Endpoint Management
41 Topics

Applications not appearing in Company Portal
I am looking for some help on why my applications I set up in Intune are not appearing in our Company Portal.

Background Info: I work for an MSP and we have a client that we are taking on with devices enrolled in Intune. We have a remote agent that we would like to push to one of our clients as a Win32 app and make it a required install for the devices.

My Setup: I have run through the process of packaging the app as a .intunewin file, I don't believe there is any error here. I am familiar with the install/uninstall commands and have tested via a direct install on a VM to ensure they work. I have a group set up with both a test user, and the test VM which is enrolled in Intune. I assigned this group and required the install. I also made the application available to all users in the Company Portal.

The Issue: I believe all of these settings and setup are correct; however, I am not seeing any install or anything show up in the Company Portal. I verified that the device is definitely Intune-enrolled from within Endpoint Manager, and I verified I was logged in as my test user to the Company Portal app. I also checked the online version and same issue there. Within Intune, if I go to Devices > 'Test VM' > Managed Apps I can see my application listed there, with a status of "Waiting for Install Status". After letting this cook overnight, nothing changed. I synced from the VM and from Endpoint Manager with no success.

To eliminate some of the complexity, I set up another app, this time just Spotify from the Windows Store which is fairly cut and dry. Same issue - I made it available for all users, it says that status is "Available for Install" from within Endpoint Manager on my test VM, but I see no apps in the Company Portal on that device.

Has anyone experienced this before? Can you see anything I may be missing? Thanks in advance for any help you provide.

22K Views, 0 likes, 5 Comments

Securing Windows devices away from the corporate network
During the current public health situation, ensuring that devices can still be effectively managed and secured in what can be called "the new normal" is of utmost priority. As a result, I wanted to share with you the first chapter in a new web series where we will discuss what you, as an IT professional, can do immediately, in the next few weeks, and over the next few months to properly maintain the security of your organization's devices while users are working away from your corporate networks. We will look at sample timelines for accelerated approaches, including ways to optimize the impact of virtual private networks (VPNs) and minimize overall workflow disruption.

Learn more

Here are links to the resources mentioned in this session. We've also included a list of frequently asked questions below.

OSHA COVID19 guidance Configure and Deploy Security Baselines Setup/Configure Azure AD Connect Set up a Cloud Management Gateway Enable OneDrive for Business Switch to Split-Tunnel VPN Policies Enable ConfigMgr Co-Management Shift update and servicing workloads to the cloud (Windows Update for Business, Office 365 CDN) Begin OneDrive for Business Known Folder Migration Configure and Enable Azure AD Conditional Access Set up Azure App Proxy Replace Perimeter trust with Zero Trust Enhance MFA by issuing FIDO2 Keys Consider Further Advanced Cloud Security Solutions Leverage the power of Analytics: User Experience & Productivity Score Shift line of business (LOB) application workloads Configure and Deploy Security Baselines Begin piloting and shifting Policy, Compliance, and EP to the cloud Enable asset protection through Office ATP and MCAS Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager Azure Multi-Factor Authentication Conditional Access Data Leak Prevention Intune Migration Guide Zero Trust strategy—what good looks like How to implement Multi-Factor Authentication (MFA) Microsoft Cloud Security solutions provide comprehensive cross-cloud protection Blog: Brad Anderson Blog: Jared Spataro

While not mentioned specifically in this session, here are some additional resources you might find helpful:

Microsoft COVID-19 response site Enabling Remote Work Microsoft Endpoint Manager remote work blog Work remotely, stay secure 2 weeks in: what we’ve learned about remote work

Frequently asked questions

Q: How are others offloading patching traffic to Microsoft sources for full-VPN clients, like split tunneling (since Windows Update IPs aren’t clearly published)?
A: We are seeing customers move all Internet traffic away from VPN and that’s what we do internally as well. There are a couple resources on this for WSUS (see 2.1.1) and Windows Update.

Q: Are there instructions to shift Office updates from Configuration Manager to the cloud?
A: Yes. Here's guidance on how to Manage Office 365 ProPlus with Configuration Manager.

Q: Regarding disabling password expirations, do you have any formal documentation that can be provided for our security team?
A: Here are some resources that are available on the topic:
https://www.microsoft.com/security/blog/2019/07/11/preparing-your-enterprise-to-eliminate-passwords/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.microsoft.com/en-us/security/business/identity/passwordless

Q: Do you have any formal statements endorsing Split-Tunnel VPN?
A: Statement below from: https://www.microsoft.com/en-us/itshowcase/enhancing-remote-access-in-windows-10-with-an-automatic-vpn-profile
Split tunneling
Split tunneling allows only the traffic destined for the Microsoft corporate network to be routed through the VPN tunnel, and all Internet traffic goes directly through the Internet without traversing the VPN tunnel. In the VPN connection profile, split tunneling is enabled by default.

Q: How can we evaluate the potential cost of the cloud management gateway (CMG)?
A: Refer to the Configuration Manager documentation here: https://docs.microsoft.com/en-us/configmgr/core/clients/manage/cmg/plan-cloud-management-gateway#cost

Q: For split tunneling all Internet traffic out, how do you perform URL filtering for compliance?
A: We use Microsoft Threat Protection across Office ATP and Microsoft Defender ATP. Specifically, the Endpoint Detection and Response (EDR) component.

Feedback

We hope you find this first session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

14K Views, 3 likes, 0 Comments

Managing Windows 10 updates for a remote work world
During a global public health crisis in which working remotely has become the new normal, managing the Windows 10 operating system helps ensure remote users stay safe, secure, and productive. One of the most important issues is how best to configure a management approach for Windows 10 updates that will protect endpoints without adversely impacting device performance or user productivity. Here, we will focus on options for delivering feature and quality updates to remote worker endpoints, how to configure those endpoints to receive updates you designate as important, and how to maintain a desired level of control—all while minimizing infrastructure impact.

Update types

To help ensure device compliance and user productivity, Microsoft sends different types of updates including:

Quality updates. These monthly updates include bug fixes and security enhancements. Because quality updates are cumulative and don’t require a complete reinstallation, the packages are smaller, and they download and install quickly.

Feature updates. These twice-yearly updates include new features and significant enhancements to the Windows operating system. Feature updates are essentially a new version of Windows 10, and as such they require a complete reinstallation. While they are larger in size than quality updates, the only files downloaded are those necessary to complete the update, so staying current with updates has advantages.

Device driver updates. These small pieces of software are the updates made to the device drivers by original equipment manufacturer (OEM) vendors. Microsoft Update is used as a channel for distributing these updates.

Microsoft Defender definition updates. These updates include current threat information for Microsoft Defender.

To support remote worker scenarios, we recommend that remote endpoints obtain approved updates via the internet. In such cases, split-tunnel VPN can help reduce traffic.
For delivery of Windows 10 updates, there are three primary mechanisms to consider: Windows Update, Windows Update for Business, and Microsoft Endpoint Configuration Manager. Each mechanism has different benefits and limitations that you will need to assess to make the best selection for your specific scenarios. We will look at each of these mechanisms in more detail, but the basic comparison in the table below provides our starting point.

Update mechanism | IT pro control | Update delivery
Windows Update | Low | Internet
Windows Update for Business | Medium | Internet
Microsoft Endpoint Configuration Manager | High | On premises/Internet

Windows Update

Windows Update is a Microsoft service for Windows operating systems that automates the download and installation of updates over the internet. Windows Update provides update files for the Windows operating system, device drivers, and other products such as Microsoft Defender. While Windows Update is primarily used for feature and quality updates for consumer devices, given its effectiveness and global scale, many enterprise customers use Windows Update as the update mechanism for their devices. For the remote worker scenario, it’s the most cost effective. However, it provides the least management control for IT pros.

To allow end users to update the endpoint using Windows Update policy through the Computer Configuration\Policies\Administrative Templates\Windows Update pathway, select either Not Configured (default setting) or Disabled under “Do not connect to any Windows Update Internet locations.”

[Figure: configuration options for “Do not connect to any Windows Update internet locations”]

Quality updates

There are several control options in Windows Update for quality updates. Options on the Windows Update agent include checking for quality updates, pausing them, setting active hours, viewing update history, and advanced options, as shown below.
After selecting Check for updates, the status of update downloads and installation is shown on the Windows Update agent. When you select Pause updates, update installation is paused for seven days by default. It is also possible to change the timeframe for the pause by selecting Advanced options and entering the necessary information. To avoid possible disruption caused by updates, you can set active hours for devices. Windows can also determine active hours automatically based on activity.

Under Advanced options, there are additional settings related to update delivery. Along with pause timing mentioned above, advanced options include preferences for receiving updates for other Microsoft products, using metered connections such as 3G or LTE for downloading updates, and defining restart actions and notifications to complete updates.

Feature updates

Windows Update provides limited control over twice-yearly feature updates. Each endpoint should be configured to be in the Semi-Annual Channel by the end user. However, for Windows Update to be the active mechanism for updates, there should not be a policy or configuration in place for deferral branch, days, or pausing updates. If these policies are configured, devices are considered to be using Windows Update for Business, which we will discuss more in the next section. Update deferral can be configured from Advanced options by designating the number of days a feature update is deferred, as shown below.

Windows Update for Business

Windows Update for Business is the same Windows Update service described above but with one key differentiator: devices are managed and configured through centralized policies. This gives the IT pro more granular management capabilities, including deferral of feature updates for up to 365 days.
Based on direct customer feedback, Microsoft continues to invest in new capabilities and features to make Windows Update for Business an enterprise friendly solution from a granular management perspective. Windows Update for Business can be configured using several different options. Among them are Active Directory Group Policy Objects, Microsoft Intune, and Microsoft Endpoint Configuration Manager.

Group Policy Objects

IT pros can manage Windows Update for Business using Group Policy Objects in Active Directory. Windows Update for Business policy objects are found through the Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business pathway. Different policies are used to defer quality updates and feature updates. The “Select when Preview Builds and Feature Updates are received” policy defines the update channel and deferral period for preview builds and feature updates, as shown below. Similarly, the “Select when Quality Updates are received” policy is used to determine options for when quality updates will be received.

Windows Insider Program for Business

Companies can also manage joining Windows Insider Program through the “Manage preview builds” policy.

Microsoft Endpoint Configuration Manager

Configuration Manager is another option for creating and deploying Windows Update for Business policies. Under Software Library\Overview, you’ll find the Windows 10 Servicing node, where servicing plans and updates for Windows 10 can be managed. The Windows Update for Business Policies console is also located in this node. You can create new Windows Update for Business policies by using the task in the ribbon or via the Software Library tree by locating Windows Update for Business Policies and right-clicking to select “Create Windows Update for Business Policy Wizard.” In the wizard, your first step is to specify a name and description for the policy.
You can then set deferral policies for feature updates and quality updates. You can also opt to install updates for other Microsoft products and whether to include drivers with Windows Update. After you create policies for Windows Update for Business, they can be deployed to the collections within the Configuration Manager environment just like any other policy. While deploying the update, the endpoint will be configured during maintenance windows unless you select “Allow remediation outside the maintenance window” in the Deploy Windows Update for Business Policy wizard. The deployed policy is listed in the Configurations tab of the Configuration Manager client agent. The device will be evaluated and remediated according to the deployment configuration for the policy.

Microsoft Intune

Windows Update for Business also can be managed through Microsoft Intune without any on-premises infrastructure components. Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Intune integrates with Microsoft Azure Active Directory, and it can be used as a stand-alone cloud service or for co-management with Configuration Manager. You can configure updates and create Windows 10 update deployment rings through the Software updates node in the Microsoft Intune dashboard.

In Intune, creating update rings is a four-step process. In Step 1: Basics, you will name the ring and provide a description. After naming the ring, you will move to Step 2: Update ring settings, where you will configure the servicing channel, whether to include updates for other products and drivers, and, importantly, deferral settings for quality and feature updates. You can also manage the user experience by defining active hours, restart checks, the ability to pause updates, and automatic update behavior settings.
After the update ring settings are configured, you will move to Step 3: Assignments, where you assign the ring to a group of devices. In Step 4, you will review and apply the update ring settings you have created.

When users review Windows Update settings from a managed device, they will see clear indication that some settings are managed by the organization. Users can also view policies for optional and required updates. When users select View configured update policies from the Windows Update settings screen, they can review details for the update policies that are applied to the mobile device. As shown in the list above, some of the many policies administrators can define for Windows Update for Business include “Branch readiness level,” “Quality update deferral period,” and “Feature update deferral period.”

Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager provides the greatest control and flexibility over servicing Windows. Administrators can approve which updates are distributed, which set of devices they should be distributed to, and when these updates should be deployed. It is possible to extend the Microsoft Endpoint Configuration Manager environment to support remote worker scenarios using granular controls through cloud services such as Cloud Attached Management and Co-Management. Let’s dig deeper into the different options and components for Configuration Manager and cloud services management scenarios.

Cloud management gateway and cloud distribution points. The cloud management gateway (CMG) and cloud distribution points (CDPs) extend Configuration Manager capabilities for internet-based devices. To learn more, see Plan for the cloud management gateway in Configuration Manager. When managing remote machines, it is important to configure a split-tunnel VPN and Configuration Manager. For more information, see Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager.
A CMG can be managed through the Administration\Overview\Cloud Services path in the Configuration Manager dashboard. You will find the list of content files for internet-based distribution points and endpoints in Properties, under the Content tab. A CMG is listed as a regular distribution point (DP) in the Configuration Manager hierarchy. IT pros can use a CMG and CDPs to deploy apps and other content to remote endpoints just as you would to deploy content for on-premises clients using on-premises DPs. Although a CMG does not block copying of update content, deployment of updates through a CMG is not recommended. Instead, internet-based clients get their updates from Microsoft Update cloud service as documented here. A CMG and CDPs can also be used to execute task sequences in remote endpoints. Content is distributed to CDPs and task sequences are deployed to a collection of remote devices just as they are for on-premises managed clients.

Co-management

When co-management is enabled in Configuration Manager, you can manage workloads for an endpoint by configuring different authorities. Co-management is located through the Administration\Overview\Cloud Services pathway in Configuration Manager. You will designate policies and configuration settings in the Workload tab for co-management properties. For example, in the screenshot below you can see that Windows Update policies are managed by Configuration Manager, so IT needs to review, approve, and distribute the updates to the distribution points in the Endpoint Manager hierarchy. IT can shift management of these policies to Intune by using the slider.

Summary

During these extraordinary times in which many organizations have embraced digital transformation in order to position themselves with modern and cloud management, Microsoft is dedicated to helping businesses of all sizes succeed.
The global pandemic has forced many organizations to embrace new solutions and endpoint management approaches in order to keep remote workers safe, secure, and productive while maintaining compliance with company policies. Microsoft will continue to evolve endpoint management solutions to address challenges IT pros experience, simplify processes, and ensure success.

Additional resources

For more details on how Windows Update works with different types of updates, see Get started with Windows Update. For more information on split-tunnel VPN, see how to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure. You can check your network configuration using the Office 365 Network Onboarding tool to validate split tunnel configuration. To learn more about Windows Update for Business, visit What is Windows Update for Business? For more about optimizing Windows Update, see Optimize Windows monthly update deployment for remote devices. For more information on deploying Windows 10 remotely, see Deploying a new version of Windows 10 in a remote world. For more on managing quality updates and Patch Tuesday, visit Managing Patch Tuesday with Configuration Manager in a remote work world.

13K Views, 0 likes, 1 Comment

Provision Windows devices from anywhere to support a mobile workforce
In this, our second chapter of the Enabling Remote Work for IT Pros web series, we focus on practical tips to help you effectively provision Windows devices from anywhere. We walk through a variety of strategies, from simple to complex, to help you better understand how to leverage Azure AD Join with Microsoft Intune, or Configuration Manager co-management and task sequences. We then present you with a clear list of the steps you can take now, start soon, or work on in the future.

Learn more

Here are links to the resources mentioned in this session:

Automatic MDM enrollment Using Windows Hello for Business to Access On-Premises Resources Enable Kerberos Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager

While not mentioned specifically in this session, here are some additional resources you might find helpful:

Microsoft COVID-19 response site Enabling Remote Work Microsoft Endpoint Manager remote work blog Work remotely, stay secure 2 weeks in: what we’ve learned about remote work

Frequently asked questions

Q: For Hybrid Azure AD join, if we have a line of sight with the domain controller, is the Intune connector required?
A: Yes, it’s what gathers an offline domain join blob from your domain controller.

Q: Is there a way to define the complete computer name for devices provisioned via Windows Autopilot?
A: For Azure AD Join devices, yes, there is a graph API. For Hybrid Azure AD devices, no, there is only the ability to prefix something onto the name.

Q: Is there a list of supported VPN clients?
A: We don’t have a supported list because we don’t support the configuration of third-party VPN clients. Customers will need to figure out if your VPN works in this scenario. The real question to ask is ‘does your VPN support pre-logon/start before logon auth?’ or some sort of AOVPN. If so, it will work.
These are some of the VPN providers we expect to work:
Cisco AnyConnect (Win32 client): “Start before Logon”
Pulse Secure (Win32 client): “Credential Provider”
GlobalProtect (Win32 client): “Pre-logon”
Checkpoint (Win32 client): “Auto Connect/Always Connected”
Citrix NetScaler (Win32 client): “Always on”
SonicWall (Win32 client): “NetExtender on Startup”
Note: We do not document or support how you configure your VPN as it is a third-party configuration.

Q: Is there a way to get the device enrolled in Windows Autopilot remotely?
A: The only way is if it’s currently managed through Intune. You can assign a Windows Autopilot profile with the “Convert devices to Autopilot” option enabled, and the hardware hash will be automatically harvested at the next check in.

Q: Are there any alternatives to enroll multiple devices, already deployed, besides Windows Autopilot and Bulk enroll using provisioning package files (PPKG)?
A: All of the possibilities are documented here: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

Q: Is there a way to use White Glove deployment with standard applications without pre-assigning the device to a particular user?
A: If you target your applications to devices, then you don’t need to. If the apps are assigned to users, then you need to assign a user.

Q: Are we able to deploy the provisioning package files through Intune?
A: No, this is not currently supported.

Feedback

We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

13K Views, 0 likes, 0 Comments

UPN missing from Devices in Endpoint
Hello all,

At my workplace we have a mixed AD/AAD environment. We need to deploy a specific configuration profile through Endpoint, which, I've found out, is pending for all of those devices which aren't having any UPN associated. All those machines have a "primary user" configured, but for the majority of those older machines (which are also in the AD), no UPN is attached to the device. All our clients are based on Windows 21H1.

I managed to get one working by assigning one user to a machine and then logging in with this user. After that the user relative UPN was correctly assigned to the machine. On another device I wasn't able to replicate this solution, so it's not clear to me what's wrong.

What can I do to be sure to assign the UPN of the primary user to her/his device?

8.3K Views, 0 likes, 1 Comment

Cloud attach and Microsoft Endpoint Manager
Today we take an in-depth look at Cloud Attach and Microsoft Endpoint Manager, as modern management becomes increasingly crucial. After a quick overview of cloud attach, we dive into the phases of cloud attach and finally tenant attach. This session is packed with valuable information including prerequisites, licensing information, dashboards and more.

Learn more

While not mentioned specifically in this session, here are some additional resources you might find helpful:

Microsoft COVID-19 response site Enabling Remote Work Microsoft Endpoint Manager remote work blog Work remotely, stay secure 2 weeks in: what we've learned about remote work

Frequently asked questions

Q: Is co-managed the same as cloud attach?
A: Co-management is fully managed by both Configuration Manager and Microsoft Intune with explicit admin intent on which workload is managed by either Configuration Manager or Intune. Cloud attach is Configuration Manager only managed devices that show up in the cloud portal.

Q: When you enable co-management in the wizard, the Microsoft docs state that a Global Admin account is required to login. Is that really the case or can we use an Intune licensed account that has the Intune Administrator role?
A: Yes, the Global Admin account is required. There are a couple of specific Azure AD objects that are created (app registrations to be specific) that require this.

Q: What has changed or been added/improved with Microsoft Endpoint Manager since Ignite 2019?
A: Keep in mind that Intune and Configuration Manager, while becoming more integrated, are still two separate entities with different release schedules. Intune releases new functionality every month while Configuration Manager releases new functionality approximately every four months. For Intune, see What's new in Microsoft Intune and for Configuration Manager see What's new in Configuration Manager.

Q: Should I start Cloud Attach without Cloud Management Gateway first and then do it later if I need?
A: You could go this route. Attaching to the cloud allows your devices to take advantage of cloud features; CMG allows Configuration Manager to manage your devices directly over the internet.

Q: I have a CSP sandbox tenant where creating VMs in Azure is now allowed. This is a permanent testing environment. Can I still populate the CMG there or will that also be forbidden?
A: Unfortunately, CSP-based subscriptions do not support CMG. You need a separate non-CSP subscription to support CMG. This is documented in the Azure Resource Manager section of the article, "Plan for the cloud management gateway in Configuration Manager" (see the note).

Q: Should Azure AD sync be what onboards the co-management? Or the Configuration Manager client?
A: AD Connect syncs identities, so that is required to enable your devices to be hybrid Azure AD joined. Once your devices have a cloud identity (they are hybrid Azure AD joined), Configuration Manager will coordinate the enrollment to Intune, based on your co-management settings in the ConfigMgr console.

Feedback

We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

8K Views, 0 likes, 0 Comments

Cloud management gateway deep dive
Following up on last week's episode, Cloud management gateway: what you need to know & what’s next, today we're taking an in-depth look at the cloud management gateway and offering general CMG enablement guidelines as well as tips on how to reduce reliance on VPN. We'll also provide some immediate next steps you can take to design a CMG plan for your Configuration Manager environment.

Learn more

Here are links to the resources mentioned in this session:

Cloud management gateway: what you need to know & what’s next Cloud management gateway: addressing common challenges Client to cloud distribution point Configure Windows Update content to pull from Microsoft Configure boundary groups Deploy co-management Windows Servicing Deploy cloud management gateway & Cloud Distribution Point Managing remote machines with CMG CMG prerequisites Azure services Plan for the cloud management gateway in Configuration Manager Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager Prefer cloud distribution points over distribution points Configure Azure services for use with Configuration Manager Security and privacy for the cloud management gateway Internet access requirements Certificates for the cloud management gateway Token based authentication for cloud management gateway (2002)

While not mentioned specifically in this session, here are some additional resources you might find helpful:

Microsoft COVID-19 response site Enabling Remote Work Microsoft Endpoint Manager remote work blog Work remotely, stay secure 2 weeks in: what we’ve learned about remote work

Frequently asked questions

Q: What is the minimum version of Configuration Manager that is required to utilize the cloud management gateway?
A: The CMG role is supported in all currently supported versions of Configuration Manager Current Branch (CB). Currently, that is version 1810+.
If you’re on a version of Configuration Manager older than 1810, you are running an unsupported version of Configuration Manager CB.

Q: What is the connectivity requirement for the CMG and on-premises site server? We have a single primary server in South Africa and want to build CMGs in Europe and Latin America. Would that work over busy WAN links?
A: The CMG communicates with on-premises through the connector that is installed at the site level. We use a level of filtering to make sure CMG traffic for a primary site goes to the connector for that site. Those connectors make outbound connections to the CMG, so there’s no internal traffic requirement. Connectivity requirements are outbound only. For more details, check out Ports and data flow.

Q: Our VPN only supports split-tunneling via IP addresses, not fully-qualified domain name (FQDN). What is the suggestion around this given Microsoft doesn’t have IP addresses for software updates?
A: Windows Update relies on multiple CDN partners. We recommend if you have a hard requirement to leverage the CMG to store the content in your Azure subscription and then point to the Azure IP ranges. Take a look at the recent blog post from Rob York for more information.

Q: Is there a good resource to configure split tunneling with Windows Update for Business/Microsoft Update?
A: Yes - Managing Patch Tuesday with Configuration Manager in a remote work world.

Q: Does the “Windows Update content to pull from Microsoft” require Windows Update for Business and Windows update co-management workload slider to be set to Intune for co-managed clients?
A: No, it doesn’t.

Q: Can we control what content (packages/apps) we want to sync on the Cloud DP?
A: Yes, you distribute content to CMG/Cloud DP just like you would any other distribution point in your infrastructure.

Q: What will be the cost of using Cloud DP per GB of data?
A: For insight into the costs related to CMG usage, see the Cost section of Plan for the cloud management gateway in Configuration Manager.

Q: Can Microsoft provide a list of IP address ranges (not URLs) to split out?
A: For guidance around this, see Managing Patch Tuesday with Configuration Manager in a remote work world.

Q: Do we have a way to report, on a client basis, who is downloading what from the CMG and Windows Update for billing purposes?
A: It doesn’t show Windows Update, but it does show the CMG. See Monitor cloud management gateway for more details.

Q: Would Microsoft suggest altering or adjusting BITS client settings at all to control software updates across VPN?
A: If you need to reduce pressure on the VPN, then yes, that’s one way to throttle the traffic. Low Extra Delay Background Transport (LEDBAT) is another option.

Q: What if internet-based client management (IBCM) is currently being used and the CMG is set up? Does that conflict; does IBCM need to be removed?
A: No, there is no conflict. Similar to having two management points (MPs) or two distribution points (DPs), the clients will randomly choose between the two if they are both currently configured for a single site. We would recommend moving to the CMG if possible. It requires no ports to be opened from the CMG to the site server (the CMG Connection Point reached out). For IBCM, the MP needs to be able to reach into the environment.

Q: Do you need CMG Connection Points for secondary sites?
A: No, secondary sites have no part in a CMG.

Feedback

We hope you find this session useful. We'd love your feedback and ideas for future sessions so please fill out this short survey. Thank you!

6.5K Views, 0 likes, 0 Comments

GIA - Get Intune Assignments Application
Hello Everyone,

Some time ago I was struggling to get all Intune Assignments for a specific Azure AD Group. This option does not exist in the console, and we need to run a lot of queries against MS Graph and/or use PowerShell to retrieve them. So, to help the community, I started to create PowerShell scripts to help query some of the Assignments, but I still had a lot of scripts, each one to retrieve a specific type of item (like profiles, conditional access, apps, etc.).

After a while I decided to develop a C# .NET application to facilitate the process. Today I want to share with all of you my GIA App (Get Intune Assignments). It's available on my GitHub page: https://github.com/sibranda/GetIntuneAssignments

I hope this app can help you guys the same way it is helping me and my customers.

Regards

4.4K Views, 3 likes, 1 Comment

Cloud management gateway: what you need to know & what’s next
Today, as part of our Remote Work for IT pros series, I'm bringing in two amazing experts from Microsoft’s Customer Acceleration Team – Danny Guillory and Jason Sandys. Danny and Jason work with customers daily and are passionate about sharing key learnings to empower IT pros during these uncertain times. Together, they'll walk you through some simple things you can do to sidestep potential issues as you enable the cloud management gateway to manage your Configuration Manager clients on the internet, along with some highlights on what to do next. Make sure to check out the timestamps at the beginning of the video to jump to the content most valuable for your scenario.

Learn more

While not mentioned specifically in this session, here are some additional resources you might find helpful: Microsoft COVID-19 response site Enabling Remote Work Microsoft Endpoint Manager remote work blog Work remotely, stay secure 2 weeks in: what we've learned about remote work

4.1K Views, 0 likes, 0 Comments