Microsoft Endpoint Manager - Intune - Conditional Access

Background

In a post a few weeks ago I discussed my process for managing languages in a Microsoft Endpoint Manager task sequence. That post went in depth on using UI++ and a custom unattend.xml file to allow a technician to select a primary language and alternate keyboard layout during OS deployment. That process requires having a Windows image that already has language packs and features on demand injected. I briefly discussed my process for creating a WIM file.

That post mentioned that I initially created a WIM file with WimWitch from Donna Ryan (@theNotoriousDRR). I would create the image, run my own script to inject the languages and features on demand, and then update the WIM using WimWitch. At that point WimWitch did not support language pack injection. Donna had mentioned that language injection support was coming – but I didn’t know when it would be available. Shortly after posting my last post she released the 1.4 beta release of WimWitch which previewed the language pack injection! WimWitch version 1.4.1 is now available. The language support is excellent!

I was originally going to write about my own script, but Donna hit this process out of the park. With each new version, WimWitch adds amazing new features that could only be designed by someone who is familiar with MEMCM, the imaging process, and has an excellent eye for detail. If you aren’t already using WimWitch, take the time to explore all of the features that are currently available – it’s a great tool and new features are being added regularly!
​

The Challenge

I was recently asked to create a simple process to change the primary language of Windows 10 during OS Deployment. Due to regional expectations we also had to be able to select a different keyboard layout based on user preferences. One of the challenges we face is that we have support personnel in different regions, but not in all offices. Our remote offices did not have a centralized imaging solution, which meant that we needed to provide a solution and streamline the process.

My goal was to provide a solution that would be easy to understand, simple to execute, and easy to maintain across different regions. My personal preference is a simple task sequence that minimizes the number of conditional steps needed to execute.

In this case I wanted to provide our technicians with a clean user interface. I wanted to avoid using DISM to inject languages during the task sequence, which in turn prevents me from having to manage additional content used in the task sequence. The task sequence should be lite-touch, prompting for basic information like site code, form factor, language settings, and additional applications.

Microsoft Endpoint Manager 1910 added support for language settings to the “Apply Windows Settings” step. This would be a great solution if you have a small number of configurations to support, but in an environment with a multitude of possibilities it could be difficult to manage. I will cover using these settings in a future blog post as I think they are an excellent addition to Configuration Manager, they just don’t meet my needs for this project.

Most of the other documentation that I found required integration of MDT with SCCM. The posts that did not use integrated MDT used some elements of MDT or other scripts to set these values. I considered that option but wanted to see if I could get by without the additional steps.
When I saw that language support had been added to the task sequence I decided to test whether or not I could set the language settings without the use of a script. This may have worked prior to version 1910, but I have not tested it. I suspect that this functionality is a direct result of the settings being added to the task sequence directly.

After looking at different possible solutions I determined that the best way to create a technician-facing UI was UI++ by Jason Sandys of ConfigMgrFTW. UI++ gives me the ability to create a simple UI that can be easily customized and ported to other locations. I can use one deployment package for all my locations and point to a different XML file based on the region.
​

It’s not you, it’s me.

I get it – you want this amazing modern workplace experience, but I’m not sure you know what you’re ACTUALLY asking for. I mean, look at our environment. It’s complex because it needs to be. The old IT manager wrote a login script, and I’ve spent a lot of time adding to it and maintaining it – and, well, to be honest … I’m not quite sure what all of it does. I just don’t want to break anything by taking it out. And our group policies? I mean, I know what the stuff I created does. I’m just not sure about everything else … and besides, do we really want to mess with our Default Domain policy? I don’t think we can tolerate that kind of risk – and have you met OUR end users? OUR users are the worst! Way worse than anywhere else I have been!
​
I could insert any number of clichés here. (The world is changing, the future is now, or any statement involving the word synergy.) We all know that business and technology are changing at an unrelenting pace. Our organizations are demanding that we provide solutions that allow them to be more mobile, more collaborative, and more flexible. We, as IT Pros, have turned around and asked our vendors for better solutions. They have, in turn, provided those solutions. 

​​Do I belong at this table?
 
At a recent event I was sitting at a table with several Microsoft team members and customers. We all had one thing in common – a love for Microsoft’s Modern Endpoint Management solutions. While I looked around the table, I started keeping score in my head. On my right were two MVPs – Matthew Hudson and Kent Agerlund. To my right was another IT Pro from a Microsoft Partner. Rion was one of the most engaging and charismatic members of the community I have had the pleasure of meeting. The rest of the table was filled with members of the Endpoint Management team at Microsoft – from engineers to project managers.
 
Everyone at the table was someone whom I looked up to. They were all very accomplished professionals. I had used their blogs and technical articles to build my own environment. A lot of doubt began to creep in. How did I get here? How do I stack up to the other people sitting at this table? Do I have anything to offer to the conversation? What perspective do I have to offer that the other people sitting here can’t give? It was immediately obvious to me that I didn’t have the breadth of experience or depth of knowledge of the other professionals I was sitting with. My credentials didn’t seem to measure up to theirs, and I began to question my experience.

I am Sean Bulger, an IT Pro working in the Modern Endpoint Management workspace. I have been working with Intune and Configuration Manager in the enterprise since 2015. I have a broad range of experience having worked in nearly every career field from plumbing to emergency medicine. I have always come back to technology, initially starting out in QA, and then moving to desktop support. I rejoined the IT field in 2014 as a help desk analyst at a large accounting firm. I was able to quickly build my skill set and moved into a workstation engineering role a year later.

modernEndpoint.com represents the next stage in my personal and professional development. I have changed companies twice in the last two years. During that time I lost touch with the pulse of the endpoint management community. I was still doing the work, but I wasn't in an environment that was mature enough to adopt many of the modern solutions that were available. Over the last three months I have had the chance to re-engage with the community. It has been reinvigorating. I have been reminded that I have something to offer.

I am starting this site as a way to engage with the Modern Endpoint Management community, share my perspective, and most importantly to learn from all of the other professionals in our field. This is an exciting time for those of us who work with Intune, Configuration Manager, and the entire Enterprise Mobility and Security suite. Our organizations are changing quickly. The role of a windows administrator has shifted. We no longer spend (as much of) our time writing logon scripts and managing group policy to lock down Windows. Our organizations now expect us to provide a stable platform that empowers users rather than limits them.

Modern Endpoint Management requires us to take a holistic look at our environments and our existing workflows. We need to adjust our paradigms to work with tech savvy users and stay ahead of rapidly emerging trends. If we fail to get ahead we will continue to fight against Shadow IT in our organizations. I believe the best way for us to do that is to become solutions providers. Through this site I hope to help provide holistic solutions that drive technology adoption.

I plan on using modernEndpoint.com as a place to share information, explore technical challenges, and foster a dialog on how best to provide users with the cutting-edge experiences they desire. Through the various blogs on this site we will explore the challenges facing all of us as we transition from a traditional solutions to a modern workplace.

I hope that my blog – managed.modernEndpoint.com – and my collaborators' blogs – Scripted and Collaborative – will provide insight and value on how to manage solutions in the modern workplace.

Thank you for visiting. Please follow us on Twitter (@managed_blog) for more updates!

Sean Bulger