Enable device upload when already using co-management

This week is all about the recently introduced functionality of Microsoft Endpoint Manager tenant attach. More specifically, the device sync and the device action functionalities that become available via the Microsoft Endpoint Manager admin center for Configuration Manager managed devices. This is the first big step into creating an integrated solution for managing all devices. This brings Configuration Manager and Microsoft Intune together into a single console. In this post I’ll start with an introduction to the different cloud integration options, followed by the step for enabling the device upload. I’ll end this post by having a look at what this integration brings from an administrator perspective.

Introduction to cloud integration

Let’s start with a quick introduction to all the different cloud integration terminologies that are currently used in combination with Configuration Manager. The main reason for that is that I often hear a lot of confusion about the terminologies in regards to what it is and what it is used for and a new term – tenant attach – will not make that a lot easier.

  • Co-management – Co-management (sometimes even referred to as client attach) is about enrolling Configuration Manager managed devices into Microsoft Intune for additional cloud value. In other words, managing Windows 10 devices by using both Configuration Manager and Microsoft Intune. That enables the administrator to configure specific workloads for Configuration Manager or Microsoft Intune, to enable a smooth transition to the cloud. These products balance the workloads to make sure that there are no conflicts. For a complete overview of the benefits and these workloads, please refer to this doc about what co-management is.
  • Coexistence – Coexistence is about enrolling Configuration Manager managed devices into a third-party MDM solution. In other words, managing Windows 10 devices by using both Configuration Manager and a third-party MDM. That creates two management authorities on a device that don’t integrate with each other, which might create conflicts. To prevent these conflicts the Configuration Manager client detects when a third-party MDM service is also managing the device. When detected, it automatically deactivates certain workloads in Configuration Manager. For a complete list of these workloads, please refer to this doc about third-party MDM coexistence with Configuration Manager.
  • Tenant attach – Tenant attach (the new kid) is about attaching a Configuration Manager environment to the Microsoft Intune tenant for instant cloud value. That will bring all devices to single console and that console is Microsoft Endpoint Manager admin center. Bringing all the devices to that single console will enable the administrator (at first mainly focussed on the helpdesk) to perform basic actions on all devices, either managed by Configuration Manager or managed by Microsoft Intune.
  • Cloud hosted – Cloud hosted is about hosting Configuration Manager components in Microsoft Azure. That will bring the reliability and flexibility of Microsoft Azure to Configuration Manager for managing for example Internet clients by using a Cloud Management Gateway (CMG).
  • Cloud attach – Cloud attach is about attaching different cloud components to a Configuration Manager environment. That is a more generic term that is often used when attaching any cloud functionality to a Configuration Manager environment. That can be about co-management (client attach), tenant attach, and cloud hosted. Basically any cloud service that is attached to the on-premises environment for providing more and better functionalities for managing devices by using cloud functionality.
  • Hybrid MDM – Previously there was even hybrid MDM (or Microsoft Intune hybrid) that would integrate Microsoft Intune with Configuration Manager to provide cloud MDM-capabilities to Configuration Manager. That would enable customers to use Configuration Manager as a single pane of glass for managing all devices within the environment. That feature is retired as of September 1, 2019.

Note: For a nice overview see also this session about Supercharging PC and mobile device management: Attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud (starting at about 6:38) of Microsoft Ignite 2019.

Enable device upload

After processing the terminology for all the different cloud (and management) integration options for a Configuration Manager environment, it’s time to look at the new tenant attach functionality. When assuming that co-management is already being used within the environment, the following five steps will walk through also configuring the device upload functionality.

  1. Open the Microsoft Endpoint Configuration Manager administration console and navigate to Administration > Overview > Cloud Services Co-management
  2. Select the CoMgmtSettingsProd policy and click Properties in the Home tab to open the Properties dialog box
  3. In the Properties dialog box, navigate to the Configure upload tab, perform the following configuration and click OK
  • Select Upload to Microsoft Endpoint Manager admin center to enable this site to upload devices to Microsoft Endpoint Manager admin center
  • Select All my devices managed by Microsoft Endpoint Configuration Manager (recommended) to enable this site to upload all devices to Microsoft Endpoint Manager admin center, or select A collection I select to enable this site to only upload specific devices to Microsoft Endpoint Manager admin center
  1. In the authentication prompt, provide credentials of a global administrator
  2. In the Create AAD Application dialog box, click Yes to register an application in AAD

Administrator experience

The most interesting part of this post – in my opinion – is the administrator experience. New objects that are created and the relation between the different new objects and activities that an administrator can see. Below is an overview of a those objects and activities from a Configuration Manager perspective. Figure 2 and Figure 3 provide an overview of the new objects in the Configuration Manager administration console. The Cloud Attach Azure service and the application registration with the Azure Active Directory Tenants. Both of these objects are created when enabling device upload. The latter is a reference to the created app registration in Azure Active Directory.

Figure 4 and Figure 5 provide an overview of the objects that are being synchronized to Microsoft Endpoint Manager admin center. As I’ve selected that all device are synchronized, those figures show that my All Systems collections (9 members) relates to the number (6) found in CMGatewaySyncUploadWorker.log. That’s 9 objects minus the default objects of the unknown computer objects (2) and the provisioning device object.

Figure 6 provides an overview of the devices that are synchronized in the Microsoft Endpoint Manager admin center. In green it shows the ConfigMgr only devices (4) and in red it shows the co-managed devices (2). That brings the total the the 6 device objects that were synchronized.

Figure 7 and Figure 8 provide an overview of the device actions that become available for the synchronized devices. It shows the different locations of these actions for co-managed devices as well as for ConfigMgr only devices. At this moment the device actions of Sync machine policy, Sync user policy and App evaluation cycle are available.

Note: The user performing the actions via the Microsoft Endpoint Manager admin console need to have the appropriate permissions within Configuration Manager.

More information

For more information about enabling device upload in Configuration Manager, please refer to the documentation about Microsoft Endpoint Manager tenant attach: Device sync and device actions.

Windows 10 enrollment methods

This week is all about Windows 10 enrollment methods. The different methods to enroll Windows 10 devices into Microsoft Intune. There are many different methods to enroll Windows 10 devices, which makes it easy to get lost. In this post I’ll provide an overview of these different enrollment methods, including the use case of the enrollment method and how to perform the enrollment. This post is definitely not a complete guide through the different enrollment methods. Its main purpose is to create awareness for the different enrollment methods and to describe the main characteristics of the enrollment methods.

The different enrollment methods

Now let’s discuss the different enrollment methods and their use cases. Before starting, it’s good to mention that I’m aware of the existence of the MDM only enrollment method. However, I don’t consider that as a valid option to enroll a device into Microsoft Intune, as that method doesn’t register the device in Azure AD. And that provides many challenges, for example with conditional access. When discussing the different enrollment methods, I’ll try to group those methods were possible and I’ll try to mention the differences.

Bring Your Own Device (BYOD)

Description: The Bring Your Own Device (BYOD) method enables the user to enroll a personal device into Microsoft Intune by using the Settings panel and adding a Work and School account. That action will trigger the flow to register the device in Azure AD and that will also automatically enroll the device into Microsoft Intune.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1). Keep in mind that within the auto-enrollment configuration, the administrator can also configure MAM enrollment. When the MDM and MAM enrollment is configured for a user, the MAM enrollment takes precedence for personal devices.

Example scenario: This can be useful for Bring Your Own Device (BYOD) scenarios. The device will be enrolled as a personal device.

Azure AD join (with auto enrollment)

Description: The Azure AD join method enables the user to enroll a corporate-owned device into Microsoft Intune, similar to enrolling a personal device – by using the Settings panel and adding a Work and School account – the user can also choose to join the device to Azure AD. That option will become available during the same configuration flow. The user has to specifically choose to join Azure AD during that flow (as shown in Figure 2). This same behavior can also be triggered during the Out-Of-the-Box-Experience (OOBE). That can be achieved by setting the device up for an organization. That will trigger the flow to Azure AD join the device.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1).

Example scenario: This can be useful for Choose Your Own Device (CYOD) scenarios. The device will be enrolled as a corporate-owned device.

Windows Autopilot

Description: The Windows Autopilot method enables users to easily enroll corporate-owned devices. Windows Autopilot can be used to automate the Azure AD Join and directly enroll corporate-owned devices into Microsoft Intune. This method simplifies the OOBE – as mentioned with the Azure AD join method – as it will automatically add the device to AD or Azure AD and directly enroll the device into Microsoft Intune.

Important requirements: This requires that the device should be added in Microsoft Intune as Windows Autopilot devices (as shown in Figure 5) and specific Windows Autopilot profiles should be created to control the behavior and the OOBE.

Example scenario: This is useful in scenarios when handing out devices to users without the need to build, maintain, and apply custom operating system images to the devices. The device will be enrolled as a corporate-owned device.

Device Enrollment Manager (DEM)

Description: The Device Enrollment Manager (DEM) method enables the administrator to enroll multiple corporate-owned devices. The DEM account is a special account with permissions to enroll and manage multiple (up to 1000) corporate-owned devices. That enables a bulk enrollment method for non-personal corporate-owned devices. The enrollment can be achieved by following any of the flows to configure an Azure AD join.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1). Besides that the Device Enrollment Manager (DEM) should be configured (as shown in Figure 3) and make sure to keep the maximum number of devices that the user account can add to Azure AD matches.

Example scenario: This can be useful in scenarios where the device is enrolled and prepared before handing it out to the user of the device. The device will be enrolled as a corporate-owned device.

Provisioning package

Description: The provisioning package method enables the administrator to bulk enroll corporate-owned devices. A provision package can be used to add devices in bulk to Azure AD and automatically enroll those devices into Microsoft Intune. That provisioning package can be created by using the Windows Configuration Designer (as shown in Figure 4) and can be applied to corporate-owned devices. Once the package is applied, it’s ready for Azure AD users to sign in.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1). Besides that make sure to keep the maximum number of devices that a user can add to Azure AD matches with the usage of the package.

Example scenario: This can be useful in scenarios where an authorized user joins large numbers of corporate-owned devices. The device will be enrolled as a corporate-owned device.

Co-management

Description: The co-management method enables administrators to automatically enroll corporate-owned devices. Co-management enables organizations to automatically enroll devices into Microsoft Intune. This requires the device to be managed with Configuration Manager and the enablement of co-management. Within the co-management configuration, the automatic enrollment in Microsoft Intune can be configured (as shown in Figure 6).

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1) and that the device is registered or joined to Azure AD (can be achieved via Client Settings).

Example scenario: This is useful in scenarios when the flexibility is still required to use the technology solution that works best for the organization. The device will be enrolled as a corporate-owned device.

Group Policy

Description: The Group Policy method enables administrators to automatically enroll corporate-owned devices. Group Policy enables organizations to automatically enroll devices into Microsoft Intune. The automatic enrollment is triggered by the Group Policy (as shown in Figure 7). That means that the device is always hybrid Azure AD joined.

Important requirements: This requires the device to registered in Azure AD.

Example scenario: This is useful in scenarios when mass-enrolling domain-joined devices.The device will be enrolled as a corporate-owned device.

An overview of the enrollment methods

Let’s end this post by providing short overview of the different enrollment methods and their most important characteristics that are mentioned in throughout this post. Those characteristics are the ownership registration of the device, the user affinity with the device and the user interaction with the device during the enrollment.

Enrollment methodOwnershipUser affinityUser interaction
Bring Your Own DevicePersonalYesYes
Azure AD joinCorporateYesYes
Windows AutopilotCorporateYesYes
Device Enrollment ManagerCorporateNoNo
Provisioning packageCorporateNoNo
Co-managementCorporateYesNo
Group PolicyCorporateYesNo

A couple of remarks with this table are that 1) Windows Autopilot contains multiple scenarios, including scenarios without user interaction and that 2) methods without user affinity provide challenges with conditional access.

More information

For more information about configuring Windows 10 enrollment methods, refer to the following docs:

Microsoft Connected Cache in ConfigMgr with Win32 apps of Intune

This week is all about an awesome new feature that was introduced with the latest version of Configuration Manager, version 1910. That feature is that Microsoft Connected Cache now supports Win32 apps that are deployed via Microsoft Intune. Microsoft Connected Cache can be enabled on a Configuration Manager distribution point and serve content to Configuration Manager managed devices. That includes co-managed devices and now also Win32 apps, which enables a Configuration Manager distribution points to serve as a content location for Win32 apps deployed via Microsoft Intune. In this post I’ll start with a short introduction about Microsoft Connected Cache, followed with the required configuration of a Configuration Manager distribution point and the required configuration of the Configuration Manager clients. I’ll end this post by verifying the behavior on a client device.

Microsoft Connected Cache with Configuration Manager

Starting with Configuration Manager, version 1906, it’s possible to configure a Configuration Manager distribution point as a cache server that acts as an on-demand transparent cache for content downloaded by Delivery Optimization. In that version, the feature was known as Delivery Optimization In-Network Cache (DOINC). Starting with Configuration Manager, version 1910, this feature is now named Microsoft Connected Cache. Client settings can be used to make sure that the cache server is offered only to the members of the local Configuration Manager boundary group.

When clients are configured to use the Microsoft Connected Cache server, those clients will no longer request Microsoft cloud-managed content from the Internet. Those clients will request the content from the cache server installed on the Configuration Manager distribution point. The on-premises server caches the content using the IIS feature for Application Request Routing (ARR). Then the cache server can quickly respond to any future requests for the same content. If the Microsoft Connected Cache server is unavailable, or the content isn’t cached yet, clients download the content directly from the Internet.

Note: This cache is separate from the content on the Configuration Manager distribution point.

Enable distribution point as Microsoft Connected Cache server

The first step in configuring Microsoft Connected Cache in Configuration Manager for usage with Win32 apps from Microsoft Intune (or any other Microsoft cloud-managed content), is to enable a distribution point as a Microsoft Connected Cache server. However, before looking at that configuration, make sure that the on-premises distribution point meets the following configurations:

  • The server is running Windows Server 2012, or later
  • The default web site enabled on port 80
  • The IIS Application Request Routing (ARR) feature is not yet installed
  • The distribution point has Internet access to at least the Microsoft cloud

When the mentioned prerequisites are in-place, it’s time to have a look at the actual configuration steps. The following three steps walk through the process of enabling a distribution point as a Microsoft Connected Cache server.

  1. Open the Microsoft Endpoint Configuration Manager administration console and navigate to Administration > Overview > Site Configuration Servers and Site System Roles
  2. Select {YourSiteSystemServer} select Distribution point and click Properties in the Site Role tab to open the Distribution point Properties dialog box
  3. In the Distribution point Properties dialog box, navigate to the General tab, perform the following configuration and click OK
  • Select Enable the distribution point to be used as Microsoft Connected Cache server to enable this distribution point as a Microsoft Connected Cache server and to trigger the installation
  • Select By checking this box, I acknowledge that I accept the License Terms to accept the license terms (and make sure to read them)
  • Configure with Local drive the drive that should be used to store the cache on the server
  • Configure with Disk space the maximum size of the cache on the server
  • Optionally select Retain cache when disabling the Connected Cache server to make sure that the cache will be retained on the server when the configuration is disabled

Verify the installation

After enabling the distribution point to be used as a Microsoft Connected Cache server it’s time to follow the installation process to verify a successful installation. This process can be followed in the distmgr.log, as shown below. This log keeps track of the beginning and the ending of the installation.

When looking closely on the distmgr.log, the installation is actually wrapped in a PowerShell script. That script contains all the intelligence for checking the prerequisites, making the necessary backups and starting the actual installation. That whole process of that PowerShell script is logged in DoincSetup.log. Once it completed all actions, it will be shown in the both log files.

Additional things to look at are the CacheNodeService website and the Server Farms in IIS and the DOINC folder on the selected drive. All of these created items, should be created with the same unique ID in the name. Also, in the Task Scheduler there are two tasks created for maintenance and for keeping it alive.

Enable a client to use Microsoft Connected cache

The second step in configuring Microsoft Connected Cache in Configuration Manager for usage with Win32 apps from Microsoft Intune (or any other Microsoft cloud-managed content), is to enable a client to use a Microsoft Connected Cache server as location for content download. However, before looking at that configuration, make sure that the client devices meet the following configurations:

  • The device is running Windows 10, version 1709, or later
  • The client is Configuration Manager, version 1910, or later
  • The device has 4GB, or more

When the mentioned prerequisites are in-place, it’s time to have a look at the actual configuration steps. The following three steps walk through the process of enabling a client to use a Microsoft Connected Cache server as location for content download. After creating these custom client settings, assign them to the devices like any other client settings.

  1. Open the Microsoft Endpoint Configuration Manager administration console and navigate to Administration Overview Client Settings
  2. Select Create Custom Client Device Settings to open the Create Custom Client Device Settings dialog box
  3. On the General section, provide a valid name and select Delivery Optimization
  4. On the Delivery Optimization section, provide the following settings and click OK
  • Select Yes with Use Configuration Manager Boundary Groups for Delivery Optimization Group ID to make sure that the client uses this identifier to locate peers with the desired content
  • Select Yes with Enabled devices managed by Configuration Manager to use Microsoft Connected Cache servers for content download to make sure that the client can use an on-premises distribution point that is enabled as a Microsoft Connected Cache server for content download

Verify the behavior

After deploying the custom device settings to the required devices, it’s time to verify the behavior of the co-managed devices. I specifically mention co-managed devices, as I need to use Configuration Manager functionality and Microsoft Intune functionality. However, before verifying the behavior, it’s good to make sure that the following is also in-place to be able to use Win32 apps deployed by Intune on co-managed devices.

  • The co-managed device and the Microsoft Connected Cache-enabled distribution point are in the same boundary group
  • The pre-release feature Client apps for co-managed devices is enabled (often displayed as Mobile apps for co-managed devices)
  • The Client apps workload is set to Pilot Intune or Intune

When everything is available and configured, it’s time to actually look at the co-managed device. The first thing to look at is the actual configuration of Delivery Optimization on the device. Based on the custom client settings, the device will get the settings as shown below. The value DOCacheHost indicates that the distribution point is configured as Microsoft Connected Cache server, the value DODownloadMode indicates that a private group is configured and the value DOGroupId indicates the boundary group that is configured.

After verifying the settings, it’s time to look at what happens after downloading a Win32 app that’s deployed via Microsoft Intune. The easiest method to verify the required behavior is by using PowerShell. The Get-DeliveryOptimizationStatus cmdlet will provide the information to verify the behavior. The property BytesFromCacheServer indicates that the Microsoft Connected Cache server is used for the download, the property DownloadMode indicates that the correct download mode is used and the property PredefinedCallerApplication indicates that the download was an Intune app download.

More information

For more information about Microsoft Connected Cache with or without Configuration Manager, please refer to the following articles:

Device compliance based on custom configuration baselines

This week is all about the new feature to include a custom configuration baselines as part of a compliance policy assessment. That’s a new feature that is introduced in Configuration Manager, version 1910. That will also make this a followup on the post I did earlier this year about using the power of ConfigMgr together with Microsoft Intune to determine device compliance. This will be added functionality, as it’s now possible to make custom configuration baselines part of the device compliancy check. For both, Configuration Manager managed devices and co-managed devices. Even when the workload is switched to Microsoft Intune.

Introduction

This option that makes it possible to use a custom device configuration baseline part of a compliancy policy, opens up a whole new world of possibilities. Especially when knowing that this can also be used when co-managing devices. This enables organisations to create a custom device configuration baseline for specific business requirements that cannot be captured by using the default functionalities that are available for Configuration Manager and Microsoft Intune.

This provides a lot of flexibility for devices that are either managed by Configuration Manager, or that are co-managed by using a combination Configuration Manager and Microsoft Intune. In the latter scenario, that even still provides that flexibility when the compliance policies workload is switched to Microsoft Intune. In that case Microsoft Intune can be configured to take the ConfigMgr compliance assessment result as part of the overall compliance status. The info gets sent to Azure AD and can be used for conditional access. In this post I’ll show how to correctly configure the device compliance policy, the configuration baseline and (optionally) the Configuration Manager compliance.

Before starting with the different configurations it’s good to keep in mind that if the compliance policy evaluates a new baseline that has never been evaluated on the client before, it may report non-compliance at first. This occurs if the baseline evaluation is still running when the compliance is evaluated.

Configure device compliance policy

The first configuration that should be in place is the device compliance policy. The device compliance policy is used to determine the compliance status of the device. Within the device compliance policy, a new rule is available that will enable the evaluation of configuration baselines as part of the compliance of the device. The following steps walk through the creation of a new device compliance policy including the required rule. The device compliance policy can be deployed like any other device compliance policy.

  1. Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Compliance Settings > Compliance Policies
  2. Click Create Compliance Policy to open the Create Compliance Policy Wizard
  3. On the General page, provide the following information and click Next
  • Name: Provide a valid name for the compliance baseline
  • Description: (Optional) Provide a description for the compliance baseline
  • Select Compliance rules for devices managed with Configuration Manager client
  1. On the Supported Platforms page, select Windows 10 and click Next
  1. On the Rules page, perform the following actions and click Next
  • Click New to open the Add Rule dialog box
  • On the Add Rule dialog box, select Include configured baselines in compliance policy assessment and click OK
  1. On the Summary page, click Next
  2. On the Completion page, click Close

Configure configuration baseline policy

The second configuration that should be in place is the configuration baseline policy. The configuration baseline policy is used to configure, or verify, specific configuration on a device. Within a configuration a new settings is available that will make the evaluation of the configuration baseline a part of the compliance evaluation. The following steps will walk through the process of creating a new configuration baseline including the new setting. In my example I’m adding a configuration item that will verify if the local administrators comply the the organisation defaults. The configuration baseline can be deployed like any other configuration baseline.

  1. Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines
  2. Click Create Configuration Baseline to open the Create Configuration Baseline dialog box
  1. On the Create Configuration Baseline dialog box, provide the following and click OK
  • Name: Provide a valid name for the configuration baseline
  • Description: (Optional) Provide a description for the configuration baseline
  • Configuration data: Select the required configuration items that should be part of this configuration baseline
  • Select Always apply the baseline even for co-managed devices
  • Select Evaluate the baseline as part of compliance policy assessment

The combination of these settings will make sure that the configuration baseline is applied to co-managed devices and that the configuration baseline will be evaluated as part of the compliance. Keep in mind that any baseline with the second option selected, that is deployed to the user, or to the user’s device, is evaluated for compliance.

(Optional) Configure Configuration Manager Compliance

An optional configuration is to configure Microsoft Intune to also look at information of Configuration Manager for determining the compliance. In my scenario that is a required configuration as I’m using it in combination with co-managed devices. Within a compliance policy a setting is available that will require compliance from Configuration Manager. The following steps walk through the configuration of that setting in a device compliance policy. Nothing more, nothing less. The device compliance policy can be assigned like any other device compliance policy.

  1. Open the Microsoft 365 Device Management portal and navigate to Devices Windows > Compliance policies to open the Windows – Compliance policies blade
  2. On the Windows – Compliance policies blade, click Create Policy to open the Create Policy blade
  3. On the Create Policy blade, provide the following information and click Create
  • Name: Provide a valid name for the compliance policy
  • Description: (Optional) Provide a description for the compliance policy
  • Platform: Select Windows 10 and later
  • Settings: See step 4 and 5
  • Actions for noncompliance: Leave default (for this post)
  • Scope (Tags): Leave default (for this post)
  1. On the Windows 10 compliance policy blade, select Configuration Manager Compliance to open the Configuration Manager Compliance blade
  2. On the Configuration Manager Compliance blade, select Require with Require device compliance from System Center Configuration Manager and click OK to return to the Windows 10 compliance policy blade and click OK

Experience

Now let’s end this post by having a look at the end-user experience. In my scenario I’ve created a custom configuration baseline that will verify the number of local administrators on the device. When it’s above a specific number of local administrators, the device is considered not compliant as the device might be compromised. In that case the end-user will receive a message in the Company Portal app as shown below. It explains the end-user that the security settings should be updated and to look for more information in Software Center.

When looking at Software Center it actually provides exactly the same message to the end-user. It provides the end-user with the message that the security settings should be updated. For more information the end-user should contact the support department. So make sure that the requirements are clear to the end-user.

More information

For more information see the Include custom configuration baselines as part of compliance policy assessment section of the Create configuration baselines doc.

Join us at Experts Live Netherlands in Den Bosch

EXPERTSLIVE.6015_email-signature_spreker_ENG_200x200A bit less than a week from now, June 6, Experts Live Netherlands will be in Den Bosch. Experts Live Netherlands is one of the biggest Microsoft community events, with over 1200 visitors. I’m proud to be part of the speaker lineup again. Together with my finest colleague, Arjan Vroege, I will deliver a session about moving to a modern managed workplace at your own pace! And we hope to see you there!

About our session

During our session we will discus (and show) how to migrate to a modern managed workplace at your own pace. As many organizations want to make the switch to a modern managed workplace, but are currently unable to make the complete switch. Often this is related to missing specific management features, like limited control over updates and missing rich app deployment features. The good news is that it’s not required to directly make the complete switch. This can be achieved in steps, by using Configuration Manager and Microsoft Intune. In this session we will present and show you how to use these tools in combination with Windows 10 to make a smooth transition.

Always apply baseline to co-managed devices

Like the last couple of weeks, this week is also about co-management. This week is all about another nice detail that can be really useful, in specific use cases. That detail is the ability to always apply a configuration baseline to co-managed devices. Even when the Device configuration workload is switched from Configuration Manager to Microsoft Intune. That can be useful for configurations that are not available yet via Microsoft Intune, or for compliance checks that need to be performed and consolidated in one location. In this post I’ll provide a short introduction about the different configuration options, followed by the steps to configure a configuration baseline to co-managed devices when the workload is switched to Microsoft Intune. I’ll end this post with the end-results.

Introduction

When looking at the evaluation of baselines, co-management provides the administrator with 3 different configuration options (of which the third options is the main subject of this post):

  1. Apply Configuration Baselines via Configuration Manager when the Device configuration workload is set to Configuration Manager:
  2. Apply Device configuration profiles via Microsoft Intune when the Device configuration workload is set to Microsoft Intune:
  3. Apply Configuration Baselines via Configuration Manager as an exception to Device configuration profiles via Microsoft Intune when the Device configuration workload is set to Microsoft Intune

Configuration

Let’s start by having a look at the configuration. I’ll do that by going through an example that will create a baseline to verify the update compliance of co-managed devices. That will provide an easy method to verify compliance and consolidate the results. Below are 4 steps that walk through the process.

1 Open the Configuration Manager administration console and navigate to Assets and Compliance > Overview > Compliance Settings > Compliance Baselines;
2 On the Home tab, click Create Configuration Baseline to open the Create Configuration Baseline dialog box;
3a

AlwaysApply-Step01On the Create Configuration Baseline dialog box, provide the following information and click OK to create the configuration baseline.

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description; 
  • Configuration data: See step 3b;
  • Select Always apply this baseline even for co-managed clients;

Explanation: The check Always apply this baseline even for co-managed clients in the baseline will make sure that the baseline is always applicable to co-managed devices. Even when the Device configuration workload is set to Microsoft Intune.

3b

AlwaysApply-Step02On the Create Configuration Baseline dialog box, click Add > Software Update to open the Add Software Updates dialog box. On the Add Software Updates dialog box, find the required software update and click OK.

Explanation: This configuration will make sure that this baseline will verify the compliance of all co-managed devices for the latest cumulative update.

4

AlwaysApply-Step03Right-click the just created baseline and click Deploy to open the Deploy Configuration Baselines dialog box. Leave everything default, select the collection for this baseline deployment and click OK.

Explanation: This configuration will make sure that this baseline is deployed to the required collection and will make sure that this baseline is only used for compliance and not for remediation.

Note: The setting Always apply this baseline even for co-managed clients in the baseline, as mentioned in step 3a, can be used to make sure that the baseline is always applied on co-managed devices.

End-results

Now let’s continue by having a look at the results on a co-managed device. Below are two examples of one of a co-managed device. First an overview of the Configuration Manager Properties, followed by a look in the DCMAgent.log file. Both are client-side details, as the server-side will provide status information similar like for any other device.

1 AlwaysApply-ConfigMgrPropertiesThe first example that I would like to show, is the Configurations tab in the Configuration Manager Properties. The Configurations tab shows the deployed baseline, including the last evaluation time and the compliance state. Similar to the evaluation of a baseline when the Device configuration workload is still set to Configuration Manager;
2 The second example that I would like to show, is the DCMAgent.log file. That log file records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications. Specifically to this post, this log file provides information about the status of the Device configuration workload (first arrow below) and provides information about specifically enabled baselines (second arrow below);
AlwaysApply-DCMAgent

More information

For more information about co-managed devices and configuration baselines, please refer to this article about creating configuration baselines in System Center Configuration Manager.

Switching the Office Click-to-Run apps workload

This week is all about the Office Click-to-Run apps workload. More specifically, this week is all about what’s happening, from a Configuration Manager perspective, when switching the Office Click-to-Run apps workload to Microsoft Intune. Switching the Office Click-to-Run apps workload to Microsoft Intune will make sure that the Office Click-to-Run app will be installed via Microsoft Intune and no longer via Configuration Manager. In this post I’ll show how to switch the Office Click-to-Run apps workload to Microsoft Intune, followed by what is actually making sure that Configuration Manager will no longer install Office Click-to-Run apps. I’ll end this post with a summary.

Configuration

Let’s start with the easy part, in this case, the configuration. Assuming that co-management is already configured, the following 3 steps will walk through the process of switching the Office Click-to-Run apps workload to Microsoft Intune.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Cloud Services > Co-management;
2 Select CoMgmtSettingsProd and click Properties in the Home tab, to open the Properties dialog box;
3

O365W-ComanangementPropertiesOn the Properties dialog box, navigate to the Workloads tab. On the Workloads tab, move the slider with Office Click-to-Run apps to Intune.

Note: When there is a need to first test this configuration with a pilot group, simply move the slider with Office Click-to-Run apps to Pilot Intune. In that case make sure to configure a Pilot collection on the Staging tab of the Properties dialog box. 

Note: This configuration change will update the configuration baseline that is used to apply the co-management configuration to Configuration Manager clients. That baseline is shown on Configuration Manager clients as CoMgmtSettingsProd (and for pilot devices also CoMgmtSettingsPilot).

Effect of the configuration

Now let’s continue by looking at the effect of this configuration, from a Configuration Manager perspective. I’ll do that by showing the Global Condition that is used, I’ll do that by showing how that Global Condition is used and I’ll do that by showing what happens on the client device.

1 The first thing that I want to look at is the Global Condition that is used. Starting with Configuration Manager, version 1806, the Intune O365 ProPlus management condition is created as a Global Condition in Configuration Manager. That condition is used to make sure that the Configuration Manager client can no longer install the Office Click-to-Run app on co-managed devices, as the condition will be added as a requirement to the app. That is achieved by a VBScript, in the condition, that queries SELECT * FROM DeviceProperty WHERE DeviceIsO365IntuneManaged=TRUE in the root\ccm\cimodels namespace. Based on the results of the query, the VBScript will either return true or false. That return value will be used to evaluate the requirement of the app.
O365W-ConfigMgrConsole
2 O365W-AppRequirementThe second thing that I want to look at is the default configuration of the Office Click-to-Run app that is created when walking through the Microsoft Office 365 Client Installation Wizard. More specifically, the Requirements tab of the created Deployment Type. After a new Office Click-to-Run app is created, the Intune O365 ProPlus management condition is added as requirement to the Deployment Type. The value is configured to False, to make sure that the Office Click-to-Run app is not installed when the Office Click-to-Run apps workload is switched to Intune (or to Pilot Intune).
3 O365W-WbemTestThe third thing that I want to look at is the change on a co-managed device after the Office Click-to-Run apps workload is switched to Intune. Starting with Configuration Manager, version 1806, the Configuration Manager client has a new DeviceProperty named DeviceIsO365IntuneManaged in the root\ccm\cimodels namespace.Based on the configuration of the Office Click-to-Run apps workload, this property is configured to either TRUE or FALSE. That is done during the evaluation of the CoMgmtSettingsProd (and for pilot devices also CoMgmtSettingsPilot) baseline on Configuration Manager clients.

Note: Together these 3 things will make sure that the Configuration Manager client will no longer install any deployed Office Click-to-Run apps when the Office Click-to-Run apps workload is switched.

Summary

Let’s end this post with a summary of what is happening from a Configuration Manager perspective.

  • A relatively new Global Condition, named Intune O365 ProPlus management, is available in Configuration Manager;
  • The Intune O365 ProPlus management condition is used to verify if the co-managed device should use Configuration Manager or Intune for installing the Office Click-to-Run app;
  • The Intune O365 ProPlus management condition is added by default to to Office Click-to-Run apps created through the Microsoft Office 365 Client Installation Wizard;
  • A relatively new DeviceProperty, named DeviceIsO365IntuneManaged, is available in the Configuration Manager client configuration in WMI;
  • The DeviceIsO365IntuneManaged property is used to contain the status of the co-managed device, regarding whether Configuration Manager or Intune should be used to install the Office Click-to-Run app;
  • The DeviceIsO365IntuneManaged property is configured based on the status of the Office Click-to-Run apps workload in the co-management configuration;
  • The Office Click-to-Run app is deployed via Configuration Manager and the Configuration Manager client verifies the status of the DeviceIsO365IntuneManaged property by using the Intune O365 ProPlus management condition.

More information

For more information regarding the Office Click-to-Run apps workload, please refer to this article about Co-management workloads.

Using the power of ConfigMgr together with Microsoft Intune to determine device compliance

This week is all about device compliance. More specifically, about using the combination of ConfigMgr and Microsoft Intune for device compliance. In a cloud-attached scenario, in which ConfigMgr is attached to Microsoft Intune, it’s possible to use the ConfigMgr client in combination with a MDM enrollment. This is also known as co-management. In that scenario it’s possible to slowly move workloads from ConfigMgr to Microsoft Intune, like the compliance policies workload. In that scenario Microsoft Intune will become responsible for the compliance state of the device. However, switching that workload to Microsoft Intune, also limits the available device compliance checks. In case the organization still needs to verify the availability of certain apps, or updates, there’s a solution. Even when the workload is switched to Microsoft Intune. That solution is: Configuration Manager Compliance. In this post I’ll start with an introduction about Configuration Manager Compliance and using that in combination with Microsoft Intune, followed by the configuration in Microsoft Intune. I’ll end this post by showing the end-user experience.

Introduction about Configuration Manager Compliance

Now let’s start with an introduction about Configuration Manager Compliance. Configuration Manager Compliance is a recently introduced configuration option in a device compliance policy in Microsoft Intune. That configuration options enables the administrator to use the device compliance policy in Microsoft Intune together with the device compliance state send from Configuration Manager. That enables the administrator to still use the configuration options from a compliance policy in Configuration Manager, even though the workload is switched to Microsoft Intune. In other words, it enables the administrator to still verify if specific required apps are installed, or that the device has the latest updates installed. End-to-end the following happens for the user/device:

  • Device is managed by Configuration Manager;
  • Device is enrolled with Microsoft Intune;
  • Configuration Manager evaluates the device compliance;
  • Configuration Manager sends the compliance state to Microsoft Intune;
  • Microsoft Intune evaluates the device compliance;
  • Microsoft Intune generates a combined compliance report;
  • Azure AD enforces conditional access;
  • Azure AD allows (or blocks) access for (non)compliant devices;
  • End-user receives a friendly remediation experience via Microsoft Intune and Configuration Manager (see the section about the end-user experience).

Note: This configuration option requires Configuration Manager 1810, or later.

Configuration of Configuration Manager Compliance

Let’s continue by having a look at the configuration. The configuration assumes that a Configuration Manager compliance policy is already available. The following 3 steps walk through the configuration of the Configuration Manager Compliance policy setting in a device compliance policy. Nothing more, nothing less. After creation, the device compliance policy can be assigned like any other device compliance policy. The created device compliance policy is applicable to all targeted users and/or devices. The Configuration Manager Compliance policy setting is only applicable to co-managed devices.

1 Open the Azure portal and navigate to Microsoft Intune > Device compliance > Policies to open the Device compliance – Policies blade;
2 On the Device compliance – Policies blade, click Create Policy to open the Create Policy blade;
3a

CMC_CreatePolicyOn the Create Policy blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Settings: See step 3b;
  • Actions for noncompliance: Leave default (for this post);
  • Scope (Tags): Leave default (for this post);

Note: Configuring non-standard values for Actions for noncompliance and Scope (Tags), is out of scope for this post.

3b

CMC_Windows10CompliancePolicyOn the Windows 10 compliance policy blade, select Configuration Manager Compliance to open the Configuration Manager Compliance blade;

Note: Configuring non-standard values for the Device Health, Device Properties, System Security and Windows Defender ATP, is out of scope for this post.

3c On the Configuration Manager Compliance blade, select Require with Require device compliance from System Center Configuration Manager and click OK to return to the Windows 10 compliance policy blade;
CMC_ConfigurationManagerCompliance
3d Back on the Windows 10 compliance policy blade, click OK;

Note: To take full advantage of this device compliance policy configuration, it must be used in combination with a conditional access policy that requires the device to be marked as compliant.

End-user experience

Let’s end this post by having a look at the end-user experience. As a starting point for the example below I’ve created a compliance policy that requires all applications (and software updates) with a deadline older than 30 days to be installed. When one (or more) of the required applications is not installed, the end-user will receive a message in Software Center as shown below. It clearly explains the end-user that not all required applications are installed. Mentioning the required applications would be a nice addition.

CMC_Example_SoftwareCenter

Via the Company Portal app the message will be a little less clear. The end-user will simply receive the message that some changes need to be made. A referral to Software Center could be a nice addition.

CMC_Example_CompanyPortal

The administrator can always see the status in the different consoles. Microsoft Intune will show a not compliant message for the Require with Require device compliance from System Center Configuration Manager setting and Configuration Manager will show a not compliant message for the specific rule of the compliance policy.

More information

For more information regarding Configuration Manager Compliance, please refer to the section Configuration Manager Compliance in the  Add a device compliance policy for Windows devices in Intune article.

Automagically convert Intune managed devices to AutoPilot

Tweet-AutoPilotThis week a short blog post about my tweet of a bit more than a week ago. In that tweet I mentioned a new easy method to automagically convert Intune managed devices to AutoPilot. That method makes some scenarios a whole lot easier. Like for example what I did in this post to get the AutoPilot device information of Intune managed devices. That type of custom scripting is not needed anymore!

As I got many reactions to that tweet, mainly related to the location of that configuration, I thought it would be good to make a short post describing the configuration option and the expected behavior. In this post I’ll provide the steps to make this configuration and I’ll describe the expected behavior. There is no real end-user or administrator experience to show for this configuration. So, no section related to that. I’ll do explain the the expected behavior in the introduction.

Introduction

Let’s start with a short introduction about the mentioned configuration option. That configuration option is the Convert all targeted devices to AutoPilot setting. By default an AutoPilot deployment profile is only applied to already existing AutoPilot devices and doesn’t apply to non-AutoPilot devices. Configuring the Convert all targeted devices to AutoPilot setting to Yes will automagically convert all devices in the assigned group to AutoPilot. This is a one-time conversion that also works for co-managed devices. That also means that removing the AutoPilot profile will not remove the converted devices from AutoPilot. After conversion the devices can only be removed by using the Windows AutoPilot devices view. Keep in mind that it can take up to 48 hours for the conversion to be completed.

Configuration

Now let’s continue by having a look at the actual configuration. And in this case only the specific Convert all targeted devices to AutoPilot setting. The following four steps walk through the steps to get to the specific setting and are not meant to create a complete the Windows AutoPilot deployment profiles.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows AutoPilot Deployment Program section to open the Windows AutoPilot deployment profiles blade;
3 On Windows AutoPilot deployment profiles blade, either select Create profile or select [existing deployment profile] > Properties to open the Create profile blade or the [existing deployment profile] – Properties  blade;
4 On the Create profile blade or the [existing deployment profile] – Properties  blade, the setting Convert all targeted devices to AutoPilot must be switched to Yes (below is an example of the the [existing deployment profile] – Properties  blade, the Create profile blade looks similar) ;
MSIS-AutoPilot-Target

Note: There’s not a real easy method to see which devices are converted to AutoPilot. Those devices will show as any other imported device, without enrollment state. However, as the configuration is done via an AutoPilot deployment profile, the device is immediately assigned to a profile. Again, without creating any fancy configurations, like query based dynamic device groups.

More information

For more information about enrolling Windows devices by using Windows AutoPilot, please refer to the documentation named Enroll Windows devices by using the Windows Autopilot.

Join us at Experts Live Europe in Prague

b-B6v-rUA bit less than two weeks from now, October 25-26, Experts Live Europe will be in Prague. Together with my finest colleague, Arjan Vroege, I will deliver two sessions! And we hope to see you there!

Experts Live Europe is a Microsoft community conference with a focus on Microsoft cloud, datacenter and workplace management. During this conference, top experts from around the world present discussion panels, ask-the-experts sessions and breakout sessions and cover the latest products, technologies and solutions.

About our sessions

The maybe-not-that-sexy version of modern management – A true story –

In this session, we will take you into the real world of modern management. Modern management is a great buzzword and by now we all know the lovely story of modern management. We all know how it should work, but we often lack the real-world examples of organizations using modern management. During this session, we will show you how we internally deployed Windows 10 with Azure AD join and Intune management for over 10k devices. What choices did we make? Which challenges did we run into? Did we close all the gaps? We’ll try to answer these question. To conclude will also look at the available options right now and how they could have helped us. We will also have a couple of cool demos. To provide a sneak preview, here is a small list with subjects that will be part of our session: Win32 apps, MSIX and Windows AutoPilot.

Thursday Friday 2:40 PM – 3.40 PM

Create your ultimate hybrid workplace, what options do you have?

During this session we will take you into the world of the hybrid workplace. The modern workplace is a great story, for cloud only organizations, but the reality is often that there are a lot of components still on-premises. During this session we will touch the different delegate subjects from identity until apps and from management until connectivity. That means, a lot of ground to cover and a lot of choices to be made. Besides that we will have a couple of cool demos, here is a small list with a sneak preview of subjects that will be part of our session:  Pass-through authentication, Co-management, Win32 apps, MSIX and Azure AD Application Proxy.

Friday 8:00 AM – 9:00 AM

Make sure that you don’t miss these sessions!