Author: Gabriel Marculescu

Intune backup with Microsoft Graph and Azure Storage

Every admin knows that in some cases a backup copy can be a life saver, whether it is a server OS backup with some specific configurations, a database holding critical billing information, or, why not, a set of Intune device configuration policies.

Scenario

In this post we start with the following challenge. You are an Intune administrator who works on a large team with multiple tenants. The environment complexity often leads to modifying configuration on the wrong tenant or replacing a configuration by mistake. You require a better change management process, but in the meantime you still need to protect the data (in this case the Intune configuration policies).

Solution

Implement a backup solution with an automation account and Azure Storage. The automation account will use a native Microsoft Graph application you previously created.

In this post we will discuss the following steps:
1. Create the resource group and storage account with PowerShell
2. Create the automation account
3. Add a runbook to perform the backup
4. Schedule the runbook execution

Resource Group and Storage Account

The data that you plan to back up needs a place to rest. Using the below script, we create a new resource group and a storage account. Feel free to modify the names if you like, but make sure your changes are consistent across the entire solution (if you change them here, you change them...


Unattended Microsoft Graph API calls with PowerShell

Microsoft recently announced that developers should switch focus from Azure AD Graph to Microsoft Graph, considering the plans are to work hard to close the gap between the two products – here. The modern desktop management world fosters automation more than ever. Operations on a tenant like maintenance or replication will become more and more familiar. In this post you will learn how to use unattended Microsoft Graph API calls with PowerShell.

Below are the high-level steps we will discuss:
1. Register a native AAD application with an application secret
2. Grant permissions and administrative consent
3. Create an access token and access Microsoft Graph

Register Native AAD application

We will register the application using PowerShell commands. As seen below, we need a client secret, an application name and redirect URIs.

    Connect-AzureAD
    $tenantID = (Get-AzureADTenantDetail).ObjectId
    # The client secret is the application password. You can generate this as long as you don't have
    # special characters like + or / that can prevent correct authentication
    $client_secret = "2Uban4QXXXXXqg6mcXdpXXXXXzsTPPixJf6kXgcml3E="
    $applicationName = "BlogGraphApp"
    # You can use any valid URL here
    $homePage = "https://gmarculescu.com"
    $appIdURI = "https://gmarculescu.com/?p=584"
    $logoutURI = "http://portal.office.com"
    # We create the application secret valid for one year starting today
    $today = [System.DateTime]::Now
    $keyId = (New-Guid).ToString()
    $applicationSecret = New-Object Microsoft.Open.AzureAD.Model.PasswordCredential($null, $today.AddYears(1), $keyId, $today, $client_secret)
    # We create the AAD application
    $AADApplication = New-AzureADApplication -DisplayName $applicationName `
        -HomePage $homePage `
        -ReplyUrls $homePage `
        -IdentifierUris $appIdURI `
        -LogoutUrl $logoutURI `
        -PasswordCredentials $applicationSecret
    # We create a service principal for...


Deploying Win32Apps with Intune

The Win32App feature is a powerful method of deploying applications. Like SCCM applications, you can basically deploy any application, or even content, regardless of the file extension. As long as the application has install and uninstall scripts, it can be deployed. In this post we deploy cmtrace.exe directly on the user desktop.

Main steps when using Win32 apps in Intune are:
1. Create the intunewin package
2. Create the Intune app
3. Deploy the app
4. Validate the deployment

Create the intunewin package

Create a new folder and copy cmtrace.exe to that location. In my example I created c:\pkg\cmtrace. Create the two install and uninstall scripts as follows. The below scripts are among the simplest scripts you can create. I use them to highlight the fact that the two scripts can be as simple as one-line scripts that copy or delete a file, or 10000-line PS scripts that perform checks, set registry keys, install dependencies, etc.

    Install:   copy cmtrace.exe %userprofile%\desktop
    Uninstall: del %userprofile%\desktop\cmtrace.exe

Download the IntuneWinAppUtil tool to the c:\pkg folder. Run the file and specify the source folder and the cmtrace.exe file as in the image below. Now, the intunewin file is ready to be uploaded to Intune.

Create Intune App

Intune -> Client Apps -> Apps -> Add. For app type select Windows app (Win32). For app package file add the newly created intunewin file, click OK. Change...


ADMX-Backed CSP – Set Chrome Homepage with Intune

ADMX Ingested CSP – Set Chrome Homepage with Intune

In addition to standard policies, CSP policies can also be used to configure ADMX-backed policies. With this policy we use a third-party administrative template where registry keys and associated values are defined. The ADMX template is either shipped with the OS or can be ingested into a device using the CSP URI ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall

In this post you will set up ADMX-backed policies to configure the Chrome homepage with Intune:
1. Get the chrome.admx file
2. Ingest the ADMX template in Intune
3. Determine what keys/settings need to be configured
4. Configure the settings
5. Test the policy

Get the Chrome policy templates, including chrome.admx, from here. Login to your tenant on https://portal.azure.com and go to Intune -> Device Configuration -> Profiles. In the Device Configuration blade click Create profile. In the Create Profile blade enter Chrome Config for Name and for Description. Select Windows 10 or later for platform; the profile type is Custom. In the new Custom OMA-URI Settings blade click Add. In the Add row blade enter Ingest Chrome ADMX for Name and for Description. For OMA-URI enter ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Chrome/Policy/ChromeAdmx. The data type is String, and in the value box copy and paste the entire chrome.admx content.

Now, let's take a step back and discuss the settings that we need to configure to set up the Chrome homepage. On a computer that has chrome.admx imported, open regedit.exe and go to HKLM\SOFTWARE\Microsoft\PolicyManager\ADMXDefault. You...


Automatically Create Win10 Autopilot VMs – Part 2

How to Automatically Provision Win10 Autopilot Devices – Part 2

Scenario

You have an Autopilot demonstration environment running on Hyper-V. Considering the environment dynamics, you need to automate the VM provisioning. The manual approach is no longer feasible – "when you do something more than 2 times the same way, it is time to automate ..."

Solution

Prepare a golden image you can use to clone new VMs. From the Hyper-V host start VM provisioning, upload the Autopilot data to Intune and invoke a remote wipe of the new clone to prepare it for the Autopilot OOBE experience. In this post you will prepare the Hyper-V host to control the Autopilot VM creation based on the golden image we created earlier.

Steps:
1. Configure the Autopilot profile assignment using a dynamic device group
2. Create the PS script
3. Run the automation .... wait ..... yeeeey! 😊

Let's configure the deployment profile auto-assignment. Open the Azure portal and login to your tenant. Go to Intune > Groups and click New group. Set group type to Security, Group name to AutoPilotDevices and Membership type to Dynamic Device. Open the Dynamic Device membership blade and click Advanced rule. Enter the following rule to add all new devices to the group:

    (device.devicePhysicalIDs -any _ -contains "[ZTDId]")

Click Add Query, then Create. Now, we have a group that will contain all devices we upload as Autopilot devices. It is time to create...
