Hey folks, recently enough I have been working on a project in Intune where we had a requirement to support third party patching from Intune. Now, those who are from MECM/SCCM background they are well aware that how with security updates, we also have to support third party patching. There are lot of ways to achieve this, previously it started with SCUP(System Center Updates Publisher) then SCCM has integrated third party catalog support within itself too. Many has tried to automate this process with third party tools too, there are many apps & tools available on the horizon but today we are going to talk about Manage Engine’s – Patch Connect Plus . Many of us might have configured it earlier with our SCCM infrastructure to support third party patching but what I am going to discuss here is how you can set it up with Intune. There are already many article on this but here’s my take on the tool and hope this helps you too if you are stuck somewhere. I have tried to include as much details as possible. Pre-requisites Let’s see what are the basic requirements or pre-requsites for this. 1. Azure Active Directory P1/P2 2. Intune Subscription 3. Manage Engine Patch Connect Plus setup 4. Global Administrator/Cloud Application Administrator access on Azure AD and Enterprise Admin Access on-premise Patch Connect Plus Installation First of all, I am working with Free trial version here, but things are almost same except the license part in production full version scenario. You can open the below link to download Patch Connect Plus or to get any details: https://www.manageengine.com/sccm-third-party-patch-management/ I have downloaded the trial version and triggered the installation as an admin on the server from the msi. As you can see Installshield wizard appears for installation, got hrought the wizard step by step and complete it. NOTE : if you have any other choice of port you can change it here. Click on the Finish button to complete the installation and launch Patch connect plus. After few seconds you will see your default browser will open a Web Console of Patch Connect Plus and as we can see below, for the first time login the default username and password is Admin . NOTE : you can change login password and uername later from Admin tab > Credential Manager Patch Connect Plus Configuration with Azure AD When you login to patch connect plus console you will see that it asks for the initial setup like below, you can go step by step on each page and set it accordingly like proxy settings, sccm settings and others. Since, I am concerned with Intune settings so I skip all and move to setup Patch Connect Plus with Intune and open Intune Settings . So, in the above picture we can see that we have requirement for Application ID , Tenant ID and Client Security key which we can only get when we create a new App registration in Azure. Let’s jump into the Azure portal. On the Azure portal, go to Azure Active Directory and open it. On your AAD console you will find App registrations click on it. It will open a page like below, click on New registration to register a new App. A new page will open where you would need to Enter the name of the app like below and select Supported account types. I have only one organisational directory so I select Single Tenant. You can select multi-tenant based on your requirement for supported account types. I am keeping Redirect URI as blank there is no real need to set it up as you can see it’s optional. Click on Register to move ahead. After you click on Register you will see the successful message on the corner and below page will open. You can see the highlighted areas on the page which shows we get our Application ID and Tenant ID from here. Copy it and save it for future use. Next, we would need to provide API permissions for this app for MS Graph. Go to the API permissions page and click on Microsoft Graph A blade opens from your right, select Application permissions and provide the below mentioned permissions accordingly, screenshots also provided for the same so that you don’t have any confusions: 1.DeviceManagementApps.Read.All 2.DeviceManagementApps.ReadWrite.All 3.DeviceManagementConfiguration.Read.All 4.DeviceManagementConfiguration.ReadWrite.All 5.DeviceManagementManagedDevices.Read.All 6.Device ManagementManagedDevices.ReadWrite.All Once you have provided all the permissions you can see the details like below and in notifications you can see successfully saved permissions. In this way applications are authorised to call APIs as you can see below, next step is to Grant Admin Consent for your tenant and you should have green ticks like below. If you have amber exclamation select and grant admin consent else you will face errors when you configure Patch Connect Plus. Next, we would be creating Client Secret and we will try to get our last required component Client Secret Key for patch connect plus. Go to Certificates & secrets and open Client Secrets, click on New client secret On the blade from the right, enter Description and Select Expiry Period . From the drop down you can see that there are lot of choices for Expiry period. You can also select for custom period. Once you have created the Client Secret Key you need to copy its value and save it in a safe place, you can’t afford to lose this key, if you lose you have to generate a new Client Secret Key and repeat this process and make changes in Patch Connect Plus too. Now, we have our all 3 required components which is required to setup Patch Connect Plus. We have our Application ID, Tenant ID and Client Security Key . Patch Connect Plus Initial Setup Let’s now go back to the Patch Connect Plus Console and enter all these value like below: Select other options as per your requirement and click on Next . It will move to next setup of alerts but will show a green pop up at the top for few seconds that Intune Setup has been completed successfully. Setup your official mail id and confirm the checkbox to complete the initial setup. Publishing Third-Party Updates to Intune If everything went well and you have no issues with the setup and configuration you will see the screen like below. You can check few details in this page like Published Updates, Available Updates, Last intune deployment sync time and others. Let’s try to select one update and click on Publish Updates to test if it works perfectly. Select the patch and click on Publish Updates . It will ask for your confirmation to publish, click yes Check the progress at the top and select Click Here. We can see that its status is in progress. Lets wait for it to complete and meanwhile lets login to Intune portal > go to Apps > Windows Apps. After the publish is complete, you can see a new Win32 app here which starts with – Updates For . This is the same patch which we published from Patch Connect Plus. If you want to publish multiple patches together you can select the check-boxes besides and click on Publish Now . And that is how simply your Third-party patching has been automated. It’s very simple to configure very easy to use and saves lots of effort and time. 😎 In case if you want to change any settings in future you can go to Admin tab and select Intune settings. If you require more details on this tool, there is a great documentation by Manage Engine itself on their page below: https://www.manageengine.com/sccm-third-party-patch-management/help.html Also, you can get a quote and compare editions. Ok, that’s pretty much for this time, soon I will be back with new content. Cheers, enjoy the weekend and holiday season. 🍻 🎉

Robust IBM i/iSeries/AS400 Software Solutions | Workflow, Security, Monitoring, & Automation: We provide industry-leading IBM i (AS400 / iSeries) security, including IBM Workflow Software monitoring, auditing, and compliance software to help companies optimize their IBM workflow.

In his blog post today we will see How we can perform Autopilot for Windows 11 devices. It is applicable for any new device which is only Azure AD joined. Now, when we talk about Windows 11 we have certain pre-requisites that we need to complete first. Since I will be using a Hyper V so I have to complete these pre-reqs manually, but if you have a new physical device, you may need not do it. Just a small check is fine. Windows 11 Pre-requisites 1. Minimum Virtual processor should be more than or equal to 2. I am using 4 for my Hyper-v. 2. Memory should be more than or equal to 4 GB. I am using around 8 GB. 3. Your device should have the TPM Enabled. This is very important for Windows 11 devices. Once, we have all these above pre-reqs set, prepare your Windows 11 Hyper-v. But, before moving onto setting up Windows 11 for Autopilot, lets also make sure we have all the pre-reqs set for Windows Autopilot. Pre-requisites for Windows Autopilot. 1. Go to the Intune portal Devices > Windows > Windows Enrollment > Automatic Enrollment and make sure everything is set properly like below: 2. Let us next move on to Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Deployment Profiles . Make sure you have a Autopilot Deployment profile created. I have a very simple one created like below: 3. Create a Dynamic group where you would want all your apps, policies, configurations to be deployed to Autopilot Devices. I have created one with ZTD id. You can create with your own requirements, maybe with Group tag which was used during importing devices with Hardware Hash. The query I am using for the group is - (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) NOTE: Here we will be importing hardware hash online without csv so I am just trying to keep things simple. 4. The next one is optional but I would like to go with it so create one default Enrollment Status Page. Go to Devices > Windows > Windows Enrollment > Enrollment Status Page I have very simple settings for test purposes, you might want some proper standard settings in your Production environment 5. Have a User with Intune Administrator role who will help to upload the Hardware Hash and then also assign user with Intune E3/E5 license who will enroll the device to Intune. Apart from the above settings if you have any particular security apps, baselines or any configuration profiles like bitlocker and others you may want to deploy to Windows Autopilot group which we created earlier. Apart from this I think we are all set and ready now to prepare our Windows 11 Hyper-v. In this blog I am skipping all the basic steps of that you need to go through for creating a Hyper-v VM. I feel we all are aware of this and even if you are not you just need to follow the instructions. Make sure you have proper internet connection and above pre-requisites all set. So, when we boot-up and start the Hyper-v it goes through the basic steps of setting windows and we will wait until the below step completes Registering the Windows 11 to Autopilot Service Once the windows installation is completed it takes some time to setup and then we have OOBE screen in front of us When we have this screen press shift+F10(shift + fn + f10) on Hyper-V to bring command prompt From command prompt, we will try to enter PowerShell where we will execute the commands to Import Hardware Hash to Intune. The commands which we want to run here one by one are as follows: PowerShell.exe -ExecutionPolicy Bypass Install-Script -name Get-WindowsAutopilotInfo -Force Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned Get-WindowsAutopilotInfo -Online Once you have entered the above command it will ask for your Intune Administrator ID. Please enter the same to register the device to Autopilot service. After you enter your credentials, you can see that your company logo appears in the password entry dialog box. Enter your password here. Then if your organisation has enabled MFA, approve that using Authenticator app. Then lets wait for the import to proceed and complete. When it is completed, you will find the below screen in your PowerShell. Mark the serial number of devices here: Lets cross verify it within the Intune console, go to Endpoint manager Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Windows Autopilot Devices We can see that the device is successfully registered now to Windows Autopilot. Lets now proceed with the OOBE and End-User Experience Windows 11 OOBE and End-User Experience We will have to close the command prompt now and procced with OOBE. Type Exit and hit enter until you exit the command prompt screen Select your country and Press Yes Select keyboard and the press Yes Windows will be starting to check for Updates Enter the user credentials whom you have assigned the Intune license. On the password entry dialog page you see your organisation logo proving that you are on the right track. Once the above steps are done and you have clicked on Sign in device will be starting to configure You will see the Enrollment status page like below: Once these settings are completed you will notice a small green tick below each and then you will be presented with next screen for Privacy setting. Click on Next and then Accept to move ahead. Windows will check for nay updates again and then move ahead That’s it the Autopilot Process is complete now, you will be presented with Welcome message and then some time will be taken to complete the basic setup for your login. Since I have this Configuration Profile deployed for Interactive Logon Screen message for User, I was able to see this message before login. Then I tried to login using my company credentials. Note: After this I noticed that ESP page reappeared again and it was waiting for few things to be completed. What I did to fix it change this simple setting under ESP, it is by default set to Yes :- When I changed the above settings to No, Desktop was presented to me: Now, we need to verify few things lets go to Settings and check Work and School account as well as Device serial number Looks all good, lets find the device in Intune now That proves that we have successfully completed the Windows 11 Autopilot. Now what happens if something goes sideways and you need to troubleshoot. If you see something like the above screen then you need to expand it and see where exactly the autopilot failed. There could be different reasons. More things will be cleared when you click and check MDM diagnostics log. You also get a link to export these logs which will be helpful to see and find out where exactly the failure occurred. Unfortunately, I don’t have the screenshot from my end for these but I think that’s pretty easy process. Ok, so that’s all from my end this time. I Will Be Back… 😎 with some new content and new things. Cheers 🍻