18 Mar.

Blockers For Migrating Intune Tenants

Over the last few weeks I’ve had a few ad-hoc conversations around the requirements for making sure the transition to the new AAD groups and portal goes smoothly, and a post on the topic has just appeared over on the Intune Support blog. In the post they mention six things to clean up to ensure a faster, smoother transition. While the removal of the Silverlight requirement is a big improvement from a browser compatibility perspective, the consolidation of the management portals required, and the consistency delivered via a common portal UI and access via the Graph API, are where the benefits really shine.

1. Policies or apps targeted to ungrouped users/devices
2. Using Exclusion Groups
3. Using Nested Groups (also called Implicit Exclusion Groups)
4. Any groups using the ‘Is Manager’ clause
5. You have conflicting App deployment rules
6. You are using an old version (prior to December 2016) of the Exchange connector for Intune

Take a look over at the full post here.

16 Mar.

Upcoming Windows 10 Training Events

The Microsoft Australia Partner Readiness team have lined up two 3-day Windows 10 training events in Sydney and Perth for April 2017.

Windows 10 Technical Series Training

4th – 6th April 2017 | 8:30am – 5:00pm, GMT+10:00 (Australia/Sydney)

10th – 12th April 2017 | 8:30am – 5:00pm, GMT+08:00 (Australia/Perth)

Level: 300

Target Product: Windows

Audience: technical

Event Identification: AUWW176

Event Description:

Building on deployment, management and security features first introduced with Windows 10 at release, this 3-day workshop, which includes hands-on labs, will provide you with the opportunity to explore the different deployment, management and security options and functionality available for your customers. It will also review the opportunity to develop your business as a Microsoft Cloud Solution Provider — either as a new CSP for Windows or to understand how adding Windows to your existing CSP portfolio can provide opportunities to develop your business further.

THE COURSE

While the course provides extensive information from Microsoft trainers, we believe you will benefit most in developing your understanding of Windows 10 through seeing it in action, and working with it hands-on.

In this course, you will work your way through the labs, demos, and other content to learn about:

• Deployment infrastructure overview

• Applications and updates

• Managing Windows as a Service

• Browsers and Internet Security

• Deploying Secure Boot and Device Guard

• Base system setup

• Configuration

• Managing Client devices

• Advanced Client management

• Analysis of common threats

• Advanced Threat Analytics

• Hardening Windows

• Windows for SMB

• Windows Enterprise Subscription

• Deploying through CSP and managing updates

COMPETENCY ASSESSMENT

Upon completion of the course, you will be given the opportunity to take the Security and Deployment Management assessment for the Windows and Devices competency. This competency provides you with tools, content and resources to help you build and grow your Windows 10 practice and shows customers that you are a trusted expert.

You can register for these events here.

11 Mar.

Updated MAM With And Without MDM App List March 2017 – Now With Microsoft Teams!

The new kid on the Office block is the new kid on the MAM without MDM block – Microsoft Teams. For the last three months or so iOS and Android have been neck and neck for the number of supported apps, but this month Android pulls ahead.

Above – Pre-Microsoft Teams tally under Intune App Protection in Azure Portal.


Above – No Intune App Protection yet for Microsoft Teams

Above – What’s this? Something new for Android

Above – Since I’ve been tracking this I think this is the first time that Android has pulled ahead

With the Intune SDK updates that were released last year for iOS and Android, including releases for Cordova and Xamarin, I’m hoping we see some third party apps appear in these lists soon. That means over the next few months we should hopefully see Azure Active Directory GA in the Azure Portal, existing Intune tenants migrated to the Azure Portal, and third party apps, along with whatever new functionality also gets rolled in. I think it’s going to be a busy few months…

Anyway, with that information, here’s my latest version of the managed apps list.

App

MAM with MDM

MAM without MDM

Multi-Identity

Acronis Access

iOS

Adobe Acrobat

Android

iOS

Box for EMM

iOS

Foxit Mobile PDF

Android

iOS

Microsoft Dynamics CRM

iOS

Android

iOS

Android

Microsoft Excel

iOS

Android

iOS

Android

iOS

Microsoft Intune Managed Browser

iOS

Android

iOS

Android

Microsoft OneDrive For Business

iOS

Android

iOS

Android

iOS

Android

Microsoft OneNote

iOS

iOS

Microsoft Outlook

iOS

Android

iOS

Android

iOS

Android

Microsoft PowerPoint

iOS

Android

iOS

Android

iOS

Microsoft PowerBI

iOS

Android

iOS

Microsoft Remote Desktop

iOS

Android

iOS

Android

Microsoft RMS Sharing/Azure Information Protection

iOS

Android

Android

Microsoft SharePoint

iOS

Android

iOS

Android

Microsoft Skype For Business

iOS

Android

iOS

Android

Microsoft Teams

iOS

Android

Android

Microsoft Word

iOS

Android

iOS

Android

iOS

Microsoft Work Folders

iOS

Android

Outlook Groups

iOS

Android

iOS

Android

SAP Fiori

Yammer

iOS

Android

iOS

Android

What’s worth calling out right now is that the Azure Information Protection app and OneNote app are only available on one of the platforms as far as MAM only/Intune App Protection are concerned.

10 Mar.

Windows 10 DynamicManagement CSP Information On MSDN

This week the MDM documentation for Windows 10 was updated to include information on the DynamicManagement CSP, which will allow devices to behave differently based on location, network or time. There are quite a few different scenarios for using this, including enabling additional security requirements, or alternatively focusing on costs by disabling cellular data when roaming. These policies are enforced even when the MDM service cannot be reached.

The configuration service provider provides the following settings…

  • DynamicManagement
    • NotificationsEnabled
    • ActiveList
    • Contexts
      • ContextID
        • SignalDefinition
        • SettingsPack
        • SettingsPackResponse
        • ContextStatus
        • Altitude
    • AlertsEnabled

Take a look at the full documentation over on MSDN.

3 Mar.

Refreshed version of Windows 10 Deployment And Management Kit Available

For those of you looking for an easy way to set up a Hyper-V based test environment for Windows 10 deployment scenarios, take a look at the updated version over on the TechNet Evaluation Center.

The Windows 10 Deployment and Management Lab Kit provides you with a hands-on lab environment for evaluating the latest Microsoft products and tools available for managing your Windows 10 deployment. The kit includes:

Lab environment

The lab includes the latest evaluation versions of:

  • Windows 10 Enterprise, Version 1607
  • System Center Configuration Manager 1511
  • Windows Assessment and Deployment Kit for Windows 10, version 1607
  • Microsoft Deployment Toolkit 2013 Update 2
  • Microsoft Application Virtualization 5.1
  • Microsoft BitLocker Administration and Monitoring 2.5 SP1
  • Windows Server 2012 R2
  • SQL Server 2014

Step-by-step lab guides

Illustrated lab guides take you through multiple deployment and management scenarios:

  • In-Place Upgrade
  • Image Creation
  • Lite-Touch Deployment
  • Zero-Touch Deployment
  • Managing Windows 10 with Configuration Manager
  • Windows Information Protection
  • Code Integrity
  • Windows 10 Provisioning
  • Application Compatibility
  • Application Virtualization
  • Provisioning
  • Web Application Compatibility
  • Microsoft BitLocker Administration and Monitoring
  • Secure Host
  • Credential Guard
  • Windows Store for Business
  • Upgrade Analytics

Windows 10 Deployment and Management Lab Kit system requirements

The lab supports the 64-bit editions of Windows 10 RTM and Windows Server 2012 R2. It must be imported to set up a lab once Hyper-V is installed.

The Hyper-V Host on which the Windows 10 PoC Lab needs to be imported must meet the following minimum specifications:

  • Hyper-V role installed
  • Administrative rights on the device
  • 300 gigabytes of free disk space
  • High-throughput disk subsystem
  • 32 gigabytes of available memory
  • High-end processor for faster processing
  • An External virtual switch in Hyper-V named External 2, connecting to the external adapter of the host machine for internet connectivity
  • A Private virtual switch in Hyper-V named HYD-Corpnet, for private connectivity between the virtual machines

The required hardware will vary based on the scale of the provisioned lab and the physical resources assigned to each virtual machine.
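
A pre-flight check for the host requirements listed above, written as an added PowerShell example (it is not part of the lab kit or the original post). The function name and the `D:\Win10Lab` import path are assumptions; the thresholds and switch names are the ones in the list.

```powershell
# Added example: pre-flight check for a host that will import the lab kit.
# Thresholds and switch names are taken from the requirements list above;
# the function name and the -ImportPath default are illustrative assumptions.
function Test-LabHostReadiness {
    [CmdletBinding()]
    param(
        [string]$ImportPath     = 'D:\Win10Lab',   # assumed import location
        [string]$ExternalSwitch = 'External 2',
        [string]$PrivateSwitch  = 'HYD-Corpnet',
        [int]$MinFreeDiskGB     = 300,
        [int]$MinFreeMemoryGB   = 32
    )

    function New-Check($Name, $Passed, $Detail) {
        [pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
    }

    # Administrative rights on the device
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    New-Check 'Elevated session' $isAdmin $identity.Name

    # Hyper-V role: the Virtual Machine Management service (vmms) is present
    # only when the role is installed
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    New-Check 'Hyper-V role' ($vmms -and $vmms.Status -eq 'Running') "vmms: $($vmms.Status)"

    # Free disk space on the volume that will hold the imported VMs
    $driveLetter = [System.IO.Path]::GetPathRoot($ImportPath).Substring(0, 1)
    $drive  = Get-PSDrive -Name $driveLetter -PSProvider FileSystem -ErrorAction SilentlyContinue
    $freeGB = if ($drive) { [math]::Floor($drive.Free / 1GB) } else { 0 }
    New-Check 'Free disk space' ($freeGB -ge $MinFreeDiskGB) "$freeGB GB free on ${driveLetter}:"

    # Available memory (Win32_OperatingSystem reports FreePhysicalMemory in KB)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $freeMemGB = [math]::Round($os.FreePhysicalMemory * 1KB / 1GB, 1)
    New-Check 'Available memory' ($freeMemGB -ge $MinFreeMemoryGB) "$freeMemGB GB available"

    # Virtual switches: name AND type must match. A switch called HYD-Corpnet
    # that is not Private would connect the lab VMs to the host or the
    # physical network instead of keeping them isolated.
    $expected  = [ordered]@{ $ExternalSwitch = 'External'; $PrivateSwitch = 'Private' }
    $hasModule = [bool](Get-Command -Name Get-VMSwitch -ErrorAction SilentlyContinue)
    foreach ($name in $expected.Keys) {
        $sw = if ($hasModule) { Get-VMSwitch -Name $name -ErrorAction SilentlyContinue }
        $detail = if ($sw) { "type: $($sw.SwitchType)" } else { 'not found' }
        New-Check "Switch '$name'" ($sw -and "$($sw.SwitchType)" -eq $expected[$name]) $detail
    }
}

# Show every check, then warn if any requirement is unmet.
$report = Test-LabHostReadiness
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'Host does not meet the lab kit requirements.'
}
```

Checking the switch type as well as its name matters because the kit is meant to run as a standalone environment that is not connected to production.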

Lab expires June 1, 2017. A new version will be published prior to expiration.

Things to Know

This lab kit contains evaluation software that is designed for IT professionals interested in evaluating Windows 10 deployment and management products and tools on behalf of their organization. We do not recommend that you install this evaluation if you are not an IT professional or are not professionally managing corporate networks or devices. Additionally, the lab environment is intended for evaluation purposes only. It is a standalone virtual environment and should not be used or connected to your production environment.

24 Feb.

Windows Server 2016 MCSA Upgrade Exam 70-743

Last week at Ignite Australia 2017 I had to use my MCP credentials to test out the on-site testing facilities, for which I was given a free double-shot exam voucher. Because I’ve already done all of the Windows 10 and EMS related exams that are available I thought I’d try my hand at the Windows Server 2016 70-743 exam. What was the worst that could happen?

Thankfully nothing bad happened. I got through it, but it did highlight just how big and complex Windows Server 2016 is. The updated feature set and the new capabilities in Datacenter edition were more than enough to sink my teeth into, but the thing that has become evident to me with exams like this over the years is that there are huge chunks within Windows Server that I have never really spent any time with. My day-to-day life with Windows Server doesn’t involve administration; it’s more of a toolbox that I get to play in, primarily hosting VMs, running AD FS, and AAD Connect instances.

These pieces definitely got me through the exam, but the lack of time allocated to preparation showed up with some of the questions, I knew they weren’t hard questions, I just didn’t know enough about the topics they were asking about. Considering that my exam prep involved running through a MeasureUp practice exam and looking at the related articles to the questions, it wasn’t as structured or as hands on as it should have been. I had allocated two full days of study, but the original exam center I had booked at cancelled the exam, so I had to move it to another testing center and do it a day earlier.

I normally try to sit exams on a Friday afternoon, that way if I pass, I don’t have to worry about them on the weekend, and if I don’t succeed, I’ve got some time to focus on the areas that caught me out. If I hadn’t gotten through this exam, it would have been because of some of the networking pieces, especially IPAM. This was reflected in the score report, which was only broken down as 740/741/742 results, rather than a more granular breakdown.

If you work with Windows Server 2012 R2 in a broad sense, I don’t think that upgrading your certs to Windows Server 2016 will be that tough, but you will need to know about the enhancements in 2016, especially in Datacenter.  Knowledge of PowerShell cmdlets and syntax is required, as well as knowing when you would use the different GUI tools.

I was just lucky that my lack of hands-on over recent years was made up for with the time I had to spend with Windows Server 2016 over the launch period. If you think you might be able to sit this exam, just do it, maybe get a multi-attempt exam voucher if you aren’t confident, but otherwise study up on the new additions, and you should be well on your way.

24 Feb.

Public Preview Of Azure AD Group Based License Management for Office 365

Continuing the ongoing addition of features into the Azure Portal for different components of the Enterprise Mobility + Security suite, Azure Active Directory group-based licensing is now in public preview. Here are some of the key takeaways from the announcement.

  • Licenses can be assigned using any “security group” in Azure AD, whether synced from on-premises or created directly in Azure AD.
  • AADP1 or AADP2 subscriptions can combine license management with dynamic group membership
  • All Microsoft Online Services that require user-level licensing are supported.
  • The administrator can disable one or more service components when assigning a license to a group. This allows staged deployments of rich products like Office 365 Enterprise E5 at scale.
  • The feature is only available in the Azure portal.
  • Licenses are typically added or removed within minutes of a user joining or leaving a group.

Three additional articles that are worth looking at are:

  • Assigning licenses to a group in Azure Active Directory
  • What is group-based licensing in Azure Active Directory?
  • Azure Active Directory group-based licensing additional scenarios
  • Setting up Azure Active Directory for self-service group management

16 Feb.

Intune Preview Portal Updates For February 2017

For those of you with recently created Intune tenants that have access to the Intune preview functionality within the Azure Portal, more capabilities have been added to test out. The one that many people have told me was on their wish list is that non-managed devices can access assigned apps, which makes MAM without device enrolment scenarios more user friendly when it comes to locating and installing apps.

Ability to restrict mobile device enrollment

Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll. Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile. 

    • Restricting mobile device enrollment does not restrict PC client enrollment.
    • For iOS and Android only, there is one additional option to block the enrollment of personally owned devices.

Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as explained in this article. 

View all actions on managed devices

A new Device Actions report shows who has performed remote actions like factory reset on devices, and additionally shows the status of that action. See What is device management?.

Non-managed devices can access assigned apps

As part of the design changes on the Company Portal website, iOS and Android users will be able to install apps assigned to them as “available without enrollment” on their non-managed devices. Using their Intune credentials, users will be able to log into the Company Portal website and see the list of apps assigned to them. The app packages of the “available without enrollment” apps are made available for download via the Company Portal website. Apps which require enrollment for installation are not affected by this change, as users will be prompted to enroll their device if they wish to install those apps. 

Custom app categories

You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English. See How to add an app to Intune.

Display device categories

You can now view the device category as a column in the device list. You can also edit the category from the properties section of the device properties blade. See How to add an app to Intune.

16 Feb.

Intune Updates February 2017 – Part 2

The What’s New In Intune page over on docs.microsoft.com has just been updated, and the following updates were covered across new capabilities and notices. These include a new guided experience for Windows 10 Company Portal, group migration impact on iOS policies, the new MDM server enrolment address for Windows devices, the upcoming Android Company Portal app changes and the ability to associate multiple management tools with the Windows Store for Business instead of only one.

New Capabilities

New guided experience for Windows 10 Company Portal

Beginning in March, the Company Portal for Windows 10 will include a guided Intune walkthrough experience for devices that have not been identified or enrolled. The new experience provides step-by-step instructions, customized for the user’s build of Windows 10, that guide users through performing AAD registration (required for identification for Conditional Access features) and MDM enrollment (required for device management features). The guided experience will be accessible from the Company Portal home page and is optional; users can continue to use the app if they do not complete registration and enrollment, but may experience limited functionality.

Notices

Group migration will not require any updates to groups or policies for iOS devices

For every Intune device group pre-assigned by a Corporate Device Enrollment profile, a corresponding dynamic device group will be created in AAD based on the Corporate Device Enrollment profile’s name, during the migration to Azure Active Directory device groups. This will ensure that as devices enroll, they will be automatically grouped and receive the same policies and apps as the original Intune group.

Once a tenant enters the migration process for grouping and targeting, Intune will automatically create a dynamic AAD group to correspond to an Intune group targeted by a Corporate Device Enrollment profile. If the Intune Admin deletes the targeted Intune group, the corresponding dynamic AAD group will not be deleted. The group’s members and the dynamic query will be cleared, but the group itself will remain until the IT Admin removes it via the AAD portal.

Similarly, if the IT Admin changes which Intune group is targeted by a Corporate Device Enrollment profile, Intune will create a new dynamic group reflecting the new profile assignment, but will not remove the dynamic group created for the old assignment.

Defaulting to managing Windows desktop devices through Windows settings

The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM agent enrollment flow rather than through the PC agent. The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.

Improving mobile app management support for selective wipe

End users will be given additional guidance on how to regain access to work or school data if that data is automatically removed due to the “Offline interval before app data is wiped” policy.

Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in January.

New MDM server address for Windows devices

Windows and Windows Phone users attempting to enroll a device will fail if they enter manage.microsoft.com as the MDM server address (if prompted). The MDM server address is changing from manage.microsoft.com to enrollment.manage.microsoft.com. Notify your users to use enrollment.manage.microsoft.com as the MDM server address if prompted for it while enrolling a Windows or Windows Phone device. For additional information about this change, visit aka.ms/intuneenrollsvrchange.

New user experience for the Company Portal app for Android

Beginning in March, the Company Portal app for Android will follow material design guidelines to create a more modern look and feel. This improved user experience includes:

    • Colors: tab headers can be colored according to your custom color palette.
    • Interface: Featured Apps and All Apps buttons have been updated in the Apps tab. The Search button is now a floating action button.
    • Navigation: All Apps shows a tabbed view of Featured, All and Categories for easier navigation.
    • Service: My Devices and Contact IT tabs have improved readability.

You can find before and after images on the UI updates page.

Associate multiple management tools with the Windows Store for Business

If you are using more than one management tool to deploy Windows Store for Business apps, previously, you could only associate one of these with the Windows Store for Business. You can now associate multiple management tools with the store, for example, Intune and Configuration Manager. For details, see Manage apps you purchased from the Windows Store for Business with Microsoft Intune.

10 Feb.

Say Hi At Ignite 2017 Australia

For those of you heading along to Microsoft Ignite on the Gold Coast next week, drop by any of the four sessions I’ll be delivering during the week and say hello. When I’m not in one of these sessions I’ll either be near the hands on labs or dropping in to some of the sessions to make sure I learn something as well.
