MDM & GP Tips Blog

The goal of IT today is to make IT processes as automated as possible so that your IT professionals that are being paid the big bucks don’t have to spend all of their time on trivial tasks such as MDM enrolling devices.  You also don’t want them answering help desk calls all day from users who are confused how to follow the steps on their own that you sent them. 

Well, as you might expect, there is another way.  You can use deep links.  Let’s say you have a new employee with his own BYOD system, and you need their new device to be MDM enrolled.  You send them a nice friendly email that say something like:

Welcome aboard.  We need you to enroll your new Windows 10 laptop.  Please click here to do so.

(Don't worry, that link won't send you to siberia or anything.)

You can check it.. that embedded hyperlink actually points to:

ms-device-enrollment:?mode=mdm

You could also put a link on your company’s portal page and inform users to click the link to enroll a new device.  Clicking this link will launch the flow equivalent to the Enroll into device management option in Windows 10, except it will do the kickoff via the browser.  Note that only Edge and Internet Explorer appear supported however for deep links during my testing. 

Your users still have to input some information. 

Buuuut... If you want to make it even easier for them, you could append their username as a parameter in the link so that it would already be filled in the Email address box.

ms-device-enrollment:?mode=mdm&[email protected]

Note that this option parameter and others are only available in Windows 10, version 1703 or later.

Of course there are more MDM solutions than just Intune.  If you are using Workspace One as your MDM, you may be required to enter a specific server name.  Once again, you can bypass the process of having your users input these specifics in manually by adding the server name parameter.

ms-devicenrollment:?mode=mdm&[email protected]&servername=https://techp-ds.awmdm.com

The result would look like this:

Note that there are other optional parameters such as ownership which denotes wheter the device is BYOD or owned by the business enterprise.  Another one is deviceidentifier which passes a unique identifier onto the device.

The point is that Deep Links is made to make it easy and comfortable for users to self enroll themselves.  Self deployment is one of the goals of cloud computing. 

Before you go about adding your first device to Intune, you have to choose your MDM authority for your tenant.  The mobile device management authority determines where you will perform mobile device management tasks.  In a domain joined network, the authority would be either Group Policy or SCCM for instance.  There are three options to configure the tenant-level MDM authority.

1. Intune MDM Authority
2. Configuration Manager MDM Authority
3. None

Intune MDM Authority used to be known as Intune Standalone.  This is a better name descriptor in that using this option, all mobile device management tasks will take place within Intune exclusively.  The second option, Configuration Manager MDM Authority was once known as Hybrid MDM.  Using this option means that devices are managed through a combination of Intune and SCCM Configuration Manager.  You should know that this hybrid ability will be depreciated as of Sept. 1, 2019.  On that date, Microsoft will stop delivering "policy, apps or security updates" to hybrid MDM users.  You can interpret this as strong encouragement by Microsoft to transition to Intune on Azure.  Really, Hybrid Intune was only meant to be a transition state for companies to begin their migrations to the cloud.

Configuring the MDM Authority for your tenant couldn’t be easier.  If you are configuring your MDM Authority for the first time, you can simply logon to the Intune administrator console.  If you are currently running in Hybrid MDM or Configuration Manager MDM Authority, you can either access the Intune administrator console or the Configuration Manager console of your SCCM server to initiate the process.  In this case, I will use the example of assigning the MDM Authority for the very first time.  Once you are logged on, simply go to Device enrollment.

Then you will see the option “Choose MDM Authority.”  Note that if you have assigned your MDM Authority already, this option will not be visible. 

Note that you can only transition from Configuration Manager MDM Authority to Intune MDM Authority and not vise versa.  Also know that while it was true at one time that you had to contact Microsoft support to change from hybrid to stand alone, that requirement is now null and void.  The entire MDM Authority selection process is self serve and simple.  Keep in mind that there may be a transition time involved when changing between the two types of authority modes.  Once the MDM Authority assignment process is complete, you can begin the process of enrolling devices.

When it comes to Mobile Device Management, it can be a little confusing keeping all the various MDM offerings straight.  For many organizations that utilize Office 365 for their email and/or other office suite applications, O365 MDM may be quite appealing due to one captivating detail…its free!  Yes, MDM for O365 is included with many Office 365 commercial subscriptions.  Free is indeed a good thing.

Free of course usually denotes some limitations and shortcomings.  This is the case with O365 MDM as it does not have near the feature rich options nor device coverability of Intune.  Intune either requires a paid subscription or can be purchased with Enterprise Mobility Suite.  Cost is one of the main differences between the two.

Mobile Device Management for Office 365 is designed for securing and managing mobile devices.  This includes such things as iPhones, iPads, Android devices, Windows Phones and tablets that are connected to Exchange Online.  You can create MDM policies to secure these devices by remotely wiping them or removing sensitive information.  This is one of the most important security management features for corporate mobile devices.  Other functions of O365 MDM include:

• Remotely wipe emails from any device
• Set up device policies like password requirements and security settings
• Ensure email and documents can only be accessed by company managed mobile devices
• Access reports and alerts concerning the jailbreaking of devices
• Review reports concerning which devices are not compliant

O365 MDM is a good fit for a company that fully utilizes domain joined services to manage their traditional workstations and laptops and need to manage and secure mobile devices as well.  For those organizations that want to go all in and manage all of their Windows 10 computer devices (including traditional PCs) using an MDM solution, Intune is the only choice between the two.  With Intune, it is possible to manage your devices without any on premise infrastructure as long as they are all Azure joined.

Another key difference is how you access each of the CSP interfaces.  O365 MDM is accessed using the Security and Compliance Center as is shown below.

Intune on the other hand is accessed through the Azure portal.

Intune has a lot more functionality than O365 MDM such as the following:

• You can integrate Intune with System Center Configuration Manager to coincidingly manage both on and off prem devices
• Supports Mac OS X as well as Linux and Unix servers
• Deploy your internal line-of-business apps and apps in stores to users
• Provide additional security for web browsing
• Implement Mobile Application Management policies for all your users

Which one is best depends on the needs of your organization. 

Microsoft puts a lot of emphasis on the education market.  In an effort to cater to the K12 educational organizations, Microsoft offers a separate product called Intune for Education.  While large metro school districts that have students numbering in the tens of thousands or more will most likely opt for the full Intune Console, Intune for Education is a very attractive alternative for private schools and public schools with a student body of less than 10,000 students. 

First off, Intune for Education is simpler.  Smaller school systems often lack high level fulltime inhouse IT staff with the knowledge base to granularly administer advanced settings for their enterprise.  Often a single staff member is assigned the duty of supporting everything.  In some cases, schools may rely on teachers themselves to manage their classroom students and devices.  This is where Intune for Education comes in.  It has a simplified management interface that is inviting and extremely user.  Task creation is wizard driven so that the user is guided through the setup process.  The interface makes use of graphical icons that make it less intimidating for teachers and non-technical staff.  Below is an example of the Express Configuration area that is designed to quickly achieve a desired task.

Simplicity does come at a cost.  Intune for Education lacks the advanced configuration functionality that the full console version boasts.  It does do a great job of the essentials however such as the basic management of users and devices (both Windows 10 and iOS), deploying mobile apps and ensuring basic security compliance.  It is a simplified Windows 10 experience, but for many schools, that is all that is needed.

Intune for Education is designed for the modern day educational organizations.  For instance, teachers can create “Take a Test” profiles.  These test profiles secure the browser during an online testing experience.  These secure testing profiles prevent students from using other computer or internet resources during a test.  Intune for Education also integrates with other Microsoft products such as School Data Sync and Minecraft Education Edition.

Screenshot originally from: https://docs.microsoft.com/en-us/education/windows/take-tests-in-windows-10

And then of course, there is cost.  Intune for Education is affordable for smaller school systems that face challenging budgets.  Currently, educational customers have two options.  The first is a “one and done” per device fee at the time of the device’s enrollment.  This license is good for the life cycle of the product.  The other option is to license it per user on an annual basis.  The good news here is that student account are free.  School administrators will have to run the numbers to decide which option is best for them.

Keep in mind that Intune for Education is for “schools” only and Microsoft does verify this.  While Intune for Education isn’t for everyone in education, it certainly makes sense for some.

Hi Team..!

As some of you know, Windows 1809 rollout was paused for upgrade problem (https://support.microsoft.com/en-us/help/4464619/windows-10-update-history).

But I got a copy before it got yanked. When I did some tests.. in upgrading from Windows 1803 to 1809 on  some machines ,

I found this interesting "Blue Screen" which.. you should NOT FREAK OUT ABOUT.

The good news is that this only occurs ONE time per machine, on the first attempted login. Then.. never again.

Maybe again the next time Windows is upgraded... maybe maybe you'll see it again.. but ... maybe not.

 Anyway: If you get people reporting this.. you can cheerfully just say "Got it" and then.. don't worry about it.

It's the one blue screen.. NOT to freak out about.

My friend Thorbjorn Sjovold from SpecopSoftware explains also how this can occur:

https://specopssoft.com/blog/things-work-group-policy-processing/ 

Another great read !

Also, and totally unrelated.. I'm doing a live webinar with my friends at NetWrix.. 

What: Group Policy Changes - What You Don’t Know Can Hurt You"
When: October 25 at 1.00 PM EST.
Who: You. Me. Them.
Where: https://www.netwrix.com/webinars.html?webinar_id=516&utm_source=webinars&utm_medium=jeremy-moskowitz&utm_campaign=gpanswers-link-upcoming-group-policy-changes
Anything else? : Not that I can think of.

Great? So what are you waiting for? Sign up and see you there.

See ya soon.

-Jeremy Moskowitz
 

Team:

Microsoft just pre-announced a bunch of interesting new policies for a future version of Windows. 

https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies 

And, the latest ADMX items, which fix a small problem I mentioned several weeks back... is now available:

https://www.microsoft.com/en-us/download/details.aspx?id=56880

Go forth and go policy my friends !

This isn’t my story: This is me sharing THEIR story. In this story, I (Jeremy) am only the narrator. ?

While at a conference, I met two new friends (who already knew one of my friends). A bunch of awesome Danish gents who said to me.. “Hey Mr. Group Policy Guru.. maybe you know… we have a problem when Group Policy updates, some of our applications flicker! And our users are going crazy !”

The guys were: Roland Jørgensen (twitter: @mindlessdk) and Jonas Weinreich (twitter: @weinedk) (both at the conference), and Claus Wordenskjold (twitter: @CWordenskjold) (my original friend, who was NOT at the conference.)

Now I had heard of this issue from time to time. But to set the stage, in fact, a little flicker during foreground and GPudpate is perfectly normal.

In fact, there’s an older web article: https://msdn.microsoft.com/en-us/library/ms812018.aspx which tells the tale..

Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress.

So, if this is expected behavior, why are my Danish pals seeing a more “profound” flicker.. enough to make users call the help desk and start to get pretty annoyed?

You can find others’ with flicker issues if you Goog, I mean.. Bing for it.

1. For instance, here’s a resolution with GPupdate flicker + Cortana: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook-mso_win10/the-calendar-in-outlook-2016-is-blinkingflickering/07c3ca0f-4b38-4ad9-857e-f7d486d6e9b1
2. Here’s a chat about Group Policy updates making Dynamics flicker: https://community.spiceworks.com/topic/1539867-group-policy-refresh-causing-dynamics-gp-forms-to-flicker-on-windows-10
3. Here’s a patch which fixed Outlook To-Do bar flashing with GPupdate: https://www.policypak.com/knowledge-base/general-on-prem-troubleshooting/how-can-i-fix-outlook-to-do-bar-flashing-when-gp-or-policypak-does-a-background-refresh.html

So, yes, I (Jeremy) had heard of it.

I told them I would poke around, and they would too, and we’d meet up. But they found an answer.. and that’s this story.

Problem Statement

So after a little investigation, the team made a problem statement:

1. When the computer ran a gpupdate, some applications would flicker.
   •  Outlook 2016 started flickering, and switching back and forth, going to not responding and blank pages and return to normal.
   • Navision 2009 R2 client flickered and the formular which the user was working in would be reset.
2. We experienced the issue on both virtual and physical computers, and in a variety of different OS from Windows 8.1 to Windows 10 1607, 1703 and 1709.
3. The issue occurs every time a new setting is set a GPO. Thereby it happened every time a policy with a Group Policy Preferences item was run. All of our drive and printer mapping is set in GPO.

To get started to pare it down, they did what I always recommend…

GO NAKED.

By which I mean.. have a computer that is “born fresh”, has all the latest patches, and few applications as possible… JUST FOR TESTING.

This aspect is critical, because you can eliminate SO MUCH from your testing by paring it down and stripping the computer / OS to as basic as you can get.

Then.. BUILD UP you machine.. and find WHEN the problem STARTS.

And.. with this technique, they were able to start with a “pretty naked” machine, as soon as Group Policy applied, and Group Policy Preferences were re-applying, the “mega flicker” issue occurred.

Next step: Event Logs

My Danish friends got different reports and different applications flickering. But for them, it was Outlook that was driving them crazy, and flickering all the time.

So… with Group Policy, the best place to START troubleshooting would be.. the event log ! On the first computer they checked, they saw GPOs being refreshed every minute.

Then, some time later, it started to refresh every 5 seconds!

Crazy!

Log Name:       System

Source:         Microsoft-Windows-GroupPolicy

Date:          16-05-2018 16:25:39

Event ID:      1502

Task Category: None

Level:         Information

Keywords:     

User:          SYSTEM

Computer:      L-TEST-T480S.internal.org

Description:

The Group Policy settings for the computer were processed successfully. New settings from 8 Group Policy objects were detected and applied.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1502</EventID>

    <Version>0</Version>

    <Level>4</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2018-05-21T01:17:12.416286700Z" />

    <EventRecordID>14030</EventRecordID>

    <Correlation ActivityID="{14E5F0E1-F113-47CD-B4F2-D7A2A362F1F4}" />

    <Execution ProcessID="6120" ThreadID="12080" />

    <Channel>System</Channel>

    <Computer>L-TEST-T480S.internal.org</Computer>

    <Security UserID="S-1-5-18" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">1</Data>

    <Data Name="SupportInfo2">4201</Data>

    <Data Name="ProcessingMode">0</Data>

    <Data Name="ProcessingTimeInMilliseconds">9953</Data>

    <Data Name="DCName">\\ADSERVER.internal.org</Data>

    <Data Name="NumberOfGroupPolicyObjects">15</Data>

  </EventData>

</Event>

The Discovery… It wasn’t Group Policy at all.

So the team started to kill process after process looking for a solution.

And this is where Claus Wordenskjold found the process that made the problem stop.

When killing ccmexec (SCCM) process, the issue stopped.

The team proved that it was ccmexec causing the issue, which can be seen in the picture below. You should see four parts.. numbered 1 -4 with four little stories:

1. SCCM runs without GPO's applied
   • Gpupdate runs every 10th second
2. SCCM service is disabled and no GPO’s are applied
   • Gpupdate runs as per standard configuration
3. SCCM service is disabled and all GPO’s are applied
   • Gpupdate runs as per standard configuration
4. SCCM service is enabled and all GPO’s are applied
   • Gpupdate runs every 10th second

The key thing to look for in each of these stories is the number of 1502 events which expresses the attempt to perform computer-side Group Policy updates.  When SCCM was disabled, the 1502 events were normal and not “out of control.”

Event log KEY:

• Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.
• Event 1501: The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.
• Event 1502: The Group Policy settings for the computer were processed successfully. New settings from X Group Policy objects were detected and applied.

So, in summary: the real issue was not gpupdate or the Group Policy engine. Gpupdate is working exactly as expected.

Solution

So, if killing SCCM processes made Group Policy “happier”, the Danish team needed to dig deeper.

Now, SCCM has a massive amount of logs, so this took a while.

After searching and searching, they discovered a lot of activity in wuahandler.log.

The errors discovered were identical as what is described here:

http://eskonr.com/2014/02/configmgr-onsearchcomplete-failed-to-end-search-job-error-0x80244022-wuahandler-log/ 

And….

As described in the article, the application pool "WsusPool" in the IIS server on our SCCM distribution point (DP) was stopped. Once it was started it, all of the computers did not refresh every 10th second anymore.

All refreshes returned to normal GPO update behavior.

Conclusion 

The programs are still flickering when GPO’s are refreshed, but this is expected and has has always happened.

The problem became obvious and noticeable to end users because GPO refresh happened every 10th second.

People started to notice.

It got weird.

So, why does the failure of an SCCM service make Group Policy “flip out?”

We’re not sure why.

The theory is that the when the SCCM agent cannot see its DP it will try to find a new one. For instance, if a computer moves from one branch office to another, then it might not be able to reach its former DP.

And, the information on where to find the DP is supplied in a GPO targeted the computer.

Thus we think the SCCM agent will trigger it’s own GPupdate, attempting to update only the computer policy. However, we do not have prove of that theory. But that’s what we think is going on.

If you have anything to share, on this interesting case, then just email me (Jeremy) and I’ll compile the best responses and tack them onto the end of the article.

Hope this helps you out.. and happy Group Policy + SCCM co-existence. ?

In my GP training classes, I go into DEEP DIVE DETAILS on how to set up and manage LAPS.. which is a local admin password rotation system. If you've taken the class, here's a great ADD-ON to tell you about overall LAPS health. Nice !

https://blogs.technet.microsoft.com/askpfeplat/2018/06/04/how-healthy-is-your-laps-environment/ 

And, unrelated, I also found this little nugget.. a more bad-a$$ password filter for Active Directory. 

And now.. the plugs. :)
Come to my next GP & MDM training class

Seattle (Tacoma) .. Aug 7 ,8 and 9 (three days).. 
$2250.. includes Awesomesauce.
www.gpanswers.com/live-class 
See you there, mates.

Some people, like my friend Brian I. (that’s “Brian I.”, not “Brian and I”)… discovered that upon UPDATING you existing Central Store with latest 1803 ADMX/ ADMLs.. You could get bitten.

The problem appears that the (current 1803) ADMX files are missing .. well.. and ADMX. That is, for every ADMX there should be a corresponding ADML file for each language.

And one ADMX file.. didn’t make it into the 1803 ADMX download: SearchOCR.admx.

So what’s happening is, that:

1. Some old (totally fine) ADMX version is there in your central store.
2. You leave that in place; and update/ overwrite the SearchOCR.ADML.
3. Now.. the OLD SearchOCR.ADML kind of “loses its mind” because he’s paired up with (essentially) the wrong SearchOCR.ADMX.

And.. Bingo. You’ve got an error message every time you open the GP editor.

Screenshot: https://i.imgur.com/EksFBMH.png

There are a few ways to solve this.. (now, note I could not reproduce the problem, but I think I’ve got a strong handle on what would solve it.)

1. JUST WAIT. I dont know DIRECTLY.. but I bet this gets fixed in some minor Admx update from Microsoft.

2. Delete the SearchOCR.ADMX and SearchOCR.ADML in the central store (for now.). This is a little tricky because you cannot know if you’re using these policies or not. But even if you *ARE*, the data in any GPOs which use(d) this ADMX are still valid. Just the definitions are now “gone” if you try this. Then when Microsoft repairs this problem, you can put these files (just these) back in.

3. Hand-edit the SearchOCR.ADMX file you *HAVE* to make SearchOCR.ADMX **NOT** lose its mind and properly marry up withthe SearchOCR.ADML.

Nice step by step details are found here… (so I dont need to go over it.)

https://social.technet.microsoft.com/Forums/windowsserver/en-US/cb97affb-9724-457b-a113-32cbd3d53331/searchocradmx-error-after-installing-win101803-admx-templates?forum=winserverGP

That’s it. Hope this gets you BACK on the road if you’re bitten by the 1803ADMX item.

Quick update, my friend Alan Burchill from GroupPolicy.Biz has this nice breakdown of the problem too. Click here for more.

(Another update): Official MS article about this published: https://support.microsoft.com/en-us/help/4292332/error-when-you-open-gpedit-msc-in-windows