The more clients are managed in your tenant and the more people hold contributor rights in it, the more important good release management becomes. In this blog post I would like to introduce my Intune CI pipeline, which transfers configurations from one tenant to another. It lets you keep the number of administrators with access to the Prod tenant small: everyone else creates configurations in a Dev tenant, and a DevOps pipeline transfers them to Prod.
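The core step of such a pipeline, as an added example that is not the author's pipeline code: export one device configuration profile from the Dev tenant over Microsoft Graph, strip the tenant-specific properties, and create or update it in Prod. The tenant IDs, the profile name and the use of the beta endpoint are assumptions; the Microsoft.Graph PowerShell SDK is assumed to be installed.

```powershell
# Added example (not the author's pipeline): copy one device configuration
# profile from a Dev tenant to a Prod tenant over Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK and the
# DeviceManagementConfiguration.* permissions named in the Connect-MgGraph calls.
# Tenant IDs, the profile name and the use of the beta endpoint are assumptions.
$DevTenantId  = '11111111-1111-1111-1111-111111111111'
$ProdTenantId = '22222222-2222-2222-2222-222222222222'
$ProfileName  = 'W11 - Device Restrictions Baseline'
$Base = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'

# Read-only or tenant-specific properties that Prod must not receive from Dev.
$StripProps = 'id', 'createdDateTime', 'lastModifiedDateTime', 'version',
              'supportsScopeTags', 'roleScopeTagIds'

function Get-ProfileByName {
    param([string]$DisplayName)
    $filter = "displayName eq '$($DisplayName -replace "'", "''")'"
    $uri = "$Base`?`$filter=$([uri]::EscapeDataString($filter))"
    $resp = Invoke-MgGraphRequest -Method GET -Uri $uri        # hashtable output
    $hits = @($resp.value)
    if ($hits.Count -gt 1) { throw "Ambiguous: $($hits.Count) profiles named '$DisplayName'" }
    if ($hits.Count -eq 1) { return $hits[0] }
    return $null
}

# 1. Export from Dev. Assignments are not part of the object: which groups a
#    profile hits in Prod is a Prod decision, not something Dev gets to push.
Connect-MgGraph -TenantId $DevTenantId -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome
$src = Get-ProfileByName -DisplayName $ProfileName
if (-not $src) { throw "Profile '$ProfileName' not found in Dev" }
foreach ($p in $StripProps) { $src.Remove($p) }
Disconnect-MgGraph | Out-Null

# The exported JSON is the build artifact: commit it, review it, then deploy it.
$json = $src | ConvertTo-Json -Depth 20
Set-Content -Path ".\$($ProfileName).json" -Value $json -Encoding UTF8

# 2. Import into Prod: create when missing, otherwise update in place.
#    The @odata.type stays in the body; Graph needs it for both POST and PATCH.
Connect-MgGraph -TenantId $ProdTenantId -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$existing = Get-ProfileByName -DisplayName $ProfileName
if ($existing) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$Base/$($existing.id)" -Body $json -ContentType 'application/json'
    "Updated '$ProfileName' ($($existing.id)) in Prod"
} else {
    $new = Invoke-MgGraphRequest -Method POST -Uri $Base -Body $json -ContentType 'application/json'
    "Created '$ProfileName' ($($new.id)) in Prod"
}
Disconnect-MgGraph | Out-Null
```

In a real pipeline the Prod half runs non-interactively with an app registration (`Connect-MgGraph -ClientId ... -TenantId ... -CertificateThumbprint ...`) that holds only DeviceManagementConfiguration.ReadWrite.All, so no human account needs write access to Prod, and the exported JSON is what gets reviewed in the pull request.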
In one of my last posts we took a closer look at how the Intune Management Extension works and even looked behind the scenes directly into the code. In that post I already mentioned ClientHealthEval.exe, and here I would like to take a closer look at it.
A useful validation step after importing custom ADMX settings is to export the resulting Intune profile and compare it with the vendor documentation. This confirms that the setting name, supported Windows version, and value format match the template you intended to use.
If a policy does not apply, review the device event logs and the MDM diagnostics report before changing the template. Most failures are caused by assignment scope, unsupported OS builds, or value formatting rather than the ADMX import itself.
Custom ADMX and ADML imports are helpful when a required Windows policy is not yet available as a native Intune setting. Treat every import like configuration source code: keep the original vendor files, document the version, and test the policy in a separate device group first.
After importing the templates, verify that the settings appear in the expected Intune category and that the generated policy writes the correct registry values on a test device. This avoids troubleshooting confusion later when multiple custom templates exist in the same tenant.
Most of the policies you’ll ever need are already exposed in Intune’s Settings Catalog — but every IT environment has at least one app whose admins still ship a custom ADMX/ADML template from the on-prem Group Policy days. Adobe Reader, FortiClient, custom in-house tools, and a long tail of vendor utilities all use this format, and Intune supports it natively as long as you know the slightly hidden import workflow. This post walks through importing a custom ADMX/ADML pair into Microsoft Intune end-to-end — where to grab the template files, how to upload them, how to assign the resulting profile, and what to expect on the client. Plus the debugging steps for the most common import failures.
With Intune service release 2208 comes a really nice feature that makes it very easy to import ADMX and ADML templates into Intune. This helps you create configurations for third-party products, for example. I will explain how this works using Firefox.
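The validation steps described above (confirm the ingestion, the generated policy, the registry effect on a test device, and the MDM event log), as an added example that is not part of the posts: run it elevated on the pilot device after the ADMX ingestion and setting profiles have been assigned. The registry paths are the documented ADMX ingestion and PolicyManager locations; the app name `Firefox` and the two expected values are assumptions taken from Mozilla's policy templates, which write under `HKLM\SOFTWARE\Policies\Mozilla\Firefox`.

```powershell
# Added example (not the post's own steps): on a test device, check that an
# ingested ADMX template and the policy built from it arrived, that the values
# reached the application's policy key, and whether the MDM log shows errors.
# Registry paths are the documented ADMX ingestion and PolicyManager locations.
# The app name 'Firefox' and the two expected values are assumptions taken from
# Mozilla's policy templates, which write under HKLM\SOFTWARE\Policies\Mozilla\Firefox.
$AppName  = 'Firefox'
$Expected = @{ 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' = @{ DisableTelemetry = 1; DisableAppUpdate = 1 } }

# 1. Ingestion: the template shows up under ADMXIngestion (per enrollment) once
#    the device has processed the ingestion policy.
$ingested = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\ADMXIngestion' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like "$AppName*" }
if ($ingested) { "ADMX ingested: $($ingested.Name -join '; ')" }
else { Write-Warning "No ADMX ingestion entry for '$AppName'; check the ingestion profile assignment first" }

# 2. Policy: settings from an ingested ADMX are stored in a PolicyManager area
#    named '<AppName>~Policy~<Category path>'.
$areas = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -like "$AppName~Policy~*" }
if (-not $areas) { Write-Warning "No '$AppName~Policy~*' area found; the setting profile has not applied yet" }
foreach ($a in $areas) {
    "Policy area $($a.PSChildName):"
    (Get-ItemProperty $a.PSPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "  $($_.Name) = $($_.Value)" }
}

# 3. Effect: did the values land where the application reads them?
foreach ($key in $Expected.Keys) {
    foreach ($name in $Expected[$key].Keys) {
        $want   = $Expected[$key][$name]
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -eq $want) { "OK   $key\$name = $actual" }
        else { Write-Warning "$key\$name expected $want, got '$actual'" }
    }
}

# 4. Errors in the last 24h: assignment scope, OS build and value format show up here.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Full report for the ticket: MDMDiagReport.html in the output folder.
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -out "$env:TEMP\MdmDiag"
```

If step 1 passes and step 2 fails, the problem is in the setting profile (assignment or OS build), not in the template; if step 2 passes and step 3 fails, compare the value type and key path in the ADMX against the vendor documentation before touching anything in the console.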
With the introduction of assignment filters, the value of applicability rules has diminished. Applicability rules let you define the OS versions on which a configuration profile should apply. Unfortunately, the ability to configure or delete applicability rules for some configuration profile types has also been removed from the console, and it is to be expected that this will happen piece by piece for further types as well. In this blog post I want to show you how you can easily remove all applicability rules and switch to filters as soon as possible.
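As an added example that is not the author's script: the rule properties are still readable and writable through Microsoft Graph even where the console no longer shows them, so a short script can list every profile that still carries one and clear it with a PATCH. The beta endpoint, the property names and the Microsoft.Graph SDK are the assumptions here.

```powershell
# Added example (not the author's script): list every device configuration
# profile that still carries an applicability rule and, with -Remove, clear it.
# Uses the beta endpoint because the rule properties are exposed there.
# Requires the Microsoft.Graph SDK and DeviceManagementConfiguration.ReadWrite.All.
param([switch]$Remove)

$Base = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
$RuleProps = 'deviceManagementApplicabilityRuleOsEdition',
             'deviceManagementApplicabilityRuleOsVersion',
             'deviceManagementApplicabilityRuleDeviceMode'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

# Page through everything; no $select so the concrete @odata.type is returned.
$profiles = @()
$uri = $Base
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $profiles += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$withRules = @($profiles | Where-Object { $p = $_; @($RuleProps | Where-Object { $null -ne $p[$_] }).Count -gt 0 })
"{0} of {1} profiles still have applicability rules" -f $withRules.Count, $profiles.Count

foreach ($p in $withRules) {
    $set  = $RuleProps | Where-Object { $null -ne $p[$_] }
    $desc = $set | ForEach-Object { "$_=$($p[$_] | ConvertTo-Json -Compress)" }
    "{0} ({1}): {2}" -f $p.displayName, $p.id, ($desc -join '; ')
    if ($Remove) {
        # PATCH needs the concrete @odata.type; a null value clears the rule.
        $body = @{ '@odata.type' = $p.'@odata.type' }
        foreach ($r in $set) { $body[$r] = $null }
        Invoke-MgGraphRequest -Method PATCH -Uri "$Base/$($p.id)" -Body ($body | ConvertTo-Json) -ContentType 'application/json'
        "  -> rules cleared; add an assignment filter to this profile next"
    }
}
Disconnect-MgGraph | Out-Null
```

Run it once without `-Remove` to get the inventory, create the matching filters (the OS version condition from the rule becomes the filter rule), and only then run it with `-Remove`, because the moment a rule is cleared the profile applies to every assigned device until the filter is attached.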
In your environment you use many groups to assign apps and configuration profiles. If you later realize that one of them would be better as a user group rather than a device group (or the other way round), changing it is hard to do without impacting users or spending a lot of effort. I have written a script that converts a user group into a device group, or a device group into a user group, based on the devices registered to each user or the users registered to each device.
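One direction of that conversion, as an added example that is not the author's script: resolve each member of a user group to the Windows devices registered to that user and add them to an assigned device group. The group IDs are placeholders, and the target group must be an assigned (not dynamic) group; the reverse direction works the same way with `devices/{id}/registeredUsers`.

```powershell
# Added example (not the author's script): turn a user group into a device
# group by resolving every member's registered Windows devices and adding them
# to an assigned (non-dynamic) device group. Group IDs are placeholders.
# Requires the Microsoft.Graph SDK, GroupMember.ReadWrite.All and Directory.Read.All.
$UserGroupId   = '11111111-1111-1111-1111-111111111111'   # source: a user group
$DeviceGroupId = '22222222-2222-2222-2222-222222222222'   # target: assigned device group
$G = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'Directory.Read.All' -NoWelcome

function Get-AllPages([string]$Uri) {
    $items = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
    return $items
}

# Only user objects are resolved; nested groups and service principals are skipped.
$users   = Get-AllPages "$G/groups/$UserGroupId/members/microsoft.graph.user?`$select=id,userPrincipalName"
$current = @((Get-AllPages "$G/groups/$DeviceGroupId/members?`$select=id").id)

$added = 0
foreach ($u in $users) {
    # registeredDevices = devices this user joined or registered with Entra ID
    $devices = Get-AllPages "$G/users/$($u.id)/registeredDevices"
    foreach ($d in @($devices | Where-Object { $_.operatingSystem -eq 'Windows' -and $_.accountEnabled })) {
        if ($current -contains $d.id) { continue }
        $ref = @{ '@odata.id' = "$G/directoryObjects/$($d.id)" } | ConvertTo-Json
        Invoke-MgGraphRequest -Method POST -Uri "$G/groups/$DeviceGroupId/members/`$ref" -Body $ref -ContentType 'application/json'
        "$($u.userPrincipalName) -> $($d.displayName) ($($d.id))"
        $current += $d.id
        $added++
    }
}
"Added $added devices. Re-point the assignment to $DeviceGroupId, pilot it, then retire the user group."
Disconnect-MgGraph | Out-Null
```

Keep both groups assigned for one sync cycle and compare the per-device status report before removing the user group; a shared device with several registered users, or a user with a stale registered device, is where the two assignment models diverge.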
For the Windows Update reboot notification scenario, keep the message short and action-oriented. Users should immediately understand whether they can postpone, whether a restart deadline exists, and which business application might be affected if they ignore the prompt.
Also check the policy assignment after deployment. If the same device receives multiple update rings or conflicting restart settings, the notification can look correct while the underlying restart behavior is still confusing for users and support teams.
This guide is about Windows Update reboot notifications in Intune and how to make restart behavior predictable for users. The important part is not only enabling a toast, but also choosing timing, wording, and assignment groups that match your patching process.
Before rolling this out broadly, test the notification on a small pilot group and compare the user experience with your existing update rings. That gives you a clean baseline for support tickets, restart deadlines, and expected device behavior after monthly patch deployment.
Windows Update reboots are one of those topics where the default behaviour annoys exactly the people you want least to annoy: knowledge workers in the middle of a presentation, factory operators on a kiosk, and your CEO on a Friday afternoon. Out of the box, Windows shows generic reboot prompts that users either dismiss without reading or only see seconds before the machine restarts. The good news is that Microsoft Intune exposes a complete set of CSP-backed settings to tame these notifications: when they appear, how often they nag, when they auto-restart, and how aggressively they enforce. This post collects the small handful of policies I deploy in every tenant for predictable reboot behaviour, with the gotchas that don’t make it into the docs.
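A device-side check for what the Update CSP actually delivered and for the conflicting combinations mentioned above, as an added example that is not from the post. The value names are the Update CSP setting names as mirrored under `PolicyManager`; the checks and their wording are my own assumptions about what is worth flagging, not Microsoft defaults.

```powershell
# Added example (not from the post): read the Update CSP values a device has
# received and flag the combinations that make restart behaviour confusing.
# Value names are the Update CSP setting names as mirrored under PolicyManager;
# the checks and their wording are my own, not Microsoft's.
$Mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$Gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-Setting([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$names = 'ActiveHoursStart', 'ActiveHoursEnd', 'ActiveHoursMaxRange',
         'ConfigureDeadlineForQualityUpdates', 'ConfigureDeadlineForFeatureUpdates',
         'ConfigureDeadlineGracePeriod', 'ConfigureDeadlineNoAutoReboot',
         'ScheduleRestartWarning', 'ScheduleImminentRestartWarning',
         'UpdateNotificationLevel', 'AutoRestartRequiredNotificationDismissal'
$s = @{}
foreach ($n in $names) { $s[$n] = Get-Setting $Mdm $n }

"Effective MDM Update settings on ${env:COMPUTERNAME}:"
foreach ($n in $names) { "  {0,-42} {1}" -f $n, $(if ($null -eq $s[$n]) { '<not set>' } else { $s[$n] }) }

$warn = @()
if ($null -ne $s.ActiveHoursStart -and $null -ne $s.ActiveHoursEnd) {
    $max  = if ($s.ActiveHoursMaxRange) { $s.ActiveHoursMaxRange } else { 18 }   # CSP default
    $span = ($s.ActiveHoursEnd - $s.ActiveHoursStart + 24) % 24
    if ($span -gt $max) { $warn += "Active hours span ${span}h exceeds ActiveHoursMaxRange ($max)" }
}
if ($null -ne $s.ConfigureDeadlineForQualityUpdates -and $null -eq $s.ConfigureDeadlineGracePeriod) {
    $warn += 'A quality update deadline is set but no grace period; the CSP default applies, so the toast text may not match'
}
if ($s.ConfigureDeadlineNoAutoReboot -eq 1) {
    $warn += 'ConfigureDeadlineNoAutoReboot=1: no automatic restart before the deadline, users will see prompts until then'
}
if ($s.UpdateNotificationLevel -eq 2) {
    $warn += 'UpdateNotificationLevel=2 suppresses restart warnings: devices will restart with no toast at all'
} elseif ($s.UpdateNotificationLevel -eq 1) {
    $warn += 'UpdateNotificationLevel=1 hides update notifications but keeps restart warnings'
}

# Conflicting sources: Group Policy values on an MDM-managed device.
foreach ($k in $Gpo, "$Gpo\AU") {
    $props = (Get-Item $k -ErrorAction SilentlyContinue).Property
    if ($props) { $warn += "Group Policy also sets $k ($($props -join ', '))" }
}
$mdmWins = Get-Setting 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict' 'MDMWinsOverGP'
"ControlPolicyConflict/MDMWinsOverGP: $(if ($null -eq $mdmWins) { '<not set>' } else { $mdmWins })"
if ($warn) { $warn | ForEach-Object { Write-Warning $_ } } else { 'No obvious conflicts found' }
```

Run it on a pilot device from each update ring; if a device sits in two rings the values listed here are what actually won, which is usually the fastest way to explain a support ticket about a restart that "came out of nowhere".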
Quick Assist has been a useful out-of-the-box Windows tool for getting or providing PC support over a remote connection. Because Quick Assist is pre-installed in Windows, it can also be used to provide support during setup, e.g. via Autopilot. The user experience is really simple: you only have to read out a 6-character code from the client and type it into the Quick Assist app on the supporter side.
But this is going to change. Quick Assist will no longer be a built-in tool in Windows. Microsoft announced on April 27, 2022 in the Windows Insider blog that Quick Assist will only be available via the Windows Store in the future and that support for the old client will end. So if you want to continue using Quick Assist, you will have to install it from the Windows Store.
There are several problems with this, though. First, installing Quick Assist from the Windows Store requires admin rights, which users in a professionally managed business environment usually do not have on their PC. Second, on Windows LTSC there is no Windows Store to get Quick Assist from. And third, users get an error message about a missing WebView2 runtime.
I will show you how to solve this problem in today’s blog.
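One way to deploy the Store version without the Store and without admin rights for the user, as an added example that is not the post's solution: package the script below with the Store package and the WebView2 bootstrapper as an Intune Win32 app and let it run as SYSTEM. The file names beside the script, and the assumption that you obtained those files through a licensed channel, are mine; the capability name, the WebView2 detection key and the package name are the documented ones.

```powershell
# Added example (not the post's solution): Intune Win32 install script that
# removes the legacy in-box Quick Assist, installs the WebView2 Evergreen
# runtime when missing, and provisions the Store MSIX for all users so no
# admin rights or Store are needed on the device. Assumes these files were
# placed beside the script when the .intunewin was built (file names are assumptions):
#   .\QuickAssist.msixbundle          (Store package MicrosoftCorporationII.QuickAssist)
#   .\MicrosoftEdgeWebview2Setup.exe  (WebView2 Evergreen bootstrapper)
# Run as SYSTEM (the Intune default) in 64-bit PowerShell.
$ErrorActionPreference = 'Stop'
$Here        = $PSScriptRoot
$WebView2Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
$PkgName     = 'MicrosoftCorporationII.QuickAssist'

# 1. Remove the legacy Windows capability so the old and the new app do not coexist.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null; "Removed $($_.Name)" }

# 2. WebView2 runtime: the Store app shows the missing-runtime error without it.
#    An absent key or pv = 0.0.0.0 means no runtime is installed.
$pv = (Get-ItemProperty -Path $WebView2Key -Name pv -ErrorAction SilentlyContinue).pv
if (-not $pv -or $pv -eq '0.0.0.0') {
    $p = Start-Process -FilePath "$Here\MicrosoftEdgeWebview2Setup.exe" -ArgumentList '/silent', '/install' -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "WebView2 install failed with exit code $($p.ExitCode)" }
    'Installed WebView2 runtime'
} else { "WebView2 runtime $pv present" }

# 3. Provision Quick Assist for all users; existing users get it at next sign-in.
if (-not (Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $PkgName)) {
    Add-AppxProvisionedPackage -Online -PackagePath "$Here\QuickAssist.msixbundle" -SkipLicense | Out-Null
    "Provisioned $PkgName"
} else { "$PkgName already provisioned" }
exit 0
```

Use `Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist'` as the Win32 detection script. If `Add-AppxProvisionedPackage` complains about a missing framework package, ship that dependency alongside and pass it with `-DependencyPackagePath`.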
This is Part 2 of How to Restrict the Login to Dedicated Users with Microsoft Intune. Where Part 1 covered the standard CSP-based approach, Part 2 walks through the more advanced configurations — including dynamic group filtering, Conditional Access integration, and the gotchas you only discover after rolling out to a thousand devices.
Hello everyone, after several months of inactivity I would like to post new content here on my blog regularly again. I start with a topic I already blogged about last year: how to restrict who can log on to Windows via Intune. Intune has a cool new feature that allows you to manage the members of local groups. In How to restrict the login to dedicated users with Intune I did this restriction with a configuration profile and put a Microsoft Entra ID user into the local group via a custom profile and an OMA-URI. Now Microsoft has added a new CSP that allows you to do this in a much more elegant way, and I explain how to use it in this blog post.
After we have looked at the three categories Device Management, Application Management and Endpoint Security, this blog continues with the Reporting section of Intune. Thanks to everyone who read the preceding blogs and gave me feedback. Intune's supply of very powerful and helpful features is not exhausted yet: the reporting section also contains features that can make your daily work as an administrator easier and greatly improve the user experience. Endpoint Analytics in particular is a very powerful feature that is continuously developed and improved. Let's take a closer look at it below.
In Active Directory it was possible to allow a user to log on only to certain computers. This is no longer so easy with Microsoft Entra ID and Intune. In this blog we look at how you can achieve this with the help of a custom profile.
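The mechanism behind both the custom-profile approach above and the newer local group CSP mentioned in the earlier post, as an added example that is not the posts' own profile: on an Entra-joined device the local Users group (and with it the "Allow log on locally" right) covers every authenticated user of the tenant, so replacing that group's membership with a named list is what restricts interactive logon. The XML below is the payload of the LocalUsersAndGroups CSP, whether it is delivered through a custom OMA-URI profile or through the Endpoint security account protection policy in Intune; the UPNs are placeholders, and the XML is built with System.Xml so a UPN can never break or inject markup.

```powershell
# Added example (not the post's profile): build the XML for the LocalUsersAndGroups
# CSP (./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure) that replaces
# the local Users group membership with a named set of Entra ID accounts, and verify
# the result on a device. UPNs are placeholders.
function New-LocalUsersAndGroupsXml {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalNames,
        [string]$Group = 'Users',
        [ValidateSet('R', 'U')][string]$Action = 'R'   # R = replace membership, U = add to it
    )
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('GroupConfiguration'))
    $ag   = $root.AppendChild($doc.CreateElement('accessgroup'))
    $ag.SetAttribute('desc', $Group)
    $g = $ag.AppendChild($doc.CreateElement('group'))
    $g.SetAttribute('action', $Action)
    foreach ($upn in $UserPrincipalNames) {
        $m = $ag.AppendChild($doc.CreateElement('add'))
        $m.SetAttribute('member', "AzureAD\$upn")   # SIDs (S-1-12-1-...) are accepted as well
    }
    return $doc.OuterXml
}

# Paste the output into a custom profile as the value of the OMA-URI
# ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure (data type String).
$xml = New-LocalUsersAndGroupsXml -UserPrincipalNames 'alice@contoso.com', 'bob@contoso.com'
$xml

# On the device (elevated): confirm the policy landed and what the group now contains.
# Never use action "R" on Administrators: an empty or wrong list locks you out.
function Test-RestrictedUsersGroup {
    param([Parameter(Mandatory)][string[]]$ExpectedUpns, [string]$Group = 'Users')
    $applied = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\LocalUsersAndGroups' `
                -Name Configure -ErrorAction SilentlyContinue).Configure
    if (-not $applied) { Write-Warning 'LocalUsersAndGroups/Configure not present; check MDM diagnostics' }
    # Get-LocalGroupMember can throw on orphaned SIDs; surface that instead of hiding it.
    $members  = @((Get-LocalGroupMember -Group $Group).Name)
    $expected = $ExpectedUpns | ForEach-Object { "AzureAD\$_" }
    $extra    = $members  | Where-Object { $expected -notcontains $_ }
    $missing  = $expected | Where-Object { $members  -notcontains $_ }
    if ($extra)   { Write-Warning "Unexpected members still present: $($extra -join ', ')" }
    if ($missing) { Write-Warning "Expected members missing: $($missing -join ', ')" }
    return (-not $extra -and -not $missing)
}
```

Test on a single device first with a second known-good admin account signed in, because a wrong member list is applied at the next policy sync and the only recovery path is another policy or the local Administrators group, which this XML deliberately does not touch.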