I recently had a conversation with a customer about Windows Update for Business (WUfB) deployment services and devices managed by Intune. Customer using MECM/SCCM and all of the WUfB workloads are moved to Intune. If you'd like to learn more about WUfB, you can refer to the official documentation here. During our discussion, we focused on improving the security posture of devices through timely Windows updates. To enhance compliance with Windows Update policies, the first step is to gather statistics on the update status of Intune-managed devices. A few months ago, I shared a post on how to identify whether…
Author: Eswar Koneti
Recently, I received a request from a customer to identify users who have enrolled their mobile devices, specifically iOS and Android, managed by Intune. Initially, I explored the Intune console, applying filters based on the operating system to generate a list of mobile devices and their associated users. However, this approach only provided a basic view, requiring me to export the data to a CSV file and use Excel formulas to identify users with both iOS and Android devices—an arduous and time-consuming process. Streamlining the Process with KQL and Power BI To simplify this use case, I turned to KQL…
Managing Windows endpoints with SCCM (System Center Configuration Manager) and co-management enabled can be challenging, especially when dealing with co-management issues. In this post, I’ll share insights and troubleshooting steps to help you resolve issues with devices that are supposed to be co-managed by Intune but aren’t appearing as expected. Background I recently worked on a Power BI report designed to compare devices listed in Active Directory (AD) with those in Intune (via Log Analytics) based on their last logon status. The goal was to identify devices that are co-managed or Intune-enrolled. During this process, I noticed that hundreds of…
In a recent conversation with a customer managing endpoints via SCCM ConfigMgr, we discussed the need to monitor the installation of critical security applications. Specifically, the customer wants to ensure that devices have essential applications—such as antivirus and device monitoring tools—installed. If any device is missing a required application, it should be flagged in a report. Use Case For instance, consider three essential security agents: Qualys agent, Netskope, Cisco VPN. It’s crucial that these applications are installed on every device. If a device is missing any of these agents, we need a mechanism to identify it in our reporting. To…
Requirement rules in Microsoft Intune offer a powerful way to manage application deployments . By ensuring that applications are installed only on devices that meet specific criteria, organizations can enhance security, improve user experience, and streamline IT processes. Limitations of Intune's GUI Requirement Rules Intune provides requirement rules through its GUI, but these options are somewhat limited to operating system and hardware checks. If you come from a SCCM/ConfigMgr background, you may be familiar with "global conditions," which allow you to reuse conditions across multiple applications. Unfortunately, Intune does not currently support this feature. Custom Scripts for Flexibility One of…
I recently encountered a Windows 10 KMS (Key Management Service) activation issue reported by a customer. The problem was evident from the screenshot provided, where the device displayed an "Activation Required" message on the desktop. The Issue The activation issue was reported from a remote system, and unfortunately, there wasn’t much information on whether the devices at the customer’s site were activated using KMS or MAK (Multiple Activation Key). Given the limited details and the fact that these devices are managed through SCCM/SCCM, I decided to leverage SCCM’s scripting capabilities to investigate the activation status. Activation Methods Overview If you're…
This blog post details the troubleshooting steps taken to resolve an issue where a co-managed device wasn't enrolling successfully in Microsoft Intune. The user wasn't able to access applications through the Company Portal, receiving a message about belonging to another organization. "This device is already set up in another organization. Contact company support." Despite the device being co-managed and all workloads transitioned to Intune, the error persisted. Here's a step-by-step breakdown of the investigation and resolution process. Check Device Status in Intune Console The first step was to verify the device's status in the Intune console. I noted that there…
In a recent project, I was involved in migrating endpoint workloads from SCCM/ConfigMgr to Microsoft Intune. A key part of this migration was transferring the Windows Update for Business (WUfB) workload to Intune, with the goal of managing Windows updates exclusively through Intune. However, after migrating the WUfB workload to Intune, I noticed that some devices continued to receive patches from SCCM. This discrepancy occurs because you will need to configure and assign update rings in Intune otherwise, SCCM will still manage the Windows update patching. To determine whether a device’s Windows patching is controlled by SCCM or Intune, you…