Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access

Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access. Role-Based Access Controls (RBAC) are one of my favorite features in Microsoft Intune.

The lack of RBAC was why people chose Intune hybrid instead of Intune standalone. The Intune team introduced RBAC features into the product back in 2017. In this post, we will learn how to provide read-only access to the Intune console.

I have two (2) posts covering Intune role-based access controls in detail. I recommend reading through those two posts to learn more about Intune RBAC.

The Intune team also did excellent work including scope features in Intune RBAC. It is now getting close to the SCCM RBAC feature set. Following are my previous posts about Intune RBAC.

How to Provide Read-Only Access to Intune

RBAC helps Intune admins control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles). I use the built-in Intune role called “Read Only Operator” to provide read-only access to the Intune console.

  1. Navigate to Azure Portal – Microsoft Intune blade – Intune roles – All roles – Read-Only Operator – Assignments and click on + Assign.
  2. Once you click on the “+ Assign” button, a new Read-Only Operator – Role assignments blade is displayed.
  3. Enter the following information in the blade:
     Assignment Name = Read-Only Intune Users
     Assignment Description = Details of Read-Only Assignment Group
     Members (Groups) = Click on the + Add button and select the Azure AD user group containing the Intune read-only users (in my example, Intune ReadOnly Users).
     Scope (Groups) = Click on + Add and select the Azure AD user and/or device group. The Read-Only Operator will be able to manage the resources in this group. More details are below.
  4. Save the Intune role assignment by clicking the OK button.

Administrators in the role assignment can target policies, applications, or small tasks to these Scope Groups. So the Intune ReadOnly user group members (in my example screenshot) would be able to target policies, applications, or small tasks at the users/devices in my scoping group, Intune ReadOnly. This is as per the design.

  •  Member Group users are the administrators assigned to this role.

Do you know what Intune scope group is?

Intune defines a scope group as “the users or devices that a specified person (the member) can manage.” In the above example, Intune ReadOnly users can manage the users or devices in their Scope Groups.

If you are an SCCM admin, the scope option is already familiar from the SCCM 2012 and CB consoles. I have another post that talks about Configuration Manager RBAC in detail.

Intune Read-Only User Experience

In this scenario, the Intune read-only user is a regular user in Azure Active Directory (without any other access), but the user has a valid Intune (EMS) license assigned.

I will cover all the following scenarios with Intune read-only user experience. More details are available in the video tutorial called read-only access to Intune.

Device enrollment Experience for Read-Only User

The user has read or view access to all the blades of device enrollment. I have noticed that the Configure MDM Push Certificate blade doesn’t provide any option to download the CSR file.

The Android for Work enrollment experience is different from Apple’s. I see the following error when trying to sign up with the Intune read-only account: “An error occurred requesting Android for Work signup Url.”

Windows enrollment, Terms and conditions, Enrollment restrictions, Device categories, Corporate device identifiers, and Device enrollment managers also work as expected for Intune read-only users.

Device Compliance Experience for Read-Only Users

The device compliance experience is different from the device enrollment experience. The read-only user can change the compliance policy’s schedule time for action for noncompliance in the UI, but the change never gets saved; Intune returns an error when the user tries to save the configuration. So we are fine!

As per my testing, the read-only user doesn’t have access to assign the compliance policy to any group. You can refer to the video tutorial called read-only access to Intune for more details. However, the read-only user has access to check the status of the compliance policy on devices.

Devices Blade Experience for Intune Read-Only User

View access is intact for the Devices blade. The user can view the properties of all the devices. The Azure AD scope option may provide some opportunity to stop read-only users from viewing the properties of devices that are not in their scope.

Also, read-only users can’t perform any remote actions (Remove company data, Factory reset, Delete, and Remote Lock) on devices.

Device Configuration Experience for Intune Read-Only User

The Configuration profiles blade provides a standard view-only experience for Intune read-only users. The read-only users have view access to Overview, Properties, Assignments, Device status, User status, and Per-setting status.

The Configuration PowerShell Scripts blade provides a different experience for Intune read-only users. Similar to the compliance policy experience (explained above), the PowerShell scripts blade offers the option to edit or rename the PowerShell script name. But we are fine, as Intune won’t allow read-only users to save those changes.

The PowerShell script assignment experience is similar: the UI lets the read-only user change the assignments, but it won’t allow the user to save the changes.

Mobile Apps (Applications) Experience for Intune Read-Only User

The mobile apps experience for the Intune read-only user is similar to device enrollment. The Manage options under Mobile apps provide standard view access to read-only users for Apps, App configuration policies, App protection policies, App selective wipe, and iOS app provisioning profiles.

Monitor options under mobile apps give a similar view experience for App licenses, Discovered apps, App install status, App protection status, and Audit logs.

The Setup options also give a similar view experience for iOS VPP tokens, Windows enterprise certificate, Windows Symantec certificate, Microsoft Store for Business, Windows sideloading keys, Company Portal branding, App categories, and Android for Work.

Conditional Access Experience for Intune Read-Only User

The Conditional Access blade provides view access to read-only operators. I love that the Azure AD Conditional Access What If tool works fine for read-only users. This would be very helpful from a learning perspective.

All the following items work as expected, providing standard view access:

  • On-premises access
  • Users
  • Groups
  • Intune roles
  • Software Updates

Useful Links

Learn to Fix Microsoft SCCM Intune Documentation Configuration Manager ConfigMgr

Let us learn how to fix Microsoft SCCM and Intune documentation (Configuration Manager / ConfigMgr). How many of us complain about SCCM Intune documentation?

The documentation is out of date, not relevant, etc. Here is a real opportunity to help yourself and update the SCCM and Intune documentation.

But don’t worry about the quality of the SCCM Intune documentation, as there are several validation steps before your edits/changes get published. Hack a doc is the theme of this post 😉

Check out the video “Learn How to Help Fixing SCCM Intune Documentation Issues”.

We had a great MVPHackaDoc session with Aaron during the MVP Summit 2018. All credit to Aaron, who taught me how to start updating SCCM/Intune documentation. I don’t recommend going around editing or updating all the documentation. Start small before you leap.

Start Small

What is changed?

The Microsoft documentation service (https://docs.microsoft.com) is hosted on the GitHub platform, which helps provide a better user experience while reading the documentation.

Even the SCCM and Intune documents have been migrated to the new platform. Following is my list of key features of the new docs.microsoft.com platform.

  • Readability
  • Estimated Reading Time
  • Content and Site Navigation
  • Shortened Article Length
  • Responsive Design
  • Community Contributions
  • Social Sharing
  • Friendly URLs

How to Start Updating SCCM Intune Documentation?

You probably go through a lot of Microsoft documentation every day. Suppose you find an article with incorrect information and want to let the Microsoft docs team know about it.

  • Create a GitHub account if you don’t have one. Creating a GitHub account took me one or two minutes.
  • Select the GitHub Free plan as part of the signup process, and fill in the “Tailor your experience” step with a short intro about yourself.
  • Open the article you identified and click on the EDIT button, as I showed in the video tutorial. You should open the article from the same browser in which you are already logged in to your GitHub account.
  • Once you click on the EDIT button on that article, it will redirect you to the GitHub editor.
  • The GitHub editor is where you will perform all the updates.

Identify Article and Start Contributing

How to Contribute to SCCM Intune Documentation

As Aaron mentioned in his “MVP Hack a Doc” session, start small. Standard GitHub accounts don’t have write access to the live documents, and you will see the following message when you try to edit or update an article.

  “You’re editing a file in a project you don’t have write access to. Submitting a change to this file will write it to a new branch in your fork, AnoopCNair/SCCMdocs, so you can send a pull request.”

As I have shown in the “Hack A Doc” video, a perfect example of raising an issue comes from Jason. He raised a problem, and a documentation bug was filed to fix it.

Creating a pull request is another option that I tried. But I think that needs more access to edit the master file. A normal GitHub account may not have access to proceed with a pull request.

Another interesting learning for me was the tips about selecting the best title, title suffix, description, ms.custom, ms.date, and ms.prod for technical articles. As Aaron suggested, we can start with the following things:

  • Clarifications
  • Examples
  • SDK, PowerShell
  • Guidance tips
  • Translations
  • See something, fix something

I have tried raising an issue with the documentation, and that is the best and easiest part I learned during the MVPHackaDoc session. More details about the issues raised are in the Hack A Doc video tutorial.

Another useful option is to track the documentation issues with your GitHub account, so we can rest assured that Microsoft is aware of the bug and will fix it soon. Following is the file path of a GitHub article, for example SCCMdocs/sccm/core/plan-design/hierarchy/accounts.md.

Start Contributing = Raising an Issue

Resources

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Free LinkedIn Learning Courses for SCCM Intune

Free LinkedIn Learning Courses for SCCM Intune. I agree with the following sentence, and that is why I’m sharing my experience with LinkedIn Learning: “Microsoft MVPs are notorious for passionately sharing their knowledge with the world.”

In this post, we will see the details about free LinkedIn learning courses available for SCCM and Intune (Learn SCCM Intune).

Great Learning

SCCM is great, and as per Microsoft it will not die. But don’t shy away from learning Intune. I would strongly recommend going through the Intune learning process.

Want to Learn Intune? Great Resources Around You!

(1) LinkedIn Learning Courses for Microsoft Intune

(2) Learning How to Learn SCCM Intune Azure

(3) Learn Intune Beginners Guide MDM MAM MIM

(4) Microsoft Intune for SCCM Admins Part 1

Introduction

The Microsoft MVP Award Program celebrated its 25th anniversary. As part of the 25th-anniversary celebrations, LinkedIn unlocked 15 courses covering key technology skills. Following is the list of 15 courses unlocked by LinkedIn. This post discusses the SCCM and Intune free study materials in more detail.

My Favourites
  • Microsoft System Center Configuration Manager…
  • Microsoft Enterprise Mobility Suite (Azure AD and Intune)
  • Office 365 for Administrators: Supporting Users Part 1
  • Windows 10: Deploy and Manage Virtual Applications

Productivity Apps
  • Excel 2016: Get & Transform
  • PowerPoint: Designing Better Slides
  • OneNote Tips and Tricks
  • Visio Tips and Tricks

Automation & Developer
  • Microsoft Graph for Developers
  • API Development in .NET with GraphQL
  • ASP.NET Core: Razor Pages
  • ASP.NET Core New Features
  • Microsoft Cybersecurity Stack: Advanced Identity…
  • Microsoft Cloud Services: Troubleshooting Online…
  • Building and Securing RESTful APIs in ASP.NET Core

How to Start Learning SCCM and Intune?

I have a full-blown post about systematic learning of SCCM and Intune. The approach to learning should be the same as I mentioned in that post, which was published back in 2015. I learned SCCM the hard way. There was no one to handhold and teach me.

I never got a chance to attend any training before I was pushed to work on SCCM. That is a different experience, as I explained in the future of SCCM/Intune jobs post.

How to Get Access to Free SCCM and Intune Video Courses?

These 15 courses are free only for a limited period. As per the MVP Award program post, these courses are unlocked for the general public until the middle of April! So don’t waste time and start learning SCCM/Intune using LinkedIn study materials.

I have explained how to start learning through LinkedIn courses in the video tutorial here. The SCCM course won’t work from the following link. I would recommend using the link which I provided in the next section of the post.

  1. Open https://learning.linkedin.com/events/2018/03/msft-mvp-global-summit
  2. No need to log in to LinkedIn to access these courses (anonymous access is allowed)
  3. Open any of the 15 free courses available

Start Free SCCM Online Course

To start the course, you don’t need to log in with your LinkedIn account. Also, you don’t need to start the one-month trial of LinkedIn Learning. You can access the SCCM course from a private browser without any login.

To start the Free SCCM online course from a private browser

Content of the SCCM CB Course

Introduction (More details about SCCM CB content at the bottom of the post)

  1. Planning and Deploying a Standalone Primary Site
  2. Designing and Deploying a Multiple-Site Hierarchy
  3. Planning Resource Discovery and Client Deployment
  4. Managing Content and Replicating Data in Configuration Manager
  5. Configuring Internet and Cloud-Based Client Management
  6. Maintaining and Monitoring SCCM CB
  7. Upgrading to SCCM CB
Conclusion

Start Free Intune Online Course

The Intune course is part of the EMS course, which covers both Azure AD and Microsoft Intune. I have an Intune starter kit that can help you start learning Intune from scratch. More details are available in the Intune guide for beginners in the enterprise mobility world.

Start the course directly from the following link.

Content of the Intune Course

Microsoft Intune

  • Manage apps and devices with Intune – 3m 30s
  • Configure Intune to manage iOS and Android – 4m 0s
  • Build and deploy a basic policy for iOS or Android – 5m 17s
  • Deploy and manage mobile apps – 5m 15s
  • Enroll your first device – 2m 45s

Resource


Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune. For good reasons, the Microsoft Intune team deprecated the application assignment type “Not Applicable”. So there is no need to worry when you don’t see the “Not Applicable” assignment type in your Intune tenant.

“Not Applicable” is no longer an option in the console; it has been replaced by “Excluded Groups”. The Exclude Group option was already available for configuration policies, and it’s useful.

Do you remember the Groups in the Intune Silverlight portal? There was an exclusion logic used in Intune groups in the Silverlight portal. I think the excluded Azure AD groups used in app assignment do not use nested group logic (Implicit Exclusion Groups).

In this post, I’m trying to explain two application assignment scenarios using Intune “Excluded Groups” logic.

What Is the New Intune “Excluded Groups” Feature?

Intune has a new app assignment process with an “Excluded Groups” option. Using it, you can now easily manage app assignments to groups that have overlapping members or that are targeted with conflicting app assignment types.

What Is the Effect of Deprecating “Not Applicable”?

Previously, the app assignment process in the Intune on Azure console had the option of targeting groups with the “Not Applicable” assignment type. This will no longer be the case. “Not Applicable” will be replaced by the “Excluded Groups” option.

This new feature lets you target an app to a large group of users or devices while restricting it from a subset of the same group.

  • https://blogs.technet.microsoft.com/intunesupport/2018/02/02/new-feature-new-app-assignment-process-in-intune-with-an-excluded-groups-option/

What do I need to do to prepare for this change?

Start using the new app assignment process and update your documentation if needed. Click on Additional Information to see screenshots and to read about different scenarios where this new feature can help you manage your app assignments.

I will try to explain the use of the following two scenarios to give a brief idea about the new feature called Excluded Groups in Intune. I also have a video tutorial that explains both of these scenarios.

  • Scenario A – Facebook is available for All Users Except “Mumbai Users”
  • Scenario B – WhatsApp is available for All Bangalore Users Except “L1 Team”

Scenario A

I want to make the Facebook application available to “All Users” in the organization. But this application should not be available for “Mumbai Users”.

  1. Launch Azure Portal and navigate through Microsoft Intune – Mobile Apps – Apps.
  2. Select the Facebook app that you want to assign. A dashboard related to the app is displayed.
  3. Select Assignments under the Manage section.
  4. Select Add group to add the groups of users who are assigned the app.
  5. Select an Assignment type from the available assignment types on the Add group blade. The available app assignments are “Available for enrolled devices”, “Available with or without enrollment”, and “Required”.
  6. Select “Available for enrolled devices” as the assignment type.
  7. Select Included Groups to select the group of users you want to make the Facebook app available to.
  8. Select Yes to make “this app available to all users with enrolled devices”.
  9. Click OK to set the group to include.
  10. Select Excluded Groups to select the groups of users you want to make the Facebook app unavailable to.
  11. Select the group “Mumbai Users” to exclude, which makes the Facebook app unavailable to the users in the Mumbai Users Azure AD group.
  12. Click OK on the Add group blade. The app Assignments list is displayed.
  13. Click Save to make your group assignments active for the Facebook app.

Scenario B

I want to make the WhatsApp application available to “All Bangalore Users” in the organization. But this application should not be available for the “L1 Team”. The video tutorial “Intune App Assignment Include Exclude Azure AD Groups” has more details.

  1. Follow steps 1 to 7 from Scenario A above.
  2. Select Included Groups to select the groups of users you want to make the WhatsApp application available to.
  3. Select the group “All Bangalore Users” to include, making the WhatsApp app available to the users in the “All Bangalore Users” Azure AD group.
  4. Click OK on the Add group blade to include the users. The app Assignments list shows All Bangalore Users.
  5. Select Excluded Groups to select the groups of users you want to make the WhatsApp app unavailable to.
  6. Select the group “L1 Team” to exclude, making the WhatsApp app unavailable to the users in the L1 Team Azure AD group.
  7. Click OK on the Add group blade. The app Assignments list is displayed.
  8. Click Save to make your group assignments active for the WhatsApp app.
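The effective result of Scenario A and Scenario B can be checked offline with the following Python model, added here as an illustration and not part of the original post. The user names and group memberships are constructed, “All Users” is modelled as a virtual group covering every user, and only direct (flat) membership is considered; exclusion taking precedence over inclusion is Intune’s documented behaviour for this feature.

```python
"""Model of Intune app assignment with Included and Excluded Groups (Scenarios A and B)."""
from typing import Dict, Iterable, Set

# Stands for the "make this app available to all users with enrolled devices" choice.
ALL_USERS = "All Users"

# Constructed directory: users and their direct Azure AD group memberships (not real data).
USERS: Set[str] = {"asha", "bala", "chitra", "dev", "esha"}
GROUPS: Dict[str, Set[str]] = {
    "Mumbai Users": {"asha", "bala"},
    "All Bangalore Users": {"chitra", "dev", "esha"},
    "L1 Team": {"dev"},  # dev is in both an included and an excluded group for WhatsApp
}

# The two assignments described in the post.
ASSIGNMENTS = {
    "Facebook": {"included": {ALL_USERS}, "excluded": {"Mumbai Users"}},          # Scenario A
    "WhatsApp": {"included": {"All Bangalore Users"}, "excluded": {"L1 Team"}},  # Scenario B
}


def members(group_names: Iterable[str], users: Set[str], groups: Dict[str, Set[str]]) -> Set[str]:
    """Union of the direct members of the named groups; ALL_USERS expands to every user.

    Only direct membership is modelled here; nested groups are deliberately out of scope.
    """
    result: Set[str] = set()
    for name in group_names:
        if name == ALL_USERS:
            result |= users
        elif name in groups:
            result |= groups[name]
        else:
            raise KeyError(f"unknown group in assignment: {name!r}")
    return result


def effective_users(included: Set[str], excluded: Set[str],
                    users: Set[str] = USERS, groups: Dict[str, Set[str]] = GROUPS) -> Set[str]:
    """Users who actually receive the app: included members minus excluded members.

    Exclusion wins when a user is in both an included and an excluded group,
    which is how Intune documents the Excluded Groups feature.
    """
    return members(included, users, groups) - members(excluded, users, groups)


def resolve_assignments(assignments=ASSIGNMENTS, users=USERS, groups=GROUPS) -> Dict[str, Set[str]]:
    """Effective recipients for every app in the assignment table."""
    return {app: effective_users(a["included"], a["excluded"], users, groups)
            for app, a in assignments.items()}


def apps_for_user(user: str, assignments=ASSIGNMENTS, users=USERS, groups=GROUPS) -> Set[str]:
    """Apps a single user ends up assigned under these include/exclude rules."""
    return {app for app, recipients in resolve_assignments(assignments, users, groups).items()
            if user in recipients}


if __name__ == "__main__":
    for app, recipients in resolve_assignments().items():
        print(f"{app}: {sorted(recipients)}")
```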

Resources


Use Intune to Restrict NON-Patched Windows Devices from Accessing eMail

Security patching is vital to every organization. Now with Intune, you can restrict Windows 10 devices that are not patched with the latest patches. Non-patched devices are risky to the organization. Use Intune to limit non-patched Windows devices from accessing mail.

There are two options to limit Windows devices from connecting to the corporate network. We will see these options in the following sections of the article.

Windows version = Specify the major.minor.build.CU number here. The version number must correspond to the version returned by the winver command.


I have uploaded a video tutorial to my YouTube channel. I hope this video will help you to set these restrictions upon your Intune test tenant.

I would recommend testing these in a staging environment before implementing them in production. As you are aware, patching is essential in any modern workplace project implementation.

Intune and Windows Update for Business can ensure all the Windows devices managed through Intune are patched promptly.

There is no need for on-prem components like WSUS to patch Windows 10 devices using Intune and Windows update for Business. There won’t be any security concerns when you set the Windows 10 Update rings in Intune.

Read my previous post, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal,” to learn more about Windows 10 update rings.

How to Restrict Non patched Windows Devices from Enrolling into Intune?

This option is available only for NEW Windows devices that are being enrolled in the Intune environment via the MDM channel. It is not available for Intune PC agent-managed devices.

The setting explained in this section won’t apply to already enrolled, non-patched Windows devices.

If you have already enrolled non-patched Windows devices, you need to check out the compliance policy option covered later in this post.

[Figure 1: Use Intune to Restrict NON-Patched Windows Devices from Accessing eMail (enrollment restriction settings table)]

We need to set up Intune enrollment restriction policies to restrict Windows devices from enrolling in Intune. The above table is the best reference to set up Intune enrollment restriction policies for non patched Windows devices.

First, decide on your Windows 10 minimum and maximum patch level requirements. You can get the patch-level version details from http://aka.ms/win10releasenotes.

In my video, I selected Windows 10 minimum patch level 10.0.15063.877 and maximum patch level 10.0.16299.201. You can also leave the maximum patch level blank if you want to allow all newer patched Windows devices.

I have uploaded a video tutorial to my YouTube channel, and this video has a more detailed explanation of how to set up enrollment restriction policies.

You can read my previous post, “How to Prevent Windows Devices from Enrolling to Intune”. That post provides more details about setting up Intune enrollment policies, and it also covers the end-user experience on Windows 10 devices when the device patch level is lower than the “Minimum version”.

For example

I have a Windows 10 device that is not patched, and its patch version is “10.0.15063.250”. In this scenario, Intune checks whether the device is patched to the minimum version required by the organization, which is 10.0.15063.877.

The current patch level of the Windows 10 device is below the minimum version set in the enrollment restriction policy, so the device won’t be allowed to enroll in Intune. Update the patches on that Windows 10 device to get it successfully enrolled.

[Figure 2: Use Intune to Restrict NON-Patched Windows Devices from Accessing eMail]

How to Force Users to Install Patches on Windows 10 Devices to Get Access back to eMails?

Most end-users are not always happy to install the latest patches and restart the devices on time. But as an IT admin, it’s our responsibility to make the enterprise environment secure with the latest patches.

Intune can probably help you force users to install patches on their non patched Windows devices.

We can create a new compliance policy in Intune to set rules and force users to install patches immediately. Intune compliance policy gives an option to set minimum & maximum patch levels for Windows devices.

When a device does not meet the minimum compliance requirement, that device is flagged as non-compliant.

When you have conditional access associated with compliance policies, the Windows device will lose access to enterprise applications (like mail, SharePoint online, Skype, etc.) associated with that conditional access policy.

Once users update their Windows version with the latest patches, their devices get the access back to mail.

You can run the winver command to determine the baseline Windows 10 version and patch level for your organization. Or you can use the following links to get the latest patch versions of Windows 10.

In my scenario, I set up a new compliance policy with a minimum patch level of 10.0.15063.877 and a maximum patch level of 10.0.16299.201.

This will ensure that all Windows 10 devices with access to enterprise applications are patched to 10.0.15063.877 or later.
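The version check that both the enrollment restriction example above and the compliance policy perform can be reproduced with the following Python, added here as an illustration and not code from the post or from Intune itself. The device inventory is constructed; the bounds 10.0.15063.877 and 10.0.16299.201 are the ones used in the post, and an empty maximum stands for leaving that field blank.

```python
"""Evaluate winver-style Windows 10 versions against the post's minimum/maximum patch levels."""
from typing import Dict, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a major.minor.build.CU string as shown by winver, e.g. 10.0.15063.877.

    Exactly four non-negative integers are required; a malformed bound in a policy
    would otherwise silently change what the policy enforces. Numeric tuples are used
    instead of string comparison because "10.0.15063.1000" sorts below "10.0.15063.877"
    as text but is the newer build.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.build.CU version: {text!r}")
    major, minor, build, cu = (int(p) for p in parts)
    return (major, minor, build, cu)


class Verdict(NamedTuple):
    allowed: bool   # True = may enroll / is compliant
    reason: str


def check_patch_level(device: str, minimum: str, maximum: Optional[str] = None) -> Verdict:
    """Apply the post's rule: allowed when minimum <= device <= maximum (both inclusive).

    A missing or empty maximum means no upper bound, matching a blank maximum field
    in the enrollment restriction or compliance policy.
    """
    dev = parse_version(device)
    if dev < parse_version(minimum):
        return Verdict(False, f"{device} is below the minimum {minimum}")
    if maximum and dev > parse_version(maximum):
        return Verdict(False, f"{device} is above the maximum {maximum}")
    return Verdict(True, f"{device} is within the allowed patch levels")


# Bounds from the post.
MINIMUM = "10.0.15063.877"
MAXIMUM = "10.0.16299.201"

# Constructed inventory (device name -> winver version); LAPTOP-01 is the post's example device.
SAMPLE_INVENTORY: Dict[str, str] = {
    "LAPTOP-01": "10.0.15063.250",  # unpatched 1703: blocked from enrolling / non-compliant
    "LAPTOP-02": "10.0.15063.877",  # exactly at the minimum: allowed
    "LAPTOP-03": "10.0.16299.192",  # 1709 inside the range: allowed
    "LAPTOP-04": "10.0.16299.201",  # exactly at the maximum: allowed
    "LAPTOP-05": "10.0.17134.1",    # newer than the maximum: flagged until the policy is raised
}


def noncompliant_devices(inventory: Dict[str, str], minimum: str = MINIMUM,
                         maximum: Optional[str] = MAXIMUM) -> Dict[str, str]:
    """Devices that would be marked non-compliant (and lose access via Conditional Access), with reasons."""
    verdicts = {name: check_patch_level(ver, minimum, maximum) for name, ver in inventory.items()}
    return {name: v.reason for name, v in verdicts.items() if not v.allowed}


if __name__ == "__main__":
    for name, reason in noncompliant_devices(SAMPLE_INVENTORY).items():
        print(f"{name}: {reason}")
```

Note that a device newer than the configured maximum is also flagged, so the maximum must be raised when new cumulative updates roll out.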

I have uploaded a video tutorial to my YouTube channel. And this video has a more detailed explanation of how to create a new compliance policy for minimum and maximum patch levels supported within your organization.

In my previous post, I explained the best practices for building compliance policies for Windows devices. Get more details from “How to Setup Intune Compliance Policy for Windows 10 Devices“.

Navigate via Azure portal – Microsoft Intune – Device compliance – Policies and create a new compliance policy called “Restrict Window device depending on patches”.

[Figure 3: Use Intune to Restrict NON-Patched Windows Devices from Accessing eMail]

Resources


SCCM Intune Community Around Me

As David James mentioned in his tweet, the summary of 2017 for SCCM is 3 production releases (SCCM CB 1702, 1706, and 1710), 12 Tech Preview releases of SCCM CB, 100s of new features, 14k code check-ins + bug fixes, and now managing >100 million endpoints. In this post, we will see more about the 2017 SCCM ConfigMgr Intune community around me.

I could see there are new features released every week for Microsoft Intune. More details are available in “What’s new in Microsoft Intune”. Also, I could see the Intune community is growing strong around the world and in India.

During the Bangalore IT Pro event, I came to know that 99% of SCCM admins (who attended the event) realized they had to learn Intune, and they started to learn Intune.

Bangalore IT Pro SCCM Community

We recently conducted an in-person event for SCCM/Intune professionals all around India. This event was conducted at Microsoft office Bangalore. We had more than 80 SCCM professionals from different parts of India like Chennai, Hyderabad, Delhi, and Bangalore.

Follow the #BITPro Twitter handle to join the next events.

Roadmap of a Successful Blog


I started blogging in 2010, and I have more than 900 posts. 2017 was a very successful year for me in sharing my knowledge through my blog.

I started adding video tutorials to almost all the technical posts. How-to video guides are included for Intune, SCCM, and Windows 10. Thank you all for the great support over the years.

I’m working with other IT Pro colleagues to improve the blog experience and provide more valuable content to SCCM/Intune community. More news about this will be available in 2018. I’m excited about next year for SCCM/Intune community.

Subscribe to Anoop’s newsletter through the SUBSCRIBE button on the blog. Like the Facebook page to get updates on new posts from AnoopCNair.com. We have loads of SCCM and Intune-related videos on the Facebook page linked here.

SCCM Facebook Groups – Community


We have a great SCCM professional community available on Facebook. We have more than 11,200 members in this SCCM professional Facebook group.

If you would like to join the SCCM, Intune, and Desktop Facebook communities, please join them using the following links.

Subscribe SCCM Intune YouTube Channel

I have a YouTube channel with more than 830 subscribers, 156,360 views, and 160 video tutorials. I started concentrating on my YouTube channel in 2017, and 90% of my subscribers are from 2017. Most of the videos are on SCCM, Intune, and Windows 10.

ConfigMgr SCCM LinkedIn Group

This is one of my old SCCM LinkedIn groups, started in 2010. At that time, Facebook groups were not there, or at least were not famous. There were several different SCCM groups on LinkedIn, so I created this one for the Indian SCCM community.

We have more than 1900 members in this group. Some of them are still active. We announce Bangalore IT Pro events in this Indian SCCM Professionals LinkedIn group. This is for the people who don’t like Facebook or consider Facebook as a personal social media site.


WhatsApp SCCM Professional Group

I created a WhatsApp group for SCCM/Intune Professionals back in 2015. This is mainly to avoid people creating different WhatsApp groups in our Facebook SCCM group. I have created an official WhatsApp group for SCCM professionals after many discussions.

We have several admins in that WhatsApp group, and we don’t allow any spam/forwarded messages in that group apart from the Job/Opening of SCCM/Intune professionals. This is to help others get a better opportunity in their SCCM career.

We already crossed the maximum limit of a WhatsApp group (#1 SCCM Professional GRP – 256 members). After many thoughts, discussions, and market analysis, we decided to create another WhatsApp group (#2 SCCM Professional GRP), and we already have more than 100 members.

  • Join #2 SCCM Professional GRP HERE

Happy New Year and Best Wishes for 2018


Author

Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with more than 20 years of experience in IT (calculated in 2021). He is a blogger, speaker, and leader of the HTMD Community local user group. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Intune Decrypt Files Protected by WIP Policy

Let’s learn about Intune Decrypt Files Protected by WIP Policy. Windows Information Protection (WIP) is Microsoft’s solution for protecting against accidental data leakage. WIP is fully supported on Windows 10 Anniversary Update (1607) and later versions. This post covers how to decrypt files protected by an Intune or SCCM WIP policy.

Certificate Details – Intune/SCCM WIP Policies

An Encrypting File System (EFS) Data Recovery Agent (DRA) certificate is created and used in the WIP policy. The cipher /r command creates the certificate pair: the EFSDRA.CER and EFSDRA.PFX files.

EFSDRA.CER is used for encrypting data under the WIP policy. EFSDRA.PFX contains the private key and is used only during the decryption process. I have a post that explains “How to Create Configure and Deploy Windows 10 WIP Policies Using SCCM and Intune.”


Issue Statement – Personal Files Encrypted with WIP Policy

We may need to go through a migration process on the journey towards modern management. This happened during one of the user migrations, and it didn’t go well: the user’s files got encrypted with the WIP policy. As part of troubleshooting, the user un-enrolled and re-enrolled his Windows 10 device.

Access to the protected files was revoked during the troubleshooting process and the unenrollment from Intune. The user can’t open any of the files because they are encrypted by the WIP policy and certificate. The user re-enrolled the device in Intune, but the protected files still stay locked by the WIP certificate.

How to Decrypt WIP Protected Files

To decrypt the protected files, import the PFX file onto the computer where you want to perform the decryption. Be very careful here: the private key in the DRA .PFX file can decrypt any file protected by that WIP policy.

The PFX file must be stored offline. Keep any copies needed for regular use on a smart card with strong protection, and keep the master copies in a secured physical location.

  1. Import EFSDRA.pfx 

Double-click the EFSDRA.PFX file to start the Certificate Import Wizard. This wizard imports the certificate onto the user’s machine. Make sure you select Current User as the Store Location.

Browse to and select the EFSDRA.PFX file to import. The private key PFX is protected with a strong password, and you need to enter it to proceed with the wizard. In the import options, make sure you select “Include all extended properties.”

Select the certificate store in the import wizard. The best choice is the default, “Automatically select the certificate store based on the type of certificate.” Complete the wizard.

Confirm that the certificate and private key from the PFX file were imported successfully into the certificate store under Certificates – Current User – Personal – Certificates. Check the Intended Purposes column in the console to confirm a certificate with the File Recovery purpose is present.


2. Cipher /d command to Decrypt the Files

    C:>cipher /d "SCCM Intune.docx"

    Decrypting files in C:\WINDOWS\system32\

    SCCM Intune.docx [OK]

    1 file(s) [or directories(s)] within 1 directories(s) were decrypted.

Confirm that the private key (PFX) is imported into the certificate store of the machine. The next step is to run cipher /d "File_Name.XXX" from the directory where the protected files are stored.

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through the Windows event logs. Navigate to Applications and Services Logs\Microsoft\Windows and open the EDP-Audit-Regular and EDP-Audit-TCB logs.

Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
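The import, decryption and log-check steps above, put together as one PowerShell script. This is an added example, not code from the original post: the PFX location, the recovery folder and the one-hour event window are assumed values, and the File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1) is what the script uses to confirm the imported certificate really is a DRA certificate before any decryption runs.

```powershell
# Added example (not code from the original post). It walks the three steps
# above: import the DRA private key, decrypt the WIP-protected files, and
# read the EDP-Audit-TCB events that record each protection removal.
# Assumed values: $PfxPath, $TargetFolder and the one-hour event window.
param(
    [string]$PfxPath      = "D:\Offline\EFSDRA.PFX",       # assumed location of the DRA private key
    [string]$TargetFolder = "C:\Users\Public\WIP-Recovery"  # assumed folder holding the protected files
)

# 1. Import the PFX into Certificates - Current User - Personal (Cert:\CurrentUser\My).
$pfxPassword = Read-Host -Prompt "EFSDRA.PFX password" -AsSecureString
$dra = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword |
    Where-Object HasPrivateKey | Select-Object -First 1
if (-not $dra) { throw "No certificate with a private key was imported from $PfxPath." }

# 2. Check the "File Recovery" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1), the
#    purpose the post tells you to look for in the Intended Purposes column. Without
#    it, cipher /d cannot use this key to recover the files.
$fileRecoveryOid = "1.3.6.1.4.1.311.10.3.4.1"
$ekuExt = $dra.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $ekuExt -or -not ($ekuExt.EnhancedKeyUsages.Value -contains $fileRecoveryOid)) {
    throw "Certificate $($dra.Thumbprint) does not carry the File Recovery purpose; not a DRA certificate."
}

# 3. Decrypt every file under the folder (/s recurses). cipher marks each file [OK] or [ERR],
#    so the output is captured and summarised instead of scrolling past.
$output = & cipher.exe /d /s:$TargetFolder 2>&1
$decrypted = @($output | Where-Object { $_ -match '\[OK\]' })
$failed    = @($output | Where-Object { $_ -match '\[ERR\]' })
Write-Host ("Decrypted {0} item(s); {1} failure(s)." -f $decrypted.Count, $failed.Count)
$failed | ForEach-Object { Write-Warning $_ }

# 4. Remove the DRA private key from this machine now that recovery is finished,
#    in line with the post's advice to keep the PFX offline.
Remove-Item -Path "Cert:\CurrentUser\My\$($dra.Thumbprint)" -DeleteKey

# 5. Cross-check against the WIP audit log: Event ID 101 in the EDP-Audit-TCB channel
#    records each "Protection removed" action, as in the event shown above.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-EDP-Audit-TCB/Admin'
    Id        = 101
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'File'; e = { ($_.Message -split 'from the file: ', 2)[-1] } } |
    Format-Table -AutoSize
```

Run it as the user whose profile holds the protected files. The private key is deleted from the store at the end so the DRA key does not linger on the recovery machine, and the event query gives you a second record of exactly which files had protection removed.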

Windows 10 Quality Feature Update Policies for Intune Step by Step Guide

Windows 10 Quality Feature Update Policies for Intune Step by Step Guide. Microsoft released the Windows 10 1709 Fall Creators Update, and devices in the Current Branch (Semi-Annual Targeted) should receive the Windows 10 1709 update under Settings – Update & Security – Windows Update.

Microsoft Intune manages this Windows 10 device. In this post, we will see the Windows 10 1709 Fall Creators Update upgrade with Intune update rings.

There are many methods to upgrade an existing Windows 10 version to the latest version, 1709. You can upgrade Windows 10 with an ISO file available from Visual Studio Subscriptions (previously known as MSDN) or the VLSC (Volume Licensing Service Center).

If Microsoft Intune manages your devices, you can use a software update policy ring to manage Windows 10 feature updates.

Other related posts on Windows 10 Update Rings

  • FIX CBB Ring Devices are Getting CB Updates Intune Windows 10 Update Rings
  • Windows 10 1709 Fall Creators Update Upgrade with Intune Update Rings

Navigate via Microsoft Azure – Microsoft Intune – Software Updates to get to “Windows 10 Update Rings.” This is where you can create Windows 10 Semi-Annual Targeted and Semi-Annual update rings.

These two update rings in Intune control the Windows 10 upgrade behavior for your organization.

  • Windows 10 Semi-Annual Targeted Update Ring – all the devices in the Current Branch.
  • Windows 10 Semi-Annual Update Ring – all the devices in the Current Branch for Business.

Create Windows 10 Update Rings in Intune?

How do you create Windows 10 update rings in the Intune console? These Intune policy details are explained in one of my previous posts, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal.”

Navigate in the Intune console to Windows 10 Update Rings – Create Update Ring – Settings. Select the “Servicing Branch” option according to your requirements. Feature update deferral period (days) is another setting to configure as part of the Create Update Ring policy.

For example, if we set Servicing Branch = CB and Feature update deferral period (days) = 0, the device gets the Windows 10 1709 update on the day of release (day 0).

As I mentioned in the above paragraph, there are two types of Servicing Branches for Windows 10. Those servicing branches are Semi-Annual Targeted and Semi-Annual.

Select the CB servicing branch (Semi-Annual Targeted) to put devices in the first wave of Windows 10 feature upgrade deployment. The latest Windows 10 1709 Fall Creators Update is released only for the Semi-Annual Targeted branch.

How Do Windows 10 Update Rings Work?

Windows 10 update rings work flawlessly under the hood. I have not uploaded the Windows 10 1709 ISO or any files to Intune to deliver the update to the devices. Intune sets up two MDM policies on Windows 10 1607 or later devices.

So where are devices getting the Windows 10 feature update binaries from? Windows 10 devices get the feature update content/binaries from Windows Update for Business (WUfB).

Another important Windows 10 feature is Delivery Optimization, which finds the binaries on peer devices. These peer devices can be on the same network or on the internet.

Windows 10 Update Ring MDM policies?

The following are the two MDM policies that Intune sets on Windows 10 devices.

CB/CBB option (Update/BranchReadinessLevel):
  MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
  Registry path: \Microsoft\PolicyManager\default\Update\BranchReadinessLevel

Deferral period in days (Update/DeferFeatureUpdatesPeriodInDays):
  MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays
  Registry path: \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays
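To see what those two policies actually set on a device, here is an added PowerShell check (not code from the original post). It assumes the PolicyManager keys sit under HKLM:\SOFTWARE\Microsoft\PolicyManager (the post quotes only the trailing "\Microsoft\PolicyManager\default\Update\..." part) and that the values Intune applied live in the current\device branch while default holds the built-in defaults; the 16/32 decoding of BranchReadinessLevel follows the Policy CSP's documented values for Semi-Annual Channel (Targeted) and Semi-Annual Channel.

```powershell
# Added example (not code from the original post): read back the two MDM policies
# an Intune update ring writes to a Windows 10 device and decode them.
# Assumptions: the PolicyManager keys live under HKLM:\SOFTWARE\Microsoft\PolicyManager
# (the post quotes only the trailing "\Microsoft\PolicyManager\default\Update\..." part);
# values applied by Intune are read from "current\device", built-in defaults from "default".
$policyRoot = "HKLM:\SOFTWARE\Microsoft\PolicyManager"

# Policy CSP values for Update/BranchReadinessLevel:
#   16 = Semi-Annual Channel (Targeted), the former Current Branch (CB)
#   32 = Semi-Annual Channel, the former Current Branch for Business (CBB)
$branchNames = @{ 16 = "Semi-Annual Targeted (CB)"; 32 = "Semi-Annual (CBB)" }

function Get-UpdateRingPolicy {
    param([string]$Branch)  # "current\device" = applied policy, "default" = built-in default
    $key = Join-Path $policyRoot "$Branch\Update"
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $level = $props.BranchReadinessLevel
    $name  = if ($null -ne $level -and $branchNames.ContainsKey([int]$level)) { $branchNames[[int]$level] } else { "unknown or not set" }
    [pscustomobject]@{
        Source               = $Branch
        BranchReadinessLevel = $level
        ServicingBranch      = $name
        DeferFeatureDays     = $props.DeferFeatureUpdatesPeriodInDays
    }
}

# Show the applied ring next to the default so a wrong CB/CBB choice or a deferral
# that never arrived from Intune stands out immediately.
"current\device", "default" | ForEach-Object { Get-UpdateRingPolicy -Branch $_ } | Format-Table -AutoSize
```

Run it on a managed device after an Intune sync. A device that should be in the first wave shows BranchReadinessLevel 16 and DeferFeatureDays 0 under current\device; if that row is missing or still matches the default row, the update ring has not been applied to the device yet.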

Windows 10 Upgrade End User Experience

In the following video, the Windows 10 1709 Fall Creators Update is delivered through Windows Update for Business. The video gives an end-to-end view of the Windows 10 1709 Fall Creators Update upgrade process via Windows Update for Business (WUfB).

As you can see in the video, the Windows 10 device is in the CB (Semi-Annual Targeted) channel, and the deferral period policy is set to zero days.
