Conditional Access: Restrict access to Exchange Online and only grant access to company enrolled devices using the Outlook app

Introduction

Long title, but that’s exactly what this post covers: how to secure access to company e-mail accounts so that access is only granted from an enrolled (compliant) Intune device, and only when that device uses the Outlook app.

In this scenario we only use iOS devices and therefore only allow enrollment of iOS devices, but the same approach works for Android and Windows as well. Everything in this post is achievable with Microsoft Intune and Conditional Access in Azure AD. Curious? Read on 🙂

Read more…

How to renew Apple Push Certificate in Microsoft Intune standalone

Introduction

I have previously done a short post on how to renew the Apple Push Certificate when having Intune integrated with Configuration Manager (Hybrid). Since then, I’ve changed the MDM authority to Intune standalone and therefore the procedure changes slightly. Again, this is taken directly from a production environment and my certificate was due to expire in roughly 30 days. For the curious, these are the exact steps I went through to renew our Apple Push Certificate in Microsoft Intune standalone.

Picture of the front page of the Apple Push Certificate portal

Read more…

Install the latest version of Sysinternals Suite tools without any source files using SCCM (System Center Configuration Manager) and Powershell

Introduction

It’s an unusual and somewhat off-topic subject for me, but it might be useful to someone anyway. At least I think it’s different and creative 🙂

The Sysinternals Suite can be downloaded like any other bundle of tools and distributed with whatever method you prefer (download the latest version here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite). But what if you always want the latest version and don’t have the interest or resources to keep track of dates and versions? Read on. This is how you always install the latest version using System Center Configuration Manager and a PowerShell script, with no source files kept in the content library.
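An added example of the idea, not the post’s own script: the install script fetches the current Sysinternals Suite at run time, refuses to deploy anything that is not validly Authenticode-signed by Microsoft (the content never passes through your content library, so this is the one check that stands between you and a tampered download), stages the tools, and writes a marker a detection method can compare. The install folder, the marker file and the use of the download’s Last-Modified header as the “latest version” test are this example’s choices.

```powershell
# Added example, not the post's own script: install the current Sysinternals Suite at run time.
# Assumptions: install folder, marker file name and the Last-Modified header as version test.
[CmdletBinding()]
param(
    [string]$InstallDir = 'C:\Program Files\Sysinternals',
    [string]$ZipUrl     = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
)
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$zip     = Join-Path $env:TEMP 'SysinternalsSuite.zip'
$staging = Join-Path $env:TEMP ('Sysinternals_' + [guid]::NewGuid().ToString('N'))
$marker  = Join-Path $InstallDir 'installed-version.txt'

# -PassThru returns the response object so the Last-Modified header can be recorded.
$resp         = Invoke-WebRequest -Uri $ZipUrl -OutFile $zip -UseBasicParsing -PassThru
$lastModified = [string]$resp.Headers['Last-Modified']

if ((Test-Path $marker) -and ((Get-Content $marker -First 1) -eq $lastModified)) {
    Write-Host "Already at latest ($lastModified); nothing to do."
    Remove-Item $zip -Force
    exit 0
}

Expand-Archive -Path $zip -DestinationPath $staging -Force

# Supply-chain check: everything came off the internet seconds ago, so every PE file must
# carry a valid Authenticode signature whose signer is Microsoft. Otherwise abort the install.
$bad = Get-ChildItem -Path $staging -Recurse -Include '*.exe', '*.dll', '*.sys' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $_.Name
    }
}
if ($bad) { throw "Refusing to install; unsigned or non-Microsoft files: $($bad -join ', ')" }

New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Copy-Item -Path (Join-Path $staging '*') -Destination $InstallDir -Recurse -Force
# First line of the marker is the upstream Last-Modified value; second line is when we installed it.
Set-Content -Path $marker -Value @($lastModified, (Get-Date -Format o))

Remove-Item $zip, $staging -Recurse -Force
Write-Host "Installed Sysinternals Suite dated $lastModified to $InstallDir"
```

The script runs as SYSTEM under the ConfigMgr client, so the download has to work without a user proxy; if your clients reach the internet through a proxy, configure it for the machine (or pass -Proxy to Invoke-WebRequest). A detection script can re-request the header and compare it with the first line of the marker, which is what makes the application re-install only when a newer suite has been published.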

Read more…

Enable password reset on the login screen of a Hybrid Azure AD joined Windows 10 1803 device

Introduction

More Windows 10 1803! Password reset directly from the login screen of Windows 10 has been possible since Windows 10 1709, but only in a cloud-only scenario. This changed with 1803: organizations with a hybrid Azure AD environment can now offer this service to their users as well (assuming they run the latest Windows 10 version). This guide explains what’s required in a hybrid environment and how to leverage Configuration Manager to apply the proper configuration on the client.

For this to work, there are a few prerequisites:

  • Windows 10 1803 or newer
  • Password writeback enabled in Azure AD Connect
    • Proper permissions in on-premises AD for the AAD Connect account
  • Password reset enabled in Azure AD
  • Enable password reset on the 1803 clients (in this scenario through ConfigMgr)
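The last prerequisite is a single machine policy value, which makes it a natural ConfigMgr compliance setting. The following is an added example, not the post’s own configuration item: a discovery script and a remediation script for a configuration item. The registry value is the one Microsoft documents for enabling password reset from the Windows 10 login screen; the two guard checks (OS build 17134 or newer for 1803, and hybrid join state read from dsregcmd) are this example’s additions so the remediation never fires on a device where the feature cannot work.

```powershell
# Added example, not the post's own CI scripts: discovery/remediation for the client-side
# prerequisite. Assumed: build 17134 == Windows 10 1803; dsregcmd reports join state.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
$ValueName = 'AllowPasswordReset'
$Expected  = 1

function Test-HybridJoined1803 {
    # Both client-side conditions from the prerequisite list: 1803 or newer, hybrid Azure AD joined.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -lt 17134) { return $false }
    $status = (& "$env:SystemRoot\System32\dsregcmd.exe" /status) -join "`n"
    return ($status -match 'AzureAdJoined\s*:\s*YES') -and ($status -match 'DomainJoined\s*:\s*YES')
}

function Get-PasswordResetCompliance {
    # Discovery script: emits one string; the CI rule compares it with 'Compliant'.
    if (-not (Test-HybridJoined1803)) { return 'NotApplicable' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and [int]$item.$ValueName -eq $Expected) { 'Compliant' } else { 'NonCompliant' }
}

function Set-PasswordResetCompliance {
    # Remediation script: creates the policy key and sets the DWORD. Does nothing on
    # devices that fail the prerequisite check, so a mis-targeted baseline is harmless.
    if (-not (Test-HybridJoined1803)) { return }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -PropertyType DWord -Force | Out-Null
}

# Use the function matching the script slot in the CI; the discovery slot is shown here.
Get-PasswordResetCompliance
```

Target the baseline at a collection of Hybrid Azure AD joined 1803 devices; a device returning NotApplicable will otherwise show as non-compliant in reports, which is a useful signal that the collection query is too wide rather than something to silence.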

Read more…

How can I deploy RSAT (Remote Server Administration Tools) for Windows 10 1803 using SCCM (System Center Configuration Manager)

Introduction

Continuing on the Windows 10 1803 journey from last week. RSAT (Remote Server Administration Tools) is available as well. This is a quick guide on how you can deploy RSAT for Windows 10 1803 using an application in the Software Center of Configuration Manager. RSAT is available for download following this link: https://www.microsoft.com/en-us/download/details.aspx?id=45520

The download includes the following files. Select the one appropriate for the OS you are running.

  • WindowsTH-RSAT_WS_1803-x64.msu
  • WindowsTH-RSAT_WS_1803-x86.msu
  • WindowsTH-RSAT_WS2016-x64.msu
  • WindowsTH-RSAT_WS2016-x86.msu
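An added example of wrapping those packages in a ConfigMgr application, not the post’s own install script: it picks the .msu matching the client’s architecture and build, installs it silently with wusa.exe, and maps the exit codes ConfigMgr needs to see (0, 3010 for reboot required). Assumptions: the four .msu files sit next to the script; builds from 17134 (1803) upwards get the WS_1803 package and older Windows 10 builds the WS2016 package, inferred from the file names above; and KB2693643 is the KB ID under which RSAT for Windows 10 registers, which the detection function relies on.

```powershell
# Added example, not the post's own application scripts. Assumed: .msu files in $PSScriptRoot,
# build >= 17134 -> WS_1803 package, RSAT registers as KB2693643.
$ErrorActionPreference = 'Stop'

function Get-RsatPackageName {
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $arch   = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $flavor = if ([int]$os.BuildNumber -ge 17134) { 'WS_1803' } else { 'WS2016' }
    return "WindowsTH-RSAT_$flavor-$arch.msu"
}

function Test-RsatInstalled {
    # Detection method for the application: RSAT shows up as this hotfix once installed.
    return [bool](Get-HotFix -Id 'KB2693643' -ErrorAction SilentlyContinue)
}

function Get-WusaPath {
    # The ConfigMgr client is 32-bit; from a 32-bit process on 64-bit Windows, System32 is
    # redirected to SysWOW64, so reach the native wusa.exe through Sysnative.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return "$env:SystemRoot\Sysnative\wusa.exe"
    }
    return "$env:SystemRoot\System32\wusa.exe"
}

function Install-Rsat {
    param([string]$SourceDir = $PSScriptRoot)
    if (Test-RsatInstalled) { Write-Host 'RSAT already installed'; return 0 }
    $msu = Join-Path $SourceDir (Get-RsatPackageName)
    if (-not (Test-Path $msu)) { throw "Package not found: $msu" }

    $p = Start-Process -FilePath (Get-WusaPath) -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0           { Write-Host 'Installed'; return 0 }
        3010        { Write-Host 'Installed, reboot required'; return 3010 }
        2359302     { Write-Host 'Already installed (WU_S_ALREADY_INSTALLED)'; return 0 }
        -2145124329 { throw 'Update not applicable to this OS (WU_E_NOT_APPLICABLE); wrong package?' }
        default     { throw "wusa.exe failed with exit code $($p.ExitCode)" }
    }
}

$code = Install-Rsat
exit $code
```

Use Test-RsatInstalled as the application’s script detection method (write any output when it returns true) and list 3010 as a soft-reboot return code on the deployment type so Software Center reports the pending restart instead of a failure.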

Read more…

How can I in-place upgrade to Windows 10 1803 using Powershell App Deployment Toolkit and SCCM (System Center Configuration Manager)

Introduction

Update July 26, 2018: I have made an update to the content below. Please find the new post at the link below. Note that the content in this post is still relevant.

Windows 10 1803 is out (old news, I know). Nevertheless, it’s always a good idea to be ahead and start thinking about and planning the upgrade of your environment. Configuration Manager offers a lot of flexibility in terms of servicing plans and the use of task sequences.

Task sequences are the preferred method in our environment, and I thought I’d share how you can deploy the Windows 10 1803 upgrade through the PowerShell App Deployment Toolkit, some custom PowerShell script and an application in the Configuration Manager Software Center. Curious? Read on. 🙂

Read more…

Determine correct version of Microsoft Compatibility Appraiser using compliance settings in SCCM (System Center Configuration Manager)

Introduction

This Friday (Apr 27, 2018) Microsoft announced and acknowledged a new issue with WSUS and Configuration Manager causing clients querying WSUS to consume unexpectedly high network bandwidth. All the details are here: https://support.microsoft.com/en-us/help/4163525/high-bandwidth-use-when-clients-scan-for-updates-from-local-wsus-serve

Microsoft has in this regard issued an update that limits how often the Appraiser runs the Windows Update query. To determine whether a client has the update (and is therefore considered compliant in this regard), you can check the value of a given registry key. As usual, we don’t like to do stuff manually, so how about using Configuration Manager and PowerShell? Read on 🙂

Read more…

Onboarding Windows Server (2012 R2 and 2016) into Windows Defender ATP using the script feature in Configuration Manager (SCCM)

Introduction

Short and sweet post. I was looking into onboarding servers into Windows Defender ATP. The official documentation for such operation is listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection

In short, it’s about installing the Microsoft Monitoring Agent (if not installed already as a part of SCOM or OMS). I happen to have the agent installed already, and as such the only requirement in this regard is to tell the agents to connect to another workspace. This can of course be done manually on each agent through the Microsoft Monitoring Agent properties in the Control Panel, but we don’t like to do stuff manually. That’s when I came up with the idea of doing this through the script feature in Configuration Manager. IMO this is a perfect fit, as this is a one-time operation for existing servers. Curious? Read on 🙂
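An added example of what such a script can look like, not the post’s own: a body for a ConfigMgr Run Script item that adds the Windows Defender ATP workspace to an already installed Microsoft Monitoring Agent, reloads the agent, and then waits until the agent reports a connection so that the script output in the console reflects real onboarding state rather than just a written registry entry. WorkspaceId and WorkspaceKey are script parameters you fill from the ATP onboarding page (placeholders here); the COM interface AgentConfigManager.MgmtSvcCfg and the methods used are the agent’s documented management API. That ConnectionStatus 0 means connected is this example’s assumption.

```powershell
# Added example, not the post's own script. Placeholders: WorkspaceId / WorkspaceKey come from
# the ATP onboarding page. Assumed: ConnectionStatus 0 == connected.
param(
    [Parameter(Mandatory)][string]$WorkspaceId,
    [Parameter(Mandatory)][string]$WorkspaceKey,
    [int]$TimeoutSeconds = 120
)
$ErrorActionPreference = 'Stop'

try {
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
} catch {
    Write-Output 'FAIL: Microsoft Monitoring Agent is not installed on this server'
    exit 1
}

# Idempotent: the agent can be multi-homed, so only add the workspace if it is not already there.
$current = @($mma.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $WorkspaceId }
if ($current) {
    Write-Output "Workspace $WorkspaceId already configured; reloading configuration"
} else {
    $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
    Write-Output "Workspace $WorkspaceId added"
}
$mma.ReloadConfiguration()

# Give the agent time to connect before reporting, up to the timeout.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 10
    $ws = $mma.GetCloudWorkspace($WorkspaceId)
} until ($ws.ConnectionStatus -eq 0 -or (Get-Date) -gt $deadline)

$summary = "$env:COMPUTERNAME -> $WorkspaceId status=$($ws.ConnectionStatus) ($($ws.ConnectionStatusText)) agentId=$($ws.AgentId)"
if ($ws.ConnectionStatus -eq 0) {
    Write-Output "OK: $summary"
    exit 0
}
Write-Output "PENDING: $summary"
exit 2
```

Two things to keep in mind: the workspace key is a credential (anyone holding it can onboard a rogue agent into your ATP tenant), and Run Script parameters are visible in the console and logged on the client, so limit who can run the script and treat the key as you would any shared secret. Servers without direct internet access also need the agent’s proxy configured before this will report OK.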

Read more…

Deploy a forced installation of the Windows Defender Google Chrome extension using SCCM (System Center Configuration Manager)

Introduction

A few days ago Microsoft released a new extension for the Google Chrome browser. More specifically, they released the Windows Defender Browser Protection extension, which leverages the same security technologies used by Microsoft’s own browser, Edge. Microsoft describes the new extension with the following words:

The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.

With that in mind, why not make it a permanent part of securing your environment by forcing an automatic installation, rendering users unable to disable or remove the extension. Read on, this is how you can do that using Configuration Manager.
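The mechanism behind a forced, non-removable extension is Chrome’s ExtensionInstallForcelist machine policy, which lives under HKLM\SOFTWARE\Policies\Google\Chrome as numbered string values of the form extensionid;updateurl. The following is an added example, not the post’s own scripts: one script that serves as both the install command and the detection script of a ConfigMgr application, and that appends to the list at the next free index instead of overwriting entry 1, so other extensions already forced by Group Policy survive. The extension ID is a placeholder parameter; take the 32-character ID from the extension’s Chrome Web Store URL. The update URL is the Web Store’s standard CRX update endpoint.

```powershell
# Added example, not the post's own scripts. ExtensionId is a placeholder (from the Web Store URL).
param(
    [Parameter(Mandatory)][ValidatePattern('^[a-p]{32}$')][string]$ExtensionId,
    [ValidateSet('Install', 'Detect')][string]$Mode = 'Install',
    [string]$UpdateUrl = 'https://clients2.google.com/service/update2/crx'
)
$ErrorActionPreference = 'Stop'
$KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

function Get-ForcelistEntries {
    # Entries are string values named "1", "2", ... under the policy key.
    if (-not (Test-Path $KeyPath)) { return @() }
    (Get-ItemProperty -Path $KeyPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [pscustomobject]@{ Index = [int]$_.Name; Value = [string]$_.Value } }
}

function Test-ExtensionForced {
    # True if any entry names this extension, with or without an update URL suffix.
    [bool](Get-ForcelistEntries | Where-Object { $_.Value -eq $ExtensionId -or $_.Value -like "$ExtensionId;*" })
}

function Add-ForcedExtension {
    if (Test-ExtensionForced) { return }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $entries = @(Get-ForcelistEntries)
    # Append at the next free index so existing forced extensions are not clobbered.
    $next = if ($entries.Count -gt 0) { ($entries.Index | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $KeyPath -Name $next -Value "$ExtensionId;$UpdateUrl" -PropertyType String -Force | Out-Null
}

switch ($Mode) {
    'Install' {
        Add-ForcedExtension
        if (Test-ExtensionForced) { exit 0 } else { exit 1 }
    }
    'Detect' {
        # ConfigMgr script detection: any output plus exit 0 means "installed".
        if (Test-ExtensionForced) { Write-Output 'Installed' }
        exit 0
    }
}
```

Chrome picks the policy up on its next policy refresh or restart and installs the extension from the Web Store, after which the Remove button in chrome://extensions is greyed out and the browser shows the “managed by your organization” notice. Uninstall is the reverse: remove the numbered value, not the key.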

Read more…

Flipping the switch, part 2.1: Exploit Guard challenges (Co-management with Intune MDM and SCCM)

Introduction

Just quickly following up on my previous post on how I moved some of the Endpoint Protection workloads into Intune MDM (in a co-management scenario with Configuration Manager). More specifically, I moved the Exploit Guard capabilities, and while walking through the process I mentioned the possible impact of Exploit Guard in an enterprise environment.

Again, this post is to highlight the possible impact of turning on one very specific ASR (Attack Surface Reduction) rule in Exploit Guard. It turns out that this specific rule is not documented by Microsoft (at least I can’t find it in the Exploit Guard documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules), and the impact is quite significant for those using Configuration Manager (and possibly other things too). Curious? Keep reading 🙂

What Attack Surface Reduction rule?

The rule in question has the ID D1E49AAC-8F56-4280-B9BA-993A6D77406C. It is not mentioned anywhere in the Exploit Guard documentation. In Intune, it’s the one I’m highlighting below:
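Before a rule like this goes to block mode fleet-wide, you want to know how it is configured on a client and what it has actually stopped or would have stopped. The following is an added example, not the post’s own: it reads the rule’s state from Get-MpPreference (0 disabled, 1 block, 2 audit), pulls the Defender Operational log events for ASR blocks (event 1121) and audits (event 1122) that name this rule ID, and groups them by the process that triggered them, which is exactly where a broken ConfigMgr client would surface. Get-MpPreference, Add-MpPreference and the two event IDs are documented Defender interfaces; the regex used to pull “Process Name:” out of the event text is this example’s assumption about the message layout.

```powershell
# Added example, not the post's own. Assumed: 1121/1122 event text contains "Process Name: <path>".
param(
    [string]$RuleId = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C',
    [int]$Days = 7
)
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays in MpPreference; find the index of our rule.
    param([string]$Id)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return $ActionNames[[int]$acts[$i]] }
    }
    return 'NotConfigured'
}

function Get-AsrRuleHits {
    # One record per block/audit event that references the rule, with the triggering process.
    param([string]$Id, [int]$Days)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Id } |
        ForEach-Object {
            $proc = if ($_.Message -match 'Process Name:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
                Process = $proc
            }
        }
}

function Set-AsrRuleAudit {
    # Local switch to audit mode for a test machine. Under co-management the Intune profile
    # owns this setting and will overwrite it on the next sync; change the profile for production.
    param([string]$Id)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions AuditMode
}

"Rule $RuleId is: $(Get-AsrRuleState -Id $RuleId)"
Get-AsrRuleHits -Id $RuleId -Days $Days |
    Group-Object Mode, Process | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run the rule in audit mode for a week on a pilot collection, then look at this output: a long list of Audited hits from processes the ConfigMgr client spawns is the warning the documentation does not give you, and it is far cheaper to read here than to discover as a fleet of clients that stop running their deployments.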

Read more…