MDM & GP Tips Blog

I found this 200% by accident.. It's pretty interesting.. about Microsoft's own transition to Microsoft Management. What's going well, what isn't, and so on.

Someone dares to ask the question of "When will Microsoft completely walk away from traditional management?" The answer ... is toward the end ... 

Spoiler alert: It's gonna be a while. 

Still interesting, and they're putting one foot in front of the other.

https://www.microsoft.com/en-us/itshowcase/it-expert-roundtable-modern-desktop-and-device-management

Intune has come a long way since its inception and now offers a lot of great features to manage your organization’s mobile and Windows 10 devices.  The MDM approach to device management is a real change from years ago in which computing devices were either managed through the traditional AD joined domain model or were simply allowed to operate independently at the discretion of the user. 

Intune continues to introduce cloud based services that streamline and secure your devices, but users are often slow to accept changes into their environment.  In order to better educate users about the importance and need for device management and mobile security, Microsoft just recently updated the Intune Customer Adaption Pack in order to make the change in approach more palatable and decrease the transition time of Intune enrollment.  The adaption pack is especially valuable to organizations that previously did not require mobile devices to be enrolled for work access.

What’s in the Intune Customer Adaption Pack

The Adaption Pack is essentially a comprehensive communication plan that sets out to accomplish three objectives:

• Education users in how to enroll their particular devices in Intune
• Reassure users about their privacy concerning what type of device data is shared with IT
• Explains the safeguards in place to protect user privacy and company resources

The adaption kit is suited for IT admins, management and trainers to educate, prepare and guide their users for the enrollment process.

You can download the Intune Adaption Pack here.

IT admins, management, and trainers

The link downloads a zip file that includes a variety of documents, videos, posters and templates that can be leveraged to spread Intune adaption throughout your organization.   The enclosed contents are shown in the screenshot below.

The Welcome document outlines what is in the adaption kit.  The kit includes two email templates that can be used to communicate with your users about the coming transition to Intune.  You can use them as written or customize them according to your needs.  An example of email #1 is shown below.

As part of the , all employees worldwide will soon transition to Microsoft Intune, a unified mobile device management platform. Intune enables you to work productively and securely from anywhere, at any time and across all of your devices. All other mobile device management platforms used worldwide to secure documents, devices, and corporate data will be retired.

The email goes on to explain some of the benefits and expectations of Intune as well as a schedule of the coming steps that they will be asked to complete at the appropriate time.  This opening email also provides an opportunity to showcase any other new services whose access will be granted on devices managed by Intune.  These required actions are then outlined in the second email template that also reinforces the benefits and strategic reasons for the migration and provides users a timeline for the outlined process. 

The Intune Deployment Guide provides a wealth of information for your users that is compressed into two palatable pages that they can quickly read and apprehend.  The guide also includes a Word version that allows you to customize and include your internal resources and contact information.  Some of the topics outlined include:

• What information about their personal devices can and cannot be seen by IT?  This includes a link to the Intune privacy policy. 
• How internal IT will use the company portal or app store to install work apps
• What users can do if their mobile device is lost or stolen
• Security steps IT can take to secure data residing on enrolled devices
• Intune enrollment links for each applicable operating system

An example of the guide is shown below.

Training Videos

If you’ve had concerns about how to train your users to complete the enrollment process, the enclosed videos in the Adaption Pack will be a welcome tool.  The videos are step-by-step YouTube videos that show users how to easily enroll their devices in Intune.  Below is a screenshot of the Windows 10 video.

Two videos demonstrate how to either enroll an Android device for full management or enroll for Work Profile management.  An example of the Android device management is shown below.

The videos not only provide step-by-step directions on how to complete the enrollment process, but also summarizes again what information Intune has access to when it comes to user devices.  An example of this is shown in the MacOS video.  Note that there is also a separate video concerning iOS devices as well.

A Great Tool to Assure a Smooth Transition

The Intune Customer Adaption Kit gives you out-of-the-box training tools to educate your users about why Intune enrollment is so important.  It can help ensure that all targeted devices are enrolled quickly without the constant prodding of your users asking “what to do.”  By effectively communicating the necessary messages and information to your users, you will be able to begin enforcing compliance through conditional policies for all of your targeted devices.

Interesting Rando-News 

First, I know in my last email I said writing my book took "none" months. I meant nine. Nine months.
These newsletters don't have an editor, or even a good spellchecker. So they're a bit off the cuff.
My book has eyeballs and eyeballs of real pros looking at it. Even THEN there will be errors, but, hey.. they're nicely shellacked !

Next, here's a bunch of items I've been sitting on for a bit. 

Item 1: Windows 1903
---
I know you already know that Windows 1903 is out. Buuut.. it seems a little mysterious how to GET it and what's IN IT. Well, here's a blog which explains both. Be sure to click on "What's new for IT Pros in Windows 10, 1903" for all the best stuff.

https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#Sot6SPqZhUjM7lSa.97 

Item 2: 1903 Baselines are out
---
So Baselines are preconfigured advice which can be delivered via Group Policy or an MDM service like  Intune. (And, YES, of course with ALL CAPS I cover this in my "Group Policy (with a side of MDM)" training class, AND also in Chapter 10 of my new MDM/Intune/Autopilot/Azure book !)

Those baselines are here:  https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines

And, here's the official blog entry on it:
https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/

But, it's Item #3, that's related to Item #2 that's the big interesting thing.

Item #3: Microsoft no longer recommends password rotation for regular users. 
--
Yep, so inside the Baselines, Microsoft has taken a step back from requiring that users rotate their passwords. At first glance you might think "Wow, that really sounds like it LOWERS my security posture." But then, the real reason why this can be a good idea is found when you dig into Aaron Margosis' blog: "If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?"

There you go. So, if you're already implementing password rotation.. I guess "keep doing it" if you haven’t implemented the other mentioned security functions; but STOP if you HAVE implemented these other security measures. I found a few other's takes on this advice:

https://www.forbes.com/sites/daveywinder/2019/04/27/microsoft-confirms-change-to-windows-10-passwords-that-nobody-saw-coming/#4c0a682d7bf2

https://www.scmagazine.com/home/security-news/privacy-compliance/some-cybersecurity-experts-argue-this-may-be-one-of-the-last-global-password-days/?utm_source=newsletter&utm_medium=email&utm_campaign=SCUS_Newswire_20190502&hmSubId=c_Ol5WdI-AA1&email_hash=1640a0a38d3b4b638fd2beadfc5e9dc7&mpweb=1325-7621-514959

Item #4: Windows 1903 and Blurred Backgrounds
---
What do you think of those Blurred Backgrounds in Windows 1903 at login time? Don't like them?
Computer | Admin Templates | System | Logon | Show Clear logon background and set it to ENABLED.

Ah.. but what if you don't have the Windows 1903 ADMX files? 

Item #5: No Windows 1903 ADMX files yet.
---
They're not available yet for download. So you can always take a Windows 10 1903 machine and use the ADMX and ADML items from there if you're in a hurry. But I advise to wait for the download. I’ll let you know when that occurs.

Item #6: Super cool Windows 10 thing to broadcast your screen "over there." 
---
This is one of those things I'm wondering if everyone on the planet knew, except maybe.. Me. 
Basically, you can "project your whole screen" to an app .. "over there" on another Windows 10 machine. I tested this and it's so freeking cool. Just. So. Cool. My. Head. Exploded.  
Tip: Both computers have to be on the same Wifi or Bluetooth network. 
https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/How-to-Use-an-Additional-Computer-as-a-Secondary-Display/ba-p/681152

And now.. time for the plugs... :-)

- My CLASS (next Group Policy+ MDM class Chicago Sep 16 - 18th [three days].. Sign up today at www.MDMandGPanswers.com/class ) 
- Nor did I plug my new MDM: Intune, Autopilot and Azure book which is coming out in July (www.MDMandGPanswers.com/book)

No time like the present. Sign up for class and/or get your book. :-)

Happy Friday everyone !

While we used to actively block devices from registering with Intune and SCCM or Group Policy at the same time, we more than welcome this duality of management capabilities today.  Outside of cloud-only enterprises, Microsoft not only allows, but encourages the practice of allowing settings management from multiple sources. Microsoft refers to this current practice as co-management. 

The advantage of Hybrid MDM was that it allowed you to manage SCCM exclusive and MDM exclusive devices from a single console.  Essentially it was a a product of convenience more than anything.  With co-management, the two work in cohesion.  Clients can now have the Configuration Manager client installed and be enrolled in Intune.  For those organizations that have a considerable investment in time and resources in SCCM, Co-management adds greater functionality to your SCCM structure by incorporating cloud functionality.

Co-management requires version 1710 or later and requires all involved Windows 10 devices to be Azure AD-joined or joined to on-premise AD and registered with Azure AD.  For new Windows 10 devices, you can simply join them to Azure AD, enroll them in Intune and install the Configuration Manager client for co-management ability.  When it comes to Windows 10 devices that already have the Configuration Manager client installed the path is more complex, but basically requires you to setup hybrid Azure AD and enrolling them into Intune. Whichever way you get there; the end result is that you get the best of both worlds. 

Co-management is about more than just increased functionality however.  It gives IT administrators the flexibility to choose which management solution works best for their organization, devices and workloads they have to manage.  This facility of choice is exemplified in the screenshot below that shows the workloads tab of the SCCM admin screen.  As you can see, with co-ecomanagement you can switch the authority from Configuration Manager to Intune for select workloads.  This puts the SCCM admin in charge of which tool will manage what policies by simply moving the slider to the selected choice.

Note the presence of the “Pilot Intune” option.  As MDM is relatively new to most admins, Pilot Intune gives you the ability to pilot things first in order to ensure everything operates as expected.  Once results are confirmed, you can throw the switch all the way.  Eventually, Microsoft hopes that all the siders will be moved to the right, with everything hosted and managed in the cloud.  Those who are intimidated by SCCM might say that’s not a bad thing. 

Surprises are great when you are engrossed in a captivating movie.  A good novel always has multiple twists that you don’t see coming.  For the most part though, the world prefers predictability, especially when it comes to managing corporate enterprises.  The whole purpose of deploying settings is to ensure conformity to your enterprise client devices.  Group Policy and MDM were made to deliver a level of certainty to the enterprise.  

So what happens when Group Policy Settings and MDM settings collide with one another?  Because Windows 10 can potentially be a member of an on-prem active directory domain and be MDM enrolled as well, that is a distinct possibility.  Starting with the 1709 release, Microsoft unveiled a GPO setting that allows hybrid joined devices to be automatically MDM enrolled.  So let’s say we have a hybrid environment of Windows 10 laptops and just for grins we disabled Cortana using an MDM policy setting and enabled it using a Group Policy Setting.  Which policy do you would win out?  

If you had to guess, you would probably say Group Policy since it is the elder of the two.  If you did, you would be sort of wrong.  You would also be sort of wrong if you said MDM. 

How can you be sort of wrong you ask? 

Because when MDM and GP settings conflict, we honestly have no idea which one is going to win out. 

In fact, that is the default, expected behavior.  Yes, the default behavior is uncertainty.  Just like the stock market doesn’t like uncertainty, neither do network admins.

So in order to add some stability to these conflicting scenarios, Microsoft introduced a Policy CSP called ControlPolicyConflict/MDMWinsOverGP.  It uses an integer based data type for which there are two supported values:

• 0 (default state of uncertainty)
• 1 - The MDM policy is used and the GP policy is blocked.

To enable this policy, we have to create a custom OMA-URI setting as shown in the screenshot below.

So if MDM and the same Group Policy setting are contending to assign the SAME value to the SAME setting .. then you can use MDMWinsOverGP to force the MDM to always regardless of what GP is trying to do.  

If you are managing a hybrid environment with MDM and GPO, it may in fact be good practice to enable this CSP for good measure just to ensure that certainty will always prevail.  In the IT world, certainty is a good thing.

Long, long ago, well, actually not so long ago, there were two worlds.  There was the on-prem world and the mobile world, and the two would never become one, until of course they did one day.  Up until Windows 10 version 1607, a device could either be on premise AD or Azure AD.  This made sense at the time.  Back then, MDM enrolled machines was pretty much restricted to mobile devices as administrators wanted the extensive management control that Group Policy or SCCM provided them for enterprise desktops. Mobile devices were better served in the cloud and outside of device resets and remote wipe capabilities, there wasn’t much you could do with MDM early on.

It wasn’t thought a good idea at the time to have settings delivered from multiple sources.  In order to prevent that from happening, devices were blocked from the ability to simultaneously register with SCCM and Intune at the same time.  In fact, the activation of the SCCM client on a Windows device automatically disabled any built-in MDM capabilities.  Devices were segregated to one or the other.

If your company’s IT staff had separated SCCM administrators and mobile device administrators, then everything was fine.  But if you had to manage both desktops and tablets, you had to switch back and forth between the Configuration Manager console and the MDM console.  So Microsoft set about to integrate Configuration Manager with Intune with what was called “hybrid configuration” so that both on-prem and mobile devices could be managed from the same console.  Co-management between the two was born.  Note that Intune was the only MDM supported in this scenario.  The merging of these two platforms is illustrated below.

But as in everything, things change.  Microsoft put more focus into MDM as time went on, and as a result, more setting capabilities and features were built into Intune.  Organizations also started recognizing the value of migrating more computers to the cloud than just mobile devices.  Microsoft also began figuring out that it was in their interest to encourage customers to move to the cloud.  Because of these and other factors, the usefulness of allowing devices to co-exist in both on-prem AD and Azure AD was realized.  Starting with 1607, computers could be a part of both at the same time.  Then came 1709 in which the SCCM client could now run on a device without its MDM capabilities being disabled.  This made it possible for a computer to receive setting input from both sources.  This signaled the end of Hybrid MDM.  In August of 2018, Hybrid MDM became a deprecated feature and Microsoft began blocking the registering of new Hybrid MDM customers in November of the same year. 

I have to admit... making a simple registry change in Intune can be ... difficult. 

The Administrative Templates function is nice, for those (under 300 settings) that support them. 

But for the rest of the simple settings ... you might have hand-create custom OMA-URIs and usin ADMX backed policies to do it.

Here are some others' great guides to help you "follow the leaders" and convert your ADMX and/or use an ADMX-backed policy:

Those resources, show how to tear into an ADMX and ADML file and create a more complex ADMX-backed policy:

• https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies
• https://docs.microsoft.com/en-us/windows/client-management/mdm/enable-admx-backed-policies-in-mdm
• https://www.petervanderwoude.nl/post/allow-users-to-connect-remotely-to-this-computer-via-windows-10-mdm-admx-style/
• https://www.petervanderwoude.nl/post/deep-dive-configuring-windows-10-admx-backed-policies/
• http://carlbarrett.uk/admx-backed-policies-quickish-reference-guide
• http://thesccm.com/use-intune-policy-csp-manage-windows-10-settings-internet-explorer-site-to-zone-assignment-list/

I got a tip from Pat DiPersia at www.dipersiatech.com and Susan Bradley, MVP about this one.

In short, I tested it myself, but the latest Office 2016 ADMX files seem to have got a messed up XML tag, rendering the Outlook policy useless. I tested both the 32 and 64 bit templates. They both have problems with Outlook.

I've reached out to report this issue.

At least now you know if you're trying it yourself... you're not crazy !

The error when adding to your Policy store looks like this after you click on Admin Templates.

TIP:

The issue is the /policies closing tag is before the final /policy closing tag.  Looks like someone added a policy after the fact, and didn’t put it in the right spot.  The /policies tag on line 6285, should be on line 6296 (Followed by /policydefinitions.) See screenshot below.

This week an Intune feature I have been playing with for a while has finally gone live for Preview.
It’s called “Administrative Templates” and … oh wow, that sounds a lot like Group Policy Administrative Templates, and, oh yes. You’re right… mostly.

Now, before you go bananas saying “Jeremy, clearly Intune now has total Group Policy support!” Or, worse, beat the old trope that “Group Policy must be dead.”

As anything new, it’s worth investigation and to ensure it does what you think it’s going to do.

Let’s talk about the good stuff first !

So, to set the stage, you have to first understand what ADMX backed settings are within Intune / MDM.
It starts with the idea that some settings which are curated by the MDM team. Now, this is weird so stick with me. Because the MDM team is not the Intune team.
You can think of the MDM team as the “receiving platform” which decides upon the settings within the platform.

You can think of the Intune team as “expressing” those settings with knobs and buttons. And this is because Intune isn’t the only MDM game in town; for instance, VMware Workspace one, MobileIron, SOTI and others.

So, these ADMX-backed settings are, as you can imagine, real Group Policy settings which are supported by the target application, say, Explorer or Office.

But these settings are curated by the MDM team as “guaranteed to work and supported as such.”

If you want to see the official docs on Administrative Templates feature you can find it here: https://docs.microsoft.com/en-us/intune/administrative-templates-windows
Here’s the best part from the docs:

These templates are similar to group policy (GPO) settings in Active Directory (AD), and are ADMX-backed settings that use XML. But, the templates in Intune are 100% cloud-based. They offer a more simple and straight-forward way to configure the settings, and find the settings you want.

This is really nice. What’s not to like? Indeed, if you wanted to achieve these ADMX-backed settings before this feature came to be, you needed to know how to perform the dark arts of custom OMA-URI (a different topic for a different day.) Now, with Administrative Templates in Intune, for all those settings, those values are just click and go. +1 for that !

If you look at the docs, you’ll see the following line:

The administrative templates include hundreds of settings that control features in Internet Explorer, Microsoft Office programs, remote desktop, access to OneDrive, use a picture password or PIN to sign in, and more.

The key word here is hundreds. Why is it hundreds, and not thousands or “all”?

Well, you need to go back to something I said earlier. All settings in MDM (and by extension, Intune) are curated. Each setting must be vetted to work as expected and then guaranteed by the MDM platform.

Also, at last count the number of exposed Administrative Template settings is 237. (Note: I did not re-count it before publishing this; the number could have gone up somewhat.). As the docs state, most of the settings seem to revolve around Office, OneDrive, Internet Explorer, and a handful of system settings.

As such you will likely see this list grow over time, but my understanding is that this is not meant to overtake or subsume all existing Group Policy settings.
If you are looking for a setting which doesn’t exist in Intune.. either a native clickable one or via Administrative Templates, don’t despair or throw in the towel, yet.

If you want to make any real Group Policy, Group Policy Security and/or Group Policy Preference setting work thru Intune, you need to enhance Intune with a 3rd party tool. Here's a video for how it's done. An equallty effective option is to use this other 3rd party option, which works with MDM or whenever there is no MDM present.

Let’s talk about what’s missing, last.

If you get a chance to play with this feature, click upon Intune | Device Configuration | Profiles | Create Profile and select Administrative Templates (Preview) like what’s seen here.

Then under Settings, you will see the list of Administrative Template settings like what’s seen here.
Top of the page…

Bottom of page….

At the top of the page begins an alphabetical list of the curated ADMX policy settings and a Search (Filter) bar.
So, if you wanted to quickly search of OneDrive, you can find those settings.
But what you cannot do, like Group Policy, is see these settings hierarchical.

I can see both sides of this; this flat view reduces clutter. But my preference would be to see the settings hierarchical, so I could maybe find related settings around the primary setting I’m searching for.

Summary about Admin Templates in Intune

In summary, Administrative Templates a nice step forward in Intune. Just know that it’s not designed to attempt to take on all of Group Policy settings, but be on the lookout for increased coverage over the long haul as new interesting scenarios pop-up.

Starting in Windows build 18309, Cortana doesn't start talking "at you."... unless you're using Windows Home.

Why is this important? Well, check out this (hysterical) video for why not ...

https://youtu.be/Rp2rhM8YUZY

Before this you had to set a registry key. I've updated the Microsoft docs to reflect the change. :-)

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/cortana-voice-support