Thursday, February 16, 2012 12:48 AM
I am developing and testing a plan to deploy Intune on a domain network that also uses Group Policy. I have read the Intune help about how to make group policy coexist with Intune policy (http://onlinehelp.microsoft.com/en-gb/windowsintune/hh127751.aspx), and I am trying to use Option 2, the WMI filter.
Before I use this with Group Policy, I'm trying to use WMI manually to tell me whether Intune is installed on a PC. It's not working and I'm beginning to wonder if the instructions are wrong. Here's what I've tried:
First, I took a freshly-installed Windows 7 PC and did "mofcomp wti.mof" in an elevated command prompt. Then I tested whether the WMI Intune definitions had been added, by typing (in a command prompt):
wmic /namespace:"\\root\WindowsIntune" path WindowsIntune_ManagedNode get
This returns the result:
Note this says that Intune is installed (second column), *even though this is a freshly-built PC with no Intune!*. I completely understand this answer because, in the MOF file that the help page contains, there's a section:
instance of WindowsIntune_ManagedNode
{
Version = "1.0";
WindowsIntunePolicyEnabled = 1;
};
This definition appears to initialize the WMI variable "WindowsIntunePolicyEnabled" to 1 (i.e. True), even if Intune is not installed. Is this an error in the Intune help or do I misunderstand? As I read the instructions, compiling this MOF with a script on all computers in your domain would mark them ALL as having Intune installed, even if it isn't!
Anyway, I then proceeded to install Intune and wait until it had been installed completely, the policies had been applied, and the Intune Console showed that the PC had no alerts. Then I ran the above wmic command again, and the WMI variable WindowsIntunePolicyEnabled was still true. Installing Intune had no effect on it.
Next, I refreshed the Windows 7 PC so it was again a freshly-rebuilt system. This time I compiled a MOF file which I had changed to define WindowsIntunePolicyEnabled = 0. Now the wmic command shows that Intune is not installed. However when I later installed Intune this value did not change!! It looks like an Intune installation is not updating this WMI value no matter which way I initialize it! (Note that during the Intune install, you can see in the System log that it is installing a ton of WMI entries, so it's plausible that Intune would update WindowsIntunePolicyEnabled. But it doesn't...)
What am I doing wrong or how can I test whether a PC is being managed by Intune using WMI???
Here are some follow-up questions assuming that I get the above working, since the WMI documentation is pretty vague:
1. Does the WindowsIntunePolicyEnabled variable mean that Intune is merely installed on a PC, or does it mean that Intune policies have been applied? In other words, what would it do if I installed Intune from an organization that did not have any Intune policies defined?
2. If I install Intune, then later uninstall Intune and retire the PC (but keep using it under Group Policy), will WindowsIntunePolicyEnabled change back to once again show that Intune is not installed?
Thanks for your help.
Thursday, February 16, 2012 6:21 PM Moderator
The Windows Intune install has no effect on the WMI setting you are deploying with the MOF file. The MOF is a way for you to prevent specific Group Policies from applying on a specific set of Windows Intune machines. The MOF doesn't mean Windows Intune is installed or isn't; it's just a simple way for you to filter out a set of machines from receiving policy that might impact Windows Intune. You can deploy this MOF to machines prior to enrolling Windows Intune, set your GPO filtering and then install Windows Intune.
If you retire a machine from Windows Intune, you should manually remove the WMI setting or set it to 0 to prevent it from being filtered by GPO.
If you want a WMI Filter that will only apply GPO to machines that actually have Windows Intune installed, or will return machines that have Windows Intune installed, you can use:
select * from Win32_product where Name="Windows Intune"
Jon L - MSFT
Thursday, February 16, 2012 6:48 PM
In other words, the WMI filter has to be manually maintained just like a security group filter. That's extremely unclear from the help page I referenced, which says "To apply a WMI filter, deploy a WMI class instance to all computers in the enterprise before you enroll any computers in the Windows Intune service. The enrollment process automatically resets the WMI instance to indicate that a computer is enrolled in the Windows Intune service and is subject to Windows Intune policy."
The bolded sentence seems to be completely wrong based on what you are telling me. Is there a way to submit feedback on the Intune help pages?
Anyway, thank you for the clarification and the constructive example about how to select from Win32_product as an alternate way to do what I am trying to achieve.
Thursday, February 16, 2012 7:41 PM Moderator
Let me confirm that is expected. I'll follow up later today.
Jon L. - MSFT
Friday, February 17, 2012 6:24 AM Moderator
I haven't forgotten about you! I'm working on getting the right information for you; I hope to have it tomorrow.
Jon L. - MSFT
Friday, February 17, 2012 2:23 PM
No problem. When I searched for previous posts about WMI deployment filtering, I found nothing. Am I the first one to attempt it? Maybe people who manage group policy don't usually overlap with the people who are deploying Intune?
In any case, I have a little time before I have to get this working. I'd prefer a detailed accurate answer even if it takes longer, so take the time you need.
FYI, when you install Intune, there are some messages in the System event log that new entries are being added to WMI in the \\root\WindowsIntune namespace. So Intune itself does use that namespace and it's plausible that it could be loading something that indicates it's installed. But the help article seems to be not quite right.
Friday, February 17, 2012 6:19 PM Moderator
Yes, some of the agents use that namespace to store information (confirmed on my test machine), but not for storing whether or not Windows Intune is installed.
The documentation needs a tweak to better reflect the information it's trying to convey, which is that an admin can deploy the WIT.MOF to manually filter machines that are getting Windows Intune so your GPOs don't apply to them. I've confirmed that with our engineers and we're working on updating that in a future release of the documentation.
I'm not sure you are the first person to use WMI Deployment filtering, but you are the first person to ask the question here. We really appreciate your feedback.
Jon L. - MSFT
Sunday, September 16, 2012 10:51 PM
This answer has performance issues. Querying Win32_Product causes MSI to re-check every product installation (or something), eating 100% of a core for quite a while. Calling it frequently causes the computer to become non-responsive. Any alternatives?
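Added example (not part of the thread and not Microsoft's script): because the WindowsIntunePolicyEnabled flag from wti.mof is maintained by hand, a per-machine script can compare it with whether Windows Intune is actually present, reading the Uninstall registry keys rather than enumerating Win32_Product. It assumes the product's DisplayName is "Windows Intune" (the Name used in the query above) and that the flag should track installation; the function names are hypothetical.

```powershell
# Added example, not from the thread. Run elevated on the PC being checked.
# Assumes wti.mof is already compiled, so root\WindowsIntune holds a
# WindowsIntune_ManagedNode instance with WindowsIntunePolicyEnabled.

$ProductName = 'Windows Intune'   # assumed DisplayName; same string as the Win32_Product query

function Test-IntuneInstalled {
    # Reads the Uninstall registry keys (64- and 32-bit views) instead of
    # enumerating Win32_Product.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -eq $ProductName }
    return [bool]$hit
}

function Sync-IntuneGpoFlag {
    param([switch]$Fix)   # without -Fix the function only reports drift

    $node = Get-WmiObject -Namespace 'root\WindowsIntune' `
                -Class 'WindowsIntune_ManagedNode' -ErrorAction Stop |
            Select-Object -First 1
    if (-not $node) { throw 'No WindowsIntune_ManagedNode instance; compile wti.mof first.' }

    $installed = Test-IntuneInstalled
    $flag      = [int]$node.WindowsIntunePolicyEnabled
    $wanted    = [int]$installed   # assumption: flag should be 1 exactly when Intune is installed

    if ($Fix -and $flag -ne $wanted) {
        $node.WindowsIntunePolicyEnabled = $wanted
        $null = $node.Put()        # writes the changed instance back to the repository
        $flag = $wanted
    }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        IntuneInstalled = $installed
        PolicyFlag      = $flag
        InSync          = ($flag -eq $wanted)
    }
}

Sync-IntuneGpoFlag          # report only; add -Fix to correct the flag
```

Run as a startup script or scheduled task, this keeps the GPO WMI filter keyed on the flag, so the filter itself never has to query Win32_Product.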