Tuesday, 22 November 2016

Microsoft Intune - enterprise enrollment CNAME best practice

I was asked this question recently and I didn't know the answer so I did some research.

What is the correct DNS CNAME record to configure for Enterprise Enrollment of mobile devices with Intune?

First, I should explain that this CNAME is only required if you are enrolling Windows devices. It is not required for iOS and Android. Windows uses the record to discover the enrollment server from the domain part of the user's sign-in address (the UPN suffix), which is why it has to live in the public DNS zone for that domain.

There are three options:
  1. Redirect enterpriseenrollment.yourdomain.com to manage.microsoft.com
  2. Redirect enterpriseenrollment-s.yourdomain.com to manage.microsoft.com
  3. Don't configure a CNAME at all
So this is the scoop on the three options:
  1. This is a throwback to the early stages of this technology. It still works but is now deemed less secure and is not recommended by Microsoft. You will still find it referenced on many online blog posts simply because they have not been updated.
  2. This is now the recommended configuration. It uses a secure channel (hence the -s).
  3. This also works but means the user has to enter "manage.microsoft.com" as the server name during the enrollment process. This would be second in order of preference.

Edit Feb 1st 2017:

manage.microsoft.com is being deprecated on Feb 11th 2017 and will no longer work for enrolling Windows devices.

You should create a CNAME in DNS that redirects EnterpriseEnrollment.yourdomain.com to EnterpriseEnrollment-s.manage.microsoft.com.

You can see this information in the official docs
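As an added example (not part of the original post), here is how to apply and verify the corrected record on a Windows DNS server with the DnsServer module. It assumes the public zone is hosted on Windows DNS (if your public zone lives with another provider, create the same CNAME there), that you run it with DNS admin rights, and that yourdomain.com is a placeholder for your users' UPN suffix. If it finds the legacy manage.microsoft.com target it replaces it.

```powershell
# Added example, not from the original post. Creates or repairs the Intune
# enrollment CNAME on a Windows DNS server and checks what a resolver sees.
# Assumptions: DnsServer module available (DNS role or RSAT), DNS admin rights,
# and "yourdomain.com" standing in for your users' UPN suffix.

$ZoneName  = 'yourdomain.com'
$Record    = 'enterpriseenrollment'                        # the client asks for enterpriseenrollment.<UPN suffix>
$NewTarget = 'enterpriseenrollment-s.manage.microsoft.com' # current recommended target
$Ttl       = New-TimeSpan -Hours 1

# Look at what is published today.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Record -RRType CName -ErrorAction SilentlyContinue

if ($existing) {
    # A name can only carry one CNAME, so take the first record if more are returned.
    $currentTarget = @($existing)[0].RecordData.HostNameAlias.TrimEnd('.')

    if ($currentTarget -ieq $NewTarget) {
        "CNAME already points at $NewTarget; nothing to do."
    } else {
        "CNAME points at $currentTarget (legacy or wrong). Replacing with $NewTarget."
        # Remove the old alias and add the new one rather than editing in place.
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $Record -RRType CName -Force
        Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $Record -HostNameAlias $NewTarget -TimeToLive $Ttl
    }
} else {
    "No CNAME found. Creating $Record.$ZoneName -> $NewTarget."
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $Record -HostNameAlias $NewTarget -TimeToLive $Ttl
}

# Verify from the resolver's point of view, which is what an enrolling device does.
Resolve-DnsName -Name "$Record.$ZoneName" -Type CNAME | Select-Object Name, Type, NameHost
```

Run the final Resolve-DnsName from a client on the network the devices will enrol from, not only on the DNS server itself, so that caching and split-brain DNS do not hide a stale answer.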

I hope this clears up any confusion. Until next time.......

Monday, 21 November 2016

Microsoft are listening to feedback?? - my experience

My favourite part of being in the MVP Program is being able to provide feedback directly to the product group. The cynical view is that they just don't listen so there is no point in providing feedback. However this is simply not the case. I have a little story I would like to share.

Last year I deployed an Intune Proof of Concept for one of my customers. We carried out intensive testing of the various elements, one of which was mobile application management. We created MAM policies to restrict the integration between managed and unmanaged apps. This worked very well and data could not be transferred between managed and unmanaged apps. Unfortunately, it worked a little too well. If I clicked on a telephone number in Outlook or the managed browser I was unable to launch the phone dialer app on the device (as it was unmanaged) and I couldn't make a phone call. This just didn't make sense to me.

I filed a DCR (design change request) on Microsoft Connect (you will need a Microsoft Live ID to access this) to allow special access to specific unmanaged apps (e.g. the phone dialer).


"While using Intune Managed Applications it would be good if users could integrate with specific device components eg phone dialer. Users should be able to make a telephone call by selecting the number in the Managed App. They currently can't - I've tested it. The operation is not permitted".

The DCR was actioned and closed. I'm pleased to say that ALL MAM-aware Office apps and the Intune Managed Browser (for both iOS and Android) have now been updated to incorporate this request. I've just successfully tested with Outlook and Managed Browser.

If a feature doesn't make sense to you or doesn't work the way you think it should then let Microsoft know. The products will only improve with user feedback.

For bugs use Microsoft Connect:


For feature suggestions use UserVoice.

ConfigMgr CB 1610 delivers features I've been waiting for

System Center Configuration Manager Current Branch 1610 was released on 18th November. You must opt in to the fast ring to see 1610 in the ConfigMgr console early. Full details can be found here

Many new features are available such as:
  • Windows 10 Upgrade Analytics
  • Office 365 Servicing Dashboard and app deployment
  • Software Updates Compliance Dashboard
  • Cloud Management Gateway
  • Client Peer Cache
  • Enhancements in Software Center
  • New remote control features
However I've been looking at the less publicized enhancements. In particular there are two very simple improvements that I have been waiting for.

1. Windows Store for Business integration

I previously published a blog post on configuring native integration with ConfigMgr and Windows Store for Business. You can read that here

This feature was delivered as "pre-release" in 1606. It was very useful but a little limited in terms of troubleshooting. Synchronization failed in my lab environment and I couldn't do anything about it.

WsfbSyncWorker.log file displayed the synchronization error.

However I was very limited in what I could do in the console. I could only view the Properties of the WSfB account, and everything was grayed out. This wasn't that helpful. Kim Oppalfens figured out a way to remove the account using WMI but I'm pretty sure that it wouldn't be supported.
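When the console gives you nothing to work with, the log is all you have. As an added example (not from the original post), here is a small parser for the CMTrace-style lines that ConfigMgr logs such as WsfbSyncWorker.log use, pulling out the warning and error entries. The sample lines are constructed for this example and are not real WsfbSyncWorker.log output; the message text is made up.

```powershell
# Added example, not from the original post. Parses CMTrace-format log lines
# (<![LOG[message]LOG]!><time=... date=... component=... type=...>) and lists
# the warnings and errors. In this format type 1 is informational, 2 is a
# warning and 3 is an error. The sample below is constructed for illustration.

$sampleLog = @'
<![LOG[Starting Windows Store for Business sync]LOG]!><time="10:01:02.123+000" date="11-19-2016" component="WsfbSyncWorker" context="" type="1" thread="1234" file="wsfbsyncworker.cpp:100">
<![LOG[Requesting token for WSfB account]LOG]!><time="10:01:03.456+000" date="11-19-2016" component="WsfbSyncWorker" context="" type="1" thread="1234" file="wsfbsyncworker.cpp:120">
<![LOG[Sync failed: token request returned an error (constructed message)]LOG]!><time="10:01:05.789+000" date="11-19-2016" component="WsfbSyncWorker" context="" type="3" thread="1234" file="wsfbsyncworker.cpp:140">
<![LOG[Retrying in 60 minutes]LOG]!><time="10:01:05.800+000" date="11-19-2016" component="WsfbSyncWorker" context="" type="2" thread="1234" file="wsfbsyncworker.cpp:150">
'@

$severityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMTraceLog {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Line
    )
    process {
        # One entry per line; lines that do not match (e.g. message spill-over) are skipped.
        $pattern = '^<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)" date="(?<Date>[^"]+)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)" thread="(?<Thread>\d+)" file="(?<File>[^"]*)">'
        if ($Line -match $pattern) {
            $sev = $severityNames[$Matches.Type]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches.Date
                Time      = $Matches.Time
                Component = $Matches.Component
                Severity  = $sev
                Thread    = [int]$Matches.Thread
                Message   = $Matches.Message
            }
        }
    }
}

# Parse the embedded sample. For the real thing, replace $sampleLog with
# Get-Content of WsfbSyncWorker.log from the site server's Logs folder.
$entries = $sampleLog -split "`r?`n" | Where-Object { $_ } | ConvertFrom-CMTraceLog

$entries |
    Where-Object { $_.Severity -in 'Error', 'Warning' } |
    Format-Table Date, Time, Severity, Message -AutoSize
```

CMTrace itself will highlight the same entries in red and yellow, but the parser is handy when you want to grep a batch of logs or feed the errors into a ticket rather than scroll through them by hand.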

Enhancements have been added in 1610.

Now we can easily delete the account and add a new one.

We can also edit the account settings.

I've now been able to fix my synchronization problem.

2. Send a Sync Request to Intune enrolled device

Previously synchronization had to be initiated using the Intune Company Portal on the mobile device itself.

Now we can send a sync request to the device directly from the ConfigMgr console. This is a huge improvement. We no longer have to guide users to do this for themselves.

Until next time.......