Microsoft Details Improvements to Intune, SCCM and Windows Autopilot

- By Kurt Mackie
- September 28, 2018

Microsoft's various configuration, deployment and management tools are getting a raft of improvements, as detailed by Microsoft this week at its Ignite conference.
The improvements will specifically affect the Intune mobile management service, System Center Configuration Manager (SCCM) for client devices and Windows Autopilot for new device provisioning.
Intune Improvements
On the Intune side, Microsoft is previewing a new  capability of the service to support the installation of most 32-bit  applications on Windows 10 devices. The 32-bit apps can be installed using  various file formats, such as .MSI and .MSP files, as well as Setup.exe  executable files. This 32-bit app install preview capability will support line-of-business  applications, Microsoft suggested, and will broaden options for organizations to  use Intune: 
  This  will effectively unblock organizations interested in shifting this workload to  Intune and the Cloud. The same team that perfected Windows app deployment via  Configuration Manager has now built this into Intune. This [32-bit install] feature  is currently in public preview and we expect to add significant new  capabilities over the next few months.
In the next few weeks, Microsoft plans to publish new  security baselines for Intune's mobile device management (MDM) capabilities,  which will get automatically updated from Microsoft's datacenters. This  addition will make it easier for organizations currently using Group Policy to  ensure device security compliance when shifting to Intune, Microsoft's  announcement claimed.
Intune now supports setting "scope tags for individual  policies, profiles and devices," which has been available for all Office  365 tenancies "since the 1808 release," Microsoft's announcement  noted. It's a feature for "large distributed IT departments." Here's  why an organization might use scope tags, according to the announcement:
  Scope  tags ensure that each division/ region/ department/ school/ agency/ etc. only  has visibility into their respective profiles, policies or devices. This level  of administrative control is imperative when IT departments have local  autonomy, yet are part of a larger, single tenant. Scope tags are flexible  and allow you to name each tag according to your business model and fit right  in with your existing Intune Roles.
There's a "new Intune console page for Outlook Mobile,"  according to the announcement. It lets IT pros "push specific Outlook  Mobile App configuration settings" to end users, Microsoft explained. The policy  controls concern things like syncing, Focused Inbox, MailTips and the blocking of  external images in Outlook Mobile.
Microsoft has added four enterprise management features to its  Edge browser for Android and iOS devices that are now available in public  preview when using Intune for management. A "dual-identity" feature in  the browser will let end users use work accounts and personal accounts in  separate browser sessions, and IT pros can set Intune policies for the work  accounts. Next, IT pros also can use Intune to set application protection  policies in the Edge browser, such as controlling the use of "cut, copy  and paste" actions and screen captures. In addition, access to services  and Web apps can be constrained such that end users must use the Edge browser. Lastly,  IT pros can enforce the use of "managed favorites and home page  shortcuts" for corporate Edge users.
On the Android mobile device management side, Intune is now using  Google's new Android Management API, which will broaden management capabilities.  Microsoft expects to deliver "a public preview of full device management  for Android Enterprise devices by the end of the year" using the new API. The  addition of Android Management API use in Intune will open up a complete set of  management features "for BYOD and corporate-owned deployments on Android  Enterprise," Microsoft promised.
Microsoft also is collaborating with security solution providers to add Intune support for setting conditional access policies for mobile devices. Conditional access policies typically set compliance restrictions before granting access to corporate resources. The current list of providers includes "Lookout, Zimperium, Checkpoint, Symantec, Pradeo, Better Mobile and Google Play Protect," per Microsoft's announcement.
Microsoft also is working on Android, iOS, macOS and Windows  device security by collaborating with certification authority (CA) providers. Intune  already works with CA provider Entrust Datacard, but "other partners will  be coming on board in the next few months, including Comodo CA, GlobalSign,  Digicert, CGI and Idnomic," Microsoft's announcement explained.
Configuration Manager Improvements
Microsoft's announcement had less to say about new SCCM improvements. However, SCCM is getting integrated with the new Desktop Analytics app compatibility service. Desktop Analytics is an expansion of the Windows Analytics service, but it's unclear from Microsoft's announcements when it'll be available. Microsoft describes Desktop Analytics as a tool for assessing application upgrade readiness to Windows 10 or Office 365 ProPlus.
Apparently, the Desktop Analytics integration with SCCM will  let IT pros create better pilot groups for testing upgrades. Here's how the  announcement described it:
  ConfigMgr  administrators can leverage data from Desktop Analytics in several ways,  including enablement of an intelligent pilot selection which ensures coverage  of apps, add-ins and hardware, as well as deep integration with Phased  Deployments for a data driven production rollout of task sequences, updates and  applications. 
Microsoft's announcement also clarified that SCCM will be  capable of using the smaller "quality updates" that will be rolling  out to Windows 10 and Windows Server users, possibly starting next month.  Quality updates, which arrive every month, don't deliver new operating system  features. Instead, they just deliver updates to existing OS components. 
In July, Microsoft had explained that it was doing away with the use of "delta updates" for quality update deliveries, starting on Feb. 12, 2019, in favor of using "express updates" instead. However, in August, Microsoft further clarified the matter. Microsoft actually isn't favoring the use of express updates going forward. Rather, it plans to deliver "a new design for quality updates," which will be arriving with "the next major versions of Windows 10 and Windows Server, coming later this year." The new design for these future quality updates wasn't described. However, organizations using the next major versions of Windows 10 and Windows Server will only be offered these new smaller types of quality updates, Microsoft indicated.
In contrast, users of "down-level supported versions of  Windows 10" will continue to get express updates, as well as full updates  (which are also known as the "latest cumulative updates").
Windows Autopilot Improvements
Microsoft will light up two new Windows Autopilot features with  the release of the Windows 10 October 2018 Update (version 1809), according to an  announcement. Windows 10 version 1809 is expected to arrive next month. 
One of the new Windows Autopilot features is called "hybrid  Azure AD join." It lets IT pros decide on using Azure Active Directory or  Active Directory to join new devices to a domain. Using the Azure Active  Directory option requires having Windows 10 version 1703 or greater installed  on the device, while choosing the Active Directory option requires having  Windows 10 version 1809.
The other Windows Autopilot feature is an ability to take an  existing Windows 7 device to Windows 10, while also setting it up for Windows Autopilot  provisioning. Such a device will start the Windows Autopilot deployment process  when it gets booted into Windows 10.
Microsoft also is adding a Windows Autopilot option to  completely automate the provisioning process with no user interactions, as well  as an option to reset a device remotely.
Microsoft's current OEM partners with the Windows Autopilot program  include Dell, HP, Lenovo and Toshiba, as well as Microsoft itself with its  Surface device. However, "Panasonic and Acer are coming soon,"  Microsoft's announcement noted.
Windows Autopilot is Microsoft's OEM program where new PCs can be shipped directly to end users. The end users can then carry out the new device provisioning process themselves in a kind of plug-and-play scenario.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.