Windows Autopilot self-deploying mode

This week a new blog post about Windows Autopilot. More specifically, Windows Autopilot self-deploying mode. Autopilot self-deploying mode is really useful for devices that are function specific, like for example kiosk devices. The biggest benefit is that a device with a wired network connection (with Internet) can be completely configured without any user interaction. Simply connect the device to the wired network and power it on! Real zero touch provisioning! In this post I’ll provide the configuration steps to create that experience, followed by some known errors and the end-user experience.

Configuration

Let’s start with a few important requirements and limitations:

  • The device must run Windows 10, version 1809 or later;
  • The device can only be Azure AD joined (Active Directory join is not supported);
  • The device must be a physical device with TPM 2.0 (virtual machine is not supported);

Now let’s continue by looking at the available configuration options. In this case I’ll look at the different available configurations options and the related impact of those configuration options. The following four steps walk through the steps to get create a new Windows Autopilot self-deploying profile (including the available settings). That deployment profile can be assigned to an Azure AD group that contains devices.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows Autopilot Deployment Program section to open the Windows Autopilot deployment profiles blade;
3 On Windows Autopilot deployment profiles blade, select Create profile to open the Create profile blade;
4a

WA-SD-CreateProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a unique name for the Windows Autopilot deployment profile;
  • Description: (Optional) Provide a description for the Windows Autopilot deployment profile;
  • Convert all targeted devices to Autopilot: Select Yes to automatically convert Intune managed devices to Autopilot;
  • Deployment mode: Select Self-Deploying (preview), as that deployment mode provides the functionality that is needed for this post;
  • Join to Azure AD as: Azure AD joined is selected by default and grayed-out, as it’s the only configuration option supported for Windows Autopilot self-deploying devices;
  • Out-of-box experience (OOBE): See 4b.

Note: The Self-Deploying (preview) deployment mode, defines the available Azure AD settings and the available out-of-box experience (OOBE) settings.

4b

On the Out-of-box experience (OOBE) blade, provide the following information and click Save.

  • Language (Region): Select the Language that should be automatically configured during the Windows Autopilot self-deploying experience. This configuration will only be performed when the device is on a wired network connection (with Internet);
  • Automatically configure keyboard: Select Yes to automatically configure the keyboard based on the selected Language. This setting is only available when a Language is configured and this configuration will only be performed when the device is on a wired network connection (with Internet);
  • End user license agreement (EULA): Select Hide to hide the EULA during the Windows Autopilot self-deploying experience;
  • Privacy Settings: Select Hide to the hide the privacy settings during the Windows Autopilot self-deploying experience;
  • Hide change account options: Select Hide to hide the change account options during the Windows Autopilot self-deploying experience;
  • User account type: Select Standard to only make any user on the device a standard user. With the exception of global administrators and company administrators;
  • Apply computer name template (Windows Insider Only): Create a computer name, according to the configured template, for devices at initial startup;
WA-SD-OOBE

Note: The Autopilot settings can only be downloaded when a network connection is in place. That’s the reason why a wired network connection should be in place. When a wired network connection is not available, it’s required to configure the region, the keyboard and a Wi-Fi.

Known errors

During the testing of Windows Autopilot self-deploying, I ran into multiple errors. More information about an error can always be found in the Event Viewer, at Application and Services Logs > Microsoft > Windows > Provisioning-Diagnostics-Provider > AutoPilot (thank you for the reminder Sandy!). The errors that I’ve seen on screen are documented and explained in the table below. If you’ve seen errors that are not on this list, let me know and I’ll add them.


Error Description
0x800705B4 This error means that the device is either a virtual machine, or does not have TPM 2.0, and is not capable of running Autopilot self-deploying.
0x801c03ea This error means that the device is TPM 2.0 capable, but that the TPM still needs to be upgraded from 1.2 to 2.0.
0xc1036501 This error means that the device cannot do an automatic MDM enrollment, because there are multiple MDM configurations in Azure AD.

End-user experience

As always, let’s end this post by having a look at the end-user experience. The end-user experience will provide a welcome message (see below) after receiving the Autopilot deployment profile and an automatic restart. An easy differentiation between the Autopilot user-driven experience and the Autopilot self-deploying experience, besides the interaction, is the logo that’s used. At this moment the Autopilot user-driven experience uses the square logo of the Azure AD company branding and the Autopilot self-deploying experience uses the banner logo of the Azure AD company branding.

20181104_165048

Note: From and administrator perspective, an Autopilot self-deploying device can be easily recognized by the Management name of the device. It contains a GUID instead of a username.

More information

For more information about enrolling Windows devices by using Windows Autopilot self-deploying mode, please refer to the documentation named Windows Autopilot Self-Deploying mode.

Automagically convert Intune managed devices to AutoPilot

Tweet-AutoPilotThis week a short blog post about my tweet of a bit more than a week ago. In that tweet I mentioned a new easy method to automagically convert Intune managed devices to AutoPilot. That method makes some scenarios a whole lot easier. Like for example what I did in this post to get the AutoPilot device information of Intune managed devices. That type of custom scripting is not needed anymore!

As I got many reactions to that tweet, mainly related to the location of that configuration, I thought it would be good to make a short post describing the configuration option and the expected behavior. In this post I’ll provide the steps to make this configuration and I’ll describe the expected behavior. There is no real end-user or administrator experience to show for this configuration. So, no section related to that. I’ll do explain the the expected behavior in the introduction.

Introduction

Let’s start with a short introduction about the mentioned configuration option. That configuration option is the Convert all targeted devices to AutoPilot setting. By default an AutoPilot deployment profile is only applied to already existing AutoPilot devices and doesn’t apply to non-AutoPilot devices. Configuring the Convert all targeted devices to AutoPilot setting to Yes will automagically convert all devices in the assigned group to AutoPilot. This is a one-time conversion that also works for co-managed devices. That also means that removing the AutoPilot profile will not remove the converted devices from AutoPilot. After conversion the devices can only be removed by using the Windows AutoPilot devices view. Keep in mind that it can take up to 48 hours for the conversion to be completed.

Configuration

Now let’s continue by having a look at the actual configuration. And in this case only the specific Convert all targeted devices to AutoPilot setting. The following four steps walk through the steps to get to the specific setting and are not meant to create a complete the Windows AutoPilot deployment profiles.

1 Open the Azure portal and navigate to Microsoft Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, select Deployment Profiles in the Windows AutoPilot Deployment Program section to open the Windows AutoPilot deployment profiles blade;
3 On Windows AutoPilot deployment profiles blade, either select Create profile or select [existing deployment profile] > Properties to open the Create profile blade or the [existing deployment profile] – Properties  blade;
4 On the Create profile blade or the [existing deployment profile] – Properties  blade, the setting Convert all targeted devices to AutoPilot must be switched to Yes (below is an example of the the [existing deployment profile] – Properties  blade, the Create profile blade looks similar) ;
MSIS-AutoPilot-Target

Note: There’s not a real easy method to see which devices are converted to AutoPilot. Those devices will show as any other imported device, without enrollment state. However, as the configuration is done via an AutoPilot deployment profile, the device is immediately assigned to a profile. Again, without creating any fancy configurations, like query based dynamic device groups.

More information

For more information about enrolling Windows devices by using Windows AutoPilot, please refer to the documentation named Enroll Windows devices by using the Windows Autopilot.

Join us at Experts Live Europe in Prague

b-B6v-rUA bit less than two weeks from now, October 25-26, Experts Live Europe will be in Prague. Together with my finest colleague, Arjan Vroege, I will deliver two sessions! And we hope to see you there!

Experts Live Europe is a Microsoft community conference with a focus on Microsoft cloud, datacenter and workplace management. During this conference, top experts from around the world present discussion panels, ask-the-experts sessions and breakout sessions and cover the latest products, technologies and solutions.

About our sessions

The maybe-not-that-sexy version of modern management – A true story –

In this session, we will take you into the real world of modern management. Modern management is a great buzzword and by now we all know the lovely story of modern management. We all know how it should work, but we often lack the real-world examples of organizations using modern management. During this session, we will show you how we internally deployed Windows 10 with Azure AD join and Intune management for over 10k devices. What choices did we make? Which challenges did we run into? Did we close all the gaps? We’ll try to answer these question. To conclude will also look at the available options right now and how they could have helped us. We will also have a couple of cool demos. To provide a sneak preview, here is a small list with subjects that will be part of our session: Win32 apps, MSIX and Windows AutoPilot.

Thursday Friday 2:40 PM – 3.40 PM

Create your ultimate hybrid workplace, what options do you have?

During this session we will take you into the world of the hybrid workplace. The modern workplace is a great story, for cloud only organizations, but the reality is often that there are a lot of components still on-premises. During this session we will touch the different delegate subjects from identity until apps and from management until connectivity. That means, a lot of ground to cover and a lot of choices to be made. Besides that we will have a couple of cool demos, here is a small list with a sneak preview of subjects that will be part of our session:  Pass-through authentication, Co-management, Win32 apps, MSIX and Azure AD Application Proxy.

Friday 8:00 AM – 9:00 AM

Make sure that you don’t miss these sessions!

Deploy customized Win32 apps via Microsoft Intune

Last week Microsoft announced the ability to deploy Win32 apps via Microsoft Intune during Microsoft Ignite. That takes away one of the biggest challenges when looking at modern management and Microsoft Intune. I know that I’m not the first to blog about this subject, but I do think that this subject demands a spot on my blog. Besides that, I’ll show in this post that the configuration looks a lot like deploying apps via ConfigMgr. Not just from the perspective of the configuration options, but also from the perspective of the configuration challenges when the installation contains multiple files. In this post I’ll show the configuration steps, followed by the end-user experience, when deploying a customized Adobe Reader DC app (including the latest patch).

Pre-process Win32 app

The first step in deploying Win32 apps via Microsoft Intune is using the Microsoft Intune Win32 App Packaging Tool to pre-process Win32 apps. Wrap the Win32 app. The packaging tool wraps the application installation files into the .intunewin format. Also, the packaging tool detects the parameters required by Intune to determine the application installation state.  After using this tool on apps, it will be possible to upload and assign the apps in the Microsoft Intune console. The following six steps walk through wrapping the Adobe Reader DC app, including some customizations and the latest patch.

1 Download the Microsoft Intune Win32 App Packaging Tool. In my example C:\Temp;
2 Create a folder that contains the Adobe Reader DC installation files (including the latest MSP and the MST that contains the customizations). In my example C:\Temp\AdobeReader;
3 Create an installation file that contains the complete installation command and place that file in the directory with the installation files. In my example I created an Install.cmd in C:\Temp\AdobeReader that contains msiexec /i “%~dp0AcroRead.msi” TRANSFORMS=”%~dp0AcroRead.mst” /Update “%~dp0AcroRdrDCUpd1801120063.msp” /qn /L*v c:\InstallReader.log ;
MSI-Win32-Explorer
Note: This method is similar to an easy method in the ConfigMgr world to make sure that the installation process would look at the right location for the additional files.
4 Open a Command Prompt as Administrator and navigate to the location of IntuneWinAppUtil.exe. In my example that means cd \Temp;
5 Run IntuneWinAppUtil.exe and provide the following information, when requested

  • Please specify the source folder: C:\Temp\AdobeReader;
  • Please specify the setup file: AcroRead.msi;
  • Please specify the output folder: C:\Temp
MSI-IWAU-start
Note: Even though I will use a command file to trigger the installation, it’s important to specify the MSI as setup file. That will make sure that, during the configuration in Microsoft Intune, the information will be preconfigured based on the information of the MSI.
6 Once the wrapping is done. The message Done!!! will be shown. In my example a file named AcroRead.intunewin will be created in C:\Temp.
MSI-IWAU-end

Note: It’s possible to use something like 7-Zip to open the created AcroRead.intunewin file. Besides content, that file contains a Detection.xml file that shows the detected information of the installation file.

Configure Win32 app

Now let’s continue by looking at the actual configuration steps, within Microsoft Intune, to configure the Win32 app. The following 17 steps walk through all the steps to configure the Win32 app, by using the .intunewin file. After configuring the app, make sure to assign the app to a user group.

1 Open the Azure portal and navigate to Intune > Client apps > Apps to open the Client apps – Apps blade;
2 On the Client apps – Apps blade, click Add to open the Add app blade;
3 On the Add app blade, select Windows app (Win32) – preview to show the configuration options and select App package file to open the App package file blade.
4 MSI-Win32-AppPackageFileOn the App package file blade, select the created AcroRead.intunewin as App package file and click OK to return to the Add app blade;
5 Back on the Add app blade, select App information to open the App information blade;
6

MSI-Win32-AppInformationOn the App information blade, provide at least the following information and click OK to return to the Add app blade;

  • Name: Adobe Acrobat Reader DC is pre-provisioned as name of the app;
  • Description: Provide a description of the app;
  • Publisher: Provide the publisher of the app;

Note: The remaining information regarding the Information URL, the Privacy URL, the Developer, the Owner, the Notes and the Logo is optional.

7 Back on the Add app blade, select Program to open the Program blade;
8 MSI-Win32-ProgramOn the Program blade, change the Install command to “Install.cmd”, verify the Uninstall command and click OK to return to the Add app blade;
9 Back on the Add app blade, select Requirements to open the Requirements blade;
10

MSI-Win32-RequirementsOn the Requirements blade, provide at least the following information and click OK to return to the Add app blade;

  • Operating system architecture: Select the applicable platforms;
  • Minimum operating system: Select a minimum operating system version;
11 Back on the Add app blade, select Detection rules to open the Detection rules blade;
12 On the Detection rules blade, select Manually configure detection rules and click Add to open the Detection rule blade.
13 MSI-Win32-DetectionRuleOn the Detection rule blade, select MSI as Rule type, verify the pre-provisioned MSI product code and click OK to return to the Detection rules blade;
14 Back on the Detection rules blade, click OK to return to the Add app blade;
15 Back on the Add app blade, select Return codes to open the Return codes blade;
16 MSI-Win32-ReturnCodesOn the Return codes blade, verify the preconfigured return codes and click OK to return to the Add app blade;
17 Back on the Add app blade, click Add to actually add app.

Note: The Intune Management Extension will be used for installing the Win32 app. That also means that the process regarding detection, download and installation, of the Win32 app, can be followed in the IntuneManagementExtension.log file.

End-user experience

Let’s end this post by looking at the end-user experience. The user will receive a notification that changes are required, followed by a notification that a download is in progress, followed by a notification about a successful installation. All three stages are shown below. After the last message, the Start Screen shows the newly installed Adobe Reader DC app. Also, in this case, the Desktop doesn’t show the default desktop icon, which I removed using the customization file (MST).

MSI-AAR-Desktop

More information

For more information about the Microsoft Intune Win32 App Packaging Tool, please refer to the GitHub location here.

Assign a user to a Windows AutoPilot device

This blog post uses capabilities that are added in Windows 10, version 1809, which is currently still in preview.

This week a short blog about another relatively new Windows AutoPilot feature. This week is all about assigning a specific user to a specific Windows AutoPilot device. That enables an administrator to directly assign a user to a Windows AutoPilot device. Assigning a user to a Windows AutoPilot device will make sure that the username will be pre-filled during Windows setup. It also lets the administrator set a custom greeting name, which will also be added during the Windows setup. In this post I’ll show the actual configuration steps, followed by the end-user experience.

Configuration

Before starting with the actual configuration steps, it’s important to name a few prerequisites.

  • Azure AD company branding is configured;
  • Device is running Windows 10, version 1809 or later;
  • User is Microsoft Intune licensed

When the prerequisites are in place, it’s time to start looking at the actual configuration. The following five steps walk through assigning a user to a Windows AutoPilot device.

1 Open the Azure portal and navigate to Intune > Device enrollment > Windows enrollment to open the Device enrollment – Windows enrollment blade;
2 On the Device enrollment – Windows enrollment blade, click Devices to open the Windows AutoPilot devices blade;
3 On the Windows AutoPilot devices blade, select the specific device (make sure to check the box) and click Assign user to open the Select user blade;
AP-AssignUser
4 On the Select user blade, select the specific user and click Select, which will open the Properties blade of the device;
5

AP-UserFriiendlyNameOn Properties blade of the device, provide the User Friendly Name and click OK to return to the Windows AutoPilot devices blade.

Note: This will provide a message like in this case “Awesome dude has ben successfully assigned to 3008-9109-1000-6969-987…

End-user experience

Now let’s end this post by looking at the end-user experience when using a user-driven deployment. After configuring the location and the keyboard, the user will get a personal welcome message. The message includes the configured custom user friendly name and the username will be preconfigured (as shown below). The user only needs to provide a password and click Next.

AP-UserExperience

Note: This experience does not work when used in combination with ADFS.

More information

For more information about assigning a user to a Windows AutoPilot device, please refer to the documentation Enroll Windows devices by using the Windows AutoPilot | Assign a user to a specific Autopilot device.

Software Center is getting close to awesome!

It’s almost been too long ago since I’ve done my latest post about Software Center. Luckily there are enough reasons introduced with Configuration Manager, version 1806,  to devote another blog post to Software Center, as Software Center is getting close to awesome. Yes, I deliberately say close to awesome, as we always need to leave options open for improvement. In this post I’ll focus on three great new additions to Software Center: 1) infrastructure improvements, 2) a custom tab and 3) maintenance windows.

No more application catalog website point and web service point required

Let’s start with the first and, in my opinion, best improvement related to Software Center. Starting with Configuration Manager, version 1806, available user-targeted apps can be made available in Software Center without using the application catalog website point and the application web service point. Both of these roles are no longer required. Software Center now relies on management points to get the information about available user-targeted apps. This also implies that the agent must be updated to provide the new functionality.

I’ve removed both of the mentioned roles. To completely clean up the configuration, especially from a Software Center perspective, also the Open the Application Catalog web site link must be removed (or actually be hidden) from Software Center. Otherwise it will still show a gray unneeded text. To achieve this, simply follow the next four steps.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Client Settings;
2 Now either open/create a new Custom Client Device Settings and select the Software Center section, or open open the Default Client Settings and select the Software Center section;
3 In the Software Center section, select Yes with Select these new settings to specify company information and click Customize with Software Center settings to open the Software Center Customization dialog box;
4

SC_Customization-GeneralOn the Software Center Customization dialog box, select the General tab and provide at least the following information;

  • Select Hide Application Catalog link in Software Center;

Note: In my example I’ve only selected to hide the Application Catalog link. Below is an example of the link in Software Center that will be removed. I deliberately left the link, to show that it’s not a link anymore and to show what will be removed;

SC_InstallationStatus

Custom configurable tab available for linking to a webpage

The second, also pretty good, improvement, is the ability to add a custom tab to Software Center. The administrator can define a name for the custom tab and the administrator can specify a URL that should be opened in the custom tab. It can be an internal webpage and an external webpage. The latter option would of course require an Internet connectivity. This also implies that the agent must be updated to provide the new functionality. To achieve this, simply follow the next four steps.

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Client Settings;
2 Now either open/create a new Custom Client Device Settings and select the Software Center section, or open open the Default Client Settings and select the Software Center section;
3 In the Software Center section, select Yes with Select these new settings to specify company information and click Customize with Software Center settings to open the Software Center Customization dialog box;
4

SC_Customization-TabsOn the Software Center Customization dialog box, select the Tabs tab and provide at least the following information;

  • Select Specify a custom tab for Software Center;
  • Tab name: Provide a custom name;
  • Content URL: Provide a valid URL;

Note: In my example the custom tab is named Contact and it refers to the contact page of my blog. An example of the user experience is shown below.

SC_CustomTab

Next scheduled maintenance window is shown

The third improvement is a little bit smaller, but can provide really useful information to the end-user. The third improvement is the availability of the next available maintenance window within Software Center. Previously this required a little bit of custom scripting, but now the information is available within the Upcoming section of the Installation status tab in Software Center. This also implies that the agent must be updated to provide the new functionality.

SC_InstallationStatus

More information

More information about what’s new related to Software Center in the latest current branch version, please refer to this article about What’s new in version 1806 of Configuration Manager current branch – Software Center.

Single full-screen Kiosk Browser app in kiosk mode

This week is all about configuring a single full-screen app in kiosk mode and more specifically, configuring the Kiosk Browser app as a single full-screen app in kiosk mode. A couple of years ago, I also did a post about setting up kiosk mode on Windows 10. This time it’s not about using OMA-URI’s, this time is all about using the available options within the portal. Spoiler alert, it became a whole lot easier! Deployment scenarios that this adds on to are, for example, AutoPilot self-deploying mode and enrollment via a device enrollment manager. In this post I’ll go through a few prerequisites for the configuration, followed by the actual configuration of the Kiosk Browser app in kiosk mode. I’ll end this post by looking at the end-user experience.

Prerequisites

Before being able to configure kiosk mode with the Kiosk Browser app, the following prerequisites must be in place and available.

  • Deploy the de Kiosk Browser app. The best method to deploy the app is by using the Microsoft Store for Business integration with Microsoft Intune. That combination will enable the ability to assign the app as a required app to devices and users;
  • Get the Application User Model ID (AUMID) of the Kiosk Browser app. The easiest method is using the provided PowerShell script, which will provide the following AUMID for the Kiosk Browser app: Microsoft.KioskBrowser_8wekyb3d8bbwe!App;

Configuration

Now that the prerequisites are known, it’s time to look at the actual configuration. Within this configuration I will show the steps to create a kiosk profile that will create a full-screen Kiosk Browser app with an autologon user. The following four steps will walk through the required configuration. After that simply assign the created profile to a user (for example the device enrollment manager) or device group (for example the AutoPilot self-deploying devices).

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3

KioskProfileOn the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Kiosk (Preview);
  • Settings: See step 4a and 4b.
4a

KioskMode-AddRowOn the Kiosk (Preview) blade, select Kiosk to open the Kiosk blade. On the Kiosk blade, click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Kiosk (Preview) blade);

  • Kiosk configuration name: Provide a valid name;
  • Kiosk Mode: Select Single full-screen app kiosk;
  • Universal Windows Platform (UWP) app identifier: Select Enter UWP app AUMID;
  • Application user model ID (AUMID) of app: Microsoft.KioskBrowser_8wekyb3d8bbwe!App;
  • User account type: Select Autologon.
4a

KioskBrowser-ConfigOn the Kiosk (Preview) blade, select Kiosk web browser to open the Kiosk web browser blade. On the Kiosk web browser blade, provide the following information and click OK;

  • Default home page URL: https://petervanderwoude.nl;
  • Home button: Select Not configured;
  • Navigation buttons: Select Not configured;
  • End session button: Select Not configured;
  • Refresh browser when user exceeds idle time limit: (Optional) Provide a time limit;
  • Blocked websites: (Optional) Add blocked websites;
  • Website exceptions: (Optional) Add excluded websites.

Note: As I’m not providing any buttons, there is no real use for blocking any websites.

Note: Even though the configuration was a success, the device configuration would always show the status Failed on the setting Full screen kiosk app status.

End-user experience

Now let’s end this post by looking at the end-user experience. The first thing I would like to show, is the default user that is created when using autologon as the user account type. That user is a local user named Kiosk and that local user not configured with a password. Once that user is automatically logged on and somebody would press Ctrl+Alt+Del, the person would see the screen as shown below.

MSI-KioskUser

The second thing that I would like to show is the end result of the complete configuration. When the configuration is applied to the device, the Kiosk user will autologon to the device and the Kiosk Browser app will start with the configured home page and without the ability to navigate or any other interaction, as shown below.

MSI-KioskBrowserLD

The third and last thing that I would like to show is the end result when the configuration is changed. Changed in a way that the navigation buttons are shown, the home button is shown and the end session button is shown. That result is shown below. With that configuration is might be useful to create a list with blocked websites.

MSI-KioskBrowser

More information

For more information related to configuring kiosk mode on Windows 10 and the KioskBrowser area in the Policy CSP, please refer to the following articles:

Prevent users from ending tasks via Windows 10 MDM

This blog post uses the TaskManager node of the Policy CSP, to prevent the end task functionality on Windows 10 devices. This node is added in Windows 10, version 1809, which is currently still in preview.

This week a short blog post about a newly introduced setting in Windows 10, version 1809, which is currently still in preview. That’s the setting to prevent non-administrator users from ending tasks via Task Manager. That can be a useful addition to a Windows AutoPilot deployed device on which the users are configured as standard users. Simply preventing users from performing activities that an administrator might not like them to do. In this post I’ll show the available settings, followed by the configuration and the end-user experience.

Settings

Let’s start by having a look at the available settings. The TaskManager area is a new node within the Policy CSP. That area currently contains only one policy setting, which is AllowEndTask. That policy setting can be configured to an Integer value of 0, which means that the end task functionality is blocked in Task Manager, or to an Integer value of 1, which means that the end task functionality is available in Task Manager. By default, the end task functionality is available. Also, keep in mind that this configuration is only applicable to non-administrator users.

Configuration

Now let’s continue by having a look at the configuration to prevent non-administrator users from ending tasks via Task Manager. In other words, create a device configuration profile with the previously mentioned custom policy setting. The following three steps walk through the creation of that device configuration profile. After that simply assign the created profile to a user or device group.

1 Open the Azure portal and navigate to Intune > Device configuration > Profiles;
2 On the Devices configuration – Profiles blade, click Create profile to open the Create profile blade;
3a

On the Create profile blade, provide the following information and click Create;

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • Platform: Select Windows 10 and later;
  • Profile type: Select Custom;
  • Settings: See step 3b.
3b

EndTask-ConfigOn the Custom OMA-URI Settings blade, provide the following information and click Add to open the Add row blade. On the Add row blade, provide the following information and click OK (and click OK in the Custom OMA-URI blade);

  • Name: Provide a valid name;
  • Description: (Optional) Provide a description;
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/TaskManager/AllowEndTask;
  • Data type: Select Integer;
  • Value: 0.

Note: At some point in time this configuration will probably become available in the Azure portal without the requirement of creating a custom OMA-URI.

End-user experience

Let’s end this post by looking at the end-user experience. Below is an example of a Windows 10 device running the latest available Windows Insider Preview build and deployed via Windows AutoPilot. In that example it’s visible on the left that the TaskManager policy is configured and it’s visible on the right that the end task option is actually grayed out for the user. In other words, the user is unable to end a task via Task Manager.

EndTask-MSIntune

More information

For more information about the available Task Manager settings in the Policy CSP, please refer to the documentation about Policy CSP – TaskManager.

Factory reset, Fresh start, AutoPilot reset, so many options?!

This week something completely different. This time no technical configurations, this time I’ll try to provide some guidance about different Windows 10 features to remotely reset a Windows 10 device by using Microsoft Intune. With the introduction of the remote AutoPilot reset their are now 3 similar features to remotely reset a Windows 10 device: Factory reset , Fresh start and AutoPilot reset. In this post I’ll try to answer questions like “What are the differences between these reset options?” and “When can I use which reset option?”.

Factory reset

Introduction

The Factory reset action returns the device to its factory default settings. This removes all personal and company data and settings from this device. The drive will be securely erased. When triggering this remote action it is possible to select the Retain enrollment state and user account checkbox, to keep the device enrolled and the user account associated with this device. This action cannot be reverted.

By using the Factory reset action, it’s possible to get devices to a factory default state. Also, just like the Remove company data action, it enables administrators to simply remove devices from Microsoft Intune that are no longer needed, being repurposed, or missing.

Win10-Int-FactoryReset

Summary

Retain enrollment state and user account* Retain Intune enrollment Summary of performed actions
Factory reset Not checked No
  • Removes user accounts;
  • Removes user data;
  • Removes MDM policies;
  • Removes non-default settings;
  • Removes user-installed apps;
  • Retains OEM-installed apps;
  • Resets the operating system to its default state and settings.
Factory reset Checked Yes
(Also retains Azure AD join)
  • Retains user accounts
  • Retains user data;
  • Removes MDM policies;
  • Removes non-default settings;
  • Removes user-installed apps;
  • Retains OEM-installed apps;
  • Resets the operating system to its default state and settings.

*Retain enrollment state and user account requires Windows 10, version 1709 or later.

Fresh start

Introduction

The Fresh start action literally gives the user a fresh start. This removes any apps that are installed on the device. Then, it automatically updates the device to the latest version of Windows. This action helps with removing pre-installed (OEM) apps that are typically installed with a new device. When triggering this remote action it is possible to select the Retain user data on this device checkbox, to keep the user data, and only remove apps and settings.

By using the Fresh start action, it’s possible to get devices to an clean state by removing all bloatware and updating to the latest version of Windows 10 at the same time.

Win10-Int-FreshStart

Summary

Retain user data on this device Retain Intune enrollment Summary of performed actions
Fresh start*

 

Not checked No
(Retains Azure AD join)
  • Removes user accounts;
  • Removes user data;
  • Removes MDM policies
  • Removes settings;
  • Removes Win32 apps;
  • Retains Windows Store apps;
  • Updates to the latest version of Windows.
Fresh start* Checked Yes
(Also retains Azure AD join)
  • Retains user accounts
  • Retains user data;
  • Removes MDM policies;
  • Removes settings;
  • Removes Win32 apps;
  • Retains Windows Store apps;
  • Updates to the latest version of Windows.

*Fresh start requires Windows 10, version 1703 or later.

AutoPilot reset

Introduction

The AutoPilot reset action returns the device to a fully configured and/or IT-approved state. This removes personal files, apps, and settings, and applies the original settings and management settings, so the devices are ready to use. The management settings are coming straight from Azure AD ​and Intune device management.

By using the AutoPilot reset action, it’s possible to get the device to a known, good, managed and synchronized state while preserving the management enrollment.

Win10-Int-AutoPilotReset

Summary

Retain Intune enrollment Summary of performed actions
AutoPilot reset* Yes
(Also retains Azure AD join)
  • Retains user accounts;
  • Removes user data;
  • Removes MDM policies;
  • Removes settings;
  • Removes installed apps;
  • Returns the device to the original settings and management settings.

*Remote AutoPilot reset requires Windows 10 Insider Preview Build 17672 or later.

More information

For more information related to Fresh start, Factory reset and AutoPilot reset in combination with Microsoft Intune, please refer to the following articles:

Simply installing the Windows 10 Accounts extension for Google Chrome by using PowerShell

This week is all about simply automatically installing the Windows 10 Accounts extension for Google Chrome. About a year ago I showed that the extension is required when using conditional access and I also showed earlier that it’s possible to use ADMX ingestion to configure Google Chrome. However, the latter is always the easiest method. It actually might be a bit complicated for a simple configuration. That’s why I’m going a different road this time. This time I’m going for a small PowerShell script that will create a registry key and value. In this post I’ll show how to create the PowerShell script, how to assign it by using Microsoft Intune and the end result in Google Chrome.

Create PowerShell script

As I’ve decided to use a PowerShell script to install the Windows 10 Accounts extension for Google Chrome, together with Google Chrome, this section will explain the variables and actions used in the script. For installing Google Chrome, I’ll reuse a PowerShell script that I explained in this post about Combining the powers of the Intune Management Extension and Chocolatey.

Script variables

The PowerShell script contains a few variables that are used to make sure that the Windows 10 Accounts extension will be installed. Those variables together are actually a registry key and value. That means that the variables block on top of the script (see script snippet section) at least contains the values as shown below. The registry key and value will trigger the installation of the Windows 10 Accounts extension and is the same registry key and value that would otherwise be created by the ADMX configuration.

Path HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist
Name 1
Type REG_SZ (String)
Data ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

Script actions

The PowerShell script contains a few actions that it should perform to complete the required activities of installing Google Chrome and the required Windows 10 Accounts extension. It contains the following actions that can be found in the different try-catch blocks (see script snippet section).

  1. Install Chocolatey if it’s not installed;
  2. Install Google Chrome by using Chocolatey (it will automatically check if it’s already installed);
  3. Create the required registry path if it doesn’t exist;
  4. Create the required registry key if it doesn’t exist.

Script snippet

The PowerShell script is shown below and should pretty much explain itself.

Configure PowerShell script

The next step is to configure the PowerShell script in Microsoft Intune. To upload the script, follow the next five steps. After uploading the script, simply assign the script to the required users and/or devices.

1 Open the Azure portal and navigate to Intune > Device configuration > PowerShell scripts;
2 On the Device configuration – PowerShell scripts blade, click Add script to open the Script Settings blade;
3 ChromeExtension-PowerShell-IntuneOn the Add PowerShell script blade, provide the following information and click Settings to open the Script Settings blade;

  • Name: Provide a valid name for the PowerShell script policy;
  • Description: (Optional) Provide a description for the PowerShell script policy;
  • Script location: Browse to the PowerShell script.

Note: The script must be less than 10 KB (ASCII) or 5 KB (Unicode).

4 ChromeExtension-ScriptSettings-IntuneOn the Script Settings blade, provide the following configuration and click OK to return to the PowerShell script blade;

  • Run the script using the logged on credentials: No;
  • Enforce script signature check: No;

Note: Configure Run the script using the logged on credentials to No means that the PowerShell script will run in SYSTEM context;

5 Back on the Add PowerShell script blade, click Create.

End result

Now let’s end this post by looking at the end result. I’ll do that by showing a screenshot of Google Chrome. Below is a screenshot of Google Chrome showing the policy page, which shows the configured policy, and it also shows the installed Windows 10 Accounts extension (blue Windows icon on the top right).

ChromeExtension

More information

Fore more information related to conditional access and the requirements for Google Chrome, please refer to this article about Conditional Access Technical Reference | Client apps condition.