I have had several customers the last week asking how to fix the PrintNightmare and patch it when using Intune and Windows Update for Business. So this is just a short and quick HOWTO on using expedite updates feature in Intune.
Go to Microsoft Endpoint Manager portal: https://endpoint.microsoft.com and go to Groups.
Recently I migrated a customer from old devices to new Samsung devices. Both are enrolled using KME . The customer experienced they were not able to use Samsung Smart Switch after the new devices was enrolled and setup. That was a requirement from them, that their users needed to be able to migrate data from their old devices to their new devices.
We can always discuss if this is a good idea or not, anyway this was a requirement and here is the fix 🙂
The error the user is seeing is this:
Go to https://endpoint.microsoft.com, click Apps, Android, Managed Google Play app and click OK.
Search and find Samsung Smart Switch, approve it and start a sync.
And soon as the apps is available in the tenant, we can continue with the next step.
Go to https://endpoint.microsoft.com and go to Apps and App configuration policies. Click Add and then Managed devices.
Give it a name, select Android Enterprise and Fully Managed in profile type, select the Samsung Smart Switch app and continue.
In Configuration Settings select “Use configuration designer” and click +Add. Check “Allow SmartSwitch Run” and Click OK
Be sure to check the checkbox in “Configuration value”.
Click next and assign the policy to an group appropriate group and the apps will now work for the users.
A cool feature of Azure AD is Access review. It can be used for many things to control Azure AD group membership. One of the things I will be using it for is to control licenses and help to provide self service license management.
With Access Review we can control how often the users or owners are prompted to re-validate if the still need access to the group. This can be weekly, montly, quarterly or yearly. Once this period is over the users will be prompted via email to review their access to the group. We can even control what behavior will happen if the fail to do so.
As we know, in order to deploy apps with Intune on macOS the app needs to be a signed .pkg file wrapped into a .intunemac file.
From Adobe Admin console we can create a pkg file containing the Adobe CC app or other Adobe apps if needed. Unfortunately this file is not signed, and multiple forum threads confirm that signing them is not supported.
So how do we get around that? I was searching around to find a proper solution. I couldn’t find anyone who had come up with a solution, so I decided to find one my self. What if we don’t sign the Adobe CC pkg file it self but wrap it into another pkg file and run the Adobe CC pkg as a postscript? I did that and it’s actually working!
Disclaimer: I’m by no means a macOS guy, I’m a Windows guy and have always been :-). There might be things in this post that can be done smarter or in another way – if so, please let me know.
As stated on docs.microsoft.com, in order to distribute apps to macOS, they need to be in .pkg format and converted to the .intunemac format. Furthermore the .pkg file needs to be signed with a Apple Developer certificate.
Quote from docs:
The .pkg file must be signed using “Developer ID Installer” certificate, obtained from an Apple Developer account. Only .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported.
But what if we need to distribute an app there’s is not in the AppStore or is not in a signed .pkg file? Then we’ll have to repackage it with a packaging tool. I’m using an app called packages. Let me show it and explain.
Today my colleague (who have been working with SCCM for the last 15 years) asked how to handle USB dongles when they are shared between multiple Surface Pro devices in a staging facility. I was a bit surprised that he didn’t know, so I thought I’d put together a quick post about it, even though it’s pretty old news 🙂
Continue readingBy default, if we want to install multiple languages of Office 365 ProPlus on the same device, it is only possible if we create one package with all the desired languages. This is also the best practices from Microsoft on how to deploy additional languages with Office 365 ProPlus.
But what if we want to have one package for every language?
I know the same can be achieved by letting Office setting the install language to follow the OS language, but if the OS is always English and not localized, this doesn’t help.
An example could be if we always install English Office for all users, but want to provide the users an easy way to install another Office language. Or if we simply want to minimize the footprint and diskspace, by only installing the desired language or let the user decide what language of Office 365 ProPlus they want.
This can be done if we create the Office package as a Win32 app in Intune. Because we can specify Detection Rules, we can specify a different rule for each language. Using this method also lets you add an Image that fits and looks better in Company Portal. I’d recommend using the following image:
https://icons8.com/icons/set/office-365
Here’s the XML file i always start with:
<Configuration ID="ba28e355-69e8-490a-ba64-1ca58c928a8b">
<Add OfficeClientEdition="32" Channel="Broad" AllowCdnFallback="TRUE" ForceUpgrade="TRUE">
<Product ID="O365ProPlusRetail">
<Language ID="en-us" />
<ExcludeApp ID="Groove" />
<ExcludeApp ID="OneNote" />
</Product>
</Add>
<Property Name="SharedComputerLicensing" Value="0" />
<Property Name="PinIconsToTaskbar" Value="TRUE" />
<Property Name="SCLCacheOverride" Value="0" />
<Updates Enabled="TRUE" />
<RemoveMSI All="TRUE" />
<AppSettings>
<Setup Name="Company" Value="Larsstaal.com" />
<User Key="software\microsoft\office\16.0\common\general" Name="shownfirstrunoptin" Value="1" Type="REG_DWORD" App="office16" Id="L_DisableOptinWizard" />
<User Key="software\microsoft\office\16.0\common" Name="qmenable" Value="0" Type="REG_DWORD" App="office16" Id="L_EnableCustomerExperienceImprovementProgram" />
<User Key="software\microsoft\office\16.0\common\general" Name="ShownFileFmtPrompt" Value="1" Type="REG_DWORD" App="office16" Id="L_ShownFileFmtPrompt" />
<User Key="Software\Microsoft\Office\16.0\Outlook\Options\General" Name="DisableOutlookMobileHyperlink" Value="1" Type="REG_DWORD" App="office16" Id="L_DisableOutlookMobileHyperlink" />
<User Key="Software\Policies\Microsoft\Office\16.0\Outlook\Options\General" Name="DisableOutlookMobileHyperlink" Value="1" Type="REG_DWORD" App="office16" Id="L_DisableOutlookMobileHyperlink2" />
<User Key="software\microsoft\office\16.0\excel\options" Name="defaultformat" Value="51" App="excel16" Id="L_SaveExcelfilesas" />
<User Key="software\microsoft\office\16.0\powerpoint\options" Name="defaultformat" Value="27" App="ppt16" Id="L_SavePowerPointfilesas" />
<User Key="software\microsoft\office\16.0\word\options" Name="defaultformat" Value="" App="word16" Id="L_SaveWordfilesas" />
</AppSettings>
<Display Level="Full" AcceptEULA="TRUE" />
<Logging Level="Standard" Path="C:\Temp\Office365Logs" />
</Configuration>
First create the XML files needed, change the language in the configuration.xml to match what you want.
<Language ID="da-dk" />
Download the content prep tool from GitHub. https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool
Follow these instruction on how to use Win32 app in Intune:
https://docs.microsoft.com/en-us/intune/apps-win32-app-management
When you reach the point on where you can create the detection rule, use the following rule:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail – da-dk
key exist
Change da-dk to whatever language specified in the XML.
Deploy and assign the application.
Done 🙂
Just a quick step-by-step guide on how the configure Android Zero Touch with Intune.
Why do we want to use Corporate-owned, fully managed user devices? In order to give the user an out-of-box experience that automatically enrolls devices into our MDM solution, just like Apple DEP but for Android Enterprise devices. Also, it gives a less confusing user experience, as we only have a work profile and not a private AND work profile, like we do with personal owned android devices.
Of course this is still a preview feature in Intune, and context is subject to change.
When users try to use Acrobat Reader for Intune on Android, they might see the following error pop up on their phones:
This app has not been set up for you to use. Contact your IT administrator for help.
I had a customer who called about a single user had issues with setting MFA up to use text, Phone call or even Microsoft Authenticator via. http://aka.ms/MFASetup. The call or text message was never received. In the Authenticator App, when they scanned the QR code, they got the following error pop up:
“Activation failed. Make sure that push notifications are enabled on the phone and your Activation Code is not wrong, expired or formerly used.”
Larsstaal.com 