Windows 365 Cloud PC

Windows 365 Cloud PC

Windows 365 Cloud PC is Microsoft’s latest addition to the VDI scene. Announced at Inspire back in July, and then released General Availability on 2nd August 2021. On a basic level, you provision a Windows 10 (or 11) VM to a user, and it’s dedicated to that user – so effectively the same as a standard PC in that you’re not sharing resources in a multi-user environment as you may do with Azure Virtual Desktop. Licensing is made simple as it’s a fixed price per user, per month, regardless of how much usage they make. There’s a variety of different SKUs which correspond to different VM specifications.

Windows 365 comes in two versions – Business and Enterprise. Business is limited to 300 users and designed to be much simpler to set up and configure. Enterprise does not have a user limit and integrates with Endpoint Manager (Intune). The core difference here is Business could be implemented by anyone at the company, Enterprise will most likely require an IT department to manage it.

This does not replace Azure Virtual Desktop – it runs along side it. Azure Virtual Desktop requires more technical expertise to set up and manage, and can be more expensive or less expensive than Windows 365 depending on your host sizes, whether you share devices with Windows 10 multi-user, and whether you shut them down or not. Windows 365 is a fixed price with no knowledge of Azure Virtual Desktop and RDS required.

I’m going to look at the setup process for Business and Enterprise and give my thoughts.

Continue reading “Windows 365 Cloud PC”

WUfB and Update Compliance

Windows Update for Business (WUfB) is a free service which allows you a level of control over Windows Update on certain SKU of Windows 10 – Pro/Enterprise/Education/Pro for Workstation – basically everything except Home edition. You can select which types of updates you would like – Feature updates, Quality (security) updates, Driver updates and Microsoft Product updates. Product updates are for other Microsoft products, but not Office if you used the Click-to-Run installer.

Whilst you don’t approve/deny each update as you’d have done in the past with WSUS, you can specify update deferral periods. For Quality updates this is 30 days or less, and for Feature updates it’s 365 days or less. You can create multiple policies, for example one targeting a pilot group with 0 day deferral, one with 5 day for a wider group, and a 10 day deferral for the rest of your devices. If you find an issue with an update installed by the pilot group, you can pause updates for up to 35 days on the other policies. The devices should then resume at the end of the 35 days and skip the missed update, moving on to the next cumulative update.

Device driver updates are enabled by default, but can be turned off, and Microsoft Product updates are disabled by default, but can be turned on. I tend to leave these at the default settings – as the trend with recent Microsoft products has been for them to look after the updating process themselves (e.g. Office 365 Click-to-Run, Edge etc) rather than using Windows Update.

You don’t need Intune or Config Manager for this, and you don’t need your devices to be Azure AD joined – it can even be a PC in a workgroup – although it’s a lot easier to manage if you have some central control over the client side settings.

Continue reading “WUfB and Update Compliance”

Intune: Introducing Filters

Endpoint Manager/Intune Filters is a new feature which is currently (at time of writing) in public preview. This gives you advanced targeting for things like compliance policies, configuration profiles and app assignment by adding filters.

At a basic level, you apply a filter over the top of an included device or user group, with two modes to either include or exclude devices from the assignment. For this kind of thing I currently use dynamic device groups, and set assignments to these groups. Going forward I can change this to using filters, and assigning to larger (perhaps assigned membership) groups. The benefit to doing this is that you no longer have to wait for dynamic group membership to update, which can take a while – especially on larger environments.

Continue reading “Intune: Introducing Filters”

Endpoint Analytics

I’ve been looking at ways to get performance data for all our devices, currently 99% in Config Manager but in the future we’re expecting to have quite a large deployment which is only managed by Intune. I’ve already set up Desktop Analytics but this just covers things like Windows 10 feature updates, which is good but not really what I was after.

Introducing Endpoint Analytics.

This is part of Intune and, if you set up tenant attach or device co-management, you can pull data for ConfigMgr managed devices into the console. Endpoint Analytics will show you a score, based off various factors such as startup performance, recommended software and application reliability, and there’s various screens you can look at with more detailed information such as startup performance and application reliability. Most report lists can be exported for offline analysis in Excel. I think it’s a key tool for identifying devices which need attention – whether it’s a device that has missed its upgrade from HDD to SSD sitting at the top of the “slowest boot up time” list, or a device which frequently suffers from bugchecks/BSODs potentially being a hardware issue, it brings to light troublesome devices which the end user may not have ever reported.

I’ll cover setting it up and then look at each section in turn, with lots of screenshots.

Continue reading “Endpoint Analytics”

Intune: Manage non-DEP iOS devices via AC2 DEP enrolment

I often refer to DEP as “Autopilot for iPads”, and Autopilot as “DEP for Windows”. The Device Enrolment Program allows you to register your devices with Apple so that when they are reset and go through activation, any DEP-assigned configuration is enforced onto the device.

DEP (and Volume Purchasing Program) have since been rebranded into Apple School Manager (or Apple Business Manager), which I think is a good move by Apple as I find it a lot easier than having to remember the special VPP store URL whenever I want to get some new apps, and having to remember the DEP URL to alter any device assignments.

Assigning devices to DEP is something that traditionally the reseller/supplier needed to do – you’d give them your DEP ID when placing the order and put their reseller ID into your DEP portal, and the devices would appear – however you can now add other devices yourself using Apple Configurator 2. This is particularly useful for older devices that you didn’t get set up on DEP, or if someone else in the organisation has randomly purchased some devices without speaking to you first from a supplier you don’t have an existing relationship with. You’ll need a Mac computer to run this – I use a Mac Mini – and it’ll need to be a fairly recent version. In this post I’ll go through how to set up AC2 to add devices to DEP, and then get them in to Intune for management. I’ll be referring to Apple School Manager in this post but the steps for Apple Business Manager are the same.

Continue reading “Intune: Manage non-DEP iOS devices via AC2 DEP enrolment”

Intune: Windows Hello for Business

Windows Hello is Windows 10’s biometric authentication system which allows users to sign into their device using facial recognition (if the device has an IR camera), fingerprint (if the device has a fingerprint reader) and PIN. The data for these is stored on the device itself rather than transmitted to the authentication provider (i.e. Azure AD) so is more secure than a password as an attacker would need the device as well as the face/finger/PIN of the person they are trying to impersonate. In this case a PIN is more like a password, as we can define the minimum and maximum length, and allow/forbid/require lower case, upper case and special characters. The default setting permits numbers, lower and upper case letters but does not allow special characters.

At a basic level it works by using a public/private key pair or certificate based authentication. The private key and other biometric data is stored in the device, either in the TPM chip (if present) or in the file system. Windows Hello for Business is the enterprise version of Windows Hello and can be configured using Group Policy or a modern MDM such as Intune.

If configured correctly it can also be used to authenticate to on-premise resources such as from a domain-joined or hybrid-joined device. My preferred method of working here is to move things to use modern authentication and as such the devices I use to test this are just Azure AD joined (and provisioned using Autopilot), so I won’t be setting up the certificate for on-premise authentication. Continue reading “Intune: Windows Hello for Business”

Intune: Endpoint Protection

Whilst Endpoint Protection can be suitably managed for traditional Active Directory-joined devices using Group Policies, you’ll need an alternative to protect your Azure AD joined devices. Luckily Intune can do this for us by way of a device configuration profile. 

Go to  Intune > Devices > Configuration Profiles   and click on Create profile. Select Windows 10 and later as the platform, and Endpoint protection. Once you’ve filled out the basic detail, you’ll see a large selection of things we can manage. I’ll go through these one at a time. Continue reading “Intune: Endpoint Protection”

Intune: iOS Wireless Profile with embedded credentials

It’s something that isn’t recommended but sometimes there’s not really much you can do otherwise – we have a set of iPad minis which are shared between multiple pupils and at the moment they are on Meraki MDM, connected to the 8021X Enterprise wireless network using a username/password which is set via the MDM profile. I really want to move these devices to Intune but you can’t create a WiFi profile with embedded credentials on Intune – presumably this was never an option for obvious reasons.

The only other option I can see is to set up SCEP and have the devices issued with certificates, and then use those to authenticate, presumably I’d also need to enable device writeback so that the NPS server can see the devices in AD. Due to the way our AD is configured (single forest with lots of domains, synced to multiple Azure AD tenancies) device writeback is unsupported, so let’s look at embedding the credentials into Intune instead. Continue reading “Intune: iOS Wireless Profile with embedded credentials”

Intune Part 2 – Autopilot/Win10 – Applications

Today I’m going to look at deploying applications to devices managed by Intune. Back in part 1 I looked at enrolling devices, setting up Autopilot, some basic configuration policies and also created a few Azure AD groups containing the devices.

There’s quite a lot of different application types in Intune, covering iOS, Android and Windows devices. As this series is focussed on Windows I’m not going to look at the iOS or Android ones at this time.

This post will go through the steps for installing/deploying the following:

  • Microsoft 365 Apps – Hassle free Office 365 deployment,
  • Microsoft Store Apps – primarily Store for Business/Education apps, including linking Intune to the Store for Business/Education,  but you can also deploy without setting up the Business/Education store.
  • Web Apps – essentially shortcuts to a website
  • Windows Applications (Win32) – your traditional Windows apps which come with a setup.exe or setup.msi.

Continue reading “Intune Part 2 – Autopilot/Win10 – Applications”