Channel: Jörgen Nilsson, Author at CCMEXEC.COM - Enterprise Mobility

Top 5 new features in Configuration Manager 2103


With each release of a new Configuration Manager Current Branch we get new and awesome features. Amazing work by the Configuration Manager team at Microsoft to be able to switch focus to what is important like when Covid-19 hit. Delivering new features three times a year that will make all our lives a little bit easier.
For Configuration Manager 2103, here are my top 5 features! For information on all the new cool features, check out the official docs here: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/changes/whats-new-in-version-2103

Disable application deployments

“Big red button” is something that we have talked about and had on the wish list for a long while, and now it is here for applications as well, I should add. It has been possible before, in Phased deployment for example, to disable/enable the deployment.
For those of you who remember, System Management Server (SMS) was called “Slow Moving Software” many years back, because the client pulls for information and it could take time for things to happen on the client. Many improvements have since been made to make it faster with Client Notifications, but one thing is for sure: Configuration Manager is never as fast as the one time you make a mistake 😉 With this new option for Applications, we can disable the deployment of an upgrade that has gone wrong and then trigger a client notification for the collection with the affected clients to force them to download the new policy with the information that it is disabled.
Then we can hopefully at least minimize the damage done.

Disable application deployment

Improvements to BitLocker management

The move of MBAM standalone to BitLocker Management in Configuration Manager is great! It simplifies and reduces complexity by removing the need for an MBAM standalone server.
With the new features added in the 2103 release:

  • We can manage BitLocker for removable devices over CMG
  • Support of Enhanced HTTP

That makes this feature hit the top 5!

Another added feature is support for TPM Password as well, which is in the MBAM standalone product today. But TPM password hash behavior changed in Windows 10 1607, so the clients will not be able to capture it if we do not use something like this during OSD, which we call “TPM Pass the Hash”: https://ccmexec.com/2016/11/mbam-tpm-password-hash-and-windows-10-1607/

Centralized management of console extensions

Managing and updating Console Extensions is a big challenge today in an enterprise. With this release we can now manage console extensions and update them as well. A great step in the right direction! Under the Updates and Servicing node we now have the option to manage Console Extensions.

Console extension management

By default there is only one, but we can use that to test the feature out. Recast's awesome Right Click Tools are in the Community hub but are only available in Tech Preview as of now.

Recast Right click tools in the Community Hub

The options we have available are many, we can revoke approval for example for a console extension.  

Console extension options

If we combine that with the Hierarchy setting shown below, to only allow console extensions that are approved in the hierarchy, we now have control.

Only allow console extensions that are approved for the hierarchy

If you enable that setting and restart the admin console all your extensions are immediately hidden! That means that we can have total control of Console Extensions in the future!

Add a report as a favorite

One of the great things with Configuration Manager is reporting and all the information that is at our fingertips! The other problem is to find the report we want out of all the reports in there.

Favorites to the rescue, this is beautiful! We can now select a report as favorite, and it will show up here in this view.

Favorite reports

Selecting a report as a favorite can be done in the admin console or from Reporting Services as well. Note: To be able to use this feature we must be using SQL server 2017 or later.

Add to favorites

Deploy a feature update with a task sequence

Also making the top 5 is using a feature update in our In-place upgrade Task Sequence. I see it as another tool in the toolbox; we get more tools to get the work done. Generally the servicing ESD file is smaller than our in-place upgrade image. We can still use our existing logic in our Task Sequence for doing in-place upgrades.

Feature update in Task Sequence

Note that all options including Dynamic updates are disabled as soon as a Feature update is selected instead of an Upgrade Package. Some of these settings we can control with Setupconfig.ini, blogpost coming!

With all the other great improvements, both to servicing of Windows 10 going from 2004/20H2 -> 21H1 with an enablement package and the improvements in the Admin console for servicing, we have many great options in the future to come!

What features do we miss?

Remote control over CMG/IBCM which is in the Technical Preview would be nice! But it did not make it. ☹ Hopefully, next time!

The post Top 5 new features in Configuration Manager 2103 appeared first on CCMEXEC.COM - Enterprise Mobility.


Amazing gems in MEMCM 2104 Technical Preview


A highlight of every month is when a new Configuration Manager Technical Preview is out! It is always extremely fun to see and test out new features that are coming; some can come directly from UserVoice suggestions.
There are some amazing gems in MEMCM 2104 Technical Preview release! Cloud attach improvements, console improvements and last but not least CMTrace has picked up speed and is now Turbo-Charged! I have recorded some short videos of my favorite features.

What’s new in 2014

News in Tenant Attach

Tenant attach got two new great features in this Technical Preview, BitLocker recovery keys and historical inventory data in resource explorer. Both features are simply great.
Historical inventory data in resource explorer:
Historical inventory data is built on one of the core features in Configuration Manager, where we can see what has changed on a computer from date to date. Now in Tenant attach as well!

View historical information in Resource Explorer

BitLocker recovery keys:
Being able to access the BitLocker recovery keys in the Intune portal is a great addition and value add as Servicedesk staff has one less portal to go to. It will mark the key as used and the device will rotate the key on the next sync. Here is a little short video on how it looks.

BitLocker Recovery keys in Tenant attach

Software Update actions from the monitoring node

This one is easy to look past as the Tenant attach features are great, but this is one of those fairly “simple” changes that will be extremely appreciated by all admins. When looking at the deployment status of a Software Update we can now initiate an action to Evaluate Software updates deployments on the devices. A real timesaver!

Software update action from the Deployment Status node

CMTrace – Turbo charge

I did not record a video of CMTrace but the speed it has gained is great! much much faster (yes, I will grab CMTrace.exe from my TP and use it ASAP!) Again a really small but useful feature that will again save time and stress when waiting for the log file to load.

Other features:

There are more improvements that I haven’t covered, but check out the official docs for more information. You can also do as I do: install the Technical Preview, try it out and provide feedback!

– Tenant attach: Offboarding
– Support layered keyboard driver during OS deployment
– Improvements to Support Center

For more information on the other new features check out the official docs. https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2021/technical-preview-2104

Summary, I would like to see Scope tags on Tenant attached devices as they will always show up in the Intune console even if I don’t have permissions to manage them.

My favorite Technical Preview feature is still Remote Control over CMG – Remote Control over CMG MEMCM TP 2009 – First look – CCMEXEC.COM – Enterprise Mobility Let’s hope we see it in Current branch soon!

The post Amazing gems in MEMCM 2104 Technical Preview appeared first on CCMEXEC.COM - Enterprise Mobility.

Convert CMG to VM Scale Set – MEMCM TP 2106


Configuration Manager 2106 Technical preview is filled with great new features! I will write more about them but I had to start out with testing to convert CMG to Virtual Machine Scale set which is a new feature.

Before we start, I made sure that I had enabled the providers in the Subscription needed in my Azure Subscription as documented here: https://ccmexec.com/2020/09/memcm-2009-tp-cmg-virtual-machine-sets/
When migrating we cannot change all options, they are described here: Technical preview 2106 – Configuration Manager | Microsoft Docs

The CMG setup I had in my Technical Preview environment was using a self-signed cert with the following settings:
Cloud Service Name: cmgtp441.cloudapp.net
Service Name: CMGTP441.ccmexectp.com

If no DNS alias is used together with a CloudApp.net self-signed certificate, the wizard will complete but the service name will be wrong, and at least my site could not connect to it, which makes sense. That was my first attempt, before I redeployed the classic CMG to then be able to convert it.

Let's start!

Convert CMG to Vm Scale Set
Convert CMG to VM Scale set

Important to note the new Deployment name, as we need it to update DNS later to point to the new VM Scale set name.

Select VM size and note the name
Summary page

Then I updated my DNS record CMGTP441.ccmexectp.com with the new Deployment Name as the CNAME: cmgTP441.westeurope.cloudapp.azure.com

A flushDNS was needed as well on the Server hosting the Cloud Management Gateway Connection Point for it to be able to connect.

A really smooth experience, took a couple of minutes and then it was done! The complete documentation for the Technical Preview 2106 can be found here: https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2021/technical-preview-2106/?WT.mc_id=EM-MVP-4034884

The post Convert CMG to VM Scale Set – MEMCM TP 2106 appeared first on CCMEXEC.COM - Enterprise Mobility.

New version of HPIA automation in a TS – MASHPIA


New version of Mashpia 😊 (Yes the solution has a name now!)

The biggest improvement in the new version is that we are moving away from the webservice to using the built-in adminservice from ConfigMgr!

This solution is provided to the Community by Daniel Gråhns and Nicklas Eriksson, Twitter(Sigge_gooner), thank you for sharing it! Great work!

As the title says it is a solution for deploying drivers and software during a Task Sequence using HP Image Assistant. The benefit of using this is that you can automate the whole process of downloading and updating drivers and solve the additional software needed for HP devices. Including the software needed as that is not included in the driver packs.
The purpose of this solution is to:

  • Install HP drivers and related Software during OS Deployment or drivers update.
  • Automate download of drivers, bios and software
  • Create and distribute packages in Configuration Manager
  • Easily update the drivers/software to the latest version automatically

How does it work

In the folder with the scripts, we have the following files.

Sample folder structure

All configuration is done in the Config.xml file by editing the variables there: Site Code, Package path and more. It is well documented in the script.
In the Import-models.csv file we simply put the Baseboard ID, model name and OS version as shown below.

Import-models.csv Sample

Then we run the script, it will download the Softpaqs, create a Package and distribute it to the dp group we select in the config. We will cover that later in this post.
The script will automatically install HPCSML and update it if needed.

Import script running

In the task sequence we run the following commands that will use the Configmgr Webservice to populate the variables for which package should be used.
Then it is downloaded and installed by using the image assistant and the files downloaded to the local disc as source.

Task Sequence Step

If a second pass of HPIA is needed, which could be the case, simply add that model to the Conditions for the “Second HPIA Pass if needed”.

TS Step

Prereqs

The solution uses the following components:

What is the administration service – Configuration Manager | Microsoft Docs

  • Create Serviceaccount with correct permissions in ConfigMgr to be able to query adminservice for information.
  • HP Software Framework – Available on HP FTP /pub/caps-softpaq/cmit/softpaq, file “CASLSetup.exe” (use an FTP client like WinSCP, for example)
  • The files for this solution – GITHUB
  • Exported Task Sequence with the steps need – GITHUB
  • Driver Package with the latest WinPE Driver Pack – http://ftp.hp.com/pub/caps-softpaq/cmit/HP_WinPE_DriverPack.html

We will not cover how to enable the ConfigMgr adminservice, that is included in the manual provided with the download above.

HP Software Framework

We need a Package in Configuration Manager with the HP Software Framework. Here is how to download and extract the .msi file.

  • Download the file “CASLSetup.exe” from the HP FTP site
CASLSetup.exe on HP FTP
  • Run the following command:
     CASLSetup.exe /s /x /b"E:\Temp" /v" /qn"
    That will extract the .msi to E:\Temp.
HP Software Framework .msi
  • Then copy the file to your MEMCM Package source share
  • Create a Package and Program in Configuration Manager for the HP Software Framework; using “Create package from definition” with the .MSI works just fine.
  • Distribute the content to the correct DP group.

HP WinPE driver Package

As we install all drivers using HP Image Assistant we still need storage drivers and network drivers to be installed during OSD to be able to get Windows 10 up and running.

  • Download the HP WinPE package that matches the OS version you are deploying.
  • Import the drivers to a driver package we can then use in the Task Sequence as shown below.
HP WinPE step in the TS

Use the following conditions so it only installs for HP devices.

Condition for HP Devices

PowerShell script

Before we run the script for the first time, we need to configure it for our environment.

  • Download the HPIA.zip file from Github here:
  • Extract the content to a folder, in my example “E:\HP Repository”

How to run the script: .\ImportHPIA.ps1 -Config .\Config.xml

Sample config.xml

Then we are ready to run the script for the first time, there is a log file as well you can use to check for errors if the script is run as a Scheduled Task for example.
The result in my case will look like this.

Packages in CM

And the packages have gotten the information needed for the Configmgr Adminservice to pull them down.

Package Properties

Task Sequence import

The steps needed in the Task Sequence can be downloaded from Github and then imported to make it as easy as possible.

  • Download the Exported task sequence and import it in Configuration Manager
  • Select “Ignore Dependency” when importing it.
Task Sequence import warning
  • Edit the imported task sequence
  • Fix the error so the package for HP Software Management Framework is correct
  • Add serviceaccount as a variable and remember to select “Do not display this value”.
HP Software Framework step

Edit the “PowerShell script” so the input variables for -Siteserver and OS version match what you want to install.

PowerShell script

Copy the whole group included in the Task Sequence so it runs after the full OS is installed.

Putting it all together

Edit the “import-models.csv” file with your information as mentioned above.

Sample import-models.csv

Then it is time to run the script and watch it download the drivers for our models and then test out the deployment. You can schedule it off hours as well and let it update the driver packages if needed!

The post New version of HPIA automation in a TS – MASHPIA appeared first on CCMEXEC.COM - Enterprise Mobility.

Important! – MEMCM enabling BitLocker during OSD post 2103


I have always liked Microsoft BitLocker Administration and Monitoring (MBAM) as it provides us with additional functionality compared to saving the BitLocker recovery key in Active Directory. MBAM brings us for example:
– Protection against accidental deletion of AD computer object (Separate DB)
– Key rotation
– Self-Service
– Role based access to Recovery Keys
– Compliance reporting
– Escrowing TPM Password Hash
..and more.

MBAM was integrated in Configuration Manager and first released in 1910, and it has been improved in every release after that. The latest addition is support for Enhanced HTTP and CMG to escrow the recovery key, which is awesome!
To enable BitLocker during OSD when using MBAM Standalone we used the script “Invoke-MbamClientDeployment.ps1” after first installing the MBAM client during OSD. The script then escrowed the recovery key and if present the TPM Password Hash to the MBAM Webservice and all was well.

When MBAM was integrated into MEMCM many of us still used the same script / solution to enable BitLocker during OS deployment, as the WebService/DB tables used by MBAM were basically just added to Configuration Manager.

However, in MEMCM 2103 this all changed: after a support case it turned out that using the script (and I would assume GPO) creates extra policies and drastically impacts performance.
From the KB article:
“Using the Invoke-MbamClientDeployment.ps1 PowerShell script or alternative methods that utilize the MBAM Agent API to escrow recovery keys to a Management Point in Configuration Manager current branch, version 2103 generates a large amount of policy targeted to all devices which can cause policy storms. This leads to severe degradation of performance in Configuration Manager, primarily with SQL and Management Points.”

More information can be found here: https://docs.microsoft.com/en-us/mem/configmgr/hotfix/2103/10372804
If you have used the script or MBAM GPO pointing the MBAM client to MEMCM I would run the script in the KB article above to check if you are impacted, if so you need to create a support ticket to get help to fix it.
In one of my lab environments I have one entry as shown in the sample output below:

Sample output when policies are created

The CM Update KB10372804 and later versions of MEMCM contain a fix to make sure that these policies are not created. It does not clean up already existing ones, which is why a support call is needed to clean up the already created policies.

Docs now also has a clear statement that using “Invoke-MbamClientDeployment.ps1” together with MEMCM 2103 and later is not supported. Even if the issue is fixed I would not use the script anyway, as it clearly states “Not Supported”.

Supported statement

More information here: https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25

What options do we have then to enable BitLocker during OSD and save the recovery keys in MEMCM?
– Do not enable BitLocker during OSD but let the Configuration Manager client handle it after OSD (many security departments would not approve)
– Enable BitLocker and don’t save the Recovery Key during OSD and then let the MEMCM client manage it (I would not go down that road either)
– Enable BitLocker and save the recovery key in Active Directory using the built-in steps in the Task Sequence, to then later let the MEMCM client escrow it to the Configuration Manager DB.

If you want a third option, please vote for this User Voice item: Add option to the “Enable BitLocker” Task Sequence step to escrow the Recovery key directly to MEMCM DB – Welcome to Configuration Manager Feedback (uservoice.com)
It would be great to be able to enable BitLocker with a built-in step in the Task Sequence and save the key in the MEMCM DB without having to store it in AD first, for example.

Here are some sample steps, really simple in the Task Sequence. It is important to use the same Encryption Algorithm in both steps in the Task Sequence as in the BitLocker Policy in Configuration Manager.

Pre-Provision BitLocker :

Pre-Provision BitLocker

Enable BitLocker:

Enable BitLocker
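
One way to confirm the result of these two steps before the task sequence ends, as an added example that is not part of the original post: it checks that the OS volume uses the expected encryption method and already has a recovery password protector for the client to escrow later. The helper name and the `XtsAes256` default are assumptions; use the algorithm from your own BitLocker policy.

```powershell
# Added example (not from the original post): verify BitLocker state after the
# "Enable BitLocker" step. Run elevated in the full OS, not in WinPE.
# Assumption: XtsAes256 is only a placeholder for the algorithm configured in
# your ConfigMgr BitLocker policy and in both task sequence steps.
param(
    [string]$MountPoint     = $env:SystemDrive,
    [string]$ExpectedMethod = 'XtsAes256'
)

function Test-OsdBitLockerState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Volume,                  # object from Get-BitLockerVolume
        [Parameter(Mandatory)] [string]$ExpectedMethod
    )
    $problems = @()

    # A mismatch here means the task sequence steps and the policy disagree.
    if ("$($Volume.EncryptionMethod)" -ne $ExpectedMethod) {
        $problems += "Encryption method is '$($Volume.EncryptionMethod)', expected '$ExpectedMethod'."
    }

    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $problems += "Protection status is '$($Volume.ProtectionStatus)', expected 'On'."
    }

    # Without a recovery password protector there is nothing to escrow later.
    $recovery = @($Volume.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $problems += 'No RecoveryPassword key protector found on the volume.'
    }

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        Problems            = $problems
        # Only protector IDs are reported; the recovery password is never written out.
        RecoveryProtectorId = @($recovery | ForEach-Object { $_.KeyProtectorId })
    }
}

$volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$result = Test-OsdBitLockerState -Volume $volume -ExpectedMethod $ExpectedMethod

if ($result.Problems.Count -gt 0) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    exit 1   # a non-zero exit code fails the task sequence step
}

Write-Output "BitLocker OK on $($result.MountPoint); recovery protector(s): $($result.RecoveryProtectorId -join ', ')"
exit 0
```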

What about the TPM Password Hash? Well, it has been tricky to get it to escrow, as since Windows 10 1607 it is no longer available from within Windows.
We can no longer store the TPM Password hash, even if it exists in a Task Sequence variable, if TPM Ownership is taken during OSD.
More information can be found here: https://ccmexec.com/2016/11/mbam-tpm-password-hash-and-windows-10-1607/

The post Important! – MEMCM enabling BitLocker during OSD post 2103 appeared first on CCMEXEC.COM - Enterprise Mobility.

Windows 11 customizations a first look


Customization of Windows 10 is something that we have done since Windows 10 was released. The reason? To get rid of apps that are not enterprise ready and should not be on a corporate device, set default apps for our preferred applications, maybe apply company branding and more.

Windows 11 changes nothing of this, as many of the same apps are installed and there are still many scenarios where we want to modify the experience for the end user. What has changed is the Start Menu! The Start Menu is and will always be a big discussion point on how and what IT should control.
Let’s have a look at the basic customizations we normally do and how they work in Windows 11.

This is how my “Windows 11 customizations” step looks like in my Task Sequence (yes, Start menu is greyed out more on why later in the post)

Branding – Works the same as in Windows 10
Remove Builtin Apps – Works the same way as in Windows 10
Importing a Default App Association – Works the same way as in Windows 10

Start Menu – Does not work the same way! It has a new format .Json, more on that later.

Windows 11 Start Menu

The Start Menu in Windows 11 is one of the biggest news and is totally different from Windows 10.

In Windows 10 we are used to using PowerShell, Intune or Group Policy to pin apps, partially control the Start Menu and so on. We have many options that suit all the different needs out there.
In Windows 11 the Export-StartLayout command generates a .json file instead of an .xml file as it did in Windows 10.

When writing this the Import-StartLayout command cannot import the same .json file which is generated when we export it.

The documentation for OEMs how to modify the Start Menu has been published and can be found here: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/customize-the-windows-11-start-menu/
LayoutModification.xml is the file that was used in Windows 10 and in Windows 11 it has a new friend, LayoutModification.Json.
From Docs:

Let’s hope there will be a new option for the Import-startlayout in the future that can handle the import of the file as well.

Branding

Branding for me is something that IT should not decide, it is the business that should decide how/if it should be controlled.
Branding for me is changing the lock screen, replacing the default background and default user account picture for example. It works exactly the same way as it did in Windows 10.
End result could look like this:

The script can be found here: https://github.com/Ccmexec/MEMCM-OSD-Scripts

Default App association

Works in the same way it did in Windows 10. We make the changes we want to under settings, default apps export them and then import them during OSD.

  • Log on to the computer as a user that is local administrator and open Settings and then Apps
  • Under Default Apps make the changes so they are the way you want them, example could be .PDF
  • Then open a Command Prompt with Run as administrator.
  • In the command prompt type, the following command to export the file associations.
    C:\WINDOWS\system32>Dism.exe /online /Export-DefaultAppAssociations:C:\Windows\Temp\DefaultApps.xml
  • Edit the DefaultApps.xml to only include the associations you want to change.
  • Place it in the source folder together with script that can be downloaded below.
  • Add it to your Task Sequence

Sample script can be downloaded here: https://github.com/Ccmexec/MEMCM-OSD-Scripts

Remove builtin apps and capabilities

Works the same way as in Windows 10 more information can be found here:
https://ccmexec.com/2018/04/windows-10-remove-builtin-apps-script-with-multiple-version-support/

Worth noticing is that if you do it the other way around and list what you want to keep instead of what to remove, be sure to update it. There are some new interesting app names in Windows 11 that we most likely should not uninstall.

A version with the script and application list for Windows 11 can be found here: https://github.com/Ccmexec/MEMCM-OSD-Scripts

Summary

To sum it up, not much has changed except for the Start Menu, which is obvious as it is totally remade.
Looking forward with great interest to how IT Pros can manage the Start Menu experience for our end users.

The post Windows 11 customizations a first look appeared first on CCMEXEC.COM - Enterprise Mobility.

Upgrade from Windows 10 to Windows 11 with Setupconfig.ini and Intune


Me and Fellow MVP Ronni Pedersen have been presenting on Windows Servicing on a number of events the last couple of months! One of the things we cover is how to use Setupconfig.ini together with Intune when doing Windows Servicing.
After testing it out when doing an upgrade from Windows 10 to Windows 11 using Feature update in Intune, I finally put together a blog post on how to use SetupConfig.ini when doing Windows Servicing with Intune.
SetupConfig.ini is your new best friend to quote our session on Windows Servicing.

The post on the topic can be found over at 4Sysops.com

https://4sysops.com/archives/upgrade-from-windows-10-to-windows-11-with-setupconfigini-and-intune/

Be sure to check it out!

Happy servicing!

The post Upgrade from Windows 10 to Windows 11 with Setupconfig.ini and Intune appeared first on CCMEXEC.COM - Enterprise Mobility.

Remove the chat icon in Windows 11 Start menu using GPO/Intune


When Windows 10 was released I and many others did a lot of customizing of Start Menu, Taskbar branding and so on. Windows 11 changes that as we can no longer change or modify the Start Menu, or well we control the default Pinned apps using Intune/MDM but it is simply not worth it. I assume that the lack of customization and control of the Start menu is the reason why Windows 11 is shipping without Multi-App Kiosk support as well. https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps

On the TaskBar in Windows 11 we have a new “Chat” icon which I still see a need of removing as it launches the new Teams which can only be used with Microsoft Accounts.

When we launch it we get this getting started wizard.

The new Teams client also needs to be removed at least in some scenarios otherwise I am afraid that it will cause confusion for our end users as it is really hard to see the difference of which Teams is which.

I have simply uninstalled the new Teams using the same script I use for the rest of the builtin apps – https://ccmexec.com/2018/04/windows-10-remove-builtin-apps-script-with-multiple-version-support/ Simply updated it for Windows 11 to include “MicrosoftTeams” as that is the app name.
Well back to removing the Chat icon.

Removing the Chat Icon using Intune

There is a new CSP setting we can use, “Experience/ConfigureChatIcon” which does exactly what we want.
Policy CSP – Experience – Windows Client Management | Microsoft Docs

We create a new Configuration Profile for Windows 10 and later, type Custom and use the settings below.

OMA-URI = "./Device/Vendor/MSFT/Policy/Config/Experience/ConfigureChatIcon"

Removing the Chat Icon using Group Policy

There is a new Group Policy setting to disable the Chat Icon as well. Either download the released .ADMX here: Download ADMX Templates for Windows 11 October 2021 Update [21H2] from Official Microsoft Download Center or copy the files from C:\Windows\Policydefinitions on a Windows 11 computer to your Central policy store. The chat icon setting is part of TaskBar.ADMX and .ADML, so you can update only those if you like.

The GPO settings can be found under Computer Configuration\Administrative Templates\Windows Components\Chat

I personally wish that the icons on the bottom of the Start Menu was enabled by default as they make much sense.

I may spend some time on enabling it, we will see, so much more Windows 11 to test out.

The post Remove the chat icon in Windows 11 Start menu using GPO/Intune appeared first on CCMEXEC.COM - Enterprise Mobility.


Modifying Windows 11 Start button location and Taskbar icons during OSD/AutoPilot


I was determined not to do any customization of the Start button location, but I couldn’t keep my hands off. There are some useful registry keys that we can use to set the default location of the Start Button and hide Task View, Chat icon for example during OSD or AutoPilot for that matter using a PowerShell script.

The really cool part is that the Start menu moves as soon as you set the registry value as shown below.

We could make it look like below example, not saying that you should that is up to you.

The following settings can be changed using the registry.

Start button alignment – 0 = Left
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarAl"=dword:00000000

Remove Task View from the Taskbar
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowTaskViewButton"=dword:00000000

Remove Chat from the Taskbar
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarMn"=dword:00000000

Remove Widgets from the Taskbar
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"TaskbarDa"=dword:00000000

Remove Search from the Taskbar
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search]
"SearchboxTaskbarMode"=dword:00000000


Here is a sample script that can be used during OS Deployment, or Intune for that matter, to set the default behaviour in the Default user registry hive. I used reg.exe to set the Search settings, otherwise the registry hive fails to unload.

# Load the Default user hive so the values below become defaults for new user profiles
REG LOAD HKLM\Default C:\Users\Default\NTUSER.DAT

# Removes Task View from the Taskbar (-Force overwrites the value if it already exists)
New-ItemProperty -Path "HKLM:\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowTaskViewButton" -Value 0 -PropertyType DWord -Force

# Removes Widgets from the Taskbar
New-ItemProperty -Path "HKLM:\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarDa" -Value 0 -PropertyType DWord -Force

# Removes Chat from the Taskbar
New-ItemProperty -Path "HKLM:\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarMn" -Value 0 -PropertyType DWord -Force

# Default StartMenu alignment 0=Left
New-ItemProperty -Path "HKLM:\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "TaskbarAl" -Value 0 -PropertyType DWord -Force

# Removes search from the Taskbar (set with reg.exe, otherwise the hive fails to unload)
reg.exe add "HKLM\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v SearchboxTaskbarMode /t REG_DWORD /d 0 /f

# Unload the Default user hive again
REG UNLOAD HKLM\Default

I run it in my task sequence as an inline PowerShell script as shown below.

I hope this can be useful! Now time for more playing around with Windows 11
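
A variant of the default-hive approach above that handles the unload failure mode, as an added example that is not the author's script: every value is written with reg.exe, each write is read back, and the hive is unloaded in a `finally` block even when a write fails. The mount name `HKLM\DefaultUserTmp` and the helper `Invoke-Reg` are assumptions; the value names and data are the ones listed in the post.

```powershell
# Added example (not the author's script). Run elevated, e.g. as SYSTEM in a task sequence.
# Assumption: 'HKLM\DefaultUserTmp' is an arbitrary temporary mount name.
$HiveFile  = "$env:SystemDrive\Users\Default\NTUSER.DAT"
$MountName = 'HKLM\DefaultUserTmp'
$Advanced  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value names and data from the list in the post (0 = hidden / left aligned).
$settings = @(
    @{ Key = $Advanced; Name = 'ShowTaskViewButton'; Data = 0 }
    @{ Key = $Advanced; Name = 'TaskbarDa';          Data = 0 }
    @{ Key = $Advanced; Name = 'TaskbarMn';          Data = 0 }
    @{ Key = $Advanced; Name = 'TaskbarAl';          Data = 0 }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Search'; Name = 'SearchboxTaskbarMode'; Data = 0 }
)

function Invoke-Reg {   # hypothetical helper name
    # Runs reg.exe and turns a non-zero exit code into a terminating error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & reg.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE."
    }
    $output
}

Invoke-Reg -Arguments @('load', $MountName, $HiveFile) | Out-Null
try {
    foreach ($s in $settings) {
        $key = "$MountName\$($s.Key)"
        Invoke-Reg -Arguments @('add', $key, '/v', $s.Name, '/t', 'REG_DWORD', '/d', "$($s.Data)", '/f') | Out-Null

        # Read the value back so a silent failure cannot go unnoticed.
        $expected = 'REG_DWORD\s+0x{0:x}\s*$' -f [int]$s.Data
        $readBack = Invoke-Reg -Arguments @('query', $key, '/v', $s.Name)
        if (-not ($readBack -match $expected)) {
            throw "Read-back of $($s.Name) under $key did not return the expected data."
        }
    }
}
finally {
    # Always unload, even after an error, so NTUSER.DAT is not left mounted and locked.
    & reg.exe unload $MountName | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not unload $MountName; a process still holds a handle to the hive."
    }
}
```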

The post Modifying Windows 11 Start button location and Taskbar icons during OSD/AutoPilot appeared first on CCMEXEC.COM - Enterprise Mobility.

Modify Windows 11 Taskbar during OSD, Intune and GPO


When it comes to modifying the TaskBar in Windows 11 nothing has changed since Windows 10. The only change is that the Start Menu part of the XML file is no longer used, it has been replaced by a .json file. More on that in the next post. More information can be found here on Microsoft Docs: Configure and customize Windows 11 taskbar – Configure Windows | Microsoft Docs
What do we need to modify the TaskBar then? We need an .XML file like the sample shown below. It will remove everything and replace it with Edge and File Explorer.

Sample .XML file

<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection PinListPlacement="Replace">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
        <taskbar:DesktopApp DesktopApplicationID="MSEdge"/>
        <taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer"/>
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>

If we want to keep the default and only add pinned apps to the TaskBar, we remove the PinListPlacement="Replace" attribute from the XML file.

Modify Windows 11 Taskbar during OSD

We can use the same script as we did in Windows 10 to import a default start menu layout during OSD. I have mine in a folder called Windows 11 Taskbar which contains my Taskbar.xml file and a PowerShell script to import it. This script will import it during OSD as a default Taskbar that the end user can change as they want.

The PowerShell script consists of one line, which will import the Taskbar.xml file during OS deployment.

Import-StartLayout -LayoutPath $PSScriptRoot\Taskbar.xml -MountPath $env:SystemDrive\

My Task Sequence contains the following step which I have added to my “Windows 11 Customization” group with a condition to only apply on “Windows 11 64-bit”

Modify Windows 11 Taskbar using Intune

In Intune we can deploy a Custom Taskbar layout using the same Configuration Profile we did for the Start Menu layout in Windows 10. The policy must be applied before the end-user logs on for the first time.

  • Create a new Configuration Policy.
  • Under the Start section, import the .xml file you want to use.

Modify Windows 11 Taskbar using Group Policy

Deploying a custom Taskbar using Group Policy can be done using the “Start Layout” policy we used for Windows 10 to import Taskbar and Start Menu layout. It still works for the Taskbar part. Place the .xml file on a share so it is reachable for the client.

In the Group Policy we point to our “taskbar.xml” file we want the computer to use.

If the Group Policy is applied to a computer that is already deployed, it will overwrite the changes the end user has made to the Taskbar on the next logon.

Customize default Windows 11 Start Menu using Intune

Now the time has come to look at customizing the default Windows 11 Start Menu. Customizing the Start Menu using Intune is simple and works great by using the new CSP “ConfigureStartPins”. More information can be found here: https://docs.microsoft.com/en-us/windows/configuration/customize-start-menu-layout-windows-11
For on-premises there is no support for using the same feature with either PowerShell or Group Policy; however, there is a way for OEMs to pin items to the Start Menu. It doesn’t work the same way and the end result is not nearly as beautiful, but more on that in the next blog post.

Modifying the default Start Menu using Intune

Before we start, note that Office 365 Apps will always be added as pinned by default. If that is your reason to deploy a default Start Menu layout, you don’t have to.

We start by arranging the Start Menu on a Windows 11 computer to make it look like we want. You can also create your .JSON file manually if you like. We use the same PowerShell command we did in Windows 10 to export the Start Menu layout, “Export-StartLayout”; in Windows 11 it will produce a .JSON file instead of an .XML file. In my case the sample .JSON file looks as shown below.

Sample .JSON file:

{"pinnedList":[{"desktopAppId":"MSEdge"},{"desktopAppId":"Microsoft.Office.WINWORD.EXE.15"},{"desktopAppId":"Microsoft.Office.EXCEL.EXE.15"},{"desktopAppId":"Microsoft.Office.POWERPNT.EXE.15"},{"packagedAppId":"windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel"},{"desktopAppId":"Microsoft.Windows.Explorer"},{"desktopAppId":"com.squirrel.Teams.Teams"},{"desktopAppId":"Microsoft.Office.OUTLOOK.EXE.15"}]}

To deploy the Custom Start Menu we use a Custom Configuration Profile in Intune.
OMA-URI: ./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins
Data type: String

The end result is great: it overwrites the entire Start Menu layout. Note that if you deploy it after the end user has logged on for the first time, it will still apply and overwrite the currently pinned apps.

There are more settings we can configure using the new CSPs for Windows 11, but more on that in later posts.

Customizing Windows 11 default Start Menu during OSD using LayoutModification.json

In Windows 11 we can no longer deploy a custom Start Menu layout as we could in Windows 10. We don’t have any “Partial” managed option either as we had in Windows 10. The Group Policy “Start Layout” can still be used to deploy a custom Taskbar layout, HOWEVER the end user can no longer pin apps to the Start Menu if it’s deployed to the client, more on that topic here: Modify Windows 11 Taskbar during OSD, Intune and GPO – CCMEXEC.COM – Enterprise Mobility

What can we do if we are not using Intune then? There is an option for OEMs to pin applications to the Start Menu by using a “LayoutModification.json” file. The functionality is a bit limited, but we can use it to pin apps per default during OSD. More information can be found here: Customize the Windows 11 Start menu | Microsoft Docs

What can we do then? These are the rules of the LayoutModification.json.

If we look at the Start Menu, this is where the apps we place in the different sections end up. In our testing, this is what we have observed so far:

  • Edge is always pinned first
  • Word, Excel, PowerPoint are automatically pinned if installed
  • Outlook is NOT pinned per default
  • If we add one of these apps in our Layoutmodification.json they will not move but they will take up one of the items that we can pin in the file.
  • Teams cannot be pinned as it isn’t installed for all users and not installed when the user logs on.

Here is my sample LayoutModification.json that can be used for testing.

{
    "primaryOEMPins": [
        {
            "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\7-Zip\\7-Zip File Manager.lnk"
        },
        {
            "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Endpoint Manager\\Configuration Manager\\Software Center.lnk"
        },
        {
            "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook.lnk"
        },
        {
            "packagedAppId": "Microsoft.WindowsTerminal_8wekyb3d8bbwe!App"
        }
    ],
    "secondaryOEMPins": [
        {
            "packagedAppId": "Microsoft.WindowsCamera_8wekyb3d8bbwe!App"
        },
        {
            "packagedAppId": "Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App"
        },
        {
            "packagedAppId": "Microsoft.SecHealthUI_8wekyb3d8bbwe!SecHealthUI"
        }
    ],
    "firstRunOEMPins": [
        {
            "packagedAppId": "Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe!App"
        }
    ]
}

The result will look like this, Start will be divided in two:

During OSD I run a PowerShell script that copies the LayoutModification.json to the correct location.

My source files:

The PowerShell script:

Copy-Item -Path "$PSScriptRoot\LayoutModification.json" -Destination "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\Shell"
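A pre-flight check that can run before the copy, as an added example that is not part of the original post. It parses the file, flags section names other than the three used in the sample above, entries that do not carry exactly one pin key, malformed packaged app IDs, duplicates, and shortcuts that do not exist on the machine. The function name Test-OemPinLayout and the sample input are constructed for illustration.

```powershell
# Added example, not from the original post: pre-flight check for LayoutModification.json.
function Test-OemPinLayout {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Json   # raw file content, e.g. from Get-Content -Raw
    )

    # Section and key names as they appear in the post's sample files.
    $sections = 'primaryOEMPins', 'secondaryOEMPins', 'firstRunOEMPins'
    $pinKeys  = 'desktopAppLink', 'packagedAppId', 'desktopAppId'

    function New-Finding ($Section, $Index, $Pin, $Problem) {
        [pscustomobject]@{ Section = $Section; Index = $Index; Pin = $Pin; Problem = $Problem }
    }

    try   { $layout = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return (New-Finding '(file)' $null $null "Invalid JSON: $($_.Exception.Message)") }

    if ($layout -isnot [System.Management.Automation.PSCustomObject]) {
        return (New-Finding '(file)' $null $null 'Top level must be a JSON object')
    }

    # A misspelled section name would otherwise go unnoticed.
    foreach ($name in $layout.PSObject.Properties.Name) {
        if ($sections -notcontains $name) {
            New-Finding $name $null $null 'Section name differs from the three used in the post'
        }
    }

    $seen = @{}
    foreach ($section in $sections) {
        if (-not $layout.PSObject.Properties[$section]) { continue }
        $pins = @($layout.$section)
        for ($i = 0; $i -lt $pins.Count; $i++) {
            $keys = @($pins[$i].PSObject.Properties.Name)
            if ($keys.Count -ne 1 -or $pinKeys -notcontains $keys[0]) {
                New-Finding $section $i ($keys -join ', ') "Expected exactly one of: $($pinKeys -join ', ')"
                continue
            }
            $key   = $keys[0]
            $value = [string]$pins[$i].$key

            if ([string]::IsNullOrWhiteSpace($value)) {
                New-Finding $section $i $key 'Empty value'
                continue
            }
            if ($seen.ContainsKey($value)) {
                New-Finding $section $i $value "Already pinned in $($seen[$value])"
            }
            else {
                $seen[$value] = '{0}[{1}]' -f $section, $i
            }

            switch ($key) {
                'desktopAppLink' {
                    $path = [Environment]::ExpandEnvironmentVariables($value)
                    if ($path -match '%[^%\\]+%') {
                        New-Finding $section $i $value 'Environment variable did not resolve'
                    }
                    elseif (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                        New-Finding $section $i $value "Shortcut not found: $path"
                    }
                }
                'packagedAppId' {
                    # PackageFamilyName (name + 13-character publisher ID) followed by !AppId
                    if ($value -notmatch '^[\w.\-]+_[a-z0-9]{13}![\w.\-]+$') {
                        New-Finding $section $i $value 'Expected <PackageFamilyName>!<AppId>'
                    }
                }
            }
        }
    }
}

# Constructed sample: entry 1 lacks the !AppId part, entry 2 mixes two keys,
# entry 3 points to a shortcut that does not exist, and one section name is misspelled.
$sample = @'
{
  "primaryOEMPins": [
    { "packagedAppId": "Microsoft.WindowsTerminal_8wekyb3d8bbwe!App" },
    { "packagedAppId": "Microsoft.WindowsTerminal_8wekyb3d8bbwe" },
    { "packagedAppId": "Microsoft.WindowsCamera_8wekyb3d8bbwe!App", "desktopAppLink": "x.lnk" },
    { "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Constructed\\Missing App.lnk" }
  ],
  "secondryOEMPins": []
}
'@

Test-OemPinLayout -Json $sample | Format-Table -AutoSize -Wrap
```

Run it in the task sequence after the application install steps, so the shortcuts it looks for already exist.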

It is not perfect, but we can at least pin some default apps. Whether we should do that is up to you!
Thanks to my amazing colleague Sassan Fanai who helped a lot with testing all this out.
I hope you find it useful!

Configure Windows 11 Start Menu folders using PowerShell

One of my favorite features in Windows 11 is the folders we can enable on the Start Menu. They are discreet and easy to access. Unfortunately, the Start Menu folders are not enabled by default, which I would very much approve of if they were! These are the folders we are talking about.

They can manually be turned on in Settings > Personalization > Start > Folders as shown below.

We can however enable them using CSP in Windows 11 but there is no way of doing it using Group Policy or registry settings. More information on the CSP can be found here: Policy CSP – Start – Windows Client Management | Microsoft Docs
What we can do is use the MDM WMI Bridge provider to set these settings using PowerShell.
MVP Peter van der Woude has created a great PowerShell script template which can be found here:
Windows 10 MDM Bridge WMI Provider: Settings template – All about Microsoft Endpoint Manager (petervanderwoude.nl) Great work and a real timesaver.

I use the script during OSD to enable the Start Menu folders. They are turned on by the script, but the end user cannot turn them off if they like; that is the downside. However, they do not take up any real estate that could be used for anything else, so I think it is fine. If the end user tries to change the values, they are greyed out as shown below.


Task Sequence step

I run the script during OSD in my Windows 11 branding group as shown below. The script accepts a switch parameter for each setting that should be enabled.
The following parameters can be used:
-Documents
-Downloads
-FileExplorer
-HomeGroup
-Music
-Network
-PersonalFolder
-Pictures
-Settings
-Videos
Here is a sample screenshot of the step I use in my Task Sequence:

The script is written by my great co-worker Sassan Fanai!
It can also be downloaded from GitHub: MEMCM-OSD-Scripts/Windows11 at master · Ccmexec/MEMCM-OSD-Scripts · GitHub
It can also be used to set the values to Disabled and Not configured.

<#
.SYNOPSIS
    Uses MDM Bridge Provider to configure pinned folders next to the Power button in Windows 11 start menu.
.DESCRIPTION
    Configures the pinned folder next to the Power button in Windows 11 using the MDM Bridge Provider.
    The configured pinned folders will be enforced and can not be disabled by the user (grayed out).
    Credit to Peter van der Woude for his great template for updating MDM policy settings:
    https://www.petervanderwoude.nl/post/windows-10-mdm-bridge-wmi-provider-settings-template/
.PARAMETER AllowPinnedFolder*
    Switch parameters that specify which folders should be pinned/unpinned.
    All parameters use default CSP policy name but aliases can be used to shorten their names.
    For example using -AllowPinnedFolderDocuments, -PinDocuments or -Documents will achieve the same results.
.PARAMETER Configure
    Specifies how the folders should be configured: Enabled (default), Disabled or NotConfigured.
.EXAMPLE
    PinStartFolders.ps1 -AllowPinnedFolderDownloads -PinFileExplorer -Settings
.EXAMPLE
    PinStartFolders.ps1 -AllowPinnedFolderDownloads -PinFileExplorer -Settings -Configure NotConfigured
.NOTES
    Version 1.0 (2021-10-11) - Sassan Fanai
    Version 1.1 (2021-10-17) - Sassan Fanai
        Added $Configure parameter

#>
[CmdletBinding()]
param (
    [Alias("PinDocuments","Documents")]
    [switch]$AllowPinnedFolderDocuments,
    [Alias("PinDownloads","Downloads")]
    [switch]$AllowPinnedFolderDownloads,
    [Alias("PinFileExplorer","FileExplorer")]
    [switch]$AllowPinnedFolderFileExplorer,
    [Alias("PinHomeGroup","HomeGroup")]
    [switch]$AllowPinnedFolderHomeGroup,
    [Alias("PinMusic","Music")]
    [switch]$AllowPinnedFolderMusic,
    [Alias("PinNetwork","Network")]
    [switch]$AllowPinnedFolderNetwork,
    [Alias("PinPersonalFolder","PersonalFolder")]
    [switch]$AllowPinnedFolderPersonalFolder,
    [Alias("PinPictures","Pictures")]
    [switch]$AllowPinnedFolderPictures,
    [Alias("PinSettings","Settings")]
    [switch]$AllowPinnedFolderSettings,
    [Alias("PinVideos","Videos")]
    [switch]$AllowPinnedFolderVideos,
    [ValidateSet("Enabled","Disabled","NotConfigured")]
    [string]$Configure = "Enabled"
)

function Update-PolicySetting {
    <#
    .SYNOPSIS
        A simple function to update policy settings by using MDM WMI Bridge
    .DESCRIPTION
        This function provides the capability to adjust policy settings by using the MDM WMI Bridge.
        It supports the capabilities to create, update and remove an instance
    .PARAMETER className
        This parameter is required for the name of the WMI class
    .PARAMETER parentID
        This parameter is required for the name of the parent node of the OMA-URI
    .PARAMETER instanceID
        This parameter is required for the name of the WMI instance, which is the node of the OMA-URI
    .PARAMETER configureProperty
        This parameter is required when configuring a setting and is the name of the property
    .PARAMETER valueProperty
        This parameter is required when configuring a setting and is the value of the property
    .PARAMETER removeInstance
        This switch is used to indicate that the specified variables are used for deleting the WMI instance
    .EXAMPLE
        Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty 'HideAppList' -valueProperty 1
        This example will run the function and configure the property to hide the app list in Start
    .EXAMPLE
        Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -removeInstance
        This example will run the function and remove the instance of Start
    .NOTES
        Author: Peter van der Woude
        Contact: pvanderwoude@hotmail.com
    #>
        param (
            [Parameter(Mandatory=$true)]$className,
            [Parameter(Mandatory=$true)]$parentID,
            [Parameter(Mandatory=$true)]$instanceID,
            [Parameter(Mandatory=$false)]$configureProperty,
            [Parameter(Mandatory=$false)]$valueProperty,
            [Parameter(Mandatory=$false)][Switch]$removeInstance
        )
        try {
            #Get a specific instance
            $instanceObject = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName $className -Filter "ParentID='$parentID' and InstanceID='$instanceID'" -ErrorAction Stop
        }
        catch {
            Write-Host $_ | Out-String
        }

        #Verify the action
        if ($removeInstance -eq $false) {
            #Verify if the additional required parameters are provided
            if ($PSBoundParameters.ContainsKey('configureProperty') -and ($PSBoundParameters.ContainsKey('valueProperty'))) {
                #Verify if the instance already exists
                if ($null -eq $instanceObject) {
                    try {
                        #Create a new instance
                        New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName $className -Property @{ InstanceID=$instanceID; ParentID=$parentID; $configureProperty=$valueProperty } -ErrorAction Stop
                        Write-Output "Successfully created the instance of '$instanceID'"
                    }
                    catch {
                        Write-Host $_ | Out-String
                    }
                }
                else {
                    try {
                        #Adjust a specific property
                        $instanceObject.$configureProperty = $valueProperty

                        #Modify an existing instance
                        Set-CimInstance -CimInstance $instanceObject -ErrorAction Stop
                        Write-Output "Successfully adjusted the instance of '$instanceID'"
                    }
                    catch {
                        Write-Host $_ | Out-String
                    }
                }
            }
            else {
                Write-Output ">> Make sure to provide a value for configureProperty and valueProperty when creating or adjusting an instance <<"
            }
        }
        elseif ($removeInstance -eq $true) {
            #Verify if the instance already exists
            if ($null -ne $instanceObject) {
                try {
                    #Remove a specific instance
                    Remove-CimInstance -InputObject $instanceObject -ErrorAction Stop
                    Write-Output "Successfully removed the instance of '$instanceID'"
                }
                catch {
                    Write-Host $_ | Out-String
                }
            }
            else {
                Write-Output "No instance available of '$instanceID'"
            }
        }
    }

switch ($Configure) {
    'Enabled' {
        [int]$Value = 1
    }
    'Disabled' {
        [int]$Value = 0
    }
    'NotConfigured' {
        [int]$Value = 65535
    }
}

$PSBoundParameters.Remove('Configure') | Out-Null

if ($PSBoundParameters.Keys.Count -ge 1) {
    $PSBoundParameters.Keys | ForEach-Object {
        Update-PolicySetting -className 'MDM_Policy_Config01_Start02' -parentID './Vendor/MSFT/Policy/Config' -instanceID 'Start' -configureProperty $PSitem -valueProperty $Value
    }
}
else {
    "No folders will be pinned/unpinned. No parameters were specified."
}

Troubleshooting Windows 10/11 Enterprise subscription is not valid

I wrote a blog post on how to troubleshoot Windows 10/11 subscription-based activation over at 4Sysops. The issue we saw shows up as “Windows 10 Enterprise subscription is not valid”, as shown below.

It turns out that if there is more than one Azure AD account added under “Access work or school”, activation will fail with the error “0x87E10BF2” in the Store event log. Again, it is the evil “Stay signed in to all your apps” dialog, which Microsoft apps like Remote Desktop, Microsoft 365 apps and more prompt the user with, that causes it.

I have also written about how the same issue breaks the Intune sync altogether on personally enrolled devices.
https://ccmexec.com/2021/01/mem-windows-10-personal-device-and-sync-issues/

To read more check out the post on 4SysOps.com on how to troubleshoot and fix the issue.

https://4sysops.com/archives/windows-1011-azure-adintune-enterprise-subscription-is-not-valid/

IPUInstaller update with Windows 11 and MUI Support

IPUInstaller is a community tool from my co-worker Johan Schrewelius that gives us another option for doing Windows upgrades with control and less user downtime. A new version has been released that includes Windows 11 support, which is great!
I have blogged about IPUInstaller before, https://ccmexec.com/2021/02/windows-servicing-in-the-work-from-anywhere-era-using-ipuinstaller/, and here is a short video of what it can look like when used together with another community tool, Deployment Scheduler.

Example upgrade dialog

Why use IPUInstaller then? Because it is faster and still makes it possible to upgrade drivers and run pre and post commands. DeploymentScheduler adds the option to present a nice UI for the end users to schedule and postpone the upgrade. However, with Windows 11, where even more optimizations have been done by Microsoft, my question would be why?
I have made some tests on a Fujitsu Lifebook with 8GB RAM and a Core i5, upgrading from Windows 10 20H2 to Windows 11 21H2. The tests started from a clean Windows 10, so additional time will be added in real life. I used the built-in Task Sequence template to upgrade and Windows Servicing in Configuration Manager.
The results from the tests are in and shown below!

Upgrade table

With a 3-minute downtime for the restart we could just push the upgrade and prompt the end user to restart. 3 minutes is basically what each Cumulative update takes each month.

Windows 1x MUI Support
A special feature (previously hidden and slightly less versatile) for those of you who have to support multiple languages is the possibility to use one (1) MUI media for all of them (use your favorite tool, like Wim Witch or OSD Builder, to build the media, iso).

Multi Language OS Image

Add an xml file to the application folder and map the various editions supported to their respective index as such:

Sample .xml file

IPUInstaller.exe will automatically pick and apply the correct edition.

Windows 11 Support

Support for Windows 11 is controlled by a command line switch.

Windows 11 support

IPUinstaller and DeploymentScheduler can be downloaded here: https://onevinn.schrewelius.it/index.html

I hope this enables more people to use something other than Task Sequences to upgrade Windows, to improve the end user experience out there.

Remote help for Intune/MEM

I wrote a post on 4Sysops.com on the new Remote Help feature in Intune/MEM. A great and long awaited feature as we today need to buy a separate product or use Quick Assist which is built in and free but has many limitations (and should be removed from all corporate managed devices).
In Configuration Manager Technical Preview 2112, we also learned that the feature in MEMCM to remotely control computers through the Cloud Management Gateway, which has been in Technical Preview for a couple of years, will never be released and will be removed from Technical Preview, which is sad.

But when you think about it, it makes sense: otherwise there would be two products to support and maintain that solve the same thing.
Remote help is in preview. We know there will be an additional cost for it, but we don’t know yet whether it will be an add-on license or how it will be licensed. However, there will be a cost for it when it becomes generally available. Compared to Quick Assist, remote help requires you to use an organizational account, which is extremely important!

Be sure to check out the full post over at 4Sysops.com on how Remote Help in MEM can be used to support your end users!

https://4sysops.com/archives/remote-help-for-intune-and-microsoft-endpoint-manager/

Great stuff in MEMCM Tech Preview 2201

It was a while ago since I wrote a post on what’s new in MEMCM Tech Previews, but I could not help myself this time, some great stuff in this one! It is amazing that the Product Group ships at least 12 Technical Previews each year with new features both small and large. In this release we have custom icons for Task Sequences and Package/programs, amazing!

The small ones are often my favorites as they can make every admin’s life easier. A great example is the ability to use Run Script and Client Notification from the deployment status view of an application, for example:

Using this we can easily run an “Evaluate Application Deployments” task on all failed clients, for example, wake up computers and so on.
I assume it isn’t as small a change as it looks, so maybe it is wrong to say it is small, but it will be very useful!

Custom icon for Task Sequence/package

All I can say is Yes, yes, yes!!! The current Top 1(open) request on the Configuration Manager feedback portal – Microsoft Endpoint Configuration Manager · Community – Custom icon for Task Sequence / Package

Yes, we can now add icons for Task Sequence / packages, a great feature loooooong awaited and asked for. I for one had stopped hoping for it to be added to the product but here we are!

And it looks beautiful in Software Center!

And as I wrote above we can now add an icon to a package as well.

LedBat for Software Update Points

We have had LedBat support for Distribution Points for a while now, and in MEMCM TP 2201 we have the setting available for Software Update Points as well, as a new option under properties.

Distribution status visualization

We now have the option to visualize the content distribution status of an application, for example. There is not that much to look at in my small TP environment, but it will be useful. I wonder what it would look like in a large environment.

Sort by icon in the console

Another one of the “small” ones which are really useful. I think I have tried to sort on the icon many times just to realize that it doesn’t sort on the icon, but now it does. Simple, easy and useful!

To summarize, some really great features in there this time around! As always it was fun playing around with the TP release. For a complete list of new features in this release, check out the docs page: https://docs.microsoft.com/en-us/mem/configmgr/core/get-started/2022/technical-preview-2201

MEMCM Cloud Management Gateway migration options

Now that Cloud Management Gateway as a cloud service (classic) is deprecated and will be removed in future releases of Configuration Manager after 1 March 2022, we can no longer deploy a CMG using the cloud service (classic).

This is most likely due to the fact that Classic VMs are being removed in Azure, as the link below shows.
https://docs.microsoft.com/en-us/azure/virtual-machines/classic-vm-deprecation.
Which options do we have to migrate then?
It depends on how the Cloud Management Gateway is configured today: whether it uses a custom DNS domain name or a *.cloudapp.net name. If a custom DNS name is being used, the built-in wizard can be used to convert the Cloud Management Gateway to a Virtual Machine Scale Set, which I wrote a post on when it was in Technical Preview: https://ccmexec.com/2021/06/convert-cmg-to-vm-scale-set-memc-tp-2106/.

When migrating to a CMG on a Virtual Machine Scale Set, it is important that we configure the prerequisites, which differ between classic and Virtual Machine Scale Set.
In the Azure subscription used, we need to add the following Resource Providers, which are required when using Virtual Machine Scale Sets.

Azure Resource Groups

What if we used a *.cloudapp.net DNS name then? The challenge is that the DNS name has changed for Virtual Machine Scale Sets to *.<Region>.cloudapp.azure.com; in my example that would be *.northeurope.cloudapp.azure.com.

Virtual Machine Scale Set DNS Name


When we run the migration wizard we cannot change the certificate used for the service which means that we cannot change the name, which makes perfect sense because all clients that are connected to the CMG will have no chance to get the new name of the service.

With the release of Configuration Manager 2107 we got a new option, we can now deploy a CMG cloud service (Classic) and a CMG that uses Virtual Machine Scale Set at the same time.
This was not possible before and this gives us a great migration option, simply deploy a new cloud management gateway using Virtual Machine Scale set in parallel with our classic one.

Two CMG

Remember that you need to have a second site system on which we can install the additional Cloud Management Gateway connection point that is needed.

Cloud management gateway connection point

If we look at a client which is on the internet, it picks up the new CMG as a DP really fast, and after a while the new CMG as an MP as well.
Before the new CMG was installed:

Old CMG
Old CMG


The client rotates the Internet-based management point after a while or when we remove the old CMG.

New CMG
New CMG

Important: If co-management is used and we deploy the Configuration Manager client to Intune managed devices, the installation string needs to be updated with the correct one. The installation string sample under Cloud Attach updated itself with the new one as soon as I deployed the new CMG.

Co-management settings

My sample CM Client Bootstrap LoB app in Intune, which needs to be updated manually to reflect the new CMG.

Intune CM bootstrap

I wrote above that we had two options to migrate. The other option would be to deploy a new CMG using a DNS name and then migrate that to a Virtual Machine Scale Set, which was the way we had to do it before MEMCM 2107 was released.
But now the option described above makes much more sense.


Intune Configuration Profile for Google Chrome based on STIG

Google Chrome is a very popular browser, but like other browsers it needs to be managed as well. One great reference for how to secure and configure Google Chrome is the Security Technical Implementation Guide (STIG), which can be found here:
Google Chrome Current Windows Security Technical Implementation Guide (stigviewer.com)

I have created a Custom policy based on v.97 of the ADMX and the 2021-11-19 STIG release. It can be downloaded from here: https://github.com/Ccmexec/
The configuration profile can be imported using the sample script at Github to import configuration profiles: powershell-intune-samples/DeviceConfiguration_Import_FromJSON.ps1 at master · microsoftgraph/powershell-intune-samples · GitHub

Not all settings fit on the same page; there are 42 settings + the ADMX ingestion step.

I plan to keep this configuration profile updated when a new STIG is released or settings change name or location in newer .ADMX files. In version v98 of the Google Chrome .admx files there were no such changes.

MEMCM 2203 released with great features

MEMCM 2203 has been released with some great features that I need to write about. It must be one of the releases that includes most of the top requested features, like Escrow BitLocker Recovery Key to MEMCM in a Task Sequence, Dark Mode! and Icons for Task Sequences and packages.

Escrow BitLocker Recovery Key to MEMCM in a Task Sequence

This has been a gap ever since the MBAM standalone features were assimilated into MEMCM. We used a script before, which is no longer supported and which also caused an issue if used a couple of versions ago.
See screenshot from docs below, https://docs.microsoft.com

That makes this new Task Sequence step a great addition!

Enable BitLocker step in MEMCM 2203

Dark Mode

Dark Mode is a highly requested feature. To quote a colleague: “Wow I no longer need sunglasses when working in the CM console”. It is a pre-release feature that needs to be activated before it can be used.

Enable Dark Mode


Dark Mode in action

Icons for Task Sequences and packages

This must also be one of the most requested features out there all time! Icons for Task Sequences and Packages. Finally a more user friendly experience!

Icon for Packages
Icons for Task Sequence

Run script and Client Notification from Deployment Status

These types of updates are my personal favorite, the small ones that make a big impact. Being able to run script and client notification actions from deployment status is a huge time saver. Love it!

Actions in Deployment Status.

Management Insights : Deprecated and unsupported features.

Most likely one of the most underestimated features in MEMCM. It gives great insights into cleanup and making your site perform optimally, now with a new category which shows status for deprecated and unsupported features as shown below. A great help in seeing what cleanup needs to be done!

New Management Insights

Run script in temporary device node

When using temporary device nodes, device actions like Run Scripts are now available to make the experience in the console consistent. Again one of those smaller improvements: it makes it possible to run scripts in temporary nodes, and it has been annoying that this wasn’t possible.

Run script

Delete collection references 

When deleting a collection we now can select all dependent collections and delete them. I will use this with caution but it is a great improvement.

There are many more great features. Check out the complete documentation at docs https://docs.microsoft.com

Truly great work by the Configuration Manager team, closing some of the top requested features!!
