Azure AD, Intune and Windows 10 offer an incredibly nice light management option, where your users can use any Windows 10 Pro or higher device and simply join it to your Azure AD on their own.
Intune then allows you to enforce your security policies on those devices, and to distribute AppX and MSI packages to those devices.
Traditionally, IT used to manage devices using GPO’s or more, allowing a very high degree of granular configuration and remediation. Intune or the Enterprise Mobility Suite don’t offer good alternatives for Group Policy, and don’t allow scripts to be deployed natively, this greatly limits us.
However, the ability to deploy an MSI can be leveraged to still offer any of the granular management we used to do. I would very, very strongly advocate only using this as a last resort, don’t swim against the current, let users manage their own device and move to a services based architecture for your organisation’s IT.
Today’s case for a global NGO with a fully EMS licensed user base covers the distribution and installation of a large number of templates for Microsoft Word, including a normal.dot, macro’s and the required group policy settings to make word use these templates. Continue reading EMS case: distributing Office templates and macro’s to your users on Windows 10 mobile managed Azure AD Joined devices
So, recently a customer installed the Intune client in an image, as my previous post details, causing the client to enter a bricked state.
Reinstallation of the client can fix this, but we wanted minimum user interaction as a large number of machines was already distributed.
For those who remember Winrar, it is a fantastic ZIP tool that can create a self-extracting archive (.EXE) which auto-self elevates (admin rights) and can automatically start a file from the archive after extraction.
Include the Intune setup file and the certificate Microsoft includes, and this script (as .bat), and your Intune installation will be ‘cleaned up’. Note that you may see some file protection dialogs.
Source code: Continue reading Killing and reinstalling the Intune Client without user interaction
If you want to deploy the Intune Client using a (golden/generalized) image with System Center Configuration Manager or any other tool, make sure you haven’t already installed the Intune Client on that machine and follow the correct procedure.
The Intune Client generates a machine specific certificate in the Personal Store of the machine. This certificate is only valid for that machine. If you then base your image on this machine, all installations using that image will fail, Intune will report error 0x80070005 when trying to update. The full log of Updates.log in c:\Program Files\Microsoft\OnlineManagement\Logs will look like this below log.
EDIT: if you want to ‘reset’ / ‘fix’ the Intune Client with a script / automatically, read here
Continue reading Intune Client does not appear in console and displays error 0x80070005 when updating
As of yesterday, Intune now lets us deploy MSI files to (auto) enrolled devices!*
This is another nice step forward into making this product more mature, hopefully in the future we’ll be able to use Intune auto enrollment to manage anything, anywhere, anytime. Until now, managing roaming laptops with Intune was basically useless if you wanted to deploy any type of software outside of the Windows Store.
Some gotcha’s with this improvement:
- you need a full deployment of SCCM (2012 R2 SP1 CU1)
- this only works with Windows 10 as target OS
- only a single MSI file is supported
If you’re using System Center Configuration Manager 2012 and have integrated it with Intune or are planning to pilot Windows 10, this is the time to update your hierarchy!
I’ve been stumped and irritated several times by the flimsy integration between SCCM and Intune, seems I wasn’t the only one. Both products have such a huge potential! With the service pack that was just released, this seems to be changing, read all about it in this blogpost by Microsoft’s Brad Anderson.
And for the techies, this article has a list of all the new features.
Are you considering deploying Intune? Then here are a few things you really need to know:
There is no universal enrollment experience accross devices or OS’es
When you direct your users to your Intune Portal, the portal attempts to detect the OS you’re running. If it detects Windows 7 or 8, it will display a prompt to enroll your device, the user has to download a client and wait for at least an hour, reboot for updates, etc etc. Quite a hassle, not every user will intuitively understand this process.
On Windows 8.1 or on mobile devices (iOS, Android, Windows Phone) Continue reading Think, before you InTune
When you’re using both ADFS and Intune, you may want to save your users the annoying redirect after they type in their UPN when they access ADFS secured resources.
I personally like simplicity, so to build a fast and effective method for logging in to the Intune Portal (could be used for other things too) I did the following: Continue reading ADFS SmartLink for the Intune Portal
If you hit error 0x80cf401b or 0x80cf0438 when attempting to install the Windows Intune client, disable your proxy or use a network that is not proxied.
In addition, after the Intune Client had been installed, I ran into several other errors that you might also run into. Always check for log files in c:\program files\microsoft\onlinemanagement\logs
The solution to below errors was Continue reading Windows Intune Client on Windows 7 errors 0x80cf401b or 0x80cf0438