In his blog post today we will see How we can perform Autopilot for Windows 11 devices. It is applicable for any new device which is only Azure AD joined. Now, when we talk about Windows 11 we have certain pre-requisites that we need to complete first. Since I will be using a Hyper V so I have to complete these pre-reqs manually, but if you have a new physical device, you may need not do it. Just a small check is fine. Windows 11 Pre-requisites 1. Minimum Virtual processor should be more than or equal to 2. I am using 4 for my Hyper-v. 2. Memory should be more than or equal to 4 GB. I am using around 8 GB. 3. Your device should have the TPM Enabled. This is very important for Windows 11 devices. Once, we have all these above pre-reqs set, prepare your Windows 11 Hyper-v. But, before moving onto setting up Windows 11 for Autopilot, lets also make sure we have all the pre-reqs set for Windows Autopilot. Pre-requisites for Windows Autopilot. 1. Go to the Intune portal Devices > Windows > Windows Enrollment > Automatic Enrollment and make sure everything is set properly like below: 2. Let us next move on to Devices à Windows > Windows Enrollment > Windows Autopilot Deployment Program > Deployment Profiles . Make sure you have a Autopilot Deployment profile created. I have a very simple one created like below: 3. Create a Dynamic group where you would want all your apps, policies, configurations to be deployed to Autopilot Devices. I have created one with ZTD id. You can create with your own requirements, maybe with Group tag which was used during importing devices with Hardware Hash. The query I am using for the group is - (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) NOTE: Here we will be importing hardware hash online without csv so I am just trying to keep things simple. 4. The next one is optional but I would like to go with it so create one default Enrollment Status Page. Go to Devices > Windows > Windows Enrollment > Enrollment Status Page I have very simple settings for test purposes, you might want some proper standard settings in your Production environment 5. Have a User with Intune Administrator role who will help to upload the Hardware Hash and then also assign user with Intune E3/E5 license who will enroll the device to Intune. Apart from the above settings if you have any particular security apps, baselines or any configuration profiles like bitlocker and others you may want to deploy to Windows Autopilot group which we created earlier. Apart from this I think we are all set and ready now to prepare our Windows 11 Hyper-v. In this blog I am skipping all the basic steps of that you need to go through for creating a Hyper-v VM. I feel we all are aware of this and even if you are not you just need to follow the instructions. Make sure you have proper internet connection and above pre-requisites all set. So, when we boot-up and start the Hyper-v it goes through the basic steps of setting windows and we will wait until the below step completes Registering the Windows 11 to Autopilot Service Once the windows installation is completed it takes some time to setup and then we have OOBE screen in front of us When we have this screen press shift+F10(shift + fn+ f10) on Hyper-V to bring command prompt From command prompt, we will try to enter PowerShell where we will execute the commands to Import Hardware Hash to Intune. The commands which we want to run here one by one are as follows: PowerShell.exe -ExecutionPolicy Bypass Install-Script -name Get-WindowsAutopilotInfo -Force Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned Get-WindowsAutopilotInfo -Online Once you have entered the above command it will ask for your Intune Administrator ID. Please enter the same to register the device to Autopilot service. After you enter your credentials, you can see that your company logo appears in the password entry dialog box. Enter your password here. Then if your organisation has enabled MFA, approve that using Authenticator app. Then lets wait for the import to proceed and complete. When it is completed, you will find the below screen in your PowerShell. Mark the serial number of devices here: Lets cross verify it within the Intune console, go to Endpoint manager Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Windows Autopilot Devices We can see that the device is successfully registered now to Windows Autopilot. Lets now proceed with the OOBE and End-User Experience Windows 11 OOBE and End-User Experience We will have to close the command prompt now and procced with OOBE. Type Exit and hit enter until you exit the command prompt screen Select your country and Press Yes Select keyboard and the press Yes Windows will be starting to check for Updates Enter the user credentials whom you have assigned the Intune license. On the password entry dialog page you see your organization logo which proves device is now Autopilot registered. Once the above steps are done and you have clicked on Sign in device will be starting to configure You will see the Enrollment status page like below: Once these settings are completed you will notice a small green tick below each and then you will be presented with next screen for Privacy setting. Click on Next and then Accept to move ahead. Windows will check for nay updates again and then move ahead That’s it the Autopilot Process is complete now, you will be presented with Welcome message and then some time will be taken to complete the basic setup for your login. Since I have this Configuration Profile deployed for Interactive Logon Screen message for User, I was able to see this message before login. Then I tried to login using my company credentials. Note: After this I noticed that ESP page reappeared again and it was waiting for few things to be completed. What I did to fix it change this simple setting under ESP, it is by default set to Yes :- When I changed the above settings to No, Desktop was presented to me: Now, we need to verify few things lets go to Settings and check Work and School account as well as Device serial number Looks all good, lets find the device in Intune now That proves that we have successfully completed the Windows 11 Autopilot. Now what happens if something goes sideways and you need to troubleshoot. If you see something like the above screen then you need to expand it and see where exactly the autopilot failed. There could be different reasons. More things will be cleared when you click and check MDM diagnostics log. You also get a link to export these logs which will be helpful to see and find out where exactly the failure occurred. Unfortunately, I don’t have the screenshot from my end for these but I think that’s pretty easy process. Ok, so that’s all from my end this time. I Will Be Back… 😎 with some new content and new things. Cheers 🍻

Hey guys, so this post is all about my experience with Windows Package Manager and it may help you learn a bit with me. Let’s discuss little about the background and then we will see how to use this tool and how we can push applications from Intune. Microsoft has already announced that Windows store for business and education are getting retired in the first quarter of 2023. You can check it from here . Now, how we will install the apps that were available in windows store or how would you be able to push any custom apps to your endpoints. Microsoft has a comprehensive package manager solution which is Windows Package Manager or in short, a command line tool called Winget . According to Microsoft – “A package manager is a system or set of tools used to automate installing, upgrading, configuring and using software. The Winget command line tool enables users to discover, install, upgrade, remove and configure applications on Windows 10 and Windows 11 computers. This tool is the client interface to the Windows Package Manager service.” How to Install Winget By default, Winget is installed on all the Windows 10 and Windows 11 latest versions, but if you are using older versions of Windows there are 2 ways using which we can install the Winget tool. 1. Get the app from the windows app store, it is available by the name App installer and you can get it installed very easily without any issues 2. The other way to install the client is to get the installer bundle downloaded from GitHub . When the page opens, from the bottom select the tool and download. When downloaded, run the installer if Winget is old version it will update else it will perform a fresh install. NOTE: this doesn’t work on Windows 11 as it might have an updated version already. 🙂 Once winget is installed how would you verify that its installed properly, well very simple. Just open PowerShell and type winget, below screen appears: How to use Winget to install apps In the above PowerShell screen we can see that when we type winget we get many information with it, like the installed version, the commands and the parameters. Co Below are the list of commands along with its description that you can use in winget to perform any operation. Options Below are the set of option you can use with winget Supported Installer Formats The winget tool supports the below installer formats: · EXE (with Silent and SilentWithProgress flags) · INNO · NULLSOFT · MSI · APPX · MSIX · BURN · PORTABLE Now we have seen that what are the commands, supported installer formats and options that we can use with winget, let’s now try to install our first app. Let us suppose that we want to install Notepad ++ on our system. The first step to do here, we will want to search an app with the name notepad++ so in below screen, we see the search command to be used with Winget. In above screen we see that when we search for the app, a license agreement statement appears which you have to accept by typing Y for yes for the first time. After that you can see that the apps which are available with the name Notepad are shown as a list. We would now need to install the app which is at the top of list. So for that we would need to run the install command, let’s ee what happens when we run the blow command: Winget install Notepad++ Wow 😯 , it is so easy, it installed within seconds. Looks great right. We can also verify in our computer whether it installed or not. So lets go to windows start an check Well, this is all good but what happens if there are multiple apps with same name, then instead of using above command to install, use --id option, the install command changes to below: winget install --id=Notepad++.Notepad++ -e It installs the same application but with id parameter. Now, if I want to install multiple apps at a time or bulk app at a time, can I do that using winget. Off course yes, we can do that. Command for the same is provided below: winget install --id=Microsoft.Teams -e ; winget install --id=Zoom.Zoom -e ; winget install --id=SlackTechnologies.Slack -e ; winget install --id=ShareX.ShareX -e Awesome 😎 , we can install many apps together at once. What if, you want uninstall the app, very simple run the below command Winget uninstall Notepad++ We now know how to install apps, multiple apps together and uninstall apps using winget. Let’s see in the next section how we can do the same from Intune. How to install apps from Intune using winget At this moment, there is no assigned setting or configuration in Intune that you can use to deploy apps using Winget but there were few discussions to integrate Windows Package Manager with Intune. If you want to deploy or install an app using Intune create a PowerShell script and then deploy to your devices by creating a win32 app. Follow the process below: 1. Create a .ps1 file with your commandline 2. Create a win32 app with below properties 3. Lets now create a win32 app in intune 4. Go through the process to upload the .intunewin file and use the below properties for Install and Uninstall command: Install command : powershell.exe -executionpolicy bypass -windowstyle hidden .\Notepad_Install.ps1 Uninstall command : "%ProgramFiles%\Notepad++\uninstall.exe" /S Install Behavior - User Note: Install behavior should always be chosen as User for Winget apps otherwise Intune Management Extension would not know the path for desktop app installer in windows which is used by Winget to install apps. 🙂 5. Then on the Requirements tab select OS architecture and Minimum OS version. Click next 6. Then create a Detection rule for the app – 7. Next in Assignment make the app available for installation in company portal. Now, when I go to my Hyper V test machine and check the company portal app I see the Notepad++ app available for Installation. When I click on install it just installs fine with all the messages as you can see below Ok, we have learnt until now how we can use winget and how to deploy apps from Intune using winget. Let’s now see how we can troubleshoot How to troubleshoot Logs Winget by default creates logs when it is used to install any app. You can find the logs in the below path: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir When I checked the same path in my test hyper V device here's something it looked like If you want more logs or detail logs, include --verbose-logs on the command line as well. Below is the example of how to use verbose with the command line. > winget install vscode --verbose-logs > winget search -n visual --verbose-logs > winget source add -n mysource -t Microsoft.REST -a https://www.contoso.org --verbose-logs How to Build Custom packages To create and submit your own package you would first require to install wingetcreate module: Open PowerShell and execute below command Winget install wingetcreate Once the module is successfully installed lets create a custom app by running the below command Wingetcreate new It asks for an url, when you provide it, it will download and parse the same and then it will ask you few questions, follow the instruction as asked and enter all details like below: when you select Yes to submit your manifest, a GitHub login will initiate with a code. You have to enter your GitHub creds and code If every thing is good your manifest will automatically be uploaded and custom app will be created. Your PowerShell screen will provide the below message: you can see your request in GitHub So, In this blog we see how to use Winget to install apps manually as well as from Intune and then how to build our own custom packages. You guys can explore more and create your custom packages as required. It looks really great and has many capabilities if you use properly. 🤓 Hope to see Windows Package Manager integrated to Intune soon so that our job becomes more easy. OK then we are done here for this post. I will come back with new post and new experience again until then…Cheers 🍺 🍺

We know that we can integrate Microsoft Defender for Endpoint with Microsoft Intune. This is a Mobile Threat Defender solution for all your devices that you enroll to Intune. In this blog post I will just show you the process on how to configure Intune and then onboard devices into MD ATP. MD ATP is not only a good solution for Windows devices but it acts as a pretty good threat defence solution for both iOS and Android. Even Mac devices can be on-boarded into it and you can create security baselines accordingly. So, without wasting much time lets get into it. 😎 Pre-Requisites Lets first checkout the pre-requisites for this and lets see what are the different subscriptions that we need. 1. Microsoft Azure Premium P1/P2 2. Microsoft Intune (M365 E5/ EMS E5) 3. Microsoft Defender for Endpoint P2(if you want to manage endpoints from security center then please get this P2 license) If you are asking why P2 then just checkout the table below and see the offerings from Microsoft, it’s better to have more services right, yeah 😉 Make sure you have the below license, this is Trial license for my lab purposes but you get an idea now which one to select for your tenant or Prod environment. At the End when you check your license subscription the screen should look something like this. NOTE : Although instead of Developer E5 you should have M365 E5/EMS E5. Your End-user should have assigned licenses like below: Configuring MS Defender for Endpoint with Intune Now, let's checkout the process to configure MD ATP with Intune. At this stage the assumption is, that you have let your devices enroll into Intune or if you are migrating devices then at least you are in the process to enroll them with using Hybrid Azure AD or Standalone Azure AD. When you open the Intune and navigate to Endpoint Security > Microsoft Defender for Endpoint you will see something like below. There is another way to configure it but let's just stick to our process, I feel this is simple way to do it. When you are in the above screen under Configuring Microsoft Defender for Endpoint Click on point number 1 link – Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center . Also in the same page if you drag down below, you will find another link under Common shared settings – Open the Microsoft Defender Security Center . Clicking on this link will also take you to same page. When you have all the licenses assigned and configured and click on the above links it will open Microsoft Security Center for you like this. NOTE : It takes around 24 hrs to enable this Endpoints tab, also under settings once you have purchased the P2 license then it takes mentioned time to enable Endpoints tab. Next, on the right hand side scroll down and find Settings tab and click on it, the below screen appears Click on the Endpoints above, it will open the screen like below: Click on the Advanced features , then checkout the list, you have some very important features like web content filtering, Device Discovery and Microsoft Intune Connection . Enable Microsoft Intune Connection from here. You can also enable other features as per your requirement. Once you enable and click on Save Preferences, below temporary pop-up will show that your Settings are saved and that’s it you are done configuring Intune with MD ATP. Now, once you are done with above steps go back to your Intune and navigate back to Endpoint Security > Microsoft Defender for Endpoint . You will see that Connection Status is now shown as available and there would be a date to show you when it last synchronised. Under MDM Compliance Policy Settings enable each platform connection and that’s it you are now ready to onboard devices from different platform to MD ATP. On-Board Windows Devices to MD ATP When you enable this below button Windows devices start on-boarding to MD ATP automatically, but if you still face some issue then you can enable a configuration profile for Endpoint Detection and Response . Click on Create Policy on above screen. This will help you create a config profile like below:- Configure as per requirement, click Next and deploy to all Windows devices: NOTE : When you configure EDR policy after connecting Intune and Microsoft Defender for Endpoint, the policy setting Microsoft Defender for Endpoint client configuration package type has a new configuration option: Auto from connector. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an Onboard package. You can also enable this using Group Policy in Hybrid environment. Onboarding MacOS devices To onboard MacOS devices you would need to create an also configure some extensions. Follow the steps below to onboard Mac Devices. This step enables deploying Microsoft Defender for Endpoint to enrolled machines. In the Microsoft Endpoint Manager admin center, open Apps. Select By platform > macOS > Add. Choose App type=macOS, click Select. Keep default values, click Next. Add assignments, click Next. Review and Create. You can visit Apps > By platform > macOS to see it on the list of all applications. Just deploying the app may not work and you may need to also deploy different configuration profile for Extensions. You need to send Kernel Extension, Approve system Extensions and also provide Full Disk Access to MDATP. Follow the below link for more details from Microsoft. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide Onboard iOS and Android Devices In both these cases you can download MD ATP app from iOS app Store/Managed Google Playstore and configure it with Intune and then Deploy accordingly. For iOS device you will find more information in this link: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide For Android devices find the steps and more information under: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide That’s it for this time guys, hope this help you configure Intune with MD ATP and onboard your devices. See you next time, until then Cheers 🤔