9 Best New Features in SCCM 1902

Introduction Yesterday saw the release of SCCM 1902 and it seems to include a lot of useful features we have been waiting for. I'm mentioning most of the highlights here but you can go to the what's new page for a full list. 1902 will be generally available in about two weeks but if you want to try it out you can use the Enable Fast Ring script to get it today. Download it here. Search for devices using MAC address You can now add MAC address as a criterion in the Device view. This means you don't have to…

0 Comments
How to Quickly Find Windows 10 Recovery Key

Introduction My PC recently got stuck at startup after the installation of Windows Update. I tried multiple ways to restart it, but I always got stuck at the same point. I had to find my Windows 10 Recovery Key to continue. Since my PC is standalone, I didn’t have an organization that stored the recovery key centrally, so I have to keep track of it myself. I could boot into Startup Repair and select Reset this PC, but it wanted me to supply a recovery key. Fortunately, I used my Microsoft Live ID on the PC at some…

0 Comments
Intune BitLocker Recovery Keys

Microsoft just added a preview feature to Intune that we have been waiting for! You can now find your Intune BitLocker Recovery keys from the device information blade in Intune. This makes it much easier for administrators while helping users with their locked devices. An example of this could be when using Windows AutoPilot and automatically encrypting the drives of enrolled devices. Normally you have the recovery keys stored in Active Directory or MBAM, but since moving to Azure AD you can only find it there. Browse to the Intune portal, https://devicemanagement.microsoft.com. Go to Devices > All Devices and search for…

0 Comments
How to Find Azure AD Connect Server

I will show you how to find Azure AD Connect in your environment using Active Directory Users and Computers. I visited a customer who needed to force a delta sync using Azure AD Connect. The person responsible was absent, which meant that nobody knew where it was installed. I found a simple method of finding the server after some research, but it depends on the service account. It turns out that the installer writes the servername to the description field of the GMSA account during installation. Azure AD Connect is the engine that synchronizes the identities from your Active Directory…

0 Comments
Server Missing in WSUS Console

In this post I will explain how I solved my problem when I had a server missing in the WSUS console. I had just set up a new WSUS Server for a customer and deployed the GPO settings. The GPO contained the basic settings required to configure the clients, like server name, computer group and what update schedule to follow. Even though all settings were correct, only some servers appeared in the console. After some thorough troubleshooting I was sure that the GPO settings were correct but I still had the same issue. I had a feeling that something was wrong when…

0 Comments
Configuring Local Administrator Password Solution (LAPS)

Introduction Local Administrator Password Solution (LAPS) is a technology from Microsoft that allows you to secure the passwords for local administrators and store them in Active Directory, in a similar way to BitLocker recovery keys. This technology allows you to randomize a password for each computer you enable it on and to enforce complexity policies to make sure they stay secure. With all the new security features coming around lately you should definitely configure LAPS for Windows 10 to use it as a great supplement. Local administrator accounts have always been an issue to manage in large environments and especially when there are multiple…

0 Comments
How to Enable BitLocker on Existing Devices Using SCCM

All businesses want to protect their data to make sure it is safe from unauthorized users. A big part of this is to encrypt the disks of their devices using BitLocker. This can easily be done during OS installation for all new computers but it might be troublesome to enable BitLocker on existing devices. BitLocker can use multiple key information methods but in this case, I will focus on TPM. TPM is a hardware component that is installed by the manufacturer and can be used to ensure that the computers have not been tampered with while the computer was powered…

14 Comments
How to create SCCM collection based on Configuration Baseline compliance

Background I was looking at how to create SCCM collection based on configuration baseline as a validation step before running upgrades on Windows 10 devices. During this process I wanted to automate collection memberships based on the results of the validation. It turns out that you can quite easily create SCCM Collection Based on Configuration Baseline. I'm using this method to verify that our devices fulfill the requirements before assigning the Feature Upgrade. Solution All you need to do is navigate to Configuration Baselines to select the baseline you want to use. Click the Deployments tab and right-click on the deployment…

4 Comments
How to execute powershell.exe with script and parameters

Background I had some problems today with powershell.exe and the syntax. My goal was to use an application that executes a script together with parameters to start an installation. This is how to execute powershell.exe properly using command prompt. What I tried to do I wanted to run Powershell.exe from the command line and supply it with arguments, a file and parameters. First I was trying to use something like this: powershell.exe -ExecutionPolicy Bypass -File "Install-Application.ps1 -Mode Install" -WindowStyle Hidden -NoProfile I couldn't get this to work and the CM logs didn't tell me what the issue was. What the issue…

0 Comments
GPO Inaccessible, Empty or Disabled due to delegations

Introduction During a project a customer of mine found that a new policy didn't work as intended due to the GPO being inaccessible. The GPOs were verified multiple times and there was nothing wrong with either the settings, the scope or the security filtering. After some troubleshooting I found that gpresult /h indicated that the reason was GPO Inaccessible, Empty or Disabled. Issue Because of vulnerabilities in GPOs Microsoft implemented a design change in Security Update for Group Policy (3163622). The update changes how the policies are retrieved by using the computer's security context instead of the user's. The reason for this…

0 Comments