User Profile
alexandertuvstrom
Brass Contributor
Joined 7 years ago
Chief Technical Architect with Rewired and focusing on enterprise mobility & security, advanced threat protection and cloud security.
Recent Discussions
Re: Sccm/Intune co-management - deploying apps (not applicable)
Peanut2020 What are your co-management workload settings? Configuration Manager continues to manage all workloads before you change the co-management workload settings. Please read the documentation here: https://docs.microsoft.com/en-us/mem/configmgr/comanage/workloads#client-apps
12K Views, 0 likes, 1 Comment

Re: BYOD Restrictions
ben_2 You can find some information here:
Windows BYOD: https://docs.microsoft.com/en-us/mem/intune/user-help/what-happens-if-you-install-the-company-portal-app-and-enroll-your-device-in-intune-windows#it-support-permissions
Mac BYOD: https://docs.microsoft.com/en-us/mem/intune/user-help/what-happens-if-you-install-the-company-portal-app-and-enroll-your-device-in-intune-macos
3.4K Views, 1 like, 0 Comments

Re: SCCM Software Updates not installing to endpoints
Michiel Overweel No, that's correct. But in this case, the information was that the user had installed a site server with DP, SUP, MP and a remote DP. And as you say, the distribution points (site server with DP role and remote DP) need IIS installed. So my answer was not wrong here, was it? This is an example log on the SCCM server with "Failed to create virtual directory on the defined share or volume on distribution point":

    Failed to create virtual directory on the defined share or volume on distribution point "["Display=\\<DISTRIBUTIONPOINT.DOMAIN>\"]MSWNET:["SMS_SITE=XYZ"]\\<DISTRIBUTIONPOINT.DOMAIN>\".
    Possible cause: Distribution Manager requires that IIS base components be installed on the local Configuration Manager Site Server in order to create the virtual directory. Distribution Manager also requires that IIS Web Services be installed on the Distribution Point Server that needs to support Background Intelligent Transfer Service (BITS).
    Solution: Verify that IIS base components are installed on the local Configuration Manager Site Server, and IIS Web Services are installed on the Distribution Point Server.

Michiel Overweel Is it wrong information Microsoft provides as a possible cause and solution in the status messages and logs on SCCM?
16K Views, 0 likes, 1 Comment

Re: configure a local policy with powershell
jorgeglez This is an example of a SettingsPageVisibility script with PowerShell.

    # Registry settings - HKLM
    # Enable SettingsPageVisibility
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility /t REG_SZ /d "showonly:dateandtime;printers;regionlanguage;yourinfo;WindowsUpdate" /f

4.3K Views, 1 like, 1 Comment

Re: SCCM Software Updates not installing to endpoints
Michiel Overweel That's correct. I wrote that he would review the pre-reqs on the DP and site server? 🙂 You may correct me, but the Distribution Manager requires that IIS base components be installed on the local Configuration Manager Site Server in order to create the virtual directory? Distribution Manager also requires that IIS Web Services be installed on the Distribution Point Server that needs to support Background Intelligent Transfer Service (BITS)?
78K Views, 1 like, 6 Comments

Re: Allow Admins to install all apps from company portal
93Imagine Is it an Azure AD joined device? The primary user of a device controls the ability to install available apps. Converting a device to a shared device by enrolling it without a primary user (Autopilot self-deploying mode), or removing the primary user, will give the chance to install the apps again. A shared device has no primary user. Shared device configuration setup documentation: https://docs.microsoft.com/en-us/mem/intune/configuration/shared-user-device-settings
5.6K Views, 0 likes, 3 Comments

Re: Non User Affinity iPad
Jeff Harlow Devices that are configured with no user affinity do not support the Company Portal and should not have the app installed. The Company Portal is designed for users who have corporate credentials and require access to personalized corporate resources (like email). Devices that are enrolled with no user affinity aren't intended to have a dedicated user sign in. Kiosk, point of sale (POS), or shared-utility devices are typical use cases for devices that are enrolled with no user affinity. Have you set up the Apple MDM Push certificate in Endpoint Manager? An Apple MDM Push certificate is required for Endpoint Manager to manage iOS/iPadOS and macOS devices. You can find more info here:
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios
https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-configurator-enroll-ios
8.4K Views, 0 likes, 1 Comment

Re: software deployment on autopilot devices
Krishanthad Endpoint Manager's group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), type:

    (device.devicePhysicalIds -any (_ -eq "[OrderID]:<grouptag>"))

Use Intune's security baselines to help you secure and protect your users and devices. You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10 or later. For example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, automatically disables basic authentication, and more. When a default value doesn't work for your environment, customize the baseline to apply the settings you need. Separate baseline types can include the same settings but use different default values for those settings. It's important to understand the defaults in the baselines you choose to use, and to then modify each baseline to fit your organizational needs. You can use one or more of the available baselines in your Intune environment at the same time. You can also use multiple instances of the same security baselines that have different customizations. When you use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved.

When a security baseline setting no longer applies to a device, or settings in a baseline are set to Not configured, those settings on a device don't revert to a pre-managed configuration. Instead, the previously managed settings on the device keep their last configurations as received from the baseline until some other process updates those settings on the device. Other processes that might later change settings on the device include a different or new security baseline, device configuration profile, Group Policy configurations, or manual edit of the setting on the device.

If you want to apply settings on a device, regardless of who’s signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user. Use device groups when you don’t care who’s signed in on the device, or if anyone is signed in. You want your settings to always be on the device. Use user groups when you want your settings and rules to always go with the user, whatever device they use.
3.5K Views, 0 likes, 0 Comments

Re: software deployment on autopilot devices
Krishanthad
A1 - Endpoint Manager's group tag field maps to the OrderID attribute on Azure AD devices. To create a group that includes all Autopilot devices with a specific group tag (the Azure AD device OrderID), type:

    (device.devicePhysicalIds -any (_ -eq "[OrderID]:<grouptag>"))

A2 - Use Intune's security baselines to help you secure and protect your users and devices. You deploy security baselines to groups of users or devices in Intune, and the settings apply to devices that run Windows 10 or later. For example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, automatically disables basic authentication, and more. When a default value doesn't work for your environment, customize the baseline to apply the settings you need. Separate baseline types can include the same settings but use different default values for those settings. It's important to understand the defaults in the baselines you choose to use, and to then modify each baseline to fit your organizational needs. You can use one or more of the available baselines in your Intune environment at the same time. You can also use multiple instances of the same security baselines that have different customizations. When you use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that includes customized settings, you might create configuration conflicts for devices that must be investigated and resolved.

A3 - When a security baseline setting no longer applies to a device, or settings in a baseline are set to Not configured, those settings on a device don't revert to a pre-managed configuration. Instead, the previously managed settings on the device keep their last configurations as received from the baseline until some other process updates those settings on the device. Other processes that might later change settings on the device include a different or new security baseline, device configuration profile, Group Policy configurations, or manual edit of the setting on the device. If you want to apply settings on a device, regardless of who’s signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user. Use device groups when you don’t care who’s signed in on the device, or if anyone is signed in. You want your settings to always be on the device. Use user groups when you want your settings and rules to always go with the user, whatever device they use.
3.5K Views, 0 likes, 0 Comments

Re: Onboard Linux Machines on MDATP
SathishKumarPatchaiappan The local script has been optimized for usage with a limited number of devices (1-10). You can probably use the same script for more devices as well. You can use Puppet or Ansible to deploy at scale if you want.
1.2K Views, 0 likes, 0 Comments

Re: Microsoft Defender Security Center
Kotresha Microsoft Defender Security Center is the portal where you can access Microsoft Defender for Endpoint capabilities. Use the Security operations dashboard to gain insight on the various alerts on devices and users in your network. Use the Threat & Vulnerability Management dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization. Use the Threat analytics dashboard to continually assess and control risk exposure to Spectre and Meltdown. Before you can gain insight on the various alerts on devices, you need to onboard devices to the Microsoft Defender for Endpoint service. You can deploy Microsoft Defender for Endpoint using various management tools:
- Group Policy
- Microsoft Endpoint Configuration Manager
- Mobile Device Management tools
- Local script
2.3K Views, 0 likes, 0 Comments

Re: HOW MANY PLAN ON MICROSOFT ATP
Heng_Sokdarom1380 Hello, which ATP are you referring to? If you are thinking of Microsoft Defender for Office 365 (Office 365 ATP) then you can find more information here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide
Other modules in the Microsoft Defender suite:
- Azure Defender (Azure Security Center cloud workload protection platform)
- Microsoft Defender for Endpoint (Defender ATP)
- Microsoft Defender for Identity (Azure ATP)
- Microsoft 365 Defender (Microsoft Threat Protection)
922 Views, 0 likes, 0 Comments

Re: OneDrive stopped working after Windows 10 version 2004
BjrnN Have you tried to install the sync client as a per-machine installation?
Download OneDriveSetup.exe (latest production ring version right now: https://go.microsoft.com/fwlink/?linkid=823060).
Run "OneDriveSetup.exe /allusers" from a command prompt window (will result in a UAC prompt) or by using Microsoft Endpoint Configuration Manager.
This will install the sync app under the "Program Files (x86)\Microsoft OneDrive" directory. When setup completes, OneDrive will start. If accounts were added on the computer, they'll be migrated automatically.
3.1K Views, 0 likes, 1 Comment

Re: Scheduled Scan Results
Thiago_Mota Have you switched the co-management workloads for endpoint protection to Intune? Otherwise you can follow "Use Configuration Manager to review scan results" from the link I provided you earlier: https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/monitor-endpoint-protection
1.8K Views, 0 likes, 1 Comment

Re: SCCM Software Updates not installing to endpoints
christian31 Can you check the "WUServer" value under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" on the device? Correct server?
1. Go to C:\Windows\System32\GroupPolicy\Machine and delete Registry.pol.
2. Run gpupdate /force.
3. Start machine policy retrieval in the Configuration Manager client control.
78K Views, 0 likes, 1 Comment
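A read-only check for the first step of the reply above, written in PowerShell as an added example that is not part of the original post: it reads the WUServer and WUStatusServer policy values, compares them with the software update point the device should use (the -ExpectedServer parameter is a placeholder you supply), reports whether a local Registry.pol exists and when it was last written, and confirms the Configuration Manager client is present, so a stale update-server policy can be confirmed before anything is deleted.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on the client.
# Reports where Windows Update policy points and whether a local Registry.pol is present,
# without changing anything. -ExpectedServer is a placeholder for your SUP URL,
# e.g. "http://sup01.example.local:8530" (constructed value, not from the thread).
param(
    [Parameter(Mandatory = $true)]
    [string]$ExpectedServer
)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$registryPol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

# 1. Policy values: both WUServer and WUStatusServer should point at the SUP.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $policy.$name
    if (-not $value) {
        Write-Output "$name is not set (no policy applied yet, or it was removed)."
    } elseif ($value.TrimEnd('/') -ieq $ExpectedServer.TrimEnd('/')) {
        Write-Output "$name = $value (matches expected SUP)"
    } else {
        Write-Warning "$name = $value (does NOT match $ExpectedServer)"
    }
}

# 2. Local Registry.pol: the file the reply suggests deleting so the client rewrites
#    its local policy. A recent LastWriteTime shows whether something is still updating it.
if (Test-Path $registryPol) {
    $item = Get-Item $registryPol
    Write-Output ("Registry.pol present, last written {0:u}, {1} bytes" -f $item.LastWriteTime, $item.Length)
} else {
    Write-Output 'Registry.pol not present.'
}

# 3. Is the Configuration Manager client installed? Machine policy retrieval (step 3 of the
#    reply) is only meaningful if the client is there to request policy from the MP.
$ccm = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue
if ($ccm) {
    Write-Output "Configuration Manager client version $($ccm.ClientVersion) present."
} else {
    Write-Warning 'Configuration Manager client not found in root\ccm.'
}
```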