Intune – Policy Sets

The ability to create Policy Sets came out in Intune in October 2019. This nice new feature allows you to group together different policies and applications and assign them to an Azure AD group. This post will show an example of creating a Policy Set for Windows 10 with a few policies and an app, and deploying it to an Azure AD group.

Suggested reading:

Policy Sets
Policy sets known issues

You can include the following management objects in a policy set:

  • Apps
  • App configuration policies
  • App protection policies
  • Device configuration profiles
  • Device compliance policies
  • Device type restrictions
  • Windows autopilot deployment profiles
  • Enrollment status page

At the time of writing this, you can see the Policy Sets in Intune in portal.azure.com but not in the M365 portal.

Click Create to create a policy set.

In my example, I am creating one for Windows 10.

If you look at the Known Issues link above, only these apps are supported for Policy Sets today:

  • iOS store app
  • iOS line-of-business app
  • Managed iOS line-of-business app
  • Android store app
  • Android line-of-business app
  • Managed Android line-of-business app
  • Office 365 ProPlus Suite (Windows 10)
  • Web link
  • Built-in iOS app
  • Built-in Android app

I have selected Office 365 then clicked Next.

I have selected some of my Device configuration profiles that I want to be applied:

I have assigned this to a group.

Once finished, click Review + create.

The device will apply the configurations from the Policy Set even if the individual apps and policies are not assigned to the group.

Policy Sets are still in preview at the moment and Microsoft will continue to improve them.

Windows 10 Pro 1809 Autopilot – The parameter is incorrect

I recently ran into an issue where I was using Windows 10 Pro 1809 media and, before the “Account setup” step in the enrollment status page in Autopilot, I kept seeing the error “The parameter is incorrect”.

This error only occurred for me in Windows 10 Pro 1809, and not in Windows 10 Pro 1903.

In the Event Logs in Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics > Admin I saw:

MDM Session: Failed to get AAD Token for sync session User Token: (The parameter is incorrect.) Device Token: (Incorrect function.).

Long story short, I kept removing Device Configuration profiles I had assigned to the device, and the policy causing the issue was to upgrade Pro to Enterprise using an MAK key using the “Edition upgrade” policy.

To get rid of this error when using Autopilot for Windows 10 Pro 1809 with a policy to upgrade to Enterprise, either use subscription-based licensing assigned to the user, or use Windows 10 Pro 1903.

The policy above caused a reboot on Windows 10 Pro 1809.

https://docs.microsoft.com/en-us/intune/windows-enrollment-status

A reboot during Device setup will force the user to enter their credentials before transitioning to Account setup phase. User credentials aren’t preserved during reboot. Have the user enter their credentials then the Enrollment Status Page can continue.

Sync SCCM CB 1906 Collection membership to Azure AD groups

In the recently released 1906 version for SCCM Current Branch, you can now synchronize collection memberships to an Azure AD Group. This is really useful to take advantage of SCCM’s powerful collection membership queries that we can’t do today in Azure.

For more info, see https://docs.microsoft.com/en-us/sccm/core/clients/manage/collections/create-collections#bkmk_aadcollsync

In this post I have tested it out in my lab with:

  • Hybrid Azure AD join set up using Azure AD Connect syncing my computers to Azure AD. The devices in my collection have synchronized to Azure AD.
  • Azure AD Tenant added to Azure Services in SCCM and Azure AD User Discovery enabled
  • An existing group already created in Azure AD. I will use this to sync the collection members to

This is a pre-release feature of SCCM Current Branch 1906, so it needs to be turned on.

Once the feature has been turned on, you need to go to your Azure AD tenant in Azure Services, and Enable Azure Active Directory Group Sync.

In my test collection, I have some devices that are co-managed and already exist in Azure AD. If you go to the properties of the collection, you will see a tab AAD Group Sync. Click on Add.

Click on Search, log in to your Azure tenant when prompted, and then select the existing group in Azure AD.

Click on Apply.

The Azure AD synchronization happens every five minutes. It’s a one-way process, from SCCM to Azure AD.

Otherwise, you can manually synchronize the collection to Azure AD by right-clicking on the collection and selecting Synchronize Membership (this is greyed out on collections that don’t have AAD Group Sync enabled).

If I check the group in Azure AD, I can now see my collection members.

Intune – Configure OneDrive Known Folder Move

Intune recently released the setting in the Administrative Templates to redirect known folders to OneDrive for Business.

This post will show how you can quickly configure it, and the user experience.

Log in to the Intune portal https://devicemanagement.microsoft.com and create a new Device Configuration profile. Select Windows 10 and later for the platform, and Administrative Templates for the profile type.

Tip: there are many settings here. Use the search feature to make it easier.

Set “Silently move Windows known folders to OneDrive” by selecting Enabled and entering your Tenant ID. See below for how to get the Tenant ID.

To get your Tenant ID, go to Azure Active Directory, then Properties. Copy the Directory ID.

Configure the other settings, such as “Silently sign in users to the OneDrive sync client with their Windows credentials”.

Once you’re finished, don’t forget to assign the profile to your devices.

Here is an example of my Autopilot device applying the profile, and then the files appear on the desktop after OneDrive for Business has been configured.
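
To confirm on a device that the two settings above actually landed, and that the tenant ID matches the one you intended, you can read the OneDrive policy values from the registry. This is an added example, not part of the original post; it assumes the settings arrive as the documented OneDrive policy values `KFMSilentOptIn` and `SilentAccountConfig` under `HKLM:\SOFTWARE\Policies\Microsoft\OneDrive`, the function name is hypothetical, and the tenant ID shown is a placeholder.

```powershell
# Added example, not from the original post.
# Checks that the OneDrive Known Folder Move policy is present on this device
# and that it points at the tenant you expect.
function Test-OneDriveKfmPolicy {
    param(
        [Parameter(Mandatory)][string]$ExpectedTenantId,
        # Assumption: documented location of OneDrive machine policy values.
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    )

    # Returns $null if the policy key has not been created yet.
    $values = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PolicyKeyPresent    = [bool]$values
        # "Silently move Windows known folders to OneDrive" stores the tenant ID.
        KfmTenantId         = $values.KFMSilentOptIn
        KfmTenantMatches    = ($values.KFMSilentOptIn -eq $ExpectedTenantId)
        # "Silently sign in users to the OneDrive sync client ..." stores 1.
        SilentSignInEnabled = ($values.SilentAccountConfig -eq 1)
    }
}

# Placeholder tenant ID: replace with the Directory ID copied from
# Azure Active Directory > Properties.
Test-OneDriveKfmPolicy -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
```

A `KfmTenantMatches` value of False on a device that has received the profile usually means the wrong Directory ID was pasted into the setting, in which case known folders will not be redirected to your tenant.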

CMG – Post to http://<CMG>.COM/CCM_Proxy_MutualAuth/<ID>/ccm_system/request failed with 0x87d00231.

Following up on a similar post I did here about requiring Azure AD User Discovery and Active Directory user discovery so Windows 10 machines can communicate over the CMG using Hybrid Azure Active Directory – https://nhogarth.net/2018/10/26/sccm-1806-cmg-hybrid-azure-ad-failed-to-get-ccm-access-token/

You may run into an issue where a specific Windows 10 client cannot communicate with the CMG. In ccmmessaging.log you will see “Post to http://<CMG>.COM/CCM_Proxy_MutualAuth/<ID>/ccm_system/request failed with 0x87d00231.”

You can run through the CMG Connection Analyzer to confirm that everything is working fine.

Then you realise it is something on the Windows 10 device end.

If you run “dsregcmd /status” and see that AzureAdJoined is set to No, then you know that the device is not Hybrid Azure AD joined, thus it cannot communicate with the SCCM CMG.

This particular machine was put in an OU that was not synced to Azure AD using Azure AD Connect. After moving it into the correct OU and doing another Azure AD Connect sync (Start-ADSyncSyncCycle -PolicyType Delta), the device can then communicate over the CMG fine.
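
The `dsregcmd /status` check above can be scripted so that a client that is domain joined but not registered in Azure AD stands out immediately. This is an added example, not part of the original post; the function name and the sample output (modelled on the failing client described here) are constructed for illustration.

```powershell
# Added example, not from the original post. Classifies a device's join state
# from `dsregcmd /status` text so non-hybrid clients can be spotted quickly.
function Get-JoinState {
    param([string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs; collect the simple ones.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'

    if ($aad -and $domain) { $joinType = 'Hybrid Azure AD joined' }
    elseif ($aad)          { $joinType = 'Azure AD joined' }
    elseif ($domain)       { $joinType = 'Domain joined only' }
    else                   { $joinType = 'Not joined' }

    [pscustomobject]@{
        JoinType      = $joinType
        AzureAdJoined = $aad
        DomainJoined  = $domain
        # The CMG scenario in this post relies on the device being hybrid joined.
        HybridJoined  = ($aad -and $domain)
    }
}

# Constructed sample modelled on the failing client described in the post.
$sample = @(
    '+----------------------------------------------------------------------+'
    '| Device State                                                         |'
    '+----------------------------------------------------------------------+'
    ''
    '        AzureAdJoined : NO'
    '     EnterpriseJoined : NO'
    '         DomainJoined : YES'
    '           DomainName : CONTOSO'
)
Get-JoinState -StatusLines $sample

# On a real client, feed it the live output instead:
# Get-JoinState -StatusLines (dsregcmd /status)
```

For the sample, `JoinType` is "Domain joined only" and `HybridJoined` is False, which is the state to look for before checking whether the computer's OU is in the Azure AD Connect sync scope.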

Conditional access – Require app protection policy

Microsoft recently added “Require app protection policy (Preview)” to conditional access. App Protection Policies in Intune are a great way to secure the apps on either a managed device or an unmanaged device.

Suggested Reading – https://docs.microsoft.com/en-us/intune/app-protection-policy

This blog post shows how to create an example Conditional Access policy that uses the “Require an app protection policy (Preview)” control and targets Exchange Online, and the user experience for a device that does not have any App Protection Policies assigned.

In devicemanagement.microsoft.com go to Conditional Access, and create the new policy.

Give the policy a name. I am only testing this policy, so I have targeted just one user.

I will be testing this policy only for Exchange Online.

I will only be using iOS and Android for this policy.

I have configured the conditions for all apps.

I have selected the control to require app protection policy.

The policy has now been created and enabled.
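
The same policy can be expressed as a Microsoft Graph request body, which makes the scope easy to review and keep in source control. This is an added example, not part of the original post, which used the portal; it assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) is installed, the display name and test user object ID are placeholders, and the Exchange Online application ID is the well-known Office 365 Exchange Online ID rather than a value from this page.

```powershell
# Added example, not from the original post.
# Creates the Conditional Access policy from the walkthrough through Microsoft Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of the single test user the policy targets.
$testUserId = '<object-id-of-test-user>'

$policy = @{
    displayName = 'Require app protection policy - Exchange Online (test)'
    # 'enabled' mirrors the post; 'enabledForReportingButNotEnforced' is the
    # report-only state if you want to observe the effect before enforcing.
    state       = 'enabled'
    conditions  = @{
        users          = @{ includeUsers = @($testUserId) }
        # Office 365 Exchange Online (well-known application ID).
        applications   = @{ includeApplications = @('00000002-0000-0ff1-ce00-000000000000') }
        # iOS and Android only, as in the walkthrough.
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # 'compliantApplication' is the Graph name for
        # "Require app protection policy".
        builtInControls = @('compliantApplication')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the scope and control are what was intended.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Users';    e = { $_.Conditions.Users.IncludeUsers -join ',' } },
        @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```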

Below is the user experience when trying to add an email account targeted by the CA policy to the native mail app on an iOS device. You can see that it is blocked (similar to what happens if you require an approved client app in the CA policy).

Now if I try to set up the account in Outlook, I get the error saying that no application protection policies have been assigned.

Intune – BitLocker Encryption report (Preview)

In the What's new page for Intune (https://docs.microsoft.com/en-us/intune/whats-new), you can see that Microsoft recently added some BitLocker encryption reports in Preview.

For more information: https://docs.microsoft.com/en-us/intune/encryption-monitor

To access the BitLocker reports, go to the Intune portal (portal.azure.com or devicemanagement.microsoft.com) and go to Device Configuration > Encryption report (preview).

An example of the BitLocker report is below:

You can also use the Filter button to filter the encryption readiness by Ready/Not ready and Encryption status by Encrypted/Not encrypted.

The example below shows the devices that are not encrypted:
