Search This Blog

Wednesday, August 25, 2021

How to setup OneDrive using Settings Catalog

Introduction

OneDrive has gained a foothold in most companies. It makes sense to use because of the 1TB available storage (based on the right licenses) and the ability to have a sort of “Backup” for your desktop, documents, and pictures.

In a given Microsoft Intune setup it is also standard to create policies to setup known folder redirection which now changed name to PC folder backup - read more here.

When it comes to setup these policies we used to go to the “Administrative templates” which looks like the ADMX (GPO structure) we used to use in our on-prem environment. Now the good news and what this blog post is about is how to set up OneDrive settings using Settings Catalog which is the better choice for reporting.

clip_image002

 

Requirements

  • Microsoft Intune

 

Setup the most common OneDrive settings

Go to endpoint manager

Press devices and windows

clip_image004

 

Press Configuration profiles and create profile

clip_image006

 

Choose Windows 10 and later, Settings catalog (preview) and press create

clip_image008

 

Give it a name and press next

clip_image010

 

Press add settings

clip_image012

 

To be sure we get the settings for the platform we like to manage, you first filter for that.

Next write “Onedrive”

Press search

clip_image014

 

Choose setting accordingly.

You need to find out with your organization if your users are allowed to add other organizations. If not, then configure this setting. (value will be shown later in this post)

clip_image016

 

We were recently given the possibility to exclude certain file types from synchronizing to OneDrive. I like to stop synchronizing shortcut files as they fill up my desktop.

clip_image018

 

Who want to allow personal OneDrive on a company owned device? Not me, so I configure this setting as well among others (see screenshot)

clip_image020

clip_image022

 

1. I prevent OneDrive to be setup with any other tenant than my company tenant.
2. I exclude *.lnk which is link files (Shortcuts) so they do not upload and sync to my other devices.
3. I prevent OneDrive from syncing with personally owned OneDrive accounts.
4. Setup a update ring for updating OneDrive on the clients.

clip_image024

 

5. I want OneDrive to automatically move desktop, documents, and pictures to OneDrive for backup reasons. Fits better into my strategy to quickly be able to work on a new device.

6. I want to silently sign in users to the OneDrive with their Windows credentials. If you enable this setting, users who are signed in on the PC with the primary Windows account can set up the sync app without entering the credentials for the account.

7. Sync Admin report let me see OneDrive healthy status on the OneDrive Sync health center.

8. On-demand to save bandwidth in case your users has a lot data in OneDrive, then only meta data is downloaded, and finally fully downloaded once the user click on the file.

clip_image026

 

Assign the profile. I do that to all users. You might need to differentiate who get it, then use a groups or filters.

clip_image028

 

Next

clip_image030

 

Create the policy

clip_image032

 

If you head back to the Configuration Profile and click the new OneDrive policy you will immediate see the difference from Administrative templates to the settings catalog reporting.

If you click the “Per setting status”

clip_image034

 

You can see a per setting status, and it is called “Compliant” instead of the usual “Succeeded”

clip_image036

 

Summary

Using settings catalog is a great thing as we get more and more policies enabled. Does it make sense to migrate your old settings? It depends. What would you like to benefit out of it? The settings from “Administrative templates” does the job, but if you like the smooth reporting, go ahead and create those settings for OneDrive now available in the Settings Catalog.

Another cool thing is to keep an eye on your OneDrive health sync portal, to give critical information to your users, in a situation where they shift device or other scenarios where files are stuck.

OneDrive health center can be found here

image

Happy testing!

 

For more content on the health portal, see this video:

Cutting Edge Microsoft OneDrive Insight Capabilities explained - YouTube

Wednesday, August 11, 2021

Test base – test you most critical apps automatically against insider builds

image

Borrowed from Microsoft

 

Introduction

Test Base for Microsoft 365 is a validation service made for Software Vendors and System Integrators.

Why should that be interesting for you as a Configuration Manager or Intune admin?

Because most businesses does have critical applications that they like to test properly and to make sure the applications work on the next Windows feature level.

Test Base is a service in Azure that will help you test your applications against a subset of OS versions after your choice. That could be the insider of the next Windows 10 build or even Windows 11, to make sure you are all set for next version of Windows feature rollout.

In the end this will give you a good indication of how your app stack will behave, save you a lot of time and make you sleep better!


Important question: How much does it cost?

At least while in preview it is free. Customers will be charged once it go GA

clip_image002


Requirements

  • Azure Subscription


How to set it up

Browse to https://portal.azure.com/

Search for “test base” and click on “Test Base for Microsoft 365”

clip_image004


Press Create

clip_image006


Tick “I confirm I have read and acknowledged the terms of use above”

Choose your subscription

And choose “Create new” on the resource group

clip_image008


Give it a name and press ok

clip_image010


Choose Resource Group Location and create a Test Base Account Name

clip_image012


Validation passed and we can press Create

clip_image014


Test Base was deployed and ready to be used.

NOTE: Before you proceed from here you should already know what applications you would like this service to test.

Click “Go to resource”

clip_image016


Press “Upload new package” and let’s start adding details to the work we would like Test Base to go through.

clip_image018


I’ve used 7-zip in this example:

Add package name

Add package version

Choose the test type

NOTE: the Out-of-Box (OOB) test performs install, launch, closed and uninstall of your package. After the install, the service will launch and close the application 30 times before continuing to uninstall the application. Scripts will run for 80 minutes at the most.

clip_image020


OS update type I’ve selected Security updates and feature updates.

NOTE: The Security updates enables your package to be tested against Windows pre-release monthly security updates
The Feature updates enables your package to be tested against Windows pre-release bi-annual feature updates builds from the Windows Insider Program.

clip_image022


Mark the Windows builds that you like to test against

clip_image024


Select “Insider Beta Channel”

Select “Windows 10 21H1”

Press “Next”

clip_image026


Before we can proceed with this step, we need to create a ZIP file with a certain format.

TIP: There is no limited number of ZIP files you can uploade, but the size is limited to 2GB per ZIP.

clip_image028


Go to your application(s) you want Test Base to go through.

clip_image030


Inside the application folder we need certain binaries to be present.

First of all, we need the application. This is because the test base will install the product inside a virtual machine.

Second of all, we need a script that can open the applications executable for test base to open op the program.

Third of all, we need a script to close the process that the second script opens. This is because test base performs the “launch action” 30 times and then the “close action” 30 times.

And finally, we need a script to uninstall the application, to make sure the machine can be cleaned up.

clip_image032


All the scripts are very basic and does not contain error handling:

TIP: If your script exists with other than 0 the operation will fail, and the sequence stops.


Script Argument
Install.ps1 Start-Process -FilePath ".\7z1805-x64.msi" -ArgumentList "/QB ALLUSERS=1"
Open.ps1 Start-Process -FilePath "C:\Program Files\7-Zip\7zFM.exe"
Close.ps1 Stop-Process -Name "7zFM" -Force
Uninstall.ps1 Msiexec /x 7z1805-x64.msi /QB


Once the scripts have been made and saved inside the application folder - ZIP the folder.

clip_image034

clip_image036


Back to the instructions of test base

Browse for the newly created ZIP.

clip_image038


Open it

clip_image040


Uploaded successfully

Click Next

clip_image042


Insert all of the scripts that will do the jobs. If you need the virtual machine to be rebooted after the application install, tick the “Reboot after execution”

clip_image044


NOTE: The script path should be like this app/script, so when having the scripts in the root of your ZIP, then the name for the folder + the script e.g., 7-zip/install.ps1

clip_image046


Once you added all the information, click Next

clip_image048


We did not add “Functional test”, so nothing to do here

NOTE: Functional test is a more a custom test method for Software Vendors. If you need more than the Out of box test can deliver you can use this feature and describe your flow Functional testing on Test Base | Microsoft Docs


Press Review

clip_image050


Press Create

clip_image052


Now be patient. The test process will take some time. But once it completed you will be able to see the result on the “Test Summary” page

clip_image054

clip_image056


You get a lot of data that you can pull out for documentation purposes.

NOTE: you can download a video of the test process, but you cannot get access to the actual virtual machine.

clip_image058


Summary

This was Test base and how you set it up to test your most critical applications towards the newest Windows builds before security patches and feature updates apply to your production environment. I thrilled about the idea and makes me sleep better when Windows evergreen is doing its thing.

Happy testing!


Source: Test Base for M365 documentation | Microsoft Docs

Wednesday, August 4, 2021

How to configure Windows 365 Enterprise in Microsoft Endpoint Manager

logo_thumb1
Connected to my Windows 365 Cloud PC from my son's iPad
    
   

ATTENTION: Microsoft has paused their free Windows 365 trial program while they provision additional capacity!

Sign up to learn more about Windows 365


Introduction

In this blog post we'll take a first look at Windows 365 Enterprise and how to configure it in Microsoft Endpoint Manager Admin Center. Windows 365 is a cloud-based service also known as Software/Desktop as a Service (SaaS/DaaS) provided by Microsoft which delivers a personalized Windows Cloud PC experience and is accessible from anywhere, on any endpoint.

 

By default, Windows 365 Enterprise Cloud PCs are joined to your Active Directory domain, synced to Azure AD and fully managed by Microsoft Endpoint Manager. Each Cloud PC is assigned to an individual user and is their dedicated Windows device. Assigning a Cloud PC to a user is just like assigning an Exchange Online mailbox to a user. When a Windows 365 license is assigned to a user, provisioning of a new Cloud PC automatically starts and the Cloud PC is enrolled into Microsoft Endpoint Manager.

 

As mentioned, Windows 365 does require a user-based license and the license price depends on the size and performance of the Cloud PC needed - More details about Windows 365 plans and pricing

 

Source: Microsoft Docs

Prerequisites and Requirements

  • An active Azure subscription
  • Sufficient Azure subscription permissions (e.g. Subscription Owner) to grant Windows 365 each of the following:
    • A reader role on the subscription
    • Network contributor permissions on the resource group
    • A network contributor role on the virtual network (VNet)
  • A valid and working Intune and Azure AD tenant.
  • Azure virtual network (VNet) with access to an enterprise domain controller, either in Azure or on-premises and it must be able to resolve DNS entries for your Active Directory Domain Services (AD DS) environment
  • Site-to-Site VPN or Express route for connectivity to your on-premises Active Directory
  • A subnet within the virtual network (VNet) and available IP address space
  • An Active Directory user account with sufficient permissions to join the computer to your Active Directory domain
  • The Active Directory must be in sync with Azure AD to provide hybrid identity in Azure AD (AD Connect)
  • Users that are assigned Cloud PCs must have a synced identity available in both Active Directory and Azure AD
  • Supported Azure regions for Cloud PC provisioning (The virtual network (VNet) should be in a supported region)
    • US East, US East 2, US West 2, US South central, Asia Southeast, Australia East, Europe North, Europe West, UK South, Canada Central, India Central, Japan East, France Central
  • Microsoft Intune supported licenses (e.g. Microsoft 365 E3) in order to manage the devices
  • Users must have licenses for Windows, Intune, Azure AD, and Windows 365 to use their Cloud PC (e.g. Microsoft 365 E3 + Windows 365 Enterprise 4 vCPU, 16 GB, 128 GB)
  • Microsoft Endpoint Manager Admin Center for Cloud PC management
  • The new built-in Cloud PC Administrator role in MEM or one of the following permissions in Azure AD:
    • Global Administrator
    • Intune Administrator


Source: Microsoft Docs

NOTE. I will be skipping the part about Azure subscription, Azure Virtual Network (VNet), Site-to-Site VPN and Hybrid Azure AD join configuration, since I've already got these prerequisites in place for my Azure Virtual Desktop (AVD) configuration.
             
For more information about that, please take a look at the following sites.

  - How to create a Site-to-site connection in the Azure portal

  - Build in the cloud with an Azure free account

  - How to create an additional Azure subscription

  - How to configure Hybrid Azure AD join for managed domains

 


Purchase and assign Windows 365 licenses

Okay, let's get started! - The first thing we need to do is purchase a Windows 365 Enterprise license.
Go to https://admin.microsoft.com


Expand “Billing”, select “Purchase services” and click on “Windows 365”

As you can see on this page, there are 3 x Windows 365 editions available.

  • Windows 365 Business
  • Windows 365 Business (with Windows Hybrid Benefit)
  • Windows 365 Enterprise

In this blog post we will be focusing on the enterprise edition. Are you looking for a Windows 365 Business vs. Enterprise comparison? - More details about get started with Windows 365 Business


licenses_01_thumb1

Click on “Licenses”

From the licenses page you can select products to view and assign licenses (not recommended).

As you can see, I've added a “Windows 365 Enterprise 4 vCPU, 16GB, 128GB” trial license for the purpose of this blog post.
licenses_02_thumb1

Let's assign licenses the “right” way.
Go to https://endpoint.microsoft.com

Click on “Groups”, create a new user-based security group and give it a friendly group name and description (optional).
Note. We recommend using a synced user-based security group from your on-premises Active Directory.
00_thumb1

Select your newly created security group. Click on “Members” and add the users who need a Windows 365 license.
01_thumb1

Click on “Licenses” and assign your Windows 365 license to the group.
02_thumb1
 

Windows 365 Configuration

We can continue with the Windows 365 configuration, when all the prerequisites and requirements are met.

Click on “Devices” and select “Windows 365” from the “Provisioning” section in Microsoft Endpoint Manager Admin Center.
03_thumb1

On-premises network connection

First we'll need to configure a on-premises network connection, which is required so that the Cloud PCs can be created, domain joined and managed with Microsoft Endpoint Manager.

Click on the “On-premises network connection” tab and select “Create connection”
04_thumb1

On the “Network details” page, we need to give the configuration a friendly name. Next, select your Azure subscription, Resource group, Virtual network and Subnet from the drop-down menus.

Note. If you have multiple locations, we recommend that you add the region to the name (e.g. MINDCORELAB West Europe)

Click “Next”
05_thumb1

On the “AD domain” page, we need to enter the required Active Directory domain information and credentials.
Note. The “Organizational Unit” field is optional.

Click “Next”
06_thumb1

Review the information and click “Review + create”
07_thumb1

After completing the on-premises network connection configuration, a service called Watchdog runs in the background and will check your environment for all the prerequisites and requirements needed to use Windows 365 Enterprise.

Within 5-10 minutes we should be able to check the on-premises network connection status.

Click on the status.
08_thumb1

If you see any errors or warnings on the status page, I would suggest that you address those before continuing the Windows 365 configuration. I encountered a warning for "Azure AD device sync" during my first try and it turned out that I forgot to add the new Active Directory device OU for Windows 365 devices in AD Connect - Everything passed after I fixed that small issue.
09_thumb1

To review or change the on-premises network connection details, select the “Properties” tab.
10_thumb1     
 

Provisioning policy

Once the on-premises network connection is created and with all check successful passed, you can go ahead and configure the provisioning policy.

Click on “Windows 365” from the “Provisioning” section, select the “Provisioning policies” tab and then click on “Create policy”
11_thumb1

Give the policy a friendly name and a description (optional). Select your on-premises network connection and click “Next”
Note. If you have multiple locations, we recommend that you add the region to the name (e.g. MINDCORELAB West Europe)
12_thumb1

Select your image type and click “Select” - I will be using one from the PC OS image gallery.
Note. It is possible to upload and use a custom image.
13_thumb1

Select an image and click “Select”
14_thumb1

Click “Next”
15_thumb1

Select the user-based security group we created earlier and click “Next”
16_thumb1

Review the information and click “Create”
17_thumb1

You'll see the new policy in the list of provisioning policies.
18_thumb1

Provisioning of a new Cloud PC starts automatically for each user in the assigned security group.

Click on the “All cloud PCs” tab.
19_thumb1

After 20-50 minutes the Cloud PCs are ready to use and the status has changed to “Provisioned”

Whoopsie… In my eager to get started with Windows 365 I accidentally selected the wrong user (a cloud only user) DOH!
20_thumb1

At this point we should be able to see the Cloud PCs in our Active Directory, Azure AD and Intune.

Access you domain controller, open “Active Directory Users and Computers” and navigate to the OU as provided during the creation of the on-premises network connection.21_thumb1

The view from “All devices” in Azure AD.
22_thumb1

The view from “Windows devices” in Intune.
23_thumb1

Self-service purchases (Enabled by default)

Here is something to consider! - Do you want to allow your end users to make self-service purchases? If not, you should consider disable that option since it's enabled by default.

More details about Self-service purchases

PS_Self_Service_Purchases_thumb1

Results

We are finally ready to test the newly created Windows 365 Cloud PC.
Go to https://cloudpc.microsoft.com or https://myapplications.microsoft.com
37

Click “Next, Next, Next…”
24_thumb1
 

Windows 365 web portal

From within the web portal you should see your cloud PC and its configuration.
25_thumb1

If you click on the gear icon in the right corner, you will find the self-service capabilities for end users (Restart, Rename and Troubleshoot).

To start the Cloud PC from within the web portal, click on “Open in browser”
26_thumb3

Click “Allow”
27_thumb1

Enter your credentials.
28_thumb1

And we are connected - Awesome!

Note. By default the users does not have local admin rights. However, it is possible to provide local admin rights to a user-based security group through "User settings" for Windows 365 in Microsoft Endpoint Manager Admin Center.
29_thumb1

From a Command Prompt, I can confirm that the Cloud PC is hybrid joined and it can communicate with on-premises devices.
30_thumb1
31_thumb3

Let's start writing on a word document and then close the web browser.
31_thumb1    
 

Remote Desktop

From within the web portal, click on the “download icon” and download the “Microsoft Remote Desktop for Windows”
32_thumb1

Install the “Microsoft Remote Desktop for Windows” and start the “Remote Desktop” app.

Choose to subscribe with URL and you should see your Cloud PC workspace appear within a few seconds.
33_thumb1

Double-click on your Cloud PC and enter your credentials.
34_thumb1

You will immediately notice that the word document is still open and that we can continue our writing.
35_thumb1
 

Summary

That was our very first look at Windows 365 Enterprise edition!

There are many prerequisites and requirements to address before setting up Windows 365 Enterprise - Microsoft has announced that native Azure AD support will be available for Windows 365 Enterprise soon, which will simplify the process even further and at a lower cost. But once the prerequisites and requirements are met, Windows 365 was quite simple to configure and easy to use from both a web browser and remote desktop app. - That's it folks. Happy testing!

If you have any questions regarding this topic, feel free to reach out to us.