Manage Windows Defender Firewall settings with Endpoint security: Move from Group Policy to Microsoft Intune

Introduction

More relevant than ever. Denmark is well into their second COVID-lockdown, and working from home and remote is yet again mandatory for many.

Speaking of remote work, moving workloads off of your on-premises Active Directory, and therefore being less dependent on your VPN, should be something to prioritize.

  • Obviously assuming on-premises AD as well as VPN requirement in this scenario, as this is still the reality for many

Managing your Windows Defender Firewall settings from the cloud is not only convenient, but I’d argue also something that will increase your security posture. I’ll try to elaborate along the lines.

Read more…

New Security Baseline version November 2021 for Windows 10/11 in Microsoft Endpoint Manager

Introduction

Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.

Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.

So lets take a quick peek at the process I went through, in order to update my Security Baseline.

Read more…

Configure Microsoft Teams application settings using PowerShell and Proactive Remediations in Microsoft Endpoint Manager

Introduction

Almost a year ago, I wrote a blog post on how to configure Microsoft Teams application settings using Configuration Manager and Powershell. For good measures, find this post in the link below:

Not too long ago, I started getting some reports on, that Teams is no longer picking up the changes made to the config.json and that Teams is hanging at the loading screen. I initially tried to reproduce, but was unable to.

I decided to invest some more time into the issue, and ended up being able to reproduce and find the cause. In the process of troubleshooting, I decided to try and move this into Proactive Remediations in Microsoft Endpoint Manager as well. The result made up this blog post.

Below a quick illustration of running the solution manually. The detection script detects that Microsoft Teams needs its settings configured, and the configure script carries out the configuration.

Read more…

Notify users when their device is running low on disk space using Toast Notifications and Endpoint Analytics Proactive Remediations

Introduction

This is a follow up, on the post I did a few weeks ago, on notifying users with devices being low on disk space, using Toast Notifications and Configuration Manager

This time, I’m moving all of it, into the Endpoint Analytics Proactive Remediations feature of Microsoft Endpoint Manager Intune. This will actually simplify things a lot, as it removes the need for custom collections, Configuration Items and Baselines.

Read more…

Move away from Group Policy and set wallpaper and lock screen images with local source files and Microsoft Endpoint Manager Intune

Introduction

This is something I currently just have done myself, in our own environment, and while it’s neither super technical nor advanced, then I figured it deserved some attention regardless.

I assume most hybrid (co-managed) environments still look towards Group Policy when doing this, because it’s easy and what we’ve always been doing. I’m regularly asked to change our desktop wallpaper and lock screen images, and when things needs to be done in a hurry, you usually stick to the easy solution.

This time though, I was stubborn and insisted on moving away from Group Policy and do it with Intune. The process made up this short blog post. πŸ™‚

Read more…

Windows as a Service: Sharing my PreCache and In-Place Upgrade Task Sequences – 20H2 edition, part 1

Introduction

Yes! It’s true. I’m still leveraging Task Sequences and Configuration Manager to upgrade Windows 10.

I’m also Co-managing my devices and deploy regular updates via Windows Update for Business. Just not feature updates. I fancy the full-control approach, taking the opportunity to update BIOS and drivers while at it. Everything works directly over the Internet via the Cloud Management Gateway. No hard requirements in being on-premises or on VPN.

I have previously shared my precache and in-place upgrade task sequences. A lot have happened since then, and I wanted to take the opportunity to share my updated approach in details.

I’m covering each and every step, just like I did in my previous blog posts. Some steps are exactly the same, but in order to fully supersede the old posts, I’m covering everything in details here.

Now, I can’t go over explaining my WaaS process without mentioning THE OSD experts Gary Blok,Β Mike Terrill. They are tirelessly sharing their approach as well. If you are looking for a WaaS solution on steroids, I suggest you head over to garytown.com and miketerrill.net for inspiration.

If you are looking for something less advanced, then you are at the right place. With that being said, some of the stuff I do, is done with inspiration from what Gary is sharing at garytown.com – just without the steroids. πŸ˜›

And yes! The task sequence will be available for download in the very end of the post!

Let’s get to it. πŸ™‚

Part 2: Windows as a Service: Sharing my PreCache and In-Place Upgrade Task Sequences – 20H2 edition, part 2

Read more…

My Always On VPN configuration with Microsoft Intune and Configuration Manager explained

Introduction

This is another post, I have wanted to do for some time now. Always On VPN is not something new, but many organizations are moving away from Direct Access, and Always On VPN seems to be the preferred and logical choice for many – including ours.

Also, I don’t think that the current outbreak of COVID-19 has missed anyone’s attention, which is why working from home and remote via VPN has become highly relevant these days.

This post will not go into details on the infrastructure required in order to setup Always On VPN (Remote Access Server, Network Policy Server, PKI etc.), but rather explain the configurations made on the client with Microsoft Intune and Configuration Manager. I will also elaborate on my experiences, again from the perspective of a production environment.

Finally, a big shout out to Michael Mardahl for always being a tremendous help. Go follow this dude. He’s amazing at what he does. πŸ™‚

Read more…

Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot,Β Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as I was seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. πŸ™‚

Read more…

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Read more…

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Read more…