Windows Autopilot high-level scenarios
Time for a little up-leveling (especially after the super-long proxy server post). Based on a recent Twitter conversation, I think it’s worth talking about a couple of higher-level topics. First, what are the goals for Windows Autopilot. And then, what high-level scenarios does Windows Autopilot support? (Yes, the word “scenario” is exceedingly overused, but in…
-
Windows Autopilot and proxy servers
Did I mention that I dislike proxy servers? I certainly talked a lot about them in this post, but let me go on the record to say I really, really dislike them (at least non-transparent ones) and wish they would just go away. But sadly, that’s not going to happen so we have to live…
-
BitLocker, ESP, and Windows Autopilot: Working in harmony
Let’s say you want to enable BitLocker during a Windows Autopilot user-driven deployment, and you want “maximum security” by changing the default BitLocker encryption settings to instead use XTS-AES 256-bit encryption (instead of the default 128-bit). You would end up creating a device configuration profile in Intune that looks something like this: Notice the note…
-
The Enrollment Status Page phases and steps
Have you ever wondered what actually happens during each phase of the Enrollment Status Page (ESP) and each step within a phase? Or maybe more simply, what exactly is it tracking? If you look at a composite picture of the ESP UI (showing all sections expanded – something impossible to do while the ESP is…
-
Why does “Preparing your device for mobile management” take longer with Windows 10 1903?
It’s a question that I’ve been asked a number of times, and one that I actually asked myself when doing initial tests with Windows 10 1903. And the answer is interesting – yes, ESP is waiting longer while “Preparing your device for mobile management” in Windows 10 1903. But what is going on during that…
-
Requiring a network connection for the Windows Autopilot process
If you’ve gone poking around in the available device configuration policies in Intune, you might have seen this one in the “Device Restrictions” category for “Windows 10 and later” devices, in the “General” section: But what does that “Require users to connect to network during device setup” actually do? The intent is simple: Don’t let…
-
Trying out the ConfigMgr task sequence debugger
One of the new features in the ConfigMgr 1906 release (and in previous tech preview releases) is the task sequence debugger. See the What’s new documentation that talks about it, and the official documentation that walks through using it and lists known issues. Since this is still a pre-release feature, make sure you enable it…
-
Windows Autopilot oddities
Sometimes I can’t explain them, but I can at least pass them on so that you don’t tear your hair out trying to figure out what’s going on. The enrollment status page doesn’t track PowerShell scripts executed via Intune Management Extensions. They will be sent to the machine along with all the other policies, and…
-
Event Viewer and “Saved Logs”
If you are like me and open lots of saved event log files (*.evtx), such as those captured by the “mdmdiagnosticstool.exe -area Autopilot -cab c:\autopilot.cab” command, you probably end up with an Event Viewer window that looks something like this: Always opening, never closing (which you can do by right-clicking and choosing “Delete”). Fortunately, there’s…
-
Creating a Windows Autopilot role in Intune
Some customers have asked “how do I delegate access to manage Windows Autopilot devices in Intune.” Well, Intune has a robust Role-Based Access Control (RBAC) mechanism that can be used to create a role that can do that – and only that. You just need to understand what needs to be granted to that role. …
-
What does an enterprise Windows 10 device look like?
I always get into this “philosophical” debate with IT pros: When buying new Windows 10 devices, what kind of configuration is recommended? It’s certainly not “buy the cheapest possible PC you can find” because there are still some truly awful PC devices sold. To be clear, I’m not saying they are awful from a quality…
-
UUP is (still) coming soon, and dynamic update is (still) important
How many of you remember the Unified Update Platform, a.k.a. UUP, being announced in 2016? Let me remind you: And there was another update in 2017: There was some documentation published in 2018: https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-overview And another blog in 2018: https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Language-pack-acquisition-and-retention-for-enterprise-devices/ba-p/275404 And it was talked about at Ignite 2018: There’s a slide in that video that…
-
Join me for a Q&A session
One of the things that I’ve wanted to do for a while is to have an open Q&A call – you know, the typical “office hours” concept from your college days, where someone says they’ll be available during certain times for any questions you might have. In my case, I’m not an instructor, and true…
-
Configuring the Intune Connector for AD to use a proxy server
As I discussed previously, proxy servers are a pain. I wish they could be wiped from the face of the earth. But since that’s about as likely as everyone being off of Windows 7 by January 14, 2020 (didn’t you people learn from Windows XP?), we have to deal with them. If you are setting…
-
Trying out Windows Autopilot with Windows 10 1903? Install the latest update.
As you kick the tires on Windows Autopilot scenarios (whether new scenarios like white glove or existing ones), make sure you’ve installed a recent cumulative update and aren’t using just the original unpatched Windows 10 1903 media. These updates do fix known issues, and will reduce your overall frustration when trying things out. Today’s update,…
-
Want to watch the MDM client activity in real time?
In the past, you could use the Microsoft Network Monitor to capture network traces, showing the gory details of all the network traffic to and from the machine. That utility morphed into the Microsoft Message Analyzer, and while it’s now too hard to use for simple network traces (I suggest Wireshark instead), it did pick…
-
Windows Autopilot and the joy of networking
One of the biggest challenges that we run into with customers who want to adopt Windows Autopilot for deploying new devices is the variety of network setups. This can be broken down into a few high-level categories: Challenges for devices that need to make an initial connection to the corporate network, due to network security…
-
Have you implemented “hybrid”?
I’ve had lots of conversations with customers about Hybrid Azure AD Join, as it’s used as part of a key Windows Autopilot scenario. But it seems this leads to a bunch of odd conversations because people hear the word “hybrid” and their minds go in different directions. Here’s some examples: Q: Have you tried Hybrid…
-
Inside Windows Autopilot user-driven Hybrid Azure AD Join
I already talked about user-driven mode with Azure AD Join – that’s the easiest scenario. Now let’s talk about user-driven mode with Hybrid Azure AD Join. For those who have no idea what Hybrid Azure AD Join means, let’s start with a simple explanation: Hybrid Azure AD Join devices are joined to Active Directory and…
-
Using MFA with Azure AD Join
Here’s an easy one to try. In Azure AD, you can enable an option to require MFA before a user can join a device to Azure AD: When not using ADFS or an external federation provider (the Azure AD team now recommends passthrough or password hash authentication), turning that to “Yes” will result in an…
