Friday, 24 April 2020

Win32 app lifecycle for Intune.

Microsoft's documentation on the format and deployment of Windows apps (Win32) within InTune is pretty comprehensive and is well supported by a number of technical blogs which take you through the packaging and the InTune Management Extension (IME) workflow.

What is less well explained is what happens next.

Your V1 app has been marked as Required and deployed successfully but now the vendor has released V2. How do you get V2 onto the desktop?

The new V2 app clearly requires repackaging to create an updated .intunewin payload and logic would suggest that if the V2 package replaces the old V1 version in the original InTune app definition the change will roll out to the desktops - but it doesn’t.

As far as InTune is concerned the V1 app is marked as installed for the device or the user. Simply uploading an updated .intunewin file doesn’t change that fact. The only way to break the logjam is to convince InTune that the app isn’t installed anymore, which forces a re-install and a subsequent upgrade.

The Win32 object has a number of ways to detect if an app is installed. Again these are well documented in other technical blogs but in summary it involves checking for files, folders or registry entries or a combination of all three. This works for the initial deployment because it’s a fair bet that if the startup executable can’t be found in the install path it’s probably not installed. However for an upgrade this approach cannot be relied on. Unless the process creates a new file / folder or updates a registry entry that you can check for, the logic will always return ‘installed’ and assume there is nothing to do.

Even if you can update the original app object and identify a feature to test for, you are not going to get much feedback on how the upgrade is progressing. The best that you can hope for is a report that tells you that 100 instances are installed and, at any time 100 instances are still installed. There’s no feedback on the roll-out process because the app only reports if it’s installed - which it is in all circumstances.

For this reason, best practice suggests creating a new Win32 object for each app version and retiring the old version by removing the assigned group or changing the status from Required to Available. This makes things nice and clean and gives you a good idea of how things are progressing but doesn’t solve the problem of triggering the install process in the first place.

Fortunately the Win32 object gives you the option of running a script instead of looking for files and folders which allows you to check the version of the application using the script below.

# Detection rule script: read the file version of the installed executable and compare it
# with the version shipped by the new package.
$ver = (Get-Command "<< Path to the app.exe >>" -ErrorAction SilentlyContinue).FileVersionInfo.FileVersion
# Write to STDOUT only when the expected version is present; exit code 0 with an empty
# STDOUT tells InTune the app is not installed.
if ($ver -eq "<< Version Number to Test For >>")
{
    Write-Host "Updated Version Installed"
}

The script must return zero in the exit code and write to STDOUT to signal that the application has been detected.

https://www.petervanderwoude.nl/post/working-with-custom-detection-rules-for-win32-apps/

This will force the update onto V1 machines and since the check is also run at the end of the process it’s a surefire way of ensuring the update has been a success.
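As an added example that is not part of the original post, the script below is a fuller version of the same detection rule: it treats a missing executable as "not installed", parses the FileVersion string into a [version] object so that any build at or above the V2 version counts as detected (a plain string compare would also treat 2.10 as lower than 2.9), and keeps the exit-0-plus-STDOUT contract described above. The install path and the version number are placeholders to be replaced with your own values.

```powershell
# Added example, not from the original post: version-aware Win32 detection script for Intune.
# Placeholder values; replace with the real install path and the build number of the V2 package.
$AppPath        = 'C:\Program Files\ExampleVendor\app.exe'
$MinimumVersion = [version]'2.0.0.0'

# A missing executable means "not installed": exit 0 with nothing written to STDOUT.
if (-not (Test-Path -LiteralPath $AppPath)) {
    exit 0
}

# FileVersion is a free-form string and may carry a suffix such as " (build 1234)",
# so keep only the leading dotted number before converting it.
$raw = (Get-Item -LiteralPath $AppPath).VersionInfo.FileVersion
if ($raw -notmatch '^\d+(\.\d+){1,3}') {
    # Unparseable or empty version: treat as not installed so the upgrade is triggered.
    exit 0
}
$installed = [version]$Matches[0]

# Compare as [version] objects, not strings, so 2.10.0.0 is correctly newer than 2.9.0.0.
if ($installed -ge $MinimumVersion) {
    # Anything on STDOUT plus exit code 0 signals "detected" to the IME.
    Write-Output "Detected $AppPath version $installed (minimum $MinimumVersion)"
    exit 0
}

# Older than V2: stay silent so Intune treats the app as not installed and re-runs the install.
exit 0
```

Because the same rule runs again after the install command completes, a V2 package that ships a lower file version than $MinimumVersion will be reported as a failed install, so take the number from the packaged executable rather than the vendor's marketing version.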

Once you start scripting you can embed any logic you like but it’s best to keep it simple because once the code has been uploaded to the Azure store there’s currently no method within the GUI to recover the script or even view its contents, so this process has to be manually documented.

Clearly this is not an ideal situation and it’s likely that Microsoft has a roadmap to make this process easier, possibly by involving a version label or something similar. In the meantime it's worth giving some thought to how you intend to maintain Win32 apps before the initial install goes out.

Monday, 20 April 2020

Take a train ride to Azure.

For a while now Microsoft has been signalling its intention to move towards role-based training in an attempt to test real-world problem solving skills rather than the simple accumulation of facts around a specific platform or technology. This reorganization has resulted in the wholesale retirement of the old MCSx accreditation tracks which have formed the cornerstone of Microsoft training since Windows Server 3.5 launched in 1994.

The original announcement fixed the retirement date on June 30, 2020. In response to the current situation this has been extended to January 31, 2021 but this still places the cut-off within a nine month period. Any exam passed prior to the retirement date will stand for one year after the exam is retired but after that all current MCSx credentials will be stamped as inactive. From that point it’s over to the new role-based certification tracks.

Microsoft is well known for updating the training programs at regular intervals. Any network admin attempting to keep their CV up to date will know it’s pretty much a full time job so why is this change any different?


Well it’s down to the number of exams being retired and the wholesale shift to cloud technologies.

Consider this simple fact: there is no longer an exam that explicitly tests for proficiency in Windows Server 2019 administration.

The official line is that “Windows Server 2019 content will be included in role-based certifications on an as-needed basis for certain job roles in Azure”.

The Windows Server admin exams were the cornerstone of the old MCSE but now they don’t even exist. As far as Microsoft is concerned Windows Server knowledge is still important but only as it applies to Azure cloud services.

Looking for the update to the SQL Server admin exam? Much the same I’m afraid, because you really should be using Azure SQL Database as a PaaS.

The new Microsoft accreditation tracks are wholly and unashamedly focused on Azure and the associated cloud services such as Modern Management and Desktop Analytics. On-premises is part of that but only as far as it supports Azure.

This change will feed into the partner channels who will need to rapidly re-skill before the cut-off date so it might be a good time to invest in training companies or get that training budget signed off.

For the traditional Microsoft IT administrator who expects to be cramming facts about Windows Server 2019 installation procedures, scaling limitations and hardware requirements it’s all going to look a little strange but the plan to sit tight and wait for the cloud to blow over is no longer an option.

There’s a general rule that if you want to get an insight into the future direction of any tech company, check out its training program.

Monday, 13 April 2020

Goodbye Office A1, hello Microsoft E3.

Why schools should expect to move away from free MS licencing.

There’s little doubt that one of the attractions of the Office 365 for Education A1 (O365 A1) licence is the price.

For no cost at all schools receive hosted mailboxes, a generous amount of cloud storage, office web apps and a user directory for an unlimited number of users that supports Single Sign On.

So with the ever increasing facilities offered by Office 365 it might seem like a plan to ditch the servers and the local licensing, operate entirely from the cloud and pay Microsoft nothing at all. Unfortunately as schools and businesses start to understand the requirements of Microsoft's Modern Management strategy that idea is a non-starter for a number of reasons.

Windows 10.
Without onsite servers schools will be relying on Microsoft InTune for device management and that requires a licence that’s not covered by O365 A1. It’s quite possible to register devices with Azure AD without incurring a licence and this gives you a certain amount of control around device security, but this is best suited to BYOD deployments. It’s also possible to join Windows 10 devices to Azure AD in a similar way to adding a device to an on-premises Active Directory, but this is not a full management package. Without enrolment into InTune you have no control over the way users access and share information and, more importantly, you are unable to deploy and authenticate applications.

Therefore licensing in a serverless solution will need at least Office 365 A1 + InTune for each user.

Azure AD.
The cloud directory service that you get bundled with O365 A1 is the Office365 Apps version which was previously called Basic. As the name suggests a few key features are missing from this package and one of the most important is auto-enrolment. This allows users to use a school account to join devices to Azure Active Directory while automatically enrolling into InTune.

Combining auto-enrolment with Autopilot, it’s possible to ship devices directly to the user from the supplier and be assured that the device will exit the OOBE with a secure work profile and an approved application set installed.

Auto-enrolment is closely related to Dynamic Groups, which is another capability missing from the Office365 Apps version. Dynamic Groups allows a user or device security group to be defined on the basis of a user property. Because groups are the primary method of controlling the allocation of policy and access rights (Azure AD does not use an OU structure like on-premises AD), dynamic groups are pretty much essential in an environment where users, not admins, are adding devices to the directory.

Going forward you are also going to need Conditional Access, the ability to manage access to data and systems based on user groups, locations, device platform and client application. Another key requirement is Enterprise State Roaming, which performs a similar function to roaming profiles, providing users with a unified experience across their Windows devices.

Basically the Office 365 Apps version of Azure AD doesn't meet the requirements of a Windows 10 deployment, which means an upgrade to Azure AD Premium P1 as a minimum.

So you now need Office 365 A1 + InTune + Azure AD Premium P1.

Microsoft Office.
To activate and manage the Office desktop apps deployed through Microsoft Intune you need an Office 365 ProPlus licence allocated to each user. So long as the user holds a licence the apps can be installed on multiple devices including Macs, iOS and Android platforms.

If you are keeping track the list now reads Office 365 A1 + InTune + Azure AD Premium P1 + Office Pro Plus.

Azure Information Protection.
For most schools and businesses Azure Information Protection (AIP) is probably seen as a nice-to-have or even more likely, a complete unknown.

AIP helps an organisation to classify and protect its documents and emails by applying labels. Labels can be applied automatically by administrators and are then used to drive rules and conditions that control how that data might be shared and used within an organization and, importantly, external to the workplace. Once you adopt a strategy based on mobility and collaboration, the security framework provided by share permissions tied to a fixed storage location only goes so far. Both businesses and schools need to adopt a new security model based on zero trust networking and move away from the historic perimeter method, which is no longer effective.

With AIP the access permissions rest with the document itself regardless of its location and this allows far tighter control and visibility over where the sensitive data is and who can see it. As ever tighter regulation is placed on schools to demonstrate a robust data management policy, AIP will become a necessity.

Although rarely implemented in schools, the O365 A1 Education licence includes some of the data protection capabilities of the Azure Information Protection platform. This feature is referred to as Azure Information Protection for Office 365. The full package extends data protection across non-Microsoft Office file formats as well as providing manual, default and mandatory document classification, and for that you require a minimum of Azure Information Protection P1.

So now you need Office 365 A1 + InTune + Azure AD Premium P1 + Office Pro Plus + Azure Information Protection P1.

The list is starting to grow but you are unlikely to upgrade your Office 365 A1 licence by purchasing each additional element separately because Microsoft offers some licence bundles to make life easier.

The obvious one is Enterprise Mobility + Security E3. This includes Azure Active Directory Premium P1, Microsoft Intune and Azure Information Protection P1 in a single licence so it gets you most of the way but without Office Pro Plus.

Previously, the easiest way to get a Office Pro Plus licence was to simply upgrade to Office 365 E3 which was essentially an Office 365 A1 licence with larger storage allocations and the ability to install the local Office apps. Putting both Office 365 E3 and Enterprise Mobility + Security E3 together gets you what you need but there is an easier way.

In the future Microsoft expects you to purchase the Microsoft 365 E3 licence which is the union of Office 365 E3 plus Enterprise Mobility + Security E3.  In many respects this is the end game - a single user licence that delivers Microsoft as a Service as a yearly subscription.

The pressure to move to this new licensing model comes from a number of directions. First, Microsoft's strategy is now fully focused on cloud services such as Teams and Desktop Analytics. In fact any new feature on the server platform is normally prefaced by the word "hybrid" which is generally a hint that a move to the cloud is imminent. When you see this, pack your bags.

Second, education has always been dependent on the ‘student use benefit’ which grants students free use of licences if the teaching team is fully licenced. Few schools would be able to afford the licencing bill without this scheme. However only the larger licence bundles are covered in any practical way. Purchasing an individual licence for InTune or Office Pro Plus allows you to licence 15 students while the larger Microsoft 365 E3 bundle gives you 40. Trying to save money by targeting specific groups with individual licence packs will cost more in the long run because you need to cover the shortfall for students.

So what would be the cost of licencing a ‘serverless’ Microsoft school in the UK?

Let's say the annual subscription to E3 for education is £5.00 per user/month, which equates to £60 per year. Therefore a school with 70 staff will be paying £4,200 a year (£60 x 70) with the rights to licence a further 2800 student accounts (70 x 40) under a student benefit agreement.

That seems like a scandal! One minute you’re paying nothing for Microsoft cloud services and the next you’re being scalped for just over four grand a year - but that's not the whole picture.

Running Office 365 A1 with local infrastructure has a range of hidden costs once you take into account the obvious requirement for local server licences and user CALs. Servers and storage cost money to power up and cool down and represent a large initial investment that needs refreshing every five years. There’s an IT maintenance contract or internal staff costs to consider, backup hardware and software and a disaster recovery plan (maybe).

Also factor in the money used to provide end-point security such as anti-virus and drive encryption, especially once you consider support contracts and upgrades. Remember to include the annual renewal for the fashionable learning platform that promised to deliver collaborative workflow and remote learning but was never widely adopted.

In conclusion, schools pay indirectly for Office 365 A1 through the ancillary services but without having much idea of what the overall cost is. Well now you do.

In our example and using Microsoft E3 it’s just under £1.50 a year for each of the 2870 staff and student members but only if you ditch those servers and embrace the new normal.