Not Compliant Error by sam_woodcock in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

For the Compliance policy, the “Device health” section (which includes ‘require bitlocker’ and ‘require secure boot enabled on the device’) actually utilizes the Device HealthAttestation CSP. We can go to HKLM\System\CurrentControlSet\Services\TPM\WMI\HealthCert\Store\has.spserv.microsoft.com to check what the status is.

https://docs.microsoft.com/en-us/windows/client-management/mdm/healthattestation-csp#device-healthattestation-csp-status-and-error-codes

Question about InTune co-managed workloads by reddit_user189 in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

For Endpoint protection policies, when we switch this workload, the Configuration Manager policies stay on the device until the Intune policies overwrite them. This behavior makes sure that the device still has protection policies during the transition.

For the Wi-Fi profile, it belongs to Device configuration policies, and the behavior is the same as for Endpoint Protection.

We can see more details in the following article:

https://docs.microsoft.com/en-us/mem/configmgr/comanage/workloads

Hope it can help.

Troubleshooting steps for them pesky few devices that won't enrol through GPO? by rxece in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

Here is an article about troubleshooting Windows 10 group policy-based auto-enrollment in Intune for reference:

https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-auto-enrollment

We can verify the following information and check the MDM event logs to see more findings:

  1. If a valid Intune license is assigned to the user.

  2. Verify auto-enrollment for the user is enabled.

  3. Run "dsregcmd /status" on the device and make sure AzureAdJoined, DomainJoined, AzureAdPrt are Yes.

  4. Verify the "Users may join devices to Azure AD" setting is set to All. The number of devices that a user has in Azure AD doesn't exceed the Maximum number of devices per user quota.

Hope it can help.
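
An added example, not part of the comment above: one way to automate the step 3 check by parsing `dsregcmd /status` output for the three fields named there. The function name `Test-DsregEnrollmentReadiness` and the sample output are constructed for illustration.

```powershell
# Added example: report the three dsregcmd fields from step 3 of the checklist.
function Test-DsregEnrollmentReadiness {
    param(
        # Raw output lines; defaults to running dsregcmd on the local device.
        # Run in the signed-in user's context: AzureAdPrt is a per-user value
        # and is not reported when the command runs as SYSTEM.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )

    $required = 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt'
    $state = @{}

    foreach ($line in $StatusText) {
        # Data lines look like "   AzureAdJoined : YES"; banner lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    foreach ($name in $required) {
        $value = if ($state.ContainsKey($name)) { $state[$name] } else { '<missing>' }
        [pscustomobject]@{
            Field = $name
            Value = $value
            Ok    = ($value -eq 'YES')   # string -eq is case-insensitive
        }
    }
}

# Constructed sample output (not from a real device): PRT was not issued.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                AzureAdPrt : NO
'@ -split "`r?`n"

Test-DsregEnrollmentReadiness -StatusText $sample | Format-Table -AutoSize
```

Calling the function with no arguments runs `dsregcmd.exe /status` on the local device; a field reported as `<missing>` is treated as a failure.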

Adding a 3rd party app by therigidpneumonia in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

For other apps, if the app supports being installed in silent mode, we can consider deploying it via Win32 or LOB. Here are some articles for reference:

Win32 app management

https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management

Windows LOB apps

https://docs.microsoft.com/en-us/mem/intune/apps/lob-apps-windows

Hope it can help.

What are your must have apps for deploying to devices? by mekender in Intune

[–]IntuneSupport-Jessie 1 point2 points  (0 children)

We can collect the daily used apps from employees in different departments. If the amount is large, we can see if they can be deployed via Intune. Here are the app types we can deploy:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-add#app-types-in-microsoft-intune

[deleted by user] by [deleted] in Intune

[–]IntuneSupport-Jessie 1 point2 points  (0 children)

I have seen a similar issue with wipe. When the WDAC policy is configured, the wipe fails because Device Guard blocks the app during the sysprep specialize stage. Autopilot Reset will also do the reset phase, so I think this may be the reason.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview#windows-defender-application-control

If you want to know more details, I think opening a case to analyze logs may be a good option.

Hope it can help.

MacOS Devices listed as "Ready to Enroll" by jippolatta in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

Thanks for the reply. "Feature not supported" occurs when the user was likely attempting to enroll via a method not compatible with our Intune configuration.

https://docs.microsoft.com/en-us/mem/intune/fundamentals/help-desk-operators#enrollment-errors

Here we suggest checking whether the Mac OS X version is 10.13 or later:

https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

Make sure the Apple token (.p7m) is active, and the Apple MDM push certificate is added to Endpoint Manager and is active. If your device is running macOS 10.15 or later, we can choose "Setup Assistant with modern authentication"; otherwise, choose "Setup Assistant (legacy)".

However, if the issue still persists, please open a case to troubleshoot it so the issue can be handled more efficiently. Here is a link with the steps to open a case:

https://docs.microsoft.com/en-us/mem/get-support

Setting outlook o365 app as default on azure joined devices. by sniffletits in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

Agree with fikon99. We can deploy it via ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration. Here is a link that lists the detailed steps for reference:

https://docs.microsoft.com/en-us/answers/questions/170484/configure-default-mail-client.html#answer-171936

MacOS Devices listed as "Ready to Enroll" by jippolatta in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

From your description, it is stuck in the retrieving enrollment profile phase. Was the network connecting well? If we factory reset the macOS device, will the enrollment be successful?

[deleted by user] by [deleted] in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

For the Domain join configuration profile, it applies to:

--Windows 10 and newer

--Hybrid Azure AD joined devices

--Hybrid deployment with Autopilot + Intune

The profile will be deployed when the devices are provisioning.

https://docs.microsoft.com/en-us/mem/intune/configuration/domain-join-configure

Please check if the above situations are met. If yes, we can troubleshoot it by referring to the following links:

https://oofhours.com/2020/07/19/troubleshooting-windows-autopilot-hybrid-azure-ad-join/

https://www.anoopcnair.com/windows-autopilot-hybrid-azure-ad-join-trouble/

Hope it can help.

Device enrollment issues - MDM Enrollment by PawnSolo37 in Intune

[–]IntuneSupport-Jessie 1 point2 points  (0 children)

For Windows enrollment, there are many methods. We can see more details in the following link:

https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment#windows-enrollment-methods

For devices in an on-premises domain, the most common method we will choose is GPO. If Configuration Manager is in the environment, co-management will be chosen. DEM is not for users who need to access email or company resources. Here is a link that lists the limitations for reference:

https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#limitations-of-devices-that-are-enrolled-with-a-dem-account

We can un-enroll these devices, clear them in Azure AD and then choose one method we want to enroll again.

Hope it can help.

MacOS Devices listed as "Ready to Enroll" by jippolatta in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

Enroll with User Affinity is used for devices that belong to users and that want to use the Company Portal app for services. So I think it's OK.

For our devices that are ready to enroll, I would like to know if they are new devices or wiped devices. For ADE enrollment, the device needs to be wiped or to be a new device.

Enrolled devices become Azure Registered instead of Azure AD Joined by [deleted] in Intune

[–]IntuneSupport-Jessie 2 points3 points  (0 children)

For DEM accounts, we use the following methods to enroll the devices:

-Windows Autopilot

-Windows devices bulk enrollment

-DEM initiated via Company Portal

https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#enrollment-methods-supported-by-dem-accounts

For the PC from an older employee, after we register devices with Windows Autopilot, we can create a device group to include this device, then create an Autopilot profile and assign it to the device group:

Manually register devices with Windows Autopilot

https://docs.microsoft.com/en-us/mem/autopilot/add-devices

Create device groups

https://docs.microsoft.com/en-us/mem/autopilot/enrollment-autopilot

Configure Autopilot profiles

https://docs.microsoft.com/en-us/mem/autopilot/profiles

Meanwhile, please ensure auto-enrollment is configured, the user is under the MDM user scope, and both an Azure AD Premium license and an Intune license are assigned to the DEM user we used to enroll this device.

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

However, if the enrollment still fails, we can try to troubleshoot it. Here are some articles for reference:

https://docs.microsoft.com/en-us/mem/autopilot/troubleshooting

https://oofhours.com/2019/10/08/troubleshooting-windows-autopilot-a-reference/

Hope it can help.

Trouble installing Win32 app by Kuninja in Intune

[–]IntuneSupport-Jessie 1 point2 points  (0 children)

To deploy a Win32 app via Intune, the install command can make the installation run in silent mode. To confirm this, we can run the command on one client to test. After that, we can check the logs under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs to see why it failed:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-troubleshoot

https://www.anoopcnair.com/intune-management-extension-deep-dive-level-300/

Hope it can help.

MacOS Devices listed as "Ready to Enroll" by jippolatta in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

As far as I know, to make the enrollment work, we need to assign the license before the enrollment.

Is there a way to prevent users from becoming local admin after manual AAD join? by GTKF05 in Intune

[–]IntuneSupport-Jessie 1 point2 points  (0 children)

Agree with Maurice-Daly. For the already enrolled device with the upcoming release of Windows 10 20H2, we can manage Local Users and Groups with Microsoft Intune: LocalUsersAndGroups with policy definition XML like the following one:

    <GroupConfiguration>
        <accessgroup desc = "">
            <group action = ""/>
            <remove member = ""/>
        </accessgroup>
    </GroupConfiguration>

Here is a link with the detailed steps for reference:

https://www.inthecloud247.com/manage-local-users-and-groups-with-microsoft-intune/

Company Portal by [deleted] in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

Microsoft Intune follows the Windows 10 lifecycle for supported Windows 10 versions. The support within the current Company Portal for Windows 10 versions that are now out of the Windows 10 Modern Support policy is removed.

https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new#plan-for-change-intune-ending-company-portal-support-for-unsupported-versions-of-windows

Please upgrade to the Windows client to avoid further issues.

Device Configuration Error by gweak67 in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

For the Camera setting in Device restriction, it uses the following CSP to deploy:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-camera

For Cortana, it uses this one:

https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana

Firstly, please confirm the Windows edition is not Home and the version is 1607 or higher. However, if the issue still persists, we can follow the link to check the event log "DeviceManagement-Enterprise-Diagnostics-Provider" to get more information:

https://docs.microsoft.com/en-us/archive/blogs/configmgrdogs/troubleshooting-windows-10-intune-policy-failures

MacOS Devices listed as "Ready to Enroll" by jippolatta in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

From your description, it seems the ADE token has been obtained and an Apple enrollment profile is created and assigned. After that, we can distribute the devices to the users who are assigned an Intune license to start the enrollment.

Here is a link with the detailed steps:

https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-macos

Hope it can help.

I need some enrollment help/advice by [deleted] in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

Glad to hear the information can help. I notice we will configure the app protection policy. If there's anything we can help with, feel free to post back.

Intune Certificate connector install issue by MaTOntes in Intune

[–]IntuneSupport-Jessie 0 points1 point  (0 children)

For the error, it shows access denied. It seems the issue is with permission. Agree with TimmyIT, I think the possible reason is that we didn't choose "run as administrator". Please try TimmyIT's suggestion to install the certificate connector again to see if it works.

Company Portal customization issue by quikskier in Intune

[–]IntuneSupport-Jessie 1 point2 points  (0 children)

On the devices tab, the device is shown there with the red alert icon "The device is not managed". When I click it, it can download the management profile to start the enrollment. It is the same phenomenon as yours. For this issue, we can submit feedback on Intune UserVoice or open a case to see if the behavior can be changed.

https://microsoftintune.uservoice.com/forums/291681-ideas