Category: Microsoft

Move Software Updates to Intune with Co-management

To move on with the transition towards Modern Management we can use Co-management in SCCM to decide where settings are coming from. In this specific scenario we will do a switch from Software Updates via SCCM to Intune controlled Software Updates for one test client. I will show you the following steps.

  1. How to setup the Co-management connection in SCCM
  2. How to configure the Co-management connection to be able to switch Software updates from SCCM to a pilot Intune group
  3. How to configure a Windows 10 Update Ring in Intune and assign to a group
  4. How to verify that the client are getting the correct settings

Prerequisites for this scenario:

  • A test client (in my case running 1809)
  • SCCM environment (in my case running 1810)
  • Intune environment
  • Hybrid Azure AD Joined device
  • An Intune group with the test client as a member
  • Company Portal installed on a client

Step 1 and 2 – This step in done in SCCM console

\Administration\Overview\Cloud Services\Co-management

1.Co-management > Configure Co-management

2. Next

3. Sign in

4. Logon with an Intune Administrator (Global administrator in my case)

5. Next

6. Automatic enrollment in Intune > Pilot

7. Next

8. Workloads > Switch Windows Updates policies to Pilot Intune

9. Pilot collection > Choose a collection with your test client

10. Next

11. Done

 

Step 3 – This step is done in Intune

https://devicemanagement.portal.azure.com

1. Software updates

2. Windows 10 Update Rings

3. Create

4. Name: SU-Windows 10-Test

5. Description: Software Update – Test group

6. Settings
Below are an example, please configure it so it fits your environment

7. Assignments

8. Select groups to include > Group with test client

9. Save

 

Step 4 – This step is done on the test client

1. Open Company Portal

2. Settings > Sync

3. Run > control update

4. View configured update polices

5. Look under Policies set on your device – here we want to see that settings are coming from Mobile Device Management as below

6. Be sure to turn off any GPO:s that might turn off access to Windows Updates

7. Done

This is how you make the switch over to Intune and as you can see it doesn’t require that much.

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

 



Intune – Administrative Templates (Preview) are here

Microsoft has now released their Administrative Templates (Preview) for Intune which makes it a lot more simple to use settings like controlling a OneDrive setup, changing Office settings or configure Internet Explorer.

So where do you find this new functionality?

  1. Login to the Intune Management Portal
  2. Go to Device Configuration > Profiles > Create profile
    • Name: Enter a Profile name
    • Platform: Windows 10 and later
    • Profile type: Administrative Templates (Preview)
  3. Select Create
  4. Select Settings
    • Here you can see a list of all the available Administrative Templates that can be configured (please see the complete list below as of right now)
  5. Start configure your desired settings
  6. Save
  7. Assign to a group
  8. Done
SETTING NAME PATH
Access data sources across domains\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Access data sources across domains\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
All Processes\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install
All Processes\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
All Processes\Windows Components\Internet Explorer\Security Features\Restrict File Download
All Processes\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation
Allow active scripting\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow background saves\Microsoft Publisher 2016\Publisher Options\Save
Allow background saves\Microsoft Word 2016\Word Options\Advanced
Allow binary and script behaviors\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow cut, copy or paste operations from the clipboard via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow cut, copy or paste operations from the clipboard via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow drag and drop or copy and paste files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow drag and drop or copy and paste files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow file downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow font downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow font downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow loading of XAML files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow loading of XAML files\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow META REFRESH\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow only approved domains to use ActiveX controls without prompt\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow only approved domains to use ActiveX controls without prompt\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow only approved domains to use the TDC ActiveX control\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow only approved domains to use the TDC ActiveX control\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow printers to be published\Printers
Allow Remote Shell Access\Windows Components\Windows Remote Shell
Allow script-initiated windows without size or position constraints\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow script-initiated windows without size or position constraints\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow scripting of Internet Explorer WebBrowser controls\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow scripting of Internet Explorer WebBrowser controls\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow scriptlets\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow scriptlets\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow software to run or install even if the signature is invalid\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Allow standby states (S1-S3) when sleeping (plugged in)\System\Power Management\Sleep Settings
Allow syncing OneDrive accounts for only specific organizations\System\OneDrive
Allow text to be dragged and dropped\Microsoft PowerPoint 2016\PowerPoint Options\Advanced
Allow text to be dragged and dropped\Microsoft Publisher 2016\Publisher Options\Advanced
Allow Trusted Locations on the network\Microsoft Excel 2016\Excel Options\Security\Trust Center\Trusted Locations
Allow updates to status bar via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Allow updates to status bar via script\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Allow users to connect remotely by using Remote Desktop Services\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
Always prompt for password upon connection\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Auto Save every\Microsoft Project 2016\Project Options\Save\Auto Save Options
Automatic prompting for file downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Automatic prompting for file downloads\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Automatically receive small updates to improve reliability\Microsoft Office 2016\Privacy\Trust Center
AutoRecover delay\Microsoft Excel 2016\Excel Options\Save
AutoRecover files\Microsoft Word 2016\Word Options\Advanced\File Locations
AutoRecover save location\Microsoft Excel 2016\Excel Options\Save
AutoRecover time\Microsoft Excel 2016\Excel Options\Save
Block additional file extensions for OLE embedding\Microsoft Office 2016\Security Settings
Block macros from running in Office files from the Internet\Microsoft Word 2016\Word Options\Security\Trust Center
Block macros from running in Office files from the Internet\Microsoft Visio 2016\Visio Options\Security\Trust Center
Block macros from running in Office files from the Internet\Microsoft Excel 2016\Excel Options\Security\Trust Center
Block macros from running in Office files from the Internet\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Block social network contact synchronization\Microsoft Outlook 2016\Outlook Social Connector
Block specific social network providers\Microsoft Outlook 2016\Outlook Social Connector
Block syncing OneDrive accounts for specific organizations\System\OneDrive
Block the Office Store\Microsoft Office 2016\Security Settings\Trust Center\Trusted Catalogs
Boot-Start Driver Initialization Policy\System\Early Launch Antimalware
Capitalize first letter of sentence\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Capitalize first letter of sentence\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Capitalize names of days\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Capitalize names of days\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Check ActiveX objects\Microsoft Office 2016\Security Settings
Check for server certificate revocation\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Check for signatures on downloaded programs\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Check grammar with spelling\Microsoft Word 2016\Word Options\Proofing
Check grammar with spelling\Microsoft PowerPoint 2016\PowerPoint Options\Proofing
Check OLE objects\Microsoft Office 2016\Security Settings
Check spelling as you type\Microsoft Publisher 2016\Publisher Options\Proofing
Check spelling as you type\Microsoft PowerPoint 2016\PowerPoint Options\Proofing
Coauthoring and in-app sharing for Office files\System\OneDrive
Configure Solicited Remote Assistance\System\Remote Assistance
Control Event Log behavior when the log file reaches its maximum size\Windows Components\Event Log Service\Application
Correct accidental usage of cAPS LOCK key\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Correct accidental use of cAPS LOCK key\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Correct TWo INitial CApitals\Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Correct TWo INitial CApitals\Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Customize consent settings\Windows Components\Windows Error Reporting\Consent
Customize warning messages\System\Remote Assistance
Default file format\Microsoft Excel 2016\Excel Options\Save
Default file format\Microsoft PowerPoint 2016\PowerPoint Options\Save
Default file location\Microsoft Excel 2016\Excel Options\Save
Default location for OST files\Microsoft Outlook 2016\Miscellaneous\PST Settings
Default location for PST files\Microsoft Outlook 2016\Miscellaneous\PST Settings
Delay updating OneDrive.exe until the second release wave\System\OneDrive
Disable All ActiveX\Microsoft Office 2016\Security Settings
Disable changing home page settings\Windows Components\Internet Explorer
Disable First Run Movie\Microsoft Office 2016\First Run
Disable Office connections to social networks\Microsoft Outlook 2016\Outlook Social Connector
Disable Opt-in Wizard on first run\Microsoft Office 2016\Privacy\Trust Center
Disable Reading Pane Compose\Microsoft Outlook 2016\Outlook Options\Mail\Compose Messages
Disable the Office Start screen for Access\Microsoft Access 2016\Miscellaneous
Disable the Office Start screen for Project\Microsoft Project 2016\Miscellaneous
Disable the Office Start screen for Publisher\Microsoft Publisher 2016\Miscellaneous
Disable the Office Start screen for Word\Microsoft Word 2016\Miscellaneous
Disable Weather Bar\Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options
Disable Windows Error Reporting\Windows Components\Windows Error Reporting
Disallow Autoplay for non-volume devices \Windows Components\AutoPlay Policies
Display Error Notification \Windows Components\Windows Error Reporting
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Do not allow drive redirection \Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Do not allow passwords to be saved \Windows Components\Remote Desktop Services\Remote Desktop Connection Client
Do not allow Windows to activate Enhanced Storage devices \System\Enhanced Storage Access
Do not display network selection UI \System\Logon
Do not display the password reveal button \Windows Components\Credential User Interface
Do not display the reading pane \Microsoft Outlook 2016\Outlook Options\Other
Do not preserve zone information in file attachments \Windows Components\Attachment Manager
Do not send additional data \Windows Components\Windows Error Reporting
Do not show social network info-bars \Microsoft Outlook 2016\Outlook Social Connector
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Don’t run antimalware programs against ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Download signed ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Download signed ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Download unsigned ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Download unsigned ActiveX controls \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable Automatic Updates \Microsoft Office 2016 (Machine)\Updates
Enable Customer Experience Improvement Program \Microsoft Office 2016\Privacy\Trust Center
Enable dragging of content from different domains across windows \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable dragging of content from different domains across windows \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Enable dragging of content from different domains within a window \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Enable dragging of content from different domains within a window \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable MIME Sniffing \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Enable MIME Sniffing \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Enable OneDrive Files On-Demand \System\OneDrive
Enable RPC Endpoint Mapper Client Authentication \System\Remote Procedure Call
Enumerate administrator accounts on elevation \Windows Components\Credential User Interface
General \Microsoft Outlook 2016\Outlook Options\Spelling
Hardened UNC Paths \Network\Network Provider
Hide option to enable or disable updates \Microsoft Office 2016 (Machine)\Updates
Hide the Office Store button \Microsoft Outlook 2016\Outlook Options\Other
Hide Update Notifications \Microsoft Office 2016 (Machine)\Updates
Ignore words in UPPERCASE \Microsoft Office 2016\Tools | Options | Spelling
Ignore words with numbers \Microsoft Office 2016\Tools | Options | Spelling
Improve Proofing Tools \Microsoft Office 2016\Tools | Options | Spelling\Proofing Data Collection
Include local path when user is uploading files to a server \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Include local path when user is uploading files to a server \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Initialize and script ActiveX controls not marked as safe \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature
Internet Explorer Processes \Windows Components\Internet Explorer\Security Features\Notification bar
Intranet Sites: Include all network paths (UNCs) \Windows Components\Internet Explorer\Internet Control Panel\Security Page
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
Java permissions \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Large PST: Absolute maximum size \Microsoft Outlook 2016\Miscellaneous\PST Settings
Large PST: Size to disable adding new content \Microsoft Outlook 2016\Miscellaneous\PST Settings
Launching applications and files in an IFRAME \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Launching applications and files in an IFRAME \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Legacy PST: Absolute maximum size \Microsoft Outlook 2016\Miscellaneous\PST Settings
Legacy PST: Size to disable adding new content \Microsoft Outlook 2016\Miscellaneous\PST Settings
Logon options \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Logon options \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Migrate Pre-existing TeamSites with OneDrive Files On-Demand \System\OneDrive
Navigate windows and frames across different domains \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Navigate windows and frames across different domains \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Notify antivirus programs when opening attachments \Windows Components\Attachment Manager
Online Content Options \Microsoft Office 2016\Tools | Options | General | Service Options…\Online Content
Open e-mail attachments in Reading View \Microsoft Word 2016\Word Options\General
Permanently remove all deleted content from PST and OST files \Microsoft Outlook 2016\Miscellaneous\PST Settings
Point and Print Restrictions \Printers
Point and Print Restrictions \Control Panel\Printers
Prevent display of the user interface for critical errors \Windows Components\Windows Error Reporting
Prevent enabling lock screen slide show \Control Panel\Personalization
Prevent ignoring certificate errors \Windows Components\Internet Explorer\Internet Control Panel
Prevent installation of devices that match any of these device IDs \System\Device Installation\Device Installation Restrictions
Prevent installation of devices using drivers that match these device setup classes \System\Device Installation\Device Installation Restrictions
Prevent managing SmartScreen Filter \Windows Components\Internet Explorer
Prevent OneDrive from generating network traffic until the user signs in to OneDrive \System\OneDrive
Prevent per-user installation of ActiveX controls \Windows Components\Internet Explorer
Prevent users from adding new content to existing PST files \Microsoft Outlook 2016\Miscellaneous\PST Settings
Prevent users from changing the location of their OneDrive folder \System\OneDrive
Prevent users from synchronizing personal OneDrive accounts \System\OneDrive
Prevent users from using the remote file fetch feature to access files on the computer \System\OneDrive
Prohibit User from manually redirecting Profile Folders \Desktop
Remove “Run this time” button for outdated ActiveX controls in Internet Explorer \Windows Components\Internet Explorer\Security Features\Add-on Management
Replace text as you type \Microsoft Word 2016\Word Options\Proofing\AutoCorrect
Replace text as you type \Microsoft Office 2016\Tools | AutoCorrect Options… (Excel, PowerPoint and Access)
Require a password when a computer wakes (on battery) \System\Power Management\Sleep Settings
Require a password when a computer wakes (plugged in) \System\Power Management\Sleep Settings
Require secure RPC communication \Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Restrict Unauthenticated RPC clients \System\Remote Procedure Call
Run .NET Framework-reliant components not signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Run .NET Framework-reliant components not signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Run .NET Framework-reliant components signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Run .NET Framework-reliant components signed with Authenticode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Run ActiveX controls and plugins \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Save AutoRecover info \Microsoft Excel 2016\Excel Options\Save
Save AutoRecover info \Microsoft Word 2016\Word Options\Save
Save AutoRecover info \Microsoft PowerPoint 2016\PowerPoint Options\Save
Save AutoRecover info every (minutes) \Microsoft Publisher 2016\Publisher Options\Save
Save Interval \Microsoft Project 2016\Project Options\Save\Auto Save Options
Script ActiveX controls marked safe for scripting \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Scripting of Java applets \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Security Zones: Do not allow users to add/delete sites \Windows Components\Internet Explorer
Security Zones: Do not allow users to change policies \Windows Components\Internet Explorer
Service Level Options \Microsoft Office 2016\Tools | Options | General | Service Options…\Online Content
Set client connection encryption level \Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Set maximum Kerberos SSPI context token buffer size \System\Kerberos
Set the default behavior for AutoRun \Windows Components\AutoPlay Policies
Set the default location for the OneDrive folder \System\OneDrive
Set the maximum download bandwidth that OneDrive.exe uses \System\OneDrive
Set the maximum percentage of upload bandwidth that OneDrive.exe uses \System\OneDrive
Set the maximum upload bandwidth that OneDrive.exe uses \System\OneDrive
Show security warning for potentially unsafe files \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Show security warning for potentially unsafe files \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Silently configure OneDrive using the primary Windows account \System\OneDrive
Specify the maximum log file size (KB) \Windows Components\Event Log Service\Application
Specify the maximum log file size (KB) \Windows Components\Event Log Service\Security
Specify the maximum log file size (KB) \Windows Components\Event Log Service\System
Specify use of ActiveX Installer Service for installation of ActiveX controls \Windows Components\Internet Explorer
Target Version \Microsoft Office 2016 (Machine)\Updates
The maximum size of a user’s OneDrive for Business before they will be prompted to choose which folders are downloaded \System\OneDrive
Turn off app notifications on the lock screen \System\Logon
Turn off Autoplay \Windows Components\AutoPlay Policies
Turn off blocking of outdated ActiveX controls for Internet Explorer \Windows Components\Internet Explorer\Security Features\Add-on Management
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains \Windows Components\Internet Explorer\Security Features\Add-on Management
Turn off Crash Detection \Windows Components\Internet Explorer
Turn off downloading of print drivers over HTTP \System\Internet Communication Management\Internet Communication settings
Turn off Internet download for Web publishing and online ordering wizards \System\Internet Communication Management\Internet Communication settings
Turn off Outlook Social Connector \Microsoft Outlook 2016\Outlook Social Connector
Turn off picture password sign-in \System\Logon
Turn off printing over HTTP \System\Internet Communication Management\Internet Communication settings
Turn off Protected View for attachments opened from Outlook \Microsoft Excel 2016\Excel Options\Security\Trust Center\Protected View
Turn off Protected View for attachments opened from Outlook \Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\Protected View
Turn off System Restore \System\System Restore
Turn off the Security Settings Check feature \Windows Components\Internet Explorer
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on certificate address mismatch warning \Windows Components\Internet Explorer\Internet Control Panel\Security Page
Turn on convenience PIN sign-in \System\Logon
Turn on Cross-Site Scripting Filter \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on Enhanced Protected Mode \Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Turn on Protected Mode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on Protected Mode \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Turn on session logging \System\Remote Assistance
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Turn on SmartScreen Filter scan \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Turn on the auto-complete feature for user names and passwords on forms \Windows Components\Internet Explorer
Typing replaces selected text \Microsoft Word 2016\Word Options\Advanced
Update Channel \Microsoft Office 2016 (Machine)\Updates
Update Deadline \Microsoft Office 2016 (Machine)\Updates
Update Path \Microsoft Office 2016 (Machine)\Updates
Use CTRL + Click to follow hyperlink \Microsoft Word 2016\Word Options\Advanced
Use Pop-up Blocker \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Use Pop-up Blocker \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Userdata persistence \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Userdata persistence \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Users can choose how to handle Office files in conflict \System\OneDrive
VBA Macro Notification Settings \Microsoft Excel 2016\Excel Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft Access 2016\Application Settings\Security\Trust Center
VBA Macro Notification Settings \Microsoft Project 2016\Project Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft Visio 2016\Visio Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft Publisher 2016\Security\Trust Center
VBA Macro Notification Settings \Microsoft Word 2016\Word Options\Security\Trust Center
VBA Macro Notification Settings \Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center
Weather Bar Update Frequency \Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options
Weather Service URL \Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options
Web sites in less privileged Web content zones can navigate into this zone \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Web sites in less privileged Web content zones can navigate into this zone \Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
When formatting, automatically format entire word \Microsoft Publisher 2016\Publisher Options\Advanced
When selecting, automatically select entire word \Microsoft PowerPoint 2016\PowerPoint Options\Advanced
When selecting, automatically select entire word \Microsoft Publisher 2016\Publisher Options\Advanced

If you have any questions, feel free to email me at tobias.sandberg@xenit.se or comment down below. I will try to answer you as soon as possible.

Happy configuring!



How to handle pinned start menu apps in Windows 10

As I have been working with customizing Windows 10 for a while now, it has never worked against me this much. However, sometimes Windows do have its ways of working against you. With challenges like these you get the opportunity to spend a lot of time coming up with a solution. So this blog post is about my battle with the start menu of Windows 10 Professional. If you are here for the quick solution, skip to the bottom and the TL;DR section.

The Problem:

I have been able to customize the start menu of Windows 10 with ease since version 1511 with the Export / Import-StartLayout cmdlet. But this time I got a request to remove all the pinned apps on the right side of the start menu. A colleague discussed this and he told me he had done a similar solution inside a Citrix Virtual Desktop, and he spent quite the amount of time with this, I thought this would be much easier than it turned out to be. So the requested start menu should at the end look something like this upcoming picture, with the following demands:

  • No pinned apps on the right box or the start menu
  • In the task bar, have Chrome & Explorer pinned. 

This was the requested layout

To begin with, I created an XML file with just Chrome & Explorer pinned in the task bar, and having set the <DefaultLayoutOverride LayoutCustomizationRestrictionType=”OnlySpecifiedGroups”> . My thought was that this would give me a clean start menu, but this was my first failed attempt. The colleague of mine who preciously had a similar issue in a Citrix environment had during his research time come across this post containing a script called “Pin-Apps“. This script contained a Unpin function which turned out to be very helpful. So I started adapting my work after this script. But this is where I came across my second setback. First, I was not able to have this script and the Import-StartLayout-script in the same logon script, nor having one script on startup, and one on login, so I had to think of a way configure this in my isolated lab environment.

Luckily, I’ve been working a lot with OS-deployment, so I created a Task Sequence containing the Import-StartLayout-script, which managed to run successfully together with my login-script containing the Pin-Apps script. But here I came across my third setback, which by far had the most impact and was the one I spent the most time struggling with. For some reason I was not able to remove bloatware, such as Candy Crush, Minecraft etc. The script ran successfully, but every time, the outcome looked like this

Some applications would not be removed

I could not understand why these applications would not be removed. I have had to deal with bloat ware before, but then it was just to remove them with Appx-cmdlets. I checked Get-AppxPackage & Get-AppxProvisionedPackage, and ran Remove-AppxPackage and Remove-AppxProvisionedPackage several times, but these apps were not removable and did not show up until I manually selected them, and they started downloading (as shown on the application in the top right corner on the picture). So apparently they were either links or shortcuts to the Windows Store. This is works if you are using Windows 10 Enterprise. 

This is where I started going deep. The apps were all published in the Windows AppStore, so I started looking for any kind of possibilities, with help from Powershell, to by force download all apps in the Windows Store. I spent a lot of time with this, but without any success. So I had to rethink my plan. There was no way to have the bloat ware-applications to be downloaded by force, there was no way to remove them by removing them with Appx-cmdlets, and there was no way to have a clean start menu with a XML-file. This gave me the idea. If you can’t beat them, join them. There was no way to actively remove all the applications from the start menu of a Windows 10 Professional, but replacing them worked.

The solution:

As I have yet to find any other way of removing the superfluous applications, creating a new XML replacing the start menu with some random default applications was the only successful way for me. To list these applications, go to Shell:AppsFolder or shell:::{4234d49b-0245-)4df3-b780-3893943456e1} in file explorer.

Applications can be found here

I just chose to pin some of the applications which were default on my start menu, that I knew was very much removable, exported these to a new XML which turned out to it look like this:

From here I had to modify the Pin-Apps script to make it more suitable for a Swedish operating system, and added a register key so it would not run more than once on each user. If you want to lock down the right side of the start menu, you just set or create the LockedStartLayout registry key, located under both HKEY_Local_Machine & HKEY_Current_User\Software\Policies\Microsoft\Windows\Explorer, to 1

If you are running another OS language than Swedish or English, to find the verb for unpin, simply save an application name to the variable $appname (as an example I will use Windows Powershell) and run the following part: 

This will give you all the verbs which are applied to this application. In this case “Unpin from Start” is present.

After modifying the necessary bits I added it to a PowerShell logon script GPO with the parameter -UnpinAll, with the .ps1 file located inside the GPO repository, making sure it’s accessible for everyone.

 

TL;DR: 

If you are running Windows 10 Professional, you need to replace applications in the start menu before removing them, as a suggestion running in a Task Sequence of some kind setting the default start menu layout and then have a GPO to run the PowerShell script stated above.

If you are running Windows 10 Enterprise, just use the Logon script GPO and you will be fine. If you still have some unwanted applications, run a script removing built-in apps (for example this Invoke-RemoveBuiltinApps )

If you have any questions or thoughts about this post, feel free to email me at johan.nilsson@xenit.se



Teams is replacing Skype for Business – how does it (really) work for the user?

Most of us know Teams is replacing Skype for Business in Office 365. There is no official end date but we see indications. Microsoft is no longer adding Skype for Business for new tenants with less than 500 users and they say Teams is now complete. Yesterday we also saw the first indication that Microsoft is starting to switch active tenants to Teams – so you better be ready!

Looking at the official Microsoft documentation, all is green and good. Just switch and you will experience all the goodness of Teams. But how does it really work and look for the end user? I assume you already know how Teams works and looks and the way to migrate – this blog post is just how it works for the end-user when it comes to interoperability with Skype for Business.

Important note: This might change on short bases and here is the Microsoft official documentation on interoperability.

So assume you’re in a all SfB environment and considering using Teams. You verify you are in Coexistance mode: Islands which means users are able to use both Skype for Business and Teams simultaneously:

You decide to switch one of your users (let’s call him Ben) to TeamsOnly mode – that’s what we did and the rest of the users are still in SfB, but remember, there is nothing stopping all the other users to start using Teams, they just have to go to https://teams.microsoft.com and they can use SfB and Teams at the same time.

Internal communication within tenant

First if Ben tries to start the SfB client, he will get:

But we shouldn’t uninstall the SfB client – keep on reading…

  • If both users are in Teams (in case some other users have found out they can use Teams) you will get the full experience so I will not go into details there.
  • Ben will be able to receive and reply to messages received from Sfb users within the Teams client.
  • Screen sharing and file transfer is not supported between Teams and Skype for Business – you need to create a meeting for that.

There is one caveat here, if the other user has ever started Teams weeks/months ago, they are considered to be “activated in Teams” which means Ben no longer can initiate a new SfB conversation with that user. Ben can only initiate a new conversation with the other user in Teams and if that user is no longer using Teams (for example if they decided they didn’t like it), they will not receive it. However, if the other users initiates chat from SfB to Ben, Ben will be able to reply to SfB.

And the absolutely best feature is that you have persistent chat experience over all devices so you can initiate a chat session in a web browser on your laptop, continue in the fat client on your desktop and keep the whole thread in your mobile device.

So in short, we would recommend to keep interoperability period as short as possible because some of the confusion it creates…

External communication

So imagine all your users are in Teams. But you will see that many other organizations are still in SfB in Office 365 or even SfB on-premises which means they will “never” get Teams – how do you communicate with them?

  • Again, if both users are in Teams you will get the full experience so I will not go into details there.
  • Ben will be able to both initiate, receive and reply to SfB chat sessions.
  • Ben can’t initiate screen sharing nor file transfers to SfB users – a meeting is required for that.
  • Ben can still join SfB meetings, that’s what the SfB client is used for – or, of course, he could use the SfB Web App. So we don’t see that going away very soon.
  • If the other user (still on SfB) initiates a screen sharing or file transfer to Ben, it is not supported and the official answer is that the user should receive the following message so a meeting is required. We have found that the message is actually received in Ben’s SfB client if he has it logged in and active in the background and he will actually be able to receive the file and see the screen sharing session. YMMV.

Ben will also realize that as long as his Office 365 ProPlus is updated, the New Skype Meeting choice will be removed and New Teams Meeting will be the only choice.

This is just one part of the story, the big difference is the way that Teams can be more than what SfB was when it comes to collaboration. You need to develop a plan for how to communicate this to your users… You might also have other dependencies with SfB like conference room equipment like Skype Room Systems and integration with PBX.

Interoperability between SfB and Teams might not be the best in the world, but we also see Microsoft is pushing Teams and from Ignite sessions, we see that the user experience during interoperability will not change much – what we see is what we get and we better adapt and inform our users so this is clear.



Automating delimiter selection when working with Csv cmdlets

Recently I walked passed a collegue with an error on his Powershell console which peaked my interest. He quickly noted that he had chosen the wrong delimiter for the Csv he imported which resulted in errors in the code, I then jokingly said “Why don’t you just use the ‘Get-CsvDelimiter’ cmdlet?” and we had a quick laugh.
30 minutes later the “Get-CsvDelimiter” function was born, but first,

Let’s dive into how Import-Csv, ConvertFrom-Csv & delimiters really work

When used correctly Import-Csv & ConvertFrom-Csv creates an array object with each row as a PSCustomObject with named content based on headers.

Import-Csv has two constructors, one with Path as a required and the other with Path & Delimiter as required.
If you omit the delimiter parameter the Path constructor will be used, now this constructor has a required parameter (according to the documentation) that is auto filled. Instead of using Delimiter we can use “UseCulture” which takes the current culture delimiter as input,

“To find the list separator for a culture, use the following command: (Get-Culture).TextInfo.ListSeparator.” –docs.microsoft

If we interpret the documentation this is a required parameter, but it is not really required, as we are able to pass only the -Path parameter and delimiter will autofill

Assume we’re using the following CSV as input ($File)

the command “Import-Csv $File” will output a valid object. Now in my opinion it should fail. As my culture specifies semicolon (;) as the default listseparator, while forcing “-UseCulture” can’t produce a correct csv object. This basically means that UseCulture is not a required parameter and the default unless specified is always a comma (,)

The exact same goes for ConvertFrom-Csv.

Presenting Get-CsvDelimiter

The below function will search and find the most probable delimiter used in a Csv file.

Let’s see how it works.

$File is a csv file with the below data.

If we run Import-Csv $File we’ll get a incorrect table object, every row will have a single property containing the row data.

If we instead specify a delimiter as shown below, we’ll calculate the most probable delimiter and use that to produce a correct CSV table object without having to inspect the csv culture or assume anything.

And to prove it works, the below code outputs only the Name column in the Csv

If we have a stringobject and need to convert it that is also possible.

With this method we can use virtually any delimiter we want, assuming that the Csv is formatted correctly. Again we’re using the same csv input but we change the delimiter to a “greater than” (>) symbol and see how the function performs.

Now when we run the function standalone we’ll get a Greater than symbol as the return

And finally, when running the previous code we get the same output as when we were using a semicolon as the delimiter.

 

Get-CsvDelimiter



Mapped network printers unavailable due to SMB1 being obsolete

INTRODUCTION

As we all might be familiar with, printers are one of those little peculiar matters within IT. Implementing these in an IT-environment is self-explanatory oftentimes, but when they do not cooperate the issue itself can stem from one single obscure root cause, if not a string of these having to be checked upon.

Recently, I encountered a particular printer issue which I found interesting enough to share. The root cause here, in summary, was due to the network protocol SMB1 (Server Message Block) being obsolete in recent Windows releases.



Run Windows Defender inside a sandbox

Last week Microsoft released the news that they have added a new feature to Windows Defender Antivirus. The new feature allows Windows Defender Antivirus to run within a sandbox.

Other antivirus providers have been offering the possibility to open files in a sandbox-environment before but what Windows Defender now offers is the feature that all virus scans are done inside a virtual sandbox. The biggest benefit of running the virus scans in a virtual sandbox is when the antivirus engine is scanning a malicious file. The malicious code that usually would be executed to exploit a vulnerability will now only affect the virtual sandbox and not the actual computer resources.

This new feature proves that Microsoft are really making an effort to increase the reputation of Defender. There is a debate whether this is the best way to go but it is good sign that Microsoft is really making an effort to develop Defender Antivirus with features like this.

Microsoft describes the feature in the following way on their blog:

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsoft’s continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. It’s more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldn’t come at a better time.

It sure sounds interesting, so why don’t we try it out?

Requirements:

  • Windows 10, version 1703 and above.

How to activate the sandbox feature:

  • Open an elevated ‘Command Prompt’
  • Type: ‘setx /M MP_FORCE_USE_SANDBOX 1’ and then press enter
  • Then restart your computer and that should be it. Just make sure that you actually restart it since it won’t be activated if you just do a regular shutdown/start.

How to inactivate the sandbox feature:

  • Open the ‘Control Panel’
  • Navigate to ‘System’ and click on ‘Advanced System Settings’
  • Click on ‘Environment Variables’, navigate to ‘System Variables’ and remove ‘MP_FORCE_USE_SANDBOX 1’.
  • Restart the computer.

The feature is not enabled by default yet so it might not be a good idea to use it in a production environment, but it might be a good time to give Windows Defender a new chance? Have you had time to try it out yet? What do you think about it?



Teams in your Multi-user environment done right!

Microsoft Teams is on the rise, more and more businesses is seeing the potential of Teams and want a piece of the action.

Unfortunately Microsoft Teams is not ideally designed to work on a Multi-user environment like Citrix Xenapp or Microsoft Remote Desktop services. It is entirely installed in the users profile, and its quite big. A clean installation of teams is roughly 600 MB and will quickly grow, and you know what that means… You guessed it: Super long logon time, since logging on to the Multi-user environment often means the profile would be downloaded to Session Host before you are properly logged on, the users will not be happy! And on top of that, the latest recommendation in size per Teams installation is 3 GB…

There is however some rumors indicating there will be releasing a business version soon addressing this very issue! But if you are anything like me, and cant simply wait, there is a solution if you are willing to pay a small price, and you will at the same time have access to tons of other great stuff.

FSLogix Profile Container

FSLogix Profile Container is a great product that basically removes the profile size entirely, is an little agent you install on your Session Hosts and configure with an ADMX, you also need a file share with enough space for some big profiles. FSLogix is in the business of so called filter-drivers, what it does is simply put, lying to Windows. For example, when you install a 32-bit application to your 64-bit Windows System, Windows will use its own filter-driver to get it to work, its the same technology, its efficient and simple. In FSLogix case it is lying to the windows about the profiles, Windows thinks its a local profile, it does not know that in fact, the entire profile is contained in a vhd-file, mounted to the server. Because its a virtual disk that attaches to the server, there is only one SMB handle. It will therefor not be a huge load on the network, which you often sees when you for example roam your profiles.

Install Teams

When you have FSLogix Profile Container in place you can now install teams on your environment.  In early October Microsoft released a new version of Teams with some new features when deploying Teams to all the users in an organization, we are going to use parts of that to install Teams on to our environment!

 

  1. Download the latest version of Teams MSI-file (x64) file here!
  2. If you like to disable Auto-start of Teams use the following install string (otherwise just install without the option):

    This will put an Install file under “C:\Program Files”, and when a user logon it will automatically install Teams to this user.
  3. You do not need to update the MSI to the latest version, Teams will automatically download and install pending updates on the next logon of the user.

There you go, now your users can benefit from the full experience of Teams in your Multi-user environment, with one exception: if you are using Citrix, you have “Skype for Business Optimization Pack” to utilize local client resources for best quality of Skype meetings and calls. There is no support for Teams as of for now. It will soon be available though. With that said, I wouldn’t uninstall Skype for business just yet.

Other Great stuff

As mentioned above, there is a lot of benefits using FSLogix Profile Container. For a great period of time, Citrix User Profile Manager has been the best way to reduce the size of the profiles while still have the most important settings saved in your profile. But this is still just a trade-off, you trade off your caches and settings that impact your profile logon, but at the same time still trying to get the best experience for the user, this will sometimes collide and you have to choose between longer logon time or full functionality of a certain application.

With FSLogix Profile Container you no longer need to worry about large profiles, you don´t need to trade off! There are a lot of applications that saves a ton of settings and files in your profile that you now can install without impacting the user experience, this opens up a great deal of opportunities. You can for example install OneNote with it´s (potentially)  gigantic cache, CAD applications with thousands of files in the user profile and so much more.

 

If you find this interesting and would like a trial of FSLogix Profile Container to see if this fits your organizations needs, please contact us. It is easily installed and does not require additional servers or infrastructure!

 



Create Azure Policy’s based on Resource Graph querys

If you have used Resource graph to query resources you might realized it comes very handy when creating Azure Policy’s, for example you might check the SKU of virtual machines before you create the policy to audit specific sizes of virtual machines or even prevent creation of them. (If you haven’t yet used Azure Resource Graph you can check my previous post out – https://tech.xenit.se/azure-resource-graph/)

Let’s take it further and actually create a Policy based on our Resource Graph query.

In my example below i query all storage accounts that allows connection from all Virtual Networks and the where environment is set to Prod.

Iam running all commands in Cloud Shell and CLI, but you could just aswell use Powershell.

CLI

The query is looking for below setting, it can be found under Firewalls and virtual networks under your storage accounts.

Creating the policy

To create the Policy, I am using the tool GraphToPolicy. The tool and instructions can be found here http://aka.ms/graph2policy

Follow the instructions for the tool and when you have the tool imported to your cloud shell environment you are ready to go.

Iam using the same query as before and creates a Policy to Audit all storage accounts that allows connections from all Virtual Networks and have the environment tag set to Prod.

CLI

Output:

CLI

Same policy as above but query in variable

After creation the policy is ready for assignment. I assigned it to my test subscription and as you can see in my example it shows that one of my storage accounts are non-compliant.

Summary

Resource Graph is a handy tool and as you might have understood its very useful when looking for specific properties or anomalies in your resources. Together with the GraphToPolicy it’s easy to create Azure Policys based on your Resource Graph Querys.

Credit for the tool goes to robinchapas https://github.com/robinchapas/ConvertToPolicy

If you have any questions you can reach me at tobias.vuorenmaa@xenit.se



Monitoring vDisk Rebalance Enabled

In a recent use-case that I stumbled across, I wanted to monitor a few different things in a Citrix-environment with Provisioning Services technology.

In this specific blog-post I’ll show you how I configured monitoring for whether Rebalance Enabled is configured for active vDisk, with Provisioning Services (PVS) Powershell SnapIn.