In this blog post, we will see how to use Microsoft Intune to disable the firewall and network protection notifications that pop up on Windows 10 workstations. A use case could be POS devices where you need to disable/hide all notifications. We are not disabling the firewall itself, ONLY its notifications. To disable the firewall and network protection notifications using Microsoft Intune, we will use a configuration service provider (CSP). A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. For supported CSPs, please refer to Configuration…
Author: Eswar Koneti
This is a quick blog post on how to create a device collection for computers that are online and showing the green checkmark. When a Configuration Manager client is installed, it will have the following status code indicating the device. For more information about device client status, please refer here. How do we create a collection for clients that are online? Collections use WQL, and the following is the WQL syntax you can use to create the collection. We will use the WMI class called SMS_CollectionMemberClientBaselineStatus, which has the client online status information. This information comes from the client notification that uses the BGB/fast channel. This collection uses a sub-selected query. select…
I had provisioned a Windows Server 2012 R2 (yes, it is 2012 R2) and while installing the SCEP client (System Center Endpoint Protection client installation files are picked from current branch 2010), it failed with the following error code. Setup - Cannot complete the System Center Endpoint Protection installation. An error has prevented the System Center Endpoint Protection setup wizard from completing successfully. Please restart your computer and try again. Error code:0x8004FF91. [8004FF91] I have tried various command line switches for SCEP client installation but all returned the same error code. The server was installed with Configuration Manager client 2010…
Starting in Configuration Manager 2010, we can use OS boot media from SCCM to reimage internet-based devices that connect through a Cloud Management Gateway (CMG). Note that this method cannot join the devices to a domain, only to a workgroup, as there is no domain connectivity for internet-based clients. This scenario is useful to support remote workers. Though the devices are in a workgroup, they can be managed via Configuration Manager for application deployment, patching, and other features that support a client over CMG. In case of any issues with a remote worker's Windows OS, we can use the OS Boot…
I was recently helping out a customer who had issues with the wsuscontent folder size, which was about 330GB. This folder size is usually around 5-6GB if you are not using standalone WSUS or 3rd party updates for patching. This folder primarily stores the information about: 1. Software update end-user license agreement (EULA). 2. Microsoft patches for Windows and other products for standalone WSUS. 3. 3rd party updates, in case you have integrated the 3rd party patching tool. The following is the screenshot for the wsuscontent folder size. When the customer reported that the wsuscontent size was huge, the following questions were raised. 1. Is it standalone or integrated…
Microsoft 365 endpoints are the set of destination IP addresses, DNS domain names, and URLs for Microsoft 365 traffic on the Internet. To optimize performance to Microsoft 365 cloud-based services, these endpoints need special handling by client browsers and the devices in our edge network. These devices include firewalls, SSL Break and Inspect and packet inspection devices, and data loss prevention systems. By default, there are 3 core services: Exchange Online, SharePoint Online & OneDrive for Business, and Microsoft Teams. Apart from these, there is a very critical service that is a must for Office 365, which is Microsoft 365 Common…
Microsoft Azure Active Directory and Office 365 use open standards and protocols such as OpenID Connect (OIDC) for authentication and OAuth 2.0 for authorization. In Azure Active Directory, when a client application like Outlook connects to a service like Exchange Online, the API requests are authorized using OAuth 2.0 access tokens. By default, these access tokens are valid for one hour; when they expire, the client is redirected back to Azure AD to refresh them. The 1-hour time period is long enough that token exfiltration and other malicious activities can happen. This is not just a…
When a Configuration Manager client is installed and configured to use the software updates agent, it is automatically configured with a local Group Policy setting that specifies the Configuration Manager software update point. The Group Policy setting used is the intranet Microsoft update service location, specified as a Windows Update computer administrative template. The following snippet shows the local Group Policy setting for a client that is enabled with the software update agent. GPO: In case you have a local Group Policy setting that is configured with the Microsoft update service location, which will always be overwritten by an Active Directory Group Policy setting, and…