Intune Data Collection Policy Error 0x87d1fde8

State = error

State Details = -2016281112 (Remediation failed)

image

It all started when I was checking my Intune Configuration policies and found that, all of a sudden, I had a new policy called Intune data collection policy, as shown above, that I hadn't created. Worse, it had errors!

image

When I looked at a specific device that was affected, as shown above, I could see two errors on the device. One was from a user designated as System account, which was also somewhat puzzling.

image

Digging further I found that the State was Error and the State details were -2016281112 (Remediation failed) as you can see above.

image

At the most granular level, I found the Error code was 0x87d1fde8 as shown above.
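The decimal State details value (-2016281112) and the hex Error code (0x87d1fde8) are the same 32-bit HRESULT shown two ways, which matters because Microsoft's error references list the hex form. The following is an added example, not code from the original post: it normalises either form into the other and splits the HRESULT into its severity, facility and code fields. The only description in its lookup table is the one this post documents ("Remediation failed"); everything else about the table is an assumption for you to extend.

```python
"""Normalise Intune error codes between the two forms the portal shows.

The Intune portal reports a policy's "State details" as a signed 32-bit
decimal (e.g. -2016281112) and, one level deeper, the same value as a
hex HRESULT (0x87d1fde8).  Added example; not part of the original post.
"""

# Known codes: only the one the post documents, with the post's own wording.
# Assumption: you extend this table from Microsoft's error-code reference.
KNOWN_CODES = {
    0x87D1FDE8: "Remediation failed",
}


def to_unsigned(value) -> int:
    """Accept -2016281112, '-2016281112', '0x87d1fde8' or '87d1fde8' and
    return the unsigned 32-bit integer they all denote.  A bare digit string
    without a 0x prefix is treated as decimal, which is how the portal
    shows State details."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text.startswith(("0x", "-0x")):
            number = int(text, 16)          # int() accepts the 0x prefix
        elif text.lstrip("-").isdigit():
            number = int(text, 10)          # portal's signed decimal
        else:
            number = int(text, 16)          # hex without prefix
    else:
        number = int(value)
    return number & 0xFFFFFFFF


def to_signed(code: int) -> int:
    """Inverse of to_unsigned: the signed decimal that State details shows."""
    code &= 0xFFFFFFFF
    return code - (1 << 32) if code & 0x80000000 else code


def decode_hresult(value) -> dict:
    """Split an HRESULT into its fields: severity bit (failure if set),
    facility (bits 16-26) and the low 16-bit code, plus a description
    when the code is in KNOWN_CODES."""
    code = to_unsigned(value)
    return {
        "hex": f"0x{code:08x}",
        "decimal": to_signed(code),
        "is_failure": bool(code & 0x80000000),
        "facility": (code >> 16) & 0x7FF,
        "code": code & 0xFFFF,
        "description": KNOWN_CODES.get(code, "unknown - search for the hex value"),
    }


if __name__ == "__main__":
    # Both inputs come from the screenshots in this post and decode identically.
    for sample in ("-2016281112", "0x87d1fde8"):
        print(sample, "->", decode_hresult(sample))
```

Feed it whichever form a given blade shows; the `hex` field is the string to search Microsoft's reference for, and the `decimal` field is what to match against the State details column.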

image

It turns out that the Intune data collection policy gets created when you use Endpoint Analytics as shown above.

image

This gives you some really nice reports as shown above on your Windows devices. You can read more about it here:

What is Endpoint Analytics?

I had now solved where the mystery Intune data collection policy came from, and after much research it turned out that the device errors were because of licensing, as you can read here:

Licensing Prerequisites

which says:

Endpoint analytics is included in the following plans:

Proactive remediations also require one of the following licenses for the managed devices:

  • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

  • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)

  • Windows Virtual Desktop Access E3 or E5

The error I was seeing was due to those machines only being Windows 10 Pro, NOT Windows 10 Enterprise! Endpoint Analytics currently only works with Windows 10 Enterprise-licensed devices.

Once I had changed the Intune data collection policy to exclude the Windows 10 Pro machines, the errors went away, as did the duplicate System account.

Hopefully, Microsoft will consider extending Endpoint Analytics to Windows 10 Pro machines as well, but for now you’ll need to exclude them from any Intune data collection policy if you don’t want errors in Endpoint Manager.

Need to Know podcast–Episode 257

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about some automation options that are available in the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-257-windows-autopilot/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 18

@directorcia

Modern Device Management – Part 7

CIAOPS Patron Community

New Exchange Policy Configuration analyzer

image

If you have a look in your Threat Management policies in Security and Compliance you’ll see a new tile called Configuration Analyzer as shown above. The direct URL is:

https://protection.office.com/configurationAnalyzer

image

When you select this tile you’ll see a screen like that shown above which compares your current policy settings to Microsoft best practices.

image

If you expand any of the headings you'll see the settings in question and what the recommendation is on the right. You'll also see a link that allows you to easily Adopt this setting.

image

If you do select the Adopt link, you’ll be presented with the above warning asking you whether you wish to proceed and Confirm or Cancel the change.

image

You will also see a Configuration drift analysis and history option as shown above. This allows you to compare changes in configuration over time and their effect. Basically, whether changes made improve email security or not.

If you want to learn more about Microsoft’s best practice configurations I suggest you take a look at my previous article:

New templated email policies

I see this as a further step towards what I spoke about here:

The changing security environment with Microsoft 365

and how AI will soon do all this automatically.

Modern Device Management with Microsoft 365 Business Premium–Part 10

Previous parts in this series have been:

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

Intune MAM – Modern Device Management with Microsoft 365 Business premium – Part 3

Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4

Baselines – Modern Device Management with Microsoft 365 Business Premium – Part 5

Deployment – Modern Device Management with Microsoft 365 Business Premium – Part 6

Autopilot admin – Modern Device Management with Microsoft 365 Business Premium – Part 7

Autopilot endpoint – Modern Device Management with Microsoft 365 Business Premium – Part 8

Deploying applications – Modern device Management with Microsoft 365 Business Premium – Part 9

I'm going to wrap up this series with a range of helpful links that provide lots of help when troubleshooting issues with device management. I've covered a lot so far and figured that it is better to give you this one location to use for getting help with device management.

As I have noted elsewhere in this series, the best general tips I can give you to help with troubleshooting are:

1. Maintain good documentation of your device management environment. The more complex it becomes, the more important good documentation becomes.

2. Maintain good naming conventions. With so many policies potentially in play with device management, having a logical naming convention will make life a lot easier.

3. Start small and grow. Don’t implement everything at once. Start with one policy at a time, get that working and build on that. Doing too much too fast is a recipe for frustration.

Good troubleshooting links:

Intune troubleshooting 101 – https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Intune-Troubleshooting-101/ba-p/924827

Troubleshoot device enrollment in Microsoft Intune – https://docs.microsoft.com/en-gb/intune/enrollment/troubleshoot-device-enrollment-in-intune

Troubleshoot Windows device enrollment problems in Microsoft Intune – https://docs.microsoft.com/en-gb/intune/enrollment/troubleshoot-windows-enrollment-errors

Troubleshoot iOS device enrollment problems in Microsoft Intune – https://docs.microsoft.com/en-gb/intune/enrollment/troubleshoot-ios-enrollment-errors

Troubleshoot Android Enterprise device problems in Microsoft Intune – https://docs.microsoft.com/en-gb/mem/intune/enrollment/troubleshoot-android-enrollment

How to get support for Microsoft Intune – https://docs.microsoft.com/en-ca/intune/get-support

Intune app protection diagnostics and managed browser bookmarks – https://blogs.technet.microsoft.com/cbernier/2018/02/05/intune-app-protection-diagnostics-and-managed-browser-bookmarks/

Set the mobile device management authority – https://docs.microsoft.com/en-us/intune/mdm-authority-set

Troubleshooting devices using the dsregcmd command – https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

MDM Diagnostics Tool – Tips & Tricks – Windows Autopilot Troubleshooting – https://www.anoopcnair.com/mdm-diagnostics-tool-windows-autopilot/

Azure AD device registration error codes – https://s4erka.wordpress.com/2018/03/06/azure-ad-device-registration-error-codes/

Enroll devices by using a device enrollment manager account – https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll

Manually sync your Windows device – https://docs.microsoft.com/en-us/intune-user-help/sync-your-device-manually-windows

How long does it take for devices to get a policy, profile or app after they are assigned? – https://docs.microsoft.com/en-us/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned

Common questions, issues, and resolutions with device policies and profiles in Microsoft Intune – https://docs.microsoft.com/en-us/intune/configuration/device-profile-troubleshoot

Send log data to storage, event hubs or log analytics in Intune – https://docs.microsoft.com/en-us/intune/fundamentals/review-logs-using-azure-monitor

Do not clone an Azure AD-joined or MDM-enrolled Windows 10 OS – https://oofhours.com/2020/06/07/do-not-clone-an-azure-ad-joined-or-mdm-enrolled-windows-10-os/

Diagnose MDM failures in Windows 10 – https://docs.microsoft.com/en-us/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10

Common error codes and descriptions in Microsoft Intune – https://docs.microsoft.com/en-us/mem/intune/fundamentals/troubleshoot-company-resource-access-problems

Hopefully, you'll be able to solve any issue you come up against by consulting the list of links above. I know I have.

Microsoft 365 device management will continue to evolve over time and I’ll continue to update you here on my blog, so stay tuned for more articles on Microsoft 365 device management.

Custom Praise badges in Microsoft Teams

image

If you navigate to the Teams admin portal and expand the Teams apps option from the menu on the left, you should see a Managed apps option. You can locate the Praise app by using search on the right.

image

If you select the Praise app you’ll then see a screen like that shown above. If you then select the Settings option just under the information banner you get the badges options.

Generally, the default badges are enabled, but why not also enable the Social and emotional learning badges for education? They are free after all!

Preview of the Social and emotional learning badges for education

When you do so, you’ll see the additional badges shown above in your Teams Praise app.

image

Even better, further down, you can also add your own custom Praise badges.

image

Just upload a suitable badge graphic and add the details about the badge.

image

So now, when you Praise someone in Teams, you have many more options, including your own custom ones as shown above.

When selecting an image, keep badge dimensions in mind. For the best quality, we recommend uploading an image file that is 216 x 216 pixels (which are the maximum dimensions). Avoid stretching or distorting the image to fit these dimensions.

The above is from a great Microsoft article:

Manage the Praise app in the Microsoft Teams admin center

which provides lots of information about the Praise app and badges. So I recommend you take a look to learn more.

Modern Device Management with Microsoft 365 Business Premium–Part 9

Previous parts in this series have been:

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

Intune MAM – Modern Device Management with Microsoft 365 Business premium – Part 3

Endpoint Manager – Modern Device Management with Microsoft 365 Business Premium – Part 4

Baselines – Modern Device Management with Microsoft 365 Business Premium – Part 5

Deployment – Modern Device Management with Microsoft 365 Business Premium – Part 6

Autopilot admin – Modern Device Management with Microsoft 365 Business Premium – Part 7

Autopilot endpoint – Modern Device Management with Microsoft 365 Business Premium – Part 8

In part 3 I talked about Mobile Application Management (MAM) and in the last part, I talked about Windows deployment using Autopilot, now it is time to look at deploying applications to devices via Endpoint Manager.

image

This task will be accomplished via the All apps option inside the Apps menu in Microsoft Endpoint Manager as shown above.

image

Here you’ll see a list of existing applications, but what you’ll typically need to do is select Add from the menu at the top to add a custom application.

image

You’ll now need to select an app type, as you can see above, from the list that appears. Because we are dealing with applications across a wide range of platforms, you need to create a deployment policy for each app on each platform.

image

In this case, I’ll go with an application from the iOS store as shown above, just to keep things simple.

image

I’ll then need to select the link, as shown above, to Search the App Store for the desired application. Note that it doesn’t necessarily have to come from the store, but it is easier if it does.

image

Here, I’ll locate Microsoft Whiteboard as shown above and select it.

image

The details of the app are now populated as shown above. You can make any changes here you wish. Note, I have elected to feature this app in the Company Portal as well.

image

Next, I can target that application to be Required by users and/or devices, which I have done as shown above. However, you can see that it is also possible to just make the application Available (i.e. optional) for enrolled and non-enrolled devices, as well as to Uninstall the application if present.

image

You can now review the application settings and then press the Create button to complete the policy process.

image

In a short amount of time the device will process that policy as seen above. Here the user will be prompted that a required application will be installed. Press Install on device to continue.

image

The application will be installed.

image

The application is now ready for use on the device.

image

If you now look back at the All Apps area, as shown above, you should see the app that was just configured for deployment.

image

If you select this entry and then select Device install status, you should see a confirmation that the Status is installed as shown above.

image

If you take a look inside the Intune Company Portal App, you see the app is featured as shown above. The application can now be installed directly from here as well if needed.

image

To configure the settings for applications that are deployed, navigate to the App configuration policies option as shown above and select the Add button that appears on the right.

image

Here, I will select Managed devices from the drop down menu that appears.

image

To keep things simple, I’ll choose to configure the Outlook app for iOS. This is because there are many different ways to configure applications, especially if they are not from Microsoft or not common apps like Outlook, Word, Excel, etc.

In this case, you need to click the Select app at the bottom of the page as shown.

image

Select the Outlook option from the menu that appears as shown.

image

Because this is a 'well-known' app, I select Use configuration designer in the Configuration settings format field as shown. This presents a number of options I can now configure for that application.

image

You’ll then need to allocate this application configuration policy as shown above. Again, to keep this example simple, the option for All users and all devices has been selected but you can get more granular if you wish.

image

You can now Review and Create the policy.

image

The policy should then appear in the list of App configuration policies as shown above. You can select the policy name at any time to return to editing the policy.

image

The main takeaway is that you can use Endpoint Manager to create deployment and configuration policies for the different applications on the different platforms and apply them quickly and easily. As shown above, this also extends to granular configuration of the Office suite of apps.

It is important to remember that there can be a lot to configure here if you consider individual apps on individual platforms, so be prepared for some setup initially. But, once complete, deployment and configuration going forward across all platforms is easy. The main benefit is that both deployment and configuration can be done directly across the Internet for both enrolled and non-enrolled devices, giving good management of devices in the environment.
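Every click in the deployment walkthrough above (add an iOS store app, feature it in the Company Portal, assign it as Required, Available, Available without enrollment, or Uninstall) has a Microsoft Graph equivalent, which is how you would repeat this across many tenants or keep it in source control. The following is an added example and not code from the original post or from Microsoft: it builds the request bodies for the Graph calls and checks one rule the portal enforces. The resource and property names (microsoft.graph.iosStoreApp, isFeatured, mobileAppAssignment, the intent values and the assignment target types) are taken from the Graph v1.0 schema as I know it and are an assumption here; the bundle ID, store URL and group ID are constructed placeholders. Nothing is sent to Graph; the functions return the JSON you would POST with your own authenticated client.

```python
"""Build Graph request bodies that mirror the Endpoint Manager app
deployment steps in this post.  Added example, not from the original post.
Assumed Graph endpoints:
  POST /deviceAppManagement/mobileApps              (body: ios_store_app)
  POST /deviceAppManagement/mobileApps/{id}/assign  (body: assign_body)
"""
import json

# Assignment options on the portal's Assignments blade -> Graph intent value.
ASSIGNMENT_INTENTS = {
    "required": "required",
    "available for enrolled devices": "available",
    "available with or without enrollment": "availableWithoutEnrollment",
    "uninstall": "uninstall",
}

# Built-in targets offered in the portal besides individual groups.
TARGET_TYPES = {
    "all users": "#microsoft.graph.allLicensedUsersAssignmentTarget",
    "all devices": "#microsoft.graph.allDevicesAssignmentTarget",
}


def ios_store_app(display_name, publisher, bundle_id, app_store_url,
                  featured=False):
    """Body for creating an iOS App Store app, including the
    'feature this app in the Company Portal' switch (isFeatured)."""
    return {
        "@odata.type": "#microsoft.graph.iosStoreApp",
        "displayName": display_name,
        "publisher": publisher,
        "bundleId": bundle_id,
        "appStoreUrl": app_store_url,
        "isFeatured": featured,
        "applicableDeviceType": {"iPad": True, "iPhoneAndIPod": True},
        "minimumSupportedOperatingSystem": {"v12_0": True},
    }


def assignment(intent_label, target_label="", group_id=None):
    """One mobileAppAssignment.  group_id wins over target_label.
    'Available with or without enrollment' is only offered for user groups
    in the portal, so an all-devices target for it is rejected here too."""
    intent = ASSIGNMENT_INTENTS[intent_label.lower()]
    if group_id:
        target = {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                  "groupId": group_id}
    else:
        target = {"@odata.type": TARGET_TYPES[target_label.lower()]}
    if (intent == "availableWithoutEnrollment"
            and target["@odata.type"].endswith("allDevicesAssignmentTarget")):
        raise ValueError("availableWithoutEnrollment needs a user target")
    return {"@odata.type": "#microsoft.graph.mobileAppAssignment",
            "intent": intent, "target": target}


def assign_body(*assignments):
    """Body for the /assign action: all assignments for one app at once."""
    return {"mobileAppAssignments": list(assignments)}


if __name__ == "__main__":
    # Constructed placeholder values; replace with the real app's details.
    app = ios_store_app("Microsoft Whiteboard", "Example Publisher",
                        "com.example.whiteboard",
                        "https://apps.apple.com/app/idEXAMPLE", featured=True)
    body = assign_body(assignment("Required", "All users"),
                       assignment("Required", "All devices"))
    print(json.dumps(app, indent=2))
    print(json.dumps(body, indent=2))
```

Review the printed JSON, create the app, then call the assign action with the app's returned id; the app configuration policy step that follows in the post is a separate resource and is not covered by this block.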

Modern Device Management with Microsoft 365 Business Premium – Part 10

Revisiting some facts around Microsoft 365 backup

A while ago I wrote an article:

Do you need to backup Office 365?

Recently, Tony Redmond wrote this article on a similar topic:

Questioning Six Reasons Why Backing up Office 365 is Critical

That then led to the following debate:

The Great Debate: The Need For Office 365 Backup [VIDEO]

I’ve also seen people quote the following from Microsoft:

Microsoft Services Agreement

which contains the following clause:

image

which reads:

“We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

However, it is important to note at the top of that document:

image

which reads:

"These terms ("Terms") cover the use of those Microsoft consumer products, websites, and services listed at the end of these Terms here (#serviceslist) (the "Services")."

Note the hyperlink to the "services" that the agreement actually covers. That leads to the following URL:

https://www.microsoft.com/en/servicesagreement/#serviceslist

and when you look through that list there are no M365/O365 commercial services listed:

image

Thus, that Microsoft Services Agreement doesn’t apply when talking about data retention in Microsoft 365 commercial products.

In fact, the following slide was taken from a recent Microsoft Ignite 2020 presentation:

clip_image001

Here’s the time stamped video it came from – https://youtu.be/zBHXVGrxBqM?t=1971 (Protecting Exchange Online Mailboxes As A Secure Vault)

I will also highlight the following article:

Set the OneDrive retention for deleted users

which says:

image

The minimum value is 30 days and the maximum value is 3650 days (ten years).

As my original article states and Tony Redmond reinforces, what matters is understanding what M365 does out of the box with data retention and how that can and 'should' be configured to reduce risk. After that, third-party products can be added to supplement what Microsoft 365 does. As I say, more backups are good, but at some point they fail to significantly reduce risk for the investment made in them. Where that point lies is up to the individual business to determine.

It is important to have the correct information when it comes to data retention and recovery in Microsoft 365, and if you don’t appreciate what can be done with Microsoft 365 out of box then I’d encourage you to go and take a closer look, because it does a pretty good job in my opinion.