
Forum Posts

devphoenix88
Nov 20, 2022
In Patching
Hey folks, recently I have been working on a project in Intune where we had a requirement to support third-party patching from Intune. Those who come from an MECM/SCCM background are well aware that, alongside security updates, we also have to support third-party patching. There are a lot of ways to achieve this: it started with SCUP (System Center Updates Publisher), and then SCCM integrated third-party catalog support within itself too. Many have tried to automate this process with third-party tools as well; there are many apps and tools available on the horizon, but today we are going to talk about ManageEngine's Patch Connect Plus. Many of us might have configured it earlier with our SCCM infrastructure to support third-party patching, but what I am going to discuss here is how you can set it up with Intune. There are already many articles on this, but here's my take on the tool, and I hope this helps you too if you are stuck somewhere. I have tried to include as many details as possible.

Pre-requisites

Let's see what the basic requirements or pre-requisites for this are.

1. Azure Active Directory P1/P2
2. Intune Subscription
3. ManageEngine Patch Connect Plus setup
4. Global Administrator/Cloud Application Administrator access on Azure AD and Enterprise Admin access on-premise

Patch Connect Plus Installation

First of all, I am working with the free trial version here, but things are almost the same except for the license part in a production full-version scenario. You can open the link below to download Patch Connect Plus or to get any details:

https://www.manageengine.com/sccm-third-party-patch-management/

I have downloaded the trial version and triggered the installation as an admin on the server from the MSI. As you can see, the InstallShield wizard appears for installation; go through the wizard step by step and complete it. NOTE: if you have any other choice of port you can change it here.

Click on the Finish button to complete the installation and launch Patch Connect Plus. After a few seconds you will see your default browser open a web console of Patch Connect Plus and, as we can see below, for the first-time login the default username and password is Admin. NOTE: you can change the login password and username later from Admin tab > Credential Manager.

Patch Connect Plus Configuration with Azure AD

When you log in to the Patch Connect Plus console you will see that it asks for the initial setup like below; you can go step by step on each page and set it accordingly, like proxy settings, SCCM settings and others. Since I am concerned with Intune settings, I skip all of them, move to setting up Patch Connect Plus with Intune and open Intune Settings. So, in the above picture we can see that we have a requirement for Application ID, Tenant ID and Client Security Key, which we can only get when we create a new App registration in Azure. Let's jump into the Azure portal.

On the Azure portal, go to Azure Active Directory and open it. On your AAD console you will find App registrations; click on it. It will open a page like below; click on New registration to register a new app. A new page will open where you need to enter the name of the app like below and select Supported account types. I have only one organisational directory, so I select Single Tenant. You can select multi-tenant based on your requirement for supported account types. I am keeping Redirect URI blank; there is no real need to set it up, and as you can see it's optional. Click on Register to move ahead. After you click on Register you will see the success message in the corner and the page below will open. You can see the highlighted areas on the page which show that we get our Application ID and Tenant ID from here. Copy them and save them for future use. Next, we need to provide API permissions for this app for MS Graph.

Go to the API permissions page and click on Microsoft Graph. A blade opens from your right; select Application permissions and provide the below-mentioned permissions accordingly (screenshots are also provided for the same so that you don't have any confusion):

1. DeviceManagementApps.Read.All
2. DeviceManagementApps.ReadWrite.All
3. DeviceManagementConfiguration.Read.All
4. DeviceManagementConfiguration.ReadWrite.All
5. DeviceManagementManagedDevices.Read.All
6. DeviceManagementManagedDevices.ReadWrite.All

Once you have provided all the permissions you can see the details like below, and in notifications you can see that the permissions were saved successfully. In this way applications are authorised to call APIs, as you can see below. The next step is to Grant Admin Consent for your tenant, and you should have green ticks like below. If you have an amber exclamation, select it and grant admin consent, else you will face errors when you configure Patch Connect Plus.

Next, we will create a Client Secret and get our last required component, the Client Secret Key for Patch Connect Plus. Go to Certificates & secrets and open Client Secrets, then click on New client secret. On the blade from the right, enter a Description and select the Expiry period. From the drop-down you can see that there are a lot of choices for the expiry period. You can also select a custom period. Once you have created the Client Secret Key you need to copy its value and save it in a safe place; you can't afford to lose this key. If you lose it you have to generate a new Client Secret Key, repeat this process and make the changes in Patch Connect Plus too.

Now we have all 3 components required to set up Patch Connect Plus: our Application ID, Tenant ID and Client Security Key.

Patch Connect Plus Initial Setup

Let's now go back to the Patch Connect Plus console and enter all these values like below. Select other options as per your requirement and click on Next.

It will move to the next setup step for alerts, but will show a green pop-up at the top for a few seconds saying that the Intune setup has been completed successfully. Set up your official mail ID and confirm the checkbox to complete the initial setup.

Publishing Third-Party Updates to Intune

If everything went well and you have no issues with the setup and configuration you will see the screen like below. You can check a few details on this page like Published Updates, Available Updates, last Intune deployment sync time and others. Let's try to select one update and click on Publish Updates to test if it works perfectly. Select the patch and click on Publish Updates. It will ask for your confirmation to publish; click Yes. Check the progress at the top and select Click Here. We can see that its status is in progress. Let's wait for it to complete, and meanwhile let's log in to the Intune portal > go to Apps > Windows Apps. After the publish is complete, you can see a new Win32 app here whose name starts with "Updates For". This is the same patch which we published from Patch Connect Plus. If you want to publish multiple patches together you can select the check-boxes beside them and click on Publish Now.

And that is how simply your third-party patching has been automated. It's very simple to configure, very easy to use and saves lots of effort and time.😎 In case you want to change any settings in future you can go to the Admin tab and select Intune settings. If you require more details on this tool, there is great documentation by ManageEngine itself on their page below:

https://www.manageengine.com/sccm-third-party-patch-management/help.html

Also, you can get a quote and compare editions. Ok, that's pretty much it for this time; soon I will be back with new content. Cheers, enjoy the weekend and holiday season.🍻🎉
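The app registration, Graph application permissions, admin consent and client secret described above can also be created with the Microsoft Graph PowerShell SDK, which makes the permission set reviewable and keeps the secret lifetime explicit. The script below is an added example, not code from the post or from ManageEngine; the display names, the six-month secret lifetime and the sleep before service-principal creation are my assumptions, and the six permissions are exactly the ones listed in the post.

```powershell
# Added example (not from the post or ManageEngine): create the Patch Connect Plus
# app registration from PowerShell with the Microsoft Graph SDK.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

$appName    = 'PatchConnectPlus-Intune'                 # assumed display name
$graphAppId = '00000003-0000-0000-c000-000000000000'    # well-known Microsoft Graph app id

# The six Application permissions from the post, and nothing more (least privilege).
$wanted = @(
    'DeviceManagementApps.Read.All',
    'DeviceManagementApps.ReadWrite.All',
    'DeviceManagementConfiguration.Read.All',
    'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.ReadWrite.All'
)

# Resolve the app-role ids from the Graph service principal instead of hard-coding GUIDs.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roles   = @($graphSp.AppRoles | Where-Object { $_.Value -in $wanted -and $_.AllowedMemberTypes -contains 'Application' })
if ($roles.Count -ne $wanted.Count) {
    throw "Resolved $($roles.Count) of $($wanted.Count) permissions: $($roles.Value -join ', ')"
}

# Single tenant, no redirect URI, as in the post.
$app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphAppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
)

# Admin consent for application permissions = app-role assignments on the app's own service principal.
Start-Sleep -Seconds 10   # assumed: give directory replication a moment after creating the app
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($r in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $r.Id | Out-Null
}

# Client secret with a short, explicit lifetime. SecretText is returned only once,
# exactly as the portal shows it only once: store it in a vault, then rotate before EndDateTime.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'PatchConnectPlus'
    EndDateTime = (Get-Date).AddMonths(6)   # assumed lifetime
}

# The three values Patch Connect Plus asks for in its Intune Settings page.
[pscustomobject]@{
    'Application ID' = $app.AppId
    'Tenant ID'      = (Get-MgContext).TenantId
    'Secret expires' = $secret.EndDateTime
    'Secret value'   = $secret.SecretText
}
```

Run it once with an account that can create app registrations and grant admin consent; the same `$wanted` list doubles as the record of what the connector is allowed to do, which is what you compare against during a later permissions review.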
Intune Third-Party Patching with Patch Connect Plus
devphoenix88
Oct 04, 2022
In Infrastructure
In this blog post today we will see how we can perform Autopilot for Windows 11 devices. It is applicable to any new device which is only Azure AD joined. Now, when we talk about Windows 11 we have certain pre-requisites that we need to complete first. Since I will be using Hyper-V, I have to complete these pre-reqs manually, but if you have a new physical device you may not need to do it; just a small check is fine.

Windows 11 Pre-requisites

1. The minimum number of virtual processors should be greater than or equal to 2. I am using 4 for my Hyper-V VM.
2. Memory should be greater than or equal to 4 GB. I am using around 8 GB.
3. Your device should have the TPM enabled. This is very important for Windows 11 devices.

Once we have all these pre-reqs set, prepare your Windows 11 Hyper-V VM. But, before moving on to setting up Windows 11 for Autopilot, let's also make sure we have all the pre-reqs set for Windows Autopilot.

Pre-requisites for Windows Autopilot

1. Go to the Intune portal, Devices > Windows > Windows Enrollment > Automatic Enrollment, and make sure everything is set properly like below:
2. Let us next move on to Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Deployment Profiles. Make sure you have an Autopilot Deployment profile created. I have a very simple one created like below:
3. Create a Dynamic group where you would want all your apps, policies and configurations to be deployed to Autopilot devices. I have created one with the ZTD id. You can create one with your own requirements, maybe with the Group tag which was used when importing devices with the hardware hash. The query I am using for the group is:
(device.devicePhysicalIDs -any (_ -contains "[ZTDID]"))
NOTE: Here we will be importing the hardware hash online without a CSV, so I am just trying to keep things simple.
4. The next one is optional, but I would like to go with it, so create one default Enrollment Status Page. Go to Devices > Windows > Windows Enrollment > Enrollment Status Page. I have very simple settings for test purposes; you might want some proper standard settings in your production environment.
5. Have a user with the Intune Administrator role who will help to upload the hardware hash, and also assign an Intune E3/E5 license to the user who will enroll the device into Intune.

Apart from the above settings, if you have any particular security apps, baselines or configuration profiles like BitLocker and others, you may want to deploy them to the Windows Autopilot group which we created earlier. Apart from this I think we are all set and ready now to prepare our Windows 11 Hyper-V VM. In this blog I am skipping all the basic steps that you need to go through for creating a Hyper-V VM. I feel we are all aware of this, and even if you are not you just need to follow the instructions. Make sure you have a proper internet connection and the above pre-requisites all set. So, when we boot up and start the Hyper-V VM it goes through the basic steps of setting up Windows, and we will wait until the below step completes.

Registering the Windows 11 device with the Autopilot Service

Once the Windows installation is completed it takes some time to set up and then we have the OOBE screen in front of us. When we have this screen, press Shift+F10 (Shift+Fn+F10) on Hyper-V to bring up the command prompt. From the command prompt we will enter PowerShell, where we will execute the commands to import the hardware hash to Intune. The commands which we want to run here, one by one, are as follows:

PowerShell.exe -ExecutionPolicy Bypass
Install-Script -Name Get-WindowsAutopilotInfo -Force
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Get-WindowsAutopilotInfo -Online

Once you have entered the above commands it will ask for your Intune Administrator ID. Please enter the same to register the device with the Autopilot service. After you enter your credentials, you can see that your company logo appears in the password entry dialog box. Enter your password here. Then, if your organisation has enabled MFA, approve that using the Authenticator app. Then let's wait for the import to proceed and complete. When it is completed, you will find the below screen in your PowerShell. Note the serial number of the device here. Let's cross-verify it within the Intune console: go to Endpoint Manager > Devices > Windows > Windows Enrollment > Windows Autopilot Deployment Program > Windows Autopilot Devices. We can see that the device is now successfully registered with Windows Autopilot. Let's now proceed with the OOBE and end-user experience.

Windows 11 OOBE and End-User Experience

We will have to close the command prompt now and proceed with OOBE. Type Exit and hit Enter until you exit the command prompt screen. Select your country and press Yes. Select the keyboard and then press Yes. Windows will start to check for updates. Enter the credentials of the user to whom you have assigned the Intune license. On the password entry dialog page you see your organisation logo, proving that you are on the right track. Once the above steps are done and you have clicked on Sign in, the device will start to configure. You will see the Enrollment Status Page like below. Once these settings are completed you will notice a small green tick below each, and then you will be presented with the next screen for privacy settings. Click on Next and then Accept to move ahead. Windows will check for any updates again and then move ahead. That's it, the Autopilot process is complete now; you will be presented with a Welcome message and then some time will be taken to complete the basic setup for your login. Since I have this Configuration Profile deployed for the Interactive Logon screen message for the user, I was able to see this message before login. Then I tried to log in using my company credentials.

Note: After this I noticed that the ESP page reappeared again and it was waiting for a few things to be completed. What I did to fix it was change this simple setting under ESP; it is by default set to Yes. When I changed the above setting to No, the desktop was presented to me.

Now we need to verify a few things: let's go to Settings and check the Work and School account as well as the device serial number. Looks all good; let's find the device in Intune now. That proves that we have successfully completed the Windows 11 Autopilot.

Now, what happens if something goes sideways and you need to troubleshoot? If you see something like the above screen then you need to expand it and see where exactly Autopilot failed. There could be different reasons. More things will be cleared up when you click and check the MDM diagnostics log. You also get a link to export these logs, which will be helpful to see and find out where exactly the failure occurred. Unfortunately, I don't have the screenshot from my end for these, but I think that's a pretty easy process. Ok, so that's all from my end this time. I Will Be Back…😎 with some new content and new things. Cheers🍻
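The Windows 11 pre-requisites at the top of the post (2 or more processors, 4 GB or more memory, TPM enabled) and the registration commands run from the OOBE command prompt can be combined into one pre-flight script, so that a VM or device that would fail Autopilot is caught before its hash is uploaded. This is an added example of mine, not from the post or from Microsoft's Get-WindowsAutopilotInfo script; the function name and the use of login.microsoftonline.com as the connectivity probe are my choices.

```powershell
# Added example (not from the post): run from the Shift+F10 prompt during OOBE,
# after "PowerShell.exe -ExecutionPolicy Bypass". Checks the post's pre-reqs,
# then runs the same registration commands the post lists.
function Test-AutopilotReadiness {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-Tpm -ErrorAction SilentlyContinue          # $null when no TPM is exposed to the OS

    # TotalPhysicalMemory on a "4 GB" VM reports slightly under 4 GiB, so round first.
    $memGb = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    $checks = [ordered]@{
        'Logical processors >= 2'   = ($cs.NumberOfLogicalProcessors -ge 2)
        'Memory >= 4 GB'            = ($memGb -ge 4)
        'TPM present'               = ($null -ne $tpm -and $tpm.TpmPresent)
        'TPM ready'                 = ($null -ne $tpm -and $tpm.TpmReady)
        'Can reach Azure AD (443)'  = (Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 `
                                          -InformationLevel Quiet -WarningAction SilentlyContinue)
    }

    $allOk = $true
    foreach ($name in $checks.Keys) {
        $ok = [bool]$checks[$name]
        if (-not $ok) { $allOk = $false }
        Write-Host ('[{0}] {1}' -f ($(if ($ok) { 'PASS' } else { 'FAIL' })), $name)
    }
    return $allOk
}

if (Test-AutopilotReadiness) {
    # Same three steps as the post. Add -GroupTag to Get-WindowsAutopilotInfo if your
    # dynamic group keys on a group tag instead of the ZTD id.
    Install-Script -Name Get-WindowsAutopilotInfo -Force
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
    Get-WindowsAutopilotInfo -Online
} else {
    Write-Warning 'One or more pre-requisites failed; fix them before registering the device.'
}
```

On a Hyper-V VM the two TPM checks are the ones that usually fail, because the virtual TPM has to be enabled in the VM's security settings before the VM is started; the script refuses to upload the hash in that case rather than registering a device that Windows 11 setup will later reject.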
Windows 11 Autopilot – How easy is it?
devphoenix88
Sep 18, 2022
In Software Distribution
Hey guys, so this post is all about my experience with Windows Package Manager, and it may help you learn a bit with me. Let's discuss a little about the background, and then we will see how to use this tool and how we can push applications from Intune. Microsoft has already announced that Windows Store for Business and Education are getting retired in the first quarter of 2023. You can check it from here. Now, how will we install the apps that were available in the Windows Store, or how would you be able to push any custom apps to your endpoints? Microsoft has a comprehensive package manager solution, which is Windows Package Manager or, in short, a command line tool called Winget. According to Microsoft – "A package manager is a system or set of tools used to automate installing, upgrading, configuring and using software. The Winget command line tool enables users to discover, install, upgrade, remove and configure applications on Windows 10 and Windows 11 computers. This tool is the client interface to the Windows Package Manager service."

How to Install Winget

By default, Winget is installed on the latest versions of Windows 10 and Windows 11, but if you are using older versions of Windows there are 2 ways in which we can install the Winget tool.

1. Get the app from the Windows app store; it is available by the name App Installer and you can get it installed very easily without any issues.
2. The other way to install the client is to download the installer bundle from GitHub. When the page opens, select the tool from the bottom and download it. When downloaded, run the installer; if Winget is an old version it will update, else it will perform a fresh install. NOTE: this doesn't work on Windows 11 as it might have an updated version already.🙂

Once Winget is installed, how would you verify that it's installed properly? Well, very simple. Just open PowerShell and type winget; the below screen appears.

How to use Winget to install apps

In the above PowerShell screen we can see that when we type winget we get a lot of information with it, like the installed version, the commands and the parameters.

Commands

Below is the list of commands, along with their descriptions, that you can use in winget to perform any operation.

Options

Below is the set of options you can use with winget.

Supported Installer Formats

The winget tool supports the below installer formats:
· EXE (with Silent and SilentWithProgress flags)
· INNO
· NULLSOFT
· MSI
· APPX
· MSIX
· BURN
· PORTABLE

Now we have seen what the commands, supported installer formats and options are that we can use with winget; let's now try to install our first app. Let us suppose that we want to install Notepad++ on our system. The first step is to search for an app with the name notepad++, so in the below screen we see the search command to be used with Winget. In the above screen we see that when we search for the app, a license agreement statement appears which you have to accept by typing Y for yes the first time. After that you can see that the apps which are available with the name Notepad are shown as a list. We now need to install the app which is at the top of the list. For that we need to run the install command; let's see what happens when we run the below command:

winget install Notepad++

Wow😯, it is so easy; it installed within seconds. Looks great, right? We can also verify on our computer whether it installed or not, so let's go to the Windows Start menu and check. Well, this is all good, but what happens if there are multiple apps with the same name? Then, instead of using the above command to install, use the --id option; the install command changes to the below:

winget install --id=Notepad++.Notepad++ -e

It installs the same application, but with the id parameter. Now, if I want to install multiple apps at a time, or bulk apps at a time, can I do that using winget? Of course yes, we can do that. The command for the same is provided below:

winget install --id=Microsoft.Teams -e ; winget install --id=Zoom.Zoom -e ; winget install --id=SlackTechnologies.Slack -e ; winget install --id=ShareX.ShareX -e

Awesome😎, we can install many apps together at once. What if you want to uninstall the app? Very simple, run the below command:

winget uninstall Notepad++

We now know how to install apps, multiple apps together and uninstall apps using winget. Let's see in the next section how we can do the same from Intune.

How to install apps from Intune using winget

At this moment, there is no assigned setting or configuration in Intune that you can use to deploy apps using Winget, but there were a few discussions about integrating Windows Package Manager with Intune. If you want to deploy or install an app using Intune, create a PowerShell script and then deploy it to your devices by creating a Win32 app. Follow the process below:

1. Create a .ps1 file with your command line.
2. Create a Win32 app with the below properties.
3. Let's now create a Win32 app in Intune.
4. Go through the process to upload the .intunewin file and use the below properties for the Install and Uninstall command:
Install command: powershell.exe -executionpolicy bypass -windowstyle hidden .\Notepad_Install.ps1
Uninstall command: "%ProgramFiles%\Notepad++\uninstall.exe" /S
Install behavior: User
Note: Install behavior should always be chosen as User for Winget apps, otherwise Intune Management Extension would not know the path of the Desktop App Installer in Windows, which is used by Winget to install apps.🙂
5. Then on the Requirements tab select OS architecture and Minimum OS version. Click Next.
6. Then create a Detection rule for the app.
7. Next, in Assignment, make the app available for installation in the Company Portal.

Now, when I go to my Hyper-V test machine and check the Company Portal app, I see the Notepad++ app available for installation. When I click on Install it just installs fine with all the messages, as you can see below. Ok, we have learnt until now how we can use winget and how to deploy apps from Intune using winget. Let's now see how we can troubleshoot.

How to troubleshoot

Logs

Winget by default creates logs when it is used to install any app. You can find the logs in the below path:

%LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

When I checked the same path on my test Hyper-V device, here's what it looked like. If you want more logs or detailed logs, include --verbose-logs on the command line as well. Below are examples of how to use verbose logging with the command line:

> winget install vscode --verbose-logs
> winget search -n visual --verbose-logs
> winget source add -n mysource -t Microsoft.REST -a https://www.contoso.org --verbose-logs

How to Build Custom Packages

To create and submit your own package you would first need to install the wingetcreate module. Open PowerShell and execute the below command:

winget install wingetcreate

Once the module is successfully installed, let's create a custom app by running the below command:

wingetcreate new

It asks for a URL; when you provide it, it will download and parse the file and then ask you a few questions. Follow the instructions as asked and enter all details like below. When you select Yes to submit your manifest, a GitHub login will initiate with a code. You have to enter your GitHub creds and the code. If everything is good your manifest will automatically be uploaded and the custom app will be created. Your PowerShell screen will provide the below message, and you can see your request in GitHub.

So, in this blog we saw how to use Winget to install apps manually as well as from Intune, and then how to build our own custom packages. You guys can explore more and create your custom packages as required. It looks really great and has many capabilities if you use it properly. 🤓 Hope to see Windows Package Manager integrated into Intune soon so that our job becomes easier. OK then, we are done here for this post. I will come back with a new post and new experience again; until then…Cheers🍺🍺
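Step 1 of the Intune procedure above says "create a .ps1 file with your command line" without showing one, and the note on install behavior explains why: Intune Management Extension does not have winget.exe on its path, so the script has to find it inside the per-user App Installer package. The script below is an added example of such a Notepad_Install.ps1, written by me and not taken from the post or from Microsoft; the package id comes from the post's own install command, and the log folder name is my choice.

```powershell
# Added example (not from the post): Notepad_Install.ps1 for the Win32 app above.
# Runs as the signed-in user (install behavior = User), which is why Get-AppxPackage
# can see the App Installer package that contains winget.exe.
$PackageId = 'Notepad++.Notepad++'                       # id from the post's "winget install --id" command
$LogDir    = Join-Path $env:LOCALAPPDATA 'IntuneWinget'  # assumed log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Log = Join-Path $LogDir (($PackageId -replace '[^\w.-]', '_') + '.log')

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding utf8
}

# Resolve winget.exe from the App Installer package rather than relying on PATH,
# which is not populated when Intune Management Extension launches the script.
$pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' |
       Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
if (-not $pkg) {
    Write-Log 'App Installer (winget) package not found for this user'
    exit 1   # non-zero: Intune reports the install as failed instead of silently "succeeding"
}
$winget = Join-Path $pkg.InstallLocation 'winget.exe'

# --exact prevents the name-collision problem the post describes; the two --accept
# flags answer the license prompts that would otherwise hang a hidden window.
$wingetArgs = @('install', '--id', $PackageId, '--exact', '--silent',
                '--accept-package-agreements', '--accept-source-agreements')

Write-Log "running: $winget $($wingetArgs -join ' ')"
& $winget @wingetArgs 2>&1 | ForEach-Object { Write-Log $_ }
$code = $LASTEXITCODE
Write-Log "winget exit code $code"

# Pass winget's exit code back so the Intune Management Extension logs show the real result.
exit $code
```

For step 6 a file-based detection rule works well here: check that notepad++.exe exists in the same %ProgramFiles%\Notepad++ folder the post's uninstall command already points at. The per-run log in %LOCALAPPDATA%\IntuneWinget complements winget's own DiagOutputDir logs mentioned under troubleshooting.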
Windows Package Manager - Winget with Intune
devphoenix88
Jun 12, 2022
In Infrastructure
We know that we can integrate Microsoft Defender for Endpoint with Microsoft Intune. This is a Mobile Threat Defense solution for all the devices that you enroll in Intune. In this blog post I will just show you the process of configuring Intune and then onboarding devices into MD ATP. MD ATP is not only a good solution for Windows devices but also acts as a pretty good threat defence solution for both iOS and Android. Even Mac devices can be onboarded into it and you can create security baselines accordingly. So, without wasting much time, let's get into it.😎

Pre-Requisites

Let's first check out the pre-requisites for this and see what the different subscriptions are that we need.

1. Microsoft Azure Premium P1/P2
2. Microsoft Intune (M365 E5/EMS E5)
3. Microsoft Defender for Endpoint P2 (if you want to manage endpoints from the Security Center then please get this P2 license)

If you are asking why P2, then just check out the table below and see the offerings from Microsoft; it's better to have more services, right? Yeah😉 Make sure you have the below license. This is a trial license for my lab purposes, but you get an idea now of which one to select for your tenant or prod environment. At the end, when you check your license subscription, the screen should look something like this. NOTE: instead of Developer E5 you should have M365 E5/EMS E5. Your end-user should have assigned licenses like below.

Configuring MS Defender for Endpoint with Intune

Now, let's check out the process to configure MD ATP with Intune. At this stage the assumption is that you have let your devices enroll into Intune, or if you are migrating devices then at least you are in the process of enrolling them using Hybrid Azure AD or standalone Azure AD. When you open Intune and navigate to Endpoint Security > Microsoft Defender for Endpoint you will see something like below. There is another way to configure it, but let's just stick to our process; I feel this is the simple way to do it.

When you are on the above screen, under Configuring Microsoft Defender for Endpoint click on the point number 1 link – Connect Microsoft Defender for Endpoint to Microsoft Intune in the Microsoft Defender Security Center. Also on the same page, if you scroll down, you will find another link under Common shared settings – Open the Microsoft Defender Security Center. Clicking on this link will also take you to the same page. When you have all the licenses assigned and configured and click on the above links, it will open the Microsoft Security Center for you like this. NOTE: It takes around 24 hrs to enable this Endpoints tab; also under settings, once you have purchased the P2 license, it takes the mentioned time to enable the Endpoints tab.

Next, on the right hand side scroll down, find the Settings tab and click on it; the below screen appears. Click on Endpoints above; it will open the screen like below. Click on Advanced features, then check out the list; you have some very important features like web content filtering, Device Discovery and Microsoft Intune connection. Enable Microsoft Intune connection from here. You can also enable other features as per your requirement. Once you enable it and click on Save preferences, the below temporary pop-up will show that your settings are saved, and that's it, you are done configuring Intune with MD ATP.

Now, once you are done with the above steps, go back to Intune and navigate back to Endpoint Security > Microsoft Defender for Endpoint. You will see that Connection Status is now shown as available and there will be a date to show you when it last synchronised. Under MDM Compliance Policy Settings enable each platform connection, and that's it, you are now ready to onboard devices from different platforms to MD ATP.

On-Board Windows Devices to MD ATP

When you enable the below button, Windows devices start onboarding to MD ATP automatically, but if you still face some issue then you can enable a configuration profile for Endpoint Detection and Response. Click on Create Policy on the above screen. This will help you create a config profile like below. Configure as per requirement, click Next and deploy to all Windows devices. NOTE: When you configure an EDR policy after connecting Intune and Microsoft Defender for Endpoint, the policy setting Microsoft Defender for Endpoint client configuration package type has a new configuration option: Auto from connector. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an onboarding package. You can also enable this using Group Policy in a hybrid environment.

Onboarding macOS devices

To onboard macOS devices you would need to create an app and also configure some extensions. Follow the steps below to onboard Mac devices. This step enables deploying Microsoft Defender for Endpoint to enrolled machines. In the Microsoft Endpoint Manager admin center, open Apps. Select By platform > macOS > Add. Choose App type = macOS, click Select. Keep the default values, click Next. Add assignments, click Next. Review and Create. You can visit Apps > By platform > macOS to see it in the list of all applications. Just deploying the app may not work and you may also need to deploy different configuration profiles for extensions. You need to send the kernel extension, approve system extensions and also provide Full Disk Access to MDATP. Follow the below link for more details from Microsoft:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide

Onboard iOS and Android Devices

In both these cases you can download the MD ATP app from the iOS App Store/Managed Google Play store, configure it with Intune and then deploy accordingly. For iOS devices you will find more information at this link:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide

For Android devices find the steps and more information under:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide

That's it for this time guys; hope this helps you configure Intune with MD ATP and onboard your devices. See you next time, until then Cheers🤔
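Once the connector and the EDR policy from the Windows section above are in place, the thing worth verifying on an individual device is whether the onboarding blob actually landed and the sensor is running, rather than trusting the Intune connection status alone. The check below is an added example of mine, not from the post or from Microsoft; it reads the Sense service and the onboarding status key the Defender for Endpoint client writes on Windows, and the function name is my choice.

```powershell
# Added example (not from the post): local onboarding check for a Windows device.
# Requires an elevated prompt to read the Windows Advanced Threat Protection key.
function Get-MdeOnboardingStatus {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense     = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue   # the MDE sensor service

    # OnboardingState is written by the onboarding package; 1 means onboarded.
    $state = if ($status) { $status.OnboardingState } else { $null }
    # OrgId identifies the MDE tenant the device reports to; read it only if present.
    $orgId = if ($status -and $status.PSObject.Properties['OrgId']) { $status.OrgId } else { $null }

    $problems = @()
    if (-not $sense)                              { $problems += 'Sense service is not installed (no onboarding package applied)' }
    elseif ($sense.Status -ne 'Running')          { $problems += "Sense service is $($sense.Status), expected Running" }
    if ($null -eq $state)                         { $problems += 'Status key missing: EDR policy has not reached this device' }
    elseif ($state -ne 1)                         { $problems += "OnboardingState is $state, expected 1" }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseService    = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState = $state
        OrgId           = $orgId
        Onboarded       = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

Get-MdeOnboardingStatus
```

A device that shows Onboarded = False here while Intune reports the EDR policy as succeeded is the case the post's troubleshooting advice is for: compare the OrgId with the one in your Defender tenant and pull the MDM diagnostics log for the policy delivery.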
Configure Microsoft Defender for Endpoint with Intune
devphoenix88
Jan 02, 2022
In Patching
As we all know, Intune has recently changed many features; well, to be accurate, added some features and removed some features. One of the features that got removed recently is setting up the servicing channel for Windows Update for Business. To be honest, I liked this feature previously; it was good that everything was in one place and I could select my servicing channel from one place. Under Update rings for Windows 10 we could see this feature available, as below. But now, from the latest update of Intune, this feature is gone. It is not properly mentioned or documented by Microsoft that they have removed this. When we reached out to Microsoft regarding this they mentioned that many of the less popularly used features have been removed in this latest version. I was really in shock that this was not a popular property. 😣 But we had to accept it, move on😏 and find other ways to set it.

Well, since we are talking about ways to move on and other ways to set it, there is one which I feel is good if you want this to be pushed from Intune and not using Group Policies. This is helpful for those who use standalone Intune to manage their Windows 10/11 devices. Let's see now how we can still set the Windows servicing channels without Group Policies.

Navigate to Devices - Windows - Configuration profiles - click on Create Profile. From the new blade on the right hand side, drop down Platform and select Windows 10 and later - under Profile Types select Settings Catalog (preview) - click on Create. Provide a proper Name and Description and click Next. Under Configuration Settings click on Add Settings. A new blade for the Settings Picker will open on the right; now either you can search for the category required, or you can just scroll down the list and select Windows Update for Business (WUfB). When you select WUfB, there will be 62 settings under it.

For this blog I am only choosing the one setting that is required, but you can go ahead and check all the settings that you require. So, for setting up the servicing channel, you will see that Branch Readiness Level is the one where you get that option with a drop-down to choose from. Check the setting below, and once you have selected the required settings close the settings picker. Under Configuration settings you can now find the Branch Readiness Level drop-down options like below.

Please make a note here, which is very important, that if you select Semi-annual Channel it's only applicable till 1903. After 1903, Semi-annual Channel and Semi-annual Channel (Targeted) have been merged into one and their value is 16. So, choose your options wisely.

After selecting your channel select Next and choose the groups to assign the deployment to. Use device groups for this kind of deployment. Click on Next to move on. Select scope tags, if any, and then click Next. Review the settings you selected and click on Create. That's all folks; you have selected the servicing channel with an alternate option and deployed it in your environment. If you have other ways to set it up let me know. Also, let's wait for Microsoft to provide better options with Windows Update for Business. See you guys next time then with some new blog post.😉😎
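The Settings Catalog item above writes the Update/BranchReadinessLevel policy to the device, and the caveat about value 32 only applying up to 1903 is easy to get wrong in a mixed estate. The check below is an added example of mine, not from the post or Microsoft; it reads the value the MDM policy manager stored, the value an old Group Policy may still be setting, and flags the two situations the post warns about. The value-to-channel map follows the Update CSP documentation for BranchReadinessLevel, and 18362 is the build number of Windows 10 1903.

```powershell
# Added example (not from the post): report the Branch Readiness Level that reached
# a device via Intune, and whether Group Policy is competing with it.
function Get-BranchReadinessLevel {
    # Values from the Update CSP (Update/BranchReadinessLevel).
    $channelMap = @{
        2  = 'Windows Insider Dev (Fast)'
        4  = 'Windows Insider Beta (Slow)'
        8  = 'Release Preview'
        16 = 'Semi-annual Channel (merged with Targeted from 1903)'
        32 = 'Semi-annual Channel (valid only up to 1903)'
    }
    $build1903 = 18362

    # Where the MDM policy manager stores device-scope Update policies delivered by Intune.
    $mdm = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update' `
            -Name BranchReadinessLevel -ErrorAction SilentlyContinue).BranchReadinessLevel
    # Where the equivalent Group Policy setting lands.
    $gpo = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
            -Name BranchReadinessLevel -ErrorAction SilentlyContinue).BranchReadinessLevel
    $build = [int](Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    $warnings = @()
    if ($null -ne $mdm -and $null -ne $gpo -and $mdm -ne $gpo) {
        $warnings += "Intune sets $mdm but Group Policy sets $gpo; remove the GPO so the Intune value is the only source."
    }
    if ($mdm -eq 32 -and $build -gt $build1903) {
        $warnings += "Value 32 is only meaningful up to 1903 (build $build1903); this device is build $build, use 16."
    }
    if ($null -ne $mdm -and -not $channelMap.ContainsKey([int]$mdm)) {
        $warnings += "Unexpected value $mdm; not one of the documented channel values."
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Build            = $build
        IntuneValue      = $mdm
        IntuneChannel    = if ($null -ne $mdm -and $channelMap.ContainsKey([int]$mdm)) { $channelMap[[int]$mdm] } else { 'not set (CSP default applies)' }
        GroupPolicyValue = $gpo
        Warnings         = $warnings
    }
}

Get-BranchReadinessLevel
```

Run it after a device sync; an empty Warnings list with IntuneValue = 16 is what a correctly deployed Semi-annual Channel profile looks like on a post-1903 build.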
Intune Windows Update for Business and Setting Servicing Channels
devphoenix88
Aug 25, 2021
In Servicing
When you start managing devices from Intune, you will obviously start to have requirements to check reports for various purposes: if you are patching using WUfB you need to check how many devices are compliant, and if you are deploying an application you may want to check its compliance count. We had many reports in MECM which made our tasks easy, but in Intune I still feel we lack a few important reports. Yes, we do have many reports under Device Monitoring, but we may still need to create some dashboards as per our requirements. Now, Intune may not have many inbuilt reports, but it certainly gives you the opportunity to build some dashboards by exploring the Data Warehouse data model, which you can get access to. This blog post helps you reach the point where you should be able to create a report or dashboard. It seemed pretty straightforward to me. So, here we go...

The first thing you require here is the Power BI Desktop app. It's free: you can either download and install it from the App store, or check the link below and download and install the latest version manually: https://powerbi.microsoft.com/en-us/downloads/

When the installation is complete and you have opened the app you will find the screen below. There are generally two ways to connect to the OData feed of Intune: click on Get Data from the Home menu, or just click on Get data from another source, pointed to by the red arrow above. Both will open the same window, shown below. In this window go to the last option, Other, and select OData Feed. When you click on this it will ask you for the link of the OData feed. Select Basic or Advanced as per your need; I am going with Basic for demo purposes.

To get the URL for the OData feed of Intune, go to your Intune console -> Reports -> under Intune Data Warehouse select Data Warehouse, and then copy the URL from OData feed for reporting service.
Now come back to Power BI Desktop, paste the URL in the required window and click OK. A new window opens for authentication and asks you to sign in to connect to this OData feed. Remember here to use Organizational account, then click on Sign In and provide your Intune credentials. Make sure you have enough permissions to do this in Intune when doing it in production. In my test environment I have not faced any issue with connection or any slowness, but when I tried to connect using my prod credentials it threw an error one time and the loading of tables or data seemed a bit laggy; but it could be anything, maybe my internet connection was not good enough. 😂

Anyway, you will now see the tables loading with all the required data under Navigator. Looking pretty good up until now, huh? 😎 If you want to check some data in these tables, just click on any one and, as above, you can see the corresponding values stored in them on the right-hand side. Now, if you want to create a dashboard, just select the tables based on your requirement and you will see the check boxes highlighted once you select them. Once done, click on Load. This will begin to load your tables with values into your workspace. When loading of data is complete you can work with them: click on Visualisations to select the type of graph or data representation according to your needs, then work with the columns under Fields and create your own dashboards like below:

That's it, done; now you can create your own dashboards/reports as per your requirement. I am not that good with Power BI, so digging deep to create reports and dashboards is a little difficult for me here, but you guys are experts, so go on and create reports and help people like me in need. 😊 That will be all folks for this time, see you guys in my next post. Until then, cheers 😉
Create Intune Custom Dashboards Using Power BI Desktop
devphoenix88
Jul 21, 2021
In Troubleshooting
Recently, I had a requirement where I needed to set the Device Category of devices in Intune. Well, for a single device it's pretty easy, right? We all know how to do that. For those of you who are not aware how to change the device category, go to this MS article and learn: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping. Now, we all have to agree that device categories are there to make your job easier, so that you can create Azure security groups based on them and then do your deployments. But what happens to those Windows devices which you have enrolled using Hybrid Azure AD join? Like Mac and iOS, they don't get any option where you could categorise them, or rather have some category assigned automatically at the time of enrolment, since you have obviously enrolled them using the MDM GPO.

So, the question is how I can update the device category of multiple devices at once. Well, there isn't a straightforward procedure to do it as of now. You just can't go to the Intune portal and start updating each device separately; that is too much manual effort. But we have some help from Graph API and the Intune PowerShell module. A few lines of code can achieve things so fast, amazing right? 🤗 Let's see how we can achieve that. Here I will show how you can update it for one device; putting loops around those lines and executing the code for multiple devices is your job. I can just show you how to build the code and achieve it. 🤓

Below is the screenshot of the device where you can see that Device Category is Unassigned. Let us see what we need to do in PowerShell to change this manually. If you have not installed the Microsoft.Graph.Intune module, execute the line below first and install the module:

Install-Module -Name Microsoft.Graph.Intune

Note: If you face any error, try to open PowerShell in an elevated Admin prompt and set the execution policy to Unrestricted (RemoteSigned is normally enough to install and import a gallery module and is the less permissive choice).
Once the installation of the module is done, import the module using the command below:

Import-Module Microsoft.Graph.Intune

After importing the module successfully, we need to connect to MS Graph to execute our code. The only pre-req here is that you should have at least the Intune Administrator role to access and make changes to the device category. The command to connect to MS Graph is:

Connect-MSGraph

Once you hit Enter it will ask for your credentials, as shown below. Enter your credentials to connect and it will then show your tenant id, confirming the connection.

Now, once you are connected, you have to check your available device categories. This is required so that you get the id of your device categories, since at this moment you would not have any other way to get the id of the device categories. Execute the command below to get the device category information:

Get-DeviceManagement_DeviceCategories

Check in the Intune portal whether you have the correct information. For me all good up until now.

Next, you require the Intune Device ID of the device. You can get it from the Intune portal or, since we are executing everything using PowerShell, let's get the device details in a .csv file and find the Device ID there. You can use the same command to get the list of all device ids:

Get-IntuneManagedDevice | Get-MSGraphAllPages | Select-Object ID, DeviceName | Export-Csv -Path "c:\Temp\Listdevice.csv" -NoTypeInformation

The .csv file looks like this. Now we have everything that we need to execute the code to change the device category. I am going to change the device category of the device DESKTOP-U9IRJ4D, so I am using its device id, and the device category will be Windows, so I am using the device category id of Windows here.
# Declare variables: the Intune device id and the target device category id
$DeviceID = "dde9c683-ba2c-491c-92d2-453c8d549da0"
$DeviceCategory = '3deae90a-1692-446a-97e0-46ee2ce673ab'

# Create the request body which will associate the two objects
$requestBody = @{
    "@odata.id" = "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/$DeviceCategory"
}

# Make a call to Graph that will create the association (PUT on the $ref navigation link)
Invoke-MSGraphRequest -HttpMethod PUT -Url "deviceManagement/managedDevices/$DeviceID/deviceCategory/`$ref" -Content $requestBody

That's it, all done, and your device category is changed from Unassigned to Windows. You can use the same code now and just make changes to a bulk amount of data at once: keep the device category id constant, get a dynamic entry for the device ids using a foreach block and execute the same code for the other devices. That should help you achieve your task.

Great, that's it guys, I hope this helps you sort out the issue for Hybrid joined devices and Autopilot devices too. See you until next time. Cheers…😉
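Since the post leaves the loop as an exercise, here is an added example (not from the original post) that wraps the same PUT on deviceCategory/$ref in a foreach over the exported .csv, resolves the category id by its display name instead of a pasted GUID, validates each id before calling Graph, and records success or failure per device. It assumes Connect-MSGraph has already been run, that C:\Temp\Listdevice.csv has the ID and DeviceName columns exported above, and that the target category is named Windows; the path and category name are placeholders to adjust for your tenant.

```powershell
# Added example: bulk-assign one Intune device category to every device listed in a CSV.
# Assumptions (adjust for your tenant): Connect-MSGraph has been run in this session,
# the CSV has ID and DeviceName columns, and a category with this display name exists.
Import-Module Microsoft.Graph.Intune

$CategoryName = 'Windows'                 # placeholder: display name of the target category
$CsvPath      = 'C:\Temp\Listdevice.csv'  # placeholder: file produced by the Export-Csv above

# Resolve the category id by name so the GUID is never pasted by hand.
$categories = @(Get-DeviceManagement_DeviceCategories | Where-Object { $_.displayName -eq $CategoryName })
if ($categories.Count -eq 0) { throw "Device category '$CategoryName' not found." }
if ($categories.Count -gt 1) { throw "More than one category is named '$CategoryName'; refusing to guess." }
$categoryId = $categories[0].id

# The body is identical to the single-device version: a reference to the category object.
$requestBody = @{
    '@odata.id' = "https://graph.microsoft.com/beta/deviceManagement/deviceCategories/$categoryId"
}

$results = foreach ($device in Import-Csv -Path $CsvPath) {
    # Refuse rows whose ID is not a GUID so a mangled CSV line cannot be sent to Graph.
    $parsedId = [guid]::Empty
    if (-not [guid]::TryParse([string]$device.ID, [ref]$parsedId)) {
        [pscustomobject]@{ DeviceName = $device.DeviceName; ID = $device.ID; Status = 'Skipped: invalid id' }
        continue
    }

    try {
        # Same PUT as the single-device code; only the device id changes per iteration.
        Invoke-MSGraphRequest -HttpMethod PUT `
            -Url "deviceManagement/managedDevices/$parsedId/deviceCategory/`$ref" `
            -Content $requestBody | Out-Null
        [pscustomobject]@{ DeviceName = $device.DeviceName; ID = $parsedId; Status = 'Updated' }
    }
    catch {
        # Keep going on a failure and report it, rather than aborting the whole batch.
        [pscustomobject]@{ DeviceName = $device.DeviceName; ID = $parsedId; Status = "Failed: $($_.Exception.Message)" }
    }
}

# One row per device; pipe to Export-Csv if you want to keep the run log.
$results | Format-Table -AutoSize
```

Run it against a small CSV first and compare the Status column with the portal before pointing it at the full export.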
How to change Intune Device Category for Devices using PowerShell
devphoenix88
Jul 15, 2021
In Infrastructure
We all know that we need to test things before we move on to production. Now, I am sure there are more people like me who have very little knowledge of Mac VM creation, face issues creating it, and then find that enrolment into Intune becomes another challenge. I have seen separate posts where people explained how to create a Mac OS VM, and other posts on how to enrol them into Intune. So, here is my blog for creating your Mac VM step by step and then the procedure to enrol the Mac VM into Intune.

Note: Pardon me for my English or language mistakes; I am not that good a writer. Just concentrate on the technical part and things should be easy, folks. 😉

This post is divided into 3 phases:
Phase 1 – Creating the VM image out of Mac OS.
Phase 2 – Downloading the Company Portal package and installing it.
Phase 3 – Steps to enrol your Mac VM.

Pre-requisites: The expectation here is that you already have some hands-on knowledge when coming here to check out Mac VM enrolment. Based on that, this article explains the procedure step by step.
1. Test lab for Microsoft Endpoint Manager admin center (better known as Intune)
2. Microsoft Enterprise Mobility + Security E5 license for the user who wants to enrol the device.
3. Mac OS ISO image file version 10.14 or later; in this post I am using Mac OS Big Sur (11.0.1)
4. VMware Workstation Pro to create a VM.

NOTE: Microsoft suggests that a Mac VM should only be used for testing purposes and not in production, so please be aware of that; you just might not want to do this in production.

Ok, so once you are done and ready with all the pre-reqs, let's just get started with phase 1 to create the Mac VM.

PHASE 1
Download the latest version of VMware Workstation from https://www.vmware.com/in/products/workstation-pro/workstation-pro-evaluation.html and then just run the installation on your Windows device. I am using VMware Workstation version 16 for my lab.
Once it starts, just click on File and select New Virtual Machine. A new wizard starts and helps you create your new VM; just follow the steps below.
Select Typical and then click Next.
Choose I will select the Operating system later and click Next.
In this window select the Guest Operating system to be Apple Mac OS X, then the version as Mac OS 11.0, and then Next.
Next you need to choose the VM location where you want to save it, as well as provide an appropriate name; click Next.
Specify the disk capacity here. Note: Remember to set it to at least 35 GB, as less than 35 GB would not allow you to install Mac. Select Store virtual disk as a single file and then click Next.
Once everything is done, just click on Finish.
Now, if you have something to change, like assigned memory or disk size, you can just right-click on the VM you just created and change it accordingly. In the window above, select CD/DVD (SATA) to choose the OS and then browse to the location where you have your Mac ISO downloaded. Select it and click OK.

This does not mark the completion of your VM creation. Before starting the installation or powering on your VM, make sure to make the changes below in your .vmx file. These changes are necessary so that you have no issues powering on your VM and can enrol smoothly into Intune; otherwise you will face some issues. Navigate to the location of the .vmx file, right-click and open it with Notepad like below. Make sure to add the lines below at the end of this file:

smbios.reflectHost = "TRUE"
hw.model = "MacBookPro14,3"
serialNumber = " "
board-id = "Mac-551B86E5744E2388"
smc.version = "0"

NOTE: I have kept the serial number part empty so that you can enter your own. It is of the format shown in the screenshot below, but make sure you use your own serial number in the same format, or copy one from a physical Mac and just change the last digit. This is important; otherwise Intune will not recognize your device and would not allow you to enrol.
After these changes are appended in Notepad, save the .vmx file; now you can power on your VM. Power on your VM and just wait for it to boot up.
Select English and click on the arrow below to go to the next window.
Click on Disk Utility and Continue.
Select VMware Virtual SATA Hard Drive Media and select Erase.
Provide a Name, keep the rest as it is and then just hit Erase.
Let it complete and then just click Done when completed.
Go to Disk Utility above and then click Quit Disk Utility.
Click Install Mac OS Big Sur and click Continue.
Click Continue.
Click Agree and then Agree again.
Select the disk and click Continue.
Wait for the install to complete.

PHASE 2
Now, once your VM is set up, the installation is complete and you have logged into your Mac, we are ready to execute our second phase, i.e. download and install our Company Portal package. To download the Company Portal package, copy the link below and paste it in your Safari browser:
https://go.microsoft.com/fwlink/?linkid=853070
You will get the notification below; just click on Allow. In the Apple Dock below you will see the package downloaded and popping up for you to install; select it and start the installation.
Click Continue.
Read the license and then click Continue.
Click on Agree.
If you want to change the installation location you can; in my case we had one drive only, as seen earlier, so just click on Install.
You need to provide your account password again to install the software, then click Install Software.
The application starts to install; once done, click on Continue.
Click on Close once the installation is successful.
You will get the notice below about MS AutoUpdate; just click OK to close it.
This marks the completion of Phase 2 and you have now successfully installed Company Portal on your Mac. Next we move on to Phase 3, our Mac enrolment to Intune.

PHASE 3
From the Apple Dock, click on Launchpad. From Launchpad select Company Portal and run it.
Click on Sign In. Provide the credentials of the user who has the authority to enrol devices. Once logged in you will see the vendor name at the top, in this case TestLab, and notifications will pop up at the top. Click on Begin.
Step 1: Review the privacy information. Click Continue.
Step 2: Install management profile – Click on Download profile and wait for the Profiles window to pop up for installing the management profile. Select Install to install the management profile and proceed. Click on Install. Provide your Mac login credentials and click Enrol.
NOTE: If earlier, in Phase 1, we had not made the changes to the .vmx file for the serial number, the installation of the profile would fail here, as by default the Mac VM takes the serial number of the Windows host. So, make sure to keep the changes in the .vmx file.
Once all the enrolment tasks have completed successfully you will see the highlighted line below in Profiles. Close the Profiles window.
Step 3: Check device settings completes automatically and, once done, the message below shows up. Click on Done. Check the status; it should be in compliance.
Go to the Intune admin center portal and check whether it shows up under Mac devices or not.
That's all folks, hopefully this helps you guys enrol your Mac VM easily and you should not face the difficulties I faced during Mac VM enrolment. Cheers…
How to create Mac VM using VMware and Enrol to Intune