Category Archives: Microsoft Endpoint Manager

Deploying BGInfo using Azure Blob Storage and Microsoft Endpoint Manager

Delivering your corporate applications can be a nightmare if you dont have a enterprise delivery solution like System Center or 3rd party mechanism.

So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.

Azure Storage Account

One of the requirements for this solution is an Azure Storage Account within your Azure subscription, this account will be used for storing the applications which you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.

Storage Account

Specify the required settings within the Basic tab for creating a Storage Account.

Basic Properties

Using the default settings as shown below

Advanced Properties

Click Review and Create
Click Create

Configuring Storage Account with required Applications

Click Container
Specify the Name
Select Conditioner (anonymous read access for containers and blobs) under Public Access Level

Blob – Container

Select your container
Select Upload
Select the files you want to upload
Modify the block size if it’s less than the size of the files you are uploading
Select Upload

Once the files are upload they all have a unique url which is used to identify the file as shown below. This will be required later for the PowerShell script.

The PowerShell Script!!!

This script has been made available on GitHub, you will need to modify the following;

$bginfo64 and $layout to reference your Azure Blob Storage for each file

Download Script

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-BGInfo.ps1

Publish script via Microsoft Endpoint Manager

Launch Microsoft Endpoint Manager https://endpoint.microsoft.com

Browse to Devices –> Scripts –> Click Add –> Select Windows 10

Provide a name and description (optional).. Press Next

Provide your script and select Run script in 64 bit PowerShell Host. Press Next

Press next on Scope Tag, unless you utilize them within your environment

Select the group(s) you wish to target.. Press Next

Press Add to complete

Once the script has applied to the required workstations, at the next reboot the BGInfo will be presented on the desktop wallpaper

Regards
The Author – Blogabout.Cloud

Managing your BitLocker Encryption using Microsoft Endpoint Manager

Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.

The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.

Next, enter the basics, such as the name of the policy and an optional description,

Then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings.

Also notice the options offered for key rotation.

This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.

Important notice!!

As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.

Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.

The settings that can be configured here include:

  • BitLocker – Base Settings
    • Enable full disk encryption for OS and fixed data drives
    • Require storage cards to be encrypted (mobile only)
    • Hide Prompt about third-party encryption
    • Configure client-driven recovery password rotation
  • BitLocker – Fixed Drive Settings
    • BitLocker fixed drive policy
  • BitLocker – OS Drive Settings
    • BitLocker system drive policy
  • BitLocker – Removable Drive Settings
    • BitLocker removable drive settings

For more details, see the RequireDeviceEncryption section of the BitLocker CSP.

Regards
The Author – Blogabout.Cloud

Avoid conflicts with Group Policy and Microsoft Endpoint Manager – Identify Group Policy settings not supported by MDM.

When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify GPOS not supported by MDM.

To run this tool follow the instructions below:

Install Remote Server Administration Tools. Windows 7 – https://www.microsoft.com/en-us/download/details.aspx?id=7887 Windows 8 – https://www.microsoft.com/en-us/download/details.aspx?id=28972
Window 8.1 – https://www.microsoft.com/en-us/download/details.aspx?id=39296
Windows 10 – https://www.microsoft.com/en-us/download/details.aspx?id=45520

Install this MMAT tool zipped Folder to your PC and unzip the folder.

Open a PowerShell Window running as an Admin.
Change directory to MMAT-master folder which contains all the scripts and exe inside.

Run the following script:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted 

./Invoke-MdmMigrationAnalysisTool.ps1 -collectGPOReports -runAnalysisTool

When Invoke-MdmMigrationAnalysisTool.ps1 is completed,it will generate:

MDMMigrationAnalysis.xml: XML report containing information about policies for the target user and computer and how they map, if at all, to MDM.

As you can see from below you will have report defining what is and isnt supported

Regards
The Author – Blogabout.Cloud

Avoid conflicts with Group Policy and Microsoft Endpoint Manager – Make your MDM Policies Win

When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies rein over GPO.

Lets get to it and launch Microsoft Endpoint Manager dashboard –> Go to Devices –> Configuration Profile –> Create Profile

Platform – Windows 10 and later
Profile – Custom

Click Create

Click Add and enter the below

Name: ConflictPolicyConflict
Description: Enter value if required
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1

Click Save –> Press Next

If you are using Scope Tags – Define your tags and Press Next

Define your selected groups of machines for the profile and Press Next

Define applicability rules if in use and Press Next

Press Create

This will now force MDM Policies to win over Group Policies assigned to a Windows 10 device.

Regards
The Author – Blogabout.Cloud

Decrease the delay of administratively assigned OneDrive libraries with Proactive remediations

There is a registry key that decreases the delay for end-users to see their administratively assigned libraries via the OneDrive sync client.

Important Note

The purpose of this Proactive Remediation profile is so that the reg key is set everytime a user reboots the client device. As this key is removed at reboot. Proactive Remediation is a solution that detects if this registry key exists and if not, create it, on a recurring schedule.

So lets get creating the Proactive Remediation profile

Navigate to Reports –> Endpoint Analytics 

Proactive Remediations; Click Create Script Package

Provide Name and Description

Now it’s time to upload the scripts, for the detection script, copy and paste the below PowerShell code

 Clear-Host
 <#Information
 
    Author: thewatchernode
    Contact: author@blogabout.cloud
    Published: 5th January 2021
    
    .DESCRIPTION
    This script is designed remediate OneDrive Flag 
    
    Version Changes            
    
    : 0.1 Initial Script Build
    : 1.0 Inital Release
     
    Credit:
    
    .EXAMPLE
    .\Detect_OneDriveDelayFlag.ps1
    
    Description
    -----------
    Runs script with default values.
    
    .INPUTS
    None. You cannot pipe objects to this script.
#>
 #region Shortnames
$Path = "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1"
$Name = "Timerautomount"
$Type = "QWORD"
$Value = 1
#endregion Shortnames

#region Function
Function Set-OneDriveRegKey {
Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Select-Object -ExpandProperty $Name
    If ($Registry -eq $Value){
        Write-Output "Compliant"
        Exit 0
    } 
    Write-Warning "Not Compliant"
    Exit 1
} 
Catch {
    Write-Warning "Not Compliant"
    Exit 1
}
}
#endregion Function

#Script Block
Set-OneDriveRegKey

For the remediation script, copy and paste the below PowerShell code

 Clear-Host
 <#Information
 
 
    Author: thewatchernode
    Contact: author@blogabout.cloud
    Published: 5th January 2021
    
    .DESCRIPTION
    This script is designed remediate OneDrive Flag 
    
    Version Changes            
    
    : 0.1 Initial Script Build
    : 1.0 Inital Release
     
    Credit:
    
    .EXAMPLE
    .\Remediate_OneDriveDelayFlag.ps1
    
    Description
    -----------
    Runs script with default values.
    
    .INPUTS
    None. You cannot pipe objects to this script.
#>


#region Shortnames
$Path = "HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1"
$Name = "Timerautomount"
$Type = "QWORD"
$Value = 1
#endregion Shortnames

#region Script Block
Set-ItemProperty -Path $Path -Name $Name -Type $Type -Value $Value
#endregion Script Block

Ensure that the Run this script using the logged-on credentials is set to Yes. The Settings should look like so

Assign the custom script to your require groups

As the default schedule is Daily, you may have a require to edit the schedule.

This concldues this post.

Regards
The Author – Blogabout.Cloud

Syncing of OneDrive Shared Librabies automatically using Microsoft Endpoint Manager

First of all, we need to create Configuration Profile within Microsoft Endpoint Manager, you’ll need to gather the SharePoint document library ID or ID), for all the locations you would like to publish to your Windows 10 Devices. In this blog I am going to publish the Blogabout Cloud Library to all my devices.

A window will now appear, (if you receive any prompts to open OneDrive ignore it), click Copy library ID, keep this handy.

Creating the Configuration Profile

In order to apply the configuration to your Windows 10 devices that are enrolled into Microsoft Endpoint Manager. Launch Microsoft Endpoint Manager go to Devices –> Configuration Profiles –> Create Profile

Select Windows 10 and Administrative Templates

Press Next

Provide a Name for the profile and brief description as shown below

Under Computer Configuration and OneDrive, look for the setting Configure team site libraries to sync automatically

Click Enable
Enter the name you would like to be displayed and the Library ID as shown below

I am now going to recommend a number of other Microsoft OneDrive settings

SettingConfiguration
Silently sign in users to the OneDrive sync app with their Windows credentialsEnabled
Silently move Windows known folders to OneDriveEnabled
Use OneDrive Files On-DemandEnabled
Require user to confirm large delete operationsEnabled
Convert synced team site files to online-only filesEnabled

That completes the Configuration Profile setup, deploy this to your test users before deploying to production.

In my next post I am going to be looking leverage Proactive Remediation to decrease the synchronization time of assigned libraries to the Windows 10 device. The Microsoft default is 8 hours before the assigned libraries are published.

Regard
The Author – Blogabout.Cloud

-2016345712 (Syncml(400): The request command could not be performed because of malformed syntax in the command

I have been recently important ADMX templates and been generating potential errors that IT Administrators may encounter. This post is one of the errors you may receive if you don’t configure the Custom Profile correctly.

So as you can see from below I am receiving an Error Code 0x87d10190, the cause of this error is due to the string being incorrect.

When typing, copying or pasting in the string for the ADMX template you need to ensure you copy everything. Making sure there is no additional characters or spaces in the string. In my case, I missed a full stop at the start of the string as shown below.

Once adding in the full stop, the profile was successfully applied to the targeted devices.

Regards
The Author – Blogabout.Cloud

Improvements for PowerShel scripts in Microsoft Endpoint Manager – Good or Bad?

As a big adovcate of PowerShell Scripts in Microsoft Endpoint Manager, I definitely welcome the recent changes which Microsoft have implemented. This will have some positive effects on most organisations but maybe not as welcomed by others and heres why?

In my experience some organisations like to leverage PowerShell to modify applications that have been installed using Win32 apps. An example I have experience within this space is Java ( Oh the horror ). This organisation still required a fat install of java to run a legacy application and Java was inserted using GPO with reg hive modified to prevent the regular and annoying pop up for updates.

So to address this we installed Java via W32 apps and used a PowerShell script from Microsoft Endpoint Manager to modify the key.

What you will probably need to do is allow your script to fail. Once the script has failed, the Win32 apps will then be installed, and If the script fails, the Intune management extension agent retries the script three times for the next three consecutive Intune management extension agent check-in. The check in period is every 60 minutes so in that time you should have succesfully installed all Win32 apps.

Here is the new channges for PowerShell scripts.

PowerShell scripts execute before apps, and time out reduced

There are some updates to PowerShell scripts:

  • Microsoft Intune management extension execution flow is reverted back to processing PowerShell scripts first, and then running Win32 apps.
  • To resolve an Enrollment Status Page (ESP) time out issue, PowerShell scripts time out after 30 minutes. Previously, they timed out after 60 minutes.

For more information, see Use PowerShell scripts on Windows 10 devices in Intune.

Regards
The Author – Blogabout.Cloud

HowTo: Ensure your end user are prompted for MFA when enrolling Windows 10 devices. Conditional Access to the rescue

Sometimes you may come across special cases where either your customer or your own organisation might need to implement a solution which increases your security footprint. This post is no different and inspired from the MS-100 exam which I have recently taken and passed.

During the lab question I was asked how you would implement MFA for end user who want to enroll Windows 10 devices. So lets get to it…

Launch http://endpoint.microsoft.com and select Device + Conditional Access

Select New Policy

Provide your policy a “Name”
Select the user(s) or group(s) you want to apply the policy to
Click Cloud apps and actions – Click Select Apps and search then select Microsoft Intune Enrollment.

Under Grant – Select Require multi-factor authentication

Select on to enable the policy

Heres the process I had to go through to join a Windows 10 device to my tenant with MFA.

In the below screenshot is a configuration setting I have in my tenant for defining if devices are Corporate or Personally owned

All my corporate apps are now available for install.

Regards
The Author – Blogabout.Cloud

Installing SCCM Current Branch – SQL Server Installation (Part 2)

In this part we will go through the complete installation of SQL 2017 and configure SQL before installing SCCM Current Branch 1806 or higher.

Important Info

If you are planning on installing an older version of SQL, please follow our previous post here

Click the following link to see all supported SQL versions. For this post, I am going to install SQL 2017 on a separate server. (DB01)

Execute Setup.exe from the SQL installation media, select New SQL server stand-alone installation

SCCM SQL 2017 Install Guide

Provide the product key and click Next

SCCM SQL 2017 Install Guide

Review and Click Next

SCCM SQL 2017 Install Guide

Check Use Microsoft Update to check for updates and click Next

SCCM SQL 2017 Install Guide

Select SQL Server Feature Installation

Please Note

Some steps following steps in the wizard are automatically skipped where no action is required. For example, Products Updates, Install setup Files and Install Rules might be skipped.

Select the Database Engine feature and specify the SQL installation directory. This is the directory for the program files and shared features

  • Select Default instance and ensure that your instance is created on the SQL Volume

Set all services to run as the SQL Server Account that you created previously and set the services startup type to Automatic

On the Collation tab, set the Database Engine to use SQL_Latin1_General_CP1_CI_AS

In the Server Configuration tab, set the authentication mode to Windows Authentication and in the SQL Server Administrators add your SCCM Admins group

In the Data Directories tab set your drive letters correctly for your SQL databases, Logs, TempDB, and backup

On the TempDB, complete the various information based on the Database sizing section below.

  • Click Install

Complete the installation by clicking Close

Install SQL Server Management Studio (SSMS)

Back in the SQL Server Installation Center, click on Install SQL Server Management tools.

SCCM SQL 2017 Install Guide
  • This will redirect you to the Download page of SQL Server Management Studio. SSMS is no longer tied to the SQL server installation in terms of version.
  • Adjust the installation path if need, then click Install

Install SQL Reporting Services

  • Back in the SQL Server Installation Center, click on Install SQL Reporting Services.

The SQL reporting services is just like the Management console, it requires a

Click on Install Reporting Services

SCCM SQL 2017 Install Guide

Provide the Product key

SCCM SQL 2017 Install Guide

Accept License terms

SCCM SQL 2017 Install Guide

Click Next

SCCM SQL 2017 Install Guide

Select the installation path, click Install

SCCM SQL 2017 Install Guide

A reboot is required after the installation

SCCM SQL 2017 Install Guide

Apply SQL 2017 CU22 or higher

At the time of this writing, the latest SQL Cumulative Update is CU22. We will install it in order to have an updated SQL Installation. Note that CU2 is the minimum requirement

Download and execute SQL 2017 CU22
Accept the license terms and click Next

Leave default values, click Next

Wait for Check File in Use and click Next

Click Update

Update completed, might require a reboot

SPN Creation

When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account.

Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server. It must use Domain Administrator credentials to run.

Run both commands to create the SPN, Change the server name and account name in each commands.

setspn -A MSSQLSvc/db01:1433 officec2r\svc.sql
setspn -A MSSQLSvc/db01.officec2r.com:1433 officec2r\svc.sql


To verify the domain user SPN is correctly registered, use the Setspn -L command

setspn –L officec2r\svc.sql

SQL Configuration

SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid, the warning, we’ll set the SQL Server memory limits to 8GB-12GB (80% of available RAM). Open SQL Server Management Studio

Right click the top SQL Server instance node

Select Properties

In the Memory tab define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of  your server available RAM. In my case I have 16GB available.

Minimum 8192

Maximum 12288

SQL Communications

To ensure proper SQL communication, verify that settings are set accordingly in SQL Network configurationOpen SQL Server Configuration Manager

Go to SQL Server Network Configuration / Protocols for SCCM

On the Right Pane, right-click TCP/IP and select Properties

In the Protocol tab

Enable: YES

Listen All : NO

In the IP Addresses tab

IP1 (which should have your Server IP)

Active : YES

Enabled : YES

All other IP and IP ALL

Active : YES

Enabled : NO

TCP Dynamic Ports : Blank value

TCP Port : 1433

Once the modification has been made, restart the SQL Server Service.

The server is now ready for the SCCM installation. We will now run the prerequisite checker and proceed to the complete SCCM Installation. We will install a stand-alone Primary site.

In the next part we will look at installing SCCM

Regards,
The Author – Blogabout.Cloud