports local administrator account and local primary account creation during macOS ADE. This will allow customization of local administrator settings within new and existing macOS enrollment profiles for devices enrolling with user-device affinity.

A couple of years back, Microsoft Intune announced support for Declarative Device Management (DDM). Intune also extended DDM to the macOS settings catalog.

Arguably, one of the best things about DDM is how it can easily co-exist with the standard MDM protocol. It does so without negatively affecting the end-user experience. Customers can send the policies they have created in the settings catalog as well as DDM-based policies to DDM-enabled devices. They can also send the standard MDM-based policy to those devices using the older protocol.

Apple Identity Services

One of the things that have helped Apple distinguish itself over the years is excellent data and device security. In a world where nefarious actors are constantly attempting to exploit device vulnerabilities, businesses need solutions to safeguard their data. With Apple Identity services, your organization will get a product that can securely manage usernames and passwords.

The first measure we’ll talk about is authentication. This action refers to the process of verifying the identity of a user. Apple uses several authentication methods, such as single sign-on. Apple also provides for services, like personal Apple ID, Managed Apple ID, iCloud, iMessage, and FaceTime.

Once authentication measures verify the identity of a user, you then have authorization. This determines precisely what users are allowed to do. For this process, you need to provide a username and a password to an identity provider (IdP).

Essentially, what you have is an identity provider that functions as the authority. The username and password are also the assertion. Together with authentication and authorization, we can also talk about identity federation.

This process will establish trust between two parties and authenticate users. The result enables the linking of a user’s identity across multiple separate identity management systems. The identity federation process can only work effectively if admins set up domains that trust each other. And there also needs to be a single method to identify users.

Enhancing Authentication with Platform Single Sign-On

Users constantly need the services they use to improve so that they can better interact with technology and work more efficiently. In light of this, Apple saw it fit to introduce Platform Single Sign-On, which represents the evolution of authentication protocols.

This solution is replacing Active Directory, binding and simplifying life for users by requiring them to sign in only once. This is possible because, upon a successful user login, the local account credentials synchronize with the IdP. And it allows the user access to various other resources without needing to enter their password again. Platform SSO supports several authentication methods with an identity provider (IdP):

Password and encrypted password
Password with WS-Trust
User secure enclave key
SmartCard

New local user accounts are set up on demand by Platform SSO (PSSO) at the login window using IdP credentials. The service can also integrate IdP group membership with macOS. And in addition to this, network accounts can be used for authorization, and groups may also authorize network accounts.

Authentication

As new users go through the authentication process using credentials from their organization’s IdP, they can now have new local user accounts automatically created by macOS. The benefits of this to your organization are several, including:

Better user experience – time is of the essence. And with a setup like this, new users won’t require pre-configured accounts, therefore allowing them a much swifter start. As one can imagine, this makes it an excellent solution in environments where device sharing is required.
More robust security – the use of user-unique credentials helps to significantly strengthen your organization’s security when users access their devices. Not only that, but the uniqueness of these credentials makes it easier to keep track of all users’ access and activities.
Lighten the burden on IT – most of us are aware of how taxing the manual tasks that IT staff have to undertake can be. So, this solution brings automation to the user creation process will undoubtedly be gladly welcomed by IT staff. No longer will IT pros have to go through the tedious process of manually setting up accounts for each new user.

REQUIREMENTS FOR LOCAL ACCOUNT CREATION

But, before moving ahead, you should know that there are a few requirements. Your organization needs to meet the following for you to take advantage of local account creation.

UseSharedDeviceKeys – to enable this, you’ll need to use a shared device key that enables the device to have a trusted connection to the Entra ID, regardless of the user.
Connectivity with the Identity Provider – your device should be able to connect to your Entra ID. Without this connection being established, authentication of user credentials won’t be possible neither will the user be able to be authorized to access the device.
Device State – Login Window with FileVault Unlocked – the device in question should be at the login window, and you also need to ensure that the FileVault is unlocked. The importance of this state is that it establishes that the device is secure while simultaneously verifying its readiness to set up a new user account when authentication has been successfully completed.
MDM Support for Bootstrap Tokens – ensure that Bootstrap Tokens are supported by the MDM system. These tokens are integral to the delivery of a seamless user experience within a highly secure environment. This becomes even more evident in situations that require the creation of new user accounts on macOS devices.
User Authentication – as soon as you have met all the requirements, users can then begin the authentication process using their Entra ID username and password or a SmartCard.
Assignment of User Permissions – the Identity Provider groups will determine the assignment of post-authentication, user permissions.
Defining Access Levels through MDM Profiles – to ensure organizational security of the highest standard, all newly created accounts should have their access levels carefully defined. Intune profiles will play a central role during this process and are responsible for determining which users have standard user permissions, administrator privileges, or permissions based on their group membership in Entra ID.

Creating extensions that support platform SSO

Performing single sign-on with an identity provider requires the creation of an SSO extension to support PSSO and implement the required functionality. Additionally, you need to specify the grant types that the extension and IdP support. In macOS 14.0 and later, implement supportedGrantTypes() and return:

Password: password

Secure enclave key, SmartCard, and encrypted password: jwtBearer

WS-Trust: saml1_1 or saml2_0

For PSSO 2.0, there will be a new key service for SSO extensions and IdPs. This is going to allow for an alternative registration flow and additional login configuration. Before you can use it, however, there is a need to implement protocolVersion() in the extension and return ASAuthorizationProviderExtensionPlatformSSOProtocolVersion.version2_0 to indicate that the extension and the IdP server support PSSO 2.0. To complete this section, you need to enable a ticket-granting ticket with Kerberos SSO extension, as well as use diagnostics to iterate on the configuration during development.

REGISTRATION OF USERS AND DEVICES

After creating an SSO extension, there are a few steps to follow to register devices and users with an identity provider, and it’s the PSSO that calls the extension to perform these steps. The extension will first register a device before registering users on that same device. Your SSO extension needs to implement the ASAuthorizationProviderExtensionRegistrationHandler protocol to support registration.

Device registration

The SSO extension will use the following to register a device:

beginDeviceRegistration(loginManager:options:completion:)

Furthermore, the extension will need to:

Register the device with its associated IdP.
Provide the login configuration to Platform SSO.
Execute the completion handler.
User registration

Successful device registration completes with the following result:

ASAuthorizationProviderExtensionRegistrationResult.success

Once complete, the SSO extension should then proceed with user registration through:

beginUserRegistration(loginManager:userName:method:options:completion:)

The system is designed such that all users on a device will need to use the login configuration, and this also includes when the system creates new users during login. In situations where shared keys are being used, user registration will only begin for each subsequent user on the device. Therefore, when new users are created during login, they will be prompted to start registration when they reach the desktop.

After completion of the registration process, the SSO extension is required to call the completion handler. Following this, the users need to authenticate using the new configuration, which can use platform SSO immediately.

Finally, if the extension supports the PSSO 2.0 protocol methods and the system uses password authentication, a new key will be provisioned by the key service and linked to the user account.

Microsoft introduces Platform SSO for macOS

In 2023, Microsoft announced Platform SSO for macOS. This feature is meant to be an enhancement that will give users of macOS devices a more seamless experience with even better security. What users can expect from this is a solution that enables them to use Touch ID to unlock their device and thereby eliminate the need to enter a password.

Users will then be signed into Entra ID under the hood with a device-bound cryptographic key. Because of the use of phishing-resistant credentials, your business can save money by removing the need for security keys or other hardware.

Adding to user convenience will be the fact that after signing in, the existing Microsoft Enterprise SSO plug-in ensures that you remain signed into the apps you use for work.

However, there is an alternative for those who may not yet be ready to completely remove passwords from Entra ID sign-ins. In this scenario, Platform SSO for macOS allows you to synchronize local account passwords with Entra ID passwords so that users can use one credential across their macOS devices. Furthermore, Platform SSO for macOS will enable administrators to configure the end-user authentication method.

The admins can then set up a phishing-resistant credential or a traditional password as the authentication method. You can easily prepare your business for Platform SSO for macOS by taking the steps given below:

Deploy the Microsoft Enterprise SSO plug-in.
Ensure that users are registered for Microsoft Entra ID multifactor authentication, and for the best experience, Microsoft Authenticator is recommended for this process.
Update macOS devices to macOS 13 (Ventura) or later.

Microsoft Enterprise SSO plug-in for Apple devices

Using the Microsoft Enterprise SSO plug-in for Apple devices, clients will get single sign-on for Microsoft Entra accounts on macOS, iOS, and iPadOS. And they can do so across all applications that support Apple’s enterprise single sign-on feature. Probably the biggest advantage of this plug-in is that it enables SSO for older applications that are integral to your business operations but don’t have support for the latest identity protocols.

To ensure that users would get the best possible experience, the final product that we get resulted from the efforts of both Microsoft and Apple working together. At the moment, you can get the Enterprise SSO plug-in as a built-in feature of Microsoft Authenticator (iPadOS, iOS) and Microsoft Intune Company Portal (macOS).

WHAT FEATURES DO YOU GET?

The Microsoft Enterprise SSO plug-in for Apple devices comes with several attractive features, including:

Single sign-on for Microsoft Entra accounts for all apps that support the Apple Enterprise SSO feature
Supported in both device and user enrollment, and you can use any mobile device management service of your choice to enable it.
Available for applications that don’t yet use the Microsoft Authentication Library (MSAL).
Also offers SSO to apps that use OAuth 2, OpenID Connect, and SAML.
End-users can be assured of a smooth experience when the Microsoft Enterprise SSO plug-in is enabled because of how it is integrated with the MSAL.

REQUIREMENTS

Device Requirements	iOS Requirements	macOS Requirements
The device must support and have an installed app that has the Microsoft Enterprise SSO plug-in for Apple devices: iOS 13.0 and later: Microsoft Authenticator appiPadOS 13.0 and later: Microsoft Authenticator appmacOS 10.15 and later: Intune Company Portal app Devices should be enrolled in MDM. Because Apple requires this security measure, configuration needs to be pushed to the device to enable the Enterprise SSO plug-in	Devices need to have iOS 13.0 or higher. Devices will also require a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Microsoft Authenticator app.	Devices need to have macOS 10.15 or higher. Devices will also require a Microsoft application that provides the Microsoft Enterprise SSO plug-in for Apple. The app in question is the Intune Company Portal app.

HOW DOES THE SSO PLUG-IN WORK?

As mentioned before, this plug-in came about because of the efforts of both Microsoft and Apple. So, it’s not too surprising that the plug-in is reliant on the Apple Enterprise SSO framework. Once an identity provider has joined this framework, it can intercept network traffic for its domain as well as modify how those requests are managed. Native applications will also be able to implement custom operations and communicate directly with the SSO plug-in.

Wrap up

The integration of products and services from different tech companies can provide countless benefits for customers. End-user experiences will improve, businesses will get better value for their investment, and tech companies can ensure that their customers get the best possible solutions.

This is why Microsoft Intune has been working with Apple to improve the user experience for Apple device users. Intune wants to be able to offer organizations excellent device management solutions across all devices regardless of preferences.

So, whether you want to use Windows devices or Apple devices, you should be getting great device management options. We all know about Apple Identity Services and how those protocols have given Apple devices the high-level security they have.

Therefore, the fact that Intune measures can co-exist with Apple Identity Services can only be a good thing for customers because this will ultimately strengthen overall security even further, as well as provide a better user experience.

Unleashing The Power of Device Management with Intune and Declarative Management

Posted on March 26, 2024 by Thomas.Marcussen

Many businesses are increasingly adopting mobile devices, such as phones and tablets, as standard tools for their employees. As these devices become more powerful and technologies like 5G become more available, it makes perfect sense for businesses to take advantage if it makes their employees more productive. That’s where device management comes into play.

This has seen many organizations start to implement bring-your-own-device (BYOD) policies as the changes to traditional workplaces pick up momentum. However, there will be a need for effective device management solutions that can reduce the burden on IT staff while simultaneously enhancing the end-user experience.

Solutions such as Apple’s new approach to device management called Declarative Device Management (DDM). Products like these are heralding the future of device management by offering a great array of new features.

What is Declarative Device Management?

Declarative management represents the future of device management. As a relatively new offering from Apple, Declarative Device Management is a transformative update to the protocol. And it brings policy management to devices.

This solution enables devices to be autonomous and proactive. It can also be used together with the existing MDM protocol capabilities. One of the main advantages of having autonomous devices is that they can react to state changes. They then apply management logic to themselves without needing action from the server.

As a result of all this, you’ll get greater performance and increased scalability, which will help keep your organization’s devices running at optimum levels. The ability for devices to be autonomous as well as proactive are the key elements that make declarative management the ideal solution going forward.

Furthermore, declarative management works in a way that keeps devices in the best possible state. It does so, keeping important data secure, regardless of whether or not you have an internet connection. This allows users to have a more responsive experience that can help improve their efficiency.

And to assuage any concerns customers may have, Apple assures clients that although this may be a new offering, the protocol is not. The declarative functionality that is being offered has been built into existing MDM protocols.

Therefore, customers can expect to have access to a device management service that will streamline all management processes. And it improves the experience not only for end-users but for IT admins as well.

Requirements

As with any product, there are minimum requirements to consider if your organization wants to have access to Declarative Device Management.

Operating System	Versions Supported
macOS	Ventura 13 and later
iOS	15 for user enrollment only and 16 and later for all enrollment types
iPadOS	15 and later
tvOS	16 and later
watchOS	10 and later

Advantages of DDM

Probably the biggest benefit that users stand to gain from DDM is the improvement in device performance. With the main features on offer, devices can act proactively and more autonomously. This means that any actions requiring implementation will execute faster because there is no waiting for the server. Because of this efficiency, you should expect to have far more accurate device information that will also report back much faster.

This improvement in how devices run will also be a welcome change for IT admins. With certain actions being automated, administrators will have more time to prioritize and focus on more productive tasks. And all of this happens in a highly secure environment meaning taking advantage of these benefits will not come at the cost of data and device security.

Core data models

Declarative management comes with three main core data models, and these are as follows:

DECLARATIONS

Declarations refer to the payloads that servers define, forward to devices, and represent the state or behavior that businesses want for their devices. There are four types of declarations:

Declaration Type	Description
Configurations	Not dissimilar to what we’ve already been using for the application of settings and restrictions on devices.
Assets	Refers to the reference data that configurations need for large data items and per-user data.
Activations	Group of configurations that are automatically applied to a device. Activations and configurations have a many-to-many type of relationship. Another thing to note is that activations can support complex predicate expressions using an extended predicate syntax.
Management	The role of management is to transmit to the device key information about the organization as well as details about the MDM solutions.

STATUS CHANNEL

The status channel is a key means of communication in declarative management. And it is responsible for conveying information when the state of the device changes. When these changes occur, the device will proactively update the server via status reports containing details of the update. An important thing to note is that the server can be configured to subscribe only to specific status items meaning it will receive only the updates it considers necessary.

EXTENSIBILITY

Extensibility enables organizations to better tailor declarative management to meet their business needs. This feature gives you the flexibility of integrating with other products so that end-users have the best possible options available. What this gives you is a platform that enables both devices and MDM servers the ability to support new features as and when they release.

Introducing DDM to your organization

How to manage the transition to DDM

One of the goals with tech products and services is that the companies developing them should design them to be relatively easy to use if you want to draw in customers. To that end, the transition to declarative device management is much easier because the MDM protocol has various functions.

For instance, you will be able to embed existing profiles into a legacy profile declaration. Another good example would be how you can have an MDM solution take ownership of a profile that has already been deployed and subsequently migrate it into a legacy configuration declaration. The advantage of this action is that it eliminates the need to remove an existing profile to replace it with a configuration that may not be suitable for the user.

Integration of declarative management within the MDM protocol

Part of what makes Declarative Device Management such a great option is how it integrates into the MDM protocol. Not only that, but existing MDM vendors already have access to the features that are on offer.

The significance of integration within the MDM protocol is that declarative management will leverage it for the management of key areas including both enrollment and unenrollment, HTTP transport, as well as device and user authentication.

Moreover, DDM intends to make the transition from existing MDM products as seamless as possible. This means that you don’t have to worry about dealing with disruptive changes to adopt new protocols.

To add to the convenience, you’ll also find that declarations and the status channel will coexist with your existing MDM commands and profiles. By setting it up this way, DDM gives organizations the flexibility to adopt declarative management features at their own pace.

Because of this, you won’t need to immediately update all of your MDM workflows. Another very important thing to note is that declarative management will not affect existing MDM behaviors. What you’ll actually find is that declarative management utilizes existing MDM behaviors using an MDM command for activation and an MDC CheckIn request for synchronization and status reports.

Activating declarative management

We’ll start with a DeclarativeManagement command addition to MDM. This command has two roles that it will play. Firstly, it will activate the declarative management features on a device. Before proceeding with this, however, you need to know that you won’t be able to turn off declarative management once you’ve turned it on. But, you do get a way out of this if the need arises. By having the server remove all declarations, this action will, for all intents and purposes, disable declarative management.

The second thing the command can do is include a payload containing synchronization tokens that will initiate a synchronization flow if necessary. Additionally, there is a new CheckIn request type that devices use to synchronize declarations and send status reports to the server. And the server will give you a response when you use the CheckIn request to synchronize declarations. You can get two types of responses which are:

A manifest that lists the identifier and server token properties of all declarations defined by the server.
Single declarations for the device to apply.

Improved management enhances BYOD

Most of us may have noticed over the last few years that Bring-Your-Own-Device (BYOD) policies are growing in popularity across various business sectors. Similar to declarative management, BYOD can help organizations make better use of the technology available to them and improve the efficiency of their employees.

But, one thing you’ll be quick to notice about employees using their personal devices to connect to enterprise networks is that it can drastically reduce an organization’s capital outlay for devices. And as management solutions continue to get better, the security concerns that you might have about personal devices accessing sensitive corporate data are being addressed.

However, even with the potential financial gains, adopting BYOD policies would still be a difficult sell without effective management services available. This is why services such as Microsoft Intune’s web-based device enrolment for iOS/iPadOS are bringing new features to the table.

What this service will do is eliminate the need for the Company Portal app thereby providing a faster enrollment process that also delivers an improved user experience. Your life as an MDM admin should get somewhat more comfortable given that you’ll now be able to enroll personal devices in Microsoft Intune without users having to first install additional apps.

App or web–based enrollment

Microsoft Intune simplifies device enrollment for Apple users through the availability of Apple device enrollment. This service provides key iOS/iPadOS management capabilities for users in the Microsoft Intune admin center without compromising the security of personal data. When it comes to device enrollment, there are two options: app-based enrollment and web-based enrollment. So, if you navigate to the Intune admin center, the device enrollment options you’ll see are:

Device enrollment with the Company Portal
Web-based device enrollment

You’ll need to create an enrollment profile in the admin center to select and configure enrollment types. To do that:

Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment
Select Enrollment types.

To simplify the process of Microsoft Entra registration within the employee’s work apps and reduce the number of times they have to authenticate, web-based enrollment will leverage just-in-time (JIT) registration with the Apple single sign-on. JIT registration in enrollments can be enabled by creating a device configuration profile with an SSO app extension policy. But, Intune clarifies that using JIT registration with web-based enrollment is not mandatory but it is highly recommended if you want a better experience for end-users.

EXPLAINING JUST-IN-TIME REGISTRATION

According to Microsoft Intune:

“Just in Time registration within the enrollment flow is an improvement to the Setup Assistant with a modern authentication enrollment method since it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking.”

The overall goal of JIT registration is to streamline the process for users by eliminating the Company Portal requirement which by extension removes some of the complex steps that users have had to deal with. By using JIT registration, all users will need to do to enroll their iOS devices is sign in with their corporate credentials.

To successfully complete the enrollment process, users must sign in with their corporate credentials. Doing this will authenticate them via Entra ID and automatically register their device with Intune. Setting up just-in-time registration requires your business to have an active Apple Business Manager or Apple School Manager account as well as devices that are eligible for JIT registration. Additionally, network settings will need configuration accordingly for enrolled devices and Intune to communicate. In the table below, you’ll find the details concerning web and app enrollment:

Specification	App-based enrollment	Web-based enrollment
Supported version	iOS/iPadOS 14 and later	iOS/iPadOS 15 and later
BYOD and personal devices	Yes	Yes
Device associated with a single user	Yes	Yes
Device reset required	No	No
Enrollment initiated by the device user	Yes	Yes
Supervision	No	No
Just-In-Time registration	No	Yes
Required apps	Intune Company Portal app for iOS Microsoft Authenticator	Microsoft Authenticator
Enrollment location	App-based enrollment takes place in the Company Portal app, Safari, and device settings app.	Web-based enrollment takes place in Safari and the device settings app.

Setting up web-based enrollment

Web-based enrollment is designed to speed up the enrollment process and give users a more user-friendly experience. Because users can do all they need to in Safari and in their device settings, the Company Portal app will no longer be required.

Furthermore, once you have enabled JIT registration, Intune can use it with the Microsoft Authenticator app for registration of the device and SSO thus eliminating the need for users to sign in constantly during enrollment and when accessing work apps. To set up web-based enrollment, you’ll need to follow the steps below:

Set up just-in-time registration

Before proceeding, you’ll need to verify that you meet the requirements:

Apple user enrollment: Account-driven user enrollment
Apple device enrollment: Web-based device enrollment
Apple automated device enrollment: For enrollments that use Setup Assistant with modern authentication as the authentication method.

Once you’ve checked the requirements, you can now proceed to create an SSO app extension policy that uses the Apple SSO extension to enable JIT registration. With that done, follow the steps below:

Sign in to the Microsoft Intune admin center.
Navigate to Device features > Category > Single sign-on app extension. Here you need to create an iOS/iPadOS device configuration policy.
Select Microsoft Entra ID for SSO app extension type.
For any non-Microsoft apps using SSO, you must add the app bundle IDs. Because the SSO extension is automatically applied to all Microsoft apps, it’s better not to add Microsoft apps to your policy. This way you can stay away from authentication issues. Also, note that the Microsoft Authenticator app will be later added in an app policy so you should avoid adding it to the SSO extension as well.
Under Additional configuration, add the required key-value pair. For JIT to work properly, you must eliminate trailing spaces before and after the value and key.

Key: device_registration Type: String Value: {{DEVICEREGISTRATION}}

Microsoft Intune also recommends that you add the key-value pair that enables SSO in the Safari browser for all apps in the policy. And similar to the previous step, you’ll need to eliminate trailing spaces before and after the value and key for JIT to work properly.

Key: browser_sso_interaction_enabled Type: Integer Value: 1

Select Next.
For Assignments, you must assign the profile to all users (or designate specific groups), then select Next.
You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
Lastly, you need to head over to Apps > All apps and assign Microsoft Authenticator to groups as a required app.

Create enrollment profile

An enrollment profile is necessary for all devices enrolling via web-based device enrollment. Once created, this profile will initiate the device user’s enrollment experience thereby allowing them to begin enrollment in Safari.

Navigate to Devices > Enrollment in the Intune admin center. Select the Apple tab.
Select Enrollment types (preview) under Enrollment Options.
Select Create profile > iOS/iPadOS.
Go to the Basics page and type in a name and description for the profile. This allows you to distinguish this profile from others in the admin center. Select Next.
Navigate to the Settings page, for Enrollment type, select Web based device enrollment. Select Next.
Head over to the Assignments page and assign the profile to all users or a group of users. Select Next.
You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.

PREPARING EMPLOYEES FOR ENROLLMENT

Employees will be alerted by the app as to the enrollment requirements when they try to sign in to work apps on their personal devices. They will then be redirected to the Company Portal website for enrollment. The other option would involve you giving users an URL that opens the Company Portal website. For those not using Conditional Access, you’ll need to remember to share the enrollment link with device users so that they know how to initiate enrollment. The enrollment steps for device users are as follows:

Open Safari and sign in to your Company Portal website with your work or school account.
Next, you should get a prompt to download the management profile and this will be downloaded by the Company Portal while you wait in Safari.
Navigate to your device settings app to view and install the management profile.
Signing in to a work or school app can only happen after the Microsoft Authenticator is installed. The device will only be ready for use after this installation.
Now you can use your work account to sign in to a work app, such as Microsoft Teams.
You’ll then need to wait while the app identifies the required setting updates.

Wrap up

The future of device management lies in the integration of the best products and services that are available to customers. Often, we can get caught up debating which tech company offers the best services to meet our needs. But, as we are seeing with Microsoft Intune and Apple device management solutions, bringing together great products to coexist can deliver far more for the end-users.

Declarative management looks like a brilliant solution that is going to deliver a seamless user experience that could improve productivity. It’s therefore no surprise that when combined with what Microsoft Intune has to offer, businesses can look forward to better, faster, and more efficient device management.

Microsoft Intune: Management and Security

Posted on February 8, 2024 by Thomas.Marcussen

The way businesses utilize technology has changed significantly over the last few decades. No longer are individuals confined to their desks so that they can use physical desktops for work. With the advent of Bring-Your-Own-Device (BYOD) policies, plenty of organizations are now having employees use personal devices to do their work as well. This gives individuals greater flexibility regarding when, where, and how they can complete their work-related tasks.

However, despite the countless benefits this scenario presents, there is still the issue of organizations securing their data. This is why Microsoft Intune is so important as a cloud-based device and application management solution that gives the organization control over who can access its resources and how. Following on from the previous blogs on planning and designing your Intune environment, today I’ll be continuing our look into Intune.

Identity management

One of the most important areas that your organization should be looking at is identity management. Without this, your organizational security will not be as strong as it should be. When we talk about identity management, this will also refer to all the various user accounts and groups that will be able to access the organization’s resources. It is the role of admins to ensure that identity management is done properly and the responsibilities will include:

Management of account memberships.
Management of settings that affect user identities.
Authorizing as well as authenticating access to resources.
Securing and protecting the identities from actors with nefarious intentions.

The advantage that comes with using Microsoft Intune is that it will carry out all these tasks for you and plenty more. Because it’s a cloud-based platform, Intune can use policies such as security and authentication policies for identity management.

Scenario with existing users and groups

Management of users and groups forms a significant part of endpoint management and if you already have some existing then Intune can help. For organizations with on-premises environments, your user accounts and groups are created and managed in an on-prem Active Directory. And by using any domain controller in the domain, you can quite easily update the users and groups.

When it comes to Intune, you’ll find a central location for user and group management within the Endpoint Manager admin center. Since this admin center is web-based, access to it can be obtained through any device connected to the internet. As an admin, all you need is to sign in with your Intune administrator account. Getting the user accounts and groups into Intune can be done via several methods:

For users of Microsoft 365 with users and groups in the Microsoft 365 admin center, you’ll also find the users and groups in the Endpoint Manager admin center. For users that may have multiple tenants, you’ll need to sign in to the Endpoint Manager admin center, And you’ll do so in the same Microsoft 365 tenant as your existing users and groups.
Those with on-prem Active Directory can use Azure AD Connect to synchronize on-prem AD accounts to Azure AD. And then once these accounts are in Azure AD, you’ll also find them in the Endpoint Manager admin center.
Users and groups can also be imported into the Endpoint Manager admin center from a CSV file. Alternatively, you have the option of creating users and groups from scratch. To create a more structured situation, you can add users and devices to the groups that you add and organize them according to your chosen criteria, for example, location, hardware, department, etc.

Move from machine accounts

A computer account is automatically created every time a Windows endpoint joins an on-premises AD domain. This account can then be used for authenticating on-premises programs, services, and apps. However, you should note that machine accounts are strictly local and so you cannot use them on Azure AD-joined devices. So, in such a case, you would have to opt for user-based authentication to authenticate to on-premises programs, services, and apps.

Roles and permissions control access

Role-based access control (RBAC) is the feature that is used in Intune and the selection of who will have access to what resources is determined by the roles you assign. This will also set the rules clarifying what users can do with those resources. There are some built-in roles that you can find in the Endpoint Manager admin center whose focus is endpoint management. Among these are Policy and Profile Manager, Application, etc.

If necessary, roles will have their read, update, create, or delete permissions but in cases where admins may need specific permissions, custom roles can be created.

Create user affinity when devices enroll

Devices will become associated with a particular user the first time they sign in and this feature is what is known as affinity. This is particularly convenient because users will have available on all their devices all the policies assigned or deployed to their user identities.

Therefore, once associated with a device users will have access to their files, apps, email accounts, and more. Without this association, devices will be categorized as having no user which is often the case with kiosk devices that are focused on specific tasks as well as devices that are used by multiple individuals.

Regardless of which scenario you are dealing with, Intune allows for the creation of the appropriate policies on Windows, macOS, Android, and iOS. So, you’ll need to first establish the intended purpose of a device before proceeding with placing it under management so that you’ll have all the necessary information during enrollment.

Policy assignment with Microsoft Intune

On-premises and cloud-based scenarios have a few differences when it comes to policies. For on-premises scenarios, there are both domain and local accounts, and these accounts will then have group policies and permissions deployed to them at the local, site, domain, or OU level (LSDOU). There is a hierarchy that is followed with OU policies overwriting domain policies, and then domain policies overwriting site policies, and so on.

Alternatively, when it comes to Intune, any policies created therein will have settings for controlling security rules, device features, etc. Users and groups will have these policies assigned to them and unlike with LSDOU, there is no hierarchy.

Management of Windows, macOS, and iOS devices is simplified by the availability of the thousands of management settings that you get in the Intune settings catalogue. Using this settings catalogue will prove to be a relatively easy transition for those using on-premises Group Policy Objects (GPOs).

Securing identities

User identities need to maintain the highest level of security because they are used to access your organization’s resources. Therefore, you need to have measures in place to reduce the risk of unwanted actors potentially accessing these identities. Some of the things you can look at include:

Options that promote a password-less strategy such as Windows Hello for Business that does away with username and password sign-in. This will improve security because by entering a password on your device it will then be transmitted over a network where it can be vulnerable to interception. Not only that but if certain servers are compromised countless stored credentials can be exposed.

Windows Hello for Business

With Windows Hello for Business users have the option of signing in and then authenticating using biometrics. The advantage that this method gives you is that all this information will be stored locally on the device thus eliminating the risk of transmitted data being intercepted. Once you have Windows Hello for Business deployed to your environment, you can now use Intune to create the necessary policies for your devices to configure PIN settings, allow biometrics, and more.

Another option in the password-less strategy category is certificate-based authentication. By using certificates, you can authenticate users to apps and organization resources via Wi-Fi, a VPN, or email profiles. Therefore, certificates offer great simplicity by eliminating the need for entering usernames and passwords.
Next on the list is multi-factor authentication (MFA) which is a feature that you get with Azure AD. As the name suggests, this is an option that will require at least two different verification methods for successful authentication. Once you have MFA deployed to your environment, you could also make it a requirement for enrolling devices into Intune.
Lastly, you can also consider Zero Trust which is a feature that will verify all endpoints, devices, and apps included. By leveraging this option, organizations can significantly reduce the chances of data leaving the organization whether intentionally or by accident. The objective here is to ensure that your organization’s data remains internal.

Device management with Microsoft Intune

Microsoft Intune gives organizations a cloud-based service that is designed to make the colossal task of device management something that is much. Otherwise, you may look at all the laptops, tablets, and mobile phones in your environment and it may be daunting to even think about where to start.

Fortunately, with Intune, you get several policies that enable you to control your organization’s devices. These will help you to manage both organization-owned and personal devices in such a way as to ensure that the organization’s data remains secure. There are several elements that you need to consider when looking at your device management strategy.

Management of personal and organization-owned devices

Plenty of organizations nowadays have embraced Bring-Your-Own-Device policies as part of their overall IT strategies going forward. And allowing employees to access organizational resources using personal devices gives them greater flexibility in how they conduct their work.

Also, it can help the organization save money on purchasing devices for employees. To ensure the security of your organization you can request users to enroll their devices in the organization’s device management services. Admins can then deploy policies and configure device features among other things on these devices.

Alternatively, you can protect app data by leveraging app protection policies like SharePoint and Outlook. Another option you could consider is to combine both of these solutions. When it comes to organization-owned devices it’s a completely different situation because they should be fully managed by the organization.

New and existing devices

Intune allows you to use both new and existing devices. In addition, there is support for multiple platforms including Windows, macOS, Linux, Android, and iOS/iPadOS. However, a few changes could be necessary such as in the case of devices that have another MDM provider which may need a factory reset. Another concern could be that of devices that are still running older OS versions as they may not be supported.

Compliance health status

You need to verify the compliance health of your devices because it is a very important part of managing devices. For your organization to maintain high levels of security it needs to enforce the use of password/PIN rules as well as verify security features on devices.

The role of compliance is to evaluate which devices are compliant with your requirements and which are not. Your organization will be responsible for creating compliance policies that enforce your minimum requirements. This can include ensuring that there is a minimum OS version, blocking simple passwords, etc.

And when you combine these policies with built-in reporting, you’ll not only see which devices are falling under the non-compliant category but which settings exactly are causing them to be non-compliant. What this will do is give you a clear picture of the status of the devices that have access to organizational resources. With Azure AD you also get conditional access which is a solution that enables you to enforce compliance as well as block access to any non-compliant devices.

Controlling device features and assignment of policies

The policies that you can create with Microsoft Intune enable you to control any number of device features. You can also have device groups and with these, your organization can create policies targeted at the device experience or task.

Additionally, you may also create policies with settings that you want to be permanently established on a particular device regardless of the user. Devices can be placed in groups that you can differentiate based on any chosen criteria. These can be things like OS platform, location, function, etc.

Furthermore, groups may contain devices that are shared by multiple users and thus are not associated with one specific user. Generally, we find these dedicated or kiosk devices being targeted at frontline staff but they can also be managed by Intune. Assignment of policies to device groups can be carried out as soon as the groups are ready.

Securing your devices with Microsoft Intune

There are several measures you can take to secure your devices against attacks. These measures can include enabling security features and installing tools like antivirus solutions. Intune can offer your organization additional features to further enhance your security.

Mobile Threat Defense integration

To increase security for both organization-owned and personal devices, Intune enables integration with Mobile Threat Defense (MTD) partners. MTD services operate by scanning your devices and then assisting in addressing any detected vulnerabilities. And these MTD partners will also support the same platforms that are supported by Intune including Windows, macOS, Android, and iOS/iPadOS.

Using security baselines

Another thing that you should be doing is using security baselines on your Windows devices. These pre-configured Windows settings enable you to secure and protect your users and devices by giving you more granular control over security configurations. Not only will you get better overall control but each baseline that you deploy can be customized to apply the settings and values that you want. Therefore, you can take advantage of this to configure your settings specifically for your organization.

Built-in policy settings

You can also leverage built-in policy settings to perform several tasks such as encrypting hard disks, managing software updates, configuring built-in firewalls, etc. Furthermore, you can take advantage of the cloud service known as Windows Autopatch to enhance the security and productivity of your organization. It does this by automating aspects such as the patching of Windows and the updating of Microsoft 365 Apps for enterprise, Windows, Microsoft Teams, and Microsoft Edge.

Endpoint Manager

Lastly, you can use the Endpoint Manager admin center to manage your devices remotely. There are plenty of actions that can be performed remotely and these include locating lost devices, locking or restarting devices, restoring devices to factory settings, and more. Having the option of remote management can be very useful, especially in instances where devices are lost, stolen, or need remote troubleshooting.

App management

We cannot talk about securing an organization’s data if we don’t first address the issue of protecting apps and the data they contain. App management often comes with significant challenges because of where users may source apps that they use to access your organization’s resources. Not to mention LOB apps that need careful management to help secure company data. And this is where Intune can play a key role in facilitating the management of these apps and thus improving your overall security.

App deployment

Your organization can use several different types of apps such as LOB apps, web apps, store apps, etc. Intune makes life easier for you by enabling you to add apps and then deploy them to your devices using the app management policy. The Endpoint Manager admin center has app features that are designed to simplify the process of deploying various types of apps across multiple platforms such as:

Android devices

Through the Endpoint Manager admin center, you’ll get an automatic connection to the Play Store where you can search for apps. Additionally, you can sync with your Managed Google Play account thus gaining access to your Android Enterprise apps. There’s plenty you can deploy on Android devices such as custom LOB apps, public and retail apps from the Play Store, Android Enterprise system apps, and more.

iOS/iPadOS devices

Through the Endpoint Manager admin center, you’ll get an automatic connection to the Play Store where you can search for apps. Additionally, you can sync with your Apple Business Manager/Apple School Manager account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. Similar to Android devices, you can deploy plenty of apps such as custom LOB apps, public and retail apps from the App Store, built-in apps, and more.

macOS devices

You’ll find built-in features in the Endpoint Manager admin center that have apps that plenty of users deploy to macOS. Additionally, you can sync with your Apple Business Manager/Apple School Manager account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. For macOS devices, you can deploy custom LOB apps, Microsoft Defender for Endpoint, Apple disk image apps, Microsoft 365 apps, volume-licensed apps, and more.

Windows devices

Through the Endpoint Manager admin center, you’ll get an automatic connection to the public Microsoft Store where you can search for apps. Furthermore, you can sync with your Microsoft Store for Business account thus gaining access to your volume-licensed apps. After syncing, you can expect to find the apps you purchase automatically appearing in the admin center. When it comes to Windows devices, you can deploy custom LOB apps, volume-licensed apps, Win32 apps, public and retail apps in the Microsoft Store, and more.

App configuration

In an ideal scenario, you want to configure apps before they are installed as this will allow you to set them up the way your organization wants. Otherwise, if apps are deployed to users and devices and then they are required to enter configuration information it may end up creating problems.

So, the best thing for you to do may be to leverage app configuration policies that enable the automatic configuration of apps. You can even make your policies such that users won’t need to enter any information. Moreover, with app configuration policies you get the flexibility to deploy them at any time.

So, something you can do is to include the app configuration policy when users enroll their devices thus allowing you to complete the configuration of apps before users open them the first time.

App security

Another key part of your organization’s security is ensuring that apps are protected on both organization-owned and personal devices. The data in apps that have access to your organization’s data needs to be secured from malicious activity. With this in mind, we can easily see the importance of app protection policies that will help you to secure shared files, email, access to meetings, etc.

App protection policies can be created, configured, and deployed to your users and devices using Microsoft Intune. And this applies not only to personal devices but to devices that may be under the management of another MDM provider as well. As far as organization-owned devices are concerned, they are commonly managed by the organization so app security is not an issue.

However, when these devices may have certain apps that require additional security, app protection policies can also be used. These policies also come in handy when it comes to separating users’ personal data from the organization’s data. Therefore, you’ll have the option to set up policies that require a PIN for opening apps, prevent copy-and-paste between apps, and any other features you may deem necessary.

Updating apps

We all know about the importance of updating our apps for maintaining security standards and improving performance. To make things simpler, when using Intune most apps will get an automatic update if one happens to be available. As already mentioned earlier, Windows Autopatch is another solution that you can use for the automatic patching of Microsoft Edge, Microsoft 365 Apps for enterprise, and Microsoft Teams.

Whenever users install apps themselves, they will need to assume the responsibility of ensuring that these apps are manually updated. And this includes apps that they install from a public app store.

Your organization will want to protect its data and so the best solution, in this case, maybe to use app protection policies. By using these policies, you can enforce minimum app versions as well as wipe the organization’s data from any devices that do not comply with your requirements.

Endpoint security

Next, I want to look at the measures available in Intune to enhance your organization’s endpoint security. Security admins will find in Intune an Endpoint security node that can be used for configuring device security as well as managing security tasks for devices at risk. The comprehensive Endpoint security policies that you get will help you to enhance device security and mitigate risk. Admins will also get via Intune several tools designed for securing devices:

You can use the All devices view to verify the status of all managed devices and assess compliance.
You can utilize security baselines to implement standard security configurations for devices.
The management of security configurations on devices can be done through strict policies.
By using compliance policies, you can set the requirements for your devices and users. And this means that you determine the rules that users and devices need to follow for them to be compliant.
If you integrate Intune with Microsoft Defender for Endpoint this will allow you access to security tasks. The link that exists between Intune and Microsoft Defender for Endpoint due to these security tasks will enable your security team to detect at-risk devices. Subsequently, your Intune admins will then get the necessary information to implement remediation measures.

Device management

There is an All devices view section in the Endpoint security node that has a list of all devices from your Azure AD that are available in Microsoft Endpoint Manager. Using this section can allow you to review the status of devices for information such as the policies that they are not compliant with. Additionally, there are several actions that you can take from this view to remediate various device issues and this can include restarting devices, scanning for malware, and more.

Manage security baselines

Using security baselines is a great way to implement best practice recommendations from the relevant Microsoft security teams. The security baselines for Microsoft Edge, Windows 10/11 device settings, and Microsoft Defender for Endpoint Protection among others are supported by Intune. Leveraging security baselines enables you to quickly deploy the most ideal configuration of device and application settings to improve the security of users and devices.

However, it’s important to note that these baselines are for devices running Windows 10 version 1809 and later, as well as Windows 11. Another thing to note is that you can have several different methods in your environment for device configuration. So, when looking at the management of settings, you need to first establish what other methods may be in use to prevent problems.

Defender for Endpoint tasks

If you have integrated Intune with Microsoft Defender for Endpoint, you’ll have the option to assess Security tasks in Intune to identify devices that are at risk. With that done, you’ll have the information necessary to mitigate the risk. And then after you have successfully mitigated the risks, these tasks can be used to report back to Microsoft Defender for Endpoint.

The Defender for Endpoint team begins by reviewing which devices are at risk and then sends that information along to your Intune team as a security task. The process is a relatively simple one that will see a security task being created to identify the at-risk devices and their vulnerabilities, as well as provide the information necessary to mitigate the risk.
Once the information is passed along, the Intune Admins will review the security tasks before implementing actions within Intune to begin remediating the tasks. After the mitigation has been carried out, the task is set as complete and this will report the update back to the Defender for Endpoint team.

Using policies to manage device security

In the Endpoint security node under the Manage section, you will find security policies. If you are a security admin, these are policies that you will want to consider using to simplify the process of configuring device security. Otherwise, the process can involve a lot more work. For example, you may need to go through the vast number of settings in device configuration profiles or security baselines.

It’s also worth noting that these Endpoint security policies are only one of several methods in Intune that can be used for configuring settings on devices. So you’ll need to first verify what other methods may be in use to prevent problems.

Furthermore, under the same Manage section, you’ll also find Conditional Access and Device compliance policies. These two types of policies aren’t involved in the configuration of endpoints. But they do play a key role in device management and controlling access to your organization’s resources.

Use device compliance policy

These policies set the conditions for users and devices to have access to your organization’s resources. Common policy rules include, enforcing password requirements and requiring specific OS versions, among others. These policies also carry out various actions against non-compliant devices. For example, they’ll notify device users and going as far as retiring non-compliant devices. Also, just like other policies, you’ll want to verify what other methods may be in use in your environment so you can avoid policy conflicts.

Configuration of conditional access

Using Azure AD Conditional Access policies with Intune can enable you to enhance security for your devices and your organization’s resources. After an assessment of your environment has been carried out, Intune will then forward a report concerning device compliance policies to Azure AD.

The latter will then use conditional access policies to determine which devices and apps will be granted access to your organization’s resources. Conditional access policies may also be used to control access for devices that are not under Intune management. You will most likely be using device-based conditional access or app-based conditional access with Intune.

Set up Integration with Microsoft Defender for Endpoint

If you want to improve how your organization identifies risks and responds to them then integrating Microsoft Defender for Endpoint would be ideal. There are several MTD partners that Intune can integrate with to improve security.

However, by integrating Intune and Defender for Endpoint, you get additional benefits. These include access to Tamper Protection capabilities, security tasks, and streamlined onboarding for Defender for Endpoint on clients. Additionally, you’ll have access to Defender for Endpoint device risk signals in Intune compliance policies and app protection policies.

Pre-requisites for role-based access control

The management of tasks in the Endpoint security node of the Intune admin center requires you to have an account that has a license for Intune. In addition, the account should also have RBAC permissions that are equal to the permissions that you find in the built-in Intune role of Endpoint Security Manager. Access to the Intune admin center is something that you’ll obtain because of the Endpoint Security Manager role. Anyone responsible for the management of security and compliance features can utilize this role.

Permissions granted by the Endpoint Security Manager role

Android FOTA	Read
Android for work	Read
Audit data	Read
Certificate connector	Read
Corporate device identifiers	Read
Derived credentials	Read
Device compliance policies	AssignCreateDeleteReadUpdate View reports
Device configurations	ReadView reports
Device enrollment managers	Read
Endpoint protection reports	Read
Enrollment programs	Read deviceRead profileRead token
Filters	Read
Intune data warehouse	Read
Managed apps	Read
Managed devices	DeleteReadSet primary userUpdateView reports
Microsoft Defender ATP	Read
Microsoft Store for Business	Read
Mobile Threat Defense	ModifyRead
Mobile apps	Read
Organization	Read
Partner device management	Read
PolicySets	Read
Remote assistance connectors	ReadView reports
Remote tasks	Get FileVault keyInitiate Configuration Manager actionReboot nowRemote lockRotate BitLockerKeys (Preview)Rotate FileVault keyShut downSync devicesWindows defender
Roles	Read
Security baselines	AssignCreateDeleteReadUpdate
Security tasks	ReadUpdate
Telecom expenses	Read
Terms and conditions	Read
Windows Enterprise Certificate	Read

Avoid Policy Conflicts

In Microsoft Intune, what you’ll find out is that plenty of the configurable settings for the various devices can also be managed by different features. Some of the features on this list include device configuration policies, security baselines, Windows enrollment policies, and endpoint security policies among others.

A scenario that you can consider is that of Endpoint security policies with settings that are a subset of the settings that you’ll also find in endpoint protection and device restriction profiles in the device configuration policy. You should keep in mind that they are managed through various security baselines.

So, if you want to steer clear of conflicts then you must avoid using different baselines, instances of the same baseline, or different policy types and instances to manage the same settings on a device. Achieving this will require meticulous planning so that you clearly determine which methods will be used for configuration deployment. Fortunately, however, if you do encounter conflicts Intune has built-in tools that enable you to identify and resolve those conflicts.

Wrap up

The modern work environment has a lot going on in the IT department and this can be overwhelming for IT staff. With the advent of Bring-Your-Own-Device policies, no longer are you only concerned about physical desktops in the office. Employees have tablets, mobile devices, and personal laptops that can be used for work-related tasks. With that being the case, it means that these devices need to have access to organizational resources. And this is when security concerns become an issue.

This is why it’s important to have management solutions such as Microsoft Intune. Using this cloud-based platform gives you a solution that simplifies the management of the vast number of devices that have access to your organization’s data.

Additionally, you benefit from numerous management policies that ensure that all those devices are compliant with company regulations thus maintaining a high level of security for your company’s data. So, whether or not you already have a management solution in place, Intune is certainly worth considering.

Key Things To Know About Windows Safeguard Holds

Posted on January 9, 2024 by Thomas.Marcussen

Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.

But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.

What are Windows safeguard holds?

By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or rollback. In the instances where such issues arise, applying safeguard holds to update service helps.

Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.

With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.

Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.

Looking at issues

When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But, what exactly are these issues? There are known issues. These are problems that can manifest after an upgrade is discovered by Microsoft or reported by clients or partners. Only after assessment and confirmation of an issue, for a specific set of devices, can it fall under known issues.

The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.

Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.

How does it work?

Here are additional aspects to understand when recognizing how Windows safeguard holds work.

Identification of known issues

As one would expect, the process would naturally start by identifying the relevant issues. Microsoft has a setup that allows for the collection of feedback from various channels. This information is regarding known issues about a Windows update, now collected for your review.

Although there is an internal testing process, Microsoft also requires feedback from Windows Insiders, clients, and partners. And then, as issues are identified, device-specific criteria develop and for application to affected devices as a safeguard hold. These devices will no longer have access to updates until a fix is found and implemented.

Identification of likely issues

For the safeguarding of likely issues, Microsoft can use data obtained across millions of daily devices. Unmanaged by IT, these devices are installing the upgrade from the Windows Update.

All the diagnostic data that Microsoft has from the millions of client devices feeds into the machine learning system. From this, identity patterns associated with update-related disruptions can then be automatically identified. All data usage follows Microsoft’s privacy policy.

Safeguarding of devices

The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.

This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:

Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.

Known and Unknown Issues

In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.

When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:

In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.

When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.

So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.

Taking advantage of Windows safeguard holds

Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.

You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.

§ Pre-requisites

Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:

You need to verify that diagnostic data is set to Required or Optional.
Secondly, you should have the AllowWUfBCloudProcessing policy set to 8. You can see how to do this in Microsoft Endpoint Manager, using Group Policy, or mobile device management.

Something that you do need to be aware of is that safeguards holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment can benefit from optimal user experience and so opting out or doing manual updates is not recommended. However, in strict IT environments and for validation purposes you may still do that.

Keep track of safeguard holds reporting

One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.

For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.

How to opt-out

If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:

Navigate to the Open the Local Group Policy Editor (gpedit.msc).
In that section, look for the policy location in the left pane of the Local Group Policy Editor.
Next, head over to the right pane of Manage updates in the Windows Updates section of the Local Group Policy Editor. Proceed to tap on Disable safeguards for Feature Updates.

Microsoft recommendations

Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.

So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.

There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.

As mentioned previously, this is still only recommended when in strict IT environments and for validation purposes. Furthermore, you should be aware that even if you do opt out, this will be temporary and only lasts the time it takes to complete the update. So as soon as that is done, the safeguard hold is automatically reapplied.

Wrap up about Windows safeguard holds

Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.

That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.

In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.

Microsoft Intune – A Comprehensive Design Guide

Posted on December 28, 2023 by Thomas.Marcussen

So much technological innovation is going on all around us that it can at times be overwhelming to keep up with everything. And mobile device management solutions are no different. Which of the solutions do you pick to ensure that your organization is using the best management solution? Difficult to say.

In fact, plenty of organizations opt for using multiple device management solutions at the same time. Although, there may be advantages to that, finding a single comprehensive solution to provide you with everything you need in a single package offers greater convenience. This is why I’ve decided to write this guide on Microsoft Intune, a solution that can optimize your IT operations to perform at unprecedented levels.

Before you begin

In the first blog of this Microsoft Intune series, I looked at the different stages of planning that you’ll have to go through if you want to have a seamless adoption of Microsoft Intune in your organization. As one would expect, adopting any new technology will bring with it a few teething problems hence the need for a plan that covers as many potential scenarios as possible.

Getting started

Some of the key areas of consideration include:

Have your goals clearly itemized. This includes concerns about data security, device protection, access to organizational resources, and other objectives.
Creating a complete inventory of all the devices in your organization that will have access to company resources. So, this would include both organization-owned and personal devices as well as information about the platforms they are running.
You’ll also need to look at all potential costs and licensing. There will probably be some additional services and programs that you’ll need so all these will need consideration.
You probably already have existing policies and infrastructure that your organization relies on. However, all these will require reviewing when thinking of moving to Intune. This is because you may need to develop some new policies.
With the above in place, you need to determine a rollout plan that has pre-defined objectives and can ensure that the rollout proceeds as smoothly as possible.
As you introduce Intune to your organization, you cannot ignore the value of communicating with your users. People in your organization need to understand what Intune is, what value it will bring to your organization, and what they should expect.
Lastly, it’s crucial that you fully equip your IT support and helpdesk staff. You can do this by involving them in the adoption process from the early stages. Therefore, it enables them to learn more about Intune and gain invaluable experience. With the skills that they acquire, they’ll be able to play important roles in the full rollout of Microsoft Intune as well as help in the swift addressing of any potential issues that arise.

Design creation

After you go through your planning phase, you can start to look at creating a specific design for your organization’s Microsoft Intune setup. Coming up with a design will require you to review all the information already collected throughout the planning phase.

This is going to allow you to put together information on your existing environment. This includes the Intune deployment options, the identity requirements for external dependencies, the various device platform considerations, as well as the delivery requirements. One of the great things about Microsoft Intune is that you don’t need to worry about significant on-premises requirements to use the service.

However, having a design plan is still a good idea because it allows you to have a clear outline of the objectives that you want to achieve so that you can be certain about choosing the management solution.

Assessing your current environment

A logical place for you to begin your planning is with your current environment. Having a record of this environment can help to further clarify where you currently are and what the ultimate vision is. This record can also serve you well during the implementation and testing phases. There you can make numerous changes to the design.

Recording the environment

There are several methods for recording your existing environment such as:

Identity in the cloud – you can note if your environment is federated. Additionally, you can determine MFA enabling. Also, which of Azure AD Connect or DirSync do you use?
Email environment – you need to record what email platform you currently use. Also consider if it is on-premises or on the cloud. And if you’re using Exchange, for instance, are there any plans for migrating to the cloud?
Mobile device management solutions – you’ll need to go over all the mobile device management solutions (MDM) currently in use. Also consider what platforms they support. It’s also important to note down which solutions you’re using for corporate as well as BYOD use-case scenarios. Additionally, it’s useful to have a record of who in your organization is using these solutions, their groups, and even their use patterns.
Certificate solution – note whether or not you have implemented a certificate solution, including the certificate type.
Systems management – have a detailed record of how you manage your PC and server management. This, means you have to note what management platform you are using, whether it’s Microsoft Endpoint Configuration Manager or some other third-party solution.
VPN solution – you should note what you’re currently using as your VPN solution of choice. And if you’re using it for both personal devices and organization-issued devices.

Note to consider

In addition to having a detailed record of your current environment, it’s also important to not forget any other plans in the works. Or consider those on the docket for implementation. Especially if they could affect what you have already noted down in the record of your environment. For instance, your record could show that multi-factor authentication is off. Still, you could be planning to turn it on in the near future so you’ll want to highlight this coming change.

Intune tenant location

The location where your tenant will reside is extremely important to decide before making the decision to subscribe to Microsoft Intune. And this is especially so for organizations that operate across different continents. The reason why it’s so important to carefully think this through, is that you’ll need to choose the country/region when you are signing up for Intune for the first time. After you have made your selection, you won’t have the option to change your decision later on. The regions that are currently available for selection include North America, Europe, the Middle East, Africa, as well as Asia and Pacific.

External dependencies

When we talk about external dependencies, we are referring to products and services that are not part of the Intune package. But they may be part of the prerequisites to use Intune. In addition, they could also be elements that can integrate with Intune. Given how integral external dependencies may be to your use of Intune, you’ll need to have a comprehensive list of any and all requirements. Make sure they’re for these products and services as well as the instructions for their configuration.

Below we’ll look at some of the more common examples of external dependencies that you will encounter:

Identity

Simply put, identity gives us the element through which we can recognize all the various users that belong to your organization as well as those enrolling devices. If you want to use Intune then you’ll need to be using Azure AD as your user identity provider. This comes with several advantages. One such benefit is enabling IT admins to enhance organizational security by controlling access to apps and app resources. Therefore, it’s easier to meet your access governance requirements. App developers will also benefit from the ability to leverage Azure AD APIs for creating personalized experiences using organizational data.

For those that are already using Azure AD, you’ll get the added convenience of continuing with the current identity that you have in the cloud. Not only that, but you also get the added benefit of Azure AD Connect. This happens to be the ideal solution for synchronizing your on-prem user identities with Microsoft cloud services. For organizations that already have an Office 365 subscription, the best scenario would be to ensure that Intune also uses the same Azure AD environment.

User and device groups

These groups play an important role as they are responsible for defining who exactly the target of a deployment will be. This will also include profiles, apps, and policies. It’s therefore important to come up with the user and device groups that your organization will need. And the best way to go about this may be for you to start by creating these groups in the on-premises Active Directory. And then once you have done this you can proceed to synchronize to Azure AD.

Public key infrastructure (PKI)

The role of PKI is to provide users or devices with certificates that will enable secure authentication to various services. So, when considering adopting Microsoft Intune you should be aware that it supports a Microsoft PKI infrastructure. Mobile devices can provide device and user certificates, so you meet all certificate-based authentication requirements. However, before you proceed with the use of certificates, you’ll need to verify a few things first:

Check whether or not you even need the certificates.
Check if certificate-based authentication provides support by the network infrastructure.
Lastly, you need to verify whether there are any certificates already in use in the existing environment.

For some, they may need to use these certificates with VPN, Wi-Fi, or e-mail profiles with Intune. But to do that, you first need to check if you have a supported PKI infrastructure in place. It needs to be ready for the creation and deployment of certificate profiles. Furthermore, when it comes to the use of SCEP certificate profiles, you have to decide how to host the Network Device Enrollment Service feature. Not only that, but you also need to determine how to carry out any communication.

Pre-requisites for devices

As you proceed with your design plan for Microsoft Intune, you’ll also need to turn your focus over to devices and the requirements. Expectedly, as with any management solution, there will be devices to consider. But there will also be platform considerations that will determine suitability for Intune management.

Device platforms and Microsoft Intune

One of the most important parts of the design plan is to consider the device platforms that will be supported by your chosen management solution. Therefore, before making the final decision about whether or not to go with Intune, you should create a complete inventory of the devices that will be in your environment. Then crosscheck whether or not they have proper support by Intune.

Understanding systems

The table below contains the supported configurations.

Operating systems	Android iOS/iPadOS Linux macOS Windows Chrome OS
Apple (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require iOS 14.x or later. The same requirement also applies to Intune app protection policies and app configuration.)	Apple iOS 14.0 and later Apple iPadOS 14.0 and later macOS 11.0 and later
Android (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require Android 8.x or later. However, for Microsoft Teams Android devices, support will continue so this requirement does not apply. And then for Intune app protection policies and app configuration delivered via Managed devices app configuration policies, the requirement is for Android 9.0 or higher.)	Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements) Android enterprise: requirements Android open source project devices (AOSP) supported devices RealWear devices (Firmware 11.2 or later)HTC Vive Focus 3
Linux (It’s to be noted that Ubuntu Desktop already has a GNOME graphical desktop environment installed)	Ubuntu Desktop 22.04.1 LTS with a GNOME graphical desktop environment. Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment.
Microsoft (Microsoft Endpoint Manager can still be used for the management of devices running Windows 11 the same as with Windows 10. Unless explicitly stated otherwise, assume that feature support that only mentions Windows 10 also extends to Windows 11. In addition, you should also note that configuring the available operating system features through MDM is not something that is supported by all Windows editions.)	Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions) Windows 10/11 Cloud PCs on Windows 365 Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions) Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode) Windows Holographic for Business Surface Hub Windows 10 Teams (Surface Hub)
Microsoft Intune-supported web browsers	Microsoft Edge (latest version) Safari (latest version, Mac only) Chrome (latest version) Firefox (latest version)

Devices

By using Microsoft Intune, organizations can manage mobile devices more efficiently in a way that can enhance the security of organizational data. This means that the risk of malicious activity is reduced. And users can thus work from a greater number of locations. One of the greatest benefits of device management solutions such as these is that they can be both cost-efficient and convenient. This is because they support a wide variety of device types and platforms.

As a result of this, organizations are less likely to need to invest in new devices. And users can utilize the personal devices they already own in BYOD scenarios. With all this, however, it’s even more important for you to come up with a comprehensive template detailing what device types, OS platforms, and versions you will allow to have access to your organization’s resources.

Device ownership

As already mentioned, Microsoft Intune offers support for a wide variety of devices. And these devices can either be personal or organization-owned. When devices are enrolled via a device enrollment manager or a device enrollment program, they fall under the category of organization-owned devices. So, for instance, all devices that you enroll using the Apple Device Enrollment Program will categorize as organizational devices. Subsequently they will add to the device group, which will receive organizational policies and applications.

Bulk enrollment

As an organization, when enrolling a large number of devices into Intune, the process is simplified by the availability of a bulk enrollment feature. This feature provides you with a quick and easy way of setting up a large number of devices for management. A few use case examples. These include setting up devices for large organizations, setting up school computers, and setting up industrial machinery, among others. Intune has different ways to process the bulk enrollment of devices so you’ll need to determine which method fits best with your Intune design plan.

Design requirements and Microsoft Intune

When making the design considerations, there are specific requirements you’ll need to look at for the Intune environment that you want to establish. There may be instances that require you to make adjustments to the general advice that you get concerning Intune deployment.

It’s essential to ensure that certain capabilities will meet the requirements for the use cases needed for your organization. These features include configuration policies, compliance policies, conditional access, terms and conditions policies, resource profiles, and apps.

Microsoft Intune Configuration policies

You can use configuration policies for the management of the security settings on devices in Intune in addition to the features, as well. It’s important that you design configuration policies that follow the configuration requirements by Intune devices. And the necessary information to design your configuration policies in this manner are in the use case requirements section. This enables you to note the settings and their configurations. Not only that, but you’ll need to make sure to verify to which users or device groups to apply certain configuration policies. The various device platforms that you use will need to have at least one configuration policy assigned to them or even several whenever the situation calls for it.

Compliance policies and Microsoft Intune

These types of policies are responsible for establishing whether devices are complying with the necessary requirements. Therefore, determining whether or not a device is compliant becomes a significantly easier matter for Intune. And this is very important because it allows for devices to categorize as either compliant or non-compliant. And that status can then determine which devices are given access to the organization’s network and which ones to restrict.

Furthermore, if you intend on using Conditional Access, then it will probably be in your best interests to create a device compliance policy. Before you can decide on your device compliance policies, you may again want to refer to the use cases and requirements section. This will provide you with the necessary information concerning the number of device compliance policies you’ll require. It will also help you decide which user groups you’ll be applying them. Lastly, you need to have clearly defined rules. These will detail how long devices are allowed to remain offline before they move to the non-compliant list.

Conditional Access for Microsoft Intune

Conditional access plays the role of enforcer for your organization’s policies on all devices. That means that if any device fails to comply with your requirements, conditional access measures can implement. They will prevent them from accessing organizational resources such as email. When it comes to Intune, you’ll also benefit from its integration with Enterprise Mobility + Security. This will give your organization better protocols to control access to organizational resources. So, when it comes to your design plan you still need to look at Conditional Access. You’ll also decide whether or not you need it and what you’d want to secure with it.

Terms and conditions

Terms and conditions are essential for determining your organization’s requirements for any users that want access to the network. This is especially important in BYOD scenarios where some users may not be willing to meet those conditions. So, by establishing terms and conditions, your organization can give users an ultimatum if they want to access the organization’s resources. With Intune, you also get the option to add and deploy several terms and conditions to your user groups.

Profiles

Profiles play a key role by enabling the end user to connect to company data. To cater to the multiple scenarios that your organization may encounter, Intune provides several types of profiles. The information that you need, concerning the timeline for the configuration of the profiles, is obtainable by going through the section on use cases and requirements. Planning is easier because you’ll find all the device profiles grouped according to platform type. Profile types that you need to know about include email profiles, certificate profiles, VPN profiles, and Wi-Fi profiles.

Email profile

Email profiles are responsible for several capabilities. These include reducing the workload of support staff and enabling end-users with access to company email on their personal devices. Email clients will automatically set up with connection information and email configuration. Moreover, all this can be done without users having to perform any setup tasks. So this will ultimately improve consistency. However, not all of these email profiles will have support, on all devices.

Certificate profiles

Certificate profiles are the elements that enable Microsoft Intune to provide certificates to users or devices. The certificates that Intune supports include Trusted Root Certificate, PFX certificate, and Simple Certificate Enrollment Protocol (SCEP). For SCEP, all users who will receive it are going to need a trusted root certificate. This is because the latter is a requirement for SCEP certificate profiles. So, before you proceed make sure to have a clear idea of the SCEP certificate templates that you’d like to use. Your design plan should include a record of the user groups that require certificates. It should also include the number of certificate profiles needed, and to which user groups they’ll be targeted.

VPN profiles

Virtual private networks enable internet users to have secure access from almost any location across the globe. And using VPN profiles achieves the same thing for your organization’s users. They will be able to have secure access to the organization’s networks even from remote locations. Furthermore, Intune widens the options available to you by supporting VPN profiles from native mobile VPN connections and third-party vendors.

Wi–Fi profiles

Wi-Fi profiles are important tools that enable your mobile devices to automatically connect to wireless networks. Using Intune, you can deploy Wi-Fi profiles to the various supported platforms. The device platforms that Wi-Fi profiles support include Android 5 and newer, Android Enterprise and kiosk, Android (AOSP), iOS 11.0 and newer, iPadOS 13.0 and newer, macOS X 10.12 and newer, Windows 11, Windows 10, and Windows Holographic for Business.

Microsoft Intune Apps

When using Intune, you’ll have the option to deliver apps to users or devices using any number of different ways. The apps that you can deliver cover a wide range including apps from public app stores, managed iOS apps, software installer apps, as well as external links. Moreover, this capability extends beyond individual app deployments. You’ll also be able to manage and deploy volume-purchased apps that you may have obtained from volume-purchase programs for both Windows and iOS.

App type requirements

Your design plan needs to include clear details regarding the types of apps that you will allow Intune to manage. This is especially necessary when you consider how apps deploy to users and devices. Information that you should consider for your criteria includes whether or not these apps will require integration with cloud services as well as the deployment measures you’d like to use.

You also need to decide if you’ll be availing these apps to employees using their personal devices and if users will need to have internet access to use the apps. Additionally, you need to verify if your organization’s partners will require you to provide them with Software-As-A-Service (SaaS) app data. Lastly, you need to check the availability of these apps to see if they will be available publicly in app stores or if they will be uniquely custom line-of-business apps.

App protection policies

These policies intend to safeguard your organization’s data by keeping it secure or contained in a managed app. Generally, these policies are rules that go into play when users try to access or move your organization’s data. These rules may also be enforced if users try to engage in actions that are prohibited or monitored when users are inside the app.

Therefore, you can reduce the risk of data loss because of how apps are set up to manage organizational data. Any app that can function with mobile app management will receive app protection policy support from Intune. It will be up to the organization and the team of admins to determine what restrictions you’d like to place on your organization’s data within certain apps.

Setting up Microsoft Intune

When you have your design plan in place, then you can begin looking at setting up Microsoft Intune for your environment. To do that, there will be a few things that you need to consider.

Requirements for Microsoft Intune

The first thing you need to have is an Intune subscription and the license for this is offered as a stand-alone Azure service. It is a part of Enterprise Mobility + Security (EMS) and is included with Microsoft 365. From your design plan, you’ll have a better idea of what the goals of your organization are and you may end up choosing Microsoft 365 because it comes with all of Microsoft Intune, EMS, and Office 365 apps.

Current status

If your organization doesn’t have any MDM or MAM solutions that it is currently using then Intune is probably the best choice for you. Especially if a cloud solution is what you want and then you’ll also benefit from features like Windows Update, configuration, compliance, and app features in Intune.

You can add Endpoint Manager admin center as well to the list of benefits that will be availed to you. Something that does need to be mentioned is that organizations that use more than one device management solution should consider using only a single one.

And if you’ve been using MDM providers such as MobileIron, Workspace ONE, and MaaS360 you’ll still have the option to move to Intune. This will come with a significant inconvenience, however, because before users can enroll their devices in Intune, they will have to unenroll their devices from the current management platform.

Before you make the move to Intune, you’ll need to note in your design plan all the tasks you’ve been running and the features you need so that you know how to proceed with setting up Intune. Unenrolling devices from your current MDM solution not only presents a challenge but makes devices temporarily vulnerable.

This is because while they are in that unenrolled state, they stop receiving all your policies thus security is compromised. By using conditional access, you can block unenrolled devices until they complete their enrollment in Intune.

You should plan to implement your deployment in phases that start with small pilot groups so that you can monitor the success of your approach. If all goes well you can then proceed with a full-scale deployment. Furthermore, those who currently use Configuration Manager and would like to move to Intune can use the options below:

Add tenant attach

This option offers you the simplest way to integrate Intune with your on-prem Configuration Manager setup. By leveraging this option, you can upload your Configuration Manager devices to your organization in Intune. And then once your devices are attached, you’ll be able to use Microsoft Endpoint Manager admin center to run remote actions including user policy and sync machine.

Set up co-management

With this option, Intune will be used for some workloads and Configuration Manager for others. You need to first navigate to Configuration Manager and then set up co-management. And then you proceed to deploy Intune and that also includes setting the MDM Authority to Intune. Once all this is done, devices will now be ready to be enrolled and receive the necessary policies.

Moving to Microsoft Intune from Configuration Manager

This may not happen often because Configuration Manger users tend to want to stay on this platform. However, making the move is possible if you decide that a 100% cloud solution is what you are looking for. You’ll need to first register existing on-prem Active Directory Windows client devices as devices in Azure AD. Then, you proceed to move your existing on-prem Configuration Manager workloads to Intune. Using this method would be good for providing you with a more seamless experience for existing Windows client devices but the downside is that it will be more labor-intensive for your admins.

And if we’re looking at new Windows client devices then you would be better off starting from scratch with Microsoft 365 and Intune:

Start by setting up hybrid Active Directory and Azure AD for the devices. Devices that are Hybrid Azure AD joined will be joined to your on-prem Active Directory as well as registered with your Azure AD. Having devices in Intune helps to safeguard your organization from malicious activity because these devices can receive your Intune-created policies and profiles.
Go to Configuration Manager and set up co-management.
Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
You’ll also need shift all workloads from Configuration Manager to Intune in the Configuration Manager section.
With all this done, you can go ahead and uninstall the Configuration Manager client on the concerned devices. This is something that can be done by creating an Intune app configuration policy that can perform the uninstallation once Intune has been set up.

Start from scratch with Microsoft 365 and Microsoft Intune

You can only use this approach for Windows client devices, so for those Windows Server OSs, Configuration Manager will be the option you have.

Deploy Microsoft 365, including creating users and groups.
Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
The Configuration Manager client will need to be uninstalled on all existing devices.

Microsoft Intune Deployment

The steps to follow for your Microsoft Intune deployment are given below:

Navigate to Endpoint Manager admin center and sign up for Intune.
Set Intune Standalone as the MDM authority.
Next, you need to add your domain account because if you don’t your-domain.onmicrosoft.com is what will be used as the domain.
Add users and groups that will receive the policies you create in Intune.
Users will then need to be assigned licenses and once that is done, devices can enroll in Intune.
The default setting allows all device platforms to enroll in Intune so if there are platforms that you’d like to block you’ll need to create a restriction.
You need to customize the Company Portal app so that it has your company details.
Come up with your administrative team and assign roles as necessary.

Windows 365 management and Microsoft Intune

Microsoft Intune not only manages your physical devices but will also play a key role in the management of your Windows 365 Cloud PCs. All you need to sign in is to head over to the Microsoft Intune admin center. This is where you’ll find the landing page for managing your Cloud PCs which is known as the Overview tab. Once signed in, go to Devices > Windows 365 (under Provisioning). In this section, you get a quick overview of the state of your Cloud PCs including the Provisioning status which summarizes the state of Cloud PCs in your organization, and the Connection health which summarizes the health of the Azure network connection in your organization.

All Cloud PCs page

On this page, you’re going to find a summary as well as a list view that will give you all the necessary information you need to know about the status of all the Cloud PCs in your organization. To make the task easier for you, the list view is refreshed every five minutes and allows you to search, filter, and sort. Additionally, there will be multiple Cloud PCs given to those users that have been assigned multiple Windows 365 SKUs. And what this means is that in the All Cloud PCs list view you will see multiple rows dedicated to a single user.

Column details

Name	A combination of the assigned provisioning policy and the assigned user’s name will provide the name of the Cloud PC.
Device name	Windows computer name.
Image	Same image used during provisioning.
PC type	The user’s assigned Windows 365 SKU.
Status	Provisioned: provisioning successful and user can sign in. Provisioning: still in progress. Provisioned with warning: warning is flagged in case of failure of a non-critical step in the provisioning process. Not provisioned: user has been assigned a Windows 365 license but not a provisioning policy. Deprovisioning: Cloud PC going through active deprovisioning. Failed: provisioning failed. In grace period: users with current Cloud PCs are placed in this state when a license/assignment change occurs for them. Pending: this happens when a provisioning request cannot be processed because of a lack of available licenses.
SUser	User assigned to the Cloud PC.
Date modified	Time when last change of state of the Cloud PC occurred.
Third-party connector	When you have third-party connectors installed and currently in use on Cloud PCs, the connector provider is displayed as well as the connector status.

Remote management

Your organization can take advantage of the Microsoft 365 admin center to remotely manage your Windows 365 Business Cloud PCs. There will be several remote actions available to you but to access them you need Azure AD role-based access roles, either Global administrator or Windows 365 administrator. Once you have one of those two roles assigned, you’ll have several methods you can use for Cloud PC management including:

Windows365.microsoft.com
Microsoft 365 admin center
Microsoft Intune (on condition that you have all the necessary licenses)
Microsoft Graph

Cloud PC management design options

When it comes to the design options for Cloud PC management, there will be three options that we are going to look at:

Option 1 (Windows 365 Azure AD Joined + hosted in Microsoft Network)

Microsoft Intune

Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Intune)

Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune

Eliminates customer constraints

Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal

Simplifies Cloud PC management workloads such as app delivery and endpoint security among others

Comfortably address Cloud PC remote management needs

Co-Management

This is optional and allows you to bring your on-premises device management solution MECM for Option 1

Requires MECM + Cloud Management Gateway

Depends on customer device management on-premises environment

Some considerations before managing Cloud PCs include: Azure subscription and on-premises infrastructure, deployment and configuration of a CMG as well as a public SSL certificate for this CMG, enable Co-Management in Configuration Manager, and more.

Option 2 (Windows 365 Azure AD Joined + hosted in Customer Network)

Microsoft Intune:

Cloud PCs are hosted in the Customer Network and managed in the cloud

Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune

Eliminates customer constraints

Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal

Simplifies Cloud PC management workloads such as app delivery and endpoint security among others

Comfortably address Cloud PC remote management needs

Co-Management

This is optional and allows you to bring your on-premises device management solution MECM for Option 2

Requires MECM. Cloud Management Gateway is optional

Depends on customer device management on-premises environment

Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of Intune to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.

Option 3 (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)

Co-management:

Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
Cloud PCs are enrolled as Hybrid Azure AD joined and managed by Co-Management
Requires MECM
Depends on customer device management on-premises environment
Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
Comfortably address Cloud PC remote management needs
Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of MECM to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.

Microsoft Intune

This is optional and if you don’t have a MECM environment you can use Intune as your Cloud PC device management solution for Option 3
Some considerations for this option include: configuration of Azure AD Connect for Hybrid Domain Joined, Hybrid Azure AD Joined Cloud PCs need to be directly attached to an on-premises AD environment, for device management the Active Directory environment will depend on Group Policy Objects.

Wrap Up About Microsoft Intune

Device and application management can prove to be a very challenging task to get right for a lot of organizations. Finding the right solution that can streamline application use across your organization’s devices without breaking the bank would be a dream for any organization. You also want a platform that can increase the productivity levels of your IT staff by minimizing the complexity of device management and by extension reducing the time spent on device management.

With Microsoft Intune, you can get this and plenty more. This MDM and MAM solution will enhance the security of your organization by establishing strict access protocols for your organization’s resources. This means greater protection at a time when endpoints are increasingly a vulnerable point for malicious attacks. Intune can provide you with peace of mind while providing an effective management platform that can vastly improve the way your organization operates.

Windows Autopatch: Guide to Setup and Configuration

Posted on October 24, 2023 by Thomas.Marcussen

Most businesses have several technologies that they use to help their employees operate at the highest levels of efficiency. Without them, your ability to provide high-quality products and services would be severely hindered.

But, all these devices and the associated operating systems and applications need maintenance for them to work the way they were designed to. They need regular attention as well as updates and security patches. This is so businesses can fully benefit from their productivity tools.

Windows Autopatch gives you a great solution for your Microsoft products by automating the update process. Additionally, it simplifies the maintenance process for you. In this article, we’ll be going over how your business can set up this must-have solution.

What is Windows Autopatch?

Let’s start by explaining what exactly Windows Autopatch is and what it does. According to the Windows Autopatch page:

“Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.”

One of the key reasons this solution is a much-needed tool is that the process of implementing updates is not entirely seamless for a lot of organizations. IT admins are responsible for ensuring your organization’s devices get all the necessary updates upon release. And they’re responsible for overseeing that everything is working as it should.

So, even though Microsoft provides regular updates for its products and services, the task can sometimes be challenging and very time-consuming. Therefore, with a solution like Autopatch, IT admins can save a lot of time on the update processes. They can additionally cut time in positioning the overall security posture of the business, leading to improvements.

I’m sure most would agree that this is an excellent feature to have, given the increasing sophistication of cyber attacks. Additionally, end users will be able to work more efficiently with fewer distractions. Moreover, your IT personnel will potentially have a lot more time on their hands for dedicating to more productive tasks.

The role of Autopatch services

From what we have seen over the last year, we know that Windows Autopatch can manage your updates for you. But, you still need to know what exactly Autopatch will be responsible for regarding those updates. This is why it’s not too surprising that a lot of IT admins are hesitant about using Autopatch. They have concerns about losing control over their devices.

To simplify the rollout of the different updates, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first. And if all goes well, broader deployments can proceed as well. Not only is this a crucial step for evaluating updates, but it can help alleviate some of the concerns that IT admins have.

Below is a list of what Autopatch will be responsible for updating:

Windows 10 and Windows 11 quality
Windows 10 and 11 features
Windows 10 and 11 drivers
Windows 10 and 11 firmware
Microsoft 365 apps for enterprise updates

In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings. The first one caters to a few of your company’s devices, and the second one is responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively.

Setting up Windows Autopatch

The process of setting up Windows Autopatch includes several steps that we will be discussing in this section.

PREREQUISITES

Area	Requirements
Licensing	Windows 10/11 Enterprise E3 (or higher) in addition to Azure Active Directory Premium and Microsoft Intune.
Connectivity	All Windows Autopatch devices require dedicated connectivity to multiple Microsoft service endpoints across the corporate network.
Azure Active Directory	The source of authority for all user accounts needs to be Azure AD. Or, the user accounts can be synchronized from on-premises Active Directory using the very latest supported version of Azure AD Connect to enable Hybrid Azure Active Directory to join.
Device management	All devices must be registered with Microsoft Intune, be connected to the internet, have a Serial number, Model and Manufacturer, and must be corporate-owned. Furthermore, the target devices will need to have Intune set as the Mobile Device Management (MDM) authority or co-management must be turned on.

NETWORK CONFIGURATION

Proxy configuration – Windows Autopatch needs to reach certain endpoints for the various aspects of the Windows Autopatch service. Network optimization can be done by sending all trusted Microsoft 365 network requests directly through their firewall or proxy.
Proxy requirements – should support TLS 1.2, and if not, then you may need to disable protocol detection.
Required URLs – mmdcustomer.microsoft.com

– mmdls.microsoft.com

– logcollection.mmd.microsoft.com

– support.mmd.microsoft.com

Delivery optimization – Microsoft recommends configuring and validating Delivery Optimization when you enroll into the Windows Autopatch service.

TENANT ENROLLMENT

The first step in this next stage will require you to verify that you’ve met all the requirements discussed at the beginning of this section.

With that done, you’ll now need to run the readiness tool. This checks the settings in both Intune and Azure AD and verifies that they work with Autopatch. To access this readiness assessment tool, head over to the Intune admin center and select Tenant administration in the left pane. Once there, go to Windows Autopatch > Tenant enrollment. When the check is done, you’ll get one of four possible results: Ready, Advisory, Not ready, or Error. And if this check is showing any issues with your tenant, then your next step will involve fixing the issues picked up by the readiness assessment tool.

If everything is in order and the readiness assessment tool has given you the “Ready” result, then you can proceed and enroll the tenant. You’ll find the “Enroll” button that you need to select within the readiness assessment tool. Once you select this option, it will start the process of enrolling your tenant into the Windows Autopatch service. You’ll see the following during the process:

Consent workflow to manage your tenant.
Provide Windows Autopatch with IT admin contacts.
Setup of the Windows Autopatch service on your tenant. This step is where the policies, groups, and accounts necessary to run the service will be created.

Your tenant will be successfully enrolled upon completion of these actions. And then, after all this is done, you can delete the collected data by the readiness assessment tool if you want. To do so:

Head over to the Microsoft Intune admin center.
Go to Windows Autopatch > Tenant enrollment.
Select Delete all data.

ADD AND VERIFY ADMIN CONTACTS

After you have finished the process of enrolling your tenant, you can move on to the addition and verification of admin contacts. Windows Autopatch has several ways of communicating with customers. And there’s a requirement to submit a set of admin contacts when onboarding. Each specific area of focus should have an admin contact. This provides that the Windows Autopatch Service Engineering Team has a contact for assistance with the support request. These areas of focus are given below.

Area of focus	Description
Devices	Device registration Device health
Updates	Windows quality updates Windows feature updates Microsoft 365 Apps for enterprise updates Microsoft Edge updates Microsoft Teams updates

To add the admin contacts, follow these steps:

Sign in to the Intune admin center.
Head over to the Windows Autopatch section, find Tenant administration, and then select Admin contacts.
Select Add.
Now, you need to provide all the necessary contact details. This includes name, an email, phone number, and language of choice.
Choose an area of focus and provide information about the contact’s knowledge and authority in this particular area.
Click Save and then repeat the steps for each area of focus.

DEVICE REGISTRATION

Windows Autopatch groups device registration

Autopatch groups will start the device registration process for devices that aren’t yet registered using your existing device-based Azure AD groups. This is instead of the Windows Autopatch Device Registration group. Windows Autopatch will support a couple of Azure AD nested group scenarios, namely Azure AD groups synced up from:

On-premises Active Directory groups (Windows Server AD)
Configuration Manager collections
Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant

For an Azure AD dual state to occur, a device needs to be initially connected to Azure AD as an Azure AD registered device. And then, when you enable Hybrid Azure AD join, the same device will be connected twice to Azure AD as a Hybrid Azure AD device.

So, what you’ll find in the dual state is a device with two Azure AD device records with different join types. However, the Azure AD registered device record is stale because the Hybrid Azure AD device record will take precedence.

About the Registered, Not ready, and Not registered tabs

Device blade tab	Purpose	Expected device readiness status
Registered	Shows successful registration of devices with Windows Autopatch	Active
Not ready	Shows successfully registered devices that aren’t yet ready to have one or more software update workloads managed by the Windows Autopatch service.	Readiness failed and/or Inactive
Not registered	Shows devices that have not passed the prerequisite checks and thus require remediation.	Prerequisites failed.

Device readiness statuses

Readiness status	Description	Device blade tab
Active	Shows devices that: +have passed all prerequisite checks +registered with Windows Autopatch +have passed all post-device registration readiness checks	Registered
Readiness failed	Shows devices that: +haven’t passed one or more post-device registration readiness checks +aren’t ready to have one or more software update workloads managed by Windows Autopatch	Not ready
Inactive	Shows devices that haven’t communicated with Microsoft Intune in the last 28 days.	Not ready.
Prerequisites failed	Shows devices that: +haven’t passed one or more prerequisite checks +have failed to successfully register with Windows Autopatch	Not registered

Built-in roles required for device registration

Roles are permissions granted to dedicated users. And there are a couple of built-in users in Autopatch that you can use to register devices:

Azure AD Global Administrator
Intune Service Administrator

Less privileged user accounts can be assigned to perform specific tasks in the Windows Autopatch portal. You can do this by adding these user accounts into one of the two Azure AD groups created during the tenant enrollment process:

Azure AD group name	Discover devices	Modify columns	Refresh device list	Export to .CSV
Modern Workplace Roles – Service Administrator	Yes	Yes	Yes	Yes
Modern Workplace Roles – Service Reader	No	Yes	Yes	Yes

Details about the device registration process

The process of registering your devices with Windows Autopatch will accomplish a couple of things:

Creation of a record of devices in the service.
Device assignment to the two deployment ring sets and other groups required for software update management.

Windows Autopatch on Windows 365 Enterprise Workloads

As part of the Windows 365 provisioning policy creation, Windows 365 Enterprise admins will have the option to register devices with Windows Autopatch. This means that Cloud PC users will also benefit from the increased security and automated updates that Windows Autopatch provides. The process for registering new Cloud PC devices is as follows:

Head over to the Intune admin center and select Devices.
Next, go to Provisioning>Windows 365 and select Provisioning policies>Create policy.
Type in the policy name, select Join Type, and then select Next.
Pick your desired image and select Next.
Navigate to the Microsoft managed services section, select Windows Autopatch, and then select Next.
Assign the ideal policy, select Next, and then select Create.
Your newly provisioned Windows 365 Enterprise Cloud PCs will then be automatically enrolled and managed by Autopatch.

Windows Autopatch on Azure Virtual Desktop workloads

Azure Virtual Desktop (AVD) workloads can also benefit from the features that Windows Autopatch has to offer. Your admins can use the existing device registration process to provision their AVD workloads to be managed by Autopatch.

One of the most appealing features of Windows Autopatch is how it offers the same quality of service to virtual devices as it does to physical ones. This ensures that if your business is looking to migrate to virtual devices or is already using them, then you won’t miss out on what Windows Autopatch offers.

It is worth noting, however, that any Azure Virtual Desktop specific support is deferred to Azure support unless otherwise specified. In addition, the prerequisites for Windows Autopatch for AVD are pretty much the same as those for Windows Autopatch and AVD.

The service will support personal persistent virtual machines. But, there are some AVD features that are not supported such as multi-session hosts, pooled non-persistent virtual machines, and remote app streaming.

Deploy Autopatch on Azure Virtual Desktop

Another great feature that you’ll get with Autopatch is that you can register your Azure Virtual Desktop workloads using the same method as your physical devices. Microsoft recommends nesting a dynamic device group in your Autopatch device registration group to simplify the process for your admins. And this dynamic device group is going to target the Name prefix defined in your session host while also excluding any Multi-Session Session Hosts.

Client support

Windows Autopatch provides businesses with excellent support services to ensure that any issues are addressed. You can access the appropriate support services through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.

Device management lifecycle scenarios

Before you proceed and register your devices in Windows Autopatch, there are a few device management lifecycle scenarios that you may want to consider. These include the following:

Device refresh – devices that were previously registered in Autopatch and require reimaging will require you to run one of the device provisioning processes available in Microsoft Intune to reimage these devices. Subsequently, these devices will be rejoined to Azure AD (Hybrid or Azure AD only) and then re-enrolled into Intune. And because the Azure AD device ID record of that device will not be altered, neither you nor Windows Autopatch will need to perform any additional actions.
Device repair and hardware replacement – when devices require you to repair them by replacing certain hardware, then you’ll need to re-register these devices into Autopatch when you’re done. We are talking about the kind of repairs that include replacing parts such as the motherboard, non-removable network interface cards (NIC), or hard drives. And the reason why re-registration is necessary is that when you replace those parts, a new hardware ID will be generated, including:
SMBIOS UUID (motherboard)
MAC address (non-removable NICs)
OS hard drive’s serial, model, manufacturer information

So, even though you still practically have the same device, whenever you replace major hardware, Azure AD will create a new ID record for that device.

UPDATE MANAGEMENT

Software update workloads

Software update workload	Description
Windows quality update – on the second Tuesday of every month, Autopatch deploys monthly security update releases. Autopatch also uses mobile device management (MDM) policies to gradually release updates to devices. These policies are deployed to each update deployment ring to control the rollout.	Requires four deployment rings to manage these updates
Windows feature update – in this instance, you’ll be the one to inform Autopatch when you’re ready to upgrade to the new Windows OS version. The feature update release management process has been designed to make the task of keeping your Windows devices up to date much easier and more affordable. This also has the added benefit of lessening your burden, thus allowing you to dedicate more time to more productive tasks.	Requires four deployment rings to manage these updates
Anti-virus definition	Updated with each scan
Microsoft 365 Apps for Enterprise	Find information at Microsoft 365 Apps for Enterprise
Microsoft Edge	Find information at Microsoft Edge
Microsoft Teams	Find information at Microsoft Teams

Autopatch groups

Autopatch groups play an essential role in helping Microsoft Cloud-Managed services work with businesses according to their various needs. When it comes to update management, Windows Autopatch groups provide an excellent tool that allows for the combining of Azure AD groups and software update policies. These might include Windows Update rings and feature update policies.

Reports

If there are any Windows Autopatch managed devices in your environment that are not up to date, you can monitor and remediate them using Windows quality and feature update reports. Not only that, but you can also resolve any device alerts to bring Windows Autopatch-managed devices back into compliance.

Policy health and remediation

To enable the management of Windows quality and feature updates, Autopatch needs to deploy Intune policies. Windows Update policies must be healthy at all times should you plan to remain up to date and receive Windows updates. Microsoft ensures continuous monitoring to maintain the health of the policies, as well as raise alerts and provide remediation actions.

Wrap up

The threat of attacks against businesses is something that is always lurking. And as we have seen on far too many occasions in recent years, these attacks can be devastating. Business operations can be severely compromised. Additionally, the financial penalties can be massive. Therefore, there is a need to do everything within your power to fortify your system defenses. Windows Autopatch allows you to bolster your security by automating certain tasks.

Make sure that update and patch deployments occur in a timely fashion. It can significantly reduce the risk of attacks against your business. And this is precisely what Autopatch is ready to help you prevent.

It helps you by automating the update process and simplifying tasks that are sometimes difficult and time-consuming. As a result, you get an easier and less expensive way of equipping your business with all the latest security updates necessary. Ultimately, it allows you to enhance your operations.