
AMA: Managing Windows with Microsoft Endpoint Manager

Event Ended
Thursday, Nov 18, 2021, 08:00 AM PST
Online

Event details

Join us for Tech Community Live: Microsoft Endpoint Manager edition!

From Windows Autopilot to Zero Trust, this live Ask Microsoft Anything (AMA) event is your chance to bring your Windows management questions to our team of experts. We're ready to help you with device configuration, app deployment, and the Settings Catalog. We're here to answer questions about rolling out Windows 11, managing updates, and securely supporting remote work. 

Since it's the third Thursday of the month, we're bringing in the full Windows Office Hours crew to support this AMA plus Unpacking endpoint management hosts Danny Guillory and Steve Thomas to share proven tips learned from working directly with organizations around the world.

Submit your questions during this live hour--or post your questions early in the Comments below.


Heather_Poulsen
Updated Dec 27, 2024

65 Comments

  • Security2021
    Copper Contributor
    Hello, I have two questions. With tenant attach, can you still use ASR rules in merge mode, e.g. create groups to exclude individual rules? Secondly, will it ever be possible to use a PIN in BitLocker from Endpoint Manager without having to use the MVP workaround of making your own PIN program for user space?
  • We're live. We've got Windows experts, Intune experts, Configuration Manager experts, security baseline experts, government experts. Post your questions!!
  • Andy0401
    Copper Contributor
    We established co-management for a test collection and moved the Windows Update workload to the test collection. Unfortunately, the client is still recognized as Configuration Manager managed in Intune. Any idea where I can find some logs or information on why this is not correct? The configuration was done about two months ago...
    • Olaf_Thyssen
      Brass Contributor
      In Intune, in the Overview section of the device, you see a story like "Co-management: This Windows PC is being co-managed between Intune and Configuration Manager... Intune managed workloads: Windows Update for Business".
    • Jason_Sandys
      Microsoft
      Hi Andreas, can you be a bit more specific about what this means: "Unfortunately the client is still recognized as Config Manager managed in Intune"? Have you reviewed the co-management status of the ConfigMgr client itself by reviewing the properties in the ConfigMgr Control Panel applet as well as the comanagementhandler.log on the client?
      • Andy0401
        Copper Contributor
        Hi Jason, in the endpoint manager console under devices the client is still marked as "managed by ConfigMgr". I would expect to see here Co-Managed.
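The client-side checks Jason describes above (the Control Panel applet's co-management properties and comanagementhandler.log) can be scripted. The following is an added example, not code from the thread or from Microsoft: it reads the ConfigMgr client's CoManagementFlags registry value, decodes which workloads the client believes Intune owns (the Windows Update workload is bit 16), confirms the Azure AD join and MDM enrollment that co-management depends on via dsregcmd, and prints the tail of the handler log. The bit-to-workload mapping is taken from the co-management workload documentation as I know it; treat it as an assumption and verify it against the docs for your client version. Run it elevated on the affected device.

```powershell
# Added example (not part of the original thread): inspect the ConfigMgr client's
# co-management state locally. Run in an elevated PowerShell session on the client.

# ASSUMPTION: CoManagementFlags bit values per the co-management workload docs;
# a set bit means the workload has been switched to Intune. Verify for your version.
$workloadBits = @(
    @{ Bit = 1;   Name = 'Co-management enabled' },
    @{ Bit = 2;   Name = 'Compliance policies' },
    @{ Bit = 4;   Name = 'Resource access policies' },
    @{ Bit = 8;   Name = 'Device configuration' },
    @{ Bit = 16;  Name = 'Windows Update policies' },
    @{ Bit = 32;  Name = 'Endpoint Protection' },
    @{ Bit = 64;  Name = 'Office Click-to-Run apps' },
    @{ Bit = 128; Name = 'Client apps' }
)

$ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
$flags  = (Get-ItemProperty -Path $ccmKey -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags

if ($null -eq $flags) {
    Write-Warning "CoManagementFlags not present under $ccmKey; the client has not received a co-management policy yet. Check the collection membership and trigger a machine policy refresh."
} else {
    "CoManagementFlags = $flags (0x{0:X})" -f $flags
    $report = foreach ($w in $workloadBits) {
        $set = ($flags -band $w.Bit) -eq $w.Bit
        [pscustomobject]@{
            Workload  = $w.Name
            # Bit 1 is the master switch; the other bits only matter when it is set.
            ManagedBy = if ($w.Bit -eq 1) { if ($set) { 'Yes' } else { 'No' } }
                        elseif ($set)    { 'Intune' } else { 'ConfigMgr' }
        }
    }
    $report | Format-Table -AutoSize
}

# Co-management requires a (hybrid) Azure AD join and an MDM enrollment to Intune.
$dsreg = dsregcmd /status
$dsreg | Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:' |
    ForEach-Object { $_.Line.Trim() }

# Last entries of the handler log (CMTrace format), newest last.
$log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
if (Test-Path $log) {
    $cmtrace = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'
    Get-Content -Path $log -Tail 40 | ForEach-Object {
        if ($_ -match $cmtrace) {
            '{0} {1}  {2}' -f $Matches.date, $Matches.time.Split('.')[0], $Matches.msg
        }
    }
} else {
    Write-Warning "Log not found: $log"
}
```

If bit 1 is set and bit 16 shows "Intune" on the client but the Intune console still reports "managed by ConfigMgr", the disagreement is on the service side (device record or enrollment), and the handler log entries around the last policy evaluation are what to attach when filing the issue; if bit 1 is clear, the client never received the co-management policy and the collection targeting is the place to look first.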
  • Dawn M Wertz
    Brass Contributor
    We are looking at the Windows 365 solution for virtual desktops. Do you have any advice on the deployments?
    • Dawn M Wertz
      Brass Contributor
      Never mind here. I will ask in the cloud connected session.
      • Roy Barton
        Brass Contributor
        Dawn M Wertz Thanks for the question! If you have adopted Endpoint Manager Intune, and you do not have a VM infrastructure on-prem, I'd highly suggest you take a look at our Windows 365 (Cloud PC) offering found here: https://www.microsoft.com/en-us/windows-365?ef_id=46acce82f77a1899db4aaf148d474074:G:s&OCID=AID2200899_SEM_46acce82f77a1899db4aaf148d474074:G:s&msclkid=46acce82f77a1899db4aaf148d474074&rtc=1

  • Dawn M Wertz
    Brass Contributor
    We are just starting co-management. When the primary user changes in CM, does that information get uploaded to Intune? We have computers where when someone leaves, they are assigned to another person and where the manager will request the new computer for a new user, and OSD assigns that person as the primary user. How do we ensure the primary user is correct?
    • Olaf_Thyssen
      Brass Contributor
      SCCM measures the primary user by minutes of use over a timeframe in days.
      When the computer has been cloud-attached via the SCCM client, the first user with an Intune license enrolls this device under his/her name as primary user in Intune, and it will stay that way.
      If IT staff "prepare" a machine for new users with their own account and they have an Intune license, they always set themselves as primary user, and it needs to be changed manually to the final user in the Intune console afterwards. Such preparation must be done by users without an Intune license.
      Setting IT staff as Device Enrollment Managers often isn't an option, as then they can't enroll their own devices.
    • Dawn M Wertz
      Brass Contributor
      Danny, with the co-management on the compliance settings, we are using conditional access. Since the email is sent to the primary user, we wanted to ensure it is going to the correct user. What happens is that a manager requests a computer and the primary user is set to that manager. The actual user's account is not created until the day they start. CM then changes the primary user based on the automatic primary user assignment. If the primary user is incorrect in MEM, the wrong person receives the email.
    • Jason_Sandys
      Microsoft
      And, I forgot to add that you should file this as feedback in the ConfigMgr console so it can be considered and potentially prioritized to be addressed. Be sure to add the technical and business scenario(s) and impact.
  • AntonKolobov1
    Copper Contributor
    We wanted to always use Settings Catalog where possible, as it seems to be the way to configure policies in future. How can it happen that some policies are present in MEM "Administrative Templates" but not available in Settings Catalog? Example: "Configure the Enterprise Mode Cloud Site List" for Edge (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#internetexplorerintegrationcloudsitelist). It's rather new, supported from Edge v93 (Aug 2021). Does this mean Administrative Templates in MEM are kept up to date better than Settings Catalog?
    • Harjit_Dhaliwal
      Iron Contributor
      As you have probably noticed, Settings Catalog is marked as "preview", which means it continues to be developed and enhanced.
    • David_Guyer
      Microsoft
      Hi Anton, It actually depends on the situation, there are times when settings catalog will add a new setting first, and other times when it gets added to a template first.
    • Jason_Sandys
      Microsoft
      You are correct that the Settings Catalog is the preferred method for configuring most policies on Windows managed endpoints. The initial population of all settings is nearly complete, but there are a few lagging settings that haven't been added yet for various reasons. And, although we've designed the process to be able to quickly ingest new settings, there will always be some lag in the process. We are working on making the logistics of this process faster, but there will always be some delay, unfortunately.
  • AntonKolobov1
    Copper Contributor
    Hi, I am confused about the support statement for Compliance policies in MEM and the so-called "devices enrolled to multiple users" (quote from this article: https://docs.microsoft.com/en-us/mem/intune/protect/create-compliance-policy#before-you-begin). Premier Support engineers interpret it in a way that if somebody other than the primary user ever logs in to the device, it leads to an unsupported state for compliance evaluation, and in case of any issues the workaround is to re-enroll to MEM. The reason behind this, as I understood it, is that after the number of days configured in "Compliance policy settings", the compliance status for one of the user accounts (who logged on once a long time ago and never came back) "expires" and the device doesn't satisfy the Built-in Device Compliance Policy. But we cannot technically disallow other people from signing in to domain-joined (or AAD-joined) devices. It means that any device can become unsupported at any time without our control. For 'Shared' devices, Support proposes to configure them as either 'Kiosk mode' or 'Shared PC mode', but both of them are a kind of special user experience... not intended to be assigned to everyone... It seems illogical to me that compliance policy controls, which are all about device status, are evaluated and stored separately for each user instead of just keeping track of the most recent status of the compliance check per computer. Do I get everything right? Or do you see it differently? Because if it is how I understood it, then compliance policies for Windows are hardly usable in conjunction with Conditional Access.
  • DRich22
    Brass Contributor
    Thanks Heather, some of these may be slightly out of scope, but here's a start:
    • Feasibility of adopting purely MEM over MEMCM co-management for managing a relatively large enterprise. What does MEM currently lack when compared? Reporting capabilities? Anything planned to bridge the gap here?
    • Encouraging the adoption of Azure AD joined devices, and migrating group policy. The enhancements and additions to the settings catalog are most welcome. Mixed feedback from the community on whether to adopt Endpoint Security policies over your own Device configuration profiles. Is one preferred over the other, and any pitfalls to be aware of with Endpoint Security besides having to periodically update the baseline? Are there any enhancements planned for introducing something similar to the way Group Policy Preferences used to work, for ease of management?
    • Managing Microsoft Edge extensions via settings catalog. The allowlist is currently capped to 100 entries. Is there an alternate approach to managing these based on the permissions they request, like you can achieve with the Google Admin console for Chrome?
    • Any official guides available for exporting Intune data to another SIEM for reporting on things such as user assignment, app inventory, device compliance, etc.?
    • Jason_Sandys
      Microsoft
      Hi Dan, just to address a couple of items here:
      - On a semantic note, Microsoft Endpoint Manager is a suite of products and solutions that includes both Intune and ConfigMgr, thus saying "purely MEM" does include ConfigMgr. Our overall recommendation is still "better together" though, as there are some things each does that the other does not do, and it may always be like this. We don't have any comprehensive comparison between Intune and ConfigMgr because of this.
      - Baselines, in general, should be the starting point for most orgs, as these establish the minimum set of viable policies to secure your endpoints, and no insecure endpoint should ever be allowed to access your corporate resources. From there, you can build out your additional required settings and policies using the Settings Catalog. There are some rough spots as we continue to work through all of the details, but this is our current engineering path.
      - For group policy preference coverage, today, PowerShell is your friend (well, PowerShell should always be your friend regardless). We are currently investigating filling in some of these gaps though. There's nothing to share at this time and no commitment, but we understand that this is a gap and are looking to fill it.
      - For third-party SIEM products and services, you should engage the vendors of those products and services. We have official documentation on using Azure Monitor though that you may be able to reference or leverage: https://docs.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor.
    • DRich22
      Brass Contributor
      Also, adopting WUfB as the primary method of deploying security updates: tips on creating deployment rings (device groups) and maintaining them, and is a sufficient level of control maintained when moving to this model? How reliable are the Pause / Resume / Uninstall functions when utilized?
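Jason's answer above points to Azure Monitor for Intune logs; where a SIEM team wants to pull the inventory-style data DRich22 asked about (device compliance, assigned user, management agent) themselves, the Microsoft Graph managedDevices endpoint is the supported source. The following is an added example, not code from the thread or from Microsoft: it pages through deviceManagement/managedDevices with the Microsoft.Graph PowerShell SDK, writes one JSON object per line (NDJSON, which most SIEM file collectors ingest directly), and runs a quick triage of non-compliant or stale devices. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account or app has DeviceManagementManagedDevices.Read.All; the output path, field names in the exported record and the seven-day staleness threshold are my choices.

```powershell
# Added example (not part of the original thread): export Intune device compliance
# from Microsoft Graph as NDJSON for SIEM ingestion, then triage it locally.
# Requires: Install-Module Microsoft.Graph.Authentication
# Permission: DeviceManagementManagedDevices.Read.All (delegated or application)
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$outFile = Join-Path $PWD 'intune-device-compliance.ndjson'   # assumed output path
$select  = 'id,deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,managementAgent,lastSyncDateTime,azureADDeviceId'
# Single quotes above keep the literal $select; here we build the OData query string.
$uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=' + $select

if (Test-Path $outFile) { Remove-Item -Path $outFile }
$exported = 0
do {
    # Graph pages the collection; follow @odata.nextLink until it is absent.
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($d in $page.value) {
        # Normalise timestamps to ISO 8601 strings so the NDJSON is portable
        # across PowerShell 5.1 and 7 (5.1 would otherwise emit \/Date()\/).
        $lastSync = if ($d.lastSyncDateTime) { ([datetime]$d.lastSyncDateTime).ToUniversalTime().ToString('o') } else { $null }
        [pscustomobject]@{
            timestamp       = (Get-Date).ToUniversalTime().ToString('o')
            source          = 'intune.managedDevices'      # assumed source tag for the SIEM
            deviceId        = $d.id
            azureAdDeviceId = $d.azureADDeviceId
            deviceName      = $d.deviceName
            user            = $d.userPrincipalName
            os              = "$($d.operatingSystem) $($d.osVersion)"
            managementAgent = $d.managementAgent             # e.g. mdm, configurationManagerClientMdm
            complianceState = $d.complianceState             # compliant, noncompliant, inGracePeriod, ...
            lastSync        = $lastSync
        } | ConvertTo-Json -Compress | Add-Content -Path $outFile -Encoding utf8
        $exported++
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)

"Exported $exported devices to $outFile"

# Local triage before shipping: anything not compliant, or silent for 7+ days
# (a stale lastSync is often why a device drops out of compliance later).
$staleBefore = (Get-Date).AddDays(-7)
Get-Content -Path $outFile | ForEach-Object { $_ | ConvertFrom-Json } |
    Where-Object {
        $_.complianceState -ne 'compliant' -or
        -not $_.lastSync -or ([datetime]$_.lastSync -lt $staleBefore)
    } |
    Select-Object deviceName, user, managementAgent, complianceState, lastSync |
    Format-Table -AutoSize
```

Because the export carries the user principal name as Intune sees it, it also surfaces the primary-user drift discussed earlier in this thread: a device whose `user` is the IT account that staged it, rather than its real owner, will send its Conditional Access compliance mail to the wrong person.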
  • Early access is now open!! Post your questions here in the Comments section and give our panel of experts something to discuss and answer at the start of Thursday's live event!

Date and Time
Nov 18, 2021, 8:00 AM - 9:00 AM PST