Intune

Microsoft Intune is the SaaS solution provided by Microsoft. Microsoft Intune is a cloud-based desktop and mobile device management tool. This supports Mac-OS, iOS, Android, and Windows 10. This cloud solution is used as a modern management tool. This MDM solution can be integrated SCCM, Azure AD, and Active Directory. This place gives you a great opportunity Learn Microsoft Intune and become an expert with Intune.

This solution can be used to deploy UWP applications, Security policies, Configuration policies, WiFi profiles, PKI certificates, and so on.

This solution is the future-proof When you take a look at the Desktop (43.29%) Vs. Mobile (52.29%) Vs. Tablet (4.42%) Market Share Worldwide for last one year, you could see the mobile devices are leaders. So, Mobile Device Management is very critical, and this is a new world of opportunities for IT Pros like us. From my perspective, learning this solution is very important for SCCM admins.

Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps to manage mobile devices, network settings, and other mobile services and settings. This solution is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software) and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in Cloud.

Additionally, this solution has features called compliance policy which can be integrated with the Azure AD “Conditional Access” policy to restrict access to company resources.

Intune Android Work SCEP Certificate Deployment Issue

Windows 10 Quality Feature Update Policies for Intune Step by Step Guide

Windows 10 Quality Feature Update Policies for Intune Step by Step Guide. Microsoft released Windows 10 1709 fall creators update. And the devices which are part of the current branch (Semi-Annual Targeted) should get the Windows 10 1709 update in Settings – update and security – Windows Update. Intune Windows 10 Quality Update Policies.

Microsoft Intune manages this Windows 10 device. In this post, we will see “Windows 10 1709 Fall Creators Update Upgrade with Intune Update Rings.”

https://www.youtube.com/watch?v=Dx9atc10x4g&feature=youtu.be

There are many methods to upgrade the existing Windows 10 version to the latest version, 1709. You can upgrade to windows 10 with an ISO file available in Visual Studio Subscriptions (previously known as MSDN) or VLSC (Volume Licensing Service Center).

If Microsoft Intune manages your devices, there would be a software update policy ring to manage Windows 10 feature updates.

Another related post on Windows 10 Update Rings

FIX CBB Ring Devices are Getting CB Updates Intune Windows 10 Update Rings
Windows 10 1709 Fall Creators Update Upgrade with Intune Update Rings

Windows 10 Quality Feature Update Policies for Intune Step by Step Guide

Navigate via Microsoft Azure – Microsoft Intune – Software Updates to get to “Windows 10 Update Rings.” This is where you can create Windows 10 Semi-Annual Targeted and Semi-Annual update rings.

These two update rings in Intune would be able to control the Windows 10 upgrade behavior for your organization. Intune Windows 10 Quality Update Policies.

Windows 10 Semi-Annual Targeted Update Ring – All the devices in the Current Branch.
Windows 10 Semi-Annual Update Ring – All the devices in the Current Branch for Business

Create Windows 10 Update Rings in Intune?

How to create Windows 10 update rings within Intune console? These Intune policy details are explained in one of my previous posts, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal.”

Navigate via Intune console to get to Windows 10 Update Rings – Create Update Ring – Settings. We need to select the “Servicing Branch” options according to your requirements. Feature update deferral period (days) is another set we want to set up as part of Create Update Ring policy.

For example:- If we set Service Branch = CB and Feature update deferral period (days) = 0 days, then the device will get the Windows 10 1709 updates on the 0 days of the release.

As I mentioned in the above paragraph, there are two types of Servicing Branches for Windows 10. Those servicing branches are Semi-Annual Targeted and Semi-Annual.

Select CB servicing branch (Semi-Annual Targeted) to set the devices for the first wave of deployment of Windows 10 features upgrades. The latest Windows 10 1709 Fall creators update is released only for the Semi-Annual Targeted branch.

How Do Windows 10 Update Rings Work?

Windows 10 update rings work flawlessly under the hood. I have not uploaded Windows 10 1709 ISO or files to Intune to deliver the updates to the devices. Intune helps to set up 2 MDM policies in Windows 10 1607 or later devices.

So, Devices are getting the Windows 10 feature updates binaries from any other Microsoft cloud service? Windows 10 devices are getting these feature update content/binaries from Windows Update for Business (WUfB).

Another important feature of Windows 10 is Delivery Optimization. Delivery optimization helps to find the binaries from the peer devices. These peer devices could be either from the same network or the internet.

Windows 10 Update Ring MDM policies?

The following are the two MDM policies that Intune set on Windows 10 devices. Intune Windows 10 Quality Update Policies.

CB/CBB Options :- MDM for version 1607 and above: MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel \Microsoft\PolicyManager\default\Update\BranchReadinessLevel

Deferral Period Days:- MDM for version 1607 and above: ../Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays

Windows 10 Upgrade End User Experience

Windows 10 1709 fall creator update is delivered through Windows Update for Business in the following video. The next video will give you an end-to-end experience for Windows 10 1709 fall creators update upgrade process via Software Update for Business (WUfB).

As you can see in the video, the Windows 10 device is in CB (Semi-Annual Target) channel, and differed period policy is set to zero days. Intune Windows 10 Quality Update Policies.

Windows 10 Quality Feature Update Policies for Intune Step by Step Guide

References

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………

Learn Intune Beginners Guide MDM MAM MIM | EndPoint Manager

How to Start Troubleshooting Intune Issues | Fix Intune Issues with Easy Steps MEM

How to Start Troubleshooting Intune Issues | Fix Intune Issues with Easy Steps Microsoft Endpoint Manager. Intune troubleshooting is made easy with the Azure portal. It’s recommended to start with the “Microsoft Intune – Help and Support” page in the Intune portal whenever you face any issue with Intune.

In this post, we will see “How to start Troubleshooting Intune Policy Deployment Issues from Intune portal.” More tips, “Troubleshoot Intune Issues.”

You can also check the user-based Intune security policy troubleshooting from the following post – Intune User Policy Troubleshooting Tips For Prevent Changing Theme. There is one post that will help you to resolve device based Intune security policy issues – Troubleshoot Microsoft Edge Security Policy Deployment Issues with Intune.

Latest Intune Troubleshooting Strategies | Fix Intune Policy Conflicts | Methods IT Admins -Helpdesk

In this video, you will learn about the Latest Intune Troubleshooting strategies to make Intune app and policy deployment troubleshooting easy!

Latest Intune Troubleshooting strategies

Update 20-Jan-2018 – When you have an iOS device and want to perform Intune side of troubleshooting, Microsoft released an excellent document here, “Troubleshooting iOS device enrollment problems in Microsoft Intune.”

How do you check the status of Intune service? – Troubleshooting Intune Issues

When you have a major issue with Intune managed devices, the first place is to look at the current status of the Intune and other dependent services. You can check that from the Intune Tenant Admin – tenant status tab from the MEM Admin Center portal.

Under the Tenant status tab, there is a link to check the status of your Intune and other services for your tenant. Intune service status – See the current level of the service where you can get the position.

You can check Intune service health for your tenant from the Sevice health and Message Center tab. Also, Intune message center provides you with the details about the new changes and information related to that.

How to Start Troubleshooting Intune Issues | Fix Intune Issues with Easy Steps MEM

How to start troubleshooting Intune Policy Deployment?

When you have a major impact on all Intune-managed devices/users, ensure that the tenant’s health is OK. Once you are sure that there is no issue from the Intune service side for your tenant, it’s time to proceed with your policy assignment and other detailed troubleshooting.

When the issue is NOT impacting all devices or users, it’s better to start with the second stage of Intune troubleshooting.

Troubleshoot +Support is the tab from the MEM admin center portal. Select one of the users having issues with application or policy deployment. For example, when a user is not getting the application assigned to AAD Group. Another example is the user is not getting the compliance of configuration policies assigned.

I selected Anoop Nair as the user. All the details of this user will be available in the troubleshooting tab. This will help Intune admin to confirm whether we have targeted all the applications and policies to correct AAD groups. You can check and confirm whether the user.

Does the user have a valid Intune license or not
Is the user part of the correct AAD group or not
Is the Device compliant or not
Status of Company Data Removal/wipe from a device

Another set of user details you can check in the troubleshoot tab of Intune blade is the Principal name of the selected user and Email ID. All the other information available in the Intune troubleshooting blade are

Intune license assigned to user or not
Whether Devices compliant status
Whether apps are in a compliant state or not
Azure AD Group membership for the user
Mobile Apps Assignment to the user
Compliance policies deployed or assigned to users
App protection status for the devices
Configuration profile deployment status for the user
List of the devices for that user and status of devices

There are some red icons, as you can see in the video tutorial and the screenshot below. Those red icons could indicate potential issues with application or policy deployments. I could see problems with the Android device of Anoop. App protection status is not looking good for Android devices. The Intune troubleshoot blade provides a useful report that “31 apps non-compliant”.

How to Start Troubleshooting Intune Issues | Fix Intune Issues with Easy Steps Microsoft Endpoint Manager

There are Six (6) Assignment categories in Intune Troubleshooting Blades. Each type will give you the details of the user assignments. If some terms are missing, we need to look at the targeting AAD groups of those policies.

Mobile Apps
Compliance Policies
Configuration Profiles
App Protection Policies
Windows 10 Update Rings
Enrollment Restrictions

The above information is important to start Intune troubleshooting from the Azure portal. We can directly go into details of each of the assigned policies for that user from the troubleshooting tab. More detailed troubleshooting can be done by looking at the device properties and hardware information.

For example, you have started a company data wipe action for a device, but, the device or user can still access the corporate mail from the device. Intune admin can directly search the user from Intune troubleshooting session and get all the user’s device details. Once the device is identified, you can check the following information about the device.

Device name, Managed by, Azure AD join type, Ownership, Intune compliant, Azure AD compliant, OS, OS version, and Last check-in.

Last Check-In details are important in this device retirement, or company data wipe troubleshooting scenario. The last check-in details will tell you when the device was in touch with Intune service is the last time. You can check the Company Data Removal action, Factory reset details, and status from the Intune troubleshooting blade.

The Intune Troubleshooting blade is a one-stop shop for all the troubleshooting activities related to Intune device management, compliance policies, configuration profile deployments, etc.

How to raise a free Intune support case for Intune Issues?

Microsoft provides an option to raise a support case for Intune issues from the Intune MEM admin center portal – The Help and Support tab. The charges of these types of support cases are directly linked to your Intune subscription contract.

There is an option to raise an Intune support case with Microsoft’s exclusive contract. I would recommend using premier contract support for Intune issues that are of high impact and if you need immediate help.

Severity options are important while raising Intune support case. Severity options should be selected as per the impact of the issue. Also, depending on the severity of the problem, the response time will vary. There are three categories, as you can see below:-

C- Minimal Impact – The issue impacts only a couple of users or devices etc.
B – Moderate Impact – The issues that can become critical in a couple of days if they aren’t resolved ASAP.
A – Critical Impact – High Priority issues which are impacting a whole lot of users

References

General troubleshooting tips for Microsoft Intune – here
How to get support for Microsoft Intune – here
How to Troubleshoot Windows 10 MDM Policy Deployments – here
Intune Support Case Severity Levels and Response time – here

Author

How to Schedule iOS Automatic Updates Using Intune Policies | Microsoft Endpoint Manager

How to Schedule iOS Automatic Updates Using Intune Policies | Microsoft Endpoint Manager? Do you have supervised iOS devices managed through Intune? If so, you may be aware that iOS software updates will force installation updates on supervised mode iOS devices. Intune has a new policy to prevent/delay these force updates.

This option will also give a more granular option to control the iOS software updates. This post will see How to Prevent iOS Automatic Updates Using Intune Policies. You have new options added to the automatic update of iOS and iPad OS updates. The following are the interesting options available for this update.

Update policy schedule settings
- Update During the scheduled time
- Updates Outside the scheduled time

If you are looking for Windows 10 update ring policies with Intune, I have a blog post, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal“.

How to Create iOS Software Update Policies in Intune? iOS Automatic Updates Using Intune

This Intune policy will help to delay iOS automatic updates to devices. The iOS devices should be part of the Apple DEP program. iOS devices should be managed through supervised mode. Create a profile to force assigned devices to install the latest iOS/iPadOS updates automatically.

These settings determine how and when software updates deploy. This profile doesn’t prevent users from updating the OS manually, which can be controlled for up to 90 days with a device configuration restriction policy. Updates will only apply to devices enrolled through Apple’s Automated Device Enrollment (ABM or ASM).

Login to the MEM Admin Center portal
Navigate via the Devices – iOS/iPad Update Policies (Update policies for iOS/iPadOS)
Click on + Create update policy.
From the Update Policy Settings page for iOS/iPad OS update:
- The version of iOS/iPadOS to install on devices at the time of update.

You can create a new policy with a proper name and description of the policy. This policy will prevent iOS Automatic Updates from forcefully getting installed on supervised iOS devices.

Schedule iOS Automatic Updates Using Intune

Update policy schedule settings for iOS/iPad OS Device

Update policy schedule settings: By default, when an iOS/iPadOS Software Updates policy is assigned to a device, Intune deploys the latest updates at device check-in (approximately every 8 hours). You can instead create a weekly schedule with customized start and end times. If you choose to update outside of the scheduled time, Intune won’t deploy updates until the scheduled time ends.

Select Type and Schedule for iOS update (When the updates will occur. Additional input is required to schedule updates during or outside of scheduled times)
- Update at next check-in
- Update During the scheduled time
- Update Outside of scheduled time

How to Schedule iOS Automatic Updates Using Intune Policies | Microsoft Endpoint Manager 4 — Schedule iOS Automatic Updates Using Intune

Update During the scheduled time to Stop Updates from installing at any random timing. You can delay the software update (automatic update) of iOS on the device by configuring this policy.

Weekly Schedule -> TimeZone, Start Day, Start Time, End Day, End Time

You can select the Time zone, Date, and time for iOS/iPad OS updates. Select the time zone of the targeted devices – In this section, you need to select the Time Zone of the devices you want to target this policy. For India Time Zone, I selected UTC+5:30.

Start Time – Select the beginning of the interval to stop iOS software updates from Installing on supervised iOS devices. Normally you don’t want to install software updates during business hours on iOS devices. This will help you to schedule iOS phone updates via Intune policies.

End Time – Select the end of the interval to stop iOS software updates from installing on supervised iOS devices.

Start Day of the update You can select any day of the week from the start day and end day option -> Sunday to Saturday. End Day of the iOs/iPad OS update by selecting any day between Sunday to Saturday.

How to Schedule iOS Automatic Updates Using Intune Policies | Microsoft Endpoint Manager 5 — Schedule iOS Automatic Updates Using Intune

You can select the iOS/iPad updates outside the scheduled time. You have to set a scheduled time when you don’t want this update to happen on iOS devices. The update will get initiated outside the scheduled time configured below.

How to Deploy or Assign Intune iOS Software Update prevention policy?

Once the Intune iOS Automatic Updates prevention Intune Policy is created, you can start assigning this policy to Azure AD Device groups. Deploy Updates Prevention Policy to iOS Devices.

Select Assignments – Click on Select Groups to find the appropriate Azure AD group for targeting the iOS update prevention policy. Once the policy is deployed to devices, it will postpone the iOS software update.

It would help if you were careful about the policy settings while targeting the AAD device groups. In the policy configuration, there is an option to configure the time zone of the devices. Time zone configuration in this policy is a bit tricky.

It seems we need to segregate Devices as per the time zone. I have not tested it, which is my assumption regarding this policy setting. Learn how To Create Azure AD Dynamic Groups For Managing Devices Using Intune.

Reporting options are coming soon for iOS update policies in Intune.

Schedule iOS Automatic Updates Using Intune

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10

How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10? I have seen a scenario where Intune is exclusively used for managing iOS and Android Devices.

Windows devices are managed through SCCM. And there is a requirement to disable or prevent Windows devices from enrolling in Intune.

We can achieve this with new Intune Enrollment restriction policies. I have a blog post to explain “How to Use Intune Enrollment Restriction Rules“.

Video Tutorial – Disable Windows Devices from Enrolling to Intune-here

Add Work or School Account

I tested Windows 10 enrollment to Intune via “Add Work or School Account“. This was tested successfully before restricting Windows 10 devices from Intune console.

Check out the following message after successful enrollment of the Windows 10 device. More details are in the above video.

“We’ve added your account successfully, and you now have access to your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.”

Prevent Windows Devices from Enrolling to Intune How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10 — How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10

Change the Intune Device Enrollment Policy to Restrict Windows Device

Navigate through the New Azure portal – Microsoft Intune – Device Enrollment – Enrollment restrictions. You would be able to see two Intune enrollment restrictions policies called 1.

Device Type Restrictions and 2. Device Limit Restrictions. Device Type restriction is where we can restrict Windows (8.1 +) devices from enrolling to Intune.

This policy will prevent Windows 8.1 and later devices from Intune management. This Includes Windows 10 device ENROLLMENT restriction as well. Windows 10 mobile devices will also get blocked when we configure this policy.

How to Block Windows Devices from Enrolling to Intune Microsoft Endpoint Manager Windows 10

End-User Experience of Windows 10 Device Restriction

I successfully added a Work or School account to Windows 10 1703 device. The one change I noticed through the enrollment process is that it didn’t prompt for MFA. After this enrollment, the message I received was different from the one I got above. The message was

We’ve added your account successfully, and you now have access to your organization’s apps and Services.

Moreover, the machine was NOT available in the company portal application under the “My Devices” list. So, the device enrollment never failed as I expected. The device got enrolled without any error.

But the main question is whether this device would be managed via Intune? Did the device receive Intune policies? And the answer is there in the below paragraph.

Experience on Azure – Intune Portal for Windows 10 Restriction

The Windows 10 enrolled device was NOT listed in Intune – All Devices (Microsoft Azure – Microsoft Intune – Devices – All Devices). But the device was listed in Azure AD, as you can see in the video tutorial here.

The Windows 10 device was listed under Azure AD against the user’s devices (Microsoft Azure – Users and groups – All users > Kaith Nair). But, as you can see in the below screen capture, the Windows device is NOT MANAGED by INTUNE.

Hence the device won’t get any Intune policies and won’t be managed through Intune. Therefore it won’t get corporate mail, SharePoint, OneDrive, and Skype for Business access.