Tag: MDM

  • Windows 365: Zero to Cloud in 1 hour!

    This blog article is a throwback to the session I did at the MCT Summit in The Hague. The Windows 365 session was an eye-opener for organizations of all sizes and setups. It demonstrated how easy it is to implement Windows 365 and how it can benefit any organization. In this write-up, we will cover the basics of Windows 365 and the easy setup process.

    Gone are the days when Windows was consumed solely from a native PC. I still remember the day when the first PC arrived at our home. I finally got my hands on the glory of Windows XP.

    The first step towards virtualization was evolutionary. We introduced system administrators to the flexibility and control of their environment beyond the physical. Azure Virtual Desktop, formerly known as Windows Virtual Desktop, was a game-changer.

    Today, a whole new option presents itself: Windows 365, or the Cloud PC. This option has a specific focus on experience, and more importantly on end-user experience. It takes into account that the end-user of this solution is not solely the consumer: the system administrator who needs to configure and maintain it also plays a big part.

    How do I integrate this with my current environment?

    One of the most frequently asked questions I receive is “How can we integrate this into our existing environment?”. The answer is simple: How are you doing this today? Depending on your current environment, there are three main architectures you can use.

    The first option is to host the full solution in the Microsoft subscription and utilize the Microsoft Hosted Network. The option to connect to on-premises resources with something like a split-tunnel VPN is still valid.

    The second option utilizes something we call an Azure Network Connection. It basically allows you to connect your Cloud PC to a vNET that exists within your Azure subscription. You can connect this vNET through a site-to-site VPN or even an ExpressRoute.

    For our third option, we take it one step further. You can create a computer object in your AD and manage it as if it were an on-premises device. This allows SCCM to perform the device management. It requires line-of-sight from the vNET specified in the ANC (Azure Network Connection) to your domain controller, and you need to specify some additional information to allow the computer object to be created in the relevant organizational unit.

    The provisioning policy

    If you want to set up a Cloud PC, you need to create a provisioning policy first. This policy defines everything about your Cloud PC, such as its name, description, and features. One of the most important choices you have to make is whether to use Enterprise or Frontline.
    How do you decide? Well, it depends on how many Cloud PCs and how many concurrent sessions you need. The Frontline license gives you three Cloud PCs for the price of one, but only one session at a time.
    For example, you have 300 workers who need a Cloud PC, but only 100 of them will use it at the same time. This allows you to save money by choosing 100 Windows 365 Frontline licenses.

    Another important choice in the provisioning policy is your “Join type details”. This refers to the network architecture you want to use: Microsoft Hosted Network, Microsoft Entra Join with your own vNET, or Hybrid Microsoft Entra Join. I have explained these options above. You can enable the single sign-on checkbox if you use the Microsoft Entra Join or if you have a Cloud Kerberos Trust with the Hybrid Microsoft Entra Join.

    After clicking next, you get the option to choose a gallery image or a custom image. It is always recommended to go with the gallery images, which are created and maintained by Microsoft and provide you with optimized images for the Cloud PC.

    The final step before applying the provisioning policy is to configure some settings. You can choose the language and region for the Cloud PC, create a naming template, and opt to enroll the device in Windows Autopatch. This is a service that I will cover in a future blog post.

    Easy-peazy!

    That’s it! We’re done! The provisioning policy will check whether the assigned group has licenses available. Afterwards, it will start spinning up the relevant Cloud PC. As you can see, the entire process is as easy as one-two-three!

  • Adding a language pack using Proactive remediations

    One of the features of Intune is Proactive Remediation. It allows administrators to create scripts that automatically fix issues on devices before users even notice them. Adding a language pack using a Proactive Remediation script is a straightforward process. I will guide you through the steps in this article.

    I have been using this method to add additional language packs to my Windows 365 deployments. This is of great use to organizations that are multi-geographical.

    Creating the scripts

    First, we will create a language pack installation script. This is split into two parts. One should be designed to detect the language currently in use on the device. The other installs the appropriate language pack.

    The first script uses some basic PowerShell to list the languages installed on the system and verifies whether the required one is present.

    # Read the list of installed UI language packs from the OS
    # (Get-CimInstance replaces the deprecated Get-WmiObject)
    $OSInfo = Get-CimInstance -ClassName Win32_OperatingSystem
    $languagePacks = $OSInfo.MUILanguages

    # Exit 0 = compliant (nothing to do), exit 1 = Intune runs the remediation script
    if ($languagePacks -contains "de-DE") {
        Write-Output "Installed"
        Exit 0
    }
    else {
        Write-Output "Not installed"
        Exit 1
    }

    We will leverage the LanguagePackManagement module to install the required language. Install-Language downloads and installs the language components for the specified language.

    Install-Language de-DE

    Additionally, you have the option to directly enable the new language pack with the -CopyToSettings switch:

    Install-Language de-DE -CopyToSettings
    

    Warning! Please verify that the scripts we created above are saved in UTF-8 encoding.
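    As an added example (not code from the original post), the detection and remediation scripts above generalised to a list of required languages, installing only what is missing. It assumes Windows 11 22H2 or later, which ships the LanguagePackManagement module, and a package set to run in 64-bit PowerShell; the language list is a constructed sample.

```powershell
# Added example, not from the original post: a parameterised detection and
# remediation pair that handles several required languages at once.
# Assumptions: Windows 11 22H2 or later (ships the LanguagePackManagement module
# that provides Install-Language) and the package runs in 64-bit PowerShell.
$RequiredLanguages = @('de-DE', 'fr-FR')   # constructed sample list
$Mode = 'Detect'                           # use 'Remediate' in the remediation file

function Get-MissingLanguages {
    param([string[]]$Required)
    # MUILanguages lists the UI language packs currently installed on the OS.
    $installed = (Get-CimInstance -ClassName Win32_OperatingSystem).MUILanguages
    return @($Required | Where-Object { $installed -notcontains $_ })
}

# Detection: exit 0 means compliant, exit 1 makes Intune run the remediation.
function Invoke-Detection {
    $missing = @(Get-MissingLanguages -Required $RequiredLanguages)
    if ($missing.Count -eq 0) {
        Write-Output "Installed: $($RequiredLanguages -join ', ')"
        return 0
    }
    Write-Output "Not installed: $($missing -join ', ')"
    return 1
}

# Remediation: install only what is missing and copy it to the settings.
function Invoke-Remediation {
    if (-not (Get-Command Install-Language -ErrorAction SilentlyContinue)) {
        Write-Output 'Install-Language is not available on this Windows build'
        return 1
    }
    foreach ($lang in @(Get-MissingLanguages -Required $RequiredLanguages)) {
        try {
            Install-Language -Language $lang -CopyToSettings -ErrorAction Stop | Out-Null
            Write-Output "Installed $lang"
        }
        catch {
            Write-Output "Failed to install ${lang}: $($_.Exception.Message)"
            return 1
        }
    }
    return 0
}

if ($Mode -eq 'Detect') { exit (Invoke-Detection) } else { exit (Invoke-Remediation) }
```

    Upload the file once with $Mode set to 'Detect' as the detection script and once with 'Remediate' as the remediation script; the Write-Output text shows up as the pre- and post-remediation output in the Intune report.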

    Creating the script package

    After creating the language pack scripts, we should create the Proactive Remediation script package in Microsoft Intune. To do this, log in to the Intune portal and navigate to Reports. Click on “Endpoint Analytics” and select “Proactive remediations”.

    After clicking on “Create script package”, give the script a name, a description and a publisher.

    The next step is to upload the scripts we created in the initial step: one for the “Detection script file” and one for the “Remediation script file”.

    Make sure to set the slider for “Run script in 64-bit PowerShell” to “Yes”.

    Finally, we should assign the policy. To do this, navigate to the Assignments section of the policy and select the group that the policy should apply to.

    Additionally, you can also change the schedule and filter for specific devices.

    Conclusion

    Adding a language pack using a Proactive Remediation script is a straightforward process that can save administrators time and ensure that devices are always running in the correct language.

    By following the steps outlined in this article, administrators can easily create a language pack installation script and create a Proactive Remediation script to automate the installation process.

  • Enroll an Android device in Microsoft Intune

    The newly created AVD, from our last post, should be managed within Microsoft Intune. Microsoft Intune provides a range of options for managing and securing Android devices. Some of the key features include:

    • Device enrollment: Allows users to easily enroll their Android devices in Microsoft Intune and access corporate data.
    • Policy management: Enables administrators to configure policies that control how devices can be used, e.g. password policies and enforcing encryption.
    • Compliance monitoring: Provides the ability to monitor compliance with corporate policies and take action if any devices are not compliant.
    • Mobile application management: Allows organizations to securely distribute and manage corporate apps on Android devices.
    • Remote actions: Provides the ability to remotely wipe data from a device or perform other actions if necessary.

    There will be more in-depth guides on the capabilities of Microsoft Intune. In this article we will keep it simple and start with how to enroll an Android device.

    Android Device Management

    Enrolling an Android device into Microsoft Intune is a simple process. This will directly enable you to manage and secure mobile devices.
    There are three main methods of enrolling a device:

    • Android Enterprise (AE): Most up-to-date and secure method
    • Android Device Administrator (DA): It is encouraged to migrate to AE
    • AOSP: Method for devices that aren’t integrated with Google Mobile services

    The focus here will be on Android Enterprise, because it is the most versatile method, with applications for BYOD, personal- and corporate-owned devices.

    Android Enterprise

    Android Enterprise is a set of features and services provided by Google that enables organizations to manage and secure the Android devices used by their employees. This includes features such as the ability to remotely lock or wipe a device, enforce password policies, or restrict access to certain apps or data. With Intune, you can take advantage of these features to manage and secure your Android devices and ensure that they are used in a way that aligns with your security and compliance policies. This helps organizations protect their data and prevent unauthorized access to sensitive information. It also allows employees to use their own Android devices for work purposes. When using Android Enterprise, there are two main modes of deployment: fully managed devices and work profiles.

    Fully Managed

    This method allows users to enroll their Android device as a fully managed device. This gives the organization complete control over the device and access to all of its features and functions.

    Fully managed devices are completely owned and controlled by the organization. This means that the organization can install any app, configure any settings, and enforce any policies on the device. This is typically used for devices that are provided by the organization and used exclusively for work purposes.

    Work Profile

    A work profile is a separate, secure profile on the device used for work purposes. In this mode, the employee still has their own personal space on the device. The organization can only manage and control the work profile; it cannot access or modify the personal space on the device. This is typically used for employee-owned devices, enabling them to use their own device for both work and personal purposes.

    The main difference between the two modes is the level of control the organization has over the device. With fully managed devices, the organization has complete control over the device. With a work profile, the organization only has control over the work profile, allowing employees to maintain their privacy on their own devices while still allowing the organization to manage and secure their work data.

    Microsoft Intune

    Android Enterprise

    Prerequisites

    Before starting with an enrollment profile, you must link a “Managed Google Play” account to Microsoft Intune. For this, you must have set up a managed Google Play account.

    Afterwards, you can use Intune to manage and distribute apps from Managed Google Play to your Android devices.

    Enrollment Profiles

    By default the “Personally-owned devices with work profile”-option is enabled. We need no additional configuration for this.

    Android Device Enrollment

    User-Driven Enrollment

    To enroll an Android device using the Intune Company Portal app, users simply need to download the app from the Google Play Store and sign in with their organizational credentials. Once logged in, the app guides users through the enrollment process, allowing them to enroll their device in a matter of minutes.

    Automated Enrollment

    Zero-touch enrollment is a method of automated enrollment that allows organizations to enroll Android devices in Intune directly from the manufacturer or reseller. In this method, the organization provides the manufacturer or reseller with its enrollment configuration, so devices are automatically enrolled in your mobile device management (MDM) solution when shipped to the user. This pre-configures the devices with the desired settings and policies, ensuring that they are ready for use as soon as they are received.

    In conclusion, enrolling an Android device into Microsoft Intune is a simple process. It can be done using user-driven or automated enrollment. Each of these methods gives organizations the ability to manage and secure their mobile devices, ensuring that sensitive data is protected and that employees have access to the tools they need to be productive.

  • Creating an Android Virtual Device (AVD)

    I am a firm believer in the concept “Seeing is believing”. Does that mean that I will test everything? No, probably not. But I will at least try to! Today the goal is to create an Android Virtual Device (AVD).
    Further down the road, we will enroll these in Microsoft Intune.

    For those of you that don’t know Microsoft Intune yet, it is a cloud-based unified endpoint management solution. Intune provides a central console for monitoring, configuring, and managing mobile devices and applications across multiple platforms, including iOS, Android, Linux, Chrome OS and Windows. It also provides a comprehensive set of tools for managing mobile applications, such as managing the distribution, installation, and usage of apps. All of this helps to improve productivity and reduce costs.

    Creating an Android Virtual Device (AVD)

    First of all, we will be creating an Android Virtual Device (AVD). The AVD is an emulator that is part of Android Studio. It is a great tool for developers to test their apps on different versions of Android. With an AVD, different versions of Android and different hardware configurations can be simulated.

    However, that is not how we are intending to use it. In this article we will create an Android Virtual Device. This is helpful for those who don’t have access to physical Android devices. The AVD can be used to test out Intune policies and apps.

    Creating an Android Virtual Device (AVD)

    The process of creating an AVD is fairly straightforward within Android Studio. In addition, this software is freely available and has the following prerequisites:

    • 16GB RAM
    • 64-bit Windows, macOS, Linux, or Chrome OS operating system
    • 16GB disk space

    After installing Android Studio and verifying the prerequisites, we will configure the AVD in it:

    • Open Android Studio and select “Virtual Device Manager” from the “More Actions” drop-down menu.
    • Click the “Create device” button.
    • Select a device definition, with or without Play Store.
    • Select the system image for the preferred Android version.
    • Configure the AVD hardware settings.
    • Click the “Finish” button to create the AVD.

    Select the AVD you created and click the “Start” button to launch the AVD.

    Configure hardware acceleration in Windows

    Lastly, some configuration changes should be made to Windows to enable hardware acceleration of the emulator. This step is optional: you can still use the emulator without it, but it will be slower and may not perform as well.

    First, you must ensure that your computer has a processor that supports virtualization and that the feature is enabled in the BIOS. Then, you can follow these steps:

    1. Open the Start menu and type “Turn Windows features on or off” into the search box.
    2. Click on the “Turn Windows features on or off” option that appears in the search results.
    3. In the Windows Features window, scroll down and check the box next to “Hyper-V”.
    4. Click on the “OK” button to enable Hyper-V on your computer.

    This will enable Hyper-V acceleration for the Android emulator, which can improve its performance. Make sure that the AVD you are creating is using an x86_64 or x86-based system image.
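    As an added example (not from the original post), the same four steps done from PowerShell, with the virtualization prerequisite mentioned above checked first. It assumes an elevated Windows PowerShell session on a Windows client; the function and variable names are my own.

```powershell
# Added example, not from the original post: the PowerShell equivalent of the
# four steps above, with the virtualization prerequisite checked first.
# Assumes an elevated Windows PowerShell session; enabling Hyper-V needs a reboot.
function Test-VirtualizationReady {
    $info = Get-ComputerInfo -Property 'HyperVisorPresent',
        'HyperVRequirementVirtualizationFirmwareEnabled',
        'HyperVRequirementVMMonitorModeExtensions',
        'HyperVRequirementSecondLevelAddressTranslation'
    # Once a hypervisor is already running, the requirement fields are left empty,
    # so a present hypervisor counts as ready.
    if ($info.HyperVisorPresent) { return $true }
    return [bool]($info.HyperVRequirementVirtualizationFirmwareEnabled -and
                  $info.HyperVRequirementVMMonitorModeExtensions -and
                  $info.HyperVRequirementSecondLevelAddressTranslation)
}

function Enable-HyperVForEmulator {
    if (-not (Test-VirtualizationReady)) {
        Write-Output 'Virtualization is not enabled in firmware; enable it in the BIOS/UEFI first.'
        return $false
    }
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All'
    if ($feature.State -eq 'Enabled') {
        Write-Output 'Hyper-V is already enabled.'
        return $true
    }
    # Same as ticking "Hyper-V" in "Turn Windows features on or off".
    Enable-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -All -NoRestart | Out-Null
    Write-Output 'Hyper-V enabled; reboot to finish.'
    return $true
}

Enable-HyperVForEmulator
```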

    In conclusion, we are left with an Android Virtual Device (AVD) on Windows with all the necessities in place for hardware acceleration while still being able to use Hyper-V.
    Our next step will be to enroll this device in Microsoft Intune, just as described in my next post.