SCCM
Installations via Intune failing but work from SCCM
We have pretty much completed our migration from using SCCM to Intune (IT). However, we are encountering a few apps which hang at certain points during the installation. These have worked 100% flawlessly through SCCM and indeed, if we revive the SCCM deployment, we can install via that route. I strongly suspect that IT is handling output (STDOUT?) differently than SCCM does, wherein the installer is trying to display a screen but cannot and so just hangs indefinitely. Aside from the above return-to-using-SCCM work-around, we have occasionally resorted to repackaging the offending installer, but this obviously introduces a delay in getting apps deployed to our user-base. Is there some flag we can set when adding apps to IT that we're somehow not seeing, or some other configuration we can set - maybe at the client level - to bypass this behaviour? If you feel like experimenting, grab the Innorix Agent installer, which is one that's causing us grief presently.

Windows Defender AntiVirus with Intune
Hello,

Windows Defender antivirus is enabled with an Intune (co-managed deployment) Antivirus policy. Our organization normally had Symantec and did not use Defender. However, the below is showing in Virus and Threat Protection. Basic settings are used in the policy:

- Allow Archive Scanning: Allowed. Scans the archive files.
- Allow Behavior Monitoring: Allowed. Turns on real-time behavior monitoring.
- Allow Cloud Protection: Allowed. Turns on Cloud Protection.
- Allow Email Scanning: Not allowed. Turns off email scanning.
- Allow Full Scan On Mapped Network Drives: Not allowed. Disables scanning on mapped network drives.
- Allow Full Scan Removable Drive Scanning: Allowed. Scans removable drives.
- Allow scanning of all downloaded files and attachments: Allowed.
- Allow Realtime Monitoring: Allowed. Turns on and runs the real-time monitoring service.
- Allow Scanning Network Files: Not allowed. Turns off scanning of network files.
- Allow Script Scanning: Allowed.
- Allow User UI Access: Allowed. Lets users access UI.
- Avg CPU Load Factor: 50
- Check For Signatures Before Running Scan: Enabled
- Cloud Block Level: High
- Cloud Extended Timeout: 50
- Days To Retain Cleaned Malware: 0
- Disable Catchup Full Scan: Disabled
- Disable Catchup Quick Scan: Disabled
- Enable Low CPU Priority: Disabled
- Enable Network Protection: Enabled (block mode)
- PUA Protection: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
- Real Time Scan Direction: Monitor all files (bi-directional).
- Scan Parameter: Quick scan
- Schedule Quick Scan Time: 720
- Schedule Scan Day: Monday
- Signature Update Interval: 4
- Submit Samples Consent: Send safe samples automatically.

HAADJ with Intune Co-Management
Hello,

- I have a HAADJ tenant with Intune Co-Management.
- AD Connect syncs devices only and not users to Entra (as users are third-party provisioned and federated).
- Devices appear in Azure, then are added to a group for Intune policy enrollment. Enrollment is done via GPO.
- They get enrolled in Intune using co-management with SCCM, auto MDM enrollment with device credentials, and appear in Intune as co-managed.
- BitLocker is applied via Intune on the devices to encrypt fixed data drives and operating system drives. A GPO is applied to avoid backing up the recovery key in AD, as explained here: https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

Question(s):

1. For testing, we encrypt and remove Symantec drive encryption. A restart is done during removal, then the recovery key screen appears and the key is requested to access the device. On the second restart after uninstall, the key is not requested.
2. After testing, the recovery key is stored in Intune but not stored in the below location: https://myaccount.microsoft.com/ -> Devices -> Manage Devices -> Select devices -> View BitLocker Keys (it appears only in the test environment where enrollment is done via user credentials as opposed to device credentials).
3. Devices in Azure under the following URL (Devices - Microsoft Entra admin center) show an owner when the device is first moved with AD sync; however, later on the owner is removed and the behavior is very random. However, in Intune, devices show a primary user logged in as long as someone is logged in to Office, which is fine and acceptable. So what could be the reason for the issue in Azure/Entra?

Windows Servers AAD Hybrid Joined and SCCM ConfigMgr Co-Management MDM Auto-Enrollment
I have doubts about some configurations. Basically, we have:

- SCCM installation with co-management performed via the cloud-attach wizard
- Intune pilot group device collection configured
- default client setting policy allows device registration in Azure AD
- Azure AD Connect configured for hybrid join
- MDM user scope configured to All in Azure AD
- MAM user scope configured to None
- users can register devices in Azure AD (Users may join devices to Azure AD)
- Business Premium licenses
- usage location configured in the Azure AD synced user
- no conditional access or MFA configured

The situation is that both client and server are synchronized in Azure AD and are seen as join type "hybrid azure ad joined". In Azure AD the clients have as MDM "microsoft configuration manager", and the same clients then on Intune in the "managed by" column show "co-managed". Servers, on the other hand (Windows 2016), are not automatically enrolled in Intune and I don't understand why; they are hybrid Azure AD joined in Azure AD as devices. Another unclear thing: do I have to create the GPO for automatic enrollment in Active Directory (enable automatic MDM enrollment using default Azure AD credentials)? At the moment it is created and linked to the OU containing servers and set as "device credential" (I read in the documentation that with SCCM or Azure Virtual Desktop it is supported); even if I set it to "user credential" it doesn't work anyway. With the GPO applied the scheduled task is created, but in the events I get the following error:

Auto MDM Enroll: Device Credential (0x1), Failed (Unknown Win32 Error code: 0x8018001c)

By doing a dsregcmd /status on the machine everything seems OK. I don't understand what the best practices are regarding this GPO, and where I am going wrong.

Endpoint Security shows clients as unhealthy and device name not shown after Update 2303
Hi together,

Endpoint Security shows almost all clients as unhealthy and the device name is not shown after the update to Config Manager version 2303. Any ideas? On SCCM and Security Center everything is working fine and displayed as normal.

Thanks for the support and a happy weekend to all.

Peter

Multiple autopilot profiles in TS for existing devices
Hi everyone 🙂 I hope you are all ok! I would like to ask for some advice regarding the configuration of Autopilot. In my organization we use SCCM and a custom image to deploy various computer models in a lot of locations. In all locations users use the OS with their localized language. We plan to run DaaS based on Intune Autopilot. I don't have much experience in that, but I made some tests and the results are not good. My Autopilot profile works without any issues with an OEM system, but my newly deployed machine with the custom image isn't getting the Autopilot profile - of course I have imported the CSV with all necessary data and assigned a profile to the group where my machine has been added. To run enrollment I need to reset the OS on my VM, and then the Intune rollout works. So I know that I need to export my Autopilot profile as a JSON file and add a step in the TS to make machines with my custom image work. Is that correct? If so - is there a possibility to add multiple Autopilot profiles to the TS? I would like to create a few Autopilot profiles where I will define installation of the OS with a different language to allow users in different locations to have a completely configured OS out of the box. Is that possible?

And the second question. I know that enrolling existing devices with Autopilot doesn't require importing them (using CSV) into Autopilot, but what if we import them with a CSV file with an additional group tag parameter? Based on that parameter and a dynamic query, will these devices be automatically assigned to the proper groups during enrollment? Or does Autopilot for existing devices ignore information about imported devices?

And one more question. We have an AD forest with four domains. Do we need four Intune connectors, one for each domain, or will one connector be able to handle all requests for domain join for all domains? I think about installing one Intune connector and delegating control in all four domains to this machine.

edit: All devices will be Hybrid Joined and Co-managed.
Thanks in advance for any answer and advice
Damian

Detection of Office C2R after Co-Mgmt Workload Move
Hi Everyone,

I am in the process of identifying potential issues with moving our C2R workload from SCCM over to Intune. Our SCCM devices currently have Office C2R installed on them from when they were imaged, but are not managed using SCCM. From the Intune side we actively deploy Office to all machines using the built-in Office C2R. My concern is that when I toggle the switch over to Intune my existing devices will get Office reinstalled/removed. I have tested this and the result is inconsistent, but at least some of the devices did get Office reinstalled; MS Support confirmed this. In an effort to try and minimize the number of devices that will get Office reinstalled, I am trying to identify how Intune detects the built-in Office C2R to be able to compare against our existing devices. Does anyone have any info around how Intune detects the built-in Office?

Co-Managed showing "Disabled" but machine is appearing in Intune
We are just beginning to enable co-management on our estate, and have started with just 1 test device. After enabling co-management in SCCM, the device is now showing in Intune. However, on the device itself under Control Panel - Configuration Manager, it says "Co-Management - Disabled" and I'm not sure whether this should be ignored. It has been several days, and I have tried syncing policy within Intune, but it is still showing Co-Management as Disabled. Any tips on how to troubleshoot this?

Intune Managed Computer with HDD very slow
Have been using SCCM to manage a number of Dell AIO machines (i5, 8 GB RAM, 500 GB HDD) with Windows 10 (20H1) and they have been working okay. Starting to look at moving to Intune, so have set up a couple of new machines using Autopilot to be managed with Intune. Have found the Intune-managed machines to be incredibly slow: login and application use, and the machines are unusable at times. To see if the slowness was related to the HDD, cloned the image onto an SSD and the machines are much better. Has anyone else had issues using desktops with spinning disks with Intune?

Connection of already Hybrid Azure AD joined Win10 Devices to Intune Management
Hi folks,

I'm trying to implement Intune. My first steps were iOS & Android, which I finished just now. Now it's time for Win10 devices: BYOD devices with a work or school account are no problem; they appear as expected in the Intune console. At this moment I'm trying to connect our Windows 10 devices, which are already Hybrid Azure AD joined (joined to our on-prem domain). I don't know how to achieve this. Would you please help me out of this? I already tried to set the GPO (Auto MDM Enrollment with AAD Token) at a local Win10 client, but this doesn't do anything. Is that the right approach? (Or what should I do? Do I need the Intune connector? Do I need Autopilot for this first step? (when deployment of the OS is done manually, not by Autopilot))

Thank you very much :)

Patrick.