Use Group Policy analytics to migrate Microsoft 365 Apps Security Baseline to the cloud

Introduction

A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.

Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.

This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.

Read more…

Escrow BitLocker recovery keys to Azure AD during Feature Update to Windows 11

Introduction

As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.

In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.

For your convenience, find links to my previous Windows 11 posts here:

Read more…

Customize your Windows 11 taskbar during OSD with ConfigMgr using just PowerShell

Introduction

A short and sweet blog post to re-kickstart my blogging activities, after a long period focusing on cybersecurity and the increased cybersecurity threat towards organizations. For same reasons, my Windows 11 project has temporarily been on pause.

However, now I’m back working on Windows 11, showing how you can customize the taskbar during OSD (Operating System Deployment) with Configuration Manager using just PowerShell (and no source files).

And yes, we are still leveraging Configuration Manager for regular OSD. This still makes the most sense for our type of business. 🙂

Read more…

Monitor your Windows 11 Feature Updates with Custom Action Scripts and notifications sent to Microsoft Teams

Introduction

I’m kind of continuing on last weeks topic, where I wrote about leveraging SetupConfig.ini and SetupComplete.cmd to carry out custom tasks during a Windows 11 Feature Update. 

Today I want to demonstrate, how you can leverage the same custom action scripts, to send notifications to a Microsoft Teams channel upon success or failure, when upgrading to Windows 11 using a Feature Update.

I’m still preparing Windows 11 for broad deployment and I will post my exact process once it’s ready. For now I’m just giving you tiny tidbits along the way. 🙂

Read more…

Remove built-in Teams app and Chat Icon in Windows 11 during a Feature Update via SetupConfig.ini and SetupComplete.cmd

Introduction

This topic in particular, has been very popular since the release of Windows 11 back in October last year.

At this point, there’s at least a dozen posts out there, on how to remove either the built-in Teams app or the Chat Icon from the task bar on devices running Windows 11 already.

I’m in the middle of preparing Windows 11 for broad deployment myself, and this is how I make sure the built-in Teams app and Chat Icon is removed before the user logs on to Windows 11 for the first time. In this scenario, after completing the Feature Update coming from Windows 10.

Read more…

Deploy your Always On VPN Profile for Windows 11 using Proactive Remediations in Microsoft Intune

Introduction

Why would you do this, when there’s a built-in option to do so, you may ask?

Well, I needed an alternative, as I kept getting some weird errors when using the built-in configuration profile in Intune. The errors only happens for me on Windows 11, so while I’m investigating these, I wanted to have an alternative in order for us to move on with our Windows 11 process.

  • EDIT: I was just made aware in the comment section, that there’s a known issue around this. Granted, this post can obviously serve as a workaround (or permanent solution moving forward) 🙂

Also, there’s still no option to lock the VPN strategy to SSTP-only in the native configuration profile in Intune. For that I used to run another weekly PowerShell script, resetting the strategy from IKEv2 to SSTP-only. Using a solution like this, also removes that requirement.

Read more…

I updated Configuration Manager in production to version 2111 last night

Introduction

Granted, I don’t manage a humongous Configuration Manager environment. I barely manage a thousand devices. Nevertheless, ConfigMgr is ideally and supposed to be kept up to date, at least within a supported range of version. I’m obviously always keen on keeping it up there on the latest and greatest.

  • This environment is originally stemming from a SCCM 2012 installation and has made it all the way into 2022 🙂

ConfigMgr 2111 released back primo December 2021 and is now generally available as an in-console update.

It’s been a while since last time I walked through the steps I usually take. This time however, I’m doing so AFTER completing the upgrade. I usually write the post, as I move on with the upgrade itself. This time it’s more like a ‘notes from the field’-approach.

Read more…

Use custom compliance settings in Microsoft Intune to require Windows Hello enrollment

Introduction

Custom compliance settings in Intune, is a relatively new feature and is still in preview. However, the potential in this feature is enormous, and extends the possibilities for compliance policies almost endlessly.

A similar feature released to ConfigMgr 2 years ago, and is something I also blogged about here:

To demonstrate how awesome this really is, I will give you something I intend to use in production once the feature goes GA.

The use case here, is to ultimately use this in combination with Conditional Access. We don’t force the Windows Hello for Business enrollment via the built-in and full-screen wizard. We believe that’s too intrusive. Instead we send out Toast Notifications to those users/devices, where WHfB is still not in use.

Read more…

Digitally signing my Toast Notification Script to use with ConfigMgr, AppLocker and Constrained Language Mode

Introduction

My Toast Notification Script unfortunately only works in PowerShell Full Language Mode (for the time being. I have plans to look into this).

This requirement does not work well with AppLocker and having Constrained Language Mode enabled. My solution to this, is to digitally sign the New-ToastNotification.ps1 file. While working my way through the process myself, I realized that a few changes to the Toast Notification Script itself was needed.

The changes made to this “edition” of the script, are only targeted  Configuration Manager. I’m not sure that moving between PowerShell Language Modes coming from Proactive Remediations in Intune, is something that’s possible (if anyone knows this, please let me know).

Additionally to the changes needed, I thought the process itself would make a decent and useful blog post. So here goes. 🙂

Read more…

Set primary and secondary DNS server addresses using ConfigMgr and PowerShell

Introduction

Just a very quick nugget, finishing up this year of IT.

We needed to change the configured DNS server addresses, on a good bunch of (non-domain joined) servers before heading into 2022. Per usual, I don’t like to do stuff manually, so I took the opportunity to write up a PowerShell script in order to assist us.

I figured this is something anybody might find useful, so I wanted to share the script I ended up creating.

For your convenience, I’m also illustrating how this can be used in combination with ConfigMgr, as this obviously was a requirement for automation purposes.

Happy New Year! 🙂

Read more…