Troubleshooting PowerShell script delivered by Microsoft Endpoint Manager

Delivering PowerShell scripts to Windows 10 devices using Microsoft Endpoint Manager is one of my favorite features, but what do you do if the delivery of the script fails? There are two ways of checking for troubleshooting purposes.

Using the Registry

By browsing to the following registry location you are able to see every PowerShell script that has been applied to your Windows 10 device. For each script you will see Result and ResultDetails values, which show whether the execution was successful and carry the error message if it was not.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Policies\

Using the Log File

The other option is using the CMTrace.exe tool, which is part of the 2012 Configuration Manager Toolkit. The download link is https://www.microsoft.com/en-us/download/confirmation.aspx?id=50012

This allows you to open the IntuneManagementExtension log file, which is located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

It highlights all the relevant warning and error messages in either yellow or red depending on the severity of the issue.

When you click on a failure you will receive details about the known issue that is causing the script to fail.
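Both checks described above can be scripted. The following is an added example, not the post's own code: it reads Result and ResultDetails from the policy keys and filters the IntuneManagementExtension log for the warning and error entries that CMTrace colours yellow and red. It assumes the CMTrace line format (type 2 = warning, type 3 = error) with one entry per line; the function names are my own.

```powershell
# Added example (not from the original post): check both places the post describes.
# 1) The IME policy keys under HKLM, reading Result / ResultDetails per script.
# 2) IntuneManagementExtension.log, which uses the CMTrace line format
#    <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
#    where type 2 = warning (CMTrace shows yellow) and type 3 = error (red).
# Assumption: the key layout below the Policies key may vary, so every subkey that
# carries a Result value is reported regardless of depth.

$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
$LogDir     = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

function Get-IntuneScriptResult {
    if (-not (Test-Path -Path $PolicyRoot)) {
        Write-Warning "No IME policy key found at $PolicyRoot (has the extension ever run here?)"
        return
    }
    Get-ChildItem -Path $PolicyRoot -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Result) {
            [pscustomobject]@{
                ScriptKey     = $_.PSChildName
                Result        = $props.Result
                ResultDetails = $props.ResultDetails
                RegistryPath  = $_.Name
            }
        }
    }
}

function Get-IntuneLogProblem {
    param(
        [string]$Path = (Join-Path $LogDir 'IntuneManagementExtension.log'),
        [int]$MinimumType = 2   # 2 = warnings and errors; use 3 for errors only
    )
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Log file not found: $Path"
        return
    }
    # One CMTrace entry per line: capture message, time, date, component and type.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern -and [int]$Matches['type'] -ge $MinimumType) {
            $severity = 'Warning'
            if ($Matches['type'] -eq '3') { $severity = 'Error' }
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = $Matches['time']
                Severity  = $severity
                Component = $Matches['comp']
                Message   = $Matches['msg']
            }
        }
    }
}

# Usage: run in an elevated session so neither HKLM nor the Logs folder returns access-denied noise.
Get-IntuneScriptResult | Format-Table -AutoSize
Get-IntuneLogProblem -MinimumType 3 | Select-Object -Last 20 | Format-List
```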

Regards
The Author – Blogabout.Cloud

Making your PowerShell script self elevate to run as an Administrator

I have recently been running a number of PowerShell scripts where I needed to elevate the session to Administrator. Ideally I didn't want to have to provide logon details every time, so the following script removes the need to provide Admin credentials.

# Original Script located at:
# http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/23/a-self-elevating-powershell-script.aspx

# Get the ID and security principal of the current user account
$myWindowsID = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myWindowsPrincipal = New-Object System.Security.Principal.WindowsPrincipal($myWindowsID)

# Get the security principal for the Administrator role
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

# Check to see if we are currently running "as Administrator"
if ($myWindowsPrincipal.IsInRole($adminRole))
{
    # We are running "as Administrator" - so change the title and background color to indicate this
    $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + " (Elevated)"
    $Host.UI.RawUI.BackgroundColor = "DarkBlue"
    Clear-Host
}
else
{
    # We are not running "as Administrator" - so relaunch as administrator

    # Create a new process object that starts PowerShell
    $newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell"

    # Specify the current script path and name as a parameter (quoted so paths containing spaces survive)
    $newProcess.Arguments = "& '" + $myInvocation.MyCommand.Definition + "'"

    # Indicate that the process should be elevated (the "runas" verb still raises the UAC consent prompt)
    $newProcess.Verb = "runas"

    # Start the new process
    [System.Diagnostics.Process]::Start($newProcess) | Out-Null

    # Exit from the current, unelevated, process
    exit
}

Regards
The Author – Blogabout.Cloud

Newly Available Protected Apps in Microsoft Endpoint Manager

Microsoft has recently announced that 14 applications have been included for App Protection. These applications apply to either the iOS or the Android platform.

If you are unaware of all the applications that can be protected by Microsoft, please visit the following url: https://docs.microsoft.com/en-us/mem/intune/apps/apps-supported-intune-apps

Below are all the newly available applications released on May 11th 2020 (2005 Service Release). Each entry gives the application name, the platform it applies to, and the vendor's description.

Board Papers (iOS)
Board Papers is a board portal solution that combines an iPad application with Microsoft SharePoint® integration.

Breezy for Intune (iOS)
Breezy For Intune provides secure print capabilities for your iOS device. Our integration with Intune ensures that your data stays secure while on-device, and our own end-to-end encryption and enterprise grade security ensure that it stays that way on its way to the printer.

Hearsay Relate for Intune (iOS / Android)
Hearsay Relate for Intune enables advisors to manage and nurture their book of business in a protected BYOD environment with mobile application management (MAM). This version of Hearsay Relate allows IT administrators to protect corporate data while keeping advisors in touch with their book of business.
Hearsay Relate, a mobile application that enables financial services professionals to move business forward. Leverage compliant texting and seamless voice calling to connect with your entire book of business. Stay productive with calendar integration to set appointments, and schedule reminder messages for upcoming meetings, birthday greetings, and more.
Hearsay Relate for Intune gives enterprise users all the features they expect from Hearsay Relate, while providing IT administrators the MAM functionality they need to keep corporate data safe. In the event of a lost or stolen device, IT can remove Hearsay Relate for Intune from the device along with any sensitive data associated with it.

ISEC7 Mobile Exchange Delegate for Intune (iOS)
Make your meetings simpler, more substantive, and more environmentally friendly.

Lexmark for Intune (iOS)
Mobile computing has become pervasive; it's simply a state of always on, barrier-free connectedness that entertains, enlightens and helps you get more work done.
While business users expect desktop and mobile printing to be equally convenient, IT managers know how complicated it can be to provide seamless output due to mobile's unique characteristics. With connectivity, security and network challenges to solve across multiple operating systems, providing your users with the flexible printing they expect can be complex.
Lexmark offers the experience and innovation to help you meet the printing needs of your users in a way that's easy and hassle-free for IT. By addressing your challenges with a comprehensive set of tools and options, we can help you achieve a mobile printing experience that is more transparent, simple and secure.

Meetio Enterprise (iOS / Android)
Meetio's mobile app for organizations using Meetio room management solutions. Meetio Enterprise simplifies your workday by allowing you to schedule meetings and meeting rooms – all at once, while you're on the go.

Microsoft Whiteboard (iOS)
Microsoft Whiteboard app provides a freeform intelligent canvas where teams can ideate, create, and collaborate visually via the cloud. It enhances teamwork by allowing all team members to edit and comment directly on the canvas in real time, no matter where they are. And all your work stays safe in the cloud, ready to be picked back up from any device.

Now Mobile – Intune (iOS / Android)
Now employees can find answers and get work done across IT, HR, Facilities, Finance, Legal and other departments, all from a modern mobile app powered by the Now Platform®. The Now Platform® delivers employee experiences and productivity through digital workflows across departments, systems and people.
Examples of things you can do in the app:
– IT: Request a laptop or a password reset
– Facilities: Find and book a conference room
– Finance: Request a corporate credit card
– Legal: Have a new vendor sign an NDA
– HR: Find the next company holiday and check the vacation policy
Now® Mobile powered by the Now Platform® – finally work life can be as great as real life.

Qlik Sense Mobile (iOS / Android)
Qlik Sense is a market leading, next generation application for self-service oriented analytics. Qlik's patented associative technology allows people to easily combine data from many different sources and explore it freely, without the limitations of query-based tools.

ServiceNow Agent – Intune (iOS / Android)
ServiceNow Mobile Agent app delivers out-of-the-box, mobile-first experiences for the most common service desk agent workflows, making it easy for agents to triage, act on and resolve requests on the go. The app enables service desk agents to promptly manage and resolve end user issues from their mobile devices. Agents use the app's intuitive interface to accept and update work even without Internet connectivity. The app greatly simplifies work by leveraging native device capabilities for tasks like navigation, barcode scanning, or collecting a signature.
The app comes with out-of-the-box workflows for service desk agents in IT, Customer Service, HR, Field Services, Security Ops and IT Asset Management. Organizations can easily configure and extend the workflows to meet their own unique needs. With Mobile Agent you can:
– Manage the work assigned to your teams.
– Triage incidents and cases.
– Act on approvals with swipe gestures and quick actions.
– Complete work while offline.
– Access the full issue details, activity stream, and related lists of records.
– Optimize workflows with location, camera, and touchscreen hardware.

ServiceNow Onboarding – Intune (iOS / Android)
ServiceNow® Mobile Onboarding empowers new hires to complete tasks, view content, and get help across departments, including IT, HR, Facilities, Finance, and Legal, all from a single native mobile app.
Streamline the onboarding experience by allowing new hires to:
– Order a laptop and phone from IT.
– Set up a workspace with Facilities.
– Sign an NDA from Legal.
– Submit a photo and update their profile with HR.
– Review an expense policy from Finance and get help if they have questions.
Powered by the Now Platform®, Mobile Onboarding manages workflows across multiple departments and systems, hiding the complexity of backend processes. New hires don't even have to know which departments are involved in any given process. They receive a simple and easy onboarding experience and can complete tasks before they even start, ensuring they are day-one ready.

Smartcrypt for Intune (iOS)
Smartcrypt for Intune is specifically designed for existing PKWARE customers operating in an Intune environment. Smartcrypt lets you get your work done on the go. It's fast, secure and simple to use so you can be productive from anywhere. If you are unsure if you have Smartcrypt please contact your company's IT administrator. With Smartcrypt, you can: Encrypt and decrypt files using Smartkeys, Decrypt archives with X.509 Digital Certificates, Create and manage Smartkeys, Perform digital signing and authentication of data with X.509 Digital Certificates, Encrypt and decrypt files with Strong Passphrase encryption, including AE2, Login with existing Active Directory credentials, Create and view unencrypted zip archives. Smartcrypt armors data at its core, eliminating vulnerabilities everywhere data is used, shared or stored. For nearly three decades, PKWARE has provided encryption and compression software to more than 30,000 enterprise customers and over 200 government agencies. Available for iOS/iPadOS and Android.

Tact for Intune (iOS / Android)
Tact for Intune is the first CRM and Sales Assistant that unifies data from Salesforce.com, email, calendar, maps and other everyday tools into a conversational, human-friendly experience. Powered by AI, Tact automates the administrative work for the salesperson, unifies CRM with other data sources to deliver a single pane of glass, and pushes intelligence to each seller in order to nudge them into high performance behavior. Enterprises can now gain increased seller productivity, richer customer data and better CRM adoption while ensuring enterprise-grade security at the application layer with Tact for Intune.

Zero – Email for Attorneys (iOS)
ZERØ's email client has been engineered to help lawyers work less and bill more. With ZERØ, lawyers can:
– Predictively file messages to their document management system or to their corresponding email folders.
– Sort their inboxes by parameters such as importance and sender.
– Receive a warning in real-time if they are about to send a message to a potential wrong recipient.
– Automatically and contemporaneously capture the time spent interacting with client messages from their mobile devices.

Regards
The Author – Blogabout.Cloud

What’s dropped this month in Microsoft Endpoint Manager – April Round Up

In this post, you can see all the new items that have been released in the following product areas:

– Device Management
– App Management
– Device Configuration
– Device enrollment
– Monitor and Troubleshoot
– Security

Device Management

Trusted Platform Module (TPM) version information now on Device Hardware page

You can now see the TPM version number on a device’s hardware page (Microsoft Endpoint Manager admin center > Devices > choose a device > Hardware > look under System enclosure).

Microsoft Endpoint Manager tenant attach: Device sync and device actions

Microsoft Endpoint Manager is bringing together Configuration Manager and Intune into a single console. Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions on them in the admin center. For more information, see Microsoft Endpoint Manager tenant attach: Device sync and device actions.

App Management

Manage S/MIME settings for Outlook on Android Enterprise devices

You can use app configuration policies to manage the S/MIME setting for Outlook on devices that run Android Enterprise. You can also choose whether or not to allow the device users to enable or disable S/MIME in Outlook settings. To use app configuration policies for Android, in the Microsoft Endpoint Manager admin center go to Apps > App configuration policies > Add > Managed devices. For more information about configuring settings for Outlook, see Microsoft Outlook configuration settings.

Pre-release testing for Managed Google Play apps

Organizations that are using Google Play’s closed test tracks for app pre-release testing can manage these tracks with Intune. You can selectively assign apps that are published to Google Play’s pre-production tracks to pilot groups in order to perform testing. In Intune, you can see whether an app has a pre-production build test track published to it, as well as be able to assign that track to AAD user or device groups. This feature is available for all of our currently supported Android Enterprise scenarios (work profile, fully managed, and dedicated). In the Microsoft Endpoint Manager admin center, you can add a Managed Google Play app by selecting Apps > Android > Add. For more information, see Working with Managed Google Play Closed Testing Tracks.

Microsoft Teams is now included in the Office 365 Suite for macOS

Users who are assigned Microsoft Office for macOS in Microsoft Endpoint Manager will now receive Microsoft Teams in addition to the existing Microsoft Office apps (Word, Excel, PowerPoint, Outlook, and OneNote). Intune will recognize the existing Mac devices that have the other Office for macOS apps installed, and will attempt to install Microsoft Teams the next time the device checks in with Intune. In the Microsoft Endpoint Manager admin center, you can find the Office 365 Suite for macOS by selecting Apps > macOS > Add. For more information, see Assign Office 365 to macOS devices with Microsoft Intune.

Update to Android app configuration policies

Android app configuration policies have been updated to allow admins to select the device enrollment type before creating an app config profile. The functionality is being added to account for certificate profiles that are based on enrollment type (Work profile or Device Owner). This update provides the following:

  1. If a new profile is created and Work Profile and Device Owner Profile are selected for device enrollment type, you will not be able to associate a certificate profile with the app config policy.
  2. If a new profile is created and Work Profile only is selected, Work Profile certificate policies created under Device Configuration can be utilized.
  3. If a new profile is created and Device Owner only is selected, Device Owner certificate policies created under Device Configuration can be utilized.

Important

Existing policies created prior to the release of this feature (April 2020 release – 2004) that do not have any certificate profiles associated with the policy will default to Work Profile and Device Owner Profile for device enrollment type. Also, existing policies created prior to the release of this feature that have certificate profiles associated with them will default to Work Profile only.

Additionally, we are adding Gmail and Nine email configuration profiles that will work for both Work Profile and Device Owner enrollment types, including the use of certificate profiles on both email configuration types. Any Gmail or Nine policies that you have created under Device Configuration for Work Profiles will continue to apply to the device and it is not necessary to move them to app configuration policies.

In the Microsoft Endpoint Manager admin center, you can find app configuration policies by selecting Apps > App configuration policies. For more information about app configuration policies, see App configuration policies for Microsoft Intune.

Push notification when device ownership type is changed

You can configure a push notification to send to both your Android and iOS Company Portal users when their device ownership type has been changed from Personal to Corporate as a privacy courtesy. This push notification is set to off by default. The setting can be found in the Microsoft Endpoint Manager by selecting Tenant administration > Customization. To learn more about how device ownership affects your end-users, see Change device ownership.

Group targeting support for Customization pane

You can target the settings in the Customization pane to user groups. To find these settings in Intune, navigate to the Microsoft Endpoint Manager admin center, select Tenant administration > Customization. For more information about customization, see How to customize the Intune Company Portal apps, Company Portal website, and Intune app.

Microsoft Office 365 ProPlus rename

Microsoft Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. To learn more, see Name change for Office 365 ProPlus. In our documentation, we’ll commonly refer to it as Microsoft 365 Apps. In the Microsoft Endpoint Manager admin center, you can find the apps suite by selecting Apps > Windows > Add. For information about adding apps, see Add apps to Microsoft Intune.

Device Configuration

New shell script settings for macOS devices

When configuring shell scripts for macOS devices, you can now configure the following new settings:

  • Hide script notifications on devices
  • Script frequency
  • Maximum number of times to retry if script fails

For more information, see Use shell scripts on macOS devices in Intune.

Multiple “Evaluate each connection attempt” on-demand VPN rules supported on iOS, iPadOS, and macOS

The Intune user experience allows multiple on-demand VPN rules in the same VPN profile with the Evaluate each connection attempt action (Devices > Configuration profiles > Create profile > iOS/iPadOS or macOS for platform > VPN for profile > Automatic VPN > On-demand).

Previously, only the first rule in the list was honored. This behavior is fixed, and Intune now evaluates all rules in the list, in the order they appear in the on-demand rules list.

Note

If you have existing VPN profiles that use these on-demand VPN rules, the fix applies the next time you change the VPN profile. For example, make a minor change, such as changing the connection name, and then save the profile.

If you’re using SCEP certificates for authentication, this change causes the certificates for this VPN profile to be re-issued.

Applies to:

  • iOS/iPadOS
  • macOS

For more information on VPN profiles, see Create VPN profiles.

Additional options in SSO and SSO app extension profiles on iOS/iPadOS devices

On iOS/iPadOS devices, you can:

  • In SSO profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > Single sign-on), set the Kerberos principal name to be the Security Account Manager (SAM) account name in SSO profiles.
  • In SSO app extension profiles (Devices > Configuration profiles > Create profile > iOS/iPadOS for platform > Device features for profile > Single sign-on app extension), configure the iOS/iPadOS Microsoft Azure AD extension with fewer clicks by using a new SSO app extension type. You can enable the Azure AD extension for devices in shared device mode and send extension-specific data to the extension.

Applies to:

  • iOS/iPadOS 13.0+

For more information on using single sign-on on iOS/iPadOS devices, see Single sign-on app extension overview and Single sign-on settings list.

Device enrollment

Delete Apple Automated Device Enrollment token when default profile is present

Previously, you couldn’t delete a default profile, which meant that you couldn’t delete the Automated Device Enrollment token associated with it. Now, you can delete the token when:

  • no devices are assigned to the token
  • a default profile is present

To do so, delete the default profile and then delete the associated token. For more information, see Delete an ADE token from Intune.

Scaled up support for Apple Automated Device Enrollment and Apple Configurator 2 devices, profiles, and tokens

To help distributed IT departments and organizations, Intune now supports up to 1000 enrollment profiles per token, 2000 Automated Device Enrollment (formerly known as DEP) tokens per Intune account, and 75,000 devices per token. There is no specific limit for devices per enrollment profile, below the maximum number of devices per token.

Intune now supports up to 1000 Apple Configurator 2 profiles.

For more information, see Supported volume.

All devices page column entry changes

On the All devices page, the entries for the Managed by column have changed:

  • Intune is now displayed instead of MDM
  • Co-managed is now displayed instead of MDM/ConfigMgr Agent

The export values are unchanged.

Monitor and troubleshoot

Collect logs to better troubleshoot scripts assigned to macOS devices

You can now collect logs for improved troubleshooting of scripts assigned to macOS devices. You can collect logs up to 60 MB (compressed) or 25 files, whichever occurs first. For more information, see Troubleshoot macOS shell script policies using log collection.

Security

Derived credentials to provision Android Enterprise Fully Managed devices with certificates

Intune now supports use of derived credentials as an authentication method for Android devices. Derived credentials are an implementation of the National Institute of Standards and Technology (NIST) 800-157 standard for deploying certificates to devices. Our support for Android expands on our support for devices that run iOS/iPadOS.

Derived credentials rely on the use of a Personal Identity Verification (PIV) or Common Access Card (CAC) card, like a smart card. To get a derived credential for their mobile device, users start in the Microsoft Intune app and follow an enrollment workflow that is unique to the provider you use. Common to all providers is the requirement to use a smart card on a computer to authenticate to the derived credential provider. That provider then issues a certificate to the device that’s derived from the user’s smart card.

You can use derived credentials as the authentication method for device configuration profiles for VPN and WiFi. You can also use them for app authentication, and S/MIME signing and encryption for applications that support it.

Intune now supports the following derived credential providers with Android:

  • Entrust Datacard
  • Intercede

A third provider, DISA Purebred, will be available for Android in a future release.

Microsoft Edge security baseline is now Generally Available

A new version of the Microsoft Edge security baseline is now available and is released as generally available (GA). The previous Edge baseline was in Preview. The new baseline version is April 2020 (Edge version 80 and later).

With the release of this new baseline, you’ll no longer be able to create profiles based on the previous baseline versions, but you can continue to use profiles you created with those versions. You can also choose to update your existing profiles to use the latest baseline version.

Microsoft Apps for Enterprise – Changing Channels, New Channel and Default changes.

Microsoft has now announced that Microsoft Apps for Enterprise will receive 3 changes to its product releases. These changes are currently In Development, but I don't expect them to stay in that state for long, as I am already seeing one of the changes within my own tenant.

Changes to the current Channel Names

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63585

Over the lifetime of Office ProPlus, which is now Microsoft Apps for Business, Microsoft has changed the channel names multiple times, so this new development isn't a surprise, as Microsoft does love a name change.

Existing Channel Name -> New Channel Name
Semi-Annual -> Semi-Annual Enterprise
Semi-Annual (Targeted) -> Semi-Annual Enterprise (Preview)
Monthly -> Current
Monthly (Targeted) -> Current (Preview)

New update channel for Microsoft Apps for Enterprise

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63591

In the past, there have only ever been 4 main channels for Microsoft Apps for Enterprise (not including the insider release channels). Microsoft has announced that it is creating a new channel to help customers who want to stay up to date with feature updates, such as real-time collaboration and AI capabilities. This channel will be called Monthly Enterprise.

Default Channel for new Office 365 Tenants

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=63757

For existing Office 365 tenants you should be familiar with Semi-Annual Channel being the default channel; however, for new Office 365 tenants the default will become the Current Channel.

Regards
The Author – Blogabout.Cloud

Delivering your favourite configuration, tweaks and PowerShell modules to all of your Microsoft Endpoint Managed Windows 10 devices.

In recent times I have had to rebuild a number of my Windows 10 devices and reinstall my favourite scripts, applications and tweaks, which got me thinking there must be a better way of rebuilding my devices, so here's my approach.

Azure Blob Storage

After transitioning from a very UC focused role I have been developing an appreciation for the whole M365 stack and how Microsoft Azure can work hand in hand with it to address potential problems or scenarios. Microsoft has done a very good job in providing a platform that enables businesses and organisations to leverage their subscriptions in more powerful ways, so with that being said let's look at Azure Blob Storage.

First of all we need to log into the Azure Portal, as this is where all the required work will now take place. Once logged in you will need to search for Storage account, as this is where all files will need to be stored. In my case I have already created a Storage Account, but you can create one by using the Add button.

Storage Accounts

Now that you have created the Storage Account, you will need to go to Containers as shown below.

Containers

Again, in my case I already have a container called intuneblogaboutcloud, but you can create your container by clicking + Container.

New / Existing Containers

We can now upload all required PowerShell scripts, installers, images etc. depending on what you are intending to achieve. In my container, I have created folders to structure the data.

Structure to the container

One of the key things to understand is that each uploaded file has its own unique URL. Please keep this in mind, as later in this post I will be demonstrating how I use this URL to deliver customizations to my Windows 10 devices.

Example of the blob uploaded

PowerShell Scripts

Microsoft Endpoint Manager has the ability to deliver PowerShell scripts to any and all enrolled Windows 10 devices. As I was getting annoyed at having to reinstall the PowerShell customizations and tweaks I like to perform on my client machines, I created several scripts that do the hard work for me.

Now we will need to connect to the Microsoft Endpoint Manager portal. Once logged in, browse to Devices –> PowerShell Scripts.

PowerShell Scripts

As you can see from the above, I am currently delivering 3 scripts to my Windows 10 endpoints, so let's look at them a bit closer.

Microsoft Teams – Custom Backgrounds

Please refer to my dedicated post about publishing custom backgrounds for Microsoft Teams.

PowerShell – Common Modules

In my line of work, I use a number of PowerShell modules to help me achieve the outcomes required to complete a project or ad-hoc work for customers.

The below script installs the following PowerShell modules

One of the unique features of this script is that it checks the PSGallery for updated versions of the modules. However, this feature isn't effective when using MEM for delivery unless a modified script is uploaded to MEM.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-CommonModules.ps1

PowerShell – Custom PowerShell Tweaks

While working on a customer engagement there was a requirement to deliver customization to Windows 10 endpoints and to achieve this via a “Cloud First Approach”.

The below script is designed to perform the following:

  • Create a local directory to download all files from Azure Blob Storage (C:\_build)
  • Download all specified files from Azure Blob Storage
  • Run all applications or scripts
  • Remove C:\_build folder directory
  • Run any necessary PowerShell commands to configure applications.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-AppsfromBlobStorage.ps1

As mentioned in the Azure Blob Storage section, the unique URL has an important part to play. As you can see from the image below, I have highlighted 3 sections:

  • 1 – The unique URL with its own unique variable name $chromeinstaller
  • 2 – The download command
  • 3 – The installer command

Even with limited PowerShell experience, you will be able to understand how this script works and customize it to your needs. Whether it's an .msi, .exe or .ps1, you just modify the script to suit.
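The post's own Get-AppsfromBlobStorage.ps1 is linked above; what follows is an added example written for this post, not the author's script. It implements the same five steps (create C:\_build, download, run, clean up, configure) with one addition a practitioner wants when a device-wide script runs as SYSTEM and executes whatever a blob URL returns: every file's SHA256 is pinned in a manifest and verified before it is run. The storage account, container, file names, silent switches and hashes are placeholders.

```powershell
# Added example, not the post's Get-AppsfromBlobStorage.ps1: download from Azure Blob
# Storage into C:\_build, verify each file's SHA256 against a pinned value, run it,
# then remove the staging folder. Placeholders: <storageaccount>, <container>,
# file names and the Sha256 values (compute yours with Get-FileHash at upload time).

$BuildDir = 'C:\_build'

# Manifest: one entry per blob. Type decides how the file is executed after download.
$Manifest = @(
    @{ Name   = 'GoogleChromeStandaloneEnterprise64.msi'
       Url    = 'https://<storageaccount>.blob.core.windows.net/<container>/apps/GoogleChromeStandaloneEnterprise64.msi'
       Sha256 = '<sha256 of the uploaded msi>'
       Type   = 'msi' }
    @{ Name   = 'Set-Tweaks.ps1'
       Url    = 'https://<storageaccount>.blob.core.windows.net/<container>/scripts/Set-Tweaks.ps1'
       Sha256 = '<sha256 of the uploaded script>'
       Type   = 'ps1' }
)

function Get-VerifiedBlob {
    # Download one manifest item and return its local path only if the hash matches.
    param([hashtable]$Item)
    $dest = Join-Path $BuildDir $Item.Name
    Invoke-WebRequest -Uri $Item.Url -OutFile $dest -UseBasicParsing
    $actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($actual -ne $Item.Sha256) {      # -ne is case-insensitive in PowerShell
        Remove-Item -Path $dest -Force
        throw "Hash mismatch for $($Item.Name): expected $($Item.Sha256), got $actual"
    }
    return $dest
}

function Invoke-Payload {
    # Run a verified file according to its type. The exe silent switch is installer-specific.
    param([string]$Path, [string]$Type)
    switch ($Type) {
        'msi' { Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$Path`" /qn /norestart" -Wait -NoNewWindow }
        'exe' { Start-Process -FilePath $Path -ArgumentList '/S' -Wait -NoNewWindow }
        'ps1' { & $Path }
        default { throw "Unknown payload type '$Type' for $Path" }
    }
}

New-Item -Path $BuildDir -ItemType Directory -Force | Out-Null
try {
    foreach ($item in $Manifest) {
        $file = Get-VerifiedBlob -Item $item
        Invoke-Payload -Path $file -Type $item.Type
    }
    # Any post-install configuration commands go here, after every payload has run.
}
finally {
    # Remove the staging folder whether or not every item succeeded.
    Remove-Item -Path $BuildDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

A failed hash check throws, which the IntuneManagementExtension records in Result/ResultDetails, so a swapped or corrupted blob shows up as a script failure rather than a silent install.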

W32 Apps

Finally, delivering applications to Windows 10 using the native W32 App method. Microsoft has already made it easier with Microsoft Apps for Enterprise (aka Office ProPlus), but as you can see I have leveraged MEM to install a number of MSI files that I like on my machines. I will not go into detail on this section as it's quite straightforward.

So there you have it, customizing my Windows 10 devices with my tweaks, modules and applications via Microsoft Endpoint Manager + Azure Blob Storage and PowerShell.

Regards
The Author – Blogabout.Cloud

Windows 10 – Administrative Templates (Improvements)

Since the introduction of Administrative Templates in Microsoft Intune, as it was known at the time, I have tried to include my customers in the journey of adopting a “Cloud First” approach over on-premises Group Policies. In my experience, most customers today have tens to hundreds of GPOs in place that are either legacy or not relevant to their environment today.

One of the biggest challenges for me as a consultant was wading through the lines and lines of configuration options available in Administrative Templates.

As you can see below, it is just lines and lines of configuration settings.

Now, with the improvements to Administrative Templates, we have the look and feel of on-premises Group Policy. This is a massive step in the right direction, ensuring that any IT professional without cloud experience gets a familiar interface.

If you still feel that Administrative Templates are not quite there for your enterprise needs, do not fear: MMAT (the MDM Migration Analysis Tool) is another great solution for analysing your current Group Policies and identifying which policies can be migrated to the cloud using custom OMA-URI profiles.

https://github.com/WindowsDeviceManagement/MMAT

IMPORTANT Reminder
The Intune blades are being removed from the Azure portal in favour of the Microsoft Endpoint Manager admin center, so get into the habit now of browsing to http://endpoint.microsoft.com, the home of modern management.

Regards
The Author – Blogabout.Cloud

Deploying custom Microsoft Teams Backgrounds with Azure Blob Storage and Microsoft Endpoint Manager

In previous blogs I have covered how to install applications and perform customisation using Azure Blob Storage. The following process uses the same approach.

I have uploaded the images to a container within Azure, if you are unsure how to complete this please refer to;

The above post provides detailed information in configuring Azure Blob Storage for your needs.

Once you have uploaded the files you would like to push to the client devices, download the Get-TeamsBackgroundfromBlobStorage.ps1 script from GitHub.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-TeamsBackgroundfromBlobStorage.ps1

Modify the URLs to reference your own Azure Blob Storage container, as shown below.

You will need to go to the Microsoft Endpoint Manager admin center at http://endpoint.microsoft.com, then browse to Devices –> Scripts –> Add.

Once you have added the modified script and assigned it to the relevant users, devices or both, the script will execute on the device at its next check-in and make the new backgrounds available. Because the images are written into the signed-in user's profile, set “Run this script using the logged on credentials” to Yes when adding the script; in the default SYSTEM context the files would land in the wrong profile.
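As an added example (my code, not the Get-TeamsBackgroundfromBlobStorage.ps1 script linked above), the following places images into the per-user Teams backgrounds folder, refuses to run in the SYSTEM context, verifies each download against a known hash and is safe to re-run. It assumes the script is assigned to run with the logged-on user's credentials; the container URL, file names and hashes are placeholders.

```powershell
# Added example, not the blog's Get-TeamsBackgroundfromBlobStorage.ps1. Assumes the script
# is assigned with "Run this script using the logged on credentials" = Yes, because the
# backgrounds live in the signed-in user's profile. URLs, file names and hashes are placeholders.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Under SYSTEM, $env:APPDATA is the SYSTEM profile and the images would land where no user sees them.
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Running as SYSTEM: assign this script to run with the logged-on user credentials.'
}

# Classic Teams reads custom backgrounds from this per-user folder.
$uploads = Join-Path $env:APPDATA 'Microsoft\Teams\Backgrounds\Uploads'

$images = @(
    @{ Url = 'https://storageaccount.blob.core.windows.net/backgrounds/corp-lobby.png'
       File = 'corp-lobby.png'; Sha256 = '0000000000000000000000000000000000000000000000000000000000000000' }
    @{ Url = 'https://storageaccount.blob.core.windows.net/backgrounds/corp-logo.jpg'
       File = 'corp-logo.jpg'; Sha256 = '0000000000000000000000000000000000000000000000000000000000000000' }
)

function Add-TeamsBackground {
    param([hashtable]$Image)
    $target = Join-Path $uploads $Image.File

    # Idempotent: Intune re-runs a script after a failure or an edit, so skip files
    # that are already present with the expected content.
    if ((Test-Path $target) -and (Get-FileHash $target -Algorithm SHA256).Hash -eq $Image.Sha256) {
        return "$($Image.File): already present"
    }

    # Download to a temp file, verify, then move into place so Teams never sees a partial image.
    $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.tmp')
    Invoke-WebRequest -Uri $Image.Url -OutFile $tmp -UseBasicParsing
    $actual = (Get-FileHash $tmp -Algorithm SHA256).Hash
    if ($actual -ne $Image.Sha256) {
        Remove-Item $tmp -Force
        throw "SHA256 mismatch for $($Image.File): expected $($Image.Sha256), got $actual"
    }
    Move-Item -Path $tmp -Destination $target -Force
    "$($Image.File): added"
}

New-Item -ItemType Directory -Path $uploads -Force | Out-Null
foreach ($img in $images) { Add-TeamsBackground -Image $img }
```

The hash check matters more here than it looks: the files are images, but they are fetched from an anonymous-read URL and written into every user's profile, so pinning them is the cheapest way to make sure a replaced blob does not quietly reach the whole estate.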

As you can see from my image below, my 2 new images have appeared as options.

Regards,
The Author – Blogabout.Cloud

Going Passwordless with YubiKey by Yubico

This has been on my To-Do list for such a long time and, because of Covid-19, I have finally found the hours required to get it done. A while back I received two YubiKeys and never got around to testing them 🙁 naughty, I know. So let's look at Yubico.

Microsoft and Yubico have created a path to a passwordless future for organisations of all shapes and sizes, built on the FIDO2 and U2F standards, which Yubico co-authored with Microsoft and Google. Yubico is also a founding member of the FIDO Alliance.

How does it all work, I hear you ask?

The YubiKey supports multiple authentication methods, so the same key can be used across services and applications, and its out-of-the-box integration with the Microsoft environment makes for a rapid deployment.

The steps involved in user sign-in with a FIDO2 security key:
  1. The user plugs the FIDO2 security key into their computer.
  2. Windows detects the FIDO2 security key.
  3. Windows sends an authentication request.
  4. Azure AD sends back a nonce.
  5. The user completes their gesture to unlock the private key stored in the FIDO2 security key’s secure enclave.
  6. The FIDO2 security key signs the nonce with the private key.
  7. The primary refresh token (PRT) request, including the signed nonce, is sent to Azure AD.
  8. Azure AD verifies the signed nonce using the FIDO2 public key.
  9. Azure AD returns PRT to enable access to on-premises resources.
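To make steps 4, 6 and 8 concrete, here is an added example in PowerShell using .NET ECDSA on P-256. It is my illustration, not Yubico or Microsoft code, and it is not the WebAuthn/CTAP2 wire format (which also signs authenticator data and the client data hash); it models only the challenge-response at the heart of the flow. The $authenticator object stands in for the private key that never leaves the YubiKey, and $relyingParty (Azure AD) holds only the public key registered at enrolment.

```powershell
# Added example modelling steps 4, 6 and 8 above with .NET ECDSA on P-256. Not Yubico or
# Microsoft code, and not the WebAuthn/CTAP2 wire format. $authenticator stands in for the
# private key inside the YubiKey; $relyingParty (Azure AD) holds only the public key.
$curve = [System.Security.Cryptography.ECCurve+NamedCurves]::nistP256
$hash  = [System.Security.Cryptography.HashAlgorithmName]::SHA256

# Enrolment: the key generates the pair; only the public half is exported to the relying party.
$authenticator = [System.Security.Cryptography.ECDsa]::Create($curve)
$relyingParty  = [System.Security.Cryptography.ECDsa]::Create($curve)
$relyingParty.ImportParameters($authenticator.ExportParameters($false))   # $false: public only

# Step 4: Azure AD issues a fresh, unpredictable nonce for this sign-in.
function New-Nonce {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return $bytes
}

# Steps 5-6: the key signs the nonce, but only once the user gesture (touch) is present.
function Invoke-Authenticator {
    param([byte[]]$Nonce, [switch]$UserPresent)
    if (-not $UserPresent) { throw 'User presence not confirmed; private key stays locked.' }
    return $authenticator.SignData($Nonce, $hash)
}

# Step 8: Azure AD checks the signature against the public key it holds for this credential.
function Test-SignedNonce {
    param([byte[]]$Nonce, [byte[]]$Signature)
    return $relyingParty.VerifyData($Nonce, $Signature, $hash)
}

$nonce     = New-Nonce
$signature = Invoke-Authenticator -Nonce $nonce -UserPresent
$fresh     = Test-SignedNonce -Nonce $nonce -Signature $signature

# Replay: a signature captured from one sign-in is useless against the next nonce,
# which is why the round trip in step 4 exists at all.
$replayed  = Test-SignedNonce -Nonce (New-Nonce) -Signature $signature

[pscustomobject]@{ FreshNonceVerified = $fresh; ReplayedSignatureVerified = $replayed }
```

FreshNonceVerified is the happy path of step 8; ReplayedSignatureVerified is the check an attacker who captured the first signature would fail. Omitting -UserPresent throws, which is the behaviour behind step 5: nothing is signed until the user touches the key.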

Enabling support for Yubikey

Time to log into your Azure Active Directory via http://portal.azure.com

Select Security
Select Authentication methods
Select FIDO2 Security Key and Enable for your environment

Now that the easy bit is completed, the next step is educating the users.


Configuring Yubikey

Each user will need to visit https://myprofile.microsoft.com/ and then:

Select Security Info
Click Add Method
Select Security Key –> Add
Select USB device
Press Next
Insert your Security Key into one of your USB ports.
Specify a security key PIN
Touch the button on the security key
Provide a name to identify the security key
All Done!!

How does the sign-in work?

Well, it is really simple. Check out the video below.

Regards
The Author – Blogabout.Cloud

Cloud App Discovery: New activity policy templates for Microsoft Teams

Microsoft has now released three brand-new activity policy templates for Microsoft Teams. With the current state of the world, I believe these additions are perfect for organisations that were forced into a “working from home” culture but were not geared up for it. These activity policy templates enable you to detect potentially suspicious activities in Microsoft Teams:

  • Access level change (Teams): Alerts when a team’s access level is changed from private to public.
  • External user added (Teams): Alerts when an external user is added to a team.

Please see the screenshot below for an example of the alert you would see in Cloud App Security.

  • Mass deletion (Teams): Alerts when a user deletes a large number of teams.

Please see the screenshot below for an example of the alert you would see in Cloud App Security.
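To show what the three templates are actually matching on, here is an added example that expresses the same conditions as plain PowerShell over a handful of constructed audit records. It is my illustration, not Cloud App Security's own detection logic: the records are modelled on the Office 365 unified audit log's Microsoft Teams operations (TeamSettingChanged, MemberAdded, TeamDeleted), the remaining field names, the tenant domain and the mass-deletion threshold are assumptions, and every record is made up.

```powershell
# Added example: the three template conditions above as plain PowerShell over constructed
# records. Not Cloud App Security's own logic. Records are modelled on the unified audit log's
# Teams operations; the field names beyond Operation/UserId/CreationTime are assumptions.
$tenantDomain = 'contoso.com'   # assumption: internal users end in this domain

$records = @'
[
 {"CreationTime":"2020-04-20T09:00:00","UserId":"alice@contoso.com","Operation":"TeamSettingChanged","TeamName":"Finance","Name":"Team access type","OldValue":"Private","NewValue":"Public"},
 {"CreationTime":"2020-04-20T09:05:00","UserId":"bob@contoso.com","Operation":"MemberAdded","TeamName":"Project X","Members":[{"UPN":"carol_fabrikam.com#EXT#@contoso.onmicrosoft.com"}]},
 {"CreationTime":"2020-04-20T09:06:00","UserId":"bob@contoso.com","Operation":"MemberAdded","TeamName":"Project X","Members":[{"UPN":"dave@contoso.com"}]},
 {"CreationTime":"2020-04-20T09:10:00","UserId":"eve@contoso.com","Operation":"TeamDeleted","TeamName":"Old Team 1"},
 {"CreationTime":"2020-04-20T09:11:00","UserId":"eve@contoso.com","Operation":"TeamDeleted","TeamName":"Old Team 2"},
 {"CreationTime":"2020-04-20T09:12:00","UserId":"eve@contoso.com","Operation":"TeamDeleted","TeamName":"Old Team 3"},
 {"CreationTime":"2020-04-20T09:13:00","UserId":"eve@contoso.com","Operation":"TeamDeleted","TeamName":"Old Team 4"},
 {"CreationTime":"2020-04-20T09:14:00","UserId":"eve@contoso.com","Operation":"TeamDeleted","TeamName":"Old Team 5"},
 {"CreationTime":"2020-04-20T15:00:00","UserId":"frank@contoso.com","Operation":"TeamDeleted","TeamName":"Retired Team"}
]
'@ | ConvertFrom-Json

function New-Alert {
    param($Rule, $Record, $Detail)
    [pscustomobject]@{ Rule = $Rule; Time = [datetime]$Record.CreationTime; User = $Record.UserId; Detail = $Detail }
}

# Access level change: a team flipped from Private to Public.
function Find-AccessLevelChange {
    param($Records)
    $Records | Where-Object { $_.Operation -eq 'TeamSettingChanged' -and $_.OldValue -eq 'Private' -and $_.NewValue -eq 'Public' } |
        ForEach-Object { New-Alert 'Access level change (Teams)' $_ "$($_.TeamName) changed from Private to Public" }
}

# External user added: guests carry #EXT# in their UPN; a UPN outside the tenant domain is the second check.
function Find-ExternalUserAdded {
    param($Records, [string]$TenantDomain)
    foreach ($r in ($Records | Where-Object Operation -eq 'MemberAdded')) {
        $external = @($r.Members | Where-Object { $_.UPN -like '*#EXT#*' -or $_.UPN -notlike "*@$TenantDomain" })
        if ($external.Count -gt 0) {
            New-Alert 'External user added (Teams)' $r "$($external.UPN -join ', ') added to $($r.TeamName)"
        }
    }
}

# Mass deletion: sliding window, one alert per user when $Threshold deletions fall within $WindowMinutes.
function Find-MassDeletion {
    param($Records, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $deletes = $Records | Where-Object Operation -eq 'TeamDeleted' | Sort-Object { [datetime]$_.CreationTime }
    foreach ($group in ($deletes | Group-Object UserId)) {
        $events = @($group.Group)
        for ($i = 0; $i + $Threshold -le $events.Count; $i++) {
            $span = ([datetime]$events[$i + $Threshold - 1].CreationTime) - ([datetime]$events[$i].CreationTime)
            if ($span.TotalMinutes -le $WindowMinutes) {
                New-Alert 'Mass deletion (Teams)' $events[$i + $Threshold - 1] "$Threshold teams deleted in $([int]$span.TotalMinutes) min"
                break
            }
        }
    }
}

$alerts = @(Find-AccessLevelChange $records) + @(Find-ExternalUserAdded $records $tenantDomain) + @(Find-MassDeletion $records)
$alerts | Sort-Object Time | Format-Table -AutoSize
```

Run against the constructed records it raises one alert per template: Alice's Finance team going public, Carol's guest account being added to Project X, and Eve's five deletions inside a ten-minute window; Dave's internal addition and Frank's single deletion produce nothing. The threshold and window are the knobs you would tune in the real policy, and the "Members" and "OldValue/NewValue" shapes are the bits to confirm against your own exported audit records before reusing this anywhere.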

Regards
The Author – Blogabout.Cloud