New Security Baseline version November 2021 for Windows 10/11 in Microsoft Endpoint Manager

Introduction

Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.

Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.

So lets take a quick peek at the process I went through, in order to update my Security Baseline.

Read more…

Windows 10 Toast Notification Script Update: Custom notification app and more built-in prevention from disabling toast notifications

Introduction

It’s been a while since the last update on this script. I admit that. Better late than never, I guess.

This update brings a slight improvement to the looks of the toast notifications, and (almost) definitely removes the option for the end-user to disable the notifications as well.

Also, I was wondering about naming the script differently. The script surely works with Windows 11 too, but seeing the entire toast framework was introduced with Windows 10, and Windows 11 behind the scenes is still appearing as version 10.0, I will stick with the current name.

Read more…

Enable ‘Block abuse of exploited vulnerable signed drivers’ in a jiffy using PowerShell and ConfigMgr

Introduction

I find this highly relevant to share at this day. Especially in regards to yesterday’s ‘false positive’ situation, where a lot of system admins got a good scare, when Defender for Endpoint reported that “Suspicious ‘PowEmotet’ behavior was blocked’ on a high percentage of the enrolled devices.

What I really mean by this, is that when you have the option to reduce the attack surface of your environment, you should look into doing so ASAP.

Let’s say yesterdays situation was real, and you for whatever reason didn’t have behavior monitoring enabled in Microsoft Defender Antivirus. You would regret that pretty soon after being hit, when you realize that it could have been prevented.

Same goes for above. Rather look into enabling this new ASR (Attack Surface Reduction) rule today, rather than later after being compromised.

Read more…

Back to basics: Modifying registry for the CURRENT user coming from SYSTEM context

Introduction

Back in the days, when I started out being a newbie in the software deployment world, I had no real grasp about the different contexts (USER vs. SYSTEM), and I found it to be a trivial task to combine the two.

Today I find it an obvious approach, and in this post, I will give a quick example of how to modify registry for the CURRENTLY logged on user, while delivering an installation in SYSTEM context.

Oftentimes the scenario is, that you need to deploy software which requires local SYSTEM permissions, and while doing so, you’d like to modify the registry for the CURRENTLY logged on user.

Read more…

Install Lenovo Drivers and BIOS directly from Lenovo’s Driver Catalog during OSD using Configuration Manager

Introduction

This is something that I’ve wanted to do for a while; to always install the latest BIOS and drivers automatically during OSD.

Keeping BIOS and driver versions up to date, can be a tedious and time consuming task, and I wanted to take on a more cloud-like approach.

For that reason, I’ve spent some time on Lenovo Thin Installer as well as Lenovo System Update, but they didn’t quite live up to my expectations and need for flexibility.

Instead – and by coincident – I stumbled upon this awesome PowerShell module: jantari/LSUClient

It does exactly what Thin Installer and System Update offers, as well as giving you the flexibility of PowerShell. What’s not to like?

Read more…

Remove desktop shortcuts for the current user and public profile using PowerShell and Proactive Remediations

Introduction

I think most IT-professionals who’s working with software delivery in some sort, has dealt with software and software installers in general, that puts a shortcut on the desktop by default. Annoying indeed.

Typically you’re in for a treat, when trying to figure out how to customize the installer, to prevent the shortcut on the desktop from being created. It’s not rare either, that the installer simply doesn’t support that.

And finally, we are all aware of the desktop-shortcut-mess, when using OneDrive PC folder backup (formerly known as ‘Known Folder Move’), where shortcuts are duplicated and synced between devices. Yikes.

Long story short, I was tired of spending time on desktop shortcuts, so I figured it was time to create my own solution to the problem.

Read more…

Install the new Remote Desktop Connection Manager (RDCMan) with ConfigMgr and PowerShell

Introduction

Another kickstarting blog post, getting into the swing of things again after a somewhat lacking period.

Now, RDCman has been revived and arrived last week in a new version 2.8.

For fun and giggles, I did a short PowerShell script which uninstalls the old version (2.7, registered with windows installer) and downloads the new version 2.8 directly from live.sysinternals.com.

This is a little something on the script itself and how to put that to use with ConfigMgr.

Read more…

Connect to your Configuration Manager environment with PowerShell ISE addons

Introduction

A quick post, serving as a kickstarter for my blogging activities, here (almost) post the covid-19 situation.

Today’s topic is probably not something new for a lot of the amazing IT-pros, who’s already familiar with PowerShell ISE and the Configuration Manager PowerShell module.

Nonetheless, I figured this would be a great way to kickstart my blogging activities, while someone else hopefully will learn something new along the way.

Read more…

Windows 10 Toast Notification Script Update: Improved re-run behavior with ConfigMgr and allow running in SYSTEM context

Introduction

A new version of the Windows 10 Toast Notification Script is here. The script is now being on version 2.2.0.

This version brings the option to run the script and thus display toast notifications coming from SYSTEM context.

A requirement has been so far, that the script is being run with the logged on user’s credentials. This is still recommended, but for scenarios where this is not possible, like running this with a task sequence (task sequences always run as local system), this new ability will give you the option to display toast notification for the logged on user, even if coming from local system context.

The work done here, with running the script under SYSTEM, is entirely done by Andrew. Thank you!

Also, with a built-in prevention of having multiple toast notifications being displayed in a row, the script is now also better at handling the re-run behavior in ConfigMgr. Having multiple toast notification displayed in a row, is something that can happen, if a device misses a deployment schedule. The nature of ConfigMgr is to catch up on the missed schedule, and this can lead to multiple toast notifications being displayed.

Read more…

Configure Microsoft Teams application settings using PowerShell and Proactive Remediations in Microsoft Endpoint Manager

Introduction

Almost a year ago, I wrote a blog post on how to configure Microsoft Teams application settings using Configuration Manager and Powershell. For good measures, find this post in the link below:

Not too long ago, I started getting some reports on, that Teams is no longer picking up the changes made to the config.json and that Teams is hanging at the loading screen. I initially tried to reproduce, but was unable to.

I decided to invest some more time into the issue, and ended up being able to reproduce and find the cause. In the process of troubleshooting, I decided to try and move this into Proactive Remediations in Microsoft Endpoint Manager as well. The result made up this blog post.

Below a quick illustration of running the solution manually. The detection script detects that Microsoft Teams needs its settings configured, and the configure script carries out the configuration.

Read more…