8 Dec.

Azure AD Connect Now Supported On Windows Server 2016

Another update for Windows Server 2016 compatibility – you can now download and install Microsoft Azure Active Directory Connect with Windows Server 2016 as a supported platform.


Version: 1.1.371.0
File Name: AzureADConnect.msi
Date Published: 12/7/2016
File Size: 78.1 MB
Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:
    • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
    • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
    • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
    • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

System Requirements

Supported Operating System

Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

For more information, please refer to


Install Instructions

For more information, please refer to


 8 Dec.

Updated Intune MAM With And Without MDM App List December 2016

Last month I created the table in this post to highlight the mobile apps that are MAM and MDM enabled with Intune, and this month there are some updates. Let’s start with the Android piece.

Android MAM only apps available through the portal last month gave us 11 apps.


This month you can see the new additions – Dynamics CRM and SharePoint.

iOS MAM apps available through the portal – no updates this month.

Below is the updated table, based on information found in the Intune-enlightened apps as well as the most recent updates and announcements. With the recent announcement of the new Intune SDK availability, we should start seeing some third party apps dropping in to the currently ISV free territory.

MAM with MDM MAM without MDM Multi-Identity
Acronis Access iOS
Adobe Acrobat Android
Box for EMM iOS
Foxit Mobile PDF Android
Microsoft Dynamics CRM iOS
Microsoft Excel iOS
Microsoft Intune Managed Browser iOS
Microsoft OneDrive For Business iOS
Microsoft OneNote iOS iOS
Microsoft Outlook iOS
Microsoft PowerPoint iOS
Microsoft PowerBI iOS
Microsoft Remote Desktop iOS
Microsoft RMS Sharing/Azure Information Protection iOS
Microsoft SharePoint iOS
Microsoft Skype For Business iOS
Microsoft Word iOS
Microsoft Work Folders iOS
Outlook Groups iOS
SAP Fiori
Yammer iOS
 8 Dec.

Intune December 2016 Updates

There have been several new announcements over the last few days regarding EMS, but the one that many have been holding out for is the public preview of the Intune admin experience in the Azure Portal. While we can’t quite lay our Silverlight dependency to rest just yet, it’s getting closer. We’ve had MAM without enrolment in the Azure Portal for quite a while, recently user groups have moved out of Intune groups, and now the new portal preview.

What’s in the preview?

December 2016 (initial release)

  • Deploy and manage apps from a store to iOS, Android, and Windows devices
  • Deploy and manage line of business (LOB) apps to iOS, Android, and Windows devices
  • Deploy and manage volume-purchased apps to iOS, and Windows devices
  • Deploy and manage web apps for Android, iOS, and Windows devices
  • Volume-purchased apps for iOS (business and education)
  • iOS managed app configuration profiles
  • Configure app protection policies, and deploy line of business apps to devices that are not enrolled with Intune
  • VPN profiles, per-app VPN, Wi-Fi, email, and certificate profiles
  • Compliance policies
  • Conditional access for Azure AD
  • Conditional access for On-Premises Exchange
  • Device enrollment
  • Role-based access control

Here are the Intune team’s updates for December 2016.

Public preview of the new Intune admin experience on Azure

In early calendar year 2017 we will be migrating our full admin experience onto Azure, allowing for powerful and integrated management of core EMS workflows on a modern service platform that’s extensible using Graph APIs.

New trial tenants will start to see the public preview of the new admin experience in the Azure portal this month. While in preview state, capabilities and parity with the existing Intune console will be delivered iteratively.

The admin experience in the Azure portal will use the already announced new grouping and targeting functionality; when your existing tenant is migrated to the new grouping experience you will also be migrated to preview the new admin experience on your tenant. In the meantime, if you want to test or look at any of the new functionality until your tenant is migrated, sign up for a new Intune trial account or take a look at the new documentation.

If you have any questions about the timeline for your tenant’s migration, contact our migration team at intunegrps@microsoft.com.

Telecom expense management integration in public preview of Azure portal

We are now beginning to preview integration with third-party telecom expense management (TEM) services within the Azure portal. You can use Intune to enforce limits on domestic and roaming data usage. We are beginning these integrations with Saaswedo.

New Capabilities

Multi-factor authentication across all platforms

You can now enforce multi-factor authentication (MFA) on a selected group of users when they enroll an iOS, Android, Windows 8.1+, or Windows Phone 8.1+ device from the Azure Management Portal by configuring MFA on the Microsoft Intune Enrollment application in Azure Active Directory.


Ability to restrict mobile device enrollment

Intune is adding new enrollment restrictions that control which mobile device platforms are allowed to enroll. Intune separates mobile device platforms as iOS, macOS, Android, Windows and Windows Mobile.

    • Restricting mobile device enrollment does not restrict PC client enrollment.
    • For iOS only, there is one additional option to block the enrollment of personally owned devices.


Intune marks all new devices as personal unless the IT admin takes action to mark them as corporate owned, as explained in this article.


Multi-Factor Authentication on Enrollment moving to the Azure portal

Previously, admins would go to either the Intune console or the Configuration Manager (earlier than release October 2016) console to set MFA for Intune enrollments. With this updated feature, you will now login to the Microsoft Azure portal using your Intune credentials and configure MFA settings through Azure AD. Learn more about this here.

Company Portal app for Android now available in China 

We are publishing the Company Portal app for Android for download in China. Due to the absence of Google Play Store in China, Android devices must obtain apps from Chinese app marketplaces. The Company Portal app for Android will be available for download on the following stores:


The Company Portal app for Android uses Google Play Services to communicate with the Microsoft Intune service. Since Google Play Services are not yet available in China, performing any of the following tasks can take up to 8 hours to complete.

| Intune Admin Console | Intune Company Portal app for Android | Intune Company Portal Website |
| --- | --- | --- |
| Full wipe | Remove a remote device | Remove device (local and remote) |
| Selective wipe | Reset device | Reset device |
| New or updated app deployments | Install available line-of-business apps | Device passcode reset |
| Remote lock | | |
| Passcode reset | | |


Firefox to no longer support Silverlight

Mozilla is removing support for Silverlight in version 52 of the Firefox browser, effective March 2017. As a result, you will no longer be able to log in to the existing Intune console using Firefox versions greater than 51. We recommend using Internet Explorer 10 or 11 to access the admin console, or a version of Firefox prior to version 52. Intune’s transition to the Azure portal will allow it to support a number of modern browsers without dependency on Silverlight.

Removal of Exchange Online mobile inbox policies

Beginning in December, admins will no longer be able to view or configure Exchange Online (EAS) mobile mailbox policies within the Intune console. This change will roll out to all Intune tenants over December and January. All existing policies will stay as configured; for configuring new policies, use the Exchange Management Shell. Find out more information here.

Intune AV Player, Image Viewer, and PDF Viewer apps are no longer supported on Android

From mid-December 2016 on, users will no longer be able to use the Intune AV Player, Image Viewer, and PDF Viewer apps. These apps have been replaced with the Azure Information Protection app. Find out more about the Azure Information Protection app here.

 2 Dec.

Intune MAM Exchange Online Conditional Access Now In Azure Portal

In a recent blog post New in Intune: More conditional access, App SDK updates, and Android for Work! the Intune team announced additional conditional access capabilities, including the ability to restrict access to Exchange Online to certain clients for MAM only scenarios.

Here is what they posted…

Conditional access is one of the signature experiences from Microsoft Enterprise Mobility + Security, bringing together the power of Intune and Azure Active Directory Premium to allow you to define policies that provide contextual control at the user, location, device and app levels. This rich set of features gives you the control you need to ensure your corporate data is secure, while giving your users the experience they expect in today’s world. We’re excited to announce these new features that further expand our conditional access capabilities to mobile applications and Windows PCs:

  • Conditional access for mobile apps
    This update allows you to restrict access to Exchange Online from only apps that are enabled with Intune’s mobile application protection policies, such as Outlook. If you’ve been looking for a way to block access to Exchange Online from built-in mail clients or other apps, look no further.

I’ve taken some screenshots of the updated portal so you can get an idea of how it works.


First of all you can see above that I’ve highlighted the new tile that appears.


Alternatively, if you customise it and hide the tile, you have the Exchange Online link underneath Conditional Access on the right.


From here we can start seeing what configuration options we’ve got.


First up, Allowed apps has the default setting of all apps.


The dropdown reveals the current MAM only enabled apps that are available to use.



We can add restricted user groups.


We can make exceptions for certain use cases or troubleshooting scenarios.


All up, pretty easy to follow and implement.

 25 Nov.

EMS Partner Training Events Coming Q1 2017

This year’s EMS training courses have all been booked out, but the long waiting lists for Sydney and Melbourne mean that we have some additional dates for next year to share. Make sure you reach out to the Microsoft Australia readiness team via the contact details below to register your interest and secure a seat.

Enterprise Mobility + Security (EMS)


Enterprise Mobility + Security

Type: Technical (L300)

Audience: Partners with existing competencies around devices and deployment, access and identity, management and virtualization, Office 365 and Azure related competencies. Suite Solution architects, pre-sales technical, and deployment roles

Cost: $499

Product: EMS

Duration: 4 Days

Location: Sydney (Mar 6-9), Melbourne (Mar 13-16)

This training consists of instructor-led technical content and hands-on labs covering Hybrid Identity and Access Management (Azure Active Directory Premium), Microsoft Device and Application Management (Intune), Information Protection (Azure Rights Management Service), identifying security threats to the datacentre (Advanced Threat Analytics), and data protection in the cloud (Cloud App Security). For Expression of Interest please email msaupr@microsoft.com

 24 Nov.

Windows 10 Tech Series For Australian Partners

If you are attending the Sydney event make sure you let me know, I can’t make the first two days as I’ll be wrapping up an EMS training event, but I will be there on day 3. 

You are invited to enroll in the Windows Tech Series training course. Building on deployment, management and security features first introduced with Windows 10 at release, this 3-day workshop, which includes hands-on labs, will provide you with the opportunity to explore the different deployment, management and security options and functionality available for your customers. It will also review the opportunity to develop your business as a Microsoft Cloud Solution Provider, either as a new CSP for Windows or to understand how adding Windows to your existing CSP portfolio can provide opportunities to develop your business further.

The Course

While the course provides extensive information from Microsoft trainers, we believe you will benefit most in developing your understanding of Windows 10 through seeing it in action, and working with it hands-on. In this course, you will work your way through the labs, demos, and other content to learn about:

Deployment infrastructure overview
Applications and updates
Managing Windows as a Service
Browsers and Internet Security
Deploying Secure Boot and Device Guard
Base system setup
Managing Client devices
Advanced Client management
Analysis of common threats
Advanced Threat Analytics
Hardening Windows
Windows for SMB
Windows Enterprise Subscription
Deploying through CSP and managing updates

Competency Assessment

Upon completion of the course, you will be given the opportunity to take the Security and Deployment Management assessment for the Windows and Devices competency. This competency provides you with tools, content and resources to help you build and grow your Windows 10 practice and shows customers that you are a trusted expert.

Space is limited. Register today! We look forward to your participation in this interactive event. Please be advised that this workshop requires a commitment from you to attend from start to finish. We understand that your workload does not diminish while attending this workshop. Rest assured that numerous opportunities to stay connected will be provided throughout the day.

When and Where

Cliftons Sydney Office, Level 13, 60 Margaret St, 30th Nov – 2nd Dec 2016

Cliftons Melbourne Office, Level 1, 440 Collins St, 5th – 7th Dec 2016
 23 Nov.

Download The Windows 10 ADK Preview Build 14965

If you are trying to stay a step ahead of the public releases of the Windows ADK, and you haven’t done so already, sign up for the Windows Insider Preview so that you not only get early access to new Windows 10 builds, but you can also grab early releases of the Windows ADK as well.

Windows ADK Insider Preview – Build 14965 is available now, here is the information from the Insider page before you download the ISO.

Install Windows ADK Insider Preview

Download Windows Assessment and Deployment Kit (Windows ADK) Insider Preview to get the new and improved deployment tools used to automate a large-scale deployment. Windows ADK Insider Preview includes:

  • The Windows Assessment Toolkit and the Windows Performance Toolkit to assess the quality and performance of systems or components.
  • Several deployment tools such as WinPE, Windows Imaging and Configuration Designer (Windows ICD), and other tools to customize and deploy Windows 10 images.
 21 Nov.

Use cases for Microsoft Intune Client Software vs MDM

Something that often comes up during conversations about managing Windows PCs with Intune is whether they should be managed as a PC or as a mobile device. As with most conversations, there isn’t usually a clear cut answer. In this post I will highlight some of the scenarios where one option might make more sense than the other. In the next post I will have a table that compares the two options side by side. Please note that these do not cover every single scenario that you might encounter, but instead should get you started in making the right decision.

Scenarios where the client software install makes sense

  1. More complex application setup requirements – if you have setup requirements greater than an MSI file, the Intune client can address this. With support for .exe and .msi setups with additional files and folders included, it offers much more flexibility. You also benefit from the peer distribution capabilities of Intune if you allow that traffic on your network.
  2. Centralised anti-malware management and reporting – if you are planning on using Intune Endpoint Protection as managed through the Intune Portal, MDM doesn’t deploy/manage that.
  3. Better update management and insights – Windows 10 isn’t as heavily impacted here as 8.1, with Windows 8.1 offering finer control over what gets updated. The insight into installed and missing updates isn’t something that MDM provides.
  4. Software inventory – the PC agent provides reporting on all software it detects, as opposed to reporting on just what it manages.
  5. Support for Windows 7 through to Windows 10 – if you want a consistent Intune management experience for all supported versions of Windows, this is your best option. Once the majority of the mobile PC fleet is Windows 10 based, it might be worth reinvestigating if MDM provides the capabilities that you require.

Scenarios where MDM makes sense

These are the flip side to the above points.

  1. You have single file MSI installs, or are willing to repackage
  2. You already have centralised anti-malware management and reporting
  3. You are dealing with a BYOD environment where you don’t care as much about the update status of the PC
  4. You do not want full software inventory, e.g. BYOD
  5. You have moved away from previous editions of Windows

Things aren’t usually this clear cut, but these are part of the conversation you will need to have around these topics. If you need details on getting started with the Intune PC client software, start with the following…




 20 Nov.

Microsoft Intune November 2016 Updates

Another month, another round of feature updates for Intune. This month’s updates include news on enhanced Cordova and Xamarin support for MAM without enrollment. If you need a refresher on what’s currently available for MAM without MDM, take a look at the table here.

Over the last few months we’ve seen new tenants moving from traditional Intune groups over to AAD groups, a huge improvement, but one that also requires some planning for those who have been using Intune since before this change. This has an impact on Android for Work, with new or migrated tenants providing support for the Available option for apps. If you are on a non-migrated tenant, you will have to rely on Required for now.

The last few updates relate to the Windows Phone 8 Company Portal; take a look at the text below from the update page for more information.


New capabilities

An Update on Intune and Android for Work

While you can deploy Android for Work apps with an action of Required, you can only deploy apps as Available if your Intune groups have been migrated to the new Azure AD groups experience.

Intune App SDK for Cordova plugin now supports MAM without enrollment

App developers can now use the Intune App SDK for Cordova plugin to enable MAM functionality without device enrollment in their Cordova-based apps for Android and iOS. The Intune App SDK for Cordova plugin can be found here.

Intune App SDK Xamarin component now supports MAM without enrollment

App developers can now use the Intune App SDK Xamarin component to enable MAM functionality without device enrollment in their Xamarin-based apps for Android and iOS. The Intune App SDK Xamarin component can be found here.


Symantec signing certificate no longer requires signed Windows Phone 8 Company Portal for upload

Uploading the Symantec signing certificate will no longer require a signed Windows Phone 8 Company Portal app. The certificate can be uploaded independently.


Support for the Windows Phone 8 Company Portal

Support for Windows Phone 8 Company Portal will now be deprecated. Support for the Windows Phone 8 and WinRT platforms was deprecated in October 2016. Support for the Windows 8 Company Portal was also deprecated in October 2016.

 11 Nov.

Microsoft Intune October 2016 Updates

As is usually the case, there are a few new features in October, including updates to Conditional Access, Android for Work support, Lookout integration, Android fingerprint reader support and more. One of the things that you do need to be aware of is that newly provisioned tenants leverage the updated grouping and targeting features for the Android for Work features.

What’s new

Conditional access for mobile application management

You will be able to restrict access to Exchange Online so that access can come only from apps that support Intune mobile application management policies such as Outlook. This new feature pairs up perfectly with Intune mobile app management (MAM) policies as you can block access to built-in mail clients or other apps that have not been configured with the Intune MAM policies. This ensures your users are accessing your organization’s data with apps that can be protected using Intune MAM. You can get started in Intune mobile app management via the Azure portal. Look for the new Conditional Access section in the “Settings” blade.

Conditional access for Windows PCs

You can now create conditional access policies through the Intune admin console to block Windows PCs from accessing Exchange Online and SharePoint Online. You can also create conditional access policies to block access to Office desktop and universal applications. 

Android for Work support

Intune is now part of the Android for Work (AfW) program. We will begin rolling out support for AfW features starting this month and continuing over the next few months. Note that available app deployment of AfW leverages the new grouping and targeting experience. Newly provisioned Intune Service accounts will be able to use this feature once AfW is available to them. 

Existing Intune customers can use this feature in production once their tenant has been migrated. Existing customers are welcome to create a trial Intune account to plan for and test this feature until their tenant has been migrated. Any questions on grouping and targeting timelines, please contact our migration team.

Read Microsoft’s announcement about Intune support for Android for Work. 

The following Intune topics are new, or updated with Android for Work information: 

For IT professionals: 

For end users: 

Lookout integration to protect iOS devices

In October, Microsoft is integrating with Lookout’s mobile threat protection solution to protect iOS mobile devices by detecting malware, risky apps, and more, on devices. Lookout’s solution helps you determine the threat level, which is configurable. You can create a compliance policy rule in Intune to determine device compliance based on the risk assessment by Lookout. Using conditional access policies, you can allow or block access to company resources based on the device compliance status. 

End users of noncompliant iOS devices will be prompted to enroll, and will be required to install the Lookout for Work app on their devices, activate the app, and remediate threats reported in the Lookout for Work application to gain access to company data. Learn how to Configure and deploy Lookout for Work apps 

Intune App Wrapping Tool for Android

You can enable your apps to use Intune mobile application management (MAM) policies by using the Intune App Wrapping Tool. Support for Intune MAM policies without requiring device enrollment is now available.

Manage printing from apps managed using MAM policies

You can now prevent printing company data from apps that have MAM policies. This setting is available on the Azure portal and is supported on both iOS and Android devices.

Support for fingerprints on Android devices

Android mobile app management (MAM) policies now allow users to access an app with their fingerprint instead of typing out their PIN. See this and other mobile app management policy settings for Android here.


Android Samsung KNOX compatibility with Intune

Certain models of the Samsung Galaxy Ace phone cannot be managed by Intune as Samsung KNOX devices. When you enroll these devices with Intune, they will instead be managed as standard Android devices.

The model numbers affected are:

    • SM-G313HU
    • SM-G313HY
    • SM-G313M
    • SM-G313MY
    • SM-G313U

  You and your end users need take no further action. For more information, visit the Samsung KNOX website.

Company Portal app for Windows 8 is deprecated; support for Windows Phone 8 and Windows RT platforms are being deprecated

Starting in October 2016, Microsoft Intune will deprecate support for the Windows 8 Company Portal. Microsoft Intune will also deprecate support for the Windows Phone 8 and Windows RT platforms. As a consequence, you will not be able to enroll or update any Windows Phone 8 or Windows RT devices.

You can continue to manage Windows Phone 8, Windows RT and Windows 8 devices that are already enrolled. Update Windows Phone 8 and Windows 8 devices to Windows 8.1 and Windows Phone 8.1, and use the corresponding Windows 8.1 and Windows Phone 8.1 Company Portal apps to continue distributing apps to these devices without disruptions.

Starting in November 2016, we will deprecate support for the Windows Phone 8 Company Portal.

What’s coming

New Microsoft Intune Company Portal available for Windows 10 devices

Microsoft is releasing a new Microsoft Intune Company Portal for Windows 10 devices. This app, which leverages the new Windows 10 Universal format, will provide the user with an updated user experience within the app and identical experiences across all Windows 10 devices, PC and Mobile alike, while still enabling all the same functionality that they are using today.

The new app will also allow users to leverage additional platform features like single sign-on (SSO) and certificate-based authentication on Windows 10 devices. The app will be made available as an upgrade to the existing Windows 8.1 Company Portal and Windows Phone 8.1 Company Portal installs from the Windows Store. For more details, go to aka.ms/intunecp_universalapp.

See also


To submit product feedback, please visit Intune Feedback