Monitor your Windows 11 Feature Updates with Custom Action Scripts and notifications sent to Microsoft Teams

Introduction

I’m kind of continuing on last weeks topic, where I wrote about leveraging SetupConfig.ini and SetupComplete.cmd to carry out custom tasks during a Windows 11 Feature Update. 

Today I want to demonstrate, how you can leverage the same custom action scripts, to send notifications to a Microsoft Teams channel upon success or failure, when upgrading to Windows 11 using a Feature Update.

I’m still preparing Windows 11 for broad deployment and I will post my exact process once it’s ready. For now I’m just giving you tiny tidbits along the way. 🙂

Read more…

Remove built-in Teams app and Chat Icon in Windows 11 during a Feature Update via SetupConfig.ini and SetupComplete.cmd

Introduction

This topic in particular, has been very popular since the release of Windows 11 back in October last year.

At this point, there’s at least a dozen posts out there, on how to remove either the built-in Teams app or the Chat Icon from the task bar on devices running Windows 11 already.

I’m in the middle of preparing Windows 11 for broad deployment myself, and this is how I make sure the built-in Teams app and Chat Icon is removed before the user logs on to Windows 11 for the first time. In this scenario, after completing the Feature Update coming from Windows 10.

Read more…

Deploy your Always On VPN Profile for Windows 11 using Proactive Remediations in Microsoft Intune

Introduction

Why would you do this, when there’s a built-in option to do so, you may ask?

Well, I needed an alternative, as I kept getting some weird errors when using the built-in configuration profile in Intune. The errors only happens for me on Windows 11, so while I’m investigating these, I wanted to have an alternative in order for us to move on with our Windows 11 process.

  • EDIT: I was just made aware in the comment section, that there’s a known issue around this. Granted, this post can obviously serve as a workaround (or permanent solution moving forward) 🙂

Also, there’s still no option to lock the VPN strategy to SSTP-only in the native configuration profile in Intune. For that I used to run another weekly PowerShell script, resetting the strategy from IKEv2 to SSTP-only. Using a solution like this, also removes that requirement.

Read more…

I updated Configuration Manager in production to version 2111 last night

Introduction

Granted, I don’t manage a humongous Configuration Manager environment. I barely manage a thousand devices. Nevertheless, ConfigMgr is ideally and supposed to be kept up to date, at least within a supported range of version. I’m obviously always keen on keeping it up there on the latest and greatest.

  • This environment is originally stemming from a SCCM 2012 installation and has made it all the way into 2022 🙂

ConfigMgr 2111 released back primo December 2021 and is now generally available as an in-console update.

It’s been a while since last time I walked through the steps I usually take. This time however, I’m doing so AFTER completing the upgrade. I usually write the post, as I move on with the upgrade itself. This time it’s more like a ‘notes from the field’-approach.

Read more…

Use custom compliance settings in Microsoft Intune to require Windows Hello enrollment

Introduction

Custom compliance settings in Intune, is a relatively new feature and is still in preview. However, the potential in this feature is enormous, and extends the possibilities for compliance policies almost endlessly.

A similar feature released to ConfigMgr 2 years ago, and is something I also blogged about here:

To demonstrate how awesome this really is, I will give you something I intend to use in production once the feature goes GA.

The use case here, is to ultimately use this in combination with Conditional Access. We don’t force the Windows Hello for Business enrollment via the built-in and full-screen wizard. We believe that’s too intrusive. Instead we send out Toast Notifications to those users/devices, where WHfB is still not in use.

Read more…

Digitally signing my Toast Notification Script to use with ConfigMgr, AppLocker and Constrained Language Mode

Introduction

My Toast Notification Script unfortunately only works in PowerShell Full Language Mode (for the time being. I have plans to look into this).

This requirement does not work well with AppLocker and having Constrained Language Mode enabled. My solution to this, is to digitally sign the New-ToastNotification.ps1 file. While working my way through the process myself, I realized that a few changes to the Toast Notification Script itself was needed.

The changes made to this “edition” of the script, are only targeted  Configuration Manager. I’m not sure that moving between PowerShell Language Modes coming from Proactive Remediations in Intune, is something that’s possible (if anyone knows this, please let me know).

Additionally to the changes needed, I thought the process itself would make a decent and useful blog post. So here goes. 🙂

Read more…

Set primary and secondary DNS server addresses using ConfigMgr and PowerShell

Introduction

Just a very quick nugget, finishing up this year of IT.

We needed to change the configured DNS server addresses, on a good bunch of (non-domain joined) servers before heading into 2022. Per usual, I don’t like to do stuff manually, so I took the opportunity to write up a PowerShell script in order to assist us.

I figured this is something anybody might find useful, so I wanted to share the script I ended up creating.

For your convenience, I’m also illustrating how this can be used in combination with ConfigMgr, as this obviously was a requirement for automation purposes.

Happy New Year! 🙂

Read more…

Manage Windows Defender Firewall settings with Endpoint security: Move from Group Policy to Microsoft Intune

Introduction

More relevant than ever. Denmark is well into their second COVID-lockdown, and working from home and remote is yet again mandatory for many.

Speaking of remote work, moving workloads off of your on-premises Active Directory, and therefore being less dependent on your VPN, should be something to prioritize.

  • Obviously assuming on-premises AD as well as VPN requirement in this scenario, as this is still the reality for many

Managing your Windows Defender Firewall settings from the cloud is not only convenient, but I’d argue also something that will increase your security posture. I’ll try to elaborate along the lines.

Read more…

Detect and Remediate Lenovo Vantage vulnerabilities using Proactive Remediations and Microsoft Endpoint Manager

Introduction

Just a quick blog post, on how to detect and remediate the Lenovo Vantage Vulnerabilities disclosed this week.

This surely has been an eventful week for most IT professionals, beginning with the #Log4j nightmare, and now ending with some Lenovo Vantage fun. Joking aside, this fix is pretty easy, but making sure and proving the vulnerability has been mitigated throughout your environment, might be something else. This post explains how I did.

Read more…

New Security Baseline version November 2021 for Windows 10/11 in Microsoft Endpoint Manager

Introduction

Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.

Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.

So lets take a quick peek at the process I went through, in order to update my Security Baseline.

Read more…