IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Intune

Intune: RemoteWipe fails to execute on Windows 10 client with "The request is not supported"

Another surprise from Intune – I tried to Wipe a Win 10 Client remotely from the Intune Console and it failed with the above-mentioned error on the Client.

There are a couple of articles related to what can cause that:

https://support.microsoft.com/en-hk/help/4034985/intune-remotewipe-fails-to-execute-on-windows-10-client-with-the-reque

and

https://support.microsoft.com/en-ca/help/4039769/remotewipecommandfailstoexecuteonwindows10clientwiththerequestisnotsup

but my case was not documented – I had an encrypted data drive connected to my test VM (I tested BitLocker on data drives). As soon as I removed the drive and refreshed the policy, the device was wiped.

I am wondering what I will do if I have this situation in prod and removing the drive is not an option?

Interestingly enough, FreshStart AKA CompleteWipe works just fine…
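
A pre-wipe check for the condition described in this post, as an added example that is not part of the original post: it lists BitLocker-encrypted data volumes attached to the client. It assumes an elevated session and the built-in BitLocker module; the function name Get-EncryptedDataVolume is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): report BitLocker-encrypted
# data volumes attached to this client before a remote wipe is requested.
# Get-EncryptedDataVolume is a hypothetical helper name.

function Get-EncryptedDataVolume {
    [CmdletBinding()]
    param()

    # Keep non-OS (data) volumes only. Anything that is not fully decrypted
    # counts, including locked volumes whose status cannot be read.
    Get-BitLockerVolume |
        Where-Object {
            $_.VolumeType -eq 'Data' -and "$($_.VolumeStatus)" -ne 'FullyDecrypted'
        } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                      LockStatus, EncryptionPercentage
}

$encrypted = @(Get-EncryptedDataVolume)

if ($encrypted.Count -eq 0) {
    Write-Output 'No encrypted data volumes attached.'
    exit 0
}

# Show what was found and signal it through the exit code.
$encrypted | Format-Table -AutoSize | Out-String | Write-Output
Write-Warning ('{0} encrypted data volume(s) attached.' -f $encrypted.Count)
exit 1
```

The non-zero exit code lets the check gate a wipe runbook or feed a compliance report.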


Intune: Remove Microsoft Teams shortcut

I am in the middle of a Windows Autopilot project. The Customer wants Microsoft Teams to be a part of the Application set we install.

We are also implementing OneDrive Known Folder Move (KFM) to redirect the desktop to OneDrive for Business.

The problem is related to Teams behaviour – it installs its shortcut on a user desktop every time it is installed. As a result we have multiple Teams shortcuts after each device wipe – Teams creates a shortcut and after that another shortcut is synchronized by KFM from OneDrive.

I spent a while trying to find a solution to disable Teams shortcut creation, but it looks like at this time Microsoft does not provide any policy/registry settings to prohibit that.

So, I decided to delete the excessive shortcut using a PowerShell script. The problem with that is Intune behaviour – it runs a script only once. From my experience KFM kicks in quite a while after the user logon, so a PowerShell script added to the process will just miss it.

After all I decided to create a Win32 application in Intune and set up a detection rule to be sure the App will run (and re-run) when it is required.

Here is the removeshortcut.ps1 script to delete the excessive shortcuts

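# Resolve the current user's desktop (follows KFM redirection) and delete the numbered duplicate shortcuts
$DesktopPath = [Environment]::GetFolderPath("Desktop")
Remove-Item -Path "$DesktopPath\*" -Filter "Microsoft Teams (*.lnk"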

Here is install.cmd acting as “Install” in win32 app

powershell.exe -ExecutionPolicy Bypass -Command "& '.\removeshortcut.ps1'"

Here is detection.ps1 script for win32 application

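# Intune treats the app as detected when the script exits 0 and writes to STDOUT,
# so output is written only when no duplicate shortcut is left on the desktop.
$DesktopPath = [Environment]::GetFolderPath("Desktop")
if (-Not (Test-Path -Path "$DesktopPath\Microsoft Teams (*.lnk")) { Write-Host "missing" }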

After that I packaged the "application" using the IntuneWinAppUtil.exe tool and created a Win32 Application in Intune (it must be run in User context) and assigned it to a group of Users.

On the first run it successfully removed the shortcuts. I put them back to see when Intune realizes the "application" is not installed and runs the command again. Unfortunately, according to the MS doc, re-evaluation will happen in 24 hours… https://docs.microsoft.com/en-us/intune/apps-add

Intune: Configure Intune NDES Connector to get User certificates from Digicert (Symantec) Web Services

One of my Customers, moving everything to Azure, decided to replace internal Microsoft PKI with a managed solution from Digicert (Digicert bought the Symantec certificate business recently).

At the present time Microsoft has an article describing Intune Configuration with Symantec PKI Manager Web Service: https://docs.microsoft.com/en-us/intune/certificates-symantec-configure

Unfortunately, it is not very clear what needs to be configured on the Symantec (sorry, Digicert) side and I spent some time getting it working.

So, first of all, you need to talk to Digicert and get a Managed PKI environment.

After that, as per the article, generate a managed certificate and deploy your Managed PKI environment Root cert using Intune. It should be easy.

I took this certificate:


After that you need to add a certificate profile on the Symantec side (the MS article does not provide any details on it):

I select Client Authentication (User)


Give your template a friendly name, select PKI Web Services as the Enrollment method and click Advanced Options.

Now we need to do an interesting trick. It is in the "Troubleshooting" section of the Microsoft article and apparently is required if your UPN has special characters. I needed it even though my UPN did not have them… So:

– Click Add field and select Common Name (CN) and Webservice Request. That will create a new Common Name tab at the bottom. DO NOT click Save

– Delete the old Common Name (CN) at the top of the list.


– You can customize other parameters. For example, I added an email as a Subject Alternative Name


– Now you can save

Copy the Certificate Template OID; you will need it for Intune.

At this point you can Download/Install Intune Connector. The procedure is described well in the Microsoft article.

When the connector is up, you can create an Intune PKCS 10 profile (I also added EKU even though it is not in the doc).


Save the settings, click Create the profile and assign it to a group of users.

After the Intune policy update, the certificate should be requested by Intune on the Client's behalf and deployed to your device.

Azure: Deploy OneDrive Known Folder Move with Intune

I am preparing for an Autopilot project for one of my Customers. Microsoft recommends using OneDrive for Business for User data migration.

I tried a couple of approaches to achieve this with Intune:

1. Using OMA-DM as per Deploy OneDrive KFM with Microsoft Intune OMA-URI

2. Using Powershell Management Extension: How to deploy OneDrive Known Folder Move with Intune

Both approaches work; personally I prefer OMA-DM, hoping Microsoft will add this option to the standard profile options.

SCCM: Co-management setup with SCCM Client installation

I decided to set up a test lab for co-management. Here is what I have:

Azure AD tenant. In addition to Primary *.onmicrosoft.com I have multiple custom domains registered.

SCCM 1806 on-prem

I started from deploying CMG as demonstrated in Justin’s video: https://www.youtube.com/watch?v=kTOPhVHyZtE 

The only difference – I did not use an internal domain name for CMG, just left it as myname.cloudapp.net. That allowed me to avoid the CNAME requirement.

After that I configured co-management as per https://www.youtube.com/watch?v=rTapalSHv6U but unfortunately the SCCM client was not installed on my test machine joined to Azure AD.

I am using enhanced HTTP on the SCCM side; my internal MP operates in HTTP mode and there is no certificate installed on the Client. I tried to be as close as possible to a real BYOD scenario.

After some troubleshooting I sent the question to the Technet forums: https://social.technet.microsoft.com/Forums/en-US/4a7bb933-0f6e-4588-a5a1-c3b71f38d090/sccm-1806-client-installation-from-cmgdp?forum=ConfigMgrMDM

Based on the forum discussion I replaced the Intune MSI-based SCCM Client deployment with a Win32 App, which Microsoft currently has in preview. Just as Martin recommended: https://www.imab.dk/deploy-the-sccm-client-using-microsoft-intune-and-the-cloud-management-gateway-no-pki-certificates/

Nick provided great help with token troubleshooting. I found his article here: https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/

And do not forget to Approve the Client in the SCCM console (at least in my case it was a workgroup machine and auto-approval was not enabled on SCCM).

It took ~15 min after approval before the Client got policy from the SCCM MP.

In the end everything is working, but it took some time with research and troubleshooting…

Nokia Lumia 835: Camera application failed “Something went wrong”

I tried to take a quick photo and got a "Something went wrong" error on my phone.

I searched the Internet a bit and it looked like the issue is widespread and people most often send the device to service since it is a hardware issue.

I was almost there, but decided to think again about whether I had changed anything recently. Sure enough, I had tested Microsoft Intune mobile device management and enrolled my phone in it. Even though the "Camera off" policy was not enabled there, it looks like it broke the device somehow.

So, I un-enrolled from Intune and tried the camera again. Now it works!

Bottom line, I am not saying it will fix the issue in all cases, but it is at least worth trying to un-enroll your device from any sort of Mobile Device Management solution (if you have rights) and try without it.

Intune: Microsoft Application links for iOS and Android

Joe Kuster compiled a list of links we can use with Intune to populate the Corp Portal with MS apps. Thank you Joe!

iOS

Microsoft Word: https://itunes.apple.com/us/app/microsoft-word/id586447913?mt=8

Microsoft Excel: https://itunes.apple.com/us/app/microsoft-excel/id586683407?mt=8

Microsoft PowerPoint: https://itunes.apple.com/us/app/microsoft-powerpoint/id586449534?mt=8

Microsoft OneDrive: https://itunes.apple.com/us/app/onedrive-cloud-storage-for/id477537958?mt=8

Microsoft OneNote for iPhone: https://itunes.apple.com/us/app/microsoft-onenote-for-iphone/id410395246?mt=8

Microsoft OneNote for iPad: https://itunes.apple.com/nl/app/microsoft-onenote-voor-ipad/id478105721?mt=8

Microsoft Intune Managed Browser: https://itunes.apple.com/us/app/microsoft-intune-managed-browser/id943264951?mt=8

Work Folders: https://itunes.apple.com/us/app/work-folders/id950878067?mt=8

OWA for iPhone: https://itunes.apple.com/us/app/owa-for-iphone/id659503543?mt=8

Lync: https://itunes.apple.com/us/app/lync-2013-for-iphone/id605841731?mt=8

RD Client: https://itunes.apple.com/us/app/microsoft-remote-desktop/id714464092?mt=8

Sunrise Calendar: https://itunes.apple.com/us/app/sunrise-calendar-outlook-app/id599114150?mt=8

Office Lens: https://itunes.apple.com/us/app/office-lens/id975925059?mt=8

OneDrive for Business: https://itunes.apple.com/us/app/onedrive-for-business-replaced/id655772279?mt=8

Office 365 Admin: https://itunes.apple.com/us/app/office-365-admin/id761397963?mt=8

Office 365 Message Encryption Viewer: https://itunes.apple.com/us/app/office-365-message-encryption/id942328937?mt=8

SharePoint Newsfeed: https://itunes.apple.com/us/app/sharepoint-newsfeed/id595847617?mt=8

Office Sway: https://itunes.apple.com/us/app/office-sway/id929856545?mt=8

Dynamics CRM: https://itunes.apple.com/us/app/dynamics-crm-for-phones-express/id723891307?mt=8

Azure Authenticator: https://itunes.apple.com/us/app/azure-authenticator/id983156458?mt=8

MyApps: https://itunes.apple.com/us/app/my-apps-azure-active-directory/id824048653?mt=8

PowerBI: https://itunes.apple.com/us/app/microsoft-power-bi/id929738808?mt=8

Office Delve: https://itunes.apple.com/us/app/office-delve-for-office-365/id969258781?mt=8

RMS Sharing: https://itunes.apple.com/us/app/rms-sharing/id689516635?mt=8

Office 365 Video: https://itunes.apple.com/us/app/office-365-video-for-iphone/id953685679?mt=8

Outlook: https://itunes.apple.com/us/app/microsoft-outlook/id951937596?mt=8

Android

Microsoft Word: https://play.google.com/store/apps/details?id=com.microsoft.office.word

Microsoft Excel: https://play.google.com/store/apps/details?id=com.microsoft.office.excel

Microsoft PowerPoint: https://play.google.com/store/apps/details?id=com.microsoft.office.powerpoint

Microsoft OneDrive: https://play.google.com/store/apps/details?id=com.microsoft.skydrive

Microsoft Intune Managed Browser: https://play.google.com/store/apps/details?id=com.microsoft.intune.mam.managedbrowser&hl=en

Microsoft Intune PDF Viewer: https://play.google.com/store/apps/details?id=com.microsoft.intune.mam.pdfviewer&hl=en

Microsoft Intune Image Viewer: https://play.google.com/store/apps/details?id=com.microsoft.intune.mam.imageviewer&hl=en

Microsoft Intune AV Player: https://play.google.com/store/apps/details?id=com.microsoft.intune.mam.avplayer&hl=en

Microsoft Office Hub: https://play.google.com/store/apps/details?id=com.microsoft.office.officehub

Office Lens: https://play.google.com/store/apps/details?id=com.microsoft.office.officelens

Microsoft Account: https://play.google.com/store/apps/details?id=com.microsoft.msa.authenticator

Sunrise Calendar: https://play.google.com/store/apps/details?id=am.sunrise.android.calendar

Outlook: https://play.google.com/store/apps/details?id=com.microsoft.office.outlook

OneNote: https://play.google.com/store/apps/details?id=com.microsoft.office.onenote

Remote Desktop Client: https://play.google.com/store/apps/details?id=com.microsoft.rdc.android

Lync 2013: https://play.google.com/store/apps/details?id=com.microsoft.office.lync15

Office Remote: https://play.google.com/store/apps/details?id=com.microsoft.office.officeremote

Keyboard for Excel: https://play.google.com/store/apps/details?id=com.microsoft.keyboardforexcel

OWA for Android: https://play.google.com/store/apps/details?id=com.microsoft.exchange.mowa

Office 365 Admin: https://play.google.com/store/apps/details?id=com.ms.office365admin

MyApps: https://play.google.com/store/apps/details?id=com.microsoft.myapps

OneNote: https://play.google.com/store/apps/details?id=com.microsoft.office.onenote.wear

SCCM: Intune and SCCM–ways to do MDM

Found a nice article on Technet clearly explaining when you may want to integrate Intune and SCCM and when to use Intune as a standalone product: https://technet.microsoft.com/en-US/library/dn957912.aspx