The Windows Insider program is intended to let consumers and IT pros alike get access to pre-release builds of Microsoft Windows. Insiders can get builds at a different pace based on the ring they are subscribed to. Insiders can subscribe to the Fast Ring, the Slow Ring or the Release Review Ring. Obviously, the more rapid the build release cadence in your ring, the higher the likelihood of stability issues and bugs. There are currently millions of Windows Insiders and they are helping to uncover issues before the product is released to the general public. This has allowed Microsoft to increase the quality and the speed of Windows 10 releases. But what’s in it for you, the IT Pro?
I’ve been working in IT for over 25 years and there are definitely trends in some of the frustration that I’ve heard from IT pros. Lately some of the issues I’ve heard from SysAdmins include:
- I can’t support something that I’m not familiar with
- I never get to work on anything new
- End users are running things that we haven’t approved or tested
The Windows Insider program can help IT pros with all of these issues. Let’s deal with issues 1 and 2 first.
There’s no denying that the consumerization of IT has created an environment where you may have to support a device or operating system that an end user has purchased and that you may never have used before. This is particularly true if you support BYOD environments or web-based services (such as eCommerce). If you run an online business and your potential customers are not able to use your service because it doesn’t work with their device, then no matter how much you protest that they are running a device or browser that you don’t support, you are likely going to lose that potential customer. Since we can’t control what devices they buy, perhaps we can at least incorporate testing of Insider builds of Windows 10 so that you can be proactive in supporting the builds that will be coming out in the near future. Remember that the features in the Insider builds will most likely find their way into an off-the-shelf device from BestBuy in the near future. Why not volunteer to use an Insider build as your primary device so that you can proactively identify potential incompatibilities in your IT infrastructure that might cause support issues? What manager doesn’t like to hear his staff is trying to be proactive? If you volunteer, do you realistically think you will ever hear “Nah, let’s just wait and see what breaks and then make up some excuse like we didn’t know that Microsoft was releasing that new feature. That will make our IT department look like the victim and Microsoft the bad guy for releasing it without telling us. And the end user is just the unwilling accomplice. But maybe they will be gun-shy next time they see that shiny new device at BestBuy.”?
So as the new Windows Insider lead for your IT team, you get to be one of the first people in the world to try out new features – so you are working on something new. You also become familiar with the upcoming builds before the general public so you can identify potential support issues to your management and create a strategy for dealing with them.
Now let’s deal with issue number 3 – End users are running things we haven’t approved.
This can be difficult to tackle if you don’t work in a locked-down environment that only allows corporately owned standardized devices to be used. If you do work in one, then you probably don’t have this issue, and if you do have it, you have bigger issues around process, governance and compliance. The Windows Insider program can’t help you with those (yet :)). So let’s talk about environments where users have the freedom to choose the devices and operating systems they would like to run. You can’t force them to choose devices that you approve. If they run into an issue with your service on their new device, or on a device that has just received a new build, no matter how much you try to blame them for making a poor choice, you still look bad as the IT Pro. What if, as part of your Insider build testing, you flag known issues that you can’t fix immediately and communicate them proactively to your end users? Consider a browser-based compatibility issue – perhaps test for builds and provide pop-up messages indicating that the version of their browser is known to be incompatible with a particular service. It’s much easier to have the discussion about support scope when you are already aware of an issue and have communicated it proactively. Perhaps create a list of devices and builds that you have tested and recommend that users choose from that list for the best experience. If you provide guidance proactively and they still choose to ignore it, then they risk a poor user experience and less predictable support. Ultimately it’s their choice, but most people will make better decisions when they have more information on which to base the decision. Until you proactively educate them as to why one device is preferred over another, they may be using decision criteria such as brand, price and form factor rather than supportability. Now your users can make informed decisions about devices and start reducing the number of unsupported/unapproved devices being used.
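One way to implement the proactive browser notice suggested above, as an added example that is not code from the original post. The service names, build ranges and notes in `KNOWN_ISSUES` and the sample user agents are constructed, and the parser assumes the legacy Edge user-agent token `Edge/<engine version>.<Windows build>`. The user agent is supplied by the client, so treat the result as advisory only.

```javascript
// Added example: advisory notice for browser builds flagged during Insider testing.
// KNOWN_ISSUES is constructed sample data; replace it with your own test results.
const KNOWN_ISSUES = [
  { service: "expense-portal", minBuild: 14901, maxBuild: 14955,
    note: "File upload is known to fail on this pre-release build." },
  { service: "timesheets", minBuild: 14901, maxBuild: 14999,
    note: "The date picker does not render on this pre-release build." },
];

// Legacy Edge (EdgeHTML) reports "Edge/<engine major>.<Windows build>".
// Returns null for any browser that does not send that token.
function parseEdgeHtmlBuild(userAgent) {
  const m = /\bEdge\/(\d+)\.(\d+)\b/.exec(String(userAgent || ""));
  if (!m) return null;
  return { engineVersion: Number(m[1]), build: Number(m[2]) };
}

// All known issues for this service that cover the client's build.
function findKnownIssues(userAgent, service, issues = KNOWN_ISSUES) {
  const client = parseEdgeHtmlBuild(userAgent);
  if (!client) return [];
  return issues.filter((issue) =>
    issue.service === service &&
    client.build >= issue.minBuild &&
    client.build <= issue.maxBuild);
}

// Text for the pop-up or banner, or null when nothing is known about the build.
function buildNotice(userAgent, service, issues = KNOWN_ISSUES) {
  const hits = findKnownIssues(userAgent, service, issues);
  if (hits.length === 0) return null;
  const notes = hits.map((h) => h.note).join(" ");
  return "Known issue with your browser build: " + notes +
    " See the list of tested devices and builds for the best experience.";
}

// Constructed sample user agents (release build, pre-release build, other browser).
const SAMPLE_RELEASE_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393";
const SAMPLE_INSIDER_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36 Edge/15.14942";
const SAMPLE_OTHER_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36";

// In a page, show the notice as a banner. Skipped when there is no DOM.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  const notice = buildNotice(navigator.userAgent, "expense-portal");
  if (notice) {
    const banner = document.createElement("div");
    banner.setAttribute("role", "status");
    banner.textContent = notice; // textContent, so notes are never parsed as HTML
    document.body.prepend(banner);
  }
}
```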
This is just a start. As part of the Surface Smiths Podcast I spent four days at Microsoft Ignite speaking with IT Pros who were Windows Insiders and they had many other compelling reasons to be part of the Windows Insider program. We’ll be covering them in upcoming Surface Smiths episodes.
What are you waiting for? Sign up to be a Windows Insider Now!
On October 1st Microsoft announced new licensing options that make it very attractive for OMS managed servers to have a ConfigMgr license bundled with them. Is this the renaissance of server management with ConfigMgr?
As Microsoft has evolved the two-decade-old System Center Configuration Manager (ConfigMgr) product to an “As a Service” model with multiple updates per year, there have been many feature additions and improvements, mostly driven by changes in services that ConfigMgr must integrate with, such as Microsoft Intune and Office 365 Exchange Online. For the most part the enhancements have been improving the device management capabilities of ConfigMgr and extending use case scenarios based on rapidly changing mobile device capabilities. I’ve been around this product for more than two decades and I’ve seen it change names and directions several times. In fact, my first deployment was of SMS 1.0 in 1994. In the late 1990s and early this millennium there was growing interest in using ConfigMgr (called SMS or SCCM back then) to manage servers. The problem was that client agent settings were set at the site level at that time. In order to have custom client agent settings for a group of systems, you would need to stand up another SMS or SCCM site. Consider that servers have different management requirements than desktops and laptops and you’ll understand why custom settings for servers were important. All of that changed in April of 2012 when System Center 2012 Configuration Manager shipped. This version of the product allowed custom client agent settings to be deployed to individual collections within a site. In fact, I blogged about this as being one of my favourite new features back in 2011 when I was evaluating a beta version of the product (we used to have betas back then). What a great way to have different configurations for different types of devices (kiosks, servers, desktops, laptops, DMZ, etc. all have different management requirements). Unfortunately, the mindshare of most datacenter managers hasn’t kept up with the capabilities of ConfigMgr.
Other toolsets became more prevalent in server management and the uptake of virtualization shifted the toolset requirements as well. By the time that server administrators were able to consider using ConfigMgr for servers, the whole server paradigm had shifted from physical servers to clusters, to virtual and now to cloud.
Enter System Center Configuration Manager 1606. There are many new features in this version that you can read about here, but one caught my eye in particular. It’s in prerelease, but you can now connect your ConfigMgr site to an OMS tenant, and OMS will have visibility into ConfigMgr data such as collections and can manage the collections in OMS.
So how do you try this out? You will need to do three things:
- Ensure that you have consented to use Pre-Release features.
- Enable the feature by right-clicking on it in the features pane and turning it on.
- Configure the OMS Connector.
The details of how to configure the connector are beyond the scope of this post but a detailed post on how to do it can be found here.
Cloud services promise easy setup and no infrastructure to manage. Even your grandmother set up her own Gmail account and iTunes subscription. How hard can it be to set up an Intune Subscription?
You could just go off and sign up for the free 30-day trial, accept the defaults and try it out. What you miss out on with this approach is the total experience of an integrated solution, and you may find some things more difficult than they need to be. Here’s my list of ten things to plan for before deploying Microsoft Intune. This list is not a recipe card, nor is it a complete deployment guide. There are many of those already available. This list helps you get your head around some of the items that you might otherwise be unprepared for.
- Do you already have Office 365 deployed or at least a demo tenant? Office 365 has some light mobile device management features that might be sufficient for some organizations. If not sufficient, the identity service required for Office 365 can be used for Intune. In fact, I suggest that for most organizations, they shouldn’t be thinking about Intune until they have deployed Office 365.
- How are you going to manage identity? You will need to use Azure Active Directory. Are you going to use a new AD instance or are you going to connect it to your corporate AD? It’s easiest if you already have Microsoft Azure AD Connect in place to synchronize your on-premises AD with Azure for other services such as Office 365. What about your domain name? Are you going to use the default DomainName.onmicrosoft.com domain or your own domain name? If you are going to use your own domain name you will need to update DNS records. Are you willing and able to do that? Again, this is usually already taken care of if you have Office 365 in place.
- What policies are you going to be creating and applying to devices? Think about what you want to test from a use case scenario perspective. Don’t just turn every policy on or off.
- What devices are you going to be managing? Are they going to be corporate owned or personal (BYOD) or both? Do you have test devices available? It is not recommended to test on production devices because you might impact availability with poorly designed policy. If you are managing Windows Phones or iOS devices you will need certificates and a way to manage them (not required for Android devices).
- Are you going to be integrating Intune with System Center Configuration Manager (ConfigMgr)? If you do, understand that ConfigMgr will be controlling Intune. Decoupling Intune from ConfigMgr is non-trivial and has implications that you need to plan for if you are not going to roll the evaluation tenant into your production environment. If you are using System Center Configuration Manager LTSB you cannot connect to Intune.
- Are you going to be connecting Intune to Exchange or Exchange Online? This will allow you to manage Exchange mailbox policies from Intune. Do you have the necessary information, accounts, and permissions?
- What enrollment methods do you want to test? Which ones make the most sense for your organization? There are many options that may or may not suit your needs.
- Are you going to publish any applications to mobile devices? If so, what applications and what installation methods? It is easiest to test with applications in the devices’ respective App Stores. Do you have the required external links to the apps in the app stores?
- Are you going to customize the Company Portal or just use the defaults? I recommend customizing the Company Portal. This can provide useful information to device users as well as providing a level of comfort about the new technology. While the customizations are limited at this time, one of the more useful (and recommended) changes you can make is providing a custom EULA if you like.
- What are your evaluation criteria? How do you know that the evaluation has completed successfully (or unsuccessfully)?
Remember that Microsoft Intune is receiving updates every month. Be sure to check out the What’s New page to see what’s been added.
Today Microsoft announced that System Center Configuration Manager will be available in a Long Term Servicing Branch (LTSB) version with support extending for 10 years.
Over the last year, Microsoft has been working hard at transforming System Center Configuration Manager (ConfigMgr) into a product that gets regular updates to keep pace with all of the updates in the products with which it must interact and integrate (e.g. Windows 10, Intune, iOS, Android, Windows Mobile, Exchange/Exchange Online, etc.) in order to bring the most value to administrators of PCs, Macs and mobile devices.
ConfigMgr has transformed into an “As A Service” product from an operations and management perspective (although not from a purchasing and licensing perspective). That is to say that there are multiple product releases/updates each year. Each successive update is an easy in-console update with minimal impact and downtime.
ConfigMgr is using a system similar to the Windows 10 Servicing Branch model to identify
The new releases have been identified by a year and month designation in the form of YYMM. For example, the November 2015 release is known as version 1511, March 2016 is 1603 and June 2016 is 1606. The LTSB version of ConfigMgr is based on release 1606. Together these releases and future releases in the chain are referred to as Current Branch (CB).
Since this is essentially a static product that will not receive any feature enhancements, anything that has an external dependency on a product or service that is on a constant upgrade cycle would be difficult to support long term. As such some functionality and support has intentionally been removed, including:
- Support for the future releases of Windows 10 LTSB and Windows Server
- Support for Windows 10 CB/CBB
- The ability to add a Microsoft Intune Subscription, which prevents the use of:
  - Hybrid MDM
  - On-premise MDM
- Windows 10 Servicing Dashboard and Servicing Plans
- Asset Intelligence
- Cloud-based Distribution Point
- Support for Exchange Online as an Exchange Connector
Who is this for?
Organizations that use the LTSB would be able to use ConfigMgr until 2026 with security updates. While Windows 10 Enterprise LTSB up to 1607 and Windows Server from 2008 SP2 up to 2016 will be supported, other versions of Windows 10 (CB, CBB, etc.) and newer versions of Windows Server will not be supported. This version of Configuration Manager is not intended for most organizations. It is intended for organizations that do not have a current Software Assurance (SA) agreement in place with Microsoft for ConfigMgr. Without SA rights, these organizations would not be entitled to use the current branch of ConfigMgr.
I’ve known for quite some time that once you set System Center Configuration Manager (ConfigMgr) as the management authority for Mobile Device Management (MDM) that you would have to call Microsoft Support if you wanted to revert to MS Intune as the Management Authority. You need to retire all of your managed devices, remove certificates, policies, applications etc. It can take up to five days to reset the tenant back to the defaults.
You will lose all of your customizations and will need to re-enroll all of your devices. There is no way to save and reapply the customizations at this time.
But what about the reverse? You’ve started using Intune for MDM and now, for whatever reason, want to add the subscription to your ConfigMgr site and make it the MDM management authority. Since I work primarily with on-premises ConfigMgr environments or hybrid implementations, I’ve never tested connecting ConfigMgr to a subscription that had Intune as the MDM management authority. The documentation says it shouldn’t work, but what will you see in the ConfigMgr console?
First of all, this is not made very clear when you run the Create Microsoft Intune Subscription Wizard. When running the wizard you will be prompted to sign in to your Intune subscription. Even though the Next button is available you won’t be able to do anything until you sign in.
Clicking Sign In will display the Set the Mobile Device Management Authority dialogue. In my opinion this is where a better explanation is required, especially since this isn’t something you would normally do more than once. You won’t have past experience to rely on.
Once you check the I understand box you will be prompted to sign in to your Intune subscription with administrative credentials. If your subscription already has a management authority you will get the generic error below that doesn’t tell you what went wrong.
If the subscription does not have an MDM management authority set (new unconfigured subscription or reset tenant), then you will be returned to the previous screen with the Sign In button greyed out and the ability to continue through the wizard.
WARNING: Cancelling the wizard at this point is possible but all you will accomplish is not having a configured Intune connector in ConfigMgr. You will have already changed the Management Authority in Intune.
There are lots of good blog posts from the Intune Team and many others, such as Peter Daalmans’ ConfigMgrBlog.com and Peter van der Woude’s More than just ConfigMgr. They cover many in-depth topics and use case scenarios.
Today, at the prompting of one of my friends and colleagues, Sean “Energized Tech” Kearney, I’m going to do the exact opposite. Instead of a deep dive or instructions for a specific feature, I’m going to help you with the most basic of all recipe cards. If you’ve never tried Intune, the first and most basic thing you will need to do before trying out any features is setting up a trial subscription.
Note: No credit card is required to set up a trial subscription.
- Go to the Microsoft Intune Product page. There is lots of good information here so go grab a coffee and educate yourself a bit. Don’t worry, I’ll wait. All done? Good. Let’s continue.
- From the Microsoft Intune Product page, click Try Now.
- Complete the Step 1 – About you screen and then click Next.
- Complete step 2 by creating an ID and
- To prove you are not a bot, select the radio button for either Text me or Call Me. Enter your phone number and then click the appropriate link at the bottom to continue.
- When you receive the verification code, enter it, select your communication preferences for Microsoft Online services, and then click Create my account.
- The account creation process will start. You will see a screen like the following:
- When the account creation process is complete, click You’re ready to go.
- You will be taken to the Get Started with Microsoft Intune page. Click Start.
- If you used an Office 365 account, you will be redirected to the Office 365 admin console.
- The actual portal may be different depending on which type of account you used to set up the subscription. Select the users you want to assign Intune licenses to. You can check the account status to verify that a license has been assigned.
- You can select different Admin Centers to manage different parts of your infrastructure. Select the Intune Admin Center and log in using the ID you created in step 2.
- You will be taken to the Microsoft Intune Management portal.
There are many things you can do from here but I will leave you with one warning. If you select Start Managing Mobile Devices the first thing you will be prompted to configure is the Mobile Device Management authority.
- Make sure you are able to make an informed decision before making a selection. The selection you make here cannot be undone without a call to Microsoft to reset the subscription. This can take up to five days and you will lose any device enrollments and customizations you have made. You have been warned. A good place to start informing yourself is the Prerequisites for mobile device management in Intune.
When I was writing my post about Operations Management Suite (OMS) and System Center Configuration Manager (ConfigMgr) I realized that one of the many advantages of System Center Configuration Manager Current Branch is the availability of pre-release functionality for testing without having to set up an entire test and dev environment. If you are careful with what you test and your test methodology, this can be a big time saver with minimal impact on your production environment.
At the time of this writing there are three Pre-Release features available:
- Conditional Access for managed PCs – To help secure Office 365 access and other services on PCs enrolled with Configuration Manager, use conditional access. Conditions that can be used to control access include workplace join, BitLocker, antimalware and software updates.
- Server Groups – Control settings for software updates in server groups, including the order and percentage of devices that can be updated at any one time, including cluster-aware updating.
- Microsoft Operations Management Suite (OMS) Connector – Sync data such as collections from ConfigMgr to OMS
In order to enable pre-release features you need to do the following:
- Navigate to the Hierarchy Settings.
- Consent to use Pre-Release features.
- Navigate to the features and right-click on the ones that you want to enable.
Microsoft Intune users can access the Company Portal from a web browser or from a mobile app. Regardless of how they access the portal, it is worth your while to customize it to provide the best possible user experience.
Depending on whether you are using System Center Configuration Manager (ConfigMgr) or Microsoft Intune as your Mobile Device Management Authority you will have a different interface for customizing your company portal based on each product’s respective console. Regardless of which authority you use you have essentially the same customization options. In this post I will describe the customization options so that you can be prepared with the correct information before you begin the customization process.
I’ll even provide you with a nice little table that you can use as a worksheet.

| FIELD NAME | MAX LENGTH / SIZE | YOUR DATA |
|---|---|---|
| Company name | 40 char | |
| IT department contact name | 40 char | |
| IT department phone number | 20 char | |
| IT department email address | 40 char | |
| Additional information | 120 char | |
| Company privacy statement URL | 79 char | |
| Support website URL | 150 char | |
| Support website name | 40 char | |
| Company logo | 400 x 100, 750KB | |

You can also customize the theme color and choose a background for the company portal mobile app.
Source: Microsoft Intune Get Started
One of the big improvements in manageability of System Center Configuration Manager (ConfigMgr) has been the introduction of in-console updates.
In the not too distant past, updates were done either as Cumulative Updates or as individual hotfixes when required. You would have to do your research to find out when these were available and, in the case of hotfixes, whether they applied to your situation.
With the transition of ConfigMgr to a rapid update cycle and the “As a Service” model, Microsoft has introduced in-console updates. Now you can check from within the ConfigMgr console if there are updates available (including new current branch versions) and install them directly from the console. This should be done in a two-step process:
- Check the prerequisites
- Install the update pack
- Navigate to Administration>Cloud Services>Updates and Servicing to see available updates
- Right-click on an available update and then select Run prerequisite Check
- Wait for the check to complete and then click Show Status
- Verify that the Prerequisite check passed
- Return to the in-console updates, right-click the update again and this time select Install Update Pack
While poking around the Intune console you may notice that you can integrate the popular TeamViewer remote support tool into Intune.
Note: TeamViewer provides a replacement for the default Windows Remote Assistance functionality already in Intune. You must purchase the TeamViewer licenses separately.
With the TeamViewer integration, administrators can initiate a remote assistance request or respond to requests from end users.
- In the Microsoft Intune administration console, choose Admin.
- In the Admin workspace, choose TeamViewer.
- On the TeamViewer page, under TeamViewer Connector, choose Enable.
- In the Enable TeamViewer dialog box, view, then Accept the license terms. If you don’t already own a TeamViewer license, choose Purchase a TeamViewer license.
- After the TeamViewer browser window opens, sign into the site with your TeamViewer credentials.
- On the TeamViewer site, read, then accept the options to allow Intune to connect with TeamViewer.
- In the Intune console, verify that the TeamViewer Connector item shows as Enabled.