Recently when working with a customer I was troubleshooting why their devices were showing up as Azure AD Registered in the Azure portal in Azure Active Directory when they should be Hybrid Azure AD joined. These were Windows 10 1809 devices.
When running “dsregcmd /status” on one of the machines, it would show as AzureAdJoined : NO. When it is Hybrid Azure AD joined, it should still say Yes.
If you run the command as admin, you will see there is Diagnostic Data section. On my devices, it said:
Client ErrorCode : 0x801c03f2 Server ErrorCode : DirectoryError Server Message: The device object by the given id (guid) is not found.
This is because the device(s) has not been synced to Azure AD by Azure AD Connect. Make sure that the OU’s that the computer objects are in is set to sync to Azure AD. In my customer’s configuration, they had additional filtering where the users and computer objects needed to be in a Security Group to be synced to Azure AD.
Once the Azure AD Connect sync had completed successfully, and the device registration task had run again on the client, the machine now shows as Hybrid Azure AD joined in the Azure portal.
The following post contains the new features and updated features from October 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.
Leveraging your Azure subscription for Microsoft Intune massively reduces the requirements for on-premises infrastructure. In this post I will show you how to use Azure Blob Storage to provide the Lock Screen and Desktop background all with the power of the Microsoft Cloud.
First up you will need to create a storage account within your Azure subscription.
Specify the following; – Resource Group – Storage Account Name – Location (Europe) UK South
Once the storage account has successful created, you will need to go to the resource
Go to “Containers” Create new “Container” Specify the name of the Container Specify the Public Access level as “Blob” Then click ok
Click on your new “Container”
Click Upload You will need to upload your required .jpg file
Click on the uploaded file and you will be provided a URL which can be used
Provide the URL into your required destination for example Lock Screen as shown below
As you can see from below my Lockscreen and Desktop backgrounds are what I have specifed.
Enterprise organizations today are becoming more and more security conscious of where the corporate resides. If you have come across Windows Information Protection yet, check out the below video from Microsoft.
Right let us jump right into it
Windows Information Protection is configured via the Microsoft Intune portal. Browse to Client Apps –> App protection policies –> Required settings
Windows Information Protection mode
Block: Block enterprise data from leaving protected apps
Allow overrides: User is prompted when attempting to relocate data from a protected to a non-protected app. If they choose to override this prompt, the action will be logged.
Silent: User is free to relocate data off of protected apps. No actions are logged.
Off: User is free to relocate data off of protected apps. No actions are logged.
You will need to specify your corporate identity, if you have multiple identities you will need to “Protected Domains” under “Advanced settings” –> “Add network boundary”
Once you have selected the Windows Protection mode, we need some applications to protect.
This step is definitely one of the easiest to do, as Microsoft has already generated a list of all the default applications and all you need to do is go to “Protected Apps” and “Add apps”.
For the purpose of this blog, I have missed out the Cloud Resources as shown below.
This detail can be found via the following url
Now you are good to go to protect your corporate information
I have recently been running into the following issue where using white-glove experience for Windows Autopilot. The error already occurs around the 14-minute mark when “Registering the device for mobile management”.
This issue is cause by multiple MDM enrollment applications defined within the Mobility (MDM and MAM) window within your Azure Active Directory
Once I had remove Microsoft Intune Enrolment, Windows Autopilot provisioing was able to successful complete.
After a bit of recent investigate App Protection policies I have noticed a large chunk of information missing from Microsoft resources and other blog posts. I have recently experienced an issue where network boundaries were not configured correctly and I had to ensure that all applications that were being protected do not experience any issues access corporate resources.
It is recommended to use the following when adding a network boundary.
The following post contains the new features and updated features from September 2019. This post enables you to quickly glance at the Office 365 Roadmap that directly targets Microsoft Intune based on the latest information provided from Microsoft.
One of the many cool things about Microsoft Intune is the granular configuration of Windows 10 devices using the native functions available us today. In this little post we will look at just how easy is it to create a corporate Windows 10 layout and publish to all of your client desktops automatically.
The general prerequisites for this feature is that your Windows 10 desktops are synchronized and present in Azure Active Directory.
Export the Start Layout
When you have the Start screen layout that you want your users to see, use the Export-StartLayout cmdlet in Windows PowerShell to export the Start screen to an .xml file.
From Start, open Windows PowerShell.
At the Windows PowerShell command prompt, enter the following command:
Once you have an exported Start Layout you can use the XML file to apply this start layout to your entire organization using Microsoft Intune. Browse to your Intune Portal and go to Device Configuration –> Profile
Hopefully you may already have a Windows 10 – Device Restriction Profile.
If not, dont worry you will just have to create a new profile for Windows 10 and Device Restrictions.
Once in the profile properties, go to Settings and look for “Start” as at this point you can upload your Windows 10 start menu layout. If you may chose you will also be able to affect the look of the start menu by blocking or hide elements on the menu. For example you can block Fast Switching and hide File Explorer from the Start.
Once you have saved your configured and your Windows 10 device has checked in, it will receive your new and improved Start Menu
As the power of Microsoft Intune grows with great force, in this blog post we are going to look at how to install Google Chrome and manage via Microsoft Intune. I have been recently looking how to leverage Microsoft Intune for more than just Microsoft based tooling and Google Chrome can be installed and managed for Windows 10 desktop estate.
Microsoft 365 Device Management otherwise known as InTune, is a very popular and command device management solution you will see in most organizations. The evolution of InTune has moved very quickly with the times and you probably have the correct licenses within your organization but are currently using something like AirWatch. This post is going to dive into my personal tenant where I have configured 365 Device Management for my Android phone. In this post I am going to run through the basics of getting Microsoft 365 Device Management up and running for mobile devices likes phones and tablets. All configuration is based on what is current set within my own environment and may not apply to your organisation.
The Microsoft 365 Device Management dashboard is configurable to your requirements. If there is something on the dashboard you would like to see or not, you can easily edit the page and add in additional tiles as shown below.
You can also create your own Dashboard leaving the defaults as they are;
This section contains all the services that available within the M365 Device Management Portal, as you can some of the options dont know contain a gold star. All this basically means is that the option is not displayed on your left hand panel which is customizable to the options you want to see.
In order to support iOS device Microsoft inTune requires an Apple MDM Push Certificate to manage and support multiple enrollment methods.
Microsoft Intune by default supports all Android devices. Managed Google Play enables management of Work Profile and other Android Enterprise functionality.
Android Enterprise provides 3 additional functions within this selected once Managed Google Play is configured.
Personal devices with work profiles
This options allows your corporation to manage corporate data and apps on user-owned Android device. You are able to approve applications within the Google Play Store which you organization would like to manage for example Outlook. Once the applications are approved, Enrollment Restrictions allows you to configure with greater control, which groups of users should be managed using Work Profiles.
Corporate-owned dedicated devices
This option allows your corporation to manage manage device owner enrollments for kiosk and task devices using with QR Codes or tokens.
This option is only in Preview currently and more developments are expected. In its current state, end users are able to enroll their corporate-owned devices by sending a company token. You can also use the Zero Touch Portal for auto provisioning deployment, this features apart of the InTune portal but will be coming soon.
In this section we can configure Microsoft Intune enrollment for Windows devices.
This options allows your corporation to configure Automatic Enrollment when a Windows devices join or register with Azure Active Directory. You can configure user scopes for MDM and MAM.
Unsure of the the different between the two?
MDM: addresses lack of control over corporate and personal devices, and lost device security
Ensures device compliance through user and device registration, configuration on-premisesand passcode management
Secures devices on the network so you can monitor, report, track and update devices – and even locate, lock and wipe devices, if lost or stolen
MAM: addresses lack of compliance with data and privacy requirements, and lost data retrieval
User identity policy, single sign-on and conditional access tailored
by role and device (with Intune or Active Directory on premises or in
Monitors and pushes app updates, including mobile document
management for online or cloud-provisioned apps like SharePoint and
Windows Hello for Business
This option allows your corporation to replace password with strong two-factor authentication. Please note: This is a default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership. Devices must be Windows 10, Windows 10 Mobile or later to be supported.
This option is a must for all organizations as its removes the need for end user to provide the MDM server address when enrolling this devices.
Enrollment Status Page
This option allows your end user to see the status of how the enrollment process. However, you can also block devices until all apps and profiles are installed.
Windows Autopilot deployment profiles lets you customize the out-of-box experience for your devices
Windows Autopilot lets you customize the out-of-box experience (OOBE) for your users.
Intune connector for Active Directory
This option requires your organisation to download the Intune connector for Active Directory to support the Hybrid connection for Azure AD.
Terms and conditions
This option can be configured with Intune but the look and feel is quite basic as shown below;
However, if you configure Azure AD T&C it gives a better slicker output within your Company Portal.
A device must comply with the highest priority enrollment restrictions assigned to its user. You can drag a device restriction to change its priority. Default restrictions are lowest priority for all users and govern userless enrollments. Default restrictions may be edited, but not deleted.
Create device categories from which users must choose during device enrollment. You can filter reports and create Azure Active Directory device groups based on device categories
Corporate device identifiers
This option you add devices in based on the IMEI or serial, this can be done manually or via CSV upload.