Implementing Windows LAPS with Azure AD

Marc-Andre Chartrand | SCCM

First announced at MS Ignite 2022 as Cloud LAPS, the now-rebranded Windows LAPS enables local admin password management for Azure AD and hybrid-joined devices, storing those passwords in Azure AD instead of the on-prem AD. This is a big win for remote users that are not connected to the VPN. You can also use Windows LAPS to back up the key to on-prem Active Directory instead of using the GPO, making the old LAPS obsolete. This blog post will only focus on doing the Windows LAPS backup to Azure AD. For more context, LAPS (Local Administrator Password Solution) was introduced by Microsoft in May 2015 and does just what the name suggests: it allows the management of the password of the local Administrator account on workstations, allowing all Windows PCs to have their own unique local admin password by storing it in the computer’s Active Directory object. …

Create Adobe Photoshop Intune package for mass deployment

Jonathan Lefebvre | Intune

Application packaging in Intune or SCCM is one of the jobs that can frequently create headaches. For many years, Adobe products have been challenging to automate and deploy for MECM/Intune admins. Whether because of updates, licensing, or unclear instructions, it has always been a challenge for Adobe Creative Suite products. I was recently tasked to package Adobe Photoshop with Intune. To my pleasant surprise, Adobe now has a cloud admin console that makes that process a breeze compared to what was done before. In this blog post, we will detail how to generate a source installation for Adobe Photoshop using the Adobe Admin Console and deploy it using Intune. Requirements We will start by downloading the software from the Adobe website. Here are the high-level steps: Create Adobe Photoshop deployment package Adobe products need to match the architecture of the OS. 32-bit applications won’t work on 64-bit Windows …

How to manage Google Chrome with Intune

Jonathan Lefebvre | Intune

Google Chrome is one of the most widely used web browsers in the world. It is known for its speed, stability, and the wide variety of extensions that are available for it. As a result, many organizations have adopted Chrome as their default web browser. To manage Chrome on enterprise devices, Intune is a powerful tool that can be used to deploy and manage policies. In this blog post, we will discuss how to manage Google Chrome with Intune. With the increasing popularity of Intune, and the ability to replace Group Policy with Device Configuration, one area needs a bit more work to be managed. Third-party applications that support the GPO model can be used with Intune by importing the ADMX from the vendor. This is the case for Google products, especially Google Chrome. We will demonstrate how to manage Google Chrome by importing Google’s ADMX for a similar approach as …

Deploy Win32 Apps with Intune

Benoit Lecours | Intune | 5 Comments

Since September 2019, it’s possible to distribute Win32 applications using Microsoft Intune. Before that, this was a major show-stopper to going full MDM for Windows 10 devices for many companies, which would keep using SCCM/MEMCM to fulfill this duty. In this post, we will detail how to deploy Win32 Apps with Microsoft Intune. We’ll deploy Google Chrome with the MSI installer as an example. Understanding the Basics: First, let’s define what a Win32 application is. Win32 applications are traditional desktop applications that run on Windows operating systems. With the increasing trend towards cloud management, organizations are looking for ways to manage Win32 apps from the cloud, which is where Intune comes in. Microsoft Intune is a cloud-based device management platform that enables organizations to manage devices, apps, and data. With Intune, IT administrators can manage and distribute Win32 applications to Windows 10/11 devices. There are several benefits to deploying Win32 applications with Intune, …

Getting started with Microsoft Intune

Benoit Lecours | Intune, SCCM | 4 Comments

If you have been following the SCCM community for the past months, you’ve been hearing a lot about comanagement, cloud management gateway, cloud distribution point, and Intune. You may also hear that SCCM is dying and that Intune is your only path in the near future to manage your company devices. The good news is that SCCM is not dead; in fact, it’s been rolling out new features quarterly in the past 3 years thanks to the new servicing model, and the product group is not slowing down. The bad news is that… well, there’s no bad news… but as a sysadmin, you have a steep learning curve if you’ve not been following the “sccm intune modern management” storm from past months. In this blog post, we will go over the basics to start with Microsoft Intune. It supports Windows and a variety of devices. You may wonder why would …

How to enable SCCM Co-Management

Benoit Lecours | Intune, SCCM, Windows 10 | 11 Comments

With the release of SCCM 1710, one of the key new features is the SCCM Co-Management possibility with Microsoft Intune. Comanagement enables some interesting features like conditional access, remote actions with Intune, and provisioning using AutoPilot. You can decide which feature is managed by which platform (SCCM or Intune). This is great to slowly phase into Intune. There are two main paths to reach co-management: Windows 10 and later devices that are managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune; or Windows 10 devices that are enrolled in Intune and then installed with the Configuration Manager client. We will describe how to enable co-management and enroll an SCCM-managed Windows 10 device into Intune. SCCM Co-Management Prerequisites: SCCM 1710 or later; Azure AD subscription; EMS or Intune license for all users; Azure AD automatic enrollment enabled. Following our blog post, only configure Azure AD. Do not follow instructions …

Import Windows Devices for AutoPilot in Microsoft Endpoint Manager

Benoit Lecours | Intune | 13 Comments

Windows Autopilot is a solution that allows you to set up and pre-configure Windows devices for your environment using Azure and Endpoint Manager. The goal of Autopilot is to reduce the OS deployment complexity. If done correctly, a user logs on to an out-of-box computer with his AAD user account, and applications and configurations get deployed. All that with minimum infrastructure requirements. If you are new to Autopilot, we have a post that describes every step you need to do to get started. Autopilot has its flaws but it’s improving very fast. One of those flaws was that device importation was made from the Windows Store for Business or the Microsoft Partner Center. Those days are over since you can now import your device directly from Endpoint Manager. Endpoint Manager Autopilot device import: Launch Endpoint Manager. Select Device / Enroll Devices / Windows enrollment. In the Windows Autopilot …

How to use Microsoft Defender for Endpoint antivirus security with Intune

Jonathan Lefebvre | Intune

Microsoft Defender has come a long way since the first few releases to become a leader in all things security-related. What was originally a standard antivirus solution has evolved into a full product suite. If you are looking to configure Microsoft Defender (Endpoint Protection) with Configuration Manager, see our guide that is available in our shop. This post will focus on configuring Microsoft Defender for Endpoint Security Antivirus by using Intune. Prerequisites: Windows 10 or Windows 11. Aside from the various Intune licensing options you’ll need to manage your devices, there are no other requirements to use this feature. Create Microsoft Defender for Endpoint antivirus security profiles: Connect to the Endpoint portal. Browse to Endpoint Security / Antivirus. Click Create Policy. At this point, the Antivirus policies are split into 3 distinct sections. Microsoft Defender Antivirus: this will essentially manage the core features. Microsoft Defender Antivirus Exclusions: this will be the various …

Manage Android devices without GMS using Microsoft Endpoint Manager

Eswar Koneti | EMS, Intune

I was recently helping out a customer who wanted to manage Android mobile devices using Endpoint Manager for users in China. What is different between managing Android mobile devices for users in China and outside of China? There is a significant difference, and it is due to the services available on an Android mobile device that are required for managing the devices using Microsoft Intune. Microsoft Endpoint Manager provides 2 ways of protecting mobile devices, which are MAM-WE (application management without enrollment) and device enrollment (MDM). Following are some of the major differences between MDM and MAM (app protection policies):

MDM (Mobile Device Management) | MAM (Mobile Application Management)
Enroll devices | Publish apps
Provision settings, certs, profiles | Configure and update apps
Auto install apps | Secure corporate data within mobile apps
Report and measure device compliance | Report app inventory and usage
Remove corporate data | Remove corporate data
Reset device | Remote wipe (Corporate …

How to use Windows Update for Business with Intune

Jonathan Lefebvre | Intune

Windows Update for Business is one of the new things Microsoft proposed along with Windows 10. It has come a long way since its release. Even if it isn’t perfect yet, and doesn’t give all the flexibility that ConfigMgr (MEMCM) offers when managing monthly updates or feature releases, for many small/medium businesses it brings a simpler approach to patching and keeping Windows 10 up to date. In this post, we will detail how to configure Intune Windows Update for Business to patch Windows 10 devices managed by Intune. Pre-requisites: Windows 10 must be managed by Intune. If Windows 10 is being co-managed with ConfigMgr (MEMCM), make sure the slider for Software Update is set to Intune. Intune Windows Update Business – Update rings strategy: Depending on multiple factors, the key for Windows Update for Business to be successful is to define the various update rings for your enterprise. Here, no magic …