gerryhampsoncm.blogspot.com
Open in
urlscan Pro
2a00:1450:4001:82b::2001
Public Scan
URL:
http://gerryhampsoncm.blogspot.com/
Submission Tags: falconsandbox
Submission: On June 02 via api from US — Scanned from DE
Submission Tags: falconsandbox
Submission: On June 02 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
Gerry Hampson Device Management
SUNDAY, 14 MAY 2023
MANAGING LOCAL ADMINS ON AZURE AD JOINED DEVICES
We've been able to do this for quite some time. We've been able to add
individual users as local administrators on Azure AD joined devices. More
recently this has become a lot easier. We can now use Azure AD groups to manage
this. With Azure AD Premium P1 or P2, you can create a role-assignable group and
assign the Device Administrator roles to the group.
There are some additional considerations. Firstly, you can only configure a
group to be role-assignable when you create the group. You cannot change this
afterwards.
I've created a group called "Local admins test 1". See the configuration "Azure
roles can be assigned to the group". I've toggled this to yes.
We're told that we cannot change this setting after the group is created.
Next I've created a group called "Local admins test 2". This time I didn't
select that Azure roles can be assigned to the group.
You can see that this setting cannot be turned off after the group has been
created.
It can't be turned on either.
Now when I add an assignment to the Device Administrators role, only "Local
admins test 1" is available for selection.
Note that you must be a Privileged Role Administrators or Global Administrator
to create the group in the first place.
If you are not then the "Azure roles can be assigned to the group" option is not
available (you can't even see it).
Finally this option is only supported for Assigned groups.
Just for kicks I've selected Dynamic User.
However it automatically changes to Assigned and greyed out, once I toggle the
option to Yes.
I hope this helps. Until next time.......
Posted by Gerry Hampson at 17:01 No comments:
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: Azure Active Directory, Azure Active Directory Premium, Intune
SATURDAY, 18 FEBRUARY 2023
TIPS FOR ONBOARDING SERVERS TO DEFENDER FOR ENDPOINT
This week is all about Microsoft Defender for Endpoint (MDE). It's very easy to
onboard workstations (Windows 10/11) to MDE. Intune does that automatically for
you.
Navigate to Endpoint Security > Endpoint detection and response, create the
policy and assign to all devices.
There is a little more to do for servers as they are not supported for
enrollment in Intune.
First, how would you know if your server was already onboarded to MDE? Obviously
you could search for the server in the Microsoft 365 Defender portal, but how
can you tell on the server itself?
Look at the services. If the Windows Defender Advanced Threat Protection Service
(Service name: Sense) is Automatic and Running, then the server has been
onboarded. The screenshot above shows a server that has not been onboarded. The
behaviour and the onboarding steps are slightly different depending on the
server operating system.
Note: when you use Microsoft Defender for Cloud to monitor servers, they are
automatically onboarded to Defender for Endpoint. For this blog post, I'm
assuming you are not using Defender for Cloud.
Windows Server 2012R2
2012R2 servers do not include Defender Antivirus or Defender for Endpoint
natively. You must install the unified Defender solution on these servers.
Onboarding steps are as follows:
* Install the unified Defender client (this is downloaded from MDE portal).
This installs Microsoft Defender Antivirus and the EDR sensor. It creates the
Windows Defender Advanced Threat Protection Service. The service is not
started and is set to Manual.
* Install the unified Defender client update package (KB5005292 -
download here). This updates the EDR sensor, which communicates with MDE.
* Run the MDE onboarding script (this is downloaded from MDE portal). This
onboards the server to MDE. It starts the Windows Defender Advanced Threat
Protection Service and configures it to be Automatic.
Windows Server 2016
2016 servers natively include Defender Antivirus (as long as the Defender
feature is added) but not Defender for Endpoint. You must install the unified
Defender solution on these servers.
Onboarding steps are as follows:
* Verify that the Defender feature is added and updated. Defender must also be
turned on.
* Run updateplatform hotfix (download here from Microsoft Malware Protection
Center (MMPC)). This updates Defender to the latest version.
* Install the unified Defender client (this is downloaded from MDE portal).
This installs the EDR sensor. It creates the Windows Defender Advanced Threat
Protection Service. The service is not started and is set to Manual.
* Install the unified Defender client update package (KB5005292 -
download here). This updates the EDR sensor, which communicates with MDE.
* Run the MDE onboarding script (this is downloaded from MDE portal). This
onboards the server to MDE. It starts the Windows Defender Advanced Threat
Protection Service and configures it to be Automatic.
You will get this error if you don't update the platform before you install the
unified Defender client.
Please update Windows Defender Antivirus (KB4052623) to the latest version.
Windows Server 2019 (and 2022)
These servers already include Defender AV and the EDR sensor. The Windows
Defender Advanced Threat Protection Service already exists but is not running
and is set to Manual.
There is one onboarding step:
* Run the MDE onboarding script (this is downloaded from MDE portal). This
onboards the server to MDE. It starts the Windows Defender Advanced Threat
Protection Service and configures it to be Automatic.
The steps above can be automated using your server management solution.
You've now onboarded the server and the Windows Defender Advanced Threat
Protection Service is running. Where can you see the onboarding details?
You need to look in the registry. Navigate
to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SenseCM. Here you can see the Tenant ID
and enrollment status. You should see EnrollmentStatus = 1.
I hope this helps. Until next time......
Posted by Gerry Hampson at 17:22 1 comment:
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: Defender, DefenderforEndpoint, Intune, MDE
WEDNESDAY, 8 FEBRUARY 2023
INTUNE APP INSTALL FAILED - AN APP UPDATE IS AVAILABLE 0X87D13B9F
I'm working on an iOS management solution for a customer this week involving the
integration of Apple Business Manager and Intune. I also integrated Apple VPP
with Intune for the deployment of volume purchased apps. Everything was working
well until I noticed that some apps were failing. Microsoft Teams and Microsoft
OneDrive has reported as Failed (big red icon) in the Intune console, with this
error:
"An app update is available. Available apps can be updated using Company Portal
and required apps will auto-update on device sync. (0x87D13B9F)".
This wasn't quite right. The apps had installed, but Intune was telling me that
there was a new version available. I didn't like the red "failed" icon so I
wanted to fix it.
In Apple Business Manager I had a look at Teams and could see that a new version
had just been published.
I had configured the VPP token in Intune to automatically update apps, so why
did it fail? You can find the answer in the Microsoft docs.
"By default, Intune syncs with the Apple Business Manager service twice a day".
Therefore the latest version of the app wasn't yet available in Intune. I could
just have waited for the automatic sync and this would have just resolved
itself.
A manual sync of the VPP token does the trick.
The new version was automatically installed and reported successful.
This Microsoft doc has further information.
"When updating a VPP app, it can take up to 24 hours for the device to receive
the updated VPP app".
This is more an annoyance than an error, especially when you are doing customer
demonstrations, but it is easily solved.
I hope this helps. Until next time.....
Posted by Gerry Hampson at 15:00 No comments:
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: Apple Business Manager, Intune, iOS, VPP
MONDAY, 6 FEBRUARY 2023
REMOVE PRE-INSTALLED HP SOFTWARE DURING AUTOPILOT
This was a task I was given by a customer recently. They wanted all the
pre-installed HP software removed when provisioning HP ProBook 450 G8 laptops
using Autopilot and Intune. As I like to tell customers, "if you can script it
you can do it with Intune".
This was the list:
1. HP Connection Optimizer
2. HP Documentation
3. HP ICS
4. HP Notifications
5. HP Security Update Service
6. HP Support Assistant
7. HP Wolf Security
1. HP Connection Optimizer
This one is a little tricky and requires the help of an answer file. I got a
little help from Reddit
Create an InstallShield answer file. Copy the text to Notepad and save as .iss
file (I called it HPConnOpt.iss)
[InstallShield Silent]
Version=v7.00
File=Response File
[File Transfer]
OverwrittenReadOnly=NoToAll
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-DlgOrder]
Dlg0={6468C4A5-E47E-405F-B675-A70A70983EA6}-SdWelcomeMaint-0
Count=3
Dlg1={6468C4A5-E47E-405F-B675-A70A70983EA6}-MessageBox-0
Dlg2={6468C4A5-E47E-405F-B675-A70A70983EA6}-SdFinishReboot-0
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-SdWelcomeMaint-0]
Result=303
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-MessageBox-0]
Result=6
[Application]
Name=HP Connection Optimizer
Version=2.0.18.0
Company=HP Inc.
Lang=0409
[{6468C4A5-E47E-405F-B675-A70A70983EA6}-SdFinishReboot-0]
Result=1
BootOption=0
I copied the answer file to Azure storage and generated a shared access
signature so that the file could be downloaded from anywhere.
Next is the script (UninstallHPConnOpt.ps1)
invoke-webrequest -uri
"https://xxx.blob.core.windows.net/autopilot-scripts/HPConnOpt.iss?MySharedAccessSignature"
-outfile "C:\Windows\Temp\HPConnOpt.iss"
&'C:\Program Files (x86)\InstallShield Installation
Information\{6468C4A5-E47E-405F-B675-A70A70983EA6}\setup.exe' @('-s',
'-f1C:\Windows\Temp\HPConnOpt.iss')
The script downloads the answer file and copies to C:\Windows\Temp. It then
executes setup.exe for HP Connection Optimizer and calls the answer file. This
uninstalls the app.
To deploy the solution via Intune, copy the script and answer file to a folder.
Then create a Win32 app which results in a .IntuneWin file containing both
files.
2. HP Documentation
This one is a bit more straightforward. The script sets the location to
"C:\Program File\HP\Documentation" and then runs the uninstall command.
Set-location "C:\Program Files\HP\Documentation"
.\Doc_uninstall.cmd
Upload the script to Intune and assign to a group.
3. HP ICS
They're getting easier
$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'ICS'
$Prod.UnInstall()
Upload the script to Intune and assign to a group.
4. HP Notifications
This one is the same format.
$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'HP
Notifications'
$Prod.UnInstall()
5. HP Security Update Service
Same format again.
$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'HP
Security Update Service'
$Prod.UnInstall()
6. HP Support Assistant
This one is a little different. It's an appx installation. Nicolaj Andersen has
an excellent script for removing unwanted built-in appx apps during
provisioning, except those that you explicitly whitelist. The script will remove
the HP Support Assistant.
7. HP Wolf Security
Same format as before
$Prod = Get-WMIObject -Classname Win32_Product | Where-Object Name -Match 'HP
Wolf Security'
$Prod.UnInstall()
These are the settings you need when you are deploying your scripts with Intune.
I hope this helps you and saves you time if have the same task.
Until next time......
Posted by Gerry Hampson at 15:31 2 comments:
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: Intune, MEM, MSIntune
MONDAY, 2 JANUARY 2023
SILENTLY INSTALL TEN TOP WIN32 APPS WITH INTUNE
We've heard a lot about Winget and the Windows Package Manager recently. However
we'll still need to be able to deploy Win32 apps via Intune for the foreseeable
future, especially during an Autopilot process. This blog post isn't about using
the Win32 Content Prep tool to convert apps into the intunewin format. It's
about the research I carried out to understand how to install ten top apps (with
a focus on the financial sector) silently and to detect them afterwards. This
research can take a while so I thought it might save others some time.
Edit the installation command with your executable name. Note that I've used the
presence of a file as my detection method for many of the apps. You can be more
specific with this rule by configuring a file version if that's what you need.
Bloomberg Terminal:
Provides coverage of markets, industries, companies and securities across all
asset classes.
Download the latest “Bloomberg Terminal” installer
* Silent install: sotr102_5_80.exe /s maindir=“C:\blp\” conn_type=Private
* Detection (file or folder exists): C:\blp\Wintrv\wintrv.exe
Refinitiv FXall:
Formerly Reuters, a complete end-to-end solution for your FX trades
There is one additional consideration with this application. A response file
must be generated in order to install it silently. Generate the response file by
running this command (as administrator):
Refinitiv-FXall-Setup.exe -r installer.properties
The installation wizard launches. Follow the wizard to the end. This installs
the application and creates the response file. This file must be saved in the
same folder as the EXE when the app is being converted to a .Intunewin file.
* Silent install: Refinitiv-FXall-Setup.exe -i silent
* Detection (file or folder exists): C:\Program Files\Refinitiv\Refinitiv
FXall_\7.9.0.53\Refinitiv FXall_.exe
Anaconda:
Anaconda Distribution is the world’s most popular open-source Python
distribution platform. Download
* Silent install: Anaconda2-4.2.0-Windows-x86_64.exe /InstallationType=AllUsers
/S /D=C:\Program Files\Anaconda2
* Detection (file or folder exists): C:\Program Files\Anaconda2\pythonw.exe
Morning Star Direct:
Morning Star Direct is an investment & portfolio analysis software, which gives
you the tools to build strategies and products.
Morning Star Direct is a pretty straightforward installation as it is MSI based.
However there are two additional consideration here.
* Firstly, the Morning Star Direct application forces a reboot, which happens
automatically and without warning. We have to use the parameter
REBOOT=ReallySuppress to prevent that. A reboot is still required to complete
the installation but the user is notified to restart.
* Secondly, there are two installations.
* The Morning Star Direct prerequisites can be downloaded from here
* The Morning Star Direct application can be downloaded here
* The Prerequisites app has to be added as a dependency for the Morning Star
Direct application and is installed first.
* Silent install: msiexec /i "prerequisite.msi" /qn
* Detection : MSI {7FA41A52-1D83-4C2D-A432-475AA3F7881B}
* Silent install: msiexec /i "direct.msi" /qn REBOOT=ReallySuppress
* Detection: MSI {D9C2A982-D2E0-4E83-B8FD-8E7B8160EBA2}
SQL Server Management Studio:
This app was developed by Microsoft and is used for configuring, managing, and
administering all components within Microsoft SQL Server. It can be
downloaded here
* Silent install: SSMS-Setup-ENU.exe /quiet
* Detection (file or folder exists): C:\Program Files (x86)\Microsoft SQL
Server Management Studio 18\Common7\IDE\Ssms.exe
Visual Studio Code:
Visual Studio Code is a lightweight but powerful source code editor. Download
* Silent install: VSCodeSetup-x64-1.74.2.exe /silent
* Detection (file or folder exists): C:\Program Files\Microsoft VS
Code\Code.exe
Power BI Desktop:
Get a 360° view of your business data and quickly connect, shape, visualize, and
share data insights through Power BI. Download
* Silent install: PBIDesktopSetup_x64.exe -s ACCEPT_EULA=1
* Detection (file or folder exists): C:\Program Files\Microsoft Power BI
Desktop\bin\PBIDesktop.exe
Adobe Reader:
This app can be downloaded here
* Silent install: AcroRdrDC2200320258_en_US.exe /sALL /rs /msi EULA_ACCEPT=YES
* Detection (file or folder exists): C:\Program Files (x86)\Adobe\Acrobat
Reader DC\Reader\AcroRd32.exe
Sophos Antivirus:
This app can be downloaded here
* Silent install: SophosSetup.exe --quiet
* Detection (file or folder exists): C:\Program Files\Sophos\Sophos UI\Sophos
UI.exe exists
Remote Help:
Remote help is a premium add-on application that works with Intune and enables
your users to get assistance when needed over a remote connection.
Remote help must be installed on each device before that device can be used to
participate in a remote help session. You can download the latest version of
remote help directly from Microsoft
* Silent install: remotehelpinstaller.exe /quiet acceptTerms=1
* Detection (file or folder exists): C:\Program Files\Remote
help\RemoteHelp.exe
-----------------------------------------------------------------------------------------------------------------------
That's it, that was the ten apps that I recently had to deploy via Intune for a
financial services customer. I hope you find it handy if you need to work with
one of them. It was difficult to get this information for some of the apps as
the enterprise installation documentation was only available with a support
contract.
Until next time.....
Posted by Gerry Hampson at 20:31 No comments:
Email ThisBlogThis!Share to TwitterShare to FacebookShare to Pinterest
Labels: EMS, Intune, Win32
Older Posts Home
Subscribe to: Posts (Atom)
TOTAL PAGEVIEWS
3593188
ABOUT ME
Gerry Hampson Senior Consultant, Ergo Group. Microsoft MVP in Enterprise Client
Management. Specialist in Microsoft implementations. View my complete profile
VIDEO TRAINING COURSE
VIDEO TRAINING COURSE
VIDEO TRAINING COURSE
VIDEO TRAINING COURSE
PUBLISHED BOOK
PUBLISHED BOOK
SPEAKING EVENTS
* Workplace Ninja (Lucerne, Switzerland) 12th - 14th September 2022
* Techmentor Orlando 15th - 19th November 2021
* System Center User Group Sweden (6th October 2020)
* Workplace Ninja 2020 (25th August 2020)
* Microsoft 365 Virtual Marathon
* WMUG London Port-Ignite Modern Management (20th Jan 2020)
* SCUGDK Copenhagen (30th August 2019)
* WMUG @ Reactor 1908 (21st August 2019)
* MMS 2019 (6th May 2019)
* Goodbye Windows 7, Hello Windows 10 (11th March 2019)
* Lowlands Unite Belgium (7th Nov 2018)
* WMUG - Being modern and doing management (30th Oct 2018)
* MMS 2018 (14th May)
* WMUG event with DJam 16th October 2017
* WMUG event 21st August 2017 with Wally Mead (London)
* WMUG event 21st April 2017 - Windows 10 and Azure Cloud
* Microsoft IT Innovation Series event 15th June 2016 - Protect the data you
own, on the devices you don’t. Learn more about Microsoft Enterprise Mobility
* WMUG Event 31st March 2016 - Configuration Manager and the Cloud
* Webinar 10th Feb 2016 - 5 really cool features of Configuration Manager with
Intune
* Microsoft IT Innovation Series 2nd December 2015 - What’s new in Windows 10
Enterprise
* WMUG User Event 24th August 2015 - Enterprise Client Management for the
Modern World
RSS SUBSCRIBE
LABELS
* 1511 (14)
* 1602 (3)
* 1610 (3)
* 1706 (1)
* 1803 (1)
* 1810 (1)
* 1909 (2)
* 1E (6)
* 2002 (1)
* Activation (1)
* ADK (7)
* Android (10)
* Apple (4)
* Apple Business Manager (1)
* AutoPilot (8)
* Azure (30)
* Azure Active Directory (3)
* Azure Active Directory Premium (14)
* Azure AD (2)
* Azure AD Premium (7)
* Azure Monitor (1)
* Azure Storage (1)
* Backup (2)
* Baseline (1)
* BitLocker (5)
* Book (1)
* CD.Latest (2)
* CDP (2)
* Cloud App Discovery (1)
* Cloud Distribution Point (2)
* Cloud Management Gateway (14)
* CMG (14)
* co-management (2)
* comanagement (2)
* Conditional Access (2)
* ConfigMgr (191)
* Configuration Manager (53)
* CSI (5)
* CSP (3)
* Current Branch (27)
* Defender (4)
* DefenderforEndpoint (2)
* Direct Access (10)
* EA (1)
* Easy Setup (2)
* EBF (1)
* EMS (76)
* Endpoint Analytics (1)
* Endpoint Manager (6)
* Endpoint Protection (10)
* enrollment (1)
* Enterprise Mobility Suite (68)
* Flexera (1)
* FSLogix (2)
* HAADJ (2)
* hybrid (1)
* Imaging (9)
* in place upgrade (1)
* Intune (126)
* iOS (9)
* kiosk (1)
* language pack (1)
* LAPS (1)
* Linux (5)
* M365 (3)
* MAM (27)
* Management Point (2)
* Mandatory Profile (1)
* MBAM (8)
* MDE (2)
* MDM (65)
* MDT (8)
* MEM (25)
* MEMCM (2)
* Microsoft Endpoint Manager (14)
* Migration (2)
* Mobile Application Management (32)
* Mobile Device Management (77)
* MSIntune (3)
* Nomad (5)
* OMS (1)
* On premise MDM (3)
* OSD (2)
* PoSH (1)
* Power BI (1)
* PowerShell (7)
* PXE (1)
* R2 (44)
* Recovery (1)
* Restore (1)
* Rights Managment (6)
* RMS (4)
* SaaS (3)
* SCCM (186)
* SCEP (9)
* search (1)
* Secunia (7)
* Service Connection Point (2)
* Software Updates (5)
* SQL (4)
* Sysprep (1)
* System Center (11)
* System Center 2012 (143)
* Telemetry (1)
* Third Party patching (4)
* Upgrade (2)
* Upgrade Readiness (1)
* VPN Profile (1)
* VPP (2)
* WAIK (2)
* WiFi Profile (2)
* Win32 (1)
* Windows 10 (25)
* Windows 7 (4)
* Windows 8 (9)
* Windows 8 Phones (16)
* Windows Defender ATP (2)
* Windows Virtual Desktop (7)
* Windows10 (1)
* Windows11 (1)
* WMUG (2)
* WoL (2)
* WSfB (3)
* WSUS (1)
* WVD (9)
* Zebra (1)
BLOG ARCHIVE
* ▼ 2023 (5)
* ▼ May (1)
* Managing local admins on Azure AD Joined devices
* ► February (3)
* ► January (1)
* ► 2022 (11)
* ► December (2)
* ► October (1)
* ► September (2)
* ► August (1)
* ► June (2)
* ► March (1)
* ► February (2)
* ► 2021 (8)
* ► November (1)
* ► October (1)
* ► September (1)
* ► August (1)
* ► June (1)
* ► May (1)
* ► March (1)
* ► February (1)
* ► 2020 (25)
* ► December (1)
* ► November (2)
* ► October (2)
* ► September (1)
* ► August (2)
* ► July (1)
* ► June (1)
* ► May (4)
* ► April (5)
* ► March (4)
* ► February (2)
* ► 2019 (16)
* ► December (2)
* ► November (1)
* ► October (1)
* ► September (1)
* ► July (3)
* ► May (3)
* ► April (2)
* ► March (1)
* ► January (2)
* ► 2018 (15)
* ► December (3)
* ► October (1)
* ► September (2)
* ► August (1)
* ► July (1)
* ► June (1)
* ► May (1)
* ► February (3)
* ► January (2)
* ► 2017 (17)
* ► November (1)
* ► October (1)
* ► September (1)
* ► August (5)
* ► May (2)
* ► April (3)
* ► March (2)
* ► January (2)
* ► 2016 (29)
* ► December (1)
* ► November (3)
* ► October (2)
* ► September (2)
* ► August (2)
* ► July (2)
* ► June (1)
* ► April (4)
* ► March (3)
* ► February (2)
* ► January (7)
* ► 2015 (70)
* ► December (10)
* ► November (3)
* ► October (5)
* ► September (4)
* ► August (2)
* ► July (7)
* ► June (5)
* ► May (9)
* ► April (6)
* ► March (8)
* ► February (1)
* ► January (10)
* ► 2014 (64)
* ► December (5)
* ► November (8)
* ► October (1)
* ► September (2)
* ► August (6)
* ► June (5)
* ► May (4)
* ► March (13)
* ► February (8)
* ► January (12)
* ► 2013 (102)
* ► December (2)
* ► November (6)
* ► October (9)
* ► August (21)
* ► July (9)
* ► June (4)
* ► May (10)
* ► April (6)
* ► March (11)
* ► February (21)
* ► January (3)
Awesome Inc. theme. Powered by Blogger.
Diese Website verwendet Cookies von Google, um Dienste anzubieten und Zugriffe
zu analysieren. Deine IP-Adresse und dein User-Agent werden zusammen mit
Messwerten zur Leistung und Sicherheit für Google freigegeben. So können
Nutzungsstatistiken generiert, Missbrauchsfälle erkannt und behoben und die
Qualität des Dienstes gewährleistet werden.Weitere InformationenOk