Microsoft Intune Mobile Application Management (MAM) policy changes not working

This post describes the solution to a scenario I encountered in which changes to a Microsoft Intune mobile application management (MAM) policy would not take effect.


In preparation for rolling out a Microsoft Intune Mobile Application Management (MAM) policy to Outlook for iOS clients, I created a test policy to enable PIN protection and applied it to a test user account.  The steps used can be found here.

In summary:

  1. Create a test user and assign a Microsoft Intune license via
  2. Create a user group to apply the app protection policy to, and assign the test user to the group, again via
  3. Create an App protection policy via
  4. Configure the policy settings (e.g. Require PIN access)
  5. Choose Apps to associate with policy (e.g. Outlook)
  6. Deploy policy to test group

This worked well.  After the policy applied, when I opened Outlook for iOS as the test user I was prompted to enter a PIN.


Note:  It can take up to 8 hours for a newly deployed app protection policy to be applied.


The problem arose when I removed the test MAM policy (or more specifically, removed the test user from the group “Test – MAM Policy”). I expected that the PIN protection settings would no longer apply.  However, the test user continued to be prompted to enter a PIN, even after waiting sufficient time for the changes to take effect.


It was the “Common IT administrator issues” section of the Troubleshoot Mobile Application Management guide that pointed me in the right direction.  Specifically, this section indicated that I may need to force a sync of the Outlook for iOS client for the changes to take effect.


I used the following steps to force a sync of the Outlook for iOS client:

  1. From the Outlook app, click on settings
  2. Select the test Office 365 account and then choose “Reset Account”

This forced a sync of the Outlook client.  Next time I opened the Outlook app, the PIN protection policy had been removed.

Microsoft Intune Useful Links & Information


The following is a collection of links to Microsoft Intune resources that may be useful to anyone looking to get started with Intune.

Training Guides

  1. Microsoft Virtual Academy Intune Training
  2. Intune documentation
  3. What to tell your end users about using Microsoft Intune

Blogs, Videos & Customer Stories

  1. What’s New
    1. Intune Standalone & General Product Updates
    2. Intune Hybrid What’s New
  2. Blogs
    1. Brad Anderson’s Blog
    2. Simon May’s Blog
    3. Enterprise Mobility & Security Blog
    4. Intune Support Blog
  3. Forums
    1. Microsoft Intune UserVoice
    2. Microsoft Intune Forums

Useful Tools

  1. System Centre Configuration Manager Hybrid Diagnostic Tool

Support Information

  1. Engage the Intune FastTrack Centre for deployment assistance
  2. How to engage Premier Support for technical help and troubleshooting

How to get a detailed list of all your Configuration Manager Deployments using PowerShell

In this blog I will show you step by step how to quickly get a detailed list of all your Configuration Manager deployments, output in Excel table format, including the following details:

  • Application Name
  • Assignment ID
  • CI_ID
  • Collection
  • Collection Name
  • DeploymentID
  • Creation Time
  • Deployment Time
  • Enforcement Deadline
  • PackageID

You can also download this guide from the TechNet Gallery here.

First, open the System Center Configuration Manager Console.


Click on the down arrow in the upper right hand corner and choose “Connect via Windows PowerShell”.  This opens PowerShell with the Configuration Manager module loaded.  Type the following command (use whatever path you want to save the output):

Get-CMDeployment | Export-csv -NoTypeInformation c:\temp\Deployments.CSV



Next, open the Deployments.CSV file using Microsoft Excel.

Highlight / select all the rows and columns with data, select the “Insert” tab, and click on “Table”.


Make sure to tick “My table has headers”, then click OK.


You now have an Excel spreadsheet, in table format, with detailed information about all your deployments, including:

  • Application Name
  • Software Name
  • Assignment ID
  • CI_ID
  • Collection
  • Collection Name
  • DeploymentID
  • Creation Time
  • Deployment Time
  • Enforcement Deadline
  • PackageID



Unable to run Office 365 / Exchange Hybrid Wizard – “Content was blocked because it was not signed by a valid security certificate”



From the Exchange Admin Center you run the Hybrid configuration setup


You are prompted to login to Office 365


You enter your credentials


And then receive this message / warning



You are unable to complete the Hybrid configuration



You can resolve this issue by installing the certificate as follows:

1: Click on the security report icon (the lock symbol in the browser address bar)

2: Click View Certificates


3: Click “Install Certificate”


4: Select “Local Machine” and click next


5: Click Next


6: Click Finish


7: Click Ok


8: Restart Internet Explorer & the Exchange Admin Center.

9: Click enable on the Hybrid setup

10: Log into Office 365 when prompted

You will be returned to the Hybrid setup page


This time, when you click Enable, the Exchange Hybrid setup wizard will start



How to enable MAC address spoofing on a Hyper-V 2012 R2 Virtual Machine using PowerShell

I recently had to enable MAC address spoofing on the network adapters of two virtual machines deployed on Hyper-V 2012.  Here’s how I did it using PowerShell:

First, use the following command to take a look at the current configuration of our network adapter:

Get-VMNetworkAdapter -VMName VirtualMachineName -ComputerName HyperVHostName | fl Name,MacAddressSpoofing


  • VMName = Virtual Machine Name
  • ComputerName = Hyper-V host name
  • Name = Virtual Network Adapter Name

We can see that MacAddressSpoofing is currently Off.

Run the following command to turn MacAddressSpoofing On:

Set-VMNetworkAdapter -VMName VirtualMachineName -ComputerName HyperVHostName -Name NetworkAdapterName -MacAddressSpoofing On


Re-run the following command to verify MacAddressSpoofing is On:

Get-VMNetworkAdapter -VMName VirtualMachineName -ComputerName HyperVHostName | fl Name,MacAddressSpoofing
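
The same check, change and verify sequence as a script, followed by a listing of every VM adapter on the host that has MAC address spoofing enabled, so the setting stays limited to the adapters that need it. This is an added example, not code from the original post; the host, VM and adapter names are the placeholders used above and the function names are illustrative.

```powershell
# Added example: the default values are placeholders, not names from a real environment.
param(
    [string]$HyperVHost  = 'HyperVHostName',
    [string]$VMName      = 'VirtualMachineName',
    [string]$AdapterName = 'NetworkAdapterName'
)

function Set-SpoofingOnAdapter {
    param([string]$HyperVHost, [string]$VMName, [string]$AdapterName)

    # Resolve exactly one adapter so the change is not applied to every NIC on the VM.
    $adapter = @(Get-VMNetworkAdapter -VMName $VMName -ComputerName $HyperVHost -Name $AdapterName)
    if ($adapter.Count -ne 1) {
        throw "Expected one adapter named '$AdapterName' on '$VMName', found $($adapter.Count)."
    }

    # Only touch the adapter if the setting is not already On.
    if ($adapter[0].MacAddressSpoofing -ne 'On') {
        Set-VMNetworkAdapter -VMNetworkAdapter $adapter[0] -MacAddressSpoofing On
    }

    # Re-read the setting from the host rather than trusting the cached object.
    Get-VMNetworkAdapter -VMName $VMName -ComputerName $HyperVHost -Name $AdapterName |
        Select-Object VMName, Name, MacAddressSpoofing
}

function Get-SpoofingEnabledAdapter {
    param([string]$HyperVHost)

    # Every VM adapter on the host that is allowed to send frames with a changed source MAC.
    Get-VM -ComputerName $HyperVHost | Get-VMNetworkAdapter |
        Where-Object { $_.MacAddressSpoofing -eq 'On' } |
        Select-Object VMName, Name, SwitchName, MacAddress
}

Set-SpoofingOnAdapter -HyperVHost $HyperVHost -VMName $VMName -AdapterName $AdapterName
Get-SpoofingEnabledAdapter -HyperVHost $HyperVHost
```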


WSUS – The file for this update failed to download

Edit:  I’ve posted this on YouTube here


During a recent deployment of WSUS on Windows 2012 R2, using the WID database, I ran into a problem whereby after I approved updates, they would fail to download.  The WSUS console showed the following error: “The files for this update failed to download”


The application log showed the following Event ID 364 error


And also the following Event ID 10032 error


With such a specific error description in the Event ID 364, I thought finding a solution would be straightforward.  And indeed I quickly found the following KB article describing the issue I was experiencing.

In my environment we were not using a Sonicwall firewall device, so Method 1 applied to my scenario.  Specifically, configure BITS to work in foreground mode.  The KB article details the command to run, and for my scenario (WSUS 3.0 with a Windows Internal Database that was created by a default WSUS installation) the solution described was to run the following command:

"%programfiles%\Update Services\Setup\ExecuteSQL.exe" -S %Computername%\MICROSOFT##SSEE -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=1"

However, I did not have the ExecuteSQL.exe utility anywhere on my WSUS server.  A missing ExecuteSQL.exe utility scenario is also described on this blog, and pointed me in the right direction.


Firstly, download and install the Microsoft SQL Server 2012 Feature Pack from here.  Specifically, you want to install the Native Client & Command Line Utilities.


Then open an administrative command prompt to C:\Program Files\Microsoft SQL Server\110\Tools\Binn

Run the following command:

SQLCMD.exe -S \\.\pipe\Microsoft##WID\tsql\query -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=1"


Once complete, restart the Windows Update service.

After that, my WSUS server was able to download updates successfully from Microsoft Update.