Ignite 2021 – Modern Management recap

Ignite 2021 is almost over and most of the content I was hunting for is also available as on-demand sessions. So, it is a good time to start a blog post about my impressions. In this post I will go over the highlights I captured for the Windows and Modern Management with Microsoft Endpoint Manager area. As I mostly deal with Microsoft Intune modern managed Windows devices, I was curious what new things Microsoft would bring us in this field. My highlights are:

Endpoint Analytics

Let’s start with one of the technologies which will definitely play an important role in the future. I’m talking about analytics in the context of Microsoft Endpoint Manager, where it is called Endpoint Analytics. In my opinion this is an area with huge potential for innovation and for valuable insights. Imagine predictive statements like:

  • We discovered devices with bad disk performance. Please go and upgrade the disk drives.
  • We found devices with crashing applications due to incompatible drivers. Please go and update driver x.
  • We found software which is installed and never executed on your device fleet. Are you sure you still need it?
  • We found an app crashing all the time. There is an update available, please go and update it.
  • We found devices operating constantly at very high resource utilization. Maybe replace them with new, more powerful ones.
  • We found devices older than X years that are suffering performance issues; consider replacing them.
  • and so on, …

You definitely get it: analytics can be very insightful and can be used to drive various improvements, discover errors, and finally improve the user experience with the endpoints/devices. It is especially worth mentioning that these insights can and should be used for proactive improvements! Endpoint Analytics already gives us some of these valuable insights, but it is expected that this area will be expanded heavily in the future. I bet a lot on it for the future!

Application Reliability

At this Ignite 2021 they announced Application Reliability in Endpoint Analytics. It helps you find the real issues in your environment instead of making assumptions about application problems based on user-reported symptoms. Really, this is huge and completely redefines our ability to take action.

This is the Application reliability overview page in Endpoint Analytics:

Microsoft Intune Endpoint Analytics - Application reliability

You get a quick overview about your application environment and how it performs. On the right side of the webpage, you get the first recommendations 👍

If we dive in a little deeper, we can see detailed application reporting with their crash count and mean time to failure:

Microsoft Intune Endpoint Analytics - Application reliability - app performance details

With that valuable piece of information we can go and take action by finding the root cause of the crashes. For example, we can pinpoint a particular application version which is crashing all the time and get an update for the affected application. Or maybe it is just a configuration problem in the end.

Restart frequency

But this is not enough, they also added Restart frequency. Another useful insight, why restarts happen and how often they happen.

Microsoft Intune Endpoint Analytics -startup performance - restart frequency

This can be useful to identify devices with a high number of restarts, maybe caused by blue screens.

Microsoft Intune Endpoint Analytics - startup performance - device performance - restarts and blue screens

On the device itself, we can get detailed info about restarts and blue screens.

Microsoft Intune Endpoint Analytics - Application reliability device detail page

And in addition we get a timeline with application-related events. It reminds me a little bit of the Reliability Monitor in Windows 10, but now it is centrally available. Right now, it shows you application-related events.

Microsoft Intune Endpoint Analytics - Application reliability device timeline history

For comparison, here is the Reliability Monitor from Windows 10.

Windows 10 Reliability Monitor

On the Application reliability timeline, Microsoft plans to add additional data points over time, like app installed, patch installed, feature update applied etc. Again, compare this with the Reliability Monitor on Windows 10. The idea is to give you a complete picture of what is happening on the device. And all this from the central admin portal – Microsoft Intune. How cool is that?

Productivity Score

Finally, Microsoft added Endpoint Analytics as the Technology experience score to the Productivity Score in the Microsoft 365 Admin center. This should provide more visibility of the great insights from Endpoint Analytics, even for people with no access to Microsoft Endpoint Manager.

Microsoft 365 Admin Center Productivity Score with Endpoint Analytics

As already mentioned in the intro, you really should have a look at Endpoint Analytics. It is a game changer for managing a well-functioning environment and will make for happier users 👍 as they experience fewer issues with their devices.

For further information check out this on-demand session:

Windows Update for Business improvements

It was quite a while back when I heard about Microsoft’s ambitions to provide more control in the Windows Update for Business (WUfB) process. I guess this is now the time when they are finally going to deliver on this promise. I collected three announcements which will provide more control and safety during your update endeavor. These announcements are:

I will dive into each feature in the following paragraphs.

Driver and Firmware update policies

Microsoft introduced a Deployment Service for drivers & firmware. We will get dedicated driver update policies. Vendors are more and more publishing drivers and firmware to Microsoft via a quality-assured publishing process. Microsoft Endpoint Manager – Intune takes control over the publishing process to your devices.

Microsoft Intune Windows Update for Business (WUfB) driver and firmware servicing evolution

This is done by configuring driver update policies in Intune.

Microsoft Intune Windows Update for Business (WUfB) - Windows 10 driver update policies

We are able to track the deployment progress with analytics and reporting.

Microsoft Intune Windows Update for Business (WUfB) - Windows 10 driver update policies - reporting and analytics

We are able to browse for the best drivers, approve them and schedule their deployments.

Microsoft Intune Windows Update for Business (WUfB) - Windows 10 driver update policies - recommended updates

Deployment timing and schedules can be configured easily.

Microsoft Intune Windows Update for Business (WUfB) - Windows 10 driver update policies - scheduling and timing

As seen in the screenshot above, we can have an Automatic deployment with a deferral of up to 14 days, and we can have an approval mode where only approved updates are deployed.

This is something many people have waited for. Now we need support from the vendors, taking this opportunity seriously, to provide a streamlined way to update devices and to publish their drivers via Microsoft Update. Major vendors like Intel, Lenovo and Dell expressed their full support. I’m really happy that this capability is now offered. Not only can critical security issues in drivers now be patched easily in your environment, new firmware features will also make sure that you are compatible with the latest innovations.

For further information check out these blogs and this on-demand session:

Expediting Quality Updates

This is a fairly simple addition but a very useful one that is needed from time to time. You can simply specify a quality update profile to deploy an important update and define a deadline of up to 3 days until a forced restart occurs.

This is what the policy options will look like:

Microsoft Intune Expediting Quality Updates - Windows 10 Quality Updates

The installation experience is the same as when you configure deadlines for Windows updates; users get their typical notifications:

Windows 10 Update Notification Deadline dialog

You can expect some reporting on the new reporting platform, as soon as the feature is ready to be released. This is a first mock-up:

Windows 10 Quality Updates - expediting quality updates - reporting mock up

For further information check out this blog and on-demand session:

Known Issue Rollback (KIR)

Known Issue Rollback is an interesting way to quickly roll back non-security bug fixes. It is available with Windows 10 version 2004. The idea is to contain the quality change within the code, so it can be reverted without any uninstall, as the code contains both the old and the new behavior. Best demonstrated by this small code snippet:

Known Issue Rollback (KIR) code path - bug fix containment

This way a bug fix can easily be reverted, as the new code path can be skipped and the old code path takes over. This is only available for non-security updates, as security updates typically fix code that is vulnerable. Even if the bug fix might still be vulnerable, it is more likely “less” vulnerable than the old code. So, again, this new feature is already enabled for quality bug fixes only, starting with Windows 10 version 2004. Right now, these rollback configurations are coming as Group Policy downloads, and Microsoft is actively exploring delivering them via other channels as well, like MDM profiles.
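The containment pattern described above, sketched in C as an added example (not Microsoft's code and not from the original post). The fix registry, the ids and all function names are hypothetical; the point is that both behaviors ship in one binary and that a rollback request is refused for a fix marked as security.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical fix registry: every contained change gets an id. */
typedef struct {
    unsigned id;
    bool security;     /* security fixes are never eligible for rollback */
    bool rolled_back;  /* set from a rollback policy (e.g. delivered by Group Policy) */
} fix_entry;

static fix_entry fixes[] = {
    { 1001u, false, false },  /* non-security: rounding of a progress percentage */
    { 2001u, true,  false },  /* security fix (constructed entry) */
};

static fix_entry *find_fix(unsigned id) {
    for (size_t i = 0; i < sizeof fixes / sizeof fixes[0]; i++)
        if (fixes[i].id == id) return &fixes[i];
    return NULL;
}

/* Apply a rollback request; returns false when it is refused. */
bool request_rollback(unsigned id) {
    fix_entry *f = find_fix(id);
    if (f == NULL || f->security) return false;
    f->rolled_back = true;
    return true;
}

/* True when the new code path should run; unknown ids use the old path. */
bool fix_enabled(unsigned id) {
    const fix_entry *f = find_fix(id);
    return f != NULL && !f->rolled_back;
}

/* Old and new behavior live side by side; the gate picks one at run time. */
unsigned progress_percent(unsigned done, unsigned total) {
    if (total == 0) return 0;
    unsigned long long scaled = (unsigned long long)done * 100;
    if (fix_enabled(1001u))
        return (unsigned)((scaled + total / 2) / total);  /* new: round to nearest */
    return (unsigned)(scaled / total);                    /* old: truncate */
}

int main(void) {
    printf("fix active:      %u%%\n", progress_percent(2, 3));
    request_rollback(1001u);
    printf("fix rolled back: %u%%\n", progress_percent(2, 3));
    printf("security rollback accepted: %d\n", request_rollback(2001u));
    return 0;
}
```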

For further information check out this blog and on-demand session:

Delivery Optimization – cloud-based congestion detection

This next feature is more of a roadmap item, as it will be released later this year, but I think it is really worth mentioning, as it will fine-tune the great capabilities of Delivery Optimization. For all folks not familiar with Delivery Optimization, I recommend reading the official docs: Delivery Optimization for Windows 10 updates.

They announced cloud-based congestion detection. Starting with Windows 10 version 2004, the client will support this new feature. But as the name suggests, it is a cloud-based feature, and the cloud needs to support the congestion detection. This will be enabled on the service side (cloud) later this year.

So, what is it all about? Cloud-based congestion detection will prevent download storms. Imagine a situation where a lot of clients start reaching out to the cloud to get new content. You could prevent this behavior by selecting a client and adding it to a special Windows Update ring with a lower deferral than all other clients, to allow it to download the content first. This will guarantee that the following clients will find the content locally. This would be the manual process. The service-side cloud-based congestion detection will now do exactly this for you automatically. It will tell clients during a download storm to back off and let dedicated client(s) download the content first, to make sure content is available locally. It is technically enabled on the client by setting the already available policy “delay background/foreground download from http”.

Delivery Optimization - cloud-based congestion detection

For further information check out this blog and on-demand session:

Settings Catalog

Actually, the Settings Catalog was available shortly before Ignite 2021, but it was also mentioned/announced several times during Ignite 2021. So, I added it to the list as well. It is an important step in the settings architecture of Microsoft Endpoint Manager and in how future settings are going to be made available in Intune.

The idea is very simple: Microsoft maintains a settings database, the so-called settings catalog, which has the settings and the descriptions directly parsed from the various components responsible for implementing them (e.g. the Windows 10 Configuration Service Providers (CSP)). This catalog can be searched, and individual settings can be added to a configuration profile. A custom profile with the settings you need is the final result. This provides flexible ways of designing configuration profiles according to your individual needs. From the Microsoft side it is now far more efficient to add new settings to the catalog. As the settings catalog dynamically renders the user interface (UI) for the settings, Microsoft just needs to add the new settings to the database and they are instantly available for configuration. I’m really happy about this, as it will make sure new settings, like new Edge policies, can be made available near day zero of the release date. Why “near” day zero? Because I expect some internal quality gates that need to be passed, which take approximately a few days.

Microsoft Intune Settings Catalog

For further information check out this on-demand session:

I hope you like my collection of announcements in the modern management field for Windows 10. I find them very useful, and for me they are a step in the right direction. I welcome the new capabilities and I’m eager to incorporate them into the modern managed Windows 10 designs for customers as soon as they are broadly available.

So, keep an eye on the What’s new in Microsoft Intune page for the release announcement some time in the future.