Intune (4309 topics)

Intune Confusion
Hey guys, I'm relatively new to Microsoft Intune and have been playing with the platform with a view to potentially using it as our corporate endpoint management solution. I've been playing with it for a few days and I'm a little confused.

Within our organisation we have about 25 'hotdesks' shared by Call Centre staff working on shifts - I thought that Intune Plan 1 Device Only would be a good fit for these systems. For the remainder of our staff (circa 250), I was thinking maybe Device Only or maybe User license. I'm not sure we require a full user license for everyone as we have a small amount of corporate software (so no real requirement for a corporate software catalogue within the user portal etc.) and only really need to manage Windows updates, configuration / security policies and to push / remove software - which I 'believe' is possible with the device-only licenses.

I've started off by acquiring 4 device-only licenses (thus I have not assigned them to any users) for testing purposes. My 4 test systems were already AAD joined and so to enrol them I used a Device Enrollment Manager account and joined through 'Settings > Accounts > Access work or school > Enrol only in device management' on each test workstation. All 4 test systems enrolled without issue and are visible within the Intune Portal and are checking in.

This is where I get confused: 1 of the 4 test workstations has the IntuneManagementExtension service running in Windows. The other 3 do not. The system that does have the service running also has the IME log directory present (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs) - the others do not. Again, all 4 systems are enrolled, checking in and reporting as compliant. Also, I've pushed a test piece of software to all 4 test systems (mandatory push)... none have received it. This was 8 hours ago. I also noticed when running dsregcmd /status that the MDMurl was blank on these workstations.
I have a personal M365 tenant with Intune Plan 1 user licenses that I've used for a year or two and have had no problems or oddities with software pushes (probably not oddities but more of a lack of understanding of device licenses on my part perhaps). I checked one of my personal workstations and they do have the Intune service running and the logs directory.

Can anyone shine any light on why:

A) One system has the service running / the log directory present and the others do not?
B) Is there something fundamentally wrong with my understanding of device-only licensing perhaps? Is there something wrong with the way in which I have enrolled these systems perhaps?
C) Any idea why the software would not install on any of these 'device only' systems (nothing is being reported at all re the deployment in Intune and I deployed the software about 8 hours ago)?
D) Why would the MDMurl be blank but all systems are successfully checking in?

Any pointers appreciated as I've been tying myself in knots with this. Pretty certain this is due to a chronic lack of understanding on my part. Greatly appreciate any assistance guys.

Enrolling Microsoft Entra Registered Devices into Intune
Hello, We currently operate in a workgroup environment, and all of our devices are listed in Microsoft Entra with a Join Type status of "Microsoft Entra Registered". Could you please confirm if it's possible to enroll these devices into Microsoft Intune with the "Entra Registered" status (rather than being fully "Entra Joined")? Additionally, what limitations or missing features should we be aware of if the devices remain registered rather than joined? Lastly, is there an easy way to transition devices from "Entra Registered" to "Entra Joined" in a workgroup environment, and if so, could you outline the process? Thanks

Entra Registered vs Entra Joined
Hello All, In a workgroup environment, all devices are Entra Registered, and Intune enrollment is enabled for the group. I understand that Entra Joined devices have greater management capabilities in Intune than Entra Registered devices. Could you clarify which features or policies are not available for Entra Registered devices compared to Entra Joined by Intune? Please share any relevant Microsoft references. Thanks

ADMX drive mapping issue
We have a customer with 12 drive mappings pushed via Intune Import ADMX. We uploaded the ADMX for Windows and the ADMX for the drive mappings. In the configuration we created one policy with all the drive letters configured and pushed this to every device in the environment. All worked great, until we changed one drive letter from X to Z, if I remember correctly, and changed the path to a folder deeper in the folder tree. Then it was pushed to everyone and people got issues with the drive mappings. Only 2 or 3 drive letters were showing in File Explorer. When you want to add the drive letter via the wizard you can see all the paths to the different drive letters are there. Adding them via that way is not possible. We checked all the settings, like persistent drive mappings, EnableLinkedConnections, setting all the drives to not configured, creating a separate policy for every drive letter, removing the ADMX in Intune and uploading it again, but nothing is working. We are currently using a custom script via our monitoring system to get it working again. I have used the ADMX with many customers and never have had these issues. Also opened a Microsoft case but they couldn't get it fixed. The only way is a fresh install of the device. But 150 devices is a bit too time-consuming for us and the customer. Love to hear how I can solve this issue.

Sync cannot be started (0x801901f4)
Currently in my organization this error has started appearing on the devices. Until August they worked correctly, enrolled in Intune in hybrid mode; after August 1st they stopped reporting their status to Intune. This affected my organization because we no longer have visibility of the devices in the Intune portal, and besides being managed by Intune, they appear as non-compliant. When I try to sync, I get this error: "No se puede iniciar la sincronización (0x801901f4 error interno del servidor (500).)" (Sync cannot be started: internal server error (500)). Googling it brings up a Microsoft Store error, which makes no sense since this is Intune; the Store works fine and is in the correct region. I have tried everything: I delete the computer completely from the management consoles, enroll it again, the computer registers, and after a while it stops reporting compliance status to Intune. Something that worked perfectly until August. I have no firewall blocks and no overly restrictive policies. I would appreciate your help in solving this error.

Gpresult-like Tool For Intune
Hi, Jonas here! Or as we say in the north of Germany: "Moin Moin!"

I had to troubleshoot a lot of Intune policies lately and I used a variety of tools for that. In the end, I built my own script to get a result which looks similar to what "GPresult /h" creates for on-premises group policies. The script is inspired by the following article by Ondrej Sebela: https://doitpshway.com/get-a-better-intune-policy-report-part-2. It follows a similar approach, but without any module dependencies and with fewer output options, as my script only generates an HTML page. What started as a script is now a module which might get more functions in the future. Feel free to read any of my other articles here: https://aka.ms/JonasOhmsenBlogs

How to get the module

The PowerShell module is called "IntuneDebug" and can be installed or downloaded from the PowerShell Gallery. Install the module by running the following command:

Install-Module -Name IntuneDebug

The module repository can be found at https://aka.ms/IntuneDebug in case you want to download the module manually or want to contribute to it. The command to get the report is called "Get-MDMPolicyReport".

How to use Get-MDMPolicyReport

The function can run without administrative permissions and without any parameters on a Windows machine. But you can also start the function with administrative permissions to get more data about Intune Win32Apps and their install status. Use the parameter "-MDMDiagReportPath" to load MDM report data captured on a remote machine; more on that in the section "How to use parameter -MDMDiagReportPath". So, in summary, the function can run locally to output information specific to that device, or it can parse already captured data via the "-MDMDiagReportPath" parameter. It cannot gather data remotely, though.

The function output

As mentioned earlier, the only output of the function is an HTML file which will automatically open in Edge. The output is grouped into sections to make the report easier to read.
The page looks like this when all sections are collapsed: (screenshot)

Section: "DeviceInfo <Devicename>"

DeviceInfo shows general information about the device and the Intune sync status.

Section: "PolicyScope: Device"

This section shows all the settings applied to the device, grouped by area/product. Note: If you're coming from ConfigMgr you might expect a policy ID in the report. While an Intune policy has an ID, the ID is not stored on the device. That's by design, and that's the reason why we just see the settings that apply to a device in this report. The following example shows some basic Defender and Delivery Optimization settings grouped together. You can also see the system's default value, if there is one, and the winning settings provider. This should typically be the MDM provider, i.e. Intune, but it could also be a different provider for some settings depending on the setup.

Section: "PolicyScope: <SID> <UPN>"

This section shows all the policies applied to a user. The user's SID and UPN (UPN only when run locally) are visible in the policy-scope header. If there are multiple users working on a machine, each user will have their own section in the report.

Section: "PolicyScope: EnterpriseDesktopAppManagement"

This section shows all MSI installation policies from Intune. NOTE: Win32 and store apps are visible in the "Win32Apps" section. The application name is not available; instead I show the MSI filename to give an indication of what type of app it is.

Section: "PolicyScope: Resources"

Under Resources we will see policies which typically contain some sort of payload, like a certificate or a Defender firewall rule. I tried to make each section as readable as possible, so the output varies by type. Certificates, for example, are shown in a different format than Defender firewall rules. NOTE: If the function runs without the parameter "-MDMDiagReportPath" it will try to enrich the policy info with as much data as possible.
This is not possible when working with captured MDM reports from a remote machine. The output might be limited in that case.

Section: "PolicyScope: Local Admin Password Solution (LAPS)"

This section shows all the settings applied to the device coming from a LAPS policy as well as some local settings.

Section: "PolicyScope: Win32Apps"

This section shows all available Win32App policies. Those apps can be installed already or just assigned as available. If you need more information about the installation status, you need to run the function with administrative permission. This only works locally and cannot be used with the parameter "-MDMDiagReportPath", since the extra data comes from the local registry. If a script is used for the detection or requirement rule, the script will be parsed and shown as it is. Use the copy button to copy the script and test it locally if needed. When the function is run as administrator locally, it will try to get more information about the actual installation status of an application.

Section: "PolicyScope: Intune Scripts"

Intune Scripts will show script policies and their current state. The example below shows a remediation script with the detection output string "Found". It does not have a remediation action and therefore no data for the related properties. Unfortunately, the script name is not part of the policy and cannot be shown here. But you can use Graph Explorer (https://aka.ms/ge) with the following endpoint to get the script name by entering the script ID of your script:

https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/<ScriptID>?$select=id,displayName

Where the data comes from

The function will use the following command to generate an MDM report:

MdmDiagnosticsTool.exe -out "C:\Users\PUBLIC\Documents\MDMDiagnostics\<DateTime>"

NOTE: The tool MdmDiagnosticsTool.exe is part of the Windows operating system.
More about it can be found HERE. The tool will export the data to C:\Users\PUBLIC\Documents\MDMDiagnostics, into a folder named in the following format: "yyyy-MM-dd_HH-mm-ss". The function will then parse the following two files to extract the required data without administrative privileges:

MDMDiagReport.html
MDMDiagReport.xml

Some data is read directly from the registry to enrich the output, and in some cases administrator permissions are required. The Win32Apps and Intune script policy data comes from the Intune Management Extension log files:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AppWorkload*.log
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\HealthScripts*.log

NOTE: The folders under "C:\Users\PUBLIC\Documents\MDMDiagnostics" will be deleted when their creation time is older than one day. This can be changed with the parameter "-CleanUpDays" set to a value higher than one day.

How to use parameter "-MDMDiagReportPath"

Simply generate MDM report data, either with MdmDiagnosticsTool.exe, via the Settings app or via Intune. Then copy the files to a system with the IntuneDebug module on it and unpack the report data. You can now run the function with the parameter "-MDMDiagReportPath" and point it to the unpacked report data. NOTE: The report header will contain the following when the parameter was used: "Generated from captured MDM Diagnostics Report"

MdmDiagnosticsTool.exe example:

mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip C:\temp\MDMDiagnosticsData.zip

Settings app example: (screenshot)

Intune example: (screenshot)

I hope you find this tool helpful. In case of any issues or suggestions, head over to GitHub via https://aka.ms/IntuneDebug and create an issue or pull request. Stay safe!

Jonas Ohmsen

Code disclaimer

This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind.
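As an added example for the IME log files mentioned above (not code from the IntuneDebug module), the following PowerShell turns CMTrace-formatted AppWorkload entries into objects that can be filtered by component, severity and Win32App message. The three log entries and the app GUID are constructed placeholders, not captured from a real device.

```powershell
# Added example (not part of the IntuneDebug module): turn the CMTrace-style
# entries the Intune Management Extension writes to
# C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AppWorkload*.log
# into objects, so Win32App detection/install events can be filtered and sorted.
function ConvertFrom-CMTraceLog {
    param(
        [Parameter(Mandatory)][string]$Content,  # raw text of one log file
        [string]$Component                        # optional: keep only this component
    )
    # One entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="n" ...>
    # Messages can span several lines, so match the whole file text with Singleline.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?\btype="(?<type>\d)"'
    $opts = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($Content, $pattern, $opts)) {
        if ($Component -and $m.Groups['comp'].Value -ne $Component) { continue }
        # time is 10:02:11.1234567 or 10:02:11.1234567+60 (UTC offset); drop offset and fraction
        $clock = ($m.Groups['time'].Value -replace '[+-]\d+$', '') -replace '\.\d+$', ''
        $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $clock",
                                        'MM-dd-yyyy HH:mm:ss',
                                        [cultureinfo]::InvariantCulture)
        # CMTrace severity: 1 = informational, 2 = warning, 3 = error
        $severity = switch ($m.Groups['type'].Value) {
            '2'     { 'Warning' }
            '3'     { 'Error' }
            default { 'Info' }
        }
        [pscustomobject]@{
            Timestamp = $stamp
            Component = $m.Groups['comp'].Value
            Severity  = $severity
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries in the IME log format (not captured from a real device;
# the app GUID is a placeholder).
$sample = @'
<![LOG[[Win32App] Starting detection for app 00000000-0000-0000-0000-000000000001]LOG]!><time="10:02:11.1234567" date="10-18-2024" component="AppWorkload" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Detection result for app 00000000-0000-0000-0000-000000000001: NotDetected]LOG]!><time="10:02:12.0000000+60" date="10-18-2024" component="AppWorkload" context="" type="2" thread="12" file="">
<![LOG[Check-in with the Intune service completed]LOG]!><time="10:02:13.0000000" date="10-18-2024" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
'@

# Keep only Win32App events from the AppWorkload component, oldest first.
# Note: -match is used rather than -like because square brackets are wildcards for -like.
ConvertFrom-CMTraceLog -Content $sample -Component 'AppWorkload' |
    Where-Object { $_.Message -match '^\[Win32App\]' } |
    Sort-Object Timestamp |
    Format-Table Timestamp, Severity, Message -AutoSize

# For a real log file: ConvertFrom-CMTraceLog -Content (Get-Content $path -Raw) -Component 'AppWorkload'
```

Rolled IME logs (AppWorkload-*.log) can be concatenated with Get-Content -Raw on each file before parsing, since every entry carries its own date and time.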
Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of this sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of this script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this sample script or documentation, even if Microsoft has been advised of the possibility of such damages.

How to deploy M365 Companion app through Intune
Hi All, I have a requirement to deploy the M365 Companion app to a few users in the company. However, when I tried with Win32 apps in Intune, it fails every time even though the script succeeds when run manually. Does anyone know how to deploy the M365 Companion app from Intune? I have downloaded the app from the link below and used the command below:

https://learn.microsoft.com/en-us/microsoft-365-apps/companions/overview#set-up-the-companion-apps

Echo OFF
m365companionsetup.exe /quiet

Thanks in advance,
Dilan

Brave Browser Intune Deploy
Good Morning/Afternoon/Evening, I am having issues deploying the Brave Internet Browser. I have tried following various guides but always end up with installation failures. Verified and double-checked all settings, but still the issue persists. The main error I get is either "Error unzipping downloaded content. (0x87D30067)" or "The unmonitored process is in progress, however it may timeout. (0x87D300C9)". It seems that the process starts but stops awaiting some kind of approval which does not show. Tried using the recommended silent command but nothing seems to work. Anyone managed to make it work recently? Thanks!

Cannot log in to Intune with Ubuntu 22.04
I installed MS Intune on Ubuntu 22.04 but every login attempt fails with error [1001] and the logs are showing the following error:

říj 18 10:02:11 XXX microsoft-identity-broker[711136]: E/isServiceActivated: [2024-10-18 08:02:11 - thread_id: 44, correlation_id: 0275d5cb-f412-43f2-a04e-c6dc272fb4dd - ] Failed to activate service 'com.microsoft.identity.devicebroker1': timed out (service_start_timeout=25000ms)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: org.freedesktop.dbus.exceptions.DBusExecutionException: Failed to activate service 'com.microsoft.identity.devicebroker1': timed out (service_start_timeout=25000ms)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
...
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at com.microsoft.identity.broker.crypto.ProxyKeyManager.generateKeyPair(ProxyKeyManager.java:88)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at com.microsoft.identity.broker4j.broker.crypto.keymanagers.OneStkPerDeviceStkManager.generateSessionTransportKey(OneStkPerDeviceStkManager.java:72)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at com.microsoft.identity.broker4j.broker.prt.prtv3.PrtV3StrategyFactory.createInteractivePrtAcquisitionStrategy(PrtV3StrategyFactory.java:81)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at com.microsoft.identity.broker4j.broker.prt.prtv3.PrtV3StrategyFactory.createInteractivePrtAcquisitionStrategy(PrtV3StrategyFactory.java:55)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at com.microsoft.identity.broker4j.broker.prt.PrtController.acquirePrt(PrtController.java:191)
...
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: at java.base/java.lang.Thread.run(Thread.java:829)
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: W/Telemetry: [2024-10-18 08:02:11 - thread_id: 44, correlation_id: 0275d5cb-f412-43f2-a04e-c6dc272fb4dd - ] No telemetry observer set.
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: I/LocalBroadcaster:unregisterCallback: [2024-10-18 08:02:11 - thread_id: 44, correlation_id: 0275d5cb-f412-43f2-a04e-c6dc272fb4dd - ] Removing alias: return_authorization_request_result
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: I/CommandDispatcher:beginInteractive: [2024-10-18 08:02:11 - thread_id: 44, correlation_id: 0275d5cb-f412-43f2-a04e-c6dc272fb4dd - ] Completed interactive request for correlation id : **0275d5cb-f412-43f2-a04e-c6dc272fb4dd, with the status : ERROR
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: E/AuthSdkOperation:acquireToken: [2024-10-18 08:02:11 - thread_id: 35, correlation_id: 0275d5cb-f412-43f2-a04e-c6dc272fb4dd - ] Acquire token failed.
říj 18 10:02:11 XXX microsoft-identity-broker[711136]: java.util.concurrent.ExecutionException: com.microsoft.identity.common.java.exception.ClientException: An unhandled exception occurred with message: null

Does anyone know how to fix this issue, please?