Monthly archives "June 2015"

Have a life outside of work? No problem for this month’s Intune release.

Joe Kuster

This month Microsoft focused on handling the blindingly obvious situation where users want to use both company and personal Microsoft accounts with the same Office apps. Multi-Identity support has been added for Word, PowerPoint and OneDrive (Finally!).

In other big news, Microsoft continues to make use of their purchase of Acompli and its subsequent rebranding as Outlook for iOS and Android. Standalone Intune now supports Outlook conditional access and MAM security rules (copy/paste protection, for instance). You could do this before with the Android or iOS wrapping tools, but it’s nice to have out-of-the-box support.

Additional updates include notifications in the Company Portal on iOS for new app versions, .appx app support for standalone, fixes for the issues in the last release of Endpoint Protection and some enhancements around malware reporting.

How to Easily Identify and Reinstall Software During Configuration Manager OS Refresh Task Sequence without MDT

Joe Kuster

So you’ve been asked to reinstall all applications for users for the sake of reducing user impact? What do you do? Is this a good idea? Read on:

One of the most commonly requested items that adds complexity to Operating System deployments is the topic of identifying and reinstalling applications. If MDT is in use, it supports Application Mapping, which must be configured, but is not always approachable by the novice. Should you go that route? Maybe. But what if MDT isn’t integrated or the Application Mapping is just a bit over your head? What I suggest below is simply one of the many ways of addressing this particular need.

But first:

As a best practice, a company should already have a baseline of applications provided for each unique role such as department or position and only deviate from that baseline where necessary, and ideally identify and automate those exceptions such as where special licensed software should be deployed. User deployments and self-service go a long way to making this an easier process. In reality, however, the situation is usually much less clear. Self-service isn’t always supported, there is an expectation of 100% deployment before the user receives a system, or the network simply may not handle deploying large apps to remote areas after the system is provisioned.

As a result, rather than spending the time to identify what the users should have, the decision makers often fall back on saying to re-install whatever the user had.

This approach presents many problems including:

  • It fails to consider updated versions or apply any nuance – Should the user receive the latest and greatest version of Java? What if it impacts their line-of-business apps? Are there combinations of applications that must run at a downgraded version? Should some departments receive newer versions than others? Can IT actually support the numerous versions being asked of them? All of this would require business analysis on what apps should be deployed by role. Without it, the option is to run obsolete and potentially insecure versions of software for the foreseeable future.
  • It’s a licensing headache – even if we can reinstall the application, carrying over a license key is often not supported and in some cases may not be allowed.
  • It’s a lot of work – Every version of every application must be identified and assessed for whether a substitution or reinstall is necessary, and those to be reinstalled must be packaged. This can be hundreds or thousands of hours of work.
  • It needs to be kept up to date – As new versions or applications are added, the automated process must also be updated.


Ok, enough opinion piece, let’s get to reinstalling applications.


  • An OS deployment refresh task sequence must already exist; we are simply adding a few steps to it. It’s OK if you need to format the disk, but we do need to run the task sequence from within a working version of Windows first, not WinPE.
  • All apps or packages that you want to reinstall must be packaged, deployed to your DPs and you must have some way of identifying systems that should have it reinstalled. If you don’t know how to do this, Configuration Manager supports WQL to identify applications or even includes an MSI parser in the task sequence to get the unique GUID for the installation detection.


After ensuring you are booted into the Windows OS (not PE), create a Set Task Sequence Variable step for each app you wish to reinstall:


Use a condition on that step that checks if the app is installed (WMI or the built-in installed app check).


When reinstalling apps after OS Deployment.
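
A scripted equivalent of the per-app detection step above, as an added example that is not from the original post: it looks up each MSI product code under the uninstall registry keys (rather than querying Win32_Product, which triggers an MSI consistency check of every installed product) and sets one task sequence variable per detected app. The app names, product codes and variable names are constructed placeholders.

```powershell
# Added example. App names, product codes and variable names are constructed
# placeholders; replace them with the values from your own packages.
$apps = @(
    @{ Name = 'ExampleViewer';  ProductCode = '{00000000-0000-0000-0000-000000000001}'; Variable = 'Reinstall_ExampleViewer' },
    @{ Name = 'ExampleLobTool'; ProductCode = '{00000000-0000-0000-0000-000000000002}'; Variable = 'Reinstall_ExampleLobTool' }
)

# MSI installs register under Uninstall\<ProductCode>; check both the native
# and the 32-bit (WOW6432Node) registry views.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Test-MsiInstalled {
    param([Parameter(Mandatory)][string]$ProductCode)
    foreach ($root in $uninstallRoots) {
        if (Test-Path -LiteralPath (Join-Path $root $ProductCode)) { return $true }
    }
    return $false
}

# The Microsoft.SMS.TSEnvironment COM object only exists while a task
# sequence is running; outside one, fall back to reporting only.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
} catch {
    Write-Warning 'Not running inside a task sequence; reporting only.'
    $tsenv = $null
}

foreach ($app in $apps) {
    $installed = Test-MsiInstalled -ProductCode $app.ProductCode
    Write-Output ('{0}: installed={1}' -f $app.Name, $installed)
    if ($installed -and $tsenv) {
        # Record the result so a later step can use the variable as its condition.
        $tsenv.Value($app.Variable) = 'True'
    }
}
```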


How to update your Apple Push Network Certificate for Intune

Joe Kuster

Note: This post assumes you’re like most of my clients and no longer have your Push certificate request file. If you are on Windows, you will likely need both IE and Chrome as Chrome no longer supports Silverlight, but IE does not support Apple’s JSON uploader.


  1. Log into with your Intune administrator credentials
  2. Navigate to Admin > iOS > Upload an APNs Certificate
  3. Download the APNs Certificate Request, leaving this tab open
  4. Log into with your Apple Push Network credentials 
    (Use Chrome – Apple’s page is not IE friendly on the upload portion)
  5. Click Renew on the corresponding certificate for your Intune tenant
  6. Provide the CSR
  7. The certificate has been renewed.
  8. Download the certificate
  9. Return to the Intune APN Certificate section and click Upload the APNs Certificate
  10. A confirmation page will be displayed

Azure AD Premium–Gartner Visionary Rating after only 10 Months

Joe Kuster

Since its initial release, I’ve been pretty sold on Azure AD Premium having the most complete vision for Hybrid Identity management, and it’s good to see that I’m not alone.

Gartner has released their Magic Quadrant for Identity and Access Management as a Service, Worldwide study and listed Microsoft Azure AD Premium in an incredibly strong position, especially considering the product has only been on the market for around 10 months.

Good job MS, keep it up.

Don’t Panic! Microsoft is changing Intune app deployment for Android

Joe Kuster

Fairly self-explanatory, but basically, yes, you’ll need to download the Company Portal to get apps for Android.

In September 2015, the Microsoft Intune Company Portal website will stop supporting app installation and management for Android devices that run versions 4.0 and later. Users that run an affected version must install the Company Portal app from Google Play to browse for, and install apps. Because the Company Portal app does not support Android versions earlier than 4.0, the Company Portal website will continue to provide app browsing and installation capabilities for Android versions 2.X and 3.X.