Create Configuration Manager Collection based on Heartbeat DDR

 We'll look at how to create a Device collection that will display clients who haven't reported back to Configuration Manager in 14 days based on the client Heartbeat DDR agent date.

To find configuration manager clients that aren't sending heartbeat DDR older than 14 days, copy the below query to create a device collection. You can also change the 14 days to any number of days based on your office's needs.

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System where AgentName in ("Heartbeat Discovery") and DATEDIFF(day,AgentTime,GetDate())<14)

Clear - CCMCache remotely using Configuration Manger Console & PowerShell Script

Have you ever needed to remotely clean the ccmcache folder on a computer? This blog article will explain how:

Step 1 - Add following PowerShell script in Software Library > Scripts:

## Initialize the CCM resource manager com object
[__comobject]$CCMComObject = New-Object -ComObject 'UIResource.UIResourceMgr'
## Get the CacheElementIDs to delete
$CacheInfo = $CCMComObject.GetCacheInfo().GetCacheElements()
## Remove cache items
ForEach ($CacheItem in $CacheInfo) {
$null = $CCMComObject.GetCacheInfo().DeleteCacheElement([string]$($CacheItem.CacheElementID))
}

Step 2 - In the Configuration Manager (SCCM/MECM) console, locate the computer. 

Step 3 - Click it with the right mouse button and select Run Script > Select the Script you added > Next. 

Step 4 - Wait for the process to complete, and monitor Script Status Monitoring for output.

Feature Update to Windows 10 Version 21H2 x64-based systems 2021-11 via Enablement Package

Here are the download links for the update mentioned in the title.

System requirements from Microsoft:

KB5003791: Update to Windows 10, version 21H2 by using an enablement package

Windows Build number: 19041/19042/19043.1237 or higher.

Download the package and install it with a double click on the file.

x64: http://b1.download.windowsupdate.com/d/upgr/2021/11/windows10.0-kb5003791-x64_14e7547b08f1b29cae6e41c9f7da5f1347d9955c.msu

Name: windows10.0-kb5003791-x64_14e7547b08f1b29cae6e41c9f7da5f1347d9955c.msu
Size: 168099 bytes (164 KiB)
CRC32: A83F3B3A
CRC64: 72F8B925467B2CD8
SHA256: A51288BDE7C8228C3244FEA5AA7BC7DB1A014E48EAAF7DC1DC04A16A2E45C0DF
SHA1: 14E7547B08F1B29CAE6E41C9F7DA5F1347D9955C
BLAKE2sp: 85D747995B03CEC0A18D2E23649FE05C7D2D64D277ECC0FFE7AC0A00117A3DE5

x86: http://b1.download.windowsupdate.com/d/upgr/2021/11/windows10.0-kb5003791-x86_ac1fc53b104c6ce0ffa50b70af754b81e56829ce.msu

Name: windows10.0-kb5003791-x86_ac1fc53b104c6ce0ffa50b70af754b81e56829ce.msu
Size: 168642 bytes (164 KiB)
CRC32: F0C57E17
CRC64: 304DC7C229403463
SHA256: 4C7F1F715FC335AA046E4BF6667B69B6B0512426F03792BBCA3262B486D128CE
SHA1: AC1FC53B104C6CE0FFA50B70AF754B81E56829CE
BLAKE2sp: 84A45BC25ABE3C9271F6FDD89DFE79CEA0D886D81E88E845AF5CE52F347063AD

arm64: http://b1.download.windowsupdate.com/d/upgr/2021/11/windows10.0-kb5003791-arm64_047071577e1aa33883b851a8b2c749b1e723e369.msu

Name: windows10.0-kb5003791-arm64_047071577e1aa33883b851a8b2c749b1e723e369.msu
Size: 168718 bytes (164 KiB)
CRC32: 85C4ACF6
CRC64: 1050BF8A799234A2
SHA256: 79689953E8B3E542B08C788E760BD9BDFBBCB3AF7D9E29ECEB9AC3FDBDF1DA79
SHA1: 047071577E1AA33883B851A8B2C749B1E723E369
BLAKE2sp: B5192D05461BEBAA91B2482ADEAA12727B4FB63A22FBFABD069FBACD9D4F292E

Introducing the next feature update to Windows 10: 21H2 | Windows Experience Blog

More information can be found in the following post:

https://www.reddit.com/r/Windows10/comments/qvenhp/windows_10_21h2_19044_launch_megathread/

Rev. 3 - Link to megathread added.

How to open directly Configuration Manager properties using cmd

How to open directly Configuration Manager properties using cmd

Control.exe smscfgrc

Register a Service Principle Name (SPN) for MBAM Web Application

When I am working to build MBAM infrastructure and during the MBAM web server setup I got below warnings/errors on MBAM web and setup event logs:

MBAM Event logs:

 

Log Name: Microsoft-Windows-MBAM-Setup/Admin
Task Category: WebProviderWarning
Event ID: 502
Keywords: Configurator,Cmdlet,WebApplication
Web application provider warning.
Description:
Cannot register the Service Principal Name (SPN) "HTTP/MBAMWEB.pj360i.co.uk" on the AppPool account "pj360i\MBAMAppPool". You may not have the required permissions to create the SPN. The SPN must be created for MBAM to function properly. Configure the SPN manually. http://go.microsoft.com/fwlink/?LinkId=390155
Could not set Service Principal Name (SPN) "HTTP/MBAMWEB.pj360i.co.uk". Error 0x21C7.
Could not set Service Principal Name (SPN) "HTTP/recoverykey.pj360i.co.uk". Error 0x2098.

Log Name: Microsoft-Windows-MBAM-Web/Admin
Task Category: WebAppSpnError
Event ID: 1
Keywords: Spn,WebApplication
Application: Microsoft BitLocker Administration and Monitoring/ServiceDesk is missing the following Service Principal Names (SPNs): http/HTTP/MBAMWEB.pj360i.co.uk

Application: Microsoft BitLocker Administration and Monitoring/SelfService is missing the following Service Principal Names (SPNs):

http/HTTP/MBAMWEB.pj360i.co.uk

Register the required SPNs on the account: MBAMAppPool.
For more information go to: http://go.microsoft.com/fwlink/?LinkId=526511

Register a Service Principle Name (SPN) for MBAM Web Application

When using the setspn command to add SPNs, the SPN must be specified correctly. The format of an HTTP SPN is http/host. The following is the command syntax for using the SetSPN tool to create an SPN for the service/server:

Syntax: Setspn -s http/<computer-name>.<domain-name> <domain-user-account>

Steps to register SPN:

1. Log in as domain administrator to the domain controller.

2. Launch the Command Prompt window.

3. Copy the following command, substituting placeholder values with actual data:

        Setspn -s http/<computer-name>.<domain-name> <domain-user-account>

    In my case: Setspn -s http/MBAMWEB.pj360i.co.uk pj360i\MBAMAppPool

4. Execute the command.

Managed Apple IDs: This Apple ID cannot be used to make purchases

Managed Apple IDs cannot be used to download apps; instead, Device-Based Assignment must be used.

Managed Apple IDs are not permitted to be used in any commercial transaction. This implies that IAPs, storage or service purchases, as well as app purchases, are no longer available. Apps may be distributed via Device Based Assignment. To compensate for the inability to purchase more, Apple has increased iCloud storage restrictions. There is presently no workaround for IAPs; you will need to contact the app creator for alternatives. To deal with this scenario, several apps provide a full-featured version.

Migrating ADE iOS Devices to Intune

The following article helps IT Pros and mobile device administrators understand some of the finer details regarding iOS device migration from an existing MDM platform to Intune when using Apple’s Automated Device Enrolment program (ADE), formally known as the Device Enrolment Program (DEP). We receive a lot of questions on how best to approach the issue of factory resets and how to handle the Apple Business Manager (ABM) side of things. We hope this article helps with some of the decisions you will face when deciding the best path forward for your organization.

 

As you migrate your mobile device management to Microsoft Intune, arguably one of the most important parts of the transition will be the impact to your users. Before considering how you will migrate your devices to Intune, it is important to understand your device landscape and how your employees are using their devices. This information will largely drive your migration path.

 

Based on our experience working with customers, the following are the most common points that will help you decide how you will migrate, and what the user experience will be during the migration:

• You currently have iOS Apple Business Manager devices enrolled in another MDM platform.

  • In this scenario, the devices will need to be moved to a new (Intune) MDM server in Apple Business Manager to be able to pick up an Intune ADE profile.

  • Devices must be factory reset to properly enrol in Intune and remain in a fully supported state with Microsoft and Apple.

• Users store personal data on these devices.

  • Devices with personal data on them will need to be backed up by the user to their iCloud account if they wish to retain it, however this does require you to backup corporate data to a consumer cloud service that is not controlled by your organization.

  • Devices must be unenrolled from the current MDM platform before the final backup is taken.

  • If users decide to use the restore option in the Apple Setup Assistant, once the restore is complete they will have to visit the App Store to install the Intune Company Portal.

• Users backup the device to personal iCloud.
  • Backing up a device while it is still enrolled in your current MDM will mean the management profile will also be backed up, and, subsequently, re-applied to the device at the point of restore.
• You are/are not willing to factory reset the devices.
  • The only supported way to enrol an ADE device is from the out-of-box experience, which requires a factory reset of the device. While it is technically possible to unenroll from one MDM platform and enrol into Intune manually via the App Store version of Company Portal, this is not recommended for several reasons:

    • It is not possible to “lock” a management profile to a device enrolled in this manner (however, the device does retain its “supervised” state).

    • The device will not show as being enrolled against an ADE profile in Intune, which means any configuration applied based on that logic will not be applied to the device.

    • Devices will not get automatically marked as “Corporate”.

 

NOTE: If you ever need to re-enrol your ADE device, you must first add the IMEI number of that device as a corporate identifier. You might need to re-enrol your ADE device if you are troubleshooting an issue, like the device not receiving policy. In this case, you would:

1. Retire the device from the Intune console.
2. Add the device's serial number as a corporate device identifier.
3. Re-enrol the device by downloading the Company Portal and going through device enrolment.

Failing to do this will mean the device will be marked as “Personal” and not “Corporate”.

 

Now let us look at an example scenario that we commonly see when working with our customers.

 

Example iOS scenario

Contoso has iOS ADE devices currently enrolled in an MDM platform. They allow their staff to use their personal Apple IDs on their devices and store personal data on them. Most of their users do this, and back-up their content to iCloud. Staff understand that devices may, from time to time, need to be factory reset and may be wiped if lost or stolen. Contoso IT wants the migration to Intune to be done as quickly as possible, so they are only managing two MDM platforms for a short time. They want minimal IT interaction when it comes to users enrolling their devices. Contoso has users in regions where ADE is not supported by Apple.

 

In this example, the migration flow for ADE devices could look like this:

1. IT Pro Action: In Apple Business Manager, move the user’s device to the new Intune MDM Server and sync devices in Intune.
2. IT Pro Action: Unenroll the device from the current MDM.
3. User Action: Backup the device to iCloud.
4. User Action: Factory reset the device.
5. User Action: Enrol device through ADE flow (do not select restore option as this will break the enrolment flow).
6. User Action: Once enrolled, add Apple ID and Once enrolled, add Apple ID and let the data resync to the device.

 

This procedure ensures that the data on the device is backed up without the old management profile and the device has been enrolled correctly with the new Intune-based ADE profile. Many of our customers add the user to a Conditional Access group after step #3, which blocks access to corporate resources until the user enrols and their device is compliant.

 

In the same example, the migration flow for non-ADE devices would look like this:

1. IT Pro Action: Unenroll the device from the current MDM.

2. User Action: Backup the device to iCloud.

3. User Action: Download Company Portal from the App Store.

4. User Action: Enrol device through Company Portal app.

5. User Action: Once enrolled, add Apple ID and restore any required data.

 

NOTE: The Intune service synchronizes with Apple at the following frequencies*:

• ADE: Once every 12 hours
• VPP: Once every 15 hours

*It is possible to run a manual synchronization, or use a synchronization script to increase the frequency, which can be found here (ADE) and here (VPP).

 

Conclusion

As you can see from the examples, the migration path will largely be determined by the way the devices are being used by your employees, so it is important to do some analysis before deciding the best path forward for your organization.

 

More info and feedback

For further resources on this subject, please see the links below.

 

Supported operating systems and browsers in Intune

Automatically enroll iOS/iPadOS devices with Apple's Automated Device Enrolment

Enroll iOS/iPadOS devices in Intune

Backup and restore scenarios for iOS/iPadOS

Troubleshoot iOS/iPadOS device enrolment problems in Microsoft Intune

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community Page, or leave a comment below.

 

Follow @MSIntune and @IntuneSuppTeam  on Twitter.

Microsoft Intune Policy Refresh Intervals

What are the policy refresh intervals for the various device platforms in Microsoft Intune?

1. iOS - Every 8hrs
2. Android - Every 8hrs
3. Windows Phone - Every 8hrs
4. Windows PCs - Every 24hrs

In addition to the above-mentioned policy update intervals, if the device was recently enrolled in Microsoft Intune, there are a few other intervals worth mentioning:

1. iOS - Every 15 minutes for 6 hours and then every 6 hours
2. Android - Every 3 minutes for 15 minutes then every 15 minutes for 2 hours, and then every 8 hours
3. Windows Phone - Every 5 minutes for 15 minutes then every 15 minutes for 2 hours, and then every 8 hours
4. Windows PCs enrolled as devices - Every 3 minutes for 30 minutes, and then every 24 hours

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned