Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V



Microsoft Intune enrollment on Android for end users

All Android is not the same

First, let me start off by saying that almost all Android phones differ when it comes to enrollment. These screenshots are taken on a Sony device. The most complicated part with Android is that the end user has to fix the compliance settings themselves.

How good are your users?

For example, as seen here, the end user needs to set the PIN code themselves to be compliant. Make sure that your users can do this themselves before you start.

Picture by picture guide

Here is how you, as an end user, will experience Intune in your organization.






If you are an IT admin, check out this guide on what it looks like for you in the Intune Portal.

Microsoft Intune Enrollment of Android for IT Admin

Step 1: Enrollment

Once an end user has enrolled an Android device, it will shortly show up in the Intune portal.

Step 2: Verify status in Intune

This is what a healthy device should look like in the Intune Portal:


This device is healthy and should have access to email and does not need attention.


If you need device info, the Intune MDM agent will pull information from the device and display some of it here in the General info tab, just to the right of the health status.


Just some of the info pulled from Intune



There are many different Android phones out there. They all provide info to Intune MDM differently. Here Sony is not able to convey the OS name correctly to Intune.

Not all Android phones report the OS correctly


In the device list you can see and sort the list of devices by most of the general information fields.


Sort and find your device


When the end user enrolled this Sony Android device, he was prompted to assign his device to a group himself. This group is displayed here. I have named this group myself in the Intune portal. You could name it anything other than Personal if you want to.


Device Group Mapping


Management channel should be set to Intune, or Intune and EAS, when your device is enrolled. We should also see the Compliant status. If it is not compliant, check your compliance policies in the Intune policy tab, or make sure that you have made the device compliant, e.g. by enabling PIN, encryption or screen lock.


If your device is not compliant, it will be blocked from Exchange when Conditional Access is enabled.


Intune upgrading or removing the Exchange Connector

So, what would happen if you upgrade from the on-premises Exchange Connector, or simply remove the Exchange Connector in Intune?

Here in this blog post I remove the Exchange Online connector and test what happens on an iPad that is enrolled with Intune.

The user account has Conditional Access on Exchange Online enabled.

Conditional Access enabled


Enrolled the device with Intune and checked in the Intune Management Portal that the device was registered and active.


I now delete the Exchange Connection to see what happens on the iPad for the end-user.



Connection Deleted.

-> With the connection deleted you can still send and receive mail from any device without any Conditional Access. As long as you enter the login credentials into any mail app, it works.

Removed the device from the Company Portal app and severed the Intune connection. There is no Conditional Access, so you can still send and receive mail.

Then add the Exchange connector again, and now my device should be blocked, since Conditional Access prevents non-enrolled devices from reading mail.


Nothing will happen until the service has synced with Exchange, so click the “Run Fast Sync” button.


A prompt will appear, just close it.

Exchange Conditional Access will now apply to all accounts again. If you have a device which is approved in Intune, no action is required. If it is not enrolled in Intune, you will have to enroll it.

After some hours, when Exchange has discovered that this device is not enrolled anymore, it will also block mail. This takes about two hours.

Exchange Conditional Access on existing mailbox
Notice the top email asking for re-enrollment.

Background: The Exchange Connector sends PowerShell cmdlets to the Exchange server. In Azure AD, Microsoft saves the ActiveSync ID together with the ID of the object or device. This enables our service to block or allow certain devices from reading email. The comprehensive overview of what the connector does can be found here:

Microsoft Intune Company Portal Enrollment on iPad for end-users

Here is a complete set of screenshots showing what the end user will have to see and do in order to enroll an iOS device into Intune.


Conditional Access prevents exchange online sync before enrollment



Conditional Access Behavior on Outlook 2016

If you enable Conditional Access in Intune, your devices will have to be enrolled with Intune in order to read mail. If they are not enrolled, or are otherwise not compliant, they will be blocked.

You can relax these requirements as you see fit, but that would somewhat defeat the purpose.

This is how Outlook behaves

1 - Autodiscover
Add your account as usual.
2 - Modern auth prompt
Modern Auth prompt.
4 - Conditional access required
Conditional Access checkpoint.

This user will not be allowed to complete the mail setup.
Note that you have to enable ADAL on Exchange Online and use Outlook 2013-2016 with ADAL in order for this to work. Click here to see how to set up Exchange Online with ADAL.

How to enroll your Windows 10 machine in Intune to get mail back?

Click here for the MDM enrollment instructions without Azure AD join, or here for the MDM enrollment instructions with Azure AD join.

Deploy Office 2016 ProPlus from Office 365 with Microsoft Intune

You can use the Microsoft Intune agent to silently distribute and deploy the Office 2016 ProPlus bits to any Windows PC you manage with the agent.

Here is what you do:

  1. Download the Office Deployment Toolkit.
  2. Install it and you get two files: Setup.exe and Configuration.xml.
  3. Configure Configuration.xml with something like this (32-bit, Current branch, O365ProPlusRetail in en-us, silent install with the EULA accepted):

     <Configuration>
       <Add OfficeClientEdition="32" Branch="Current">
         <Product ID="O365ProPlusRetail">
           <Language ID="en-us" />
         </Product>
       </Add>
       <Display Level="None" AcceptEULA="True" />
     </Configuration>

  4. Upload the exe file and select to include the other files in the folder.
  5. Add the command line argument /configure configuration.xml.
  6. Deploy the software to the target groups.
  7. Make sure that your computer is in that target group.
  8. Wait for Office to install.
Magic will happen on the client device. The device must be logged in as an Administrator for this to work.
Get all files
Wi-Fi activity (system)
During installation the Wi-Fi starts working in the background.
Resource manager: Office Click-to-Run
You can see that Office Click-to-Run is running in the background.
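As an added example (not code from the original post, and not part of Microsoft's Office Deployment Tool), here is a PowerShell wrapper that writes the configuration above to disk, checks it before use, runs the same setup.exe /configure command, and hands the installer's exit code back to the Intune agent. It assumes Setup.exe from the Office Deployment Toolkit sits in the same folder as the script; the function names Test-OdtConfiguration and Install-OfficeProPlus are chosen for this example.

```powershell
# Added example, not part of the original post. Assumes Setup.exe from the
# Office Deployment Toolkit is in the same folder as this script.
$ErrorActionPreference = 'Stop'

# Same settings as the snippet in the post: 32-bit, Current branch,
# O365ProPlusRetail in en-us, silent install with the EULA accepted.
$configXml = @'
<Configuration>
  <Add OfficeClientEdition="32" Branch="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="True" />
</Configuration>
'@

function Test-OdtConfiguration {
    # Returns $true when the XML is well-formed and suitable for an unattended
    # install; throws with a reason otherwise. (Name chosen for this example.)
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml   # throws on malformed XML, before setup.exe ever sees it

    $display = $doc.Configuration.Display
    if ($null -eq $display) { throw 'Missing <Display> element' }
    if ($display.Level -ne 'None') {
        throw "Display Level must be None for a silent install (got '$($display.Level)')"
    }
    if ($display.AcceptEULA -ne 'True') {
        throw 'AcceptEULA must be True, or setup.exe waits on a dialog nobody can see'
    }

    # Each <Add> needs at least one product, and each product a language.
    foreach ($add in @($doc.Configuration.Add)) {
        if (-not $add.Product) { throw 'An <Add> element has no <Product>' }
        foreach ($product in @($add.Product)) {
            if (-not $product.Language) { throw "Product '$($product.ID)' has no <Language>" }
        }
    }
    return $true
}

function Install-OfficeProPlus {
    # Writes Configuration.xml next to Setup.exe, runs the installer silently
    # and returns its exit code. (Name chosen for this example.)
    param(
        [string]$WorkingDir = $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }),
        [string]$ConfigName = 'Configuration.xml'
    )
    $setup = Join-Path $WorkingDir 'Setup.exe'
    if (-not (Test-Path $setup)) { throw "Setup.exe not found in $WorkingDir" }

    Test-OdtConfiguration -Xml $configXml | Out-Null
    $configPath = Join-Path $WorkingDir $ConfigName
    Set-Content -Path $configPath -Value $configXml -Encoding UTF8

    # Same command line as step 5 in the post; -Wait so the exit code is the installer's.
    $proc = Start-Process -FilePath $setup -ArgumentList "/configure `"$configPath`"" `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# 0 means success; anything else tells the Intune agent the deployment failed.
exit (Install-OfficeProPlus)
```

Validating the XML up front matters on a managed PC: with Display Level set to anything but None, or without AcceptEULA, setup.exe stops on a dialog that nobody is there to click, and the deployment just looks like it hangs.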


Extending an Intune, EMS or Office 365 Trial

Need more time to decide?

That's okay. If your trial is about to run out, simply:

  1. Log on to  as an Administrator
  2. Navigate to: Billing->Subscriptions
  3. Find the trial you want to extend and click it
  4. Click Extend and enter a credit card. (It will not be charged)
  5. Click Submit

That’s it, 30 more days


EMS licenses: extend trial


Deploy custom script with Microsoft Intune

Once you have:

  1. Created a script
  2. Packaged the script in an EXE

you should be ready to deploy that script to computers running the Microsoft Intune Management Agent. Note that the Intune MDM channel does not support EXE, only MSI.

Log into Intune and go to Apps.
Select Software Installer, select EXE, then browse for the EXE.

Follow the Wizard.

You are done. Now you need to move the user or PC into that group for deployment. Want to deploy to all PCs? Apply it to all computers instead of a group.





Waiting to run script
Manual tasks that can be performed on the client






Create a GPO Script for Microsoft Intune

Microsoft Intune cannot push Group Policies out to computers, but we can target users or devices with scripts that change the corresponding setting in the registry.

Here is how you create a simple script that does just that.

@Echo off
echo A Script to set a Registry value using Windows Intune
REM Create the policy key if it does not exist yet (/f = no confirmation prompt)
reg add HKLM\Software\Policies\Microsoft\PassportForWork /f
REM Set Enabled = 0 as a REG_DWORD under that key; /f overwrites an existing value
reg add HKLM\Software\Policies\Microsoft\PassportForWork /v Enabled /t REG_DWORD /d 0 /f
REM reg add sets errorlevel 1 on failure; pass that on as the script's exit code
if errorlevel 1 (
echo Error installing reg key
exit /b 1
) else (
echo Installed regkey
exit /b 0
)


Simply copy this script into a Notepad file and save it as PassportForWork.CMD, then right-click it and choose Run as Administrator to apply the software policy, where we set Passport for Work Enabled = 0 (“Turn Off”).
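As an added example (my code, not the script from the original post), here is a PowerShell version of the same registry-policy script, generalised into a reusable function that creates the policy key if needed, writes the DWORD, reads it back to verify, and reports success or failure through the exit code. The exit-code handling is the part that matters for the "Deploy custom script" section above as well: a non-zero exit is what lets the Intune agent tell a failed deployment from a successful one. The function names Test-IsElevated and Set-PolicyDword are chosen for this example; the key and value are the ones from the post.

```powershell
# Added example, not part of the original post: PowerShell equivalent of
# PassportForWork.CMD, with a verify-after-write step and a clear exit code.
$ErrorActionPreference = 'Stop'

function Test-IsElevated {
    # HKLM\Software\Policies is writable only from an elevated (Administrator) process,
    # so fail early instead of letting reg writes silently go wrong.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-PolicyDword {
    # Creates the key if missing, writes the DWORD, and returns $true only if the
    # value reads back as written. (Name chosen for this example.)
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. HKLM:\Software\Policies\Microsoft\PassportForWork
        [Parameter(Mandatory)][string]$Name,   # value name, e.g. Enabled
        [Parameter(Mandatory)][int]$Value      # DWORD data, e.g. 0 to turn the feature off
    )
    # Equivalent of "reg add <key> /f": create the key (and any missing parents).
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Equivalent of "reg add <key> /v <name> /t REG_DWORD /d <value> /f".
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

    # Read back and compare, so a write that did not stick is reported rather than assumed.
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    return ($actual -eq $Value)
}

# --- Apply the same policy as the .CMD script: Passport for Work -> Enabled = 0 ("Turn Off").
if (-not (Test-IsElevated)) {
    Write-Output 'ERROR: this script must be run as Administrator'
    exit 1
}

$ok = Set-PolicyDword -Path 'HKLM:\Software\Policies\Microsoft\PassportForWork' -Name 'Enabled' -Value 0
if ($ok) {
    Write-Output 'Installed regkey'
    exit 0
} else {
    Write-Output 'Error installing reg key'
    exit 1
}
```

The read-back check is the one thing the .CMD version does not do: reg add returning 0 tells you the write call succeeded, not that the value is what you expect afterwards, and a script that verifies its own result is much easier to trust when it runs unattended on many machines.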

You can enter some of these register values:


Read more here: Registry Values (Technet)


Thanks to Richard Harrison at
