maximios

In the Azure Active Directory (AzureAD) Preview portal it is possible to create dynamic groups for users and devices based on attributes. In this blog post I will show how to create a dynamic group for every Windows 10 Build that has been released at this moment.

First you need to find out what information you need in your groups.

I my case I what to create dynamics groups based on what build version there are installed on the devices I have in Azure AD. The I can assign policy, settings, applications etc. from my Microsoft Intune portal.

If I go inside my Intune management portal in Azure –>  Devices –> All Devices then I can see the OS Version number.

Now I can create some powershell commandlines to get my dynamic groups created.

First I need to run this to connect to my AzureAD

$AzureAdCred = Get-Credential
Connect-AzureAD -Credential $AzureAdCred

The I have to login with a account in AzureAD with rights to create groups.

Then I can use the Command-let New-AzureADMSGroup

New-AzureADMSGroup -Description “All Windows 10 1507 – MDM” -DisplayName “All Windows 10 1507 – MDM” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule “(device.deviceOSVersion -contains “”10.0.10240″”)” -MembershipRuleProcessingState “On”

New-AzureADMSGroup -Description “All Windows 10 1511 – MDM” -DisplayName “All Windows 10 1511 – MDM” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule “(device.deviceOSVersion -contains “”10.0.10586″”)” -MembershipRuleProcessingState “On”

New-AzureADMSGroup -Description “All Windows 10 1607 – MDM” -DisplayName “All Windows 10 1607 – MDM” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule “(device.deviceOSVersion -contains “”10.0.14393″”)” -MembershipRuleProcessingState “On”

New-AzureADMSGroup -Description “All Windows 10 1703 – MDM” -DisplayName “All Windows 10 1703 – MDM” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule “(device.deviceOSVersion -contains “”10.0.15063″”)” -MembershipRuleProcessingState “On”

The result of the powershell commands

And now we can also find the newly created groups in AzureAD ready to use.

It is possible to create and deploy Windows Installer through MDM (*.msi) with Microsoft Intune in Azure.

When managing Windows 10 as a MDM device – aka Modern Management the limitation for deploying software is for some companies an issue. But in my experience some companies can every user be under modern management and in other companies it is only a part of the workforce in the company where this is an option. The typical user that can gain from modern management is:

• Users that have a normal at the office, like salesforce, consultants.
• Users that only are using webbased application
• Users that uses published applications from RDS or Citrix.

Here I will show how to get Google Chrome to the Company Portal as a self service app.

Start https://Portal.azure.com go to the Intune blade.

Click Add

Select Line-of-business app

Click on select fil

Browse for the single MSI file you what to deploy

Click on App Information

Enter a description

Enter a publisher

Then you need to wait for the MSI file to be uploaded to Intune

And the you are ready to deploy the MSI app

If you what a icon on you app then:

Click on App information –> Select image –> browse for the app icon

After uploading the icon click Assignments

“Select groups” and the group of users you what to assign the app to

Then you what to assign the type of assignment – select Available to get it in the Company Portal

• Available
• Not applicable
• Required
• Uninstall
• Available with or without enrollment

After the Windows 10 device has run a sync against Intune – the new app is available in the Company Portal

How is the user experience for available applications

Go to the company portal

Click on the app to install

First it will have a status “Pending sync” while the MDM stack are communicating with Intune

Then it will change the status to “Downloading” and download the MSI installer – and install the application

At last the status has changed to “Installed” and the user can start the application

MDT 2013 Update 2 is released.

http://blogs.technet.com/b/msdeployment/archive/2015/12/22/mdt-2013-update-2-now-available.aspx

From TechNet blog:

MDT 2013 Update 2 is primarily a quality release; there are no new major features. The following is a summary of the significant changes in this update:

• Security- and cryptographic-related improvements:
  • Relaxed permissions on newly created deployment shares (still secure by default, but now also functional by default)
  • Creating deployment shares via Windows PowerShell adds same default permissions
  • Updated hash algorithm usage from SHA1 to SHA256
• Includes the latest Configuration Manager task sequence binaries
• Enhanced user experience for Windows 10 in-place upgrade task sequence
• Enhanced split WIM functionality
• Fixed OSDJoinAccount account usage in UDI scenario
• Fixed issues with installation of Windows 10 language packs
• Various accessibility improvements
• Monitoring correctly displays progress for all scenarios including upgrade
• Improvements to smsts.log verbosity

First you need to download the new MDT

Download MDT 2013 Update 2

Then you need to uninstall the old MDT from Control panel – Uninstall a program

Click Uninstall

Click Yes

Click Yes in the UAC dialog and let the uninstall complete

Now Install the new MDT 2013 Update 2

Use the x64 MSI

Click Next

Click “I accept the terms in the License Agreement”

Click Next

Click Next

Click Next

Click Install

Click Yes in the UAC dialog

Click Finish

Start the Deployment Workbench

Click Yes in the UAC dialog

Now you can see that the deployment share does not match the version of the new MDT 2013 Update 2

Right click and “Upgrade Deployment share”

Click Next

Click Finish

You can also do this from PowerShell:

Import-Module “C:\Program Files\Microsoft Deployment Toolkit\bin\MicrosoftDeploymentToolkit.psd1”
new-PSDrive -Name “DS002” -PSProvider “MDTProvider” -Root “d:\DeploymentPROD” -Description “MDT Deployment Share” -Force -Verbose | add-MDTPersistentDrive -Verbose

And now the deployment share are ready to use

This I a post about using a normal Ad user only member od Domain Users to Domain Join a Device doing OSD.

First create a user called CM_DJ:

Remember to set the:

“User cannot change password” and “Password never expires”

Now you are ready to Delegat control by using the Wizard in “Active Directory Users and Computers”

Start by creating a OU for your devices

Start the Delegate Control Wizard

Click Next

Click Add

Find the user you just created

Create a custom task to delegate

Select “only the following objects in the folder” – Computer objects

Select the properties as shown in the picture

Click finish

Now you can use the CM_DJ user to domain to your OU from MDT or SCCM