Tag: Windows 10

Windows Defender Browser Protection

SmartScreen features are now available in Google Chrome with the release of Microsoft’s Windows Defender Browser Protection extension for Chrome. Most organisations run a mixed browser environment, and as Chrome is one of the most popular browsers around, I always see it as a requirement from customers to have it installed on their end user devices.

Windows Defender Browser Protection provides users with an early warning when navigating to phishing or malicious websites, with real-time protection from Microsoft. Windows Defender Browser Protection will show a red warning screen letting you know that the web page you are about to visit is known to be harmful.

Also, don’t forget that this extension works with Microsoft’s Edge Chromium browser. 🙂


https://browserprotection.microsoft.com/learn.html

Once installed you can test the extension using Microsoft’s ATP test ground:


https://demo.wd.microsoft.com/Page/UrlRep

Microsoft Edge Chromium

We all love Google’s Chrome browser and I must admit I use it all the time. I mean, let’s address the elephant in the room: it eats RAM! But I find the speed and fluency of the Chrome browser hands down better than Internet Explorer, Edge or Firefox. With a store full of extensions and customisation (Ad Block), it helps me navigate around the web without being bombarded with adverts.

With most organisations there is a need to stay with Microsoft when deploying end user devices. This could be because you want more control over the browser, and Chrome in the early days didn’t do much to assist with granular control. It does, however, provide ADMX-backed policies to control those minute settings and customise the browser for an organisation’s specific needs.

Internet Explorer is still around and, well, it won’t disappear anytime soon (I think!), but we must move away from it one day. Organisations that deploy the latest Windows 10 OS to users tend to overlook Internet Explorer. Many legacy apps that are web based or are accessed via the web need Internet Explorer in order to work, not to mention the 1800+ group policy settings you can enable… Yikes! The best recommendation on Internet Explorer is: if possible, remove it!

Edge, the new kid on the block, was meant to be the successor of IE. It didn’t go down too well when it failed to handle certain sites and would hand back over to IE. That’s 2 browsers users had to use!! More recently the Edge browser has stood up on its own, but it is still clunky and slow in my opinion.

So where do we go now…?

Microsoft have revamped the Microsoft Edge browser to utilise Chromium. Yes, that’s right! Microsoft are using Google’s Chromium power to bring a fast, fluent browsing experience to Windows 10 users. Using it over the past week has given a breath of fresh air to my Edge browser. I’m able to add all the extensions I used on Chrome to the new Edge browser and it’s just as fast as Edge. This is definitely a game changer with a whole new user experience. Admins no longer need to deploy Chrome to devices, and users will still experience the same Edge UI but with lightning speed.

Go ahead, download the new Edge browser (insider preview) and try it out for yourself.

How to DISM Language Packs into Windows 10 1809 1803 1709

How to DISM Language Packs into Windows 10

In order to inject language packs into Windows 10, we first need to mount our Windows 10 image and then inject our .cab language pack file. The language packs are available from Microsoft’s Volume Licensing portal. Alternatively, you can download them from the following website; you must convert the language file from this website, and the steps for doing so are listed there: https://www.itechtics.com/windows-10-version-1809.

Mount your Windows 10 Image

  • Create a WIM file directory
Md C:\wim
  • Copy your original WIM to c:\wim
  • Create a Mount directory
md C:\mount
  • Create a temp directory
md C:\temp
  • Create a directory to temporarily store your cab files
md C:\languages
  • Find what index the Windows 10 Enterprise SKU is within the WIM File:
Dism /Get-ImageInfo /imagefile:C:\wim\install.wim
  • Mount the WIM file using the required Index number, I am using Index 3 Windows 10 Enterprise:
Dism /Mount-Image /ImageFile:"C:\wim\install.wim" /Index:3 /MountDir:C:\mount

To find out what the current language is set to on your Windows 10 image type the following command:

Dism /image:C:\Mount /Get-Intl

Inject your Language Pack:

There are multiple language files for Windows so you may repeat this step for each language file.

dism /image:C:\Mount /add-package /packagepath:"C:\languages\YOUR LANGUAGE FILE.cab"

Now we need to set the language to en-GB as default. To do this we will run the below commands.

Dism /image:C:\Mount /Set-UILang:en-GB
Dism /image:C:\Mount /Set-SysLocale:en-GB
Dism /image:C:\Mount /Set-UserLocale:en-GB
Dism /image:C:\Mount /Set-InputLocale:en-GB
Dism /image:C:\Mount /Set-AllIntl:en-GB

And finally, I always like setting the time zone to your locale; mine is GMT Standard Time for the UK.

Dism /image:C:\Mount /Set-TimeZone:"GMT Standard Time"

Lastly we need to update the lang.ini file which tells Windows what languages are available when doing installations such as upgrades. Run the below command to generate a new lang.ini file.

Dism /image:c:\Mount /gen-langini /distribution:"Root Path of Source Media"
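The mount and add-package steps above can be wrapped so that nothing is injected unless every .cab carries a valid Microsoft Authenticode signature, and so that a failed run discards the mounted image instead of committing it. This is an added example, not the author's script: the paths and index are the ones used in this post, the function name is hypothetical, and it is narrowed to the package injection and the /Set-AllIntl step.

```powershell
#Requires -RunAsAdministrator
# Added example, not the author's script. Get-TrustedPackage is a hypothetical name.
$ErrorActionPreference = 'Stop'

$Wim     = 'C:\wim\install.wim'
$Index   = 3                  # Windows 10 Enterprise in the author's WIM
$Mount   = 'C:\mount'
$LangDir = 'C:\languages'

function Get-TrustedPackage {
    param([Parameter(Mandatory)][string]$Directory)
    # Emit only .cab files whose Authenticode signature chains to a trusted root
    foreach ($f in Get-ChildItem -Path $Directory -Filter *.cab) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        if ($sig.Status -ne 'Valid') {
            throw "Refusing $($f.Name): signature status is $($sig.Status)"
        }
        if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            throw "Refusing $($f.Name): signed by $($sig.SignerCertificate.Subject)"
        }
        $f
    }
}

# Runs before the image is mounted, so a bad package never touches the WIM
$packages = @(Get-TrustedPackage -Directory $LangDir)
if ($packages.Count -eq 0) { throw "No .cab files found in $LangDir" }

Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $Mount | Out-Null
$commit = $false
try {
    foreach ($p in $packages) {
        Add-WindowsPackage -Path $Mount -PackagePath $p.FullName | Out-Null
    }
    & dism.exe "/Image:$Mount" /Set-AllIntl:en-GB
    if ($LASTEXITCODE -ne 0) { throw "dism /Set-AllIntl failed with exit code $LASTEXITCODE" }
    $commit = $true
}
finally {
    # Commit only when every step succeeded; otherwise leave the WIM untouched
    if ($commit) { Dismount-WindowsImage -Path $Mount -Save | Out-Null }
    else         { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}
```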

That’s all for now folks, let me know how you get on in the comments below.

Thanks
Kam

Intune MDM Azure Portal Explained

Managing Windows 10 with Intune MDM

I am hoping this helps with the understanding of Intune (Azure Portal) and MDM.

 

There are 3 types of configurations for devices when connected to Intune (Azure Portal):

Intro:

Azure AD registered devices: this allows a device to come into the realm of MDM. This is focused on BYOD. End users can bring their devices and register them with Azure by adding a work/school account, after which they can be managed. Admins can push out policies. Nevertheless, the end user can remove themselves from MDM management, because this is their personal device.

Types of Azure AD Domain Joins:

Azure AD joined devices: this allows a device to join an Azure AD domain. It is targeted at workplace devices in organisations that do not have an on-premises AD infrastructure or that take a cloud first/only approach. Benefits include:

  • Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don’t see additional authentication prompts when accessing work resources. The SSO functionality is available even when they are not connected to the domain network.
  • Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect a Microsoft account (for example, Hotmail) to see settings across devices.
  • Access to Windows Store for Business using AD account. Your users can choose from an inventory of applications pre-selected by the organization.
  • Windows Hello support for secure and convenient access to work resources.
  • Restriction of access to apps from only devices that meet compliance policy.

 

Hybrid Azure AD joined devices: this is for organisations that have an on-premises footprint as well as cloud. Devices are joined to a local AD. These organisations still need group policies, device imaging or NTLM/Kerberos, which is why they are not fully in Azure.

Rule of thumb:

As a rule of thumb, you should use:

  • Azure AD registered devices:
    • For personal devices
    • To manually register devices with Azure AD
  • Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are not joined to an on-premises AD
    • To manually register devices with Azure AD
    • To change the local state of a device
  • Hybrid Azure AD joined devices for devices that are joined to an on-premises AD
    • For devices that are owned by your organization
    • For devices that are joined to an on-premises AD
    • To automatically register devices with Azure AD
    • To change the local state of a device
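To check which of the three states a given Windows 10 device is actually in, the fields printed by `dsregcmd /status` can be mapped to the categories above. This is an added example, not from the original post: the function name is hypothetical and the sample lines are constructed to resemble the relevant fields for a hybrid-joined device.

```powershell
# Added example, not from the original post. Get-DeviceJoinType is a hypothetical name.
function Get-DeviceJoinType {
    param(
        # Lines of `dsregcmd /status` output; runs the command locally when omitted
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # Fields look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(?<key>\w+)\s*:\s*(?<value>YES|NO)\s*$') {
            $state[$Matches['key']] = ($Matches['value'] -eq 'YES')
        }
    }
    # Missing keys evaluate to $null, which is treated as "NO"
    if     ($state['AzureAdJoined'] -and $state['DomainJoined']) { 'Hybrid Azure AD joined' }
    elseif ($state['AzureAdJoined'])                             { 'Azure AD joined' }
    elseif ($state['WorkplaceJoined'])                           { 'Azure AD registered' }
    elseif ($state['DomainJoined'])                              { 'On-premises AD joined only' }
    else                                                         { 'Not joined or registered' }
}

# Constructed sample: the relevant fields for a hybrid-joined device
$sample = @(
    '             AzureAdJoined : YES'
    '          EnterpriseJoined : NO'
    '              DomainJoined : YES'
    '           WorkplaceJoined : NO'
)
Get-DeviceJoinType -StatusText $sample
```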

 

So what does this mean:

Well, in a nutshell, you don’t need to use the old classic Intune portal!!! We can configure an on-premises domain joined machine to be managed by Azure Intune MDM (agentless MDM). The trouble you will find is that there is no clear documentation on how to configure this. My next post will discuss how to configure a local AD domain joined device to be managed via Intune MDM using the Hybrid Azure AD Domain Join option.

DISM Injecting Windows 10 1709 1803 1809 Updates into a WIM Image

Injecting Windows 10 1709 1803 1809 Updates into a WIM

 

Update 29/11/2018: This process has been tested and is working with Windows 10 1809! Your local computer must be running the same OS version as the image you are trying to DISM.

 

The following guide outlines how to inject Windows Updates into a WIM file using DISM. This process helps ensure newly built machines are patched before being handed out to end users. It can also speed up the process of building Windows 10, as the Windows Update step during your task sequence will be shorter.

  • Create a WIM file directory
Md C:\wim
  • Copy your original WIM to c:\wim
  • Create a Mount directory
md C:\mount
  • Create a temp directory
md C:\temp
  • Create an update directory
md C:\msu
  • Find what index the Windows 10 Enterprise SKU is within the WIM File:
Dism /Get-ImageInfo /imagefile:C:\wim\install.wim

  • Mount the WIM file using the required Index number, I am using Index 3 Windows 10 Enterprise:
Dism /Mount-Image /ImageFile:"C:\wim\install.wim" /Index:3 /MountDir:C:\mount

You will notice the mount directory now contains all the extracted Windows files and folders.

  • Download the latest Windows 10 update package from Microsoft’s website and place it in the update folder C:\msu. I will be downloading the 4088776 update https://support.microsoft.com/en-us/help/4043454
  • Run the below code to inject your update

 

Dism /Add-Package /Image:C:\mount /PackagePath:C:\MSU\windows10.0-kb4088776-x64_55756340f1e2c2090f94de6d256eafd75e1cee9c.msu /LogPath:AddPackage.log

  • Lock in the Updates so they are restored during a recovery:
DISM /Cleanup-Image /Image:"C:\mount" /StartComponentCleanup /ResetBase /ScratchDir:C:\Temp

If you see the command prompt does not progress to 100%, press enter. It sometimes does not refresh although it has completed, very annoying.

  • Unmount the image and commit the changes:
Dism /Unmount-Image /MountDir:"C:\mount" /Commit

  • Now upload your WIM to SCCM or MDT, deploy and test.
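Before the Dism /Add-Package step, each downloaded .msu in C:\msu can be checked against the hash embedded in its file name and against its digital signature, so a corrupted or substituted package never reaches the image. This is an added example, not the author's script: the function name is hypothetical, and it assumes that the 40-hex-character suffix in a Microsoft Update Catalog file name (as in the package name used above) is the file's SHA-1 and that the .msu carries an Authenticode signature readable by Get-AuthenticodeSignature.

```powershell
# Added example, not the author's script. Test-CatalogPackage is a hypothetical name.
function Test-CatalogPackage {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path
    # Assumption: Update Catalog names end in _<40 hex chars>, the file's SHA-1
    if ($file.BaseName -notmatch '_(?<sha1>[0-9a-f]{40})$') {
        throw "$($file.Name): no 40-character hash suffix in the file name"
    }
    $expected = $Matches['sha1']
    $actual   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash

    if ($actual -ne $expected) {   # string comparison is case-insensitive
        throw "$($file.Name): SHA-1 is $actual, file name says $expected"
    }
    # The hash catches corruption or a swapped file; the signature is the trust check
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        throw "$($file.Name): signature status is $($sig.Status)"
    }
    [pscustomobject]@{
        Package = $file.Name
        Sha1    = $actual
        Signer  = $sig.SignerCertificate.Subject
    }
}

# Check every package in the update folder used in this post
Get-ChildItem -Path 'C:\msu' -Filter *.msu | ForEach-Object {
    Test-CatalogPackage -Path $_.FullName
}
```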