Conditional Access: Restrict access to company resources and only grant access to trusted IPs

Introduction

I have previously given a few examples of use cases for Conditional Access, and I admit, for the Conditional Access newbie, the options available can seem daunting. So how about a very simple scenario, where access to company resources is blocked if not coming from a trusted IP?

Imagine service accounts running some PowerShell scripts for automation in your Azure/O365 tenant, or other accounts that are never meant to be used outside of your organization. Simply block those from authenticating in Azure/O365 if not coming from your headquarters' public IP. This is how you can do just that, using Conditional Access.

Illustration of the conditions of a Conditional Access rule. In this scenario, location is in focus


How to enable OneDrive Known Folder Move using SCCM (System Center Configuration Manager)

Introduction

Last week the OneDrive team presented a new feature called ‘Known Folder Move’. In short, it enables us to move the content and location of the Desktop, Documents and Pictures folders into OneDrive. This comes in really handy when switching computers, as you find your Desktop, Documents and Pictures folders exactly as you left them on the previous computer.

More about the feature right here: https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/Migrate-Your-Files-to-OneDrive-Easily-with-Known-Folder-Move/ba-p/207076

The above post also covers how to enable the feature manually or by using group policies. As usual, we don’t like to do stuff manually and we don’t like old school group policies either. So, how about enabling this feature using Configuration Manager?


SCCM Client Health Monitor: Automatically remediate Provisioning Mode and corrupt local Group Policy files

Introduction

Update: This post has been superseded with this: https://www.imab.dk/sccm-client-health-monitor-script/

A ConfigMgr/SCCM client stuck in provisioning mode or having corrupt local group policy files (Registry.pol) are two very common and nagging issues in a Configuration Manager environment. Where it’s rather easy to use Configuration Manager to remediate the corrupt policy files, it’s another story with an SCCM client stuck in provisioning mode (the client has very limited functionality). I haven’t personally been seeing clients in provisioning mode that often, but I do occasionally see it happen following a Windows in-place upgrade.

Both scenarios will cause a drop in compliance with regard to Software Updates and general software deployments, and unless you are very thorough when walking through compliance reports, clients affected by either issue can be difficult to spot, especially in larger environments.

So I hereby give you my solution to how you can automatically remediate both issues outside of Configuration Manager using PowerShell and thus increase the compliance and overall health of your environment.

PowerShell snippet from running the SCCM ClientHealthMonitor script


Adding Adobe Third-Party Software Update catalog in SCCM (System Center Configuration Manager) Technical Preview 1806.2

Introduction

In the beginning of June I wrote a post about how to enable Third-Party Software Updates in SCCM Technical Preview 1806 without using SCUP. This week another release of SCCM Technical Preview hit the streets: 1806 in a second edition, also called 1806.2.

This release further iterates on support for Third-Party Software Updates, and now enables us to add custom catalogs such as Adobe. In this post I will walk you through how to do just that, and show you how to add the Adobe catalog for Acrobat Reader DC to Configuration Manager, thus allowing us to deploy updates for Adobe natively without using SCUP.

More about this release right here: https://cloudblogs.microsoft.com/enterprisemobility/2018/06/27/three-exciting-improvements-to-phased-deployments-in-configuration-manager-technical-preview-1806-2/

Illustration of Adobe Software Updates in SCCM Technical Preview 1806.2


Flipping the switch, part 3: Moving Software Updates workload to Intune MDM (Co-management with SCCM)

Introduction

Continuing on the Co-management and flipping the switch journey: I have previously been going through how to initially enable Co-management with Configuration Manager and Microsoft Intune, and how to move some of the Endpoint Protection workloads to Intune MDM.

This time I will walk you through how I moved the Software Updates workload from Configuration Manager to Intune MDM. Everything is still based on a production environment, with some additional ramblings on the topic along the way.

Example of 2 Windows 10 update rings in Microsoft Intune


Friday fun: Automatically add bookmarks for all current Enterprise Mobility MVP blogs using PowerShell

Introduction

This was actually just some random idea I got out of the blue, but if you love learning and love staying current with Configuration Manager and Microsoft Intune, you probably want to follow some of these blogs. You might even have some of them bookmarked already.

This is also for the new and upcoming Configuration Manager / Intune admin. I know when I saw the product for the first time during the SCCM 2007 days, I had no clue where to look for knowledge and who to follow to stay current. This will be a good start. I have gathered all the current Enterprise Mobility MVPs in one place (those who focus on SCCM / Intune and those who have a blog). They are not all in English though, but Google Translate can be used as well.

Note that my list also includes a few MVPs who aren’t awarded in the Enterprise Mobility category, but are indeed worth following anyway. Currently the list counts 60 blogs. I intend to keep the list updated and might even expand on the possibilities a bit.


Back to basics: How can I fully automate the patching of Windows 10 using SCCM (System Center Configuration Manager)

Introduction

I have been spending some time on the Configuration Manager forums on TechNet lately, and questions about Software Updates (among others) frequently pop up. So I thought of creating a series of blog posts explaining some of the basics of Configuration Manager or explaining some of the topics I often see being repeated as questions on the forums.

This will be the very first in such a series, where I will give an example of how you can use SCCM to fully automate the patching of Windows 10. All of these examples will be based on the latest version of Configuration Manager Current Branch.

Peek at the Automatic Deployment Rule we will be creating and configuring in this example


Switch default browser the enterprise way using the Software Center in SCCM (System Center Configuration Manager) and PowerShell

Introduction

In this post I will talk about Windows 10, file associations and how you can let the user in an enterprise switch the default browser through the Software Center in SCCM (System Center Configuration Manager). All of this is done in an environment where file associations are tightly managed and locked through group policies (as they should be in an enterprise) on computers running Windows 10. Curious about the topic? Read on 🙂


Enable Third-Party Software Updates in SCCM (System Center Configuration Manager) Technical Preview 1806

Introduction

System Center Configuration Manager Technical Preview version 1806 was released last week. Among other new cool features following this release, this new TP version comes with the ability to deploy Third-Party Software Updates without using SCUP (System Center Update Publisher).

This is a short walkthrough of the prerequisites and how to enable and use the new feature in the Technical Preview of System Center Configuration Manager.


Microsoft Intune and Conditional Access in a Co-management scenario

Introduction

Last week I gave an example of how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example of how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this is based on a computer co-managed with both Microsoft Intune and Configuration Manager.

So basically: no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.