Modern device management with a few twists
'My goal is to share my knowledge and experiences with community members on their own road to Modern device management. I love working with Microsoft technology and hopefully I can help a few people along the way.'
Update: Bitesize demonstration Video coming soon on the GetModern Channel
Microsoft Endpoint Manager (MEM) and Intune are changing at pace, and one of the newer management options is Guided Scenarios, currently in preview. Get comfy and take a read.
Guided scenarios currently include (at the time of writing) the following options:
1 - Secure Office apps for mobile
2 - Deploy Edge for mobile
3 - Set up a test device to try out cloud management
4 - Deploy Windows 10 in cloud configuration
In this blog post I want to cover 4 - Deploy Windows 10 in cloud configuration.
In Microsoft's words - "A guided scenario is a starting point for people who want to ease in to Intune with step-by-step guidance. All you have to do is choose a setup scenario. We’ll walk you through the rest, assembling apps, assignments, and other management configurations for you automatically. By the end, you’ll have a basic understanding of the scenario and can start exploring more advanced configurations."
I personally think these are great as getting-started options and provide quick and easy ways of testing or deploying Intune functions and features in production. Obviously these are in public preview currently, so I would wait until they have been made GA (generally available) before using them in production. Cloud Config in particular provides organisations with a way to introduce a streamlined standard across devices, which are then more easily set up and monitored. The guided scenario can be applied to Windows 10 Professional, Enterprise, and Education devices and targets frontline and remote workers.
If your company is looking for a uniform deployment which includes general use of the Microsoft Edge browser and Microsoft Teams and adds Microsoft-recommended security, this is a great choice.
So where is it and how is it configured?
Before we start, for the purpose of this blog my setup here is based on the following:
- A Windows 10 version 1909 virtual machine on Hyper-V
- Hardware Hash collected and imported to Intune for Autopilot provisioning
- Intune configured to use Cloud Config with out of the box settings
Not covered here: the initial setup of the Windows 10 VM on Hyper-V or the collection and import of the hardware hash ID. I have also assumed that you are aware of the different features of Intune such as enrolment profiles, ESP, compliance policies, Windows 10 update rings etc. If you would like to learn or know more about these, please visit the Microsoft MEM online documentation at:
Microsoft Endpoint Manager documentation | Microsoft Docs.
Cloud Config setup
First off it is worth noting the prerequisites for deploying this, to ensure you are prepared and the configuration doesn't fail. These include:
- Licenses: Azure Active Directory Premium P1, Microsoft Intune, Microsoft Teams, OneDrive for Business, Windows 10 Pro or Enterprise.
- Setup of the MDM authority before users can enrol devices.
- Automatic enrolment for Windows 10 devices needs to be enabled.
The purpose of the guided scenario is to make it easy to deploy a cloud configuration which automatically sets up all the required resources. This is a nice step forward in automating the configuration of policies and apps and takes out the pain of doing this manually.
NOTE: While the guided scenario is automated, all related resources can be set up manually if you prefer, which offers one way of becoming familiar with the policies and settings. You will find the documentation for this here: Windows 10 in cloud configuration (microsoft.com)
Resources setup during the guided scenario
The following is a list of all the resources automatically configured by the guided scenario:
Go to https://endpoint.microsoft.com and log in as a Global Admin or Intune admin account.
Select menu options:
> Troubleshooting + Support
> Guided Scenarios (Preview)
> Deploy Windows 10 in Cloud configuration > Start
After clicking start, you will be presented with a general information screen, please note the 'What you will need to continue' section.
On the next screen you can optionally choose to create a device name template. This can be useful to differentiate between Cloud Config and non-Cloud Config devices. Enter a name and use the %RAND:% or %SERIAL% options if this matches your naming policy. Then choose a resource prefix. I have found this useful again to quickly identify the resources set up for Cloud Config only.
Click Next when done.
On the next screen the guided scenario shows you the default applications which will be deployed to devices, these being the MS Edge browser and the MS Teams app. You can add additional apps by ticking the checkbox and, if preferred, add additional non-Microsoft apps at a later date; however, the default apps are those Microsoft recommends for uniform deployment and management. Remember Cloud Config targets frontline and remote workers, concentrating on productivity and browsing. It could be that this doesn't fit the model you want to deploy, in which case Cloud Config still provides a good starting point from which to extend to your additional requirements. Keeping the configuration slim will make deployment and management that bit quicker and easier.
Click Next when finished.
On the next window you assign the device groups to which the resources will apply. You can either create a new group here or choose an existing device group.
Click Next when complete.
The following window summarises the configuration to be deployed along with your personal choices and provides a list of the resources the guided scenario will create. To proceed, click the 'Deploy' button.
On completion, the screen below should be visible. If for some reason there are any issues you may see all resources set up and ticked green and then automatically backed out. I experienced this when first deploying Cloud Config, with no obvious reasons for the failure and no error codes provided. As this is in preview, however, I'm sure error codes or even a dedicated report may be deployed. On the back of my experience I contacted members of the Microsoft Intune engineering team and sent them my suggestions. I'm not holding my breath, obviously.
Eventually I managed to resolve the issue by contacting IntuneSupport. I will post the reason here when I have more info. When complete, which is basically instantly, you will see successful checks against the resources and assignments.
Cloud Config deployment results
I thought it worth showing both the results and follow up actions after deploying the resources.
At this point I have my policies and apps created; now I need to assign a new Windows 10 device to the newly created device group, enrol the device using Autopilot and check through the results of provisioning. As mentioned near the start of the blog, I used a Windows 10 VM running on Hyper-V.
- Import the VM hardware hash to Intune
- Assign the device to the Cloud Config device group
- Start the build of the Windows 10 VM using a Windows 10 v1909 deployment
- Provision the VM using Autopilot to enrol the machine
- Check the status of the deployment and resolve any issues
I haven't included screens for the first 4 steps here, but just to say the provisioning completed successfully even with MS Teams being deployed in the device context, and Autopilot was fairly swift in setting up the machine. There are no differences here with the provisioning process, as this scenario is only using pre-existing methods to set up and deploy policies and apps. Especially when first testing the Cloud Config approach it is worth working through all Intune policies and apps, both within MEM and on the device, to double-check there are no issues or errors. I have included some of the checks I made below.
One thing worth noting which is different and new is the deployment of a Microsoft-produced PowerShell script to remove built-in apps. This includes the MS Store typically seen on the Windows 10 toolbar.
The picture below shows the Windows 10 toolbar before and after an enrolment, where the included MS Store icon along with other built-in apps have been removed from Windows. You will also notice that the OneDrive icon has appeared on the right, showing that this was configured as part of the device provisioning.
Image: Before the Cloud Config configuration.
Image: After the Cloud Config setup.
Other end-user interface changes include those on the Start Menu, which is simplified and no longer includes standard apps like Calculator, Groove and Films & TV. (Note: at the point of capturing this image not all updates had completed on the changed menu.)
Image: After the Cloud Config PowerShell updates.
To verify that the machine has enrolled and is being managed by Intune there are various ways to show this on the actual device. One way is to go into Settings > Accounts > Access work or school.
The red writing shows the device is being managed.
Another way is to go into Windows Updates to show that this is managed using a policy deployed and configured on the device.
Settings > Update & Security > Windows Update
To show that OneDrive has been installed, on the device open File Explorer and check that OneDrive is now available.
Cloud Config compliance
One of the security policies set up and deployed through Cloud Config is device compliance. Compliance is used here to ensure the machine is running a minimum OS level of 20H2. As I initially set up my Windows 10 machine using version 1909, this meant that the device was automatically placed into an 'in grace period' status, as it had not met the compliance configuration.
As indicated below, when not compliant the policy is set with an action to mark the device as non-compliant after 1 day. This means that when deploying the out-of-the-box compliance policies you will need to adjust these settings, particularly the 1-day window, if you have a mixed selection of Windows 10 devices. There are no actions configured to email the user and warn them of this situation.
When you drill down to the individual compliance settings, as indicated below the device did not meet the minimum OS compliance level and therefore an error against the OSMinimumVersion flag is shown.
To resolve this issue I went back to the device Settings > Update & Security > Windows Update and clicked the 'Check for updates' button. Cloud Config does have a Windows Update ring deployed to automatically install at maintenance time. The maintenance time, however, is set to start at 6AM and end at 6AM, so unless you change this the update should be deployed as soon as the policy has been applied to the machine. I forced this and updated the machine myself, which the ring again is configured to allow.
Following the completion of the update, once the device had checked back in with Intune, compliance was updated and the device was reported as being compliant.
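The device-side checks above (enrolment state, Store removal, OneDrive presence) and the 20H2 minimum-OS compliance rule can be collected in one readiness script run on the device. This is an added example and not Microsoft's or the blog's own script; it assumes 20H2 corresponds to build 19042 and 1909 to build 18363, and that OneDrive is installed per-user under LOCALAPPDATA.

```powershell
# Added example: report a Windows 10 device's state against the Cloud Config
# defaults described in this post. Run in an elevated PowerShell on the device.
# Assumption: Cloud Config's minimum OS of 20H2 maps to build 19042 (1909 = 18363).
function Get-CloudConfigReadiness {
    param([int]$MinimumBuild = 19042)   # 20H2

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # DisplayVersion exists from 20H2 onward; older builds (e.g. 1909) expose ReleaseId.
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # Enrolment state as shown under Settings > Accounts > Access work or school.
    # dsregcmd /status prints AzureAdJoined and MdmUrl lines when the device is enrolled.
    $joinLines = (dsregcmd /status) -match 'AzureAdJoined|MdmUrl'

    # Cloud Config's built-in app removal script removes the Microsoft Store for the user.
    $storePresent = [bool](Get-AppxPackage -Name 'Microsoft.WindowsStore' -ErrorAction SilentlyContinue)

    # Assumption: per-user OneDrive install path; per-machine installs live under Program Files.
    $oneDrivePresent = Test-Path (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe')

    [pscustomobject]@{
        Release          = $release
        Build            = $build
        MeetsMinimumOS   = ($build -ge $MinimumBuild)
        # Below the minimum, the default policy places the device 'in grace period'
        # and marks it non-compliant after 1 day, as described above.
        GracePeriodRisk  = ($build -lt $MinimumBuild)
        StoreRemoved     = (-not $storePresent)
        OneDriveInstalled = $oneDrivePresent
        EnrolmentStatus  = ($joinLines -join '; ')
    }
}

Get-CloudConfigReadiness | Format-List
```

A 1909 device reports Build 18363 and GracePeriodRisk True, which is the state the post's VM was in until the update to 20H2 completed.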
As a quick way to try out a comprehensive and standardised approach to setting up policies and apps with Intune following recommended security guidelines, Cloud Config seems to me to be a great way to enable cloud management on Windows 10 devices. If your end users require additional apps, which in itself may demand more security, then again Cloud Config gives you a solid base from which to extend the deployment.
Thanks for reaching the end of this and hope it has been useful.