How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10

I have seen a scenario where Intune is used exclusively to manage iOS and Android devices.

Windows devices are managed through SCCM, and the requirement is to prevent Windows devices from enrolling in Intune at all.

We can achieve this with the Intune enrollment restriction policies. I have a separate blog post explaining “How to Use Intune Enrollment Restriction Rules“.

Video Tutorial – Disable Windows Devices from Enrolling to Intune

Add Work or School Account

I tested Windows 10 enrollment to Intune via “Add Work or School Account“. This was tested successfully before the Windows restriction was configured in the Intune console.

Check out the following message after successful enrollment of the Windows 10 device. More details are in the above video.

“We’ve added your account successfully, and you now have access to your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.”


Change the Intune Device Enrollment Policy to Restrict Windows Device

In the Azure portal, navigate to Microsoft Intune – Device Enrollment – Enrollment restrictions. You will see two kinds of Intune enrollment restriction policies: 1. Device Type Restrictions and 2. Device Limit Restrictions. Device Type Restrictions is where we can block Windows (8.1+) devices from enrolling in Intune.

This policy prevents Windows 8.1 and later devices from enrolling in Intune management. That includes Windows 10 desktop enrollment, and Windows 10 Mobile devices are blocked as well once the policy is configured.


End-User Experience of Windows 10 Device Restriction

I successfully added a Work or School account on a Windows 10 1703 device. The one change I noticed during the enrollment process is that it didn’t prompt for MFA. After this enrollment, the message I received was different from the one above. The message was:

We’ve added your account successfully, and you now have access to your organization’s apps and Services.

Moreover, the machine was NOT listed in the Company Portal application under “My Devices”. So the account addition did not fail as I had expected; it completed without any error, and only the MDM part of the enrollment was missing.

But the main question is whether this device is managed by Intune and receives Intune policies. The answer is in the next section.


Experience on Azure – Intune Portal for Windows 10 Restriction

The Windows 10 device was NOT listed under Microsoft Intune – Devices – All Devices in the Azure portal. But the device was listed in Azure AD, as you can see in the video tutorial.

The Windows 10 device was listed in Azure AD under the user’s devices (Microsoft Azure – Users and groups – All users > Kaith Nair > Devices). But, as you can see in the screen capture, the Windows device is NOT MANAGED by Intune.

Hence the device won’t receive any Intune policies and won’t be managed through Intune. Note what the restriction did and did not do: it blocked the MDM enrollment only; the work account was still added and the device is still registered in Azure AD. Where Conditional Access requires a compliant or Intune-managed device, the device will therefore be denied access to corporate mail, SharePoint, OneDrive, and Skype for Business.
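As an added check (example code written for this page, not part of the original post), the following PowerShell distinguishes on the device itself the two outcomes described above: a device that is only registered in Azure AD through “Add work or school account” versus a device that actually completed an Intune MDM enrollment. It assumes a Windows 10/11 device with dsregcmd.exe present and reads the enrollment records under HKLM\SOFTWARE\Microsoft\Enrollments; the ProviderID value “MS DM Server” is the one Intune writes for its enrollments.

```powershell
# Added example, not from the original post. Classifies a Windows device as
# "registered in Azure AD only" versus "MDM-enrolled in Intune", which is exactly
# the split the Windows enrollment restriction produces.
function Get-MdmEnrollmentState {
    [CmdletBinding()]
    param(
        # Lines of 'dsregcmd /status'; captured live when not supplied (assumes dsregcmd.exe exists).
        [string[]]$DsregOutput = (& "$env:SystemRoot\System32\dsregcmd.exe" /status)
    )

    # Fold "Key : Value" lines into a hashtable. Values may contain ':' themselves (URLs),
    # so the key is restricted to letters and the first ':' is taken as the separator.
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # Every MDM enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>;
    # Intune enrollments carry ProviderID = "MS DM Server".
    $intuneEnrollments = @(
        Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.ProviderID -eq 'MS DM Server' }
    )

    $azureAdJoined   = $state['AzureAdJoined']   -eq 'YES'   # device-level Azure AD join
    $workplaceJoined = $state['WorkplaceJoined'] -eq 'YES'   # "Add work or school account" registration

    if ($intuneEnrollments.Count -gt 0) {
        $verdict = 'MDM-enrolled in Intune: policies and compliance evaluation apply'
    } elseif ($azureAdJoined -or $workplaceJoined) {
        $verdict = 'Registered in Azure AD only: no Intune management (restriction in effect or never enrolled)'
    } else {
        $verdict = 'Not registered with Azure AD'
    }

    [pscustomobject]@{
        AzureAdJoined     = $azureAdJoined
        WorkplaceJoined   = $workplaceJoined
        IntuneEnrollments = $intuneEnrollments.Count
        EnrollmentIds     = @($intuneEnrollments | ForEach-Object { $_.PSChildName })
        Verdict           = $verdict
    }
}

Get-MdmEnrollmentState | Format-List
```

The state observed in this post is WorkplaceJoined = True with zero Intune enrollments. If the requirement is also to stop the Azure AD registration itself, that is governed by the Azure AD device settings for user registration, not by Intune enrollment restrictions.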


References

  • Set Intune enrollment restrictions policies
  • How to configure device restriction settings in Microsoft Intune

Author

Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Intune MSI Application Deployment Video Guide Microsoft Endpoint Manager Step by Step Guide

How do you upload and deploy MSI applications to Windows 10 machines with Intune via the Azure console? MSI application deployment has been one of the most used features in Intune (at least for a couple of years).

In this video post, we will see the step-by-step MSI application deployment (Intune LOB application deployment) process.

NOTE! – Do not include the msiexec command or its arguments, such as /i or /x; Intune adds them automatically. For more information, see Command-Line Options. If the .MSI file needs additional command-line options, consider using Win32 app management instead.

Introduction – Intune MSI Application Deployment

This post is also an end-to-end guide to creating MSI applications in Intune via the Azure portal. I already blogged about MSI deployment via the MDM channel in “How to Deploy MSI App to Intune MDM Using SCCM CB and Intune“. This post covers:

  • Uploading the MSI LOB app to Intune
  • Deployment or assignment options
  • End-user experience on the Windows 10 machine
  • Troubleshooting with event logs and Pending Sync
  • How to get application installation status back to the Intune console

Upload MSI LOB application to Intune

Uploading the MSI LOB app to Intune is a straightforward process. Log in to the Azure portal and navigate to Microsoft Intune -> Mobile Apps -> Apps -> + Add, and select the app type “Line-of-business app”. Click “App package file”, browse to the MSI source file, and click OK, as shown in the video.


You have to fill in the “App information” section before the MSI upload to Intune can proceed; a couple of the fields are mandatory. Command-line options are also available in this section. As you can see in the video, I did not use any silent switch for the MSI: by default, Intune/MDM on Windows 10 installs LOB MSI apps silently, without any user interaction or input. Click ADD to complete the MSI app creation in the Azure portal.

Deployment or Assignment options of MSI Intune LOB application deployment

Wait until the application has uploaded to Intune successfully before creating an assignment (deployment). An assignment is the method we use to deploy MSI applications to Windows 10 devices. You can target Azure AD dynamic user groups or device groups; in this video/scenario I used an AAD dynamic user group to target the MSI LOB app. More details are in the video. The assignment types available in Intune are:

  • Available – The user goes to the Company Portal and triggers the installation
  • Not applicable – The app is not installed
  • Required – Installed automatically, without any user interaction
  • Uninstall – Removes the application from the device
  • Available with or without enrollment – Mobile Application Management (MAM) scenarios without MDM enrollment


End-User Experience on Windows 10 machine

Windows 10 machines receive the new application deployment policy once the assigned user is logged in and the device has synced with the Intune service. To speed up the deployment, you can trigger that sync manually.

Go to “Settings – Accounts – Access work or school – (your work or school account) – Info” and click Sync. This initiates a sync between the Windows 10 machine and the Intune service, and after a successful sync the machine has the latest application policies.

Troubleshooting with event logs and Pending Sync

Unlike SCCM/ConfigMgr deployments, the MDM channel on Windows 10 gives us no client log files to follow the application installation status. So you rely on the Company Portal and the Windows event log to troubleshoot MSI application deployments.

As you can see in the following picture, the installation is waiting in “Pending Sync“. In this state you can immediately initiate a manual sync, as described above, to kick-start the installation.


Event Viewer – Windows Logs – Application (source MsiInstaller) is where you can see the result of the MSI installation performed through the MDM/Intune channel on the Windows 10 machine. The MDM client’s own side of the process is recorded under Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.

How to get application installation status messages back to Intune console

To get the installation status of the MSI LOB app into Intune on the Azure portal, the device has to sync with the Intune service. The installation status stays blank in the Intune blade until the device syncs again after the application has been installed on the Windows 10 machine.

Initiate the sync via “Settings – Accounts – Access work or school – (your work or school account) – Info” and click Sync. Once the sync completes successfully, check the Device Install Status for the app in Intune.
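To put the troubleshooting and status-reporting steps above into a repeatable check, here is an added PowerShell example (written for this page, not the post’s own code). It reads the MSI outcome from the Application log and the MDM client’s activity from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log, and it triggers the same Intune sync as the Settings – Info – Sync button by starting the PushLaunch scheduled task that every MDM enrollment creates. The product name “7-Zip” at the bottom is a placeholder; substitute the product name of the MSI you deployed.

```powershell
# Added example, not from the original post. Pulls the install outcome of an MSI LOB app
# from the Windows event logs the post points at, and forces an Intune sync.
function Get-IntuneMsiInstallEvents {
    param(
        # Assumed to be a substring of the MSI product name (see the app's "App information").
        [Parameter(Mandatory)][string]$ProductName,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # MsiInstaller event IDs: 1033/11707 = product installed, 1034 = removed, 11708 = install failed.
    $resultById = @{ 1033 = 'Installed'; 11707 = 'Installed'; 1034 = 'Removed'; 11708 = 'Install failed' }

    # Windows Installer reports its outcome to Windows Logs > Application, source MsiInstaller.
    $msiEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = @($resultById.Keys)
        StartTime    = $since
    } | Where-Object { $_.Message -like "*$ProductName*" }

    # The MDM client logs the EnterpriseDesktopAppManagement CSP activity (download, install,
    # status reporting) in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log.
    $mdmEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        StartTime = $since
    } | Where-Object { $_.Message -match 'EnterpriseDesktopAppManagement|\.msi' }

    @($msiEvents) + @($mdmEvents) | Where-Object { $_ } | ForEach-Object {
        $result = if ($resultById.ContainsKey($_.Id)) { $resultById[$_.Id] } else { 'MDM client' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Log     = $_.LogName
            Id      = $_.Id
            Result  = $result
            Message = ($_.Message -split "`r?`n")[0]   # first line only; full text is in Event Viewer
        }
    } | Sort-Object Time
}

# Each MDM enrollment creates a PushLaunch scheduled task under
# \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>; starting it forces a sync with Intune,
# which is what the Settings > Info > Sync button does.
function Start-IntuneSync {
    $tasks = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
             Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
    if (-not $tasks) { throw 'No MDM enrollment (PushLaunch task) found on this device.' }
    $tasks | Start-ScheduledTask
    Start-Sleep -Seconds 5
    Get-ScheduledTask -TaskName 'PushLaunch' |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
        Select-Object TaskPath, State, @{ n = 'LastRun'; e = { ($_ | Get-ScheduledTaskInfo).LastRunTime } }
}

Start-IntuneSync
Get-IntuneMsiInstallEvents -ProductName '7-Zip' | Format-Table -AutoSize
```

Run it after the app shows “Pending Sync” in the Company Portal: the sync moves the install along, and a subsequent sync is what carries the 1033 or 11708 outcome back to the Intune console as the Device Install Status.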


References

  • How to add an app to Microsoft Intune
  • How to add Windows line-of-business (LOB) apps to Microsoft Intune


Differences Between Intune Enrollment Restriction Device Restriction Profile

What is the difference between an Intune enrollment restriction and a device restriction profile? I was going through the TechNet documentation and got confused between enrollment restriction policies and device restriction policies. I have posted about both of them:

1. “Video Experience Intune Device Restriction Policy Deployment to Windows 10 Device” 

2. “How to Restrict Personal Android Devices from Enrolling into Intune“.

Device restrictions are entirely different from enrollment restrictions. The two have different use cases, which this post explains. Both are used in modern device management with Intune and Azure AD.

Intune Device Restriction Profiles

Intune device restriction profiles are configuration policies similar to GPOs in the traditional device management world. Most enterprise organizations use GPOs to lock down corporate-owned devices; device restriction profiles are the equivalent security settings applied through MDM, and they control a wide range of settings and features on iOS, Android, macOS, and Windows 10 devices.

This type of profile covers categories including security, browser, hardware, and data-sharing settings. For example, you can create a device restriction profile that prevents users of Windows devices from sharing their internet connection or using Cortana.

Intune device restriction profiles can be deployed to specific users/devices via AAD groups, whereas Intune enrollment restriction policies (at the time this was written) could not be assigned to specific user/device groups in Azure AD. More details are in the following sections of this post.

Enrollment Device Platform Restrictions

Enrollment device platform restrictions, by contrast, decide which devices are allowed to enroll at all. Navigate to Devices – Enroll Devices – Enrollment Device Platform Restrictions. For each platform the policy offers:

  • MDM – Allow or Block
  • Allowed OS versions – minimum/maximum range
  • Personally owned devices – Allow or Block

Intune Enrollment Restrictions

Enrollment is the first part of Mobile Device Management (MDM) and the first step toward management. Why do we need to enroll a mobile device into Intune? When a device is enrolled in Intune, it is issued an MDM certificate, which that device then uses to authenticate to the Intune service.

In several scenarios we need to block employees from enrolling their personal devices into the corporate management platform, or block devices that are not secure enough (for example, devices on older OS versions) from enrolling in Intune. How is this possible from Intune?

Navigate through Microsoft Intune – Enroll devices – Enrollment restrictions. You will see two kinds of Intune enrollment restriction policies:

1. Device Type Restrictions and 2. Device Limit Restrictions.

Device Type Restrictions define which platforms, OS versions, and management types (corporate or personally owned) can enroll; all other devices are blocked from Intune enrollment.

The only problem with Intune enrollment restrictions that I can think of: at the time this was written, device type restrictions were deployed to “All Users” and could not be assigned to a specific user group; they were tenant-wide configurations.

Device Limit Restrictions in Intune

Navigate to Devices – Enroll Devices – Enrollment Device Limit Restrictions to configure how many devices a user may enroll.



Intune How to Setup Android Work Support Step by Step Guide Microsoft Endpoint Manager

Google’s strategic direction is to support Android device management only via the Android for Work channel (now called Android Enterprise), and Microsoft Intune’s strategy follows it. In this post, we will see how to set up Android for Work support in the Intune portal.

Latest Post – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

I have blogged about enrolling Android for Work devices via Intune in “Intune How to Enroll Android for Work Supported Devices for Management“. The video embedded in that post explains the process of enabling Android for Work support in the Intune Silverlight portal.

As you can see in the video guide attached to this post, we will see how to unbind or change the Gmail/Google account used to set up Android for Work support in the Intune Azure portal.

Once the existing Google account has been removed, we can use a different Google account to configure Android for Work support in the Intune Azure console.

How to Unbind Android Work Account from Intune Azure Portal


We need to unbind the account from the Intune Azure console when we want to change the Google account used for Android for Work. The Unbind button in the Intune Azure portal removes support for Android for Work enrollment and removes the relationship between that Google account and Intune.

I have seen some delay in unbinding the Google account from the Intune blade in the Azure portal. As you can see in the video, I removed the Google account from the Android for Work settings in the Intune blade, but it took about 2 minutes for the change to be reflected there. The removal was reflected immediately in the Intune Silverlight portal.

Setup Android Work Support in Intune Azure Portal

The setup of Android for Work support in the Intune Azure portal is very similar to the one in the Silverlight portal. Click the Configure button, which opens a pop-up where you log in with the new Google account. The Google configuration wizard then sets up the connection between Intune and the Google APIs (Google Play for Work, Android for Work management, etc.).


Setting up Android Work Enrollment & Management via Intune

The Android for Work enrollment settings are also the same as in the Intune Silverlight console. We get three options for Android for Work enrollment in the Intune Azure portal:

1. Manage all devices as Android – This is the opposite of Google’s strategic approach to managing Android devices.
2. Manage supported devices as Android for Work – As per my testing, all Android 6.0 and later devices are supported for Android for Work enrollment and management via Intune. I have a blog post that explains A4W supportability: “Intune Entry Level Low-Cost Device Support for Android for Work Enrollment“. Hence this is my preferred option for enrollment.
3. Manage supported devices for users only in these groups as Android for Work – Use this for testing or a pilot if your organization doesn’t have a separate test Intune environment.


Intune Create SCEP Certificate Profiles in Endpoint Manager Deploy SCEP profiles to Windows 10 Devices

In this post, we will go through creating and deploying SCEP certificate profiles to Windows 10 devices (How to Deploy SCEP Certificates to Windows Devices).

We need to take care of some prerequisites before creating SCEP certificate profiles in Intune: the on-prem infrastructure components (a CA and an NDES server) must be in place first. Related post > Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

NDES setup for SCEP

The NDES server with the Intune certificate connector should be installed in your data center; it must be able to talk to the CA server and, if you publish NDES through Azure AD Application Proxy, to the App Proxy connector. I’m not going to cover the setup of NDES and the Azure AD App Proxy connector here; those two configurations are complex and are well explained in other blogs.

Related Post – https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-How-to-configure-NDES-for-SCEP-certificate/ba-p/455125

All these configurations are explained in the video above or you can watch it here

Deploying SCEP certificates to Windows 10 devices lets them authenticate to corporate resources such as Wi-Fi and VPN profiles. Before creating the Windows 10 SCEP certificate profile in Intune, you need to create and deploy the certificate chain: the Root CA certificate and the Intermediate/Issuing CA certificate.

There are three certificate profile types in Intune: Trusted certificate, SCEP certificate, and PKCS certificate. We are not going to use the PKCS certificate profile for SCEP deployment.


Following are the high-level tasks for deploying SCEP certificates to Windows 10 devices via Intune:

1. Create and deploy the Windows 10 Root CA certificate profile using the Intune Azure portal
2. Create and deploy the Windows 10 Intermediate/Issuing CA certificate profile using the Intune Azure portal
3. Create and deploy the SCEP certificate profile to Windows 10 devices using the Intune Azure portal

Create and Deploy Windows 10 Root CA, Windows 10 Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create a Root CA certificate profile. Navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform Windows 10 and the profile type Trusted certificate. Browse to and upload your Root CA certificate (name of the cert = ACN-Enterprise-Root-CA.CER) exported from your CA server.

In the Windows 10 Trusted certificate profile we need to select a destination store. For the root cert profile, select Computer certificate store – Root. Once the settings are saved, deploy the root cert profile to the required Windows 10 devices.


We need to follow the same process for the Intermediate/Issuing CA certificate profile. Make sure that you upload the issuing CA cert (name of the cert = ACN-Issuing-CA-PR1.CER) from your CA server.

The other point to take care of is the destination store: for the issuing CA, select Computer certificate store – Intermediate. Placing an issuing CA in the Root store would make it a trust anchor in its own right, which is not what you want. Click OK – Create to finish creating the issuing cert profile.

Deploy Windows 10 Root CA and Intermediate/Issuing CA Certificate Profiles to the same group of Windows 10 devices. We can use either AAD User or Device group to deploy these profiles. However, I would prefer to use AAD dynamic device groups wherever possible.

Create and Deploy Windows 10 SCEP profile via Intune – Intune Create SCEP Certificate Profiles

To create and deploy a SCEP profile to Windows 10 devices, navigate through Microsoft Intune – Device Configuration – Profiles – “Create profile“. Select the platform as Windows 10 and profile type as SCEP Certificate.

There are some specific settings you need to enter when you create a SCEP profile for Windows 10 devices. Many of these values differ according to your CA server setup and the other on-prem components.


The certificate validity period is 1 year, which is the industry standard. There are four options for the Key storage provider (KSP):

  • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
  • Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
  • Enroll to Passport (Windows Hello for Business), otherwise fail
  • Enroll to Software KSP

In this scenario I selected “Enroll to TPM KSP if present, otherwise Software KSP”, so the private key stays in the TPM on hardware that has one. The subject name format depends on your organizational requirements; here I selected the common name as email and the subject alternative name as UPN. Key usage is digital signature and key encipherment, the key size is 2048, and the hash algorithm (SHA-2) should be the latest your CA supports.

Another important point is to link the SCEP profile with the Root CA certificate profile you already created. If you have not created the Root CA and Intermediate/Issuing CA certificate profiles in Intune, it won’t let you create a SCEP profile. Extended key usage is another setting, and it should be populated automatically; one example is “Client Authentication – 1.3.6.1.5.5.7.3.2”.


The last set of settings for Windows 10 SCEP profiles in Intune is Enrollment Settings. I recommend keeping the certificate renewal threshold at the default value of 20%. The SCEP server URLs (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll) are very important: these are the URLs the Windows 10 devices contact to request SCEP certificates.

So they must be reachable from the internet. As I mentioned above, you can use Azure AD Application Proxy URLs here; in this scenario, I use the Azure AD App Proxy published URL.

The SCEP-issued certificate lands in the user’s store with the issuing CA as its issuer, in this lab “ACN-Issuing-CA-PR5“.

End-User Windows 10 Certificate Store Experience – Intune Create SCEP Certificate Profiles

SCEP certificate: Current User\Personal\Certificates, issued by “ACN-Issuing-CA-PR5”

Root CA certificate: Local Computer\Trusted Root Certification Authorities\Certificates = ACN-Enterprise-Root-CA; Issuing CA certificate: Local Computer\Intermediate Certification Authorities\Certificates = ACN-Issuing-CA-PR1
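As an added verification step (example code written for this page, not part of the original post), the following PowerShell checks on the Windows 10 device that the trusted-certificate and SCEP profiles produced what the section above describes: root in the Trusted Root store, issuing CA in the Intermediate store (and not mistakenly in Root), and a SCEP-issued certificate in the user’s Personal store with a client-authentication EKU, a 2048-bit key, and a TPM-backed key where the “TPM KSP if present” option succeeded. The CA names default to this post’s lab names (ACN-Enterprise-Root-CA, ACN-Issuing-CA-PR*); pass your own.

```powershell
# Added example, not from the original post. Verifies on a Windows 10 device that the
# trusted-certificate and SCEP profiles landed as intended.
function Test-IntuneScepDeployment {
    param(
        [string]$RootCaName    = 'ACN-Enterprise-Root-CA',
        [string]$IssuingCaName = 'ACN-Issuing-CA-PR',   # prefix: PR1 in the chain, PR5 signs the leaf
        [int]$MinKeySize       = 2048
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU the profile should carry

    # Trusted certificate profiles: root -> LocalMachine\Root, issuing CA -> LocalMachine\CA.
    $root    = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$RootCaName*" })
    $issuing = @(Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Subject -like "*CN=$IssuingCaName*" })
    # An issuing CA dropped into the Root store by a mis-set destination store widens trust,
    # so it is reported separately rather than counted as "present".
    $issuingInRoot = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*CN=$IssuingCaName*" })

    # SCEP profile with a user subject (CN = email, SAN = UPN) -> CurrentUser\My.
    $leaf = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Issuer -like "*CN=$IssuingCaName*" -and $_.HasPrivateKey } |
            Sort-Object NotAfter -Descending | Select-Object -First 1

    $findings = [ordered]@{
        RootInTrustedRootStore     = $root.Count -gt 0
        IssuingInIntermediateStore = $issuing.Count -gt 0
        IssuingWronglyInRootStore  = $issuingInRoot.Count -gt 0
        ScepLeafPresent            = $null -ne $leaf
    }

    if ($leaf) {
        $rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($leaf)
        $rsaPub  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
        # CNG keys expose their provider; "Microsoft Platform Crypto Provider" means the key
        # was generated in and never left the TPM, which is what the TPM KSP option aims for.
        $provider = if ($rsaPriv -is [System.Security.Cryptography.RSACng]) { $rsaPriv.Key.Provider.Provider } else { 'non-CNG / unavailable' }
        $ekuExt   = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids  = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        $findings.Subject          = $leaf.Subject
        $findings.Issuer           = $leaf.Issuer
        $findings.HasClientAuthEku = $ekuOids -contains $clientAuthOid
        $findings.KeySizeOk        = $rsaPub.KeySize -ge $MinKeySize
        $findings.KeyProvider      = $provider
        $findings.TpmBacked        = $provider -eq 'Microsoft Platform Crypto Provider'
        $findings.ChainBuilds      = $leaf.Verify()   # succeeds only if the root/issuing profiles above arrived
        $findings.DaysToExpiry     = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    }
    [pscustomobject]$findings
}

Test-IntuneScepDeployment | Format-List
```

Run it in the user’s own session (not elevated as another account), because the SCEP certificate is in the Current User store. A result of TpmBacked = False on TPM hardware means the “if present” fallback to the software KSP took effect and is worth investigating before relying on the certificate for Wi-Fi or VPN access.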


Resources

  • Configure and manage SCEP certificates with Intune – New Azure Portal
  • How to configure certificates in Microsoft Intune – New Azure Portal
  • How to Protect NDES with Azure AD Application Proxy


Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices using Endpoint Manager

We need to take care of some prerequisites before creating SCEP certificate profiles in Intune: the on-prem infrastructure components (a CA and an NDES server) must be in place first.

The NDES server with the Intune certificate connector should be installed in your data center; it must be able to talk to the CA server and, if you publish NDES through Azure AD Application Proxy, to the App Proxy connector. Related post – Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com).

I’m not going to cover the setup of NDES and the Azure AD App Proxy connector here; those two configurations are complex and well explained in many other blogs. This post covers how to create and deploy a SCEP profile to iOS devices via the Intune blade in the Azure portal.

All these configurations are explained in the video above or you can watch it here

Introduction – Intune Create SCEP Certificate Profiles Deploy SCEP profiles to iOS Devices

Deploying SCEP certificates to iOS devices lets them authenticate to corporate Wi-Fi, VPN profiles, etc. Before creating the iOS SCEP certificate profile in Intune, you need to create and deploy the certificate chain: the Root CA certificate and the Intermediate/Issuing CA certificate.

There are three certificate profile types in Intune: Trusted certificate, SCEP certificate, and PKCS certificate. We are not going to use the PKCS certificate profile for SCEP deployment. Following are the high-level tasks for deploying SCEP profiles to iOS devices:

  1. Create and deploy the iOS Root CA certificate profile using the Intune Azure portal
  2. Create and deploy the iOS Intermediate/Issuing CA certificate profile using the Intune Azure portal
  3. Create and deploy the SCEP certificate profile to iOS devices using the Intune Azure portal

Create and Deploy iOS Root CA, iOS Intermediate/Issuing CA Certificate Profiles

As the first step, we need to create a Root CA certificate profile. Navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. Select the platform iOS and the profile type Trusted certificate. Browse to and upload your Root CA certificate (name of the cert = ACN-Enterprise-Root-CA.CER) exported from your CA server.

Once the settings are saved, deploy the root cert profile to the required iOS devices. The same process is followed for the Intermediate/Issuing CA certificate profile.

Make sure that you upload the issuing CA cert (name of the cert = ACN-Issuing-CA-PR1.CER) from your CA server. All these configurations are explained in the video.

Create and Deploy iOS SCEP Certificate Profile for iOS Devices

To create a SCEP certificate profile, navigate through Microsoft Intune – Device Configuration – Profiles – Create profile. For the iOS SCEP certificate, select the profile type “SCEP certificate” and the platform iOS.

The next step is configuring the settings. These settings are very important, and you need to consult your CA team when you create the SCEP certificate profile, because many of the values differ according to your CA server setup and the other on-prem components.

The certificate validity period is 1 year, which is the industry standard. The subject name format depends on your organization’s preference; in this scenario I selected the common name as email and the subject alternative name as UPN. Key usage is digital signature and key encipherment, and the key size is 2048.

Another important point is to link the SCEP certificate profile with the Root CA certificate profile you already created; if you have not created a Root CA certificate profile in Intune, it won’t let you create a SCEP profile. Extended key usage is another setting, and it should be populated automatically; one example is Client Authentication – 1.3.6.1.5.5.7.3.2.


The last set of settings for iOS SCEP profiles in Intune is Enrollment Settings. I would recommend keeping the certificate renewal threshold at the default value of 20%. The SCEP server URLs are very important: these are the URLs the iOS devices contact to request their SCEP certificates.

So, these URLs must be reachable from the internet. As I mentioned above, you can use Azure AD App Proxy URLs here (e.g., https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll). In this scenario, I will use the Azure AD App Proxy setup. All these configuration details are explained in the video here.

The issued SCEP certificate will appear in the following format: “ACN-Issuing-CA-PR5“.
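To make the settings above concrete, here is an added example (my code, not the blog’s or Microsoft’s) that builds the request body for an iOS SCEP profile and lints it against the guidance in this section: a linked root profile, an https SCEP URL that is not an internal-only hostname, a 2048-bit key, the 20% renewal threshold, and the Client Authentication EKU carrying the RFC 5280 id-kp-clientAuth OID 1.3.6.1.5.5.7.3.2. The property names follow the Microsoft Graph `iosScepCertificateProfile` resource as I know it and should be checked against the Graph reference; the profile id and the `.local` hostname in the test data are constructed placeholders. Nothing here talks to a tenant.

```python
"""Build and sanity-check an Intune iOS SCEP certificate profile body (offline)."""
from urllib.parse import urlparse

# RFC 5280 id-kp-clientAuth, the EKU the post's profile uses.
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"

# Constructed placeholders standing in for a real tenant's values.
ROOT_CERT_PROFILE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
SCEP_URL = "https://acnndes-sccz.msappproxy.net/certsrv/mscep/mscep.dll"


def build_ios_scep_profile(display_name, root_cert_profile_id, scep_urls,
                           validity_years=1, renewal_threshold=20):
    """Return a Graph-style body mirroring the settings described in the post.

    Property names are assumed from the iosScepCertificateProfile resource.
    """
    return {
        "@odata.type": "#microsoft.graph.iosScepCertificateProfile",
        "displayName": display_name,
        "certificateValidityPeriodScale": "years",
        "certificateValidityPeriodValue": validity_years,
        "renewalThresholdPercentage": renewal_threshold,
        "subjectNameFormat": "commonNameAsEmail",
        "subjectAlternativeNameType": "userPrincipalName",
        "keyUsage": "digitalSignature,keyEncipherment",
        "keySize": "size2048",
        "extendedKeyUsages": [
            {"name": "Client Authentication", "objectIdentifier": CLIENT_AUTH_OID}
        ],
        "scepServerUrls": list(scep_urls),
        # Links the SCEP profile to the trusted root profile created first.
        "rootCertificate@odata.bind": (
            "https://graph.microsoft.com/beta/deviceManagement/"
            f"deviceConfigurations/{root_cert_profile_id}"
        ),
    }


def lint_scep_profile(profile):
    """Return a list of findings; an empty list means the body follows the post."""
    findings = []
    if "rootCertificate@odata.bind" not in profile:
        findings.append("no trusted root profile linked; Intune will not accept this")
    if not profile.get("scepServerUrls"):
        findings.append("no SCEP server URL; devices have nowhere to enrol")
    for url in profile.get("scepServerUrls", []):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"SCEP URL is not https: {url}")
        host = parsed.hostname or ""
        # Only obvious internal names are caught; a real check would resolve the host.
        if host.endswith(".local") or "." not in host:
            findings.append(f"SCEP URL hostname is not internet-reachable: {url}")
    if profile.get("keySize") != "size2048":
        findings.append("key size should be 2048")
    if profile.get("renewalThresholdPercentage") != 20:
        findings.append("renewal threshold differs from the recommended 20%")
    for eku in profile.get("extendedKeyUsages", []):
        if (eku.get("name") == "Client Authentication"
                and eku.get("objectIdentifier") != CLIENT_AUTH_OID):
            findings.append(
                f"Client Authentication EKU has OID {eku.get('objectIdentifier')}, "
                f"expected {CLIENT_AUTH_OID}")
    return findings


if __name__ == "__main__":
    body = build_ios_scep_profile("ACN iOS SCEP", ROOT_CERT_PROFILE_ID, [SCEP_URL])
    print(lint_scep_profile(body) or "profile OK")
```

Run the lint before creating the profile; the same checks are worth repeating whenever the App Proxy URL or the issuing CA changes.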

Resources

  • Configure and manage SCEP certificates with Intune – New Azure Portal – here
  • How to configure certificates in Microsoft Intune – New Azure Portal – here
  • How to Protect NDES with Azure AD Application Proxy – here

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Learn How to Create Deploy Security Policies for Android Devices using Endpoint Manager Intune

Android for Work Device Restriction Policy deployment is, in effect, the security policy for Android devices. These security policies are important to secure the corporate data and applications on those devices.

In this post, we will see how to create and deploy a Security Policy for Android devices via the Intune blade in the Azure portal. Intune compliance policies are another set of policies that we need to set up for Android device security.

I have a post about setting up compliance policies for Android devices “How to Plan and Design Intune Compliance Policy for Android Devices“. Latest post – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com).

How to Create Security Policy for Android Devices

You can create an Intune device restriction policy for Android for Work from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Android for Work as the platform; the selection of the platform is very important.

Also, you need to select the profile type while creating the Intune configuration restriction policy; in my scenario, it’s the Device restrictions profile type. The name of the policy is Android Restriction policy, as you can see in the video.

There are two categories of device restriction settings for Android for Work devices: Work profile settings and Device password. Again, I won’t suggest setting up a device password policy as part of the configuration policy when you already have a compliance policy setting for the device password.

Data sharing between work and personal profiles settings specify whether apps in the work profile can share data with apps in the personal profile. Microsoft Intune recommended value for this setting is to prevent any sharing across the boundaries.

We can block Work profile notifications while the device is in a locked state. Default app permission is another Android for Work security setting. I don’t recommend configuring the password settings as part of Intune configuration policies; rather, password settings should be part of the compliance policies for Android for Work devices.
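As an added example (my code, not the blog’s), the block below builds the work profile restriction policy body with the three settings just discussed, then lints an arbitrary policy against the recommendations of this section: block data sharing across the work/personal boundary, block work notifications on the lock screen, avoid silently auto-granting runtime permissions, and keep password rules out of the configuration profile. The property and enum names are assumed from the Microsoft Graph `androidWorkProfileGeneralDeviceConfiguration` resource as I know it; verify them against the Graph reference before using them in a tenant.

```python
"""Build and lint an Intune Android for Work device restriction policy body (offline)."""

# Password-related properties the post says belong in the compliance policy instead.
# Names are assumed from the Graph androidWorkProfileGeneralDeviceConfiguration resource.
PASSWORD_KEYS = (
    "passwordRequiredType",
    "passwordMinimumLength",
    "workProfilePasswordRequiredType",
    "workProfilePasswordMinimumLength",
)


def build_android_work_profile_policy(display_name):
    """Return a Graph-style body with the work profile settings from the post."""
    return {
        "@odata.type": "#microsoft.graph.androidWorkProfileGeneralDeviceConfiguration",
        "displayName": display_name,
        # Prevent apps in the work profile from sharing data with personal apps.
        "workProfileDataSharingType": "preventAny",
        # Hide work notifications while the device is locked.
        "workProfileBlockNotificationsWhileDeviceLocked": True,
        # Ask the user for runtime permissions instead of granting them silently.
        "workProfileDefaultAppPermissionPolicy": "prompt",
    }


def lint_android_work_profile_policy(policy):
    """Return findings where the policy deviates from the post's recommendations."""
    findings = []
    if policy.get("workProfileDataSharingType") != "preventAny":
        findings.append(
            "work/personal data sharing is not fully blocked "
            f"({policy.get('workProfileDataSharingType')!r})")
    if not policy.get("workProfileBlockNotificationsWhileDeviceLocked"):
        findings.append("work profile notifications are visible on the lock screen")
    if policy.get("workProfileDefaultAppPermissionPolicy") == "autoGrant":
        findings.append("runtime permissions are auto-granted to work profile apps")
    for key in PASSWORD_KEYS:
        if key in policy:
            findings.append(
                f"{key} is set in the configuration profile; "
                "keep password rules in the compliance policy")
    return findings


if __name__ == "__main__":
    good = build_android_work_profile_policy("Android Restriction policy")
    print(lint_android_work_profile_policy(good) or "policy OK")
```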

Deploy Security Policy for Android Devices

Deploying the Android for Work device restriction policy is straightforward, but it’s important to take care of some points before deploying a Security Policy for Android devices. Click on Assignments after setting up the policy and select the AAD user/device group.

Click on the Save button and you are done. The recommended way is to assign policies to an Azure AD dynamic device group for Android devices. However, AAD device groups are still in preview, so we may be better off using user groups for deploying device restriction policies to Android devices.

One thing to remember is that you can’t apply Android device platform policies to Android for Work devices. You should rather use Android for Work device platform policies for A4W. Another useful option while deploying device restriction policies in Intune is the EXCLUDE option.

This is very useful when you want to exclude some devices or users from these particular security policies.
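The include/exclude assignment model described here (and used again for the Windows 10 device restriction policy later on this page) is easy to get wrong when a user sits in both an included and an excluded group. The added example below (my code, not the blog’s) builds Graph-style assignment targets and resolves the effective membership over constructed sample groups, showing that exclusion wins. Target type names are assumed from the Microsoft Graph `groupAssignmentTarget` and `exclusionGroupAssignmentTarget` types; the group ids and members are made up.

```python
"""Model Intune profile assignments with include and exclude groups (offline)."""

INCLUDE = "#microsoft.graph.groupAssignmentTarget"           # assumed type name
EXCLUDE = "#microsoft.graph.exclusionGroupAssignmentTarget"  # assumed type name


def group_assignment(group_id, exclude=False):
    """Return one assignment entry as the Graph assign action would carry it."""
    return {"target": {"@odata.type": EXCLUDE if exclude else INCLUDE,
                       "groupId": group_id}}


def resolve_effective_members(assignments, group_members):
    """Return the set of principals that actually receive the profile.

    group_members maps a group id to the set of principal ids in that group.
    A principal in any excluded group is removed even if it is also included.
    """
    included, excluded = set(), set()
    for assignment in assignments:
        target = assignment["target"]
        members = group_members.get(target["groupId"], set())
        if target["@odata.type"] == EXCLUDE:
            excluded |= members
        elif target["@odata.type"] == INCLUDE:
            included |= members
        else:
            raise ValueError(f"unsupported target type {target['@odata.type']}")
    return included - excluded


# Constructed sample data: two user groups and one pilot-exclusion group.
SAMPLE_GROUPS = {
    "grp-android-users": {"alice", "bob", "carol"},
    "grp-contractors": {"dave", "carol"},
    "grp-a4w-pilot-exclude": {"bob", "dave"},
}

SAMPLE_ASSIGNMENTS = [
    group_assignment("grp-android-users"),
    group_assignment("grp-contractors"),
    group_assignment("grp-a4w-pilot-exclude", exclude=True),
]


if __name__ == "__main__":
    print(sorted(resolve_effective_members(SAMPLE_ASSIGNMENTS, SAMPLE_GROUPS)))
```

Intune only honours an exclusion against includes of the same target type (user groups exclude users, device groups exclude devices), so keep both sides of an assignment on the same kind of group when you rely on the EXCLUDE option.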

User Experience of Security Policy for Android devices

The user experience of Android for Work devices can vary depending on the device manufacturer. As I mentioned in the previous post here, Samsung and Nexus are the devices with the best experience that I have tested so far.

But I would admit the user experience of Android for Work is far better than that of plain Android devices! As Android devices come in many variants, it’s better to make sure the Security Policy for Android devices experience is good across all manufacturers.

Resources

Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)


Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices Endpoint Manager

Intune configuration restriction policies are very important in a modern device management strategy. An Intune device restriction policy is the set of security settings applied to your Windows 10 CYOD devices.

As part of your organization’s security policies, you may need to lock down mobile devices or Windows devices that have access to corporate data and apps. Yes, Intune configuration restriction policies help you lock down Windows devices as per your organization’s security requirements.

Related post Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)

Create Intune Device Restriction Policy for Windows 10 Devices

You can create an Intune device restriction policy for Windows 10 from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Windows 10 as the platform; the selection of the platform is very important.

Also, you need to select the profile type while creating the Intune configuration restriction policy. In my scenario, it’s the Device restrictions profile type. The name of the policy is “Windows 10 CYOD Restrictions“.

The out-of-box settings of the Windows platform Intune device restriction policy are segregated into 16 sections, as you can see below. This list is very comprehensive, and we can lock down Windows 10 machines as per the requirement.

Is this Intune device restriction policy a replacement for group policies? No, it’s still not a replacement for AD group policies.

  1. General
  2. Password
  3. Personalization
  4. Locked screen experience
  5. App Store
  6. Edge Browser
  7. Search
  8. Cloud and Storage
  9. Cellular and Connectivity
  10. Control Panel and Settings
  11. Defender
  12. Defender Exclusions
  13. Network proxy
  14. Windows Spotlight
  15. Display
  16. Start

Deploy Windows 10 Intune Device Restriction Policy

You can deploy the Windows 10 Intune Device Restriction Policy to either a Windows 10 CYOD dynamic device group or a Windows 10 user group.

Dynamic device groups are still in preview, and those types of groups are not stable at times. So, at least for the next two months, I will prefer to deploy policies to user groups rather than dynamic device groups.

Windows 10 End-user experience of Intune Device Restriction Policy

As you can see in the video tutorial at the top of this post or here, I enabled the setting that disables the time-change option as part of the initial Windows 10 device restriction policy. The end user logged in to the Windows 10 machine can’t change the time on the system.

After that, I changed the Windows time setting policy again, and after applying the new policy, the user can change the time on the Windows 10 system.


How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web apps Endpoint Manager

I have been testing and developing a solution for Android device management with Intune. That Android for Work learning experience has been shared in my previous posts here.

In this post, we will see how to enable Intune Company Portal browser access for Android devices. Why do we need to enable Company Portal browser access? To put it simply, if your organization uses Azure AD Conditional Access (CA) enabled internal web applications, then we need to enable the Company Portal browser access option.

How to enable Intune Company Portal Browser Access

  1. Open the Company Portal app.
  2. Go to the Settings page from the ellipsis (…) or hardware menu button.
  3. Press the Enable Browser Access button.

The above video recording shows the user experience when you have CA-enabled web applications and have not enabled Company Portal browser access. As you can see in the video, the managed browser for Android devices gives an error stating that the device is not enrolled.

Yes, the managed browser application can’t tell whether the device is already enrolled. When you perform the “Intune Company Portal Browser Access” action, the app will try to install the Microsoft work account certificate on the Android device. There is a known issue with the previous version of the Company Portal application on Android devices.

Microsoft Work Account Certificate installation Error


The solution to the Microsoft work account certificate installation error mentioned above is to update the Company Portal application on the Android device. Are you getting an error called ENROLL your device (as you can see in the following screen capture)? Does this error appear when you try to access Conditional Access enabled web applications through the managed browser, while web apps without CA work fine? If so, you need to perform the following action from your Android device: “Intune Company Portal Browser Access.”

End-User Experience of ENROLL device Error


Now, it’s time to update the Company Portal application on Android for Work enabled devices. Once the device is updated with the latest version of the Company Portal app, open the Company Portal app, go to Settings, and tap on the button “Enable Browser Access.”

This action gives you a popup for Microsoft Work Account certificate installation; the user must select the cert and tap on the ALLOW button. This process is explained in the video tutorial at the top of this post.

Microsoft Work Account Certificate Installation


Once the managed browser has the certificate, the web applications opened in the managed browser can use the Microsoft work account cert. This allows the managed browser to securely open Conditional Access enabled internal web applications. In my experience, the user does not need to tap the INSTALL button; tapping the ALLOW button completes this configuration.

End USER Experience of CA enabled Web application Access



How to Deploy Microsoft Store for Business Apps using Intune

How do you deploy Microsoft Store for Business apps using Intune to Windows 10 or Windows 11 devices with Endpoint Manager? Microsoft Store for Business apps are part of your organization’s private store apps.

Originally, the only way to deploy Store apps using Intune was a required deployment. Microsoft Store for Business apps can now be deployed as “Available,” “Required,” or “Uninstall” apps to Windows 10 or Windows 11 devices.

On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device will remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later. Use New Store to Deploy New Microsoft Store Apps Type From Intune with Winget.

Fig. 1.0 – How to Deploy Microsoft Store for Business Apps using Intune

The logic behind NOT having an “available” deployment option was understandable: the user did not need an available deployment via Intune, because the user always has private store access to install the apps manually.

Let’s check how to deploy the WhatsApp application from the Microsoft store to Windows 10/11 devices which are managed by Microsoft Endpoint Manager Intune.

NOTE! – Microsoft Store for Business retirement has been announced, and the store will be retired by early 2023. Read more: Use Winget Windows Package Manager Tool To Install Microsoft Store Apps Using Intune.

Requirements – Microsoft Store for Business Application Deployment using Intune

Let’s have a quick look at the requirements for Microsoft Store for Business Application Deployment using Intune.

  • Browser compatible with Microsoft Store for Business
  • The administrator account needed to integrate MSfB with SCCM
  • Employees need Azure AD accounts when they access the content from MSfB
  • Proxy configuration requirements for MSfB
  • Devices must be Azure AD Registered, or Azure AD joined to the same Azure AD tenant where you registered the MSfB for online app deployment.
  • Azure AD Global admin (or appropriate) access to create Applications to connect ConfigMgr site to Azure AD and MSfB

Decide Offline or Online Applications using Intune

The MSfB supports two types of application licenses, and you should be very careful with the license type of the application you want to add. For Offline apps, you don’t need the devices to be Azure AD registered or hybrid Azure AD joined.

  • Online: Windows 10 devices must be Azure Active Directory (Azure AD)-joined or hybrid Azure AD-joined.
  • Offline: Devices don’t need to connect to the store or have a connection to the internet.

Read More -> Offline Application deployment example – Install Windows Company Portal Offline Version Using Intune

Search Store Applications from MSfB for Intune App Deployment

Let’s log in to the Microsoft Store for Business and start searching for the apps you want to add. We will add WhatsApp to the private store and deploy it to Intune-managed Windows 10/11 devices.

NOTE! – Microsoft Store for Business will be retiring in the first quarter of 2023.

  • Login to MSfB with Azure AD admin account https://businessstore.microsoft.com/
  • Search for the Microsoft Store application “WhatsApp” that you want to add.
  • Search URL https://businessstore.microsoft.com/en-us/store/search?q=whatsapp
Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 1

Add Apps to Private Store

You have already found the required app (above section) – WhatsApp. Now let’s add those to the organization’s private store.

  • Click on any application – WhatsApp
  • Select License type: Offline
  • Click on Get the app
Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 2

Once you click on the Get the app button, the WhatsApp application is purchased and added to your organization’s private store.

  • Successfully added the app WhatsApp Beta to the private store.
  • This app will be available in the admin console after the next MSfB sync with Intune.
  • Click Close to continue.
Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 3

Initiate a Manual Sync between Intune Portal and Microsoft Store for Business

Let’s initiate a manual sync between the Intune portal and Microsoft Store for Business. The scheduled sync happens every 24 hours, if I’m not mistaken.

  • Login to Endpoint.Microsoft.com
  • Navigate to Tenant Administration – Connectors and Tokens.

Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune. The sync toggle has two options, Enable and Disable, and it must always be ENABLED for this scenario.

  1. First, you’ll need to sign up and associate your Microsoft Store for Business account with Intune (Open the business store).
  2. Choose the language in which apps from the Microsoft Store for Business will be displayed in the Intune console (Language).

Sync the apps you’ve purchased from the store with Intune. To reflect the newly purchased application called WhatsApp, you need to click on the SYNC button and wait for the sync to complete.

Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 4

Deploy Microsoft Store App to Windows 11/10 using Intune

Let’s check how to deploy a Microsoft Store app to Windows 11/10 using Intune. Head over to Apps and check for the WhatsApp Beta application.

  • Open Endpoint.Microsoft.com portal.
  • Navigate to All Apps and Search for WhatsApp.
Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 5

Click on the WhatsApp application to start the deployment process. This is the normal Intune application deployment process. The application was already created automatically when you synced Intune with Microsoft Store for Business.

You need to assign the application to at least one group. Click ‘Properties’ and then edit ‘Assignments’ to start the assignment.

Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 6

I have deployed this as an available application to an Azure AD group of USERS.

Fig. – Deploy Microsoft Store for Business Apps using Intune Endpoint Manager 7

Video Tutorial (Outdated one)

There are 3 sections in this post and in the video tutorial here:

  1. Enable and Configure Windows Store for Business
  2. Sync the applications and Deploy applications
  3. End-User Experience of App installation on Windows 10 device

Enable and Configure Microsoft Store for Business

First, we need to sign up and associate the Microsoft Store for Business (MSfB) account with Intune. Accept the agreement and consent for Windows Store for Business.

https://businessstore.microsoft.com/en-us/store


Intune and Microsoft Store for Business Connection

To enable and configure Microsoft Store for Business, you need to open the Intune portal (Azure): Microsoft Intune – Mobile Apps – Windows Store for Business. Choose the language in which apps from the Windows Store for Business will be displayed in the Intune console.

Once signed up for the Windows Store for Business, we need to set up a connection between Intune and the Windows Store for Business. This is required to deploy Windows Store apps via Intune. Click on the Manage tab and select Store settings.

Once you are in Store settings, you can see there are three out-of-box connections already configured for deploying Windows Store for Business apps via MDM solutions: AirWatch, MobileIron Cloud, and Microsoft Intune. Click on the Intune Activate button to set up the connection between the store and Intune.


Sync the applications and Deploy applications via Intune

Once the Intune connection is activated, we need to shop for the apps and add them to your organization’s private store. It could take up to 24 hours for newly added apps to appear in the private store (it’s pretty fast nowadays; within minutes they are available). You can then sync Intune to pull the newly added apps into Intune.

We need to save the settings after the successful app sync.

Updated NOTE! – You can now log in to the Microsoft Endpoint Manager admin center and head over to Tenant Administration – Connectors and Tokens. Click on the SYNC button to make the application available in Intune applications.

  • Login to Endpoint.Microsoft.com and navigate to Tenant Administration – Connectors and Tokens.

After a successful connection, you would be able to see the following settings in Microsoft Store for Business.


How to Deploy Microsoft Store for Business App from Intune

Learn how to deploy a Microsoft Store for Business app from Intune. You will need to head over to Apps – Windows in the MEM admin center portal (Intune) to check application availability there. After the successful sync between Intune and Microsoft Store for Business, the Firefox browser app will be available in the MEM Intune portal.

Now select the Windows Store apps that you want to deploy to AAD user groups. At the time of the video, we had only two options while deploying a Windows Store app via Intune: REQUIRED and UNINSTALL.

So, there was no option to deploy a Windows Store app as an available deployment via Intune, because the users already have access to the private store.


End-User Experience of App installation on Windows 10 device

The end-user experience for Windows 10 1703 users is flawless. The deployment of the Windows Store app via Intune happened in the background, and the user only came to know about the installation when the app appeared on his/her Windows 10 device.



Microsoft Endpoint Manager Intune Android Work Apps User Experience Explained

The Android operating system has several variants, and fragmentation is very high. What are the reasons for this? With the open standards, every smartphone manufacturer has the freedom and option to customize the operating system according to their preference.

Related Posts – How To Configure Intune Enrollment Setup For Android Enterprise Device Management – HTMD Blog #2 (howtomanagedevices.com)

So all the Android mobile device manufacturers grabbed the opportunity to push their apps and tweaked versions of Android. So, what is the biggest problem I see with the Intune Android Work apps user experience? I will go through the details in this post. I have also explained the same in the above video.

There is no standard user experience across mobile manufacturers; Samsung, Sony, and LeTV each have their own way of arranging Android Work applications. Once you have enabled Android for Work support, you can enroll Android devices into Intune for management, as I explained in the post “How to Enroll Android for Work Supported Devices into Intune“.

Intune Android Work Apps User Experience

In this post, we will see what a good and a bad Intune Android for Work user experience look like. I want to make it clear that there is not much Intune can do to improve this experience, because it is an OS capability.

I have tested Intune Android for Work enrollment with devices such as the Nexus 6P, Sony, and Samsung. The Intune Android Work apps user experience is good for all the tested devices. However, the problem is the placement of badged applications on the devices.

Each Android mobile manufacturer has its own way of placing badged Android Work applications. I like it when a manufacturer places all the badged apps into a folder.

This is very useful for the user to switch between work applications and personal ones. If the manufacturer does not create a group for work applications after Intune Android for Work enrollment, it’s not a good user experience, from my testing.

As per my testing on several Android devices, I liked the Intune Android for Work user experience of Samsung and Google Nexus the most.

Initially, the Intune Android for Work enrollment experience with the Company Portal was not flawless. But with the latest version of the Intune Company Portal, the enrollment process has improved a lot. If you enroll the device with the latest Company Portal app, you don’t have to close the existing Company Portal app and open the badged (briefcase symbol) work copy of the Company Portal app to continue the enrollment process.

This previous Android for Work enrollment process experience is explained in the video here.

I like the Samsung and Google Nexus user experience because all the Android work applications are placed in a separate WORK folder. The work folder helps users segregate their personal apps from work apps.

That user experience is excellent. The Android work apps user experience of Sony and LeTV devices is not so good if you compare it with the UX of Samsung and Nexus.

The bad user experience is that those devices won’t create a separate folder for WORK apps. You can see the experience in more detail in the video tutorial in the first part of this post.

Resources

Intune SCEP HTTP Errors Troubleshooting Made Easy With Joy – #5 (anoopcnair.com)


Windows 10 Azure AD Join Automatic Intune Enrollment using Microsoft Endpoint Manager Intune | Azure AD

In this post, I will share the experience of Windows 10 1703 (RS2) Azure AD join and automatic MDM (Intune) enrollment.

The video tutorial above shows the real-time experience of Windows 10 1703 Azure AD join and Intune auto-enrollment.

Latest posts: Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com) and Intune Company Portal Setup for Personal Windows 10 Device Intune Enrollment Options.

Windows 10 1703 was the latest Windows 10 production build at the time of writing. It is also called the Redstone 2 (RS2) release. The Windows team has done great work improving the Out Of Box Experience (OOBE) in Windows 10 1703. I have a previous post that explains the in-depth process of AADJ and MDM auto-enrollment, “How to Join Windows 10 1607 Machines to Domain or Azure AD“.

“Sign in with Microsoft School or Work account” is the first screen you get in the Windows 10 1703 Azure AD join OOBE. A note on the same screen tells users which account to use: “Sign in with the username and password you use with Office 365 or business services from Microsoft”.

Yes, this is a generic message. I think it would be more helpful if Microsoft told users to use their corporate account rather than using technical terms like Office 365 and business services from Microsoft.


The Windows 10 1703 OOBE screen also gives the user the option to choose a traditional domain join, or to create a local user account and log in with that account. The Windows 10 1703 OOBE experience is improved a lot.

It asks to connect to a Wi-Fi network, and it allows the user to connect to Wi-Fi networks that use web-based (captive portal) authentication (not all of them? This needs further testing). Once connected to the internet, it checks for the latest software updates available and installs them.


Windows 10 Azure AD Join Experience

Windows 10 1703 Azure AD join is an almost fully automated process once the user enters their user name and password on the OOBE screen mentioned above. User input is required on only one more screen, the privacy settings.

Once the user is done with the Windows 10 1703 privacy settings, the device automatically logs the user in with the user name and password entered earlier. Is this a new SSO for Windows 10 1703 Azure AD join? You can confirm the AAD join from Settings – Accounts in Windows 10 1703.


Windows 10 MDM Intune Auto Enrollment Experience

Once the Windows device is Azure AD joined, it should automatically get enrolled in Intune management. For this to happen, the MDM user scope under Azure AD – Mobility (MDM and MAM) – Microsoft Intune must include the user who joins the device, and that user needs an Intune license. In my experience with Windows 10 1703, I got the encryption policy popup from the Intune compliance policy within a few minutes of the first login to the device.

The user can also check the Intune enrollment from the Access work or school section of the Windows 10 Settings app. There is a change in the GUI of the Windows 10 MDM stack for work/school account settings: there is no Manage tab for the work account added to the device. Don’t worry about that, it is the new design in Windows 10 1703. A Windows 10 work/school account now has only two tabs: Info and Disconnect.

How do you manually sync or check for new Intune policies on a Windows 10 1703 device? Go to Settings – Accounts – Access work or school, select the account, click Info and then Sync. This initiates an immediate policy sync with the Intune service in the cloud, and in turn the user’s Windows 10 device receives the latest policies from Intune.
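As an added example (this is not code from the original post), the following PowerShell script does the same checks from an elevated prompt instead of the Settings app: it parses dsregcmd /status for the Azure AD join state and MDM URL, lists the Intune enrollment(s) recorded under HKLM:\SOFTWARE\Microsoft\Enrollments, and starts the enrollment’s PushLaunch scheduled task to force a sync. The registry value names and the EnterpriseMgmt task layout are the ones the Windows 10 MDM client uses; that starting PushLaunch is equivalent to the Sync button, and that a missing MdmUrl points at the MDM user scope or licensing, are assumptions made for this example.

```powershell
# Added example, not from the original post: verify Azure AD join and Intune
# enrollment on a Windows 10 device and force a policy sync. Run elevated.

function Get-AadJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones we need.
    $raw = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|MdmUrl|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-MdmEnrollment {
    # Every MDM enrollment lives under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>.
    # Intune enrollments carry ProviderID "MS DM Server"; other subkeys are not enrollments.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server') {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                UPN             = $p.UPN
                EnrollmentState = $p.EnrollmentState
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
            }
        }
    }
}

function Start-IntuneSync {
    param([Parameter(Mandatory)][string]$EnrollmentId)
    # The enrollment client registers its tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.
    # Assumption: starting PushLaunch triggers the same OMA-DM session as the Sync button.
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$EnrollmentId\" `
                              -TaskName 'PushLaunch' -ErrorAction Stop
    Start-ScheduledTask -InputObject $task
}

$join = Get-AadJoinState
if ($join.AzureAdJoined -ne 'YES') {
    Write-Warning "Device is not Azure AD joined (AzureAdJoined=$($join.AzureAdJoined)); auto-enrollment cannot happen."
    return
}
if (-not $join.MdmUrl) {
    # Assumption: an AADJ device without an MdmUrl usually means the user is outside the
    # MDM user scope (Azure AD > Mobility (MDM and MAM) > Microsoft Intune) or has no Intune license.
    Write-Warning 'AzureAdJoined but no MdmUrl: check the MDM user scope and the user''s Intune license.'
}

$enrollments = @(Get-MdmEnrollment)
if ($enrollments.Count -eq 0) {
    Write-Warning 'No Intune (MS DM Server) enrollment found under HKLM:\SOFTWARE\Microsoft\Enrollments.'
    return
}
$enrollments | Format-Table -AutoSize
Start-IntuneSync -EnrollmentId $enrollments[0].EnrollmentId
```

Run it as the signed-in user with an elevated prompt; if it warns about a missing MdmUrl, fix the Azure AD MDM user scope or the license before retrying, because the device will never self-enroll until the scope check passes.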


Software Update Policy Rings in Intune MEM

Let’s see how to configure Software Update Policy Rings in Intune MEM, that is, how to set up Windows 10 software update rings in the Endpoint Manager portal.

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We need to configure a Windows software update policy and deploy that policy to Windows 10 devices.

I have an updated post on the Intune monthly patching guide and troubleshooting: Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching: Software Update Patching Options With Intune Setup Guide (anoopcnair.com).

Related post: Difference Between Windows Patch Management Using Intune Vs ConfigMgr | SCCM | Software Updates

Windows 10 devices take software updates directly from the Microsoft Update service. Unlike SCCM, there is no need to download the updates, create a package and deploy it to the devices (as you can see in the video post here).

Windows Update for Business will give us more options to configure and control the behavior of Windows 10 updates and Servicing. Update:- FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune video tutorial on creating software update rings for Windows 10

There is an out-of-the-box Software Update (Automatic Update) policy among the configuration policies of the Intune Silverlight portal. I have noticed that this out-of-the-box configuration policy stopped working in the last few months. Now there are two options to control the behaviour of Windows 10 updates and Windows servicing.

The first choice is to use custom policies in the Intune Silverlight portal if your Silverlight portal has not yet been migrated to the MEM portal. I have a post that talks about Intune Silverlight migration blockers here.

The second choice is to control Windows Update for Business via the Software Updates button in the Intune blade of the MEM portal. That is what we cover in this post.


Basic Test Rings for Windows 10 Software Update

As a very basic requirement, you may need at least two Windows 10 Software Update Policy Rings for your organization: one for Windows 10 machines on the Current Branch (CB) and a second for Windows 10 machines on the Current Branch for Business (CBB).

Windows 10 update rings will evolve as you progress with testing and rollout in your organization, but this is the first stage of testing software update deployments.

Windows 10 CB Update Ring - All the devices on Current Branch (CB, later renamed Semi-Annual Channel (Targeted))
Windows 10 CBB Update Ring - All the devices on Current Branch for Business (CBB, later renamed Semi-Annual Channel)

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation is to create separate Windows 10 Software Update Policy Rings for deferring the servicing (feature) updates of the Windows 10 CB and CBB branches. Quality updates can be deferred by at most 30 days in an update ring; feature updates can be deferred considerably longer (up to 365 days in the current Intune update ring settings). Pilot and production rings let you roll the latest Windows 10 CB/CBB servicing update (e.g. the upgrade from 1607 to 1703) to a few pilot devices first rather than deploying it to all devices at the same time.

If you find a problem with the upgrade during the pilot and do not want the update to reach the production ring yet, you have the option to PAUSE the updates for the production ring. Note that a pause in an Intune update ring is not permanent: it expires after 35 days and updates resume unless you pause again.

Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB 
Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB  
Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
Production Windows 10 CB Updates Ring - Production Servicing Ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating separate Windows 10 Software Update Policy Rings for the quality updates (monthly security and other patches) of Windows 10 CBB and Windows 10 CB. So Windows 10 CBB machines get a minimum of two rings.

One is for the pilot machines on Windows 10 CBB and the second is for the production machines on Windows 10 CBB. The same applies to Windows 10 CB devices, which should also have two rings.

Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring

How to create advanced Windows 10 Software Update Rings?

There could be other, more complex Windows 10 Software Update Policy Ring scenarios, depending purely on the requirements of each region or business group of your organization. Some of the other important options in a Windows 10 Software Update Policy Ring are:

  • Windows 10 automatic update behaviour: how updates are scanned for, downloaded and installed, and the scheduling (active hours) options for Windows updates.
  • Whether Windows 10 drivers are included in your patch deployment rings or excluded from them.
  • Which Delivery Optimization mode (the peer caching built into Windows 10) you want to use.

Deployment – Assignment of Windows 10 Software Update Rings

The assignment of Windows 10 Software Update Policy Rings is a critical decision. I would recommend using dynamic device groups wherever possible, but at the moment that is not possible for all scenarios; in some scenarios we need static device/user groups. I hope Microsoft will come up with exclusion group options for assignments (similar to AAD Conditional Access policies).

Exclusion groups would be really useful in software update ring deployment scenarios, for example to exclude the pilot devices from the production software update ring. At the time of writing this was not possible without an exclusion option. (Update: Intune assignments now offer an Exclude option next to Include, so the pilot group can be excluded from the production ring.)
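As an added example (not code from the original post), the PowerShell below expresses the pilot/production ring design from the sections above as Microsoft Graph windowsUpdateForBusinessConfiguration objects, enforces the deferral limits Windows Update for Business accepts (30 days for quality updates, 365 for feature updates), and reads back the Update policy that actually landed on a client so you can confirm which ring a device received. The deferral values, ring names and the Microsoft.Graph PowerShell module usage are choices made for this example; Connect-MgGraph with DeviceManagementConfiguration.ReadWrite.All is assumed to have been run before -Submit is used.

```powershell
# Added example, not from the original post: build, validate and (optionally)
# publish Windows 10 update rings, then verify the applied policy on a client.

$MaxQualityDeferralDays = 30    # WUfB/Intune limit for quality (monthly) updates
$MaxFeatureDeferralDays = 365   # WUfB/Intune limit for feature (servicing) updates

function New-UpdateRingBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # CB = 'all' (SAC-T), CBB = 'businessReadyOnly' (SAC)
        [ValidateSet('all','businessReadyOnly')][string]$Branch = 'businessReadyOnly',
        [int]$QualityDeferralDays = 0,
        [int]$FeatureDeferralDays = 0,
        [bool]$PauseQuality = $false,
        [bool]$PauseFeature = $false,
        [bool]$ExcludeDrivers = $false
    )
    if ($QualityDeferralDays -lt 0 -or $QualityDeferralDays -gt $MaxQualityDeferralDays) {
        throw "Quality deferral must be 0-$MaxQualityDeferralDays days (got $QualityDeferralDays)"
    }
    if ($FeatureDeferralDays -lt 0 -or $FeatureDeferralDays -gt $MaxFeatureDeferralDays) {
        throw "Feature deferral must be 0-$MaxFeatureDeferralDays days (got $FeatureDeferralDays)"
    }
    # Property names are those of microsoft.graph.windowsUpdateForBusinessConfiguration.
    [ordered]@{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $DisplayName
        businessReadyUpdatesOnly           = $Branch
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        qualityUpdatesPaused               = $PauseQuality    # a pause auto-resumes after 35 days
        featureUpdatesPaused               = $PauseFeature
        driversExcluded                    = $ExcludeDrivers
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        microsoftUpdateServiceAllowed      = $true
        deliveryOptimizationMode           = 'httpWithPeeringNat'
    }
}

# The four servicing rings from the post. Pilot rings take updates first; production
# rings wait, so a bad pilot can be paused before the update spreads (example deferrals).
$rings = @(
    New-UpdateRingBody -DisplayName 'Pilot Windows 10 CB Updates Ring'       -Branch all               -FeatureDeferralDays 0  -QualityDeferralDays 0
    New-UpdateRingBody -DisplayName 'Production Windows 10 CB Updates Ring'  -Branch all               -FeatureDeferralDays 30 -QualityDeferralDays 7
    New-UpdateRingBody -DisplayName 'Pilot Windows 10 CBB Updates Ring'      -Branch businessReadyOnly -FeatureDeferralDays 0  -QualityDeferralDays 0
    New-UpdateRingBody -DisplayName 'Production Windows 10 CBB Updates Ring' -Branch businessReadyOnly -FeatureDeferralDays 60 -QualityDeferralDays 14
)

function Publish-UpdateRing {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Body, [switch]$Submit)
    $json = $Body | ConvertTo-Json -Depth 5
    if ($Submit) {
        Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
                              -Body $json -ContentType 'application/json'
    } else {
        $json   # dry run: show what would be posted
    }
}

$rings | ForEach-Object { Publish-UpdateRing -Body $_ }   # add -Submit to create them

function Get-AppliedUpdatePolicy {
    # On an enrolled client the Update policy CSP values land under PolicyManager\current\device\Update.
    # Compare them with the ring you expect the device to be in.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    Get-ItemProperty $key -ErrorAction SilentlyContinue |
        Select-Object BranchReadinessLevel, DeferQualityUpdatesPeriodInDays, DeferFeatureUpdatesPeriodInDays,
                      PauseQualityUpdates, PauseFeatureUpdates, ExcludeWUDriversInQualityUpdate, AllowAutoUpdate
}
Get-AppliedUpdatePolicy
```

The validation matters more than it looks: the portal silently clamps out-of-range deferrals, whereas a scripted deployment that throws forces you to notice that, for example, a 45-day quality deferral was never going to be honoured.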

How to Plan Design Intune Compliance Policy for Android Devices | Microsoft Endpoint Manager | Intune

This post provides more details about planning and implementing Intune compliance policies for Android devices. Intune compliance policies are the first layer of protection before access is granted to corporate apps and data.

It is very important to plan and design compliance policies for Android devices, because the Android ecosystem is fragmented: OEM patch cadence varies widely, and sideloading and USB debugging are one toggle away, which makes an unmanaged Android device riskier than most other platforms.

Compliance policy rules might include requiring a password/PIN to unlock the device and encrypting the data stored on it. A set of such rules is called a compliance policy. The best option is to combine the compliance policy with Azure AD Conditional Access, so that a non-compliant device is denied access to corporate resources.

Update: if you use or support Android for Work (now called Android Enterprise) enrollment, select the platform “Android for Work” in the compliance policy. Otherwise the compliance policy will evaluate your Android devices and report that the policy is not applicable to Android for Work enrolled devices.

Video

Check out the video tutorial to setup Intune compliance policies for Android – here

  • Intune Compliance policy setup for Windows 10 Devices here
  • Intune Compliance policy setup for iOS Devices here

How to set up an Android device compliance policy

  • 1.  Sign in to the Endpoint Manager portal with an account that has Intune admin access.
  • 2.  (In the older Azure portal) select More services, enter Intune in the text box, and then press Enter.
  • 3.  Select Intune – Device compliance – Policies, click the +Create policy button to create a new compliance policy and select the platform “Android” (or “Android for Work” for work-profile enrolled devices).
  • 4.  The settings are the important part of a compliance policy. There are some improvements in the Azure portal Android compliance policies: they have three categories, Device Health, Device Properties, and System Security.
  • 5.  Device Health is where the compliance engine checks the state the device reports. For Android this means whether the device is rooted (and, in current Intune, whether it passes Google’s SafetyNet/Play Integrity device attestation). The TPM 2.0 and BitLocker checks of the Device Health Attestation service apply to Windows compliance policies, not Android.
  • 6.  Device Properties is where Intune admins define the minimum and maximum operating system versions allowed to access corporate applications. I would keep the minimum at Android 6 wherever possible.
  • Operating System Version
  • Minimum Android OS version
  • Maximum Android OS version
  • 7.  System Security is where Intune admins define password and related policies for the Android devices. There are 3 sections in these settings – Password, Encryption, and Device Security.

Password compliance policy for Android – I would require a complex alphanumeric password for Android devices and configure all of the settings below.

Require a password to unlock mobile devices.
Minimum password length
Required password type
Maximum minutes of inactivity before the password is required
Password expiration (days)
Number of previous passwords to prevent reuse

Encryption compliance policy for Android – encryption of data storage must be required in your Android compliance policy.

Encryption of data storage on the device

Device Security compliance policy for Android – Block apps from unknown sources and Block USB debugging are the important settings and should be enabled. Also set a minimum security patch level, so that devices whose OEM has stopped shipping patches drop out of compliance instead of keeping access.

Block apps from unknown sources
Require threat scan on apps
Block USB debugging on the device
Minimum security patch level

8. Assign the Android compliance policy. (An earlier update to this post noted that device groups were not supported for compliance policies and that user groups had to be used; Intune has since allowed device groups as well.) Click on Assignments and select the group.

I would use an AAD dynamic device group containing all Android devices to deploy compliance policies rather than an AAD user group.
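As an added example (not code from the original post), the PowerShell below turns the Android compliance settings recommended in steps 5 to 8 into Microsoft Graph deviceCompliancePolicy bodies, one of type androidCompliancePolicy (device administrator enrollment) and one of type androidWorkProfileCompliancePolicy (Android for Work / Android Enterprise work profile), because, as the update above notes, a policy of the wrong platform type just reports “not applicable”. The property names are those of the Graph schema; the concrete values (password length, patch level date, group ID) and the sanity check on the password settings are choices made for this example. Connect-MgGraph with DeviceManagementConfiguration.ReadWrite.All is assumed to have been run before -Submit is used.

```powershell
# Added example, not from the original post: build Android compliance policies
# for both Android platform types from one shared baseline and publish them.

# Settings shared by both platform types; names follow the Graph schema.
$baseline = [ordered]@{
    # Device Health
    securityBlockJailbrokenDevices               = $true          # block rooted devices
    # Device Properties
    osMinimumVersion                             = '6.0'
    minAndroidSecurityPatchLevel                 = '2017-01-01'   # example value: pick a date your fleet can meet
    # System Security - Password
    passwordRequired                             = $true
    passwordRequiredType                         = 'alphanumeric'
    passwordMinimumLength                        = 8
    passwordMinutesOfInactivityBeforeLock        = 5
    passwordExpirationDays                       = 90
    passwordPreviousPasswordBlockCount           = 5
    # System Security - Encryption
    storageRequireEncryption                     = $true
    # System Security - Device Security
    securityPreventInstallAppsFromUnknownSources = $true
    securityRequireVerifyApps                    = $true          # threat scan on apps
    securityDisableUsbDebugging                  = $true
}

function Test-ComplianceBaseline {
    # Catch a baseline that is weaker than intended before it is published.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Settings)
    $problems = @()
    if (-not $Settings.passwordRequired) { $problems += 'passwordRequired is false' }
    if ($Settings.passwordRequiredType -notin 'alphanumeric','alphanumericWithSymbols') {
        $problems += "weak passwordRequiredType '$($Settings.passwordRequiredType)'"
    }
    if ($Settings.passwordMinimumLength -lt 6) { $problems += 'passwordMinimumLength below 6' }
    if (-not $Settings.storageRequireEncryption) { $problems += 'storageRequireEncryption is false' }
    if (-not $Settings.securityDisableUsbDebugging) { $problems += 'USB debugging is allowed' }
    return $problems
}

function New-AndroidCompliancePolicyBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][ValidateSet('androidCompliancePolicy','androidWorkProfileCompliancePolicy')][string]$PlatformType,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Settings,
        [int]$GracePeriodHours = 0
    )
    $body = [ordered]@{
        '@odata.type' = "#microsoft.graph.$PlatformType"
        displayName   = $DisplayName
        description   = 'Android baseline: password, encryption, rooted, unknown sources, USB debugging'
    }
    foreach ($k in $Settings.Keys) { $body[$k] = $Settings[$k] }
    # Graph rejects a compliance policy created without a scheduled action. "block" with a
    # 0-hour grace period marks the device non-compliant immediately, which is what Conditional Access keys off.
    $body['scheduledActionsForRule'] = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = $GracePeriodHours; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
    return $body
}

function Publish-CompliancePolicy {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Body, [string]$AssignGroupId, [switch]$Submit)
    $json = $Body | ConvertTo-Json -Depth 6
    if (-not $Submit) { return $json }   # dry run: show what would be posted
    $created = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
                                     -Body $json -ContentType 'application/json'
    if ($AssignGroupId) {
        $assign = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $AssignGroupId } }) } |
                  ConvertTo-Json -Depth 6
        Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
                              -Body $assign -ContentType 'application/json'
    }
    return $created
}

$issues = Test-ComplianceBaseline -Settings $baseline
if ($issues) { throw "Baseline is weaker than intended: $($issues -join '; ')" }

$policies = @(
    New-AndroidCompliancePolicyBody -DisplayName 'Android (device admin) compliance'          -PlatformType androidCompliancePolicy            -Settings $baseline
    New-AndroidCompliancePolicyBody -DisplayName 'Android Enterprise work profile compliance' -PlatformType androidWorkProfileCompliancePolicy -Settings $baseline
)
$policies | ForEach-Object { Publish-CompliancePolicy -Body $_ }   # add -Submit -AssignGroupId '<android-devices-group-guid>' to create and assign
```

Keeping both platform types on one shared baseline is the point: when the password or patch-level requirement changes, it changes once, and neither enrollment type is left with a weaker policy than the other.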

