Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

February 8, 2020February 5, 2020 by Martin Bengtsson

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. 🙂

Getting started with Security Baselines: Moving from Group Policy to Microsoft Intune

July 14, 2019July 12, 2019 by Martin Bengtsson

Introduction

Another delicious feature went GA (General Availability) this week: Security Baselines in Microsoft Intune.

The Security Baselines in Intune is the equivalent to what we have done with Group Policy for some years now, and is basically a set of pre-configured Windows settings, which are recommended for the enterprise by Microsoft.

This post is not a typical A-Z guide, but rather a first look into the feature and what initial experiences I had with moving from Security Baselines with Group Policy to Security Baselines with Intune in a Co-management scenario.

Configure OneDrive Known Folder Move with Administrative Templates in Microsoft Intune

July 10, 2019July 10, 2019 by Martin Bengtsson

Introduction

Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?

Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move. Exciting!

While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.

Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

June 14, 2019June 14, 2019 by Martin Bengtsson

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Migrate Office 365 ProPlus from 32-bit to 64-bit using Microsoft Intune or SCCM (System Center Configuration Manager)

April 23, 2019April 22, 2019 by Martin Bengtsson

Introduction

When installing Office 365 ProPlus today, the recommended and default architecture is 64-bit. It has been so for some time, but it’s not until lately (at time of writing) that the Office Deployment Tool (in short ODT), is able to migrate from 32-bit to 64-bit in a single operation.

I have tested the migration, both using Microsoft Intune and System Center Configuration Manager and the outcome is what made this blog post.

Note: Migrating Office 365 ProPlus like this, from 32-bit to 64-bit in production, probably has more to it in terms of considering third party add-ins. You will have to test and make sure those add-ins are compatible with the relevant 64-bit Office application. I expect there will be some migration paths for those as well, where you will need to remove the 32-bit add-in prior to migrating Office 365 ProPlus to 64-bit.

Connect to Microsoft Graph for Intune with Powershell ISE Add-ons

April 18, 2019March 4, 2019 by Martin Bengtsson

Introduction

If you are working with Microsoft Intune on a daily basis, chances are that you are familiar with the awesome Powershell Intune Graph script samples over at GitHub: https://github.com/microsoftgraph/powershell-intune-samples.

I have previously blogged specifically about putting 2 of the scripts to use here:

If you are less familiar with Powershell, the script samples might seem a bit intimidating and difficult for some to put to use. The new Microsoft.Graph.Intune PowerShell Module to the rescue!

Now, this post is not about using the actual module, but how you with a single click can connect to the Graph API and gain access to all the available cmdlets in a very easy and sufficient way.

Install Google Chrome Extensions using Microsoft Intune in 3 different ways (Powershell, ADMX ingestion and MSI)

March 3, 2019February 27, 2019 by Martin Bengtsson

Introduction

I have previously covered the approach on how to install Google Chrome extensions using System Center Configuration Manager. Find my post here: https://www.imab.dk/forcefully-deploy-the-windows-defender-google-chrome-extension-using-configuration-manager/

Then it came to my attention that Microsoft released another and new extension for Chrome last week. It’s called Microsoft Web Activities. This made me go through the approach again, and figured I wanted to cover the methods on how to install Google Chrome Extensions using Microsoft Intune.

Windows as a Service: Sharing my PreCache and In-Place Upgrade Task Sequences, part 2

August 20, 2019January 14, 2019 by Martin Bengtsson

Introduction

This is an extremely hot topic and I do know that we have some awesome OSD experts out there sharing their content already (Gary Blok, Mike Terrill etc.). Now, their content is way superior to mine and probably suit a lot of needs already, but I think that content around WaaS in particular is interesting and especially when sharing how one does Windows Servicing in details.

So, this is me doing just that – sharing my precaching and in-place upgrade task sequences – in details. This will be a lengthy post, so grab a good cup of coffee ?

Also, this is based on a mid-size company in Denmark and we don’t manage thousands and thousands of devices. WaaS is a small part of my daily job and I’m the only one doing it, so the time and effort put into this is reflecting the size of the company and the resources available, but is still done with an eye on the detail. With that being said, some of the stuff I do here is done with inspiration from how some of the mentioned people does it (credit where due during the posts). If you find yourself in similar position or just need some more inspiration – then this will be for you 🙂

Part 1: https://www.imab.dk/windows-as-a-service-sharing-my-precache-and-in-place-upgrade-task-sequences-part-1/

Windows as a Service: Sharing my PreCache and In-Place Upgrade Task Sequences, part 1

January 27, 2020January 9, 2019 by Martin Bengtsson

Introduction

This is an extremely hot topic and I do know that we have some awesome OSD experts out there sharing their content already (Gary Blok, Mike Terrill etc.). Now, their content is way superior to mine and probably satisfy a lot of needs already, but I think that content around WaaS in particular is interesting and especially when sharing how one does Windows Servicing in details.

So, this is me doing just that – sharing my precaching and in-place upgrade task sequences – in details. This will be a lengthy post, so grab a good cup of coffee 🙂

Part 2: https://www.imab.dk/windows-as-a-service-sharing-my-precache-and-in-place-upgrade-task-sequences-part-2/

Install RSAT (Remote Server Administration Tools) for Windows 10 v1809 using Microsoft Intune

December 30, 2018December 29, 2018 by Martin Bengtsson

Introduction

I don’t know if this will have many uses, but I did a similar post on how to deploy RSAT for Windows 10 v1809 using SCCM (System Center Configuration Manager) back in October when 1809 was initially released. As most people know by now, RSAT is no longer a separate downloadable add on to Windows, but something which is included as “Features on Demand” in the OS itself.

For your convenience, find my previous post here: https://www.imab.dk/deploy-rsat-remote-server-administration-tools-for-windows-10-v1809-using-sccm-system-center-configuration-manager/)

What if you don’t have SCCM and instead are fancying Microsoft Intune for software deployments? You might even run SCCM and Microsoft Intune Co-Management and like to do stuff differently and experimenting like I do? Then this post will be for you 🙂

Company Portal displaying my RSAT 1809 Win32 app (Sorry for the obscure language (Danish). Company portal insists on being in Danish on my computer)