MDM

Intune – Deploy required user settings to Windows 10 with powershell

Martin Wüthrich Application Management, Azure AD, Client Settings, EMM, General, Intune, MDM, Operating System Deployment, Powershell, Remote Workplace, Windows 10

In this blog I would like to describe, how I managed to set required user settings to Windows 10.
Since I still do have an On-Premises environment, in which also File Servers reside and a DFS Namespace is still up and running, I wanted to make sure to get the advantages of using the local network.
So here are my two use-cases to solve:
1. Add a Network location for the DFS Path if the user is logged on On-Premises
2. Modify the local “host” file, to redirect the workfolder clients to the file server internally
Continue reading

Intune Autopilot – Prepopulate the Startmenu

Martin Wüthrich Client Settings, Company, EMM, Intune, MDM, Office365, Setup, Windows 10

It might be not that popular with Windows 10, but every company wants a well curated startmenu, rather than the default delivered from Microsoft:

We have multiple Options to configure the startmenu, I’m sure I don’t know them all. But when it comes to Windows 10 and Intune autopilot, we do not really have an option as what I have considered. This blog tries to catch the available options we currently have with Intune and Autopilot.
Continue reading

Intune – Configure “Fast startup” (HiberBoot) for Windows 10

Martin Wüthrich Azure AD, homelab, MDM, Remote Workplace, Windows 10

Since I changed my clients from GPO managed to Intune controlled, not all settings from GPO, but some of them needs to be set through Intune as well. As outlined in my previous blog, I tried to disable the Fast Startup Option on Windows 10 through a CSP. And I did not even found a CSP supporting this setting. Within this blog, I would like to show, how you can configure the fast startup (“Turn on fast startup (recommended)”) setting in Windows 10 through Microsoft Intune:

You may ask, why I want to disable this? My reason: I don’t want to reuse a desktop session which was hibernated. And only a reboot will force the client to create a new desktop session, if fast startup is enabled.
Continue reading

Windows 10 settings management with Intune

Martin Wüthrich Azure AD, Client Settings, Endpoint Protection, homelab, MDM, Office365, Remote Workplace, Windows 10

When a journey ends, a new journey will begin. My journey with the old school domain joined and GPO managed devices within my LAB ended, and I finally conquer new areas with Azure AD join and Intune controlled devices. Due to the lack of opportunities, I still waited so long, because a lot of settings were not possible to set. And some of them are still not that simple to set through Intune, but there is a solution for, I would like to say, most of the requirements.

So within this blog post, I would like to document my current knowledge of Windows 10 settings management through Intune. As today, we have the following options to configure GPO alike settings through Microsoft Intune:

  • Intune Windows Enrollment settings
  • Intune Portal blade settings
  • Intune Portal Custom CSP settings
  • Intune ADMX-backed administrative template settings (Preview)
  • PowerShell Script

    • Let’s have a closer look to the different options.
    Continue reading

    I have configured “Network Security: Restrict NTLM: NTLM authentication in this domain” months ago, here is why it catched me

    Martin Wüthrich EMM, homelab, MDM

    Today I would like to share my experience with troubleshooting a overcommitted security admin with less knowledge than it would be required (In fact, I’m talking about me here). Some month ago, I read about NTLM (v2 as well), and I decided to restrict NTLM in my LAB, to check what is working afterwards, and what stops working. To my surprise, everything went smooth, and I could not find an issue. So I forgot about this setting, everything seems to work, and it did.

    Lastly I decided to cut off Direct Access, since Microsoft does not invest in its future, and for other reasons, I’m not required to have a permanent connection to the LAB from remote, a VPN would be sufficient. I’m using WorkFolders as well, and secured it with Azure MFA, the same should apply to my VPN connection, the authentication should be not only be covered by Username and Password. With this, the goal was set, and I built up the LAB. Everything went nice, until the first VPN client wanted to connect. The NPS Server gave me the error:
    “The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.”

    Continue reading

    ConfigrMgr 1511 – Service connection point issues

    Martin Wüthrich ConfigMgr, EMM, MDM, SCCM, Windows 10 Mobile

    Hi reader,

    I was running ConfigMgr 1511 from an upgraded System Center 2012 Configuration Manager R2 SP1 Infrastructure with configured Intune Subscription without a problem for more than a month. But due to my Azure Tenant Name selection more than two years ago, I wanted to change the Tenant name from uncoolname.onmicrosoft.com to hosebei.onmicrosoft.com, because you might already guess it: the SharePoint URL.
    Exchange Hybrid and all other Services was not easy, but worked how I planned to do it. But unfortunately the Service Connector did not work after this change, even after changing the Intune Subscription to my new Tenant. Continue reading

    Implement Microsoft Windows Store for Business and Windows 10 Mobile

    Martin Wüthrich Application Management, EMM, MDM, Remote Workplace, Software Deployment, Windows 10, Windows 10 Mobile

    Today I would like to show you how the newly available Microsoft Windows Store for Business works, and how you implement it for your Windows 10 Mobile users.
    The most interesting part for Businesses with the new Store is the fact, that end users do not longer need a Microsoft Account (which is the former Live-ID or MSN Account long time ago), instead they can download and install applications from the store with their Organizational or what I would call them with the Azure Active Directory Account.
    To activate the Business Store for your Azure Tenant, you will need to have an Account with the Global Administrator permission (Source). With this account, you can go on to this Location and sign-up for the Business Store. Continue reading

    SCCM 2012 R2 SP1 – Windows 10 Mobile Management

    Martin Wüthrich EMM, MDM, SCCM 2012, Windows 10

    Hey Reader, yesterday I received my brand new Microsoft Lumia 950, and here is my unboxing video: (hahaha…. ;))
    No, not really, but, here are my experiences when it comes to manage a Windows 10 Mobile Device with System Center 2012 Configuration Manager R2 SP1, and I have also installed the latest cumulative Update (at the moment CU2).
    So I took the Phone and connected it to my WiFi to be able to access the Internet for enrolling the Device with Intune, which worked perfectly as before on my Windows Phone 8.1:
    Windows 10 Mobile Intune enrollment Continue reading

    SCCM 2012 + Intune – Remote Passcode Reset on Windows Phone 8.1

    Martin Wüthrich MDM, SCCM 2012

    In this post I would like to cover the topic of the Remote Passcode Change of a Windows Phone 8.1 Device when used as a Intune enrolled, where Intune is integrated to System Center 2012 Configuration Manager.
    Open your SCCM Console and navigate to the Device where you would like to reset the Passcode. Right-Click on the Device and select “Remote Device Actions”, in the opening Fly-out choose “Reset Passcode”:
    Reset Remote Passcode
    Continue reading