Simplifying management of the Google Chrome browser

This week is all about simplifying the management of the Google Chrome browser. I’ve done my fair share of posts about different methods for managing settings for the Google Chrome browser, by using Microsoft Intune, like for example by using ADMX-files or by using PowerShell, but it can be easier. It can also be achieved by using Chrome Browser Cloud Management. Chrome Browser Cloud Management is a cloud-based solution that enables the management of the Google Chrome browser across Windows, Mac and Linux devices. In this post I’ll start with a short introduction about Chrome Browser Cloud Management, followed by the steps to enrol Windows devices by using Microsoft Intune. I’ll end this post by looking at the end-user experience.

Note: Keep in mind that this post is only intended to provide a simple management solution for the Google Chrome browser. Please make your own consideration if this would be added value for your organization.

Introduction to Chrome Browser Cloud Management

Let’s start with a short introduction to Chrome Browser Cloud Management. Chrome Browser Cloud Management provides the IT administrator with a unified managed experience across Windows, Mac and Linux devices via a single cloud-based console. That removes the need to use different management tools for different platforms when managing Google Chrome across the organisation. Besides that, it can even provide benefits when managing a single platform. Even in combination with Microsoft Intune. At this moment, Microsoft Intune can provide some challenges with managing Google Chrome, as it would require the use of either PowerShell scripting or ADMX-files. Both, at this moment, time intensive activities. In that case, using Chrome Browser Cloud Management would add an additional management tool, but would save time in configurations.

Chrome Browser Cloud Management provides a method to enroll Google Chrome browsers by providing an enrollment token to the browser. On Windows devices that can be achieved by applying a simple registry key. Once the Google Chrome browsers are enrolled, the Chrome Browser Cloud Management enables the management over user settings and apps and extensions. Both contain some often used configurations. Below are a couple of examples of often used configurations. Figure 1 shows how to easily configure the Homepage and Page to load on startup setting and Figure 2 shows how to easily add the Windows 10 Accounts extension.

Enroll cloud-managed Google Chrome browsers

Now let’s continue by looking at enrolling Google Chrome browsers. Basically that requires two actions. The first actions is to generate the enrollment token and the second action is to enroll Google Chrome browsers by using the enrollment token.

Action 1: Generate enrollment token

The first action is to generate and enrollment token. That token will be used for enrolling the Google Chrome browsers. The following four steps walk through the process of generating that token.

  1. Open the Google Admin console and navigate to Devices > Chrome management > Managed browsers to open the Managed browsers page
  2. On Managed browsers page, on the right bottom of the screen click on the + button to open the Chrome Browser Cloud Management License Agreement dialog box
  3. On the Chrome Browser Cloud Management License Agreement dialog box, click I ACCEPT to generate an enrollment token and to open the Enrollment token dialog box
  4. On the Enrollment token dialog box, click the copy sign to copy the enrollment token and click DONE.

Note: I’m not downloading the registry file, as I think that it’s easier to deploy the enrollment token by using a PowerShell script.

Action 2: Enroll Google Chrome browsers on Windows devices

The second action is to enroll Google Chrome browsers on Windows devices by using the generated enrollment token. For that purpose I’ve created a small PowerShell script that will be deployed via Microsoft Intune. That means two steps. The first step is to create the PowerShell script and second step is distribute the PowerShell script via Microsoft Intune.

Let’s start with the first step. The following PowerShell script provides a simple example that will create the registry path and key if needed. Simply add the copied enrollment token as the value of the $KeyValue variable.

The second step is to distribute the PowerShell script by using Microsoft Intune. That will make sure that the enrollment token applied to the Windows devices, which will trigger the Google Chrome browser to enroll. The next seven steps walk through the deployment of the PowerShell script.

  1. Open Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows > PowerShell scripts to open the Windows | PowerShell scripts blade
  2. On the Windows | PowerShell scripts blade, click Add to open the Add PowerShell script wizard
  3. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the PowerShell script
  • Description: (Optional) Provide a description for the PowerShell script
  1. On the Script settings page, provide the following configuration and click Next
  • Script location: Select the PowerShell script
  • Run the script using the logged on credentials: Select No to run the script in SYSTEM context
  • Enforce script signature check: Select No
  • Run script in 64-bit PowerShell Host: Select Yes
  1. On the Scope tags page, configure any additional scope tags for this PowerShell script and click Next
  2. On the Assignments page, configure the assignment of this PowerShell script and click Next
  3. On the Review + add page, review the settings and click Add

End-user experience

Let’s end this post by having a look at the end-user experience. Below I’ve provided a few examples of the experience for the end-user. Figure 5 provides an overview of the applied registry key and its value and Figure 6 provides an overview of the Google Chrome browser and the applied policies. The latter shows the managed state of the Google Chrome browser and the applied Chrome policies. With those Chrome policies it provides the source of the policy, which is Platform for the cloud management enrollment token configured via Microsoft Intune and Cloud for all policies configured via Chrome Browser Cloud Management, and the policy name and value. The shown Chrome policies – and their results – are the examples provided in the introduction.

Note: An administrator can also look at the enrolled browsers in the Google Admin console by navigating to Devices > Chrome management > Managed browsers.

More information

For more information about cloud-management of the Google Chrome browser, refer to the documentation about Cloud-managed Chrome Browser.

Simplifying the migration of Android device administrator to Android Enterprise work profile management

This week is all about a recently introduced feature that will help organizations with their move away from Android device administrator managed devices to Android Enterprise work profile management. That is a very welcome feature as Google is decreasing device administrator support in new Android releases, which makes difficult for Microsoft Intune (and any other MDM-solution) to adequately manage Android device administrator managed devices starting with Android 10. The feature in Microsoft Intune that will help with moving away from Android device administrator managed devices is a compliance setting that will enable organizations to block devices in a structured manner and to provide a direct migration path to Android Enterprise work profile management.

In this post I’ll show how to create and configure a device compliancy policy that will slowly trigger end-users to start the migration to Android Enterprise work profile management, followed by the steps to block the enrollment of Android device administrator managed devices. Together that should help organizations to fully move away from Android device administrator managed devices. I’ll end this post by having a look at the end-user experience.

Configuring the device compliance policy

The first step is preparing a good migration experience, from Android device administrator managed devices to Android Enterprise work profile management, for the end-users. That can be achieved by creating a device compliance policy that eventually will block Android device administrator managed devices. To make sure that the end-user is not immediately being blocked from accessing company resources, I advise to use at least two levels of noncompliance. The first level would be that the end-user receives an email message with the advise to start the migration and the second level would be to actually block access to company resources. That can be after a longer period of noncompliance. The following seven steps walk through the steps for configuring a device compliance policy and provide some guidance for the different configurations. After the creation of the device compliance policy, assign the policy like any other policy.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices Android > Compliance policies to open the Android | Compliance policies blade
  2. On the Android | Compliance policies blade, click Create Policy to open the Create Policy blade
  3. On the Create Policy blade, provide the following information and click Create
  • Name: Provide a valid name for the device compliance policy
  • Description: (Optional) Provide a description for the device compliance policy
  • Platform: Select Android device administrator
  • Settings: See step 4 and 5
  • Locations: Leave default (for this post)
  • Actions for noncompliance: See step 6
  • Scope (Tags): Leave default (for this post)
  1. On the Android compliance policy blade, select Device Health to open the Device Health blade
  2. On the Device Health blade, select Block with Devices managed with device administrator and click OK to return to the Android compliance policy blade and click OK to return to the Create Policy blade
  3. On the Create Policy blade, select Actions for noncompliance to open the Actions blade
  4. On the Actions blade, add an action to first notify the user via email and make sure to adjust the default action to not mark a device as noncompliant immediately. That will provide the end-user with time to perform the migration before completely being blocked.

Note: The url https://portal.manage.microsoft.com/UpdateSettings.aspx can be used in the email message to launch the Company Portal app directly in the Update device settings page.

For automation purposes, automating the device compliance policy configuration can be achieved by using the deviceCompliancePolicies object in the Graph API.

https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies

Configuring the device enrollment restrictions

The second step is making sure that new Android device administrator managed devices can no longer be enrolled into Microsoft Intune. That can be achieved by using device enrollment restrictions. The device enrollment restrictions can be used for blocking the enrollment of Android device administrator devices. The following five steps walk through the adjustment of the default enrollment restrictions. Something similar, and often more flexible, can be achieved by using custom enrollment restrictions.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Enroll devices > Enrollment restrictions to open the Enroll devices | Enrollment restrictions blade
  2. On the Enroll devices | Enrollment restrictions blade, select the Default device type restriction and navigate to Properties to open the All Users | Properties blade
  3. On the All Users | Properties blade, navigate to the Platform settings section and click Edit to open the Platform settings page on the Edit restriction blade
  4. On the Platform settings page, select Block with Android device administrator (see example below) and click Review + save to continue to the Review + save page
  5. On the Review + save page, click Save

For automation purposes, automating the device type restriction configuration can be achieved by using the deviceEnrollmentConfigurations object in the Graph API.

https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations

End-user experience

Now let’s end this post by having a look at the end-user experience, which is the most important part of everything in this post. The end-user experience determines whether this migration process will be adopted by the end-user and whether this migration process is intuitive enough to walk the end-user through this migration process. My personal experience, after performing multiple of these migrations, is very positive. It catches problems and brings the end-user back to the progress in the Company Portal app. Even on an older device, which wasn’t encrypted, I eventually ended up in the Company Portal app.

Figure 4 to Figure 14 below, walk through the migration steps for the end-user when starting with an Android device administrator managed device and moving to Android Enterprise work profile management. Figure 5 is also the starting point when the end-user would click on the provided link in an email and Figure 15 provides an overview of the end result.

Note: In Figure 4 it already shows that the device status is “Not in Compliance“, while in fact the device can still be “In grace period“. Also, in Figure 5 the end-user will receive the message “Unable to resolve” when the enrollment of Android Enterprise (work profile) devices is restricted for the specific end-user.

More information

For more information about moving to Android Enterprise work profile management and enrollment restrictions, refer to the following docs:

Enable device upload when already using co-management

This week is all about the recently introduced functionality of Microsoft Endpoint Manager tenant attach. More specifically, the device sync and the device action functionalities that become available via the Microsoft Endpoint Manager admin center for Configuration Manager managed devices. This is the first big step into creating an integrated solution for managing all devices. This brings Configuration Manager and Microsoft Intune together into a single console. In this post I’ll start with an introduction to the different cloud integration options, followed by the step for enabling the device upload. I’ll end this post by having a look at what this integration brings from an administrator perspective.

Introduction to cloud integration

Let’s start with a quick introduction to all the different cloud integration terminologies that are currently used in combination with Configuration Manager. The main reason for that is that I often hear a lot of confusion about the terminologies in regards to what it is and what it is used for and a new term – tenant attach – will not make that a lot easier.

  • Co-management – Co-management (sometimes even referred to as client attach) is about enrolling Configuration Manager managed devices into Microsoft Intune for additional cloud value. In other words, managing Windows 10 devices by using both Configuration Manager and Microsoft Intune. That enables the administrator to configure specific workloads for Configuration Manager or Microsoft Intune, to enable a smooth transition to the cloud. These products balance the workloads to make sure that there are no conflicts. For a complete overview of the benefits and these workloads, please refer to this doc about what co-management is.
  • Coexistence – Coexistence is about enrolling Configuration Manager managed devices into a third-party MDM solution. In other words, managing Windows 10 devices by using both Configuration Manager and a third-party MDM. That creates two management authorities on a device that don’t integrate with each other, which might create conflicts. To prevent these conflicts the Configuration Manager client detects when a third-party MDM service is also managing the device. When detected, it automatically deactivates certain workloads in Configuration Manager. For a complete list of these workloads, please refer to this doc about third-party MDM coexistence with Configuration Manager.
  • Tenant attach – Tenant attach (the new kid) is about attaching a Configuration Manager environment to the Microsoft Intune tenant for instant cloud value. That will bring all devices to single console and that console is Microsoft Endpoint Manager admin center. Bringing all the devices to that single console will enable the administrator (at first mainly focussed on the helpdesk) to perform basic actions on all devices, either managed by Configuration Manager or managed by Microsoft Intune.
  • Cloud hosted – Cloud hosted is about hosting Configuration Manager components in Microsoft Azure. That will bring the reliability and flexibility of Microsoft Azure to Configuration Manager for managing for example Internet clients by using a Cloud Management Gateway (CMG).
  • Cloud attach – Cloud attach is about attaching different cloud components to a Configuration Manager environment. That is a more generic term that is often used when attaching any cloud functionality to a Configuration Manager environment. That can be about co-management (client attach), tenant attach, and cloud hosted. Basically any cloud service that is attached to the on-premises environment for providing more and better functionalities for managing devices by using cloud functionality.
  • Hybrid MDM – Previously there was even hybrid MDM (or Microsoft Intune hybrid) that would integrate Microsoft Intune with Configuration Manager to provide cloud MDM-capabilities to Configuration Manager. That would enable customers to use Configuration Manager as a single pane of glass for managing all devices within the environment. That feature is retired as of September 1, 2019.

Note: For a nice overview see also this session about Supercharging PC and mobile device management: Attach Configuration Manager to Microsoft Intune and the Microsoft 365 cloud (starting at about 6:38) of Microsoft Ignite 2019.

Enable device upload

After processing the terminology for all the different cloud (and management) integration options for a Configuration Manager environment, it’s time to look at the new tenant attach functionality. When assuming that co-management is already being used within the environment, the following five steps will walk through also configuring the device upload functionality.

  1. Open the Microsoft Endpoint Configuration Manager administration console and navigate to Administration > Overview > Cloud Services Co-management
  2. Select the CoMgmtSettingsProd policy and click Properties in the Home tab to open the Properties dialog box
  3. In the Properties dialog box, navigate to the Configure upload tab, perform the following configuration and click OK
  • Select Upload to Microsoft Endpoint Manager admin center to enable this site to upload devices to Microsoft Endpoint Manager admin center
  • Select All my devices managed by Microsoft Endpoint Configuration Manager (recommended) to enable this site to upload all devices to Microsoft Endpoint Manager admin center, or select A collection I select to enable this site to only upload specific devices to Microsoft Endpoint Manager admin center
  1. In the authentication prompt, provide credentials of a global administrator
  2. In the Create AAD Application dialog box, click Yes to register an application in AAD

Administrator experience

The most interesting part of this post – in my opinion – is the administrator experience. New objects that are created and the relation between the different new objects and activities that an administrator can see. Below is an overview of a those objects and activities from a Configuration Manager perspective. Figure 2 and Figure 3 provide an overview of the new objects in the Configuration Manager administration console. The Cloud Attach Azure service and the application registration with the Azure Active Directory Tenants. Both of these objects are created when enabling device upload. The latter is a reference to the created app registration in Azure Active Directory.

Figure 4 and Figure 5 provide an overview of the objects that are being synchronized to Microsoft Endpoint Manager admin center. As I’ve selected that all device are synchronized, those figures show that my All Systems collections (9 members) relates to the number (6) found in CMGatewaySyncUploadWorker.log. That’s 9 objects minus the default objects of the unknown computer objects (2) and the provisioning device object.

Figure 6 provides an overview of the devices that are synchronized in the Microsoft Endpoint Manager admin center. In green it shows the ConfigMgr only devices (4) and in red it shows the co-managed devices (2). That brings the total the the 6 device objects that were synchronized.

Figure 7 and Figure 8 provide an overview of the device actions that become available for the synchronized devices. It shows the different locations of these actions for co-managed devices as well as for ConfigMgr only devices. At this moment the device actions of Sync machine policy, Sync user policy and App evaluation cycle are available.

Note: The user performing the actions via the Microsoft Endpoint Manager admin console need to have the appropriate permissions within Configuration Manager.

More information

For more information about enabling device upload in Configuration Manager, please refer to the documentation about Microsoft Endpoint Manager tenant attach: Device sync and device actions.

Changing the primary user of Windows devices

This week is all about the primary user of a Windows device. More specifically about the recently introduced functionality to change or remove the primary user of a Windows device. The primary user is used within Microsoft Intune to map a licensed user to a device. Changing the primary user enables the administrator to switch the primary user of a device from one user to another user, or to switch a device without an assigned primary user (shared device) to a specific user. Besides that, removing the primary user enables the administrator to switch a device from a specific user to a shared device. In this post I’ll start with a short introduction about the primary user (and shared devices), followed by actually changing the primary user. The steps for changing the primary user manually and the places to look at in the Microsoft Graph API for automating the steps.

Introduction to the primary user

Before looking at the possibilities of changing or removing a primary user, it’s good to understand the usage and default configuration of the primary user of a Windows device. That’s why it’s good to start with a short introduction. The primary user is used within Microsoft Intune to map a licensed user to a device. That enables the user to see the device in the Company Portal app and the Company Portal website, and also enables the user to perform self-service actions on that device. Besides that, it helps the administrator when troubleshooting and supporting users.

When a device has no primary user assigned, the Company Portal app detects it as a shared device. Shared devices can be identified with a “shared” label appearing on the device tile in the Company Portal app. On a shared device, the Company Portal app can still be used to request and install available apps. However, self-service actions aren’t available. By removing the primary user of a device, the device is configured to operate in shared mode.

Microsoft Intune automatically adds the primary user to the Windows device during, or soon after, the enrollment of the device. The table below, based on the table in my post about Windows 10 enrollment methods, provides an overview of the user that is added as primary user to the device. When the user performs the enrollment, the primary user is added during enrollment, and when the device is automatically enrolled, the primary user is added during sign in.

Enrollment methodOwnershipPrimary user
Bring Your Own DevicePersonalUser that performs enrollment
Azure AD joinCorporateUser that performs enrollment
Windows AutopilotCorporateUser that performs enrollment
Device Enrollment ManagerCorporateNone
Provisioning packageCorporateNone
Co-managementCorporateFirst user that signs in
Group PolicyCorporateFirst user that signs in

Note: Keep in mind that Windows Autopilot contains multiple scenarios, including a scenario without user interaction. In that case no primary user is assigned.

Changing the primary user

Just before looking at the actual steps of changing the primary user of a Windows device, it’s good to go through a few notes about changing the primary user.

  1. Changing the primary user can take up to 10 minutes to be reflected.
  2. Changing the primary user is currently not possible on co-managed devices.
  3. Changing the primary user does not make any changes on the local device (the local group membership are not adjusted).
  4. Changing the primary user doesn’t change the “Enrolled by” user.
  5. Changing the primary user doesn’t affect the assigned user in Windows Autopilot.

Now let’s have a look at the steps for changing the primary user of a Windows device in the Microsoft Endpoint Manager admin center portal. After looking at the manual steps, I’ll also have a quick look at the Graph API for automating these steps. The steps for removing the primary user are similar and just one click away. When following the four steps below for changing the primary user of the Windows device, the steps for removing the primary user will also become clear (during step 2).

Note: To change the primary user of a Windows device, the administrators should be at least Intune Administrator, Help Desk Operator, School Administrator, or Endpoint Security Manager.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Windows devices > {DeviceName} > Properties to open the {DeviceName}|Properties blade
  2. On the {DeviceName}|Properties blade, select Change primary user to open the Select primary user blade
  1. On the Select primary user blade, select a user and click Select to return to the {DeviceName}|Properties blade
  2. On the {DeviceName}|Properties blade, click Save

For automation purposes, it might be better to know how to automate the primary user configuration. That can be achieved by using the managedDevices object in the Graph API.

https://graph.microsoft.com/beta/deviceManagement/managedDevices('{managedDeviceId}')/users/$ref

Below is an example of a JSON that should be used for adding a primary user. To create the relationship between the mangedDeviceId and the userId, the JSON contains OData data.

@odata.id: "https://graph.microsoft.com/beta/users/{userId}"

Keep in mind that at the moment of writing this article the required properties are only available in the BETA version of the API and production use is not supported.

More information

For more information about primary users of Windows devices, refer to the following articles:

Managing local administrators via Windows 10 MDM

This week is all about managing local administrators via Windows 10 MDM by using restricted groups. There has been many requests for a post like this after I wrote this post about creating local user accounts. And I have to admit that this post has been on my backlog for a long time. Better late than never, I think. Also, I’m definitely not the first to write about this subject, but I do think that I have some new insights that can be really helpfull. In this post I’ll start with an overview of the options for configuring local administrators on Azure AD joined (and Microsoft Inune managed) devices and reasons for using restricted groups, followed by the steps for configuring restricted groups. I’ll end this post by looking at the end-user experience.

Overview

When discussing the local administrators on Azure AD joined devices, it’s often about the Global administrator role and the Device administrator role. These roles are by default local administrator on Azure AD joined devices. Users can be added to the Global administrator role like any other administrator role. Adding users to the Device administrator role, however, is a different configuration. Users can be added by configuring additional local administrators on Azure AD joined devices. These two roles have one thing in common and that is that those roles apply to all Azure AD joined devices. No exceptions. However, there might be scenarios in which it’s required to limit the local administrators on a device, or scenarios in which it’s required to differentiate the additional local administrators for different groups of devices.

Another option to manage local administrator on Microsoft Intune managed devices – which are often also Azure AD joined – is by using restricted groups. For this it’s possible to use the RestrictedGroups section in the Policy CSP. That contains a single node that can be used for adding local administrators (or for adjusting any other existing local group). When specifically looking at managing local administrators, make sure to keep the following in mind:

  • By using restricted groups, the provided local administrators will replace the existing local administrators.
  • By using restricted groups, which is a configuration node of the Policy CSP, the provided local administrators will be reapplied, within 8 hours, when changed by the user (behavior starting with Windows 10, version 1903).
  • The default local Administrator account must be part of the custom configuration, as it’s required for applying a custom configuration.
  • Every Azure AD joined device contains two SIDs (one representing the Global administrator role and one representing the Device administrator role) that are by default part of the local administrators.

Note: By default, on Azure AD joined devices, the user joining the device to Azure AD is also local administrator on the device.

Configuration

By knowing the available configuration options and the different configurations it’s time to look at the configuration steps. The five steps below walk through the configuration. Throughout those configuration steps, I’ll provide the required information regarding the OMA-URI and the XML-value that should be configured.

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Devices > Windows > Configuration profiles to open the Windows | Configuration profiles blade
  2. On the Windows | Configuration profiles blade, click Create profile to open the Create a profile blade
  3. On the Create a profile blade, provide the following information and click Create to open the Create profile blade
  • Platform: Windows 10 and later
  • Profile type: Custom
  1. On the Create profile blade, select Settings to open the Custom OMA-URI Settings blade
  2. On the Custom OMA-URI Settings blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade)
  • Name: Provide a valid name
  • Description: (Optional) Provide a valid description
  • OMA-URI: ./Vendor/MSFT/Policy/Config/RestrictedGroups/ConfigureGroupMembership
  • Data type: Select String
  • Value: The value should be an XML. That XML should contain a groupmembership-element and that groupmembership-element should contain an accessgroup-element. That accessgroup-element contains the local group that should be adjusted and that accessgroup-element contains member-elements that contain the users that should be added to the local group. For an example see the XML below.

Note: The RestricedGroups section can be used to add members to any local group on a device.

<groupmembership>
	<accessgroup desc = "Administrators">
		<member name = "Administrator" />
		<member name = "AzureAD\pvanderwoude@petervanderwoude.nl" />
		<member name = "AzureAD\tvanderwoude@petervanderwoude.nl" />
		<member name = "S-1-12-1-2091167666-1329275207-1706997396-915002206" />
		<member name = "S-1-12-1-2447031348-1225114094-1633491097-1064162478" />
	</accessgroup>
</groupmembership>

End-user experience

Now let’s end by having a look at the end-user experience. The best place to look is in the Properties of the Administrators group. That group should reflect the provided configuration, as shown in Figure 4.

This configuration is the most common to be used when the primary user of the device is not a local administrator. A method to provide additional support to the end-user, without the requirement of adding that specific account as a local administrator on all devices.

It’s also good to keep in mind that starting with Windows 10, version 1903, the settings of the Policy CSP actually refresh. When, for whatever reason, the configuration of the local administrators was adjusted, the configuration will refresh within 8 hours. The next device check-in will take care of that.

Another place for verifying the configuration, would be to look at MDM Diagnostic Report. That report will show an overview of the RestrictedGroups setting configuration.

More information

For more information about managing local administrators, refer to the following articles:

.

Using bulk actions for renaming Windows devices

A few months ago, I did a blog post about the different ways of renaming Windows 10 devices. This week is a follow-up on that post, as it will also be about renaming Windows devices. This time it’s about using the recently introduced functionality to perform Bulk actions on devices. Those Bulk actions include the action to rename Windows 10 devices in bulk. That Bulk action is also available as a single action on a device and is currently not available for hybrid Azure Active Directory joined devices, nor available for co-managed devices. In this post I’ll show how to perform this action by using the Microsoft Endpoint Manager admin center, followed by using the Microsoft Graph Explorer. I’ll end this post by showing an example using PowerShell and the Microsoft Graph API.

Rename Windows devices using the Microsoft Endpoint Manager admin center

Now let’s start by having a look at using a Bulk action for renaming a Windows 10 device by using the Microsoft Endpoint Manager admin center. This method is – in my opinion – always the first step towards automating an action. The following 9 steps walk through the Bulk action for renaming Windows 10 devices. While performing these steps make sure to use Microsoft Edge and to turn on the Developer tools (Ctrl + Shift + I), as that will help with identifying the Graph request that should be used for automation purposes.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices All devices > Bulk Device Actions to open the Bulk device actions blade
  2. On the Basics page, provide the following information (see Figure 1) and click Next
  • OS: Select Windows
  • Device action: Select Rename
  • Enter new name: Provide a new naming conform the provided guidelines
  1. On the Devices page, click Select devices to include to select the devices to rename and click Next
  2. On the Review + create page, review the provided information and click Create

Verify request information using the Microsoft Graph Explorer

When following the Bulk action via the Network trace in the Developer tools, it shows the executeAction action that will perform the actual action. The most relevant parts of that action are shown below, as Figure 2 shows the request URL and Figure 3 shows the request payload. That combination is needed for automation purposes.

A closer look shows that the executeAction action is used as the request location to post the request.

https://graph.microsoft.com/beta/deviceManagement/managedDevices/executeAction

That request requires a request body to supply a JSON representation of the different properties. A closer look at that JSON payload shows the properties action, actionName, deviceIds, deviceName, platform, realAction and restartNow. The good thing is that these properties are pretty self explanatory, especially in combination with the action that was performed to retrieve this information. It’s good to specifically point out that the deviceIds property is an array that can currently contain up to a 100 devices and that the deviceName property should contain the naming format for the different applicable devices.

{
	action: "setDeviceName",
	actionName: "setDeviceName",
	deviceIds: ["d8cd02c1-9443-4ad0-8681-937c2e6d7607"],
	deviceName: "CLDCLN%RAND:2%",
	platform: "windows",
	realAction: "setDeviceName",
	restartNow: false
}

The next step toward automating this Bulk action is by trying the correct request URL and request payload via the Microsoft Graph Explorer, as that’s an easy method to try Graph API requests. Simply sign-in, change the action to POST, add the request URL, add the request payload (as shown in Figure 4) and click Run Query.

Note: The application requires the scope DeviceManagementManagedDevices.PrivilegedOperations.All.

Running the query will return a bulkManagedDeviceActionResult result type. That result type provides a JSON representation of the status properties. Those status properties include successfulDeviceIds, failedDeviceIds, notFoundDeviceIds and notSupportedDeviceIds. The good thing is that these properties are also pretty self explanatory. A simple method to verify this behavior is by throwing in some random deviceIds. Those deviceIds should end up as part of the notFoundDeviceIds.

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.bulkManagedDeviceActionResult",
    "successfulDeviceIds": [
        "d8cd02c1-9443-4ad0-8681-937c2e6d7607"
    ],
    "failedDeviceIds": [],
    "notFoundDeviceIds": [],
    "notSupportedDeviceIds": []
}

Rename Windows devices using PowerShell and the Microsoft Graph API

After verifying the request URL and the request payload, the last step toward automating this Bulk action is putting it all together in a PowerShell script. I’m going to provide a really simple example that would still require administrator interaction, but does show how it can be achieved. That example is shown below and basically performs the following actions:

  • Install the PowerShell SDK for Microsoft Intune Graph API (if it’s not installed).
  • Connect with the Graph API, which will prompt the administrator for credentials.
  • Set the required variables for the request URL and the request payload.
  • Invoke the Graph API request with the configured variables.
#Install PowerShell SDK for Microsoft Intune Graph API
If ((Get-Module Microsoft.Graph.Intune) -eq $null) {
    Install-Module -Name Microsoft.Graph.Intune
}

#Connect to Microsoft Graph
$ConnectGraph = Connect-MSGraph

#Set the request URL
$URL = "https://graph.microsoft.com/beta/deviceManagement/managedDevices/executeAction"

#Set the JSON payload
$JSONPayload = @"
{
	action: "setDeviceName",
	actionName: "setDeviceName",
	deviceIds: ["d8cd02c1-9443-4ad0-8681-937c2e6d7607"],
	deviceName: "CLDCLN%RAND:2%",
	platform: "windows",
	realAction: "setDeviceName",
	restartNow: false
}
"@

#Invoke the Microsoft Graph request
Try {        
    Invoke-MSGraphRequest -HttpMethod POST -Url $URL -Content $JSONPayload -Verbose -ErrorAction Stop
}
Catch {
    Write-Output "Failed to rename the Windows devices"
} 

When the PowerShell script was successfully executed it will also return the bulkManagedDeviceActionResult result type, as shown in Figure 5. Simple improvements to this PowerShell script would be to remove the administrator interaction, add the deviceIds to a variable and query for the required devices.

More information

For more information about renaming Windows devices and , refer to the following articles:

Using policy sets to group objects

This week is all about Policy sets in Microsoft Intune. Policy sets are introduced a few months ago and enable administrators to group management objects that need to be identified and assigned as a single object. That can help with simplifying the administration of the environment. A Policy sets can be a group of almost all different object that are available within Microsoft Intune. That includes objects for different platforms within the same Policy sets. This enables an administrator to use Policy sets for a lot of different use case, from creating a standard for a specific user type to creating a standard set of apps for all users. In this post I’ll walk through the configuration steps and through the different steps I’ll describe the available options and challenges. I’ll end this post with some notes about the assignment of a Policy set.

Creating policy sets

Now let’s have a closer looking at Policy sets by walking through the configuration. The following 9 steps walk through the creation of a Policy set and the different options.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices Policy sets to open the Policy sets blade
  2. On the Policy sets blade, select Policy sets and click Create to open the Create a policy set wizard
  3. On the Basics page, provide the following information (see Figure 1) and click Next: Application management
  • Policy set name: Provide a valid name for the Policy set
  • Description: (Optional) Provide a description of the Policy set
  1. On the Application management page, provide the following information (see Figure 2) and click Next: Device management
  • Apps: Click Select apps to add apps to the Policy set. That can be an iOS/iPadOS store app, an iOS/iPadOS line-of-business app, a Managed iOS/iPadOS line-of-business app, an Android store app, an Android line-of-business app, a Managed Android line-of-business app, an Office 365 ProPlus Suite (Windows 10), a Web link, a Built-in iOS/iPadOS app, or a Built-in Android app. That also means that a Windows app (Win32) is currently not supported. After adding an app to the Policy set, the assignment type can also be configured.
  • App configuration policies: Click Select app configuration policies to add app configuration policies to the Policy set.
  • App protection policies: Click Select app protection policies to add app protection policies to the Policy set. That can be an APP targeted at managed Windows devices, an APP targeted at managed iOS/iPadOSOS devices, an APP targeted at managed Android devices, an APP targeted at unmanaged iOS/iPadOSOS devices, or an APP targeted at unmanaged Android devices. That also means that APP targeted at unmanaged Windows devices are not supported.
  1. On the Device management page, provide the following information (see Figure 3) and click Next: Device enrollment
  • Device configuration policies: Click Select device configuration policies to add device configuration policies to the Policy set.
  • Device compliance policies: Click Select device compliance policies to add device compliance policies to the Policy set. Only the Android Enterprise device owner type policies are not available.
  1. On the Device enrollment page, provide the following information (see Figure 4) and click Next: Scope tags
  • Device type restrictions: Click Select device type restrictions to add custom device type restrictions to the Policy set.
  • Windows autopilot deployment profiles: Click Select Windows autopilot deployment profiles to add Windows autopilot deployment profiles to the Policy set.
  • Enrollment status pages: Click Select enrollment status page profiles to add custom enrollment status page profiles to the Policy set.
  1. On the Scope tags page, provide the following information (see Figure 5) and click Next: Assignments
  • Scope tags: Click Select scope tags to add custom scope tags to the Policy set.
  1. On the Assignments page, provide the following information (see Figure 6) and click Next: Review + create
  • Included groups: Click Select groups to include to include groups to the assignment of the Policy set.
  • Excluded groups: Click Select groups to exclude to exclude groups from the assignment of the Policy set
  1. On the Review + create page, verify the following information and click Create

After going through the configuration of a Policy set it’s good to note that security baselines are not part of a Policy set configuration. The guided scenario Try out a cloud-managed PC also creates a policy set to group the different objects that are created during the guided scenario and that are supported as being a part of the guided scenario. That scenario also creates a security baseline assignment that is not part of the created Policy set. Guided scenarios are available on the Home page of the Microsoft Endpoint Manager admin center.

For automation purposes, it might be better to know how to automate the device type restriction configuration. That can be achieved by using the policySet object in the Graph API.

https://graph.microsoft.com/beta/deviceAppManagement/policySets

Assignment notes

Let’s end this post with some notes about the assignment of a Policy set. The following should be kept in mind when creating the assignment for the Policy set.

  • The different non-Windows app protection policies (APP) do not support an assignment via a Policy set. In that case the group will be added as a direct assignment. Those assignments will not be deleted when the assignment of the Policy set is removed.
  • The different APPs do not support an assignment to All users or All devices
  • A Windows autopilot deployment profile does not support an assignment to All users
  • An Enrollment status page profile does not support the assignment of virtual groups (All users, All devices or All user & All devices)
  • An Device type restriction profile does not support the assignment of virtual groups (All users, All devices or All user & All devices)

When the assignment of the Policy set is created it will show as a specific assignment with the different objects that are part of the Policy set (as shown in Figure 8).

More information

For more information about using policy sets for managing groups of objects in Microsoft Intune, refer to the documentation about Use policy sets to group collections of management objects.

Configure FIDO2 security key restrictions

This week is all about FIDO2 security keys. More specifically about configuring FIDO2 security key restrictions to make sure that users can only use specific FIDO2 security keys, or to prevent users from using specific FIDO2 security keys. That makes this blog post a follow up on this post about enabling password-less sign-in with security keys. In this post I’ll provide a short introduction about the FIDO2 security key AAGUID (and how to find it), followed by the steps to configure the FIDO2 security key restrictions. I’ll end this post by looking at the end-user experience.

FIDO2 security key AAGUID

According to the FIDO2 specification each authenticator should provide an Authenticator Attestation GUID (AAGUID) during attestation. An AAGUID is a 128-bit identifier that indicates the type (for example make and model) of the authenticator. The AAGUID should be identical across identical authenticators that are created by the same manufacturer, and should be different from the AAGUID of authenticators of different types and different manufacturers. To ensure this, the AAGUID is randomly generated.

The AAGUID of a FIDO2 security can be used to configure restrictions for the end-users, by either only allowing specific FIDO2 security keys based on their AAGUID or by only blocking specific FIDO2 security keys based on their AAGUID. To help with that some manufactures (like Yubico) provide a complete list of the AAGUIDs of their FIDO2 security keys.

When this information is not easily available, it’s possible to find the AAGUID by using the get_info.py script that’s available in the Python-FIDO2 library provided by Yubico. That script can make the device WINK, which will provide the information about the FIDO2 security that includes the AAGUID. Below (in Figure 1) is an example of FIDO2 security key that is sending a WINK. The information provided when sending the WINK includes the AAGUID and on some devices also the FIDO2 security key name and model.

Another method to retrieve the AAGUID of a FIDO2 security key is to register the security key as a sign-in method. That can be achieved via the Security method section of My account. After registering the security key, the AAGUID can be found with the security key as shown below in Figure 2.

Below is an overview of the FIDO2 security keys that I’ve had available during testing, including their AAGUID.

FIDO2 security keyFIDO2 AAGUID
Yubikey 5 NFC (Firmware version: 5.1.x)fa2b99dc9e3942578f924a30d23c4118
Yubikey 5C (Firmware version: 5.1.x)cb69481e8ff7403993ec0a2729a154a8
Feitian ePass FIDO-NFC Security Key K9ee041bce25e54cdb8f86897fd6418464
Feitian BioPass FIDO2 Security Key K2677010bd7212a4fc9b236d2ca5e9d4084
Feitian BioPass FIDO2 Security Key K2777010bd7212a4fc9b236d2ca5e9d4084
Feitian BioPass FIDO2 Security Key K3312ded7454bed47d4abaae713f51d6393
eWBM Goldengate Security Key G31095442b2ef15e4defb270efb106facb4e
eWBM Goldengate Security Key G32087dbc5a14c944dc88a4797d800fd1f3c

Configuring FIDO2 security key restriction

The configuration steps are pretty straightforward and can be achieved by adjusting the FIDO2 Security Keys authentication method. That can be achieved by performing the 3 steps mentioned below. Those steps are fully focussed on configuring the KEY RESTRICTION POLICY. When the FIDO2 Security Keys authentication method is not yet enabled, make sure to also perform the required actions for that. In other words, make sure to enable the authentication method and configure the target of the authentication method.

  1. Open the Azure portal and navigate to Azure Active Directory Security > Authentication methods Authentication method policy (preview) to open the Authentication methods – Authentication method policy (preview) blade
  2. On the Authentication methods – Authentication method policy (preview) blade, select FIDO2 Security Key to open the FIDO2 Security Key settings section
  3. On the FIDO2 Security Key settings section, provide at least the following information (see also Figure 3 for an overview of the available options) and click Save
  • Enforce key restrictions: Select Yes
  • Restrict specific keys: Select Block to create a key restriction policy that will blacklist the specified AAGUIDs and select Allow to create a key restriction policy that will whitelist the specified AAGUIDs
  • Click Add AAGUID and specify the specific AAGUIDs that should be blocked (blacklisted) or allowed (whitelisted)

End-user experience

Let’s end this post by having a look at the end-user experience. When the end-user wants to register a security key (either not on whitelist, or on the blacklist), via the Security info section in My Profile, the end-user can walk through the complete process of adding another sign-in method. At the end of the process, the end-user will receive an error with the message that the particular key type has been blocked by the organization. The message doesn’t provide a list of supported security keys.

More information

For more information about password-less authentication deployment and password-less FIDO2 security keys, refer to the following articles:

Windows 10 enrollment methods

This week is all about Windows 10 enrollment methods. The different methods to enroll Windows 10 devices into Microsoft Intune. There are many different methods to enroll Windows 10 devices, which makes it easy to get lost. In this post I’ll provide an overview of these different enrollment methods, including the use case of the enrollment method and how to perform the enrollment. This post is definitely not a complete guide through the different enrollment methods. Its main purpose is to create awareness for the different enrollment methods and to describe the main characteristics of the enrollment methods.

The different enrollment methods

Now let’s discuss the different enrollment methods and their use cases. Before starting, it’s good to mention that I’m aware of the existence of the MDM only enrollment method. However, I don’t consider that as a valid option to enroll a device into Microsoft Intune, as that method doesn’t register the device in Azure AD. And that provides many challenges, for example with conditional access. When discussing the different enrollment methods, I’ll try to group those methods were possible and I’ll try to mention the differences.

Bring Your Own Device (BYOD)

Description: The Bring Your Own Device (BYOD) method enables the user to enroll a personal device into Microsoft Intune by using the Settings panel and adding a Work and School account. That action will trigger the flow to register the device in Azure AD and that will also automatically enroll the device into Microsoft Intune.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1). Keep in mind that within the auto-enrollment configuration, the administrator can also configure MAM enrollment. When the MDM and MAM enrollment is configured for a user, the MAM enrollment takes precedence for personal devices.

Example scenario: This can be useful for Bring Your Own Device (BYOD) scenarios. The device will be enrolled as a personal device.

Azure AD join (with auto enrollment)

Description: The Azure AD join method enables the user to enroll a corporate-owned device into Microsoft Intune, similar to enrolling a personal device – by using the Settings panel and adding a Work and School account – the user can also choose to join the device to Azure AD. That option will become available during the same configuration flow. The user has to specifically choose to join Azure AD during that flow (as shown in Figure 2). This same behavior can also be triggered during the Out-Of-the-Box-Experience (OOBE). That can be achieved by setting the device up for an organization. That will trigger the flow to Azure AD join the device.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1).

Example scenario: This can be useful for Choose Your Own Device (CYOD) scenarios. The device will be enrolled as a corporate-owned device.

Windows Autopilot

Description: The Windows Autopilot method enables users to easily enroll corporate-owned devices. Windows Autopilot can be used to automate the Azure AD Join and directly enroll corporate-owned devices into Microsoft Intune. This method simplifies the OOBE – as mentioned with the Azure AD join method – as it will automatically add the device to AD or Azure AD and directly enroll the device into Microsoft Intune.

Important requirements: This requires that the device should be added in Microsoft Intune as Windows Autopilot devices (as shown in Figure 5) and specific Windows Autopilot profiles should be created to control the behavior and the OOBE.

Example scenario: This is useful in scenarios when handing out devices to users without the need to build, maintain, and apply custom operating system images to the devices. The device will be enrolled as a corporate-owned device.

Device Enrollment Manager (DEM)

Description: The Device Enrollment Manager (DEM) method enables the administrator to enroll multiple corporate-owned devices. The DEM account is a special account with permissions to enroll and manage multiple (up to 1000) corporate-owned devices. That enables a bulk enrollment method for non-personal corporate-owned devices. The enrollment can be achieved by following any of the flows to configure an Azure AD join.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1). Besides that the Device Enrollment Manager (DEM) should be configured (as shown in Figure 3) and make sure to keep the maximum number of devices that the user account can add to Azure AD matches.

Example scenario: This can be useful in scenarios where the device is enrolled and prepared before handing it out to the user of the device. The device will be enrolled as a corporate-owned device.

Provisioning package

Description: The provisioning package method enables the administrator to bulk enroll corporate-owned devices. A provision package can be used to add devices in bulk to Azure AD and automatically enroll those devices into Microsoft Intune. That provisioning package can be created by using the Windows Configuration Designer (as shown in Figure 4) and can be applied to corporate-owned devices. Once the package is applied, it’s ready for Azure AD users to sign in.

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1). Besides that make sure to keep the maximum number of devices that a user can add to Azure AD matches with the usage of the package.

Example scenario: This can be useful in scenarios where an authorized user joins large numbers of corporate-owned devices. The device will be enrolled as a corporate-owned device.

Co-management

Description: The co-management method enables administrators to automatically enroll corporate-owned devices. Co-management enables organizations to automatically enroll devices into Microsoft Intune. This requires the device to be managed with Configuration Manager and the enablement of co-management. Within the co-management configuration, the automatic enrollment in Microsoft Intune can be configured (as shown in Figure 6).

Important requirements: This requires that auto-enrollment is configured (as shown in Figure 1) and that the device is registered or joined to Azure AD (can be achieved via Client Settings).

Example scenario: This is useful in scenarios when the flexibility is still required to use the technology solution that works best for the organization. The device will be enrolled as a corporate-owned device.

Group Policy

Description: The Group Policy method enables administrators to automatically enroll corporate-owned devices. Group Policy enables organizations to automatically enroll devices into Microsoft Intune. The automatic enrollment is triggered by the Group Policy (as shown in Figure 7). That means that the device is always hybrid Azure AD joined.

Important requirements: This requires the device to registered in Azure AD.

Example scenario: This is useful in scenarios when mass-enrolling domain-joined devices.The device will be enrolled as a corporate-owned device.

An overview of the enrollment methods

Let’s end this post by providing short overview of the different enrollment methods and their most important characteristics that are mentioned in throughout this post. Those characteristics are the ownership registration of the device, the user affinity with the device and the user interaction with the device during the enrollment.

Enrollment methodOwnershipUser affinityUser interaction
Bring Your Own DevicePersonalYesYes
Azure AD joinCorporateYesYes
Windows AutopilotCorporateYesYes
Device Enrollment ManagerCorporateNoNo
Provisioning packageCorporateNoNo
Co-managementCorporateYesNo
Group PolicyCorporateYesNo

A couple of remarks with this table are that 1) Windows Autopilot contains multiple scenarios, including scenarios without user interaction and that 2) methods without user affinity provide challenges with conditional access.

More information

For more information about configuring Windows 10 enrollment methods, refer to the following docs:

Controlling Windows 10 feature updates

This week is all about controlling Windows 10 feature updates. A couple of months ago a new policy type was introduced to control Windows 10 feature updates. And even more recent, support for Windows Autopilot devices was added to that policy type. That latest addition was the trigger for this blog post. In this post I’ll start with a short introduction about the different options for controlling Windows 10 feature updates, followed by more details about the Windows 10 feature updates policy. I’ll end this post by looking at the configuration options.

Introducing the control options for Windows 10 feature updates

Now let’s with an introduction about the options to control Windows 10 feature updates by using Microsoft Intune. I’m deliberately naming it controlling – and not managing – as it’s more controlling the (pace of the) installation of Windows 10 feature updates. I see managing more as being in full control of the Windows 10 (feature) updates on a device. Via Microsoft Intune it’s possible to utilize Windows Update for Business to simplify the Windows 10 update management experience in general. Utilizing Windows Update for Business is focused more on controlling the Windows 10 updates cycle, instead of approving individual updates for (specific) devices. Controlling the Windows version and controlling the installation of the quality and security updates.

It’s also good to keep in mind that Microsoft Intune only stores the policy assignments and not the updates themselves. Windows 10 devices will access Windows Update directly for the updates itself. Within Microsoft Intune the following policy types are provided to control updates:

  • Windows 10 update rings: The Windows 10 update rings policy is a collection of settings that configures setting to control when Windows 10 updates get installed. This policy type already exists for a while and enables administrators to create update rings that specify how and when Windows 10 devices should be updated with feature and quality updates. As long as the latest update is installed, the Windows 10 devices are up to date.
  • Windows 10 feature updates: (Currently public preview) The Windows 10 feature updates policy brings devices to the specified Windows version and freezes the feature set on those devices until the administrator chooses to update them to a later Windows version. While the feature version remains static, devices can continue to install quality and security updates that are available for their feature version.

As the Windows 10 feature updates policy is a new feature, the remainder of this post will focus on that feature.

Introducing the Window 10 feature updates policy

A Windows 10 feature updates policy is a pretty simplistic policy – from a configuration perspective – to control the Windows 10 feature updates on a device. When a device receives a Windows 10 feature updates policy, the device will update to the Windows version that is configured in the policy. When a device is already running a later Windows version then the Windows version that is configured in the policy, that device remains on its current Windows version. The device will not downgrade to a previous Windows version.

During the period that the Windows 10 feature updates policy is assigned to the device, the device will basically freeze on the configured Windows version (unless – as previously mentioned – the device is already running a later Windows version). That also provides the administrator more flexibility for controlling the Windows version of the device. With a Windows 10 update rings policy the administrator was limited in controlling the timeframe that a device could stay on a specific Windows version. The administrator could defer the period when the device would install a new feature update with 365 days and then pause the update assignment for another 35 days, but that was it. The Windows 10 feature updates policy actually freezes the device to the configured Windows version until the administrator modifies or removes the assigned policy.

The assigned Windows 10 feature updates policy only controls the feature updates on the device. That means that while the installed Windows version is frozen, the device can still receive and install quality and security updates for their installed Windows version. These updates will apply for the duration of support for the installed Windows version.

Limitations for the Windows 10 feature updates policy

Before looking at the current prerequisites and the configuration steps of a Windows 10 feature updates policy, it’s good to be familiar with the current limitations of this policy type.

  • When deploying a Windows 10 feature update policy to a device that also receives a Windows 10 update rings policy, the following configurations should be in place within the configured update ring:
    • The Feature update deferral period (days) setting must be set to 0.
    • The feature updates of the Windows 10 update rings policy must be running.
  • Windows 10 feature update policy cannot be applied during the Windows Autopilot process, instead the policy will apply at the first Windows Update scan after a device has finished provisioning (which is typically a day).

Also, keep in mind that this is still preview functionality. It might behave different than expected in some scenarios. At the time of writing this post I’ve seen scenarios in which this policy type might not work correctly when skipping a Windows version.

Prerequisites for the Windows 10 feature updates policy

When starting with the implementation of a Windows 10 feature updates policy, the following prerequisites must be met – at this moment – by the assigned devices to guarantee the described behavior.

  • The device must be running Windows 10 version 1703 or later
  • The device must be enrolled in Microsoft Intune and should be Azure AD joined or Azure AD registered.
  • The device must have telemetry turned on, with a minimum setting of Basic.

Configuring the Windows 10 feature updates policy

The configuration of the Windows 10 feature updates feature is actually pretty straight forward and doesn’t require a lot of configuring. The following 5 steps walk through the configuration of the Windows 10 feature updates feature and all the available configuration options.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices Windows > Windows 10 feature updates to open the Windows – Windows 10 feature updates blade
  2. On the Windows – Windows 10 feature updates blade, click Create profile to open the Create feature update deployment wizard
  3. On the Deployment settings page, provide the following information and click Next
  • Name: Provide a valid name for the Windows 10 feature updates deployment
  • Description: (Optional) Provide a description for the Windows 10 feature updates deployment
  • Feature update to deploy: Select the Windows 10 version that should stick on the devices (current options are Windows 10 1803, Windows 10 1809, Windows 10 1903 and Windows 10 1909)
  1. On the Assignments page, click Select groups to include to assign the Windows 10 feature update deployment to a group of devices and click Next
  2. On the Review + create page, review the configuration of the Windows 10 feature update deployment and click Create

Administrator experience

Now let’s end this post by having a quick look at the administrator experience. Once the policy is assigned to the device, the device will check-in and install the Windows feature update according to the configured policy. The eventual result can be verified by navigating to Devices Windows > Windows 10 feature updates > [CreatedWindows10FeatureUpdatesPolicy] > End user update status. That report provides an overview of the assigned devices and their (feature) update status (as shown below).

More information

For more information about configuring updates in Microsoft Intune, refer to the documentation about Manage Windows 10 software updates in Intune.