Intune – Windows Information Protection without enrollment

This post will show how you can use the Office 365 suite of apps deployed to a Windows 10 Pro 1709 device (with an EMS E3 license assigned), to enroll the device into MAM. This involves deploying a Windows Information Protection policy in Intune using the “without enrollment” setting, which means the device is not enrolled into Intune.

Suggested reading:
Protect your enterprise data using Windows Information Protection (WIP)
Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune

Make sure the MAM groups are configured, in the Intune portal in go to Azure Active Directory > Mobility (MDM and MAM) then Microsoft Intune.


I have an Azure AD group called Intune and an Azure AD group called MAM enrollment. The user I will be using in this demonstration is a member of the MAM enrollment group.

A caution from Microsoft “If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join personal device. Devices are not automatically MDM enrolled.”


Now i’ll create the MAM/Windows Information Protection policy. In Intune > Mobileapps > App protection policies, select Add a policy


Give the policy a name and description, select Windows 10 for the platform, and select without enrollment for the enrollment state. Click on Add apps.


I’ll be adding some apps to allow them to access my corporate data.


After clicking OK on the section above, I will add some more apps such as Outlook and Word. For the publisher, make sure you specify “O=Microsoft Corporation, L=Redmond, S=Washington, C=US”


For now, I will skip the Exempt apps. On the required settings, in this demonstration I will select the Block setting, which will prevent users from moving data from an allowed app into a non-allowed app.


In the advanced settings, I will rename the Cloud resources section to Office 365, and also add OneDrive to the list and Office 365 email. In the example I have added “<domain> for OneDrive, and for Exchange Online. Seperate these by a “|”. So my full list is <domain>|<domain>|


Click on Create, then assign the policy to a group.


Once the policy has been assigned to a group, on a Windows 10 1709 Pro machine, with Office 365 installed, when adding an account to Microsoft Office product such as Word, it will ask you to sign in. This is where you can register the device in Azure AD and enroll the device into MAM.

Click Sign in


Type in the account that is a member of the group that has the MAM enrollment enabled, and also a member of the group which had the WIP policy assigned


Enter in the password and click Sign in


Make sure you say Yes here. This is where it will register the device in Azure AD, and also enroll it into MAM.


From the above steps, in the Azure portal, we can see the device now in Azure AD as Azure AD Registered.


Also on the Windows 10 device you can go to Settings > Accounts > Access work or school, and you should see your Azure AD account there. Select it and click Info. You can see the Management Server Address shows its enrolled into MAM now.


Earlier in the policy I set Microsoft Word to be a protected app to access enterprise data. In this demonstration I will save some corporate data, and click the drop down near File name and select Work.


Now if I try and copy and paste text out of the protected document into a non protected app such as Notepad running in personal context, I get the message “Can’t use content here. Your organization doesn’t allow you to use work content here”. This is because I set the Windows Information Protection Mode to Block in the WIP policy above.


What happens if the device is unenrolled from MAM? The encryption key has been revoked and you will get this message when opening a Work protected document



PXE – RequestMPKeyInformation: Send() failed.

I recently applied a hotfix to my SCCM Current Branch environment. When attempting to PXE boot a machine, the smspxe.log reported:

RequestMPKeyInformation: Send() failed.
PXE::MP_InitializeTransport failed; 0x80004005
PXE::MP_ReportStatus failed; 0x80070490
PXE::CPolicyProvider::InitializePerformanceCounters failed; 0x80070002
PXE::MP_LookupDevice failed; 0x80070490


I first tried unchecking the PXE option on the distribution point to remove Windows Deployment Services and then re-enabling PXE support on the distribution point. This was the same issue.  After troubleshooting more I tried to open up http://fqdn/sms_mp/.sms_aut?mplist in IE and it displayed a 403.4 Forbidden Access error. My management point is not set to use HTTPS.

I checked the IIS logs on my management point and saw consistent 403.4 forbidden access on directories such as SMS_MP and ccm_system. In IIS on those virtual direcories, I checked the SSL Settings and noticed they were set to “Require SSL”. This is strange because my management point is in HTTP.

The fix was to uninstall the management point and then reinstall it. Keep an eye on MPSetup.log in your SCCM site server logs for when the MP has uninstalled and then re-add the role.

PXE started working again without any errors.

SCCM TP 1802 – Cloud Management Gateway Azure Resource Manager and Azure User collection deployments

Microsoft recently released update 1802 for SCCM Current Branch Technical Preview. Two new features that I was excited to test were:

  • Improvements in Cloud Management Gateway – Cloud management gateway support for Azure Resource Manager – When you deploy CMG with Azure Resource Manager, Azure AD is used to authenticate and create the cloud resources and does not require the classic Azure management certificate.
  • Install user-available applications on Azure AD-joined devices – You can now browse and install user-available applications from Software Center on Azure AD-joined devices.

This post will go into testing and configuring the Cloud Management Gateway in SCCM Technical Preview 1802 in Azure Resource Manager, creating a Cloud Distribution Point, installing the SCCM client on a machine enrolled into Intune to let SCCM manage the machine, and then finally deploying an application to a user collection containing Azure AD users.

In my lab, I currently have the following certificates:

  • Management certificate uploaded to the Azure portal and exported to PFX. Instructions Here
  • Management Point certificate for IIS, so the management point can be in HTTPS to authenticate Azure AD Clients. Instructions Here.
  • Certificate for my Cloud DP which was created by Digicert.
  • Certificate for my CMG which was created by Digicert
  • Trusted Root certificate exported from a client used for the CMG setup. Instructions Here.

Azure AD User Discovery:

First I have created the Cloud Management service in \Administration\Overview\Cloud Services\Azure Services. This will set up Azure AD User Discovery and allow clients to authenticate using Azure AD.

Right click Azure Services and select Configure Azure Services. Select Cloud Management.


Select Browse next to Web App and click on Create to create the web app in Azure.


Give everything a name, then sign into Azure AD and click on OK.


Follow the same steps for the Native Client app. Once created, click OK.


You can configure the polling schedule by clicking on Settings. Next Next finish…


Now we need to grant the permissions in the apps we created in the Azure portal. Login to Then click on Azure Active Directory, then App Registrations. Click the drop down to All Apps so you can see the apps that were created


Now select the app, click on Settings, then Required permissions, then click on Grant Permissions. Do this for both apps.


Once the permissions have updated, you shouldn’t see any access denied errors in SMS_AZUREAD_DISCOVERY_AGENT.log on your site server.

Cloud Management Gateway:

Now we will create the Cloud Management Gateway. In the SCCM console go to \Administration\Overview\Cloud Services\Cloud Management Gateway and right click Cloud Management Gateway and click Create Cloud Management Gateway.

Make sure Azure Resource Manager deployment is selected. Login with your Azure account and click Next.


I have created a new resource group. Select your certificate file. I am using a certificate from Digicert. If you need to create a certificate see Here

Because I am using a certificate from Digicert, I have also created a CNAME in my external DNS to point my <cmgname> to <cmgname>

Click on Certificates and add your Trusted Root certificate. I have cleared Verify Client Certificate Revocation. For details on how to get this certificate, see Here. Complete the rest of the wizard.



Now I will add the Cloud management gateway connection point role on my site server from \Administration\Overview\Site Configuration\Servers and Site System Roles. Complete this wizard and make sure it connects to the newly created CMG.


To authenticate the Azure AD clients, the Management Point must be in HTTPS and allow configuration manager cloud management gateway traffic. Make sure you have changed the bindings in IIS so the HTTPS uses the correct certificate. Details for that are Here


Make sure clients can communicate with the Cloud distribution point and the Cloud management gateway in your client settings. You can do this by editing the client settings in the console here – \Administration\Overview\Client Settings


Cloud Distribution Point:

First, login to the Azure portal then go to Subscriptions. Take a note of your subscription ID as you will need it later, then click on your subscription. Click on Management Certificates under Settings, then Upload your management Certificate. Tip – you can create a management certificate using these steps Here.

In Administration\Cloud Services\Cloud Distribution Points, right click and Create Cloud Distribution Point.

Type in your Azure subscription ID and then browse to select the Management certificate.  Click Next.


I am using a certicate from Digicert, I have created a CNAME in my external DNS that points the <clouddpname> to <clouddpservicename> If you need to create a certificate from your CA, then see the steps Here.

Click on Next then finish the wizard.


Install the SCCM client from Intune:

In this section we will upload the ccmsetup.msi to Intune located on our SCCM site server in C:\Program Files\Microsoft Configuration Manager\bin\i386

In the Azure portal ( go to Intune then Mobile Apps, then Add App. Select Line-of-business-app and browse to the ccmsetup.msi and click on Next.


Fill in the required details including the command line arguments.

Note: An easy way to generate the command line arguments for the SCCM client is to configure the first few screens of the co-management wizard in the SCCM console in \Administration\Overview\Cloud Services\Co-management. You will then be presented with a box with the command line arguments that you can copy and paste. See the screenshot below.


Once ccmsetup.msi has been uploaded. assign it to a group. I have a group with my Azure AD joined and Intune enrolled Windows 10 1709 machine.


On my Azure AD Joined and Intune enrolled Windows 10 1709 machine, after syncing with Intune, you can see that the client is now installing and grabbing the rest of the source files from the Cloud Distribution point I created earlier.


The client is now communicating through the Cloud Management Gateway and can now be seen in the SCCM devices.


I have created a User Collection containing my Azure AD Users that have been discovered. I will now create an application, and then deploy it to my Azure AD User collection.


I will deploy the application to my Cloud Distribution Point.


On my client you can see it downloaded the application from the Cloud Distribution Point and it is now seen as Installed in Software Center.



PXE – Not Serviced no advertisements found

When at a new client site (SCCM Current Branch 1706) and trying to PXE boot a machine by importing the client MAC address into a collection where the task sequence is deployed, the smspxe.log was showing:

,  : Not Serviced
,  : device is in the database
,  : no advertisements found

The device was in the database because I imported it as I am not using Unknown Computer support. There was an advertisement targeted to the MAC address as I deployed my task sequence to the collection which the client was a member of.

The actual issue was that the Boot Image was not distributed to the PXE server as it was a new boot image. Once the boot image was distributed the client could PXE boot without issues.

If you run into this issue, check in the console in Monitoring\Distribution Status\Content Status and make sure the Boot Image is on the PXE enabled DP’s that you are using.

Intune – Windows 10 Interactive Logon Message

This blog post will show how you can set a logon message for a Windows 10 1709 Pro or Enterprise machine enrolled into Intune. To do this, I will create a custom Device Configuration profile in Intune and use the “InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” policy CSP to set a message title, and “InteractiveLogon_MessageTextForUsersAttemptingToLogOn” policy CSP to set the message text. To read more about using custom OMA-URI see Custom device settings for Windows 10 devices in Microsoft Intune

You can read more about the interactive logon message here – Interactive logon: Message text for users attempting to log on
For more information about the Policy CSP that we will use:

Login to the Intune portal in Azure

For the message title, go to Intune, then Device configuration, then Profiles, Create Profile, give the profile a name, select Windows 10 and later for the Platform, and select Custom for the Profile type. Then click Configure.


Click on Add, then give it a name, I have chosen Interactive Message Title, and then for the OMA-URI put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn” and then select String for the Data type. For the value, I have put “WARNING:”


Click on OK a few times then click on Create. Next we will assign the Configuration profile to a group.


Now we will create another Device configuration profile for the message text.

For the OMA-URI, put in “./Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn” and the Data type is String again, and type in your message text.



Also assign this policy to a group.


Once the machine has done a sync and has been restarted, you can see the interactive logon message.


On the Windows 10 1709 machine, you can also open up gpedit.msc and under Computer Configuration, Windows Settings, Security Settings,  Local Policies,  Security Options,  we can see the settings.



Intune – Windows Defender Security Center device configuration section

In the week of December 11, 2017, Microsoft added a new Windows Defender Security Center device confiugration profile section to Intune. This allows you to hide sections from the user:

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protections
  • App and browser control
  • Family options

You can also add your IT contact information to the Windows Defender app and customize notifications. This post will show how to configure it and the end user experience.

In the Intune portal ( go to Intune > Device configuration > Profiles > Create Profile. Give the profile a name, and select Windows 10 and later for Platform. Then for the Profile type, select Endpoint protection. Down the bottom you will see Windows Defender Security Center.


Now here you can configure which sections to hide, customize the notifications and add your IT contact information. In my example, I have decided to hide everything and have added some dummy contact information.


Once you have created the profile, I have selected All Devices under Assign to to assign this configuration profile to all my devices.


This is how my Windows Defender Security Center previously looked on my Windows 10 1709 Enterprise machine.


After doing a sync, you can see it says has disabled Windows Defender Security Center. I have also added my dummy contact information.


Customize Software Center – SCCM 1710

Since Microsoft released SCCM Current Branch 1710, you can now add enterprise branding elements and choose to hide certain tabs in Software Center. This example will show how you can customize Software Center by deploying new custom client settings, and the user experience in a Windows 10 machine.

In the Administration section of the SCCM console, select Client Settings. You can choose to use the Default Client Settings, but I would recommend creating some new custom client settings for any tests, as the Default Client Settings apply to all machines.


Give the custom client settings a name, and select Software Center. Once you check the Software Center box, you will see the settings now appear on the top left.


I have selected Yes next to the arrow, given my company name, and also selected a custom colour scheme, and uploaded a company logo. Note that the maximum dimensions are 100×400 for the logo, and it cannot be larger than 750kb in size. Here you can also choose to hide any tabs you wish.


I will now deploy the custom settings to a collection, and then initiate a machine policy evaluation on my test client. After a few minutes, open Software Center and you will notice the new changes.



This is what my new Software Center looks like. I have not chosen to hide any tabs, but I have selected the custom image on the top left, given the company name ( and chosen the custom blue colour.