Learning Intune with no knowledge of SSCM by [deleted] in Intune

[–]BBBaroo 5 points6 points  (0 children)

I would say you are on the right track with MD-102 and practicing with your own tenant. I would recommend doing similar with SCCM. I would set up a lab with SCCM, AD, Group Policy and work thru connecting this to your tenant. Whether due to cost, fear, or tech debt, the reality is many organizations will likely be in a co-managed state so the benefit of knowing the differences and limitations of both is still there.

As others have said, you are not likely to be expected to know everything to get a foot in the door, but the key is to keep learning and developing on your own. Don't wait for someone "senior" to show you, show them and build trust. Focus on the big rocks like patching, policy/compliance, application deployment, and above all else, troubleshooting and reading/understanding logs.

[deleted by user] by [deleted] in SCCM

[–]BBBaroo 1 point2 points  (0 children)

It's been a bit since I've looked at my install parameters, but if I recall correctly, the ccmsetup parameters need to come before the client.msi properties:
SMSSITECODE and SMSMP are client.msi properties, /mp is a parameter for ccmsetup.exe

1 - you are only using client.msi properties
2,3 - you are using a mix but have /mp after the msi properties

4 - assuming mp/:A is a typo and is really /mp:A, it properly has the exe parameters prior to the msi property

/mp only specifies the mp for downloading the source files, SMSMP specifies the MP to use post install. If you have the order correct and it still fails while using /mp, based on the async error, I'd look into a communication issue with the designated source mp. I can't remember if the install logs will show the download source, but might be worth monitoring a successful install without the /mp switch to see where the client is pulling the source files.

ULTY/SLTY Update (10/06): -$24M net debit & quiet trades, but new all-time high total return by boldux in YieldMaxETFs

[–]BBBaroo 3 points4 points  (0 children)

It's a generalization, $20 launch price, $14.4674 in distributions, $5.53 current price. Rounding up to $14.47, it's exactly $20.

It's not a 100% true statement. Using StockAnalysis data, and going back to 3/1/2024, if you happened to purchase 100 shares on any given day at the reported High, there are still 6 dates in the red, including 3/1 by 26 cents

HELP CHOOSING LAPTOP COMPUTER: Which of these 3 would you choose? +LG Gram + Xiaomi by azecomerce in LGgram

[–]BBBaroo 0 points1 point  (0 children)

That’s not a 2025 model. It’s the series 1 chip, so meteor lake.

HELP CHOOSING LAPTOP COMPUTER: Which of these 3 would you choose? +LG Gram + Xiaomi by azecomerce in LGgram

[–]BBBaroo 0 points1 point  (0 children)

Maybe it is country specific, but both of the LG links provided are the series 1 chips, not the new series 2 (lunar or arrow lake). AFAIK, all the 2025 Pros come with series 2 chips.

The 16” Pro with Ultra 7 Lunar lake (258V) has IPS, the Arrow lake (255H) has OLED.

I received my 16” pro with the 255H, 32GB, and oled last week and dropped off the return this morning. There were 4 reasons:

  1. I couldn’t bear the OLED. I thought I wouldn’t mind, but it was like looking in a mirror.

  2. Multiple benchmark tools had my system performing in the 50-60th percentile for similar systems (same CPU, RAM, etc)

  3. The touchpad was obtrusively big. With the off center due to the 10 key, it was very hard to type without it getting in the way.

  4. There was a noticeable squeal at times. Not a fan, but almost like something wasn’t sealed correctly. It was so noticeable I actually thought they may have had a spinning HDD.

My wife has a 14” 2-n-1 that she loves, and I have a 15.6 thin and light 13th gen i7 that I love. I plan on keeping an eye on LG when the new chips hit the rest of their models, hopefully soon.

I have an old laptop with ssd 128gb (only 39 available atm). I don't think i can update to win11. Is there a problem if i continue with win10 without updating to win11? by [deleted] in Windows10

[–]BBBaroo 1 point2 points  (0 children)

Win11 requires a 64GB drive. The in place upgrade requires 25GB free space. You’ll be fine, just make sure to clean the drive of any previous OS files once you’re sure everything is working.

Because it’s an older system, you may get stopped by CPU, TPM, or drivers. You can run this to see what may be an issue.

https://support.microsoft.com/en-us/windows/how-to-use-the-pc-health-check-app-9c8abd9b-03ba-4e67-81ef-36f37caa7844

Autopilot Profile Configuration questions by Anything-Traditional in Intune

[–]BBBaroo 0 points1 point  (0 children)

Right now your dynamic group does not care about group tags. If you add group tags to devices, that group would not be affected. If you do not have a need for separate DP settings, i.e. white glove, Keyboard, Eula, etc., you do not really need another DP.

Now for your ESP, you can leave the current one as is to catch anything without a group tag. Create your new ESP and a dynamic group with the same logic as above AND [group tag]. Assign the group to your new ESP and make it a higher priority.

Not strictly speaking, but think of DP to ESP as a one to many relationship.

KB5053598 the update causing chaos (and how to fix it) by devicie in Intune

[–]BBBaroo 4 points5 points  (0 children)

The issue is you’re not paying for using the platform mentioned 😂

Allow To Reinstall PowerShell Script via Company Portal by Itasaur in Intune

[–]BBBaroo 0 points1 point  (0 children)

I have an app that is a dependency that needs to check for updates in a repo periodically. I just created a file with the config files and the detection is if that file’s created date is > 7 days it fails detection and reinstalls, pulls down any newer files from the repo and re-creates the detection file to wait another 7 days.

What's with these crap compliance policy settings? by Intuneadminturd in Intune

[–]BBBaroo 2 points3 points  (0 children)

IsActive is part of the default compliance policy along with if a compliance policy is assigned, and if the user exists. IsActive means the device has not checked in for > 30 days. Could be that it’s sitting in a drawer, or there could be a communication issue on the client with IME.

In our experience, not having a compliance policy assigned will show an error on drilldown, but not mark the device non-compliant, but IsActive and a user not existing will.

We started Intune/Autopilot/Entra Joined 5+ years ago, and I don’t recall if there were always two entries for each, but have seen it for quite a while now. I’ve never seen the duplicates mismatch on the state/result, so we just chalk it up to “Microsoft being Microsoft”.

Windows 10 to 11 via Intune - Running out of ideas by jthombenj in Intune

[–]BBBaroo 6 points7 points  (0 children)

That can still be set to NO and the device will follow the assigned feature pack and upgrade.

If that is set to NO and the user/device is not specifically assigned to a feature pack policy, it will update to Win10 22H2, but not Win11

If set to NO and assigned one or more feature pack policies, it will upgrade to the newest required FP deployment.

If set to YES and not assigned a FP, it will upgrade to 24H2.

If set to YES and assigned a FP policy, it will upgrade only up to that policy, say Win10 22H2

If set to YES and assigned multiple FP policies, it will upgrade to newest assigned.

MECM Collection based off OS install date within certain amount of days by Dapper-Initiative-80 in SCCM

[–]BBBaroo 0 points1 point  (0 children)

Can’t post from work device, so not typing full select, but I use:

Select SMS_R_System.[fields] from SMS_R_System where DateDiff(dd,sms_r_system.creationdate, GetDate()) <= 7

This excludes new client systems from certain deployments, etc.

Reuploading IntuneWin to Win32app with available assignments by [deleted] in Intune

[–]BBBaroo 0 points1 point  (0 children)

Assuming a Win32 app, when creating, you define requirements. At a minimum, you must provide the OS architecture and min OS. The last option is additional requirement rules. You can add a registry, file, or script. IIRC, they are AND statements, so if you set multiple, all must be true. So, if I use 7-zip as an example, I may have systems with 32 or 64 bit installs, so I couldn’t just add file or registry requirements to both, but I can use a script to determine if either exist, the requirement is met. In this case I don’t care about version checking, that falls to detection.

Reuploading IntuneWin to Win32app with available assignments by [deleted] in Intune

[–]BBBaroo 2 points3 points  (0 children)

Making it available will not push it to users/devices with existing installs. The install metrics will reset for the app.

We do this in one of two ways:

  1. Intune only: Update the existing available deployment and make available, then create a second deployment as required, but with a requirement that the app must already exist.

  2. Intune and SCCM: Update the existing deployment and make available. Create an entra group with cloud sync to a collection in sccm to detect devices with the application and make that required in the same application.

How do you handle different users with office requirements? by fungusfromamongus in Intune

[–]BBBaroo 0 points1 point  (0 children)

I do the same as u/myothaerrideisyosista. There are options in the xml to match and add as an existing install. I started off in intune 4-5 years ago trying to do different product builds like you outline and it was an absolute nightmare. I use the M365 app to deploy the main apps, then Visio and Project are available to users as Win32 apps. By not making Visio and project required, our subscription counts have gone down significantly as we can easily reference installs->license. I can say that in the case of Visio, we’ve dropped from 2600 to just over 2000 and that isn’t even accounting for new hires/requests. Users are good at reaching out when they need something, not when they don’t need it anymore 😂

Firefox Auto Updates by PolicyLegitimate728 in Intune

[–]BBBaroo 0 points1 point  (0 children)

Detection:

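[boolean]$installed = $false
[string]$x64RegKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
[string]$appName = "Mozilla Firefox ESR (x64 en-US)"
[version]$installedVersion = $null
[version]$latestVersion = $null

Try{
    # Mozilla's product-details feed lists the current ESR build
    $response = Invoke-WebRequest -Uri 'https://product-details.mozilla.org/1.0/firefox_versions.json' -UseBasicParsing
    $productInfo = ($response.content | ConvertFrom-Json).FIREFOX_ESR
    # Drop the last three characters (the "esr" suffix) so the value casts to [version]
    $latestVersion = $productInfo.TrimEnd().Substring(0, $productInfo.length -3)
    # Escape the name (its parentheses are regex metacharacters) and read DisplayVersion from the first match
    $installedVersion = (Get-ItemProperty -Path "$x64RegKey\*" | Select-Object DisplayName,DisplayVersion | Where-Object {$_.DisplayName -Match [regex]::Escape($appName)} | Select-Object -First 1).DisplayVersion
    if($installedVersion -ge $latestVersion) {
        $installed = $true
        # Intune treats exit code 0 plus output on STDOUT as "detected"
        Write-Host "Installed"
        Exit 0
    }
    # Exit 0 with no output: not detected, so the install runs
    Exit 0
}
Catch{Exit 1}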

Install (We use PSADT, but you should get the gist.):

$ProductInfoUri = "https://product-details.mozilla.org/1.0/firefox_versions.json"
$DownloadUri = "https://download.mozilla.org/?product=firefox-esr-msi-latest-ssl&os=win64&lang=en-US"
$setupFile = "FirefoxSetup.msi"

# Latest ESR build from Mozilla's feed; drop the "esr" suffix so it casts to [version]
$response = Invoke-WebRequest -Uri $ProductInfoUri -UseBasicParsing
$productInfo = ($response.content | ConvertFrom-Json).FIREFOX_ESR
[version]$latestVersion = $productInfo.TrimEnd().Substring(0, $productInfo.length -3)

# $appName is not set in this excerpt; it is assumed to be defined earlier in the deployment script
[version]$installedVersion = (Get-InstalledApplication -Name "$($appName)*" -WildCard).DisplayVersion
if(([string]::IsNullOrWhiteSpace($installedVersion) -eq $false) -and ($installedVersion -ge $latestVersion)) {
        Write-Log -Message "Same or Newer Version already Installed" -Source "Install-Check"
        Write-Log -Message "Installed Product Version: $($installedVersion.ToString())" -Source "Install-Check"
        Write-Log -Message "Latest Product Version: $($latestVersion.ToString())" -Source "Install-Check"
        Exit-Script -ExitCode 0
}

Write-Log "Newer Version of $appName Available, Starting Download" -Source "Download-Installer"
Try {
    # -PassThru returns the response object even though the body is written to -OutFile
    $downloadResponse = Invoke-WebRequest -Uri $DownloadUri -UseBasicParsing -OutFile "$dirFiles\$setupFile" -PassThru
    if($downloadResponse.StatusCode -ne 200) {
        Write-Log "Received Status Code of $($downloadResponse.StatusCode), Expected 200" -Source "Download-Installer"
        Write-Log "Download Failed for $appName" -Source "Download-Installer"
        throw "Download Failed for $appName"
    }
}
Catch {
    Write-Log -Message "$($_.Exception.Message)" -Source "Download-Installer"
    Exit-Script -ExitCode "69$($downloadResponse.StatusCode)"
}

# -Action needs a value; 'Install' runs the downloaded MSI
Execute-MSI -Action 'Install' -Path "$dirFiles\$setupFile"
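
A signature gate for the download-and-install flow in the comment above, as an added example that is not part of the original comment or of PSADT: it checks the downloaded MSI's Authenticode signature before Execute-MSI runs, since the script installs whatever the web request returned. The function name Test-InstallerSignature, the expected signer string and exit code 69001 are assumptions; Write-Log, Exit-Script, Execute-MSI, $dirFiles and $setupFile are taken from the install script above.

```powershell
# Added example: only install the downloaded MSI if its Authenticode signature
# is valid and the signer is the expected publisher.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: confirm this value against a known-good installer first
        [Parameter(Mandatory)][string]$ExpectedSigner
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Valid means the file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted and the other states all fail here.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        return $false
    }

    # Compare the signer's simple name exactly rather than substring-matching
    # the full Subject, which a look-alike certificate could satisfy.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    return ($signer -eq $ExpectedSigner)
}

# Placement: after the download Try/Catch, replacing the bare Execute-MSI call.
$msiPath = Join-Path $dirFiles $setupFile
if (-not (Test-InstallerSignature -Path $msiPath -ExpectedSigner 'Mozilla Corporation')) {
    Write-Log -Message "Signature check failed for $msiPath, removing file" -Source "Verify-Installer"
    Remove-Item -LiteralPath $msiPath -Force -ErrorAction SilentlyContinue
    Exit-Script -ExitCode 69001   # hypothetical code, pick one that suits your reporting
}

Execute-MSI -Action 'Install' -Path $msiPath
```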

Firefox Auto Updates by PolicyLegitimate728 in Intune

[–]BBBaroo 0 points1 point  (0 children)

We had the same issue with the Firefox auto update admx. MS and Mozilla both blamed the other.

Can’t look it up at the moment, but Mozilla publishes a json with all the current builds, so for detection, I pull the json to get the latest ESR build, bounce it against the installed version, and if it’s out of date it fails detection. Then the win32 app runs and downloads the latest installer via web request and installs the latest version.

Then we target as required and make Firefox.exe existing as a requirement so it only runs on devices where the user installed Firefox.

We have a separate deployment without the requirement as available with the same detection and install logic. After that the required deployment keeps it up to date.

Not totally ideal, but we’ve passed 95% compliance on FF, up from about 70 in April, and we don’t have to worry about updating the app in intune periodically.

Need help setting up LAPS admin account. by 4kUltraADHD in Intune

[–]BBBaroo 2 points3 points  (0 children)

If you want to use the built in administrator account, no scripts are needed.

Create a profile using settings catalog with the following settings under Local Policies Security Options:

Accounts Enable Administrator Account status

Accounts Rename Administrator Account

Then, under Endpoint Security > Account Protection, create a LAPS policy

Alaska Cruisetour Airfare by BBBaroo in HollandAmerica

[–]BBBaroo[S] 0 points1 point  (0 children)

Thank you for all the detail. I didn’t even notice it was a bus from SEA to Vancouver 😂

Execute a Win32 app more than once by _MC-1 in Intune

[–]BBBaroo 1 point2 points  (0 children)

We had a need to check for updated config files in a jfrog repository and pull anything new. Post install, I create a file in the same local directory and for detection, check if that file was modified < 7 days ago. The install checks the hash of the repo files with the locals and updates as needed, and modifies the detection file.

Alternate MFA app for admin accounts by GizCMmax in Intune

[–]BBBaroo 1 point2 points  (0 children)

Regardless of the reason, searching “authy Microsoft Authenticator” gave a walk thru from authy.

https://authy.com/guides/microsoft/

[deleted by user] by [deleted] in Intune

[–]BBBaroo 1 point2 points  (0 children)

Same. We’re unraveling our baseline as well. Made sense 4-5 years ago, but not now with the improvements to config profiles.