Category Archives: Windows 10

Deploying BGInfo using Azure Blob Storage and Microsoft Endpoint Manager

Delivering your corporate applications can be a nightmare if you don't have an enterprise delivery solution like System Center or a third-party mechanism.

So let’s see how Azure Blob Storage and Microsoft Intune can address this issue by using a storage location and PowerShell script.

Azure Storage Account

One of the requirements for this solution is an Azure Storage Account within your Azure subscription. This account will be used to store the applications you want to roll out to the Windows 10 desktops managed by Microsoft Intune.

Storage Account

Specify the required settings within the Basic tab for creating a Storage Account.

Basic Properties

Using the default settings as shown below

Advanced Properties

Click Review and Create
Click Create

Configuring Storage Account with required Applications

Click Container
Specify the Name
Select Container (anonymous read access for containers and blobs) under Public Access Level

Blob – Container

Select your container
Select Upload
Select the files you want to upload
Modify the block size if it’s less than the size of the files you are uploading
Select Upload

Once the files are uploaded, each one has a unique URL that identifies it, as shown below. These URLs are needed later for the PowerShell script.

The PowerShell Script!!!

This script has been made available on GitHub; you will need to modify the following:

$bginfo64 and $layout to reference your Azure Blob Storage for each file

Download Script

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-BGInfo.ps1
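Because the container is set to anonymous read access, anything on the internet can fetch these files, and the script's only assurance that what it downloads is what you uploaded is a check you perform yourself. The following is an added example, not the Get-BGInfo.ps1 from the repository above, showing the same download-and-register flow with a SHA-256 pin on each blob. The storage URLs and hashes are placeholders to be replaced with your own values; the install folder and Run key are assumptions about where you want BGInfo to live:

```powershell
# Added example (not the blog's Get-BGInfo.ps1): fetch BGInfo payloads from a
# public Azure Blob Storage container, verify their SHA-256 before use, then
# register BGInfo to run at every user logon. Runs as SYSTEM from Intune.
$ErrorActionPreference = 'Stop'

# Placeholder blob URLs: replace with the URLs shown for your uploaded files
$bginfo64 = 'https://<storageaccount>.blob.core.windows.net/<container>/Bginfo64.exe'
$layout   = 'https://<storageaccount>.blob.core.windows.net/<container>/Corporate.bgi'

# Placeholder hashes: compute with Get-FileHash on the files you uploaded
$expectedHash = @{
    'Bginfo64.exe'  = '<SHA256 OF YOUR UPLOADED Bginfo64.exe>'
    'Corporate.bgi' = '<SHA256 OF YOUR UPLOADED Corporate.bgi>'
}

# Assumed install location (machine-wide, not user-writable)
$target = Join-Path $env:ProgramData 'BGInfo'

function Get-VerifiedBlob {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Download to a temporary name so a failed check never leaves a usable file behind
    $tmp = "$Destination.download"
    Invoke-WebRequest -Uri $Uri -OutFile $tmp -UseBasicParsing
    $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {          # -ne is case-insensitive in PowerShell
        Remove-Item -Path $tmp -Force
        throw "Hash mismatch for $Uri : expected $ExpectedSha256, got $actual"
    }
    Move-Item -Path $tmp -Destination $Destination -Force
}

New-Item -ItemType Directory -Path $target -Force | Out-Null

$exePath = Join-Path $target 'Bginfo64.exe'
$bgiPath = Join-Path $target 'Corporate.bgi'
Get-VerifiedBlob -Uri $bginfo64 -Destination $exePath -ExpectedSha256 $expectedHash['Bginfo64.exe']
Get-VerifiedBlob -Uri $layout   -Destination $bgiPath -ExpectedSha256 $expectedHash['Corporate.bgi']

# BGInfo applies the wallpaper in the logged-on user's session, so register it in the
# machine-wide Run key; it will render at the next logon, as the post describes.
$cmd = '"{0}" "{1}" /timer:0 /nolicprompt /silent' -f $exePath, $bgiPath
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BGInfo' -Value $cmd
```

If you would rather not make the container public at all, the same function works unchanged with a read-only SAS URL in place of the anonymous one; the hash pin is still worth keeping, since it is what lets the script refuse a blob that was replaced after you reviewed it.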

Publish script via Microsoft Endpoint Manager

Launch Microsoft Endpoint Manager https://endpoint.microsoft.com

Browse to Devices –> Scripts –> Click Add –> Select Windows 10

Provide a name and description (optional). Press Next

Provide your script and select Run script in 64 bit PowerShell Host. Press Next

Press next on Scope Tag, unless you utilize them within your environment

Select the group(s) you wish to target. Press Next

Press Add to complete

Once the script has been applied to the required workstations, BGInfo will be presented on the desktop wallpaper at the next reboot.

Regards
The Author – Blogabout.Cloud

Managing your BitLocker Encryption using Microsoft Endpoint Manager

Microsoft Azure Active Directory (Azure AD) and Microsoft Intune bring the power of the intelligent cloud to Windows 10 device management, including management capabilities for BitLocker. Some of these capabilities work on Windows 10 Pro, while other capabilities require Windows 10 Enterprise or Education editions.

The first step to managing BitLocker using Microsoft Intune is to visit the new Microsoft Endpoint Manager admin center. Select Endpoint security > Disk encryption, and then Create policy. Enter in the Platform and Profile indicated in the screen capture below, and then select Create.

Next, enter the basics, such as the name of the policy and an optional description.

Then move on to Configuration settings. Notice you can search for a specific setting, like “fixed drive policy,” or you can scroll through the settings.

Also notice the options offered for key rotation.

This setting, which requires Windows 10, version 1909 or later, will change the recovery key when the recovery key is used to unlock a drive.

Important notice!!

As you enable settings, additional settings may appear. For example, Enabling Fixed drive encryption expands more options: Recovery key file creation and Configure BitLocker recovery key package.

Finally, add Scope tags (optional), assign the new policy to specific groups of users or devices, and select Create.

The settings that can be configured here include:

  • BitLocker – Base Settings
    • Enable full disk encryption for OS and fixed data drives
    • Require storage cards to be encrypted (mobile only)
    • Hide Prompt about third-party encryption
    • Configure client-driven recovery password rotation
  • BitLocker – Fixed Drive Settings
    • BitLocker fixed drive policy
  • BitLocker – OS Drive Settings
    • BitLocker system drive policy
  • BitLocker – Removable Drive Settings
    • BitLocker removable drive settings

For more details, see the RequireDeviceEncryption section of the BitLocker CSP.
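Once the policy lands, the thing worth confirming on a device is that the OS drive is actually protected and that a recovery password protector exists and has been escrowed to Azure AD, since that is what the recovery key rotation setting above depends on. The following is an added example, not part of the original post or the BitLocker CSP documentation; it uses only the built-in BitLocker module cmdlets, and the function names are my own:

```powershell
# Added example (not from the original post): report the OS drive's BitLocker
# state and ensure a recovery password protector exists and is backed up to Azure AD.

function Get-OsDriveBitLockerReport {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint         = $vol.MountPoint
        VolumeStatus       = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus   = $vol.ProtectionStatus    # On means protectors are enforced, not merely present
        EncryptionMethod   = $vol.EncryptionMethod
        EncryptionPercent  = $vol.EncryptionPercentage
        TpmProtector       = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
        RecoveryProtectors = $recovery.Count
    }
}

function Sync-RecoveryKeyToAad {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # Without a recovery password there is nothing to escrow and nothing to rotate
    if ($recovery.Count -eq 0 -and $PSCmdlet.ShouldProcess($MountPoint, 'Add recovery password protector')) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # Escrow every recovery password protector to the device's Azure AD object
    foreach ($kp in $recovery) {
        if ($PSCmdlet.ShouldProcess($kp.KeyProtectorId, 'BackupToAAD-BitLockerKeyProtector')) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

Get-OsDriveBitLockerReport | Format-List
Sync-RecoveryKeyToAad
```

Run it with -WhatIf first if you only want the report; BackupToAAD-BitLockerKeyProtector requires the device to be Azure AD joined or registered, and the result is visible under the device's BitLocker keys in the admin center rather than locally.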

Regards
The Author – Blogabout.Cloud

Avoid conflicts with Group Policy and Microsoft Endpoint Manager – Identify Group Policy settings not supported by MDM.

When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to identify GPOs not supported by MDM.

To run this tool follow the instructions below:

Install Remote Server Administration Tools for your client OS:
Windows 7 – https://www.microsoft.com/en-us/download/details.aspx?id=7887
Windows 8 – https://www.microsoft.com/en-us/download/details.aspx?id=28972
Windows 8.1 – https://www.microsoft.com/en-us/download/details.aspx?id=39296
Windows 10 – https://www.microsoft.com/en-us/download/details.aspx?id=45520

Download the MMAT tool zipped folder to your PC and unzip it.

Open a PowerShell Window running as an Admin.
Change directory to the MMAT-master folder, which contains all the scripts and the exe.

Run the following commands:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

./Invoke-MdmMigrationAnalysisTool.ps1 -collectGPOReports -runAnalysisTool

When Invoke-MdmMigrationAnalysisTool.ps1 has completed, it will generate:

MDMMigrationAnalysis.xml: XML report containing information about policies for the target user and computer and how they map, if at all, to MDM.

As you can see below, you will have a report defining what is and isn't supported.

Regards
The Author – Blogabout.Cloud

Avoid conflicts with Group Policy and Microsoft Endpoint Manager – Make your MDM Policies Win

When integrating your Windows 10 devices into Microsoft Endpoint Manager, you may encounter policy conflicts where the same setting is configured both on-premises via GPO and in Intune. When this happens it can be a complete nightmare, so in this post I will show you how to configure Microsoft Endpoint Manager so that your MDM policies reign over GPO.

Let's get to it. Launch the Microsoft Endpoint Manager dashboard –> Go to Devices –> Configuration Profile –> Create Profile

Platform – Windows 10 and later
Profile – Custom

Click Create

Click Add and enter the below

Name: ConflictPolicyConflict
Description: Enter value if required
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
Data type: Integer
Value: 1

Click Save –> Press Next

If you are using Scope Tags – Define your tags and Press Next

Define your selected groups of machines for the profile and Press Next

Define applicability rules if in use and Press Next

Press Create

This will now force MDM Policies to win over Group Policies assigned to a Windows 10 device.
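A quick way to confirm on an enrolled device that the custom OMA-URI was accepted is to read back the value the Policy CSP wrote. The following is an added example, not from the original post; the registry location under PolicyManager is an assumption about where Intune-delivered Policy CSP values surface on the client, and the function name is my own:

```powershell
# Added example (not from the original post): verify on an enrolled device that
# the MDMWinsOverGP setting has been delivered and read the value the CSP wrote.
# Assumption: applied Policy CSP values surface under the PolicyManager hive.

function Test-MdmWinsOverGp {
    # ControlPolicyConflict is available from Windows 10 1803 (build 17134)
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -lt 17134) {
        return [pscustomobject]@{
            Applied = $false; Value = $null; Build = $build
            Note    = 'OS too old: ControlPolicyConflict requires Windows 10 1803 or later'
        }
    }

    # Assumed location mirroring the OMA-URI ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
    $path  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $value = $null
    if (Test-Path -Path $path) {
        $value = (Get-ItemProperty -Path $path -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue).MDMWinsOverGP
    }

    $note = switch ($value) {
        1       { 'MDM policy wins over conflicting Group Policy' }
        0       { 'Explicitly disabled: Group Policy still wins on conflict' }
        default { 'Not set: profile not yet synced, device not enrolled, or OMA-URI mistyped' }
    }

    [pscustomobject]@{ Applied = ($value -eq 1); Value = $value; Build = $build; Note = $note }
}

Test-MdmWinsOverGp | Format-List
```

If Applied comes back false after a device sync, compare the OMA-URI in the profile character by character with the one above; a mistyped path is silently ignored by the CSP rather than reported as an error.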

Regards
The Author – Blogabout.Cloud

QuickTip: Unable to see available applications for Windows 10 device in Company Portal

When enrolling new or existing Windows 10 devices into Microsoft Endpoint Manager, the user may not be able to see the available applications straight away, as shown below;

Screenshot of no device shown.

The resolution for this is a very simple one from the Company Portal

http://portal.manage.microsoft.com go to ‘Devices’

Select Tap here.

Screenshot of my devices.

On the next screen, select your device to enroll it.

Screenshot of selecting which device.

You are returned to My Devices. The device should show a green check, as shown in the following screenshot.

Screenshot of my devices.

Return to the Apps screen. The applications should now be visible.

Screenshot of apps displayed.

Regards
The Author – Blogabout.Cloud

Deploy Win32 Apps with Endpoint Manager (Intune) MSI Edition.

In this post, we will detail how to deploy Win32 Apps with Endpoint Manager. We’ll deploy GitHub with the MSI installer as an example.

Win32 Apps Endpoint Manager Prerequisites

Intune Win32 Application

Prepare Endpoint Manager Win32 application

First, you need to “wrap” all the required files into an Endpoint Manager (Intune) format. To do so, Microsoft has a tool that will “convert” your application into a .intunewin file at the end of the process. The generated .intunewin file contains all compressed and encrypted source setup files and the encryption information to decrypt it.

Important Info
  • To view help, run IntuneWinAppUtil.exe -h.
  • Download the Microsoft Win32 Content Prep Tool and have the desired application source files.
  • Open a command prompt as admin and browse to the folder of IntuneWinAppUtil.exe
  • Run the following command line
    • IntuneWinAppUtil.exe -c <source folder> -s <source setup file> -o <output folder>
In this example we wrapped the GitHub Desktop MSI: IntuneWinAppUtil.exe -c D:\Intune -s GitHubDesktopSetup.msi -o d:\intune

Create Microsoft Endpoint Manager Win32 Application

Endpoint Manager Win32 Apps
  • Select Windows app (Win32) from the App type drop list
  • On the App Information pane click Select App package file and select the previously created .intunewin file and click Ok
  • Complete the missing App Information. Click Next
  • Depending on the application format, install and uninstall command lines will be auto-completed. Adjust the parameter if needed. Click Next
  • On the Requirement pane, OS architecture and minimum OS are required. Click Next
Endpoint Manager Win32 Apps
  • Detection rules work the same way as in ConfigMgr application model. In the case of an MSI, it is simple. Select Manually configure detection rule, select rule type MSI and the MSI Product Code should be auto-populated. Click Next
  • On the Dependencies tab: Software dependencies are applications that must be installed before this application can be installed. Adjust if needed. Click Next
  • On the Assignment tab, select the group of users or computer to deploy the Win32 App
Endpoint Manager Win32 Apps
  • Review your Win32 App setting and click Create
At this point, it will upload the .intunewin file and soon after, a notification will display to say it's ready to go!
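The MSI detection rule above keys on the ProductCode, so it is worth reading that value straight out of the MSI you wrapped and checking what a device would report. The following is an added example, not part of the original post or of the Win32 Content Prep Tool; it uses the WindowsInstaller.Installer COM object that ships with Windows, and the function names are my own:

```powershell
# Added example (not from the original post): read the ProductCode (or any
# Property-table value) from an MSI, then check whether that product is
# registered on the local machine the way an MSI detection rule would see it.

function Get-MsiProperty {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Property = 'ProductCode'
    )
    $fullPath  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0) opens the MSI read-only
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($fullPath, 0))
    $query = "SELECT Value FROM Property WHERE Property = '$Property'"
    $view  = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $record) { throw "Property '$Property' not found in $Path" }
    # StringData(1) is the first (only) column of the SELECT
    $value = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, 1)
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    [System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer) | Out-Null
    return $value
}

function Test-MsiProductInstalled {
    param([Parameter(Mandatory)][string]$ProductCode)
    # Per-machine MSI installs register under Uninstall keyed by ProductCode (64-bit and 32-bit views)
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
    )
    foreach ($k in $keys) { if (Test-Path -Path $k) { return $true } }
    return $false
}

# Path from the wrapping step above
$msi  = 'D:\Intune\GitHubDesktopSetup.msi'
$code = Get-MsiProperty -Path $msi
$ver  = Get-MsiProperty -Path $msi -Property 'ProductVersion'
"ProductCode    : $code"
"ProductVersion : $ver"
"Installed here : $(Test-MsiProductInstalled -ProductCode $code)"
```

If the ProductCode Intune auto-populated differs from what this returns, the wrong MSI was wrapped; a per-user MSI (ALLUSERS not set) registers under HKCU instead, which is a common reason a detection rule never turns green.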

Regards
The Author – Blogabout.Cloud

Decrapifying your Windows Autopilot devices

If you are anything like me, you will share a pet hate for Windows 10 bloatware on brand new devices. In the “good old days” you would get an image without the crap installed and that would be it, but with Windows Autopilot deployments the bloatware is preinstalled, so how do we deal with this challenge today?

The Script

First of all, we need a script that will remove the Windows 10 bloatware; here is a script that I have modified to make it a bit smoother for what we are trying to achieve.

https://github.com/TheWatcherNode/blogaboutcloud/blob/master/Get-Windows10_Bloater.ps1
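For readers who want to see the core of what such a script does, here is an added example that is not the Get-Windows10_Bloater.ps1 linked above. It removes an explicit list of inbox apps both from the provisioned image (so new Autopilot profiles never receive them) and from existing user profiles, logging each removal; the package list and log path are assumptions to adjust for your own estate:

```powershell
# Added example (not the blog's Get-Windows10_Bloater.ps1): remove a fixed list
# of inbox apps for the image and for existing users, logging every action.
# Intended to run as SYSTEM from an Intune PowerShell script.

function Remove-InboxApp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$LogPath = "$env:ProgramData\Decrapify.log"   # assumed log location
    )

    function Write-Log([string]$Message) {
        Add-Content -Path $LogPath -Value ("{0:s} {1}" -f (Get-Date), $Message)
    }

    # Provisioned packages are what every new user profile gets; remove these first
    $provisioned = Get-AppxProvisionedPackage -Online

    foreach ($n in $Name) {
        foreach ($p in ($provisioned | Where-Object DisplayName -eq $n)) {
            if ($PSCmdlet.ShouldProcess($p.PackageName, 'Remove-AppxProvisionedPackage')) {
                Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
                Write-Log "Removed provisioned package $($p.PackageName)"
            }
        }
        # Copies already installed for existing users (-AllUsers requires an elevated/SYSTEM context)
        foreach ($a in (Get-AppxPackage -AllUsers -Name $n)) {
            if ($PSCmdlet.ShouldProcess($a.PackageFullName, 'Remove-AppxPackage')) {
                Remove-AppxPackage -Package $a.PackageFullName -AllUsers -ErrorAction SilentlyContinue
                Write-Log "Removed package $($a.PackageFullName)"
            }
        }
    }
}

# Explicit denylist (assumed): name each package rather than using wildcards, so
# the Store, Calculator and other apps users rely on are never caught by accident.
$bloat = @(
    'Microsoft.BingWeather',
    'Microsoft.GetHelp',
    'Microsoft.Getstarted',
    'Microsoft.MicrosoftSolitaireCollection',
    'Microsoft.SkypeApp',
    'Microsoft.XboxApp',
    'Microsoft.ZuneMusic',
    'Microsoft.ZuneVideo'
)

Remove-InboxApp -Name $bloat
```

Run it once with -WhatIf on a test device to see exactly which packages would go before assigning it; a denylist is deliberately chosen over a wildcard removal because the latter is how Store or Calculator end up missing from a fleet.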

Microsoft Endpoint Manager Console

Log into your Microsoft Endpoint Manager Dashboard using the https://endpoint.microsoft.com portal. Then select Devices –> Scripts and Add

Select Windows 10 not macOS then provide the name of the script and a brief description

Under script location browse to the required PowerShell script on your client device.

Understanding this section

Run this script using the logged on credentials: Select Yes to run the script with the user’s credentials on the device. Choose No (default) to run the script in the system context. Many administrators choose Yes. If the script is required to run in the system context, choose No.

Enforce script signature check: Select Yes if the script must be signed by a trusted publisher. Select No (default) if there isn’t a requirement for the script to be signed.

Run script in 64-bit PowerShell host: Select Yes to run the script in a 64-bit PowerShell (PS) host on a 64-bit client architecture. Selecting No (default) runs the script in a 32-bit PowerShell host.

Specify tags if you are utilizing them in your environment and, once you have completed that section, select the groups where you want the script applied.

Review your settings and press Add

This script will now apply to your Windows 10 device and remove all the unwanted Windows 10 Bloatware.

Regards
The Author – Blogabout.Cloud

Version 2004 – Windows 10 and Server Security Baseline

This week Microsoft announced the final release of the security configuration baseline settings for Windows 10 and Windows Server version 2004. This version adds 1 policy and removes 1 policy, and Microsoft has also made 2 recommendations that organizations might consider worth implementing.

Download the Microsoft Security Compliance Toolkit that allows you to test the recommended configurations, and customize/implement as appropriate.

Notable changes are as follows:

LDAP Channel Binding Requirements (Configuration: Policy updated)

In the Windows Server version 1809 Domain Controller baseline we created and enabled a new custom MS Security Guide setting called Extended Protection for LDAP Authentication (Domain Controllers only) based on the values provided here. This setting is now provided as part of Windows and no longer requires a custom ADMX. An announcement was made in March of this year and now all supported Active Directory domain controllers can configure this policy. The value will remain the same in our baseline, but the setting has moved to the new location. We are deprecating our custom setting. The new setting location is: Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements.

Note: this new policy requires the March 10, 2020 security update. (We assume that, as security conscious baseline users, you are patching!) Details of that patch are here.

Microsoft Defender Antivirus File Hash (Configuration: Worth considering)

Microsoft Defender Antivirus continues to enable new features to better protect consumers and enterprises alike. As part of this journey Windows has a new setting to compute file hashes for every executable file that is scanned, if it wasn't previously computed. You can find this new setting here: Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature.

You should consider using this feature to improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (MDATP). This new feature forces the engine to compute the full file hash for all executable files that are scanned. This can have a performance cost, which we minimize by only generating hashes on first sight. The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.

Because this setting is less helpful for customers who are not using MDATP, we have not added it to the baseline, but we felt it was potentially impactful enough to call out. If you choose to enable this setting, we recommend throttling the deployment to ensure you measure the impact on your users' machines.

Account Password Length (Configuration: Worth considering)

In the Windows 10 1903 security baselines we announced the removal of the account password expiration policy. We continue to invest in improving this experience. With Windows 10 2004, two new security settings have been added for password policies: 'Minimum password length audit' and 'Relax minimum password length limits'. These new settings can be found under Account Policies\Password Policy.

Previously, you could not require passwords/phrases greater than 14 characters. Now you can! Being able to require a length of more than 14 characters (maximum of 128) can help better secure your environment until you can fully implement a multi-factor authentication strategy. Our vision remains unchanged in achieving a password-less future, but we also recognize that this takes time to fully implement across both your users and your existing applications and systems.

You should be cautious with this new setting because it can potentially cause compatibility issues with existing systems and processes. That's why we introduced the 'Minimum password length audit' setting, so you can see what will happen if you increase your password/phrase length. With auditing you can set your limit anywhere between 1 and 128. Three new events are also created as part of this setting and will be logged as new SAM events in the System event log: one event for awareness, one for configuration, and one for error.

This setting will not be added to the baseline as the minimum password length should be audited before broad enforcement due to the risk of application compatibility issues. However, we urge organizations to consider these two settings. Additional details about these new settings will be found here, once the new article gets published in the coming days.

(NOTE: As of today the link is not yet live, we are actively working to ensure it gets posted soon!)

As a reminder, length alone is not always the best predictor of password strength, so we strongly recommend considering solutions such as the on-premises Azure Active Directory Password Protection, which does sub-string matching using a dictionary of known weak terms, and rejects passwords that don't meet a certain score.

Turn on Behavior Monitoring (Configuration: Policy removed)

In keeping with our principles of criteria for baseline inclusion we have found that the following setting does not need to be enforced: there is no UI path to the setting, you must be a privileged account to make the change, and lastly we do not feel a misinformed admin would change this setting. Based on these principles we are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring.
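Three of the items above can be checked directly on a device: the LDAP channel binding policy (on domain controllers), the Defender file hash computation preference, and behaviour monitoring, which the baseline now leaves unenforced and therefore worth watching for drift. The following is an added example, not part of the baseline release or this post; it reads the NTDS registry value the Security Options policy writes and the Defender preferences exposed by Get-MpPreference, and the function names are my own:

```powershell
# Added example (not part of the baseline release or this post): audit a device
# against the 2004 baseline items discussed above and report each as a finding.

function New-Finding {
    param([string]$Setting, $Value, [string]$Assessment)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Assessment = $Assessment }
}

function Invoke-Baseline2004Audit {
    $findings = @()

    # "Domain controller: LDAP server channel binding token requirements" is stored as
    # LdapEnforceChannelBinding under the NTDS parameters: 0 = never, 1 = when supported,
    # 2 = always. The key only exists on a domain controller.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if (Test-Path -Path $ntds) {
        $cbt = (Get-ItemProperty -Path $ntds).LdapEnforceChannelBinding
        $assessment = switch ($cbt) {
            2       { 'Channel binding always required' }
            1       { 'Channel binding required when the client supports it' }
            default { 'Not enforced: configure via Security Options (needs the March 10, 2020 update)' }
        }
        $findings += New-Finding 'LdapEnforceChannelBinding' $cbt $assessment
    } else {
        $findings += New-Finding 'LdapEnforceChannelBinding' 'n/a' 'Not a domain controller'
    }

    # Microsoft Defender Antivirus preferences (Defender module, built into Windows 10)
    $mp = Get-MpPreference

    $findings += New-Finding 'EnableFileHashComputation' $mp.EnableFileHashComputation $(
        if ($mp.EnableFileHashComputation) { 'On: full hashes computed for MDATP custom indicators' }
        else { 'Off (baseline default): consider enabling, throttled, where MDATP indicators are used' })

    # Behaviour monitoring was removed from the baseline because nobody should turn it off;
    # seeing it disabled is therefore a signal worth investigating, not a configuration choice.
    $findings += New-Finding 'DisableBehaviorMonitoring' $mp.DisableBehaviorMonitoring $(
        if ($mp.DisableBehaviorMonitoring) { 'Behaviour monitoring is OFF: investigate how this was changed' }
        else { 'Behaviour monitoring on (expected default)' })

    return $findings
}

Invoke-Baseline2004Audit | Format-Table -AutoSize
```

The password length settings are deliberately left out: the audit events described above are the intended way to observe their effect, and the article giving their details had not been published at the time of the post.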

Regards
The Author – Blogabout.Cloud

Installing PowerShell modules using Microsoft Endpoint Manager

In this video I show how I install all the common PowerShell modules that I use when building/provisioning Windows 10 devices that are registered in MEM.
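For those who prefer text to video, here is an added example (not the script from the video) of the shape such an Intune script takes when it runs as SYSTEM: no prompts are possible, the NuGet provider has to be bootstrapped first, PSGallery needs TLS 1.2, and the modules go into the AllUsers scope. The module list is an assumption to replace with your own; pinning versions is a choice explained in the comments:

```powershell
# Added example (not the blog's script): install a pinned set of PowerShell modules
# for all users, suitable for running non-interactively as SYSTEM from Intune.
$ErrorActionPreference = 'Stop'

# Module name -> required version ($null = latest). Assumed list; pin versions where
# you can so every device receives the same reviewed code rather than whatever is newest.
$modules = [ordered]@{
    'AzureAD'                  = $null
    'MSOnline'                 = $null
    'ExchangeOnlineManagement' = $null
}

# PowerShell Gallery requires TLS 1.2, which Windows PowerShell 5.1 does not enable by default
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Bootstrap the NuGet provider without prompting (no interactive session under SYSTEM)
if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
}

function Install-PinnedModule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$RequiredVersion
    )
    $label = if ($RequiredVersion) { $RequiredVersion } else { 'latest' }

    # Skip work already done, so the script is safe to re-run on every check-in
    $installed = Get-Module -ListAvailable -Name $Name
    if ($installed -and (-not $RequiredVersion -or $installed.Version -contains [version]$RequiredVersion)) {
        return "$Name already present ($($installed.Version -join ', '))"
    }

    $params = @{ Name = $Name; Scope = 'AllUsers'; Repository = 'PSGallery'; Force = $true; AllowClobber = $true }
    if ($RequiredVersion) { $params.RequiredVersion = $RequiredVersion }

    # -Force suppresses the untrusted-repository prompt for this call only, so PSGallery
    # does not have to be marked Trusted machine-wide for every future Install-Module.
    Install-Module @params
    return "$Name installed ($label)"
}

foreach ($m in $modules.Keys) {
    Install-PinnedModule -Name $m -RequiredVersion $modules[$m]
}
```

Leaving PSGallery untrusted and using -Force per call is the deliberate choice here: it keeps the decision to install gallery code inside the reviewed script rather than granting it to anything that later runs Install-Module on the device.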

Regards
The Author – Blogabout.Cloud

Configuring your Windows 10 devices with custom Desktop and Lockscreen backgrounds with Microsoft Endpoint Manager.

Using Microsoft Endpoint Manager and Azure Blob Storage to deliver customized Desktop and Lockscreen backgrounds.

Regards
The Author – Blogabout.Cloud