
Managing Microsoft Edge browser on iOS/Android (Notes from the field)


Edge browser for iOS and Android has been out since December 2017, giving you a continuous browsing experience from your mobile device to your Windows device. Microsoft previously offered Intune Managed Browser as the secure browser for opening links from Microsoft Office and other apps managed by Microsoft Intune. There have been no updates to Intune Managed Browser since April 2018, which shows where the investment has gone: Microsoft is moving to Edge on mobile devices as the replacement for Intune Managed Browser (aka ManBro).

Edge browser is secure, manageable and provides a rich browsing experience. Using a protected browser with Intune policy (Microsoft Edge or Intune Managed Browser), you can ensure company resources are always accessed with corporate safeguards in place. This ties back to your O365 identity.

Microsoft Edge and Managed Browser integrate with the Intune SDK, so you can apply app protection policies such as controlling the use of cut, copy and paste, preventing screen captures, and ensuring corporate links open only within managed apps and browsers.

We plan to move from Intune ManBro to Microsoft Edge for our workforce. I have been testing the features of Edge in comparison with Managed Browser and have also validated the end-user experience. I am going to list all the test cases and my experience with Edge for iOS and Android devices. These are my observations from the field and from my interaction with the pilot users we rolled Edge out to.

--> Edge has big improvements to the AllowListURLs and BlockListURLs feature. This configuration also works with Intune Managed Browser, but there it only applies to the work account, and Managed Browser doesn't support multi-identity.

Edge introduced an InPrivate mode that can be configured with a personal account and is used to open URLs that are not in AllowListURLs. Pages opened InPrivate do not get MAM app protection policies applied, which gives users the flexibility to access personal sites and attach files from non-corporate locations. Intune Managed Browser did not provide this flexibility.

Edge can be configured with a work account and a personal Microsoft account (outlook.com, live.com, hotmail.com or any other Microsoft account). You cannot use Gmail, Yahoo or any other account in personal mode. This may change in future.

 


--> AllowListURLs and BlockListURLs let end users open the approved URLs with the work account, with the flexibility to move data between managed apps, while the remaining non-corporate URLs open in an InPrivate window that has no access to work-account applications such as Teams, OneDrive or Outlook.

If you are worried about data leakage through Edge, you must configure AllowListURLs.

As an example, if I allow gmail.com or hotmail.com in the allowed URLs, I can then launch gmail.com in the work context, create a new email and attach files from the corporate OneDrive. That is a DLP issue: an allow-listed site runs under the work identity and can receive whatever your app protection policy lets managed apps share with each other.

How do you prevent this? Identify the URLs your business needs to open with the work account, for example <tenant>.sharepoint.com, put only those in your app configuration policy, and let everything else open in InPrivate mode.

--> If you have internal applications published externally via Azure AD Application Proxy and you have AllowListURLs configured, you need to allow certain additional URLs for users to access these apps on Android devices.

What does this mean? I have an internal (on-premises) application published externally, for example cyberark-koneti.msappproxy.net, where koneti is the tenant name.

Since I have AllowListURLs configured with a list of URLs including https://*.msappproxy.net/*, when my users browse to this application on an Android device they hit the following screen:

Blocked Site.

Your IT admin has blocked access to this site using your work account. Browse InPrivate


Why did this happen? Even though the URL ends with msappproxy.net and is allowed, it still gets blocked, and this happens only on Android devices, not on iOS.

After troubleshooting, and with support from Microsoft: Android behaviour is different for App Proxy URLs. The backend URLs the page loads get blocked unless you make some changes to AllowListURLs.

So to fix this, two URLs have to be added to the AllowListURLs configuration: https://*.akamaized.net/*|https://*.msocdn.com/*

This fix is only for Android; on iOS it works fine without the above URLs. We are pushing Microsoft to align this behaviour across both OSes and make life easier for admins like us.

If you don't have AllowListURLs configured, you can ignore this point.
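To make the two points above concrete (the DLP consequence of allow-listing a webmail host, and the extra hosts an App Proxy app needs on Android), here is an added PowerShell example that is not part of the original post. It approximates the documented scheme://host[:port]/path wildcard syntax of AllowListURLs to show which URLs a given value would open in the work context, matching each URL component separately. The matching logic is my approximation, not Edge's own code, so confirm edge cases against the product; the evil.example and mail.google.com URLs are constructed inputs, and treating a pattern with no path as root-only is an assumption.

```powershell
# Added example, not code from the post: approximates the documented wildcard
# syntax of AllowListURLs (scheme://host[:port][/path], '*' as wildcard) and
# checks which URLs a list would open in the work context. It is a review aid,
# not Edge's own matcher, so confirm edge cases against the product.

function ConvertTo-UrlRule {
    param([Parameter(Mandatory)][string]$Pattern)
    $m = [regex]::Match($Pattern,
        '^(?<scheme>https?)://(?<host>[^/:]+)(?::(?<port>\*|\d+))?(?<path>/.*)?$', 'IgnoreCase')
    if (-not $m.Success) { throw "Unsupported pattern: $Pattern" }
    # each component gets its own anchored regex, so '*' cannot run across '/' or ':' boundaries
    $glob = { param($s) '^' + ([regex]::Escape($s) -replace '\\\*', '.*') + '$' }
    $path = if ($m.Groups['path'].Success) { $m.Groups['path'].Value } else { '/' }   # no path = root only (assumption)
    [pscustomobject]@{
        Pattern = $Pattern
        Scheme  = $m.Groups['scheme'].Value.ToLowerInvariant()
        Host    = & $glob $m.Groups['host'].Value
        Port    = $m.Groups['port'].Value          # '' when absent, '*' for any port
        Path    = & $glob $path
    }
}

function Test-EdgeAllowListUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$AllowListURLs   # pipe-delimited, exactly as in the app configuration policy
    )
    $uri = [System.Uri]$Url
    foreach ($p in ($AllowListURLs -split '\|' | Where-Object { $_ })) {
        $r = ConvertTo-UrlRule $p
        if ($uri.Scheme -ne $r.Scheme)                                           { continue }
        if ($uri.Host -notmatch $r.Host)                                         { continue }
        if ($r.Port -eq '' -and -not $uri.IsDefaultPort)                         { continue }
        if ($r.Port -ne '' -and $r.Port -ne '*' -and [int]$r.Port -ne $uri.Port) { continue }
        if ($uri.AbsolutePath -notmatch $r.Path)                                 { continue }
        return [pscustomobject]@{ Url = $Url; WorkContext = $true;  MatchedBy = $p }
    }
    [pscustomobject]@{ Url = $Url; WorkContext = $false; MatchedBy = $null }
}

# The list from the post, including the two Android App Proxy prerequisites
$allow = 'https://*.akamaized.net/*|https://*.msocdn.com/*|https://*.msappproxy.net/*|https://*.eskonr.com/*'

@(
    'https://cyberark-koneti.msappproxy.net/PasswordVault/'   # App Proxy app from the post: work context
    'https://evil.example/?next=https://x.msappproxy.net/'    # constructed: host is evil.example, must not pass
    'https://mail.google.com/mail/u/0/'                       # constructed: not listed, so it opens InPrivate
) | ForEach-Object { Test-EdgeAllowListUrl -Url $_ -AllowListURLs $allow } | Format-Table -AutoSize

# Why per-component matching matters: a plain string glob accepts the second URL,
# because its leading '*' swallows 'evil.example/?next=https://x'
'https://evil.example/?next=https://x.msappproxy.net/' -like 'https://*.msappproxy.net/*'
```

Run the check against your own AllowListURLs value before publishing it: any webmail or file-sharing host that comes back with WorkContext = True is the gmail.com case described above, and any App Proxy app that comes back False on the hosts it loads is the Android case.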

--> With AllowListURLs configured, every application or URL you allow runs with the work identity and can reach MAM-protected applications; how data can then move to other apps still depends on your MAM policy settings.

What does an app configuration policy look like that includes the allowed URLs for a protected browser and also bookmarks?

To create an app configuration policy, sign in to https://portal.azure.com, open the Intune App protection blade, click App configuration policies (https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/3) and click Add.

Choose the associated apps as Edge for iOS and Android.


In the Configuration settings, key in the following name/value pairs:

Name: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value: True

Name: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: Algosec|https://algosec-koneti.msappproxy.net/algosec/suite/login.html||Diagnostic|about:intunehelp

Name: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value: https://*.apac.asia/*|https://*.akamaized.net/*|https://*.msocdn.com/*|https://*.msappproxy.net/*|https://*.eskonr.com/*

There are only a few configuration settings supported by Intune Managed Browser/Edge: homepage, bookmarks, allowed and blocked URLs, and setting Edge as the default browser (to take over from Managed Browser).

For more information about app configuration, read https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#how-to-specify-allowed-and-blocked-urls-for-a-protected-browser

 


--> If users have installed Managed Browser or Microsoft Edge on their devices but the app is not managed by Intune, it cannot access data from other Intune-managed applications. So make sure you create app protection policies that include Edge for iOS and Android.

--> If you are using Conditional Access, make sure you have a policy that grants access with 'Require approved client app', because Managed Browser/Edge is an approved client app for Conditional Access.

Azure AD - Managed Browser conditional access policy

--> While testing Edge for iOS and Android, I did not observe DLP issues, and Edge works far better than Intune Managed Browser. It is sleek and the GUI is quite modern. However, there is still a lot of work ahead for Microsoft to improve the end-user experience.

Prompting every time to open links InPrivate is probably not a good idea and may confuse a lot of users. Since an AllowListURLs list is already configured, everything else opens InPrivate anyway. Why does Microsoft prompt users to choose InPrivate mode?

--> If you are moving from Managed Browser to Edge, make sure you send proper communication to end users about how Edge works, mostly the InPrivate prompt. It is up to the user whether to configure a Microsoft account, but URLs not in the allow list can still be opened InPrivate without one.

--> The following summarizes which browser opens links when users have both Edge and Managed Browser on a mobile device:

On Android:

  • Managed Browser if both MB and Edge are on the device, unless the app config setting "com.microsoft.intune.useEdge" is set to "true" for all Intune-managed apps that require a policy-managed browser.
  • Microsoft Edge if only Microsoft Edge is on the device and is targeted with policy.
  • Managed Browser if only Managed Browser is on the device and is targeted with policy.

On iOS, for apps that have integrated the Intune SDK for iOS v. 9.0.9+:

  • Managed Browser if both MB and Edge are on the device, unless the app config setting "com.microsoft.intune.useEdge" is set to "true" for all Intune-managed apps that require a policy-managed browser, or Microsoft Edge if Microsoft Edge is installed and has received policy.
  • Microsoft Edge if only Microsoft Edge is on the device, is targeted with, and has received policy.
  • Managed Browser if only Managed Browser is on the device, is targeted with, and has received policy.

--> When the user signs out of Edge, the browser data is wiped automatically.

--> To troubleshoot managed applications and collect logs to share with a Microsoft representative: on iOS you can still enter about:intunehelp in Edge to reach the Intune diagnostics page, whereas on Android you need to use the Company Portal app to collect the logs.

If you have noticed anything else interesting about Edge, let me know in the comments and I will add it to this post with credit.


How to handle a full OneDrive for Business storage issue


We recently ran into an issue where a user had configured Outlook to store PST files in their OneDrive (Office 365). We had not thought of blocking .pst and .nsf files in the OneDrive sync configuration until it was reported to us.

Storing a PST in OneDrive creates multiple versions, which eat up all the space. We instructed the user to delete some files from OneDrive, but they could not access OneDrive at all because the storage was FULL.

The only option left is to have the SharePoint admin increase the OneDrive quota (if you are eligible, as limits differ between Office 365 plans), exclude the user from any retention policy, and let the user delete the files from OneDrive.

I have given the steps below to fix the issue.

Accessing the user's OneDrive to remove files:

  1. Find the affected user in the Office 365 admin center (https://admin.microsoft.com/AdminPortal/Home#/users)
  2. Click Access files under OneDrive Settings
  3. Note the user's OneDrive URL. If you cannot get it there, open your own OneDrive URL and replace your own UPN with the user's.
  4. For example, the OneDrive URL for eswar.koneti@eskonr.com is https://koneti123-my.sharepoint.com/personal/eswar_koneti_eskonr_com/_layouts/15/onedrive.aspx; swap the personal path for the user's to get the full URL (the dots and @ in the UPN become underscores).

Steps to increase the OneDrive storage to 5 TB (we have Microsoft 365 E5, so we are eligible for 5 TB). Check the maximum OneDrive storage limit for your own subscription.

1) Download the SharePoint Online Management Shell

https://www.microsoft.com/en-us/download/details.aspx?id=35588

2) In the SharePoint Online Management Shell, connect to the tenant:

Connect-SPOService -Url https://[domain]-admin.sharepoint.com

3) The URL is the SharePoint admin center, i.e. https://[domain]-admin.sharepoint.com, not the root site.

4) Run the following to increase the OneDrive storage to 5 TB. -StorageQuota is given in MB (5 TB = 5 x 1024 x 1024 = 5242880). Replace the personal site path with the user's; the safest source is the OneDrive URL you found above:

Set-SPOSite -Identity https://[domain]-my.sharepoint.com/personal/eswar_koneti_eskonr_com -StorageQuota 5242880

Remove the site from the retention policy:

1) Make sure your admin account has been added to Security & Compliance center > Permissions > Organization Management (edit the role group).

2) Run Windows PowerShell as admin.

3) Run the following to connect to Security & Compliance PowerShell (this is the remote session used at the time; the ExchangeOnlineManagement module now provides Connect-IPPSSession for the same endpoint, and Basic authentication for these remote sessions has since been deprecated):

Set-ExecutionPolicy RemoteSigned

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

4) Run the following to exclude the site collection from the retention policy:

Set-RetentionCompliancePolicy -Identity "Policy Name" -AddSharePointLocationException "Site URL"


Exclude the user's OneDrive from the retention policy:

1) Run Windows PowerShell as admin and connect to Security & Compliance PowerShell exactly as in step 3 above.

2) Run the following to exclude the user's OneDrive from the retention policy (you can pass multiple site URLs, comma-separated):

Set-RetentionCompliancePolicy -Identity "Policy Name" -AddOneDriveLocationException "Site URL"

Once the OneDrive quota has been increased, the user can sign in to OneDrive and remove the unnecessary data.

And finally, don't forget to put the user back under the retention policy as your governance requires: the same cmdlet has a -RemoveOneDriveLocationException parameter to drop the exception again.
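Putting the quota and retention steps above together, here is an added PowerShell example that is not the post's own script. It derives the personal-site URL from the UPN the way the post describes (non-alphanumerics become underscores), adds the retention exception, raises the quota, reports quota and usage so the effect is visible, and removes the exception again afterwards. It assumes the SharePoint Online Management Shell and the ExchangeOnlineManagement module (Connect-IPPSSession, the successor to the Basic-auth session shown above); tenant name, UPN and policy name are placeholders, the OneDriveLocationException property name is taken from the cmdlet reference, and the 25 TB upper bound is a value to confirm against your plan.

```powershell
# Added example, not the post's own script: the quota and retention steps above
# as functions, using the SharePoint Online Management Shell and the
# ExchangeOnlineManagement module (Connect-IPPSSession). Tenant name, UPN and
# policy name are placeholders; the 25 TB ceiling is an assumption to confirm.

function ConvertTo-OneDriveSiteUrl {
    # The personal site path is the UPN with every non-alphanumeric turned into '_'
    param([Parameter(Mandatory)][string]$Tenant, [Parameter(Mandatory)][string]$Upn)
    'https://{0}-my.sharepoint.com/personal/{1}' -f $Tenant, ($Upn -replace '[^A-Za-z0-9]', '_')
}

function Unblock-FullOneDrive {
    param(
        [Parameter(Mandatory)][string]$Tenant,          # e.g. 'koneti123' from the URL in the post
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][string]$RetentionPolicy, # name of the policy holding the OneDrive
        [ValidateRange(1, 25)][int]$TB = 5              # Set-SPOSite wants MB: 5 TB = 5242880
    )
    $site   = ConvertTo-OneDriveSiteUrl -Tenant $Tenant -Upn $Upn
    $before = Get-SPOSite -Identity $site | Select-Object Url, StorageQuota, StorageUsageCurrent

    # 1. Take the OneDrive out of the retention policy so the user's deletes are not held
    Set-RetentionCompliancePolicy -Identity $RetentionPolicy -AddOneDriveLocationException $site

    # 2. Raise the quota so the user can sign in and clean up
    Set-SPOSite -Identity $site -StorageQuota ($TB * 1024 * 1024)

    [pscustomobject]@{
        Site          = $site
        QuotaBeforeMB = $before.StorageQuota
        UsedMB        = $before.StorageUsageCurrent
        QuotaAfterMB  = (Get-SPOSite -Identity $site).StorageQuota
        Exceptions    = (Get-RetentionCompliancePolicy -Identity $RetentionPolicy -DistributionDetail).OneDriveLocationException
    }
}

function Restore-OneDriveRetention {
    # Run once the user has cleaned up: a forgotten exception silently weakens retention
    param([Parameter(Mandatory)][string]$Tenant, [Parameter(Mandatory)][string]$Upn,
          [Parameter(Mandatory)][string]$RetentionPolicy)
    $site = ConvertTo-OneDriveSiteUrl -Tenant $Tenant -Upn $Upn
    Set-RetentionCompliancePolicy -Identity $RetentionPolicy -RemoveOneDriveLocationException $site
}

# Offline check of the URL derivation (no tenant connection needed):
ConvertTo-OneDriveSiteUrl -Tenant 'koneti123' -Upn 'eswar.koneti@eskonr.com'

# Usage against the tenant (interactive sign-in for both admin endpoints):
# Connect-SPOService -Url 'https://koneti123-admin.sharepoint.com'
# Connect-IPPSSession
# Unblock-FullOneDrive -Tenant 'koneti123' -Upn 'eswar.koneti@eskonr.com' -RetentionPolicy 'OneDrive hold' -TB 5
# ...after the user has removed the PST files...
# Restore-OneDriveRetention -Tenant 'koneti123' -Upn 'eswar.koneti@eskonr.com' -RetentionPolicy 'OneDrive hold'
```

The returned object gives you the before/after quota and the policy's current exception list, which is what you want in the ticket as evidence that the exception was added and, after Restore-OneDriveRetention, removed again.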

How to block syncing of specific file types to Onedrive client app ?

Sign in to the OneDrive admin center https://admin.onedrive.com/ as a Global Admin or with the necessary permissions.

Click the Sync tab (https://admin.onedrive.com/?v=SyncSettings).

Choose Block syncing of specific file types.


Add the file types without the leading dot (the same setting is exposed in PowerShell as the ExcludedFileExtensions parameter of Set-SPOTenantSyncClientRestriction):

exe
msi
mp3
mp4
avi
nsf
pst

There may be more file types you want to block; it varies from org to org.

When a user tries to add any of the above file types through the OneDrive sync client, they are notified that the file is blocked and it is not synced to the cloud.

But a user can open the OneDrive URL in a web browser, upload those file types, and they sync down to the OneDrive client app. After these files sync to the OneDrive app on the Windows device, any changes to them sync back to the cloud again.

For example, using a web browser I can upload a file with the .AVI extension, which is blocked for sync. After the upload, the file downloads to the OneDrive client on the Windows device.

Once the file has downloaded, if you rename it, the file is blocked immediately and will not sync back to the cloud. This is a current limitation: the block is enforced by the sync client, not by the service, so treat it as hygiene against accidental PST sync rather than as a control that stops those file types reaching OneDrive.

Hope you find this post useful!

How to make Edge browser as default browser on mobile OS for managed apps


Microsoft Edge browser is secure, manageable and provides a rich browsing experience. Using a protected browser with Intune policy (Microsoft Edge), you can ensure company resources are always accessed with corporate safeguards in place. This ties back to your O365 identity.

You can use Microsoft Edge for enterprise scenarios on iOS and Android devices. Microsoft Edge supports all of the same management scenarios as the Intune Managed Browser with the addition of improvements to end-user experience.

The following Microsoft Edge enterprise features are enabled by Intune policies:

  1. Dual-Identity - Users can add both a work account, as well as a personal account, for browsing. There is complete separation between the two identities, which is similar to the architecture and experience in Office 365 and Outlook. Intune admins will be able to set the desired policies for a protected browsing experience within the work account.
  2. Intune app protection policy integration - Admins can now target app protection policies to Microsoft Edge, including the control of cut, copy, and paste, preventing screen captures, and ensuring that user-selected links open only in other managed apps.
  3. Azure Application Proxy integration - Admins can control access to SaaS apps and web apps, helping ensure browser-based apps only run in the secure Microsoft Edge browser, whether end users connect from the corporate network or connect from the Internet.
  4. Managed Favorites and Home Page shortcuts - For ease of access, admins can set URLs to appear under favorites when end users are in their corporate context. Admins can set a homepage shortcut, which will show as the primary shortcut when the corporate user opens a new page or a new tab in Microsoft Edge.

We have users who are still on Managed Browser and who securely access on-premises applications published through Azure AD Application Proxy.

Before we switch users to Microsoft Edge, we need to ensure Edge can handle DLP along with everything Managed Browser does. Edge does a lot more than Managed Browser (listed above); however, DLP is the main concern.

After spending quite some time testing DLP and other functionality in Edge, we finally decided to release Edge to users.

Since this client is in a MAM-only scenario (no device enrollment), we need to educate users and send comms asking them to install Microsoft Edge from the Play Store/App Store. This is a manual task for users, since there is no device management, only MAM.

Once users install Edge, how do we make Edge the default browser so that all URLs open automatically in Edge instead of Managed Browser? There are two options: 1) educate users to uninstall Managed Browser, or 2) keep both apps and make the change on the Intune side.

We do not want to instruct users to uninstall Managed Browser at this point, so we are keeping Edge and Managed Browser side by side for the time being.

While releasing Edge to users, we need to make sure all URLs from managed apps open in Edge.

If users have only Edge or only Managed Browser, no additional configuration is required and you can skip this post.

This post is for those looking to configure Edge as the default browser and take over control from Managed Browser.

Leaving Managed Browser on user devices gives some flexibility to go back in case Edge has issues opening URLs. Technically there shouldn't be a need to use it, but we are leaving it for a while.

Following are the steps to make Edge the default browser over Managed Browser on iOS and Android:

Steps:

1. Sign in to portal.azure.com and browse to Intune App protection (https://portal.azure.com/#blade/Microsoft_Intune_Apps/MainMenu/0), or go to https://devicemanagement.microsoft.com, click Client Apps, then App configuration policies.

2. Leave the existing configuration policies for Managed Browser in place and click Add to create one for Edge.


Provide the name and description.

For Device enrollment type, I chose Managed apps because there is no device enrollment, only MAM.

For Associated app, choose the applications whose URLs you want to open in Edge. If you don't select the apps here, clicking a URL in Outlook, Teams or Yammer will not open it in Edge automatically.

I chose all the apps that are managed by Intune.

Configuration settings:

Name: com.microsoft.intune.useEdge
Value: true

This is the main setting: it ensures Microsoft Edge opens instead of Managed Browser for all Intune-managed apps that require a policy-managed browser.

Additional configuration settings that help are:

Name: com.microsoft.intune.mam.managedbrowser.AppProxyRedirection
Value: true

Name: com.microsoft.intune.mam.managedbrowser.bookmarks
Value: Eskonr|http://eskonr.com||AppCatalog|https://portal.manage.microsoft.com||Diagnostic|about:intunehelp

Name: com.microsoft.intune.mam.managedbrowser.homepage
Value: http://eskonr.com

Name: com.microsoft.intune.mam.managedbrowser.AllowListURLs
Value: http://*.apac.asia/*|https://*.akamaized.net/*|https://*.msocdn.com/*|https://*.msappproxy.net/*|
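Both app configuration policies on this page (the Edge allow-list/bookmarks policy in the earlier post and the useEdge policy above) are the same Graph object with different custom settings. As an added example that is not the post's own code, here is how to assemble that object in PowerShell so the pipe-delimited values are built and validated by code rather than typed into the portal. The Graph endpoint and property names, and the Edge iOS bundle ID (com.microsoft.msedge) and Android package name (com.microsoft.emmx), are assumptions to verify against the Microsoft Graph beta reference for targetedManagedAppConfiguration; the display name and bookmark values are placeholders.

```powershell
# Added example, not the post's own: builds the app configuration body behind the
# portal blade for the Edge keys above, so the pipe-delimited values are assembled
# by code. Graph endpoint, property names and the Edge app identifiers are
# assumptions to verify against the targetedManagedAppConfiguration reference.

function ConvertTo-EdgeBookmarkSetting {
    # bookmarks key format: Name|URL, with pairs separated by '||'
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Bookmarks)
    $pairs = foreach ($k in $Bookmarks.Keys) {
        if ("$k$($Bookmarks[$k])" -match '\|') { throw "'|' is the delimiter and cannot appear in bookmark '$k'" }
        '{0}|{1}' -f $k, $Bookmarks[$k]
    }
    $pairs -join '||'
}

function New-EdgeAppConfigBody {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string[]]$AllowListURLs,
        [System.Collections.IDictionary]$Bookmarks = [ordered]@{},
        [string]$Homepage,
        [switch]$UseEdgeOverManagedBrowser,
        # Apps the policy is associated with. Defaults to Edge itself (assumed IDs);
        # for com.microsoft.intune.useEdge you target the apps that open the links instead.
        [hashtable[]]$Apps = @(
            @{ '@odata.type' = '#microsoft.graph.iosMobileAppIdentifier';     bundleId  = 'com.microsoft.msedge' },
            @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.microsoft.emmx' }
        )
    )
    foreach ($u in $AllowListURLs) {
        if ($u -notmatch '^https?://[^|\s]+$') { throw "Not a URL pattern: $u" }
    }
    $settings = [ordered]@{
        'com.microsoft.intune.mam.managedbrowser.AppProxyRedirection' = 'true'
        'com.microsoft.intune.mam.managedbrowser.AllowListURLs'       = ($AllowListURLs -join '|')
    }
    if ($Bookmarks.Count)           { $settings['com.microsoft.intune.mam.managedbrowser.bookmarks'] = ConvertTo-EdgeBookmarkSetting $Bookmarks }
    if ($Homepage)                  { $settings['com.microsoft.intune.mam.managedbrowser.homepage']  = $Homepage }
    if ($UseEdgeOverManagedBrowser) { $settings['com.microsoft.intune.useEdge'] = 'true' }

    $body = [ordered]@{
        '@odata.type'  = '#microsoft.graph.targetedManagedAppConfiguration'
        displayName    = $DisplayName
        customSettings = @(foreach ($k in $settings.Keys) { @{ name = $k; value = $settings[$k] } })
        apps           = @(foreach ($a in $Apps) { @{ mobileAppIdentifier = $a } })
    }
    $body | ConvertTo-Json -Depth 6
}

$json = New-EdgeAppConfigBody -DisplayName 'Edge work profile' `
    -AllowListURLs 'https://*.apac.asia/*','https://*.akamaized.net/*','https://*.msocdn.com/*','https://*.msappproxy.net/*' `
    -Bookmarks ([ordered]@{ Eskonr = 'http://eskonr.com'; Diagnostic = 'about:intunehelp' }) `
    -Homepage 'http://eskonr.com' -UseEdgeOverManagedBrowser
$json

# To create the policy (needs Connect-MgGraph -Scopes DeviceManagementApps.ReadWrite.All):
# Invoke-MgGraphRequest -Method POST -ContentType 'application/json' -Body $json `
#   -Uri 'https://graph.microsoft.com/beta/deviceAppManagement/targetedManagedAppConfigurations'
```

Building the body this way keeps the allow list reviewable in source control: a pull request that adds a webmail or file-sharing host to -AllowListURLs is visible as a one-line diff, which is exactly the DLP change you want a second pair of eyes on.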


This is not everything. There is another configuration to check (if not already done).

In your app protection policies (iOS and Android), make sure Edge is selected for both platforms with at least the following settings:

In the app protection policy, under Data protection, there is a setting called Send Org data to other apps: set it to Policy managed apps.

Share web content with policy managed browser: Enable


These two settings ensure URLs from Intune-managed apps open in Edge automatically, regardless of whether the device has both Edge and Managed Browser installed.

End user experience:

When a user clicks a URL in a managed app, it launches in Edge automatically.

If users don't have Edge on their mobile device, clicking a URL shows the following screen prompting them to get the Edge app, since per our app configuration the URL opens only in Edge.

In a way this is good: it forces users to install Edge on their devices.


Reference: https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser

SCCM ConfigMgr Current Branch 1902 is now available as in-console and baseline version


Microsoft has released Configuration Manager current branch 1902 as an in-console update and as a baseline version. You can apply this update to sites running 1710, 1802, 1806 or 1810. For a new site, download the 1902 baseline and install from it.

This build includes the features listed below:

Site infrastructure:
  Client health dashboard
  New management insight rules
  Improvement to enhanced HTTP
  Improvement to setup prerequisites

Cloud-attached management:

  Stop cloud service when it exceeds threshold
  Use Azure Resource Manager for cloud services
  Add cloud management gateway to boundary groups

Real-time management:

  Run CMPivot from the central administration site
  Edit or copy PowerShell scripts

Content management:

  Distribution point maintenance mode

Client management:

  Client provisioning mode timeout
  View first screen only during remote control
  Specify a custom port for peer wakeup

Application management:

  Improvements to application approvals via email
  Improvements to Package Conversion Manager

OS deployment:

  Progress status during in-place upgrade task sequence
  Improvements to task sequence media creation
  Specify temporary storage
  Add a label to the media
  Import a single index of an OS image
  Optimized image servicing
  Improvements to Run PowerShell Script task sequence step
  Other improvements to OS deployment

Software Center:

  Replace toast notifications with dialog window
  Software changes are required
  Restart required
  Configure user device affinity in Software Center
  Configure default views in Software Center

Software updates:

  Specify priority for feature updates in Windows 10 servicing

Office management:

  Redirect Windows known folders to OneDrive
  Integration with analytics for Office 365 ProPlus readiness
  Additional languages for Office 365 updates
  Office products on lifecycle dashboard

Phased deployments:

  Dedicated monitoring for phased deployments
  Improvement to phased deployment success criteria

Configuration Manager console:

  Improvements to Configuration Manager console
  Configuration Manager console notifications
  Confirmation of console feedback
  View recently connected consoles
  In-console documentation dashboard
  Search device views using MAC address
  Use .NET 4.7 for improved console accessibility

Read full set of features with description  https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1902 

list of PowerShell cmdlet changes https://docs.microsoft.com/en-us/powershell/sccm/1902-release-notes?view=sccm-ps 

For list of known issues https://docs.microsoft.com/en-us/sccm/core/servers/deploy/install/release-notes 

To download the baseline version of 1902, sign in to the Volume Licensing Service Center or use the Evaluation Center.

For now, Microsoft has released this update via the fast ring. What does fast ring mean? To get the update in the console at this point, you need to run the opt-in script manually before 1902 shows up.

If you are not in a rush and are happy to wait for the slow ring, you can skip the script and continue reading.

Installing this update in-console is similar to previous builds, but always review the latest checklist for installing the update. For more information, see Checklist for installing update 1902. After you update a site, also review the post-update checklist.

For the fast ring, download the PowerShell script from TechNet (https://gallery.technet.microsoft.com/ConfigMgr-1902-Enable-87eef616?redir=0) and copy it to your SCCM site server.

Extract it and run the script from a PowerShell prompt:

1. Launch an elevated command prompt.

2. Run PowerShell.

3. Run the EnableFastUpdateRing1902.ps1 script (bundled in the exe at the link above):

EnableFastUpdateRing1902.ps1 <SiteServer_Name | SiteServer_IP>

where SiteServer refers to the CAS or standalone primary site server.

4. Force a check for the update: go to \Administration\Overview\Cloud Services\Updates and Servicing and click "Check for Updates".

Once you have run the script, close any SCCM console connections and restart the SMS_EXECUTIVE service.

Launch the SCCM console. On the side, open dmpdownloader.log; this log tracks everything related to the download of the update.

In the Updates and Servicing node, click Check for updates.


After a while, the 1902 update appears in the console.

You can monitor dmpdownloader.log for any errors.

Once you see the 1902 update in the console, run the prerequisite check to see whether your site is ready for the upgrade. After a while the status is updated.

Once the prerequisite check has passed, you are good to install the update pack.

Choose the features you want to enable. If you are not sure, you can enable them later, after the update is installed, from the Features node.

Have a pre-production collection ready and select it so the 1902 client is first installed there for validation.

Accept the license terms and click Next.

Check the summary page and click Next.

You will then see the completion page of the wizard.

Now monitor the status of the 1902 update from the Updates and Servicing node or in the log file cmupdate.log.
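Both logs named above (dmpdownloader.log for the download, cmupdate.log for the install) use the CMTrace line format, where the severity is the type attribute (1 info, 2 warning, 3 error). The following PowerShell is an added example, not part of the post or of Configuration Manager, that parses those lines and returns only the warnings and errors so you do not have to scroll past the noise. The log lines in it are constructed to show the format and are not real output, and the log directory is a placeholder for your site's install path.

```powershell
# Added example, not the post's script: a parser for the CMTrace-format lines in
# dmpdownloader.log and cmupdate.log that surfaces warnings/errors (type 2/3).
# The sample lines are constructed to show the format and are not real output;
# the log path in the usage comment is a placeholder for your site install path.

function Get-CMTraceEntry {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    process {
        # <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." ... type="1|2|3" ...>
        $m = [regex]::Match($Line,
            '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?\btype="(?<type>\d)"')
        if (-not $m.Success) { return }   # continuation lines of multi-line entries are skipped
        [pscustomobject]@{
            Time      = '{0} {1}' -f $m.Groups['date'].Value, ($m.Groups['time'].Value -replace '[+-]\d+$', '')
            Component = $m.Groups['comp'].Value
            Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-CMTraceProblem {
    # Returns only warnings and errors, in log order, from a set of log lines
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | Get-CMTraceEntry | Where-Object { $_.Severity -ne 'Info' }
}

# Constructed sample in the dmpdownloader.log format (not real output)
$sample = @'
<![LOG[Checking for updates from the Microsoft service]LOG]!><time="10:30:01.123+000" date="04-10-2019" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="4312" file="dmpdownloader.cpp:100">
<![LOG[Failed to download manifest. HTTP status 407]LOG]!><time="10:30:05.456+000" date="04-10-2019" component="SMS_DMP_DOWNLOADER" context="" type="3" thread="4312" file="dmpdownloader.cpp:250">
<![LOG[Proxy credentials not configured for the service connection point]LOG]!><time="10:30:05.460+000" date="04-10-2019" component="SMS_DMP_DOWNLOADER" context="" type="2" thread="4312" file="dmpdownloader.cpp:251">
'@ -split "`r?`n"

Get-CMTraceProblem -Lines $sample | Format-Table -AutoSize

# Live use on the site server while the 1902 package downloads or installs:
# $logs = 'D:\Program Files\Microsoft Configuration Manager\Logs'   # placeholder: your site install path
# Get-Content "$logs\dmpdownloader.log" -Tail 200 -Wait | Get-CMTraceEntry | Where-Object Severity -eq 'Error'
# Get-Content "$logs\cmupdate.log" -Tail 200 -Wait | Get-CMTraceEntry | Where-Object Severity -ne 'Info'
```

With the Configuration Manager PowerShell module loaded from the console, Get-CMSiteUpdate -Fast lists the update packages the site already knows about, which is a quicker check than refreshing the console for whether 1902 has arrived after the fast-ring script.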

Once the installation has completed, you will see a prompt asking you to install the new console version. Click OK to install the new console.

Configuration manager version:


SCCM Site version: 5.00.8790.1000

SCCM console version: 5.1902.1085.1500

SCCM Client version: 5.00.8790.1005

Happy exploring !

Additional resources:

What’s new in SCCM ConfigMgr 1902 Reporting


Microsoft has released SCCM ConfigMgr Current Branch build 1902 as an in-console update and as a baseline version. You can apply this update to sites running 1710, 1802, 1806 and 1810.

If you want to install new site ,you can download 1902 as baseline . Download baseline version of 1902 from volume licensing or

Once you update your existing site to 1902, you need to upgrade your secondary sites manually: right-click the secondary site and choose Upgrade.

You also need to update your ConfigMgr clients to the latest version to use the newly supported client features.

With 1902 a bunch of new features have been added, which means a number of SQL tables/views have also been added that help us create custom reports.

Following are the newly added SQL views for custom reporting.

v_CH_ClientHealth
v_ClientActionResultOfTaskSummary
v_ClientActionResultSummary
v_ConsoleAdminsData
v_GS_OFFICE_ADDIN
v_GS_OFFICE_DOCUMENTMETRIC
v_GS_OFFICE_VBASUMMARY
v_GS_PHYSICALDISK
v_GS_SYSTEMBOOTDATA
v_GS_SYSTEMBOOTSUMMARY
v_Office_AdoptionStatus
v_Office_EntityLookup
v_Office_ValueLookup
v_OfficeProplusReadinessStrings
v_PhasedDeploymentOperationalDataCI
v_PhasedDeploymentOperationalDataPkgProgram
vSMS_CMPivotResult
vSMS_OfficeProplusReadiness

We can make use of these SQL views to create a variety of dashboards.

Looking at some of the Office SQL views, such as v_GS_OFFICE_ADDIN, v_GS_OFFICE_VBASUMMARY and v_GS_OFFICE_DOCUMENTMETRIC, it is now easier to decide whether to move from 32-bit to 64-bit ProPlus.

The ConfigMgr 1902 build comes with the following Office 365 client management dashboard, which is built from these SQL tables/views.

Microsoft recommends installing 64-bit ProPlus for many reasons. As the following article shows, the default option when installing ProPlus from Office 365 is now 64-bit: https://support.office.com/en-us/article/Choose-between-the-64-bit-or-32-bit-version-of-Office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261#32or64Bit=Newer_Versions

If you still want to go with 32-bit, read the reasons for choosing the 32-bit version. The decision factors for choosing 32-bit depend on the data you get from the Office SQL views above.

We can now create dashboards to monitor system boot time across different models and take action on those with long boot times.

When creating client health reports, we can now use v_CH_ClientHealth, as it contains almost all client health information: last policy request, last DDR, last online time, last offline time, OS, collection membership, etc.

We can now monitor the CMPivot queries run by users and how long each query takes. All this information is stored in vSMS_CMPivotResult. Though it is not a SQL view, access to this table is not granted to ordinary RBAC/console users unless you have SCCM admin or SQL admin access.

Download the SCCM ConfigMgr SQL views documentation for 1902 from TechNet: https://gallery.technet.microsoft.com/SCCM-Configmgr-2012-R2-SQL-5fefdd3b

Happy reporting!

SCCM Management Insights and dashboard in Current Branch 1902


Management insights were introduced in SCCM 1802 to provide information about the current state of your environment. In 1802 only a few insights were included. These insights are based on analysis of data from the site database, and they help you better understand your environment and take action based on pre-defined rules.

With the release of SCCM current branch 1902, more insights have been added to the console, which help you understand your environment better and take action based on the recommendations.

To locate management insights in the console, go to \Administration\Overview\Management Insights.

I am going to list all the management insights (MI) available in CMCB 1902.

There are total 27 management insights available in CMCB 1902.

These insights are grouped into nine categories based on their function, such as collections, packages, applications, boot images, software updates/ADRs, etc.

Management insight group names:

  1. Security
  2. Software Center
  3. Software updates
  4. Applications
  5. Mac OS and Unix
  6. Simplified management
  7. Collections
  8. Cloud Services
  9. Proactive Maintenance

Following is the list of the actual management insights that exist in the SCCM ConfigMgr CMCB 1902 build, along with each rule's description. Hopefully this helps you understand what each rule does.

  1. Unused boot images: These boot images aren't enabled for PXE boot or referenced by any task sequence. Delete these potentially old, unused boot images.
  2. Boundary groups with no assigned site systems: Without assigned site systems, boundary groups can only be used for site assignment and not content lookup. Review whether these boundary groups are appropriate for content lookup.
  3. Upgrade peer cache sources to the latest version of the Configuration Manager client: When you update the site from a Configuration Manager version lower than 1806, this rule verifies that you also update all peer cache sources to the latest client version. The management point doesn't include these peer cache sources in the list of content locations until they are updated to the latest version.
  4. Boundary groups with no members: Boundary groups with no members will not be applicable for site assignment or content lookup. Review and delete any boundary groups that have no members.
  5. Distribution points not serving content to clients: The following distribution points haven't served content to clients in the past 30 days. This metric is based on the download history reported by clients. Review the boundary groups to which these distribution points are assigned. If these distribution points aren't needed, consider removing these site system roles.
  6. Unused configuration items: The following configuration items aren't part of a configuration baseline, and are older than 30 days. Review these potentially unused configuration items.
  7. Enable WSUS Cleanup: Verifies that the option to run WSUS cleanup on the Supersedence Rules tab of the software update point component properties is enabled. This option cleans up expired and superseded updates, improving WSUS performance.
  8. Unsupported antimalware client versions: More than 10% of devices are running versions of System Center Endpoint Protection that are no longer supported.
  9. SCEP for Mac and Linux end of support: Lists the Mac and Linux clients in your environment. These clients may or may not have SCEP installed. Support for SCEP for Mac and Linux ends on December 31, 2018.
  10. Changes to behavior for sending service and diagnostic data to Microsoft from Office: The behavior for sending service and diagnostic data to Microsoft from Office has changed.
  11. Applications without deployments: Lists the applications in your environment that do not have active deployments. This helps you to find and delete unused applications to simplify the list of applications displayed in the console.
  12. Move from hybrid MDM to Microsoft Intune in the Azure Portal: Hybrid MDM is being deprecated on September 1, 2019. It is recommended to migrate from hybrid MDM to Microsoft Intune on the Azure Portal.
  13. Update clients to the latest Windows 10 version: Update Windows 10 devices to the latest version to improve and modernize the computing experience for users. This rule detects if there are any Windows 10 version 1709 or later devices in your environment. If the rule detects any such devices, it turns green.
  14. Assess co-management readiness: Co-management is a solution that provides a bridge from traditional to modern management. Co-management gives you a path to make the transition using a phased approach. This rule helps you understand what steps are necessary to enable co-management.
  15. Enable devices to be hybrid Azure Active Directory joined: Modernize identity on your devices by extending your domain-joined devices to Azure Active Directory (Azure AD). Hybrid Azure AD-joined devices allow users to sign in with their domain credentials while ensuring devices meet the organization's security and compliance standards. This rule helps identify if there are any hybrid Azure AD-joined devices in your environment. If the rule detects any such devices, it turns green.
  16. Client settings aren't configured to allow clients to download delta content: Some software updates synchronized in your environment include delta content. Enable the client setting, 'Allow clients to download delta content when available.' If you don't enable this setting, when you deploy these updates, clients will unnecessarily download more content than they require.
  17. Collections with no query rules and no direct members: Lists the collections in your environment that have no members or query rules. You can delete these collections to simplify the list of collections in your hierarchy.
  18. Empty Collections: Lists the collections in your environment that have no members. You can delete these collections to simplify the list of collections displayed when deploying objects, for example.
  19. Collections with query time over 5 minutes: Lists the collections in your environment that have a query with an execution time of over 5 minutes. Review the query rules associated with the collection and consider modifying or deleting the collection.
  20. Collections with no query rules and schedule full evaluation selected: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  21. Collections with no query rules and enabled for any schedule: This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for evaluation.
  22. Collections with the same re-evaluation start time: Lists the collections in your environment that have the same re-evaluation time as other collections. You can modify the re-evaluation time so they do not conflict with each other.
  23. Collections with no query rules and incremental updates enabled: Lists the collections in your environment that have no query rules and have incremental updates enabled. This configuration causes potentially unnecessary load on the site and should be reviewed and either deleted or disabled for incremental evaluation.
  24. Non-CB Client Versions: This lists all clients running client versions from ConfigMgr builds before Current Branch.
  25. Update clients to a supported Windows 10 version: Some clients in your environment are running a Windows 10 version that is no longer supported, or will reach end of service within the next three months.
  26. Direct your users to Software Center instead of Application Catalog: This rule checks if any users installed or requested applications from the Application Catalog in the last 14 days. The primary functionality of the Application Catalog is now included in Software Center. Support for the Application Catalog web site ends with the first update released after June 1, 2018. Update any end-user documentation and shortcuts to use Software Center.
  27. Use the new version of Software Center: Software Center has a new, modern look. The previous version of Software Center is no longer supported. Set up clients to use the new Software Center by enabling the client setting, Computer Agent > Use new Software Center.

To see the status of each rule, you can either check the SCCM admin console by clicking the insight group and going through each rule, or use an SCCM report. Taking action, however, can only be done from the SCCM console, not from reporting.

The rules are evaluated on a schedule and their status (completed, failed or in progress) is displayed in the console. If a rule has failed or needs action, review the rule and take the necessary action.

The management insight rules reevaluate their applicability on a weekly schedule. To reevaluate a rule on-demand, right-click the rule and select Re-evaluate.

The log file for management insight rules is SMS_DataEngine.log on the site server.

For example, the rule Collections with query time over 5 minutes checks all your CM collections and finds the ones whose evaluation takes more than 5 minutes.

To find out how many of these rules need your action, you have to click on each group and check the status, which is a time consuming process.

Starting in version 1810, the Management Insights node includes a graphical dashboard. This dashboard displays an overview of the rule states, which makes it easier for you to show your progress.

The management insights newly added in 1902 are also included in the dashboard.

Note that this dashboard is available only in the console. To view the MI statistics through the reporting URL, you need to build a custom report.

This dashboard is based on the SQL tables vSMS_ManagementInsights and ManagementInsightRulesLocalizedData. These are not SQL views, so non-SCCM administrators (users granted an RBAC role) cannot access these SQL tables.

Following is the SQL code you can use to create a custom SSRS report.

-- Management insight rules with their localized names and a readable status
SELECT
MI.Id,
MI.GroupID,
loc.RuleName As Name,
-- Status column: 1 = completed, -1 = action needed, anything else = in progress
case when MI.Status='1' then 'Completed' when MI.status='-1' then 'Action Needed' else 'Progress' end as 'Status',
MI.Results,
MI.LastRunTime,
MI.LastSuccessfulRunTime,
MI.Duration,
MI.Error,
MI.MoreInfoLink,
MI.ActionType
FROM vSMS_ManagementInsights MI
LEFT JOIN ManagementInsightRulesLocalizedData loc ON MI.Id = loc.Id
order by 2  -- sort by GroupID
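If you would rather get the "how many rules need my action" answer without building an SSRS report or clicking through every group, the following PowerShell script runs the same query directly against the site database and summarises the result per insight group. This is an added example, not code from the original post; the SQL Server name, database name and the use of a Windows account with read access to the site database are placeholders and assumptions you need to adjust.

```powershell
# Added example: summarise management insight status per group from the site database.
# Assumptions (not from the post): the SQL Server instance, database name and a Windows
# account with read access to the site database are placeholders you must adjust.
param(
    [string]$SqlServer = 'SQLSERVER01.contoso.local',   # placeholder: site database server
    [string]$Database  = 'CM_P01'                        # placeholder: site database name
)

# Same query as the post's SSRS report, with the status mapping done in SQL.
$query = @"
SELECT MI.Id, MI.GroupID, loc.RuleName AS Name,
       CASE WHEN MI.Status = '1' THEN 'Completed'
            WHEN MI.Status = '-1' THEN 'Action Needed'
            ELSE 'Progress' END AS Status,
       MI.LastRunTime, MI.Duration, MI.Error
FROM vSMS_ManagementInsights MI
LEFT JOIN ManagementInsightRulesLocalizedData loc ON MI.Id = loc.Id
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
}
finally {
    $conn.Close()
}

# One line per group: how many rules are completed, need action or are still running.
$table | Group-Object GroupID | ForEach-Object {
    [pscustomobject]@{
        GroupID      = $_.Name
        Total        = $_.Count
        Completed    = @($_.Group | Where-Object Status -eq 'Completed').Count
        ActionNeeded = @($_.Group | Where-Object Status -eq 'Action Needed').Count
        InProgress   = @($_.Group | Where-Object Status -eq 'Progress').Count
    }
} | Sort-Object ActionNeeded -Descending | Format-Table -AutoSize

# The rules that need action, with their last run time and any error text.
$table | Where-Object Status -eq 'Action Needed' |
    Select-Object GroupID, Name, LastRunTime, Error | Format-Table -AutoSize
```

Because the script reads the tables directly, the same RBAC caveat from above applies: the account running it needs SQL-level read access to the site database, which a console-only administrator will not have.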

Reference https://docs.microsoft.com/en-us/sccm/core/servers/manage/management-insights

SCCM Configmgr Technical preview build 1903 released


Microsoft released SCCM ConfigMgr Technical Preview build 1903 for this month (March 2019). Technical previews are intended for lab use only and cannot be used in a production environment.

The technical preview introduces new functionality that Microsoft is working on. It introduces new features that aren't yet included in the current branch of Configuration Manager. These features might eventually be included in an update to the current branch. Before we finalize the features, we want you to try them out and give us feedback.

If you already have a technical preview lab running build 1808 or above, you can get this update in the console. If you want to build a new lab, download 1902.2 as the baseline, install it, and then use the in-console update to install build 1903.

The Configuration Manager technical preview version 1902.2 is available as both an in-console update and as a new baseline version. Download baseline versions from the TechNet Evaluation Center.

Please read about the supported hardware and products for the technical preview: https://docs.microsoft.com/en-us/sccm/core/get-started/technical-preview

Features that are introduced in technical preview version 1903:

Cloud services cost estimator: This release introduces a new cost estimator tool in the Configuration Manager console.

Screenshot of cloud services usage estimation tool

Use your distribution point as a local cache server for Delivery Optimization: You can now install the Delivery Optimization In-Network Cache server on your distribution points. By caching this content on-premises, your clients can benefit from the Delivery Optimization feature while you help to protect WAN links.

Reclaim lock for editing task sequences: If the SCCM console stops responding, you can be locked out of making further changes until the lock expires after 30 minutes. This lock is part of the Configuration Manager SEDO (Serialized Editing of Distributed Objects) system.

Drill through required updates: You can now drill through compliance statistics to see which devices require a specific software update. To view the device list, you need permission to view updates and the collections the devices belong to.

Improvement to task sequence media creation: When you create task sequence media, Configuration Manager no longer adds an autorun.inf file. This file is commonly blocked by antimalware products.

To install this update from the console, go to Administration > Updates and Servicing and click Check for updates to see 1903.

image

Once the download completes and the status changes to Ready to install, right-click and choose Install Update Pack.

If the binaries are not downloading, review dmpdownloader.log in the logs folder of the SCCM installation directory. If it is stuck at downloading, try restarting the SMS Executive service and click Check for updates again to see the download progress.

image

Go with the default options as the wizard takes you through.

image

Monitor the installation using the log (cmupdate.log, located in your SCCM install directory) and also from the console (Monitoring > Updates and Servicing Status).

image

After a while the installation completes, and when you launch the console it displays a notification bar at the top to install the new console.

image

Click on install new console.

image

Console version: 5.1906.1021.1000

Site version: 5.0.8800.1000

Happy exploring of technical preview!

Intune managed apps go into a sign-in loop on Android with the message connect to your organization


Issue description:

In an Intune MAM scenario, a user is trying to configure the Outlook/Teams/OneDrive app on an Android device to access corporate resources. The device already has the Company Portal app, which is the broker app for Android (the Authenticator app is the broker app for iOS).

If the user doesn't have the broker app installed on the Android device when authenticating for the first time, the user is redirected to the store to install it (on iOS the broker app is Microsoft Authenticator).

When the user launches the Outlook app, it prompts with the following screen. This happened because the user had been using the Intune-managed Outlook app earlier.

Error shown: Connect to your organization. Sign in to continue accessing work or school data in your apps.

image

When the user clicks Remove account, nothing happens, so the user chooses Sign in, which takes them to the sign-in page.

The user keys in the email address and password; once authenticated with Azure AD/ADFS, an MFA prompt is sent (if MFA is enabled), and after the MFA approval it goes back to the same page as above.

The user cleared the cached data from the Outlook app and from the Company Portal app and tried configuring Outlook again, but it didn't work. The user tried to configure other apps like Teams and OneDrive but still got the same error.

Since this is a MAM scenario, we have no control over the device, and the only option is to guide the user through possible fixes.

Solution:

Remove the broker app (Company Portal) from the Android device and install it again from the Play Store.

Once this is done, the user can launch Outlook/Teams/OneDrive or any other Intune-managed app; it takes them through the device registration process and the apps can be accessed successfully.


How to delegate permissions for managing MFA in Azure Active Directory


There are many UserVoice requests and questions in different forums asking 'How to reset MFA', 'How to delegate permissions for managing MFA' and 'Allow service desk to reset MFA'. Until today, if a user wanted to reconfigure their MFA for whatever reason, the service desk or the user had to reach out to a Global Administrator, the only role that could reset MFA for a user.

Since Global Administrator accounts are very limited (it is recommended not to have more than 2-3 per tenant), it would be difficult for GAs to be available all the time to reset MFA for end users.

Until today, organizations found different ways to delegate permissions to the service desk with the help of PowerShell scripts and other tools to reset MFA for users, but now we don't need any custom solution.

Microsoft has introduced a new role called ‘Privileged Authentication Administrator’: users with this role can set or reset non-password credentials for all users, including global administrators.

Privileged Authentication Administrators can:

  • Force users to re-register against an existing non-password credential (e.g. MFA, FIDO)
  • Revoke ‘remember MFA on the device’, prompting for MFA on the next login of all users

In this blog post we will see how to assign permissions for managing MFA in Azure Active Directory and how the service desk can reset MFA for users.

How to assign permissions?

Log in to the Azure portal using a Global Administrator account: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

image

Click on Azure Active Directory, then click on Roles and administrators.

On the right side you will see “Privileged authentication administrator”: Allowed to view, set and reset authentication method information for any user (admin or non-admin).

image

Following are the permissions that users get when you assign this role.



Role permission: Description

  • microsoft.aad.directory/users/invalidateAllRefreshTokens: Invalidate all user refresh tokens in Azure Active Directory.
  • microsoft.aad.directory/users/strongAuthentication/update: Update users.strongAuthentication property in Azure Active Directory.
  • microsoft.azure.serviceHealth/allEntities/allTasks: Read and configure Azure Service Health.
  • microsoft.azure.supportTickets/allEntities/allTasks: Create and manage Azure support tickets.
  • microsoft.office365.webPortal/allEntities/basic/read: Read basic properties on all resources in microsoft.office365.webPortal.
  • microsoft.office365.serviceHealth/allEntities/allTasks: Read and configure Office 365 Service Health.
  • microsoft.office365.supportTickets/allEntities/allTasks: Create and manage Office 365 support tickets.

image

Click on Add

image

You can only add individual users to this role, not AD security groups. So if you have many users, you can either script it or add them one by one.
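For the "script it" route, the following PowerShell uses the AzureAD module to add a list of service desk accounts to the role and then prints the resulting membership for review. This is an added example, not code from the original post; it assumes the AzureAD module is installed, that you connect as a Global Administrator, and the service desk UPNs shown are placeholders.

```powershell
# Added example (not from the post): bulk-assign the Privileged Authentication Administrator
# role to service desk users with the AzureAD PowerShell module.
# Assumptions: the AzureAD module is installed, you sign in as a Global Administrator,
# and the UPNs below are placeholders for your service desk accounts.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$roleName        = 'Privileged Authentication Administrator'
$serviceDeskUpns = @('helpdesk1@contoso.com', 'helpdesk2@contoso.com')   # placeholders

# A directory role only appears in Get-AzureADDirectoryRole once it has been activated
# from its template, so activate it on first use.
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq $roleName
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq $roleName
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

$currentMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)

foreach ($upn in $serviceDeskUpns) {
    $user = Get-AzureADUser -ObjectId $upn
    if ($currentMembers.ObjectId -contains $user.ObjectId) {
        Write-Host "$upn is already a member of $roleName"
        continue
    }
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $upn to $roleName"
}

# Review the final membership. This role can reset MFA for any user, including Global
# Administrators, so the list is worth checking regularly and keeping as short as possible.
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object UserPrincipalName, DisplayName
```

The membership check before each add keeps the script safe to re-run, and the final listing gives you the same view the portal shows after the permissions are added.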

Once the permissions are added, you will see the list of users. The permissions take effect immediately.

image

With this, we have completed assigning the permissions to reset MFA for users.

How can the service desk reset MFA for users?

Service desk users can go to https://portal.azure.com or https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

Click on All users and enter the user name or email address.

image

Click on the user account

 image

Click on Authentication methods on the left side.

image

You will see 2 options here:

Require MFA re-registration: Require this user to go through the MFA registration process again. This will not delete existing authentication methods but will require a user to validate them.

Revoke MFA sessions: Clear this user's remembered MFA sessions and require this user to perform MFA the next time it's required by policy on this device.

To reset MFA for the user, click Require MFA re-registration; you will see the operation complete in the top right corner.

image

With this permissions assignment, it is also possible to find out who reset the MFA for a specific user.

How to find out who reset MFA for a specific user?

From Azure Active Directory, go to All users, search for the user and click on Audit logs:

Under Audit logs, it lists all activities initiated by a user.

For an MFA reset, the activity name is Update user with category UserManagement, initiated by eswar koneti. This is the user who reset the MFA for the target user, based on the permissions we provided above.

image

If you want to revoke the MFA sessions, choose the other option.

This is a great option to route all MFA reset requests to the service desk.

The list of available roles can be found at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

SCCM Secondary site upgrade Failed to create process of SetupWpf.exe. return value 1


Issue Description:

A few months ago, I migrated the primary SCCM site along with its secondary sites to SCCM build 1806. The update of the primary site and the secondary site upgrades went fine except for one secondary site.

The failed secondary site threw the following error in the log.

On the secondary site, in the root of the C:\ drive, you will find a log called ConfigMgrSetup.log.

image

Server components are experiencing fatal errors.

Failed to create process of SetupWpf.exe. return value 1

Error code 1 means Incorrect function.

While reading the log file, I found the line Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe

It looked to me like it was failing to register smsprov.dll and just hung there for a long period (almost an hour).

I looked at the AV (antivirus) to see whether something was holding the process for a long time, but there was nothing. I even tried disabling the AV, but no luck.

Without waiting any further, I rebooted the server and initiated the secondary site upgrade using the SCCM console.

This time, it failed again with the same error code. I could not troubleshoot much further, so I raised a support case to identify the root cause and fix it.

The support engineer collected the dump file and also procmon logs to find the root cause.

We noticed that the TMP folder is created and all files exist. However, the log stopped at “INFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~”. No further log entries after 30 minutes. Then bootstrap deletes the TMP file.

  1. Going through the previous log, we notice that it took several hours for the registration to work. This is not correct behavior.

10-06-2018 12:44:05.261    Configuration Manager Setup    5196 (0x144c)    INFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~

10-06-2018 18:27:37.251    Configuration Manager Setup    5196 (0x144c)    INFO: Registered OCX: D:\Configmgr\bin\x64\extnprov.dll with regsvr32.exe~

  2. Manually run regsvr32.exe extnprov.dll. It did not finish. Check Process Monitor: we see the process is there but it did not progress.
  3. We check Analyze Wait Chain; it shows the blocking process is lsass.

clip_image001

  4. We restart the secondary site; it still does not work.
  5. Collected DUMP files of both lsass and regsvr32. The DUMP shows that regsvr32 calls lsass. lsass sends a request to the DC, but there is no information back. Below are details from the DUMP. “SMS Admins” is one default name; it will not display the exact account name.

The regsvr32.exe process is stuck on the following call stack, which invokes the RPC call LsaLookuprTranslateNames3 for the account “SMS Admins” to the LSASS.EXE process.

We tried possible solutions to fix the issue, but none of them worked. The support engineer discussed it internally and came back with the following workaround, which is really simple.

Solution:

On the secondary site (SS2), open Local Users and Groups.

  1. Click More Actions  > New Group…
  2. Set group name as SMS Admins.

image

After you create the SMS Admins group, re-initiate the secondary site upgrade; that will fix the issue.
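To recognise this stall quickly on the next secondary site upgrade, rather than waiting an hour per DLL, the following PowerShell scans ConfigMgrSetup.log for consecutive "Registered OCX" lines that are too far apart and, when it finds one, applies the workaround from the post by creating the local SMS Admins group. This is an added example, not code from the original post or from Microsoft support. It assumes the log sits in C:\ as described above, that the log timestamps are MM-dd-yyyy (an assumption about the log format), and the two sample lines embedded in it are constructed in the shape of the lines quoted above.

```powershell
# Added example (not from the post): spot the regsvr32 stall in ConfigMgrSetup.log and
# apply the workaround of creating a local "SMS Admins" group before retrying the upgrade.
# Assumptions: ConfigMgrSetup.log lives in C:\ as in the post; timestamps are read as
# MM-dd-yyyy (assumed log format); the sample lines below are constructed.

# Constructed sample in the shape of the two lines quoted in the post.
$sampleLog = @(
    "10-06-2018 12:44:05.261`tConfiguration Manager Setup`t5196 (0x144c)`tINFO: Registered OCX: D:\Configmgr\bin\x64\smsprov.dll with regsvr32.exe~",
    "10-06-2018 18:27:37.251`tConfiguration Manager Setup`t5196 (0x144c)`tINFO: Registered OCX: D:\Configmgr\bin\x64\extnprov.dll with regsvr32.exe~"
)

function Get-RegisterOcxGaps {
    param([string[]]$Lines, [int]$ThresholdMinutes = 30)
    $pattern = '^(?<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s.*Registered OCX: (?<dll>\S+)'
    $events = @(foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches.ts, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
                Dll  = $Matches.dll
            }
        }
    })
    # A registration that takes longer than the threshold is the symptom described in the post:
    # the gap between one "Registered OCX" line and the next is the time regsvr32 sat waiting.
    for ($i = 1; $i -lt $events.Count; $i++) {
        $gap = $events[$i].Time - $events[$i - 1].Time
        if ($gap.TotalMinutes -gt $ThresholdMinutes) {
            [pscustomobject]@{
                AfterDll = $events[$i - 1].Dll
                NextDll  = $events[$i].Dll
                Minutes  = [math]::Round($gap.TotalMinutes, 1)
            }
        }
    }
}

# Use the real log when it exists, otherwise fall back to the constructed sample.
$logPath = 'C:\ConfigMgrSetup.log'
$lines   = if (Test-Path $logPath) { Get-Content $logPath } else { $sampleLog }
$stalls  = @(Get-RegisterOcxGaps -Lines $lines)
$stalls | Format-Table -AutoSize     # sample data: smsprov.dll -> extnprov.dll, 343.5 minutes

if ($stalls.Count -gt 0) {
    # Workaround from the post: create the local group so the "SMS Admins" lookup no longer
    # has to wait on the DC. Get-LocalGroup/New-LocalGroup need the LocalAccounts module
    # (Windows Server 2016 or later).
    if (-not (Get-LocalGroup -Name 'SMS Admins' -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name 'SMS Admins' -Description 'Created to work around the secondary site upgrade stall'
        Write-Host 'Created local group SMS Admins; re-initiate the secondary site upgrade from the console.'
    }
}
```

Run it on the secondary site in an elevated PowerShell session. The 30-minute threshold matches the point at which the support engineer observed the log going quiet; lower it if you want to catch the stall earlier.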

A few weeks ago, at a different customer, I ran into the same issue for 2 of the secondary sites while upgrading to SCCM build 1810. After creating the SMS Admins group locally, the secondary site installation went fine.

I hope this solution solves the mystery of installing secondary sites.

Microsoft introduced Office cloud policy service for Office 365 ProPlus


Microsoft made Office cloud policy service for Office 365 ProPlus generally available and supported for all Office 365 ProPlus customers.

The Office cloud policy service is a cloud-based service that enables you to enforce policy settings for Office 365 ProPlus on a user’s device, even if the device isn’t domain joined or otherwise managed. The policy settings roam to whichever device the user signs into and uses Office 365 ProPlus.

The Office cloud policy service is part of a portal for managing Office 365 ProPlus and includes many of the same user-based policy settings that are available when using Group Policy on Windows Server.

The Office cloud policy service manages only user-based policies for Office 365 ProPlus, irrespective of what device you use. Please read the FAQ section at the bottom of this post for the differences between the Office cloud policy service and GPO.

What are the requirements for using the Office cloud policy service?

  • At least Version 1808 of Office 365 ProPlus (monthly or semi-annual channel does not matter as long as it meets ProPlus version 1808) or higher of Project Online Desktop Client or Visio Online Plan 2 (previously named Visio Pro for Office 365).
  • Office cloud policy service can’t be applied to other commercial versions of Office that use Click-to-Run, such as Office 365 Business, Office Professional Plus 2019, or Office Standard 2016.
  • User accounts created in or synchronized to Azure Active Directory (AAD). The user must be signed into Office 365 ProPlus with an AAD-based account.
  • Security groups created in or synchronized to Azure Active Directory (AAD), with the appropriate users added to those groups.
  • To create a policy configuration, you must be assigned one of the following roles in Azure Active Directory (AAD): Global Administrator, Security Administrator, or Desktop Analytics Administrator.

The Office cloud policy service isn't available to the following:

  • Customers with Office 365 operated by 21Vianet, Office 365 Germany, Office 365 GCC, or Office 365 GCC High and DoD plans.
  • Tenants located in Australia, Brazil, Germany, India, or South Korea.

Once you meet the requirements listed above, we will start creating a policy configuration and deploying it to users:

  • Build a policy configuration that includes the policies you want to enforce, configured for your organization’s needs. The service is always up to date and includes the latest policies as they are released.
  • Target a group of users by assigning the policy configuration to a specific AAD security group.
  • Policies are automatically enforced as users sign into Office 365 ProPlus.
  • Health reporting is available for each of the policy configurations, letting administrators know that the policies are getting deployed to users and their devices.

Log in to https://config.office.com/officeSettings/

  1. On the Office Customization page, choose Go to Office policy management.

image

If no policy configurations have been created yet and this is the first time, you will be prompted with the following screen.

image

On the Policy configurations page, choose Create.

On the Create policy configuration page, do the following:

  • Enter a name.
  • Provide a description (optional).
  • Select the AAD-based security group that is assigned to the policy configuration. Each policy configuration can only be assigned to one group, and each group can only be assigned one policy configuration.
  • Configure the policy settings to be included in the policy configuration. You can search on the policy setting name to find the policy setting that you want to configure. You can also filter on the application and on whether the policy has been configured.

As you can see below, there are 1334 policy settings available.

image

For now, I will search for outlook and choose Empty the Deleted Items folder when Outlook closes (this is only for testing).

 

image

Choose true to enable this setting.

 

image

Once you are done with the policy, you will see the following screen, which allows you to change the order of priority and offers a Copy from option.

 

image

To change a policy configuration, select the policy configuration on the Policy configurations page, and then choose Edit. Make the appropriate changes and then choose Save. You can find the configured policies by filtering on status.

If you want to create a new policy configuration that is similar to an existing policy configuration, select the existing policy configuration on the Policy configurations page, and then choose Copy from. Make the appropriate changes and then choose Save.

We have now created the cloud policy configuration and applied it to an AAD security group. We will now monitor the results in Outlook for the setting we configured.

How to monitor the settings that are applied to users:

Policy settings from the Office cloud policy service are stored in the registry under HKEY_CURRENT_USER\Software\Policies\Microsoft\Cloud\Office\16.0 .

Note:  Only user-based policy settings are available. Computer-based policy settings aren’t available.

The Click-to-Run service used by Office 365 ProPlus checks with the Office cloud policy service on a regular basis to see if there are any policy configurations that pertain to the user. If there are, then the appropriate policy settings are applied and take effect the next time the user opens the Office app, such as Word or Excel.

For example, when a user signs into Office on a device for the first time, a check is immediately made to see if there is a policy configuration that pertains to the user. If the user isn't a member of an AAD group that is assigned a policy configuration, then another check is made again in 24 hours. If the user is a member of an AAD group that is assigned a policy configuration, then the appropriate policy settings are applied and a check is made again in 90 minutes. In the event of an error, a check is made when the user opens an Office app, such as Word or Excel. If no Office apps are running when the next check is scheduled, then the check will be made the next time the user opens an Office app.

If the user is a member of multiple AAD groups with conflicting policy settings, priority is used to determine which policy setting is applied. The highest priority is applied, with “0” being the highest priority that you can assign. You can set the priority by choosing Reorder priority on the Policy configurations page.

Also, policy settings implemented by using Office cloud policy service take precedence over policy settings implemented by using Group Policy on Windows Server, as well as taking precedence over preference settings or locally applied policy settings.
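To check what the Click-to-Run service has actually delivered to a user, and to see where a cloud policy overrides the same setting from Group Policy, the following PowerShell reads the registry location given above and compares it with the Group Policy location. This is an added example, not code from the original post or from Microsoft. The cloud path comes from the post; the Group Policy path HKCU\Software\Policies\Microsoft\Office\16.0 is the standard location for Office 16.0 user policies and is assumed here for the comparison.

```powershell
# Added example (not from the post): list the Office cloud policy settings delivered to the
# current user and show where they override the same setting from Group Policy.
# Assumptions: Office 365 ProPlus 16.0 registry layout; the Group Policy path below is the
# standard HKCU\Software\Policies\Microsoft\Office\16.0 location (assumed for the comparison).

$cloudRoot = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'   # path from the post
$gpoRoot   = 'HKCU:\Software\Policies\Microsoft\Office\16.0'         # assumed GPO location

function Get-PolicyValues {
    param([string]$Root)
    # Walk every subkey under the root and flatten each value into (relative key, name, data).
    if (-not (Test-Path $Root)) { return @() }
    $keys = @(Get-Item $Root) + @(Get-ChildItem $Root -Recurse)
    foreach ($key in $keys) {
        $relative = $key.Name.Substring($key.Name.IndexOf('16.0') + 4).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $relative
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

$cloud = @(Get-PolicyValues -Root $cloudRoot)
$gpo   = @(Get-PolicyValues -Root $gpoRoot)

if ($cloud.Count -eq 0) {
    # Matches the observation in the post: the Cloud key only appears after Click-to-Run has
    # completed a check-in with the policy service (up to 24 hours for a newly signed-in user).
    Write-Host "No cloud policy settings found under $cloudRoot yet; Office has not checked in, or the user is not targeted."
    return
}

Write-Host "Cloud policy settings applied to ${env:USERNAME}:"
$cloud | Format-Table Key, Name, Value -AutoSize

# Settings present in both places with different data: the cloud value wins per the
# precedence rules described above, so these are the ones worth explaining to users.
$conflicts = foreach ($c in $cloud) {
    $match = $gpo | Where-Object { $_.Key -eq $c.Key -and $_.Name -eq $c.Name }
    if ($match -and $match.Value -ne $c.Value) {
        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; CloudValue = $c.Value; GpoValue = $match.Value }
    }
}
if ($conflicts) {
    Write-Host 'Settings where the cloud policy overrides Group Policy:'
    $conflicts | Format-Table -AutoSize
}
```

Run it in the signed-in user's own session, since both hives are under HKEY_CURRENT_USER; an elevated session under a different account will show that account's policies instead.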

I logged into my Windows 10 PC that has ProPlus 1808 semi-annual and verified the registry, but there is no Cloud folder as such.

image

Registry location:

image

I need to wait for some time for the changes to be applied on my device in my user profile. Once the policies are applied, the content of the Deleted Items folder will be emptied after Outlook closes.

Troubleshooting tips:

If the expected policies haven't been correctly applied to a user's device, try the following:

  • Make sure the user is signed into Office 365 ProPlus, has activated it, and has a valid license.
  • Make sure the user is part of the appropriate security group.
  • Check the priority of the policy configurations in OCPS.  If the user is in multiple security groups that have policy configurations assigned to them, then the priority of the policy configurations determines which policies take effect.
  • In some cases, policies might not be applied correctly if two users with different policies sign into Office 365 on the same device and during the same Windows session.

FAQ:

  1. Does the Office client policy service replace Group Policy management options?
    No, this service provides an alternative to Group Policy management. Group Policy management enforces policies on Windows PCs joined to an Active Directory domain, while the Office client policy service only requires the user sign into Office using their corporate credentials (Azure Active Directory) along with a valid Office 365 ProPlus license.
  2. What are primary differences between the types of policies I can enforce using Office client policy service compared to Group Policy?
    Office client policy service manages only user-based policies for Office 365 ProPlus. Group Policy can manage both user-based and machine-based policies.
  3. How does the Office client policy service compare with the Office Customization Tool for Click-to-Run’s application preferences settings?
    The settings configured as part of Office installation using the Office Customization Tool for Click-to-Run – as well as previous OCT versions – are based on ‘preferences’, meaning that a user can change them. Office client policy service settings are enforced, like Group Policy enforcement.
  4. If I use Group Policy Management and the Office cloud policy service, how will conflicts be resolved?
    The policies configured in the Office cloud policy service take precedence over any policies configured via Group Policy Management. If there are conflicts, the values specified in the Office cloud policy service for the conflicting policies will be honored.
  5. Can I import policies from Group Policy Management to Office cloud policy service?
    At this time we do not have import capabilities, but we are looking at providing this functionality to help admins migrate.
  6. How is this different from the Administrative Templates feature in Intune for Device configuration?
    The Office cloud policy service is built specifically for managing Office policies in non-domain joined and non-MDM managed scenarios.  Office cloud policy service is available to any customer that owns Office 365 ProPlus.  If used with Intune, the policies configured in Office cloud policy service take precedence over any Office policies managed via Intune.

References:

https://docs.microsoft.com/en-us/DeployOffice/overview-office-cloud-policy-service

https://techcommunity.microsoft.com/t5/Office-365-Blog/The-new-cloud-based-policy-management-service-for-Office-365/ba-p/480676

Hope it helps!

Intune device enrollment the sync could not be initiated 0x82ac019e


Enrolling your devices into Microsoft Intune allows your Windows 10 devices to access your organization's secure data, including email, files and other resources. If your users want to access your organization's data from their BYOD Windows 10 device, they can enroll it themselves in a few simple steps, without needing an admin.

Here is the quick start: Enroll your Windows 10 device https://docs.microsoft.com/en-us/intune/quickstart-enroll-windows-device

Even though the steps to enroll a Windows 10 device using the quick start guide are simple, it is still worth creating user guide documentation with the limitations and some FAQs tailored to the organization's needs.

For example, a company may not allow Windows 10 Home edition to be enrolled, due to the limitations of WIP policies on MDM devices. To block Windows 10 Home edition from being enrolled, we can enable the BitLocker setting in an Intune device compliance policy, which only Pro, Enterprise and Education can satisfy (Windows 10 Home edition does not have BitLocker).

Since this is a BYOD scenario, it is difficult to troubleshoot remotely when a user hits an issue.

One of our users tried to enroll a Windows 10 device using the guide and completed the enrollment process.

The user then tried to access Teams on the device, but it failed with the following error:

You can't get there from here, with device state unregistered. This is because we have conditional access configured to grant access only to compliant devices,

so the device must be compliant with the set of device compliance policies we enforce.

I asked the user to check whether the device enrollment was successful. I also checked the Intune portal for the device, but could not find an entry to validate the compliance status.

So I asked the user once more to send a screenshot of the device sync status from the Work or school account page, which is below.

Device Sync Status: The sync could not be initiated (0x82ac019e)

Even though the user tried to enroll the device, the sync did not complete successfully, hence there is no computer entry in the Intune portal.

I checked the EMS (Intune and Azure AD) license, the user's settings and the MDM enrollment group permissions, and everything looked good.

My next ask to the user was to send the Work or school account configuration on the BYOD device.

As you can see in that screenshot, the user's device was already Azure AD joined to the Eskonr.com organization and then enrolled to a different organization, which is not supported by Microsoft.

Enrolling or registering a device into multiple organizations is not supported, because conditional access allows only one identity per device at this time.

So the solution is to unregister the Azure AD join (simply select the Azure AD account and click Disconnect) and then perform the device sync with the account used to enroll the device, so that the sync completes successfully and the user can start accessing the organization's data.
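To spot this situation before asking the user for screenshots, the built-in dsregcmd /status output can be parsed and compared against the tenant the user is supposed to enroll with. The script below is an added example and not part of the original post; the parser keys (AzureAdJoined, TenantName) are the labels dsregcmd prints, the expected tenant name is a parameter you supply, and the sample output block is constructed for illustration (the TenantId in it is a placeholder).

```powershell
# Added example (not from the original post): detect a device that is already
# Azure AD joined to a different organization, the cause of 0x82ac019e above.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$StatusText)
    $state = @{}
    foreach ($line in $StatusText) {
        # dsregcmd prints "Key : Value" pairs; banner and separator lines have no colon
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $state[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $state
}

function Test-DeviceIdentityConflict {
    param(
        # Tenant the user is trying to enroll with (assumption: you know it from the helpdesk ticket)
        [Parameter(Mandatory)][string]$ExpectedTenantName,
        # Defaults to the live tool; pass captured text to analyse a user's output offline
        [string[]]$StatusText = (dsregcmd /status)
    )
    $s      = ConvertFrom-DsregStatus -StatusText $StatusText
    $joined = $s['AzureAdJoined'] -eq 'YES'
    $tenant = $s['TenantName']
    if ($joined -and $tenant -and $tenant -ne $ExpectedTenantName) {
        [pscustomobject]@{
            Result = 'Conflict'
            Detail = "Device is Azure AD joined to '$tenant' but enrollment targets '$ExpectedTenantName'. Disconnect the existing account under Work or school accounts, then sync again."
        }
    } elseif ($joined) {
        [pscustomobject]@{ Result = 'Ok'; Detail = "Device is Azure AD joined to the expected tenant '$tenant'." }
    } else {
        [pscustomobject]@{ Result = 'NotJoined'; Detail = 'Device is not Azure AD joined; BYOD enrollment can proceed.' }
    }
}

# Constructed sample resembling the Device State section of dsregcmd /status
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Eskonr
                  TenantId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

Test-DeviceIdentityConflict -ExpectedTenantName 'Contoso' -StatusText $sample
```

Run it without -StatusText on the affected device to use the live output; a Conflict result tells the helpdesk to walk the user through the Disconnect step rather than retrying the sync.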

We would expect a clear error message on the device sync status page for this scenario, so the user knows what needs to be done, or at least a mechanism that notifies the user during enrollment that the device is already joined to a different organization and this step cannot be performed.

Here is the UserVoice request for this: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/37477378-dont-allow-windows-enrollment-to-different-org-whe . Please vote for it.

Hope it helps!

Intune app protection policy PIN change experience


You can use Intune app protection policies independently of any mobile device management (MDM) solution, which means that if your devices are already enrolled in AirWatch, MobileIron or BlackBerry, they can still be managed with Intune using mobile application management (MAM).

We are on MAM without enrollment (MAM-WE). So when we set up the Intune MAM protection policy, we chose Require PIN under Access requirements with a value of 4 (the user is prompted to set up this PIN the first time they run the app in a work or school context).

As you can see below in the access requirement settings, we set the PIN length to 4 and also allowed Touch ID, so users can use Touch ID to access the work apps without entering the PIN every time.

After a few months, for security reasons, we decided to change the PIN from 4 digits to 6. But before changing it in production, we needed to understand how it impacts the end user and what guidelines to send them.

So as part of testing, I created a new Intune app protection policy with the minimum PIN length set to 6 and applied it to an AD security group (test users).

When the policy is deployed to users, it won't apply immediately. Take a look at this article explaining app protection policy delivery timing: https://docs.microsoft.com/en-us/intune/app-protection-policy-delivery

You can also use the Intune App Protection Report for iOS and Android to see which MAM policies are applied to a user and their apps; it also tells you the next policy that will be delivered to the user.

When I deployed the policy to myself, I had to wait 30 minutes and then launch an Intune-managed application (Teams, Outlook, etc.).

I was expecting the app to fetch the new policy from Intune and prompt me to change the PIN length from 4 to 6, but it simply asked for Touch ID and let me into the Teams application.

So I decided to try once more: after a few minutes of app inactivity I relaunched the app, and this time I cancelled the Touch ID prompt to see what happens next.

Click Cancel when it prompts for Touch ID.

You will be prompted with the following screen: Update PIN: Your organization has made changes that require you to update your PIN.

Click Reset PIN.

Key in the 6-digit PIN and press Enter.

It will prompt again to re-enter the PIN for confirmation, and you are done.

When you apply this policy to all your users, make sure you inform them how the policy impacts them, ideally with simple steps like the ones above, for a good end-user experience.

Unless users cancel the Touch ID prompt, the PIN change prompt never appears to them.

Hope it helps !

How to configure onedrive settings using intune


A few months ago, Microsoft announced the preview of Administrative Templates, which include hundreds of settings that you can configure for Internet Explorer, OneDrive, Remote Desktop, Word, Excel and other Office programs.

These templates give administrators a simplified view of settings similar to Group Policy, but they're 100% cloud-based.

This feature supports Windows 10 and later.

As part of a mobile device management (MDM) solution, we can use these administrative templates (ADMX) to create configuration profiles for different tasks.

In this blog post we will see how to create a device configuration profile with OneDrive settings and deploy it to users/devices that are enrolled via Intune MDM, Autopilot or Azure AD join.

One requirement I ran into a few weeks ago was to prevent users from changing the OneDrive folder location when they configure OneDrive with their corporate account.

1. Log in to the Intune portal (either via https://portal.azure.com or https://devicemanagement.microsoft.com/ )

2. I am using the device management URL. Click Device configuration, then Create profile.

Key in the Name and Description, set Platform to Windows 10 and later and Profile type to Administrative Templates (Preview), then click Create.

Click Settings to configure the OneDrive application settings.

Under Settings, you will see the list of settings that can be configured for the device, Internet Explorer, Office, etc.

Search for OneDrive and select the policies you want to configure for your organization.

I am going to configure the OneDrive settings marked with red arrows.

Click each setting and choose Enabled.

For the setting Prevent users from changing the location of their OneDrive folder, you need your tenant ID, which can be obtained from Azure Active Directory.

Open this URL https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties and copy the Directory ID value.

Enter the tenant GUID and type the value 1 to enable.

Once the settings are configured they are saved automatically; click Close in the top right corner of the window.

Now open the policy we created, click Assignments and choose the AD security group.

Click Save.

We have created the device configuration profile for OneDrive; we will now verify it on an end-user PC.

End-user experience:

Log in to the Windows 10 device; if the device is not yet Intune enrolled, enroll it using the work/school account.

Upon successful enrollment, it will sync with Intune to get profiles, apps, etc.

After a few minutes the policy is applied and makes the necessary changes to the registry (OneDrive settings).

How do you monitor the ADMX template settings we pushed, using the registry?

After the policy is applied to the device, the registry changes appear under HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive.

When the user tries to configure OneDrive, changing the location is disabled by the admin (Intune) and the default location is C:\users\%username%\<Azure AD tenant name>.
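Rather than opening regedit on each PC, the registry check above can be scripted so the helpdesk gets a yes/no answer per tenant. The function below is an added example, not part of the original post. It assumes, per the OneDrive ADMX template, that the "Prevent users from changing the location of their OneDrive folder" setting lands as a DWORD named after the tenant GUID under HKCU\Software\Policies\Microsoft\OneDrive\DisableCustomRoot; the tenant GUID in the usage line is a placeholder.

```powershell
# Added example (not from the original post): verify the OneDrive folder-location
# lock delivered by the Intune ADMX profile for a given tenant.
function Test-OneDriveLocationLock {
    param(
        # Directory (tenant) ID entered in the Intune profile; placeholder in the usage below
        [Parameter(Mandatory)][string]$TenantId,
        # Policy root written by the ADMX-backed profile (per the OneDrive template)
        [string]$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\OneDrive'
    )
    $key = Join-Path $PolicyRoot 'DisableCustomRoot'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{
            TenantId = $TenantId; Applied = $false
            Reason   = 'DisableCustomRoot key not present (profile not delivered yet, or not assigned to this user)'
        }
    }
    # The value name is the tenant GUID itself, so read it dynamically
    $value   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$TenantId
    $applied = ($value -eq 1)
    [pscustomobject]@{
        TenantId = $TenantId
        Applied  = $applied
        Reason   = if ($applied) { 'Value 1 found for the tenant GUID' }
                   elseif ($null -eq $value) { 'Key present but no value for this GUID; check the GUID typed into the profile' }
                   else { "Unexpected value $value" }
    }
}

# Lists every OneDrive policy value the profile wrote, which is handy when several
# settings were enabled at once (PS* properties are PowerShell metadata, not policy)
function Get-OneDrivePolicyValues {
    param([string]$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\OneDrive')
    if (-not (Test-Path $PolicyRoot)) { return @() }
    Get-ItemProperty -Path $PolicyRoot |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties | Select-Object Name, Value }
}

Test-OneDriveLocationLock -TenantId '00000000-0000-0000-0000-000000000000'
Get-OneDrivePolicyValues
```

Run it in the user's session (the key is under HKCU), after the device has completed a sync; an Applied = False result with the key present usually means the GUID in the profile does not match the directory ID.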

If the device configuration policy is not applied, read this troubleshooting blog post: https://blogs.technet.microsoft.com/configmgrdogs/2018/08/09/troubleshooting-windows-10-intune-policy-failures/

Conditional access to block browser session for intune MDM enrolled devices


I recently worked on a requirement to create a conditional access policy that blocks access to Office 365 via browser apps on Intune-enrolled devices. We are still hybrid Azure AD joined and have yet to move to Azure AD join.

We have BYOD Windows 10 Intune-enrolled devices, and we decided to block browser-based sessions on these enrolled devices using conditional access for apps like OneDrive, Exchange Online, Teams, SharePoint, etc.

To block browser sessions on Intune-enrolled devices, I will be using the device state condition in conditional access, which has been in preview for almost a year.

To read more about the conditions in Azure Active Directory conditional access: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

1. Log in to the Azure portal with an account that has enough rights to create conditional access policies: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies

2. Give it the name Block_browser_BYODW10 and select the users/groups you want to apply this policy to.

3. Under Cloud apps or actions, select the apps you want to block.

4. Under Conditions, Device platforms, set Configure to Yes and under platform select Windows.

For locations, I chose Any location.

5. Under Client apps (preview), set Configure to Yes and select Browser.

This setting matches any session coming from a browser so that it can be blocked.

Browser apps - Browser apps include websites using the SAML, WS-Federation, or OpenID Connect web SSO protocols. This also applies to any website or web service that has been registered as an OAuth confidential client. For example, the Office 365 SharePoint website.

6. Under Device state (preview), we include all device states and in the exclude list choose Hybrid Azure AD joined devices.

Exclude:

This setting excludes all hybrid Azure AD joined devices and includes every other device state.

If you select 'Device marked as compliant' in the exclude list, Intune-enrolled Windows 10 devices that are compliant would be able to access the apps via browser, so we don't select it.

If you have devices that are Azure AD joined, this setting applies to them as well, so be cautious with it.

How do you differentiate Intune-enrolled (BYOD) devices from Azure AD joined (plus Intune) devices with this setting? There is no way at the moment.

This policy blocks access for all device states except hybrid Azure AD joined. Since we are still hybrid Azure AD joined, this is a perfect match for us at this point in time.

7. Now we come to the final setting, Access controls: choose Block access.

With this, we have completed the conditional access policy to block browser apps on Intune-enrolled devices for the selected applications.
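The same policy can be kept as code and created through Microsoft Graph, which makes it easy to stage it in report-only mode and review the sign-in log before switching it to enabled. This is an added example and not part of the original post: the property names follow the Graph beta conditionalAccessPolicy schema as I know it (deviceStates with includeStates/excludeStates is my assumption for the portal's Device state condition, where DomainJoined corresponds to hybrid Azure AD joined); the access token, group IDs and application IDs are placeholders you supply.

```powershell
# Added example (not from the original post): Block_browser_BYODW10 as a Graph
# conditionalAccessPolicy body, defaulting to report-only so it can be validated first.
function New-BlockBrowserByodPolicyBody {
    param(
        [Parameter(Mandatory)][string[]]$GroupIds,   # placeholder object IDs of the targeted groups
        [Parameter(Mandatory)][string[]]$AppIds,     # placeholder app IDs (Teams, SharePoint, Exchange Online, ...)
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )
    @{
        displayName = 'Block_browser_BYODW10'
        state       = $State
        conditions  = @{
            users          = @{ includeGroups = $GroupIds }
            applications   = @{ includeApplications = $AppIds }
            platforms      = @{ includePlatforms = @('windows') }      # step 4
            locations      = @{ includeLocations = @('All') }          # "Any location"
            clientAppTypes = @('browser')                              # step 5
            # step 6: all device states, minus hybrid Azure AD joined (assumed Graph name: DomainJoined)
            deviceStates   = @{ includeStates = @('All'); excludeStates = @('DomainJoined') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }   # step 7
    }
}

function Publish-ConditionalAccessPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Body,
        # Token holding Policy.ReadWrite.ConditionalAccess; obtaining it is outside this example
        [Parameter(Mandatory)][string]$AccessToken
    )
    $json = $Body | ConvertTo-Json -Depth 6
    Invoke-RestMethod -Method Post `
        -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' `
        -Headers @{ Authorization = "Bearer $AccessToken" } `
        -ContentType 'application/json' -Body $json
}

# Build the body and inspect it before anything is sent to the tenant
$body = New-BlockBrowserByodPolicyBody -GroupIds @('<group-object-id>') -AppIds @('<teams-app-id>', '<sharepoint-app-id>')
$body | ConvertTo-Json -Depth 6
# Publish-ConditionalAccessPolicy -Body $body -AccessToken $token
```

Leaving the state at report-only for a few days shows, per sign-in, which users and devices the policy would have blocked, which is the cheapest way to confirm the hybrid-joined exclusion catches everyone it should before enforcing.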

We will now look at the end-user experience on devices that are Intune enrolled, or in any other device state that is not hybrid Azure AD joined:

On an Intune-enrolled Windows 10 device, log in to https://portal.office.com . It works because we blocked only a set of applications, not all cloud apps.

Click the Teams icon and you will see the following message.

You cannot access this right now.

The same happens for all other applications included in the conditional access policy. However, if you access Teams or Outlook via the non-browser (app-based) clients, it works fine.

Hope it is useful


Powershell script to get list of B2B domains that are added in ‘Allow invitations only to the specified domains (most restrictive).’


We can use the Azure portal to invite B2B collaboration users. You can invite guest users to the directory, to a group, or to an application. After you invite a user through any of these methods, the invited user's account is added to Azure Active Directory (Azure AD), with a user type of Guest. The guest user must then redeem their invitation to access resources.

Before you begin , Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. By default, all users and admins can invite guests.

But your organization's external collaboration policies might be configured to prevent certain types of users or admins from inviting guests.

To find out how to view and set these policies, see Enable B2B external collaboration and manage who can invite guests

In our organization, we don't allow normal users to invite guests, and we have collaboration restrictions that allow invitations only to specified domains. These domains must go through an internal approval process.

If a user tries to invite a guest (eswar@eskonr.com) and eskonr.com is not whitelisted, the invitation fails to send.

As you see below, we opted for Allow invitations only to the specified domains (most restrictive), and we have many domains added in the Azure portal for B2B collaboration.

With the list growing, at one point our security team requested a list of all whitelisted domains. I looked for a manual way to select all the domains in the list and copy them, but the portal doesn't allow select-all; the only option is to select and copy one domain at a time.

So I started exploring a PowerShell script to automate this. This request is going to come again and again, so it is better to spend some time preparing a script and keep it ready.

Here is the simple PowerShell script (admittedly not the cleanest way of writing it) to get all whitelisted domains in Azure AD.

$scriptpath = $MyInvocation.MyCommand.Path
# Get the directory the script is stored in
$dir = Split-Path $scriptpath
# Get the current date for the file name
$date = (Get-Date -f dd-MM-yyyy-hhmmss)
# Set the file name to store the output
$Outfile = "$dir\Whitelisteddomains-$date.csv"
# Connect to Azure AD (assumes the AzureADPreview module is installed; Get-AzureADPolicy is preview-only)
Connect-AzureAD
# Fetch the B2B management policy; its Definition holds the JSON document shown in the allow/deny list docs
$policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq "B2BManagementPolicy" }
if (-not $policy) { throw "No B2BManagementPolicy found; the tenant may still be on the default collaboration settings." }
# Parse the JSON instead of slicing the string; AllowedDomains is the whitelisted-domain list
$definition = $policy.Definition[0] | ConvertFrom-Json
$allowedDomains = $definition.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
# Write one domain per line
$allowedDomains | Out-File $Outfile -Force

Save the script to a location and run it.

On the PC where you run this script, make sure you have the AzureADPreview module installed. Why preview? Because the Get-AzureADPolicy cmdlet is still in preview and not in the AzureAD module.

When you run the script, it prompts for authentication and goes through conditional access (if you have any) before connecting to Azure AD.

Once you pass authentication, you will see a file named Whitelisteddomains-<date>.csv.

References :

Azure Active Directory B2B Documentation https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/b2b/?view=azuremgmtcdn-fluent-1.0.0

Allow or block invitations to B2B users from specific organizations https://docs.microsoft.com/bs-cyrl-ba/azure/active-directory/b2b/allow-deny-list?view=azuremgmtcdn-fluent-1.0.0

Hope it helps!

Intune RBAC role permissions to wipe only corporate data from Intune-managed apps


Role-based access control (RBAC) helps you manage who has access to your organization’s resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:

  • Global Administrator
  • Intune Service Administrator (also known as Intune Administrator)

We are on MAM only, with no device enrollment. When a device is lost or stolen, or an employee leaves the company, you want to make sure company app data is removed from the device, but you might not want to remove personal data, especially if the device is employee-owned.

To perform a selective wipe, the user who performs the action must have sufficient Intune permissions. Rather than handing out the Intune admin role, we can use RBAC to create a custom role with just the permissions required for a selective wipe.

The following RBAC permissions are needed to perform the selective wipe task.

Add a custom role with the following permissions.

Managed apps: set Read and Wipe to Yes

Managed devices: set Read to Yes

Mobile apps: set Read to Yes

Once you create the RBAC role, assign it to an AD security group with the scope targeted to that group. To know more about scope tags in Intune, read https://docs.microsoft.com/en-us/intune/scope-tags

How to wipe only corporate data from Intune-managed apps https://docs.microsoft.com/en-us/intune/apps-selective-wipe

Reference:

Role-based access control (RBAC) with Microsoft Intune https://docs.microsoft.com/en-us/intune/role-based-access-control

SCCM Configmgr collection SQL identify duplicate computer records with different GUID


I was working on an SCCM report for a client health dashboard. During the report creation I found that some devices appear twice, with different GUIDs and resource IDs but the same hostname.

So I started looking into how to identify the records with duplicate hostnames.

SCCM clients are uniquely identified by a GUID. A GUID is a combination of the client's media access control (MAC) address and the time when the GUID is assigned.

This combination produces a number that is virtually always unique. The GUID assignment occurs during the client discovery and installation processes.

The GUID is stored in the client's registry and in a binary file on the client's hard disk, and also in the SMSCFG.INI file (C:\Windows\SMSCFG.INI).

As you see in the snapshot below, the computer record appears twice, with information gathered through inventory/BGB/discovery.

Take a look at the following screenshots showing 3 different cases.

Device with different resource IDs and Client = Yes

With this information, I started looking at SQL to write a query and convert it to a collection, so that it would be easy to clean up records in an automated way.

Device with different resource IDs and Client = No

Device with different resource IDs and Client = No

So I went to the site hierarchy settings to check the conflicting records setting, but it was applied correctly:

Why does this happen? An old article, but still valid: https://support.microsoft.com/en-us/help/837374/how-to-locate-and-clean-advanced-client-duplicate-guids-in-sms-2003

If you have the maintenance task enabled, these obsolete or inactive stale records are taken care of by it, but do you want to wait until the default maintenance task runs?

Here is the SQL query to find the list of devices that appear more than once in the SCCM console, with their count.

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by Name0

If you want to see the devices that appear the most times at the top, use the following query:

select name0 [Device Name],count(*) Total from v_r_system
group by name0
having (count(name0))>1
order by 2 desc

If you want to see the list of all such devices with their resource IDs, use the following query (every resource whose name is shared by at least one other resource):

select sys.Name0, sys.ResourceID
from v_R_System as sys
where sys.Name0 in (select Name0 from v_R_System group by Name0 having count(*) > 1)
order by sys.Name0, sys.ResourceID

Create a WQL collection with the following syntax:

I am making use of SMS_R_System with a full join.

select sys.ResourceID,sys.ResourceType,sys.Name,sys.SMSUniqueIdentifier,
sys.ResourceDomainORWorkgroup,sys.Client from SMS_R_System as sys
full join SMS_R_System as sys1 on sys1.ResourceId = sys.ResourceId
full join SMS_R_System as sys2 on sys2.Name = sys1.Name
where sys1.Name = sys2.Name and sys1.ResourceId != sys2.ResourceId

P.S.: The above queries only find computer names that appear twice or more with different resource IDs, GUIDs, etc.

Also note that this collection includes the active/live entry along with the inactive entry. I could not find any way to skip the active computers.

You can delete all these records manually or create a scheduled PowerShell script to empty the collection. This way you lose the inventory of the active computers, but they send it back in the next inventory cycle.

Hope it helps!

WIP policy for intune enrolled devices cannot run Visio project desktop application in enterprise context


WIP (windows information protection) is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).

WIP provides:

  • Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
  • Additional data protection for existing line-of-business apps without a need to update the apps.
  • Ability to wipe corporate data from Intune MDM enrolled devices while leaving personal data alone.
  • Use of audit reports for tracking issues and remedial actions.
  • Integration with your existing management system (Microsoft Intune, System Center Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company

To know more about windows information protection, please read https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip 

Issue description:

One of our BYOD users reported that on a Windows 10 Intune-enrolled (MDM) device he is unable to open any work-related Visio/Project files (files protected with WIP).

The following error appears when launching corporate Visio/Project files.

Access has been denied

Launching personal Visio/Project files works fine.

To figure out the issue, I checked Task Manager to see whether the Visio app was running in the personal or the enterprise context.

Go to Task Manager, Details, Select columns, Enterprise context.

As you see above, visio.exe is considered personal instead of enterprise context.

As per the TechNet document https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip , Microsoft Visio and Microsoft Project are not enlightened apps and need to be exempted from the WIP policy.

What does that mean?

Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. So the user has the choice of saving documents as either personal or corporate.

For enlightened apps, you will see options like the ones below.

Visio and Project are unenlightened apps; adding them to the protected apps in the WIP policy means all data in these apps is considered corporate and encrypted by default.

For unenlightened apps, you will see options like the ones below. There is no Personal option; it is always going to be Work.

Solution:

Since Visio/Project are unenlightened apps, how do we get the WIP policy applied to them?

All we know is that adding desktop apps with their publisher information to the protected apps in WIP would do the trick? No and yes; it depends on what settings your WIP policy consists of. I will explain both with the reasons.

To add any unenlightened app to the protected apps, use the following information.

Now let's see whether adding visio.exe to the protected apps as a desktop app would solve this issue.

Consider the scenario above with the answer No:

In my app protection policy for Windows 10, I have the following settings:

In the protected apps, I have an AppLocker policy imported from an XML file and I have also added Visio/Project.

Currently the enterprise AppLocker policy XML file for Office 365 ProPlus contains only specific Office apps, so most other apps published by Microsoft, such as Visio and Project, are not included.

Having both the AppLocker policy XML file and Visio as a desktop app will not make Visio a protected app, due to the conflict, and the user always gets access denied when opening work files.

And if you look at Task Manager, visio.exe runs in the personal context rather than the enterprise context.

Also, looking at C:\windows\system32\applocker\MDM\x\x\enterprisedataprotection\ , the WIP policy arrived at the client successfully.

How do we get this working?

Consider the scenario with the answer Yes, but we will do this a little differently:

If we want to add Visio to the WIP allow list, we remove the enterprise AppLocker policy file from the target apps and create a new desktop app record with only the publisher set to “O=Microsoft Corporation, L=Redmond, S=Washington, C=US” and the remaining entries left as the wildcard “*”, so that every desktop app published by Microsoft is in protected mode. The enlightened apps will still have personal and enterprise contexts, whereas unenlightened apps such as Project and Visio will only run in the enterprise context.

WIP policy configuration:

I removed the existing AppLocker policy for Office 365 and set the publisher information to O=Microsoft Corporation, L=Redmond, S=Washington, C=US, with the remaining entries set to *.
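The publisher string typed into the desktop app entry has to match the signer certificate on the binary, otherwise the entry silently never matches and the app stays in the personal context just as described above. The function below is an added example, not part of the original post: it reads the Authenticode signer subject of an executable and strips the CN component to produce the O=, L=, S=, C= publisher form the WIP and AppLocker rules use. The Visio path in the usage line assumes the default Click-to-Run install location.

```powershell
# Added example (not from the original post): derive the WIP "Publisher" value for a
# desktop app from its Authenticode signature, so the policy entry matches what the
# policy engine evaluates at runtime.
function Get-WipPublisherInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        throw "No valid Authenticode signature on $Path (status: $($sig.Status)); publisher rules need a signed binary."
    }
    # Subject looks like: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
    $subject = $sig.SignerCertificate.Subject
    # WIP/AppLocker publisher rules use the subject without the CN component
    $parts = $subject -split ',\s*' | Where-Object { $_ -notmatch '^CN=' }
    $info  = (Get-Item -Path $Path).VersionInfo
    [pscustomobject]@{
        Binary    = Split-Path -Path $Path -Leaf
        Publisher = ($parts -join ', ')
        Product   = $info.ProductName
        Version   = $info.FileVersion
    }
}

# Compare what the binary carries against the publisher value entered in the WIP policy
function Test-WipPublisherMatch {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PolicyPublisher
    )
    $actual = (Get-WipPublisherInfo -Path $Path).Publisher
    # Publisher comparison in AppLocker is case-insensitive, so normalise both sides
    $actual.ToUpperInvariant() -eq $PolicyPublisher.ToUpperInvariant()
}

# Usage (path assumed: default Click-to-Run location of Visio)
$visio = 'C:\Program Files\Microsoft Office\root\Office16\VISIO.EXE'
Get-WipPublisherInfo -Path $visio
Test-WipPublisherMatch -Path $visio -PolicyPublisher 'O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
```

Running Get-WipPublisherInfo against the other Office binaries confirms they share the same publisher, which is why the single wildcard entry covers them all, and the same check on a third-party tool shows immediately when a separate entry is needed.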

End user experience:

Log in to the Windows 10 BYOD device and perform a device sync from the Work or school account page.

This syncs and downloads the policies and updates the settings.

Now open work Visio/Project files; they open successfully and this time they run in the enterprise context.

There is one disadvantage with this setting: all Visio/Project files will be saved as work files by default.

image

Hope it helps!

Clean up your WSUS database for better performance and SCCM software update compliance

Introduction:

With the recent Current Branch updates starting from 1806, Microsoft is making good improvements to software updates maintenance, but there is a lot more to come. Read about the software updates maintenance tasks available in SCCM: https://docs.microsoft.com/en-us/sccm/sum/deploy-use/software-updates-maintenance

Many SCCM admins think that installing WSUS, doing the initial configuration and configuring the SUP role is enough for software update patching, but that's not true. When you finish the initial WSUS configuration, you go to the SUP properties and start selecting classifications and products. Based on this selection, updates get synced from Microsoft. These synced updates include Itanium and many other junk updates. Once the updates are synced successfully, you will see them in the SCCM console under the software updates section. With this you can start patching your clients, but over a period of time, if you don't maintain your metadata/update catalog with a maintenance job (custom scripts/tools), you will hit a lot of issues: high CPU usage (IIS worker process), the WSUS application pool in IIS stopping on its own, client software update scan performance problems, and more.

The top reason for site performance issues, slow client update scans, WSUS application pool failures, etc. is the large number of updates in your WSUS database, which includes superseded, Itanium and other unneeded updates. If you decline all unused, Itanium and superseded updates at regular intervals, your site server will perform better and your clients will complete their update scans quickly, which helps achieve a better compliance rate.

There are countless questions asked in various forums about WSUS and software update scan issues, and several posts are available with maintenance solutions.

After going through many forums, blog posts and suggestions from Microsoft, I have come up with a standard document that I use every time as part of SUP maintenance in every SCCM infrastructure I set up.

This solution consists of PowerShell scripts and SQL reports to clean up/decline the junk updates, which helps improve both site server performance and client update scanning.

How is it different from the built-in SUP maintenance tasks? When running Current Branch 1806 and above, do I still need this solution?

Yes. The built-in software update maintenance does very basic things like expiring superseded updates and cleaning unused updates, but what I am going to describe in this blog post goes further: declining the unneeded updates, configuring WSUS in IIS as per best practices, and more.

If you have CAS, primary and secondary sites, perform these steps from bottom to top (secondary, primary, then CAS).

Steps at a glance:

A) Check the status of the WSUS database with the count of updates. This count decides the catalog size.

B) Decline Itanium and other junk updates that you don't use in your infrastructure.

C) Decline superseded updates.

D) Perform SQL indexing.

E) Invoke the WSUS configuration (best practice).

F) Troubleshooting.

A) Check the status of the WSUS database with the count of updates:

We will first use some SQL queries to fetch the current status of WSUS with the count of updates before we decline them.

1. Use the appropriate method to back up the WSUS database (SUSDB). For related information, see Create a Full Database Backup (SQL Server).

2. Once the database is backed up, run the following SQL query against your WSUS database to see the count of updates (superseded, declined, total, live, etc.). It is always good to validate the results before and after the cleanup task.

3. I assume your WSUS DB is running on SQL Server and not on the Windows Internal Database. If your WSUS database is running on Windows Internal Database (WID), follow this guide to connect and then run the following SQL query.

4. Open SQL Server Management Studio, connect to your secondary site database (if you have one, else primary, then CAS) and run the following SQL query:

-- get the count of total, live, superseded and declined updates
use SUSDB;
select
  (select count(*) from vwMinimalUpdate) as 'Total Updates',
  (select count(*) from vwMinimalUpdate where Declined = 0) as 'Live Updates',
  (select count(*) from vwMinimalUpdate where IsSuperseded = 1) as 'Superseded',
  (select count(*) from vwMinimalUpdate where IsSuperseded = 1 and Declined = 0) as 'Superseded but not declined',
  (select count(*) from vwMinimalUpdate where Declined = 1) as 'Declined',
  (select count(*) from vwMinimalUpdate where IsSuperseded = 1 and Declined = 1) as 'Superseded & Declined';


Total Updates: count of all updates, including superseded and declined ones. This is everything in your WSUS DB.

Live updates: count of updates that are not declined. This includes superseded and non-superseded updates as long as they are not declined. These are the updates used to generate the update catalog file.

Superseded: count of all superseded updates.

Superseded but not declined: count of superseded updates that have not been declined yet.

Declined: count of declined updates. Declined updates never go into the update catalog file.

Superseded & declined: count of updates that are both superseded and declined.

As you can see above, the total number of live updates considered for the update catalog is 18000+. That produces a large catalog file, and with this many updates it also loads the CPU and memory of your WSUS server, because clients constantly talk to WSUS to download the catalog.

B) Decline Itanium and other junk updates that you don't need in your infrastructure.

Now download and extract the PowerShell scripts and SQL files that are available here.

The download contains the following files:


The following two customized PowerShell scripts decline the unused/superseded/Itanium updates:

b.1) Decline-OtherUpdates.ps1

b.2) Decline-supersededUpdates.ps1 / Decline-SupersededUpdatesWithExclusionPeriod.ps1

The Decline-OtherUpdates script declines updates whose titles contain the following strings, because I don't use them in my infrastructure:

Itanium
ia64
ARM64-based Systems
Windows 10 (consumer editions)
Windows 10 Education
Windows 10 Team
Windows 10 Insider Preview

Review the titles and change them as needed.

Run the PowerShell script with the command line: .\Decline-OtherUpdates.ps1 -UpdateServer YourWSUSServerName -Port 8530 -DeclineItanium

As you can see, 2402 updates were declined. This includes all the titles listed above.

C) Decline superseded updates.

Now we will run the decline superseded updates script.

There are two scripts here: Decline-supersededUpdates.ps1 and Decline-SupersededUpdatesWithExclusionPeriod.ps1. The only difference is that the second one adds an exclusion period matching your SUP settings.

Log in to your secondary site (if you have one), launch PowerShell as administrator and change directory to where you placed the scripts.

To decline superseded updates, we can use ExclusionPeriod as the criterion, so that the updates we decline stay in sync with the software update component properties.

In your Configuration Manager SUP properties, if the supersedence behaviour is set to expire immediately, you don't need the ExclusionPeriod in the PowerShell script; if the supersedence behaviour is configured with X months, I recommend using the same period in the script.


The following command lines show different ways in which PS scripts can be run (if the script is run on a WSUS server, you can use LOCALHOST instead of the actual SERVERNAME).

Based on your SUP settings, if you want to decline all superseded updates, run the following command:
Decline-supersededUpdates.ps1 -UpdateServer SERVERNAME -Port 8530
If you want to decline the superseded updates with an exclusion period, use the following command:
Decline-SupersededUpdatesWithExclusionPeriod.ps1 -UpdateServer SERVERNAME -Port 8530 -ExclusionPeriod 60

With ExclusionPeriod 60, the script gathers the update information from the WSUS server, counts 60 days back from the date you run it, and reports the number of updates that can be declined.

P.S.: Don't compare the SQL query count (18182) with the PowerShell count (18175); they were not run against the same server.

Once the updates are declined, go back to SQL and run the count query against your WSUS DB again to see the status.

This time you should see different counts compared to the first run.

After declining the updates in WSUS, the declined updates still appear in SCCM until you run a software update sync.

Once the software update sync has run on the SCCM server, the changes you made in WSUS appear in the SCCM console.

After the SUP sync, all updates declined in WSUS disappear from the SCCM console.
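As an added example (not one of the scripts from the download link, and not the author's code), here is a single PowerShell function that combines steps B and C: it declines updates whose titles contain the strings listed in section B, and declines superseded updates older than an exclusion period, which is what Decline-SupersededUpdatesWithExclusionPeriod.ps1 does. It uses Get-WsusServer from the UpdateServices module and the IUpdate.Decline() method of the WSUS API; the function name Invoke-WsusDeclineCleanup and the summary object it returns are my own. Run it with -WhatIf first to get the counts without declining anything.

```powershell
# Added example, not one of the scripts from the post. Requires the WSUS
# console (UpdateServices module) on the machine where it runs.
function Invoke-WsusDeclineCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$UpdateServer = 'localhost',
        [int]$Port = 8530,
        [switch]$UseSsl,
        # Title fragments to decline outright: the list from section B. Edit to taste.
        [string[]]$TitlePattern = @(
            'Itanium', 'ia64', 'ARM64-based Systems', 'Windows 10 (consumer editions)',
            'Windows 10 Education', 'Windows 10 Team', 'Windows 10 Insider Preview'
        ),
        # Superseded updates created within this many days are kept (SUP supersedence
        # behaviour "X months"); 0 declines every superseded update ("expire immediately").
        [int]$ExclusionPeriod = 60
    )

    $wsus = Get-WsusServer -Name $UpdateServer -PortNumber $Port -UseSsl:$UseSsl

    # One round trip for the whole catalog. On a never-cleaned SUSDB with 20k+
    # updates this is the call that times out (see Troubleshooting); the SQL
    # cursor in section F is the fallback.
    $all      = $wsus.GetUpdates()
    $live     = @($all | Where-Object { -not $_.IsDeclined })
    $cutoff   = (Get-Date).AddDays(-$ExclusionPeriod)
    $declined = 0

    foreach ($u in $live) {
        $reason = $null
        foreach ($p in $TitlePattern) {
            # Escape the fragment so characters such as [ ] are matched literally.
            if ($u.Title -like ('*' + [WildcardPattern]::Escape($p) + '*')) {
                $reason = "title contains '$p'"
                break
            }
        }
        if (-not $reason -and $u.IsSuperseded -and $u.CreationDate -lt $cutoff) {
            $reason = "superseded, created $($u.CreationDate.ToString('yyyy-MM-dd'))"
        }
        if (-not $reason) { continue }

        # With -WhatIf, ShouldProcess prints the action and returns $false,
        # so the counters still show what a real run would decline.
        if ($PSCmdlet.ShouldProcess($u.Title, "Decline ($reason)")) {
            $u.Decline()
        }
        $declined++
    }

    # Same figures as the SQL count query in section A, before and after.
    [pscustomobject]@{
        TotalUpdates = $all.Count
        LiveBefore   = $live.Count
        Declined     = $declined
        LiveAfter    = $live.Count - $declined
    }
}

# Count first, then decline:
# Invoke-WsusDeclineCleanup -UpdateServer YourWSUSServerName -Port 8530 -ExclusionPeriod 60 -WhatIf
# Invoke-WsusDeclineCleanup -UpdateServer YourWSUSServerName -Port 8530 -ExclusionPeriod 60
```

The title match is applied before the supersedence check so each update is counted once; the LiveAfter figure should line up with the 'Live Updates' column of the SQL query once the SUP sync has run.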

D) Perform SQL indexing

After you decline the updates, SUSDB needs to be re-indexed for optimal performance. See the Re-Indexing the WSUS Database section of the Microsoft WSUS maintenance guide (linked in the references) for details.

Wait until the script has finished executing.


E) WSUS configuration (Best practice)

You will also find the script Invoke-WSUSConfiguration.ps1, which I got from Johan and which I use in every SCCM infrastructure as a best practice.

Take a look at the script to see what it does before you execute it in your infrastructure.
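As an added illustration of what such a configuration script covers (this is not Johan's Invoke-WSUSConfiguration.ps1, and you should still read his script before running it), here is a PowerShell function that applies the WsusPool application pool values recommended in the Microsoft WSUS and SUP maintenance guide listed in the references, changing only the settings that differ from the recommendation and showing the diff first with -WhatIf. The function name Set-WsusPoolBestPractice is my own; it assumes the WebAdministration module is available and that it is run elevated on the WSUS server.

```powershell
# Added example, not the Invoke-WSUSConfiguration.ps1 script the post refers to.
# Applies the WsusPool settings from the Microsoft WSUS/SUP maintenance guide
# (see references); run elevated on the WSUS server. -WhatIf shows the diff only.
function Set-WsusPoolBestPractice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$PoolName = 'WsusPool')

    Import-Module WebAdministration
    $poolPath = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $poolPath)) { throw "Application pool '$PoolName' not found." }

    # Property path on the app pool, recommended value, and the reason.
    # The IIS/WSUS default is in the comment so you can see what each change undoes.
    $desired = @(
        @{ Name = 'queueLength';                             Value = 2000;             Why = 'default 1000; a full queue returns HTTP 503 to scanning clients' }
        @{ Name = 'processModel.idleTimeout';                Value = [TimeSpan]::Zero; Why = 'default 20 min; idle shutdown makes the next client pay for a cold start' }
        @{ Name = 'processModel.pingingEnabled';             Value = $false;           Why = 'default True; a missed ping kills a worker that is busy building the catalog' }
        @{ Name = 'recycling.periodicRestart.privateMemory'; Value = 0;                Why = 'default 1843200 KB; 0 = unlimited, large catalogs exceed 1.8 GB' }
        @{ Name = 'recycling.periodicRestart.time';          Value = [TimeSpan]::Zero; Why = 'default 1740 min (29 h); a scheduled recycle drops in-flight scans' }
    )

    $pool = Get-Item $poolPath
    foreach ($s in $desired) {
        # Walk the dotted path (e.g. recycling.periodicRestart.time) to the current value.
        $current = $pool
        foreach ($part in $s.Name.Split('.')) { $current = $current.$part }

        if ("$current" -eq "$($s.Value)") {
            Write-Verbose "$($s.Name) already $current"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$PoolName/$($s.Name)", "change $current -> $($s.Value): $($s.Why)")) {
            Set-ItemProperty -Path $poolPath -Name $s.Name -Value $s.Value
        }
    }
}

# Review first, then apply:
# Set-WsusPoolBestPractice -WhatIf
# Set-WsusPoolBestPractice -Verbose
```

Private memory limit 0 means unlimited; on a server that also hosts the site database you may prefer a fixed ceiling above the catalog size instead, which is why the reason string is printed with every change.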

F) Troubleshooting.

In some cases, if your WSUS database has never been cleaned up before and this is the first time you are doing it on a secondary or primary site, the scripts may fail with the following error because there are too many updates.

In my case, I had 23k plus updates in the WSUS database, so the script always failed to fetch the data.

Connecting to WSUS server localhost on Port 8530... Connected.
Getting a list of all updates... Failed to get updates.
Error: The operation has timed out
If this operation timed out, please decline the superseded updates from the WSUS Console manually.

I tried running the script a few times but could not get through, even after restarting the IIS and WSUS services.

If you are unable to decline the updates using the script, what other options do we have? Opening the WSUS console and declining the updates manually takes a lot of time.

A Microsoft support engineer posted SQL code to decline the updates directly in SUSDB.

  1. If you have not backed up your SUSDB database, back it up before continuing.
  2. Connect to SUSDB using SQL Server Management Studio.
  3. Execute the following query. The value 60 in the line "DECLARE @thresholdDays INT = 60" is a number of days and should match the number of months configured in the supersedence rule. If the supersedence behaviour is set to expire immediately, set @thresholdDays to zero.
  4. The SQL code posted in the support article needed some syntax corrections to get it working; the support article is in Japanese, so the syntax may have changed in translation.

-- Decline superseded updates in SUSDB; alternative to Decline-SupersededUpdatesWithExclusionPeriod.ps1
DECLARE @thresholdDays INT = 60 -- Superseded updates created within this many days are kept; older ones are declined. Match this to the supersedence rules in the SUP component properties if ConfigMgr is used with WSUS.
DECLARE @testRun BIT = 0 -- Set this to 1 to test: the updates are listed but nothing is declined.
-- There shouldn't be any need to modify anything after this line.

DECLARE @uid UNIQUEIDENTIFIER
DECLARE @title NVARCHAR(500)
DECLARE @date DATETIME
DECLARE @userName NVARCHAR(100) = SYSTEM_USER
DECLARE @count INT = 0

-- Latest revision of every superseded, not yet declined update older than the threshold
DECLARE DU CURSOR FOR
    SELECT MU.UpdateID, U.DefaultTitle, U.CreationDate FROM vwMinimalUpdate MU
    JOIN PUBLIC_VIEWS.vUpdate U ON MU.UpdateID = U.UpdateId
    WHERE MU.IsSuperseded = 1 AND MU.Declined = 0 AND MU.IsLatestRevision = 1
        AND MU.CreationDate < DATEADD(dd, -@thresholdDays, GETDATE())
    ORDER BY MU.CreationDate

PRINT 'Declining superseded updates older than ' + CONVERT(NVARCHAR(5), @thresholdDays) + ' days.' + CHAR(10)

OPEN DU
FETCH NEXT FROM DU INTO @uid, @title, @date
WHILE (@@FETCH_STATUS = 0)
BEGIN
    SET @count = @count + 1
    PRINT 'Declining update ' + CONVERT(NVARCHAR(50), @uid) + ' (Creation Date ' + CONVERT(NVARCHAR(50), @date) + ') - ' + @title + '...'
    IF @testRun = 0
        EXEC spDeclineUpdate @updateID = @uid, @adminName = @userName, @failIfReplica = 1
    FETCH NEXT FROM DU INTO @uid, @title, @date
END
CLOSE DU
DEALLOCATE DU

PRINT CHAR(10) + 'Attempted to decline ' + CONVERT(NVARCHAR(10), @count) + ' updates.'

To check progress, monitor the Messages tab in the Results pane.

Depending on the number of updates, it may take a long time. In my case it took ~15 min to decline around 10K updates.

Once the superseded updates are declined using SQL, go back to PowerShell and run the other script (Decline-OtherUpdates).

Hope you find this post useful.

The following references cover the WSUS maintenance solution in more depth:

https://support.microsoft.com/en-sg/help/4490644/complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maint

https://deploymentresearch.com/Research/Post/665/Fixing-WSUS-When-the-Best-Defense-is-a-Good-Offense

https://mnscug.org/blogs/sherry-kissinger/512-wsus-administration-wsuspool-web-config-settings-enforcement-via-configuration-items

https://home.configmgrftw.com/wsus-cleanup-for-configmgr/

https://damgoodadmin.com/2017/11/30/software-update-maintenance-its-a-thing-that-you-should-do/
