Configuring Microsoft Edge and ‘Always allow to open links of this type in the associated app’ using Microsoft Endpoint Manager

March 11, 2021 by Martin Bengtsson

Introduction

This is just a really quick post, describing how you configure Microsoft Edge to always – and without prompting the user – open certain links in their associated application.

This might seem like an odd and out of the ordinary post, but I needed this myself, and failed to find the relevant details described properly anywhere.

The mentioned prompt is something that’s generated when opening links to Teams meetings, or when trying to open Office documents in their respective desktop application.

Prompts which in most cases are irrelevant to the end-users, and by eliminating those, the user-experience is improved by a little. TL:DR down below.

Notify users when their device is running low on disk space using Toast Notifications and Endpoint Analytics Proactive Remediations

February 4, 2021February 3, 2021 by Martin Bengtsson

Introduction

This is a follow up, on the post I did a few weeks ago, on notifying users with devices being low on disk space, using Toast Notifications and Configuration Manager

Find the mentioned post here: Notify users when their device is running low on disk space using Toast Notifications and Configuration Manager

This time, I’m moving all of it, into the Endpoint Analytics Proactive Remediations feature of Microsoft Endpoint Manager Intune. This will actually simplify things a lot, as it removes the need for custom collections, Configuration Items and Baselines.

Move away from Group Policy and set wallpaper and lock screen images with local source files and Microsoft Endpoint Manager Intune

January 29, 2021January 28, 2021 by Martin Bengtsson

Introduction

This is something I currently just have done myself, in our own environment, and while it’s neither super technical nor advanced, then I figured it deserved some attention regardless.

I assume most hybrid (co-managed) environments still look towards Group Policy when doing this, because it’s easy and what we’ve always been doing. I’m regularly asked to change our desktop wallpaper and lock screen images, and when things needs to be done in a hurry, you usually stick to the easy solution.

This time though, I was stubborn and insisted on moving away from Group Policy and do it with Intune. The process made up this short blog post. 🙂

Setting up Microsoft Tunnel Gateway with Microsoft Endpoint Manager and Linux VM(s) in Azure

December 5, 2020December 4, 2020 by Martin Bengtsson

Introduction

I typically blog about topics, that I’m currently addressing in my own daily work, and this time is no different.

Covid-19 surely has a saying on this particular topic as well, and empowering our users to do more, working securely from home and remote, is key.

In that regard, we needed a simple VPN solution for our iOS devices, and while making my way through the setup and configuration of Microsoft Tunnel Gateway, I decided it was worth blogging as well.

This post will walk you through everything you need know, in order to successfully setup Microsoft Tunnel Gateway as a proof of concept.

This includes:

Creating the VM(s) in Azure
Assigning static public IP
Hardening of the inbound traffic
Configuring public DNS record
SSH’ing to the Linux server
Installing Docker on Linux
Setting up configuration in Microsoft Endpoint Manager
Installing Microsoft Tunnel on Linux
- Copying down TLS certificate to Linux
Deploying VPN profile in Microsoft Endpoint Manager
Verifying connection to VPN on iOS is successful

Comparing Security Baselines in Endpoint Manager using Powershell and Microsoft Graph API

September 28, 2020September 27, 2020 by Martin Bengtsson

Introduction

I just very recently discovered, that a new version of the Security Baseline for Windows 10 was made available in Microsoft Endpoint Manager Intune.

It’s been a while since the last version, more than a year in fact, so it was a pleasant surprise seeing an update on this area.

Security Baselines, and those for Windows 10 in particular, consist of a lot settings. So I wondered what’s changed and started browsing and comparing the various settings via the admin portal.

Then I realized how that’s not very optimal, and began looking for alternatives. I eventually got myself into trying something new, and went on to compare the Security Baselines Profiles using Powershell and the Microsoft Graph. The result of that journey is this post. 🙂

Endpoint Analytics: Locate devices not enrolled with Windows Hello for Business

August 20, 2020August 20, 2020 by Martin Bengtsson

Introduction

As promised, another use-case and example of Proactive Remediations in the new Endpoint Analytics feature in Microsoft Endpoint Manager (Intune).

New to Endpoint Analytics? Then grab a quick peek at following docs: What is Endpoint analytics (preview)?

In this example, I’m locating all devices, which currently are not making use of Windows Hello for Business, and display its logged on user a Toast Notification to remind them to get started.

If and when any organization is promoting and requiring the use of Windows Hello for Business, you will want to make sure that the users indeed are setting this up – and if not, nag them continuously until done.

I have previously done something similar with Configuration Manager: Remind users to enroll into Windows Hello for Business using Toast Notifications and ConfigMgr

Windows 10 Toast Notification Script Update: Support for use with Endpoint Analytics Proactive Remediations

July 8, 2020July 5, 2020 by Martin Bengtsson

Introduction

I accidentally got to spend my entire weekend, toying around and testing the new Endpoint Analytics Proactive Remediations feature in Microsoft Endpoint Manager (Intune).

New to Endpoint Analytics? Then grab a quick peek at following docs: What is Endpoint analytics (preview)?

Long story short is, that Proactive Remediations is capable of running Powershell scripts on a schedule on your Windows 10 devices, similar to what we have done for years with Configuration Manager and scheduled tasks.

So, I needed my Windows 10 Toast Notification Script to work with this delicious new feature – and now it does, hitting a version of 1.8.0. All the details down below.

NOTE: You can’t really tell, but the examples below are indeed generated from using Proactive Remediations. My Toast Notification Script is triggered, if a certain device is not enrolled with Windows Hello for Business. Blog post incoming. 🙂

Apologies for the Danish nonsense. I was testing the multi-language portion (in the script) as well, coming from Proactive Remediations 🙂

How to renew Apple MDM Push Certificate in Microsoft Endpoint Manager

May 5, 2020May 4, 2020 by Martin Bengtsson

Introduction

So, it’s that time of the year again. My Apple MDM Push Certificate, which is used with the enrollment of iOS devices in Microsoft Endpoint Manager, is due to expire and needs to be renewed.

I have done posts on this topic previously, but as UI and other things receive changes throughout the years, I figured I would do another and updated one for good measures.

For the curious, this is the exact steps I just went through to renew my Apple MDM Push Certificate, which was due to expire in roughly 12 days.

A first look into the new Antivirus Endpoint security policy experience in Microsoft Endpoint Manager

March 31, 2020March 30, 2020 by Martin Bengtsson

Introduction

Good news everyone!

Last week, a new Endpoint security policy experience in Microsoft Endpoint Manager was released. Among the new policies, you will find a brand new way of managing your Microsoft Defender Antivirus. This new policy type, offers the long-sought for tri-state configurations consisting of No, Yes and Not-configured, which simplifies things greatly.

I do think these new policies will make management a lot easier. Once all of your configurations eventually has transitioned away from regular device configuration profiles, the general view of security measures taken on your devices within Microsoft Intune, will improve by a lot.

This is not a typical A-Z guide, but rather my first and brief look into the new options. All of this of course, based on my own production environment. Curious? Read on. 🙂

My Always On VPN configuration with Microsoft Intune and Configuration Manager explained

March 27, 2020March 11, 2020 by Martin Bengtsson

Introduction

This is another post, I have wanted to do for some time now. Always On VPN is not something new, but many organizations are moving away from Direct Access, and Always On VPN seems to be the preferred and logical choice for many – including ours.

Also, I don’t think that the current outbreak of COVID-19 has missed anyone’s attention, which is why working from home and remote via VPN has become highly relevant these days.

This post will not go into details on the infrastructure required in order to setup Always On VPN (Remote Access Server, Network Policy Server, PKI etc.), but rather explain the configurations made on the client with Microsoft Intune and Configuration Manager. I will also elaborate on my experiences, again from the perspective of a production environment.

Finally, a big shout out to Michael Mardahl for always being a tremendous help. Go follow this dude. He’s amazing at what he does. 🙂