Thursday, December 15, 2022

This blog has moved...

This blog has been migrated and modernized - you will automatically be forwarded to where all existing content has been imported and new content will be published.

Thank you for your patience and understanding during this migration!

Monday, December 12, 2022

The new multiple administrative approvals experience

Imagine a compromised administrative account going wild in your Intune environment. Wouldn't it be great to protect your configuration with a second factor, like MFA? Join me while I experience the new Multiple Administrative Approvals (MAA) feature for Intune which is out in public preview! 

By using Intune access policies we can require a second administrative account to approve changes before they are applied to the production environment. This may bring MFA (Multi-Factor Authentication) to mind, but let's welcome MAA (Multiple Administrative Approvals) instead.

Tuesday, December 6, 2022

HP Connect for Intune, Part2: BIOS Authentication

This is part 2 in my series of blog posts covering HP Connect for Intune. The first post covered how to get the BIOS patched to the latest release. Today I cover the BIOS authentication, which is an important aspect of managing, controlling and securing Windows devices. If the BIOS can be accessed without authentication, a local or remote user may be able to disable basic security features, perhaps introducing malware early into the startup process that Windows may not protect against.  

The ultimate goal is to have a security boundary covering all aspects from chip to cloud. A UEFI BIOS is the chip containing the hardware start-up code and many settings that should be secured prior to booting into a Windows operating system. We will manage BIOS security by limiting setting changes to users or administrators with knowledge of the authentication mechanism.

Please note: This is not a sponsored post!

Wednesday, November 30, 2022

The new Microsoft Store Experience

There is a new integration available between Microsoft Intune and the Microsoft Store for managing app installations from the cloud. This allows admins to easily browse, deploy and monitor applications. The new feature is powered by WinGet, the new Windows package manager. I will explore this new feature in this blog post.

Intune has for a long time been great at getting policies and apps onto devices. The challenge has been to get new applications ready for provisioning in Intune. With this new feature, Independent Software Vendors (ISVs) can publish and maintain their packages directly in this solution. This will ease the process and the burden of application management.

With direct access to the apps in Intune, they can quickly and easily be made available for user self-service through the Company Portal. This is perfect for locked-down environments where users have no local admin rights on their computers.

Thursday, November 24, 2022

Let Intune stimulate mobile updates

Mobile devices can be a challenging asset to manage and keep secure with their many variations in ownership, management and operating systems. This blog post will give you some ideas on how you can enforce a minimum version of the operating system on the mobile phones accessing the company's data in Microsoft 365.

The cell phone is for many users the edge of privacy where they can accept the company's administration. At the same time, it is important for the company to have control over its data and applications. 

An important prerequisite must be set by the organization: yes, users can have access to data, under defined conditions. One important security measure is to ensure updated software regardless of management mode. Let us dive into the condition of having updated operating systems on the mobile devices accessing company data.

Friday, November 11, 2022

Create AAD Licensing groups by Graph API

Group-based licensing in Microsoft 365 is not a new feature, but still a feature a lot of organizations are missing out on. Assigning licenses to groups instead of directly to users provides advantages related to automation, overview and more. Information about this is easily available online, but I have been missing an automated way of providing uniform groups for the purpose.

Assigning licenses to users by group membership in Azure Active Directory is consistently documented at Microsoft Learn and at several other online locations. The advantages of this are therefore not specifically mentioned in this blog post.

This blog post will focus on the creation of the groups in a uniform and automated way. Repeating manual tasks is not desirable in a larger environment. It leads to small differences and configuration drift. By automating, we arrive at a uniform standard platform as quickly as possible.

Thursday, September 29, 2022

Branding your tenant and managed endpoints

A clear brand builds identity and affiliation. Microsoft 365 and Endpoint Manager have a rich set of tools for customizing your brand into the products. This will look nice and integrated, and it will help the end users detect security attacks. Let's take a deep dive into the possibilities associated with branding your tenant and endpoints!

A brand is a name, term, design, symbol or any other feature that distinguishes one company's good or service from those of other companies. Brands are used for recognition, creating values and identification. A brand is the sum of all expressions by which an entity (person, organization, company, business unit, city, nation, etc.) intends to be recognized.

With a workforce spread all over the modern hybrid workplace, it is more important than ever to spread the love of the company's brand. This blog post will focus on how your brand can be incorporated into Microsoft 365 and all endpoints by Microsoft Endpoint Manager.

Friday, September 16, 2022

Building a MEMpowered LAB environment

In my early days as a consultant within Microsoft technologies, I had complete lab environments running as virtual machines on heavy workstation laptops. Through the years as I have migrated to a cloud-first philosophy, my lab environments have followed along. Working mainly with Microsoft 365 and Microsoft Endpoint Manager, my lab environments are now cloud based.

I still remember making the decision to move away from high-performance laptops hosting all my virtualized lab environments. Looking back at my first switch to a lightweight Surface, I don't regret it. The new lightweight devices powered by the cloud have been fantastic in my everyday work life. But I still need environments to test and verify technologies and ideas before putting them into production. This blog post will cover some ways to build lab environments for the cloud-based Microsoft solutions.

Friday, September 2, 2022

Unboxing: Philips P-Line 499P9H 49" DQHD SuperWide 32:

When spending hours, days, months and a lifetime in front of a computer, a good monitor is essential for the workplace. Personally I prefer large monitors with huge resolution to get enough space to work efficiently with Microsoft 365, Endpoint Manager, scripting and automation. Traditionally I have used 3 to 4 monitors lined up. I will now share my experience after migrating to one single superwide screen. Will it fulfill my needs and expectations out of the box, or do I need to do some hacks?

Please note: This is not a sponsored post!

The Philips 499P9H Hard Facts

The monitor I am installing is the Philips P-Line 499P9H 49" DQHD UltraWide 32:9 Curved, which is like two full-size QHD monitors in one with its 5120x1440 resolution. It has a built-in USB-C docking station and a pop-up webcam supporting Windows Hello!

Monday, August 15, 2022

Automating Teams voice reporting of users (2:2)

This is a follow-up on my last blog post covering automated Teams voice assignment for users. This time I will cover how the mentioned routine has been expanded to do reporting in Power BI to show evolution and distribution throughout the lifetime of the service.

After running my routine of automated voice assignment in Teams for a while, I felt the need to have an overview of the solution and how it evolved.

Monday, August 8, 2022

Automating Teams voice assignment for users (1:2)

In order to manage voice and phone number assignments in Microsoft Teams, you need at least the Teams Communications Administrator role. This role does, however, have more privileges than most organizations want to assign to their first-line staff. This blog post will cover a way for first-line staff to automate voice activation of users with the granularity necessary to cover several technologies such as Direct Routing and Operator Connect.

The main idea is to let first-line operators use the tools they have access to when managing users, without the need to acquire extra privileges.

By adding the Teams phone number in E.164 format to the user's telephoneNumber field in AD/AAD and adding the user as a member of a defined security group, I have enough information to automate the Teams voice assignment for the user. This could also include license assignment through the group membership.

Monday, August 1, 2022

Find where your colleagues are on a floor plan

Microsoft Search helps users find relevant content, the right answers or people. Search administrators use their knowledge of the organization and its users to make it easy for users to find the relevant content. This blog post will cover how you can prepare information about employees in order to place them on a floor plan for the office buildings. 

This type of setup is part of my mindset of using as many features as possible from the Microsoft 365 licenses, often triggered through configuration and maintenance of information which provides value throughout the product line.

This kind of functionality will add value when searching for colleagues in the office landscape, or even when searching for the closest meeting room.

Monday, July 25, 2022

Autopilot - Device deadlock between two tenants

After wiping a Windows 10 Autopilot device from Microsoft Endpoint Manager, we were welcomed to the correct tenant by name and logo. When signing in with a current licensed user, we got the message saying "That username looks like it belongs to another organization. try signing in again or start over with a different account". Time to troubleshoot!

The background for the wipe was to repurpose the device for a new user. 

Windows Autopilot is managed and maintained by Microsoft in a backend database that associates hashes with customer tenants. This time I got a schizophrenic device dealing with two tenants.