How to renew Apple MDM Push Certificate in Microsoft Endpoint Manager

May 5, 2020May 4, 2020 by Martin Bengtsson

Introduction

So, it’s that time of the year again. My Apple MDM Push Certificate, which is used with the enrollment of iOS devices in Microsoft Endpoint Manager, is due to expire and needs to be renewed.

I have done posts on this topic previously, but as UI and other things receive changes throughout the years, I figured I would do another and updated one for good measures.

For the curious, this is the exact steps I just went through to renew my Apple MDM Push Certificate, which was due to expire in roughly 12 days.

Uninstall all Zoom applications in a jiffy using Configuration Manager and Powershell

April 8, 2020April 7, 2020 by Martin Bengtsson

Introduction

Long story short, using Zoom these days for video conferencing , meetings, webinars and so on, is quite popular. However, Zoom has also received a lot of critique for being insecure, which has resulted in several articles on the topic.

For your reference, here’s a few of the articles:

The Zoom installation has the ability to be installed in the current user’s profile (consumer download), as well as onto the local machine in programfiles(x86) (enterprise download). This makes for some annoying situations, coming from an enterprise point of view, if and when you are asked to promptly uninstall all Zoom applications again (due to above reasons).

So I put together a Powershell script which can be run as SYSTEM with Configuration Manager. The script will find all installed Zoom applications, whether they are installed locally or in the user’s profile, and uninstall them automatically.

Deploying Software (Updates) via VPN, Cloud Management Gateway and Microsoft Update using Configuration Manager

April 3, 2020April 3, 2020 by Martin Bengtsson

Introduction

This is currently a very hot topic, all given the sad circumstances regarding the COVID-19 outbreak all over the world. So I figured it would make a relevant and helpful blog post, to share the details on how I have configured boundaries, boundary groups and everything related to deploying software and software updates in the different #WorkingFromHome situations with VPN and the Cloud Management Gateway.

We are using Always On VPN, and the configuration is something I have explained here as well: https://www.imab.dk/my-always-on-vpn-configuration-with-microsoft-intune-and-configuration-manager-explained/

Also, this is not a typical A-Z guide, but rather some insights to, how I have done some of the configurations in order to cater for remote work. Curious? Read on. 🙂

A first look into the new Antivirus Endpoint security policy experience in Microsoft Endpoint Manager

March 31, 2020March 30, 2020 by Martin Bengtsson

Introduction

Good news everyone!

Last week, a new Endpoint security policy experience in Microsoft Endpoint Manager was released. Among the new policies, you will find a brand new way of managing your Microsoft Defender Antivirus. This new policy type, offers the long-sought for tri-state configurations consisting of No, Yes and Not-configured, which simplifies things greatly.

I do think these new policies will make management a lot easier. Once all of your configurations eventually has transitioned away from regular device configuration profiles, the general view of security measures taken on your devices within Microsoft Intune, will improve by a lot.

This is not a typical A-Z guide, but rather my first and brief look into the new options. All of this of course, based on my own production environment. Curious? Read on. 🙂

Windows 10 Toast Notification Script Update: Run ConfigMgr applications directly from the action button

July 23, 2020March 18, 2020 by Martin Bengtsson

Introduction

Another update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.6.

The feedback and questions related to the Windows 10 Toast Notification Script keeps coming and that’s amazing!

In my last post and update of the script, I added the option to natively and with help of a custom protocol in Windows, to run task sequences directly from the action button.

Since then, I was asked if the script is able to launch application directly from the action button as well, and sure thing. I just added that capability to the script and the details are explained below.

Find the original page for the Windows 10 Toast Notification Script here: https://www.imab.dk/windows-10-toast-notification-script

My Always On VPN configuration with Microsoft Intune and Configuration Manager explained

March 27, 2020March 11, 2020 by Martin Bengtsson

Introduction

This is another post, I have wanted to do for some time now. Always On VPN is not something new, but many organizations are moving away from Direct Access, and Always On VPN seems to be the preferred and logical choice for many – including ours.

Also, I don’t think that the current outbreak of COVID-19 has missed anyone’s attention, which is why working from home and remote via VPN has become highly relevant these days.

This post will not go into details on the infrastructure required in order to setup Always On VPN (Remote Access Server, Network Policy Server, PKI etc.), but rather explain the configurations made on the client with Microsoft Intune and Configuration Manager. I will also elaborate on my experiences, again from the perspective of a production environment.

Finally, a big shout out to Michael Mardahl for always being a tremendous help. Go follow this dude. He’s amazing at what he does. 🙂

Securing your endpoints with Microsoft Intune, part 1: Exploit Guard Controlled Folder Access

March 5, 2020March 5, 2020 by Martin Bengtsson

Introduction

This is the first and initial blog post of an upcoming series, all concerning how one can secure their endpoints using Microsoft Intune.

The posts are meant to serve as titbits, quickly giving the reader an understanding of a specific feature.

The posts are not released in any particular order, and the topics discussed are based on what I’m currently looking into, in my own environment.

Therefore and as usual, this is not a typical and standard walk through, but more a look into how I’m initially taking on the discussed topic. Curios? Read on! 🙂

Troubleshooting Configuration Manager: Parsing client logs using Powershell and Configuration Items

March 1, 2020February 27, 2020 by Martin Bengtsson

Introduction

This particular post and topic, originates from me troubleshooting the Office 365 updating issue, where updating Office 365 through Configuration Manager failed and generated error 80070057.

The issue got some attention on both on reddit as well as on Twitter, as the issue on the affected devices, was breaking the ability to apply subsequent Office 365 updates.

The updates which introduced the said issue was quickly pulled, but some devices obviously managed to install the updates anyway.

So how do we fix that and how do we know which devices that are affected? This specific issue produced a specific error in some of the ConfigMgr Client Side Logs, so I came up with a solution involving Powershell and a Configuration Item.

More on the specific issue detailed here: https://support.microsoft.com/en-us/help/4532996/office-365-version-1910-updates-in-configmgr-do-not-download-or-apply
- Microsoft released a fix for the issue, but the fix only applies to certain Office 365 builds. I’m not sure about the details here, but I had the issue on several builds, outside of the mentioned range of versions.

Windows 10 Toast Notification Script Update: Run ConfigMgr Task Sequences directly from the action button

July 23, 2020February 20, 2020 by Martin Bengtsson

Introduction

A new update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.5.

I’m receiving a lot of feedback and questions related to the Windows 10 Toast Notification Script and that makes me really happy. I’m trying my best to get back to each and everyone.

One question I’m receiving often, is how one is able to run a Task Sequence directly from the action/install button in the actual toast notification. Therefore I figured I’d do everyone good and make it a native option in the script itself.

I have previously covered how one can initiate a reboot, also directly from the action button. This post is available from here: https://www.imab.dk/windows-10-toast-notification-script-update-personal-greeting-and-protocol-based-reboot/

Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager

February 21, 2020February 18, 2020 by Martin Bengtsson

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot, Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as I was seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. 🙂