User Profile
shehanjp
Iron Contributor
Joined 7 years ago
Recent Discussions
Re: Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment
Hi oryxway

1. Have you created the Device Profile called "Domain Join"? This is where you specify the domain information. About the Intune Connector - my advice is to go through the Microsoft official document and configure the permissions.

2. Looks like you have selected the OU which has been set up for Autopilot, which is the controlled method. Hope you have seen this already: http://stevehardie.com/2021/04/windows-autopilot-error-code-80070774/

A few things you can check:

* Run dsregcmd /status on the user's computer to understand the join mode: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
* The user who is enrolling the device needs to have proper licensing that covers Intune
* MDM user scope should be Some or All, and that should capture the end user who is enrolling the device
* No proxy or firewall blocks: https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints

Shehan.
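The first check in the reply above can be scripted. The following PowerShell is added here as an example (it is not part of Shehan's reply): it runs dsregcmd /status on the enrolling device, parses the "Key : Value" lines it prints, derives the join mode, and flags the other checklist items (Azure AD registration, MDM enrolment) from the same output. The field names it reads (AzureAdJoined, DomainJoined, TenantName, DeviceId, MdmUrl, AzureAdPrt) are the ones current Windows builds print; treat them as an assumption to confirm on your build.

```powershell
# Added example, not from the original reply. Run in an elevated prompt on the
# device that failed to enrol. Parses dsregcmd /status instead of eyeballing it.

function Get-DeviceJoinState {
    [CmdletBinding()]
    param()

    # dsregcmd prints "Key : Value" lines grouped under +---- headers;
    # capture every Key : Value pair into a hashtable.
    $raw   = & dsregcmd.exe /status 2>&1
    $state = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $state[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }

    $aad = $state['AzureAdJoined'] -eq 'YES'   # registered/joined in Azure AD
    $dom = $state['DomainJoined']  -eq 'YES'   # joined to on-prem AD

    # Join mode is the combination of the two flags.
    $mode = 'Not joined'
    if ($dom)          { $mode = 'Domain joined only (no Azure AD registration)' }
    if ($aad)          { $mode = 'Azure AD joined' }
    if ($aad -and $dom){ $mode = 'Hybrid Azure AD joined' }

    [pscustomobject]@{
        JoinMode   = $mode
        TenantName = $state['TenantName']   # assumption: key name as printed by current builds
        DeviceId   = $state['DeviceId']
        MdmUrl     = $state['MdmUrl']       # empty until the device has enrolled into Intune
        AzureAdPrt = $state['AzureAdPrt']   # YES once a user has signed in with Azure AD creds
    }
}

$s = Get-DeviceJoinState
$s | Format-List

# Map the remaining checklist items from the reply onto the parsed output.
if ($s.JoinMode -eq 'Domain joined only (no Azure AD registration)') {
    Write-Warning 'Device is not registered in Azure AD: check the SCP and the AAD Connect sync scope for its OU.'
}
if ([string]::IsNullOrEmpty($s.MdmUrl)) {
    Write-Warning 'No MDM URL: check that the enrolling user has an Intune licence, is inside the MDM user scope, and can reach the Intune endpoints.'
}
```

A device that shows AzureAdJoined : YES and DomainJoined : YES but no MdmUrl has completed the hybrid join and is failing at MDM auto-enrolment, which points at licensing, MDM user scope or network rather than at the Domain Join profile.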
Re: Two Ways To Enable Hybrid AAD Join Mode For A Controlled Deployment

Hi oryxway,

Thanks for your comments about my article. I see you have a few questions regarding the join mode and AAD Connect. Please see my answers below.

1. For Autopilot to complete, you don't need to enable Hybrid AAD Join (HAADJ) mode. You only need HAADJ if you have an on-premises AD which you need your Autopiloted machines to be joined to afterwards. If not, they will be joined as AAD Joined to Azure AD. If you need to add devices to on-prem AD and join them as HAADJ to Azure AD, then create the Domain Join profile, make sure you assign the Autopiloting device group to it, and install the Intune Connector on an on-prem server.

2. Your 2nd question is not clear; if you can add a bit more detail, that would be great 🙂

3. "If Hybrid Azure AD configuration needs to be enabled in the Azure AD Connect server, then will this affect any devices on-prem? I do not want thousands of machines moving to Azure AD."

It depends on how you want to enable it. How are your AD OUs syncing with Azure AD, i.e. what is the sync scope?

a - Do you have a set of OUs that are syncing only, or
b - Do you have your whole AD syncing with all the OUs?

If a, then you can create another OU, add your devices and add it to the AAD Connect sync scope so only those machines will get synced. Then enable HAADJ in the AAD Connect tool and perform a full sync. So only machines that are syncing will get the Azure AD SCP via the AAD Connect tool.

If b, then, again, create another OU, add the devices which you need to be added as HAADJ, and set the Azure AD SCP from a GPO, so only those machines will get added as HAADJ.

The steps are in my article anyway. Mainly HAADJ is best if your computers need to get authenticated by the on-prem domain for various reasons (file shares, on-prem legacy apps etc.). If not, it's recommended to add devices as Azure AD joined directly, but really either is fine.

Good luck!

Shehan.
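The two SCP placements discussed in the reply above (the forest-wide SCP that AAD Connect writes in option a, and the client-side SCP a GPO delivers in option b) can be inspected and set with the following PowerShell. It is added here as an example and is not taken from the reply or the linked article. Get-ForestDeviceRegistrationScp reads the well-known Device Registration Configuration object under the Configuration partition; Set-ClientSideScp writes the registry values that a GPO registry preference would push to the targeted OU. The tenant name and ID in the usage lines are placeholders.

```powershell
# Added example, not from the original reply. Run on a domain-joined machine
# (reading the forest SCP needs only a domain user; writing HKLM needs admin).

function Get-ForestDeviceRegistrationScp {
    # The forest-wide SCP lives at a fixed GUID under the Configuration naming context.
    # If it exists, every domain-joined computer in the forest will attempt hybrid join;
    # only the AAD Connect sync scope then decides which ones actually succeed.
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = $root.Get('configurationNamingContext')
    $dn   = "LDAP://CN=62a0ff2e-97b9-4088-9f79-1b5b2d6d9fac,CN=Device Registration Configuration,CN=Services,$cfg"
    if (-not [ADSI]::Exists($dn)) { return $null }

    $scp = [ADSI]$dn
    $kw  = @($scp.Get('keywords'))   # e.g. "azureADName:contoso.com", "azureADId:<tenant guid>"
    [pscustomobject]@{
        TenantName = ($kw | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        TenantId   = ($kw | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    }
}

function Set-ClientSideScp {
    # Client-side SCP: the same two values, but only on machines you target (option b).
    # A GPO registry preference scoped to the HAADJ OU delivers exactly these keys.
    param(
        [Parameter(Mandatory)][string]$TenantName,   # placeholder, e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)][guid]  $TenantId      # placeholder tenant GUID
    )
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'TenantName' -Value $TenantName -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $path -Name 'TenantId'   -Value $TenantId.ToString() -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $path | Select-Object TenantName, TenantId
}

# Usage: first find out which situation you are in.
$forestScp = Get-ForestDeviceRegistrationScp
if ($forestScp) {
    "Forest-wide SCP present for tenant $($forestScp.TenantName) ($($forestScp.TenantId)): targeting is done by the AAD Connect sync scope."
} else {
    'No forest-wide SCP: only machines with a client-side SCP will hybrid join.'
    # Placeholder tenant values; replace with your own before running.
    Set-ClientSideScp -TenantName 'contoso.onmicrosoft.com' -TenantId '00000000-0000-0000-0000-000000000000'
}
```

The order matters for a controlled rollout: if Get-ForestDeviceRegistrationScp already returns a tenant, adding a client-side SCP changes nothing, and the only lever that keeps "thousands of machines" from registering is the OU sync scope, exactly as option a describes. If it returns nothing, a computer stays out of hybrid join until it receives the registry values, which is what makes option b targeted.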
Re: Microsoft Endpoint - Windows Selfdeploy / Autodeploy devices questions

MichaelW

1. What I meant there was you have to use Office 365 Apps with the Shared Activation method. What you are saying is the users who are using those shared computers have a single account (like a generic account)? Is it? I didn't understand this part: "all have also an O365-E3 license".

2. If the user has EMS-E3, that covers the licensing requirement. To use the Intune benefits, a User or Device licence is required. If you have the Intune device license type, then having an adequate number of licenses in the portal is acceptable. You don't need to specifically assign them. But if the user has EMS-E3 already, you are covered.
Re: Microsoft Endpoint - Windows Selfdeploy / Autodeploy devices questions

MichaelW

1. You can install MS Office on those devices. If you use the XML editor to write the Shared Licensing lines, the installation can be used by different users who have the correct license. Check here for more info: https://docs.microsoft.com/en-us/deployoffice/overview-shared-computer-activation

2. If you are using the Intune device license, then basically you must have an adequate number of licenses available for the number of devices you have. Maybe you can create an Azure AD group, add the devices to it and assign the Intune device license to the group so you can keep track of that. If your user has the proper M365 license that has Intune in it, then no need to worry about the device license.

I think I answered that correctly. If you think this answered your question, please mark it as the answer. Cheers!
Get Notified When You Have Group Based License Assignment Issues

Hi All,

Hope I'm posting this in the correct space.

#AzureAD group based licensing. A neat feature with one element lacking. So I did a quick #PowerAutomate Flow to get notified in Teams when you have licensing issues in the group. Please check the below link. Hope this is helpful.

https://shehanperera.com/2022/06/25/group-based-licensing-notification-1/
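The same notification as a scheduled PowerShell job rather than a Flow, added here as an example (it is not the Flow from the linked post). It uses the Microsoft Graph PowerShell SDK: Get-MgGroup with the hasMembersWithLicenseErrors filter to find affected groups, Get-MgGroupMemberWithLicenseError for the members, and each user's licenseAssignmentStates for the failure reason, then posts a summary to a Teams incoming webhook. The webhook URL is a placeholder, and the script assumes an identity with Group.Read.All and User.Read.All.

```powershell
# Added example, not the author's Power Automate Flow.
# Requires the Microsoft.Graph.Groups and Microsoft.Graph.Users modules.
param(
    # Placeholder: paste the URL of a Teams Incoming Webhook connector here.
    [string]$WebhookUrl = 'https://contoso.webhook.office.com/webhookb2/REPLACE-ME'
)

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

function Get-GroupLicenseErrors {
    # Graph exposes a server-side filter for groups whose group-based assignment failed
    # for at least one member, so we never have to enumerate every licensed group.
    $groups = Get-MgGroup -Filter 'hasMembersWithLicenseErrors eq true' -All
    foreach ($g in $groups) {
        $members = Get-MgGroupMemberWithLicenseError -GroupId $g.Id -All
        foreach ($m in $members) {
            # licenseAssignmentStates carries one entry per SKU; the Error field holds
            # the reason (e.g. CountViolation when the tenant is out of licences).
            $u = Get-MgUser -UserId $m.Id -Property userPrincipalName, licenseAssignmentStates
            $failed = $u.LicenseAssignmentStates |
                Where-Object { $_.AssignedByGroup -eq $g.Id -and $_.Error -and $_.Error -ne 'None' }
            foreach ($e in $failed) {
                [pscustomobject]@{
                    Group = $g.DisplayName
                    User  = $u.UserPrincipalName
                    SkuId = $e.SkuId
                    Error = $e.Error
                }
            }
        }
    }
}

$report = @(Get-GroupLicenseErrors)
if ($report.Count -eq 0) {
    'No group-based licensing errors.'
} else {
    # Plain-text card: one line per failed assignment.
    $lines = $report | ForEach-Object { "$($_.Group): $($_.User) - $($_.Error) (SKU $($_.SkuId))" }
    $card  = @{
        title = "Group-based licensing errors ($($report.Count))"
        text  = ($lines -join "<br>")
    } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $WebhookUrl -ContentType 'application/json' -Body $card
}
```

Scheduling this every few hours covers the gap the post describes: Azure AD records the failure on the user object but does not alert anyone, so a CountViolation after a new-starter batch would otherwise be found only when the user complains.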
Re: Targeted HAADJ vs OU Filtering for Co-Management

mdigrego15

Hi, it's the same thing, and OU filtering has more control over your users and devices than syncing all at once. In that way you can sync only the required (targeted) devices with Hybrid Azure AD join mode. Hope the below URL will be helpful as well: https://shehanperera.com/2022/02/26/hybridaadjoin-methods/
How to Setup Endpoint Manager RBAC

My new blog post on setting up Endpoint Manager RBAC permissions. In this article I explain how to give admins correct and sufficient access without assigning them the powerful Intune Admin role. Hope this helps anyone who is planning on introducing and setting up RBAC in their Endpoint Manager environment.

https://shehanperera.com/2022/05/12/endpoint-manager-rbac/
Re: Locking Intune Device Categories by Azure groups

NeilPD

Another way to look at this without using device categories: group tags can be used to tag machines from the Device Registration page. You can use different enrollment profiles, as MMelkersen_MVP mentioned, assigned to group tag based dynamic AAD device groups. The same AAD groups can also be used to deploy apps and device profiles if needed. Cheers!
Pros and Cons of Using Microsoft Endpoint Manager Policy Sets Feature

What else can be a great feature in Microsoft Endpoint Manager other than bundling up all the policies to create that “Golden Image” type policy and assigning it to the device or user groups? From an administrator's perspective, you don't need to individually assign groups to policies and apps, and managing this will be super easy. A great MEM function which is still in Preview, but I already see great benefits as well as some caveats in using it.

Benefits of Using Policy Sets

Most organizations, when they move from SCCM or from their current management solution to MEM/Intune, look for similarities so things can be managed without additional hassle. In a world where you don't have the MEM Policy Sets feature, you would have apps – each app assigned to a group, device profiles – each one assigned to group/s, compliance policies – each one assigned to group/s, etc. It is an overwhelming task to make sure every policy that's created and every app that has been added is assigned to the right group/s.

The main usage of Policy Sets is very simple to understand. It's basically bundling up the policies, apps, configuration profiles etc. in one place, and from that point onwards, if you have a set of users/devices that needs to be assigned to those, rather than going to each policy and assigning them, you go the other way round: assigning the Policy Set to the group/s. This is also a great feature to set up that SOE level and maintain it as one single entity. You always have the ability to make modifications as you go. As an example, you can maintain 3 policy sets for Windows, iOS and Android devices which are managed by MEM.

At this stage, the following are available to configure in Policy Sets:

* Apps
* App configuration policies
* App protection policies
* Device configuration profiles
* Device compliance policies
* Windows Autopilot deployment profiles
* Enrollment Status Page

Caveats of Using Policy Sets

Microsoft has already identified some known issues with Policy Sets, which basically makes administrators think twice before using it. At a high level:

* Some policies can't be applied to user groups
* Some apps which are required by specific devices/users must be added separately from the policy sets

Even in this form, the goal of creating that super policy, adding all the policies and apps that need to go in and then assigning groups (device or user) is a bit dicey: if you assign a device group to the Policy Set object, the underlying policies that need to be assigned to a user group will not work. To overcome this you would introduce chaos with directly assigned policies which are not part of the policy set.

According to https://docs.microsoft.com/en-us/mem/intune/fundamentals/policy-sets#policy-sets-known-issues, below are the Policy Sets issues new to version 1910.

The following app types are currently supported by policy sets:

* iOS/iPadOS store app
* iOS/iPadOS line-of-business app
* Managed iOS/iPadOS line-of-business app
* Android store app
* Android line-of-business app
* Managed Android line-of-business app
* Microsoft 365 Apps (Windows 10)
* Web link
* Built-in iOS/iPadOS app
* Built-in Android app

Setting a policy set assignment of All Users to an Autopilot profile is unsupported.

Policy sets have the following enrollment restrictions and Enrollment Status Page (ESP) issues:

* Restrictions and ESP do not support virtual group assignments.
* Restrictions and ESP do not strictly support exclusion group assignments.
* Restrictions and ESP use priority-based conflict resolution.
* Restrictions and ESP might not be applied to the same users as the rest of a policy set's payloads if the restrictions and ESP are also targeted by a higher priority restriction and ESP.
* The default restrictions and ESP cannot be added to a policy set.

MAM policy types that support policy sets include the following:

* MAM WIP (Windows) MDM targeted managed app protection
* MAM iOS/iPadOS targeted managed app protection
* MAM Android targeted managed app protection
* MAM iOS/iPadOS targeted managed app configuration
* MAM Android targeted managed app configuration

MAM policy types that do not support policy sets include the following:

* MAM WIP (Windows) targeted managed app protection

MAM processes policy set assignments as direct assignments for the following policy types:

* MAM iOS/iPadOS targeted managed app protection
* MAM Android targeted managed app protection
* MAM iOS/iPadOS targeted managed app configuration
* MAM Android targeted managed app configuration

If a policy is added to a policy set that is deployed to a group, the group would show as directly assigned in the workload, not “assigned via the policy set”. As a result of this, MAM does not process group assignment deletions coming from policy sets.

MAM does not support deployment to the All Users and All Devices virtual groups for any policy types.

The Device Configuration Profile of type “Administrative Templates” cannot be selected as part of a policy set.

The Verdict

I believe Policy Sets are still in Preview because of this situation: the known issues outweigh the uses. Everyone's requirements are not the same, and if you can tackle the caveats, you can still use Policy Sets. But since this has been out there for a while now and Microsoft has identified the issues, they may be working on a better version that we can all use without any hesitation.

https://shehanperera.com/2022/04/28/mem-policy-sets-1/
Re: Curious question here: New environment

David_M1840

Hi David,

If I got this right, I believe you can have one master device group along with device filters, so when you create the policies and add the master group to the assignment, you can further target this to the specific device filter (inclusion or exclusion).

Ideally you have to create your filters first from MEM > Tenant Administration > Filters. Filters are dynamically applied to your devices and you can set filters for specific platforms (iOS/Android/Windows). Once the filters are ready, set them when you are assigning the device policies to the master group.

Please check this for more about device filters: https://shehanperera.com/2022/03/07/mem-device-filters/

Hope this helps. Thank you.

**If you think my answer is valid, please Accept it as the solution. Thank you**
Re: Locking Intune Device Categories by Azure groups

NeilPD

Hi,

Device categories are for devices, not for users, but admins can give users the option to select the device category when enrolling the device.

"Is there a way to assign an azure group to a device category?"

Yes. You can create device categories first and then, using dynamic AAD groups (Dynamic Device), create a rule to assign devices with the specific category to the group. Check this: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping

This will work.

"Or so users can only see the device categories that they have been given access to by the azure group(s)?"

This can be achieved if you install the Company Portal app. When they first open the app, they will be asked to select the device category. However, in this case they can see all the device categories and have to select the proper one. Once selected, the device will be assigned to the previously created AAD dynamic device group, so you can set targeted policies for that category. Check this: https://jannikreinhard.com/2021/07/18/configure-device-categories/

Hope this helps. Thank you.

**If you think my answer is valid, please Accept it as the solution. Thank you**
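Both replies on this thread (device categories in the reply above, Autopilot group tags in the earlier reply) end at the same place: a dynamic Azure AD device group that policies and apps are assigned to. The following PowerShell, added here as an example and not taken from either reply, creates one group of each kind with the Microsoft Graph PowerShell SDK. The membership rules are the documented Azure AD dynamic-group syntax (devicePhysicalIds carries the Autopilot group tag as "[OrderID]:<tag>"; deviceCategory carries the Intune category); the tag name "Kiosk", the category "Finance", the group names and mail nicknames are placeholders.

```powershell
# Added example, not from the replies above. Needs Microsoft.Graph.Groups and
# an identity holding Group.ReadWrite.All.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # Security group, dynamic membership, rule processing switched on from the start.
    New-MgGroup -DisplayName $DisplayName `
                -MailNickname $MailNickname `
                -MailEnabled:$false `
                -SecurityEnabled:$true `
                -GroupTypes @('DynamicMembership') `
                -MembershipRule $MembershipRule `
                -MembershipRuleProcessingState 'On'
}

# 1. Group tag route (earlier reply): the tag set on the Autopilot device registration
#    page is stored on the Azure AD device object as "[OrderID]:<tag>".
$byTag = New-DynamicDeviceGroup -DisplayName 'AP - Kiosk devices' -MailNickname 'ap-kiosk' `
    -MembershipRule '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Kiosk"))'

# 2. Device category route (reply above): the category the user picks in Company Portal
#    is written to the device's deviceCategory attribute.
$byCategory = New-DynamicDeviceGroup -DisplayName 'Intune - Finance category' -MailNickname 'intune-finance' `
    -MembershipRule '(device.deviceCategory -eq "Finance")'

# Dynamic membership is evaluated asynchronously, so the count can be 0 right after
# creation; re-run this part before you assign policies to the new groups.
foreach ($g in @($byTag, $byCategory)) {
    $count = @(Get-MgGroupMember -GroupId $g.Id -All).Count
    "{0} ({1}): {2} device(s) so far" -f $g.DisplayName, $g.Id, $count
}
```

The two rules differ in who controls membership: the group tag is set by an admin at registration time and cannot be changed from the device, whereas the category is chosen by the end user in Company Portal, which is exactly the "users can see all categories" caveat in the reply above. If the group gates anything sensitive (a privileged app, a relaxed compliance policy), the tag rule is the one to use.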
How to Migrate Group Policies to Microsoft Endpoint Manager using Group Policy Analytics

An exciting feature was recently made available in MEM, and I wrote a step by step guide on how to analyse and migrate your GPOs to MEM. Hope you'll find this informative.

https://shehanperera.com/2022/04/23/group-policy-analytics-1/
Re: Autopilot change the operating systems default installed language

RahamimL

Hi,

In the Autopilot profile you are creating, there is a section for Language (Region). This is usually "OS Default", but you can change it to EN-US. As long as the device is assigned to that Autopilot profile, it will change the language during the process.

Optional: you can set "Automatically configure keyboard" to No so the user will have to select it during the process.

Hope this helps.

**If you think my answer is valid, please Accept it as the solution. Thank you**
Re: Error when enrolling Windows into Endpoint Protection with Intune

Hi,

If I get the issue right, this is related to device compliance, and the desired level you chose was Medium. Ideally the machine needs to be at or under Medium to be "Compliant". Is there any particular reason why you applied the policy to "All Users" and not to a device group or "All Devices"?

Cheers!
Re: Azure Security Group sync when Group Writeback enabled

According to the official article, along with the prereqs you need to have, you can only write back M365 groups, not Security Groups. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-group-writeback
Re: (Intune) Enable "Camera Uploads" In OneDrive app on IOS devices

Hi,

Unfortunately this feature is not available in Intune yet, even though the "Camera Uploads" option is available in the OneDrive client. Even the App Protection Policy for iOS has a policy to enable iCloud backup for organization data. Further, in App Protection Policies you have the option of "Save copies of org data" and selecting OneDrive for Business. However, photos won't go under org data, so they will not be uploaded automatically.