A brief first look on Microsoft Defender ATP Tamper Protection

Introduction

Late last night my time, Tamper Protection in the Microsoft Defender stack went Generally Available.

In short and as the name implies, this is a feature which essentially locks Microsoft Defender and prevents your security settings from being tampered with, including changes made by an administrator.

From a security perspective, this is a great and welcomed addition – let’s take a closer look. 🙂

PS. I did find some oddities in some of the behavior when trying to disable Microsoft Defender through Group Policy. More on that in the end of the post.

Read more…

Remind users to enroll into Windows Hello for Business using Toast Notifications and SCCM

Introduction

I recently did a tweet about doing a toast notification to lure end-users into enrolling their device with Windows Hello for Business voluntarily.

Prior to doing the tweet, I found my self wrestling with Powershell and a way to locate devices not enrolled into WHfB yet. Seeing I only wanted to nag people not enrolled yet, this was a requirement for the entire process.

So this post is a little something on both the actual toast notification, but also on how I ended up locating devices not enrolled into WHfB yet using a Compliance Baseline in ConfigMgr.

Read more…

Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. 🙂

Read more…

Configure OneDrive Known Folder Move with Administrative Templates in Microsoft Intune

Introduction

Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?

Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move. Exciting!

While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.

Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/

Read more…

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Read more…

Connect to Exchange Online with Powershell, Modern Authentication and Conditional Access

Introduction

This is not one of the usual topics I blog about, but nonetheless it’s quite relevant. If you leverage Conditional Access to protect your corporate resources, good chances are that you are blocking legacy authentication (or at least that is something you should consider doing).

If you also fancy connecting to Exchange Online using Powershell for automation reasons, another good chance is that this is done with basic/legacy authentication. This is obviously a conflict with my first statement, so I figured it would make a good blog post to describe how to connect to Exchange Online automated with Modern Authentication while being protected by Conditional Access.

Read more…

Connect to Microsoft Graph for Intune with Powershell ISE Add-ons

Introduction

If you are working with Microsoft Intune on a daily basis, chances are that you are familiar with the awesome Powershell Intune Graph script samples over at GitHub: https://github.com/microsoftgraph/powershell-intune-samples.

I have previously blogged specifically about putting 2 of the scripts to use here:

If you are less familiar with Powershell, the script samples might seem a bit intimidating and difficult for some to put to use. The new Microsoft.Graph.Intune PowerShell Module to the rescue!

Now, this post is not about using the actual module, but how you with a single click can connect to the Graph API and gain access to all the available cmdlets in a very easy and sufficient way.

Read more…

Install Google Chrome Extensions using Microsoft Intune in 3 different ways (Powershell, ADMX ingestion and MSI)

Introduction

I have previously covered the approach on how to install Google Chrome extensions using System Center Configuration Manager. Find my post here: https://www.imab.dk/forcefully-deploy-the-windows-defender-google-chrome-extension-using-configuration-manager/

Then it came to my attention that Microsoft released another and new extension for Chrome last week. It’s called Microsoft Web Activities. This made me go through the approach again, and figured I wanted to cover the methods on how to install Google Chrome Extensions using Microsoft Intune.

Read more…

PXE boot your way into Windows AutoPilot and Windows 10 Shared PC

Introduction

This is a continuation of my previous post on Windows AutoPilot for existing devices. This time covering a similar scenario, where I’m PXE booting an existing device (known or unknown to ConfigMgr) into a Windows 10 Shared PC with Windows AutoPilot and Microsoft Intune

Now, the scenario might have many similarities compared to last week, but nevertheless there’s a real purpose with the crazyness. This is about getting started with Windows AutoPilot and giving you inspiration on how to do that. In my environment, it’s a whole lot easier to make the switch into AutoPilot for non-user devices (I bet I’m not alone on this one). That be devices which are shared between users in public spaces and kiosk devices in particular.

Also, devices in this category are quite often not brand new and might even be old repurposed user-devices (hence we cannot ask our reseller to add them into AutoPilot prior to delivery and thus we have to do it ourselves) 🙂

A peek into the AutoPilot Deployment Profiles in my environment

Read more…

Install RSAT (Remote Server Administration Tools) for Windows 10 v1809 using Microsoft Intune

Introduction

I don’t know if this will have many uses, but I did a similar post on how to deploy RSAT for Windows 10 v1809 using SCCM (System Center Configuration Manager) back in October when 1809 was initially released. As most people know by now, RSAT is no longer a separate downloadable add on to Windows, but something which is included as “Features on Demand” in the OS itself.

For your convenience, find my previous post here: https://www.imab.dk/deploy-rsat-remote-server-administration-tools-for-windows-10-v1809-using-sccm-system-center-configuration-manager/)

What if you don’t have SCCM and instead are fancying Microsoft Intune for software deployments? You might even run SCCM and Microsoft Intune Co-Management and like to do stuff differently and experimenting like I do? Then this post will be for you 🙂

Company Portal displaying my RSAT 1809 Win32 app (Sorry for the obscure language (Danish). Company portal insists on being in Danish on my computer)

Read more…