Microsoft Intune

Understand the Roles and Permissions for Distributed Management of an Intune Tenant

Just like the old SCCM days, a company using Intune needs to have a proper understanding of how to allow distributed management of the organization’s resources. The Intune RBAC table is a Microsoft Word doc that provides the following information in an easy-to-reference format:
Definition – The name of a role, and the permissions it configures.
Members – The user, or group of users who will be given these permissions.
Scope – The users or devices that a specified person (the member) can manage.
Assignment – When the definition, members, and scope have been configured, the role is assigned.
Download: Intune RBAC table

Migrate Policies from SCCM to Intune

As Intune becomes the more popular option for managing devices in the cloud, the ability to easily migrate from an existing system becomes important. One tool, Microsoft Intune Data Importer, aids in that effort. Microsoft Intune Data Importer is currently intended to migrate the following SCCM objects: configuration items, certificate profiles, email profiles, VPN profiles, Wi-Fi profiles, compliance policies, apps, and deployments.
Full details: Import Configuration Manager data to Microsoft Intune
Download the tool: Microsoft Intune Data Importer

Preparing Windows Classic Apps for Delivery Using Intune

For those utilizing Intune for device management, being able to deliver software much like pre-Intune systems is a must. For Windows, Intune supports both Microsoft Store apps and legacy, “classic” apps. To deliver classic apps, a tool is available that converts (or wraps) the packages into the .intunewin format. The tool is available from here: Microsoft Win32 Content Prep Tool
Use the Microsoft Win32 Content Prep Tool to pre-process Windows Classic apps. The packaging tool converts application installation files into the .intunewin format. The packaging tool also detects the parameters required by Intune to determine the application installation state. After you use this tool on your apps, you will be able to upload and assign the apps in the Microsoft Intune console.

Granting Local Admin Rights for Users Using Intune Devices that are Azure AD Joined

If you’d like to assign local administrator rights to specific people in the organization, you do it through the Azure Active Directory blade in the Azure portal.
1. In portal.azure.com go to Azure Active Directory.
2. Select Devices.
3. Select Device Settings.
4. Under Additional local administrators on Azure AD Joined devices, you can add the admins here.

Determine Which Group Policy Settings will Transfer to Intune and Which Will Not

Many organizations rely on Group Policies to manage various settings for their PCs. But, with a large portion of those organizations now looking to utilize Microsoft Intune for cloud-based management, determining how to manage those settings in a similar way can be difficult. A tool is available called the MDM Migration Analysis Tool (MMAT). MMAT will determine which Group Policies have been set for a target user/computer and cross-reference against its built-in list of supported MDM policies. MMAT will then generate both XML and HTML reports indicating the level of support for each Group Policy in terms of MDM equivalents.
Download: https://github.com/WindowsDeviceManagement/MMAT

Keeping Current with the Intune Updates Roadmap

Microsoft provides a Microsoft 365 Roadmap site that lists out upcoming features and provides proposed dates for release. The site also provides a filter mechanism, allowing you to display only the products you’re most interested in seeing. Intune is included as a filter so you can identify upcoming features.
Filtered just by Intune: https://www.microsoft.com/en-us/microsoft-365/roadmap?rtc=3&filters=Microsoft%20Intune
RSS feed: https://www.microsoft.com/en-us/microsoft-365/RoadmapFeatureRSS
Additionally, you can apply more filters to pare the list down to in development, rolling out, and launched.

Microsoft Intune configuration designer for OEMConfig

We’ve created a brand-new configuration designer that gives you an intuitive interface for creating OEMConfig profiles, no matter how complicated the schema gets. This eliminates the need to hand-code an OEMConfig profile using the JSON editor, which can get tricky, especially when dealing with complex or heavily nested schemas. When you select an OEMConfig application to configure, Intune reads the schema from the app, and automatically generates a full graphical user interface for configuring the settings specified in the schema. The configuration designer lets you easily:
Create and manage complex bundles and bundle arrays with many levels of nesting
View setting titles and descriptions, which OEMs may use to provide documentation
Understand what options are available for a given s...

Reminder: Hybrid MDM for Intune will Retire on September 1, 2019

Hopefully, this is just a reminder and customers won’t be blind-sided by the news. On September 1, 2019, the hybrid capability of Mobile Device Management in Intune will be retired. The original announcement for this was posted in 2018: Move from Hybrid Mobile Device Management to Intune on Azure
From an email that went out to Intune customers recently:
Microsoft will support hybrid MDM usage only up until September 1, 2019. We will continue to release major bug fixes but will not invest in new features for hybrid MDM. After September 1, any remaining hybrid managed MDM devices will no longer receive policy, apps, or security updates. There are no changes to licensing. Intune licenses are included with hybrid MDM. Note: This change does not affect on-premises System Center Configurat...

Use PowerShell to Document Your Intune Tenant

Thomas Kurth has put together a PowerShell script that can be run against an Intune tenant to retrieve information about it. This is useful in cases where you need a quick look at how Intune is configured in various areas. Currently it documents the following:
Configuration Policies
Compliance Policies
Device Enrollment Restrictions
Terms and Conditions
Applications (Only Assigned)
Application Protection Policies
AutoPilot Configuration
Get it here: Intune Documentation

Managing Windows 10 Devices in Intune Using Administrative Templates

Recently, Microsoft delivered over 2500 administrative templates-based settings for Intune administrators to better manage Windows 10 settings. These settings are very similar to what administrators are used to working with in Active Directory and GPO scenarios – further blurring the line between on-premises and the cloud. To set up and administer Windows 10 devices in Intune using these new benefits…
In the portal, go to: Microsoft Intune > Device configuration – Profiles and create a new profile.
Give the new profile an applicable name, select Windows 10 as the Platform, and choose Administrative Templates as the Profile Type.
Once you click the Create button, you’ll be taken to the properties page of the new profile: Microsoft Intune > Device configuration ...

What to Expect When a Specific WSUS Synchronization Endpoint is Decommissioned on July 8

On Monday, July 8, Microsoft will decommission one of its synchronization servers. Failover to the new architecture is available, but organizations that are still connecting to the old endpoint may experience a slowdown in the initial sync. According to Microsoft…
On Monday, July 8th, the WSUS synchronization endpoint fe2.update.microsoft.com will be fully decommissioned and no longer reachable. For WSUS servers that are still configured for the old endpoint, this change should result in a one-time slow sync (typically just a few minutes) as the WSUS server automatically switches to the new endpoint. Although the switch should occur automatically, if you encounter synchronization errors after Monday, see the KB article below for steps to verify if you are affected by the problem and ...

Tip: Windows Autopilot Branding

This repository contains a sample Windows Installer (MSI) definition that can be used to customize Windows 10 devices via Windows Autopilot (although there’s no reason it can’t be used with other deployment processes, e.g. MDT or ConfigMgr). https://github.com/mtniehaus/AutopilotBranding