User Profile
shockotechcom
Iron Contributor
Joined 6 years ago
Recent Discussions
Edge Branding and OneDrive Client Sync App Support
I'm trying to configure Edge branding using the Edge Management Service. From the guide here https://learn.microsoft.com/en-us/deployedge/microsoft-edge-organization-branding it states:

Are there any scenarios where organization branding can't be used? Yes, organization branding isn't supported for the following scenarios. Organization branding isn't applied if:
- OneDrive desktop sync is enabled.
- The OneDrive policy to exclude specific kinds of files from being uploaded is disabled.

We have OneDrive client app installed on all our desktops. It's not clear to me why this would make this feature not supported. Any ideas/information on this?

130 Views, 0 likes, 1 Comment

Edge Branding - Company Color Configuration
I'm looking to configure https://learn.microsoft.com/en-us/deployedge/microsoft-edge-organization-branding in Edge 130+. We already have a custom branding profile configured in EntraID. To date we have configured Edge using group policy. When we configure the policy https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#organizationalbrandingonworkprofileuienabled we get our EntraID tenant/organisation name displayed on the profile pill and company logo as expected but we do not get the company color but rather a black color as follows:

Where is the company color configured i.e. what aspect of Entra Branding does it correspond to?

523 Views, 0 likes, 4 Comments

Re: Windows Autopilot and Configuration Management Client Installation Methods
Since we are Hybrid joined I did the following:
- Create a custom Win32 app in Intune and deliver it as a blocking app in the ESP phase of Autopilot
- This app creates a scheduled task that runs on next reboot and installs the MECM agent on next boot then disables itself

Works great!

1.4K Views, 1 like, 1 Comment

Re: Intune Policy Still Showing against Device even though Descoped
LeonPavesic thanks! You state: Yes, it is expected behavior that the policy remains as applied under DeviceName -> Configuration Profiles -> Profile Name even after the device is removed from the AzureAD group. This is because Intune does not automatically remove security policies when you unassign the policy (stop deployment). But the settings applied by the policy are no longer being applied at the endpoint.

11K Views, 1 like, 1 Comment

Intune Policy Still Showing against Device even though Descoped
I have an Intune device configuration that I target at an AzureAD group. I add my Windows 10 devices to this group and after some time the profile applied successfully at these devices. Under each DeviceName -> Configuration Profiles -> Profile Name I see it as successfully applied as well as under the Profile -> Device Assignment Status.

I then remove the devices from these AzureAD groups. Under each DeviceName -> Configuration Profiles -> Profile Name I see it as successfully applied but now it is not listed under the Profile -> Device Assignment Status. When I check the actual setting at the device the policy is indeed descoped and the settings have reverted to defaults.

So is this expected behaviour that the policy remains as applied under DeviceName -> Configuration Profiles -> Profile Name? Seems very counter intuitive!

13K Views, 0 likes, 3 Comments

Setting User Account Control Settings (UAC) in Intune vs GPO
I have UAC settings defined in Intune and some in GPO. Can Intune be set to override GPO in this context or do I have to decide to use one or the other? Reading this guide (https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) it seems that the conflict control settings only override GPO settings that overlap with the policies CSP (https://learn.microsoft.com/en-us/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy) but UAC does appear to be included.

896 Views, 0 likes, 0 Comments

License Requirements for Responding to an MS Form
We have MS forms enabled within our org but we have only assigned the MS Forms license to a handful of people so they can create forms. That said, we wish all our users to be able to respond to forms. So in order to respond to an MS Form does the responder require a license?

Solved, 2.1K Views, 0 likes, 1 Comment

Alert on failed client push in MECM
Using MECM 2211. We have recently had many client push failures. Whilst we understand the cause and have addressed this, it raised the question of how to alert on this condition. We could use Splunk or the like to tail the CCM logs but I was wondering if this condition is possible to alert on from MECM itself?

539 Views, 0 likes, 0 Comments

Windows Autopilot and Configuration Management Client Installation Methods
I'm using Windows Autopilot to build my machines with AzureAD hybrid join. Currently as part of the ESP we deploy the configuration manager client and our VPN software (both Win32 apps) to them so we can get them co-managed ASAP. We also do this in ESP as blocking apps to control the device availability to users until they are completed. Our implementation partner advised us to install the Configuration Manager client in this manner to speed up co-management. Autopilot works (albeit slow at _ 60 mins). I am confused though on whether or not adding the configuration manager client into the autopilot build in this manner is supported?

Reading this (https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-win10) it states:

You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the hybrid Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/plan/client-installation-methods.

So reading this it seems what we are doing is invalid. So question 1: Is it incorrect/unsupported to install the configuration manager client as a Win32 app during autopilot (ESP or otherwise)?

Furthermore I read here (https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-win10) that it appears there is no longer a need to deploy configuration manager client as an app at all but it can simply be configured in it via Home -> Device -> Enroll Devices -> Windows Enrollment > Co-management Authority:

You no longer need to create and assign an Intune app to install the Configuration Manager client. The Intune enrollment policy automatically installs the Configuration Manager client as a first-party app. The device gets the client content from the Configuration Manager cloud management gateway (CMG), so you don't need to provide and manage the client content in Intune.

Is this method only valid post autopilot?

Solved

WSUS - How to view Update Metadata and Applicability Rules
I use WSUS to patch my Windows estate and Solarwinds Patch manager to add 3rd party patches. How can I see the metadata (applicability rules etc.) for an arbitrary update published in WSUS? I have an issue with some patches showing as 'Not Applicable' and I wish to see the rules/logic they are using.

391 Views, 0 likes, 0 Comments

Windows Autopilot - OEM and User-Driven Mode
We currently have Autopilot User-Driven mode working for Hybrid join and co-management. The problem is to get the system ready with all configuration and software from Intune and MECM takes 90 mins and the user has to wait this long for their device to be ready from the time they unbox it to the time everything is complete. https://learn.microsoft.com/en-us/mem/autopilot/pre-provision allows for an OEM or IT function to add software before shipping to the user thus reducing the time at the user end before the system is fully ready. The problem for us is that it is in public preview so we cannot use it in production as it's against our policy. So I was wondering the following:

Q: What is (or would be) preventing us using a single (or multiple) generic IT accounts to drive user-driven deployments. For example:
- OEM or IT admins sign in to the devices with these generic accounts and kick off autopilot by signing into AzureAD with MFA etc.
- Cloud management gateway used to deliver most of the software to the SYSTEM as we don't really use pre-user apps
- Once complete we ship to the user

The only issue I see out front may be Bitlocker and where to store the recovery keys.

576 Views, 0 likes, 0 Comments

Autopilot Pre-Provisioned Deployment General Availability Date
I'm looking at use cases for Autopilot pre-provisioned deployment. As per this link (https://learn.microsoft.com/en-us/mem/autopilot/pre-provision) it states it is still in public preview but it has been there for over 2 years as far as I can see! Our policy is only to use GA features beyond pilot/POC. Is there a date for pre-provisioned deployment to move to GA? It would add huge benefit to us but as it stands I cannot use it.

402 Views, 0 likes, 0 Comments

Review Calls not leveraging UDP for audio/voice
I'm reviewing reports of various users complaining about poor call quality. We run MS Teams on a VPN but split tunnel the audio/video so it should egress the endpoint directly and use UDP. Is there any way I can review the calls between users from the admin portal and see if that call used the UDP transport as opposed to TCP (which it would if it failed to split tunnel)?

Solved

Force site to launch as a progressive Web App
We have certain web sites that we wish to launch as progressive web apps in MS Edge on Windows 10 22H2. We can of course give our users instructions to do so but is there a way we can force this via policy to centrally control this?

Solved, 609 Views, 0 likes, 1 Comment