With Windows 11 Insider release 22059 the new Start Menu options were introduced which I love! I almost never anything in the recommended section on the Start Menu and now we get three alternatives to how much estate that part can take up on the Start Menu.
The same as today, more or less space. I want more Pins of course! This can be changed in Settings/ Personalization/Start Menu

As I don’t prefer the default option I want to change the default for my users when the next version of Windows 11 is released.
the Layout option is stored in the following registry value.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_Layout

 0 = Default

1 = More pins

2 = More recommendations

The same script described here can be used to modify the default Start Menu during OSD/AutPilot or simple add it to that list of settings that we change in that script.
https://ccmexec.com/2021/10/modifying-windows-11-start-button-location-and-taskbar-icons-during-osd-autopilot/

Happy customizing!

The post Windows 11 Insider Start Menu layout registry customizations appeared first on CCMEXEC.COM - Enterprise Mobility.

After returning from presenting at MMS 2022 in Minneapolis, my first physical event in 2 1/2 years! A great experience as always! I thought it was time to write a post on how important it is that enrollment using a device token works when using Co-management in MEMCM + MEM. 

The Configuration Manager client will handle the enrollment automatically in MDM when Co-management is enabled. The enrollment itself will always try to use a Device Token to enroll and if it is unsuccessful it will fall back to enrolling using the logged on users token. Many we talk to don’t know that the device token is being used for enrollment as the prefered way of enrolling.

Why is this important then, enrollment in Co-management using a Device token can be done without any end user is logged on to the device. This is important for example when deploying a new Hybrid Joined computer and we have moved workloads to MEM as the settings cannot be applied until a user logs on and the enrollment is successful if the device token fails and it tries again with a user token.

Device token kan fail when for example proxy servers, ADFS and other network related issues blocks it and this is something that needs to be handled when starting to enable co-management.

We see in many cases that enrollment using a user token is unsuccessful because there are more factors in play here as well, Conditional Access, enrollment restrictions, MFA and more that can block the enrollment. For example if the end user gets the dreaded “Work or school account problem” popup then user token enrollment will fail as well.

How can we verify that a device token is being used to enroll devices?, well we can check the CoManagementHandler.log file on the clients. In the case below we have blocked devices from enrolling using Enrollment restrictions. Note: that the enrollment restrictions “All Users” are deployed to “All Devices” and it will block device token enrollment as well.

In the Device Management Portal we can only see user enrollment failures so this will be empty when a co-managed device fails to enroll using a device token. So using the CoManagementHandler.log file is the best way to troubleshoot.

Conclusion, make sure that your hybrid-joined co-managed devices are enrolling using a device token to have the optimal Co-Management experience.

The post Co-Management and the importance of device token enrollment. appeared first on CCMEXEC.COM - Enterprise Mobility.

At the session I presented with Michael Niehaus on customizing Windows 11 at MMS 2022 in Minneapolis we talked about the new PowerShell support for installing Language packs and set system language which are included in the Windows 11 Insider build 22257. During the session we got the question if it works together with AutoPilot so of course I had to test it out.

The new PowerShell support in Windows 11 adds the following new commands.
Install-Language
Get-InstalledLanguage
Set-SystemPreferredUILanguage
Get-SystemPreferredUILanguage
Uninstall-Language

The new commands makes it easy to install language and manage language settings which is great! The language pack files needed are downloaded automatically when the command runs.

Get installed languages

What about AutoPilot then?

I just made a simple test, with a Script in Intune to see if it works and fulfills the purpose of installing the language pack during AutoPilot. I made a simple script that install Swedish Language and sets Swedish as the default language on the computer. Imported the script in Intune and deployed it.

Install-language -language sv-se 
Set-SystemPreferredUILanguage -language sv-se 

It works, my test-machines are in Swedish. When first logged in when ESP completes the language of the computer is Swedish as we would expect it to be.

But when running the get-installedLanguage it shows some interesting result showing that Swedish is installed but without any features. Also tested running Install-Language using Win32App instead of using a script and the result is the same.

I have tested this on Build 2261 and 22579 and the result is the same. My conclusion is, yes it works and as far as I can see it in Windows everything looks ok but checking the output it indicates that not all features could be installed.
If I make the Win32app available and run it through Company Portal it works just fine and the Get-InstalledLanguage module returns the correct feature pack installed as well. So that works!
I will continue testing this with later builds and update the post when and if there are any news.

The post Using Install-language during AutoPilot Windows 11 insider appeared first on CCMEXEC.COM - Enterprise Mobility.

One request that was made many times in the comments of the blog posts on TSBackground which is a remarkable tool from Johan Schrewelius, is to be able to show which DP is being used during OSD. I will try to explain the challenges with displaying DP information using TSBackground and some ways of doing it. The existing variable can be used without TSBackground as well of course to tattoo the registry for example with DPs used.
Which will give us the following result.

More information about TSBackground can be found here:
https://onevinn.schrewelius.it/Apps01.html and here https://ccmexec.com/2019/06/tsbackground-for-configmgr/
Displaying Management Point used is easy there is a Task Sequence variable that contains the MP used, “_SMSTSMP”. When it comes to displaying the Distribution Point used it is way more challenging. When the Task Sequence starts it check that all necessary content is available on the DP(s) used before the TS starts. This makes sense otherwise it will fail anyway when it runs, better to stop it before it starts. More than one DP can exist in the same boundary group and then more than one is listed. When the Task Sequence runs and there are more than one DP it will choose one randomly and potentially use more than one DP during OSD.

The following Task Sequence variables are created that can be used.

_SMSTSxxxxx variable

If “Copy the content in this package to a package share on distribution points:” is checked as shown below those packages will be added to a variable with the name “_SMSTSxxxx” where xxx stands for packageid.

For the packages that are not copied to a Package share on the DPs the information is blank as show in the table below.

_SMSTSHTTPxxxx variable

Each package referenced is also added to a variable with the name _SMSTHTTPxxxx where xxxx reflects the packageID as shown below.

The challenge of using this variable is that each DP can be represented more than once depending on HTTPS configuration on the DPs. For my boot image which I have on two DP’s in the Boundary for the client we will have four entries for content location.

_SMSTSLastContentDownloadLocation variable

This variable shows the latest content location used during OSD. Note: that if “Run from DP” is selected for the Task Sequence this variable will be empty during the whole time the Task Sequence runs expect if Applications are being deployed during the Task Sequence they will download the content and show up in the variable. Example of TS variable content is shown below.

Options that can be used together with TSBackground.

TSBackground is a great tool where we can customize the “General.xaml” file where we can modify what is being displayed during OSD.
Looking at the options we have I have created a little script that I run in the beginning of the Task Sequence that will create a new variable “OSDDPS” that contains the HTTPLocations where my BootImage is available when the Task Sequence starts. Reason for it is that the boot image used has its own variable, _SMSTSBootImageID. Using that we can calculate the name of the _SMSTSHTTPxxxxx variable for the boot image, in my example “_SMSTSHTTP060001AF”

I use this PowerShell script to calculate the DP(s) where the BootImage is available in the Boundary Group when the Task Sequence starts.

$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$BootImageID = "_SMSTSHTTP" + $tsenv.Value('_SMSTSBootImageID')
$BootImageDPs = $tsenv.Value($BootImageID)
$servers = @()

foreach ($location in $BootImageDPs.Split(',')) {
    $url = "{0}/{1}/{2}" -f $location.Split('/').Trim()
    $server = $url.Replace("HTTPS://", "").Replace("HTTP://", "").Replace("https://", "").Replace("http://", "")
    $servers += $server
}
$uniqueLocations = $servers | select -Unique
$struniqueLocations = $uniqueLocations -join ","
$tsenv.Value('OSDDPS') = $struniqueLocations

I run it early in my Task Sequence to make the variable available as soon as possible in my Task Sequence.

Then I update the “General.xaml” file in the TsBackground source files with the following rows.

I also add the _SMSTSLastContentDownloadLocation to my General.xaml file.

The result looks like this where Distribution Point(s) represents all DPs where the client can download the bootimage from in the Boundary Group.
And Last used content location is the last DP used to download content from.

As TSbackground updates the variables every second it will update the last used content location dynamically. IF Run TS from distribution point is used the Last used content location will be empty as nothing is downloaded. As shown in the example below. This client is in a boundary group with only one DP as well.

None of these options are perfect but adds information about which DPs are used which can be useful for troubleshooting and looks nice when added to the TSBackground as well. The sample General.xaml used can be downloaded here together with the script. https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/TSBackground

The post Show DP information during OSD using TSBackground appeared first on CCMEXEC.COM - Enterprise Mobility.

When starting to move workloads to Intune of the first workload to move is Compliance and Endpoint Protection. When moving the Endpoint protection workload the following configurations are moved to Intune instead of MEMCM:

• Windows Defender Antimalware
• Windows Defender Application Guard
• Windows Defender Firewall
• Windows Defender SmartScreen
• Windows Encryption
• Windows Defender Exploit Guard
• Windows Defender Application Control
• Windows Defender Security Center
• Windows Defender for Endpoint (now known as Microsoft Defender for Endpoint)

This makes sense in many ways to move as we have better options to manage almost all of the settings above from Intune as newer settings are missing from MEMCM. Also for the future if using Hybrid joined today a lot of configuration is already in there when it is time to move to AAD Joined instead.
One question I get many times is how long does it take for a client to Hybrid Join, enroll in MDM and for the Defender enrollment policy to come down to the device. I wrote a little simple script to log this during OSD of a new client and I was thinking that I maybe could improve the time it takes…
The output of the script looks like this and ends with “Onboarded to Defender for Endpoint” as shown below:

This can be used in many different ways, show a dialog when a newly deployed device in i prestage center is ready to ship, display a message, post to teams and much more.
The times in the sample above is pretty great, but it took me a while to get there as many things affect the time it takes for all steps to complete. When I added a step to install Software Updates during OSD the Hybrid Join completes during the Task Sequence that is why the script logs the same time. I did the following to improve enrollment times:

• Set the Co-Management policy to target all devices. (not having to wait for a collection update)
• Set the Endpoint Protection Workload to “All Systems” , again not to have to wait for collection updates.
• Configured the Defender for Endpoint onboarding to “All devices” instead of a Dynamic Group (use filters if you need instead = much faster)
• Used and up to date Windows 10 / Windows 11 Image, solved a lot of delays compared to using a one year old media.
• Make sure to use the latest MEMCM client in the Boot Image and install the latest one in the Task Sequence that solved some issues with Enrollment URL not being configured.
• Of course make sure the device has Internet access, not having to wait for proxy configurations that will also delay things.
• Another thing that can affect in large environments is the AAD connect sync of the computer object as that will affect Hybrid Join. After adding some more steps in my lab like install Software Updates so the Task Sequence takes more time. To be far also more close to production that timeout is not an issue anymore but could still be with multiple DC’s and replication.

The script

There a two scripts, one logs that OSD is complete and adds a Schedule task to trigger the script that will log how long time the different steps takes to C:\Windows\Temp\DefenderOnboarding.log file.
And when the process completes the script will delete the schedule task so it will not run again. The scripts can be downloaded from GitHub here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Wait%20for%20Onboarding

Task Sequence step.

Running it from a package as the script imports the Schedule task using an .XML file.

The script:

# Script to write OSD Complete and register the Schedule Task that will monitor HYbrid Join, MDM enrollment, Defender for endpoint onboarding.
# Jorgen@ccmexec.com

$logfilepath="C:\Windows\Temp\DefenderOnboarding.log"

function WriteToLogFile ($message)
{
$message +" - "+ (Get-Date).ToString() >> $logfilepath
}

WriteToLogFile "OSD Complete"
Copy-Item -Path $PSScriptRoot'\WaitforOnboard.ps1' -Destination $env:Windir'\Temp'
Register-ScheduledTask -Xml (get-content $PSScriptRoot\WaitforOnboarding.xml | out-string) -TaskName "WaitforOnboarding"

The script triggered by the Schedule Task.

# Script to track the process HYbrid Join, MDM enrollment, Defender for endpoint onboarding.
# Jorgen@ccmexec.com

$logfilepath="C:\Windows\Temp\DefenderOnboarding.log"

function WriteToLogFile ($message)
{
$message +" - "+ (Get-Date).ToString() >> $logfilepath
}

WriteToLogFile "Script started"

do {
    $AADInfo = Get-Item "HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo"

$guids = $AADInfo.GetSubKeyNames()
foreach ($guid in $guids) {
    $guidSubKey = $AADinfo.OpenSubKey($guid);
    $DeviceDisplayName = ($Null -ne $guidSubKey.GetValue("DeviceDisplayName")
        )
       Start-Sleep -Seconds 1
    }
} while (
    $DeviceDisplayName -ne "True")
    WriteToLogFile "Hybrid Joined"

do {
    $MDMEnrollment = $Null -ne (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceID).DeviceClientID
    Start-Sleep -Seconds 1
} while (
    $MDMEnrollment -ne "True")
    WriteToLogFile "Enrolled in MDM"

do {
       $MDEState = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status").onboardingstate -eq "1"
       Start-Sleep -Seconds 1
} while (
    $MDEState -ne "True")
    WriteToLogFile "Onboarded to Defender for endpoint"

Unregister-ScheduledTask -TaskName waitforonboarding -Confirm:$false

I hope this can be useful and I will post more examples how to use it with going forward.

The post Logging the Co-management and Defender onboarding process during OSD appeared first on CCMEXEC.COM - Enterprise Mobility.

When we move workloads to Intune in our Co-Management scenarios we lose some features we have been using and need to go back to basic. In this short post we will install updates during OSD using the PSWindowsUpdate module which is great. When we moved the Windows Update workload and uninstalled WSUS we need another way of installing updates. I did a lot of testing and excluding drivers and all updates with “preview” in the title works really well.

Start by saving the PSWindowsUpdate module to a temp directory on a computer, we download it so we can add it to our CM Package we us to install updates.

Save-module PsWindowsUpdate -Path C:\Module

That will create the following folder with the module inside

Then we save the script below in the same folder. The script will do the following:

• Copy the PSWindowsUpdate module to the local computer
• Read the TS variable for the location of the SMSTS.log folder
• Install updates from Windows Update excluding Drivers category and updates with “Preview” in the title.
• Log the progress to a log file in the CCM\Logs folder

# Script to install updates from Microsoft Update during OSD
# Jorgen@ccmexec.com

# Copy PSWindowsUpdate module
$TargetPath = Join-Path -Path $env:ProgramFiles -ChildPath "WindowsPowerShell\Modules"
mkdir $TargetPath -Force -ErrorAction Stop | Out-Null
Copy-item -path $PSScriptRoot'\PSWindowsUpdate' -Destination $TargetPath -Recurse
  
# Get SMSTSLog folder
$tsenv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$SMSTSLogfile = $tsenv.Value("_SMSTSLogPath")
$SMSTSLogfilepath = $SMSTSLogfile.Replace("\SMSTS.log", "")

# Install updates from Microsoft Update
Import-Module PSWindowsUpdate
Get-WindowsUpdate -AcceptAll -Install -NotCategory "Drivers" -NotTitle Preview -WindowsUpdate -IgnoreReboot | Out-File "$SMSTSLogfilepath\WindowsUpdate-$(get-date -f yyyy-MM-dd).log" -force

Our source folder now looks something like this and can be copied to our MEMCM Source folder share.

In Configuration Manager we create a Package with source files and distribute them to the relevant DP’s.

In our Task Sequence we add the following steps, note the Restart Computer steps, I had to add two restart computer steps to get all of my physical test machines to not break the task sequence engine with an unexpected reboot. Be sure to test that out!

A tip if you are piloting moving Windows Update for business, add a variable to the Co-Management Pilot collection. Then we can use that as a condition to run updates using this script or using Configuration Manager depending on the variable.
I will post more on Co-Management and prestaging a Co-Managed computer soon

The post Installing updates during OSD using PSWindowsUpdate appeared first on CCMEXEC.COM - Enterprise Mobility.

I have updated the script I use to uninstall built in apps in Windows 10 and Windows 11. Windows 11 22H2 has some changes when it comes to removing built-in apps. Is uninstalling built-in apps still a thing, yes it is. Teams Personal is one example of a similar app to Teams that causes unnecessary helpdesk calls and confusion for the end-users.
Attack vector is also a thing built-in apps have vulnerabilities and some apps are being abused like Power Automate and Quick Assist. I wrote a post on Quick Assist before, https://ccmexec.com/2021/09/windows-11-customizations-a-first-look/ It is maybe a good enough solution but for small companies maybe ok, but I still think it should be removed.

What is new in Windows 11 22H2?

Quick Assist – is no longer a Windows Capability it is now a built-in app instead of a capability.

ClipChamp – video editor, requires a Microsoft Account. Cannot see it being used in an enterprise.

I have updated the remove apps PowerShell script so it can be run without a capabilities file as we no longer need to remove Quick Assist as a capability. It can be downloaded from Github here: https://github.com/Ccmexec/MEMCM-OSD-Scripts/tree/master/Windows11

The download contains the following files.

The Apps+buildnr.txt contains a list will all apps that should be removed.
Capabilitites+buildnr.txt contains a list of the capabilities that should be removed. As Quick Assist no longer is a capability it is not needed anymore in Windows 11 22H2.

More on how to use the script can be found here: https://ccmexec.com/2018/04/windows-10-remove-builtin-apps-script-with-multiple-version-support/

The post Remove built-in apps in Windows 11 22H2 during OSD appeared first on CCMEXEC.COM - Enterprise Mobility.

One of the biggest differences there is between supporting an ADD joined Windows devices compared to On-premise is the Domain firewall profile. When a AD joined device are connected to the domain network it switches to a domain firewall profile where we can have management ports open. Administrative shares, WinRM, Remote Registry and much more which is pretty normal. This makes it possible for ServiceDesk and technicians to remotely troubleshoot errors without disturbing the end-user. Or to quote one customer “I haven’t talked to an end-user in 2 years, I am not about to start now” works in third-line without any customer interaction today.
AAD joined devices do not have the Domain Firewall profile they only have Public and Private which leaves us without that option.

For a Zero Trust implementation this works great but many have a network that is still trusted, using 802.1x on Ethernet for desktop devices for example. Then switching the firewall profile makes sense.

How can we Switch to Private Firewall profile on AAD joined Windows on connect then? It requires local admin permissions to switch to a different Firewall Profile which makes perfect sense.
I reused a script I wrote that uses a schedule task that triggers in the event when the computer connects to a specific network https://ccmexec.com/2020/11/map-drives-when-connecting-to-corporate-network/

The Schedule Task uses a custom event trigger based on network name as shown below. Here you need to change the name of the network. The SwitchFirewall.ps1 script has a section in the beginning where additional checks can/should be made that it actually is the corporate network we are connected to.

The script

The following files are needed and can be downloaded here: https://github.com/Ccmexec/Intune-MEM/tree/master/SwitchFirewall
The install.ps1 script will do the following
– Copy the SwitchFirewall.ps1 script to %programfiles%\SwitchFirewall
– Creates a Schedule task with trigger
– Set registry value that can be used for detection by Win32app

SwitchFirewall.ps1 script.

# Place additional checks here that the device connected to the correct network.
Get-NetConnectionProfile -Name "Demiranda.nu" | Set-NetConnectionProfile -NetworkCategory Private

Implementation

The download contains 4 files. Install.ps1 and Uninstall.ps1 as described above. and .xml file with the name och the network in the exported rule. And a SwitchFirewall.ps1 script that is executed by the schedule task.

Two files needs to be modified:
-SwitchFirewall Replace the network name
-SwitchFirewall.xml which is the schedule task to import als need to change the network name

Here are the settings needed to deploy the script as a Win32App:

Install Command: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file Install.ps1
Uninstall Command: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file UnInstall.ps1

Detection rule:

With this solution implemented we can deploy our Firewall settings for the Private profile and start to manage them remotely if we want to.
I hope this is useful.

The post Switch to Private Firewall profile on AAD joined when connected to specific network. appeared first on CCMEXEC.COM - Enterprise Mobility.

Yes!! Finally we can meet up in person again! We will arrange a physical hybrid user group event @Microsoft Reactor in Stockholm on the 19^th of October.(In Swedish)

The world has changed a lot since last time we did a physical event which was before covid. This time we will livestream it as well as in-person it will be great fun!
PatchMyPC is our sponsor for the event and without them it wouldn’t have been possible to host the event! Thank you for all you do for the community!

We have a great speaker lineup for the event!

Agenda:

0830 – 0900 – Doors Open

0900 – 0945 – Välkomna tillbaka – Trender och observationer – Stefan Schörling & Jörgen Nilsson

1000 – 1045 – An update on Microsoft Defender – Björn Axell

1100 – 1145 – 3rd party patching – Scott McAllister – PatchMyPC

Lunch

1245- 1345 – Autopilot lessons learned – Nickolaj Andersen & Thomas Åhlstedt

1400 – 1430 – Microsoft Store for Business / WinGet vad händer nu? – Jörgen Nilsson

Fika

1445 – 1545 – Windows 11 22H2 vad är nytt – Andreas Stenhall & Torbjörn Granheden

1545 – 1600 – Kahoot closing competition!

The good and bad news is that there are no tickets left for the event, lookout for information about Live stream(Swedish)

The post MMUGSE – physical event 2022-10-19 @Microsoft Reactor Stockholm. appeared first on CCMEXEC.COM - Enterprise Mobility.

In Windows 11 22H2 we have some great new options for the Start Menu layout which I really like, More Pins or More recommendations.

There is no builtin way to configure the default for the end-user with which Start Menu layout to use. We get a lot of questions from end-users that they would like to have more pinned apps in the Start menu to make it easier to start them without clicking on more apps first. Which we now can!

I wrote a post on how to customize the layout using registry values: https://ccmexec.com/2022/04/windows-11-insider-start-menu-layout-registry-customizations/

Me and my colleague Sassan updated the script mentioned here to customize the taskbar with new features: https://ccmexec.com/2021/10/modifying-windows-11-start-button-location-and-taskbar-icons-during-osd-autopilot/
The Taskbar could look like this:

New features:
– Set the default for More Pins
– Set the default for More recommendations
– Apply to all existing profiles on the computer
– Writes a registry value which can be used for detection in a Win32app, making it possible to install using Intune as well both as a script and Win32app.

The script can be used with the following variables:
– RemoveTaskView = Remove Task View from the Taskbar
– RemoveWidgets = Removes widgets from the Taskbar
– RemoveChat = Removes chat from the Taskbar
– MoveStartLeft = Move Start to the left
– RemoveSearch = Remove Search from the Taskbar
– StartMorePins = Changes the default Start layout to More pins (22H2)
– StartMoreRecommendations = Changes the default Start layout to More recommendations (22H2)
– RunForExistingUsers = Modifies all existing profiles on the computer.

Sample syntax:
powershell.exe -noprofile -executionpolicy bypass -file CustomizeTaskbar.ps1 -RemoveWidgets -StartMorePins –MoveStartLeft

The script can be downloaded from GitHub here: PowerShell/Customize TaskBar and Start Windows 11 at master · Ccmexec/PowerShell · GitHub

Registry value used for detection can be changed in the script.

In Intune we can use this for Win32App detection.
Win32app install syntax:
C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file CustomizeTaskbar.ps1 -RemoveWidgets -StartMorePins

Detection method:

I have had many requests for this script so I hope it will be useful!

The post Customizing Taskbar and Start in Windows 11 22h2 with PowerShell appeared first on CCMEXEC.COM - Enterprise Mobility.

Desktop App installer a.k.a. Windows Package Manager and Winget is a powerful addition to the Windows platform. It is also something that we all need to learn and configure according to our organization’s requirements, compliance requirements and security. The “New” Store support in Intune makes this a bit trickier as well as we must allow the users to install apps from the MS Store and/or the Winget repository to get that integration to work.
I realized I was thinking of the “new” store support in Intune the wrong way, I was seeing it as a replacement for the Business Store, but it is not. The business store will reach end of life in Q1 2023, which is soon when writing this. And the “new” store feature is not a replacement it is a refreshed store app support in the console just like  “Legacy” store apps and we should not compare it to the Business Store.

Last week I was tasked with configuring the Desktop App Installer as not all organization’s want their end user to install applications from the Winget repository as it is not controlled the same was as the MS Store repository. Well, in fairness organizations with high security requirements don’t want to let users install from the MS Store either. But with the Business Store retiring we have no choice of we want to deploy MS Whiteboard for example.

All organization’s need to decide on how Desktop App Installer (Winget) should be used. It is enabled by default so without any configuration a user can install apps from the MS Store repository and the Winget repository.

Configuration

For Group Policy there are .admx and .adml files that can be downloaded, imported into the central Policy Definitions folder and configured.

For Intune managed devices there is a DesktopAppInstaller CSP – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller which works great for Windows 11 22H2 as the .admx/.adml file are there by default. According to Microsoft Learn it should work for Windows 10 as well but that is not what I am seeing.
Older versions of Windows 11 and Windows 10 does not have them and as the DesktopAppInstaller CSP is a ADMX backed CSP it will fail on older versions than Windows 11 22H2.

What about ingesting the .admx file then? Well, the registry keys/values created is located under Software\Microsoft\Windows\Appinstaller and that is a protected/blocked registry key. Ingestion will fail both with the Custom .ADMX feature and Ingestion using a custom policy (CSP) with access denied as shown below.

More information on the blocking of ingesting .admx files in the \Software\Policies\Microsoft key can be found here: https://learn.microsoft.com/en-us/windows/client-management/win32-and-centennial-app-policy-configuration#overview  

Desktop AppInstaller CSP settings

The settings will only allow apps from the MS Store and disable Hash Override, adding your own repository and modifying settings.

Here are my custom Configuration Policies for Desktop App installer, exported using “Intune Manager”, https://github.com/Micke-K/IntuneManagement which is simply great!

PowerShell script for the rest

As I couldn’t use the Desktop App Installer CSP for Windows 10 and Windows 11 22H2, I reverted to using a PowerShell script so I can get the job done!

# Registry key to create for the Desktop App Installer Policies

$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller"

# Check if the Appinstaller registry key already exists

if (!(Test-Path $RegistryPath)) {

        New-Item -Path $RegistryPath -Force

}

# Create the Desktop App Installer registry values

New-ItemProperty -Path $RegistryPath -Name "EnableAdditionalSources" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableAllowedSources" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableAppInstaller" -Value "1" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableDefaultSource" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableExperimentalFeatures" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableHashOverride" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableLocalManifestFiles" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableMicrosoftStoreSource" -Value "1" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableMSAppInstallerProtocol" -Value "0" -PropertyType dword -Force

New-ItemProperty -Path $RegistryPath -Name "EnableSettings" -Value "0" -PropertyType dword -Force

The post Configuring Desktop App Installer using CSP and script?! appeared first on CCMEXEC.COM - Enterprise Mobility.

The Security baseline in Intune is based on the Security Baseline for Edge v85.. We are currently on Edge baseline 107 (no new recommended settings for 108 & 109). That is only one reason for creating you own Edge Security baseline using Settings Catalog instead. More reasons are that it is easier to troubleshoot and managed only one policy instead of having some settings in the Baseline and the rest in an Edge policy based on settings catalog.

What are the challenges then? Well for security baseline v.107 (latest downloadable baseline) is that two settings does not exist in the Settings Catalog.

• Force WebSQL to be enabled
• Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context

These two settings are not in the Intune Security baseline either as they were added after v85..Here are the settings that can be set using settings catalog, all policies in green exists.

And here is an exported policy that can be imported using PowerShell for example so you don’t have to do the same detective work as I did. Intune-MEM/Edge Security Baseline 107 Settings catalog at master · Ccmexec/Intune-MEM · GitHub

If you want to set the two last settings here is a simple PowerShell script that will set the values missing in the Settings catalog. I tried importing the MSEdge.admx file and set the settings using the imported .admx feature but that did not work out either. Got duplicates of all settings and about half worked.

PowerShell script

# Registry key to create additional registry value for Microsoft Edge not in Settings catalog
 
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"
 
# Check if the Microsoft Edge registry key already exists
 
if (!(Test-Path $RegistryPath)) {
 
        New-Item -Path $RegistryPath -Force
 
}
 
# Create the Microsoft Edge additional registry values
 
New-ItemProperty -Path $RegistryPath -Name "WebSQLAccess" -Value "0" -PropertyType dword -Force
 
New-ItemProperty -Path $RegistryPath -Name "SharedArrayBufferUnrestrictedAccessAllowed" -Value "0" -PropertyType dword -Force

To verify the settings I used the HardeningKitty toolkit which is simply great! It can be used to check compliance against different Security Baselines, Microsoft, STIG and more. It can be downloaded from here: https://github.com/scipag/HardeningKitty
After adding the script I got all settings verified.

This is how I will manage the security baseline from now on for Microsoft Edge. I hope this is useful!
Next up the Windows Security baseline :D!

The post Configuring MS Edge Security Baseline v107 using Settings Catalog appeared first on CCMEXEC.COM - Enterprise Mobility.

I wrote a post a couple of weeks ago with the Microsoft Edge Security Baseline policy re-created in Settings catalog. I got a lot of questions if I had done it with the Windows MDM Security Baseline as well and here it is.
This was not a fun exercise it took a while. Looking forward to the end of Internet Explorer 11 once and for all, recreating this brought back memories on configuring IE 11 with Group Policies…. Not all positive.
I like using Settings Catalog better than the security baseline because it is easier to modify, easier to manage and follow up.
When I recreated the Edge Security baseline I had to use a PowerShell script to set two settings, that was not needed this time all settings was available.

The policy can be downloaded in .json format here:
https://github.com/Ccmexec/Intune-MEM/tree/master/Windows%20MDM%20Security%20Baseline%20Settings%20Catalog

I hope you find it useful

The post Windows MDM Security Baseline – Settings Catalog appeared first on CCMEXEC.COM - Enterprise Mobility.

Time to share how I am using Success.cmd to add the registry key to prevent Personal Teams. I think that the possibility to run commands when doing feature updates is used way too little. We have the option to use SetupConfig.ini as well with Intune, Configuration Manager and Standalone of that is what we want to do. Upgrade from Windows 10 to Windows 11 with Setupconfig.ini and Intune – CCMEXEC.COM – Enterprise Mobility

Windows 10/11 also have the possibility to run command during the different phases of a Feature upgrade like, Preinstall.cmd. Failure.cmd and Success.cmd (the names are self-explaining). These files are honored independently on how a feature upgrade is initiated. More Information can be found here:
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions?view=windows-11

I have a separate computer I use to run Windows Insider(Canary) builds on and I am tired of removing Personal Teams every week for example. Using Success.cmd works great, been using it for a year now so I thought I write this to remind everyone that we can still run commands during a feature upgrade.

Do you want the command to run for each feature upgrade or only once? That is the first thing to decide.
%windir%\System32\update\run
Or
%windir%\System32\update\runonce

Under the selected folder we create a subfolder with the correct GUID (there are many GUID generators out their example: https://guidgenerator.com/online-guid-generator.aspx )

And in that folder, I drop my success.cmd file which will then run each time my machine do a feature update.

In my success.cmd file I have only one line as I am interested in getting rid of Personal Teams.

reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Communications /v ConfigureChatAutoInstall /t REG_DWORD /d 0 /f

That will set the registry value so that Personal Teams will not reinstall after servicing. I can of course be used for so many other purposes, uninstalling built-in apps for example.

Using Success.cmd with Intune

I use a simple PowerShell script that copies the files to the correct location so I can deploy it to all my machines. I have deployed it as a Win32 app to be able to have more files in there in the future. 

Copy-Item -Path "$($PSScriptRoot)\58cbda92-67b7-423c-a51b-583e763136ab" "$env:windir\Setup\Scripts\Update\Run\58cbda92-67b7-423c-a51b-583e763136ab" -Recurse -Force

I added my GUID folder – and the script as shown in the structure below.

I use a simple detection rule that the file exists in the folder.

Takeaway: we are still in control of the feature update process as we can run commands on failure and on success.

The post Windows Servicing, Personal Teams and Success.cmd appeared first on CCMEXEC.COM - Enterprise Mobility.

This will be a short post on how to update WinPE boot images with a Cumulative Update as we need to do that now with the release of May 2023 Cumulative Update to address CVE-2023-24932. Spent all day with colleagues to try to test what happens to OS deployment (and AutoPilot) when deploying the mitigation for CV-2023-24932 and re imaging a computer.
There are still a lot of testing left with this update and the mitigations but one thing that is needed is to update the boot images used in Configuration Manager and MDT for example.

Here is a quick script https://github.com/Ccmexec/MEMCM-OSD-Scripts/blob/master/Update-BootWIM.ps1 that my best colleague Sassan Fanai https://twitter.com/sassan_f?s=20 wrote based on this sample from Microsoft Learn https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update

Note that before implementing the manual steps to mitigate the vulnerability make sure you have all required lifecycle inplace as deploying an unpatched image even if the boot images are updated will fail.

I applied the mitigations on a Virtual Machine and after that PXE boot fails with the following error.

Using the script to update the boot image

Start by downloading the script from the location above.
Then download the latest LCU from Microsoft Update Microsoft Update Catalog

To update the default Boot image do the following, for each custom image update the boot.wim in each source folder as well with the CU = redo the whole process below for each image.

• Create two folders in C: “Boot Image Backup” and “MediaRefresh”
• In the MediaRefresh folder create a Packages folder
• Copy the Cumulative Update to “MediaRefresh\Packages” folder and rename it to LCU.MSU
• Copy the Boot.wim from %Configuration Manager install folder%\OSD\Boot\X64 to “Boot Image Backup” – For the default boot.wim.

• Run the script and the boot image will be updated with the lastest CU.
• It will look like shown below.

• Rename the old boot image used in the %Configuration Manager install folder%\OSD\Boot\X64 to .bak for example and copy the updated Boot.Wim image
• Then update the distribution points with the updated boot image.
• In the console open properties on the Boot image and select reload and the new version will show.
  

Then PXE boot will work again. The updated boot image will work to PXE boot devices that have applied the mitigations steps and those that haven’t.
Next up build an image with the update in it or wait for VLSC to test that out so we can reinstall devices which have the mitigation applied.
If deploying an older image it will fail with the following error if it is an Hyper-V VM.

Now time for more testing!

The post PS Script to Update Boot images with CU-CVE-2023-24932 appeared first on CCMEXEC.COM - Enterprise Mobility.

On the 8th of June it is time again! Microsoft Management User Group Sweden – Summer Meetup @ Microsoft Reactor Stockholm. We have the great honor of having some great presenters & MVP’s to join us. Really looking forward to a great day.

We are very grateful for our Sponsor: Recast Software – https://recastsoftware.com

The agenda looks like follows:

Agenda:
0830 – 0900 – Doors Open
0900 – 0945 – Welcome – What is new in Endpoint Management – Stefan Schörling & Jörgen Nilsson
1000 – 1045 – Intune App Factory – Nickolaj Andersen
1100 – 1145 – Recast Sponsor Session
Lunch
1245- 1345 – Windows Laps – More than just a policy – Nicklas Ahlberg
1400 – 1430 – A look at Intune Suite – Johnny Radeck
Fika
1445 – 1545 – 10 tips to succeed with your Autopilot setup – Jan Ketil Skanke
1545 – 1600 – Q&A

Most sessions will be delivered in Swedish and we hope to be able to make it a Hybrid event, we are not really sure yet if we can solve it just yet. We will post that information in the User Group that we host on Facebook.

To sign up for the event check out the Facebook page and join the user group and from there you have the registration page.

https://www.facebook.com/groups/241438124169/

Hope to see you all there!

The post MMUGSE – Summer Meetup 8th of June 2023 appeared first on CCMEXEC.COM - Enterprise Mobility.

Finally time to blog during these busy times, removing Personal Teams in Windows 11 by setting the ConfigureChatAutoInstall registry value to prevent from installing.

The challenge is that the permissions on that registry key, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Communications is set to TrustedInstaller so it is hard to create the necessary value. There are solutions out there that uses Remediations to uninstall it or use SetACL.exe to set the permissions. That is why we wrote it in PowerShell natively instead, my co-worker Sassan made it look better than mine , it can be downloaded from here:

CodeDump/Set-ConfigureChatAutoInstall.ps1 at main · suazione/CodeDump · GitHub

The script does the following:

• Takes ownership of then registry key
• Creates and sets the registry value
• Sets the ownership back to TrustedInstaller
• Uninstalls Personal Teams if it is already installed

I deploy this as a Win32App in Intune and add it as a blocking app in the Enrollment Status Page so the value is set the first time the user logs on. Works great! Now that Windows 11 23H2 will be delivered as an eKB (Enablement Package) and hopefully not put it back as Windows 11 21H2 – Windows 11 22H2 did. If that is the case, we can easily use success.cmd as I wrote about here to keep it away. https://ccmexec.com/2023/03/windows-servicing-personal-teams-and-success-cmd/

Deploy it as a Win32App

To be able to use it as a blocking app I wrap it and use the following:

Install Command: %WINDIR%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File RemoveConsumerTeams.ps1

Uninstall Command: %WINDIR%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File RemoveConsumerTeams.ps1

Detection Rule: Registry

Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Communications

Value Name: ConfigureChatAutoInstall

As shown in the picture below.

I hope this will be of value so we can remove personal Teams and move on!

The post PowerShell script to keep Personal Teams away in Windows 11 appeared first on CCMEXEC.COM - Enterprise Mobility.

At WPNinjas 2023 in Baden me and my good friend Ronni Pedersen (@ronnipedersen) presented a session “Unleashing the Power of Microsoft Intune Community Tools” where we demoed a lot of amazing Intune Community tools.

Intune community tools are created by the best people in the best community in the world and they often fill feature gaps in Intune and solve challenges admins face in their day-to-day work. They help us all save time and make our lives easier. So if you like a tool, drop the creator a line on X or blog and show your appreciation!!

The following is the list of tools we demoed and links to them all.
• Intune Maps – Shehan Perera – https://intunemaps.com/
• Rockn Roll Tool – Nicklas Ahlberg – https://www.rockenroll.tech/
• Rock My Printers – Nicklas Ahlberg – https://www.rockenroll.tech/2023/03/14/rock-my-printers/
• Intune Remediation repo – Jannik Reinhard https://github.com/JayRHa/EndpointAnalyticsRemediationScripts
• System Information and Self- service tool – Jannik Reinhard – https://jannikreinhard.com/2023/01/01/system-information-and-self-service-tool/
• Bitlocker Pin – Intune – Oliver Kieselbach – https://oliverkieselbach.com/2019/08/02/how-to-enable-pre-boot-bitlocker-startup-pin-on-windows-with-intune/
• DCToolbox – Daniel Chronlund – https://danielchronlund.com/2020/11/09/dctoolbox-powershell-module-for-microsoft-365-security-conditional-access-automation-and-more/
• Device validation Tool – https://www.powerofpowershell.com/post/device-validation-with-powershell-wpf-gui-post-imaging-or-autopilot
• Intune Debug Toolkit – Mattias Melkersen – https://msendpointmgr.com/intune-debug-toolkit/
• Intune Device Details UI – Petri Paavola – https://github.com/petripaavola/IntuneDeviceDetailsGUI
• Intune LogReader – Petri Paavola – https://github.com/petripaavola/Get-IntuneManagementExtensionDiagnostics
• Intune Script Viewer – Trevor Jones – https://smsagent.blog/2022/05/11/script-viewer-for-microsoft-endpoint-manager
• Automatic Microsoft 365 Documentation – Thomas Kurth – https://www.wpninjas.ch/2021/05/automatic-intune-documentation-evolves-to-automatic-microsoft365-documentation/
• Intune Management – Micke Karlsson – https://github.com/Micke-K/IntuneManagement
• Intune Drive Mapping Generator – Nicola Suter –https://intunedrivemapping.azurewebsites.net/
• IntuneWin Build and Extract – Damien Van Robaeys –https://www.systanddeploy.com/2023/05/intunewin-build-and-extract-tool-to.html
• Enhanced Inventory Intune – Jan Ketil Skanke – https://msendpointmgr.com/2022/01/17/securing-intune-enhanced-inventory-with-azure-function/
• OSDCloud – David Segura – https://www.osdcloud.com/
• OSBuilder – David Segura – https://osdbuilder.osdeploy.com/
• PSAppdeployment toolkit – Seán Lillis and Dan Cunningham – https://psappdeploytoolkit.com/
• Intune Backup / Restore PowerShell module – John Seerden –https://github.com/jseerden/IntuneBackupAndRestore
• IntuneCD – Tobias Almen – https://almenscorner.io/introducing-intunecd-tool/

The post Community tools demoed at WPNinjas 2023 appeared first on CCMEXEC.COM - Enterprise Mobility.

The new Teams client is now a MSIX that we need to deploy. We have a tool for this called teamsbootstrapper.exe which gets new features all the time. The official Microsoft documentation can be found here Bulk deploy the new Microsoft Teams desktop client – Microsoft Teams | Microsoft Learn  
Teamsbootstrapper.exe support both online and offline installation of the Teams MSIX file, where online downloads the latest MSIX installer dynamically. We could deploy the MSIX using Intune/Configuration Manager but then we need to update the MSIX file from time to time to not deploy an old version to new clients.  

My coworker Sassan (@sassan_f) wrote a PowerShell script that will make the deployment easier and dynamic by downloading the latest teamsbootstrapper.exe as well dynamically so we don’t have to update our application in Intune or Configuration Manager when it is updated. It can be downloaded here: CodeDump/Install-MSTeams.ps1 at main · suazione/CodeDump · GitHub 
It also includes a switch when present, will configure RunOnce registry value for the Default User profile and all existing profiles to speed up installation of MSTeams after a user sign in. The RunOnce key will be deleted when uninstalling MSTeams using -Uninstall. If there is an active currently logged on user, a scheduled task will be be created that installs MSTeams as an AppxPackage to speed up the installation.  

The script works both in Intune and in Configuration Manager.  

Powershell is used as detection method and can be as simple as: 
if (“MSTeams” -in (Get-ProvisionedAppPackage -Online).DisplayName) { Write-Output “Installed” } 

CommandLine parameters for the script

PARAMETER EXE 
The name  of the executable file for the MSTeams installation bootstrapper. Default is “Teamsbootstrapper.exe”. 

PARAMETER MSIX 
The name of the MSIX file for offline installation of MSTeams, only required if using -Offline. Default is “MSTeams-x64.msix”. 

PARAMETER LogFile 
The path to the log file where the install/uninstall process will be logged. Default is “$env:TEMP\Install-MSTeams.log”. 

PARAMETER Offline 
A switch parameter that, when present, will initiate an offline installation of MSTeams using the local MSIX file. 

PARAMETER Uninstall 
A switch parameter that, when present, will deprovision MSTeams using the Teamsbootstrapper.exe and uninstall the MSTeams AppcPackage for AllUsers. Uninstall will delete the registry key: HKLM\Software\Wow6432Node\Microsoft\Office\Teams that can can block installations of MSTeams. 
Uninstall will attempt to remove InstallMSTeams RunOnce registry item for Default User and existing profiles that may have been set by SetRunOnce. 

PARAMETER ForceInstall 
A switch parameter that, when present, will uninstall and deprovision MSTeams before attempting installation. It will also delete the registry key: HKLM\Software\Wow6432Node\Microsoft\Office\Teams that can can block the installation of MSTeams. 

PARAMETER SetRunOnce 
A switch parameter that, when present, will configure RunOnce registry value for the Default User profile and all existing profiles to speed up installation of MSTeams after a user sign in. The RunOnce key will be deleted when uninstalling MSTeams using -Uninstall.
If there is a active currently logged on user, a scheduled task will be be created that installs MSTeams as an AppxPackage to speed up the installation. 

PARAMETER DownloadExe 
A switch parameter that, when present, will attempt to download teamsbootstrapper.exe from Microsoft and verify its digital signature. Using this parameter removes the need to include a local teamsbootstrapper.exe. Has to be specified for -Uninstall as well. 

To deploy it create a Win32app with or without the teamsbootstrapper.exe and/or MSIX file depending on your preferences and requirements.

Great work Sassan! Hope this will make Intune/Configuration Manager admins life easier deploying the new Teams client.  

The post Install New Teams client with PowerShell with or without content appeared first on CCMEXEC.COM - Enterprise Mobility.

Got this request based on the PowerShell script I wrote on how to make the “enrolled by” user in Intune member of the local admin group, but instead add the user to the Remote Desktop Users group. Which is really easy to change, but to get this to work in a good way we also need to enable remote desktop access to the device, configure Windows Firewall in a correct and secure way using the domain profile (which was added to Microsoft Entra Joined devices in December 2022).
In our scenario it was developers that wanted to remote control their own computers which could make sense. One requirement is that it’s only allowed on the corporate network, which is important because the Windows Security Baseline disables merge of local/group policy Windows Firewall rules for the public profile which is important. If we would deploy a Windows Firewall policy to enable RDP on all profiles it would also open RDP in the public profile, with 4G/5G card or direct internet access that would open RDP to Internet.

The script can be downloaded from GitHub:Intune-MEM/AddToRemoteDesktopUsers.ps1 at master · Ccmexec/Intune-MEM (github.com)

What do we need to do to enable Remote Desktop Access for the user that enrolled the device in Intune then?

• Deploy the script
• Configure Window Firewall with Network List Manager and open RDP
• Enable Remote Desktop
• Configure Remote Desktop Client to use “Web account to sign in..”

Deploy PowerShell script

I deploy it as a simple PowerShell script in Intune, it checks in the registry after the UPN of the user who enrolled the device in Intune and adds the user to the Remote Desktop Users group.

Windows Firewall

As I mentioned above it is important that we don’t enable Remote Desktop on the public Windows Firewall profile which is default for the built-in rule if that is enabled. Windows Security Baseline disables “Policy rules from Group Policy not merged” it also includes local Firewall rules.

Network List Manager can be used to enable the Domain Profile on a Microsoft Entra joined device. This is for me an important part of a Microsoft Entra Joined device design. So we actually can do some troubleshooting remotely without disturbing the end-user to troubleshoot their device.
Network List Manager is preferably configured using the Windows Firewall policy under Endpoint Security. In my case I use my Configuration Manager server as it has IIS Default website still active. The requirements for the TLS Authentication Endpoints are that it’s running HTTPS and can be validated using TLS 1.2 and does not require sign in.

We can verify this by using PowerShell:

Get-NetFirewallSetting -PolicyStore ActiveStore | Select-Object -ExpandProperty ActiveProfile

Now that we have that established, we can Enable Remote Desktop access in Windows Firewall. This is done using a simple Windows Firewall policy, were we only open it on the domain profile. I use the following settings:

Name: Enable RDP

Protocol: 6

Interface types: All

File path configured: %SystemRoot%\system32\svchost.exe

Edge traversal: Enabled

Network Types:  FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains.

Direction: The rule applies to inbound traffic.

Service Name: termservice

Local Port ranges: 3389

Action: Allow

Description: Remote Desktop Connection

When it is deployed to the device we can verify that the firewall is correctly configured using the Windows in Windows Defender Firewall with advanced security MMC as shown below.

Enable Remote Desktop

Settings catalog for the win! Easy to deploy the setting to enable Remote Desktop access using this setting.

Configure Remote Desktop Client to use “web account to sign in..”

This is an awesome feature which gives us the possibility to require MFA for example or whatever Conditonal Access rules we want to control access Remote Desktop. CA policies can be applied to the Microsoft Remote Desktop with ID a4a365df-50f1-4397-bc59-1a1564b8bb9c to control access to the remote PC when single sign-on is enabled.

More information can be found here: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-connection-single-sign-on

The user will get a single-sign on experience when connecting to the remote computer if signed in with the same user. This is an awesome experience and solution.

When connecting to the device as a different user the experience is just like login in using MFA for example in any Microsoft Entra application.

The post Enable RDP Access Only to the Enrolled by User in Windows Using Intune appeared first on CCMEXEC.COM - Enterprise Mobility.