Enrollment of co-managed devices based on Azure AD device token with ConfigMgr 1906

Introduction

A short and sweet peek into the latest improvement to the enrollment of co-managed devices into Microsoft Intune.

Prior to SCCM 1906 (System Center Configuration Manager), the enrollment into Microsoft Intune required a user to sign in to the device. This has now changed and the device is able to auto-enroll into Microsoft Intune based on its Azure AD device token.

Note: This is not an A-Z guide, so I’m sadly not covering all the basics and requirements around enrollment nor co-management. Instead I’m touching base with some of the interesting parts, based on my own environment, setup and curiosity. 🙂

Read more…

Updating SCCM (System Center Configuration Manager) Current Branch to version 1906

Introduction

Yesterday happened to be one of those #SCCM Fridays. And a big and awesome one indeed. So awesome I had to take a break from my vacation to catch up on the latest and greatest. 🙂

Configuration Manager Current Branch version 1906 was released and as with previous versions, I will walk you through the update process based on my own environment. I do this before touching base with some of the new and delicious features in upcoming posts.

Read more…

Send messages across your Windows 10 computers with SCCM and Toast Notifications

Introduction

First off, this is mostly an inspirational post and the script used here is the latest release of my Windows 10 Toast Notification Script.

Secondly, from time to time, I still see people in various forums asking how they can send popup messages to the computers in their environment using SCCM (System Center Configuration Manager).

So I figured it would make a decent and quick blog post, describing how one can do just that using my Windows 10 Toast Notification script.

Read more…

Getting started with Security Baselines: Moving from Group Policy to Microsoft Intune

Introduction

Another delicious feature went GA (General Availability) this week: Security Baselines in Microsoft Intune.

The Security Baselines in Intune is the equivalent to what we have done with Group Policy for some years now, and is basically a set of pre-configured Windows settings, which are recommended for the enterprise by Microsoft.

This post is not a typical A-Z guide, but rather a first look into the feature and what initial experiences I had with moving from Security Baselines with Group Policy to Security Baselines with Intune in a Co-management scenario.

Read more…

Configure OneDrive Known Folder Move with Administrative Templates in Microsoft Intune

Introduction

Short and sweet: Back in May 2019, Administrative Templates in Intune went from preview to General Availability. Back then the feature was released with a list of 277 settings. Not much, huh?

Today this will be extended by additional 2500 settings and among these will be the ability to configure OneDrive Known Folder Move. Exciting!

While the configuration of OneDrive Known Folder Move using Administrative Templates in Intune is pretty easy and straightforward, I figured it deserved a post here as well.

Also, initially when OneDrive Known Folder Move was introduced, I did this post on the topic: https://www.imab.dk/how-to-enable-onedrive-known-folder-move-using-sccm-system-center-configuration-manager/

Read more…

Enable and disable ConfigMgr client debug logging in a jiffy using Powershell and Run Script

Introduction

Debug/verbose logging! A topic which every ConfigMgr admin will have to get familiar with sooner or later. Lazy as one can be, I usually Google the requirements every time I need it, so I figured it was time to make something more permanent and more clever.

There are a billion blog posts on the topic already, but as far as my Google skills serves me, no one is using the run script feature and no one is providing complete scripts for the purpose. So this is me doing that. A complete solution for your copy/paste pleasure 🙂

Read more…

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Read more…

Windows 10 Toast Notification Script Update: Personal greeting and protocol based reboot

Introduction

Short and sweet. My Windows 10 Toast Notification Script have received a minor update. Now being at version 1.2. The changes mentioned in details below.

Read more…

Upgrade Windows 10 over the Internet with In-Place Upgrade Task Sequences and ConfigMgr

Introduction

This is not exactly an A-Z guide on the topic, but rather a story of my experiences with upgrading Windows 10 over the Internet with In-Place Upgrade (IPU) Task Sequence using ConfigMgr and how it works in my environment.

I’m using a Cloud Management Gateway (CMG) with enhanced HTTP as well as initially being connected to the on-premises infrastructure with Always On VPN. The VPN in this scenario is a user-initiated tunnel and thus obviously disconnects once the upgrade restarts the computer. It’s not completely without challenges and I will try to cover those during this post.

Curious? Read on 🙂

Oh yeah, seeing I now allow IPU to happen over the Internet, I also created something in Powershell App Deployment Toolkit which extraordinarily warns the user if the upgrade is being initiated from outside the office network. A preview of that in the end of the post 🙂

Read more…

Migrate Office 365 ProPlus from 32-bit to 64-bit using Microsoft Intune or SCCM (System Center Configuration Manager)

Introduction

When installing Office 365 ProPlus today, the recommended and default architecture is 64-bit. It has been so for some time, but it’s not until lately (at time of writing) that the Office Deployment Tool (in short ODT), is able to migrate from 32-bit to 64-bit in a single operation.

I have tested the migration, both using Microsoft Intune and System Center Configuration Manager and the outcome is what made this blog post.

Note: Migrating Office 365 ProPlus like this, from 32-bit to 64-bit in production, probably has more to it in terms of considering third party add-ins. You will have to test and make sure those add-ins are compatible with the relevant 64-bit Office application. I expect there will be some migration paths for those as well, where you will need to remove the 32-bit add-in prior to migrating Office 365 ProPlus to 64-bit.

Read more…