User Profile
KurtBMayer
Iron Contributor
Joined 7 years ago
Recent Discussions
Re: Compte Rename Show Error
Petercheungtsrd The error code means: 0x87D1FDE8: Remediation failed. Since you say the computer is in fact renamed correctly, the error is probably a false positive. Likely it reports this because when the machine is renamed it loses track of the device momentarily during the rename operation. Hence the CSP doesn't know for certain whether the action succeeded or failed. Others have reported related issues when using the method you describe. Reference: Change Windows Computer Name during Intune enrolling. Instead, for a more reliable way to avoid that error, you could use a script to perform the rename, such as in these examples:
Want to rename computer after or during Autopilot
Rename Hybrid Joined Computers deployed via Autopilot
Please like or mark this thread as answered if it's helpful, thanks!
2.1K Views, 0 likes, 0 Comments

Re: Android: Create dynamic group based on os build number
Truls_Paulsen Can try some of these queries to see if one is suitable:
Intune filter rules based on OS versions — Handy reference
Create an Azure AD dynamic group for Windows 11 devices
Please like or mark this thread as answered if it's helpful, thanks!
2.4K Views, 0 likes, 1 Comment

Re: Windows 10 shutdown options
dave22339 You can set these GPO, CSP or registry keys to have the system make those extra items visible at shutdown. In this case, you'd want to set it to "Disabled" or "0" in the reg key since you want it to show.
Disable Update and restart and Update and shut down in Windows 10
Could also look at some of these other related update settings to facilitate the process:
Settings for Windows Update that you can manage through Intune policy for Update rings
Other reference: Force install updates on PC shutdown and restart on Windows 10/11
Please like or mark this thread as answered if it's helpful, thanks!
1.5K Views, 0 likes, 0 Comments

Re: Windows Firewall rules in intune vs local Firewall rules
Charmten Local firewall rules should be preserved and behave similarly to Group Policy. The Intune policy won't wipe out the existing firewall store, but will create supplemental rules on top of the current configuration - whatever you've defined in the cloud Device Configuration Policy. You can still run PowerShell scripts or NETSH commands or use the MMC to make and manage machine-specific firewall rules. For example, the local default File and Print Sharing rules will be there, but if you make a GPO or Intune policy, a new set of similar rules will appear (and likely be gray, indicating they're set by a policy), but you can continue to manipulate the local rules.
Please like or mark this thread as answered if it's helpful, thanks!
3.5K Views, 0 likes, 2 Comments

Re: Enable 2FA for Hybrid Azure AD joined devices and Windows Hello for Business
oryxway In general, the best practice is not to deploy tenant-wide at first, in order to provide time for testing and troubleshooting so as not to cause undue disruption if things don't work as expected the first time. As such, create a group and input pilot users or computers first to validate the deployment before proceeding with additional rollouts. With that in mind, using the "Windows Enrollment" section of Intune for WHFB applies tenant-wide to the All Users scope. It also only shows a subset of the WHFB options because this is meant for a quicker, simpler deployment. Thus, if you want to get more granular about this with a phased rollout, or to leverage all options, it's probably better to use the CSP Identity Protection Configuration Profiles. Generally, do one or the other but not both (if you don't set them exactly the same there will be a policy conflict). The default first factor is:
PIN
Fingerprint
Facial Recognition
If you don't want to allow one of these methods, remove it from the list of GUIDs, per the article. If a Biometric method is available, Windows will prefer that first. The default credential providers for the Second unlock factor credential provider include:
Trusted Signal
PIN
Since PIN is also available as the second factor, it is considered the "fallback" when Biometric or Trusted Signal fails (or if it isn't set up).
Please like or mark this thread as answered if it's helpful, thanks!
2K Views, 0 likes, 0 Comments

Re: Hybrid Azure AD devices have MDM set to NONE
EugenePetzer Likely, yes. A device can only report to SCCM or Intune for specific workloads. You need to enable Co-Management (Cloud Attach) in SCCM, then put some machines into an Intune Pilot collection to get those devices MDM enrolled and managed in the cloud. Where the device reports for management depends upon the workload sliders. Reference the following links for setup details.
ENABLE SCCM 1902 CO-MANAGEMENT
In newer builds of SCCM it's now called Cloud Attach, but is effectively the same.
Enable cloud attach for Configuration Manager
Please like or mark this thread as answered if it's helpful, thanks!
3.6K Views, 0 likes, 1 Comment

Re: Inspiron Laptops not able to be onboarded by autopilot
conredman I suspect the statement in question refers to Inspiron being a typically "consumer" oriented laptop model, versus, for example, Latitudes as being more "business" oriented. In other words, they probably don't support it for pre-provisioning from the OEM's perspective. But that doesn't mean it wouldn't work. You should still be able to manually get the device pre-enrolled by one of the methods in this article: Manually register devices with Windows Autopilot | Microsoft Learn. That being said, it's possible certain features might not work on the Inspiron if it doesn't have the requisite hardware components, such as TPM 2.0 with attestation, which might be one reason why it isn't officially supported.
Please like and mark this thread as answered if it's helpful, thanks!
1.7K Views, 0 likes, 0 Comments

Re: Applocker CSP updates not working
dasbult Not sure why it's failing to reapply, but possibly you could take a look at this PowerShell to go about clearing the local policy. Could be a possible workaround to purge the .policy files.
How to clear a local Applocker policy
Only other thought is that possibly during a previous update, some bad policy value got set which ends up clogging the XML from properly refreshing. Only way to know that would be to backtrack through the updates, or possibly restart with a fresh policy config rather than continuing to update the existing.
Please upvote and accept this thread as answered if it's helpful, thanks!
1.6K Views, 0 likes, 0 Comments

Re: Pinning Apps in start menu
oryxway There's a policy option to allow/disallow Start menu modifications. See these links for reference.
Enable or Disable Changing Start Layout in Windows 10 | Tutorials (tenforums.com)
Changes to Group Policy settings for Windows 10 Start menu (Windows 10) - Configure Windows | Microsoft Learn
Add or remove pinned apps on the Start menu in Windows 11 - Configure Windows | Microsoft Learn
Start menu layout but also allow user customizations? : Intune (reddit.com)
Please like and mark this thread as answered if it's helpful, thanks!
3.9K Views, 0 likes, 2 Comments

Re: replacing a file using intune
AB21805 Another possibly simpler detection rule would be to use the "Date Modified" method. If the file date is greater than or equal to MM/DD/YYYY, it's the latest version and doesn't need to run.
Please like and mark this thread as answered if it's helpful, thanks!
7.8K Views, 2 likes, 0 Comments

Re: Is it really best practice to have zero permanent active admin roles (except for break glass)?
Kiril Best practice would certainly be for admin accounts to have reachable email, not only for notifications but for MFA and SSPR, etc. If needed, set static email addresses in the alerts to go to a shared mailbox, so they are being received. For "full-time" admins who perform elevated work in the tenant regularly, this is a case where giving a permanent grant makes sense for simplicity. Take steps like enabling Security Defaults or requiring MFA to mitigate risk.
Require MFA for administrators with Conditional Access - Azure Active Directory - Microsoft Entra | Microsoft Learn
For contractors or "temporary admins" who only need the rights for a shorter duration, this is where PIM shines. Perhaps increase the duration from the default 8 hours if there's justifiable reason for it, like if the project will go on for longer so they don't need to request reauthorization quite so frequently.
Configure Azure AD role settings in PIM - Azure AD - Microsoft Entra | Microsoft Learn
Please like and mark this thread as answered if it's helpful, thanks!
3.4K Views, 0 likes, 0 Comments

Re: Android (personally-owned work profile) - Factory reset
Sophie_Gewillig When factory reset, the device is effectively removed from Intune since its Company Portal app and access tokens will be purged - it won't be able to log back in without re-entering credentials. The device object is left over in Intune, though, so it's not as graceful as full unenrollment. But take a look at Using Intune device cleanup rules - Microsoft Community Hub. The device will become "inactive" and eventually clear out after the default 90 days (unless you shorten the interval).
Please like and mark this thread as answered if it's helpful, thanks!
3K Views, 0 likes, 0 Comments

Re: Android app deployment
JasonBreslau Check the requirements for the app. If it has a requirement that it needs cellular, then it might not pass the prerequisite check. Otherwise, be sure the device is connected to Wi-Fi and attempt to install it manually. If it works, then there isn't a requirement for cellular only. In that case, you'd proceed to check the properties of the deployment, make sure the device/user is in the necessary groups, etc.
Please like and mark this thread as answered if it's helpful, thanks!
1.3K Views, 0 likes, 1 Comment

Re: Is it really best practice to have zero permanent active admin roles (except for break glass)?
Kiril The wording seems too strong to have "zero" GAs. I'd interpret this to mean most roles should be managed by PIM whenever possible as a best practice. Only keep the minimum number of permanent Global Admin accounts and review the list regularly. Any Azure role must be active for the user to be in it or to receive notification of alerts assigned to the role, along with things like SSPR, etc. Eligible accounts won't fit the criteria since they aren't actively in the role (although you can assign some notifications to static email addresses instead of dynamically via the role grant). For practical purposes, there must always be at least one Break-Glass GA, which you could consider the "permanent" activation.
Please like and mark this thread as answered if it's helpful, thanks!
3.6K Views, 0 likes, 2 Comments

Re: Divide iOS devices for Compliance
nhtkid I don't think there's a query filter that will provide information on what devices "support upgrade" to iOS 16. It can only look at if the device is already on that version or not. You can still keep your Compliance Policy global at 15.7 as the minimum supported version, which would block all lesser versions but allow those above on 16. There isn't often a need to have different compliance policies by version, so it may be simpler to just settle on the least common denominator. The only other way to separate them is to put the "old" iOS devices into a static collection and "exclude" that group from the "newer version" compliance policy (and vice versa). But you'd still have to determine some distinguishing characteristic to identify the devices unable to upgrade and manually put them into the static collection. The Model attribute seems to be the only viable way to do it with dynamic device groups. But there is the Product Name information under Hardware in Intune, which breaks it down in a bit further granularity per https://gist.github.com/adamawolf/3048717. Perhaps the Azure AD PowerShell module or Graph API could be used to pull that info and add the device to a static collection as a workaround.
Please like or mark this thread as answered if it's helpful, thanks!
1.8K Views, 0 likes, 0 Comments

Re: Azure Sign-in Logs
Steph32UK This would be an example of how to implement the extra check: Conditional Access - Require MFA for Azure management - Azure Active Directory - Microsoft Entra | Microsoft Learn. This way they'd need to prove the second factor even if they gain access to valid credentials. You could make a variant on this to just block Azure Management for non-admins similar to the example described here: Block access to Azure Powershell Management (microsoft.com) or Block user access to Azure AD Powershell with Conditional Access - Microsoft Community Hub. In this case, you'd want to put your admins in a group that's excluded from the rule.
Please like and mark this thread as answered if it's helpful, thanks!
5.1K Views, 1 like, 1 Comment

Re: Script a cmd to set Startup App
nhtkid Basically, after you move the machine from the "generic" staging group, you can trigger an Intune sync for policy sooner than the default schedule, at which time it should pick up its new deployments and profiles. Take a look at these links for information on possible approaches:
Force Intune policy sync from a PowerShell script - MSEndpointMgr
Forcing an MDM sync from a Windows 10 client – Out of Office Hours (oofhours.com)
Please like and mark this thread as answered if it's helpful, thanks!
8.6K Views, 0 likes, 0 Comments

Re: Convert from Azure Registered to Hybrid AD Join with ADFS
samppp Configure Device Writeback in AD Connect and sync the OUs with machines, per Configure hybrid Azure Active Directory join for managed domains. According to MSFT, such devices will convert from Azure AD Registered to Hybrid Azure AD Joined and in most cases will clean up the old record. It may take a while for all devices to process, though. See: Plan hybrid Azure Active Directory join - Azure Active Directory. Regarding Q2 and Moe_Kinani's response, yes, changing AD Connect would move away from ADFS, but just be aware it'd change the auth flow of the tenant. You could still use ADFS for other federated Relying Parties if needed; just the Office 365 integration would change over to Azure AD auth.
Please like and mark this thread as answered if it's helpful, thanks!
4.2K Views, 1 like, 1 Comment

Re: Android iPads - weblink deployment
Krishnakumar_M See this similar post for further information: Web App not opening in IpadOS - "Action not allowed - Organization does not allow you to open this data here" - Microsoft Q&A. It seems like the quick fix is to disable/remove the App Protection Policy. Another workaround is to try long hold and "share to browser" per the question's comments.
Please like and mark this thread as answered if it's helpful, thanks!
885 Views, 0 likes, 1 Comment