MDM & GP Tips Blog

Jul 2022
19

Use Group Policy or Intune to Reclaim Disk Space with Storage Sense

Storage Sense is a disk cleanup feature found in Windows 10 and Windows 11 to free up drive space. When enabled, it serves as a silent assistant that automatically gets rid of items that you no longer need such as temporary files and items in your Recycle Bin. When enabled with its default settings it will run whenever the device is low on disk space. It can also delete neglected cloud backed content; a process referred to as Cloud Content Dehydration. This is especially valuable for users whose cloud storage far exceeds their local drives.

Using Group Policy to Manage Storage Sense

You can enable Storage Sense and configure settings using either Group Policy or Intune/MEM.  To enable it using Group Policy, create a GPO and go to Computer Configuration > Administrative Templates > System > Storage Sense and enable “Allow Storage Sense” as shown below.

Once enabled, Storage Sense will delete files from the Recycle Bin by default after 30 days. You can modify this period by enabling “Configure Storage Sense Recycle Bin cleanup threshold” and choosing any value between 0 and 365. A value of zero means that the files will never be deleted. You would do this if you wanted to enable Storage Sense but disable its Recycle Bin capabilities. The screenshot below shows the available policy settings.

Storage Sense also deletes temporary files by default, so there is no need to enable “Allow Storage Sense Temporary Files cleanup”. You do, however, need to specifically disable it if you don’t want that cleanup to run.

One folder that Storage Sense doesn’t clean up by default is the Downloads folder. All those downloads become forgotten over time and can quickly add up, especially if they include large ISO files. You can turn on this feature by enabling the “Configure Storage Storage Downloads Cleanup Threshold” and once again choosing 0 to 365 days. (BTW that isn’t a typo, the setting does repeat the word storage).

Next, let’s enable the “Configure Storage Sense Cloud Content Dehydration Threshold” setting. Here you will input the minimum number of days you want a cloud-backed file to be unopened before being deleted. I chose 90 days in the screenshot below.

Finally, there is the “Configure Storage Sense Cadence” setting. By default, Storage Sense will run whenever it detects low disk space, but you can force it to run on a scheduled cadence using this setting as shown in the screenshot below.

Intune/Endpoint Manager and Storage Sense

You can also manage Storage Sense using Intune/MEM. Create a Configuration Profile and select Windows 10 and later as the platform and Settings as the Profile type. After naming the configuration profile, do a search for Storage Sense and select Storage as the category once found. Then choose the desired settings you want to configure. The process is illustrated in the screenshot below.

Once the settings are configured, complete the wizard and assign the profile to your designated group(s). Now you won’t have to worry about forgotten files taking up space across your PC fleet.

 

 

Jun 2022
06

Microsoft Endpoint Manager Offers Built-in Settings for Google Chrome

Microsoft Endpoint Manager (Intune) has given admins the ability to manage and deliver Google Chrome settings for some time now.  Until recently however, one had to create a custom OMA-URI device configuration policy to do so, which no one considers a very fun thing to do.  For instance, if you wanted to enforce the home page in Chrome you would need to know the OMA-URI path which most people have to look up.

./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Startup/HomepageLocation

You would then configure the string value for the policy:

Data type: String

Value: <enabled/> <data id="HomepageLocation" value="https://www.mdmandgpanswers.com/"/>

Well good news, MEM now supports built in settings for Google Chrome and there are two ways to do this.  In MEM go to Devices > Configuration profiles > Create profile.  Choose “Windows 10 and later” as the platform and under profile type select either Settings catalog or Templates. 

Let’s first use the Settings catalog to set the home page.  Hit the Create button, name the profile, and click Next.  Here you need to click Add settings as shown in the screenshot below.

This takes you to the Settings picker. While built in settings are preferable to configuring OMA-URI configuration profiles, it isn’t always easy to find the setting you want. Rather than browsing through all the included settings, you should do a search to locate the settings as efficiently as possible. This is much like doing a Google search, so the more specific you are the better. For instance, you could do a search for “Chrome” and choose the Chrome Administrative Templates that users cannot override, but this would still leave you with 516 setting results as shown below.

Therefore, it’s good to know the name of the setting to find it quickly.  In the example below I searched “configure home page”.  Then I clicked on the “Home page and New Tab page” category and chose “Configure the home page URL” on the user side.

After finding the correct setting, I then configured it as shown in the screenshot below by enabling it and typing in the designated home page.  Click next and assign the profile to one or more groups and finish out the wizard to save it.

We can accomplish the same thing using the Administrative Templates option. Once again you will name the profile using the Wizard and click Next. This time let’s make it a computer side policy setting, so expand Computer Configuration > Google > Google Chrome > Startup, Home page and New Tab page > Configure the home page URL. Then enable and input the desired URL as last time. The process is shown in the example below.

There are many setting options available in the Administrative Templates.  For instance, the screenshot below shows how to enforce Google SafeSearch for users.

In another example, I have specified the minimum SSL version for Google Chrome under User Configuration as well.

While you still must know where to go to find the desired settings you want, managing Google Chrome settings is a lot easier now under MEM.

May 2022
09

How to Filter Windows 11 Machines with Intune

Unless you are an SMB, you are probably going to phase in your Windows 11 upgrade over time.  That means that you will have to manage both versions until the upgrade is complete, which might require you to manage their settings or application deployments differently.  If you are using Intune to manage your Windows machines, you can use filtering to reduce the complexity of doing so. 

You can use Intune filters to target configurations, policies, and applications to specific device attributes such as Manufacturer, Model and OS version.  In this case we will create two filters that each target a different OS version.  Using Microsoft Endpoint Manager go to Intune > Tenant administration > Filters and create a new filter and name it as shown below.

Create a rule and select osVersion as the property, StartsWith as the operator and 10.0.2 as the value which I did myself in the screenshot below.  Then finish out the wizard to complete the filter.

Now create a second filter.  There are a couple of options when creating these filters.  You could use the same approach as the previous filter and match it with the Windows 10 value.  In this example, we chose a different approach and instead used the NotEquals operator, typing in 10.0.2 as the value.  This means that any Windows version other than Windows 11 will be included in this filter.

Now that you have the filters created, you can start applying them when needed.  In the example below, I have created a configuration profile that I have assigned to a computer group.  The group is made up of both Windows 10 and Windows 11 machines.  Because I want this profile to only apply to Windows 11 machines, I will click the filter link and choose “include filtered devices in assignment” and select the Windows 11 filter I created earlier.

Finish out the wizard and the configuration profile will now only target Windows 11 devices.  Those familiar with Group Policy will note the similarity to WMI filtering.  Once you upgrade all your Windows 10 devices, simply delete its designated filter.   

 

Apr 2022
15

Managing Compliance Deadlines for Windows

Keeping your Windows devices updated is critical today, not only from a security point of view, but a productivity one as Microsoft continues to deliver new features that spawn greater user innovation.  Deploying these updates is only part of the equation when it.  A computer can download a feature update for instance, but unless the computer is rebooted, it won’t be fully installed.  Often, users will delay the rebooting process, thus prolonging the pending start status and preventing it from attaining compliance.  That’s why you must enforce compliance.  Both Group Policy and Microsoft Endpoint Manager (MEM) give admins the ability to create an enforceable compliance window to ensure that Windows update processes are fully completed.

Deadlines and Grace Periods

These compliance policies allow you to configure a deadline that defines the number of days until a device is forced to restart to ensure compliance.  You can also configure an additional grace period to give users a little extra window if needed.  Note that you are restricted to defined ranges when assigning these time windows.  For Group Policy the ranges are as follows:

  • For quality updates the deadline can be between 0 and 7 days.
  • For feature updates the deadline can be between 0 and 14 days
  • Grace periods are limited to 0 to 3 days regardless of the type of update

MEM provides longer durations to accommodate mobile devices.

  • For quality updates the deadline can be between 2 and 30 days.
  • For feature updates the deadline can be between 2 and 30 days
  • Grace periods are limited to 0 to 7 days regardless of the type of update

For quality updates, the deadline and grace period start once the update is offered to the computer.  In the case of feature updates, both start once the update has been installed and the computer reaches a pending restart state.

Configuring Compliance Policies

To enforce a compliance policy using the Group Policy Administrative Console, go to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience and choose “Specify deadlines for automatic updates and restarts.”  You can then configure the deadline and grace periods for both quality and feature updates as shown below.

Note that you have other settings available concerning the restarting process that you can assign as well.

To configure deadline and grace period durations using the Microsoft Endpoint Manager admin center, go to Devices > Create Update ring for Windows 10 and later. Turn on the Allow button to enable deadlines and then assign the deadline and grace period for each update category. Note that the deadlines and grace periods are appended to any configured deferral period. The process is shown in the screenshot below.

By enforcing update compliance for your Windows machines through GP or MDM, you can ensure that required update processes are completed, keeping your computers secure and maximizing user productivity. 

Apr 2022
04

Analyze your GPOs with Group Policy Analytics

Many organizations are choosing to use some type of MDM provider to manage their mobile devices. Some organizations are even turning to MDM for all of their client devices. If you have been relying on Group Policy to deliver configuration and security settings to your Windows devices, you should know that there is still a disparity gap between Group Policy and an MDM such as Microsoft Endpoint Manager (MEM) when it comes to setting coverage. While Microsoft has closed this gap considerably over the past couple of years, there are still a number of Group Policy settings that MEM and other MDM solutions don’t accommodate. Obviously, you need to know what settings can’t be replicated when considering a move to MDM.

MEM now provides an easy to use tool called Group Policy Analytics (Preview) that will analyze your on-premise GPOs and determine how they will translate into the cloud.  It will analyze a specific GPO and identify which settings are supported in the MDM, which ones have been deprecated and which ones are simply not available.  The first step is to select the GPO you want to test out in the Group Policy Management Console.  As shown in the screenshot below, simply right click on your selected GPO and choose “Save Report.”  Save it as an XML file.

The next step is to import the XML file into MEM.  Using the MEM admin center, go to Devices > Group Policy analytics (preview).  Select Import and point to the saved XML file as shown in the screenshot below.  Note that the saved XML cannot be larger than 4 MB. 

Click the X in the upper righthand corner and wait for the analysis to complete. You will then see the percentage of settings that are supported by the MDM.

Now click on the stated percentage and review the status of all your settings.  The supported settings will list the corresponding CSP mapping in the righthand column as shown below.

Group Policy analytics is a great tool to determine the MDM setting coverage of your GPOs.  If any of the non-supported settings are critical to your management or security policies, you may want to continue using Group Policy for a while longer or utilize a third-party settings management solution.

 

Jul 2021
20

What is Cloud Config?

Not everyone needs to be a power user.  Some employees just need a basic computer to get the job done.  Examples include front line workers, home based users or those who access everything over a web browser.  While these users may only need the very basics, internal IT doesn’t want to skimp on security for them either.  It is for these types of situations that Microsoft began offering Windows 10 in cloud configuration.  Windows 10 Cloud Config simplifies the desktop experience for end users as well as the management experience for admins.   You can use it to configure new devices or reuse existing hardware in order to extend the life of older machines.   Because Windows 10 in cloud config is a Microsoft-recommended device configuration, you also know that it is secure.  Windows 10 Cloud Config is suited for the following types of scenarios:

  • Devices that do not require complex setting configurations
  • Devices that are not dependent on any type of on-premise infrastructure
  • Devices that use a basic set of apps that are curated by internal IT such as Microsoft Teams and Edge

To be clear, cloud config is not Windows “lite.”  It is the full Windows experience.  You deploy devices with it or assign it to existing devices using Microsoft Endpoint Manager.  From there you manage these machines just like any other MDM enrolled device.  These devices are configured with Windows 10 endpoint security settings and automatically updated through Windows Update for Business.  Admins don’t have to do a thing.  All user data is stored and redirected to OneDrive.  For this reason, Microsoft does not recommend cloud config be used for shared devices.

Cloud config can be deployed to any device running any one of the following operating systems.   

  • Windows 10 Professional
  • Windows 10 Enterprise
  • Windows 10 Education

Cloud config requires the following licenses:

  • Azure Active Directory Premium P1
  • Microsoft Intune
  • Microsoft Teams
  • OneDrive for Business
  • Windows 10 Pro (minimum)

Note that Microsoft recommends Enterprise Mobility + Security E3 and Office 365 E3.

There are two ways to deploy Windows 10 cloud config in Microsoft Endpoint Manager.  The easiest way uses the new guided scenarios feature.  Cloud config is one of the sets of customized steps that admins can use to quickly deploy devices for a given scenario.  You can also configure cloud config manually in order to deploy it using the following steps:

  1. Create an Azure AD group
  2. Configure device enrollment
  3. Deploy a script to configure Known Folder Move and remove built-in apps
  4. Deploy apps
  5. Deploy endpoint security settings
  6. Configure Windows Update settings
  7. Deploy a Windows 10 compliance policy
  8. Additional optional configurations

For this example, we are going to use guided scenario.  You will find it by going to Troubleshooting + support > Guided scenarios.  The first time you access this section you may have to click the “Got it” button as shown below.

Then choose Deploy Windows 10 in cloud configuration by clicking the Start button for that scenario.

The first step involves the naming of the devices during the Windows Autopilot enrollment process.  If you choose not to use the device name template, all devices will use the OEM name.  If you select “Yes” however, you can then create a unique pattern to name the devices.  You can use the %RAND:x% variable to include a string of random characters after Fabrikam.  The X represents the number of random characters allocated.  In the example below we are appending 4 random characters to Fabrikam.

The next step is to select the apps you want to deploy to these devices. Because Cloud Config is about keeping things simple, Microsoft recommends keeping the list of included apps to a minimum so that your cloud config devices are simple to use and manage.  By default, the guided scenario includes Edge and Teams.  As you cannot remove them when using the guided scenario, you must uninstall them at a later time if you don’t want them.  You can then select additional Microsoft 365 optional apps as is shown in the screenshot below.

Next is the Assignment phase in which you will assign the cloud config devices to a group.  Here you can either create a new group or choose an existing group as is shown below.

After you create your group and click “Next” you will be presented with a Summary showing all of your selections.  You can go back to the other tabs, and change any values you added.  Once you verify your settings then click Deploy. 

You can then watch as the resources are being created along with their status.  If there's an error, then the guided scenario isn't deployed, and all changes are reverted.  Once deployed successfully you can use the monitoring and reporting features in the Endpoint Manager.  If you want to remove any of your chosen settings, go to each policy created by the cloud config guided scenario and configure the settings to Not Configured.  Then redeploy the policies. 

In the end, cloud config is just a recommended set of configuration settings for Windows 10 for standardized deployments that are easy to manage.  While it isn’t for everyone, it is an ideal fit for specific user scenarios. 

Sep 2020
02

Microsoft Endpoint Policy Types Explained (Part 1)

Microsoft Endpoint Manager (the Intune part), is a powerful device management and endpoint security system that is constantly evolving.  What began as a portal to manage and secure mobile devices can now manage desktop computers, virtual machines and even servers.  It can now deliver a broad spectrum of configuration and security settings as well as intelligent cloud actions.  Because of this, it’s hard to keep abreast of all of the changes and informational resources are perpetually outdated. 

Microsoft Endpoint offers multiple policy types.  With so much confusion out there concerning which policies do what, I thought it might be a good time to take a snapshot of the state of Microsoft Endpoint as it is today.  This two-part series will cover a quick review, (or for some an introduction), on the various parts of this rapidly expanding management ecosphere.

Configuration Profiles


This has long been the bread and butter of Intune.  Configuration policies are the equivalent of Group Policy Objects.  A configuration profile is created to deploy managed settings to targeted devices or users.  Like other MDM solutions, Microsoft Endpoint supports more than just Windows.  When you go about creating a configuration profile, you can choose between multiple platforms including Android, iOS, iPadOS, macOS and Windows as is shown in the screenshot below.

For the sake of this article, we will focus on Windows 10.  You then select which profile type you want to configure settings for.  The list of profiles has greatly expanded over the years.  Some of the profiles available at this time include:

  • Device Restrictions (Think Group Policy restrictions)
  • Edition upgrade and mode switch
  • Endpoint Protection
  • VPN
  • Wi-Fi

Below is an example of the available Control Panel Settings that you can block within the Device Restrictions policy.

A wizard then guides you through the process of configuring your desired settings and deploying them to the applicable targets.  While the number of available settings offered within Microsoft Endpoint has exponentially grown over the years, it still doesn’t come close to the more than 10,000 settings offered by the culmination of Group Policy and Group Policy Preferences combined.  While its capabilities and offerings may fall short for on-prem AD enterprises, it does provide ample coverage for many mobile and non domain-joined devices. 

Administrative Templates

Administrative Templates is one of the available Configuration profiles but I want to focus on it separately.  These are ADMX settings, some of the same ones you are accustomed to configuring in Group Policy Administrative Templates that includes both Computer and User side settings.  Here you can configure settings for things such as Microsoft Edge, One Drive, Word, Excel, etc.  In the screenshot below you will notice the same hierarchical structure you are familiar with in Group Policy Administrative Templates.  Again, while the list of available ADMX settings has grown substantially, it still falls far short of what is currently available in native Group Policy. (Hint: Use PolicyPak MDM to take 100% of real on-prem GPO settings and use them with Intune.)

Custom Profiles

One more Configuration Profile type I want to focus on is Custom Profiles because a lot of people find them confusing. Windows 10 devices contain Configuration Service Provider (CSP) settings and it is these settings that MDM solutions actually manage. MDM has the ability to manage any CSP setting, but not all of these settings are currently built into the Microsoft Endpoint interface. That is where custom profiles come into play. If you want to deliver settings to an available CSP that isn’t accessible within Microsoft Endpoint, you can create a custom profile, which requires you to input the following settings:

  • Name:  The name is for your own reference to help you identify it.  Use any name you wish.
  • Description:  Enter a short summary of what the profile does and any other pertinent details
  • OMA-URI:  The OMA-URI settings are unique for each platform be it Android, iOS, Windows, etc.    It is also case sensitive so be careful to type in the setting path correctly.  To configure settings for a Windows 10 device you would type the path: Vendor/MSFT/Policy/Config/AreaName/PolicyName
  • Data type:  The data type will vary based on the OMA-URI setting.  The options are String, String (XML file), Date and time, Integer, Floating point, Boolean and Base 64 (file)
  • Value: Here is where you associate the OMA-URI value you wish to enforce.

 

Below is what the Custom Profile creation process looks like in Microsoft Endpoint.

So that sums up our look at Configuration Profiles. 

In case you want a more in-depth view of these, I suggest you check out my MDM book.... www.MDMandGPanswers.com/book where I give more details and examples.

In Part 2 of this series, we will look at the other policy types such as security and conditional access.

Mar 2020
01

Block CMD prompt with Intune

Group Policy admins have been blocking access to command prompt for standard users since the beginning. That is why it is frustrating for MDM admins to have no native way in Intune to block it in the same fashion as Group Policy. Well in actuality, you can block the cmd prompt; it just takes a custom profile, which is something that not everyone likes to do much. Below is how you set it up, so feel free to use the settings.

OMA-URI:  ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type:  String (XML file)

Here is the XML code to paste in:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CMD.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
</RuleCollection>
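A pre-upload check for the rule collection above, as an added example that is not part of the original post: it confirms the XML is well-formed (a copy that lost its closing tags will not parse) and reports how the rules treat a given file for a given set of SIDs. The evaluation model is simplified and the function names, sample files and SID sets are assumptions made for illustration; the caller supplies group membership and the file's signed publisher metadata.

```python
import fnmatch
import xml.etree.ElementTree as ET

ADMINS = "S-1-5-32-544"    # BUILTIN\Administrators
EVERYONE = "S-1-1-0"

# Constructed sample: the post's two rules, Description attributes omitted.
POLICY_XML = """\
<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CMD.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
</RuleCollection>
"""

# Constructed file descriptions. "binary" is the original file name taken from
# the signed version resource, which is what a publisher condition compares.
MS = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
WINDOWS = "Microsoft® Windows® Operating System"
CMD_EXE = {"path": r"C:\Windows\System32\cmd.exe", "publisher": MS,
           "product": WINDOWS, "binary": "cmd.exe"}
RENAMED_CMD = dict(CMD_EXE, path=r"C:\Users\Public\tool.exe")
NOTEPAD = {"path": r"C:\Windows\System32\notepad.exe", "publisher": MS,
           "product": WINDOWS, "binary": "notepad.exe"}


def check_well_formed(xml_text):
    """Return None if the XML parses, otherwise the parser's error message."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)


def _matches(cond, file_info):
    """Simplified match of one condition element against a file description."""
    if cond.tag == "FilePathCondition":
        # Only literal paths and wildcards; %VARIABLE% paths are not expanded.
        return fnmatch.fnmatchcase(file_info["path"].lower(),
                                   cond.get("Path", "").lower())
    if cond.tag == "FilePublisherCondition":
        for rng in cond.findall("BinaryVersionRange"):
            if (rng.get("LowSection"), rng.get("HighSection")) != ("*", "*"):
                raise ValueError("version ranges other than * are not modelled")
        for attr, key in (("PublisherName", "publisher"),
                          ("ProductName", "product"),
                          ("BinaryName", "binary")):
            want = cond.get(attr, "*")
            if want != "*" and want.lower() != file_info.get(key, "").lower():
                return False
        return True
    raise ValueError("unsupported condition type: " + cond.tag)


def evaluate(xml_text, user_sids, file_info):
    """Return (decision, rule name). Deny rules win; no matching allow = deny."""
    root = ET.fromstring(xml_text)
    if root.tag != "RuleCollection":
        raise ValueError("expected a RuleCollection root element")
    allowed_by = None
    for rule in root:
        if rule.get("UserOrGroupSid") not in user_sids:
            continue
        conds = rule.find("Conditions")
        excs = rule.find("Exceptions")
        hit = any(_matches(c, file_info)
                  for c in (conds if conds is not None else []))
        excepted = any(_matches(e, file_info)
                       for e in (excs if excs is not None else []))
        if hit and not excepted:
            if rule.get("Action") == "Deny":
                return ("Deny", rule.get("Name"))
            allowed_by = allowed_by or rule.get("Name")
    return ("Allow", allowed_by) if allowed_by else ("Deny", None)


if __name__ == "__main__":
    print("parse error:", check_well_formed(POLICY_XML))
    for label, sids in (("standard user", {EVERYONE}),
                        ("administrator", {EVERYONE, ADMINS})):
        for name, info in (("cmd.exe", CMD_EXE), ("renamed cmd", RENAMED_CMD),
                           ("notepad.exe", NOTEPAD)):
            print(label, name, evaluate(POLICY_XML, sids, info))
```

Because the exception is a publisher condition, a copy of cmd.exe saved under another name is still excluded from the Everyone rule, while members of the Administrators group remain covered by the first rule.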

Jan 2020
02

Two Worlds Unite to Form Microsoft Endpoint Manager

It is a wonderful thing when new initiatives benefit both the company behind the implementation and the customers they serve.  Such is the case with the announcement at Ignite 2019 that ConfigMgr and Intune are melding together to become one.  Together, the idea is that they will form a single management conglomerate tool called Microsoft Endpoint Manager. 

The MEM console will show a single view of all devices managed by either product through a single interface.  Here's an example.

So the idea is that you can now manage ConfigMgr devices through the MEM interface.  Of course, you can still manage through one or the other if you wish and there are some features that cannot be replicated amongst the two.  Separately, the two tools will be known as:

  • Microsoft Endpoint Manager Microsoft Intune (MEMMI)
  • Microsoft Endpoint Manager Configuration Manager (MEMCM)

The merging of these two management systems now forms a new modern device management system that is exactly what internal IT needs to manage the modern workplace of today.  Modern management for the modern workspace.  That was a common theme at Ignite.

Branding and Licensing Simplification

Some may say that the merging is a recognition by Microsoft that the vast majority of companies continue to stick to ConfigMgr and Group Policy to manage enterprise desktop devices. While Intune is capable of managing your entire Windows 10 environment, many companies continue to limit its management scope to mobile devices.

For Microsoft, bringing the two management systems together under one roof allows them to simplify their branding under one incorporated name.  By integrating ConfigMgr into the Intune Portal itself, Microsoft is undoubtedly hoping that enterprises can better amalgamate themselves with the capabilities and functionality of MEMMI. 

Users will enjoy the simplification of both licensing and experience. Those enterprises that currently have ConfigMgr licenses will automatically have Intune licenses too, allowing them to co-manage their desktop devices with both tools. From a product perspective, admins will be able to view their mobile devices and ConfigMgr controlled PCs from a single interface. No more having to bounce repeatedly back and forth between interfaces throughout the course of the day. Says Brad Anderson, Corporate Vice President at Microsoft, “It’s all about simplifying — and we’re taking that simplifying deep and broad from a branding, licensing and product perspective.”

By implementing the new co-existing licensing model, Microsoft is encouraging those companies that need to leave existing systems in place to provision new machines as cloud-managed devices. Regardless of how the device is managed, however, MEM provides a single view of all devices managed by either product.

Examining the Licensing Structure

So when you think of the new licensing model, think of the management scope of ConfigMgr.  ConfigMgr specializes in PC desktop management, so your PC devices are now automatically licensed for Intune as well so you can go ahead and enable co-management if you want. Note: Phones and non-Microsoft devices are still the exclusive domain of Intune (MEMMI) so those devices are not applicable to receive dual licensing.   Note you will still need Azure Active Directory P1 licensing for your users.  Mobile devices, iOS and Linux machines will remain exclusively licensed under MEMMI.

Intelligence Driven

Modern management systems must be intelligence based in order to maximize the user experience.  There are currently 190 million devices managed by either ConfigMgr or Intune.  The convergence of ConfigMgr and Intune greatly scales the potential use of telemetry power that Internal IT can utilize in its PC deployments and problem solving.  MEM will be introducing an array of intelligent actions that will give admins granular analysis as well as new comparative insights to their environments versus others. 

One example of this is Productivity Score. Productivity Score will allow organizations to evaluate their employee and technology experiences into measurable metrics that Internal IT can use to justify the value that it brings to the organization. From the perspective of the user experience, it will quantify how people are collaborating on content, developing a meeting culture and communicating with one another. Real measured results concerning these types of user experiences can offer insights into how to enhance the user experience and increase productivity. The technology experience will provide insights into assessing policies, device settings, device boot times, application performance and adherence to security compliances.

MEM is an Endpoint

Many of us predicted this would happen one day. As companies strive towards digitally transforming their organizations from the ground up, it was only a matter of time until something was done to streamline the management of on-premise and mobile desktops in scale. One point that Anderson emphasized in his Intune presentation on MEM is that the merging of these two management system giants is not a temporary arrangement. Says Anderson,

"Let me be very clear -- this vision includes both ConfigMgr and Intune.  Co-management isn't a bridge; it's a destination."

MEM allows you to start utilizing cloud intelligence without making a single change to your ConfigMgr policies.  Working collaboratively together, yet visible and accessible through a single interface, MEM provides the modern management system that Windows enterprises need. End-to-end management and automation is now available in a converged license package.  Look for the MEM transformation to emerge within your Intune environment. 

     

Jul 2019
10

Two (not Jeremy) blog posts about Windows Update for Business' Rings

Windows Update for Business is the method where you can use Group Policy, SCCM or Intune to describe "rings" for your business. In these rings, you express "who is going to go first" to get updates.

Then, who will go next, and so on.

I explain these rings in detail in my new MDM book.

But I wanted to share two Microsoft blog entries on this important topic, since it comes up from time to time. These are good extra sources of information.

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/bc-p/664595

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979

Hope these help you out!