featured

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune 1

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune? In the previous post on how to Create Azure AD Dynamic Groups for Managing Devices using Intune, you might have seen the basic process for creating Azure AD dynamic user and device groups, along with explanations about the syntax of the queries/rules.

We will also experience performance issues with Azure AD dynamic groups when we don’t design our queries properly. This is similar to performance issues with dynamic collections with bad WQL queries, and SCCM admins are very familiar with this kind of performance issue.

This post will show how to create dynamic device groups for Windows devices with the “Device Ownership” attribute in Azure AD. This attribute is populated only when the devices are enrolled through MDM, and if I understand correctly, it is inhabited by Intune in this case.

If this attribute is not populated, you must ensure the device is correctly enrolled in Intune. Because some of these attributes are available only when the Intune portal is migrated to Azure, you may need to wait for your Intune migration to complete if you are still using the Intune Silverlight portal.

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune

Let’s discuss creating an Azure AD device group for Windows BYOD CYOD devices Microsoft Intune. Creating Azure AD device groups for Windows BYOD and CYOD devices with Microsoft Intune is easy. It is explained in detail below.

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune - Fig.1
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.1

Following are the Advanced membership rules that you can use to create Azure AD and dynamic Device groups to segregate BYOD and CYOD devices! All Windows CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “company”) -and (device.deviceOSType -contains “Windows”).

All Windows BYOD Devices Query for Azure Active Directory

(device.deviceOwnership -contains "Personal") -and (device.deviceOSType -contains “Windows”)

All BYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Personal”) All CYOD Devices Query for Azure Active Directory (device.deviceOwnership -contains “Company”).

How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune - Fig.2
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.2

Auditing Azure Active Directory Dynamic groups is very important from the ops teams’ perspective. These auditing options are available in the new Azure portal, and it’s beneficial to track the changes of a particular Azure AD dynamic group.

As you can see in the table below, the ACTOR performed the activity for that group. For example, when I created this group, “Microsoft Approval Management” (probably an AAD automated process in the background) added 2 devices to the device group.

DateActorActivityTarget
3/2/2017, 1:42:18 PMMicrosoft Approval ManagementAdd member to groupDevice : DESKTOP-FOSD7L3, Group : All Windows CYOD Devices
3/2/2017, 1:42:18 PMMicrosoft Approval ManagementAdd member to groupDevice : DESKTOP-IIRCSUV, Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PManoop@sSDS.onmicrosoft.comAdd owner to groupUser : , Group : All Windows CYOD Devices
3/2/2017, 1:31:42 PManoop@sSDS.onmicrosoft.comAdd groupGroup : All Windows CYOD Devices
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Table 1
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune - Fig.3
How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune – Fig.3

So, it’s recommended that we look at the best practices when we create dynamic devices or user groups in Azure Active Directory. You may not see performance issues with AAD dynamic groups during testing or POC, but when you migrate all the users into Azure AD, this could undoubtedly impact.

I always try to use -eq rather than -contains in the AAD dynamic rules, but it’s not always possible to use -eq! How to Create Azure AD Dynamic Device Groups for Windows BYOD CYOD Devices Microsoft Intune.

Reference

 https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment 2

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment

Microsoft Intune will automatically enroll CYO or BYO devices. You can scope automatic enrollment to some Azure AD users, all users, or none. This is an old post, but the concepts are still the same.

The old classic Azure portal offers an option to set up Automatic Intune MDM enrollment for Windows 10 devices. A similar option is available in the new Azure portal, which has new names and a new look. This post explains more details about the Windows 10 Intune Auto Enrollment Process.

One of the first things you must learn is how to use the Intune Admin Portal. This post will help you understand where the Intune admin portal is, officially known as the Microsoft Intune Admin Center.

The Intune Auto Enrollment option will help you perform two (2) things, as explained in the video below. It’s an old video now; the patch to configure auto-enrollment has changed a bit, and I have described it in the new Intune portal walkthrough video below.

First, whenever a Windows 10 device is joined to Azure AD, it will automatically enroll in Intune for MDM Management. Second, only the allowed users in the MDM user scope group can enroll devices in Intune.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Intune Portal Walkthrough | MEM Admin Center | Training

The Intune Admin Portal, officially known as the Microsoft Endpoint Manager (MEM) Admin Center, is a crucial tool for managing devices and applications within an organization. IT administrators must effectively navigate this portal to oversee and control various aspects of their endpoints.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Video 1

NOTE! – For Windows 10 BYOD devices, the MAM user scope takes precedence if both the MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configure them) rather than being enrolled by MDM.

Windows 10 Intune Auto Enrollment Process

The following is where you can set the MDM enrollment configuration in the new Azure portal. When your MDM User scope is set to None, none of the enrolled devices get the proper policies, and those devices won’t work as expected.

  • Choose Devices -> Device OnboardingEnrollment -> Windows in the Microsoft Intune admin centre.
  • Click on the Automatic Enrollment button.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment - Fig.1
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.1

Select the MDM user Scope to All or Custom Azure AD group per your requirement. If it is set to None, users won’t be able to enroll the devices into Intune management.

  • The simplest option is to specify “all users” in the MDM user scope so that all the users in your organization can enroll their devices into Intune. Windows 10 devices will automatically enroll in Intune when the users perform Azure AD Join.
  • User groups can manage this option. When you want to allow a specific group of users to enroll their devices into MDM/Intune, this is the place to configure that user group. Click on the SOME option in the MDM User scope and select the user group to which you want to provide access.
  • From the same place, you can perform a granular or phase-wise approach to moving users to new MDM management from the same place. This blade has 3 URL options; you can configure these URLs according to your MDM vendor.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment - Fig.2
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.2

Video Windows 10 Intune Auto Enrollment Process

This is an old video recorded using the Azure portal UI. The concept is the same, but the new portal UI has different options.

How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Video 1

Windows 10 Airwatch Mobileiron Auto Enrollment Process?

If Airwatch or Mobileiron manages your devices, you can specify those. The new Azure portal for Intune automatically configures all the URLs in MDM. This blade has three different URLs.

New Azure Portal for Intune MDMDescriptionLink
MDM Terms of use URLThe URL of the terms of use endpoint of the MDM servicehttps://portal.manage.microsoft.com/TermsofUse.aspx
MDM Discovery URLThis is the URL of the enrollment endpoint of the MDM service. The enrollment endpoint is used to enroll devices for management with the MDM service. The URL given below is the Intune enrollment endpoint URL.https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
MDM Compliance URLThis is the URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliance device.URL can navigate to this URL hosted by Intune service in order to understand why their device is considered noncompliant. Users can also initiate self-service remediation so their devices become compliant and they can continue to access resources.https://portal.manage.microsoft.com/?portalAction
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Table 1
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment - Fig.3
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.3

So, where is the option in the new Azure portal to configure the MDM auto-enrollment setting for Windows 10 devices and MDM enrollment for the rest of the devices (Android, iOS, and macOS)? The following is where you can configure the Intune MDM enrollment option: Microsoft Azure—Mobility (MDM and MAM).

  • Windows 10 Intune Auto Enrollment Process Screen capture.
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment - Fig.4
How to Configure Automatic Intune MDM Enrollment | Auto Enrollment – Fig.4

Sign in to your account (microsoftonline.com)

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Reset MFA Contact Details of Azure AD User 3

How to Reset MFA Contact Details of Azure AD User

Let’s discuss how to Reset the MFA Contact Details of an Azure AD User. In this post, we will see the different types of users in the Azure Active Directory (Azure AD or AAD) and how to delete a user’s existing contact details and request the user to fill in new contact details.

More details to change the Azure MFA Authentication phone from the MyApps portal – https://www.anoopcnair.com/change-azure-mfa-authentication-phone-myapps/(opens in a new tab). End-User and trying to change MFA Mobile Number – https://aka.ms/MFASetup.

We can easily reset the contact details used for MFA (Multi-Factor Authentication) from the Azure AD portal. This is very useful when the user gets an internal transfer within the organization to another country and wants to change the number.

Also, there are options to “Delete all existing app passwords generated by the selected users” and “Restore multi-factor authentication on all remembered devices”.

Reset MFA Contact Details – MFA Mobile Contact Number Reset from Azure Portal with Admin Access?

Let’s talk about resetting the Multi-Factor Authentication (MFA) contacts of an Azure Active Directory (AD) user. The video below will guide you through the process, showing all the necessary details step by step. It’s a straightforward way to ensure that the MFA contacts for your Azure AD user are updated correctly.

How to Reset MFA Contact Details of Azure AD User – Video 1

As you can see in the picture, two types of symbols are near user accounts. The one with external email IDs like Gmail and those kinds of users are guest users in Azure AD.

How to Reset MFA Contact Details of Azure AD User - Fig.1
How to Reset MFA Contact Details of Azure AD User – Fig.1

Using the Guest user option, you can temporarily grant external contractors access to your organization’s apps. Internal users with your organization’s email IDs are another type of user.

How to Reset MFA Contact Details of Azure AD User - Fig.2
How to Reset MFA Contact Details of Azure AD User – Fig.2

To access the organisation’s resources, Guest users should go through a secure onboarding process with MFA (Multi-Factor Authentication). Guest users will receive an invitation mail on the external email ID, and the email subject will be “You’re invited to the {Anoop’s} organization“.

The user has to click on the “Get Started” link from the mail, and they will be guided through the onboarding process with MFA. As you can see in the welcome screen (below picture), you will access the MyApps.microsoft.com portal, where guest users can access internal applications allocated to that user.

How to Reset MFA Contact Details of Azure AD User - Fig.3
How to Reset MFA Contact Details of Azure AD User – Fig.3

So, coming back to the main topic, “How to Reset the MFA Contact Details of an Azure AD User,” this option is available in the Azure portal: “Microsoft Azure Active Directory –> Users and groups—All users.” Click on “Multi-Factor Authentication.” In the new tab, you will see the option to reset the AAD user’s contact details.

  • This blade will allow you to reset all app passwords the selected users generate and ask users to perform MFA on all existing devices.
  • Select the user ID and click “Manage user setting” to reset the AAD user’s MFA contacts.
How to Reset the MFA Contact Details of an Azure AD User
Microsoft Azure Active Directory
Users and groups
All users
Multi-Factor Authentication
How to Reset MFA Contact Details of Azure AD User – Table 1
How to Reset MFA Contact Details of Azure AD User - Fig.4
How to Reset MFA Contact Details of Azure AD User – Fig.4

When you click on any user account from the above place (as seen in the above pic), it will take you to the Office 365 licensing portal. So, there is no need to log into the Office portal separately to assign user licenses. This is handy stuff.

How to Reset MFA Contact Details of Azure AD User - Fig.5
How to Reset MFA Contact Details of Azure AD User – Fig.5

Once you click on “Manage User Settings,” you will see the following options: The first one requires selected users to provide contact methods again, and the second one deletes all existing app passwords generated by the selected users.

3. Restore Multi-factor authentication on all remembered devices. To reset an Azure AD user’s MFA contact details, select option one, “Require selected users to provide contact methods again,” and click save. The next time a user logs into a device, AAD will prompt the user to provide contact details again.

How to Reset MFA Contact Details of Azure AD User - Fig.6
How to Reset MFA Contact Details of Azure AD User – Fig.6

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform 4

ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform

Let’s look at the SCCM Server Hardware Migration Step by Step Guide. Moving an SCCM/ConfigMgr server from one hardware to another is a common scenario in the enterprise world.

There could be several reasons for this kind of SCCM/ConfigMgr server hardware migration. Server OS upgrade is one of the most common scenarios. Yes, SCCM CB 1606 and later versions support the in-place upgrade of server OS. However, I’ve seen that most of our server teams don’t want to perform a place OS upgrade.

We have an article about the SCCM 2012 to CB Current Branch Upgrade | Migration | Possible Issues | ConfigMgr. In this post (SCCM 2012 to CB upgrade checklist), you will see the steps to upgrade SCCM 2012 to SCCM CB’s latest baseline (1606) and then the Latest Baseline to the newest version of CB (1610/1702).

This post provides a step-by-step guide for migrating ConfigMgr SCCM server hardware. It provides all the details you need to perform this migration smoothly and efficiently.

The Migration Process is into 5 Phases – ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform

I have completed similar migration activities many times in my career. Following these steps is crucial when migrating or server hardware changes to your SCCM server.

I’m not covering SQL migration in this post. In this scenario, SQL is on the remote box. If the SQL is on the same box, things will be easier. I’ve divided the migration process into 5 phases:-

  1. Pre-SCCM Migration Activities
  2. Start of SCCM Migration Activities – Downtime starts from here
  3. SCCM Installation activities on the new server
  4. SCCM/ConfigMgr Recovery/Restore activities
  5. Post SCCM/ConfigMgr Repair/Recovery activities
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform - Fig.1
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Fig.1

Pre-SCCM Migration Activities

  • Create new servers with new names – check whether the SCCM version you will install supports the OS version of the servers.
  • Make sure new servers are created in the same VLAN, making life much easier.
  • Ensure the drive letters of newly provisioned servers are the same as those of existing ones.
  • You can request a storage extension to keep 3 or 4 copies of the SCCM full backup on the new server.
  • Document the SMS Groups and security settings of existing servers and configurations of the SCCM console.
  • SCCM Site backup and store remotely (confirm success) – Probably a day before the actual migration schedule.
  • 4 to 5 days before actual SCCM server migration, replicate all the Data SCCM Package folders, drivers, etc (all data except those NOT covered as part of SCCM Full backup) to the Newly provisioned server.
  • Make sure the copy of SCCM source files and prerequisites are already copied to new SCCM servers.
  • Perform a differential copy of Data SCCM Package folders, drivers, etc., to newly provisioned servers (maybe a few hours before, depending on the data size).
  • Document current servers, AD membership in groups, OU, etc., and IP information.
  • Remove remote site system roles like SUP/RP. Make sure the site system details are removed from the SCCM console.
  • Please take a couple of extra Site backup copies and store them on the newly provisioned SCCM server.
  • Take a Snapshot of existing SCCM servers (include the drive where SCCM is installed).
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform - Fig.2
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Fig.2

Start of SCCM Migration Activities – Downtime Starts from Here

  • Remove existing SCCM servers from the domain, ensuring you know local admin account details.
  • Shut down existing SCCM servers.
  • Rename existing SCCM servers in Vcenter or HyperV to old.
  • Rename the new SCCM server in Vcenter/HyperV to the existing SCCM server names.
  • Delete existing SCCM servers from AD.
  • Remove new SCCM/ConfigMgr servers from the domain and reboot, ensuring you have local admin account details.
  • Log onto new SCCM/ConfigMgr servers using the local admin account.
  • Change IPs of new SCCM servers to reflect old SCCM server IP details.
  • Change new SCCM server names to existing SCCM server names and reboot.
  • Log on to new SCCM servers using the local admin account.
  • Add new SCCM servers to the domain and reboot.
  • Verify the OU, System Management Access, and AD membership information for the new SCCM/ConfigMgr servers. If you have made any changes above, reboot.
  • Storage migrates any back-end storage in VMware/HyperV to ensure that vmdk and vmx/VHDX files are named correctly.
  • Take a full backup of the Remote SQL Database (confirm success).
  • Archive this SQL backup so the old server can be reinstated as a backup plan if the site is not working correctly.
  • Delete SCCM Databases (SCCM and SUSDB) from the remote SQL server.
  • Delete SQL logins for existing SCCM computer objects using SQL Management Studio.
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform - Fig.3
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Fig.3

SCCM Installation Activities on the New Server

  • Ensure all security permissions and security groups/computers are added to the new SCCM servers.
  • Install the WSUS admin console.
  • Depending on the SCCM version, install WAIK 2.0 (SCCM 2007) or ADK (SCCM 2012 or CB).
  • Install all the prerequisites like IIS, Bits, etc…on new servers.
  • Install WSUS on the remote WSUS server.
  • Install SCCM/ConfigMgr Software on the new SCCM server – Make sure you install the exact version of the existing SCCM server. For SCCM CB versions, source files are part of the SCCM Full backup.
  • Ensure that everything works fine after installing SCCM/ConfigMgr on new servers.
  • Take a copy of the SRVACCT folder from the new installation (<Install Path>\Microsoft Configuration Manager\SRVAcct) N.B. This is a hidden folder.
  • Re-populate the local SMS group memberships as they were (not all site roles may be installed, so repeat the task at the end).
  • Take a Snapshot of the server pre-site recovery.
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform - Fig.4
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Fig.4

SCCM/ConfigMgr Recovery/Restore Activities

  • Make sure the servers are restarted.
  • Restore/attach databases (SCCM and SUSDB) from backup (use SQL to restore if it is a remote SQL box).
  • Run the SCCM/ConfigMgr site REPAIR wizard. Select the “Do not restore database” check box to skip the database restoration.
  • Please ensure you have started the REPAIR wizard with administrator access and provide the exact path of the SCCM backup folder.
  • Stop the SCCM services and copy the previously archived SRVACCCT folder back over.
  • Start SCCM services and monitor the sitecomp.log as components are re-installed.
  • Once sitecomp.log is complete, perform a site reset to repair file and registry permissions.
  • Install SCCM RP.
  • Install SCCM SUP on a remote server.
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform - Fig.5
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Fig.5

Post SCCM/ConfigMgr Repair/Recovery Activities

Ensure all package sources, including classic and software update packages, are restored with the same share names and permissions. Repopulate the local security groups on SCCM servers.

  • Check the sender.log to ensure the restored SCCM servers can communicate with the child’s primary sites. Sometimes, we need to delete the addresses from the SCCM console and recreate it.
Post SCCM/ConfigMgr Repair/Recovery activities
Ensure all accounts with passwords in the SCCM console have been removed and recreated.
Please create a new package or collection and replicate it to downstream servers.
Please start a new WSUS Sync and check whether it works fine. You may need to wait for hours before completing the sync.
Make sure the replication of old and OSD-related packages is replicated OK or not.
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Table 1
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform - Fig.6
ConfigMgr SCCM Server Hardware Migration Step by Step Guide to Perform – Fig.6

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How-to-Restrict-Personal-iOS-Devices-from-Enrolling-on-Intune-Endpoint-Manager

How to Restrict Personal iOS Devices from Enrolling on Intune

How can I restrict Personal iOS Devices from Enrolling in Intune? Have you already seen the new Intune options in the MEM portal? If not, I recommend watching the following video post to get an overview of the new Intune portal.

The new Intune portal allows for more granular restrictions for MDM enrollments. On-prem services like ADFS or any federated access management system don’t need tweaking.

Now, we can block personal iOS devices from Intune enrollment. You can set this policy at the Enroll Devices node in the Intune Azure portal. Under “Enrolment restrictions,” you can find details about granular enrollment restriction policies.  

Enrollment restriction policies help us restrict/block a set of devices from enrolling in Intune. This post explains how to Restrict Personal iOS Devices from Enrolling in Intune Endpoint Manager.

How to Restrict Personal iOS Devices from Enrolling on Intune - Fig.1
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.1

How to Restrict Personal iOS Devices from Enrolling on Intune

There are two types of restrictions within enrolment restriction rules: device type and limit restrictions. Device limit restrictions are already available in the Intune Silverlight portal. In contrast, Device Type Restriction is new in the Intune Azure portal, allowing us to restrict or block specific platform devices from enrolling.

Read more – New Device Restriction Settings Available in macOS
New Device Restriction Settings Available in Apple Settings Catalog

Types of Restrictions
Device Type Restrictions
Device Limit Restrictions
How to Restrict Personal iOS Devices from Enrolling on Intune – Table 1
How to Restrict Personal iOS Devices from Enrolling on Intune - Fig.2
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.2

You can disable/block Android device enrollment from the new portal to restrict Android devices from enrolling in your Intune MDM enrollment. However, I’m unsure how we can allow ONLY “Android for Work” enabled devices to enrol in Intune.

  • I hope there are some limitations from the Android platform side to restrict the Android devices that are not enabled for the Android Work type of management.
How to Restrict Personal iOS Devices from Enrolling on Intune - Fig.3
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.3

The device type restriction policy is very helpful if you want to restrict Windows Mobile/Phone devices from enrolling into Intune. At the same time, you can allow Windows devices (desktops, laptops, surfaces, etc..) to enrol on Intune.

  • The most exciting feature, which is very helpful for any organization, is restricting personal iOS devices from enrolling on Intune.
  • Corporate/company-owned iOS devices can be enrolled using the Apple DEP program.
  • In this scenario, you need to create an enrollment type policy with the iOS platform enabled for enrollment via Device Type Restrictions — Platforms. Once the iOS platform is enabled for enrollment, go to Platform Configurations and then BLOCK personally owned iOS devices.

For example, when you try to enrol a device in Intune, the Enrollment restriction policies are checked against that device platform and user. Intune will check the device properties and user restriction limits configured in the enrollment restriction policies and confirm that the device platform and user can enrol. After this positive verification, Intune will allow the user to enrol on the device.

How do you restrict personal iOS devices from enrolling in Intune Endpoint Manager?

How to Restrict Personal iOS Devices from Enrolling on Intune - Fig.4
How to Restrict Personal iOS Devices from Enrolling on Intune – Fig.4

New Intune Home Page Redesign

The newly redesigned Intune Admin Portal Home Page comprehensively reviews the changes and the updated Intune Admin Portal Journey. The dynamic Home Page is used for Intune Administrators, and spotlight options highlight premium features, ensuring easy access to key functionalities.

How to Restrict Personal iOS Devices from Enrolling on Intune – Video 1

MEM Admin Portal

Below is a video on the Intune Admin Center Walkthrough for the latest updates. The Intune Admin Portal is one of the first things you must learn. This post explains where the Intune admin portal (aka Endpoint Manager) is. The official name of the Intune admin portal is the MEM Admin Center.

How to Restrict Personal iOS Devices from Enrolling on Intune – Video 2

Resources

How to Configure Intune Enrollment Setup for iOS macOS Devices

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years 6

Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years

WOW! I am Privileged to have been part of Veeam Vanguard for 3 Years. It’s a great pleasure to inform you all that I received an invitation from the Veeam Vanguard team to be part of an elite group of Techies called “Veeam Vanguards 2017.”

This is my 3rd Veeam Vanguard award in a row! Veeam Vanguard is a community program by Veeam, and I’m honoured and privileged to be part of this exciting tech community.

As Rick Vanover explains in the above video, the Veeam Vanguard program was created to connect different communities. This Veeam Vanguard community is there to connect different echo systems of the IT world.

This is also to help IT Pros worldwide gain more knowledge about the new technologies and trends in the IT market and gain real-world experience. More details about the Veeam Vanguard program are available at the following link.

Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years - Fig.1
Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years – Fig.1

Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years

We are a small group, and being part of a very diversified tech community is always a pleasure. The natural world experts from Backup, Hyper-V, VMware, Storage, Servers, Cloud, etc… Privileged to be Part of Veeam Vanguard are 3 Years in a Row | Three Years?

Am I privileged to be part of Veeam Vanguard for 3 Years in a Row | Three Years?

[Related Post – Video on Veeam Vanguard experience of VeeamON 2017]

  • The Veeam Vanguard Program is a prestigious community of top influencers recognized for their expertise, feedback, and commitment to mutual success within the Veeam technology ecosystem.
  • Vanguard members come from diverse backgrounds and excel in various technical disciplines, serving as thought leaders in their respective communities.
  • They are selected for their exceptional knowledge, active engagement, and impactful presence both online and offline. They represent the Veeam brand at the highest level across multiple technology platforms.
Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years - Fig.2
Privileged to be Part of Veeam Vanguard for 3 Years in a Row | Three Years – Fig.2

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Quick Overview Comparison between Intune Azure and Silverlight Portal 9

Quick Overview Comparison between Intune Azure and Silverlight Portal

Quick Overview Comparison between Intune Azure and Silverlight Portal? I’m excited to share the comparison video and post about Intune Silverlight and the new Intune in the MEM portal.

There are many new features and many perfect changes. All the new Azure tenants with a new Microsoft EMS subscription can access a preview version of Intune in the MEM portal.

Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center Latest Intune Admin Portal Walkthrough Guide | MEM Admin Center HTMD Blog (anoopcnair.com).

The Intune console’s performance, look, and feel are far better than those of the Intune Silverlight console. Intune in the MEM portal helps us eliminate the duplication of work needed to create Azure AD and Intune groups.

In the new portal, we can directly deploy applications, policies, profiles, etc… to Azure Active Directory Dynamic device groups and user groups. Enrolment restriction rules and RBA for Intune admins are other most exciting features for me within the new portal.

Microsoft recently changed the brand name from MEM (Microsoft Endpoint Manager) to Microsoft Intune. You can also refer to the Top 50 Latest Intune Interview Questions and Answers, and if you are interested, check out the Top 50 Latest SCCM Interview Questions and Answers.

Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.1
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.1

Video Tutorial to know Intune Silverlight Portal Experience

Video tutorial to learn about the Intune Silverlight Portal Experience. The Intune blade in the Azure portal is like a special section where you can manage many things for your devices. It’s part of the Azure portal, where you do all sorts of stuff with your cloud services.

  • This Intune blade has many new features and tools to help you manage your devices even better.
Quick Overview Comparison between Intune Azure and Silverlight Portal – Video 1

Quick Overview Comparison between Intune Azure and Silverlight Portal

Manage Apps node is where you can create apps from the Android, Apple, and Windows stores. The most exciting feature in Manage Apps is that you can directly search the Apple App Store (Yes, I think for preview, we have only the option to select the US store) and fetch the application from there.

Hence, you don’t need to specify the app’s properties. Deployments in the new MEM portal are called ASSIGNMENTS. You can directly deploy applications to AAD groups. One thing missing in the review version of Intune is an option to upload MSI applications.

Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.2
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.2

The Configure Device node is in the new Azure console, where you can create configuration policies for iOS, Android for Work, Android, and Windows devices. Configuration policies in the Intune Silverlight portal have built-in generic policies for Windows, iOS, Android, etc. Similarly, the new Intune portal in Azure has built-in profiles.

We have different profile types, such as Device Restriction policies, WiFi profiles, VPN profiles, SCEP deployment profiles, and eMail profiles. Device restriction policies are the built-in configuration policies for specific device platforms.

Configuration Type
Custom
Quick Overview Comparison between Intune Azure and Silverlight Portal – Table 1
Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.3
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.3

Set device compliance is the node where you can create new, improved compliance policies for all the supported devices like iOS, Android, and Windows. The improvement over the Silverlight Intune portal is that we can select the device platform explicitly in the compliance policies.

Also, depending upon the device platform, separate compliance policies will be applied to different devices (even if a user is targeted to iOS, Android, and Windows compliance policies). Compliance policies are deployed via assignments in the Intune portal.

Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.4
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.4

The conditional Access node in the new Intune portal has very few options compared to Intune Silverlight conditional access options. All the device-based conditional access rules have been moved out of Intune and are now part of Azure Active Directory. Device-based conditional access policy has loads of granular options, more conditions, more control options, etc.

Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.5
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.5

The Enroll Devices node is where you can define enrolment restriction rules. These rules help to prevent devices from enrolling in Intune. The enrolment restriction rule comes before conditional access verification. Within enrolment restriction rules, we can have different types of restrictions, such as Device Type restrictions and Device Limit restrictions.

Device type restriction is where we can select device platforms and platform configurations. The Enroll Devices node is where you can also define/configure Windows Hello for business and check the MDM management authority, Terms and conditions, Corporate device identities, and Apple MDM push certificates.

Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.6
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.6

Access control is where we can define custom security permissions for Administrator users. Role-based administrator (RBA) is enabled in the new Intune portal, where you can create your own customized Intune admin roles.

Once you create a security role, you can assign it to a new Member Group and Scope Group. The Intune review portal offers the following permission options: Device Configurations, Managed Apps, Managed Devices, Mobile Apps, Organization, Remote tasks, Roles, Telecom Expenses, and Terms and Conditions.

Quick Overview Comparison between Intune Azure and Silverlight Portal - fig.7
Quick Overview Comparison between Intune Azure and Silverlight Portal – fig.7

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices 10

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices

Learn how to Delete Devices from Azure Active Directory | Azure Portal. For effective device management, we need to delete and disable the Azure AD and Intune options.

A device can be retired and deleted from the Intune console (Silverlight), and I’m sure the new MEM portal will indeed have these options.

If you are an SCCM admin, you may recall that the SCCM console has an option to delete and disable a device. However, I have seen that when you retire and delete a device from the Intune console, that device will be removed from the Intune console but will still stay in Azure AD.

Managing devices in Azure Active Directory (AAD) and the Azure portal is crucial for maintaining organizational efficiency and security. The process remains similar whether you need to remove outdated devices or restrict access for specific ones.

How to Delete Devices from Azure Active Directory

So, it’s critical to delete these devices from Azure AD and keep the environment clean. I have created a video tutorial to help you with this topic, “Learn How to have a Clean and Tidy Intune and Azure AD Environment“.

NameEnabled/Disabled
DESKTOP-LNK7273Enabled
DESKTOP-213GHPAEnabled
DESKTOP-9GTRJRVEnabled
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Table 1
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices - Fig.1
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Fig.1

Back to delete and disable device options in the new Azure AD portal. We will first cover the disable/enable device option and then discuss the delete option. Consider a hypothetical emergency scenario where you want to disable an AAD device to prevent further damage to your organization.

Go to the MEM portal’s All Users and Groups blade to disable a device. Select All Users and select the Devices option from that blade. This will give you a list of devices. You can choose one device from that list and click on disable/enable the option per the requirement.

You can review the video attached to this post for a real-time experience. We don’t have to disable the option in the Intune console, so the only way to disable a device is from the Azure AD portal. Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices?

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices - Fig.2
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Fig.2

Delete Devices from Azure Active Directory

Now, we can see the delete device option in the Azure portal. This is a critical option that is very helpful in keeping your Azure AD environment clean. It will also help device management admins get better results from configuration/compliance policy and application deployments. To disable a device, go to the Azure portal’s All Users and Groups blade here.

Select All Users and the Devices option from that blade. This will give you a list of devices; you can choose one device and click delete.

Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices - Fig.3
Learn How to Delete Devices from Azure Active Directory | Azure Portal | Disable Devices – Fig.3

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups 11

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups

Let’s discuss how to Exclude a Device from Azure AD Dynamic Device Group or Azure Active Directory Dynamic Group.

In my previous post, “How to Create Azure AD Dynamic Groups for Managing Devices via Intune,” we discussed creating Azure AD Dynamic Device or User groups. Another question I usually get is, “How do you remove or Exclude a device from Azure Active Directory Dynamic Device Group?”.

I expect this could be one of the scenarios used in deploying security/configuration policies via Intune. It is a very valid scenario; you can’t avoid it in device management. If you are an experienced SCCM Admin, no explanation is needed.

Removing a single device directly from the AAD Dynamic device group is impossible. Yes, a remove button is available, but when you select a device and click on it, a confirmation popup with a YES button will appear.

Exclude a Device from Azure AD Dynamic Device Group

Clicking the YES button will give an error message stating that you can’t remove the device from the Azure AD dynamic device group: “Failed to remove member LENexus 5 from group _Android Devices.” However, this can be achieved by adding some conditions to the advance membership rule query in AAD dynamic groups.

DeviceDetails
MemberLGENexus 5
GroupAndroid Devices
Membership TypeDynamic
Member TypeDevice
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Table 1
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups - Fig.1
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Fig.1

Advanced rules for AAD Dynamic membership are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression is separated by a conditional operator, either ‘and” or “or“. You can play around with this conditional operator to remove the devices from the AAD dynamic device or user groups.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups - Fig.2
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Fig.2

Following is the advanced membership rule query I used to remove a device in the AAD dynamic device group. In this query, the conditional operator between 2 binary expressions is -and.

(device.deviceOSType -contains "Android") -and (device.displayName -notcontains "LGENexus 5")

I don’t know the result or whether this will work effectively when we deploy a configuration policy via Intune to this AAD device group. I assume it will work because I can see a difference in the device icon called “LGENexus 5.” That is the device that I tried to exclude using the above query.

How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups - Fig.3
How to Exclude a Device from Azure AD Dynamic Device Group | Azure Active Directory Dynamic Groups – Fig.3

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How-to-Pause-Azure-AD-Dynamic-Group-Update-Fig.-1

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update

Learn two things from this post. How to Create Azure AD Dynamic Groups for Managing Devices using Intune? and How to Pause AAD Dynamic Group Update?

This post will see how to create Dynamic device groups and User Groups in Azure Active Directory. Azure AD groups are similar to collections (in the SCCM world) for Intune device management solutions.

These AAD groups can be used to target different policies for a specific group of devices. Latest postValidate Azure AD Dynamic Group Rules | Intune.

So this is very important in the world of modern management of devices using Microsoft Intune. If you are an SCCM admin, the AAD dynamic group is similar to creating a dynamic collection using WQL query rules. AAD groups don’t have that granularity in creating dynamic query rules if you compare them with WQL query rules.

However, the new Azure portal has many options to create dynamic query rules. The video tutorial will help you get more inside AAD Dynamic groups.

Updated Post -> How To Create Nested Azure AD Dynamic Groups.

Create Azure AD Dynamic Groups

Advanced rules for AAD Dynamic membership are based on binary expressions. One Azure AD dynamic query can have more than one binary expression. Each binary expression in the AAD dynamic membership rule query must have 3 parts: the left parameter, the binary operator, and the right constant.

A left parameter in the query rule is one of the attributes of the AAD object (either user or device). If you want to query users in a particular department, then the user is the object, and the department is the attribute (user. department).

A binary operator is only a conditional operator like “-ne,-eq, -contains -match.” The right constant is a constant value specific to your requirement; for example, if you want to create a group for all IT users, it is “IT.”

(user.department -startsWith "IT")

(user.department -match "IT")

(user.department -eq "IT")

Let’s take an example of creating an Azure AD dynamic group for Windows devices. The following are the steps to create the AAD dynamic Device group. You must have appropriate permissions to create Azure AD groups. Follow the steps to create the Device group for 22H2.

  • Login to Endpoint Manager Portal (endpoint.microsoft.com)
  • Navigate to the Groups node.
  • Click on “+ New Group. “
  • Select Security – Group Type from the drop-down option.
  • Enter Group Name “HTMD Windows 11 22H2 Device Group” (any name is fine).
  • Enter Group Description “HTMD Windows 11 22H2 Device Group” (any description is fine).
  • Select Dynamic Device as the Membership type.
  • Click on Add Dynamic Query under Dynamic Device Members.
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.1
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.1

You need to hover over the properties column to get an option to select Azure AD dynamic device groups based on Windows on the Dynamic membership rules page.

You can create or edit rules directly by editing the syntax in the box below. Or you can use the Azure AD portal UI as shown below to create a dynamic group query rule. There are some scenarios where the device properties (e.g. nesting) are not published in the UI property list.

(device.deviceOSVersion -startsWith "10.0.22621")
  • Click on the SAVE button to save the query rule.
  • You also have the option to validate the Azure AD query from the Validate Rules tab, as shown in the picture. The section below explains more details.
Dynamic Membership RulesDetails
PropertydeviceOSVersion
OperatorStarts With
Value10.0.22621
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Table 1
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.2
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.2

You can now click on the CREATE button to complete the process of creating a Windows devices Azure AD dynamic group. You can also change the version numbers to get different results.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.3
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.3

How to Pause Azure AD Dynamic Group Update

Microsoft recently added an option to Pause Azure AD Dynamic Group Update. You can perform the PAUSE action from the Azure AD portal itself. You don’t have to do this using Microsoft Graph or any other crazy method.

An accidental deployment happened to the Azure AD dynamic group, and you must reduce the impact. What would be your first step? I think the update pause might help to pause the deployment with immediate effect at least for new devices.

You can navigate to the Azure AD dynamic group that you want to pause. You can enable the Pause Processing option for Azure AD Dynamic groups from the Overview tab.

  • When the setting is set to YES, the processing of this dynamic group will pause.
  • When set to NO, processing will continue.

The Dynamic Rule Processing Status = Updates Paused once you enable the Pause Processing option from Azure AD dynamic group. The Dynamic Rule Processing Status shows whether or not this group is processing changes to the dynamic group rules.

This is only applicable when a group is newly created or the rule was recently edited or the Pause Processing setting is changed. 

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.4
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.4

Maximum Supported Words/Characters

I did a test to understand the maximum supported words/characters in Azure AD dynamic, advanced membership rule, and I found that we could save a query with a maximum of 311 words and 3045 characters.

When I increased the numbers to 315 words and 3085 characters, it gave an error “Failed to create Group_Maxi. Undefined,” where MAXI is the group name.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.5
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.5

Now back to Intune and device management. I will create 3 basic groups for device management. These AAD dynamic device groups (All Windows Devices, All iOS Devices, and All Android Devices) will be used to deploy different configuration policies.

Dynamic Query

First, I wanted to group all Windows devices in my Intune environment. There are two ways to create an AAD group with dynamic membership query rules 1. Simple rule, and 2. Advanced Rule. It’s better to use simple queries via Azure portal GUI to group Windows devices based on the operating system.

If you want to use advanced membership, then the following is the query “(device.deviceOSType -contains “Windows”).” When you create an Azure AD dynamic device group, it will take 1 or 2 minutes (depending upon the query’s complexity and the database’s size) to populate the devices into the group.

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.6
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.6

It’s time to find iOS devices (iPhone or iPad) in my environment via AAD Dynamic query and group them into an AAD dynamic group. Unlike the Windows device group, the iOS device AAD dynamic Device group can’t be created using a simple membership rule; rather, we should use the Advanced membership rule.

We need to have two constant values like iPhone and iPad. Following is the query that I used to fetch iOS devices (device.deviceOSType -contains “iPhone”) -or (device.deviceOSType -contains “iPad”).

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.7
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.7

OK, here we go with a grouping of Android devices. In this scenario, I want to create an AAD dynamic device group using a simple membership rule.

Because I don’t have more than one constant value in the AAD group binary expression. Following is the dynamic query for the Android device group “(device.deviceOSType -contains “Android”).”

How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update - Fig.8
How to Create Azure AD Dynamic Groups for Managing Devices using Intune | How to Pause AAD Dynamic Group Update – Fig.8

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune 12

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune

How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager? A Clean Intune environment always gives us better deployment results, and one of the important steps to keep your environment clean is explained in this post.

This is not the only way to keep your Intune environment clean. Rather you should have regular sanity checks for your environment to ensure that you don’t have duplicate copies of policies and applications.

Moreover, you should avoid duplicate deployments of policies and applications. Duplicate deployments of policies can cause conflicts and could result in unexpected results.

We SCCM Admins are familiar with the process of deletion and removal of a device in SCCM and Microsoft Intune. However, we are always not sure when you remove a device from SCCM, then that device record will automatically get removed from On-prem Active Directory or not.

Introduction – How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune

The removal or deletion of a device or machine from Active Directory is not SCCM’s responsibility, and this should be handled separately by on-prem Active Directory.

So how are these operations handled in the modern device management world in terms of Intune SA (or SCCM Hybrid) and Azure Active Directory? In most cases, I have not seen that when you retire and delete a device from Intune, that device record will automatically get purged from Azure Active Directory (AAD).

  • To have better results for your Compliance/configuration policy and application deployments in the modern device management world, we should ensure a clean environment with clean Azure AD.
  • You can get a better understanding of this issue from the above video tutorial.
  • How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager?
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune - Fig.1
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Fig.1

How to Delete Clean Tidy Intune Azure Active Directory?

In the above example, Intune console shows me only one device assigned to my user account. Whereas if you look at my Azure AD user ID and check for the devices assigned against my account, you can see there are a total of 3 devices, and all the 3 devices have been shown as managed by Intune.

This is not accurate data that is getting reflected in Azure Active Directory. I’m not saying every time this scenario will happen. I’ve seen some devices automatically get removed from Intune and AAD. How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Endpoint Manager?

I suppose we should have a better accuracy/sync between Intune and Azure AD databases.  I don’t see a scheduled task in Azure AD to purge the deleted records from Microsoft Intune. I’m not sure whether this is coming in the near future or not.

To ensure better results for Intune device management policies, when you delete a device from Intune, you should make sure that the device record is removed from Azure AD. I’m planning to post a video tutorial showing how to delete a device from Azure AD to have a clean and tidy environment.

NameEnabled/DisabledPlatformTrust TypeIs CompliantManaged by
DESKTOP-LNK7273DisabledWindows 10.0.1439AzureAdTrueIntune
DESKTOP-213GHPAEnabledWindows 10.0.1439AzureAdTrueIntune
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Table 1
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune - Fig.2
How to Delete Clean Tidy Intune Azure Active Directory Environment | Microsoft Intune – Fig.2

Resources

Windows 10 Intune Enrollment Manual Process AAD Registration (anoopcnair.com)

Validate Azure AD Dynamic Group Rules | Intune

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Troubleshoot Windows 11 10 Intune MDM Issues 13

How to Troubleshoot Windows 11 10 Intune MDM Issues

This blog post teaches you how to Troubleshoot Windows 11 10 Intune MDM Issues. There are several options to troubleshoot, and some of them are explained here.

Windows 11 or 10 MDM issues and troubleshooting are pretty new for SCCM admins like me! So what is the importance of Windows 10 MDM? When you use Intune or SCCM + Intune hybrid to manage Windows 10 machines, all the management policies are deployed through the MDM channel. This post is Windows 10 MDM Troubleshooting Guide.

There could be many ways to troubleshoot Windows 10 MDM issues while using Microsoft Intune to deploy policies to those devices. In this post, I will share the 3 easy ways to start MDM troubleshooting. Yes, it’s different from the SCCM/ConfigMgr client’s way of troubleshooting, as there are no log files for the MDM client.

MDM client is in build with the Windows 10 operating system, and events logs are the best place to troubleshoot Windows 10 MDM issues. The 3rd way mentioned in this post is very easy for me and IT Pros to understand and start Windows 10 MDM troubleshooting. I have created a video to explain the troubleshooting tips, as you can see above.

[Related Posts – How to Start Troubleshooting Intune Issues]

Related Posts

Understand Windows 10 MDM Architecture

For example, if an Intune policy is deployed to a Windows 10 machine but is not getting applied, how do we start troubleshooting? First, we need to understand Windows 10 management architecture.

The following is the high-level architecture diagram for Windows 10 management. If we know this high-level architecture, troubleshooting Windows 10 MDM issues will be easy. This post will help us as a Windows 10 MDM Troubleshooting Guide.

How to Troubleshoot Windows 11 10 Intune MDM Issues - Fig.1
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.1

Video Tutorial – Windows 10 MDM Troubleshooting Guide

Windows 10 MDM Troubleshooting Guide video tutorial to help IT Pros! This video teaches you how to fix problems with Windows 10 MDM (Mobile Device Management) using the registry, WMI (Windows Management Instrumentation), and Event Logs.

It breaks down troubleshooting into simple steps, showing you how to identify and solve issues with your device management. You can learn to resolve common problems efficiently by following along with the video.

How to Troubleshoot Windows 11 10 Intune MDM Issues – Video 1

Troubleshoot with Windows 10 Event Logs

Event Logs  :- Microsoft->Windows->DeviceManagement-> Enterprise-Diagnostics-Provider/Admin

Event logs in Windows 10 machines are the best to start troubleshooting MDM-related issues. As you can see in the below screen capture, you could be able to see where to go in events logs (Microsoft->Windows->DeviceManagement->Enterprise-Diagnostics-Provider/Admin) to see the details of the MDM and Device Management related issues. When the machine is Workplace Joined or AAD joined, all the events related to Intune/SCCM policies are recorded in “this” event log section.

AAD event logs are also very useful in this Windows 10 MDM issue, and you can check out the following location for AAD-related event logs: “Microsoft-Windows-AAD/ Operational”. Event logs are an integral part of the Windows 10 MDM Troubleshooting Guide.

The event logs are the best way to troubleshoot Windows 10 MDM issues. You will get the detailed status of Intune or SCCM hybrid policies from event logs. Each entry in those event logs will tell you whether or not the deployed policies are reached and applied on that machine. There is also a way to export the MDM log files to the folder “C:\Users\Public\Documents\MDMDiagnostics” from Windows 10 settings – connect to the work or school page.

[Related Posts – How to Start Troubleshooting Intune Issues]

How to Troubleshoot Windows 11 10 Intune MDM Issues - Fig.2
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.2

Troubleshoot Windows 10 with WMI Explorer

WMI Explorer way of Checking whether the Policy Settings are Applied or Not:-

WMI Explorer is the best tool to check the MDM policies to confirm whether those settings are applied on the windows 10 system or not. As you can see in the following screen capture, this is how to check whether MDM policies are correctly applied to a Windows 10 machine.

I have deployed the Windows Defender policy from Intune to this Windows 10 machine, and you can use WMI explorer to find out whether these policies are applied on the machine or not. Again, when you start troubleshooting, the best place to begin with is event logs.

We can also check this via WBEMTEST, but we may need to start WBEMTEST from the system context to see the policy details. WMI Explorer is the best place to check and confirm whether the MDM policies (from Intune or SCCM) have been applied to a machine.

[Related Posts – How to Start Troubleshooting Intune Issues]

Registry way of Checking Windows 10 MDM Policy Settings

Troubleshoot Windows 10 with Registry Entries

The 3rd and easiest way to check whether the MDM policies are applied to a Windows 10 machine is the registry key. Following is the registry location where you can find MDM policy settings. You want to check for MDM policy settings on Windows 10 machine is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers

In this below screen capture, you can see the Windows Defender settings I applied to Windows 10 machines through Intune policies. The only caveat of this method is we need to find out a way to decode each provider GUID (CLSID Key?) related to MDM policies. Following are some of the extracts from my Windows 10 machine:-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\18dcffd4-37d6-4bc6-87e0-4266fdbb8e49 - Power Policy Settings Buttons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\1e05dd5d-a022-46c5-963c-b20de341170f - Power Policy Controls Energy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\23cb517f-5073-4e96-a202-7fe6122a2271 - Power Policy Settings Disaplay

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2648BF76-DA4B-409A-BFFA-6AF111C298A5 - ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\268c43e1-aa2b-4036-86ef-8cda98a0c2fe - ? Power Policy Settings PCI Express

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\2AB668F3-6D58-4030-9967-0E5358B1B78B - Microsoft Intune MDM Policy Settings - Account, Bitlocker, Connectivity, Data Protection, Defender, Device Lock, Experience, Network Isolation, Security, System, update and WiFi

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\C8DC8AF6-2A7D-4195-BA77-0A4DAC2C05A4 - Microsoft Intune/SCCM MDM policy settings - Browser, Camera, Connectivity, Device Lock, Security, Systems and Wifi
  • System > Power Management > Button Settings
  • Select the Start menu Power button action (on battery)
  • Select the Start menu Power button action (plugged in)
  • Select the Start menu Power button action (plugged in)
  • Enabled – Select the Start menu Power button action (on battery).
Steps
System > Power Management > Button Settings
Select the Start menu Power button action (on battery)
Select the Start menu Power button action (plugged in)
Select the Start menu Power button action (plugged in)
Enabled – Select the Start menu Power button action (on battery).
How to Troubleshoot Windows 11 10 Intune MDM Issues – Table 1
How to Troubleshoot Windows 11 10 Intune MDM Issues - Fig.3
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.3

Troubleshoot Windows 10 with MDMDiagReport

These GUID IDs can be found in the MDMDiagReport.xml file, and this XML can be decoded into HTML file MDMDiagReport.html using the tool.

How to Troubleshoot Windows 11 10 Intune MDM Issues - Fig.4
How to Troubleshoot Windows 11 10 Intune MDM Issues – Fig.4

[Related Posts – How to Start Troubleshooting Intune Issues]

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.