9 Dec.

Windows 10 Deployment And Management Lab Kit December 2016 Update

Head on over to the TechNet Evaluation Center to grab the latest release of the Windows 10 Deployment and Management Lab Kit, which provides you with a hands-on lab environment for evaluating the latest Microsoft products and tools available for managing your Windows 10 deployment. The kit includes:

Lab environment

The lab includes the latest evaluation versions of:

  • Windows 10 Enterprise, Version 1607
  • System Center Configuration Manager 1511
  • Windows Assessment and Deployment Kit for Windows 10, version 1607
  • Microsoft Deployment Toolkit 2013 Update 2
  • Microsoft Application Virtualization 5.1
  • Microsoft BitLocker Administration and Monitoring 2.5 SP1
  • Windows Server 2012 R2
  • SQL Server 2014

Step-by-step lab guides

Illustrated lab guides take you through multiple deployment and management scenarios:

  • In-Place Upgrade
  • Image Creation
  • Lite-Touch Deployment
  • Zero-Touch Deployment
  • Managing Windows 10 with Configuration Manager
  • Windows Information Protection
  • Code Integrity
  • Windows 10 Provisioning
  • Application Compatibility
  • Application Virtualization
  • Provisioning
  • Web Application Compatibility
  • Microsoft BitLocker Administration and Monitoring
  • Secure Host
  • Credential Guard
  • Windows Store for Business
  • Upgrade Analytics


The lab kit consists of two self-extracting zip files: the lab environment and the lab guides.

Preinstall Information

Carefully read the information below before you continue with the download.

Windows 10 Deployment and Management Lab Kit system requirements

The lab supports the 64-bit editions of Windows 10 RTM and Windows Server 2012 R2. It must be imported to set up a lab once Hyper-V is installed.

The Hyper-V Host on which the Windows 10 PoC Lab needs to be imported must meet the following minimum specifications:

  • Hyper-V role installed
  • Administrative rights on the device
  • 300 gigabytes of free disk space
  • High-throughput disk subsystem
  • 32 gigabytes of available memory
  • High-end processor for faster processing
  • An External virtual switch in Hyper-V connecting to the external adapter of the host machine for internet connectivity named External 2
  • A Private virtual switch in Hyper-V for private connectivity between the virtual machines named HYD-Corpnet

The required hardware will vary based on the scale of the provisioned lab and the physical resources assigned to each virtual machine.
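A preflight check of the measurable host requirements listed above, as an added example that is not part of the lab kit or its guides. The `$LabDrive` parameter and the helper function names are assumptions made for illustration; the switch names and thresholds are the ones from the list.

```powershell
# Added example (not from the lab kit): preflight check of the Hyper-V host
# against the minimum specifications listed above. Run from an elevated prompt.
param(
    # Assumption: drive letter of the volume the lab VMs will be imported to.
    [string]$LabDrive = 'C'
)

# Hypothetical helper: builds one result row.
function New-Check {
    param([string]$Requirement, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Requirement = $Requirement; Passed = $Passed; Detail = $Detail }
}

# Hypothetical helper: confirms a virtual switch exists and has the expected type.
function Test-LabSwitch {
    param([string]$Name, [string]$ExpectedType)
    $vmSwitch = Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $vmSwitch) {
        return New-Check "Switch '$Name'" $false 'not found'
    }
    $ok = $vmSwitch.SwitchType -eq $ExpectedType
    New-Check "Switch '$Name'" $ok "type is $($vmSwitch.SwitchType), expected $ExpectedType"
}

$checks = @()

# Administrative rights on the device
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$checks += New-Check 'Administrative rights' $isAdmin "running as $($identity.Name)"

# Hyper-V role installed: the Virtual Machine Management service exists only with the role
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
$checks += New-Check 'Hyper-V role installed' ([bool]$vmms) 'checked for the vmms service'

# 300 gigabytes of free disk space
$free = (Get-PSDrive -Name $LabDrive -PSProvider FileSystem -ErrorAction SilentlyContinue).Free
$checks += New-Check '300 GB free disk space' ($free -ge 300GB) ("{0:N0} GB free on {1}:" -f ($free / 1GB), $LabDrive)

# 32 gigabytes of available memory (FreePhysicalMemory is reported in kilobytes)
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$freeMem = $os.FreePhysicalMemory * 1KB
$checks += New-Check '32 GB available memory' ($freeMem -ge 32GB) ("{0:N1} GB available" -f ($freeMem / 1GB))

# Virtual switches: names and types as given in the requirements list
if (Get-Command Get-VMSwitch -ErrorAction SilentlyContinue) {
    $checks += Test-LabSwitch -Name 'External 2' -ExpectedType 'External'
    # The lab is a standalone environment, so the VM-to-VM switch must be
    # Private (no host or physical adapter attached), not Internal or External.
    $checks += Test-LabSwitch -Name 'HYD-Corpnet' -ExpectedType 'Private'
} else {
    $checks += New-Check 'Virtual switches' $false 'Hyper-V PowerShell module not available'
}

$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) { exit 1 }
```

The disk subsystem and processor requirements are not checked because the list gives no measurable threshold for them.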

Lab expires March 1, 2017. A new version will be published prior to expiration.

Things to Know

This lab kit contains evaluation software that is designed for IT professionals interested in evaluating Windows 10 deployment and management products and tools on behalf of their organization. We do not recommend that you install this evaluation if you are not an IT professional or are not professionally managing corporate networks or devices. Additionally, the lab environment is intended for evaluation purposes only. It is a standalone virtual environment and should not be used or connected to your production environment.

 8 Dec.

Azure AD Connect Now Supported On Windows Server 2016

Another update for Windows Server 2016 compatibility – you can now download and install Microsoft Azure Active Directory Connect with Windows Server 2016 as a supported platform.


Version: 1.1.371.0
File Name: AzureADConnect.msi
Date Published: 12/7/2016
File Size: 78.1 MB
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
    • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
    • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
    • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
    • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

System Requirements

Supported Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

For more information, please refer to


Install Instructions

For more information, please refer to


 8 Dec.

Updated Intune MAM With And Without MDM App List December 2016

Last month I created the table in this post to highlight the mobile apps that are MAM and MDM enabled with Intune, and this month there are some updates. Let’s start with the Android piece.

Android MAM only apps available through the portal last month gave us 11 apps.


This month you can see the new additions – Dynamics CRM and SharePoint.

iOS MAM apps available through the portal – no updates this month.

Below is the updated table, based on information found in the Intune-enlightened apps as well as the most recent updates and announcements. With the recent announcement of the new Intune SDK availability, we should start seeing some third party apps dropping in to the currently ISV free territory.

MAM with MDM MAM without MDM Multi-Identity

  • Acronis Access iOS
  • Adobe Acrobat Android
  • Box for EMM iOS
  • Foxit Mobile PDF Android
  • Microsoft Dynamics CRM iOS
  • Microsoft Excel iOS
  • Microsoft Intune Managed Browser iOS
  • Microsoft OneDrive For Business iOS
  • Microsoft OneNote iOS iOS
  • Microsoft Outlook iOS
  • Microsoft PowerPoint iOS
  • Microsoft PowerBI iOS
  • Microsoft Remote Desktop iOS
  • Microsoft RMS Sharing/Azure Information Protection iOS
  • Microsoft SharePoint iOS
  • Microsoft Skype For Business iOS
  • Microsoft Word iOS
  • Microsoft Work Folders iOS
  • Outlook Groups iOS
  • SAP Fiori
  • Yammer iOS

 8 Dec.

Intune December 2016 Updates

There have been several new announcements over the last few days regarding EMS, but the one that many have been holding out for is the public preview of the Intune admin experience in the Azure Portal. While we can’t quite lay our Silverlight dependency to rest just yet, it’s getting closer. We’ve had MAM without enrolment in the Azure Portal for quite a while, recently user groups have moved out of Intune groups, and now the new portal preview.

What’s in the preview?

December 2016 (initial release)

  • Deploy and manage apps from a store to iOS, Android, and Windows devices
  • Deploy and manage line of business (LOB) apps to iOS, Android, and Windows devices
  • Deploy and manage volume-purchased apps to iOS, and Windows devices
  • Deploy and manage web apps for Android, iOS, and Windows devices
  • Volume-purchased apps for iOS (business and education)
  • iOS managed app configuration profiles
  • Configure app protection policies, and deploy line of business apps to devices that are not enrolled with Intune
  • VPN profiles, per-app VPN, Wi-Fi, email, and certificate profiles
  • Compliance policies
  • Conditional access for Azure AD
  • Conditional access for On-Premises Exchange
  • Device enrollment
  • Role-based access control

Here are the Intune team’s updates for December 2016.

Public preview of the new Intune admin experience on Azure

In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and integrated management of core EMS workflows on a modern service platform that’s extensible using Graph APIs.

New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month. While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.

The admin experience in the Azure portal will use the already announced new grouping and targeting functionality; when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.

If you have any questions about the timeline for your tenant’s migration, contact our migration team at intunegrps@microsoft.com.

Telecom expense management integration in public preview of Azure portal

We are now beginning to preview integration with third-party telecom expense management (TEM) services within the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning these integrations with Saaswedo.

New Capabilities

Multi-factor authentication across all platforms

You can now enforce multi-factor authentication (MFA) on a selected group of users when they enroll an iOS, Android, Windows 8.1+, or Windows Phone 8.1+ device from the Azure Management Portal by configuring MFA on the Microsoft Intune Enrollment application in Azure Active Directory.

Ability to restrict mobile device enrollment

Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll. Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.

    • Restricting mobile device enrollment does not restrict PC client enrollment.
    • For iOS only, there is one additional option to block the enrollment of personally owned devices.

Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as explained in this article.


Multi-Factor Authentication on Enrollment moving to the Azure portal

Previously, admins would go to either the Intune console or the Configuration Manager (earlier than release October 2016) console to set MFA for Intune enrollments. With this updated feature, you will now log in to the Microsoft Azure portal using your Intune credentials and configure MFA settings through Azure AD. Learn more about this here.

Company Portal app for Android now available in China

We are publishing the Company Portal app for Android for download in China. Due to the absence of Google Play Store in China, Android devices must obtain apps from Chinese app marketplaces. The Company Portal app for Android will be available for download on the following stores:


The Company Portal app for Android uses Google Play Services to communicate with the Microsoft Intune service. Since Google Play Services are not yet available in China, performing any of the following tasks can take up to 8 hours to complete.

| Intune Admin Console | Intune Company Portal app for Android | Intune Company Portal Website |
|---|---|---|
| Full wipe | Remove a remote device | Remove device (local and remote) |
| Selective wipe | Reset device | Reset device |
| New or updated app deployments | Install available line-of-business apps | Device passcode reset |
| Remote lock | | |
| Passcode reset | | |


Firefox to no longer support Silverlight

Mozilla is removing support for Silverlight in version 52 of the Firefox browser, effective March 2017. As a result, you will no longer be able to log in to the existing Intune console using Firefox versions greater than 51. We recommend using Internet Explorer 10 or 11 to access the admin console, or a version of Firefox prior to version 52. Intune’s transition to the Azure portal will allow it to support a number of modern browsers without dependency on Silverlight.

Removal of Exchange Online mobile inbox policies

Beginning in December, admins will no longer be able to view or configure Exchange Online (EAS) mobile mailbox policies within the Intune console. This change will roll out to all Intune tenants over December and January. All existing policies will stay as configured; for configuring new policies, use the Exchange Management Shell. Find out more information here.

Intune AV Player, Image Viewer, and PDF Viewer apps are no longer supported on Android

From mid-December 2016 on, users will no longer be able to use the Intune AV Player, Image Viewer, and PDF Viewer apps. These apps have been replaced with the Azure Information Protection app. Find out more about the Azure Information Protection app here.

 2 Dec.

Intune MAM Exchange Online Conditional Access Now In Azure Portal

In a recent blog post New in Intune: More conditional access, App SDK updates, and Android for Work! the Intune team announced additional conditional access capabilities, including the ability to restrict access to Exchange Online to certain clients for MAM only scenarios.

Here is what they posted…

Conditional access is one of the signature experiences from Microsoft Enterprise Mobility + Security, bringing together the power of Intune and Azure Active Directory Premium to allow you to define policies that provide contextual control at the user, location, device and app levels. This rich set of features gives you the control you need to ensure your corporate data is secure, while giving your users the experience they expect in today’s world. We’re excited to announce these new features that further expand our conditional access capabilities to mobile applications and Windows PCs:

  • Conditional access for mobile apps
    This update allows you to restrict access to Exchange Online from only apps that are enabled with Intune’s mobile application protection policies, such as Outlook. If you’ve been looking for a way to block access to Exchange Online from built-in mail clients or other apps, look no further.

I’ve taken some screenshots of the updated portal so you can get an idea of how it works.


First of all you can see above that I’ve highlighted the new tile that appears.


Alternatively, if you customise it and hide the tile, you have the Exchange Online link underneath Conditional Access on the right.


From here we can start seeing what configuration options we’ve got.


First up, Allowed apps has the default setting of all apps.


The dropdown reveals the current MAM only enabled apps that are available to use.



We can add restricted user groups.


We can make exceptions for certain use cases or troubleshooting scenarios.


All up, pretty easy to follow and implement.

 25 Nov.

EMS Partner Training Events Coming Q1 2017

This year’s EMS training courses have all been booked out, but the long waiting lists for Sydney and Melbourne mean that we have some additional dates for next year to share. Make sure you reach out to the Microsoft Australia readiness team via the contact details below to register your interest and secure a seat.

Enterprise Mobility + Security (EMS)


Enterprise Mobility + Security

Type: Technical (L300)

Audience: Partners with existing competencies around devices and deployment, access and identity, management and virtualization, Office 365 and Azure related competencies. Suite Solution architects, pre-sales technical, and deployment roles

Cost: $499

Product: EMS

Duration: 4 Days

Location: Sydney (Mar 6-9), Melbourne (Mar 13-16)

This training consists of instructor-led technical content and hands-on labs covering Hybrid Identity and Access Management (Azure Active Directory Premium), Microsoft Device and Application Management (Intune), Information Protection (Azure Rights Management Service), identifying security threats to the datacentre (Advanced Threat Analytics), and data protection in the cloud (Cloud App Security). For Expression of Interest please email msaupr@microsoft.com

 24 Nov.

Windows 10 Tech Series For Australian Partners

If you are attending the Sydney event make sure you let me know, I can’t make the first two days as I’ll be wrapping up an EMS training event, but I will be there on day 3. 

You are invited to enroll in the Windows Tech Series training course. Building on deployment, management and security features first introduced with Windows 10 at release, this 3-day workshop, which includes hands-on labs, will provide you with the opportunity to explore the different deployment, management and security options and functionality available for your customers. It will also review the opportunity to develop your business as a Microsoft Cloud Solution Provider — either as a new CSP for Windows or to understand how adding Windows to your existing CSP portfolio can provide opportunities to develop your business further.

The Course

While the course provides extensive information from Microsoft trainers, we believe you will benefit most in developing your understanding of Windows 10 through seeing it in action, and working with it hands-on. In this course, you will work your way through the labs, demos, and other content to learn about:

  • Deployment infrastructure overview
  • Applications and updates
  • Managing Windows as a Service
  • Browsers and Internet Security
  • Deploying Secure Boot and Device Guard
  • Base system setup
  • Managing Client devices
  • Advanced Client management
  • Analysis of common threats
  • Advanced Threat Analytics
  • Hardening Windows
  • Windows for SMB
  • Windows Enterprise Subscription
  • Deploying through CSP and managing updates

Competency Assessment

Upon completion of the course, you will be given the opportunity to take the Security and Deployment Management assessment for the Windows and Devices competency. This competency provides you with tools, content and resources to help you build and grow your Windows 10 practice and shows customers that you are a trusted expert.

Space is limited. Register today! We look forward to your participation in this interactive event. Please be advised that this workshop requires a commitment from you to attend from start to finish. We understand that your workload does not diminish while attending this workshop. Rest assured that numerous opportunities to stay connected will be provided throughout the day.

When and Where

  • Cliftons Sydney Office, Level 13, 60 Margaret St: 30th Nov – 2nd Dec 2016
  • Cliftons Melbourne Office, Level 1, 440 Collins St: 5th – 7th Dec 2016
 23 Nov.

Download The Windows 10 ADK Preview Build 14965

If you are trying to stay a step ahead of the public releases of the Windows ADK, and you haven’t done so already, sign up for the Windows Insider Preview so that you not only get early access to new Windows 10 builds, but you can also grab early releases of the Windows ADK as well.

Windows ADK Insider Preview – Build 14965 is available now, here is the information from the Insider page before you download the ISO.

Install Windows ADK Insider Preview

Download Windows Assessment and Deployment Kit (Windows ADK) Insider Preview to get the new and improved deployment tools used to automate a large-scale deployment. Windows ADK Insider Preview includes:

  • The Windows Assessment Toolkit and the Windows Performance Toolkit to assess the quality and performance of systems or components.
  • Several deployment tools such as WinPE, Windows Imaging and Configuration Designer (Windows ICD), and other tools to customize and deploy Windows 10 images.
 21 Nov.

Use cases for Microsoft Intune Client Software vs MDM

Something that often comes up during conversations about managing Windows PCs with Intune is whether they should be managed as a PC or as a mobile device. As with most conversations, there isn’t usually a clear cut answer. In this post I will highlight some of the scenarios where one option might make more sense than the other. In the next post I will have a table that compares the two options side by side. Please note that these do not cover every single scenario that you might encounter, but instead should get you started in making the right decision.

Scenarios where the client software install makes sense

  1. More complex application setup requirements – if you have setup requirements greater than an MSI file, the Intune client can address this. With support for .exe and .msi setups with additional files and folders included it offers much more flexibility. You also benefit from the peer distribution capabilities of Intune if you allow that traffic on your network.
  2. Centralised anti-malware management and reporting – if you are planning on using Intune Endpoint Protection as managed through the Intune Portal, MDM doesn’t deploy/manage that.
  3. Better update management and insights – Windows 10 isn’t as heavily impacted here as 8.1, with Windows 8.1 offering finer control over what gets updated. The insight into installed and missing updates isn’t something that MDM provides.
  4. Software inventory – the PC agent provides reporting on all software it detects, as opposed to reporting on just what it manages.
  5. Support for Windows 7 through to Windows 10 – if you want a consistent Intune management experience for all supported versions of Windows, this is your best option. Once the majority of the mobile PC fleet is Windows 10 based, it might be worth reinvestigating if MDM provides the capabilities that you require.

Scenarios where MDM makes sense

These are the flip side to the above points.

  1. You have single file MSI installs, or are willing to repackage
  2. You already have centralised anti-malware management and reporting
  3. You are dealing with a BYOD environment where you don’t care as much about the update status of the PC
  4. You do not want full software inventory, e.g. BYOD
  5. You have moved away from previous editions of Windows

Things aren’t usually this clear cut, but these are part of the conversation you will need to have around these topics. If you need details on getting started with the Intune PC client software, start with the following…




 20 Nov.

Microsoft Intune November 2016 Updates

Another month, another round of feature updates for Intune. This month’s updates include news on enhanced Cordova and Xamarin support for MAM without enrollment. If you need a refresher on what’s currently available for MAM without MDM, take a look at the table here.

Over the last few months we’ve seen new tenants moving from traditional Intune groups over to AAD groups, a huge improvement, but one that also requires some planning for those who have been using Intune since before this change. This has an impact on Android for Work, with new or migrated tenants, providing support for the Available option for apps. If you are on a non-migrated tenant, you will have to rely on Required for now.

The last few updates relate to the Windows Phone 8 Company Portal; take a look at the text below from the update page for more information.


New capabilities

An Update on Intune and Android for Work

While you can deploy Android for Work apps with an action of Required, you can only deploy apps as Available if your Intune groups have been migrated to the new Azure AD groups experience.

Intune App SDK for Cordova plugin now supports MAM without enrollment

App developers can now use the Intune App SDK for Cordova plugin to enable MAM functionality without device enrollment in their Cordova-based apps for Android and iOS. The Intune App SDK for Cordova plugin can be found here.

Intune App SDK Xamarin component now supports MAM without enrollment

App developers can now use the Intune App SDK Xamarin component to enable MAM functionality without device enrollment in their Xamarin-based apps for Android and iOS. The Intune App SDK Xamarin component can be found here.

Symantec signing certificate no longer requires signed Windows Phone 8 Company Portal for upload

Uploading the Symantec signing certificate will no longer require a signed Windows Phone 8 Company Portal app. The certificate can be uploaded independently.


Support for the Windows Phone 8 Company Portal

Support for Windows Phone 8 Company Portal will now be deprecated. Support for the Windows Phone 8 and WinRT platforms was deprecated in October 2016. Support for the Windows 8 Company Portal was also deprecated in October 2016.
