Deploy your Always On VPN Profile for Windows 11 using Proactive Remediations in Microsoft Intune


Why would you do this when there’s a built-in option, you may ask?

Well, I needed an alternative, as I kept getting some weird errors when using the built-in configuration profile in Intune. The errors only happen for me on Windows 11, so while I’m investigating them, I wanted an alternative so that we could move on with our Windows 11 process.

  • EDIT: I was just made aware in the comment section that there’s a known issue around this. That said, this post can obviously still serve as a workaround (or as a permanent solution moving forward) 🙂

Also, there’s still no option to lock the VPN strategy to SSTP-only in the native configuration profile in Intune. For that, I used to run another weekly PowerShell script that reset the strategy from IKEv2 to SSTP-only. Using a solution like this also removes that requirement.


Use custom compliance settings in Microsoft Intune to require Windows Hello enrollment


Custom compliance settings in Intune are a relatively new feature and still in preview. However, the potential of this feature is enormous, and it extends the possibilities for compliance policies almost endlessly.

A similar feature was released for ConfigMgr 2 years ago, and is something I also blogged about here:

To demonstrate how awesome this really is, I will give you something I intend to use in production once the feature goes GA.

The use case here is ultimately to use this in combination with Conditional Access. We don’t force Windows Hello for Business enrollment via the built-in, full-screen wizard; we believe that’s too intrusive. Instead, we send out Toast Notifications to those users/devices where WHfB is still not in use.


Getting started with Remote help with Intune and Microsoft Endpoint Manager


Remote help is the brand new and sought-after feature which provides classic remote assistance capabilities (almost) natively to Windows. Remote help was announced during this year’s Microsoft Ignite, and started its public preview rollout last week.

Remote help is integrated with Microsoft Endpoint Manager, and this blog post serves as my first look into getting started and using this delicious new feature.

TL;DR: Find a short video recording of the Remote help workflow further down in the post. 🙂


Notify users when their device is running low on disk space using Toast Notifications and Endpoint Analytics Proactive Remediations


This is a follow-up to the post I did a few weeks ago on notifying users whose devices are low on disk space, using Toast Notifications and Configuration Manager.

This time, I’m moving all of it into the Endpoint Analytics Proactive Remediations feature of Microsoft Endpoint Manager Intune. This actually simplifies things a lot, as it removes the need for custom collections, Configuration Items and Baselines.


How I change the update channels for Microsoft 365 Apps using Configuration Manager


OK, so this post is admittedly a few weeks overdue, but still relevant regardless. Microsoft has decided, as we know by now, to carry out a name change of the Office 365 ProPlus suite and rename the product to Microsoft 365 Apps (for Enterprise).

Following this change of name, Microsoft also decided to introduce some changes to the update channels, which include new names as well as a brand new update channel: Monthly Enterprise Channel.

So I figured, all things taken into consideration, that I wanted to go into detail on how I’m changing the update channels using Configuration Manager.

This is something of a continuation of my previous blog post: Use Powershell to create device collections in Configuration Manager for the new Microsoft 365 Apps update channels

Carrot on a stick: All of the configurations I have made for this setup, I have exported for you to download. No real configuration needed on your end. Just download and import – almost. 😀


A brief first look on Microsoft Defender ATP Tamper Protection


Late last night my time, Tamper Protection in the Microsoft Defender stack went Generally Available.

In short, and as the name implies, this is a feature that essentially locks Microsoft Defender and prevents your security settings from being tampered with, including changes made by an administrator.

From a security perspective, this is a great and welcomed addition – let’s take a closer look. 🙂

PS. I did find some oddities in the behavior when trying to disable Microsoft Defender through Group Policy. More on that at the end of the post.
