Windows Office Hours: August 15, 2024

Thursday, Aug 15, 2024, 08:00 AM PDT
Hybrid

Event details

Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date effectively! Learn how to cloud attach your on-premises workloads!

Windows Office Hours is our continuing series of live Q&A for IT professionals here on Tech Community.

How does it work?
We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by here -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have.

Post your questions in the Comments early and throughout the one-hour event.

Note: This is a chat-based event. There is no video or live meeting component. Questions and answers will appear in the Comments section below.


Heather_Poulsen
Updated Nov 19, 2024
  • Is any work planned, or underway, to make Intune and Entra ID enrolments on Windows PCs in an AD/EID hybrid environment a bit more robust? We're regularly coming across machines, sometimes several per week, that just stop correctly checking in with EID and Intune, causing updates to stop, etc. We're currently having to use commands such as dsregcmd /leave to force the client to remove itself from Entra ID, then manually delete the Intune device and any remnant device entries in Entra ID, then wait up to 30 minutes for the next AD to EID sync to repopulate the device, then reboot the PC to have it re-register in EID, before then running dsregcmd /join and dsregcmd /updateDevice to get everything back on track again, after which updates from WUfB resume once more. It's a pain.
    • Jason_Sandys (Microsoft)
      Hi Ryan, sorry to hear this is happening and seemingly pervasive in your environment. Note that this is not in any way expected, though, and should not be a common occurrence (if ever), and thus should be troubleshot to determine the root cause, as there's some additional factor or influence leading to this scenario that is, as noted, not normal or expected. I strongly suggest that you open a support case to help troubleshoot this issue. You can start this process on your own as well by reviewing the event logs. The troubleshooter described at https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-device-windows-joined may help as well.
    • Joe_Lurie (Microsoft)
      RyanSpoonerJCB Seeing as hybrid join is a step along the way to cloud native (Entra joined, Intune managed), and cloud-native is where we are directing all of our customers, we aren't really putting any more effort into the hybrid join experience. Of course, we're doing bug fixes and the like, but no new features are planned at this time.

      That said, the scenario that you explain is not what we'd expect to happen. I suggest talking to your account team if you have one, or opening a support ticket to find out why this is happening.

      --Joe.

      • Ronan_Fahy (Brass Contributor)
        If I were a little startup starting up today, I'd go cloud native. But Microsoft seem to be forgetting the large established organisations with heavy investments in perfectly functioning and performant on-prem environments. "Directing" all your customers to go cloud native is not only not serving your customers, it's naïve as well.
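A health check for the hybrid join state the question above describes, added here as an example; it is not code from the thread or from Microsoft. It parses the output of `dsregcmd /status` (the tool the question refers to) and checks the fields a healthy hybrid-joined device prints (DomainJoined, AzureAdJoined, DeviceId, TenantId, AzureAdPrt); the function names, the set of checks and the follow-up event log query are this example's own choices, not a documented Microsoft procedure.

```powershell
# Added example (not code from the thread or from Microsoft): parse `dsregcmd /status`
# and report the join state a healthy hybrid Entra ID device should show.
# Field names (DomainJoined, AzureAdJoined, DeviceId, TenantId, AzureAdPrt) are the
# ones dsregcmd prints; function names and the checks below are this example's own.

function Get-DsregState {
    param(
        # Raw output lines of `dsregcmd /status`; defaults to running the tool.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # dsregcmd prints "   Key : Value" lines; keys we care about are single words
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinHealth {
    param([hashtable]$State = (Get-DsregState))

    $problems = @()
    if ($State['DomainJoined']  -ne 'YES') { $problems += 'Not joined to on-premises AD.' }
    if ($State['AzureAdJoined'] -ne 'YES') { $problems += 'Not registered in Entra ID (hybrid join incomplete or torn down).' }
    if (-not $State['DeviceId'])           { $problems += 'No Entra device ID recorded; the device object may be missing.' }
    # AzureAdPrt is printed in the user-state section, so run this as the signed-in
    # user (not elevated as SYSTEM) or the PRT check will always fail.
    if ($State['AzureAdPrt'] -ne 'YES')    { $problems += 'No Primary Refresh Token for this user; Entra/Intune check-in will fail.' }

    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        DeviceId = $State['DeviceId']
        TenantId = $State['TenantId']
        Problems = $problems
    }
}

$result = Test-HybridJoinHealth
$result | Format-List
if (-not $result.Healthy) {
    # Device registration logs its errors to this channel; read it before rejoining,
    # as the reply above suggests, so the root cause is captured rather than reset.
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
}
```

Run it once on a device that has dropped off and again after the /leave and /join cycle; keeping the `Problems` list and the event log excerpt from the failed state gives the support case something concrete to work from.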
  • KaranS340 (Brass Contributor)
    Hi there, I have an Intune/AD related question. I would like to know if there's a policy in Intune that can be used to force-update a user's domain account password, like an AD GPO. I searched and found that Intune cannot be used, since it can't act as a true source of authentication, and AD has to be used to accomplish this task, or the password has to be updated through the online self-reset password portal. For context, I have user accounts in on-prem AD that are synced with Entra via the Connect sync agent. I would like to know your insight on this. Thanks.
  • ToddMasegian (Copper Contributor)
    Hello, Intune related question. I recently moved our organization to a Windows Autopilot/Intune deployment infrastructure and overall it has been a positive direction. One item that has been lost as part of this new environment has been related to local permissions on users’ laptops, for which I have not found a good solution, and so I am curious if anyone has suggestions. For context, before we started deploying Windows laptops via Autopilot/Intune we would bind a laptop to an on-premise AD domain and then have the domain account run on the laptop as a standard account with non-administrator level permissions. This allowed us to have users effectively not have administrator level permissions over their laptop for day-to-day operations. However, our user base often has a need to perform some tasks that require administrator level permissions (install applications, make changes to network adapters, copy/delete files in restricted folders, etc.), and our solution in the past was to have a second, separate domain account configured in the Administrators group under Computer Management. That way, when a user needed to perform a task that required administrator level permissions while they were running in a standard account, they could simply enter the credentials for this “admin” account when prompted and perform the task. This entire process worked very well. When we moved to Autopilot/Intune I could not find any solution that would replicate this form of permissions structure. We have a separate Jamf deployment infrastructure for our Apple devices (why we aren’t using Intune for that is a whole separate can of worms) and the Jamf MDM has the ability to run our macOS laptops as standard accounts with a push-button ability to temporarily “elevate” an account to administrator for a set period of time (say 10 minutes) so that users can perform admin level tasks.
    I have been unable to find any form of solution on Windows that would allow me to have my users operate day-to-day with only a standard user account and in some way either have a second local account that could have administrator level permissions or have some form of temporary account “elevation” capability like Jamf has. I would love suggestions/options/feedback if anyone has found solutions to this kind of problem.
    • Joe_Lurie (Microsoft)
      Hi ToddMasegian thanks for the message. We don't recommend users ever having full admin rights on a desktop. Our solution for this is two-fold:

      1. Use Autopilot when you send the user the laptop. In Autopilot, configure the user as a standard user.
      2. Use Endpoint Privilege Management. EPM is part of the Microsoft Intune Suite, and instead of giving the user full-on admin rights, it gives them admin rights to a specific process.

      As a sidenote, we also have a Cloud LAPS solution that allows you to rotate the local admin password, as well as additional policies.

      Re: using JAMF for your macOS devices, Intune has come a very long way in managing macOS - it may be worth checking out again. Or at the very least joining our aka.ms/MacAdmins community. Our Cloud LAPS solution and EPM are Windows only today, but we are working with our mac team to get them integrated on macOS.

      Keep an eye on aka.ms/M365Roadmap and aka.ms/IntuneInDev for more information on when these might be available in the future.

      --Joe.

      • ToddMasegian (Copper Contributor)
        Hi @joelurie thank you for the response. I had heard about EPM before, but at the time I was advised that it was limited to only certain operations such as software installs, and that other tasks such as modifying an Ethernet adapter's properties weren't supported. I will have to take a deeper look at whether that is actually true or if EPM would actually cover my needs. On the LAPS front, I have been using LAPS on my on-prem AD for several years; I didn't realize there was a cloud version as well.
    • nlmitchell (Brass Contributor)
      Hi Todd, our engineers have separate _onprem admin accounts; however, our users have 'standard' accounts. One thing we have been using for some time is Admin By Request. Any user that has the client installed and is enabled to use it can elevate permissions. They would have to give a reason, and this is logged in the audit logs. Just a suggestion, there might be other stuff out there that others are using.

      As an aside, you can also control what groups go into the local admin group on end user devices using Intune Configuration Profiles. We also use these and they work very well.

      • ToddMasegian (Copper Contributor)
        Hi Nick, thank you for the suggestion with Admin By Request. I hadn't seen this before and the possibility of having logging for requests would be awesome.
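Whichever elevation tool is chosen, the standard-user model in this thread only holds if the local Administrators group on each device contains exactly what the policy says it should. The following PowerShell is an added example, not code from the thread, from Intune, or from Admin By Request: it audits the group with the built-in LocalAccounts module (Get-LocalGroupMember) against an allow-list. The allow-list entries ('CONTOSO\Workstation-Admins', 'AzureAD\admin@contoso.example') and the function name are placeholders for this example.

```powershell
# Added example (not from the thread or from any vendor): list local Administrators
# membership and flag principals that are not on an allow-list. Uses the built-in
# LocalAccounts module; the allow-list values and function name are placeholders.

function Get-LocalAdminReport {
    param(
        # Expected members, spelled the way Get-LocalGroupMember prints Name
        # (DOMAIN\group, AzureAD\user@tenant). Placeholders, not real values.
        [string[]]$Expected = @('CONTOSO\Workstation-Admins', 'AzureAD\admin@contoso.example'),
        [string]$GroupName = 'Administrators'
    )

    Get-LocalGroupMember -Group $GroupName | ForEach-Object {
        # The built-in local Administrator always has RID 500; treat it as expected
        # because a LAPS-style solution manages it rather than group membership.
        $isBuiltIn = $_.SID.Value -like 'S-1-5-21-*-500'
        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass        # User or Group
            PrincipalSource = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Sid             = $_.SID.Value
            Expected        = $isBuiltIn -or ($Expected -contains $_.Name)
        }
    }
}

$report = Get-LocalAdminReport
$report | Format-Table -AutoSize

# Anything not expected is the finding: a leftover "second admin account", a user
# someone added by hand, or a group that Intune should have removed.
$unexpected = @($report | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected local administrators: " + ($unexpected.Name -join ', '))
}
```

The same logic works as an Intune remediation detection script by ending with `exit 1` when `$unexpected` is non-empty and `exit 0` otherwise, which makes drift in local admin membership visible centrally rather than only on the device.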
  • Tim_Menzel (Copper Contributor)
    Delivery Optimization question and the new Microsoft Teams client - we have D.O. configured and are seeing a lot of internet traffic when Teams updates, and did not see this with the legacy Teams client. Does the new Teams client support D.O.?

    • nlmitchell (Brass Contributor)
      Question - are you configuring the behaviour of DO using Intune Config Profiles? We have this configured and it seems to work very well. VPN devices go directly out of the user's home broadband connection (as they're told not to peer), but devices connected to a corporate network (WiFi or cabled) peer content between themselves. This can be seen in the local activity monitor for DO on the devices themselves. It is also seen in the Azure Workbooks.
      • Tim_Menzel (Copper Contributor)
        We are leveraging Configuration Manager boundaries for D.O. and like you have home users go direct to the internet.
    • Heather_Poulsen (Community Manager)
      According to this article, Delivery Optimization is used only if you're installing or updating Microsoft 365 Apps directly from the Office Content Delivery Network (CDN) on the internet. If you want some of these devices, such as those on Current Channel, to take advantage of Delivery Optimization, you need to reconfigure them to use the Office CDN.

      • Tim_Menzel (Copper Contributor)
        M365 Apps are configured to pull updates from the CDN.
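To answer the question in this thread on a given device rather than by inference, the local Delivery Optimization statistics can be summarised per download source host, which shows whether a source (such as the host the new Teams client updates from) is being served by peers or a cache server at all. This is an added example, not code from the thread or from Microsoft; it relies on the DeliveryOptimization module's Get-DeliveryOptimizationStatus cmdlet and its SourceURL, BytesFromHttp, BytesFromPeers, BytesFromCacheServer and DownloadMode properties, while the grouping, column names and the percentage are this example's own.

```powershell
# Added example (not from the thread or from Microsoft): summarise Delivery
# Optimization activity per download source host. Assumes the built-in
# DeliveryOptimization module (Get-DeliveryOptimizationStatus) and its
# SourceURL/BytesFrom*/DownloadMode properties; everything else is this example's own.

function Get-DoSourceHost {
    param([string]$Url)
    # Some entries have no source URL or one that is not an absolute URI
    $uri = $null
    if ($Url -and [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $uri.Host }
    return '(no source URL)'
}

function Get-DoSourceSummary {
    param(
        # Optional substring filter on the source host, e.g. 'teams' or 'officecdn'
        [string]$HostFilter = ''
    )
    $status = Get-DeliveryOptimizationStatus
    if (-not $status) { return }

    $status |
        Group-Object -Property { Get-DoSourceHost $_.SourceURL } |
        Where-Object { $_.Name -like "*$HostFilter*" } |
        ForEach-Object {
            $http  = ($_.Group | Measure-Object -Property BytesFromHttp        -Sum).Sum
            $peers = ($_.Group | Measure-Object -Property BytesFromPeers       -Sum).Sum
            $cache = ($_.Group | Measure-Object -Property BytesFromCacheServer -Sum).Sum
            $total = $http + $peers + $cache
            # Share of bytes that did NOT come straight from the internet
            $offloadPct = 0
            if ($total -gt 0) { $offloadPct = [math]::Round(100 * ($peers + $cache) / $total, 1) }

            [pscustomobject]@{
                SourceHost   = $_.Name
                Files        = $_.Count
                MBFromHttp   = [math]::Round($http  / 1MB, 1)
                MBFromPeers  = [math]::Round($peers / 1MB, 1)
                MBFromCache  = [math]::Round($cache / 1MB, 1)
                OffloadPct   = $offloadPct
                # DownloadMode is recorded per file; the group's first entry is shown
                DownloadMode = ($_.Group | Select-Object -First 1).DownloadMode
            }
        }
}

Get-DoSourceSummary | Sort-Object MBFromHttp -Descending | Format-Table -AutoSize
```

A source host that shows up with a large MBFromHttp figure and zero peer or cache bytes on devices that do peer for other content is the one worth raising with the application team; a host that never appears at all means that client is not downloading through the Delivery Optimization service in the first place.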
  • AlexejFedorov (Copper Contributor)
    Is a feature planned for application push to the clients, like run remediation? And when are the new LAPS policies going into preview?
    • Jason_Sandys (Microsoft)
      Hi Alexej Fedorov, > Is a feature planned for application push to the clients? Do you mean outside of Intune? Intune already has required application "pushes". Is there some other aspect that you are interested in?
      • AlexejFedorov (Copper Contributor)
        Hey Jason, yes, I mean that I could push an app install without changing the assignments. Or if I, or some colleagues, deleted the app manually and I want to push the app back to the client. Deleting regkeys is troublesome and takes time.
    • Joe_Lurie (Microsoft)
      AlexejFedorov Can you clarify your questions? I'm going to break them down here:

      1. Is there a feature planned for application push to clients? You can use Intune today to push apps to Windows devices. Do you mean something else?
      2. Like, run remediation? You can run remediations on demand today in Intune. Are you asking something else?
      3. When are new LAPS policies going into Preview? Which new LAPS policies? Cloud LAPS is available today. Are you asking for a specific policy?

      Thanks!

      --Joe.

      • AlexejFedorov (Copper Contributor)
        Hey Joe, I mean to push a reinstall to the clients via an action, like run remediation ;-) I mean the LAPS Automatic Account Management policies; the CSP is only in the Insider preview.
  • Welcome to Office Hours. Let's get started! Please post your questions here in the Comments. We’ll be here until 9:00 a.m. Pacific Time!

  • nlmitchell (Brass Contributor)
    MECM question - we are migrating our current MECM infrastructure from Azure back to on-prem, predominantly for cost reasons. We currently have (and will have) one Primary Site Server (Green DMZ), with Management Points in the Amber and Red DMZs with SQL replication set up so we adhere to certain security co-co's. We are planning on doing a SQL export/import (yet to work out how that works between Azure and on-prem); can we change the Site Code afterwards, or would it be best practice to stick with the original Site Code?
    We also have co-managed configured with Intune, so we will also be setting that up from the new infrastructure. Not sure it has any bearing on this, but thought it was worth mentioning. Thanks.

    • Jason_Sandys (Microsoft)
      Hi Nick Mitchell, you cannot change the Site Code of an existing ConfigMgr site. What's the motivation for wanting to, as this would, if you actually could (in a supported way), orphan all of the clients? > We also have co-managed configured with Intune so will also be setting that up from the new infrastructure. If you're simply backing up the database and restoring it using the supported backup and restore path, then there's nothing to set up again, as you are restoring the existing site including all of its configuration. Have you considered simply transitioning to full Intune management instead? This is our ultimate goal for all orgs (where possible). Is there anything stopping you from doing this?
      • nlmitchell (Brass Contributor)
        Not much motivation other than we've changed our company name, so it would be a good time to go with a new site code for the new infrastructure. That, and it's playing havoc with my OCD 🙂 - we'll stick with the current one. We'll publish the new MPs into AD System Management and get clients to rotate with an installation package from the existing MECM with a command line pointing to the new MPs.....either that or just discover the domain-joined ones and client-deploy from within the new console; haven't decided yet. We have considered transitioning to full Intune management as we realise this is the direction of travel; however, we're not quite there yet. Remote Support for one is still done through Intune; we don't want to pay the additional cost of using remote support through the Intune integration, we pay enough for Intune as it is 🙂 MECM is still utilised to patch our server estate (approx. 500); however, this is separate to the endpoint device discussion.
