Categories
Azure Intune / MEM

Dynamic AAD groups not syncing

If you use the group membership feature in dynamic AAD groups (still in preview), make sure you stay on top of which groups you delete. If you delete a group that is part of the dynamic membership rule, the dynamic group will stop updating.

Remove the deleted group from the membership rule evaluation to fix the issue.

Categories
Powershell SCCM / MECM

Patch BitLocker bypass security vulnerability

Microsoft has released a patch (KB5025175) to address CVE-2022-41099. This patch consists of a PowerShell script that is to be used in conjunction with the latest Windows Safe OS Dynamic Update for your architecture and Windows version.

Many are annoyed that Microsoft released a PowerShell script instead of an actual Windows Update to fix this vulnerability. The patch can be easily applied via Config Manager (and also Intune). Here’s the quick and dirty way to deploy the fix. For simplicity’s sake, we will push this out as a program (package).

Copy the PowerShell script and Windows Safe OS Dynamic Update to your content share.

In MECM, create a package with a standard program, with the source files pointing to the folder you copied the script and the Dynamic Update file to.

Name the program Install and use the command line below. Your packagePath will differ depending on the name of the Dynamic Update file you placed in your source folder alongside the PowerShell script.

 "%Windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command .\PatchWinREScript_2004plus.ps1 -packagePath "windows10.0-kb5021043-x64_efa19d2d431c5e782a59daaf2d.cab"

Estimated disk space should be 250MB and max run time 30 minutes.


Distribute the content and deploy the program to machines. Remember the Dynamic Update is specific to the running OS version, so make sure you’re deploying to applicable machines.

Categories
Notice

Modern Desktop Administrator Associate Renewal

Categories
Intune / MEM SCCM / MECM

Revoked workloads

Background

Approximately a year before the pandemic started, I worked with Microsoft FastTrack to set up my organization’s Intune environment and co-management for our laptops. This went well and functioned as expected in my testing. I soon started asking my higher-ups if we could work on migrating group policies to configuration profiles and start utilizing Intune capabilities. There was no interest and Intune fell by the wayside, besides me using it to deploy required apps.

Fast forward to COVID-19. No always-on VPN, no cloud management gateway, but we did have a neglected Intune environment. There was one problem: devices had their Intune workloads revoked. This was an undocumented result of Configuration Manager clients not communicating with SCCM for a while. I convinced management that a cloud management gateway was much needed during these times. After our cloud management gateway was set up and working, we needed to get the co-managed clients talking to their management point again. They don’t know about the new CMG of course, and with Intune workloads being revoked, the only function that still worked in Intune was... PowerShell scripts. 😃

Solution

To get the endpoints functioning again, the Intune workloads need to be reset and the SCCM client redeployed with the CCMHostname property and the certificates. Deploy the new SCCM client app first, so the endpoint installs it right after the workloads are reset.

To reset the workloads via Intune, deploy a PowerShell script that changes the flag value in the registry and restarts Intune’s service. The value is the sum of the Intune workload values listed in the tables below.

# Write the summed workload value, then restart the Intune Management Extension so it picks it up
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\CCM -Name CoManagementFlags -Value 111
Restart-Service IntuneManagementExtension -Force

Current (Configuration Manager 2111 and later)

Capability   Workload
8193         All Workloads with SCCM
2            Compliance Policies
4            Resource Access Policies
8            Device Configuration
16           Windows Update Policies
4128         Endpoint Protection
64           Client Apps
128          Office Click-to-Run Apps

Legacy (Configuration Manager 2107 and previous)

Capability   Workload
1            All Workloads with SCCM
2            Compliance Policies
4            Resource Access Policies
8            Device Configuration
16           Windows Update Policies
32           Endpoint Protection
64           Client Apps
128          Office Click-to-Run Apps

If you want to verify whether the endpoint has been configured for the CMG, look in the registry for the CMGFQDN value under the HKLM:\Software\Microsoft\CCM key.
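As an added example (my own code, not the post’s script), the PowerShell below composes a CoManagementFlags value from workload names and decodes an existing value back into names, using both value tables above; the function names and the Schema parameter are my own naming, and the Reset function needs an elevated session on a machine with the ConfigMgr client.

```powershell
# Added example (not the post's script): compose and decode the CoManagementFlags bitmask
# using the workload values from the two tables above. Function names are assumptions.
$CoMgmtWorkloads = @{
    Current = @{ AllWorkloads = 8193; CompliancePolicies = 2; ResourceAccess = 4; DeviceConfiguration = 8;
                 WindowsUpdate = 16; EndpointProtection = 4128; ClientApps = 64; OfficeClickToRun = 128 }
    Legacy  = @{ AllWorkloads = 1;    CompliancePolicies = 2; ResourceAccess = 4; DeviceConfiguration = 8;
                 WindowsUpdate = 16; EndpointProtection = 32;   ClientApps = 64; OfficeClickToRun = 128 }
}
function New-CoManagementFlags {
    # Bitwise-OR the selected workloads into the value that gets written to CoManagementFlags.
    param(
        [Parameter(Mandatory)][string[]]$Workload,
        [ValidateSet('Current', 'Legacy')][string]$Schema = 'Current'
    )
    $flags = 0
    foreach ($name in $Workload) {
        if (-not $CoMgmtWorkloads[$Schema].ContainsKey($name)) { throw "Unknown workload '$name'" }
        $flags = $flags -bor $CoMgmtWorkloads[$Schema][$name]
    }
    return $flags
}
function Get-CoManagementWorkload {
    # Decode an existing CoManagementFlags value (for example one read from the registry) into names.
    param(
        [Parameter(Mandatory)][int]$Value,
        [ValidateSet('Current', 'Legacy')][string]$Schema = 'Current'
    )
    $table = $CoMgmtWorkloads[$Schema]
    return @($table.Keys | Where-Object { ($Value -band $table[$_]) -eq $table[$_] } | Sort-Object)
}
function Reset-CoManagementFlags {
    # Write the value and restart the Intune Management Extension, as the post's script does.
    # -WhatIf previews the change without touching the registry; requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Value)
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM'
    $before = (Get-ItemProperty -Path $key -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
    if ($PSCmdlet.ShouldProcess($key, "Set CoManagementFlags from '$before' to $Value")) {
        Set-ItemProperty -Path $key -Name CoManagementFlags -Value $Value
        Restart-Service -Name IntuneManagementExtension -Force
    }
}
# The post's value, 111, is the legacy-schema sum of these six workloads (Windows Update and
# Office Click-to-Run, 16 and 128, are the ones left out).
$legacy111 = 'AllWorkloads', 'CompliancePolicies', 'ResourceAccess', 'DeviceConfiguration', 'EndpointProtection', 'ClientApps'
$v = New-CoManagementFlags -Schema Legacy -Workload $legacy111
Get-CoManagementWorkload -Value $v -Schema Legacy
Reset-CoManagementFlags -Value $v -WhatIf
```

Decoding a value with the wrong schema gives misleading names (32 versus 4128 for Endpoint Protection), so pick the schema that matches the client version before interpreting what a device reports.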

Categories
Notice

Return

I WILL NOT re-post topics from my previous blog. Let’s start fresh.

Also, I’ve learned my lessons about using super cheap hosting :-). You get what you pay for, and sometimes you don’t even get that.