Recast’s Endpoint Management Recap – March 2020
Welcome to the Recast Endpoint Management Recap, March 2020
What a month! New terms entered our vocabulary, Social Distancing for example, activities cancelled, conferences gone virtual or postponed, schools closed, IT infrastructures put to the test as employers urged working from home, and toilet paper nearly became a currency. It’s been a crazy month. We even produced a Special Edition recap covering tips and tricks to maximize bandwidth potential.
So what’s been going on? While we’ve been distancing ourselves from human interaction, the community has been busy. If you’re not on Twitter, you should be. It’s been a great lifeline to stay connected with IT professionals when our local TCSMUG was postponed this month, and we’re working from home. Here at Recast, we’ve all been working from home, but thankfully we have Slack and other tools to be in constant connection with teammates.
As always, the layout of the post:
- Events / Conference News
- Microsoft Product Announcements
- Hardware Vendor Updates (Tools / Security / Features)
- Community Tools / News
- Recast Updates
That’s the idea: a high-level overview of things going on that you’ll want to be aware of, so you can dig into them further on your own. If you’re new to REMR (this blog post), you’ll want to look back at previous months, so much great content. I often look back because I know I had posted about a topic and needed to find that blog post or Doc link, or whatever the case is.
Events & Conferences
Upcoming Events and User Group info.
- Ignite the Tour – Chicago – April 15-16, 2020 CANCELED
- Ignite 2020 – September 21–25, 2020 – New Orleans, LA
- GeekWeek – Truesec – March 23-27, 2020, Chicago – Date Change: Dec 6-11
- MMS MOA – Postponed to July 26th-30th
Microsoft Products & Announcements
Products:
Microsoft Edge Browser (Based on Chromium Engine): LANDING PAGE
ConfigMgr What’s New Landing Page
- 2020.02.18 – Update Rollup for Microsoft Endpoint Configuration Manager current branch, version 1910
- Several bug fixes
- Includes the 4 previous hotfixes
- Request Client Update
ConfigMgr Tech Preview Landing Page
- TP 2002.2
- Improvements to BitLocker management
- Improvements to support for ARM64 devices
- Search all subfolders for configuration items and configuration baselines
- Microsoft Endpoint Manager tenant attach: Device sync and device actions
Intune What’s New Landing Page – This updates so frequently that it’s best you just bookmark it if you use Intune.
Announcements:
- Universal Print was announced, looks interesting, more info: What is Universal Print
- Windows 10 1709 Support Extended until October 2020.
- Windows has paused non-security patches! Starting in May 2020, we [Microsoft] are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products (Windows 10, version 1909 down through Windows Server 2008 SP2).
- Microsoft Defender ATP Preview for Linux. They recently released Defender ATP for macOS, now Linux.
- Remote Desktop Connection Manager Deprecated … and not being patched for a serious CVE
- TechNet Gallery is going away!
Hardware Vendor Updates – Microsoft Surface Highlight Edition
HP
- [Enterprise Tools Landing Page] [Community / Blog Site]
- HP Client Management Script Library – Updated 2020.03 – Version 1.4.3
- [Blog Post] HP Client Management Script Library 1.4.3 – and a security bulletin PSA
- HP Image Assistant – 4.5.4.1 – Updated 2020.02.12
- Adds support for Offline Mode repositories created using Client Management Script Library version 1.4
- Adds support for a non-interactive mode which displays HPIA actions in a progress bar when run from the command line on a client.
- HP Manageability Integration Kit – 3.1.15.1 – Latest Release from 2020.01
- HP BIOS Configuration Utility (BCU) – Version 4.0.30.1 SP100599 – User Guide (PDF) – Latest Release from 2019.12
Dell
- [Enterprise Tools Landing Page]
- Dell Command Monitor – Last Update 2019.12 – Support for determining the status of the Warranty – [User Guide] [Reference Guide]
- Dell Command Configure (CCTK) – Last Update 2019.09
- Dell Command Update – Last Update 2020.02 – DCU 3.1.1 was released at the end of February. It was a minor update that addressed some bug issues. Includes support for proxy enhancements, DCH drivers, and addresses some arbitrary overwrite issues. Dell recommends using the latest version of the software to ensure optimum experience in the update process.
- Dell Command PowerShell Provider – Last Update 2019.04
- Dell Update Catalog – MEMCM catalog upgrade to the v3 schema to support categories so that you can reduce the update import from a static 4-5K items to only those models you care about. Only PatchMyPC and Dell support this currently.
Lenovo
- [Enterprise Tools Landing Page][Blog Site]
- System Update 5.07.0093 – Updated 2020-02 – Minor Enhancements. [Release Notes]
- Thin Installer 1.3.0018 – Updated 2019-12-19 – Several command line enhancements. [Release Notes]
- Vantage for Enterprise – Version 20.1908.3.0 – Not much info available on this, large download with lots of parts.
- [Blog Post] – System Update Suite and MEM: Part 1 Deploying the Apps & Part 2 Deploying and Configuring the Apps
- [Blog Post] – Deploying Lenovo System Update with automatic updates disabled
Microsoft [Surface]
I was able to get in contact this month with someone inside Microsoft, who was able to help provide a much needed increase in their representation on this monthly post. I’m going to provide the RAW feedback from them this month, as I found it very helpful in my own understanding of what MS has available for the Surface line. In upcoming months, I’ll trim it back, but thought this was important to share.
- Surface Enterprise Management Mode [SEMM]
- Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. What that means in a nutshell is that SEMM can be used to lock down the firmware and hardware without using passwords, rather certificates and UEFI configuration packages. It has an MSI tool to generate packages (called “Surface UEFI Configurator”) if you’re doing one or two at a time or you want to test quickly, and it also has a PowerShell provider dll (“Surface UEFI Manager”) and is scriptable (SEMM_PowerShell.zip from the Surface Tools for IT site has examples) so that it can be deployed en masse via tools like SCCM. An interesting note, you can’t use a SEMM MSI package in SCCM because it installs as LOCALSYSTEM (even if you’re running as a user, it still ultimately uses the LOCALSYSTEM account to stage the firmware write, which is disallowed explicitly to any account but administrators with a full, interactive logon session…), hence why the PS provider exists. The Configurator, PowerShell module, and script samples can be downloaded from the Surface Tools for IT page.
- Device Firmware Configuration Interface [DFCI]
- With Windows Autopilot Deployment and Intune, you can manage Unified Extensible Firmware Interface (UEFI) settings after they’re enrolled by using the Device Firmware Configuration Interface (DFCI). DFCI enables Windows to pass management commands from Intune to UEFI to Autopilot deployed devices. This allows you to limit end user’s control over BIOS settings. For example, you can lock down the boot options to prevent users from booting up another OS, such as one that doesn’t have the same security features. DFCI is still in test (planned to go live this summer, although current situations may alter that timeline somewhat), but it’s the cloud analog to SEMM – a certificate is installed into the device UEFI (meaning this only supports new products right now, it isn’t planned to be available to older products prior to Pro7/Laptop3/ProX right this second) from the factory, and settings can be pushed from Intune to lock down devices and the UEFI itself. It doesn’t have 100% of the capabilities of SEMM at the current moment, as we are just building this out, but if enough customers test/use and ask for the addition of features currently only found in SEMM, we can consider it as with any DCR filing. We’re trying to focus on the big line items that people generally want to approach (disable hardware like cameras and microphones, enforce secure boot, boot order lock down, etc.) versus going with 100% of the SEMM feature set right away. This allows us to build quicker and release quicker, and potentially bring features later versus trying to get everything working correctly out of the gate, which would have delayed by who knows how long. Also of note, you may have noticed that our UEFI, and all of the features I am describing, are open source and can be used by anyone, including other OEMs (and you may notice that Hyper-V machines on Server 2019 have a familiar UEFI…).
- Surface Data Eraser [SDE]
- Microsoft Surface Data Eraser is a tool that boots from a USB stick and allows you to perform a secure wipe of all data from a compatible Surface device. A Microsoft Surface Data Eraser USB stick requires only the ability to boot from USB. The USB stick is easy to create by using the provided wizard, the Microsoft Surface Data Eraser wrapper, and is easy to use with a simple graphic interface, no command line needed. To learn more about the data wiping capabilities and practices Since most of our devices do not have removable storage, and customers may want/need verification that the NVMe format (Section 5.23) command with data purge has actually cleaned the device to, say, GDPR standards, we have a tool to do so (also used internally on devices that come back for repair / refurbish, and Windows actually does this when you use a USB key to restore a recovery image and choose to remove everything if the disk is an NVMe disk) that will log erasure and is certified (and certificates of validation of secure erase can be had on request). The tool will wipe any shipped drive in a Surface device – it may even erase drives that the user might replace with (say, on a Laptop 3) that didn’t come from Microsoft, although the guarantee of secure erase cannot be made with certification in that regard, whereas it can if the drive and unit were shipped in, or repaired to, a “factory” state using drives we would ship with the device.
- Surface Diagnostics Toolkit [SDT] : Coming SOON!
- Built with advanced diagnostics, logging, and repair capabilities, SDT enables IT admins to quickly resolve hardware, software, and firmware issues in Surface devices, beginning with Surface Pro 3 and later. The solution consists of a distributable desktop application and command-line app console that ship together in Surface Tools for IT. Surface Diagnostics Toolkit comes in two flavors – a UWP app (mostly designed for guiding a user through all tests in a 1:1 fashion), and a command-line variant that can be deployed en masse to machines and resulting data collected for analysis. The administrator can determine what tests to run, including where to output the file(s) generated to assist in discovery and analysis. This tool also includes a “best practices analysis” pass which will by default create an output file letting you know the status of the configuration of your device compared to specific tests. These BPA rules are built out of learnings from support and the field, as well as guidance from engineering, and are a part of this tool.
- Project Mu [Link]
- Project Mu is a modular adaptation of TianoCore’s edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners.
- DFCI on Project Mu [Link]
Community Tools Blogs
Check out some of our favorite tools for ConfigMgr, along with several blog posts covering a wide range of areas and ideas to all help with Endpoint Management.
One more note, I do my best to provide Twitter accounts with the blog posts, both to provide credit where credit is due, and so you can then follow them yourselves to stay in the loop as things are coming out and ideas are being discussed on Twitter.
Highlight of the Month… 21 Days of MEM Tips. Thanks Donna Ryan for putting this together! Yet another reason to get on Twitter!
PodCasts / Blog Series / Video Blogs
- [Youtube Channel] Episode 31: Syncing of SharePoint Team Site Libraries & 32: Decoding AutoPilot Enrollment Status [@OnPremCloudGuy & @AdamGrossTX]
- [Blog Series] Keep it Simple with Intune – Several Posts this month (Paul Winstanley [MVP] – @SCCMentor)
- [Blog Series] Practical PowerShell | Practical PowerShell Part 2 (Sean Bulger @managed_blog)
- [Youtube] Microsoft Endpoint Manager MVP RoundTable – Feature Updates, AutoPilot, Security and More!
- [Youtube] Quick Tips for Microsoft Education Features (Mike Tholfsen @mtholfsen)
- [PodCast] Episode 1 of a new podcast focusing on the Community [Tweet] (Couple of Jerks @JustJerksPod)
Blog Posts
Cloud Tech
- [Blog Post – MEM Admin Center] Using device sync and device actions in Microsoft Endpoint Manager Admin Center (Niall C. Brady – @ncbrady)
- [Blog Post – MEM Admin Center] Take action on your ConfigMgr devices from the Microsoft Endpoint Manager admin center
- [Blog Post – Intune / CM] Enabling the new Tenant Attach feature in Configuration Manager TP2002.2 (Niall C. Brady – @ncbrady)
- [Blog Post – Office 365] How to quickly optimize Office 365 traffic for remote staff & reduce the load on your infrastructure
- [Blog Post – Azure] Keep control of your Azure environment with Azure Policy (Thomas Maurer @ThomasMaurer)
- [Blog Post – Azure] Setup ConfigMgr LAB Infrastructure in Azure IaaS | SCCM | MEMCM (Anoop C Nair @anoopmannur)
- [Blog Post – ATP] Deploy Microsoft Defender ATP for macOS with Intune (Jan Ketil Skanke [MVP] @JankeSkanke)
- [Blog Post – Intune] Microsoft Endpoint Manager Bulk Device Actions (Peter Egerton @PeterEgerton)
- [Blog Post – Intune] Change the Intune Primary User – Public Preview Now Available (Scott Duffey)
- [Blog Post – Intune] Intune Troubleshooting 101
- [Blog Post – Intune] How to rename Windows 10 devices in Intune using PowerShell (Maurice Daly @modaly_it)
- [Blog Post – Intune] Manage Win32 applications in Microsoft Intune with PowerShell (Nickolaj Andersen @NickolajA)
- [Blog Post – Intune] Managing Intune PowerShell Scripts with Microsoft Graph (Trevor Jones @SMSagentTrevor)
- [Blog Post – Intune] Scenario: Perform Automation Based on Device Enrollment in Microsoft Intune (ramseyg @ramseyg)
- [Blog Post – Intune] New Administrative Templates UI in Microsoft Endpoint Manager (Maurice Daly [MVP] @modaly_it)
- [Blog Post – Azure] Windows Virtual Desktop technical deployment (and expansion) walkthrough (Christiaan Brinkhoff @Brinkhoff_C)
ConfigMgr Task Sequence / OSD / WaaS
- [Blog Post] Manage multiple languages and keyboard layouts using UI++ in a 1910 task sequence using a custom answer file (Sean Bulger – @managed_blog)
- [Blog Post] Simplifying Windows 10 deployment with Configuration Manager (Mike_Bailey)
- [Blog Post] Deploying Autopilot with MDT on USB – A WIM Witch Use Case (Donna Ryan @TheNotoriousDRR)
- [Blog Post] Distribute Drivers at Mach speed (Johan @josch62)
- [Blog Post] Benchmarking Peer Cache vs. BranchCache – Bare-metal OS Deployment (Johan Arwidmark @jarwidmark)
- [Blog Post & Video] OSD Builder in a Task Sequence (Gary Blok @gwblok)
General ConfigMgr
- [Blog Post] Create your first CM dashboard with PowerBI Desktop (Benoit Lecours @benoitlecours)
- [Blog Post] SCCM: Housekeeping Collections
- [Blog Post] Some tips for setting up a CMG (Gerry Hampson @GerryHampson)
- [Blog Post] How to Troubleshoot ConfigMgr Hardware Inventory Issues (Garth @GarthMJ)
- [Blog Post] Troubleshooting Configuration Manager: Parsing client logs using Powershell and Configuration Items (Martin Bengtsson @mwbengtsson)
- [Blog Post] Inventory Deprovisioned Windows 10 Apps (Cody Mathis @CodyMathis12)
- [Blog Post] Do I really need MDT integration? (Maurice Daly @modaly_it)
- [Blog Post] Toast Notification Script Update: Run ConfigMgr applications directly from the action button (Martin Bengtsson @mwbengtsson)
Other SysAdmin Goodies
- [Blog Post] How to SSH into a Windows 10 Machine from Linux OR Windows OR anywhere (Scott Hanselman @shanselman)
- [Blog Post] Disrupting the Modern Workplace: Are our IT teams ready to drive change? (Sean Bulger – @managed_blog)
- [Blog Post] PowerShell 7 Profile Paths and Locations (Prateek Singh @singhprateik)
- [Blog Post] Installing the HP Client Management Script Library in WinPE (Jon Anderson @ConfigJon)
- [Blog Post – Edge] Enable IE Mode and use a Site List in Edge Chromium with Microsoft Endpoint Manager (Ben Whitmore @byteben)
- [Blog Post – Build CM Lab] Hydration Kit For Windows Server 2019, SQL Server 2017 and ConfigMgr Current Branch (Johan Arwidmark @jarwidmark)
- [Blog Post] Why you should Replace RDCMan with Windows Admin Center (Billy York @SCAutomation)
- [Blog Post] PowerShell and WPF: Use DatePicker Control to create a quick booking system (Damien Van Robaeys [MVP] @syst_and_deploy)
- [Blog Post] How to add a PowerShell Remoting Session in the Windows Terminal menu (Thomas Maurer @ThomasMaurer)
Tools / Newsletters / Docs
- [Tool] OSDeploy [David Segura] – Several enhancements this month: 20.2.20 (2020 February 20) Gary Blok Edition
- [Video Post] FWSMUG | March 2020 Webinar | Using OSDBuilder for Windows 10 Offline Servicing
- [Tool] Driver Automation Tool Updated to 6.4.6 on 2020.03. Several new enhancements.
- [Tool] SSRS Reports (Ioan Popovici @IoanPopovici)
Recast Software Updates
- March is Women’s History Month, and what better way to celebrate than to highlight a few of the amazing women who are trailblazers in our community! Women’s History Month: Featured Women in IT
- Ever wonder how to build a ConfigMgr lab from scratch? A new 12-part blog series walks through every step of the process. Building a ConfigMgr Lab from Scratch – Series Intro
- Recast Endpoint Management Recap – Special Edition – Maximize Bandwidth Potential
- Webinar: Deploy single-purpose kiosk devices with ConfigMgr, using Right Click Tools’ Kiosk Manager. View webinar recording.
- Watch for Right Click Tools version 4.2 coming soon!
Thanks for checking out the post, and look forward to more monthly updates of what’s going on. If you think we missed something, or want any other news added, find us on Twitter: @RecastSoftware