Everything can be done automatically, as long as you configure it manually :-)
Controlling which and how removable storage devices can be used in your environment, seems to be an increasing demand from new and existing business partners. At least that’s my observation made from within the legal vertical.
It all boils down to preventing data leakage and hardening of your security posture, so I figured showing how this can be achieved with Microsoft Defender for Endpoint Device Control and Microsoft Intune, would make a decent blog post.
Following up on my previous post, continuing on the Lenovo BIOS password topic. This time I’m illustrating, how you initially can set the supervisor password during the deployment of the operating system.
Last time I mentioned, how this cannot be done remotely for security reasons. However, there are an option to allow this during OSD (Operating System Deployment), called System Deployment Boot Mode. If taking advantage of this, you’re allowed to set the supervisor password programmatically in WinPE.
I’m using PowerShell to do so, and this post will walk you through the necessities.
Configuring the BIOS password on a Lenovo device for the first time, requires manual labor. Either by you or by the OEM before shipping. For security reasons, this cannot be done remotely.
So, what if the idea of having a supervisor password on your devices is relatively new, and you have thousands of devices out there without?
Then you’ll have to come up with a process on getting to them manually, and in this process, knowing exactly which devices that needs attention is key.
A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.
Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.
This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.
As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.
In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.
For your convenience, find links to my previous Windows 11 posts here:
A short and sweet blog post to re-kickstart my blogging activities, after a long period focusing on cybersecurity and the increased cybersecurity threat towards organizations. For same reasons, my Windows 11 project has temporarily been on pause.
However, now I’m back working on Windows 11, showing how you can customize the taskbar during OSD (Operating System Deployment) with Configuration Manager using just PowerShell (and no source files).
And yes, we are still leveraging Configuration Manager for regular OSD. This still makes the most sense for our type of business. 🙂
I’m kind of continuing on last weeks topic, where I wrote about leveraging SetupConfig.ini and SetupComplete.cmd to carry out custom tasks during a Windows 11 Feature Update.
Today I want to demonstrate, how you can leverage the same custom action scripts, to send notifications to a Microsoft Teams channel upon success or failure, when upgrading to Windows 11 using a Feature Update.
I’m still preparing Windows 11 for broad deployment and I will post my exact process once it’s ready. For now I’m just giving you tiny tidbits along the way. 🙂
This topic in particular, has been very popular since the release of Windows 11 back in October last year.
At this point, there’s at least a dozen posts out there, on how to remove either the built-in Teams app or the Chat Icon from the task bar on devices running Windows 11 already.
I’m in the middle of preparing Windows 11 for broad deployment myself, and this is how I make sure the built-in Teams app and Chat Icon is removed before the user logs on to Windows 11 for the first time. In this scenario, after completing the Feature Update coming from Windows 10.
Why would you do this, when there’s a built-in option to do so, you may ask?
Well, I needed an alternative, as I kept getting some weird errors when using the built-in configuration profile in Intune. The errors only happens for me on Windows 11, so while I’m investigating these, I wanted to have an alternative in order for us to move on with our Windows 11 process.
Also, there’s still no option to lock the VPN strategy to SSTP-only in the native configuration profile in Intune. For that I used to run another weekly PowerShell script, resetting the strategy from IKEv2 to SSTP-only. Using a solution like this, also removes that requirement.
Granted, I don’t manage a humongous Configuration Manager environment. I barely manage a thousand devices. Nevertheless, ConfigMgr is ideally and supposed to be kept up to date, at least within a supported range of version. I’m obviously always keen on keeping it up there on the latest and greatest.
ConfigMgr 2111 released back primo December 2021 and is now generally available as an in-console update.
It’s been a while since last time I walked through the steps I usually take. This time however, I’m doing so AFTER completing the upgrade. I usually write the post, as I move on with the upgrade itself. This time it’s more like a ‘notes from the field’-approach.
