Intune Data Collection Policy Error 0x87d1fde8

State = error

State Details = -2016281112 (Remediation failed)

image

It all started when I was checking my Intune Configuration policies and I found that all of a sudden I have a new policy called Intune data collection policy as shown above, that I didn’t created. Worse, it had errors!

image

When I looked at a specific device that was affected, as shown above, I could see two errors on the device. One was from a user designated as System account, which was also somewhat puzzling.

image

Digging further I found that the State was Error and the State details were -2016281112 (Remediation failed) as you can see above.

image

At the most granular level, I found the Error code was 0x87d1fde8 as shown above.

image

It turns out that the Intune data collection policy gets created when you use Endpoint Analytics as shown above.

image

This gives you some really nice reports as shown above on your Windows devices. You can read more about it here:

What is Endpoint Analytics?

I had now solved where the mystery Intune data collection policy came from and after much research it turns out that the device errors are because of licensing as you can read here:

Licensing Prerequisites

which says:

Endpoint analytics is included in the following plans:

Proactive remediations also require one of the following licenses for the managed devices:

  • Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)

  • Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)

  • Windows Virtual Desktop Access E3 or E5

The error I was seeing was due to those machines only being Windows 10 Pro, NOT Win 10 Enterprise! Endpoint Analytics currently only works with Windows 10 Enterprise licensed devices.

Once I had changed the Intune data collection policy to exclude the Windows 10 Pro machines the errors went away, as did the duplicate System account as well.

Hopefully, Microsoft will consider extending Endpoint Analytics to Windows 10 Pro machines as well, but for now you’ll need to exclude them from any Intune data collection policy if you don’t want errors in Endpoint Manager.

Need to Know podcast–Episode 257

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about some automation options that are available in the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-257-windows-autopilot/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 18

@directorcia

Modern Device Management – Part 7

CIAOPS Patron Community

Need to Know podcast–Episode 255

FAQ podcasts are shorter and more focused on a particular topic. In this episode I speak about some automation options that are available in the Microsoft Cloud.

This episode was recorded using Microsoft Teams and produced with Camtasia 2020

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-255-modern-device-management/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send us any feedback or suggestions you may have for the show.

Resources

FAQ 17

Modern Device Management – Part 1

CIAOPS Patron Community

@directorcia

Modern Device Management with Microsoft 365 Business Premium–Part 3

In the previous parts of this series I have covered:

Office 365 Mobile MDM – Modern Device Management with Microsoft 365 Business Premium–Part 1

Intune MDM – Modern Device Management with Microsoft 365 Business Premium – Part 2

The next step in the step in the process of securing and managing devices with Microsoft 365 Business Premium is Mobile Application Management (MAM) which we’ll look at now.

MAM allows the ability to fully manage select applications, typically business applications like Outlook Mobile, Word Mobile, etc on any device. MAM is handy because it doesn’t require device management (MDM). This makes especially handy when users bring their own personal devices and want access to business data like emails but don’t want the organisation having fully control of their device. Thus, MAM is prefect for the Bring Your Own Device (BYOD) scenario.

image

We can thus use MAM on any device, independent of whether it is Azure AD joined, registered or stand alone.

The Intune service inside Endpoint Manager is typically what is used for MAM. Application control is once again managed by policies that are pushed down to the individual applications on the device. The first of these policies is known as App Protection policies which is focused on application security.

SNAGHTML2087555d

These policies are located in the Endpoint Manager portal under Apps and then App protection policies as shown above.

You can target policies to different device OS versions and here you typically define ‘targeted apps’ (i.e. corporate apps) as well any apps you want exempted from protection policies. Anything not defined by either of these is considered a non-corporate app. In here you also define corporate data locations, which will typically be Microsoft 365 services like OneDrive, SharePoint, etc but may also include on premises and third party cloud based services (say Salesforce). Now with both corporate apps and corporate data locations defined you can set policies around how data is to be stored and managed. For example, you may want to only allow corporate data to be saved to corporate locations or maybe you only want to store corporate data onto ‘secure’ devices. App protection policies allow these configurations and definitions.

App protection policies also give you the ability to selectively wipe data from corporate managed apps. MDM gives you the ability to wipe the WHOLE device remotely, both corporate and personal apps and data. MAM however, gives you the ability to just wipe the data inside Outlook mobile for example. This is why MAM is generally the best option for BYOD devices where the device owner don’t want the business to have access to anything but corporate data on the device.

image

You then have Application Configuration policies as shown above which are also part of Intune MAM. These policies target the options you want configured for applications on devices.

image

This is again controlled by policy which can be targeted at the device OS. The above is taken from the configuration policy for Outlook for iOS and illustrates the level of detail you can go down to when configuring. You can ensure that suitably configured apps are made available to user and devices optionally or as a requirement. There is a lot that can be done here to allow you to deploy and manage applications on mobile devices.

image

You get to these policies via the Apps option in Endpoint Manager and then App configuration policies as shown above.

Many people ask the question about whether you should or can use MDM and MAM together? The answer is most certainly, Yes. The reason you would choose to do that is to provide extra security and convenience. MDM means for example I can ensure that my device storage is encrypted while MAM will prompt me for a pin number when I actually use a corporate app. That makes my data more secure. Do you need to use both MDM and MAM? It all depends on your security and deployment requirements. If you mainly have BYOD devices that don’t want to be device managed then MAM will be your only option. The main thing is that it provides flexibility when it comes to both security and configuration of your devices. The best strategy is defence in depth. The more layers of protection you have the lower your risk.

Given all the options that have been covered in both MDM and MAM so far, hopefully you can now see the huge amount of options available to you when it comes to managing devices. The tricks is to firstly get the device enrolled, apply MDM and then MAM policies.

Don’t think however this is the end of device options available to you. Oh no, Endpoint Manager has a many additional configuration options you can implement to make your devices EVEN more secure. Stay tuned for that upcoming article.

MOdern device Management with Microsoft 365 Business Premium – Part 4

Modern Device Management with Microsoft 365 Business Premium–Part 2

In

Modern Device Management with Microsoft 365 Business Premium–Part 1

I covered the basic overview and out of the box device management you get with pure Office 365. In this article I want to start digging into the more advanced features you get by using Intune which is part of Microsoft 365 Business Premium.

image

Microsoft has a service called Endpoint Manager that allows advanced device configuration and management. You access this via:

https://endpoint.microsoft.com/

image

Intune is now part of Endpoint Manager, so you use that to gain access to the Intune configuration.

image

Part of the Intune configuration capability is device management, this is more advanced than the basic options in pure Office 365 that were detailed in the previous article.

image

To have devices managed by Intune they first need to go through a specific Intune enrolment process.

image

Intune device enrolment can only be achieved once devices have been joined to Azure AD. Both registered and stand alone devices cannot be managed at a device level via Intune, only those devices that have been fully joined to Azure AD can be enrolled in Intune for device management.

image

If you look at your Azure AD in the Azure portal you’ll see the option Mobility (MDM and MAM). If you select that, you’ll probably see a Microsoft Intune option on the right as shown above.

image

If you select that Intune option and you don’t have a license for Intune you’ll be greeted with something like the above. What this is telling you is that automatic enrolment of device requires an Intune license.

image

If you do however have a license for Intune you’ll see the above instead. This allows you to select which groups (None, Some, All) that will automatically be enrolled in both device management (MDM) and application management (MAM). You could still of course, manually enrol if you wished but by adding an Intune license you now get the ability to automatically enrol devices into Intune management once you have joined these devices to Azure AD.

So the, typical steps so far have been:

1. Join device to Azure AD

2. Have it automatically commence device enrolment in Intune

You will find the configuration for Intune enrolment by navigating to Endpoint Manager:

https://endpoint.microsoft.com/

SNAGHTML14ccbdd9[4]

and then go to the Devices option from the menu on the left then Enroll devices as shown above.

SNAGHTML1487c6b2

The first major difference you’ll now see is that you have enrolment options for Windows, Apple and Android as well as the ability to enforce restrictions and allocate managers. Each operating system will have it’s own enrolment capabilities and options. For example, it is here that you configure Windows Autopilot and Windows Hello for Business if you wanted, as they are considered potentially part of any advanced device enrolment.

I’ll look at covering off many of these different enrolment options in future articles, however I do want to call your attention that to enrol Apple devices you will need to set up a free Apple certificate beforehand. I have detailed that process previously here:

Adding an Apple Certificate to Intune

SNAGHTML14b17f9b

You can get an overview of the device enrolment status in your environment (i.e. successes and failures) via Endpoint Manager | Devices | Overview | Enrollment status as shown above. You’ll also see any Enrollment alerts on the very next tab to the right.

image

Once devices have successfully completed enrolment, they will commence device compliance.

SNAGHTML14a1feac

You can configure device compliance policies via Endpoint Manager | Devices | Compliance policies as shown above.

image

Here you create as many different Compliance policies as you wish. Typically, you have one per device operating system, however you can have more if you wish. A good example of why you might have two Windows 10 policies is to handle machines that have and those than don’t have TPM capabilities. Disk encryption is a compliance setting you can check for and enforce. However, you may not want to enforce full disk encryption via BitLocker for machines that don’t have inbuilt TPM chips for example. Thus, two separate compliance policies would be required. One to check machines with a TPM capability and one for those without.

image

If you select the Create Policy option, as shown above, you’ll be able to select from a range of platforms (OS’s).

image

The compliance options available will vary by device operating system, but an example of some of the Windows 10 options you can configure in the policy are shown above.

The main idea here is to configure appropriate checks via policies for each device operating system. Devices that fail these checks are considered and marked as ‘non-compliant’ and further action can then be taken. An example of an action that can be taken on a device that is ‘non-compliant’ is to exclude it from accessing Microsoft 365 information. A good example of this is a policy that prevents devices that have been jailbroken or have unsupported operating systems from being able to access corporate data.

SNAGHTML14b4bded

You can get an overview of the device compliance status in your environment by navigating to Endpoint Manager | Devices | Overview | Compliance status as shown above.

image

Once compliance policies have been applied to a device, the final part of adding devices to Intune device management is the application of configuration policies.

SNAGHTML14b99b3a

These policies are found by navigating to Endpoint Manager | Devices | Configuration policies as shown above.

image

When you create a new policy via the Create profile button from the menu as shown above you again need to select the device operating system and then the profile. The number, types and content of these profile will vary by operating system but for example allow to to do things like control when anti virus scans run, control photo uploads, enforce pin locks and so much more.

Here you will typically have lots of policies including different policies for different groups of users, different operating systems and so on.

image

Above is an example of the options that are available in an Android Device Restriction configuration policy.

In summary, this article has covered the process of enrolling in advanced device management (MDM) using Intune. The process is:

1. Join devices to Azure AD

2. Devices complete Intune enrolment

3. Devices have Intune compliance policies applied

4. Devices have Intune configuration policies applied

After this process, devices are considered to fully ‘device’ managed by Intune. That is MDM is now done via Intune.

Note, MDM is for devices that are Azure AD joined and require full control of the device down to the operating system. This means the business has full control of the device. That may not be desired for users who bring their own devices (BYOD). Such devices can be managed by application management (MAM) which will be the focus of the next article.

Modern Device Management with Microsoft 365 Business premium – Part 3