Search

Håvard Siegel Haukeberg

Paste life: Ctrl+C -> Ctrl+V

Open Search
Category

Coding without code

The personal IT blog – I am a Microsoft Employee

Deploy custom script with Microsoft Intune

Once you have:

  1. Created a script
  2. Packaged the script in an EXE

you should be ready to deploly that script to computers running the Microsoft Intune Management Agent. The Intune MDM channel does not support EXE, only MSI.

1
Log into Intune and go to Apps
2
Select Software Installer and select EXE then browse for the EXE

Follow the Wizard.

3
You are done. Now you need to move the user or PC into that group for deployment. Deploy to all PC’s? apply to all computers instead of a group.

7

8

 

 

3
Venter på å kjøre script
6
Manuelle oppgaver som kan gjøres på klienten

 

 

 

 

 

0

Create a GPO Script for Microsoft Intune

Microsoft Intune can not push out Group Policies onto computers, but we can target users or devices with scripts that change that setting in the registry.

Here is how you create a simple script that does just that.

@Echo off
echo A Script to set a Registry value using Windows Intune
REM registry key
reg add HKLM\Software\Policies\Microsoft\PassportForWork /f
reg add HKLM\Software\Policies\Microsoft\PassportForWork\ /v Enabled /t REG_DWORD /d 0 /f
if errorlevel 1 (
echo Error installing reg key
exit /b 1
) else (
echo Installed regkey
)
exit /b 0

 

Simply copy this script into a notepad file and then save it as PassportForWork.CMD right click and Run as Administrator to input the software policy where we set Passport for Work enabled as = 0 “Turn Off”

You can enter some of these register values:

REG_BINARY
REG_DWORD
REG_EXPAND_SZ
REG_LINK
REG_MULTI_SZ

Read more here: Registry Values (Technet)

 

Thanks to Richard Harrison at http://www.cableplugger.com/2013/03/adding-windows-registry-entry-with.html

2

Create a GPO Registry Key Script Package for Microsoft Intune

Here is how you create a script that adds a registry setting to the computers managed by Microsoft Intune.

Navigate to:

C:\Windows\System32\iexpress.exe

Right click it and select “Run as Administrator”

iexplore

12345678

9
Click Browse and select where you want the file to be saved

101112

success
You now have a EXE file that you can upload and deploy in Intune
0

Forgot login credentials and need to reset Windows 10 – Use Advanced Startup

If you are stuck on this screen and forgot your login there is a simple way to reset your device.

IMG_20160229_094507
Logon screen and you can not log in.

 

 

IMG_20160229_094527
Hold the “SHIFT” key and keep holding it while tapping/clicking on the power button and select restart

 

 

IMG_20160229_095023
Advanced startup. Press troubleshoot and then press “Reset this PC” 

Thanks to: http://www.tenforums.com/tutorials/2294-advanced-startup-options-boot-windows-10-a.html

 

 

0

Disable PIN code when joining Azure AD *UPDATED 2018

*THE AZURE AD PORTAL EXPERIENCE HAS BEEN UPDATED, TO FIND THIS SETTING IN THE NEW PORTAL LOOK HERE: Enable or Disable Windows hello in new AAD portal

If you are a larger organization or a school, simply asking your users to enter a pin and start authenticating with a phone might be challenging. Even more so when they have never done that before.

Here is how you disable PIN challenge and phone verification when joining Azure AD

UPDATE: In Azure.

  1. https://manage.windowsazure.com
  2. Go to Active Directory
  3. Select your Domain
  4. Select Applications
  5. Select Microsoft Intune
  6. Select Configure
  7. Under manage devices for these users, select All and click Save.
apps
Apps in Azure AD
configure
Configure the Intune app
manage all
Turn on MDM

In Intune.

  1. https://manage.microsoft.com
  2. Go to: Admin > Mobile Device Management > Windows > Passport for Work.
  3. Select: Deactivate Passport for Work on registered devices

Thats it.

deactivate passport

29

Azure AD join on Intune MDM classic agent channel *UPDATED

You can join Azure AD and use the Intune device agent for MDM and not the MDM channel when you enroll. It is a bit tricky and require manual touch on the device.

The best experience is to include the Intune agent in the Windows Image. If can not do this then here is how:

You need this:
  1. Azure AD Enrollment Administrator
  2. Microsoft Intune Agent on USB
  3. Windows 10 clean install (OOBE)
  4. Configure Azure AD to only MDM enroll
  5. Create a group for Security Group with all students
  6. Target Intune to only do MDM for that Group
Optional: Passport for Work registry disable script

Here are the steps:

In Azure AD:

  1. https://manage.windowsazure.com
  2. Go to Active Directory
  3. Select your Domain
  4. Select Applications
  5. Select Microsoft Intune
  6. Select Configure
  7. Under manage devices for these users, select Groups then browse and select the all students group. Select it and click on the check mark. Click Save down on the bottom bar.
appsconfigureselect eleverset groups

In Intune:

  1. Create an enrollment administrator in the Intune Console
  2. Go to ->Admin->Administrator->Device Enrollment Administrator Enter an Azure AD user as a device enrollment admin e.g. deployment@yourdomain.com
  3. *Create group for the devices that the Device Enrollment Administrator is a part of so that all his devices get targeted for a script.
  4. *Disable Passport for Work by pushing a Script to that group. This script Disables Passport for Work on the local machine so that you do not need to enter a pin.
  5. *Here is how you create the script: Create script
  6. *Here is how you package the script: Script Deployment
  7. *Here is how you deploy the script: Deploy custom script
  8. *One client is visible in Microsoft Intune you need to either distribute the software on all clients or on a client that you manually move into a specific group.
  9. That software will be pushed down in time. you may force the install on the device by pressing install on the client or refreshing the policy in Intune.
  10. Get the Intune agent from Admin->Download Client Software and save it to a USB stick.
*Only nessecary if you want to disable the “Create PIN promt” on login.

 

deployment admin
Enrollment Admin Creation

On the Device:

  1. Boot the clean device.
  2. Under the OOBE experience Select “My company owns this Device”
  3. Log on with that enrollment administrator and complete the setup.
  4. As the admin you will be challenged with a PIN prompt and you need to verify so bring your phone.
  5. Plug in USB and run the EXE file. Remember you need both the EXE and that small certificate file to be in the same folder for the enrollment to be toward your account.
  6. Let the machine sit if you can. The longer it sits, the more stuff will be downloaded so your next user do not have to wait.
  7. Log of your enrollment admin and give the PC to the students and let them log in with their user that is in the Student security group.
  8. The next user that logs on will be a standard user.
  9. He/She will be prompted for a pin but it can be bypassed by doin this:
0

Configuring Conditional Access to Exchange Online (365) with Intune

You can configure Microsoft Intune to block devices that do not comply with a “standard” access to Office 365 Exchange Online email.

Here is how:

  1. http://manage.microsoft.com in a silverlight browser.
  2. Create a Compliance Policy
  3. Policy->Compliance Policy->Create New
compliance policy
I will demand a password of minimum 6 digits and 1 minutes before screenlock.
Setting the Conditional Access and blocking Exchange Active Sync
  1. Policy->Conditional Acces->Exchange Online Policy
  2. Click following:
    • Activate Policy for Conditional Access
    • Select Specific Platforms
    • Check iOS (my rules will now only apply here, rest can read email.
    • Check: Require Compliance for Mobile Device
    • Select “Block access to e-mail for devices not supported by Intune”
    • Select “All users”
    • Select “No exception users”

The iOS users will now have to enroll in order to read email and when they do they need to set a 6 digit password.

Caution with using Active Sync only:

  1. If the user has allready configured email, he might not be blocked.
  2. If the user has been associated with that device earlier, he might not be blocked.

Enrollment procedure:

  1. Enter Your email in the native mail client by going to settings
  2. You recive an email with instructions on how to get access to your mail.
Follow that instruction.

 

0

Shared devices (Roaming Profiles) with Microsoft Intune

When you have more users than devices or users share devices and you only have Azure Active Directory the ability to switch users work a bit differently.

The first user that you enroll with will be an Administrator, all subsequent users will be a Standard users.

Microsoft Intune will block  any user to enroll a multitude of devices. The limit is set in Azure Active Direcory at 20 Devices. You can change this.

To do this keep in mind that you need to be an Administrator:

Navigate to: http://manage.windowsazure.com

ad

configure
Click Configure
Screenshot (1)
Select the number of devices you want the users to enroll

 

 

That is it. This user can now enroll an 1000 devices. on this domain

0

Azure Active Directory and Roaming Profiles

In Windows 10 you can join a machine to Azure AD instead of a local domain.

But

When you join Azure AD your account is given administrator privileges automatically. If you switch users by Ctrl+Alt+Del and Switch user, that user is set as a Standard user.

IMG_20160115_093848

If you do not know who will use the computer, only the first user will be administrator, the rest will be standard users and can not install programs.

IMG_20160115_092644

This action is default and can not be changed. Simply giving machines out to students will result in the first users becoming administrators. If you boot all machines before deployment and log in with your user, that user will be blocked after about 20 devices.

IMG_20160115_091519

 

How to fix this? Take a look at this post: https://haukeberg.wordpress.com/2016/01/18/shared-devices-roaming-profiles-with-microsoft-intune/

 

 

0

Blog at WordPress.com.

Up ↑