The Graph API and Intune portal(s) give insight into device compliance status, but what about a local equivalent? How can we locally detect from e.g. a script on a Windows 10 laptop if the device is compliant or not?
The good old Group Policy "Computer Configuration\Policies\Administrative Templates\System\User Profiles\Delete User Profiles Older than a Specified Number of Days on System Restart" isn't part of Intune yet.
If you use shared devices in your environment, you can use the script below to set the number of days after which a user profile is cleaned up on MDM/Intune-managed Windows 10 devices.
It has to run in SYSTEM context or it won't be allowed to write the right key.
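An added example of such a script (not the original post's script): it writes the registry value that the ADMX policy maps to, which is assumed here to be the REG_DWORD HKLM\SOFTWARE\Policies\Microsoft\Windows\System\CleanupProfiles (number of days), verifies the write, and refuses to run unelevated. Deployed as an Intune PowerShell script with "Run this script using the logged on credentials" set to No, it executes as SYSTEM.

```powershell
# Added example, not the post's own script.
# Assumption: the "Delete user profiles older than a specified number of days on
# system restart" policy is backed by the REG_DWORD value below (from the ADMX).
param(
    [ValidateRange(1, 3650)]
    [int]$Days = 30   # constructed default; choose what fits your shared devices
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$ValueName  = 'CleanupProfiles'

# HKLM\SOFTWARE\Policies is only writable by SYSTEM or an elevated administrator.
# Intune runs scripts as SYSTEM unless "logged on credentials" is selected.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Must run as SYSTEM or elevated (current identity: $($identity.Name))."
    exit 1
}

if (-not (Test-Path $PolicyPath)) {
    New-Item -Path $PolicyPath -Force | Out-Null
}
New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
    -Value $Days -Force | Out-Null

# Read the value back so the Intune script result reflects what actually landed.
$actual = (Get-ItemProperty -Path $PolicyPath -Name $ValueName).$ValueName
if ($actual -ne $Days) {
    Write-Error "Verification failed: $ValueName is '$actual', expected $Days."
    exit 1
}
Write-Output "$ValueName set to $Days day(s); profiles are cleaned up on the next restart."
exit 0
```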
EDIT: this no longer works and results in an UnSupportedFirstyPartyApplication or ServicePrincipalNotFound error.
If you set an Intune conditional access policy that targets ALL applications in Azure AD with MFA, a new Windows 10 device will not be able to complete its setup, and will never become usable for the user.
This is because your client needs to connect to Azure AD endpoints such as the Graph API (00000002-0000-0000-c000-000000000000) and the Store for Business (45a330b1-b1ec-4cc1-9161-9f03992aa49f).
As these applications cannot be excluded from a conditional access policy through the GUI, you’ll have to use Fiddler:
1. Configure your policy, but don't click 'Save' yet.
2. Start Fiddler and enable SSL decryption.
3. Start capturing in Fiddler.
4. Click 'Save' in the conditional access policy.
5. Stop capturing in Fiddler.
6. Look for the PUT request and copy it to Notepad, or directly to the 'Raw' tab in Fiddler's Composer section.
7. Modify the app ids in the request, e.g.: "servicePrincipals":{"allServicePrincipals":1,"included":{"ids":[]},"excluded":{"ids":["0000000a-0000-0000-c000-000000000000","d4ebce55-015a-49b5-a083-c84d1797ae8c","45a330b1-b1ec-4cc1-9161-9f03992aa49f","00000002-0000-0000-c000-000000000000"]}}
8. Send the request.
9. DO NOT EDIT THE POLICY AGAIN THROUGH THE INTUNE PORTAL. Otherwise your hidden ids will be removed.
Obviously the above method is not supported by Microsoft!
To get some Google hits, these are some of the many errors that will appear in your event log if you haven't applied the above.
Error:
0xCAA2000C The request requires user interaction.
Code:
interaction_required
Description:
AADSTS50076: Due to a configuration change made by your administrator, or
because you moved to a new location, you must use multi-factor authentication
to access ‘00000002-0000-0000-c000-000000000000’.
Error:
0xCAA2000C The request requires user interaction.
Code:
interaction_required
Description:
AADSTS50076: Due to a configuration change made by your administrator, or
because you moved to a new location, you must use multi-factor authentication
to access ‘https://substrate-dod-int.office365.us/‘.
Error:
0xCAA2000C The request requires user interaction.
Code:
interaction_required
Description:
AADSTS50076: Due to a configuration change made by your administrator, or
because you moved to a new location, you must use multi-factor authentication
to access ‘8f41dc7c-542c-4bdd-8eb3-e60543f607ca’.
Error:
0xCAA2000C The request requires user interaction.
Code:
interaction_required
Description:
AADSTS50076: Due to a configuration change made by your administrator, or
because you moved to a new location, you must use multi-factor authentication
to access ‘d32c68ad-72d2-4acb-a0c7-46bb2cf93873’.
I've updated the Microsoft cloud suites feature comparison page with all other Microsoft suites, including all their features. I've also added all Education SKUs. You can use the pivot table to sort, mix and match according to your exact needs. If you need any assistance with Microsoft 365, don't be a stranger.