Modern device management with a few twists
'My goal is to share my knowledge and experiences with community members on their own road to Modern device management. I love working with Microsoft technology and hopefully I can help a few people along the way.'
Author: Andy Jones
Filters were introduced to Intune around mid-2021 and, for some reason, have largely escaped me until now. Like many, I have used dynamic groups as the default approach when I needed to narrow down the assignment of compliance policies, configuration profiles and applications. Filters, however, bring a number of welcome improvements to the table, which we will go through in this blog.
Filters introduce a way of applying advanced targeting and, in some scenarios, performance benefits that can help you replace dynamic group assignment. When it comes to defining and applying filters you still need to make the right architectural decisions for your own Intune deployment, but filters add a new layer of targeting that is definitely worth considering. The natural way of structuring your users and devices has not changed: you create Azure Active Directory groups. By creating these you define a hierarchy and structure that reflects your organisation, whether through specific teams of people such as the 'Sales team' or device types such as 'Windows 11 devices'. These groups are still relevant and provide the baseline for assigning your applications, policies and profiles. For each assignment where Microsoft has added the option for filters, you now have the ability to narrow the assignment scope to best fit your needs.
We do need to mention 'virtual groups', which include 'All users' and 'All devices'. By default they carry no management overhead, meaning there is no need to first create or change anything for them. It's worth noting that every time you create a new group (one that has never been used before in an Intune assignment) it goes through a first-time setup process together with a membership sync. This first sync will always take longer than subsequent (incremental) syncs. The upside of the virtual groups is that they are stable and highly optimised for assignment. Their use may be few and far between, though, so most admins break 'All users' and 'All devices' down into sub-groups. As a result, the groups you create need to be synchronised from Azure AD and evaluated for assignment. And therein lies the major benefit for me: the performance of assignment. I have seen technical community requests for information about dynamic group assignment, for example. The underlying issue is that it sometimes takes longer than expected, especially on larger group assignments, to verify the members that apply to the dynamic groups, which can then delay an app or policy being deployed or even delay an enrolment.
Author: Andy Jones Date Published: 09/08/2022
Expedite built from Windows Update for Business (WUfB)
I first want to provide some background to this blog topic. If you're familiar with the Windows Update for Business (WUfB) service you'll know this is the main channel for updating your Windows 10 or later devices with the latest security defences, bug fixes and Windows features. Once you switch from Configuration Manager workloads to WUfB your devices can be updated with policies defined through cloud-based management using Intune. There are four key management policies provided by WUfB, which include:
So what is Expedite for quality updates?
Expedite for quality updates was introduced to quickly maintain the productivity of devices. Originally released in May 2021, this option is still in preview at the time of writing, so please be aware of this when deploying on your production platform.
PLEASE NOTE: It's also important to know that Expedite only includes security updates right now, but I could see this being expanded in the future.
July 8th, 2022 by Andrew Jones
I'm sure you will agree that passwords are on the road to extinction. Hi there, in this blog post I'm going to cover the topic of security and going passwordless using FIDO2 security keys. If you would prefer to watch the video version, head over to YouTube: https://youtu.be/Kq74imD6KPY
In this blog I will cover setting up Azure AD and Microsoft Intune, and registering a hardware security key for a single test user.
Let me start by saying a special thanks to Feitian, who kindly provided me with three of their FIDO2 security keys. I'll be using one of these, the K26, to demonstrate how it works in a passwordless experience.
Before we dive into the detail, we first need to look at some background and put this topic in context. Recent statistics show around 81% of cyberattacks are due to compromised usernames or passwords. So when we look at the use of passwords, old security approaches in the enterprise simply no longer apply. When you think about it, the only people who like passwords are hackers. We have to create and remember them, which is why help desks get so many calls; not only are they expensive to manage, they are also easy for hackers to guess.
So the first approach, and one quickly becoming a standard, is to turn on multi-factor authentication, which reduces the risk considerably. We won't go into setting this up or configuring it here, but take a look at the Microsoft article on how to achieve this: Enable Azure AD Multi-Factor Authentication - Microsoft Entra | Microsoft Docs
It is important to highlight that two-factor authentication that still relies on a password is not the most convenient or secure method we can use. The diagram below shows a representation of the current guidance on this.
When you're looking to migrate your infrastructure into the cloud there are generally two areas of concern that pop up time and time again: your applications and your Group Policy Objects (GPOs). So in this blog I'm going to look at how you collect your Group Policy Objects, analyse them within Microsoft Intune, and deploy the available settings to Windows devices.
To examine a GPO within Intune, you first need a GPO report file, the gpreport.xml. You can either create this report directly or create a backup of an existing Group Policy Object, which produces it for you. To do this, launch Group Policy Management in your own environment (domain) and navigate to Group Policy Objects. Select the GPO you want to examine, right-click it and choose to back it up. Select your destination and then take a copy of the gpreport.xml file from the backup. This is the report file you will import into your Intune environment.
With your gpreport.xml file saved, log in to the Microsoft Endpoint Manager admin center using an Intune Administrator or Global Administrator account and navigate to: Devices > Group Policy analytics.
Please note: this is still in preview at the time of writing this blog, but I'm hoping it will become GA fairly soon (fingers crossed).
Import your GPO into Intune
The next step is to hit the Import option and select the report file you backed up previously. After you have imported the gpreport.xml file it will first show as being processed and then as imported. Go ahead and close that option, after which the page will start showing details straight away.
If we take a look at my imported gpreport.xml in more detail, you will notice that what has been imported is a computer GPO with a number of settings. The setting types contained within this Group Policy include things like clear text password, lockout bad count and minimum password age.
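Before the import, it is worth reading the same gpreport.xml yourself and checking the password and lockout settings against your own baseline. The following is an added example, not code from the original post: it parses the computer-side security settings from a constructed report that mirrors the GPMC backup layout (the setting values and the baseline are hypothetical).

```python
# Added example, not code from the original post: parse the computer-side
# security settings out of a gpreport.xml backup (the file the post imports
# into Group Policy analytics) and diff them against a baseline. The report
# below is constructed to mirror the GPMC export layout; values are made up.
import xml.etree.ElementTree as ET

NS = {"gp": "http://www.microsoft.com/GroupPolicy/Settings",
      "sec": "http://www.microsoft.com/GroupPolicy/Settings/Security"}

SAMPLE_GPREPORT = """<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><Name>Password Baseline</Name>
<Computer><ExtensionData><Extension xsi:type="q1:SecuritySettings"
  xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
<q1:Account><q1:Name>ClearTextPassword</q1:Name><q1:SettingBoolean>false</q1:SettingBoolean><q1:Type>Password</q1:Type></q1:Account>
<q1:Account><q1:Name>LockoutBadCount</q1:Name><q1:SettingNumber>0</q1:SettingNumber><q1:Type>Account</q1:Type></q1:Account>
<q1:Account><q1:Name>MinimumPasswordAge</q1:Name><q1:SettingNumber>1</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
</Extension></ExtensionData></Computer></GPO>"""

# Hypothetical baseline; a LockoutBadCount of 0 means accounts never lock out.
BASELINE = {"ClearTextPassword": False, "LockoutBadCount": 10, "MinimumPasswordAge": 1}


def parse_account_settings(xml_text):
    """Return {name: value} for each <Account> setting (real backups are UTF-16)."""
    root = ET.fromstring(xml_text)
    settings = {}
    for acct in root.iterfind(".//sec:Account", NS):
        name = acct.findtext("sec:Name", namespaces=NS)
        number = acct.findtext("sec:SettingNumber", namespaces=NS)
        flag = acct.findtext("sec:SettingBoolean", namespaces=NS)
        if number is not None:
            settings[name] = int(number)          # numeric policy value
        elif flag is not None:
            settings[name] = flag.strip().lower() == "true"  # boolean policy value
    return settings


def review(settings, baseline=BASELINE):
    """List settings missing from the GPO or different from the baseline."""
    findings = []
    for name, expected in baseline.items():
        actual = settings.get(name)
        if actual is None:
            findings.append(f"{name}: not set in GPO")
        elif actual != expected:
            findings.append(f"{name}: GPO has {actual!r}, baseline expects {expected!r}")
    return findings
```

For a real backup, read the file with `open(path, encoding="utf-16").read()` before passing it to `parse_account_settings`.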
So I'm a little late to the game on this, I know, but when it comes to Proactive Remediations with Intune it is a bit of a waiting game. I'm obviously referring to that short time frame before you start seeing some great examples appearing within the community. There are now probably hundreds of great blogs and PR packages that address real-life issues and help simplify an admin's role. We can all learn by example, and why reinvent the wheel?
On my own path to understanding what Proactive Remediations are and how they can be applied I have used many of these to better my knowledge, so I thought I'd create a set of quick links to them for you. A big thanks to all the early adopters and especially those willing to share their experience and hard work.
Watch out for my forthcoming YouTube video where I introduce and test out Proactive Remediations for myself and even develop my own to share. Meanwhile, take a look at and download my 10 getting-started links provided by community members.
The Microsoft Authenticator app that we know and love has been around for some time now, and it gives us an additional layer of security for Azure AD work or school accounts and our Microsoft accounts. The app allows users to authenticate in a passwordless way when signing in, but it also acts as an additional layer of verification for self-service password reset (SSPR) and during an Azure AD MFA event.
The big news, though, is that Microsoft have now gone one step further with their latest release and introduced some new security features for iOS and Android devices, which include:
- Number matching with push notifications
- Additional context during authentication, giving you information about the app and the location the person is signing in from
Example of Number matching
Hi there. Back in July 2021 the Cloud Management Community released a video called 'Voice typing Windows 11 is awesome'. It seemed to be a really popular video, so in this blog I'm going to have a little bit of fun showing you how awesome Voice access is and how it extends the speech recognition capabilities of your Windows 11 device. Since preview build 22518, released in December 2021, the Windows Voice access feature can do many more things: you can open and close applications, maximise, minimise, scroll, edit text and basically control your desktop. So let's have a little look at this and give it a go.
To begin with, what you need for this to work is to open Settings on your Windows 11 device, scroll down on the left and select Accessibility, then scroll down on the right and, under Interaction, select 'Speech', which should be an option you already have. When you switch this on for the first time it will prompt you to download the speech module. Click the download and carry out the install. Once installed, this is run by the executable C:\Windows\System32\VoiceAccess.exe.
To switch this on, toggle the switch on the page and go through the interactive guide, which helps you set up and gives you some basic experience. If you have more than one microphone connected, select the one you want to use. You are then done and ready to try this out. If at some point you want to turn the service off, navigate to Settings > Accessibility > Speech and toggle the switch to off.
It's worth pointing out that initially you will see Voice access is in sleep mode. You wake it up by saying 'voice access wake up', which enables the feature to begin listening to your microphone. The service begins to provide verification instantly based on the commands and the words you dictate. This is great and really useful because you can immediately see how accurately the service recognises and interprets your speech. I found it to be extremely accurate myself, and despite the service originally only being available in the American language pack, it works with my UK English. There will obviously be some small inaccuracies, but for me it worked very well. Now that the Voice access feature is enabled you can dictate commands to interact with and navigate your Windows PC. Interact with applications and Windows features using your voice and search the internet using the web browser. This is all available hands-free!
Now, to understand how you interact with the module and carry out commands, there is a great website which shows the full list of commands. Take a look for yourself, as a little bit of easy training goes a long way.
When running Voice access you can quickly change some of the settings using the settings icon at the top right-hand side of the command line. In here you can select your microphone and switch between them, change any of the automatic options or even switch the service off.
Aside from this website, you can also give the command 'what can I say' and you will then see a selection of the terms and phrases you can use. I have no doubt this will be expanded on, but I think it's a really good start for opening up what you can do with the desktop as opposed to just dictating text into a document.
Let's go through a few of these commands and see how we get on.
- Open word
- double click
- snap word to left
- minimize word
All of these worked, by the way.
A popular phrase you may want to use when searching the internet is:
- search on bing for microsoft
- search on youtube for microsoft
- search on google for microsoft
In each case a new tab is opened in your default browser, as shown below, and the dictated phrase is searched automatically just by speaking. Will Voice access replace what you do on a day-to-day basis? Probably not, but I do think it's starting to get there and will provide a powerful way of working for some end users, especially people with disabilities.
To finish off, here are a few more commands:
- minimize edge
- open notepad
- dictation mode
- type thank you for joining this video it's been really useful i hope you really enjoy what you've seen here and give it a go for yourself.
Some of the other commands I tried out were:
- open excel
- go to desktop
- restore excel
- double click
- scroll down
- scroll up
- maximise word
- move mouse left
- stop mouse
- select all
- copy that
I would imagine there are plenty more commands and features planned, and I look forward to seeing where this goes next. Thanks for reading.