Category Archives: Intune Hybrid

Intune Hyrbid – Setting Edge homepage on Windows 10 machine using configuration baseline

This post will show how to set the Edge browser homepage on a Windows 10 machine enrolled in an Intune Hybrid environment with ConfigMgr 1610. I will create a configuration item, add it to a baseline, and then deploy the baseline to my Intune user collection. For a guide on setting up hyrbrid MDM with ConfigMgr, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

In the ConfigMgr console, right click Configuration Items and select Create Configuration Item


Give the configuration item a name, and select Windows 8.1 and Windows 10 under Settings for devices managed without the Configuration Manager client and click Next.


In the Supported Platforms section, select Windows 10 as the supported platform and click Next.

On the Device Settings section, select Configure additional settings that are not in the default settings groups and select Next.


In the Additional Settings section, click on Add.

In the Available Settings search bar, search for “home” then select Homepages and click Select.


I have given the name a rule and given the Homepages value of “” – you can make this any site you like then click OK.


Now click Select to select the setting you created.

On the Additional Settings page, click Next.


Click on Close to close the Completion screen.

Now we will create the Configuration Baseline and add the Configuration Item we created.


Give the baseline a name, and then click on Add, then Configuration Items.


Select the Available configuration item, then click on Add then click on OK.

Once the Configuration Item is added to the baseline, click on OK.

Now we will Deploy the baseline to our Intune user group. Right click on the baseline and click on Deploy.


With the selected configuration baseline (top right), select the Remediate non compliant rules when supported, and select your Intune user collection.


Now on our enrolled Windows 10 machine, we can check the compliance in the Company Portal to speed things up.


Now we can see that it has set our Edge browser to use the specified homepage from our Configuration Item.


Intune Hybrid – Deploy Office 365 click-to-run and enroll Windows 10 computer

This post will cover how to deploy Office 365 click-to-run to an enrolled Windows 10 machine using a Hybrid ConfigMgr 1610 environment with an Intune subscription. I will generate the .msi for Office 365 ProPlus and deploy it using ConfigMgr, enroll a Windows 10 machine, then install Office 365 ProPlus from the Comapany Portal using Click-to-Run.

My hybrid environment is already set up, and PC enrollment is already enabled. For this see

First to create the Office 365 click-to-run msi which we will deploy from ConfigMgr to our Intune user group, download and install “Microsoft Office ProPlus Install Toolkit” from


Install it and open it up. I have configured the options to what suits my environment. Have a good look through the options and customize it to your needs.




You can choose to exclude certain products if you like.



I have enabled updates.


I have set the Display Level to none, and accepted the EULA.


Make sure the install type is MSI and select the file path to output the msi.


Once you click Generate, you will be left with a 2mb msi which we will deploy through ConfigMgr to our Intune user group.



Now we will create the application in the ConfigMgr console


Make sure to specify the type as Windows Installer through MDM (*.msi) and also specify the UNC path to the earlier generated msi.


Click Yes.


Click Next.


Specify the information you would like here such as Name.


I have left all other options as default and clicked Next.


Now we will go to the properties of the application we created and choose to use a logo to display in the Company Portal.


Click on the Application Catalog tab and browse and select an icon you would like to use. I searched the web for an icon for Office 365 and made sure its 250×250 in size or smaller.


Now we will deploy the application to our Intune user group.



Make sure to distribute the msi to the Intune distribution point. Select Add then Distribution Point, then select the distribution point.



Click Next


I am deploying this Appliction as Available so the user can install it from the Company Portal.



Now I will enroll my Windows 10 Pro 1607 machine. The prerequisites are here

Click on Start, then Settings.


Select Accounts


Click on Access work or school then click on Connect.


Enter in your details for an account with an Intune license.





Now the device is enrolled. If we take a look in the ConfigMgr console, we can see the Windows 10 machine is enrolled as a mobile device.


I have installed the Company Portal application from the Windows Store. Once opened, I can see the Microsoft Office 365 ProPlus. Click on it, then click on Install.


If you load up task manager, you can see the set up files running.


After a while you can see the programs in the program list on the Windows 10 machine.


Intune Hybrid – Deploy msi to enrolled Windows 10 machine with ConfigMgr

This post will show how to deploy an MSI application to a Windows 10 machine enrolled as a mobile device in a ConfigMgr Current Branch 1610 environment with an Intune subscription. The Windows 10 machine has already been enrolled and has the Company Portal installed. For details on how to configure hybrid MDM and how to enroll devices, see Setup hybrid mobile device management (MDM) with System Center Configuration Manager and Microsoft Intune

Right click Applications, select Create Application.


Make sure to specify the type as Windows Installer through MDM (*.msi) and specify the location of the .msi file. In my example I am using the 32bit 7zip msi.


I have clicked Yes.



I have changed the name and left it as all default information.




Now I will deploy the application as an available application for the user to download and install from the Company Portal. Right click on the application and click Deploy.


I have selected a user collection and clicked Next.


Click on Add then select distribution point, then I will distribute the package to the cloud based intune DP.


I am deploying this as Available in this example and have left all other options as default and clicked Next on each screen.


Now the application is deployed.


In the content status section of the ConfigMgr console, I have made sure that the application has been successfully distributed to the Intune distribution point.


Now on my enrolled Windows 10 (1607) machine I have opened up Company Portal and can see the 7zip application available.


I have clicked on the application and then clicked on Install.


Now 7zip has installed successfully.


Intune Hybrid – Creating compliance setting for iOS device in the ConfigMgr console

In this post, I will be using hybrid Intune with ConfigMgr to create a compliance policy to control the security settings on iOS device, in particular, iPhones. It will also show the user experience on the iPhone. First I will create the Configuration Item for iOS, then I will add the Configuration Item to a Baseline, and then deploy the Baseline to a collection where my Intune enrolled users are located.

I am using ConfigMgr Current Branch 1610 with an Intune subscription and have an iPhone 6 enrolled.

Right click on Configuration Items and select Create Configuration Item


Give the configuration item a name first, then under Settings for devices without the Configuration Manager client, select iOS and Mac OS X


I am only using this for iPhones so I have selected iPhone as the platform.


A list of groups for the device settings are displayed. In this example I have only selected Password. You can select the other groups to view which settings you can control.


In this example, I have selected the Minimum password length (characters) to be 6. Currently the iPhone has a passcode of 4 characters. I have selected the Number of failed logon attempts before device is wiped to 4. I have also selected Password complexity to be Strong and Number of complex Characters required in password to be 2.



Now that the configuration item has been created, it needs to be added to a Baseline.Right click on Configuration Baselines and select Create Configuration Baseline.


Give the baseline a name and click on Add, then Configuration Items.


Select the Configuration Item that was created before and click Add.


Now I will deploy the Baseline. Right click the Baseline and select Deploy.


The configuration baseline is already selected. I have selected Remediate noncompliant rules when supported. I have also selected a user collection I would like to deploy the baseline to.


This iPhone had a 4 digit passcode originally. The configuration item I configured said the iPhone needs a 6 character passcode length. Because the iPhone is not compliant, a Passcode Requirement prompt is on the iPhone giving the user 60 minutes to configure the new passcode. Once the user presses continue, the user is forced to set a 6 character passcode with 2 special characters.


Intune Hybrid with ConfigMgr – Deploying required app to iOS from App Store

This post will show how to deploy a required application to an iPhone (or iOS device) from the App Store (Microsoft Excel) and also create a Mobile Application Management (MAM) Policy as Microsoft Excel requires it. My environment below is ConfigMgr Current Branch 1610 with an Intune subscription.

In the ConfigMgr console, go into Software Library, right click Applications and select Create Application


Select the type App Package for iOS from App Store. Paste the link of the app from the App Store. In this example, I have pasted the link for Microsoft Excel. You can browse the other apps from and get the link  and paste it in. Click Next.



You can add the required information here and click Next.


Click Next



Now we will create our MAM (mobile application management) policy for Microsoft Excel, as it is required before we deploy the application. Right click on Application Management Policies and select Create Application Management Policies.


Select the platform as iOS.


I have left the options as default.



Now we can deploy our Microsoft Excel application we created before. Select the Application, right click and select Deploy.


I will be deploying it to my Intune Users collection


In my example, I am deploying it as Required. Alternatively you can deploy it as Available and then download it from the Company Portal app.


All other options have been left as default. Now on the Application Management section I have selected the MAM policy I created before. If you didn’t create this MAM policy then you will not be able to proceed (For Microsoft Excel anyway)


Now I am going to initiate a Send Sync Request to my iPhone.


Once the iPhone receives the policy, because it was a required application I deployed, the iPhone is presented with this screen. Microsoft Excel will begin to install.


Intune Hybrid MDM – Remote Wipe iPhone

This post will show how you can use ConfigMgr (I am using ConfigMgr Current Branch 1610) with an Intune subscription (hybrid MDM) to completely wipe an iPhone if it has been lost or stolen. When doing a full wipe, it will restore the iPhone to its factory settings (removing all company and user data).

In the ConfigMgr console, select the device and right click and select Remote Device Actions, then select Retire/Wipe


The warning below will be displayed where you can either do a selective wipe, or a full wipe. In my example, I will be doing a full wipe.


Another warning is displayed


I will send a sync request from the console to save time (new feature in ConfigMgr Current Brach 1610)


Once the iPhone has received the sync request, you can see it is now doing a full factory restore, removing all company and user data.

iphonewipe5   iphonewipe6



Intune Hybrid MDM – Reset iPhone Passcode from ConfigMgr console

When an iPhone is enrolled with Intune (or other devices such as iOS/Android/Windows Phone 8 and Windows Phone 8.1) using Hybrid MDM, ConfigMgr provides the ability to be able to reset the passcode. This is very helpful if a user has forgotten their passcode.

This post will show how to clear the iPhone passcode using ConfigMgr Current Branch 1610 with an Intune subscription. When clearing the passcode on an iOS device, the passcode is actually cleared. A temporary passcode is not created.

Select the iPhone in the ConfigMgr console and right click, select Remote Device Actions, then select Reset Passcode.


The following warning will be displayed


One of the nice new features in ConfigMgr Current Branch 1610 in a hybrid deployment is the ability to request a policy sync for a device enrolled with Intune rather than having to do it from the Company Portal. 

Right click on the device, select Remote Device Actions, then select Send Sync Request


You see that the Passcode Reset state is set to Pending.


Once the passcode has been reset, you can see that the reset state is Succeeded.


From the iPhone now, previously if there was a passcode set, the passcode is now removed. On my device, I would usually need the passcode to unlock the device. Now I can unlock the device without a passcode and set a new passcode.


Intune Conditional Access with Exchange Online for Windows PC’s – User Experience

This post will show the end user experience for when Conditional Access is configured to prevent non-domain joined Windows 7 and Windows 10 PC’s from accessing Exchange Online either from the Outlook client, or OWA web mail.If you would like more information on how to configure Conditional Access and for different scenario’s, see Use conditional access with Intune and Configuration Manager

In a ConfigMgr Current Branch 1610 Intune Hybrid environment, I have configured the Conditional Access in the ConfigMgr console which will then open up the Intune admin console


I have enabled conditional access policy.


Now on a non-domain joined Windows 7 machine when trying to access OWA, the user is presented with the “You can’t get there from here” screen below


And on the same Windows 7 machine, if a user tries to configure their Exchange Online account in Outlook application, they will get the same “You can’t get there from here” screen


This looks the same on Windows 10


The same screen when accessing OWA on a Windows 10 machine


What happens if a machine had Outlook configured and working before the Conditional Access policies were put in place? In my testing, when opening the Outlook app, the same screen was displayed when it tried to connect to Exchange Online


Adding Intune subscription to ConfigMgr for Hyrbid MDM

This post will show you how to add an Intune subscription to ConfigMgr  for Hybrid MDM and enable enrollment for iOS devices.

To see the benefits of using Intune with ConfigMgr rather than standalone, Microsoft has a good post Choose between Microsoft Intune standalone and hybrid mobile device management with System Center Configuration Manager

My current on-prem environment looks like this:

  • ConfigMgr Current Branch version 1606.
  • User collection created with users whose devices can be enrolled
  • Custom domain add and verified in Office 365 admin portal
  • Azure AD Connect set up to synchronize my user accounts to Azure AD. Steps to set this up are here
  • Intune subscription (You can get a 30 day trial subscription here)

First step to add the Intune subscription is to go into Cloud Services then right click Microsoft Intune Subscriptions and select Add Microsoft Intune Subscription


Have a read of the Getting Started and click Next.


Sign in with your Intune account


Have a read and if you agree, click the checkbox. Note that you can’t change this back unless you contact Microsoft Support.


Enter in your Intune username and password


Once you’re signed in, click on Next


Select the user collection with users whose devices can be enrolled. You can configure your company name and any other settings you like and click Next


Fill in any other information you would like and click Next


Specify a company logo if you like and click Next.


Select the user that you would like to be the Device Enrollment Manager. You can see more info here


If you would like to use MFA, select the enable checkbox and Next.


Confirm your settings and click Next.


Once its finished click Close. You can view the Cloudusersync.log to make sure the role was set up successfully and look out for any errors.


Next we will create an APN. The Apple Push Notification service (APNs) certificate is used to establish a trust relationship between the management service, Intune, and enrolled iOS mobile devices




Next we will login to the APN certificate portal with an Apple ID. The link is here


Click on Create Certificate


Click Accept if you accept the terms and conditions.


Upload the certificate you created earlier.


Now Download the certificate


Now we will configure the iOS platform.


Click Enable and browse to the certificate you downloaded before and click Ok.


ConfigMgr Intune enrolled device – send sync request

One of the new features of the recently released 1610 update for ConfigMgr current branch is the ability for an admin to initiate a policy sync from the ConfigMgr console for an Intune enrolled device. Previously this had to be done from the Company Portal on the device.

This can be done by right clicking on the device, in my example an enrolled iPhone, clicking on Remote Device Actions, then Send Sync Request.