Release Notes for Windows Intune
Updated: December 17, 2012
Applies To: Windows Intune December 2012 Release
Windows Intune is an integrated, cloud-based client management solution that provides tools, reports, and upgrade licenses to the latest version of Windows, and helps keep your computers up-to-date and secure. In addition, Windows Intune lets you manage mobile devices on the network either through Exchange ActiveSync or directly through Windows Intune. The following release notes describe important information and known issues in Windows Intune.
General
The following are known issues in this release of Windows Intune.
New roles in Intune Account Portal should not be used
Issue: When assigning administrator permissions to a user in the Intune Account Portal, the following new options are available:
- Allows ability to perform tier1 support tasks
- Allows ability to perform tier2 support tasks
- Lets users access various read-only tasks in the directory
Note |
|---|
| These are reserved for future possible improvements and should not be used. Users assigned to these roles have no permissions. |
Workaround: Only use the following roles for assignment:
- Billing administrator
- Global administrator
- Password administrator
- Service administrator
- User management administrator
New partner sign up link in Microsoft Partner Network fails
Issue: After a partner signs in to the Microsoft Partner Network, selects Option 1: Partners without an existing online services account, and fills in the data on the partner sign up page, you may see an error. You will receive an email message verifying that the OrgID has been created. However, the error occurs before the subscription is successfully assigned.
Workaround: Return to the Microsoft Partner Network site and select Option 2: Partners with an existing online services account. Sign in with your Live ID, and then enter your new OrgID when you are prompted.
Cannot select all members from a parent group and exclude certain members
Issue: In Windows Intune, you cannot create a group that includes all parent group members and then exclude specific members.
Workaround: When you create the group, do not select anything on the inclusion page. You can then specify just the objects you want to exclude. The group will be created with all the parent members and not the objects that you excluded.
Installation and Deployment
The following issues can occur during client software deployment or client device preparation for Windows Intune.
"Policy State is invalid" error received after editing a policy migrated from a previous version of Windows Intune
Issue: After you upgrade to this release of Windows Intune, when you try to edit or save a Windows Intune Agent Settings policy or a Windows Intune Center policy that you created in the earlier version of Windows Intune, the attempt to save the policy might not succeed. Instead, a yellow bar might appear at the top of the Windows Intune administrator console window, prompting you to refresh or save the error log. This error occurs due to additional constraints that apply to data that you enter in policy setting fields (for example, if you specify processes to exclude when running a scan or using real-time protection, the process must end with one of the following file extensions: .exe, .com, or .scrn). These constraints did not apply to previous releases of Windows Intune.
Workaround: Before you save the policy, identify the data that is not valid, and then completely clear and re-enter the data. As you re-enter the data, prompts will provide information about constraints that apply in this version of Windows Intune. After you correct any issues with the data, you can save the policy.
iOS devices unable to install apps immediately after enrolling
Issue: After a user finishes the interactive part of the enrollment process for an iOS device, they can enter the mobile company portal immediately to browse for and install apps. However, the enrollment process continues in the background and usually is complete within a few minutes. If this background enrollment process is not successful, the user can still access the mobile company portal but will be unable to install their selected apps.
The background enrollment process may fail for the following reasons:
- The device is connected to the Internet by using Wi-Fi only. For example, the device has neither a SIM card nor a cellular data connection, and the Wi-Fi network is blocking communications from Apple Push Notification service (APNs) on port 5223.
- The Windows Intune service has experienced an error while completing processing of the enrollment request.
Workaround: To resolve this issue, do either of the following:
- Make sure that your Wi-Fi network does not block port 5223.
- Have the user follow these steps:
  - On the iOS device, select Settings, select Safari, and then select Clear Cookies and Data.
  - Select Settings, select General, and then select Profiles and delete the profile named Management Profile.
  - Log on to the mobile company portal again, and on the Identify your device page, select Add another device and re-enroll.
The Windows Intune Company Portal Website returns “Not all of the site scripts could be loaded” error
Issue: If a user tries to connect to the company portal website by using Internet Explorer with Tracking Protection enabled and a tracking protection list that includes ajax.googleapis.com, they will receive the error “Not all of the site scripts could be loaded.”
Workaround: To access the company portal website, do one of the following:
- Use a different tracking protection list that does not include ajax.googleapis.com.
- Edit the tracking protection settings to allow the following URLs:
  - https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
  - http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
  - https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js
  - http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js
  - https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/themes/base/jquery-ui.css
  - http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/themes/base/jquery-ui.css
- Disable Internet Explorer tracking protection.
- Use a different browser.
Windows Intune Endpoint Protection Non-Microsoft Software Removal Changes
Issue: Windows Intune will no longer provide non-Microsoft endpoint protection application removal functionality.
Workaround: To remove a non-Microsoft endpoint protection application from client computers, do either of the following:
- Use Windows Intune Software Distribution to deploy a removal tool that is provided by the manufacturer of the non-Microsoft endpoint protection application.
- Remove the non-Microsoft endpoint protection application manually.
Client software is not supported on computers that run Forefront Client Security
Issue: The Windows Intune client software cannot run on a computer that has Forefront Client Security installed, because both Windows Intune and Forefront Client Security use the same binary package (Windows Installer, also known as an .msi package) to install the Windows Intune Endpoint Protection service. If you try to install Windows Intune on a computer that has Forefront Client Security installed, the Windows Intune Endpoint Protection package is not enabled.
Workaround: To avoid this issue, if you plan to install the Windows Intune client software on a computer that has Forefront Client Security installed, remove Forefront Client Security before you install the Windows Intune client software.
Note |
|---|
| Be aware that this issue does not apply to computers that are running Forefront Endpoint Protection 2010. If you try to install Windows Intune on a computer that has Forefront Endpoint Protection 2010 installed, Forefront Endpoint Protection 2010 will be automatically uninstalled and Windows Intune Endpoint Protection will be installed. |
Some features in this release are not available to accounts using a Microsoft account (formerly Windows Live ID)
Issue: With this version of Windows Intune, you must use a Microsoft Online Services account to complete the following tasks. They cannot be completed by using a Microsoft account.
- Sign in to the Windows Intune company portal or mobile company portal
- Self-enroll a computer
- Link users to a computer
- Edit users in a target group
- Add Microsoft Online Service users as service administrators
  Note: You can add Windows Live ID users as service administrators by using a Microsoft account.
- Enroll your mobile device
Workaround: To use all the features of this version of Windows Intune, use Microsoft Online Services accounts to access the Windows Intune service.
Note |
|---|
| After you migrate to Microsoft Online Services, you cannot use Microsoft accounts. For more information, see Windows Intune Account Portal. |
Windows Firewall and IPsec Policy agent services must be enabled on client computers if Windows Firewall is managed by Windows Intune
Issue: You cannot manage Windows Firewall by using Windows Intune policies.
Workaround: The Windows Firewall and IPsec Policy Agent services must be enabled on client computers to manage Windows Firewall by using Windows Intune. If these services were disabled by an external management tool, the services must be enabled if you want to manage Windows Firewall by using Windows Intune.
A computer that was enrolled in Windows Intune cannot be managed by Windows Server Update Service (WSUS)
Issue: A computer that was enrolled in Windows Intune before the latest client release, and is then un-enrolled from Windows Intune, cannot be managed by WSUS.
Workaround: To return the client computers to a state that is manageable by WSUS, delete the following registry values on the client computers by running these commands:
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate /v wuserver
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate /v wustatusserver
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au /v usewuserver
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au /v targetgroup
Caution |
|---|
| Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. |
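The workaround above as a script, added here as an example and not part of the original release notes: it exports the Windows Update policy key to a .reg backup before deleting the four values, and reports values that are already absent instead of failing on them. The function name and the backup location are assumptions made for this example.

```powershell
# Added example (not from the release notes). Run from an elevated prompt.
# Function name and $BackupDir default are assumptions for illustration.
function Remove-IntuneWsusPolicyValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder that receives the .reg backup of the policy key.
        [string]$BackupDir = $env:TEMP
    )

    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    # Key/value pairs taken from the four reg delete commands in the workaround.
    $targets = @(
        @{ Key = $root;      Name = 'WUServer' },
        @{ Key = $root;      Name = 'WUStatusServer' },
        @{ Key = "$root\AU"; Name = 'UseWUServer' },
        @{ Key = "$root\AU"; Name = 'TargetGroup' }
    )

    if (-not (Test-Path -Path $root)) {
        Write-Verbose 'Windows Update policy key is not present; nothing to remove.'
        return
    }

    # Export the whole policy key (the AU subkey is included) before any change.
    # The backup is written even under -WhatIf, because it modifies nothing.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "WindowsUpdate-policy-$stamp.reg"
    & reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Registry backup failed (reg.exe exit code $LASTEXITCODE); no values were removed."
    }

    foreach ($t in $targets) {
        # A value counts as present only if its key exists and lists that name.
        $present = $false
        if (Test-Path -Path $t.Key) {
            $present = (Get-Item -Path $t.Key).GetValueNames() -contains $t.Name
        }

        $status = 'NotPresent'
        if ($present) {
            if ($PSCmdlet.ShouldProcess("$($t.Key)\$($t.Name)", 'Remove registry value')) {
                Remove-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction Stop
                $status = 'Removed'
            }
            else {
                $status = 'Skipped'
            }
        }

        # One result row per value, so the outcome can be logged or reviewed.
        [pscustomobject]@{
            Key    = $t.Key
            Value  = $t.Name
            Status = $status
            Backup = $backup
        }
    }
}

# Dry run: shows what would be removed without deleting anything.
Remove-IntuneWsusPolicyValue -WhatIf | Format-Table -AutoSize
```

Run the function again without -WhatIf to delete the values; the .reg file named in the Backup column can be imported to restore them.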
Monitoring agent installation fails if the Workstation service is disabled on the managed computer
Issue: If the Workstation service on a managed computer is disabled, the installation of the Windows Intune Monitoring Agent fails, and you will receive an error that has Event ID 11708.
Workaround: Follow the instructions in Microsoft Knowledge Base (KB) Article 969788 to resolve the issue.
Self-enrolling a computer running Windows XP requires Microsoft Internet Explorer 8 or later versions
Issue: When you self-enroll a computer that is running Windows XP, that computer must be running Microsoft Internet Explorer 8 or later, or you will receive an error.
Workaround: Make sure that all client computers running Windows XP are running Microsoft Internet Explorer 8 or greater.
You must use the 64-bit version of the Directory Synchronization Tool in order to recover a user’s Manager and Member links
Issue: A user has been soft-deleted in Active Directory and you want to recover their Manager and Member links.
Workaround: You must install and use the 64-bit version of the Directory Synchronization Tool. The 64-bit option is selected on the Set up and manage Active Directory synchronization page.
Inconsistent names appear in inventory after account upgrade
Issue: After you upgrade from the June 2012 Release of Windows Intune to this release of Windows Intune, the names of Windows RT devices that were enrolled in this release might appear in the inventory appended with “Windows.” However, the names of Windows RT devices that were enrolled when you were using the June 2012 Release might appear in the inventory appended with “Unknown.” For example:
- The names of Windows RT devices that were enrolled in the June 2012 release might appear in the inventory as <UserName>_Unknown.
- The names of Windows RT devices that are enrolled in this release might appear in the inventory as <UserName>_Windows.
Workaround: To resolve this issue, unenroll the Windows RT devices that were enrolled when you were using the June 2012 Release of Windows Intune, and then make sure that these devices are re-enrolled. For information about how to enroll Windows RT devices in direct management, see Enroll Windows RT Mobile Devices in Windows Intune Direct Management.
User may get error when attempting to access the portals immediately after signing up
Issue: After a user signs up and creates a Windows Intune account, if they click the links for the Company Portal or the Windows Intune administrator console, they may receive an error. This happens because Active Directory takes several minutes to set up the new user account.
Workaround: After you create a new Windows Intune account, wait several minutes for Active Directory to finish provisioning the new account before you open the Company Portal and the Windows Intune administrator console.
Software Distribution
The following issues can occur with Windows Intune software distribution.
.NET Framework 4 required when running the Windows Intune Software Publishing tool
Issue: If .NET Framework 4 is not installed on the machine that is running the Windows Intune Software Publishing tool, you are prompted to install the .NET Framework 4 when you first start the Windows Intune Software Publishing tool. After rebooting the machine you might encounter an issue when trying to launch the Windows Intune Software Publishing tool.
Workaround: Follow the instructions to install the .NET Framework 4. You may be prompted to restart the machine. If you encounter an issue while launching the Windows Intune Software Publishing tool after restarting the machine, try to launch the Windows Intune Software Publishing tool again.
The Windows Intune Software Publishing tool does not work for Microsoft accounts (formerly Windows Live IDs) or Microsoft Online User IDs that are associated with multiple Windows Intune accounts
Issue: When you try to start the Windows Intune Software Publishing tool by using a Microsoft account or a Microsoft Online User ID that is associated with multiple Windows Intune accounts, an error message is displayed.
Workaround: Add a different Microsoft account or Microsoft Online User ID that is not associated with any other Windows Intune accounts as an administrator of the Windows Intune account, and use that ID to log on to the Windows Intune Software Publishing tool.
Uploaded files cannot be larger than 2 gigabytes
Issue: The upper limit for an uploaded file to Windows Intune is 2 gigabytes. If the file is larger than 2 gigabytes, the upload will fail with an error.
Workaround: None.
Unable to install software that embeds the setup folder within the root folder on managed computers
This release of Windows Intune does not support distributed installation of any software that embeds the setup folder within the root folder. Because Microsoft Visual Studio 2010 follows this practice, installing Visual Studio 2010 through Windows Intune software distribution is not supported.
Software publishing feature requires additional registry key values to exist in order to work with Windows XP SP3
Issue: If you try to publish software on a computer that is running Windows XP SP3, you must change the registry for software publishing to work. The software publishing process uses the Microsoft Enhanced RSA and AES Cryptographic Provider. On Windows XP SP3, the name of the registry key that contains information about this provider has the string "(Prototype)" appended to it. The code that looks up the provider requires that the registry key not contain the string "(Prototype)."
Workaround: Create a new registry key that registers the cryptographic provider by using the expected name. The correct registry entries are as follows.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider]
"Image Path"="rsaenh.dll"
"Type"=dword:00000018
"SigInFile"=dword:00000000
Warning |
|---|
| Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. |
Security and Policy
The following issues can occur with Windows Intune security and policy configuration.
Endpoint Protection error code 0x800706F7 in the Administrator Console doesn't show accurate remediation action
Issue: When you upgrade clients to the latest Windows Intune client version, Endpoint Protection client status may display error code 0x800706F7 under certain conditions. The error details indicate that the client Failed to Install, but the actual follow-up action to remedy this error is to restart the client.
Workaround: When error code 0x800706F7 is displayed in the Windows Intune administrator console for an Endpoint Protection client, then you have to restart the client.
Cannot sign in to the service after clicking link in the activation email
Issue: If you are signed in to email by using a Microsoft account or Microsoft Online user ID account that is not a Windows Intune administrator account, and you click the activation link that is emailed when you first subscribe to Windows Intune, authentication fails, and you cannot sign in to Windows Intune. This issue occurs because Windows Live and Microsoft Online Services pass the same account credentials to Windows Intune that you are using to check email, not the Microsoft account or Microsoft Online user ID that is associated with the new Windows Intune subscription.
Workaround: To avoid this issue, unless you are signed in to your email account by using the exact Microsoft account or Microsoft Online user ID that you provided when you subscribed to Windows Intune, sign out of Windows Live, and then click the activation link. If it is necessary, forward the activation email to another account so that you can open the activation email and then click the activation link, but not pass unrecognized credentials to Windows Intune.
Exchange mailboxes with nondefault Exchange ActiveSync (EAS) policies assigned will be assigned default Exchange policy
Issue: Upon connecting Windows Intune to a Microsoft Exchange environment, all users managed through Windows Intune will have their EAS policy reset to the current default policy on the Microsoft Exchange server, unless there is a more specific policy defined within Windows Intune.
Workaround: For any specific (nondefault) EAS policy the customer has on Exchange, a Windows Intune version should be created and associated with the correct users before you connect Windows Intune to Microsoft Exchange.
Security Center or Action Center status on client computers does not indicate that updates are set to be automatically installed
Issue: By default, updates are installed on client computers that are managed by Windows Intune one time every day at 3:00 AM. However, this behavior is not accurately indicated in the Security Center Automatic Updates section for computers that run Windows XP SP3, or in the Action Center Windows Update section for computers that run Windows Vista or Windows 7. Instead, the updates status inaccurately indicates that Windows Update is set to check with the user before downloading and installing updates, and the status is yellow. In addition, users might receive messages that inaccurately indicate that a problem has occurred.
Workaround: None.
Unable to sign out of the Windows Intune Account Portal
Issue: Clicking Signout in the Windows Intune Account Portal fails to sign you out. This issue only occurs when you use Windows Internet Explorer 9.
Workaround: Open Windows Internet Explorer 9 as an administrator. Select Tools, then Internet Options, then Security, and then add the Microsoft Online Services address as a Trusted site.
Windows Intune sign-in uses current domain credentials
Issue: When signing in to Windows Intune from a domain-joined computer by using your Microsoft Online Services credentials, your domain credentials will be used to connect to Windows Intune. If the domain account that is used to connect is not a Windows Intune administrator account, Windows Intune will report that the user is not recognized.
Workaround: Ensure that the domain account in this situation is a Windows Intune administrator. For more information, see Adding and Managing Administrators.
Single sign-on does not work with Firefox or Chrome browsers
Issue: If you are configured for single sign-on by using Active Directory Federation Services (AD FS) 2.0, you will automatically be signed in to Windows Intune when you use Windows Internet Explorer. If you use Firefox as a browser, you may need to upgrade to the latest version of Firefox, and it may prompt you to sign in to Windows Intune. If you use Google Chrome as a browser, you may not be able to sign in by using single sign-on.
Workaround: None.
Signing out from the Commerce Portal using Firefox returns error
Issue: When signing out of the Commerce Portal when using Firefox, you will receive an error that states “Your request cannot be processed”.
Workaround: Manually close the Firefox browser.
User preferences are not retained after a soft delete and reactivation
Issue: When a user account is soft-deleted from Active Directory and then reactivated, the user preferences for Windows Intune will not be restored.
Workaround: None.
Windows Intune policies for firewall configuration affect Windows Firewall only
Issue: Windows Intune can be used to create policies that control Windows Firewall configuration, but non-Microsoft firewall software is not affected by Windows Intune policy.
Workaround: To configure non-Microsoft firewall software, use the administration console provided by the firewall software manufacturer.
Setting “Block all incoming connections“ to “Yes“ for any profile results in a failure of Windows Firewall policy
Issue: You cannot make policy changes to Windows Firewall on client computers where all the following conditions occur:
- The computers are running either Windows Vista or Windows Vista with Service Pack (SP) 1.
- The computers are not running the update specified in Knowledge Base article KB971800.
- The value of any of the settings (Domain, Private, or Public) is Yes for the Block all incoming connections, including those in the list of allowed programs profile setting in the Windows Firewall policy template in Windows Intune.
Workaround: Install the update KB971800 on affected client computers to manage Windows Firewall on those computers by using the service.
Updates service only provides daylight saving time software that is normally available from Windows Update
Issue: The Windows Intune Updates service only provides daylight saving time updates that are available on Windows Update. Updates that are offered outside of Windows Update, and out-of-band DST updates, are not provided by Windows Intune Updates. Daylight saving time is different between northern and southern hemispheres and is not observed in Asia, Africa, and parts of Central and South America. If your system is affected by daylight saving time, we strongly recommend updates to your operating system be installed accordingly. This is the expected behavior for the Windows Intune Updates service and is not considered a bug.
Workaround: No workaround is necessary. This is expected behavior of the Updates workspace in Windows Intune. For more information about available daylight saving time updates, see the Daylight Saving Time Help and Support Center and Microsoft Policy in Response to DST/TZ Requests.
Security and Critical updates must be selected
Issue: If you remove the Security and Critical update classifications on the Update Settings page, update agents cannot perform at all on computers that are managed by Windows Intune.
Workaround: Ensure that the Security and Critical update classifications are selected.
Uninstalling updates on Windows Intune clients
Issue: After an update is installed, it cannot be uninstalled.
Workaround: None.
Effective approval for a specific computer is not displayed correctly on the Computers tab of an update’s Properties page
Issue: Approval status for an update on a Windows Intune client computer is displayed in the Approval column on the Computers tab of the update’s Properties page. The approval status, also known as the effective approval, should reflect the computer groups to which an update is applied and the computer groups of which the computer is a member. Currently, the effective approval that is displayed is the overall approval for an update regardless of computer; that is, whether it is approved for any computers. This is a bug. The Approval column should show only the effective approval for a specific computer.
Workaround: To determine the effective approval for an update on a specific computer, open the Properties page for the computer, and then click the Updates tab.
Child products are not dimmed in update auto-approval rule
Issue: An auto-approval rule lets you select products for which an update approval is automated. In an auto-update rule, when you select a product that contains sub-products or child nodes, child nodes should be both selected and disabled, or dimmed. In this release of Windows Intune, selecting a container product automatically selects all child nodes, but the display does not reflect this behavior. The check boxes of child nodes seem to be empty, and the child nodes are enabled and not dimmed. Although the display incorrectly indicates that sub-product check boxes can be filled and cleared manually, the underlying behavior, independent of the user experience, is that child products of a selected product are also selected for auto-approval rules.
Workaround: Currently, there is no workaround for this issue. The underlying behavior of the auto-approval rule is as expected, despite the error in the display of selected products.
Approval of a large number of updates can consume a significant amount of time
Issue: When you deploy many updates at the same time by using the Manage Deployment task, some time can elapse before control is returned to you.
Workaround: Use CTRL+N to open a duplicate browser window and continue to work in the Windows Intune administrator console. Or, deploy updates in smaller batches.
You may be prompted for credentials when opening other portals from the Windows Intune account portal
Issue: If you are logged into the Windows Intune account portal and then click the Windows Intune administrator console or Windows Intune company portal links to open them, you may be prompted again for your credentials.
Workaround: None.
Alerts
The following are known issues with alerts in this release of Windows Intune.
Alerts, monitoring, and remote assistance are not available on computers running Windows 8
Issue: In this release, the alerts, monitoring, and remote assistance features are not available on computers that are running Windows 8.
Workaround: None.
Alert notifications for recipients that are automatically added may not work
Issue: If a recipient is automatically added to an alert notification, they may not always receive a notification.
Workaround: To make sure that recipients will receive message notification, you should manually add recipients to alert notifications.
The browser must be restarted after Easy Assist is installed
Issue: If you accept a user’s Remote Assistance request from a computer that does not have Microsoft Office® Live Meeting Easy Assist installed, you are prompted to install Remote Assistance through Microsoft Easy Assist. If you install Remote Assistance through Microsoft Easy Assist when you are prompted to do this in the Remote Assistance session, and you do not restart your browser after the Remote Assistance session is finished, you are prompted again to install Remote Assistance through Microsoft Easy Assist if you try to join later sessions.
Workaround: Restart your browser after the first Remote Assistance session is finished to avoid being prompted repeatedly to install Remote Assistance through Microsoft Easy Assist.
A computer that is running Windows must be used to accept or reject Remote Assistance requests
Issue: If you are viewing the Windows Intune administrator console on a computer that is running a Macintosh operating system, you cannot accept or reject a user’s Remote Assistance request on that computer, even if the web browser pop-up blocker is configured to allow pop-up windows from Windows Intune.
Workaround: To accept or reject Remote Assistance requests from users, you must do so on a computer that is running Windows.
Remote Assistance sessions do not allow access to user programs that are run with elevated rights
Issue: After you accept control of a user’s desktop during a remote assistance session on managed computers that are running either Windows Vista or Windows 7, the remote assistance session briefly displays blank if you try to access an application or tool that the user typically runs as an administrator (or runs with elevated user rights). The User Account Control (UAC) dialog box appears correctly in the user’s session, prompting the user to allow the elevated program to run. After the user either accepts or rejects the UAC request, you can control the session again, but cannot control or work in the elevated program, even if the user has clicked Yes in the UAC dialog box.
Workaround: To provide remote assistance for any program that requires local administrator rights, you can do either of the following:
- Disable UAC on the managed computer before providing remote assistance by using a Command Prompt window that is opened by using the Run as administrator command.
- On the managed computer, edit the Easy Assist manifest file by doing the following:
  - Open the file %ProgramFiles%\Microsoft Easy Assist\Console\8.1.6416.0\supportconsole.exe.manifest.
  - Look for the following line of code:
    requestedExecutionLevel level="asInvoker" uiAccess="false"
  - Change the value of the uiAccess attribute to true, as shown in the following example:
    requestedExecutionLevel level="asInvoker" uiAccess="true"
  - Save and close the file; the user must close and restart the Easy Assist session.
Copyright
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft, ActiveX, BranchCache, Excel, Forefront, IntelliMirror, Internet Explorer, MS-DOS, Silverlight, SpyNet, Windows, Windows Intune, Windows Live, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
