Securing your endpoints with Microsoft Intune, part 1: Exploit Guard Controlled Folder Access

March 5, 2020March 5, 2020 by Martin Bengtsson

Introduction

This is the first and initial blog post of an upcoming series, all concerning how one can secure their endpoints using Microsoft Intune.

The posts are meant to serve as titbits, quickly giving the reader an understanding of a specific feature.

The posts are not released in any particular order, and the topics discussed are based on what I’m currently looking into, in my own environment.

Therefore and as usual, this is not a typical and standard walk through, but more a look into how I’m initially taking on the discussed topic. Curios? Read on! 🙂

Troubleshooting Configuration Manager: Parsing client logs using Powershell and Configuration Items

March 1, 2020February 27, 2020 by Martin Bengtsson

Introduction

This particular post and topic, originates from me troubleshooting the Office 365 updating issue, where updating Office 365 through Configuration Manager failed and generated error 80070057.

The issue got some attention on both on reddit as well as on Twitter, as the issue on the affected devices, was breaking the ability to apply subsequent Office 365 updates.

The updates which introduced the said issue was quickly pulled, but some devices obviously managed to install the updates anyway.

So how do we fix that and how do we know which devices that are affected? This specific issue produced a specific error in some of the ConfigMgr Client Side Logs, so I came up with a solution involving Powershell and a Configuration Item.

More on the specific issue detailed here: https://support.microsoft.com/en-us/help/4532996/office-365-version-1910-updates-in-configmgr-do-not-download-or-apply
- Microsoft released a fix for the issue, but the fix only applies to certain Office 365 builds. I’m not sure about the details here, but I had the issue on several builds, outside of the mentioned range of versions.

Configuring and managing my Surface Pro X using Windows AutoPilot, Microsoft Intune and Configuration Manager

February 21, 2020February 18, 2020 by Martin Bengtsson

Introduction

This is not a traditional walk through of a specific technical topic. It’s rather a story about setting up my new Surface Pro X device, making it work with AutoPilot, Intune and ConfigMgr in a Hybrid AAD Join deployment.

You don’t per say have to own a Surface Pro X device in order to benefit from the content in this post. However, as the Surface Pro X ships with an ARM processor, it makes for some unique situations and experiences.

During the post, I will deep dive some of the technical aspects of Hybrid AAD joining the device, as this has a lot of moving parts and dependencies in order to work.

Additionally, this process was not completely without obstacles. I’m not sure if these obstacles are working as intended or not, but I failed to get Co-management work loads to work properly, as well as I was seeing weird things happening if applying the Security Baseline for Windows. More on that throughout the post. 🙂

Back to basics: Deploying applications with Custom Global Conditions in Configuration Manager

February 16, 2020February 16, 2020 by Martin Bengtsson

Introduction

This past week I went back to basics with Configuration Manager, as I was working with some applications where I needed the deployments to behave differently based on various factors.

Some may resort to creating individual applications or even packages for each specific need, but there are more clever ways of doing it.

For instance, in this specific case, I had different sets of binaries to be used, varying based on the architecture of Office 365 ProPlus installed. I also wanted something different to happen, whether the installation was happening with a task sequence or not.

So again, this is something a single Application in combination with the proper Global Conditions can cater for. No need to create several Applications or Packages. Curious? Continue reading 🙂

Windows as a Service: Detecting AlwaysOn VPN and LTE connectivity with Powershell and Powershell App Deployment Toolkit

February 15, 2020February 12, 2020 by Martin Bengtsson

Introduction

This post is long overdue and something I originally considered doing when I explained my Windows as a Service process.

The story is, that I allow In-Place Upgrades with Configuration Manager to happen over the Internet and over VPN. While I do allow upgrades over VPN, I still prefer them happening on local network and I certainly doesn’t want them to happen over LTE.

I use Powershell App Deployment Toolkit to initiate the Windows 10 In-Place Upgrade Task Sequence, and I wanted to add more user-friendliness to the experience, by notifying the end-user about possible VPN and LTE connections.

Note #1: LTE connectivity can be prevented altogether in the Client Settings, but I’m not doing that for various reasons. 🙂

Note #2: I do precache everything prior to making the upgrade available. Therefore download of binaries should be limited to zero, though the connection to the site server is still needed, as well as connection to the domain (depending on what you are doing throughout your task sequence).

More WaaS posts: https://www.imab.dk/windows-as-a-service/

Require TLS with Exchange Online and a custom made NDR (Non-Delivery Report) with Powershell, Azure Automation and Conditional Access

February 24, 2020February 5, 2020 by Martin Bengtsson

Introduction

First things first: This is not a typical topic on this blog, but I do find it highly relevant to share regardless.

The main story here is, that if you want to comply with GDPR and other regulations, you might end up in a situation where you need to require TLS for outgoing e-mails. This is something that’s easily achievable by configuring the proper transport rules in Exchange Online, but what if the recipient doesn’t support receiving e-mails encrypted with TLS in transit? In that situation, the e-mail typically bounce back after 24 hours of retrying (At the time of writing, this timer is not configurable in Exchange Online) .

24 hours is a long time to wait for the Non-Delivery Report, especially for my industry which is the legal vertical, so I had to come up with something else.

Powershell and Azure Automation to the rescue (and also a little something on how to protect the accounts used with Conditional Access).

OBS: Apologies if there are more clever solutions out there to cater for this. I haven’t been able to find any, but I’m sharing regardless, as the use of this easily can be transferred to other needs. 🙂

How I deploy, configure and set the new Microsoft Edge as default browser using Microsoft Intune and Configuration Manager

February 17, 2020January 24, 2020 by Martin Bengtsson

Introduction

Unless you have been hiding under a rock lately, you should be aware that the new Microsoft Edge browser happened and was released in the first stable release on January 15.

All very exciting and delicious, and we who have been testing with Dev and Beta versions across our enterprises, have been waiting eagerly to be able to offer the one browser to rule them all (hopefully).

So this is a little something on how I have chosen to deploy, configure and set the new Microsoft Edge as default browser, using a combination of both Microsoft Intune and Configuration Manager.

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

January 4, 2020January 3, 2020 by Martin Bengtsson

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Updating MEMCM (Microsoft Endpoint Manager Configuration Manager) to version 1910 on Christmas Eve

December 25, 2019December 24, 2019 by Martin Bengtsson

Introduction

Configuration Manager 1910 went globally available this friday, december 20, so I wanted to stay true to tradition and walk through the upgrade process based on my own environment.

This is usually something I do the very moment it’s possible to opt-in using the early update ring, but this time around the hours usually spent on blogging, are spent on my new born (9 weeks today). 🙂

As usual, this is based on a production environment. This might seem ballsy to do during the holiday season, but I’m confident I will be fine. Also, backup ftw, right? 😀 (NOTE: This particular environment have survived upgrades since SCCM 2012 without ever breaking)

Windows 10 Toast Notification Script Update: Retrieve task sequence deadline dynamically from WMI

July 23, 2020December 17, 2019 by Martin Bengtsson

Introduction

Another neat update to the Windows 10 Toast Notification Script is a reality. Now being on version 1.4.4.

The new version brings a new deadline option, that when enabled, will look in WMI for the specified task sequence package id, and retrieve the deadline of the required deployment dynamically.

This time a thank you goes out to @kevmjohnston for contributing with idea and bits of code. 🙂

What’s new and delicious are mentioned in details below.

Find the original page for the Windows 10 Toast Notification Script here: https://www.imab.dk/windows-10-toast-notification-script/