Posts

Showing posts from August, 2021

The curious case of Group Policy Event ID 1129

I recently worked on setting up a startup script GPO policy for installing the ConfigMgr agent and almost immediately I started noticing issues with it. This seemed a bit odd as I had used the same script and setup in another environment and there were no issues. It was time to do a deep dive and, after checking the relevant permissions for the script and the network share, I moved my focus to the event logs. I noticed event IDs 1129 followed by 1130. Event ID 1129 translates to - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator. What can cause this error? According to Microsoft, the error can be caused due to the following reasons - 1. The Netlogon service...

Creating custom Network Indicator rules in Defender for Endpoint

Picking up from my last post that covers details on enabling & creating a Web Content Filtering rule in Defender for Endpoint, I will now cover the process for creating custom network indicator rules that can be used to supersede the Web Content Filtering categories. What are Indicators anyway? Defender for Endpoint can block malicious IPs/URLs through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser based on Microsoft's own threat intelligence data. By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your organization's own threat intelligence. What are the pre-requisites for Indicators? Before one can go about setting up the rules, the following pre-requisites must be met. 1. Network Protection to be enabled in block mode. 2. The Antimalware client version must be 4.18.1906.x or later. 3. Supported on machines on Windows 10,...

How to enable and configure Web Content Filtering within Microsoft Defender for Endpoint

So here is the situation. You access Microsoft Defender 365 Portal to enable Web Content Filtering, only to find out it is missing. What do you do? Well, this is because at the time of writing this blog post, Web Content Filtering is still in Preview and in order to enable it, you first need to enable the Preview features in Defender. To turn on the preview experience setting, 1. Navigate to Microsoft 365 Defender Portal > Settings > Endpoints > Advanced features > Preview features. 2. Toggle the setting between On and Off and select Save preferences. Once you have enabled the Preview features, you should see Web Content Filtering listed shortly. In my experience, it can take 15-20 minutes to show up. When it does, just go under Endpoint > Advanced features again and turn it on. Refresh the page and you should see Web Content Filtering listed under Endpoint > Rules. Now that we have got the feature enabled, let's see what this feature is all about and ho...

Fixing DMA requirement for silent and automatic BitLocker encryption for Dell models

Last year, I had blogged about addressing the DMA requirement for Lenovo devices. This time I am covering the same requirement for Dell models using MDT. I recently did an MDT implementation and as part of the requirements, Dell devices needed to be BitLocker encrypted. Nothing unusual about it, except some models refused to get encrypted. Having dealt with a similar issue in the past with Lenovo devices, I immediately checked the event viewer logs and details in System Information. As suspected, the issue turned out to be untrusted DMA buses. Dell has provided the solution, which needs to be put in an automated process. This is how you can go about it. The solution involves 2 steps – 1. Set Permissions to take ownership of the DmaSecurity registry key. 2. Import the Add_AllowedBuses.reg containing the Bus classes provided by Dell. Set Permissions I created an application containing the SetACL.exe utility and the .bat file to give ownership and full rights to 'Everyo...

Configure the Enterprise Site List mode the modern way

I recently had to deal with a requirement where websites (mostly legacy web apps) designed and compatible to run on IE versions 10 and older needed to be allowed to run on Edge Chromium. That is when I stumbled on Enterprise Mode, which allows rendering websites using a modified browser configuration, designed to emulate legacy versions of Internet Explorer. Using Intune, I am going to cover the process of creating an Enterprise Mode Site List Manager containing website URLs along with specific render modes and the configuration of Microsoft Edge browser. Create the Enterprise Mode Site List XML Download the EMIESiteListManager.msi and install it. Click on the Add button, which will allow you to add URLs along with the relevant Compat Mode and Open In. For Open In, when you choose None, the URL is allowed to open in Internet Explorer and Edge. Choose IE11 to force the URL to open in IE or choose MSEdge to open the URL in Edge. Since my requirement is...