MDM: Preventing Meeting Room devices registered to Intune by user account

Hey guys and girls, happy new year, and I hope you are all healthy and safe!
I’ve come across an issue where users keep signing in with their own corporate user accounts on a meeting room device through Microsoft Teams. As a result, the meeting room device also gets registered under the user’s account.

Manually deleting the device objects from the user’s account every time is not practical for administrators; clean-up is not something an administrator should have to do each time a user signs in on that meeting room device. Our meeting room devices are not hybrid joined, so this solution does not affect the Windows licence, but that does not mean it cannot cause issues in your environment. I recommend testing it in your lab environment first. Our meeting room devices are custom made/designed.

I came across an article that really helped my situation. The solution requires modifying the device’s registry.

Note:

Please run a lab test.

  1. Launch the registry editor on the affected machine
  2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
  3. Create a new DWORD value named BlockAADWorkplaceJoin and set it to 1
  4. Reboot the machine
  5. Run “dsregcmd /status” from a command prompt to check the registration state; you should see
    • WorkplaceJoined: No
    • SSO state: No

If you have multiple devices that need this setting, you can export and save the registry setting or use the PowerShell method. You can find the PowerShell method in the references below.
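As an added example (not code from the original post or from the referenced article), the same registry change as a script that you can run on each meeting room device from an elevated PowerShell session. It creates the policy key (which does not exist on a fresh machine), writes the DWORD, reads it back so a failed write is obvious, and prints the relevant dsregcmd fields. The way it filters dsregcmd output is this example’s own assumption.

```powershell
# Added example: apply the BlockAADWorkplaceJoin policy and verify it.
# Run from an elevated PowerShell session; reboot afterwards as described above.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
$ValueName  = 'BlockAADWorkplaceJoin'

# The Policies\...\WorkplaceJoin key does not exist until a policy is set; create it first.
if (-not (Test-Path $PolicyPath)) {
    New-Item -Path $PolicyPath -Force | Out-Null
}

# Write the value as REG_DWORD = 1. -Force overwrites an existing value of any type.
New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back so the script fails loudly if the write did not take effect.
$applied = (Get-ItemProperty -Path $PolicyPath -Name $ValueName).$ValueName
if ($applied -ne 1) {
    throw "Expected $ValueName = 1 under $PolicyPath, found '$applied'"
}

# Show the registration fields from dsregcmd /status. dsregcmd prints them as
# "Name : Value" lines; matching on these field names is an assumption of this example.
# Before the reboot a device a user already registered may still report WorkplaceJoined : YES.
dsregcmd /status |
    Select-String -Pattern 'AzureAdJoined|DomainJoined|WorkplaceJoined|AzureAdPrt' |
    ForEach-Object { $_.Line.Trim() }

Write-Host "Policy applied. Reboot, then re-run 'dsregcmd /status' and confirm WorkplaceJoined : NO."
```

If dsregcmd still reports WorkplaceJoined : YES after the reboot, the user’s existing work account is still present on the device; remove it under Settings > Accounts > Access work or school and check again. Because these devices are not enrolled in Intune, the script has to be delivered by whatever tooling manages the meeting room image rather than by an Intune script policy.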

References:

  1. https://msendpointmgr.com/2021/03/11/are-you-tired-of-allow-my-organization-to-manage-my-device/
  2. https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692

Microsoft Endpoint Manager: Troubleshoot Hybrid Device Joined

Good day everyone, I hope you are all taking care of your health and safety during this pandemic, and getting your booster shots too.

Today’s issue is related to Microsoft Endpoint Manager and hybrid device join. I noticed that when a device’s Azure AD Registered entry is removed from the Endpoint Manager portal, and the machine is not rebooted immediately but left for more than an hour after I made the change in the portal, the device has trouble joining/registering as hybrid joined.

The device stores a cache of its registration state; I’m not sure how often the device refreshes it from the portal.

Symptoms that your hybrid join was not successful:

  1. The device’s Register status stays stuck at Pending in Endpoint Manager
  2. The device’s MDM status stays stuck at System Center Configuration Manager instead of Microsoft Intune in Endpoint Manager
  3. The command prompt keeps showing the MDM warning when I run “gpupdate /force”, even though the machine object is no longer found in Endpoint Manager
  4. dsregcmd /status shows “DeviceAuth: Failed. Device is either disconnected or deleted.”

Steps to resolve:

  1. First, clear the machine object from Endpoint Manager
  2. Run an Azure AD Connect synchronization from on-premises
  3. Once the Azure AD Connect synchronization has completed, proceed to the next step
  4. Reboot the machine
  5. Launch a command prompt as administrator on the affected machine and run “dsregcmd /leave”
  6. Then run “dsregcmd /status” and check that the device is unjoined
  7. In the registry editor, go to HKLM\SOFTWARE\Microsoft\Enrollments and delete all the GUID-looking keys
  8. Reboot the machine
  9. Try the hybrid join procedure again

If the system does not let you delete some of the keys, that is fine; proceed with deleting the ones that can be deleted.
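As an added example (not code from the original post or from the referenced Microsoft article), steps 5 to 7 above as one script for an elevated PowerShell session on the affected machine, to be run after the object has been removed from Endpoint Manager and Azure AD Connect has synced. It leaves the registration, parses dsregcmd /status into a hashtable so the join state can be checked rather than eyeballed, and deletes only the GUID-named keys under Enrollments, reporting any the system refuses to delete instead of aborting. Treating every “Name : Value” line of dsregcmd output as a key/value pair is this example’s own assumption.

```powershell
# Added example: scripted version of steps 5-7 (dsregcmd /leave, status check, Enrollments clean-up).
# Run as administrator after steps 1-4; reboot and retry the hybrid join afterwards (steps 8-9).

# Step 5: drop the existing device registration.
dsregcmd /leave | Out-Null

# Step 6: turn "   Name : Value" lines from dsregcmd /status into a hashtable.
function Get-DsregState {
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$state = Get-DsregState
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'DeviceAuthStatus') {
    if ($state.ContainsKey($field)) { Write-Host ("{0,-18} {1}" -f $field, $state[$field]) }
}
if ($state['AzureAdJoined'] -ne 'NO') {
    Write-Warning "Device still reports AzureAdJoined = $($state['AzureAdJoined']); reboot and re-run before continuing."
}

# Step 7: remove only the GUID-named enrollment keys. The other subkeys under Enrollments
# (Context, Ownership, Status, ValidNodePaths, ...) are left alone. Keys the system refuses
# to delete are reported and skipped, which the post says is acceptable.
$EnrollmentsPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$GuidPattern = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

$removed = @()
$skipped = @()
foreach ($key in (Get-ChildItem -Path $EnrollmentsPath -ErrorAction Stop)) {
    if ($key.PSChildName -notmatch $GuidPattern) { continue }
    try {
        Remove-Item -Path $key.PSPath -Recurse -Force -ErrorAction Stop
        $removed += $key.PSChildName
    } catch {
        $skipped += $key.PSChildName
        Write-Warning "Could not delete $($key.PSChildName): $($_.Exception.Message)"
    }
}

Write-Host "Removed $($removed.Count) enrollment key(s); skipped $($skipped.Count)."
Write-Host "Reboot the machine and retry the hybrid join."
```

Filtering on the GUID pattern matters: deleting the non-GUID subkeys under Enrollments can break the MDM client in ways that are harder to recover from than the pending-device problem you started with.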

References:

  1. https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/pending-devices
  2. https://www.itpromentor.com/troubleshooting-weird-azure-ad-join-issues/

Intune & PowerShell: Creation of Email accounts automation on Outlook

Hey guys and girls, hope you are all having a good day. Today’s topic involves three platforms:

  • Intune/Microsoft Endpoint Manager
  • PowerShell
  • Outlook App (Windows)

This topic relates to migration situations: the environment is running IMAP and is in the process of migrating to Office 365. To let users start using the new mailbox and keep receiving the latest emails without disruption or downtime, you need to add the Office 365 email account to their existing Outlook profile.

Suppose you already have an account, user@abc.com of type “IMAP”, in your default Outlook profile, and you also want to add user@abc.com of type “Microsoft Exchange” to the same profile. This is where the issue happens: most people try to add the account from the Outlook app, but it never lets you add the new account and returns the message “This account has been added.” It seems the Outlook app cannot differentiate between account types. A Google search only turns up articles guiding you to create a new profile just for the Office 365 account.

Wait… there is a solution to this. Don’t bother raising a case with Microsoft Support from Intune; if you’re lucky you will meet a support engineer willing to go the extra mile for you. Usually support recommends turning on the Intune feature “Automating the creation of Outlook profile for Exchange accounts”, but this only applies to new profiles, not existing ones.

So the solution is simple, but I have still not found a way to automate it. Hence it is manual; luckily this was a small organisation, otherwise I would be lost for words. It is the type of organisation that is not willing to spend on other migration products such as BitTitan, etc.

Anyway, to add an email account to the default Outlook profile:

  1. Click the Start/Windows button
  2. Search for “Control Panel”
  3. Search for “Mail” in Control Panel
  4. Open Mail > select “Email Accounts”
  5. Select “New”
  6. Enter the following details and click Next
  7. Wait for the account setup to finish
  8. You will now have two user@abc.com accounts in the default Outlook profile with different types, IMAP and Microsoft Exchange.

If you still want to go with two Outlook profiles, one per account type, here is a simple PowerShell script that you can upload to Intune. It writes to HKCU, so it has to run in the signed-in user’s context, not as SYSTEM:

# Name of the new Outlook profile (replace the placeholder with the profile name you want)
$ProfileName = "<Profile Name>"

# Create the new profile key; Outlook populates it the first time the profile is used
New-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles\$ProfileName" -Value "" -Force | Out-Null

# Make Outlook prompt the user to choose a profile at startup (PickLogonProfile is a REG_SZ "1")
New-Item -Path "HKCU:\Software\Microsoft\Exchange\Client\Options" -Force | Out-Null
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Exchange\Client\Options" -Name "PickLogonProfile" -Value "1"

Intune is Group Policy Management

Hey guys and girls, sorry for not updating my blog; I have been occupied with work. I feel bad about breaking my goal of writing once a week.

So I think my title caught your attention, right? You thought this post was going to be talking nonsense? Hahaha… No! I still come across people who misunderstand what Intune is, its capabilities and its limitations. I see quite a lot of blogs that only talk about the wins and losses of Intune versus Group Policy Management, and not many that explain.

Familiar questions that I usually get:

“I thought Intune is a replacement of GPO?”

“Why do we still need to rely on GPO?”

“No,  you are wrong, I saw there is administrative templates in Intune”

I am here to explain it properly.

If you take the time to look closely at Intune’s device configuration categories, you will notice their settings are not as complete as Group Policy for Windows. Seeing part of something does not give you a full understanding of Intune’s capabilities and limitations until you put it, and yourself, through experiments or lab testing.

My journey with Intune has been a roller-coaster: I have experienced its limitations, its behaviour and its good parts. Yes, technology keeps changing to ease our daily challenges.

From my experience, Intune does its job but is still not stable enough. I usually have to combine it with other technology to get the work done. You might think “Urgh… that’s a lot of work to keep track of”, but if you are a creative person, these are the possibilities for working around whatever is stopping you from getting that work done.

In conclusion, Intune is not Group Policy Management, but Intune and Group Policy Management can be one (combine) to get your work done.

Intune Autopilot: Troubleshoot RDP access prompt

So I am testing Autopilot in my lab environment, which consists of a Hyper-V host with its virtual machines. I am doing a manual registration, so how do I export the device information that is required to register my VM for Autopilot?

I already have a VM running Windows 10 Pro, and I ran this script to export and automatically import the device information to register it in Autopilot. However, I did not run the script before the Out-of-Box Experience (OOBE) happened, so to make Autopilot work on my VM I had to reset it.

Once the VM had reset, it asked for the region and keyboard language, and next it showed a welcome page with the display name and the company name. So I keyed in the user’s email address and password and also set up the PIN. However, I then noticed that I had set this user up with Standard permissions only. Thus the Administrator account is disabled, and I kept getting the RDP permission error prompt because the user account is not in the Remote Desktop Users group on the VM.

Example of the prompt:

To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted the right manually.

How I troubleshot this:

  1. Run MMC as administrator > File > Add/Remove Snap-in
  2. Key in your Office 365 admin account (an account with permission to manage devices)
  3. Select Local Users and Groups > Add
  4. Select Local computer > Finish > OK
  5. Expand Local Users and Groups > Users > right-click Administrator > uncheck “Account is disabled”
  6. Reset the local Administrator password too
  7. Select Groups > right-click Remote Desktop Users > Add > Authenticated Users > OK
  8. Close MMC
  9. Sign out and sign in again

These steps should help you from getting the prompt again.

Please take note that I am doing this in a lab environment. In production, you should not enable the Administrator account or make changes to the local users and groups.
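As an added example (not code from the original post), steps 5 to 7 of the MMC walkthrough as a script for an elevated PowerShell session on the lab VM, with the narrower alternative of granting the Remote Desktop right to just the Autopilot user rather than to Authenticated Users. The user principal name is a placeholder. net.exe is used for the group change because it accepts the AzureAD\<UPN> form, while Add-LocalGroupMember has historically failed to resolve Azure AD principals; that choice is this example’s own.

```powershell
# Added example: enable the built-in Administrator and grant the RDP sign-in right (lab VM only).
$AutopilotUser = 'AzureAD\user@contoso.com'   # placeholder: the Azure AD user who signed in at OOBE

# Steps 5-6: enable the built-in Administrator and set a password for it.
# Read-Host -AsSecureString keeps the password out of the script and the command history.
$adminPassword = Read-Host -Prompt 'New password for the local Administrator' -AsSecureString
Enable-LocalUser -Name 'Administrator'
Set-LocalUser -Name 'Administrator' -Password $adminPassword

# Step 7. The post adds Authenticated Users, which lets every signed-in account RDP in.
# The default here grants the right to the one Autopilot user instead.
$grantAllAuthenticated = $false   # set to $true to reproduce the post's step 7 exactly
if ($grantAllAuthenticated) {
    net localgroup 'Remote Desktop Users' 'Authenticated Users' /add | Out-Null
} else {
    net localgroup 'Remote Desktop Users' $AutopilotUser /add | Out-Null
}

# Verify who can now sign in through Remote Desktop Services.
net localgroup 'Remote Desktop Users'
```

The same result for managed devices comes from an Intune policy that sets the Remote Desktop Users membership (or the “Allow log on through Remote Desktop Services” user right) for a named group, which avoids touching the local Administrator account at all.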