In a recent conversation with a customer managing endpoints via SCCM/ConfigMgr, we discussed the need to monitor the installation of critical security applications. Specifically, the customer wants to ensure that devices have essential applications—such as antivirus and device monitoring tools—installed. If any device is missing a required application, it should be flagged in a report. Use Case: For instance, consider three essential security agents: Qualys agent, Netskope, Cisco VPN. It’s crucial that these applications are installed on every device. If a device is missing any of these agents, we need a mechanism to identify it in our reporting. To…
Author: Eswar Koneti
Requirement rules in Microsoft Intune offer a powerful way to manage application deployments. By ensuring that applications are installed only on devices that meet specific criteria, organizations can enhance security, improve user experience, and streamline IT processes. Limitations of Intune's GUI Requirement Rules: Intune provides requirement rules through its GUI, but these options are somewhat limited to operating system and hardware checks. If you come from a SCCM/ConfigMgr background, you may be familiar with "global conditions," which allow you to reuse conditions across multiple applications. Unfortunately, Intune does not currently support this feature. Custom Scripts for Flexibility: One of…
I recently encountered a Windows 10 KMS (Key Management Service) activation issue reported by a customer. The problem was evident from the screenshot provided, where the device displayed an "Activation Required" message on the desktop. The Issue: The activation issue was reported from a remote system, and unfortunately, there wasn’t much information on whether the devices at the customer’s site were activated using KMS or MAK (Multiple Activation Key). Given the limited details and the fact that these devices are managed through SCCM/ConfigMgr, I decided to leverage SCCM’s scripting capabilities to investigate the activation status. Activation Methods Overview: If you're…
This blog post details the troubleshooting steps taken to resolve an issue where a co-managed device wasn't enrolling successfully in Microsoft Intune. The user wasn't able to access applications through the Company Portal, receiving a message about belonging to another organization: "This device is already set up in another organization. Contact company support." Despite the device being co-managed and all workloads transitioned to Intune, the error persisted. Here's a step-by-step breakdown of the investigation and resolution process. Check Device Status in Intune Console: The first step was to verify the device's status in the Intune console. I noted that there…
In a recent project, I was involved in migrating endpoint workloads from SCCM/ConfigMgr to Microsoft Intune. A key part of this migration was transferring the Windows Update for Business (WUfB) workload to Intune, with the goal of managing Windows updates exclusively through Intune. However, after migrating the WUfB workload to Intune, I noticed that some devices continued to receive patches from SCCM. This discrepancy occurs because you will need to configure and assign update rings in Intune; otherwise, SCCM will still manage the Windows update patching. To determine whether a device’s Windows patching is controlled by SCCM or Intune, you…
Two years ago, I wrote an article on how to disable or enable the auto-start feature of the classic Microsoft Teams application on Windows devices using Group Policy (GPO). For more details, please refer to my previous post: How to Disable or Enable Auto-Start of Teams Application Using GPO. With the release of the new Microsoft Teams, many of my blog readers have asked how to disable the auto-start feature for this updated version. Since the methods used for the classic Teams no longer apply, this blog post explores various options for managing auto-start with the new Teams. Managing Auto-Start…
Managing user profiles on shared or newly built Windows devices can be challenging, especially when dealing with stale profiles that haven't been active for a while. This need arises in various scenarios: For customers using Microsoft Intune, there’s a streamlined way to handle this issue. If you are not using Intune to manage your endpoints yet (if co-managed, make sure the device configuration workload is moved to Intune), you can still leverage GPO to do the same. Here’s a step-by-step guide to leveraging Intune for automatically deleting…
During a recent Windows 11 migration project for a customer, I encountered some challenges using Intune (WUfB) to upgrade devices. As part of my troubleshooting efforts (collecting the Windows device logs), mostly conducted remotely, I encountered an unexpected issue with the traditional Windows Update command-line tool, WUAUCLT.exe, which was no longer effective on Windows 10 and later versions. After looking into the issue, I discovered that WUAUCLT.exe has been replaced by USOClient.exe (Update Session Orchestrator Client). This newer tool serves to force scans, downloads, and installations of updates, essential for effective troubleshooting. For instance, I utilized the command-line switch USOClient.exe…