Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager (Hybrid AAD Join and other configs explained)

February 19, 2020February 18, 2020 by Martin Bengtsson

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot, Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as I was seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. 🙂

Back to basics: Deploying applications with Custom Global Conditions in Configuration Manager

February 16, 2020February 16, 2020 by Martin Bengtsson

Introduction

This past week I went back to basics with Configuration Manager, as I was working with some applications where I needed the deployments to behave differently based on various factors.

Some may resort to creating individual applications or even packages for each specific need, but there are more clever ways of doing it.

For instance, in this specific case, I had different sets of binaries to be used, varying based on the architecture of Office 365 ProPlus installed. I also wanted something different to happen, whether the installation was happening with a task sequence or not.

So again, this is something a single Application in combination with the proper Global Conditions can cater for. No need to create several Applications or Packages. Curious? Continue reading 🙂

Windows as a Service: Detecting AlwaysOn VPN and LTE connectivity with Powershell and Powershell App Deployment Toolkit

February 15, 2020February 12, 2020 by Martin Bengtsson

Introduction

This post is long overdue and something I originally considered doing when I explained my Windows as a Service process.

The story is, that I allow In-Place Upgrades with Configuration Manager to happen over the Internet and over VPN. While I do allow upgrades over VPN, I still prefer them happening on local network and I certainly doesn’t want them to happen over LTE.

I use Powershell App Deployment Toolkit to initiate the Windows 10 In-Place Upgrade Task Sequence, and I wanted to add more user-friendliness to the experience, by notifying the end-user about possible VPN and LTE connections.

Note #1: LTE connectivity can be prevented altogether in the Client Settings, but I’m not doing that for various reasons. 🙂

Note #2: I do precache everything prior to making the upgrade available. Therefore download of binaries should be limited to zero, though the connection to the site server is still needed, as well as connection to the domain (depending on what you are doing throughout your task sequence).

More WaaS posts: https://www.imab.dk/windows-as-a-service/

Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

February 8, 2020February 5, 2020 by Martin Bengtsson

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. 🙂

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

February 17, 2020January 24, 2020 by Martin Bengtsson

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

January 4, 2020January 3, 2020 by Martin Bengtsson

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Updating MEMCM (Microsoft Endpoint Manager Configuration Manager) to version 1910 on Christmas Eve

December 25, 2019December 24, 2019 by Martin Bengtsson

Introduction

Configuration Manager 1910 went globally available this friday, december 20, so I wanted to stay true to tradition and walk through the upgrade process based on my own environment.

This is usually something I do the very moment it’s possible to opt-in using the early update ring, but this time around the hours usually spent on blogging, are spent on my new born (9 weeks today). 🙂

As usual, this is based on a production environment. This might seem ballsy to do during the holiday season, but I’m confident I will be fine. Also, backup ftw, right? 😀 (NOTE: This particular environment have survived upgrades since SCCM 2012 without ever breaking)

Windows 10 Toast Notification Script Update: Retrieve task sequence deadline dynamically from WMI

December 25, 2019December 17, 2019 by Martin Bengtsson

Introduction

Another neat update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.4.4.

The new version brings a new deadline option, that when enabled, will look in WMI for the specified task sequence package id, and retrieve the deadline of the required deployment dynamically.

This time a thank you goes out to @kevmjohnston for contributing with idea and bits of code. 🙂

What’s new and delicious are mentioned in details below.

Find the original page for the Windows 10 Toast Notification Script here: https://www.imab.dk/windows-10-toast-notification-script/

Script Update: Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune Powershell SDK

December 16, 2019December 16, 2019 by Martin Bengtsson

Introduction

If you already use or intend to use my script, which reminds users to update iOS with e-mails and custom notification, you will want to use the updated script. 🙂

I obviously put the script to use in production, and quickly realized that the script also picks up obsolete devices. This is not ideal, as you might end up in a situation where a user is reminded by e-mail, to update a device which is obsolete and no longer in use.

So the script has been updated to cater for this situation, and now only picks up devices which has been syncing with Microsoft Intune within the last 2 days.

My original and still valid post on how to use the script here: https://www.imab.dk/automatically-remind-users-to-update-ios-with-e-mails-and-custom-notifications-using-microsoft-intune-powershell-sdk/

Automatically remind users to update iOS with e-mails and custom notifications using Microsoft Intune Powershell SDK

December 16, 2019December 1, 2019 by Martin Bengtsson

Introduction

**Minor update**: https://www.imab.dk/script-update-automatically-remind-users-to-update-ios-with-e-mails-and-custom-notifications-using-microsoft-intune-powershell-sdk/

Long title! It could have been even longer, but I struggled to squeeze in that the e-mail also is sent over Office 365 and the entire deliciousness is running on a schedule with Azure Automation. 🙂

The story here is, that iOS is getting updates quite frequently, and a lot of enterprises (including myself), are managing those iOS devices as private BYOD devices enrolled through the Company Portal. As of such, keeping the devices up to date is the end-user’s responsibility and something that’s often forgotten and neglected.

So what if we could send those devices and users a kind reminder automatically, both as a custom notification directly on the device, but also as an e-mail? Microsoft Intune Powershell SDK to the rescue!