Microsoft Intune for Beginners

At first, learning about Microsoft's vision for MDM can be tricky: there are different considerations for personal-owned and company-owned devices, and a different approach for the standalone MDM solution (Microsoft Intune) and Unified Device Management (ConfigMgr + Intune). Below is a collection of resources for beginners on their MDM journey.

When we plan a PKI infrastructure for customers, a big part of the work is to define security policies aligned with the business strategy. When we plan ITSM for companies, the first phase is to validate or define process management according to ITIL/MOF, aligned with the customer's business needs. BYOD has the same requirement: without a good BYOD policy the project may, and likely will, fail.

I recommend getting familiar with the technology-agnostic Microsoft guide called:

Bring Your Own Device (BYOD) Design Considerations Guide

Different industries have different challenges related to BYOD implementation. Microsoft published a great document based on experience with school environments:

BYOD Devices – A Deployment Guide for Education

Sooner or later we need to know the capabilities of Microsoft Intune standalone vs Unified Device Management:

Scenario | System Center 2012 R2 Configuration Manager only | Microsoft Intune only | System Center 2012 R2 Configuration Manager and Microsoft Intune
--- | --- | --- | ---
Microsoft Windows | Yes | Yes | Yes
Microsoft Windows Server | Yes | No | Yes
Windows Phone | No | Yes | Yes
Windows RT | No | Yes | Yes
iOS | No | Yes | Yes
Android | No | Yes | Yes
Mac OS X | Yes | No | Yes
Unix/Linux Servers | Yes | No | Yes
Extensible Windows PC Device Configuration Settings (e.g., WMI, Registry) | Yes | No | Yes
Extensible Mac OS X Configuration Settings | Yes | No | Yes
Mobile Device Configuration Settings | No | Yes | Yes
Application Deployment | Yes | Yes | Yes
Windows Operating System Deployment | Yes | No | Yes (no deployment over Intune)
Software Updates | Yes | Yes | Yes
Endpoint Protection | Yes | Yes | Yes
Software Metering | Yes | No | Yes
Hardware and Software Inventory | Yes | Yes | Yes
Custom hardware and software inventory | Yes | No | Yes
Role-based Administration and Reporting | Yes | No | Yes
Unified Reporting for Cloud- and Corporate-connected Devices | No | No | Yes
Cloud-based Reporting | No | Yes | No
Security Settings | Yes | Yes | Yes
Remote Wipe | Yes | Yes | Yes
Remote Lock | No | Yes | No
Passcode Reset | No | Yes | No

Suppose we are familiar with the document above and we start the implementation. The first step in managing a device is to enroll it, and the "how to" differs per platform during this phase:

Windows Phone 8 and Windows Phone 8.1
  • Windows Phone 8: Click system settings > company apps, and sign in using your user ID.
  • Windows Phone 8.1: Click system settings > Workplace, and sign in using your user ID.
  • Note: you must select Install Company app or Hub to be able to get company apps. If the Windows Intune account does not have a public domain and you are using a * account, you will need to type in the server address as “” when you are prompted for it.

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain
  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the User ID and click Turn on.
  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.
  If the account does not have a public domain and you are using a * account, you must add the following registry information to enroll your Windows 8.1 computer:
  1. Create the MDM registry key if it is not already present: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
  2. Under the MDM registry key create a new REG_SZ called DiscoveryService with the value data “”

Windows RT
  Click Start, type “System Configuration”, and click the dialog box to open the Company Apps.

iOS
  Enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal, which is available in the App Store. The company portal app can be installed on iOS devices running iOS 6 or later. On the iOS device, open the Windows Intune Company Portal and enter your credentials. When prompted, click Install in the Management Profile screen.

Android
  Enroll Android devices by using the Android company portal app, Windows Intune Company Portal, which is available on Google Play. The company portal app can be installed on Android devices running Android 4 or later. On the Android device, open the Windows Intune Company Portal and enter your credentials.
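The Windows 8.1 registry workaround above, as an added example that is not part of the original post: the function creates the MDM key only when it is missing, writes the DiscoveryService REG_SZ value and reads it back so the result can be verified. The function name is my own, and the server address is a placeholder because the post leaves that value out; supply the discovery service address for your tenant.

```powershell
# Added example (not from the original post): apply the Windows 8.1
# enrollment registry workaround idempotently and return the stored value.
function Set-MdmDiscoveryService {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # Discovery service address for your tenant (placeholder in the usage below).
        [Parameter(Mandatory)][string]$ServerAddress
    )
    $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

    # 1. Create the MDM key only if it is not already present.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
            $null = New-Item -Path $keyPath -Force
        }
    }

    # 2. Create (or overwrite) the REG_SZ value DiscoveryService under that key.
    if ($PSCmdlet.ShouldProcess("$keyPath\DiscoveryService", "Set to '$ServerAddress'")) {
        $null = New-ItemProperty -LiteralPath $keyPath -Name 'DiscoveryService' `
                                 -Value $ServerAddress -PropertyType String -Force
    }

    # Read the value back so the caller sees what the enrollment client will use.
    (Get-ItemProperty -LiteralPath $keyPath -Name 'DiscoveryService' -ErrorAction SilentlyContinue).DiscoveryService
}

# Usage (run elevated). '<discovery-service-address>' is a placeholder, not a real value;
# drop -WhatIf once you have confirmed the key path and value.
Set-MdmDiscoveryService -ServerAddress '<discovery-service-address>' -WhatIf
```

Writing under HKLM\SOFTWARE\Policies requires administrator rights, which is why the usage line keeps -WhatIf until the change has been reviewed.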

Which apps can be managed on company-owned devices (Unified Device Management feature) vs personal-owned devices (Intune standalone):

Platform | Personal-owned devices | Company-owned devices
--- | --- | ---
Windows 8.1 (without the Configuration Manager client) | Only managed apps | Only managed apps
Windows Phone 8 | Only managed apps | Only managed apps
Windows RT | Only managed apps | Only managed apps
iOS | Only managed apps | All apps
Android | Only managed apps | All apps

Hardware Inventory details for supported platforms:

Hardware Inventory Class | WP 8 & WP 8.1 | Windows RT | iOS | Android (available when using the Android company portal app)
--- | --- | --- | --- | ---
Name | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Device_ComputerSystem.DeviceName | Not applicable
Unique Device ID | Device_ComputerSystem.DeviceClientID | Device_ComputerSystem.DeviceName | Device_ComputerSystem.UDID | Not applicable
Serial Number | Not applicable | Not applicable | Device_ComputerSystem.SerialNumber | Device_ComputerSystem.SerialNumber
Email Address | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Device_Email.OwnerEmailAddress | Not applicable
Operating System Type | Device_OSInformation.Platform | CCM_OperatingSystem.SystemType | Not applicable | Device_OSInformation.Platform
Operating System Version | Device_ComputerSystem.SoftwareVersion | Win32_OperatingSystem.Version | Device_OSInformation.OSVersion | Device_OSInformation.Version
Build Version | Not applicable | Win32_OperatingSystem.BuildNumber | Not applicable | Not applicable
Service Pack Major Version | Not applicable | Win32_OperatingSystem.ServicePackMajorVersion | Not applicable | Not applicable
Service Pack Minor Version | Not applicable | Win32_OperatingSystem.ServicePackMinorVersion | Not applicable | Not applicable
Operating System Language | Device_OSInformation.Language | Not applicable | Not applicable | Not applicable
Total Storage Space | Not applicable | Win32_PhysicalMemory.Capacity | Device_Memory.DeviceCapacity | Device_Memory.StorageTotal
Free Storage Space | Not applicable | Win32_OperatingSystem.FreePhysicalMemory | Device_Memory.AvailableDeviceCapacity | Device_Memory.StorageFree
International Mobile Equipment Identity (IMEI) | Not applicable | Not applicable | Device_ComputerSystem.IMEI | Device_ComputerSystem.IMEI
Mobile Equipment Identifier (MEID) | Not applicable | Not applicable | Device_ComputerSystem.MEID | Not applicable
Manufacturer | Device_ComputerSystem.DeviceManufacturer | Win32_ComputerSystem.Manufacturer | Not applicable | Device_Info.Manufacturer
Model | Device_ComputerSystem.DeviceModel | Win32_ComputerSystem.Model | ModelName | Device_Info.Model
Phone Number | Not applicable | Not applicable | Device_ComputerSystem.PhoneNumber | Device_ComputerSystem.PhoneNumber
Subscriber Carrier | Not applicable | Not applicable | Device_ComputerSystem.SubscriberCarrierNetwork | Device_ComputerSystem.SubscriberCarrierNetwork
Cellular Technology | Not applicable | Not applicable | Device_ComputerSystem.CellularTechnology | Device_ComputerSystem.CellularTechnology
Wi-Fi MAC | Not applicable | Win32_NetworkAdapter.MACAddress | Device_WLAN.WiFiMAC | Device_WLAN.WiFiMAC
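To see what the Windows RT column of the table above actually discloses, here is an added example (my own code, not from the post or from ConfigMgr) that queries the same WMI classes with Get-CimInstance and returns them as one record. The function name and the property names of the output object are my own; the class and property names are the ones in the table. Note that the table maps "Total Storage Space" and "Free Storage Space" to Win32_PhysicalMemory and Win32_OperatingSystem.FreePhysicalMemory, which report RAM (bytes and kilobytes respectively), not disk space.

```powershell
# Added example (not from the original post): collect the Windows RT hardware
# inventory values from the table with CIM and return them as a single record.
function Get-DeviceInventoryRecord {
    [CmdletBinding()]
    param (
        # Optional remote computer; when omitted the local machine is queried
        # directly, without going through WinRM.
        [string]$ComputerName
    )

    # Splat -ComputerName only when one was supplied.
    $target = @{}
    if ($ComputerName) { $target['ComputerName'] = $ComputerName }

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem @target
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem  @target
    $ram = Get-CimInstance -ClassName Win32_PhysicalMemory  @target

    # Physical adapters with a MAC only, so a virtual or loopback adapter is not
    # reported as the Wi-Fi MAC; prefer the adapter whose connection name says it is wireless.
    $nics = Get-CimInstance -ClassName Win32_NetworkAdapter @target |
            Where-Object { $_.PhysicalAdapter -and $_.MACAddress }
    $wifi = $nics | Where-Object { $_.NetConnectionID -match 'Wi-?Fi|Wireless' } | Select-Object -First 1
    if (-not $wifi) { $wifi = $nics | Select-Object -First 1 }

    [PSCustomObject]@{
        Name                    = $cs.Name                                          # Device_ComputerSystem.DeviceName
        OperatingSystemVersion  = $os.Version                                       # Win32_OperatingSystem.Version
        BuildVersion            = $os.BuildNumber                                   # Win32_OperatingSystem.BuildNumber
        ServicePackMajorVersion = $os.ServicePackMajorVersion                       # Win32_OperatingSystem.ServicePackMajorVersion
        ServicePackMinorVersion = $os.ServicePackMinorVersion                       # Win32_OperatingSystem.ServicePackMinorVersion
        TotalCapacityBytes      = ($ram | Measure-Object -Property Capacity -Sum).Sum  # Win32_PhysicalMemory.Capacity, summed over modules
        FreePhysicalMemoryKB    = $os.FreePhysicalMemory                            # Win32_OperatingSystem.FreePhysicalMemory (KB)
        Manufacturer            = $cs.Manufacturer                                  # Win32_ComputerSystem.Manufacturer
        Model                   = $cs.Model                                         # Win32_ComputerSystem.Model
        WiFiMAC                 = $wifi.MACAddress                                  # Win32_NetworkAdapter.MACAddress
    }
}

# Usage: show the record for the local machine.
Get-DeviceInventoryRecord | Format-List
```

Running this on a device before enrollment is a quick way to check, against the table, which identifying values (manufacturer, model, MAC address) the inventory will carry into the site database.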

Information sent from Intune to Configuration Manager

The following table shows the customer information that is retrieved from Microsoft Intune. This information is deleted from Microsoft Intune after it has been successfully downloaded by Configuration Manager.

Information and data sent to Microsoft Intune, grouped by purpose, with examples:
To help the admin manage enrolled devices and deploy the company’s software to users’ devices
  • Compliance settings and values, such as requiring a minimum password length of 4 characters
  • E-mail profile information, such as email server name and time of day preferences
  • Information to generate certificates for VPN profiles (but not the certificate itself)
  • Software name, description, encrypted content, and icon for apps
  • Any setting needed to enroll devices
To manage their users’ experience
  • Settings applied to user’s devices
  • Whether the company portal has been installed
  • What software applications are displayed as available in the company portals
  • What software the user has requested and installed
  • User’s software request history
To help enrolled users use single sign-on
  • User Principal Name (UPN)
  • User Name
  • Email (if email profiles are enabled and deployed)
To quickly view relevant information about enrolled devices
  • Device name
  • Device friendly name
  • Device Type
  • Device OS
  • Device Action (Wipe/Retire/Connect) state
  • Certificate expiry date
  • Primary user
  • Last connection time
To distribute certs for Wi-Fi and VPN profiles
  • NDES server information
  • System Center Endpoint Protection challenge encryption certificate (public-key only)
  • Certificate provisioning information
  • Certificate assignment and status
To quickly assess current status and versions
  • Microsoft Intune Connector Installation status e.g. “Windows Phone 8.1 extension (V1) is installed”
  • Configuration Manager Version Information e.g. “Connector Build Version 5.0.7958.1000”
To connect authorized users remotely
  • RD Gateway Server Settings
  • Machine names and Microsoft Intune users for which this feature is enabled

Other information sent by Microsoft Intune to Configuration Manager

The following table shows information that is generated by Microsoft Intune and shared with Configuration Manager. This information is deleted from Microsoft Intune after it has been successfully downloaded by Configuration Manager.

Type of Information Examples
End-user initiated commands
  • Device Wipe/Retire action information
  • Application Request information
  • User-generated device commands (rename, wipe, retire, connect now)
Tenant, user, and device error messages
  • “Apple APNs Certificate Expired”
  • “Side-loading key could not be applied”

Customer commands temporarily stored in Microsoft Intune

Commands sent to and received from mobile devices are temporarily stored in the Microsoft Intune service while the device is actively connected to the service. This data is subsequently deleted after the device’s active session ends.

The best document which I could find regarding security planning for Windows Phone is written by Paweł Pławiak and Marcin Ostrowski – you can find it here:

Przewodnik Zabezpieczeń dla Windows Phone 8.1

For English readers there is also a great ebook which you might find useful:

Windows Phone 8.1 Field Guide


/Tomasz Gościmiński

Webinar: System Center 2012 R2 Configuration Manager – Free Support Tools

Hi All!

We promised to publish the links used in our last webinar:

System Center 2012 R2 Configuration Manager – Free Support Tools

Don’t forget to read our blog post:

Link to Webinar:


  • Hydration Kit
  • Powershell Deployment Toolkit
  • GUI for Powershell Deployment Toolkit
  • SQL Sizing Document
  • Prereq Tool
  • SQL Maintenance Solution

  • MDT 2013

App Management

  • Powershell Application Deployment Toolkit
  • Coretech Shutdown Tool
  • Coretech Application Approval workflow
  • Microsoft Application Approval Workflow
  • Configuration Manager Application Request
  • Application Importer

  • Automated Documentation Tool

Client Operations

  • Configuration Manager Support Center
  • Microsoft Security Compliance Manager
  • Client Center for Configuration Manager
  • Cireson Remote Manage App
  • Right Click Tools
  • ConfigMgr Inbox Monitor
  • Client push manager

  • PoshCAT aka SCCM Client Actions Tool
  • Jason Sandys Startup script

  • ConfigMgr Management Pack
  • ConfigMgr Integration Pack
  • Coretech Asset Intelligence 3rd party software utility

  • Status Generator (StatGen)
  • ConfigMgr Content Locator

Best regards

/Tomasz Gościmiński

Deploy Applications in Enterprise like a PRO

Hello, my name is Tomasz Gościmiński and I’m an Infrastructure Consultant at Predica. Today’s post is about the value of the deployment tandem called System Center Configuration Manager and its smaller companion, the PowerShell App Deployment Toolkit. When both are integrated in your environment great things can happen – so let’s start…

Business Problem: Recently, Contoso experienced a number of system outages in which the company’s core business applications shut down unexpectedly. After several days of investigation, John Snow, Contoso infrastructure administrator, discovered that the outages were the result of a number of vulnerabilities in enterprise line-of-business applications and user software. Since then, it is critical for Contoso to manage the lifecycle of applications:

  • initial creation and testing of application deployment;
  • updating the deployed application to a newer version;
  • update and removal of the application from computers on the production network.

To reduce unplanned downtime in the future, Contoso must find a way to stay up to date at all times and to manage the lifecycle of applications in a controlled manner.

Business Solution: Company IT Director decided to invest in System Center 2012 R2 Configuration Manager to support IT Department staff. He wants to ensure:

  • compliance
  • unattended deployment
  • withdrawing apps
  • tracking
  • versioning
  • reporting

Business Case: Application Lifecycle – Adobe Reader example

Scenario: John is the Configuration Manager administrator at Contoso who must deploy the latest version of Adobe Reader 11 to 200 users, according to the requirements. So far the Contoso corporate standard is Adobe Reader 10, in which a few important security vulnerabilities were found a few days ago. John decided to withdraw Adobe Reader 10 and replace it with Adobe Reader 11 in an automated manner. John needs to know whether the user is currently using Adobe Reader, so that it can be safely closed by the user or by Configuration Manager before installation. Requirements:

  • Unattended removal of Adobe Reader 10.0.14 and installation of Adobe Reader 11.0.09.
  • A mechanism that lets the user defer the installation so they can save their work and proceed.
  • Mechanism to allow display of custom messages for users.
  • Mechanism should check if Adobe Reader or other specified apps are running before installation.

The following sections provide example steps for how to use Configuration Manager to create, deploy, and manage applications together with PowerShell Application Deployment Toolkit in your organization.

  • Download Adobe Reader 11.0.09 MSI
  • Extract Adobe Reader binaries
  • Download PowerShell App Deployment Toolkit
  • Prepare ConfigMgr Package Content
  • Modify PS1 to fulfil requirements
  • Prepare ConfigMgr 2012 Application
  • Prepare ConfigMgr Adobe Reader 11.0.09 Collection
  • Deployment
  • User Experience

Detailed Steps

  1. From site: download Adobe Reader 11.0.09 for the proper OS.
  2. After downloading the .exe, extract the installation files: open a Command Prompt, go to the Adobe Reader download folder and execute the command: AdbeRdr11009_en_US.exe -nos_o"C:\download\AR11.0.09" -nos_ne
    After a few seconds the extracted installation files are stored in the C:\download\AR11.0.09 folder. We will need them to deploy the app.
  3. From site: download and extract the PowerShell App Deployment Toolkit.
  4. From the previously extracted archive copy the Toolkit folder to the network share where ConfigMgr packages are stored. Rename the Toolkit folder according to your needs, for example: PS Adobe Reader 11009.
    The renamed PS Adobe Reader 11009 folder contains a Files folder. Copy the extracted Adobe Reader binaries into the Files folder so that all of them are in one place, ready to distribute.
  5. Modify Deploy-Application.ps1 to fulfill the requirements. I recommend reading the PowerShell App Deployment Toolkit Administration Guide. In our example Deploy-Application.ps1 looks as follows:

    [code lang="powershell"]
    <#
    .SYNOPSIS
    This script performs the installation or uninstallation of an application(s).
    .DESCRIPTION
    The script is provided as a template to perform an install or uninstall of an application(s).
    The script either performs an "Install" deployment type or an "Uninstall" deployment type.
    The install deployment type is broken down in to 3 main sections/phases: Pre-Install, Install, and Post-Install.
    The script dot-sources the AppDeployToolkitMain.ps1 script which contains the logic and functions required to install or uninstall an application.
    To access the help section, run Get-Help against this script.
    .EXAMPLE
    Deploy-Application.ps1 -DeployMode "Silent"
    .EXAMPLE
    Deploy-Application.ps1 -AllowRebootPassThru -AllowDefer
    .EXAMPLE
    Deploy-Application.ps1 Uninstall
    .PARAMETER DeploymentType
    The type of deployment to perform. [Default is "Install"]
    .PARAMETER DeployMode
    Specifies whether the installation should be run in Interactive, Silent or NonInteractive mode.
    Interactive = Default mode
    Silent = No dialogs
    NonInteractive = Very silent, i.e. no blocking apps. NonInteractive mode is automatically set if an SCCM task sequence or session 0 is detected.
    .PARAMETER AllowRebootPassThru
    Allows the 3010 return code (requires restart) to be passed back to the parent process (e.g. SCCM) if detected from an installation.
    If 3010 is passed back to SCCM a reboot prompt will be triggered.
    .PARAMETER TerminalServerMode
    Changes to user install mode and back to user execute mode for installing/uninstalling applications on Remote Desktop Session Host/Citrix servers
    #>
    Param (
        [string] $DeploymentType = "Install",
        [string] $DeployMode = "Interactive",
        [switch] $AllowRebootPassThru = $false,
        [switch] $TerminalServerMode = $false
    )

    Try {

        # Variables: Application
        $appVendor = "Adobe"
        $appName = "Reader"
        $appVersion = "11.0.09"
        $appArch = ""
        $appLang = "EN"
        $appRevision = "01"
        $appScriptVersion = "1.0.0"
        $appScriptDate = "03/11/2014"
        $appScriptAuthor = "Tomasz Gosciminski"

        # Variables: Script – Do not modify this section
        $deployAppScriptFriendlyName = "Deploy Application"
        $deployAppScriptVersion = [version]"3.2.0"
        $deployAppScriptDate = "09/01/2014"
        $deployAppScriptParameters = $psBoundParameters

        # Variables: Environment
        $scriptDirectory = Split-Path -Parent $MyInvocation.MyCommand.Definition

        # Dot source the App Deploy Toolkit Functions (defines Show-InstallationWelcome,
        # Execute-MSI, Exit-Script and the other functions used below)
        . "$scriptDirectory\AppDeployToolkit\AppDeployToolkitMain.ps1"

        # Handle ServiceUI invocation
        If ($serviceUIExitCode -ne $null) { Exit-Script $serviceUIExitCode }

        If ($deploymentType -ne "uninstall") {
            $installPhase = "Pre-Installation"

            # Show Progress Message
            Show-InstallationProgress "Performing Pre-Install cleanup. This may take some time. Please wait…"

            # Show Welcome Message, close Internet Explorer and Adobe Reader if required, allow up to 3 deferrals,
            # verify there is enough disk space to complete the install and persist the prompt
            Show-InstallationWelcome -CloseApps "iexplore,acrord32" -AllowDefer -DeferTimes 3 -CheckDiskSpace -PersistPrompt

            # Remove Adobe Reader (any MSI-installed product whose name matches "Adobe")
            Remove-MSIApplications "Adobe"

            $installPhase = "Installation"

            Show-InstallationProgress "Installing Acrobat Reader 11.0.09. This may take some time. Please wait…"

            # Perform installation tasks here (AcroRead.msi is resolved relative to the Files folder)
            Execute-MSI -Action Install -Path "AcroRead.msi"

            $installPhase = "Post-Installation"

            # Perform post-installation tasks here

            # Display a message at the end of the install
            # Show-InstallationPrompt -Message "You can customise text to appear at the end of an install, or remove it completely for unattended installations." -ButtonRightText "Ok" -Icon Information -NoWait

        } ElseIf ($deploymentType -eq "uninstall") {
            $installPhase = "Pre-Uninstallation"

            # Show Welcome Message, close Internet Explorer and Adobe Reader if required with a 60 second countdown before automatically closing
            Show-InstallationWelcome -CloseApps "iexplore,acrord32" -CloseAppsCountdown "60"

            $installPhase = "Uninstallation"

            # Perform uninstallation tasks here

            $installPhase = "Post-Uninstallation"

            # Perform post-uninstallation tasks here

        }
    } Catch {
        # Catch any errors in this script
        $exceptionMessage = "$($_.Exception.Message) ($($_.ScriptStackTrace))"
        If (!($appDeployToolkitName)) {
            # The toolkit never loaded, so its logging and dialog functions are not available
            Throw "Failed to dot-source AppDeployToolkitMain.ps1 – please check if the file is present in the \AppDeployToolkit folder"
            Exit 1
        } Else {
            Write-Log "$exceptionMessage"
            Show-DialogBox -Text $exceptionMessage -Icon "Stop"
            Exit-Script -ExitCode 1
        }
    }
    Exit-Script -ExitCode 0 # Otherwise call the Exit-Script function to perform final cleanup operations
    [/code]

  6. Now we are going to create the Adobe Reader application in the Application Model.
    1. Open the ConfigMgr Administrative Console and go to Software Library | Overview | Application Management.
    2. Right-click Applications and choose Create Application.
    3. Check Manually specify the application information. Click Next.
    4. In the General Information tab fill in as below. Click Next.
    5. On the Application Catalog tab click Next.
    6. On the Deployment Types tab click Add.
    7. In the Create Deployment Type Wizard, General tab, check Manually specify the deployment type information. Click Next.
    8. On the General Information tab fill in as below. Click Next.
    9. On the Content tab ensure the fields are as follows:
      1. Content location: [network location of Adobe Reader package]
      2. Installation program: Deploy-Application.exe Install
      3. Uninstall program: Deploy-Application.exe Uninstall
    10. On the Detection Method tab click Add Clause and fill in as follows:
      1. Settings Type: Windows Installer
      2. Product code: {AC76BA86-7AD7-1033-7B44-AB0000000001}
      3. Note: the value is provided automatically when we choose AcroRead.msi from the location of the Adobe Reader package.
      4. Choose This MSI product code must exist on the target system to indicate presence of this application.
    11. On the User Experience tab fill in as follows:
      1. Installation behavior: Install for system
      2. Logon requirement: Only when a user is logged on
      3. Installation program visibility: Normal
      4. Check: Allow users to view and interact with the program installation
    12. Leave the rest of the tabs with the default options.
    13. Distribute the Adobe Reader application to a Distribution Point according to the TechNet article:
  7. Create a collection according to the TechNet article:
  8. Create a deployment according to the TechNet article:
  9. A few screens from the user experience
    1. There is an Adobe Reader 10 icon on the Desktop which will be replaced by 11.0.09. Adobe Reader and Internet Explorer are running to simulate daily user work.
    2. After the policy is retrieved, the App Deployment Toolkit checks the running processes and displays a message accordingly. The user can defer the installation until work is done and saved, or can let PSADT close the apps. The custom message is visible at the top.
    3. After a few dozen seconds Adobe Reader 11 is installed and ready to go.
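The detection clause from step 10 can be reproduced outside the console, which is useful when you want to confirm on a test machine that the deployment will be reported as installed. The following is an added example written for this post, not code from the toolkit or from ConfigMgr: Get-MsiProductCode reads the ProductCode property from the MSI through the Windows Installer COM API (the same value the console fills in when you browse to AcroRead.msi), and Test-MsiProductInstalled asks Windows Installer for the product's install state, which is what "this MSI product code must exist on the target system" amounts to. The function names are my own; the MSI path comes from step 2 and the product code from step 10.

```powershell
# Added example (not from the original post): read the product code from the
# MSI and check whether that product is installed, mirroring the ConfigMgr
# "Windows Installer" detection clause.
function Get-MsiProductCode {
    [CmdletBinding()]
    param ([Parameter(Mandatory)][string]$Path)

    $msiPath   = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # OpenDatabase(path, 0): 0 = msiOpenDatabaseModeReadOnly
        $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($msiPath, 0))
        $sql  = "SELECT Value FROM Property WHERE Property = 'ProductCode'"
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
        $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if (-not $rec) { throw "No ProductCode property found in $msiPath" }
        # StringData(1) is the first (and only) column of the fetched row.
        $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
        $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

function Test-MsiProductInstalled {
    [CmdletBinding()]
    param ([Parameter(Mandatory)][string]$ProductCode)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # Installer.ProductState: 5 = INSTALLSTATE_DEFAULT (installed),
        # 1 = advertised only, -1 = unknown / not installed.
        $state = $installer.GetType().InvokeMember('ProductState', 'GetProperty', $null, $installer, @($ProductCode))
        return ($state -eq 5)
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

# Usage: the extraction folder from step 2; when the MSI is not on this machine,
# fall back to the product code shown in step 10 of the post.
$msi  = 'C:\download\AR11.0.09\AcroRead.msi'
$code = if (Test-Path -LiteralPath $msi) { Get-MsiProductCode -Path $msi } else { '{AC76BA86-7AD7-1033-7B44-AB0000000001}' }
'Product code {0} installed: {1}' -f $code, (Test-MsiProductInstalled -ProductCode $code)
```

Running the check before and after the deployment on a pilot machine shows whether the detection method, rather than the installer's exit code, is what will drive the success state in the console.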

Summary: the PowerShell App Deployment Toolkit is a must-have for every ConfigMgr admin. It saves time and has a great number of features. And even more important… IT IS FREE! To learn more:

Thank you and happy deployment! Tomasz