Pinned Posts
Forum Widgets
Latest Discussions
Wrap up: Manage, Configure, and Secure Devices with Microsoft Endpoint Manager Post Day
Thanks to the thousands of people who attended our Post Day! A few housekeeping things ------------------------------------------------- You've asked about the recordings for the event. You should be able to still access the recordings for now by using the AKA links below. It will start Teams Live Events and you can just click Play to watch the whole thing. (and if that doesn't work, let me know!) We're working on the "greatest hits" complication, and we'll post that to the VideoHub when we get that. I'm working on cleaning up the decks for posting - there's some accessibility stuff I need to do - and then I'll attach them to this thread when I have them. We were thrilled with all the great feedback we got about the 24-hour, round-the-world marathon training we offered - and we'd still love more feedback! We've already announced there will be another Microsoft Ignite in March 2021 - should we do this again? If so, what topics should we cover? What should we change (besides the registration process)? Reply here! --------------------------------------------------- The product team for Microsoft Endpoint Manager usually does a pre-day event at Ignite but this year we're doing a post-day event the week after. We'll have two 4-hour Teams Live Events about how to get the most out of Microsoft Endpoint Manager. It's free! When you go to register, you'll see three options for each track to accommodate time zones around the world. Most of the dates are September 29, but depending on your time zone a session may show up on Sept 28 or Sept 30, so check all three dates to be sure. You don't need to take them in order and you can take anything that fits your schedule, even if you need to jump around the options. You'll get a calendar invite for a 4-hour block but here's how the blocks break down. (and I know some of you are getting an error message, so I'm including the direct links to the Teams Live Events down below - as long as you have that link it will connect you to the meeting, but until we start the session it will just sit there and say the meeting hasn't started yet.) Track 1: Manage, Configure, and Secure Windows Devices with Microsoft Endpoint Manage Hour 1 - Get Your Windows Devices to Microsoft Endpoint Manager Hour 2 - Configure your Windows Devices Hour 3 - Secure your Windows Devices Hour 4 - Improve the End-User Experience on Your Windows Devices Track 2: Manage, Configure, and Secure Mobile Devices with Microsoft Endpoint Manage Hour 1 - Get Your Mobile Devices to Microsoft Endpoint Manager Hour 2 - Secure Your Mobile Devices with Microsoft Endpoint Manager Hour 3 - Manage You MacOS with Microsoft Endpoint Manager Hour 4 - Manage Shared Devices for Firstline Workers Here's how it maps out, based on what we figure are the best times for each part of the world Asia/Pacific/Japan and Europe/Middle East/Africa Windows Option 1: https://aka.ms/MEMPDC/WINREG01 Mobility Option 1: https://aka.ms/MEMPDC/MOBREG01 Europe/Middle East/Africa and Americas (Windows) Windows Option 2: https://aka.ms/MEMPDC/WINREG02 Mobility Option 2: https://aka.ms/MEMPDC/MOBREG02 Europe/Middle East/Africa and Americas (Mobility) Windows Option 3: https://aka.ms/MEMPDC/WINREG03 Mobility Option 3: https://aka.ms/MEMPDC/MOBREG03 Register now! (or grab the AKA links above and make your own calendar invite to remind you it's time)Announcing Windows 10 in Cloud Configuration
Today we released a recommended set of settings for Windows 10 devices that makes devices easy to deploy, highly secure, and cloud-first. Windows 10 in cloud configuration enables organizations to provide frontline workers, remote workers, and other individuals with a select set of applications, cloud-based data storage, and a familiar Windows experience. Want to learn more? Check out the official announcement in the Windows IT Pro Blog.
Request: Manage Apple Vision Pro with Intune MDM
Hi, At our company, some teams are working with Apple Vision Pro because they are hoping to find new technical solutions for the business. We would also like to include Apple Vision Pro in the management of our other mobile devices via Intune MDM. Since Apple has also offered an MDM interface for Apple Vision Pro with the visionOS 1.1 update, the glasses could in principle also be managed by an MDM, but the MDM must also support the glasses. Hence my question: When will this be possible via Intune MDM? As a company, we recently switched to Intune MDM with over 110,000 devices (both mobile devices and fat clients) and we are confident that Microsoft will also support new technical products (such as the Apple Vision Pro).How to create a backup of your Microsoft Endpoint Manager (Intune) infrastructure!
Dear Microsoft Intune Friends, Imagine the following situation. You have invested several hours to build your Microsoft Endpoint Manager (Intune) infrastructure. After the final tests, everything is now working exactly as you imagined. Now the question arises how can I backup all these settings and configurations? I will answer this question in this article. Note: I will describe how to compare and restore the backup in a next article. https://techcommunity.microsoft.com/t5/microsoft-intune/compare-and-restore-a-microsoft-endpoint-manager-intune-backup/m-p/2993736 What we can do in the Microsoft Endpoint Manager portal is export configuration settings to a CSV file. However, this is not exactly what I wanted. To create a complete backup of our tenant we need the power of PowerShell (power of PowerShell - funny ) I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): #The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE Set-Location Clear-Host #Customize the ExecutionPolicy (absolutely OK for this demo) Set-ExecutionPolicy -ExecutionPolicy Unrestricted #Install the Module Install-Module -Name Microsoft.Graph.Intune -Verbose -Force -AllowClobber #Install the Module Install-Module -Name MSGraphFunctions -Verbose -Force -AllowClobber #Import the Module Import-Module -Name MSGraphFunctions #Install the Module Install-Module -Name AzureAD -Verbose -Force -AllowClobber #Install IntuneBackupAndRestore from the PowerShell Gallery Install-Module -Name IntuneBackupAndRestore -Verbose -Force -AllowClobber #Update the Module Update-Module -Name IntuneBackupAndRestore -Verbose #Import the Module Import-Module IntuneBackupAndRestore #Connect to Microsoft Graph Connect-MSGraph Here you must agree to the extended permissions. #Create a folder New-Item -ItemType Directory -Path C:\Backup\IntuneBackup #Switch to the folder Set-Location C:\Backup\IntuneBackup #Create the Full-Backup Start-IntuneBackup -Path 'C:\Backup\IntuneBackup' It starts with the creation of the backup. #Let's look at the content Get-ChildItem -Path 'C:\Backup\IntuneBackup' Let's start Windows Explorer and navigate to our backup folder, Bingo....we have a complete backup! I know that was nothing spectacular, but I still wanted to share my experience with you. Thank you for taking the time to read this article. Kind regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerUse PowerShell to retrieve all assigned Intune policies and applications per Azure AD group!
==>>A special thanks to Timmy Andersson for the PowerShell script!!<<== Dear Microsoft Intune Friends, In Microsoft Intune, it is possible to work with configuration profiles, among other things. OK, this is nothing new. But which Azure Active Directory groups have been assigned to the configuration profiles? I am confronted with this question again and again. This is where PowerShell comes into play. Let's explore this together. I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments): The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE. Set-Location C:\Temp Clear-Host #Install the module Install-Module -Name Microsoft.Graph.Intune -AllowClobber -Verbose -Force #Connect and change the scheme Connect-MSGraph -ForceInteractive Update-MSGraphEnvironment -SchemaVersion beta Connect-MSGraph #Which group do you want to check? $groupName = "AutoPilot Geräte" $Group = Get-AADGroup -Filter "displayname eq '$GroupName'" ####Config Start#### Write-host "Azure Active Directory Group: $($Group.displayName)" -ForegroundColor Green #Apps $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllAssignedApps) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Compliance $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceCompliance) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfig) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration Powershell Scripts $Resource = "deviceManagement/deviceManagementScripts" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments" $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfigScripts) { Write-host $Config.displayName -ForegroundColor Yellow } #Administrative templates $Resource = "deviceManagement/groupPolicyConfigurations" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments" $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllADMT) { Write-host $Config.displayName -ForegroundColor Yellow } ####Config End#### Now let's check all the groups from Azure Active Directory. $Groups = Get-AADGroup | Get-MSGraphAllPages ####Config Start #### Foreach ($Group in $Groups) { Write-host "Azure Active Directory Group Name: $($Group.displayName)" -ForegroundColor Green #Apps $AllAssignedApps = Get-IntuneMobileApp -Filter "isAssigned eq true" -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Apps found: $($AllAssignedApps.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllAssignedApps) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Compliance $AllDeviceCompliance = Get-IntuneDeviceCompliancePolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Compliance policies found: $($AllDeviceCompliance.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceCompliance) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration $AllDeviceConfig = Get-IntuneDeviceConfigurationPolicy -Select id, displayName, lastModifiedDateTime, assignments -Expand assignments | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations found: $($AllDeviceConfig.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfig) { Write-host $Config.displayName -ForegroundColor Yellow } #Device Configuration Powershell Scripts $Resource = "deviceManagement/deviceManagementScripts" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=groupAssignments" $DMS = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllDeviceConfigScripts = $DMS.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Configurations Powershell Scripts found: $($AllDeviceConfigScripts.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllDeviceConfigScripts) { Write-host $Config.displayName -ForegroundColor Yellow } #Administrative templates $Resource = "deviceManagement/groupPolicyConfigurations" $graphApiVersion = "Beta" $uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)?`$expand=Assignments" $ADMT = Invoke-MSGraphRequest -HttpMethod GET -Url $uri $AllADMT = $ADMT.value | Where-Object {$_.assignments -match $Group.id} Write-host "Number of Device Administrative Templates found: $($AllADMT.DisplayName.Count)" -ForegroundColor cyan Foreach ($Config in $AllADMT) { Write-host $Config.displayName -ForegroundColor Yellow } } ####Config End#### I hope this article was useful. Thank you for taking the time to read the article. Best regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler
Android 15 - CredentialProviderPolicy not surfaced by Intune
I have been having an issue with Android 15 devices. We use Authenticator as our password autofill provider. As soon as a device is updated from Android 14 to Android 15, the password autofill provider is no longer set and the setting to change it is 'blocked by work policy.' I have already tried removing all policies that apply to the devices (device config and device compliance policies) and factory resetting them. Simply having them enrolled as corporate owned fully managed devices causes this to happen. I raised the issue in the Android Enterprise community blog. A link to that is included below. Someone on that thread found that there is a policy in Android 14/15 called the credentialproviderpolicy. When that policy is blocked or unconfigured, this behavior happens. I cannot find anywhere in Intune where I can set this policy. It seems that it is allowed by default when managing Android 14 with Intune, but not set or blocked when the device switches to Android 15. Is there any way to specifically set a policy that is not reflected in the Intune UI? This is a blocker for being able to move more phones to Android 15. Link to Android Enterprise thread: https://www.androidenterprise.community/t5/admin-discussions/android-15-cannot-set-default-password-app/m-p/8827#M2105 Thanks, TomLinux Managed Device Chrome support
Hi, We are in process of On-boarding Linux devices as all other OS'es must pass Conditional Access Managed/Compliant Device check. We are stumbling on a lot (a lot) of user resistance with forcing them on switch to use (only) Edge. Is there any roadmap or date when will Chrome Extension (at least chrome) be available for Linux and Managed device check during sign-in?
