Determine correct version of Microsoft Compatibility Appraiser using compliance settings in SCCM (System Center Configuration Manager)

Introduction

This Friday (Apr 27, 2018) Microsoft announced and acknowledged a new issue with WSUS and Configuration Manager causing clients querying WSUS to consume unexpected high network bandwidth. Everything in details here: https://support.microsoft.com/en-us/help/4163525/high-bandwidth-use-when-clients-scan-for-updates-from-local-wsus-serve

Microsoft has in this regard issued an update that limits how often the Appraiser runs the Windows Update query. To determine if a client has the update (and therefore considered compliant in this regard), you can check the value of a given registry key. As usual, we don’t like to do stuff manually, so how about using Configuration Manager and Powershell? Read on 🙂

Read more…

Onboarding Windows Server (2012 R2 and 2016) into Windows Defender ATP using the script feature in Configuration Manager (SCCM)

Introduction

Short and sweet post. I was looking into onboarding servers into Windows Defender ATP. The official documentation for such operation is listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection

In short, it’s about installing the Microsoft Monitoring Agent (if not installed already as a part of SCOM or OMS). I happen to have the agent installed already, and as of such the only requirement in this regard is to tell the agents to connect to another workspace. This can of course be done manually on each agent through the Microsoft Monitoring Agent properties in the control panel, but we don’t like to do stuff manually. That’s when I came up with the idea, to do this through the script feature in Configuration Manager. IMO this is a perfect fit, as this is a one time operation for existing servers. Curious? Read on 🙂

Read more…

Deploy a forced installation of the Windows Defender Google Chrome extension using SCCM (System Center Configuration Manager)

Introduction

A few days ago Microsoft released a new extension for the Google Chrome browser. More specifically, they released the Windows Defender Browser Protection extension, which leverages the same security technologies used by Microsoft’s own browser; Edge. Microsoft describes their new extension with following words:

The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

With that in mind, why not make that a permanent part of securing your environment and do so by forcing an automatic installation and thus render the users unable to disable or remove the extension. Read on, this is how you can do that using Configuration Manager.

Read more…

Flipping the switch, part 2.1: Exploit Guard challenges (Co-management with Intune MDM and SCCM)

Introduction

Just quickly following up on my previous post, on how I moved some of the Endpoint Protection workloads into Intune MDM (in a Co-management scenario with Configuration Manager). More specifically, I moved the Exploit Guard capabilities and while walking through the process, I mentioned the possible impact of Exploit Guard in an enterprise environment.

Again, this post is to highlight the possible impact of turning on a very specific ASR (Attack Surface Reduction) rule in Exploit Guard. Turns out, that this specific rule is not documented by Microsoft (at least I can’t find it in the Exploit Guard documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules) and the impact is quite significant to those using Configuration Manager (and possible other stuff too). Curious? Keep reading 🙂

What Attack Surface Reduction rule?

The rule in question is having an ID of: D1E49AAC-8F56-4280-B9BA-993A6D77406C. This is not mentioned anywhere in the Exploit Guard documentation. In Intune, it’s the one I’m highlighting below:

Read more…

Flipping the switch, part 2: Moving Endpoint Protection workload to Intune MDM (Co-management with SCCM)

Introduction

Continuing the Co-management journey from last week, where I went through the steps required to setup co-management with Configuration Manager. This week I’m moving the Endpoint Protection workloads into Intune MDM. The ability to transition the Endpoint Protection workloads is brand new, and became available in Configuration Manager 1802. As of now, the endpoint protection workloads consists of following features:

  • Windows Defender Application Guard
  • Windows Defender Firewall
  • Windows Defender SmartScreen
  • Windows Encryption (BitLocker)
  • Windows Defender Exploit Guard
  • Windows Defender Application Control
  • Windows Defender Security Center
  • Windows Defender Advanced Threat Protection

Following walkthrough is exactly how I moved some of the Endpoint Protection features (more specifically Exploit Guard and some modifications to the Defender Security Center) into Intune MDM for at pilot group consisting of computers.

Endpoint Protection device configuration profiles

Read more…

Flipping the switch: How to enable Co-management in SCCM Current Branch (System Center Configuration Manager)

Introduction

Co-management! It was announced last year at Ignite in Orlando and it’s being pushed heavily these days by Microsoft. For those who don’t know the ups and downs, co-management is basically (for those using ConfigMgr already) managing computers with both a Configuration Manager client and Intune MDM.

There are different possibilities to achieve co-management. It may sound complicated, but it’s not. I will walk you through the few steps required, as well as cover the precise prerequisites and how to troubleshoot issues if any. Note: This is precisely how I have done in a production environment. Curious? Read on 🙂

My 2 devices being co-managed

Read more…

Remove inactive devices in Intune automatically using Microsoft Graph API and Powershell (and a scheduled task)

Introduction

*Updated July 23 2018: Minor changes to the script doing the deletion*

Just like we do in Configuration Manager, Active Directory, Exchange and anywhere else (where possible), It’s a good idea to keep things clean (at least I think so). Clean in terms of removing inactive computers, objects, mailboxes and so forth. This brings me to Microsoft Intune and how we can leverage Microsoft Graph API through Powershell to automatically remove inactive devices, and doing so on a schedule through a scheduled task. Curious? Read on 🙂

Example of devices that haven’t checked in for 30 days

Read more…

Upgrading Configuration Manager Current Branch to version 1802 (A real example from a real production environment)

Introduction

I know. There are tons of similar post explaining how to upgrade Configuration Manager Current Branch to the latest version, but that’s not a valid reason not to do another one (:D). Also, mine is exactly how I did it in our production environment, from beginning till end, and not in a lab where you usually (I do) almost blindfolded click next and accept everything, without any precautions.

This is a stand-alone primary site in an enterprise environment of a midsize company in Denmark, running on Windows Server 2016 (I most recently did an in place upgrade of the OS from 2012. Another blog post incoming soon), and for your inspiration, this is the exact steps I went through. Curious? Read on 🙂

Read more…

Provide Internet access to your private lab in Hyper-V using a Windows Server 2016 router

Introduction

This is a post on a subject I’m usually not addressing on my blog, but I think having a lab is crucial and super important for any IT pro. A lab for testing and screwing up before screwing up in production is key!

In my example, I’m running a lab in a private and isolated network, but I’m still very interested in providing Internet access for the servers and workstations running inside the lab. This is how to do just that, using the routing feature within Windows Server 2016. (I’m aware that Hyper-V in Server 2016/Windows 10 has a new NAT feature which can do this too, where a router is preferred in a more complex lab with several networks).

Read more…

Change device ownership in Microsoft Intune standalone using Microsoft Graph API and Powershell

Introduction

When enrolling devices into Microsoft Intune using the Company Portal, the devices end up enrolling as personal owned. This can be changed manually on each device directly in the Intune portal after enrollment. Making sure that all devices are company owned refines management and identification, as well as enabling Intune to perform additional management tasks. Also, for additional security, you can configure device restrictions to block enrollment of devices that are not company owned.

But what if we don’t like to do stuff manually and have hundreds or thousands of devices? Automation through Microsoft Graph API and Powershell to the rescue.

Read more…