8 Feb.

Intune Updates February 2017 – Part 1

We are still in early February, but a few updates have rolled out late last month and early this month, below you will find a summary of these, which include app updates, and portal updates. I’ve received notification that one of my Intune tenants is going to be migrated early so that I can test things out without having to keep spinning up new trial tenants.

New Capabilities

In-console reports for MAM without enrollment

New app protection reports have been added for both enrolled devices and devices that have not been enrolled. Find out more about how you can monitor mobile app management policies with Intune here.


Company Portal for iOS links open inside the app

Links inside of the Company Portal app for iOS, including those to documentation and apps, will open directly in the Company Portal app using an in-app view of Safari. This update will ship separately from the service update in January.

Modernizing the Company Portal website

Beginning in February, the Company Portal website will support apps that are targeted to users who do not have managed devices. The website will align with other Microsoft products and services by using a new contrasting color scheme, dynamic illustrations, and a “hamburger menu,” Company Portal website hamburger menu which will contain helpdesk contact details and information on existing managed devices. The landing page will be rearranged to emphasize apps that are available to users, with carousels for Featured and Recently Updated apps. You can find before and after images available on the What’s new in the Intune app UI page.

Progress bar when launching the Company Portal on iOS

The Company Portal for iOS is introducing a progress bar on the launch screen to provide the user with information about the loading processes that occur. There will be a phased rollout of the progress bar to replace the spinner. This means that some of your users will see the new progress bar while others will continue to see the spinner.

^ Scroll to Top
 8 Feb.

Azure MFA VPN Support In Preview

When running through the different pieces of Enterprise Mobility + Security with those who are focused on the cloud only components, it usually comes as a surprise to see how many different on-premises services can be extended with the different EMS components. The one that people know about is AADConnect, but Intune has connectors for Configuration Manager, Exchange and Simple Enrolment Protocol, AIP/RMS has the Azure RMS connector, and of course Advanced Threat Analytics is deployed by the customer. The MFA server is also available, and today’s announcement highlights some changes that are in the pipeline.

First of all it’s worth mentioning that the announcement focuses solely on potentially reducing or eliminating the requirement for MFA Server for some VPN scenarios, it doesn’t target the other scenarios that MFA Server addresses such as extending ADFS authentication methods, IIS app integration, RDS broker support and general purpose RADIUS and LDAP authentication. Remember that you need AAD Premium P1 or P2 licensing for Azure MFA server, so you can buy those standalone or as part of EMS E3 or E5.

So what does it do? Well, as the article suggests, this focuses on providing a cloud based MFA server for VPN without the on-premises MFA Server requirement. Instead it requires the installation of the NPS extension for Azure MFA, which supports the following operating systems. The list looks like it might need to be cleaned up a little, it references some previews and release candidates for versions of Windows Server that are no longer supported, but I think the final one listed sums it up.

Windows Server 2008 R2 SP1, Windows Server 2008 Service Pack 2, Windows Server 2012, Windows Server 2012 Beta Essentials, Windows Server 2012 Datacenter, Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials , Windows Server 2012 R2 Preview, Windows Server 2012 R2 Standard , Windows Server 2012 Release Candidate, Windows Server 2012 Standard, Windows Server 2016, Windows Server 2008 R2 SP1 or above with the NPS component enabled


The installation instructions provided, for those wanting to give it a try…

1. Run Setup.exe on your existing NPS Server

2. Run the PowerShell script from C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive)

For full details on the preview, head on over to Augment your existing authentication infrastructure with the NPS extension for Azure Multi-Factor Authentication – Public preview for more information, and keep an eye on the questions that are getting asked there in case anything relevant pops up.


^ Scroll to Top
 4 Feb.

Intune Groups Migrating to Azure AD Groups Email Notification

For those of you not actively monitoring your tenant administrator email accounts, it’s worth reading the content of a message that was just sent out to advise of some changes that are coming through as part of the migration process.


Intune Groups Migrating to Azure AD Groups

Dear Tenant Administrator,

Microsoft Intune is a Mobile device management, mobile application management, and PC management solution from Microsoft. Intune is the mobility solution in Enterprise Mobility & Security (EMS) or can be purchased as a standalone service.

Over the next few months, Intune is migrating all Intune groups over to Azure AD groups. What does this mean to you? As an Azure AD admin, you’ll start to see Intune groups in your Azure AD infrastructure. Please do not delete these groups; they’ll pop in there in preparation for migration, then will be populated by our migration engine.

We’re excited to bring Intune groups over to Azure AD groups as this will provide an improved experience for our Intune service admins. Migration will also allow Intune admins to use the new Intune on Azure experience currently in preview at portal.azure.com.

If you have any questions on the grouping and migrating experience, please look at the docs here: https://aka.ms/new_grouping_experience_admin. Alternatively, if you have any questions on migration, reach out to our grouping migration team intunegrps@microsoft.com or support.

Thank you, Microsoft Intune


^ Scroll to Top
 3 Feb.

New Configuration Service Providers for Windows 10 1703

Over on the recently updated What’s new in MDM enrollment and management page on MSDN new CSPs have been added for 1703. You can also check out the update listings for 1511 and 1607 while you are there, along with the change history.

What’s new in Windows 10, version 1703

Item Description
New nodes in Update CSP Added the following nodes to the Update CSP:

  • FailedUpdates/Failed Update Guid/RevisionNumber
  • InstalledUpdates/Installed Update Guid/RevisionNumber
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber
CM_CellularEntries CSP To PurposeGroups setting, added the following values:

  • Purchase – 95522B2B-A6D1-4E40-960B-05E6D3F962AB
  • Administrative – 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
CellularSettings CSP

CM_CellularEntries CSP

EnterpriseAPN CSP

For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.
SecureAssessment CSP Added the following settings:

  • AllowTextSuggestions
  • PrintingCapability
  • ScreenCaptureCapability
Messaging CSP Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enteprise editions.
Policy CSP Added the following new policies:

  • DeliveryOptimization/DOAllowVPNPeerCaching
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
  • DeliveryOptimization/DOMinFileSizeToCache
  • DeliveryOptimization/DOMinRAMAllowedToPeer
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • EnterpriseCloudPrint/CloudPrintResourceId
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • Privacy/LetAppsGetDiagnosticInfo
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
  • Privacy/LetAppsRunInBackground
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
DevDetail CSP Added the following setting: DeviceHardwareData.
CleanPC CSP Added new CSP.
DeveloperSetup CSP Added new CSP.
^ Scroll to Top
 31 Jan.

Changes to Access Work Or School in Windows 10 Insider Preview

One of the things that Windows 10 Azure Active Directory join with Intune auto enrolment is that it has protected me from some of the changes that were taking place in the Windows Settings UI for Access Work Or School. With the Anniversary Update there were some changes that made it harder to figure out what was happening, especially around clarity in joining Azure AD versus just performing a device enrolment. With the current Insider preview builds, steps have been taken to address this, and you’ll see them in screenshots further in this post.

The auto enrolment capability is provided by Azure Active Directory Premium, and needs to be enabled in the Intune app settings in the Azure portal, so it’s not something a free Azure Active Directory tenant or Office 365 user would see unless they had licensed AAD Premium or EMS separately. Sure, it’s not hard to enrol a device manually, but it is easy enough to automate. That’s not the topic of today’s post though, I’ll focus on the UI changes in Windows Insider Preview 15019. In the screenshots below I have the Insiders build on the left, and 1607 on the right.

On the left under Related settings you can see Enroll only in device management making a welcome appearance, which helps to differentiate it from the Connect option above, which provides device registration by default.


On both builds, Connect provides the same screen. You can see here that this performs device registration, as you have to click in Alternate actions to for Join this device to Azure Active Directory.

On the left in the Insiders Preview, I’ve selected Enroll Only in Device Management, but I’ve left the Connect screen on the right.

As I mentioned above, some of the previous changes here have lead to confusion, and hopefully some of these changes make it easier to follow the required steps for end user driven enrollments.


^ Scroll to Top
 29 Jan.

Pointing to “manage.microsoft.com” will no longer work for enrollment

For those of you not actively monitoring the Office 365 Message Center, you might have missed the plan for change message that was posted on January 27. Below you will find the details of the message. If you need more details, take a look at Enroll Windows Phone and Windows 10 Mobile Devices and Enroll Windows PCs As Mobile Devices.

Pointing to “manage.microsoft.com” will no longer work for enrollment


Published On : January 27, 2017

Expires On : March 27, 2017

Action required by

When your users enroll their Windows devices, in Intune, the enrollment server can be automatically discovered if you have a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com. If no enrollment CNAME record is found, users are prompted to manually enter the Mobile Device Management (MDM) server name, https://manage.microsoft.com. Manage.microsoft.com is being deprecated and will no longer work for enrolling devices, beginning February 11.

How does this affect me?

If you have a CNAME in DNS that maps to manage.microsoft.com, it won’t work after this change takes effect. If you tell your users to enter manage.microsoft.com if their device fails to find an enrollment server, those instructions won’t work after this change takes effect. If you already have a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com, and the enrollment server is accessible by the user devices, this change will not impact you.

What do I need to do to prepare for this change?

If you currently have a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com, replace it with a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com. if you currently reference manage.microsoft.com in your user training for Windows MDM enrollment, update it (for both Phone and PCs.) to enrollment.manage.microsoft.com. For more information about configuring Windows enrollment, please click Additional Information.

Additional information

^ Scroll to Top
 25 Jan.

Microsoft announces Intune for Education

Microsoft announced Intune for Education, a customised version of Intune to help education administrators deploy and manage devices and applications, as well as PC settings. With a recent update on Intune User Voice highlighting the incorporation of Apple VPP for Education, this should make the Intune in education story a much better one.

If you missed the announcement it may have been because it was posted on the Windows blog, where they also make some new low cost PC announcements as well. You can sign up for more information at http://aka.ms/intuneforedu but for now, here are a few screenshots of the new interface, if you want to see it in action watch the video at the bottom of the post.

From this screenshot you can see that this is leveraging the Azure Portal.

School Data Sync is on of the features discussed.

An alternate view of where you deploy apps and settings.


Choosing Windows Store apps to deploy, made easy

Applying settings made easy.

^ Scroll to Top
 23 Jan.

Power BI Content Pack for Azure Active Directory

The Power BI team have announced the Power BI Content Pack for Azure Active Directory, and it’s a great way to get additional reporting insights from your Azure Active Directory Premium subscriptions. It’s easy enough to set up, I had it enabled within a few minutes, but I haven’t had too much of a chance to dig in just yet.

First select Azure Active Directory Activity Logs

Click Get It Now

You can choose OAuth2 as I have here to connect in to a non-federated tenant.

Enter the tenant name (you can use yourcompany.com or yourtenant.onmicrosoft.com)

And there’s the default dashboard.

^ Scroll to Top
 12 Jan.

Microsoft Intune January 2017 Updates

This month’s Intune updates have just been published, and includes updates for Android, iOS and Windows 10. Take a look below at the full update announcement from the Intune team.

New Capabilities

Android 7.1.1 support

Intune now fully supports and manages Android 7.1.1.

Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them

When users’ devices lose contact with Intune, you can give them new troubleshooting steps to help them regain access to company resources. See Devices are inactive, or the admin console cannot communicate with them.+


Defaulting to managing Windows desktop devices through Windows settings

The default behavior for enrolling Windows 10 desktops is changing. New enrollments will follow the typical MDM agent enrollment flow rather than through the PC agent.

The Company Portal website will provide Windows 10 desktop users with enrollment instructions that guide them through the process of adding Windows 10 desktop computers as mobile devices. This will not impact currently enrolled PCs, and your organization can still manage Windows 10 desktops using the PC agent if you prefer.

Improving mobile app management support for selective wipe

End users will be given additional guidance on how to regain access to work or school data if that data is automatically removed due to the “Offline interval before app data is wiped” policy.

New documentation for app protection policies

We have updated our documentation for admins and app developers who want to enable app protection policies (known as MAM policies) in their iOS and Android apps using the Intune App Wrapping Tool or Intune App SDK.+

The following articles have been updated:


The following articles are new additions to the docs library:+

^ Scroll to Top
 12 Jan.

January Updates To The Intune Preview In Azure

As we get closer to Intune moving over to the Azure portal, there are a few updates that have already worked their way in since the initial preview release last month. The best way to check out all of the new capabilities is a with a new trial tenant, as opposed to waiting for your production or existing test tenants to be updated. As you’ll see in a few of the screenshots below, this is the path I had to go down to expose the preview functionality.

Custom app categories

You can now create, edit, and assign categories for apps you add to Intune. Currently, categories can only be specified in English.

Let’s take a look at how we do this.

First up I need to add an app, and one of the new capabilities is the ability to search directly for the app from within the portal. This means you don’t have to search, copy and past the URL etc.

Searching for Word gives a few hits, but obviously it’s the first one that I need to select.

Once selected, we can move to App Information > Configure, where you will see some of the fields are pre-populated, but you will still need to add some information manually and change fields like the App Description. You will also notice that the Word icon is presented.

Assign line of business apps whether or not devices are enrolled

You can now assign line of business and apps from the store to users whether or not their devices are enrolled with Intune. If the users device is not enrolled with Intune, they must go to the Company Portal website to install it, instead of the Company Portal app.

Resolve issue where iOS devices are inactive, or the admin console cannot communicate with them

When users’ devices lose contact with Intune, you can give them new troubleshooting steps to help them regain access to company resources. See Devices are inactive, or the admin console cannot communicate with them.

^ Scroll to Top

%d bloggers like this: