
SCCM Configuration Manager Application Creation Deployment Installation

Let’s discuss SCCM Configuration Manager application creation, deployment, and installation. In SCCM CB, application creation is the next step after the SCCM CB 1702 installation, AD discovery, and client installation.

I already covered those steps in the previous posts “Step by Step Video Tutorial of SCCM CB 1702 Baseline version Installation” and “Video Tutorial How to Perform SCCM CB AD Discovery and Install Client”. SCCM CB application creation is the first step in the application lifecycle.

The second step is SCCM CB application deployment, and the third is installing the application on the clients. This post covers all three. The video tutorial documents each step: SCCM CB application creation (upload), deployment, and installation.

Application deployment is a feature most corporate organisations rely on to meet their business requirements. SCCM CB still offers the option to create packages and deploy them as well. Yes, packages are still required in some scenarios.

Packages are also used to deploy old Win32 apps that were migrated into the SCCM CB environment from SCCM 2003/2007/2012. I recommend taking advantage of the SCCM CB application model rather than continuing to use legacy packages.

SCCM CB Application Creation Deployment User Experience

This video comprehensively covers all aspects of SCCM CB (Current Branch) application creation, deployment, and user experience. It provides detailed guidance on creating applications within SCCM, including the necessary configuration steps and considerations for deployment.

SCCM Configuration Manager Application Creation Deployment Installation – Video 1

How to Create/Upload an SCCM Application

This guide provides instructions on creating and uploading an application in SCCM and details the steps for developing, deploying, and installing an SCCM application. By following this guide, administrators can effectively manage and distribute applications within their organization’s network using SCCM, ensuring easy and efficient software deployment and maintenance.

SCCM Configuration Manager Application Creation Deployment Installation – Fig.1

SCCM CB application creation is the first step in this process. An application can be created from several types of installation files, ranging from Win32 MSI and EXE installers to a wide range of mobile (MDM) app formats.

  • MSI is the preferred installation type for Windows devices, and this post covers creating an MSI application.
  • First, make sure the application source is stored on a UNC path (\\ServerShare\Sources\). The site server’s computer account needs read access to that share, because the site server, not the admin running the console, reads the content from it.
  • As the video tutorial above shows, the wizard errors out if the MSI source location is not given as a UNC path.
Table 1 – Baseline Configuration Analyzer Properties (the lab application), with “Automatically download content when packages are assigned to distribution points” selected
SCCM Configuration Manager Application Creation Deployment Installation – Fig.2

Application creation stores the application metadata in the site database (which is what the console shows) and defines the application content: the MSI plus every file it needs for a complete installation.

That content is delivered to the SCCM content stores, the distribution points (DPs). Clients download it from a DP (when the deployment is set to download content) and run the installation. The video above covers this process, and the following sections walk through it.

How to Deploy SCCM CB Application and Content?

Once the application is created and appears in the console, we can distribute its content (the source files) to the content store servers, the distribution points. The whole process is shown in the video tutorial above.

The Distribute Content action starts replicating the application source to the remote DPs. Content distribution is mandatory before deploying the application to SCCM client devices or users; otherwise the clients have nowhere to download the content from.

Once the content is on the DPs, we can deploy or schedule the application installation to a device or user collection. A few decisions need to be made before starting the deployment.

The first decision is whether to deploy to device or user collections. If you deploy an application to a device collection, every user of that device gets the application, which can have licence implications. The second option is to deploy the application to a user collection.

From my perspective, this should be the default deployment practice if you don’t have any specific requirements to deploy apps to devices.

SCCM Configuration Manager Application Creation Deployment Installation – Fig.3

The other important setting in an SCCM CB application deployment is the deployment purpose, which controls the installation behaviour. There are two options. The first, Available, puts the user in control: the application appears in Software Center and nothing is installed until the user starts the installation from there.

The second option is Required: the application installs automatically, at the deployment deadline, without any user intervention.
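The same create, distribute and deploy sequence can be scripted with the ConfigurationManager PowerShell module that ships with the console. The following is an added example, not code from the original post; the site code P01, the share \\CM01\Sources, the application name, the DP group name and the collection name are assumptions, and the script expects to run on a machine with the console installed.

```powershell
# Added example (not from the original post): create an MSI application, distribute its
# content and deploy it as Available to a user collection with the ConfigMgr cmdlets.
# Assumptions: site code P01, source share \\CM01\Sources, a DP group and a user
# collection with the names below already exist.

$SiteCode   = 'P01'
$AppName    = '7-Zip 19.00 x64'                            # assumed application name
$MsiPath    = '\\CM01\Sources\Apps\7-Zip\7z1900-x64.msi'   # must be UNC; the wizard rejects local paths
$DpGroup    = 'All Distribution Points'                    # assumed DP group name
$Collection = 'Pilot Users'                                # assumed user collection

# The site server's computer account needs Read on the share; fail early if the file is unreadable
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found or not readable: $MsiPath" }

# Load the ConfigurationManager module from the console install and switch to the site drive
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 1. Create the application (metadata in the site database; no content yet)
New-CMApplication -Name $AppName -Publisher 'Igor Pavlov' -SoftwareVersion '19.00' | Out-Null

# 2. Add an MSI deployment type; the MSI product code becomes the detection method
Add-CMMsiDeploymentType -ApplicationName $AppName -DeploymentTypeName "$AppName (MSI)" `
    -ContentLocation $MsiPath -InstallationBehaviorType InstallForSystem `
    -LogonRequirementType WhetherOrNotUserLoggedOn -Force | Out-Null

# 3. Distribute content to the DP group. This is asynchronous and mandatory before any
#    client can install; watch distmgr.log / Monitoring > Content Status for completion.
Start-CMContentDistribution -ApplicationName $AppName -DistributionPointGroupName $DpGroup

# 4. Deploy as Available to a user collection: it shows in Software Center and the user decides.
#    For a silent forced install change -DeployPurpose to Required and add -DeadlineDateTime.
New-CMApplicationDeployment -Name $AppName -CollectionName $Collection `
    -DeployAction Install -DeployPurpose Available -UserNotification DisplayAll | Out-Null

Set-Location $env:SystemDrive
```

Step 3 only queues the distribution job; do not create the deployment in production until content status shows success on every DP in the group, or clients in those boundaries will wait on content.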

How to Install Application on End-User Device?

Once you deploy the application to a collection, as shown in the video tutorial above, the SCCM client picks up the new policy at its next scheduled policy polling interval (60 minutes by default).

On that schedule, the client downloads the application content from its DP and, for a Required deployment, installation starts automatically on the Windows device, as seen in the video tutorial. The installation behaviour setting is critical: whether the install kicks off on its own or waits for the user depends on it.
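Rather than waiting for the polling interval, the client side can be driven and inspected directly. This added example (not from the original post) triggers the machine and user policy cycles on an SCCM client, lists every application the client has received with its install state, and installs a named Available application through the same ClientSDK method Software Center uses; the application name is an assumption, and the script must run elevated (and, for user-targeted deployments, in the targeted user’s session).

```powershell
# Added example (not from the original post): force a policy refresh on an SCCM client,
# list deployed applications with their state, and install a named Available application
# without opening Software Center. Run elevated on the client. The app name is assumed.

$AppName = '7-Zip 19.00 x64'

# Trigger "Machine Policy Retrieval & Evaluation Cycle" (...21) and
# "User Policy Retrieval & Evaluation Cycle" (...27) so new deployments arrive now
foreach ($id in '{00000000-0000-0000-0000-000000000021}', '{00000000-0000-0000-0000-000000000027}') {
    Invoke-CimMethod -Namespace root\ccm -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $id } | Out-Null
}
Start-Sleep -Seconds 60   # give the client a minute to download and evaluate the new policy

# Every application deployed to this machine (or to the calling user) is exposed in ClientSDK
$apps = Get-CimInstance -Namespace root\ccm\ClientSDK -ClassName CCM_Application
$apps | Select-Object Name, InstallState, ApplicationState, IsMachineTarget | Format-Table -AutoSize

$target = $apps | Where-Object Name -eq $AppName
if (-not $target) { throw "No deployment of '$AppName' has reached this client yet" }

if ($target.InstallState -ne 'Installed') {
    # Same call Software Center makes when the user clicks Install
    Invoke-CimMethod -Namespace root\ccm\ClientSDK -ClassName CCM_Application -MethodName Install -Arguments @{
        Id                = $target.Id
        Revision          = $target.Revision
        IsMachineTarget   = $target.IsMachineTarget
        EnforcePreference = [uint32]0       # 0 = Immediate
        Priority          = 'Normal'
        IsRebootIfNeeded  = $false
    } | Out-Null
    # Progress and the MSI exit code are logged in C:\Windows\CCM\Logs\AppEnforce.log
}
```

If the application never appears in CCM_Application, the problem is upstream (collection membership, policy, or boundary/DP content), not the installer; check PolicyAgent.log and ContentTransferManager.log before touching the deployment type.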

SCCM Configuration Manager Application Creation Deployment Installation – Fig.4

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.


Windows 10 Azure AD Join Automatic Intune Enrollment

Let’s discuss Windows 10 Azure AD join and automatic Intune enrollment. In this post, I share the experience of Windows 10 1703 (RS2) Azure AD join and automatic MDM (Intune) enrollment.

The video tutorial in this post is a real-time recording of a Windows 10 1703 Azure AD join and Intune auto-enrollment.

Windows 10 1703 is the latest production build of Windows 10 at the time of writing, also known as the Redstone 2 (RS2) release. The Windows team has done great work improving the Out-of-Box Experience (OOBE) in 1703. A previous post explains the AADJ and MDM auto-enrollment process in depth: “How to Join Windows 10 1607 Machines to Domain or Azure AD.”

The first screen of the Windows 10 1703 Azure AD join OOBE asks you to sign in with a work or school account. A note on the same screen helps users pick the right account: “Sign in with the username and password you use with Office 365 or business services from Microsoft”.

Yes, this is a generic kind of message. It would be more helpful if Microsoft could explain to the user how to use their corporate account rather than using technical terms like Office 365 and Business Services from Microsoft.

How to Perform Windows 10 1703 AAD Join and Intune Enrollment

The video below offers a comprehensive, step-by-step guide on performing a Windows 10 1703 Azure Active Directory (AAD) join and enroll your device in Microsoft Intune. It covers all the necessary steps, from initiating the AAD join process to successfully completing the Intune enrollment, ensuring that your device is properly managed and secured within your organization’s network.

Windows 10 Azure AD Join Automatic Intune Enrollment – Video 1

Windows 10 Azure AD Join Automatic Intune Enrollment

This is the sign-in screen. Please sign in using the username and password associated with your Office 365 account or any other Microsoft business services.

Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.1

The Windows 10 1703 OOBE also lets the user choose a traditional domain join, or create a local user account and log in with that. The OOBE experience has been greatly improved in this release.

It asks to connect to a Wi-Fi network and lets the user connect to web-authenticated (captive portal) Wi-Fi routers (not all? I need to test this further). Once connected to the internet, it checks for the latest software updates and installs them.

Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.2

Windows 10 Azure AD Join Experience?

Windows 10 1703 Azure AD join is almost fully automated once the user enters a username and password on the OOBE screen mentioned above. User input is required on only one further screen: privacy settings.

Once the user has accepted the Windows 10 1703 privacy settings, the device signs in automatically with the same username and password. Is this a new SSO behaviour for Windows 10 1703 Azure AD join? You can confirm the AAD join under Settings > Accounts in Windows 10 1703.

Table 1 – Settings > Accounts in Windows 10 1703: Your info, Email & app accounts, Sign-in options, Access work or school, Other people, Sync your settings
Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.3

Windows 10 MDM Intune Auto Enrollment Experience

Once the device is joined to Azure AD, it should automatically enroll into Intune management. For that to happen, MDM auto-enrollment must be enabled in Azure AD: the MDM user scope under Mobility (MDM and MAM) must include the user who joins the device. In my experience with Windows 10 1703, the encryption policy prompt from the Intune compliance policy appeared within a few minutes of the first login.

The user can also check the Intune enrollment from the Access work or school section of Windows 10 Settings. The Windows 10 MDM GUI has changed here: the work account added to the device no longer has a Manage tab. Don’t worry, that is the new design in 1703; the work/school account entry now has only two options, Info and Disconnect.

To manually sync or check for new Intune policies on a Windows 10 1703 device, go to Settings > Accounts > Access work or school, select the account, then Info > Sync. This triggers an immediate policy sync with the Intune service, after which the device receives the latest policies.
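The join and enrollment state can also be verified from the device without clicking through Settings. This is an added example, not part of the original post: it parses dsregcmd /status, checks the MDM enrollment registry for the Intune provider, and starts the enrollment client’s scheduled task, which is what the Info > Sync button does. The scheduled task name is the one created on Windows 10 1703-era builds and should be confirmed with Get-ScheduledTask on your build; run the script as an administrator.

```powershell
# Added example (not from the original post): verify that a Windows 10 device is Azure AD
# joined and MDM-enrolled, then trigger an immediate Intune policy sync. Run elevated.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones we care about
    $wanted = 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl', 'DeviceId'
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

$s = Get-DsregStatus
$s.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if ($s['AzureAdJoined'] -ne 'YES') { throw 'Device is not Azure AD joined' }

# MDM enrollments live under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>; the Intune one
# carries ProviderID "MS DM Server". Nothing here means auto-enrollment did not happen.
$enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath).ProviderID -eq 'MS DM Server' }

if (-not $enrollment) {
    Write-Warning 'Azure AD joined but not MDM enrolled. Check the MDM user scope under Azure AD > Mobility (MDM and MAM).'
} else {
    $p = Get-ItemProperty $enrollment.PSPath
    'MDM enrolled: UPN={0} EnrollmentType={1} MdmUrl={2}' -f $p.UPN, $p.EnrollmentType, $s['MdmUrl']

    # Equivalent of Settings > Accounts > Access work or school > Info > Sync:
    # run the enrollment client's OMA-DM session task for this enrollment GUID
    $id = $enrollment.PSChildName
    Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$id\" |
        Where-Object TaskName -like 'Schedule #3 created by enrollment client' |
        Start-ScheduledTask
}
```

A device that reports AzureAdJoined : YES but has no "MS DM Server" enrollment is the usual symptom of a user outside the MDM user scope, or of a join performed by an account without an Intune licence; the sync task will not help until the device is enrolled.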

Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.4




How to Perform SCCM AD Discovery Install SCCM Client

Let’s discuss how to perform SCCM AD discovery and install the SCCM client. In the previous post, I covered the installation of the SCCM/ConfigMgr 1702 infrastructure. This post covers SCCM AD discovery and SCCM client installation.

How can we perform SCCM CB AD discovery? Can we discover devices and users from the on-prem Active Directory? And how can we manage the discovered devices? The console describes discovery methods as: “Configure the methods to find resources. Client Push installation requires that resources first be discovered.”

NOTE! – I usually use Active Directory System Discovery and Active Directory User Discovery to find the resources (users and systems) from Active Directory.

Enable Active Directory System Discovery to discover the devices from on-premises AD. SCCM reads the computer objects from AD and creates a system record (discovery data record) in SCCM CB for each one. A record is created only when the site server can resolve the computer name to an IP address in DNS; computer objects that cannot be resolved are skipped.

How to Perform SCCM CB AD Discovery?

Fig.1 shows the SCCM 2007 AD System Discovery flowchart. Adsysdis.log is the log file with the details of each discovery run. You can specify which Active Directory container to search during discovery; scoping it to the OUs you actually manage keeps unwanted records out of the site.

How to Perform SCCM AD Discovery Install SCCM Client – Fig.1

AD User Discovery should be enabled if you deploy apps and policies to user-based collections. The log file Adusrdis.log records the details of AD User Discovery.

Another discovery I enabled in my SCCM lab environment is Active Directory Forest Discovery, which can create the SCCM CB boundaries for you from the AD sites it finds.

Table 1 – Active Directory Forest Discovery Properties: Enable Active Directory Forest Discovery; Automatically create Active Directory site boundaries when they are discovered
How to Perform SCCM AD Discovery Install SCCM Client – Fig.2

What are the Prerequisites before Installing SCCM CB Clients on Devices?

Now you can discover devices, users, and AD site boundaries from on-prem AD. The next step is to manage these devices with the SCCM infrastructure.

First, create an SCCM Boundary Group and add the required boundaries to it. The video tutorial above covers the creation and assignment of boundary groups in more detail.

Another vital configuration before installing SCCM CB clients on discovered systems is setting up the Network Access Account and the Client Push Installation Account. Both are privileged credentials: the client push account must be a local administrator on every target computer, so use a dedicated account with no more rights than that (never a domain admin), and give the Network Access Account only the read access it needs to distribution point content.

How to Perform SCCM AD Discovery Install SCCM Client – Fig.3

SCCM Client Installation to Manage AD Discovered Systems

Install the SCCM client to manage the systems discovered from AD. There are many ways to install it on discovered devices: AD Group Policy, as part of the OSD task sequence, or the Client Push method.

Client push has some drawbacks, such as requiring Admin$ share access (and the matching SMB firewall exceptions) from the site server to every client. The best option in most environments is the AD Group Policy client installation method.
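The discovery, boundary group and client push steps above can be done with the ConfigurationManager module as well. This is an added example, not code from the original post: it scopes System and User Discovery to specific containers, lets Forest Discovery create AD-site boundaries, puts those boundaries in a group with a DP, and checks that Admin$ is actually reachable before pushing the client to one device. The site code, domain, OUs, DP name and device name are assumptions.

```powershell
# Added example (not from the original post): configure AD discovery, build a boundary group,
# verify Admin$ reachability and push the client to one discovered device.
# Assumptions: site code P01, domain contoso.com, OU/DP/device names as below.

$SiteCode = 'P01'
$SystemOU = 'LDAP://OU=Workstations,DC=contoso,DC=com'   # assumed container for System Discovery
$UserOU   = 'LDAP://OU=Users,DC=contoso,DC=com'          # assumed container for User Discovery
$DP       = 'CM01.contoso.com'                            # assumed distribution point FQDN
$Device   = 'PC01'                                        # assumed discovered computer

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Discovery: scope System Discovery to one OU (recursive, with delta discovery) rather than the
# whole domain, enable User Discovery for user collections, and let Forest Discovery create
# AD-site boundaries automatically (the checkbox shown in Table 1)
Set-CMDiscoveryMethod -ActiveDirectorySystemDiscovery -SiteCode $SiteCode -Enabled $true `
    -AddActiveDirectoryContainer $SystemOU -Recursive -EnableDeltaDiscovery $true
Set-CMDiscoveryMethod -ActiveDirectoryUserDiscovery -SiteCode $SiteCode -Enabled $true `
    -AddActiveDirectoryContainer $UserOU -Recursive
Set-CMDiscoveryMethod -ActiveDirectoryForestDiscovery -SiteCode $SiteCode -Enabled $true `
    -EnableActiveDirectorySiteBoundaryCreation $true
Invoke-CMSystemDiscovery -SiteCode $SiteCode     # run now instead of waiting for the schedule; see adsysdis.log

# Boundary group: every AD-site boundary Forest Discovery created, with the DP as site system
$bg = New-CMBoundaryGroup -Name 'HQ Boundary Group' -AddSiteSystemServerName $DP -DefaultSiteCode $SiteCode
Get-CMBoundary | Where-Object BoundaryType -eq 1 |        # 1 = Active Directory site boundary
    ForEach-Object { Add-CMBoundaryToGroup -BoundaryId $_.BoundaryID -BoundaryGroupName $bg.Name }

# Client push needs the Admin$ share reachable from the site server and a push account that is
# local admin on the target. Test the share first so a failure in ccm.log is not a surprise.
if (-not (Test-Path "\\$Device\admin$")) {
    throw "\\$Device\admin$ is not reachable: fix the SMB firewall rule or use the Group Policy install method"
}
Install-CMClient -DeviceName $Device -SiteCode $SiteCode -AlwaysInstallClient $true -IncludeDomainController $false

Set-Location $env:SystemDrive
```

Test-Path runs as the console user, not as the client push account, so a passing check proves network reachability only; whether the push account really has local admin rights on the target still shows up in ccm.log on the site server.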

How to Perform SCCM AD Discovery Install SCCM Client – Fig.4





Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD

Let’s discuss the Azure AD Connect setup, the tool that syncs users and password hashes from the on-prem AD domain to Azure AD. SCCM admins must go through the AAD Connect setup to build an Intune and SCCM hybrid lab.

AAD Connect is the application used to sync on-prem AD with Azure AD. It can be installed on any domain-joined server-class machine. The sync operation is critical for organisations, and so is the server: it holds credentials for both directories and, with password hash sync, reads password hashes out of AD, so treat it with the same care as a domain controller.

If you only plan to sync password hashes to the cloud, the AAD Connect configuration is pretty straightforward. If you have specific or advanced requirements, expect to spend much more time on the initial setup.

The Express setup installs and configures a SQL Express database. Large organisations usually need the customised (advanced) settings instead, for example when custom attributes take part in the sync process.

In such environments the password hash may not be synced at all, and ADFS (federation) handles authentication instead.

Microsoft Azure Active Directory Connect

The window below shows the Microsoft Azure Active Directory Connect Express Settings. With a single Windows Server Active Directory forest, Express Settings will do the following:

  • Configure synchronization of identities in the current AD forest of ASST
  • Configure password synchronization from on-premises AD to Azure AD
  • Start an initial synchronization
  • Synchronize all attributes
  • Enable Auto Upgrade
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Table 1
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.1

Azure AD AAD Connect Setup

I selected Express Settings for my lab, so the installation is straightforward. You must provide two credentials during configuration: an Azure AD global administrator and an on-prem AD enterprise administrator. Each user’s UPN suffix should match one of the verified custom domains in Azure AD so that the on-premises credentials can be used for Azure AD sign-in.

I changed the UPN suffixes of four on-prem AD users so that they sync to Azure AD with a routable UPN. The high-level steps completed by the AAD Connect setup and configuration wizard are:

  • Install and Configure SQL Express DB
  • Install the synchronization engine
  • Configure Azure AD Connector
  • Configure On-Prem AD Connector
  • Enable Password Synchronization
  • Enable Auto Upgrade
  • Configure Azure AD Connect Health Agent for sync
  • Configure Synchronization services on the computer
  • End Results/Outcome of AAD Connect Sync
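Fixing UPN suffixes by hand works for four lab users; for a real domain you want to find every account that would sync with a non-routable UPN first. The following is an added example, not code from the original post: it pulls the verified domains from the tenant with the MSOnline module (the same module the post uses later) and lists enabled on-prem users whose UPN suffix is not among them. The OU to be synced and the target domain contoso.com are assumptions.

```powershell
# Added example (not from the original post): before the first sync, list on-prem users whose
# UPN suffix is not a verified Azure AD domain. Those users sync with a <tenant>.onmicrosoft.com
# UPN and cannot sign in to Azure AD with their on-prem UPN. Needs the ActiveDirectory RSAT
# module and the MSOnline module. The OU and the target domain are assumptions.

Import-Module ActiveDirectory
Connect-MsolService    # prompts for a global administrator

# Verified domains in the tenant (includes the default <tenant>.onmicrosoft.com)
$verified = Get-MsolDomain | Where-Object Status -eq 'Verified' | ForEach-Object { $_.Name.ToLower() }

function Get-UnroutableUpnUsers {
    param([string]$SearchBase = 'OU=Users,DC=contoso,DC=local')   # assumed OU that AAD Connect syncs
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
        ForEach-Object {
            # A missing UPN is as bad as a wrong suffix: AAD Connect falls back to the onmicrosoft.com domain
            $suffix = if ($_.UserPrincipalName) { ($_.UserPrincipalName -split '@')[-1].ToLower() } else { '' }
            if ($verified -notcontains $suffix) {
                [pscustomobject]@{ SamAccountName = $_.SamAccountName; UPN = $_.UserPrincipalName; Suffix = $suffix }
            }
        }
}

$bad = Get-UnroutableUpnUsers
$bad | Format-Table -AutoSize

# Remediation: rewrite the suffix to a verified domain (what the post did by hand for four users).
# Review the list first; this changes the name the user types at sign-in.
# $bad | ForEach-Object { Set-ADUser $_.SamAccountName -UserPrincipalName "$($_.SamAccountName)@contoso.com" }
```

Run this before enabling the sync; changing a UPN after the object has synced is supported, but it changes the cloud sign-in name of a user who may already be enrolled on devices.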
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.2

The sync starts as soon as the AAD Connect setup and configuration finish. As the screen capture above shows, the configuration completed successfully on my on-prem AD server. To confirm that on-prem users and groups synced to Azure AD, log in to portal.azure.com and check the user IDs.

Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.3

Azure AD Connect syncs on-prem user identities/attributes and password hashes to Azure AD. Its installation and configuration are very straightforward with Express Settings 🙂.

I have a video tutorial here that explains the AAD Connect configuration, how to enable MFA for Azure AD join of Windows 10 devices, and Twitter app integration with Azure AD.

This post also covers the following Azure AD (AAD) sync topics:

  1. Where is the scheduled task that used to run the Azure AD sync?
  2. How to create a service connection point in on-premises Active Directory?
  3. Video Tutorial – How to Sync On-Prem AD User Accounts with Azure AD

Windows 10 MDM devices can write back to on-prem AD. More details are available here. AAD Connect is mandatory for the device write-back feature.

Earlier versions of Azure AD Connect used a Windows scheduled task to run the sync of on-prem objects and attributes. Current versions have a built-in scheduler, so you will not find a scheduled task for AAD Connect any more.

The default synchronization frequency is now 30 minutes. You can view the schedule with the PowerShell cmdlet Get-ADSyncScheduler and change it with Set-ADSyncScheduler; the parameters are documented here.

Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.4
PS C:\Users\anoop\Desktop> Get-ADSyncScheduler
AllowedSyncCycleInterval            : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval         :
NextSyncCyclePolicyType             : Delta
NextSyncCycleStartTimeInUTC         : 26-05-2016 02:06:23
PurgeRunHistoryInterval             : 7.00:00:00
SyncCycleEnabled                    : True
MaintenanceEnabled                  : True
StagingModeEnabled                  : False

I had trouble creating the service connection point (SCP) in on-premises Active Directory. The SCP is what lets you “Connect domain-joined devices to Azure AD for Windows 10 experiences” (hybrid Azure AD join). I followed the documentation here to configure it but got stuck on the PowerShell commands; I ran them as documented with no luck.

After that, I installed the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell (MSOnline). Then I ran the following PowerShell commands, which worked like a champ!

Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.5
# Sign in to Azure AD with the MSOnline module (prompts for a global administrator)
PS C:\Users\anoop\Desktop> Connect-MsolService

# Load the AdSyncPrep module that ships with Azure AD Connect
PS C:\Users\anoop\Desktop> Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"

# Create the SCP. AdConnectorAccount is the AD DS connector account used by AAD Connect;
# AzureADCredentials is a PSCredential for the Azure AD global administrator.
PS C:\Users\anoop\Desktop> Initialize-ADSyncDomainJoinedComputerSync

cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: nair\Anoop
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete
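“Configuration Complete” only says the cmdlet ran; every domain-joined Windows 10 device will read that SCP to decide which tenant to register with, so it is worth confirming the object and its keywords. This is an added example, not part of the original post: it reads the SCP from the configuration partition (the object name is the fixed, well-known GUID) and prints the tenant name and ID it points to. It needs only the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original post): confirm that Initialize-ADSyncDomainJoinedComputerSync
# created the service connection point (SCP) that domain-joined Windows 10 devices read to find the
# tenant for hybrid Azure AD join. The SCP lives under a fixed, well-known GUID. Needs the
# ActiveDirectory RSAT module.

Import-Module ActiveDirectory

function Get-AzureAdScp {
    $config = (Get-ADRootDSE).configurationNamingContext
    $scpDn  = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$config"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop

    # keywords hold "azureADName:<tenant domain>" and "azureADId:<tenant GUID>"
    $kw = @{}
    foreach ($k in $scp.keywords) {
        $name, $value = $k -split ':', 2
        $kw[$name] = $value
    }
    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        TenantName        = $kw['azureADName']
        TenantId          = $kw['azureADId']
    }
}

try {
    $scp = Get-AzureAdScp
    $scp | Format-List

    # A wrong tenant here sends every domain-joined PC to register with someone else's tenant,
    # so compare the values with the tenant shown in portal.azure.com before relying on them.
    if (-not $scp.TenantId) { Write-Warning 'SCP exists but has no azureADId keyword' }
} catch {
    Write-Warning "SCP not found: $($_.Exception.Message). Re-run Initialize-ADSyncDomainJoinedComputerSync."
}
```

Only Enterprise Admins can write to this part of the configuration partition, which is why the cmdlet asks for a privileged AD account; auditing changes to the SCP is cheap insurance against a device-registration redirect.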

How to Sync On-Prem AD User Accounts with Azure AD

The SCCM Intune step-by-step training video guides help you understand the AAD Connect configuration, how to enable MFA for Azure AD join of a Windows 10 device, and how to integrate the Twitter app with Azure AD.

In the video I have already downloaded and installed the AAD Connect tool, and I show how to configure it and start syncing.

Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Video 1




New SCCM Server Installation Step by Step Guide

This post is the new SCCM server installation step-by-step guide covering the end-to-end scenario. The SCCM team recently released the latest baseline version of the current branch, 1702.

Why does the baseline version matter? The SCCM CB baseline is the version you can download directly from the Evaluation Center/MSDN/VLSC and install on a new SCCM server.

SCCM 1702 can also upgrade an existing SCCM 2012 infrastructure. Once installed, SCCM CB is updated to later versions through in-console servicing.

  • Prerequisite – Server Roles and Features
  • Prerequisite – Installation of SQL 2014
  • Prerequisite – ADK for Windows 10 P
  • Prerequisite – AD Schema Extension
  • Install – SCCM/ConfigMgr Baseline version Standalone Primary

New SCCM Server Installation Step-by-Step Guide

This guide provides simple step-by-step instructions for installing a new SCCM server. First, prepare your environment by ensuring all necessary prerequisites are met, such as installing a supported Windows Server and SQL Server. Next, download the SCCM installation files and run the setup.

Table 1 – Microsoft System Center Configuration Manager, Version 1702; Console version: 5.00.8498.1700; Site version: 5.0.8498.1000
New SCCM Server Installation Step by Step Guide – Fig.1

Step by Step Video Guide for SCCM CB 1702 Baseline Version Installation

This step-by-step video guide shows you how to install the SCCM Current Branch (CB) 1702 Baseline version. It covers all the necessary prerequisites, including the server roles and features you must set up beforehand.

New SCCM Server Installation Step by Step Guide – Video 1

Prerequisites

You can’t install the SCCM/ConfigMgr baseline version if the server OS is Windows Server 2008 R2. The minimum OS for the site server is Windows Server 2012 or later. More details are here.

Also make sure the server where you plan to install the baseline version has a supported SQL Server version. SQL Server 2008 R2 SP3 is not supported; you need at least SQL Server 2012 SP3.

IIS, BITS, .NET

I added the following roles and features: IIS (for MP/DP), BITS (for MP), .NET Framework 3.5, Remote Differential Compression, and the AD DS and AD LDS tools. I didn’t add WSUS because I plan to add the SUP role later. If you plan to install the SUP role on the primary server itself, add the WSUS role; if the SUP will live on a remote server, install only the WSUS console on the primary.

New SCCM Server Installation Step by Step Guide – Fig.2

Is .NET Framework 3.5 SP1 still required? Yes! On Server 2016, specify an alternate source path for .NET under “Specify the location of the needed files”: D:\Sources\sxs, the sxs folder on the installation media.

NOTE! – If you get the error “The request to add or remove features on the specified server failed.”, restart the server and try again with the alternate path “D:\Sources\sxs”; that is my experience on Windows Server 2016.

Install SQL DB for the SCCM Server

I installed SQL 2014; you don’t have to worry about the .NET warnings during its setup. As the video tutorial for the SQL setup shows, I selected only the following features, which are what SCCM CB requires:

  1. Database Engine Services
  2. Reporting Services
  3. Management Tools

I installed SQL on the default instance and configured the services as shown in the video tutorial for the ConfigMgr baseline version installation. Microsoft recommends a separate account for each SQL Server service; I used the same account for all of them because this is a lab environment.

Services configured: SQL Server Agent, SQL Server Database Engine, and SQL Server Reporting Services.

I selected the collation SCCM/ConfigMgr requires: SQL_Latin1_General_CP1_CI_AS.

New SCCM Server Installation Step by Step Guide – Fig.3

Install Windows ADK

I installed ADK for Windows 10, and during the installation, I selected only Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tools (USMT).

The AD schema has to be extended if you have not already extended it for a previous version of SCCM. Schema extension is not mandatory, but I recommend it because publishing site information to AD makes SCCM management (client site assignment and management point lookup) much easier.

New SCCM Server Installation Step by Step Guide – Fig.4

Extend AD Schema

Run extadsch.exe from the SCCM/ConfigMgr baseline version media on the primary server. The user running it must be a member of Schema Admins. The second part is to create the System Management container under CN=System with ADSI Edit and grant the primary site server’s computer account Full Control on that container and all descendant objects, so the site can publish to AD.
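Before running the SCCM setup it pays to verify each of the prerequisites above in one pass. The following is an added example, not code from the original post: run on the intended primary site server, it checks the roles and features, the SQL collation, whether extadsch.exe has already extended the schema, and whether the System Management container exists with Full Control for this server’s computer account. The SQL instance name is an assumption, and the SqlServer module (or the older SQLPS module) must be present for the collation check.

```powershell
# Added example (not from the original post): pre-flight check of the prerequisites the post
# installs by hand, run on the intended primary site server. The SQL instance is an assumption.

Import-Module ServerManager, ActiveDirectory
$SqlInstance = 'CM01'   # assumed: default instance on the local server

# 1. Windows roles and features the post adds (IIS, BITS, .NET 3.5, RDC, AD DS/LDS tools)
$features = 'Web-Server', 'BITS', 'NET-Framework-Core', 'RDC', 'RSAT-ADDS', 'RSAT-ADLDS'
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name
if ($missing) { Write-Warning "Missing features: $($missing -join ', ')" } else { 'Roles/features: OK' }

# 2. SQL collation must be SQL_Latin1_General_CP1_CI_AS; setup refuses anything else
Import-Module SqlServer -ErrorAction SilentlyContinue
$collation = (Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "SELECT SERVERPROPERTY('Collation') AS c").c
if ($collation -ne 'SQL_Latin1_General_CP1_CI_AS') { Write-Warning "SQL collation is $collation" } else { 'SQL collation: OK' }

# 3. Schema extended? extadsch.exe adds classes such as mS-SMS-Site to the schema partition
$schema = (Get-ADRootDSE).schemaNamingContext
$ext = Get-ADObject -SearchBase $schema -Filter { lDAPDisplayName -eq 'mS-SMS-Site' }
if ($ext) { 'AD schema: extended' } else { Write-Warning 'AD schema not extended (run extadsch.exe as a Schema Admin)' }

# 4. System Management container exists and this server's computer account has Full Control
$domainDn = (Get-ADDomain).DistinguishedName
$smDn = "CN=System Management,CN=System,$domainDn"
try {
    Get-ADObject -Identity $smDn -ErrorAction Stop | Out-Null
    $acl  = Get-Acl "AD:\$smDn"
    $me   = "$env:USERDOMAIN\$env:COMPUTERNAME`$"     # the site server's computer account
    $full = $acl.Access | Where-Object {
        $_.IdentityReference -eq $me -and $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll'       # GenericAll = Full Control
    }
    if ($full) { 'System Management container ACL: OK' } else { Write-Warning "$me lacks Full Control on $smDn" }
} catch {
    Write-Warning "Container $smDn does not exist; create it with ADSI Edit"
}
```

Check 4 confirms the ACE is present but not that it applies to descendant objects; if the site later fails to publish, compare the InheritanceType of that ACE with "This object and all descendant objects" in ADSI Edit.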





Software Update Policy Rings in Intune MEM

Let’s see how to configure software update policy rings in Intune (MEM). How do you set up Windows 10 software update rings in Intune?

Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. You configure a Windows software update ring policy and deploy it to the Windows 10 devices.

I have an updated post on Intune monthly patching guide, troubleshooting, etc. Cloud PC Monthly Patching Process Using Intune. Another guide on Intune patching – Software Update Patching Options With Intune Setup Guide (anoopcnair.com)

Windows 10 devices receive the updates directly from Microsoft Update. Unlike SCCM, there is no need to download the updates, create a package, and deploy it to the devices (as seen in the video post here); Intune only sets the Windows Update for Business policy on the device.

Windows Update for Business will give us more options to configure and control the behavior of Windows 10 updates and Servicing. Update:- FIX CBB Ring Devices are Getting Windows 10 CB (SAC-T) Updates Intune Windows 10 Update Rings.

Intune Video Software Update Rings Setup Design Decisions

This video guide is about Software Update Policy Rings in Intune MEM. It explains how to set up and manage these policy rings to control when and how updates are applied to your devices. This guide will teach you to update and secure your devices using Intune MEM.

Software Update Policy Rings in Intune MEM – Video 1

Software Update Policy Rings in Intune MEM

We have an out-of-the-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policy. However, I have noticed that this policy has stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.

If your Silverlight portal has not yet been migrated to the MEM portal, the first choice is to use custom policies in the Intune Silverlight portal. I have a post here about Intune Silverlight migration blockers.

The second choice is to control Windows Update for business via the Software Updates button in the Intune blade in the MEM portal. We will cover this in this post.

Software Update Policy Rings in Intune MEM – Fig.1

Basic Test Rings for Windows 10 Software Update

As a fundamental requirement, we may need to create at least two Windows 10 Software Update Policy Rings for your organization. One Windows 10 Update ring is for Windows 10 machines in the Current Branch (CB).

The second Windows 10 update ring is for Windows 10 machines in the Current Branch for Business (CBB). Windows 10 update rings evolve as you progress with your organization’s testing and development. But this is the first stage of your testing of Software update deployments.

  • Windows 10 CB Update Ring - All the devices in Current Branch
  • Windows 10 CBB Update Ring - All the devices in Current Branch for Business

Pilot and Production Rings for Windows 10 or Windows 11 Servicing

Another recommendation is to create different Windows 10 Software Update Policy Rings for deferrals of Windows 10 servicing branches CB and CBB. The rings can be delayed for a maximum of 30 days.

These two update rings would help with the latest Windows 10 CB/CBB servicing updates (e.g., upgrading from 1607 to 1703) with some pilot devices rather than simultaneously deploying servicing updates to all the devices.

During the CB pilot testing, if you find any problems with the upgrade and don’t want to deploy the update to the CBB ring, you can PAUSE the updates for the production ring.

  • Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
  • Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
  • Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
  • Production Windows 10 CB Updates Ring - Production Servicing Ring for CB

Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches

I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.

One ring is for the pilot machines running Windows 10 CBB, and the second ring is for the production machines running Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.

  • Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
  • Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
  • Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring
Software Update Policy Rings in Intune MEM – Fig.2

How to Create Advanced Windows 10 Software Update Rings?

There could be other complex scenarios of Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of your organisation’s region or business group. Some of the other essential options you have in Windows 10 Software Update Policy Rings are:

  • Windows 10 Automatic update behavior – How do you want to perform scan, download, and install updates? Scheduling options for Windows updates.
  • Do you want to update Windows 10 drivers as part of your patch deployment rings?
  • What kind of Delivery optimization (Build a caching solution with Windows 10) do you want to use?
  • Delivery Optimization Download Mode: HTTP blended with peering behind same NAT
Software Update Policy Rings in Intune MEM – Table 1
Software Update Policy Rings in Intune MEM – Fig.3

Deployment – Assignment of Windows 10 Software Update Rings

Windows 10 Software Update Policy Ring deployments/assignments are critical decisions. I recommend using dynamic device groups wherever possible, but at the moment, this is not possible for all scenarios. In some scenarios, we need to use static device/user groups. I hope Microsoft will develop assignment exclusion group options (similar to AAD Conditional Access policies).

Exclusion groups would be instrumental in Software Update ring deployment scenarios. For example, you want to exclude pilot devices from the production software update ring deployments, which is impossible without exclusion options.


SCCM CB Nested Task Sequence PS Detection Method

Let’s discuss the SCCM CB Nested Task Sequence PS Detection Method. SCCM/ConfigMgr preview release 1704 has many exciting features.

The video embedded in this post covers all the installation steps and new features. First, I could see some differences in the Updates and Servicing of SCCM CB.

The ConfigMgr CB 1704 preview version was shown as available to download in the console, but it didn’t start downloading the 1704 update. I think it may begin to download automatically after 24 hours, but I have not tested it.

This post will provide comprehensive details about the SCCM Current Branch (CB) Nested Task Sequence PowerShell Detection Method. It explains how to effectively use PowerShell scripts to detect and manage nested task sequences within SCCM, ensuring efficient deployment and maintenance of software and updates.

SCCM TP 1704 Video Tutorial Parent Child TS

This video guide is about the SCCM Technical Preview 1704, specifically focusing on Parent-Child Task Sequences. It explains how to create and manage these task sequences in simple terms, making organising and executing multiple related tasks easier.

SCCM CB Nested Task Sequence PS Detection Method – Video 1

SCCM CB Nested Task Sequence PS Detection Method

As you can see in the SCCM video tutorial, I started the preview version download by right-clicking on the available update in the console. You can also check the status of the download via the DMPDOWNLOADER.log file. 

SCCM CB Nested Task Sequence PS Detection Method – Fig.1

The stages of the in-console upgrade of the CB preview are:

  • Available to Download
  • Downloading
  • Ready to Install
  • Checking Prerequisites
  • Installing
  • Console Upgrade

Nested Task Sequence PS Detection Method

Most SCCM admins are waiting for a feature called nested Task Sequence. With the latest SCCM preview version 1704, we can create a parent-child relationship within the task sequence. This will help you nest/call a task sequence within another task sequence.

This feature should be used carefully; otherwise, it could become very complex. I wanted to see how complex Task Sequence troubleshooting would evolve with the introduction of TS nesting.

  • I have also seen that SMSTS.log logging has improved in the SCCM CB preview version.
SCCM CB Nested Task Sequence PS Detection Method – Fig.2

A PowerShell script can be used as the detection method for deployment types in SCCM CB Preview version 1704; the script determines whether the application is installed. We have three script types (PowerShell, VBScript, and JavaScript) for detecting the application as part of the deployment type.

Script Types:
  • PowerShell
  • VBScript
  • JavaScript
SCCM CB Nested Task Sequence PS Detection Method – Table 1
SCCM CB Nested Task Sequence PS Detection Method – Fig.3
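As an added example (not from the original post), here is a PowerShell detection script in the form ConfigMgr expects for a script-based detection method: output on STDOUT with exit code 0 means installed, no output with exit code 0 means not installed, and anything on STDERR or a non-zero exit code is reported as a detection error. The product name, registry locations and minimum version below are placeholders.

```powershell
# Added example: ConfigMgr deployment-type detection script (PowerShell).
# Convention: STDOUT + exit 0 => installed; no output + exit 0 => not installed;
# STDERR or non-zero exit => detection failure (visible in AppEnforce.log).
# Product name, registry roots and version are placeholders, not from the post.

$expectedDisplayName = 'Contoso Agent'      # placeholder product name
$minimumVersion      = [version]'2.5.0.0'   # placeholder minimum acceptable version

# Check both native and 32-bit (WOW6432Node) uninstall hives so the result does
# not depend on whether the client runs the script as a 32-bit or 64-bit process.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProduct {
    param([string]$DisplayName, [string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($props.DisplayName -eq $DisplayName) { return $props }
        }
    }
    return $null
}

function Test-VersionAtLeast {
    param([string]$Installed, [version]$Minimum)
    $parsed = $null
    # A missing or unparseable DisplayVersion is treated as "not installed" rather
    # than as an error, so a broken install triggers a re-install instead of a failure.
    if ([version]::TryParse($Installed, [ref]$parsed)) { return $parsed -ge $Minimum }
    return $false
}

try {
    $product = Get-InstalledProduct -DisplayName $expectedDisplayName -Roots $uninstallRoots
    if ($product -and (Test-VersionAtLeast -Installed $product.DisplayVersion -Minimum $minimumVersion)) {
        # Any output here makes ConfigMgr treat the deployment type as installed.
        Write-Output "Detected $($product.DisplayName) $($product.DisplayVersion)"
    }
    # No output => not installed; exit code stays 0 in both cases.
    exit 0
}
catch {
    # Surface unexpected errors as a detection failure instead of a silent "not installed".
    Write-Error $_
    exit 1
}
```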

Android for Work applications can be configured automatically with the JSON file upload option in SCCM/ConfigMgr CB preview version 1704. The option of configuring Android for Work apps with a complex property list using a JSON file is very useful for configuring A4W apps.

  • I have not seen this option in the Intune stand-alone version, so it will be very useful for hybrid customers once it is available in the production version.
  • SCCM Preview version 1704 comes with loads of new features.
  • However, I have noticed a few changes in the MDM channel configuration policies for iOS and Android devices.
  • Moreover, there are a few new additions in terms of compliance policies in SCCM CB Preview version 1704.
SCCM CB Nested Task Sequence PS Detection Method – Fig.4


How to Plan Design Intune Compliance Policy for Android Devices

Let’s discuss planning and designing an Intune Compliance Policy for Android Devices. This post will provide more details about planning and implementing the policy.

Intune compliance policies are the first step of protection before giving access to corporate apps and data. Planning and designing compliance policies for Android devices is essential, as Android is more vulnerable than other operating systems.

Compliance policies and rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

Update: If you use or support Android for Work enrollment, select Android for Work as the platform of the compliance policy. Otherwise, the Android compliance policy will evaluate the devices and report that the policy does not apply to Android for Work-enrolled devices.

How to Setup Intune Compliance Policies for Android

This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.

How to Plan Design Intune Compliance Policy for Android Devices – Video 1

How to Setup Android Device Compliance Policy – How to Plan Design Intune Compliance Policy for Android Devices

Sign in to the Endpoint Manager portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

Select Intune – Device Compliance – Policies and click on the +Create policy button to create a new compliance policy. Select the platform “Android.” Settings configurations are significant for compliance policies.

  • There are some improvements in Azure portal Android compliance policies.
  • There are three categories in Android compliance policies: Device Health, Device Properties, and System Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.1

  • Device Health is where the compliance engine checks whether Android devices should be reported. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
  • Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
    • Operating System Version
    • Minimum Android OS version
    • Maximum Android OS version
  • System Security is the setting where Intune Admins define password policies for Windows devices. These settings have three sections: Password, Encryption, and Device Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.2

Password Compliance Policy for Android – I would require a complex alphanumeric password for Android devices and configure all of the settings below.

Password Compliance Policy for Android:
  • Require a password to unlock mobile devices
  • Minimum password length
  • Required password type
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
How to Plan Design Intune Compliance Policy for Android Devices – Table 1

Encryption Compliance Policy for Android – Encryption should be a must in your Android compliance policy: require encryption of data storage on the device. Device Security Compliance Policy for Android – Block apps from unknown sources and Block USB debugging on Android devices. These settings are essential and should be enabled:

  • Block apps from unknown sources
  • Require threat scan on apps
  • Block USB debugging on the device
  • Minimum security patch level
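The password, encryption and device-security settings above can also be expressed as a Microsoft Graph androidCompliancePolicy object. The following PowerShell is an added example, not the post’s own, that builds that policy body from the settings listed here; the policy name, the numeric thresholds and the patch-level date are assumed placeholders, and the Microsoft.Graph.Authentication module (Connect-MgGraph / Invoke-MgGraphRequest) is assumed only for the optional publish step.

```powershell
# Added example: build (and optionally create) an Intune Android compliance policy via
# Microsoft Graph, mirroring the Password, Encryption and Device Security settings above.
# Placeholder values are marked; review them against your own baseline before publishing.

function New-AndroidCompliancePolicyBody {
    param(
        [string]$DisplayName               = 'Android - Baseline Compliance',  # placeholder name
        [int]$MinimumPasswordLength        = 8,        # placeholder threshold
        [int]$InactivityMinutes            = 5,        # placeholder threshold
        [int]$PasswordExpirationDays       = 90,       # placeholder threshold
        [int]$PreviousPasswordBlockCount   = 5,        # placeholder threshold
        [string]$MinimumOsVersion          = '6.0',    # post recommends Android 6 as the minimum
        [string]$MinimumSecurityPatchLevel = '2017-06-01'  # placeholder patch level (yyyy-MM-dd)
    )
    @{
        '@odata.type' = '#microsoft.graph.androidCompliancePolicy'
        displayName   = $DisplayName
        description   = 'Built from example script; review before assigning.'
        # Password (Table 1 above)
        passwordRequired                      = $true
        passwordMinimumLength                 = $MinimumPasswordLength
        passwordRequiredType                  = 'alphanumeric'   # complex alphanumeric, as recommended
        passwordMinutesOfInactivityBeforeLock = $InactivityMinutes
        passwordExpirationDays                = $PasswordExpirationDays
        passwordPreviousPasswordBlockCount    = $PreviousPasswordBlockCount
        # Encryption
        storageRequireEncryption              = $true
        # Device Security
        securityPreventInstallAppsFromUnknownSources = $true   # Block apps from unknown sources
        securityRequireVerifyApps             = $true          # Require threat scan on apps
        securityDisableUsbDebugging           = $true          # Block USB debugging
        minAndroidSecurityPatchLevel          = $MinimumSecurityPatchLevel
        # Device Properties / Device Health
        osMinimumVersion                      = $MinimumOsVersion
        securityBlockJailbrokenDevices        = $true          # rooted devices are non-compliant
        # Graph rejects a new compliance policy without at least one noncompliance action;
        # "block" with a zero-hour grace period marks the device non-compliant immediately.
        scheduledActionsForRule = @(
            @{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = 0 }
                )
            }
        )
    }
}

function Publish-AndroidCompliancePolicy {
    param([hashtable]$Body)
    # Requires a prior: Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
    $json = $Body | ConvertTo-Json -Depth 6
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
        -Body $json -ContentType 'application/json'
}

# Dry run: render the payload so it can be reviewed before anything is created.
$policyBody = New-AndroidCompliancePolicyBody
$policyBody | ConvertTo-Json -Depth 6
# Publish-AndroidCompliancePolicy -Body $policyBody   # uncomment after review
```

Assignment to the group is a separate Graph call (the assign action on the created policy), which matches the portal flow of creating the policy first and then choosing the group under Assignments.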

Deploy the Android compliance policy to the dynamic device group of all Android devices. (Update: device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.) Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

How to Plan Design Intune Compliance Policy for Android Devices – Fig.3


How to Setup Intune Compliance Policy for Windows 10 Devices

Let’s discuss setting up an Intune Compliance Policy for Windows 10 Devices. This post will show how to do so. Managing Windows 10 devices is critical in modern device management.

Intune compliance policies are the initial safeguard in securing access to corporate applications. These policies help ensure that devices meet predefined security and compliance standards, preventing unauthorized or non-compliant devices from accessing sensitive corporate resources.

The Intune Compliance Policy for Windows 10 helps protect company data. The organization must ensure that the devices that access company apps and data comply with specific rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.

This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

How to Setup Intune Compliance Policies for Windows 10

This video guide shows you how to set up Intune compliance policies for Windows 10. It walks you through each step clearly and simply, making it easy to follow.

How to Setup Intune Compliance Policy for Windows 10 Devices – Video 1

How to Setup Intune Compliance Policy for Windows 10 Devices

Sign in to the MEM portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.

How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.1

Select Intune – Device Compliance – Policies and click on the +Create policy button to create a new compliance policy. Select the platform “Windows 10.” Settings configurations are really important for compliance policies. There have been some improvements in Azure portal Windows 10 compliance policies.

The 3 categories in Windows 10 compliance policies are shown in the table below.

Windows 10 Compliance Policies:
  • Device Health
  • Device Properties
  • System Security
How to Setup Intune Compliance Policy for Windows 10 Devices – Table 1
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.2

Device Health is the setting where the compliance engine will check whether Windows 10 devices are reported as healthy by the Windows device Health Attestation Service (HAS). The device health attestation service includes loads of checks, such as TPM 2.0 (the requirement for the latest build of Windows 10 is TPM 1.0), BitLocker encryption, etc.

  • Device Properties is the setting where Intune Admins define the minimum and the maximum versions of operating system details for the corporate application access. Operating System Version.
    • Minimum OS version
    • Maximum OS version
    • Minimum OS version for mobile devices
    • Maximum OS version for mobile devices

System Security is the setting where Intune Admins define password policies for Windows devices. These settings have two sections: Password and Encryption. Password Policy – you don’t need to set the Windows password policy here if you already use “Windows Hello for Business.”

  • Require a password to unlock mobile devices
  • Simple passwords
  • Password type (Device default, Alphanumeric, Numeric)
  • Minimum password length
  • Maximum minutes of inactivity before the password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • A password is required when the device returns from an idle state (mobile only)

Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy.

  • Encryption of data storage on a device
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.3

Deploy the Windows 10 compliance policy to the dynamic device group of all Windows devices. (Update: device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.)

  • Click on Assignment and select the dynamic device group.
  • I would use AAD dynamic device groups rather than user groups to deploy compliance policies.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.4


How to Setup Intune Compliance Policy for iOS Devices

Let’s discuss setting up an Intune Compliance Policy for iOS Devices. This post will explain how to do so. An Intune Compliance Policy ensures that iOS devices accessing company data meet specific security standards.

Enforcing these policies can help protect your organization’s data from unauthorized access and potential security threats. The organization must ensure that the devices that access company apps and data comply with specific rules.

These rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.

A compliance policy is a set of guidelines that devices must meet to access organizational resources. It ensures that only secure and compliant devices can access company data, reducing the risk of data breaches or unauthorized access.

How to Setup Intune Compliance Policies for iOS

In this video, you will learn all the details on how to set up Intune compliance policies for iOS devices. We’ll guide you through creating and configuring these policies to ensure your company’s data remains secure.

How to Setup Intune Compliance Policy for iOS Devices – Video 1

How Do You Set Up the Intune Compliance Policy for iOS?

Sign in to the Azure portal with an Intune admin access account. Select More services, enter Intune in the text box, and select Enter. Select Intune – Device Compliance – Policies and click the +Create policy button to create a new compliance policy. Select the platform “iOS”.

  1. Settings configurations are significant for compliance policy. In terms of password settings, Azure portal iOS compliance policies have improved.
  2. iOS compliance policies have four categories: Email, Device Health, Device Properties, and System Security.
  3. Email settings require mobile devices to have a managed email profile to access corporate resources.
  4. The Device Health setting will check whether the device is jailbroken or not. If the iOS device is jailbroken, it won’t provide mail access to that device.
  5. The device Properties setting will check the OS version of the device and the minimum version of the iOS OS.
  6. The System Security setting is based mainly on password settings. There are some improvements over the Intune Silverlight portal here. We can have the option not to configure some of the settings, like “Number of non-alphanumeric characters in password.” This was not possible with the Intune Silverlight portal.
System Security password settings for iOS:
  • Require a password to unlock mobile devices
  • Simple passwords
  • Minimum password length
  • Required password type (Not Configured, Alphanumeric, Numeric)
  • Number of non-alphanumeric characters in the password
  • Maximum minutes of inactivity before a password is required
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
How to Setup Intune Compliance Policy for iOS Devices – Table 1

Deploy the Intune Compliance Policy for iOS to the dynamic device group of all iOS devices. Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.

(Update: device groups are not supported for compliance policies; hence, use user groups for Intune compliance policies.)

How to Setup Intune Compliance Policy for iOS Devices – Fig.1


SCCM Dynamic Collection Query Update Known Issue

Let’s discuss the SCCM Dynamic Collection Query Update Known Issue. SCCM/ConfigMgr dynamic collection query can be evil in some scenarios. It’s straightforward to make mistakes while editing already existing dynamic queries.

It’s better with device-based dynamic collections in the SCCM CB environment (they give a warning pop-up, as seen in the video below). Still, the behaviour is not as good for user-based dynamic collections.

I have created a quick video to demonstrate this issue here. I have asked Kannan C S to share his experience on this topic. He is a Sr. Infra Architect with several years of SCCM and System Center experience. I will let Kannan C S explain his experience in detail.

I’m Kannan C S, and I work as a Sr. Infra Architect at a leading IT company. I have 15 years of IT experience. I have worked with Configuration Manager [Designing, Implementation, Migration, and Support], System Center Orchestrator [Designing and Implementation], and Windows Server support. You can refer to my blog here.

Related Post – SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)

SCCM CB 1702 Dynamic Collection Query Update is or can be Evil?

The video details the SCCM CB 1702 Dynamic Collection Query Update and explores whether it can have negative consequences. It discusses the potential risks and issues associated with using dynamic queries in this version of SCCM, helping you understand how to manage and mitigate any problems effectively.

SCCM Dynamic Collection Query Update Known Issue – Video 1

SCCM Dynamic Collection Query Update Known Issue

I have seen the dynamic collection query update issues in different organizations, mainly with L1 and L2 teams where we lack real SCCM expertise. I have already created a user voice item. Please vote this up: User Voice – Collection Query.

SCCM Dynamic Collection Query Update Known Issue – Fig.1

Known Issue?

I am looking at the issue/design from SMS 2003 to SCCM 2012 (and even SCCM CB). I am unsure whether there is any purpose behind this design of the collection default query, select * from sms_r_system / select * from sms_R_User. Suppose a user has created a query-based device or user collection and there is a modification to be made in the query: they remove the entire query and click OK.

  • If the user clicks OK, the default query select * from sms_r_system / select * from sms_R_User is automatically applied.
  • It will target all systems or users, with “All Systems”/“All Users” as the limiting collection.
  • This causes serious issues in most companies, where deployment is performed by L1 or L2 engineers.
  • It is not documented in MS TechNet or the blog. I strongly recommend having some mechanism to avoid this kind of change in upcoming releases.
  • I have provided the impact screenshots below. To modify the collection query, click Edit.

  • Membership Rule Name: Install
  • Type: Query
  • Collection ID: Not Applicable
SCCM Dynamic Collection Query Update Known Issue – Table 1
SCCM Dynamic Collection Query Update Known Issue – Fig.2

Click Edit Query Statement. SCCM uses the Windows Management Instrumentation (WMI) Query Language (WQL) to query the site database. The screenshot below shows the Edit query statement.

SCCM Dynamic Collection Query Update Known Issue – Fig.3

The window below shows the General tab of the Oracle database 12c Query Statement Properties. Click Show Query Language.

SCCM Dynamic Collection Query Update Known Issue – Fig.4

Select the entire query in the Query Statement dialog box. Click Delete.

SCCM Dynamic Collection Query Update Known Issue – Fig.5

You can see the Query Statement section in the Oracle database 12c Query Statement Properties window below. Click OK in this window.

SCCM Dynamic Collection Query Update Known Issue – Fig.6

By default, the rule reverts to the Select * from SMS_R_System / select * from sms_R_User query. From then on, a deployment targeted to that specific collection is effectively mapped to all devices, including workstations and servers.

SCCM Dynamic Collection Query Update Known Issue – Fig.7
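To find collections already affected by this behaviour, here is an added PowerShell audit (not part of the original post) that lists custom collections whose query membership rule has fallen back to the bare select * from SMS_R_System / SMS_R_User query, together with their limiting collection. It uses the ConfigMgr console cmdlets; the site code and site server name are placeholders.

```powershell
# Added example: audit ConfigMgr collections for membership rules that contain only the
# default "select * from SMS_R_System" / "select * from SMS_R_User" query, which is what a
# rule reverts to when the query text is deleted and OK is clicked (see above).
# Run from a machine with the ConfigMgr console installed. Site code/server are placeholders.
param(
    [string]$SiteCode   = 'P01',                 # placeholder site code
    [string]$SiteServer = 'cm01.contoso.local'   # placeholder site server FQDN
)

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Case-insensitive (PowerShell default) and tolerant of extra whitespace, so
# "SELECT  *  FROM  SMS_R_System" is caught as well as the lower-case variant.
$defaultQueryPattern = '^\s*select\s+\*\s+from\s+sms_r_(system|user)\s*$'

function Test-DefaultCollectionQuery {
    param([string]$QueryExpression)
    return ($QueryExpression -match $defaultQueryPattern)
}

$findings = foreach ($collection in Get-CMCollection) {
    # Built-in collections (IDs starting with SMS) legitimately use the default query.
    if ($collection.CollectionID -like 'SMS*') { continue }

    # CollectionType 1 = user collection, 2 = device collection
    $rules = if ($collection.CollectionType -eq 1) {
        Get-CMUserCollectionQueryMembershipRule -CollectionId $collection.CollectionID
    } else {
        Get-CMDeviceCollectionQueryMembershipRule -CollectionId $collection.CollectionID
    }

    foreach ($rule in @($rules)) {
        if (Test-DefaultCollectionQuery -QueryExpression $rule.QueryExpression) {
            [pscustomobject]@{
                CollectionID       = $collection.CollectionID
                CollectionName     = $collection.Name
                RuleName           = $rule.RuleName
                LimitingCollection = $collection.LimitToCollectionName
                Query              = $rule.QueryExpression.Trim()
            }
        }
    }
}

if ($findings) {
    # A default query means every deployment on the collection reaches the whole
    # limiting collection, so each hit should be reviewed before the next deployment.
    Write-Warning "$(@($findings).Count) custom collection rule(s) use the default query."
    $findings | Sort-Object CollectionName | Format-Table -AutoSize
} else {
    Write-Host 'No custom collections use the default SMS_R_System / SMS_R_User query.'
}
```

Scheduling this as a periodic report gives the L1/L2 teams mentioned above a way to catch an accidental reset before a deployment goes out to the whole limiting collection.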

Resources

SCCM Dynamic Collection – Part 2 | WQL Query | ConfigMgr | Create HTMD Blog (anoopcnair.com)


Intune Android Device Support for Google Android for Work Enrollment

Let’s discuss Intune Android Device Support for Google Android for Work Enrollment. Google has a list of supported devices with its Android for Work program. But does Google’s list contain all supported devices?

I don’t think the list is exhaustive and covers all the supported devices. I have tested 2 devices not listed as part of the Android for Work-supported devices. And surprisingly, both devices can enrol in Intune via the Android for Work program.

The article Intune Android Device Support for Google Android for Work Enrollment shows you how to configure the Android Enterprise platform for use with Intune Device Management. We will walk through the steps to set up Intune Enrollment for Android Enterprise Device Management, enabling you to manage corporate-owned devices efficiently with Microsoft Intune.

In this post, you will find all the details about Intune Android Device support for Google Android for Work enrollment. We’ll cover everything you need to know to get started and manage your Android devices effectively using Intune.

Intune Enrollment via Android for Work with Cheap and Affordable Devices

In this video, you will learn all the details about Intune enrollment through Android for Work using cheap and affordable devices. We’ll guide you on how to set up and manage these devices efficiently with Intune.

Intune Android Device Support for Google Android for Work Enrollment – Video 1

Video Tutorials for Android for Work Management via Intune

I tried Samsung Galaxy J7 and LetV Android devices. These devices are not very costly; in fact, the cost is less than 150 USD. Organizations always struggle to find cost-effective and affordable Android for Work devices from Google’s new list.

After testing two fundamental Android devices, I found that we need to perform trial and error to understand whether the low-cost Android devices support Android for Work.

Android for Work management via Intune
  1. Enterprise Devices
  2. Affordable work Devices
  3. Featured Device
Intune Android Device Support for Google Android for Work Enrollment – Table 1
Intune Android Device Support for Google Android for Work Enrollment – Fig.1

Android – Intune Android Device Support for Google Android for Work Enrollment

Google recently rebranded, and the name “Android for Work” has changed to just “Android” management. Google announced that it is simplifying the names: Android for Work becomes simply Android, and Play for Work becomes Google Play.

According to Google, there are 3 categories of Android devices. The new list also does not cover Samsung S7 and LetV devices.

  1. Enterprise Devices – Premium productivity devices
  2. Affordable work devices – Cost-effective devices ready for work
  3. Featured devices

I successfully enrolled low-cost (cheap) Android devices with Android for Work. Intune managed Samsung S7 and LetV devices with the Google Work profile. Both these devices are running Android version 6.

Conclusion – Intune Android Device Support for Google Android for Work Enrollment

Android for Work is supported for devices not listed in the Google portal. I recommend performing thorough testing before approving Android for Work-supported devices within your organization. Maintaining a recommended list of “Android for Work” supported devices within your organization is always better.

I hope Google will remove support for plain Android management and allow only “Android for Work” to manage Android devices. Also, we need to remember that Android for Work support is available only in specific countries or regions. For example, in China, we don’t have any support for Android for Work.

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Resolve Intune Android for Work Configuration Refresh Error

Let’s discuss how to Resolve Intune Android for Work Configuration Refresh Error. Android for Work configuration is straightforward in most scenarios.

I have configured “Android for Work” for several tenants without any issues. Recently, however, I encountered an issue while configuring this in the Intune Silverlight console. 

When I click the Configure button to “add Android for Work Binding” on the “Android for Work Mobile Device Management Setup” page in the Intune Silverlight console, it initiates the process. However, Intune cannot launch the Android for Work binding wizard (webpage).

In one of our posts, we will show you how to configure the Android Enterprise platform for use with Intune Device Management. You can efficiently manage Android Enterprise corporate-owned devices with Microsoft Intune.

Android for Work Refresh Error in Intune Silverlight Console

The video below demonstrates resolving the Intune Android for Work Configuration Refresh Error. Generally, configuring Android for Work is straightforward in most scenarios. I have successfully set up “Android for Work” for several tenants without issues.

How to Resolve Intune Android for Work Configuration Refresh Error – Video 1

Introduction – How to Resolve Intune Android for Work Configuration Refresh Error

I have already posted about Android for Work configuration and set it up in a different post (How to Enroll Android for Work Supported Devices into Intune). This post and video tutorial will provide a step-by-step process to enable Android for Work management.

As I explained in the first paragraph, the Intune console could not complete the Android for Work binding. When I checked the Intune console, there was a console page loading error: “Microsoft Intune was not able to retrieve all data. REFRESH.”

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.1

I tried clicking on the Refresh button several times to see if it worked, but nothing did. There was another button on the Intune Silverlight page, and that was the Save Error Log.

I clicked the button, and it prompted me to save a text log file for this “not able to retrieve all data” error in the Intune console. I opened the text file, which contains details about the error and possibly the root cause of this issue as well.

Error Message: Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
How to Resolve Intune Android for Work Configuration Refresh Error – Table 1
How to Resolve Intune Android for Work Configuration Refresh Error – Fig.2

As per the Intune Save Error Log file, the Intune Silverlight error occurred while retrieving the JWT token, and the error log suggests we check whether the current user has an Intune license and try again. The following is a snippet of the log file.

2017-03-31 05:37:56Z Silverlight Error:
Error occurred while retrieving JWT token, check that current user has an Intune license and try again.
ParameterType: Unknown
OperationType: Unknown
Current URL: https://admin.manage.microsoft.com/MicrosoftIntune/Home?accountid=a8f58f04-e279-44ff-95b9-5e81532915e6#Workspace/administration/index%23?P=//administration/MobileAndroidManagement/&A=%7BGID=23363773-6797-4c777-b3c2-01b06e207b74%7D&S=7sh74c9-7bf5-45ac-9fbb-67369263b9
Console Version: 5.0.17411.0
Service address: https://msua02.manage.microsoft.com/
Last 50 Log Entries:
00CCE 03/31/2017 05:37:37 429 Z MainThread 0001    Page instantiated successfully

Resolution

I have added an Intune/EMS license to the Intune Administrator from the new Azure Active Directory portal. It might not work straight away after assigning the license. You may need to wait 3-4 minutes before configuring “Android for Work.” I recommend logging off and logging back into the Intune Silverlight console before configuring “Android for Work.”  
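Before retrying the binding after assigning the license, it helps to confirm that the admin account actually holds an Intune service plan and that the plan has finished provisioning, since a freshly assigned license can sit in a pending state for a few minutes. The following PowerShell is an added example, not code from the original post; it assumes the Microsoft.Graph.Users module is installed and that the caller can consent to the User.Read.All scope. The UPN is a placeholder to replace with the Intune Administrator account.

```powershell
# Added example (not from the original post): check that the Intune admin
# account has an Intune service plan and that it has finished provisioning.
# Assumes the Microsoft.Graph.Users module is installed.
# The UPN below is a placeholder; replace it with the account that will
# perform the "Android for Work" binding.

Connect-MgGraph -Scopes "User.Read.All"

$Upn = "intune-admin@contoso.onmicrosoft.com"   # placeholder account

# Collect every service plan the user is entitled to through assigned licenses
$plans = Get-MgUserLicenseDetail -UserId $Upn |
    Select-Object -ExpandProperty ServicePlans

# The Intune service plan is named INTUNE_A in EMS and standalone Intune SKUs
$intunePlans = $plans | Where-Object { $_.ServicePlanName -like "INTUNE*" }

if (-not $intunePlans) {
    Write-Warning "$Upn has no Intune service plan. Assign an Intune/EMS license, wait a few minutes, then sign in to the console again."
}
else {
    # ProvisioningStatus shows whether the plan is usable yet
    # (Success) or still pending after a recent license assignment
    $intunePlans |
        Select-Object ServicePlanName, ProvisioningStatus |
        Format-Table -AutoSize

    $pending = $intunePlans | Where-Object { $_.ProvisioningStatus -ne "Success" }
    if ($pending) {
        Write-Warning ("Intune plan assigned but not yet provisioned (status: {0}). Wait and retry the binding." -f ($pending.ProvisioningStatus -join ", "))
    }
    else {
        Write-Output "$Upn has a provisioned Intune service plan; retry the Android for Work binding after signing in again."
    }
}
```

Run this as an account with directory read rights. A plan that is listed but not yet at Success is the case the post describes as “might not work straight away”; a missing plan means the license has not been assigned at all.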

How to Resolve Intune Android for Work Configuration Refresh Error – Fig.3
