Conditional access – third party apps

This post will show how you can add a third-party app that supports SAML to Azure AD, and then create a conditional access policy so that only compliant devices can access the third-party cloud resource.

In my example I have signed up for a GoToMeeting trial. I will add GoToMeeting app to Azure AD and configure the single sign-on options to use SAML, and then on the GoToMeeting side I will configure Azure AD to be the Identity Provider. Once this is set up, I will create a Conditional Access policy that will require devices to be compliant in order for them to access GoToMeeting. When logging in with a work account to GoToMeeting, GoToMeeting will then redirect me to sign in through Azure AD, and then the conditional access policy will kick in.

Always test conditional access with test users, and plan thoroughly for any changes in a Production environment. The information below is for testing purposes.

Recommended reading:

Single Sign-On SAML protocol

Single sign-on to applications in Azure Active Directory

Tutorial: Azure Active Directory integration with GoToMeeting

What is conditional access in Azure Active Directory?

Tutorial: Configure GoToMeeting for automatic user provisioning

In Azure Active Directory, go to Enterprise applications then click on New application.


Search for the application. Note that it says it supports SAML-based sign-on for the Single Sign-On Mode. Click on Add.


Once the application has been added, I will give access to my test users by clicking on Users and groups, and then Add user.


Now I will configure SAML for the single sign-on mode. Click on Single-Sign-On on the left hand side, then select SAML.


In the Identifier (Entity ID) I have put in and Reply URL (Assertion Consumer Service URL) and Relay State


Now I am going to download the Federation Metadata XML and upload it to the GoToMeeting site.


When logged in with my admin account, in the Identity provider section I have selected to Upload SAML metadata file. This will contain all the Azure AD information and then configure Azure AD as the identity provider.
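Before handing the Federation Metadata XML to a relying party it is worth checking what it actually asserts: the entity ID, where the single sign-on endpoints point, and the signing certificate and its expiry. The script below is an added example, not code from the original post. The metadata document in it is constructed for the example (tenant ID all zeros, a placeholder certificate that the parser will report as unparseable); for a real download, pass the file contents with Get-Content -Raw instead.

```powershell
# Added example (not from the original post): summarize and sanity-check an
# Azure AD SAML federation metadata document before uploading it.
# The XML below is constructed; the tenant ID is all zeros and the certificate
# is a placeholder, so the cert check will flag it as unparseable.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-SamlIdpMetadataSummary {
    param(
        [Parameter(Mandatory)][string]$Xml,
        # Hosts the SSO endpoints may point at; for Azure AD this is the login endpoint.
        [string[]]$AllowedSsoHosts = @('login.microsoftonline.com')
    )
    $doc = [xml]$Xml
    $ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity    = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    $ssoNodes  = $doc.SelectNodes('//md:IDPSSODescriptor/md:SingleSignOnService', $ns)
    $certNodes = $doc.SelectNodes("//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    $problems  = [System.Collections.Generic.List[string]]::new()

    $endpoints = foreach ($n in $ssoNodes) {
        $uri = [uri]$n.Location
        if ($uri.Scheme -ne 'https') { $problems.Add("SSO endpoint is not https: $uri") }
        if ($uri.Host -notin $AllowedSsoHosts) { $problems.Add("SSO endpoint host not in allow list: $($uri.Host)") }
        [pscustomobject]@{ Binding = ($n.Binding -replace '^.*:', ''); Location = $uri.AbsoluteUri }
    }
    if ($ssoNodes.Count -eq 0) { $problems.Add('No SingleSignOnService endpoint found') }

    $certs = foreach ($c in $certNodes) {
        try {
            $raw = [Convert]::FromBase64String(($c.InnerText -replace '\s', ''))
            $x = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
            # The relying party will trust assertions signed by this cert; flag it if it is about to expire.
            if ($x.NotAfter -lt (Get-Date).AddDays(30)) { $problems.Add("Signing cert $($x.Thumbprint) expires $($x.NotAfter)") }
            [pscustomobject]@{ Subject = $x.Subject; Thumbprint = $x.Thumbprint; NotAfter = $x.NotAfter }
        } catch {
            $problems.Add('Signing certificate could not be parsed')
        }
    }
    if ($certNodes.Count -eq 0) { $problems.Add('No signing certificate in metadata') }

    [pscustomobject]@{
        EntityId     = $entity.entityID
        SsoEndpoints = @($endpoints)
        SigningCerts = @($certs)
        Problems     = @($problems)
    }
}

# Run against the constructed sample; for a downloaded file use:
#   Get-SamlIdpMetadataSummary -Xml (Get-Content .\FederationMetadata.xml -Raw)
Get-SamlIdpMetadataSummary -Xml $sampleMetadata | Format-List
```

The entity ID printed here is what the relying party will compare against the Issuer in each assertion, and the thumbprint is what it will pin for signature validation, so both are worth recording alongside the change.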


Now with a user I will login to and select My Company ID so it can redirect me to my identity provider (Azure AD)


As expected, it has redirected me to Azure AD. I can confirm that the SAML single sign-on mode has been configured successfully.


Next I will add the conditional access policy.


For the Cloud apps, you can see that GoToMeeting now appears because we added it earlier. I will select this as the Cloud app.


I will configure it to apply to all device platforms.


I have configured it to apply to Browser, and mobile apps etc.


In this test example, I have configured it to require only Intune enrolled compliant devices to access GoToMeeting.
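The same policy can be created from PowerShell, which makes it easy to keep it in report-only mode while testing and to exclude emergency-access accounts from the start. The script below is an added example, not part of the original post, and assumes the Microsoft.Graph PowerShell module; the enterprise application display name and the two group IDs are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Creates the conditional access
# policy described above (GoToMeeting, all platforms, browser and mobile/desktop
# clients, require a compliant device) in report-only state for a pilot group.
# Assumes the Microsoft.Graph module; the group GUIDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# The gallery app added earlier exists as a service principal; CA targets its appId.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'GoToMeeting'" | Select-Object -First 1
if (-not $sp) { throw 'GoToMeeting enterprise application not found in this tenant' }

$pilotGroupId      = '11111111-1111-1111-1111-111111111111'  # placeholder: test users
$breakGlassGroupId = '22222222-2222-2222-2222-222222222222'  # placeholder: emergency access accounts

$policy = @{
    displayName = 'Require compliant device for GoToMeeting (pilot)'
    # Report-only: sign-in logs show what would happen, nobody is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeGroups = @($breakGlassGroupId)   # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @($sp.AppId) }
        platforms      = @{ includePlatforms = @('all') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results, enforce it:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Because the policy is evaluated when GoToMeeting redirects to Azure AD, an existing GoToMeeting session is not terminated when the policy is switched to enabled; it takes effect at the next sign-in through Azure AD.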


Now let's login to with the My Company ID


It will redirect us to Azure AD as we configured Azure AD as the identity provider earlier (and the domain used in my UPN was also added and confirmed in GoToMeeting)


Now because my device is not enrolled into Intune, I am blocked from accessing the GoToMeeting cloud resource as expected.


I have installed the GoToMeeting app on an Android phone, and it is the same expected user experience.


On an Intune enrolled compliant device I can login fine as expected (or you can launch the app from


SCCM Current Branch 1810 – Windows Store for Business

This post will show how you can integrate Windows Store for Business with SCCM Current Branch 1810, to sync applications and deploy WSfB applications such as the Company Portal app to machines.

Suggested Reading for prerequisites: Manage apps from the Microsoft Store for Business with Configuration Manager

In the SCCM console, go to Cloud Services > Azure Services > Configure Azure Services


Enter in the Name, and then select Microsoft Store for Business and click Next.


If you already have other Azure services configured in SCCM (Cloud Management Gateway for example), then it will automatically find the existing server app and you can click Next. If it doesn't find a web app, then follow the instructions below.


If it doesn’t find a web app, click on Browse and we will create it.


Click on Create.


Give it a name and sign in to create the web app.


Click on Next.


Enter in a path and select your languages and click Next.


Now we need to log in to the Microsoft Store for Business and give the web app we created earlier permission to act as a management tool. Log in to and go to Manage > Settings > Distribute > Add management tool


Enter in the name of the web app that was either created earlier in the Azure Services wizard, or the one that you imported.


Click on Activate.


Back in the SCCM console, select the Microsoft Store for Business and click Sync from Microsoft Store for Business


The sync status should change to Successful.


You can view the WsfbSyncWorker.log for more information.

After a successful sync, you should see your MSfB apps in License Information or Store Apps.


To deploy one of these apps, right click on the app and select Create Application and then follow through the wizard.



The application will then appear in the Applications section. You can now deploy it as normal.


Further reading: Manage apps from the Microsoft Store for Business with Configuration Manager

SCCM Current Branch – Currently logged on user in Console not displaying

One of the new features that came out in SCCM Current Branch 1806 was the ability for the SCCM console to show the currently logged on user.

I had an issue where this field was blank. First thing I checked was that the SCCM client on the device was up to date (1806 or later)

On all clients, in the ccmmessaging.log I noticed:

No reply message from Server. Server may be temporarily down or a transient network error.
Post to http://<mp>/ccm_system_windowsauth/request failed with 0x8000000a.

Then when checking the IIS status codes on the Management Point IIS logs it said:

CCM_POST /ccm_system_windowsauth/request 401.2 (401.2 – Logon failed due to server configuration.)
CCM_POST /ccm_system_windowsauth/request 500.0 (500.0 – Module or ISAPI error occurred.)

This was due to Active Directory User Discovery being disabled in my site.


Once it was enabled and the users were discovered, the errors went away in the ccmmessaging.log and in the MP IIS logs as well. Now the Last logged on username appears in the ConfigMgr console.


SCCM Co-management – MDM enrollment failed with error code 0xcaa9001f ‘Integrated Windows authentication supported only in federation flow.’

Recently I was setting up Co-Management in SCCM Current Branch 1810. I was having issues with clients not being enrolled into Intune.

First I confirmed that the device was Hybrid Azure AD joined (this is a requirement, the device needs to be registered in Azure AD). Then, when looking at the CoManagementHandler.log file on the client, I saw the error:

MDM enrollment failed with error code 0xcaa9001f ‘Integrated Windows authentication supported only in federation flow.’. Will retry in 240 minutes…

I found this error to be misleading. I am using Azure AD Connect with password sync, and not ADFS.


In my case, this error was caused by an enrollment restriction being set that blocked Windows 10 devices from being enrolled.

In Intune ( or in Device enrollment > Enrollment restrictions

In my Default restriction in Properties, then Select platforms, I had Windows (MDM) set to Block.


After setting Windows (MDM) to Allow, the CoManagementHandler.log said Queuing enrollment timer to fire at 01/15/2019 21:42:19 local time

After trying again it was successfully enrolled into Intune and you can see the Managed By now says MDM/ConfigMgr Agent


How can I view information, errors and warnings about my Intune tenant?

Intune now has a new Tenant Status section. This new section will give you information about your Intune tenant such as

  • Tenant Name
  • MDM Authority
  • Tenant Location
  • Service Release (the Intune build, this is handy to see if the latest Intune build has been released to your tenant)
  • Total Licensed Users
  • Total Intune Licenses
  • Total Enrolled Devices

You can also view the Connector Status, which shows the last sync date for Autopilot, Windows Store for Business and the other connectors.

Intune Service Health is also on the Tenant Status page; it lets you know of any issues or active incidents.

Intune News is also there. This includes categories like Stay Informed, where you can see what's new in the later builds of Intune, and Prevent or Fix Issues, where you can view known issues and resolved issues.

For more information see

To get to the Tenant Status screen to view information about your Intune Tenant, you will find it in , under Intune, then Tenant Status. Here is what it looks like:


Prevent Personal Windows 10 devices from enrolling into Intune

This post will show how you can easily configure Enrollment Restrictions in Intune to prevent personal Windows 10 devices from enrolling into Intune. It will also show what Intune authorizes as corporate enrollment, and the end user experience of when a user with a personal device tries to enroll.

The Intune enrollment restrictions support the following platforms:

  • Android
  • Android work profile
  • iOS
  • macOS
  • Windows

However this post will focus on Windows 10.

Further reading: Set enrollment restrictions

Intune treats the following enrollment methods as authorized corporate enrollments and will allow them:

  • The enrolling user is using a device enrollment manager account.
  • The device enrolls through Windows AutoPilot.
  • The device is registered with Windows Autopilot but is not an MDM enrollment only option from Windows Settings.
  • The device’s IMEI number is listed in Device enrollment > Corporate device identifiers. (Not supported for Windows Phone 8.1.)
  • The device enrolls through a bulk provisioning package.
  • The device enrolls through automatic enrollment from SCCM for co-management.

These enrollment methods are marked as corporate by Intune, but because they give the administrator no per-device control they will be blocked:

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)
  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)

These personal enrollment methods will also be blocked:

  • Automatic MDM enrollment with Add Work Account from Windows Settings (unless registered with Autopilot).
  • MDM enrollment only option from Windows Settings.

How to block the enrollments that aren’t authorized corporate devices:

To block the enrollment of Windows personal devices, in or, select Intune, Device Enrollment, Enrollment restrictions, then Create restriction (you can modify the Default restriction if you like, but be careful as it targets all users)


Give it a name, select Device Type Restriction, then click Select platforms. In my example I have allowed all platforms then clicked OK.


Click on Configure platforms. Now for Windows (MDM) I am going to block personal enrollments then click OK.



It now needs to be assigned to a group.
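Enrollment restrictions are easy to misread in the portal, and as the co-management post earlier on this page shows, a Windows (MDM) platform set to Block surfaces on the client only as a misleading 0xcaa9001f error. The script below, an added example that is not part of the original post, lists every enrollment restriction configuration in the tenant and shows for each one whether Windows MDM is blocked outright or only for personal devices. It assumes the Microsoft.Graph PowerShell module and uses the beta deviceEnrollmentConfigurations endpoint; the property names (windowsRestriction, platformBlocked, personalDeviceEnrollmentBlocked, and the newer per-platform platformType/platformRestriction shape) are taken from the beta schema and should be verified against your tenant.

```powershell
# Added example, not from the original post. Lists Intune enrollment
# restrictions and the effective Windows (MDM) settings of each.
# Assumes the Microsoft.Graph module; property names follow the beta schema.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

function Get-WindowsEnrollmentRestriction {
    $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $configs = @($page.value)
    # Follow paging in case the tenant has many configurations.
    while ($page.'@odata.nextLink') {
        $page = Invoke-MgGraphRequest -Method GET -Uri $page.'@odata.nextLink' -OutputType PSObject
        $configs += $page.value
    }

    foreach ($c in $configs) {
        # Older tenants expose one multi-platform restriction object carrying a
        # windowsRestriction block; newer ones add per-platform objects that use
        # platformType/platformRestriction. Handle both, skip everything else
        # (device limits, enrollment status page, ...).
        $win = $null
        if ($c.windowsRestriction) { $win = $c.windowsRestriction }
        elseif ($c.platformType -eq 'windows') { $win = $c.platformRestriction }
        if (-not $win) { continue }

        [pscustomobject]@{
            DisplayName            = $c.displayName
            Priority               = $c.priority   # 0 is the Default restriction that targets all users
            WindowsPlatformBlocked = [bool]$win.platformBlocked
            WindowsPersonalBlocked = [bool]$win.personalDeviceEnrollmentBlocked
            WindowsOsMinimum       = $win.osMinimumVersion
            WindowsOsMaximum       = $win.osMaximumVersion
        }
    }
}

$restrictions = Get-WindowsEnrollmentRestriction | Sort-Object Priority
$restrictions | Format-Table -AutoSize

# The co-management failure on this page: Windows blocked outright somewhere.
$restrictions | Where-Object WindowsPlatformBlocked |
    ForEach-Object { Write-Warning "'$($_.DisplayName)' blocks Windows MDM enrollment entirely (co-management auto-enrollment will fail for users it targets)" }
```

Priority decides which restriction wins when a user is targeted by several, so a personal-device block in a custom restriction only matters for users it is assigned to; the Default restriction (priority 0) catches everyone else.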


So what happens if I try to enroll a personal Windows 10 device?

  • Automatic MDM enrollment with Azure Active Directory join during Windows setup (unless registered with Autopilot)


  • Automatic MDM enrollment with Azure Active Directory join from Windows Settings (unless registered with Autopilot)


  • Automatic MDM enrollment with Add Work Account from Windows Settings


  • MDM enrollment only option from Windows Settings.


You can also view the errors in the Enrollment Status page under Device Enrollment. If I click on the Windows data then I can see the Enrollment failures saying Enrollment restrictions not met.



Customizing Windows 10 – Office 365 using Intune Administrative Templates

Microsoft recently released a preview of the Administrative Templates for Windows 10 in Intune. These Administrative Templates can be found in the Windows 10 Device Configuration profiles. In addition to Office settings, you can also customize Internet Explorer, OneDrive, and other Windows settings.

This post will show how we can easily change some Office 2016 settings on a Windows 10 machine with Office 365 installed that is Intune enrolled and Azure AD joined. I will set some example settings, but feel free to check out any other settings that may interest you.

To configure the Administrative Templates, in the Intune portal ( go into the Intune section, then go to Device configuration, profiles, Create profile.


Give the profile a meaningful name, and select Windows 10 and later for the platform. For the profile type, select Administrative Templates (Preview) then click on Create.


Now in our new Administrative Templates (Preview) device configuration profile, click on Settings to view all of the settings that we can configure. I would suggest going through all these settings as there may be other settings that you might want to configure. These will most likely get updated in the future as well with new settings.

In my example I have searched for Office to filter the settings for Microsoft Office.


If you click on one of the settings, it will take you to the setting with the description and the option to enable, or disable the setting. For example I have chosen to enable the setting to hide the option to enable or disable updates.


I am going to go ahead and enable some other settings. You can see the settings that I have enabled are below.


Once the settings are configured, as usual you need to assign the profile to a group. I have chosen to assign this to All Devices in my example.


Now on my example Windows 10 machine (Intune enrolled and Azure AD joined, with Office 365 installed), after doing a sync:

You can see that Enable automatic updates is enabled, Hide option to enable or disable updates is enabled, and the update branch is set to Current as per my settings in the Administrative Templates.


As noted in the registry above, you can see that the option to Disable Updates has now been removed as well.
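To confirm on a device that the profile actually landed (rather than only that the portal reports it as assigned), read back the policy values the Office templates write. The script below is an added example, not from the original post; the registry key and value names are the ones the Office 2016 ADMX templates use for the update settings, and the expected values are the three configured in this post.

```powershell
# Added example, not from the original post. Verifies on a Windows 10 device
# that the Office update settings from the Administrative Templates profile
# were applied, by reading the Office policy registry values.
# Assumes the Office 2016/365 ADMX value names under the officeupdate key.
$officeUpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

function Test-OfficeUpdatePolicy {
    param([string]$Key = $officeUpdatePolicyKey)

    # Expected values for the settings configured in this post.
    $expected = [ordered]@{
        enableautomaticupdates   = 1          # Enable Automatic Updates: Enabled
        hideenabledisableupdates = 1          # Hide option to enable or disable updates: Enabled
        updatebranch             = 'Current'  # Update Branch: Current
    }

    if (-not (Test-Path $Key)) {
        Write-Warning 'Policy key not present: the profile has not applied yet, or the device has not synced.'
        return
    }
    $actual = Get-ItemProperty -Path $Key

    foreach ($name in $expected.Keys) {
        $prop  = $actual.PSObject.Properties[$name]   # lookup is case-insensitive
        $value = if ($prop) { $prop.Value } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Result   = if ("$value" -eq "$($expected[$name])") { 'OK' } else { 'MISMATCH' }
        }
    }
}

$results = Test-OfficeUpdatePolicy
$results | Format-Table -AutoSize
if ($results | Where-Object Result -ne 'OK') { Write-Warning 'One or more Office update settings differ from the profile.' }
```

Run it in an elevated PowerShell on the device after Sync from the Company Portal or Settings app; values under HKLM\SOFTWARE\Policies are device-scoped, which is consistent with the profile being assigned to All Devices in this post.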

Intune – Win32 app Deploying BGInfo

Microsoft released a preview back in October 2018 for deploying Win32 applications through Intune. I wanted to deploy BGInfo to some Windows 10 machines that were enrolled in Intune and joined to Azure AD with a simple method, so I chose to try out the Win32 apps preview in Intune. It turned out to be really easy, and got the job done.

This post will show using the Intune Win32 App Packaging Tool to package up my required files into an .intunewin file, and then in Intune I will run a very basic PowerShell file that will:

  • Copy the BGInfo files (x64 version and config file) to C:\Program Files\BGInfo
  • Copy a shortcut for BGInfo to the StartUp folder so it can start up each time Windows runs
  • Run the BGInfo executable after it has copied everything

Prerequisites for Win32 Apps public preview

  • Windows 10 version 1607 or later (Enterprise, Pro, and Education versions)
  • Windows 10 client needs to be:
    • joined to Azure Active Directory (AAD) or Hybrid Azure Active Directory, and
    • enrolled in Intune (MDM-managed)
  • Windows application size is capped at 8 GB per app in the public preview

My install.ps1 is very simple and contains:

# install.ps1 - runs as SYSTEM from the Intune Management Extension
# Stop on the first error so a failed copy makes powershell.exe exit non-zero and
# Intune reports the failure, instead of a silent success that fails detection.
$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Force -Path 'C:\Program Files\BGInfo' | Out-Null

# $PSScriptRoot is the folder the .intunewin contents were extracted to
Copy-Item -Path "$PSScriptRoot\bginfo64.exe" -Destination 'C:\Program Files\BGInfo\bginfo64.exe' -Force
Copy-Item -Path "$PSScriptRoot\custom.bgi" -Destination 'C:\Program Files\BGInfo\custom.bgi' -Force
Copy-Item -Path "$PSScriptRoot\bginfo.lnk" -Destination 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.lnk' -Force

# This runs in session 0 as SYSTEM, so it paints the SYSTEM profile's desktop only;
# the StartUp shortcut is what applies the wallpaper for each logged-on user.
Start-Process 'C:\Program Files\BGInfo\Bginfo64.exe' -ArgumentList "`"C:\Program Files\BgInfo\custom.bgi`"", '/timer:0', '/silent', '/nolicprompt'

exit 0

I have downloaded the Win32 packaging tool from and saved it to my C:\Intune

I have a folder called C:\bginfo that contains my BGinfo files:

  • Bginfo.lnk – This is the BGInfo shortcut that will be copied to the StartUp folder with the target of "C:\Program Files\BGInfo\Bginfo64.exe" "C:\Program Files\BgInfo\custom.bgi" /timer:0 /silent /nolicprompt
  • Bginfo64.exe – the executable to run BGInfo
  • custom.bgi – this is just my BGInfo configuration
  • install.ps1 – this contains the commands for copying the files and is mentioned above


IntuneWinAppUtil.exe is very easy to run: it will prompt you for the source folder (the screenshot above with my BGInfo files and PowerShell file), the setup file (Bginfo64.exe), and the output folder (where it will place the .intunewin file to upload to Intune).


Once done, it will output the .intunewin file to upload to Intune to deploy.


To create the Win32 app in Intune, log in to the Azure portal and select Intune > Client Apps > Add


Select Windows app (Win32) – preview for the App type, and browse to the .intunewin package that was created earlier.


Fill in the required information.


For my install command, I have entered in "powershell.exe -executionpolicy Bypass .\install.ps1"

The uninstall command is required as well (I have used the same command which won’t work to uninstall, but I am not concerned about that)


Fill in the requirements.


I have used a detection rule to search for the file Bginfo64.exe in C:\Program Files\BGInfo
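A Win32 app cannot be retired cleanly from Intune without a working uninstall command, and with a file-based detection rule the uninstall has to remove exactly the file the rule looks for. The uninstall.ps1 below is an added example, not part of the original post; it reverses the install script above. It assumes the same paths as install.ps1 and an uninstall command of "powershell.exe -ExecutionPolicy Bypass -File .\uninstall.ps1" (the -File switch makes powershell.exe treat the argument as a script path and return the script's exit code to Intune).

```powershell
# uninstall.ps1 - added example, not from the original post. Reverses install.ps1
# so the Intune uninstall command actually works:
#   powershell.exe -ExecutionPolicy Bypass -File .\uninstall.ps1
# The Intune Management Extension runs this as SYSTEM from a 32-bit host, where
# $env:ProgramFiles resolves to "C:\Program Files (x86)", so the literal 64-bit
# paths from install.ps1 are used rather than the environment variable.
$ErrorActionPreference = 'Stop'
$installDir = 'C:\Program Files\BGInfo'
$startupLnk = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\bginfo.lnk'

try {
    # BGInfo normally exits right after painting the wallpaper, but stop any copy still running
    # so the executable is not locked when we delete it.
    Get-Process -Name 'Bginfo64' -ErrorAction SilentlyContinue | Stop-Process -Force

    if (Test-Path $startupLnk) { Remove-Item -Path $startupLnk -Force }
    if (Test-Path $installDir) { Remove-Item -Path $installDir -Recurse -Force }

    # The detection rule looks for Bginfo64.exe; if it survived, report failure so
    # Intune does not mark the uninstall as successful while detection still succeeds.
    if (Test-Path (Join-Path $installDir 'Bginfo64.exe')) {
        throw 'Bginfo64.exe still present after removal'
    }
    exit 0
}
catch {
    Write-Error $_
    exit 1
}
```

Package uninstall.ps1 in the same source folder as install.ps1 before running IntuneWinAppUtil.exe so both scripts end up in the .intunewin file.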


Once you finish all the steps, the app needs to upload.


You can now assign the app.


Once the Windows 10 Azure AD Joined and enrolled into Intune device syncs, it will install.


For troubleshooting, you can check the following log – C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log


Demo of a new machine using Autopilot with the Win32 app deployed.


Thanks to Steve Hosking for pointing out to me that I could use PowerShell instead of a cmd file.

SCCM Current Branch – Import Azure Services existing Web Apps to use same Azure subscription for CMG in different SCCM environments

This post will show how you can import the Azure Web Apps in SCCM Current Branch so you can use the same Azure hosting subscription for the CMG for different SCCM Current Branch environments. For example, you might have a Dev SCCM environment and a Production SCCM environment, and you only have one Azure Subscription, but you want to deploy a CMG in both the Dev and Prod environment.

In the SCCM Cloud Management Gateway documentation, there is an FAQ section that says:

Do the user accounts have to be in the same Azure subscription as the subscription that hosts the CMG cloud service?

If your environment has more than one subscription, you can deploy CMG into any subscription that can host Azure cloud services.

This question is common in the following scenarios:

  • When you have distinct test and production Active Directory and Azure AD environments, but one single, centralized Azure hosting subscription
  • Your use of Azure has grown organically across different teams

When you’re using a Resource Manager deployment, onboard the associated Azure AD tenant. This connection allows Configuration Manager to authenticate to Azure to create, deploy, and manage the CMG.

If you’re using Azure AD authentication for the users and devices managed over the CMG, onboard that Azure AD tenant. For more information on Azure services for cloud management, see Configure Azure services. When you onboard each Azure AD tenant, a single CMG can provide Azure AD authentication for multiple tenants, regardless of the hosting location.

In the SCCM console, go to Azure Services, then Configure Azure Services.


Give it a Name, and select Cloud Management Gateway.


Click on Browse next to the Web app.


You can create a new one, or you can import the existing one. Select Import.


Now open up your Internet browser, go to, then Azure Active Directory, I am using the new preview for App Registrations, so I have selected App registrations (Preview) and selected my Server App that I want to import.


To import this web app, copy the Display Name, Client ID, and Tenant ID.


Also go to Certificates & secrets, and create a new client secret.


Copy the value. We will use this later.


Type in your Azure AD Tenant name, the Tenant ID that you copied earlier, the Application Name, Client ID, Secret Key, Secret Key Expiry, and the App ID URI. Make sure to click the Verify button to verify that all the information is correct.
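The values the Import dialog asks for can all be collected in one place, and creating the secret from PowerShell lets you set its expiry explicitly instead of reading it off the portal afterwards. The script below is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell module and a caller with Application.ReadWrite.All and Organization.Read.All; the server app display name is a placeholder for whatever you named the app.

```powershell
# Added example, not from the original post. Creates a new client secret on the
# existing SCCM server app registration and prints the values the SCCM
# "Import" dialog asks for. Assumes the Microsoft.Graph module; the display
# name below is a placeholder.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'Organization.Read.All'

$serverAppName = 'ConfigMgrServerApp'   # placeholder: the server app's display name
$app = @(Get-MgApplication -Filter "displayName eq '$serverAppName'")
if ($app.Count -ne 1) { throw "Expected exactly one app registration named '$serverAppName', found $($app.Count)" }
$app = $app[0]

# Pick the expiry deliberately: SCCM stops authenticating to Azure when it lapses,
# so record the date and renew it (Azure Services > Renew Secret Key) before then.
$expiry = (Get-Date).AddYears(1)
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    displayName = "SCCM import $(Get-Date -Format 'yyyy-MM-dd')"
    endDateTime = $expiry
}

$tenantName = (Get-MgOrganization).VerifiedDomains | Where-Object IsInitial | Select-Object -ExpandProperty Name

# Values to paste into the Import dialog, in the order the dialog lists them.
[pscustomobject]@{
    'Azure AD Tenant Name' = $tenantName
    'Tenant ID'            = (Get-MgContext).TenantId
    'Application Name'     = $app.DisplayName
    'Client ID'            = $app.AppId
    'Secret Key'           = $secret.SecretText          # shown only once; store in a vault, not in a ticket
    'Secret Key Expiry'    = $expiry.ToString('yyyy-MM-dd')
    'App ID URI'           = ($app.IdentifierUris | Select-Object -First 1)
} | Format-List
```

Each SCCM environment that imports the app should get its own secret rather than sharing one value, so a secret can be revoked for one site without breaking the other.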


Click on OK.


Do the same for the Native Client app. You can follow the instructions above to get the correct values.


Once both apps have been imported, click on Next.


I won’t be enabling Azure AD discovery.


Finish the rest of the wizard and the Subscription information will be imported so you can deploy the CMG in this subscription.


SCCM 1806 CMG – Hybrid Azure AD – Failed to get CCM access token

When using the Cloud Management Gateway in SCCM Current Branch 1806, with Hybrid Azure AD clients for authentication, you may see the following errors in ccmmessaging.log on the client:

[CCMHTTP] ERROR: URL=https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH
Failed to get CCM access token and client doesn’t have PKI issued cert to use SSL. Error 0x80004005
Post to https://<cmgname>/CCM_Proxy_MutualAuth/<guid>/ccm_system_windowsauth/request failed with 0x87d00231.


If you then check the logs on the management point, specifically CCM_STS.log, you will see:

AAD user with ID <ID> and SID is not completely discovered
Return code: 403, Description: Un-authorized request, AAD user is not discovered


At the time of writing this post, if you are using hybrid Azure AD for authentication, you need to enable both Azure AD User Discovery and the on-premises Active Directory User Discovery. You can see in the CCM_STS.log above that it says the Azure AD user is not discovered, which causes the 403 error.

Once both user discovery methods have been enabled, the client can authenticate over the CMG.
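Both this post and the "currently logged on user" post earlier on the page come down to the same pattern: an authentication failure in ccmmessaging.log on the client, explained by a second log on the management point (the IIS log there, CCM_STS.log here). The script below is an added example, not from the original posts. It parses CMTrace-format lines and W3C IIS log lines, and tags the messages quoted on this page with the cause each post identified. All sample log lines are constructed for the example; the host names and CMG instance ID in them are made up.

```powershell
# Added example, not from the original posts. Parses CMTrace-format lines (as
# written to ccmmessaging.log on the client and CCM_STS.log on the MP) and W3C
# IIS log lines, flagging the authentication failures described on this page.
# Sample lines are constructed; host names and the CMG instance ID are made up.
$ccmSample = @'
<![LOG[Post to http://mp01.contoso.local/ccm_system_windowsauth/request failed with 0x8000000a.]LOG]!><time="10:02:11.123+000" date="01-15-2019" component="CcmMessaging" context="" type="3" thread="1234" file="ccmhttp.cpp:1">
<![LOG[[CCMHTTP] ERROR: URL=https://cmg.contoso.com/CCM_Proxy_MutualAuth/72057594037927941/ccm_system_windowsauth/request, Port=0, Options=1216, Code=0, Text=CCM_E_NO_TOKEN_AUTH]LOG]!><time="10:03:00.000+000" date="01-15-2019" component="CcmMessaging" context="" type="3" thread="1234" file="ccmhttp.cpp:1">
<![LOG[Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x80004005]LOG]!><time="10:03:00.010+000" date="01-15-2019" component="CcmMessaging" context="" type="3" thread="1234" file="ccmhttp.cpp:1">
<![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="10:03:00.020+000" date="01-15-2019" component="CcmMessaging" context="" type="1" thread="1234" file="ccmhttp.cpp:1">
<![LOG[Return code: 403, Description: Un-authorized request, AAD user is not discovered]LOG]!><time="10:03:01.000+000" date="01-15-2019" component="CCM_STS" context="" type="3" thread="9" file="sts.cpp:1">
'@
$iisSample = @'
#Fields: date time cs-method cs-uri-stem sc-status sc-substatus
2019-01-15 10:02:11 CCM_POST /ccm_system_windowsauth/request 401 2
2019-01-15 10:02:12 CCM_POST /ccm_system_windowsauth/request 500 0
2019-01-15 10:02:13 CCM_POST /ccm_system/request 200 0
'@

$severityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLine {
    param([string[]]$Lines)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $severityNames[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

# Message signatures quoted on this page, with the cause each post traced them to.
$knownFailures = @(
    @{ Pattern = 'ccm_system_windowsauth/request failed with 0x8000000a'
       Cause   = 'MP refused Windows authentication (401.2 in the MP IIS log); check that AD User Discovery is enabled' }
    @{ Pattern = 'CCM_E_NO_TOKEN_AUTH|Failed to get CCM access token'
       Cause   = 'Client has neither an Azure AD token nor a PKI client cert, so it cannot authenticate through the CMG' }
    @{ Pattern = 'AAD user is not discovered'
       Cause   = 'Enable both Azure AD User Discovery and AD User Discovery, then wait for the user to be discovered' }
)

function Find-CMAuthFailure {
    param([string[]]$Lines)
    foreach ($entry in (ConvertFrom-CMTraceLine -Lines $Lines)) {
        foreach ($f in $knownFailures) {
            if ($entry.Message -match $f.Pattern) {
                [pscustomobject]@{
                    When        = "$($entry.Date) $($entry.Time)"
                    Component   = $entry.Component
                    Message     = $entry.Message
                    LikelyCause = $f.Cause
                }
                break
            }
        }
    }
}

function Find-IISWindowsAuthFailure {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # 401.2 and 500.0 on the windowsauth endpoint are the MP IIS log signatures from this page.
        if ($row['cs-uri-stem'] -like '*/ccm_system_windowsauth/*' -and $row['sc-status'] -in @('401', '500')) {
            [pscustomobject]@{
                When   = "$($row['date']) $($row['time'])"
                Uri    = $row['cs-uri-stem']
                Status = "$($row['sc-status']).$($row['sc-substatus'])"
            }
        }
    }
}

# Run over the constructed samples; for real logs pass Get-Content of the file instead,
# e.g. Find-CMAuthFailure -Lines (Get-Content 'C:\Windows\CCM\Logs\CcmMessaging.log')
Find-CMAuthFailure -Lines ($ccmSample -split "`r?`n") | Format-Table -AutoSize -Wrap
Find-IISWindowsAuthFailure -Lines ($iisSample -split "`r?`n") | Format-Table -AutoSize
```

The informational line in the sample is deliberately left unmatched so the output shows only the three failure signatures; when pointed at a real client log, correlate the timestamps with the MP-side log before changing discovery settings, since an unmatched 401.2 on the MP with no CCM_E_NO_TOKEN_AUTH on the client points at the on-premises discovery case rather than the CMG one.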