Always apply baseline to co-managed devices

Like the last couple of weeks, this week is also about co-management. This week is all about another nice detail that can be really useful, in specific use cases. That detail is the ability to always apply a configuration baseline to co-managed devices. Even when the Device configuration workload is switched from Configuration Manager to Microsoft Intune. That can be useful for configurations that are not available yet via Microsoft Intune, or for compliance checks that need to be performed and consolidated in one location. In this post I’ll provide a short introduction about the different configuration options, followed by the steps to configure a configuration baseline to co-managed devices when the workload is switched to Microsoft Intune. I’ll end this post with the end-results. …

Read more

Setting up kiosk mode on Windows 10 via OMA-DM

A while ago I did a blog post about managing AppLocker on Windows 10 via OMA-DM. During that post I showed how to use OMA-DM, via Microsoft Intune hybrid and standalone, to configure AppLocker. In this post I’ll do something similar for setting up kiosk mode on Windows 10. Windows 10 Enterprise and Windows 10 Education provide a configuration service provider (CSP) for setting up kiosk mode. That’s the AssignedAccess CSP. During this blog post I’ll go through the AssignedAccess CSP, and its required input, I’ll go through the configuration steps in Microsoft Intune hybrid and standalone and I’ll show the end-user experience with the Twitter app as an example. AssignedAccess CSP Before using the AssignedAccess CSP it’s good to get a better understanding  of …

Read more

Managing AppLocker on Windows 10 via OMA-DM

A while ago I did a blog post about managing Windows Defender of Windows 10 via OMA-DM. During that specific post I showed how to use OMA-DM, via Microsoft Intune standalone and hybrid, to configure Windows Defender. In this post I’ll do something similar for AppLocker. However, I have to admit that it was a bit more challenging for AppLocker. The main difference is that Windows 10 includes many different separate policy settings for Windows Defender, but provides a separate configuration service provider (CSP) for AppLocker. During this post I’ll show how to create the required AppLocker XML, what the AppLocker XML looks like, what the AppLocker CSP looks like and how to combine the AppLocker XML and the AppLocker CSP. I’ll end this post …

Read more

Windows Phone 8.1 and the Windows Phone Store

This blog post will be about the other magical store world of Windows Phone 8.1 and that’s the world of the Windows Phone Store. By now, I think many are already aware of the different possibilities for the Windows Phone Store, but I thought it would be time for a complete overview like I did for Windows Phone 8.1 and the Microsoft Intune Company Portal app. This post will contain the different scenarios for providing (limited) access to the Windows Phone Store. These scenarios will be explained for Microsoft Intune standalone and Microsoft Intune hybrid. Scenarios Now lets start with summarizing the different scenarios that are possible for providing (limiting) access to the Windows Phone Store. I found the following three scenarios and I’ll go …

Read more

Manage Windows Defender, of Windows 10, via OMA-DM

A couple of weeks ago I did a blog post about the different management options for Windows 8.1. In that specific post I already mentioned OMA-DM as a very valid method to manage Windows 8.1 and Windows 10 devices. To refresh the memories, OMA Device Management (OMA-DM) is an open management standard designed for mobile devices. The nice thing is that OMA-DM is also fully utilized in Windows 10, even the desktop version. That means that OMA-DM can be used to fully manage specific parts of a Windows 10 device. In this post I’ll show how OMA-DM can be used to fully manage Windows Defender in Windows 10. For Windows 10 it’s possible to manage all the settings available for Windows Defender. This includes everything, …

Read more

Windows Phone 8.1 and the Microsoft Intune Company Portal app

This blog post will be about the magical world of Windows Phone 8.1 and the Microsoft Intune Company Portal app. More specifically, about Windows Phone 8.1 and the two Microsoft Intune Company Portal apps. The Microsoft Intune Company Portal app of the Windows Phone Store and the Microsoft Intune Company Portal app deployed via either Microsoft Intune or ConfigMgr. Yes, I know there was recently a KB article released about the same subject. In this post I’ll go through more scenarios and I’ll go in more detail about the possible solutions and the pro’s and cons of those solutions. Scenarios Now lets start with summarizing the different scenarios that are possible with the combination of Microsoft Intune, ConfigMgr, Windows Phone 8.1 and the Microsoft Intune …

Read more

Updated Configuration Baseline and Hardware Inventory for Windows Phone 8.1

Microsoft has started with releasing the GDR2 update for Windows Phone 8.1. The good thing from a management perspective is that this update contains new management features. There are seven new additions to the PolicyManager configuration service provider (CSP). As I created the Windows Phone 8.1 configuration baseline and the Windows Phone 8.1 hardware inventory extension, I’ve updated both of them with these latest additions. This blog post will describe the newly added settings and a reminder about the download locations. Note: Another new feature that comes with the GDR2 update is bulk enrollment. Even though it’s not part of this post, I thought it’s definitely worth mentioning. For more information see the Windows Phone 8.1 MDM Protocol document. New settings The newly added settings …

Read more

Verify SSL Configurations of Site Roles via Compliance Settings in ConfigMgr 2012

This will be a short blog post about the locations in the registry where the SSL configurations are stored for the different site roles. This can be very useful in larger environments, with many sites, site systems and multiple administrators. These registry keys can be used as Configuration Items in a Configuration Baseline. This makes it easier to keep track of the SSL configuration of the environment. Registry Before providing the different locations, I think it’s good to note that the most site roles simply use 0 or 1 as values for a SSL configuration. Exceptions on this are the management point and the distribution point. These site roles can have different values based on the connection configuration (intranet and Internet, intranet-only, Internet-only) and CRL …

Read more

Installing Windows Features via Compliance Settings in ConfigMgr 2012

This weeks’ post will be about Installing Windows Features via Compliance Settings. In most cases the normal route for installing Windows Features will be the application model But what if checking for the installation of a Windows Feature is part of a Configuration Baseline, is it than possible to make the installation of a Windows Feature also part of the baseline? The answer to this question is, yes. In my case, I have a Windows 8.1 Configuration Baseline and one of the Configuration Items in the baseline checks for the installation of the Telnet Client. When the Telnet Client is not installed a script will start to remediate that by installing the Telnet Client. This way I get the complete compliance of a device, to …

Read more

Allow Direct Installation of Windows 8 Apps via Compliance Settings in ConfigMgr 2012

This weeks’ post will be about Allowing Direct Installation of Windows 8 Apps via Compliance Settings and can be seen as either a stand-alone post as well as a follow-up on my last post about Deploying Certificate Profiles with ConfigMgr 2012 . As there are two real requirements to deploy Windows 8 Apps: The Certification Authority (CA), that is used to sign the App, is trusted by the Windows 8 device. Allow Direct Installation of Windows 8 Apps is configured on the Windows 8 device. Of course these settings are configurable via Group Policies (as described in this post ), but, to use Group Policies, the device needs to be a member of the domain. So when either the device isn’t domain joined, or the …

Read more