Use custom compliance settings in Microsoft Intune to require Windows Hello enrollment

January 9, 2022January 8, 2022 by Martin Bengtsson

Introduction

Custom compliance settings in Intune, is a relatively new feature and is still in preview. However, the potential in this feature is enormous, and extends the possibilities for compliance policies almost endlessly.

More on the feature from Microsoft Docs here: Use custom compliance settings in Microsoft Intune | Microsoft Docs

A similar feature released to ConfigMgr 2 years ago, and is something I also blogged about here:

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

To demonstrate how awesome this really is, I will give you something I intend to use in production once the feature goes GA.

The use case here, is to ultimately use this in combination with Conditional Access. We don’t force the Windows Hello for Business enrollment via the built-in and full-screen wizard. We believe that’s too intrusive. Instead we send out Toast Notifications to those users/devices, where WHfB is still not in use.

Manage Windows Defender Firewall settings with Endpoint security: Move from Group Policy to Microsoft Intune

December 24, 2021December 23, 2021 by Martin Bengtsson

Introduction

More relevant than ever. Denmark is well into their second COVID-lockdown, and working from home and remote is yet again mandatory for many.

Speaking of remote work, moving workloads off of your on-premises Active Directory, and therefore being less dependent on your VPN, should be something to prioritize.

Obviously assuming on-premises AD as well as VPN requirement in this scenario, as this is still the reality for many

Managing your Windows Defender Firewall settings from the cloud is not only convenient, but I’d argue also something that will increase your security posture. I’ll try to elaborate along the lines.

Detect and Remediate Lenovo Vantage vulnerabilities using Proactive Remediations and Microsoft Endpoint Manager

December 18, 2021December 17, 2021 by Martin Bengtsson

Introduction

Just a quick blog post, on how to detect and remediate the Lenovo Vantage Vulnerabilities disclosed this week.

More information here: Lenovo Vantage Component Vulnerabilities – Lenovo Support CY
And here: Lenovo laptops vulnerable to bug allowing admin privileges (bleepingcomputer.com)

This surely has been an eventful week for most IT professionals, beginning with the #Log4j nightmare, and now ending with some Lenovo Vantage fun. Joking aside, this fix is pretty easy, but making sure and proving the vulnerability has been mitigated throughout your environment, might be something else. This post explains how I did.

New Security Baseline version November 2021 for Windows 10/11 in Microsoft Endpoint Manager

December 10, 2021December 9, 2021 by Martin Bengtsson

Introduction

Super quick blog post, covering the new version of Security Baselines for Windows 10 and 11 in Intune, which was delivered to us with the 2111 service release.

Not much has changed. In fact, if coming from the previous baseline version (December 2020), only one setting has been added: Scan scripts that are used in Microsoft browsers.

So lets take a quick peek at the process I went through, in order to update my Security Baseline.

Windows 10 Toast Notification Script Update: Custom notification app and more built-in prevention from disabling toast notifications

December 8, 2021December 8, 2021 by Martin Bengtsson

Introduction

It’s been a while since the last update on this script. I admit that. Better late than never, I guess.

This update brings a slight improvement to the looks of the toast notifications, and (almost) definitely removes the option for the end-user to disable the notifications as well.

Also, I was wondering about naming the script differently. The script surely works with Windows 11 too, but seeing the entire toast framework was introduced with Windows 10, and Windows 11 behind the scenes is still appearing as version 10.0, I will stick with the current name.

Getting started with Remote help with Intune and Microsoft Endpoint Manager

December 7, 2021December 6, 2021 by Martin Bengtsson

Introduction

Remote help is the brand new and sought-after feature, which provides classic remote assistance capabilities (almost) natively to Windows. Remote help was announced during this years Microsoft Ignite, and started its public preview rollout last week.

Remote help is integrated with Microsoft Endpoint Manager, and this blog post serves as my first look into getting started and using this delicious new feature.

TL:DR: Find a short video recording of the Remote help workflow down in the post. 🙂

Back to basics: Modifying registry for the CURRENT user coming from SYSTEM context

December 1, 2021 by Martin Bengtsson

Introduction

Back in the days, when I started out being a newbie in the software deployment world, I had no real grasp about the different contexts (USER vs. SYSTEM), and I found it to be a trivial task to combine the two.

Today I find it an obvious approach, and in this post, I will give a quick example of how to modify registry for the CURRENTLY logged on user, while delivering an installation in SYSTEM context.

Oftentimes the scenario is, that you need to deploy software which requires local SYSTEM permissions, and while doing so, you’d like to modify the registry for the CURRENTLY logged on user.

Remove desktop shortcuts for the current user and public profile using PowerShell and Proactive Remediations

October 11, 2021October 9, 2021 by Martin Bengtsson

Introduction

I think most IT-professionals who’s working with software delivery in some sort, has dealt with software and software installers in general, that puts a shortcut on the desktop by default. Annoying indeed.

Typically you’re in for a treat, when trying to figure out how to customize the installer, to prevent the shortcut on the desktop from being created. It’s not rare either, that the installer simply doesn’t support that.

And finally, we are all aware of the desktop-shortcut-mess, when using OneDrive PC folder backup (formerly known as ‘Known Folder Move’), where shortcuts are duplicated and synced between devices. Yikes.

Long story short, I was tired of spending time on desktop shortcuts, so I figured it was time to create my own solution to the problem.

Using Filters with Conditional Access: Protect your privileged users with an additional layer of security

September 7, 2021September 7, 2021 by Martin Bengtsson

Introduction

So, I’m quite far behind in my blogging schedule, and I’m merely picking up on a feature which released in preview back some time in May. Luckily, this doesn’t impact the importance of the topic, and therefore I’m still putting it out there.

A neat example of putting Filters to use with Conditional Access, is by protecting your privileged users, like your Global Administrators, with an additional layer, only allowing access to resources if coming from specific devices.

Curious? This post will walk you through how to achieve just that. 🙂

Configure Microsoft Teams application settings using PowerShell and Proactive Remediations in Microsoft Endpoint Manager

April 11, 2021April 11, 2021 by Martin Bengtsson

Introduction

Almost a year ago, I wrote a blog post on how to configure Microsoft Teams application settings using Configuration Manager and Powershell. For good measures, find this post in the link below:

Configure Microsoft Teams application settings using Configuration Manager and Powershell – imab.dk

Not too long ago, I started getting some reports on, that Teams is no longer picking up the changes made to the config.json and that Teams is hanging at the loading screen. I initially tried to reproduce, but was unable to.

I decided to invest some more time into the issue, and ended up being able to reproduce and find the cause. In the process of troubleshooting, I decided to try and move this into Proactive Remediations in Microsoft Endpoint Manager as well. The result made up this blog post.

Below a quick illustration of running the solution manually. The detection script detects that Microsoft Teams needs its settings configured, and the configure script carries out the configuration.