Microsoft Intune is the SaaS solution provided by Microsoft. Microsoft Intune is a cloud-based desktop and mobile device management tool. This supports Mac OS, iOS, Android, and Windows 10. This cloud solution is used as a modern management tool.
This MDM solution can be integrated with SCCM, Azure AD, and Active Directory. This place gives you a great opportunity to learn Microsoft Intune and become an expert with Intune.
This solution can be used to deploy UWP applications, Security policies, Configuration policies, WiFi profiles, PKI certificates, and so on.
This solution is future-proof. When you take a look at the Desktop (43.29%) Vs. Mobile (52.29%) Vs. Tablet (4.42%) Market Share Worldwide for the last year, you can see that mobile devices are the leaders. So, Mobile Device Management is very critical, and this is a new world of opportunities for IT Pros like us. From my perspective, learning this solution is very important for SCCM admins.
Intune is an enterprise mobility management (EMM) solution from Microsoft. The EMM provider helps to manage mobile devices, network settings, and other mobile services and settings. This solution is nothing but a combination of Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.
Additionally, this solution has a feature called compliance policy, which can be integrated with the Azure AD “Conditional Access” policy to restrict access to company resources.
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager?
A clean Intune environment always gives us better deployment results, and one of the important steps to keep your environment clean is explained in this post.
This is not the only way to keep your Intune environment clean. Rather you should have regular sanity checks for your environment to ensure that you don’t have duplicate copies of policies and applications.
Moreover, you should avoid duplicate deployments of policies and applications. Duplicate deployments of policies can cause conflicts and could result in unexpected results.
We SCCM admins are familiar with the process of deleting and removing a device in SCCM and Microsoft Intune. However, we are not always sure whether removing a device from SCCM also automatically removes that device record from on-prem Active Directory.
Introduction – How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune
The removal or deletion of a device or machine from Active Directory is not SCCM’s responsibility, and this should be handled separately by on-prem Active Directory.
So how are these operations handled in the modern device management world in terms of Intune SA (or SCCM Hybrid) and Azure Active Directory? In most cases, I have not seen that when you retire and delete a device from Intune, that device record will automatically get purged from Azure Active Directory (AAD).
To have better results for your Compliance/configuration policy and application deployments in the modern device management world, we should ensure a clean environment with clean Azure AD.
You can get a better understanding of this issue from the above video tutorial.
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Fig.1
How to Delete Clean Tidy Intune Azure Active Directory?
In the above example, Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check for the devices assigned against my account, you can see there are a total of 3 devices, and all the 3 devices have been shown as managed by Intune.
The data reflected in Azure Active Directory is not accurate. I’m not saying this scenario will happen every time. I’ve seen some devices automatically get removed from Intune and AAD.
I suppose we should have a better accuracy/sync between Intune and Azure AD databases. I don’t see a scheduled task in Azure AD to purge the deleted records from Microsoft Intune. I’m not sure whether this is coming in the near future or not.
To ensure better results for Intune device management policies, when you delete a device from Intune, you should make sure that the device record is removed from Azure AD. I’m planning to post a video tutorial showing how to delete a device from Azure AD to have a clean and tidy environment.
| Name | Enabled/Disabled | Platform | Trust Type | Is Compliant | Managed by |
|---|---|---|---|---|---|
| DESKTOP-LNK7273 | Disabled | Windows 10.0.1439 | AzureAd | True | Intune |
| DESKTOP-213GHPA | Enabled | Windows 10.0.1439 | AzureAd | True | Intune |
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Table 1
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Fig.2
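The comparison described above (Azure AD device objects that no longer have an Intune record behind them) can be scripted. The following is an added example, not code from the original post: the function name `Find-StaleAadDevice`, every device ID, the third device name, and the choice of which device is still in Intune are constructed for illustration, and the property names follow the objects returned by the Microsoft Graph PowerShell SDK cmdlets `Get-MgDevice` and `Get-MgDeviceManagementManagedDevice`.

```powershell
# Added example: report Azure AD device objects with no matching Intune record.
# Runs offline on the constructed sample data at the bottom.

function Find-StaleAadDevice {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MgDevice output (DeviceId, DisplayName, ...)
        [Parameter(Mandatory)] [object[]] $AadDevice,
        # Objects shaped like Get-MgDeviceManagementManagedDevice output
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $IntuneDevice
    )

    # Index the Intune records by the Azure AD device ID each one points at.
    $managedIds = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in $IntuneDevice) {
        if ($d.AzureAdDeviceId) { [void]$managedIds.Add($d.AzureAdDeviceId) }
    }

    foreach ($a in $AadDevice) {
        if (-not $managedIds.Contains($a.DeviceId)) {
            [pscustomobject]@{
                DisplayName    = $a.DisplayName
                DeviceId       = $a.DeviceId
                AccountEnabled = $a.AccountEnabled
                IsCompliant    = $a.IsCompliant
                # An orphaned object that is still enabled and still reports
                # compliant is the one a compliance-based Conditional Access
                # policy would keep trusting, so review it first.
                ReviewFirst    = [bool]($a.AccountEnabled -and $a.IsCompliant)
            }
        }
    }
}

# --- Constructed sample data (device IDs are made up) ---------------------
$aad = @(
    [pscustomobject]@{ DisplayName = 'DESKTOP-LNK7273'; AccountEnabled = $false
                       IsCompliant = $true; DeviceId = '11111111-1111-1111-1111-111111111111' }
    [pscustomobject]@{ DisplayName = 'DESKTOP-213GHPA'; AccountEnabled = $true
                       IsCompliant = $true; DeviceId = '22222222-2222-2222-2222-222222222222' }
    [pscustomobject]@{ DisplayName = 'DESKTOP-SAMPLE3'; AccountEnabled = $true
                       IsCompliant = $true; DeviceId = '33333333-3333-3333-3333-333333333333' }
)
# Assumption for the sample: only DESKTOP-213GHPA is still present in Intune.
$intune = @(
    [pscustomobject]@{ DeviceName = 'DESKTOP-213GHPA'
                       AzureAdDeviceId = '22222222-2222-2222-2222-222222222222' }
)

# Against a real tenant, replace the sample arrays with:
#   $aad    = Get-MgDevice -All
#   $intune = Get-MgDeviceManagementManagedDevice -All
Find-StaleAadDevice -AadDevice $aad -IntuneDevice $intune |
    Sort-Object ReviewFirst -Descending |
    Format-Table -AutoSize
```

The script only reports; removing the listed objects from Azure AD remains a deliberate, separate step after the list has been reviewed.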
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
This blog post teaches you how to Troubleshoot Windows 11 10 Intune MDM Issues. There are several options to troubleshoot, and some of them are explained here.
Windows 11 or 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you use Intune or SCCM + Intune hybrid to manage Windows 10 machines, all the management policies are deployed through the MDM channel. This post is a Windows 10 MDM Troubleshooting Guide.
There could be many ways to troubleshoot Windows 10 MDM issues while using Microsoft Intune to deploy policies to those devices. In this post, I will share the 3 easy ways to start MDM troubleshooting. Yes, it’s different from the SCCM/ConfigMgr client’s way of troubleshooting, as there are no log files for the MDM client.
The MDM client is built into the Windows 10 operating system, and event logs are the best place to troubleshoot Windows 10 MDM issues. The 3rd way mentioned in this post is very easy for me and IT Pros to understand and start Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips, as you can see above.
For example, if an Intune policy is deployed to a Windows 10 machine but is not getting applied, how do we start troubleshooting? First, we need to understand Windows 10 management architecture.
The following is the high-level architecture diagram for Windows 10 management. If we know this high-level architecture, troubleshooting Windows 10 MDM issues will be easy. This post will help us as a Windows 10 MDM Troubleshooting Guide.
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.1
Video Tutorial – Windows 10 MDM Troubleshooting Guide
Windows 10 MDM Troubleshooting Guide video tutorial to help IT Pros! This video teaches you how to fix problems with Windows 10 MDM (Mobile Device Management) using the registry, WMI (Windows Management Instrumentation), and Event Logs.
It breaks down troubleshooting into simple steps, showing you how to identify and solve issues with your device management. You can learn to resolve common problems efficiently by following along with the video.
How to Troubleshoot Windows 11 10 Intune MDM Issues – Video 1
Event logs on Windows 10 machines are the best place to start troubleshooting MDM-related issues. As the screen capture below shows, the details of MDM and device management issues are in the event logs under Microsoft->Windows->DeviceManagement->Enterprise-Diagnostics-Provider/Admin. When the machine is Workplace Joined or AAD joined, all the events related to Intune/SCCM policies are recorded in this event log section.
AAD event logs are also very useful for Windows 10 MDM issues, and you can check the following location for AAD-related event logs: “Microsoft-Windows-AAD/Operational”. Event logs are an integral part of the Windows 10 MDM Troubleshooting Guide.
The event logs are the best way to troubleshoot Windows 10 MDM issues. You will get the detailed status of Intune or SCCM hybrid policies from event logs. Each entry in those event logs will tell you whether or not the deployed policies have reached the machine and been applied on it. There is also a way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from Windows 10 settings – connect to the work or school page.
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.2
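For a first pass over the two event log channels named above without clicking through Event Viewer, the following added example (not from the original post) summarises recent warnings and errors per event ID. The function name `Get-MdmEventSummary` and the 24-hour default window are choices made for this example.

```powershell
# Added example: summarise warnings and errors from the MDM and AAD channels.
$MdmChannels = @(
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
    'Microsoft-Windows-AAD/Operational'
)

function Get-MdmEventSummary {
    [CmdletBinding()]
    param(
        [string[]] $LogName = $MdmChannels,
        [int] $Hours = 24          # look-back window; 24 is an arbitrary default
    )

    $since = (Get-Date).AddHours(-$Hours)

    foreach ($log in $LogName) {
        # Event levels: 1 = Critical, 2 = Error, 3 = Warning
        $filter = @{ LogName = $log; Level = 1, 2, 3; StartTime = $since }
        try {
            $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error both when the channel is missing
            # and when no event matches the filter; record it and move on.
            Write-Verbose "$log : $($_.Exception.Message)"
            continue
        }

        # One output row per event ID, most frequent first.
        $events | Group-Object -Property Id | Sort-Object Count -Descending | ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                LogName     = $log
                EventId     = $_.Name
                Level       = $latest.LevelDisplayName
                Count       = $_.Count
                LastSeen    = $latest.TimeCreated
                # First line of the message is usually enough to spot the policy area
                LastMessage = ($latest.Message -split "`r?`n")[0]
            }
        }
    }
}

Get-MdmEventSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it with `-Verbose` to see which channel returned nothing; an empty result for the DeviceManagement channel on an enrolled device means no warning or error was logged in the window.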
Troubleshoot Windows 10 with WMI Explorer
WMI Explorer way of Checking whether the Policy Settings are Applied or Not
WMI Explorer is the best tool to check the MDM policies and confirm whether those settings are applied on the Windows 10 system or not. As you can see in the following screen capture, this is how to check whether MDM policies are correctly applied to a Windows 10 machine.
I have deployed the Windows Defender policy from Intune to this Windows 10 machine, and you can use WMI explorer to find out whether these policies are applied on the machine or not. Again, when you start troubleshooting, the best place to begin with is event logs.
We can also check this via WBEMTEST, but we may need to start WBEMTEST from the system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) have been applied to a machine.
Registry way of Checking Windows 10 MDM Policy Settings
Troubleshoot Windows 10 with Registry Entries
The 3rd and easiest way to check whether the MDM policies are applied to a Windows 10 machine is the registry. The registry location where you can find MDM policy settings on a Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers
In the screen capture below, you can see the Windows Defender settings I applied to Windows 10 machines through Intune policies. The only caveat of this method is that we need to find a way to decode each provider GUID (CLSID Key?) related to MDM policies. Following are some extracts from my Windows 10 machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi
Steps
System > Power Management > Button Settings
Select the Start menu Power button action (on battery)
Select the Start menu Power button action (plugged in)
Select the Start menu Power button action (plugged in)
Enabled – Select the Start menu Power button action (on battery).
How to Troubleshoot Windows 11 10 Intune MDM Issues – Table 1
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.3
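The registry check above can be done in one pass instead of key by key. This is an added example, not code from the original post: it walks every provider GUID under PolicyManager\Providers and lists the settings stored beneath it. The function name `Get-MdmProviderSetting` is made up for the example, and the lookup of a `ProviderID` value under HKLM\SOFTWARE\Microsoft\Enrollments\<same GUID> is an assumption about where an MDM enrollment records its provider name; GUIDs without such a key are listed with an empty label.

```powershell
# Added example: dump the settings stored under each MDM policy provider GUID.
$ProvidersRoot   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers'
# Assumption: an MDM enrollment keeps a key named after the same GUID here,
# with a ProviderID value that names the management server.
$EnrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmProviderSetting {
    [CmdletBinding()]
    param([string] $Root = $ProvidersRoot)

    if (-not (Test-Path -Path $Root)) {
        Write-Warning "$Root not found; no MDM policy providers on this device."
        return
    }

    foreach ($provider in Get-ChildItem -Path $Root) {
        $guid = $provider.PSChildName

        # Try to put a readable label on the GUID (stays empty if no match).
        $label = $null
        $enrollKey = Join-Path -Path $EnrollmentsRoot -ChildPath $guid
        if (Test-Path -Path $enrollKey) {
            $label = (Get-ItemProperty -Path $enrollKey).ProviderID
        }

        # Every subkey below the provider is a policy area (for example Defender);
        # every value in it is a setting that provider delivered.
        $keys = Get-ChildItem -Path $provider.PSPath -Recurse -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    ProviderGuid = $guid
                    ProviderId   = $label
                    # Path relative to the provider GUID
                    Path         = $key.Name -replace '^.*\\Providers\\[^\\]+\\', ''
                    Setting      = $name
                    Value        = $key.GetValue($name)
                }
            }
        }
    }
}

Get-MdmProviderSetting |
    Sort-Object ProviderGuid, Path, Setting |
    Format-Table -AutoSize
```

Comparing this output before and after a policy sync shows which settings a given deployment actually wrote to the device.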
Troubleshoot Windows 10 with MDMDiagReport
These GUID IDs can be found in the MDMDiagReport.xml file, and this XML can be decoded into HTML file MDMDiagReport.html using the tool.
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.4
Let’s discuss the Intune Starter Kit, a Helping Hand for IT pros who want to learn Intune. Loads of people requested a starter kit for Intune, as I have one for the SCCM 2012 starter kit, and the SCCM 2012 starter kit page was handy for the community (I think that is why people are requesting the Intune Starter Kit).
This post will mainly concentrate on Intune standalone (not Intune Hybrid and Office 365 Intune MDM). In most cases, there is no need/very minimal need for on-prem infrastructure if you go with Intune standalone and all the other cloud components like Azure Active Directory, Office 365, etc. I’ll keep adding new things to this page. This is just starting 😉
I started working with Intune in the latter part of 2012, and Microsoft Intune has evolved a lot over the years. In 2013, I started a post called “Microsoft Intune Wiki” (most of the links are outdated, but it’s worth going through if you want to see how Intune was).
We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
What is Microsoft Intune?– Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune
Intune is Microsoft’s enterprise mobility management (EMM) solution. The EMM provider helps manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune combines Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.
Additionally, Intune has features where admins can create a “Conditional Access” policy to get access to company resources. Intune will provide access to company or corporate resources (corporate mail, SharePoint, etc.) only if the devices meet those conditions.
Previously, I mentioned Microsoft Intune as a lighter version of SCCM or ConfigMgr in the cloud. However, I don’t want to make it so simple this time. Intune architecture is entirely cloud-based and agile. To get a more detailed idea about Intune (Yes, this video is old and outdated in some parts as Intune evolved along with Microsoft’s Enterprise Mobility and Security (EMS).
I’m going to explain this in a slightly different way. Let me know if this is confusing. We can manage devices with an Intune client agent and arguably without one. For example, Intune company portal application(s) in different app stores like Google Play and Apple Store are Intune client agents.
So, when you install the Intune company portal onto your Android or iOS devices, you are doing agent-based management. Also, the Microsoft Intune client MSI can be downloaded once you have a valid Intune subscription. You can download and install it on Windows machines that you want to manage.
I have an old post (published in Dec 2012) here to help you understand the basics of Intune MSI agent installation. Once you install the Intune MSI agent on Windows machines, Intune will “fully manage” those machines.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.1
So, what is arguably agent-less Intune management? Windows 10 has an in-built (native) MDM agent as part of the operating system. We can enrol Windows 10 devices in Intune using this in-built native MDM agent. In this scenario, we must use the Intune company portal to install applications like a shopping cart.
So, the Intune company portal does not act as an Intune agent in native MDM enrolment scenarios. Native MDM-managed devices are arguably NOT fully managed devices (at this point). I’m sure this will change sooner or later. The Windows 10 in-built MDM agent can enrol your Windows 10 devices in any other MDM management software, such as VMware Airwatch, Mobileiron, etc.
Enrolled via the Intune company portal.
Enrolled via Installation of Intune MSI client.
Enrolled via Windows 10 1607 and above in build Azure AD join and MDM enrolment.
MAM without MDM enrolment.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.2
How Do you Get an Intune Account and Start Working/Testing with Intune?
Download the Microsoft EMS step-by-step guide from here. This guide will help you get a free trial version of Office 365, Azure AD, and Intune subscription. If you already have an Azure AD (Azure AD premium) subscription, things are straightforward, as I posted in the blog here.
Suppose you don’t have an Azure AD subscription. It is better to start with an Enterprise Mobility Suite (EMS) trial account, an Azure Free Trial Account (an Azure trial account is already created as an EMS trial account), and an Office 365 free trial subscription. Creating a NEW outlook.com account and getting ready with credit card details to activate the Azure trial subscription is better for getting these trial accounts.
Getting a trial version of Azure AD, Office 365, and Intune is very straightforward if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test all its features.
Note: Intune can also be signed up separately from here. If you want to test only Intune now, this is the way to go.
How to Start using Microsoft Intune Console
Once you have completed the subscription steps, you can log in to the Microsoft Intune (http://manage.microsoft.com/) portal (Silverlight is necessary for the Intune console to work). Internet Explorer with the Silverlight plugin is the best internet browser for the Intune console.
However, the Intune console will work on any internet browser that can add Silverlight as a plugin. It might even work without the Silverlight plugin, and I would love to see this soon.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.3
How Do you Select the MDM Authority from the Intune Console?
MDM authority and management options are significant to me. Please note that you won’t be able to change it once you set MDM (Mobile Device Management) authority to Intune in the following place at the Intune console.
To change Intune MDM authority, you must raise a ticket with CSS or a service request via the Intune/Office 365 portal. So be very careful when you click on any links on the following page at the Intune console.
What Types of Management Authority Do We have for Intune?
Microsoft Intune
Configuration Manager (SCCM)
Office 365 (lightweight Intune)
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Table 1
Quick question: Do I need to re-enrol devices if the MDM authority is changed from o365 MDM to Intune MDM? It works without re-enrolment of devices; it is just a compliance check, and everything looks okay on the device. I heard it’s supported, as both use Intune for MDM.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.4
How to Start Managing Windows/iOS /Android Devices with Intune?
Managing Windows devices is very straightforward. Yes, Windows 10 management is very straightforward; earlier, we needed side loading and key SEP certificates to manage/deploy apps for Windows and Windows Phone devices.
Most of these certificates and sideloading essential requirements have been removed for most scenarios. Managing Android devices is also very straightforward. It takes 10 minutes to sync your Windows Store for Business and Microsoft Intune. More details are provided in the post “Integrate Windows Store for Business” here.
If you want to install store apps without using a Microsoft account, read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.
However, iOS\MAC OS device management has certificate requirements, and we need to go to the Apple portal, upload your cert for the tenant, and get the certificate for your Intune tenant.
The process for SCCM CB is explained in the following video, but the process is similar for Intune. More details are in the Microsoft document specifically for Intune, here.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Video 1
How Do I Deploy MSI Applications to Windows PCs using Intune?
Like SCCM, Intune can also deploy different applications to other devices. The types of applications that Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, and APPX—APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or applications available to devices via three methods.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.5
1. Software Installer – select the type of software you want to install
2. External Link – this can be used for deploying the applications in the Google Store via deep linking
3. Managed iOS apps from Apps Store – this can be used to deploy the apps in the Apple Store via the deep linking method
Creating policies in Intune is another crucial step in configuring and managing devices through Intune. The following is the list of policies you can create and deploy via Intune.
Configuration Policies
Compliance Policies
Dynamics CRM Online Conditional Access Policy
Exchange Online Conditional Access Policy
Exchange On-premises Conditional Access Policy
SharePoint Online Conditional Access Policy
Skype for Business Online Conditional Access Policy
MAM Application Policy
MAM Browser Policy
What is the difference between the Intune Configuration and Intune Compliance Policy? You can see similar settings in compliance and configuration policies in some cases. So, what is the exact difference? Compliance policy works with conditional access policies; however, configuration policies are independent of conditional access. Compliance policies can deploy ONLY to USERS, whereas Configuration policies can be deployed to Devices and Users.
The Following Video will Explain How to Create and Deploy Intune Compliance Policies from the Console.
Compliance policy won’t force the device to change its configuration; rather, it will wait until the device enters the compliance stage to provide access to company resources like mail/SharePoint (in case a Conditional access policy is set). The configuration policy forces the device or user to change the configuration setting mentioned in the policy (which is arguably not true in all scenarios).
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Video 2
What are MAM (Mobile Application Management) Policies?
Mobile Application Management policies are application-specific policies you can set up via Intune. What is the difference between configuration, Compliance policies, and MAM policies? Configuration and Compliance policies are for the entire device. It applies to everything on the device. MAM policies will be used only for the application with which it’s associated.
Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune – Fig.6
What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?
This is another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment? These are Mobile Application Management policies without enrolling in Intune. They help secure corporate data using BYOD/personal devices to access corporate mail, SharePoint, etc.
Why is the Intune option visible in the Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins. We are getting new features in Intune. This time, it’s Intune MAM (Mobile Application Management) without MDM enrolment.
For complete mobile device management, we must use the original Intune portal (https://manage.microsoft.com). Forums and other communities regularly asked whether Intune could coexist with MDM products like Airwatch or Mobile Iron.
How Do You Manually Add Users to the Intune Console?
How do you add users to the Intune console and provide permissions to users in the Intune console? We don’t have to do this when Intune Silverlight console is migrated to the Azure portal??
Before you try to provide service administrator access (limited roles available in Intune Silverlight console Full Access, Read-Only access, or Helpdesk—Group Node access) to users in Intune, you should make sure the administrator or server administrator user is already available in the Intune administrator console. More info here.
Are You Having an Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr?
Are you having issues with Windows Information Protection (WIP, previously known as “Enterprise Data Protection – EDP”) policies configured through the SCCM ConfigMgr CB 1606 production version?
If so, I was one of you. I’m talking about the issue I faced while deploying the WIP policy via the Windows 10 MDM channel. I will try to explain the problem which I had with WIP CI (for the specific scenario which I tested):-
When you open WIP CI, try to check whether everything is okay or not and exit out of CI with/without making any changes. Some values in CI XML will automatically change, breaking the entire CI.
Windows Information Protection WIP– Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr
I’ve embedded a video below explaining this bug/issue. If you are new to WIP/EDP and want to know how to create, deploy, and test WIP with Windows 10, look at my previous post and video here.
The good news is that Microsoft’s new rollup update (KB3186654) most probably fixed this issue. I have done extensive testing with Windows Information Protection (WIP) policies/CIs after installing the new rollup on the SCCM CB 1606 server, and the results are very promising.
| Name | Type |
|---|---|
| New Windows 10 WIP | General |
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Table 1
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Fig.1
How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-user experience of WIP
I tried creating new WIP CIs, editing the existing WIP CIs, etc. All the scenarios I tested worked well for me. I tested this with Windows 10 1607 build numbers 14393.00 and 14393.82 (via MDM channel).
Are You Having Issue with Windows 10 WIP EDP SCCM CB Configuration Manager ConfigMgr – Video 1
Sample of the correct WIP CI with correct ConstantValue
Let’s discuss the Sample of the correct WIP CI with the correct ConstantValue. The below section helps you show the sample of the correct WIP CI with the correct ConstantValue.
Intune Company Portal App Login Issues with Windows 11 or Windows 10 Devices? Have you tried to Repair or Reset Company Portal App to fix the issue? The Intune company portal application is not allowed to log in when it is installed on Windows 10 or Windows 11.
The issue explained in the post below could be due to either Azure AD authentication issues or proxy issues. It won’t let you log in with your username and password.
The Company Portal app will get redirected to the login page repeatedly. Have you tried to log in to the Intune company portal from a Windows device, and can you reproduce this issue?
Fix Company Portal App Login Error Occurred AAD Auth Proxy Issues. This post also explains the Tenant Restriction Policy and company portal issues.
Whenever you have an issue with the Intune Company Portal app, it’s better to Reset, Repair, or Reinstall it before trying to do further troubleshooting. Otherwise, this could be another issue if you see the same problems with a more significant number of Windows 11 devices.
Intune Company Portal App Repair options are easy to use, unlike other Win32 or MSI applications. Since the Intune Company portal is a Microsoft Store Application, it has all the Reset, Repair, and Reinstall options.
To use the Intune Company Portal app Repair and Reset options, follow the steps explained below.
Navigate to the Apps & Features option by right-clicking on the Start button from Windows 11.
Use the search function to find the Company Portal application.
Click on the three (3) vertical dots menu.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.1
To repair the Company Portal Application on a Windows 11 device, select Advanced options, as shown in the screenshot below.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.2
The first step I always recommend is to TERMINATE the company portal app by clicking on the TERMINATE button from Apps -> Apps & Features -> Company Portal Advanced Options.
Intune Company Portal App Repair
Let’s check the next option, the Intune Company Portal app repair option. If this app isn’t working correctly, you can try to repair it. The Company Portal app’s data will not be affected.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.3
Company Portal App Repair Reset and Uninstall
Let’s check the following options in case the Terminate and Repair options for the Company Portal don’t work well. Company Portal App Repair, Reset, and Uninstall are the other options available on Windows 11 devices.
Company Portal REPAIR helps to fix the issue if the app is still not working as expected. The RESET will remove all the app-related data from the Windows 11 PC and give the Company Portal a fresh start.
The UNINSTALL button is the last resort for fixing the Company Portal Application on a Windows 11 PC. After uninstalling the app, you can reinstall it from the Microsoft Store.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.4
Well, this is a weird issue, so stay with me! Let’s learn how to Fix the Company Portal App Login Error that Occurred. This issue is only for the Intune Company portal application. There was no issue accessing the company portal Website. This issue is only applicable to Windows 10/11 devices.
Problem Statement – Fix Company Portal App Login Error
Windows 10 devices started getting error messages when users tried to launch the Company portal app. The error details are given below.
Login error occurred – An error occurred while attempting to log in to Company Portal Login Error.
You get two options:
Share Details
Close
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.5
Send Company Portal App for Windows 10 Logs
You can try to click on Share details to get the Company portal app log for Windows 10 or 11 devices. The message shows “Sending the Logs to Microsoft.“
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.6
Now you can share the details with Microsoft using the OneNote file, requesting help with the Company Portal app for Windows 10 or Windows 11.
NOTE! – You can send the company portal app logs for Windows 10 using the following method as well:
Open the Company Portal app.
Select Help & support > Get help.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.7
Details of Company Portal App Log
Describe the problem you’re experiencing. The Company Portal has collected your logs (Diagnostics ID: 2WWEWN) and sent them to Microsoft to help troubleshoot. Your description will help us understand what happened and how to fix the problem. After you’ve described the situation, send this email to your company support for more help.
Troubleshooting – Fix Company Portal App Login Error
Now, let’s enter the real troubleshooting scenario of the Company Portal app for Windows 10 devices.
First, I couldn’t find much information from the Microsoft logs mentioned in the above section.
I started looking at event logs to get more details.
Navigate to Microsoft-Windows-AAD/Operational (Azure AD authentication-related errors).
The following event ID 1098 shows an error that started when I tried to launch the company portal app.
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.8
Event Log Details
The following are the company portal login issues with Windows 11/10 devices. As you can see in the paragraphs below, these logs are taken from event logs.
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa10083 Exception in WinRT wrapper.
Logged at authorizationclient.cpp, line: 233, method: ADALRT::AuthorizationClient::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113
Log: 0xcaa1007b Acquire token failed.
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 15/07/2020 16:00:58
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa1007b Acquire token failed.
Logged at aggregatedtokenrequest.cpp, line: 70, method: AggregatedTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
0xcaa9004b Exception during nonce request
Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Date: 16/07/2020 10:11:06
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
Keywords: Operational,Error
User:
Computer:
Description:
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa9004b Exception during nonce request.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/S-1-15-2-2666988183-1750391847-2906264630-3525785777-2857982319-3063633125-1907478113, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
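The event text above can be turned into objects so that repeated 1098 errors are grouped by error code and authority instead of being read one by one. This is an added example, not part of the original post: the function name ConvertFrom-AadBrokerMessage is hypothetical, and the sample text is one of the events shown above.

```powershell
# Added example: parse AAD broker error text (Event ID 1098) into objects for triage.
function ConvertFrom-AadBrokerMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        # Top-level failure, e.g. "Error: 0xCAA82EE2 The request has timed out."
        $err = [regex]::Match($Message, '(?m)^Error:\s*(0x[0-9A-Fa-f]{8})\s+(.+?)\s*$')

        # Nested log entries. Some events fuse "Log:" onto the end of the previous
        # line or drop the prefix, so accept "Log:" mid-line or a bare code at line start.
        $logs = [regex]::Matches($Message, '(?m)(?:Log:\s*|^)(0x[0-9A-Fa-f]{8})\s+(.+?)\.?\s*$')

        $authority   = [regex]::Match($Message, 'authority:\s*([^,\s]+)')
        $correlation = [regex]::Match($Message, 'correlation ID \(request\):\s*([0-9A-Fa-f-]{36})')

        [pscustomobject]@{
            ErrorCode     = $err.Groups[1].Value
            ErrorText     = $err.Groups[2].Value
            LogEntries    = @(foreach ($m in $logs) { '{0} {1}' -f $m.Groups[1].Value, $m.Groups[2].Value })
            Authority     = $authority.Groups[1].Value
            CorrelationId = $correlation.Groups[1].Value
            # 0xCAA82EE2 is the "request has timed out" code shown in the events above.
            IsTimeout     = $err.Groups[1].Value -eq '0xCAA82EE2'
        }
    }
}

# Sample input: the description of one event from this page, including its fused "Log:" line.
$sample = @'
Error: 0xCAA82EE2 The request has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 163, method: XMLHTTPWebRequest::ReceiveResponse.Log: 0xcaa1007b Acquire token failed.
Logged at aggregatedtokenrequest.cpp, line: 70, method: AggregatedTokenRequest::AcquireToken.
Request: authority: https://login.microsoftonline.com/common, client: 8ba1a5c7-f19a-5de9-a1f1-7178c8d51343, resource: 00000002-0000-0000-c000-000000000000, correlation ID (request): 9d18dbac-d522-4d6e-8d14-c3e7610ec34c
0xcaa9004b Exception during nonce request
'@

$sample | ConvertFrom-AadBrokerMessage | Format-List

# On an affected device, feed the same log the post inspects:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AAD/Operational'; Id = 1098 } -MaxEvents 50 |
#     ForEach-Object { $_.Message } | ConvertFrom-AadBrokerMessage |
#     Group-Object ErrorCode, Authority | Sort-Object Count -Descending
```

A run of timeouts against the same authority points at the network path between the device and Azure AD rather than at the user account, which is where the resolution below ends up.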
Fix Company Portal App Login Error Occurred
Tenant restrictions were implemented on the proxy server by following the Microsoft article “Use tenant restrictions to manage access to SaaS cloud applications”. For more details, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions.
The company portal app for Windows 10 or Windows 11 requires authentication to Azure AD through https://login.microsoftonline.com. These URLs are available in the above event logs. Tenant restrictions require TLS inspection only on traffic to Azure AD, not to the Office 365 cloud services.
It seems the TLS inspection for the following URL caused the issue. At least one of the following URLs is required:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.9
Intune Company Portal Login Issues
After 3 login attempts, the company portal application will show you the following error: “Login error occurred – an error occurred while attempting to login“. You may also get the following details in the error log.
Have you ever seen this? The issue shows up in the following scenarios in different Intune/AAD tenants. The table below lists them.
The Issue in Different Intune/AAD Tenants
Windows 10 AAD Joined
Windows 10 MDM enrolled (Work account)
Windows 10 OOBE
FIX Intune Company Portal App Login Issues with Windows 10/11 – Table 1
I don’t have any solution for this issue yet. If you can reproduce this issue, then please do comment on this post. When I remove the Work or School account from Settings – Accounts – Access work or school, I’m able to log in to the Intune company portal.
However, it will (obviously) say, “You need to add your device before you can install apps.” If you select “Don’t add this device,” the Intune company portal will proceed to the next page, which will show you the “my devices” list, etc., with a note, “It looks like you need to add this device so that you can install apps.”
FIX Intune Company Portal App Login Issues with Windows 10/11 – Fig.10
Log File Details – Intune Company Portal:-
Intune Company Portal Login Issues with Windows 10 Anniversary Update.
Microsoft.Management.Services.SelfServicePortal.CommonViewModels.ServiceLoginPageViewModel.<AuthenticateWithExceptionHandlingAsync>d__36.MoveNext()
2016-09-03T06:03:13.4876367Z WARN Event None 400 f67a7f1d-54e3-41e0-a838-e39ec3385ba3 3-0-0 Displaying error dialog
Title: Login error occurred
Message:An error occurred while attempting to login.
Exception: Microsoft.Management.Services.SelfServicePortal.Common.Portable.Authentication.IntuneAuthenticationException: Failed to authenticate with AAD
at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AuthenticationResultHelper.ThrowIfAuthenticationStatusIsNotSuccess(AuthenticationStatus authenticationStatus)
at Microsoft.Management.Services.SelfServicePortal.Extensions.AzureAD.Common.Authentication.AzureADAuthenticationService.<AuthenticateAsync>d__0.MoveNext()
Resolution – Proxy Issue
The client app (in this case, Company Portal) should support tenant restrictions. I overlooked this point while writing this post. Microsoft docs already document that client software must request tokens directly from Azure AD so that the proxy infrastructure can intercept traffic.
NOTE! – The company portal (website) works well with tenant restrictions.
On the proxy servers, the OMT feature for TLS inspection was removed for AAD authentication communication, which fixed the Company Portal.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
How do I create and Upload an Apple Push Notification Service APN Certificate Using SCCM CB? We need an APN cert to manage iOS and Mac OS devices via Intune and Hybrid SCCM CB.
In this video tutorial, we can see how to get the certs from Apple and How to upload them to SCCM CB for a hybrid solution. How to Create an Apple Push Notification Service (APN) Certificate to Manage iOS and Mac OS X devices via Intune.
You must have an Apple ID/user name and password to upload and download the SCCM CB hybrid certificates. I’m adding more detailed videos to my YouTube channel; subscribe here.
The following is the location and file where I saved the downloaded cert from the SCCM CB hybrid environment: C:\Users\anoop\Documents\Apple Cert\Apple_Cert_4_How_2_Manage.CSR.
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Fig.1
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB
The screenshot below shows the Apple Push Certificates Portal and the certificates for third-party servers. The table below lists more details.
Sep 24, 2016 | Vendor | Expiration Date | Status
Mobile Device Management | Microsoft Corporation | Sep 24, 2016 | Active
Mobile Device Management | Microsoft Corporation | Sep 24, 2016 | Active
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Table 1
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB – Fig.2
How to Create Upload Apple Push Notification Service APNs Certificate Using SCCM CB
Go to the following Apple website: https://identity.apple.com/pushcert/.
You can manage iOS and Mac OS devices via Microsoft Intune and SCCM CB hybrid environments at the end of this process!
How do you create and deploy compliance policies using SCCM CB Hybrid and Intune Environments? We will discuss developing and deploying compliance policies using SCCM CB Hybrid and Intune Environments. OK, there are 3 topics in this post.
1. How to Create Compliance policies using Intune and SCCM CB Hybrid environment.
2. How to deploy Compliance policies and
3. Differences between the compliance policy settings !!
I have created a quick and dirty video tutorial to explain all these steps, and the video is embedded in this post as well 🙂 First and foremost, the compliance policies work along with Conditional Access policies.
The device must comply with our policies to have permission to access corporate resources like emails, SharePoint Online, etc. SCCM CB and Intune Compliance policies can be deployed only to users, not device collections or groups.
As you can see in the following picture, we can specify the type of compliance policy that you want to create in SCCM CB. There are two options: 1. Compliance rules for devices managed with SCCM clients; 2. Compliance rules for devices managed without SCCM clients (MDM clients, etc.).
How Do You Create An SCCM CB Hybrid Compliance Policy?
Moreover, it allows you to select different device platforms, such as Windows 8.1, Windows 10 mobile, iOS, Android, and KNOX. This is a handy option in SCCM CB Hybrid compliance settings! The video tutorial above explains the steps to create an SCCM CB compliance policy.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.1
How Do You Create a Compliance Policy using Intune?
As you must have noticed, all platforms have one general compliance policy. There is no option to create compliance policies for various device platforms, such as iOS, Android, and Windows.
Yes, we don’t have the option to select a specific OS platform in Intune compliance policies. The three common segregations available are as follows. The video tutorial above explains all the steps to create an Intune compliance policy.
Three Common Segregations
System Security
Device Health
Device Properties
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Table 1
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.2
How Do You Deploy Compliance Policies Using SCCM CB Hybrid?
Yes, compliance policies can be deployed only to User Collections, not device collections, in SCCM. There are no DEVICE Collections in the drop-down menu!! Yes, this makes sense because compliance policies are associated with conditional access policies in BYOD and CYOD scenarios.
Another point is SCCM CB’s granularity regarding Compliance rules/policy evaluation schedules. You can change the Compliance policy evaluation schedule!!! By default, the SCCM CB compliance policy evaluation schedule is 23 hours. You can change and customize it according to your needs. The video tutorial above explains the steps to deploy the SCCM compliance policy.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.3
How to Deploy Compliance Policy using Intune?
Yes, compliance policies can be deployed only to user groups in Intune, not device groups. Moreover, compared with SCCM CB, the scheduling of compliance policies is not granular. Instead, Intune provides global settings for all the compliance policies we create for that tenant.
Check out the Intune compliance policy settings. What is that? It’s the compliance status validity period. Nice!! It’s a global setting—we can’t specify 31 days for one compliance setting and 20 days for another!! The video tutorial above explains all the steps to deploy the Intune compliance policy.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.4
Difference Between Intune vs SCCM CB Hybrid Compliance Policies
Following are the differences that I have noticed in Intune vs SCCM CB Hybrid Compliance Policies:- Intune does not allow users to select a specific supported platform. However, with SCCM CB, we can create platform-specific compliance policies.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.5
There is no Granularity in Deploy Scheduling options with Intune. However, many more scheduling options are available for SCCM CB compliance policies.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.6
Outcome/Result of Compliance Policies – Windows 10 Device
The following is an example of a Windows 10 machine that is AAD joined and MDM enrolled, but it’s not compliant. Device encryption is not enabled on the Windows 10 machine.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.7
The following is an example of a Windows 10 device compliant with an organization’s policies. Once Windows 10 is compliant, the user can access corporate mail and other resources.
How to Create and Deploy Compliance Policies Using SCCM CB Hybrid and Intune Environments – Fig.8
Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User? In this post, I share a video tutorial that explains them. Microsoft Intune introduced MAM Reporting options with the Intune 2305 release.
Let’s learn how to create Intune App Protection Policies for iOS/iPadOS. App Protection Policies (APP) can be applied to both enrolled and non-enrolled devices. APP can also be used with third-party MDM solutions.
MAM policies created in the MEM portal are different from the MAM policies that we make from the Intune portal for MDM-enrolled devices. Outlook Groups is the newest application included in the Azure portal for Intune MAM-enabled applications.
Let’s check how to enable Intune App Protection Policies for Android and iOS devices. The video below provides more details and an end-user experience.
Also, I can see the PREVIEW option to add custom applications for MAM policies without MDM enrollment. This is an excellent feature. Settings –>Preview – Line-of-business apps –> Preview – Add a custom app.
Intune MAM Policies and App Reporting
Settings
Preview – Line of business apps
Preview – Add a custom app
Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User – Table 1
Video Tutorial to Learn about Intune MAM Policies and App Reporting by Specific User – Fig.1
Learn how to Set up Dynamic Device Groups in Intune. Do you want to add mobile devices automatically to Microsoft Intune Device Groups? Intune Dynamic groups have been a customer request for a long time.
This feature is similar to dynamic collections in SCCM/ConfigMgr. There are two ways to do it: one using the Azure AD Premium feature called AAD Dynamic Groups, and another is pretty new in Intune, something called Device Group Mapping.
One of our recent posts explains how to create nested Azure AD dynamic groups, a highly anticipated feature from the Azure AD team. This functionality uses the memberOf attribute, which was introduced to facilitate the nesting of Azure AD groups.
This capability allows for more flexible and efficient management of group memberships within Azure Active Directory, enabling organizations to simplify access controls and administration across their Azure resources.
Learn How to Setup Dynamic Device Groups in Intune – Fig.1
Navigate via – Directory –> Groups –> Open the group (MDM Group) –> Configure. Enable Dynamic Group (Only available for AAD Premium subscriptions) Membership –> Add Users where <Department> is equal to “IT”.
Learn How to Setup Dynamic Device Groups in Intune
Login to AAD.Portal.Azure.com.
Navigate to the Azure Active Directory -> Groups node -> Click on the New Group button.
Group Type -> Security
Group Name -> HTMD AAD Group based on Dept
Group Description -> To add all devices or users from a dept
Membership Type -> Dynamic User
Learn How to Setup Dynamic Device Groups in Intune – Table 1
In this scenario, all the users from the IT department will be added to the AAD Dynamic Security Group, which is called MDM Group.
Don’t panic if the group does not show its users immediately; give it some time. It will get updated.
Once the AAD Dynamic Group is created and updated, log in to the Intune portal (endpoint.microsoft.com) and Create a New User Group to fetch all the devices of IT department users.
Learn How to Setup Dynamic Device Groups in Intune – Fig.2
Whenever a new user joins the IT department, that user is automatically added to the Intune MDM group. Provisioning and de-provisioning groups is made easy with this.
There are two options to build the Azure AD dynamic group query. You can use the rule builder or rule syntax text box to create or edit an AAD device group dynamic membership rule.
Rule Builder -> Graphical interface – Easy to create the dynamic query.
Rule Syntax -> Advanced technical users for complex queries.
Follow the steps below to use Azure AD dynamic group Rule Builder to create dynamic query rules for Hybrid Azure AD joined devices.
Under Configure Rules -> Choose Property drop-down list.
Select deviceTrustType as the property from the drop-down list.
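The two rules built in the portal above, written in rule syntax and created with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post: the helper name New-DynamicSecurityGroup, the mail nicknames and the second group’s name are hypothetical, and ServerAD is the deviceTrustType value for hybrid Azure AD joined devices.

```powershell
# Added example: create the dynamic groups described above from rule syntax.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to create groups.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,    # required by the API even for non-mail groups
        [Parameter(Mandatory)][string]$MembershipRule,
        [string]$Description
    )
    $params = @{
        DisplayName                   = $DisplayName
        MailNickname                  = $MailNickname
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $MembershipRule
        MembershipRuleProcessingState = 'On'            # evaluate the rule as soon as the group exists
    }
    if ($Description) { $params.Description = $Description }
    New-MgGroup @params
}

# Dynamic User group from the table above: every user whose department is "IT".
New-DynamicSecurityGroup -DisplayName 'HTMD AAD Group based on Dept' `
    -MailNickname 'htmd-aad-dept' `
    -Description 'To add all devices or users from a dept' `
    -MembershipRule '(user.department -eq "IT")'

# Dynamic Device group for hybrid Azure AD joined devices (group name is a placeholder).
# A dynamic group holds either users or devices, so this rule needs its own group.
New-DynamicSecurityGroup -DisplayName 'HTMD Hybrid AAD Joined Devices' `
    -MailNickname 'htmd-hybrid-devices' `
    -MembershipRule '(device.deviceTrustType -eq "ServerAD")'
```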
How do you Add Devices automatically to Intune Device Groups using Device Group Mapping?
Click on the Admin tab in the Intune console. Navigate via Device Group Mapping—enable Device Group Mapping—Create a Device Group and ADD a CATEGORY to manage device group mapping rules. Once you click on Create Device Group, it will guide you through creating one device group.
When a user enrolls in Intune (during the Enrollment Process) using the Microsoft Intune Company Portal application, the user gets an extra screen to select “Choose the best category for this device.” I have created only one category, “ADMIN,” for users. You are free to make an Intune device category for each department!!