Author: Eswar Koneti

In this blog post, we'll explore how to detect the source of registry key modifications on a Windows device. In other words, we'll look at identifying who is adding, deleting, or changing registry keys, whether through Group Policy (GPO), Intune, SCCM, scripting, or other methods.

Scenario: BitLocker Recovery Mode

While investigating an event in which exceeding the maximum number of failed sign-in attempts caused a device to enter BitLocker recovery mode, I came across an interesting finding. For a full list of BitLocker recovery scenarios, you can refer to the official Microsoft documentation. Here's how the situation unfolded: I selected…
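The post above is about attributing a registry change to the channel that made it. The most direct way to do that on a single device is Windows object-access auditing: put a SACL on the key and read back Security event 4657, whose Subject and ProcessName fields name the account and the executable that wrote the value. The following is an added example, not the author's script; the key path under HKLM:\SOFTWARE\Policies\Microsoft\FVE is an assumption chosen for illustration, and the auditpol subcategory name assumes an English-language OS. It must run elevated.

```powershell
# Added example (not from the original post). Enables auditing on one registry key
# and parses Security event 4657 ("A registry value was modified") to show which
# account and which process changed a value. Key path is an assumption.

function Enable-RegistryWriteAudit {
    param([Parameter(Mandatory)] [string] $KeyPath)   # e.g. 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Without the Object Access > Registry subcategory no 4657/4663 events are written,
    # regardless of the SACL. The subcategory name is the English one.
    & auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    $rights  = [System.Security.AccessControl.RegistryRights] 'SetValue, Delete, CreateSubKey'
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags] 'None'
    $flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
    $rule    = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone', $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -Path $KeyPath -Audit      # -Audit is needed to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-RegistryWriteSource {
    param(
        [string] $KeyFilter = '',       # substring of the audited key, e.g. 'Policies\Microsoft\FVE'
        [int]    $LookbackHours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields are easier to read from the event XML than from the rendered message.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "*$KeyFilter*") {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Key       = $d.ObjectName           # \REGISTRY\MACHINE\SOFTWARE\...
                ValueName = $d.ObjectValueName
                OldValue  = $d.OldValue
                NewValue  = $d.NewValue
                Account   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process   = $d.ProcessName          # executable that made the change
                ProcId    = [int]$d.ProcessId       # stored as a hex string ("0x1a2b") in the event
            }
        }
    }
}

# Usage: audit the key, wait for the next policy refresh, then ask who touched it.
# Enable-RegistryWriteAudit -KeyPath 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Get-RegistryWriteSource -KeyFilter 'Policies\Microsoft\FVE' | Format-Table -AutoSize
```

Two caveats when reading the output. Event 4657 is only written when the value actually changes; deletions and subkey creation on an audited key surface as 4663/4660 instead, so widen the Id filter if those are what you are chasing. And the process name alone does not always settle the question: the Group Policy client and the MDM client both run inside svchost.exe under SYSTEM, so for an svchost hit you still need to map the PID to its hosted service (for example with tasklist /svc taken at the time) to tell GPO from Intune, whereas the Intune management extension, the ConfigMgr client (CcmExec.exe) and ad-hoc scripts (powershell.exe, reg.exe) are distinguishable from the executable name.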


I recently had a conversation with a customer about Windows Update for Business (WUfB) deployment services and devices managed by Intune. The customer uses MECM/SCCM, and all of the WUfB workloads have been moved to Intune. If you'd like to learn more about WUfB, you can refer to the official documentation here. During our discussion, we focused on improving the security posture of devices through timely Windows updates. To improve compliance with Windows Update policies, the first step is to gather statistics on the update status of Intune-managed devices. A few months ago, I shared a post on how to identify whether…


Recently, I received a request from a customer to identify users who have enrolled their mobile devices, specifically iOS and Android, managed by Intune. Initially, I explored the Intune console, applying filters based on the operating system to generate a list of mobile devices and their associated users. However, this approach only provided a basic view, requiring me to export the data to a CSV file and use Excel formulas to identify users with both iOS and Android devices, an arduous and time-consuming process.

Streamlining the Process with KQL and Power BI

To simplify this use case, I turned to KQL…


Managing Windows endpoints with SCCM (System Center Configuration Manager) and co-management enabled can be challenging, especially when devices do not show up as co-managed when they should. In this post, I'll share insights and troubleshooting steps to help you resolve issues with devices that are supposed to be co-managed by Intune but aren't appearing as expected.

Background

I recently worked on a Power BI report designed to compare devices listed in Active Directory (AD) with those in Intune (via Log Analytics) based on their last logon status. The goal was to identify devices that are co-managed or Intune-enrolled. During this process, I noticed that hundreds of…


In a recent conversation with a customer managing endpoints via SCCM/ConfigMgr, we discussed the need to monitor the installation of critical security applications. Specifically, the customer wants to ensure that devices have essential applications, such as antivirus and device monitoring tools, installed. If any device is missing a required application, it should be flagged in a report.

Use Case

For instance, consider three essential security agents: the Qualys agent, Netskope, and Cisco VPN. It's crucial that these applications are installed on every device. If a device is missing any of these agents, we need a mechanism to identify it in our reporting. To…


Requirement rules in Microsoft Intune offer a powerful way to manage application deployments. By ensuring that applications are installed only on devices that meet specific criteria, organizations can enhance security, improve user experience, and streamline IT processes.

Limitations of Intune's GUI Requirement Rules

Intune provides requirement rules through its GUI, but these options are largely limited to operating system and hardware checks. If you come from an SCCM/ConfigMgr background, you may be familiar with "global conditions," which allow you to reuse conditions across multiple applications. Unfortunately, Intune does not currently support this feature.

Custom Scripts for Flexibility

One of…
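Both the missing-agent report described two posts up and the custom requirement script described here come down to the same primitive: enumerate what Add/Remove Programs knows about and compare it with a list of required display names. The following added example (not the author's or Microsoft's code) implements that primitive once and shows both uses. The agent display names, the wildcard patterns and the "Met"/"NotMet" strings are assumptions for illustration; check the real DisplayName values on a reference device before relying on them.

```powershell
# Added example (not from the original posts). Enumerates installed applications
# from the Uninstall registry keys and reports which required agents are missing;
# the same check doubles as an Intune Win32 app requirement script.
# Display names and the 'Met'/'NotMet' strings are assumptions.

function Get-InstalledApplicationName {
    # Add/Remove Programs entries live under the Uninstall keys (64-bit, 32-bit and
    # per-user). ConfigMgr's ARP hardware inventory reads the same keys. This is far
    # cheaper than Win32_Product, which triggers an MSI consistency check of every package.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique
}

function Get-MissingRequiredApplication {
    param(
        [Parameter(Mandatory)] [string[]] $Required,               # wildcard patterns
        [string[]] $Installed = (Get-InstalledApplicationName)
    )
    foreach ($pattern in $Required) {
        if (-not ($Installed | Where-Object { $_ -like $pattern })) { $pattern }
    }
}

# Use 1: ConfigMgr report. Run through "Run Scripts" (or a Compliance Settings script)
# and collect the single line of output per device; anything other than 'Compliant'
# names the agents that are absent.
$requiredAgents = @(
    'Qualys Cloud Security Agent*',   # assumed display names
    'Netskope Client*',
    'Cisco AnyConnect*'
)
$missing = @(Get-MissingRequiredApplication -Required $requiredAgents)
if ($missing.Count -eq 0) { 'Compliant' } else { 'Missing: ' + ($missing -join '; ') }

# Use 2: Intune Win32 app requirement script. Intune runs the .ps1, expects exit code 0,
# and compares stdout with the value configured in the rule (output data type String,
# operator Equals, value 'Met'). The requirement .ps1 should contain the two functions
# above plus a single call to this function, so that exactly one value is printed.
function Test-AppDependencyRequirement {
    param([Parameter(Mandatory)] [string] $DependencyPattern)
    if (@(Get-MissingRequiredApplication -Required $DependencyPattern).Count -eq 0) { 'Met' } else { 'NotMet' }
}
Test-AppDependencyRequirement -DependencyPattern 'Netskope Client*'
```

One caveat for both uses: ConfigMgr scripts and Intune requirement scripts run as SYSTEM, so the HKCU branch above sees the SYSTEM profile, not the logged-on user's hive. That is fine for machine-wide security agents, which is what these posts are about, but a per-user install will look missing in this context.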


I recently encountered a Windows 10 KMS (Key Management Service) activation issue reported by a customer. The problem was evident from the screenshot provided, where the device displayed an "Activation Required" message on the desktop.

The Issue

The activation issue was reported from a remote system, and unfortunately, there wasn't much information on whether the devices at the customer's site were activated using KMS or MAK (Multiple Activation Key). Given the limited details and the fact that these devices are managed through SCCM/ConfigMgr, I decided to leverage SCCM's scripting capabilities to investigate the activation status.

Activation Methods Overview

If you're…
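The question the post sets out to answer from a distance, whether a device is a KMS client or MAK-activated and why it is not licensed, is all exposed through the SoftwareLicensingProduct and SoftwareLicensingService WMI classes that slmgr.vbs itself reads. The following is an added example, not the author's ConfigMgr script: a function that returns one object per device suitable for "Run Scripts" output. The Windows ApplicationID GUID is the well-known one used by slmgr; the channel detection relies on the product Description text, which is an assumption that holds for English-language builds.

```powershell
# Added example (not from the original post). Reports activation state and key channel
# for the installed Windows product, the same data slmgr.vbs /dlv shows.
function Get-WindowsActivationStatus {
    $statusText = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace period'
        3 = 'Additional grace period'; 4 = 'Non-genuine grace period'
        5 = 'Notification'; 6 = 'Extended grace period'
    }
    # ApplicationID of the Windows OS product family, as used by slmgr.vbs.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

    # Only the product that actually has a key installed (PartialProductKey set) matters;
    # the class also lists every other edition's licence template.
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1
    if (-not $product) {
        return [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Activated = $false; Channel = 'No product key installed' }
    }

    # The Description carries the channel: "VOLUME_KMSCLIENT channel" means a GVLK that
    # must reach a KMS host; "VOLUME_MAK channel" means a MAK activated against Microsoft.
    $channel = switch -Wildcard ($product.Description) {
        '*VOLUME_KMSCLIENT*' { 'KMS client (GVLK)' }
        '*VOLUME_MAK*'       { 'MAK' }
        '*OEM*'              { 'OEM' }
        default              { 'Retail/other' }
    }

    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Product       = $product.Name
        PartialKey    = $product.PartialProductKey
        Channel       = $channel
        Status        = $statusText[[int]$product.LicenseStatus]
        Activated     = ($product.LicenseStatus -eq 1)
        # Meaningful for KMS clients only: host pinned by registry/GPO vs. host found via DNS SRV.
        KmsHost       = $svc.KeyManagementServiceMachine
        DiscoveredKms = $svc.DiscoveredKeyManagementServiceMachineName
        # Non-zero when the last activation attempt failed, e.g. 0xC004F074 = no KMS host reachable.
        StatusReason  = ('0x{0:X8}' -f [uint32]$product.LicenseStatusReason)
        GraceDaysLeft = [math]::Floor($product.GracePeriodRemaining / 1440)   # WMI reports minutes
    }
}

# Usage from ConfigMgr "Run Scripts": one compact JSON line per device is easy to export.
Get-WindowsActivationStatus | ConvertTo-Json -Compress
```

Reading the result: a device showing "Activation Required" will typically report Status = Notification (LicenseStatus 5). If Channel is the KMS client and both KmsHost and DiscoveredKms are empty, the client is not finding a KMS host at all (no SRV record or blocked TCP 1688), and StatusReason 0xC004F074 confirms it; a populated host with a non-zero reason points at the host or the activation count instead. If Channel is MAK, the KMS host is irrelevant and the device needs internet (or proxy) reachability to the Microsoft activation endpoints.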


This blog post details the troubleshooting steps taken to resolve an issue where a co-managed device wasn't enrolling successfully in Microsoft Intune. The user wasn't able to access applications through the Company Portal, receiving a message about belonging to another organization: "This device is already set up in another organization. Contact company support." Despite the device being co-managed and all workloads transitioned to Intune, the error persisted. Here's a step-by-step breakdown of the investigation and resolution process.

Check Device Status in Intune Console

The first step was to verify the device's status in the Intune console. I noted that there…
