Delivering your corporate applications can be a nightmare if you don't have an enterprise delivery solution like System Center or a 3rd-party mechanism.
So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.
Azure Storage Account
One of the requirements for this solution is an Azure Storage Account within your Azure subscription; this account will be used for storing the applications which you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.
Storage Account
Specify the required settings within the Basic tab for creating a Storage Account.
Basic Properties
Using the default settings as shown below
Advanced Properties
Click Review and Create
Click Create
Configuring Storage Account with required Applications
Click Container, specify the Name, and select Container (anonymous read access for containers and blobs) under Public Access Level. This level lets anyone who knows a blob's URL download it without authentication.
Blob – Container
Select your container
Select Upload
Select the files you want to upload
Modify the block size if it's less than the size of the files you are uploading
Select Upload
Once the files are uploaded they each have a unique URL which is used to identify the file, as shown below. This will be required later for the PowerShell script.
The PowerShell Script!!!
This script has been made available on GitHub; you will need to modify the following:
$bginfo64 and $layout, to reference the Azure Blob Storage URL of each file
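As an added example (not the script the post links on GitHub), the following shows the shape of an Intune PowerShell script that pulls the two files from your blob URLs. It assumes the files are a 64-bit BGInfo executable and its layout file, and it checks each download against a SHA256 you record at upload time, since an anonymous-read container gives no assurance of its own that the bytes are the ones you uploaded. The URLs and hashes are placeholders.

```powershell
# Added example, not from the original post. Downloads the two files from your
# Azure Blob Storage URLs and verifies them before use. The URLs and hashes are
# placeholders: replace with your own blob URLs and the SHA256 of the files you uploaded.
$bginfo64 = 'https://<storageaccount>.blob.core.windows.net/<container>/Bginfo64.exe'
$layout   = 'https://<storageaccount>.blob.core.windows.net/<container>/layout.bgi'
$expected = @{
    $bginfo64 = '<SHA256-OF-BGINFO64-EXE>'
    $layout   = '<SHA256-OF-LAYOUT-BGI>'
}
$dest = Join-Path $env:ProgramData 'BGInfo'   # assumed install folder
New-Item -ItemType Directory -Path $dest -Force | Out-Null

function Get-VerifiedBlob {
    param([string]$Url, [string]$Sha256, [string]$Folder)
    $file = Join-Path $Folder ([uri]$Url).Segments[-1]
    # Force TLS 1.2 for older Windows 10 builds whose default is lower
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing
    $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        # Do not keep a file that does not match what was uploaded
        Remove-Item -Path $file -Force
        throw "Hash mismatch for $Url : expected $Sha256, got $actual"
    }
    return $file
}

try {
    $exe = Get-VerifiedBlob -Url $bginfo64 -Sha256 $expected[$bginfo64] -Folder $dest
    $bgi = Get-VerifiedBlob -Url $layout   -Sha256 $expected[$layout]   -Folder $dest
    # Apply the layout silently; the exit code is what Intune reports for the script
    Start-Process -FilePath $exe -ArgumentList "`"$bgi`" /timer:0 /nolicprompt /silent" -Wait
    exit 0
} catch {
    Write-Error $_
    exit 1
}
```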
Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.
The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.
Next, enter the basics, such as the name of the policy and an optional description.
Then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings.
Also notice the options offered for key rotation.
This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.
Important notice!!
As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.
Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.
The settings that can be configured here include:
BitLocker – Base Settings
Enable full disk encryption for OS and fixed data drives
Require storage cards to be encrypted (mobile only)
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify GPOs not supported by MDM.
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies win over GPO.
Let's get to it: launch the Microsoft Endpoint Manager dashboard –> Go to Devices –> Configuration Profiles –> Create Profile
Platform – Windows 10 and later
Profile – Custom
Click Create
Click Add and enter the below
Name: ConflictPolicyConflict
Description: Enter value if required
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1
Click Save –> Press Next
If you are using Scope Tags – Define your tags and Press Next
Define your selected groups of machines for the profile and Press Next
Define applicability rules if in use and Press Next
Press Create
This will now force MDM Policies to win over Group Policies assigned to a Windows 10 device.
There is a registry key that decreases the delay for end-users to see their administratively assigned libraries via the OneDrive sync client.
Important Note
The purpose of this Proactive Remediation profile is to set the registry key every time a user reboots the client device, because the key is removed at reboot. Proactive Remediation is a solution that detects, on a recurring schedule, whether this registry key exists and, if not, creates it.
So let's get on with creating the Proactive Remediation profile.
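The detection/remediation pair described above, as an added example that is not part of the original post. Intune runs the detection script on the schedule; exit code 1 means "non-compliant" and triggers the remediation script, exit code 0 means "compliant". The registry path, value name and data are placeholders, not the OneDrive value the post refers to.

```powershell
# Added example, not from the original post. One file holding both halves of a
# Proactive Remediation; upload it twice, with $mode set to 'Detect' for the
# detection script and 'Remediate' for the remediation script.
# Placeholders: substitute the real key, value name and data.
$KeyPath   = 'HKCU:\SOFTWARE\<Vendor>\<Product>'   # placeholder
$ValueName = '<ValueName>'                          # placeholder
$ValueData = 1                                      # placeholder (DWORD)
$mode      = 'Detect'                               # 'Detect' or 'Remediate'
# A per-user (HKCU) value needs "Run this script using the logged-on credentials" = Yes
# in the profile; otherwise the script runs as SYSTEM and writes SYSTEM's hive.

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Data)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq $Data)
}

function Set-RegValue {
    param([string]$Path, [string]$Name, [int]$Data)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Data -Type DWord
    return (Test-RegValue -Path $Path -Name $Name -Data $Data)
}

switch ($mode) {
    'Detect' {
        if (Test-RegValue -Path $KeyPath -Name $ValueName -Data $ValueData) {
            Write-Output "Compliant: $KeyPath\$ValueName = $ValueData"
            exit 0
        }
        Write-Output "Missing: $KeyPath\$ValueName"   # exit 1 makes Intune run remediation
        exit 1
    }
    'Remediate' {
        if (Set-RegValue -Path $KeyPath -Name $ValueName -Data $ValueData) {
            Write-Output "Remediated: $KeyPath\$ValueName = $ValueData"
            exit 0
        }
        Write-Output "Remediation failed for $KeyPath\$ValueName"
        exit 1
    }
}
```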
First of all, we need to create a Configuration Profile within Microsoft Endpoint Manager; you'll need to gather the SharePoint document library ID (or IDs) for all the locations you would like to publish to your Windows 10 devices. In this blog I am going to publish the Blogabout Cloud Library to all my devices.
A window will now appear (if you receive any prompts to open OneDrive, ignore them); click Copy library ID and keep this handy.
Creating the Configuration Profile
In order to apply the configuration to your Windows 10 devices that are enrolled into Microsoft Endpoint Manager, launch Microsoft Endpoint Manager and go to Devices –> Configuration Profiles –> Create Profile
Select Windows 10 and Administrative Templates
Press Next
Provide a Name for the profile and brief description as shown below
Under Computer Configuration and OneDrive, look for the setting Configure team site libraries to sync automatically
Click Enable
Enter the name you would like to be displayed and the Library ID as shown below
I am now going to recommend a number of other Microsoft OneDrive settings:
Setting – Configuration
Silently sign in users to the OneDrive sync app with their Windows credentials – Enabled
Silently move Windows known folders to OneDrive – Enabled
Use OneDrive Files On-Demand – Enabled
Require user to confirm large delete operations – Enabled
Convert synced team site files to online-only files – Enabled
That completes the Configuration Profile setup, deploy this to your test users before deploying to production.
In my next post I am going to be looking at leveraging Proactive Remediation to decrease the synchronization time of assigned libraries to the Windows 10 device. The Microsoft default is 8 hours before the assigned libraries are published.
I have recently been importing ADMX templates and generating potential errors that IT Administrators may encounter. This post covers one of the errors you may receive if you don't configure the Custom Profile correctly.
So, as you can see below, I am receiving Error Code 0x87d10190; the cause of this error is the string being incorrect.
When typing, copying or pasting in the string for the ADMX template you need to ensure you copy everything, making sure there are no additional characters or spaces in the string. In my case, I missed a full stop at the start of the string, as shown below.
Once the full stop was added, the profile was successfully applied to the targeted devices.
As a big advocate of PowerShell scripts in Microsoft Endpoint Manager, I definitely welcome the recent changes which Microsoft has implemented. This will have some positive effects on most organisations but may not be as welcome to others, and here's why.
In my experience some organisations like to leverage PowerShell to modify applications that have been installed using Win32 apps. An example I have experienced in this space is Java (oh, the horror). This organisation still required a fat install of Java to run a legacy application, and Java was deployed using GPO with the registry hive modified to prevent the regular and annoying pop-up for updates.
So to address this we installed Java via Win32 apps and used a PowerShell script from Microsoft Endpoint Manager to modify the key.
What you will probably need to do is allow your script to fail. Once the script has failed, the Win32 apps will then be installed, and if the script fails, the Intune management extension agent retries the script three times over the next three consecutive Intune management extension agent check-ins. The check-in period is every 60 minutes, so in that time you should have successfully installed all Win32 apps.
Here are the new changes for PowerShell scripts.
PowerShell scripts execute before apps, and time out reduced
There are some updates to PowerShell scripts:
Microsoft Intune management extension execution flow is reverted back to processing PowerShell scripts first, and then running Win32 apps.
To resolve an Enrollment Status Page (ESP) time out issue, PowerShell scripts time out after 30 minutes. Previously, they timed out after 60 minutes.
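The "allow your script to fail" approach described above, as an added example that is not the organisation's script from the post. The script exits non-zero until the Win32 app is present, so the Intune management extension retries it on the following check-ins and the registry change is only made once the app it belongs to has installed. The uninstall display-name pattern and the key/value to set are placeholders.

```powershell
# Added example, not from the original post. Intune PowerShell script that
# deliberately fails (exit 1) until a Win32 app is installed, then sets a
# registry value belonging to that app and reports success (exit 0).
# Placeholders: the uninstall display name pattern and the key/value to set.
$AppDisplayName = 'Java*'                               # assumed display name pattern
$KeyPath        = 'HKLM:\SOFTWARE\<Vendor>\<Product>'    # placeholder
$ValueName      = '<ValueName>'                          # placeholder
$ValueData      = 0                                      # placeholder (DWORD)

function Test-Win32AppInstalled {
    param([string]$DisplayNamePattern)
    # Check both uninstall hives. Set "Run script in 64-bit PowerShell Host" = Yes on the
    # Intune script; in a 32-bit host HKLM:\SOFTWARE is redirected to WOW6432Node.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like $DisplayNamePattern }
    return [bool]$found
}

if (-not (Test-Win32AppInstalled -DisplayNamePattern $AppDisplayName)) {
    # Non-zero exit: Intune records a failure and retries on the next check-ins
    Write-Output "$AppDisplayName not installed yet; failing so Intune retries"
    exit 1
}

if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Type DWord
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($current -eq $ValueData) {
    Write-Output "Set $KeyPath\$ValueName = $ValueData"
    exit 0
}
Write-Output "Failed to set $KeyPath\$ValueName"
exit 1
```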
Sometimes you may come across special cases where either your customer or your own organisation might need to implement a solution which increases your security footprint. This post is no different and was inspired by the MS-100 exam, which I have recently taken and passed.
During the lab question I was asked how you would implement MFA for end users who want to enrol Windows 10 devices. So let's get to it…
Provide your policy a "Name"
Select the user(s) or group(s) you want to apply the policy to
Click Cloud apps and actions – click Select Apps, search for and then select Microsoft Intune Enrollment
Under Grant – Select Require multi-factor authentication
Select On to enable the policy
Here's the process I had to go through to join a Windows 10 device to my tenant with MFA.
In the screenshot below is a configuration setting I have in my tenant for defining whether devices are Corporate or Personally owned.
All my corporate apps are now available for install.
In this part we will go through the complete installation of SQL 2017 and configure SQL before installing SCCM Current Branch 1806 or higher.
Important Info
If you are planning on installing an older version of SQL, please follow our previous post here
Click the following link to see all supported SQL versions. For this post, I am going to install SQL 2017 on a separate server. (DB01)
Execute Setup.exe from the SQL installation media and select New SQL Server stand-alone installation
Provide the product key and click Next
Review and Click Next
Check Use Microsoft Update to check for updates and click Next
Select SQL Server Feature Installation
Please Note
Some of the following steps in the wizard are automatically skipped where no action is required. For example, Product Updates, Install Setup Files and Install Rules might be skipped.
Select the Database Engine feature and specify the SQL installation directory. This is the directory for the program files and shared features
Select Default instance and ensure that your instance is created on the SQL Volume
Set all services to run as the SQL Server Account that you created previously and set the services startup type to Automatic
On the Collation tab, set the Database Engine to use SQL_Latin1_General_CP1_CI_AS
In the Server Configuration tab, set the authentication mode to Windows Authentication and, under SQL Server Administrators, add your SCCM Admins group
In the Data Directories tab set your drive letters correctly for your SQL databases, Logs, TempDB, and backup
On the TempDB, complete the various information based on the Database sizing section below.
Click Install
Complete the installation by clicking Close
Install SQL Server Management Studio (SSMS)
Back in the SQL Server Installation Center, click on Install SQL Server Management tools.
This will redirect you to the Download page of SQL Server Management Studio. SSMS is no longer tied to the SQL server installation in terms of version.
Adjust the installation path if needed, then click Install
Install SQL Reporting Services
Back in the SQL Server Installation Center, click on Install SQL Reporting Services.
SQL Reporting Services is just like the Management console: it requires a
Click on Install Reporting Services
Provide the Product key
Accept License terms
Click Next
Select the installation path, click Install
A reboot is required after the installation
Apply SQL 2017 CU22 or higher
At the time of this writing, the latest SQL Cumulative Update is CU22. We will install it in order to have an updated SQL Installation. Note that CU2 is the minimum requirement
Download and execute SQL 2017 CU22
Accept the license terms and click Next
Leave default values, click Next
Wait for Check File in Use and click Next
Click Update
Update completed; a reboot might be required
SPN Creation
When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account.
Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server. It must use Domain Administrator credentials to run.
Run both commands to create the SPNs, changing the server name and account name in each command.
setspn -A MSSQLSvc/db01:1433 officec2r\svc.sql
setspn -A MSSQLSvc/db01.officec2r.com:1433 officec2r\svc.sql
To verify the domain user SPN is correctly registered, use the Setspn -L command
setspn -L officec2r\svc.sql
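The same registration and verification carried out with the ActiveDirectory PowerShell module instead of setspn, as an added example that is not part of the original post. It generalises the two commands above (the SPNs are built from the host, DNS domain and port) and refuses to register an SPN that another account already holds, since a duplicate SPN breaks Kerberos authentication to SQL. It assumes the RSAT ActiveDirectory module is installed and, as the post requires, Domain Admin rights.

```powershell
# Added example, not part of the original post: registers and verifies the two
# MSSQLSvc SPNs with the ActiveDirectory module. Values below are the post's.
Import-Module ActiveDirectory
$SqlHost        = 'db01'
$DnsDomain      = 'officec2r.com'
$Port           = 1433
$ServiceAccount = 'svc.sql'    # sAMAccountName of officec2r\svc.sql

# Short-name and FQDN forms, equivalent to the two setspn -A commands
$spns = @(('MSSQLSvc/{0}:{1}'     -f $SqlHost, $Port),
          ('MSSQLSvc/{0}.{1}:{2}' -f $SqlHost, $DnsDomain, $Port))
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName

foreach ($spn in $spns) {
    # An SPN may exist on exactly one object; a duplicate breaks Kerberos for SQL
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($holder -and ($holder.DistinguishedName -ne $account.DistinguishedName)) {
        throw "Duplicate SPN $spn already registered on $($holder.DistinguishedName)"
    }
    if ($account.servicePrincipalName -contains $spn) {
        Write-Output "Already registered: $spn"
    } else {
        Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $spn}
        Write-Output "Registered: $spn"
    }
}

# Verification, equivalent to the post's 'setspn -L officec2r\svc.sql'
(Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
```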
SQL Configuration
SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid the warning, we'll set the SQL Server memory limits to 8 GB-12 GB (80% of available RAM).
Open SQL Server Management Studio
Right click the top SQL Server instance node
Select Properties
In the Memory tab define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of your server available RAM. In my case I have 16GB available.
Minimum 8192
Maximum 12288
SQL Communications
To ensure proper SQL communication, verify that the settings are set accordingly in SQL Network Configuration.
Open SQL Server Configuration Manager
Go to SQL Server Network Configuration / Protocols for SCCM
On the Right Pane, right-click TCP/IP and select Properties
In the Protocol tab
Enable: YES
Listen All : NO
In the IP Addresses tab
IP1 (which should have your Server IP)
Active : YES
Enabled : YES
All other IP and IP ALL
Active : YES
Enabled : NO
TCP Dynamic Ports : Blank value
TCP Port : 1433
Once the modification has been made, restart the SQL Server Service.
The server is now ready for the SCCM installation. We will now run the prerequisite checker and proceed to the complete SCCM Installation. We will install a stand-alone Primary site.