Delivering your corporate applications can be a nightmare if you don't have an enterprise delivery solution such as System Center or a 3rd-party mechanism.
So let's see how Azure Blob Storage and Microsoft Intune can address this by using a storage location and a PowerShell script.
Azure Storage Account
One of the requirements for this solution is an Azure Storage Account within your Azure subscription. This account will be used to store the applications you would like to roll out to your Windows 10 desktops that are managed using Microsoft Intune.
Specify the required settings within the Basics tab for creating a Storage Account, using the default settings as shown below.
Click Review and Create
Click Create
Configuring Storage Account with required Applications
Click Container, specify the Name and select Container (anonymous read access for containers and blobs) under Public Access Level
Select your container
Select Upload
Select the files you want to upload
Modify the block size if it is less than the size of the files you are uploading
Select Upload
Once the files are uploaded, each one has a unique URL which is used to identify the file, as shown below. This will be required later for the PowerShell script.
The PowerShell Script!!!
This script has been made available on GitHub; you will need to modify the following:
$bginfo64 and $layout, to reference the Azure Blob Storage URL for each file
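As an added example (not the script from the post's GitHub repo), this is the shape such a download-and-run script can take: $bginfo64 and $layout hold placeholder blob URLs, and because the container is anonymously readable, each download is checked against a SHA256 hash (also a placeholder) recorded at upload time before anything is executed.

```powershell
# Added example, not the script from the post's GitHub repo.
# Replace the placeholder URLs with the unique blob URLs shown in the portal and the
# placeholder hashes with the SHA256 you computed for each file before uploading it.
$bginfo64 = 'https://<storageaccount>.blob.core.windows.net/<container>/Bginfo64.exe'
$layout   = 'https://<storageaccount>.blob.core.windows.net/<container>/layout.bgi'
$expectedHash = @{
    $bginfo64 = '<SHA256-OF-BGINFO64-PLACEHOLDER>'
    $layout   = '<SHA256-OF-LAYOUT-PLACEHOLDER>'
}
$dest = Join-Path $env:ProgramData 'CorpApps\BgInfo'
New-Item -Path $dest -ItemType Directory -Force | Out-Null

function Get-VerifiedBlob {
    param([string]$Url, [string]$Sha256)
    $target = Join-Path $dest ([System.IO.Path]::GetFileName($Url))
    # -UseBasicParsing keeps this working under Windows PowerShell 5.1, which the Intune agent uses
    Invoke-WebRequest -Uri $Url -OutFile $target -UseBasicParsing
    # The container allows anonymous read, so only trust the file once its hash matches
    $actual = (Get-FileHash -Path $target -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item $target -Force
        throw "Hash mismatch for $Url (got $actual)"
    }
    return $target
}

try {
    $exe = Get-VerifiedBlob -Url $bginfo64 -Sha256 $expectedHash[$bginfo64]
    $bgi = Get-VerifiedBlob -Url $layout   -Sha256 $expectedHash[$layout]
    # BgInfo's documented switches: apply the layout silently without the licence prompt
    Start-Process -FilePath $exe -ArgumentList "`"$bgi`" /timer:0 /nolicprompt /silent" -Wait
    exit 0
} catch {
    Write-Error $_   # a non-zero exit surfaces the failure in the Intune script report
    exit 1
}
```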
Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.
The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.
Next, enter the basics, such as the name of the policy and an optional description.
Then move on to Configuration settings. Notice that you can search for a specific setting, like "fixed drive policy", or scroll through the settings.
Also notice the options offered for key rotation.
As you enable settings, additional settings may appear. For example, enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.
Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.
The settings that can be configured here include:
BitLocker – Base Settings
Enable full disk encryption for OS and fixed data drives
Require storage cards to be encrypted (mobile only)
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify GPOs not supported by MDM.
When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies win over GPO.
Let's get to it: launch the Microsoft Endpoint Manager dashboard –> go to Devices –> Configuration Profile –> Create Profile
Platform – Windows 10 and later
Profile – Custom
Click Add and enter the below:
Name: ConflictPolicyConflict
Description: Enter a value if required
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1
Click Save –> Press Next
If you are using Scope Tags, define your tags and press Next
Define the groups of machines the profile applies to and press Next
Define applicability rules if in use and press Next
This will now force MDM policies to win over Group Policies assigned to a Windows 10 device.
There is a registry key that decreases the delay for end-users to see their administratively assigned libraries via the OneDrive sync client.
The purpose of this Proactive Remediation profile is to set the registry key every time a user reboots the client device, as the key is removed at reboot. Proactive Remediation detects whether this registry key exists and, if not, creates it, on a recurring schedule.
So let's get creating the Proactive Remediation profile.
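As an added example (not the post's own scripts), here is a detection script and a remediation script in the shape Proactive Remediations expects. The post does not name the registry value, so the key path, value name and data below are placeholders to be replaced with the documented OneDrive value; since it lives under HKCU, the profile would run in the logged-on user's context.

```powershell
# ===== Detect.ps1 =====
# Placeholders: the post does not name the value, so substitute the real per-user key.
$KeyPath   = 'HKCU:\Software\PLACEHOLDER-Vendor\PLACEHOLDER-Key'
$ValueName = 'PLACEHOLDER-ValueName'
$Expected  = 1

$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $item -and $item.$ValueName -eq $Expected) {
    Write-Output "Compliant: $ValueName = $Expected"
    exit 0      # 0 = compliant, the remediation script is not run
}
Write-Output "Not compliant: $ValueName missing or not $Expected"
exit 1          # 1 = non-compliant, run the remediation script

# ===== Remediate.ps1 =====
$KeyPath   = 'HKCU:\Software\PLACEHOLDER-Vendor\PLACEHOLDER-Key'
$ValueName = 'PLACEHOLDER-ValueName'
$Expected  = 1

try {
    # Recreate the key that the reboot removed, then write the DWORD value
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -PropertyType DWord -Force | Out-Null
    Write-Output "Set $ValueName = $Expected"
    exit 0
} catch {
    Write-Error $_
    exit 1      # a failed remediation shows up in the profile's device status
}
```

Each section goes into its own script file when the profile is created; the detection script's exit code decides whether the remediation script runs on that schedule.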
First of all, we need to create a Configuration Profile within Microsoft Endpoint Manager. You'll need to gather the SharePoint document library ID (or IDs) for all the locations you would like to publish to your Windows 10 devices. In this blog I am going to publish the Blogabout Cloud Library to all my devices.
A window will now appear (if you receive any prompts to open OneDrive, ignore them); click Copy library ID and keep this handy.
Creating the Configuration Profile
In order to apply the configuration to your Windows 10 devices that are enrolled into Microsoft Endpoint Manager, launch Microsoft Endpoint Manager and go to Devices –> Configuration Profiles –> Create Profile
Select Windows 10 and Administrative Templates
Provide a Name for the profile and a brief description as shown below
Under Computer Configuration and OneDrive, look for the setting Configure team site libraries to sync automatically
Click Enable, then enter the name you would like displayed and the Library ID as shown below
I am now going to recommend a number of other Microsoft OneDrive settings:
Silently sign in users to the OneDrive sync app with their Windows credentials
Silently move Windows known folders to OneDrive
Use OneDrive Files On-Demand
Require user to confirm large delete operations
Convert synced team site files to online-only files
That completes the Configuration Profile setup; deploy this to your test users before deploying to production.
In my next post I am going to look at leveraging Proactive Remediation to decrease the synchronization time of assigned libraries to the Windows 10 device. The Microsoft default is 8 hours before the assigned libraries are published.
I have recently been importing ADMX templates and generating the potential errors that IT administrators may encounter. This post covers one of the errors you may receive if you don't configure the Custom Profile correctly.
So, as you can see below, I am receiving Error Code 0x87d10190; the cause of this error is the string being incorrect.
When typing, copying or pasting in the string for the ADMX template you need to ensure you copy everything, making sure there are no additional characters or spaces in the string. In my case, I missed a full stop at the start of the string, as shown below.
Once I added the full stop, the profile was successfully applied to the targeted devices.
As a big advocate of PowerShell scripts in Microsoft Endpoint Manager, I definitely welcome the recent changes which Microsoft has implemented. This will have some positive effects for most organisations but may not be as welcome for others, and here's why.
In my experience some organisations like to leverage PowerShell to modify applications that have been installed using Win32 apps. An example I have experienced in this space is Java (oh the horror). This organisation still required a fat install of Java to run a legacy application, and Java was installed using GPO with a registry key modified to prevent the regular and annoying pop-up for updates.
So to address this we installed Java via Win32 apps and used a PowerShell script from Microsoft Endpoint Manager to modify the key.
What you will probably need to do is allow your script to fail. Once the script has failed, the Win32 apps will then be installed; if the script fails, the Intune management extension agent retries it three times, on the next three consecutive Intune management extension agent check-ins. The check-in period is every 60 minutes, so in that time you should have successfully installed all Win32 apps.
Here are the new changes for PowerShell scripts.
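As an added illustration of this fail-and-retry approach (not the organisation's script), the following Intune PowerShell script exits non-zero until the Win32 app's install marker exists and only then writes the update-suppression value. The post does not give the application's registry details, so both key paths and the value name are placeholders.

```powershell
# Added example, not the script the post describes. Placeholders throughout:
# $InstallMarker is a key the Win32 app creates when installed; $PolicyKey/$PolicyValue
# is the update-prompt setting the script is meant to change.
$InstallMarker = 'HKLM:\SOFTWARE\PLACEHOLDER-Vendor\PLACEHOLDER-App'
$PolicyKey     = 'HKLM:\SOFTWARE\PLACEHOLDER-Vendor\PLACEHOLDER-Policy'
$PolicyValue   = 'PLACEHOLDER-DisableUpdatePrompt'
$Log           = Join-Path $env:ProgramData 'IntuneScripts\PostInstall.log'
New-Item -Path (Split-Path $Log) -ItemType Directory -Force | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append
    Write-Output $Message
}

if (-not (Test-Path $InstallMarker)) {
    # The Win32 app has not been installed yet, so fail on purpose: the management
    # extension retries on the next three check-ins (60 minutes apart), by which
    # time the app deployment that runs after scripts should have completed.
    Write-Log "Install marker $InstallMarker not found; exiting 1 so Intune retries"
    exit 1
}

try {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Log "Set $PolicyKey\$PolicyValue = 0"
    exit 0
} catch {
    Write-Log "Failed to write policy value: $_"
    exit 1
}
```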
PowerShell scripts execute before apps, and time out reduced
There are some updates to PowerShell scripts:
The Microsoft Intune management extension execution flow is reverted to processing PowerShell scripts first, and then running Win32 apps.
To resolve an Enrollment Status Page (ESP) time out issue, PowerShell scripts time out after 30 minutes. Previously, they timed out after 60 minutes.
Sometimes you may come across special cases where either your customer or your own organisation needs to implement a solution which increases your security footprint. This post is no different, and is inspired by the MS-100 exam which I have recently taken and passed.
During the lab question I was asked how you would implement MFA for end users who want to enroll Windows 10 devices. So let's get to it…
Download and execute SQL 2017 CU22
Accept the license terms and click Next
Leave the default values and click Next
Wait for the Check Files in Use step and click Next
Update completed, might require a reboot
When you configure SQL Server to use the local system account, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account.
Since we are using a domain account, we must run the Setspn tool on a computer that resides in the domain of the SQL Server. It must use Domain Administrator credentials to run.
Run both commands to create the SPNs, changing the server name and account name in each command.
setspn -A MSSQLSvc/db01:1433 officec2r\svc.sql
setspn -A MSSQLSvc/db01.officec2r.com:1433 officec2r\svc.sql
To verify that the domain user's SPNs are correctly registered, use the setspn -L command
setspn -L officec2r\svc.sql
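An added verification step (not from the post) that reads the SPNs back with the ActiveDirectory PowerShell module, using the post's names (db01, officec2r.com, svc.sql), and also checks that neither SPN is registered on a second account, which would break Kerberos authentication to SQL.

```powershell
# Added example; assumes the RSAT ActiveDirectory module is installed on the
# machine it runs on and uses the server/account names from the post.
Import-Module ActiveDirectory
$account  = 'svc.sql'
$expected = @('MSSQLSvc/db01:1433', 'MSSQLSvc/db01.officec2r.com:1433')

# 1. Are both expected SPNs present on the service account?
$user       = Get-ADUser -Identity $account -Properties servicePrincipalName
$registered = @($user.servicePrincipalName)
$missing    = $expected | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning "Missing SPNs on ${account}: $($missing -join ', ')"
} else {
    Write-Output "All expected SPNs are registered on $account"
}

# 2. Is either SPN also registered elsewhere? A duplicate SPN stops Kerberos
#    working for the SQL service (setspn -X reports the same condition).
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                Select-Object -ExpandProperty Name)
    if ($owners.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn registered on: $($owners -join ', ')"
    }
}
```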
SCCM setup verifies that SQL Server reserves a minimum of 8 GB of memory for the primary site. To avoid the warning, we'll set the SQL Server memory limits to 8GB-12GB (80% of available RAM).
Open SQL Server Management Studio
Right-click the top SQL Server instance node
In the Memory tab, define a limit for the minimum and maximum server memory. Configure and limit the memory to 80% of your server's available RAM. In my case I have 16GB available.
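An added example (not from the post) that applies the same limits with sp_configure from PowerShell instead of the Management Studio dialog. It assumes the SqlServer module (for Invoke-Sqlcmd), that it runs on the SQL host itself, and the instance name SCCM taken from the post's Protocols for SCCM node.

```powershell
# Added example, not the post's procedure. Assumptions: SqlServer module installed,
# run locally on the SQL host, instance named SCCM as in the post.
Import-Module SqlServer
$instance = "$env:COMPUTERNAME\SCCM"

# Derive the limits from installed RAM: 80% for the maximum, 8 GB minimum as SCCM setup expects
$totalMB = [math]::Floor((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$maxMB   = [math]::Floor($totalMB * 0.8)
$minMB   = 8192
if ($maxMB -lt $minMB) {
    throw "Only $totalMB MB RAM installed; 80% ($maxMB MB) is below SCCM's 8 GB minimum"
}

# 'max/min server memory' are advanced options, so expose them for the duration of the change
$configure = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'min server memory (MB)', $minMB;
EXEC sp_configure 'max server memory (MB)', $maxMB; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $configure

# Read the running values back to confirm the change took effect
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT name, value_in_use FROM sys.configurations WHERE name LIKE '%server memory (MB)'
"@ | Format-Table -AutoSize
```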
To ensure proper SQL communication, verify that the settings in SQL Network Configuration are set accordingly.
Open SQL Server Configuration Manager
Go to SQL Server Network Configuration / Protocols for SCCM
On the right pane, right-click TCP/IP and select Properties
In the Protocol tab
Listen All : NO
In the IP Addresses tab
IP1 (which should have your Server IP)
Active : YES
Enabled : YES
All other IP and IP ALL
Active : YES
Enabled : NO
TCP Dynamic Ports : Blank value
TCP Port : 1433
Once the modification has been made, restart the SQL Server Service.
The server is now ready for the SCCM installation. We will now run the prerequisite checker and proceed to the complete SCCM Installation. We will install a stand-alone Primary site.