A first look into the new Antivirus Endpoint security policy experience in Microsoft Endpoint Manager

March 31, 2020March 30, 2020 by Martin Bengtsson

Introduction

Good news everyone!

Last week, a new Endpoint security policy experience in Microsoft Endpoint Manager was released. Among the new policies, you will find a brand new way of managing your Microsoft Defender Antivirus. This new policy type, offers the long-sought for tri-state configurations consisting of No, Yes and Not-configured, which simplifies things greatly.

I do think these new policies will make management a lot easier. Once all of your configurations eventually has transitioned away from regular device configuration profiles, the general view of security measures taken on your devices within Microsoft Intune, will improve by a lot.

This is not a typical A-Z guide, but rather my first and brief look into the new options. All of this of course, based on my own production environment. Curious? Read on. 🙂

Windows 10 Toast Notification Script Update: Run ConfigMgr applications directly from the action button

March 18, 2020March 18, 2020 by Martin Bengtsson

Introduction

Another update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.6.

The feedback and questions related to the Windows 10 Toast Notification Script keeps coming and that’s amazing!

In my last post and update of the script, I added the option to natively and with help of a custom protocol in Windows, to run task sequences directly from the action button.

Since then, I was asked if the script is able to launch application directly from the action button as well, and sure thing. I just added that capability to the script and the details are explained below.

Find the original page for the Windows 10 Toast Notification Script here: https://www.imab.dk/windows-10-toast-notification-script

Securing your endpoints with Microsoft Intune, part 1: Exploit Guard Controlled Folder Access

March 5, 2020March 5, 2020 by Martin Bengtsson

Introduction

This is the first and initial blog post of an upcoming series, all concerning how one can secure their endpoints using Microsoft Intune.

The posts are meant to serve as titbits, quickly giving the reader an understanding of a specific feature.

The posts are not released in any particular order, and the topics discussed are based on what I’m currently looking into, in my own environment.

Therefore and as usual, this is not a typical and standard walk through, but more a look into how I’m initially taking on the discussed topic. Curios? Read on! 🙂

Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

February 24, 2020February 5, 2020 by Martin Bengtsson

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. 🙂

Getting started with Security Baselines: Moving from Group Policy to Microsoft Intune

July 14, 2019July 12, 2019 by Martin Bengtsson

Introduction

Another delicious feature went GA (General Availability) this week: Security Baselines in Microsoft Intune.

The Security Baselines in Intune is the equivalent to what we have done with Group Policy for some years now, and is basically a set of pre-configured Windows settings, which are recommended for the enterprise by Microsoft.

This post is not a typical A-Z guide, but rather a first look into the feature and what initial experiences I had with moving from Security Baselines with Group Policy to Security Baselines with Intune in a Co-management scenario.

Configure OneDrive Known Folder Move with Administrative Templates in Microsoft Intune

July 10, 2019July 10, 2019 by Martin Bengtsson

Introduction

Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?

Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move. Exciting!

While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.

Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

June 14, 2019June 14, 2019 by Martin Bengtsson

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Migrate Office 365 ProPlus from 32-bit to 64-bit using Microsoft Intune or SCCM (System Center Configuration Manager)

April 23, 2019April 22, 2019 by Martin Bengtsson

Introduction

When installing Office 365 ProPlus today, the recommended and default architecture is 64-bit. It has been so for some time, but it’s not until lately (at time of writing) that the Office Deployment Tool (in short ODT), is able to migrate from 32-bit to 64-bit in a single operation.

I have tested the migration, both using Microsoft Intune and System Center Configuration Manager and the outcome is what made this blog post.

Note: Migrating Office 365 ProPlus like this, from 32-bit to 64-bit in production, probably has more to it in terms of considering third party add-ins. You will have to test and make sure those add-ins are compatible with the relevant 64-bit Office application. I expect there will be some migration paths for those as well, where you will need to remove the 32-bit add-in prior to migrating Office 365 ProPlus to 64-bit.

Connect to Microsoft Graph for Intune with Powershell ISE Add-ons

April 18, 2019March 4, 2019 by Martin Bengtsson

Introduction

If you are working with Microsoft Intune on a daily basis, chances are that you are familiar with the awesome Powershell Intune Graph script samples over at GitHub: https://github.com/microsoftgraph/powershell-intune-samples.

I have previously blogged specifically about putting 2 of the scripts to use here:

If you are less familiar with Powershell, the script samples might seem a bit intimidating and difficult for some to put to use. The new Microsoft.Graph.Intune PowerShell Module to the rescue!

Now, this post is not about using the actual module, but how you with a single click can connect to the Graph API and gain access to all the available cmdlets in a very easy and sufficient way.

Install Google Chrome Extensions using Microsoft Intune in 3 different ways (Powershell, ADMX ingestion and MSI)

March 3, 2019February 27, 2019 by Martin Bengtsson

Introduction

I have previously covered the approach on how to install Google Chrome extensions using System Center Configuration Manager. Find my post here: https://www.imab.dk/forcefully-deploy-the-windows-defender-google-chrome-extension-using-configuration-manager/

Then it came to my attention that Microsoft released another and new extension for Chrome last week. It’s called Microsoft Web Activities. This made me go through the approach again, and figured I wanted to cover the methods on how to install Google Chrome Extensions using Microsoft Intune.