Recast's Endpoint Management Recap - March 2020

Welcome to the Recast Endpoint Management Recap, March 2020

What a month! New terms entered our vocabulary, Social Distancing for example, activities cancelled, conferences gone virtual or postponed, schools closed, IT infrastructures put to the test as employers urged working from home, and toilet paper nearly became a currency. It's been a crazy month. We even produced a Special Edition recap covering tips and tricks to maximize bandwidth potential.

So what's been going on? While we've been distancing ourselves from human interaction, the community has been busy. If you're not on Twitter, you should be. It's been a great lifeline for staying connected with IT professionals when our local TCSMUG was postponed this month and we're working from home. Here at Recast, we've all been working from home, but thankfully we have Slack and other tools to be in constant connection with teammates.

As always, the layout of the post:

  • Events / Conference News
  • Microsoft Product Announcements
  • Hardware Vendor Updates (Tools / Security / Features)
  • Community Tools / News
  • Recast Updates

That's the idea: a high-level overview of things going on that you'll want to be aware of, which you can dig into further on your own. If you're new to REMR (this blog post), you'll want to look back at previous months; there is so much great content. I often look back because I know I had posted about a topic and needed to find that blog post or Doc link, or whatever the case is.

Events & Conferences

Upcoming Events and User Group info.

  • Ignite the Tour - Chicago - April 15-16, 2020 CANCELED
  • Ignite 2020 - September 21–25, 2020 - New Orleans, LA
  • GeekWeek - Truesec - March 23-27, 2020, Chicago - Date Change: Dec 6-11
  • MMS MOA - Postponed to July 26th-30th

Microsoft Products & Announcements

Products:

Microsoft Edge Browser (Based on Chromium Engine): LANDING PAGE

ConfigMgr What's New Landing Page

ConfigMgr Tech Preview Landing Page

  • TP 2002.2
      • Improvements to BitLocker management
      • Improvements to support for ARM64 devices
      • Search all subfolders for configuration items and configuration baselines
      • Microsoft Endpoint Manager tenant attach: Device sync and device actions

Intune What's New Landing Page - This updates so frequently that it's best you just bookmark it if you use Intune.


Announcements:

Hardware Vendor Updates - Microsoft Surface Highlight Edition

HP
Dell
  • [Enterprise Tools Landing Page]
  • Dell Command Monitor - Last Update 2019.12 - Support for determining the status of the Warranty - [User Guide] [Reference Guide]
  • Dell Command Configure (CCTK) - Last Update 2019.09
  • Dell Command Update - Last Update 2020.02 - DCU 3.1.1 was released at the end of February. It was a minor update that addressed some bug issues. Includes support for proxy enhancements, DCH drivers, and addresses some arbitrary overwrite issues. Dell recommends using the latest version of the software to ensure optimum experience in the update process.
  • Dell Command PowerShell Provider - Last Update 2019.04
  • Dell Update Catalog - MEMCM catalog upgrade to the v3 schema to support categories, so that you can reduce the update import from a static 4-5K items to only those models you care about. Only PatchMyPC and Dell support this currently.
Lenovo
Microsoft [Surface]

I was able to get in contact this month with someone inside Microsoft, who was able to help provide a much needed increase in their representation on this monthly post. I'm going to provide the RAW feedback from them this month, as I found it very helpful in my own understanding of what MS has available for the Surface line. In upcoming months, I'll trim it back, but thought this was important to share.

  • Surface Enterprise Management Mode [SEMM]
      • Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. What that means in a nutshell is that SEMM can be used to lock down the firmware and hardware without using passwords, rather certificates and UEFI configuration packages. It has an MSI tool to generate packages (called "Surface UEFI Configurator") if you're doing one or two at a time or you want to test quickly, and it also has a PowerShell provider dll ("Surface UEFI Manager") and is scriptable (SEMM_PowerShell.zip from the Surface Tools for IT site has examples) so that it can be deployed en masse via tools like SCCM. An interesting note, you can't use a SEMM MSI package in SCCM because it installs as LOCALSYSTEM (even if you're running as a user, it still ultimately uses the LOCALSYSTEM account to stage the firmware write, which is disallowed explicitly to any account but administrators with a full, interactive logon session.....), hence why the PS provider exists. The Configurator, PowerShell module, and script samples can be downloaded from the Surface Tools for IT page.
  • Device Firmware Configuration Interface [DFCI]
      • With Windows Autopilot Deployment and Intune, you can manage Unified Extensible Firmware Interface (UEFI) settings after they're enrolled by using the Device Firmware Configuration Interface (DFCI). DFCI enables Windows to pass management commands from Intune to UEFI to Autopilot deployed devices. This allows you to limit end user's control over BIOS settings. For example, you can lock down the boot options to prevent users from booting up another OS, such as one that doesn't have the same security features. DFCI is still in test (planned to go live this summer, although current situations may alter that timeline somewhat), but it's the cloud analog to SEMM - a certificate is installed into the device UEFI (meaning this only supports new products right now, it isn't planned to be available to older products prior to Pro7/Laptop3/ProX right this second) from the factory, and settings can be pushed from Intune to lock down devices and the UEFI itself. It doesn't have 100% of the capabilities of SEMM at the current moment, as we are just building this out, but if enough customers test/use and ask for the addition of features currently only found in SEMM, we can consider it as with any DCR filing. We're trying to focus on the big line items that people generally want to approach (disable hardware like cameras and microphones, enforce secure boot, boot order lock down, etc.) versus going with 100% of the SEMM feature set right away. This allows us to build quicker and release quicker, and potentially bring features later versus trying to get everything working correctly out of the gate, which would have delayed by who knows how long. Also of note, you may have noticed that our UEFI, and all of the features I am describing, are open source and can be used by anyone, including other OEMs (and you may notice that Hyper-V machines on Server 2019 have a familiar UEFI....).
  • Surface Data Eraser [SDE]
      • Microsoft Surface Data Eraser is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Since most of our devices do not have removable storage, and customers may want/need verification that the NVMe format (Section 5.23) command with data purge has actually cleaned the device to, say, GDPR standards, we have a tool to do so (also used internally on devices that come back for repair / refurbish, and Windows actually does this when you use a USB key to restore a recovery image and choose to remove everything if the disk is an NVMe disk) that will log erasure and is certified (and certificates of validation of secure erase can be had on request). The tool will wipe any shipped drive in a Surface device - it may even erase drives that the user might replace with (say, on a Laptop 3) that didn't come from Microsoft, although the guarantee of secure erase cannot be made with certification in that regard, whereas it can if the drive and unit were shipped in, or repaired to, a "factory" state using drives we would ship with the device.
  • Surface Diagnostics Toolkit [SDT] : Coming SOON!
      • Built with advanced diagnostics, logging, and repair capabilities, SDT enables IT admins to quickly resolve hardware, software, and firmware issues in Surface devices, beginning with Surface Pro 3 and later. The solution consists of a distributable desktop application and command-line app console that ship together in Surface Tools for IT. Surface Diagnostics Toolkit comes in two flavors - a UWP app (mostly designed for guiding a user through all tests in a 1:1 fashion), and a command-line variant that can be deployed en masse to machines and resulting data collected for analysis. The administrator can determine what tests to run, including where to output the file(s) generated to assist in discovery and analysis. This tool also includes a "best practices analysis" pass which will by default create an output file letting you know the status of the configuration of your device compared to specific tests. These BPA rules are built out of learnings from support and the field, as well as guidance from engineering, and are a part of this tool.
  • Project Mu [Link]
      • Project Mu is a modular adaptation of TianoCore's edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners.
  • DFCI on Project Mu [Link]

Community Tools / Blogs

Check out some of our favorite tools for ConfigMgr, along with several blog posts covering a wide range of areas and ideas to help with Endpoint Management.

One more note: I do my best to provide Twitter accounts with the blog posts, both to give credit where credit is due and so you can follow them yourselves to stay in the loop as things are coming out and ideas are being discussed on Twitter.

Highlight of the Month... 21 Days of MEM Tips.  Thanks Donna Ryan for putting this together! Yet another reason to get on Twitter!

Podcasts / Blog Series / Video Blogs

Blog Posts

Cloud Tech
ConfigMgr Task Sequence / OSD / WaaS
General ConfigMgr
Other SysAdmin Goodies
Tools / Newsletters / Docs

Recast Software Updates

Thanks for checking out the post, and look forward to more monthly updates of what's going on. If you think we missed something, or want any other news added, find us on Twitter: @RecastSoftware