Saturday 1 December 2018

InTune for Chromebook Admins (p1).

Enrolling Devices.

One of the advantages of deploying Chromebooks into schools is the ease of management. With no dependency on local infrastructure and a simple to use web management console, installing and configuring Chromebooks couldn’t be more straightforward.

Wouldn’t it be great if your Windows devices worked in the same way? Well with Microsoft’s new SaaS based framework maybe they can.

In this series of posts I take a look at Windows Modern Management from the point of view of the Chromebook administrator and just to make it interesting lets jumble things up a bit and assume Chromebooks are the established technology.

In this alternative reality Microsoft Windows is the new kid on the block and you have the job of incorporating this feisty newcomer into your serverless SaaS based school?  So let's take the red pill and wander around this particular wonderland just to see how far we can go.

Windows Version.
Fortunately our imaginary school has invested in a batch of Windows 10 laptops all running the 1809 feature update. You can try this trick on your IT suite running Windows 8 but I suspect you won’t get very far. After all you wouldn’t expect a set of Chromebooks running version 55 to support all the functions of admin console and Windows is no different.  So the first step is to make sure you have the latest Windows 10 release.

User Accounts.
Currently Windows devices only authenticate through a Microsoft user directory. So as much as the Chromebook admin would like to see a Google dialog logon on boot that’s not going to happen soon.

Note: Since this post was written this has become possible. Details are given here.

 For this reason all your users will need a Windows Azure account to control the access rights and licensing. This really shouldn’t be a surprise because all SaaS services work by referencing some form of local account even if authentication is managed by another party. Although you can force Chromebooks to use Azure AD as an authentication source you still have to maintain a separate Google user account to apply policy.

Web Management.
Google provides a web based management console that controls all aspects of the User and Device policy for Chromebooks. Microsoft's counterpart is the InTune for Education portal.  The first thing any G Suite administrator will notice moving into Microsoft’s wonderland is the fact that many of the  management functions are split between various web portals, all having different navigation styles and UI layouts.

The InTune for Education portal is itself a simplified ‘skin’ that rest on top of the InTune blade in the Azure console.  In this walkthrough we’ll stick with InTune for Education unless we’re forced out for some function. Right on cue the first one of these is user and licence assignment which is not managed by InTune for Education but the Office365 portal.

For the records the Windows Administrator will be spending most of the time moving between the following portals.

Office 365 - User management and Licencing
InTune for Education - General Device Management
Azure Portal - Advanced Device Management
Microsoft Store for Education - Application selection and authorization.

Licencing Chromebooks is easy. It’s a one-off device licence that’s valid for the life of the Chromebook. This simple relationship has not been lost on Microsoft and they have a direct equivalent, an InTune device licence that lasts for five years. The cost  is roughly equivalent and it gives you the ability to apply policy to the device and any organisational user account logging onto the same PC/laptop. It’s a very good deal and highly recommended.

Unfortunately that’s the end of the good news because although the device licence exists and can be purchased there’s no way of applying it to a device. It’s almost like the licence has been released to meet a marketing need before the software exists to support it. No doubt this will be fixed in time but currently the failback is to apply inTune license to individual user accounts and that’s done though the Office365 portal.

Enrolment and DEM accounts..
We now have user accounts set up in Azure and InTune licences applied to those accounts so lets start enrolling some devices. Google admins will be familiar with the fact that enrolling Chromebook out of the box is pretty easy and an small cottage industry has grown up to support the mass deployment of Chromebooks. In comparison the InTune enrolment experience takes a bit longer but on the whole is pretty slick and surprisingly straightforward.

Microsoft have a new facility called AutoPilot which we don’t cover here. It’s the equivalent of a Chromebook white-glove service working through the partner channels.

The first thing you will need is a device enrolment manager (DEM) account. Unlike G Suite where any user account can enroll a Chromebook, you need a user account with a special deployment flag set to enroll devices in bulk. Once created and with an InTune user licence applied you can enroll up to one thousand mobile devices using a single DEM account. The InTune for Education portal provides simple dialog to create and manage Azure enrolment accounts.

Once we have our DEM account created we are ready to enroll.

Power on your new Windows 10 device and move through the OOBE inputs. Set any dialogs regarding language and network access and select Set up for an organisation which is the the Windows equivalent of Ctrl -Alt-E.

Signing in using the DEM account adds the device to the Azure directory and places it under InTune management. Once rebooted you can logon using any organisational account with both device and user policies applied. Pretty simple.

Opening the InTune for Education portal you’ll see the appliance listed in the All Devices section along with some basic system information. The managed by field should read MDM.

The check in time records the last time the device took policy from Azure. A sync can be forced at any time and is a useful way of getting changes out to the devices on a short schedule. The time taken to apply a policy update can vary from seconds to a long coffee break so the ability to force a sync is a useful tool.

Opening the device record displays further information and options that would be familiar  to the the Chromebook manager.  The Retire action is the equivalent of deprovisioning in Chrome with one major difference, the licence is returned to the pool.  The admin also has the option to force a restart of the device, wipe the PC of personal data and return to factory default settings - a sort of remote Esc-Refresh-Power.

Hidden under the More button are actions to force a virus scan of the device and update Windows defender, duties that the Chromebook admin doesn't have worry about but essential tasks for the Windows admin.

The device action panel records the status and result of all active tasks.

Now we have the device enrolled we can take a look at policy management in the next post.

Next: InTune for Chromebook Admins (p2).

Also: Windows Delivery Optimisation for the G Suite admin.


  1. This article examines the limitations of formal educational training. It also sensitizes the reader on the fact that being a graduate does not guarantee a bright future. Thus, it recommends how people can improve their lives when school days are over in order to enjoy healthy and happy future. Class 6 Assignment 2021

  2. Will we become a nation where a segment of our society is forever denied education? Will we become a nation of haves and have nots? urls list by google

  3. I was looking for this. Really refreshing take on the information. Thanks a lot. rref matrix calculator

  4. Black Ops Zombies is now available… [...]Take a look here[...]… matrix calculator

  5. Great post, you have pointed out some great points , I also think this s a very excellent website. Best Instagram Captions

  6. stays on topic and states valid points. Thank you. SBCtoto

  7. I was looking for this. Really refreshing take on the information. Thanks a lot. SBCtoto

  8. SEO is the name of a broad concept that houses different techniques and tricks that work towards making a website rank higher in search engine rankings. The key ingredient that SEO uses for its implementation is content. If the content published on a website is high quality, the website would automatically gain better rankings. Professional article writing services proficient in SEO writings help make it happen more effectively.

  9. Psychological focal point, training, likability, aspect, calm yet rely on. However these are some of the items Tang Soo Use, your current Mandarin chinese style created by self defense, can show we and additionally instilling in your soul the power not only to fight you and your family about the craft the very first hazards signs in conflict altogether.

  10. I am typically to blogging and i actually recognize your content. The article has actually peaks my interest. I am going to bookmark your web site and maintain checking for brand new information. thesis help

  11. Those who have devoted themselves to essay writing know how difficult it can be sometimes to choose the correct style of expressing the thoughts. Depending on topic and the main aim of an essay it can be written in a narrative, descriptive style or, for example, a discussion. Every style demands following its own rules of composing, such as manner, vocabulary, literary devices and so on. Each of the rules seems simple at first sight, but using them all in harmony can create needed atmosphere of an essay, and as a result a reader will easily apprehend everything what the author wanted to give him... Ash Kaashh Age

  12. To analyze the basic points of the essay is the first step in essay writing. You should write down all the information that brain discovers. Political campaign

  13. To analyze the basic points of the essay is the first step in essay writing. You should write down all the information that brain discovers. Cidb