MDM errors failures and how to fix them

Over the course of this many month Air-Watch MDM project I’ve been conducting, I have run into WAY more than my fair share of MDM enrollment related issues.

Troubleshooting MDM issues presents a whole new set of difficulties, because where SCCM provides glorious log files with tons of community engagement and answers, MDM gives you hard to locate Windows Event logs. Every SCCM error code is meticulously documented on the web, where MDM errors give you this result:

This is how you know you are WAY off the reservation!

Never fear though, for I have compiled the most common and frustating errors which I have painstakingly worked through into this, very originally named volume

Where to find enrollment errors

You can monitor the status of an enrollment in the Windows Event Viewer, under this area:

Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin

It is routine to see some errors here, so not all errors need to be solved, however when you’re trying to troubleshoot why a machine won’t enroll in MDM, then you should be looking here first.   Continue reading

Advertisements

The quest for true silent MDM Enrollment

If you’ve been reading my blog recently, you’ve seen a lot of posts about MDM and Provisioning Options for Windows 10.  Previously we’ve covered:

And in this post we will dig further into the options available to us to deploy a Provisioning Package with the goal of allowing for silent MDM Enrollment and Silent application of a provisioning package!

Continue reading

SCCM v Intune Showdown

sccm

If you’re an SCCM Administrator you’ve likely heard of InTune and might be wondering when to use it.

In this post, we’ll cover how SCCM and Intune are able to manage Windows 10 full desktop computers (including laptops and Windows tablets like the Surface or Surface book.)

If instead you’re wondering about managing the Surface RT, lol, enjoy your metro cutting board.

Best use for a Surface RT in 2016

To understand where InTune really shines, let’s think of where SCCM works best:

  • known and defined network infrastructure
  • well connected end-point devices (less of an issue today)
  • standardized hardware models
  • standardized, company owned hardware
  • Active Directory Domain (all SCCM servers must be domain members)
  • Managed machines are either domain joined, or need certificates (certs =PKI =Even more infrastructure and configuration)
  • Wonderfully powerful imaging capabilities

It becomes pretty obvious, SCCM is for the big enterprise,  which its also expensive and has some serious requirements.

Now, let’s contrast this to the management story we have from Intune:

  • No requirement for local hardware or infrastructure
  • No on premises Active Directory requirement
  • Works very well with Azure AD
  • Works great with user owned and heterogeneous devices
  • Literally zero imaging options

For the rest of this post, I’ll list the big capabilities of an Enterprise Client Management tool and contrast how each of these tools perform at that task, we’ll cover: Continue reading

InTune – Don’t forget this important e-mail setting!

On a recent InTune deployment, we had a requirement to force encryption and security on mobile devices and also provision mail profiles as well.

During the pilot, we heard informal reports that a user thought they couldn’t send a photo using their company e-mail after migration, but we found this hard to reproduce.

However, during the production roll-out, we discovered that users were unable to add attachments using their InTune configured mail account.

Note that this was an ConfigMgr w/ InTune deployment, and the affected devices were mostly iOS and Android devices.

How do I fix this?

You control this setting from ConfigMgr, so launch the console. Continue reading