MDM & GP Tips Blog

Dec 29, 2022

New Intune Feature - Multiple Admin Approval Process

A new feature arrived with the Intune 2211 (November 2022) service release: Multiple Admin Approval (MAA). Its purpose is to limit what a single compromised administrative account can do, using what Intune calls access policies. An access policy requires that a change to a protected resource be approved by a second administrative account before it is applied. Each policy states which resource is protected and which group of accounts is permitted to approve changes to that resource.

Currently, MAA supports the following resources:

  • App deployments
  • Script deployments to devices running Windows or macOS

Whenever any admin creates or edits an object that involves a resource protected by an access policy, the change must be approved by a member of the approver group, without exception.

Let’s use a scenario to demonstrate how MAA works. First let’s create an access policy. To create an access policy, you must be assigned one of the following roles:

  • Intune Service Administrator
  • Azure AD Global Administrator

In the Microsoft Endpoint Manager admin center, go to Tenant Administration > Multi Admin Approval > Access policies and click “Create” as shown in the screenshot below.

Name the policy and then choose the resource you want to protect.

The final step is to choose an Approver group. Any user that is a member of this group can approve requests.  Now I have created my first MAA access policy as shown below.

For this demonstration, I created a temporary Intune administrator account.  When creating temporary accounts for testing purposes, it is good to define an active time window for these accounts so that they are deactivated automatically if forgotten. As shown in the example below, I created an account called testadmin and I defined a start and ending time for its active state.

Now, I will log on to Intune using the account I just created. I go to Apps > All apps and click Add. I then create a policy to deploy Windows 365 apps to Windows machines. In the final Review + Create screen of the wizard, there is a Business Justification section at the bottom, prompting the requester to state the justification for the change. Also note the outlined banner alerting the requester that a business justification is required and that the request must be approved before it is implemented. Once the business justification has been entered, click “Submit for approval” and the request is sent to Received requests, where it can be reviewed.

In a separate session, I have logged into Intune using an account that is a member of the approver group. As shown in the screenshot below, the request now appears (in this example, I created two requests). To approve or deny the request, click the URL in the Business justification column.

After clicking on the URL, the approver is shown the requested resource changes. The request can be approved or denied and the approver can add notes for feedback as shown in the screenshot below.  

Switching back to the testadmin account, I can see the status of the requests made by that account. As shown below, one is approved while one still waits approval.

Note that an individual who submits a request and is also a member of the approver group can see their own requests but cannot approve them. If no action is taken on a request for 30 days, it expires and must be resubmitted.

 

Dec 18, 2022

New Feature: Send Organizational Messages to Your Users with Intune

Intune has a new feature called Organizational Messages. It is a way to send branded messages directly to Windows 11 devices through Intune. These messages keep users informed about important changes or provide onboarding information for new employees, which is especially handy for organizations with a hybrid work strategy. There are three types of message to choose from.

  • Taskbar messages appear just above the taskbar and remain viewable until the user acts on them. Taskbar messages can be used to alert users about things like a critical Windows update that will be installed at the end of the week that will disrupt desktop operations.
  • Notification messages appear in the Notification Center as a popup before disappearing. Notification messages are good for informational messages such as a future training session.
  • Get Started app messages appear in the Get Started app the first time a user opens it after the device has been enrolled in Intune. These messages are good for sending welcome messages, device tips, company policy changes and new employee information.

To access the Organizational Messages feature, go to Tenant Administration in the Microsoft Endpoint Manager admin center and select Organizational Messages (preview) as shown in the screenshot below.

To configure Organizational Messages, you must be assigned one of the following roles.

  • Azure AD Global Administrator
  • Intune Administrator
  • Organizational messages manager (Microsoft Intune role)
  • Organizational messages writer (Azure AD role)

Prerequisites

Organizational messages are only supported on devices running Windows 11, version 22H2 or later. You must also have one of the following licenses for your users.

  • Microsoft 365 E3
  • Microsoft 365 E5
  • Endpoint Management + Security E3 and Windows Enterprise E3
  • Endpoint Management + Security E5 and Windows Enterprise E5

Each message type requires a logo for branding and identification purposes. This is usually the company logo. Only PNG files are supported, and each message type has a different dimensions requirement.

  • Taskbar messages must be 64 x 64 pixels
  • Notification area messages must be 48 x 48 pixels
  • Get Started app messages must be 50 pixels high and 50 to 100 pixels wide.

PNG files that don’t meet the exact dimension specifications will cause an error, preventing you from proceeding further in the message creation process as shown below.

You can include custom URLs in your messages, but they must be added to your list of verified Azure AD custom domain names.

Enabling Organizational Messages

Before creating your messages, you must enable the policy that allows the delivery of organizational messages. To do this, go to Devices > Configuration profiles and click “Create profile.” Select “Windows 10 and later” as the platform and “Settings catalog” as the profile type. Using the Settings picker, do a search for “experience” and then select it from the list of viewable categories. Then select “Enable delivery of organizational messages (User)” as shown in the screenshot below and complete the wizard by adding scope tags and user/group assignments.

Now you are ready to create your messaging.

Creating Organizational Messages

Go to Tenant Administration > Organizational messages (preview) and click on Message. You can then select the type of message you want to create as shown in the screenshot below. In this example we are creating a taskbar message.

Next you will upload your logo, which is required. You will also select which domain you want to apply the messages to and choose your preferred language. You can then preview what the message will look like.

Next you will configure a schedule for the message as shown below.

Complete the creation wizard by assigning the message to your targeted groups or users. Then review your created message.

The created message will then appear as part of your list of messages.

As mentioned previously, each of the three message types include different message templates. Below are some of the options for Notification messaging.

Some Limitations Concerning Organizational Messages

There are some limitations and issues concerning organizational messages that you should be aware of.

  • You cannot send messages to devices or mixed groups. An organizational message sent to both users and devices will only be sent to the users.
  • Users that belong to more than 200 groups are not supported by organizational messages (who knows why?)
  • You can’t assign priority levels to organizational messages so they will be received by users in random order.
  • Scope groups and scope tags aren't available in organizational messages.

Nov 28, 2022

Managing Windows Package Manager with Group Policy

Microsoft announced back in 2021 that Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023, and it wants organizations to transition to Windows Package Manager (WPM) instead. WPM is a command-line tool, winget, that you run from PowerShell or any other terminal; the client project is known as winget-cli. If you are running Windows 10 version 1809 or later, it should already be installed on your computer through a prior update. You can also install it with the App Installer package from the Microsoft Store.

There are two primary components when it comes to WPM. The first is the package, which represents an app, application or program. The other is the manifest, a YAML file containing the metadata that Windows Package Manager uses to install and upgrade software on Windows: the installer download URL, the installer’s SHA-256 hash, which the client verifies after downloading, and the silent-install switches. Like a Linux package manager, WPM does not actually host the packages. A source (such as the community repository on GitHub or the Microsoft Store) holds manifests, and the manifests tell the client where to download the installers from, typically the vendor’s own servers.

The point of this brief article isn’t to get into the details of WPM but to show how you can manage it with Group Policy. To do this, you will first need the “Desktop App Installer Policies” Group Policy Administrative Template files (DesktopAppInstaller.admx and its ADML), which you can download from the Microsoft Download Center. Copy these files to your central store. Then create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer. You will see a variety of available settings as shown in the screenshot below.



Let’s look at some of the most important settings here.

  1. Enable App Installer: Enable this policy so that users can use WPM. This and many of the WPM policy settings only require you to enable or disable them as shown in the screenshot below.


     
  2. Enable App Installer settings: Enabling this setting allows users to change settings for WPM (the winget settings file).
  3. Enable App Installer Default Source: The default source for Windows Package Manager is the open-source repository of manifests at https://github.com/microsoft/winget-pkgs. Disabling the policy makes that default source unavailable.
  4. Enable App Installer Microsoft Store Source: When enabled, the Microsoft Store is available as a source.
  5. Enable App Installer Additional Sources: When enabled, the additional sources you list are added to every machine. Note that users cannot remove sources added by this policy with winget source remove. You must specify each source location as shown in the screenshot below.

     
  6. Enable Windows Package Manager Allowed Sources: This policy is somewhat like the previous one, but instead of pushing sources it restricts which sources users are allowed to add themselves. When enabled, users can only add sources from the approved list; here too, you must specify the approved source locations.

    You can refer to this site for the latest information regarding Windows Package Manager.
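The settings above end up as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller. The following script is an added example, not from the original post, that reports the effective policy state on a machine and validates the JSON entries that the Additional Sources and Allowed Sources policies expect. The value names match those written by the DesktopAppInstaller template; the assumption that list entries are stored as numbered string values under the AdditionalSources and AllowedSources subkeys, and the sample source JSON at the bottom, are constructed for this example.

```powershell
# Added example (not from the original post): audit the Desktop App Installer (winget)
# Group Policy state and validate policy-defined source entries.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

function Get-WingetPolicyState {
    param([string]$Key = $PolicyKey)
    # Value names written by the Desktop App Installer ADMX for the policies discussed above
    $names = 'EnableAppInstaller', 'EnableSettings', 'EnableDefaultSource',
             'EnableMicrosoftStoreSource', 'EnableAdditionalSources', 'EnableAllowedSources'
    $props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
    foreach ($n in $names) {
        $raw = if ($props -and $null -ne $props.$n) { [int]$props.$n } else { $null }
        $state = switch ($raw) { 1 { 'Enabled' } 0 { 'Disabled' } default { 'Not configured' } }
        [pscustomobject]@{ Policy = $n; State = $state }
    }
}

function Test-WingetSourceJson {
    # A source entry is JSON with Name, Type and Arg; Arg is the source URL.
    param([Parameter(Mandatory)][string]$Json)
    $o = $Json | ConvertFrom-Json
    foreach ($f in 'Name', 'Type', 'Arg') {
        if (-not $o.$f) { throw "Source entry is missing required field '$f': $Json" }
    }
    # A source served over plain HTTP lets a network attacker substitute manifests
    if ($o.Arg -notmatch '^https://') {
        Write-Warning "Source '$($o.Name)' is not served over HTTPS: $($o.Arg)"
    }
    $o
}

function Get-WingetPolicySource {
    # Assumption: list entries are stored as numbered string values ("1", "2", ...)
    # under the AdditionalSources / AllowedSources subkeys, as ADMX list elements do.
    param([ValidateSet('AdditionalSources', 'AllowedSources')][string]$Type)
    $sub = Join-Path $PolicyKey $Type
    if (-not (Test-Path $sub)) { return }
    (Get-ItemProperty -Path $sub).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Test-WingetSourceJson -Json $_.Value }
}

Get-WingetPolicyState | Format-Table -AutoSize
Get-WingetPolicySource -Type AdditionalSources
Get-WingetPolicySource -Type AllowedSources

# Constructed sample of what a single source entry for either list policy should look like
Test-WingetSourceJson -Json '{"Name":"corp","Type":"Microsoft.PreIndexed.Package","Arg":"https://pkgs.example.internal/winget"}'
```

Run it on a client after a gpupdate to confirm that the GPO actually landed; winget --info also prints the group policies it sees, so the two views should agree.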

 

Nov 16, 2022

How To Set Time Zones using Intune

If you’re using Intune as your endpoint management solution, there’s a good chance you are managing devices dispersed over a wide geographical area. That may include multiple time zones. So how do you go about ensuring that each machine is matched with its correct time zone?

There are a variety of ways to assign a time zone to a Windows 10 computer.

  1. You can configure it in the registry under

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Then create a GPO using Group Policy Preferences to deploy the registry settings.

  2. In Windows 10/11 you can use the Windows Time Zone Utility, tzutil.exe. This is a command-line tool that you run from an Administrator command prompt. Use tzutil /? to see the available options.

    To see the list of time zones supported by Windows 10, use the /l switch. Keep this command in mind for later in the article.

  3. You can also use PowerShell. The screenshot below shows two commands: Get-TimeZone reports the current zone and Set-TimeZone assigns the desired one. Note that I am using “Hawaiian Standard Time”, which appeared in the tzutil /l output above.

  4. While you could deploy the PowerShell using Intune, there is a simpler way using the settings catalog. Log on to the Intune portal and go to Devices > Configuration Profiles and create a profile. Choose Windows 10 and later as the platform and Settings catalog as the profile type. Name the profile and then click the “Add Settings” link. Using the Settings picker, do a search for “time zone” and choose “Time Language Settings” as the category. Then select “Configure Time Zone” as shown in the screenshot below.


    Then input the desired time zone as shown below. These are the same time zone names we saw using the tzutil command utility earlier. In the example below I am assigning Eastern Standard Time. Other possible assignments could be Central America Standard Time, Central Brazilian Standard Time, GMT Standard Time, Pacific Standard Time, etc.


    Then like any configuration profile, select any optional scope tags, and assign the profile to the desired group or users.
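If you do go the script route, the one thing worth getting right is validating the time-zone ID before setting it: Set-TimeZone and the settings catalog both take the exact ID string from the tzutil /l list, and a typo produces a failed deployment rather than a wrong zone. The script below is an added example, not from the original post, that checks the requested ID against the IDs the OS knows, applies it, and verifies the result so it can double as a detection check. The DesiredTimeZone default is an assumption for the example.

```powershell
# Added example (not from the original post): set a Windows time zone with validation,
# suitable for running locally or as an Intune PowerShell script.
param([string]$DesiredTimeZone = 'Eastern Standard Time')   # assumed value for the example

function Test-WindowsTimeZoneId {
    param([Parameter(Mandatory)][string]$Id)
    # Get-TimeZone -ListAvailable enumerates the same zones tzutil /l prints; IDs such as
    # 'Hawaiian Standard Time' are compared case-sensitively (-ceq) to catch near misses.
    [bool](Get-TimeZone -ListAvailable | Where-Object Id -ceq $Id)
}

function Set-WindowsTimeZoneChecked {
    param([Parameter(Mandatory)][string]$Id)
    if (-not (Test-WindowsTimeZoneId -Id $Id)) {
        throw "'$Id' is not a valid Windows time-zone ID. Run 'tzutil /l' or 'Get-TimeZone -ListAvailable' for the list."
    }
    $current = (Get-TimeZone).Id
    if ($current -ceq $Id) {
        Write-Output "Time zone already '$Id'; nothing to do."
        return $current
    }
    # Same effect as: tzutil /s "<Id>". When deployed through Intune, run the script as
    # SYSTEM (not in the user context) so the change applies to the device.
    Set-TimeZone -Id $Id
    # Verify the change actually took, the way a detection rule would
    $after = (Get-TimeZone).Id
    if ($after -cne $Id) { throw "Set-TimeZone returned but the OS still reports '$after'." }
    Write-Output "Time zone changed from '$current' to '$after'."
    $after
}

Set-WindowsTimeZoneChecked -Id $DesiredTimeZone
```

The same validation applies to the value you type into the Configure Time Zone box of the settings catalog profile: it must be one of the IDs from that list, spelled and capitalised exactly.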

     
Nov 02, 2022

Should You Delete or Retire Computers from Intune?

We often talk about adding devices to the Intune environment, but what about removing them? What’s the best way to do it? There are several options. One is to have inactive devices removed from Intune automatically using a clean-up rule. An inactive device is one that hasn’t checked in to Intune for a set number of days. You configure the time window by going to Devices > Device clean-up rules and completing the two required settings. You can enter a number between 30 and 270. In the example below I have chosen 120 days as the cutoff, which means any device that has been inactive for 121 days or more is deleted from Intune the next time the rule runs. By clicking the “View affected devices” link you can see the list of devices that will be deleted once the rule is saved. Device clean-up rules do not affect Android devices.
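Before saving a rule it is worth previewing the candidate list outside the portal as well, so the threshold logic can be reviewed and the result kept as a record. The script below is an added example, not from the original post, that applies the same inactivity test to the managed-device list from Microsoft Graph. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module) is installed; the Connect-MgGraph scope and the Get-MgDeviceManagementManagedDevice cmdlet are the SDK’s own. The Android exclusion follows the post’s statement that clean-up rules do not affect Android devices, and the device list used for the offline check at the bottom is constructed.

```powershell
# Added example (not from the original post): preview which Intune devices a clean-up
# rule with a given inactivity threshold would delete.
function Get-StaleDeviceCandidate {
    param(
        # Objects with Id, DeviceName, OperatingSystem and LastSyncDateTime (Graph managedDevice shape)
        [Parameter(Mandatory)][object[]]$Devices,
        [ValidateRange(30, 270)][int]$Days = 120,      # same range the portal accepts
        [datetime]$Now = (Get-Date),
        [string[]]$ExcludeOperatingSystem = @('Android')  # per the post, rules skip Android
    )
    $nowUtc = $Now.ToUniversalTime()
    $cutoff = $nowUtc.AddDays(-$Days)
    foreach ($d in $Devices) {
        if (-not $d.LastSyncDateTime) { continue }                     # never checked in: not comparable
        if ($ExcludeOperatingSystem -contains $d.OperatingSystem) { continue }
        $last = ([datetime]$d.LastSyncDateTime).ToUniversalTime()
        if ($last -lt $cutoff) {
            [pscustomobject]@{
                Id           = $d.Id
                DeviceName   = $d.DeviceName
                OS           = $d.OperatingSystem
                LastSyncUtc  = $last
                DaysInactive = [math]::Floor(($nowUtc - $last).TotalDays)
            }
        }
    }
}

function Invoke-StaleDevicePreview {
    param([int]$Days = 120)
    # Read-only scope is enough for a preview
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
    $all = Get-MgDeviceManagementManagedDevice -All
    Get-StaleDeviceCandidate -Devices $all -Days $Days | Sort-Object DaysInactive -Descending
}

# Offline check with a constructed sample so the rule logic can be exercised without a tenant
$sample = @(
    [pscustomobject]@{ Id = 'd1'; DeviceName = 'LAPTOP-01'; OperatingSystem = 'Windows'; LastSyncDateTime = '2022-07-01T08:00:00Z' },
    [pscustomobject]@{ Id = 'd2'; DeviceName = 'LAPTOP-02'; OperatingSystem = 'Windows'; LastSyncDateTime = '2022-10-25T08:00:00Z' },
    [pscustomobject]@{ Id = 'd3'; DeviceName = 'PIXEL-03';  OperatingSystem = 'Android'; LastSyncDateTime = '2022-06-01T08:00:00Z' }
)
Get-StaleDeviceCandidate -Devices $sample -Days 120 -Now ([datetime]'2022-11-02T00:00:00Z') | Format-Table -AutoSize
# Only d1 (123 days inactive) is listed: d2 synced 8 days ago and d3 is Android.
```

Call Invoke-StaleDevicePreview -Days 120 against the tenant to get the live list; if it disagrees with the portal’s “View affected devices”, check the OS exclusions and the last-sync timestamps before trusting either.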

 

To Delete or Retire?

You can choose to delete or retire a computer from Intune at any time. What’s the difference? The answer is not much. Let’s outline what happens when a computer is retired.

  • The device is removed from the company Intune portal
  • Intune Endpoint Protection is removed
  • Intune deployed certificates are removed
  • Device configuration settings are no longer enforced or required so users can override them
  • The computer will no longer receive its updates from the Intune service
  • Apps can no longer be installed from the portal and any Intune client software is removed
  • WiFi and VPN profile settings are removed

When you retire a device, the retire process begins the next time the device checks in, and the device is removed from Intune once the steps outlined above are complete. Delete removes the computer from the Intune “All devices” list immediately, but the retire process still runs the first time the device checks in. In other words, Delete performs the same tasks that Retire does; it just hastens the removal of the device from the listings page. The exception is clean-up rules, which delete devices immediately without running the retire steps.

To retire or delete a device, go to Devices > All devices and select the computer you want to delete. Then choose the appropriate action you want as shown in the screenshot below.

 

Oct 17, 2022

How to Import ADMX and ADML Templates into Intune

Both Group Policy and Intune offer multiple Administrative Templates out of the box that provide settings for Microsoft operating systems and applications. Some third-party vendors provide ADMX and ADML templates that you can use to deploy settings for their products as well, but you must obtain them from the vendor and import them.  

Importing Administrative Templates into Group Policy

Importing third-party administrative templates into Group Policy simply requires that you copy the templates into the central store (the PolicyDefinitions folder in SYSVOL). Let’s say I wanted to manage settings for Zoom. I downloaded the templates and then placed them in the SYSVOL of one of my domain controllers as shown in the screenshot below. Note that you must also place the corresponding ADML templates into the appropriate language folder (for example en-US).

Then I use Group Policy Manager to create a GPO and the Zoom ADMX templates settings will appear automatically.

The Intune Importing Process

The process for importing ADMX and ADML templates into Intune is of course completely different. First off, there are a few limitations at present to keep in mind.

  • You can upload a maximum of 10 ADMX files
  • You can only upload one ADML file for each ADMX file
  • Only en-us ADML files are supported currently
  • Each file must be 1 MB or smaller
  • Some ADMX files may have dependencies that must be uploaded first

After the matching ADMX and ADML templates are downloaded, go to Devices > Configuration profiles and select “Import ADMX.”

Click the Import link and navigate to the matching ADMX and ADML files as shown in the screenshot below.

Once the wizard completes, the imported ADMX template is listed with an upload status. You must allow time for the upload to finish before using the template, as shown below.

In this case, the upload failed. In the screenshot below I clicked on the link to find out the details of the error.

It says NamespaceMissing: a namespace the Zoom ADMX references, Microsoft.Policies.Windows, was not found. This is one of the gotchas mentioned above: the Zoom template declares a dependency on the Windows base template, so that one must be uploaded first. To fix this, click the ellipsis to the right of the failed entry and delete it. Then upload Windows.admx and its Windows.adml. These files are in your central store in SYSVOL, and on any Windows machine in %SystemRoot%\PolicyDefinitions (with the ADML in the en-US subfolder). Upload them the same way you did the Zoom template files.

Once you complete the import wizard, click refresh until you see that Windows.admx is available. Then upload the Zoom template once again. This time the upload shouldn’t fail, and you will see both ADMX files available as shown below.
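The dependency that caused the failure is declared inside the ADMX itself, in the using elements under policyNamespaces, so it can be checked before uploading instead of after. The script below is an added example, not from the original post, that reads an ADMX file, reports the namespaces it depends on, and checks the 1 MB size limit and the presence of a matching en-US ADML. The en-US folder layout is an assumption of the example, and the minimal ADMX written to a temp folder is constructed to reproduce the NamespaceMissing situation.

```powershell
# Added example (not from the original post): pre-flight an ADMX for the Intune import
# limits and list the namespaces that must already be imported.
function Get-AdmxDependency {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Path,
        [int]$MaxBytes = 1MB     # Intune limit: each file must be 1 MB or smaller
    )
    process {
        $file = Get-Item -LiteralPath $Path
        [xml]$admx = Get-Content -LiteralPath $Path -Raw
        $ns = $admx.policyDefinitions.policyNamespaces
        # Assumption for the check: ADML sits in an en-US subfolder next to the ADMX
        $adml = Join-Path $file.DirectoryName ('en-US\' + $file.BaseName + '.adml')
        [pscustomobject]@{
            File        = $file.Name
            SizeOk      = $file.Length -le $MaxBytes
            Namespace   = $ns.target.namespace                        # what this file provides
            DependsOn   = @($ns.using | ForEach-Object { $_.namespace }) # what must exist first
            AdmlPresent = Test-Path -LiteralPath $adml
        }
    }
}

# Constructed sample: a minimal ADMX that depends on the Windows base namespace,
# which is exactly the situation that produced the NamespaceMissing error.
$tmp = Join-Path $env:TEMP 'admx-demo'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="zoom" namespace="Zoom.Policies.Zoom" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="Zoom" displayName="$(string.Zoom)"><parentCategory ref="windows:WindowsComponents" /></category>
  </categories>
  <policies />
</policyDefinitions>
'@ | Set-Content -LiteralPath (Join-Path $tmp 'Sample.admx') -Encoding UTF8

$report = Get-AdmxDependency -Path (Join-Path $tmp 'Sample.admx')
$report | Format-List
# DependsOn lists Microsoft.Policies.Windows, i.e. Windows.admx must be imported first;
# AdmlPresent is False here because the sample has no en-US\Sample.adml beside it.
```

Run Get-ChildItem *.admx | Get-AdmxDependency over a vendor’s template folder to get the full upload order; anything in DependsOn that is not a namespace you have already imported (or that Intune ships) goes first.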

Now you can create configuration profiles that use your imported ADMX files. Go to Devices > Configuration profiles > Create profile and choose Windows 10 and later as the platform and Templates as the profile type. Then select “Imported Administrative templates (Preview)” as shown below.

Then you can select and configure the settings you want in your policy.

Then complete the profile configuration process by assigning the profile to your designated users.

 

Oct 03, 2022

How to Setup Printing in the Cloud Using Universal Print (Part 3)

So, in our last article, we talked about registering printers with the Universal Print portal. We registered a couple of printers using the Universal Print Connector and then shared them to designated users through group assignment. Users can then browse the list of shared printers that they have access to and pick the appropriate printer according to factors such as location or printing capabilities. While this is fine for users needing to send something to a printer they normally don’t use, it’s easier for users to directly install printers on client machines. This is done by creating an Intune policy.

Creating a Printer Policy

All users that will receive the printer policy must be assigned a Universal Print license, as mentioned in Part 1 of this series. You also need the Printer Administrator role to create the policies, and the target computers must be running Windows 10 or Windows 11.

In the Microsoft Endpoint Manager admin center, go to Devices > Configuration profiles and create a new profile. Choose Windows 10 and later as the platform and Settings catalog as the profile type. Name the policy, click “Add settings” and search for the word “printer” as shown below. Scroll down, select the Printer Provisioning category and then select Printer Shared ID User.

You will need three bits of information about each printer you want to install. You can access this information from the overview section of each printer in the Universal Print portal as shown below.

Next, input the Printer ID, Printer Share Name and Share ID in their designated boxes as shown below.
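Copying those three values from the portal one printer at a time is fine for two printers and tedious for fifty. The script below is an added example, not from the original series, that collects printer ID, share name and share ID for every shared printer through Microsoft Graph so they can be pasted into the profile (or fed to whatever builds the profiles). It assumes the Microsoft.Graph.Devices.CloudPrint module and that the signed-in account holds the Printer Administrator role; the cmdlet names and permission scopes are the SDK’s and Graph’s own.

```powershell
# Added example (not from the original series): gather the Printer Provisioning values
# (printer ID, share name, share ID) for all shared Universal Print printers.
function Get-UniversalPrintProvisioningInfo {
    param([string]$DisplayNameFilter = '*')   # wildcard on the printer display name
    # Read-only scopes are sufficient; printer shares are what the profile references
    Connect-MgGraph -Scopes 'Printer.Read.All', 'PrinterShare.ReadBasic.All' | Out-Null
    foreach ($printer in Get-MgPrintPrinter -All) {
        if ($printer.DisplayName -notlike $DisplayNameFilter) { continue }
        # A registered printer that is not yet shared returns no shares and is skipped,
        # which matches the portal: unshared printers cannot be provisioned to users.
        foreach ($share in Get-MgPrintPrinterShare -PrinterId $printer.Id) {
            [pscustomobject]@{
                PrinterName = $printer.DisplayName
                PrinterId   = $printer.Id        # "Printer ID" box
                ShareName   = $share.DisplayName # "Printer Share Name" box
                ShareId     = $share.Id          # "Share ID" box
            }
        }
    }
}

# One row per share; each row maps 1:1 onto the three boxes in the settings catalog profile
Get-UniversalPrintProvisioningInfo | Format-Table -AutoSize
```

Check that the ShareName column matches what users see in the portal; the display name of the share, not of the printer, is what the provisioning setting uses.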

The final step is to assign the profile to the designated users.  You can then monitor the status of the policy using Intune as shown below.

While Universal Print may not be a viable choice for large enterprises yet, it may be a good solution for SMBs that have moved to Azure AD in pursuit of a native cloud solution and want to deprecate their on-prem printing infrastructure.

Sep 19, 2022

How to Setup Printing in the Cloud Using Universal Print (Part 2)

In my previous article I outlined the prerequisites for Universal Print, a Microsoft 365 subscription-based service that you can use to centrally manage your printers using Azure. As mentioned, most printers require the Universal Print Connector to be registered in Azure for universal printing. You can download the UP Connector here.

The prerequisites for the UP Connector are shown below.

  • You can install it on Windows Server 2016 64-bit but Windows Server 2019 is recommended.
  • You may also install it on Windows 10 64-bit Pro or Enterprise, version 1809 or later.
  • The host computer will also need .NET Framework 4.7.2 or later.
  • The host computer should have a permanent internet connection and have sleep/hibernate disabled

Once downloaded, simply run the installer

Once installed you will see the screen below. Here you will need to sign in to Azure using an Azure AD account that is assigned the Printer Administrator role.

Once you are signed in, you will need to create a Connector Name as shown in the screenshot below. This could be the name of a building, a department, a site, or just about anything that has significance within your organization.

In this example I chose Central_Office. You will then register the Connector name.

Once registered, you will be able to see the connector in your Azure Universal Printer portal. If you can’t readily find the UP portal in Azure, you can do a search for “Universal Print” to navigate to it as shown below.

Then click connectors to see your newly registered connector.

Now it’s time to register the printers. You need to install the printers on the computer hosting your connector. These printers will then be shown as available printers in the UP Connector admin console. Select the printer or printers you want from the list and click Register. The printer(s) will move to the registered printer list as shown below. The printer is now registered in Azure.

Now we need to share the printer. Go to the Universal Print Portal and you will see that your printer is registered and ready but not shared.

To share, select the printer’s checkbox and click Share as shown below.

Now you will give the printer a share name and select the groups or users that can access the share as shown below.

You can then select Printer properties and provide descriptors so that users know where the printer is located within your enterprise. This allows them to search for printers according to location. I have filled out some of the properties in the screenshot below.

Now the printer is shared and ready and will show all green as shown in the screenshot below.

Registering Universal Printers Directly

Printers that natively support Universal Print can be registered with Azure without going through the UP Connector. Simply access the printer’s admin console through a web browser. Every vendor’s admin portal is different but essentially you will need to name the printer and configure its network properties so it can access the Internet. Usually in the advanced settings, there will be a way to register the printer. The registration process will require you to logon to Azure with the proper credentials. The printer will then be registered and assigned a registration code. Once registered, you will then log onto Azure in the same manner I did earlier and share the printer.

Next: Creating Intune Policies

In our third and final segment on Universal Print, we will review the process of installing registered universal printers on computers across the network.

Sep 07, 2022

How to Setup Printing in the Cloud Using Universal Print (Part 1)

So, you’ve migrated your enterprise’s on-prem AD presence to Azure AD and are now thinking that everything will be native cloud from here on out. There’s just one problem. Your users are still printing, and those printers rely on on-prem infrastructure. While many consider printing a legacy technology, organizations still depend on it. The problem is that printer management can be a time-consuming and manually intensive ordeal, with so many different types of printers, associated drivers and spoolers to deal with. What’s more, assigning printers using Intune can be challenging at best.

Fortunately, there is an option available from Microsoft that allows you to upgrade your printer environment to a cloud-based print solution. It’s called Universal Print, a subscription-based service that runs on Microsoft Azure, providing a centralized print management for print administrators. Some of the benefits of Universal Print include the following:

  • No need to install printer drivers on PCs as printing takes place using the Internet Printing Protocol (IPP). There’s also no need for print servers for supported printers.
  • Provides remote users the ability to print at the corporate office and integrates with Windows 365 virtual PCs.
  • Printers can be assigned end-user locations at a granular level so users can easily find the right printer for their location whether it be a country, town, site, building, floor, etc. You can also assign printers using Intune.
  • Extensive reporting is available to monitor your print capacity as well as obtain a daily aggregated job count for each printer or user, giving you the visibility to understand what is happening in your print environment each month.
  • Enhanced security, as machines must be joined to Azure AD to print, printing takes place over encrypted connections, and all print data is held in the same platform that Exchange Online and Teams use.

There’s obviously a lot of benefits to Universal Print so let’s look at how to implement it.


Prerequisites for Universal Print

Let’s start with the printers themselves. Some printers can integrate directly with Universal Print out of the box. Here’s a list from Microsoft of Universal Print ready printers. Chances are, most of your printers don’t support Universal print. In that case, you need to download the Universal Print Connector to an on-prem machine and add your printers to it. The Connector will serve as the intermediary between Azure and legacy printers.

Next you will need the right subscription. Universal Print is included with multiple commercial and educational Microsoft 365 and Windows 10 subscriptions. You can also purchase a standalone subscription. Applicable licenses include the following:

  • Microsoft 365 Enterprise F3, E3, E5, A3, A5
  • Windows 10 Enterprise E3, E5, A3, A5
  • Microsoft 365 Business Premium
  • Universal Print (standalone)

You can confirm whether your current license provides Universal Print access by going to your Azure portal and navigating to Azure Active Directory > Licenses > All products. Select a product from your list and click on “Service plan details.”

Each print user will need an assigned license. A Universal Print license is also required for all print administrators, regardless of whether they print or not. Keep in mind that the license does not give you unlimited printing. Universal Print uses the same OPEX model that is characteristic of cloud services, in that you pay for the resources you use. The service comes with a pool of print jobs equal to 5 print jobs per licensed user per month, so 100 licensed users share a pool of 500 print jobs each month. A print job is a single printed document regardless of the number of pages or copies; a colour document counts the same as any other job, and attributes such as single- versus double-sided do not matter either. Note that there is currently no way to enforce a print quota on individual users: while the license allots 5 print jobs per user, one user can consume the whole pool over the course of a month. It is believed that quota management will be introduced down the road.

To configure or manage Universal Print, an admin must be a global administrator or be assigned the Printer Administrator role. I had to assign myself the print administrator role even though I was a global administrator to complete the configuration steps for this article series.

Finally, client devices must be running Windows client OS, version 1903 or greater.

Next: Installation and Configuration

In the next article, I will show how to install the Universal Print Connector to an on-prem machine and configure the Universal Print service. We will then assign the printers using Intune.

 

Aug 15, 2022

A Closer Look at Safeguard Holds

There are no guarantees in life. That’s certainly the case with software updates. Sometimes an update that offers a new operating system version just doesn’t work out due to compatibility issues with a particular device. This can cause the update to fail or roll back. Even worse, it could result in data loss or a loss of connectivity or key functionality. That’s why Microsoft monitors quality and compatibility data to identify issues before they can affect too many machines. Issues may also be reported by Microsoft partners and customers. Once an issue is identified, Microsoft places a safeguard hold so that other devices with the same known compatibility issue are not offered the affected feature update. The hold stays in place long enough to give Microsoft time to address the issue. Once a fix is produced and verified, the hold is lifted and the feature update is offered to those devices again.

Disabling Safeguards

While it’s not recommended for production devices, you can disable safeguards so that devices ignore them. The setting is meant for validating a feature update on a limited set of devices, and it only affects devices that receive feature updates through Windows Update for Business. Keep in mind that the update may well fail on a device that was being held back. If you want to take the chance, create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business and enable the “Disable safeguards for Feature Updates” setting as shown below.

 

You can also do this using an MDM such as Microsoft Endpoint Manager with the DisableWUfBSafeguards CSP. The required custom OMA-URI settings are as follows:

  • OMA-URI: ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards
  • Data type: Select Integer
  • Value: 1
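Either route writes the same DWORD, DisableWUfBSafeguards, under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so the state of a device can be audited locally. The script below is an added example, not from the original post, that reports whether safeguards are disabled by policy and which holds Windows has recorded for the device. Reading the hold markers relies on the GatedBlockId and GatedBlockReason values that Windows 10/11 writes under AppCompatFlags\TargetVersionUpgradeExperienceIndicators; that location is not documented by Microsoft and is an assumption of this example.

```powershell
# Added example (not from the original post): audit safeguard-hold state on a device.
function Get-SafeguardHoldState {
    # Value written by the GPO "Disable safeguards for Feature Updates" and the
    # ./Vendor/MSFT/Policy/Config/Update/DisableWUfBSafeguards CSP (1 = safeguards ignored)
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $disabled  = $false
    if (Test-Path $policyKey) {
        $v = (Get-ItemProperty -Path $policyKey).DisableWUfBSafeguards
        $disabled = ($v -eq 1)
    }

    # Assumption: the appraiser records per-target-version hold markers here, one subkey per
    # target (e.g. NI22H2) with GatedBlockId / GatedBlockReason values.
    $indRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators'
    $holds = @()
    if (Test-Path $indRoot) {
        foreach ($sub in Get-ChildItem -Path $indRoot) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if ($p.GatedBlockId -and $p.GatedBlockId -ne 'None') {
                $holds += [pscustomobject]@{
                    Target       = $sub.PSChildName
                    GatedBlockId = $p.GatedBlockId     # the hold ID shown in the Safeguard Holds report
                    Reason       = $p.GatedBlockReason
                }
            }
        }
    }

    $verdict = if ($holds.Count -gt 0 -and -not $disabled) { 'Feature update withheld by safeguard hold' }
               elseif ($holds.Count -gt 0)                  { 'Hold recorded but bypassed by policy; expect a possible upgrade failure' }
               else                                         { 'No safeguard hold recorded' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SafeguardsDisabled = $disabled
        ActiveHolds        = $holds
        Verdict            = $verdict
    }
}

Get-SafeguardHoldState | Format-List
```

The GatedBlockId values are the same IDs the Safeguard Holds report in Update Compliance lists, so a device that shows a hold here but not in the report (or the reverse) is worth a closer look before the policy is widened.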


Safeguards for Two Types of Issues


New Windows feature updates deployed through either the Windows Update service or Windows Update for Business are subject to safeguard holds for known issues. A “known issue” is a confirmed problem that may occur after an upgrade for a specific set of devices. In addition to known issues, there are also “likely issues.” A likely issue is a problem that has not been confirmed by Microsoft but has been detected through machine learning on telemetry from the wider ecosystem. Issues can involve rollbacks, connectivity problems, app or driver malfunctions, and problems with graphics and audio. Once identified, a temporary safeguard hold is placed on the update until either the issue is confirmed and promoted to a known issue (in which case the hold continues) or it is identified as a false positive, in which case the hold is removed.

The Windows Update for Business Deployment Service

The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides a further level of control over the approval, scheduling and safeguarding of Windows updates. Here you can opt devices into safeguard holds for likely issues, not just known ones. You can also bypass preconfigured Windows Update for Business policies to expedite a security update across your organization should an emergency arise. To use this service, you must have one of the following subscriptions:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

You can then do a search for it in MEM and configure as you need to.

To see if you are affected by a Safeguard hold you can use Update Compliance in MEM to run a Safeguard Holds report that can provide insights into existing holds that are preventing devices from updating or upgrading. You can get more information about these reports here.