Is Windows 7 supported in Intune?

This week is all about conditional access in combination with Windows 7 domain joined devices. I know, simple solution, migrate as fast as possible to Windows 10. Having said that, it’s not always possible to simply migrate those devices to Windows 10 and in the meantime those devices do need access to Office 365. That’s why I thought it would be good to write something about those Windows 7 domain joined devices in combination with conditional access. As Windows 7 should not be a reason to not implement conditional access. In this post I’ll provide the details about the additional configurations that need to be in place, to allow Windows 7 domain joined devices access to Office 365. So, not directly about conditional access, …

It’s already known that the default install.wim of Windows 8, by default, applies to C:\, but wouldn’t it be great if there was this same functionality for Windows 7? That way there is no need for a Build and Capture task sequence anymore to maintain a thin image. Applying the default image to C:\ in combination with offline servicing of updates will do the trick. Well… I’ve got good news! In this post I will show how to apply the default install.wim of Windows 7 to C:\! Configuration The configuration is actually very easy, it’s more about knowing that it exists. ConfigMgr 2012 SP1, which is currently still in BETA, brings a set of new task sequence variables. One of these variables can be used …

After the release of Windows 8 last week we can already start thinking about migrating. When I’m thinking about migrations I always like the computer-refresh scenarios where we can use hard-links. In this post I will show a basic task sequence to capture user files and settings, either offline or online, with help of hard-links. I already showed the basics of that in an earlier post last year when ConfigMgr 2012 was still in Beta. Since then the Wizard screens have not changed so I will not show that again, but I will show some more information about what happens. Prerequisites To support migrating to Windows 8 we need ConfigMgr 2012 SP1 (which is currently still CTP) in place with at least the following packages: …

Inspired by a previous post about the option to Schedule Updates for an already existing Operating System Image in ConfigMgr vNext, I created a little batch-file to do something similar without the GUI of ConfigMgr vNext. Of course, I do know that the ‘best practice’ for ConfigMgr 2007 is to just run another Build and Capture Task Sequence, but in some cases this can come in handy. One thing is for sure, this updates a Windows 7 Image within fifteen minutes. Background Story Now let’s start with a little background story, to explain why in some situations there might be the need for this batch-file. Every month there are new Software Updates released by Microsoft. During the Software Updates Deployment the, for the organization needed, …

It took a while but this weekend it was finally time for some testing of, what’s code-named, “Modena”. Modena is a tool, developed by Microsoft IT, that enables the ability of an End-User Experience by using a powerful OSD Wizard. When you are searching for a way to get your users “involved” in an OS Deployment, then I would recommend you to take a look at Modena. The OSD Wizard of Modena (see picture) can be changed in a lot of different ways. As an administrator you can select which settings can be done by a user and which are pre-set. By these customizable settings you can think about things like computername, domain, local administrators, language, time, image, backup (via USMT 4.0) and the applications. …

Last week I had some problems with opening the ConfigMgr Console. The weird part was that the error only appeared for one user. This was the error I got: MMC cannot open the file <driver>:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\bin\adminconsole.msc. This may be because the file does not exist, is not an MMC console, or was created by a later version of MMC. This may also be because you do not have sufficient rights to the file. Then I figured that, because the ConfigMgr Console is an MMC snap-in, it creates a version in the user profile. Because I use Windows 7 and Windows Server 2008 R2 it is located at: <Drive>:\Users\<Username>\AppData\Roaming\Microsoft\MMC\adminconsole.msc. So after deleting the version from the profile and restarting the ConfigMgr Console it …

Let’s discuss Intune support for the multi-session Windows Server OS version, that is, Windows 11 or Windows 10 multi-session. Intune support is there only for a server operating system called multi-session. Intune support for the rest of the server operating systems is still not there.

Intune support is already available for Hybrid Azure AD, and Azure AD joined AVD (a.k.a Azure Virtual Desktop) VMs. Intune support for a Windows 11 or Windows 10 multi-session preview was announced a few months back.

In this post, let’s also discuss Ivanti Environment Manager and Citrix WEM requirements for the VDI server workload production deployment scenario (don’t forget to check out the Conclusion section).

Microsoft announced the general availability of Intune support for multi-session in April 2022. Windows 10 or Windows 11 multi-session VM’s Intune management is out of public preview now. It’s not recommended to use the same policies for multi-session and single-session workloads in AVD.

More details on policy creation for multi-session are discussed in the following sections. This means all the user-based policies are not supported for the multi-session scenarios. So, it would be best if you were careful while creating Intune policies for multi-session scenarios.

The tag line here with Intune management of multi-session VMs is you must use device-based configurations wherever possible to support user-less enrollments. Windows 10 multi-session support is already in place for Configuration Manager (a.k.a SCCM). You can read more about SCCM Windows 10 or Windows 11 Multi-Session Support For AVD.

Prerequisites Multi-Session Support with Intune

I had tested multi-session when it was not in support at all. However, the following are prerequisites for a supported scenario for multi-session Windows 11 or Windows 10 management with Intune.

  • Windows 10 multi-session, version 1903 or later.
    • Or Windows 11 multi-session.
  • Hybrid Azure AD-joined (Domain Join + Azure AD Registered).
    • Or Azure AD Join.
  • AVD agent version of 1.0.2944.1400 or later.
  • Enrolled in Intune using any of the following options:
    • Use Active Directory group policy (for Hybrid Azure AD Join scenario), set to use Device credentials.
    • SCCM co-management to enroll in Endpoint Manager Intune (MEM).
    • Intune enrollment with multi-session VMs using AVD provisioning workload.
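
The prerequisites above can be verified on a session host before it is assigned policies. The following PowerShell check is an added example, not part of the original post. It assumes that multi-session images report the `EditionID` value `ServerRdsh`, that the AVD agent is listed in the Uninstall registry as "Remote Desktop Services Infrastructure Agent", and that an Intune enrollment leaves an Enrollments key with `ProviderID` set to `MS DM Server`.

```powershell
# Added example: prerequisite check, run elevated on the AVD session host.
$minBuild = 18362                       # Windows 10 version 1903
$minAgent = [version]'1.0.2944.1400'    # minimum AVD agent version listed above

# OS edition and build. Assumption: multi-session images report EditionID 'ServerRdsh'.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$isMulti = $cv.EditionID -eq 'ServerRdsh'

# Join state from dsregcmd, which prints lines such as "AzureAdJoined : YES".
$join = @{ AzureAdJoined = $false; DomainJoined = $false }
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\w+)') {
        $join[$Matches[1]] = ($Matches[2] -eq 'YES')
    }
}
if ($join.AzureAdJoined -and $join.DomainJoined) { $joinType = 'Hybrid Azure AD joined' }
elseif ($join.AzureAdJoined)                     { $joinType = 'Azure AD joined' }
else                                             { $joinType = 'Not Azure AD joined' }

# AVD agent version. Assumption: the agent is listed under Uninstall with this display name.
# Several versions can be installed side by side, so take the highest one.
$agent = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -eq 'Remote Desktop Services Infrastructure Agent' } |
    ForEach-Object { [version]$_.DisplayVersion } |
    Sort-Object -Descending | Select-Object -First 1

# Intune enrollment. Assumption: an enrollment key with ProviderID 'MS DM Server' exists.
$enrollments = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Enrollments\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }
$enrolled = [bool]$enrollments

$results = @(
    [pscustomobject]@{ Check = 'Multi-session edition';     Value = $cv.EditionID; Pass = $isMulti }
    [pscustomobject]@{ Check = "OS build >= $minBuild";     Value = $build;        Pass = ($build -ge $minBuild) }
    [pscustomobject]@{ Check = 'Azure AD or hybrid joined'; Value = $joinType;     Pass = $join.AzureAdJoined }
    [pscustomobject]@{ Check = "AVD agent >= $minAgent";    Value = $agent;        Pass = ($agent -ge $minAgent) }
    [pscustomobject]@{ Check = 'Enrolled in Intune';        Value = $enrolled;     Pass = $enrolled }
)
$results | Format-Table -AutoSize

if ($results.Pass -contains $false) {
    Write-Warning 'One or more prerequisites for Intune multi-session management are not met.'
}
```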

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads

Overview of Multi-Session Management with Intune

Let’s check the overview of Multi-Session Management with Intune. You can check the supported policy details in the below section.

#1 You need to remember that the user policies are applied only after the user’s first login (as expected). I don’t think it will take more than 2 minutes to apply security policies to the VM after the user’s first login. This is the same experience as with a single session.

#2 Use device-based Intune policies wherever possible to speed up the user enrollment process, as explained in the above link. User-based policies must be deployed to Azure AD user groups, and device-based policies must be deployed to Azure AD Device groups. While writing this post, only device policies are supported.

#3 What is enrollment time in this context? It is the time between the first login (when the user gets to see the desktop) to a non-persistent (even applicable for persistent) multi-session VM and the point at which the VM is ready for the user to use, after all the security policies and apps have been applied.

#4 Critical User Policy for multi-session scenarios – There are some user policies that should be applied immediately after login; otherwise, Outlook auto-discovery or configurations won’t get loaded properly.

#5 Use Intune Settings Catalog for multi-session VMs – The existing device configuration profile templates aren’t supported for Windows 10 or Windows 11 multi-session VMs, except Trusted Certificates, SCEP Certs, PKCS, and VPN (device tunnel).

#6 Intune won’t deliver unsupported templates to multi-session devices, and those policies appear Not applicable in reports.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 1

#7 ADMX-ingested policies are supported with multi-session, including Office and Microsoft Edge settings available in Office administrative template files and Microsoft Edge administrative template files. Some of the ADMX-ingested policies are not applicable for multi-session.

#8 Only device-based compliance policies are now supported by Windows 10 or Windows 11 multi-session VMs. The user or device-based Conditional Access Policies are supported for multi-session VMs.

Multi-Session Server OS Policy Deployment Using Intune

As discussed in the overview section above, most default policy templates are not supported for multi-session scenarios. So, you are allowed to reuse the existing policies created using unsupported templates. Only the certificate templates are supported for multi-session, as explained above.

Windows 10 or Windows 11 Multi-Session policy creation and deployment must use Intune settings catalog or ADMX injection templates as mentioned in the overview section. Let’s check how to create the Multi-Session server OS policy using Intune.

  • Sign in to endpoint.microsoft.com.
  • Navigate to Devices > Windows > Configuration profiles.
  • Click on Create Profile.

Intune Support for Windows Server OS Version Multi-Session 2

  • Select Platform: Select Windows 10 and later.
  • Profile: Select Settings catalog.

Click on the Create button to continue to the next page.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 1

You can enter the details such as the name of the Policy and settings on the below screens. The multi-Session policy is being created now. I recommend specifying the scenario and user/device-based policy in the name itself.

  • Enter the Name of the Multi-Session user-based policy – AVD-Multi-Session-User-Policy-ControlPanel-Settings.
  • Enter the Description of the policy.
  • Click on the Next button to continue.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 3

You can click on the +Add Settings link to bring up the new blade of the policy configuration wizard. This link will help with a new blade called the Settings Picker with a search box.

Settings catalog – You can choose which settings you want to configure with the settings catalog. Click on Add settings to browse or search the catalog for the settings you want to configure.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 4

  1. Under Settings picker, click on Add filter and select the following options:
    • Key: OS edition
    • Operator: ==
    • Value: Enterprise multi-session

Click on the Apply button to show the filtered list of all configuration profile categories that support Windows 10 or Windows 11 multi-session. You can see the scope for the policy in parentheses (Device or User).

NOTE! – While writing this post, only device settings are supported for multi-session. However, in this post, I try to deploy some user-based policies for testing. I don’t recommend trying this out.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 5

I used the keyword “Control panel” to filter down the policy results further. Remember, I have already filtered down for a multi-session OS version.

The following are the 4 settings available for the Control panel settings available for the Multi-session scenarios. All those 4 settings are user-based policies, so they must be deployed to the Azure AD User Group.

  • Always open All Control Panel Items when opening Control Panel (User)
  • Hide specified Control Panel items (User)
  • Prohibit access to Control Panel and PC settings (User)
  • Show only specified Control Panel items (User)

I have selected a user-based setting called Hide specified Control Panel items (User).

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 6

Enable the policy by using the toggle button, as shown in the screenshot below.

  • Click on the +Add button to add the control panel canonical names to hide those settings from the control panel.
  • Click on the Next button to continue.

The System and Administrative Tools will be hidden from the control panel once this policy is successfully implemented.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 7

You must use the Azure AD User group to assign this policy deployment. You can use Intune filters from the assignment page to filter out devices that are not required (single session and physical).

You can click on the Next button and add the Scope Tags on the next page. You will need to click on the next and create buttons to complete the policy creation process.

I have explained how to build an Intune filter rule for multi-session devices in the following blog post. More details – AVD Intune Support Is Available For Windows 10 Or Windows 11 Multi-Session.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 8

I see from the event logs that the policies are applied to the user immediately after the login, which is really nice. You can check the event logs of the multi-session VM to get more details. I see some gotchas with the user policy deployments, which are covered in this post’s summary section.

The Intune log (event) path is Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.

More Details – Intune Logs Event IDs Registry Entries For Windows Client Side Troubleshooting.
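
The same log can be read from PowerShell to confirm that policy processing followed a login and to surface failures. This is an added example, not part of the original post. The function name `Get-MdmPolicyEvents` and the one-hour default window are assumptions made for illustration, and no specific event IDs are assumed.

```powershell
# Added example: summarise Intune (MDM) client events on a session host since a given time.
function Get-MdmPolicyEvents {
    param(
        # Assumed default window; pass the user's logon time to scope the check to one session.
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = $Since
    }
    # Returns nothing instead of an error when no events match the window.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$events = @(Get-MdmPolicyEvents)

if ($events.Count -eq 0) {
    Write-Warning 'No MDM events in the window: policy processing may not have run yet.'
}
else {
    # Volume per level and event ID, to see what the client did after login.
    $events |
        Group-Object LevelDisplayName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize

    # Critical (1), Error (2) and Warning (3) events, oldest first, first message line only.
    $events |
        Where-Object { $_.Level -in 1, 2, 3 } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```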

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 9

Endpoint Security Platform Supports Windows Server?

Let’s check whether the Endpoint Security platform supports Windows Server. It supports Windows 10 or Windows 11 multi-session VMs.

  • Log in to the endpoint.microsoft.com portal.
  • Navigate to Endpoint Security -> Endpoint detection and response.
  • Click on Create Policy to create the Endpoint security policy for Multi-Session VMs.

Microsoft Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 10

Intune Application Deployment for Multi-Session VMs

You can deploy the application to multi-session VMs if the application is installed in the System or Device context. There is no support to deploy web applications because they always get installed in the user context.

The available deployment is not supported for multi-session VMs. Also, AVD Remote Apps and MSIX app attach are not supported for Intune application deployment scenarios.

PowerShell Script Deployment for Multi-Session VMs

Let’s check options for PowerShell Script Deployment for Multi-Session VMs with Intune. While writing this post, you can deploy the PowerShell script only in System Context. The setting called Run this script using the logged on credentials must be set to No.

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 11 – PowerShell Script

Patching Policies for Multi-Session VMs

Let’s check the Software Updates or Patching Policies for Multi-Session VMs. You have to use the Settings Catalog Windows Update for Business option for WUfB policies. There are only 8 WUfB supported policies for Windows 11 or Windows 10 multi-session VMs.

You need to filter the settings catalog based on OS edition, as explained in the above section, and then search with the keyword “Windows Update for Business” to get the results that you can see in the screenshot below.

  1. Active Hours End
  2. Active Hours Max Range
  3. Active Hours Start
  4. Block “Pause Updates” ability
  5. Configure Deadline Grace Period
  6. Defer Quality Updates Period (Days)
  7. Pause Quality Updates Start Time
  8. Quality Update Deadline Period (Days)

Intune Support for Multi-Session Windows Server OS Version | AVD Workloads 12

Intune Remote Actions Support for Multi-Session VMs

Let’s check Intune Remote Actions Support for Multi-Session VMs. More details on Remote actions on Device Actions using Intune. While writing this post, the following 6 remote actions are not supported for multi-session VMs.

  1. Autopilot reset
  2. BitLocker key rotation
  3. Fresh Start
  4. Remote lock
  5. Reset password
  6. Wipe

Conclusion | Intune Support for Multi-Session Windows Server OS Version | AVD Workloads

The User-based policy deployments using the settings catalog are not supported yet. This is mandatory for production deployment of AVD multi-session with Intune management. Let’s have a quick summary of Intune Support for Multi-Session Windows Server OS.

Avoiding user-based policies in production AVD deployment is not quite feasible in my experience, even though Microsoft recommends avoiding user-based policies. User-based policies and control are essential for AVD multi-session deployments.

  • #1 – I have seen organizations using Ivanti Environment Manager (powered by Appsense) or Citrix WEM to get complete control over the user-based policy deployment for server-based workloads such as Server 2019 and 2022 Citrix Cloud VDAs.

#2 – It’s great news that Microsoft is taking baby steps toward Windows 11 or Windows 10 multi-session support with user policies in the coming days. However, I feel it would be difficult to rely only on Intune multi-session support for the production deployment of server workloads such as multi-session now.

  • #3 – I have not seen any Windows 11 or Windows 10 multi-session support statement for Ivanti Environment Manager. It seems Citrix WEM already supports Windows Multi-Session operating system.

You would be able to Deploy Multi-Session Windows 11 or Windows 10 Workloads to an on-prem datacenter using Azure Stack HCI implementation. More details are available – On-Prem Azure Virtual Desktop With Azure Stack HCI.

Author

Anoop is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Which OS is supported in Microsoft Intune?

Google. Intune requires Android 8.x or higher for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. This requirement does not apply to Microsoft Teams Android devices as these devices will continue to be supported.

What devices are compatible with Intune?

Intune supports devices running the following operating systems (OS): iOS. Android. Windows. ... Supported Samsung Knox Standard devices..

Does Intune support Windows Server?

Configuration Manager supports Windows and macOS devices, and Windows Servers. If you're using other platforms, you may need to reset the devices, and then enroll them in Intune. Once enrolled, they'll receive the policies and profiles you create.

Can Windows 10 home enroll in Intune?

You will enroll in a personal device configured with your email id. Intune, Azure AD subscription, setup, and configuration should be completed. The user might need administrator access to enroll the Windows 10 device into Intune.