Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access

Role-Based Access Controls (RBAC) are one of my favorite features in Microsoft Intune.

People chose Intune hybrid instead of Intune standalone because of the lack of RBAC. The Intune team introduced RBAC features into their product back in 2017. This post shows how to provide read-only access to the Intune console.

I have two (2) posts covering Intune role-based access controls in detail. I recommend reading them to learn more about Intune RBAC.

However, the Intune team did excellent work in including scope features in Intune RBAC. Now, it’s getting close to SCCM RBAC features. My previous posts about Intune RBAC follow.

How to Provide Read-Only Access to Intune

RBAC helps Intune Admins control who can perform various Intune tasks within your enterprise. There are six (6) built-in Intune roles (RBAC roles). I use the default Intune role, “Read Only Operator,” to provide read-only access to the Intune console.

  1. Navigate to Azure Portal – Microsoft Intune blade – Intune roles – All roles – Read-Only Operator – Assignments, and click on + Assign.
  2. Once you click on the “+ Assign” button, a new Read-Only Operator – Role assignments blade will be displayed.
  3. Enter the following information in the blade:
     Assignment Name = Read-Only Intune Users
     Assignment Description = Details of Read-Only Assignment Group
     Members (Groups) = Click on the + Add button and select the Azure AD user group containing the Intune read-only users (in my example, Intune Read-Only Users).
     Scope (Groups) = Click on + Add and select the Azure AD user and/or device group. The operator will only be able to manage the resources in this group. More details are below.
  4. Save the Intune role assignment by clicking the OK button.

Administrators assigned to a role can target policies, applications, or small tasks only to the Scope Groups of that role assignment. So the Intune ReadOnly user group members (in my example screenshot) could target policies, applications, or small tasks for the users/devices in my scoping group, Intune ReadOnly. This is by design.

  • Member Group users are the administrators assigned to this role.

Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access – Fig.1

Do You know what the Intune Scope Group Is?

Do you know what the Intune scope group is? “The users or devices that a specified person (the member) can manage.” In the above example, Intune ReadOnly users can manage the users or devices in their Scope Groups.
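The same member-group and scope-group model can be driven from Microsoft Graph, which is useful when you want the assignment to be repeatable and audited. The following PowerShell is an added example, not code from the original post or from Microsoft: it builds the role assignment body for the built-in Read Only Operator role (member groups become the administrators, scope groups become the resources they may see) and checks the role definition's resource actions so the script refuses to assign anything that is not read-only. It assumes the Microsoft.Graph PowerShell module and the DeviceManagementRBAC.ReadWrite.All and Group.Read.All permissions; the sample role definition object and the action names in it are constructed for the offline check, the `_Read`/`_ViewReports` suffix rule is an assumption, and the group names are the ones used in the post.

```powershell
# Added example (not from the original post): create and audit a Read Only Operator
# role assignment through Microsoft Graph. Assumes the Microsoft.Graph module.

function New-IntuneRoleAssignmentBody {
    # Builds the deviceAndAppManagementRoleAssignment body: members are the admin
    # groups that receive the role, resourceScopes are the scope groups they may manage.
    param(
        [Parameter(Mandatory)] [string]   $RoleDefinitionId,
        [Parameter(Mandatory)] [string]   $AssignmentName,
        [string]                          $Description = '',
        [Parameter(Mandatory)] [string[]] $MemberGroupIds,
        [Parameter(Mandatory)] [string[]] $ScopeGroupIds
    )
    return @{
        '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
        displayName                 = $AssignmentName
        description                 = $Description
        members                     = $MemberGroupIds
        resourceScopes              = $ScopeGroupIds
        'roleDefinition@odata.bind' = "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$RoleDefinitionId"
    }
}

function Test-ReadOnlyRoleDefinition {
    # Returns $true only when every allowed resource action looks like a read action.
    # The _Read / _ViewReports suffix pattern is an assumption; anything else is reported.
    param([Parameter(Mandatory)] $RoleDefinition)
    $actions = foreach ($perm in $RoleDefinition.rolePermissions) {
        foreach ($ra in $perm.resourceActions) { $ra.allowedResourceActions }
    }
    $nonRead = @($actions | Where-Object { $_ -notmatch '_(Read|ViewReports)$' })
    if ($nonRead.Count -gt 0) {
        Write-Warning ('Non-read actions found: ' + ($nonRead -join ', '))
        return $false
    }
    return $true
}

# Constructed sample shaped like a Graph roleDefinition response (offline check).
$sampleRole = @{
    displayName     = 'Read Only Operator'
    isBuiltIn       = $true
    rolePermissions = @(
        @{ resourceActions = @(
            @{ allowedResourceActions = @(
                'Microsoft.Intune_ManagedDevices_Read',
                'Microsoft.Intune_MobileApps_Read',
                'Microsoft.Intune_DeviceCompliancePolices_Read') }
        ) }
    )
}
Test-ReadOnlyRoleDefinition -RoleDefinition $sampleRole

function Invoke-ReadOnlyOperatorAssignment {
    # Live version against the tenant: look up the built-in role, audit it, then assign.
    param(
        [Parameter(Mandatory)] [string] $MemberGroupName,   # e.g. 'Intune Read-Only Users'
        [Parameter(Mandatory)] [string] $ScopeGroupName     # e.g. 'Intune ReadOnly'
    )
    Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All', 'Group.Read.All' | Out-Null
    $uri   = 'https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions'
    $roles = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    $role  = $roles | Where-Object { $_.displayName -eq 'Read Only Operator' -and $_.isBuiltIn }
    if (-not $role) { throw 'Built-in Read Only Operator role not found' }
    if (-not (Test-ReadOnlyRoleDefinition -RoleDefinition $role)) {
        throw 'Role grants more than read access; refusing to assign it'
    }
    $member = Get-MgGroup -Filter "displayName eq '$MemberGroupName'"
    $scope  = Get-MgGroup -Filter "displayName eq '$ScopeGroupName'"
    if (-not $member -or -not $scope) { throw 'Member or scope group not found' }
    $body = New-IntuneRoleAssignmentBody -RoleDefinitionId $role.id `
        -AssignmentName 'Read-Only Intune Users' `
        -Description 'Details of Read-Only Assignment Group' `
        -MemberGroupIds @($member.Id) -ScopeGroupIds @($scope.Id)
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments'
}
```

Running the script as-is only evaluates the constructed sample role and returns `True`; calling `Invoke-ReadOnlyOperatorAssignment -MemberGroupName 'Intune Read-Only Users' -ScopeGroupName 'Intune ReadOnly'` performs the tenant lookup and assignment. The audit step is the point: a built-in role rarely changes, but a custom role named “read-only” can quietly pick up a write action, and checking the actual resource actions before assigning catches that.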

If you are an SCCM admin, then the SCOPE option is already there in the SCCM 2012 and CB consoles. I have another post that talks about Configuration Manager RBAC in detail.

Intune Read-Only User Experience

In this scenario, the Intune read-only user is a regular user in Azure Active Directory (without any other access). However, the user has been assigned a valid Intune (EMS) license.

I will cover all the following scenarios with Intune’s read-only user experience. The video tutorial on read-only access to Intune provides more details.

Device Enrollment Experience for Read-Only User

The user has read or view access to all the device enrollment blades. However, I noticed that the Configure MDM Push Certificate blade doesn’t allow downloading the CSR file.

The Android work enrollment experience is different from Apple’s. While trying to sign up with an Intune read-only account, I can see the following error: An error occurred requesting the Android for Work signup URL.

Windows enrollment, Terms and conditions, Enrollment restrictions, Device categories, Corporate device identifiers, and Device enrollment managers also work as expected for Intune read-only users.

Device Compliance Experience for Read-Only Users

The device compliance experience is different from the device enrollment experience. Read-only users can change the compliance policy schedule time for actions for non-compliance, but it never gets saved. Instead, it gives an error while trying to save the configuration. So we are fine!

As per my testing, the read-only user cannot assign the compliance policy to any group. For more details, refer to the Read-only Access to Intune video tutorial. However, the read-only user has access to check the status of the compliance policy on devices.

Devices Blade Experience for Intune Read-Only User

View access for the device’s blade is intact. The user can view the properties of all devices. The Azure AD scope option may provide some opportunities to limit read-only users from checking out the properties of devices that are not in read-only users’ scope.

Also, read-only users cannot perform remote actions on devices (such as Removing company data, Factory reset, Deletion, and Remote Lock).

Device Configuration Experience for Intune Read-Only User

Configuration profiles blade provides a classic view experience for Intune read-only users. The read-only users have view access to Overview, Properties, Assignments, Device status, User status, and Per-setting status.

The Configuration PowerShell Scripts blade provides a different experience for Intune read-only users. Like the compliance policy experience (explained above), the PowerShell scripts blade offers the option to edit or rename PowerShell script names. But we are fine with that, as Intune won’t allow read-only users to save those changes.

I had a similar experience with the PowerShell script assignment. It lets the read-only user open the assignment blade and change the assignments, but it won’t allow the read-only user to save the changes.

Mobile Apps (Applications) Experience for Intune Read-Only User

Intune read-only users’ mobile app experience is similar to that of device enrollment. Mobile apps Manage options provide standard view access to read-only users for Apps, App configuration policies, App protection policies, App selective wipe, and iOS app provisioning profiles.

Monitor options under mobile apps give a similar view experience for App licenses, Discovered apps, App install status, App protection status, and Audit logs.

SETUP options also give a similar view experience for iOS VPP tokens, Windows enterprise certificate, Windows Symantec certificate, Microsoft Store for Business, Windows sideloading keys, Company Portal branding, App categories, and Android for Work.

Conditional Access Experience for Intune Read-Only User

The Conditional Access blade provides view access to read-only operators. I would love to see Azure AD Conditional Access What If work fine for read-only users. This would be very helpful from a learning perspective.

All the following items work as expected and provide standard view access:

Conditional Access Experience for Intune Read-Only User
  • On-premises access
  • Users
  • Groups
  • Intune roles
  • Software Updates

Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access – Table 1
Intune Read-Only Experience Learn to Create Read-Only Operators Roles Admin Access – Fig.2

Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards, for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, career, etc.

MVPHackADoc

Learn to Fix Microsoft SCCM Intune Documentation

Let’s learn how to fix the Microsoft SCCM (Configuration Manager, ConfigMgr) and Intune documentation. How many of us complain about the SCCM and Intune documentation?

The documentation is out of date, not relevant, and so on. Here is a real opportunity to help yourself and update the SCCM and Intune documentation.

But don’t worry about the quality of the SCCM Intune documentation, as there are several steps to validate before your edits/changes are published. Hack a doc is the theme of this post 😉

Check out the video “Learn How to Help Fixing SCCM Intune Documentation Issues”. This post will give you all the details on learning to fix the Microsoft SCCM and Intune documentation.

Learn to Fix Microsoft SCCM Intune Documentation

We had a great MVPHackaDoc session with Aaron during the MVP Summit 2018. All credit to Aaron, who taught me how to update the SCCM/Intune documentation. I don’t recommend going around and editing or updating all the documentation. Start small before you leap.

Start Small

Learn to Fix Microsoft SCCM Intune Documentation – Video 1

What has Changed?

The Microsoft documentation service (https://docs.microsoft.com) is hosted on the GitHub platform, which improves the user experience while reading the documentation.

Even SCCM and Intune documents have been migrated to a new platform. The following is my list of key features of the new docs on the Microsoft platform.

  • Readability
  • Estimated Reading Time
  • Content and Site Navigation
  • Shortened Article Length
  • Responsive Design
  • Community Contributions
  • Social Sharing
  • Friendly URLs

How to Start Updating SCCM Intune Documentation?

I hope you read a lot of Microsoft documentation every day. Suppose you found an article with incorrect information and want to inform the Microsoft Docs team about it.

  • If you don’t have a GitHub account, create one. It took me one to two minutes to do so.
  • You can select the GitHub Free plan during the signup process and tailor your experience to include a short introduction about yourself.
  • Open the article you identified and click the EDIT button, as I showed in the video tutorial. You should open the article from the same browser you are already logged in to from your GitHub account.
  • Once you click on the EDIT button on that article, it will redirect to the GitHub editor.
  • You will perform all the updates in the GitHub editor.

Identify the Article and Start Contributing

How to Contribute to SCCM Intune Documentation

As Aaron mentioned in his “MVP Hack a Doc” session, start small. Standard GitHub accounts may not have access to edit live document code, and you will get the following message when you try to edit or update an article:

    You’re editing a file in a project you don’t have write access to. Submitting a change to this file will write it to a new branch in your fork AnoopCNair/SCCMdocs so that you can send a pull request.

As I have shown in the “Hack A Doc” video, a perfect example of raising an issue comes from Jason. He raised a problem, and a documentation bug was filed to fix this issue.

I also tried creating a pull request, but I think that requires more access to edit the master file. A normal GitHub account may not have access to proceed with a pull request.

Another interesting thing I learned was how to select the best title, title suffix, description, and ms.custom, ms.date, and ms.prod metadata for technical articles. As Aaron suggested, we can start doing the following things:

Start doing the following things:

  • Clarifications
  • Examples
  • SDK, PowerShell
  • Guidance tips
  • Translations
  • See something, fix something

Learn to Fix Microsoft SCCM Intune Documentation – Table 1

I have tried raising an issue with documentation, which is the best and easiest part I learned during the MVPHackaDoc session. I have more details about the problems raised in Hack A Doc’s video tutorial.

Another useful option is tracking the documentation issues with your GitHub account. That way we can rest assured that Microsoft is aware of the bug and will fix it soon. The following is the file structure of a GitHub article (for example): SCCMdocs/sccm/core/plan-design/hierarchy/accounts.md.

Start Contributing = Raising an Issue

Learn to Fix Microsoft SCCM Intune Documentation – Fig.1



Free LinkedIn Learning Courses for SCCM Intune

I agree with the following sentence, so I’m sharing my experience with LinkedIn Learning: “Microsoft MVPs are notorious for passionately sharing their knowledge with the world.”

In this post, we will learn about free LinkedIn learning courses available for SCCM and Intune (Learn SCCM Intune).

SCCM is great, and it will not die, as per Microsoft. But don’t abandon Intune learning. I strongly recommend going through the Intune learning process.

Microsoft MVP Award program celebrated its 25th anniversary. As part of the 25th-anniversary celebrations, LinkedIn unlocked 15 Courses Covering Key Technology Skills. The following is the list of 15 courses that LinkedIn has unlocked. This post will discuss more details about SCCM and Intune free study materials.

Introduction

I have a full-blown post about systematic learning of SCCM and Intune. The approach to learning should be the same as I mentioned in the post, which was published back in 2015. I learned SCCM the hard way. There was no one to handhold and teach me.

Great Learning – What to Learn Intune? Great Resource Around you!

  1. LinkedIn Learning Courses for Microsoft Intune
  2. Learning How to Learn SCCM Intune Azure
  3. Learn Intune Beginners Guide MDM MAM MIM
  4. Microsoft Intune for SCCM Admins Part 1

Free LinkedIn Learning Courses for SCCM Intune – Table 1

My Favourites
  • Microsoft System Center Configuration Manager… (SCCM CB Learning)
  • Microsoft Enterprise Mobility Suite (Azure AD and Intune)
  • Office 365 for Administrators: Supporting Users Part 1
  • Windows 10: Deploy and Manage Virtual Applications

Productivity Apps
  • Excel 2016: Get & Transform
  • PowerPoint: Designing Better Slides
  • OneNote Tips and Tricks
  • Visio Tips and Tricks

Automation & Developer
  • Microsoft Graph for Developers
  • API Development in .NET with GraphQL
  • ASP.NET Core: Razor Pages
  • ASP.NET Core New Features
  • Microsoft Cybersecurity Stack: Advanced Identity…
  • Microsoft Cloud Services: Troubleshooting Online…
  • Building and Securing RESTful APIs in ASP.NET Core

How to Start Learning SCCM and Intune?

I never got a chance to attend training before being pushed to work on SCCM. That is a different experience, as I explained in the future of SCCM/Intune jobs post.

How Do You Get Access to Free SCCM and Intune Video Courses?

These 15 courses are free only for a limited period. As per the MVP Award program post, they are unlocked for the general public until the middle of April! So don’t waste time—start learning SCCM/Intune using LinkedIn study materials.

In the video tutorial here, I explain how to start learning through LinkedIn courses. However, the SCCM course won’t work from the following link. I recommend using the link I provided in the next section of the post.

  1. Open https://learning.linkedin.com/events/2018/03/msft-mvp-global-summit
  2. No need to log in to LinkedIn to access these courses (anonymous access is allowed)
  3. Open any of the 15 free courses available
Free LinkedIn Learning Courses for SCCM Intune – Fig.1

Start Free SCCM Online Course

To start the course, you don’t need to log in with your LinkedIn account. Also, you don’t need to start the one-month trial of LinkedIn Learning. You can access the SCCM course from a private browser window without logging in.

  • To start the Free SCCM online course from a private browser
  • Content of the SCCM CB Course
  • Introduction (More details about SCCM CB content at the bottom of the post)
  1. Planning and Deploying a Standalone Primary Site
  2. Designing and Deploying a Multiple-Site Hierarchy
  3. Planning Resource Discovery and Client Deployment
  4. Managing Content and Replicating Data in Configuration Manager
  5. Configuring Internet and Cloud-Based Client Management
  6. Maintaining and Monitoring SCCM CB
  7. Upgrading to SCCM CB
  8. Conclusion

Start Free Intune Online Course

Intune course is part of EMS. So, the EMS course includes both Azure AD and Microsoft Intune. I have an Intune starter kit that can help you start learning Intune from scratch. More details are available in the Intune guide for beginners in the enterprise mobility world.

  • Start the course Directly from the following link
  • Content of the Intune Course

Microsoft Intune

With Intune, you can easily manage apps and devices. You can also configure Intune to manage iOS and Android. More details are explained below.

  • Manage apps and devices with Intune – 3m 30s
  • Configure Intune to manage iOS and Android – 4m 0s
  • Build and deploy a basic policy for iOS or Android – 5m 17s
  • Deploy and manage mobile apps -5m 15s
  • Enrol your first device – 2m 45s



Intune Mobile App Assignment Exclude AAD Group Option

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune

The Microsoft Intune team deprecated the application assignment type “Not Applicable” for good reasons. So, you do not need to worry when you don’t see the “Not Applicable” assignment type in your Intune tenant.

“Not Applicable” will no longer be an option in the console but will be replaced by “Excluded Groups.” The Exclude Group option was already available for Configuration policies and is useful.

Do you remember the groups in the Intune Silverlight portal? There was exclusion logic in Intune groups in the Silverlight portal. I think the excluded Azure AD groups used in app assignments do not use nested group logic (implicit exclusion groups).

I’m trying to explain two application assignment scenarios using Intune’s “Excluded Groups” logic in this post.

What are the New Features of Intune’s “Excluded Groups”

Intune now has a new app assignment process with an “Excluded Groups” option. Using it, you can easily manage app assignments to groups with overlapping members, or to groups targeted with conflicting app assignment types.

What Is the Effect of Deprecating “Not Applicable”?

Previously, the app assignment process in the Intune on Azure console allowed targeting groups with the “Not Applicable” assignment type. This will no longer be the case. The “Excluded Groups” option replaces the “Not Applicable” option.

This new feature lets an app assignment target a large group of users or devices while excluding a subset of that same group.

  • https://blogs.technet.microsoft.com/intunesupport/2018/02/02/new-feature-new-app-assignment-process-in-intune-with-an-excluded-groups-option/

What Do I Need to Do to Prepare for this Change?

Start using the new app assignment process and update your documentation if needed. Click on Additional Information to see screenshots and to read about different scenarios where this new feature can help you manage your app assignments.

I will try briefly explaining the new feature of excluded groups in Intune using the following two scenarios. I also have a video tutorial that explains both of these scenarios.

The two scenarios covered in this post:

  • Scenario A – Facebook is available for All Users except “Mumbai Users”
  • Scenario B – WhatsApp is available for All Bangalore Users except the “L1 Team”

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Table 1

Scenario A

I want to make the Facebook application available to “All Users” in the organization, but it should not be available for “Mumbai Users.”

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Video 1

Launch Azure Portal and navigate to Microsoft Intune—Mobile Apps—Apps. Select the Facebook app that you want to assign. A dashboard related to the app is displayed.

  1. Select Assignments under the Manage section.
  2. Select Add Group to add the groups of users who are assigned the app.
  3. Select an Assignment type from the available types on the Add group blade. The available app assignments are “Available for enrolled devices,” “Available with or without enrollment,” and “Required.”
  4. Select “Available for enrolled devices” as the assignment type.
  5. Select Included Groups to select the group of users to whom you want to make the Facebook app available.
  6. Select Yes to make “this app available to all users with enrolled devices”.
  7. Click OK to set the group to include.
  8. Select Excluded Groups to select the groups of users to whom you want to make the Facebook app unavailable.
  9. Select the groups “Mumbai Users” to exclude, which makes this Facebook app unavailable for the users in Mumbai Users Azure AD groups.
  10. Click OK on the Add group blade. The app Assignments list is displayed.
  11. Click Save to make your group assignments active for the Facebook app.
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Fig.1

Scenario B

I want to make the WhatsApp application available to “All Bangalore Users” in the organization, but it should not be available for the “L1 Team.” The video tutorial “Intune App Assignment Include Exclude Azure AD Groups” includes more details.

  1. We need to follow the above steps from 1 to 7.
  2. Select Included Groups to select the groups of users that you want to make the WhatsApp application available.
  3. Select the “All Bangalore Users” Azure AD group to include, making this WhatsApp app available to users in that group.
  4. Click OK on the Add group blade to include the users. The app Assignments list is displayed to All Bangalore Users.
  5. Select Excluded Groups to select the groups of users that you want to make the WhatsApp app unavailable.
  6. Select the “L1 Team” group to exclude, making this WhatsApp app unavailable for the users in the L1 Team Azure AD group.
  7. Click OK on the Add group blade. The app Assignments list is displayed.
  8. Click Save to activate your group assignments for the WhatsApp app.
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Fig.2
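Both scenarios reduce to the same rule: a user receives the app when they are in at least one included group (or the assignment targets all users) and in none of the excluded groups, with exclusion winning. The following PowerShell is an added example, not code from the original post or from Microsoft, that resolves the effective recipients of an assignment from a small constructed directory so you can see who ends up with Facebook (Scenario A) and WhatsApp (Scenario B) before saving the assignment. The group names are the post’s; the user names and memberships are constructed sample data, and the evaluator checks direct membership only, since the post itself is unsure how nested groups are treated for exclusions.

```powershell
# Added example (not from the original post): resolves who effectively receives an
# app under the Included Groups / Excluded Groups rule. Directory data is constructed.

# Constructed directory: Azure AD group name -> direct member UPNs (sample values)
$directory = @{
    'All Bangalore Users' = @('asha@contoso.example', 'ravi@contoso.example', 'meera@contoso.example')
    'Mumbai Users'        = @('dev@contoso.example', 'nisha@contoso.example')
    'L1 Team'             = @('ravi@contoso.example')
}

function Get-EffectiveAppRecipients {
    # A user receives the app when they are in at least one included group (or the
    # assignment targets all users) and in none of the excluded groups. Exclusion wins.
    # Only direct membership is evaluated here; confirm nested-group behaviour in your
    # own tenant before relying on it for exclusions.
    param(
        [Parameter(Mandatory)] [hashtable] $Directory,
        [string[]] $IncludedGroups = @(),
        [switch]   $AllUsers,          # "Yes, make this app available to all users"
        [string[]] $ExcludedGroups = @()
    )
    $included = if ($AllUsers) {
        $Directory.Values | ForEach-Object { $_ }
    } else {
        $IncludedGroups | ForEach-Object { $Directory[$_] }
    }
    $excluded = $ExcludedGroups | ForEach-Object { $Directory[$_] }
    $result = @($included |
        Where-Object { $_ -and ($excluded -notcontains $_) } |
        Sort-Object -Unique)
    return ,$result
}

# Scenario A: Facebook for all users except "Mumbai Users"
$scenarioA = Get-EffectiveAppRecipients -Directory $directory -AllUsers -ExcludedGroups 'Mumbai Users'

# Scenario B: WhatsApp for "All Bangalore Users" except the "L1 Team"
$scenarioB = Get-EffectiveAppRecipients -Directory $directory `
    -IncludedGroups 'All Bangalore Users' -ExcludedGroups 'L1 Team'

[pscustomobject]@{ Scenario = 'A (Facebook)'; Recipients = ($scenarioA -join ', ') }
[pscustomobject]@{ Scenario = 'B (WhatsApp)'; Recipients = ($scenarioB -join ', ') }
```

With the constructed data, Scenario A drops the two Mumbai users and Scenario B drops ravi, who is in All Bangalore Users but also in the L1 Team. If you want the same check against real groups, replace the `$directory` hashtable with group memberships pulled from Microsoft Graph; the function itself does not change.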



Intune to Restrict NON Patched Windows Devices

Use Intune to Restrict Non-patched Windows Devices from Accessing Email

Let’s discuss using Intune to restrict non-patched Windows devices from accessing email. Security patching is vital to every organization. Now, with Intune, you can restrict Windows 10 devices that are not patched with the latest patches from accessing mail. Non-patched devices are risky to the organization.

There are two options to limit Windows devices from connecting to the corporate network. We will see these options in the following sections of the article.

Windows version = Specify the major.minor.build.CU number here. The version number must correspond to the version returned by the winver command.

I have uploaded a video tutorial to my YouTube channel. I hope this video will help you set these restrictions on your Intune test tenant.

Subscribe to the YouTube channel

Use Intune to Restrict Non-patched Windows Devices from Accessing Email

I would recommend testing these in a staging environment before implementing them in production. As you are aware, patching is essential in any modern workplace project implementation.

Intune and Windows Update for Business can ensure all the Windows devices managed through Intune are patched promptly.

There is no need for on-prem components like WSUS to patch Windows 10 devices using Intune and Windows Update for Business. Setting the Windows 10 Update rings in Intune will not create security concerns.

Read my previous post, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal,” to learn more about Windows 10 update rings.

How Do You Restrict Non-patched Windows Devices from Enrolling in Intune?

This option is available only for NEW Windows devices that are enrolled in the Intune environment via the MDM channel. It is not available for Intune PC agent-managed devices.

The setting explained in this section won’t apply to already enrolled and non-patched Windows devices.

If you have already enrolled and non-patched Windows devices, you need to check out the compliance policy option mentioned in the section below.

Servicing Option        Version   OS Build     Max/Min
Semi-Annual Channel     1709      16299.201    Maximum Version
Semi-Annual Channel     1703      15063.877    Minimum Version

Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Table 1
Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Fig.1

We need to set up Intune enrollment restriction policies to restrict Windows devices from enrolling in Intune. The above table is the best reference for setting up Intune enrollment restriction policies for non-patched Windows devices.

First, we need to decide on your Windows 10 minimum and maximum patch level requirements. More patch-level version details are available at http://aka.ms/win10releasenotes.

In my video, I have selected a Windows 10 minimum patch level of 10.0.15063.877 and a maximum patch level of 10.0.16299.201. You can also leave the maximum patch level blank if you want to support all the latest patched Windows devices.

I have uploaded a video tutorial to my YouTube channel. This video provides a more detailed explanation of how to set up enrollment restriction policies.

You can read my previous post, “How to Prevent Windows Devices from Enrolling to Intune“. This post provides more details about setting up Intune enrollment policies. This also covers the end-user experience of Windows 10 devices if the device patch level is lower than the “Minimum version”.

For example

I have a Windows 10 device, and it’s a non-patched device. The patch version of that device is “10.0.15063.250”. In this scenario, Intune will check whether the device is patched with the minimum patch version required for the organization, which is 10.0.15063.877.

The current patch level of the Windows 10 device is below the minimum version requirement set in the enrollment restriction policy. Hence the device won’t be allowed to enroll in Intune. Update the patches on that Windows 10 device to register to Intune successfully.

Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Fig.2

How Can We Force Users to Install Patches on Windows 10 Devices to Access Emails?

Most end-users are not always happy to install the latest patches and restart their devices on time. But as IT admins, it’s our responsibility to secure the enterprise environment with the latest patches.

Intune can probably help you force users to install patches on their non-patched Windows devices.

We can create a new compliance policy in Intune to set rules and force users to install patches immediately. The policy gives an option to set minimum and maximum patch levels for Windows devices.

When a device does not match the minimum compliance requirement, that device will be flagged as non-compliant.

When you have conditional access associated with compliance policies, the Windows device will lose access to enterprise applications (like mail, SharePoint Online, Skype, etc.) associated with that conditional access policy.

Once users update their Windows version with the latest patches, their devices get access back to mail.

You can use the winver command on a reference device to find its Windows 10 version and patch level, and use that to decide your organisation’s baseline Windows 10 version. You can also use the following links to get the latest patch versions of Windows 10.

In my scenario, I set up a new compliance policy with a minimum patch level of 10.0.15063.877 and a maximum patch level of 10.0.16299.201.

This will ensure that all Windows 10 devices with access to enterprise applications are patched, and the patch level version will be greater than 10.0.15063.877.

I have uploaded a video tutorial to my YouTube channel. This video provides a more detailed explanation of how to create a new compliance policy for minimum and maximum patch levels supported within your organization.

Navigate to the Azure portal, “Microsoft Azure—Microsoft Intune—Device Compliance—Policies,” and create a new compliance policy called “Restrict Window device depending on patches.”
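Both the enrollment restriction (for new MDM enrollments) and the compliance policy (for already enrolled devices) make the same decision: is the device’s major.minor.build.CU version between the minimum and maximum patch levels? The following PowerShell is an added example, not code from the original post or from Microsoft, that performs that comparison with the post’s own values (minimum 10.0.15063.877, maximum 10.0.16299.201) and reports both outcomes for each device. The device builds are constructed, with the first one being the post’s non-patched example 10.0.15063.250; on a Windows host the script also reads the local build from the registry, which is the same value winver displays.

```powershell
# Added example (not from the original post): compares a Windows 10 build against the
# minimum and maximum patch levels from the post (10.0.15063.877 / 10.0.16299.201), as
# the enrollment restriction and the compliance policy do. Device builds are constructed.

function Get-LocalWindowsVersion {
    # Reads the same major.minor.build.UBR that winver shows (Windows only).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $v = Get-ItemProperty -Path $key
    return [version]::new([int]$v.CurrentMajorVersionNumber, [int]$v.CurrentMinorVersionNumber,
                          [int]$v.CurrentBuildNumber, [int]$v.UBR)
}

function Test-PatchLevel {
    param(
        [Parameter(Mandatory)] [version] $DeviceVersion,
        [Parameter(Mandatory)] [version] $MinimumVersion,
        [version] $MaximumVersion   # omit to allow anything newer than the minimum
    )
    # [version] compares field by field numerically; a plain string compare would rank
    # 10.0.9600.x above 10.0.16299.x and let an old build through.
    $belowMin = $DeviceVersion -lt $MinimumVersion
    $aboveMax = [bool]$MaximumVersion -and ($DeviceVersion -gt $MaximumVersion)
    $reason = if ($belowMin) { "below minimum $MinimumVersion" }
              elseif ($aboveMax) { "above maximum $MaximumVersion" }
              else { 'within range' }
    [pscustomobject]@{
        Device            = $DeviceVersion.ToString()
        Compliant         = -not ($belowMin -or $aboveMax)   # compliance policy outcome
        EnrollmentBlocked = ($belowMin -or $aboveMax)        # enrollment restriction outcome (new MDM enrollments only)
        Reason            = $reason
    }
}

$min = [version]'10.0.15063.877'
$max = [version]'10.0.16299.201'

# Constructed device builds: the post's non-patched example plus two in-range builds
foreach ($build in '10.0.15063.250', '10.0.15063.877', '10.0.16299.125') {
    Test-PatchLevel -DeviceVersion ([version]$build) -MinimumVersion $min -MaximumVersion $max
}

# On a Windows host, also evaluate the local machine against the same baseline
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    Test-PatchLevel -DeviceVersion (Get-LocalWindowsVersion) -MinimumVersion $min -MaximumVersion $max
}
```

The first constructed build is reported as below the minimum (blocked from enrolling, and non-compliant if it were already enrolled), the other two fall within range. Keep the `[version]` cast: it is what makes the comparison match Intune’s numeric evaluation of the CU field rather than a lexical one.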

Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Fig.3



SCCM Intune Community Around Me

As David James mentioned in his tweet, SCCM’s summary of 2017 includes three production releases (SCCM CB 1702, 1706, and 1710).

There have been 12 Tech Preview releases of SCCM CB, hundreds of new features, 14k code check-ins, and bug fixes, and now managing more than 100 million endpoints. In this post, we will learn more about the 2017 SCCM ConfigMgr Intune community around me.

I can see that Microsoft Intune releases new features every week. More details are available in “What’s new in Microsoft Intune.” Also, the Intune community is growing strong worldwide and in India.

During the Bangalore IT Pro event, I learned that 99% of the SCCM admins who attended had realized they needed to learn Intune and had already started doing so.

Bangalore IT Pro SCCM Community

We recently conducted an in-person event for SCCM/Intune professionals all around India. This event was conducted at the Microsoft office in Bangalore. We had more than 80 SCCM professionals from different parts of India, like Chennai, Hyderabad, Delhi, and Bangalore.

Follow the #BITPro Twitter handle to join the next events.

Roadmap of a Successful Blog

I started blogging in 2010, and I have more than 900 posts. 2017 was a very successful year for me in sharing my knowledge through my blog.

SCCM Intune Community Around Me – Fig.1

I started working on video tutorials for almost all the technical posts. How-to video guides are included for Intune, SCCM, and Windows 10. Thank you all for your great support over the years.

I’m working with other IT Pro colleagues to improve the blog experience and provide more valuable content to the SCCM/Intune community. More news about this will be available in 2018. I’m excited about next year for the SCCM/Intune community.

Subscribe to Anoop’s newsletter through the SUBSCRIBE button on the blog. Like the Facebook page to get updates on new posts from AnoopCNair.com. We have loads of SCCM- and Intune-related videos on the Facebook page below.

SCCM Facebook Groups – Community

We have a great SCCM professional community on Facebook, with more than 11,200 members in the SCCM professional Facebook group. If you want to join the SCCM, Intune, and Desktop Facebook communities, please use the following links.

SCCM Intune Community Around Me – Fig.2

Subscribe to the SCCM Intune YouTube Channel

I have a YouTube channel with more than 830 subscribers, 156,360 views, and 160 video tutorials. I started concentrating on my YouTube channel in 2017, and 90% of my subscribers are from 2017. Most of the videos are on SCCM, Intune, and Windows 10.

ConfigMgr SCCM LinkedIn Group

This is one of my old SCCM LinkedIn groups, started in 2010. At that time, Facebook groups did not exist and LinkedIn groups were popular. There were several different SCCM groups on LinkedIn, so I created this one for the Indian SCCM community.

We have more than 1900 members in this group. Some of them are still active. We announce Bangalore IT Pro events in this Indian SCCM Professionals LinkedIn group. This is for the people who don’t like Facebook or consider Facebook as a personal social media site.

SCCM Intune Community Around Me – Fig.3

WhatsApp SCCM Professional Group

I created a WhatsApp group for SCCM/Intune professionals back in 2015, mainly to stop people from creating separate WhatsApp groups out of our Facebook SCCM group. After many discussions, I created an official WhatsApp group for SCCM professionals.

We have several admins in that WhatsApp group, and we don’t allow any spam/forwarded messages in that group apart from the Job/Opening of SCCM/Intune professionals. This is to help others get a better opportunity in their SCCM career.

  • Join #2 SCCM Professional GRP HERE

Happy New Year and Best Wishes for 2018

We already crossed the maximum size of a WhatsApp group (#1 SCCM Professional GRP – 256 members). After many thoughts, discussions, and market analysis, we decided to create another WhatsApp group (#2 SCCM Professional GRP), and it already has more than 100 members.

SCCM Intune Community Around Me – Fig.4

Intune Decrypt Files Protected by WIP Policy

Let’s learn how to decrypt files protected by an Intune WIP policy. Windows Information Protection (WIP) is Microsoft’s protection against accidental data leakage. WIP is fully supported on Windows 10 Anniversary Update (1607) and later versions. This post covers how to decrypt files protected by an Intune/SCCM WIP policy.

Certificate details for Intune/SCCM WIP policies: an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate is created and referenced in the WIP policy. The cipher /r command creates the certificate pair, producing the EFSDRA.CER and EFSDRA.PFX files.

EFSDRA.CER is the public certificate that the WIP policy uses when it encrypts data; the EFSDRA.PFX file contains your private key, which is what you need for decryption. I have a post that explains “How to Create, Configure, and Deploy Windows 10 WIP Policies Using SCCM and Intune.”

We may need to go through a migration process towards modern management. The problem below came up during one of these user migrations, and it didn’t go well. The user’s files had been encrypted by the WIP policy, and the user unenrolled and re-enrolled his Windows 10 device as part of troubleshooting.

Intune Decrypt Files Protected by WIP Policy – Fig.1

Issue Statement – Personal Files Encrypted with WIP Policy – Intune Decrypt Files Protected by WIP Policy

Access to the protected files was revoked during troubleshooting and unenrollment from Intune. The user can’t open any files because those files are encrypted using the WIP policy and certificate. The user re-enrolled the device to Intune, but the WIP certificate still locks the protected files.

How to Decrypt WIP-Protected Files

To decrypt the protected files, you need to import the PFX file on the computer where you want to perform the decryption. Be very careful with this file: it contains the DRA private key, and anyone holding it can decrypt any WIP-protected file.

The PFX file must be stored offline, with copies kept on a strongly protected smart card for regular use. Keep the master copies in a secured physical location.

  1. Import EFSDRA.pfx
Intune Decrypt Files Protected by WIP Policy – Fig.2

Double-click the EFSDRA.PFX file to start the Certificate Import Wizard, which imports the certificate onto the user’s machine. Make sure you select Current User as the Store Location.

Browse to and select the EFSDRA.PFX file to import. The PFX is protected with a strong password, which you must enter to proceed with the wizard. In the import options, make sure you select “Include all extended properties.”

Select the certificate store in the import wizard. The default option, “Automatically select the certificate store based on the type of certificate,” is the best choice. Complete the Certificate Import Wizard.

Confirm that the certificate and private key from the PFX file were imported successfully into the certificate store (Certificates – Current User – Personal – Certificates). Check the Intended Purposes column in the console and confirm that a File Recovery certificate is present.

Intune Decrypt Files Protected by WIP Policy – Fig.3

2. Cipher /d Command to Decrypt the Files

Confirm that the private key has been imported into the machine’s certificate store. The next step is to run the command cipher /d “File_Name.XXX” from the directory where the protected files are stored.

  C:>cipher /d “SCCM Intune.docx”
  Decrypting files in C:\WINDOWS\system32\
  SCCM Intune.docx [OK]
  1 file(s) [or directories(s)] within 1 directories(s) were decrypted.
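Steps 1 and 2 above, as an added PowerShell example that is not the author’s script: it imports the DRA private key into the Current User Personal store, verifies that the certificate really carries the File Recovery purpose (the “Intended Purposes” check from step 1), runs cipher /d against each file in a folder that still has the EFS Encrypted attribute, reports any file that stayed encrypted, and finally removes the imported key again so the DRA does not linger on the workstation. The PFX path and the target folder are placeholders; the PKI module that ships with Windows 10 is assumed for Import-PfxCertificate.

```powershell
# Added example (not from the original post): import the EFS DRA key, confirm it is a
# File Recovery certificate, decrypt WIP-protected files with cipher /d, then clean up.
# Assumptions: paths below are placeholders; the PKI module (Import-PfxCertificate) is
# present; the DRA was created with "cipher /r", which sets the File Recovery EKU.

$PfxPath        = 'C:\DRA\EFSDRA.pfx'            # placeholder: exported DRA private key
$Target         = 'C:\Users\Placeholder\Documents'  # placeholder: folder with WIP-protected files
$EfsRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'     # OID of the "File Recovery" purpose

# Step 1: import into Cert:\CurrentUser\My (the wizard's "Current User" / Personal store).
# The password is read interactively so it is never embedded in the script.
$pw   = Read-Host -AsSecureString -Prompt 'EFSDRA.pfx password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pw

# Verify the imported certificate has both a private key and the File Recovery purpose;
# without both, cipher /d cannot unwrap the file encryption key through the DRA field.
$isDra = $cert.HasPrivateKey -and ($cert.EnhancedKeyUsageList.ObjectId -contains $EfsRecoveryEku)
if (-not $isDra) {
    throw "Certificate $($cert.Thumbprint) is not a usable EFS recovery agent key."
}

# Step 2: decrypt only files that still carry the Encrypted attribute, one cipher /d per file.
function Get-EncryptedFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

$before = @(Get-EncryptedFiles -Path $Target)
foreach ($f in $before) {
    & cipher.exe /d "$($f.FullName)" | Out-Null
}
$after = @(Get-EncryptedFiles -Path $Target)

'{0} encrypted file(s) found, {1} still encrypted after cipher /d' -f $before.Count, $after.Count
$after | ForEach-Object { "Still protected (check the WIP audit logs): $($_.FullName)" }

# Clean-up: the recovery key should not stay on this machine once the job is done.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

A file that still reports the Encrypted attribute after the loop is worth checking in the EDP-Audit event logs described under Troubleshooting: it usually means the file was protected under a different enterprise identity or DRA than the key you imported.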

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through the Windows event logs. In Event Viewer, navigate to Application and Services Logs – Microsoft – Windows, and open the EDP-Audit-Regular and EDP-Audit-TCB channels.

Intune Decrypt Files Protected by WIP Policy – Table 1: sample EDP-Audit-TCB event
Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
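The same log data can be queried without Event Viewer. As an added example (not part of the original post), the PowerShell below pulls the “Protection removed” events (ID 101, as in the sample above) from the EDP-Audit-TCB Admin channel and lists which files lost their enterprise tag, which is the quickest way to confirm whether a cipher /d run was actually recorded by WIP. The seven-day window and the message-parsing pattern are assumptions based on the event text shown above.

```powershell
# Added example (not from the post): summarise WIP "Protection removed" audit events.
# Assumptions: the message format matches the sample event above; a 7-day window.

$Channel = 'Microsoft-Windows-EDP-Audit-TCB/Admin'   # channel from the sample event
$Since   = (Get-Date).AddDays(-7)

# Event ID 101 is the "Protection removed" audit shown above.
$events = Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 101; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    "No 'protection removed' events in $Channel since $Since"
    return
}

$events | ForEach-Object {
    # Sample message: "Enterprise <ID> tag has been removed (Protection removed) from the file: <path>"
    $enterprise = if ($_.Message -match '^Enterprise\s+(\S+)\s+tag') { $Matches[1] } else { '' }
    $file       = if ($_.Message -match 'from the file:\s*(.+)$') { $Matches[1].Trim() } else { $_.Message }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = $_.UserId      # SID of the account that removed protection
        Enterprise = $enterprise    # e.g. ACNS.COM in the sample above
        File       = $file
    }
} | Sort-Object Time | Format-Table -AutoSize

# The EDP-Audit-Regular channel holds the day-to-day WIP audit events; the same
# filter, with the channel name changed, works against it.
```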
Intune Decrypt Files Protected by WIP Policy – Fig.4