Everything can be done automatically, as long as you configure it manually
First off, this is mostly an inspirational post and the script used here is the latest release of my Windows 10 Toast Notification Script.
Secondly, from time to time, I still see people in various forums asking how they can send popup messages to the computers in their environment using SCCM (System Center Configuration Manager).
So I figured it would make a decent and quick blog post, describing how one can do just that using my Windows 10 Toast Notification script.
Another delicious feature went GA (General Availability) this week: Security Baselines in Microsoft Intune.
The Security Baselines in Intune is the equivalent to what we have done with Group Policy for some years now, and is basically a set of pre-configured Windows settings, which are recommended for the enterprise by Microsoft.
This post is not a typical A-Z guide, but rather a first look into the feature and what initial experiences I had with moving from Security Baselines with Group Policy to Security Baselines with Intune in a Co-management scenario.
Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?
Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move. Exciting!
While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.
Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/
Debug/verbose logging! A topic which every ConfigMgr admin will have to get familiar with sooner or later. Lazy as one can be, I usually Google the requirements every time I need it, so I figured it was time to make something more permanent and more clever.
There are a billion blog posts on the topic already, but as far as my Google skills serves me, no one is using the run script feature and no one is providing complete scripts for the purpose. So this is me doing that. A complete solution for your copy/paste pleasure 🙂
This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.
This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.
In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.
If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂
Short and sweet. My Windows 10 Toast Notification Script have received a minor update. Now being at version 1.2. The changes mentioned in details below.
This is not exactly an A-Z guide on the topic, but rather a story of my experiences with upgrading Windows 10 over the Internet with In-Place Upgrade (IPU) Task Sequence using ConfigMgr and how it works in my environment.
I’m using a Cloud Management Gateway (CMG) with enhanced HTTP as well as initially being connected to the on-premises infrastructure with Always On VPN. The VPN in this scenario is a user-initiated tunnel and thus obviously disconnects once the upgrade restarts the computer. It’s not completely without challenges and I will try to cover those during this post.
Curious? Read on 🙂
Oh yeah, seeing I now allow IPU to happen over the Internet, I also created something in Powershell App Deployment Toolkit which extraordinarily warns the user if the upgrade is being initiated from outside the office network. A preview of that in the end of the post 🙂
When installing Office 365 ProPlus today, the recommended and default architecture is 64-bit. It has been so for some time, but it’s not until lately (at time of writing) that the Office Deployment Tool (in short ODT), is able to migrate from 32-bit to 64-bit in a single operation.
I have tested the migration, both using Microsoft Intune and System Center Configuration Manager and the outcome is what made this blog post.
Note: Migrating Office 365 ProPlus like this, from 32-bit to 64-bit in production, probably has more to it in terms of considering third party add-ins. You will have to test and make sure those add-ins are compatible with the relevant 64-bit Office application. I expect there will be some migration paths for those as well, where you will need to remove the 32-bit add-in prior to migrating Office 365 ProPlus to 64-bit.
Similar to when Windows 10 v1809 was released back in October 2018 and RSAT debuted as “Features on Demand”, the way of installing RSAT continues with the v1903 release.
Back then I did a Powershell script which is able to install and uninstall the RSAT features. I have now rewritten the script to also include Windows 10 v1903.
Find my 1809 post here: https://www.imab.dk/deploy-rsat-remote-server-administration-tools-for-windows-10-v1809-using-sccm-system-center-configuration-manager/
First off, bear with me here during the intro. I know introductions usually are boring, but I do have a few words to share with you first.
The following is by no means any substitution for any other Modern Driver Management solution out there. This is purely me exploring, learning and sharing that experience with anyone who’s interested. When I find something useful, I usually try to do my own thing for various reasons, but mainly to learn and also for being less dependent on others work and future maintenance plans.
Now, this post is primarily about a Powershell script and how that Powershell script is designed to run on a given device and export the device drivers into your ConfigMgr source file library or locally. In the process, the script is able to create a regular package in ConfigMgr containing those drivers. The post is also about how to use the regular packages for applying drivers, but the script is what took the most of my time 🙂
The idea here is, that you fire up a given device with a given version of Windows (preferably Windows 10) and install ALL the drivers (preferably the latest drivers) and verify that everything works in that combination of Windows, drivers and hardware model.
Note: Most vendors provide a tool which checks online for latest drivers and gives you option to install those. This is pretty handy when building new drivers for a given computer model.
Now knowing that everything works, this is the drivers you want to apply to future deployments of this computer model, so you run the script and everything is automatically exported and a package in ConfigMgr is created.
In lack of a better name, this is what I call ‘Almost Modern Driver Management‘. 😀
PS. If you’re looking for a truly nifty and ‘modern’ approach, I suggest you head over to SCConfigMgr.com and take a peek at their solutions for both BIOS and drivers.
