Monday, 29 July 2019

Intune custom notifications just arrived

This is just a quick post to demonstrate a really cool feature that's just arrived in the Intune console. You can use this feature to quickly notify employees about an important event and messages can be customized for any general communication purpose. Custom notification messages include a short title and a message body of 500 characters or less.

What you should know
  • Supported on managed iOS and Android devices (not Windows)
  • Company Portal is required
  • Messages appear as standard push notifications from the Company Portal
  • Intune doesn't actually save the messages
  • You can send up to 25 messages per hour
  • Intune and the Company Portal app can’t guarantee delivery of a custom notification. Custom notifications might show up after several hours of delay, if at all, so they shouldn't be used for urgent messages
  • Custom notifications can be visible on lock screens on both iOS and Android devices depending on device settings.
Sending a custom notification

So how do we send these notifications. 

Navigate to Devices > Send custom notifications.

Enter a title (max. 50 characters) and a body (max. 500 characters).

Assign the notification to the group you need....

...and create the notification.

Intune processes the message immediately. It doesn't save it so you can't see a list of notifications. This is the only confirmation we can see.

On a device, users see custom notification messages that are sent by Intune as a standard push notification from the Company Portal app. On iOS devices, if the Company Portal app is open when the notification is received, the notification displays in the app instead of being a push notification. This is what happened in my test. The dialog above popped up for me and I couldn't miss it.

The notification remains until the user dismisses it.

This is a cracking little feature and I hope you enjoy it.

Until next time...

Thursday, 11 July 2019

AutoPilot hybrid - issue resetting devices


I'm implementing an AutoPilot process for a customer at the moment involving hybrid AAD join of Windows 10 1809 devices (Lenovo T480 laptops). In general the AutoPilot process works. However we ran into trouble when we retired or reset a device that had been previously joined to Azure AD. The behaviour was consistent and the devices never joined AD or AAD.

After sign in the devices were stuck on "Please wait while we set up your device". (The screenshot above shows 1809 VM on the left and 1903 on the right).

After about 30 minutes they would fail with:

Something went wrong. Confirm that you are using the correct sign-in information and that your organization uses this feature. You can try to do this again or contact your system administrator with the error code 80070774”

This suggested that there was something preventing the Offline Domain Join from completing and the process timed out. I researched the problem and saw that I wasn't alone. Similar issues were reported in the TechNet forums.

  • I made sure that the devices did not still exist in AD or Azure AD but it did not make any difference.
  • Also I made sure that the ODJ profile was assigned to a dynamic group of my AutoPilot devices. Remember the solution worked perfectly first time around. It only gave trouble when the devices were reset.
  • The AutoPilot device group was based on the presence of the ZTDId attribute.

I reached out to the product group and Michael Niehaus gave me some advice. He suggested that only way to get it to reliably work was to remove all the device objects (AAD, Intune, Autopilot) and then re-import the device to Autopilot to start over. He also suggested a possible workaround. Target the Domain Join device configuration policy to "All Devices" instead of AutoPilot devices only as that would help with the ODJ timeout problems. 

That's what I did. I changed the targeting and it worked. The devices joined both AD and Azure AD as normal. Thanks Michael.

I hope this helps you if you find yourself in the same situation. 

Until next time......

Monday, 8 July 2019

AutoPilot CSV file formatting issues

I've been uploading hardware IDs to Intune for my customer so that the devices can be provisioned using AutoPilot and Intune. We create CSV files in batches of 50 and everything has been going well so far. However the process started to fail today.

Intune would not accept the formatting of the CSV files. 

Each row must have a minimum of 3 columns

The formatting looked ok to me though. It was a CSV file of 50 devices created using the -append parameter.

Get-WindowsAutoPilotInfo.ps1 -OutputFile .\batch1.csv -append

The project leverages Microsoft Teams for collaboration and I subsequently discovered that the files had been uploaded to Teams and downloaded again. This must have caused some subtle issue with the formatting. Once I got the original files I was able to continue as normal.

I've also noticed that a simple edit of the CSV file can cause formatting issues. There was a duplicate line in one of the files but simply deleting the line caused an issue.

In the end I uploaded the file with the duplicate and just accepted the import error.

I hope this helps anyone else scratching their head with AutoPilot CSV formatting issues. My advice:
  1. Use the original CSV file only
  2. Keep editing of the CSV file to a minimum
Until next time....

Thursday, 30 May 2019

Deploying Intune Connector for AD with a web proxy

I'm working on a Windows AutoPilot solution for a customer this week. This is a hybrid AD solution and the devices will join both Azure AD and the corp AD. I had previously deployed the Intune Connector for Active Directory for testing purposes and it's pretty straightforward. However it's a little different in an enterprise environment. 

I successfully installed the connector on a Windows Server 2016. However the connector never appeared in Intune. There were many errors in the ODJ Connector event logs

"We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \"DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.\"] [Exception Message: \"Failed to get a value for Key: OdjServiceBaseUrl\"] [Exception Message: \"The given key was not present in the dictionary.\"

The proxy log files showed no activity so clearly I needed some way to ensure that the tool was directing traffic to the proxy.

This document discusses using the tool with on-premise proxies

However, it’s really not useful as it just recommends bypassing the proxy and configuring the tool (ODJConnectorUI.exe.config and ODJConnectorSvc.exe.config) to do that. We all know that is not practical. Most enterprise customers won’t allow you to bypass the proxy so I needed a way to make the Intune Connector use the proxy.

  • Configuring the proxy in IE does not work
  • Using “netsh winhttp set proxy” does not work 
Michael Niehaus worked on this and provided the code to add to the config files.

It worked perfectly and the Intune Connector was created (you have to restart the Intune ODJConnector Service).

The documentation will be updated accordingly. 

This is the code snippet that should be added to both the ODJConnectorUI.exe.config and ODJConnectorSvc.exe.config files.

<?xml version="1.0" encoding="utf-8" ?>
      <proxy usesystemdefault="false" proxyaddress="http://contoso-proxy:3128" />  

    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6" />


 It was good to see successful communication in the event logs

It is important to include http:// in the proxy address. We didn't at first and we spotted the following in the event logs:

":"We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \"DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.\"] [Exception Message: \"The ServicePointManager does not support proxies with the scheme.\"]" 

I hope this helps someone to configure the Intune Connector for Active Directory behind a web proxy.

Until next time....

Tuesday, 21 May 2019

Renew Cloud Management Gateway Certificate

It's always a good idea to purchase an SSL certificate for as long as possible to minimize renewal times. They're a pain, right. We're always a little unsure about exactly how to renew the cert. However I have quite a few customer CMGs with one year SSL certificates and they are expiring soon so I thought I better figure out the renewal process.

Firstly, you cannot see that the CMG certificate is expiring in the ConfigMgr console. I've asked the Product Group to add this as a Management Insight or at least to expose the expiration date in the console.

Usually the only way you will be reminded about the expiring certificate will be an email from your certificate vendor (DigiCert in my case).

DigiCert remind you when the certificate is expiring in 90 days. There is no penalty for renewing early. When you renew early, DigiCert adds the remaining time from your current certificate to your new certificate (up to 3 months). You don't have to wait until the day before your certificate expires just to get your money's worth.

I have received the email and can now see the "Renew now" option in the DigiCert portal.

Should I renew the cert or generate a new one?

Technically, when you renew a certificate, you are purchasing a new certificate for the domain and company. Industry standards require Certificate Authorities to hard code the expiration date into the certificates. When a certificate expires, it is no longer valid and there is no way to extend its life. So, when you "renew" your certificate, DigiCert must issue a new one to replace the expiring one. So it's not really a renewed certificate.

What does renewing mean then?

To make renewing a certificate easier, DigiCert (and other vendors) automatically includes the information from the expiring certificate in the renewal wizard. However, because you're ordering a new certificate, you can update any of the information during the order process, if needed. Note that if you change any of your organization’s information (location, etc.) you may need to provide new validation documentation to verify the changes. 

I decided to go for a new certificate.

I generated a new CSR using the vendor tool with the same details as the previous certificate.

The certificate was approved and I could download the .crt file.

I imported the .crt file into the tool to complete the process and associate with the private key.

Then I was able to export the certificate to a usable format.

Selected .pfx with the private key, entered a password......

....and the new certificate was ready.

So what now? Is it just as simple as replacing the certificate in the properties of the CMG? Yes, it is. Simply browsed to the new certificate, entered a password and clicked Apply.

You can monitor activity in the Operations logs in Azure.

Finally you can run the CMG Connection Analyzer to make sure that everything is OK.

Will the world end if the certificate expires?

Not really. Your internet clients won't break and will still have the same functionality. You just won't be able to manage them over the internet though. When you eventually add a new certificate you will not have to take any action on the clients.

I hope this helps. Until next time.....