Windows as a Service: Detecting AlwaysOn VPN and LTE connectivity with Powershell and Powershell App Deployment Toolkit

February 15, 2020February 12, 2020 by Martin Bengtsson

Introduction

This post is long overdue and something I originally considered doing when I explained my Windows as a Service process.

The story is, that I allow In-Place Upgrades with Configuration Manager to happen over the Internet and over VPN. While I do allow upgrades over VPN, I still prefer them happening on local network and I certainly doesn’t want them to happen over LTE.

I use Powershell App Deployment Toolkit to initiate the Windows 10 In-Place Upgrade Task Sequence, and I wanted to add more user-friendliness to the experience, by notifying the end-user about possible VPN and LTE connections.

Note #1: LTE connectivity can be prevented altogether in the Client Settings, but I’m not doing that for various reasons. 🙂

Note #2: I do precache everything prior to making the upgrade available. Therefore download of binaries should be limited to zero, though the connection to the site server is still needed, as well as connection to the domain (depending on what you are doing throughout your task sequence).

More WaaS posts: https://www.imab.dk/windows-as-a-service/

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

February 17, 2020January 24, 2020 by Martin Bengtsson

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

January 4, 2020January 3, 2020 by Martin Bengtsson

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Updating MEMCM (Microsoft Endpoint Manager Configuration Manager) to version 1910 on Christmas Eve

December 25, 2019December 24, 2019 by Martin Bengtsson

Introduction

Configuration Manager 1910 went globally available this friday, december 20, so I wanted to stay true to tradition and walk through the upgrade process based on my own environment.

This is usually something I do the very moment it’s possible to opt-in using the early update ring, but this time around the hours usually spent on blogging, are spent on my new born (9 weeks today). 🙂

As usual, this is based on a production environment. This might seem ballsy to do during the holiday season, but I’m confident I will be fine. Also, backup ftw, right? 😀 (NOTE: This particular environment have survived upgrades since SCCM 2012 without ever breaking)

Windows 10 Toast Notification Script Update: Retrieve task sequence deadline dynamically from WMI

July 23, 2020December 17, 2019 by Martin Bengtsson

Introduction

Another neat update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.4.4.

The new version brings a new deadline option, that when enabled, will look in WMI for the specified task sequence package id, and retrieve the deadline of the required deployment dynamically.

This time a thank you goes out to @kevmjohnston for contributing with idea and bits of code. 🙂

What’s new and delicious are mentioned in details below.

Find the original page for the Windows 10 Toast Notification Script here: https://www.imab.dk/windows-10-toast-notification-script/

Co-management with ConfigMgr and Intune and a little something about Microsoft Defender antimalware policies

November 14, 2019November 12, 2019 by Martin Bengtsson

Introduction

Originally when the Endpoint Protection workload for co-management was introduced with Configuration Manager 1802, this was done without antimalware policies.

That essentially meant that antimalware policies was still being managed solely by Configuration Manager, while a feature like Exploit Guard was managed by Intune.

Now, this has since changed (at the time of writing, I’m not sure when they snug in the addition, but that’s not related to the post anyway) and the workload now includes antimalware policies enabling us to manage all aspects of Microsoft Defender with Microsoft Intune.

So what does that mean, and are there anything specifically you need to be aware of? I believe there is. 🙂

Deploy RSAT (Remote Server Administration Tools) for Windows 10 v1909 using ConfigMgr and Powershell

August 22, 2020October 21, 2019 by Martin Bengtsson

Introduction

NOTE: Script has been updated to v2004: https://www.imab.dk/deploy-rsat-remote-server-administration-tools-for-windows-10-v2004-using-configmgr-and-powershell/

Windows 10 v1909 was released to MSDN users last week, and true to tradition, I’m updating my Powershell script, enabling you to install RSAT for Windows 10 1909 automatically and unattended.

I received quite some feedback on my 1903 script, and thanks to that I made some improvements to the 1909 edition. That includes:

Added test for pending reboots. If reboot is pending, RSAT features might not install successfully
Added test for configuration of WSUS by Group Policy
- If WSUS is configured by Group Policy, history shows that additional settings might be needed for some environments

Remind users to enroll into Windows Hello for Business using Toast Notifications and ConfigMgr

February 15, 2020October 8, 2019 by Martin Bengtsson

Introduction

I recently did a tweet about doing a toast notification to lure end-users into enrolling their device with Windows Hello for Business voluntarily.

Find the tweet here: https://twitter.com/mwbengtsson/status/1179343506898329601
And another WHfB inspirational tweet here: https://twitter.com/mwbengtsson/status/1182346707302076416

Prior to doing the tweet, I found my self wrestling with Powershell and a way to locate devices not enrolled into WHfB yet. Seeing I only wanted to nag people not enrolled yet, this was a requirement for the entire process.

So this post is a little something on both the actual toast notification, but also on how I ended up locating devices not enrolled into WHfB yet using a Compliance Baseline in ConfigMgr.

Windows 10 Toast Notification Script Update: Check for Active Directory Password Expiration

July 23, 2020September 24, 2019 by Martin Bengtsson

Introduction

My Windows 10 Toast Notification Script has received another update, now being on version 1.4. What’s new and delicious are mentioned in details below.

Note: I know that expiring passwords are not ideal, but reality is that many still have them configured like so while trying to find their way out with Windows Hello for Business, Password-Less etc.

The toast notification might even serve as a good entry point into enrolling into WhFB when one are ready to do so. I’ll make an example of such in the future 🙂

Find the original page for the Windows 10 Toast Notification Script here: https://www.imab.dk/windows-10-toast-notification-script/

CMPivot use case: Hunt down devices infected with malware (WannaCry ransomware)

September 20, 2019September 20, 2019 by Martin Bengtsson

Introduction

CMPivot is a utility which was introduced with SCCM 1806 (System Center Configuration Manager).

In short, it’s a utility which enables us to query all currently connected devices for information in real-time.

This is extremely useful in a variety of situation, where a great example of such will be in case of a malware outbreak.

In case of a malware outbreak, a lot of questions becomes relevant to answer quickly:

How many devices are infected?
Which devices are not infected?
Are the malware spreading?
etc.

CMPivot to the rescue!