Updating Office 365 Pro Plus with Microsoft Intune


Note: This post is a companion to a very similar post called Updating Office 365 Pro Plus with Configuration Manager.

By default, Microsoft Office 365 Pro Plus (licensed as part of Office 365) receives updates directly from the Office 365 service when the Click to Run installation method is used. This can be good for organizations that haven’t done a good job of updating their endpoints or that would like to remove Office updates from their regular update regimen and rely on Microsoft for this service. What about environments that manage endpoints with Microsoft Intune and would like to continue to manage Office updates that way?

There are two things that you need to address in order to deploy Office 365 client updates:

  1. Enable the product in the Intune Updates Service Settings
  2. Configure the Office 365 Client Management Policy

Enable the Product in the Intune Updates Service Settings

The first thing to understand is that when Microsoft releases updates to Office 365 Pro Plus, the same updates are released to Windows Update and WSUS. As such, the relevant updates will be available to be deployed by Intune. Follow these steps to enable them:

  1. In the Intune Console navigate to Admin>Updates
  2. Scroll through the product categories to All Categories>Microsoft>Office
  3. Check the box for Office 365 Client
  4. Select the Products tab and then select Office 365 Client
  5. Select the required Update Classifications
  6. Click Save.

Configure the Office 365 Client Management Policy

The next thing to do is configure clients to get updates from ConfigMgr. There are multiple ways to accomplish this. While it is possible to preconfigure this setting using the Office Deployment Tool, this may be cumbersome in scenarios where Office 365 Pro Plus is already deployed. Using Group Policy might be a better option, as it can address deployed clients regardless of how they were installed. You can easily set the policy; however, you must first download and install the Office 2016 Administrative Template files. You then need to enable the Office 365 Client Management policy.

  1. Launch GPMC.MSC with Administrative credentials
  2. Navigate to Computer Configuration>Policies>Administrative Templates>Microsoft Office 2016 (Machine)>Updates and double-click Office 365 Client Management

  3. Enable the Policy

  4. Click Apply.

Now you can use Microsoft Intune to update Office 365 clients.

Updating Office 365 Pro Plus with Configuration Manager


Note: This post is a companion to a very similar post called Updating Office 365 Pro Plus with Microsoft Intune.

By default, Microsoft Office 365 Pro Plus (licensed as part of Office 365) receives updates directly from the Office 365 service when the Click to Run installation method is used. This can be good for organizations that haven’t done a good job of updating their endpoints or that would like to remove Office updates from their regular update regimen and rely on Microsoft for this service. What about environments that manage endpoints with System Center Configuration Manager (ConfigMgr) and would like to continue to manage Office updates that way?

There are two things that you need to address in order to deploy Office 365 client updates:

  1. Enable the product in the Software Update Point (SUP)
  2. Configure the Office 365 Client Management Policy

Enable the Product in the SUP

The first thing to understand is that when Microsoft releases updates to Office 365 Pro Plus, the same updates are released to Windows Server Update Services (WSUS). Since ConfigMgr relies on the WSUS update database, the relevant updates will be available to be deployed by ConfigMgr. Follow these steps to enable them.

  1. In the ConfigMgr Console navigate to Administration>Overview>Site Configuration>Sites
  2. Right-click on your site and select Configure Site Components and then select Software Update Point
  3. Select the Products tab and then select Office 365 Client

  4. Click Apply.

Configure the Office 365 Client Management Policy

The next thing to do is configure clients to get updates from ConfigMgr. There are multiple ways to accomplish this. While it is possible to preconfigure this setting using the Office Deployment Tool, this may be cumbersome in scenarios where Office 365 Pro Plus is already deployed. Using Group Policy might be a better option, as it can address deployed clients regardless of how they were installed. You can easily set the policy; however, you must first download and install the Office 2016 Administrative Template files. You then need to enable the Office 365 Client Management policy.

  1. Launch GPMC.MSC with Administrative credentials
  2. Navigate to Computer Configuration>Policies>Administrative Templates>Microsoft Office 2016 (Machine)>Updates and double-click Office 365 Client Management

  3. Enable the Policy

  4. Click Apply.

Now you can use ConfigMgr to update Office 365 clients.
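One way to confirm on a client that the Office 365 Client Management policy from the Group Policy steps in both the Intune and the Configuration Manager posts above has actually applied (an added example, not part of the original posts). It assumes the policy is stored as the `OfficeMgmtCOM` value under the Office 2016 policy key and that Click-to-Run keeps its settings under `ClickToRun\Configuration`, as Microsoft documents; the function names are hypothetical.

```powershell
# Added example (not from the original posts): report whether this client has
# the Office 365 Client Management policy applied.
# Assumption: the registry locations are those Microsoft documents for the
# Office 2016 policy templates and for Click-to-Run; function names are
# hypothetical.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'
$C2RKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-OfficeUpdateManagementState {
    $installed  = Test-Path -Path $C2RKey
    $mgmtCom    = Get-RegValue -Path $PolicyKey -Name 'OfficeMgmtCOM'
    $updates    = Get-RegValue -Path $C2RKey -Name 'UpdatesEnabled'

    # The policy writes a DWORD of 1; Click-to-Run stores UpdatesEnabled as text.
    $policySet  = ($mgmtCom -eq 1)
    $autoUpdate = ("$updates" -eq 'True')

    if (-not $installed) {
        $finding = 'No Click-to-Run Office installation found'
    } elseif ($policySet) {
        $finding = 'Policy applied: updates are expected from the management tool'
    } elseif ($autoUpdate) {
        $finding = 'Policy not applied: client updates directly from the Office 365 service'
    } else {
        $finding = 'Policy not applied and automatic updates are off: check how this client is patched'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ClickToRunInstalled = $installed
        OfficeVersion       = Get-RegValue -Path $C2RKey -Name 'VersionToReport'
        ManagementPolicySet = $policySet
        AutoUpdateEnabled   = $autoUpdate
        Finding             = $finding
    }
}

Get-OfficeUpdateManagementState | Format-List
```

Run it on a client after Group Policy has refreshed; the last finding is the one to chase, because such a machine may be receiving Office updates from neither source.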

Why IT Pros should use the Windows Insider Program


The Windows Insider program is intended to let consumers and IT pros alike get access to pre-release builds of Microsoft Windows. Insiders can get builds at a different pace based on the ring they are subscribed to. Insiders can subscribe to the Fast Ring, the Slow Ring or the Release Review Ring. Obviously, the more rapid the build release cadence in your ring, the higher the likelihood of stability issues and bugs. There are currently millions of Windows Insiders and they are helping to uncover issues before the product is released to the general public. This has allowed Microsoft to increase the quality and the speed of Windows 10 releases. But what’s in it for you, the IT Pro?

I’ve been working in IT for over 25 years and there are definitely trends in some of the frustration that I’ve heard from IT pros. Lately some of the issues I’ve heard from SysAdmins include:

  1. I can’t support something that I’m not familiar with
  2. I never get to work on anything new
  3. End users are running things that we haven’t approved or tested



The Windows Insider program can help IT pros with all of these issues. Let’s deal with issues 1 and 2 first.

There’s no denying that the consumerization of IT has created an environment where you may have to support a device or operating system that an end user has purchased that you may never have used before. This is particularly true if you support BYOD environments or web-based services (such as eCommerce). If you run an online business and your potential customers are not able to use your service because it doesn’t work with their device, then no matter how much you protest that they are running a device or browser that you don’t support, you are likely going to lose that potential customer. Since we can’t control what devices they buy, perhaps we can at least incorporate testing of Insider builds of Windows 10 so that you can be proactive in supporting the builds that will be coming out in the near future. Remember that the features in the Insider builds will most likely find their way into an off-the-shelf device from BestBuy in the near future. Why not volunteer to use an Insider build as your primary device so that you can proactively identify potential incompatibilities in your IT infrastructure that might cause support issues? What manager doesn’t like to hear his staff is trying to be proactive? If you volunteer, do you realistically think you will ever hear “Nah, let’s just wait and see what breaks and then make up some excuse like we didn’t know that Microsoft was releasing that new feature. That will make our IT department look like the victim and Microsoft the bad guy for releasing it without telling us. And the end user is just the unwilling accomplice. But maybe they will be gun-shy next time they see that shiny new device at BestBuy.”

So as the new Windows Insider lead for your IT team, you get to be one of the first people in the world to try out new features – so you are working on something new. You also become familiar with the upcoming builds before the general public so you can identify potential support issues to your management and create a strategy for dealing with them.

Now let’s deal with issue number 3 – End users are running things we haven’t approved.

This can be difficult to tackle if you don’t work in a locked down environment that only allows corporately owned standardized devices to be used. If you do, then you probably don’t have this issue, and if you do, you have bigger issues around process, governance and compliance. The Windows Insider program can’t help you with those (Yet 🙂). So let’s talk about environments where users have the freedom to choose the devices and operating systems they would like to run. You can’t force them to choose devices that you approve. If they run into an issue with your service on their new device or a device that has just received a new build, no matter how much you try to blame them for making a poor choice, you still look bad as the IT Pro. What if, as part of your Insider build testing, you flag known issues that you can’t fix immediately and communicate them proactively to your end users? Consider a browser-based compatibility issue – perhaps test for builds and provide pop-up messages indicating that the version of their browser is known to be incompatible with a particular service. It’s much easier to have the discussion about support scope when you are already aware of an issue and have communicated it proactively. Perhaps create a list of devices and builds that you have tested and recommend that users choose from that list for the best experience. If you provide guidance proactively and they still choose to ignore it, then they risk a poor user experience and less predictable support. Ultimately it’s their choice, but most people will make better decisions when they have more information on which to base the decision. Until you proactively educate them as to why one device is preferred over another, they may be using decision criteria such as brand, price and form factor rather than supportability. Now your users can make informed decisions about devices and start reducing the number of unsupported/unapproved devices being used.

This is just a start. As part of the Surface Smiths Podcast I spent four days at Microsoft Ignite speaking with IT Pros who were Windows Insiders and they had many other compelling reasons to be part of the Windows Insider program. We’ll be covering them in upcoming Surface Smiths episodes.

What are you waiting for? Sign up to be a Windows Insider Now!

OMS and System Center Configuration Manager


On October 1st Microsoft announced new licensing options that make it very attractive for OMS managed servers to have a ConfigMgr license bundled with them. Is this the renaissance of server management with ConfigMgr?

As Microsoft has evolved the two-decade old System Center Configuration Manager (ConfigMgr) product to an “As a Service” model with multiple updates per year, there have been many feature additions and improvements, mostly driven by changes in services that ConfigMgr must integrate with, such as Microsoft Intune and Office 365 Exchange Online. For the most part the enhancements have been improving the device management capabilities of ConfigMgr and extending use case scenarios based on rapidly changing mobile device capabilities. I’ve been around this product for more than two decades and I’ve seen it change names and directions several times. In fact, my first deployment was of SMS 1.0 in 1994. In the late 1990s and early this millennium there was growing interest in using ConfigMgr (called SMS or SCCM back then) to manage servers. The problem was that client agent settings were set at the site level at that time. In order to have custom client agent settings for a group of systems, you would need to stand up another SMS or SCCM site. Consider that servers have different management requirements than desktops and laptops and you’ll understand why custom settings for servers were important. All of that changed in April of 2012 when System Center 2012 Configuration Manager shipped. This version of the product allowed custom client agent settings to be deployed to individual collections within a site. In fact, I blogged about this as being one of my favourite new features back in 2011 when I was evaluating a beta version of the product (we used to have betas back then). What a great way to have different configurations for different types of devices (kiosks, servers, desktops, laptops, DMZ, etc. all have different management requirements). Unfortunately, the mindshare of most datacenter managers hasn’t kept up with the capabilities of ConfigMgr. Other toolsets became more prevalent in server management and the uptake of virtualization shifted the toolset requirements as well. By the time that server administrators were able to consider using ConfigMgr for servers, the whole server paradigm had shifted from physical servers to clusters, to virtual and now cloud.

Enter System Center Configuration Manager 1606. There are many new features in this version that you can read about here, but one caught my eye in particular. It’s in prerelease, but you can now connect your ConfigMgr site to an OMS tenant, and OMS will have visibility into ConfigMgr data such as collections and can manage the collections in OMS.

So how do you try this out? You will need to do three things:

  1. Ensure that you have consented to use Pre-Release features.

  2. Enable the feature by right-clicking on it in the features pane and turning it on.

  3. Configure the OMS Connector.

The details of how to configure the connector are beyond the scope of this post but a detailed post on how to do it can be found here.

Ten Things to consider before Evaluating Microsoft Intune


Cloud services promise easy setup and no infrastructure to manage. Even your grandmother set up her own Gmail account and iTunes subscription. How hard can it be to set up an Intune subscription?

You could just go off and sign up for the free 30-day trial, accept the defaults and try it out. What you miss out on with this approach is the total experience of an integrated solution, and you may find some things more difficult than they need to be. Here’s my list of ten things to plan for before deploying Microsoft Intune. This list is not a recipe card, nor is it a complete deployment guide. There are many of those already available. This list helps you get your head around some of the items that you might otherwise be unprepared for.


  1. Do you already have Office 365 deployed or at least a demo tenant? Office 365 has some light mobile device management features that might be sufficient for some organizations. If not sufficient, the identity service required for Office 365 can be used for Intune. In fact, I suggest that for most organizations, they shouldn’t be thinking about Intune until they have deployed Office 365.
  2. How are you going to manage identity? You will need to use Azure Active Directory. Are you going to use a new AD instance or are you going to connect it to your corporate AD? It’s easiest if you already have Microsoft Azure AD Connect in place to synchronize your on-premises AD with Azure for other services such as Office 365. What about your domain name? Are you going to use the default DomainName.onmicrosoft.com domain or your own domain name? If you are going to use your own domain name you will need to update DNS records. Are you willing and able to do that? Again, this is usually already taken care of if you have Office 365 in place.
  3. What policies are you going to be creating and applying to devices? Think about what you want to test from a use case scenario perspective. Don’t just turn every policy on or off.
  4. What devices are you going to be managing? Are they going to be corporate owned or personal (BYOD) or both? Do you have test devices available? It is not recommended to test on production devices because you might impact availability with poorly designed policy. If you are managing Windows Phones or iOS devices you will need certificates and a way to manage them (not required for Android devices).
  5. Are you going to be integrating Intune with System Center Configuration Manager (ConfigMgr)? If you do, understand that ConfigMgr will be controlling Intune. Decoupling Intune from ConfigMgr is non-trivial and has implications that you need to plan for if you are not going to roll the evaluation tenant into your production environment. If you are using System Center Configuration Manager LTSB you cannot connect to Intune.
  6. Are you going to be connecting Intune to Exchange or Exchange Online? This will allow you to manage Exchange mailbox policies from Intune. Do you have the necessary information, accounts, and permissions?
  7. What enrollment methods do you want to test? Which ones make the most sense for your organization? There are many options that may or may not suit your needs.
  8. Are you going to publish any applications to mobile devices? If so, what applications and what installation methods? It is easiest to test with applications in the devices’ respective app stores. Do you have the required external links to the apps in the app stores?
  9. Are you going to customize the Company Portal or just use the defaults? I recommend customizing the Company Portal. This can provide useful information to device users as well as providing a level of comfort about the new technology. While the customizations are limited at this time, one of the more useful (and recommended) changes you can make is providing a custom EULA if you like.
  10. What are your evaluation criteria? How do you know that the evaluation has completed successfully (or unsuccessfully)?

Remember that Microsoft Intune is receiving updates every month. Be sure to check out the What’s New page to see what’s been added.

System Center Configuration Manager Long Term Servicing Branch (LTSB)


Today Microsoft announced that System Center Configuration Manager will be available in a Long Term Servicing Branch (LTSB) version with support extending for 10 years.

Background

Over the last year, Microsoft has been working hard at transforming System Center Configuration Manager (ConfigMgr) into a product that gets regular updates to keep pace with all of the updates in the products with which it must interact and integrate (e.g. Windows 10, Intune, iOS, Android, Windows Mobile, Exchange/Exchange Online, etc.) in order to bring the most value to administrators of PCs, Macs and mobile devices.

ConfigMgr has transformed into an “As A Service” product from an operations and management perspective (although not from a purchasing and licensing perspective). That is to say that there are multiple product releases/updates each year. Each successive update is an easy in-console update with minimal impact and downtime.

ConfigMgr is using a system similar to the Windows 10 Servicing Branch model to identify

The new releases have been identified by a year and month designation in the form of YYMM. For example, the November 2015 release is known as version 1511, March 2016 is 1603 and June 2016 is 1606. The LTSB version of ConfigMgr is based on release 1606. Together these releases and future releases in the chain are referred to as Current Branch (CB).

What’s Missing?

Since this is essentially a static product that will not receive any feature enhancements, anything that has an external dependency on a product or service that is on a constant upgrade cycle would be difficult to support long term. As such some functionality and support has intentionally been removed, including:

  1. Support for the future releases of Windows 10 LTSB and Windows Server
  2. Support for Windows 10 CB/CBB
  3. The ability to add a Microsoft Intune Subscription, which prevents the use of:
    1. Hybrid MDM
    2. On-premise MDM
  4. Windows 10 Servicing Dashboard and Servicing Plans
  5. Asset Intelligence
  6. Cloud-based Distribution Point
  7. Support for Exchange Online as an Exchange Connector

Who is this for?

Organizations that use the LTSB would be able to use ConfigMgr until 2026 with security updates. While Windows 10 Enterprise LTSB up to 1607 and Windows Server from 2008 SP2 up to 2016 will be supported, other versions of Windows 10 (CB, CBB, etc.) and newer versions of Windows Server will not be supported. This version of Configuration Manager is not intended for most organizations. It is intended for organizations that do not have a current Software Assurance (SA) agreement in place with Microsoft for ConfigMgr. Without SA rights, these organizations would not be entitled to use the current branch of ConfigMgr.

Windows Intune Mobile Device Management Authority


I’ve known for quite some time that once you set System Center Configuration Manager (ConfigMgr) as the management authority for Mobile Device Management (MDM) that you would have to call Microsoft Support if you wanted to revert to MS Intune as the Management Authority. You need to retire all of your managed devices, remove certificates, policies, applications etc. It can take up to five days to reset the tenant back to the defaults.

You will lose all of your customizations and will need to re-enroll all of your devices. There is no way to save and reapply the customizations at this time.

But what about the reverse? You’ve started using Intune for MDM and now, for whatever reason, want to add the subscription to your ConfigMgr site and make it the MDM management authority. Since I work primarily with on-premises ConfigMgr environments or hybrid implementations, I’ve never tested connecting ConfigMgr to a subscription that had Intune as the MDM management authority. The documentation says it shouldn’t work, but what will you see in the ConfigMgr console?

First of all, this is not made very clear when you run the Create Microsoft Intune Subscription Wizard. When running the wizard you will be prompted to sign in to your Intune subscription. Even though the Next button is available, you won’t be able to do anything until you sign in.

Clicking Sign In will display the Set the Mobile Device Management Authority dialogue. In my opinion this is where a better explanation is required, especially since this isn’t something you would normally do more than once. You won’t have past experience to rely on.

Once you check the I understand box you will be prompted to sign in to your Intune subscription with administrative credentials. If your subscription already has a management authority you will get a generic error that doesn’t tell you what went wrong.

If the subscription does not have an MDM management authority set (a new unconfigured subscription or a reset tenant) then you will be returned to the previous screen with the Sign In button greyed out and the ability to continue through the wizard.


WARNING: Cancelling the wizard at this point is possible but all you will accomplish is not having a configured Intune connector in ConfigMgr. You will have already changed the Management Authority in Intune.