Windows Intune™ helps you manage and secure computers through a combination of Windows cloud services and upgrade licensing. The following release notes describe important information and known issues in Windows Intune.
Known Issues
Installation
The following issues can occur during client software deployment or client computer preparation for Windows Intune.
Windows Firewall and IPsec Policy Agent services must be enabled on client computers if Windows Firewall is managed by Windows Intune
Issue: You cannot manage Windows Firewall by using Windows Intune policies.
Workaround: The Windows Firewall and IPsec Policy Agent services must be enabled on client computers to manage Windows Firewall by using Windows Intune. If these services were disabled by an external management tool, the services must be enabled if you want to manage Windows Firewall by using Windows Intune.
The Windows Intune client software cannot coexist with System Center Configuration Manager 2012 Beta
Issue: The Windows Intune client software cannot function correctly if it is installed on a computer on which System Center Configuration Manager 2012 Beta is installed.
Workaround: Completely uninstall the System Center Configuration Manager 2012 Beta client software from the computer before you enroll the computer into the Windows Intune service.
Some agents can require restarts of client computers
Issue: You might be required to restart the computer after you install the Windows Intune client software. Up to two restarts of client computers could be required by client software agents.
Workaround: If you are prompted to restart the client computer during the client software installation and agent update process, restart the computer.
Windows Vista and Windows 7 Computers Require a Reboot
Issue: For Windows Vista and Windows 7 pre-SP1 computers, you might be required to restart the computer after you install the Windows Intune client software. This occurs because of a required update to the Windows Filtering Platform.
Workaround: To avoid a restart, install the Windows Filtering Platform update before you install the Windows Intune client software. The update is available to the public at http://support.microsoft.com/kb/981889.
Customers cannot sign in to the service after they click the link in the activation email
Issue: If a customer is signed in to email by using a Windows Live ID account that is not a Windows Intune administrator account, and the customer clicks the activation link in the email message that is sent when customers first subscribe to Windows Intune, authentication fails, and the customer cannot sign in to Windows Intune. This happens because Windows Live passes the same account credentials to Windows Intune that the customer is using to check email, not the Windows Live ID that is associated with the new Windows Intune subscription.
Workaround: To avoid this issue, sign out of Windows Live unless you are signed in to your email account with the exact Windows Live ID that you provided when you subscribed to Windows Intune, and then click the activation link. If necessary, forward the activation email to another account so that you can open the message and click the activation link without passing unrecognized credentials to Windows Intune.
Client software is not supported on computers that run Forefront Client Security
Issue: The Windows Intune client software cannot run on a computer that has Forefront Client Security installed, because both Windows Intune and Forefront Client Security use the same binary package (Windows Installer, also known as an .msi package) to install the Windows Intune Endpoint Protection service. If you try to install Windows Intune on a computer that has Forefront Client Security installed, the Windows Intune Endpoint Protection package is not installed.
Workaround: To avoid this issue, if you plan to install the Windows Intune client software on a computer that has Forefront Client Security installed, remove Forefront Client Security before you install the Windows Intune client software.
Note: This issue does not apply to computers that are running Forefront Endpoint Protection 2010. If you try to install Windows Intune on a computer that has Forefront Endpoint Protection 2010 installed, Forefront Endpoint Protection 2010 will be automatically uninstalled and Windows Intune Endpoint Protection will be installed.
Windows Installer version must be 3.1 or later version to install the client software
Issue: To install the Windows Intune client software, client computers must be running at least Windows Installer 3.1. For client computers that are running Windows XP Service Pack (SP) 2, you must install Windows Installer version 3.1 before you can enroll the computers into Windows Intune.
Workaround: You can download the latest version of Windows Installer for Windows XP SP2 from Windows Installer. You can view the version of Windows Installer that is running on a client computer by right-clicking %windir%\System32\msiexec.exe and then clicking Properties.
Monitoring agent installation fails if the Workstation service is disabled on the managed computer
Issue: If the Workstation service on a managed computer is disabled, the installation of the Windows Intune 1.0 Monitoring Agent fails, and you will receive an error that has Event ID 11708.
Workaround: Follow the instructions in Microsoft Knowledge Base (KB) Article 969788 (http://go.microsoft.com/fwlink/?LinkId=169467) to resolve the issue.
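The service and Windows Installer prerequisites described in this section can be checked on a client computer before enrollment. The following Windows PowerShell script is an added example, not part of the original release notes or of Microsoft's tooling; it assumes the Windows Vista and Windows 7 service names MpsSvc (Windows Firewall), PolicyAgent (IPsec Policy Agent) and LanmanWorkstation (Workstation), and its function names are hypothetical.

```powershell
# Added example: pre-enrollment readiness check for one client computer.
# Assumes Windows PowerShell 2.0 or later, run locally on the client.

function Test-ServiceEnabled {
    param([string]$Name)
    # Win32_Service exposes StartMode (Auto, Manual, Disabled); Get-Service
    # does not report the start mode in older PowerShell versions.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return New-Object PSObject -Property @{
            Check = "Service $Name"; Ok = $false; Detail = 'not installed' }
    }
    New-Object PSObject -Property @{
        Check  = "Service $Name"
        Ok     = ($svc.StartMode -ne 'Disabled')
        Detail = "StartMode=$($svc.StartMode), State=$($svc.State)"
    }
}

function Test-WindowsInstallerVersion {
    param([version]$Minimum = '3.1')
    # Same file the release notes tell you to inspect through Properties.
    $path  = Join-Path $env:windir 'System32\msiexec.exe'
    $info  = (Get-Item $path).VersionInfo
    $found = [version]("{0}.{1}" -f $info.FileMajorPart, $info.FileMinorPart)
    New-Object PSObject -Property @{
        Check  = 'Windows Installer'
        Ok     = ($found -ge $Minimum)
        Detail = "msiexec.exe $($info.FileVersion), need $Minimum or later"
    }
}

$results = @(
    Test-ServiceEnabled 'MpsSvc'             # Windows Firewall
    Test-ServiceEnabled 'PolicyAgent'        # IPsec Policy Agent
    Test-ServiceEnabled 'LanmanWorkstation'  # Workstation
    Test-WindowsInstallerVersion
)

$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize

# A non-zero exit code lets a deployment script stop before enrollment.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```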
Operations
The following issues can occur during your Windows Intune service sessions.
Malware Protection client update required
Issue: The Windows Intune Malware Protection client from the second public beta will have to be updated to the more recent version, which is Windows Intune Endpoint Protection. For this upgrade to occur automatically, you must first uninstall Windows Intune Malware Protection from the client computer. This means that there is a very small gap in protection against malicious software, also known as malware. During this brief window, users on client computers may be warned by the Windows Action Center that their computers are not protected.
Workaround: This issue is expected, and should resolve itself. If the issue persists, see the Windows Intune Endpoint Protection Help on the client.
Pop-up blockers must be configured to allow pop-up windows from Windows Intune
Issue: On some browsers, if you are viewing the Windows Intune administrator console with a web browser that has a pop-up blocker enabled, you may receive an error when you try to complete the following tasks in the console:
- Accept or reject a user’s Remote Assistance request.
- View Windows Intune reports.
- Click a link to view the Microsoft Malware Protection Center home page or a malicious software topic in the Microsoft Malware Protection Center.
- Click a link to view the Privacy Notice.
- Reauthenticate if a Windows Intune administrator console session times out.
Workaround: Configure your browser pop-up blocker to allow pop-up windows from Windows Intune.
Administrators must use a computer that is running Windows to accept or reject Remote Assistance requests
Issue: If you are viewing the Windows Intune administrator console on a computer that is running a Macintosh operating system, you cannot accept or reject a user’s Remote Assistance request on that computer, even if the web browser pop-up blocker is configured to allow pop-up windows from Windows Intune.
Workaround: To accept or reject Remote Assistance requests from users, you must do so on a computer that is running Windows.
Administrators must restart the browser after they install Easy Assist
Issue: If you accept a user’s Remote Assistance request from a computer that does not have Microsoft Office® Live Meeting Easy Assist installed, you are prompted to install Easy Assist. If you install Easy Assist when you are prompted to do this in the Remote Assistance session, and you do not restart your browser after the Remote Assistance session is finished, you are prompted again to install Easy Assist if you try to join later sessions.
Workaround: Restart your browser after the first Remote Assistance session is finished to avoid being prompted repeatedly to install Easy Assist.
Windows Intune policies for firewall configuration affect Windows Firewall only
Issue: Windows Intune can be used to create policies that control Windows Firewall configuration, but non-Microsoft firewall software is not affected by Windows Intune policy.
Workaround: To configure non-Microsoft firewall software, use the administration console provided by the firewall software manufacturer.
Setting “Block all incoming connections” to “Yes” for any profile results in a failure of Windows Firewall policy
Issue: You cannot make policy changes to Windows Firewall on client computers where all the following conditions occur:
- The computers are running either Windows Vista or Windows Vista with Service Pack (SP) 1.
- The computers are not running the update specified in Knowledge Base article KB971800.
- The value for any of the profiles (Domain, Private, or Public) is Yes for the “Block all incoming connections, including those in the list of allowed programs” profile setting in the Windows Firewall policy template in Windows Intune.
Workaround: Install the update KB971800 on affected client computers to manage Windows Firewall on those computers by using the service.
Windows Intune administrator console session does not time out
Issue: After you are signed in to the Windows Intune service, your session does not time out. If multiple Internet Explorer windows are open, closing the Internet Explorer window that is running Windows Intune does not sign you out of the service. Opening a new window or tab in Internet Explorer automatically signs you in to the service without prompting you to enter your Windows Intune administrator Live ID and password.
Workaround: In the Windows Intune administrator console, click Sign out to end a session. Alternatively, close all open Internet Explorer tabs and windows.
Updates service only provides daylight saving time software that is typically available from Windows Update
Issue: The Windows Intune Updates service only provides daylight saving time (DST) updates that are available on Windows Update. Updates that are offered outside Windows Update, and out-of-band DST updates, are not provided by Windows Intune Updates. DST is different between northern and southern hemispheres and is not observed in Asia, Africa, and parts of Central and South America. If your system is affected by DST, we strongly recommend updates to your operating system be installed accordingly. This is typical Windows Intune Update service behavior and is not considered a bug.
Workaround: No workaround is necessary. This is expected behavior of the Updates workspace in Windows Intune. For more information about available DST updates, see the Daylight Saving Time Help and Support Center (http://go.microsoft.com/fwlink/?LinkID=99640) and Microsoft Policy in Response to DST/TZ Requests (http://go.microsoft.com/fwlink/?LinkId=183845).
Administrators must select Security and Critical updates
Issue: If an administrator removes the Security and Critical update classifications on the Update Settings page, update agents cannot function at all on computers that are managed by Windows Intune.
Workaround: Make sure that the Security and Critical update classifications are selected.
Uninstalling updates on Windows Intune clients
Issue: After an update is installed, it cannot be uninstalled.
Workaround: None.
Effective approval for a specific computer is not displayed correctly on the Computers tab of an update’s Properties page
Issue: Approval status for an update on a Windows Intune client computer is displayed in the Approval column on the Computers tab of the update’s Properties page. The approval status, also known as effective approval, should reflect the computer groups to which an update is applied, and the computer groups of which the computer is a member. Currently, the effective approval that is displayed is the overall approval for an update regardless of computer; namely, whether it is approved for any computers. This is a bug. The Approval column should show only the effective approval for a specific computer.
Workaround: To determine the effective approval for an update on a specific computer, open the Properties page for the computer, and then click the Updates tab.
Remote Assistance sessions do not allow administrators access to user programs that are run with elevated rights
Issue: After an administrator accepts control of a user’s desktop during a remote assistance session on managed computers that are running either Windows Vista or Windows 7, the administrator’s remote assistance session is briefly displayed as blank if the administrator tries to access an application or tool that the user typically runs as an administrator (or runs with elevated user rights). The User Account Control (UAC) dialog box appears correctly in the user’s session, prompting the user to let the elevated program run. After the user either accepts or rejects the UAC request, the administrator can control the session again, but cannot control or work in the elevated program, even if the user has clicked Yes in the UAC dialog box.
Workaround: To provide remote assistance for any program that requires local administrator rights, the Windows Intune administrator can do either of the following:
- Disable UAC on the managed computer before providing remote assistance by using a Command Prompt window that is opened by using the Run as administrator command.
- On the managed computer, edit the Easy Assist manifest file by doing the following:
  - Open the file %ProgramFiles%\Microsoft Easy Assist\Console\8.1.6416.0\supportconsole.exe.manifest.
  - Look for the following line of code:
    requestedExecutionLevel level="asInvoker" uiAccess="false"
  - Change the value of the uiAccess attribute to true, as shown in the following example:
    requestedExecutionLevel level="asInvoker" uiAccess="true"
  - Save and close the file. The user must close and restart the Easy Assist session.
Child products are not dimmed in update auto-approval rule
Issue: An auto-approval rule lets you select products for which an update approval is automated. In an auto-update rule, when you select a product that contains sub-products or child nodes, child nodes should be both selected and disabled, or dimmed. In this release of Windows Intune, selecting a container product automatically selects all child nodes, although the display does not reflect this behavior. The check boxes of child nodes seem to be empty, and the child nodes are enabled and not dimmed. Although the display incorrectly indicates that sub-product check boxes can be filled and cleared manually, the underlying behavior, independent of the user experience, is that child products of a selected product are also selected for auto-approval rules.
Workaround: Currently, there is no workaround for this issue. The underlying behavior of the auto-approval rule is as expected, despite the error in the display of selected products.
Approval of a large number of updates can consume a significant amount of time
Issue: When you deploy lots of updates at the same time by using the Manage Deployment task, a long time can elapse before control is returned to you.
Workaround: Use CTRL+N to open a duplicate browser window and continue to work in the Windows Intune administrator console. Or, you can deploy updates in smaller batches.
A computer that was enrolled in Windows Intune cannot be managed by Windows Server Update Service (WSUS)
Issue: A computer that was enrolled in Windows Intune before the latest client release, and is then un-enrolled from Windows Intune, cannot be managed by WSUS.
Workaround: To return the client computers to a state that is manageable by WSUS, run the following commands on the client computers to delete these registry values:
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate /v wuserver
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate /v wustatusserver
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au /v usewuserver
- reg delete HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au /v targetgroup
Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
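The same cleanup can be scripted so that the policy key is exported first and only the values that are actually present are removed. The following Windows PowerShell script is an added example, not Microsoft's code; the backup file name and location are assumptions of the example, and it must be run from an elevated prompt on the un-enrolled client.

```powershell
# Added example: remove the four Windows Update policy values listed in
# the workaround, after exporting the key so the change can be reverted.
$regKey = 'HKLM\software\policies\microsoft\windows\windowsupdate'
$base   = 'HKLM:\software\policies\microsoft\windows\windowsupdate'

$targets = @(
    @{ Path = $base;      Name = 'wuserver' }
    @{ Path = $base;      Name = 'wustatusserver' }
    @{ Path = "$base\au"; Name = 'usewuserver' }
    @{ Path = "$base\au"; Name = 'targetgroup' }
)

# Back up the whole policy key (including the au subkey). The file can be
# restored with "reg import". File name and folder are assumptions.
if (Test-Path $base) {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:TEMP "windowsupdate-policy-$stamp.reg"
    & reg.exe export $regKey $backup | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw 'Backup failed; no values were deleted.'
    }
    Write-Output "Backup written to $backup"
}

foreach ($t in $targets) {
    $item = $null
    if (Test-Path $t.Path) {
        # Returns nothing (instead of failing) when the value is absent.
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name `
                                 -ErrorAction SilentlyContinue
    }
    if ($null -ne $item) {
        $old = $item.($t.Name)
        Write-Output ("Removing {0}\{1} (was: {2})" -f $t.Path, $t.Name, $old)
        Remove-ItemProperty -Path $t.Path -Name $t.Name
    } else {
        Write-Output ("Not present: {0}\{1}" -f $t.Path, $t.Name)
    }
}
```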
Managed computers cannot download anti-malware definition updates
Issue: Computers that are managed by Windows Intune are not automatically downloading anti-malware definition updates. You can check the status of virus and spyware definitions either by opening Windows Intune Endpoint Protection on managed computers and viewing the status on the Home tab, or by checking the status of the computer in the Windows Intune administrator console.
Workaround: To resolve this issue, do one of the following:
- Opt in to Microsoft Update on computers that you intend to manage before you enroll them in the Windows Intune service.
- Do not use a proxy server on managed computers.
- If you must use a proxy server on managed computers, make sure that the network environment supports the automatic detection of the proxy server and that Internet Explorer is configured for automatic proxy server detection on managed computers.
Text might not be displayed correctly for some languages in the Windows Intune administrator console
Issue: Text for languages that require multiple glyphs to display a character might not be displayed correctly. This includes text for languages such as Arabic and other Indic languages such as Devanagari and Thai.
Workaround: None.
Browser cache might need to be cleared to prevent an error
Issue: If you switch between accounts and then try to create or edit a policy, you might see an error message.
Workaround: Clear the browser cache. For information about how to clear the browser cache, please refer to the browser's Help documentation.
A previously configured policy setting is reset
Issue: If a previously-configured Agent Settings policy contained a value greater than 30 for the "Delay to restart Windows after installation of scheduled updates (minutes)" setting, the value is reset to 30 minutes.
Workaround: None.
Agent Settings template displays incorrect tooltips for two settings
Issue: Tooltip values are incorrect for the "Delay to restart Windows after installation of scheduled updates (minutes)" and "Delay between prompts to restart Windows after installation of scheduled updates (minutes)" settings.
Workaround: For the "Delay to restart Windows after installation of scheduled updates (minutes)" setting, ignore the maximum range and the recommended value that is displayed in the tooltip. The setting accepts a value from 1 to 30 minutes. The recommended value is 5 minutes.
For the "Delay between prompts to restart Windows after installation of scheduled updates (minutes)" setting, ignore the maximum range and the recommended value that is displayed in the tooltip. The setting accepts a value from 1 to 1440 minutes. The recommended value is 30 minutes.
Copyright
This document supports a preliminary release of Windows Intune™.
Information in this document, including URL and other Internet website references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Microsoft, Internet Explorer, Windows Live, Microsoft Forefront Client Security, Windows Server Update Services, Windows Vista, Windows 7, and Windows XP are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.