www.imab.dk Open in urlscan Pro
2a02:2350:5:107:99:4d2d:a0ab:7f85  Public Scan

Form analysis
1 forms found in the DOM

GET https://www.imab.dk/

<form method="get" class="search-form navigation-search" action="https://www.imab.dk/">
  <input type="search" class="search-field" value="" name="s" title="Search">
</form>

Text Content

Skip to content
 * 
 * 
 * 
 * 


IMAB.DK

Everything can be done automatically, as long as you configure it manually :-)


Menu
 * ConfigMgr
 * Intune
 * Co-management
 * AutoPilot
 * Windows 10
 * Windows 11
 * PowerShell
   * Windows 10 Toast Notification Script
   * SCCM Client Health Monitor Script
   * Lenovo BIOS Configurator
 * Windows as a Service
 * About
 * 


SILENTLY ENABLE BITLOCKER ON NON-MODERN STANDBY CAPABLE DEVICES USING MICROSOFT
ENDPOINT MANAGER

December 14, 2022December 14, 2022 by Martin Bengtsson


INTRODUCTION

I’ve been encrypting my Windows 11 devices using an Endpoint security disk
encryption policy for a while now and haven’t had any issues. That’s until
today.

Turns out there’s a known issue around this, which I haven’t encountered until
now.

If the device in question doesn’t support Modern Standby, you will have to
combine the ‘old’ Endpoint protection policies with the new Endpoint
security policies. My findings down below.

> If the device is HSTI-compliant but doesn’t support Modern Standby, an
> endpoint protection policy has to be configured to enforce silent BitLocker
> drive encryption



Read more…

Categories Co-management, Endpoint Manager, Enterprise Mobility, Intune, Windows
11 Leave a comment


GETTING WINDOWS 11 CIS COMPLIANT: CONFIGURING WINDOWS FIREWALL LOGGING USING
POWERSHELL AND MICROSOFT INTUNE

September 14, 2022September 14, 2022 by Martin Bengtsson


INTRODUCTION

I’m currently working on getting my Windows 11 devices CIS (CIS Center for
Internet Security (cisecurity.org) compliant in regards to their benchmark. This
takes some effort, especially if you don’t use Group Policy anymore.

 * For those who don’t know CIS benchmarks, get more details here: CIS
   Benchmarks (cisecurity.org) and here: Center for Internet Security (CIS)
   Benchmarks – Microsoft Compliance | Microsoft Docs

The CIS Benchmark for Microsoft Windows 11 Enterprise dictates that logging for
Windows Firewall is enabled, and is configured with certain settings. None of
those settings, at the time of writing, are available natively via Intune, so I
have chosen to resort to PowerShell and Proactive Remediations.

My scripts will create each log file, for each firewall profile: Domain,
Private, Public and make sure those log files are configured with the correct
permissions (otherwise the Defender engine won’t have permissions to write to
the files). Firewall logging will then be enabled with the recommended values.



Read more…

Categories Endpoint Manager, Enterprise Mobility, Intune, Microsoft 365,
PowerShell, Security, Windows 11 1 Comment


PREVENT WRITE AND EXECUTE ACCESS TO NON-APPROVED REMOVABLE STORAGE USING DEVICE
CONTROL AND MICROSOFT INTUNE

July 22, 2022July 22, 2022 by Martin Bengtsson


INTRODUCTION

Controlling which and how removable storage devices can be used in your
environment, seems to be an increasing demand from new and existing business
partners. At least that’s my observation made from within the legal vertical.

It all boils down to preventing data leakage and hardening of your security
posture, so I figured showing how this can be achieved with Microsoft Defender
for Endpoint Device Control and Microsoft Intune, would make a decent blog post.



Read more…

Categories Endpoint Manager, Enterprise Mobility, Intune, Microsoft 365,
Security 7 Comments


CONFIGURE AND USE LENOVO BIOS SUPERVISOR PASSWORD DURING OSD USING POWERSHELL
AND CONFIGURATION MANAGER

June 30, 2022June 29, 2022 by Martin Bengtsson


INTRODUCTION

Following up on my previous post, continuing on the Lenovo BIOS password topic.
This time I’m illustrating, how you initially can set the supervisor password
during the deployment of the operating system.

 * Find my previous post here: Inventory Lenovo BIOS password states using
   PowerShell and Proactive Remediations – imab.dk

Last time I mentioned, how this cannot be done remotely for security reasons.
However, there are an option to allow this during OSD (Operating System
Deployment), called System Deployment Boot Mode. If taking advantage of this,
you’re allowed to set the supervisor password programmatically in WinPE.

I’m using PowerShell to do so, and this post will walk you through the
necessities.



Read more…

Categories ConfigMgr, Endpoint Manager, Enterprise Mobility, MEMCM, PowerShell,
SCCM, Windows 11 4 Comments


INVENTORY LENOVO BIOS PASSWORD STATES USING POWERSHELL AND PROACTIVE
REMEDIATIONS

June 26, 2022June 26, 2022 by Martin Bengtsson


INTRODUCTION

Configuring the BIOS password on a Lenovo device for the first time, requires
manual labor. Either by you or by the OEM before shipping. For security reasons,
this cannot be done remotely.

So, what if the idea of having a supervisor password on your devices is
relatively new, and you have thousands of devices out there without?

Then you’ll have to come up with a process on getting to them manually, and in
this process, knowing exactly which devices that needs attention is key.



Read more…

Categories Endpoint Manager, Enterprise Mobility, Intune, Microsoft 365,
PowerShell, Windows 11 1 Comment


USE GROUP POLICY ANALYTICS TO MIGRATE MICROSOFT 365 APPS SECURITY BASELINE TO
THE CLOUD

June 27, 2022June 25, 2022 by Martin Bengtsson


INTRODUCTION

A new version of Microsoft 365 Apps for enterprise security baseline was
released last week, delivering the latest recommended security configuration for
the included applications.

Now, by the time of writing, not everything can be transitioned into Microsoft
Intune natively. There are simply not MDM support for each and every setting. So
for those settings without MDM support, you will have to leverage ADMX ingestion
or PowerShell.

This post will give you insight on using Group Policy Analytics, as well as how
to use ADMX ingestion and PowerShell to completely transition management of the
security baseline into the cloud.



Read more…

Categories Endpoint Manager, Enterprise Mobility, Intune, Microsoft 365,
PowerShell, Security, Windows 11 1 Comment


ESCROW BITLOCKER RECOVERY KEYS TO AZURE AD DURING FEATURE UPDATE TO WINDOWS 11

June 9, 2022 by Martin Bengtsson


INTRODUCTION

As promised, I’m continuing my Windows 11 journey, this time giving you a small
nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11
Feature Update.

In my specific scenario, the recovery keys has so far been stored in on-premises
AD. For Windows 11, we change that, and store them in Azure AD instead.

For your convenience, find links to my previous Windows 11 posts here:

 * Customize your Windows 11 taskbar during OSD with ConfigMgr using just
   PowerShell
 * Monitor your Windows 11 Feature Updates with Custom Action Scripts and
   notifications sent to Microsoft Teams
 * Remove built-in Teams app and Chat Icon in Windows 11 during a Feature Update
   via SetupConfig.ini and SetupComplete.cmd



Read more…

Categories Azure, Endpoint Manager, Enterprise Mobility, Intune, PowerShell,
Windows 10, Windows 11 1 Comment


CUSTOMIZE YOUR WINDOWS 11 TASKBAR DURING OSD WITH CONFIGMGR USING JUST
POWERSHELL

June 9, 2022June 8, 2022 by Martin Bengtsson


INTRODUCTION

A short and sweet blog post to re-kickstart my blogging activities, after a long
period focusing on cybersecurity and the increased cybersecurity threat towards
organizations. For same reasons, my Windows 11 project has temporarily been on
pause.

However, now I’m back working on Windows 11, showing how you can customize the
taskbar during OSD (Operating System Deployment) with Configuration Manager
using just PowerShell (and no source files).

And yes, we are still leveraging Configuration Manager for regular OSD. This
still makes the most sense for our type of business.



Read more…

Categories ConfigMgr, Endpoint Manager, Enterprise Mobility, PowerShell, SCCM,
Windows 11 10 Comments


MONITOR YOUR WINDOWS 11 FEATURE UPDATES WITH CUSTOM ACTION SCRIPTS AND
NOTIFICATIONS SENT TO MICROSOFT TEAMS

June 9, 2022February 1, 2022 by Martin Bengtsson


INTRODUCTION

I’m kind of continuing on last weeks topic, where I wrote about leveraging
SetupConfig.ini and SetupComplete.cmd to carry out custom tasks during a Windows
11 Feature Update. 

 * Remove built-in Teams app and Chat Icon in Windows 11 during a Feature Update
   via SetupConfig.ini and SetupComplete.cmd

Today I want to demonstrate, how you can leverage the same custom action
scripts, to send notifications to a Microsoft Teams channel upon success or
failure, when upgrading to Windows 11 using a Feature Update.

I’m still preparing Windows 11 for broad deployment and I will post my exact
process once it’s ready. For now I’m just giving you tiny tidbits along the way.



Read more…

Categories ConfigMgr, Endpoint Manager, Enterprise Mobility, Intune, MEMCM,
PowerShell, Windows 10, Windows 11 Leave a comment


REMOVE BUILT-IN TEAMS APP AND CHAT ICON IN WINDOWS 11 DURING A FEATURE UPDATE
VIA SETUPCONFIG.INI AND SETUPCOMPLETE.CMD

June 9, 2022January 29, 2022 by Martin Bengtsson


INTRODUCTION

This topic in particular, has been very popular since the release of Windows 11
back in October last year.

At this point, there’s at least a dozen posts out there, on how to remove either
the built-in Teams app or the Chat Icon from the task bar on devices running
Windows 11 already.

I’m in the middle of preparing Windows 11 for broad deployment myself, and this
is how I make sure the built-in Teams app and Chat Icon is removed before the
user logs on to Windows 11 for the first time. In this scenario, after
completing the Feature Update coming from Windows 10.



Read more…

Categories ConfigMgr, Endpoint Manager, Enterprise Mobility, Intune, MEMCM,
PowerShell, SCCM, Windows 10, Windows 11 Leave a comment
Older posts
Page1 Page2 … Page21 Next →


MOST VIEWED POSTS

 1. Windows 10 Toast Notification Script (379,115)
 2. Deploy RSAT (Remote Server Administration Tools) for Windows 10 v1909 using
    ConfigMgr and Powershell (99,272)
 3. Deploy RSAT (Remote Server Administration Tools) for Windows 10 v2004 using
    ConfigMgr and Powershell (76,315)
 4. Deploy RSAT (Remote Server Administration Tools) for Windows 10 v20H2 using
    ConfigMgr and PowerShell (74,432)
 5. Deploy RSAT (Remote Server Administration Tools) for Windows 10 v1903 using
    SCCM (System Center Configuration Manager) and Powershell (63,106)
 6. Windows as a Service: Sharing my PreCache and In-Place Upgrade Task
    Sequences, part 1 (62,837)
 7. Install Google Chrome Extensions using Microsoft Intune in 3 different ways
    (Powershell, ADMX ingestion and MSI) (52,783)


RECENT POSTS

 * Silently enable BitLocker on non-Modern Standby capable devices using
   Microsoft Endpoint Manager
 * Getting Windows 11 CIS compliant: Configuring Windows Firewall Logging using
   PowerShell and Microsoft Intune
 * Prevent Write and Execute access to non-approved removable storage using
   Device Control and Microsoft Intune
 * Configure and use Lenovo BIOS supervisor password during OSD using PowerShell
   and Configuration Manager
 * Inventory Lenovo BIOS password states using PowerShell and Proactive
   Remediations


CATEGORIES

 * AutoPilot (7)
 * Azure (31)
 * Back 2 basics (5)
 * Co-management (26)
 * Conditional Access (9)
 * ConfigMgr (69)
 * Endpoint Manager (69)
 * Enterprise Mobility (44)
 * Intune (68)
 * MEMCM (43)
 * Microsoft 365 (10)
 * MVP (1)
 * Office 365 (6)
 * Other (2)
 * PowerShell (81)
 * SCCM (123)
 * SCCM 2012 (17)
 * Security (8)
 * Technical Preview (2)
 * Tools (16)
 * Windows 10 (91)
 * Windows 11 (14)
 * Windows 7 (1)
 * Windows 8 (7)
 * Windows as a Service (6)


© Martin Bengtsson - 2011 - 2023