Troubleshooting Tenant Attach and Device Action Issues

Microsoft has given us countless different products and services over the last few decades. Undoubtedly, we know the important role they have played for individuals and businesses on the journey towards utilizing technology to better our lives. When looking at the Microsoft ecosystem, one of the best examples of undeniable excellence is the Microsoft Intune family of products.

With this product, Microsoft gives you an integrated solution that enables you to seamlessly manage all your devices. Central to this solution is the single console that we know as the Microsoft Intune admin center which brings together Intune and Configuration Manager.

The capabilities of this platform can offer your organization a premium device-management solution like no other. The area that we want to focus on today will have to do with the troubleshooting of tenant attach and device actions.

Comparing Tenant Attach to Co-management

For a lot of people, it may be difficult to distinguish between these two. So, let’s start by looking at where these two options differ. Both of these make up two of the three primary cloud attach features. For a Configuration Manager environment to be cloud-attached, it has to use at least one of the three primary cloud attach features.

Tenant Attach gives you the advantage of having your device records in the cloud as well as the ability to take actions on these devices from the cloud-based console. IT admins can perform remote actions on tenant-attached devices such as sync machine policy, sync user policy, run scripts on clients, deploy applications, and much more.

Furthermore, users will be able to manage endpoint security for the attached devices from the Intune admin center for both Windows Servers and Client devices.

On the other hand, Co-management is going to modify your on-premises Configuration Manager environment without the need for a significant migration effort.

One of the more attractive features of Co-management is how it allows you to easily switch workloads such as compliance policies from SCCM to Intune. By enabling you to manage workloads from the cloud, your organization gets to benefit from a simpler device management experience.

Tenant Attach prerequisites

To make use of Tenant Attach, you will need to meet the following requirements:

  • When you decide to apply this onboarding change, you’ll need to sign in using an account that is a Global Administrator.
  • An Azure cloud environment.
  • With version 2107, United States Government customers will be able to use tenant attach features in the US Government cloud such as account onboarding, tenant sync to Intune, device sync to Intune, and device actions in the Microsoft Intune admin center.
  • The Azure tenant and the service connection point must have the same geographic location.
  • To access the Microsoft Intune admin center, there needs to be at least one Intune license for the administrator.
  • The administration service in Configuration Manager needs to be functional.
  • If your central administration site has a remote provider, you need to follow the instructions for the CAS has a remote provider scenario in the CMPivot article.

PERMISSIONS

In addition to the above, there will also be a few requirements for the user accounts performing device actions and these include:

  • The user account should be a synced user object in Microsoft Entra ID (hybrid identity).
  • The Initiate Configuration Manager action permission under Remote tasks in the Microsoft Intune admin center.

The troubleshooting process

Now and again, all of us will encounter issues with the products and services we use. That’s why it’s important to work with providers that offer great support services so that we avoid downtime. Microsoft puts a lot of effort into ensuring that customers get as much support as they need for the various products in its ecosystem. Understandably, tenant attach is no different.

At this point, most admins should be aware that you can sync Configuration Manager clients to the Microsoft Intune admin center. And from that admin center, some client actions can run on the synchronized clients.

These available actions include the sync user policy, sync machine policy, and app evaluation cycle. After an administrator runs an action from the Microsoft Intune admin center, the notification request will forward to the Configuration Manager site. And from there, it will forward to the client.

LOG FILES

The logs you need to use will be found on the service connection point and these are:

  • CMGatewaySyncUploadWorker.log
  • CMGatewayNotificationWorker.log

You should also use the logs located on the management point:

  • BgbServer.log

Lastly, there are other logs that will be found on the client:

  • CcmNotificationAgent.log

Review your upload

You’ll need to follow the steps given below:

  • Open CMGatewaySyncUploadWorker.log from <ConfigMgr install directory>\Logs.
  • You will see the next sync time recorded in a log entry similar to this format Next run time will be at approximately: 02/28/2024 10:15:30.
  • The log entries that you should look at for device uploads should be something like this Batching N Records. In this instance, N represents the number of changed devices uploaded since the last upload.
  • Admins should expect uploads every 15 minutes for changes. However, once that is done, they will probably need to wait up to 10 minutes to view the client changes appearing in the Microsoft Intune admin center.

Configuration Manager components and log flow

SMS_SERVICE_CONNECTOR: Will utilize the Gateway Notification Worker to process the notification from the Microsoft Intune admin center.

SMS_NOTIFICATION_SERVER: Receives the notification and subsequently creates a client notification.

BgbAgent: The client gets the task and runs the requested action.

SMS SERVICE CONNECTOR

Following the initiation of an action from the Microsoft Intune admin center, the CMGatewayNotificationWorker.log will process the request.

Received new notification. Validating basic notification details…

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

A notification is received from the Microsoft Intune admin center.

Received new notification. Validating basic notification details..

Validation of user and device actions is carried out.

Validating device action message content…

Authorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID:     a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2

Forwarding of the remote task to the SMS NOTIFICATION SERVER.

Forwarded BGB remote task. TemplateID: 1 TaskGuid: a43dd1b3-a006-4604-b012-5529380b3b6f TaskParam: TargetDeviceIDs: 1

SMS NOTIFICATION SERVER

At this point, you should be expecting a task to be sent from the management point to the corresponding client as soon as the message has been forwarded to the SMS NOTIFICATION SERVER. In the BgbServer.log, which is on the management point, you should see the following:

Get one push message from database.

Starting to send push task (PushID: 7 TaskID: 8 TaskGUID: A43DD1B3-A006-4604-B012-5529380B3B6F TaskType: 1 TaskParam: ) to 1 clients  with throttling (strategy: 1 param: 42)

BgbAgent

The last step will occur on the client and you can view it in the CcmNotificationAgent.log. As soon as the task has been received, it will then request the scheduler to carry out the action. And once the action has been carried out, a confirmation message will appear:

Receive task from server with pushid=7, taskid=8, taskguid=A43DD1B3-A006-4604-B012-5529380B3B6F, tasktype=1 and taskParam=

Send Task response message <BgbResponseMessage TimeStamp=”2020-01-21T15:43:43Z”><PushID>8</PushID><TaskID>9</TaskID><ReturnCode>1</ReturnCode></BgbResponseMessage> successfully.

Common issues

In this section, we’ll take a look at some of the issues that admins may often encounter.

Unauthorized to perform client action

For whatever reason, there may be situations where administrators may not have the required permissions in Configuration Manager. If that happens, you’ll see an Unauthorized response in the CMGatewayNotificationWorker.log.

Received new notification. Validating basic notification details..

Validating device action message content…

Unauthorized to perform client action. TemplateID: RequestMachinePolicy TenantId: a1b2c3a1-b2c3-d4a1-b2c3-d4a1b2c3a1b2 AADUserID: 3a1e89e6-e190-4615-9d38-a208b0eb1c78

Administrators should verify that the user running the action from the Microsoft Intune admin center has all the necessary permissions on the Configuration Manager site.

Known issues

Data synchronization failures

When there are issues with the hierarchy onboarding configuration, you may end up facing challenges with viewing the tenant attach details in the Microsoft Intune admin center. This could potentially happen in situations where onboarding a hierarchy that has already been onboarded occurs. However, you may also detect this issue from entries in the GenericUploadWorker.log and CMGatewayNotificationWorker.log files.

Workaround for data synchronization failures

Resetting the tenant attach configuration will require you to follow the steps below:

  • Offboard the hierarchy. If the tenant attach is already enabled, you need to disable device upload and offboard by editing the co-management properties.
  • In the Configuration Manager admin console, go to Administration > Overview > Cloud Services > Cloud Attach. (Select the Co-management node if it is version 2103 and earlier)
  • In the ribbon, select Properties for your co-management production policy.
  • Next, you need to remove the Upload to Microsoft Endpoint Manager admin center selection from the Configure upload tab.
  • Once everything’s completed, select Apply.

You need to give the service about 2 hours to clean up the existing record. Once the above has been completed, you can onboard the hierarchy again.

Example errors in log files that require resetting the tenant attach configuration

Errors for AccountOnboardingInfo and DevicePost requests in GenericUploadWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {“Message”:”An error has occurred.”}

Errors for device actions in CMGatewayNotificationWorker.log

[GetNotifications] Response from https://us.gateway.configmgr.manage.microsoft.com/api/gateway/Notification is: 401 (Unauthorized)

Response status code: 401 (Unauthorized) Activity ID: 4c536a72-fd7f-4d08-948a-3e65d2129e44

Web exception when getting new notification

Exception details:

[Warning][CMGatewayNotificationWorker][0][System.Net.WebException][0x80131509]

The remote server returned an error: (401) Unauthorized.    at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetResponseAsync>d__13.MoveNext()

Response in the web exception: {“Message”:”An error has occurred.”}

Specific devices don’t synchronize

Another issue that you may need to deal with has to do with specific devices, which also happen to be Configuration Manager clients, not being uploaded to the service. So, what devices should you expect to be potentially affected by this issue?

In scenarios where a device is a distribution point that uses the same PKI certificate for both the distribution point functionality and its client agent, then the device won’t be included in the tenant attach device sync.

Furthermore, administrators should look out for the behavior that is typical in such instances. During the on-boarding phase as you are going through the tenant attach process, a full sync will be carried out the first time.

You should be aware that any other sync cycles after this one will be delta synchronizations. If the impacted devices are updated in any way, that update will result in the device being removed from the sync.

When the Configuration Manager site is configured to require multi-factor authentication, most tenant attach features don’t work

More troubleshooting

If you find yourself in a situation where the SMS provider machine that communicates with the service connection point is configured to use multi-factor authentication, you won’t be able to install applications, run CMPivot queries, and perform other actions from the admin console.

Instead, you will get a 403 error code, forbidden. What you would normally do to address this is to configure the on-premises hierarchy to the default authentication level of Windows authentication.

The platform is designed to enable you to determine what the minimum authentication level should be for admins to access Configuration Manager sites. You should view this as a great feature for enhancing security because it means that admins have to sign in to Windows with the appropriate level before they can access Configuration Manager.

Authentication

Furthermore, this applies to all components that access the SMS provider. Configuration Manager supports a handful of authentication levels and these are as follows:

  • Windows authentication: Authentication with Active Directory domain credentials is necessary. Note that this setting represents the previous behavior, as well as the current default setting.
  • Certificate authentication. Authentication with a valid certificate that has been issued by a trusted PKI certificate authority is necessary. You also need to know that you don’t configure this certificate in Configuration Manager. Configuration Manager requires the admin to be signed into Windows using PKI.
  • Windows Hello for Business authentication: In this case, you need a strong two-factor authentication that’s linked to a device and also uses a PIN or biometrics. Before choosing this particular setting, you need to note that the SMS Provider and administration service will require the user’s authentication token to contain a multi-factor authentication (MFA) claim from Windows Hello for Business. In simple terms, all this means is that users of the console, SDK, PowerShell, or administration service are required to authenticate to Windows with their Windows Hello for Business PIN or biometric. If not done this way, the site rejects the user’s action. Another key thing to also remember is that this behavior is specific to Windows Hello for Business and does not apply to Windows Hello.

What to do when Configuration Manager components for tenant attach fail to connect to the backend cloud service

Another issue that some have encountered concerns the failure of Configuration Manager components for tenant attach to connect to the backend cloud service when you run a client action from the Microsoft Intune admin center. In those instances, you may see the error given below:

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name

According to the information available from Microsoft, this problem occurs in versions earlier than the Configuration Manager version 2203 hotfix rollup after a change in public certificates on July 27, 2022. The reason for this has to do with the change that came about in public certificates on July 27, 2022, where OU=Microsoft Corporation was removed from the public certificate.

Even though this change was carried out, the configuration manager database still retained the old subject name and this then caused the load check failure. Below are some example entries in the CMGatewayNotificationWorker.log file in the top-level site in the hierarchy:

Error occured when process notification with notification Id <notification Id>. Ignore the notification. SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

Exception details: SMS_SERVICE_CONNECTOR_CMGatewayNotificationWorker

[Warning][CMGatewayNotificationWorker][0][System.IO.InvalidDataException][0x80131501]

Failed to check and load service signing certificate. System.ArgumentException: Mismatch certificate subject name at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.VerifyCertificate(X509Certificate2 certificate, Boolean crlCheck, X509Chain& certificateChain, X509Certificate2Collection extraStore)

and at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Reload()

at Microsoft.ConfigurationManager.ManagedBase.CertificateUtility.ServiceCertificateUtility.Exists(String thumbprint)

and at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.\<RefreshServiceSigningCertificateIfNotExistsAsync>d__19.MoveNext()

ADDRESSING THE ISSUE

To address this challenge, there are a couple of methods that you can employ. The first thing you can do is to install the Configuration Manager version 2203 hotfix rollup if you happen to be running Configuration Manager version 2203.

However, if your version of Configuration Manager is a previously supported one, you’ll first need to upgrade to Configuration Manager version 2203. After doing that, you can proceed with the installation of the Configuration Manager version 2203 hotfix rollup.

In the update rollup for Microsoft Endpoint Configuration Manager current branch, version 2203, the following issues have been addressed:

  • Application approvals through email not working with a cloud management gateway due to a missing Microsoft Entra token.
  • Metadata revisions to previously published metadata-only updates not being synchronized to Windows Server Update Services (WSUS) as expected.
  • If a window happens to be left open for a few minutes, the task Sequence Editor running on Windows Server 2022 would fail to apply changes to a task sequence. After this happens, you would see the following message:

Error connecting to provider, smsprov.log may show more details.

  • In situations where the Client checking status frequency (minutes) value has been set below 60, the BitLocker compliance status will be temporarily inaccurate.
  • Admins have also experienced the incorrect removal of some users and their group memberships by the SMS_AZUREAD_DISCOVERY_AGENT thread of the SMA_Executive service in cases when the site server is configured with a non-US English locale. You’ll have have noticed the removals occurring when the discovery cycle runs after the 12th day of the month. Errors will be recorded in the SMS_AZUREAD_DISCOVERY_AGENT.log file at various times during the discovery cycle and they will be similar to the following:
  1. ERROR: Encountered SqlException The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.

2. ERROR: Exception message: [The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.]

3. ERROR: Group full sync request failed. Exception: System.NullReferenceException: Object reference not set to an instance of an object.

More troubleshooting

  • When adding a CMPivot query as a favorite, it is split into two lines and characters are removed.
  • When searching Software Update Groups in the Configuration Manager console, the Name criteria is not an option.
  • Instead of the value you may have previously noticed, the Browse button for Content location in the properties for a deployment would return an empty location.
  • The implicit uninstall setting won’t be respected by an application that is targeted to a device collection but deployed in the context of the user.
  • Typing a Name value in the Create Orchestration Group wizard occurs at a below normal speed.
  • A misleading error message (false negative) is generated on a target distribution point that is co-located with a site server. You could expect to see this during content distribution from a parent site to a child site. In the distmgr.log, the false negative will appear in this format:

~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file

Conclusion

In some cases, unfortunately, both options involving installation of the Configuration Manager version 2203 hotfix rollup may not work to fix the above issues. For those situations, you’ll need to open a support ticket with the Configuration Manager support team.

From there, you’ll be able to get the appropriate assistance to resolve the problem in the supported version of Configuration Manager in your environment.

SMS_EXECUTIVE crashes on Hyper-V due to UserShadowStack

Introduction

In the realm of systems management, maintaining the stability and reliability of essential services is crucial for uninterrupted operations. A notable challenge that has emerged in this context involves the SMS_EXECUTIVE service, a vital component of the Configuration Manager, which is experiencing unexpected terminations shortly after startup. This issue not only hampers the functionality of the Configuration Manager but also poses significant concerns for system administrators who rely on this service for managing networked systems efficiently.

Overview of the Issue

The SMS_EXECUTIVE service, responsible for executing several critical tasks within the Configuration Manager infrastructure, including processing incoming data, executing administrative actions, and managing component threads, has been reported to crash moments after it is initiated. This abrupt termination of the service disrupts the normal workflow, leading to a series of operational challenges.

Scope of the Investigation

This post aims to delve into the potential causes of this issue, examining various aspects such as system logs, configuration settings, recent updates, and environmental factors that might contribute to the instability of the SMS_EXECUTIVE service. The primary objective is to isolate the root cause of the crash and provide a comprehensive analysis that can guide towards effective troubleshooting and resolution strategies.

Importance of Addressing the Issue

The stability of the SMS_EXECUTIVE service is paramount for the seamless operation of the Configuration Manager. Its failure not only impacts the efficiency of system management tasks but also poses risks related to security, compliance, and overall network health. Addressing this issue is thus critical for ensuring that the Configuration Manager continues to function as a robust and reliable tool for system administrators.

In the following sections, we will explore the technical details of the issue, outline the methodologies employed in the investigation, and discuss potential solutions to restore the functionality of the SMS_EXECUTIVE service effectively.

Identifying Potential Causes for the SMS_EXECUTIVE Service Crash


In order to effectively address the issue of the SMS_EXECUTIVE service crashing, it is essential to systematically identify and evaluate potential causes. This section outlines a structured approach for investigating various factors that could contribute to this problem.

1. System and Application Logs Analysis

  • Event Viewer Logs: A thorough examination of the Windows Event Viewer logs, specifically focusing on the Application and System logs around the time of the crash, can provide critical insights. Error messages or warnings preceding the crash are often indicative of underlying issues.
  • SMS_EXECUTIVE Logs: The Configuration Manager logs, particularly those related to SMS_EXECUTIVE, should be scrutinized for any unusual entries or error codes that could point towards the cause of the crash.

2. Configuration and Environment Review

  • Recent Changes: Any recent changes made to the system or the Configuration Manager settings could be a contributing factor. This includes updates, patches, or modifications in the configuration.
  • System Resources: Insufficient system resources, such as memory or CPU, can lead to service instability. Monitoring resource usage patterns around the time of the crash is crucial.
  • Network and Connectivity Issues: Network problems or connectivity interruptions can impact the functionality of the SMS_EXECUTIVE service, especially if it relies on remote components or databases.

3. Component Dependencies and Interactions

  • Dependent Services: Understanding the dependencies of the SMS_EXECUTIVE service, such as other Configuration Manager components or Windows services, is vital. If a dependent service is failing or unstable, it can cascade to the SMS_EXECUTIVE service.
  • Inter-Service Communication: Analyzing how SMS_EXECUTIVE interacts with other services and components within the Configuration Manager ecosystem can reveal potential points of failure.

4. Software Updates and Compatibility

  • Update History: Reviewing the history of updates applied to the Configuration Manager and the underlying operating system can help identify if a recent update might be causing compatibility issues.
  • Third-Party Software: The presence of third-party software or add-ons, particularly those that interface with the Configuration Manager, should be evaluated for compatibility and stability concerns.

5. Security and Access Control

  • Security Software Interference: Security solutions such as antivirus or firewall settings might be interfering with the operation of the SMS_EXECUTIVE service.
  • Permissions and Access Rights: Ensuring that the SMS_EXECUTIVE service has appropriate permissions to execute its tasks is crucial. Incorrect permissions can lead to service failures.

The specific issue identified from Event viewer:

Faulting application name: smsexec.exe, version: 0.0.0.0, time stamp: 0x00000000
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409
Fault offset: 0x00007ffa5dc03d86
Faulting process id: 0x530
Faulting application start time: 0x01da4ae272f45384
Faulting application path: F:\Program Files\Microsoft Configuration Manager\bin\X64\smsexec.exe
Faulting module path: unknown
Report Id: 6463f350-fe42-4528-8849-c2489e6d558d
Faulting package full name:
Faulting package-relative application ID:

The issue is caused by UserShadowStack

UserShadowStack is a security feature introduced in Windows Server 2022, designed to enhance the protection against return-oriented programming (ROP) attacks, which are a common method used in exploiting software vulnerabilities.

Understanding UserShadowStack:

  1. Concept of Shadow Stack: At its core, UserShadowStack implements a ‘shadow stack’, which is a secondary, protected stack that keeps track of the intended return addresses for each function call in a program. When a function is called, its return address is stored both on the regular stack and the shadow stack. When the function returns, the return address from the regular stack is compared with the one in the shadow stack. If they match, the program continues as normal; if not, it indicates potential tampering, likely due to an attempted ROP attack, and the system can take appropriate action, such as terminating the process.
  2. Protection Mechanism: By ensuring the integrity of return addresses, UserShadowStack helps prevent attackers from hijacking the control flow of a program, which is a common technique in many sophisticated cyber attacks.

UserShadowStack in the Context of Hyper-V on Windows Server 2022:

Hyper-V is Microsoft’s hardware virtualization product, allowing users to create and run virtual machines. Each virtual machine runs its own operating system and is isolated from the host system. In this context, UserShadowStack can provide the following benefits:

  1. Enhanced Security for Virtual Machines: When running on Windows Server 2022 with Hyper-V, UserShadowStack can be used to protect the virtual machines from ROP attacks. This is particularly important as virtual machines often run critical or sensitive applications, and their security is paramount.
  2. Isolation and Containment: With Hyper-V, if an attack occurs within a virtual machine, it is typically contained within that VM, protecting the host system and other VMs. UserShadowStack adds an extra layer of defense within each VM, further reducing the risk of successful exploits.
  3. Compatibility and Performance: UserShadowStack is designed to work seamlessly with Hyper-V, ensuring that the additional security does not significantly impact the performance or compatibility of the virtual machines.

In summary, UserShadowStack in Windows Server 2022 provides a robust mechanism to thwart ROP attacks by validating return addresses. When integrated with Hyper-V, it ensures that both the host environment and the virtual machines benefit from enhanced security without compromising performance or compatibility.

Run the following command and start your service again: Set-ProcessMitigation -Name smsexec.exe -Disable UserShadowStack

Key Things To Know About Windows Safeguard Holds

Updating your computers and mobile devices is something that requires regular attention. Indeed this is rather important for a few reasons. For example, there are security updates to enhance your security posture and reduce the risk of breaches. Another important reason is to fix problems with applications. Additionally, updates can remedy issues with the operating system itself. This is where Windows safeguard holds come into play.

But, even though we perform updates expecting to improve the user experience, it doesn’t always work out that way. There are compatibility issues with particular devices sometimes. And in the worst of scenarios, you might lose connectivity, key functionality, or data. This is why Microsoft has systems in place to try and limit any problems to as few devices as possible.

What are Windows safeguard holds?

By leveraging data on compatibility and quality, Microsoft can identify issues that may cause a Windows client feature update to fail or rollback. In the instances where such issues arise, applying safeguard holds to update service helps.

Consequently, this action will prevent the affected devices from installing the update. It thereby protects them from any issues. Microsoft can also employ safeguard holds when clients, partners, or Microsoft internal validation find issues. It’s helpful for those issues that cause severe problems and there is no immediate solution available. Examples of possible events include loss of key functionality, rollback of update, and data loss.

With the use of safeguard holds, devices with known issues won’t be offered new versions of an operating system. However, once a fix has been found and verified, the update will become available.

Microsoft’s objective with safeguard holds is to enable clients to have a flawless experience when their devices are updating to new versions of Windows client. Those that use the Windows Update service for the deployment of new versions of Windows to their devices would already have benefited from the use of holds for known issues. These clients include all those using Windows Update for Business.

Looking at issues

When Microsoft describes how safeguard holds work, there is a lot of mention of the issues for which holds apply. But, what exactly are these issues? There are known issues. These are problems that can manifest after an upgrade is discovered by Microsoft or reported by clients or partners. Only after assessment and confirmation of an issue, for a specific set of devices, can it fall under known issues.

The next type are likely issues. As the name suggests, these issues are suspected, but not yet confirmed. What we have here are issues that have been picked up by the machine learning service across millions of unmanaged devices, corporate or personal. The service performs daily scans. And it searches for app or driver malfunctions, rollback during setup, connectivity issues, and more.

Subsequently, the machine learning service then looks for links among device hardware and software characteristics. This will then help to identify a larger set of devices yet to perform any updates to protect them. Basically what goes on in these instances is that there are issues that are yet to be confirmed. However, because they are likely it’s good practice to safeguard the at-risk devices.

How does it work?

Here are additional aspects to understand when recognizing how Windows safeguard holds work.

Identification of known issues

As one would expect, the process would naturally start by identifying the relevant issues. Microsoft has a setup that allows for the collection of feedback from various channels. This information is regarding known issues about a Windows update, now collected for your review.

Although there is an internal testing process, Microsoft also requires feedback from Windows Insiders, clients, and partners. And then, as issues are identified, device-specific criteria develop and for application to affected devices as a safeguard hold. These devices will no longer have access to updates until a fix is found and implemented.

Identification of likely issues

For the safeguarding of likely issues, Microsoft can use data obtained across millions of daily devices. Unmanaged by IT, these devices are installing the upgrade from the Windows Update.

All the diagnostic data that Microsoft has from the millions of client devices feeds into the machine learning system. From this, identity patterns associated with update-related disruptions can then be automatically identified. All data usage follows Microsoft’s privacy policy.

Safeguarding of devices

The actual safeguarding of devices can begin once the machine learning algorithm picks up a pattern. After this happens, a temporary safeguard hold for a likely issue is implemented. How long this hold remains in place can vary. But the priority will be device protection rather than progress.

This means the user experience can be preserved and IT staff can have fewer things to worry about. Because of the resultant delay, the few weeks you get can be used to decide how to proceed with the update in a way that keeps your devices protected and productive. The system intends to address the temporary hold for a likely issue in a matter of four to six weeks. This can be done in one of two ways:

  • Confirmation of the likely issue which consequently sees it transitioned to a known issue and thus sees the safeguard hold maintained.
  • In the second scenario, the issue is deemed to be a false positive and therefore the hold will be removed and devices can therefore begin updating.

Known and Unknown Issues

In the first option mentioned where the issue has been confirmed meaning the device is not in a position to update, the classification changes to a known issue. What this does is that it will continue to delay the upgrading of the device until a fix has been found and implemented.

When the system determines that the issue was actually a false positive, all unaffected devices will have the safeguard hold removed. In that case, any upgrades that are approved by the IT team may proceed as normal. According to information from Microsoft, two main criteria are used to determine whether to implement automatic safeguard holds for likely issues. These are:

  • In cases where deployment to consumer devices that are likely exposed to the issue has been paused.
  • The second criterion concerns situations where there are issues that are under active investigation by Microsoft engineers.

When it comes to Windows Update, Windows safeguard holds will be kept in place until the Microsoft investigation has been completed and a fix has been developed and verified. Only then will the solution be made available to the affected devices and update deployment restored.

So devices can only resume being offered updates after a fix has been delivered by Windows Update or a third party thereby lifting the safeguard hold. Under those circumstances, customers can be offered a seamless protection experience.

Taking advantage of Windows safeguard holds

Making use of the features that Microsoft has put in place can go a long way in improving the security posture of your organization. Leveraging safeguard holds will help you to get a better update deployment experience. These features will be available to you via the likes of Microsoft Intune, PowerShell SDK, Update Compliance, and Microsoft Graph.

You’ll find that deployment scheduling controls are consistently available. But, you need to, first of all, configure your devices to share diagnostic data with Microsoft and leverage available reporting tools. Without performing this action you won’t be able to benefit from the unique deployment protections tailored to devices under your management.

§  Pre-requisites

Before you can start benefiting from everything that safeguard holds have to offer, you need to meet a few requirements. These are:

Something that you do need to be aware of is that safeguards holds are applied to Windows Update for Business deployments by default. This is to ensure that your environment can benefit from optimal user experience and so opting out or doing manual updates is not recommended. However, in strict IT environments and for validation purposes you may still do that.

Keep track of safeguard holds reporting

One thing that you’ll want to do to stay up to date is to be meticulous about verifying safeguard hold records. When a safeguard hold is put in place, you can go to the M365 Admin Center or the Known Issues sections of the Windows release health dashboard online to get more information about the issue in question. The system also allows you to keep track of all the devices in your environment through up-to-date reporting.

For those that use Update Compliance, you can access information regarding which devices under your management are affected by which specific safeguard holds. To do this, you’ll have to check your safeguard hold report. For those who use Intune, on the other hand, safeguard holds are now visible in the Feature Update Failures Report.

How to opt-out

If you decide to opt-out, you can do so using the Local Group Policy Editor. This can be done by following the steps given below:

  • Navigate to the Open the Local Group Policy Editor (gpedit.msc).
  • In that section, look for the policy location in the left pane of the Local Group Policy Editor.
  • Next, head over to the right pane of Manage updates in the Windows Updates section of the Local Group Policy Editor. Proceed to tap on Disable safeguards for Feature Updates.

Microsoft recommendations

Until a solution has been developed and implemented and the safeguard hold has been released, Microsoft strongly cautions against performing manual updates. If you choose to opt-out of a safeguard hold, you should do so knowing that the concerned devices will be at risk of being affected by known performance issues.

So if you have made the decision that you still want to opt out despite the risk, you should make sure that you perform rigorous tests that will help you to verify the degree of the potential impact.

There is a way, however, for you to reduce your risk of being affected by issues and still opt-out. This can be possible as long as your IT admins check in regularly with Update Compliance and the Windows release health dashboard. If you’re in this position, you can have a greater degree of security when temporarily opting out so that you can enable an update to proceed.

As mentioned previously, this is still only recommended when in strict IT environments and for validation purposes. Furthermore, you should be aware that even if you do opt out, this will be temporary and only lasts the time it takes to complete the update. So as soon as that is done, the safeguard hold is automatically reapplied.

Wrap up about Windows safeguard holds

Compatibility issues are nothing new and we’ve all probably encountered them at one point or another. The frustration that this can cause as well as the cost in productivity terms can be immense. Loss of data or connectivity from an update that hasn’t worked out can mean downtime for the affected users.

That is why Microsoft has developed a service that is capable of monitoring quality and compatibility. Having this data means that issues can be swiftly identified and thus limit the number of devices that are affected.

In addition, the fact that this data is obtained from various sources including clients and Microsoft partners enables the creation of a very comprehensive compilation of information. Once issues are identified, safeguard holds are applied to allow for an investigation to take place, and a solution to be developed and applied. I think it’s pretty safe to say that safeguard holds can go a long way in giving users a streamlined experience and IT greater peace of mind.

Microsoft Intune – A Comprehensive Design Guide

So much technological innovation is going on all around us that it can at times be overwhelming to keep up with everything. And mobile device management solutions are no different. Which of the solutions do you pick to ensure that your organization is using the best management solution? Difficult to say.

In fact, plenty of organizations opt for using multiple device management solutions at the same time. Although, there may be advantages to that, finding a single comprehensive solution to provide you with everything you need in a single package offers greater convenience. This is why I’ve decided to write this guide on Microsoft Intune, a solution that can optimize your IT operations to perform at unprecedented levels.

Before you begin

In the first blog of this Microsoft Intune series, I looked at the different stages of planning that you’ll have to go through if you want to have a seamless adoption of Microsoft Intune in your organization. As one would expect, adopting any new technology will bring with it a few teething problems hence the need for a plan that covers as many potential scenarios as possible.

Getting started

Some of the key areas of consideration include:

  • Have your goals clearly itemized. This includes concerns about data security, device protection, access to organizational resources, and other objectives.
  • Creating a complete inventory of all the devices in your organization that will have access to company resources. So, this would include both organization-owned and personal devices as well as information about the platforms they are running.
  • You’ll also need to look at all potential costs and licensing. There will probably be some additional services and programs that you’ll need so all these will need consideration.
  • You probably already have existing policies and infrastructure that your organization relies on. However, all these will require reviewing when thinking of moving to Intune. This is because you may need to develop some new policies.
  • With the above in place, you need to determine a rollout plan that has pre-defined objectives and can ensure that the rollout proceeds as smoothly as possible.
  • As you introduce Intune to your organization, you cannot ignore the value of communicating with your users. People in your organization need to understand what Intune is, what value it will bring to your organization, and what they should expect.
  • Lastly, it’s crucial that you fully equip your IT support and helpdesk staff. You can do this by involving them in the adoption process from the early stages. Therefore, it enables them to learn more about Intune and gain invaluable experience. With the skills that they acquire, they’ll be able to play important roles in the full rollout of Microsoft Intune as well as help in the swift addressing of any potential issues that arise.

Design creation

After you go through your planning phase, you can start to look at creating a specific design for your organization’s Microsoft Intune setup. Coming up with a design will require you to review all the information already collected throughout the planning phase.

This is going to allow you to put together information on your existing environment. This includes the Intune deployment options, the identity requirements for external dependencies, the various device platform considerations, as well as the delivery requirements. One of the great things about Microsoft Intune is that you don’t need to worry about significant on-premises requirements to use the service.

However, having a design plan is still a good idea because it allows you to have a clear outline of the objectives that you want to achieve so that you can be certain about choosing the management solution.

Assessing your current environment

A logical place for you to begin your planning is with your current environment. Having a record of this environment can help to further clarify where you currently are and what the ultimate vision is. This record can also serve you well during the implementation and testing phases. There you can make numerous changes to the design.

Recording the environment

There are several methods for recording your existing environment such as:

  • Identity in the cloud – you can note if your environment is federated. Additionally, you can determine MFA enabling. Also, which of Azure AD Connect or DirSync do you use?
  • Email environment – you need to record what email platform you currently use. Also consider if it is on-premises or on the cloud. And if you’re using Exchange, for instance, are there any plans for migrating to the cloud?
  • Mobile device management solutions – you’ll need to go over all the mobile device management solutions (MDM) currently in use. Also consider what platforms they support. It’s also important to note down which solutions you’re using for corporate as well as BYOD use-case scenarios. Additionally, it’s useful to have a record of who in your organization is using these solutions, their groups, and even their use patterns.
  • Certificate solution – note whether or not you have implemented a certificate solution, including the certificate type.
  • Systems management – have a detailed record of how you manage your PC and server management. This, means you have to note what management platform you are using, whether it’s Microsoft Endpoint Configuration Manager or some other third-party solution.
  • VPN solution – you should note what you’re currently using as your VPN solution of choice. And if you’re using it for both personal devices and organization-issued devices.

Note to consider

In addition to having a detailed record of your current environment, it’s also important to not forget any other plans in the works. Or consider those on the docket for implementation. Especially if they could affect what you have already noted down in the record of your environment. For instance, your record could show that multi-factor authentication is off. Still, you could be planning to turn it on in the near future so you’ll want to highlight this coming change.

Intune tenant location

The location where your tenant will reside is extremely important to decide before making the decision to subscribe to Microsoft Intune. And this is especially so for organizations that operate across different continents. The reason why it’s so important to carefully think this through, is that you’ll need to choose the country/region when you are signing up for Intune for the first time. After you have made your selection, you won’t have the option to change your decision later on. The regions that are currently available for selection include North America, Europe, the Middle East, Africa, as well as Asia and Pacific.  

External dependencies

When we talk about external dependencies, we are referring to products and services that are not part of the Intune package. But they may be part of the prerequisites to use Intune. In addition, they could also be elements that can integrate with Intune. Given how integral external dependencies may be to your use of Intune, you’ll need to have a comprehensive list of any and all requirements. Make sure they’re for these products and services as well as the instructions for their configuration.

Below we’ll look at some of the more common examples of external dependencies that you will encounter:

Identity

Simply put, identity gives us the element through which we can recognize all the various users that belong to your organization as well as those enrolling devices. If you want to use Intune then you’ll need to be using Azure AD as your user identity provider. This comes with several advantages. One such benefit is enabling IT admins to enhance organizational security by controlling access to apps and app resources. Therefore, it’s easier to meet your access governance requirements. App developers will also benefit from the ability to leverage Azure AD APIs for creating personalized experiences using organizational data.

For those that are already using Azure AD, you’ll get the added convenience of continuing with the current identity that you have in the cloud. Not only that, but you also get the added benefit of Azure AD Connect. This happens to be the ideal solution for synchronizing your on-prem user identities with Microsoft cloud services. For organizations that already have an Office 365 subscription, the best scenario would be to ensure that Intune also uses the same Azure AD environment.

User and device groups

These groups play an important role as they are responsible for defining who exactly the target of a deployment will be. This will also include profiles, apps, and policies. It’s therefore important to come up with the user and device groups that your organization will need. And the best way to go about this may be for you to start by creating these groups in the on-premises Active Directory. And then once you have done this you can proceed to synchronize to Azure AD.

Public key infrastructure (PKI)

The role of PKI is to provide users or devices with certificates that will enable secure authentication to various services. So, when considering adopting Microsoft Intune you should be aware that it supports a Microsoft PKI infrastructure. Mobile devices can provide device and user certificates, so you meet all certificate-based authentication requirements. However, before you proceed with the use of certificates, you’ll need to verify a few things first:

  • Check whether or not you even need the certificates.
  • Check if certificate-based authentication provides support by the network infrastructure.
  • Lastly, you need to verify whether there are any certificates already in use in the existing environment. 

For some, they may need to use these certificates with VPN, Wi-Fi, or e-mail profiles with Intune. But to do that, you first need to check if you have a supported PKI infrastructure in place. It needs to be ready for the creation and deployment of certificate profiles. Furthermore, when it comes to the use of SCEP certificate profiles, you have to decide how to host the Network Device Enrollment Service feature. Not only that, but you also need to determine how to carry out any communication.

Pre-requisites for devices

As you proceed with your design plan for Microsoft Intune, you’ll also need to turn your focus over to devices and the requirements. Expectedly, as with any management solution, there will be devices to consider. But there will also be platform considerations that will determine suitability for Intune management.

Device platforms and Microsoft Intune

One of the most important parts of the design plan is to consider the device platforms that will be supported by your chosen management solution. Therefore, before making the final decision about whether or not to go with Intune, you should create a complete inventory of the devices that will be in your environment. Then crosscheck whether or not they have proper support by Intune.

Understanding systems

The table below contains the supported configurations.

Operating systemsAndroid iOS/iPadOS Linux macOS Windows
Chrome OS  
Apple (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require iOS 14.x or later. The same requirement also applies to Intune app protection policies and app configuration.)Apple iOS 14.0 and later   Apple iPadOS 14.0 and later   macOS 11.0 and later  
Android (For device enrollment scenarios and app configuration that you get via Managed devices app configuration policies, Intune will require Android 8.x or later. However, for Microsoft Teams Android devices, support will continue so this requirement does not apply. And then for Intune app protection policies and app configuration delivered via Managed devices app configuration policies, the requirement is for Android 9.0 or higher.)Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements)   Android enterprise: requirements   Android open source project devices (AOSP) supported devices RealWear devices (Firmware 11.2 or later)HTC Vive Focus 3  
Linux (It’s to be noted that Ubuntu Desktop already has a GNOME graphical desktop environment installed)Ubuntu Desktop 22.04.1 LTS with a GNOME graphical desktop environment.   Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment.  
Microsoft (Microsoft Endpoint Manager can still be used for the management of devices running Windows 11 the same as with Windows 10. Unless explicitly stated otherwise, assume that feature support that only mentions Windows 10 also extends to Windows 11. In addition, you should also note that configuring the available operating system features through MDM is not something that is supported by all Windows editions.)Windows 10/11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions) Windows 10/11 Cloud PCs on Windows 365 Windows 10 LTSC 2019/2021 (Enterprise and IoT Enterprise editions) Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode) Windows Holographic for Business Surface Hub Windows 10 Teams (Surface Hub)    
Microsoft Intune-supported web browsersMicrosoft Edge (latest version)   Safari (latest version, Mac only)   Chrome (latest version)   Firefox (latest version)  

Devices

By using Microsoft Intune, organizations can manage mobile devices more efficiently in a way that can enhance the security of organizational data. This means that the risk of malicious activity is reduced. And users can thus work from a greater number of locations. One of the greatest benefits of device management solutions such as these is that they can be both cost-efficient and convenient. This is because they support a wide variety of device types and platforms.

As a result of this, organizations are less likely to need to invest in new devices. And users can utilize the personal devices they already own in BYOD scenarios. With all this, however, it’s even more important for you to come up with a comprehensive template detailing what device types, OS platforms, and versions you will allow to have access to your organization’s resources.

Device ownership

As already mentioned, Microsoft Intune offers support for a wide variety of devices. And these devices can either be personal or organization-owned. When devices are enrolled via a device enrollment manager or a device enrollment program, they fall under the category of organization-owned devices. So, for instance, all devices that you enroll using the Apple Device Enrollment Program will categorize as organizational devices. Subsequently they will add to the device group, which will receive organizational policies and applications.

Bulk enrollment

As an organization, when enrolling a large number of devices into Intune, the process is simplified by the availability of a bulk enrollment feature. This feature provides you with a quick and easy way of setting up a large number of devices for management. A few use case examples. These include setting up devices for large organizations, setting up school computers, and setting up industrial machinery, among others. Intune has different ways to process the bulk enrollment of devices so you’ll need to determine which method fits best with your Intune design plan.  

Design requirements and Microsoft Intune

When making the design considerations, there are specific requirements you’ll need to look at for the Intune environment that you want to establish. There may be instances that require you to make adjustments to the general advice that you get concerning Intune deployment.

It’s essential to ensure that certain capabilities will meet the requirements for the use cases needed for your organization. These features include configuration policies, compliance policies, conditional access, terms and conditions policies, resource profiles, and apps.

Microsoft Intune Configuration policies

You can use configuration policies for the management of the security settings on devices in Intune in addition to the features, as well. It’s important that you design configuration policies that follow the configuration requirements by Intune devices. And the necessary information to design your configuration policies in this manner are in the use case requirements section. This enables you to note the settings and their configurations. Not only that, but you’ll need to make sure to verify to which users or device groups to apply certain configuration policies. The various device platforms that you use will need to have at least one configuration policy assigned to them or even several whenever the situation calls for it.

Compliance policies and Microsoft Intune

These types of policies are responsible for establishing whether devices are complying with the necessary requirements. Therefore, determining whether or not a device is compliant becomes a significantly easier matter for Intune. And this is very important because it allows for devices to categorize as either compliant or non-compliant. And that status can then determine which devices are given access to the organization’s network and which ones to restrict.

Furthermore, if you intend on using Conditional Access, then it will probably be in your best interests to create a device compliance policy. Before you can decide on your device compliance policies, you may again want to refer to the use cases and requirements section. This will provide you with the necessary information concerning the number of device compliance policies you’ll require. It will also help you decide which user groups you’ll be applying them. Lastly, you need to have clearly defined rules. These will detail how long devices are allowed to remain offline before they move to the non-compliant list.

Conditional Access for Microsoft Intune

Conditional access plays the role of enforcer for your organization’s policies on all devices. That means that if any device fails to comply with your requirements, conditional access measures can implement. They will prevent them from accessing organizational resources such as email. When it comes to Intune, you’ll also benefit from its integration with Enterprise Mobility + Security. This will give your organization better protocols to control access to organizational resources. So, when it comes to your design plan you still need to look at Conditional Access. You’ll also decide whether or not you need it and what you’d want to secure with it. 

Terms and conditions

Terms and conditions are essential for determining your organization’s requirements for any users that want access to the network. This is especially important in BYOD scenarios where some users may not be willing to meet those conditions. So, by establishing terms and conditions, your organization can give users an ultimatum if they want to access the organization’s resources. With Intune, you also get the option to add and deploy several terms and conditions to your user groups.

Profiles

Profiles play a key role by enabling the end user to connect to company data. To cater to the multiple scenarios that your organization may encounter, Intune provides several types of profiles. The information that you need, concerning the timeline for the configuration of the profiles, is obtainable by going through the section on use cases and requirements. Planning is easier because you’ll find all the device profiles grouped according to platform type. Profile types that you need to know about include email profiles, certificate profiles, VPN profiles, and Wi-Fi profiles.

Email profile

Email profiles are responsible for several capabilities. These include reducing the workload of support staff and enabling end-users with access to company email on their personal devices. Email clients will automatically set up with connection information and email configuration. Moreover, all this can be done without users having to perform any setup tasks. So this will ultimately improve consistency. However, not all of these email profiles will have support, on all devices.

Certificate profiles

Certificate profiles are the elements that enable Microsoft Intune to provide certificates to users or devices. The certificates that Intune supports include Trusted Root Certificate, PFX certificate, and Simple Certificate Enrollment Protocol (SCEP). For SCEP, all users who will receive it are going to need a trusted root certificate. This is because the latter is a requirement for SCEP certificate profiles. So, before you proceed make sure to have a clear idea of the SCEP certificate templates that you’d like to use. Your design plan should include a record of the user groups that require certificates. It should also include the number of certificate profiles needed, and to which user groups they’ll be targeted.

VPN profiles

Virtual private networks enable internet users to have secure access from almost any location across the globe. And using VPN profiles achieves the same thing for your organization’s users. They will be able to have secure access to the organization’s networks even from remote locations. Furthermore, Intune widens the options available to you by supporting VPN profiles from native mobile VPN connections and third-party vendors.

WiFi profiles

Wi-Fi profiles are important tools that enable your mobile devices to automatically connect to wireless networks. Using Intune, you can deploy Wi-Fi profiles to the various supported platforms. The device platforms that Wi-Fi profiles support include Android 5 and newer, Android Enterprise and kiosk, Android (AOSP), iOS 11.0 and newer, iPadOS 13.0 and newer, macOS X 10.12 and newer, Windows 11, Windows 10, and Windows Holographic for Business.

Microsoft Intune Apps

When using Intune, you’ll have the option to deliver apps to users or devices using any number of different ways. The apps that you can deliver cover a wide range including apps from public app stores, managed iOS apps, software installer apps, as well as external links. Moreover, this capability extends beyond individual app deployments. You’ll also be able to manage and deploy volume-purchased apps that you may have obtained from volume-purchase programs for both Windows and iOS.

App type requirements

Your design plan needs to include clear details regarding the types of apps that you will allow Intune to manage. This is especially necessary when you consider how apps deploy to users and devices. Information that you should consider for your criteria includes whether or not these apps will require integration with cloud services as well as the deployment measures you’d like to use.

You also need to decide if you’ll be availing these apps to employees using their personal devices and if users will need to have internet access to use the apps. Additionally, you need to verify if your organization’s partners will require you to provide them with Software-As-A-Service (SaaS) app data. Lastly, you need to check the availability of these apps to see if they will be available publicly in app stores or if they will be uniquely custom line-of-business apps.   

App protection policies

These policies intend to safeguard your organization’s data by keeping it secure or contained in a managed app. Generally, these policies are rules that go into play when users try to access or move your organization’s data. These rules may also be enforced if users try to engage in actions that are prohibited or monitored when users are inside the app.

Therefore, you can reduce the risk of data loss because of how apps are set up to manage organizational data. Any app that can function with mobile app management will receive app protection policy support from Intune. It will be up to the organization and the team of admins to determine what restrictions you’d like to place on your organization’s data within certain apps.

Setting up Microsoft Intune

When you have your design plan in place, then you can begin looking at setting up Microsoft Intune for your environment. To do that, there will be a few things that you need to consider.

Requirements for Microsoft Intune

The first thing you need to have is an Intune subscription and the license for this is offered as a stand-alone Azure service. It is a part of Enterprise Mobility + Security (EMS) and is included with Microsoft 365. From your design plan, you’ll have a better idea of what the goals of your organization are and you may end up choosing Microsoft 365 because it comes with all of Microsoft Intune, EMS, and Office 365 apps.

Current status

If your organization doesn’t have any MDM or MAM solutions that it is currently using then Intune is probably the best choice for you. Especially if a cloud solution is what you want and then you’ll also benefit from features like Windows Update, configuration, compliance, and app features in Intune.

You can add Endpoint Manager admin center as well to the list of benefits that will be availed to you. Something that does need to be mentioned is that organizations that use more than one device management solution should consider using only a single one.

And if you’ve been using MDM providers such as MobileIron, Workspace ONE, and MaaS360 you’ll still have the option to move to Intune. This will come with a significant inconvenience, however, because before users can enroll their devices in Intune, they will have to unenroll their devices from the current management platform.

Before you make the move to Intune, you’ll need to note in your design plan all the tasks you’ve been running and the features you need so that you know how to proceed with setting up Intune. Unenrolling devices from your current MDM solution not only presents a challenge but makes devices temporarily vulnerable.

This is because while they are in that unenrolled state, they stop receiving all your policies thus security is compromised. By using conditional access, you can block unenrolled devices until they complete their enrollment in Intune.

You should plan to implement your deployment in phases that start with small pilot groups so that you can monitor the success of your approach. If all goes well you can then proceed with a full-scale deployment. Furthermore, those who currently use Configuration Manager and would like to move to Intune can use the options below:

Add tenant attach

This option offers you the simplest way to integrate Intune with your on-prem Configuration Manager setup. By leveraging this option, you can upload your Configuration Manager devices to your organization in Intune. And then once your devices are attached, you’ll be able to use Microsoft Endpoint Manager admin center to run remote actions including user policy and sync machine.

Set up co-management

With this option, Intune will be used for some workloads and Configuration Manager for others. You need to first navigate to Configuration Manager and then set up co-management. And then you proceed to deploy Intune and that also includes setting the MDM Authority to Intune. Once all this is done, devices will now be ready to be enrolled and receive the necessary policies.

Moving to Microsoft Intune from Configuration Manager

This may not happen often because Configuration Manger users tend to want to stay on this platform. However, making the move is possible if you decide that a 100% cloud solution is what you are looking for. You’ll need to first register existing on-prem Active Directory Windows client devices as devices in Azure AD. Then, you proceed to move your existing on-prem Configuration Manager workloads to Intune. Using this method would be good for providing you with a more seamless experience for existing Windows client devices but the downside is that it will be more labor-intensive for your admins.

And if we’re looking at new Windows client devices then you would be better off starting from scratch with Microsoft 365 and Intune:

  • Start by setting up hybrid Active Directory and Azure AD for the devices. Devices that are Hybrid Azure AD joined will be joined to your on-prem Active Directory as well as registered with your Azure AD. Having devices in Intune helps to safeguard your organization from malicious activity because these devices can receive your Intune-created policies and profiles.
  • Go to Configuration Manager and set up co-management.
  • Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
  • You’ll also need shift all workloads from Configuration Manager to Intune in the Configuration Manager section.
  • With all this done, you can go ahead and uninstall the Configuration Manager client on the concerned devices. This is something that can be done by creating an Intune app configuration policy that can perform the uninstallation once Intune has been set up.

Start from scratch with Microsoft 365 and Microsoft Intune

You can only use this approach for Windows client devices, so for those Windows Server OSs, Configuration Manager will be the option you have.

  • Deploy Microsoft 365, including creating users and groups.
  • Next, you need to deploy Intune and that includes setting the MDM Authority to Intune.
  • The Configuration Manager client will need to be uninstalled on all existing devices.

Microsoft Intune Deployment

The steps to follow for your Microsoft Intune deployment are given below:

  • Navigate to Endpoint Manager admin center and sign up for Intune.
  • Set Intune Standalone as the MDM authority.
  • Next, you need to add your domain account because if you don’t your-domain.onmicrosoft.com is what will be used as the domain.
  • Add users and groups that will receive the policies you create in Intune.
  • Users will then need to be assigned licenses and once that is done, devices can enroll in Intune.
  • The default setting allows all device platforms to enroll in Intune so if there are platforms that you’d like to block you’ll need to create a restriction.
  • You need to customize the Company Portal app so that it has your company details.
  • Come up with your administrative team and assign roles as necessary. 

Windows 365 management and Microsoft Intune

Microsoft Intune not only manages your physical devices but will also play a key role in the management of your Windows 365 Cloud PCs. All you need to sign in is to head over to the Microsoft Intune admin center. This is where you’ll find the landing page for managing your Cloud PCs which is known as the Overview tab. Once signed in, go to Devices > Windows 365 (under Provisioning). In this section, you get a quick overview of the state of your Cloud PCs including the Provisioning status which summarizes the state of Cloud PCs in your organization, and the Connection health which summarizes the health of the Azure network connection in your organization.

All Cloud PCs page

On this page, you’re going to find a summary as well as a list view that will give you all the necessary information you need to know about the status of all the Cloud PCs in your organization. To make the task easier for you, the list view is refreshed every five minutes and allows you to search, filter, and sort. Additionally, there will be multiple Cloud PCs given to those users that have been assigned multiple Windows 365 SKUs. And what this means is that in the All Cloud PCs list view you will see multiple rows dedicated to a single user.

Column details

NameA combination of the assigned provisioning policy and the assigned user’s name will provide the name of the Cloud PC.
Device nameWindows computer name.
ImageSame image used during provisioning.
PC typeThe user’s assigned Windows 365 SKU.
StatusProvisioned: provisioning successful and user can sign in. Provisioning: still in progress. Provisioned with warning: warning is flagged in case of failure of a non-critical step in the provisioning process. Not provisioned: user has been assigned a Windows 365 license but not a provisioning policy. Deprovisioning: Cloud PC going through active deprovisioning. Failed: provisioning failed. In grace period: users with current Cloud PCs are placed in this state when a license/assignment change occurs for them. Pending: this happens when a provisioning request cannot be processed because of a lack of available licenses.
SUserUser assigned to the Cloud PC.
Date modifiedTime when last change of state of the Cloud PC occurred.
Third-party connectorWhen you have third-party connectors installed and currently in use on Cloud PCs, the connector provider is displayed as well as the connector status.

Remote management

Your organization can take advantage of the Microsoft 365 admin center to remotely manage your Windows 365 Business Cloud PCs. There will be several remote actions available to you but to access them you need Azure AD role-based access roles, either Global administrator or Windows 365 administrator. Once you have one of those two roles assigned, you’ll have several methods you can use for Cloud PC management including:

  • Windows365.microsoft.com
  • Microsoft 365 admin center
  • Microsoft Intune (on condition that you have all the necessary licenses)
  • Microsoft Graph

Cloud PC management design options

When it comes to the design options for Cloud PC management, there will be three options that we are going to look at:

Option 1 (Windows 365 Azure AD Joined + hosted in Microsoft Network)

Microsoft Intune

  • Cloud PCs are hosted in the cloud (Microsoft Hosted Network) and managed in the cloud (Intune)
  • Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
  • Eliminates customer constraints
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably address Cloud PC remote management needs

Co-Management

  • This is optional and allows you to bring your on-premises device management solution MECM for Option 1
  • Requires MECM + Cloud Management Gateway
  • Depends on customer device management on-premises environment
  • Some considerations before managing Cloud PCs include: Azure subscription and on-premises infrastructure, deployment and configuration of a CMG as well as a public SSL certificate for this CMG, enable Co-Management in Configuration Manager, and more. 

Option 2 (Windows 365 Azure AD Joined + hosted in Customer Network)

Microsoft Intune:

  • Cloud PCs are hosted in the Customer Network and managed in the cloud
  • Cloud PCs are enrolled as Azure AD joined and managed out-of-the-box by Intune
  • Eliminates customer constraints
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably address Cloud PC remote management needs

Co-Management

  • This is optional and allows you to bring your on-premises device management solution MECM for Option 2
  • Requires MECM. Cloud Management Gateway is optional
  • Depends on customer device management on-premises environment
  • Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of Intune to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.  

Option 3 (Windows 365 Hybrid Azure AD Joined + hosted in Customer Network)

Co-management:

  • Cloud PCs are hosted in the Customer Network and managed by the customer (Co-Management)
  • Cloud PCs are enrolled as Hybrid Azure AD joined and managed by Co-Management
  • Requires MECM
  • Depends on customer device management on-premises environment
  • Cloud PCs will get a unified endpoint management integration from the Microsoft Endpoint Manager admin portal
  • Simplifies Cloud PC management workloads such as app delivery and endpoint security among others
  • Comfortably address Cloud PC remote management needs
  • Some considerations before managing Cloud PCs include: on-premises infrastructure, configuration of MECM to deploy the CM client for your Cloud PCs, enable Co-Management in Configuration Manager.  

Microsoft Intune

  • This is optional and if you don’t have a MECM environment you can use Intune as your Cloud PC device management solution for Option 3          
  • Some considerations for this option include: configuration of Azure AD Connect for Hybrid Domain Joined, Hybrid Azure AD Joined Cloud PCs need to be directly attached to an on-premises AD environment, for device management the Active Directory environment will depend on Group Policy Objects.

Wrap Up About Microsoft Intune

Device and application management can prove to be a very challenging task to get right for a lot of organizations. Finding the right solution that can streamline application use across your organization’s devices without breaking the bank would be a dream for any organization. You also want a platform that can increase the productivity levels of your IT staff by minimizing the complexity of device management and by extension reducing the time spent on device management.

With Microsoft Intune, you can get this and plenty more. This MDM and MAM solution will enhance the security of your organization by establishing strict access protocols for your organization’s resources. This means greater protection at a time when endpoints are increasingly a vulnerable point for malicious attacks. Intune can provide you with peace of mind while providing an effective management platform that can vastly improve the way your organization operates. 

Windows Autopatch: Guide to Setup and Configuration

Most businesses have several technologies that they use to help their employees operate at the highest levels of efficiency. Without them, your ability to provide high-quality products and services would be severely hindered.

But, all these devices and the associated operating systems and applications need maintenance for them to work the way they were designed to. They need regular attention as well as updates and security patches. This is so businesses can fully benefit from their productivity tools.

Windows Autopatch gives you a great solution for your Microsoft products by automating the update process. Additionally, it simplifies the maintenance process for you. In this article, we’ll be going over how your business can set up this must-have solution.

What is Windows Autopatch?

Let’s start by explaining what exactly Windows Autopatch is and what it does. According to the Windows Autopatch page:

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.”

One of the key reasons this solution is a much-needed tool is that the process of implementing updates is not entirely seamless for a lot of organizations. IT admins are responsible for ensuring your organization’s devices get all the necessary updates upon release. And they’re responsible for overseeing that everything is working as it should.

So, even though Microsoft provides regular updates for its products and services, the task can sometimes be challenging and very time-consuming. Therefore, with a solution like Autopatch, IT admins can save a lot of time on the update processes. They can additionally cut time in positioning the overall security posture of the business, leading to improvements.

I’m sure most would agree that this is an excellent feature to have, given the increasing sophistication of cyber attacks. Additionally, end users will be able to work more efficiently with fewer distractions. Moreover, your IT personnel will potentially have a lot more time on their hands for dedicating to more productive tasks.

The role of Autopatch services

From what we have seen over the last year, we know that Windows Autopatch can manage your updates for you. But, you still need to know what exactly Autopatch will be responsible for regarding those updates. This is why it’s not too surprising that a lot of IT admins are hesitant about using Autopatch. They have concerns about losing control over their devices.

To simplify the rollout of the different updates, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first. And if all goes well, broader deployments can proceed as well. Not only is this a crucial step for evaluating updates, but it can help alleviate some of the concerns that IT admins have.

Below is a list of what Autopatch will be responsible for updating:

  • Windows 10 and Windows 11 quality
  • Windows 10 and 11 features
  • Windows 10 and 11 drivers
  • Windows 10 and 11 firmware
  • Microsoft 365 apps for enterprise updates

In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings. The first one caters to a few of your company’s devices, and the second one is responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively. 

Setting up Windows Autopatch

The process of setting up Windows Autopatch includes several steps that we will be discussing in this section.

PREREQUISITES

AreaRequirements
LicensingWindows 10/11 Enterprise E3 (or higher) in addition to Azure Active Directory Premium and Microsoft Intune.
ConnectivityAll Windows Autopatch devices require dedicated connectivity to multiple Microsoft service endpoints across the corporate network.
Azure Active DirectoryThe source of authority for all user accounts needs to be Azure AD. Or, the user accounts can be synchronized from on-premises Active Directory using the very latest supported version of Azure AD Connect to enable Hybrid Azure Active Directory to join.
Device managementAll devices must be registered with Microsoft Intune, be connected to the internet, have a Serial number, Model and Manufacturer, and must be corporate-owned. Furthermore, the target devices will need to have Intune set as the Mobile Device Management (MDM) authority or co-management must be turned on.

NETWORK CONFIGURATION

  • Proxy configuration – Windows Autopatch needs to reach certain endpoints for the various aspects of the Windows Autopatch service. Network optimization can be done by sending all trusted Microsoft 365 network requests directly through their firewall or proxy.
  • Proxy requirements – should support TLS 1.2, and if not, then you may need to disable protocol detection. 
  • Required URLs – mmdcustomer.microsoft.com

                         – mmdls.microsoft.com

                         – logcollection.mmd.microsoft.com

                         – support.mmd.microsoft.com

  • Delivery optimization – Microsoft recommends configuring and validating Delivery Optimization when you enroll into the Windows Autopatch service.

TENANT ENROLLMENT

The first step in this next stage will require you to verify that you’ve met all the requirements discussed at the beginning of this section.

With that done, you’ll now need to run the readiness tool. This checks the settings in both Intune and Azure AD and verifies that they work with Autopatch. To access this readiness assessment tool, head over to the Intune admin center and select Tenant administration in the left pane. Once there, go to Windows Autopatch > Tenant enrollment. When the check is done, you’ll get one of four possible results: Ready, Advisory, Not ready, or Error. And if this check is showing any issues with your tenant, then your next step will involve fixing the issues picked up by the readiness assessment tool.

If everything is in order and the readiness assessment tool has given you the “Ready” result, then you can proceed and enroll the tenant. You’ll find the “Enroll” button that you need to select within the readiness assessment tool. Once you select this option, it will start the process of enrolling your tenant into the Windows Autopatch service. You’ll see the following during the process:

  • Consent workflow to manage your tenant.
  • Provide Windows Autopatch with IT admin contacts.
  • Setup of the Windows Autopatch service on your tenant. This step is where the policies, groups, and accounts necessary to run the service will be created.

Your tenant will be successfully enrolled upon completion of these actions. And then, after all this is done, you can delete the collected data by the readiness assessment tool if you want. To do so:

  • Head over to the Microsoft Intune admin center.
  • Go to Windows Autopatch > Tenant enrollment.
  • Select Delete all data.

ADD AND VERIFY ADMIN CONTACTS

After you have finished the process of enrolling your tenant, you can move on to the addition and verification of admin contacts. Windows Autopatch has several ways of communicating with customers. And there’s a requirement to submit a set of admin contacts when onboarding. Each specific area of focus should have an admin contact. This provides that the Windows Autopatch Service Engineering Team has a contact for assistance with the support request. These areas of focus are given below.

Area of focusDescription
DevicesDevice registration Device health
UpdatesWindows quality updates Windows feature updates Microsoft 365 Apps for enterprise updates Microsoft Edge updates Microsoft Teams updates

To add the admin contacts, follow these steps:

  • Sign in to the Intune admin center.
  • Head over to the Windows Autopatch section, find Tenant administration, and then select Admin contacts.
  • Select Add.
  • Now, you need to provide all the necessary contact details. This includes name, an email, phone number, and language of choice.
  • Choose an area of focus and provide information about the contact’s knowledge and authority in this particular area.
  • Click Save and then repeat the steps for each area of focus.

DEVICE REGISTRATION

  • Windows Autopatch groups device registration

Autopatch groups will start the device registration process for devices that aren’t yet registered using your existing device-based Azure AD groups. This is instead of the Windows Autopatch Device Registration group. Windows Autopatch will support a couple of Azure AD nested group scenarios, namely Azure AD groups synced up from:

  • On-premises Active Directory groups (Windows Server AD)
  • Configuration Manager collections
  • Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant

For an Azure AD dual state to occur, a device needs to be initially connected to Azure AD as an Azure AD registered device. And then, when you enable Hybrid Azure AD join, the same device will be connected twice to Azure AD as a Hybrid Azure AD device.

So, what you’ll find in the dual state is a device with two Azure AD device records with different join types. However, the Azure AD registered device record is stale because the Hybrid Azure AD device record will take precedence.

About the Registered, Not ready, and Not registered tabs

Device blade tabPurposeExpected device readiness status
RegisteredShows successful registration of devices with Windows AutopatchActive
Not readyShows successfully registered devices that aren’t yet ready to have one or more software update workloads managed by the Windows Autopatch service.Readiness failed and/or Inactive
Not registeredShows devices that have not passed the prerequisite checks and thus require remediation.Prerequisites failed.

Device readiness statuses

Readiness statusDescriptionDevice blade tab
ActiveShows devices that: +have passed all prerequisite checks +registered with Windows Autopatch +have passed all post-device registration readiness checksRegistered
Readiness failedShows devices that: +haven’t passed one or more post-device registration readiness checks +aren’t ready to have one or more software update workloads managed by Windows AutopatchNot ready
InactiveShows devices that haven’t communicated with Microsoft Intune in the last 28 days.Not ready.
Prerequisites failedShows devices that: +haven’t passed one or more prerequisite checks +have failed to successfully register with Windows AutopatchNot registered

Built-in roles required for device registration

Roles are permissions granted to dedicated users. And there are a couple of built-in users in Autopatch that you can use to register devices:

  • Azure AD Global Administrator
  • Intune Service Administrator

Less privileged user accounts can be assigned to perform specific tasks in the Windows Autopatch portal. You can do this by adding these user accounts into one of the two Azure AD groups created during the tenant enrollment process:

Azure AD group nameDiscover devicesModify columnsRefresh device listExport to .CSV
Modern Workplace Roles – Service AdministratorYesYesYesYes
Modern Workplace Roles – Service ReaderNoYesYesYes

Details about the device registration process

The process of registering your devices with Windows Autopatch will accomplish a couple of things:

  • Creation of a record of devices in the service.
  • Device assignment to the two deployment ring sets and other groups required for software update management.

Windows Autopatch on Windows 365 Enterprise Workloads

As part of the Windows 365 provisioning policy creation, Windows 365 Enterprise admins will have the option to register devices with Windows Autopatch. This means that Cloud PC users will also benefit from the increased security and automated updates that Windows Autopatch provides. The process for registering new Cloud PC devices is as follows:

  • Head over to the Intune admin center and select Devices.
  • Next, go to Provisioning>Windows 365 and select Provisioning policies>Create policy.
  • Type in the policy name, select Join Type, and then select Next.
  • Pick your desired image and select Next.
  • Navigate to the Microsoft managed services section, select Windows Autopatch, and then select Next.
  • Assign the ideal policy, select Next, and then select Create.
  • Your newly provisioned Windows 365 Enterprise Cloud PCs will then be automatically enrolled and managed by Autopatch.

Windows Autopatch on Azure Virtual Desktop workloads

Azure Virtual Desktop (AVD) workloads can also benefit from the features that Windows Autopatch has to offer. Your admins can use the existing device registration process to provision their AVD workloads to be managed by Autopatch.

One of the most appealing features of Windows Autopatch is how it offers the same quality of service to virtual devices as it does to physical ones. This ensures that if your business is looking to migrate to virtual devices or is already using them, then you won’t miss out on what Windows Autopatch offers.

It is worth noting, however, that any Azure Virtual Desktop specific support is deferred to Azure support unless otherwise specified. In addition, the prerequisites for Windows Autopatch for AVD are pretty much the same as those for Windows Autopatch and AVD.

The service will support personal persistent virtual machines. But, there are some AVD features that are not supported such as multi-session hosts, pooled non-persistent virtual machines, and remote app streaming.

Deploy Autopatch on Azure Virtual Desktop

Another great feature that you’ll get with Autopatch is that you can register your Azure Virtual Desktop workloads using the same method as your physical devices. Microsoft recommends nesting a dynamic device group in your Autopatch device registration group to simplify the process for your admins. And this dynamic device group is going to target the Name prefix defined in your session host while also excluding any Multi-Session Session Hosts.

Client support

Windows Autopatch provides businesses with excellent support services to ensure that any issues are addressed. You can access the appropriate support services through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents.

Device management lifecycle scenarios

Before you proceed and register your devices in Windows Autopatch, there are a few device management lifecycle scenarios that you may want to consider. These include the following:

  • Device refresh – devices that were previously registered in Autopatch and require reimaging will require you to run one of the device provisioning processes available in Microsoft Intune to reimage these devices. Subsequently, these devices will be rejoined to Azure AD (Hybrid or Azure AD only) and then re-enrolled into Intune. And because the Azure AD device ID record of that device will not be altered, neither you nor Windows Autopatch will need to perform any additional actions.
  • Device repair and hardware replacement – when devices require you to repair them by replacing certain hardware, then you’ll need to re-register these devices into Autopatch when you’re done. We are talking about the kind of repairs that include replacing parts such as the motherboard, non-removable network interface cards (NIC), or hard drives. And the reason why re-registration is necessary is that when you replace those parts, a new hardware ID will be generated, including:
  • SMBIOS UUID (motherboard)
  • MAC address (non-removable NICs)
  • OS hard drive’s serial, model, manufacturer information

So, even though you still practically have the same device, whenever you replace major hardware, Azure AD will create a new ID record for that device.

UPDATE MANAGEMENT

Software update workloads

Software update workloadDescription
Windows quality update – on the second Tuesday of every month, Autopatch deploys monthly security update releases. Autopatch also uses mobile device management (MDM) policies to gradually release updates to devices. These policies are deployed to each update deployment ring to control the rollout.Requires four deployment rings to manage these updates
Windows feature update – in this instance, you’ll be the one to inform Autopatch when you’re ready to upgrade to the new Windows OS version. The feature update release management process has been designed to make the task of keeping your Windows devices up to date much easier and more affordable. This also has the added benefit of lessening your burden, thus allowing you to dedicate more time to more productive tasks.Requires four deployment rings to manage these updates
Anti-virus definitionUpdated with each scan
Microsoft 365 Apps for EnterpriseFind information at Microsoft 365 Apps for Enterprise
Microsoft EdgeFind information at Microsoft Edge
Microsoft TeamsFind information at Microsoft Teams

Autopatch groups

Autopatch groups play an essential role in helping Microsoft Cloud-Managed services work with businesses according to their various needs. When it comes to update management, Windows Autopatch groups provide an excellent tool that allows for the combining of Azure AD groups and software update policies. These might include Windows Update rings and feature update policies.

Reports

If there are any Windows Autopatch managed devices in your environment that are not up to date, you can monitor and remediate them using Windows quality and feature update reports. Not only that, but you can also resolve any device alerts to bring Windows Autopatch-managed devices back into compliance.

Policy health and remediation

To enable the management of Windows quality and feature updates, Autopatch needs to deploy Intune policies. Windows Update policies must be healthy at all times should you plan to remain up to date and receive Windows updates. Microsoft ensures continuous monitoring to maintain the health of the policies, as well as raise alerts and provide remediation actions.

Wrap up

The threat of attacks against businesses is something that is always lurking. And as we have seen on far too many occasions in recent years, these attacks can be devastating. Business operations can be severely compromised. Additionally, the financial penalties can be massive. Therefore, there is a need to do everything within your power to fortify your system defenses. Windows Autopatch allows you to bolster your security by automating certain tasks.

Make sure that update and patch deployments occur in a timely fashion. It can significantly reduce the risk of attacks against your business. And this is precisely what Autopatch is ready to help you prevent.

It helps you by automating the update process and simplifying tasks that are sometimes difficult and time-consuming. As a result, you get an easier and less expensive way of equipping your business with all the latest security updates necessary. Ultimately, it allows you to enhance your operations.

Check Autopilot Prerequisites – first update

Autopilot is an indispensable tool for managing and deploying Windows devices in the enterprise. Before deploying Autopilot, it is crucial to ensure that your environment meets the necessary prerequisites. This process can be time-consuming and prone to errors, which is why the Autopilot Prerequisite Checker has been introduced to automate the prerequisite checking process.

The Autopilot Prerequisite Checker is a PowerShell script that validates whether your environment meets the requirements for deploying Autopilot. The updated script now checks for the following prerequisites:

Tenant checks:

Check license requirements
Automatic Windows enrollment (MDM authority is set)
DNS records
Check user can join device to Azure AD
Check Enrollment Status Page
Check Windows Autopilot Deployment Profile
Check company branding

Device checks:

Windows OS version
Hardware hash uploaded to Intune
Check Windows Autopilot Deployment Profile assignment status
Updated with more devices check in version 1.0.1:
 - Windows InstallDate
 - Bios Version
 - Bios Status
 - Bios Serialnumber
 - OS Serialnumber
 - Hostname
 - Keyboardlayout
 - Timezone
 - TPM present
 - TPM Enabled
 - TPM ready

User checks:

User is licensed correctly

Network checks:

Required communication for Intune Autopilot is allowed
Updated with multiple in version 1.0.1 with more URLs

Using the script is a breeze. It can be run on any machine with PowerShell installed. Simply download the script, execute it, and wait for the results. The output will indicate whether your environment meets the necessary prerequisites for Autopilot.

Download the updated script 1.0.1

The advantages of using the updated script are numerous. It saves time by automating the prerequisite checking process, allowing you to concentrate on more crucial tasks. Additionally, it minimizes the risk of errors, ensuring that your Autopilot deployment is successful on the first attempt. Ultimately, it provides peace of mind by confirming that your environment meets the requirements for deploying Autopilot.

In summary, the Autopilot Prerequisite Checker is a robust script that simplifies the process of verifying the prerequisites for deploying Autopilot. Whether you are an IT administrator or a consultant, the Autopilot Prerequisite Checker is an essential tool for ensuring the success of your Autopilot deployment.

NOTE: THIS SCRIPT IS CONTINUALLY BEING IMPROVED – If you would like to suggest additional checks or improvements, feel free to reach out with your input.

Introducing a New Script to Check Autopilot Prerequisites

Autopilot is an essential tool for managing and deploying Windows devices in the enterprise. However, before deploying Autopilot, it’s important to ensure that your environment meets the necessary prerequisites. This can be a time-consuming and error-prone process, which is why we’re excited to introduce a new script that automates the prerequisite checking process.

The new script, called Autopilot Prerequisite Checker, is a PowerShell script that checks whether your environment meets the prerequisites for deploying Autopilot. The script checks for the following prerequisites:

Tenant checks:

  • Check license requirements
  • Automatic Windows enrollment (MDM authority is set)
  • DNS records
  • Check user can join device to Azure AD
  • Check Enrollment Status Page
  • Check Windows Autopilot Deployment Profile
  • Check company branding

Device checks:

  • Windows OS version
  • Hardware hash uploaded to Intune
  • Check Windows Autopilot Deployment Profile assignment status

User checks:

  • User is licensed correctly

Network checks:

  • Required communication for Intune Autopilot is allowed

The script is easy to use and can be run on any machine with PowerShell installed. Simply download the script, run it, and wait for the results. The script will output indicating whether your environment meets the necessary prerequisites for Autopilot.

Download the script

The benefits of using the script are numerous. First and foremost, it saves time by automating the prerequisite checking process, allowing you to focus on more important tasks. Second, it reduces the risk of errors, ensuring that your Autopilot deployment is successful the first time. Finally, it provides peace of mind by giving you the confidence that your environment meets the necessary requirements for deploying Autopilot.

In conclusion, Autopilot Prerequisite Checker is a powerful new script that simplifies the process of checking the prerequisites for deploying Autopilot. Whether you’re an IT administrator or a consultant, Autopilot Prerequisite Checker is an essential tool for ensuring the success of your Autopilot deployment.


NOTE: THIS IS A WORK IN PROGRESS – If would like me to add a check, just ping me the info 🙂

Microsoft Is Launching A New Intune Suite

Endpoint management is critical to the way that organizations can utilize and safeguard their resources. By using endpoint management solutions, IT teams can identify, monitor, and control the level of access that end users have to corporate resources. And it’s what inspired Microsoft’s new Intune Suite.

Endpoint management solutions enable IT professionals to improve the security of corporate data and significantly reduce the risk of security breaches. The importance cannot be overstated especially now when some research suggests that as a direct result of the pandemic there has been a 600% rise in cybercrime.

This is why Microsoft is looking to make changes to its array of endpoint management solutions to better cater to the needs of all organizations.

Recent developments

Microsoft has been working on improvements for endpoint management to strengthen corporate data security and increase efficiency. To that end, the company has just announced that a new suite of advanced endpoint management solutions will be launched in March 2023 together in one, cost-effective plan. This new plan has several benefits that will be offered to clients.

IT is going to be equipped with products that will improve endpoint management and also offer increased security to your hybrid workforce. This is ultimately going to deliver a better overall experience across your organization as well as increased operational efficiency. This new development is something that Microsoft had already talked about earlier this year.

The journey towards a bundled suite of advanced endpoint management solutions began with the rolling out of Remote Help for Windows. By using this service, the process of getting assistance for users on Windows devices is made easier.

Because of the integration with Microsoft Endpoint Manager, remote assistance can be rendered to managed devices. It also integrates with Azure AD ensuring that authentication and compliance information can be provided.

According to the announcement by Microsoft, in addition to Remote Help, this new bundled plan which will be introduced in March 2023 will also bring together Microsoft Tunnel for Mobile App Management, Endpoint Privilege Management, advanced endpoint analytics capabilities, and more advanced management capabilities in Microsoft Intune.         

Changes are coming

There was plenty to talk about at the Microsoft Ignite 2022 but one of the key areas would have been undoubtedly to do with Microsoft Endpoint Manager. As you would have noticed by now we are talking about a new Intune suite.

And that is because Microsoft announced that going forward the Microsoft Endpoint Manager brand will be replaced by Microsoft Intune. This change is not one for the future but something that has already been implemented. If you head over to the Microsoft Endpoint Manager landing page, you’ll notice that the name Microsoft Intune has already taken over.

It would appear that as far as endpoint management development is concerned, Microsoft is looking to place greater focus on cloud services. However, it’s worth noting that Intune, Configuration Manager, and the Co-management capability will still be retained. But, Microsoft Intune will be taking over as the main platform with regard to future development. Microsoft said in its announcement:

“Today, we’re announcing that Microsoft Intune will be the name of the growing product family for all things endpoint management at Microsoft…. The name Microsoft Endpoint Manager will no longer be used. Going forward, we’ll refer to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager.”    

Embracing the cloud

Although cloud-based services come with plenty of well-known benefits, it’s not everyone who has adopted the cloud approach. This is why Configuration Manager is still available to allow organizations to operate the way they want.

However, Microsoft continues to try and encourage migration to the cloud. And the cloud attach capability is one that is being talked about as something that could help facilitate the transition to the cloud. Most are already familiar with co-management and tenant attach so what exactly is cloud attach?

Cloud attach is a capability that allows for the enabling of both co-management and tenant attach. If your organization uses Configuration Manager, this gives you a way to have even more flexibility in managing endpoints without having to choose between security, compliance, and supporting new work realities.

Explaining the vision   

Inevitably, a lot of people will be rightly wondering why Microsoft is moving in this direction. Why the need for a suite of advanced solutions for endpoint management? Well, the answer is pretty simple.

When it comes to endpoint management, Microsoft is the biggest player in the game and so there is a need to continuously improve the services on offer. The countless millions of managed devices that Microsoft is responsible for require solutions that adapt to the changing environment.

As mentioned above, cybercrime has shot up at alarming levels in recent years. So endpoint management solutions need to strive to stay ahead of the threats. Microsoft received a lot of feedback from CTOs in recent years explaining how the needs of hybrid work are changing. This is leading organizations to combine security solutions from different providers to meet the security needs of their operations. As one would expect, this complicates life for IT staff and potentially adds massive costs to your overall expenditure.

This obviously will not go over well with management. And corporate security may end up suffering if the organization fails to meet the skyrocketing costs of the necessary solutions. IT departments feel pressure to cut corners and put in place temporary measures just to try and keep operations running.

Most would probably agree that this is not an ideal scenario and is a very tedious way of operating. So the announcement by Microsoft to introduce a bundled suite of advanced endpoint management solutions comes as welcome news. Clients can get a more comprehensive solution that can do what they currently need multiple products to do.

Enhancing endpoint management

The new Intune Suite intends to allow organizations to bring together in one place all the tools needed for securing their corporate data as well as managing their endpoints. In addition, this combined service will eliminate the risks of local admin users and give clients access to remote assistance. Not to mention that IT will be thrilled to see an improvement in the health and performance of Windows endpoints. The capabilities that we’ll discuss below will potentially change your IT environment for the better.

Remote Help for Windows and Android       

As I mentioned earlier, the initial version of Remote Help for Windows launched in April of this year. So what we can expect with the March 2023 release is an addition of enhancements to the Windows experience as part of the advanced management suite. The capabilities you get include ServiceNow integration that helps to provide service management incident information to Intune so that users’ technology issues can get a swift resolution.

Clients will also benefit from an improved messaging platform. It intends to simplify the process of viewing the reasons for device noncompliance, as well as how the IT Helpdesk staff hears the audio from the users who require remote assistance. Furthermore, there is enhanced elevation that will provide for quicker resolution. It’s especially helpful with issues that require alternate admin credentials because of the interaction with the User Account Control prompt.

Microsoft will also be looking to introduce support for Android. The addition of this capability will enable admins to serve their Frontline workers remotely with greater ease. This will offer a massive advantage to Android users because they can have any issues resolved a lot quicker. Admins can contact these users (who can also contact admins themselves), remotely diagnose the issue, and collaborate with the user to find a solution to the problem. This allows the user to quickly get back to work.

Endpoint Privilege Management

This is something that beginning in early 2023 Microsoft will be offering in public preview to clients with Microsoft Intune subscriptions. What this service will do is help you to automate and manage when workers have permission to use admin privilege for specific tasks on both Windows cloud-connected and co-managed endpoints.

According to Microsoft, by using Endpoint Privilege Management you’ll be able to give your users standard account privileges without making them local admins. With the use of these standard account privileges, users can be dynamically elevated to admin privilege for specific admin-approved tasks, based on the specific policies of your organization.

The advantage here is twofold. On one end, the organization will have a significant improvement in its security posture. And on the other end, users can become more productive. The objective is to ensure that IT admins have all the necessary tools to furnish employees of the organization with the capability to self-serve should the need arise.

To maintain a high level of security, this needs to follow Zero Trust principles hence the need for least privileged access. Furthermore, Endpoint Privilege Management will allow your organization to define the rules and parameters in Intune. Additionally, it will allow for configuration of a standard user’s permissions to be automatically elevated, be self-managed, or set to require authorization.

This is something that is going to impact operational efficiency massively by enabling users to perform tasks securely. These tasks include actions like adding approved apps, printers, or other peripheral devices. And all of this without the assistance of the IT helpdesk. Intune Endpoint Privilege Management will become generally available as part of the suite of advanced endpoint management solutions. It’s also available as an individual add-on to your Intune Suite subscription.

Microsoft Tunnel for Mobile Application Management

Microsoft Tunnel for Mobile Application Management (MAM) is a great service that is designed to bring convenience to end-users. In an era when employees are often carrying multiple devices to separate the personal from the professional, this feature will allow employees to use just a single device.

The beauty of the service is that there is no enrollment necessary. Corporate data will remain secure without end-users having to hand over control of their personal devices to IT. I’m sure many will like this the most about Microsoft Tunnel. So for organizations, this is going to address several issues.

You can now comfortably implement BYOD policies without worrying about the security of corporate data or user privacy. Switching to a BYOD program is also financially advantageous for organizations, as they no longer need to constantly invest in corporate-owned devices.

In addition, unenrolled iOS and Android devices get secure access to on-prem apps and resources using modern authentication, Single Sign On, and conditional access. This is because of how Microsoft Tunnel for MAM extends the VPN gateway to these devices. So this will enable the users of these unmanaged devices to also get secure access to corporate resources.

Because no device enrollment is needed the currently available capabilities of Microsoft Tunnel will be expanded. A good example of this is how Android apps won’t need integrating with any SDKs. Other than the MAM SDK, which is used to auto-start VPN for apps, applies if desired or to retrieve trusted root certs.

Advanced Endpoint Analytics

Endpoint Analytics aims to enable IT in optimizing the user experience and improve productivity. Endpoint Analytics provides insights that can help IT admins be proactive in their tasks, as well. This feature offers both IT staff and end-users a system that obtains detailed and granular data on the organization’s endpoints. Additionally, it improves insights into how the business is performing.

IT can leverage this data to provide proactive assistance to end-users. And it establishes a greater degree of working efficiency. This new suite that Microsoft is bringing to its clients will include several advanced endpoint analytics features. These seek to better equip IT to have a better analytical overview and understanding of how the end-user experience is going. And with these capabilities, the end-user experience can be optimized regardless of where the employee may be working from.

How it’s going to help

The introduction of improved drill-down capabilities is also going to help admins better cater to the needs of devices under their management. By using these capabilities, it becomes easier for IT to assess any areas that require improvement. And it will assist to prioritize targeted actions for specific people in your organization.

The insights that one can get are also invaluable for comparison purposes. For instance, some employees prefer working remotely. Organizations can take advantage of the detailed information they have to compare the experiences of workers in different working environments.

Microsoft has also talked about a new anomaly detection capability that will combine real-time visibility, AI, and machine learning. This capability intends to simplify the life of IT admins by eliminating the need to consistently monitor custom dashboards. It also eliminates complicated alert systems to assess the performance of endpoints in your care.

What anomaly detection will offer them, instead, is a system that delivers an early warning mechanism. This allows for proactive learning about user-impacting issues rather than relying on various other channels such as support for these reports. Anomaly detection helps to streamline the process and minimize any loss of productivity.

Additional benefits

This platform will enable the automatic identification of issues, including unexpected machine reboots, app crashes, and hardware and peripheral failures. It helps IT admins better analyze the issues at hand. And the anomalies are categorized based on severity and come with any relevant information. Once the information is available, IT can carry out a thorough analysis of the anomalies and implement the necessary measures.  

The new enhancements that Microsoft is introducing are going to make the organizations operate a lot more efficiently. By leveraging automations and proactive remediations, potential issues can be resolved before end-users are even aware that there’s an issue.

IT and support staff can look forward to plenty of new features in the new advanced endpoint management suite. They will now be able to run customized remediation scripts on individual devices on-demand and in real-time. This is something that happens within their troubleshooting sessions. Additionally, it offers instant fixes or change the device configuration to ensure devices are always performing optimally.       

Wrap Up

Going forward more and more organizations are embracing the hybrid workforce model as potentially the way to go. It’s not surprising as several surveys show that plenty of employees want to have the option of working remotely.

So if organizations are going to adopt this model, as well as put in place BYOD policies, it’s essential to have endpoint management solutions that make this a viable option. And this is just what Microsoft is aiming to do with the new advanced endpoint management solutions suite. This should give IT admins everything they need for effective endpoint management in one place.

No longer will you need to stitch together products from multiple vendors that will cost you dearly. If this new suite of products delivers as promised, then organizations will have an invaluable tool to add to their arsenal.

How to Improve Network Efficiency with Delivery Optimization and Endpoint Configuration Manager

Can Microsoft’s Delivery Optimization and Configuration Manager help solve enterprise network efficiency problems supercharged by the coronavirus pandemic?

The COVID-19 pandemic has forced numerous companies to adopt hybrid working models. This has seen demand for bandwidth capacity increase considerably.

Couple bandwidth-busting traffic connecting from all over with spiraling data costs and network administrators have something to worry about. With no end in sight of this global pandemic, enterprises are now looking for solutions to counter these issues.

As a result, the question that’s now at the fore for many network administrators is how to improve network efficiency as cost-effectively as possible in the New Year. 

COVID-19 and Network Efficiency

Pre-COVID, 17% of the American workforce worked remotely at least 5 days per week. Since the onset of the pandemic, this number has increased to 44%.

With nearly 6% of the population (i.e. 21 million people) having no high-speed connection, enterprises have begun to ask questions such as how best can they keep all their employees connected to their networks?

A range of solutions has been proposed in order to modernize the existing mainframes including the adoption of key technologies such as Microsoft’s Delivery Optimization, Connected Cache, and Configuration Manager.

Let’s examine each of these in greater detail.

What is Delivery Optimization

Delivery Optimization is an inbuilt Windows component. It’s distributed cache technology which means that it is software designed to act as an intermediary between an enterprise’s primary storage solutions and remote employees’ computer.

The benefits that Delivery Optimization provides include optimizing cloud download efficiency, minimizing internet bandwidth, and lowering the latency in data access.

This is excellent because you want to keep your internet bandwidth high. It translates to a faster and better experience for employees, particularly those working remotely.

What is Microsoft Connected Cache?

Microsoft Connected Cache is an application installed on a Windows Server 2012 or later. It is also a high-speed data storage function that works hand-in-hand with Delivery Optimization to reduce latency and improve efficiency.

Connected Cache acts as a dedicated cache on your enterprise network. This server-based solution caches the managed downloads that Delivery Optimization extracts from the Cloud.

It’s ideal for companies because it serves as a local cache on your on-premise network.

What is Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM) or Systems Management Server (SMS) is a full-feature systems management software. It sets out to manage computers on a larger and streamlined scale.

Configuration Manager works by providing patch management, remote control, operating system deployment, software inventory, software distribution, and network access protection capabilities.

Now that we’re up to speed about what each of these features are and what they do, let’s look at the advantages and disadvantages of Delivery Optimization.

Delivery Optimization Pros

No Upfront Costs

For enterprises already encumbered by high remote operating costs, this is a welcome reprieve. There are no upfront costs because Delivery Optimization exists as part of Windows 10. Therefore, it’s a feature that’s paid for through your regular Windows 10 license.

Leverages Peer-to-Peer Efficiency

Delivery Optimization enables PCs connected to your network and to download updates in a more streamlined manner from other peers within the network that have already downloaded the content. In this way, there’s an overall reduction in bandwidth. This also mitigates update-related traffic.

Same Time Send/Reception of Update Files

Gone are the old days of having to wait long periods of time while update files sent and received in succession. Today, Delivery Optimization facilitates simultaneous sending and receiving of update files. This allows updates to easily and seamlessly take place.

Can Resume Interrupted Downloads

Do you remember the times when downloads would interrupt because of a network glitch and had to restart? This meant updating PCs across company networks took longer and sometimes pushed up data costs for enterprises. Thankfully, one of the perks of Delivery Optimization is the ability to resume downloads should they experience an interruption.

Load Balancing Capabilities

Network administrators can use all the help they can get to distribute workloads in a uniform manner across enterprise servers and employee PCs.

Load balancing is an incredibly important process as it promotes more efficient processing. It provides balance, so there are no uneven overloads on individual computer nodes. Delivery Optimization presents itself as a tool that expedites this distribution of network traffic.

Windows Native and Cumulative Updates Enabled

As a Windows 10 native feature, Delivery Optimization is Cumulative Updates enabled. This means that on all the PCs equipped with the DO feature, updates – both old and new – these can be bundled together into a single update package.

But it’s not all fun and games with Delivery Optimization. Here are a couple of disadvantages network administrators have to also contend with.

Delivery Optimization Cons

No Analytics and or Reporting

In Deloitte’s The Analytics Advantage report, analytics are highlighted as important as they enable companies to drive business strategy and facilitate data-driven decisions. Thus, it comes as a big disappointment that Delivery Optimization provides no such insights neither in the form of analytics nor reports.

No Content Control

Being able to control both the content that’s being downloaded and transmitted across networks is imperative for network safety. The fact that Delivery Optimization doesn’t give network administrators such control is frustrating.

No Support for Windows 7/10 Migration

Are you thinking of migrating from Windows 7 to Windows 10? Well, unfortunately, you’ll have no help from Delivery Optimization. It’s not clear as to why the developers over at Microsoft thought it was a good idea to complicate migration in this way.

No Support Packages and App Deployment

That’s not all, but Delivery Optimization also offers no support for Packages and Application with Configuration Manager stand-alone deployments. This greatly hampers the standardization and streamlining process of installing software on employees’ work devices.

No Smart Agent

Delivery Optimization is a tool full of potential. However, it is baffling trying to understand why this supposed network optimizing resource has no smart agent to facilitate Optimal Source Selection.

No SCCM Support

Microsoft’s System Center Configuration Manager (SCCM) is integral in the management, deployment, and security of connected enterprise devices as well as apps within the network. However, this Windows product doesn’t receive any support which is a major disadvantage.

Needs Manual Boundary Definition

Boundaries, according to Microsoft, are network-specific locations on enterprise intranets that can contain your PCs or other devices making them easier to manage. When using Delivery Optimization, boundaries aren’t automatic, you have to take time to manually define each boundary you want to be created.

Needs Substantial Boundary Configuration

It’s not enough to manually define the boundaries required either, you also need to make sure that each boundary is properly configured. This additional work can be automated so it’s a wonder why Delivery Optimization doesn’t come with boundary configuration pre-set.

5 Steps to Improving Network Efficiency with Delivery Optimization

Faced with hybrid work models and more employees working remotely, enterprises must be smart about network management. Here are the top 5 ways to improve network efficiency using Delivery Optimization, Configuration Manager, and Microsoft Connected Cache in 2022.

Improve Network Efficiency Step# 1. Remove Performance Bottlenecks

When it comes to network efficiency, congestion in the network is one of the major network problems that most enterprises face. There are many causes of bottlenecks in your network which you will need to remove in order to improve network efficiency. These range from:

a)     Network Overload

Network overload happens when you have numerous hosts within your broadcast domain. Delivery Optimization can aid in this particular case by allowing optimized cloud-managed downloads which reduce network pressure.

b)    Broadcast Storms

Broadcast storms occur when you receive more requests on the network than it can handle.

c)     Low Bandwidth

This occurs when there are too many people connected to the network at once. Delivery Optimization and Connected Cache are peer-to-peer cache technology and significantly help to lower the latency and minimize internet bandwidth.

d)    Not Enough Retransmitting Hubs

Failure to have sufficient retransmitting hubs slows down your network. Retransmitting hubs are necessary in order to make data transmission across the network easier.

e)     Multicasting

While created to help ease congestion, multicasting can in fact cause bottlenecks when two packets transferred simultaneously collide leading to congestion

f)      Old Hardware

Technology is changing so fast and hardware components need to be routinely upgraded otherwise servers, routers, and switches can inadvertently lead to network congestion

g)     Poor Configuration Management

When scripts are one-off or repetitive, they can introduce bugs that cause congestion. Thankfully Delivery Optimization and Configuration Manager can help to get rid of this issue.

h)    Foreign Adapter Broadcasts

When rogue adapters connect to your network, this can increase the network load leading to bottlenecks. A rogue adapter is any device that connects oftentimes illegally onto your network and exists like a parasite until it’s removed. These foreign devices also pose a security threat.

Fortunately, network monitoring tools like Configuration Manager make it possible to handle the life cycle of all the devices and configurations within your network. Such visibility can assist in identifying slow traffic and congestion so you can eliminate it.

And speaking of configurations…

Improve Network Efficiency Step# 2. Reconfigure Network Hardware

It doesn’t matter if it’s an installation of cumulative updates or new hardware, every element joining the company network must be properly configured. Failure to do so can lead to poor network efficiency.

When devices are incorrectly configured, they can’t communicate with their peers effectively. This will lead to routing problems and or increase latency.

Network administrators must ensure that each time a device is configured or reconfigured the network is tested to check network performance. Configuration Manager can be used to see whether the new configuration/reconfiguration is affecting the network negatively.

Improve Network Efficiency Step# 3. Educate Employees on Correct Network Usage

Now with more employees working remotely, it can be difficult to control what people do on the company network. However, it is pivotal to educate them on avoiding applications that are bandwidth-heavy and engaging in activities that consume a lot of data such as downloading movies, music videos, and other large files.

The more bandwidth employees are using in non-work-related activities, the less will be available for work slowing down the entire network. Configuration Manager can be used to curb non-work-related activities if necessary by blocking certain devices. 

Improve Network Efficiency Step# 4. Consider Creating a Guest Network

Have you ever thought of creating a separate guest network for people visiting your company?

You don’t want strangers and outsiders to be able to connect to your enterprise network. This is a major security threat. By creating a disparate guest network they will have their own distinct network to connect to.

In this way, guests’ activities don’t interfere with enterprise bandwidth and security threats are reduced.

Improve Network Efficiency Step# 5. Compress Network Traffic and Data

Every day, colossal amounts of data are transmitted across enterprise networks. More so now, in a world where virtual meetings are the order of the day. These data-heavy online activities necessitate data compression and compression of network traffic.

By compressing enterprise data, companies get more out of their internet packages. And with Windows components like Delivery Optimization, you get to stretch your data out more.

You see, Delivery Optimization extracts content from the cloud, stores it in a temporary cache, where peer PCs/devices can easily access said files in smaller, minute data-friendly sizes without having to download all the large files for each connected device.

Wrap up

2020 and 2021 have disrupted the way business is done. With more companies eager to try out hybrid work models that allow employees to work remotely with some days in the office, network administrators have their work cut out for them in terms of making sure networks are efficient and running at optimal round the clock.

And with so much uncertainty about when things will return to normal, enterprises need to get comfortable with the idea of remote work. Resources such as Delivery Optimization and Configuration Manager will prove to be more and more important in 2022 and beyond.

Relying on such Windows features, organizations can rest easy knowing that there are tools to help with improving network efficiency in a cost-effective manner.

Should You Allow Self-Service With Windows Autopilot?

With Windows Autopilot, Microsoft gives clients a collection of technologies designed to eliminate the challenges that come with building, maintaining, and applying custom images.

It’s a platform that IT professionals can utilize to set new desktops to join pre-existing configuration groups and apply profiles to the desktops. All of this is so that new users can access fully functional desktops from their first logon.

By using Windows Autopilot, you can simplify the entire lifecycle of Windows devices. Meaning that it covers devices from the initial deployment through to the eventual end of the life cycle. The question, however, is should you allow self-service?

Changing landscape with Windows Autopilot

Over the last few years, we have certainly witnessed a rapid evolution in the remote work landscape. And this evolution has become even more pronounced with the prevailing global pandemic. This has made the need for technology like Windows Autopilot even greater.

Self-service technology has plenty to offer any business. Benefits can include improved end-user experience, effortless coordination for a remote or blended workforce, less complicated management, and significant increases in productivity.

So as the way businesses operate continues to evolve, Windows Autopilot can be the perfect tool to deal with the headaches that we have faced in the past with automated deployment and self-service setups.

Using the self-service setup

The way that Windows Autopilot’s self-service setup works is that it makes workplace devices configured and ready out of the box with its self-deploying mode.

This means that when the employee receives the device they only need to turn it on to start working. Self-deploying mode automatically joins a new device into your company’s Azure Active Directory (Azure AD).

The device is then enrolled into Intune for mobile device management (MDM). Also, you don’t need to worry about apps, certificates, policies, and networking profiles provisioned on the device as they will be dealt with as well.

What this means is that everyone has a lot to gain from using Windows Autopilot, whether you’re IT or the end-user. IT people have their processes simplified and no longer have to deal with the time-consuming, outdated, and overly complex IT processes they had before.

And as for the end-user, all one needs to do is unbox the device, turn it on, connect to the internet, and then verify their credentials.

Self-deploying mode of Windows Autopilot

This feature plays a key role in making Windows Autopilot the platform that it is. Using it will allow you to deploy a device with little to no user interaction. If you have an Ethernet connection then no user interaction will be needed. But, end-users whose devices are connected via Wi-Fi will need to choose the language, locale, and keyboard. And then, they need to make a network connection.

By using self-deploying mode, you can deploy a Windows 10 device as a kiosk, digital signage device, or a shared device. Moreover, it’s also possible to completely automate device configuration by combining self-deploying mode with MDM policies. To deploy in self-deploying mode, you need to follow the steps below:

  • The first step involves creating an Autopilot profile for self-deploying mode that has the settings you want.
  • Next, you need to create a device group in Azure AD and assign the Autopilot profile to that group. Before you try to deploy the device, you should check that the profile has been assigned to the device.
  • Finally, you need to boot the device and connect it to Wi-Fi (if necessary). And then wait for the provisioning process to complete.

Gaining value from technology

As already mentioned earlier, the technological landscape is evolving and so businesses can take advantage of these changes to add value to their operations. The ability to seamlessly deploy devices without IT involvement has huge implications in an increasingly remote-working world.

With countless employees not being on-premises, companies cannot afford to have delays between delivery and deployment. Leveraging Windows Autopilot means that you can eliminate OS image re-engineering and customize the out-of-the-box-experience (OOBE).

By doing this, your processes become easier and faster. And this is going to enhance productivity and potentially increase profitability.

Possible scenarios

Windows Autopilot provides support for a growing list of different scenarios, designed to support the varying needs that most businesses will have. These needs often differ depending on the type of business as well as where you are with moving to Window 10 and transitioning to modern management. Below are some of the common scenarios:

  • Deployment of devices that will be set up by an employee of the company and configured for that person.
  • Deployment of devices that will be automatically configured for shared use, as a kiosk, or as a digital signage.
  • Re-deploying a device in a business-ready state.
  • Pre-provisioning a device with up-to-date apps, policies, and settings.       
  • Provisioning of WIndows 365 devices

User-empowered modern workplace

Windows Autopilot is one of the key components in the Microsoft ecosystem that are helping to create a more user-centric workplace. An environment where users are empowered by IT rather than restricted as they were with legacy IT.

Users will immediately see this from the very beginning as they unbox new devices and have no time-wasting setup involved. Combined with the streamlined benefits of other solutions in the Microsoft ecosystem, this creates a modern, all-digital workplace.

Leveraging digital transformation with Windows Autopilot

So much technological innovation has come to the fore in the last few decades. However, many outdated facets of legacy IT persist including device setup and configuration. But it certainly doesn’t have to be the case for your organization.

Making use of tools like Windows Autopilot has massive potential benefits for your business. Self-service deployments not only make life simpler, but they can help you to operate faster and with fewer complications.

Not to mention how you can create more productive time. The extensive range of capabilities that you get here gives you more automated and user-friendly processes that can enhance your organization’s performance.