Modern management for a modern world with Microsoft Intune - Ignite 2018
Updated: May 3, 2019
Modern management for a modern world made easy with Microsoft Intune! What a statement and title for the technical deep dive of today's pre-day session at the Orange County Conference Center in Orlando.
But how can you do that? Which systems are required for the configuration?
I don't want to give you a complete how-to for all the configurations, but in this post I want to give you some information about the Autopilot deployment and device management in the cloud, and also a tool to check if your Group Policy settings are supported in the cloud. I will do a later blog post with a short how-to, or step by step, to configure Windows Autopilot if you want - just leave me a comment.
Autopilot device enrollment
The whole morning was under the theme of cloud management of Windows 10 devices: deployment with Windows Autopilot and management with Microsoft Intune MDM (Mobile Device Management).
It is quite easy to configure your Azure Active Directory and Intune tenant to support the deployment of Windows 10 devices directly from the cloud. So you don't need to get the device from the vendor to the IT department and install the image from SCCM or WDS/MDT.
All you need from the hardware vendor is the device hardware ID. If the vendor can't provide it, you can grab it with a simple PowerShell script on the device before selecting the location and keyboard language (there you can press Shift+F10 to open a command prompt).
In Azure Active Directory you need a security group with all the devices you want to enroll with Windows Autopilot. You can create a dynamic device group and add the advanced rule that grabs all devices you want to enroll with Autopilot. This rule is (device.devicePhysicalIDs -any _ -contains "[ZTDId]") - the inner quotes around [ZTDId] are part of the rule.
You also need to upload the device hash you grabbed before with the PowerShell script and assign an Autopilot profile to the security group you created before in Azure Active Directory.
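As an added example (not from the session or this post), here is a small PowerShell script that reads the hardware hash from the same WMI class the Get-WindowsAutoPilotInfo script uses and writes it in the CSV layout Intune expects for the Autopilot device import. The output path is an assumption; any writable location such as a USB stick works.

```powershell
# Added example (not from the session or this post): read the Autopilot hardware hash
# of the local device and write it in the CSV layout Intune expects for device import:
# "Device Serial Number,Windows Product ID,Hardware Hash". Run elevated; during OOBE,
# press Shift+F10 and start powershell.exe -ExecutionPolicy Bypass first.
# $OutputFile is an assumption; any writable path (e.g. a USB stick) works.
param(
    [string]$OutputFile = "C:\HWID\AutopilotHWID.csv"
)

# The hash is exposed by the MDM bridge WMI provider (Windows 10 1703 or later).
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw "Could not read MDM_DevDetail_Ext01.DeviceHardwareData; run as administrator."
}
$hash = $devDetail.DeviceHardwareData

# Sanity check: the hash is a Base64 string. Reject anything else so a broken
# export is noticed here and not at upload time in Intune.
if ($hash -notmatch '^[A-Za-z0-9+/]+=*$') {
    throw "DeviceHardwareData is not valid Base64."
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
# The Windows Product ID column is optional for the Intune import; left empty here.
$productId = ''

$dir = Split-Path -Path $OutputFile -Parent
if ($dir -and -not (Test-Path $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# Write the header only once, so one CSV can collect several devices.
if (-not (Test-Path $OutputFile)) {
    Set-Content -Path $OutputFile -Value 'Device Serial Number,Windows Product ID,Hardware Hash' -Encoding ASCII
}
Add-Content -Path $OutputFile -Value "$serial,$productId,$hash" -Encoding ASCII
Write-Host "Wrote hardware hash for serial $serial to $OutputFile"
```

The resulting CSV is what you upload in Intune under Windows Autopilot devices before assigning the profile to the dynamic group.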
That's it, you are ready to enroll? No, you need to do some more stuff, because your employees need some default applications to work, not only the native Windows 10.
You also need to activate Windows Hello for Business and some more stuff, but that would be too much for this post.
Intune Application Management
First of all, can you deploy the Office suite with Intune and Windows Autopilot?
The answer is --> YES you can! But the only supported version of Office is Office 365 Click-to-Run; you cannot deploy Office by MSI. It also makes no sense to deploy and manage your device from/in the cloud and not use the newest Office from the cloud.
So you can directly select the Office Click-to-Run version to install in Intune; you find it under Apps --> Client Apps if you click Add and choose the type Windows 10.
In the Microsoft Store for Business (https://businessstore.microsoft.com) you can purchase apps from the Microsoft Store to deploy or make available to your employees within the Enterprise Store or the Company Portal.
After you purchased some apps in the Business Store, you need to run a sync, which you can start in Intune --> Client Apps --> Microsoft Store for Business. If you don't have it enabled, you need to do that first.
You can make policies so that your employees can only install apps you purchased in the Business Store and have no access to the normal Microsoft Store.
And last of the app deployment, you can also deploy Line-of-Business apps (LoB). This means you can deploy pretty much every application, as long as it is an MSI package. It's quite cool!
Now, what in the application deployment section is currently in preview and being tested by Microsoft?
Some of the attendees asked about support for EXE files and legacy apps in Intune. And it's quite good news: this is currently in preview and testing.
But Microsoft says you better use the new format named MSIX; with this you have the possibility to move the apps into the Business Store. The only thing is, the MSIX package needs to be signed with a certificate. I can't give you more information about MSIX, because I'm not an SCCM or packaging specialist. But there will be a session on Thuesday and my colleague Patrick Fontana will visit this session. You will then be able to read about it on his blog (https://itworksmart.azurewebsites.net).
Next, it will also be possible to use SCCM packages with Intune! What a great announcement! It's not clear how it will work, but it is on the roadmap! I think you need to upgrade your packages from SCCM to MSIX packages with the MSIX Packaging Tool from the Store (https://www.microsoft.com/store/r/9N5LW3JBCXKF) - it is in preview and needs an Insider MSA account to use it.
Windows Update for Business (WUFB)
Microsoft wants to move customers away from holding and deploying patches locally. They don't mind that the operating system is only updated every 6 months.
This is why Microsoft says to keep Windows 10 devices up to date by connecting them directly to the Windows Update service.
But you need to implement some update policies and make 3 rings (waves):
Preview (IT, Developers)
Targeted Pilot (Early adopters, Volunteers)
Broadly Deploy (Information workers, General population)
You can configure this in your Intune tenant. Go to Software updates --> Windows 10 Update Rings --> click on Create and configure the first ring.
Short information about the servicing channels:
Current Branch for Business is now named --> Semi-Annual Channel
Current Branch is now named --> Semi-Annual Channel (Targeted)
It is also possible to stop the rollout of new features if you find some problems after the first ring. You can do it directly on the configured ring in Intune by clicking Pause. Or if you need to roll back, you can also directly uninstall the latest feature update.
Last but not least about Windows Autopilot and Intune enrollment: use the Windows Analytics service. You get a lot of information about upgrade readiness, update compliance and device health. Windows Analytics can help you solve some problems before they get big.
You will find it in your Azure Portal (https://portal.azure.com) under Log Analytics.
How can I move my devices from On-Premises management to cloud management with the same Group Policy Objects (GPOs), or check if the GPOs can be transformed to the cloud?
It is not recommended to use all Group Policy configurations from On-Premises in a cloud-driven management as well. But you can verify if your On-Premises GPO settings are supported in the cloud. Microsoft says that they don't want to support all On-Premises settings in the cloud, because it is not needed.
To check your GPOs you can use the MMAT (MDM Migration Analysis Tool), which creates a report as XML or HTML with the configured GPO settings and whether they are supported in the cloud or not. How great is that?
If you think that some unsupported settings need to be supported, you can send the report directly to Microsoft and they will check it.
You now think: yes, they "check" it and you never get an answer. But that's not right, they check all incoming reports and give you an answer whether they will take it on the roadmap, or why not. They need the customers' voice!
Microsoft is also looking into implementing some ADMX files in Intune, but they won't be as big as you know them from your On-Premises environment. As said before, they don't want to bring all the Group Policy settings to the cloud, because you don't need them, and in your currently applied GPOs you still have settings from Windows XP ;-)
One fancy thing to the end. And it is really pretty cool.
Do you know the Graph API? No? You should learn how it works and how it can help you to automate perhaps a full configuration of Microsoft Intune.
David Falkus presented the ingredients of the Graph API and made a demo configuring all the stuff we made in this workshop session today with a script, the Graph API and JSON. The configurations over the whole day needed about 7h, and he made it in 2 minutes and 27 seconds! What great stuff!
With the Graph API you can export and import device management policies, such as compliance policies.
You can get documentation about the Graph API at https://graph.microsoft.com; it is such a powerful and useful tool.
It also has a GitHub repository with a lot of scripts, so you don't need to write them yourself (https://github.com/microsoftgraph/powershell-intune-samples).
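As an added example of the export/import mentioned above (written for this post, not taken from the session or the powershell-intune-samples repository), this PowerShell exports all device compliance policies to JSON files and imports one back through the beta Graph endpoint. It assumes $Token already holds a valid bearer token with DeviceManagementConfiguration.ReadWrite.All (how you obtain it is not shown) and that $ExportDir is a writable folder.

```powershell
# Added example (not from the session or the powershell-intune-samples repository):
# export Intune device compliance policies to JSON files and import one back via Graph.
# Assumptions: $Token holds a valid bearer token (e.g. obtained with MSAL) with
# DeviceManagementConfiguration.ReadWrite.All; $ExportDir is a writable folder.
$Uri       = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
$ExportDir = 'C:\IntuneExport\CompliancePolicies'
$Headers   = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

function Export-CompliancePolicies {
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $count = 0
    $next  = $Uri
    # Graph pages large result sets; follow @odata.nextLink until it is absent.
    while ($next) {
        $page = Invoke-RestMethod -Uri $next -Headers $Headers -Method Get
        foreach ($policy in $page.value) {
            # Derive a file name from the display name, replacing characters invalid in paths.
            $name = $policy.displayName -replace '[\\/:*?"<>|]', '_'
            $policy | ConvertTo-Json -Depth 10 |
                Set-Content -Path (Join-Path $ExportDir "$name.json") -Encoding UTF8
            $count++
        }
        $next = $page.'@odata.nextLink'
    }
    return $count
}

function Import-CompliancePolicy {
    param([Parameter(Mandatory)][string]$Path)
    $policy = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # Read-only and tenant-specific properties are rejected on POST; drop them first.
    foreach ($prop in 'id', 'createdDateTime', 'lastModifiedDateTime', 'version', 'assignments') {
        if ($policy.PSObject.Properties[$prop]) { $policy.PSObject.Properties.Remove($prop) }
    }
    # A compliance policy needs at least one scheduled action or the POST is rejected;
    # add the default "mark non-compliant immediately" action when it is missing.
    if (-not $policy.scheduledActionsForRule) {
        $action = @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
        $policy | Add-Member -NotePropertyName scheduledActionsForRule -NotePropertyValue @(
            @{ ruleName = 'PasswordRequired'; scheduledActionConfigurations = @($action) }
        )
    }
    $body = $policy | ConvertTo-Json -Depth 10
    Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Post -Body $body
}

# Usage: $n = Export-CompliancePolicies; Import-CompliancePolicy -Path "$ExportDir\<name>.json"
```

Point $Token at a second tenant before calling Import-CompliancePolicy to copy a policy from one tenant to another, the same idea behind the Graph demo from the session.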
It was a great first day at #ignite18.
Thanks to the presenters, you did a great job!
And thank you for reading, I hope you found it a bit informative.
What do you think about the new management from the cloud?
Does this have potential in your environment or on your customers?
Leave me some comments, let's discuss together.