
Cloud PCs? Where we’re going we don’t need Device Query and Support Approved?


Are you using a nice Windows 365 Cloud PC and want to use kickass Intune Suite features like Device Query or EPM Support Approved? If so, beware: something both funny and very legacy may be quietly breaking them.

1. Windows 365 Cloud PC and Device Query.

One of the most beautiful things about a Cloud PC is that you can log in and start working when you don’t have your notebook. Which is excellent, and it works pretty fast as well.

Logging in to my Cloud PC

Some weeks ago, I was playing around with Device Query and Support Approved and trying to find out if they work the same way on a Cloud PC because that’s what I do! I try to find out how something works and doesn’t.

After activating my Cloud PC and logging in, I started playing with Device Query. I kicked off a device query because I noticed that the Intune Management Extension (IME) had been updated. With this update, I wondered if Microsoft had fixed the issue with the 64-bit registry query (which they did in the meantime, but this blog sat in draft for "some reasons").

2. The Device Query Issue

After firing off the device query to determine if the issue was resolved, I noticed it wasn’t giving me the expected output.

Device Query doesn't seem to work on my Cloud PC: "An error occurred."

As shown above, it showed me that an error occurred while I was expecting some or no results. Well, that’s a bit weird. Within a couple of seconds, it became clear what was happening, and it wasn’t because of the IME update.

3. What’s happening?

Device Query and EPM Support Approved both rely on the Windows Push Notification Services (WNS) being able to reach the device: the service pushes a notification that tells the MDM client to check in right now instead of waiting for the next scheduled sync. If the device never registers a WNS push channel, that notification can't be delivered and you are pretty much screwed.

Device Query | An Error occurred. Try Running the query again (call4cloud.nl)

Besides Device Query not working at all, EPM Support Approved will not show the elevation notification within a couple of minutes. The device will only pick up the latest policies after a reboot or when the scheduled sync kicks in.

The weird thing is that I didn’t configure a policy to block those Cloud Application Notifications as I showed in that blog above. Configuring such a policy to block push notifications on cloud-native devices is not the smartest thing to do.

To be sure, I opened the enrollment registry keys and the corresponding scheduled tasks.

The Push launch task was missing from both enrollments (MMP-C and Intune), both in the enrollment registry keys and in the EnterpriseMgmt scheduled tasks

As shown above, the MMP-C and Intune Enrollment were missing the “Push” registry keys and scheduled tasks. After opening the event log, I noticed the same error message as I had with the device query feature.

mdm push: failed to create wns push channel for mdm push sessions (Cloud notifications have been turned off)

With that event showing up, it was pretty evident that my Cloud PC had a policy in place to block Cloud Application Notifications: the NoCloudApplicationNotification value under Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications. I opened the registry and, sure enough, that same policy value was present on my device.

4. Trying to fix the NoCloudApplicationNotification Issue

I deleted that stupid key and rebooted the Cloud PC.

We would spot a policy value called NoCloudApplicationNotification that turns off push notifications

After a reboot, that NoCloudApplicationNotification registry value was back where it was and was again blocking the push notifications! That's weird! Well, until I opened the Group Policy event log.

Running gpupdate got me a GPO? On a Cloud PC?

It mentioned that a change was detected? Huhhh? Cloud-native and still having a GPO in place? I wasn't expecting that at all, until I opened the System32\GroupPolicy\Machine folder.

Inside the GroupPolicy\Machine folder we will spot a Registry.pol with some settings in it. When we take a closer look at the policies, we will spot the NoCloudApplicationNotification policy

I noticed the same registry value that blocks push notifications inside the Group Policy POL file. After a few minutes of searching, it became apparent why that Group Policy was in place: in the provisioning policy, I had selected the Windows 11 Enterprise 23H2 + OS Optimizations template.

I was using a Cloud PC with the provisioning template: Windows 11 Enterprise + OS Optimizations

This template is optimized for improved performance, if we believe the corresponding docs.


I spent some time on GitHub finding the policies that are set by this optimization template, and I stumbled upon this one. It was obvious that this policy would be deployed whenever you selected the optimization template.

When looking at the old Virtual Desktop Optimization Tool, we can also spot the same PushNotifications policy that breaks EPM and Device Query on our Cloud PC

Now we know the issue, how are we going to fix it?

5. The Simple fix

Well, fixing it is easy. I deleted the Registry.pol file on my Cloud PC and executed a gpupdate /force command. That command removed all the policies that had been applied from the POL file. Once all the policies were gone, I rebooted the Cloud PC.

After deleting the POL file in the GroupPolicy folder and executing gpupdate, the push notifications came back to life

As shown above, after the device was rebooted, all of the corresponding Push launch tasks and registry keys showed up! After a couple of minutes of waiting, the device registered the device channel and started communicating with the WNS service.
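As an added example (this is not the post's own script, nor a Microsoft tool), the following PowerShell does the checks from sections 3 and 4 and the fix from section 5 in one place. It includes a small parser for the Registry.pol (PReg) format so you can see exactly which values the template's local GPO carries without opening the file in a hex editor. The policy path and value name are the ones the post shows; the Push* task names (PushLaunch/PushRenewal), the -Fix switch and the MDM event log channel name are my assumptions.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the original post. It automates the three things the post checks
  by hand (the policy value, the enrollment Push* scheduled tasks, the machine Registry.pol) and,
  with -Fix, applies the post's fix. Assumptions: the push tasks are named Push* (PushLaunch and
  PushRenewal) under \Microsoft\Windows\EnterpriseMgmt\<GUID>\, and the event log channel name.
#>
param([switch]$Fix)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
$PolicyName = 'NoCloudApplicationNotification'
$PolFile    = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

# Read one null-terminated UTF-16LE string starting at $Pos and move $Pos past it.
function Read-PolString([byte[]]$Bytes, [ref]$Pos) {
    $start = $Pos.Value
    while ($Bytes[$Pos.Value] -ne 0 -or $Bytes[$Pos.Value + 1] -ne 0) { $Pos.Value += 2 }
    $text = [Text.Encoding]::Unicode.GetString($Bytes, $start, $Pos.Value - $start)
    $Pos.Value += 2
    return $text
}

# Parse a Registry.pol: 'PReg' + 4-byte version, then records of the form
# [key;value;type;size;data] where '[', ';' and ']' are UTF-16LE characters.
function Read-PolFile([string]$Path) {
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "Not a registry.pol file: $Path"
    }
    $pos = 8
    while ($pos -lt $bytes.Length) {
        $pos += 2                                                          # '['
        $key   = Read-PolString $bytes ([ref]$pos); $pos += 2              # key, ';'
        $value = Read-PolString $bytes ([ref]$pos); $pos += 2              # value, ';'
        $type  = [int][BitConverter]::ToUInt32($bytes, $pos); $pos += 6    # type DWORD, ';'
        $size  = [int][BitConverter]::ToUInt32($bytes, $pos); $pos += 6    # size DWORD, ';'
        $data  = if ($size -gt 0) { [byte[]]$bytes[$pos..($pos + $size - 1)] } else { [byte[]]@() }
        $pos += $size + 2                                                  # data, ']'
        $decoded = switch ($type) {
            4       { [BitConverter]::ToUInt32($data, 0) }                                  # REG_DWORD
            1       { [Text.Encoding]::Unicode.GetString($data).TrimEnd([char]0) }          # REG_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{ Key = $key; ValueName = $value; Type = $type; Data = $decoded }
    }
}

'== 1. Live policy value =='
$live = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
if ($live) { "$PolicyName = $($live.$PolicyName)  (1 means WNS push is turned off)" }
else       { "$PolicyName is not set" }

'== 2. Enrollment push tasks (missing = no WNS channel, so Device Query and Support Approved stall) =='
$pushTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'Push*' -ErrorAction SilentlyContinue
if ($pushTasks) { $pushTasks | Format-Table TaskPath, TaskName, State -AutoSize | Out-Host }
else            { 'No Push* tasks found under EnterpriseMgmt' }

'== 3. Local GPO that keeps putting the value back =='
if (Test-Path $PolFile) {
    $entries = @(Read-PolFile $PolFile)
    "Registry.pol contains $($entries.Count) setting(s); push-related ones:"
    $entries | Where-Object { $_.Key -like '*PushNotifications*' } |
        ForEach-Object { "  $($_.Key)\$($_.ValueName) = $($_.Data)" }
} else { 'No machine Registry.pol present' }

'== 4. Recent MDM push errors (channel name is an assumption, not from the post) =='
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object Message -match 'WNS push channel' | Select-Object -First 3 TimeCreated, Message | Format-List | Out-Host

if ($Fix -and (Test-Path $PolFile)) {
    Copy-Item $PolFile "$PolFile.bak" -Force          # keep a copy of what the template deployed
    Remove-Item $PolFile -Force
    gpupdate.exe /force | Out-Null
    'Registry.pol removed and gpupdate /force run; reboot, then re-run this script to confirm the Push* tasks are back'
}
```

Run it once without -Fix to confirm all three symptoms line up (value set, no Push* tasks, PushNotifications entry in Registry.pol), then with -Fix, reboot, and run it again: after the reboot the Push* tasks should be listed and the policy value gone.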

With the device successfully communicating with the service, executing a device query worked again!


Once my existing Cloud PC was fixed, I also selected the new template from the gallery.

This template doesn’t hold the Optimization GPO and does NOT break the push notifications. I reprovisioned my Cloud PC to make sure everything

6. The Microsoft Fix

Of course, I shared my findings with Microsoft before publishing this blog. So, in the meantime (while this blog was in draft), Microsoft was busy fixing it.

Gallery images from Windows 365 no longer show the Optimization template

When we look at the device images overview of Windows 365, we will notice a change. It seems that they changed some pieces and are going to remove the Optimization template from the gallery images.

If we look at the changes that were committed to GitHub, we will indeed notice that the optimization template's name was removed!

When looking at the doc changes, we indeed notice that it was removed from the docs

With the docs being changed, the existing Optimization template from the gallery as shown below, will be removed.

The Windows 365 cloud gallery images still show the Windows 11 Enterprise + OS Optimizations template for now

With this template removed, the GPO messing around with the push notifications will also be removed!

That's very, very nice, and if you watched the Message Center, you could also have spotted this message. It mentions that Microsoft will be removing the current optimized gallery images in mid-August 2024.

Microsoft mentions that if you are using the OS Optimizations gallery image, they recommend transitioning to the new images. Beginning mid-August, the OS Optimizations template will be removed

Conclusion

When using Cloud PCs, please select the proper template for your provisioning gallery. If you choose the optimization one, its local GPO sets NoCloudApplicationNotification, the device never creates a WNS push channel, and Device Query and EPM Support Approved will not function properly!
