Digitally signing my Toast Notification Script to use with ConfigMgr, AppLocker and Constrained Language Mode

Introduction

My Toast Notification Script unfortunately only works in PowerShell Full Language Mode (for the time being. I have plans to look into this).

This requirement does not work well with AppLocker and having Constrained Language Mode enabled. My solution to this, is to digitally sign the New-ToastNotification.ps1 file. While working my way through the process myself, I realized that a few changes to the Toast Notification Script itself was needed.

The changes made to this “edition” of the script, are only targeted  Configuration Manager. I’m not sure that moving between PowerShell Language Modes coming from Proactive Remediations in Intune, is something that’s possible (if anyone knows this, please let me know).

Additionally to the changes needed, I thought the process itself would make a decent and useful blog post. So here goes. 🙂

Read more…

Set primary and secondary DNS server addresses using ConfigMgr and PowerShell

Introduction

Just a very quick nugget, finishing up this year of IT.

We needed to change the configured DNS server addresses, on a good bunch of (non-domain joined) servers before heading into 2022. Per usual, I don’t like to do stuff manually, so I took the opportunity to write up a PowerShell script in order to assist us.

I figured this is something anybody might find useful, so I wanted to share the script I ended up creating.

For your convenience, I’m also illustrating how this can be used in combination with ConfigMgr, as this obviously was a requirement for automation purposes.

Happy New Year! 🙂

Read more…

Manage Windows Defender Firewall settings with Endpoint security: Move from Group Policy to Microsoft Intune

Introduction

More relevant than ever. Denmark is well into their second COVID-lockdown, and working from home and remote is yet again mandatory for many.

Speaking of remote work, moving workloads off of your on-premises Active Directory, and therefore being less dependent on your VPN, should be something to prioritize.

  • Obviously assuming on-premises AD as well as VPN requirement in this scenario, as this is still the reality for many

Managing your Windows Defender Firewall settings from the cloud is not only convenient, but I’d argue also something that will increase your security posture. I’ll try to elaborate along the lines.

Read more…

Detect and Remediate Lenovo Vantage vulnerabilities using Proactive Remediations and Microsoft Endpoint Manager

Introduction

Just a quick blog post, on how to detect and remediate the Lenovo Vantage Vulnerabilities disclosed this week.

This surely has been an eventful week for most IT professionals, beginning with the #Log4j nightmare, and now ending with some Lenovo Vantage fun. Joking aside, this fix is pretty easy, but making sure and proving the vulnerability has been mitigated throughout your environment, might be something else. This post explains how I did.

Read more…

New Security Baseline version November 2021 for Windows 10/11 in Microsoft Endpoint Manager

Introduction

Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.

Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.

So lets take a quick peek at the process I went through, in order to update my Security Baseline.

Read more…

Windows 10 Toast Notification Script Update: Custom notification app and more built-in prevention from disabling toast notifications

Introduction

It’s been a while since the last update on this script. I admit that. Better late than never, I guess.

This update brings a slight improvement to the looks of the toast notifications, and (almost) definitely removes the option for the end-user to disable the notifications as well.

Also, I was wondering about naming the script differently. The script surely works with Windows 11 too, but seeing the entire toast framework was introduced with Windows 10, and Windows 11 behind the scenes is still appearing as version 10.0, I will stick with the current name.

Read more…

Install Lenovo Drivers and BIOS directly from Lenovo’s Driver Catalog during OSD using Configuration Manager

Introduction

This is something that I’ve wanted to do for a while; to always install the latest BIOS and drivers automatically during OSD.

Keeping BIOS and driver versions up to date, can be a tedious and time consuming task, and I wanted to take on a more cloud-like approach.

For that reason, I’ve spent some time on Lenovo Thin Installer as well as Lenovo System Update, but they didn’t quite live up to my expectations and need for flexibility.

Instead – and by coincident – I stumbled upon this awesome PowerShell module: jantari/LSUClient

It does exactly what Thin Installer and System Update offers, as well as giving you the flexibility of PowerShell. What’s not to like?

Read more…

Remove desktop shortcuts for the current user and public profile using PowerShell and Proactive Remediations

Introduction

I think most IT-professionals who’s working with software delivery in some sort, has dealt with software and software installers in general, that puts a shortcut on the desktop by default. Annoying indeed.

Typically you’re in for a treat, when trying to figure out how to customize the installer, to prevent the shortcut on the desktop from being created. It’s not rare either, that the installer simply doesn’t support that.

And finally, we are all aware of the desktop-shortcut-mess, when using OneDrive PC folder backup (formerly known as ‘Known Folder Move’), where shortcuts are duplicated and synced between devices. Yikes.

Long story short, I was tired of spending time on desktop shortcuts, so I figured it was time to create my own solution to the problem.

Read more…

Using Filters with Conditional Access: Protect your privileged users with an additional layer of security

Introduction

So, I’m quite far behind in my blogging schedule, and I’m merely picking up on a feature which released in preview back some time in May. Luckily, this doesn’t impact the importance of the topic, and therefore I’m still putting it out there.

A neat example of putting Filters to use with Conditional Access, is by protecting your privileged users, like your Global Administrators, with an additional layer, only allowing access to resources if coming from specific devices.

Curious? This post will walk you through how to achieve just that. 🙂

Read more…

Configure Microsoft Teams application settings using PowerShell and Proactive Remediations in Microsoft Endpoint Manager

Introduction

Almost a year ago, I wrote a blog post on how to configure Microsoft Teams application settings using Configuration Manager and Powershell. For good measures, find this post in the link below:

Not too long ago, I started getting some reports on, that Teams is no longer picking up the changes made to the config.json and that Teams is hanging at the loading screen. I initially tried to reproduce, but was unable to.

I decided to invest some more time into the issue, and ended up being able to reproduce and find the cause. In the process of troubleshooting, I decided to try and move this into Proactive Remediations in Microsoft Endpoint Manager as well. The result made up this blog post.

Below a quick illustration of running the solution manually. The detection script detects that Microsoft Teams needs its settings configured, and the configure script carries out the configuration.

Read more…