How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

Have you already seen the new Intune options in the MEM portal? If not, I would recommend watching the video post linked here to get an overview of the new Intune portal.

We can have more granular restrictions for MDM enrollments in the new Intune portal. We don’t need any tweaking in on-prem services like ADFS or any federated access management system.

Now, we have the option to block personal iOS devices from Intune enrollment. The Enroll Devices node is the place in the Intune Azure portal where you can set up this policy, and “Enrollment restrictions” is where you can find the details of the granular enrollment restriction policies.

Enrollment restriction policies help us restrict/block a set of devices from enrolling into Intune.

How to Restrict Personal iOS Devices

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

Within enrollment restriction rules, we can have two types of restrictions: Device Type restrictions and Device Limit restrictions. Device limit restrictions are already available in the Intune Silverlight portal. Device Type restriction is new in the Intune Azure portal, and it gives us the option to restrict or block devices of specific platforms from enrolling.

If you want to restrict Android devices from enrolling into your Intune MDM, you can disable/block Android device enrollment from the new portal. However, I’m not sure how we can allow ONLY “Android for Work” enabled devices to enroll in Intune. I hope there could be some limitations from the Android platform side to restrict Android devices that are not enabled for the Android for Work type of management.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

The device type restriction policy is very helpful in a scenario where you want to restrict Windows Mobile/Phone devices from enrolling into Intune while still allowing Windows devices (desktops, laptops, Surfaces, etc.) to enroll.

The most interesting feature, and a very helpful one for any organization, is the ability to restrict personal iOS devices from enrolling into Intune while corporate/company-owned iOS devices are still enrolled through the Apple DEP program. In this scenario, you need to create an enrollment restriction policy with the iOS platform enabled for enrollment under Device Type Restrictions – Platforms. Once the iOS platform is enabled for enrollment, go to Platform Configurations and BLOCK personally owned iOS devices.

How to Restrict Personal iOS Devices from Enrolling into Intune Endpoint Manager

For example, when you try to enroll a device into Intune, the enrollment restriction policies are checked against that device’s platform and the enrolling user. Intune checks the device properties (platform, ownership) and the user’s device limit configured in the enrollment restriction policies and confirms that both the device platform and the user are allowed to enroll. Only after this positive verification does Intune allow the user to enroll the device.
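The decision flow described above, modelled as an added Python example (this is not Intune’s code or the author’s; the platform names, the device limit of 5, the per-user enrolled counts and the corporate_owned flag standing in for DEP/corporate identifier enrollment are all constructed for illustration):

```python
from dataclasses import dataclass, field

# Illustrative model of Intune enrollment restrictions (added example, not Intune code).
# Platform names, the device limit and the enrolled counts are constructed sample values.


@dataclass
class DeviceTypeRestriction:
    allowed_platforms: set                              # platforms permitted to enroll at all
    block_personal: set = field(default_factory=set)    # platforms where personally owned devices are blocked


@dataclass
class EnrollmentRestrictions:
    device_type: DeviceTypeRestriction
    device_limit: int                                   # maximum devices one user may enroll


@dataclass
class EnrollmentRequest:
    user: str
    platform: str
    corporate_owned: bool   # e.g. the device came in via Apple DEP or a corporate device identifier


# Constructed sample policy: iOS/Windows/Android may enroll, Windows Mobile may not,
# and only corporate-owned iOS devices are accepted (personal iOS blocked).
SAMPLE_POLICY = EnrollmentRestrictions(
    device_type=DeviceTypeRestriction(
        allowed_platforms={"iOS", "Windows", "Android"},
        block_personal={"iOS"},
    ),
    device_limit=5,
)

# Constructed count of devices each user has already enrolled.
SAMPLE_ENROLLED = {"alice": 5, "bob": 1}


def check_enrollment(req, policy=SAMPLE_POLICY, enrolled=SAMPLE_ENROLLED):
    """Evaluate a request in the order the text describes: platform first, then
    ownership, then the per-user device limit. Returns (allowed, reason)."""
    dt = policy.device_type
    if req.platform not in dt.allowed_platforms:
        return False, f"{req.platform} is blocked by the device type restriction"
    if req.platform in dt.block_personal and not req.corporate_owned:
        return False, f"personally owned {req.platform} devices are blocked"
    if enrolled.get(req.user, 0) >= policy.device_limit:
        return False, f"{req.user} already has {policy.device_limit} enrolled devices (device limit)"
    # Enrollment restrictions pass; conditional access is evaluated after this point.
    return True, "allowed by enrollment restrictions"


def evaluate_samples():
    """Run a handful of constructed requests through the sample policy."""
    requests = [
        EnrollmentRequest("bob", "iOS", corporate_owned=False),        # personal iPhone: blocked
        EnrollmentRequest("bob", "iOS", corporate_owned=True),         # DEP iPhone: allowed
        EnrollmentRequest("bob", "Windows Mobile", corporate_owned=True),  # platform not allowed
        EnrollmentRequest("alice", "Windows", corporate_owned=True),   # user at device limit
        EnrollmentRequest("bob", "Android", corporate_owned=False),    # allowed
    ]
    return [(r.user, r.platform, r.corporate_owned, *check_enrollment(r)) for r in requests]


if __name__ == "__main__":
    for row in evaluate_samples():
        print(row)
```

The ownership flag is the part that matters for the personal-iOS scenario: a device that did not arrive through DEP (or a corporate identifier) is treated as personally owned and is refused before the device limit or conditional access is even considered.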


Resources

How to Configure Intune Enrollment Setup for iOS macOS Devices

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Quick Overview Comparison between Intune Azure and Silverlight Portal

I’m excited to share the comparison video and post of Intune Silverlight and the new Intune in the MEM portal.

Loads of new features and loads of very good changes. All new Azure tenants with a new Microsoft EMS subscription will be able to access a preview version of Intune in the MEM portal.

Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center HTMD Blog (anoopcnair.com)

The performance, look and feel of the Intune console are far better than those of the Intune Silverlight console. Intune in the MEM portal helps us eliminate a lot of the duplicate work we used to do creating groups in both Azure AD and Intune.

In the new portal, we can directly deploy applications, policies, profiles, etc. to Azure Active Directory dynamic device groups and user groups. Enrollment restriction rules and RBA for Intune admins are the other most exciting features for me within the new portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Video Tutorial to know Intune Silverlight Portal Experience

Overview Comparison between Intune Azure and Silverlight Portal

The Manage Apps node is the place where you can create apps from the Android store, Apple App Store, and Windows store. The most exciting feature in Manage Apps is that you can directly search the Apple App Store (yes, I think for the preview we only have the option to select the US store) and fetch the application from there.

Hence you don’t need to specify the properties of that app yourself. Deployments in the new MEM portal are called ASSIGNMENTS. You can directly deploy applications to AAD groups. One thing missing in the preview version of Intune is an option to upload MSI applications.

Quick Overview Comparison between Intune Azure and Silverlight Portal

The Configure Device node is the place in the new Azure console where you can create configuration policies for iOS, Android for Work, Android, and Windows devices. In the Intune Silverlight portal, configuration policies have built-in generic policies for Windows, iOS, Android, etc.; similarly, the new Intune portal in Azure has built-in profiles.

We have different profile types called Device Restriction policies, WiFi profiles, VPN profiles, SCEP deployment profiles, email profiles, etc. Device restriction policies are nothing but the built-in configuration policies for specific device platforms.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Set Device Compliance is the node where you can create new, improved compliance policies for all the supported platforms like iOS, Android, and Windows. The improvement over the Silverlight Intune portal is that we can select the device platform explicitly in the compliance policies.

Also, depending upon the device platform, separate compliance policies get applied to different devices (even if a user is targeted with iOS, Android, and Windows compliance policies at the same time). Deployment of compliance policies is done via assignments in the Intune portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal

The Conditional Access node in the new Intune portal has very few options if you compare it with the Intune Silverlight conditional access options. All the device-based conditional access rules have moved out of Intune; those device-based conditional access rules are now part of Azure Active Directory. The device-based conditional access policy there has loads of granular options, more conditions, more control options, etc.

Quick Overview Comparison between Intune Azure and Silverlight Portal

The Enroll Devices node is where you can define enrollment restriction rules. Enrollment restriction rules are the rules which restrict devices from enrolling into Intune. The enrollment restriction rule is evaluated before conditional access verification. Within enrollment restriction rules, we can have different types of restrictions, namely Device Type restrictions and Device Limit restrictions.

Device Type restriction is the place where we can select device platforms and platform configurations. The Enroll Devices node is also the place where you can define/configure Windows Hello for Business, check the MDM management authority, Terms and Conditions, corporate device identifiers, and the Apple MDM push certificate.

Quick Overview Comparison between Intune Azure and Silverlight Portal

Access Control is the place where we can define custom security permissions for administrator users. Role-based administration (RBA) is enabled in the new Intune portal, where you can create your own customized Intune admin roles.

Once you create a security role, you can create a new assignment for it and add Member groups and Scope groups. The following are the permission options available in the Intune preview portal: Device Configurations, Managed Apps, Managed Devices, Mobile Apps, Organization, Remote Tasks, Roles, Telecom Expenses, and Terms and Conditions.

Quick Overview Comparison between Intune Azure and Silverlight Portal


Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

We need both delete and disable options in Azure AD and Intune as part of effective device management.

A device can be retired and deleted from the Intune console (Silverlight), and I’m sure the new MEM portal will have these options too.

If you are an SCCM admin, you may recall that there is an option in the SCCM console to delete and disable a device. However, I have seen that when you retire and delete a device from the Intune console, that device gets removed from the Intune console but still stays in Azure AD.

How to Delete Devices from Azure Active Directory

So it’s very critical and important to delete these devices from Azure AD and keep the environment clean. I have created a video tutorial to help you with this topic, “Learn How to have a Clean and Tidy Intune and Azure AD Environment”.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Back to the delete and disable device options in the new Azure AD portal. We will cover the disable/enable device option first and then discuss the delete option. Think about a hypothetical scenario: there is an emergency, and you want to disable the device in AAD to prevent further damage to your organization.

To disable a device, you need to go to the All users and groups blade in the MEM portal. Select All Users and then select the Devices option from that blade. This gives a list of devices; from that list, you can select one device and click on the Disable or Enable option as required.

You can review the video attached to this post to get a real-time experience of this. We don’t have a disable option in the Intune console, so the only way to disable a device is from the Azure AD portal.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Delete Devices from Azure Active Directory

Now, we can see the delete device option in the Azure portal. This is a critical option, which is very helpful in keeping your Azure AD environment clean, and it helps device management admins get better results from configuration/compliance policy and application deployments. To delete a device, you need to go to the All users and groups blade in the Azure portal.

Select All Users and then select the Devices option from that blade. This gives a list of devices; from that list, you can select one device and click on Delete.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices


How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

We discussed creating Azure AD dynamic device or user groups in my previous post, “How to Create Azure AD Dynamic Groups for Managing Devices via Intune”.

Another question I usually get is “How to remove or Exclude a device from Azure Active Directory Dynamic Device Group”.

I expect this to be one of the scenarios that comes up when deploying security/configuration policies via Intune. It is a very valid scenario, and you can’t avoid this kind of scenario in the device management world. No explanation is needed if you are an experienced SCCM admin.

Exclude a Device from Azure AD Dynamic Device Group

It’s impossible to remove a single device directly from an AAD dynamic device group. Yes, there is a Remove button available, but when you select a device and click on it, you get a confirmation popup with a YES button.

If you click on the YES button, it gives an error stating that you can’t remove the device from the Azure AD dynamic device group: “Failed to remove member LENexus 5 from group _Android Devices”. However, the exclusion can be achieved by adding a condition to the advanced membership rule query of the AAD dynamic group.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

AAD dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression, and the binary expressions are joined by a conditional operator, either -and or -or. You can use these conditional operators to keep specific devices out of an AAD dynamic device or user group.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

The following is the advanced membership rule query I used in the AAD dynamic device group to exclude a device. In this query, the conditional operator between the two binary expressions is -and, so a device must be Android AND must not carry the excluded display name.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I don’t know the result and whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. I assume that this will work because I can see a difference in the device icon for the device called “LGENexus 5”. And that is the device that I tried to exclude using the above query.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups


How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update

This post covers two things: how to create Azure AD dynamic groups for managing devices using Intune, and how to pause AAD dynamic group updates.

In this post, we will see how to create dynamic device groups and user groups in Azure Active Directory. Azure AD groups are the equivalent of collections (in the SCCM world) for Intune device management.

These AAD groups can be used to target different policies at a specific group of devices. Latest post: Validate Azure AD Dynamic Group Rules | Intune.

So this is very important in the world of modern management of devices using Microsoft Intune. If you are an SCCM admin, an AAD dynamic group is similar to a dynamic collection built with WQL query rules, although AAD groups don’t offer the same granularity in dynamic query rules as WQL query rules do.

However, the new Azure portal has many options to create dynamic query rules. The video tutorial will give you more insight into AAD dynamic groups.

Updated Post -> How To Create Nested Azure AD Dynamic Groups.

Create Azure AD Dynamic Groups

AAD dynamic membership advanced rules are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression in an AAD dynamic membership rule query must have three parts: the left parameter, the binary operator, and the right constant.

The left parameter in the query rule is one of the attributes of the AAD object (either a user or a device). If you want to query users in a particular department, then the user is the object, and the department is the attribute (user.department).

The binary operator is a conditional operator such as -ne, -eq, -contains, or -match. The right constant is a constant value specific to your requirement; for example, if you want to create a group for all IT users, it is “IT”, giving rules like the following:

(user.department -startsWith "IT")

(user.department -match "IT")

(user.department -eq "IT")

Let’s take the example of creating an Azure AD dynamic group for Windows devices. The following are the steps to create the AAD dynamic device group; you must have the appropriate permissions to create Azure AD groups. Follow the steps to create the device group for Windows 11 22H2.

  • Login to Endpoint Manager Portal (endpoint.microsoft.com)
  • Navigate to the Groups node.
  • Click on “+ New Group”.
  • Select Security – Group Type from the drop-down option.
  • Enter Group Name “HTMD Windows 11 22H2 Device Group” (any name is fine).
  • Enter Group Description “HTMD Windows 11 22H2 Device Group” (any description is fine).
  • Select Dynamic Device as the Membership type.
  • Click on Add Dynamic Query under Dynamic Device Members.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 1

On the Dynamic membership rules page, you need to hover over the Property column to get the option to select the device property the Windows device group rule is based on.

You can create or edit rules directly by editing the syntax in the rule syntax box, or you can use the Azure AD portal UI as shown below to build the dynamic group query rule. There are some scenarios where device properties (e.g. for nesting) are not published in the UI property list, and the syntax box is the only way to use them.

(device.deviceOSVersion -startsWith "10.0.22621")
  • Click on the SAVE button to save the query rule.
  • You also have the option to validate the Azure AD query from Validate Rules tab, as shown in the picture. More details are explained in the below section.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 2

You can now click on the CREATE button to complete the creation of the Windows devices Azure AD dynamic group. You can also change the version number in the rule to get different results.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune Fig. 3

How to Pause Azure AD Dynamic Group Update

Microsoft recently added an option to Pause Azure AD Dynamic Group Update. You can perform the PAUSE action from the Azure AD portal itself. You don’t have to do this using Microsoft Graph or any other crazy method.

Suppose an accidental deployment has happened to an Azure AD dynamic group and you must reduce the impact. What would be your first step? I think pausing the update might help stop the deployment with immediate effect, at least for new devices.

You can navigate to the Azure AD dynamic group that you want to pause. From the Overview tab, you can enable the Pause Processing option for Azure AD Dynamic groups.

  • When the setting is set to YES, the processing of this dynamic group will pause.
  • When set to NO, processing will continue.

The Dynamic Rule Processing Status shows “Updates Paused” once you enable the Pause Processing option for the Azure AD dynamic group. The Dynamic Rule Processing Status shows whether or not this group is currently processing changes to its dynamic group rules. This is only applicable when a group is newly created, the rule was recently edited, or the Pause Processing setting was changed.

How to Pause Azure AD Dynamic Group Update Fig. 1

Maximum supported words/characters

I did a test to understand what the maximum supported number of words/characters in an Azure AD dynamic advanced membership rule is, and I found that we could save a query with a maximum of 311 words and 3045 characters.

When I increased the numbers to 315 words and 3085 characters, it started giving an error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

Now back to Intune and device management. I will create three basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.

Dynamic Query

First, I wanted to group all Windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules: 1. Simple rule and 2. Advanced rule. To group Windows devices based on the operating system, it’s better to use a simple rule via the Azure portal GUI.

In case you want to use an advanced membership rule, the query is (device.deviceOSType -contains "Windows"). When you create an Azure AD dynamic device group, it takes 1 or 2 minutes (depending upon the complexity of the query and the size of the directory) to populate the devices into the group.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

It’s time to find the iOS devices (iPhone or iPad) in my environment via an AAD dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS AAD dynamic device group can’t be created using a simple membership rule; rather, we should use an advanced membership rule.

We need two constant values, iPhone and iPad. The following is the query I used to fetch iOS devices: (device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad").

How to Create Azure AD Dynamic Groups for Managing Devices using Intune

OK, here we go with the grouping of Android devices. In this scenario, I want to create the AAD dynamic device group using a simple membership rule, because I don’t have more than one constant value in the AAD group binary expression. The following is the dynamic query for the Android device group: (device.deviceOSType -contains "Android").
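To make the three-part structure of a binary expression, the -and/-or joining of expressions, and the exclusion trick from the “Exclude a Device from Azure AD Dynamic Device Group” section concrete, here is an added Python example (not Azure AD’s implementation and not the author’s code) that parses and evaluates the page’s own rule strings against a constructed list of device objects. It assumes string comparisons are case-insensitive, evaluates -and/-or strictly left to right (use parentheses as the page’s rules do), and the device list is sample data, not real tenant data:

```python
import re

# Constructed sample device objects (not real tenant data). Attribute names follow the
# device.* properties used in the rules on the page.
DEVICES = [
    {"displayName": "LGENexus 5",   "deviceOSType": "Android", "deviceOSVersion": "13"},
    {"displayName": "Pixel-7",      "deviceOSType": "Android", "deviceOSVersion": "14"},
    {"displayName": "anoop-iphone", "deviceOSType": "iPhone",  "deviceOSVersion": "17.1"},
    {"displayName": "ipad-lab-1",   "deviceOSType": "iPad",    "deviceOSVersion": "17.0"},
    {"displayName": "HTMD-WIN-01",  "deviceOSType": "Windows", "deviceOSVersion": "10.0.22621.2715"},
    {"displayName": "HTMD-WIN-02",  "deviceOSType": "Windows", "deviceOSVersion": "10.0.19045.3693"},
]

# Tokens: parentheses, a double-quoted constant, a -operator, or a left parameter like device.displayName.
TOKEN_RE = re.compile(r'\s*(\(|\)|"[^"]*"|-[A-Za-z]+|[A-Za-z_][A-Za-z0-9_.]*)')


def tokenize(rule):
    rule, pos, tokens = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad syntax near: {rule[pos:pos + 20]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def compare(value, op, const):
    """Apply one binary operator. Assumption: comparisons are case-insensitive."""
    v = ("" if value is None else str(value)).lower()
    c, op = const.lower(), op.lower()
    if op == "-eq":
        return v == c
    if op == "-ne":
        return v != c
    if op == "-contains":
        return c in v
    if op == "-notcontains":
        return c not in v
    if op == "-startswith":
        return v.startswith(c)
    if op == "-match":
        return re.search(const, str(value or ""), re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator {op}")


class RuleParser:
    """expr := term ((-and | -or) term)*   term := '(' expr ')' | binary
    binary := <left parameter> <binary operator> <right constant>"""

    def __init__(self, rule):
        self.toks, self.i = tokenize(rule), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() and self.peek().lower() in ("-and", "-or"):
            op = self.take().lower()
            node = (op, node, self.term())          # left-to-right, no precedence (assumption)
        return node

    def term(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.binary()

    def binary(self):
        left, op, const = self.take(), self.take(), self.take()
        if left is None or not left.startswith(("device.", "user.")):
            raise ValueError(f"left parameter must be device.* or user.*, got {left!r}")
        if op is None or not op.startswith("-"):
            raise ValueError(f"expected a -operator, got {op!r}")
        if const is None or len(const) < 2 or not (const.startswith('"') and const.endswith('"')):
            raise ValueError(f"right constant must be a quoted string, got {const!r}")
        return ("cmp", left.split(".", 1)[1], op, const[1:-1])


def evaluate(node, obj):
    if node[0] == "cmp":
        _, attr, op, const = node
        return compare(obj.get(attr), op, const)
    kind, lhs, rhs = node
    return (evaluate(lhs, obj) and evaluate(rhs, obj)) if kind == "-and" \
        else (evaluate(lhs, obj) or evaluate(rhs, obj))


def members(rule, objects=DEVICES):
    """Display names of the objects the rule would pull into the group."""
    tree = RuleParser(rule).parse()
    return [o["displayName"] for o in objects if evaluate(tree, o)]


# The rules from the page.
ANDROID_EXCLUDING_NEXUS = '(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")'
IOS_DEVICES = '(device.deviceOSType -contains "iPhone") -or (device.deviceOSType -contains "iPad")'
WIN11_22H2 = '(device.deviceOSVersion -startsWith "10.0.22621")'
ALL_WINDOWS = '(device.deviceOSType -contains "Windows")'

if __name__ == "__main__":
    for name, rule in [("Android minus Nexus", ANDROID_EXCLUDING_NEXUS), ("iOS", IOS_DEVICES),
                       ("Win11 22H2", WIN11_22H2), ("All Windows", ALL_WINDOWS)]:
        print(f"{name}: {members(rule)}")
```

Running it shows why the -and exclusion works: the Nexus device satisfies the Android expression but fails the -notcontains expression, so the conjunction is false and it drops out, while the iOS rule needs -or because a device is either an iPhone or an iPad and never both. A rule that drops the dash from an operator or leaves a constant unquoted is rejected by the parser with a ValueError, which is the same class of mistake the portal’s Validate Rules tab catches.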

How to Create Azure AD Dynamic Groups for Managing Devices using Intune


How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

A clean Intune environment always gives us better deployment results, and one of the important steps to keep your environment clean is explained in this post.

This is not the only way to keep your Intune environment clean. You should also run regular sanity checks on your environment to ensure that you don’t have duplicate copies of policies and applications.

Moreover, you should avoid duplicate deployments of policies and applications. Duplicate deployments of policies can cause conflicts and could result in unexpected results.

Introduction

We SCCM admins are familiar with the process of deleting and removing a device in SCCM and Microsoft Intune. However, we are not always sure whether, when you remove a device from SCCM, that device record automatically gets removed from on-prem Active Directory or not.

The removal or deletion of a device or machine from Active Directory is not SCCM’s responsibility, and this should be handled separately by on-prem Active Directory.

So how are these operations handled in the modern device management world, in terms of Intune standalone (SA) or SCCM hybrid and Azure Active Directory? In most cases, I have not seen the device record automatically purged from Azure Active Directory (AAD) when you retire and delete a device from Intune.

To get better results from your compliance/configuration policy and application deployments in the modern device management world, we should ensure a clean environment with a clean Azure AD. You can get a better understanding of this issue from the above video tutorial.

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

How to Delete Clean Tidy Intune Azure Active Directory?

In the above example, the Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check the devices assigned against my account, you can see there are a total of 3 devices, and all 3 devices are shown as managed by Intune.

The data reflected in Azure Active Directory is not accurate here. I’m not saying this scenario will happen every time; I’ve seen some devices automatically get removed from both Intune and AAD.

I suppose we should have better accuracy/sync between the Intune and Azure AD databases. I don’t see a scheduled task in Azure AD to purge the records deleted from Microsoft Intune, and I’m not sure whether this is coming in the near future or not.

To ensure better results for Intune device management policies, when you delete a device from Intune, you should make sure that the device record is removed from Azure AD. I’m planning to post a video tutorial showing how to delete a device from Azure AD to have a clean and tidy environment.

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager

Resources

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Validate Azure AD Dynamic Group Rules | Intune


How to Troubleshoot Windows 11 10 Intune MDM Issues

Learn how to troubleshoot Windows 11/10 Intune MDM issues from this blog post. There are several options to troubleshoot, and some of them are explained here.

Windows 11 or 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you use Intune or SCCM + Intune hybrid to manage Windows 10 machines, all the management policies are deployed through the MDM channel. This post is a Windows 10 MDM troubleshooting guide.

Understand Windows 10 MDM Architecture

For example, if an Intune policy is deployed to a Windows 10 machine but is not getting applied on that machine, how do we start troubleshooting? First of all, we need to understand the Windows 10 management architecture. The following is the high-level architecture diagram for Windows 10 management; troubleshooting Windows 10 MDM issues is much easier once you know this high-level architecture.

How to Troubleshoot Windows 11 10 Intune MDM Issues 1

There could be many ways to troubleshoot Windows 10 MDM issues while using Microsoft Intune to deploy policies to those devices. In this post, I will share 3 easy ways to start MDM troubleshooting. Yes, it’s different from the SCCM/ConfigMgr client way of troubleshooting, as there are no log files for the MDM client.

The MDM client is built into the Windows 10 operating system, and the event logs are the best place to start troubleshooting Windows 10 MDM issues. The 3rd way mentioned in this post is very easy for me and other IT Pros to understand and use to start Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips, as you can see above.

[Related Posts – How to Start Troubleshooting Intune Issues]

Video Tutorial – Windows 10 MDM Troubleshooting Guide

Windows 10 MDM Troubleshooting Guide video tutorial to help IT Pros!

How to Troubleshoot Windows 11 10 Intune MDM Issues 1

Troubleshoot with Windows 10 Event Logs

Event Logs: Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin

The event logs on Windows 10 machines are the best place to start troubleshooting MDM-related issues. As you can see in the below screen capture, you can see where to go in the event logs (Microsoft -> Windows -> DeviceManagement-Enterprise-Diagnostics-Provider -> Admin) to find the details of MDM and device management related issues. When the machine is Workplace Joined or AAD joined, all the events related to Intune/SCCM policies are recorded in this event log section.

AAD event logs are also very useful for Windows 10 MDM issues; you can find the AAD-related events under “Microsoft-Windows-AAD/Operational”. Event logs are an integral part of this Windows 10 MDM Troubleshooting Guide.

The event logs are the best place to start troubleshooting Windows 10 MDM issues. You will get the detailed status of Intune or SCCM hybrid policies from the event logs. Each entry tells you whether the deployed policies have reached that machine and been applied or not. There is also a way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from Windows 10 Settings (the connect to work or school page).



Troubleshoot Windows 10 with WMI Explorer

WMI Explorer way of checking whether the policy settings are applied or not:-

WMI Explorer is the best tool to check whether the MDM policy settings have been applied on the Windows 10 system or not. As you can see in the following screen capture, this is how to check whether MDM policies are correctly applied to a Windows 10 machine.

I have deployed the Windows Defender policy from Intune to this Windows 10 machine, and you can use WMI explorer to find out whether these policies are applied on the machine or not. Again, when you start troubleshooting, the best place to begin with is event logs.

We can also check this via WBEMTEST, but we may need to start WBEMTEST from the system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) have been applied to a machine.


Troubleshoot Windows 10 with Registry Entries

Registry way of checking Windows 10 MDM policy settings:-

The 3rd and easiest way to check whether MDM policies are applied to a Windows 10 machine is the registry. The registry location where you can find the MDM policy settings on a Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers

In the screen capture below, you can see the Windows Defender settings I applied to Windows 10 machines through Intune policies. The only caveat of this method is that we need to find a way to decode each provider GUID (CLSID key?) related to MDM policies. Following are some of the extracts from my Windows 10 machine:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Display

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi
  • System > Power Management > Button Settings
  • Select the Start menu Power button action (on battery)
  • Select the Start menu Power button action (plugged in)
  • Enabled – Select the Start menu Power button action (on battery).

Troubleshoot Windows 10 with MDMDiagReport

These provider GUIDs can be found in the MDMDiagReport.xml file, and this XML can be decoded into an HTML file (MDMDiagReport.html) using the tool here.
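The post's three checks plus the MDMDiagReport step, pulled together in one PowerShell script (an added example, not the author's script). The event log names and the PolicyManager\Providers key come from the post above; the MDM Bridge WMI namespace root\cimv2\mdm\dmmap and the MdmDiagnosticsTool.exe -out switch are my assumptions about the tooling and are not named in the post.

```powershell
# Added example for this post (not the author's script): collect the four signals the post
# points at for Windows 10/11 MDM troubleshooting. Run in an elevated PowerShell on the
# enrolled device. Assumptions not stated in the post: the MDM Bridge WMI namespace
# root\cimv2\mdm\dmmap and the MdmDiagnosticsTool.exe -out switch that writes MDMDiagReport.xml.

$MdmAdminLog  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$AadOpLog     = 'Microsoft-Windows-AAD/Operational'
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers'
$DiagFolder   = 'C:\Users\Public\Documents\MDMDiagnostics'

# 1. Event logs: errors and warnings from the MDM and AAD channels in the last N hours.
function Get-MdmRecentEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 100)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($log in @($MdmAdminLog, $AadOpLog)) {
        # Level 2 = Error, 3 = Warning. Remove the Level filter to also see the
        # informational "policy applied" events when you want to confirm a success path.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Level = 2, 3 } `
                     -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName,
                          @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# 2. Registry: every provider GUID under PolicyManager\Providers and the settings written
#    beneath it. A Defender policy from Intune shows up here as value/data pairs in a subkey.
function Get-MdmProviderSettings {
    Get-ChildItem -Path $ProvidersKey -ErrorAction Stop | ForEach-Object {
        $providerGuid = $_.PSChildName
        $prefixLength = $_.Name.Length + 1   # strip "...\Providers\<GUID>\" from subkey paths
        Get-ChildItem -Path $_.PSPath -Recurse | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    ProviderGuid = $providerGuid
                    KeyPath      = $key.Name.Substring($prefixLength)
                    Setting      = $name
                    Value        = $key.GetValue($name)
                }
            }
        }
    }
}

# 3. WMI: the MDM Bridge provider exposes what the MDM client actually applied as
#    MDM_Policy_Result01_<Area>* classes (class naming is an assumption; the wildcard covers
#    the suffix). Like WBEMTEST in the post, this needs the SYSTEM context; in a normal
#    elevated session the namespace appears empty or access is denied.
function Get-MdmPolicyResults {
    param([string]$Area = 'Defender')
    $ns = 'root\cimv2\mdm\dmmap'
    Get-CimClass -Namespace $ns -ClassName "MDM_Policy_Result01_${Area}*" -ErrorAction Stop |
        ForEach-Object {
            Get-CimInstance -Namespace $ns -ClassName $_.CimClassName -ErrorAction SilentlyContinue |
                Select-Object -Property * -ExcludeProperty Cim*, PS*
        }
}

# 4. MDMDiagReport: generate the report the post mentions and check which registry provider
#    GUIDs appear in it (regex on GUID-shaped tokens, so it does not depend on the XML layout).
function Get-MdmDiagReportProviders {
    if (-not (Test-Path -Path $DiagFolder)) {
        New-Item -ItemType Directory -Path $DiagFolder | Out-Null
    }
    & "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out $DiagFolder | Out-Null
    $report = Get-Content -Raw -Path (Join-Path -Path $DiagFolder -ChildPath 'MDMDiagReport.xml')
    $guidPattern = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $inReport = [regex]::Matches($report, $guidPattern) |
        ForEach-Object { $_.Value.ToLowerInvariant() } | Sort-Object -Unique
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{
            ProviderGuid = $_.PSChildName
            InDiagReport = ($inReport -contains $_.PSChildName.ToLowerInvariant())
        }
    }
}

Get-MdmRecentEvents -Hours 48 | Format-Table -AutoSize
Get-MdmProviderSettings | Where-Object { $_.KeyPath -like '*Defender*' } | Format-Table -AutoSize
Get-MdmDiagReportProviders | Format-Table -AutoSize
# Get-MdmPolicyResults -Area Defender    # run this one from a SYSTEM-context PowerShell
```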



Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune | Endpoint Manager

Loads of people requested a starter kit for Intune as I have one for the SCCM 2012 starter kit, and the SCCM 2012 starter kit page was very useful for the community (I think that is why people are requesting the Intune Starter Kit). In this post, we will mainly concentrate on Intune standalone (not Intune Hybrid and Office 365 Intune MDM).

In most cases, there is no need, or only a very minimal need, for on-prem infrastructure if you go with Intune standalone and the other cloud components like Azure Active Directory, Office 365, etc. I’ll keep adding new things to this page. This is just the start 😉

63 Episodes Of Free Intune Training For Device Management Admins HTMD Blog (anoopcnair.com)

I started working with Intune in the later part of 2012, and Microsoft Intune has evolved a lot over the years. In 2013, I started a post called “Microsoft Intune Wiki” (most of the links in that post are outdated, but it’s worth going through if you want to see how Intune used to be).

We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here


What is Microsoft Intune?

Intune is an enterprise mobility management (EMM) solution from Microsoft. An EMM provider helps manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune is a combination of device, application, information protection, endpoint protection (antivirus software), and security/configuration policy management, delivered by Microsoft as a cloud service (SaaS).

Additionally, Intune lets admins create “Conditional Access” policies that gate access to company resources. Only if a device meets those conditions does Intune allow access to corporate resources (corporate mail, SharePoint, etc.).

Previously, I mentioned Microsoft Intune as a lighter version of SCCM or ConfigMgr in the cloud. However, I don’t want to oversimplify it this time. Intune architecture is entirely cloud-based and agile. To get a more detailed idea about Intune, see the video (yes, this video is old and outdated in some parts, as Intune has evolved along with Microsoft’s entire Enterprise Mobility and Security (EMS) suite).

Management Options using Intune?

I’m going to explain this in a slightly different way. Let me know if this is confusing. We can manage devices with an Intune client agent and, arguably, without an Intune client agent. For example, the Intune Company Portal application(s) in the different app stores like Google Play and the Apple App Store are Intune client agents.

So, when you install Intune company portal onto your Android or iOS devices, you are doing agent-based management. Also, there is Microsoft Intune client MSI available to download once you have a valid Intune subscription. You can download and install it on Windows machines that you want to manage.

I have an old post (published in Dec 2012) here to help you understand the basic stuff about Intune MSI agent installation. Once you install Intune MSI agent on Windows machines, those machines are “fully managed” by Intune.


So what is arguably agentless Intune management? Windows 10 has a built-in (native) MDM agent as part of the operating system. We can enroll Windows 10 devices into Intune using this built-in MDM agent. In this scenario, the Intune Company Portal is used only to install applications, like a shopping cart.

So the Intune Company Portal is not acting as the Intune agent in native MDM enrolment scenarios. Native MDM-managed devices are arguably NOT fully managed devices (at this point in time). I’m sure this will change sooner or later. The Windows 10 built-in MDM agent can also be used to enroll your Windows 10 devices into other MDM products such as VMware AirWatch, MobileIron, etc.

In summary, the Intune enrolment options are:

  • Enrolled via Intune Company Portal
  • Enrolled via installation of the Intune MSI client
  • Enrolled via Windows 10 1607 and above built-in Azure AD join and MDM enrolment
  • MAM without MDM enrolment

How to get an Intune account and start working/Testing with Intune?

Download the Microsoft EMS step-by-step guide from here. This guide will help you to get a trial version of Office 365, Azure AD, and Intune subscription for free. If you already have an Azure AD (Azure AD premium) subscription, things are very straightforward, as I posted in the blog here.

Suppose you don’t have an Azure AD subscription; then it’s better to start with an Enterprise Mobility Suite (EMS) trial account, an Azure free trial account (an Azure trial account is already created with the EMS trial account), and an Office 365 free trial subscription. To get these trial accounts, it’s better to create a NEW outlook.com account and have your credit card details ready to activate the Azure trial subscription.

Getting a trial version of Azure AD, Office 365, and Intune is a very straightforward process if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test/trial all the features of Intune.

Note:- Intune can be signed up separately as well from here. If you feel you are interested in testing only Intune now, this is the way.

How to start using Microsoft Intune Console

Once you have completed the subscription steps, you can log in to the Microsoft Intune portal (http://manage.microsoft.com/) (Silverlight is a must for the Intune console to work). Internet Explorer with the Silverlight plugin is the best browser for the Intune console.

However, Intune console will work on any internet browser which can add Silverlight as a plugin. In the future, maybe, Intune console will work without the Silverlight plugin, and I would love to see this very soon.

The following documentation is where you can start reading about all the Intune topics:- Microsoft documentation Intune quick start guide here.


How to select the MDM authority from Intune console?

For me, MDM authority and management options are very important. Please note once you set MDM (Mobile Device Management) authority to Intune in the following place at Intune console, then you won’t be able to change it.

To change Intune MDM authority, you have to raise a ticket with CSS or service request via Intune/office 365 portal. So be very careful when you click on any links on the following page at Intune console.

What types of management authority do we have for Intune?

  1. Microsoft Intune
  2. Configuration Manager (SCCM)
  3. Office 365 (lightweight Intune)

Quick question:- Do I need to re-enroll devices if MDM authority is changed from o365 MDM to Intune MDM? – It is working without re-enrolment of devices, just a compliance check, and everything looks ok on the device. I think I heard it’s supported as both use Intune for MDM.


How to start managing Windows/iOS /Android devices with Intune?

Managing Windows devices is very straightforward. Yes, Windows 10 management is very straightforward; earlier, we needed sideloading keys and SEP certificates to manage Windows and Windows Phone devices and deploy apps to them.

Now, most of these certificates and sideloading key requirements have been removed for most scenarios. Managing Android devices is also very straightforward. It’s 10 minutes of work to sync your Windows Store for Business and Microsoft Intune. More details in the post “Integrate Windows Store for business” are here.

If you want to install store apps without using a Microsoft account, read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.

However, iOS/Mac OS device management has certificate requirements: we need to go to the Apple portal, upload the certificate request for your tenant, and get the certificate for your Intune tenant.

The process for SCCM CB is explained in the following video, but the process is similar for Intune. More details here Microsoft document specifically for Intune.

How to Deploy MSI applications to Windows PCs using Intune?

Similar to SCCM, Intune can also deploy different kinds of applications to different types of devices. The types of applications that Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, APPX – APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or application available to devices via 3 methods.


1. Software Installer – select the type of software you want to install
2. External Link – this can be used for deploying applications from the Google Play store via deep linking
3. Managed iOS apps from the App Store – this can be used to deploy apps from the Apple App Store via the deep-linking method

The following post will help understand the process of deploying applications using Intune “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune Part 1” – here. More details about deploying the application via Intune are given in the following links here and here.

How to create policies within Intune console?

Creating policies in Intune is another important step in Intune configuration and device management. Following is the list of policies you can create and deploy via Intune.

  • Configuration Policies
  • Compliance Policies
  • Dynamics CRM Online Conditional Access Policy
  • Exchange Online Conditional Access Policy
  • Exchange On-premises Conditional Access Policy
  • SharePoint Online Conditional Access Policy
  • Skype for Business Online Conditional Access Policy
  • MAM Application Policy
  • MAM Browser Policy

What is the difference between an Intune Configuration Policy and an Intune Compliance Policy:- In some cases, you can see similar kinds of settings in compliance and configuration policies. So what is the exact difference? Compliance policies work together with conditional access policies, whereas configuration policies are independent of conditional access. Compliance policies can be deployed ONLY to USERS, whereas configuration policies can be deployed to both devices and users.

A compliance policy won’t force the device to change its configuration; rather, it waits until the device reaches the compliant state before access to company resources like mail/SharePoint is provided (when a conditional access policy is set). A configuration policy forces the device or user to change the configuration settings mentioned in the policy (arguably not true in all scenarios).

The following video will explain to you how to create and Deploy Intune Compliance Policies from the console.

What are MAM (Mobile Application Management) policies?

Mobile Application Management policies are application-specific policies that you can set up via Intune. What is the difference between configuration, compliance, and MAM policies? Configuration and compliance policies are for the entire device; they apply to everything on the device. MAM policies apply only to the application with which they are associated.

The following post will guide you through the process of deploying MAM policies to iOS or Android devices “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune” – here. Microsoft Intune documentation about MAM policy creation here.


What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?

This is another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment? The latter is Mobile Application Management policies without enrolling the device into Intune. These policies are really helpful on BYOD/personal devices to get access to corporate mail, SharePoint, etc., while securing the corporate data.

Why is the Intune option visible in the Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins: we are getting new features in Intune. This time it’s Intune MAM (Mobile Application Management) without MDM enrolment.

For full management of mobile devices, we need to use the original Intune portal (https://manage.microsoft.com). A regular question in forums and other communities was whether Intune can coexist with other MDM products like AirWatch or MobileIron. More details here.

How to Manually Add Users to Intune Console?

How do you add users to the Intune console, and how do you provide permissions to users in the Intune console? Will we still have to do this once the Intune Silverlight console is migrated to the Azure portal?? Before you try to provide service administrator access (only limited roles are available in the Intune Silverlight console: Full Access, Read-Only access, or Helpdesk – Group Node access) to users in Intune, you should make sure the administrator or server administrator user is already available in the Intune administrator console. More info here.


Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr Endpoint Protection

Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr Endpoint Protection?

Are you having issues with Windows Information Protection (WIP, previously known as “Enterprise Data Protection – EDP”) policies configured through SCCM ConfigMgr CB 1606 production version?

If so, I was one of you. Here I’m talking about the issue I faced during the deployment of the WIP policy via the Windows 10 MDM channel. I will try to explain the issue which I had with WIP CI (for the specific scenario which I tested):-

Windows Information Protection = WIP

When you open the WIP CI to check whether everything is OK and then exit the CI, with or without making any changes, it automatically changes some values in the CI XML, which breaks the entire CI.

I’ve embedded a video below that will explain this bug/issue in more detail. If you are new to WIP/EDP and want to know how to create, deploy, and test WIP with Windows 10, look at my previous post and video here.

The good news is that the new rollup update (KB3186654) released by Microsoft most probably fixed this issue. I have done extensive testing with Windows Information Protection (WIP) policies/CIs after installing the new rollup on SCCM CB 1606 server, and the results are very promising.


I tried creating new WIP CIs, editing the existing WIP CIs, etc. All the scenarios I tested worked well for me. I tested this with Windows 10 1607, build numbers 14393.00 and 14393.82 (via the MDM channel).

EDP WIP CI Known Issue with SCCM CB 1606 before installing Rollup Update KB 3186654

https://youtube.com/watch?v=TA9aXAHZTms

How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP:-



Sample of the correct WIP CI with correct ConstantValue

    <Condition>
      <Expression>
        <Operator>NotEquals</Operator>
        <Operands>
          <SettingReference AuthoringScopeId="GLOBAL" LogicalName="EnterpriseDataProtection" DataType="String" SettingLogicalName="AllowedEXEHash" SettingSourceType="CIM" Method="Value" Changeable="false" />
          <ConstantValue Value="EB9D585A55FAEA4A913BBAB7101911F5BAEA7CA84A8D8AD6BBB7FB50363117F1" DataType="String" />
        </Operands>
      </Expression>
    </Condition>
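One way to see exactly which value the console rewrote, as an added PowerShell example that is not from the post: export the CI XML before and after opening it in the console, then diff the ConstantValue entries. The before XML is the post's snippet; the after XML and its PLACEHOLDER value are constructed here, and the 64-hex-character shape check is my assumption based on the correct value shown above.

```powershell
# Added example (not from the post): diff the ConstantValue entries of a WIP CI export taken
# before and after the CI was opened in the console, to see which setting the console rewrote.
# $BeforeXml is the correct snippet from the post; $AfterXml is a constructed copy in which a
# PLACEHOLDER value stands in for whatever the console wrote back.

$BeforeXml = @'
<Condition>
  <Expression>
    <Operator>NotEquals</Operator>
    <Operands>
      <SettingReference AuthoringScopeId="GLOBAL" LogicalName="EnterpriseDataProtection" DataType="String" SettingLogicalName="AllowedEXEHash" SettingSourceType="CIM" Method="Value" Changeable="false" />
      <ConstantValue Value="EB9D585A55FAEA4A913BBAB7101911F5BAEA7CA84A8D8AD6BBB7FB50363117F1" DataType="String" />
    </Operands>
  </Expression>
</Condition>
'@

# Constructed "after" export: same CI, ConstantValue replaced by a placeholder.
$AfterXml = $BeforeXml -replace 'Value="EB9D585A[0-9A-F]+"', 'Value="PLACEHOLDER-REWRITTEN-VALUE"'

# Map "<LogicalName>/<SettingLogicalName>" -> ConstantValue for every Expression in a CI export.
# Note: a full SCCM CI export may declare a default xmlns; if so, the unprefixed XPath below
# needs an XmlNamespaceManager. The post's snippet has no namespace, so plain XPath works.
function Get-CiConstantValues {
    param([Parameter(Mandatory)][string]$CiXml)
    $doc = [xml]$CiXml
    $map = @{}
    foreach ($expr in $doc.SelectNodes('//Expression')) {
        $ref = $expr.SelectSingleNode('Operands/SettingReference')
        $val = $expr.SelectSingleNode('Operands/ConstantValue')
        if ($null -ne $ref -and $null -ne $val) {
            # GetAttribute avoids the PowerShell XML adapter clash with the .NET Name/Value properties
            $key = '{0}/{1}' -f $ref.GetAttribute('LogicalName'), $ref.GetAttribute('SettingLogicalName')
            $map[$key] = $val.GetAttribute('Value')
        }
    }
    return $map
}

# Compare two exports; flag settings whose ConstantValue changed and, for AllowedEXEHash, whether
# the new value still has the 64-hex-character shape of the correct CI (assumption: every
# AllowedEXEHash constant should keep that shape).
function Compare-CiConstantValues {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $b = Get-CiConstantValues -CiXml $Before
    $a = Get-CiConstantValues -CiXml $After
    foreach ($setting in (@($b.Keys) + @($a.Keys) | Sort-Object -Unique)) {
        $old = $b[$setting]
        $new = $a[$setting]
        $hashShapeOk = if ($setting -like '*/AllowedEXEHash') { $new -match '^[0-9A-Fa-f]{64}$' } else { $true }
        [pscustomobject]@{
            Setting     = $setting
            Before      = $old
            After       = $new
            Changed     = ($old -ne $new)
            HashShapeOk = $hashShapeOk
        }
    }
}

# For the constructed sample this reports Changed = True and HashShapeOk = False for
# EnterpriseDataProtection/AllowedEXEHash.
Compare-CiConstantValues -Before $BeforeXml -After $AfterXml | Format-List
```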


Resources

Learn Microsoft Intune Related Posts Real World Experiences (anoopcnair.com)

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

Intune Device Management – HTMD Blog #2 (howtomanagedevices.com)


How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB

How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB? To Manage iOS and Mac OS devices via Intune and Hybrid SCCM CB, we need an APNs cert. 

In this video tutorial, we can see how to get the certs from Apple and how to upload them to SCCM CB for a hybrid solution: how to create an Apple Push Notification Service (APNs) certificate to manage iOS and Mac OS X devices via Intune.

You must have an Apple ID/user name and password to upload and download the certs for SCCM CB hybrid. More detailed videos are coming up on my YouTube channel; subscribe here.

Following is the location and file where I saved the certificate signing request (CSR) downloaded from the SCCM CB hybrid environment: C:\Users\anoop\Documents\Apple Cert\Apple_Cert_4_How_2_Manage.CSR


Go to the following Apple website:-

https://identity.apple.com/pushcert/  

At the end of this process, you would be able to manage iOS and Mac OS devices via Microsoft Intune and or SCCM CB hybrid environment !!


How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments

How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments? We are going to look at 3 topics in this post.

1. How to Create Compliance policies using intune and SCCM CB Hybrid environment.

2. How to deploy Compliance policies and

3. Differences between the compliance policy settings !!

I have created a quick and dirty video tutorial to explain all these steps, and the video is embedded in this post as well 🙂 First and foremost, the compliance policies work along with Conditional Access policies.

To have permission to access corporate resources like Mails, SharePoint online, etc… the device must be compliant with the policies we set!  SCCM CB and Intune Compliance policies can be deployed only to users, not device collections or groups.

How to Create SCCM CB Hybrid Compliance Policy?

As you can see in the following picture, in SCCM CB we can specify the type of compliance policy that you want to create. There are two options: 1. Compliance rules for devices managed with SCCM clients; 2. Compliance rules for devices managed without SCCM clients (MDM clients, etc.).

Moreover, it gives the granularity to select different device platforms like Windows 8.1, Windows 10 Mobile, iOS, Android, KNOX, etc. A very useful option in SCCM CB hybrid compliance settings! The steps to create an SCCM CB compliance policy are explained in the video tutorial above.


How to create a Compliance Policy using Intune?

As you must have noticed, there is one general compliance policy for all the platforms. There is no option to create different compliance policies for different device platforms like iOS, Android, and Windows.

Yes, in Intune compliance policies, we don’t have the option to select a specific OS platform.

The three common sections available are:

1. System Security

2. Device Health and

3. Device Properties.

All the steps to create an Intune compliance policy are explained in the video tutorial above.


How to Deploy Compliance Policies using SCCM CB Hybrid?

Yes, compliance policies can deploy only to User Collections, not to device collections in SCCM. No DEVICE Collections in the drop-down menu !! Yes, this makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios.

And another point is the granularity that SCCM CB provides in terms of Compliance rules/policy evaluation schedule. You can change the Compliance policies evaluation schedule !!! By default SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. The steps to deploy the SCCM compliance policy are explained in the video tutorial above.


How to deploy compliance policy using Intune?

Yes, compliance policies can deploy only to User Groups in Intune, not device groups. Moreover, there is no granularity given in the scheduling of the compliance policies if you compare it with SCCM CB. Rather Intune provides global settings for all the compliance policies we create for that tenant.

Check out the Intune compliance policy settings... what is that?? It’s the compliance status validity period... Nice!! It’s a global setting: we can’t specify 31 days for one compliance policy and 20 days for another!! All the steps to deploy an Intune compliance policy are explained in the video tutorial above.


Difference Between Intune vs SCCM CB Hybrid Compliance Policies

Following are the differences that I have noticed in Intune vs SCCM CB Hybrid compliance policies:-

– There is no option to select a specific supported platform in Intune. However, with SCCM CB, we can create platform-specific compliance policies.


– There is no Granularity in Deploy Scheduling options with Intune. However, many more scheduling options are available for SCCM CB compliance policies.


Outcome/Result of Compliance policies – Windows 10 device

Following is an example of a Windows 10 machine that is AAD and MDM joined, but it’s not in compliance. The device encryption is not enabled on the Windows 10 machine.


Following is an example of a Windows 10 device that is compliant with the policies which an organization has set. Once the Windows 10 device is compliant, the user can access corporate mail and other resources.



Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User

Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User? In this post, I would like to share a video tutorial explaining this. Microsoft Intune introduced MAM reporting options with the Intune 2305 release.

Let’s learn how to create Intune App Protection Policies for iOS/iPadOS. In this article, we create Intune App Protection Policies for iOS/iPadOS. App Protection Policies (APP) can be applied to both enrolled and non-enrolled devices, and APP can be used alongside third-party MDM solutions.

MAM policies created in the MEM portal are different from the MAM policies which we create from Intune portal for MDM-enrolled devices. Outlook Groups is the newest application included in the Azure portal for Intune MAM-enabled applications.

Let’s check how to enable Intune App Protection Policies for Android and iOS devices. You can get more details and end-user experience from the video given below.

Intune MAM Policies and App Reporting?

Also, I can see the PREVIEW option to add custom applications for MAM policies without MDM enrollment. This is an excellent feature. Settings –>Preview – Line-of-business apps –>  Preview – Add a custom app.


1. How to Create Intune MAM (Mobile Application Management) – Without MDM Enrollment

2. MAM policies App Reporting By Specific Users.  

Resources

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

SCCM Video Tutorials For IT Pros – HTMD Blog #2 (howtomanagedevices.com)
