Let’s discuss the Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices. Intune configuration restriction policies are critical in modern device management strategy. Intune device restriction policy is the security settings applied on your Windows 10 CYOD device.
As part of your organization’s security policies, you may need to lock down mobile or Windows devices with corporate data and app access. Yes, Intune configuration restriction policies help you lock down Windows devices as per your organization’s security requirements.
In this post, you will learn everything you need to create device restriction policy profiles in Intune and deploy security policies to Windows 10 devices. We will guide you step-by-step through setting up these policies to ensure your devices are secure and comply with your organization’s requirements.
Whether you’re new to Intune or looking to enhance your device management skills, this guide will provide clear and straightforward instructions to help you effectively manage and protect your Windows 10 devices.
Intune Configuration Restriction Policy Deployment with Windows 10
In this video, you’ll learn all about deploying Intune Configuration Restriction Policies on Windows 10. We’ll show you each process step, making it easy to follow. Whether setting up new policies or adjusting existing ones, this video will help you understand how to use Intune to keep your Windows 10 devices secure and well-managed.
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Video 1
Create Intune Device Restriction Policy for Windows 10 Devices
You can create an Intune device restriction policy for Windows 10 from Microsoft Intune – Device Configuration – Profiles – Create New Profile. I selected Windows 10 as the platform; platform selection is essential because it decides which settings the profile can carry.
Also, it would be best to select the profile type while creating an Intune Configuration Restriction policy. In my scenario, the Device restriction policy is named “Windows 10 CYOD Restrictions.”
Platform: Windows 10 and Later
Profile Type: Device Restrictions
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Table 1
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Fig.1
As shown below, the Windows platform Intune device restriction policy for out-of-box settings is segregated into 16 sections. This list is comprehensive, and we can lock down Windows 10 machines as required.
Is this Intune device restriction policy a replacement for group policies? No, it’s still not a replacement for AD group policies.
General
Password
Personalization
Locked screen experience
App Store
Edge Browser
Search
Cloud and Storage
Cellular and Connectivity
Control Panel and Settings
Defender
Defender Exclusions
Network Proxy
Windows Spotlight
Display
Start
Deploy Windows 10 Intune Device Restriction Policy
You can deploy the Windows 10 Intune Device Restriction Policy to either Windows 10 CYOD dynamic device groups or Windows 10 user groups. Dynamic device groups are still in preview, and their group membership is not always stable. So, at least for the next two months, I will prefer to deploy policies to user groups rather than dynamic device groups.
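The same profile and user-group assignment, created through Microsoft Graph instead of the portal. This is an added example, not the post’s own procedure; it assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can write device configurations, and that the group ID is replaced with a real user group’s object ID.

```powershell
# Added example: create the "Windows 10 CYOD Restrictions" device restriction profile
# and assign it to a user group through Microsoft Graph. Requires the
# Microsoft.Graph.Authentication module; the group ID below is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$groupId = "<USER-GROUP-OBJECT-ID>"   # placeholder: object ID of the Windows 10 user group

# windows10GeneralConfiguration is the Graph type behind the Windows 10 "Device
# restrictions" template. settingsBlockChangeSystemTime is the same lockdown the post
# demonstrates: the signed-in user can no longer change the system time.
$profile = @{
    "@odata.type"                 = "#microsoft.graph.windows10GeneralConfiguration"
    displayName                   = "Windows 10 CYOD Restrictions"
    description                   = "Device restriction profile for CYOD Windows 10 devices"
    settingsBlockChangeSystemTime = $true
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
    -Body ($profile | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign to the user group rather than a dynamic device group, as the post prefers.
$assignment = @{
    assignments = @(
        @{ target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId       = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Verify: read the profile and its assignments back before testing on a device.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)?`$expand=assignments"
```

Flipping settingsBlockChangeSystemTime back to $false with a PATCH on the same URI reproduces the second half of the post, where the user can change the time again after the next policy refresh.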
Windows 10 End-user Experience of Intune Device Restriction Policy
As you can see in the video tutorial at the top of this post, I’ve enabled the option that blocks the time settings as part of the initial Windows 10 device restriction policy. The end-user logged in to the Windows 10 machine can’t change the time on the system.
After that, I changed the Windows time setting policy again, and after applying the new policy, the user can change the time on the Windows 10 system.
Intune Create Device Restriction Policy Profiles Deploy Security Policies to Windows 10 Devices – Fig.2
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Let’s discuss how to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web apps. I have been testing and developing a solution for Android device management with Intune. I have shared my Android for Work learning experiences in my previous posts – Android.
In this post, we will see and learn how to enable Intune Company Portal Browser Access for Android devices. What is the need for enabling company portal browser access?
To put it in simple words, if your organization is using Azure AD Conditional Access (CA) enabled internal web applications, then we need to enable the Company portal browser access option.
This post will provide a comprehensive guide on enabling Intune Company Portal browser access for conditional access-enabled web apps. We will walk you through the necessary steps to configure your settings, ensuring easy access control and security compliance.
How to Enable Intune Company Portal Browser Access
The above video recording gives you the same user experience when you have CA access-enabled web applications and you have not enabled company portal browser access. As you can see in the video, the managed browser for Android devices gives an error stating that the device is not enrolled.
Yes, the managed browser application can’t tell whether the device is already enrolled. When you perform the action “Intune Company Portal Browser Access,” the app will try to install the Microsoft work account certificate on the Android device. There is a known issue with the previous version of the Company Portal application on Android devices.
How to Enable Intune Company Portal Browser Access
Open the Company Portal app.
Go to the Settings page from the ellipsis (…) or hardware menu button.
Press the Enable Browser Access button.
How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Table 1
Microsoft Work Account Certificate Installation Error
Allow the Company portal and Intune-managed apps to record future actions in greater detail, which may help your IT administrator better identify and solve issues.
How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.1
End-User Experience of ENROLL Device Error
The solution to the Microsoft “work account certificate installation” error mentioned above is to update the company portal application for Android devices. Are you getting an ENROL error on your device (as you can see in the following screen capture)?
Does this error appear when you try to access Conditional Access-enabled web applications through the managed browser? The web apps without CA are working fine? If so, you must perform the following action from your Android device: “Intune Company Portal Browser Access.”
How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.2
Microsoft Work Account Certificate Installation
Now, it’s time to update the company portal application on Android for Work-enabled devices. Once the device is updated with the latest version of the company portal app, open the company portal app, go to Settings, and tap the “Enable Browser Access” button.
This action opens a popup for installing a Microsoft Work Account certificate. The user must select the cert and tap on the ALLOW button. The video tutorial at the top of this post explains this process.
How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.3
End USER Experience of CA-enabled Web Application Access
Once the managed browser has a certificate, the web applications opened in the Managed browser can use the Microsoft Work account cert. This will allow the managed browser to securely open conditional access-enabled internal web applications. In my experience, the user doesn’t require a tap on the INSTALL button; rather, the user must tap on the ALLOW button to complete this configuration.
How to Enable Intune Company Portal Browser Access for Conditional Access Enabled Web Apps – Fig.4
Let’s discuss how to Deploy Microsoft Store for Business Apps using Intune. Microsoft Store for business apps is part of your organization’s private store apps.
Only one way to deploy Store apps using Intune is required deployment. Microsoft Store for business apps can be deployed as “Available,” “Required,” or “Uninstall” apps to Windows 10 or Windows 11 devices.
On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device will remain until intentionally removed.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.1
The logic behind NOT having an “available” deployment option is very understandable. The user doesn’t need an available deployment via Intune because the user always has private store access to install the apps manually.
Let’s check how to deploy the WhatsApp application from the Microsoft store to Windows 10/11 devices, which Microsoft Intune manages.
Devices must be registered with Azure AD or joined to the same Azure AD tenant where you registered the MSfB for online app deployment.
Azure AD Global admin (or appropriate) access to create Applications to connect ConfigMgr site to Azure AD and MSfB
Decide Offline or Online Applications using Intune
The MSfB supports two types of application licenses, and you should be very careful with the license type of the application you want to add. Devices don’t need to be Azure AD registered or hybrid Azure AD joined for Offline apps.
Online: Windows 10 devices must be joined to Azure Active Directory (Azure AD) or hybrid Azure AD-joined.
Offline: Devices don’t need to connect to the store or have a connection to the internet.
Search Store Applications from MSfB for Intune App Deployment
Let’s log in to the Microsoft Store for Business and search for the apps you want to add to Configuration Manager. Try to add WhatsApp to the private store and deploy it to managed Intune Windows 10/11 devices.
NOTE! – Microsoft Store for Business will retire in the first quarter 2023.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.2
Add Apps to Private Store
You have already found the required app (above section): WhatsApp. Now, let’s add it to the organization’s private store.
Click on any application – WhatsApp
Select License type: Offline
Click on Get the app
How to Deploy Microsoft Store for Business Apps using Intune – Fig.3
Once you click the Get the App button, the WhatsApp application will be purchased and added to your Microsoft private store.
You have successfully added the WhatsApp Beta app to the private store.
This app will be available in the admin console after the next MSfB sync with Intune.
Click Close to continue.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.4
Initiate a Manual Sync between Intune Portal and Microsoft Store for Business
Let’s Initiate a Manual Sync between Intune Portal and Microsoft Store for Business. If I’m not mistaken, the schedule sync will happen every 24 hours.
Log in to Endpoint.Microsoft.com.
Navigate to Tenant Administration – Connectors and Tokens.
Enabling Microsoft Store for Business sync lets you access volume-purchased apps with Intune. Two options must always be enabled for this scenario. The Microsoft Store for Business page under Connectors and Tokens shows the following:
First, you must sign up and associate your Microsoft Store for Business account with Intune (Open the business store).
Choose the language in which apps from the Microsoft Store for Business will be displayed in the Intune console (Language).
Set the Microsoft Store for Business sync toggle to Enable (the other value is Disable).
Sync the apps you’ve purchased from the store with Intune. To reflect the newly purchased application WhatsApp, click the SYNC button and wait for the sync to complete.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.5
Deploy Microsoft Store App to Windows 11/10 using Intune
Let’s check how to Deploy the Microsoft Store App to Windows 11/10 using Intune. Let’s head over to Apps and check for the WhatsApp Beta application.
Deploy Microsoft Store App to Windows 11/10 using Intune
Open Intune portal.
Navigate to All Apps and Search for WhatsApp.
How to Deploy Microsoft Store for Business Apps using Intune – Table 1
How to Deploy Microsoft Store for Business Apps using Intune – Fig.6
Click on the WhatsApp application to start the deployment process. This is the typical deployment process for the Intune application. The application is created automatically when you sync Intune and Microsoft Store for Business.
You can assign applications to at least one group. Click ‘Properties‘ and edit ‘Assignments‘ to start the assignment.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.7
I have deployed this as an available application to an Azure AD group of USERS.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.8
End-User Experience of App installation on Windows 10 device
How to Deploy Microsoft Store for Business Apps using Intune – Video 1
Enable and Configure Microsoft Store for Business
First, we must sign up and associate the Microsoft Store for Business (MSfB) account with Intune. Then, we must accept the agreement and consent for Windows Store for Business.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.9
Intune and Microsoft Store for Business Connection
You must open the Intune portal (Azure) to enable and configure Microsoft Store for Business: Microsoft Intune – Mobile Apps – Windows Store for Business. Choose the language in which Windows Store for Business apps will be displayed in the Intune console.
Once you sign up for the Windows Store for Business, you need to connect Intune with the store. This is required to Deploy Windows Store Apps via Intune. Click on the Manage tab and select Store Settings.
Once you are in store settings, you can see three out-of-box connections configured to deploy Windows Store for business apps via MDM solutions. Airwatch, MobileIron Cloud, and Microsoft Intune were the three connections created. Click on the Intune activate button to set up the connection between the store and Intune.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.10
Sync the Applications and Deploy Applications via Intune
Once the Intune connection is activated, we must shop the apps and add them to your organization’s private store. It could take 24 hours (it’s pretty fast nowadays. Within minutes, it will be available) to reflect the newly added apps appearing in the private store. You can sync Intune to get the newly added apps into Intune.
We need to save the settings after the app syncs successfully.
Updated NOTE! You can now log in to the Microsoft Endpoint Manager Admin center and head to Tenant Administration—Connectors and Tokens. Then, click the SYNC button to make the application available in Intune applications.
Log in to Endpoint.Microsoft.com and navigate to Tenant Administration – Connectors and Tokens.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.11
After a successful connection, you can see the following settings in Microsoft Store for Business.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.12
How to Deploy Microsoft Store for Business App from Intune
Learn How to Deploy Microsoft Store for Business Apps from Intune. It would help if you headed to Apps – Windows node in the MEM Admin center portal (Intune) to search for application availability there. After the successful sync between Intune and Microsoft Store for Business, the Firefox browser app will be available in the MEM Intune portal.
Select the Windows Store apps you want to deploy to AAD user groups. We only have two options when deploying the Windows Store app via Intune. And those are REQUIRED and UNINSTALL.
So, there is no option to deploy the Windows Store app as an available deployment via Intune because the users already have access to the Windows Private Store.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.12
End-User Experience of App Installation on Windows 10 Device
The end-user experience for Windows 10 1703 users is flawless. The deployment of the Windows Store app via Intune happened in the background, and the user only came to know about the installation when the app appeared on their Windows 10 device.
How to Deploy Microsoft Store for Business Apps using Intune – Fig.13
Let’s learn about the SCCM Intune Facebook Community Growing Strong Microsoft Intune Facebook. We’ve created SCCM and Intune pages/groups to share knowledge between SCCM and Intune professionals.
Within the SCCM Intune FB Community, we share information about personal experience, the latest updates, tricks, solutions, Hotfixes, and tips from community experts and Microsoft.
SCCM Intune’s Facebook community is always fun and very interactive. Moreover, this type of community gives a personal touch. Real people interact with each other with loads of authenticity.
SCCM Intune Facebook Community groups are the virtual community groups for SCCM/ConfigMgr/Intune professionals. In turn, these are the groups where we announce the “SCCM Intune User Group Event” and get feedback from the community.
More than just sharing information, it became a most efficient place for discussions of SCCM and Intune-related topics. This page and its groups have been very helpful to me personally because I don’t want to look at my RSS feed now and then to get updates from the IT world.
SCCM Intune Facebook Community Growing Strong Microsoft Intune Facebook – Fig.1
SCCM Intune Facebook Technical Community Groups Pages
Facebook groups are very interactive, and their design is very well suited for the IT Pro community. I’m a big fan of closed groups, as your posts in a closed group are visible only to the members of that group.
SCCM Intune Facebook Community Growing Strong Microsoft Intune Facebook – Video 1
Let’s discuss the Microsoft Intune Android Work Apps User Experience Explained. The Android operating system has several variants, and fragmentation is very high. What are the reasons for this? With the open standards, every smartphone manufacturer has the freedom and option to customize the operating system according to their preference.
So, all the Android mobile device manufacturers grabbed the opportunity to push their apps and tweak their own versions of Android. So, what is the biggest problem with the Intune Android Work app’s user experience? I will cover the details in this post. Also, I have explained the same in the video below.
There is no standard user experience, and different mobile manufacturers, like Samsung, Sony, and LetV, have their own way of arranging Android Work applications. Once you have enabled Android for Work support, you can enroll the Android devices into Intune for management, as I explained in the post “How to Enroll Android for Work Supported Devices into Intune.”
In this post, we explain the user experience of Microsoft Intune Android Work Apps in detail and examine the difference between a good and a bad Intune Android for Work user experience. I wanted to make it clear that Intune cannot do much to improve the user experience because this is an OS capability, not an MDM one.
Microsoft Intune Android Work Apps User Experience Explained – Fig.1
I have tested Intune Android for Work enrollment with devices like Nexus 6P, Sony, Samsung, etc. The Intune Android Work Apps user experience is good for all the tested devices. However, the problem is the placement of badged applications on the devices.
Each Android mobile manufacturer has its own way of placing badged Android Work applications.
I like how a manufacturer places all the badged apps into a folder.
This is very useful for the user to switch from work applications to personal ones. In my testing, if the manufacturer does not create a group for work applications after Intune Android for Work enrollment, it does not provide a good user experience.
Per my testing on several Android devices, I liked the Intune Android for Work user experience of Samsung and Google Nexus the most.
Intune Android for Work End User Device Experience Video LetV Samsung Nexus Sony
Initially, the Intune Android for Work enrollment experience with the company portal was not flawless. However, the enrollment process has greatly improved with the latest version of the Intune company portal. If you enroll the device with the latest company portal app, you don’t have to close the existing company portal app and open the company portal app for the work profile (with a badge/briefcase symbol) to continue the enrollment process.
Microsoft Intune Android Work Apps User Experience Explained – Video 1
Intune Android for Work Nexus 6s Enrollment Experience
In this video, we’ll walk you through the comprehensive enrollment experience of Intune Android for Work on the Nexus 6s. From the initial setup to the final configuration, we’ll guide you step-by-step to ensure a smooth and efficient process.
Microsoft Intune Android Work Apps User Experience Explained – Video 2
I like the Samsung and Google Nexus user experience because all the Android work applications are placed in a separate WORK folder. The work folder helps users better segregate their personal apps from work apps.
That user experience is excellent. The Android work apps’ user experience on Sony and LetV Android devices is not so good if you compare it with the UX of Samsung and Nexus.
The bad user experience is that those devices won’t create a separate folder for WORK apps. The video tutorial in the first part of this post explains the experience in more detail.
Let’s discuss the SCCM Configuration Manager Application Creation Deployment Installation. SCCM CB application creation is the next step after installing SCCM CB 1702 installation, SCCM CB AD discovery, and client installation.
The second step is SCCM CB Application Deployment, and the third step is installing the SCCM CB application on the clients. We will cover all the scenarios in this post. I have documented all these steps in the video tutorial, which details SCCM CB application creation (upload), deployment, and installation.
Application deployment is one feature many corporate organisations use to cater to their business requirements. In SCCM CB, we will have the option to create packages and deploy those SCCM packages. Yes, packages are required in some of the scenarios.
The packages are also used to deploy old Win32 apps that were migrated to the SCCM CB environment from SCCM 2003/2007/2012. I recommend taking advantage of SCCM CB applications rather than still using standard packages.
SCCM CB Application Creation Deployment User Experience
This video comprehensively covers all aspects of SCCM CB (Current Branch) application creation, deployment, and user experience. It provides detailed guidance on creating applications within SCCM, including the necessary configuration steps and considerations for deployment.
SCCM Configuration Manager Application Creation Deployment Installation – Video 1
How to Create/Upload SCCM Application – SCCM Configuration Manager Application Creation Deployment Installation
This guide provides instructions on creating and uploading an application in SCCM and details the steps for developing, deploying, and installing an SCCM application. By following this guide, administrators can effectively manage and distribute applications within their organization’s network using SCCM, ensuring easy and efficient software deployment and maintenance.
SCCM CB application creation is the first step in this process. The application can be created based on several types of installation files. These installation files range from Win 32 MSI apps to EXE and a wide range of mobile (MDM) apps.
MSI is the most preferred installation type for Windows devices, and this post will cover creating MSI apps.
First, we must ensure that the SCCM CB application source is stored in a UNC path (\\ServerShare\Sources\).
As the video tutorial shows above, the wizard will error if we don’t provide the UNC path as a source location for the MSI app source.
Screenshot: “Baseline Configuration Analyzer” application properties, with “Automatically download content when packages are assigned to distribution points” selected.
The SCCM CB application creation process creates metadata in the console and related DB entries. It also creates a bundle of files that this MSI installation file requires for the complete application installation.
This bundle of files will be delivered to SCCM content stores called DPs (Distribution Points). The client will download the content (if the deployment setting is to download the content from the DP) and install it. The video shown above covers this process, and the following sections cover it as well.
How to Deploy SCCM CB Application and Content?
Once the SCCM CB application is created and the app reference is in the console, we can deploy the application content (the source files) to the content store servers (Distribution Points). The entire process is explained in the video tutorial above.
We can use the Distribute Content action to start the application source replication process to remote DPs. SCCM CB application content distribution is mandatory before we deploy the application to SCCM client devices or users.
Once the application content is distributed to the DPs, we can deploy or schedule the application installation to the device or user collection. You need to make some decisions before starting the SCCM CB application deployment process.
The first step is deciding whether we should deploy apps to device collections. If we deploy an application to a device collection, then all the users on that device will get the application, and there could also be some license implications. The second option is to deploy the application to a user collection.
From my perspective, this should be the default deployment practice if you don’t have any specific requirements to deploy apps to devices.
The other important point in SCCM CB application deployment is the application installation behavior, for which we have two options. The first one, AVAILABLE, leaves the choice with the user: the application is deployed to the user and sits in Software Center until the user initiates the installation from the Software Center app.
The second option is to deploy the application as REQUIRED. In this scenario, the application will automatically install on the device without any user intervention.
How to Install Application on End-User Device?
Once you deploy the application to the collection, as mentioned in the video tutorial above, the SCCM client will check for the new policies at the next scheduled interval.
On that schedule, the SCCM client will download the application source, and installation will automatically start on the Windows device, as seen in the above video tutorial. The installation behavior setting is critical; whether the actual app install kicks off on its own depends on that behaviour.
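The three admin-side steps above (create the MSI application, distribute its content, deploy it) as a ConfigMgr PowerShell script. This is an added example rather than the post’s own steps; the site code, UNC source path, application name, DP group and user collection are placeholders, and it assumes the ConfigMgr console (which ships the PowerShell module) is installed where it runs.

```powershell
# Added example (not from the post): create an MSI application, distribute its
# content, and deploy it as Available to a user collection with the ConfigMgr
# PowerShell cmdlets. Site code, share path, DP group and collection are placeholders.
$siteCode   = "PS1"                                  # placeholder site code
$source     = "\\ServerShare\Sources\ExampleApp\ExampleApp.msi"   # placeholder UNC path to the MSI
$appName    = "Example App"                          # placeholder application name
$dpGroup    = "All Distribution Points"              # placeholder DP group name
$collection = "All Users and User Groups"            # placeholder user collection

# Load the ConfigMgr module from the console install and switch to the site drive.
Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH "..\ConfigurationManager.psd1")
Set-Location "$($siteCode):"

# The Create Application wizard errors out if the source is not a UNC path, so
# check that (and that the share is reachable) before touching the site.
if (-not ([uri]$source).IsUnc) { throw "Source must be a UNC path: $source" }
if (-not (Test-Path -LiteralPath $source)) { throw "Source not reachable: $source" }

# 1. Create the application and an MSI deployment type. The MSI's own product
#    code becomes the detection method, so no manual detection rule is needed.
New-CMApplication -Name $appName -Publisher "Example Publisher" -AutoInstall $true | Out-Null
Add-CMMsiDeploymentType -ApplicationName $appName -DeploymentTypeName "$appName MSI" `
    -ContentLocation $source -InstallationBehaviorType InstallForSystem `
    -LogonRequirementType WhetherOrNotUserLoggedOn -Force | Out-Null

# 2. Distribute the content to the DPs; a deployment without content on a DP
#    leaves clients waiting for content and never installs.
Start-CMContentDistribution -ApplicationName $appName -DistributionPointGroupName $dpGroup

# 3. Deploy as Available to a USER collection: the app shows up in Software Center
#    and installs only when the user chooses it. Switching -DeployPurpose to
#    Required would install it silently at the next policy cycle instead.
New-CMApplicationDeployment -Name $appName -CollectionName $collection `
    -DeployAction Install -DeployPurpose Available -UserNotification DisplayAll
```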
Let’s discuss the Windows 10 Azure AD Join Automatic Intune Enrollment. In this post, I will provide you with the experience of Windows 10 1703 (RS2) Azure AD join and automatic MDM (Intune) enrollment.
As you can see in the above video tutorial, this is a real-time experience of Windows 10 1703 Azure AD join and Intune auto-enrollment.
Windows 10 1703 is the latest version of the Windows 10 production build, also known as the Redstone 2 (RS2) release. The Windows team has done great work to improve the Out-of-Box Experience (OOBE) of Windows 10 1703. A previous post explains the in-depth process of AADJ and MDM auto-enrollment: “How to Join Windows 10 1607 Machines to Domain or Azure AD.”
Signing in with a Microsoft School or Work account is the first screen in the Windows 10 1703 Azure AD join OOBE. A note on the same screen helps users select the account they want to use “Sign in with the username and password you use with Office 365 or business services from Microsoft”.
Yes, this is a generic kind of message. It would be more helpful if Microsoft could explain to the user how to use their corporate account rather than using technical terms like Office 365 and Business Services from Microsoft.
How to Perform Windows 10 1703 AAD Join and Intune Enrollment
The video below offers a comprehensive, step-by-step guide on performing a Windows 10 1703 Azure Active Directory (AAD) join and enroll your device in Microsoft Intune. It covers all the necessary steps, from initiating the AAD join process to successfully completing the Intune enrollment, ensuring that your device is properly managed and secured within your organization’s network.
Windows 10 Azure AD Join Automatic Intune Enrollment – Video 1
Windows 10 Azure AD Join Automatic Intune Enrollment
This is the sign-in screen. Please sign in using the username and password associated with your Office 365 account or any other Microsoft business services.
Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.1
The Windows 10 1703 OOBE screen allows the user to choose a traditional domain join option. It also allows the user to create a local user account and log in with that account. The Windows 10 1703 OOBE experience has been greatly improved.
It will ask to connect to a Wi-Fi network and allow the user to connect to web-based authenticated Wi-Fi routers (not all? I need to test this further). Once connected to the internet, it will check for the latest software updates available and install them.
Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.2
Windows 10 Azure AD Join Experience?
Windows 10 1703 Azure AD join is almost fully automated once users enter their user name and password in the OOBE screen mentioned above. However, user input is required on one particular screen: the screen for privacy settings.
Once the user has completed the Windows 10 1703 privacy settings, the device will automatically log in with the user name and password. Is this a new SSO for Windows 10 1703 Azure AD join? You can confirm the AAD Join from the Settings—Accounts section in Windows 10 1703.
Your info
Email and App Accounts
Sign in Options
Access work or school
Other people
Sync your Settings
Windows 10 Azure AD Join Automatic Intune Enrollment – Table 1
Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.3
Windows 10 MDM Intune Auto Enrollment Experience
Once the Windows device is joined to Azure AD, it should automatically enroll in Intune management. To get this experience, you should have enabled the MDM auto-enrollment option in your Azure AD. In my experience with Windows 10 1703, I got the encryption policy popup from the Intune compliance policy within a few minutes of the first login to the device.
The user can also check the Intune enrollment from the School or Work Account section in the Windows 10 settings menu. The Windows 10 MDM stack’s GUI has changed regarding School or Work account settings. The Windows 10 work account added to the device does not have a manage tab. Don’t worry about that because that is a new design for Windows 10 1703. The Windows 10 work/school account setting has only two tabs: Info and Disconnect.
How do you manually sync or check for the new Intune policies in a Windows 10 1703 device? The option is to click on Settings—Accounts—Access Work or School Account—Info—Sync. This will initiate an immediate policy sync with Intune services in the cloud. Afterwards, the user’s Windows 10 device will receive the latest policies from Intune.
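Here is an added example (not code from the original post) of how to verify from the device itself that the Azure AD join and the automatic Intune enrollment described above actually happened. It parses the output of dsregcmd /status and then reads the last result of the enrollment scheduled task; the field names are the ones dsregcmd prints, and the task folder is the one the MDM enrollment client uses.

```powershell
# Added example (not from the original post): confirm Azure AD join and Intune
# MDM enrollment on a Windows 10 device by parsing 'dsregcmd /status'.
# Run from an elevated PowerShell prompt on the device itself.

function Get-DeviceJoinState {
    # dsregcmd prints "Key : Value" lines; keep only the ones we care about.
    $raw = dsregcmd /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName|MdmUrl|MdmComplianceUrl)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$s = Get-DeviceJoinState
if ($s['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined; the OOBE join did not complete.'
} elseif ([string]::IsNullOrEmpty($s['MdmUrl'])) {
    Write-Warning 'Azure AD joined but no MDM URL: auto-enrollment has not happened. Check that the MDM user scope is enabled under Azure AD > Mobility (MDM and MAM).'
} else {
    "Joined to tenant '{0}', MDM enrollment URL: {1}" -f $s['TenantName'], $s['MdmUrl']
}

# The scheduled task under EnterpriseMgmt is what triggers the automatic enrollment;
# its last result shows whether an enrollment attempt was made and how it ended.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult
```

A LastTaskResult of 0 means the last enrollment run succeeded; anything else is worth checking against the DeviceManagement-Enterprise-Diagnostics-Provider event log before raising a ticket.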
Windows 10 Azure AD Join Automatic Intune Enrollment – Fig.4
Let’s discuss how to Perform SCCM AD Discovery and Install SCCM Client. In the previous post, I covered the installation of SCCM/ConfigMgr 1702 infrastructure. This post covers SCCM AD Discovery and SCCM client installation.
How can we perform SCCM CB AD discovery? Can we discover the devices and users from the on-prem Active Directory? And how can we manage the devices discovered from AD? Discovery Methods: Configure the methods to find resources. Client Push installation requires that resources first be discovered.
NOTE! – I usually use Active Directory System Discovery and Active Directory User Discovery to find the resources (users and systems) from Active Directory.
We must enable Active Directory System Discovery to discover all the devices from on-premise AD. SCCM will collect all the system records from AD and create a record in SCCM CB. SCCM will create the system record only when the SCCM server can find an IP in the DNS record of that system and can ping the system.
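As an added example (not from the original post), the script below emulates the two conditions just described, a DNS record and a successful ping, against the computer objects in an OU, so you can see in advance which stale AD objects will never get a discovery record and therefore never be a client push target. The OU path is a placeholder for your own scope.

```powershell
# Added example (not from the original post): emulate the DNS-lookup and ping checks
# SCCM AD System Discovery applies to computer objects before it creates a record.
# The OU distinguished name is a placeholder.
Import-Module ActiveDirectory

function Test-DiscoveryCandidate {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties lastLogonTimestamp |
    ForEach-Object {
        $fqdn = $_.DNSHostName
        $ip = $null
        try {
            # SCCM only creates a system record when DNS resolves the host...
            $ip = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
                   Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
        } catch { }
        # ...and the site server can ping it.
        $pingOk = if ($ip) { Test-Connection -ComputerName $ip -Count 1 -Quiet } else { $false }

        [pscustomobject]@{
            Name         = $_.Name
            DnsName      = $fqdn
            IPAddress    = $ip
            Pingable     = $pingOk
            LastLogon    = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            WillDiscover = [bool]($ip -and $pingOk)
        }
    }
}

# Review the rows where WillDiscover is False; old LastLogon values usually mean
# the object is stale and can be cleaned up rather than chased with client push.
Test-DiscoveryCandidate -SearchBase 'OU=Workstations,DC=lab,DC=local' |
    Sort-Object WillDiscover | Format-Table -AutoSize
```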
How to Perform SCCM CB AD Discovery?
SCCM 2007 AD system discovery Flowchart. Adsysdis.log is the log file where you can find more details about the discovery. You can specify an Active Directory container to search during the discovery process.
How to Perform SCCM AD Discovery Install SCCM Client – Fig.1
SCCM AD User Discovery should be enabled when deploying apps and policies to user-based collections. The log file Adusrdis.log provides more details about SCCM AD User Discovery.
Another Discovery that I enabled in my SCCM LAB environment is “Active Directory Forest Discovery” to create the SCCM CB boundaries in your CB environment.
Active Directory Forest Discovery Properties
Enable Active Directory Forest Discovery
Enable Automatically create Active Directory site Boundaries when they are discovered
How to Perform SCCM AD Discovery Install SCCM Client – Table 1
How to Perform SCCM AD Discovery Install SCCM Client – Fig.2
What are the Prerequisites before Installing SCCM CB Clients on Devices?
So, now you can discover the devices, users, and AD Site Boundaries from on-prem AD. The next step is to manage these devices using SCCM infra.
I would first create an SCCM “Boundary Group” and add the required boundaries to that particular boundary group. The above video tutorial discusses more details about the creation and assignment of Boundary groups.
Another vital configuration we need to take care of before installing SCCM CB clients on a discovered system is setting up a “Network Access Account” and “Client Push Installation Account“.
How to Perform SCCM AD Discovery Install SCCM Client – Fig.3
SCCM Client Installation to Manage AD Discovered Systems
We need to install SCCM Client software to manage discovered systems from AD. There are loads of options for installing the client on the discovered devices. You can use the AD Group policy to install SCCM CB clients; a client can be installed as part of the OSD process, or It can be installed using the Client Push method.
The client push method has some drawbacks, such as the need for Admin$ access. The best option is to use the AD group policy client installation method.
How to Perform SCCM AD Discovery Install SCCM Client – Fig.4
Let’s discuss the Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD. SCCM admins must go through the AAD Connect setup to build an Intune and SCCM hybrid lab.
AAD Connect is the app used to sync On-Prem AD with Azure AD. It can be installed on any server-class machine. The AAD Connect sync operation is critical for organizations.
If you plan to sync the hash of your passwords to the cloud, the AAD Connect setup configuration is pretty straightforward. However, if you have specific and advanced AAD Connect setup requirements, you must spend a lot of time on the initial setup.
AAD Connect setup and configuration will install and configure SQL Express DB. For big corporate organizations, we need to select advanced settings. These settings can be configured in advanced settings, as they may have custom attributes used in their sync process.
Also, the password hash may not be synced, and the ADFS configuration has been used for authentication.
The window below helps you show the Microsoft Azure Active Directory Connect Express Settings. We will do the following if you have a single Windows Server Active Directory forest.
Express Settings
Configure synchronization of identities in the current AD forest of ASST
Configure password synchronization from on-premises AD to Azure AD
Start an initial synchronization
Synchronize all attributes
Enable Auto Upgrade
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Table 1
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.1
Azure AD AAD Connect Setup – Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD
I have selected “Express Settings” for my lab, so installation is straightforward. You must provide two credentials during the configuration: AZURE AD and On-prem AD. UPN suffixes should match one of the verified custom domains in Azure AD to use on-premises credentials for Azure AD sign-in.
I have changed the UPN suffixes of 4 On-Prem AD users so that those users will get synced with Azure AD. The following high-level steps are completed by the AAD Connect setup and configuration wizard:
Install and Configure SQL Express DB
Install the synchronization engine
Configure Azure AD Connector
Configure On-Prem AD Connector
Enable Password Synchronization
Enable Auto Upgrade
Configure Azure AD Connect Health Agent for sync
Configure Synchronization services on the computer
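The UPN suffix requirement mentioned above is the step people most often miss before the first sync. Here is an added example (not from the original post) that finds on-prem users whose UPN suffix is not one of your verified Azure AD domains and fixes them in a dry-run-first way. The verified domain and the OU path are placeholders; the suffix must also be registered in Active Directory Domains and Trusts before it can be assigned.

```powershell
# Added example (not from the original post): find on-prem AD users whose UPN
# suffix is not a verified Azure AD domain and (optionally) fix them, so that
# password hash sync produces accounts the users can actually sign in with.
# 'contoso.com' and the OU path are placeholders for your verified domain and scope.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com')            # from Azure AD > Custom domain names
$SearchBase      = 'OU=SyncedUsers,DC=lab,DC=local'

function Get-UpnMismatch {
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
    Where-Object {
        $suffix = ($_.UserPrincipalName -split '@')[-1]
        (-not $_.UserPrincipalName) -or ($VerifiedDomains -notcontains $suffix)
    }
}

function Repair-UpnSuffix {
    param([switch]$Commit)   # dry run unless -Commit is given
    foreach ($u in Get-UpnMismatch) {
        $newUpn = '{0}@{1}' -f $u.SamAccountName, $VerifiedDomains[0]
        if ($Commit) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
            'Changed {0} -> {1}' -f $u.UserPrincipalName, $newUpn
        } else {
            'Would change {0} -> {1}' -f $u.UserPrincipalName, $newUpn
        }
    }
}

Repair-UpnSuffix             # review the proposed changes first
# Repair-UpnSuffix -Commit   # then apply them
```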
End Results/Outcome of AAD Connect Sync
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.2
The AAD Connect sync process will start after the AAD Connect setup and configuration. As you can see in the above screen capture, the configuration has been completed successfully on my On-prem AD server. To confirm whether the on-prem users/groups synced with Azure AD, log in to portal.azure.com and confirm the user IDs.
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.3
You can sync on-prem user identities/attributes and passwords to Azure AD using Azure AD Connect. Azure AD connect installation and configuration is very straightforward if we use (express settings 🙂 ).
I have a video tutorial here that helps you understand the AAD connect configuration, How to enable MFA for Azure AD to join Windows 10 devices and Twitter app integration with Azure AD.
This post will cover two other Azure AD (AAD) Sync topics.
Where is the Scheduled Task used for the Azure AD sync?
How to Create a service connection point in on-premises Active Directory?
Video Tutorial – How to Sync On-Prem AD User Accounts with Azure AD
Windows 10 MDM devices can write back to on-prem AD. More details are available here. AAD Connect is mandatory for the write-back feature of Windows 10 devices.
Earlier versions of Azure AD Connect used a Windows task scheduler to schedule the Azure AD sync of on-prem objects and attributes. The latest version has a built-in sync engine, so we won’t be able to find a scheduled task for AAD Connect.
The new default synchronization frequency is 30 minutes. We can change the AD Sync Schedule using the PowerShell command “Get-ADSyncScheduler” and other parameters documented here.
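As an added example (not from the original post), here is how the built-in scheduler mentioned above can be inspected and adjusted with the ADSync module that ships with AAD Connect. The one-hour interval is illustrative; values shorter than the tenant’s AllowedSyncCycleInterval (30 minutes by default) are ignored by the scheduler.

```powershell
# Added example (not from the original post): inspect and adjust the built-in
# AAD Connect sync scheduler that replaced the old scheduled task. Run on the
# AAD Connect server. The interval value is illustrative.
Import-Module ADSync

function Get-SyncHealth {
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        AllowedInterval    = $sched.AllowedSyncCycleInterval        # floor set by Azure AD
        EffectiveInterval  = $sched.CurrentlyEffectiveSyncCycleInterval
        CustomizedInterval = $sched.CustomizedSyncCycleInterval
        SchedulerEnabled   = $sched.SyncCycleEnabled
        StagingMode        = $sched.StagingModeEnabled               # staging servers export nothing
        SyncInProgress     = $sched.SyncCycleInProgress
        NextRunUtc         = $sched.NextSyncCycleStartTimeInUTC
        NextPolicy         = $sched.NextSyncCyclePolicyType
    }
}

Get-SyncHealth | Format-List

# Lengthen the cycle to one hour; anything below AllowedSyncCycleInterval is ignored.
Set-ADSyncScheduler -CustomizedSyncCycleInterval '01:00:00'

# Force an out-of-band delta sync, for example right after fixing UPN suffixes on-prem.
$state = Get-ADSyncScheduler
if (-not $state.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Warning 'A sync cycle is already running; try again after it finishes.'
}
```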
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.4
I had trouble creating a service connection point in the on-premises Active Directory. This service connection point is used to “Connect domain-joined devices to Azure AD for Windows 10 experiences.” I followed the documentation here to configure the service connection points in on-prem AD but got stuck with PowerShell Commands. However, I ran the PowerShell commands per the above documentation with no luck.
After that, I installed the appropriate version of the Windows Azure Active Directory Module for Windows PowerShell. Then I tried to run the following PowerShell commands, which worked like a champ!
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Fig.5
PS C:\Users\anoop\Desktop> Connect-MsolService
PS C:\Users\anoop\Desktop> Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
PS C:\Users\anoop\Desktop> Initialize-ADSyncDomainJoinedComputerSync
cmdlet Initialize-ADSyncDomainJoinedComputerSync at command pipeline position 1
Supply values for the following parameters:
AdConnectorAccount: nair\Anoop
AzureADCredentials
Initializing your Active Directory forest to sync Windows 10 domain joined computers to Azure AD.
Configuration Complete
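Once Initialize-ADSyncDomainJoinedComputerSync reports Configuration Complete, the check a practitioner wants is that the service connection point really exists and points at the right tenant. The script below is an added example (not from the original post): the SCP is always stored under the well-known GUID shown, in the Configuration partition, with keywords azureADName and azureADId; the expected domain name is a placeholder.

```powershell
# Added example (not from the original post): verify the device-registration
# service connection point (SCP) created by Initialize-ADSyncDomainJoinedComputerSync
# exists and names the expected tenant. The expected domain is a placeholder.
Import-Module ActiveDirectory

function Get-AzureAdDeviceRegistrationScp {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Well-known container GUID for the Azure AD device registration SCP.
    $scpDn = 'CN=62a0ff2e-97b9-4088-9039-6dce2ad7fdb6,CN=Device Registration Configuration,CN=Services,' + $configNc
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return $null
    }
    # keywords holds two entries: azureADName:<verified domain> and azureADId:<tenant GUID>
    $kv = @{}
    foreach ($k in $scp.keywords) {
        $name, $value = $k -split ':', 2
        $kv[$name] = $value
    }
    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        TenantName        = $kv['azureADName']
        TenantId          = $kv['azureADId']
    }
}

$scp = Get-AzureAdDeviceRegistrationScp
if (-not $scp) {
    Write-Warning 'No device registration SCP found; domain-joined Windows 10 devices cannot register with Azure AD.'
} elseif ($scp.TenantName -ne 'contoso.com') {   # placeholder: your verified domain
    Write-Warning "SCP points at an unexpected tenant: '$($scp.TenantName)'"
} else {
    $scp
}
```

Because every domain-joined device in the forest trusts this one object to decide which tenant it registers with, the tenant id it carries is worth comparing against the real tenant id whenever the SCP is modified.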
How to Sync On-Prem AD User Accounts with Azure AD
SCCM Intune Step-by-Step Training Video Guides help you understand the AAD connect configuration, how to enable MFA for Azure AD, join a Windows 10 device, and integrate the Twitter app with Azure AD.
This post will cover two other Azure AD (AAD) Sync topics. I’ve already downloaded and installed the AAD connect tool, and I can show you how to configure it and start syncing it.
Azure AD AAD Connect Setup User Password Sync Tool to Sync On-prem AD Domain to Azure AD – Video 1
This post is the New SCCM Server Installation Step-by-Step Guide covering end-to-end scenarios. The SCCM team recently released the latest baseline version of the current branch.
What is the importance of the baseline version? SCCM CB baseline version is the version you can download directly from Eval Center/MSDN/VLSC and install it on a new SCCM server.
Also, the SCCM 1702 version can upgrade the SCCM 2012 infra. SCCM CB versions are updated via in-console servicing to the latest SCCM version.
Pre Requisite – Server Roles and Features
Pre-Requisite – Installation of SQL 2014
Pre Requisite – ADK for Windows 10
Pre Requisite – AD Schema Extension
Install – SCCM/ConfigMgr Baseline version Standalone Primary
This guide provides simple step-by-step instructions for installing a new SCCM server. First, prepare your environment by ensuring all necessary prerequisites are met, such as installing a supported Windows Server and SQL Server. Next, download the SCCM installation files and run the setup.
Microsoft System Center Configuration Manager
Version 1702
Console version: 5.00.8498.1700
Site version: 5.0.8498.1000
New SCCM Server Installation Step by Step Guide – Table 1
New SCCM Server Installation Step by Step Guide – Fig.1
Step by Step Video Guide for SCCM CB 1702 Baseline Version Installation
This step-by-step video guide shows you how to install the SCCM Current Branch (CB) 1702 Baseline version. It covers all the necessary prerequisites, including the server roles and features you must set up beforehand.
New SCCM Server Installation Step by Step Guide – Video 1
Prerequisites
You can’t install the SCCM/ConfigMgr baseline version if your server’s OS is Windows 2008 R2. The minimum OS requirement for SCCM server installation is Windows Server 2012 and Later. More details are here.
Ensure that the server where you plan to install the SCCM baseline version has a supported version of SQL. SQL 2008 R2 SP3 is not supported; you should have at least SQL 2012 R2.
IIS BITs .NET
I have added the following roles and Features – IIS (for MP/DP), BITs (for MP), .NET Framework 3.5, Remote Differential Compression, and AD DS and AD LDS Tools. I didn’t add WSUS because I plan to add the SUP role later. However, I would recommend the WSUS role if you plan to install the SUP role on the primary server itself or install the WSUS console if you plan to install the SUP role on a remote server.
New SCCM Server Installation Step by Step Guide – Fig.2
Is .NET Framework 3.5 SP1 still required? Yes! On Server 2016, specify an alternate path for .NET, D:\Sources\sxs, as the location of the needed files.
NOTE! – If you get this error, “The request to add or remove features on the specified server failed.” Restart the server and try it with the alternate path “D:\Sources\sxs“, and that is my experience on Windows server 2016.
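The roles and features listed above can be added in one idempotent step. The script below is an added example (not the post’s own commands) using the Windows feature names that correspond to the items listed; the D:\Sources\sxs path is the one the post uses for .NET 3.5 on Server 2016 and depends on where your installation media is mounted.

```powershell
# Added example (not from the original post): install the roles and features the
# post lists for a standalone primary site server, using the alternate source path
# from the post for .NET 3.5 on Server 2016. Run elevated on the target server.
$Source = 'D:\Sources\sxs'   # Windows Server installation media (drive letter may differ)

$Features = @(
    'NET-Framework-Core',   # .NET Framework 3.5 (needs -Source on Server 2016)
    'Web-Server',           # IIS, for the Management Point and Distribution Point
    'BITS',                 # Background Intelligent Transfer Service, for the Management Point
    'RDC',                  # Remote Differential Compression
    'RSAT-AD-Tools'         # AD DS and AD LDS Tools
)

# Report what is already present so the run is idempotent and reviewable.
$state = Get-WindowsFeature -Name $Features | Select-Object Name, InstallState
$state | Format-Table -AutoSize

$toInstall = ($state | Where-Object InstallState -ne 'Installed').Name
if ($toInstall) {
    $result = Install-WindowsFeature -Name $toInstall -IncludeManagementTools -Source $Source
    if (-not $result.Success) {
        # Matches the post's experience: this failure usually clears after a reboot.
        Write-Warning 'Feature installation failed; restart the server and rerun with the same -Source path.'
    } elseif ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'Restart required before continuing with the SQL setup.'
    }
} else {
    'All listed roles and features are already installed.'
}
```

If you plan to host the SUP role on this server, add 'UpdateServices' to the list; for a remote SUP, add only 'UpdateServices-RSAT' for the console, as the post recommends.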
Install SQL DB for the SCCM Server
I installed SQL 2014, and you don’t have to worry about those “.Net” warnings. As you can see in the video tutorial for SQL setup, I have selected only the following features, which I think are required for SCCM CB.
I installed SQL on the default Instance and configured the services, as shown in the video tutorial for ConfigMgr SCCM baseline version installation. Microsoft recommends using a separate account for each SQL Server service. However, I used the same account because this is my lab environment.
SQL Server Agent, SQL Server Database Engine, and SQL Server Reporting Services
I selected the required Collation for SCCM|ConfigMgr baseline version:- sql_latin1_general_cp1_ci_as
New SCCM Server Installation Step by Step Guide – Fig.3
Install Windows ADK
I installed ADK for Windows 10, and during the installation, I selected only Deployment Tools, Windows Preinstallation Environment (Windows PE), and User State Migration Tools (USMT).
AD Schema Extension has to be extended if you have not done the extension for the previous versions of SCCM. AD schema extension is not mandatory, but I recommend extending the schema to make SCCM management easy.
New SCCM Server Installation Step by Step Guide – Fig.4
Extend AD Schema
Executed extadsch.exe from SCCM|ConfigMgr baseline version primary server. The user must have schema admin rights to complete the AD SCHEMA extension. In the second part of this update, we need to Create a System Management container under systems using ADSIEDIT. The primary server should have full access to the System Management container.
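The two results of this step, an extended schema and a System Management container the primary server has Full Control over, are easy to verify from the site server. The script below is an added example (not from the original post); the site server name is a placeholder and the rest uses the object names extadsch.exe creates.

```powershell
# Added example (not from the original post): after extadsch.exe, confirm the
# schema was extended and that the System Management container exists with Full
# Control granted to the primary site server's computer account.
Import-Module ActiveDirectory

$SiteServer = 'CM01'     # placeholder: primary site server computer name

function Test-SccmAdPrep {
    $root   = Get-ADRootDSE
    $schema = $root.schemaNamingContext
    $domain = $root.defaultNamingContext

    # One of the classes extadsch.exe adds; present only after a successful extension.
    $siteClass = Get-ADObject -Filter "name -eq 'MS-SMS-Site'" -SearchBase $schema

    $containerDn = "CN=System Management,CN=System,$domain"
    $container = $null
    try { $container = Get-ADObject -Identity $containerDn -ErrorAction Stop } catch { }

    $hasFullControl = $false
    if ($container) {
        $acl  = Get-Acl -Path "AD:\$containerDn"
        $acct = "$((Get-ADDomain).NetBIOSName)\$SiteServer`$"
        $hasFullControl = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $acct -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -eq 'GenericAll' -and      # Full Control
            $_.InheritanceType -in 'All', 'Descendents'          # this object and all descendants
        })
    }

    [pscustomobject]@{
        SchemaExtended           = [bool]$siteClass
        SystemManagementExists   = [bool]$container
        SiteServerHasFullControl = $hasFullControl
    }
}

Test-SccmAdPrep
```

All three values should be True before the site is installed; if SchemaExtended is False, check ExtADSch.log on the machine where extadsch.exe was run. Keep the ACL on this container tight: whoever can write to it can publish site information that clients trust.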
Let’s see how to configure Software Update Policy Rings in Intune MEM. How do you set up Windows 10 Software Update Policy Rings in the Intune?
Managing software updates for Windows 10 with Intune is straightforward, but there is a catch: you can’t expect the granular controls you have with SCCM/ConfigMgr. We must configure the Windows Software update policy and deploy that policy to Windows 10 devices.
Windows 10 devices will receive software updates directly from Microsoft Update services. Unlike SCCM, there is no need to download the updates, create a package, and deploy them to the devices (as seen in this video post here).
Intune Video Software Update Rings Setup Design Decisions
This video guide is about Software Update Policy Rings in Intune MEM. It explains how to set up and manage these policy rings to control when and how updates are applied to your devices. This guide will teach you to update and secure your devices using Intune MEM.
Software Update Policy Rings in Intune MEM – Video 1
Software Update Policy Rings in Intune MEM
We have an out-of-the-box Software Update (Automatic Update) policy as part of the Intune Silverlight portal configuration policy. However, I have noticed that this policy has stopped working in the last few months. Now, there are two options to control the behavior of Windows 10 updates and Windows servicing.
If your Silverlight portal has not yet been migrated to the MEM portal, the first choice is to use custom policies in the Intune Silverlight portal. I have a post here about Intune Silverlight migration blockers.
The second choice is to control Windows Update for business via the Software Updates button in the Intune blade in the MEM portal. We will cover this in this post.
Software Update Policy Rings in Intune MEM – Fig.1
Basic Test Rings for Windows 10 Software Update
As a fundamental requirement, we may need to create at least two Windows 10 Software Update Policy Rings for your organization. One Windows 10 Update ring is for Windows 10 machines in the Current Branch (CB).
The second Windows 10 update ring is for Windows 10 machines in the Current Branch for Business (CBB). Windows 10 update rings evolve as you progress with your organization’s testing and development. But this is the first stage of your testing of Software update deployments.
Windows 10 CB Update Ring - All the devices in Current Branch
Windows 10 CBB Update Ring - All the devices in Current Branch for Business
Pilot and Production Rings for Windows 10 or Windows 11 Servicing
Another recommendation is to create different Windows 10 Software Update Policy Rings for deferrals of Windows 10 servicing branches CB and CBB. The rings can be delayed for a maximum of 30 days.
These two update rings would help with the latest Windows 10 CB/CBB servicing updates (e.g., upgrading from 1607 to 1703) with some pilot devices rather than simultaneously deploying servicing updates to all the devices.
During the CB pilot testing, if you find any problems with the upgrade and don’t want to deploy the update to the CBB ring, you can PAUSE the updates for the production ring.
Pilot Windows 10 CBB Updates Ring - Pilot Servicing Ring for CBB
Production Windows 10 CBB Updates Ring - Production Servicing Ring for CBB
Pilot Windows 10 CB Updates Ring - Pilot Servicing Ring for CB
Production Windows 10 CB Updates Ring - Production Servicing Ring for CB
Pilot and Production Rings for Windows 10 or Windows 11 Monthly Security Patches
I would also recommend creating different Windows 10 Software Update Policy Rings for Windows 10 CBB and Windows 10 CB quality updates (monthly security and other patches). So, Windows 10 CBB machines will have a minimum of 2 rings.
One ring is for the pilot machines running Windows 10 CBB, and the second ring is for the production machines running Windows 10 CBB. The same applies to Windows 10 CB devices, and the CB machines should also have two rings.
Pilot Windows 10 CB Quality Updates Ring - Monthly patch pilot ring
Production Windows 10 CB Quality Updates Ring - Monthly patch production ring
Pilot Windows 10 CBB Quality Updates Ring - Monthly patch pilot ring
Production Windows 10 CBB Quality Updates Ring - Monthly patch production ring
Software Update Policy Rings in Intune MEM – Fig.2
How to Create Advanced Windows 10 Software Update Rings?
There could be other complex scenarios of Windows 10 Software Update Policy Rings. These rings could depend purely on the requirements of your organisation’s region or business group. Some of the other essential options you have in Windows 10 Software Update Policy Rings are:
Windows 10 Automatic update behavior – How do you want to perform scan, download, and install updates? Scheduling options for Windows updates.
Do you want to update Windows 10 drivers as part of your patch deployment rings?
What kind of Delivery optimization (Build a caching solution with Windows 10) do you want to use?
Delivery Optimization Download Mode
HTTP blended with peering behind same NAT
Software Update Policy Rings in Intune MEM – Table 1
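Every option discussed above (deferrals, pause, servicing branch, driver exclusion, automatic update behavior, delivery optimization) ends up on the device as a value under the Update CSP, which is the quickest place to confirm which ring a device actually received. The script below is an added example (not from the original post); the expected values are placeholders for a production CBB ring.

```powershell
# Added example (not from the original post): on a managed Windows 10 device, read the
# effective Windows Update for Business settings an Intune update ring delivers through
# the Update CSP and compare them with what the ring is supposed to set.
$Policy = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Placeholder expectations for a "Production Windows 10 CBB" ring.
$Expected = @{
    DeferQualityUpdatesPeriodInDays = 7     # monthly patches held 7 days
    DeferFeatureUpdatesPeriodInDays = 30    # servicing upgrades held 30 days
    PauseQualityUpdates             = 0     # 1 while the ring is paused after a bad pilot
    PauseFeatureUpdates             = 0
    BranchReadinessLevel            = 32    # 16 = Current Branch (CB), 32 = Current Branch for Business (CBB)
    ExcludeWUDriversInQualityUpdate = 0     # 1 keeps drivers out of the ring
    AllowAutoUpdate                 = 2     # auto download, install and restart
}

function Compare-UpdateRing {
    if (-not (Test-Path $Policy)) {
        Write-Warning 'No Update CSP policy found; the device has not received an update ring.'
        return
    }
    $actual = Get-ItemProperty -Path $Policy
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $value = $actual.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Match    = ($value -eq $Expected[$name])
        }
    }
}

Compare-UpdateRing | Format-Table -AutoSize

# Delivery Optimization arrives through its own CSP branch; mode 1 is
# "HTTP blended with peering behind the same NAT", the option shown in the post.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization' `
    -Name DODownloadMode -ErrorAction SilentlyContinue | Select-Object DODownloadMode
```

A device that shows the pilot ring’s values while sitting in the production group is the symptom of the missing exclusion groups discussed in the assignment section, since a member of both groups gets both policies.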
Software Update Policy Rings in Intune MEM – Fig.3
Deployment – Assignment of Windows 10 Software Update Rings
Windows 10 Software Update Policy Ring deployments/assignments are critical decisions. I recommend using dynamic device groups wherever possible, but at the moment, this is not possible for all scenarios. In some scenarios, we need to use static device/user groups. I hope Microsoft will develop assignment exclusion group options (similar to AAD Conditional Access policies).
Exclusion groups would be instrumental in Software Update ring deployment scenarios. For example, you want to exclude pilot devices from the production software update ring deployments, which is impossible without exclusion options.
Let’s discuss the SCCM CB Nested Task Sequence PS Detection Method. SCCM/ConfigMgr preview release 1704 has many exciting features.
The video embedded in this post covers all the installation steps and new features. First, I could see some differences in the Updates and Servicing of SCCM CB.
The ConfigMgr CB 1704 preview version was available (available to download) in the console, but it didn’t start the download of the 1704 update. I think it may begin to download automatically after 24 hours, but I have not tested it.
This post will provide comprehensive details about the SCCM Current Branch (CB) Nested Task Sequence PowerShell Detection Method. It explains how to effectively use PowerShell scripts to detect and manage nested task sequences within SCCM, ensuring efficient deployment and maintenance of software and updates.
This video guide is about the SCCM Technical Preview 1704, specifically focusing on Parent-Child Task Sequences. It explains how to create and manage these task sequences in simple terms, making organising and executing multiple related tasks easier.
As you can see in the SCCM video tutorial, I started the preview version download by right-clicking on the available update in the console. You can also check the status of the download via the DMPDOWNLOADER.log file.
The following are the stages of the in-console upgrade of the CB preview:
Available to Download
Downloading
Ready to Install
Checking Prerequisites
Installing
Console Upgrade
Nested Task Sequence PS Detection Method
Most SCCM admins are waiting for a feature called nested Task Sequence. With the latest SCCM preview version 1704, we can create a parent-child relationship within the task sequence. This will help you nest/call a task sequence within another task sequence.
This feature should be used carefully; otherwise, it could become very complex. I wanted to see how complex Task Sequence troubleshooting would evolve with the introduction of TS nesting.
I have also seen that SMSTS.log logging has improved in the SCCM CB preview version.
A PowerShell script can be the detection method for deployment types with SCCM CB Preview version 1704. It can also detect the application. We have three script types (1. PowerShell, 2. VBScript, and 3. JScript) for detecting the application as part of the deployment type.
Android for Work applications can be configured automatically with the JSON file upload option in SCCM/ConfigMgr CB preview version 1704. The option of configuring Android for Work apps with a complex property list using a JSON file is very useful for configuring A4W apps.
I have not seen this option in the Intune stand-alone version, so it will be very useful for hybrid customers once it is available in the production version.
SCCM Preview version 1704 comes with loads of new features.
However, I have noticed a few changes in the MDM channel configuration policies for iOS and Android devices.
Moreover, there are a few new additions in terms of compliance policies in SCCM CB Preview version 1704.
Let’s discuss planning and designing an Intune Compliance Policy for Android Devices. This post will provide more details about planning and implementing the policy.
Intune compliance policies are the first step of the protection before giving access to corporate apps and data. Planning and designing compliance policies for Android devices is essential as Android is more vulnerable than other operating systems.
Compliance policies and rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.
Update: When you use or support Android for work enrollment, select a platform like Android for Work that complies with a policy. Otherwise, the compliance policies will evaluate your Android devices and say this policy does not apply to Android for Work-enrolled devices.
How to Setup Intune Compliance Policies for Android
This video guide shows you how to set up Intune compliance policies for Android devices. It provides easy-to-follow instructions for creating policies that ensure your devices meet security standards before accessing company apps and data.
How to Plan Design Intune Compliance Policy for Android Devices – Video 1
How to Set Up Intune Compliance Policy for Android Devices
Sign in to the Endpoint Manager portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.
Select Intune—Device Compliance—Compliance—Policies and click on the +Create policy button to create a new compliance policy. Select the platform “Android.” Settings configurations are significant for compliance policies.
There are some improvements in Azure portal Android compliance policies.
There are three categories in Android compliance policies: Device Health, Device Properties, and System Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.1
Device Health is where the compliance engine checks whether Android devices should be reported. The device health attestation service has many checks, including TPM 2.0 and BitLocker encryption.
Device Properties is where Intune Admins define minimum and maximum versions of operating system details for corporate application access. I would keep the minimum version as Android version 6 wherever possible.
Operating System Version
Minimum Android OS version
Maximum Android OS version
System Security is the setting where Intune Admins define password policies for Android devices. These settings have three sections: Password, Encryption, and Device Security.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.2
Password Compliance Policy for Android – I would create a complex Alphanumeric password for Android devices and all the above configurations.
Password Compliance Policy for Android
Require a password to unlock mobile devices.
Minimum password length
Required password type
Maximum minutes of inactivity before the password is required
Password expiration (days)
Number of previous passwords to prevent reuse
How to Plan Design Intune Compliance Policy for Android Devices – Table 1
Encryption Compliance Policy for Android – Encryption should be a must in your Android compliance policy.
Encryption of data storage on the device
Device Security Compliance Policy for Android – Block apps from unknown sources and Block USB debugging on Android devices. These policies are essential and should be enabled.
Block apps from unknown sources
Require threat scan on apps
Block USB debugging on the device
Minimum security patch level
Deploy Android Compliance Policy to all Android devices’ dynamic device groups (Update Device Groups are not supported for compliance policies; hence, use user groups for Intune compliance policies). Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.
How to Plan Design Intune Compliance Policy for Android Devices – Fig.3
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Let’s discuss Setting up an Intune Compliance Policy for Windows 10 Devices. This post will show how to do so. Managing Windows 10 devices is critical in modern device management.
Intune compliance policies are the initial safeguard in securing access to corporate applications. These policies help ensure that devices meet predefined security and compliance standards, preventing unauthorized or non-compliant devices from accessing sensitive corporate resources.
The Intune Compliance Policy for Windows 10 helps protect company data. The organization must ensure that the devices that access company apps and data comply with specific rules. These rules might include using a password/PIN to access devices and encrypting data stored on devices.
This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.
How to Setup Intune Compliance Policies for Windows10
This video guide shows you how to set up Intune compliance policies for Windows 10. It walks you through each step clearly and simply, making it easy to follow.
How to Setup Intune Compliance Policy for Windows 10 Devices – Video 1
How to Setup Intune Compliance Policy for Windows 10 Devices
Sign in to the MEM portal with an Intune admin access account. Select More services, enter Intune in the text box, and then select Enter.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.1
Select Intune—Device Compliance—Compliance—Policies and click on the +Create policy button to create a new compliance policy. Select the platform as “Windows 10.” Settings configurations are really important for compliance policies. There have been some improvements in Azure portal Windows 10 compliance policies.
The 3 categories in Windows 10 compliance policies are shown in the table below.
Windows 10 Compliance Policies
Device Health
Device Properties
System Security
How to Setup Intune Compliance Policy for Windows 10 Devices – Table 1
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.2
Device Health is the setting where the compliance engine checks whether Windows 10 devices are reported as healthy by the Windows Device Health Attestation Service (HAS). The device health attestation service includes many checks, such as TPM 2.0 (the requirement for the latest build of Windows 10 is TPM 1.0), BitLocker encryption, etc.
Device Properties is the setting where Intune Admins define the minimum and maximum operating system versions for corporate application access.
Operating System Version
Minimum OS version
Maximum OS version
Minimum OS version for mobile devices
Maximum OS version for mobile devices
System Security is the setting where Intune Admins define password policies for Windows devices. These settings have two sections: Password and Encryption. Password Policy—We don’t need to set the Windows password policy here if you already use “Windows Hello for Business.”
Require a password to unlock mobile devices.
Simple passwords
Password type
Device default / Alphanumeric / Numeric
Minimum password length
Maximum minutes of inactivity before the password is required
Password expiration (days)
Number of previous passwords to prevent reuse
A password is required when the device returns from an idle state (mobile only).
Encryption – If you have enabled HAS in the above policy, you don’t need to enable this encryption policy.
Encryption of data storage on a device.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.3
Deploy Windows 10 compliance to All Windows devices’ dynamic device groups. (Update Device Groups are not supported for Compliance policies—hence, use user groups for Intune compliance policies.)
Click on Assignment and select the dynamic device group.
I would use AAD dynamic device groups rather than user groups to deploy compliance policies.
How to Setup Intune Compliance Policy for Windows 10 Devices – Fig.4
Let’s discuss setting up an Intune Compliance Policy for iOS Devices. This post will explain how to do so. An Intune Compliance Policy ensures that iOS devices accessing company data meet specific security standards.
Enforcing these policies can help protect your organization’s data from unauthorized access and potential security threats. The organization must ensure that the devices that access company apps and data comply with specific rules.
These rules might include using a password/PIN to access devices and encrypting data stored on devices. This set of such rules is called a compliance policy. The best option is to use a compliance policy with Azure AD Conditional Access.
A compliance policy is a set of guidelines that devices must meet to access organizational resources. It ensures that only secure and compliant devices can access company data, reducing the risk of data breaches or unauthorized access.
In this video, you will learn all the details on how to set up Intune compliance policies for iOS devices. We’ll guide you through creating and configuring these policies to ensure your company’s data remains secure.
How to Setup Intune Compliance Policy for iOS Devices – Video 1
How Do you Set up the Intune Compliance Policy for iOS?
Sign in to the Azure portal with an Intune admin access account. Select More services, enter Intune in the text box, and select Enter. Select Intune – Device Compliance – Compliance – Policies – and click the +Create policy button to create a new compliance policy. Select the platform “iOS”.
Settings configurations are significant for compliance policy. In terms of password settings, Azure portal iOS compliance policies have improved.
iOS compliance policies have four categories: Email, Device Health, Device Properties, and System Security.
Email settings require mobile devices to have a managed email profile to access corporate resources.
The Device Health setting checks whether the device is jailbroken. If the iOS device is jailbroken, it won’t get mail access.
The Device Properties setting checks the OS version of the device against the minimum iOS version you configure.
The System Security setting is based mainly on password settings. There are some improvements over the Intune Silverlight portal here. We can have the option not to configure some of the settings, like “Number of non-alphanumeric characters in password.” This was not possible with the Intune Silverlight portal.
How to Setup Intune Compliance Policy for iOS?
Require a password to unlock mobile devices.
Simple passwords
Minimum password length
Required password type: Not Configured / Alphanumeric / Numeric
Number of non-alphanumeric characters in the password
Maximum minutes of inactivity before a password is required
Password expiration (days)
Number of previous passwords to prevent reuse
How to Setup Intune Compliance Policy for iOS Devices – Table 1
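One way to see how the Windows 10, Android and iOS settings tabled above combine into a compliant or non-compliant verdict, as an added example that is not the post's or Microsoft's code: rule keys and device reports are constructed names and sample values that mirror the portal settings, not Microsoft Graph property names or real telemetry.

```python
# Added example, not HTMD's or Microsoft's code: a local model of how the compliance
# rules discussed above (password, OS version range, encryption, Android and iOS
# security blocks) decide whether a device report is compliant. Keys are constructed
# names mirroring the portal settings, not Microsoft Graph property names.

def parse_version(text):
    """'10.0.19045' -> (10, 0, 19045): a string compare would rank '10.0.9' higher."""
    return tuple(int(part) for part in text.split("."))

def evaluate(policy, report):
    """Return the names of the settings the device fails; an empty list is compliant."""
    failures = []
    if policy.get("passwordRequired") and not report.get("passwordSet"):
        failures.append("passwordRequired")
    if report.get("passwordLength", 0) < policy.get("passwordMinimumLength", 0):
        failures.append("passwordMinimumLength")
    if policy.get("passwordRequiredType") == "alphanumeric" \
            and report.get("passwordType") != "alphanumeric":
        failures.append("passwordRequiredType")
    version = parse_version(report["osVersion"])
    if "osMinimumVersion" in policy and version < parse_version(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    if "osMaximumVersion" in policy and version > parse_version(policy["osMaximumVersion"]):
        failures.append("osMaximumVersion")
    if policy.get("storageRequireEncryption") and not report.get("storageEncrypted"):
        failures.append("storageRequireEncryption")
    # "Block ..." settings fail the device whenever the blocked state is present.
    for setting, blocked_state in (("blockUnknownSources", "unknownSourcesEnabled"),
                                   ("blockUsbDebugging", "usbDebuggingEnabled"),
                                   ("blockJailbroken", "jailbroken")):
        if policy.get(setting) and report.get(blocked_state):
            failures.append(setting)
    return failures

# Constructed policies mirroring the settings discussed above; the Windows build
# number, iOS version and password lengths are sample values, not from the posts.
WINDOWS10_POLICY = {"passwordRequired": True, "passwordMinimumLength": 8,
                    "passwordRequiredType": "alphanumeric",
                    "osMinimumVersion": "10.0.17763", "storageRequireEncryption": True}
ANDROID_POLICY = {"passwordRequired": True, "passwordMinimumLength": 6, "osMinimumVersion": "6.0",
                  "storageRequireEncryption": True, "blockUnknownSources": True, "blockUsbDebugging": True}
IOS_POLICY = {"passwordRequired": True, "passwordMinimumLength": 6, "osMinimumVersion": "14.0",
              "blockJailbroken": True}

# Constructed device reports, not real telemetry.
WIN_DEVICE = {"passwordSet": True, "passwordLength": 12, "passwordType": "alphanumeric",
              "osVersion": "10.0.19045", "storageEncrypted": True}
ANDROID_DEVICE = {"passwordSet": True, "passwordLength": 4, "passwordType": "numeric",
                  "osVersion": "9.0", "storageEncrypted": True, "usbDebuggingEnabled": True}
IOS_DEVICE = {"passwordSet": True, "passwordLength": 6, "osVersion": "15.1", "jailbroken": True}
```

Running evaluate(ANDROID_POLICY, ANDROID_DEVICE) shows both the short numeric PIN and USB debugging being flagged, which is the state a Conditional Access rule keyed on compliance would then block.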
Deploy the Intune Compliance Policy for iOS for all iOS devices in the dynamic device group. Click on Assignment and select the dynamic device group. I would use AAD dynamic device groups rather than AAD user groups to deploy compliance policies.
(Update Device Groups are not supported for Compliance policies – hence, use user groups for Intune compliance policies.)
How to Setup Intune Compliance Policy for iOS Devices – Fig.1