
Wednesday, August 30, 2017

Configure BitLocker on Intune Enrolled Windows 10 Devices

BitLocker can be managed in several ways in the enterprise. GPOs, MBAM and ConfigMgr are the most common methods. But what if you don't have a Microsoft EA to bring in MBAM, or you have Windows 10 Professional devices? And what if you have mobile Windows 10 devices that are not joined to AD DS? To overcome these issues, BitLocker can be managed through Microsoft Intune and Azure AD. Keep in mind, though, that this method does not provide the same functionality as MBAM. At the end of this post I will describe the limitations of this method.

Following are the steps to configure BitLocker through Intune and AAD. I have tested this on an Azure AD joined Windows 10 (1703) machine that is directly enrolled in Intune as MDM.


Thursday, August 17, 2017

Block Apps on Intune Enrolled Samsung Devices through OMA-URI Settings

Recently one of our customers had a requirement to use Samsung Galaxy Tabs as kiosk devices. These are shared devices, enrolled in Intune using a Device Enrollment Manager (DEM) account, and are only used to run a specific LOB application.

The issue that we faced was that this specific tab model, the Samsung Galaxy Tab E 9.6 (SM-T561), does not have full KNOX capability baked into the OS. Simply put, there's no KNOX version information in Settings > About device. Because of this, none of the KNOX-required policies worked on the device, because Intune requires Samsung KNOX capable devices.

Since the "Kiosk policy" didn't work on this device, the only method to achieve this was to block apps from running through OMA-URI settings.

Wednesday, July 12, 2017

Deploy ADMX-Backed Policies to Intune Managed Windows 10 Device

In the past, Intune was only able to deploy a given set of device configuration policies. So, if a company had Intune managed Windows devices, they missed the good old Group Policy functionality. Fortunately, starting with Windows 10 version 1703 (= Creators Update) and the new MDM capabilities, it is now possible to deploy certain ADMX based group policies (ADMX-backed policies) to Intune managed devices with the aid of Policy CSP.

Sunday, June 11, 2017

Protect Corporate Apps & Data on devices with Intune Mobile Application Management (MAM) – Using Intune in Azure Portal

Mobile Application Management or simply MAM is a great feature that comes with Enterprise Mobility + Security suite. It helps to protect corporate apps and data by enforcing configurable policies. MAM policies can be deployed to employee-owned unmanaged devices, devices that are enrolled in Intune and devices managed by a third-party mobile device management (MDM) solution.
This article describes how to configure MAM policies on Android devices that are enrolled in Intune.

For this guide I am using a device which is enrolled in Intune.


Tuesday, April 25, 2017

Upgrade to Internet Explorer 11 using System Center Configuration Manager - An Alternative Way

Recently one of our customers wanted to upgrade their Internet Explorer version to 11 on Windows 7 machines, since Microsoft stopped support for versions below Internet Explorer 11 a long time ago.

For the upgrade, the most used methods are:

1. Task Sequence.
2. IEAK - Internet Explorer Administration Kit.

Of the above two, the task sequence was the preferred method because it can deploy the prerequisites first and then deploy Internet Explorer 11, and it can also control restarts.

IEAK does not have a high success rate.

But for me both of the above methods didn't work as they should. The task sequence gave errors.

So I used this method: