Enterprise in the cloud

Rudy Ooms wrote a nice blog post on block pre-provisioning of devices with an outdated OS version using the default device restriction.  Windows Autopilot: Bypassing the Platform Enrollment Restriction But what if you cannot change that policy as other services still need to enroll Windows 10 22H2 devices? In our case there is another team managing Teams Rooms Systems in the same tenant. My colleague Lukasz Herod built a solution based on a separate ESP, an application and a device filter after we had a brainstorming session on this a few weeks ago. As of this week we implemented it in production. This is what we have built. The Device filter We started by creating a device filter to filter on Windows 10 (all versions) and Windows 11 21H1 like below: Rule syntax: (device.osVersion -startsWith "10.0.1") or (device.osVersion -startsWith "10.0.22000") The Application Next we created an application using the PowerShell App Deployment Toolkit (PSADK). The code part itsel...

Finally the long awaited (multi) Device query (MDQ) arrived by the end of February. Time to have a look at it again, as we already have tested it during the private preview. The PG already did a lot of work based on the feedback of the participants, but one thing I directly notice and miss is the ability to export data or to be able to use it outside the query area in some other form. And thing of course, is the 50000 limit of the query, which for bigger companies will be an issue.  Since I use our Log Analytics data on a daily basis, I am curious about MDQ.   So, let’s look at some testing I did over the last 3 weeks.  Device entity A good thing to know, were I ran it to, is  the fact the Device entity is a linked object and implicitly part of all other entities. So, there is no need to join, and when you do, you will get a syntax error. So, this query, which looks to be a valid query, will give a syntax error! But, the funny enough you can do the join the othe...

   Back in the days when we had SCCM, we could easily setup phased deployments. In a cloud native world these controls are missing, but  we can create phased deployments based (dynamic) groups.  In this blog post I will show you how to set it up and use it. Groups First of we need to create groups that contains the devices for each phase. You can of course fill those groups manually, but in larger environments Dynamic Groups will be a better option. We will use the first character of the DeviceId in our dynamic query to select the devices per group.  Keep in mind that the DeviceId is containing hexadecimal characters, so that means 16 options (0 till F) per character. How big you want to make the groups is up to you, but I have chosen for a group for each first character, so 16 groups. With 16 group you have around 6.25% of your devices per group. Of course this is a bit depending on the size of the environment, for 60K+ clients environment the distribution look...

  Why are we using Autopilot group tag? Do we need group tags?  Two valid questions which I will discuss in this blog post. So, why do we use group tags? The short answer, to add the device to the correct group! The long answer As we are in over 40 countries and might even have multiple entities in those countries, we have around 90 legal entities with their own local support teams, and so we need to be able to distinguish the devices per entity. Next, we have different device types for different use cases, we call them worker types. We currently have the standard device, engineering device, shared device, virtual device and kiosk device. User can have multiple devices which have different worker types. So, that is the second requirement. Other requirements are to separate laptops, desktops and virtual devices. And yes, we could use filters instead, but they were not available 4 years ago. And finally, the need to mark devices as pre-production and to be able to see which glob...

Recently I was asked again; “Why do you pre-provision devices?” I, or actually we, got that question several times last year. Also, in conversations with Microsoft this question pops up regularly. So, why do we pre-provision (aka. White Glove) devices? There are two main reasons to do this: Security Employee Experience And in addition, of course, the costs. Security Looking at security, by pre-provisioning devices we make sure we block things like Shift-F10, the Recovery Command prompt, etc. and to have the security policies applied before we hand the device over to the employee. Employee Experience Pre-provisioning devices will limit the time the employee needs to enroll the device to around 15 mins, with all applications installed on the device when the employee gets the desktop. As part of the pre-provisioning process, we make sure: The drivers and firmware are updated to the latest version before pre-provisioning. All core applications are installed as part of pre-provisioning....

My goal for this year is to share my experiences in moving the workplaces of our enterprise to the cloud with a broader audience. I will create a series of blogs on different topics this year. But let’s start with an introduction as this is my first blog ever. I am currently employed by ING, the largest Dutch Bank with around 60.000 employees and offices in over 40 countries worldwide. I have been working for ING for 8 years (of which 4 as external). Before I joined ING I was, this century, employed by Wortell, Siemens (Atos) and the Ceasar Group, as either Technical Specialist or (Technical) Project Manager. Mainly working on infrastructure and workplace projects. My career in IT started over 3 decades ago as an IT engineer at a small company building and selling personal computers, where I did everything from purchase to support. Back then I did beta testing of Microsoft DOS 4.01, but also installed Novell and Banyan Vines networks. In the years that followed I got certified as an IT...