configmgrdogs

ConfigMgrDogs Blog Shutting Down

Matt Shadbolt [MSFT] — Mon, 29 Oct 2018 19:53:58 GMT

Hi ConfigMgrDogs readers, We're sad to announce the ConfigMgrDogs blog will be shutting down. With the move to Microsoft Tech Communities, we've decided to post on other platforms and blogs rather than have a dedicated ConfigMgrDogs blog. We'll continue to engage deeply with the technical community for Intune, Configuration Manager and Azure and hope you'll follow us to our new platforms. Please follow us on Twitter (@ConfigMgrDogs) for the most frequent updates, the Intune Tech Community for formal Intune blog posts, and LinkedIn for informal posts (Matt, George, Ian). All of our posts have been archived at https://www.ConfigMgrDogsArchive.com and should be searchable via Bing and Google. We've really loved posting technical content for the past six years, and we've appreciated all of the community engagement with the ConfigMgrDogs. We absolutely love running into ConfigMgr and Intune admins at conferences and events and hearing how a post or two have helped solve your problems. We're sad the blog is going away, but plan to stay just as connected via Twitter. So long. Matt, George and Ian (AKA the ConfigMgrDogs)

Troubleshooting Windows 10 Intune Policy Failures

Matt Shadbolt [MSFT] — Thu, 09 Aug 2018 16:35:41 GMT

Quick brain dump today. One of our customers recently reached out with an issue where a policy for Windows 10 wasn’t applying correctly, and we were returning a very unhelpful error message “-2016281112 Remediation failed”. Unfortunately, the Remediation failed error message is all that is returned by the client when we issue the SET command on the OMA-URI’s required to configure the target setting. We’re partnering with Windows to improve this experience, so watch this space. But for now, we have to settle for what we have. So what are the next steps in troubleshooting this error? Luckily, Windows has a pretty good diagnostics channel in everyone’s favorite Event Viewer (eventvwr). So first, open up eventvwr.msc from Run. Next, browse to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. You’ll see two logs, Admin and Operational Firstly, take a look in the Admin log. You should see some high level error messages which might point to an obvious issue. For example, here on my corp device I’ve got an error message for an app deployment via MDM. This error obviously indicates an app is not being discovered as expected. I recon if I gave this a couple more syncs, the app would reinstall and all would be well.If the error messages in the Admin log are still unhelpful, we have one other option and that’s to enable Debug logging on the DeviceManagement-Enterprise-Diagnostics-Provider. To do this, from the View menu in eventvwr, enable the Show Analytic and Debug Logs option. This will likely make your eventvwr window flash like crazy for a minute or two, but it’s enabling a bunch of extra logs and the UI doesn’t like it much. Once enabled, you’ll now see a Debug log option in the DeviceManagement-Enterprise-Diagnostics-Provider. Now enable the log by right-clicking on the log and selecting Enable Log. Now run a repro of your issue by running a Sync (Control Panel > Access work or school > Connected to Azure AD > Info) In the debug log, you should see a bunch of verbose debug information about the sync and settings being applied. And here you can see the Wifi URI being applied successfully. If there was an issue with the Wifi configuration, I’d get a much more helpful reason as to why the URI failed. I’m not seeing the error from the MDM MSI anymore, so it must have fixed itself on subsequent check-ins. Hope you find this helpful! Matt Shadbolt Senior Program Manager for Microsoft Intune

Microsoft Ignite Pre-Day Registrations Now Open!

Matt Shadbolt [MSFT] — Fri, 25 May 2018 06:00:18 GMT

The 2018 Microsoft Ignite Florida event is fast approaching, so now is the time to secure your spot at one of the pre-day sessions. For those wanting to go deep on Windows 10 Modern Management and Mobile Device Management through Microsoft Intune, I recommend you attend the pre-day session "Modern Management for a Modern World - a technical deep dive into modern device management made easy with Microsoft Intune" This session will be delivered by technical program managers from Microsoft's Customer Acceleration Team (CAT) who work directly with large complex customers so understand many of the scenarios that you are going through. This will be a highly interactive session so bring your devices and your questions and leave with the technical knowledge to allow you to be successful. I look forward to seeing you there!!!

Modern Management for a Modern World - A technical deep dive into modern device management made easy with Microsoft Intune

Learn how to configure an end-to-end deployment of Microsoft Intune. This session will be delivered by technical Program Managers who will share real world scenarios learnt from customer deployments. In this session you will learn how to deploy, manage and secure your Windows 10, iOS, Android and OSX devices from the cloud; how to control access to you corporate resources using Azure Active Directory Conditional Access; How to implement a Data Loss Prevention strategy on these devices and secure your corporate data, and how Microsoft Graph is simplifying IT operations. This is a deep dive session and includes demos of the latest innovations. Please bring a Windows 10 and an iOS/Android device and follow the instructors as they step you through common user scenarios. Share your learnings during our Q/A session and have Microsoft Program Managers help you be successful.

We’ll be giving away a Surface Laptop to one lucky attendee, so be sure to sign-up!

Add this Pre-Day Workshop to your registration for $500. Visit the Microsoft Ignite registration website and sign in to your registration record to select your Pre-Day Workshop!

Apply Tags to Azure Resources based on Resource Group tags via PowerShell

George Smpyrakis — Wed, 14 Feb 2018 03:26:39 GMT

Hi everyone, its been a while since my last post and the main reason is that I now work on Azure with customers these days. Boooo I hear all the ConfigMgr fans say. I know, I know I'm still a fan of CM myself.

Today’s blog is sharing with you a PowerShell script that I wrote for one of my customers that apply’s Tags to all the Resources in a Resource Group, based on the Tags’s applied to that Resource Group.

The scenario here is that in this particular case billing was being charged by the Tag’s applied to each resource. The issue my customer had was

1)Tags for Resources are not inherited by default from their Resource Group

2)Some of their processes at this point in time meant there was no way for them to ensure the correct Tag’s were applied to each resource.

3)They needed to ensure that if somebody has applied a Tag not for billing that it doesn’t disappear. As an example Environment : Development.

So lets run through this scenario below

I have created two Resource Groups with Tags which we can see below

In AzureDogs I have one Managed Disk with no Tags

In ConfigMgrDogs I have two Managed Disks one with a single Tag Environment : Production, the other with no Tags

The script should run through each resource and save the non billing tags and apply the Resource Group tags.

Here is a link to the script on GitHub. Feel free to clone this and make any improvements. This can easily be tweaked and uploaded to Azure Automation and run on a nightly schedule.

Once the script is run we can see in my output that it has applied the appropriate Tags to each Resource

When we look back in the portal we can see that our resources now have the billing tags and the OSDisk3 resource has also kept its original custom environment Tag.

I hope this helps you out.

Support Tip: Intune App Protection Requires Modern Authentication Enabled for Skype for Business

Matt Shadbolt [MSFT] — Thu, 11 Jan 2018 22:42:56 GMT

Posted over at https://blogs.technet.microsoft.com/intunesupport/2018/01/11/support-tip-intune-app-protection-requires-modern-authentication-enabled-for-skype-for-business/ In May 2017, a Skype for Business Server 2015 Cumulative Update was released, enabling "Hybrid Modern Authentication" for Hybrid and On-Premises Skype for Business customers. Modern Authentication allows customers to enable many modern security features, such as Azure Active Directory Conditional Access or multi-factor authentication. It also enables the Intune App Protection features for the Skype for Business iOS and Android apps. Intune App Protection allows organizations to control Data Loss Prevention (DLP) settings for their Skype for Business users. https://docs.microsoft.com/en-us/intune/app-protection-policy If you target the Skype for Business app with App Protection policies and Modern Auth is not enabled, your App Protection policies will not apply successfully. To enable Hybrid Modern Auth, use the steps outlined in the following guide: https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Hybrid-Modern-Authentication-for-Skype-for-Business/ba-p/134751 Once all prerequisites have been met and all steps have been completed, your organization can target their Skype for Business DLP policies and provide another layer of security for your mobile users.

Android 7 (Nougat) Removes Remote Password Reset

Matt Shadbolt [MSFT] — Tue, 31 Oct 2017 23:27:45 GMT

It’s fairly well known across the mobile/MDM industry that Google removed support for resetting an Android 7 devices passcode/password from within a Device Administrator granted app. But for whatever reason, Google has not documented this change particularly clearly. So here it is! For any Android Nougat device, the only way to reset a device password/passcode is to be physically on the device and logged in. This means that any MDM vendor can not send a remote password reset request to a device if a user forgets the set password. For any Android 7 device with a forgotten password, the only option is a factory reset. For Microsoft Intune customers, we documented this new limitation a while ago https://docs.microsoft.com/en-us/intune/device-passcode-reset and https://docs.microsoft.com/en-us/intune-user-help/reset-your-passcode-cpwebsite This limitation is true for both Intune on Azure and Configuration Manager Hybrid scenarios, and is a limitation enforced by Google not Microsoft (or any other MDM vendor). All down-level Android devices (<7) should still have this function available. And just for further reference, Google has documented this in the Android developer API docs. https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html The API is resetPassword, and the relevant note is:

Note: This API has been limited as of N for device admins that are not device owner and not profile owner. The password can now only be changed if there is currently no password set. Device owner and profile owner can still do this when user is unlocked and does not have a managed profile.

Matt Shadbolt Senior Service Engineer Enterprise Client and Mobility – Intune

“Discovered apps” node in Microsoft Intune on Azure console

Matt Shadbolt [MSFT] — Mon, 17 Jul 2017 18:44:20 GMT

In the new Microsoft Intune on Azure administration console, there is a new “Discovered apps” node available for each MDM enrolled device. There’s been some recent confusion around what we should expect to see in here. The Discovered apps node is a direct reflection of the devices discovered apps at the last Hardware Inventory time. For devices with Device Ownership marked as Corporate this will be all apps installed on the device. For devices with Device Ownership marked as Personal this will be all apps installed via the Intune Company Portal or apps installed in a Required deployment. The list of apps displayed here are only reflective of those apps installed at the last inventory scan. Please be aware that inventory is run every 7 days for mobile devices, so the Discovered apps list could potentially be up to seven days out of date.

Intune on Azure Migration Blocker Guidance

Matt Shadbolt [MSFT] — Thu, 18 May 2017 03:33:11 GMT

A couple of months back, the Intune Support team posted a list of technical blockers that may result in a delay for your Intune tenant to be migrated to the Intune on Azure portal. https://blogs.technet.microsoft.com/intunesupport/2017/03/17/intune-migration-blockers-for-grouping-targeting/ The blog post has been very popular, as many customers were not aware of configuration issues causing delays in migration. We’ve also been notifying individual customers of configuration changes required to unblock their migration via the Office 365 Message Center To help customers resolve these issues and unblock their migration, I’ve posted seven technical guides for resolving migration blockers. It’s important to note that these guides are intended to explain how a migration blocker occurs, and how to remove the blocking issue. The guides are not intended to provide guidance on how to redesign your grouping/targeting to achieve functionality caused by the blocking configuration. I suggest you thoroughly review your grouping/targeting strategy before making any changes. 1. Deployments to Ungrouped Users and Devices: Fix Your Intune Migration Configuration Issues 2. Exclusion Clauses in Groups: Fix Your Intune Migration Configuration Issues 3. Nested Groups: Fix Your Intune Migration Configuration Issues 4. The Is Manager Clause: Fix Your Intune Migration Configuration Issues 5. Conflicting App Deployment Rules: Fix Your Intune Migration Configuration Issues 6. Upgrade Your Exchange Connector For Intune: Fix Your Intune Migration Configuration Issues 7. Enable Self-Service Group Management: Fix Your Intune Migration Configuration Issues We hope you find these guides useful and enjoy the Intune on Azure experience once migrated. Matt Shadbolt Senior Service Engineer Enterprise Client and Mobility – Intune

Enabling BranchCache for Configuration Manager using Client Settings

Scott Breen MSFT — Sun, 14 May 2017 10:21:42 GMT

Since Configuration Manager current branch, version 1606 it has been possible to enable BranchCache on clients using Client Settings. Previously, to enable BranchCache an administrator would need to configure BranchCache for clients using command line tools or Group Policy. To use BranchCache with Configuration Manager, the following prerequisites must be met:

Distribution Point;
- Cloud Distribution Point or Windows Server Distribution Point;
- BranchCache enabled in properties (only required for Windows Server).
Client
- A supported client Operating System (yes, this includes Windows Professional SKUs);
- BranchCache must be enabled in Distributed Mode on the client;
- The appropriate firewall rules must be opened.
Software Update, Application and Package Deployments must be configured with the option to Allow clients to share content with other clients on the same subnet.

This post explains how to enable BranchCache on the client using Client Settings, for any other information, see:

Enable BranchCache in Client Settings

To enable BranchCache on computers using Client Settings:

Open the Client Settings policy you want to apply to clients (it is recommended that a new policy be created to apply custom settings rather than editing the Default Client Settings policy)
Tick the box on the General tab to include Client Cache Settings [caption id="attachment_4975" align="aligncenter" width="452"] Create Custom Client Settings[/caption]
Select the Client Cache Settings tab
- Change Configure BranchCache to Yes
- Change Enable BranchCache to Yes
[caption id="attachment_4985" align="aligncenter" width="452"] Edit Client Cache Settings[/caption]
Deploy the settings (See Create and Deploy Custom Client Settings for more information).

NOTE Unlike Group Policy, if you want to disable BranchCache you must explicitly disable it using Client Settings or an alternate method. Simply removing the client setting to enable it won't revert it to it's previous state. In addition, while the feature will add the firewall rules to Windows Firewall, it will not remove them when the feature is disabled.

Verify BranchCache is Enabled

After the new client settings are retrieved and updated on clients, you will notice BranchCache is enabled.

Netsh

From a command prompt, run netsh to confirm that BranchCache is now running in Distributed Caching mode and the cache size is configured as per the Client Settings. [code]netsh branchcache show status all[/code] [caption id="attachment_4995" align="aligncenter" width="479"] Confirm BranchCache Enabled[/caption]

CAS.log

You will see the following entries in CAS.log: [code] Enabling BranchCache. ContentAccess 13/05/2017 6:45:30 PM 2600 (0x0A28) EnablePeerDistribution: Successfully enabled PeerDistribution ContentAccess 13/05/2017 6:45:32 PM 2600 (0x0A28) Setting BranchCache size to 10 of disk ContentAccess 13/05/2017 6:45:32 PM 2600 (0x0A28) SetCacheSize: Successfully set cache size ContentAccess 13/05/2017 6:45:32 PM 2600 (0x0A28) [/code]

Firewall Rules

Windows Firewall rules will be configured as per the table below:

Name	Group	Profile	Enabled	Action	Override	Program	Local Address	Remote Address	Protocol	Local Port	Remote Port
BranchCache Content Retrieval (HTTP-In)	BranchCache - Content Retrieval (Uses HTTP)	All	No	Allow	No	SYSTEM	Any	Any	TCP	80	Any
BranchCache Content Retrieval (HTTP-In)	BranchCache - Content Retrieval (Uses HTTP)	Domain,Private	Yes	Allow	No	SYSTEM	Any	Any	TCP	80	Any
BranchCache Hosted Cache Server (HTTP-In)	BranchCache - Hosted Cache Server (Uses HTTPS)	All	No	Allow	No	SYSTEM	Any	Any	TCP	80,443	Any
BranchCache Peer Discovery (WSD-In)	BranchCache - Peer Discovery (Uses WSD)	All	No	Allow	No	%SYSTEMROOT%\system32\svchost.exe	Any	Local subnet	UDP	3702	Any
BranchCache Peer Discovery (WSD-In)	BranchCache - Peer Discovery (Uses WSD)	Domain,Private	Yes	Allow	No	%SYSTEMROOT%\system32\svchost.exe	Any	Local subnet	UDP	3702	Any

Getting Started with Microsoft Intune for Education

Matt Shadbolt [MSFT] — Wed, 03 May 2017 20:22:50 GMT

HUGE announcements in the Education space yesterday, with the very exciting release of Microsoft Intune for Education. Intune for Education offers a streamlined management UI for IT Pros in Education, as well as integration with your schools Student Information System (SIS) to create/manage your groups. Getting started is quick and easy. First, browse to https://intuneeducation.portal.azure.com which is the custom portal endpoint for managing Intune for Education. Once logged in, you’ll see a UI like this Click the Launch Express Configuration to get started quickly. You’ll be prompted to Get Started If you’ve previously setup your AAD tenant to use Windows Store for Business, Intune will look to pull in the apps you’ve assigned & purchased previously. If you have a Student Information System, you’ll now be prompted to configure the School Data Sync. To setup the School Data Sync service, visit https://sds.microsoft.com/ Now select the group you’d like to first target with policies and apps. Select some apps to deploy Either leave the preconfigured settings, or customize them to your situation And your done! Now any user in the Grade 6 Students group who enrols their Windows 10 device will receive the policies and apps you’ve deployed. From the Azure Portal view, we can see: A Windows 10 settings profile has been created and deployed A Web App for Khan Academy and Mathletics has been created and deployed So within 5 minutes you’ve created and deployed some policies and apps! I hope you find the setup as quick and easy as I did. Until next time! Matt Shadbolt Senior Service Engineer Enterprise Client and Mobility – Intune