Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager (Hybrid AAD Join and other configs explained)

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot, Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. 🙂

Read more…

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Read more…

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Read more…

Co-management with ConfigMgr and Intune and a little something about Microsoft Defender antimalware policies

Introduction

Originally when the Endpoint Protection workload for co-management was introduced with Configuration Manager 1802, this was done without antimalware policies.

That essentially meant that antimalware policies was still being managed solely by Configuration Manager, while a feature like Exploit Guard was managed by Intune.

Now, this has since changed (at the time of writing, I’m not sure when they snug in the addition, but that’s not related to the post anyway) and the workload now includes antimalware policies enabling us to manage all aspects of Microsoft Defender with Microsoft Intune.

So what does that mean, and are there anything specifically you need to be aware of? I believe there is. 🙂

Read more…

Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. 🙂

Read more…

Getting started with Security Baselines: Moving from Group Policy to Microsoft Intune

Introduction

Another delicious feature went GA (General Availability) this week: Security Baselines in Microsoft Intune.

The Security Baselines in Intune is the equivalent to what we have done with Group Policy for some years now, and is basically a set of pre-configured Windows settings, which are recommended for the enterprise by Microsoft.

This post is not a typical A-Z guide, but rather a first look into the feature and what initial experiences I had with moving from Security Baselines with Group Policy to Security Baselines with Intune in a Co-management scenario.

Read more…

AutoPilot for existing devices: Move from Windows 7 to modern Co-managed Windows 10 in a jiffy using ConfigMgr

Introduction

Lately I have been preparing our own shift from old school device provisioning with PXE and ConfigMgr, to the modern alternative with Windows AutoPilot. The preparation is two folded, where the mindset of the IT pros working with the technologies needs a shift, but obviously also the technologies and features involved.

We’ve been hitting F12 and preparing devices within IT for many years and while it’s easy to persuade IT pros into using new and exciting technologies, the businesses we serve also needs maturing. We are not quite there yet, but we are getting closer, and the first step is obviously to embrace the technology and start using it.

We don’t have any devices running Windows 7 in our environment (phew), but this is an approach that can be used with previous versions of Windows 10 as well. For example when moving from 1803 to 1809.

Read more…

Flipping the switch, part 5: A closer look on the client apps workload (Co-management with ConfigMgr and Intune)

Introduction

The client apps workload (also known as mobile apps for co-managed devices) was introduced in System Center Configuration Manager 1806 and was done so as a pre-release feature. The documentation on the workload is today still somewhat lacking, so I figured I’d give you some more insights based on my own findings.

The main idea here is, that apps deployed from Microsoft Intune are available through the Company Portal, and apps deployed from SCCM are available through the Software Center. This is quoted directly from the documentation, but what does this really mean? What types of apps are we able to deploy from Microsoft Intune and what’s the expected behavior? This is something I will try to address in this post. Curious? Read on 🙂

Apps installed from Microsoft Intune to a Co-managed device. Sorry about the obscure language. The company portal on my computer insists on being in Danish 🙁

Read more…

How to automatically join Windows AutoPilot devices to On-Premises AD (Hybrid Azure AD Join)

Introduction

Good news everyone! The feature was introduced at Ignite earlier this year and now it’s finally here. Windows AutoPilot now allows you to join your Windows 10 v1809 devices to your on-premises Active Directory (Hybrid Azure AD Join). All the magic lies in a new Intune connector for Active Directory. Sounds exciting, right? This will be everything you need to know, on how to get started with this new amazing feature.

The new Intune Connector for Active Directory (Preview)

Read more…

Deploy the SCCM Client using Microsoft Intune and the Cloud Management Gateway (CMG without PKI certificates)

Introduction

Last week I blogged about how to get properly started with Windows AutoPilot. This week I’m continuing on the topic, and going into details on how you can deploy the SCCM (System Center Configuration Manager) client as a part of the Windows AutoPilot enrollment and thus achieve Co-management with SCCM and Microsoft Intune.

I have previously blogged a lot about Co-management. Focus here has been enrolling devices already managed by SCCM into Intune MDM.

This post is the opposite. This time we are deploying a device through Windows AutoPilot, enrolling it into Microsoft Intune and then deploying the SCCM client through the Cloud Management Gateway. Sounds interesting? Read on 🙂

  • Find all my Co-management posts here: https://www.imab.dk/category/co-mgmt/
    • My post about setting up the Cloud Management Gateway without PKI certificates is especially of interest if pursuing Co-management

Read more…