User Profile

Le_Michel

Brass Contributor

Joined Aug 28, 2019

43 Posts12 LikesLikes received1 Solution

View All Badges

User Widgets

Recent Discussions

Re: Security Baselines not seeing devices in device groups
AlexFogden Check if you have the correct licences for these devices. You can also enable the trial. https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-capabilities?view=o365-worldwide
Jul 05, 2023 Place Microsoft Security Baselines
4.4KViews
0likes
0Comments
Re: MECM co-management enrollment not working
I recommend opening a MS case to solve this. I would not make changes in the configmgr database without guidance from MS.
Mar 29, 2023 Place Microsoft Intune
23KViews
0likes
0Comments
Explanation about redirection guard
Hello, I need some explanation about redirection guard. https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers#configureredirectionguardpolicy What is the additional protection if this setting is enabled ? What kind of attacks are prevented ? Regards.
Solved
Mar 29, 2023 Place Microsoft Security Baselines
8.4KViews
0likes
1Comment
MBAM group policies to encrypt removable media
Hello, I need help to configure MBAM group policies to encrypt removable storage. It should work like this : - User type a password to unlock the drive - MBAM is used for recovey in case the user forgets the password. My issue is that when the user turns on Bitlocker, he is prompted to save password. But the user has no other location to save password since all local drives are also encrypted. MBAM recovery is enough if the user forgets the password. So there is no need for the user to save recovery information. Is there a way to disable this step ?
Mar 01, 2023 Place Windows 10
489Views
0likes
1Comment
Re: MECM co-management enrollment not working
yannick_sierro Yes, it's solved. All co-management policies were duplicated in the SCCM database. And the client received the corrupted policies. The cause is that the first time we tried to activate the cloud attach, the operation did not complete due to lack of permissions on azure. Some uncomplete policies were left in the database. We removed the cloud attach, deleted policies from the DB with help of the escalation engineer and recreated the cloud attach.
Jan 08, 2023 Place Microsoft Intune
29KViews
0likes
3Comments
Re: MECM co-management enrollment not working
Finally had a meeting with an escalation engineer that found the issue. it seems that all co-management policies are duplicated in the SCCM database. And the client receives the corrupted policies. The cause is that the first time we tried to activate the cloud attach, the operation did not complete due to lack of permissions on azure. Some uncomplete policies were left in the database. Next week, we will work with the escalation engineer again to remove the cloud attach, delete policies from the DB and recreate the cloud attach.
Nov 18, 2022 Place Microsoft Intune
26KViews
0likes
7Comments
Re: MECM co-management enrollment not working
dmuels7 Hello. No, not yet solved. MS case is still open.
Nov 02, 2022 Place Microsoft Intune
27KViews
0likes
8Comments
Re: MECM co-management enrollment not working
Sorcia25910 . Hi. No solution till now. Nothing relevant found on the MECM side and waiting for a month for a support engineer from the intune team...
Oct 12, 2022 Place Microsoft Intune
27KViews
1like
10Comments
Re: MECM co-management enrollment not working
Hello, We have opened a support case with Microsoft. I'll let you know the findings. Our intent is to rely on MECM to start the onboarding process.
Sep 20, 2022 Place Microsoft Intune
29KViews
0likes
13Comments
MECM co-management enrollment not working
Hello, We are trying to enroll devices in intune using MECM Devices are Hybrid azure AD joined. Devices are member of the pilot collection : CoManagementHandler.log shows the following records : Auto enrollment agent is initialized. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Device is not enrolled. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) AAD-Join Info: type = 1 DeviceId = 'DeviceID' TenantId = 'TenantID' JoinUserEmail = 'fooUser@company.com' TenantName = 'Name' EnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Set device to not externally managed CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Value of CoManagementFlags retrieved: 0x2001 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Checking MDM_ConfigSetting to get Intune Account ID CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Expected MDM_ConfigSetting instance is missing, can't retrieve Intune SA Account ID. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Co-Management is disabled. Expect MDM_ConfigSetting instance to be deleted. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Current workload settings is not compliant. Setting enabled = 0, workload = 8193. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Checking MDM_ConfigSetting to get Intune Account ID CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Expected MDM_ConfigSetting instance is missing, can't retrieve Intune SA Account ID. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Updating comanagement registry key to 0x2001 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) CoManagement flags registry key updated. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Nothing is changed for RS2, keep executing. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Setting co-management RS3 flags CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Nothing is changed for RS3, ENDOK. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Device is not MDM enrolled yet. All workloads are managed by SCCM. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Value of CoManagementFlags retrieved: 0x2001 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Could not check enrollment url, 0x00000001: CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Device is not provisioned CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Default CSP is Microsoft Enhanced RSA and AES Cryptographic Provider CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Default CSP Type is 24 CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) Calculating hash with 32772 algorithm using 'Microsoft Enhanced RSA and AES Cryptographic Provider' CSP. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) State ID and report detail hash are not changed. No need to resend. CoManagementHandler 12/09/2022 13:59:57 1712 (0x06B0) User 'S-1-5-21-SID' is logged on. CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C) Check if it's enrollment pending and if it's already enrolled.... CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C) UserLogon: enrollment isn't pending. CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C) Released global agent cache. CoManagementHandler 12/09/2022 14:00:03 9244 (0x241C) There is no scheduled tasks under "EnterpriseMgmt" Baselines are evaluated like this : Eventlog shows : MDM ConfigurationManager: Command failure status. Configuraton Source ID: (SourceID), Enrollment Type: (WMIBridge), CSP Name: (EnrollmentStatusTracking), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/ConfigMgr/LastError). MDM ConfigurationManager: Command failure status. Configuraton Source ID: (SourceID), Enrollment Type: (WMIBridge), CSP Name: (Policy), Command Type: (Clear: first phase of Delete), Result: (./Device/Vendor/MSFT/Policy/Config/Security/AllowAddProvisioningPackage). Can someone help ?
Solved
Sep 12, 2022 Place Microsoft Intune
Intune
mobile device management (mdm)
32KViews
0likes
15Comments
Re: Bitlocker compliance policies and MBAM
Thanks for your answer. My main concern is to avoid that intune will launch any remediation that will not save recovery key in MBAM database. it seems that intune allows to configure remediation actions for android and iOs but not for Windows.
Aug 03, 2022 Place Microsoft Intune
1.4KViews
0likes
1Comment
Bitlocker compliance policies and MBAM
Hello, For the moment, we use MBAM to manage bitlocker encryption keys. We would like to use MEM compliance policy to audit encryption of our Windows devices (audit only - no remediation). I would like to know if configuring "Require encryption of data storage on device." or "Require BitLocker" will try to remediate a non-compliant device. I want to avoid a situation where device is encrypted after remediation and Keys are not stored into MBAM database.
Aug 02, 2022 Place Microsoft Intune
Intune
1.5KViews
0likes
3Comments
Re: link to local file
HotCakeX Hello, we are experiencing a similar issue. We have a SharePoint site with links to a fileshare where we have scripts used by support teams. Microsoft' promise was if it works with edge legacy it will work with the new edge and in this case it works with edge legacy. Opening my SharePoint site in IE mode is of course not an option !
Sep 08, 2020 Place Discussions
25KViews
1like
0Comments
Re: VPN split tunneling test tool
Keith Eason In this case Wireshark is your best friend. Just check if the traffic go straight to the CMG or is encrypted and goes to the VPN tunnel.
May 13, 2020 Place Windows servicing
9.6KViews
0likes
0Comments
Re: GPO - Please Allow selective clear browsing data on close
ShirleyNg Hi Shirley. What we would like to do is be able to force the clear of "Cookies and other site data" and "Cached images and files" while preserving browsing and download history.
Mar 03, 2020 Place Discussions
7.4KViews
0likes
0Comments
Re: Edge extensions inventory
Joachim_T That's right. To goal is to make an assessment of extension installed by users and then decide what we allow or block.
Feb 09, 2020 Place Enterprise
1.8KViews
0likes
1Comment
Edge extensions inventory
Hello, Is it possible to inventory extensions (form Ms store & google store) installed by users using a tool like MECM ? Kind regards.
Feb 07, 2020 Place Enterprise
1.9KViews
0likes
4Comments
Manage edge extension based on permission level
Hello, Is it possible to block extensions based on their permissions ? I do not want to review all extensions permissions manually to allow or block the extension. Kind regards, Michel
Feb 07, 2020 Place Enterprise
654Views
1like
0Comments
Re: Updating Edge via Software Update (SCCM)
Finally found the answer in this new article : https://docs.microsoft.com/en-us/DeployEdge/deploy-edge-plan-deployment Define your update strategy and policies You also want to determine how you want to do updates after you deploy Microsoft Edge: Allow Microsoft Edge to update itself (default). If you choose to allow automatic updates of Microsoft Edge, then Microsoft Edge will automatically update itself at the pace determined by the channel(s) you deployed. Update Microsoft Edge at your own pace. If you prefer to have explicit control over when updates are deployed, you can disable automatic updates and deploy it yourself (see the https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies.) After you disable automatic updates you can deploy updates for each channel using one of the following tools: https://docs.microsoft.com/intune/apps/apps-windows-edge?toc=https://docs.microsoft.com/DeployEdge/toc.json&bc=https://docs.microsoft.com/DeployEdge/breadcrumb/toc.json https://docs.microsoft.com/DeployEdge/deploy-edge-with-configuration-manager the deployment tool of your choice. Regardless of your update strategy, we recommend leveraging a ringed deployment strategy. With automatic updates, this means having a representative sample of users running the Beta Channel, to identify issues with what will become the Stable Channel. With manual updates, this might also include additional validation of a pilot group after a new Stable Channel build is released. This is followed by broad deployment.
Jan 09, 2020 Place Enterprise
8.5KViews
0likes
0Comments
Re: Updating Edge via Software Update (SCCM)
lexcyn Hello, Can you clarify this : "Customers will be able to control the flow of updates, either by leveraging our general updating mechanisms and using policies to pause updates at a particular version while testing compatibility with a small set of pilot users, or by using the provided offline installers (MSIs and PKGs) to push updates directly to their managed devices on their own schedule." Ok, let's assusme that I deploy the enterprise MSI. By default, edge will be automatically updated. Is this correct ? I checked the policies and cannot see any setting to pause update at a particular version. Google Chrome has the GPO setting : "Target version prefix override" but I do not find equivalent setting for Edge.
Jan 09, 2020 Place Enterprise
8.6KViews
0likes
1Comment

Recent Blog Articles

No content to show