Microsoft Endpoint Manager's September 2209 service release includes a new security enhancement for user-based enrollments to help mitigate potential security incidents – this is a critical feature given the overall security landscape today. Additionally, we're releasing a Windows Autopilot device diagnostics capability that will automate the log-collection process and streamline troubleshooting for IT admins. I hope you appreciate these enhancements as deployment wraps up for the month. I look forward to your feedback. Please comment on this post or connect with me on LinkedIn.
Additional peace of mind for user-based enrollments
With the addition of enrollment notifications on Windows, Android or Apple devices, an administrator can send a customized email notification to an end user's email account upon a new enrollment. They can also send a push notification that will appear in an enrolled Android or iOS/iPadOS Company Portal app.
End users are then asked to verify the enrollment and, if it looks suspicious, they can report it from the notification. This new feature adds a more robust element to an organization's security story. We have plans to extend this feature to more enrollment types and notification methods in the future.
During the preview of this feature, customers have seen an immediate positive impact. Suspicious enrollments were reported properly and swiftly, which prevented potential security incidents. Again, this is critical given the current security landscape.
Note that this feature depends on the end user checking and verifying the enrollment once they receive the notification.
Email notifications give administrators some control over customization, with the ability to add HTML and branding so the notification doesn't look suspicious to end users. Push notifications have only a subject and message to configure.
Here's a video showing the configuration from the Microsoft Endpoint Manager admin center:
Automating the Windows Autopilot log process
Windows Autopilot provides out-of-the-box enrollment for an organization's distributed devices. The apps and policies configured by the IT admin and applied during enrollment enable users to start being productive on their Windows devices. As we continue to add new capabilities to Windows Autopilot, we are also focused on enabling helpdesk, end-user support, admins, and all levels of the IT department to use Windows Autopilot logs to troubleshoot and resolve issues quickly.
With troubleshooting improvements in mind, we have released Windows Autopilot device diagnostics this month. When enabled, device diagnostics automatically captures the logs from your Windows devices when a failure occurs in the Enrollment Status Page (ESP) phase. Diagnostics will be stored in the service for 28 days and can be downloaded from the Windows Autopilot deployments monitor or the device diagnostics monitor node.
Editor’s note: The sentence above has been corrected to note that diagnostics are stored in the service for 28 days. For more information, see What's new in Windows Autopilot.
How device diagnostics download data appears in the Microsoft Endpoint Manager admin center
You can also download the device diagnostics and see times when the request was initiated and uploaded in the Microsoft Endpoint Manager admin center on the device diagnostics tab. Enabling device diagnostics is a one-time setup.
This new troubleshooting feature complements other recent troubleshooting additions such as the device group membership report, multi-user support for Managed App Blade, and improvements to the folder/file structure in device diagnostics. These troubleshooting additions will be a time-saver for your entire IT department!
Let us know what you think
Please share your comments, questions, and feedback, so we can continue to improve the endpoint user experience and simplify IT administration. Simply comment on this post or connect with me on LinkedIn.
For 2209 release documentation which includes Enrollment notifications: https://aka.ms/IntuneDocs