
Monday, May 9, 2022

Provide the end-users with a localized Windows 365 Cloud PC experience


 


 

Introduction

A few months back, I wrote a post about localizing a custom image for Windows 365 Cloud PCs. Back then, the Windows 365 Cloud PCs were only provisioned in English (United States). - Microsoft has since then made it possible to configure the language and region directly in the provisioning policy, with support for more than 30 languages.

Some users prefer that Windows is in a language they are comfortable with to be productive. - Configuring the language and region settings in the provisioning policy will provide those users with a great experience when they see the correct language immediately at first sign-in.
 
So with that in mind, in this article, I will show you how to configure the language, region, and time zone of your Windows 365 Cloud PCs. - Let's get started!


Read about the prerequisites and requirements for Windows 365 Cloud PCs in our original blog post here - How to configure Windows 365 Enterprise in Microsoft Endpoint Manager.



Configure Language and Region

First, let's visit the Microsoft Endpoint Manager Admin center and change the language and region settings within my current provisioning policy from English (United States) to Danish (Denmark).

Go to https://endpoint.microsoft.com

Click Devices | Windows 365 | Provisioning policies   
Create a new policy or select an existing policy in the list of provisioning policies. - For this article, I chose to modify my current provisioning policy.

On the overview page, look for Configuration and click Edit.

Change the Language & Region (preview) from English (United States) to the language of your preference. For example, I chose Danish (Denmark).

Click Next.


Click Update.


From Devices | Windows 365, click the All Cloud PCs tab.

If you are provisioning a new Cloud PC, it will show in the list after approx. 20-30 minutes.
Otherwise, select an existing Cloud PC to reprovision. - For this article, I chose to reprovision an existing Cloud PC.  


Click Reprovision.
If all goes well, the Cloud PC should appear in the All Cloud PCs list after approx. 20-30 minutes.

Let's sign in to my newly reprovisioned Windows 365 Cloud PC and confirm the configuration changes.
Go to https://windows365.microsoft.com
 

From a Windows PowerShell session, we can confirm that the language and region on my Cloud PC have been configured to Danish (Denmark) and that the time zone is correct.

We can also confirm this from the Windows Settings.


The time zone redirection is enabled by default, allowing clients capable of time zone redirection to send their time zone information to the Windows 365 Cloud PCs.
 
You can go to the below path in the Registry Editor on your Windows 365 Cloud PC to confirm that time zone redirection is enabled.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
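
The same confirmation can be done in one pass from PowerShell. This is an added example, not code from the original post: the function name and the `da-DK` default (matching the Danish example) are assumptions, and `fEnableTimeZoneRedirection` is the registry value behind the Allow time zone redirection policy.

```powershell
# Added example: run inside the Cloud PC session (not part of the original post).
function Get-CloudPcLocalization {
    param([string] $ExpectedLanguage = 'da-DK')   # assumption: the Danish (Denmark) example

    $tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    # Value written by the "Allow time zone redirection" policy; absent means not configured.
    $tzr = (Get-ItemProperty -Path $tsKey -Name 'fEnableTimeZoneRedirection' `
            -ErrorAction SilentlyContinue).fEnableTimeZoneRedirection
    if ($null -eq $tzr) {
        $redirection = 'Not configured'
    } elseif ($tzr -eq 1) {
        $redirection = 'Enabled'
    } else {
        $redirection = 'Disabled'
    }

    $languages = (Get-WinUserLanguageList).LanguageTag
    [pscustomobject]@{
        UserLanguages       = $languages -join ', '
        DisplayLanguage     = (Get-UICulture).Name
        RegionalFormat      = (Get-Culture).Name
        SystemLocale        = (Get-WinSystemLocale).Name
        HomeLocation        = (Get-WinHomeLocation).HomeLocation
        TimeZone            = (Get-TimeZone).Id
        TimeZoneRedirection = $redirection
        # True only when both the language list and the regional format match.
        LanguageMatches     = ($languages -contains $ExpectedLanguage) -and
                              ((Get-Culture).Name -eq $ExpectedLanguage)
    }
}

Get-CloudPcLocalization | Format-List
```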



Success! - We now have a localized Windows 365 Cloud PC.
But wait, what if the time zone redirection is not configured on my Cloud PC by default? - If that's the case, continue reading this article.



Configure Time Zone Redirection

Is time zone redirection not configured on your Cloud PCs by default? No worries! - We can configure that with a device configuration profile or a proactive remediation script.

We have a couple of options to choose from when it comes to setting the time zone on your Windows 365 Cloud PCs:

  • Let the users change the time zone themselves. - Possible on Cloud PCs provisioned after April 18, 2022.
  • Create a Settings Catalog profile that sets the time zone.
  • Create a Settings Catalog profile that configures time zone redirection.
  • Create a Custom CSP that sets the time zone.
  • Create a Proactive Remediation script that sets the time zone.
  • Etc.

 

Tip. To get a list of available time zones, run Get-TimeZone -ListAvailable in PowerShell.


Let me show you how to configure the time zone redirection on Windows 365 Cloud PCs.
Go to https://endpoint.microsoft.com

Click Devices | Configuration profiles
Click Create profile.

Select Windows 10 and later as the platform and Settings catalog (preview) as the profile type.
Click Create.

Fill in the required Name field. Although the Description field is optional, I would recommend filling it out. - It's always a great idea to leave some breadcrumbs, so others know precisely why someone created the configuration profile.

Click Next.

Click Add settings.

In the Settings picker, search for "time zone redirection" and select the setting Allow time zone redirection in the Device and Resource Redirection category. 

Enable the setting Allow time zone redirection.
Click Next.


Choose either to assign the profile to "All devices/All users" or a group. - I chose to assign this profile to "All users", and then I've added a filter to only include Windows 365 Cloud PCs.

Click Next.

Click Next.

Review the configuration and click Create.

This configuration is all it takes to enable time zone redirection on your Windows 365 Cloud PCs.



 

Summary

In this article, you learned how to change the language and region settings of your Windows 365 Cloud PCs. In my provisioning policy, we changed the language and region settings from English (United States) to Danish (Denmark) and confirmed the results on a reprovisioned Cloud PC.

One thing worth mentioning is that, while preparing for this article, I noticed that the Windows 11 welcome screen was in English during the first sign-in, but after a reboot, it was in Danish.


That's it, folks. Happy testing!
If you have any questions regarding this topic, please feel free to reach out to us.

Monday, May 2, 2022

Migrate imported GPOs to Intune with Group Policy analytics (preview)



Introduction

In our previous blog post, where I wrote about exporting GPOs from Group Policy management on-prem using PowerShell and doing a proper cleanup with Microsoft Graph, I promised you an article about the new migration option within Group Policy analytics (preview). Using this new feature, you can create a Settings Catalog profile based on your imported GPOs and assign the profile to "All devices/All users" or your groups directly from Group Policy analytics (preview) in Intune.

Read about the prerequisites and requirements for Group Policy analytics (preview) and how to use the tool in our original blog post here - Analyze on-premises GPOs with MEM Group Policy analytics (preview).



Migrate GPOs to a Settings Catalog profile

Alright, let's assume that you have imported all of your GPOs and analyzed the result, and you know precisely which on-prem policies you will transition to Intune. What are your options, then?

Well, before the migration option became available, you would have to search for an equivalent setting in the Endpoint Security blade, Settings Catalog, Administrative Template, or create a Custom profile, which can be a very time-consuming task. So, as mentioned in the introduction, we can now migrate imported GPOs to a Settings Catalog profile and assign "All devices/All users" or a group to this profile directly from the Group Policy analytics (preview), which eases the burden a lot compared to doing it manually.

Now, let's take a closer look at this new migration option.
Go to https://endpoint.microsoft.com

Click Devices | Group Policy analytics (preview)
 
In the list of your imported GPOs, select the Migrate checkbox next to the GPO you want to include in your Settings Catalog profile.

Note. You can choose to select one GPO or multiple GPOs.

Click Migrate.

From the Settings to migrate page, you can select all settings or search and manually select the settings to transition to Intune. - I chose four random settings for this article.

Important note. As mentioned above, you can migrate multiple GPOs to the same Settings Catalog profile, but the list may include identical settings with different values! - If you choose identical settings with different values, a conflict will occur, and an error will show with the following message:

 
Conflicts are detected for the following settings: <setting name>. Select only one version with the value you prefer in order to continue.
 

Click Next.

On the Configuration page, you can review the selected settings and their values.

Click Next.
  
On the Profile info page, fill in the required Name field. Although the Description field is optional, I would recommend filling it out. - It's always a great idea to leave some breadcrumbs, so others know precisely why someone created the configuration profile.

Click Next.

Choose either to assign the profile to "All devices/All users" or a group from the Assignments page. - I chose to assign this profile to "All devices", and then I've added a filter to only include corporate devices.

Note. You do not have to configure the assignment at this point if your organization is not ready for it.

Click Next.

Please carefully review your configuration on the Review + deploy page and click Deploy.
Important note. Some settings don't migrate exactly and may use different settings or values. - Read more here

The page will redirect you to an overview of your configuration profiles in Intune, and in the Notifications area, you should see that the migration was successful. 

Select the newly created Settings Catalog profile from the overview and scroll down to the Configuration settings area. You will see the settings we chose during the profile creation. Shortly after creating and assigning the profile, the devices should start returning some data to the dashboard within the configuration profile.

 


Summary

In this article, you learned how to use the new migration option within Group Policy analytics (preview) in Microsoft Endpoint Manager. This new possibility will, without a doubt, ease the burden of migrating on-prem policies to Intune. However, it's not perfect, and you need to carefully review the settings you selected during the creation of the Settings Catalog profile.

Read more at Microsoft docs about what you need to know.

That's it, folks. Happy testing!
If you have any questions regarding this topic, please feel free to reach out to us.

Monday, April 25, 2022

Group Policy analytics (preview) made a bit easier with PowerShell


Group Policy analytics (preview) – Export linked and enabled GPOs.



Introduction

It has almost been a year since I wrote our original blog post about Group Policy analytics (preview) in Microsoft Endpoint Manager. Since then, several improvements have been added to the tool, but there are still a few areas lacking some attention, in my opinion! So, at our Modern Endpoint Management Summit 2022, I presented a live demo about how to export linked and enabled GPOs on-prem and perform a cleanup (bulk deletion) of the imported GPOs in Group Policy analytics after you have completed the analysis and transition to Intune.

Note. The Group Policy analytics migration to device configuration profile feature was not generally available at our Modern Endpoint Management Summit, so I could unfortunately not demo that feature. Instead, I will be writing a blog post about that feature soon.

Read about the prerequisites and requirements for Group Policy analytics (preview) and how to use the tool in our original blog post here - Analyze on-premises GPOs with MEM Group Policy analytics (preview).



Prerequisites and Requirements

 

  • Access to Microsoft Graph  
  • PowerShell scripts (download)


Export linked and enabled GPOs as XML files

Let's dive right into it. But first, you'll need to download the PowerShell script from my GitHub repository.

Download the GPO export script from the GitHub repository here  

Next, connect to your domain controller and copy the GPO export script to a folder (For example, C:\Temp)  
From the Start Menu, search for PowerShell ISE and select it in the list.

Open the GPO export script and fill in the following variables:

  • OURoot - Specify an Active Directory path.
  • OUName - Specify a specific OU or add * for all OUs.
  • GPOName - Optional - Use this variable to export GPOs containing a particular keyword.
  • ExportPath - Specify a path where to save the exported GPOs.


Hit F5 or click on the Run Script button.

Go to your export folder, and you should see that all the GPOs linked and enabled on a specific OU or all OUs were exported and ready for import to Group Policy analytics in Intune.
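
One way to implement an export like this, shown as an added example that is not the author's script from GitHub: it reuses the four variable names above as parameters, and the function name and the `DC=corp,DC=example` path are hypothetical. It assumes the ActiveDirectory and GroupPolicy modules are available, as they are on a domain controller.

```powershell
# Added example (not the author's GitHub script). Needs the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

function Export-LinkedEnabledGpo {
    param(
        [Parameter(Mandatory)] [string] $OURoot,      # Active Directory path to search under
        [string] $OUName  = '*',                      # a specific OU name, or * for all OUs
        [string] $GPOName = '',                       # optional keyword the GPO name must contain
        [Parameter(Mandatory)] [string] $ExportPath
    )
    New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
    $exported = @{}                                   # GPO GUID -> file, so each GPO is written once

    $ous = Get-ADOrganizationalUnit -Filter "Name -like '$OUName'" -SearchBase $OURoot -SearchScope Subtree
    foreach ($ou in $ous) {
        # GpoLinks lists only links made directly on this OU; keep the enabled ones.
        $links = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
            Where-Object { $_.Enabled -and $_.DisplayName -like "*$GPOName*" }

        foreach ($link in $links) {
            if ($exported.ContainsKey($link.GpoId)) { continue }
            $gpo = Get-GPO -Guid $link.GpoId
            # A linked GPO can still have all of its settings disabled; skip those.
            if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { continue }

            # Replace characters that are not valid in Windows file names.
            $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
            $file = Join-Path $ExportPath "$safeName.xml"
            Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file
            $exported[$link.GpoId] = $file
        }
    }
    $exported.Values                                  # paths of the XML reports written
}

# Hypothetical values; replace with your own domain path and export folder.
Export-LinkedEnabledGpo -OURoot 'DC=corp,DC=example' -ExportPath 'C:\Temp\GPOExport'
```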

I have created this small GIF to show you the entire export process.



Perform a cleanup (bulk deletion) with Microsoft Graph

Once we have completed the GPO to Intune transition, we would probably like to clean up at some point in time. As of now, the only option within the Microsoft Endpoint Manager web portal is to delete each imported GPO manually. So, I've gathered some inspiration from our amazing community (Thank you, Damien Van Robaeys) and came up with a few small script samples that will perform a bulk deletion based on a keyword or just delete everything.

Download the cleanup script from the GitHub repository here


First, let's go to https://endpoint.microsoft.com
Click Devices | Group Policy analytics (preview)

Okay, we have completed the GPO to Intune transition and now want to clean up in Microsoft Endpoint Manager. But as you can see from the below screenshot, we can only delete each imported GPO manually! That's not a big deal if it's only a few GPOs, but what if you have imported several hundred policies? Then it would turn out to be a much more cumbersome task to complete, right?


Save the cleanup script somewhere on your local device (For example, C:\Temp)
Open the script in an elevated PowerShell ISE session.

If this is your first time working with Microsoft Graph, you need to install and import the module before connecting to Microsoft Graph. - Read more about Microsoft Graph at What is Microsoft Graph.

Mark the first three lines of the script and hit F8 or click on the Run Selection button.


You will be prompted for authentication.


If the authentication is a success, you should see your UPN and Tenant ID, and we are ready to run our samples.

Mark a sample in the script. - I chose the sample that deletes every imported GPO in Group Policy analytics.
Hit F8 or click on the Run Selection button.

You can see from the PowerShell output that all three GPOs are listed.

Let's switch back to Microsoft Endpoint Manager and see if the imported GPOs have been deleted. - Success, they are all gone!

I have created this small GIF to show you the cleanup process.

 

Summary

In this article, you learned how to export GPOs from Group Policy management on-prem using PowerShell and do a proper cleanup with Microsoft Graph after you have completed your GPO to Intune transition. - That's it, folks. Happy testing!

If you have any questions regarding this topic, please feel free to reach out to us.

Friday, April 22, 2022

Microsoft Intune – Where is my filter used?

Introduction

Have you started using the awesome filters in MEM? If the answer to this question is NO, then you should get started and try them out. I did a blog post on how to get started with filters and you can read more here

 

But what if you already have an environment where you use filters?

The customers that I work with use filters and widely deploy to either “all users” or “all devices”, where filters make more granular decisions for us. It simply works great, and we cross our fingers for even more granular controls in the future.

But what if I wanted to know where my filter is used?

Currently we have no option to see that in Intune (oh yes, we do, but who wants to go to every single assignment and check?!). This is where Microsoft Graph comes to the rescue!

 


Picture source: Create filters in Microsoft Intune | Microsoft Docs

 

Requirements

  • Microsoft Intune
  • Access to Microsoft Graph

 

Find out where my filter is used

First, we go to our browser and look at David Falkus's awesome collection of scripts.

Go to raw and copy the whole thing.


 

Go to Windows PowerShell ISE and paste the code:


 

Click the run button


 

Insert your username


 

Insert your filter name:


 

From the Intune portal you can see the names: (I will try with DeviceName start with AADONLY)


 

Insert the filter name in the PowerShell window


 

Let it work and see the results:


Job done. Based on this information, we can determine the risk of changing the current filter, or whether we should create a new one and where to replace it.
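
The lookup itself comes down to matching a filter's ID against the assignment targets of each policy. The following is an added example, not David Falkus's script: the function names and the sample policies are constructed, it covers only three policy collections on the Graph beta endpoint (apps are not included), and the live path assumes the Microsoft.Graph.Authentication module with read-only consent.

```powershell
# Added example (not David Falkus's script). Read-only against Microsoft Graph.
function Find-FilterUsage {
    param([string] $FilterId, [object[]] $Policies)
    foreach ($policy in $Policies) {
        foreach ($assignment in $policy.assignments) {
            $target = $assignment.target
            if ($target.deviceAndAppManagementAssignmentFilterId -eq $FilterId) {
                [pscustomobject]@{
                    # Settings Catalog policies expose 'name'; other policy types use 'displayName'.
                    Policy     = if ($policy.displayName) { $policy.displayName } else { $policy.name }
                    FilterMode = $target.deviceAndAppManagementAssignmentFilterType   # include / exclude
                    Target     = $target.'@odata.type'
                }
            }
        }
    }
}

function Get-GraphCollection {
    param([string] $Uri)
    while ($Uri) {                                    # follow @odata.nextLink paging
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-LiveFilterUsage {                        # live lookup by filter display name
    param([string] $FilterName)
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' | Out-Null
    $base   = 'https://graph.microsoft.com/beta/deviceManagement'
    $filter = Get-GraphCollection "$base/assignmentFilters" | Where-Object { $_.displayName -eq $FilterName }
    if (-not $filter) { throw "No filter named '$FilterName'" }
    $policies = foreach ($type in 'deviceConfigurations', 'deviceCompliancePolicies', 'configurationPolicies') {
        Get-GraphCollection "$base/$($type)?`$expand=assignments"
    }
    Find-FilterUsage -FilterId $filter.id -Policies $policies
}

# Constructed sample shaped like Graph responses, so the matching logic runs offline.
$sample = @(
    @{ displayName = 'Sample-BitLocker'; assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget'
        deviceAndAppManagementAssignmentFilterId   = '00000000-0000-0000-0000-000000000001'
        deviceAndAppManagementAssignmentFilterType = 'include' } }) },
    @{ name = 'Sample-NoFilter'; assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' } }) }
)
Find-FilterUsage -FilterId '00000000-0000-0000-0000-000000000001' -Policies $sample
```

Against a tenant, call `Get-LiveFilterUsage -FilterName '<your filter name>'` instead of the sample run on the last line.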

 

Summary

Filters in Microsoft Intune are here and support more and more assignments as we move forward.

Use them where you can, and your environment speed will love you for it.

Happy filtering!