Configure Microsoft Teams application settings using PowerShell and Proactive Remediations in Microsoft Endpoint Manager

Introduction

Almost a year ago, I wrote a blog post on how to configure Microsoft Teams application settings using Configuration Manager and Powershell. For good measures, find this post in the link below:

Not too long ago, I started getting some reports on, that Teams is no longer picking up the changes made to the config.json and that Teams is hanging at the loading screen. I initially tried to reproduce, but was unable to.

I decided to invest some more time into the issue, and ended up being able to reproduce and find the cause. In the process of troubleshooting, I decided to try and move this into Proactive Remediations in Microsoft Endpoint Manager as well. The result made up this blog post.

Below a quick illustration of running the solution manually. The detection script detects that Microsoft Teams needs its settings configured, and the configure script carries out the configuration.

Read more…

Notify users when their device is running low on disk space using Toast Notifications and Endpoint Analytics Proactive Remediations

Introduction

This is a follow up, on the post I did a few weeks ago, on notifying users with devices being low on disk space, using Toast Notifications and Configuration Manager

This time, I’m moving all of it, into the Endpoint Analytics Proactive Remediations feature of Microsoft Endpoint Manager Intune. This will actually simplify things a lot, as it removes the need for custom collections, Configuration Items and Baselines.

Read more…

Move away from Group Policy and set wallpaper and lock screen images with local source files and Microsoft Endpoint Manager Intune

Introduction

This is something I currently just have done myself, in our own environment, and while it’s neither super technical nor advanced, then I figured it deserved some attention regardless.

I assume most hybrid (co-managed) environments still look towards Group Policy when doing this, because it’s easy and what we’ve always been doing. I’m regularly asked to change our desktop wallpaper and lock screen images, and when things needs to be done in a hurry, you usually stick to the easy solution.

This time though, I was stubborn and insisted on moving away from Group Policy and do it with Intune. The process made up this short blog post. πŸ™‚

Read more…

Windows as a Service: Sharing my PreCache and In-Place Upgrade Task Sequences – 20H2 edition, part 1

Introduction

Yes! It’s true. I’m still leveraging Task Sequences and Configuration Manager to upgrade Windows 10.

I’m also Co-managing my devices and deploy regular updates via Windows Update for Business. Just not feature updates. I fancy the full-control approach, taking the opportunity to update BIOS and drivers while at it. Everything works directly over the Internet via the Cloud Management Gateway. No hard requirements in being on-premises or on VPN.

I have previously shared my precache and in-place upgrade task sequences. A lot have happened since then, and I wanted to take the opportunity to share my updated approach in details.

I’m covering each and every step, just like I did in my previous blog posts. Some steps are exactly the same, but in order to fully supersede the old posts, I’m covering everything in details here.

Now, I can’t go over explaining my WaaS process without mentioning THE OSD experts Gary Blok,Β Mike Terrill. They are tirelessly sharing their approach as well. If you are looking for a WaaS solution on steroids, I suggest you head over to garytown.com and miketerrill.net for inspiration.

If you are looking for something less advanced, then you are at the right place. With that being said, some of the stuff I do, is done with inspiration from what Gary is sharing at garytown.com – just without the steroids. πŸ˜›

And yes! The task sequence will be available for download in the very end of the post!

Let’s get to it. πŸ™‚

Part 2: Windows as a Service: Sharing my PreCache and In-Place Upgrade Task Sequences – 20H2 edition, part 2

Read more…

My Always On VPN configuration with Microsoft Intune and Configuration Manager explained

Introduction

This is another post, I have wanted to do for some time now. Always On VPN is not something new, but many organizations are moving away from Direct Access, and Always On VPN seems to be the preferred and logical choice for many – including ours.

Also, I don’t think that the current outbreak of COVID-19 has missed anyone’s attention, which is why working from home and remote via VPN has become highly relevant these days.

This post will not go into details on the infrastructure required in order to setup Always On VPN (Remote Access Server, Network Policy Server, PKI etc.), but rather explain the configurations made on the client with Microsoft Intune and Configuration Manager. I will also elaborate on my experiences, again from the perspective of a production environment.

Finally, a big shout out to Michael Mardahl for always being a tremendous help. Go follow this dude. He’s amazing at what he does. πŸ™‚

Read more…

Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot,Β Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as I was seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. πŸ™‚

Read more…

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Read more…

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Read more…

Co-management with ConfigMgr and Intune and a little something about Microsoft Defender antimalware policies

Introduction

Originally when the Endpoint Protection workload for co-management was introduced with Configuration Manager 1802, this was done without antimalware policies.

That essentially meant that antimalware policies was still being managed solely by Configuration Manager, while a feature like Exploit Guard was managed by Intune.

Now, this has since changed (at the time of writing, I’m not sure when they snug in the addition, but that’s not related to the post anyway) and the workload now includes antimalware policies enabling us to manage all aspects of Microsoft Defender with Microsoft Intune.

So what does that mean, and are there anything specifically you need to be aware of? I believe there is. πŸ™‚

Read more…

Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. πŸ™‚

Read more…