Everything can be done automatically, as long as you configure it manually :-)
System Center Configuration Manager Technical Preview version 1806 was released last week. Among other new cool features following this release, this new TP version comes with the ability to deploy Third-Party Software Updates without using SCUP (System Center Update Publisher).
This is a short walk through on the prerequisites and how to enable and use the new feature in the Technical Preview of System Center Configuration Manager.
Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.
So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.
It’s an unusual and kind of off topic subject to me, but it might be useful to someone anyway. At least I think it’s different and creative 🙂
The Sysinternals Suite can be downloaded like any other bunch of tools and distributed with whatever method you prefer (download the latest version here: https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite), but what if you always want the latest and greatest version, but don’t have the interest or resources to keep track of dates and versions? Read on. This is how you always install the latest version using System Center Configuration Manager and a Powershell script.
More Windows 10 1803! Password reset directly from the login screen of Windows 10 has been possible since Windows 10 1709, but only in a cloud-only scenario. This changed with 1803, and users having a hybrid Azure AD environment, are now able to offer this service to their users as well. (assuming they roll on the latest and greatest Windows 10 version). This guide explains what’s required in a Hybrid environment and how to leverage Configuration Manager to apply the proper configuration on the client.
For this to work, there are a few prerequisites:
Continuing on the Windows 10 1803 journey from last week. RSAT (Remote Server Administration Tools) is available as well. This is a quick guide on how you can deploy RSAT for Windows 10 1803 using an application in the Software Center of Configuration Manager. RSAT is available for download following this link: https://www.microsoft.com/en-us/download/details.aspx?id=45520
The files available for download includes following. Select the one appropriate for your running OS.
Update July 26, 2018: I have made an update to below content. Please find the new post on the link below. Note that the content in this post is still relevant.
Windows 10 1803 is out (old news I know). Nevertheless, its always a good idea to be ahead and start thinking and planning the upgrade of your environment. Configuration Manager offers a lot of flexibility in terms of servicing plans and the use of task sequences.
Task sequences is the preferred method in our environment, and I thought I’d share how you can deploy the Windows 10 1803 upgrade through the Powershell App Deployment Toolkit, some custom Powershell script and an application in the Configuration Manager Software Center. Curious? Read on. 🙂
This Friday (Apr 27, 2018) Microsoft announced and acknowledged a new issue with WSUS and Configuration Manager causing clients querying WSUS to consume unexpected high network bandwidth. Everything in details here: https://support.microsoft.com/en-us/help/4163525/high-bandwidth-use-when-clients-scan-for-updates-from-local-wsus-serve
Microsoft has in this regard issued an update that limits how often the Appraiser runs the Windows Update query. To determine if a client has the update (and therefore considered compliant in this regard), you can check the value of a given registry key. As usual, we don’t like to do stuff manually, so how about using Configuration Manager and Powershell? Read on 🙂
Short and sweet post. I was looking into onboarding servers into Windows Defender ATP. The official documentation for such operation is listed here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection
In short, it’s about installing the Microsoft Monitoring Agent (if not installed already as a part of SCOM or OMS). I happen to have the agent installed already, and as of such the only requirement in this regard is to tell the agents to connect to another workspace. This can of course be done manually on each agent through the Microsoft Monitoring Agent properties in the control panel, but we don’t like to do stuff manually. That’s when I came up with the idea, to do this through the script feature in Configuration Manager. IMO this is a perfect fit, as this is a one time operation for existing servers. Curious? Read on 🙂
A few days ago Microsoft released a new extension for the Google Chrome browser. More specifically, they released the Windows Defender Browser Protection extension, which leverages the same security technologies used by Microsoft’s own browser; Edge. Microsoft describes their new extension with following words:
The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer.
With that in mind, why not make that a permanent part of securing your environment and do so by forcing an automatic installation and thus render the users unable to disable or remove the extension. Read on, this is how you can do that using Configuration Manager.
Just quickly following up on my previous post, on how I moved some of the Endpoint Protection workloads into Intune MDM (in a Co-management scenario with Configuration Manager). More specifically, I moved the Exploit Guard capabilities and while walking through the process, I mentioned the possible impact of Exploit Guard in an enterprise environment.
Again, this post is to highlight the possible impact of turning on a very specific ASR (Attack Surface Reduction) rule in Exploit Guard. Turns out, that this specific rule is not documented by Microsoft (at least I can’t find it in the Exploit Guard documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules) and the impact is quite significant to those using Configuration Manager (and possible other stuff too). Curious? Keep reading 🙂
The rule in question is having an ID of: D1E49AAC-8F56-4280-B9BA-993A6D77406C. This is not mentioned anywhere in the Exploit Guard documentation. In Intune, it’s the one I’m highlighting below:
