Beginning with Configuration Manager current branch, version 1602 it is now possible to see a list of active connected Configuration Manager consoles. At this stage there is no built in way of seeing historical information, but you could archive the information periodically using PowerShell if that is the sort of information you are looking for.

The active list of consoles connected can be viewed by querying the v_CMConsoleUsageData table in SQL.
Select * from v_CMConsoleUsageData

Here is an example of the information provided:

There is a corresponding SMS Provider WMI class called SMS_ConsoleUsageData, but querying this object currently returns no results.

Given the data is available in the database via SQL, you have plenty of options for querying and displaying the information including SQL Management Studio, SQL Reporting Services, or PowerShell. I’ve done up a quick PowerShell script to query and display this information if you are interested. The ConsoleConnectTime attribute is stored in UTC format, so my script adds a new attribute called ConsoleConnectTimeLocal which is converted to the time zone of the computer the script is running from.

Download the script here: Get Configuration Manager Connected Consoles (Script)

Example command line:

Example output:

Trying to install an application via Software Center and receveing error code 0x87D00443(-2016410557)? You are probably using the new running apps detection available in Configuration Mangaer Technical Preview 1701 or 1702.

Software Center Error Code 0x87D00443(-2016410557)

The new error code indicates that a the Application cannot install because the deployment type for the Application has been configured to require certain executables to be closed prior to installation (Application > Deployment Types > Deployment Type > Install Behaviour).

Install Behaviour Screen

You can see detailed information on the client for this error in CIAgent.log:

{75B53191-4F03-401D-B9F4-AB55FB48954F} - Initiating Enforce tasks.	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): CI ModelName ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5 version 2 will be INSTALLED. : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/RequiredApplication_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): CI ModelName ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856 version 2 will be INSTALLED. : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856.2.Enforce)	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
+++++++++++++++++ [ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5 2] Initiating check for running processes for target Machine. AllowTermination: 10 jobTrigger: 1  +++++++++++++++++++++++	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Unable to read user sid : 0x80070539	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
+++REMOVE sEncodedProcessList: PABQAHIAbwBjAGUAcwBzAEQAZQB0AGUAYwB0AGkAbwBuACAAVAB5AHAAZQA9ACIASQBuAHMAdABhAGwAbAAiAD4APABQAHIAbwBjAGUAcwBzACAATgBhAG0AZQA9ACIAbgBvAHQAZQBwAGEAZAAuAGUAeABlACIALwA+ADwALwBQAHIAbwBjAGUAcwBzAEQAZQB0AGUAYwB0AGkAbwBuAD4A	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Unable to read user sid : 0x80070539	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
ProcessUtils::GetRunningProcessesDetails: Found running process 1 notepad.exe [4408]	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Running processes: <processdetailslist><process name="notepad.exe" friendlyname="Notepad" processpath="C:\Windows\system32\notepad.exe"/></processdetailslist>	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856.2.Enforce)	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856.2.Enforce)	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Raising client SDK event for class CCM_Application, instance CCM_Application.Id="ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5",Revision="2",IsMachineTarget=1, actionType 25l, value , user , session 4294967295l, level 0l, verbosity 30l	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856.2.Enforce)	CIAgent	12/03/2017 2:13:20 PM	7052 (0x1B8C)
Raising client SDK event for class CCM_Application, instance CCM_Application.Id="ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5",Revision="2",IsMachineTarget=1, actionType 25l, value , user , session 4294967295l, level 0l, verbosity 30l	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
+++++++++++++Raising notification for [ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5, 2] InstancePath: CCM_Application.Id="ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5",IsMachineTarget=1,Revision="2" for processes <processdetailslist><process name="notepad.exe" friendlyname="Notepad" processpath="C:\Windows\system32\notepad.exe"/></processdetailslist> +++++++++++++++++++++++	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Raising client SDK event for class CCM_Application, instance CCM_Application.Id="ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5",IsMachineTarget=1,Revision="2", actionType 50l, value <processdetailslist><process name="notepad.exe" friendlyname="Notepad" processpath="C:\Windows\system32\notepad.exe"/></processdetailslist>, user , session 2l, level 0l, verbosity 30l	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Already Completed : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Raising client SDK event for class CCM_Application, instance CCM_Application.Id="ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5",Revision="2",IsMachineTarget=1, actionType 25l, value , user , session 4294967295l, level 0l, verbosity 30l	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Already Completed : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Handling dependency failure : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/RequiredApplication_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/DeploymentType_a38f3baa-5913-47e7-bb98-0c50346fa856.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/Application_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/RequiredApplication_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Setting priority to 5 : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/RequiredApplication_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
Job({75B53191-4F03-401D-B9F4-AB55FB48954F}): Already Completed : Task(ScopeId_32AC0480-B7FC-4D10-8146-019C7A0AA484/RequiredApplication_9963a768-d8e6-4d5c-a0dd-b01e11f8b5b5.2.Enforce)	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
CCIInfo::SetError - Setting CI level error to (0x87d00443).	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)
All tasks are already in completed state	CIAgent	12/03/2017 2:13:21 PM	7052 (0x1B8C)

I was recently at a customer that was having trouble getting their user certificate to be used for the corporate Wi-Fi profile on Android devices. When checking the user certificates in settings the user certificate only showed up under “user” while “Wi-Fi” was empty.

User certiticate visible under System, but not under Wi-Fi on Android

After a device is enrolled, it begins to download policy. Once it receives the policy to request certificates using SCEP, the device will attempt to get a certificate and place it in the user certificate store. After this, the Company Portal will begin to evaluate the Wi-Fi profile settings and try and match a certificate to use. If the Company Portal finds a certificate, it will insert it into the Wi-Fi profile and install it on the device. When the Company Portal has configured a Wi-Fi profile, a notification will be displayed on the device.

Company Portal Configured Networks

If the Company Portal finds the certificate – it is injected into the profile before it’s added, not referenced from the system store. If successful, the certificate will be visible under the Wi-Fi section in user certificates.

Wi-Fi Certificate

If it’s not successful, the certifiate won’t be listed under Wi-Fi.

After many hours of troubleshooting, I found the following configuration worked for this customer so I thought I’d share it in case it works for you. The important thing to note here is that the settings on the Security Configuration screen must match the certificate template you are installing so that the Company Portal can find and inject the certificate into the Wi-Fi profile. This seems to differ on iOS and Windows Phone where the criteria can be less specific (unverified in general, but certainly the case at this customer).

Each of the settings below are found from the Security Configuration tab of the Wi-Fi profile:

Wi-Fi Profile > Security Configuration > Configure

On the Wi-Fi Profile > Security Configuration > Configure screen, select to Use a certificate on this computer and Use simple certificate selection. Click Advanced and follow the instructions in the next section.

Wi-Fi Profile Security Configuration Smart Card Configuration

Wi-Fi Profile > Security Configuration > Configure > Advanced

On the Advanced screen under Wi-Fi Profile > Security Configuration > Configure > Advanced, select the attributes that directly match the certificate you want to associate with the Wi-Fi profile.

Wi-Fi Profile Security Configuration Smart Card Configuration Advanced

Tip: Untick All Purpose and Any Purpose and directly match the EKUs of the certificate you want to match (the certificate being isused by SCEP).

Wi-Fi Profile > Security Configuration > Root CA

On the Root Certificates screen, select the tick box for the Root CA certificate profile you want to associate with the Wi-Fi profile. You will need to have created this before you create the Wi-Fi profile under Configuration Manager Console > Assets and Compliance > Compliance Settings > Company Resource Access > Certificate Profiles.

Wi-Fi Profile Security Configuration Root CA

Tip: Only select the Root Certificate Authority that will actually issue the certificate, not each certificate in the chain.

Wi-Fi Profile > Security Configuration > Client Authentication Certificate

On the Client Certificate screen, select the tick box for the SCEP certificate profile you want to associate with the Wi-Fi profile. You will need to have created this before you create the Wi-Fi profile under Configuration Manager Console > Assets and Compliance > Compliance Settings > Company Resource Access > Certificate Profiles.

Wi-Fi Profile Security Configuration Client Authentication Certificate

Helpful Links

• Configure certificate infrastructure for SCEP
• Create Wi-Fi profiles
• Deploy profiles in System Center Configuration Manager
• SCEP Certificate Enrollinng Using ConfigMgr 2012 CRP, NDES and Windows Intune
• So you want to test your NDES SCEP Certificate Enrollment

Hi all,

a few months back I was running an assessment and found an issue that identified the cause of some slow SQL query performance on Configuration Manager. An article has been released in regards to both SQL 2014 and SQL 2016 that shows Configuration Manager may run better when the site database is configured at a different SQL CE compatibility level.

I wanted to point it out to those that may have missed it, as it may not be obvious which was the case with my customer who did a fresh Install to SQL 2014 when they moved to 2012. Which meant the slow SQL queries were not so obvious as they may have been had they gone directly to SQL 2012 and then upgraded to SQL 2014 at a later date.

In my customers case we ran tests and found that the performance increase went from 45 seconds to 16 seconds. 

Here is a link to the article which is pretty self explanatory and has some SQL queries you can run to test and see if you’re experiencing some slow SQL query times.

SQL query times out or console slow on certain Configuration Manager database queries

I hope this helps you out

With version 52 of Mozilla Firefox released, the default installation has disabled support for NPAPI plugins.

This means you will no longer be able to administer Microsoft Intune via the Firefox browser.

https://support.mozilla.org/t5/Problems-with-add-ons-plugins-or/Why-do-Java-Silverlight-Adobe-Acrobat-and-other-plugins-no/ta-p/31069

Thankfully, Mozilla do have an Extended Support Release (ESR) version. So to continue to use Mozilla Firefox to manage Microsoft Intune Silverlight, we suggest installing the ESR version rather than running an out-of-date browser.

To install the ESR version, download the localized version from here

https://www.mozilla.org/en-US/firefox/organizations/all/

Over the next few months we’ll be migrating away from Silverlight to the Intune Azure Portal, so the Silverlight plugin requirement will go away shortly.

Matt Shadbolt
Senior Service Engineer
Enterprise Client and Mobility – Intune

One of the most common discussions I have with customers is how does an IT Pro ensure that corporate data is only being accessed by approved, managed applications.

Intune Mobile Application Management (MAM) provides a rich set of Data Loss Prevention (DLP) features that ensures no corporate data is leaked outside of the corporately managed apps. The Outlook app for iOS and Android is by far the most popular MAM enabled app, as it provides the most secure and user-friendly experience for accessing Exchange Online.

But how does an organization restrict access to their Exchange Online data to only the Outlook protected app?

Traditionally, we’ve had some very complex solutions utilizing Exchange Allow/Block/Quarantine (ABQ) rules and ADFS claim rules to ensure users can only use the Outlook app. ABQ rules to restrict the client, and ADFS claims to restrict the authentication method, for example.

This month, we released a new feature which will simplify this ask a whole lot – Conditional Access for MAM.

CA for MAM will allow an IT Pro to restrict Exchange Online to only the MAM enabled apps for iOS and Android. All other third party clients (for example, the native e-mail apps on iOS/Android) will not be able to connect to Exchange Online.

The feature is available for MAM Without enrollment (MAMWE), meaning your devices don’t even need to be enrolled to enable this functionality.

In the new Intune Portal, you’ll see a new blade called Conditional Access

Select the Exchange Online option to expand out the options.

Here you can set up which apps can access the data, and which users are/aren’t targeted by the policy.

Select Allowed apps to configure the policy setting.

Select Allow apps that support Intune app policies and press Save

Then target the Restricted user groups with your desired AAD group

And you’re done! The users in the targeted AAD group will now be required to install the Outlook app to access their Office 365 e-mail.

There are some minor prerequisites you should be aware of. For the MAM CA to work, iOS users must have the Microsoft Authenticator app installed and logged in and Android users must have the Company Portal app installed and logged in. If the users do not have these apps installed, they will be prompted to install them before e-mail access is granted.

Also note that for Device CA targeted users (traditional CA), if a user is targeted for both policies the compliance is determined in a logical OR.

For example, if the device is managed by Intune and CA compliant the device will have full e-mail access, including the native EAS mail apps. OR, if the device is not managed but has the Outlook app it will have full access via the Outlook app only. This is really a very good experience for BYO vs COD scenarios, where we’d enroll a corporate owned device, but require Outlook and MAM for a personally owned device.

Keep your eye on Twitter (@ConfigMgrDogs) for notifications of when MAM CA will be available for SharePoint online too!

Matt Shadbolt

Senior Program Manager
Enterprise Client and Mobility – Intune

This post explains how to use a script that will maintain user-defined Business Hours in the Configuration Manager client.

In-console updates have dramatically increased the take up of new versions of Configuration Manager, given users unprecedented ability to shape the product and delivered countless new features. One downside of this frequent change is that during a client upgrade, the user-defined Business Hours are reset to default. You can vote for this to be considered at UserVoice – Retain users settings in Software Center. i.e. Business Hours, after client upgrade. But in the meantime, I have developed a workaround!

Firstly, what are Business Hours?

Business Hours allows users to control deployments such as application installation or software updates ahead of a defined deadline. The default business hours are set to 5am – 10pm local time Monday to Friday, but are configurable by the user from Software Center.

Software Center – Business Hours

By default, when a new deployment is made available to a computer with a deadline a pop up notification will appear which gives the user the option to install the application ahead of the deadline outside of their defined business hours. To minimise disruptions, users can use Software Center to configure Configuration Manager automatically install any deployed software at the next available period outside of business hours. Business hours does not prevent an application from installing at a defined deadline. If a deadline occurs during the users defined business hours, the deployment will still run at the defined deadline time.

Software Center – Changes Required Prompt

Cool feature, right?

So, to maintain the user-defined settings, you might want to consider using a script I wrote. The script:

• Writes non-default Business Hours settings to a registry key;
• Restores the Business Hours settings from the registry if the client settings are reverted to default.

The only known issue with the script at the moment is that if custom registry settings are stored, but the user deliberately chooses the default settings they will be overwritten with the custom settings. The script outputs to the ConfigMgr client logs directory in CMTrace format.

Backup Business Hours Script Log File

To use the script, you would schedule it to run on a schedule to periodically update the registry settings and then restore the settings if a client upgrade occurs.

The script can be found at TechNet Gallery: Backup and Restore Configuration Manager Client Business Hours

Please let me know if you have any feedback

HUGE announcements in the Education space yesterday, with the very exciting release of Microsoft Intune for Education.

Intune for Education offers a streamlined management UI for IT Pros in Education, as well as integration with your schools Student Information System (SIS) to create/manage your groups.

Getting started is quick and easy.

First, browse to https://intuneeducation.portal.azure.com which is the custom portal endpoint for managing Intune for Education.

Once logged in, you’ll see a UI like this

Click the Launch Express Configuration to get started quickly. You’ll be prompted to Get Started

If you’ve previously setup your AAD tenant to use Windows Store for Business, Intune will look to pull in the apps you’ve assigned & purchased previously.

If you have a Student Information System, you’ll now be prompted to configure the School Data Sync. To setup the School Data Sync service, visit https://sds.microsoft.com/

Now select the group you’d like to first target with policies and apps.

Select some apps to deploy

Either leave the preconfigured settings, or customize them to your situation

And your done!

Now any user in the Grade 6 Students group who enrols their Windows 10 device will receive the policies and apps you’ve deployed.

From the Azure Portal view, we can see:

A Windows 10 settings profile has been created and deployed

A Web App for Khan Academy and Mathletics has been created and deployed

So within 5 minutes you’ve created and deployed some policies and apps!

I hope you find the setup as quick and easy as I did. Until next time!

Matt Shadbolt

Senior Service Engineer
Enterprise Client and Mobility – Intune

Since Configuration Manager current branch, version 1606 it has been possible to enable BranchCache on clients using Client Settings. Previously, to enable BranchCache an administrator would need to configure BranchCache for clients using command line tools or Group Policy.

To use BranchCache with Configuration Manager, the following prerequisites must be met:

• Distribution Point;
  • Cloud Distribution Point or Windows Server Distribution Point;
  • BranchCache enabled in properties (only required for Windows Server).
• Client
  • A supported client Operating System (yes, this includes Windows Professional SKUs);
  • BranchCache must be enabled in Distributed Mode on the client;
  • The appropriate firewall rules must be opened.
• Software Update, Application and Package Deployments must be configured with the option to Allow clients to share content with other clients on the same subnet.

This post explains how to enable BranchCache on the client using Client Settings, for any other information, see:

• Support for Windows Features
• What is BranchCache?

Enable BranchCache in Client Settings

To enable BranchCache on computers using Client Settings:

1. Open the Client Settings policy you want to apply to clients (it is recommended that a new policy be created to apply custom settings rather than editing the Default Client Settings policy)
2. Tick the box on the General tab to include Client Cache Settings

   Create Custom Client Settings

3. Select the Client Cache Settings tab
   • Change Configure BranchCache to Yes
   • Change Enable BranchCache to Yes

   Edit Client Cache Settings

4. Deploy the settings (See Create and Deploy Custom Client Settings for more information).

NOTE

Unlike Group Policy, if you want to disable BranchCache you must explicitly disable it using Client Settings or an alternate method. Simply removing the client setting to enable it won’t revert it to it’s previous state. In addition, while the feature will add the firewall rules to Windows Firewall, it will not remove them when the feature is disabled.

Verify BranchCache is Enabled

After the new client settings are retrieved and updated on clients, you will notice BranchCache is enabled.

Netsh

From a command prompt, run netsh to confirm that BranchCache is now running in Distributed Caching mode and the cache size is configured as per the Client Settings.

netsh branchcache show status all

Confirm BranchCache Enabled

CAS.log

You will see the following entries in CAS.log:

Enabling BranchCache.	ContentAccess	13/05/2017 6:45:30 PM	2600 (0x0A28)
EnablePeerDistribution: Successfully enabled PeerDistribution	ContentAccess	13/05/2017 6:45:32 PM	2600 (0x0A28)
Setting BranchCache size to 10 of disk	ContentAccess	13/05/2017 6:45:32 PM	2600 (0x0A28)
SetCacheSize: Successfully set cache size	ContentAccess	13/05/2017 6:45:32 PM	2600 (0x0A28)

Firewall Rules

Windows Firewall rules will be configured as per the table below:

A couple of months back, the Intune Support team posted a list of technical blockers that may result in a delay for your Intune tenant to be migrated to the Intune on Azure portal.

https://blogs.technet.microsoft.com/intunesupport/2017/03/17/intune-migration-blockers-for-grouping-targeting/

The blog post has been very popular, as many customers were not aware of configuration issues causing delays in migration.

We’ve also been notifying individual customers of configuration changes required to unblock their migration via the Office 365 Message Center

To help customers resolve these issues and unblock their migration, I’ve posted seven technical guides for resolving migration blockers.

It’s important to note that these guides are intended to explain how a migration blocker occurs, and how to remove the blocking issue. The guides are not intended to provide guidance on how to redesign your grouping/targeting to achieve functionality caused by the blocking configuration.

I suggest you thoroughly review your grouping/targeting strategy before making any changes.

1. Deployments to Ungrouped Users and Devices: Fix Your Intune Migration Configuration Issues

2. Exclusion Clauses in Groups: Fix Your Intune Migration Configuration Issues

3. Nested Groups: Fix Your Intune Migration Configuration Issues

4. The Is Manager Clause: Fix Your Intune Migration Configuration Issues

5. Conflicting App Deployment Rules: Fix Your Intune Migration Configuration Issues

6. Upgrade Your Exchange Connector For Intune: Fix Your Intune Migration Configuration Issues

7. Enable Self-Service Group Management: Fix Your Intune Migration Configuration Issues

We hope you find these guides useful and enjoy the Intune on Azure experience once migrated.

Matt Shadbolt

Senior Service Engineer
Enterprise Client and Mobility – Intune

In the new Microsoft Intune on Azure administration console, there is a new “Discovered apps” node available for each MDM enrolled device.

There’s been some recent confusion around what we should expect to see in here.

The Discovered apps node is a direct reflection of the devices discovered apps at the last Hardware Inventory time.

For devices with Device Ownership marked as Corporate this will be all apps installed on the device. For devices with Device Ownership marked as Personal this will be all apps installed via the Intune Company Portal or apps installed in a Required deployment.

The list of apps displayed here are only reflective of those apps installed at the last inventory scan. Please be aware that inventory is run every 7 days for mobile devices, so the Discovered apps list could potentially be up to seven days out of date.

It’s fairly well known across the mobile/MDM industry that Google removed support for resetting an Android 7 devices passcode/password from within a Device Administrator granted app.

But for whatever reason, Google has not documented this change particularly clearly.

So here it is!

For any Android Nougat device, the only way to reset a device password/passcode is to be physically on the device and logged in. This means that any MDM vendor can not send a remote password reset request to a device if a user forgets the set password. For any Android 7 device with a forgotten password, the only option is a factory reset.

For Microsoft Intune customers, we documented this new limitation a while ago

https://docs.microsoft.com/en-us/intune/device-passcode-reset and https://docs.microsoft.com/en-us/intune-user-help/reset-your-passcode-cpwebsite

This limitation is true for both Intune on Azure and Configuration Manager Hybrid scenarios, and is a limitation enforced by Google not Microsoft (or any other MDM vendor). All down-level Android devices (<7) should still have this function available.

And just for further reference, Google has documented this in the Android developer API docs.

https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html

The API is resetPassword, and the relevant note is:

Note: This API has been limited as of N for device admins that are not device owner and not profile owner. The password can now only be changed if there is currently no password set. Device owner and profile owner can still do this when user is unlocked and does not have a managed profile.

Matt Shadbolt

Senior Service Engineer
Enterprise Client and Mobility – Intune

Hi everyone, its been a while since my last post and the main reason is that I now work on Azure with customers these days. Boooo I hear all the ConfigMgr fans say. I know, I know I’m still a fan of CM myself.

Today’s blog is sharing with you a PowerShell script that I wrote for one of my customers that apply’s Tags to all the Resources in a Resource Group, based on the Tags’s applied to that Resource Group.

The scenario here is that in this particular case billing was being charged by the Tag’s applied to each resource. The issue my customer had was

1)Tags for Resources are not inherited by default from their Resource Group

2)Some of their processes at this point in time meant there was no way for them to ensure the correct Tag’s were applied to each resource.

3)They needed to ensure that if somebody has applied a Tag not for billing that it doesn’t disappear. As an example Environment : Development.

So lets run through this scenario below

I have created two Resource Groups with Tags which we can see below

In AzureDogs I have one Managed Disk with no Tags

In ConfigMgrDogs I have two Managed Disks one with a single Tag  Environment : Production, the other with no Tags

The script should run through each resource and save the non billing tags and apply the Resource Group tags.

Here is a link to the script on GitHub. Feel free to clone this and make any improvements. This can easily be tweaked and uploaded to Azure Automation and run on a nightly schedule.

Once the script is run we can see in my output that it has applied the appropriate Tags to each Resource

When we look back in the portal we can see that our resources now have the billing tags and the OSDisk3 resource has also kept its original custom environment Tag.

I hope this helps you out.

The 2018 Microsoft Ignite Florida event is fast approaching, so now is the time to secure your spot at one of the pre-day sessions. For those wanting to go deep on Windows 10 Modern Management and Mobile Device Management through Microsoft Intune, I recommend you attend the pre-day session “Modern Management for a Modern World – a technical deep dive into modern device management made easy with Microsoft Intune” This session will be delivered by technical program managers from Microsoft’s Customer Acceleration Team (CAT) who work directly with large complex customers so understand many of the scenarios that you are going through. This will be a highly interactive session so bring your devices and your questions and leave with the technical knowledge to allow you to be successful. I look forward to seeing you there!!!

Modern Management for a Modern World – A technical deep dive into modern device management made easy with Microsoft Intune

Learn how to configure an end-to-end deployment of Microsoft Intune. This session will be delivered by technical Program Managers who will share real world scenarios learnt from customer deployments. In this session you will learn how to deploy, manage and secure your Windows 10, iOS, Android and OSX devices from the cloud; how to control access to you corporate resources using Azure Active Directory Conditional Access; How to implement a Data Loss Prevention strategy on these devices and secure your corporate data, and how Microsoft Graph is simplifying IT operations. This is a deep dive session and includes demos of the latest innovations. Please bring a Windows 10 and an iOS/Android device and follow the instructors as they step you through common user scenarios. Share your learnings during our Q/A session and have Microsoft Program Managers help you be successful.

We’ll be giving away a Surface Laptop to one lucky attendee, so be sure to sign-up!

Add this Pre-Day Workshop to your registration for $500. Visit the Microsoft Ignite registration website and sign in to your registration record to select your Pre-Day Workshop!

Quick brain dump today. One of our customers recently reached out with an issue where a policy for Windows 10 wasn’t applying correctly, and we were returning a very unhelpful error message “-2016281112 Remediation failed”.

Unfortunately, the Remediation failed error message is all that is returned by the client when we issue the SET command on the OMA-URI’s required to configure the target setting. We’re partnering with Windows to improve this experience, so watch this space. But for now, we have to settle for what we have.

So what are the next steps in troubleshooting this error?

Luckily, Windows has a pretty good diagnostics channel in everyone’s favorite Event Viewer (eventvwr).

So first, open up eventvwr.msc from Run.

Next, browse to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. You’ll see two logs, Admin and Operational

Firstly, take a look in the Admin log. You should see some high level error messages which might point to an obvious issue. For example, here on my corp device I’ve got an error message for an app deployment via MDM.

This error obviously indicates an app is not being discovered as expected. I recon if I gave this a couple more syncs, the app would reinstall and all would be well.If the error messages in the Admin log are still unhelpful, we have one other option and that’s to enable Debug logging on the DeviceManagement-Enterprise-Diagnostics-Provider.

To do this, from the View menu in eventvwr, enable the Show Analytic and Debug Logs option. This will likely make your eventvwr window flash like crazy for a minute or two, but it’s enabling a bunch of extra logs and the UI doesn’t like it much.

Once enabled, you’ll now see a Debug log option in the DeviceManagement-Enterprise-Diagnostics-Provider. Now enable the log by right-clicking on the log and selecting Enable Log.

Now run a repro of your issue by running a Sync (Control Panel > Access work or school > Connected to Azure AD > Info)

In the debug log, you should see a bunch of verbose debug information about the sync and settings being applied.

And here you can see the Wifi URI being applied successfully. If there was an issue with the Wifi configuration, I’d get a much more helpful reason as to why the URI failed. I’m not seeing the error from the MDM MSI anymore, so it must have fixed itself on subsequent check-ins.

Hope you find this helpful!

Matt Shadbolt
Senior Program Manager for Microsoft Intune

Hi ConfigMgrDogs readers,

We’re sad to announce the ConfigMgrDogs blog will be shutting down.

With the move to Microsoft Tech Communities, we’ve decided to post on other platforms and blogs rather than have a dedicated ConfigMgrDogs blog.

We’ll continue to engage deeply with the technical community for Intune, Configuration Manager and Azure and hope you’ll follow us to our new platforms.

Please follow us on Twitter (@ConfigMgrDogs) for the most frequent updates, the Intune Tech Community for formal Intune blog posts, and LinkedIn for informal posts (Matt, George, Ian).

All of our posts have been archived at http://www.ConfigMgrDogsArchive.com and should be searchable via Bing and Google.

We’ve really loved posting technical content for the past six years, and we’ve appreciated all of the community engagement with the ConfigMgrDogs. We absolutely love running into ConfigMgr and Intune admins at conferences and events and hearing how a post or two have helped solve your problems.

We’re sad the blog is going away, but plan to stay just as connected via Twitter.

So long.

Matt, George and Ian (AKA the ConfigMgrDogs)