Microsoft Endpoint Manager (ConfigMgr & Intune) allows us to configure and deploy Microsoft Store apps. For more information, please read through ConfigMgr and Intune. In a recent engagement with a customer, there was a need to deploy a Microsoft Store app (offline) using Configuration Manager, as there is no integration with the Store for Business. Online: This license type requires users and devices to connect to the store to get an app and its license. Devices running Windows 10 or later should be Azure Active Directory (Azure AD)-joined or hybrid Azure AD-joined. They can also be Azure AD-registered. Offline: This type lets you…
Author: Eswar Koneti
Long ago, I wrote a blog post on a report for finding devices with a pending reboot; more information is available at https://eskonr.com/2019/01/sccm-report-get-list-of-devices-with-pending-reboot-in-a-collection-with-different-states/ I was recently working on checking the compliance of devices in SCCM for Windows patching, and I could see that software update compliance was not great, for various reasons. Before digging deeper into it, the first thing was to check the pending reboot state of the devices. In this blog post, I will provide 2 collections that are useful for identifying devices with a pending reboot. The following WQL collection query…
This week, I have another real-time use case: auditing all Azure AD app registrations and sending a notification when an application credential (secret key or certificate) is near expiration. Registering an application in Azure AD establishes a trust relationship between your app and the Microsoft identity platform. The application registration can be used to authenticate on behalf of a user and request access to resource applications. I was asked to build a mechanism to monitor the Azure AD app registrations and notify the app owner (if one exists) if the secret key or certificate expiration is nearby (within x days). When I…
Conditional Access in Azure Active Directory needs no introduction. To read more about Conditional Access, please refer to https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview In my recent assignment, there was an ask to back up the Conditional Access policies every day and also to notify by email with a list of the Conditional Access policies that were created or modified in the last 24 hours. I know that there are many blog posts out there on monitoring Conditional Access policies by enabling the diagnostic settings (exporting the audit logs), creating Logic Apps, Power Automate flows and other tools in a programmatic way to alert instantly, but that…
It has been a while since Microsoft released the combined (security information) registration feature, which lets users register once for both MFA and SSPR if the methods in the Azure AD Multi-Factor Authentication and SSPR policies are enabled. For more information about combined security information registration, please read https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined One very common challenge that organizations have had is: how can I restrict the security registration process to a trusted location and secure it from bad actors? To enforce the security registration process from a trusted location only and block it from any other, we can make use…
I was recently looking for a solution to add a device to an SCCM collection using a task sequence. During the search, I found that Trevor has a blog post on this. So before I use the code in the task sequence, I plan to test it on a client device. The full code is given below. You will have to change the parameters where needed.
cmd /c powershell.exe -Command "&{$Me = $Env:COMPUTERNAME; Invoke-command -Computername "SCCMSERVERFQDN" -ArgumentList $Me -scriptblock {param($Me)Import-Module ConfigurationManager; cd SITECODE:; $Computer = Get-CMDevice -Name $Me; if ($Computer){Add-CMDeviceCollectionDirectMembershipRule -CollectionID 'COLLECTIONID' -ResourceId $computer.resourceid}}}"
Query to add device to collection. Log in to a client computer that doesn't have…
Managing software updates and creating custom reports in ConfigMgr is an ocean: you have so much data to visualize based on your needs. One very common requirement, or report, is to find out the missing/required updates for a device that is managed by SCCM. If you have not moved your device management solution to Microsoft Intune, especially for Windows updates, and you are still with ConfigMgr, then this post is for you. The blog posts I have written on finding the missing/required updates for a specific device in SCCM are listed below for your reference. http://eskonr.com/2016/08/sccm-configmgr-sql-query-to-find-top-x-missing-updates-for-specific-collection-for-specific-update-group/ http://eskonr.com/2015/12/sccm-configmgr-ssrs-report-get-list-of-missing-updates-for-pc-from-specific-software-update-group/ Likewise,…
Intune has a Co-management eligibility report (currently in preview) which provides an eligibility evaluation for devices that can be co-managed. For devices to become co-managed, they must be running Windows 10 and be enrolled in Azure Active Directory. For the full set of Intune reports, please refer to https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports The other day, I was looking into the cloud-attached devices (preview) in Endpoint Manager for the co-management eligibility report. For more information about the Co-management eligibility report, see https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports#co-management-eligibility-report-organizational From the report's dropdown list, I am interested in viewing only the devices that need AAD join. Generating the report reveals that…