Microsoft Intune – Things to remember before you use new Azure integrated Intune

As you may already know that Microsoft decided and moved from Classic Intune to Azure integrated Intune.  There are few things that needs to considered before you decide to use Azure integrated Intune for patch management.

  • The app groups that are created in Classic intune are being migrated to Azure integrated Intune.  These groups cannot be used in Classic intune anymore.  If you would like to patch the workstations with the existing group or create a new groups, it wont work – Microsoft acknowledged this as bug and awaiting resolution (This has been resolved now)
  • If there is a policy that exists in the Classic portal and you are using Azure integrated intune, and has a software update ring, then there might be a policy conflict.  Make sure the Classic Intune are removed.
  • Classic Intune can only manage the devices using Intune management agent.  Azure integrated Intune can manage the devices only if the device is enrolled as Mobile Device.  If the agent is present in the workstations, it cant be enrolled as mobile device.  So first thing you should do is to remove the Agent.
  • If the Agent is present in the workstation it cant be enrolled to new Azure integrated Intune.  You have to uninstall the agent, you can use https://gallery.technet.microsoft.com/Uninstall-the-Intune-b42111d1.  This will create a Schedule Tasks.  It may take about 5 to 10 mins.  It uses ProvisioningUtil.exe located under C:\Program Files\Microsoft\OnlineManagement\Common.  If you have custom installation path or if the exe doesn’t exist, then you might need to install the Agent again and run this script again.
  • If you are planning to migrate to Azure integrated Intune from Classic Intune, make sure the device is not listed in the Classic portal.  If the device is visible, then before enrolling, make sure the workstation entry is removed from the Classic portal.  Sometimes you may see entries in both the portal, In that case, you have to remove the device from both the portal, and re-enroll.
  • Finally, version upgrade of windows 10 is not straight forward.

Hope this helps

VJ

Spectre – Vulnerabilities

Recently Google Project Zero team has identified a vulnerabilities on CPU that is affecting all AMD, Intel and ARM Processors.

The variants of the issue identified so far,

Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)

The entire Azure / Office 365 platform from Microsoft is being patched and rebooted as a matter of priority to resolve this problem.  You might have already got notification to do a redeploy at your convenience or MS would have forced it last week.

To take care of the on-prem infrastructure, MS has released patches

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

No patches will be available for Windows XP, Vista, 2000, 2003 etc.

These patches only mitigate the exposure of vulnerability but not resolve.  You MUST update your infrastructure as soon as possible and also check for any manufacture update like BIOS or driver updates

*Google Chrome, IE, Firefox also got some updates last week to handle this vulnerabilities.

Hope this information was useful.

VJ