A first look into the new Antivirus Endpoint security policy experience in Microsoft Endpoint Manager

Introduction

Good news everyone!

Last week, a new Endpoint security policy experience in Microsoft Endpoint Manager was released. Among the new policies, you will find a brand new way of managing your Microsoft Defender Antivirus. This new policy type, offers the long-sought for tri-state configurations consisting of No, Yes and Not-configured, which simplifies things greatly.

I do think these new policies will make management a lot easier. Once all of your configurations eventually has transitioned away from regular device configuration profiles, the general view of security measures taken on your devices within Microsoft Intune, will improve by a lot.

This is not a typical A-Z guide, but rather my first and brief look into the new options. All of this of course, based on my own production environment. Curious? Read on. 🙂

Read more…

Windows 10 Toast Notification Script Update: Run ConfigMgr applications directly from the action button

Introduction

Another update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.6.

The feedback and questions related to the Windows 10 Toast Notification Script keeps coming and that’s amazing!

In my last post and update of the script, I added the option to natively and with help of a custom protocol in Windows, to run task sequences directly from the action button.

Since then, I was asked if the script is able to launch application directly from the action button as well, and sure thing. I just added that capability to the script and the details are explained below.

Read more…

My Always On VPN configuration with Microsoft Intune and Configuration Manager explained

Introduction

This is another post, I have wanted to do for some time now. Always On VPN is not something new, but many organizations are moving away from Direct Access, and Always On VPN seems to be the preferred and logical choice for many – including ours.

Also, I don’t think that the current outbreak of COVID-19 has missed anyone’s attention, which is why working from home and remote via VPN has become highly relevant these days.

This post will not go into details on the infrastructure required in order to setup Always On VPN (Remote Access Server, Network Policy Server, PKI etc.), but rather explain the configurations made on the client with Microsoft Intune and Configuration Manager. I will also elaborate on my experiences, again from the perspective of a production environment.

Finally, a big shout out to Michael Mardahl for always being a tremendous help. Go follow this dude. He’s amazing at what he does. 🙂

Read more…

Securing your endpoints with Microsoft Intune, part 1: Exploit Guard Controlled Folder Access

Introduction

This is the first and initial blog post of an upcoming series, all concerning how one can secure their endpoints using Microsoft Intune.

The posts are meant to serve as titbits, quickly giving the reader an understanding of a specific feature.

The posts are not released in any particular order, and the topics discussed are based on what I’m currently looking into, in my own environment.

Therefore and as usual, this is not a typical and standard walk through, but more a look into how I’m initially taking on the discussed topic. Curios? Read on! 🙂

Read more…

Troubleshooting Configuration Manager: Parsing client logs using Powershell and Configuration Items

Introduction

This particular post and topic, originates from me troubleshooting the Office 365 updating issue, where updating Office 365 through Configuration Manager failed and generated error 80070057.

The issue got some attention on both on reddit as well as on Twitter, as the issue on the affected devices, was breaking the ability to apply subsequent Office 365 updates.

The updates which introduced the said issue was quickly pulled, but some devices obviously managed to install the updates anyway.

So how do we fix that and how do we know which devices that are affected? This specific issue produced a specific error in some of the ConfigMgr Client Side Logs, so I came up with a solution involving Powershell and a Configuration Item.

Read more…

Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot, Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as I was seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. 🙂

Read more…

Back to basics: Deploying applications with Custom Global Conditions in Configuration Manager

Introduction

This past week I went back to basics with Configuration Manager, as I was working with some applications where I needed the deployments to behave differently based on various factors.

Some may resort to creating individual applications or even packages for each specific need, but there are more clever ways of doing it.

For instance, in this specific case, I had different sets of binaries to be used, varying based on the architecture of Office 365 ProPlus installed. I also wanted something different to happen, whether the installation was happening with a task sequence or not.

So again, this is something a single Application in combination with the proper Global Conditions can cater for. No need to create several Applications or Packages. Curious? Continue reading 🙂

Read more…

Windows as a Service: Detecting AlwaysOn VPN and LTE connectivity with Powershell and Powershell App Deployment Toolkit

Introduction

This post is long overdue and something I originally considered doing when I explained my Windows as a Service process.

The story is, that I allow In-Place Upgrades with Configuration Manager to happen over the Internet and over VPN. While I do allow upgrades over VPN, I still prefer them happening on local network and I certainly doesn’t want them to happen over LTE.

I use Powershell App Deployment Toolkit to initiate the Windows 10 In-Place Upgrade Task Sequence, and I wanted to add more user-friendliness to the experience, by notifying the end-user about possible VPN and LTE connections.

Note #1: LTE connectivity can be prevented altogether in the Client Settings, but I’m not doing that for various reasons. 🙂

Note #2: I do precache everything prior to making the upgrade available. Therefore download of binaries should be limited to zero, though the connection to the site server is still needed, as well as connection to the domain (depending on what you are doing throughout your task sequence).

Read more…

Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. 🙂

Read more…

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Read more…