New SCCM Server Installation Step by Step Guide

This post is the New SCCM Server Installation Step-by-Step Guide covering end-to-end scenarios. The SCCM team recently released the latest baseline version of the current branch.

What is the importance of the baseline version? SCCM CB baseline version is the version you can download directly from Eval Center/MSDN/VLSC and install it on a new SCCM server.

Also, the SCCM 1702 version can upgrade the SCCM 2012 infra. SCCM CB versions are updated via in-console servicing to the latest SCCM version.

  • Pre-Requisite – Server Roles and Features
  • Pre-Requisite – Installation of SQL 2014
  • Pre-Requisite – ADK for Windows 10 P
  • Pre-Requisite – AD Schema Extension
  • Install – SCCM/ConfigMgr Baseline version Standalone Primary

This guide provides simple step-by-step instructions for installing a new SCCM server. First, prepare your environment by ensuring all necessary prerequisites are met, such as installing a supported Windows Server and SQL Server. Next, download the SCCM installation files and run the setup.

Microsoft System Center Configuration Manager
Version 1702
Console version: 5.00.8498.1700
Site version: 5.0.8498.1000
New SCCM Server Installation Step by Step Guide – Table 1
New SCCM Server Installation Step by Step Guide – Fig.1

Step by Step Video Guide for SCCM CB 1702 Baseline Version Installation

This step-by-step video guide shows you how to install the SCCM Current Branch (CB) 1702 Baseline version. It covers all the necessary prerequisites, including the server roles and features you must set up beforehand.

New SCCM Server Installation Step by Step Guide – Video 1

Prerequisites

You can’t install the SCCM/ConfigMgr baseline version if your server’s OS is Windows 2008 R2. The minimum OS requirement for SCCM server installation is Windows Server 2012 or later. More details are here.

Ensure that the server where you plan to install the SCCM baseline version has a supported version of SQL. SQL 2008 R2 SP3 is not supported; the server should have at least SQL 2012 R2.

IIS, BITS, .NET

I have added the following roles and features – IIS (for MP/DP), BITS (for MP), .NET Framework 3.5, Remote Differential Compression, and AD DS and AD LDS Tools. I didn’t add WSUS because I plan to add the SUP role later. However, I would recommend adding the WSUS role if you plan to install the SUP role on the primary server itself, or installing the WSUS console if you plan to install the SUP role on a remote server.

New SCCM Server Installation Step by Step Guide – Fig.2

Is .NET Framework 3.5 SP1 still required? Yes! When installing .NET on Server 2016, specify the alternate source path D:\Sources\sxs as the location of the needed files.

NOTE! – If you get the error “The request to add or remove features on the specified server failed”, restart the server and try again with the alternate path “D:\Sources\sxs”. That is my experience on Windows Server 2016.
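
The same roles and features can be installed from PowerShell with the alternate source path. This is an added example, not part of the original post; the feature names are the standard Windows Server names for the items listed above, and the script assumes the Windows Server media is mounted as drive D:.

```powershell
#Requires -RunAsAdministrator
# Added example: install the roles and features listed in this post.
# Only the items the post names are included; any extra IIS role services
# your MP/DP design needs are outside this sketch.

$SxsPath  = 'D:\Sources\sxs'   # alternate source path from the post
$Features = @(
    'Web-Server'           # IIS (for MP/DP)
    'BITS'                 # BITS (for MP)
    'NET-Framework-Core'   # .NET Framework 3.5
    'RDC'                  # Remote Differential Compression
    'RSAT-AD-Tools'        # AD DS and AD LDS Tools
)

if (-not (Test-Path -Path $SxsPath)) {
    throw "Alternate source '$SxsPath' not found. Mount the Windows Server media first."
}

# Install only what is missing, so the script can be re-run after a restart.
$missing = @(Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed })

if ($missing.Count -eq 0) {
    Write-Output 'All prerequisite features are already installed.'
}
else {
    $result = Install-WindowsFeature -Name $missing.Name -Source $SxsPath -IncludeManagementTools

    if (-not $result.Success) {
        throw "Feature installation failed (exit code $($result.ExitCode)). Restart the server and run the script again."
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required to finish the installation.'
    }
}

# Final state of every prerequisite, for the build record.
Get-WindowsFeature -Name $Features | Select-Object Name, InstallState
```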

Install SQL DB for the SCCM Server

I installed SQL 2014, and you don’t have to worry about those “.Net” warnings. As you can see in the video tutorial for SQL setup, I have selected only the following features, which I think are required for SCCM CB.

  1. Database Engine Services
  2. Reporting Services
  3. Management tools

I installed SQL on the default Instance and configured the services, as shown in the video tutorial for ConfigMgr SCCM baseline version installation. Microsoft recommends using a separate account for each SQL Server service. However, I used the same account because this is my lab environment.

SQL Server Agent, SQL Server Database Engine, and SQL Server Reporting Services

I selected the collation required for the SCCM|ConfigMgr baseline version: SQL_Latin1_General_CP1_CI_AS

New SCCM Server Installation Step by Step Guide – Fig.3

Install Windows ADK

I installed ADK for Windows 10, and during the installation, I selected only Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tools (USMT).

The AD schema has to be extended if you have not already extended it for a previous version of SCCM. AD schema extension is not mandatory, but I recommend extending the schema to make SCCM management easy.

New SCCM Server Installation Step by Step Guide – Fig.4

Extend AD Schema

I executed extadsch.exe from the SCCM|ConfigMgr baseline version primary server. The user must have Schema Admin rights to complete the AD schema extension. In the second part of this update, we need to create a System Management container under System using ADSIEDIT. The primary server should have full access to the System Management container.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Software Update Policy Rings in Intune MEM

Let’s see how to configure Software Update Policy Rings in Intune MEM. How do you set up Windows 10 Software Update Policy Rings in Intune?

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We must configure the Windows Software update policy and deploy that policy to Windows 10 devices.

I have an updated post on Intune monthly patching guide, troubleshooting, etc. Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching – Software Update Patching Options With Intune Setup Guide (anoopcnair.com)

Windows 10 devices will receive software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the updates, create a package, and deploy them to the devices (as seen in this video post here).

Windows Update for Business will give us more options to configure and control the behavior of Windows 10 updates and Servicing. Update:- FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune Video Software Update Rings Setup Design Decisions

This video guide is about Software Update Policy Rings in Intune MEM. It explains how to set up and manage these policy rings to control when and how updates are applied to your devices. This guide will teach you to update and secure your devices using Intune MEM.

Software Update Policy Rings in Intune MEM – Video 1

We have an out-of-the-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policy. However, I have noticed that this policy has stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.

If your Silverlight portal has not yet been migrated to the MEM portal, the first choice is to use custom policies in the Intune Silverlight portal. I have a post here about Intune Silverlight migration blockers.

The second choice is to control Windows Update for Business via the Software Updates button in the Intune blade in the MEM portal. We will cover this in this post.

Software Update Policy Rings in Intune MEM – Fig.1

Basic Test Rings for Windows 10 Software Update

As a fundamental requirement, we may need to create at least two Windows 10 Software Update Policy Rings for your organization. One Windows 10 Update ring is for Windows 10 machines in the Current Branch (CB).

The second Windows 10 update ring is for Windows 10 machines in the Current Branch for Business (CBB). Windows 10 update rings evolve as you progress with your organization’s testing and development. But this is the first stage of your testing of Software update deployments.

  • Windows 10 CBB Update Ring - All the devices in Current Branch
  • Windows 10 CB Update Ring - All the devices in Current Branch for Business

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation is to create different Windows 10 Software Update Policy Rings for deferrals of Windows 10 servicing branches CB and CBB. The rings can be delayed for a maximum of 30 days.

These two update rings would help with the latest Windows 10 CB/CBB servicing updates (e.g., upgrading from 1607 to 1703) with some pilot devices rather than simultaneously deploying servicing updates to all the devices.

During the CB pilot testing, if you find any problems with the upgrade and don’t want to deploy the update to the CBB ring, you can PAUSE the updates for the production ring.

  • Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
  • Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
  • Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
  • Production Windows 10 CB Updates Ring - Production Servicing Ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.

One ring is for the pilot machines running Windows 10 CBB, and the second ring is for the production machines running Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.

  • Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
  • Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring
Software Update Policy Rings in Intune MEM – Fig.2

How to Create Advanced Windows 10 Software Update Rings?

There could be other complex scenarios of Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of your organisation’s region or business group. Some of the other essential options you have in Windows 10 Software Update Policy Rings are:

  • Windows 10 Automatic update behavior – How do you want to perform scan, download, and install updates? Scheduling options for Windows updates.
  • Do you want to update Windows 10 drivers as part of your patch deployment rings?
  • What kind of Delivery optimization (Build a caching solution with Windows 10) do you want to use?
Delivery Optimization Download Mode
HTTP blended with peering behind same NAT
Software Update Policy Rings in Intune MEM – Table 1
Software Update Policy Rings in Intune MEM – Fig.3

Deployment – Assignment of Windows 10 Software Update Rings

Windows 10 Software Update Policy Ring deployments/assignments are critical decisions. I recommend using dynamic device groups wherever possible, but at the moment, this is not possible for all scenarios. In some scenarios, we need to use static device/user groups. I hope Microsoft will develop assignment exclusion group options (similar to AAD Conditional Access policies).

Exclusion groups would be instrumental in Software Update ring deployment scenarios. For example, you want to exclude pilot devices from the production software update ring deployments, which is impossible without exclusion options.

SCCM CB Nested Task Sequence PS Detection Method

Let’s discuss the SCCM CB Nested Task Sequence PS Detection Method. SCCM/ConfigMgr preview release 1704 has many exciting features.

The video embedded in this post covers all the installation steps and new features. First, I could see some differences in the Updates and Servicing of SCCM CB.

The ConfigMgr CB 1704 preview version was available (available to download) in the console, but it didn’t start the download of the 1704 update. I think it may begin to download automatically after 24 hours, but I have not tested it.

This post will provide comprehensive details about the SCCM Current Branch (CB) Nested Task Sequence PowerShell Detection Method. It explains how to effectively use PowerShell scripts to detect and manage nested task sequences within SCCM, ensuring efficient deployment and maintenance of software and updates.

SCCM TP 1704 Video Tutorial Parent Child TS

This video guide is about the SCCM Technical Preview 1704, specifically focusing on Parent-Child Task Sequences. It explains how to create and manage these task sequences in simple terms, making organising and executing multiple related tasks easier.

SCCM CB Nested Task Sequence PS Detection Method – Video 1

As you can see in the SCCM video tutorial, I started the preview version download by right-clicking on the available update in the console. You can also check the status of the download via the DMPDOWNLOADER.log file. 

SCCM CB Nested Task Sequence PS Detection Method – Fig.1

The following are the stages of the in-console upgrade of the CB preview.

  • Available to Download
  • Downloading
  • Ready to Install
  • Checking Prerequisites
  • Installing
  • Console Upgrade

Nested Task Sequence PS Detection Method

Most SCCM admins are waiting for a feature called nested Task Sequence. With the latest SCCM preview version 1704, we can create a parent-child relationship within the task sequence. This will help you nest/call a task sequence within another task sequence.

This feature should be used carefully; otherwise, it could become very complex. I wanted to see how complex Task Sequence troubleshooting would evolve with the introduction of TS nesting.

  • I have also seen that SMSTS.log logging has improved in the SCCM CB preview version.
SCCM CB Nested Task Sequence PS Detection Method – Fig.2

A PowerShell script can be the detection method for deployment types with SCCM CB Preview version 1704. It can also detect the application. We have three script types (1. PowerShell, 2. VBScript, and 3. Java Script) for detecting the application as part of the deployment type.

Script Types
PowerShell
VBScript
Java Script
SCCM CB Nested Task Sequence PS Detection Method – Table 1
SCCM CB Nested Task Sequence PS Detection Method – Fig.3
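
What a PowerShell detection method looks like in practice, as an added example that is not from the original post. ConfigMgr treats the application as detected when the script exits with code 0 and writes something to standard output, as not detected when it exits 0 with no output, and as a failed detection on a non-zero exit code; the application name 'Contoso Agent' and the minimum version are hypothetical.

```powershell
# Added example: detection script for a deployment type.
# 'Contoso Agent' and the minimum version 2.4.0 are hypothetical values.
$DisplayName = 'Contoso Agent'
$MinVersion  = [version]'2.4.0'

# Both registry views, so the result does not depend on 32-bit vs 64-bit installers.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

try {
    $entries = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName })

    $detected = $null
    foreach ($entry in $entries) {
        # DisplayVersion is free text; skip values that are not a valid version.
        $parsed = $null
        if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed) -and
            $parsed -ge $MinVersion) {
            $detected = $parsed
        }
    }

    if ($detected) {
        # Any output on STDOUT with exit code 0 means "installed".
        Write-Output "Detected $DisplayName $detected"
    }
    # No output with exit code 0 means "not installed".
    exit 0
}
catch {
    # A non-zero exit code tells the client that detection itself failed.
    exit 1
}
```

If the client setting for the PowerShell execution policy is left at All Signed, the detection script must be signed with a certificate the clients trust before it will run.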

Android for Work applications can be configured automatically with the JSON file upload option in SCCM/ConfigMgr CB preview version 1704. The option of configuring Android for Work apps with a complex property list using a JSON file is very useful for configuring A4W apps.

  • I have not seen this option in the Intune stand-alone version, so it will be very useful for hybrid customers once it is available in the production version.
  • SCCM Preview version 1704 comes with loads of new features.
  • However, I have noticed a few changes in the MDM channel configuration policies for iOS and Android devices.
  • Moreover, there are a few new additions in terms of compliance policies in SCCM CB Preview version 1704.
SCCM CB Nested Task Sequence PS Detection Method – Fig.4

How to Plan Design Intune Compliance Policy for Android Devices

Let’s discuss planning and designing an Intune Compliance Policy for Android Devices. This post will provide more details about planning and implementing the policy.

Intune compliance policies are the first step of the protection before giving access to corporate apps and data. Planning and designing compliance policies for Android devices is essential as Android is more vulnerable than other operating systems.

Compliance policies and rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

Update: When you use or support Android for Work enrollment, select Android for Work as the platform for the compliance policy. Otherwise, the compliance policy will be evaluated on your Android devices and report that this policy does not apply to Android for Work-enrolled devices.

How to Setup Intune Compliance Policies for Android

This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.

How to Plan Design Intune Compliance Policy for Android Devices – Video 1

How to Setup Windows 10 Device Compliance Policy – How to Plan Design Intune Compliance Policy for Android Devices

Sign in to the Endpoint Manager portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

Select Intune – Device Compliance – Compliance – Policies and click the +Create policy button to create a new compliance policy. Select the platform “Android.” Settings configurations are significant for compliance policies.

  • There are some improvements in Azure portal Android compliance policies.
  • There are three categories in Android compliance policies: Device Health, Device Properties, and System Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.1

  • Device Health is where the compliance engine checks whether Android devices should be reported. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
  • Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
    • Operating System Version
    • Minimum Android OS version
    • Maximum Android OS version
  • System Security is the setting where Intune Admins define password policies for Windows devices. These settings have three sections: Password, Encryption, and Device Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.2

Password Compliance Policy for Android – I would create a complex Alphanumeric password for Android devices and all the above configurations.

Password Compliance Policy for Android
Require a password to unlock mobile devices.
Minimum password length
Required password type
Maximum minutes of inactivity before the password is required
Password expiration (days)
Number of previous passwords to prevent reuse
How to Plan Design Intune Compliance Policy for Android Devices – Table 1

Encryption Compliance Policy for Android – Encryption should be a must in your Android compliance policy for Android devices.

  • Encryption of data storage on the device

Device Security Compliance Policy for Android – Block apps from unknown sources and Block USB debugging on Android devices. These policies are essential and should be enabled.

  • Block apps from unknown sources
  • Require threat scan on apps
  • Block USB debugging on the device
  • Minimum security patch level

Deploy the Android compliance policy to the dynamic device group of all Android devices. (Update: Device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.) Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

How to Plan Design Intune Compliance Policy for Android Devices – Fig.3
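
The settings recommended in this post can be checked against an exported policy before it is assigned. The following is an added example, not part of the original post: the JSON is a constructed sample, the property names follow the androidCompliancePolicy resource in Microsoft Graph, and the minimum OS default of 6.0 reflects the post's suggestion of Android version 6.

```powershell
# Added example: audit an Android compliance policy against this post's recommendations.
# Constructed sample policy (deliberately weak in a few places).
$policyJson = @'
{
  "@odata.type": "#microsoft.graph.androidCompliancePolicy",
  "displayName": "Android - Corporate (constructed sample)",
  "passwordRequired": true,
  "passwordRequiredType": "numeric",
  "passwordMinimumLength": 6,
  "storageRequireEncryption": true,
  "securityPreventInstallAppsFromUnknownSources": true,
  "securityDisableUsbDebugging": false,
  "securityRequireVerifyApps": true,
  "minAndroidSecurityPatchLevel": null,
  "osMinimumVersion": "5.1"
}
'@

function ConvertTo-OsVersion {
    # Accepts "6" as well as "6.0"; returns $null when the value is empty or invalid.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    if ($Text -notmatch '\.') { $Text = "$Text.0" }
    $parsed = $null
    if ([version]::TryParse($Text, [ref]$parsed)) { return $parsed }
    return $null
}

function Test-AndroidCompliancePolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [version]$MinimumOs = '6.0'
    )
    $os = ConvertTo-OsVersion $Policy.osMinimumVersion
    $checks = [ordered]@{
        'Password required to unlock'               = $Policy.passwordRequired -eq $true
        'Password type is alphanumeric'             = "$($Policy.passwordRequiredType)" -like 'alphanumeric*'
        'Encryption of data storage required'       = $Policy.storageRequireEncryption -eq $true
        'Apps from unknown sources blocked'         = $Policy.securityPreventInstallAppsFromUnknownSources -eq $true
        'Threat scan on apps required'              = $Policy.securityRequireVerifyApps -eq $true
        'USB debugging blocked'                     = $Policy.securityDisableUsbDebugging -eq $true
        'Minimum security patch level set'          = -not [string]::IsNullOrEmpty($Policy.minAndroidSecurityPatchLevel)
        "Minimum OS version is $MinimumOs or later" = ($null -ne $os) -and ($os -ge $MinimumOs)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
}

$policy  = $policyJson | ConvertFrom-Json
$results = Test-AndroidCompliancePolicy -Policy $policy
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) recommended setting(s) are not enforced by '$($policy.displayName)'."
}
```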

How to Setup Intune Compliance Policy for Windows 10 Devices

Let’s discuss Setting up an Intune Compliance Policy for Windows 10 Devices. This post will show how to do so. Managing Windows 10 devices is critical in modern device management.

Intune compliance policies are the initial safeguard in securing access to corporate applications. These policies help ensure that devices meet predefined security and compliance standards, preventing unauthorized or non-compliant devices from accessing sensitive corporate resources.

The Intune Compliance Policy for Windows 10 helps protect company data. The organization must ensure that the devices that access company apps and data comply with specific rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.

This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

How to Setup Intune Compliance Policies for Windows 10

This video guide shows you how to set up Intune compliance policies for Windows 10. It walks you through each step clearly and simply, making it easy to follow.

How to Setup Intune Compliance Policy for Windows 10 Devices – Video 1

Sign in to the MEM portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.1

Select Intune – Device Compliance – Compliance – Policies and click the +Create policy button to create a new compliance policy. Select the platform as “Windows 10.” Settings configurations are really important for compliance policies. There have been some improvements in Azure portal Windows 10 compliance policies.

The 3 categories in Windows 10 compliance policies are shown in the table below.

Windows 10 Compliance Policies
Device Health
Device Properties
System Security
How to Setup Intune Compliance Policy for Windows 10 Devices – Table 1
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.2

Device Health is the setting where the compliance engine will check whether Windows 10 devices are reported as healthy by the Windows device Health Attestation Service (HAS). The device health attestation service includes loads of checks, such as TPM 2.0 (the requirement for the latest build of Windows 10 is TPM 1.0), BitLocker encryption, etc.

  • Device Properties is the setting where Intune Admins define the minimum and the maximum versions of operating system details for the corporate application access. Operating System Version.
    • Minimum OS version
    • Maximum OS version
    • Minimum OS version for mobile devices
    • Maximum OS version for mobile devices

System Security is the setting where Intune Admins define password policies for Windows devices. These settings have two sections: Password and Encryption. Password Policy—We don’t need to set the Windows password policy here if you already use “Windows Hello for Business.”

  • Require a password to unlock mobile devices
  • Simple passwords
  • Password type
    • Device default
    • Alphanumeric
    • Numeric
  • Minimum password length
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • A password is required when the device returns from an idle state (mobile only)

Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy.

  • Encryption of data storage on a device.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.3

Deploy the Windows 10 compliance policy to the dynamic device group of all Windows devices. (Update: Device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.)

  • Click on Assignment and select the dynamic device group.
  • I would use AAD dynamic device groups rather than user groups to deploy compliance policies.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.4

How to Setup Intune Compliance Policy for iOS Devices

Let’s discuss setting up an Intune Compliance Policy for iOS Devices. This post will explain how to do so. An Intune Compliance Policy ensures that iOS devices accessing company data meet specific security standards.

Enforcing these policies can help protect your organization’s data from unauthorized access and potential security threats. The organization must ensure that the devices that access company apps and data comply with specific rules.

These rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

A compliance policy is a set of guidelines that devices must meet to access organizational resources. It ensures that only secure and compliant devices can access company data, reducing the risk of data breaches or unauthorized access.

How to Setup Intune Compliance Policies for iOS

In this video, you will learn all the details on how to set up Intune compliance policies for iOS devices. We’ll guide you through creating and configuring these policies to ensure your company’s data remains secure.

How to Setup Intune Compliance Policy for iOS Devices – Video 1

How Do you Set up the Intune Compliance Policy for iOS?

Sign in to the Azure portal with an Intune admin access account. Select More services, enter Intune in the text box, and select Enter. Select Intune – Device Compliance – Compliance – Policies and click the +Create policy button to create a new compliance policy. Select the platform “iOS”.

  1. Settings configurations are significant for compliance policy. In terms of password settings, Azure portal iOS compliance policies have improved.
  2. iOS compliance policies have four categories: Email, Device Health, Device Properties, and System Security.
  3. Email settings require mobile devices to have a managed email profile to access corporate resources.
  4. The device Health setting will check whether the device is jailbroken or not. If the iOS device is Jailbroken, it won’t provide mail access to that device.
  5. The device Properties setting will check the OS version of the device and the minimum version of the iOS OS.
  6. The System Security setting is based mainly on password settings. There are some improvements over the Intune Silverlight portal here. We can have the option not to configure some of the settings, like “Number of non-alphanumeric characters in password.” This was not possible with the Intune Silverlight portal.
How to Setup Intune Compliance Policy for iOS?
Require a password to unlock mobile devices.
Simple passwords
Minimum password length
Not Configured, Alphanumeric, Numeric
Number of non-alphanumeric characters in the password
Maximum minutes of inactivity before a password is required
Password expiration (days)
Number of previous passwords to prevent reuse
How to Setup Intune Compliance Policy for iOS Devices – Table 1

10. Deploy the Intune Compliance Policy for iOS for all iOS devices in the dynamic device group. Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

(Update: Device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.)

How to Setup Intune Compliance Policy for iOS Devices – Fig.1


SCCM Dynamic Collection Query Update Known Issue

Let’s discuss the SCCM Dynamic Collection Query Update Known Issue. SCCM/ConfigMgr dynamic collection query can be evil in some scenarios. It’s straightforward to make mistakes while editing already existing dynamic queries.

The behavior is better with device-based dynamic collections in the SCCM CB environment, because the console gives a warning pop-up (as seen in the video). It is still not very good for user-based dynamic collections.

I have created a quick video to demonstrate this issue here. I have Kannan C S to share his experience on this topic. He is a Sr. Infra Architect with several years of SCCM and System Center experience. I will let Kannan C S explain his experience in detail.

I’m Kannan C S, and I work as a Sr. Infra Architect at a leading IT company. I have 15 years of IT experience. I have been with Configuration Manager [Designing, Implementation, Migration, and Support], System Center Orchestrator [Designing and Implementation], and Windows Server support. You can refer to my blog here.

Related Post – SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)

SCCM CB 1702 Dynamic Collection Query Update is or can be Evil?

The video details the SCCM CB 1702 Dynamic Collection Query Update and explores whether it can have negative consequences. It discusses the potential risks and issues associated with using dynamic queries in this version of SCCM, helping you understand how to manage and mitigate any problems effectively.

SCCM Dynamic Collection Query Update Known Issue – Video 1

SCCM Dynamic Collection Query Update Known Issue

I have seen the dynamic collection query update issues in different organizations, mainly with L1 and L2 teams where we lack real SCCM expertise. I have already created a user voice item. Please vote this up User Voice – Collection Query.

SCCM Dynamic Collection Query Update Known Issue – Fig.1

Known Issue?

I have seen this issue/design in every version from SMS 2003 to SCCM 2012 (and even SCCM CB). I am unsure whether there is any purpose behind this design of the collection default query select * from sms_r_system/select * from sms_R_User. Suppose a user has created a query-based device or user collection and is modifying the query, and they remove the entire query and click OK.

  • When the user clicks OK, the select * from sms_r_system/select * from sms_R_User query is automatically enabled.
  • It will target all systems, with “All system”/”All Users” as the limiting collection.
  • This causes serious issues in most companies, where deployment is performed by L1 or L2 engineers.
  • It is not documented in the MS TechNet or Blog. I strongly recommend having some mechanism to avoid this kind of change in upcoming releases.
  • I have provided the impact screenshots below. When modifying the collection query, click Edit.
Membership Rule Name | Type | Collection ID
Install | Query | Not Applicable
SCCM Dynamic Collection Query Update Known Issue – Table 1
SCCM Dynamic Collection Query Update Known Issue – Fig.2

Click Edit Query Statement. SCCM uses the Windows Management Instrumentation (WMI) Query Language (WQL) to query the site database. The screenshot below shows the Edit query statement.

SCCM Dynamic Collection Query Update Known Issue – Fig.3

The window below shows the General tab of the Oracle database 12c Query Statement Properties. Click Show Query Language.

SCCM Dynamic Collection Query Update Known Issue – Fig.4

Select the entire query in the Query Statement dialog box. Click Delete.

SCCM Dynamic Collection Query Update Known Issue – Fig.5

You can see the query statement section in the Oracle database 12c Query Statement Properties window below. Click OK in this window.

SCCM Dynamic Collection Query Update Known Issue – Fig.6

By default, the rule reverts to the Select * from SMS_R_System/select * from sms_R_User query. From then on, a deployment targeted to that specific collection will be mapped to all devices, including workstations and servers.

SCCM Dynamic Collection Query Update Known Issue – Fig.7
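
One way to audit for the fallback described above, as an added PowerShell example that is not part of the original post: it flags query membership rules whose expression is the bare default select over SMS_R_System or SMS_R_User. The function names and the sample rules are constructed for illustration; the live-site branch assumes the ConfigurationManager module is imported and the site drive is the current location.

```powershell
# Added example (not from the original post): find collection query rules
# that have fallen back to the unscoped default query.

function Test-UnscopedCollectionQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$QueryExpression
    )
    # Collapse whitespace and line breaks so formatting differences do not matter.
    $q = ($QueryExpression -replace '\s+', ' ').Trim()
    # Unscoped = a SELECT over SMS_R_System or SMS_R_User (optionally aliased)
    # with nothing after the class name: no WHERE clause and no JOIN.
    # -match is case-insensitive, so sms_R_User and SMS_R_USER both hit.
    $q -match '^select\s.+\sfrom\s+sms_r_(system|user)(\s+(as\s+)?\w+)?$'
}

function Find-UnscopedCollectionRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Rule
    )
    process {
        if (Test-UnscopedCollectionQuery -QueryExpression ([string]$Rule.QueryExpression)) {
            # Worst case from the post: the limiting collection is the built-in
            # all-devices or all-users collection, so the rule matches everything.
            $siteWide = $Rule.LimitingCollection -in 'All Systems', 'All Users'
            [pscustomobject]@{
                Collection         = $Rule.CollectionName
                RuleName           = $Rule.RuleName
                LimitingCollection = $Rule.LimitingCollection
                Severity           = if ($siteWide) { 'High' } else { 'Review' }
            }
        }
    }
}

function Get-SiteCollectionRule {
    # Reads every query rule from a live site. Assumption: the
    # ConfigurationManager module is imported and the current location is
    # the site drive.
    foreach ($c in Get-CMDeviceCollection) {
        Get-CMDeviceCollectionQueryMembershipRule -CollectionId $c.CollectionID |
            ForEach-Object {
                [pscustomobject]@{
                    CollectionName     = $c.Name
                    LimitingCollection = $c.LimitToCollectionName
                    RuleName           = $_.RuleName
                    QueryExpression    = $_.QueryExpression
                }
            }
    }
    foreach ($c in Get-CMUserCollection) {
        Get-CMUserCollectionQueryMembershipRule -CollectionId $c.CollectionID |
            ForEach-Object {
                [pscustomobject]@{
                    CollectionName     = $c.Name
                    LimitingCollection = $c.LimitToCollectionName
                    RuleName           = $_.RuleName
                    QueryExpression    = $_.QueryExpression
                }
            }
    }
}

# Constructed sample rules (not taken from a real site), used when the
# ConfigurationManager cmdlets are not available.
$sampleRules = @(
    [pscustomobject]@{
        CollectionName = 'Oracle database 12c'; LimitingCollection = 'All Systems'
        RuleName = 'Install'; QueryExpression = "select *  from`r`n SMS_R_System"
    }
    [pscustomobject]@{
        CollectionName = 'Finance users'; LimitingCollection = 'Head office users'
        RuleName = 'Members'; QueryExpression = 'select * from sms_R_User'
    }
    [pscustomobject]@{
        CollectionName = 'Windows servers'; LimitingCollection = 'All Systems'
        RuleName = 'Servers'
        QueryExpression = "select SMS_R_System.ResourceId from SMS_R_System " +
                          "where SMS_R_System.OperatingSystemNameandVersion like '%Server%'"
    }
)

$rules = if (Get-Command Get-CMDeviceCollection -ErrorAction SilentlyContinue) {
    Get-SiteCollectionRule
} else {
    $sampleRules
}

# Rules still scoped by a WHERE clause are not reported.
$rules | Find-UnscopedCollectionRule | Format-Table -AutoSize
```

Running this on a schedule, or before approving a deployment, surfaces a collection whose rule was emptied and saved before the deployment reaches every device or user under the limiting collection.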

Resources

SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)


Intune Android Device Support for Google Android for Work Enrollment

Let’s discuss Intune Android Device Support for Google Android for Work Enrollment. Google has a list of supported devices with its Android for Work program. But does Google’s list contain all supported devices?

I don’t think the list is exhaustive and lists all the supported devices. I have tested 2 devices not listed as part of Android for Work supported devices. And surprisingly, both devices can enrol in Intune via the Android for Work program.

The article Intune Android Device Support for Google Android for Work Enrollment shows you how to configure the Android Enterprise platform for use with Intune Device Management. We will walk through the steps to set up Intune Enrollment for Android Enterprise Device Management, enabling you to manage corporate-owned devices efficiently with Microsoft Intune.

In this post, you will find all the details about Intune Android Device support for Google Android for Work enrollment. We’ll cover everything you need to know to get started and manage your Android devices effectively using Intune.

Intune Enrollment via Android for Work with Cheap and Affordable Devices

In this video, you will learn all the details about Intune enrollment through Android for Work using cheap and affordable devices. We’ll guide you on how to set up and manage these devices efficiently with Intune.

Intune Android Device Support for Google Android for Work Enrollment – Video 1

Video Tutorials for Android for Work Management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly; the cost is less than 150 USD. Organizations always struggle to find cost-effective and affordable Android for Work devices from Google’s new list.

After testing two fundamental Android devices, I found that we need to perform trial and error to understand whether the low-cost Android devices support Android for Work.

Android for Work management via Intune
Enterprise Devices
Affordable work Devices
Featured Device
Intune Android Device Support for Google Android for Work Enrollment – Table 1
Intune Android Device Support for Google Android for Work Enrollment – Fig.1

Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently rebranded, and now the name of Android for Work has changed to just “Android” management. Google announced that they are simplifying the names of Android for Work and Play for Work, directly calling Android and Google Play.

According to Google, there are 3 categories of Android devices. The new list also does not cover Samsung S7 and LetV devices.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I successfully enrolled low-cost (cheap) Android devices with Android for Work. Intune managed Samsung S7 and LetV devices with the Google Work profile. Both these devices are running Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported for devices not listed in the Google portal. I recommend performing thorough testing before approving Android for Work-supported devices within your organization. Maintaining a recommended list of “Android for Work” supported devices within your organization is always better.

I hope Google will remove support for plain Android management and allow only “Android for Work” to manage Android devices. Also, we need to remember that Android for Work support is available only for specific countries or regions. For example, in China, we don’t have any support for Android for Work.


How to Resolve Intune Android for Work Configuration Refresh Error

Let’s discuss how to Resolve Intune Android for Work Configuration Refresh Error. Android for Work configuration is straightforward in most scenarios.

I have configured “Android for Work” for several tenants without any issues. Recently, however, I encountered an issue while configuring this in the Intune Silverlight console. 

When I click on the configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiates the process. Still, Intune cannot launch the Android for Work binding wizard (webpage). 

In one of our posts, we will show you how to configure the Android Enterprise platform for use with Intune Device Management. You can efficiently manage Android Enterprise corporate-owned devices with Microsoft Intune.

Android for Work Refresh Error in Intune SilverLight Console

The video below demonstrates resolving the Intune Android for Work Configuration Refresh Error. Generally, configuring Android for Work is straightforward in most scenarios. I have successfully set up “Android for Work” for several tenants without issues.

How to Resolve Intune Android for Work Configuration Refresh Error – Video 1

Introduction – How to Resolve Intune Android for Work Configuration Refresh Error

I have already posted about Android for Work configuration and set it up in a different post (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will provide a step-by-step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console could not complete Android for Work binding. When I checked the Intune console, there was an Intune console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.1

I tried clicking on the Refresh button several times to see if it worked, but nothing did. There was another button on the Intune Silverlight page, and that was the Save Error Log.

I clicked on the button, and it asked me to save the text log file for this “not able to retrieve all data” error in the Intune console. I opened the text file, which contains details about the error and possibly the root cause of this issue as well.

Error Message
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
How to Resolve Intune Android for Work Configuration Refresh Error – Table 1
How to Resolve Intune Android for Work Configuration Refresh Error – Fig.2

As per the Intune Save Error LOG file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. Following is the snippet of the log file.

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I have added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before configuring “Android for Work.” I recommend logging off and logging back into the Intune Silverlight console before configuring “Android for Work.”  

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.3


Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager

Let’s discuss the Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager. What essential improvement can I see in the SCCM CB 1702 production console? Are Feedback Balloons everywhere? Yeah, SCCM/ConfigMgr is an excellent product for device management, and there is no competition! Why?

This is because of the improvements the product team made and the GREAT SCCM/ConfigMgr community we have for this product.

It’s all about the community’s contributions to improving a software product. The SCCM product team is always open to new ideas and feedback, which is one reason why SCCM is so great.

Software developers can’t make an excellent product without great feedback from real-time users of the applications. So, that is the importance of the SCCM/ConfigMgr IT Pro community.

Feature Comparison SCCM ConfigMgr CB Production 1702 vs 1610

The video below explains the differences between SCCM ConfigMgr CB versions 1702 and 1610. It compares the features of both versions, highlighting what has been improved or added in 1702.

The video also shows the benefits of upgrading and what new capabilities you can expect. It is helpful for anyone deciding whether to move from version 1610 to 1702.

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Video 1

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager

If you have yet to download and upgrade to the latest version of SCCM CB, here is my previous post, which will help you upgrade SCCM CB to the newest version, Configuration Manager CB 1702.

Another significant change is repositioning the “Updates and Servicing” node in the SCCM CB console.

The “Updates and Servicing” node is the topmost node in the Administration workspace of the SCCM CB 1702 production version console. In console increased a lot in SCCM CB 1702 console. From SCCM CB 1702 onwards, SUPs (software update points) are boundary aware, similar to MPs and DPs. This is an excellent help for SCCM architects in making better decisions about SUPs.

Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Fig.1

The biggest and most awaited feature in the SCCM CB hybrid is feature parity between the Intune Standalone and SCCM CB hybrid versions. The SCCM product team achieved feature parity between Intune SA (StandAlone) and the SCCM CB hybrid version.

I explained this in the above comparison video. If we review the Configuration Policy for iOS and MAC OS devices via the MDM channel without SCCM Client, you can see HUGE improvements! Some of the changes in numbers are given below.

Password - Passcode Modification
Device - 9 settings in CB 1610 -- 33 settings in CB 1702
Store - 3 settings in CB 1610 -- 6 settings in CB 1702
Content Rating - 5 settings in CB 1610 -- 6 settings in CB 1702
Cloud - 4 settings in CB 1610 -- 8 settings in CB 1702
Security - 1 setting in CB 1610 -- 2 settings in CB 1702
System Security - 5 settings in CB 1610 -- 12 settings in CB 1702
Data Protection - 2 settings in CB 1610 -- 4 settings in CB 1702
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Fig.2

The SCCM CB 1610 version included 17 features, and the SCCM/ConfigMgr Product team added 4 more to the latest release of SCCM CB 1702! Those four new pre-release features are listed below. Only one feature moved from pre-release to production release: Conditional Access for Managed PCs.

Latest Release of SCCM CB 1702
Pre-Release – Install Behaviour of applications
Pre-Release – Data Warehouse Service Point
Pre-Release – Task Sequence content Pre-Caching
Pre-Release – Device Guard
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Table 1
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Fig.3

Feature Comparison Video Between SCCM?

More excellent news for SCCM CB hybrid customers: there are 5 great new additions to compliance policies! We can’t select the different versions of the Android and iOS platforms anymore while creating a compliance policy or configuration policy with SCCM CB 1702. Granularity in choosing different Android/iOS versions was removed. The new compliance policies are:

Apps that cannot be installed
Password expiration
Remember password history
Password Quality
Minimum Android Patch Level
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Fig.4

In SCCM CB 1702, we can create a configuration policy for Android for Work! The configuration policy for AfW (Android for Work) has only 2 policies or configuration settings.

Some improvements or additional settings appeared in ConfigMgr/SCCM CB 1702 regarding Windows 10-related configuration policies in a hybrid environment. Following are some of the high-level changes in Windows 10  Configuration Policies: –

Device - 10 settings in CB 1610 -- 11 settings in CB 1702
System Security - 9 settings in CB 1610 -- 10 settings in CB 1702

The SCCM product team did excellent work in catching up with Intune SA regarding Cloud Services integration with SCCM CB’s latest version. They have added support for “Android for Work” enrollments and improved the Cloud Management Gateway and OMS connector.  

  • Cloud Services
  • Android For Work
  • Cloud Management Gateway
Feature Comparison Video Between SCCM ConfigMgr CB 1610 and 1702 Configuration Manager – Fig.5

References

What’s new in version 1702 of SCCM CB System Center Configuration Manager


How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager

Let’s discuss how to Perform the SCCM ConfigMgr CB Production upgrade to 1702 Video Tutorial Configuration Manager. Microsoft released a new version of SCCM/ConfigMgr CB 1702 here.

If your SCCM infrastructure runs with an ONLINE “service connection” point and your SCCM CB version is 1602 (and later), you will receive the SCCM CB 1702 update in the console.

For SCCM CB infra with an online service connection point, the SCCM CB 1702 update will automatically appear in the console once Microsoft releases it for the “slow ring.” Microsoft released SCCM CB 1702 updates only for the “fast ring.” I have upgraded the standalone SCCM CB 1610 primary site to SCCM CB 1702. My experience with this upgrade was very smooth and robust.

I didn’t face any hiccups after automatically downloading the SCCM CB 1702 source files to the primary server. The video below will give a step-by-step walkthrough of the SCCM/ConfigMgr CB 1610 and 1702 upgrade process.

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702

The video tutorial on “How to Perform SCCM ConfigMgr CB Production Upgrade to 1702” provides a comprehensive guide for IT administrators upgrading their SCCM Current Branch (CB) to version 1702. The tutorial covers all essential steps, from the prerequisites and preparatory tasks to the upgrade process and post-upgrade verification.

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager – Video 1

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager

Don’t upgrade to the SCCM/ConfigMgr CB 1702 version if your primary servers/CAS run on a Windows 2008 R2 server. The minimum OS requirement for the SCCM CB 1702 upgrade is Windows Server 2012 and Later.

You must ensure that a supported version of SQL is installed on the primary servers/CAS. SQL 2008 R2 SP3 is not supported, and you should have a minimum of SQL 2012 R2. So, hold off on your SCCM CB 1702 upgrade if you lack supported SQL and OS versions.

How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager – Fig.1

Issues with Getting ConfigMgr SCCM 1702 Updates Available in the SCCM CB Console?

Is the SCCM/ConfigMgr CB 1702 update still unavailable in the SCCM CB console?

Following are the steps you need to follow for the FAST RING release of SCCM CB 1702. More details are available in my previous post, “SCCM ConfigMgr 2012 to CB upgrade Unofficial Checklist.”

  1. Download the PowerShell script to ENABLE the first wave of customers (The script is available at the above link). SKIP THIS STEP, which is NOT required NOW.
  2. Run the PowerShell script from an elevated command prompt (local admin access). PS Command – “EnableFastUpdateRing1702.ps1 <SiteServer_Name | SiteServer_IP>” – SKIP THIS STEP – NOT Required NOW
  3. Force a check for the update.  Go to \Administration\Overview\Cloud Services\Updates and Servicing and click “Check for Updates.”  You may need to try “Check for Updates” more than once if the package is not downloaded on the first try.
  4. Wait for some time. The DMP Downloader component will start the Download via SCCM CB 1606 updates and the Servicing channel (DMPdownloader.log for more details)
  5. SCCM CB 1702 Prerequisites check
  6. Start the installation and wait for the replication of source files to the server in the hierarchy if you have CAS and Primary servers (this is not covered as I don’t have the SCCM CB hierarchy in the lab)
  7. Once installation is completed on the CAS server, the automatic SCCM CB 1702 upgrade process will kick in for child Primary servers per the service windows scheduled on the respective primary server.

As you can see in the above screen capture, the SCCM/ConfigMgr CB 1702 has already been downloaded and is available for the upgrade process on my SCCM primary server. However, the download process still has some challenges, and there is room for improvement.

The SCCM CB 1702 download was stuck in the downloading state for a long time. I had to restart the SMS Executive service to make the “in-console” 1702 update available. Please right-click on the Configuration Manager 1702 update and Install it.

The SCCM/ConfigMgr CB 1702 upgrade experience was very smooth for me. However, the process can take time, depending on factors like server components’ hardware performance and the SQL DB’s size. You can monitor the status of the upgrade from CMUpdate.log.

Also, check the Monitoring workspace for a more standardized status table with the respective log file details for each stage of an upgrade.

Version

The last stage of the ConfigMgr/SCCM CB 1610 to 1702 upgrade process is the SCCM CB console upgrade. Once the console is upgraded successfully, you can see the latest site server version.

Also, the SCCM CB 1702 version details will be updated in the primary servers or CAS server registry key.

Version 1702
Console Version 5.000.8498.1400
Site Version: 5.0.8498.1000
How to Perform SCCM ConfigMgr CB Production Upgrade to 1702 Video Tutorial Configuration Manager – Fig.2


Intune App Protection Policies for Android iOS Devices

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience. The latest post is available for MAM policies: Step-by-Step Procedure to Create App Protection Policies for iOS/iPadOS in Intune.

Microsoft Intune supports MAM without enrollment (MAM WE) and Conditional Access policies for Android devices. With Intune, there are two types of management options for Android devices.

The first is the traditional way of MDM management, and the second is the light management of apps installed on Android devices via Intune. The previous post discussed the Android MDM management options and end-user experience.

In this post, you will find all the details about Intune App Protection Policies for Android and iOS devices. These policies are essential for managing and securing apps on mobile devices, ensuring that corporate data remains protected even when accessed from personal devices.

Intune MAM without Enrollment along with CA Android Devices

To apply Intune App Protection Policies (APP) effectively, the applications must support these policies. Most Microsoft 365 (M365) applications, such as Outlook, Word, and OneDrive, are compatible with App Protection Policies. These policies help ensure that corporate data accessed through these apps remains secure.

Intune App Protection Policies for Android iOS Devices – Video 1

Intune App Protection Policies for Android iOS Devices

Mobile Application Management (MAM) Without Enrollment (WE) is a lightweight management option for Android devices. This option has some advantages over full MDM management options.

For example, if a consultant’s device is already enrolled in a 3rd-party EMM solution, but he wants access to the client’s corporate mail on his mobile device for a very short period, then “MAM WE” is the best option for that consultant. With MAM WE, Intune and Azure AD will ensure that corporate mail and other MAM-enabled applications are protected with MAM policies.

Intune—Mobile Apps—Apps—Skype for Business—Properties: In the following example, you can see that Android’s Skype for Business application has been deployed with a deployment type called “Available with or without enrollment.” So, the deployment type without enrollment is for MAM WE management.

Intune App Protection Policies for Android iOS Devices – Fig.1

The Intune “MAM WE” has a separate set of conditional access policies that differ from the MDM conditional access policy. So, you must take extra care when deploying both CA policies to the same user groups. I would avoid using the same user group for both policies, or you could use the exclude groups options.

I would avoid deploying the MDM CA policy to user groups whenever possible and deploy it to device groups. Otherwise, we should have a different MDM CA user group and a MAM WE CA user group with unique users in both groups, which will be tricky.

Intune App Protection Policies for Android iOS Devices – Fig.2

Each MAM-enabled application comes with application protection policies (MAM app protection). We need to deploy these app protection policies to MAM WE user groups. Remember, these types (MAM WE) of policies can’t be deployed to Device Groups. 

With an app protection policy, you can restrict corporate data relocation and App data encryption. Creating app protection policies and deploying them to MAM WE user groups is critical.

Intune App Protection Policies for Android iOS Devices – Fig.3

 End-User Experience – How to Enable Intune MAM without Enrollment

The video here will provide the Intune MAM WE real-time end-user experience.
