Intune Mobile App Assignment Exclude AAD Group Option

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune

The Microsoft Intune team deprecated the application assignment type “Not Applicable” for good reasons. So, you do not need to worry when you don’t see the “Not Applicable” assignment type in your Intune tenant.

“Not Applicable” will no longer be an option in the console but will be replaced by “Excluded Groups.” The Exclude Group option was already available for Configuration policies and is useful.

Do you remember the Groups in the Intune Silverlight portal? There was exclusion logic used in Intune groups in the Silverlight portal. I think the excluded Azure AD groups used in app assignments do not use nested group logic (Implicit Exclusion Groups).

I’m trying to explain two application assignment scenarios using Intune’s “Excluded Groups” logic in this post.

What are the New Features of Intune’s “Excluded Groups”

Intune has a new app assignment process with an “Excluded Groups” option. Using it, you can now easily manage app assignments to groups that have overlapping members or that are targeted with conflicting app assignment types.

How does the deprecation of “Not Applicable” affect you?

Previously, the app assignment process in the Intune on Azure console allowed targeting groups with the “Not Applicable” assignment type. This will no longer be the case. The “Excluded Groups” option replaces the “Not Applicable” option.

This new feature manages app assignments by allowing an app to target a large group of users or devices while excluding a subset of the same group.

  • https://blogs.technet.microsoft.com/intunesupport/2018/02/02/new-feature-new-app-assignment-process-in-intune-with-an-excluded-groups-option/

What Do I Need to Do to Prepare for this Change?

Start using the new app assignment process and update your documentation if needed. Click on Additional Information to see screenshots and to read about different scenarios where this new feature can help you manage your app assignments.

I will try briefly explaining the new feature of excluded groups in Intune using the following two scenarios. I also have a video tutorial that explains both of these scenarios.

Scenario A – Facebook is available for All Users Except “Mumbai Users”
Scenario B – WhatsApp is available for All Bangalore Users Except the “L1 Team”
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Table 1

Scenario A

I want to make the Facebook application available to “All Users” in the organization, but it should not be available for “Mumbai Users.”

Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune – Video 1

Launch Azure Portal and navigate to Microsoft Intune—Mobile Apps—Apps. Select the Facebook app that you want to assign. A dashboard related to the app is displayed.

  1. Select Assignments under the Manage section.
  2. Select Add Group to add the groups of users who are assigned the app.
  3. Select an Assignment type from the available types on the Add group blade. The available app assignments are “Available for enrolled devices,” “Available with or without enrollment,” and “Required.”
  4. Select “Available for enrolled devices” as the assignment type.
  5. Select Included Groups to select the group of users to whom you want to make the Facebook app available.
  6. Select Yes to “Make this app available to all users with enrolled devices”.
  7. Click OK to set the group to include.
  8. Select Excluded Groups to select the groups of users for whom you want to make the Facebook app unavailable.
  9. Select the “Mumbai Users” group to exclude, which makes the Facebook app unavailable for the users in the Mumbai Users Azure AD group.
  10. Click OK on the Add group blade. The app Assignments list is displayed.
  11. Click Save to make your group assignments active for the Facebook app.
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune - Fig.1

Scenario B

I want to make the WhatsApp application available to “All Bangalore Users” in the organization, but it should not be available for the “L1 Team.” The video tutorial “Intune App Assignment Include Exclude Azure AD Groups” includes more details.

  1. Follow steps 1 to 7 above.
  2. Select Included Groups to select the groups of users to whom you want to make the WhatsApp application available.
  3. Select the “All Bangalore Users” Azure AD group to include, making the WhatsApp app available to users in that group.
  4. Click OK on the Add group blade to include the users. The app’s Assignments list now shows All Bangalore Users.
  5. Select Excluded Groups to select the groups of users for whom you want to make the WhatsApp app unavailable.
  6. Select the “L1 Team” group to exclude, making the WhatsApp app unavailable for the users in the L1 Team Azure AD group.
  7. Click OK on the Add group blade. The app Assignments list is displayed.
  8. Click Save to activate your group assignments for the WhatsApp app.
Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune - Fig.2
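The same two scenarios, built through Microsoft Graph with the Microsoft.Graph PowerShell SDK, as an added example that is not part of the original post; the app ids are placeholders, the group names are the ones used above, and the read-back function at the end is the check to run after saving so you can see which targets are includes and which are excludes.

```powershell
# Added example (not from the original post): Scenario A and B assignments via
# Microsoft Graph, using the Microsoft.Graph PowerShell SDK
# (Install-Module Microsoft.Graph.Authentication). App ids are placeholders.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All'

function Get-GroupIdByName {
    # Resolve an Azure AD group display name to its object id; fail on 0 or >1
    # matches so an exclusion never silently lands on the wrong group.
    param([Parameter(Mandatory)][string]$DisplayName)
    $uri = "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$DisplayName'&`$select=id,displayName"
    $result = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($result.value.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($result.value.Count)"
    }
    return $result.value[0].id
}

function New-AvailableAssignment {
    # One mobileAppAssignment with intent 'available' (portal: "Available for enrolled devices")
    param([Parameter(Mandatory)][hashtable]$Target)
    return @{
        '@odata.type' = '#microsoft.graph.mobileAppAssignment'
        intent        = 'available'
        target        = $Target
    }
}

function Set-AppAssignments {
    # The assign action replaces the whole assignment set of the app, so every
    # include and every exclude you want to keep must be in this one call.
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][hashtable[]]$Assignments
    )
    $body = @{ mobileAppAssignments = $Assignments }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$AppId/assign" `
        -Body $body
}

function Get-AppAssignmentSummary {
    # Read the assignments back and label each target INCLUDE or EXCLUDE.
    # An exclusion that does not show up here is not in effect.
    param([Parameter(Mandatory)][string]$AppId)
    $result = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/$AppId/assignments"
    foreach ($a in $result.value) {
        $t = $a.target
        $mode = if ($t.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget') { 'EXCLUDE' } else { 'INCLUDE' }
        [pscustomobject]@{
            Intent = $a.intent
            Mode   = $mode
            Target = if ($t.groupId) { $t.groupId } else { $t.'@odata.type' }
        }
    }
}

# Scenario A: Facebook available to all users, except the "Mumbai Users" group
$facebookAppId = '<facebook-app-id>'   # placeholder
Set-AppAssignments -AppId $facebookAppId -Assignments @(
    (New-AvailableAssignment -Target @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' }),
    (New-AvailableAssignment -Target @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                                         groupId       = (Get-GroupIdByName 'Mumbai Users') })
)

# Scenario B: WhatsApp available to "All Bangalore Users", except the "L1 Team" group
$whatsappAppId = '<whatsapp-app-id>'   # placeholder
Set-AppAssignments -AppId $whatsappAppId -Assignments @(
    (New-AvailableAssignment -Target @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                                         groupId       = (Get-GroupIdByName 'All Bangalore Users') }),
    (New-AvailableAssignment -Target @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                                         groupId       = (Get-GroupIdByName 'L1 Team') })
)

Get-AppAssignmentSummary -AppId $facebookAppId
Get-AppAssignmentSummary -AppId $whatsappAppId
```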

Resources

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair has been a Microsoft MVP since 2015, for 10 consecutive years! He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, careers, etc.

Intune to Restrict NON Patched Windows Devices

Use Intune to Restrict Non-patched Windows Devices from Accessing Email

Let’s discuss using Intune to restrict non-patched Windows devices from accessing email. Security patching is vital to every organization. Now, with Intune, you can restrict Windows 10 devices that are not patched with the latest updates from accessing mail. Non-patched devices are a risk to the organization.

There are two options to limit Windows devices from connecting to the corporate network. We will see these options in the following sections of the article.

Windows version = Specify the major.minor.build.CU number here. The version number must correspond to the version returned by the winver command.

I have uploaded a video tutorial to my YouTube channel. I hope this video will help you set these restrictions on your Intune test tenant.


I would recommend testing these in a staging environment before implementing them in production. As you are aware, patching is essential in any modern workplace project implementation.

Intune and Windows Update for Business can ensure all the Windows devices managed through Intune are patched promptly.

There is no need for on-prem components like WSUS to patch Windows 10 devices using Intune and Windows Update for Business. Setting the Windows 10 Update rings in Intune will not create security concerns.

Read my previous post, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal,” to learn more about Windows 10 update rings.

How Do You Restrict Non-patched Windows Devices from Enrolling in Intune?

This option is available only for NEW Windows devices that are enrolled in the Intune environment via the MDM channel. It is not available for Intune PC agent-managed devices.

The setting explained in this section won’t apply to already enrolled and non-patched Windows devices.

If you have already enrolled and non-patched Windows devices, you need to check out the compliance policy option mentioned in the section below.

Servicing Option      Version   OS Build    Max/Min
Semi-Annual Channel   1709      16299.201   Maximum Version
Semi-Annual Channel   1703      15063.877   Minimum Version
Use Intune to Restrict Non-patched Windows Devices from Accessing Email – Table 1
Use Intune to Restrict Non-patched Windows Devices from Accessing Email - Fig.1

We need to set up Intune enrollment restriction policies to restrict Windows devices from enrolling in Intune. The above table is the best reference for setting up Intune enrollment restriction policies for non-patched Windows devices.

First, decide on your Windows 10 minimum and maximum patch-level requirements. More patch-level version details are available at http://aka.ms/win10releasenotes.

In my video, I have selected a Windows 10 minimum patch level of 10.0.15063.877 and a maximum patch level of 10.0.16299.201. You can also leave the maximum patch level blank if you want to support all the latest patched Windows devices.

I have uploaded a video tutorial to my YouTube channel. This video provides a more detailed explanation of how to set up enrollment restriction policies.

You can read my previous post, “How to Prevent Windows Devices from Enrolling to Intune”. This post provides more details about setting up Intune enrollment policies. It also covers the end-user experience on Windows 10 devices when the device patch level is lower than the “Minimum version”.

For example

I have a Windows 10 device, and it’s a non-patched device with patch version “10.0.15063.250”. In this scenario, Intune checks whether the device is patched to the minimum version required by the organization, which is 10.0.15063.877.

The current patch level of the Windows 10 device is below the minimum version requirement set in the enrollment restriction policy. Hence, the device won’t be allowed to enroll in Intune. Install the pending updates on that Windows 10 device to register it with Intune successfully.

Use Intune to Restrict Non-patched Windows Devices from Accessing Email - Fig.2

How Can We Force Users to Install Patches on Windows 10 Devices to Access Emails?

Most end-users are not always happy to install the latest patches and restart their devices on time. But as IT admins, it’s our responsibility to secure the enterprise environment with the latest patches.

Intune can probably help you force users to install patches on their non-patched Windows devices.

We can create a new compliance policy in Intune to set rules and force users to install patches immediately. The policy gives an option to set minimum and maximum patch levels for Windows devices.

When a device does not match the minimum compliance requirement, that device will be flagged as non-compliant.

When you have conditional access associated with compliance policies, the Windows device will lose access to enterprise applications (like mail, SharePoint Online, Skype, etc.) associated with that conditional access policy.

Once users update their Windows version with the latest patches, their devices get access back to mail.

You can use the winver command to decide your organisation’s baseline Windows 10 version with a certain patch level. You can also use the Windows 10 release notes page linked above to get the latest patch versions of Windows 10.

In my scenario, I set up a new compliance policy with a minimum patch level of 10.0.15063.877 and a maximum patch level of 10.0.16299.201.

This ensures that all Windows 10 devices with access to enterprise applications are patched, with a patch-level version at or above 10.0.15063.877.

I have uploaded a video tutorial to my YouTube channel. This video provides a more detailed explanation of how to create a new compliance policy for minimum and maximum patch levels supported within your organization.

Navigate in the Azure portal to “Microsoft Azure—Microsoft Intune—Device Compliance—Policies,” and create a new compliance policy called “Restrict Windows device depending on patches.”

Use Intune to Restrict Non-patched Windows Devices from Accessing Email - Fig.3
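Both the enrollment restriction and the compliance policy above apply the same minimum/maximum comparison on the winver-style version, so here is that check reproduced locally, as an added example that is not part of the original post; it assumes the post’s bounds (10.0.15063.877 and 10.0.16299.201), the example device 10.0.15063.250 from the enrollment section, and the standard Windows NT\CurrentVersion registry values for the running machine.

```powershell
# Added example (not from the original post): the min/max patch-level check
# applied by the enrollment restriction and the compliance policy, reproduced
# locally so a device's result can be predicted before it reaches Intune.
# Bounds below are the ones from this post; adjust them to your baseline.
$minimumVersion = [version]'10.0.15063.877'
$maximumVersion = [version]'10.0.16299.201'   # set to $null to allow every newer build

function Get-WinverStyleVersion {
    # Build the major.minor.build.UBR value that winver shows, from the registry
    # values Windows keeps for it; UBR is the revision set by the cumulative update.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]::new([int]$p.CurrentMajorVersionNumber, [int]$p.CurrentMinorVersionNumber,
                          [int]$p.CurrentBuildNumber, [int]$p.UBR)
}

function Test-PatchLevel {
    # Compare field by field with [version]; a plain string comparison would put
    # 10.0.9841.0 after 10.0.15063.877 because '9' sorts after '1'.
    param(
        [Parameter(Mandatory)][version]$Current,
        [version]$Minimum,   # $null = no lower bound
        [version]$Maximum    # $null = no upper bound (the "leave it blank" case in the post)
    )
    if ($null -ne $Minimum -and $Current -lt $Minimum) {
        return [pscustomobject]@{ Version = $Current; Compliant = $false; Reason = "below minimum $Minimum" }
    }
    if ($null -ne $Maximum -and $Current -gt $Maximum) {
        return [pscustomobject]@{ Version = $Current; Compliant = $false; Reason = "above maximum $Maximum" }
    }
    return [pscustomobject]@{ Version = $Current; Compliant = $true; Reason = 'within the minimum/maximum bounds' }
}

# The post's example device: 10.0.15063.250 is below the minimum, so enrollment
# is refused and, under the compliance policy, the device is flagged non-compliant.
Test-PatchLevel -Current ([version]'10.0.15063.250') -Minimum $minimumVersion -Maximum $maximumVersion

# A device on exactly the minimum version passes (the minimum is inclusive).
Test-PatchLevel -Current $minimumVersion -Minimum $minimumVersion -Maximum $maximumVersion

# A build newer than the maximum (constructed sample) is blocked until the
# maximum is raised, or allowed when the maximum is left blank.
Test-PatchLevel -Current ([version]'10.0.17134.1') -Minimum $minimumVersion -Maximum $maximumVersion
Test-PatchLevel -Current ([version]'10.0.17134.1') -Minimum $minimumVersion -Maximum $null

# And the machine this script runs on
Test-PatchLevel -Current (Get-WinverStyleVersion) -Minimum $minimumVersion -Maximum $maximumVersion
```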



SCCM Intune Community Around Me

As David James mentioned in his tweet, SCCM’s summary of 2017 includes three production releases (SCCM CB 1702, 1706, and 1710).

There have been 12 Tech Preview releases of SCCM CB, hundreds of new features, 14k code check-ins, and bug fixes, and now managing more than 100 million endpoints. In this post, we will learn more about the 2017 SCCM ConfigMgr Intune community around me.

I can see that Microsoft Intune releases new features every week. More details are available in “What’s new in Microsoft Intune.” Also, the Intune community is growing strong worldwide and in India.

During the Bangalore IT Pro event, I learned that 99% of SCCM admins (who attended the event) realized they had to learn Intune, and they started to learn Intune.

Bangalore IT Pro SCCM Community

We recently conducted an in-person event for SCCM/Intune professionals all around India. This event was conducted at the Microsoft office in Bangalore. We had more than 80 SCCM professionals from different parts of India, like Chennai, Hyderabad, Delhi, and Bangalore.

Follow the #BITPro Twitter handle to join the next events.

Roadmap of a Successful Blog

I started blogging in 2010, and I have more than 900 posts. 2017 was a very successful year for me in sharing my knowledge through my blog.

SCCM Intune Community Around Me - Fig.1

I started working on video tutorials for almost all the technical posts. How-to video guides are included for Intune, SCCM, and Windows 10. Thank you all for your great support over the years.

I’m working with other IT Pro colleagues to improve the blog experience and provide more valuable content to the SCCM/Intune community. More news about this will be available in 2018. I’m excited about next year for the SCCM/Intune community.

Subscribe to Anoop’s newsletter through the SUBSCRIBE button on the blog. Like the Facebook page to get updated on new posts of AnoopCNair.com. We have loads of SCCM Intune-related videos on the Facebook page below.

SCCM Facebook Groups – Community

We have a great SCCM professional community available on Facebook. We have more than 11,200 members in this SCCM professional Facebook group. If you want to join the SCCM, Intune, and Desktop Facebook community, please join them using the following links.

SCCM Intune Community Around Me - Fig.2

Subscribe SCCM Intune YouTube Channel

I have a YouTube channel with more than 830 subscribers, 156,360 views, and 160 video tutorials. I started concentrating on my YouTube channel in 2017, and 90% of my subscribers are from 2017. Most of the videos are on SCCM, Intune, and Windows 10.

ConfigMgr SCCM LinkedIn Group

This is one of my old SCCM LinkedIn groups that started in 2010. At that time, Facebook groups were not there, and LinkedIn groups were famous. There were several different SCCM groups on LinkedIn, so I created this one for the Indian SCCM community.

We have more than 1900 members in this group. Some of them are still active. We announce Bangalore IT Pro events in this Indian SCCM Professionals LinkedIn group. This is for the people who don’t like Facebook or consider Facebook as a personal social media site.

SCCM Intune Community Around Me - Fig.3

WhatsApp SCCM Professional Group

I created a WhatsApp group for SCCM/Intune Professionals back in 2015. This is mainly to avoid people creating different WhatsApp groups in our Facebook SCCM group. I have created an official WhatsApp group for SCCM professionals after many discussions.

We have several admins in that WhatsApp group, and we don’t allow any spam/forwarded messages in that group apart from the Job/Opening of SCCM/Intune professionals. This is to help others get a better opportunity in their SCCM career.

  • Join #2 SCCM Professional GRP HERE

Happy New Year and Best Wishes for 2018

We already crossed the maximum limit of a WhatsApp group (#1 SCCM Professional GRP – 256 members). After many thoughts, discussions, and market analysis, we decided to create another WhatsApp group (#2 SCCM Professional GRP ), and we already have more than 100 members.

SCCM Intune Community Around Me - Fig.4



Intune Decrypt Files Protected by WIP Policy

Let’s learn about Intune Decrypt Files Protected by WIP Policy. Windows Information Protection (WIP) is Microsoft’s solution for protecting against accidental data leakage. WIP is fully supported on the Windows 10 Anniversary Update (1607) and later versions. This post covers decrypting files protected by an Intune/SCCM WIP policy.

Certificate details for Intune/SCCM WIP policies: an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate is created and used in WIP policies. The cipher /r command creates the two files, EFSDRA.CER and EFSDRA.PFX.

EFSDRA.CER is used to encrypt data under WIP policies; the EFSDRA.PFX file contains your private key, which is needed for decryption. I have a post that explains “How to Create, Configure, and Deploy Windows 10 WIP Policies Using SCCM and Intune.”

We may need to go through the migration process towards modern management. This happened during one of the user migrations, and it didn’t go well. The user’s files were encrypted with the WIP policy. The user unenrolled and reenrolled his Windows 10 device as part of troubleshooting.

Intune Decrypt Files Protected by WIP Policy - Fig.1

Issue Statement – Personal Files Encrypted with WIP Policy – Intune Decrypt Files Protected by WIP Policy

Access to the protected files was revoked during troubleshooting and unenrollment from Intune. The user can’t open any files because those files are encrypted using the WIP policy and certificate. The user re-enrolled the device to Intune, but the WIP certificate still locks the protected files.

How to Decrypt WIP-Protected Files

To decrypt the protected files, you need to import the PFX file to the computer where you want to perform the decryption process. You must be very careful because of the private keys in your DRA. The PFX file can be used to decrypt any WIP file.

The PFX file must be stored offline, keeping copies on a smart card with strong protection for regular use. It’s better to keep master copies in a secured physical location.

  1. Import EFSDRA.pfx 
Intune Decrypt Files Protected by WIP Policy - Fig.2

Double-click on the EFSDRA.PFX file to start the certificate import wizard. This wizard helps import the certificate to the user’s machine. Make sure you select Store Location as a Current user.

Browse and select the EFSDRA.PFX file to import. The private key PFX is protected with a secure password, which you must enter to proceed with the certificate import wizard. In the import options, make sure you select “Include all extended properties.”

Select the certificate store in the import wizard. The best option is the default, “Automatically select the certificate store based on the type of certificate.” Complete the certificate import wizard.

Confirm that the certificate (the private key PFX) was imported successfully into the certificate store (Certificates – Current User – Personal – Certificates). Check the Intended Purposes column in the console and confirm that a File Recovery certificate is present.

Intune Decrypt Files Protected by WIP Policy - Fig.3

2. Cipher /d Command to Decrypt the Files

Confirm that the private key is imported into the machine’s certificate store. The next step is to run the command cipher /d "File_Name.XXX" from the directory where the protected files are stored.

  C:\>cipher /d "SCCM Intune.docx"
  Decrypting files in C:\WINDOWS\system32\
  SCCM Intune.docx [OK]
  1 file(s) [or directories(s)] within 1 directories(s) were decrypted.

Troubleshooting – Check the WIP Logs

WIP troubleshooting can be done through the Windows event logs. Navigate to Application and Services Logs\Microsoft\Windows, then open EDP-Audit-Regular and EDP-Audit-TCB.

Check the WIP Logs: EDP-Audit-TCB
Intune Decrypt Files Protected by WIP Policy – Table 1
Log Name: Microsoft-Windows-EDP-Audit-TCB/Admin
Source: Microsoft-Windows-EDP-Audit-TCB
Date: 25-11-2017 10:54:03
Event ID: 101
Task Category: None
Level: Information
Keywords: Windows Information Protection Audit Protection Removed Keyword
User: ANOOP-SURFACE-B\Anoop C Nair
Computer: Anoop-Surface-Book
Description:
Enterprise ACNS.COM tag has been removed (Protection removed) from the file: C:\Users\Anoop C Nair\Pictures\SCCM 1710\Overview SCCM Co-Mgmt CMG.jpg
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
 <Provider Name="Microsoft-Windows-EDP-Audit-TCB" Guid="{}" />
 <EventID>101</EventID>
 <Version>0</Version>
 <Level>4</Level>
 <Task>0</Task>
 <Opcode>0</Opcode>
 <Keywords>0x8000000889787810</Keywords>
 <TimeCreated SystemTime="2017-11-25T05:24:03.294238400Z" />
 <EventRecordID>15</EventRecordID>
 <Correlation />
 <Execution ProcessID="876" ThreadID="11836" />
 <Channel>Microsoft-Windows-EDP-Audit-TCB/Admin</Channel>
 <Computer>Anoop-Surface-Book</Computer>
 <Security UserID="" />
 </System>
Intune Decrypt Files Protected by WIP Policy - Fig.4
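Steps 1 and 2 above plus the EDP-Audit-TCB log check, scripted in PowerShell as an added example that is not part of the original post; the PFX path and the folder of protected files are placeholders, and it assumes the built-in PKI cmdlets (Import-PfxCertificate) and the cipher.exe switches the post uses.

```powershell
# Added example (not from the original post): import the DRA key, verify it is a
# File Recovery certificate, decrypt a folder, confirm via the EDP audit log, and
# remove the key again. Paths below are placeholders.
$pfxPath   = 'C:\Recovery\EFSDRA.PFX'        # placeholder: the master copy stays offline
$targetDir = 'C:\Users\<user>\Documents'     # placeholder: folder holding WIP-protected files

# Step 1: import EFSDRA.PFX into the Current User personal store (same as the wizard).
$pfxPassword = Read-Host -Prompt 'EFSDRA.PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

# What the MMC shows as "Intended Purposes: File Recovery" is the EFS Recovery EKU,
# OID 1.3.6.1.4.1.311.10.3.4.1. Without it, or without the private key, cipher /d cannot work.
$hasFileRecovery = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4.1' }
if (-not $hasFileRecovery) { throw 'Imported certificate is not an EFS Data Recovery Agent certificate' }
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key; decryption will fail' }
Write-Host "Imported DRA certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Step 2: list encryption state, then decrypt the folder recursively (cipher /d /s:<dir>).
cipher /c "$targetDir"
cipher /d /s:"$targetDir"

# Troubleshooting: the log from the post records event 101 ("Protection removed")
# for every file that was decrypted, which is the evidence the decryption ran.
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-EDP-Audit-TCB/Admin'; Id = 101; StartTime = $since } |
    Select-Object TimeCreated, Message

# Remove the DRA private key from this machine once the job is done: anyone holding
# it can decrypt every WIP-protected file in the organisation.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```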



Windows 10 Quality Feature Update Policies for Intune Step by Step Guide

Let’s discuss Windows 10 Quality Feature Update Policies for Intune Step-by-Step Guide. Microsoft released Windows 10 1709, the Fall Creators Update. Devices on the Current Branch (Semi-Annual Channel (Targeted)) should receive the update under Settings—Update and Security—Windows Update.

In this post, the Windows 10 device is managed by Microsoft Intune, and we will see “Windows 10 1709 Fall Creators Update Upgrade with Intune Update Rings.”

Many methods exist to upgrade the Windows 10 version to the latest version, 1709. You can upgrade to Windows 10 with an ISO file available in Visual Studio Subscriptions (previously known as MSDN) or VLSC (Volume Licensing Service Center).

If Microsoft Intune manages your devices, a software update policy ring will manage Windows 10 feature updates.

Windows 10 Quality Feature Update Policies for Intune  Step by Step Guide

Another Related Post on Windows 10 Update Rings

Navigate via Microsoft Azure—Microsoft Intune—Software Updates to “Windows 10 Update Rings.” Here, you can create Windows 10 Semi-Annual Targeted and Semi-Annual update rings.

These two update rings in Intune control your organization’s Windows 10 upgrade behavior.

  • Windows 10 Semi-Annual Targeted Update Ring – All the devices in the Current Branch.
  • Windows 10 Semi-Annual Update Ring – All the devices in the Current Branch for Business
  • FIX CBB Ring Devices are Getting CB Updates Intune Windows 10 Update Rings
  • Windows 10 1709 Fall Creators Update Upgrade with Intune Update Rings
Windows 10 Quality Feature Update Policies for Intune Step by Step Guide - Fig.1

Create Windows 10 Update Rings in Intune?

In my previous posts, I explained the details of the Intune policy, “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal.”

Navigate via the Intune console to Windows 10 Update Rings – Create Update Ring – Settings. Select the “Servicing Branch” option according to your requirements. “Feature update deferral period (days)” is another setting to configure as part of the Create Update Ring policy.

  • For example: if we set Servicing Branch = CB and Feature update deferral period (days) = 0, the device will get the Windows 10 1709 update on the day of release (day 0).
  • As I mentioned in the above paragraph, there are two types of Servicing Branches for Windows 10: Semi-Annual Targeted and Semi-Annual.
  • Select the CB servicing branch (Semi-Annual Targeted) to set the devices for the first wave of deployment of Windows 10 feature upgrades. The latest Windows 10 1709 Fall Creators Update is released only for the Semi-Annual Targeted branch.

How Do Windows 10 Update Rings Work?

Windows 10 update rings work flawlessly under the hood. I have not uploaded Windows 10 1709 ISO or files to Intune to deliver the updates to the devices. Intune helps to set up 2 MDM policies in Windows 10 1607 or later devices.

So where do devices get the Windows 10 feature update binaries from, if not from Intune? Windows 10 devices get the feature update content/binaries from Windows Update for Business (WUfB).

Another essential feature of Windows 10 is Delivery Optimization. Delivery optimization helps to find the binaries from the peer devices. These peer devices could be either from the same network or the internet.

Windows 10 Update Ring MDM Policies?

The following are the two MDM policies that Intune sets on Windows 10 devices.

CB/CBB option (MDM for version 1607 and above): ./Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel (registry: \Microsoft\PolicyManager\default\Update\BranchReadinessLevel)

Deferral period in days (MDM for version 1607 and above): ./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays (registry: \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays)

Windows 10 Upgrade End User Experience

The following video shows the Windows 10 1709 Fall Creators Update being delivered through Windows Update for Business. It gives you an end-to-end view of the Windows 10 1709 Fall Creators Update upgrade process via Windows Update for Business (WUfB).

As you can see in the video, the Windows 10 device is in the CB (Semi-Annual Channel (Targeted)) channel, and the deferral period policy is set to zero days.



How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps

Let’s discuss how to Troubleshoot and Fix Intune Issues with Easy Steps. Intune troubleshooting is easy with the Azure portal. You should start with the “Microsoft Intune—Help and Support” page in the Intune portal whenever you face any issue with Intune.

This post will see “How to start Troubleshooting Intune Policy Deployment Issues from the Intune portal.” For more tips, see Troubleshoot Intune Issues.

You can also check user-based Intune security policy troubleshooting in the following post: Intune User Policy Troubleshooting Tips For Prevent Changing Theme. Another post will help you resolve device-based Intune security policy issues: Troubleshoot Microsoft Edge Security Policy Deployment Issues with Intune.

Update 20-Jan-2018 – When you have an iOS device and want to perform the Intune side of troubleshooting, Microsoft released an excellent document here, “Troubleshooting iOS device enrollment problems in Microsoft Intune.”

Latest Intune Troubleshooting Strategies | Fix Intune Policy Conflicts | Methods IT Admins -Helpdesk

In this video, you will learn about the Latest Intune Troubleshooting strategies to simplify Intune app and policy deployment troubleshooting!

How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Video 1

How Do You Check the Status of the Intune Service? – Troubleshooting Intune Issues

When you have a major issue with Intune-managed devices, the first place to look is the current status of Intune and its dependent services. You can check that from Tenant Admin – Tenant status in the MEM Admin Center portal.

Under the Tenant status tab, there is a link to check the status of Intune and other services for your tenant. Intune service status shows the current health of the service.

You can check Intune service health for your tenant from the Service Health and Message Center tab. The Intune message center also provides details about new changes and related information.

How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps - Fig.1

How to Start Troubleshooting Intune Policy Deployment?

When an issue significantly impacts all Intune-managed devices/users, first ensure that the tenant’s health is OK. Once you are sure there is no issue on the Intune service side for your tenant, it’s time to proceed with your policy assignment and other detailed troubleshooting.

When the issue is NOT impacting all devices or users, it’s better to start with the second stage of Intune troubleshooting.

[Related Posts – How to Troubleshoot Windows 10 Intune MDM Issues]

Troubleshoot + Support is the tab in the MEM admin center portal. Select one of the users having issues with application or policy deployment: for example, a user who is not getting the application assigned to their AAD group, or a user who is not compliant with the configuration policies assigned to them.

How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Fig.2

I selected Anoop Nair as the user. All the details of this user will be available in the troubleshooting tab. This will help the Intune admin confirm whether we have targeted all the applications and policies to the correct AAD groups. From here you can check and confirm the following:

  • Whether the user has a valid Intune license
  • Whether the user is part of the correct AAD group
  • Whether the device is compliant
  • The status of Company Data Removal/wipe actions on a device
How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Table 1

Another set of user details you can check in the Intune troubleshooting blade is the Principal name of the selected user and the Email ID. The other information available in the Intune troubleshooting blade is:

  • Whether an Intune license is assigned to the user
  • Device compliance status
  • Whether apps are in a compliant state
  • Azure AD group membership for the user
  • Mobile app assignments to the user
  • Compliance policies deployed or assigned to the user
  • App protection status for the devices
  • Configuration profile deployment status for the user
  • List of the devices for that user and the status of those devices

There are some red icons, as seen in the video tutorial and the screenshot below. Those red icons could indicate potential issues with application or policy deployments. I could see problems with Anoop’s Android device: the app protection status does not look right for the Android devices. The Intune troubleshooting blade provides a valuable report that reads “31 apps non-compliant”.

How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Video 2

The Intune Troubleshooting Blade has six (6) assignment categories. Each category provides details about the user’s assignments. If some items are missing, we need to examine the AAD groups targeted by those policies.

  • Mobile Apps
  • Compliance Policies
  • Configuration Profiles
  • App Protection Policies
  • Windows 10 Update Rings
  • Enrollment Restrictions
How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Fig.3

The above information is essential to start Intune troubleshooting from the Azure portal. From the troubleshooting tab, we can directly access details of each assigned policy for that user. We can also look at the device properties and hardware information for more detailed troubleshooting.

For example, you have started a company data wipe action for a device, but the device or user can still access the corporate mail from the device. Intune admin can directly search for the user from the Intune troubleshooting session and get all the user’s device details. Once the device is identified, you can check the following information about it.

Device name, Managed by, Azure AD join type, Ownership, Intune compliant, Azure AD compliant, OS, OS version, and Last check-in.

How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Fig.4

Last Check-In details are essential in this device retirement or company data wipe troubleshooting scenario. The last check-in details tell you when the device last contacted the Intune service. You can check the Company Data Removal action, Factory reset details, and their status from the Intune troubleshooting blade.
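The check an admin is really doing in the wipe scenario above is comparing the time the Company Data Removal was issued with the device’s last check-in: a wipe issued after the last check-in cannot have reached the device yet, so the data is still there. The following is an added example (not code from this post or from Microsoft) that applies that comparison, plus a stale check-in and compliance check, to a constructed list of device records. The field names mirror the columns listed above but are this example’s own, not the Intune portal or Graph API schema, and the seven-day staleness threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


# Field names mirror the device columns the post lists (Device name, Managed by,
# Ownership, Intune compliant, OS, Last check-in). They are this example's own
# names, not the Intune portal or Graph API schema.
@dataclass
class DeviceRecord:
    device_name: str
    managed_by: str
    ownership: str
    intune_compliant: bool
    os: str
    last_check_in: datetime                     # timezone-aware UTC
    wipe_issued_at: Optional[datetime] = None   # when Company Data Removal was started, if at all


def wipe_is_pending(dev: DeviceRecord) -> bool:
    """A wipe issued after the device's last check-in cannot have reached the device yet."""
    return dev.wipe_issued_at is not None and dev.last_check_in < dev.wipe_issued_at


def is_stale(dev: DeviceRecord, now: datetime, max_age: timedelta) -> bool:
    """True when the device has not contacted the Intune service within max_age."""
    return now - dev.last_check_in > max_age


def triage(devices: List[DeviceRecord], now: datetime,
           max_age: timedelta = timedelta(days=7)) -> Dict[str, List[str]]:
    """Map device name -> list of reasons the admin should look at that device."""
    findings: Dict[str, List[str]] = {}
    for dev in devices:
        reasons = []
        if wipe_is_pending(dev):
            reasons.append("wipe issued after last check-in: action still pending, "
                           "corporate data may remain on the device")
        if is_stale(dev, now, max_age):
            age_days = (now - dev.last_check_in).days
            reasons.append(f"last check-in {age_days} days ago")
        if not dev.intune_compliant:
            reasons.append("device reported as not compliant")
        if reasons:
            findings[dev.device_name] = reasons
    return findings


# Constructed sample data (not real tenant data); a fixed "now" keeps the demo deterministic.
SAMPLE_NOW = datetime(2021, 3, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    # wipe issued on 5 March, but the device last checked in on 1 March: wipe still pending
    DeviceRecord("ANOOP-ANDROID", "Intune", "Personal", True, "Android",
                 last_check_in=datetime(2021, 3, 1, 0, 0, tzinfo=timezone.utc),
                 wipe_issued_at=datetime(2021, 3, 5, 10, 0, tzinfo=timezone.utc)),
    # same wipe time, but this device checked in afterwards: wipe has been delivered
    DeviceRecord("ANOOP-IOS", "Intune", "Personal", True, "iOS",
                 last_check_in=datetime(2021, 3, 9, 20, 0, tzinfo=timezone.utc),
                 wipe_issued_at=datetime(2021, 3, 5, 10, 0, tzinfo=timezone.utc)),
    # no wipe, recent check-in, but reported non-compliant
    DeviceRecord("ANOOP-WIN10", "Intune", "Corporate", False, "Windows",
                 last_check_in=datetime(2021, 3, 8, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DEVICES, SAMPLE_NOW).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it lists ANOOP-ANDROID with two reasons (pending wipe, nine days since check-in) and ANOOP-WIN10 with the compliance reason only; ANOOP-IOS produces no finding because its check-in came after the wipe was issued.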

[Related Posts – How to Troubleshoot Windows 10 Intune MDM Issues]

The Intune Troubleshooting Blade is a one-stop shop for all the troubleshooting activities related to Intune device management, compliance policies, configuration profile deployments, etc.

How Do You Raise a Free Intune Support Case for Intune Issues?

Microsoft provides an option to raise a support case for Intune issues from the Intune MEM admin center portal’s Help and Support tab. The charges for these support cases are directly linked to your Intune subscription contract.

There is an option to raise an Intune support case with Microsoft’s exclusive contract. I recommend using premier contract support for high-impact Intune issues and if you need immediate help.

How to Start Troubleshooting Intune Issues Fix Intune Issues with Easy Steps – Fig.5

Severity options are essential while raising an Intune support case. Select the severity based on the impact of the issue; the response time varies with the severity chosen. There are three categories, as you can see below:

  • C – Minimal Impact – The issue impacts only a few users, devices, etc.
  • B – Moderate Impact – These issues can become critical in a couple of days if they aren’t resolved ASAP.
  • A – Critical Impact – Priority issues that are impacting a whole lot of users

[Related Posts – How to Troubleshoot Windows 10 Intune MDM Issues]

References

  • How to get support for Microsoft Intune – here
  • How to Troubleshoot Windows 10 MDM Policy Deployments – here
  • Intune Support Case Severity Levels and Response time – here

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Schedule iOS Automatic Updates Using Intune Policies

Let’s discuss how to Schedule iOS Automatic Updates Using Intune Policies. Do you have supervised iOS devices managed through Intune?

If so, you may know that iOS software updates are force-installed on supervised iOS devices. Intune has a new policy to prevent or delay these forced updates.

This option will also give more granular control over iOS software updates. This post will discuss how to Prevent iOS Automatic Updates Using Intune Policies.

New options have been added to the automatic iOS and iPad OS updates. The following are the exciting options available for this update.

  • Update policy schedule settings
    • Update During the scheduled time
    • Updates Outside the scheduled time

If you are looking for Windows 10 update ring policies with Intune, I have a blog post titled “How to Setup Windows 10 Software Update Policy Rings in Intune Azure Portal.”

How to Create iOS Software Update Policies in Intune? iOS Automatic Updates Using Intune

This Intune policy will help delay iOS automatic updates. iOS devices should be part of the Apple DEP program and managed through supervised mode. Create a profile to force assigned devices to automatically install the latest iOS/iPadOS updates.

These settings determine how and when software updates deploy. This profile doesn’t prevent users from updating the OS manually, which can be controlled for up to 90 days with a device configuration restriction policy. Updates will only apply to devices enrolled through Apple’s Automated Device Enrollment (ABM or ASM).

How to Create iOS Software Update Policies in Intune
  • Login to the MEM Admin Center portal
  • Navigate to Devices – iOS/iPad Update Policies (Update policies for iOS/iPadOS)
  • Click on + Create update policy
  • From the Update Policy Settings page for iOS/iPad OS update, choose the version of iOS/iPadOS to install on devices at the time of update
How to Schedule iOS Automatic Updates Using Intune Policies – Table 1

You can create a new policy with a proper name and description of the policy. This policy will prevent iOS Automatic Updates from forcefully getting installed on supervised iOS devices.

How to Schedule iOS Automatic Updates Using Intune Policies – Fig.1

Update Policy Schedule Settings for iOS/iPad OS Devices

Update policy schedule settings: By default, when an iOS/iPadOS Software Updates policy is assigned to a device, Intune deploys the latest updates at device check-in (approximately every 8 hours).

You can instead create a weekly schedule with customized start and end times. If you choose to update outside the scheduled time, Intune won’t deploy updates until the scheduled time ends.

  • Select Type and Schedule for iOS update (When the updates will occur. Additional input is required to schedule updates during or outside of scheduled times)
    • Update at next check-in
    • Update During the scheduled time
    • Update Outside of the scheduled time
How to Schedule iOS Automatic Updates Using Intune Policies – Fig.2

Update during the scheduled time stops updates from being installed at a random time. By configuring this policy, you can delay the automatic iOS software update on the device.

Weekly Schedule -> TimeZone, Start Day, Start Time, End Day, End Time

You can select the Time zone, Date, and time for iOS/iPad OS updates. Select the time zone of the targeted devices – In this section, you must select the Time Zone of the devices you want to target for this policy. For the India Time Zone, I selected UTC+5:30.

Start Time – Select the beginning of the interval to stop iOS software updates from installing on supervised iOS devices. You usually don’t want to install software updates on iOS devices during business hours. This will help you schedule iOS phone updates via Intune policies.

End Time – Select the end of the interval to stop iOS software updates from installing on supervised iOS devices.

Start Day of the update: you can select any day of the week, from Sunday to Saturday, as the start day. End Day: select any day between Sunday and Saturday on which the iOS/iPadOS update window ends.

How to Schedule iOS Automatic Updates Using Intune Policies – Fig.3

You can select the iOS/iPad updates outside the scheduled time. You must set a scheduled time when you don’t want this update to happen on iOS devices. The update will be initiated outside the scheduled time configured below.
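To see how the three schedule types interact with the time zone, start day/time and end day/time fields described above, here is an added example (not code from this post or from Microsoft) that models the weekly window and decides, for a device check-in at a given UTC instant, whether an update would be pushed under each type. The policy-type strings, the class and function names, and the treatment of the window as one continuous interval that may wrap past Saturday night are this example’s assumptions; the UTC+5:30 zone comes from the post, and the second UTC-8 fleet is constructed only to illustrate the post’s point that the time zone set in the policy must match the devices it targets.

```python
from datetime import datetime, time, timedelta, timezone

# Days in the order the policy offers them (Sunday to Saturday).
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
MINUTES_PER_DAY = 24 * 60

# Schedule types as labelled in the post; the string values are this example's own.
AT_NEXT_CHECKIN = "Update at next check-in"
DURING_WINDOW = "Update during the scheduled time"
OUTSIDE_WINDOW = "Update outside of the scheduled time"


class WeeklyWindow:
    """One continuous interval from start day/time to end day/time in the device time zone.

    Assumption: the interval is contiguous (it spans the nights in between) and wraps
    from Saturday into the following week when the end lies before the start.
    """

    def __init__(self, tz: timezone, start_day: str, start: time, end_day: str, end: time):
        self.tz = tz
        self.start = DAYS.index(start_day) * MINUTES_PER_DAY + start.hour * 60 + start.minute
        self.end = DAYS.index(end_day) * MINUTES_PER_DAY + end.hour * 60 + end.minute

    def minute_of_week(self, instant: datetime) -> int:
        """Convert a UTC instant to minutes since Sunday 00:00 in the window's time zone."""
        local = instant.astimezone(self.tz)
        day_index = (local.weekday() + 1) % 7   # Python counts Monday=0; the policy counts Sunday=0
        return day_index * MINUTES_PER_DAY + local.hour * 60 + local.minute

    def contains(self, instant: datetime) -> bool:
        t = self.minute_of_week(instant)
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window wraps past Saturday night


def update_allowed_at_checkin(policy_type: str, window: WeeklyWindow, checkin: datetime) -> bool:
    """Would the update be pushed at this device check-in under the given schedule type?"""
    if policy_type == AT_NEXT_CHECKIN:
        return True
    if policy_type == DURING_WINDOW:
        return window.contains(checkin)
    if policy_type == OUTSIDE_WINDOW:
        return not window.contains(checkin)
    raise ValueError(f"unknown schedule type: {policy_type}")


# Constructed sample: UTC+5:30 as in the post, business hours Monday 09:00 to Friday 18:00.
IST = timezone(timedelta(hours=5, minutes=30))
PST = timezone(timedelta(hours=-8))   # a second, constructed fleet to show the time-zone effect
BUSINESS_HOURS_IST = WeeklyWindow(IST, "Monday", time(9, 0), "Friday", time(18, 0))
BUSINESS_HOURS_PST = WeeklyWindow(PST, "Monday", time(9, 0), "Friday", time(18, 0))
WEEKEND_IST = WeeklyWindow(IST, "Friday", time(18, 0), "Monday", time(9, 0))   # wraps the week

# Constructed check-in instants (UTC). 2021-03-10 is a Wednesday.
CHECKIN_WED = datetime(2021, 3, 10, 4, 0, tzinfo=timezone.utc)         # Wed 09:30 IST
CHECKIN_FRI_LATE = datetime(2021, 3, 12, 12, 45, tzinfo=timezone.utc)  # Fri 18:15 IST / Fri 04:45 PST
CHECKIN_SAT = datetime(2021, 3, 13, 4, 0, tzinfo=timezone.utc)         # Sat 09:30 IST

if __name__ == "__main__":
    for label, instant in [("Wed", CHECKIN_WED), ("Fri late", CHECKIN_FRI_LATE), ("Sat", CHECKIN_SAT)]:
        print(label,
              "| IST fleet, outside-window policy deploys:",
              update_allowed_at_checkin(OUTSIDE_WINDOW, BUSINESS_HOURS_IST, instant),
              "| PST fleet, same policy deploys:",
              update_allowed_at_checkin(OUTSIDE_WINDOW, BUSINESS_HOURS_PST, instant))
```

The Friday 12:45 UTC check-in is the instructive case: for the IST fleet it is 18:15, already outside business hours, so an "outside the scheduled time" policy pushes the update, while a UTC-8 device at the same instant is still mid-morning and gets nothing. That is why a single policy with one time zone cannot serve devices spread across zones.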

How to Schedule iOS Automatic Updates Using Intune Policies – Fig.4

How to Deploy or Assign Intune iOS Software Update Prevention Policy?

Once the Intune iOS Automatic Updates prevention Intune Policy is created, you can start assigning this policy to Azure AD Device groups. Deploy Updates Prevention Policy to iOS Devices. 

Select Assignments—Click on Select Groups to find the appropriate Azure AD group to target the iOS update prevention policy. Once the policy is deployed to devices, the iOS software update will be postponed.

Be careful about the policy settings while targeting the AAD device groups. In the policy configuration, there is an option to set the devices’ time zone. Time zone configuration in this policy is a bit tricky.

It seems we need to segregate devices according to their time zones. I have not tested this, but it is my assumption regarding this policy setting. Learn how To Create Azure AD Dynamic Groups For Managing Devices Using Intune.

Reporting options for iOS update policies in Intune are coming soon.

How to Schedule iOS Automatic Updates Using Intune Policies – Video 1

How to Block Windows Devices from Enrolling to Intune

Let’s discuss how to block Windows devices from enrolling in Intune. I have seen a scenario where Intune exclusively manages iOS and Android devices.

Windows devices are managed through SCCM and must be disabled or prevented from enrolling in Intune. We can achieve this with new Intune Enrollment restriction policies. I have a blog post explaining “How to Use Intune Enrollment Restriction Rules“.

This post covers everything you need to know about stopping Windows devices from enrolling in Intune. It explains each step clearly so you can understand it easily. Whether you’re just starting out or want to improve your setup, this post will guide you through keeping your devices out of Intune’s management system.

I tested Windows 10 enrollment to Intune via “Add Work or School Account.” This was tested successfully before restricting Windows 10 devices from the Intune console. Check out the following message after the Windows 10 device is successfully enrolled. More details are in the video below.

How to Restrict Windows 10 Devices from Intune Management

This video provides a step-by-step guide on restricting Windows 10 devices from being managed through Intune. It covers all the necessary details, including the settings and configurations required to ensure proper restriction.

How to Block Windows Devices from Enrolling to Intune – Video 1

Add Work or School Account

“We’ve added your account successfully, and you can now access your organization’s apps and Services. The last step is setting up your new PIN to unlock this device.”

How to Block Windows Devices from Enrolling to Intune – Fig.1

Change the Intune Device Enrollment Policy to Restrict Windows Device

Navigate through the new Azure portal: Microsoft Intune – Device Enrollment – Enrollment restrictions. You will see two Intune enrollment restriction policies: 1. Device Type Restrictions and 2. Device Limit Restrictions. Device Type Restrictions is where we can restrict Windows (8.1+) devices from enrolling in Intune.

This policy will prevent Windows 8.1 and later devices from Intune management and restrict Windows 10 device enrollment. Windows 10 mobile devices will also be blocked when we configure this policy.

How to Block Windows Devices from Enrolling to Intune – Fig.2

End-User Experience of Windows 10 Device Restriction

I successfully added a Work or School account to a Windows 10 1703 device. The one change I noticed through the enrollment process is that it didn’t prompt for MFA. After this enrollment, the message I received differed from the one I got above.

We’ve successfully added your account, and you can access your organization’s apps and Services. Moreover, the machine was NOT available in the company portal application under the “My Devices” list. So, the device enrollment never failed as I expected. The device was enrolled without any error.

However, the main question is whether this device would be managed via Intune. Did the device receive Intune policies? The answer is in the paragraph below.

How to Block Windows Devices from Enrolling to Intune – Fig.3

Experience on Azure – Intune Portal for Windows 10 Restriction

The enrolled Windows 10 device was NOT listed in Intune – All Devices (Microsoft Azure – Microsoft Intune – Devices – All Devices). However, the device was listed in Azure AD, as shown in the video tutorial.

The Windows 10 device was listed under Azure AD against the user’s devices (Microsoft Azure—Users and groups—All users > Kaith Nair). But, as you can see in the screenshot below, the Windows device is NOT MANAGED by INTUNE.

Hence, the device won’t receive any Intune policies or be managed through Intune. It also won’t have access to corporate mail, SharePoint, OneDrive, and Skype for Business.

NAME | ENABLED/DISABLED | PLATFORM | TRUST TYPE | IS COMPLIANT | MANAGED BY
Windows10_BYOD | Enabled | Windows 10.0.15063.0 | Workplace | None | None
How to Block Windows Devices from Enrolling to Intune – Table 1
How to Block Windows Devices from Enrolling to Intune – Fig.4

References

  • Set Intune enrollment restrictions policies – here
  • How to configure device restriction settings in Microsoft Intune – here
