Configure and use Lenovo BIOS supervisor password during OSD using PowerShell and Configuration Manager


Following up on my previous post, continuing on the Lenovo BIOS password topic. This time I’m illustrating, how you initially can set the supervisor password during the deployment of the operating system.

Last time I mentioned, how this cannot be done remotely for security reasons. However, there are an option to allow this during OSD (Operating System Deployment), called System Deployment Boot Mode. If taking advantage of this, you’re allowed to set the supervisor password programmatically in WinPE.

I’m using PowerShell to do so, and this post will walk you through the necessities.

Read more…

Customize your Windows 11 taskbar during OSD with ConfigMgr using just PowerShell


A short and sweet blog post to re-kickstart my blogging activities, after a long period focusing on cybersecurity and the increased cybersecurity threat towards organizations. For same reasons, my Windows 11 project has temporarily been on pause.

However, now I’m back working on Windows 11, showing how you can customize the taskbar during OSD (Operating System Deployment) with Configuration Manager using just PowerShell (and no source files).

And yes, we are still leveraging Configuration Manager for regular OSD. This still makes the most sense for our type of business. 🙂

Read more…

Remove built-in Teams app and Chat Icon in Windows 11 during a Feature Update via SetupConfig.ini and SetupComplete.cmd


This topic in particular, has been very popular since the release of Windows 11 back in October last year.

At this point, there’s at least a dozen posts out there, on how to remove either the built-in Teams app or the Chat Icon from the task bar on devices running Windows 11 already.

I’m in the middle of preparing Windows 11 for broad deployment myself, and this is how I make sure the built-in Teams app and Chat Icon is removed before the user logs on to Windows 11 for the first time. In this scenario, after completing the Feature Update coming from Windows 10.

Read more…

I updated Configuration Manager in production to version 2111 last night


Granted, I don’t manage a humongous Configuration Manager environment. I barely manage a thousand devices. Nevertheless, ConfigMgr is ideally and supposed to be kept up to date, at least within a supported range of version. I’m obviously always keen on keeping it up there on the latest and greatest.

  • This environment is originally stemming from a SCCM 2012 installation and has made it all the way into 2022 🙂

ConfigMgr 2111 released back primo December 2021 and is now generally available as an in-console update.

It’s been a while since last time I walked through the steps I usually take. This time however, I’m doing so AFTER completing the upgrade. I usually write the post, as I move on with the upgrade itself. This time it’s more like a ‘notes from the field’-approach.

Read more…

Digitally signing my Toast Notification Script to use with ConfigMgr, AppLocker and Constrained Language Mode


My Toast Notification Script unfortunately only works in PowerShell Full Language Mode (for the time being. I have plans to look into this).

This requirement does not work well with AppLocker and having Constrained Language Mode enabled. My solution to this, is to digitally sign the New-ToastNotification.ps1 file. While working my way through the process myself, I realized that a few changes to the Toast Notification Script itself was needed.

The changes made to this “edition” of the script, are only targeted  Configuration Manager. I’m not sure that moving between PowerShell Language Modes coming from Proactive Remediations in Intune, is something that’s possible (if anyone knows this, please let me know).

Additionally to the changes needed, I thought the process itself would make a decent and useful blog post. So here goes. 🙂

Read more…

Set primary and secondary DNS server addresses using ConfigMgr and PowerShell


Just a very quick nugget, finishing up this year of IT.

We needed to change the configured DNS server addresses, on a good bunch of (non-domain joined) servers before heading into 2022. Per usual, I don’t like to do stuff manually, so I took the opportunity to write up a PowerShell script in order to assist us.

I figured this is something anybody might find useful, so I wanted to share the script I ended up creating.

For your convenience, I’m also illustrating how this can be used in combination with ConfigMgr, as this obviously was a requirement for automation purposes.

Happy New Year! 🙂

Read more…

Windows 10 Toast Notification Script Update: Custom notification app and more built-in prevention from disabling toast notifications


It’s been a while since the last update on this script. I admit that. Better late than never, I guess.

This update brings a slight improvement to the looks of the toast notifications, and (almost) definitely removes the option for the end-user to disable the notifications as well.

Also, I was wondering about naming the script differently. The script surely works with Windows 11 too, but seeing the entire toast framework was introduced with Windows 10, and Windows 11 behind the scenes is still appearing as version 10.0, I will stick with the current name.

Read more…

Enable ‘Block abuse of exploited vulnerable signed drivers’ in a jiffy using PowerShell and ConfigMgr


I find this highly relevant to share at this day. Especially in regards to yesterday’s ‘false positive’ situation, where a lot of system admins got a good scare, when Defender for Endpoint reported that “Suspicious ‘PowEmotet’ behavior was blocked’ on a high percentage of the enrolled devices.

What I really mean by this, is that when you have the option to reduce the attack surface of your environment, you should look into doing so ASAP.

Let’s say yesterdays situation was real, and you for whatever reason didn’t have behavior monitoring enabled in Microsoft Defender Antivirus. You would regret that pretty soon after being hit, when you realize that it could have been prevented.

Same goes for above. Rather look into enabling this new ASR (Attack Surface Reduction) rule today, rather than later after being compromised.

Read more…

Back to basics: Modifying registry for the CURRENT user coming from SYSTEM context


Back in the days, when I started out being a newbie in the software deployment world, I had no real grasp about the different contexts (USER vs. SYSTEM), and I found it to be a trivial task to combine the two.

Today I find it an obvious approach, and in this post, I will give a quick example of how to modify registry for the CURRENTLY logged on user, while delivering an installation in SYSTEM context.

Oftentimes the scenario is, that you need to deploy software which requires local SYSTEM permissions, and while doing so, you’d like to modify the registry for the CURRENTLY logged on user.

Read more…

Install Lenovo Drivers and BIOS directly from Lenovo’s Driver Catalog during OSD using Configuration Manager


This is something that I’ve wanted to do for a while; to always install the latest BIOS and drivers automatically during OSD.

Keeping BIOS and driver versions up to date, can be a tedious and time consuming task, and I wanted to take on a more cloud-like approach.

For that reason, I’ve spent some time on Lenovo Thin Installer as well as Lenovo System Update, but they didn’t quite live up to my expectations and need for flexibility.

Instead – and by coincident – I stumbled upon this awesome PowerShell module: jantari/LSUClient

It does exactly what Thin Installer and System Update offers, as well as giving you the flexibility of PowerShell. What’s not to like?

Read more…