Workplace Ninjas UK 2025 Day 1 Part 1

Workplace Ninja UK 2025 – Day 1

Due to time constraints and for ease of reading I'll split this into a few posts.

Content:

Introduction
Keynote
Compliance Policies
Windows365, Intune & Autopatch – the evergreen approach

Click here to read Part Two for Day 1, which contains the following subjects:

Slice & Dice IT Challenges
Autopilot vs Device Preparation
PatchMyPC
Intune Reporting – let's make it better
Become a Master Packager


Introduction

June 18 sees Workplace Ninjas UK 2025 kick off in Edinburgh.  For two days some of the finest in End User Compute, and me, get together to hear from over 70 sessions across Microsoft Copilot, Intune, Windows 365 and application deployment, along with Security and Purview.

An early start for day 1 saw me arrive at the Edinburgh International Exhibition center for 8am to register and mingle with a coffee and a pastry.

Day 1 Keynote – Windows Cloud & AI – The state of the union

So Christiaan Brinkhoff and Bhavya Chopra kicked off the 2025 edition of Workplace Ninjas with a discussion of Windows now and the future of Windows Cloud, including Windows 365.

Microsoft celebrates its 50th year this year and we can see exactly how far DOS and Windows 1 have come.  Microsoft have gone from “A computer on each desk and in each home” to now “AI and Cloud in every interaction”.  And I think Microsoft have achieved that initial goal.  Just go and look at the triad of devices that we all now own, use and carry around with us on a daily basis!

In 2025 we see Microsoft announced for the second year in a row as Gartner leader for DaaS.  And we can see this in the economic impact on an enterprise using either Windows 365 or Azure Virtual Desktop:

  • ROI of between 94% and 217%
  • Saving users between 6 and 12 minutes per day each

With Virtual Desktop Solutions there are three distinct usage types:

  • 24/7/365 – Windows 365 Enterprise/Business
  • Shift Work with Front Line Worker dedicated (used for shift based workers, contractors)
  • Intermittent usage with Front Line Worker – Shared

And Microsoft won't rest here with the feature set for Windows 365.  As of right now, you can integrate Windows 365 Shared Front Line Worker right into Autopilot Device Preparation, taking full advantage of getting the device ready for a user to log on to.  And coming soon, it will be supported with Windows 365 Enterprise.

When considering Windows 365, the following areas should be taken into account:

  • Securing Users – responsibility of the business
    • Secure the identity with Entra ID, passwordless throughout
    • Secure access with MAM capabilities in Windows App
    • Securing data with appropriate data protection controls from Purview
  • Securing Platform – Responsibility of Microsoft
    • The platform is designed as secure with access provided just in time when needed by Support.
  • Resiliency
    • Fewer bottlenecks for connectivity and a reduction of single points of failure, along with a great user experience.
    • Able to be managed on a global scale, on a resilient foundation with data reliability
    • The workload for Windows 365 is on reliable infrastructure managed by Microsoft
    • The actual hosts, the VDI themselves, are resilient with Point in Time restore, for snapshot and backups
    • Windows 365 addons for resilience with cross region migration

Alongside all the improvements that are here right now and in the pipeline for Windows 365, the Windows App keeps going from strength to strength.  New health checks are coming into the client to allow users to self-troubleshoot and, further, the ability to “chat” to try and sort out connectivity issues before talking to the IS team.

Additionally, RDP access is coming into the app in a future release meaning that the Windows App is the all-in-one app for any connection to a Windows device, be it a server, Virtual Desktop, RDS app or Devbox, the Windows App will do it all.

Alongside this is the improvement and rollout of Teams optimization with Slimcore, bringing a “like-local” experience to Teams on Virtual desktop.

And the first purpose-built device to allow lightning-quick access to Windows 365 is the Windows 365 Link device.  This runs a purpose-built Windows OS which has just enough of Windows to launch your Windows 365 device as soon as you log on.  It takes Windows 365 Boot to the next level.

And we see the next IT revolution on the horizon… the AI revolution, where you will be able to tell your device to run an action using natural language and it will then go and do that task.  Taking it to the next level, you can get it to run on your Windows 365 and integrate with the apps installed there to get the job done.

Coming soon is Cloud NPU, which gives Windows 365 devices the ability to do more Copilot actions, similar to a Copilot+ PC, by attaching to a Cloud NPU for that processing.  One such thing will be Copilot search in Windows 365 using that Cloud NPU.

And not forgetting IT admins, Copilot is coming to Intune and Security.  Soon, as IT admins, we will be able to ask Copilot for Intune “show me all the underpowered Windows 365 devices” and it will display the report and give you options on whether you want to upgrade them to a more powerful device to remediate the issue.

So as we see those devices on all desks and in all homes, we bring the power of AI into users' hands and provide them a way to work better and do more value-add work.  AI and Cloud in every interaction.


Device Compliance Policies

Kenneth Van Surksum

In this session we took a look at compliance policies: why we have them and what we can do with them.

Why Compliance Policies?

Compliance policies measure the security configuration and policies applied to a device and make sure that they are both applied and effective.  This means that we can be sure that the endpoint being used to access corporate resources is secure.

But don’t get carried away – too many compliance policies and you’ll be chasing your tail constantly.

The tips that I took away from this session:

  • Have a good naming and version process.  For example:  Lilysdad_Bitlocker_2025.6.1
    If we need to make a change to a compliance policy, we’ll take a copy of the live policy, make the change and then apply to a test group of people.  Once we are happy the changes work (and more importantly, do not break anything) we can deploy into production and retire the old one.
  • Don't always plunk all the checks into one policy, especially any of the device attestation settings, as these will always require a reboot before the results can be passed to Intune: device health attestation is only measured during the system startup process and then sent to Intune.

    Sometimes BitLocker policies cause the device to be non-compliant if it has finished Autopilot but not yet rebooted.  Popping this into its own compliance policy with a longer grace period allows the device time to be rebooted before it is marked non-compliant.
  • You can also use a custom script to collect non-standard details, for example whether CrowdStrike AV is installed.  The script will need to return just one return value, as a JSON string, for Intune to decode.
    • Via manual sync in Company Portal
    • Via Admin-initiated sync from Intune portal
    • Every 8 hours
    • When a policy, profile or app is assigned to the device/user
  • In the question of “how many” we can look at the compliance in three areas:
    • Critical Security [Grace period 0.5-1 days]
      • Bitlocker, SecureBoot, AntiVirus
    • OS & Software [Grace period 7 days]
      • Minimum OS
      • Required Updates
    • User Experience [Grace period 14 days]
      • Password
      • Complexity
  • Basically, the decision here is a balance between being too secure and preventing people from working, and being insecure and inviting issues.
  • With multiple policies, you can be more granular with the notifications sent to the user.  Ensure that the messaging is audience-appropriate, with steps detailing how the user can fix and remediate their issue.
  • The compliance of the device can then be used with Conditional Access to grant access to corporate resource, or used by other systems such as Cisco ISE to allow devices to even reach the network in the first place.
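As an added example of the custom compliance script described above (my own illustration, not code from the session or the blog), here is a discovery script in the shape Intune custom compliance expects, returning a single compressed JSON string, with the matching rules JSON shown in a comment. The CrowdStrike Falcon service name CSFalconService and the MoreInfoUrl are assumptions.

```powershell
# Added example: Intune custom compliance discovery script (not from the session).
# Intune runs this as SYSTEM and expects exactly one line of output: a JSON string
# whose keys match the SettingName values in the rules JSON uploaded with the policy.

# Assumption: the CrowdStrike Falcon sensor registers the Windows service "CSFalconService".
$FalconServiceName = 'CSFalconService'

$svc = Get-Service -Name $FalconServiceName -ErrorAction SilentlyContinue

# Each key in the hashtable becomes one "setting" that a rule can evaluate.
$result = @{
    CrowdStrikeInstalled = [bool]$svc                                   # service is registered
    CrowdStrikeRunning   = ($null -ne $svc -and $svc.Status -eq 'Running')
}

# One compressed line only; extra or multi-line output makes Intune treat the script as failed.
return ($result | ConvertTo-Json -Compress)

<#
Matching rules file (uploaded as the policy's JSON). Operator and DataType values are the
documented custom-compliance ones; the MoreInfoUrl is a placeholder.
{
  "Rules": [
    {
      "SettingName": "CrowdStrikeRunning",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/fix-crowdstrike",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "CrowdStrike Falcon sensor is not running",
          "Description": "Open Company Portal, reinstall the Falcon sensor from the app list, then sync the device."
        }
      ]
    }
  ]
}
#>
```

Because the rules JSON carries the remediation text, this is also where the audience-appropriate messaging from the notes above lives.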

Windows 365, Intune and Autopatch
The Evergreen Approach

David Rankin / Ken Gossens

This session looked at how a combination of Windows 365, Intune and Autopatch, once configured, keeps the environment in tip-top shape without any work.

Windows 365

This is an easy, rapid and secure way to deploy Windows.

  • Identity
    Move from AD and Hybrid Join over to Entra ID Join, which means you can then introduce single sign-on or even passwordless connection to the device
  • Networking
    Don't worry about bring-your-own VNet or Azure networking.  Move to Microsoft Hosted Network, which means that Microsoft handles the full network stack to the Windows 365 device.  This has a lower cost than the Azure network connection
  • Images
    Move away from maintaining a “golden image” and start to use the Microsoft gallery images, as these already contain both the Windows and Teams optimisations, meaning one less thing to do.  Tie this with Intune to layer and install the apps on top and you'll not miss image management
  • Updates
    Stop worrying about Windows Update and WSUS (well, you should, as WSUS is deprecated) and move to Autopatch and you'll not need to worry about patching.  Combine this with hotpatch and users will have fewer interruptions in the form of having to reboot.
  • User data
    Move away from traditional data locations such as network shares and home drives and use cloud locations for file storage such as OneDrive, Edge profile syncing, Teams and SharePoint storage

By making a move into Windows 365, you can take learnings from the deployment experience and then apply this to your physical devices.  This is what we did to improve our deployment and management of physical devices.

How to get there?  Just “Dream Big. Start Small. Act Now.”

Provisioning a Windows 365 device is as easy as:

  • Ensure you have a license
  • Create a group to assign the license
  • Configure Microsoft Hosted network
  • Set up a Provisioning Policy (enable single sign-on for that secure connection)
  • Assign the group to the policy

And whoever you add into that group gets a device automatically provisioned and ready for use.

Autopatch

So for many, the rigmarole of Windows patching is handled on a regular basis by IT admins:

  • Evaluation
  • Defining and testing
  • Define Rollout schedule
  • Monitor, pause and rollback (if needed)

With Autopatch, we can create Deployment profiles and Rings like Windows Update for Business, and let it look after itself.

How do we set this up? Simples!  In the Intune portal, under tenant settings, slide the slider for Autopatch to Enabled and provide a group that contains all the devices to apply Autopatch to.

Once we have this, we can create a deployment ring.  And to do this:

  • Provide Name and description
  • Deployment Ring 
    • How many rings? Provide the group of all the devices; Autopatch uses this to dynamically distribute devices amongst the various rings.
    • There is also a dedicated Test ring that you can put IT admins into, and you can adjust rings to be a specific group instead of the dynamic group.
    • With the other rings you decide on the percentage to apply the update to.  There is no way to spread this out manually as it's done automatically.
    • You can also specify a last ring group.  This could be VIPs that you don't want to impact in the earlier rings, or other “special” users.
  • Update Types
    • Select all bar Feature Update. We can create a separate policy for feature updates.
    • There is a 1:1 relationship between device and device group for rings.
  • Deployment Settings
    • We can use the same approvals as we do for Windows update for business or different on a per ring basis.
    • Control for M365 App updates coming soon and currently only supports Monthly Enterprise.
  • Release Schedule
    • There are presets available which can be applied and then edited to suit your own requirements

Done. Autopatch is now set up and ready to roll.  But wait – how do we monitor?  Well, we kinda have you covered if you like Intune reporting.

Under Devices > Windows Updates there is a report which provides a status of the device and rollout.  From here you can also pause or uninstall.

Autopatch not only covers the usual quality and driver updates, but also any out-of-band patches.

So we have Autopatch doing quality updates, driver updates and M365 App updates.  What about Feature updates?

We'll set up a multi-phase feature update.  This allows us to select the target version (Windows 11 24H2) and, similar to the other updates, create a phased ring approach to deploy the feature update.

Lastly, the question on everyone's lips: how do we migrate from Windows Update for Business (WUfB) to Autopatch?  From an overview, it's simple: just move the ring groups from WUfB to Autopatch and you're done.

So, to enhance Autopatch, Microsoft released hotpatch.  This provides the ability to apply the quality update in memory without requiring a reboot.  This was added to Windows 11 24H2 and will not be backported, so you need to run this version if you want hotpatch.

With hotpatch there are still mandatory reboots on a quarterly basis to clear the hotpatch cache and be ready for the next tranche.  There is also a prerequisite: Virtualization-Based Security (VBS) must be enabled.  To set up hotpatch:

  1. Enable hotpatch in Intune as follows.
  2. Go to Intune Admin Center → Devices → Windows Updates → Quality Updates and create a new Windows Quality Update Policy.
  3. Set “When available, apply without restarting the device (hotpatch)” to Allow.
  4. For Arm64 devices only:
    • Disable CHPE (Compiled Hybrid PE) by setting the following registry value:
      Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
      DWORD: HotPatchRestrictions = 1
    • Restart the device after setting this

To verify that hotpatch is enabled and capable:

  • Check System Information to confirm VBS is running.
  • In Settings > Windows Update > Advanced Options, verify that hotpatching is enabled.
  • Use Event Viewer to search for AllowRebootlessUpdates to confirm enrollment.
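As an added example (my own, not from the session), the setup and verification steps above folded into one readiness check script: it confirms the 24H2 build, that VBS is actually running, the Arm64 CHPE registry value from the notes (written only with -Apply), and looks for the AllowRebootlessUpdates event. The build number 26100 for 24H2 and the choice of the System log for the event search are assumptions.

```powershell
# Added example (not from the session): hotpatch readiness check for a Windows 11 24H2 device.
# Run elevated. Returns a readiness object; only the Arm64 step writes anything, and only with -Apply.
param([switch]$Apply)

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$arch = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Architecture  # 12 = ARM64

# 1. Assumption: 24H2 is build 26100; hotpatch is not backported to earlier builds.
$is24H2 = [int]$os.BuildNumber -ge 26100

# 2. VBS must be running, not just enabled: VirtualizationBasedSecurityStatus 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# 3. Arm64 only: CHPE must be disabled via the HotPatchRestrictions value from the session notes.
$mmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$isArm64 = ($arch -eq 12)
$chpeOk  = $true
if ($isArm64) {
    $current = (Get-ItemProperty -Path $mmKey -Name HotPatchRestrictions -ErrorAction SilentlyContinue).HotPatchRestrictions
    $chpeOk  = ($current -eq 1)
    if (-not $chpeOk -and $Apply) {
        Set-ItemProperty -Path $mmKey -Name HotPatchRestrictions -Value 1 -Type DWord
        Write-Warning 'HotPatchRestrictions set to 1; a restart is required before it takes effect.'
    }
}

# 4. Enrollment evidence: the notes say to search Event Viewer for AllowRebootlessUpdates.
#    Assumption: the event lands in the System log; adjust -LogName if your tenant logs it elsewhere.
$enrolled = [bool](Get-WinEvent -LogName System -MaxEvents 2000 -ErrorAction SilentlyContinue |
                   Where-Object { $_.Message -match 'AllowRebootlessUpdates' })

# Ready = prerequisites met; EnrollmentSeen is informational, since the policy may not have applied yet.
[pscustomobject]@{
    Build          = $os.BuildNumber
    Is24H2         = $is24H2
    VbsRunning     = $vbsRunning
    Arm64          = $isArm64
    ChpeDisabled   = $chpeOk
    EnrollmentSeen = $enrolled
    Ready          = ($is24H2 -and $vbsRunning -and $chpeOk)
}
```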

So the takeaways for your evergreen Windows 365 and Autopatch:

  • With improvements in the RDP protocol to include UDP and RDP Shortpath there isn’t now a requirement to have it close to the user, it can be where you need it to be.  As soon as the connection enters into the Microsoft networking, it should be a quick connection across to the device.

    For us, it’s a case of data residency to host them in the UK South datacenter for our overseas resource to access
  • Embrace cloud-native zero trust deployment guidance (passwordless, Microsoft Managed Network, cloud based storage)
  • Register into Autopatch
  • Use multi-phase autopatch groups for feature updates
  • Enable hotpatch

Watch out for Part Two coming soon.
