Monday, 24 August 2020

Windows 10 2004 - Testing Delivery Optimization in Hyper-V using PowerShell

 Introduction

Windows Delivery Optimization is a peer-to-peer file sharing technology.  Windows updates and Windows apps can be downloaded from the internet or from peer devices on the local network.  In Britain there is a tradition of "getting the rounds in": one person goes to the bar and orders drinks for all of his or her friends, which is much quicker than each friend individually going to the bar and ordering a drink.  In concept this is similar to what Delivery Optimization does for a number of devices on a network - it decreases internet bandwidth usage, thus saving data costs, and it can decrease the time required for the machines on a network to reach the latest security and feature update level, depending of course on how the administrator configures the Delivery Optimization peer-to-peer settings.

In Windows 10 release 2004 Microsoft has made some improvements to the PowerShell cmdlets that an administrator can use to test and troubleshoot Delivery Optimization.  The three improvements are as follows:

1) Get-DeliveryOptimizationStatus cmdlet with the -PeerInfo option: this provides real time visibility of the bytes received or sent between peering devices.

2) Get-DeliveryOptimizationLogAnalysis cmdlet: this provides an overview of the Delivery Optimization log, with an additional -ListConnections option to see which machines are retrieving cached data from your device.

3) Enable-DeliveryOptimizationVerboseLogs cmdlet: as the name suggests this PowerShell cmdlet will provide the administrator with more detailed log information for further troubleshooting or analysis.
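As an added example (not code from the original post), here is a small helper that wraps the three cmdlets above into one report you can run on each test client and compare.  It assumes an elevated PowerShell session on a Windows 10 2004 client with the in-box DeliveryOptimization module; NumFilesGotPeers is the counter named later in this post, and the other output properties are simply passed through as the cmdlets return them.

```powershell
# Added example: collect the three Windows 10 2004 Delivery Optimization
# troubleshooting cmdlets into a single report object.
# Assumes an elevated session on a Windows 10 2004 client.

function Get-DOPeeringReport {
    [CmdletBinding()]
    param(
        # Turn on verbose DO logging before collecting. Note this stays on
        # afterwards; the post describes it as a troubleshooting aid only.
        [switch]$EnableVerboseLogs
    )

    if ($EnableVerboseLogs) {
        # Needs an elevated session.
        Enable-DeliveryOptimizationVerboseLogs
    }

    # Real-time view of bytes sent to / received from each peer.
    $peerInfo = Get-DeliveryOptimizationStatus -PeerInfo

    # Summary of the local DO log ...
    $analysis = Get-DeliveryOptimizationLogAnalysis
    # ... and one row per peer connection seen in that log.
    $connections = Get-DeliveryOptimizationLogAnalysis -ListConnections

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        # On the first client to run Check for Updates this is expected to be
        # empty or 0: that client seeds the others rather than pulling from them.
        NumFilesGotPeers = $analysis.NumFilesGotPeers
        PeerInfo        = $peerInfo
        LogAnalysis     = $analysis
        PeerConnections = $connections
    }
}

# Usage: run on each test VM and compare the two reports.
$report = Get-DOPeeringReport
$report | Select-Object ComputerName, NumFilesGotPeers
$report.LogAnalysis
$report.PeerConnections | Format-Table -AutoSize
```

If the PeerConnections list is empty on both machines, check the policy before anything else: with Download Mode 2 and no matching Group ID source, the clients will never discover each other.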

Firstly I want to configure the Delivery Optimization settings via a GPO, so that HTTP blended with peering across a private group is applied and tested on two domain-joined clients - as in an on-premises environment.

Secondly I want to achieve all the testing on Hyper-V clients, rather than real machines - for obvious reasons this is very convenient for IT professionals.  Testing concepts, new features and configurations is easy to do in a virtual environment; as is documenting them as well.

Thirdly, I want to test the Get-DeliveryOptimizationLogAnalysis cmdlet with the -ListConnections option.  This is a very convenient cmdlet which can tell us if Delivery Optimization is actually engaging and behaving as we would expect such a feature to behave.

This article assumes the reader is an IT administrator and thus will not include fine detailed step by step instructions on how to configure a testing environment similar to my own virtual testing environment.  I will however detail my testing environment and provide a step by step overview, so you can emulate it if you desire.

In order to test the above Delivery Optimization PowerShell feature I start with two freshly built Windows 10 2004 Enterprise Eval Hyper-V machines.  Their netbios names are CLIENT12004v2 and CLIENT22004v2.  I join them to the domain (called domain1) and then complete the following:

1) Create an OU called DeliveryOpt and move the test machines into the OU

2) Create a GPO called Delivery Optimization containing the required DO settings and link it to the DeliveryOpt OU

3) Configure each client test device with two network adapters.  One network adapter is an External virtual network switch and the other is a Private network switch.  Thus each test VM has access to the internet as well as full access to the Domain Controller simulating an On Premise environment.

4) I then begin installing updates and test the new Get-DeliveryOptimizationLogAnalysis cmdlet with the -ListConnections option to verify Delivery Optimization is taking place.

Let us begin.

The Delivery Optimization Organisational Unit

Ensure your test machines and user accounts are added to the Organisational Unit (OU), similarly to how I have structured my own test devices.




The Delivery Optimization GPO

The GPO requirements for our test environment are to set the Download Mode to option number two.

The options can be found at Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization

Firstly, let's consider the Download Mode options as listed in the GPO setting itself:


Obviously option 0 is not suitable because we do want to test the peering feature.  Option 1 should work in our test environment, however for most customers it is not the best option, even though it appears it might be: if two machines in two separate on-premises locations are using the same internet connection then DO considers them to be peers even though they are not.  Thus we need to select option 2.  Option 3 is not suitable because we are testing two machines in an on-premises scenario.

Accordingly our setting is as follows:


The next setting in my environment, to reflect a realistic customer environment, is to Enable Peer Caching while the device connects via VPN.


Now because I am testing Download Mode 2 I need to specify the source of the Group ID, thus I configure the "Select the source of Group IDs" setting so that the machine's AD Site option becomes the source of the Group ID.

And again, configuring settings realistically according to a customer site, I want to change the Max Cache Age (in seconds) to 604800, which is one week.



Our imaginary client would like a device to remain a peering device even while on battery - thus I set the "Allow uploads while the device is on battery while under set Battery level (percentage)" setting.


Because this is my test environment I do not want testing to be hampered by business hours settings.  Consequently I set "Set Business Hours to Limit Background Download Bandwidth" to Disabled.  I also do this for the Foreground setting.


For convenience - if you would like to ensure your settings are aligned with mine - here is a screenshot of the Enabled, Not configured and Disabled settings.


Having created the Delivery Optimization GPO, verify the settings and ensure it is linked to the required OU.
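Beyond eyeballing the GPO in the console, it helps to confirm on the client that the policy has actually landed before starting any update cycle.  The following is an added example, not code from the original post: it reads the Delivery Optimization policy registry key and compares it with the values configured above (Download Mode 2, Group ID source AD site, one-week cache age, VPN peer caching on).  The registry path and value names are the DO ADMX policy names as I understand them, so treat them as assumptions and check them against the ADMX in your own environment if a lookup comes back empty.

```powershell
# Added example: verify the DO GPO has applied on a test client.
# Assumptions: policies land under the key below with these ADMX value names.
$DOPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# Expected values for the test GPO described in the post:
#   DODownloadMode 2        -> Group (private group peering)
#   DOGroupIdSource 1       -> AD site is the source of the Group ID
#   DOMaxCacheAge 604800    -> one week, in seconds
#   DOAllowVPNPeerCaching 1 -> peer caching allowed over VPN
$Expected = [ordered]@{
    DODownloadMode        = 2
    DOGroupIdSource       = 1
    DOMaxCacheAge         = 604800
    DOAllowVPNPeerCaching = 1
}

function Test-DOPolicy {
    [CmdletBinding()]
    param(
        [string]$Key = $DOPolicyKey,
        [System.Collections.IDictionary]$ExpectedValues = $Expected
    )

    if (-not (Test-Path -Path $Key)) {
        Write-Warning "Policy key $Key not found: run gpupdate /force and confirm the OU link."
        return
    }

    $actual = Get-ItemProperty -Path $Key

    foreach ($name in $ExpectedValues.Keys) {
        $value = $actual.$name   # $null when the value is absent
        [pscustomobject]@{
            Setting  = $name
            Expected = $ExpectedValues[$name]
            Actual   = $value
            Matches  = ($null -ne $value) -and ($value -eq $ExpectedValues[$name])
        }
    }
}

# Usage: run in an elevated session on each test client after gpupdate /force.
# Any row with Matches = False points at a setting that did not apply.
Test-DOPolicy | Format-Table -AutoSize
```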






Configure Client Network Adapters on Clients

As mentioned above we need each client to have both internet connectivity and also connectivity within an internal domain - representing an on-premises scenario.  There are a number of ways to achieve this; however the reader may want to copy my configuration for testing, and thus the screenshots are included.

I use two virtual network switches.  The first one is for internal domain connectivity and is a Private Network.


The second virtual switch is for internet connectivity and is an External network.


Thus each test client has two network adapters - one that is connected to the private virtual switch and one that is connected to the external virtual switch.



Delivery Optimization Network Ports

We are only testing on virtual hosts and so I turn the Windows Defender Firewall off on each Hyper-V client.  For obvious reasons I do not want to do this on my host device, but I do want to ensure that the Delivery Optimization ports are open between my host device and the Microsoft sites where update definitions and files are located.  The ports required are UDP 7680 and optionally 3544.  Therefore I create inbound and outbound rules for these ports.
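As an added example (not from the original post), the rules can also be created with PowerShell rather than in the firewall console, and they can be scoped so that the test VMs keep their firewall on instead of having it disabled outright.  Assumptions: port 7680 is opened for both TCP and UDP (the post lists UDP; Microsoft's documentation describes the peer-to-peer listener as TCP, so opening both covers either reading), UDP 3544 is the optional Teredo port, and the private switch's subnet is the constructed value 192.168.50.0/24, which you should replace with your own.

```powershell
# Added example: firewall rules for Delivery Optimization, scoped to the
# private test subnet for peer traffic. Assumptions are noted in the comments.
$PrivateSubnet = '192.168.50.0/24'   # constructed value: replace with your private switch subnet

function Add-DOFirewallRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PeerSubnet = $PrivateSubnet
    )

    # Port 7680 is the DO peer-to-peer port (TCP and UDP both opened, see above);
    # UDP 3544 is the optional Teredo port, which needs to reach the internet.
    $rules = @(
        @{ Name = 'DO peer-to-peer TCP 7680'; Protocol = 'TCP'; Port = 7680; Remote = $PeerSubnet }
        @{ Name = 'DO peer-to-peer UDP 7680'; Protocol = 'UDP'; Port = 7680; Remote = $PeerSubnet }
        @{ Name = 'DO Teredo UDP 3544';       Protocol = 'UDP'; Port = 3544; Remote = 'Any' }
    )

    foreach ($r in $rules) {
        foreach ($direction in 'Inbound', 'Outbound') {
            $displayName = "$($r.Name) ($direction)"

            # Make the function safe to re-run: skip rules that already exist.
            if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
                continue
            }

            $params = @{
                DisplayName   = $displayName
                Direction     = $direction
                Protocol      = $r.Protocol
                RemoteAddress = $r.Remote
                Action        = 'Allow'
                Profile       = 'Domain', 'Private'
            }
            # Inbound: peers connect to our port. Outbound: we connect to theirs.
            if ($direction -eq 'Inbound') { $params.LocalPort = $r.Port }
            else                          { $params.RemotePort = $r.Port }

            if ($PSCmdlet.ShouldProcess($displayName, 'Create firewall rule')) {
                New-NetFirewallRule @params | Out-Null
            }
        }
    }
}

# Usage (elevated): create the rules, then list what was created.
Add-DOFirewallRules
Get-NetFirewallRule -DisplayName 'DO *' | Format-Table DisplayName, Direction, Enabled -AutoSize
```

Restricting RemoteAddress to the private subnet keeps the peer port from being reachable from the external switch while still letting the two clients find each other.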





Preparing the Hyper-V Operating Systems for Delivery Optimization Testing

Having installed and configured our virtual environment we can now install some updates and test the new PowerShell features, but firstly I will add a few notes on how to prepare your Hyper-V clients' OS environment.  I did find it a bit tricky to get this working and you may find my notes here useful.  I will not go into detail on each step because that is beyond the scope of this article.  Here is how I prepared each virtual:

1) Downloaded Eval version of Windows 10 2004 iso file.

2) Created each virtual as generation 1 types with 4GB of RAM and 1 virtual processor

3) DVD configured to use the Windows 10 Evaluation iso.

4) Run through the Windows setup process accepting the default options but bypassing the Azure AD join (selected Domain Join)

5) While machines were in a workgroup I disabled the Windows Update Service and created checkpoints.

6) Created each VM's computer account in AD and added to the Delivery Optimization OU.

7) Joined each machine to the domain and took another checkpoint.

8) Performed a gpupdate /force command on each Virtual and then a reboot.

9) Enabled the Windows Update service after the restart

10) Performed a Check for Updates cycle in Windows Settings on each Hyper-V machine.

11) Executed the Get-DeliveryOptimizationLogAnalysis -ListConnections PowerShell command, new in Windows 10 2004, on each virtual machine.

Get-DeliveryOptimizationLogAnalysis -ListConnections

This article is the result of much tweaking and testing of the GPO and also the virtual clients - and it felt like a great achievement when it all started working as it should.

As stated in the introduction, Microsoft implemented the Get-DeliveryOptimizationLogAnalysis PowerShell cmdlet with the -ListConnections option so that an administrator can test, troubleshoot and refine the Delivery Optimization configuration as required.

On the first machine on which I initiated the Check for Updates cycle I could see that I had finally achieved what I wanted after executing the PowerShell cmdlet, as shown on CLIENT12004v2.  Because this virtual was the first one on which I initiated the update cycle, it became the peer-serving client, which is why it shows peering files but no number for the NumFilesGotPeers value.


On the second virtual machine, whose NetBIOS name is CLIENT22004v2, I initiated a Windows Update cycle, waited a minute or so, and then rebooted the device.  After the restart I could see that things had picked up from before the restart and that the device was both downloading updates from its peer as well as providing updates to its peer.


If desired you can export the Delivery Optimization log to a text file by using the Get-DeliveryOptimizationLog cmdlet.  In this capture we can see the command executed to create a file called dolog.txt, and the peer connection attempt within that text file.
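The export in the capture above can be scripted so that the peer connection lines are pulled out automatically rather than found by scrolling through dolog.txt.  This is an added example and not code from the original post; it assumes the objects returned by Get-DeliveryOptimizationLog expose Message and TimeCreated properties (check with Get-Member if your build differs), and dolog.txt is written to the user's profile folder.

```powershell
# Added example: export the DO log to dolog.txt and summarise the peer-related
# entries. Assumes log objects have Message and TimeCreated properties.

function Export-DOLog {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'dolog.txt'),
        # Pattern for the lines of interest; 'peer' catches the connection attempts.
        [string]$Pattern = 'peer'
    )

    $log = @(Get-DeliveryOptimizationLog)

    # Full log, one row per entry, wide enough that messages are not truncated.
    $log | Format-Table -AutoSize -Wrap | Out-File -FilePath $Path -Width 300

    # Filtered view: only entries whose message matches the pattern.
    $hits = @($log | Where-Object { $_.Message -match $Pattern })

    [pscustomobject]@{
        LogPath      = $Path
        TotalEntries = $log.Count
        PeerEntries  = $hits.Count
        FirstPeerHit = if ($hits.Count) { $hits[0].TimeCreated }  else { $null }
        LastPeerHit  = if ($hits.Count) { $hits[-1].TimeCreated } else { $null }
    }
}

# Usage: export, then show the first few matching lines from the file itself
# so the result can be checked against what was written to disk.
$summary = Export-DOLog
$summary
Select-String -Path $summary.LogPath -Pattern 'peer' | Select-Object -First 10
```

A PeerEntries count of zero on a client that has finished an update cycle is the quickest sign that the Group ID or download mode is not what you expected.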



Finally, having tested the above cmdlets, we can verify that peering has occurred within Windows 10 Settings\Update and Security\Delivery Optimization\Activity Monitor.

Here is the output from Client12004v2


And here is the output from Client22004v2



I hope you enjoyed reading this article and I wish you much success in your own testing of Delivery Optimization on your Hyper-V virtual machines.


Monday, 3 August 2020

COPE - Corporate Owned and Personally Enabled device management. Android and Intune.

Corporate Owned Personally Enabled Devices (COPE) Introduction

A newcomer to an organisation might receive two devices on day one - a laptop and a smartphone.  And in these days of Covid pandemic lockdown and furlough they are indeed becoming digital necessities.

The idea of your employees bringing along their own devices for corporate use, while sounding convenient, has never really taken off - at least in my experience.  There are a number of reasons for this.

1) On day one it doesn't create a good impression to inform your new worker that he or she will be required to use their own equipment for a while, or until corporate equipment can be given to the new starter.

2) Personally owned devices are not necessarily secure enough, and this exposes corporate data that may be downloaded to that device to possible loss or even to illegal misuse.

3) If the user's device is misplaced, the data on it can be remotely wiped using Intune or some other management application - but it is a bit inconvenient if the user then finds that device and all their data is gone.  The legal implications also need to be considered.

4) Personal devices are not necessarily maintained to the same level as corporate devices.  The latest updates may not be installed, or the latest anti-virus policies.  Personal applications may be affecting the performance of the device.  All these things can impact productivity if that device is essential to the worker's daily activities.

Perhaps it was a good idea, in the same way that the seaplane was a good idea - but the concept wasn't quite right.  Now initially the seaplane was seen as a boat that could fly and this was a good idea.  It became a great idea however, when the concept was adjusted so that a seaplane was a plane that could float, rather than a boat that could fly.  And in the same way - a corporate phone enabled for personal use may be a much better idea than a personal phone enabled for corporate use.  We shall see.

In this article I take the reader through the process of enabling COPE in Intune.  The COPE feature is currently in Preview mode.  In addition we will be enrolling a Huawei P smart phone into Intune with personal use enabled.  This phone has Android version 9 installed however you can also test the process on a device with Android version 8.  Stages of the process are as follows:

1) Intune is connected to a Managed Google Play Account
2) The Android COPE profile is created in Intune
3) A dynamic Intune group is created.
4) The smartphone is reset and enrolled into Intune

As part of the process the Microsoft Authenticator and the Microsoft Intune Portal applications are installed onto the Android device.

All the cloud based Intune steps are done in the Microsoft Endpoint Manager Admin Center.

After all of the above is completed, we will examine the personal Google PlayStore and compare it against the Corporate Google Play Store.


Connect Intune Account to your Managed Google Play Account

You can easily determine if you have connected your Intune tenant account to your Managed Google Play account by signing into Microsoft Endpoint Manager admin center and navigating to Devices\Android\Android enrollment.  Click on the Managed Google Play option.


If your tenant is correctly configured you will see a window similar to the following.



Alternatively you will see the lower bar in blue and the option to click on Launch Google to connect now, as shown.



Create the Enrollment Profile

The next step in the process to enable COPE is to create a COPE Android enrollment profile.  In the Microsoft Endpoint Manager admin center navigate to Home\Devices\Android\Android enrollment.  You will notice the Corporate-owned devices with work profile (Preview) option.



Click on this option.


You are now in the blade where any profiles previously created will be listed.  Click on Create profile.  The Create profile window appears.


Enter a name for the profile that contains the word COPE.  In this case I name the profile COPE Mobile Devices.  Click on Next.  The Review + create window appears.  Click on Create to establish the profile.



 Create the COPE dynamic Group

Having created the COPE profile we can now create the COPE group where Android devices will be automatically added when they enroll into the tenant.

Navigate to Home\Groups.  You will notice the option to create a new group.  Click on New Group.





The New Group window appears.  Select Security as the Group type.  Enter a relevant group name such as COPE Android devices.  Select Dynamic Device for the Membership type.


 
Click the Add dynamic Query option. The Dynamic membership rules window appears.

In the Property drop-down selection box choose enrollmentProfileName.  For the Operator choose Contains and for the Value enter COPE.  The query should appear in the syntax box.  Click on Add Expression again if it does not appear.  Click on Save.


The New Group window appears.  Click on Create to create the group.
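For anyone who prefers to script the group rather than click through the portal, here is an added example (not from the original post) that creates the same dynamic security group through Microsoft Graph PowerShell.  The membership rule is the expression the portal builds from Property enrollmentProfileName, Operator Contains and Value COPE.  Assumptions: the Microsoft.Graph.Groups module is installed, you can consent to the Group.ReadWrite.All scope, and the group name and mail nickname are placeholders you will want to change.

```powershell
# Added example: create the COPE dynamic device group with Microsoft Graph
# PowerShell. Assumes Microsoft.Graph.Groups is installed and the signed-in
# account can consent to Group.ReadWrite.All.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-COPEDeviceGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayName  = 'COPE Android devices',   # placeholder name
        [string]$MailNickname = 'COPEAndroidDevices',     # placeholder, must be unique
        # The fragment matched against the enrollment profile name: any device
        # enrolled with a profile whose name contains it becomes a member.
        [string]$ProfileNameFragment = 'COPE'
    )

    # Same rule the portal generates from Property / Operator / Value.
    $rule = "(device.enrollmentProfileName -contains `"$ProfileNameFragment`")"

    $params = @{
        DisplayName                   = $DisplayName
        MailNickname                  = $MailNickname
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $rule
        MembershipRuleProcessingState = 'On'
    }

    if ($PSCmdlet.ShouldProcess($DisplayName, 'Create dynamic security group')) {
        New-MgGroup @params
    }
}

# Usage: create the group and show the rule Azure AD stored for it.
$group = New-COPEDeviceGroup
$group | Select-Object Id, DisplayName, MembershipRule
```

Because the rule only checks that the profile name contains COPE, any future enrollment profile with that word in its name will also feed this group; keep the naming convention deliberate.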



Enroll the Smartphone

The smartphone enrollment process can be sub-divided into the following phases:

1) Device Reset
2) Enrollment either via a QR Scan or entering in the QR token code
3) Setting up the work profile
4) Adding your personal account

In the following sections I will keep written input to a minimum because the photographs, in most cases, speak for themselves.

1 - Device Reset

On my device a system reset is initiated from Settings\System\Reset.  Data is erased and we start at the Welcome screen.


We are prompted to join a WIFI network.



2) Enrollment 

The important detail in this set of three is the Google sign-in account window.  Rather than a standard Google account, we are required to enter the following string:  afw#setup


You are now required to enroll the device, either by using the camera to scan a QR code or by manually entering the code.  In this instance I manually enter the code.  Where can this code or QR image be found?

In Microsoft Endpoint Manager Admin Center navigate to Devices\Android\Android enrollment and click on Corporate-Owned devices with work profile (Preview).  Your profile is listed - in my case it is the COPE Managed Devices profile.  Click on the profile and then click on Token.  Here you will find both the Token and the QR image.

With the Token in hand, we can proceed as shown in the following set of three.



The enrollment then proceeds to completion.



3) Setting up the work profile

We are now presented with some advisories about IT admin control, in addition to a helpful reminder that personal apps are separate from work apps.


In the following three we enter in the user's Azure AD account.


In the next three we can see the installation is shifting into the application installation section of the work profile registration.


And indeed we see the Microsoft Authenticator and Microsoft Intune Apps installed.


In the next three we are required to enter in our credentials to the Microsoft Intune application.


And in the next three we are presented with the Default Directory screens - we can see that we have been registered in Azure, and the last capture is actually a screenshot of the device's entry in the Microsoft Endpoint Manager Admin Center.


And there we have the affirmation screen that we are ready to work.



4) Adding your personal account

The final phase is for the user to enter in the details of their personal Google account.


We select an email address.


The final three present us with an Acceptance requirement, some SwiftKey options and finally our lock-screen window informing us the device is managed by our company.



How it works in Everyday Usage - Play Store as an Example

The purpose of this article was to detail the process required to enable COPE for Android devices using the new Preview feature in Intune.  Detailing the process for creating configuration profiles and illustrating the total matrix of options relating to COPE is beyond this article's scope.  However we can quickly see how this feature can be useful to the user and the IT administrator by looking at the Google Play Store.  In the following screenshot we can see there are two icons for the Play Store.  One of those icons has a briefcase peripheral icon attached to it, indicating it is for workplace usage.  The other icon for the Play Store is the user's personal Play Store.



Thus if we click on the personal Play Store, we are presented with the familiar options we expect to see.


However if we click on the Play Store for corporate usage, we can see that we only have access to the Authenticator and the Intune Portal apps.


And you will notice also that my attempt to capture the screenshot failed and thus I was required to take a photo with my camera.  Why is this?  It is because I have also created a configuration profile for Android COPE devices that restricts screenshots for applications that are being used within the work profile context.  You can see this setting in the capture below:


I hope you enjoyed reading this article on how to test the new COPE preview feature in Intune.