MDM
27 Topics

Now Available: Update 1802 for System Center Configuration Manager
First published on CLOUDBLOGS on Mar 22, 2018. We are delighted to announce that we have released version 1802 for the Current Branch (CB) of System Center Configuration Manager, which includes new features and product enhancements! In this release we continue to build on the co-management capabilities we introduced in 1710.

Microsoft365 device management not showing all company devices
Hi all, our company has 3 locations spread over the world and we have been using Office365 / Azure / SP and CRM for years now. When I navigate to https://devicemanagement.portal.azure.com/ known as the Microsoft365 Device Management I can see only 4 devices. Going to Azure AD Admin Center > All Devices I can see all 32 devices within the company but I am not able to manage them remotely because they have no MDM assigned. What do I need to do to enroll all company devices? Many thanks 🙂 Kind Regards Christian

Deploying Lock Screen as a slideshow in Azure AD + Intune fully cloud-based architecture
We are trying to deploy a lock-screen slideshow to display messages to all user devices. We were able to do this with group policy previously. However, we have recently ditched all on-premises servers and moved to a fully cloud-based architecture with Azure AD and Intune to manage our corporate devices. Intune does not allow this setting, is there a workaround that we can use?

Configure mobile Chrome app with protection policy
Hi, I'm currently trying to implement app protection policies for iOS with the Google Chrome browser as managed app but I can't get it to receive company owned data. I configured an app protection policy with certain MS apps and tried to implement Chrome as customized app (with string: com.google.chrome.ios) and also configured a configuration policy for Chrome with the IntuneMAMUPN string, but still I can't send data from a company managed app like Outlook to Chrome? Does anyone know this issue? Is it even possible to set Chrome on mobile devices as company managed app? Thanks and Regards.

Installing Intune for MFA with Airwatch MDM
Hello community, Question: I have a client that is using AirWatch for MDM. (Trying to move to Intune - Long story). Anyway, they want Azure MFA because of the integration with PCs and no requirement for ADFS once we go with SSO and PTA. We have some rather strict policies we are going to enforce when users are going to get an MFA prompt, i.e. never on approved devices. So for the mobile work force I do not see a way to make a device approved unless it is enrolled with Intune. So I pose the question: can we enroll a mobile device with Intune or Azure AD while AirWatch is providing MDM (iOS and Android)? If I am missing something obvious here please let me know.

Two MDM Solutions with One Office 365 Tenant
We have a requirement to use two different MDM solutions with one Office 365 tenant because of user experience issues. Can we use two MDM solutions, e.g. MobileIron and Intune, with one tenant? If yes, what are the gotchas we should be aware of? Any pointers will be appreciated. Thanks!

Gpresult Like Tool For Intune
Hi, Jonas here! Or as we say in the north of Germany: "Moin Moin!"

I had to troubleshoot a lot of Intune policies lately and I used a variety of tools for that. In the end, I built my own script to produce a result that looks similar to what "GPresult /h" creates for on-premises group policies. The script is inspired by the following article by Ondrej Sebela: https://doitpshway.com/get-a-better-intune-policy-report-part-2. It follows a similar approach, but without any module dependencies and with fewer output options, as my script only generates an HTML page. What started as a script is now a module which might get more functions in the future. Feel free to read any of my other articles here: https://aka.ms/JonasOhmsenBlogs

How to get the module

The PowerShell module is called "IntuneDebug" and can be installed or downloaded from the PowerShell Gallery. Install the module by running the following command:

Install-Module -Name IntuneDebug

The module repository can be found at https://aka.ms/IntuneDebug in case you want to download the module manually or want to contribute to it. The command to get the report is called "Get-MDMPolicyReport".

How to use Get-MDMPolicyReport

The function can run without administrative permissions and without any parameters on a Windows machine. You can also start the function with administrative permissions to get more data about Intune Win32Apps and their install status. Use the parameter "-MDMDiagReportPath" to load MDM report data captured on a remote machine; more on that in the section "How to use parameter -MDMDiagReportPath". So, in summary, the function can run locally to output information specific to that device, or it can parse already captured data via the "-MDMDiagReportPath" parameter. It cannot gather data remotely, though.

The function output

As mentioned earlier, the only output of the function is an HTML file which will automatically open in Edge. The output is grouped into sections to make the report easier to read.
The page looks like this when all sections are collapsed:

Section: "DeviceInfo <Devicename>"
DeviceInfo shows general information about the device and the Intune sync status:

Section: "PolicyScope: Device"
This section shows all the settings applied to the device, grouped by area/product. Note: if you're coming from ConfigMgr you might expect a policy ID in the report. While an Intune policy has an ID, the ID is not stored on the device. That's by design, and it is the reason why we only see the settings that apply to a device in this report. The following example shows some basic Defender and Delivery Optimization settings grouped together. You can also see the system's default value, if there is one, and the winning settings provider. This should typically be the MDM provider, i.e. Intune, but it could also be a different provider for some settings, depending on the setup.

Section: "PolicyScope: <SID> <UPN>"
This section shows all the policies applied to a user. The user's SID and UPN (UPN only when run locally) are visible in the policy-scope header. If there are multiple users working on a machine, each user will have their own section in the report.

Section: "PolicyScope: EnterpriseDesktopAppManagement"
This section shows all MSI installation policies from Intune. NOTE: Win32 and store apps are visible in the "Win32Apps" section. The application name is not available; instead I show the MSI filename to give an indication of what type of app it is.

Section: "PolicyScope: Resources"
Under Resources we see policies which typically contain some sort of payload, like a certificate or a Defender firewall rule. I tried to make each section as readable as possible, so the output varies by type. Certificates, for example, are shown in a different format than Defender firewall rules. NOTE: If the function runs without the parameter "-MDMDiagReportPath", it will try to enrich the policy info with as much data as possible.
This is not possible when working with captured MDM reports from a remote machine; the output might be limited in that case.

Section: "PolicyScope: Local Admin Password Solution (LAPS)"
This section shows all the settings applied to the device coming from a LAPS policy, as well as some local settings.

Section: "PolicyScope: Win32Apps"
This section shows all available Win32App policies. Those apps can be installed already or just assigned as available. If you need more information about the installation status, you need to run the function with administrative permissions. This only works locally and cannot be used with the parameter "-MDMDiagReportPath", since the extra data comes from the local registry. If a script is used for the detection or requirement, the script will be parsed and shown as it is. Use the copy button to copy the script and test it locally if needed. When the function is run as administrator locally, it will try to get more information about the actual installation status of an application:

Section: "PolicyScope: Intune Scripts"
Intune Scripts shows script policies and their current state. The example below shows a remediation script with the detection output string "Found". It does not have a remediation action and therefore no data for the related properties. Unfortunately, the script name is not part of the policy and cannot be shown here. But you can use Graph Explorer (https://aka.ms/ge) with the following endpoint to get the script name by entering the script ID of your script:

"https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts/<ScriptID>?$select=id,displayName"

Where the data comes from

The function uses the following command to generate an MDM report:

MdmDiagnosticsTool.exe -out "C:\Users\PUBLIC\Documents\MDMDiagnostics\<DateTime>"

NOTE: The tool MdmDiagnosticsTool.exe is part of the Windows operating system.
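The capture-and-parse workflow this post describes, put together as one script (an added example, not code from the IntuneDebug module or its author): capture an MDM diagnostics zip on the device under investigation with MdmDiagnosticsTool.exe, then unpack it on an analyst workstation and hand the folder to Get-MDMPolicyReport -MDMDiagReportPath. The file paths are placeholders, and it is my assumption that -MDMDiagReportPath takes the folder that contains MDMDiagReport.html and MDMDiagReport.xml.

```powershell
# Added example, not part of the IntuneDebug module. Paths are placeholders.
# Step 1 runs on the device being investigated; steps 2 and 3 run on the
# analyst workstation that has the IntuneDebug module installed.

# --- Step 1: capture on the device under investigation ---------------------
# MdmDiagnosticsTool.exe ships with Windows. The -area list is the one from the
# post; -zip writes everything into a single archive that is easy to copy off.
$zip = 'C:\temp\MDMDiagnosticsData.zip'
MdmDiagnosticsTool.exe -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -zip $zip
if (-not (Test-Path $zip)) { throw "Capture failed, $zip was not created" }

# --- Step 2: install the module once on the analyst workstation ------------
if (-not (Get-Module -ListAvailable -Name IntuneDebug)) {
    Install-Module -Name IntuneDebug -Scope CurrentUser
}

# --- Step 3: unpack the copied archive and build the report ----------------
$unpack = 'C:\temp\MDMDiagnosticsData'
Expand-Archive -Path $zip -DestinationPath $unpack -Force

# Get-MDMPolicyReport parses MDMDiagReport.html and MDMDiagReport.xml, so find
# the folder that holds both (the archive layout may nest them) before pointing
# -MDMDiagReportPath at it. Assumption: the parameter takes that folder.
$xml = Get-ChildItem -Path $unpack -Filter 'MDMDiagReport.xml' -Recurse |
       Select-Object -First 1
if (-not $xml) { throw "MDMDiagReport.xml not found under $unpack" }
$html = Join-Path $xml.DirectoryName 'MDMDiagReport.html'
if (-not (Test-Path $html)) { throw "MDMDiagReport.html missing next to $($xml.FullName)" }

Get-MDMPolicyReport -MDMDiagReportPath $xml.DirectoryName
# The generated HTML opens in Edge with the header
# "Generated from captured MDM Diagnostics Report". Registry and IME log
# enrichment is not available in this mode, so Win32App install status and
# Intune script details will be limited compared to a local run.

# For comparison, the local mode on the device itself (run elevated to get the
# Win32App install status) and keeping the capture folders for 7 days instead
# of the default 1 day:
# Get-MDMPolicyReport -CleanUpDays 7
```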
More about it can be found HERE. The tool exports the data to C:\Users\PUBLIC\Documents\MDMDiagnostics, into a folder named in the following format: "yyyy-MM-dd_HH-mm-ss". The function then parses the following two files to extract the required data without administrative privileges:

MDMDiagReport.html
MDMDiagReport.xml

Some data is read directly from the registry to enrich the output, and in some cases administrator permissions are required. The Win32Apps and Intune script policy data comes from the Intune Management Extension log files:

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AppWorkload*.log
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\HealthScripts*.log

NOTE: The folders under "C:\Users\PUBLIC\Documents\MDMDiagnostics" are deleted when their creation time is older than one day. This can be changed with the parameter "-CleanUpDays" set to a value higher than one day.

How to use parameter "-MDMDiagReportPath"

Simply generate MDM report data, either with MdmDiagnosticsTool.exe, via the Settings app, or via Intune. Then copy the files to a system with the IntuneDebug module on it and unpack the report data. You can now run the function with the parameter "-MDMDiagReportPath" and point it to the unpacked report data. NOTE: The report header will contain the following when the parameter was used: "Generated from captured MDM Diagnostics Report"

MdmDiagnosticsTool.exe example:

mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip C:\temp\MDMDiagnosticsData.zip

Settings app example:

Intune example:

I hope you find this tool helpful. In case of any issues or suggestions, head over to GitHub via https://aka.ms/IntuneDebug and create an issue or pull request. Stay safe! Jonas Ohmsen

Code disclaimer

This sample script is not supported under any Microsoft standard support program or service. This sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of this sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of this script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use this sample script or documentation, even if Microsoft has been advised of the possibility of such damages.

Windows office hours: June 17, 2021
Post your questions for our next office hours session, which will take place here in the Windows servicing community on Thursday, June 17th from 9:00-10:00 a.m. Pacific Time. Join us to get answers to any questions you may have around managing updates for the remote and onsite devices in your organization, help with specific issues, and tips on how to increase update velocity. We'll have members of the Windows and Microsoft Endpoint Manager product and engineering teams on hand, as well as the FastTrack team. Save the date and see the Windows IT Pro Blog for full details. Let's get started!

Windows 10 BitLocker Management Options
Introduction

Starting in version 1910, you can use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). Configuration Manager doesn't enable this optional feature by default; you must enable it before using it.

Configuration Manager provides the following management capabilities for BitLocker Drive Encryption:
• Deploy the BitLocker client to managed Windows devices running Windows 10 or Windows 8.1
• Manage BitLocker policies and escrow recovery keys for on-premises and Internet-based clients (Internet-based clients require version 2010)
• Compliance reports
• Administration and Monitoring website: allows other roles in your organization (for example the Help Desk) outside of the Configuration Manager console to help with key recovery, including key rotation and other BitLocker-related support
• User self-service portal: lets users help themselves with a single-use key for unlocking a BitLocker-encrypted device. Once this key is used, a new key is generated for the device

Basic requirements

The general requirements for Configuration Manager to manage BitLocker are:
• Reporting Services Point (for reports)
• HTTPS on the Management Point (for key recovery)
• The self-service portal and the administration and monitoring website require an IIS server; this can be a site system or a dedicated server
• BitLocker management isn't supported on virtual machines (VMs) or on server editions
• Azure Active Directory (Azure AD)-joined devices, workgroup clients, or clients in untrusted domains aren't supported. BitLocker management in Configuration Manager only supports devices that are joined to on-premises Active Directory. Hybrid Azure AD-joined devices are also supported.
Best practice: Encryption

Encrypt recovery data on the network:
• Required for recovery key escrow
• Uses HTTPS to the Management Point
• Different procedures to enable this capability depending on the CM build

Encrypt recovery data in the database:
• Requires a SQL Server certificate (the certificate must then be managed)
• Option to encrypt only recovery data (recommended) vs. the entire site database (may reduce performance by 25%)

Recovery keys are never deleted; this allows recovery of data from a device that was stolen and later retrieved. Each encrypted volume adds up to 9 KB to the site database.

Best practice: Deployment

BitLocker management in Configuration Manager includes the following components:
• BitLocker management agent: enabled when you create a policy and deploy it to a collection
• Recovery service: the server component that receives BitLocker recovery data from clients

Before deploying BitLocker management policies, enable network encryption (required) and data encryption (recommended). Also, make sure that the partitions on the clients are ready to support BitLocker (see slide "Best practice: General Deployment").

To create a BitLocker management policy:
• The Full Administrator role in Configuration Manager is needed
• Operating System Drive, Fixed Drive, Removable Drive, and Client Management options are available
• When you create more than one policy, you can configure their relative priority. If you deploy multiple policies to a client, it uses the priority value to determine its settings.
• Starting in version 2006, you can also use Windows PowerShell cmdlets for this task.
Monitoring BitLocker deployment

Basic compliance statistics about the policy deployment are shown in the details pane of the BitLocker Management node:
• Compliance count
• Failure count
• Non-compliance count

To understand why clients are reporting as not compliant with the BitLocker management policy, non-compliance codes are used. Dedicated client logs can also be retrieved for additional troubleshooting.

Group Policy: It is recommended not to use any BitLocker Group Policy settings along with Configuration Manager, as the GPOs will override the CM settings and result in unpredictable behavior.

Re-encryption: If a drive is already encrypted with BitLocker, the CM agent will not re-encrypt the drive, but will evaluate the CM policy against the current settings. If these don't match (for example because of different encryption algorithms), CM will report the device as non-compliant (but the device is still protected). To work around this issue, it is necessary to decrypt the volumes first, then re-encrypt them.

TPM password hash: Windows 10 does not save the TPM password; this applied to previous versions of Windows.

Co-management: The Configuration Manager client handler for BitLocker is co-management aware. If the device is co-managed and you switch the Endpoint Protection workload to Intune, the Configuration Manager client ignores its BitLocker policy and the device gets its Windows encryption policy from Intune. Switching encryption management authorities while maintaining the desired encryption algorithm doesn't require any additional actions on the client. However, if you switch encryption management authorities and the desired encryption algorithm also changes, you will need to plan for re-encryption.
Best practice: BitLocker portals

The BitLocker CM portals must be installed separately:
• User self-service portal
• Administration and monitoring portal (for help desk and admins)

Starting in version 2006, you can install the BitLocker self-service portal and the administration and monitoring website at the central administration site. In version 2002 and earlier, only install the self-service portal and the administration and monitoring website with a primary site database. In a hierarchy, install these websites for each primary site.

HTTPS for these portals is not mandatory, but highly recommended.

You can install the portals on an existing site server or site system server with IIS installed, or use a standalone web server to host them. Their usage is typically low, so the additional load they generate is negligible and there is typically no need for a dedicated web server, unless this is to honor network segmentation policies.

Portal customizations: The self-service portal can be customized with a custom notice, your organization name, and other organization-specific information.

Roadmap: On-prem management
• BitLocker Management + CAS/Hierarchy support (2006 release)
• BitLocker Management support over CMG (2010 release)
• Listing on-prem stored BitLocker recovery keys for ConfigMgr tenant attach in the Microsoft Endpoint Management cloud console (CY 2021)