Event details
Join Intune product managers for an interactive feedback session at the Microsoft Technical Takeoff.
Discuss your journey from on-premises to cloud native management, focusing on grouping and targeting, reporting, role-based access control (RBAC), and Intune Admin UX, and hear our roadmap of suggested changes. We're committed to providing the features and capabilities in the Microsoft Intune console that you need to manage cloud native devices and applications. Let's talk!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
170 Comments
- CMedley67 (Brass Contributor): Also please bring back the ability to run PS scripts against individual devices (was in preview at one time) rather than having to filter down or group one device to isolate it for the script.
- Lynn_Morse (Copper Contributor): What about Scope Tags for Autopilot profiles, MDM profiles, and such?
- ZebulonSmith (Iron Contributor): A lot of people are mentioning the need for dynamic collections. I think we already have the plumbing for this, it just needs a little nudge. How cool would it be if we could populate an AAD collection based on the results of a Proactive Remediation script?
- RobyneAllan (Copper Contributor): We have been deleting devices from Endpoint Manager when we send a device to salvage. We noticed that it doesn't get deleted in Azure AD. What is the best practice to remove a device that is going to salvage (never to be used again)? What is the best practice of removing a device that has been reset and it has created a new entry in Endpoint Manager Devices?
- RobyneAllan (Copper Contributor): Thank you for the info. When a device is EOL we remove the hard drives and they are destroyed. We chose delete because no one was ever going to use that device again, it goes to salvage without a hard drive. What I would like is a method that would also remove the device entry from Azure AD as well as Endpoint Manager. If we used the wipe method for ones that are being reset does that also remove it from Azure AD?
- HeyHey16K (Iron Contributor): Use the Intune WIPE command. That will delete the computer record from Intune and factory reset the computer. If registered for Autopilot, it will need to be deleted from the AP device list before you can delete the record from AAD. You would want to do this anyway to stop anyone else Autopiloting it later on with all your company system access.
- Paul_Woodward (Iron Contributor): The various Retire, Wipe, Autopilot Reset, Fresh Start, Delete options are a mess. The names do not reflect what they do. I can't keep track in my head of what each one does, and many of them have sub-options too. I spent a day testing each one, and reading what they should do, and then came to the conclusion that generally I want 'Wipe'. (Which IIRC is the same as the "Reset" option within Windows 10 - why not name it consistently?) Look at it from my perspective. I either want to blow it away completely (it's EOL), I want to Reset it because it is playing up, or I want to quickly clear down user data to reallocate it to someone else. 3 options that cover those scenarios, with names that match the use case, and a description that tells the admin what they will do is all we need.
- CMedley67 (Brass Contributor): Latency in Intune in general. Once we kick something off in Intune, it's anyone's guess when it might actually occur. Sit two PCs next to each other, set both to "Wipe", and one will kick off right away while the other has taken up to an hour. Gotta be a better way. We've literally reinstalled Windows to "Reset" the device fully due to the questionable device management experience in Intune otherwise.
- HeyHey16K (Iron Contributor): We've seen this - sometimes the WIPE command doesn't run at all (computer definitely has an Internet connection etc.) - even after several device syncs (both from the Intune console and locally via Company Portal) and several reboots. For these we use the local "Factory Reset" option and manually delete the device record in the Intune console etc.
- treestryder (Iron Contributor): I am wondering if the Intune team is running the Wipe command per user (which, if they are, makes no sense when Wiping the entire device). As, I have seen Wipes will always fail if the user's password has changed or otherwise have the "There is a problem with your Work or School Account" notice. Usually, a reboot will kick it in the pants.
- Rob de Roos (Iron Contributor): Policy sets is another one. In the beginning I was really hyped on that one. But still there are a lot of things missing that we are not able to assign through Policy sets.
- BryceSteel (Copper Contributor): Similar to my request to filter / constrain by Scope Tag(s) and/or Group(s) in the Device view, it would be very helpful (in our larger environment with multiple scopes) to constrain the Endpoint Analytics views / reports. There is a "Device scope" drop-down in Endpoint Analytics, but it only shows "All Devices".
- CBarnes851 (Brass Contributor): It was mentioned earlier to not create duplicate groups as this might create delays with syncing all our groups. When looking at our groups in Intune it would be nice to see what profiles, policies, apps, rings, etc. the group is assigned to. This could help with easily identifying if the group is still valid.
- GaryBaer (Brass Contributor): But it would be nice to have it in the GUI
- GaryBaer (Brass Contributor): Hi Chris! I needed this also while building HAADJ AP flow and refinement. I have a script that works really nice for this purpose. Too often, I need to know what assignments are on a given group and this is an easy one to provide that information. Let me know if you want it and I'll send to you.
- HeyHey16K (Iron Contributor): Yes please Gary 🙂
- BryceSteel (Copper Contributor): Agreed - this would be very helpful and similar to the "Deployments" tab on a Device Collection in ConfigMgr.
- dh8593 (Copper Contributor): Will you resolve config or compliance issues where Windows 11 does not have a function and it shows as an error, not just NA for that device?
- Rob de Roos (Iron Contributor): What is your take on where to config policies? You created a great view of all security related stuff under Endpoint Security, but a lot of settings are also configurable under configuration profiles. In some cases, like Bitlocker, in configuration profiles there are more settings than under Endpoint Security. What is the best practice or what is the vision on that?
- HeyHey16K (Iron Contributor): Same here.... before the Endpoint security module even existed, we configured everything using the default Intune policy templates, then found the security baseline policies, then the ESM was released so we moved (almost) all our security settings to there, then MS released the Settings Catalog. We're keeping our security settings in the ESM - for now at least, until MS unveil their next new policy config location 😉