SCCM – New co-management options

With the latest version of SCCM Current Branch (1806), new options are available for the co-management capability: Mobile apps, to use Intune for mobile application deployment while keeping your Windows client managed by SCCM; and Office Click-to-Run, to use Intune for Office 365 Click-to-Run deployment.

SCCM – A new version of SCCM Current Branch is now available

Update 1806 for System Center Configuration Manager (SCCM) Current Branch has been released and is now available for production customers. As usual, the update is delivered as an ‘in-console update’ (Administration workspace\Updates and Servicing). If the update is not yet available and you do not want to wait, a PowerShell script to force the detection is available here: https://gallery.technet.microsoft.com/ConfigMgr-1806-Enable-3eb4b46c. As part of the new capabilities, you can: add…

Intune – Third-party certification authorities are now supported for SCEP

One of the important security management responsibilities of Microsoft Intune is the ability to issue certificates to devices using the Simple Certificate Enrollment Protocol (SCEP). Starting today, Intune supports third-party certification authorities for SCEP, starting with Entrust as the first CA. Active Directory Certificate Services is still supported, of course. Below is a high-level diagram explaining how SCEP works with Intune (courtesy of Microsoft). To set up the…

Windows 10 – Error 0x80180014 when joining Windows 10 to Azure AD

I just got an interesting error when trying to join a Windows 10 1803 device to Azure AD; I was continuously getting the error ‘0x80180014’ when trying to join the device to Azure AD. The interesting thing was that this device had already been Azure AD Joined but had been reset, with all references in Azure AD or Intune removed. Nonetheless, each time I tried to join again I was getting this…

Intune – Third party antivirus solutions are now supported for Device Compliance Policy

Until the last Intune update (week of July 2, 2018), when setting up a Windows 10 Device Compliance Policy you were obliged to use Windows Defender as the local antivirus solution if you wanted to require an antivirus solution for the device to be marked as compliant. After this update, you can set this requirement even if you are using a third-party antivirus solution (such as Symantec) as…

Intune – Automatic device cleanup

With the latest Intune update (week of July 2, 2018), a new feature has been added to automatically clean up devices in Intune that have not contacted the service. As you may be aware, devices which do not contact the Intune service for a certain period of time are marked as not compliant, and there may be some work for the Intune administrators to clean up these devices. With this update you can now…

Intune – The Intune Silverlight portal is going to be removed

About 18 months ago, Microsoft announced the integration of the Intune service into the Azure ARM portal. Now, the Intune Silverlight portal is going to be removed (starting August 31st, 2018) with all Intune capabilities moved to the Azure ARM portal. If you are still using the Intune agent to manage Windows 7 (and later), the Silverlight portal will remain available. This will be the only workload remaining in this…

Intune – Enhanced conditional access with Windows Defender ATP

With Windows 10, Microsoft has introduced an advanced protection system integrated with Windows Defender called Windows Defender Advanced Threat Protection (WDATP) (see https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection to know more). Now, with Intune you can also use the Windows Defender ATP status to allow or deny access to resources. To use Windows Defender ATP in your conditional access, go to your Azure ARM portal (https://portal.azure.com) and access your Intune\Device Compliance configuration blade. Access the policies blade and…

Intune – Enable Windows Redeployment from logon screen

Starting with Windows 10 build 1709, it is possible for administrators to re-initialize Windows 10 devices to remove personal files and settings and revert the device to an original state, while keeping the device enrollment.

Enable the policy

To make Windows Automatic Deployment available from the logon screen, you must first enable the policy, which can be done either with Intune (or any MDM supporting CSP) or with a Windows…

Intune – You can now assign mobile apps to all users

A new option has made its appearance on the Intune management portal when assigning applications. You can now assign an application as available to all users with enrolled devices; you no longer need to assign it to a group. At the time of writing this post, this option is only available for Microsoft Store for Business apps (I’m sure this will come to the Apple and Google stores too). In…

SCCM – Co-management is now available in SCCM Current Branch (1710)

The latest update for SCCM Current Branch is now available and includes the announced co-management feature. The co-management feature allows you to manage your devices with Intune and SCCM without having to set up an Intune subscription on SCCM, especially in scenarios where a Windows 10 Azure AD Joined device needs to use the SCCM agent. Once you have installed the SCCM update (as usual you can force it by using the…

Intune – Conditional Access is moving to be only on Azure AD

In January 2018, conditional access policies for Intune will be moved for good to Azure AD. Until now (and until January 2018), conditional access configuration is/was available through the ‘classic’ Silverlight Intune portal, the Intune App Protection (MAM) blade and the classic Azure AD portal. If you have policies configured on any of these previous access points, you need to review them and start configuring these policies using the new Azure AD portal.…

Intune – Enrollment status screen

With Windows 10 build 1709 (Fall Creators Update) and Intune, you can now provide details to the end-user while enrolling the device. This can be quite helpful to let them know what is going on as well as for troubleshooting purposes. To enable and configure it, you need to log on to your Azure ARM portal and go to Intune. Then you need to go to the Device enrollment\Windows enrollment section…

Azure AD – Allow end-users to reset password or PIN from the login screen

UPDATE 21 Nov 2017: You can also use the registry key HKLM\Software\Policies\Microsoft\AzureADAccount to enable this. Create a DWORD key named AllowPasswordReset with the value 00000001. I have tested with an AAD Joined device managed with SCCM. Will test with an AD Joined device later.

With Windows 10 Fall Creators Update (build 1709) you can allow your end-users to self-reset their password (or PIN) directly from the login screen.…
