How to remove policy settings from a user/device managed by Intune

As you all know, Intune can deploy all kinds of settings and profiles (security settings, WiFi, certificate, mail and VPN profiles) to your users and devices. But what if you want to remove one of those settings/profiles?

Until now this hasn't been possible (except if you did a selective wipe/full wipe). With the updates delivered in the November and December releases of the Microsoft Intune backend, the policy will be removed when:

  • The user or device leaves the collection/group the policy was targeted to
  • The admin removes the deployment
  • The admin removes the policy itself

Note that this feature is available both if you use Microsoft Intune Standalone and if you use SCCM UDM with Intune.

As with all things we do with the device, we are dependent on the underlying management platform. Below you see what can be removed per platform.

Type of settings that can be removed on WP8.1 (there is no support for WP8):

  • Resource access profiles (WiFi, VPN, Email, Certificate etc.)
  • Configuration Items
  • Supported settings: all settings except roaming settings

The list of policies can also be found under "What happens when a policy is deleted, or no longer applicable".

To illustrate this, I have recorded a short video showing how it looks.

If you have any questions or feedback, please add them in the comments below.

Azure Active Directory now supports shared accounts

One of the features in Azure Active Directory is the ability to get Single Sign On (SSO) to over 2400 SaaS applications (the number of applications available in the marketplace as of 20141113). Last week the team released a new feature that lets you manage so called "shared accounts" in a much better/easier way.

  1. You can now add multiple accounts. For example, a marketing person might need access to multiple Twitter accounts.
  2. You can assign the application to a group instead of a user.

Let's see how this looks if you want to add multiple Twitter accounts.

  1. Sign into the Azure management portal.
  2. Under the Active Directory section, select your directory, then select the Applications tab.
  3. Click Add to add the first Twitter app/account.
  4. Select "Add an application from the gallery".
  5. Search for the Twitter app and then click Ok to select it.
  6. Click "Assign users".
  7. Select Groups and search for your group; when you find the one you want to use, click Assign.
  8. Select "I want to enter the credentials to be shared among all group members".
  9. You have now successfully assigned the first account, so let's add a second account.
  10. Select the Applications tab and click Add.
  11. Select "Add an application from the gallery".
  12. Search for the Twitter app and then click Ok to select it. Since this is the second Twitter app, you now get the option to name the app.
  13. Click "Assign users" and repeat steps 6-8 (except using a new group and another Twitter account).
  14. You have now successfully assigned two different Twitter accounts to two different groups. Let's see how this looks for an end user that is a member of both of the groups.
  15. Sign into the My Apps web portal (or use the native apps for iOS or Android). You will now see both of the Twitter accounts you have permission to use. Note that if you click on them you will be redirected to Twitter without the need to enter any password.

My Apps app is now available for both iOS and Android

To access the user self-service features in Azure Active Directory Premium, the user can use the web portal or the native apps. The first native app Microsoft released was for iOS, but last week the team released an Android version of My Apps.

Below you see some screenshots of how they look on different form factors and platforms.

Web portal

Samsung Galaxy S4

Nexus 7


Download My Apps from Apple Store

Download My Apps from Google Play

Read more about Azure Active Directory Premium (AADP)

Read more about the EMS Suite where AADP is included

Intune will power the new MDM feature in Office 365

Today at TechEd Europe, Microsoft announced a new feature in Office 365: built-in mobile device management for Office 365. What's cool about this is that you will actually be using the Intune backend, and if you want more features there will be an easy way to "upgrade" to Intune.

To get a better understanding on what will be included in the Office 365 SKUs and what will be included in EMS/Intune, please visit 

To see some of the features in action, below is a short video explaining them.


Which hotfixes should I apply to get the most of EMS

Hotfixes include, as we all know, fixes for things that don't work as expected, but they also sometimes include improvements, and this is why I decided to write this blog post. This list is nothing official; I will list the updates that will/can impact EMS products (stability and improvements).

Note! This post will be updated as soon as I find any new hotfixes. Last update: 2015-04-08.

System Center 2012 R2 + Intune (also called Intune UDM)

KB3026739 (CU4)
A lot of things, please look at the KB to see the whole list.
All CUs are cumulative, so all fixes that were in CU1, CU2 and CU3 are also included.
This update replaces Cumulative Update 3 for System Center 2012 R2 Configuration Manager.

In Microsoft System Center 2012 R2 Configuration Manager, when a user becomes a cloud-managed user, a settings policy may not target the assignment for the user.
The original fix for this was included in CU2 and CU3 but was broken by the installer process (the script was overwritten and the function reverted to its original state).
The effect of this is that users that are included in a collection will get the "fast download of policies", but any users added after applying CU2 or CU3 will not get the policies.
Note 1 – There is one version of the fix for a CU2 installation and one for CU3.
Note 2 – If you installed the CU2 version and then install CU3, you need to install the CU3 version of this fix.
Note 3 – After installing the hotfix, please run the script (which you can copy from the KB); this script will fix all existing deployments.
This update is included in CU4.

Greatly reduces the time that's required to execute a successful retire or wipe of a Mobile Device Management (MDM) device. These operations now run on the device in a matter of seconds, assuming the device is reachable by Windows Intune.
To apply this hotfix, you must have Cumulative Update 3.
This update is included in CU4.

KB2994331 (CU3)
A lot of things, please look at the KB to see the whole list.
All CUs are cumulative, so all fixes that were in CU1 and CU2 are also included.
This update replaces Cumulative Update 2 for System Center 2012 R2 Configuration Manager.

KB2970177 (CU2)
The main improvement in this update is speed. If you have been working with device enrollment, you have probably noticed that it can take a while for the device to receive all the profiles/policies you deployed to it. With CU2 for SCCM 2012 R2 and the May update for the Intune backend, this has been improved a lot.
See for more information and a step-by-step guide on how to install it.
This update replaces Cumulative Update 1 for System Center 2012 R2 Configuration Manager.

Enrolling an Android device in both Exchange Active Sync (EAS) and Mobile Device Management causes a duplicate device to be created in the Administrator Console.

Windows Server 2012 R2 WAP Server role

Large URI request in Web Application Proxy fails in Windows Server 2012 R2.
For more information on how to use WAP in front of an NDES server, see Pieter Wigleven's blog. Note that this is still a "private" fix and you need to call support to get it (no cost). This hotfix is now included in the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Windows Server – ADFS

Issues where iOS devices can logon to Company Portal.
Several issues after updating ADFS servers that have security update 2843638 or 2843639 installed in Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

A lot of things for ADFS 2.0, please look at the KB to see the whole list.
Note that this update is only for ADFS 2.0 servers.
2607496 Description of Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0
2681584 Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0

Windows Server 2008 R2 CA Server role

Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES.
This update is only needed if you want to implement certificate deployment with SCEP and your CA is running on Windows Server 2008 R2.
If possible, I would recommend upgrading to a newer server OS.

CU2 for SCCM 2012 R2 is now released–Does it improve/impact Intune customers?

The CU2 update for System Center Configuration Manager 2012 R2 was just released. As with all CUs, it includes both fixes and improvements. With this blog post I want to highlight the things that are included in CU2 and will improve/impact Intune customers.

If you read KB2970177 you will see the following:

Mobile device management / Intune
  • Policies that apply to devices that are used together with Windows Intune may take 10 minutes or more to apply. Additionally, policies that are created before enrollment may not appear on the new device.
  • The Policy Request and Management Point fields for mobile devices may be missing from the Client Activity Details tab on the summary page for a given device.

Besides the two bug fixes, it also includes one other major thing: speed. If you have been working with device enrollment, you have probably noticed that it can take a while for the device to receive all the profiles/policies you deployed to it. With CU2 for SCCM 2012 R2 and the May update for the Intune backend, this has been improved a lot.

So, if you use policies and profiles targeted to user collections, they will be delivered to the user's devices immediately after enrolling the devices.

To start benefiting from this feature, install SCCM 2012 R2 CU2 and test an enrollment. Below you see a demonstration of the steps and the result.

  1. Install SCCM 2012 CU2

  2. Verify that your profiles/policies are deployed to a user collection

  3. Enroll a device and validate that the profiles/policies are deployed immediately

Important links from the videos:

Update 1 – If you have an existing SCEP profile you need to "manually" update it so it can be deployed during enrollment. The easiest way is to open the profile and change the name; any other "cosmetic" change will also work. This adds a new revision of the profile, and it will now work. Note that SCEP profiles added after you applied CU2 are not affected by this issue.

Windows Intune + Samsung KNOX = True

Last week Samsung announced that Samsung KNOX will support Windows Intune. Besides this, they also announced that they will add "Workplace Join" functionality to Samsung Android devices, so they will be able to workplace join an Active Directory (this can be done on iOS and Windows 8.x today).

This is very good news for all Windows Intune customers that use Samsung Android devices; I am really looking forward to the update.

Read the full Samsung Press Release

What’s new in the Jan/Feb 2014 Intune update

The Jan/Feb 2014 update to Windows Intune has now been out for a couple of weeks. This was the first update that was released through the SCCM "Extensions for Windows Intune".


So, what did the update actually include?

  • Ability for the administrator to configure email profiles, which can automatically configure the device (iOS and WP8) with the appropriate email server information and related policies, as well as the ability to remove the profile along with the email itself via a remote wipe if needed (iOS only).
  • Support for new configuration settings in iOS 7, including the "Managed open in" capability to protect corporate data by controlling which apps and accounts are used to open documents and attachments, and disabling the fingerprint unlock feature.
  • Ability for the administrator to remotely lock the device if it is lost or stolen, and reset the password if the user forgets it (as of now, this feature only exists in the Intune standalone cloud service).

If you would like to see a good demo of some of the new features, please look at the interview on Channel9 with Martin Booth.

Updated version of the Support Tool for Windows Intune Trial Management of Windows Phone 8 is now available

Today a revision of the Support Tool for Windows Intune Trial Management of Windows Phone 8 has been released. This tool lets Microsoft System Center 2012 Configuration Manager admins and Windows Intune standalone admins try out Windows Phone 8 enrollment and software distribution scenarios during the trial period.

The new revisions include:

· The new Windows Intune Company Portal for Windows Phone 8 released on Oct 18.

· A bug fix to address the 'UBound' error in the VBScript. [This script is needed only for Configuration Manager and not Intune standalone]

Download Support Tool for Windows Intune Trial Management of Windows Phone 8