Chiragshah-1104 asked

Intune push the same policy/script again

I got one interesting point, if anybody can help me break the ice.

As we know, Intune will only push the deltas.

I am assigning one PowerShell script S1 to do one simple registry change.
The next day I send another script S2 to reverse that change.
Now if I want to send the original S1 one more time, it does not happen (even though I hit the Sync button in Intune), as S1 was already assigned and successfully applied to that user.

Any trick to instrument Intune to send S1?
Is there anything like forcefully sending a policy/script to the device?

Thanks.

Tags: mem-intune-general, mem-intune-device-configurations

Chiragshah-1104 answered

Excellent @RahulJindal-2267
Now it makes sense to me and we can close this thread.

RahulJindal-2267 answered

The script from Intune will not re-run by itself if it has already run successfully. The easiest way to make it re-run is by making a change in the policy of some sort. Just rename the script to something else and upload it again. Intune will see this as a new policy and then execute it again on endpoints. I normally use versioning in the script to control the execution, for example v1.0, v1.1.

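A versioned script of the kind described in the answer above, added here as an example that is not part of the original thread. It assumes hypothetical registry paths under HKLM:\SOFTWARE\Contoso for both the setting S1 enforces and a marker that records which version last ran; bumping $ScriptVersion before re-uploading is the content change that makes Intune treat the upload as a new policy and run it again:

```powershell
# Added example, not from the thread: a versioned Intune PowerShell script (the "S1" of the question).
# The Intune Management Extension runs a script policy once per target and records the result; it
# re-runs the script only when the uploaded content changes. Bumping $ScriptVersion before
# re-uploading is that change. All registry paths below are hypothetical placeholders.

$ScriptVersion = '1.1'                                   # bump this each time S1 must run again
$MarkerKey     = 'HKLM:\SOFTWARE\Contoso\IntuneScripts'   # hypothetical: records which version last ran
$MarkerName    = 'S1-Version'

$TargetKey   = 'HKLM:\SOFTWARE\Contoso\Settings'          # hypothetical: the setting S1 enforces
$TargetName  = 'ExampleFlag'
$TargetValue = 1

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

try {
    $applied = Get-RegistryValue -Path $MarkerKey -Name $MarkerName
    $current = Get-RegistryValue -Path $TargetKey -Name $TargetName

    # Idempotent: skip only when this version already ran AND the setting is still in place.
    # Checking the live value means a re-upload after S2 reverted it does real work again.
    if ($applied -eq $ScriptVersion -and $current -eq $TargetValue) {
        Write-Output "S1 v$ScriptVersion already applied and setting intact; nothing to do."
        exit 0
    }

    Set-RegistryValue -Path $TargetKey -Name $TargetName -Value $TargetValue -Type 'DWord'
    Set-RegistryValue -Path $MarkerKey -Name $MarkerName -Value $ScriptVersion -Type 'String'
    Write-Output "S1 v$ScriptVersion applied (previous marker: '$applied', previous value: '$current')."
    exit 0
}
catch {
    # A non-zero exit code is what Intune reports as a failed script run.
    Write-Error "S1 v$ScriptVersion failed: $($_.Exception.Message)"
    exit 1
}
```

Because the script compares the live value with the expected one, a re-upload after S2 has reverted the setting re-applies it even when the marker already reads the current version. A zero exit with nothing to do is reported to Intune as success, after which the script is not run again until its content changes; a non-zero exit is reported as a failure, which the Intune Management Extension retries three times.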

Chiragshah-1104 answered RahulJindal-2267 commented

@RahulJindal-2267 thanks for your answer; it totally makes sense.
I will try to see if adding a description etc. can trigger it.

On that note, I have one point to confirm.
As a script is a one-time deployment, are the configuration profiles also a one-time deployment?

Thanks.

RahulJindal-2267 commented

I am not sure what you meant by adding a description, but if it involves uploading a renamed script then yes, that should update the policy.

For all other policies, like device configuration policies, a simple modification of any setting will trigger re-evaluation of the policy.

Chiragshah-1104 answered

What I meant by description is: when you configure a script in Intune, you also give some description of the script (there is a field for it).
I was under the impression that if I make any change like that, it would trigger the push again.

Anyway, the more important point is the "configuration policies".
Yes, I agree that if I modify any setting in the policy, the whole policy will trigger.
But that is exactly the same as with the script.
As you cannot re-run the script, you cannot re-push the configuration.

I was hoping that Intune might give some explicit, forceful sync-up switch for the Intune admin to push any particular policy if/when needed (even if the policy was successfully assigned previously).

Maybe some local admin made some out-of-band change to test something on the device and voided the config policy.
Now we want to push the policy to take back control.

Thanks.

RahulJindal-2267 answered

Scripts don't re-run unless you update the script itself. Changing the description of the script will also not result in the script re-running.

The device configuration policies are evaluated every 8 hours. If a local admin does change something, the setting under the MDM policy will fall out of compliance, and during a scheduled re-evaluation the managed setting will be applied again. I hope this clears things up.

Chiragshah-1104 answered

Thanks again @RahulJindal-2267

Yes, that is another tangent to it, i.e., during every check-in, if the compliance policy has that setting configured then it will be applied.
However, configuration policies are huge and not every setting can be done through compliance (if I understood correctly).
So I believe if any such setting is modified by a local admin, Intune would remain out of the loop and unaware of it.

Thanks.

RahulJindal-2267 answered

Device compliance and setting compliance under device configuration are two different things. A device compliance policy prepares the overall compliance of the device based on a finite list of parameters that you can configure in the policy, for example antivirus, spyware, firewall and BitLocker, to name a few. Device configuration, on the other hand, has many profiles, and each setting carries its own compliance.

Chiragshah-1104 answered

So let me clarify my point with one real example.

I have one config policy for Win10 devices to show the SSPR link on the Windows login screen.
Basically it is an OMA-URI setting (/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset).

Now, after this policy is successfully set on the device, if I as a local admin go ahead and turn this OFF from the device, the next time the compliance check happens, will my device be declared non-compliant?
OR
will every setting of every config policy be applied if broken, and then the device status be reported as compliant?

Thanks

RahulJindal-2267 answered

In this particular example, nothing will happen to device compliance, as the device compliance policy doesn't check for such settings. As mentioned before, the device compliance policy only evaluates certain parameters (stated in my previous response). The only compliance that will get affected here is for the CSP setting of SSPR. When found to be non-compliant, Intune will re-configure it at the next check-in.

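A local drift check for the OMA-URI from the example above (/Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset), added here as an example that is not part of the original thread. It covers both the point about the 8-hour re-evaluation and the point that Intune re-configures a drifted CSP setting at the next check-in. It assumes that device-scoped Policy CSP values are readable under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting> (the layout the Policy CSP uses), that the profile sets the value to 1, and that the per-enrollment task "Schedule #3 created by enrollment client" under \Microsoft\Windows\EnterpriseMgmt is the one that triggers an MDM check-in. On drift it starts that task so the next check-in can re-apply the setting instead of waiting for the scheduled evaluation:

```powershell
# Added example, not from the thread: detect drift of a Policy CSP setting and request an MDM sync.
# Run elevated (the PolicyManager hive and the EnterpriseMgmt tasks are machine-scoped).
# Assumptions: Policy CSP values live under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>;
# the profile in the thread sets AllowAadPasswordReset to 1; "Schedule #3 created by enrollment client"
# is the enrollment task that performs a check-in.

$Area     = 'Authentication'
$Setting  = 'AllowAadPasswordReset'
$Expected = 1

$CspPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"

function Get-PolicyCspValue {
    param([string]$Path, [string]$Name)
    # $null when the area or setting has never been written by the MDM client.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Start-MdmSync {
    # The MDM enrollment client registers per-enrollment tasks under EnterpriseMgmt\<EnrollmentId>.
    # Starting the check-in task asks the device to contact Intune now rather than on the 8-hour schedule.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
             Where-Object { $_.TaskName -like 'Schedule #3 created by enrollment client*' }
    if (-not $tasks) { throw 'No MDM enrollment check-in task found; is the device MDM-enrolled?' }
    $tasks | Start-ScheduledTask
}

$actual = Get-PolicyCspValue -Path $CspPath -Name $Setting

if ($null -eq $actual) {
    Write-Output "$Area/$Setting is not present under PolicyManager; the profile has not applied yet."
}
elseif ($actual -ne $Expected) {
    Write-Output "Drift detected: $Area/$Setting is $actual, expected $Expected. Requesting MDM sync."
    Start-MdmSync
}
else {
    Write-Output "$Area/$Setting = $actual, as configured."
}
```

This only shortens the wait; the re-application itself is still done by the MDM client during the check-in, which is the behaviour described in the answer above. A device compliance policy is unaffected either way, since it does not evaluate this setting.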

Chiragshah-1104 answered

Maybe I am missing something, but your last line conflicts with the first two lines of your response.

How will Intune find the CSP setting of SSPR?

I would appreciate it if you could elaborate a little more.
