Join me at the Tech Summit in Amsterdam

Next week, March 28-29, the Microsoft Tech Summit will be in Amsterdam and I will be there. On Wednesday (March 28) I will be available at the Ask the Experts Reception and on Thursday (March 29) I will be speaking about Manage Windows AutoPilot via Microsoft Intune. I hope I will see you there!

pvanderwoude

About my session

In this session, I will pull you into the world of Windows AutoPilot. Learn what Windows AutoPilot is and also, learn what Windows AutoPilot is not. In this demo-rich session I will show you how to use Windows AutoPilot, together with Microsoft Intune, to simplify device provisioning.

Co-management and the ConfigMgr client

This blog post is a follow-up on this earlier post about deploying the ConfigMgr client via Microsoft Intune. In this post I want to look more at the behavior of the ConfigMgr client in a co-management scenario. I want to show the available configurations and, more importantly, I want to show the behavior of the ConfigMgr client. I want to show the corresponding configuration and the messages in the different log files.

Co-management configuration

Now let’s start by looking at the different configuration options of co-management and the configuration values. To look at the available configuration options, simply follow the next three steps (assuming the initial co-management configuration is already created).

1 Open the Configuration Manager administration console and navigate to Administration > Overview > Cloud Services > Co-management;
2 Select CoMgmtSettingsProd and click Properties in the Home tab;
3

ComanagementPropertiesNavigate to the Workloads tab, which provides the option to switch the following workloads from Configuration Manager to Intune:

  • Compliance policies;
  • Resource access policies (this contains VPN, Wi-Fi, email and certificate profiles);
  • Windows Update policies.

Note: Looking at the current Technical Preview version, the number of available workloads will quickly increase.

ConfigMgr client behavior

Now let’s make it a bit more interesting and look at the behavior of the ConfigMgr client. By that I mean the configuration changes of the ConfigMgr client that can be noticed in the log files. The co-management configuration related log file is the CoManagementHandler.log (as shown below). That log file shows the processing of the configuration and the MDM information related to the device.

Log_ComanagementHandler

The values in the CoManagementHandler.log are shown, after a configuration change, in both hex and decimal. These values relate to the following workload distribution.

Value Configuration Manager Microsoft Intune
1 (0x1) Compliance policies, Resource access policies, Windows update policies
3 (0x3) Resource access policies, Windows Update policies Compliance policies
5 (0x5) Compliance policies, Windows Update policies Resource access policies
7 (0x7) Windows Update policies Compliance policies, Resource access policies
17 (0x11) Compliance policies, Resource access policies Windows Update policies
19 (0x13) Resource access policies Compliance policies, Windows Update policies
21 (0x15) Compliance policies Resource access policies, Windows Update policies
23 (0x17) Compliance policies, Resource access policies, Windows Update policies

Compliance policies

When co-management is enabled, the ConfigMgr client will verify if it should apply compliance policies. Before applying them. That information is shown in the ComplRelayAgent.log (as shown below). It shows the current configuration (for a translation of the workload flags see the table above) and what it means for the status of the compliance policies. After that it will perform an action on the policy. In this case it won’t report a compliance state.

Log_ComplRelayAgent

Resource access policies

When co-management is enabled, the ConfigMgr client will also verify if it should apply resource acces policies. Before applying them. That information is shown in the CIAgent.log (as shown below). As that log file is used for a lot more operations, it might be a bit challenging to find the information. It shows the current configuration (for a translation of the workload flags see the table above) and what it means for the status of the resource access policies. After that it will perform an action on the policy. In this case it will skip the related CI.

Log_CIAgent

Windows Update policies

When co-management is enabled, the ConfigMgr client will also verify if it should apply Windows Update for Business policies. Before applying them. That information is shown in the WUAHandler.log (as shown below). It shows the current configuration (for a translation of the workload flags see the table above) and what it means for the status of the Windows Update for Business policies. After that it will perform an action on the policy. In this case it will look for assigned policies.

Log_WuaHandler

Start with helping users by using the awesome troubleshooting portal

This week I’m back with a new blog post, after not posting anything last week due to visiting the yearly Global MVP Summit. This week is all about creating awareness. Awareness for the troubleshooting portal (the Troubleshoot blade). The troubleshooting portal is THE best place to start with troubleshooting to help the end-users. In this post I’ll provide a complete overview of the current status of the troubleshooting portal.

Troubleshooting portal

The troubleshooting portal can be used by Intune administrators, and other delegated users like help desk operators, to view user information. The troubleshooting portal provides information about the user, the assignments for the user and the devices of the user. To get to the troubleshooting portal, simply follow the next steps.

1 Open the Azure portal and navigate to Intune > Troubleshoot (or use the short link: https://aka.ms/intunetroubleshooting);
2 On the Microsoft Intune – Troubleshoot blade, select Select user and get the information to start with troubleshooting. This will provide the overview as shown below. I will go through the different numbered items in more detail;
IntuneTroubleshooting_Overview

Item 1 – Account status

IntuneTroubleshooting_AccountStatusThis shows the status of the current Intune tenant. The logged on user does need permissions to view this information.

Item 2 – User selection

IntuneTroubleshooting_UserSelectionThis shows the name of the selected user. Simply click Change user to select a different user. All the shown information is related to the selected user.

Item 3 – User status

IntuneTroubleshooting_UserStatusThis shows the Intune license of the selected user, the number of non-compliant devices and the number of non-compliant apps.

Item 4 – User group memberships

IntuneTroubleshooting_UserInformationThis shows the group memberships of the selected user.

Item 5 – User information

This shows the detailed information of the selected user, about the assignments, the devices, the app protection status and the enrollment failures. More details below.

Item 5.1 – Assignments

This shows the details about the assignments for the selected user. At this moment it’s possible to view the details about Mobile apps, Compliance policies, Configuration policies, App protection policies, Windows 10 update rings and Enrollment restrictions (see screenshot below). To view more details, about a specific assignment, simply select the assignment, which will bring the administrator to the policy overview. This information is really useful for getting a quick overview of the assignments that are applicable to the selected user.

IntuneTroubleshooting_Assignments

Item 5.2 – Devices

This shows the details about the devices of the selected user. The shown devices are all the devices joined or registered to Azure AD. The shown information is the Device name, Managed by, Azure AD join type, Ownership, Intune compliant, Azure AD compliant, OS, OS version and Last check-in (see screenshot below). To view more details, about a specific device, simply select the row, which will bring the administrator to the device properties as shown in Azure AD. This information is really useful for getting a quick overview of the devices of the selected user.

IntuneTroubleshooting_Devices

Item 5.3 – App protection status

This shows the details about the app protection policies that are assigned to the selected user. The shown information is Status, App name, Device name, Device type, Policies and Last sync (see screenshot below). This information is really useful for quickly determining the status of the app protection policies that are applicable to the selected user.

IntuneTroubleshooting_AppProtection

Item 5.4 – Enrollment failures

This shows the details about the enrollment failures for the selected user. The shown information is Enrollment attempt, Issue ID, OS and Failure (see screenshot below). Each row represents a unique attempt. To view more details, about an enrollment failure, and the suggested remediation, simply select the row. This information is really useful for quickly determining enrollment failures for the selected user.

IntuneTroubleshooting_EnrollmentFailures

More information

For more information about the troubleshooting portal, please refer to this article about using the troubleshooting portal to help users.