
Portal Kombat


As Microsoft has integrated previously independent products and evolved into a massive cloud service provider, the disparate access methods and portals developed by individual product teams have led to an overwhelming number of different ways of accessing your Microsoft cloud services. Examples include Office 365, Azure AD, Dynamics, OMS, Intune and of course Azure.

While I applaud Microsoft’s movement to simplified, streamlined and unified portals where they make sense, it has been a bumpy ride. Up until earlier this year both Azure and Intune had two portals for a period. If that’s not confusing enough, not all functions are/were available in both portals. Some features are/were only available in the classic portal while others are/were only available in the modern portal.

To make it even more difficult for administrators, because of the Silverlight dependency, the classic portal does not support all modern browsers.

Here’s an article that outlines the browser support for each portal.

Let’s focus on Intune for now. Until the Windows 7 End of Life in January 2020, Microsoft will need to keep supporting the classic Silverlight based portal in order to support Windows 7 devices that rely on agent based management. As organizations move away from Windows 7, no agent is required because OMA-DM is baked into Windows 10, and the Azure service based version of the Intune portal can be used exclusively.

Figure 1- Classic Silverlight based Intune Portal

Figure 2- Azure “Ibiza” Portal

License Management

It’s hard to believe that something as simple (and revenue generating for Microsoft) as license assignment can be confusing. Intune adds confusion beyond the two Intune specific portals in that license management can be done from either the Azure AD blade or from within Office 365.

Of course, you can also assign the licenses using PowerShell from a computer with the Azure Active Directory Module for Windows PowerShell installed. I like this option as it can be integrated into a more complete automated user provisioning process. For example, you could create a PowerShell script that does the following:

  1. Create a user in AD (or Azure AD)
  2. Add the user to appropriate groups
  3. Assign an Office 365 license
  4. Turn on MFA
  5. Create a mailbox
  6. Assign an Intune License
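The six steps above, carried through as one script. This is an added example, not code from the original post; it uses the Azure Active Directory Module for Windows PowerShell (the MSOnline module) that the post refers to, creates the user in Azure AD rather than on-premises AD, and treats the SKU part numbers, group ObjectId and usage location as placeholders that you must replace with values from your own tenant (Get-MsolAccountSku and Get-MsolGroup). The account running it needs a role that can create users and assign licenses.

```powershell
# Added example (not from the original post): end-to-end provisioning of a cloud
# user with the Azure Active Directory Module for Windows PowerShell (MSOnline).
# Assumptions: the signed-in admin can create users and assign licenses; the SKU
# part numbers and the group ObjectId below are placeholders to be replaced with
# values from Get-MsolAccountSku and Get-MsolGroup in your own tenant.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $FirstName,
    [Parameter(Mandatory)] [string] $LastName,
    [string] $UsageLocation = 'CA',                                    # required before any license can be assigned
    [string] $GroupObjectId = '00000000-0000-0000-0000-000000000000',  # placeholder group id
    [string] $O365Sku       = 'contoso:ENTERPRISEPACK',                # placeholder: Office 365 E3 SKU
    [string] $EmsSku        = 'contoso:EMS'                            # placeholder: Enterprise Mobility + Security SKU
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # interactive sign-in; never embed admin credentials in the script

# 1. Create the user in Azure AD. Omitting -Password makes the service generate a
#    one-time password that is returned in the output object; the user must change
#    it at first sign-in.
$user = New-MsolUser -UserPrincipalName $UserPrincipalName `
                     -DisplayName "$FirstName $LastName" `
                     -FirstName $FirstName -LastName $LastName `
                     -UsageLocation $UsageLocation `
                     -ForceChangePassword $true

# 2. Add the user to the group that carries the baseline policies.
Add-MsolGroupMember -GroupObjectId $GroupObjectId `
                    -GroupMemberType User `
                    -GroupMemberObjectId $user.ObjectId

# 3. and 5. Assign the Office 365 license. Assigning a plan that includes Exchange
#    Online is what provisions the mailbox, so no separate mailbox step is needed.
Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $O365Sku

# 4. Turn on MFA before the user ever signs in. State = Enabled prompts the user
#    to register a second factor at the next sign-in.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State        = 'Enabled'
Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($mfa)

# 6. Assign the Intune (EMS) license.
Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $EmsSku

# Verify: show the licenses now attached to the user and how much inventory is
# left on each SKU; an exhausted SKU is a common reason the last step fails.
Get-MsolUser -UserPrincipalName $UserPrincipalName |
    Select-Object DisplayName, IsLicensed, @{ n = 'Licenses'; e = { $_.Licenses.AccountSkuId -join ', ' } }
Get-MsolAccountSku | Where-Object { $_.AccountSkuId -in @($O365Sku, $EmsSku) } |
    Select-Object AccountSkuId, ActiveUnits, ConsumedUnits
```

Run it as `.\New-CloudUser.ps1 -UserPrincipalName jdoe@contoso.com -FirstName Jane -LastName Doe` (file name is an assumption). MFA is enabled before the Intune license on purpose: the user then has to register a second factor before the device enrolment that the license unlocks, which closes the window in which a freshly provisioned password-only account could enrol a device.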
In this short video I’ll show you three ways to assign Intune (or EMS) licenses to users:

  1. Office365 Portal
  2. Azure Portal
  3. PowerShell

Windows Autopilot vs System Center Configuration Manager


I previously mentioned that I was excited to compare Windows Autopilot with System Center Configuration Manager (SCCM). Well, we finally have more details about Windows Autopilot and I’m finally able to give you a comparison of Autopilot and SCCM for Windows 10 deployments.

System Center Configuration Manager

Before I dive into Windows Autopilot, let us review the typical use cases for SCCM so that we have a basis for comparison. SCCM is an on-premises tool that performs many functions in addition to Operating System Deployment (OSD); however, I will just focus on the OSD portion for now. Here are the three most common OSD scenarios:

Scenario 1 – Boot Media

This is a Light Touch deployment requiring physical access to each device. It is well suited to small remote offices or a small staging area without OSD infrastructure (Distribution Points etc.).

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. SysAdmin creates boot media
  3. Boot media is distributed to required locations
  4. Each device is booted with the boot media and the task sequence builds the device
  5. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • Minimal network impact
  • Minimal infrastructure requirements

Cons

  • Requires visiting each device (Light Touch)
  • Boot media management overhead

Scenario 2 – PXE Boot

This is a Light Touch deployment requiring physical access to each device to enter PXE boot. This can be made Zero Touch if the boot order is set to PXE first; however, this is not a sustainable configuration. It is well suited to a large staging area or small remote offices with OSD infrastructure (Distribution Points etc.).

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. Sysadmin deploys task sequence to a collection of devices
  3. Devices are booted and forced into network boot
  4. The device finds a boot image on the SCCM Distribution Point
  5. Each device is booted with the boot media and the task sequence builds the device
  6. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • No media management
  • Easy modification of task sequences, boot images and driver packages

Cons

  • Requires visiting each device (Light Touch)
  • Requires complex infrastructure

Scenario 3 – Deployed Task Sequence

This is a true Zero Touch deployment that can be used as a Self-Service option as well as a scheduled mandatory deployment. It can even be coupled with Wake-on-LAN to target devices that are powered off (but still connected to the network). This is well suited to upgrading or refreshing large numbers of devices currently in use, as it requires that each device is already managed with SCCM.

  1. SysAdmin creates a custom Windows Image, driver package(s) and task sequence
  2. Sysadmin deploys task sequence to a collection of devices
  3. Task sequence is executed on device (Self-serve or scheduled)
  4. Required files are copied to the device and the device reboots and the task sequence deploys the operating system
  5. Applications can be added in the task sequence or post OSD through SCCM’s Software Deployment functionality

Pros

  • No requirement to visit each device (True Zero Touch)
  • No media management
  • Easy modification of task sequences, boot images and driver packages
  • Supports Self Service
  • Supports Scheduling

Cons

  • Requires complex infrastructure
  • Only available to existing SCCM clients

Windows Autopilot

Windows Autopilot is a cloud-based service that does not require any special infrastructure. Here’s a typical OSD scenario using Windows Autopilot:

  1. SysAdmin creates device profile(s)
  2. Sysadmin registers the device(s) with the Windows Autopilot service
  3. SysAdmin assigns a profile to the device(s)
  4. Device is booted by the end user
  5. Device is connected to network (any Network – home, work, public)
  6. User provides enterprise credentials, Language and Keyboard settings
  7. Device self configures based on assigned profiles
  8. If the organization uses Intune, additional policies and applications may be delivered to the device
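Step 2 above (registering devices with the Autopilot service) starts with collecting each device’s hardware hash. The script below is an added example, not the post’s or Microsoft’s code; it reads the same MDM bridge WMI class that Microsoft’s Get-WindowsAutoPilotInfo script uses and writes the three-column CSV that the Autopilot import expects. The output path is a placeholder, and the session must be elevated for the WMI class to be readable.

```powershell
# Added example (not from the original post): gather the data that Windows
# Autopilot registration needs from the local device and append it to the CSV
# layout the Autopilot import expects. Assumptions: elevated session; the output
# path is a placeholder.
function Get-AutopilotRegistrationRow {
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The hardware hash is exposed by the MDM bridge WMI provider and is only
    # readable from an elevated session.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                                 -ClassName 'MDM_DevDetail_Ext01' `
                                 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" `
                                 -ErrorAction SilentlyContinue
    if (-not $devDetail) {
        throw 'Unable to read MDM_DevDetail_Ext01; run from an elevated PowerShell session.'
    }

    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                              # optional column, left blank
        'Hardware Hash'        = $devDetail.DeviceHardwareData   # base64 blob consumed by the service
    }
}

$outFile = 'C:\Autopilot\AutopilotHWID.csv'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Get-AutopilotRegistrationRow | Export-Csv -Path $outFile -NoTypeInformation -Append
```

The hardware hash identifies the device to your tenant, so treat the CSV like any other inventory file: collect it over a channel you control and import it only into the tenant that owns the devices. Running the same script on several machines with `-Append` pointed at a shared file produces a single import-ready CSV.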

Pros

  • No requirement to visit each device (Near Zero Touch)
  • No media management
  • Easy modification of profiles
  • Supports Self Service

Cons

  • Cloud service (may be a con for some organizations)
  • Eliminates requirement of staging areas and internal device shipping
  • No support for system upgrade (maintaining user data and state information)
  • No support for complex configurations (multi partition, etc.)

Conclusion

Intune has been evolving rapidly over the last few years and is now able to provide much of the same functionality as SCCM, such as hardware and software inventory, application management, software updates etc. The one feature that was missing was OSD. Coupled with Windows Autopilot, Microsoft Intune is a credible end-to-end lifecycle management platform for many use cases that requires no on-premises infrastructure. While it cannot service all of the use cases that SCCM can, it can save time and money for organizations where it is a good fit.

Introducing WinPE Peer Cache


WinPE Peer Cache is a new feature of SCCM CB 1610. It functions in a similar manner to BranchCache; however, it is only available for content access from the Windows Preinstallation Environment (WinPE). WinPE Peer Cache is configured and managed as part of the SCCM CB client management settings.

A task sequence configured to use Windows PE Peer Cache can get the following content objects from a local peer while running in Windows PE:

  1. Operating system image
  2. Driver package
  3. Packages and Programs (When the client continues to run the task sequence in the full operating system, the client gets this content from a peer cache source if the task sequence was originally configured for peer cache when running in Windows PE.)
  4. Additional boot images

It is important to understand that WinPE Peer Cache is targeted at OSD scenarios and does not replace Distribution Points and BranchCache as locations for other types of content. For example, the following content objects never transfer using peer cache. Instead, they transfer from a distribution point or by Windows BranchCache if you have configured Windows BranchCache in your environment:

  1. Applications
  2. Software updates

WinPE Peer Cache only supports OSD scenarios that include a WinPE boot such as PXE boot or Boot Media.

WinPE Peer Cache is very new and is evolving very rapidly. To avoid possible issues with the model, Microsoft is adding features to create higher deployment success rates. Beginning with SCCM CB 1702, a peer cache source computer will reject a request for content when the peer cache source computer meets any of the following conditions:

  1. Is in low battery mode.
  2. CPU load exceeds 80% at the time the content is requested.
  3. Disk I/O has an AvgDiskQueueLength that exceeds 10.
  4. There are no more available connections to the computer.
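When a task sequence unexpectedly falls back to the Distribution Point, the first question is whether the peer cache source is currently over one of the thresholds above. The function below is an added example, not part of the post or of the SCCM client; it samples the CPU and disk counters and the battery on the local machine and reports which of conditions 1 to 3 it would trip. Condition 4 (exhausted connections) is tracked by the client itself and is not checked here, and the client’s definition of “low battery mode” is not documented in the post, so the 20% discharging threshold is an assumption.

```powershell
# Added example (not from the original post): report whether this machine
# currently meets any of the conditions under which a 1702+ peer cache source
# declines content requests. CPU and disk thresholds are the ones listed in the
# post; the "low battery" definition is an assumption; condition 4 is not checked.
function Test-PeerCacheSourceHealth {
    [CmdletBinding()]
    param(
        [int]    $CpuThresholdPercent = 80,
        [double] $DiskQueueThreshold  = 10,
        [int]    $LowBatteryPercent   = 20   # assumed definition of "low battery"
    )

    # Three samples one second apart; a single instantaneous reading is noisy.
    $samples = Get-Counter -Counter '\Processor(_Total)\% Processor Time',
                                    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' `
                           -SampleInterval 1 -MaxSamples 3
    $cpu  = ($samples.CounterSamples | Where-Object Path -like '*Processor Time*' |
             Measure-Object CookedValue -Average).Average
    $disk = ($samples.CounterSamples | Where-Object Path -like '*Disk Queue*' |
             Measure-Object CookedValue -Average).Average

    # Win32_Battery is absent on desktops; treat "no battery" as "not on battery".
    $battery = Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue |
               Select-Object -First 1
    $onLowBattery = $false
    if ($battery) {
        # BatteryStatus 1 = discharging; combine with the remaining charge.
        $onLowBattery = ($battery.BatteryStatus -eq 1) -and
                        ($battery.EstimatedChargeRemaining -le $LowBatteryPercent)
    }

    $reasons = @()
    if ($onLowBattery)                  { $reasons += "low battery ($($battery.EstimatedChargeRemaining)%)" }
    if ($cpu  -gt $CpuThresholdPercent) { $reasons += ('CPU load {0:N0}% > {1}%' -f $cpu, $CpuThresholdPercent) }
    if ($disk -gt $DiskQueueThreshold)  { $reasons += ('AvgDiskQueueLength {0:N1} > {1}' -f $disk, $DiskQueueThreshold) }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        CpuPercent       = [math]::Round($cpu, 1)
        AvgDiskQueue     = [math]::Round($disk, 2)
        OnLowBattery     = $onLowBattery
        WouldRejectPeers = ($reasons.Count -gt 0)
        Reasons          = ($reasons -join '; ')
    }
}

Test-PeerCacheSourceHealth
```

Run it on the machine named as the peer source in the failing client’s ContentTransferManager.log; a `WouldRejectPeers` of `True` with a reason explains the fallback without touching the boundary group configuration. Because `Test-PeerCacheSourceHealth` returns an object, it can be run against many sources through `Invoke-Command` and filtered on `WouldRejectPeers`.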

Microsoft Education Event – Surface Laptop and Windows Autopilot


At the Microsoft Education Event this past week, there were many announcements that we covered in the Universal Windows Podcast Episode 66. While most of the show was dedicated to the Education sector and Windows 10 S, there were two announcements that I was particularly intrigued by: the new Surface Laptop and Windows Autopilot.

When I try the Surface Laptop later this month I will check out the lapability but from the specs, there are definitely a couple of missing features that would fit my use cases. I’d really like to see a full USB-C port and built in LTE. From a USB-C perspective, I have run into issues with USB resources with my Surface Pro 3 and I think USB-C is the future. As the Surface Laptop is a premium device, for me to justify the price tag, I’d like to feel like the device has a long useful life ahead whether I keep it myself, hand it down to a family member or sell it. USB-C gives it a longer useful life in my opinion.

As far as LTE, I firmly believe the future is BYON (Bring Your Own Network). We won’t need to be hunting for free WiFi at Starbucks or airports and other locations with unknown risks, and tethering, while useful, can be inconvenient and drain your mobile’s battery. There are rumours that an LTE version might be out in the fall.

The most exciting reveal for me was Windows Autopilot. It appears to be a simple to use, Windows 10 mass deployment tool built for the classroom scenario. As I do a lot of work with SCCM, the de facto Enterprise class Operating System deployment tool, I am curious to see how this stacks up. I will do a side-by-side comparison once more details of Autopilot are available. Stay tuned.

When the Stars Align – Office365 and Windows Release Schedules


This week Microsoft announced that Windows 10, Office 365 and System Center Configuration Manager would align their release schedules. They are looking at a spring and fall release, most likely in March and September. This is great news for businesses that have been struggling to adapt to the new Windows-as-a-Service model and align it with Office-as-a-Service. There are definitely inter-dependencies between Windows and Office, as well as SCCM, the tool commonly used to deploy, update and manage both Windows and Office.

From an IT Management perspective, organizations have been trying to accelerate the engineering efforts previously put into Windows and Office deployments and operationalize the process but the various product release schedules with low predictability have made it difficult. This should help by providing regular milestones and predictability. Good Job Microsoft.

Here is a link to the release from Microsoft

Intune: Conditional Access for Exchange Online


One of the promises of Mobile Device Management (MDM) and Mobile Application Management (MAM) is the ability to separate the user’s personal data from corporate data. This capability enhances BYOD scenarios, as a selective wipe can be performed on a device removing only the corporate data and leaving the personal data intact when a user leaves the organization or a device is retired from corporate use.

In Intune this functionality works in conjunction with MAM. Managed mobile apps are “wrapped” so that any data that they use is stored in a secure container that can be remotely wiped by the management platform.

This month a new conditional access capability has been introduced into Windows Intune that helps achieve this segregation. Conditional access policies can now be enforced to prevent email client applications from connecting to Office 365’s Exchange Online service unless the application is a MAM managed application. This will prevent users from accessing corporate email with an unmanaged email app.

Windows Store for Business – Managing Paid Apps with Intune


This post will walk you through simple management of Windows Store for Business (WSfB) apps that require a paid license.

You will need the following prerequisites:

  1. Configure synchronization between WSfB and Microsoft Intune
  2. Configure a payment method for license fees

Once you have met the prerequisites you can follow along below.

Instructions

  1. Log in to the Windows Store for Business with your management account.
  2. Navigate to Shop

  3. Use the category browser or the search tool to find the application that you wish to purchase. For this walkthrough I have chosen EZDictionary

  4. Click the app that you wish to purchase
  5. On the App page select Buy Now

  6. From the Buy dialogue select the quantity of licenses you wish to purchase and then click Next

  7. Verify your purchase information including payment method, price, quantity and total and then click Next

  8. You will receive a transaction completion notice. Click Close.

  9. Navigate to Manage>Inventory and verify that the app is available. Be sure to check the number of available licenses.

  10. Log in to the Microsoft Intune Management Portal and navigate to Administration>Mobile Device Management>Windows>Store for Business and select Sync Now

  11. Once the Sync completes, navigate to Apps>Volume Purchased Apps and verify that the app is available to be managed. Notice that you get information about the number of licenses available and deployed.