Corporate laptops on Windows 10 can now be more easily managed and secured thanks to mobile device management (MDM). It’s an open-source approach, so there are a number of tools, but we’re exploring how it works with Microsoft’s Intune.
For this blog post, we will assume a scenario with an Office 365 customer who currently manages Windows 10 machines with Group Policy in an Active Directory domain that is syncing to Azure AD. Our Windows 10 MDM implementation needs to meet the following objectives to replace the controls in the current imaging and Group Policy implementation:
Run on any Windows 10 PC out of the box
Add local admin rights for desktop administrators
Require BitLocker encryption and backup BitLocker keys
Manage Windows Updates setting by user group
Upgrade the Windows license to Enterprise
Deploy a SCEP certificate for WiFi access
Deploy Office 365 ProPlus
Deploy a set of custom fonts
Allow users to access several office printers
We’ve already explored the first three in part one, and the second three in part two, so now we’ll cover how to:
Deploy Office 365 ProPlus
Deploy a set of custom fonts
Allow users to access several office printers
We are going to deploy Office 365 ProPlus with the app type Office 365 Suite – Windows 10. From here we can select the Office Apps we want to deploy, give our app deployment a name, and set application settings, including the Update channel. If you’re unfamiliar with the Office 365 ProPlus channels, check out Microsoft’s Best practices: Managing channels for the details. You will want to create separate app deployments for each channel you want to leverage for your environment.
After you save your app deployment, go to Assignments and add your app test group to the Included Groups with an Assignment type of Required so that Office will be automatically deployed to users’ computers when they sign in. You can also deploy other apps from the Microsoft Store, line-of-business apps with .msi, .appx, or .appxbundle extensions, or web apps and make them required or available from the Intune Company portal app. Hint: if you are going to use the make apps available option, make the Intune Company Portal a required install from the Windows Store so users have it when they want to install an available app.
Next, we need to deploy a set of open-source fonts to our machines. Before you skip this section as boring, in order to deploy and register the fonts we will be creating a custom PowerShell script that we will deploy with Intune. This is by far one of the most powerful features of Intune Windows 10 management, as anything you can do with PowerShell, you can do through Intune.
In order to deploy the fonts, we need to store the font files and a registry file in a publicly accessible location. For this example, we will upload the files to Azure Blob Storage. The registry file is needed to register the fonts with the OS once they are saved on the Windows 10 device. The .reg file for our example deployment is outlined below:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Lato Black (TrueType)"="Lato-Black.ttf"
"Lato Black Italic (TrueType)"="Lato-BlackItalic.ttf"
"Lato Bold (TrueType)"="Lato-Bold.ttf"
"Lato Bold Italic (TrueType)"="Lato-BoldItalic.ttf"
"Lato Italic (TrueType)"="Lato-Italic.ttf"
"Lato Regular (TrueType)"="Lato-Regular.ttf"
"Lato-Hairline (TrueType)"="Lato-Hairline.ttf"
"Lato-HairlineItalic (TrueType)"="Lato-HairlineItalic.ttf"
"Lato-Light (TrueType)"="Lato-Light.ttf"
"Lato-LightItalic (TrueType)"="Lato-LightItalic.ttf"
Now we need to create our PowerShell script to download our Lato fonts and registry file from the Azure Blob Storage. We do a check to make sure the font isn’t already installed, and if not, we download the font file to the Fonts folder. Then, we download and execute the Fonts.reg file. Below is the PowerShell script for our example:
$Fonts = @("Lato-Black.ttf","Lato-BlackItalic.ttf","Lato-Bold.ttf","Lato-BoldItalic.ttf","Lato-Italic.ttf","Lato-Regular.ttf","Lato-Hairline.ttf","Lato-HairlineItalic.ttf","Lato-Light.ttf","Lato-LightItalic.ttf")
$RegFile = "Fonts.reg"
$FontURL = "https://win10mdm.blob.core.windows.net/fonts"
$LocalFontDir = "C:\Windows\Fonts"
foreach ($font in $Fonts){
$LocalFontFile = $LocalFontDir + "\" + $font
if (Test-Path $LocalFontFile) {
Write-Output "Already have $($font)"
}
else {
$FontUri = $FontURL + "/" + $font
Invoke-WebRequest -Uri $FontUri -OutFile "$LocalFontFile"
}
}
$RegUri = $FontURL + "/" + $RegFile
$OutputFile = "C:\" + $RegFile
Invoke-WebRequest -Uri $RegUri -OutFile $OutputFile
reg import $OutputFile
Once the PowerShell script is complete, run it locally on a test machine to make sure it’s working as expected, then save it and uploaded it to Intune in the PowerShell scripts section. Finally, assign the PowerShell script to the test group.
Printers were a forgotten and neglected issue in the Intune world until February 2018 when Microsoft announced Hybrid Cloud Print, which is built on Windows Print Server and IIS on Windows Server 2016. You can see Microsoft’s technical details for Hybrid Cloud Print. Another option for deploying printers is to package the print driver in an app that installs the printer via PowerShell, then deploy the new app as an .msi or .appx app in Intune.
That’s it! Now, get a test Windows 10 computer fresh out of your favorite manufacture’s box and walk through the Out-of-Box experience setting it up as a work or school computer and logging in with a user from the test group. Once you are signed in, Intune will start working in the background applying policy and deploying our profiles. You can see things happening by watching Task Manager and checking the Event Logs at Applications and Services Logs->Microsoft->Windows->DeviceManagement-Enterprise-Diagnostics-Provider. These logs are also helpful for troubleshooting any issues you may run into.
Do you have questions about creating an MDM Windows 10 deployment to meet your needs? Credera has expertise helping clients achieve modern deployment patterns that can streamline the deployment process, freeing up resources from time-consuming image deployment processes. We would love to discuss potential cloud and infrastructure solutions with you—contact us at findoutmore@credera.com.
Contact Us
We'd love to start a conversation. Fill out the form and we'll connect you with the right person.
Searching for a new career?
View job openings