Posts

Showing posts from July, 2021

ConfigMgr CB Update & High Availability Groups Failover Pre-requisite

Image
If you have HA setup to use SQL Server Always on availability group, then this blog may just help you. Recently, I needed to perform a Current Branch update in ConfigMgr to 2010 and as part of the preparation, I ran the pre-requisite checker. Almost immediately it threw an error pointing to Failover Availability group not being in correct state . This is a customer's environment so I was only getting to know the specifics of the configuration. That is the beauty of the pre-requisite checker in ConfigMgr, it flags up such issues and allows you to address and correct them before installing the actual update. In order to fix the issue, one needs to switch the Failover from Automatic to Manual against the Availability Group . According to Microsoft , this is needed when installing ConfigMgr updates. Also, as far as I know, this is also needed when performing any kind of site maintenance. After the change was made in SQL, I ran the pre-requisite checker again and everything passed wit...

Intune and Google's Cloud Device Policy Controller (DPC)

Image
Recently, I was looking at some compliance reports for Android enrolled devices in Intune and Google's Cloud DPC caught my attention.  This got me curious and while researching I realized that there is very little documentation available in relation to Google's Cloud DPC and Intune so I decided to blog about it. Before we dive into it, lets see how DPC fits in Enterprise Mobility Management (EMM) model first. An Android Enterprise solution is a combination of three components: EMM console, Android Device Policy, and managed Google Play. EMM console EMM solutions typically take the form of an EMM console—a web application you develop that allows IT admins to manage their organization, devices, and apps. To support these functions for Android, you integrate your console with the APIs and UI components provided by Android Enterprise. Android Device Policy All Android devices that an organization manages through your EMM console must install Android Device Policy during setup. Andr...

Implementing App protection policies using Tier based Data Protection Framework

Image
If you are managing your mobile devices using Intune or another MDM, then you should look at implementing App protection policies (APP), also known as MAM. APP are rules that ensure an organization's data remains safe or contained in a managed app. The APP policy gets enforced when a user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. When configuring App Protection Policies, there are a number of settings and options available which can become overwhelming. To make it easier for organizations to implement APP, Microsoft has broken down the APP policies in form of a Tier based framework for mobile app management. Level 1 enterprise basic data protection – This configuration replaces the need for basic Exchange Online device access policies by requiring a PIN to access work or school data, encrypting the work or school account data, and providing the capability to selectively wipe the schoo...

Enable and Configure Windows Defender Firewall rules using Intune

Image
If you’re managing your devices using Microsoft Intune, you may want to control your Windows Defender Firewall policy. A firewall controls what network traffic is allowed and not allowed to pass through ports. For regular devices like laptops and desktops, the firewall should allow very little inbound traffic. There is rarely any legitimate reason for other devices to connect to your device, or home network, unsolicited. Therefore, it's important to have Microsoft Defender Firewall switched on to protect your device from unauthorized access. As always, I am going to refer to a use case as I feel that is the best way of putting things in context. While working on an assignment, I noticed that an end user would receive Windows Defender FW prompt stating that some executables are getting blocked. These were related to an application called AS 400. At this point, I had not configured any FW rules to allow any Inbound or Outbound traffic, but soon realized that the FW was getting enab...

Proactive Remediation Scripts in Intune..the saga continues. Detect and delete a Windows Scheduled Task

Image
Just a couple of months back I had blogged about fixing Broken Device Sync using Proactive remediation scripts in Intune. Today I am going to cover a use case involving detecting a schedule task and deleting it using Proactive remediation scripts feature in Intune. A little background on the use case - If you have been working with Lenovo devices, then you may have come across Glance by Mirametrix pre-installed on some of the models. Glance uses the built-in camera to provide some security features like Presence Detection, Privacy alerts etc. However, the software can also result in intrusive behavior and cause disruption to end user's over all experience. A customer I recently worked with wanted to get rid of this software and part of the solution was to delete the Schedule task that is responsible for re-installing the software after the reboot. Head over to this link for more details. Coming to the solution - As you would know by now that for Proactive remediation scripts fea...