Azure Functions are a great way to build scalable, reliable, and cost-effective applications without the need to manage any servers. Azure Functions are event-driven, meaning they run in response to triggers such as HTTP requests, timers, queues, or blobs. In this blog post, I will show you how to create your first Azure Function, test it locally, and deploy it to Azure.

What You Need

• An Azure account.
• Visual Studio Code. You can download it here: Download Visual Studio Code – Mac, Linux, Windows.
• The Azure Functions extension for Visual Studio Code. You can install it from the VS Code marketplace here: Azure Functions – Visual Studio Marketplace.
• The Azure Functions Core Tools. You can install them from here: Develop Azure Functions locally using Core Tools | Microsoft Learn.
• A local development environment that supports your preferred programming language. For this blog, we will use Python, but you can also use C#, Java, JavaScript, TypeScript, Ballerina, or PowerShell.

Creating Your First Function

To create your first function, follow these steps:

1. Open Visual Studio Code and create a new folder for your project.
2. In the VS Code menu, go to View > Command Palette and type “Azure Functions: Create new project”.
3. Select the folder you created and choose a language for your function. We will use Python for this example.
4. Select ModelV2 and Python <3.11.
5. Choose a template for your function. We will use HTTP trigger, which means our function will run when we send an HTTP request to it.
6. Give your function a name. We will use “HelloWorld” for this example.
7. Choose an authorization level for your function. We will use “Anonymous”, which means anyone can call our function without a key. (Don’t use this for your production environment)
8. Wait for the project to be created. You should see a new folder called “HelloWorld” with some files inside.

Testing Your Function Locally

To test your function locally, follow these steps:

• In the VS Code menu, go to Terminal > New Terminal and type “func start”. This will start the Azure Functions Core Tools and run your function locally.
• You should see a message like this: ‘Functions: HelloWorld: [GET, POST] [URL]’
• Copy the URL and paste it in your browser. You should see a message like this: “This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response.“
• Add a query parameter to the URL, like this: [URL]. You should see a message like this: “Hello Azure!” (Tip: If you want to test POST calls, use the VS code extension Thunder Client)
• Congratulations, you have successfully created and tested your first Azure Function locally!

Deploying Your Function to the Cloud

To deploy your function to the cloud, follow these steps:

• In the VS Code menu, go to View > Command Palette and type “Azure Functions: Deploy to function app”.
• Select your subscription and choose “Create new function app in Azure”.

• Give your function app a unique name. We will use “HelloWorldFunctionApp” for this example.
• Choose a runtime stack for your function app. We will use “Python 3.11” for this example.
• Choose a region for your function app. We will use “West Europe” for this example.
• Wait for the deployment to complete. You should see a message like this: “Deployment completed.”

• Copy the URL of your function app and append “/api/HelloWorld” to it. You should see a message like this: “Please pass a name on the query string or in the request body.”
• Add a query parameter to the URL, like this: [URL]. You should see a message like this: “Hello Azure!”
• Congratulations, you have successfully deployed your first Azure Function to the cloud!

Conclusion

In this blog post, you have learned how to create, test, and deploy your first Azure Function using Visual Studio Code and the Azure Functions extension. Azure Functions are a powerful and easy way to build serverless applications that scale automatically and cost you only for what you use. You can learn more about Azure Functions here.

Also, check out my recent post on Azure Services to Enhance Intune Automation.

The post How to Start with Azure Functions appeared first on Recast Software.

What is Microsoft Graph?

Microsoft Graph is a powerful API that connects various services and features across the Microsoft ecosystem. It acts as a gateway, allowing developers to access and interact with data that flows through Microsoft products such as Microsoft 365, Intune Entra, and many more.

Key Features of Microsoft Graph

• Unified API Endpoint: Microsoft Graph consolidates APIs from different Microsoft cloud services into a single endpoint, making it easier for developers to access data with one unified interface instead of dealing with multiple APIs.
• Access to Data: It provides access to a wealth of information including user data (like emails, contacts, calendar events), organizational data (like the organizational structure, employee profiles), and device data (like security updates, device configuration profiles).
• Real-Time Changes: Microsoft Graph supports real-time notifications via webhooks. It allows applications to be notified when data changes, enabling more dynamic and responsive apps.
• Cross-Platform: Being RESTful, it can be used across various platforms and programming languages which support HTTP requests.
• Permissions and Security: It uses OAuth 2.0 for authorization, ensuring that applications request specific permissions in line with the data they need access to, thereby adhering to security best practices.

Developers can use Microsoft Graph to build apps and scripts that leverage data and functionalities from various services to automate tasks, gain new insights, build reports, and more.

How to Start with Microsoft Graph API Calls

A call has four components. First is the base URL, which is always https://graph.microsoft.com.

After this, there is the API version: the v1 API or the beta API. The beta often contains more information, but the structure can change later, whereas v1 is more stable with no major structural changes.

After this the endpoint follows like deviceManagement/auditEvents. This is the endpoint which keeps the data or the action. Lastly, we also have the query-parameters. You can use them to only get the top results or to filter/extend the results.

{BASE_URL}/{VERSION}/{ENDPOINT}?{QUERY_PARAMETERS}

How to Test Microsoft Graph API Calls

The best way when you want to craft commands and run them to test is to use the Microsoft Graph explorer. You can find them under the following link:

Graph Explorer | Try Microsoft Graph APIs

This is an easy way to test the calls and check the results.

How to Find the Correct Microsoft Graph API Call

Now we know how to test the call, but how can we find the correct endpoint. This is thankfully quite easy. As described above, most portals use the Graph API in the background. We can use this to our advantage.

There are two common ways. The first method is to use your browser’s network monitor to display the data in the portal you need or to run the action you’re searching for. In the Network monitor you can then Graph the call and the body (if it is a post).

The second way is to use the GraphXRay browser extension from Eunice, Dhruv, Clement, Monica & @merill. You do the same as done for the network monitor, but the extension directly generates code for you. This is very powerful.

How to Start with MS Graph in PowerShell

To run a call in PowerShell, you have two primary ways. Here, I will describe the recommended way.

Ultimately, you need two components. One is the authentication component. For this you can use the Graph SDK. To install this SDK, you have to run:

Install-Module Microsoft.Graph -Scope CurrentUser

Or

Install-Module Microsoft.Graph.Beta -Scope CurrentUser

To authenticate locally using your user with delegated access, you can run:

Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

Once you deploy the code to an app service or Azure function, I recommend using managed identity auth. This must be activated on the service, and then you can authenticate using this command:

Connect-MgGraph -Identity

Next, check the authentication topic. How should we run a command? I recommend using the SDK here also. There is a way to use the predefined command from the SDK, but I would not recommend this way. Why? It is not consistent and very confusing due to the automatically generated code.

One example:

Get-MgDeviceManagementDeviceCompliancePolicyScheduledActionForRuleScheduledActionConfiguration

Here I will run ‘Invoke-MgGraphRequest’:

Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me

To demonstrate with a very small script:

Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"

Invoke-MgGraphRequest -Method GET https://graph.microsoft.com/v1.0/me

Conclusion: The Power of Microsoft Graph

Microsoft Graph is a versatile tool that enables you to automate tasks, gather insights, and develop custom solutions within the Microsoft ecosystem. By learning and utilizing its API calls and integrating them into your workflows, you can significantly enhance your company’s efficiency and responsiveness. Whether you are testing calls with the Graph Explorer or implementing them in PowerShell, the knowledge of Microsoft Graph opens up endless possibilities for IT professionals.

The post How to Start with Microsoft Graph appeared first on Recast Software.

This post explores why Liquit Workspace is the best alternative to Ivanti Workspace Control and Ivanti Automation. Let’s dive in.

There are a few solutions on the market that could serve as potential alternatives to Ivanti Workspace Control. Most of these alternatives are User Environment Manager solutions, which is precisely where Liquit Workspace differentiates itself. We’re not your typical User Environment Manager solution. Instead, we offer a unique approach that sets us apart in the crowded field of digital workspace solutions. 

Liquit Workspace rethinks the way organizations manage and deliver digital workspaces to their users. Organizations can dynamically offer and manage applications to their users or devices, based on context if needed. We know that digital environments are a complex mix of different workspaces, SaaS, clouds, virtualization platforms (VDI / SBC), and operating systems. Liquit Workspace stands out as a comprehensive solution in managing diverse digital environments.

Redefining End-User Computing after Ivanti Workspace Control End of Life

Many organizations today are questioning the necessity of a traditional UEM solution. With a significant shift towards hybrid workplaces for many organizations, the reliance on laptops and portal-provided applications is increasing.

However, virtual environments like Citrix or VMware remain essential due to legacy applications that require specific infrastructure and are sensitive to latency. This justifies their continued use. End-user computing (EUC) has evolved beyond just virtual desktops; now, managing apps and endpoints is increasingly important. Liquit Workspace is perfectly suited for the hybrid workplace for several reasons:

• Unified User Experience: Liquit Workspace ensures a consistent, customizable user experience across all devices. This is vital for hybrid work models where employees may use different devices in various locations.
• Efficient Application Management: Liquit Workspace guarantees that users automatically receive the latest version of the applications they need, delivered in the way they prefer. This is particularly useful in a hybrid work environment where employees may need different applications formats depending on their location.
• Self-Servicing: Liquit Workspace allows users to access what they need from an easily accessible catalog of applications and services. This is crucial for hybrid working, where IT support might not always be readily available.
• Offline Access: Liquit Workspace provides local access without an internet connection, which can be beneficial for remote workers who may not have a reliable internet connection.
• Just in Time Delivery: Liquit Workspace quickly delivers the right applications and settings to the right users or devices, no matter where they are.
• Safe & Compliant: Liquit Workspace ensures a secure and compliant environment for delivering applications and services while empowering end-users with maximum freedom within IT boundaries. Through customizable access controls and policy enforcement, Liquit Workspace enables IT administrators to maintain regulatory compliance while offering users the flexibility they need to be productive.

Utilizing Liquit Workspace allows teams to embrace seamless, efficient, and user-centric approaches to managing the hybrid workspace.

Addressing Challenges Following the End of Life of Ivanti Workspace Control

Let’s be honest, there are also some downsides. Just like the other alternatives, we face similar “challenges.” The first challenge is the inevitable migration. No matter which alternative is chosen, migration cannot be avoided. Therefore, it’s crucial to account for time, resources, knowledge, and expertise for both Ivanti Workspace Control and the newly selected alternative.

Secondly, no alternative on the market currently offers the complete functionality that Ivanti Workspace Control provides. This factor must be considered when making a choice and determining which functionality is most critical or important.

Reflecting on Ivanti Workspace Control’s Impact Before Its End of Life

Remember when RES Software was the go-to for IT pros? Those were the times when Ivanti Workspace Control and Ivanti Automation became our best friends, especially in Citrix virtual environments. They were the dynamic duo, always seen together, making our jobs easier. I personally worked a lot with both solutions, and I fell in love with it. And I know I wasn’t the only one; many of my IT peers felt the same way. The ease and convenience they brought to managing a Citrix environment were significant. We were able to create a lot of Golden Images with Ivanti Automation, all without breaking a sweat.

The beauty of Ivanti Workspace Control is its simplicity and the ability to manage everything from a single console, the flexibility it offers, and the ability to set just-in-time user settings—a dream come true for any IT admin. And now, Liquit is stepping up, offering that same simplicity and charm.

Liquit’s Advantages in the Post-Ivanti Workspace Control Era

Liquit can take care of a significant portion of the functionalities that Ivanti Workspace Control and Ivanti Automation have long provided. Liquit Workspace introduces new dimensions of control and automation that cater to the dynamic needs of today’s environments. Several new dimensions of control and automation that Liquit brings to the table include:

• Universal Agent: One agent to rule them all. The Liquit Universal Agent unifies Windows and macOS management. With the Universal Agent, the IT department can simultaneously oversee all macOS and Windows applications. Meanwhile, end-users experience smooth and uninterrupted access to their applications.
• Connectors: These connectors help manage applications across different platforms such as VMware Horizon, Citrix StoreFront, Microsoft Azure Virtual Desktop, Microsoft Store, and many more.
• Smart Icons: Liquit’s Smart Icon technology streamlines the deployment of applications across any device or location, elevating the user experience and boosting employee efficiency by automating essential functions and offering instant access based on context.

A few key Context (Workspace Containers) highlights:

• Condition sets (Zones)
• Register settings
• Set Desktop Wallpaper
• Filters and specific actions (context awareness)
• Printer mappings
• Drive Mappings
• Securing application access 
• Device deployments
• Application installations
• Set Environment Variables
• Use of scripting

Additional Benefits of Liquit

Here is a curated selection of additional benefits of working with Liquit:

• Liquit Workspace is designed to be more lightweight and can be deployed in various configurations, including on-premises or in your own cloud, without any additional costs.
• The platform can also be delivered as a SaaS solution. In that case, the need for an on-premises infrastructure is completely gone. You can get started right away and we’ll take care of any updates.
• It’s way faster compared to Ivanti Workspace control.
• Looking for ways to manage different customers at once? Look no further. Liquit Workspace supports multitenancy deployments. Particularly in terms of managing different zones (e.g. individual customers) at once and making applications available (and up to date) in an easy, highly automated and cost-effective way, Liquit Workspace is unparalleled.
• Easy support for remoting devices without the need for relay servers, just port 443. 
• Release & Patch Management with DTAP testing.
• Connection to the Microsoft Store. 
• Multi-platform, we support both Windows and macOS. 
• Launch various file formats (EXE, MSIX, MSIX, App-V etc.). In case of App-V you don’t need the App-V infrastructure anymore. Just load your App-V packages in Liquit and that’s all.
• No need for installation to use the Console (can be used via HTML5 or Liquit Launcher) 
• Later this year, MacOS applications will also be included in the Liquit Setup Store
• No need for another product for the Automation & Deployment part, like Ivanti Automation that has an integration with IWC. This is all available within Liquit from one console. 
• No bugfixes like Ivanti Workspace Control, but real new features with the latest technology.

Addressing the Challenges

While exploring alternatives to Ivanti Workspace Control, it’s essential to acknowledge that no solution can replicate its functionality entirely. However, Liquit Workspace covers many of Ivanti’s capabilities and offers additional benefits. Here are the main challenges and how Liquit addresses them:

• No Profile Management: This challenge can be resolved easily and cost-efficiently with Microsoft FSLogix Profile containers. These containers redirect the entire Windows user profile into a Virtual Hard Disk (VHD), ensuring a consistent user experience. Best of all, it’s often available at no extra cost, as it’s probably already included in your existing Microsoft licenses such as Remote Desktop Services (RDS) Client Access License (CAL), which are required to use Citrix Virtual App/Desktop environment.
• No Security Module (formerly known as RES AppGuard): This can be addressed using Windows AppLocker or Windows Defender Application Control (WDAC). AppLocker, available in Enterprise editions of Windows, lets you control which apps and files users can run. Windows Defender Application Control, introduced with Windows 10, offers advanced application control and code integrity policies to defend against various cyber threats, providing comprehensive security for Windows clients.

Remember: behind every challenge lies a potential improvement!

Seeing is Believing: A Glimpse into Liquit’s Workspace Management Capabilities

The video below provides a glimpse into what Liquit Workspace can do in this domain. This sneak peek reveals a key advantage of Liquit: a set of User settings that are executed during login, tailored for multi-platform compatibility through context.

Imagine you’re in the midst of a VDI transition, moving from Citrix to Microsoft AVD. Typically, this would mean juggling two platforms simultaneously. However, with Liquit Workspace, this process is simplified and expedited. Liquit Workspace’s intuitive design allows for a seamless transition, maintaining both platforms with great efficiency.

Preparing for a Future Beyond Ivanti Workspace Control’s End of Life

While the search for a one-size-fits-all solution continues, we remain optimistic. The synergy between different solutions brings us closer to achieving our goal. However, as we move forward and the workspace evolves, embracing Liquit Workspace signals a step towards modernizing workspaces. Embrace Liquit Workspace to future-proof your digital environment and stay ahead in the evolving IT landscape.

Ready to get started with your transition? Or do you have questions about how we can assist you? Send us an email at transition@recastsoftware.com.

The post Ivanti Workspace Control End of Life: Discover Your Next Steps with Liquit appeared first on Recast Software.

Here’s why: 

• Scattered Data: Information gets siloed across multiple tools, making it difficult to get a holistic view of your IT environment. 
• Duplication of Effort: Tasks like user management and patching become repetitive across different platforms. 
• Compliance Chaos: Meeting regulations requires jumping between tools to gather evidence, wasting time and increasing the risk of errors. 

Simplification is the cornerstone of operational efficiency. For countless IT teams globally, the challenge of juggling multiple software vendors creates a significant hurdle, affecting everything from budget allocation to compliance adherence. Recognizing this, many organizations are now turning towards a unified solution to mitigate these challenges—enter Recast Software. 

Unified IT Management: A Path to Operational Excellence

At the heart of Recast Software’s suite is the promise of unified IT management. This consolidation is not just about reducing the number of tools in your arsenal; it’s about streamlining operations in a manner that cuts down complexity and associated costs. The integration of comprehensive tools within a single suite fosters a more efficient management process, ensuring that IT teams can focus on strategic initiatives rather than getting bogged down by administrative tasks. 

Compliance Confidence: Navigating the Maze with Ease 

Adhering to compliance standards such as ISO 27001 and SOC2 is daunting for any organization. Recast Software’s suite simplifies this process. For one, Privilege Manager’s capabilities in managing admin access align perfectly with SOC 2’s criteria by ensuring that Windows operating systems are not operated with constant local administrator privileges. This targeted approach not only aids in meeting compliance confidently but also positions organizations favorably for audits. 

Enhanced Productivity: Doing More with Less

Today, the demand for increased productivity without proportional increases in staffing is a common theme. Recast Software addresses this by automating critical processes such as vulnerability remediation and application management. The suite’s ability to manage local user groups, enforce role-based access controls, and provide comprehensive patch management capabilities allows IT teams to enhance their performance significantly. Read more about our automation tool within Right Click Tools here. 

The shift towards a unified suite of tools also simplifies the training requirements for IT teams significantly. When software solutions are consolidated, training complexity is reduced, and the learning curve for new and existing employees flattens. This streamlined training process leads to quicker mastery of the tools, enabling staff to utilize the full suite of functionalities more effectively and efficiently. 

A Strategic Ally in Risk Management 

Risk management is an ongoing concern, with vulnerabilities emerging at an alarming rate. Recast Software’s suite directly targets critical areas within security protocols, acting as a sentinel against potential threats. This proactive stance is especially beneficial in the context of cybersecurity insurance, where demonstrating robust security measures is crucial. 

The Largest Third-Party Patching Catalog on the Market

A notable highlight of Recast Software’s application management offering is the integration of Application Manager, featuring the largest third-party patching catalog on the market, into the Recast Management Server. With over 2,500 applications, this expanded catalog ensures that organizations of all sizes have comprehensive coverage, thereby significantly reducing the attack surface and enhancing the organization’s security posture. 

Patch your apps on the go.

Select and manage applications from a web-based portal with Application Manager.ttt

Get Custom Pricing

The Tangible Benefits of IT Software Consolidation

Consolidating IT software with Recast Software brings many benefits. From enhanced efficiency and ease of use to cost savings and improved team unity, the advantages are clear. Furthermore, the guaranteed tech compatibility and elimination of redundancies add additional strategic value to choosing a unified suite for IT management and security. 

Streamlining IT operations and enhancing security can be more efficient than ever before. With Recast Software, organizations can navigate the challenges of modern IT management, ensuring operational excellence and compliance. IT software consolidation is not just about simplifying the IT landscape; it’s about empowering organizations to focus on what they do best, leveraging technology as a tool for success. 

The post Streamlining IT Management: The Advantages of Consolidating with Recast Software  appeared first on Recast Software.

Paint a picture of your household growing up. Could 10-year-old Jannik imagine your current successes within the Microsoft arena, including your MVP status? Could your family?

From a young age, technology and computers fascinated me, making my career not just my job but my passion. Despite being only 26, I’ve dedicated a decade to IT. Achieving MVP status was beyond my and my parents’ expectations—it was not my initial goal with blogging, yet it’s a milestone I hold in high regard.

Reflecting on your journey, could you share a moment or project that steered you towards specializing in Intune and modern device management? How has this focus shaped your career path?

Since the inception of Microsoft Intune, I was captivated by its potential, even choosing it as the subject of my final educational project. After briefly working in another area, I returned to this field, aiming to delve as deeply as possible into the product and Azure, and to learn as much as I could. I was fortunate to participate in a project where almost all our endpoints were migrated to a cloud-only management system.

With your experience in AIOPS and leveraging AI for IT operations, what strategies would you recommend for SysAdmins to shift from reactive to more proactive operations? How can tools be optimized in this approach?

I envision an increasing role for AI across all sectors in the years ahead, offering boundless potential and opportunities. I also foresee a transformation in device management, for example, with tools like the Security Co-Pilot, as well as changes in how both administrators and users will work in the future. My vision is to achieve a state where the environment is so well automated that problems are detected early and resolved automatically. Additionally, administrators will gain rapid insights that would not be possible without this new technology.

Given your recent work on creating an Intune Co-Pilot using Azure OpenAI Studio and GPT Remediation creator, what do you see as the next (or current) frontier for AI and machine learning in endpoint management and security?

Generally, I see no limits—only more opportunities. I think with the Security CoPilot, Microsoft has launched a very good product that effectively combines their offerings, and this is precisely the potential of AI. There are more and more tools and data available and integrating them will likely be one of the next trends. An administrator should no longer have to search for data sources or identify current problems; the AI should deliver this information directly to them.

From your perspective, what are the most frequent oversights you see organizations make in managing and securing their endpoints? Could you share best practices?

A common oversight is not adopting a cloud-native mindset. I think if you go in the direction of Intune management but can’t separate yourself from the on-premise way of thinking, I see this as a mistake. Of course there is software, devices, requirements that cannot or are not allowed to go into the cloud, but there are solutions for everything.

While your expertise centers on Microsoft technologies, are there any non-Microsoft tools or practices you integrate to enhance endpoint security and management? How do these complement your work with Intune?

I think Microsoft has very good products and answers for most requirements. Of course, the larger an environment, the more requirements there are that cannot always be covered out of the box. Azure presents limitless opportunities for crafting custom solutions to bridge these gaps.

However, there are also some great 3^rd party solutions like Recast, Patch my PC, and others on the market. With the Intune Suite, Microsoft also has a good strategy to collect many 3rd party products. I’m generally a fan of the “less is more” philosophy.

What advice would you give to young professionals aiming to excel in IT and potentially earn recognition as an MVP one day?

Find joy in your work. I don’t think it’s good to set the goal of becoming an MVP for yourself and only do community work for that reason. In IT, I think it’s very important to have the right mindset. Always be open to learning new things and to sharing what you’ve learned.

That’s also how I started blogging. My goal was to deal with new things, to write them down so that I can read about them and share them with others.

SysAdmin Superstars Series

Explore our other interviews with SysAdmin Superstars:

• Q & A with SysAdmin Superstars – Prajwal Desai
• Q & A with SysAdmin Superstars – Sami Laiho
• Q & A with SysAdmin Superstars: Jörgen Nilsson

The post Q & A with SysAdmin Superstars: Jannik Reinhard appeared first on Recast Software.

Step by Step: Creating a Recast Agent Deployment Process in Application Manager

To start we will navigate to the Application Manager tab in the Recast Management Server.  

From here: 

1. Click on Deployment Processes  
2. Click on the Add Deployment Process button 

Here, we will select the application that we will be deploying. In this case, I chose the Recast Agent. You can scroll through the list to find the desired application or search for it. 

1. In the search field, type the name of the application 
2. Click on the check box to select the application 
3. Click Next 

Here, you can change the name of the deployment or just leave the default name. In this case, I will use the default name and then click next. 

In this step, you will pick the desired target collection. You can search for the collection or pick it from a list, then click Save and Close.  

**You will be able to select additional collections later** 

On this page, you can set the duration of your deployment, delays, and make additional Deployment Processes for the selected software targeting different collections.   

By clicking the Duration drop down, you can select when you want to deploy the application. In this case, I will select 3 days after the application is released. 

You can click on the three dots and Add Delay. In this example, I will add a delay of 1 Day.  

By hovering your mouse over the 3 days bar, you can see that the deployment will be available after 1 day and forced at 4 days. 

After you’ve selected your desired schedule, click Save. You can now click Run or wait until it runs.  

Lastly, by clicking the + button to the right of the duration, it will give you the option to target a different collection. After selecting the desired collection, the process will be the same. 

Note: 

• It is recommended that you have different collections to target different architectures, for example: separate collections for Chrome x86 vs x64. 

• You can add your own parameters and switches to the deployments by clicking on the gear in the top right of the Deployment process, then selecting the Advanced options. 

Recast Agent Deployed via Application Manager

In wrapping up, the process outlined for deploying the Recast Agent within Application Manager demonstrates the streamlined and adaptable approach to enhancing app and patch management. This process is broadly applicable across the app catalog. 

Additional Patching Posts

• Application Management for Windows and macOS
• Rapid Software Patching Required
• Application Patching with Application Manager

The post How to Create a Recast Agent Deployment Process in Application Manager appeared first on Recast Software.

As of February 2024, Windows continues to dominate the global market with an impressive 72% share of all Operating Systems (OSs) worldwide, according to StatCounter. MacOS market share has been steadily climbing the ranks with 16% market share. Over the years, macOS has carved out a respectable niche, growing to approximately a fifth of the market. 

As diversity in OSs is the norm, largely due to employees having the free choice of their device and therefore OS, this makes it more challenging for IT Professionals. 

With that information in mind: How do you manage both needs and provide the right application, package, versions, and patches regardless of Windows or macOS Operating System? This blog showcases how Liquit solves for this problem.  

Application Management: Liquit and Intune 

I have often been asked how Liquit compares to Intune. To get straight to the point, we are not a replacement for Intune but rather a powerful enrichment. Liquit complements Microsoft Intune by providing distinct advantages that ease the frustrations faced by users and IT teams.  

Microsoft Intune is a popular Mobile Device Management (MDM) solution used by many organizations for managing their Windows devices. Support for macOS was added to Intune back in 2015, though the feature set and capabilities were not as extensive back then. This may have caused organizations to avoid Intune in the past. However, the features in Intune have grown and improved in recent years, likely aided by the free choice of a device at many companies and the steadily climbing macOS market share. The improvements within Intune make it interesting for many organizations to reconsider it now, providing an option for one MDM solution already used for Windows that can now also manage macOS devices, improving security and productivity. 

Intune is an excellent MDM solution, but still has some shortcomings regarding Application Management and deployment. Some of the well-known challenges include: 

• The Application packaging and patching struggle, which are time consuming. 
• The application deployment process, which can take significant time. 

This is where Liquit steps in to help. While not an MDM solution, Liquit serves as a powerful application management platform. Intune serves as the MDM software (security, compliance, Windows updates, and device provisioning) and Liquit as the app management platform across Windows and macOS. 

Liquit Deployment Enables Application Management in both Windows and macOS 

Liquit can do a single deployment to deliver a basic set of applications for both platforms. Microsoft Intune and Windows Autopilot will deploy the Liquit Universal Agent. After the Liquit Universal agent is installed and active, Liquit kicks off a deployment. When packages are being created from the Liquit Setup Store, you will always have the latest version of those applications installed.  

Later this year, applications for macOS will also be available within Liquit. This will work the same way as Windows applications in the Liquit Setup Store. You can, of course, also make use of applications from the Microsoft Store. 

For the recent webinar, I created a Liquit Deployment called “Webinar Demo” which contains the applications shown below. 

For Windows, I created a couple of packages from the Liquit Setup Store. Because macOS applications are becoming available later this year in Liquit, I worked around the current limitation by creating custom packages where I use bash script to download the latest version, install, and cleanup the files. See the example below for Slack. 

Created Action

Example Bash Script

/usr/bin/curl -sL "https://slack.com/ssb/download-osx-universal" -o /tmp/slack.dmg 

TMPDIR=$(mktemp -d) 

hdiutil attach /tmp/slack.dmg -noverify -quiet -nobrowse -mountpoint "${TMPDIR}" 

ditto "${TMPDIR}"/Slack.app /Applications/Slack.app 

xattr -r -d com.apple.quarantine /Applications/Slack.app 

hdiutil eject "${TMPDIR}" 

rm /tmp/slack.dmg 

To ensure that applications land on the correct Operating System, I used filters for the platform type for the packages.  

Liquit Smart Icon Technology 

Liquit Smart Icon technology is where it all comes together. IT teams get to decide the automated flow behind an icon. From a user perspective it’s a typical icon to click and open apps. However, it is much more behind the scenes. 

Without Liquit Smart Icon technology, organizations face several challenges: 

• Lack of Immediate Contextual Access: Without Smart Icons, end-users don’t have quick, context-aware access to applications. They’d need to navigate through multiple steps or interfaces to launch an application. 
• Manual Intervention for Critical Tasks: Tasks like starting Excel and connecting drive mappings and network printers would normally require manual intervention. Without Smart Icons this leads to inefficiencies and user frustration. 
• Complexity in Dependency Delivery: Without Smart Icons, ensuring that all dependencies are delivered seamlessly becomes challenging. End-users too often encounter issues when launching applications due to missing components. 
• Reduced User Productivity: The absence of Liquit’s streamlined approach means that users would spend more time managing application settings and less time concentrating on their work. 
• Difficulties Managing Patches: Without Liquit Smart Icons, organizations may need to rely on manual processes to check for updates and install them. This can be time-consuming and prone to human error. Liquit Smart Icons automatically check if the app is already installed and using the latest version. If not, Liquit installs or updates the application on-demand without the users even noticing. 

Liquit Smart Icon technology simplifies application delivery regardless of the device or location and improves the user experience, empowering employees to be more productive by automating critical tasks and providing immediate contextual access. 

Smart Icon Demos 

In the recent webinar, I demonstrated a Smart Icon for WhatsApp, which contained two actions in one Install action. The Windows application is set to be installed from the Microsoft Store, while macOS will use the custom application I created. To ensure that applications land on the correct Operating System, I used filters for the platform type for each of the packages. 

This Smart Icon contains two actions in one Launch action set. Stop at first effective action’ is activated: 

• The first action launches the WhatsApp macOS application bundle.  
• The second action launches the WhatsApp Microsoft Store app.  

I used Microsoft Teams as a second example. During the recent webinar, this application was already installed. The Smart Icon for Microsoft Teams contained four actions in one Launch action. ‘Stop at first effective action’ was again activated: 

1. Launches the Microsoft Teams Windows App (New) 
2. Launches the Microsoft Teams app (Classic)
3. Launches the Microsoft Teams macOS application bundle
4. Launches the Microsoft Teams Online url

Context Aware Automation 

In the webinar, I showed a demo where Smart Icons from WhatsApp and Google Chrome were placed on the desktop. Next, I set a custom wallpaper. Liquit enables one unified workspace on both operating systems, Windows and macOS. The trick here lies in the context: I created a context for Windows and one for macOS to get this done. The demo videos below show how this looks. 

Because both devices are not connected to Microsoft Entra ID, Single Sign-on (SSO) is impossible, so I must log in.  

Demo Videos: Below, I first launch the Smart Icon for Microsoft Teams from the Liquit Launcher. Then, I click the desktop Smart Icon for WhatsApp, it auto-installs, and then launches. 

Conclusion: Application Management for Windows and macOS 

Liquit offers a strategic enhancement to Intune, specifically tailored to bridge the gaps in application management across Windows and macOS environments. By integrating Liquit’s comprehensive application deployment and Smart Icon technology, organizations can streamline their IT processes, ensuring seamless application management and deployment. This not only simplifies the IT team’s workload but also elevates the overall user experience, making application management more efficient and effective. For those looking to optimize their application management strategy, exploring Liquit’s capabilities is a logical next step. 

Additional Liquit Posts

• Liquit, a part of Recast Software, Expands OEM Partnership with VMware
• Unbound Application Lifecycle Management
• Liquit and Intune’s Transformative Collaboration

The post Optimizing Application Management for Windows and macOS  appeared first on Recast Software.

Feedback and real-world application have driven us to update this script further. Now, it not only uninstalls applications with greater precision—regardless of whether they are .EXE or .MSI files—but also integrates seamlessly with Microsoft Configuration Manager (ConfigMgr), allowing for immediate hardware inventory updates post-uninstallation. 

A Tribute to Collaboration 

A colleague, Jason Sandys, had previously tackled this challenge himself with VBScript. His work underscores the collaborative spirit within the IT community and the ongoing dialogue between VBScript and PowerShell. Jason’s script, which also prompts a hardware inventory cycle, serves as a testament to the collaborative spirit and diverse approaches available for managing IT tasks. 

The Current Script to Uninstall Applications  

Our current script includes the following capabilities: 

• Comprehensive Inventory Management: Incorporates both delta and full hardware inventory options post-application uninstallation, ensuring your system’s inventory is always current. 
• Enhanced Compatibility: Previous versions were limited to MSI files. The updated script extends its capabilities to EXE files, broadening its application scope. 
• Efficient Application Detection and Uninstallation: Automatically detects and uninstalls all versions of a targeted application, leveraging both x86 and x64 registry keys for thorough removal. 
• Detailed Logging: Maintains a comprehensive log of all actions for auditing and troubleshooting purposes. 

Below is the beginning of the script, but download the full script here. 

Force a Full SCCM Hardware Inventory 

By default, a delta hardware inventory cycle will start as one of the last steps within the script. There is nothing more that you need to do. However, we suggest forcing a full inventory when uninstalling applications. Then all you need to do is change the $fullinventory = $false value to $true. This will force a full SCCM hardware inventory to occur. 

Deploying the PowerShell Script with ConfigMgr 

Here is how you deploy this application management script: 

1. Customize the Script: Edit the script to specify the application(s) you wish to uninstall. Utilize wildcards (*) for broader matching criteria. 
2. Set Inventory Preferences: Decide whether to trigger a delta or full hardware inventory post-uninstallation and adjust the script accordingly. 
3. Prepare for Deployment: Create a package in SCCM, setting the command line to execute the PowerShell script with appropriate execution policies. It should look similar to the following: 
   • powershell.exe -ExecutionPolicy bypass -file Uninstallv10.ps1 

4. Deploy: As with any SCCM program, deploy your package to the targeted systems for automated application management. 

Using the Uninstall Application Script 

You can see in the screenshot below that several copies of MIR were installed on this test computer last year. 

Our program is set to silently deploy in the background. Nothing to see from an end-user’s perspective! 

If you would like to verify that the PowerShell script is running, look at the Task Manager. You’ll have to be quick! The script only takes a few seconds to a few minutes to run depending on the number of ARP it must remove.  

As an aside, you can also see that the script ran within the Execmgr.log on your test computer. 

You can see from the screenshot above that after a few minutes all the Monitor Information Reporting ARP entries were removed. 

Remember that the hardware inventory cycle (delta or full) will start soon after all applications are uninstalled. It only takes a few seconds to run (~60 seconds). 

Reboot Computers 

In some cases, you might want to reboot the computers after the hardware inventory is submitted to SCCM. In our case, we added a Sleep command to the PowerShell script for 75-seconds before rebooting. If your hardware inventory takes longer, simply adjust the time accordingly. 

Here are the commands we used: 
Start-sleep – seconds 75 
restart-computer –force 

The Impact of Streamlined Application Management 

Utilizing this script not only simplifies the uninstallation process but also enhances your IT environment’s security and efficiency by ensuring only necessary applications are installed and accurately reflected in your hardware inventory. This approach to application management aligns with best practices in IT security, ensuring systems are not burdened with outdated or unnecessary applications that could pose security risks. 

Final Thoughts 

The journey from the initial script to its current form illustrates the power of feedback, collaboration, and continuous learning in IT operations. As we move forward, embracing these advanced tools and techniques will be key in navigating the complexities of modern IT environments, ensuring we remain at the forefront of efficiency, security, and operational excellence. 

The post Using PowerShell to Uninstall Applications appeared first on Recast Software.

My colleague Marty Miller recently wrote a post titled, How to Configure BitLocker with Intune using the Device Configuration Profile Method. Today’s post will walk you through the process of setting up BitLocker on Windows devices using Intune’s Disk Encryption Profiles method, offering peace of mind and enhanced security for your IT environment. 

What is BitLocker?

BitLocker, a feature offered by Windows, helps encrypt volumes, aiding your organization in avoiding data theft and loss from malicious attempts. It’s a feature that enables encryption at rest. 

Requirements to enable BitLocker with Intune: 

• Microsoft Endpoint Manager Intune License 
• Entra Joined or Hybrid Entra Joined device. 
• Devices must have a TPM chip at version 1.2 or higher (2.0 recommend) 
• Windows 10/11 Pro, Education & Enterprise 
• BIOS set to Native EUFI 

Built in roles to manage BitLocker: 

• Help Desk Operator 
• Intune Administrator 
• Global Administrator 

Create Endpoint Security Policy to Configure BitLocker 

Sign into the Microsoft Intune admin center by going to https://intune.microsoft.com

Create a Profile

Select Endpoint Security on the left-hand panel > Scroll down and under “Manage” click on Disk Encryption > On the Disk encryption page click on + Create Profile > Platform: Windows 10 and later, Profile: BitLocker > click Create. 

On the Basics page you will need to add a Name to the policy and an optional description. > click Next when ready. 

On the Configuration settings page, the BitLocker drop down menu shows the following: 

• Require Device Encryption – This allows the IT administrator to enable or disable the requirement of BitLocker. By default, it’s set to not configured. In this case, I will set it to Enabled. 
• Allow Warning for Other Disk Encryption – This allows admin to disable all notifications about BitLocker encryption or prompts to the users, for a silent deployment of encryption. If you select Enabled, your users will see a warning prompt and encryption notification. If you select Disabled, your users will NOT see a warning prompt or encryption notification. If left at default, users will see warning and notification prompts. I will go ahead and select Disabled to run a silent encryption. 

When “Disabled” is selected the Recovery key is backed up to the users Microsoft Entra account. 

•  Allow Standard User Encryption – Allows for Admin to enable BitLocker where the user logged in is not an administrator. If you select Enabled, this policy will try to enforce encryption on all drives even if the user on the device is a standard user. If you select Disabled, the policy will not be set and if the logged-on user is a standard user it will not try to encrypt any drives. In this case, I don’t care if the user is or is not an administrator. Either way, I want to push the policy. I will select Enabled. 
• Configure Recovery Password Rotation – This is a setting that lets you rotate your BitLocker Password after you have used it to recover or unlock your device. You have four options. The first is Refresh off (default), which means BitLocker keys will not rotate after use. Next, you have Refresh on for Azure AD-Joined devices, this will rotate password after use on Azure AD-Joined Devices and the next choice is Refresh on for both Azure AD-joined and hybrid-joined devices, Here the password will rotate upon use on for Azure AD-Joined devices AND hybrid-joined devices. And last you have Not configured which, rotation is turned on by default for Azure AD-Joined devices and off for hybrid. In this case, I will select Refresh on for Azure-AD joined devices. 

BitLocker Drive Encryption

On the section below BitLocker, you are prompted with Administrative Templates where you can enable additional settings for BitLocker Encryption. I will go ahead and enable settings at a high level but please set the configurations based on your organization’s needs. 

Under Windows Components > BitLocker Encryption you see the following Choose drive encryption method and cipher strength (Windows 10 [ Version 1511] and later): Here you can enable the algorithm and cipher strength that will be used for BitLocker Drive Encryption. I will select Enabled. 

Once you select enabled, you will be prompted with other options on what encryption methods you want to use. I will keep all the defaults for the sake of simplicity. 

Next, you see ‘Provide the unique identifiers for your organization.’ You can leave that as ‘Not Configured’ since you do not need to associate unique identifiers to your BitLocker protected drives. 

Operating System Drives

Windows Components > BitLocker Drive Encryption > Operating System Drives.

Enforce drive encryption type on operating system drives: This setting allows you to set up the encryption type you want used by BitLocker Drive Encryption.

Options: 

• Disabled: If not enabled, the user will be prompted to select the encryption type before BitLocker is enabled. 
• Enabled: This will determine the encryption type that BitLocker will use from this policy 
• Not configured: (Default): Same as Disabled, user will be prompted to select the encryption type before BitLocker is enabled. 

If enabled is selected, you can choose the encryption type: 

Select the encryption type: (Device): 

• Allow user to choose (default): 
• Full Encryption 
• Used Space Only encryption. 

Next, you have the option to Require additional authentication at Startup. 

Options: 

• Disabled: No authentication needed at startup 
• Enabled: You can require users to enter a password, pin etc. before they can access the encrypted data. 
• Not Configured: No authentication needed at startup. 

I will set mine to not configured but if enabled, you get the following prompts. 

• Configure TPM startup key and PIN: 
• Configure TPM Startup PIN: 
• Configure TPM startup: 
• Configure TPM startup key: 

In the next section, you see the following (to avoid confusion, I will blur out the section already covered): 

Configure minimum PIN length for startup: Which is a good choice if you want your users to have a PIN to unlock devices to access encrypted drives. 

Configure enhanced PINS for startup: This allows for your users to use enhanced PINS with both upper or lowercase letters, numbers, spaces and symbols. 

Disallow standard users from changing the PIN or password: If disabled or not configured standard users can change BitLocker PINS 

Allow devices compliant with InstantGO or HSTI to opt out of preboot PIN: If this is not enabled, options of the top section Require additional authentication at startup is used. 

Enable use of BitLocker authentication requiring preboot keyboard input on slates: 

Choose how BitLocker-protected operating system drives can be recovered: This is a control to allow you to recover OS Drives in the absence of the startup key. 

Configure pre-boot recovery message and URL: This will allow you to create a message or URL that is shown on BitLocker recovery screen when locked. This can provide you with information on next steps. 

Fixed Data Drives

Almost there! Next up, Windows Components > BitLocker Drive Encryption > Fixed Data Drives. 

You find the following options in that section: 

Enforce drive encryption type on fixed data drives: This setting allows you to set up the encryption type you want used by BitLocker Drive Encryption. 

• If enabled you can choose the encryption type: Full encryption, Used Space Only encryption and     Allow user to choose (default) 

Choose how BitLocker-protected fixed drives can be recovered: This is a control to allow you to recover OS Drives in the absence of the startup key. 

Deny write access to fixed drives not protected by BitLocker: This gives you the control to allow you to give users the ability write data to drives not protected by BitLocker. 

Removable Data Drives

In the next section, you find Windows Components > BitLocker Drive Encryption > Removable Data Drives. 

You find the following options for this section, which will cover how to configure BitLocker for removal drives such as external hard drives and USB drives. 

Control use of BitLocker on removable drives: This is a setting that gives you the control to use BitLocker on removable drives. 

Deny write access to removable drives not protected by BitLocker: This gives you the control to allow you to give users the ability write data to drives not protected by BitLocker. 

Configuration Example

For Demo Only

I’ll show you what I have configured for demo purposes only. This is not a recommendation or advice for your environment. 

BitLocker Section

Administrative Templates: Windows Components BitLocker Drive Encryption 

Administrative Templates: Windows Components BitLocker Drive Encryption > Operating System Drives 

Administrative Templates: Windows Components BitLocker Drive Encryption > Fixed Data Drives 

Administrative Templates: Windows Components BitLocker Drive Encryption > Removable Data Drives 

Once you configure this policy to meet your organizational needs, click ‘Next.’ You will land on the Scope tags page. Fill in as needed. 

Select the assignment for this policy. I suggest starting with a pilot group before deploying company wide. 

Once you have reviewed your configuration settings, go ahead and create. 

Check BitLocker Policy

Let’s check that the new BitLocker policy is working correctly. Currently on my test device, I can see that my machine’s disk is not encrypted as I have the option to Turn on BitLocker. I will go ahead and sync this device through the Intune portal to force the policy just created.  

After a few syncs, I can see BitLocker is enabled.  

Configure BitLocker on Windows Devices with Intune

BitLocker Successfully Enabled 

The integration of BitLocker with Microsoft Intune offers a streamlined and secure approach to disk encryption on Windows devices. By following the steps outlined in this guide, you can effectively protect sensitive data from unauthorized access, significantly reducing the risks associated with lost or stolen devices. Remember, adapting these settings to the specific needs of your organization is crucial for optimal security.  

If you have any questions or require further assistance in configuring BitLocker with Intune, do not hesitate to reach out to me via Twitter or via our support team. Stay proactive in your cybersecurity efforts and ensure your organization’s data remains protected and compliant. 

Additional BitLocker Posts

• How to Configure Bitlocker with Intune: Device Configuration Profile Method
• BitLocker Compliance Tool Dashboard: Ensure Compliance Before Loss or Theft

Right Click Tools Enterprise is loved and trusted by thousands.

96% of our customers keep coming back and renewing because Right Click Tools is essential to their environment.

Get Custom Pricing

The post How to Configure BitLocker on Windows Devices with Intune: Disk Encryption Profiles Method  appeared first on Recast Software.

Why Upgrade? 

But why should companies consider upgrading their operating systems when the one currently in place works just fine? That might be true at this moment, however, there are benefits to upgrading operating systems. Here are a few: 

• Security – When you are running on outdated operating systems, you are leaving yourself open to system vulnerabilities, which can lead to security breaches. 
• Performance – Upgrading to the latest software could help improve performance and speed, while adding stability to your devices. 
• Compatibility – There are some applications that may require your device to be using a certain operating system to perform correctly. Avoiding OS upgrades could disrupt workflow and productivity if not addressed. 
• Compliance – If your organization needs to follow certain guidelines or standards for device operating systems, you’ll need to ensure you comply with their requirements. 

How to Upgrade from Windows 10 to Windows 11 using Intune 

Convinced? Perfect. Let us roll out Windows 11 then. Well before we can do that let us make sure we meet the following requirements for Windows 11 upgrade with Intune. 

Prerequisites for Windows 11 Upgrade with Intune 

You need the following licenses to leverage Intune’s Feature updates for Windows 10 and later: 

• Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) 
• Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) 
• Windows Virtual Desktop Access E3 or E5 
• Microsoft 365 Business Premium 

Feature updates are supported for the following Windows 10/11 editions: 

• Pro 
• Enterprise 
• Education 
• Pro for Workstations 

Device Specification requirements for upgrading to Windows 11: 

• Processor: 1 GHz or faster with 2 or more cores on a suitable 64-bit processor 
• Memory: 4GB RAM 
• Storage: 64GB or more 
• System Firmware: UEFI, Secure Boot compatible 
• TPM: Trusted Platform Module (TPM) version 2.0 

You must also have the following in place for devices: 

• Be running a version of Windows 10 that is still supported. 
• Be enrolled with Intune MDM and Hybrid AD Joined or Entra AD Joined. 
• Have Telemetry on and at a minimum have it set to required. 
• Set Microsoft Account Sign-in Assistance (wildsvc) to run. By default, it’s set to Manual (Trigger start), allows to run when needed. 

Okay, now that our bases are covered, let us go ahead and upgrade! 

How to Upgrade: Step-by-Step

Login to Microsoft Intune Admin Center (https://intune.microsoft.com) 

In the Microsoft Intune Admin Center, select “Devices” > “Feature updates for Windows 10 and later > “Create Profile“. 

Create a new Windows Update Ring specifically for the Windows 11 upgrade, assign a name to help easily identify the feature update deployment, and then give it a description to help give the policy some context. Under the Feature deployment settings, set the version of windows you want to deploy next to Feature update to deploy. Once your option is selected, next select the Rollout options to manage when you want this update available. 

Assign the Windows Feature Update Ring to the targeted Windows 10 devices that you want to upgrade. I created a static group named ‘US IT Users’ to easily scope out a test group. I recommend starting off with a pilot group to help you navigate this change and get feedback to improve the rollout to your broader organization. 

Review your assignments and policy. Once it looks accurate, go ahead and create it. 

Testing the Policy

Now that we have set that policy, let us try it. Below I will highlight a user from that group that was on Windows 10, and we will see the experience on how it is when we upgrade it to Windows 11.  

Here is my device running on Windows 10, Version 22H2 (OS Build 19045.3448).

I ran a sync from the company portal and came back to it later to find a Windows 11, version 22H2 update ready to download!  

Here I let the download run and came back to it a little bit later. As we see, we will need a reboot to apply those updates. 

Voilà! After rebooting and allowing the process to complete, we successfully landed on Windows 11, Version 22H2.

Conclusion 

In conclusion, upgrading your organization’s devices to Windows 11 using Microsoft Intune can help enhance security, performance, and compliance. With Intune’s features, the once-daunting task of upgrading becomes a streamlined process, allowing for a smoother transition than my peers experienced in the past. 

Starting with a pilot group is a prudent approach, enabling you to gather insights and adjust before a full-scale rollout. Remember, an operating system upgrade isn’t just a technical change — it’s a strategic move towards a more robust, efficient, and secure infrastructure. 

Other Intune Posts

• How to Set Up Windows LAPS with Microsoft Intune 
• How Recast Software Powers Your Intune Migration
• Right Click Tools Helps Co-Managed Intune and ConfigMgr Environments

The post How to Upgrade Windows 10 Devices to Windows 11 with Intune  appeared first on Recast Software.