Last week at Ignite Australia 2017 I had to use my MCP credentials to test out the on-site testing facilities, for which I was given a free double-shot exam voucher. Because I’ve already done all of the Windows 10 and EMS related exams that are available I thought I’d try my hand at the Windows Server 2016 70-743 exam, what was the worst that could happen?
Thankfully nothing bad happened, I got through it, but it did highlight just how big and complex Windows Server 2016 is. The updated feature set and the new capabilities in Datacenter edition were more than enough to sink my teeth into, but the thing that has become evident to me with exams like this over the years is that there are huge chunks within Windows Server that I have never really spent any time with. My day to day life with Windows Server doesn’t involve administration, it’s more of a toolbox that I get to play in, primarily hosting VMs, running AD FS, and AAD Connect instances.
These pieces definitely got me through the exam, but the lack of time allocated to preparation showed up with some of the questions: I knew they weren’t hard questions, I just didn’t know enough about the topics they were asking about. Considering that my exam prep involved running through a MeasureUp practice exam and looking at the articles related to the questions, it wasn’t as structured or as hands on as it should have been. I had allocated two full days of study, but the original exam center I had booked at cancelled the exam, so I had to move it to another testing center and do it a day earlier.
I normally try to sit exams on a Friday afternoon, that way if I pass, I don’t have to worry about them on the weekend, and if I don’t succeed, I’ve got some time to focus on the areas that caught me out. If I hadn’t gotten through this exam, it would have been because of some of the networking pieces, especially IPAM. This was reflected in the score report, which was only broken down as 740/741/742 results, rather than a more granular breakdown.
If you work with Windows Server 2012 R2 in a broad sense, I don’t think that upgrading your certs to Windows Server 2016 will be that tough, but you will need to know about the enhancements in 2016, especially in Datacenter. Knowledge of PowerShell cmdlets and syntax is required, as well as knowing when you would use the different GUI tools.
I was just lucky that my lack of hands on over recent years was made up for with the time I had to spend with Windows Server 2016 over the launch period. If you think you might be able to sit this exam, just do it, maybe get a multi attempt exam voucher if you aren’t confident, but otherwise study up on the new additions, and you should be well on your way.
Continuing the ongoing addition of features into the Azure Portal for different components of the Enterprise Mobility + Security suite, Azure Active Directory group based licensing is now in public preview. Here are some of the key takeaways from the announcement.
Three additional articles that are worth looking at are
For those of you with recently created Intune tenants that have access to the Intune preview functionality within the Azure Portal, more capabilities have been added to test out. The one which I’ve had many people tell me was on their wish list is that non-managed devices can now access assigned apps, making MAM without device enrolment scenarios more user friendly for finding and installing apps.
Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll. Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.
Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as explained in this article.
A new Device Actions report shows who has performed remote actions like factory reset on devices, and additionally shows the status of that action. See What is device management?.
As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps assigned to them as “available without enrollment” on their non-managed devices. Using their Intune credentials, users will be able to log into the Company Portal website and see the list of apps assigned to them. The app packages of the “available without enrollment” apps are made available for download via the Company Portal website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to enroll their device if they wish to install those apps.
You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.
You can now view the device category as a column in the device list. You can also edit the category from the properties section of the device properties blade. See How to add an app to Intune.
The What’s New In Intune page over on docs.microsoft.com has just been updated, and the following updates were covered across new capabilities and notices. These include a new guided experience for Windows 10 Company Portal, group migration impact on iOS policies, the new MDM server enrolment address for Windows devices, the upcoming Android Company Portal app changes and the ability to associate multiple management tools with the Windows Store for Business instead of only one.
Beginning in March, the Company Portal for Windows 10 will include a guided Intune walkthrough experience for devices that have not been identified or enrolled. The new experience provides step-by-step instructions, customized for the user’s build of Windows 10, that guide users through performing AAD registration (required for identification for Conditional Access features) and MDM enrollment (required for device management features). The guided experience will be accessible from the Company Portal home page and is optional; users can continue to use the app if they do not complete registration and enrollment, but may experience limited functionality.
For every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic device group will be created in AAD based on the Corporate Device Enrollment profile’s name, during the migration to Azure Active Directory device groups. This will ensure that as devices enroll, they will be automatically grouped and receive the same policies and apps as the original Intune group.
Once a tenant enters the migration process for grouping and targeting, Intune will automatically create a dynamic AAD group to correspond to an Intune group targeted by a Corporate Device Enrollment profile. If the Intune Admin deletes the targeted Intune group, the corresponding dynamic AAD group will not be deleted. The group’s members and the dynamic query will be cleared, but the group itself will remain until the IT Admin removes it via the AAD portal.
Similarly, if the IT Admin changes which Intune group is targeted by a Corporate Device Enrollment profile, Intune will create a new dynamic group reflecting the new profile assignment, but will not remove the dynamic group created for the old assignment.
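As an added example (not from the Intune announcement), a PowerShell check using the AzureAD module that lists dynamic groups whose membership rule has been cleared and which have no members, the state described above for groups left behind after the Intune group they mirrored was deleted or re-targeted. It assumes Connect-AzureAD has already been run; the function name is my own.

```powershell
# Added example, not part of the announcement: find Azure AD dynamic groups
# that look like leftovers from the Intune group migration (no rule, no members).
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
function Get-OrphanedDynamicGroup {
    [CmdletBinding()]
    param(
        # Optional name fragment, e.g. the Corporate Device Enrollment profile
        # name the migration used to name the group; default is all dynamic groups.
        [string]$NameFilter = ''
    )
    $groups = Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains 'DynamicMembership' }
    if ($NameFilter) {
        $groups = $groups | Where-Object { $_.DisplayName -like "*$NameFilter*" }
    }
    foreach ($g in $groups) {
        $memberCount = (Get-AzureADGroupMember -ObjectId $g.Id -All $true |
            Measure-Object).Count
        $ruleCleared = [string]::IsNullOrWhiteSpace($g.MembershipRule)
        [pscustomobject]@{
            DisplayName    = $g.DisplayName
            ObjectId       = $g.Id
            MembershipRule = $g.MembershipRule
            RuleState      = $g.MembershipRuleProcessingState
            MemberCount    = $memberCount
            # No rule and no members matches the "cleared but not deleted" state
            # the announcement describes; review before removing via the AAD portal.
            LikelyOrphaned = ($ruleCleared -and $memberCount -eq 0)
        }
    }
}

# Usage: list candidates for manual review; removal is a deliberate admin step.
Get-OrphanedDynamicGroup | Where-Object LikelyOrphaned |
    Format-Table DisplayName, ObjectId, RuleState, MemberCount
```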
The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM agent enrollment flow rather than going through the PC agent. The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.
End users will be given additional guidance on how to regain access to work or school data if that data is automatically removed due to the “Offline interval before app data is wiped” policy.
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in January.
Windows and Windows Phone users attempting to enroll a device will fail if they enter manage.microsoft.com as the MDM server address (if prompted). The MDM server address is changing from manage.microsoft.com to enrollment.manage.microsoft.com. Notify your users to use enrollment.manage.microsoft.com as the MDM server address if prompted for it while enrolling a Windows or Windows Phone device. For additional information about this change, visit aka.ms/intuneenrollsvrchange.
If you are using more than one management tool to deploy Windows Store for Business apps, previously, you could only associate one of these with the Windows Store for Business. You can now associate multiple management tools with the store, for example, Intune and Configuration Manager. For details, see Manage apps you purchased from the Windows Store for Business with Microsoft Intune.
For those of you heading along to Microsoft Ignite on the Gold Coast next week, drop by any of the four sessions I’ll be delivering during the week and say hello. When I’m not in one of these sessions I’ll either be near the hands on labs or dropping in to some of the sessions to make sure I learn something as well.
Another announcement from the Intune team about what’s required to make sure that the Outlook add-ins announced last week interact with Exchange and Mobile Application Management policies. Read on for the full details included in the email…
Last week, the Outlook team announced add-ins for Outlook on iOS. This add-in feature set already exists in Outlook on Windows, web and Mac (in Office Insiders). Since add-ins are managed via Exchange, users will be able to copy and share data and messages across Outlook and unmanaged add-in applications, unless access to add-ins is turned off by your Exchange admin. In order to manage user access permissions to add-ins, please work with your Exchange admin to ensure that your MAM data protection policies apply to add-ins.
How does this affect me?
If your Exchange policies are already set to prevent side loading add-ins or installing add-ins, then read no further. Your MAM policies will apply per your settings. If, however, you have set policies in MAM to restrict cut, copy, and paste operations within Outlook on iOS and have not set your add-in policy in Exchange, you should know that by default, users will be able to install add-ins to Outlook. These add-ins can access message body, subject and other message properties. You can turn off end-user ability to install add-ins by having your Exchange Admin remove the “My Marketplace Apps” and “My Custom Apps” roles. For more details, see the additional information link shared below. Note that the setting change in Exchange will apply to Outlook across Windows, web, Mac (in Office Insiders) and mobile.
What do I need to do?
Review your Exchange policies today. Read up on the documentation linked below. Inform your IT and helpdesk staff. Contact our support team with any specific questions or concerns. Please click additional information to learn more.
We are still in early February, but a few updates have rolled out late last month and early this month. Below you will find a summary of these, covering both app updates and portal updates. I’ve received notification that one of my Intune tenants is going to be migrated early so that I can test things out without having to keep spinning up new trial tenants.
New app protection reports have been added for both enrolled devices and devices that have not been enrolled. Find out more about how you can monitor mobile app management policies with Intune here.
Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in January.
Beginning in February, the Company Portal website will support apps that are targeted to users who do not have managed devices. The website will align with other Microsoft products and services by using a new contrasting color scheme, dynamic illustrations, and a “hamburger menu,” which will contain helpdesk contact details and information on existing managed devices. The landing page will be rearranged to emphasize apps that are available to users, with carousels for Featured and Recently Updated apps. You can find before and after images available on the What’s new in the Intune app UI page.
The Company Portal for iOS is introducing a progress bar on the launch screen to provide the user with information about the loading processes that occur. There will be a phased rollout of the progress bar to replace the spinner. This means that some of your users will see the new progress bar while others will continue to see the spinner.
When running through the different pieces of Enterprise Mobility + Security with those who are focused on the cloud only components, it usually comes as a surprise to see how many different on-premises services can be extended with the different EMS components. The one that people know about is AADConnect, but Intune has connectors for Configuration Manager, Exchange and Simple Certificate Enrolment Protocol (SCEP), AIP/RMS has the Azure RMS connector, and of course Advanced Threat Analytics is deployed by the customer. The MFA server is also available, and today’s announcement highlights some changes that are in the pipeline.
First of all it’s worth mentioning that the announcement focuses solely on potentially reducing or eliminating the requirement for MFA Server for some VPN scenarios; it doesn’t target the other scenarios that MFA Server addresses, such as extending AD FS authentication methods, IIS app integration, RDS broker support and general purpose RADIUS and LDAP authentication. Remember that you need AAD Premium P1 or P2 licensing for Azure MFA server, so you can buy those standalone or as part of EMS E3 or E5.
So what does it do? Well, as the article suggests, this focuses on providing cloud based MFA for VPN without the on-premises MFA Server requirement. Instead it requires the installation of the NPS extension for Azure MFA, which supports the following operating systems. The list looks like it might need to be cleaned up a little, as it references some previews and release candidates for versions of Windows Server that are no longer supported, but I think the final one listed sums it up.
Windows Server 2008 R2 SP1, Windows Server 2008 Service Pack 2, Windows Server 2012, Windows Server 2012 Beta Essentials, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials , Windows Server 2012 R2 Preview, Windows Server 2012 R2 Standard , Windows Server 2012 Release Candidate, Windows Server 2012 Standard, Windows Server 2016, Windows Server 2008 R2 SP1 or above with the NPS component enabled
The installation instructions provided, for those wanting to give it a try…
1. Run Setup.exe on your existing NPS Server
2. Run the PowerShell script from C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive)
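Before running the two steps above, a pre-flight check is useful on the target NPS server. This added PowerShell example (mine, not from the announcement) verifies the supported-OS requirement the list ends with (Windows Server 2008 R2 SP1 or above with the NPS component enabled) and reports whether the extension’s config folder from step 2 is present yet; the function name and the use of the NPS service name IAS are my assumptions.

```powershell
# Added example, not from the announcement: pre-flight check for the NPS
# extension for Azure MFA. Uses Get-WmiObject so it also works on the
# PowerShell 2.0 that ships with Windows Server 2008 R2.
function Test-NpsExtensionPrereq {
    Import-Module ServerManager -ErrorAction SilentlyContinue   # needed on 2008 R2
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    # 6.1 is Windows Server 2008 R2; the announcement requires SP1 or later.
    $osOk = ($ver -gt [version]'6.1') -or
            ($ver.Major -eq 6 -and $ver.Minor -eq 1 -and $os.ServicePackMajorVersion -ge 1)
    # NPAS is the Network Policy and Access Services feature; IAS is its service name.
    $npas = Get-WindowsFeature -Name NPAS -ErrorAction SilentlyContinue
    $svc  = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $npsInstalled = [bool]($npas -and $npas.Installed)
    # Config folder from step 2, relative to the installation drive.
    $cfgDir = Join-Path $env:SystemDrive 'Program Files\Microsoft\AzureMfa\Config'
    [pscustomobject]@{
        OsVersion                 = "$($os.Caption) $($os.Version) SP$($os.ServicePackMajorVersion)"
        OsSupported               = $osOk
        NpsRoleInstalled          = $npsInstalled
        NpsServiceRunning         = [bool]($svc -and $svc.Status -eq 'Running')
        ExtensionConfigDirPresent = (Test-Path $cfgDir)
        ReadyForSetup             = ($osOk -and $npsInstalled)
    }
}

Test-NpsExtensionPrereq | Format-List
```

ExtensionConfigDirPresent will be false until Setup.exe has run; ReadyForSetup is the value to check before step 1.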
For full details on the preview, head on over to Augment your existing authentication infrastructure with the NPS extension for Azure Multi-Factor Authentication – Public preview for more information, and keep an eye on the questions that are getting asked there in case anything relevant pops up.
For those of you not actively monitoring your tenant administrator email accounts, it’s worth reading the content of a message that was just sent out to advise of some changes that are coming through as part of the migration process.
Dear Tenant Administrator,
Microsoft Intune is a Mobile device management, mobile application management, and PC management solution from Microsoft. Intune is the mobility solution in Enterprise Mobility & Security (EMS) or can be purchased as a standalone service.
Over the next few months, Intune is migrating all Intune groups over to Azure AD groups. What does this mean to you? As an Azure AD admin, you’ll start to see Intune groups in your Azure AD infrastructure. Please do not delete these groups; they’ll pop in there in preparation for migration, then will be populated by our migration engine.
We’re excited to bring Intune groups over to Azure AD groups as this will provide an improved experience for our Intune service admins. Migration will also allow Intune admins to use the new Intune on Azure experience currently in preview at portal.azure.com.
If you have any questions on the grouping and migrating experience, please look at the docs here: https://aka.ms/new_grouping_experience_admin. Alternatively, if you have any questions on migration, reach out to our grouping migration team email@example.com or support.
Thank you, Microsoft Intune
Over on the recently updated What’s new in MDM enrollment and management page on MSDN new CSPs have been added for 1703. You can also check out the update listings for 1511 and 1607 while you are there, along with the change history.
| CSP | Change |
| --- | --- |
| New nodes in Update CSP | Added the following nodes to the Update CSP: |
| CM_CellularEntries CSP | To PurposeGroups setting, added the following values: |
| CellularSettings CSP | For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. |
| SecureAssessment CSP | Added the following settings: |
| Messaging CSP | Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions. |
| Policy CSP | Added the following new policies: |
| DevDetail CSP | Added the following setting: DeviceHardwareData. |
| CleanPC CSP | Added new CSP. |
| DeveloperSetup CSP | Added new CSP. |