anyweb

Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 5 – Windows)

Introduction

At Microsoft Ignite this week in Florida, there were many new announcements of new capabilities in products such as Microsoft Intune. With so many new announcements it’s hard to keep up, but if you want to find out more, read on or select the part that interests you below.

This content is based on an excellent session entitled “BRK3036 – Managing devices with Microsoft Intune: What’s new and what’s next” and you can review it yourself here.

The session was presented by:

 

In this post we’ll look at some of the highlights for Windows 10 management with Intune.

Win32 App Management feature

windows-app-win32-684x1024.png

Now when you try out this feature in Intune, you’d think you can just point to a recently downloaded EXE, or MSI file, but no, you cannot.

You can only use files that have been converted into the .intunewin extension. How do you get that extension? Using this tool.

Download the required tool

Once downloaded, run the EXE and point it to the source folder containing the MSI or EXE that you want to convert, then spell out the file name, and finally select the output folder. It will then convert it to the *.intunewin extension as you see below.

converting-1024x394.png

which will allow you to upload it into Intune.

add-app-1017x1024.png

This new feature supports multi file installation, exe, msi, cab files, and you can even configure cmd line switches just like you do in Configuration Manager.

cmd-line-switches-1024x364.png

You can configure the requirements

requirements-1024x616.png

And you can even configure detection rules and return codes, so that you know if the app installed successfully or failed.

return-codes-1024x844.png

Once added, you can assign this to groups of users, as required (mandatory) or optional (via the company portal), and keep in mind that for Office ProPlus with Intune all you need to know is that you can utilize what’s available within Intune to deploy that, I blogged it earlier here.

5a11baa3d6be6_everythingdone.png.f06f307

What about Configuration Management ?

A few of the concerns from customers to Microsoft were that the MDM stack in Windows, when used for configuring Windows, had a lot of important settings, but not enough for what needed to be configured in the environment.

So now within (for example) Endpoint Protection in Intune, you can configure dozens of settings that were previously available via Group Policy, things like firewall rules or BitLocker.

dozens-of-settings-1024x623.png

But if you select, Windows 10 or later, then select the new feature Administrative Templates you have thousands of settings to choose from (searchable too), that can configure things for applications like Office Desktop.

office-configuration-1024x685.png

This takes the ADMX infrastructure from Group Policy and makes it possible to deploy via MDM.

MDM Security baselines

But wait, there’s more, you can now also configure MDM security baselines.

mdm-security-baselines-1024x656.png

And the idea behind these baselines is Microsoft has recommendations for what those settings should be. And with these options, you can select what should be good to select for your enterprise to have a secure compliant deployment of Windows.

The recommendations are available dynamically in the console on an ongoing basis.

mdm-security-baseline-example-1024x652.p

What about Devices ?

If we go to the device enrollment, windows enrollment tab you can select windows enrollment and look at the new Windows Autopilot options, as shown below.

autopilot-options-834x1024.png

Note: The below info was taken from another related session, see my notes on that here

Windows Autopilot

Announced at Microsoft Ignite last year (2017), helps customers moving to modern management.

Windows AutoPilot Scenarios.

windows-autopilot-scenarios.png

Hybrid Azure AD join, starting in 1809, can be hybrid Azure AD joined (enrolled into Intune and device joined to on premise AD).

Also announced Windows Autopilot for existing devices…

Use Intune to create dynamic groups for those autopilot devices.

Can pre-assign users to devices, in the Intune console you find the device (in Windows Enrollment, Windows AutoPilot devices), click assign user,

assign-user-1024x370.png

When they go through Autopilot they won’t be prompted for the email address, instead they’ll get a custom welcome and a more personalized login.

Windows Autopilot and ConfigMgr

Autopilot task sequence, supported starting with Windows 10 1809

AutoPilot-Task-Sequence.png

Create a package with the JSON file which was created using the PowerShell cmdlets

powershell-cmdlets-1024x241.png

Then create the Autopilot task sequence, add the package, and provision the device using the task sequence.

That’s it for this series, I hope you enjoyed it,

cheers

niall (at Microsoft Ignite in Orlando, Florida).
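
An added example, not part of the original post and not Microsoft's own code: a custom detection script of the kind the detection rules step for a Win32 app can use instead of a file or MSI rule. It relies on the convention that output on STDOUT together with exit code 0 means "detected"; the app name `Contoso Agent` and the minimum version are hypothetical placeholders, and the app is assumed to register itself under the standard Uninstall registry keys.

```powershell
# Added example: custom detection script for a Win32 app deployment.
# Assumptions: the installer writes DisplayName/DisplayVersion to the
# standard Uninstall keys; $AppName and $MinVersion are hypothetical.
$AppName    = 'Contoso Agent'
$MinVersion = [version]'2.4.0'

# Check both the native and the 32-bit-on-64-bit registry views.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = foreach ($root in $uninstallRoots) {
    Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $AppName -and $_.DisplayVersion }
}

foreach ($entry in $installed) {
    $found = $null
    # DisplayVersion is free text; ignore entries that do not parse as a version.
    if ([version]::TryParse($entry.DisplayVersion, [ref]$found) -and
        $found -ge $MinVersion) {
        # STDOUT output plus exit code 0 marks the app as detected.
        Write-Output "Detected $AppName $found"
        exit 0
    }
}

# No STDOUT output and a non-zero exit code: reported as not detected,
# so an older or missing install is offered the deployment again.
exit 1
```

Requiring a minimum version rather than mere presence keeps an outdated, unpatched copy from being reported as installed. If the script runs as a 32-bit process on a 64-bit client, registry redirection makes both paths resolve to the 32-bit view.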


On 9/30/2018 at 11:23 PM, anyweb said:

What about Configuration Management ?

A few of the concerns from customers to Microsoft were that the MDM stack in Windows, when used for configuring Windows, had a lot of important settings, but not enough for what needed to be configured in the environment.

So now within (for example) Endpoint Protection in Intune, you can configure dozens of settings that were previously available via Group Policy, things like firewall rules or BitLocker.

dozens-of-settings-1024x623.png

But if you select, Windows 10 or later, then select the new feature Administrative Templates you have thousands of settings to choose from (searchable too), that can configure things for applications like Office Desktop.

office-configuration-1024x685.png

This takes the ADMX infrastructure from Group Policy and makes it possible to deploy via MDM.

MDM Security baselines

But wait, there’s more, you can now also configure MDM security baselines.

mdm-security-baselines-1024x656.png

And the idea behind these baselines is Microsoft has recommendations for what those settings should be. And with these options, you can select what should be good to select for your enterprise to have a secure compliant deployment of Windows.

The recommendations are available dynamically in the console on an ongoing basis.

mdm-security-baseline-example-1024x652.p

 

Hi

Where are those options?

I don't see any administrative templates or security baselines on my Intune.

Is that normal?

 
