MDM & GP Tips Blog

Dec 2018
19

Why you can use LAPS and banish logging on as Domain Admin when doing remote help

So, okay.. you don't want to log on with your Domain Admin credentials to Mr. End User's machine.

Doing so increases the risk of Pass the Hash attacks.

My pal Aaron Margosis from Microsoft shows how you can use Group Policy to block logins from anyone EXCEPT local admins.

AND, because you're using LAPS to maintain local admin passwords, only that account can log on.

Brilliant.

Here's the blog entry to increase your security:

https://blogs.technet.microsoft.com/secguide/2018/12/10/remote-use-of-local-accounts-laps-changes-everything/

 

Dec 2018
11

What is ADMX File Ingesting in Intune?

What is ADMX File Ingesting in Intune?

 

We’ve talked about how Intune has incorporated ADMX backed policies to manage even more settings in your Windows 10 devices.  But what if you want to deliver settings that aren’t part of the “in the box” policies from Microsoft.  Well, if you are familiar with Group Policy, then you are aware that you can garner more policy setting opportunities by importing new ADM or ADMX files.  For instance, Microsoft Office has an ADMX file as does other third party applications such as Adobe Reader and to some extent, Mozilla Firefox.   Well you can import additional ADMX files for MDM as well, although its currently not as easy as there is no central store for MDM like is the case for Group Policy.  There is no way (at present) to add additional ADMX templates with a couple clicks of the mouse, but with just a little bit of trouble, you can do it.

The process of importing ADM or ADMX files into MDM is called “ingesting.”  The ingesting process goes like this:

  • We create a Custom Windows 10 policy
  • We ingest the custom ADMX through the Policy CSP
  • We apply the settings we want to enforce

So how do we ingest an ADMX file?  Well, in this case, ingesting means copy/paste.  You obtain the ADMX file you need and then open it in some type of editor such as Notepad.  For this example, I’m going to use the OneDrive.admx file.  I’m not going to show what the entire file looks like in Notepad, but here is what the first part of it looks like:


    
As discussed earlier, creating a custom policy means creating a Custom OMA-URI.  To ingest an ADMX file we must use the following format:

./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{AdmxFileName}. 

I don’t want to get into the boring details concerning the naming of these variables.  Just follow the basic guideline that you should assign the (setting type) variable as “policy” and the other two variables should be meaningful names such as the actual name of the App and the actual name of the ADMX file.  You can name them anything you want actually but its always best to use names that are intuitive for other personnel.  In the case of our OneDrive ADMX example, that would translate to this:

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OneDrive/Policy/OneDriveAdmx

As you mentioned, copy the entire contents of the opened ADMX file in Notepad and paste it into the value text box as shown below:

Once the new profile is created, we can then use it to deliver the new supported settings using that profile.   

Dec 2018
07

Azure and Intune Assigned Groups (and how Groups are related to Intune)

One of the principles of proper AD administration is to congregate your users into groups to make it easier to assign permissions and rights.  We use groups within Intune as well for this same reason.  In this case, Intune uses Azure AD to manage access to your company’s resources which is controlled using roles in the directory.  There are two default groups within every implementation of Intune.

  • All devices
  • All users

If you are using Intune for Education and you use School Data Sync to import you school records, you have two additional default groups.

  • All teachers
  • All users

These default groups represent a very broad scope and by themselves probably aren’t of much use.  That is why we need to create custom groups that can be tailored to the needs of our organization. There are two types of custom created groups in Intune, one being Assigned Groups.  Assigned groups are used when you want to manually add specific users or devices to a group.  You can create groups by a number of criteria such as geographic location, department, hardware characteristics, etc.  For instance, you could create one assigned group for your Windows 10 devices and one for your iPads.  You could create one for your desktop PCs and one for your mobile devices.  You can separate users into separate groups as well such as HR, Finance and Marketing.  You can then use those groups to assign policies to users or deploy apps to a set of devices.  Note that the ability to create custom groups is available in any MDM service, not just Intune.

Creating a group is easy.  Go to the Groups section of Intune and click “New Group.”  Then add the required information for that group.  In this case we would select “Assigned” as the membership type. 

Once the group is made, you can then assign users to that group.  Note that just as in domain joined AD, you can nest groups within one another.  These subgroups can be used to break down large groups into smaller more manageable sizes.  Groups have a hierarchical structure to them in Intune which allows for inheritance.  Parent groups are at the top of the hierarchy and any settings applied to these parent groups are passed down to the subgroups.  This settings inheritance feature makes it easer to apply settings to large numbers of users and devices.  Know that you can only create subgroups under assigned groups.

Dec 2018
04

Azure and Intune Dynamic Groups

So Assigned Groups are great and there are many uses for them.  But we live in a dynamic world today and our Azure/Intune environments are often reflective of that.  Things change, and sometimes we need our groups to adapt to those changes.  That is why we also have Dynamic Groups.  Rather than specifying the users or devices to add to a group, we set criteria to define the members of a Dynamic Group.   When the specified condition applies for a user or device, it is added to the group automatically.  Should a member no longer satisfy the rule, it is removed from the group.  The use of Dynamic Groups can greatly reduce the administrative overhead of constantly adding and removing users for large enterprise environments that perpetually change.

There are a couple of things that are different when creating Dynamic Groups.  First off, P1 or P2 licensing is required to create and use Dynamic groups.  Second of all, we must make separate groups for users and devices as is shown below.

Once we create our Dynamic Group, we need to populate it.  Remember, we don’t select the users or devices ourselves.  We cannot manually add or remove a member from a Dynamic group.  We create membership rules which will then populate the groups by querying Azure AD to find the members that meet the criteria of that rule.  Make note again that we cannot create a rule that contains both users and devices.

There are two types of rules, Simple and Advanced.  I assume everyone wants to start with the easier one first so let’s create a Simple Rule.

A membership rule has 3 components:

  • A property
  • An operator
  • A value

Say we wanted to create a dynamic group to include all current users of the HR Department.  In this case the property would be “department,” the operator would be “equals,” and the value would be HR.  If this isn’t sounding very simple, think again, because the Simple Rule creator interface does a great job of guiding you through the process.  You just simply choose which option you want from each component menu.  This of course means that your rules are limited to the choices made available in the GUI.

So what about Advanced Rules?  Well sometimes you may want to run extensive queries that go beyond the confines of the Simple rule creation process.  Creating Advanced rules may look a little intimidating because there is no easy to follow GUI menu to guide you.  Instead you only get a text box where you write out your rule.  Actually its not that intimidating.  We could have created an Advanced rule for our previous example for those users who belong to the HR Department.  The “rule equation” per say would be as follows:

(user.department -eq "HR")

A good example of when you might need to use an Advanced rule would be if you are applying multiple criteria in a single rule.  For instance, you want to create a Dynamic device group for Windows 1809 devices.  In this example, the rule would have to first query for Windows devices and then perform a subsequent query for the build number, which in this case is “10.0.17758.”  The resulting rule would then be as follows:

(device.deviceOSType -eq “Windows”) -and (device.deviceOSVersion -startsWith “10.0.17758”)

 

Nov 2018
30

How to Buy a Laptop for the Normal Person.. in 2019

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my popular blog entries of all time. Here’s my fully updated guide to end-of-year 2018 into 2019.

Quick updates for 2018-2019:

  • Snapdragon "Always on / Always Connected" PCs
  • What is M.2 storage?
  • Jeremy's laptop update ... one year later... after 7 years with his old one.
  • The laptop I use around the office for regular people (Spoiler alert.. it's NOT a Dell).

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”

You might be tempted to say “Buy a Macbook” – if only for the reason that you DON’T have a Macbook, and therefore would be unable to help the person in the future. (See this for the example of the problem: http://theoatmeal.com/comics/computers) That being said, Macbooks are pretty awesome, and if you want to real work on a Macbook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2017-2018.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and .. I’m done.

These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2019

We’re going to answer some questions here like:

  • Laptop or Ultrabook ?
  • What "Chip" should I get in my laptop?
  • Laptop or iPad or Surface (Windows Tablet)?
  • Should I get a $200 Windows laptop?
  • What is / should I get a Microsoft Surface?
  • What’s the deal with Android Tablets and Google Chromebook Laptops?
  • iPad Pro? Will that work for me?
  • Where can I get good deals?
  • What kind of hardware (and warranty) should I get?
  • Should I get Windows 10 or hunt down a laptop with Windows 7?
  • Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

  • Laptops: You know what a laptop is.
  • Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II:  Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can help kinda-sorta help you to do ACTUAL WORK. There’s the iPad, iPad Mini and “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK. 

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails. 

The bonus of a laptop over an iPad is… its just better at creating and editing documents. Yes, you CAN create documents, deliver slideshows, or make a spreadsheet on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still the content creation software and experience isn’t the same as a Netbook, laptop or desktop.

That being said, you might have a friend who "gets away with" having an iPad instead of a laptop. Indeed, Apple tried to suggest this was possible with this ad (link to video).. where a child in the future doesn't even understand te concept of a computer. Spoiler alert: Most people completely hate this ad.

So, here’s my verdict if you want a “Not Full Windows Machine”:

  • If I had “real work” to do, and had to only pick one travel machine for the next 5 years, then, sorry iPad, I’d have to go laptop.
  • If I’m sitting on a beach, bus or couch and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

I will say that Android devices (Phones and tablets) seem to get a lot of viruses and crap that iPads simply do not. For that reason alone, I wouldn’t recommend them to most people.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop thing” running an OS called the Chrome OS.

Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

  • Does it run Windows applications? No.
  • Does it run Mac applications? No.
  • Does it run iPad apps? No.
  • Does it run Android apps?  See below.
  • Might you want one anyway? Possibly.

A recent addition to the Android arsenal is the new idea where SOME Chromebooks can run Android apps. Here’s a list of currently supported devices. Of course I don’t maintain that list and who knows when it gets updated.

But that’s kind-of-sort of interesting for me, if there was some key application I wanted to use while in my submarine or the WiFi goes down.

Back to their core usage: Where are these Chromebook devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook is their “daily driver” for all things. And with the addition of Android apps you can take on-the-go with you, it’s a serious iPad contender and possible laptop replacement for some.

But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things. In fact, I tried this.. I tried to suggest to an "older friend" to give a Chromebook a try, but she didn't love it. I'm not exactly sure why.. but maybe it was just too different from her usual (old) experience and went back to Windows.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

  • Extra ports or USB 3.0 vs. USB 2.0.
  • USB “C” port(s). (None of my laptops have this, and I do just fine, thank you very much.)
  • One or two “video chips” (don’t get me started).
  • Keyboard twists / converts to make it a tablet.
  • Keyboard snaps off to make it a tablet.
  • Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
  • Some are a little faster or a little slower.
  • Some are heavier. Others are lighter.
  • Some have 10-key keypads build in and some do not.
  • Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
  • Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
  • Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same “guts” and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year and until I'm dead, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

2. Dell Factory Outlet  This is Dell’s “island of lost toys.” This usually mans “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.”  Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.

3. Tigerdirect.com and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always “factory direct warranties” whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore “up and down” that they had the most amazing warranty of all time, PLUS a killer deal  I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites: NewEgg.com, Buy.Com, Woot.com and others. Again almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea... as a RECOMMENDATION for most people. (More on this later.)

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop? (But, read all the way to the end about why I personally use Lenovo laptops. Trust me: This makes sense if you read all the way to the end.)

Simple. Dell's warranty is easy for my pea-brain to understand.

Here’s how it works:

  • The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
  • If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
  • If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
  • For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
  • For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”

That’s the deal.

So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

  • 99% of the any laptop you get is exactly the same and
  • I can EXPLAIN the warranty to them and ..
  • They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

If you’re running some high powered stuff like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, HyperV, Autocad, Camtasia Studio or Mathemetica, you might need more than what I’ve listed here.

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal Entry on them. And here’s a LaptopMag.com article from 2017 on sub-$200 laptops) And here's an article for 2018 from Best Laptops World for computers under $200. But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Regular Intel Chips: i3 / i5 / i7

Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Intel Celerons (Avoid at all costs)

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop .

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.  

ATOM Processor

I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.

Snapdragon Laptops (new for 2018-2019)

New for 2018-2019, there's a new choice on the block ... in a chip called Snapdragon. If this word maybe sounds familiar to you, it's because many phones utilize Snapdragon processors. They are very low power, which means you get pretty insane battery life. Snapdragon laptops are closer to ATOM processors than they are to Intel i3/i5/i7s. This is because all the software you're running has to convert everything from "Intel speak to Snapdragon speak."

They are considered "Always on, always connected." So even if you close the lid, they don't really go to sleep... they jusst "sip" power and will just be ready to rock when you re-open the lid. (Like an iPad works.)

The good news is that, by all accounts, Snapdragon PCs are pretty nifty and if you use your PC like I use my iPad... for checking web stuff, surfing, skyping, etc etc. If you use a PC like this, then a Snapdragon PC is a pretty good choice. There is a tradeoff: you have to sacrifice a speed drop, but you get a really big advantage of outrageous near all-day battery life. Well, that's the idea anyway. This fair review of a Snapdragon PC is not too, too glowing. These Snapdragon PCs are getting faster... but I'm not sure I would want it to be my daily driver. So... I'm not recommending it for students, and "worker bees" or people who create content and work for a living... yet. Maybe 2019 - 2020 or 2021 will be the year.

Gamer Laptops

Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around. And I've used some of these gamer laptops, and they don't really feel faster than what I'm using now for work-like stuff. I'm sure they do awesome on games. But I don't play games.

RAM:

The new modern standard is 8GB. You could get away with 4GB likely just fine. But if if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are fivekinds of hard drives now:

  • Spinning disks (the kind we’ve had for years)
  • SSD disks which have no moving parts at all and
  • eMMC drives (also have no moving parts at all)
  • Hybrids which are spinning disks with some extra SSD stuff slapped on.
  • M.2 disks which are like SSD disks, and look like little sticks of Wrigley's gum. These are generally faster than SSD disks, aren't needed for most mere mortals. Standard SSD disks are just fine.

Note that the older spinning disks are still found in 50% of all laptops. These are typically labeled SATA, but that's kind of a misnomer. SATA is the interface... so a SATA interface might connect wither a traditional spinning disk -or- an SSD disk. So, read the fine print and verify what you're getting when you see "SATA": are you getting a spinning disk (connected via SATA)? or are you getting an SSD disk (connected via SATA)?

I would avoid spinning disks in total now, and opt only for the SSD  or M.2s (which has no moving parts.) The catch however is that SSD and M.2 disks are more expensive than older spinning disks (for the same amount of space.) Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big. Avoid eMMC drives, which are found in PCs as well; these kinds of drives are made for phones' storage, but sometimes PC makers will put them in PCs. Don't use eMMC drives if possible.

In short getting an SSD (or M.2)  vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.

Really.

Even if you’re planning on watching NetFlix or Hulu, or playing Mindcraft, those kinds of apps really don’t care about your video chip / card much.

Even on my super old crappy 8 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop. 

In a total surprise, I find Microsoft Surface laptops to have "too much" resolution and too insane on my eyes. I'm over 40, and.. well, that means my eyes are just so-so. I would test-drive any laptop and make sure the resolution works for you. Of course this is adjustable in software / Windows.. but sometimes Windows looks lousy when not at the uppermost maximum resolution.

Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, the two laptops I own; neither has a touch screen.

Wireless Network Card:

All laptops have built-in Wireless cards. You don’t have to get all worried if you don’t have the fastest wireless card.

Ideally, look for one that has “n” in the spec, like 802.11n to get the fastest. Note that 802.11n isn’t actually the fastest thing out there. It’s actually 802.11AC but I think only a handful of laptop manufacturers put 802.11AC chips built into their notebooks (Asus being one of them).

Part VI: Picking the OS. Windows 10, Windows 10 S and Windows 7 

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will constantly upgraded and updated with new features every few months.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10. Besides, Windows 7 support ends January of 2020.. so I would avoid Windows 7. It's hard to find now on new machines anyway, so, just go Windows 10 and be done with it. 

My advice for “normal people” would be to spring for a machine with Windows 10 Pro.

Why not “Windows 10 Home?” It’s Cheaper right?

Right. But it’s missing ONE KEY feature I think everyone should be using, which is BITLOCKER Full Disk Encryption. And that is not within Windows 10 Home, so, for me.. it’s a non-starter.

Note: My geeky friends will notice Windows 10 Enterprise isn’t on this list, because they are NOT sold with NEW machines are only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): https://en.wikipedia.org/wiki/Windows_10_editions 

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer if you get “Windows 10 Ugprade rights.” I would just skip all of this and get Windows 10 Pro.

Now: There’s another new kid on the block with Windows. Windows 10S. Windows 10S comes pre-loaded on some laptops and here’s the deal:

  • You can only install stuff from the Windows 10 Store.
  • You can only use Microsoft Edge as your browser
  • You cannot “download any application from the Internet” (like .MSI or EXE apps) and expect it to run. It won’t.
  • You can UPGRADE from Windows10S one time to Windows 10Pro if you purchase a upgrade license.
  • You CANNOT DOWNGRADE from Windows 10Pro backward to Windows 10S.

So, why does Windows 10S exist? Because in the same way there is goodness and utility when an iPad is “locked” to using the Apple apps store, and an Android Tablet has goodness and utility when “locked” to the Android Store… Windows 10S also has goodness and utility when “locked” to the Windows 10 Store.

So these Windows 10S machines are like “Windows’ versions of Chromebooks, but you can download apps.. lots of them from the Windows Store and do a lot of useful stuff.” But you can’t get yourself into too much trouble with viruses, malware, and evil stuff because.. these Windows 10S computers simply cannot run that stuff.

So Windows 10S might be a pretty good option.. for SOME PEOPLE, SOME TIMES. Microsoft is touting Windows 10S as an excellent choice for Schools and “Front Line Workers” like hotel clerks, storefronts, and so on.. because they don’t need to do too, too much and don’t want to get into too much trouble. If this sounds good to you, check it out and see if a Windows 10S machine might be right for you. If it stinks, just return it. Or... you can do a one-time upgrade of Windows 10S to Windows 10 Pro. Here’s a good article about using a Windows 10S as a daily driver. I recommend the read.

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now” I would check to ensure your new machine it’s 64-bit compatible and Windows 10 64-bit is pre-loaded.

Okay  — why would you care?

  • Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
  • Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So it’s overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe possibly have some problems with some of the stuff ATTACHED to your machine, like Printers and Scanners. But Windows 7 and 8′s drivers support is excellent and those drivers should work in Windows 10. It’s a rare (mostly modern) device that won’t work with Windows 64-bit. Note: some won’t, and that’s a possible 64-bit risk.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 Pro 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: http://www.dell.com/Outlet/ 

I found many, many, many under $600. Here’s an example available now as I write this:

  • Processor: Intel Core 7th Generation i5 Processor
  • Windows 10 Pro 64-bit
  • 256 GB Solid State Drive
  • 8GB DDR4 RAM 
  • 14 Inch HD (1366×768) LED-backlit Non-Touch Display
  • Intel HD Graphics
  • Dell Outlet Latitude 5480 Laptop

Total price: $587 (as of Nov 29, 2018)

Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops. 

You could argue that touch is becoming more and more important. So, if you wanted touch, then… get one with touch.  :-) Again: I have two "daily driver" Windows PC laptops, neither has touch, and I don't miss it, not even a litle bit.

If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.

Part VII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. Its also in their best interest to say “500GB hard drive” or “750GB Hard drive”. Sounds HUUUUGE. So, ”spinning disks” do the job. They’re cheap and plentiful.

But, your spinning disk is holding you back.

SSD and M.2 disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.

So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and costs involved here. But I think its worth it. Here goes:

  • Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
  • Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO.  Here on Amazon it’s $158.00 for the 120GB version.  A little more for 256 and so on, and you can select up to 1TB if you wanted (obviously for more money.)

In MOST cases (not all!) these drives come with a cable and software to MIGRATE the hard drive you HAVE onto the new platform. Always remember that in most cases, you need to be USING less space than you’re GOING to. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB spinning disk hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

Its usually pretty easy to then take out the OLD drive and throw in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.

What do you do with the original drive you took out? For $10 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I finally in 2017, retired my laptop that I used since 2011 !! Up until this year, I used a Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

Now, for a little over a year, I have used a Lenovo T470P (P= Performance in case you care) with an i7-7820HQ 4-Core 2.9Ghz processor, 32GB RAM, and 2TB M.2 SSD space (which cost me as much as the laptop ITSELF!)

BUT REMEMBER: BUT I AM NOT A REGULAR PERSON.

I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and its totally fantastic to represent my “mere mortal machine”. This is the machine I carry around the house, or on a one or two day trip somewhere, where I am not presenting demos (but maybe demoing PowerPoints only). It has "near all day" battery life, but is pretty fast, and I can do 98% of what I would need to on my super fast "big boy" laptop.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. But I personally like Lenovo’s “build quality” a lot better, and .. with my multiple Lenovo laptops I’ve owned over the years, I have literally NEVER needed the warranty. I’ve never had a pixel go bad, never had a USB port fry out, or a keyboard die. Not one. Not ever.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, seriously fast hard drive and a lot lot more.

Again: my set up is NOT RECOMMENDED for regular people.

Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.

I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on afraid to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.

For some of the people in my business, I have purcahsed them Lenovo T430s machines which I got as a refurbished deal on Woot.com. These are "off lease" / refubished machines. "Why would I do this to myself?" flying in the face of my own advice. Again: I'm not a regular person. I know what I'm doing. If one of these laptop dies, I'm confident I can rip the hard drive out and stick it another PC and be working the same day. And, I've had one of these machines fail.. the same day I got it. And then never again. So, again: Lenovo's appear to work like tanks, and I'm happy with my skillset to deal with "no warranty" or "sub-par" warranty on these systems to save some dollars, because I can recover if one of these T430s machines should die around the office.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommended the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Nov 2018
27

Windows 1809 ADMX Files, Spreadsheet, and Security Baselines ... Out the door and final.

If you're using Windows 1809, the final 1809 ADMX, 1809 ADMX Spreadsheet and 1809 security baselines are out the door.

1809 ADMX: https://www.microsoft.com/en-us/download/details.aspx?id=57576

1809 Spreadsheet: https://www.microsoft.com/en-us/download/details.aspx?id=57464

1809 Baselines: https://blogs.technet.microsoft.com/secguide/2018/11/20/security-baseline-final-for-windows-10-v1809-and-windows-server-2019/  

As a reminder, here's my best practice video for ADMXs and how to update the central store: https://www.youtube.com/watch?v=Op7hAvc5a0M

That's it. ! Hope it helps you out!

Thanks to my friend Jeremy F for the reminder to send this to the gang... !

 

 

Nov 2018
27

What is the Policy CSP and why is it special to Intune?

So we said that CSPs are embedded interfaces in the Windows 10 OS that give MDMs the ability to read, set, modify and delete configuration settings.  This gives administrators the ability to command and deliver settings for enterprise devices.

There are many CSPs, but there is one particular one that is special.  That one is the Policy CSP. 

Like all CSPs, the MDM engine takes directives from it.  What makes it prominent is that it contains so many of the common items that admins are used to managing in Group Policy.  For instance, the Policy CSP contains settings for common components such as:

  • Browser
  • Defender
  • Device Guard
  • Power
  • Remote Desktop Services
  • Update

For instance, may you want to prevent users from terminating a task in the Task Manager.  Well, the Policy CSP contains a TaskManager Policy and the name of the settings is TaskManager/AllowEndTask.  The data type for this setting is integer and the supported values are as follows:

  • 0 - Disabled. EndTask functionality is blocked in TaskManager.
  • 1 - Enabled (default). Users can perform EndTask in TaskManager.

The TaskManager Policy is supported in the following Windows 10 Editions.

Chart taken from https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-taskmanager

The Policy configuration service provider contains sub-categories.

  • Policy/Config/AreaName – Handles the policy configuration request from the server.
  • Policy/Result/AreaName – Provides a read-only path to policies enforced on the device.

The Policy CSP have a scope to which its settings can be configured.  Some policies have settings that only apply to the device itself regardless of who is logged on to it.  Others apply to the user which means that settings can vary depending on which user logs on.  Each policy includes a path that defines its scope.  The possible scope paths are as follows:

User scope:

  • ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./User/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

Device scope:

  • ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./Device/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

This is a quick introduction to the PolicyCSP. In other blog articles we'll examine more how to take advantage of it.

 

Nov 2018
20

What is a CSP and what is a Custom OMA-URI? (and how do I deploy one in Intune)?

CSP stands for Configuration Service Provider.  You might think Intune i somehow a CSP but that would be incorrect. 

Intune is an MDM service. 

A CSP is a component of the Windows 10 operating system; kind of like a Client Side Extension (CSE) is to Group Policy.

The CSP is what gives IT personnel the ability to apply device-specific settings to Windows devices.  In our case, that means using Intune to do it.  In doing so, IT can be assured that all company devices are compliant with the standards and policies set forth by the organization.  Keep in mind that you can deliver setting configurations to CSPs through other means than an MDM such as Windows Configuration Designer, which is used to create provisioning packages.  

So what are these CSP’s?  Well, you can go to Microsoft’s website and look them up at https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference.

Notice that not all operating system editions support each CSP because some settings are unique to select OS versions.  In addition, many CSP’s contain settings introduced in designated Windows versions.  This means that the settings are not supported in versions prior to that release.  

So let’s look at the inner workings of a CSP.  Let’s say you want to enable BitLocker for all the mobile devices used by your HR and Finance personnel.  Well, there is a CSP for that called BitLocker CSP.  If we look at the available settings for that CSP, they look like this:

Chart came from https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

CSP settings accept some sort of data type value to enable or disable the setting.  In this case, the data types are integers, either a 0 or a 1.  A value of 0 disables the settings while a value of 1 enables it.  The setting RequireDeviceEncryption for instance allows an administrator to require the use of BitLocker encryption on designated devices.

So let’s say our security minded administrator wants to deliver an integer data value of “1” to the BitLocker CSP contained within the HR and Finance devices.  That administrator just needs an interface to configure, assign and deliver them, and that is where Intune comes in.  Below, a Profile was created called “BitLocker Settings”  that now delivers the selected Windows Encryption settings.

How easy was that?  Ridiculously simple indeed. 

Keep in mind that not all CSP settings are "surfaced" as settings within Intune. 

So what happens when we want to configure settings on a CSP that doesn’t appear in Intune?  Well, there are two options.  The first would be to sit and wait around with our fingers crossed and hope that Microsoft Intune developers will add our desired settings soon.  The other way is to take matters into our own hands and make a Custom OMA-URL.  So how do we do this?

A key (and useful) example is how to make MDM vs. GP more deterministic.  Starting with 1803 however, a policy called “ControlPolicyConflict/MDMWinsOverGP was created to give you control over which one won.  So while the policy setting doesn’t appear by default, we can create a customized URI for it that will enforce the outcome we want. 

Intune provides an interface to create Custom OMA-URI policies within a profile.  We just have to provide some information which is outlined below. 

  • Name
  • Description
  • OMA-URI
  • Data Type
  • Value

In the case of this CSP, the possible values are

  • 0 (default)
  • 1 - The MDM policy is used and the GP policy is blocked

In the case the creation process will look like this:

For more information concerning this particular CSP:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp

But the point is: Don't have a "knob" for the setting? Make a custom OMA-URA and you're off to the races.