Everything can be done automatically, as long as you configure it manually :-)
Configuring the BIOS password on a Lenovo device for the first time, requires manual labor. Either by you or by the OEM before shipping. For security reasons, this cannot be done remotely.
So, what if the idea of having a supervisor password on your devices is relatively new, and you have thousands of devices out there without?
Then you’ll have to come up with a process on getting to them manually, and in this process, knowing exactly which devices that needs attention is key.
A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.
Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.
This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.
As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.
In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.
For your convenience, find links to my previous Windows 11 posts here:
A short and sweet blog post to re-kickstart my blogging activities, after a long period focusing on cybersecurity and the increased cybersecurity threat towards organizations. For same reasons, my Windows 11 project has temporarily been on pause.
However, now I’m back working on Windows 11, showing how you can customize the taskbar during OSD (Operating System Deployment) with Configuration Manager using just PowerShell (and no source files).
And yes, we are still leveraging Configuration Manager for regular OSD. This still makes the most sense for our type of business. 🙂
I’m kind of continuing on last weeks topic, where I wrote about leveraging SetupConfig.ini and SetupComplete.cmd to carry out custom tasks during a Windows 11 Feature Update.Â
Today I want to demonstrate, how you can leverage the same custom action scripts, to send notifications to a Microsoft Teams channel upon success or failure, when upgrading to Windows 11Â using a Feature Update.
I’m still preparing Windows 11 for broad deployment and I will post my exact process once it’s ready. For now I’m just giving you tiny tidbits along the way. 🙂
This topic in particular, has been very popular since the release of Windows 11 back in October last year.
At this point, there’s at least a dozen posts out there, on how to remove either the built-in Teams app or the Chat Icon from the task bar on devices running Windows 11 already.
I’m in the middle of preparing Windows 11 for broad deployment myself, and this is how I make sure the built-in Teams app and Chat Icon is removed before the user logs on to Windows 11 for the first time. In this scenario, after completing the Feature Update coming from Windows 10.
Why would you do this, when there’s a built-in option to do so, you may ask?
Well, I needed an alternative, as I kept getting some weird errors when using the built-in configuration profile in Intune. The errors only happens for me on Windows 11, so while I’m investigating these, I wanted to have an alternative in order for us to move on with our Windows 11 process.
Also, there’s still no option to lock the VPN strategy to SSTP-only in the native configuration profile in Intune. For that I used to run another weekly PowerShell script, resetting the strategy from IKEv2 to SSTP-only. Using a solution like this, also removes that requirement.
Granted, I don’t manage a humongous Configuration Manager environment. I barely manage a thousand devices. Nevertheless, ConfigMgr is ideally and supposed to be kept up to date, at least within a supported range of version. I’m obviously always keen on keeping it up there on the latest and greatest.
ConfigMgr 2111 released back primo December 2021 and is now generally available as an in-console update.
It’s been a while since last time I walked through the steps I usually take. This time however, I’m doing so AFTER completing the upgrade. I usually write the post, as I move on with the upgrade itself. This time it’s more like a ‘notes from the field’-approach.
Custom compliance settings in Intune, is a relatively new feature and is still in preview. However, the potential in this feature is enormous, and extends the possibilities for compliance policies almost endlessly.
A similar feature released to ConfigMgr 2 years ago, and is something I also blogged about here:
To demonstrate how awesome this really is, I will give you something I intend to use in production once the feature goes GA.
The use case here, is to ultimately use this in combination with Conditional Access. We don’t force the Windows Hello for Business enrollment via the built-in and full-screen wizard. We believe that’s too intrusive. Instead we send out Toast Notifications to those users/devices, where WHfB is still not in use.
My Toast Notification Script unfortunately only works in PowerShell Full Language Mode (for the time being. I have plans to look into this).
This requirement does not work well with AppLocker and having Constrained Language Mode enabled. My solution to this, is to digitally sign the New-ToastNotification.ps1 file. While working my way through the process myself, I realized that a few changes to the Toast Notification Script itself was needed.
The changes made to this “edition” of the script, are only targeted Configuration Manager. I’m not sure that moving between PowerShell Language Modes coming from Proactive Remediations in Intune, is something that’s possible (if anyone knows this, please let me know).
Additionally to the changes needed, I thought the process itself would make a decent and useful blog post. So here goes. 🙂
