It’s time for me to take on a new topic on the blog. I have been experimenting, working and blogging a lot about SCCM, Intune and Co-management, but never really touched base with Windows AutoPilot. Time is due and this will be the first in a series of posts about Windows AutoPilot and how to eventually reach Co-management with SCCM and Microsoft Intune through Windows AutoPilot.
First things first though. This post will give you everything you need to know on how to properly get started with Windows AutoPilot. Curious? Read on 🙂
A peek into my AutoPilot devices in my test tenant 🙂
In line with traditional practice on my blog, I’m kicking off my posts with an introduction – this time is no different.
The topic is something new however, and that’s even though I have been a frequent SCUG.DK attendee the past many years. I don’t dare to make a promise about making this an habit either, but I do think this event in particular deserves a written summary. So here goes my very first of it’s kind; the summary of SCUG.DK Fall Edition starring David James also known as @djammmer on Twitter.
And by the way, I’m not used to doing summaries – so please bare with me if I missed something obvious. I took notes and did a lot of pictures while tweeting live from the event, so there’s a slight chance I missed out on a thing or two. Apologies in advance.
Also, during this event there was a dedicated request to do tweets with the #MMSMOA hashtag for the chance of winning a trip to MMS 2018 Desert Edition, so if browsing Twitter for interesting Tweets, you will find some of them located on both #SCUGDK and #MMSMOA. 🙂
More good news! Microsoft Intune now provides us with an even easier way to pre-configure an e-mail account for Outlook on iOS (and android). This is done with the use of an App Configuration Policy and the additions to the configuration designer when configuring the Outlook app. Let’s walk through the process.
A peek into the Microsoft 365 device management portal
Not going to do a great introduction on this one, but I think it deserves a mention anyway (I couldn’t find the situation or error explained elsewhere). More specifically, this is about an error I encountered myself in a Co-management scenario, where the computer fails the auto enrollment into Intune MDM. Let’s dig in 🙂
Do you need a simple, but yet effective way of forcing people into updating iOS on their company enrolled Apple devices? Simply block access to company resources if iOS is not up to date. Here is how you can do that using Microsoft Intune and Conditional Access in Microsoft Azure.
Peek into Microsoft Intune and the device compliance policies
Again, continuing the Co-management and flipping the switch journey, and moving the brand new Device Configuration workload to Intune MDM. This is the latest addition to the co-management world introduced in Configuration Manager 1806 (released 2 days ago at time of writing) and it’s absolutely amazing.
This means we finally (almost) can ditch group policies altogether and do our device configurations with Intune MDM. I will give you how to and an excellent example in this post. Read on. 🙂
The highlighted configurations now also work on co-managed computers
This will be something completely different and new coming from my end. So please be aware; a lot of strong coffee is potentially needed. That be, because I usually talk about how to do something technically around Configuration Manager and MicrosoftIntune, or something technically related to those topics, and the typical reader would probably expect content in that context.
This time I’m going beyond that. “Why?” you may ask. Because I felt like giving back with a topic and content that I know that can make a difference. Not just limited to a specific technical topic, but as a whole, make a difference on how one will succeed in general with Configuration Manager and Microsoft Intune (and possibly other stuff too).
I believe in helping and promoting others, and as of such, I will give you 5 (and possibly some unique) advice on how you can improve and strengthen your SCCM and Intune knowledge. (No guarantees though, but the bullets mentioned in this post helped me a lot)
I have previously given a few examples on use cases for Conditional Access, and I admit, for the Conditional Access newbie, the options available can seem daunting. So how about a very simple scenario, where access to company resources are blocked, if not coming from a trusted IP?
Imagine service accounts running some Powershell scripts for automation in your Azure/O365 tenant or other accounts who are never meant to be used outside of your organization. Simply block those from authenticating in Azure/O365 if not coming from your headquarter public IP. This is how you can do just that, using Conditional Access.
Illustration of the conditions of a Conditional Access rule. In this scenario, location is in focus
Continuing on the Co-management and flipping the switch journey. I have previously been going through how to initially enable Co-management with Configuration Manager and Microsoft Intune, and how to move some of the Endpoint Protection workloads to Intune MDM.
This time I will walk you through how I moved the Software Updates workload from Configuration Manager to Intune MDM. Everything still based on a production environment and along the lines some additional ramblings on the topic.
Example of 2 Windows 10 update rings in Microsoft Intune
Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.
So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.
