# microsoft-endpoint-management
  • a

    Amir Joseph Sayes

    03/26/2024, 1:39 PM
    Is everyone footing the bill of $3 per user per month to provide help desk with the ability to remote control to AAD joined endpoints via Intune? My scenario is Win 11 AAD joined only devices that are co-managed (have SCCM client installed) and we are trying to get help desk guys to be able to support users via a remote control console. In my testing SCCM remote control doesn’t work? Only other option is RDP via web creds which means the support guys can’t control over the existing user session… What are you guys doing to solve this?
  • e

    Eric

    03/26/2024, 7:59 PM
    Go ControlUp DX
    👍 2
  • d

    Daniel Swafford

    04/17/2024, 9:22 PM
    Anyone have a bulletproof method of removing personal Teams from new deployments that works during ESP?
  • a

    Andrew Gresbach

    04/18/2024, 3:16 PM
    We're prepping to upgrade our Windows 10 Intune laptops to 11 w/ a new update ring config. The config is getting down to the laptop and I thought I had it set to take effect pretty immediately, but it's been about 2 weeks and my test machine is still not getting anything (several reboots and even a manual check for updates). My first machine sat for 4 days and I had to click check and only then would it go, but not having a lot of trust in this so hoping I am just missing something. I made sure to include a new Windows 11 group with my test machine and on the existing Windows 10 upgrade ring exclude this group to isolate it. Anything I'm missing that anyone can suggest? (I set the active hours to only an hour to try and nudge it along even.)
  • e

    Eric

    04/27/2024, 7:01 PM
    I'm soft launching a SaaS called Always Up To Date targeting smaller Intune customers. The back plane is Patch My PC, but it's a pay per month service including X number of free custom apps depending on the plan. Referral Program. Please DM. https://alwaysuptodate.ai/subscription/
  • b

    BridgeBot

    05/01/2024, 11:28 AM
    Struggling to get Windows Store (new) apps to install on hybrid joined VDIs. They don't appear in Company Portal if made available and do not install if set to required. I cannot see any logs in the Intune management logs that show anything useful. I'm really not too sure.
  • j

    James Ma

    05/02/2024, 8:40 PM
    Anyone enrolling macOS? There is no enrollment option to "Apply device name template" for supervised devices. Any workaround for this that you are using, or can you point me to a solution?
  • r

    Ryan Swanepoel

    05/03/2024, 9:05 AM
    Anyone managing macOS in Intune, how do you manage access to on-prem file shares? Do you have to bind the devices to Active Directory? If so, how does that work with the new Platform SSO via the Portal App?
  • j

    Jarian Gibson

    05/07/2024, 12:31 AM
    has renamed the channel from "microsoft-intune" to "microsoft-endpoint-management"
  • j

    Jarian Gibson

    05/07/2024, 12:31 AM
    set the channel description: Discuss all things endpoint management related
  • j

    Jarian Gibson

    05/07/2024, 12:32 AM
    Test
  • j

    Jonathan Abramson

    05/07/2024, 7:18 PM
    Nice. Thanks @Jarian Gibson
    👍🏽 1
    👍 1
  • j

    Jonathan Abramson

    05/29/2024, 1:30 PM
    Hi all. I'm looking for a good way with Intune or SCCM to detect devices where the user is in the administrator group. I have a single PSS, a couple of management points, including an IBCM, and about 3000 active devices being managed in my SCCM. So, I've tried several methods so far. First, using CMPivot, which works. However, the devices must be online, and most of our devices aren't on VPN or at the office, which SCCM manages. So, I don't get a lot of results. I've tried a couple of methods of pushing Configuration Baselines, but after weeks, I still don't have many showing up non-compliant where the user is in the Admin group. I have tried what I've found on Powerstacks, ItNinja, tcsmug.org, and eskonr.com. Again, I'm not seeing many results, even on devices where I know the user is in the local Admin group. I've done the MOF and added the item to the hardware inventory, too. Part of the issue is that the Baselines aren't running, but I'm unsure if that's it. I've also been testing a detection script in Intune, which may be promising. Does anyone have a better way to track which devices have users who are local admins?
  • j

    Jon Bucud

    07/01/2024, 10:13 PM
    We're a WorkspaceONE UEM and are evaluating Intune for MEM config / secure ActiveSync (On-prem Exchange 2016 --enroute to--> 2019 -> ExchangeSE ) access for BYOD Android/iOS devices. Currently fronting Exchange with on-prem SEG/UAGs as we do not have dNAT from the internet to Exchange EAS/EWS virtual directories enabled. Simple MEM config of EAS config payload and 2 compliance checks; not jailbroken/passcode enabled. Is there an Intune equiv of the UAG/SEG (middleware where compliance is validated before proxying back to EAS) or will we have to go back to fronting the EAS virtual directory with a FW/WAF/etc? Looks like MS Tunnel Server has similarities to the UAG? But my assumption is that's a persistent tunnel from mobile device to MS Tunnel Server -> Exchange. What about Azure App Proxy? Can that be used in front of Exchange on-prem, in conjunction with Entra Conditional Access Policies for auth eval -> MFA?
  • a

    Andrew Gresbach

    07/09/2024, 9:13 PM
    Curious if anyone has used this script to battle Intune expired cert issues on endpoints. We're getting waves of them stopping from checking in, so we opened a MS ticket, where they gave us a much more drawn out solution that involved end user interaction, until I stumbled on this, which is super easy and silent to the user. I had MS validate that it was safe so we've been successfully using it. The big thing I'm trying to see is if the "test-intunesyncerrors" command can be run w/out the "are you sure" prompt (tried -force but doesn't work) so that I can fully automate it, but no such luck yet. https://call4cloud.nl/2022/10/intune-sync-debug-tool-the-last-royal-treasure/
  • j

    Jeff Carroll

    10/07/2024, 5:21 PM
    Checking for people's thoughts and experiences on using Intune Proactive Remediation to resolve issues and deploy fixes to endpoints, and the frequency these scripts run. I am attributing performance issues on endpoints to too many scripts being executed on endpoints one after the other. I am wondering if others experience this or have thoughts on using PR scripts.
  • e

    Eric

    10/07/2024, 5:44 PM
    When testing every 1 hour, once fixed, switch to daily
  • e

    Eric

    10/07/2024, 5:44 PM
    not seeing performance issues
  • a

    Andrew Gresbach

    10/23/2024, 2:54 AM
    This maybe is more of a general channel question, but we are pushing Windows 11 to our 10 laptops via Intune policies and working well so far. One of our execs claims he never got the pop up saying the update was ready for reboot like we told him it would and that when he left for the day he "hit ctrl alt del, logged off and closed the lid and the next morning he had Windows 11". A lot of room for interpretation there to what actually happened, but if 11 was staged and ready for reboot and he missed the pop up, would logging off outside of business hours be enough for the system to kick off the reboot on its own since a user isn't logged on?
  • j

    Julian Jakob

    11/15/2024, 2:11 PM
    Anyone successfully deployed NetScaler as micro VPN gateway combined with Intune and MS Edge App's micro-VPN SDK (so no VPN app of third party like Citrix Secure Access needed, anymore) with or without NAC like described here? https://docs.netscaler.com/en-us/netscaler-gateway/current-release/microsoft-intune-integration/setup-gateway-for-microvpn-integration-with-intune
  • a

    Andrew Gresbach

    11/26/2024, 8:36 PM
    Trying to clean up our Intune Autopilot setup to clear up some errors and speed it up a bit, and a bit stuck. During the Device Setup we are getting stuck at a 0x87d1041c error during Apps (this step eventually times out so takes a while). After it gets to the Account setup it seems to take quite a bit of time on Security policies (Identifying) before it eventually succeeds and moves on. The last thing I'm stuck on is the Apps section of Account setup shows 1 of 2, so I'm trying to find out which of our assigned apps are going in under Account setup and what is under Device (to maybe try and isolate which is ticked off in the device setup part). What we'd LOVE to do is ONLY install say 1 or 2 apps at this part and the rest can install once the user is logged in, but want to streamline it as best as we can. I know we can set the policy to block unless certain apps are installed, but as I understand it you have no control in which order things install so can't have it install those required apps first (unless I'm mistaken). Any advice here?
  • e

    Eric

    11/26/2024, 8:45 PM
    True, which 2 apps are you installing during ESP?
  • j

    Jonathan Pitre

    01/16/2025, 12:06 AM
    What's the best way to deploy registry entries with Intune? Building a Win32 app every time is beyond ridiculous. Is there a better way?
  • e

    Eric

    01/16/2025, 12:25 AM
    Proactive remediation
  • j

    Jonathan Pitre

    01/16/2025, 3:33 AM
    While you can deploy registry entries with remediations, they won't be there during or right after the Autopilot process. Only a script or a script wrapped into an intunewin file can do that. And proactive remediation still requires scripting, it's a bit overkill if you need to deploy one specific registry value for instance. I want something like Group Policy Preference but for Intune and AzureAD. 😬
  • n

    Nathan Sperry

    01/16/2025, 7:02 AM
    Other option would be to use a custom ADMX. The choices you have are this, a platform script, or a Win32 app wrapper if you want it to apply during the AP process.
    👍 1
  • e

    Eric

    01/16/2025, 2:48 PM
    If you need it straight away, use a script instead: easier, better, faster & plain PowerShell.
  • r

    RSRevord

    01/29/2025, 6:24 PM
    Hey, crazy question: I am trying to find a way to export Device configuration policies for Intune for documentation. Am I just blind? I don't see a way. I found compliance and all sorts of others, just not the ones I need.
  • a

    Andrew Gresbach

    03/11/2025, 12:29 PM
    Has anyone run into an issue w/ Intune (Autopilot) laptops that go non-compliant and, attempting to re-enroll, you find that the enrollment scheduled tasks are gone? We use a script to fix non-compliance which basically just does some cert, enrollment checks and any issues it finds it removes/re-adds itself to Intune (under a new ID of course), but we're running into more situations where it's failing when it gets to the re-enrollment due to those tasks being gone and the only solution is to fresh start it locally. Hoping there's a better way to avoid it.
  • j

    James Ma

    03/14/2025, 6:25 PM
    Is there a way to generate a report like GPresult for AAD or Intune managed devices?