Microsoft

Microsoft Intune Feedback

JB

My feedback

  1. 1,297 votes
      64 comments  ·  Ideas » Apps (all platforms)

      Here’s some more information about the public preview for Win32 app deployment.
      https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Sneak-peek-Public-preview-of-Win32-application-deployment-using/ba-p/264460

      And the video from Ignite: https://myignite.techcommunity.microsoft.com/sessions/64593?source=sessions#ignite-html-anchor

      For those of you adding additional suggestions in the comments, please create them as new suggestions. When Win32 app deployment comes out of public preview, we’ll call this one complete and I don’t want your requests to get lost!

      Thanks again for your support!

      JB commented  · 

      Hi everyone, glad to see this feature being extended into Intune.

      Question -- seems like this assumes the admin already has some experience with SCCM and Transforms, and needs that experience for preparing the installation package. I was hoping that once this feature got implemented it would automate some of that for you, but seems not. Am I wrong?

      Anyone have a good tutorial or set of documentation for the preparation steps? Looking for something that provides reliable/trustworthy information on "what's being done" and not just how to do it.

      Thanks!

      JB commented  · 

      @ON: I'm not sure where you're seeing that the IME PoSh script is only executed at enrollment time. As best I can tell, it is a "run until succeeded" mechanism that you can deploy to any system that is already enrolled.

      Furthermore, MSI apps are not only installed at enrollment time, you can deploy MSI apps to systems anytime you want (subject to a short propagation delay, in my experience it's been around 30 minutes or less).

      I think your scenario of "app vulnerability" is sufficiently remedied by simply uploading a new MSI and pushing that to enrolled devices, no need to bother the user at all....

      If you're seeing something different then we are having completely different experiences.

      JB commented  · 

      Folks, see my comment from Nov. 7 regarding the Intune Management Extension.

      I do wish expanded MSI and EXE deployment capabilities were provided directly in Intune; however, it looks like now that we have remote PowerShell scripting capabilities all of this should be possible thru this avenue. We would have to do a little development of course, so I would still prefer direct integration into the Azure Intune UI; but if anyone has critical needs right now, along with some PoSh development skills in-house, please check out the IME and perhaps report back here on your experiences if you can help out the rest of the community.

      JB commented  · 

      +1, and another feature I think is missing is the ability to deploy a file or set of files alongside a software installation. This feature was available in the Classic portal (include files/folders), but is no longer present in the Azure portal.

      That said, I came across the Intune Management Extension the other day and it seems that this feature will be rolling to Prod in the near future?

      https://docs.microsoft.com/en-us/intune/intune-management-extension

      This may solve a lot of these problems for us, if we can do a little scripting to close the gaps. Am I wrong?

      JB supported this idea  · 
    • 238 votes
        28 comments  ·  Ideas » Windows-specific
        JB commented  · 

        It wasn't implied that your BitLocker deployment method works for all scenarios...

        If you need to configure a Startup PIN (or pass, etc.) due to lack of a TPM then sure, you may still be SOL.

        But anyway regardless, BL will self-activate on 1803 now *with standard users* which is the major improvement in this space that 1803 on AutoPilot brings. Very likely many folks are not aware of this.

        JB commented  · 

        As one of the previous complainants on this topic, I do want to post an update.

        With the upgrade to Windows 10 1803, BitLocker will self-activate if it's configured to do so in Intune. I am not positive if it's due to the Device Restrictions configuration profile or the Endpoint Protection profile but either way, it's working now.

        We anticipated this since it was an advancement our organization was looking to get from improvements to the AutoPilot process on 1803, and it is panning out.

        Granted, I don't think we can manage the BitLocker configuration yet (e.g., require Startup PIN and so on, but I haven't re-tested since we moved to 1803) but that is of much lesser importance than the simple ability to activate BitLocker, which may now work for many of you if you move to 1803.

        JB commented  · 

        BitLocker on 1803 is now self-activating, many of you may find the same thing.

        JB commented  · 

        Agreed. I don't see why you cannot control this on Pro.

        JB supported this idea  · 
      • 561 votes
          25 comments  ·  Ideas » Mobile Device Management (general)

          You can deploy AirPrint settings for Mac and iOS – https://docs.microsoft.com/en-us/intune/air-print-settings-ios-macos

          You can configure some printer settings under device restrictions for Windows 10 – https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10

          But I’m hearing from a few people that this still doesn’t really help users get to local printers, and that seems the original intent. (@Henrik, if you’re getting this, please weigh in!)

          We won’t call this one complete. I’m switching this to “noted”, meaning we know you want it. Thanks again for the feedback!

          JB supported this idea  · 
          JB commented  · 

          Does using "Add-Printer" solve the issue of a print driver being missing on the machine? I'm finding that most drivers are not available as MSI installers, so we don't yet have a good way of pushing drivers to a system if they're not already included in Windows.

          If there's a simple way to knock all of this out in a centralized way (Intune), any examples please? :)

        • 580 votes
            63 comments  ·  Ideas » Mobile Device Management (general)

            The PMs involved have been talking about how best to give you a way to disable the “remove device” action. They think rather than focusing on platform enrollment types (iOS, Android, Windows), they could allow you to disable based on corporate vs personal ownership. I said I’d ask if that would work for you. :-)

            Would that get you what you need?

            JB commented  · 

            While you may not be able to prevent a user from unenrolling his device (at least not without a vendor enrollment program like DEP), you can make the window of exposure smaller by reducing the "Compliance status validity period" (in Compliance policy settings) to a shorter amount of time before marking a device as non-compliant. It's far from perfect, but it's better to have a 1- or 2-day exposure than a 30-day exposure. If you require Compliance via Conditional Access, you should be able to automatically block the unenrolled devices once that amount of time has passed.

          • 1 vote
              1 comment  ·  Ideas » Mobile Device Management (general)

              As of the March 26 updates, after a compliance or configuration policy is applied to an iOS device, users are prompted to set a PIN every 15 minutes. Users are continually prompted until a PIN is set. So, not forcing exactly, but nagging, a lot – is that close?

              JB commented  · 

              Not using a vote here, although I do agree it would be good to have this capability.

              However, make sure you're aware of the ramifications of forcing that on for your Android users.

              https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/32361511-should-be-able-to-manage-requirment-of-startup-boo

            • 34 votes
                3 comments  ·  Ideas » Android-specific
                JB commented  · 

                Agreed. Nougat's "Direct Boot" is something Intune should support. Otherwise if a user's device reboots overnight (for example, for updates) they can miss calendar and e-mail notifications, alarm clock alerts, etc.

                https://www.howtogeek.com/269422/how-to-enable-android-nougats-direct-boot-for-less-annoying-encryption/

                Intune seems to consider the device "not encrypted" if Require PIN on Startup is disabled. Intune should be able to distinguish between the two, so we can still mark a device compliant while having user data encrypted and have the device remain bootable without entering a PIN. There is no such problem on iOS, which I'm assuming works the same way -- the operating system can load without requiring an unlock PIN just to boot the device.

                JB supported this idea  · 
              • 1,076 votes
                  27 comments  ·  Ideas » Azure Admin Console

                  We haven’t forgotten that many of you want PowerShell to manage the service! I’ll update this thread when I have more information on that which I can share. In the meantime, here are a few things related to Graph that may be of interest to you:

                  November 2017 we released the Intune management extension, which lets you Manage PowerShell scripts in Intune for Windows 10 devices (https://docs.microsoft.com/en-us/intune/intune-management-extension)

                  We’ve announced that Intune APIs in Microsoft Graph are no longer in beta and are now generally available https://cloudblogs.microsoft.com/enterprisemobility/2018/01/31/intune-apis-in-microsoft-graph-now-generally-available/

                  At Ignite 2018, we demonstrate key automation scenarios using PowerShell, using Microsoft Graph APIs to simplify Microsoft Intune administration; and transitioning profiles, apps, and policies from a pre-production to production environment.
                  https://myignite.techcommunity.microsoft.com/sessions/64603

                  Also, as of the Oct 29 2018 release we have a public preview for a new PowerShell module, which provides support for the Intune API through Microsoft Graph. More info…

                  JB commented  · 
                • 4 votes
                    1 comment  ·  Ideas » Apps (all platforms)
                    JB shared this idea  · 
                  • 13 votes
                      1 comment  ·  Ideas » Windows-specific
                      JB commented  · 

                      Can't you already do this? It's working on a couple machines I have tested; domain-joined to AD, but also enrolled to our Azure MDM channel.

                      Make sure you are doing the "Enroll in mobile device management" under Accounts as a user with admin privs; this is NOT the same as the Workplace Join that a standard user account can do.

                      Enrolling in MDM will make the device accept policies from Intune on Azure.

                    • 41 votes
                        2 comments  ·  Ideas » Windows-specific
                        JB supported this idea  · 
