Channel: MDM – blog.hosebei.ch

Intune – New Company Store as appx


Last week I was surprised to find the Windows Intune Company Portal as an APPX file in the download area of the Microsoft homepage. So I thought that it should be possible to use this Company Portal in the SCCM-integrated Intune scenario, rather than the old XAP file.

But I was not able to find any information about that topic. So I faced the following problems: When trying to sign the application, you get the error that the Publisher in the APPX is not the same as in the code signing certificate (how could it be, the Publisher of the APPX is Microsoft, and I don’t have a code signing certificate with a Microsoft subject).

And the second problem is that the Intune Connector only allows you to add a XAP-based application. The usage of the new APPX is as follows: When you are using Intune Standalone and you are blocking access to the Store, the users won’t get the Company Portal. For this purpose, you should be able to use the APPX version of the Company Portal instead of the Store one.

But I still do not know how to sign this APPX yourself. See here for the announcement of the Company Portal app: http://blogs.technet.com/b/microsoftintune/archive/2015/04/17/new-intune-features-coming-over-the-next-week-for-android-and-more.aspx Just another point: Peter van der Woude published a very good blog post last week about the scenarios of Windows Phone Company Portal app deployments: http://www.petervanderwoude.nl/post/windows-phone-8-1-and-the-microsoft-intune-company-portal-app/

Martin
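The publisher mismatch described in the post is exactly the check signtool performs: the Publisher attribute of the Identity element in AppxManifest.xml must equal the Subject of the signing certificate. The following PowerShell snippet is an added example and not code from the original post; it reads the manifest out of the package and compares it with the subject of a PFX, so you can see the mismatch before trying to sign. The file paths are placeholders.

```powershell
# Added example (not from the original post): compare the Publisher in an
# .appx manifest with the Subject of a code-signing certificate. This is the
# check that fails for the Microsoft-published Company Portal package.
# Paths are assumptions; Get-PfxCertificate prompts for the PFX password.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxPublisher {
    param([Parameter(Mandatory)][string]$AppxPath)
    # An .appx is a zip; the identity lives in AppxManifest.xml at the root
    $zip = [System.IO.Compression.ZipFile]::OpenRead($AppxPath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "AppxManifest.xml not found in $AppxPath" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        return $manifest.Package.Identity.Publisher
    } finally {
        $zip.Dispose()
    }
}

function Test-AppxSigningMatch {
    param(
        [Parameter(Mandatory)][string]$AppxPath,
        [Parameter(Mandatory)][string]$PfxPath
    )
    $publisher = Get-AppxPublisher -AppxPath $AppxPath
    $cert = Get-PfxCertificate -FilePath $PfxPath
    # Both sides are X.500 distinguished names; normalise spacing around the
    # RDN separators so "CN=X, O=Y" and "CN=X,O=Y" compare equal
    $normalize = { param($dn) (($dn -split '\s*,\s*') -join ',').Trim() }
    $match = (& $normalize $publisher) -eq (& $normalize $cert.Subject)
    [pscustomobject]@{
        AppxPublisher = $publisher
        CertSubject   = $cert.Subject
        Match         = $match
    }
}

# Usage (placeholder paths): Match will be False for the Microsoft-signed
# Company Portal unless your certificate carries Microsoft's subject
Test-AppxSigningMatch -AppxPath 'C:\Temp\CompanyPortal.appx' -PfxPath 'C:\Temp\codesign.pfx'
```

If Match is False, re-signing the package is not an option: you would have to repackage it with your own Publisher, which breaks the package identity and is not supported for the Microsoft-built Company Portal.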



SCCM 2012 R2 SP1 – No longer Need of Company Portal for Windows Phone 8.1


Hi all, here’s Martin serving some new information about the Intune integration in System Center 2012 Configuration Manager R2 SP1.

With the newly available Service Pack 1 for SCCM 2012 R2, there is no need to create a self-signed Company Portal for Windows Phone 8.1 anymore. For the old Windows Phone 8.0 you will still need the signed Company Portal, but who really does still use Windows Phone 8.0?

Let’s take a look at the Intune Subscription after the Service Pack is applied:
Intune Subscription
The Device Settings are missing there, but you will find them by right-clicking on the connector, or in the upper menu bar:
Configure Platforms
Configure Platforms Menu

When you check the Windows Phone platform, you will recognize that you can select Windows Phone 8.1 only, or None:
Windows Phone Platform

On a Windows Phone 8.1 device, there is also no option to download the Company Hub anymore:
Missing install Hub

This means that users have to download the Company Portal manually from the Store, where a Microsoft Account is needed. Alternatively, you can deploy the new Company Portal from Microsoft as an APPX file through SCCM.
Here is the link to the Company Portal:
http://www.windowsphone.com/en-us/store/app/company-portal/0b4016fc-d7b2-48a2-97a9-7de3b5ea7424

Have fun :)


SCCM 2012 R2 SP1 – New Intune Features: Block Apps natively and deploy a iOS custom profile


Hi there,
finally I got time to check which new features were brought to us System Center 2012 Configuration Manager guys with the R2 SP1 update. My interests were in iOS and Windows management, and for both of them some nice features were added.

Blocking Apps
Blocking apps is now supported through the normal configuration rather than via OMA-URIs as before (https://blog.hosebei.ch/2014/11/10/sccm-2012-r2-windows-phone-8-1-black-listing-apps-and-vendors/). You can create a Configuration Item with the specific settings:

Block Apps wizard
You might have noticed the difference between iOS/Android and Windows Phone: currently it is only possible to block apps on a Windows Phone device; for the other platforms only the state (compliant or not) is reported, referring to https://technet.microsoft.com/en-us/library/mt131422.aspx .
The following screen in the wizard is the same for all platforms, thus I only show it once.
Block Apps
As you can see, you can select allowed or blocked apps, and afterwards you have to add the applications, either one by one or via the Import button with a CSV file.

iOS Custom Profiles
With iOS custom profiles it is possible to configure iOS devices with profiles created in Apple Configurator (https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12). This piece of cr.. eh, I meant beauty, only runs on an Apple device (which means no Windows, no Linux). When you have created your Apple profile, you can start by adding a Configuration Item:
iOS Custom Profile
Then you can type the name of the profile and import the XML file (the .mobileconfig profile) created with Apple Configurator:
iOS custom profile
You can also select to remediate the profile settings.

That’s it for the Moment…
Martin


SCCM 2012 R2 SP1 – Application Management Policies for Android and iOS


Hey, here is Martin serving you with some new information about the MAM (Mobile Application Management) features in the SCCM 2012 R2 SP1 release.
There is a new section in the Application tree of the Software Library wunderbar called “Application Management Policies”:
Application Management Policies
So, what can you do with this? The same as in Intune, finally! That means you can now wrap your applications in an application container to use them afterwards with Application Management Policies. The process of wrapping an iOS application is outlined in this TechNet article: https://technet.microsoft.com/en-us/library/dn878028.aspx
And for android Apps you can find the documentation here: https://technet.microsoft.com/en-us/library/mt147413.aspx

Once you have wrapped your app, it is time to create the first Application Management Policy; click on “Create Application Management Policy”:
Add AMP

The first screen of the wizard simply asks for a name and the type of the AMP, thus I don’t show it. But the second screen is quite important, because here you set the actual policies:
Application Management Policy

If you now ask yourself how to deploy the policy, because there is no deploy option when you right-click on it:
AMP Settings

This is because the AMP is deployed when you add a wrapped application to SCCM, as outlined here:
https://technet.microsoft.com/en-us/library/mt131414.aspx

When a deployment type is created for an app that requires an application management policy, Configuration Manager will recognize that an app management policy must be linked to this deployment type when the associated app gets deployed and prompt you to associate an app management policy. For the Managed Browser, you will be required to associate both a General and Managed Browser policy.

Hope this enlightens some IT-Crowds ;)


SCCM 2012 – Configure Exchange On-Premise Conditional Access with Microsoft Intune


Hi Reader,

referring to my old blog post, where I described the integration of Conditional Access in System Center 2012 Configuration Manager for Exchange Online (Link), and because there was an update to the Intune extension to support on-premises Exchange Server as well, I decided to create a new blog post about this.

The supported Exchange versions are currently 2010 and 2013; be sure to use one of them with a current update rollup (afaik for 2013 UR6 is required).
And you can use the conditional Access to restrict the EAS connection on the following Devices:
•Windows 8 and later (when enrolled with Intune)
•Windows Phone 8 and later
•Any iOS device that uses an Exchange ActiveSync (EAS) email client
•Android 4 and later.

The first step is to set up the Exchange Connector in the Administration workspace of SCCM 2012. Follow this TechNet article to configure the Exchange Connector:
How to Manage Mobile Devices by Using Configuration Manager and Exchange

When this is done, create a user collection which is later used to target the Conditional Access policy; you can already add the users you want to restrict. If needed, do the same for an exemption collection, because you can exempt users from the restriction even if they are within the targeted collection.

Then go to the “Conditional Access” node of the “Assets and Compliance” workspace and select “Configure Conditional Access Policy”:
Configure Conditional Access Policy

In the first screen you are asked for your Intune tenant domain name; use the onmicrosoft.com address:
Domain name for Microsoft Intune

In the next step, add the previously created user collection whose access you want to restrict:
Target collection

The next screen of the wizard asks for the exempted collections; if your configuration needs this, add them here. The last screen of the wizard shows the message template that is sent to the user when their device is not compliant with the policy:
User message
This message is sent to a user when EAS has recognized that the device is not compliant. Make sure that you have configured the new “Conditional Access Email Notification Account” option in the Exchange Connector properties; this enables SCCM to send the email:
Email Notification Account

But it can take up to 3 hours until a device is blocked: if a user sets up an Exchange ActiveSync profile on a device that is not managed by Intune, it might take 1-3 hours for the device to be blocked. Likewise, if a user un-enrolls a device from Intune, it might take 1-3 hours until the device is blocked. On the other hand, if a user then enrolls the device with Intune (again), email access will be unblocked within 2 minutes (from TechNet).

Update:
See also this link for a very detailed description:
https://technet.microsoft.com/en-us/library/mt595858.aspx


SCCM 2012 – Exchange Conditional Access Mail sent Error 0x80131500


Referring to my last blog post, I did not receive the email telling me that my device is not enrolled or compliant. The following error was shown in the Exchange Connector log (EasDisc.log):

ERROR: Failed to call ProcessConditionalAccess of managed COM. error = Unknown error 0x80131500

Error

And also:
ERROR: [MANAGED] Encountered error when trying to create Exchange service for user svc-sccm2012exch2010@hosebei.ch, exception : The Autodiscover service couldn’t be located.

The solution was quite simple: the password of the service account was not set correctly. After setting the correct password in the Accounts node of the Security tree, the mail was sent within minutes.

Hope this helps
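Both errors above are symptoms of one cause, a credential that no longer works, and the second one names the account involved. The following PowerShell snippet is an added example, not code from the original post: it picks the two error signatures out of EasDisc.log lines and then validates the connector service account’s password with a plain LDAP bind, which is the quickest way to confirm or rule out the root cause found here. The LDAP path and the log path are assumptions; the sample log lines are constructed to match the errors quoted in the post.

```powershell
# Added example, not part of the original post. Finds the two EasDisc.log
# errors quoted above and validates the connector service account's password
# with an LDAP bind (the root cause in this case).
# Log path and LDAP path are assumptions; adjust them to your environment.

function Find-EasDiscErrors {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # Wildcard patterns; the apostrophe in "couldn't" is left open on purpose
    # because the log may contain a straight or a typographic quote.
    $patterns = @(
        '*Failed to call ProcessConditionalAccess of managed COM*',
        '*The Autodiscover service couldn*t be located*'
    )
    foreach ($line in $LogLines) {
        foreach ($p in $patterns) {
            if ($line -like $p) { $line; break }
        }
    }
}

function Test-ServiceAccountCredential {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$LdapPath = 'LDAP://hosebei.ch'   # assumption: your AD domain
    )
    $plain = $Credential.GetNetworkCredential().Password
    $entry = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $Credential.UserName, $plain)
    try {
        # Accessing NativeObject forces the bind; a wrong password throws here
        $null = $entry.NativeObject
        return $true
    } catch {
        Write-Warning "Bind failed for $($Credential.UserName): $($_.Exception.Message)"
        return $false
    } finally {
        $entry.Dispose()
    }
}

# Constructed sample lines in the shape of the two errors from the post
$sample = @(
    'INFO: Processing conditional access for 3 users',
    'ERROR: Failed to call ProcessConditionalAccess of managed COM. error = Unknown error 0x80131500',
    "ERROR: [MANAGED] Encountered error when trying to create Exchange service for user svc-sccm2012exch2010@hosebei.ch, exception : The Autodiscover service couldn't be located."
)
Find-EasDiscErrors -LogLines $sample

# Live checks on the site server (assumed log directory):
# Find-EasDiscErrors -LogLines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\EasDisc.log')
$cred = Get-Credential -UserName 'svc-sccm2012exch2010@hosebei.ch' -Message 'Connector service account password'
Test-ServiceAccountCredential -Credential $cred
```

If the bind fails with the password stored in SCCM, fix the account under Administration -> Security -> Accounts as described above; if it succeeds, the Autodiscover error points at DNS or the Autodiscover endpoint instead.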


SCCM 2012 + Intune – Remote Passcode Reset on Windows Phone 8.1


In this post I would like to cover the remote passcode reset of a Windows Phone 8.1 device that is enrolled with Intune, where Intune is integrated with System Center 2012 Configuration Manager.
Open your SCCM console and navigate to the device whose passcode you would like to reset. Right-click on the device, select “Remote Device Actions” and in the fly-out choose “Reset Passcode”:
Reset Remote Passcode

You will be asked for confirmation, because the user of the device will not be able to use it until you have told them the new passcode:
Passcode Reset confirmation
On the device, within a minute, the screen will be locked and the user is informed to contact the helpdesk to obtain the new passcode:
Contact Helpdesk for passcode
To provide the new passcode to the user, go again to the particular device, right-click on it, select “Remote Device Actions” and in the fly-out choose “View Passcode State”:
open View Passcode state
In the opening window you can see the new device passcode. Since anyone with rights to this action can read it, the helpdesk should verify the caller’s identity before handing the passcode over:
View Passcode State

How nice is that?! :)


SCCM 2012 R2 SP1 – Windows 10 Mobile Management


Hey reader, yesterday I received my brand new Microsoft Lumia 950, and here is my unboxing video: (hahaha…. ;))
No, not really, but here are my experiences when it comes to managing a Windows 10 Mobile device with System Center 2012 Configuration Manager R2 SP1, with the latest cumulative update installed (at the moment CU2).
So I took the phone and connected it to my WiFi to have Internet access for enrolling the device with Intune, which worked perfectly, as before on my Windows Phone 8.1:
Windows 10 Mobile Intune enrollment

After this was done, I expected to receive all the settings that I had configured within SCCM for my user: my Exchange ActiveSync profile, my internal PKI root certificate added to the Trusted Root Certification Authorities store, a certificate requested and received for my user via the SCEP profile, and last but not least the VPN connection. But guess what, nothing was coming in. I tried to update the policies on the mobile device several times, but those settings wouldn’t show up. After a while I remembered the “Supported Platforms” option of the compliance settings, and there it was: I had to add “Windows 10 Mobile” as a supported platform:
Supported Platforms Windows 10 Mobile
After I added Windows 10 Mobile as a supported platform to all my settings, it took less than 5 minutes until my mobile device received all of them, and even the VPN was working with my certificate:
Certificate01 VPN Connection

So everything that works with Windows Phone 8.1 also works with Windows 10 Mobile, as Microsoft also pointed out in the TechNet article for the R2 SP1 release:
You can now manage Windows 10 and Windows 10 mobile devices that are enrolled with Microsoft Intune. All existing Intune features for managing Windows 8.1 and Windows Phone 8.1 devices will work for Windows 10 and Windows 10 Mobile.
—-
From: https://technet.microsoft.com/en-us/library/mt131422.aspx

Happy Windows 10 Mobile enrolling to everybody :)



Implement Microsoft Windows Store for Business and Windows 10 Mobile


Today I would like to show you how the newly available Microsoft Windows Store for Business works and how you implement it for your Windows 10 Mobile users.
The most interesting part of the new Store for businesses is the fact that end users no longer need a Microsoft Account (the former Live ID, or MSN account a long time ago); instead they can download and install applications from the Store with their organizational account, or what I would call their Azure Active Directory account.
To activate the Business Store for your Azure tenant, you need an account with the Global Administrator role (Source). With this account, go to this location and sign up for the Business Store.
If you don’t have an Azure Tenant yet, you will be required to create one.
After you have created your Business Store, also called Private Store, you can assign role-based access to different users within your Azure tenant; the three available roles are the following (Source):

  • Administrator
  • User Administrator
  • Billing Administrator

There are two main scenarios why you would use the Microsoft Business Store: the first is the deployment of your own line-of-business (LoB) apps, and the second is handling the billing for Store apps required by your users. To import LoB apps, you can directly invite a developer with their Microsoft Account:
Invite Developer Microsoft Business Store

Now you can start to add your first Store app to your Business Store; you can select free apps as well as apps you are billed for. Simply use the Search Store section of the administration portal:
Business Store add application
Once you have selected your business-critical application, in my case TaucherInfo, click on “Get the app”:
Get the app
Afterwards the wizard asks how the app will be distributed; in my case I selected to distribute the application to all users:
Distribute App
The Business Store will then show a message that the process was successful and that the app has been added to the private store. The status in the overview of distributed apps can be misleading, but the most important information for you is that it can take about twelve (yes, 12) hours until your app shows up in the Business Store (Source). So this screenshot is quite appropriate for the first half day:
Add in Progress
You can also change the name of your private Store, as I did. But be aware: my experience is that if you change the name, all the apps have to be re-added (this is done automatically), which means you have to wait again around twelve hours until the apps are visible. The name itself changes within an hour, I would say.
Change private Store name

Let’s see what is happening on the Windows 10 Mobile device. Open the Settings app and go to “Accounts”. There select “Work Access” and you should end up in the following screen, where you start to sign in to Azure Active Directory by tapping on “Add or remove a work or school account”:
Sign in to Azure AD
In the following screen tap on “Add a work or school account” below the “Accounts used by other apps” section; the name of the section already indicates that the account can also be used within an app like the normal Store app.
Add Account
After the Azure sign-in it is time to open the Store app on Windows 10 Mobile, open its settings and tap on “Sign-In” in the lower section:
Sign in to Azure AD
Afterwards the Store app asks with which type of account you want to log in; just select your recently added Azure account:
Store Account selection
After you are logged in, a new section appears within the settings section of the app:
Business Store appearance
And if you wait long enough, the distributed apps will appear in this overview; in my case it took longer than those twelve hours. Here is the result:
Private Store


ConfigMgr 1511 – Service connection point issues


Hi reader,

I was running ConfigMgr 1511, upgraded from a System Center 2012 Configuration Manager R2 SP1 infrastructure with a configured Intune subscription, without a problem for more than a month. But due to my Azure tenant name selection more than two years ago, I wanted to change the tenant name from uncoolname.onmicrosoft.com to hosebei.onmicrosoft.com, because, you might already guess it: the SharePoint URL.
Exchange Hybrid and all other services were not easy, but worked as I had planned. But unfortunately the service connection point did not work after this change, even after changing the Intune subscription to my new tenant.

I encountered the following errors in the log files of ConfigMgr. In DMPDownloader.log it was stated that:
Certmgr has not installed certificate yet, sleep for 1 minutes.
and later on:
WARNING: Cannot find a suitable certificate. Included extensions: 1.2.840.113556.5.11,1.2.840.113556.5.4,1.2.840.113556.5.6. Excluded extensions: . AgentTypeId:

In DMPUploader.log there was the same message about the missing certificate plus the following:
ERROR: ERROR: Exception occured while calling REST UserAuth Location service The Dmp Connector failed to read the connector certificate.

And in DMPDownloader.log there were quite the same errors. Don’t be misled by the failure in ConnectorSetup.log:
CTool::RegisterManagedBinary: Failed to register D:\Program Files\Microsoft Configuration Manager\bin\x64\IntuneContentManager\Microsoft.ConfigurationManager.IntuneContentManager.dll with .Net Fx 2.0

As outlined in this TechNet forum post (Link), the registration of the DLL succeeds with another .NET version, which is also visible in the log file two lines below the error.
I removed the Intune subscription again, and also the service connection point role, and re-added them without success. As outlined in this TechNet article, at the bottom of the page, see this important notice for usage on a remote server:

When the role installs on a computer that is remote from the site server:
You must configure the site system server that hosts the role with a Site System Installation Account
The Site System Installation Account is used by the distribution manager on the site server to transfer updates from the service connection point.

But even installing the role on the site server itself was not successful, or, to say it right, the service connection point was not able to do its work. I uninstalled the service connection point again and rebooted my primary site server. After adding the role again, it was able to create or receive (?) a new connector certificate, which is also written to the log file (DMPDownloader.log):
Found connector certificate with subject 'CN=
You can find the certificate in the computer certificate store of the server that hosts the service connection point role:
Service Connection point Certificate

The synchronization afterwards was working like before.
Hope this helps.
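The warning in the log tells you what the connector is looking for: a certificate in the machine store carrying three specific extension OIDs. The following PowerShell snippet is an added example and not code from the original post; it searches the Local Computer Personal store for a certificate that carries all of the OIDs named in the warning and pulls the matching lines out of the two DMP logs, so you can tell whether the certificate exists before you start removing roles. That the OIDs from the log appear as X.509 extensions (or EKUs) of the connector certificate is an assumption drawn from the log text, and the log directory is an assumption as well.

```powershell
# Added example (not part of the original post). Looks for the connector
# certificate the DMP components expect and summarises the related log lines.
# Assumptions: the OIDs from the "Included extensions" warning are present as
# X.509 extensions or EKUs on the certificate; the log directory is yours to adjust.

$ConnectorOids = '1.2.840.113556.5.11', '1.2.840.113556.5.4', '1.2.840.113556.5.6'

function Find-ConnectorCertificate {
    param(
        [string[]]$RequiredOids = $ConnectorOids,
        [string]$Store = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem $Store | Where-Object {
        # OIDs of every extension on the certificate ...
        $oids = @($_.Extensions | ForEach-Object { $_.Oid.Value })
        # ... plus the OIDs listed inside an Enhanced Key Usage extension
        $oids += @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $missing = $RequiredOids | Where-Object { $oids -notcontains $_ }
        -not $missing
    } | Select-Object Subject, NotBefore, NotAfter, HasPrivateKey, Thumbprint
}

function Get-DmpConnectorLogLines {
    param([string]$LogDir = 'D:\Program Files\Microsoft Configuration Manager\Logs')
    $patterns = 'Cannot find a suitable certificate',
                'failed to read the connector certificate',
                'Found connector certificate'
    foreach ($name in 'DMPDownloader.log', 'DMPUploader.log') {
        $path = Join-Path $LogDir $name
        if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
        Select-String -Path $path -Pattern $patterns |
            Select-Object @{ n = 'Log'; e = { $name } }, LineNumber, Line
    }
}

$certs = @(Find-ConnectorCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificate with the connector extension OIDs in LocalMachine\My'
} else {
    $certs | Format-Table -AutoSize
}
Get-DmpConnectorLogLines | Format-Table -AutoSize
```

A hit with HasPrivateKey = False is as bad as no hit: the connector needs the private key, so a certificate that only shows up because it was imported without it will still produce the “failed to read the connector certificate” error.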


Azure AD Connect 1.1.105.0 – Missing Scheduled Task


Hi,

today I upgraded my Azure AD Connect to the newest version available (Download here).
Everything seemed to be fine, except that the scheduled task was missing:
azureadconnect01

And I could also determine that the sync was not started within the Synchronization Service Manager. I then searched for a way to start the sync process manually. I found a message that the following executable would start a sync:
C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe
But this executable is not available with the new version.
I then found the PowerShell module for the sync in this directory:
C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync
azureadconnect02
With this, it was quite easy to start a manual sync through PowerShell:

Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
Start-ADSyncSyncCycle

This will run a full synchronization, and with
Start-ADSyncSyncCycle -PolicyType Delta
you can start a delta synchronization, which you can check in the Synchronization Service Manager:
azureadconnect03

With this, it would be possible to create a scheduled task myself, but I’m unsure whether there was something wrong with the installation or why it does not sync automatically. I will update this blog when I have more information about this issue.

Update
The scheduled task is gone with this new version. The sync process should be done by the sync engine itself. Obviously this does not work at the moment on my system. I will give an update if I have more information.

Update 2
On this page the new process is quite well explained: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-scheduler/
But on my side, I still have an issue with the sync:
azureadconnect04
I do not believe that the date of the next sync will be soon :)
I have to dig deeper…

Update 3 (Last)
As outlined on this page:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-scheduler/
You can start the sync cycle, if it’s turned off (as you can see on my screenshot of Get-ADSyncScheduler), by using this command:
Set-ADSyncScheduler -SyncCycleEnabled $true
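Putting the three updates together: the built-in scheduler replaces the task, and the state shown by Get-ADSyncScheduler is what decides whether anything runs. The following PowerShell function is an added example, not code from the original post; it checks the scheduler state, re-enables the sync cycle if it is off, warns about staging mode, and only then triggers a delta cycle, refusing to start one while another is already running. The cmdlets are from the ADSync module imported above; the module path is the one shown in the post.

```powershell
# Added example (not part of the original post). Checks the Azure AD Connect
# scheduler, enables it if it was left disabled, and triggers a delta cycle
# only when no cycle is in progress. Uses the ADSync module from the path above.
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

function Invoke-ADSyncSchedulerCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$TriggerDelta)

    $sched = Get-ADSyncScheduler

    if (-not $sched.SyncCycleEnabled) {
        Write-Warning 'SyncCycleEnabled is False: the engine will never sync on its own'
        if ($PSCmdlet.ShouldProcess('ADSync scheduler', 'Set-ADSyncScheduler -SyncCycleEnabled $true')) {
            Set-ADSyncScheduler -SyncCycleEnabled $true
        }
    }
    if ($sched.StagingModeEnabled) {
        Write-Warning 'Staging mode is on: imports and syncs run, but nothing is exported to Azure AD'
    }

    if ($TriggerDelta) {
        # Get-ADSyncConnectorRunStatus returns nothing when no connector is busy
        $busy = $sched.SyncCycleInProgress -or (Get-ADSyncConnectorRunStatus)
        if ($busy) {
            Write-Warning 'A sync cycle is already running; not starting another one'
        } elseif ($PSCmdlet.ShouldProcess('ADSync scheduler', 'Start-ADSyncSyncCycle -PolicyType Delta')) {
            Start-ADSyncSyncCycle -PolicyType Delta
        }
    }

    # Return the state after the changes so the caller can see the next run time
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled,
        SyncCycleInProgress, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
}

# Usage: -WhatIf shows what would be changed without touching the scheduler
Invoke-ADSyncSchedulerCheck -TriggerDelta
```

Use -PolicyType Initial instead of Delta only when you really need a full import and sync; on a large directory that is what the task used to do on first run, and it takes correspondingly long.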



I have configured “Network Security: Restrict NTLM: NTLM authentication in this domain” months ago, here is why it caught me


Today I would like to share my experience with troubleshooting an overcommitted security admin with less knowledge than would be required (in fact, I’m talking about myself here). Some months ago, I read about NTLM (v2 as well), and I decided to restrict NTLM in my lab to check what would still work afterwards and what would stop working. To my surprise, everything went smoothly and I could not find an issue. So I forgot about this setting; everything seemed to work, and it did.

Lately I decided to cut off DirectAccess, since Microsoft does not invest in its future, and for other reasons: I’m not required to have a permanent connection to the lab from remote, a VPN would be sufficient. I’m using Work Folders as well, secured with Azure MFA, and the same should apply to my VPN connection: authentication should not only be covered by username and password. With this, the goal was set, and I built up the lab. Everything went nicely until the first VPN client wanted to connect. The NPS server gave me the error:
“The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.”

The status for the Event was:
Status: 0x80090302
Sub Status: 0xC0000418

The SubStatus helped me a lot. After a search, I found the following explanation for this error (source):
The authentication failed because NTLM was blocked.

With this error in hand, I ran a classic gpresult and found the NTLM restriction setting. For more information about NTLM restrictions, see this blog: https://www.rootusers.com/implement-ntlm-blocking-in-windows-server-2016/
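gpresult shows the policy, but it is quicker to ask the machine directly which NTLM restrictions are in effect and whether any logon has actually been refused with the SubStatus above. The following PowerShell snippet is an added example, not code from the original post. It reads the values the “Network security: Restrict NTLM” policies write under the MSV1_0 key and then lists the 4625 (logon failure) events whose SubStatus is 0xC0000418, the code quoted in the post. That the EAP failure shows up as a 4625 on the NPS server is an assumption; run it on the NPS server, or on the domain controller, to see where the refusal is logged.

```powershell
# Added example (not part of the original post). Shows the effective NTLM
# restriction values and the logon failures that were refused because NTLM
# was blocked (SubStatus 0xC0000418 from the post).
# Assumption: the refusal is logged as Security event 4625 on the machine you run this on.

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-NtlmRestrictionState {
    # Value names written by the "Network security: Restrict NTLM" policies
    $names = 'RestrictNTLMInDomain', 'AuditNTLMInDomain',
             'RestrictSendingNTLMTraffic', 'RestrictReceivingNTLMTraffic'
    $props = Get-ItemProperty -Path $Msv1 -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        $value = if ($props -and $null -ne $props.$n) { $props.$n } else { '(not set)' }
        [pscustomobject]@{ Setting = $n; Value = $value }
    }
}

function Get-NtlmBlockedLogons {
    param(
        [int]$Days = 7,
        [string]$SubStatus = '0xC0000418'   # "The authentication failed because NTLM was blocked"
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # -eq is case-insensitive, so 0xc0000418 in the event matches 0xC0000418
        if ($d['SubStatus'] -eq $SubStatus) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source    = $d['IpAddress']
                Process   = $d['ProcessName']
                Status    = $d['Status']
                SubStatus = $d['SubStatus']
            }
        }
    }
}

Get-NtlmRestrictionState | Format-Table -AutoSize
Get-NtlmBlockedLogons | Format-Table -AutoSize
```

If RestrictNTLMInDomain is set but you only see audit events, switch to the corresponding Audit policy first and watch this output for a while before blocking; an EAP method that quietly falls back to NTLM, as the VPN setup here did, is exactly what the audit mode is for.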

May this help somebody facing the same issue.


Windows 10 settings management with Intune


When a journey ends, a new journey begins. My journey with old-school domain-joined and GPO-managed devices in my lab ended, and I finally conquer new areas with Azure AD join and Intune-controlled devices. I waited so long because of a lack of options, as a lot of settings could not be set. Some of them are still not that simple to set through Intune, but there is a solution for, I would like to say, most of the requirements.

So in this blog post I would like to document my current knowledge of Windows 10 settings management through Intune. As of today, we have the following options to configure GPO-like settings through Microsoft Intune:

  • Intune Windows Enrollment settings
  • Intune Portal blade settings
  • Intune Portal Custom CSP settings
  • Intune ADMX-backed administrative template settings (Preview)
  • PowerShell Script
  • Let’s have a closer look to the different options.

    Intune Windows Enrollment settings
    First of all, all Devices enrolled with Microsoft Intune receive enrollment settings. Here we can already configure basic settings what should happen if a Device starts to be managed via Intune. I highly recommend to check the Default settings, and also make adjustments to fulfill your requirements.
    You can find the Windows Enrollment settings within the Intune blade from Azure:

    Refer to this official Microsoft Article as a starting point: Set up enrollment for Windows devices

Intune Portal blade settings
The next obvious settings location for Intune-managed devices is the device settings reachable within the Intune blade of Azure. Navigate to Microsoft Intune -> Device configuration -> Profiles:

Once you have reached the profiles section as shown above, click on “Create Profile” to see the different options for the easy-to-configure settings, besides the ADMX-backed settings currently in preview (see later in this blog). After clicking on create profile, select Windows 10 as platform and open the dropdown for the different profile types:

My intention is not to go through all the possible settings; I would not be able to finish this blog in a reasonable time. As an example, just select the Endpoint protection profile type and check how many options you have within this one profile type alone(!):

You may think you have seen it all? No way, you are not even close…

Intune Portal Custom CSP settings
With custom CSP settings you can do even more than with the settings in the Intune blade, but they are quite a bit more complex to configure. The complexity also depends on the CSP and on how its values have to be handled. You reach the custom CSP settings on the same page as the Intune Portal blade settings:

As an example, if your clients are Azure AD joined and you use Intune for device management, you will need a custom CSP setting to configure the trusted sites of Internet Explorer to support seamless SSO in IE and Edge (AllowSiteToZoneAssignmentList). See this blog post from Zeng Yinghua (Sandy) (twitter), where this process is described:
Use Intune Policy CSP manage Windows 10 settings – Internet Explorer Site to Zone Assignment List
Microsoft has also released an article on how to build the SyncML value for an ADMX-backed setting:
Intune: Deploying ADMX-Backed policies using Microsoft Intune
As a side note: I tried to disable the option “Turn on fast startup” (also called “Hiberboot”, or “Require use of fast startup” in the GPO). With the Microsoft article above, I found the setting within the WinInit.admx file, which led me to search for a WinInit CSP, without success. Currently there is no manageable way to configure fast startup via Intune, but maybe we can use PowerShell for this setting? Let's see…
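To show what the SyncML value of such an ADMX-backed list setting looks like, here is an added example (not code from the post or from the linked blogs) that builds the custom OMA-URI value for AllowSiteToZoneAssignmentList from a list of sites and zones. The OMA-URI and the data id IZ_ZonemapPrompt are taken from the Microsoft Policy CSP documentation and are stated here as assumptions; the site list is a constructed sample.

```powershell
# Added example: build the value for a custom OMA-URI setting of the ADMX-backed
# InternetExplorer/AllowSiteToZoneAssignmentList policy.
# Assumed from the Policy CSP documentation: the OMA-URI below and the data id "IZ_ZonemapPrompt".
$OmaUri = './Device/Vendor/MSFT/Policy/Config/InternetExplorer/AllowSiteToZoneAssignmentList'

function New-SiteToZoneAssignmentValue {
    param(
        # Keys are site patterns, values the IE zone number (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted)
        [Parameter(Mandatory)][hashtable]$SiteZones
    )
    # ADMX list elements separate key/value and the entries with U+F000 inside the data attribute
    $sep = [string][char]0xF000
    $pairs = foreach ($site in ($SiteZones.Keys | Sort-Object)) {
        $zone = [int]$SiteZones[$site]
        if ($zone -lt 1 -or $zone -gt 4) { throw "Zone $zone for '$site' is not a valid IE zone (1-4)." }
        if ($site -match $sep) { throw "Site '$site' contains the U+F000 delimiter." }
        $site + $sep + $zone
    }
    $data = $pairs -join $sep
    # Escape XML special characters first, then write the delimiter as a character reference
    $data = [System.Security.SecurityElement]::Escape($data).Replace($sep, '&#xF000;')
    return "<enabled/><data id=`"IZ_ZonemapPrompt`" value=`"$data`"/>"
}

# Constructed sample: the intranet portal goes into zone 1, the zone in which IE and Edge
# default to silent Windows authentication; a second host goes into the Trusted sites zone
$sample = @{
    'https://intranet.example.invalid' = 1
    'https://portal.example.invalid'   = 2
}
$value = New-SiteToZoneAssignmentValue -SiteZones $sample
Write-Output "OMA-URI  : $OmaUri"
Write-Output "Data type: String"
Write-Output "Value    : $value"
```

Paste the three printed values into a custom OMA-URI row of a Windows 10 custom profile; each site should appear on the client in the configured zone afterwards, which is the check to do before relying on the SSO behaviour.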

Intune ADMX-backed administrative template settings (Preview)
This is fresh, and HOT! The Intune ADMX-backed administrative templates help a lot if you need to transfer current GPO settings to Intune. With the search bar, you can check very quickly whether your required setting is available within the administrative templates.
To access the ADMX-backed administrative templates, open a new profile within the device configuration, select “Administrative Templates (Preview)” and click on create at the bottom:

Afterwards open the created profile and click on settings, where you will find all currently available settings:

And you can easily search, as I said before:

With this new settings console, there are now settings which can be configured in three different Intune profile types:
-Intune Portal blade
-Intune Portal custom CSP settings
-Intune administrative templates
Heads up: keep track of where you configure each setting!

PowerShell Script
Last but not least, you can create a PowerShell script which does all the required modifications on the client. But I highly recommend avoiding PowerShell scripts as much as possible, as the settings are not really managed with this solution. It is more of a fire-and-forget solution, which might be valid for some use cases, no doubt about that. In general, though, try to configure the required Windows 10 settings through the different Intune blade options.
So as mentioned before, I will set the HiberBoot option through a PowerShell script, and I’m quite confident that it should work. I think this will be my next blog, where I can tell whether it worked or not 🙂
But see this previous blog, where I described application deployment with Intune and PowerShell (with the new Win32 app wrapper of Intune, the process in this blog is no longer needed):
Create your own Software Deployment Repository with Azure and Intune

Intune – Configure “Fast startup” (HiberBoot) for Windows 10


Since I changed my clients from GPO-managed to Intune-controlled, some (not all) of the settings from GPO need to be set through Intune as well. As outlined in my previous blog, I tried to disable the Fast Startup option on Windows 10 through a CSP, but I did not even find a CSP supporting this setting. Within this blog, I would like to show how you can configure the fast startup (“Turn on fast startup (recommended)”) setting in Windows 10 through Microsoft Intune:

You may ask why I want to disable this? My reason: I don’t want to reuse a desktop session which was hibernated. With fast startup enabled, only a reboot forces the client to create a new desktop session.

Since I found a GPO setting regarding the fast startup option, I was quite sure that this would be the starting point (Administrative Templates\System\Shutdown):

But: as outlined in the help text of this setting, it only enables fast startup; disabling the GPO setting does not disable fast startup itself:

If you disable or do not configure this policy setting, the local setting is used.

So we need to set this value directly in the registry, without using the “Policy” tree. The registry key for disabling fast startup is described in this Microsoft Answers forum post (I could not find an official Microsoft KB article):
answers.microsoft.com – Turn off Fast Startup
Now we have all the information and can go on with implementing our solution.
First I go to this registry key (Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power) and set the value of HiberbootEnabled as I want to have it (0 is disabled):

Then I export this registry key to get a *.reg file, which should look like this:

Go ahead and delete all entries except HiberbootEnabled; you should end up with a reg file like this:

Now we need a way to convert a reg file into a PowerShell script. Luckily, there is already such a converter available from Roger Zander which we can use. Simply navigate to https://reg2ps.azurewebsites.net/ and paste the content of your reg file into the upper section. Afterwards click on “Get remediation script” to receive the PowerShell script which sets the registry value:

Now copy the content of the PowerShell script and save it to a script file with the .ps1 extension. Then navigate to the PowerShell scripts option of Intune device management: open the Azure portal and navigate to Intune -> Device Configuration -> PowerShell Scripts:

Click on “Add” and configure the new PowerShell script:

You need to provide a name for the script; I chose “Disable Fast Startup (HiberBoot)”. Then provide the PowerShell script saved before, and you are done. Leave the options at their default settings.
After a click on “Create”, the PowerShell script is added to the Intune blade and can be assigned to user or device groups:

Afterwards, the registry value should be set to the designated entry:
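As an added example of what such an Intune script can look like (this is not the reg2ps output used in the post), here is an idempotent version that sets HiberbootEnabled, reads the value back, and reports failure through the exit code. It assumes the script is assigned to run in system context, since it writes to HKLM.

```powershell
# Added example: idempotent Intune PowerShell script that disables fast startup (HiberBoot).
# The Intune Management Extension reports a non-zero exit code as a failed script run.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$ValueName = 'HiberbootEnabled'
$Desired   = 0   # 0 = fast startup off, 1 = fast startup on

function Get-HiberbootEnabled {
    # Returns the current DWORD value, or $null if the value (or the key) does not exist
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-HiberbootEnabled {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # Keep the REG_DWORD type a stock install uses; -Force overwrites an existing value
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $Value -PropertyType DWord -Force | Out-Null
}

$current = Get-HiberbootEnabled
if ($current -eq $Desired) {
    Write-Output "$ValueName is already $Desired, nothing to do."
    exit 0
}

try {
    Set-HiberbootEnabled -Value $Desired
}
catch {
    Write-Error "Failed to write ${ValueName}: $($_.Exception.Message)"
    exit 1
}

# Read back instead of trusting the write. A later policy or a manual edit can undo this value
# and a one-shot Intune script will not notice; re-run it if the setting has to stay enforced.
$after = Get-HiberbootEnabled
if ($after -ne $Desired) {
    Write-Error "$ValueName is '$after' after remediation, expected $Desired."
    exit 1
}
Write-Output "$ValueName changed from '$current' to $after."
exit 0
```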

If you have trouble with the Intune PowerShell execution, I highly recommend this blog post from Oliver Kieselbach:
Deep dive Microsoft Intune Management Extension – PowerShell Scripts

Every step needs to be taken on a journey, and this was one of them 🙂

Intune Autopilot – Prepopulate the Start menu


It might not be that popular with Windows 10, but every company wants a well-curated Start menu rather than the default delivered by Microsoft:

We have multiple options to configure the Start menu; I'm sure I don't know them all. But when it comes to Windows 10 and Intune Autopilot, we do not really have a good option, as far as I can tell. This blog tries to capture the options we currently have with Intune and Autopilot.

I checked the option to set the Start menu through the Intune settings:
Customize Windows 10 Start and taskbar with mobile device management (MDM)
But as already outlined in this Microsoft docs article, the Start menu will be locked, or at least partially locked:

And I do not want this behavior; I want to prepopulate the Start menu, but the user should be able to arrange it however they want afterwards. Then I thought of a provisioning package created with the Windows Configuration Designer. Unfortunately, there is no native option to deploy such a package through Windows Intune. You can vote on this UserVoice topic if you would like to change that:
Intune Feedback: Native deployment of provisioning packages as deployment type

With this, I was not able to find a working solution, since the Intune Management Extension only kicks in after the user has logged in, when the Start menu is already present.
I then thought of modifying a Windows 10 image and importing the Start menu layout modification. So I extracted a current Windows 10 1809 image with DISM and started with the modifications.

I added the automatic Autopilot registration to the Windows 10 image, and also the Start menu layout. To configure a modified Windows 10 installation with automatic Intune Autopilot registration, follow this article from Microsoft, except for the adjustments below:
Windows Autopilot for existing devices
Within this article, it is explained how you obtain the required JSON file, which we have to add to the image. If you follow the article, we just need to copy the JSON file to the following location:
$wim-MountDir\Windows\Provisioning\Autopilot
The folder does not exist and has to be created.

After this is done, we can add the Start menu modification to the extracted WIM file. Unfortunately I had no luck with the PowerShell command Import-StartLayout to add the modification to the image. So I simply copied my modified Start menu XML to the following location:
$wim-MountDir\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml
Make sure that the XML file is named “LayoutModification.xml”.

Once this is done, we can commit our changes to the WIM file by using DISM with /commit (handling of WIM files is documented on various blogs, like here).
I wanted to have a bootable ISO file which I can use in VMs as well as on removable storage. I failed at creating a bootable Windows 10 ISO multiple times, until I found this blog from Ed Tittel (twitter), which perfectly shows an example of creating a bootable ISO:
Create a Custom ISO for Windows 10 — Part 5 of 6
I just copy the example from there, to have it archived for sure:
oscdimg.exe -m -o -u2 -udfver102 -bootdata:2#p0,e,bd:\iso_files\boot\etfsboot.com#pEF,e,bd:\iso_files\efi\microsoft\boot\efisys.bin d:\iso_files d:\Win10PROx64.iso
(again, all credits go to Ed)
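The mount, copy and commit steps above, written as an added PowerShell example (not code from the post or from the Microsoft article). It uses the DISM module cmdlets Mount-WindowsImage and Dismount-WindowsImage, validates both input files before they are baked into the image, and discards the mount if anything fails; the working paths and the file name AutopilotConfigurationFile.json (the name used by the Microsoft article) are assumptions to adjust to your environment.

```powershell
# Added example: mount the extracted WIM, add the Autopilot JSON and LayoutModification.xml,
# then commit. Needs an elevated session and the DISM PowerShell module.
$ImagePath     = 'D:\work\install.wim'                     # assumed path of the extracted WIM
$ImageIndex    = 1                                         # index to customise; see Get-WindowsImage
$MountDir      = 'D:\work\mount'                           # the $wim-MountDir of the post
$AutopilotJson = 'D:\work\AutopilotConfigurationFile.json' # assumed, name as in the Microsoft article
$LayoutXml     = 'D:\work\LayoutModification.xml'          # assumed path of the exported layout

function Test-InputFiles {
    # Fail early: a malformed JSON or XML file would otherwise be silently baked into the image
    $null = Get-Content -Path $AutopilotJson -Raw | ConvertFrom-Json
    $null = [xml](Get-Content -Path $LayoutXml -Raw)
    return $true
}

function Add-ImageCustomisation {
    if (-not (Test-InputFiles)) { throw 'Input validation failed.' }
    if (-not (Test-Path -Path $MountDir)) { New-Item -Path $MountDir -ItemType Directory | Out-Null }
    Mount-WindowsImage -ImagePath $ImagePath -Index $ImageIndex -Path $MountDir | Out-Null
    try {
        # Autopilot profile: the folder does not exist in a stock image and has to be created
        $autopilotDir = Join-Path $MountDir 'Windows\Provisioning\Autopilot'
        New-Item -Path $autopilotDir -ItemType Directory -Force | Out-Null
        Copy-Item -Path $AutopilotJson -Destination (Join-Path $autopilotDir 'AutopilotConfigurationFile.json')

        # Start menu layout for the default profile; the file name must be LayoutModification.xml
        $shellDir = Join-Path $MountDir 'Users\Default\AppData\Local\Microsoft\Windows\Shell'
        New-Item -Path $shellDir -ItemType Directory -Force | Out-Null
        Copy-Item -Path $LayoutXml -Destination (Join-Path $shellDir 'LayoutModification.xml')

        # Write the changes back into the WIM (the equivalent of dism /commit)
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
    }
    catch {
        # Leave the WIM untouched if any step failed
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
        throw
    }
}

Add-ImageCustomisation
```

After the commit, the WIM goes into the ISO exactly as in the oscdimg line above.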

Ending up with a bootable ISO file, I tried it on a VM, and everything worked fine. The Autopilot profile kicked in, and the Start menu was as expected:

Intune – Deploy required user settings to Windows 10 with PowerShell


In this blog I would like to describe how I managed to set required user settings on Windows 10.
Since I still have an on-premises environment in which file servers reside and a DFS namespace is still up and running, I wanted to make sure to get the advantages of using the local network.
So here are my two use cases to solve:
1. Add a network location for the DFS path if the user is logged on on-premises
2. Modify the local “hosts” file to redirect the Work Folders clients to the file server internally

With these goals given, it was quite clear: it's scripting time again *happy*
So I decided to create a single script which I can use for both tasks. This means I need to check whether a user is running the script or whether it runs in system context. Because the DFS link resides within the user profile, the script needs to run in user context; on the other hand, the hosts file requires admin permissions for modifications. This is great, because within Intune we can easily select whether the script should run in user or system context:

My solution to check whether the script is running in system or user context is the following line (I will provide the whole script at the end):

And the second important question is: am I on the local network? For this, I simply check whether I can reach port 389 of a known domain controller in my network:

With that set, I was able to go ahead and define the settings that should get applied.
The first setting was creating a network location within Windows Explorer if the domain controller is reachable, and removing the link if the DC is not reachable. For the creation of the network location, I found a very nice function by Tom White on the TechNet Gallery:
Add-NetworkLocation – A function to create an advanced network location

I simply took this function and implemented it in my script.
The following section creates the link if a DC is available, or deletes the link otherwise:

This covers the user settings. Now it's up to the hosts file. For modifying the hosts file, I have to make sure that the script is running in system context, as it requires administrative permissions.
For adding or removing lines in the hosts file, I'm using these two functions (be aware that the search string is hard-coded):

So I then only need to trigger the correct function:

That's all for the script (again, for better readability of the blog, I post the whole script at the end), and I can go ahead and test the solution through Intune. Just create a PowerShell configuration twice with the same script, where one script is configured to run in user context and the other in system context. I created an Azure AD security group and added my test machine to it; this group I then used for both PowerShell configuration profiles.

And everything worked great:

So the first step, creating a script which does the job, is done. Next up would be to deploy the script to the clients, because the Intune configuration only runs the script once. I'm thinking about creating a script which creates two scheduled tasks, one for the user and one for the system. The scheduled tasks would then be configured to run at user logon. I am not sure about this yet, but I'm quite sure that I will write a blog about the final solution.

And here is the whole script:
Function Check-DCAvailable {
    param(
        [Parameter(Position=0, Mandatory=$true)][string]$DCToCheck
    )
    # Check if the DC answers on the LDAP port. Use the parameter, not the script-level
    # variable, so the function also works when called with another DC name.
    $LDAPTestResult = Test-NetConnection -ComputerName $DCToCheck -Port 389 -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    if ($LDAPTestResult.TcpTestSucceeded -ne $true) {
        Write-Host ("Domaincontroller was not answering: " + $DCToCheck) -ForegroundColor Yellow
        return $false
    }
    else {
        return $true
    }
}

function Remove-HostFileWorkFolderEntry {
    $hostFile = ($env:SystemRoot + "\System32\drivers\etc\hosts")
    $hostFileContent = Get-Content -Path $hostFile
    # Drop every line that mentions the Work Folders host name; all other lines pass through unchanged
    $hostFileContent = $hostFileContent | ForEach-Object {
        if ($_ -like "*workfolders.hosebei.ch*") { Write-Host ("Removing hosts entry: " + $_) } else { $_ }
    }
    $hostFileContent | Out-File $hostFile -Encoding ascii
}

function Add-HostFileWorkFolderEntry {
    $hostFile = ($env:SystemRoot + "\System32\drivers\etc\hosts")
    $hostFileContent = Get-Content -Path $hostFile
    # -contains compares whole lines and never matched "192.168.1.166 workfolders.hosebei.ch",
    # which appended a duplicate entry on every run; match the host name inside the line instead
    if (-not ($hostFileContent | Where-Object { $_ -like "*workfolders.hosebei.ch*" })) {
        $hostFileContent = $hostFileContent + "192.168.1.166 workfolders.hosebei.ch"
    }
    $hostFileContent | Out-File $hostFile -Encoding ascii
}

function Add-NetworkLocation
{
    [CmdLetBinding()]
    param
    (
        [Parameter(Mandatory=$true)][string]$networkLocationPath,
        [Parameter(Mandatory=$true)][string]$networkLocationName,
        [Parameter(Mandatory=$true)][string]$networkLocationTarget
    )
    Begin
    {
        Write-Verbose -Message "Network location path: `"$networkLocationPath`"."
        Write-Verbose -Message "Network location name: `"$networkLocationName`"."
        Write-Verbose -Message "Network location target: `"$networkLocationTarget`"."
        # desktop.ini content that marks the folder as a network location (CLSID2 = Network Shortcuts)
        Set-Variable -Name desktopIniContent -Option ReadOnly -Value ([string]"[.ShellClassInfo]`r`nCLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}`r`nFlags=2")
    }
    Process
    {
        Write-Verbose -Message "Checking that `"$networkLocationPath`" is a valid directory..."
        if(Test-Path -Path $networkLocationPath -PathType Container)
        {
            try
            {
                Write-Verbose -Message "Creating `"$networkLocationPath\$networkLocationName`"."
                [void]$(New-Item -Path "$networkLocationPath\$networkLocationName" -ItemType Directory -ErrorAction Stop)
                Write-Verbose -Message "Setting system attribute on `"$networkLocationPath\$networkLocationName`"."
                Set-ItemProperty -Path "$networkLocationPath\$networkLocationName" -Name Attributes -Value ([System.IO.FileAttributes]::System) -ErrorAction Stop
            }
            catch [Exception]
            {
                Write-Error -Message "Cannot create or set attributes on `"$networkLocationPath\$networkLocationName`". Check your access and/or permissions."
                return $false
            }
        }
        else
        {
            Write-Error -Message "`"$networkLocationPath`" is not a valid directory path."
            return $false
        }
        try
        {
            Write-Verbose -Message "Creating `"$networkLocationPath\$networkLocationName\desktop.ini`"."
            [object]$desktopIni = New-Item -Path "$networkLocationPath\$networkLocationName\desktop.ini" -ItemType File
            Write-Verbose -Message "Writing to `"$($desktopIni.FullName)`"."
            Add-Content -Path $desktopIni.FullName -Value $desktopIniContent
        }
        catch [Exception]
        {
            Write-Error -Message "Error while creating or writing to `"$networkLocationPath\$networkLocationName\desktop.ini`". Check your access and/or permissions."
            return $false
        }
        try
        {
            # The shortcut inside the folder is what Explorer opens when the location is clicked
            $WshShell = New-Object -ComObject WScript.Shell
            Write-Verbose -Message "Creating shortcut to `"$networkLocationTarget`" at `"$networkLocationPath\$networkLocationName\target.lnk`"."
            $Shortcut = $WshShell.CreateShortcut("$networkLocationPath\$networkLocationName\target.lnk")
            $Shortcut.TargetPath = $networkLocationTarget
            $Shortcut.Description = "Created $(Get-Date -Format s) by $($MyInvocation.MyCommand)."
            $Shortcut.Save()
        }
        catch [Exception]
        {
            Write-Error -Message "Error while creating shortcut @ `"$networkLocationPath\$networkLocationName\target.lnk`". Check your access and permissions."
            return $false
        }
        return $true
    }
}

#-----------------------------
# Main Script
# Variables
$LocalDomainController = "hosebeidc02.deheim.hosebei.ch"

# Determine if the script was started as SYSTEM (Intune "run in system context")
$bSystemContext = ([Security.Principal.WindowsIdentity]::GetCurrent()).IsSystem

if ($bSystemContext -eq $false) {
    # Execute user section

    # Create network links
    if (Check-DCAvailable -DCToCheck $LocalDomainController) {
        # DC was found, we can assume getting a Kerberos ticket for accessing SMB shares
        Write-Host ("Connecting network locations") -ForegroundColor Green

        # Test if the Hosebei DFS link exists; if not, create it
        Write-Host ("Connecting Hosebei DFS") -ForegroundColor Green
        if ((Test-Path -Path "$env:APPDATA\Microsoft\Windows\Network Shortcuts\Hosebei DFS") -ne $true) {
            $null = Add-NetworkLocation -networkLocationPath "$env:APPDATA\Microsoft\Windows\Network Shortcuts" -networkLocationName "Hosebei DFS" -networkLocationTarget "\\deheim.hosebei.ch\hosebeiDFSroot"
        }
    }
    else {
        # Remove existing links
        Write-Host ("Removing network locations") -ForegroundColor Yellow

        # Test if the Hosebei DFS link exists; if so, remove it
        Write-Host ("Remove Hosebei DFS Link due to no DC Access") -ForegroundColor Yellow
        if ((Test-Path -Path "$env:APPDATA\Microsoft\Windows\Network Shortcuts\Hosebei DFS") -eq $true) {
            Remove-Item -Path "$env:APPDATA\Microsoft\Windows\Network Shortcuts\Hosebei DFS" -Force -Recurse
        }
    }
}
else {
    # Execute system section

    # Modify the hosts file for Work Folders access
    if (Check-DCAvailable -DCToCheck $LocalDomainController) {
        # DC was found, we can directly access the file server
        Add-HostFileWorkFolderEntry
    }
    else {
        # No DC was found, we need to sync Work Folders through the Azure AD Application Proxy
        Remove-HostFileWorkFolderEntry
    }
}
