Intune on Nicola Suter

Did you hear that maester supports Intune?

Thu, 04 Dec 2025 20:00:07 +0000

Did you know that the maester framework now supports Microsoft Intune checks? In this blog post, I’ll give you a quick overview of the new capabilities and how to get started.

About Maester
#

Maester is an open-source security assessment framework that helps you evaluate the security posture of your Microsoft Entra ID and Microsoft 365 environments. It provides a collection of tests that can be run against your tenant to identify potential misconfigurations and security risks.

After executing the tests, maester generates a detailed report that highlights the findings and provides recommendations for remediation:

Intune Related Checks
#

The great thing about maester is that it’s highly extensible, allowing you to add custom tests and checks based on your specific requirements. To share some Intune best practices with the community, I contributed a set of Intune related checks to the maester framework.

The following Intune checks are now available in maester:

MT.1090 - Global administrator role should not be added as local administrator on the device during Microsoft Entra join
MT.1091 - Registering user should not be added as local administrator on the device during Microsoft Entra join
MT.1092 - Intune APNS certificate should be valid for more than 30 days
MT.1093 - Apple Automated Device Enrollment Tokens should be valid for more than 30 days
MT.1094 - Apple Volume Purchase Program Tokens should be valid for more than 30 days
MT.1095 - Android Enterprise account connection should be healthy
MT.1096 - Ensure at least one Intune Multi Admin Approval policy is configured
MT.1097 - Ensure all Intune Certificate Connectors are healthy and running supported versions
MT.1098 - Mobile Threat Defense Connectors should be healthy
MT.1099 - Windows Diagnostic Data Processing should be enabled
MT.1100 - Intune Diagnostic Settings should include Audit Logs
MT.1101 - Default Branding Profile should be customized
MT.1102 - Windows Feature Update Policy Settings should not reference end of support builds
MT.1103 - Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups
MT.1105 - Ensure MDM Authority is set to Intune

Example
#

To run the tests you can simply run:

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Wed, 10 May 2023 00:00:00 +0000

Did you know that for the new Windows LAPS Azure AD is also maintaining the password history? The built in PowerShell commandlet relies on the Microsoft Graph PowerShell SDK and within this post I want to show you how to work with the Get-LapsAADPassword cmdlet.

Kudos to Niklas Tinner as he brought this to my attention while working together.

Where is this command originating from?
#

The Get-LapsAADPassword cmdlet is part of the LAPS PowerShell module that was baked into the Windows Operating system with the April 2023 quality updates.

The module is maintained as part of the Operating System and builds the Interface to interact with Windows LAPS locally on a device. The module binaries reside within C:\Windows\system32\WindowsPowerShell\v1.0\Modules\LAPS and consist of DLLs and PowerShell files:

Let’s retrieve some passwords
#

Before we can start retrieving passwords we need to make sure, that we have the appropriate Microsoft Graph PowerShell SDK module present.

We can easily check this with the following PowerShell command:

Get-Module -Name Microsoft.Graph -ListAvailable

If you do not retrieve any output, you need to install the module with local Administrator privileges with:

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Fri, 21 Apr 2023 18:56:24 +0000

Loooooong awaited and it’s finally here - the new Windows LAPS. With the previous announcement(s) of the integration into the native Windows operating system and support for Azure AD join this was a long-awaited feature. With the recent patch Tuesday the binaries were backed and delivered natively into the current Windows client and Server OS and today they also launched the Azure AD backend that can serve as the backup source for passwords. Within this post, I want to give you a quick impression of what the deployment experience currently looks like and where I needed some adjustments to get the expected result.

Setup
#

Prerequisites
#

To deploy LAPS with Azure AD password backup and Intune you need licenses/access to those tools and Windows 10/11 devices with the latest April patches installed. A full list of prerequisites is provided by Microsoft here.

Azure AD enablement
#

Unlike the on-premises AD LAPS enablement we do not need any schema extensions and can simply enable the following toggle within our Azure AD device settings:

You must not touch my endpoint security settings!

Sun, 12 Mar 2023 00:00:00 +0000

Intune Endpoint Security Configuration Settings have become the way to go for configuring security features on various platforms. What did start with Microsoft Defender for Endpoint settings for Windows clients has evolved to settings for macOS, Windows Servers and is treated like a first class citizen. So it is important to guard those sensitive configurations as they control (and can potentially disable) vital security features on endpoints such as defender tamper protection, attack surface reduction rules, firewall and many more.

Within this post I want to show you an approach to monitor changes to Intune Endpoint security settings with Microsoft Sentinel and watchlists that can be easily customised based on your environment and needs. My main idea is to classify the sensitive configurations in the environment and only creating incidents for those. Of course you could alert on every Intune configuration change but for most of the environments this would lead to many alerts without providing value.

Prerequisites
#

Changes to the Intune Endpoint security settings area are visible like other changes within the Intune Audit Logs.

To have the audit events within our Sentinel workspace we need to enable the forwarding for at least AuditLogs. This can be done within the Intune Tenant Administration > Diagnostic Settings blade.

Migrating to the new Windows Store experience

Mon, 30 Jan 2023 18:56:24 +0000

The Microsoft Store for Business will be discontinued mid 2023 and Intune recently introduced the new Windows Store experience backed by winget to distribute apps to your Intune managed endpoints.

To simplify the migration to the new Windows Store experience I created a PowerShell Script that migrates all currently assigned Windows Store for Business apps to the new Windows Store experience.

Kudos to Sander Rozemuller for providing detailed instructions about creating winget apps as PowerShell code samples.

Challenges
#

While scripting and extracting the existing Windows Store for Business (WSfB) apps I encountered the following issues:

Not all apps in WSfB have valid privacy and information URLs, therefore I added a check whether the URL starts with http(s).
Some apps have characters present (äöüë….) that require UTF-8 encoding. So I explicitly set the HTTP content-type header to UTF8.

Script prerequisites
#

To run the script you need to have the Microsoft Graph PowerShell SDK modules installed on your machine. You can install them with the following command:

Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Devices.CorporateManagement -Scope CurrentUser

From a permissions perspective you need an Azure AD Application Administrator for the initial OAuth permission consent and for regular execution the Intune Administrator role.

Setting up a radius server for Azure AD joined devices and 802.1x

Sun, 25 Sep 2022 00:00:00 +0000

A common pitfall in environments where Windows server is used for radius authentication is that Microsoft network policy server (NPS) does currently not support device based authentication for Azure AD joined devices. NPS always checks for the existence of a corresponding computer object in AD. For my home setup and lab I wanted to build a radius solution to enable 802.1x authentication on my Wi-Fi network.

Disclaimer
#

This post describes my setup and does not cover prerequisites like certification authority, certificate revocation and client certificate deployment via SCEP. Furthermore you should be familiar with docker, network topics, dns and Intune.

Available solutions
#

Well known commercial Network Access Control (NAC) solutions like CISCO ISE or Aruba Clearpass often ship with an integrated RADIUS server and the possibility to configure wheter LDAP lookups for computer accounts should happen. Important is, that the solution supports certificate revocation checks either via CRLs or OCSP to ensure network access is blocked when a client certificate is revoked.

For my home and lab setup I wanted to leverage a free or open source solution and decided to use freeRADIUS, probably the most popular open source radius server. freeRADIUS supports EAP-TLS for 802.1x authentication out of the box and is well documented. Additionally, I was looking for a solution that can be deployed to both locallly in my network (e.g. on a raspberry pi) and also to PaaS offerings like Azure.

Android dedicated devices managed home screen and system apps

Tue, 20 Sep 2022 00:00:00 +0000

Android enterprise dedicated devices with the Microsoft Managed Homescreen app are a conenient way to provide devices with restricted functionality and customized look and feel to end users. Because the Managed Homescreen app acts as an overlay to the underlying Android certain prompts and features are not enabled by default unless you allow-list them by deploying the corresponding Android System App and add the app to the kiosk device restrictions.

System Apps
#

System apps can be added as separate app type within MEM:

It is important to deploy the desired system apps as required to your devices and also adding them within the kiosk configuration:

List of commonly used System apps for Samsung devices
#

Based on a recent project where we had Samsung devices in place we allow-listed the following system apps within the kiosk configuration:

Description	App Bundle ID
USB File Transfer Prompt Android Version < 12	`com.samsung.android.MtpApplication`
USB File Transfer Prompt Android Version >= 12	`com.android.mtp`
Android System UI (used for a variety of prompts)	`com.android.systemui`
Service Mode App (USB prompts)	`com.sec.android.app.servicemodeapp`
Knox license prompts	`com.samsung.android.knox.pushmanager`
Samsung Android update prompts	`com.wssyncmldm`
Knox smdms	`com.sec.enterprise.knox.cloudmdm.smdms`
Knox container core	`com.samsung.android.knox.containercore`
Knox attestation	`com.sec.enterprise.knox.attestation`
Keyboard changes	`com.samsung.android.honeyboard`

An indicator to decide wheter you need to add an app to the list is always when you can see the prompts outside of the managed homescreen app after leaving the kiosk mode. {: .notice–info}

The easiest way to work with the Microsoft Graph PowerShell SDK

Fri, 09 Sep 2022 00:00:00 +0000

When you are new to RESTful APIs and want to start with Microsoft Graph to automate tasks in your Endpoint Manager tenant all the stuff about app registrations, access tokens, pagination and request headers can be quite confusing. In this post I want to show you a quick tip to kickstart your Microsoft Graph API experience.

Requirements
#

Cloud admin account with Intune Administrator role assigned
Ability to install Modules from the PowerShell gallery

JWT
#

Just because you can’t see it… doesn’t mean it isn’t there: Due to the naturality of OAuth 2.0 and OpenID connect (these are the protocols involved for authorization and authentication in a cloud environment) we can capture short lived access tokens, also called Json Web Tokens (JWTs) directly from a browser. Tokens are usually valid between 50 and 60 minutes - just what we need to get some hands on with Microsoft Graph API and MEM automation.

The cool thing is actually that we don’t need any kind of app registration or additional permissions which can be quite some blocker in certain restricted environments (or staff unfamiliar with those technologies 😉).

Intune app protection policy report

Mon, 13 Dec 2021 00:00:00 +0000

App protection (also called MAM) policies have been around for a couple of years within MEM and I already used them in various projects to protect company data on unmanaged iOS and Android devices. One of the drawbacks with this approach is that we do not have full visibility about the usage and I tried to shed some light about this with a PowerShel reporting script that pulls data from the Microsoft Graph API.

Information visible within the portal
#

In the MEM portal we can find report data about the number of users that have checked-in to any MAM policy grouped by the respective app.

If we want to perform a wipe we will also be able to see the devices a user has registered:

Of course I was curious which additional data is available on the Microsoft Graph API and found the following resource storing app protection policy check in details: /users/{ID}/managedAppRegistrations.

Script
#

The script uses the Intune PowerShell SDK (could easily be ported to MSAL.PS because I wrote it already a couple of months ago) to enumerate all internal users within the tenant and will check the above mentioned managedAppRegistrations resource. At the end you are presented a flattened CSV report containig the following details:

Dealing with Intune OMA-URI encoding and applocker rules

Tue, 16 Feb 2021 00:00:00 +0000

While fine-tuning and adjusting applocker policies for co-managed Windows 10 clients I got really annoyed by special characters commonly used in the German/Swiss language. The Intune portal seemed to use different encoding and didn’t allow me to just copy/paste the currently deployed policy and extend it with a new rule. I needed to request the original file that was uploaded to the tenant in order to adjust the rule. Instead of just accepting this I decided that it is time for an easier approach which I will share with you.

The actual issue
#

After uploading the XML with the applocker policies (in my case EXE rules), special characters like ‘ö’ or ‘ü’ have a weird encoding displayed in the portal. The next person that wants to edit the policy needs to take care to fix the unrecognized characters otherwise the publisher rule won’t work anymore.

Top: Portal view of the special characters, bottom: original file.

Fixing things
#

Save file with UTF-8 encoding
#

First, make sure that you saved an uploaded the file with UTF-8 encoding as this introduces support for most character sets. You can do this by selecting the encoding box in the right bottom of Visual Studio Code:

Android Enterprise Enrollment: Page Not Found

Sat, 19 Dec 2020 00:00:00 +0000

While doing some Android Enterprise enrollment tests for corporate-owned devices with work profiles I stumbled over the following issue after signing-in with the work account: “Page not found”.

The solution is fairly simple, just double check that your user does not have the device enrollment manager role assigned, which can be found under the device enrollment pane:

The docs tell us:

If you’re enrolling Android Enterprise personally-owned work profile or corporate-owned work profile devices by using a DEM account, there is a limit of 10 devices that can be enrolled per account. Microsoft Docs

In my case, I wasn’t exceeding that limit because it was the first enrollment with that account so I’m not sure if the docs are accurate.

Updated 21.12.2020:

~~I already opened an issue on GitHub about the doc contents.~~

@nicolonsky Good question. Using a DEM account isn’t available to enroll COPE devices. We fixed the article. The changes should be live later today. Thanks for bringing this to our attention.

Hope this helps.

Housekeeping for stale MEM profiles

Wed, 16 Dec 2020 00:00:00 +0000

When involved in new projects I often find a bunch of old profiles in the Microsoft Endpoint Management Console. Before going ahead with a new implementation it’s the best time to clean-up all the leftovers from past ramblings.

How to identify stale profiles
#

If one or multiple statements are met for a profile it is very likely to be a stale profile:

No assignments, assignments to a group without members
“Test” included within the profile name or description
Last modified points back in time for more than a year
No devices reported success/failure status for the given profile type

What to do with stale profiles
#

So let’s be brave and delete them. But Intune doesn’t offer any [CTRL] + [Z] or recycle bin possibilities so we might want to have some kind of archive, just in case?

Let’s agree that we:

Check the points from the list above
Ask our colleagues if they know something about the profiles and their usage
Take a backup

deleting them afterward is a reasonable action which is probably beneficial for everyone.

Export and import MEM Endpoint Security Profiles

Thu, 19 Nov 2020 00:00:00 +0000

Recently I got a DM on Twitter with a question about how to export and import Endpoint Security profiles with Microsoft Graph. Besides a technical answer which might be of interest for you, I’d like to show you the workflow I used to give a proper reply.

Original question:

Hi @nicolonsky, I was advised on the MS Elite Partner focus groups team (MEM Automation) to reach out to you regarding my question about export/import policies from Endpoint Security in Intune. I’ve been able to export the Disk Encryption policy (via graph explorer), but haven’t been able to find the correct format to use to upload/import it. I was hoping that you would be able to advise on how to go about achieving this.

Workflow
#

Discover request URL’s and payload
#

To discover the request URLs and payloads I used the methodology I explained in the this post a while ago. Basically, I tracked the network activity and used a filter to only include requests made to the Graph API while doing the following activities:

Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations

Mon, 28 Sep 2020 00:00:00 +0000

While looking into the new Microsoft Defender Antivirus report available in MEM (Intune) I discovered some machines which did not report any recent Defender antimalware scans, despite configured via configuration profile. Of course, AV scans are kinda old-fashioned against rapidly evolving threats but a regular quick scan won’t hurt anyone. Instead of having a look at every single machine affected, I decided to try out the new proactive remediations feature which went globally available last week and let endpoint analytics do the detection and remediation work for me. As a reference, I used the Tutorial: Proactive remediations from Microsoft which covers the process quite well.

PowerShell scrips
#

For Endpoint analytics / Proactive remediations we need two PowerShell scripts. The first script is used as a detection script and determines whether remediation is necessary based on the exit code. Exit code 0 indicates a healthy status and exit code 1 indicates remediation necessary. Remediation occurs with a second PowerShell script.

To detect the most recent Defender scan I used the Windows Eventlog. Event ID’s are documented here.

Detection script
#

Remediation script
#

The remediation script is just about a one-liner to trigger a quick scan. You can extend this based on your requirements and respective to your Intune settings. E.g. triggering a signature update for a scan or adding additional steps.

Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal

Tue, 08 Sep 2020 00:00:00 +0000

You always wanted to automate a specific action within Intune / the Microsoft Endpoint Manager Portal (MEM) but were afraid of the complexity? The Microsoft Graph API docs deliver you more questions instead of answers? Automating tasks within the MEM portal could be very easy, couldn’t it? I promise it will be much simpler with this magician trick.

Microsoft Endpoint Manager Portal
#

The MEM Portal UI relies on the Microsoft Graph API. This means that the UI where you create new settings and policies and the Intune backend are encapsulated with different layers. Communication between the UI and the backend happens with the Microsoft Graph API. With the developer tools we can trace network traffic and discover the request URLs and request body payload which are required to interact with the API.

{: .align-center}

Example about how to capture URLs and build a PowerShell script
#

Original request body:

Bulk create Intune mobile app deployment groups and assignments

Wed, 19 Aug 2020 00:00:00 +0000

Creating assignments and software deployment groups for Intune mobile apps is quite a repetitive and manual task. Because of that, I want to share a PowerShell script with you which allows you to automatically create software deployment groups in Azure AD and the assignments for various intents.

The script allows you to:

Create Azure AD groups (install uninstall purpose)
- Pick existing groups based on displayName
Assign Intune mobile apps (tested for Win32 and MSI LOB apps)

You can find the script on my techblog GitHub repository.

Because of the configurable group prefixes the script helps you to keep your Intune environment clean and implement a standard app assignment configuration.

The script uses the Microsoft Graph API and the following resources

https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps
https://graph.microsoft.com/beta/deviceAppmanagement/mobileApps/{AppID}/Assignments
https://graph.microsoft.com/beta/groups

It uses the preregistered app “Microsoft Intune PowerShell” which exists by default in all tenants. If you want to run the Script with PowerShell 7 you need to create an adjust the MSAL token section with the -DeviceCode parameter.

You can bulk select the apps you want to create the assignment and AAD deployment groups:

Hope this saves you some time.

Intune scope tags and role-based access control explained

Mon, 03 Aug 2020 00:00:00 +0000

For larger Intune environments a solid role-based access implementation becomes crucial to ensure a secure administration. But how does Intune role-based access control (RBAC) work in combination with scope tags and how to get started? This post gets you covered with explanations and practical examples.

Role-based access control within the Microsoft 365 ecosystem
#

Within the Microsoft 365 ecosystem, Microsoft provides Azure AD administrative roles to administrate services like Exchange (Exchange administrator), SharePoint (SharePoint administrator), Intune (Intune administrator) and so on.

As you can see Azure AD provides (usually) only one role which grants full administrative access over a service. You can configure more fine-grained controls within the service itself - that’s where the RBAC controls of the respective service kick in.

To give you another example: You might have a 1^st or 2^nd level support department which needs permissions to perform remote actions on Intune managed devices. Instead of assigning them the Azure AD Intune Administrator role, it’s more convenient to assign them a fine-grained Intune RBAC role which delegates exactly the permissions needed.

As the name already indicates Intune related roles only live within the Intune tenant and cannot be managed from AAD and vice-versa:

Managing the new Microsoft Edge Browser with Intune

Mon, 03 Feb 2020 15:40:58 +0000

With the availability of the new Edge browser based on chromium I gained the first experiences about configuring the browser in an enterprise environment. Of course I want to share those with you. This post hopefully helps you to roll-out and configure the new Edge Browser with Microsoft Intune.

Install the new Edge Chromium with Intune
#

The installation of Edge is not the main topic of this post. The Edge browser is available in Intune as built-in app type like the Office 365 suite. More information about the installation process is available here.

Set Edge Chromium as default browser
#

Default applications are configured on the Windows 10 operating system level via app associations. The current app associations of a device can be exported with dism and the command:

Dism /Online /Export-DefaultAppAssociations:"appassociations.xml"

Which will produce a file containing all associations. For setting Edge as the default browser this one is sufficient:

To deploy an app associations file with Intune it needs to be base64 encoded. I used the base64encode online tool.

Intune configuration
#

To distribute the default app association configure the following OMA-URI in a custom device configuration profile:

Prevent Intune devices from getting the Microsoft search (Bing) plugin

Fri, 24 Jan 2020 11:19:24 +0000

Microsoft recently announced to install a Bing extension on new and existing Office 365 ProPlus installations which will set Bing as the default search engine starting with the first Office 365 ProPlus release in 2020 - not appreciated Microsoft and definitely not what customers want! The extension will be shipped for new Office installations and existing clients with Office 365 ProPlus installed when they update.

Update 11.02.2020: “ The Microsoft Search in Bing browser extension will not be automatically deployed with Office 365 ProPlus.” - I will keep this post for the archives.

Starting with Version 2002 of Office 365 ProPlus, an extension for Microsoft Search in Bing will be installed that makes Bing the default search engine for the Google Chrome web browser only on devices in certain locations. This extension will be installed with new installations of Office 365 ProPlus or when existing installations of Office 365 ProPlus are updated. (Reference)

As expected date the 2002 release will be rolling out in March for the monthly update channel.

More details are available under:

New Office installations
#

To avoid the plugin being installed with new office installations edit your Office 365 Configuration with the Office Customization Tool . Make sure to toggle the switch for “Set default search engine to Microsoft Search in Bing” to off:

Deploy fonts to Intune managed Windows 10 devices

Sun, 19 Jan 2020 16:25:21 +0000

Recently a customer using Microsoft Intune requested to deploy a TrueType font required by one of their line of business apps. Because Intune does not offer a native solution to deploy fonts it was quite clear that a PowerShell script or Intune Win32 app should do the trick. Note that the mentioned PowerShell scripts can also be used for app deployments with Configuration Manager (MEMCM).

How to install a font programmatically?
#

There seem to be multiple options depending on the operating system version. I’ve tested this with Windows 10 1909. And broke it down to the following steps:

Copy the font to the “C:\Windows\Fonts” folder
Create a registry key which points to the filename of the *.ttf or *.otf font copied to the Windows font path

How to install a font with Intune?
#

To get the font to Windows 10 devices I created a PowerShell script which copies the font files to the windows-fonts folder and creates the required registry key.

Deploying the PowerShell script as Intune Win32 app has the advantage that we can link the font as a dependency if any app requires a specific font. Additionally we can detect and uninstall the font if needed.

Monitor Apple token expiration in Intune

Sat, 04 Jan 2020 14:55:00 +0000

Apple tokens for Mobile Device Management like APNS certificates, DEP and VPP tokens need a renewal every 365 days. When an APNS certificate has expired you are forced to re-enroll all of your MDM managed apple devices. To avoid any headaches I put together a few lines of PowerShell which monitor the expiration with Azure automation and send a notification to Microsoft teams or email.

Script
#

The script is intended to run recurring on Azure automation. And I recommend to setup a schedule which runs the script once a week. The script checks the following apple tokens and triggers the teams notification if it expires in less than the configured number of days:

Push Notification certificate
DEP (Device Enrollment Program) tokens
VPP (Volume Purchase Program) tokens

Hint : You can setup multiple DEP and VPP tokens in your Intune tenant.

The triggered notification is delivered to Microsoft Teams as message card with some details about the token

Prerequisites
#

In order to get the monitoring up and running you need at least:

Azure automation account (ideally with a service principal), if you need a guide to set up an automation account read follow this article
An incoming webhook for your Microsoft Teams team which will receive the notifications OR an email account to send mails
The script from my Github techblog repository

Create a Microsoft Teams Webhook
#

Navigate to your desired teams channel which should receive the notifications and add a new incoming webhook:

Have you already started with Intune automation and Microsoft Graph?

Thu, 19 Dec 2019 21:16:47 +0000

This post has the intention to give you an overview and starting point to automate things with the Microsoft Graph API and PowerShell. While having the focus on Intune and EM+S but the basics are also valid for other Microsoft services.

The world is changing and so are you?
#

When talking about automation most people only think about some PowerShell code and scheduled tasks running on whatever box in an environment. But technology regarding Microsoft services and it’s automation possibilities have definitely evolved quickly. Automation can now be done with basically any scripting or programming language because Microsoft offers us the Microsoft Graph API. Although API (application program interface) sounds more like a developer term engineers should better get used to consuming API’s. As more and more services can be consumed as SaaS API’s are mostly offered for further data processing and automation.

Microsoft Graph API
#

Microsoft describes it’s own Graph API as “Microsoft Graph is the gateway to data and intelligence in Microsoft 365”. Most of the API’s out there are built according the RESTful definition. A RESTful, also called REST API should implement the following operations (HTTP methods) to work with data:

Application based authentication with the Intune PowerShell SDK using a certificate

Tue, 10 Dec 2019 15:43:58 +0000

As you might have noticed I have been doing quite a lot of automation stuff with Microsoft Graph for Intune and Azure AD. My preferred way to run PowerShell scripts which need to run on a regular basis is to use Azure automation. Unfortunately the official “Intune-PowerShell-SDK” does not support authentication with a client certificate. Therefore I updated the module and will show you how to use it with Azure automation.

Why I don’t like client secrets
#

Azure automation brings us service principals (run as accounts) which simplify the access to Azure resources by providing an Azure AD app registration and certificates to authenticate against Azure AD. This provides more security and prevents the risk from having client secrets stored as plain text in scripts. Going with a client secret when having a nice certificate based authentication solution in place feels like making a step-backwards for me. This was the main reason why I decided to “upgrade” the Intune-PowerShell-SDK to support certificate based authentication.

Why I love the Intune-PowerShell-SDK
#

This PowerShell SDK provides nice Cmdlets to do any kind of automation with Microsoft Graph, not only limited to Intune because it offers a helper cmdlets like:

Bulk update Windows Autopilot groupTags

Sun, 01 Dec 2019 11:21:58 +0000

Recently I needed to change a couple of groupTags on existing Windows Autopilot devices. Because Windows Autopilot profiles have been assigned based on the groupTag. Of course I could have done this with the portal (check out the devicemanagement.microsoft.com portal if not done yet!) but I am definitely an automation fan when I need to do repetitive work.

Portal view and property mapping
#

In the Intune portal the Group Tag field on an Autopilot device maps to the Azure AD device property “OrderID”.
Dynamic Azure AD Groups to assign Autopilot profiles to devices can be built with the following membership rule:

(device.devicePhysicalIds -any _ -eq "[OrderID]:mOSD")

The “Order Identifier” field on an Autopilot device maps to the Azure AD device property “PurchaseOrderId”.
Dynamic Azure AD Groups to assign Autopilot profiles to devices can be built with the following membership rule:

(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:1234")

PowerShell script to update groupTags
#

The following script updates the groupTag of one or multiple selected Autopilot devices. Selection is done with a PowerShell GridView.

Please note:

Intune export uploaded PowerShell scripts

Wed, 09 Oct 2019 16:36:57 +0000

After you have uploaded a PowerShell script to the Intune portal you won’t be able to view the script or its content. Therefore things become complicated when an Intune tenant is managed by multiple admins and someone wants to update or review a script. In addition to the unknown script content things can go from bad to worse if you can’t find the script anymore. Fortunately we can recollect our PowerShell scripts directly from the Microsoft Graph API.

Taking advantage of the Intune-PowerShell-SDK
#

Install the Intune-PowerShell-SDK
Consent MS Graph App registration if not done yet (uses default Microsoft Intune PowerShell App with ID: d1ddf0e4-d672-4dae-b554-9d5bdfd93547 )
Execute the snippet below

Retrieve device configuration - PowerShell scripts
#

Final words
#

This was more a minimalistic self-serving post instead of a good explained one but it hopefully helps you if in need to export your PowerShell scripts in Intune without reinventing the wheel.

Windows Autopilot failed to delete device records

Sun, 29 Sep 2019 20:16:03 +0000

Recently I needed to delete a desktop machine from the Windows Autopilot service in order to use the machine in another tenant. But the problem was that the Intune and Azure AD device objects were already deleted. All attempts taken within the Microsoft 365 Device Management and Intune Portal were unsuccessful.

Issue
#

Usually the autopilot device shows the associated Azure AD and Intune objects but here they were shown as N/A (not available) because they were already deleted.

Every attempt to delete the device produced the following error:

Device 8CC9082ZVE deletion failed. Please delete the associated Intune device before deleting this Autopilot device record.

Solution
#

A quick visit to the Microsoft Store for Business resolved things because there I could delete the device without any issue. Direct URL to the Microsoft Store for Business. After a sync in the Intune Autopilot Devices pane the device had also gone from the Intune portal.

Final words
#

This was a rather short post but I hope it prevents headache if you want to delete an Autopilot device with stale Azure AD / Intune records.

Windows Autopilot White Glove Field Notes

Wed, 14 Aug 2019 16:38:31 +0000

I’m happy to share some field notes and experiences with the Windows Autopilot White Glove feature which is available with the Windows 10 1903 release. I’ve done a lot of testing and engineering for a recent project which also included this brand new feature.

First things first (requirements)
#

This is probably the most important information of this post. Really make sure to verify the following prerequisites for Autopilot White Glove. Because there are additional requirements compared to Autopilot enrollments.

Basic Autopilot
#

Make sure that a “classical” Autopilot Deployment is working properly without any issues.

Hardware and OS
#

Hardware with support for device Attestation (“Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported.”)
Physical devices with Ethernet connectivity (WiFi connectivity is not supported!)
Windows 10, version 1903 with KB4505903 injected (equals OS Build 18362.267)

Starting the white glove adventure
#

Preparing Windows 10 1903
#

As mentioned by Michael Niehaus Windows multiple Autopilot issues were fixed by KB4505903. So we need to inject this cumulative update to the downloaded source. This was already the first hurdle to overcome because I’ve missed the fact that the Windows Setup (install.wim) actually contained multiple image indexes (yeah it’s kinda embarrassing). We achieve this by using dism offline servicing with PowerShell cmdlets.

Windows Autopilot White Glove Error 0x81036501

Thu, 08 Aug 2019 16:58:05 +0000

While testing Autopilot White glove for a customer project my test machines always got stuck within the “Registering your device for mobile management” step and timed out after 12 minutes and returned the error “0x81036501” just before showing the White Glove Failed screen. I was doing my tests with Windows 10 1903 DE (German) with the most recent cumulative update installed, meaning OS build: 18362.267.

The Issue
#

As normal Autopilot enrollments were working like a charm this one had to be related to the White Glove scenario. Here’s a screen capture showing the actual behavior (unfortunately with German display language):

By pressing [shift] + [F10] i opened a command prompt and launched the event viewer (eventvwr.msc). In the “Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot” event log I found the following error popping up multiple times, including a retry attempt and limit:

Autopilot discovery failed to find a valid MDM. Confirm that the AAD tenant is properly provisioned and licensed for exactly one MDM. HRESULT = 0x81036501

AutopilotManager failed during device enrollment phase DeviceDiscovery. HRESULT = 0x81036501

On the enrollment status page the error “0x81036501” got displayed for like one second before showing the red generic Autopilot White glove error screen.

Intune Win32 app requirements deep dive

Mon, 05 Aug 2019 17:09:02 +0000

The Intune Win32 app requirements feature is quite underrated and often overseen in my experience. The ability to specify a custom PowerShell scripts allow us to check for specific hardware or device properties in order to determine if an app or firmware update should be installed or not. So there’s no need to build multiple and complex dynamic Azure AD groups for the assignment of your apps.

Use cases from the field
#

From recent projects I’ve discovered the following use cases to deploy Win32 apps only to specific hardware types:

Install specific device drivers or hardware vendor’s software which is not available within the Windows update catalog (e.g. hotkey features, firmware updates)
Install a VPN client only on notebooks and tablets (e.g. Palo Alto GlobalProtect Client)

Win32 app requirements
#

Intune Win32 app requirements are evaluated by the Intune Management Extension to check if a device fulfills defined requirements for an application installation. Requirements support both built-in and custom rules.

Built-in rules
#

Wit the built-in capabilities we can check for:

5 Ways to Screw up your Intune Tenant

Wed, 31 Jul 2019 06:40:00 +0000

Here are 5 common recommendations based on misconfigurations I’ve came across in the field which will give your Intune tenant and devices a hard time to work smoothly. So better read this post that you not screw up your Intune tenant and maybe take advantage of the experiences others already gained.

Housekeeping
#

It’s important to know which devices are actually being used and usually a nice addition to understand compliance data. Stale device entries in may give you a wrong impression of your Intune tenant and it’s health. So enable the automatic device cleanup rule to remove the enrolled device from Intune. Additionally you may also remove the device entries stored in Azure Active Directory (I created a little on-demand script for this which can also run in azure automation).

Same applies to registered Autopilot devices. E.g. if you allow your employees to buy their old devices from the company if they get a new one make sure to remove the device from the Autopilot service. Otherwise you’ll see it again popping up in your tenant very soon. Thus it also prevents the device from being registered in another tenant as autopilot device.

Automating network drive mapping configuration with Intune

Fri, 19 Jul 2019 07:32:46 +0000

I’m thrilled to introduce the intune-drive-mapping-generator which creates PowerShell scripts to map network drives with Intune. The tool is open source and built on ASP.NET Core MVC.

The intune-drive-mapping-generator is your tool of choice to:

Generate an Intune PowerShell script to map network drives on Azure AD joined devices
Seamlessly migrate existing network drive mapping group policies
Generate a network drive mapping configuration from scratch
Use an existing Active Directory group as a filter to deploy all your drive mapping configurations within one script

This all happens without scripting effort. You receive a fully functional PowerShell script for the deployment with Intune.

Architecture
#

This tool is designed to work best with the following components although it can be useful for other purposes(?) :

Azure AD Joined and Intune enrolled Windows 10 devices
Synced user account from Active Directory to Azure Active Directory (Azure AD Connect)
On-premises file servers

Howto
#

Export existing group policy
#

To convert your existing drive mapping group policy configuration, save the GPO as XML report with the group policy management console.

Creating desktop shortcuts with Intune

Tue, 09 Jul 2019 23:22:24 +0000

Why want you to create desktop shortcuts with Intune? Business specific apps may require special shortcuts in order to launch the application with the right parameters. Or you need to create a shortcut for an application which is stored on your on premises fileserver. For this purpose I created a little solution which closes the gap between the modern cloud and on premises world. In comparison with other solutions this one works if you have redirected the users desktop with OneDrive Known Folder Move and automatically remediates missing shortcuts if they got deleted.

Direct link to the GitHub repository.

Browser links: Instead of placing shortcuts to websites on the desktop I would recommend you to use managed bookmarks which can be directly provisioned within the web browser. I documented this for the new Microsoft Edge based on chromium here. {: .notice}

Features
#

This solution works when the desktop is redirected with OneDrive Known Folder Move
Everything is user based (local userprofile)
If the shortcut is missing or deleted it gets automatically (re)created
Possibility to remove shortcut via Intune Win32 app uninstall
Shortcut can point to: URL, File (UNC) or Folder (UNC)
Ability to pass shortcut arguments
Ability to specify shortcut icon (UNC/URL)
Ability to deploy shortcut together with an app using Intune Win32 app dependencies

Architecture
#

A simple PowerShell script which does all the shortcut stuff is wrapped as Intune Win32 App. This adds possibility to detect the presence of the shortcut and if required to uninstall it with Intune. In order to work with the redirected desktop to OneDrive with Known Folder Move we can take advantage of the [Environment]::GetFolderPath("Desktop") method to resolve the desktop location. Based on the Win32 app configuration the shortut get’s either created on the users personal desktop or on the allusers desktop.

Enroll macOS devices to Microsoft Intune

Thu, 23 May 2019 14:22:05 +0000

As Microsoft starts to empower the integration for non Windows devices and also the available apps for macOS devices you might want to profit from your existing MDM solution of choice (Microsoft Intune) and enable features like conditional access or Windows Defender ATP on your macOS devices. This post covers the enrollment with the company portal app. If you want to enroll your devices with DEP (device enrollment program) you can find a great guide here.

Mind the enrollment restrictions
#

Let’s start and check the configured enrollment restrictions to make sure that the macOS enrollment is not blocked for your tenant. You’ll find them on your Intune dashboard under: Microsoft Intune > Device enrollment - Enrollment restrictions

Intune enrollment restrictions

Get an Apple MDM push certificate
#

Without loosing into details - you need an Apple MDM push certificate (also called APNs) to manage apple devices with MDM. The push certificate allows your MDM solution to send notifications about device actions to your end devices (e.g. wipe, app installation, new policy). To request a push certificate you need a valid Apple ID.

Introducing the OneDrive AutoMountTeamSites setting

Sun, 17 Mar 2019 16:03:09 +0000

Reviewing the latest OneDrive features I wanted to try the new AutoMountTeamSites setting which lets you preconfigure SharePoint online sites to sync automatically for defined users and devices.

Updated on 12.07.2019: Included the Intune administrative template configuration

The setting is officially described as follow:

This setting lets you specify SharePoint team site libraries to sync automatically the next time users sign in to the OneDrive sync client. (Microsoft)

If you enable this setting, the OneDrive sync client will automatically download the contents of the libraries you specified as online-only files the next time the user signs in. The user won’t be able to stop syncing the libraries. (Microsoft)

Prerequisites
#

In order to get things up an running we need at least:

OneDrive sync client version 19.012.0121.0011 or newer
Windows 10 Version 1709 or newer
OneDrive Files On-Demand enabled (described below)

Be aware that this feature is not supported with on-premises SharePoint sites and not recommended to enable this setting for more than 1'000 devices. The device limit is related to the Windows Push Notification Service which tells the OneDrive clients when a file change occurs on a server side. When you exceed that limit clients will find themselves in a polling mode. Hans Brender explains this behavior well on his blog.

Intune map network drives and execute PowerShell script on each user logon

Fri, 11 Jan 2019 20:51:36 +0000

Recently a customer needed a drive mapping solution to access his on premise file shares during his transition phase to a cloud-only workplace. I wanted to share the solution with you because it’s a frequently asked question around a modern workplace migration. The following solution can also be extended or modified for a printer mapping or other PowerShell scripts which need to run on each user logon.

Updated 04.08.2019: I’ve developed an automated solution to generate network drive mapping configurations with an online tool which also migrates group policy network drive mappings. See: next-level-network-drive-mapping-with-intune.

Direct link to the final scripts

Lets assume we have the following scenario:

- Customer with hybrid user-identities (Azure AD Connect) - On premise ressources with legacy file shares - Devices are Azure AD joined ( **not** hybrid joined) - MDM managed with Intune - [Optional] Always on VPN for external on-premise resource access - [Optional] Windows Hello for Business deployment as described [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso)

Architecture
#

With my colleague Alain Schneiter I designed the following solution:

Main PowerShell script stored on Azure blob storage which handles the drive mapping - driveletters, UNC paths and descriptions can be configured within the script
Client side script deployed with Intune which triggers the main script during logon. The main script is not stored locally which makes it easy to customize (no updates oder changes needed on client side)
Deployment is user targeted via Azure AD group and Intune

Azure blob storage configuration
#

We wanted to store the script within Azure because the customer was already using Azure blob storage. It’s also possible to store the PowerShell script on GitHub if you don’t want to use Azure.

Clean up stale Azure AD devices

Thu, 10 Jan 2019 22:25:00 +0000

If you are using Azure AD and the time passes you’ll have a lot of old device entries. If you enable the automatic device cleanup rule in Microsoft Intune the device is only removed within MDM and the Azure AD entry still exists.

Intune device cleanup rule

For this reason I created a tiny PowerShell snippet to create a report with all devices which didn’t contact your Azure AD tenant since the treshold date specified. If you confirm the operation you can also delete all affected devices.

Please be careful when running the script because when removing a device from Azure AD the stored Bitlocker recovery keys are also removed. I can recommend Roger Zander’s Azure table-based Bitlocker recovery key solution.

Deploy OneDrive KFM with Microsoft Intune OMA-URI

Thu, 06 Sep 2018 18:37:21 +0000

OneDrive KFM (Known Folder Move) allows you to redirect common Windows folders (Desktop, Documents and Pictures) to the users personal OneDrive. OneDrive Known Folder Move is the modern replacement for the well known folder redirection group policy. The deployment with Microsoft Intune allows you to trigger or automate the OneDrive KFM configuration for your end users.

Updated on 04.08.2019: Added administrative template configuration

This post is based on a great article from Oliver Kieselbach about Deep dive ADMX ingestion to configure SilentAccountConfig with OneDrive. I used his blog to play around with the admx ingestion.

Prerequisites
#

To automatically deploy OneDrive Known Folder Move the following prerequisites must be met:

OneDrive sync client with build 18.111.0603.0004 or greater
Azure AD Joined or Hybrid Azure AD Joined Windows 10 Device Running Windows 10 1709 or later

Intune Configuration
#

Configure SilentAccountConfig
#

Option #1 - ADMX Templates
#

With SilentAccountConfig enabled OneDrive for Business gets automatically configured with the current user account who’s signing in to Windows.

Windows 10 1803 New MDM Policy CSP Settings

Sat, 21 Apr 2018 22:11:30 +0000

Hello. Long time no see. Finally I’m back with a new post. This time I created a nice little list with Windows 10 1803 New MDM Policy CSP Settings for the next Windows 10 release. If you’re not familiar with Policy CSP Settings - that are GPO Settings configureable over an Intune OMA-Uri Policy. Here’s a great introducation to Policy CSP Settings.

My favorite policy CPS’s available with Windows 10 1803
#

The following CSP’s are available on Windows 10 1803 and later:

ControlPolicyConflict: MDMWinsOverGP
This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy are set on the device.
Microsoft docs
LanmanWorkstation: EnableInsecureGuestLogons
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server
Microsoft docs
RestrictedGroups: ConfigureGroupMembership
This security setting allows an administrator to define the members of a security-sensitive (restricted) group.
Microsoft docs

You can find the entire list (CSV) on Github.

The scripts to retrieve and compare the available Policy CSP’s for a Windows version are available on GitHub. Feel free to leave feedback or improvement changes.

Intune on Nicola Suter

Did you hear that maester supports Intune?

About Maester #

Intune Related Checks #

Example #

Retrieving Windows LAPS Azure AD Passwords with PowerShell

Where is this command originating from? #

Let’s retrieve some passwords #

Let's have a tête-à-tête with the new Windows LAPS for Azure AD joined devices

Setup #

Prerequisites #

Azure AD enablement #

You must not touch my endpoint security settings!

Prerequisites #

Migrating to the new Windows Store experience

Challenges #

Script prerequisites #

Setting up a radius server for Azure AD joined devices and 802.1x

Disclaimer #

Available solutions #

Android dedicated devices managed home screen and system apps

System Apps #

List of commonly used System apps for Samsung devices #

The easiest way to work with the Microsoft Graph PowerShell SDK

Requirements #

JWT #

Intune app protection policy report

Information visible within the portal #

Script #

Dealing with Intune OMA-URI encoding and applocker rules

The actual issue #

Fixing things #

Save file with UTF-8 encoding #

Android Enterprise Enrollment: Page Not Found

Housekeeping for stale MEM profiles

How to identify stale profiles #

What to do with stale profiles #

Export and import MEM Endpoint Security Profiles

Workflow #

Discover request URL’s and payload #

Ensuring regular Defender Quick scans with Microsoft Endpoint Manager proactive remediations

PowerShell scrips #

Detection script #

Remediation script #

Discover the Microsoft Graph API with the Microsoft Endpoint Manager Portal

Microsoft Endpoint Manager Portal #

Example about how to capture URLs and build a PowerShell script #

Bulk create Intune mobile app deployment groups and assignments

Intune scope tags and role-based access control explained

Role-based access control within the Microsoft 365 ecosystem #

Managing the new Microsoft Edge Browser with Intune

Install the new Edge Chromium with Intune #

Set Edge Chromium as default browser #

Intune configuration #

Prevent Intune devices from getting the Microsoft search (Bing) plugin

New Office installations #

Deploy fonts to Intune managed Windows 10 devices

How to install a font programmatically? #

How to install a font with Intune? #

Monitor Apple token expiration in Intune

Script #

Prerequisites #

Create a Microsoft Teams Webhook #

Have you already started with Intune automation and Microsoft Graph?

The world is changing and so are you? #

Microsoft Graph API #

Application based authentication with the Intune PowerShell SDK using a certificate

Why I don’t like client secrets #

Why I love the Intune-PowerShell-SDK #

Bulk update Windows Autopilot groupTags

Portal view and property mapping #

PowerShell script to update groupTags #

Intune export uploaded PowerShell scripts

Taking advantage of the Intune-PowerShell-SDK #

Retrieve device configuration - PowerShell scripts #

Final words #

Windows Autopilot failed to delete device records

Issue #

Solution #

Final words #

About Maester
#

Intune Related Checks
#

Example
#

Where is this command originating from?
#

Let’s retrieve some passwords
#

Setup
#

Prerequisites
#

Azure AD enablement
#

Prerequisites
#

Challenges
#

Script prerequisites
#

Disclaimer
#

Available solutions
#

System Apps
#

List of commonly used System apps for Samsung devices
#

Requirements
#

JWT
#

Information visible within the portal
#

Script
#

The actual issue
#

Fixing things
#

Save file with UTF-8 encoding
#

How to identify stale profiles
#

What to do with stale profiles
#

Workflow
#

Discover request URL’s and payload
#

PowerShell scrips
#

Detection script
#

Remediation script
#

Microsoft Endpoint Manager Portal
#

Example about how to capture URLs and build a PowerShell script
#

Role-based access control within the Microsoft 365 ecosystem
#

Install the new Edge Chromium with Intune
#

Set Edge Chromium as default browser
#

Intune configuration
#

New Office installations
#

How to install a font programmatically?
#

How to install a font with Intune?
#

Script
#

Prerequisites
#

Create a Microsoft Teams Webhook
#

The world is changing and so are you?
#

Microsoft Graph API
#

Why I don’t like client secrets
#

Why I love the Intune-PowerShell-SDK
#

Portal view and property mapping
#

PowerShell script to update groupTags
#

Taking advantage of the Intune-PowerShell-SDK
#

Retrieve device configuration - PowerShell scripts
#

Final words
#

Issue
#

Solution
#

Final words
#

First things first (requirements)
#

Basic Autopilot
#

Hardware and OS
#

Starting the white glove adventure
#

Preparing Windows 10 1903
#

The Issue
#

Use cases from the field
#

Win32 app requirements
#

Built-in rules
#

Housekeeping
#

Architecture
#

Howto
#

Export existing group policy
#

Features
#

Architecture
#

Mind the enrollment restrictions
#

Get an Apple MDM push certificate
#

Prerequisites
#

Architecture
#

Azure blob storage configuration
#

Prerequisites
#

Intune Configuration
#

Configure SilentAccountConfig
#

Option #1 - ADMX Templates
#

My favorite policy CPS’s available with Windows 10 1803
#